Critical Infrastructure Security and a Case for Optimism in 2022

The new US infrastructure law will fund new action to improve cybersecurity across rail, public transportation, the electric grid, and manufacturing.

Kurt John, Chief Cybersecurity Officer, Siemens USA

January 12, 2022

5 Min Read
Graphic that concerns infrastructure security
Source: leowolfert via Adobe Stock

For anyone working in cybersecurity, the holiday season was hardly a restful one as we grappled with the Log4j software bug across the multitude of technology systems that facilitate our daily lives. The Cybersecurity and Infrastructure Security Agency's (CISA) director, Jen Easterly, described Log4j as "the most serious vulnerability I have seen in my decades-long career." And as we prepare for such cyberattacks to escalate, I'm not surprised to read warnings that cybersecurity is now in crisis mode as we begin 2022. In a lot of ways, it is.

However, I also see reasons for optimism. Our experience responding to Log4j is already helping to put into better perspective the change needed to ensure trust, traceability, transparency, and security throughout our supply chain and America's critical infrastructure.

Furthermore, when it comes to critical infrastructure, the deployment of the bipartisan infrastructure law signed in November 2021 will spark new action to improve cybersecurity as new project funding across rail, public transportation, the electric grid, and manufacturing also brings new levels of connectivity.

With that, here are my cybersecurity predictions for 2022.

Cyber Talent and Diversity: The Need for Cognitive Variety Will Grow in 2022
We have more than 300,000 open roles in US cybersecurity, and the more machines and buildings are connected, the more cybersecurity talent we will need. This is the year, I think, that we will really ramp up diversity, equity, and inclusion (DEI) in cybersecurity to both address the talent shortage and to improve our security posture.

Cybersecurity is one of those fields where you really need creative solutions, and the ability to think one or two steps ahead of hackers if you can. That calls for intellectual talent — people with the ability to think both creatively and analytically.

Heterogeneous teams are more productive and achieve better outcomes than homogenous teams. In the cybersecurity space, DEI translates into better protection for the systems that unite networked infrastructure — a key topic for the country right now. If you have diversity in all forms, you are maximizing the potential for better insight, better analysis, and new approaches.

Supply Chain Complexity: Downstream Cybersecurity Will Increasingly Affect Upstream
Supply chains will be a significant matter for cybersecurity in 2022 and beyond. They were already becoming more complex and interconnected than ever before, and Log4j and similar supply chain-related vulnerabilities demonstrate how delicate our supply chain can be. If cybercriminals are able to compromise a smaller supplier deep within the supply chain, there is the likelihood of serious cascading impact for all other companies up through the supply chain, impacting large purchasers.

This should motivate connected suppliers and the upstream buyers to operate with a uniform set of cybersecurity protocols, including the sharing of information, and also be willing to offer contractual commitments to cybersecurity. This is critical for infrastructure, too, where consistency will be key in implementing cyber protections across operational and informational technology.

Digital Twins and Simulations: Rising Value in Comparing Right and Wrong in Real Time
The use of digital twins has picked up during the pandemic. They are proving to be a game-changer for planning, deploying, and improving infrastructure and industry. But there is another area that has yet to attract as much attention: digital twins also can be a major asset for infrastructure cybersecurity.

Let's say we've got a smart building that sits on the grid edge. Now, we produce a digital twin of that building that covers everything from IT to personnel to door sensors. The digital twin is the basis for a continuous simulation of how that building should be functioning at all times. When we compare different versions of that simulation to the way the building is actually functioning in real time, we can tell if there is a problem, whether it's an engineering problem, a software problem, or if someone is actually attempting to compromise the building — physically or digitally. I expect the use of digital twins for improving security to increase in 2022.

Public-Private Partnerships and Cyber-Norms: High-Level Teamwork Will Create Lasting Impact
Public-private partnerships for cybersecurity will continue to be critical in 2022. Nobody can face mounting cyber threats alone. Our risk mitigation and response are made stronger when we collaborate across the public-private ecosystem, from organizational computer emergency response teams to federal agencies like CISA and the National Institute of Standards and Technology.

While more cyber regulations are being enacted, we will also see more companies acting on their own to improve cybersecurity regardless of the laws in their home country, as many companies striving for predictability work together to create cyber norms. If we have more and more companies doing this across international boundaries, these self-organized cyber norms will start to inform regulatory policies, further reinforcing the predictability businesses need to thrive.

A good example of a global alliance aimed at improving cybersecurity through cyber norms is the Charter of Trust. Initiated by Siemens, it brings together companies and industry partners to establish binding rules and standards for secure digitalization of the world's infrastructure.

A Breakthrough Year
Crisis response can strengthen cybersecurity for years to come, which is why my last prediction is a simple one: 2022 will be a breakthrough year. The new US infrastructure law contains a five-year allocation of $21 million to the office of the National Cyber Director and $100 million for the Cyber Response and Recovery Fund. This advancement, among others, will strengthen partnerships and open more doors for new talent — attracting a new generation of cybersecurity professionals with the novel, diverse mindsets we need.

About the Author(s)

Kurt John

Chief Cybersecurity Officer, Siemens USA

Kurt John is the Chief Cybersecurity Officer of Siemens USA, where he is responsible for the cybersecurity strategy, governance and implementation for the company's largest market -- ~$23B in annual revenues. In this role, Kurt oversees the coordination of cybersecurity for Siemens' products, solutions, services, and infrastructure used to deliver value to Siemens USA's customers. Kurt is also a member of the Siemens Cybersecurity Board (CSB), where he works alongside colleagues to set strategy, address global challenges, and evaluate actions for opportunities in the area of cybersecurity. Most recently, Kurt was part of a Siemens Leadership Development program, where he was responsible for cybersecurity assurance projects for the Americas.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights