Cyber Resilience
Operational Resilience
Operational Technology
Industrial
Risk Management

Nexus Podcast: Andrew Ohrt on Starting Cyber-Informed Engineering Projects

Michael Mimoso / Jun 5, 2025


For two decades, cybersecurity experts have struggled to communicate their domain to business leaders and IT generalists. Security experts lean heavily on confusing acronyms and poorly conceived analogies that fail to help business and technology laypeople fully understand threats and risk.

The introduction of cyber-informed engineering (CIE), along with its growing adoption and support from entities such as the Department of Energy and Idaho National Laboratory (INL), may finally be succeeding in bringing cybersecurity to its intended audience on that audience's terms.

At its most basic level, CIE uses design decisions and engineering controls to communicate and mitigate risks facing critical infrastructure asset owners and operators. It relies on concepts familiar to engineers and attempts to integrate cybersecurity into the design and operation of cyber-physical systems (CPS) across industries. CIE speaks the language of engineers.

Engineering Concepts Meet Cybersecurity

In this episode of the Nexus Podcast, Andrew Ohrt, the resilience practice area lead at West Yost Associates, a water resource management and engineering firm, joins to explore how and where CIE is succeeding, and where implementation and advocacy challenges remain. 

“It's stuff that they don't really understand,” Ohrt said of some meetings he’s had with engineers about cyber hygiene and other commonplace cybersecurity concepts. When CIE concepts, and how they are applied to CPS protection, for example, are introduced to the conversation, engineers and asset operators realize they’re already doing some CIE-esque operations really well.

“For example, I was working for a small utility in the San Francisco Bay Area, and we had this conversation with them about a day without SCADA, and they [explained], ‘Our SCADA system has never really worked, so we just call that Tuesday.’ 

“It's fantastic. That's a great way to start with some planned resilience and active defense. CIE allows us to build on the good things that they're already doing, using some of their language. And so instead of it being like a 180 degrees shift for them, it's like three to five degrees to start with.”

Idaho National Lab CIE Implementation Guide

INL has been a champion of CIE and helped develop a 12-step CIE implementation guide that is essentially a de facto standard for this practice. It has also focused on the methodology of consequence-driven CIE, which starts with the idea that determined, advanced adversaries can penetrate critical infrastructure entities. Consequence-driven CIE recommends a four-phase approach to defending critical infrastructure that involves an understanding of possible attack scenarios, an understanding of attack paths and interdependencies that could be exploited, a determination of the path an adversary would take to achieve the highest impact possible, and mitigation strategies.

“The key question is: How do I understand what critical functions my system must ensure and the undesired consequences it must prevent?” Ohrt asked. “This is the first principle because it's really considered to be the first among equals. As we've gone out and done CIE, we've found that there are people doing all sorts of adoptions and they're starting in different places. And that's fantastic. Consequence-focused design is really about the mission of the organization.”

Ultimately, the goal is to involve engineers and asset owners in the process of building CPS that can stand up to active intrusions and maintain production on critical systems.

“We're trying to help the engineers and operators understand what their role is in creating and maintaining a cyber resilient organization,” Ohrt said. “One of the intents of CIE is to apply the thinking of building cyber resilience across the whole engineering lifecycle, from concept to retirement.”

Michael Mimoso
Editorial Director

Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
