However, the field of cyber engineering, and Engineers Australia’s Cyber Engineering Community of Practice, is about moving beyond the headlines and instilling a permanent and powerful knowledge of cyber best-practice in all engineers. The Community of Practice is supported by the Cyber Engineering Working Group, which includes engineers and other people from a range of disciplines and sectors.
“That’s important, because the earlier you bring cyber security into a project, the better,” says Bruce Large MIEAust, Operational Technology Cyber Security Team Leader at Powerlink Queensland and incoming Chair of the Queensland branch of EA’s Information, Telecommunications and Electronics Engineering (ITEE) College.
“Part of this is about making decisions about what you’re not going to do and what you are going to do. If you make decisions without the right participants or without the right knowledge, you might have to rework. That means a hit to time, cost and quality.
“The more you can put security into the business process rather than only into the technology, the better. For engineering projects, it’s about knowing the context of the engineering requirements and the security requirements and trading off the opportunities with the risks.”
There are IT components within engineered systems, Large says. Often, the engineers don’t understand the IT complexities, and the IT professionals don’t understand the engineering requirements.
It’s time to develop a common language for a better outcome, he says.
“That’s where things like the Cyber Engineering Community of Practice are very powerful,” Large says. “When you run cyber risk assessments, having the right people in the room now means having an engineer in the room.”
Large suggests the Purdue model of enterprise reference architecture as a good planning tool. The model considers the physical requirements of a build, as well as the roles of intelligent devices, control systems, manufacturing operations systems and business logistics systems.
What do engineers need to know?
If there’s one thing all engineers should have an understanding of for better cyber results, it’s threat modelling, Large says.
“This is about understanding the system you’re building in terms of who wants to attack it, how you’re going to secure it and how you’re going to have the ability to regularly check that it’s secure,” he says.
Shireane McKinnie HonFIEAust, a member of the ITEE College Board and Chair of the Cyber Engineering Working Group, agrees with the essential nature of knowledge around threat modelling. And it is essential – in the 2020-21 financial year alone, she says, the Australian Cyber Security Centre received over 67,500 cybercrime reports, representing estimated losses of more than $33 billion.
McKinnie believes engineers are perfectly placed to know how assets connect with each other.
“You need to take a whole-of-life approach and a whole-of-systems approach,” she says. “You have to know where your system sits and how and where it’s interconnected with other systems.”
“When people don’t have a strong understanding of all of their assets and how those assets connect to each other, they can’t understand their exposure to potential attacks.”
That essential knowledge even comes down to realising the security implications of supply chain and procurement decisions.
“When I was with Defence, we had an issue with counterfeit parts,” McKinnie says. “If parts were counterfeit, we couldn’t be certain of the level of reliability. We were working on counter-IED devices, so we needed absolute precision around how they were going to operate. Similarly, in a cyber context, the vulnerability to attack arising from supply chains needs to be understood and mitigated.”
A simple way to understand the level of knowledge an engineer requires around cyber security, McKinnie says, is to consider it as no different to the way engineers look at safety.
“All engineers are aware of safety issues in terms of design, operation, maintenance, etc.,” she says.
“Cyber is the same. If there are any digital technologies involved – a civil engineer, for example, creates smart buildings with digital control systems that can be disrupted to make the building unusable – the engineer needs to factor in cyber threats and risks.”