To maintain the security of our institutions and infrastructure in an online world, engineers will need an entirely new way of thinking about the cyber landscape.
When the Australian Government released its new Cyber Security Strategy last year, it came with a clear warning of the increased risk of cyber attacks.
With an investment of $1.67 billion over 10 years, the strategy aims to defend a range of sectors, from healthcare to essential services and critical infrastructure, against cyber attack.
But rather than wrapping existing systems in layers of security, what if engineers could build cyber security into their design?
The threat of cyber security breaches should not be underestimated. Between 1 July 2019 and 30 June 2020, the Australian Cyber Security Centre (ACSC) responded to 2266 cyber security incidents, more than six per day on average, and received 59,806 cybercrime reports in that period.
It estimates that a four-week interruption to digital infrastructures resulting from a significant cyber incident would cost the economy $30 billion — around 1.5 per cent of the country’s GDP — and around 163,000 jobs.
Build it in
“This is why we need cyber engineers,” said Robert Di Pietro, Partner and Cyber Security Lead for Critical Infrastructure and Operational Technology at PwC and a member of Engineers Australia’s recently established Cyber Engineering Community of Practice.
“We need to be building cyber security into engineering design. We can’t just have cyber professionals come and bolt on cyber security at the end.”
Professor Jill Slay is SmartSat Professorial Chair in Cybersecurity at the University of South Australia and head of the Cybersecurity and Resilience Theme of the SmartSat Australian Co-operative Research Centre.
She said a fundamental challenge in the transition to a digital society is that while cyber criminals become more sophisticated, cyber security specialists are playing catch up.
“Instead of putting security into the design lifecycle and testing for the security, it’s often an add-on,” said Slay, who is also a member of Engineers Australia’s Cyber Engineering Community of Practice.
“The internet, for example, was never designed to be secure. It was designed to make the sharing of data easy. But when it was decided that we could use it for a profit or doing our banking, we’ve had to wrap layers and layers of security around it like an onion.”
Another approach is “security by obscurity”, where a system’s protection rests on attackers not knowing how it works, on the assumption that a design that is secret or complex enough can’t be cracked.
“It’s incredibly risky,” Slay said.
“We need a new kind of engineer for the new disciplines or professions that are arising. Just think about the defence industry and the government’s desire to have 20,000 more jobs in the space area, for just a start.”
What is cyber engineering?
Essentially, cyber engineering is about building cyber security into engineering designs right from the beginning.
“It’s really about bringing the engineering mindset to the technical problem of security and how to solve it,” said Maximillian Jeffries, an officer with the Australian Air Force working in cyber security and a member of Engineers Australia’s Cyber Engineering Community of Practice.
“An engineer’s method of approaching and solving problems is crucial to the successful design and operation of networks into the future.”
Slay said cyber security education has been lacking in Australia and needs to be built into engineering courses.
“Essentially, the principles of cyber security that we have been teaching have been more like applied computing — adding on the security through software after we’ve designed something,” she said.
“What we don’t teach in engineering, or in applied computer courses, is control system security. How do we secure all the electricity, water and gas infrastructure? Or even complex vehicles like fighter planes? You plug them into huge control systems and they’re very vulnerable through this, but we’ve never trained in that part of the security.”
Filling the education gap
This education gap looks set to change as cyber threats increase and security gains greater focus.
Slay, for example, is developing a draft cyber security curriculum for the University of South Australia and said it includes the “building blocks” of the discipline.
“[Engineers] have to understand systems — satellites, for instance, or the Internet of Things and other complex constructions,” she said.
“There will be some aspects of telecoms engineering, some aspects of systems engineering, but then it will add applied cyber security so that the engineer understands about cryptography and how to build it, or what is the impact of quantum computing on the security.”
A cyber security specialisation should also bring in aspects from other disciplines that engineers may not have considered, Slay said.
“This includes all the people issues around security, malware, insider attacks and things like that.”
Jeffries said any engineer with a “passion for knowledge” can learn to incorporate cyber security into designs.
“I don’t know of any direct cyber engineering undergraduate degrees right now, but most engineers with a passion for knowledge and a willingness to learn will be able to transition into a cyber security career,” he said.
“This can be done in a myriad of pathways, such as upskilling through various online courses.”
Di Pietro said that while there are opportunities to build cyber security into engineering courses, engineering companies should also be looking to upskill their workforce.
“I would rather start with an engineer and teach them cyber security than the other way around when it comes to the security of critical infrastructure,” he said.
“I just find that engineers have a great mindset to learn, and they’ve got a great understanding of not only the technology, but of process engineering and the lower-level aspects to whatever it is they’re building or designing or securing. And we find that engineers often love the challenge of learning a bit of cyber, on top of what they’re doing for their day job.”
Di Pietro believes there is a strong demand for engineers with a cyber skill set.
“Almost all engineering disciplines are trending towards greater adoption of technology,” he said.
“With that comes the need for increased awareness and knowledge around security in order to protect those systems and build in resilience.”
New thinking
Di Pietro stressed that cyber engineering requires a change in mindset.
“Engineers design things to be physically secure and to be resilient to things like extreme weather, but the cyber angle is different,” he said.
“Someone can be trying to cause harm from a thousand miles away.
“When we work with engineers and talk about how someone might want to manipulate a system, they often shake their head and ask, ‘Why would anyone want to do that? Why would someone change the telemetry on a system so you couldn’t know the real pressure on a valve?’”
While engineers understand operational technology systems very well, Di Pietro noted they haven’t had to think about their cyber security — and this needs to change.
“Now that we’ve got systems interconnected with other systems and networks, we can no longer rely on things being physically or geographically isolated, because they can be attacked by anyone, potentially anywhere, over a network,” he said.
“There’s a real shift in the mindset for a lot of organisations, and certainly a lot of engineers who I speak to are grappling with that very different type of threat.”
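Di Pietro’s valve example, as an added illustration that is not part of the original article: a constructed telemetry frame sent in the clear can be rewritten in transit and the receiver has no way to tell; the same frame carrying a per-device HMAC tag and a monotonically increasing sequence number, decided at design time, lets the receiver detect both tampering and replay, and a physical plausibility bound on how fast a pressure can change gives an engineering-level second check. The device id, key, frame layout and readings are made up for the example.

```python
import hashlib
import hmac
import struct

# Constructed example values: a per-device key that would be provisioned at
# manufacture or commissioning, and a hypothetical valve sensor id.
DEVICE_KEY = bytes.fromhex("6f5d3c2b1a0908f7e6d5c4b3a2918070" * 2)
DEVICE_ID = 7

# Frame body: device_id (u16), sequence counter (u32), pressure in kPa (f32)
HDR = struct.Struct(">HIf")
TAG_LEN = 16  # HMAC-SHA256 truncated to 128 bits


def encode_plain(device_id, seq, pressure_kpa):
    """Telemetry as it is too often designed: no integrity protection at all."""
    return HDR.pack(device_id, seq, pressure_kpa)


def decode_plain(frame):
    device_id, seq, pressure = HDR.unpack(frame[:HDR.size])
    return {"device_id": device_id, "seq": seq, "pressure_kpa": pressure}


def tamper(frame, new_pressure):
    """Attacker on the network path rewrites the pressure field, keeping
    everything else (including any trailing tag) untouched."""
    device_id, seq, _ = HDR.unpack(frame[:HDR.size])
    return HDR.pack(device_id, seq, new_pressure) + frame[HDR.size:]


def encode_auth(key, device_id, seq, pressure_kpa):
    """Telemetry with integrity built in: body || HMAC(key, body)."""
    body = HDR.pack(device_id, seq, pressure_kpa)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Receiver:
    """Controller side: verifies the tag, rejects replays, and flags
    physically implausible jumps between consecutive readings."""

    def __init__(self, key, max_step_kpa):
        self.key = key
        self.max_step_kpa = max_step_kpa
        self.last_seq = {}
        self.last_pressure = {}

    def accept(self, frame):
        if len(frame) != HDR.size + TAG_LEN:
            return "bad length", None
        body, tag = frame[:HDR.size], frame[HDR.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag checking leaks no timing signal.
        if not hmac.compare_digest(tag, expected):
            return "bad tag", None
        device_id, seq, pressure = HDR.unpack(body)
        # Monotonic counter: an old, genuinely signed frame cannot be replayed.
        if seq <= self.last_seq.get(device_id, -1):
            return "replay", None
        prev = self.last_pressure.get(device_id)
        status = "ok"
        # Plausibility bound from the process physics: a real valve cannot
        # change pressure faster than this, so raise an alarm rather than
        # silently trusting the value (the reading is still recorded).
        if prev is not None and abs(pressure - prev) > self.max_step_kpa:
            status = "alarm"
        self.last_seq[device_id] = seq
        self.last_pressure[device_id] = pressure
        return status, pressure


def demo():
    """Runs the scenario end to end; returns the receiver's verdicts."""
    plain = encode_plain(DEVICE_ID, 1, 100.0)
    silently_accepted = decode_plain(tamper(plain, 20.0))["pressure_kpa"]

    rx = Receiver(DEVICE_KEY, max_step_kpa=25.0)
    f1 = encode_auth(DEVICE_KEY, DEVICE_ID, 1, 100.0)
    verdicts = [
        rx.accept(f1),                      # ("ok", 100.0)
        rx.accept(tamper(f1, 20.0)),        # ("bad tag", None)
        rx.accept(f1),                      # ("replay", None)
        rx.accept(encode_auth(DEVICE_KEY, DEVICE_ID, 2, 112.5)),   # ("ok", 112.5)
        rx.accept(encode_auth(DEVICE_KEY, DEVICE_ID, 3, 250.0)),   # ("alarm", 250.0)
        rx.accept(encode_auth(b"\x00" * 32, DEVICE_ID, 4, 110.0)), # ("bad tag", None)
    ]
    return silently_accepted, verdicts


if __name__ == "__main__":
    accepted, verdicts = demo()
    print("plain frame, tampered value accepted as:", accepted)
    for v in verdicts:
        print(v)
```

The tag only helps if the key stays on the device and the controller; it does nothing against a compromised sensor or a stolen key, which is why the plausibility bound is worth having as an independent check even though it can only raise an alarm, not prove the value true.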
Sorry, but this is somewhat silly and shows a lack of understanding of where the issues come from. I have been working in security for more than 20 years and the majority of engineers I have worked with (not certified by a central body of engineers) want to do things more securely, but face budget and time pressures, with project managers deciding these things are not important.
Sure, providing more education and training so engineers understand all the potential vulnerabilities and threats that exist is a great idea, but it won’t change anything until cybersecurity is a key metric in project management deliverables and executives are held accountable for the failings that happen as a result of their decisions in this area.
” want to do things more security ” should be ” want to do things more securely “, damn autocorrect
I can only speak on behalf of a Defence Industry player here, but we are well down the path of integrating ‘cybersecurity’ as a specialist engineering discipline; analogous to system safety engineering. There is merit in considering a merger of sorts with the traditional ICT discipline as many of the training and skills required can be found there. So, either we up-skill engineers or contemplate an entirely new discipline that considers the strengths of both. Keen to get your thoughts?
Interesting piece Susan – there is still a lot of debate as to where the IoT cyber workforce comes from. Is it a matter of training up “blue collar” I/F manufacturing engineers in cyber, or cross-training “white collar” IT cyber analysts in industrial control and embedded system engineering? The debate continues.
In terms of cyber by design one of the leading groups looking at this is the Idaho Nat’l Laboratory (part of the US Dept of Energy) around Cyber-Informed Consequence-Driven Engineering (CCE) – https://inl.gov/critical-infrastructure-protection/#cybersecurity.