cie – Waterfall Security Solutions
https://waterfall-security.com
Unbreachable OT security, unlimited OT connectivity
Sun, 12 Oct 2025 11:39:56 +0000

Safety-Critical Clouds in Power Generation – 7 Designs Using Cyber-Informed Engineering
https://waterfall-security.com/ot-insights-center/ot-cybersecurity-insights-center/safety-critical-clouds-in-power-generation-7-designs-using-cyber-informed-engineering/
Sun, 27 Apr 2025 08:19:51 +0000


The industrial internet is coming. Reap almost all the benefits with almost none of the risks.

The Industrial Internet of Things (IIoT) is the future of automation in power generation and many other industries. The IIoT promises huge gains in efficiency and flexibility, with cloud-based systems and decision-making at the heart of these gains. Today, even safety-critical and critical-infrastructure (CI) decision-making is moving steadily out into the cloud.

But safety-critical and CI systems deserve engineering-grade cybersecurity. So, how can we provide this for Internet-based clouds?

Watch the webinar where we will look at the problem from the perspective of the new Cyber-Informed Engineering (CIE) initiative and dig into 7 design patterns for different kinds of safety-critical, cloud-based systems. 

In this webinar Andrew Ginter takes us through:

Review the limitations of traditional IT-grade cyber protections for cloud systems.

Explore seven engineering-grade designs for protecting safety-critical and reliability-critical clouds.

Propose design principles for evaluating critical cloud designs.

For practitioners in power generation, OT security, or other critical infrastructures, this is an opportunity to explore two leading edges: the Industrial Internet (future of automation) and CIE (future of OT security).

We hope you can watch the webinar.

About the Speaker

Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Expert Impressions of Cyber-Informed Engineering
https://waterfall-security.com/ot-insights-center/ot-security-standards/impressions-of-cyber-informed-engineering/
Wed, 27 Nov 2024 13:12:36 +0000


I recently had the opportunity to ask experts Marc Sachs, Sarah Fluchs and Aaron Crow about their experience with the new Cyber-Informed Engineering (CIE) initiative. Here's what they had to say...
Andrew Ginter

I recently had the opportunity to ask experts Marc Sachs from the Center for Internet Security, Sarah Fluchs from admeritia GmbH, and Aaron Crow from Morgan Franklin Consulting about their experience with the new Cyber-Informed Engineering (CIE) initiative. For anyone not familiar with the initiative, CIE positions OT security as “a coin with two sides.” One side is cybersecurity – teach engineering teams about cyber threats, cybersecurity mitigations, and the limitations and scope of each kind of mitigation. The other side is engineering – use engineering design elements like overpressure-relief valves and manual fall-back procedures to address cyber threats as well as more conventional threats to safe, reliable, and efficient physical operations.

“CIE positions OT security as ‘a coin with two sides.’ One side is cybersecurity … the other side is engineering.”

With funding from the US Department of Energy (DoE), Idaho National Laboratory (INL) is assembling a body of knowledge – relevant parts of safety engineering, protection engineering, automation engineering, network engineering, and of course cybersecurity and the NIST CSF. My own experience is that CIE is very often, but not always, received very warmly. I was curious to get another couple of data points as to how other people perceived it, and the reactions they observe in their part of the OT security community. So, I asked…

1) What is your general impression of CIE?

Marc Sachs – Cyber-Informed Engineer

Marc responded “Involving the engineering community reframes digital security as a risk area that can be mitigated with engineering principles and practices. Rather than addressing computer science issues within OT or IC systems, engineers can apply physical laws and mathematical principles to design infrastructure resilient to cyber attacks.”

Sarah responded “Cyber-Informed Engineering matters because it emphasizes the need of hearing the engineer’s perspective on cybersecurity. This is both the emphasis on consequence (real-world plant consequence, not some ephemeral CIA triad) and on engineered controls, including aspects that are not in the cyber realm and cyber usually takes for granted or regards as out-of-scope.”

Aaron responded “CIE’s most important contribution is how it fosters collaboration across different domains, creating a culture where stakeholders from engineering, IT, and cybersecurity work together. This collaborative approach elevates threat modeling to the next level because it engages key personnel (like control room leads) who understand real-world operational access points and vulnerabilities.”

These all make a lot of sense to me. CIE calls out powerful tools that engineering teams can use to address cyber risk – tools that are not even mentioned in the NIST CSF, ISO 27001, nor even in the industrial IEC 62443 standards. In my experience, the realization that these engineering risk mitigation tools exist, in addition to cybersecurity mitigations, for the first time brings engineering teams to the cyber risk management table as equals. This makes cooperation easier, puts more options on the table, and results in more effective risk management strategies. And CIE’s emphasis on tackling the highest credible consequences first is consistent with the engineering perspective as well – deal with the “big fish” first and you almost always find that your “big fish” mitigations have already addressed the high-frequency, lower consequence threats as well.

