At the S4x25 conference, one of the sessions highlighted the transformative role of Cyber Informed Engineering (CIE) in enhancing the resilience of water and wastewater infrastructure. Andrew Ohrt, resilience practice area lead at West Yost, shared insights drawn from years of practical experience, underscoring lessons learned, effective strategies, and case studies that illustrate the impact of CIE on critical infrastructure.
Understanding the role of CIE
The session began by framing CIE within the context of national strategies. CIE aims to embed cybersecurity principles directly into the engineering processes governing critical infrastructure systems. This approach ensures that cybersecurity considerations are integrated from the ground up, influencing design, operations, and organizational practices.
Key components of CIE include:
- Consequence-Focused Design: Prioritizing engineering decisions that mitigate the most severe potential impacts of cyber incidents.
- Engineered Controls: Designing physical and digital safeguards that reduce vulnerabilities and limit the consequences of cyberattacks.
- Active Defense Tactics: Combining traditional operational awareness with advanced monitoring technologies to detect and respond to threats in real time.
Lessons from the Field: Practical Case Studies
- Water Treatment Plant Incident:
  - A critical case involved a water treatment plant where an automated valve closure led to a significant water hammer event, causing pipeline displacement. This incident highlighted the need for engineering solutions that prevent such mechanical failures, regardless of whether they stem from operational errors or cyber manipulations.
  - The solution involved reengineering the valve control system to ensure it could not close too rapidly, effectively eliminating a cyber risk through a simple mechanical adjustment.
- SCADA Cloud Control Implementation:
  - In another project, a client insisted on moving SCADA operations to the cloud despite initial resistance from cybersecurity consultants. By applying CIE principles, the team designed safeguards that included physical interlocks preventing unsafe operations even if the cloud system was compromised. This collaboration resulted in enhanced security, operational efficiency, and a model for integrating cloud technologies securely.
- Long-Term CIE Integration:
  - A large water utility undertook a multi-year effort to embed CIE into its engineering culture. Through iterative design reviews and the development of comprehensive design guidelines, the utility institutionalized CIE practices, ensuring that future infrastructure projects inherently incorporate cybersecurity considerations.
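The valve and cloud SCADA cases above both rest on a floor that no command can override. The sketch below is an added example, not material from the session: it derives a minimum valve stroke time from the Joukowsky surge relation and applies it to any requested closure, whatever its source. The pipeline figures are constructed, all names are hypothetical, and the slow-closure scaling is a first-order estimate rather than a transient analysis.

```python
import math
from dataclasses import dataclass

G = 9.81  # gravitational acceleration, m/s^2

@dataclass(frozen=True)
class Pipeline:
    length_m: float       # valve to upstream reservoir
    wave_speed_ms: float  # pressure-wave speed in the pipe
    velocity_ms: float    # steady flow velocity before closure
    static_head_m: float  # normal operating head at the valve
    rated_head_m: float   # maximum head the pipe class tolerates

def critical_period_s(p: Pipeline) -> float:
    """Wave round trip 2L/a; closing faster than this gives the full surge."""
    return 2.0 * p.length_m / p.wave_speed_ms

def surge_head_m(p: Pipeline, stroke_s: float) -> float:
    """Joukowsky surge a*v/g for rapid closure, scaled by Tc/t when slower."""
    full = p.wave_speed_ms * p.velocity_ms / G
    tc = critical_period_s(p)
    return full if stroke_s <= tc else full * tc / stroke_s

def min_stroke_time_s(p: Pipeline) -> float:
    """Shortest stroke time that keeps static + surge head within the rating."""
    margin = p.rated_head_m - p.static_head_m
    if margin <= 0:
        raise ValueError("pipe rating leaves no surge margin")
    full = surge_head_m(p, 0.0)
    return 0.0 if full <= margin else critical_period_s(p) * full / margin

def enforce_stroke_time(p: Pipeline, requested_s: float) -> float:
    """Local floor applied to every close command (operator, script or
    cloud SCADA): malformed or too-fast requests fall back to the floor."""
    floor = min_stroke_time_s(p)
    if math.isnan(requested_s) or requested_s < floor:
        return floor
    return requested_s

# Constructed sample pipeline, not data from the session.
SAMPLE = Pipeline(length_m=1200.0, wave_speed_ms=1000.0, velocity_ms=1.5,
                  static_head_m=50.0, rated_head_m=100.0)

if __name__ == "__main__":
    for req in (1.0, 5.0, 20.0):
        applied = enforce_stroke_time(SAMPLE, req)
        peak = SAMPLE.static_head_m + surge_head_m(SAMPLE, applied)
        print(f"requested {req:5.1f} s -> applied {applied:5.2f} s, peak {peak:6.1f} m")
```

In the case described, the floor was realised as a mechanical adjustment; the same number is what a design review would check the actuator or orifice sizing against.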
Challenges and strategies in implementing CIE
Ohrt addressed common barriers to adopting CIE, including:
- Cultural Resistance: Engineers traditionally focused on physical safety and reliability may be skeptical of cybersecurity’s relevance. The speaker emphasized the importance of framing cybersecurity as an extension of traditional engineering priorities like safety and resilience.
- Information Sensitivity: Public utilities often face challenges in protecting sensitive information due to transparency requirements. Strategies to mitigate this include controlling the dissemination of detailed technical specifications and enhancing awareness of information security among procurement staff.
Role of leadership and organizational commitment
Leadership buy-in was identified as a critical factor for successful CIE implementation. The concept of a “mission commander” role within projects was introduced, emphasizing the need for a dedicated leader to champion CIE initiatives, coordinate cross-disciplinary teams, and maintain focus on cybersecurity objectives throughout project lifecycles.
CIE principles: A closer look
The presentation broke down the 12 CIE principles into two categories:
- Design and Operations Principles: Focused on technical aspects like consequence-focused design, engineered controls, and secure information architecture.
- Organizational Principles: Addressing governance, risk management, and the integration of cybersecurity into organizational culture and processes.
Each principle is supported by key questions derived from the CIE Implementation Guide, designed to prompt critical thinking and guide the application of CIE across various stages of infrastructure projects.
Looking ahead: The future of CIE in the water sector
The session concluded with a forward-looking perspective, highlighting emerging trends and initiatives:
- Integration with Funding Processes: The Idaho Department of Environmental Quality’s initiative to incentivize CIE through grant application scoring was cited as a model for encouraging widespread adoption.
- Resource Development: The upcoming publication of “CIE for the Water Sector” by the American Water Works Association was announced, promising to provide comprehensive guidance tailored to the unique challenges of water infrastructure.
Final Reflections
The speaker’s closing remarks emphasized that CIE is not just a technical framework but a shift in mindset. By redefining how we approach the intersection of cybersecurity and engineering, CIE empowers organizations to build infrastructure that is not only functional and safe but resilient against the evolving threat landscape.
The session resonated with attendees, many of whom acknowledged the growing recognition of cybersecurity as an integral part of critical infrastructure defense. The message was clear: by embracing CIE, the water sector can safeguard its systems, protect public health, and ensure the continuity of essential services in the face of current and future cyber threats.