Full Report
At the S4x25 conference, one of the sessions highlighted the transformative role of Cyber Informed Engineering (CIE) in... (Source: "S4x25: Integrating cyber informed engineering in water sector", Industrial Cyber.)
Analysis Summary
# Best Practices: Integrating Cyber Informed Engineering (CIE) in Water Sector Infrastructure
## Overview
These practices focus on integrating cybersecurity principles directly into the engineering lifecycle of critical infrastructure systems, specifically within the water and wastewater sector. The goal of Cyber Informed Engineering (CIE) is to embed security considerations from the ground up—influencing design, operations, and organizational practices—to enhance system resilience against cyber incidents.
## Key Recommendations
### Immediate Actions
1. **Identify Critical Assets and Consequences:** Immediately document the most critical water/wastewater processes and determine the most severe physical, health, or operational consequences that a cyber incident could induce. (Focus on **Consequence-Focused Design**).
2. **Review Current Design Documentation:** Conduct an initial review of existing design standards and procurement checklists to identify where cybersecurity requirements are currently missing or inadequately addressed.
3. **Establish IT/OT Crossover Awareness:** Facilitate initial joint sessions between IT security teams and OT/Engineering staff to establish common language and understanding of operational constraints versus security mandates.
### Short-term Improvements (1-3 months)
1. **Integrate CIE Principles into Procurement:** Mandate that all new system procurements (e.g., PLCs, RTUs, HMIs) explicitly require vendor adherence to defined cybersecurity standards as a condition of purchase.
2. **Develop Engineered Control Narratives:** Begin documenting specific engineered controls (physical and digital safeguards) that are prioritized based on the highest consequence scenarios identified in immediate actions.
3. **Implement Basic Active Defense Monitoring:** Deploy foundational monitoring capabilities (e.g., simple network flow monitoring or log aggregation) on key OT segments to build initial operational awareness of network behavior.
### Long-term Strategy (3+ months)
1. **Formalize CIE into Engineering Lifecycle:** Establish a formal, documented process where cybersecurity reviews and risk assessments become mandatory gates within the standard Facility Design Lifecycle (e.g., conceptual design, detailed engineering, commissioning).
2. **Implement Advanced Active Defense:** Integrate industrial monitoring solutions capable of deep protocol inspection and anomaly detection within the operational network to enable real-time threat detection and response.
3. **Develop Consequence-Driven Incident Response:** Update incident response plans to specifically address scenarios prioritized by the physical consequences (e.g., procedures for safe manual operation or graceful degradation when a cyber incident occurs).
## Implementation Guidance
### For Small Organizations
- **Focus on Vendor Requirements:** Since in-house expertise may be limited, heavily rely on the contractual requirements placed on System Integrators and OEMs to meet baseline cybersecurity specifications during any system upgrade.
- **Prioritize Physical Segmentation:** Focus immediate architectural efforts on basic, robust physical separation (air gaps or data diodes/unidirectional gateways where feasible) between enterprise IT and critical operational networks.
### For Medium Organizations
- **Dedicated Cross-Functional Team:** Establish a small, dedicated team comprising representation from Engineering, Operations, and IT to govern the integration of CIE requirements into new projects.
- **Document "Lessons Learned" Systematically:** Formalize the capture of security lessons from any minor operational issues or near misses, and feed them directly back into the engineering standards (closing the feedback loop).
### For Large Enterprises
- **Establish Organizational CIE Framework:** Develop a comprehensive, formalized Cyber Informed Engineering framework aligned with organizational risk tolerance, ensuring consistency across multiple sites or complex interdependencies.
- **Develop Software/Hardware Assurance Programs:** Implement formal processes for testing, vetting, and approving libraries, operating systems, and field devices for known vulnerabilities *before* they are deployed into the OT environment.
## Configuration Examples
*(Note: Specific configuration steps were not detailed in the provided text, but the focus areas suggest configuration must be driven by consequence analysis.)*
**Focus Area:** Engineered Controls
**Guidance:** Define specific configurations for boundary devices (e.g., firewall rules, protocol gateways) based on the lowest acceptable risk level defined by potential physical consequence. For example, configuring HMI access to only allow read-only commands across a zone boundary unless an explicit override procedure is followed.
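As an added illustration of the read-only boundary just described (this is not code from the article or from any S4x25 speaker), the check below assumes the boundary device parses Modbus/TCP, treats function codes 1-4 as reads and 5/6/15/16 as writes, and models the "explicit override procedure" as an operator-recorded change ticket per field device; the function-code sets, the ticket id and the sample frames are assumptions or constructed values.

```python
import struct
from dataclasses import dataclass, field

# Modbus function codes (assumed protocol for this illustration).
READ_FUNCTIONS = {1, 2, 3, 4}            # read coils / inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16}         # write coils / registers
HEADER_LEN = 7                           # MBAP header: tid, pid, length, unit

@dataclass
class BoundaryPolicy:
    """Read-only zone boundary with an explicit, per-device override."""
    overrides: dict = field(default_factory=dict)  # unit id -> ticket id

    def open_override(self, unit_id: int, ticket: str) -> None:
        # Hypothetical override procedure: operator records a change ticket
        # before writes to that one device are permitted across the boundary.
        self.overrides[unit_id] = ticket

def parse_request(frame: bytes) -> tuple[int, int]:
    """Return (unit id, function code) from a Modbus/TCP request or raise."""
    if len(frame) < HEADER_LEN + 1:
        raise ValueError("truncated frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:HEADER_LEN])
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:         # length field counts unit id + PDU
        raise ValueError("length field does not match frame")
    return unit, frame[HEADER_LEN]

def evaluate(policy: BoundaryPolicy, frame: bytes) -> tuple[str, str]:
    """Decide ALLOW / ALLOW-OVERRIDE / DENY for one request; default deny."""
    try:
        unit, fc = parse_request(frame)
    except ValueError as exc:
        return "DENY", f"malformed: {exc}"
    if fc in READ_FUNCTIONS:
        return "ALLOW", f"read fc={fc} unit={unit}"
    if fc in WRITE_FUNCTIONS:
        ticket = policy.overrides.get(unit)
        if ticket:
            return "ALLOW-OVERRIDE", f"write fc={fc} unit={unit} ticket={ticket}"
        return "DENY", f"write fc={fc} unit={unit} without override"
    return "DENY", f"unlisted fc={fc} unit={unit}"   # diagnostics, vendor codes

# Constructed sample requests (not captured traffic): read 10 holding
# registers from unit 1, and write one holding register on unit 1.
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "0000000a")
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "00100001")
```

Writes are denied until `open_override(unit_id, ticket)` has been recorded for that specific device, and anything the parser cannot fully validate is denied rather than passed through.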
## Compliance Alignment
The principles outlined within Cyber Informed Engineering strongly align with requirements from:
- **NIST Cybersecurity Framework (CSF):** Particularly the **Identify** (Asset Management, Risk Assessment) and **Protect** (Protective Technology, Maintenance) functions, as CIE inherently focuses on risk-driven protection.
- **NIST SP 800-82 (Guide to Operational Technology Security):** Its ICS/OT-specific guidance is needed to translate high-level CIE goals into actionable system hardening.
- **CISA Guidelines:** Adherence to any relevant CISA directives concerning critical infrastructure resilience and security postures, especially regarding operational continuity.
## Common Pitfalls to Avoid
- **"Bolt-On" Security:** Avoid treating cybersecurity as a final checklist item performed just before commissioning. If security is not part of the initial design mandate, retrofitting it will be costly and far less effective.
- **Ignoring Operational Constraints:** Do not impose purely IT-centric security solutions without understanding the real-time availability and reliability requirements of the water process (e.g., using authentication methods that cause unacceptable latency).
- **Lack of Ownership Transfer:** Failing to transfer knowledge from the design/engineering team to the long-term operations and maintenance staff means security controls will degrade without proper understanding or maintenance.
## Resources
* **Cyber Informed Engineering (CIE) Documentation:** Reference primary publications from national laboratories (such as the Idaho National Laboratory (INL) work on CIE) for comprehensive frameworks.
* **Industrial Control System (ICS) Security Standards:** Utilize best practices outlined in recognized standards focused on operational technology security.
* **S4x Conference Proceedings:** Review materials from the S4 events focusing on resilience and actionable strategies for critical infrastructure.