US DOE’s National Cyber-Informed Engineering Strategy
The US Department of Energy (DOE) has released its Cyber-Informed Engineering (CIE) Strategy. DOE’s publication notes that “CIE is an emerging method to integrate cybersecurity considerations into the conception, design, development, and operation of any physical system that has digital connectivity, monitoring, or control. CIE approaches use design decisions and engineering controls to mitigate or even eliminate avenues for cyber-enabled attack, or reduce the consequences when an attack occurs.” DOE’s CIE Strategy is supported by five pillars: awareness, education, development, current infrastructure, and future infrastructure.
I’m not a big fan of the term “Cyber Informed Engineering” as it implies there is still some need for engineering that is NOT “cyber-informed.” The strategy is basically well-known and proven “build security in” or “secure by design” concepts that should be integrated into all energy system operational, upgrade, and new system efforts. Given that the world’s energy systems will change quite a bit over the next 20 years, now is the time to do that.
This is the most hopeful thing that one has heard in this space. In most industries we know what to do; we simply lack the will to do it. The energy sector is an exception. Because of the interdependencies in the grid, securing it is more complex than simply securing all the operators in the grid. Here, we need a strategic approach that goes across enterprises.
William Hugh Murray
This sprang from the 2019 National Defense Authorization Act for Fiscal Year 2020, which directed DOE to create this CIE strategy. Part of the idea is to engineer a system which is resistant to further attack once penetrated. The CIE in practice summary explains how this should be considered. Note that while this applies to critical infrastructure, there is applicability to important IT systems. Ask: if system A is compromised, what could then be reached easily, and how could you slow or stop the effectiveness of that lateral movement?
Read more in
Energy: National Cyber-Informed Engineering Strategy (PDF)