Beyond Steel: Securing the Digital Scaffolding of Our Cities

NEW YORK, NY – December 01, 2025 – While engineering firms gather to celebrate innovation in concrete and steel, the modern threat landscape is quietly shifting. This month, global design and engineering firm Arcadis received a slate of seven prestigious Engineering Excellence Awards from ACEC New York for projects that are reshaping the state's infrastructure. From a Diamond Award-winning climate risk platform for the Port Authority of New York and New Jersey (PANYNJ) to a mobile app that streamlines taxi dispatch at JFK Airport, the honors highlight a clear trend: the future of infrastructure is digital, data-driven, and deeply interconnected.

But as we embed software and sensors into the bedrock of our society, we are also building a new, more vulnerable class of target. These award-winning projects, lauded for their efficiency and resilience, serve as a powerful case study for the next great challenge in cybersecurity: securing the cyber-physical systems that now control our water, transportation, and energy. The blueprints for our cities are no longer just paper and ink; they are lines of code, and they demand a new level of digital vigilance.

The Efficiency Trap: When Smart Becomes Vulnerable

At first glance, the innovations are undeniably impressive. Take the Platinum Award-winning JFK Mobile Dispatching system. By creating a virtual queue via a mobile app, Arcadis enabled airport authorities to slash taxi wait times, reduce vehicle emissions, and optimize valuable real estate. It's a textbook example of using technology to solve a complex logistical problem.

However, from a cybersecurity perspective, this system introduces a host of new attack vectors. A mobile application connected to a central Ground Transportation Management System (GTMS) is a tempting target. What happens if an attacker compromises the app to manipulate the dispatch queue, causing chaos for drivers and travelers? Could a denial-of-service attack on the GTMS paralyze ground transport at one of the world's busiest airports? The system's success, with 60% of dispatches now handled by the app, also represents a significant concentration of risk into a single digital platform.

Similarly, the Diamond Award-winning Climate Risk Assessment for PANYNJ leverages a custom Digital Assessment Platform. This tool is critical for analyzing climate threats and prioritizing resilience projects for the region's most vital mobility assets. The platform ingests vast amounts of data to model complex scenarios, making it an invaluable strategic asset. But it is also a repository of sensitive information about the vulnerabilities of our critical infrastructure. A breach of this platform wouldn't just be a data leak; it would hand a strategic playbook to adversaries, detailing the precise weaknesses of our ports, bridges, and tunnels in the face of systemic stress.

These examples illustrate the double-edged nature of digital transformation in infrastructure. "Every sensor, every networked controller, every line of code that replaces a manual process adds a new layer to the attack surface," noted one independent security analyst focused on industrial control systems. "The efficiency gains are real, but they often come at the cost of previously air-gapped systems now being exposed to the internet."

Securing the Digital Veins of the Metropolis

The digitalization trend extends far beyond high-profile transportation hubs. Several of Arcadis's Gold Award-winning projects involve the modernization of water and wastewater systems—the unseen, yet vital, lifelines of urban centers. The Frank E. Van Lare Wastewater Resource Recovery Facility and the City of Newburgh's North Interceptor sewer replacement both utilized innovative solutions to meet regulatory compliance and reduce environmental impact.

These facilities are increasingly reliant on Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) for process automation, monitoring, and remote management. While these systems enable precise control over aeration, chemical feeds, and overflow management—delivering millions in cost savings and significant pollution reduction—they have also become prime targets for cyberattacks. A successful intrusion could manipulate chemical dosing to cause an environmental disaster, falsify compliance reports to regulators, or shut down a facility entirely, jeopardizing public health.

The challenge is compounded by programs like the Platinum Award-winning Resilient NYC Partners, a green infrastructure initiative. This "pay-for-performance" model accelerates the deployment of stormwater management solutions on private properties by coordinating between the city and landowners. While innovative, it creates a complex digital supply chain. Data on site suitability, project performance, and financial transactions flows between multiple public and private entities. Securing this distributed ecosystem against breaches or data manipulation is a far more complex task than protecting a single, centralized network. The resilience of the physical infrastructure becomes dependent on the cyber resilience of the partnerships that manage it.

As the American Society of Civil Engineers (ASCE) has repeatedly warned, the interconnectedness of modern infrastructure means one failure can trigger a domino effect. In today's landscape, that initial failure is just as likely to be a malicious code injection as it is a physical break.

A Unified Doctrine for Cyber-Physical Resilience

The recognition from ACEC New York rightly celebrates engineering ingenuity. But it also serves as an urgent call to action. The concept of "resilience" must evolve. It can no longer be limited to withstanding floods, storms, and physical decay. True resilience in the 21st century is cyber-physical—an integrated strategy that treats digital threats with the same seriousness as structural ones.

John McCarthy, President, North America at Arcadis, noted that the awards reflect a "relentless pursuit of engineering excellence, ingenuity, and resilience." To meet the challenges of the modern threat landscape, this pursuit must explicitly incorporate cybersecurity from the very beginning of the design process, not as an IT-centric afterthought. This "security by design" philosophy means that when engineers are designing a new water pump station, they must also be designing the firewalls and access controls that protect its digital brain.

This requires a fundamental shift in skills and collaboration. The teams building our future cities can't be siloed into civil engineers, software developers, and cybersecurity experts. They must work as a unified force. As one university engineering professor stated, "We are training a new generation of professionals who must be fluent in both the language of structural mechanics and network protocols. The skills gap isn't just in one field; it's in the empty space between them."

The award-winning projects in New York are a glimpse into a future where infrastructure is intelligent, responsive, and efficient. They deliver tangible benefits, from cleaner water in the Hudson River to a revitalized cultural anchor in Brooklyn. Yet, ensuring this future is also a secure one depends on our ability to protect the digital scaffolding that now underpins it all. The next great engineering marvel won't just be a taller skyscraper or a longer bridge; it will be the creation of a truly resilient cyber-physical infrastructure capable of withstanding the threats of a deeply interconnected world.