ISECUREI IBY DESIGN 2020

CYBER RESILIENCEI IN THE AGE OFI

Is the aviation industry taking cyber security seriously enough?

Navigating the threat landscape in a 5G enabled world

Autonomous vehicles – the pace of change versus cyber security

INTERCONNECTIVITYI

It’s fair to say that 2020 has been a year of change and uncertainty. From COVID-19 and Brexit to the increasing urgency of Net Zero. And that’s without mentioning the relentless technological advancements demanding more interconnectivity between new digital systems and legacy critical assets, that’s bringing together previously isolated sectors in new and interesting ways. It goes without saying that all opportunities come with their own challenges – a core one being their cyber resilience. And with their increasing connectivity, the impact of a cyber-attack has the potential to be greater than ever before, rippling through this web of connection across the sectors, with boundless consequences.

So, how do we protect our energy and water supplies, critical transport systems and automated manufacturing plants? How can we ensure cyber resilience is built into new technology ‘by design’? And perhaps the greatest challenge – how do we embed cyber safety into assets and systems that were created at a time when the likes of ‘hacking’ and ‘cyber-attacks’ were the stuff of science fiction?

There are the questions we should be asking ourselves – across all industries – and are some of the key discussion points being considered in this magazine. In some cases, we’ve even provided potential resolutions. But that doesn’t mean we think we have all the answers, but simply that we all need to be thinking about how, together, we can protect our infrastructure from the existing threats of today, and the potential threats of the future.

So, read on. Enjoy. And do get in touch if an article sparks your interest – we’re keen to collaborate on the future of cyber.

Matt has over 20 years’ experience in System Engineering, Technical Assurances and Cyber Security. He provides C-Level subject matter advice to key clients on variety of topics including transport security, safety system assurance, secure SCADA architecture and Internet of Things. Matt’s previously worked with the UK Government and the academic sector to produce global standards and guidance in the field of cyber security and smart infrastructure.

Matt Simpson Technical Director, Cyber Resilience

Matthew.Simpson2@atkinsglobal.com

Foreword

Contributors

Martin RichmondTechnical Authority, Cyber SecurityMartin is a Chartered Digital Electronics Engineer with over 20 years’ experience of cyber systems design, testing and assessment. Working across government he has proven experience of complex technical and innovative cyber solutions as well as the validation, characterisation and testing of system vulnerabilities. His passions include the application of critical thinking and domain-driven Open Source intelligence analysis to secure engineering design.

Christian Compton Principal Cyber Security Consultant Christian has over 15 years’ cyber security knowledge and experience, in roles including leading cyber security incidents across Critical National Infrastructure (CNI) for the UK government, and holding the position of Lead Cyber Security Advisor for the civil nuclear sector. Since being at Atkins, he has been involved in a variety of projects across CNI, and recently in the area of Connected and Autonomous Vehicles.

Mike BirdClient DirectorAfter spending some 30 years in the British Military, Mike joined Atkins as a Client Director in 2018. Primarily focussed on cyber security and resilience at a portfolio and programme level, Mike has a particular interest in digital transformation and its associated development and delivery of capabilities.

Caroline BimsonPractice ManagerCaroline leads on Business and Digital Consulting within the Transformation and Delivery Practice. She specialises in defining and delivering complex transformation with experience in digitally enabled change.

Jean-Sebastien Connell Consultant Jean-Sebastien is part of the Future Borders team at Atkins, with experience in cyber and digital projects across government, defence and aerospace.

Jessica Roberts PR Manager Working with the security, aerospace and defence markets, Jessica is responsible for raising the profile of Atkins and its experts across a range of external platforms, from press interviews and magazine articles to news announcements and social media.

Editor

Is technology the answer to fraud detection?Do you know how much personal information you’re sharing online? There are the details you choose to hand over, for example, your debit or credit card number, which you exchange for goods and services. And the data you may not realise you’re providing others with access to (think about cookies on websites), or even that’s been stolen.

The amount of data we’re generating has grown at an extraordinary rate, along with the computing power that enables organisations to process and make use of that information. There are real benefits – it can increase a company’s or department’s efficiency and improve our customer experience. But it needs to be designed carefully. Cyber attacks are on the rise. Fraud plays a big part in this and the UK Government estimates that £31-£53 billion of public money is lost through fraud each year.

