Reframing Infrastructure Security

“We also know as engineers that changing things after a build is more expensive and difficult than it is at the design phase,” Doupé said. “In software, for example, we conduct a security analysis of a system before it’s actually created. And we keep doing that at every stage of development, fixing the problems we find as we go. This software engineering concept could be applied to civil engineering and yield significant benefits as we upgrade our national infrastructure.”

Chester says this kind of cross-disciplinary collaboration is vital to advancing resilience in the power, transportation, water and other systems that enable society to function. But alongside research and development, he says we need to expand our view of engineering education.

“We already do a lot to enable emerging and disruptive technologies that expand the functionality and improve the efficiency of our civil systems,” he said. “But successfully managing the transitions we face as a society includes thinking about how we see a civil engineer today versus what we envision a civil engineer as needing to be in the years ahead.”

Chester and Allenby say that engineering’s core competencies now need to include cybersecurity. Doupé notes that the Accreditation Board for Engineering and Technology, or ABET, requires that all university computer science students be exposed to security concepts.

“And at ASU, we’ve been very proactive in requiring that all computer science students take our introduction to cybersecurity course. But we can broaden that requirement,” Doupé said.

“Yes,” said Allenby. “We can make security a mandatory part of all engineering degrees. Engineers need to understand the security implications of what they do. But education is not just about universities. Professional associations have a role to play in training. There are many ways in which we can stay on top of security.”

Doupé added that equipping engineers to stay on top of security is vital to avoiding more ransomware attacks of the kind that struck the fuel pipeline network in the southeastern U.S.— or worse.

“If that situation caused as much disruption as it did, imagine what would happen if an entire city’s power grid gets seized for ransom.”

Basic Hygiene
Engineers build bridges to carry remarkable loads and withstand powerful winds. But the challenges of infrastructure security are not just physical forces or Mother Nature.

The dangers include human adversaries who learn how a system works and then plan to make trouble. And while there are cybercriminals capable of defeating almost any security measures, a great deal of protection can be achieved through what Doupé calls basic hygiene.

“When a computer requests user permission to conduct an important security update, most people click ‘remind me later’,” said Doupé, an associate professor of computer science in the School of Computing, Informatics, and Decision Systems Engineering, one of the six Fulton Schools at ASU. “However, if it’s one of the computers running a power grid, it’s probably vital to make sure those updates are in place.”

But Doupé said even these simple measures can be difficult to implement for a variety of valid reasons. One example may be when computers supporting a utility system have been certified for one particular use case.

“The company running that system could be very hesitant to apply updates out of fear that it will cause operational problems,” Doupé said. “That’s one of the key challenges of computer security right now. We tend to push the task of testing onto end users. So, we need to think about how to offer these security patches with assurance that they are not going to compromise functionality. It’s not necessarily a complex issue, but we need to address it.”