DOE adds two new resources to advance awareness, implementation of CIE in energy sector

The U.S. Department of Energy (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) published Wednesday two resources to support the implementation of several recommendations from the National Cyber-Informed Engineering (CIE) Strategy. CESER developed the CIE Resource Library and the CIE Implementation Guide from its outreach initiative that supports energy partners at the forefront of implementing CIE across the sector.

Focused on strengthening the sector’s ability to identify and mitigate cyber vulnerabilities, the strategy, developed by the Securing Energy Infrastructure Executive Task Force at the direction of Congress, provided recommended actions to enable the energy sector to lead the nation in incorporating CIE by proactively building cybersecurity into the design of infrastructure systems.

“The National CIE Strategy provides a critical framework for the delivery of a more secure and resilient energy sector in the United States,” Puesh Kumar, director of CESER, said in a media statement. “The new resources will enable practitioners across the sector to actively pursue a secure-by-design approach to the energy systems of the future.”

“A decade of DOE research in critical infrastructure vulnerability analysis has resulted in the CIE Implementation Guide,” according to Zach Tudor, associate laboratory director for national and homeland security S&T at INL. “This broadly consumable analysis tool guides identification and mitigation of cyber vulnerabilities in the design of energy systems before they become critical infrastructure.”  

“Cybersecurity for critical infrastructure is evolving rapidly, to keep pace with our rapidly evolving systems and technologies. This is why it is crucial that we think about cybersecurity from the start, injecting it into the design of these systems,” Juan Torres, associate laboratory director for energy systems integration at NREL, said. “The CIE Implementation Guide provides engineers a framework to embed cybersecurity into system design through engineering decisions.” 

The U.S. energy sector is leading the way in secure-by-design approaches to critical infrastructure cybersecurity, positioning a more secure future for America’s energy infrastructure. To support a shift of this magnitude in energy infrastructure design and operations, CESER, Idaho National Laboratory (INL), and the National Renewable Energy Laboratory (NREL) engaged with industry stakeholders to determine critical considerations to implement design-level mitigations for cybersecurity vulnerabilities. 

CIE extends ‘secure-by-design’ concepts beyond information technology (IT) and software engineering to include cyber-physical systems engineering. Secure-by-design approaches typically describe a shift in focus for software developers from finding and patching vulnerabilities to eliminating the design flaws in the software architecture that enable those vulnerabilities. CIE extends this concept beyond software design, introducing cybersecurity considerations that engineers can address at the earliest stages of system engineering, long before the incorporation of software and security controls.

Traditionally, engineering design teams have not recognized the opportunity to create cybersecurity improvements in systems through initial design and engineering decisions. These opportunities, if missed, are often costly or even impossible to implement later in the development process, potentially leaving in place cyber risks that security teams must endlessly manage and monitor. Enabling cybersecurity considerations at the beginning of the system lifecycle not only avoids this outcome but creates new opportunities to secure the system using physics and mechanics, not just digital monitoring and controls.

The practice allows the engineering team to better tailor digital system protections according to the overall system risk and to consider the impacts of digital failure or cyber attack on the overall system development process. Ultimately, the use of CIE to address cyber-physical risks will be recognized as part of the overall ‘standard of care’ for engineering design. While these concepts can be most fruitful when considering the design of a new system, they are helpful to consider even for a currently existing system to raise the engineering-based protections that the system employs for digital failure or cybersecurity risk.

System or design engineers applying the CIE principles will require proactive collaboration with other engineering disciplines, as well as IT and cybersecurity specialists and other business units. Effectively answering the questions laid out in the guide requires a multi-stakeholder approach to systems and engineering design, where security, risk management, and other business function leaders team up with engineers early in system design. This enables a shift in systems engineering that will create a culture of cybersecurity aligned with the existing industry safety culture.

The CIE Resource Library consists of tools, case studies, and lessons that will continue to support designers, manufacturers, and asset owners and operators, in applying CIE principles. CESER also cataloged DOE-led CIE research spanning a decade, including work from a variety of sources and applications of CIE. As future research on CIE is produced, this library will highlight advanced implementation insights and lessons learned. 

The library of materials is intended to support designers, vendors, manufacturers, and asset owners and operators, to apply CIE principles. The material in the library has been derived from leveraging outputs of the implementation of the CIE strategy along its five pillars – Awareness, Education, Development, Current Infrastructure, and Future Infrastructure.

Published last month, the CIE Implementation Guide covers the principles of CIE and outlines questions that engineering teams should consider during each phase of a system’s lifecycle to employ these principles. It expands cybersecurity decisions into the engineering space, not by asking engineers to become cyber experts, but by calling on engineers to apply engineering tools and make engineering decisions that improve cybersecurity outcomes.

The CIE Implementation Guide outlines questions engineering teams should consider during each phase of a system’s life cycle to employ CIE principles. The guide is geared toward supporting engineers who design, build, operate, and maintain the physical infrastructure; they are best positioned to leverage CIE to diminish the severity of cyber attacks or digital technology failures during the system’s engineering design.  

The document describes the principles of CIE and outlines questions that engineering teams should consider during each phase of a system’s life cycle to effectively employ these principles. It describes what it means to engineer systems in a cyber-informed way, rather than offering a comprehensive, step-by-step process or procedure for CIE implementation. 

The guide complements—but does not replace—the application of cybersecurity standards or practices currently in place within an organization. Engineers and technicians who design critical energy infrastructure installations can use the Implementation Guide to integrate the 12 principles of CIE into each phase of the engineering lifecycle, from concept to retirement. 

The guide is aimed at system or design engineers, rather than software engineers or operational cybersecurity practitioners, as the engineers who design, build, operate, and maintain the physical infrastructure are best positioned to leverage a system’s engineering design to diminish the severity of cyber attacks or digital technology failures. 

Additionally, CIE expands cybersecurity decisions into the engineering space, not by asking engineers to become cyber experts, but by calling on engineers to apply engineering tools and make engineering decisions that improve cybersecurity outcomes. CIE examines the engineering consequences that a sophisticated cyber attacker could achieve and drives engineering changes that may provide deterministic mitigations to limit or eliminate those consequences.

The latest material was shared at a CIE Practitioner’s Workshop, hosted by Auburn University on Wednesday. Attendees of this live virtual event will learn from experienced industry practitioners as they discuss a variety of topics, such as applying CIE in industry, linking CIE with standards, and leveraging CIE in research and development.

The DOE announced Tuesday that its OT Defender Fellowship has opened applications for the 2024 cohort. The move focuses on strengthening cybersecurity across the energy sector through public-private partnerships. Applications will close on Sept. 30. The OT Defender Fellowship is open to middle- and senior-level employees at asset owner-operators in the energy sector, including electricity, oil, natural gas, and renewable energy companies.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.