{"id":2170,"date":"2025-03-19T14:01:38","date_gmt":"2025-03-19T19:01:38","guid":{"rendered":"https:\/\/dda.ndus.edu\/ddreview\/?p=2170"},"modified":"2025-04-09T13:36:42","modified_gmt":"2025-04-09T18:36:42","slug":"a-new-approach-to-ot-cybersecurity","status":"publish","type":"post","link":"https:\/\/dda.ndus.edu\/ddreview\/a-new-approach-to-ot-cybersecurity\/","title":{"rendered":"A New Approach to OT Cybersecurity"},"content":{"rendered":"\n<p>Cyberattacks on critical industrial infrastructure, such as power plants, pipelines and refineries, risk more than the loss of trade secrets, contract negotiations and employee data. Worst-case attacks risk long-term damage to equipment, casualties at industrial sites and even impacts on the environment and public safety. The most serious attacks target operational technology (OT) systems\u2014the computers that automate and control our industrial infrastructure\u2019s large, powerful physical processes.<\/p>\n\n\n\n<p>A big problem for defenders of such systems is that any change to a safety-critical system, even an upgrade to its cybersecurity protections, takes a long time because of the testing required. Every change to a safety-critical or reliability-critical system risks introducing errors or omissions that impair operations. Practically, this means owners and operators of this kind of infrastructure must look some distance into the future to anticipate threats: today\u2019s defenses must be capable enough to address both today\u2019s threats and the threats that will emerge before there is any opportunity to design, test and deploy the next security upgrade.<\/p>\n\n\n\n<p>The changing threat environment complicates OT defenses: More powerful attack tools and techniques continue to be invented and deployed against both IT and OT targets by everyone from politically motivated hacktivists to ransomware criminal groups and nation-state sponsored intelligence agencies and militaries. 
Cyberattacks that most organizations could dismiss a decade ago as not credible, because they were only remotely possible, have now actually happened. We\u2019ve seen them.<\/p>\n\n\n\n<p>Defenders of systems that pose potential threats to public safety and to national infrastructure and security have professional, ethical and often legal obligations to deploy reasonable defenses: defenses able to defeat, with a high degree of confidence, all credible threats of unacceptable consequences.<\/p>\n\n\n\n<p>In this article, we explore the state of the practice: the evolving threat environment, how our understanding of cyber defenses for OT systems is evolving, and the latest innovation in robust OT cybersecurity, the Cyber-Informed Engineering initiative at the Idaho National Laboratory.<\/p>\n\n\n\n<h2><strong><em><span class=\"has-inline-color has-luminous-vivid-amber-color\">Credible Threats &amp; Consequences<\/span><\/em><\/strong><\/h2>\n\n\n\n<p>In the last five years, we\u2019ve seen a deteriorating threat environment physically impacting industrial control systems and critical infrastructure operations around the globe.<a href=\"#_edn1\">[1]<\/a> Before 2019, incidents causing production delays, plant shutdowns, equipment damage or worse occurred at most once or twice per year. In the last two years we\u2019ve seen almost 150 such incidents in the public record. Eighty-five percent of the attacks in the last five years were perpetrated by criminal ransomware groups. Nearly all the rest were perpetrated by politically motivated hacktivists and by nation-state militaries and intelligence agencies.<\/p>\n\n\n\n<p>Politically or militarily motivated attacks are growing in number and severity, with 250 percent growth over the last three years and the discovery of three new OT-specific malware strains in 2024 alone. 
