Impressions of Cyber-Informed Engineering
I recently had the opportunity to ask experts Marc Sachs, Sarah Fluchs and Aaron Crow about their experience with the new Cyber-Informed Engineering (CIE) initiative. Here's what they had to say...
Andrew Ginter
I recently had the opportunity to ask experts Marc Sachs from the Center for Internet Security, Sarah Fluchs, from admerita GmbH, and Aaron Crow from Morgan Franklin Consulting, about their experience with the new Cyber-Informed Engineering (CIE) initiative. For anyone not familiar with the initiative, CIE positions OT security as “a coin with two sides.” One side is cybersecurity – teach engineering teams about cyber threats, cybersecurity mitigations, and the limitations and scope of each kind of mitigation. The other side is engineering – use engineering design elements like overpressure-relief valves and manual fall-back procedures to address cyber threats as well as more conventional threats to safe, reliable, and efficient physical operations.
“CIE positions OT security as “a coin with two sides.’ One side is cybersecurity…the other side is engineering.”
With funding from the US Department of Energy (DoE), Idaho National Laboratory (INL) is assembling a body of knowledge – relevant parts of safety engineering, protection engineering, automation engineering, network engineering, and of course cybersecurity and the NIST CSF. My own experience is that CIE is very often, but not always, received very warmly. I was curious to get another couple of data points as to how other people perceived it, and the reactions they observe in their part of the OT security community. So, I asked…
1) What is your general impression of CIE?
Marc responded “Involving the engineering community reframes digital security as a risk area that can be mitigated with engineering principles and practices. Rather than addressing computer science issues within OT or IC systems, engineers can apply physical laws and mathematical principles to design infrastructure resilient to cyber attacks.”
Sarah responded “Cyber-Informed Engineering matters because it emphasizes the need of hearing the engineer’s perspective on cybersecurity. This is both the emphasis on consequence (real-world plant consequence, not some ephemeral CIA triad) and on engineered controls, including aspects that are not in the cyber realm and cyber usually takes for granted or regards as out-of-scope.”
Aaron responded “CIE’s most important contribution is how it fosters collaboration across different domains, creating a culture where stakeholders from engineering, IT, and cybersecurity work together. This collaborative approach elevates threat modeling to the next level because it engages key personnel (like control room leads) who understand real-world operational access points and vulnerabilities.”
These all make a lot of sense to me. CIE calls out powerful tools that engineering teams can use to address cyber risk – tools that are not even mentioned in the NIST CSF, ISO 27001, nor even in the industrial IEC 62443 standards. In my experience, the realization that these engineering risk mitigation tools exist, in addition to cybersecurity mitigations, for the first time brings engineering teams to the cyber risk management table as equals. This makes cooperation easier, puts more options on the table, and results in more effective risk management strategies. And CIE’s emphasis on tackling the highest credible consequences first is consistent with the engineering perspective as well – deal with the “big fish” first and you almost always find that your “big fish” mitigations have already addressed the high-frequency, lower consequence threats as well.
2) What has been the reaction of business, enterprise security and engineering stakeholders to CIE?
Marc – “It resonates since most people are not security experts, but many can understand the concept of using engineering principles and practices to mitigate these new risks.”
Sarah – “Not surprisingly, it resonates most with engineers. But I found it also makes it easier to connect with business stakeholders because the focus on plant consequences is closer to business risk than what managers usually get from IT security. Enterprise IT is usually the hardest to convince because they’re just not used to thinking about aspects outside of cyber / IT.”
Aaron – “The eye-opener comes when they realize the importance of connecting all these individual components into a cohesive process that fully integrates cybersecurity throughout the engineering lifecycle. CIE is a shift in perspective on how security should be part of every engineering and business decision.”
So again, different perspectives – Marc‘s & Sarah’s comments speak to the experience of business decision makers, while Aaron looks more at the reaction of more technical practitioners. My own experience is that the majority (but not universal) reaction can be paraphrased as “What a good idea. Why is this new? This should not be new. Why have we not been looking at the problem this way since the beginning?” Stakeholders observe that we are working with the same puzzle pieces – cybersecurity designs, engineering designs, and so on. But when we arrange the pieces as CIE suggests, there are no longer “gaps” between them – they form a seamless whole.
