"Walls have ears": NEOM's CISO on threats facing "smart" cities
EXCLUSIVE: Mike Loginov speaks about the vulnerabilities of building systems and the need for cyber resilience
As the UAE, Saudi Arabia, and other GCC countries work towards developing smart cities, the focus has shifted to building technologies and cutting-edge research driving energy-efficient ‘smart’ buildings, connected infrastructure, and seamless mobility solutions running on sustainable power grids.
Yet, technology on its own, secure or otherwise, does not make a building or a city ‘smart’.
Speaking exclusively to Construction Week, the chief information security officer at Saudi Arabia’s Public Investment Fund-backed (PIF) flagship gigaproject NEOM, Mike Loginov, says: “What makes a city or a building ‘smart’ is a combination of complex factors that once integrated and functioning in harmony form a ‘smart’ ecosystem.
“In short, I see these as ‘smart environments’, which adjust to meet the needs of the building’s or city’s residents, and improve the liveability of the city through cleaner, safer, more efficient and effective systems.”
In the process of building such a city – which can think for itself – construction materials and methodologies are changing in terms of how they monitor and collect data, interact with the environment, and adjust in real time to operating demands.
Currently, autonomous building management systems (BMS) and operational technologies (OT), among other solutions, are monitoring, managing, and controlling processes and networks based on data being generated, organised, analysed, and interpreted.
However, software or control systems used to operate devices come with inherent security vulnerabilities that can be exploited. The need to prioritise the safety and security of networks and connected systems has become greater than ever before.
Loginov says: “One current challenge from a cybersecurity perspective is managing the sheer scale and volume of devices. Most operational technologies and building management systems haven’t been designed, or built, with cybersecurity in mind.
“This is why, at NEOM, we will be using state-of-the-art technology from the beginning without any legacy issues. Everything we develop will be built from the ground up, so we can integrate the latest secure systems at every level from the start. We will address vulnerabilities across the spectrum of devices.”
Industry analysts have pointed to national infrastructure projects, including roads and utilities in the Middle East, being under constant threat.
Loginov confirms: “The instances where national infrastructure has been attacked and disrupted through weaponised cyberattacks continues to evolve and grow. Cybersecurity is, therefore, a very serious concern for governments in the region.”
Cybersecurity provider Kaspersky Lab reported more than 150 million malware attacks in the Middle East, Turkey, and Africa (META) during Q1 2019 alone, representing an average of 1.6 million attacks per day, marking a 108% year-on-year increase.
“Security is very important for us. At this point we are defining our contractual terms to ensure that suppliers and partners to NEOM provide contractual assurances that cybersecurity testing has been carried out to an acceptable standard through their own development and design processes,” Loginov adds.
“By pushing the requirement for secure supply back to the market, NEOM will lead the drive in helping to ensure a safer more secure future for all.”
In addition, much of the construction in NEOM will be mass modular, which will involve highly technical solutions in the manufacture and operation of the buildings.
“Vendors must start building devices securely. End users must drive the market to encourage suppliers of systems, platforms, and applications to take security seriously by ensuring contractual clauses focus on security issues,” Loginov adds.
What you can’t see, you can’t defend – this is a common adage in the cybersecurity world. I brought this up in conversation with Loginov in the context of creating awareness for cybersecurity within the construction phase of a building or a city.
He responds: “Another common adage in the cybersecurity world is that ‘the attackers only need to get lucky once’, while on the defender’s side, we need to stay lucky full-time – 24 hours a day, seven days a week, every single day of every year.”
“The old saying that ‘walls have ears’ has never been so true, or indeed, easier to deploy, exploit, and monitor. As we become increasingly digital, construction companies should know what goes into their ‘walls’ and should be responsible and accountable for managing the risk to their clients in an appropriate way.”
Yet, this is not just an issue only for megaprojects and megacities of the future. It is here and now, and all stakeholders within the construction industry need to take cognizance.
“Depending on your business and the level of risk appetite your board or sponsors are prepared to take, building your own team of cybersecurity specialists should be a priority. If you do not have the resources, outsourcing to a recognised Managed Security Services Provider (MSSP) is an option to explore,” he advises.
“At a basic level, take a resilient, layered defensive approach. Make sure all systems are patched regularly against known exploits; train your staff as the first line of defence against phishing attacks; and monitor systems and platforms regularly.”
Physical and digital worlds are becoming more integrated and interdependent. It is becoming correspondingly imperative that all parties involved in a project ensure that security is incorporated into every aspect of a development.
Loginov says: “Cybersecurity will be as important to the construction industry as safety standards, such as HSE and fire and life safety, are today. Digital security and safety must become the norm.”
“Retrofitting is never the most effective way to achieve the desired result and leaves the way open to potentially exploit the gaps and weaknesses for their own means. At NEOM, our vision, from a cybersecurity perspective, is to ensure that we establish a culture and platform which champion safety and security.”
“Everyone who visits, invests, or trades with NEOM can be confident that their interactions with, and through NEOM’s digital infrastructure, will be at the highest level of security.”
Looking to the future, there is a recognised global skills gap for cybersecurity across all industries, not just construction. To help address this issue, NEOM has signed a memorandum of understanding (MoU) with the Saudi National Cybersecurity Authority to train young Saudi nationals in cybersecurity.
Loginov adds: “We are also working with other cybersecurity training partners and universities to develop relevant programs.”
According to the World Economic Forum Global Risks Report 2020, cyberattacks are ranked as the second risk of greatest concern for business globally over the next 10 years.
“In addition, cyberattacks on critical infrastructure – which has been rated as the fifth top risk in 2020 – has become normal across sectors such as energy, healthcare, and transportation,” he says.
“The demand for cybersecurity professionals in the construction industry will only continue to grow as we see more Internet-of-Things (IoT) devices come online through the launch of 5G, and what lies ahead.”
“Construction firms that hire and develop skilled cybersecurity resources will undoubtedly capture more market share as this trend develops,” Loginov concludes.