In an era where cyber threats are becoming increasingly sophisticated, the integrity of Operational Technology (OT) is key. While architects and engineers do not need to be cyber experts to create and produce successful designs and buildings, it is imperative that they are able to make informed decisions using Cyber-Informed Engineering (CIE) principles to enhance the resilience and security of our critical infrastructure.
“We may not be able to engineer out all risk, but there are choices we can make during the design stage to simplify the cyber security process,” Virginia Wright, Program Manager at the Idaho National Laboratory (INL), stated.
CIE is one of the most transformative approaches to OT security in over a decade. This proactive engineering approach integrates cybersecurity considerations into the design and development of OT systems, ensuring they are secure and resilient from the start.
Cyber Threats to OT Systems
OT environments, encompassing the systems and networks that power critical operations, are prime targets for cyberattacks. These systems are exposed to a range of cybersecurity risks and vulnerabilities that have the potential to cause significant disruptions. These vulnerabilities include mobile security breaches, web/application compromise, insider breaches, removable storage devices/media, Internet of Things (IoT)/network device compromise, and phishing/smishing.
Over the past three years, mobile security breaches and web compromises ranked highest in FORTINET’s 2024 State of Operational Technology and Cybersecurity Report, while insider breaches by bad actors were among the least common. The intrusion techniques used in cyberattacks ranked as follows:
2024 State of Operational Technology and Cybersecurity Report (FORTINET)
Cybersecurity measures must be integrated from the start of a project to protect these systems. Intelligent design and CIE are fundamentally linked, and together they enhance cybersecurity in OT systems. Adopting an intelligent design framework can serve as a powerful shield, protecting the future of OT against emerging challenges. Integrating cybersecurity measures seamlessly into the design process helps ensure that OT systems not only survive but thrive in a dynamic threat landscape.
The Principles of CIE
Rather than adding cybersecurity controls after the design is complete, CIE enables engineering to mitigate cyber-attacks at the earliest stage of design and throughout the system’s life cycle. INL developed a framework called the 12 Principles of CIE. While they are all important, there are five engineering-focused principles:
What essential operations must the system perform without fail, and what harmful outcomes must it be designed to avoid?
2. Engineering Controls: What safeguards limit potential attack paths or minimize the impact if one occurs?
3. Design Simplification: Which parts of the system are non-essential and can be removed without affecting its core mission?
4. Planned Resilience: What design will be most beneficial to the system so that it continues to function even if a disruption occurs?
5. Interdependency Evaluation: Which points of the system either depend on or influence other systems or missions? What are the potential cascading effects and interdependencies?
Robust Designs Are Essential
When designing infrastructure, incorporating a robust design is the key tool to protect OT environments from cyber threats, ensure operational continuity, and safeguard public safety. Proactive design strategies can anticipate vulnerabilities and mitigate risks. CIE principles play an integral part in the infrastructure’s initial design phase to enhance resilience and maintain operational efficiency.