Cyber security is no longer the responsibility of the IT professional – it must be engineered into a project from the start. There’s a growing belief that every engineer should have some cyber security expertise.
When she was taking advice on Cyber Security curriculum development from experienced Australian Defence Department staff who were part of her advisory committee, Professor Jill Slay AM was handed a challenge. Defence felt cyber security should become an engineering discipline.
All of the standards around cyber security had previously been defined through an applied computing or information systems lens. But Defence saw the challenge as a greater one, as an issue that could be at least partially resolved by combining physical and digital domains.
“I had previously not thought about cyber security as an engineering discipline,” Slay, now SmartSat Cooperative Research Centre Professorial Chair in Cyber Security, at UniSA, says.
“I did a lot of research around the topic and realised people define cyber security and resilience depending on their disciplinary perspective. So for the aerospace engineer, they’re looking at security and resilience from a structural viewpoint, etc. This helped me understand that there are a lot of different engineering perspectives on security and cyber security. That’s the path I’ve been going down, ever since.”
Slay has since led the development of a Master of Telecommunications and Cyber Engineering degree, as well as a research group that includes an electrical engineer, telecoms engineer, several systems engineers and numerous PhD students.
“This all crosses various disciplines to create what I’m calling cyber engineering,” she says.
At the same time, Engineers Australia has developed the Cyber Engineering Community of Practice, a forum for engineers working in cyber-related roles to come together to share ideas, develop skills and network with fellow cyber engineers.
The Cyber Engineering Community of Practice is headed up by Major General Marcus Thompson AM FIEAust CPEng EngExec, one of Slay’s past PhD students and ex Head Information Warfare for the Australian Defence Force.
“Cyber is … relevant to every discipline of engineering,” Thompson says.
“There are engineers … contributing to the cyber resilience of industry, government and, indeed, the nation. This new Community of Practice is an opportunity for not only engineers working in those roles, but anyone interested in learning or sharing cyber related information, to come together.”
Not just a headline
When a major cyber incident occurs, such as the recent Optus cyber attack, headlines draw attention to cyber security failings.
Slay, who worked as Optus Chair of Cybersecurity at La Trobe University for two years, says claimed details of the breach “appears as a mistake of inexperience in connecting a production network to a test network but not checking on all aspects of how to secure this.”
However, the field of cyber engineering, and Engineers Australia’s Cyber Engineering Community of Practice, is about moving beyond the headlines and instilling a permanent and powerful knowledge of cyber best-practice in all engineers. The Community of Practice is supported by the Cyber Engineering Working Group, which includes engineers and other people from a range of disciplines and sectors.
“That’s important, because the earlier you bring cyber security into a project, the better,” says Bruce Large MIEAust, Operational Technology Cyber Security Team Leader at Powerlink Queensland and incoming Chair of the of the Queensland branch of EA’s Information, Telecommunications and Electronics Engineering (ITEE) College.
“Part of this is about making decisions about what you’re not going to do and what you are going to do. If you make decisions without the right participants or without the right knowledge, you might have to rework. That means a hit to time, cost and quality.
“The more you can put security into the business process rather than only into the technology, the better. For engineering projects, it’s about knowing the context of the engineering requirements and the security requirements and trading off the opportunities with the risks.”
There are IT components within engineered systems, Large says. Often, the engineers don’t understand the IT complexities, and the IT professionals don’t understand the engineering requirements.
It’s time to develop a common language for a better outcome, he says.
“That’s where things like the Cyber Engineering Community of Practice are very powerful,” Large says. “When you run cyber risk assessments, having the right people in the room now means having an engineer in the room.”
Large suggests the Purdue model of enterprise reference architecture as a good planning tool. The model considers the physical requirements of a build, as well as the roles of intelligent devices, control systems, manufacturing operations systems and business logistics systems.
What do engineers need to know?
If there’s one thing all engineers should have an understanding of for better cyber results, it’s threat modelling, Large says.
“This is about understanding the system you’re building in terms of who wants to attack it, how you’re going to secure it and how you’re going to have the ability to regularly check that it’s secure,” he says.
Shireane McKinnie HonFIEAust, a member of the ITEE College Board and Chair of the Cyber Engineering Working Group, agrees with the essential nature of knowledge around threat modelling. And it is essential – in the 2020-21 financial year alone, she says, the Australian Cyber Security Centre received over 67,500 cybercrime reports, representing estimated losses of more than $33 billion.
McKinnie believes engineers are perfectly placed to know how assets connect with each other.
“You need to take a whole-of-life approach and a whole-of-systems approach,” she says. “You have to know where your system sits and how and where it’s interconnected with other systems.”
“When people don’t have a strong understanding of all of their assets and how those assets connect to each other, they can’t understand their exposure to potential attacks.”
That essential knowledge even comes down to realising the security implications of supply chain and procurement decisions.
“When I was with Defence, we had an issue with counterfeit parts,” McKinnie says. “If parts were counterfeit, we couldn’t be certain of the level of reliability. We were working on counter-IED devices, so we needed absolute precision around how they were going to operate. Similarly, in a cyber context, the vulnerability to attack arising from supply chains needs to be understood and mitigated.”
A simple way to understand the level of knowledge an engineer requires around cyber security, McKinnie says, is to consider it as no different to the way engineers look at safety.
“All engineers are aware of safety issues in terms of design, operation, maintenance, etc.,” she says.
“Cyber is the same. If there are any digital technologies involved – a civil engineer, for example, creates smart buildings with digital control systems that can be disrupted to make the building unusable – the engineer needs to factor in cyber threats and risks.”