Also, credible evidence has emerged that hacktivists and nation-state actors are sharing malware and tactics, techniques and procedures (TTPs).<a href=\"#_edn2\">[2]<\/a><\/p>\n\n\n\n<div class=\"wp-block-media-text alignwide is-stacked-on-mobile\"><figure class=\"wp-block-media-text__media\"><img loading=\"lazy\" width=\"685\" height=\"1024\" src=\"https:\/\/dda.ndus.edu\/ddreview\/wp-content\/uploads\/sites\/18\/2025\/03\/front-cover-Ginter-copy-1-685x1024.jpg\" alt=\"\" class=\"wp-image-2174 size-full\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<h2><strong><em><span class=\"has-inline-color has-luminous-vivid-amber-color\">An Evolving Understanding<\/span><\/em><\/strong><\/h2>\n\n\n\n<p>To address cyberthreats to critical infrastructures and other industrial operations, the first generation of cybersecurity standards and guidance, issued shortly after the 9\/11 attacks, was based on advice from IT experts. This made sense at the time: enterprise security teams had been dealing with cybersecurity threats for many years and were, therefore, the logical experts to contribute to the task of securing OT systems. The key principle underlying this generation of advice is that, in computer systems, information is almost always the key asset we must protect. And so, IT experts advised engineering teams and other OT security practitioners to protect their information: the confidentiality, integrity and availability of the information in their industrial automation systems.<\/p>\n\n\n\n<p>This confused a great many practitioners. Once engineering teams gained some experience with cyberattacks and defenses, engineers developed second-generation advice, recognizing that, yes, in some cases there is valuable information in OT systems that must be protected from cyberespionage. In most cases, however, it is the physical process itself that is the key asset deserving of protection from cyber-sabotage: the dams, generators, pipes, pumps and distillation towers of our critical infrastructures.<\/p>\n\n\n\n<p>The primary goal for most OT cybersecurity programs is not to protect information, but rather to assure safe, reliable and efficient operation of the physical process and to prevent damage to physical equipment\u2014damage serious enough to cripple the process for months rather than hours.<\/p>\n\n\n\n<p>The key difference between preventing espionage and preventing sabotage concerns the role of information. 
An industrial automation system can change from a normal mode of operation to a compromised or sabotaged mode only if cyber-sabotage attack information somehow enters and impairs the system. All cyber-sabotage attacks involve information, and all information flows are potential attack vectors. Whereas IT cybersecurity is focused on protecting information, OT cybersecurity programs must focus on protecting physical infrastructure <em>from information<\/em>, more precisely from cyberattack information that might be embedded in other information flows.<\/p>\n<\/div><\/div>\n\n\n\n<h2><strong><em><span class=\"has-inline-color has-luminous-vivid-amber-color\">Cyber-Informed Engineering<\/span><\/em><\/strong><\/h2>\n\n\n\n<p>Today, a third generation of insight and advice is emerging, led by the Cyber-Informed Engineering<a href=\"#_edn3\">[3]<\/a> (CIE) initiative funded by the U.S. Department of Energy and carried out by researchers at Idaho National Laboratory. Informally, cyber-informed engineering positions OT security as \u2018a coin with two sides.\u2019 One side of the coin is IT-style cybersecurity: teaching engineering teams about cyberattacks, about cybersecurity tools and mitigations, and about the intrinsic limitations of each of those tools and mitigations. The other side of the coin is engineering: teaching enterprise security teams about powerful engineering tools that can address all threats to physical operations.<\/p>\n\n\n\n<p>The nature of these engineering tools depends on the industry and on the physical process in question. For example, if you were a technician responsible for a half-dozen catalytic crackers in a large refinery\u2014massive vessels full of hot, high-pressure hydrocarbons\u2014you would work most of every day within the kill radius of a worst-case cracker explosion. 
