The best cybersecurity measures are those that prevent attacks from ever happening. Cyber-informed engineering (CIE) is an approach that allows engineers to design critical infrastructure systems that are hardened against cyberattacks from the start. Using CIE, engineers can create systems that mitigate against worst-case-scenarios even before digital technologies are incorporated.
CIE can be applied to any engineering system – from manufacturing to wastewater management – but it has a particularly essential role in the energy sector. Think about the many components involved in building a new electric utility – from substations to generation plants and all the assets in between. Engineers with CIE training can learn from previous patterns of vulnerabilities in these assets to build a more secure infrastructure that addresses those risks in the operational technology.
The Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) leads the effort to implement CIE in the energy sector. CESER released its National Cyber-Informed Engineering Strategy in 2022, which provides a roadmap for teaching CIE concepts in engineering schools, developing tools and capabilities to aid in its adoption, and applying CIE to current and future infrastructure.
In many ways, CIE expands the workforce for critical energy infrastructure cybersecurity beyond traditional IT professionals to incorporate engineering staff who design and operate the infrastructure. CESER works closely with Idaho National Laboratory (INL) and the National Renewable Energy Laboratory (NREL) to expand and implement CIE efforts. INL partners with universities, like Auburn University and the University of Texas at San Antonio, to embed CIE principles into their engineering curricula.
The Biden-Harris administration’s National Cybersecurity Strategy called out CIE as an important security approach to support the nation’s clean energy future. As the U.S. moves toward new energy infrastructure, there is an opportunity to build in cybersecurity proactively using CIE. Secure-by-design products are built in a way that reasonably protects against malicious cyber actors successfully gaining access to devices, data, and connected infrastructure. The Cybersecurity Infrastructure and Security Agency (CISA), a close partner of CESER’s, encourages manufacturers to support a secure-by-design approach by providing secure software solutions. CIE complements this approach by focusing on engineering cybersecurity into the operational elements of the infrastructure.
While cyber adversaries try to get in front of critical information digitally, CIE enables systems to prevent that from happening physically, giving it an important role in securing the nation’s critical energy infrastructure. While CESER leads this effort from an energy industry perspective, the overall approach will require close collaboration and significant work with its inter-agency partners, including INL, CISA and the National Institute of Standards and Technology. These partnerships will ensure that CIE recommendations are implemented across the country to address the current and future threat landscapes.