Date: 2023-04-17

To better protect critical infrastructure in the United States from cyberattacks, the Biden administration is calling on organizations to build defenses into system design and not rely solely on IT protections. This article explains the concept of “cyber-informed engineering” and illustrates it with examples from the water sector.

In the National Cybersecurity Strategy released March 2, the Biden administration calls for major changes in how the United States prioritizes the security of software systems used in critical infrastructure. It acknowledges that the de facto approach so far has essentially let the buyer beware, leaving the entities least able to assess or defend vulnerable software liable for the impacts of engineered weaknesses, while technology makers assume no liability. The strategy recommends a security-by-design approach that makes software vendors responsible for meeting a duty of care to consumers and that ensures systems are designed to fail safely and recover quickly.

For energy infrastructure, the strategy calls for the establishment of a national cyber-informed engineering strategy to achieve significantly more effective cybersecurity protections. This article provides a high-level overview of what this entails.

The engineers who build our complex infrastructure systems rely on strict standards and procedures to ensure high levels of security and reliability. However, most of these procedures were developed long before the advent of modern cybersecurity and do not yet guide engineers to consider cyber threats, let alone design cybersecurity defenses in these systems.

Through its cyber-informed engineering initiative, the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) seeks to address this. With the help of the National Laboratories, CESER has embarked on an effort to train engineers to design systems to suppress the possibilities and mitigate the impacts of cyberattacks.

Early in the system design phase, engineers can identify critical system functions and determine how to design them to limit the impacts of digital disruption or misuse. Combined with a robust IT security strategy, such cyber-informed engineering offers the possibility of protecting systems much more effectively than IT security alone can.

The Idaho National Laboratory has pioneered the development of cyber-informed engineering concepts and is working with CESER to educate others in industry, academia and government on how to apply these concepts to real-world challenges. In this article, we describe some of the basic principles and illustrate how they are put into practice through a fictional account of a municipal water utility.

Consequence-based design

The most important task of any organization is to ensure that its most critical functions are never interrupted. Engineers are trained to design resilient systems, using specific techniques to identify and prevent traditional failure modes. However, this will not protect a system against a sophisticated cyberattack. Indeed, adversaries often take advantage of a system’s innate functionality to cause it to operate in undesirable ways, such as causing a tank to overflow or repeatedly powering equipment on and off to damage critical assets and disrupt operations.

In the practice of cyber-informed engineering, the first step for engineers is to identify functions and associated subsystems that could lead to catastrophic consequences if misused by an intelligent adversary. Then, as we’ll describe below, they can identify methods to prevent an attack, stop the negative consequences, or limit their impact.

For example, suppose a municipal water utility is considering a new cloud-based service to monitor and control (i.e. start and stop) a critical remote pump station. Cloud technology would make operations much more efficient and save significant manpower. In a cyber-informed review of the design, members of the design team were asked to imagine the worst consequences of an attack. They identified a scenario where an attacker could break into the cloud service and use it to remotely control pumps, possibly affecting flow reliability or water supply security. Utility executives felt this was too high a risk and therefore delayed plans to acquire cloud-based capabilities until the team could find a way to reduce this risk to almost zero.

Technical checks

When the high-impact consequences of a potential cyberattack are identified during the design phase, engineers have the power to adjust the physical parameters of the system in response. They can select technologies whose functionalities pose less risk in the event of misuse. They can change how processes work or adjust capabilities and tolerances to reduce the damage that negative consequences can cause. They can also introduce additional validations and checks to ensure the expected results.

Since these protections may incorporate physical barriers or other elements into an industrial process, they provide additional protection against cyber attacks when used with traditional cyber defense technologies. They can incorporate protections that thwart the avenues and limit the consequences of attacks.

Members of the utility’s design team looked at the functionality of the water pumps that an attacker might be able to access through the cloud-based service. They identified that the worst consequence would be for an attacker to start and stop remote pumps too quickly. They determined that installing a $50 analog timer relay in the pump controller would slow down remote start and stop commands, preventing an attacker who gained remote access from damaging the system. The utility chose to integrate this protection and proceeded to purchase the cost-effective cloud technology.
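The property the timer relay enforces, a minimum dwell time before a pump may change state again, can be expressed as a small model. The code below is an added illustration, not part of the original article or any utility's controller; the `PumpInterlock` class, the 30-second dwell time and the two command streams are constructed assumptions used to compare a rapid remote toggling stream against normal operator commands.

```python
from dataclasses import dataclass, field

@dataclass
class PumpInterlock:
    """Software model (hypothetical) of a minimum-dwell timer relay.

    A start/stop command is honoured only if the pump has been in its current
    state for at least `min_dwell_s` seconds; earlier commands are recorded as
    rejected and never reach the motor. Commands that match the current state
    are no-ops and are not recorded at all.
    """
    min_dwell_s: float
    running: bool = False
    last_change_s: float = float("-inf")   # no change yet: first command is allowed
    applied: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def command(self, want_running: bool, now_s: float) -> bool:
        if want_running == self.running:
            return False                    # nothing to do
        if now_s - self.last_change_s < self.min_dwell_s:
            self.rejected.append((now_s, want_running))
            return False                    # too soon: the relay holds the state
        self.running = want_running
        self.last_change_s = now_s
        self.applied.append((now_s, want_running))
        return True

def replay(commands, min_dwell_s):
    """Feed a timestamped (seconds, want_running) stream through the interlock
    and return it so the caller can inspect what reached the pump."""
    relay = PumpInterlock(min_dwell_s)
    for t, on in commands:
        relay.command(on, t)
    return relay

# Constructed sample streams (not captured from any real system):
# a remote stream toggling the pump every 2 s for one minute...
RAPID_TOGGLE = [(t, t % 4 == 0) for t in range(0, 60, 2)]
# ...and routine operator commands hours apart.
NORMAL_OPS = [(0, True), (3600, False), (7200, True)]

if __name__ == "__main__":
    for name, stream in (("rapid toggle", RAPID_TOGGLE), ("normal ops", NORMAL_OPS)):
        r = replay(stream, min_dwell_s=30)
        print(f"{name}: {len(r.applied)} state changes applied, {len(r.rejected)} rejected")
```

The point of the physical relay is that this check lives outside the software an attacker can reach; a purely software implementation in the same controller would only hold as long as that controller is not itself compromised.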

Active defense

When an infrastructure system is attacked by an adversary, system operators and information technology specialists must work together to ensure the continued operation of critical system functions and, at the same time, defend the system against the attack. Unless these actions are planned, documented, and practiced in advance, this process can be at best inefficient or at worst completely ineffective when an attack occurs.

As a result, cyber-informed engineering asks engineers to plan response approaches that allow the overall system to continue to operate, though perhaps not at its full level, even when critical elements or functionality are taken out of service. They team up with information technology specialists to develop intervention strategies as the system is designed, developed, tested and operated. They regularly perform drills to practice documented response procedures and measure their effectiveness. Rather than being passive in the event of a cyberattack, engineers and operators become an active part of the response team.

Most municipal water utilities rely on a supervisory control and data acquisition (SCADA) system to control their operational functions. This system has programming that maximizes the efficiency and effectiveness of the water system and oversees system operations far better than any human. Engineering and operations teams trained in basic cyber-informed engineering concepts develop procedures to follow in the event of attacks on their SCADA systems and conduct regular drills with their IT, engineering and operations teams, simulating scenarios where automation is unavailable or unreliable. Regular drills allow operations personnel to develop the skills required to operate water systems manually, if necessary, to maintain safe and reliable service to customers.

Owners of energy, water, and other critical infrastructure systems must be constantly prepared for cyberattacks that breach their external electronic defenses. Adding engineering-focused defensive measures improves their ability to resist attacks and prevent catastrophic consequences from them. The national cyber-informed engineering strategy provides the means to train engineers, develop tools and apply these cyber defense methods to current and future infrastructure. By identifying the possible catastrophic consequences of cyberattacks before they occur and eliminating the ability of adversaries to achieve the negative results they anticipate, we can dramatically improve the cyber defense of the infrastructure that performs some of the nation’s most critical functions.