Organisations of all sizes and across sectors now have the difficult job of weighing up the potential benefits of their data gathering and sharing techniques with the need to keep people’s data safe. Organisations have a weight of responsibility to collect the ‘right’ data, to process it and to share it fairly. Throw into this mix, data that are wrong, stolen or misleading and more than ever before, fraud is a challenge to every organisation. This pieces into a far more complex picture than digital by default.

However, the power of data, used well, has vast potential to detect and prevent fraud. To fight fraud, you first have to find it. Major government departments including HM Revenue and Customs, Department for Work and Pensions, and the National Economic Crime Centre in the National Crime Agency have done just this. The National Fraud Initiative in the Cabinet Office identified over £300m of fraud between 2016 and 2018 by matching the data of local authorities with that of others. In the private sector, the Insurance Fraud Bureau (IFB) brings insurers together, pooling claims data to then flag suspicious patterns and networks of behaviour.

Caroline Bimson Practice Manager, Atkins

As well as leading to over 650 convictions, this ability to analyse large sets of shared data helps protect the general public from purposeful collisions between vehicles, designed to enable fraudsters to make fraudulent claims.

Technology has a key part to play in this. Established technologies are gaining the computing power behind them to be used in anger and emerging technologies are showing their potential.

Here are three key developments:

1. APIsA core technology to make data sharing a reality is the use of APIs (application programming interfaces). It means that different technologies can use a common language to communicate with each other. Instead of a human needing to input data at one end of a conversation, multiple technologies can “talk” to each other or to a central hub in technology-to-technology conversations.

They can make the transfer of data unnecessary in some cases: one version of the truth can remain, with APIs querying a trusted, up-to-date data source with the freedom to build the front-end design in different ways. For example, Atkins supported the Cabinet Office to create the Counter Fraud Data Alliance, setting up data sharing technologies between the public sector, banks and insurers. Government and industry work in partnership to securely share known fraud data for the prevention, detection and reduction of fraud. Each has very different systems but the back-end technologies can use APIs to create a single conversation.

Designed and implemented well – perhaps also using their front-end cousin, RPA (Robotic Process Automation) with its rule based steps and clicks - they can reduce the need for multiple versions of the truth, increasing data quality while being able to share data faster.

2. Artificial intelligenceThe rapid pace of development in Artificial Intelligence (AI) represents the maturation of a technology that has existed for over 50 years and is set to bring further opportunity for improvement to identify and counter fraud. The convergence of large data sets, powerful hardware and advanced algorithms have made AI increasingly capable, for example, through faster data analysis. AI technologies can search through vast amounts of data to look for patterns and identify potentially fraudulent transactions, predict behaviour, make recommendations, for example, that a transaction should be investigated further, and classify information.

Machine learning algorithms are not as good at understanding complex unstructured data such as images and undertaking non-deterministic analysis yet. However, machines are increasingly outperforming humans at aspects of some of these challenging tasks, including image recognition, bulk data analysis and providing decision options.

Certainly, AI promises quicker decisions examining a broader range of information, which will be particularly relevant as human capacity is challenged by the deluge of data. But replacing people with AI is not as simple as a straight switch - optimising the capabilities of humans and AI in teams to mitigate weaknesses will be essential.

3. Distributed ledger technology (or blockchain)Distributed ledger technologies take data sharing another step forward. Instead of a centralised authority, network members exchange data securely across a distributed ledger and the data must be synchronised, which means there can only be one version of the truth.

It’s impossible to say where this will go next. In the context of counter fraud, potentially when a department or agency updates its own database, other members are notified. Notifications mean that every organisation or database that needs to know about that change does know, and instantly. this could mean a distributed set of authorised accounts with different permissions able to share data seamlessly. However, as for all socio-technical security systems, the users are the weak link no matter how cutting edge the cryptography is and managing this risk remains paramount. Cost will also be a limiting factor.

