ISECUREI IBY DESIGN 2020

CYBER RESILIENCEI IN THE AGE OFI INTERCONNECTIVITYI

Autonomous vehicles – the pace Navigating the threat landscape Is the aviation industry taking ATKINS of change versus cyber security in a 5G enabled world cyber security seriously enough? Member of the SNC-L avalm. Group Foreword

It’s fair to say that 2020 has been a year of change and uncertainty. From COVID-19 and Brexit to the increasing urgency of Net Zero. And that’s without mentioning the relentless technological advancements demanding more interconnectivity between new digital systems and legacy critical assets, that’s bringing together previously isolated sectors in new and interesting ways.

It goes without saying that all opportunities come with their own challenges – a core one being their cyber resilience. And with their increasing connectivity, the impact of a cyber-attack has the potential to be greater than ever before, rippling through this web of connection across the sectors, with boundless consequences. So, how do we protect our energy and water supplies, critical transport systems and automated manufacturing plants? How can we ensure cyber resilience is built into new technology ‘by design’? And perhaps the greatest challenge – how do we embed cyber safety into assets and systems that were created at a time when the likes of ‘hacking’ and ‘cyber-attacks’ were the stuff of science−fction? There are the questions we should be asking ourselves – across all industries – and are some of the key discussion points being considered in this magazine. In some cases, we’ve even provided potential resolutions. But that doesn’t mean we think we have all the answers, but simply that we all−need to be thinking about how, together, we can protect our infrastructure from the existing threats of today, and the potential threats of the future. So, read on. Enjoy. And do get in touch if an article sparks your interest – we’re keen to collaborate on−the future of cyber.

Matt Simpson Technical Director, Cyber Resilience

[email protected]

Matt has over 20 years’ experience in System Engineering, Technical Assurances and Cyber Security. He provides C-Level subject matter advice to key clients on variety of topics including transport security, safety system assurance, secure SCADA architecture and Internet of Things. Matt’s previously worked with the UK Government and the academic sector to produce global standards and guidance in the feld of cyber security and−smart−infrastructure. Contributors

Martin Richmond Christian Compton Mike Bird Technical Authority, Cyber Security Principal Cyber Security Consultant Client Director Martin is a Chartered Digital Electronics Christian has over 15 years’ cyber After spending some 30 years in the Engineer with over 20 years’ experience security knowledge and experience, in British Military, Mike joined Atkins as of cyber systems design, testing roles including leading cyber security a Client Director in 2018. Primarily and assessment. Working across incidents across Critical National focussed on cyber security and government he has proven experience Infrastructure (CNI) for the UK resilience at a portfolio and programme of complex technical and innovative government, and holding the position of level, Mike has a particular interest cyber solutions as well as the validation, Lead Cyber Security Advisor for the civil in digital transformation and its characterisation and testing of system nuclear sector. Since being at Atkins, he associated development and delivery vulnerabilities. His passions include has been involved in a variety of projects of›capabilities. the application of critical thinking and across CNI, and recently in the area of domain-driven Open Source intelligence Connected and Autonomous Vehicles. analysis to secure engineering›design. Editor

Caroline Bimson Jean-Sebastien Connell Jessica Roberts Practice Manager Consultant PR Manager Caroline leads on Business and Digital Jean-Sebastien is part of the Future Working with the security, aerospace Consulting within the Transformation Borders team at Atkins, with experience and defence markets, Jessica is and Delivery Practice. She specialises in cyber and digital projects across responsible for raising the profle of in defning and delivering complex government, defence and aerospace. Atkins and its experts across a range transformation with experience in of external platforms, from press digitally enabled change. interviews and magazine articles to news›announcements and›social media. Caroline Bimson Practice Manager, Atkins Is technology the answer tošfraud detection? Do you know how much personal information you’re sharing online? There are the details you choose to hand over, for example, your debit or credit card number, which you exchange for goods and services. And the data you may not realise you’re providing others with access to (think about cookies on websites), or even that’s been stolen.

