Cyber Informed Engineering Implementation Guide: Version 1.0: U.S. Department of Energy (DOE), Office of Cybersecurity, Energy Security, and Emergency Response (CESER)

Robert Anderson; Victor Atkins; Marco Ayala; KatherineAnne Baker; Lance Barnes; Krystel Castillo; Samuel Chanoski; Joel Cox; Robert Edsall; Rob Foy; Tim Gale; Jeff Gellner; Rich Graham; Daniel Groves; Mary Holtz; Stephanie Johnson; Jeremy Jones; Lindsay Kishter; Katya Le Blanc; Sin Loo; Richard Macwan; Joseph Mahanes; Maurice Martin; Shane McFly; Timothy McJunkin; Jakob Meng; Matt Morris; Andrew Ohrt; Waylon Pattison; Jessica Robinson; Daniel Rucinski; Marc Sachs; Greg Shannon; Jeremy Smith; Venkatesh Venkataramanan; Emily Waligoske; Justin Welch; Gareth Williams; Zane Wilsterman; Virginia Wright

doi:10.2172/2004921

Cyber Informed Engineering Implementation Guide: Version 1.0: U.S. Department of Energy (DOE), Office of Cybersecurity, Energy Security, and Emergency Response (CESER)

Robert Anderson, Victor Atkins, Marco Ayala, KatherineAnne Baker, Lance Barnes, Krystel Castillo, Samuel Chanoski, Joel Cox, Robert Edsall, Rob Foy, Tim Gale, Jeff Gellner, Rich Graham, Daniel Groves, Mary Holtz, Stephanie Johnson, Jeremy Jones, Lindsay Kishter, Katya Le Blanc, Sin LooRichard Macwan, Joseph Mahanes, Maurice Martin, Shane McFly, Timothy McJunkin, Jakob Meng, Matt Morris, Andrew Ohrt, Waylon Pattison, Jessica Robinson, Daniel Rucinski, Marc Sachs, Greg Shannon, Jeremy Smith, Venkatesh Venkataramanan, Emily Waligoske, Justin Welch, Gareth Williams, Zane Wilsterman, Virginia Wright

Energy Security and Resilience Center

Research output: NREL › Technical Report

Abstract

This Implementation Guide describes the principles of Cyber-Informed Engineering (CIE) and outlines questions that engineering teams should consider during each phase of a system's lifecycle to effectively employ these principles. It describes what it means to engineer systems in a cyber-informed way, rather than offering a comprehensive, step-by-step process or procedure for CIE implementation. This guide complements - but does not replace - the application of cybersecurity standards or practices currently in place within an organization. Engineers and technicians that design critical energy infrastructure installations can use this Implementation Guide to integrate the 12 principles of CIE into each phase of the engineering lifecycle, from concept to retirement. The guide is aimed at system or design engineers, rather than software engineers or operational cybersecurity practitioners. The engineers who design, build, operate, and maintain the physical infrastructure are best positioned to leverage a system's engineering design to diminish the severity of cyber attacks or digital technology failures. CIE expands cybersecurity decisions into the engineering space, not by asking engineers to become cyber experts, but by calling on engineers to apply engineering tools and make engineering decisions that improve cybersecurity outcomes. CIE examines the engineering consequences that a sophisticated cyber attacker could achieve and drives engineering changes that may provide deterministic mitigations to limit or eliminate those consequences.

Original language	American English
Number of pages	170
DOIs	https://doi.org/10.2172/2004921
State	Published - 2023

NREL Publication Number

NREL/TP-5R00-87145

Other Report Number

INL/RPT-23-74072

Keywords

cyber informed engineering
cyber resilience
cybersecurity
cybersecurity culture
security by design
systems engineering

Access to Document

10.2172/2004921

https://inldigitallibrary.inl.gov/sites/sti/sti/Sort_67122.pdf

Cite this

Anderson, R., Atkins, V., Ayala, M., Baker, K., Barnes, L., Castillo, K., Chanoski, S., Cox, J., Edsall, R., Foy, R., Gale, T., Gellner, J., Graham, R., Groves, D., Holtz, M., Johnson, S., Jones, J., Kishter, L., Le Blanc, K., ... Wright, V. (2023). Cyber Informed Engineering Implementation Guide: Version 1.0: U.S. Department of Energy (DOE), Office of Cybersecurity, Energy Security, and Emergency Response (CESER). https://doi.org/10.2172/2004921