People or machines?These three technologies can help organisations tackle fraud and reduce human error by automating repetitive tasks and identifying repeating patterns or anomalies. But when we’re dealing with information that needs to be interpreted it adds another layer of complexity for organisations. Cognitive bias may be a well-known factor for people’s decision making, but there are also concerns about bias in AI. If an algorithm decides someone is more likely to be guilty of fraud, how can we check what led to that decision? Can AI be charged with making decisions at all? Even if an algorithm only makes recommendations, is that still a step too far? And how can we be certain that AI that learns in an unsupervised way is not just repeating and amplifying inherent prejudices?

It’s imperative that we see these digital tools as just that – tools to be employed by people. It’s also important for organisations to treat data properly and ensure the thoughtful and complete application of data protection principles that go beyond the obvious and restrictive rules of how long we can store data and for what purposes. Instead, they should be embedded in the ways we design our software and gather and share data, so fraud and errors can be detected from the get-go.

Navigating the threat landscape of a 5G enabled worldYou’re stuck in a traffic jam on the motorway. Like everyone else, you want accurate, up-to-date information about how long the traffic will take to clear. You’re also checking alternative routes to see if you can find a faster option for the driver.

Meanwhile, you’re texting your friends to tell them that you’ll probably be late. A friend in the backseat is streaming TV shows and music to alleviate their boredom. Now imagine thousands of cars all engaged in the same activities. This can lead to the network quickly becoming clogged; surfing speeds decrease and soon it’s not just the traffic that’s reduced to a standstill.

But not with 5G. It allows many connected devices to access the network and receive a similar, efficient experience. It also permits a multitude of machine-to-machine data conversations for your information to arrive within a timely manner, by sharing data between nodes as you move around the transport system, relying on a multitude of access points and micro base stations to transfer the data you need back and forth. Your car will even be able to report on your driving style!

Harnessing the potential in industry 5G brings the potential for mainstreaming of new immersive technologies like virtual and augmented reality, integrated sensing and coherent real-time performance monitoring.

It does this by transmitting data at rates that result in a low-latency, seamless experience, enabling real-time provision at the point of consumption. Put in the context of Critical National Infrastructure (CNI) this will permit levels of machine integration, monitoring and data driven decision making that will completely transform how this infrastructure operates. It will enable an all-encompassing network of sensors that can detect, record and analyse anything that the 5G-enabled system is capable of measuring: sound, vibration, light location, heat – any aspect of the environment around us – and fuse this to provide a sensor network that can analyse its own environment.

In turn, this will lead to true mission critical communications. For CNI, this means the creation of real-time response and alerting – a priceless tool when a crisis occurs.

What’s standing in its way?So, what does this unprecedented high-speed interconnectivity mean for cyber security? Quite a lot, really. Not only will we see a myriad of potential new threats, but it highlights some of the fundamental issues we’re already beginning to see, that will only become more prevalent as 5G is rolled out.

First of all, it means there will be a greater reliance on the supply chain, given the need for this ‘mesh’ of network access points and microcells for a successful 5G network. Without delving too deeply into the story around state-actor access and high-risk vendor equipment (you can read more about that here if you wish) there is a very real challenge with ensuring cyber resilience across the entire network from 3rd party vendors.

This need for cyber-security expertise and understanding is a far-reaching issue. In order for the 5G network to become all encompassing, there will be an access point on every street lamp, signpost and billboard. Bus stops will become microcells and each building will have its own 5G cell. Local councils will not have the in-house proficiency to verify the security of this equipment, at the scale that it will be rolled out. So, where does the onus of responsibility fall and who is accountable for the security of this new infrastructure?

Is it down to the people installing the new cells? Will government regulation mandate what qualifies as ‘adequate cyber resilience’? Should an independent party be required to certify the cyber-security of the system?

These are all questions that are still just being worked through for existing networks, let alone the new world of 5G.

With the network requiring such a vast number of cells to operate efficiently, the number of potential access points for hackers to exploit is exponential, thus exposing a huge attack surface. Because of this, the risk associated with any cyber threat needs to be considered differently; the days of looking at component-driven risk assessments are long gone with the arrival of 5G. Instead, we need to think of the whole network as an interactive system, complete with people, processes and technology all operating and interacting with each other. The NCSC has some really good guidance on system-driven risks and how to consider them; explore them here.

Connect, collaborate, consolidate, secureFittingly, interconnectivity and its security requires the efforts of many stakeholders working together. Across public and private, digital and physical, we need more collaboration to uncover the best use cases and potential attack paths as early as possible.

