
Engineering Cybersecurity into U.S. Critical Infrastructure


To better protect critical infrastructure in the United States from cyberattacks, the Biden administration is calling on organizations to build defenses into systems design and not rely solely on IT protections. This article explains the concepts of “cyber-informed engineering” and illustrates them with examples from the water sector.

In its National Cybersecurity Strategy, published on March 2, the Biden administration called for major changes in how the United States prioritizes the security of software systems used by critical infrastructure. It recognizes that the de facto approach, until now essentially “buyer beware,” leaves the entities least able to assess or defend against vulnerable software responsible for the effects of designed-in vulnerabilities, while the makers of the technology bear no responsibility. The strategy recommends a security-by-design approach that includes making software vendors responsible for upholding a “duty of care” to consumers and for systems designed to “fail to safe and easy to recover.”

For energy infrastructure, the strategy calls for the implementation of a “National cyber-informed engineering strategy” to achieve more effective cybersecurity protection. This article provides a high-level overview of what it entails.

The engineers who build our complex infrastructure systems use strict standards and procedures to ensure high levels of safety and reliability. However, most of these methods were developed well before the advent of modern cybersecurity, and have not yet guided engineers to consider cyberthreats, let alone design cybersecurity defenses in systems.

Through a cyber-informed engineering initiative, the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) aims to address that. With the help of the National Laboratories, CESER is engaged in an effort to educate engineers on how to design systems to remove the paths and reduce the effects of cyberattacks.

Early in the system design phase, engineers can identify critical system functions and determine how to engineer them in ways that will limit the effects of digital disruption or misuse. Combined with a strong IT security strategy, such cyber-informed engineering offers the opportunity to protect systems more effectively than IT security alone can.


Idaho National Laboratory is pioneering the development of cyber-informed engineering concepts and is working with CESER to educate others in industry, academia, and government on how to apply these concepts to real-world challenges. In this article, we will discuss some of the basic principles, and illustrate how they are implemented through a fictionalized account of a municipal water utility.

Outcome-Focused Design

The most important task of any organization is to ensure that its most critical functions are never interrupted. Engineers are trained to design robust systems, using specific methods to identify and prevent traditional failure modes. However, those methods cannot protect a system against a sophisticated cyberattack. That’s because adversaries often take advantage of a system’s inherent functionality to make it behave in an unwanted way, such as causing a tank to overflow or repeatedly turning power on and off to damage critical assets and disrupt operations.

In the practice of cyber-informed engineering, the first step that engineers take is to identify functions and related subsystems that have the potential to result in catastrophic consequences when used by an intelligent adversary. Then, as we will describe below, they can identify ways to prevent an attack, stop the negative consequences, or limit their impact.

For example, let’s say a municipal water utility is considering a new cloud-based service for monitoring and controlling (i.e., starting and stopping) a critical, remote pump station. Cloud technology can make operations more efficient and save significant work. In a cyber-informed design review, design team members were asked to imagine the worst-case outcome of an attack. They identified a scenario where an attacker could infiltrate the cloud service and use it to remotely control the pumps, which could affect the reliability of the flow or the safety of the water supply. The utility’s leaders considered this a very high risk and, as a result, delayed plans to acquire cloud-based capabilities until the team could develop a way to reduce this risk to approximately zero.

Designed Controls

If the high-impact consequences of a potential cyberattack are known during the design phase, engineers have the power to adjust physical system parameters in response. They can choose technologies that have features that are less dangerous if used improperly. They can change how processes work or adjust capacities and permissions to reduce the damage that negative outcomes can cause. They can also introduce additional validations and controls to ensure the expected results.

Since these protections can include physical barriers or other elements of an industrial process, they provide additional protection against cyberattacks when used with traditional cyber defense technologies. They can build defenses that block paths and limit the consequences of attacks.

Members of the utility’s design team examined the parts of the water pumps that an attacker could access through the cloud-based service. They found that the worst outcome would result from an attacker remotely starting and stopping the pumps too quickly. They determined that installing a $50 analog time-delay relay in the pump’s controller would slow down remote start and stop commands, preventing an attacker who gained remote access from damaging the system. The utility chose to incorporate this protection and proceeded with purchasing the cost-saving cloud technology.
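To make the time-delay relay idea concrete, here is an added simulation (not code from the utility or from the CESER/INL programme) that models the relay as a minimum-dwell interlock between the remote command path and the pump, replays a constructed command log through it, and shows how the rejected commands double as a detection signal for rapid cycling. The 60-second dwell time, the command log and the alert threshold are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass, field

# Constructed command log: (time_s, run, source). Normal operator start/stop,
# then a burst of start/stop toggles every 2 s from a compromised cloud session.
COMMANDS = [(0, True, "operator"), (3600, False, "operator")]
COMMANDS += [(7200 + 2 * i, i % 2 == 0, "cloud") for i in range(11)]
COMMANDS += [(10800, False, "operator")]


@dataclass
class DwellInterlock:
    """Models an analog time-delay relay in the pump controller: a state change
    is honoured only once the pump has been in its current state for at least
    min_dwell_s seconds. Earlier commands are dropped and recorded."""
    min_dwell_s: float                       # hypothetical relay setting
    running: bool = False
    last_change_s: float = float("-inf")
    rejected: list = field(default_factory=list)

    def command(self, t_s, run, source):
        """Apply a start (True) / stop (False) command; return True if state changed."""
        if run == self.running:
            return False                      # no-op: already in requested state
        if t_s - self.last_change_s < self.min_dwell_s:
            self.rejected.append((t_s, run, source))   # relay has not timed out
            return False
        self.running, self.last_change_s = run, t_s
        return True


def rapid_cycling_alert(rejected, window_s=60, threshold=3):
    """Detection hook: True if >= threshold commands were rejected within window_s."""
    times = [t for t, _, _ in rejected]
    return any(sum(1 for t in times if s <= t <= s + window_s) >= threshold
               for s in times)


def run_scenario(min_dwell_s):
    """Replay COMMANDS; return (state changes, rejected commands, alert raised)."""
    relay = DwellInterlock(min_dwell_s)
    changes = sum(relay.command(*c) for c in COMMANDS)
    return changes, len(relay.rejected), rapid_cycling_alert(relay.rejected)


if __name__ == "__main__":
    for dwell in (0, 60):                     # without and with the relay
        print(f"dwell={dwell}s -> changes, rejected, alert = {run_scenario(dwell)}")
```

Without the relay every toggle in the burst reaches the pump; with a 60-second dwell the burst collapses to a single state change, and the cluster of rejected commands is exactly the event an operator would want logged and alarmed.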

Active Defense

When an infrastructure system is attacked by an adversary, system operators and information technology specialists must work together to ensure the continuous operation of critical system functions and, at the same time, protect the system from the attack. Unless these actions are planned, documented, and practiced in advance, this process can be at best inefficient or, at worst, completely ineffective in the event of an attack.

Consequently, cyber-informed engineering calls for engineers to plan response strategies that allow the overall system to continue to function, although perhaps not at full capacity, even if critical elements or parts are out of commission. They partner with information technology specialists to develop response strategies as the system is designed, developed, tested, and operated. They regularly conduct exercises to practice documented response methods and measure their effectiveness. Instead of being passive in the event of a cyberattack, engineers and operators can be an active part of the response team.

Most municipal water utilities rely on an automated supervisory control and data acquisition (SCADA) system to control their operational functions. This system has programs that maximize the efficiency and effectiveness of the water system and manage system operations better than any human could. Engineering and operations teams trained in core cyber-informed engineering concepts develop procedures to follow in the event of attacks on their SCADA systems and conduct regular exercises with their IT, engineering, and operations teams, simulating scenarios where automation is unavailable or unreliable. Regular exercises allow operational staff to develop the skills needed to operate water systems manually, if necessary, to maintain safe and reliable service to customers.

Owners of energy, water, and other critical infrastructure systems must continually be prepared to deal with cyberattacks that breach their external electronic defenses. Adding engineering-led defense measures improves their ability to withstand and prevent catastrophic consequences from cyberattacks. The national strategy for cyber-informed engineering provides a way to educate engineers, develop tools, and apply these cyber-defense methods to current and future infrastructures. By identifying the possible catastrophic consequences of cyberattacks before they occur and eliminating the ability of adversaries to achieve the negative consequences they desire, we can improve the cyber defense of infrastructures which perform some of the country’s most critical functions.
