S. Himmelstein | June 29, 2022
A framework for enhancing engineering training, tools and practices to build resilient clean energy systems designed to withstand cyber threats in the U.S. has been issued by the U.S. Department of Energy (DOE). The National Cyber-Informed Engineering (CIE) Strategy promotes incorporation of cybersecurity technology early in the design lifecycle of engineered systems to reduce cyber risks and vulnerabilities including threats by foreign actors.
The document delivers guidance on the application of cybersecurity technology across the engineering design lifecycle of grid development and ensures that automated systems on the grid are designed to be cybersecure and resilient. The strategy is organized into five pillars — awareness, education, development, current infrastructure and future infrastructure — and focuses on reducing or eliminating cyber vulnerabilities by engineering them out. Emphasis is also placed on reducing the likelihood of disruptions to critical energy infrastructure even if a cyber-attack is successful.
The CIE strategy guides an engineering team to consider and mitigate the potential for cyber compromise throughout the engineering design lifecycle, leveraging engineering solutions to limit the pathways for cyber sabotage, exploitation, theft and misuse within the system. In a fully mature CIE design, requirements would be developed to describe expectations for how the system would function and specific high-consequence cyber impacts that must be prevented within the system design.
The DOE platform embraces secure by design and zero trust software security strategies and expands these concepts beyond software engineering to the engineering of cyber-physical systems. The secure-by-design software development shifts the security focus from finding and patching vulnerabilities to eliminating design flaws in the architecture of a software system. Additionally, the strategy expands to build secure architectures into physical infrastructure systems with digital access or control.