3) Have you had the opportunity to apply the CIE approach yourself?
Marc – “I am currently collaborating with a medium-sized municipal utility to apply the CIE framework to their water and wastewater systems. The staff’s initial impressions are that this is a great way to better understand the risks introduced by the rapid transition to networked control systems. They are already developing new engineering designs to address the issues we have uncovered.”
Sarah – “My work has always been very much aligned with CCE / CIE, so I apply portions of it every day. Mostly not the full-blown approach though because its very heavy on resources.”
Aaron – “I’ve been applying a similar approach for over a decade, even before it was formally called CIE, though in a more informal way. A big lesson is how crucial it is to increase awareness of critical system components that may have been overlooked. A simple fix – like training personnel to recover quickly from a failure with something as straightforward as a reboot or hardware swap – can make all the difference. CIE helps bring this level of understanding to the forefront.”
So, the short answer is “yes” – people are applying the methodology and/or the perspective to their projects and decision-making. And I agree with Sarah – CCE (part of CIE) risk assessments for example, are by OT industry standards very comprehensive. And the CIE Implementation Guide contains hundreds of questions we need to be asking of our projects, at every stage of the lifecycle. But picking and choosing or not, the perspective is clearly valuable and being used to one extent or another.
4) Many engineers believe cybersecurity is IT's job. Many enterprise cyber people bemoan the sorry state of OT security. Does or will CIE change any of this?
Marc – “Yes, CIE has the potential to change the conversation. It does not take away any responsibilities from the enterprise IT or the OT/ICS teams. It leverages the non-computer-centric viewpoints and experiences of classic engineers and uses their expertise to find new ways to mitigate digital risk.”
Sarah – “I believe it doesn’t matter as much who actually does OT security. If CIE can either enable engineers to contribute their perspective to OT security or enable IT security to take the engineers’ perspective, there’s hope.”
Aaron – “Absolutely. CIE helps bridge the gap between IT, OT, and engineering by bringing all stakeholders to the table. Ultimately, CIE facilitates shared responsibility, helping engineers realize that OT security isn’t just IT’s job but a collective effort.”
My own experience is that a dialog of equals, asking each other questions, is a powerful tool for changing perceptions. Engineers need cyber attack knowledge from enterprise security, so the engineers can see for themselves why we need to change how we do things. And enterprise security teams need an appreciation of the safety and other considerations that constrain engineering decisions, so enterprise security can see why that “do something” very often cannot be the same thing that we do on enterprise networks.
5) Any other observations?
Marc – “CIE represents a shift from treating cybersecurity as a separate IT issue to integrating it within core engineering practices, leading to more resilient and secure critical infrastructure systems. I’m thrilled and honored to have been a part of the CIE team since 2020. It’s a great way to apply 40 years experience in Civil Engineering and network security to a field that is increasingly putting our society at risk.”
Aaron – “The key to the success of CIE lies in stakeholder involvement and adoption. Getting everyone at the table – engineers, cybersecurity teams, operations, and management – ensures open communication and collaboration from the start. This shared involvement fosters trust and clarity, which are essential to fully understanding and mitigating risks.”
Said another way, the “coin” has two sides – cybersecurity and engineering. When we spend this “coin” just like any other coin, we do not choose one side of the coin over the other – we spend the whole coin. In practice, the sites and organizations that I see using engineering tools the most thoroughly to address cyber risk also use cybersecurity tools the most thoroughly. Cybersecurity alone was never enough to secure our operations optimally, and CIE shows us the unique contributions that each of our kinds of stakeholders can make to more effective solutions.
And thank you so much to Marc, Sarah, and Aaron for their insights!
Interested in learning more about Cyber-informed Engineering? Get a complimentary copy of my latest book Engineering-grade OT Security: A Manager’s Guide to learn how CIE can be put to use for protecting your systems, operations, and OT.
About the author
Andrew Ginter
Share
Trending posts
Impressions of Cyber-Informed Engineering
Top 10 Cyberattacks on Industrial and Critical Infrastructure of 2024
Stay up to date
Subscribe to our blog and receive insights straight to your inbox