Ultimately, 5G is a framework that has the potential to transform the way we interact with and operate our Critical National Infrastructure. Now is the time to embed cyber security into the network, to ensure its successful implementation and help us fully realise the potential of 5G.

Martin Richmond Managing Consultant – Cyber Security, Atkins

Autonomous vehicles – the pace of change versus the need for cyber security For many of us, car buying has become increasingly complicated. Gone are the days of choosing a vehicle based on the likelihood it will get us from A to B. Now, having easy access to the latest technology is often at the top of our shopping list.

Now, our cars can automatically control our speed and alert us if we suddenly stray from our lane. Some will even help us manoeuvre into tight parking spots. In fact, it won’t be long before the car is doing all the driving.

And that could make our roads safer. These driverless cars, or connected and autonomous vehicles (CAVs), could also help reduce traffic congestion and pollution; improve accessibility and inclusivity for people who are older or less mobile; boost jobs in the automotive and adjacent sectors; and spark economic growth1.

But to operate autonomously, cars need a seamless flow of timely, accurate and reliable data and that means they need to be connected. Connected to the internet, to transport infrastructure, to network control and monitoring systems, and to each other. That communication system must be robust and resilient. Currently, a breakdown is usually an inconvenience. If we’re not in the driving seat, it could have serious safety implications.

So, how do we secure CAVs? And what are we protecting them from?Disruption to the CAV system could be a result of a power outage or extreme weather. And just like other connected devices, CAVs are also vulnerable to cyber-attack. But securing them isn’t just a technical problem, it’s a challenge that requires a coordinated human response too. That’s because a number of procedural and organisational factors will determine how quickly and effectively we can detect and respond to incidents, and minimise the impact on road users. These include:

› How incidents are identified

› How severity is assessed

› How the relevant authorities and organisations respond – from the government, emergency services and highways and local authorities, to car manufacturers and the vehicle owner

› Who within the relevant organisations responds.

In this way, securing CAVs is no different to protecting any other business-critical or safety-related system. For that reason, we can look to more established sectors for best practice.

Watch and learn In the highly regulated nuclear sector, safety always comes first. Risks are identified and assessed early on, and strict procedures are put in place to control the likelihood of an event occurring and to mitigate its impact. This approach, which has matured over time, now extends to the virtual as well as physical world.

There are also several frameworks that help infrastructure organisations work towards achieving cyber resilience.

The US’ National Institute of Standards and Technology has developed a globally recognised, tried and tested model that is applicable across sectors and focuses on:

Identify: understanding the risks to systems and assets

Protect: the measures that can be taken to prevent an incident

Detect: processes and tools that help us spot unusual activity

Respond: the action we take when an incident has occurred

Recover: the steps to take to enable us to return to normal operations as quickly as possible.

This five-step framework is useful because it helps us understand how individual measures fit into an organisation’s overall approach to security. So much so, it forms the basis of our own industry-specific guidance, the Incident Response Framework (IRF), that was developed as part of the South West England-based FLOURISH driverless car project. The IRF outlines the challenges we face in ensuring the UK’s CAV ecosystem is protected from interference and that a minimum viable level of service is always maintained.

In the fast laneBut as I’ve already mentioned, car makers are introducing more connectivity and autonomy to vehicles, and some of these new autonomous features could be trialled on our roads as soon as next year2. So, are we running out of time to ensure that cyber security is at the top of the entire ecosystem’s to-do list?

The speed of technological change means we must act now to ensure the cars that are on roads in the years to come are safe and secure. That means sharing cyber security expertise across all of the sectors involved, from automotive and technology to the public sector; demystifying it for organisations that are currently less exposed to cyber risks; and building trust between stakeholders so we can all share openly and with the benefits of CAVs to society in mind.

They’re also the goals of Zenzic, an organisation that was created to bring government, industry and academia together to help realise the potential of CAVs in the UK. Its roadmap sets out the steps we need to take to ensure people are benefiting from driverless technology by 2030, with collaboration and cross-organisational data sharing playing a central role.

If we come together now, with the government in the lead, we can make our roads safer and position the UK at the forefront of CAV innovation. But more importantly, we’ll be laying a firm foundation for the future. No organisation wants to respond to an incident that could have been prevented if we’d given ourselves more time.

