Cyber-informed engineering (CIE) is a concept wherein engineers are tasked with taking advantage of opportunities early within design lifecycles to address cybersecurity risks. The parallels to secure software development are obvious, and some of the challenges within both disciplines are eerily similar.
Vergle Gipson, senior advisor at Idaho National Lab’s Cybercore Integration Center, discusses the concepts around cyber-informed engineering in this episode of the Aperture Podcast and why it’s important in improving the safety, availability, and resilience of operational technology systems.
“Cyber-informed engineering is the beginning of what needs to be done to help engineers embrace that idea of cybersecurity as a fundamental part of engineering,” Gipson said. “That approach needs to be extended beyond engineers to the technicians and the operators of physical systems with digital automation.”
CIE was the centerpiece of a June report from the Department of Energy on reducing risk within energy-related critical infrastructure sectors, for example by adopting a security-by-design approach. These systems should be secured from their earliest stages rather than having security retrofitted as a reaction to an attack or enhanced risk, the report said.
Gipson relayed this message last week to a House Homeland Security subcommittee on the need to secure industrial control systems from cyberattacks.
“It seems that momentum is building for OT cybersecurity,” Gipson said. “There’s more buzz around the fact that OT cybersecurity is an issue for the nation. All those who can make a difference, including those in Congress, ought to be learning more and figuring out how they can contribute.”
Gipson also discussed a number of other important issues, including the cybersecurity maturity gap within OT compared to IT, the types of discussions decision makers and engineers are having inside OT-heavy environments about cybersecurity threats and risk management, and the role of organizations such as INL today and going forward.
"This move toward cyber-informed engineering and adoption of the principles of cyber-informed engineering, in my opinion, will likely do more to secure critical infrastructure and physical systems than anything we've done to date," Gipson said.