If one of these devices explodes, you will most likely perish.<\/p>\n\n\n\n<p>Given that, how would you prefer to be protected from a cyberattack that overheats the furnaces under your crackers, over-pressurizes the crackers and causes them all to explode? Would you prefer a mechanical overpressure relief valve, one that is forced open by the pressure itself when the hot hydrocarbons in the cracker exceed a set limit and that vents them harmlessly to a flare stack? Or would you prefer a longer password on the computer controlling the furnace?<\/p>\n\n\n\n<p>Most people answer that they would prefer the mechanical relief valve. After all, the valve has no CPU and is thus in a real sense \u201cunhackable\u201d in a cyberattack. Experts respond that not only would they want the unhackable mechanical relief valve, they would want four such valves, because these mechanisms do wear out through metal fatigue and corrosion. Experts would want at least one of the valves to work to save their lives. <em>And<\/em> they would want a longer password. <em>And<\/em> they would want an absolute \u201cboatload\u201d of other IT-style cybersecurity protections, because, after all, their lives are on the line.<\/p>\n\n\n\n<p>The experts\u2019 answer is correct and is supported by cyber-informed engineering. Every coin has two sides, but when we spend a coin we don\u2019t choose which side to spend; we always spend the whole coin.<\/p>\n\n\n\n<p>More specifically, cyber-informed engineering is an umbrella term for a body of knowledge that includes cyber-relevant aspects of safety engineering, protection engineering, automation engineering and network engineering, as well as OT-relevant aspects of cybersecurity, including all six functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Govern, Identify, Protect, Detect, Respond and Recover. 
Cyber-informed engineering includes engineering tools that were neglected in the first two generations of cybersecurity advice, in addition to key elements of the engineering perspective on risk management.<\/p>\n\n\n\n<p>Cyber-informed engineering also reflects how engineering teams deal with physical risk. For example, when safety engineers look at a refinery or pipeline, the first question they ask is not, \u201cWhat are the most frequent, least-consequential incidents we see every day?\u201d The first question they ask is, \u201cWhat are the \u2018big fish,\u2019 the truly unacceptable outcomes that we must prevent at all costs?\u201d<\/p>\n\n\n\n<p>Similarly, for cyber protection of industrial processes, cyber-informed engineering encourages us to address these questions:<\/p>\n\n\n\n<ol type=\"1\"><li>What are the very worst consequences that can possibly be caused by mis-operating the physical process, and are those consequences acceptable?<\/li><li>If they are not acceptable, are there credible cyberthreats that could bring about those consequences?<\/li><li>And if so, what are reasonable measures to deploy to defeat those threats and attacks with a high degree of confidence?<\/li><\/ol>\n\n\n\n<p>This is the same style of analysis engineering teams carry out routinely to prevent casualties, disasters, equipment damage and costly downtime due to fires, floods, hurricanes, earthquakes and other physical threats. Cyberthreats are unusual in this analysis primarily because of how quickly the threats are changing. 
While safety and equipment protection analyses tend to be fairly static over the life of an installation, cyberthreats demand regular reassessment, and they demand protections with a large margin for any errors made in assessing the risk.<\/p>\n\n\n\n<h2><strong><em><span class=\"has-inline-color has-luminous-vivid-amber-color\">Innovation Needed<\/span><\/em><\/strong><\/h2>\n\n\n\n<p>A common criticism of the emerging cyber-informed engineering body of knowledge is that many of the key engineering mitigations, such as overpressure relief valves and centrifugal overspeed governors, are old. Most of these mechanisms have been replaced by digital Safety Instrumented Systems (SIS) over the last decade or two, because the digital systems are both cheaper and more reliable than the electromechanical safeties they replace. Yes, SIS are software, and yes, all non-trivial software has defects and vulnerabilities that attackers might exploit, so digital safeties are intrinsically more vulnerable to cyberattacks than electromechanical safeties. But going back to less reliable and more expensive electromechanical tools does not seem like progress.<\/p>\n\n\n\n<p>The criticism is valid. What cyber-informed engineering teaches us, however, is to ask different questions. The question, \u201cHow can I use IT-grade cybersecurity designs to achieve engineering-grade protections?\u201d has no answer. 
