Cyber-Informed Engineering (CIE) resulted from consistent evaluation that engineers and associated technical staff were not capitalizing on opportunities within the early design lifecycle of engineered systems to reduce cyber risk. Instead, cybersecurity mitigations were added at the late-stage of testing and operational deployment by cybersecurity specialists without the engineer’s deep awareness of the critical functions performed by the engineered system and the key hazards it could face. This late-stage mitigation of risk leaves gaps which an ever-advancing adversary is well aware of. Cyber-Informed Engineering provides a framework for a change in philosophy and engineering practices to proactively secure existing digital infrastructure and build new systems designed to withstand the modern and future cyber-adversary.

Cybersecurity

Implementing the measures required to secure digital devices from unintended or unauthorized access with malicious intent while protecting National Security attributes; damage to stakeholder confidence and trust; often used synonymously with the term computer security.

+ Engineering

Including the cyberattack and defense perspective into the engineering process. Consolidate and characterize the risks from introducing digital technology to an engineering strategy and informed awareness of the cyberthreat to mitigate such risks.

= Cyber-Informed Engineering

Identification and mitigation of the inherent risks of digital technology (which manifest through failure, malign disruption, or compromise )by including cybersecurity as a core element of engineering risk management.

CIE Highlights

CISA Cybersecurity Summit 2021

Cyber Informed Engineering

October 27, 2021
Zach Tudor, Associate Lab Director, National and Homeland Security Idaho National Laboratory

S&P Global Platts

Cyber-informed Engineering Perspective Needed for Cyber-defense

February 1, 2021
Article by Ingrid Lexova

Resilience Week 2020

CIE Presentation by Virginia Wright

Resilience Week
Virtual, October 19-23, 2020

RSA Conference 2019

Better Securing the Now and the Next: Applying Engineering Base Principles to Achieve Demonstrably Better Cybersecurity

March 4, 2019
Presented by Andy Bochman and Virginia Wright

Reference Architecture Profiles for Energy Industrial Control Systems

The Securing Energy Infrastructure Executive Task Force (SEI ETF) has developed several reference architectures profiles for energy industrial control systems that address gaps in existing models. These profiles are designed specifically for the electrical sector, are not limited to localized industrial processes, are not focused on properties of information passing between devices and are flexible enough to reflect advances in technology and design practices.

Learn More

Changing the Engineering Mindset

The Department of Energy (DOE) and INL have developed a framework to guide the application of cybersecurity principles across the engineering design lifecycle. The Cyber-Informed Engineering (CIE) framework and body of knowledge drives the inclusion of cybersecurity as a foundational element of risk management for engineering of functions aided by digital technology. Consequence-Driven Cyber-Informed Engineering (CCE) is a rigorous process for applying CIE’s core principles to a specific organization, facility, or mission by identifying their most critical functions, methods and means an adversary would likely use to manipulate or compromise them, and determining the most effective means of removing or mitigating those risks.

CIE emphasizes “engineering out” potential risk in key areas, as well as ensuring resiliency and response maturity within the design of the engineered system. The following CIE framework shows some of the key focus areas and how the relate to the CCE Methodology. CCE walks an organization through core components of CIE in CCE’s 4-phase process to evaluate and remove or mitigate weaknesses in their critical functions.

Additional Resources

Papers

Reducing the Cyber Threat to Digital Systems

INL Cyber Informed Engineering - 2017

Fermilab Colloquium - 2016

The Need for Cyber-informed Engineering Expertise for Nuclear Research Reactors

Presentations

RSA Conference - Engineering Out the Cyber-Risk...

CIE - Domestic Nuclear Cyber

Additional Resources

CCE ACCELERATE Training

OT Defender Fellowship

Cyber Testing for Resilient Industrial Control Systems (CyTRICS)

Additional Resources

In this section we have listed supporting papers and presentations to the CIE foundations. In addition, there is supplemental information on complimentary and supporting efforts to the program.

iStock scaled

Reducing the Cyber Threat to Digital Systems

Written by Nuclear Threat Initiative (NTI) staff with the assistance of Michael Assante, Robert Anderson and Rob Hoffman

Cyber threats are increasingly one of the major threat facing governments and industrial facility operators. One of the foundational issues that makes protection from such attacks increasingly difficult is the complexity of today’s networks and systems.

INL Cyber Informed Engineering - 2017

INL Report by Robert Anderson, Jacob Benjamin, Virginia Wright, Luis Quinones, Jonathan Paz

Published March 2017

A continuing challenge for engineers who utilize digital systems is to understand the impact of cyber-attacks across the entire product and program lifecycle. This is a challenge due to the evolving nature of cyber threats that may impact the design, development, deployment, and operational phases of all systems. Cyber Informed Engineering is the process by which engineers are made aware of both how to use their engineering knowledge to positively impact the cyber security in the processes by which they architect and design components and the services and security of the components themselves.

Cyber Informed Engineering, March 2017 PDF

Fermilab Colloquium - 2016

Published June 2016

Written by Virginia Wright

Cyber informed engineering (CIE) is a body of knowledge and methodologies to characterize and mitigate risks presented by the introduction of digital technology in this formerly analog environment, focused on the application of traditional engineering techniques informed by an awareness of cyber-security threat and mitigation methods. This talk will describe how managers and engineers can participate in mitigating cyber-security risk in engineering projects throughout the design and installation life cycle.

The Need for Cyber-informed Engineering Expertise for Nuclear Research Reactors

International Conference on Research Reactors: Safe Management and Effective Utilization, 2015

Written by Rob Anderson and Joseph Price

This paper examines the need for cyber-informed engineering practices that encompass the entire engineering life cycle. Cyber-informed engineering, as referenced in this paper, is the inclusion of cybersecurity into the engineering process. This paper addresses several attributes of this process and the long-term goal of developing additional cyber-safety basis analysis and trust principles. With a culture of free information-sharing exchanges, and potentially a lack of security expertise, new risk analysis and design methodologies need to be developed to address this rapidly evolving (cyber) threatscape.

RSA Conference - Engineering Out the Cyber-Risk...

RSA Conference 2019
Presenters: Virginia Wright and Andrew Bochman

It is dawning on critical infrastructure operators that even the best cyber-hygiene—the sum total of all we now do in cybersecurity—cannot be counted on to keep well-resourced attackers from touching their most critical processes and the systems that support them. This talk will introduce a new approach that draws from engineering first principals to take the highest value targets off the table.

PRESENTATION PDF

CIE - Domestic Nuclear Cyber

An introduction of CIE and how it pertains to nuclear energy and cybersecurity.

By Virginia Wright

PRESENTATION PDF

CCE ACCELERATE Training

Accelerate Training provides participants with a fundamental knowledge of the CCE methodology focused on securing the nation’s critical infrastructure systems. Participants should be critical infrastructure owners, operators, vendors, and manufacturers.

To schedule training, please contact:
cce@inl.gov

nhs Methodology

For More Information

CIE Program Manager

Virginia Wright

Send a Message

INL Media Contact

Ethan Huffman

Phone: 208-526-5015

Send a Message