Critical infrastructure security and a case for optimism in 2022

By Kurt John, Chief Cybersecurity Officer, Siemens USA

Editor’s note: Kurt John serves as a member of the Siemens Cybersecurity Board (CSB), where he works alongside international colleagues to address global challenges and new opportunities in cybersecurity. He has shared his expertise with many external bodies including National Institute of Standards and Technology (NIST), Government Accountability Office, UN Under Secretary General’s Office and U.S. Congress. This post originally appeared as an op-ed in Dark Reading.


For anyone working in cybersecurity, the holiday season was hardly a restful one as we grappled with the log4j software bug across the multitude of technology systems that facilitate our daily lives. The Cybersecurity and Infrastructure Security Agency (CISA) Director, Jen Easterly, described log4j as “the most serious vulnerability I have seen in my decades-long career.” And as we prepare for such cyberattacks to escalate, I’m not surprised to read warnings that cybersecurity is now in crisis mode as we begin 2022. In a lot of ways, it is.


However, I also see reasons for optimism. Our experience responding to log4j is already helping to put into better perspective the change needed to ensure trust, traceability, transparency and security throughout our supply chain and America’s critical infrastructure. This has been a core area of focus for Siemens, and our efforts here will continue to accelerate.


Furthermore, when it comes to critical infrastructure, the deployment of the bipartisan infrastructure law will spark new action to improve cybersecurity as new project funding across rail, public transportation, the electric grid and manufacturing also brings new levels of connectivity.


With that, here are my cybersecurity predictions for 2022.


Cyber talent and diversity: The need for cognitive variety will grow in 2022


We have more than 300,000 open roles in U.S. cybersecurity, and the more machines and buildings are connected, the more cybersecurity talent we will need. This is the year, I think, that we will really ramp up diversity, equity and inclusion (DEI) in cybersecurity to both address the talent shortage and improve our security posture.

Cybersecurity is one of those fields where you really need creative solutions, and the ability to think one or two steps ahead of hackers if you can. That calls for intellectual talent—people with the ability to think both creatively and analytically.


Heterogeneous teams are more productive and achieve better outcomes than homogenous teams. In the cybersecurity space, DEI translates into better protection for the systems that unite networked infrastructure – a key topic for the country right now. If you have diversity in all forms, you are maximizing the potential for better insight, better analysis, and new approaches.


Supply chain complexity: Downstream cybersecurity will increasingly affect upstream


Supply chains will be a significant matter for cybersecurity in 2022 and beyond. They were already becoming more complex and interconnected than ever before, and Log4j and similar supply chain-related vulnerabilities demonstrate how sensitive our supply chain can be to disruption. If cybercriminals are able to compromise a smaller supplier deep within the supply chain, there is the likelihood of serious cascading impact for all other companies up through the supply chain, impacting large purchasers, often a big company like Siemens.


This should motivate connected suppliers and the upstream buyers to operate with a uniform set of cybersecurity protocols, including the sharing of information, and also be willing to offer contractual commitments to cybersecurity. This is critical for infrastructure, too, where consistency will be key in implementing cyber protections across operational and informational technology.


Digital Twin and simulations: Rising value in predicting right from wrong in real time


The use of digital twins has picked up during the pandemic. They are proving to be a game-changer for planning, deploying and improving infrastructure and industry. But there is another area that has yet to attract as much attention: digital twins also can be a major asset for infrastructure cybersecurity.

Let’s say we’ve got a smart building that sits on the grid edge—one of the smartest buildings we can build. Now, we create a digital twin of that building that covers everything from IT to personnel to door sensors. The digital twin is the basis for a continuous simulation of how that building should be functioning optimally at all times. When we compare different versions of that simulation to the way the building is actually functioning in real time, we can tell if there is a problem, whether it's an engineering problem, a software problem, or if someone is actually attempting to compromise the building—physically or digitally. I expect the use of digital twins for improving security to increase in 2022.


Public-private partnerships & cyber-norms: High-level teamwork will create lasting impact


Public-private partnerships for cybersecurity will continue to be critical in 2022. It is not possible to face these mounting cyber threats alone. Our risk mitigation and response are made stronger when we collaborate across the public-private ecosystem, from organizational Computer Emergency Response Teams to federal agencies like CISA and the National Institute of Standards and Technology.


While we are seeing passage of more cyber regulations, we will also see more companies acting on their own to be cybersecure regardless of the laws in their home country, as many companies striving for predictability work together to create cyber norms. If we have more and more companies doing this across international boundaries, these self-organized cyber norms will most likely inform regulatory policies, further reinforcing the predictability businesses need to thrive. A good example of a global alliance aimed at improving cybersecurity through cyber norms is the Charter of Trust. Initiated by Siemens, it brings together companies and industry partners to establish binding rules and standards for secure digitalization of the world’s infrastructure.


A breakthrough year


Crisis response can strengthen cybersecurity for years to come, which is why my last prediction is a simple one: 2022 will be a breakthrough year. The new infrastructure law contains a five-year allocation of $21 million to the office of the National Cyber Director and $100 million for the Cyber Response and Recovery Fund. This advancement, among others, will strengthen partnerships and open more doors for new talent—attracting a new generation of cybersecurity professionals with the novel, diverse mindsets we need.

Published: January 28, 2022