The amount of data we’re generating Organisations of all sizes and across However, the power of data, used well, has grown at an extraordinary rate, sectors now have the diffcult job of has vast potential to detect and prevent along with the computing power that weighing up the potential benefts fraud. To fght fraud, you frst have to enables organisations to process and of their data gathering and sharing fnd it. Major government departments make use of that information. There techniques with the need to keep including HM Revenue and Customs, are real benefts – it can increase a people’s data safe. Organisations have Department for Work and Pensions, and company’s or department’s effciency a weight of responsibility to collect the the National Economic Crime Centre in and improve our customer experience. ‘right’ data, to process it and to share it the National Crime Agency have done But it needs to be designed carefully. fairly. Throw into this mix, data that are just this. The National Fraud Initiative in Cyber attacks are on the rise. Fraud wrong, stolen or misleading and more the Cabinet Offce identifed over £300m plays a big part in this and the UK than ever before, fraud is a challenge of fraud between 2016 and 2018 by Government estimates that £31-£53 to every organisation. This pieces into matching the data of local authorities billion of public money is lost through a far more complex picture than digital with that of others. In the private sector, fraud each year. by−default. the Insurance Fraud Bureau (IFB) brings insurers together, pooling claims data to then fag suspicious patterns and networks of behaviour. As well as leading to over 650 2. Artifcial intelligence It’s impossible to say where this will go convictions, this ability to analyse large The rapid pace of development in next. In the context of counter fraud, sets of shared data helps protect the Artifcial Intelligence (AI) represents potentially when a department or general public from purposeful collisions the maturation of a technology that agency updates its own database, other between vehicles, designed to enable has existed for over 50 years and is members are notifed. Notifcations fraudsters to make fraudulent claims. set to bring further opportunity for mean that every organisation or database that needs to know about Technology has a key part to play in improvement to identify and counter that change does know, and instantly. this. Established technologies are fraud. The convergence of large data this could mean a distributed set of gaining the computing power behind sets, powerful hardware and advanced authorised accounts with different them to be used in anger and emerging algorithms have made AI increasingly permissions able to share data technologies are showing their potential. capable, for example, through faster data analysis. AI technologies can seamlessly. However, as for all socio- Here are three key developments: search through vast amounts of data to technical security systems, the users look for patterns and identify potentially are the weak link no matter how cutting 1. APIs fraudulent transactions, predict edge the cryptography is and managing A core technology to make data sharing behaviour, make recommendations, this risk remains paramount. Cost will a reality is the use of APIs (application for example, that a transaction also be a limiting factor. programming interfaces). It means should be investigated further, that different technologies can use a and classify information. People or machines? common language to communicate These three technologies can help with each other. Instead of a human Machine learning algorithms are not organisations tackle fraud and reduce needing to input data at one end of a as good at understanding complex human error by automating repetitive conversation, multiple technologies can unstructured data such as images and tasks and identifying repeating patterns “talk” to each other or to a central hub in undertaking non-deterministic analysis or anomalies. But when we’re dealing technology-to-technology conversations. yet. However, machines are increasingly with information that needs to be outperforming humans at aspects interpreted it adds another layer of They can make the transfer of data of some of these challenging tasks, complexity for organisations. Cognitive unnecessary in some cases: one including image recognition, bulk data bias may be a well-known factor for version of the truth can remain, with analysis and providing decision options. people’s decision making, but there APIs querying a trusted, up-to-date Certainly, AI promises quicker are also concerns about bias in AI. If data source with the freedom to build an algorithm decides someone is more the front-end design in different ways. decisions examining a broader range of information, which will be particularly likely to be guilty of fraud, how can we For example, Atkins supported the check what led to that decision? Can Cabinet Offce to create the Counter relevant as human capacity is challenged by the deluge of data. But AI be charged with making decisions Fraud Data Alliance, setting up data at all? Even if an algorithm only makes sharing technologies between the public replacing people with AI is not as simple as a straight switch - optimising the recommendations, is that still a step sector, banks and insurers. Government too far? And how can we be certain and industry work in partnership to capabilities of humans and AI in teams to mitigate weaknesses will be essential. that AI that learns in an unsupervised securely share known fraud data for the way is not just repeating and amplifying prevention, detection and reduction of inherent prejudices? fraud. Each has very different systems 3. Distributed ledger technology but the back-end technologies can use (or blockchain) It’s imperative that we see these APIs to create a single conversation. Distributed ledger technologies take digital tools as just that – tools to be data sharing another step forward. employed by people. It’s also important Designed and implemented well Instead of a centralised authority, for organisations to treat data properly – perhaps also using their front- network members exchange data and ensure the thoughtful and end cousin, RPA (Robotic Process securely across a distributed ledger complete application of data protection Automation) with its rule based steps and the data must be synchronised, principles that go beyond the obvious and clicks - they can reduce the need for which means there can only be one and restrictive rules of how long we multiple versions of the truth, increasing version of the truth. can store data and for what purposes. data quality while being able to share Instead, they should be embedded in the data faster. ways we design our software and gather and share data, so fraud and errors can be detected from the get-go. Navigating the threat landscape of a 5G enabled world You’re stuck in a traffc jam on the motorway. Like everyone else, you want accurate, up-to-date information about how long the traffc will take to clear. You’re also checking alternative routes to see if you can fnd a faster option for the driver.

