Cyber threats targeting operational technology (OT) have posed a hazard for infrastructure engineers for more than a decade. Increased integration with IT systems has brought in extra attack vectors that can expose OT environments to the downstream consequences of hacks primarily launched against line-of-business applications.
Either way, OT attacks are differentiated in that they have physical consequences, such as production outages, equipment damage, environmental harms and human injuries or casualties. Waterfall Security’s 2024 threat report found that in 2023 there were 68 cyber attacks with physical consequences on OT networks (at more than 500 sites) – a 19% increase in incidents over 2022.
Much of the OT world relies on arrays of physical interfaces, such as industrial control systems, distributed control systems and supervisory control and data acquisition (SCADA) – each essential to national utilities, factories, assembly lines and many other heavy-duty use cases.
Engineers and technicians have always built systems with specified thresholds for functionality, reliability and safety. But while systems engineering includes critical safety and failure mode analysis, cyber security risks are often not specifically addressed – particularly those that concern intentional cyber compromise (denial of service), exploitation (ransomware, data exfiltration) and intentional misuse (malicious intent).
OT asset owners across sectors have retrofitted cyber security solutions into (or onto) installed infrastructure. Such defences, however, are not strictly ‘native’ to OT environments, and can introduce more security challenges. This means that OT systems have lacked defensive measures designed and built into the technology at its core. Cyber-informed engineering (CIE) has been developed in response to that need.
The CIE initiative was spurred on by the Colonial Pipeline attack in May 2021, in which a pipeline system originating in Texas suffered a ransomware attack that impacted the control equipment managing the pipeline’s operations.
Soon after, President Joe Biden approved Executive Order 14028: Improving the Nation’s Cybersecurity, described in some quarters as “the most comprehensive change to a national strategy for cyber security”. Crucially, the order highlighted the importance of identifying inherent vulnerabilities as much as ensuring effective safeguards are in place.
The following year the US Department of Energy released the congressionally directed National Cyber-Informed Engineering Strategy, in association with the Idaho National Laboratory and the National Renewable Energy Laboratory (NREL). The strategy recognises that, in a world where sophisticated cyber attacks on national infrastructure are on the rise, a way is needed to give OT engineers themselves the tools to address physical risks due to cyber attacks.
The strategy defines the core concepts designed to make cyber security foundational to engineering and energy systems design, but it is intended to be widely applicable across all OT sectors.
CIE extends ‘secure-by-design’ and ‘resilient-by-design’ software engineering principles to include the engineering of physical and cyber-physical systems. The CIE ideal factors cyber security considerations into the earliest stages of OT system design – before the application of control software and physical security features.
Moreover, it formulates a call to action for engineers and technicians to identify engineering controls and design decisions that could mitigate or eliminate attack vectors open to cyber threats and/or minimise the damage they can cause.
This approach creates opportunities for engineering teams to secure the system using the mechanics of engineering controls, in addition to digital monitoring and controls.
Controversially, perhaps, CIE calls on OT-engaged engineers to join up directly with an organisation’s defensive cyber-security effort, assuming responsibility for reinforcing the defensive strategy, rather than deferring to enterprise IT security chief officers and other cyber specialists.
CIE principles recognise the importance and necessity of deploying both engineering tools and conventional cyber-security practices systematically to better secure OT networks. CIE also enables engineers to integrate cyber security into the early design stages and throughout the life cycle of engineered systems – to ‘engineer out’ cyber risks and vulnerabilities – rather than installing security piecemeal after connected OT devices are already up and running.