By Virginia Wright and Marcus Sachs, P.E.
On Feb. 1, 2023, leaders of the Cybersecurity & Infrastructure Security Agency at the Department of Homeland Security published an article in Foreign Affairs, “Stop Passing the Buck on Cybersecurity,” which described the nation’s dependency on technology vulnerable to adversary intrusions as “less a cyber problem than a broader technology and culture problem.”
The authors described that as technology has become prevalent in our lives, we have come to accept that it is also vulnerable and indefensible by design. Users of technology have assumed the burden of defending ourselves from the impacts of these flaws. This is equally true for military engineers. Digital technology in the systems we design makes them faster, more capable, and less expensive to operate than their analog counterparts. Digital tools that aid systems design processes allow us to render better designs faster and to support more complex systems than ever before.
However, from ransomware to advanced adversaries, these technologies are vulnerable to digital failure and attack. In engineered systems, the consequences of failures can be catastrophic. Though we work with our information technology counterparts across the Department of Defense to secure these systems, the protections often occur at the end of our system-design process, and leverage bolt-on solutions to mask a larger potential risk. The article from leadership at the Cybersecurity & Infrastructure Security Agency calls for a different approach, where problems are fixed at the earliest possible stage, in design, rather than in operations.
The Department of Energy’s National Laboratories have developed such an approach—tailored to the needs of the engineers building the nation’s critical infrastructure systems. This emerging framework, Cyber-Informed Engineering (CIE), allows all engineers to understand the potential consequences of digital failure or exploitation in their projects, beginning in the concept stage, and develop engineering-driven mitigations that can either eliminate or lessen the impact of such consequences.
Using this approach, military engineers can leverage a far wider range of consequence mitigations early in the design phases than traditional cybersecurity solutions provide (including manual, process, or procedural controls). Military engineers are trained and experienced in identifying, tracking, and diminishing fundamental engineering risks. CIE allows cybersecurity to be treated in the same way.
BUILDING A NATIONAL STRATEGY
The National Strategy for Cyber-Informed Engineering, released in June 2022, was developed by a team of advisors assembled by the Department of Energy at the direction of Congress. Experts from energy sector asset owners and operators, vendors/ manufacturers, standards organizations, research and academic institutions, National Laboratories, and government agencies developed a strategy which, across five pillars of action, contains strategic recommendations for building awareness of CIE, incorporating the framework into formal education, training and credentialing, building the body of knowledge by which it is implemented, applying CIE to current systemically important infrastructure, and applying CIE in federally funded research that will build future energy infrastructure and technology.
Implementation of the CIE strategy is underway. Multiple institutions of higher education—including Auburn University, the University of Texas at San Antonio, Boise State University, and Idaho State University—are building CIE into engineering curricula and degree programs to ensure that future engineers and technicians can employ these principles. The National Laboratories, including Idaho National Laboratory and the National Renewable Energy Laboratory, also are collaborating to create the body of knowledge and tools for applying CIE. A Community of Practice has been established to allow practitioners to share success stories and to learn from others.
For more information, contact CIE@inl.gov.
CIE considers 12 fundamental principles for understanding and reducing risk. These should be considered for any energy infrastructure project that relies on a digital industrial control system.
The CIE framework includes both Design and Operational Principles (consequence-focused design; engineered controls; secure information architecture; design simplification; resilient layered defenses; and active defense) and Organizational Principles (interdependency evaluation; digital asset awareness; cyber-secure supply chain controls; planned resilience with no assumed security; engineering information control; and cybersecurity culture). While each principle can be an important element within an effective risk management approach, two concepts are foremost starting in the early design phases.
Consequence-Focused Design. The engineering team can be highly effective when it can focus first on identifying the functions performed by the system or process where the consequences are most catastrophic. For those critical functions, the team considers where digital technology might allow an unprotected action to initiate a high-consequence event. These could include unauthorized system actions, invalid data that would drive an automated action, or interdiction of a digitally-governed control. Engineers then consider design changes that could either remove the possibility for the unprotected action or mitigate the consequences. These changes, if enacted, would act in addition to traditional cybersecurity protections to reduce the possibility or impact of undesired digital events to result in catastrophic consequences.
Engineered Controls. This principle leverages ideas from the traditional safety Hierarchy of Controls to help a team consider the potential security “value” of mitigative solutions.
In cybersecurity, as in safety, elimination of the possibility that an undesired digital event could happen, either by removing the digital dependency or the functions that enable the event, is the most effective mitigation, but is rarely possible.
Substitution of the dependency or function with a capability which has less potential to allow the undesired event is a more likely possibility than outright elimination, but may introduce new consequences or dependencies which must be examined.
An engineered control, such as a manual override, may be put in place to prevent the digital event from driving the consequence; however, the team must ensure that the control does not also depend upon a digital mechanism.
An administrative solution, such as a policy or procedure, may provide guidance to prevent or enable quick recovery from the undesired event, and such solutions are usually low-cost, but are also less effective than other options discussed.
Finally, some sort of protective mechanism would provide protection from the consequences of the event without mitigating or preventing it.
In CIE, the intent is to eliminate, substitute, or build engineered controls where we can. CIE’s 12 principles were drawn from decades of system assessment and evaluation by the Idaho National Laboratory and incorporate lessons learned across a range of infrastructure sectors and system complexities. The framework principles allow an engineering team to design systems that are resilient to cyber attacks well before they procure and implement the technologies that enable them. The mitigation strategies built into the design not only complement operational cybersecurity solutions, which should still be applied to selected technologies, but due to the understanding of critical functions and high-impact consequences, can inform the selection and design of operational cybersecurity to provide protections in the most important areas of the systems. They build a culture of cybersecurity on engineering projects with roles and responsibilities not just for the information technology personnel, but for everyone who participates in the design, build, operation, and maintenance of the engineered system. This includes those who are directly employed and those who provide contracted services. CIE elevates the discussion of cybersecurity risk so that it can be quantified and mitigated similarly to other engineering risks.
Though developed initially for energy applications, the CIE framework is a model that can apply to any organization practicing engineering design, especially the military engineering community and other mission-critical sectors.
CIE principles have been deployed in advanced nuclear reactor technology design to eliminate potential sources of digital frailty from the design. This approach can be used by U.S. Navy engineers for nuclear powered surface and subsurface platforms.
Consulting firms in the water sector are using CIE to design-in security for water processing and distribution systems as well. This approach can be used by the Civil Works Program of the US. Army Corps of Engineers and at fixed installations across the services.
More News from TME
Setting Standards For the Future at Norfolk Naval ShipyardThe renovation for Dry Dock 4 at Norfolk Naval Shipyard, utilized advanced 3D and scale modeling to guide the design choices that would prepare the facility for another 50 years of service while meeting increased standards for resiliency and redundancy.
Improving NAVFAC’s Facilities Construction CommunityNaval Facilities Engineering Systems Command has implemented a series of process improvements across its construction workforce to increase recruitment, validate and standardize mastery of processes and procedures, and recognize accomplishments of personnel.
Modernizing Dry Dock No. 1 at Naval Base San DiegoA recent project to modernize Dry Dock No. 1 at Naval Base San Diego will allow the facility to service modern vessel types while increasing its reliability for decades.