2) What has been the reaction of business, enterprise security and engineering stakeholders to CIE?

Marc: “It resonates since most people are not security experts, but many can understand the concept of using engineering principles and practices to mitigate these new risks.”

Sarah Fluchs – CTO at admeritia GmbH

Sarah: “Not surprisingly, it resonates most with engineers. But I found it also makes it easier to connect with business stakeholders because the focus on plant consequences is closer to business risk than what managers usually get from IT security. Enterprise IT is usually the hardest to convince because they’re just not used to thinking about aspects outside of cyber / IT.”

Aaron: “The eye-opener comes when they realize the importance of connecting all these individual components into a cohesive process that fully integrates cybersecurity throughout the engineering lifecycle. CIE is a shift in perspective on how security should be part of every engineering and business decision.”

So again, different perspectives – Marc’s and Sarah’s comments speak to the experience of business decision makers, while Aaron looks more at the reaction of more technical practitioners. My own experience is that the majority (but not universal) reaction can be paraphrased as “What a good idea. Why is this new? This should not be new. Why have we not been looking at the problem this way since the beginning?” Stakeholders observe that we are working with the same puzzle pieces – cybersecurity designs, engineering designs, and so on. But when we arrange the pieces as CIE suggests, there are no longer “gaps” between them – they form a seamless whole.

3) Have you had the opportunity to apply the CIE approach yourself?

Marc: “I am currently collaborating with a medium-sized municipal utility to apply the CIE framework to their water and wastewater systems. The staff’s initial impressions are that this is a great way to better understand the risks introduced by the rapid transition to networked control systems. They are already developing new engineering designs to address the issues we have uncovered.”

Sarah: “My work has always been very much aligned with CCE / CIE, so I apply portions of it every day. Mostly not the full-blown approach though because it’s very heavy on resources.”

Aaron C. Crow – Cyber & Strategic Risk Leader

Aaron: “I’ve been applying a similar approach for over a decade, even before it was formally called CIE, though in a more informal way. A big lesson is how crucial it is to increase awareness of critical system components that may have been overlooked. A simple fix – like training personnel to recover quickly from a failure with something as straightforward as a reboot or hardware swap – can make all the difference. CIE helps bring this level of understanding to the forefront.”

So, the short answer is “yes” – people are applying the methodology and/or the perspective to their projects and decision-making. And I agree with Sarah – CCE (part of CIE) risk assessments, for example, are very comprehensive by OT industry standards. And the CIE Implementation Guide contains hundreds of questions we need to be asking of our projects, at every stage of the lifecycle. But whether picking and choosing or not, the perspective is clearly valuable and is being used to one extent or another.

4) Many engineers believe cybersecurity is IT's job. Many enterprise cyber people bemoan the sorry state of OT security. Does or will CIE change any of this?

Marc: “Yes, CIE has the potential to change the conversation. It does not take away any responsibilities from the enterprise IT or the OT/ICS teams. It leverages the non-computer-centric viewpoints and experiences of classic engineers and uses their expertise to find new ways to mitigate digital risk.”

Sarah: “I believe it doesn’t matter as much who actually does OT security. If CIE can either enable engineers to contribute their perspective to OT security or enable IT security to take the engineers’ perspective, there’s hope.”

Aaron: “Absolutely. CIE helps bridge the gap between IT, OT, and engineering by bringing all stakeholders to the table. Ultimately, CIE facilitates shared responsibility, helping engineers realize that OT security isn’t just IT’s job but a collective effort.”

My own experience is that a dialog of equals, asking each other questions, is a powerful tool for changing perceptions. Engineers need cyber attack knowledge from enterprise security, so the engineers can see for themselves why we need to change how we do things. And enterprise security teams need an appreciation of the safety and other considerations that constrain engineering decisions, so enterprise security can see why that “do something” very often cannot be the same thing that we do on enterprise networks.

5) Any other observations?

Marc: “CIE represents a shift from treating cybersecurity as a separate IT issue to integrating it within core engineering practices, leading to more resilient and secure critical infrastructure systems. I’m thrilled and honored to have been a part of the CIE team since 2020. It’s a great way to apply 40 years’ experience in Civil Engineering and network security to a field that is increasingly putting our society at risk.”

Aaron: “The key to the success of CIE lies in stakeholder involvement and adoption. Getting everyone at the table – engineers, cybersecurity teams, operations, and management – ensures open communication and collaboration from the start. This shared involvement fosters trust and clarity, which are essential to fully understanding and mitigating risks.”

Said another way, the “coin” has two sides – cybersecurity and engineering. When we spend this “coin” just like any other coin, we do not choose one side of the coin over the other – we spend the whole coin. In practice, the sites and organizations that I see using engineering tools the most thoroughly to address cyber risk also use cybersecurity tools the most thoroughly. Cybersecurity alone was never enough to secure our operations optimally, and CIE shows us the unique contributions that each of our kinds of stakeholders can make to more effective solutions.