@misc{af7811ea1232430a8096f44d248f748c,

title = "Cyber Informed Engineering Implementation Guide: Version 1.0: U.S. Department of Energy (DOE), Office of Cybersecurity, Energy Security, and Emergency Response (CESER)",

abstract = "This Implementation Guide describes the principles of Cyber-Informed Engineering (CIE) and outlines questions that engineering teams should consider during each phase of a system's lifecycle to effectively employ these principles. It describes what it means to engineer systems in a cyber-informed way, rather than offering a comprehensive, step-by-step process or procedure for CIE implementation. This guide complements - but does not replace - the application of cybersecurity standards or practices currently in place within an organization. Engineers and technicians that design critical energy infrastructure installations can use this Implementation Guide to integrate the 12 principles of CIE into each phase of the engineering lifecycle, from concept to retirement. The guide is aimed at system or design engineers, rather than software engineers or operational cybersecurity practitioners. The engineers who design, build, operate, and maintain the physical infrastructure are best positioned to leverage a system's engineering design to diminish the severity of cyber attacks or digital technology failures. CIE expands cybersecurity decisions into the engineering space, not by asking engineers to become cyber experts, but by calling on engineers to apply engineering tools and make engineering decisions that improve cybersecurity outcomes. CIE examines the engineering consequences that a sophisticated cyber attacker could achieve and drives engineering changes that may provide deterministic mitigations to limit or eliminate those consequences.",

keywords = "cyber informed engineering, cyber resilience, cybersecurity, cybersecurity culture, security by design, systems engineering",

author = "Robert Anderson and Victor Atkins and Marco Ayala and KatherineAnne Baker and Lance Barnes and Krystel Castillo and Samuel Chanoski and Joel Cox and Robert Edsall and Rob Foy and Tim Gale and Jeff Gellner and Rich Graham and Daniel Groves and Mary Holtz and Stephanie Johnson and Jeremy Jones and Lindsay Kishter and {Le Blanc}, Katya and Sin Loo and Richard Macwan and Joseph Mahanes and Maurice Martin and Shane McFly and Timothy McJunkin and Jakob Meng and Matt Morris and Andrew Ohrt and Waylon Pattison and Jessica Robinson and Daniel Rucinski and Marc Sachs and Greg Shannon and Jeremy Smith and Venkatesh Venkataramanan and Emily Waligoske and Justin Welch and Gareth Williams and Zane Wilsterman and Virginia Wright",

year = "2023",

doi = "10.2172/2004921",

language = "American English",

type = "Other",

}

Anderson, R, Atkins, V, Ayala, M, Baker, K, Barnes, L, Castillo, K, Chanoski, S, Cox, J, Edsall, R, Foy, R, Gale, T, Gellner, J, Graham, R, Groves, D, Holtz, M, Johnson, S, Jones, J, Kishter, L, Le Blanc, K, Loo, S, Macwan, R, Mahanes, J, Martin, M , McFly, S, McJunkin, T, Meng, J, Morris, M, Ohrt, A, Pattison, W, Robinson, J, Rucinski, D, Sachs, M, Shannon, G, Smith, J, Venkataramanan, V , Waligoske, E, Welch, J, Williams, G, Wilsterman, Z & Wright, V 2023, Cyber Informed Engineering Implementation Guide: Version 1.0: U.S. Department of Energy (DOE), Office of Cybersecurity, Energy Security, and Emergency Response (CESER).. https://doi.org/10.2172/2004921

TY - GEN

T1 - Cyber Informed Engineering Implementation Guide: Version 1.0

T2 - U.S. Department of Energy (DOE), Office of Cybersecurity, Energy Security, and Emergency Response (CESER)