Meanwhile, you’re texting your friends It does this by transmitting data at First of all, it means there will be a to tell them that you’ll probably be late. rates that result in a low-latency, greater reliance on the supply chain, A friend in the backseat is streaming seamless experience, enabling real-time given the need for this ‘mesh’ of TV shows and music to alleviate their provision at the point of consumption. network access points and microcells boredom. Now imagine thousands of Put in the context of Critical National for a successful 5G network. Without cars all engaged in the same activities. Infrastructure (CNI) this will permit delving too deeply into the story around This can lead to the network quickly levels of machine integration, monitoring state-actor access and high-risk vendor becoming clogged; surfng speeds and data driven decision making that equipment (you can read more about decrease and soon it’s not just the traffc will completely transform how this that --here if you wish) there is a very real that’s reduced to a standstill. infrastructure operates. It will enable an challenge with ensuring cyber resilience all-encompassing network of sensors across the entire network from 3rd But not with 5G. It allows many that can detect, record and analyse party vendors. connected devices to access the anything that the 5G-enabled system is network and receive a similar, effcient This need for cyber-security expertise capable of measuring: sound, vibration, experience. It also permits a multitude of and understanding is a far-reaching light location, heat – any aspect of the machine-to-machine data conversations issue. In order for the 5G network to environment around us – and fuse this for your information to arrive within a become all encompassing, there will be to provide a sensor network that can timely manner, by sharing data between an access point on every street lamp, analyse its own environment. nodes as you move around the transport signpost and billboard. Bus stops will system, relying on a multitude of In turn, this will lead to true mission become microcells and each building access points and micro base stations critical communications. For CNI, will have its own 5G cell. Local councils to transfer the data you need back and this means the creation of real-time will not have the in-house profciency forth. Your car will even be able to report response and alerting – a priceless tool to verify the security of this equipment, on your driving style! when a crisis occurs. at the scale that it will be rolled out. So, where does the onus of responsibility Harnessing the potential What’s standing in its way? fall and who is accountable for the in industry So, what does this unprecedented security of this new infrastructure? high-speed interconnectivity mean for 5G brings the potential for Is it down to the people installing cyber security? Quite a lot, really. Not mainstreaming of new immersive the new cells? Will government only will we see a myriad of potential technologies like virtual and augmented regulation mandate what qualifes as new threats, but it highlights some of reality, integrated sensing and coherent ‘adequate cyber resilience’? Should an the fundamental issues we’re already real-time performance monitoring. independent party be required to certify beginning to see, that will only become the cyber-security of the system? more prevalent as 5G is rolled out. These are all questions that are still Connect, collaborate, just being worked through for existing consolidate, secure networks, let alone the new world of 5G. Fittingly, interconnectivity and its With the network requiring such a vast security requires the efforts of many number of cells to operate effciently, stakeholders working together. Across the number of potential access points public and private, digital and physical, for hackers to exploit is exponential, we need more collaboration to uncover thus exposing a huge attack surface. the best use cases and potential attack Because of this, the risk associated with paths as early as possible. any cyber threat needs to be considered Ultimately, 5G is a framework that differently; the days of looking at has the potential to transform the component-driven risk assessments way we interact with and operate our are long gone with the arrival of 5G. Critical National Infrastructure. Now is Instead, we need to think of the whole the time to embed cyber security into network as an interactive system, the network, to ensure its successful complete with people, processes and implementation and help us fully realise technology all operating and interacting the potential of 5G. with each other. The NCSC has some really good guidance on system-driven risks and how to consider them; explore Martin Richmond them here. Managing Consultant – Cyber Security, Atkins Autonomous vehicles – the pace of change versus the need for cyber security For many of us, car buying has become increasingly complicated. Gone are the days of choosing a vehicle based on the likelihood it will get us from A to B. Now, having easy access to the latest technology is often at the top of our shopping list.

