Cyber Resilience
Operational Technology

Cyber-Informed Engineering: A Way Toward More Resilient OT Systems?

George V. Hulme
Jun 22, 2023

The technology industry is its own worst enemy in many ways, especially regarding software and device quality as it relates to cybersecurity. Last year, according to the MITRE Corporation’s Common Vulnerabilities and Exposures data, there were a record 25,227 software vulnerabilities identified. With 13,255 discovered by mid-June of this year, that number will likely be eclipsed before this year is out.

Such rising numbers and the steady beat of zero-day vulnerability disclosures and attacks feed into a sense that — despite years of improvements in software development tools and secure development processes — not much has improved regarding the security-related quality of software and devices. Yet, because of the potentially dire physical-world consequences stemming from compromises of operational technologies (OT) and critical infrastructure, building systems secure by design is the only sensible way forward. 

Fortunately, at least when it comes to OT and critical infrastructure, various departments within the federal government and the Cybersecurity and Infrastructure Security Agency (CISA) have significant efforts underway to improve the inherent security-related quality of critical infrastructure systems.

CIE: The Key to Building Defensible Systems

“It’s as if we’ve normalized the deviant behavior of operating at the bleeding edge of the accident boundary. This is the current state of the technology industry—and we need to make a fundamental shift if we want to do better. And we must do better,” said Jen Easterly, CISA's director, in her speech, “Unsafe at Any CPU Speed: The Designed-in Dangers of Technology and What We Can Do About It,” earlier this year.

Building and deploying systems designed at the “bleeding edge of the accident boundary” means it’s next to impossible, despite reasonable security efforts and training, for organizations to avoid cyber-related incidents, such as data breaches.

Many believe a discipline known as cyber-informed engineering (CIE) can help organizations step back from the accident boundary. Cyber-informed engineering began as a shift to formalize “security-by-design” development. CIE aims to help ensure that new OT and critical infrastructure assets are designed, manufactured, and deployed so that they are reasonably secure from cyberattacks and remain reliable and resilient. Last June, the Department of Energy (DOE) released its National Cyber-Informed Engineering Strategy report.

Alejandro Moreno, the acting assistant secretary for energy efficiency and renewable energy at the DOE, said cyber-informed engineering is essential considering the wide-scale deployment of clean energy and Americans' foundational reliance on the power grid. 

“CIE ensures that security is built into the infrastructure right from the start, rather than added as an afterthought,” says Harman Singh, director at cybersecurity consultancy Cyphere. “In OT environments, where cyber threats are a significant concern, the concept of CIE is even more critical. By adopting CIE, organizations can minimize cyberattack risks, protect their assets and customers, and improve their overall resilience,” Singh says.

Essentially, the CIE framework calls for engineering teams to consider and mitigate cybersecurity-related risks throughout the design and development of such assets. When the CIE framework is fully implemented, expectations for how an asset would function must be modeled, along with specific high-consequence cyber impacts and a description of how the system should be designed and developed to prevent those incidents. Such mitigations typically include creating and enacting manual engineering controls, limiting digital functionality, employing operational cybersecurity solutions, enacting monitoring capabilities, and potentially combinations of these.

CIE: Current Adoption, Expanding Government Efforts

While still a fledgling effort, experts say CIE is being adopted, albeit with varying degrees of action across the industry. “While some vendors have recognized the significance of cybersecurity and have made considerable strides in implementing CIE principles, others may still have room for improvement,” says Richard Baker, CTO at TWC IT Solutions. “Currently, the status of CIE within vendors that build OT equipment is varied,” agrees Singh. “Some vendors are ahead of the curve and have already embraced the CIE approach, while others are still playing catch-up. However, as more and more organizations recognize the importance of cybersecurity in OT environments, we can expect to see an increase in the adoption of CIE across the board,” Singh adds.

CIE principles expand beyond OT environments. In April of this year, CISA, the FBI, the NSA, and a half-dozen security agencies worldwide published a joint report, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. The joint guidance details how software makers can develop secure systems by design before developing, configuring, and shipping their products.

The guidance calls explicitly for software makers to: 

  • Take ownership of the security outcomes of their technology products, shifting the burden of security from the customers. A secure configuration should be the default baseline, in which products automatically enable the most important security controls to protect enterprises from malicious cyber actors. 

  • Embrace radical transparency and accountability—for example, by ensuring vulnerability advisories and associated Common Vulnerabilities and Exposures (CVE) records are complete and accurate.

  • Build the proper organizational structure by providing executive-level commitment for software manufacturers to prioritize security as a critical element of product development.  

“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” said CISA’s Easterly in a statement.

Baker and others say cyber-informed engineering is immensely important, especially in OT environments. “By incorporating cybersecurity practices proactively, CIE helps identify vulnerabilities early on, reducing the risk of successful cyberattacks. This ensures that OT systems are built with security in mind, minimizing the potential impact of cyber incidents on critical operations and services,” says Baker.


George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at
