Engineering-In Cybersecurity

By Virginia Wright and Marcus Sachs, P.E.

On Feb. 1, 2023, leaders of the Cybersecurity & Infrastructure Security Agency at the Department of Homeland Security published an article in Foreign Affairs, “Stop Passing the Buck on Cybersecurity,” which described the nation’s dependency on technology vulnerable to adversary intrusions as “less a cyber problem than a broader technology and culture problem.”

The authors observe that as technology has become pervasive in our lives, we have come to accept that it is also vulnerable and indefensible by design, and that users of technology have assumed the burden of defending themselves from the impacts of these flaws. This is equally true for military engineers. Digital technology in the systems we design makes them faster, more capable, and less expensive to operate than their analog counterparts. Digital tools that aid systems design processes allow us to render better designs faster and to support more complex systems than ever before.

However, from ransomware to advanced adversaries, these technologies are vulnerable to digital failure and attack. In engineered systems, the consequences of failures can be catastrophic. Though we work with our information technology counterparts across the Department of Defense to secure these systems, the protections are typically applied at the end of the system-design process, as bolt-on solutions that mask a larger underlying risk. The article from leadership at the Cybersecurity & Infrastructure Security Agency calls for a different approach, where problems are fixed at the earliest possible stage, in design, rather than in operations.

The Department of Energy’s National Laboratories have developed such an approach—tailored to the needs of the engineers building the nation’s critical infrastructure systems. This emerging framework, Cyber-Informed Engineering (CIE), allows all engineers to understand the potential consequences of digital failure or exploitation in their projects, beginning in the concept stage, and develop engineering-driven mitigations that can either eliminate or lessen the impact of such consequences.

Using this approach, military engineers can leverage a far wider range of consequence mitigations early in the design phases than traditional cybersecurity solutions provide (including manual, process, or procedural controls). Military engineers are trained and experienced in identifying, tracking, and diminishing fundamental engineering risks. CIE allows cybersecurity to be treated in the same way.

BUILDING A NATIONAL STRATEGY  

The National Strategy for Cyber-Informed Engineering, released in June 2022, was developed by a team of advisors assembled by the Department of Energy at the direction of Congress. Experts from energy sector asset owners and operators, vendors/manufacturers, standards organizations, research and academic institutions, National Laboratories, and government agencies developed a strategy organized around five pillars of action: building awareness of CIE; incorporating the framework into formal education, training, and credentialing; building the body of knowledge by which it is implemented; applying CIE to current systemically important infrastructure; and applying CIE in federally funded research that will build future energy infrastructure and technology.

Implementation of the CIE strategy is underway. Multiple institutions of higher education—including Auburn University, the University of Texas at San Antonio, Boise State University, and Idaho State University—are building CIE into engineering curricula and degree programs to ensure that future engineers and technicians can employ these principles. The National Laboratories, including Idaho National Laboratory and the National Renewable Energy Laboratory, also are collaborating to create the body of knowledge and tools for applying CIE. A Community of Practice has been established to allow practitioners to share success stories and to learn from others.

For more information, contact CIE@inl.gov.

CONSIDERING PRINCIPLES

CIE considers 12 fundamental principles for understanding and reducing risk. These should be considered for any energy infrastructure project that relies on a digital industrial control system.

The CIE framework includes both Design and Operational Principles (consequence-focused design; engineered controls; secure information architecture; design simplification; resilient layered defenses; and active defense) and Organizational Principles (interdependency evaluation; digital asset awareness; cyber-secure supply chain controls; planned resilience with no assumed security; engineering information control; and cybersecurity culture). While each principle can be an important element within an effective risk management approach, two concepts come foremost at the start of the early design phases.

Consequence-Focused Design. The engineering team can be highly effective when it focuses first on identifying the functions performed by the system or process whose failure would have the most catastrophic consequences. For those critical functions, the team considers where digital technology might allow an unprotected action to initiate a high-consequence event. These could include unauthorized system actions, invalid data that would drive an automated action, or interdiction of a digitally governed control. Engineers then consider design changes that could either remove the possibility of the unprotected action or mitigate its consequences. These changes, if enacted, act in addition to traditional cybersecurity protections to reduce the likelihood that undesired digital events result in catastrophic consequences, and to lessen the impact if they do.

Engineered Controls. This principle leverages ideas from the traditional safety Hierarchy of Controls to help a team consider the potential security “value” of mitigative solutions.

In cybersecurity, as in safety, elimination of the possibility that an undesired digital event could happen, either by removing the digital dependency or the functions that enable the event, is the most effective mitigation, but is rarely possible.

Substitution of the dependency or function with a capability which has less potential to allow the undesired event is a more likely possibility than outright elimination, but may introduce new consequences or dependencies which must be examined.

An engineered control, such as a manual override, may be put in place to prevent the digital event from driving the consequence; however, the team must ensure that the control does not also depend upon a digital mechanism.

An administrative solution, such as a policy or procedure, may provide guidance to prevent or enable quick recovery from the undesired event, and such solutions are usually low-cost, but are also less effective than other options discussed.

Finally, a protective mechanism may shield people or assets from the consequences of the event without mitigating or preventing the event itself.
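The following toy model, added here as an illustration and not taken from the article or from the National Laboratories' CIE materials, shows why Consequence-Focused Design and Engineered Controls are paired: a software speed clamp sits on the same digital path as the setpoint it is meant to bound, so a compromised path (invalid data, altered firmware) defeats it, while a mechanical governor that depends on no digital mechanism still bounds the consequence. The pump, the speed limits, and every name are assumptions chosen for the example.

```python
"""Toy model of a digitally governed pump under the CIE hierarchy of controls.

Added illustration; the process, the limits and the names are assumptions,
not material from the article or from INL's CIE body of knowledge.
"""
from dataclasses import dataclass

DAMAGE_RPM = 3200.0    # assumed: the impeller fails above this speed
SAFE_MAX_RPM = 3000.0  # assumed: design-basis ceiling the controls should enforce


@dataclass
class PumpDesign:
    software_limit: bool = True         # clamp in controller firmware (a digital mechanism)
    mechanical_governor: bool = False   # hard limit with no digital dependency
    governor_limit_rpm: float = SAFE_MAX_RPM


def speed_reached(design: PumpDesign, setpoint_rpm: float, digital_path_compromised: bool) -> float:
    """Speed the pump actually reaches for a requested setpoint.

    The software clamp shares the digital path with the setpoint, so when that
    path is compromised the clamp offers no protection. The mechanical governor
    acts on the shaft regardless of what the controller commands.
    """
    rpm = setpoint_rpm
    if design.software_limit and not digital_path_compromised:
        rpm = min(rpm, SAFE_MAX_RPM)
    if design.mechanical_governor:
        rpm = min(rpm, design.governor_limit_rpm)
    return rpm


def consequence(rpm: float) -> str:
    return "catastrophic" if rpm > DAMAGE_RPM else "acceptable"


def evaluate(design: PumpDesign, setpoint_rpm: float) -> dict:
    """Consequence-focused check: outcome with the digital path intact and compromised."""
    return {
        "normal": consequence(speed_reached(design, setpoint_rpm, False)),
        "compromised": consequence(speed_reached(design, setpoint_rpm, True)),
    }


if __name__ == "__main__":
    # Constructed scenario: an attacker or a bad data source requests 5000 rpm.
    print("software clamp only:", evaluate(PumpDesign(), 5000.0))
    print("with mechanical governor:", evaluate(PumpDesign(mechanical_governor=True), 5000.0))
```

The second design still accepts the bad setpoint; it simply cannot turn it into the catastrophic consequence, which is the distinction CIE draws between protecting the digital system and bounding what the digital system can do.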

In CIE, the intent is to eliminate, substitute, or build engineered controls where we can. CIE’s 12 principles were drawn from decades of system assessment and evaluation by the Idaho National Laboratory and incorporate lessons learned across a range of infrastructure sectors and system complexities. The framework principles allow an engineering team to design systems that are resilient to cyber attacks well before they procure and implement the technologies that enable them. The mitigation strategies built into the design not only complement operational cybersecurity solutions, which should still be applied to selected technologies, but due to the understanding of critical functions and high-impact consequences, can inform the selection and design of operational cybersecurity to provide protections in the most important areas of the systems. They build a culture of cybersecurity on engineering projects with roles and responsibilities not just for the information technology personnel, but for everyone who participates in the design, build, operation, and maintenance of the engineered system. This includes those who are directly employed and those who provide contracted services. CIE elevates the discussion of cybersecurity risk so that it can be quantified and mitigated similarly to other engineering risks.

PRACTICAL APPLICATION

Though developed initially for energy applications, the CIE framework is a model that can apply to any organization practicing engineering design, especially the military engineering community and other mission-critical sectors.

CIE principles have been deployed in advanced nuclear reactor technology design to eliminate potential sources of digital frailty from the design. This approach can be used by U.S. Navy engineers for nuclear powered surface and subsurface platforms.

Consulting firms in the water sector are using CIE to design in security for water processing and distribution systems as well. This approach can be used by the Civil Works Program of the U.S. Army Corps of Engineers and at fixed installations across the services.