Now, our cars can automatically control And that could make our roads safer. But to operate autonomously, cars need ' l our speed and alert us if we suddenly These driverless cars, or connected a seamless fow of timely, accurate stray from our lane. Some will even help and autonomous vehicles (CAVs), could and reliable data and that means they us manoeuvre into tight parking spots. also help reduce traffc congestion and need to be connected. Connected to .. In fact, it won’t be long before the car is pollution; improve accessibility and the internet, to transport infrastructure, doing all the driving. inclusivity for people who are older or to network control and monitoring less mobile; boost jobs in the automotive systems, and to each other. That and adjacent sectors; and spark communication system must be robust economic growth1. and resilient. Currently, a breakdown is usually an inconvenience. If we’re not in the driving seat, it could have serious safety implications. So, how do we secure CAVs? The US’ National Institute of Standards In the fast lane And�what are we protecting and Technology has developed a But as I’ve already mentioned, them�from? globally recognised, tried and tested car makers are introducing more model that is applicable across sectors Disruption to the CAV system could be connectivity and autonomy to vehicles, and−focuses−on: a result of a power outage or extreme and some of these new autonomous weather. And just like other connected Identify: understanding the risks to features could be trialled on our roads 2 devices, CAVs are also vulnerable systems and assets as soon as next year . So, are we running to cyber-attack. But securing them out of time to ensure that cyber security Protect: the measures that can be taken isn’t just a technical problem, it’s a is at the top of the entire ecosystem’s to prevent an incident challenge that requires a coordinated to-do list? human response too. That’s because a Detect: processes and tools that help us The speed of technological change number of procedural and organisational spot unusual activity means we must act now to ensure factors will determine how quickly and the cars that are on roads in the years effectively we can detect and respond Respond: the action we take when an incident has occurred to come are safe and secure. That to incidents, and minimise the impact on means sharing cyber security expertise road users. These include: Recover: the steps to take to enable us across all of the sectors involved, from › How incidents are identifed to return to normal operations as quickly automotive and technology to the public as possible. sector; demystifying it for organisations › How severity is assessed that are currently less exposed to This fve-step framework is useful › How the relevant authorities and cyber risks; and building trust between because it helps us understand organisations respond – from the stakeholders so we can all share openly how individual measures ft into an government, emergency services and and with the benefts of CAVs to society organisation’s overall approach to highways and local authorities, to car in mind. manufacturers and the vehicle owner security. So much so, it forms the basis of our own industry-specifc guidance, They’re also the goals of Zenzic, an › Who within the relevant the Incident Response Framework organisation that was created to bring organisations−responds. (IRF), that was developed as part of the government, industry and academia In this way, securing CAVs is no different South West England-based FLOURISH together to help realise the potential of to protecting any other business- driverless car project. The IRF outlines CAVs in the UK. Its roadmap sets out critical or safety-related system. For the challenges we face in ensuring the the steps we need to take to ensure that reason, we can look to more UK’s CAV ecosystem is protected from people are benefting from driverless established−sectors for best practice. interference and that a minimum viable technology by 2030, with collaboration level of service is always maintained. and cross-organisational data sharing Watch and learn playing a central role. In the highly regulated nuclear sector, If we come together now, with the safety always comes frst. Risks are government in the lead, we can make identifed and assessed early on, and our roads safer and position the UK strict procedures are put in place at the forefront of CAV innovation. to control the likelihood of an event But more importantly, we’ll be laying occurring and to mitigate its impact. This a frm foundation for the future. No approach, which has matured over time, organisation wants to respond to an now extends to the virtual as well as incident that could have been prevented physical world. if we’d given ourselves more time. There are also several frameworks that help infrastructure organisations work towards achieving cyber resilience. Christian Compton Principal Cyber Security Consultant, Atkins

1 https://www.smmt.co.uk/wp-content/uploads/sites/2/SMMT-Connected-Report-2019-summary.pdf ² https://www.theguardian.com/technology/2020/aug/18/self-driving-cars-allowed-motorways-industry-risk Is the aviation industry taking cyber security seriously?

