Hackers have identified infrastructure as a prime target for a number of reasons, many of which revolve around infrastructure agencies and organizations not adapting quickly enough to the changing digital landscape and not properly training employees on how to avoid exposing their organization to online risks.

The problem is significant enough that the $1 trillion infrastructure bill recently passed by the Senate directs billions of dollars to “cybersecurity purposes” and calls for the establishment and implementation of a program to accelerate state “adoption of advanced digital construction management systems applied throughout the construction lifecycle (including through the design and engineering, construction and operations phases)” that:

• maximize interoperability with other systems, products, tools or applications;
• boost productivity;
• manage complexity;
• reduce project delays and cost overruns; and
• enhance safety and quality.

Many government agencies operate on systems which were designed 20 or more years ago and don’t integrate with other organizations’ data systems. This presents significant risks because they often introduce a single point of failure—if a hacker hijacks a legacy system, the data is most likely not sufficiently backed up in a separate location. To make matters worse, most legacy systems have not been updated with security measures to appropriately address modern day ransomware, making them easier for hackers to access.

One reason legacy systems often aren’t replaced with more secure and reliable systems is push-back from employees who are accustomed to using the existing systems. Migration to a new, cloud-based system is often seen as too much work to undertake, which leads organizations to simply maintain the status quo. As a result, 70% of the government’s IT budget is spent maintaining legacy systems, some of which still operate on Common Business-Oriented Language (COBOL), a programming language first developed in 1959. Similar to physical infrastructure like bridges or highways, the longer these systems exist without being modernized, the more expensive they become to maintain.

Some agencies have approached this problem by developing and implementing new internal software systems rather than adopting solutions offered by private companies. This quickly becomes an expensive endeavor and introduces a number of risks and inefficiencies, such as:

• requiring a dedicated in-house staff to train, support and maintain the system;
• inability of the system to evolve as new technological advances are made, quickly rendering the software “out-of-date";
• lacking the ability to integrate with other private software solutions, thereby creating a single point of failure; and
• requiring additional management, reporting and budgetary requirements for efforts that often fall outside of the agency’s area of expertise.

Finally, large infrastructure companies and government agencies are frequently targeted because cybercriminals understand the lack of priority that is often given to upgrading their software systems. Approximately 70% of businesses fail to see their digital transformation plans to a satisfactory conclusion and only four out of 10 state officials believe their agencies will migrate at least some of their IT infrastructure to the cloud by the end of 2021.

The investment to upgrade legacy systems is often perceived as being substantial, even when maintaining the existing system is far more expensive. Complicated procurement processes can also inhibit organizations from upgrading their legacy systems in a timely manner although industry insiders suspect this will be much less arduous in the near future due to the infrastructure bill.

Moving to the cloud can improve overall security by leveraging the expertise of cloud vendors. Since the security of their clients’ data is a top priority, cloud services providers employ a multi-layered security approach to mitigate threats before they can materialize into serious cyberattacks, and they generally maintain robust security protocols. President Biden’s recent Executive Order on improving the Nation’s Cybersecurity acknowledged the shortcomings of legacy systems, calling for agencies to accelerate cloud migration and “update existing plans to prioritize resources for the adoption and use of cloud technology.”

Breaking the trend

The key to mitigating cybercrime risks is shifting from a monolithic architecture in which all an organization’s eggs are placed in one basket, to a modular system where several independent platforms that perform various business functions are integrated with one another. Instead of having singular points of failure, where one ransomware attack can shut down an organization’s entire online ecosystem, a modular, loosely coupled architecture reduces vulnerabilities by providing multiple points of failure. In a modular system, each component of the overall system has its own security measures in place which are most suitable for that individual business function, making it next to impossible for a cyberattack to take down the entire system at once.

In addition to the direct benefits that modular architecture provides, investing in innovative technologies fosters a sense of cybersecurity awareness throughout the workforce. Many cloud-based systems have built-in functionality that ensures employees follow online bestpractices, such as changing their passwords regularly and updating their software and hardware as security patches become available.

The industry shift to modular architecture is well underway

As an increasing number of organizations are realizing that their legacy systems were not designed to handle the challenges presented by modern-day cyberattacks, coupled with the global shift to remote working, modular architecture continues to increasingly become the norm. In a 2019 study, seven out of 10 state officials surveyed expected that their agencies will shift the bulk of their IT investments to cloud-based models by 2022 rather than using agency-owned data centers. A 2020 study also found that cloud services are becoming an essential component for modern, digital services delivery within the U.S. infrastructure industry.

Next Steps

Adoption of new technologies is always challenging for an organization as it requires employees to change their processes and expand their knowledge base. Three crucial considerations should be made before deciding whether to move forward with a new technology:

1. Tools. Is the software the right tool for the job? Does it address the organization’s needs? Will it substantially improve efficiency, security, costs, and other important metrics?
2. Adoption. What will adoption of the technology look like within the organization? How can the organization ensure that employees will use and find value in the technology?
3. People. Are people within the organization on board? How can the organization ensure all team members are comfortable with the transition?

The most important of these three key factors, which is often overlooked, is the people component. Rather than simply rolling out a new technology without providing any context to the employees, it’s vital that the organization implementing the change fully explain how the technology will bring value to the organization and its people.

In looking to the future and assessing how infrastructure will be sustained, changed and built anew, it is important to modernize legacy software systems to protect vital societal assets from malicious attacks. By doing this, organizations involved in the construction industry will realize myriad benefits, including a more efficient allocation of time and resources, as well as better data to facilitate more informed decision-making from all stakeholders.