And thank you so much to Marc, Sarah, and Aaron for their insights!

Interested in learning more about Cyber-informed Engineering? Get a complimentary copy of my latest book Engineering-grade OT Security: A Manager’s Guide to learn how CIE can be put to use for protecting your systems, operations, and OT.

About the author
Andrew Ginter

Andrew Ginter is the most widely-read author in the industrial security space, with over 23,000 copies of his three books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.
Webinar: Cyber-securing Safety and Equipment Protection Systems in Mining
https://waterfall-security.com/ot-insights-center/metals-mining/webinar-cyber-securing-safety-and-equipment-protection-systems-in-mining/
Wed, 01 May 2024 08:16:00 +0000


Join us on May 29th, with 2 live webinar sessions at 9:00 AM Singapore time, and 11:00 AM New York time.

Safety is the top priority in almost all mines, and reliable, efficient physical operations are close seconds. Cybersecurity is essential to all these priorities, in a world where automation is remotely accessible and where many mines are the targets of threats from sophisticated ransomware criminals to nation states. In addition, the trend towards cloud computing and cloud-based predictive maintenance services complicates cybersecurity and expands attack opportunities.

The good news is that Cyber-Informed Engineering (CIE) offers a new engineering-friendly approach to understanding and addressing cyber threats that have the potential to impair worker safety and damage long-lead-time equipment.

Join our webinar on Wednesday May 29th where we'll look at:

The latest cyberattack outage data as we introduce CIE and dig into consequences, blind spots, electro-mechanical mitigations, and network engineering.

Comparing engineering-grade designs to IT-grade designs such as “secure” remote access and “secure” by design initiatives – these IT-grade approaches work well for small shoe factories, but have serious limitations in the most consequential mining networks.

We’ll finish with a look at advanced topics – such as data abstraction for safer cloud-based remote control of mining operations.

About the Speaker

Andrew Ginter, Waterfall VP Industrial Security

Andrew Ginter is the most widely-read author in the industrial security space, with over 20,000 copies of his first two books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Cyber-Informed Engineering Transforms IT/OT Convergence in Oil & Gas Operations
https://waterfall-security.com/ot-insights-center/oil-gas/cyber-informed-engineering-transforms-it-ot-convergence-in-oil-gas-operations/
Thu, 01 Feb 2024 08:17:43 +0000


Join our webinar for an in-depth look at how CIE (Cyber-Informed Engineering) can help in converging IT and OT security for Oil & Gas operations.

Join us on February 28th or 29th 2024.
There will be 2 live streams of the webinar; please pick the date and time that works best for you.

Oil & Gas Webinar

In this webinar, we'll take you through:

IT/OT integration introduces threats to reliable operations. Connected networks move data, malware, and remote-control cyber attacks alike along their wires and cables. In the Oil & Gas industry, E&P, pipelines, and refineries have found that securing IT/OT connections involves more than just having Enterprise Security telling Engineering what to do and Engineering saying “no” to IT over and over.

However, understanding what “more” means has been the challenge.

Cyber-Informed Engineering (CIE) is a new approach to securing IT/OT convergence – an approach and a perspective that highlights important opportunities. For example, in CIE, worst-case consequences define security requirements for industrial networks, and consequence boundaries define unique spheres of expertise and approaches, including safety engineering, process engineering, the NIST Cybersecurity Framework and leveraging industrial data in the cloud.

Join Kevin Rittie, Andrew Ginter, and Alan Acquatella in this webinar as they introduce a new approach to solving long-standing challenges by:

Identifying the challenges facing OT engineering as it strives to build secure bridges between operations, corporate, and the cloud in order to satisfy the ever-growing need for operational data that drives strategic business growth.

Introducing CIE in a way that makes clear how this approach to secure-by-design engineering can improve the security and operational integrity of both brownfield and greenfield installations.

Looking at some practical examples that make tangible how cyber-informed engineering and unidirectional network engineering combine to build safe and secure production environments.

Listing some tangible next steps on your continuous cybersecurity journey.

Kevin Rittie, a Critical Infrastructure Technology Consultant

With over 30 years in the control system market, Kevin Rittie is a seasoned software and cybersecurity professional who has led diverse development groups with budgets up to $10M. He has a comprehensive background, starting as a project engineer and software developer, and has excelled in roles such as Product Management, Cybersecurity, Sales, and Marketing.

Andrew Ginter, Waterfall VP Industrial Security

Andrew Ginter is the most widely-read author in the industrial security space, with over 20,000 copies of his first two books in print. He is a trusted advisor to the world's most secure industrial enterprises, and contributes regularly to industrial cybersecurity standards and guidance.

Alan Acquatella, Industry Expert at Schneider Electric

Alan Acquatella heads the Pipeline & New Energies Infrastructure Segment for Schneider Electric. He brings domain expertise about industry and customer requirements and provides thought leadership and knowledge on valuable technologies and services customers can use to improve their operations and sustainability efforts.