1 https://www.smmt.co.uk/wp-content/uploads/sites/2/SMMT-Connected-Report-2019-summary.pdf ² https://www.theguardian.com/technology/2020/aug/18/self-driving-cars-allowed-motorways-industry-risk

Christian Compton Principal Cyber Security Consultant, Atkins

Is the aviation industry taking cyber security seriously?If you think cyber security in the aviation industry means merely protecting websites and online booking systems from malicious hackers, it’s time to think again. The issue is much broader, in an industry that’s evolving to fully embrace the benefits of going digital, where any stage along the complex maintenance, repair and operations (MRO) supply chain is exposed to potential risk and loss of service.

Do you remember the original Jurassic Park film, where the lifelong dream of an eccentric genetic pioneer – to bring dinosaurs back to life – was very quickly destroyed thanks in part to the negligence of a wayward computer programmer? Admittedly, being eaten by dinosaurs is rather an extreme example of what can happen when IT goes wrong, but it nevertheless gets to the heart of the cyber security problem: any IT system, no matter how advanced, clever and complex, will only be as strong as its weakest link.

And this issue is seriously coming to the forefront today within our industry. Sure, we know of the damage that hackers, crashed websites, and disrupted navigation systems can cause – not to mention errant drones – but bad computer security isn’t just about what hits the news headlines. Poor resilience in any IT system can have the knock-on effect of infecting core business operations at any level to devastating effect, and the causes can come from many new places – from an infected USB stick plugged into a major maintenance database, to poor staff training.

Why resilience is a business-critical issueSo, operating in an industry where any aeroplane grounded at an airport beyond its scheduled time incurs cost, it makes plain business sense to take a step back and view the bigger picture and tighten any weak spots. Because resilience is a business-critical issue. And timing is of the essence. While aviation is increasingly embracing the digital revolution – and within the aviation MRO sector there is an undoubtedly a strong pull to embrace digital systems and processes and cast old-fashioned paper systems aside – that means increasingly integrated networks will need to be opened-up for users to access processes and systems. It means that potentially thousands of people along the MRO supply chain will need to have that access, as never before. And this means there will, inevitably, be weak links and exposure to risk like never before, too.

A secure airline industry is a safe oneSo, there’s a lot to cover. But we have to start somewhere – and there is a willingness to learn across the sector, and a general view that the only way is forward in addressing these issues. We know that security underpins safety. By failing to address emerging cyber security risks linked to digitisation and interconnectivity, you’re effectively putting the entire sector in jeopardy. However, as things stand, there are no specific cyber requirements mandated by EASA. Regulation and legislation are coming – but no official date of their arrival is yet available. But cyber has been a hot topic for a while now; we need to increase the pace if we’re to ensure the safety of an entire industry.

Matthew SimpsonHead of Cyber Security, Atkins

Making it happenSo, how do we ensure that regulations are put in place to cover all of the ongoing and potentially upcoming cyber threats? What’s needed is:

› A broader understanding of the risks of interconnectivity to, for example, original equipment manufacturers’ IT platforms

› A better understanding and awareness of the risk of integrating such platforms and opening them up to multiple users

› Clarity around how systems can recover after a cyber attack

› A better grasp of managing risk across supply chains and between companies.

Also, on the horizon, we need to know how to better manage increasing connectivity. Because tackling this issue, and its various complexities, is not a question of building new IT systems and processes with security added as a bolt-on. It’s about ensuring every touchpoint of IT systems can demonstrate resilience – old and new. It’s about adopting a step-change in your understanding of engineering – and not merely ‘getting in cyber security experts’ to deal with the problems that will, inevitably, arise later on.

There’s no doubt that the issue of cyber security in the aviation industry will be a transformative one. It has to be – it’s business critical after all. Now we must fully support EASA and other accountable regulators to ensure cyber security is embedded in all systems. Because if not, the results could be catastrophic.

How can airports better protect themselves against cyber attacks?We are in the midst of a technologically-driven revolution. For airports and their passengers, this has the potential to bring substantial opportunities and benefits; the World Economic Forum (WEF) reported earlier this year that artificial intelligence alone is expected to boost global economic growth by 14% by 2030.

