Cyber-Informed Engineering (CIE) is an emerging method to integrate cybersecurity considerations into the conception, design, development, and operation of any physical system, energy or otherwise, to mitigate or even eliminate avenues for cyber-enabled attacks. CIE concepts use design decisions and engineering controls to prioritize defense against the worst possible consequences of cyberattacks facing critical infrastructure systems and asset owners.
By extending traditional engineering education to include defense against cybersecurity vulnerabilities, CIE expands and strengthens the workforce that can protect critical infrastructure from cyberattacks to include engineers. It offers these professionals the opportunity to “engineer out” cyber risks from the earliest possible phase of design, the optimal time to introduce both low-cost and effective cybersecurity approaches.
The U.S. Department of Energy (DOE) released the Congressionally-directed National Cyber-Informed Engineering Strategy in 2022. It outlines the core CIE concepts that place cybersecurity considerations at the foundation of engineering and energy systems design. The strategy is built on five integrated pillars – Awareness, Education, Development, Current Infrastructure, and Future Infrastructure – and offers recommendations to incorporate CIE as a common practice for control system engineers. In March 2023, the Biden-Harris Administration’s National Cybersecurity Strategy called for a large-scale shift to secure-by-design approaches for the digital ecosystem that underpins all U.S. critical infrastructure systems.
CIE is one way that the energy sector bolsters cybersecurity protections for our clean energy future. The DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) partners with Idaho National Laboratory (INL) and the National Renewable Energy Laboratory (NREL) to lead the efforts to realize this crucial goal.
This collaboration led to the release of two resources that support energy partners at the forefront of implementing CIE across the sector:
- CIE Resource Library: The CIE Resource Library consists of tools, case studies, and lessons which will continue to support designers, manufacturers, and asset owners and operators in applying CIE principles. CESER also cataloged DOE-led CIE research spanning a decade, including work from a variety of sources and applications of CIE. As future research on CIE is produced, this library will highlight advanced implementation insights and lessons learned.
- CIE Implementation Guide: The CIE Implementation Guide outlines questions engineering teams should consider during each phase of a system’s lifecycle to employ CIE principles. The guide is geared toward supporting engineers who design, build, operate, and maintain the physical infrastructure; they are best positioned to leverage CIE to diminish the severity of cyberattacks or digital technology failures during the system’s engineering design.
Helpful Resources from our Partners
CIE Learning Opportunities
View sessions from the virtual CIE Practitioner’s Workshop on September 6, 2023. Hosted by INL and funded by CESER, these sessions are geared toward engineers and other users interested in or already implementing CIE concepts in their work. You can view the full list of recordings here.
This session includes remarks from leaders in the field, including representatives from the Office of the National Cyber Director; U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency; INL; NREL; and CESER.
This session addresses the types of practitioners that should be included in CIE processes, who should be considered as stakeholders, and how a variety of voices can be integrated to provide security insights through the CIE process.
This session looks at how teams interested in CIE can make the benefits clear to executives, and what messaging is needed to make the business case for CIE up the chain.
This session explores how engineers can convey engineering consequence to a cyber team and how they play a part in informing a tailored, consequence-based approach to cybersecurity.
Much of the practice of CIE aligns with a robust human performance culture. This talk explains how to build and leverage human performance culture to aid in cybersecurity.
The ISA 62443 standard provides a holistic framework for security in automation and industrial control systems. It also aligns with several CIE principles. This presentation addresses those points of alignment and how to incorporate CIE into 62443 practices.
This session outlines how to identify high-impact consequences which could threaten a technology or system even at the research phase, and how we can ensure that technology licensees and adopters benefit from security thinking throughout the research life cycle.
The Devil in the Details – Addressing the Risk and Liability Challenges in Implementing Cyber “Secure-by-design” Principles Within Engineering Practices
This presentation explores the specific issues that engineering firms must address to successfully incorporate CIE principles into overall risk and liability assessments, including how to align secure-by-design concepts with a broader set of risk factors that asset owners and engineers should consider throughout the design, procurement, and construction processes.
Authors of the newly developed CIE Implementation Guide conducted a detailed walkthrough of its contents and took questions and feedback from the audience.