The question cyber-informed engineering asks instead is, \u201cWell, if you don\u2019t like existing engineering-grade protections, how can you make modest changes to the design of your system to address the risk another way?\u201d<\/p>\n\n\n\n<h2><strong><em><span class=\"has-inline-color has-luminous-vivid-amber-color\">Innovation in Action<\/span><\/em><\/strong><\/h2>\n\n\n\n<p>For example, consider rooftop solar inverters, which convert direct current (DC) coming from solar panels into alternating current (AC) that is compatible with household needs and with the grid at large. The inverters carry out a number of functions, several of them safety-critical, including:<\/p>\n\n\n\n<ul><li>converting DC to AC power;<\/li><li>converting the power from panel voltage to grid voltage;<\/li><li>detecting when the utility grid has lost power, so that the inverter stops feeding power into that section of the grid (so-called \u201canti-islanding\u201d protection), since repair workers might be touching it;<\/li><li>detecting overheating of the inverter and then shutting off the flow of power before a fire can start.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"1024\" height=\"452\" src=\"https:\/\/dda.ndus.edu\/ddreview\/wp-content\/uploads\/sites\/18\/2025\/03\/Circuit-Boards-1024x452.png\" alt=\"\" class=\"wp-image-2177\" \/><\/figure><\/div>\n\n\n\n<p>In the latest generation of inverters, all these functions are carried out in silicon on a circuit board under the direction of software. There are no longer any analog transformers or other electromechanical components in the devices. This design lets manufacturers produce a single inverter model that can be configured in software and certified for use in many countries, each with different grid voltages and frequencies.<\/p>\n\n\n\n<p>This flexibility introduces cyber-risk, however, since these modern devices have built-in Wi-Fi and Bluetooth connections to the internet, to cell phones, and to other devices and systems. This is a lot of software, with inevitable defects and vulnerabilities, and this software is exposed to network connectivity and even to interactions with the open internet. The inverters are therefore very much at risk of being compromised in a cyberattack.<\/p>\n\n\n\n<p>A compromised inverter risks mis-operating the safety-critical functions of the device, either at the attackers\u2019 bidding or indirectly, because the attackers do not understand the device they are manipulating. For example, a compromised device can be configured in software to send the wrong voltage into the grid. 
This can overheat the device dramatically. A compromised device may also have its over-temperature shutdown function impaired. If the device is mis-operated and becomes much too hot, it simply bursts into flames and risks burning down the building on which it is mounted.<\/p>\n\n\n\n<p>The solution here is not to return to analog transformers, electromechanical over-temperature relays and other \u201cold\u201d technologies. The solution is innovation, for example, by adding another CPU to the inverter. Put the Wi-Fi, Bluetooth and other network-exposed functions on a separate \u201cexposed\u201d and, to a large degree, expendable CPU. Design the circuit board so that this CPU is the only one exposed to attacks from wireless networks and the internet, and so that this CPU is electrically unable to send any signal to any of the safety-critical devices. Put the safety-critical software on the second \u201csafety\u201d CPU, the only CPU able to interact with the safety-critical hardware.<\/p>\n\n\n\n<p>And finally, put an extremely limited communications interface between the two CPUs. Do not pass messages between the CPUs: message-passing protocols need parsers, and parsers can be confused by malformed input into propagating a compromise from the exposed CPU into the safety CPU. This is called \u201cpivoting\u201d a cyberattack: our enemies use a compromised computer (the exposed CPU) to attack connected computers (the safety CPU). Design the interface between the two CPUs to be so simple and deterministic, for example a handful of bounded values that the safety CPU reads and range-checks, that attack pivoting is not a credible threat to the device, not with today\u2019s attacks nor with any imaginable future cyberattacks.<\/p>\n\n\n\n<p>In this new design, what is the worst that can happen if the Wi-Fi\/internet-exposed CPU is compromised? The inverter might stop reporting how much power it is feeding the grid, or it might not respond to islanding orders from the grid. All these consequences are acceptable. 
