Just like rustproofing and many other endeavors, it’s better to give it forethought and install it during manufacturing than treating it as an afterthought and trying to add it later.
For instance, besides diligently evaluating what type and how much cybersecurity is needed, Idaho National Laboratory (INL) advocates using Cyber-Informed Engineering (CIE) to design cybersecurity into equipment, process applications and networks early in their lifecycles. Similar to process safety for physical risks, CIE uses design skills, physics and think-like-an-adversary practices to engineer out security risks, and emphasizes the partnership needed for designers and engineers to work with cybersecurity professionals to determine possible and worst-case consequences possible from cyber-attacks and related failures.
“CIE started as a philosophy inspired by Mike Assante at INL with a series of research projects in conjunction with the U.S. Dept. of Energy (DoE) to test systems and find and solve vulnerabilities through engineering approaches as opposed to just applying patches,” says Virginia “Ginger” Wright, energy cyber-portfolio manager at INL’s Cybercore Integration Center. “It shifts the focus from seeking a completely vulnerability-free system to understanding that any digital system can fail or be subverted, and that cyber hygiene can’t mitigate all threats. This allows practitioners to concentrate on engineering out as many weaknesses as possible, early in the systems engineering lifecycle.”
CIE manifests as CCE
Wright reports that maturation of CIE is guided by the DOE National CIE Strategy, released this summer. The five pillars of the strategy drive INL’s research and development of the body of knowledge around how CIE can be best applied in different organizations, and determining where mitigations can be applied. INL is taking its CIE strategy to engineering schools to incorporate fundamental cybersecurity education that most don’t receive in their engineering curriculums. In fact, INL has already been working with Auburn and the University of Texas, San Antonio, to incorporate CIE in their programs.
“INL’s patented Consequence-driven Cyber-Informed Engineering (CCE) methodology is the first operationalization of CIE principles to go into widespread use,” explained Sam Chanoski, a technical relationship manager with INL’s Cybercore Integration Center. INL conducts training and engagements for CCE customers, and licenses CCE to selected practitioners. For example, water engineering firm West Yost recently became the first organization to license the CCE methodology, which will allow it to help U.S. water utilities protect their operations from cyber-threats.
Likewise, starting in 2023, INL will launch a “community of practice” to educate users about CIE, and develop cybersecurity mitigations for their applications and facilities. Its first product will likely be an implementation guide to walk engineers through the process of developing a cybersecurity program for applying CIE principles to their work, including guidance on who needs to participate and what data is needed, identifying security considerations early in the engineering lifecycle, mitigating risks, deciding how to handle risks that can’t be mitigated, and tracking and trending progress for continuous improvement.