However, these opportunities also present themselves to airport industry’s C-suites as a catch 22. Investing in digital transformation implies both complexity and expense, and could therefore be seen as high risk. Conversely, failure to invest would see airports become increasingly vulnerable in the face of ever expanding and dangerous cyber threats, with potentially catastrophic effects. So, in the face of this conundrum, how can we better protect our airports from a cyber attack?

Operational Technology (OT)Gartner refers to OT as “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.” In essence, OT is what keeps airports running. Due to this technological revolution, OT is increasingly becoming embedded in all facets of airport operations, be that baggage handling systems, security scanners, passport controls, biometric scanners, CCTV, fuel pumps, air conditioning or control of entry devices, to name a few.

And thanks to OT’s growing interconnectivity, an attack to power supply, hardware or software could have substantially further-reaching effects than ever before.

The expanding threatTo an adversary, the increasing use of sophisticated technology notably expands their attack options. The WEF’s 2020 Global Risks report states that “cybercrime-as-a-service is also a growing business model, as the increasing sophistication of tools on the Darknet makes malicious services more affordable and easily accessible for anyone”. Noting that more than 50% of the world’s population is now online, and growing by approximately one million people each day, it adds that cybercrime is the “second most concerning risk for doing business globally over the next 10 years”.

Set within this context, attackers, at negligible risk to themselves can undertake preliminary attacks from anywhere in the world, and without raising suspicion, they can conduct a detailed analysis of the targeted systems in preparation for executing primary attacks. These could result in physical damage to the airport, for example by shutting down air conditioning in the data hall, damaging the servers. This is not, however, solely confined to the virtual domain. Exploiting OT may also enable an attacker to bypass physical security measures and gain physical access within the airport for criminal or terrorist motives, such as planting an explosive device onto a fuel bowser.

Mike BirdClient Director, Atkins

Based on the balance of probabilities, we must recognise that at some point, all airports will be subject to a successful cyber attack. The frequency, severity and repercussions will be directly proportional to the effectiveness of the airport’s cyber and physical security measures.

A cyber strategy is an operational strategyAs part of the UK’s Critical National Infrastructure, airports must adhere to the UK’s Network and Information System Regulations (NISR). To do so, the Civil Aviation Authority published CAP1753; a cyber security oversight process that promotes a collaborative approach to security. It highlights that, contrary to conventional thinking, cyber security is no longer a responsibility confined to IT. Now, airports must ensure they are resilient to a broader range of attacks, from those leading to power supply loss, hardware or software failure and physical damage, to attacks that resonate throughout the supply chain. Accordingly, cyber security must be treated like physical security and embedded into an airport’s infrastructure.

Planning for the long termAs with all problems, the starting point is to recognise that they exist. Unfortunately, we still have a way to go; the WEF’s 2020 report stated that “using “security-by-design” principles to integrate cybersecurity features into new products is still secondary to getting products quickly out into the market”. But as long as interconnectivity continues to grow and security is treated as a bolt on, cyber threats will continue to challenge airport operations.

However, it is not all about the technology. The European Information Security Summit recently identified that 88% of Chief Information Security Officers are suffering from high levels of stress, with an impact across both their professional and personal lives. Meanwhile, 97% of C-suite executives believe the cyber security teams should be “doing more with less”.

Couple this with significant evidence that the majority of cyber breaches are caused by employees (both inadvertently and maliciously), we must recognise that although an airport’s staff are a notable weakness in terms of cyber security, they have the potential to be its greatest strength.

So how do airports better protect themselves against cyber attacks, in the face of the predicted exponential rise in air passenger numbers and with digital innovations continuing to transform airport operations? They will need to adopt a holistic and people-centric risk-based approach to cyber security, led by the C-Suite level, recognising that effective employee training beyond the traditional IT team is fundamental to successful and long-term cyber awareness.

UK border resilience in the age of connectivityAs an island nation, our borders have always been vital to us. And in today’s globalised and technological age, we must ensure that the way we see and understand them stays relevant. In the face of disruption or attack – be it physical or cyber – we need to rethink the way we manage these borders and instead view them as a complex Critical National Infrastructure (CNI) network of interdependent nodes. By doing this, we can ensure operations remain smooth, seamless and secure.