AU - Anderson, Robert

AU - Atkins, Victor

AU - Ayala, Marco

AU - Baker, KatherineAnne

AU - Barnes, Lance

AU - Castillo, Krystel

AU - Chanoski, Samuel

AU - Cox, Joel

AU - Edsall, Robert

AU - Foy, Rob

AU - Gale, Tim

AU - Gellner, Jeff

AU - Graham, Rich

AU - Groves, Daniel

AU - Holtz, Mary

AU - Johnson, Stephanie

AU - Jones, Jeremy

AU - Kishter, Lindsay

AU - Le Blanc, Katya

AU - Loo, Sin

AU - Macwan, Richard

AU - Mahanes, Joseph

AU - Martin, Maurice

AU - McFly, Shane

AU - McJunkin, Timothy

AU - Meng, Jakob

AU - Morris, Matt

AU - Ohrt, Andrew

AU - Pattison, Waylon

AU - Robinson, Jessica

AU - Rucinski, Daniel

AU - Sachs, Marc

AU - Shannon, Greg

AU - Smith, Jeremy

AU - Venkataramanan, Venkatesh

AU - Waligoske, Emily

AU - Welch, Justin

AU - Williams, Gareth

AU - Wilsterman, Zane

AU - Wright, Virginia

PY - 2023

Y1 - 2023

N2 - This Implementation Guide describes the principles of Cyber-Informed Engineering (CIE) and outlines questions that engineering teams should consider during each phase of a system's lifecycle to effectively employ these principles. It describes what it means to engineer systems in a cyber-informed way, rather than offering a comprehensive, step-by-step process or procedure for CIE implementation. This guide complements - but does not replace - the application of cybersecurity standards or practices currently in place within an organization. Engineers and technicians that design critical energy infrastructure installations can use this Implementation Guide to integrate the 12 principles of CIE into each phase of the engineering lifecycle, from concept to retirement. The guide is aimed at system or design engineers, rather than software engineers or operational cybersecurity practitioners. The engineers who design, build, operate, and maintain the physical infrastructure are best positioned to leverage a system's engineering design to diminish the severity of cyber attacks or digital technology failures. CIE expands cybersecurity decisions into the engineering space, not by asking engineers to become cyber experts, but by calling on engineers to apply engineering tools and make engineering decisions that improve cybersecurity outcomes. CIE examines the engineering consequences that a sophisticated cyber attacker could achieve and drives engineering changes that may provide deterministic mitigations to limit or eliminate those consequences.

AB - This Implementation Guide describes the principles of Cyber-Informed Engineering (CIE) and outlines questions that engineering teams should consider during each phase of a system's lifecycle to effectively employ these principles. It describes what it means to engineer systems in a cyber-informed way, rather than offering a comprehensive, step-by-step process or procedure for CIE implementation. This guide complements - but does not replace - the application of cybersecurity standards or practices currently in place within an organization. Engineers and technicians that design critical energy infrastructure installations can use this Implementation Guide to integrate the 12 principles of CIE into each phase of the engineering lifecycle, from concept to retirement. The guide is aimed at system or design engineers, rather than software engineers or operational cybersecurity practitioners. The engineers who design, build, operate, and maintain the physical infrastructure are best positioned to leverage a system's engineering design to diminish the severity of cyber attacks or digital technology failures. CIE expands cybersecurity decisions into the engineering space, not by asking engineers to become cyber experts, but by calling on engineers to apply engineering tools and make engineering decisions that improve cybersecurity outcomes. CIE examines the engineering consequences that a sophisticated cyber attacker could achieve and drives engineering changes that may provide deterministic mitigations to limit or eliminate those consequences.

KW - cyber informed engineering

KW - cyber resilience

KW - cybersecurity

KW - cybersecurity culture

KW - security by design

KW - systems engineering

U2 - 10.2172/2004921

DO - 10.2172/2004921

M3 - Technical Report

ER -

Cyber Informed Engineering Implementation Guide: Version 1.0: U.S. Department of Energy (DOE), Office of Cybersecurity, Energy Security, and Emergency Response (CESER)

Abstract

NREL Publication Number

Other Report Number

Keywords

Access to Document

Fingerprint

Cite this