Security BSides Las Vegas 2025

Engineering Cyber Resilience for the Water Sector
2025-08-05, Pearl

What Engineers Need to Know About Cyber and Why (and are not getting this in school).
This workshop uses a case study of a hypothetical engineering project to support discussion and application of the principles for Cyber-Informed Engineering (CIE) throughout the workshop. The scenario draws from a selection of real-world case studies, is fictional, and is crafted to support the application of CIE principles. Workshop participants get a workbook to structure their journey, capture insights and lessons learned, and provide a useful takeaway item that can further conversations after the event.
This is a hands-on workshop filled with exercises to develop understanding of the principles of Cyber-Informed Engineering. This training event is designed for anyone who is interested in learning a methodology for designing out cyber risk before a system is placed into operation.


This training session emerges from the Idaho National Laboratory Cyber-Informed Engineering project, a Department of Energy supported effort to improve system resilience and risk reduction through design efforts that include cyber risks alongside the other hazards considered in engineering. Previous versions of this course have been conducted for local industry groups using different specific engineering problems. This class is a product of those experiences. The diversity of the BSidesLV attendee base will make this class much more engaging than one delivered to an industry-specific audience.

Cyber-Informed Engineering (CIE) offers an opportunity to “engineer out” some cyber risk across the entire system lifecycle, starting from the earliest possible phases of conceptual design, requirements development, and system design, which are the optimal times to introduce mitigations against cyber risk. CIE is an emerging method to integrate cybersecurity risk considerations into the conception, design, development, and operation of any physical system that has digital connectivity, monitoring, or control. CIE uses design decisions and engineering controls to mitigate or even eliminate avenues for cyber-enabled attacks or reduce the consequences when an attack occurs. In the same way that engineers design systems for safety, engineers informed by CIE use similar methods to prevent or lessen the impact of a cyber-attack. CIE also allows the engineers to inform the approaches used by specialized Information Technology (IT) and Operational Technology (OT) cybersecurity experts, so that cybersecurity mitigations align to the most critical consequences identified by the engineers.

What are the 12 principles of CIE?
1. Consequence-Focused Design
2. Engineered Controls
3. Secure Information Architecture
4. Design Simplification
5. Layered Defenses
6. Active Defense
7. Interdependency Evaluation
8. Digital Asset Awareness
9. Cyber-Secure Supply Chain Controls
10. Planned Resilience
11. Engineering Information Control
12. Organizational Culture

The purpose of the training is to help people understand how to use these principles during engineering design to design out many sources of cyber risk. The hands-on workshop engages participants in a journey that helps improve their skills in designing out issues that would later potentially affect cyber risk.

The session begins with a presentation of the principles of Cyber-Informed Engineering, with an initiating question to prompt thoughts and actions for each principle. The scenario used to facilitate discussion is then presented, providing a template against which the principles can be addressed. The exercise then moves through the 12 principles, each of which is given an overview by one of the facilitators. Small-group exercise tasks follow, designed to facilitate the operationalization of each principle. The facilitators help the groups advance their discussion and learning. The training exercise concludes with a lessons-learned discussion.

References:
U.S. Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Cyber Informed Engineering Implementation Guide. Version 1.0, August 7, 2023. https://www.osti.gov/biblio/1995796.
Cyber-Informed Engineering Workbook: CIE Hands-On Training. Technical Report, May 29, 2024. https://www.osti.gov/biblio/2371031.


Dr. Kitty is a Professor Emeritus at the University of Houston and a joint appointee at Idaho National Laboratory. He is an internationally recognized expert in cybersecurity for operational technology (OT) systems and critical infrastructures. He is also recognized as a national leader in the development of educational programs in industrial control systems cybersecurity.
Taught 20 different classes (5 undergraduate, 15 graduate classes) over 19 years.
Published 6 books on cybersecurity.
Speaker at numerous conferences including regional BSides, DefCon ICS Village, Hack the Capital, RSAC (twice).

Virginia “Ginger” Wright is the program manager for Cyber-Informed Engineering (CIE) at the Idaho National Laboratory (INL). She leads INL’s implementation of the National Strategy for Cyber-Informed Engineering developed by the Department of Energy. Ms. Wright has led multiple cyber research programs at INL including DOE-CESER’s Cyber Testing for Resilient Industrial Control Systems (CyTRICS™) program, Software Bills of Material for the Energy Sector, critical infrastructure modeling and simulation, and nuclear cybersecurity. Ms. Wright has a Bachelor of Science in Information Systems/Operations Management from the University of North Carolina at Greensboro.