The grid has other ways to measure power flows and grid stability\u2014reports from inverters are not reliability-critical. And even if the inverter does not receive an islanding order from the grid, because that exposed communication function has been impaired, the inverter\u2019s hardware is still able to detect islanding conditions in the local grid, and the safety CPU can still respond to such conditions by stopping the flow of power from the solar panels.<\/p>\n\n\n\n<p>The cost of the solution? The circuit-board design and the software in the inverter both need modest changes, and the circuit board needs a second CPU, which need not be a high-powered application processor like the one in your latest cell phone. Instead, this is a cheap embedded CPU able to carry out very simple, very important safety decision-making. With safety systems, simpler is better. Leave the complexity in the existing internet-exposed CPU.<\/p>\n\n\n\n<h2><strong><em><span class=\"has-inline-color has-luminous-vivid-amber-color\">Consequence Boundaries<\/span><\/em><\/strong><\/h2>\n\n\n\n<p>The solar inverter design is one example of a new field of knowledge. Emerging as part of cyber-informed engineering is a collection of network-engineering techniques to deterministically prevent cyberattacks from pivoting across consequence boundaries. A consequence boundary is a connection between two computers, or between two networks of computers, whose worst-case consequences of compromise differ materially. The classic example of such a boundary is the so-called \u201cIT\/OT interface\u201d\u2014the connection between an IT network that automates business functions, such as purchasing or work-crew scheduling, and an OT network that automates and operates a physical process, such as a pipeline or power plant.<\/p>\n\n\n\n<p>For example, what is the worst consequence a business suffers if a cyberattack compromises an IT network? 
Often, the worst case is that detailed information about thousands of employees is stolen, and the business needs to buy identity theft insurance for those employees at a cost of several million dollars per year. Such a loss is undesirable, but it is not likely to put most organizations out of business: it is an undesirable but acceptable loss.<\/p>\n\n\n\n<p>On the other hand, what is the worst consequence a business suffers if a cyberattack compromises an OT network? Several examples:<\/p>\n\n\n\n<ul><li>The worst-case mis-operation of a petrochemical pipeline can lead to a hydraulic hammer, a pressure wave that travels at the speed of sound in the fluid and risks rupturing the pipeline.<\/li><li>The worst-case mis-operation of a high-speed metro switching system risks trains colliding at rush hour, with hundreds of casualties.<\/li><li>The worst-case mis-operation of a steam turbine in a large power plant risks the turbine shaking itself to pieces. The plant would then be unable to produce power for the nine to 12 months it takes to replace the turbine, at a cost of several hundred million dollars.<\/li><\/ul>\n\n\n\n<p>In short, the IT\/OT interface very often connects IT networks with acceptable worst-case consequences of compromise to OT networks with unacceptable worst-case consequences.<\/p>\n\n\n\n<p>For example, the Colonial Pipeline incident in 2021 shut down the nation\u2019s largest gasoline pipeline for six days. A ransomware criminal group crippled part of the company\u2019s IT network, and Colonial shut down the pipeline \u201cin an abundance of caution.\u201d Colonial\u2019s management was not confident in the security of the OT network, given the nature of the attack impairing the IT network. 
They were not willing to risk the malware propagating from the IT network to OT automation, where it might cause a hydraulic hammer, a pipeline rupture or other dangerous conditions.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"1024\" height=\"479\" src=\"https:\/\/dda.ndus.edu\/ddreview\/wp-content\/uploads\/sites\/18\/2025\/03\/Networks-1024x479.png\" alt=\"\" class=\"wp-image-2176\" \/><\/figure><\/div>\n\n\n\n<h2><strong><em><span class=\"has-inline-color has-luminous-vivid-amber-color\">Deterministic Defenses<\/span><\/em><\/strong><\/h2>\n\n\n\n<p>A firewall is the most common security mechanism deployed between two networks. Firewalls, however, are not network engineering, because they are not deterministic. 
