Mike Spear, director of global operations at Honeywell Cybersecurity comments that security dynamics in the process industry changed with the entry of Ethernet and Microsoft on the factory floor. “You now have vulnerabilities. Security has become a big aspect of the operation, not just running production,” he opines.
A risk management methodology, Cyber-Informed Engineering (CIE) is an emerging method to integrate cybersecurity considerations into the conception, design, development, and operation of any physical system, energy or otherwise, to mitigate or even eliminate avenues for cyber-enabled attacks.
Spear reckons that the CIE is still relatively new for those just starting to implement the fundaments. He concedes for those in the middle of the maturity cycle, visibility and predictability are the next issues to tackle. “They want to prevent bad events from occurring and are thus looking to be more proactive,” he continues.
CIE concepts use design decisions and engineering controls to prioritize defence against the worst possible consequences of cyberattacks facing critical infrastructure systems and asset owners.
FutureIOT Prateek Singh, lead engineer, Cybersecurity Services for APAC at Eaton, for his take on Cyber-informed Engineering.
In Asia, is CIE practice a normal occurrence?
Prateek Singh: The U.S. Department of Energy (DoE) released the National Cyber-Informed Engineering Strategy in 2022, outlining 12 principles for integrating cybersecurity into engineering practices.
While the full implementation of the Cyber-Informed Engineering (CIE) approach is not yet widespread in the Asian operational technology (OT) sector, there is active adoption of standards such as IEC 62443.
Here’s how the IEC 62443 suite aligns with CIE principles: IEC 62443-3-3: This standard addresses OT security requirements for asset owners, system integrators, and product suppliers. Within its 7 foundational requirements, FR3 (System Integrity) closely corresponds to CIE Principle 3 (Secure Information Architecture). Both emphasize preventing undesired manipulation of data and ensuring the integrity of critical systems.
In the broader Asian region, the Cyber-Informed Engineering (CIE) practice isn’t yet commonplace. However, several of its 12 principles are already embedded in various critical infrastructure security standards.
These principles cover areas such as data security, security awareness, and secure architecture. While Asia is embracing newer security trends, the full-scale adoption of CIE might still require some time, but the groundwork is being laid through standards like IEC 62443.
How have recent cybersecurity incidents or breaches influenced the development of cyber-informed engineering practices?
Prateek Singh: When we think of cybersecurity attacks, we often think of digital causes, for example, weak passwords and malware that lead to a systems breach. In critical infrastructure systems, however, what makes it complicated is the technical industrial controls and legacy processes that IT is simply not equipped to handle alone.
As OT cybersecurity threats grow in scale and frequency, cybersecurity is not just the responsibility of the IT team. CIE empowers engineers to understand and address cybersecurity – from the design, and operations to maintenance of their facility. This approach uses design decisions and engineering controls to prioritize defence against the worst potential consequences of cyber threats.
While practices such as secure-by-design also offer a framework for the industry, CIE’s emphasis on equipping engineers with the requisite knowledge will be crucial in strengthening the industry’s cyber resilience efforts.
What are the potential implications of integrating artificial intelligence and machine learning into cyber-informed engineering practices?
Prateek Singh: Artificial intelligence (AI) and machine learning (ML) can potentially help with aspects such as proactive threat detection, vulnerability management, and automated incident response.
This can help facilities managers proactively identify potential vulnerabilities, quarantine affected systems and initiate remediation efforts while reducing manual intervention, which is especially helpful for facilities managers who must oversee multiple, distributed sites.
However, there may be concerns around the reliability and accuracy of AI and ML, which are dependent on factors such as the right parameters and training data, to be able to sieve out cyber threats accurately.
Particularly in critical infrastructure environments such as energy and healthcare, any disruption caused by a false shutdown will be very costly. More importantly, cyber attackers are always finding ways to get around existing cyber defences. AI and ML should not be seen as foolproof methods to detect and mitigate potential threats.
How have advancements in cloud computing and edge computing affected the implementation of cyber-informed engineering practices?
Prateek Singh: In the energy sector, companies are integrating the Internet of Things (IOT) to manage distributed energy resources, and enhance power grid resiliency and operational efficiency. However, this results in increased vulnerability to cyberattacks.
This is due to risks associated with, for example, misconfiguration and limited visibility over the security of third-party components, outdated devices with inherent vulnerabilities, and the tension between ease of operations and security controls.
The implementation of CIE cements the vital importance of cybersecurity. This empowers engineers and facilities teams to put it at the forefront of operations even if it results in inconvenience for users due to more stringent security controls.
For instance, prioritizing software updates even if this requires services to be paused, enforcing Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA), and adopting a Zero Trust model to limit access.
What are the key challenges or limitations in applying cyber-informed engineering practices to critical infrastructure and industrial control systems?
Prateek Singh: A mindset change will be the first barrier to overcome, as we’re asking facilities teams and engineers to change long-standing processes that have worked well for their facility for decades. Currently, most enterprises are aware of the importance of cybersecurity, but oftentimes, they don’t see it as urgent – until they become a target, which is way too late.
Implementation will also require extensive time and resources, starting with an audit of existing assets, identifying vulnerabilities, and working with users to implement more stringent security controls. Enterprises will have to put together a dedicated team of personnel who are equipped with the skills to carry out the necessary processes. This may require existing teams to take time to upskill, or work with partners and hire externally.
What are the best practices for integrating cybersecurity considerations into the design and development lifecycle of new engineering projects?
Prateek Singh: The Cyber-Informed Engineering (CIE) framework spans 7 core phases within the systems engineering lifecycle. These 12 principles guide the implementation of cybersecurity practices throughout the entire lifecycle, from initial concept to system retirement and replacement. Effective integration of cybersecurity involves several key practices:
- Leadership-Driven Strategy: Leadership should champion a robust cybersecurity strategy, acting as the driving force for its implementation.
- Defense-in-Depth Architecture: Employ a layered defence approach to enhance security.
- Supply Chain Security: Ensure the cybersecurity of products within the supply chain.
- Incorporating Cybersecurity into Processes: Make cybersecurity and cyber risk management an integral part of every process and change.
By following these practices, organizations can integrate cybersecurity considerations into the design and development lifecycle of new engineering projects.