Cyber-Informed Engineering Recognized with Cyber Policy Award for Research Impact
Waterfall team
The growing importance of Cyber-Informed Engineering (CIE) was recently recognized with a Cyber Policy Award for Research Impact from the Institute for Security and Technology.
What is Cyber-Informed Engineering?
Cyber-Informed Engineering is “the big umbrella” – bringing together relevant parts of safety engineering, protection engineering, automation engineering, network engineering, and most of cyber security into a comprehensive body of knowledge for addressing cyber risks to physical operations. The body of knowledge looks at the problem of OT cybersecurity from the engineering perspective:
• Addressing high-consequence risks first, consistent with industrial engineering practices, and addressing high-frequency, low-impact irritants only secondarily,
• Encouraging modest design changes to physical processes that take entire sets of consequences and attack vectors off the table – avoiding or eliminating risk rather than merely mitigating it or reducing the frequency of high-consequence events,
• Recognizing that the key objective in terms of preventing most truly unacceptable outcomes is preventing sabotage rather than espionage, and recommending strong oversight / control of online and offline communication channels that can transmit attack information into sensitive systems.
In short, CIE is positioned as “a coin with two sides.” One side is cybersecurity – teach engineering teams about cyber threats, about cybersecurity tools, and about the intrinsic limitations of such tools, so that these teams can evaluate residual risks. The other side is engineering – overpressure relief valves, manual fall-backs and other “unhackable” mitigations for all types of risk – including cyber risks. This engineering side of the coin has been under-represented in most OT security advice to date, and represents a big opportunity to dramatically improve OT security outcomes.
“CIE is the most important innovation in OT security in 20 years – bringing the engineering risk-management perspective and powerful engineering tools and approaches to bear on the problem of assuring safe, reliable and efficient physical operations, in an increasingly hostile cyber threat environment.”
Andrew Ginter, VP Industrial Security, Waterfall Security
Waterfall and Cyber-Informed Engineering
At Waterfall Security Solutions, we believe in the principles of CIE. Just as the public expects bridges to carry a specified load, in a specified operating environment, for a specified number of decades, with a large margin for error, increasingly society demands that automation systems for physical operations carry a specified threat load, until at least the next opportunity to upgrade our defenses, with a large margin for error. And society generally expects that “carry a specified threat load” means to carry that load deterministically, with a very high degree of confidence.
This philosophy is very compatible with Waterfall’s own Unidirectional Gateways and hardware-enforced solutions. Our solutions are part of the Network Engineering body of knowledge – hardware-enforced / deterministic tools to prevent cyber attacks from pivoting through consequence boundaries: connections between networks with dramatically different worst-case consequences of compromise.
To learn more about Cyber-Informed Engineering and the work of Andrew Ginter, who was recognized with the Cyber Policy Award for Research Impact, you can request a copy of his book, Engineering-Grade OT Security: A Manager’s Guide.