If you think cyber security in the aviation industry means merely protecting websites and online booking systems from malicious hackers, it’s time to think again. The issue is much broader, in an industry that’s evolving to fully embrace the benefts of going digital, where any stage along the complex maintenance, repair and operations (MRO) supply chain is exposed to potential risk and loss of service.

Do you remember the original Jurassic Why resilience is a A secure airline industry Park flm, where the lifelong dream business-critical�issue is�a�safe�one of an eccentric genetic pioneer – to So, operating in an industry where any So, there’s a lot to cover. But we have bring dinosaurs back to life – was very aeroplane grounded at an airport beyond to start somewhere – and there is a quickly destroyed thanks in part to the its scheduled time incurs cost, it makes willingness to learn across the sector, negligence of a wayward computer plain business sense to take a step back and a general view that the only way is programmer? Admittedly, being eaten and view the bigger picture and tighten forward in addressing these issues. We by dinosaurs is rather an extreme any weak spots. Because resilience is know that security underpins safety. example of what can happen when IT a business-critical issue. And timing By failing to address emerging cyber goes wrong, but it nevertheless gets to is of the essence. While aviation is security risks linked to digitisation and the heart of the cyber security problem: increasingly embracing the digital interconnectivity, you’re effectively any IT system, no matter how advanced, revolution – and within the aviation MRO putting the entire sector in jeopardy. clever and complex, will only be as sector there is an undoubtedly a strong However, as things stand, there are no strong as its weakest link. pull to embrace digital systems and specifc cyber requirements mandated And this issue is seriously coming processes and cast old-fashioned paper by EASA. Regulation and legislation are to the forefront today within our systems aside – that means increasingly coming – but no offcial date of their industry. Sure, we know of the damage integrated networks will need to be arrival is yet available. But cyber has that hackers, crashed websites, and opened-up for users to access processes been a hot topic for a while now; we disrupted navigation systems can and systems. It means that potentially need to increase the pace if we’re to cause – not to mention errant drones thousands of people along the MRO ensure the safety of an entire industry. – but bad computer security isn’t just supply chain will need to have that about what hits the news headlines. access, as never before. And this means Poor resilience in any IT system can there will, inevitably, be weak links and have the knock-on effect of infecting exposure to risk like never before, too. core business operations at any level to devastating effect, and the causes can come from many new places – from an infected USB stick plugged into a major maintenance database, to poor staff−training. Making it happen Also, on the horizon, we need to know So, how do we ensure that regulations how to better manage increasing are put in place to cover all of the connectivity. Because tackling this ongoing and potentially upcoming issue, and its various complexities, cyber−threats? What’s needed is: is not a question of building new IT systems and processes with security › A broader understanding of the risks added as a bolt-on. It’s about ensuring of interconnectivity to, for example, every touchpoint of IT systems can original equipment manufacturers’ demonstrate resilience – old and new. IT−platforms It’s about adopting a step-change in your › A better understanding and understanding of engineering – and not awareness of the risk of integrating merely ‘getting in cyber security experts’ such platforms and opening them up to deal with the problems that will, to multiple users inevitably, arise later on. › Clarity around how systems can There’s no doubt that the issue of recover after a cyber attack cyber security in the aviation industry › A better grasp of managing will be a transformative one. It has to risk across supply chains and be – it’s business critical after all. Now between−companies. we must fully support EASA and other accountable regulators to ensure cyber security is embedded in all systems. Because if not, the results could be−catastrophic.

Matthew Simpson Head of Cyber Security, Atkins How can airports better protect themselves againstšcyber attacks? We are in the midst of a technologically-driven revolution. For airports and their passengers, this has the potential to bring substantial opportunities and benefts; the−World Economic Forum (WEF) reported earlier this year that artifcial intelligence alone is expected to boost global economic growth by 14% by 2030.

