Secure-by-Design Part 1: Cyber-informed Engineering & Secure By Design for the Energy Industry

Cyber-Informed Engineering (CIE) and Secure by Design (SbD) are related concepts, but they have distinctive approaches and methodologies. Let's delve into these differences, and how they could impact an organization looking to implement these programs.

Cyber-Informed Engineering (CIE)

CIE is a risk-informed approach that is often utilized for protecting critical infrastructure, such as those found within the energy sector. This methodology places emphasis on understanding the potential cyber threats and their consequences, specifically focusing on the most severe cyber threats that could lead to physical damage or significant operational disruption.

Implementing CIE involves a deep understanding of system operations and the impacts of worst-case scenarios. It could lead to modifications of system design or operational practices to mitigate the risk of high-consequence events. So, when adopting CIE, an organization needs to be prepared for substantial involvement of engineering, operations, and cybersecurity teams to holistically examine the potential impacts and work to reduce the most consequential risks.

Secure by Design (SbD)

SbD, on the other hand, is a more comprehensive and proactive approach that involves integrating security principles into every stage of the system design and development process. Its main objective is to make systems inherently resistant to cyber threats from the outset, rather than adding security features after the system has been developed.

When implementing SbD, an organization needs to ensure security considerations are woven into the fabric of the design and development process. This can include everything from the initial conceptualization, system design, to coding practices and operational procedures. Adopting SbD may require changes to the organization's development culture and process and may need involvement from all teams - not just the cybersecurity team, but also the design, development, and operational teams.

Summary

While both CIE and SbD aim to enhance security, they do so from different angles:

CIE is more prominent in discussions of industrial control systems and critical infrastructure, while SbD is a broader concept applicable across software and system design in many industries.

CIE focuses on understanding and mitigating high-consequence cyber threats, making it particularly suitable for critical infrastructure protection.  SbD involves building security into every step of system design and development, creating an inherently secure system from the ground up. Both approaches can be beneficial, and the choice between them can depend on an organization's specific needs, existing systems, and the potential threats they face.

Operant Networks utilizes Security by Design to build fundamental cybersecurity into our next-generation communications platform.  By deploying Operant’s solution, our customers benefit from the reduced attack surface as part of their own Cyber-Informed Engineering efforts.