The Department of Energy plans to issue the National Cyber-Informed Engineering Strategy next week to incorporate and strengthen cybersecurity awareness and practices into engineering activities across the country, according to a DOE cyber leader at the RSA Conference in San Francisco Monday.
DOE and key stakeholders began developing a National CIE Strategy after Congress mandated the formation of the strategy in the fiscal year 2020 National Defense Authorization Act. This development will culminate next week in a national five-pillar strategy, said Cheri Caddy, Senior Advisor for the DOE Office of Cybersecurity, Energy Security, and Emerging Response.
The five pillars of the strategy revolve around awareness, education, development, CIE application across current infrastructure, and building CIE into new infrastructure.
“Providing that foundation of knowledge, of education, of the tools, of research, that body of work to support engineers and then examples of successful applications is really again—we’re looking at the goal of making sure that we’re addressing cybersecurity in the earliest stage possible rather than bolting it on at the end,” Caddy said during an RSA presentation on Monday.
In implementing this five-part strategy, DOE and its stakeholders aim to apply design decisions and engineering controls to mitigate avenues for cyberattacks, “engineer out” cybersecurity risks throughout engineering design and operation lifecycles, as well as develop education and culture around security in engineering and critical infrastructure fields.
From the awareness and education standpoints, Caddy said it’s critical that DOE and stakeholders across engineering industries develop community-wide efforts with foundational cybersecurity information and practices for engineers to consider in their work.
The development pillar looks to build the body of knowledge for CIE applications and implementation so new CIE standards are compatible with or fill gaps in current engineering and cybersecurity standards in fields like the energy sector.
Some strategic recommendations for CIE development include leveraging DOE’s national laboratories and partners in academia, government and industry to continually improve applicability of CIE. The strategy task force also recommends creating a CIE Center of Excellence and open-source library of CIE tools, case studies and lessons.
The infrastructure pillars look to apply CIE to existing and legacy infrastructure, new infrastructure systems and emerging technology. Many energy and critical infrastructure system lifecycles last longer than 30 years, Caddy added, so it’s important to address CIE issues within legacy architecture.
“How do we adopt red teaming approaches?” she said. “How do we have a look at consequence impacts of cybersecurity compromises, affordable systems, and use that to help prioritize which things need the most cybersecurity infused in current infrastructure?”
Some other key aspects around legacy infrastructure include embedding CIE into procurement decisions and providing incentives for asset owners who invest in applying CIE principles to secure higher-priority current infrastructure.
Future DOE-supported infrastructure will help decarbonize the energy grid and incorporate more renewable energy technologies, initiatives that will receive R&D funds from the $1 trillion Infrastructure Investment and Jobs Act of 2021 (IIJA), signed into law by President Joe Biden late last year. Caddy said CIE will be a component considered when granting those funds.
As the government makes new investments in critical infrastructure, the National CIE Strategy aims to work with the energy sector to apply CIE principles across the full lifecycle of newly commissioned critical infrastructure systems.
While DOE is on its way to releasing the National CIE Strategy, Caddy said there are already some early adopters of CIE at Boise State University, Auburn University and University of Texas San Antonio. Design teams at the Defense Department are also working on building out CIE concepts.