However, these opportunities also And thanks to OT’s growing Set within this context, attackers, present themselves to airport industry’s interconnectivity, an attack to power at negligible risk to themselves can C-suites as a catch 22. Investing supply, hardware or software could have undertake preliminary attacks from in digital transformation implies substantially further-reaching effects anywhere in the world, and without both complexity and expense, and than ever−before. raising suspicion, they can conduct could therefore be seen as high risk. a detailed analysis of the targeted Conversely, failure to invest would The expanding threat systems in preparation for executing see airports become increasingly To an adversary, the increasing use primary attacks. These could result vulnerable in the face of ever expanding of sophisticated technology notably in physical damage to the airport, and dangerous cyber threats, with expands their attack options. The for example by shutting down air potentially catastrophic effects. So, in WEF’s 2020 Global Risks report states conditioning in the data hall, damaging the face of this conundrum, how can that “cybercrime-as-a-service is also the servers. This is not, however, solely we better protect our airports from a a growing business model, as the confned to the virtual domain. Exploiting cyber−attack? increasing sophistication of tools on the OT may also enable an attacker to Darknet makes malicious services more bypass physical security measures and Operational Technology (OT) affordable and easily accessible for gain physical access within the airport Gartner refers to OT as “hardware anyone”. Noting that more than 50% of for criminal or terrorist motives, such and software that detects or causes a the world’s population is now online, and as planting an explosive device onto a change through the direct monitoring growing by approximately one million fuel−bowser. and/or control of physical devices, people each day, it adds that cybercrime processes and events in the enterprise.” is the “second most concerning risk for In essence, OT is what keeps airports doing business globally over the next running. Due to this technological 10−years”. revolution, OT is increasingly becoming embedded in all facets of airport operations, be that baggage handling systems, security scanners, passport controls, biometric scanners, CCTV, fuel pumps, air conditioning or control of Mike Bird entry devices, to name a few. Client Director, Atkins Based on the balance of probabilities, Planning for the long term Couple this with signifcant evidence we−must recognise that at some As with all problems, the starting that the majority of cyber breaches point, all airports will be subject to a point is to recognise that they exist. are caused by employees (both successful cyber attack. The frequency, Unfortunately, we still have a way to inadvertently and maliciously), we must severity and repercussions will be go; the WEF’s 2020 report stated that recognise that although an airport’s directly proportional to the effectiveness “using “security-by-design” principles staff are a notable weakness in terms of of the airport’s cyber and physical to integrate cybersecurity features cyber security, they have the potential to security−measures. into new products is still secondary to be its greatest−strength. getting products quickly out into the So how do airports better protect A cyber strategy is an market”. But as long as interconnectivity operational�strategy themselves against cyber attacks, in continues to grow and security is treated the face of the predicted exponential As part of the UK’s Critical National as a bolt on, cyber threats will continue rise in air passenger numbers and Infrastructure, airports must adhere to challenge airport operations. with digital innovations continuing to to the UK’s Network and Information However, it is not all about the transform airport operations? They will System Regulations (NISR). To do so, need to adopt a holistic and people- the Civil Aviation Authority published technology. The European Information Security Summit recently identifed centric risk-based approach to cyber CAP1753; a cyber security oversight security, led by the C-Suite level, process that promotes a collaborative that 88% of Chief Information Security Offcers are suffering from high levels recognising that effective employee approach to security. It highlights that, training beyond the traditional IT team is contrary to conventional thinking, cyber of stress, with an impact across both their professional and personal lives. fundamental to successful and long - security is no longer a responsibility term cyber−awareness. confned to IT. Now, airports must Meanwhile, 97% of C-suite executives ensure they are resilient to a broader believe the cyber security teams should range of attacks, from those leading be “doing more with less”. to power supply loss, hardware or software failure and physical damage, to attacks that resonate throughout the supply chain. Accordingly, cyber security must be treated like physical security and embedded into an airport’s−infrastructure. UK border resilience in the age of connectivity As an island nation, our borders have always been vital to us. And in today’s globalised and technological age, we must ensure that the way we see and understand them stays relevant. In the face of disruption or