Borders and the UK’s international supply chainEvents over the last few years have thrown the UK’s global supply chain and its dependence on efficient borders into sharp focus. The need to call on the military to import vital PPE during COVID-induced disruptions, and questions about the post-Brexit ability to import components and skills for energy infrastructure, are stark reminders of how vulnerable the UK’s global supply chain is to border changes. Such concerns have shown that if an efficient border helps secure the UK by stopping dangerous goods and people entering the country, then a slow and complex border stops the right skills and goods coming in.

Furthermore, several entry points carry risk due being single points of failure by virtue of their size. In May 2020, Heathrow Airport and Felixstowe Port were the two main UK import points, being responsible for £6.79 billion and £2.06 billion worth of UK imports respectively1. So what happens to our national infrastructure if Heathrow or Felixstowe were to be attacked and stop operating? How quickly would we be able to adjust our supply chain and obtain critical goods? Borders and our supply chain are vulnerable to a variety of threats. Much like a marching army, the UK in this globalised world is critically dependent on its supply chain and by being the most important link in the chain, borders and their components are consequently the most vulnerable. Indeed, it is this idea of our borders being a network made up of a variety of different components (airports, seaports, rail stations etc.) that we must take further.

A Border NetworkPorts and airports have historically been operated independently by different groups, with their own operating models and USPs. However, the pace of growth of every borders’ digital footprint and data has seen growing interconnection between these points of entry and the Critical National Infrastructure they feed. The use of port community systems as well as new technology such as AI and blockchain are also likely to increase the amount of digital data that flows through supply chains and across borders. This in no uncertain terms creates both opportunity and risk.

Increased data sharing across the network helps identify areas for investment and collaboration to reinforce the network and support free flowing but secure borders. With the increasing connections between ports of entry and the UK’s growing global supply chain, it is no longer enough to secure individual ports or airports. We must address them and the security requirement as a UK wide one. This means ensuring we secure our interconnected borders as a network, so they remain resilient to threats and able to maintain our security in return.

Network ResilienceThe concept of network resilience is far from a new one. Developed by the cyber security world, network resilience is the ability to maintain a minimum level of service in the face of challenges and threats to standard operation, and can be applied in both physical and cyber space. Having been adopted by the National Grid, the concept is already present in the CNI space.

With border traffic continuing to grow and increasing physical and cyber threats, network resilience is now a necessity for the UK’s borders. The drone disruptions at Gatwick Airport in 2018 led to subsequent flight cancellations and financial loss, exposing the absence of interconnected resilience of the border network. Additionally, the border network’s already large and growing digital footprint makes it an attractive target. Combine that with low barriers to entry for cyber warfare and it makes a large-scale security breach a matter of ‘when’ not ‘if’.

Clearly, we must address borders as an interconnected physical and digital network if we are to ensure a fully resilient border network in this age of increasing connectivity. In this regard, enhanced data sharing at a network level would support the identification of port vulnerabilities and help identify appropriate ‘back-up’ solutions within the network, if a vulnerability were to be exploited. Much like the National Grid, when one part of the network is down, the rest of it will be able to take the load.

1 The Observatory of Economic Complexity, United Kingdom Latest Trends (May 2020), https://oec.world/en/profile/country/gbr/

Jean-Sebastien Connell Consultant, Atkins

snclavalin.comatkinsglobal.com/cyber

Or contact us at cyber@atkinsglobal.com

Have you read any of our other magazines?

I TRANSFORMATION IN DEFENCE 2019

EMBRACING INNOVATIONIN THE DEFENCE SECTOR

Protecting assets – why language matters

How open should you be?

Building towards a digital future

ITHE FUTURE OF FLIGHT 2020

Using technology to help reboot aviation in a COVID-19 world

Composites and their impact on MRO operations

The four cornerstones of space-enabled UAM

INTEGRATINGSOCIAL DISTANCING

Temporary Measures or Permanent Solutions?

Keeping the Human Centric Approach

Reopen, Recover, Reimagine

2020

iSAFER PUBLIC SPACESi

IDATA BYI IDESIGNI 2019

DOING THINGSTHE VALUE OF

DIFFERENTLY

Three benefits of focusing on the IM in BIM

Drones: The bigger picture

Five ways data can help us protect people & places