attack – be it physical or cyber – we need to rethink the way we manage these borders and instead view them as a complex Critical National Infrastructure (CNI) network of interdependent nodes. By doing this, we can ensure operations remain smooth, seamless and secure. Borders and the UK’s A Border Network With border traffc continuing to grow international supply chain Ports and airports have historically been and increasing physical and cyber threats, network resilience is now Events over the last few years have operated independently by different a necessity for the UK’s borders. thrown the UK’s global supply chain groups, with their own operating models The drone disruptions at Gatwick and its dependence on effcient borders and USPs. However, the pace of growth Airport in 2018 led to subsequent into sharp focus. The need to call of every borders’ digital footprint and fight cancellations and fnancial loss, on the military to import vital PPE data has seen growing interconnection exposing the absence of interconnected during COVID-induced disruptions, and between these points of entry and resilience of the border network. questions about the post-Brexit ability to the Critical National Infrastructure Additionally, the border network’s import components and skills for energy they feed. The use of port community already large and growing digital infrastructure, are stark reminders systems as well as new technology such footprint makes it an attractive target. of how vulnerable the UK’s global as AI and blockchain are also likely to Combine that with low barriers to entry supply chain is to border changes. Such increase the amount of digital data that for cyber warfare and it makes a large- concerns have shown that if an effcient fows through supply chains and across scale security breach a matter of ‘when’ border helps secure the UK by stopping borders. This in no uncertain terms not ‘if’. dangerous goods and people entering creates both opportunity and risk. the country, then a slow and complex Increased data sharing across the Clearly, we must address borders as border stops the right skills and goods network helps identify areas for an interconnected physical and digital coming in. investment and collaboration to network if we are to ensure a fully resilient border network in this age of Furthermore, several entry points carry reinforce the network and support increasing connectivity. In this regard, risk due being single points of failure free fowing but secure borders. With enhanced data sharing at a network by virtue of their size. In May 2020, the increasing connections between level would support the identifcation Heathrow Airport and Felixstowe Port ports of entry and the UK’s growing of port vulnerabilities and help identify were the two main UK import points, global supply chain, it is no longer appropriate ‘back-up’ solutions within being responsible for £6.79 billion enough to secure individual ports or the network, if a vulnerability were to be and £2.06 billion worth of UK imports airports. We must address them and exploited. Much like the National Grid, respectively1. So what happens to our the security requirement as a UK wide when one part of the network is down, national infrastructure if Heathrow or one. This means ensuring we secure our the rest of it will be able to take the load. Felixstowe were to be attacked and interconnected borders as a network, so stop−operating? How quickly would they remain resilient to threats and able we be able to adjust our supply chain to maintain our security in return. and obtain critical goods? Borders and our supply chain are vulnerable to a Network Resilience variety of threats. Much like a marching The concept of network resilience is far army, the UK in this globalised world is from a new one. Developed by the cyber critically dependent on its supply chain security world, network resilience is and by being the most important link in the ability to maintain a minimum level the chain, borders and their components of service in the face of challenges and are consequently the most vulnerable. threats to standard operation, and can Indeed, it is this idea of our borders be applied in both physical and cyber being a network made up of a variety space. Having been adopted by the of different components (airports, National Grid, the concept is already seaports, rail stations etc.) that we must present in the CNI space. Jean-Sebastien Connell take further. Consultant, Atkins

1 The Observatory of Economic Complexity, United Kingdom Latest Trends (May 2020), https://oec.world/en/profle/country/gbr/ Have you read any of our other magazines?

ITHE FUTURE I TRANSFORMATION OF FLIGHT IN DEFENCE 2020 2019

EMBRACING INNOVATION IN THE DEFENCE SECTOR

The four cornerstones Composites and their Using technology to help reboot Building towards How open Protecting assets – of space-enabled UAM impact on MRO operations aviation in a COVID-19 world ašdigital future shouldšyoušbe? whyšlanguage matters

IDATA BYI iSAFER IDESIGNI PUBLIC 2019 SPACESi 2020

THE VALUE OF DOING THINGS INTEGRATING DIFFERENTLY SOCIAL DISTANCING

Five ways data can help us Drones: Three benefts of focusing Reopen, Recover, Keeping the Human Temporary Measures protect people & places The bigger picture on the IM in BIM Reimagine Centric Approach orPermanent Solutions?

snclavalin.com atkinsglobal.com/cyber Or contact us at [email protected]