While firewalls prevent some kinds of cyberattacks from propagating from one network to another, firewalls cannot prevent all such attacks from propagating. After all, how many IT networks were compromised by ransomware last year? While there is no universally accepted count, the number is certainly in the thousands and possibly tens of thousands. In the majority of these cases, the cyberattack came from the internet and passed through the organization\u2019s internet-facing firewall, in traffic the firewall was configured to permit, to compromise the victim\u2019s IT network and systems.<\/p>\n\n\n\n<p>The solar inverter design is an example of intra-system network engineering. The most common example of network engineering at the IT\/OT interface is unidirectional gateway technology.<a href=\"#_edn4\">[4]<\/a> A unidirectional gateway is a combination of hardware and software: the gateway\u2019s hardware is physically able to send information in only one direction, generally from the OT network to the IT network, and the software replicates servers and emulates devices on the IT side, making OT data easily available to IT users and systems.<\/p>\n\n\n\n<p>A unidirectional gateway permits useful data to move from OT networks into IT networks, where that data can be used to make the business more efficient. Crucially, the gateway is physically unable to propagate cyber-sabotage attack information, or any information at all, back into OT networks. Today, unidirectional gateway technology is widely used as deterministic protection at the IT\/OT interface in the nation\u2019s largest power plants, and it is used increasingly in petrochemical pipelines, refineries, passenger metros and the largest water treatment systems.<\/p>\n\n\n\n<h2><strong><em><span class=\"has-inline-color has-luminous-vivid-amber-color\">The Right Questions<\/span><\/em><\/strong><\/h2>\n\n\n\n<p>Cybersecurity on IT networks is often seen as a game of one-upmanship. 
Every year, the attackers get a little better at what they do, which means the defenders also need to improve. Sometimes IT defenses fail, and victim organizations suffer millions of dollars in losses. The total of these losses across all businesses is significant: billions of dollars per year lost to ransomware alone. Generally speaking, though, these losses are more or less acceptable to individual victims, in that very few victim organizations go out of business as a result of ransomware attacks.<\/p>\n\n\n\n<p>In the physical world, worst-case consequences\u2014worker casualties, threats to public safety and crippled critical infrastructures\u2014can be truly unacceptable. Such losses currently do not happen routinely and must not be permitted to start happening routinely, despite worsening trends in sophisticated cyberattacks targeting critical infrastructures.<\/p>\n\n\n\n<p>Cyber-informed engineering is a third-generation approach to the OT security problem, having much in common with how safety and protection engineers look at protecting human life, the environment and long-lead-time equipment.<\/p>\n\n\n\n<p>Cyber-informed engineering does not currently have, and may never have, all the answers we need, but fundamentally it asks the right questions. Unlike IT defenses, cyber-informed engineering does not ask, \u201cHow can I make my security system a little more effective, so that I might have a little more time to detect and hopefully defeat cyberattacks with unacceptable consequences?\u201d \u201cHope\u201d is not what we expect of design engineers. 
Cyber-informed engineering asks, \u201cHow can I design cost-effective, deterministic defenses that will prevent cyberattacks with truly unacceptable consequences with a very high degree of confidence, no matter how sophisticated such attacks become in the foreseeable future?\u201d<\/p>\n\n\n\n<p>While no defense is, or ever can be, perfect, we can dramatically increase the effectiveness of cyber defenses for our most dangerous and most important industrial processes and critical industrial infrastructures with cyber-informed engineering. Yes, cyber-informed engineering is new and is still a work in progress. Yes, we need innovation, especially in the field of network engineering, both to produce new designs, such as in the solar inverter example, and to deploy much more widely many existing approaches such as unidirectional gateway technology. But as the solar inverter example shows, modern cost-effective solutions can be invented for these needs. Engineering teams are certainly able to innovate and invent powerful solutions, but only if they are asked the right questions. Cyber-informed engineering, for the first time, asks the right questions. \u25c9<\/p>\n\n\n\n<p><strong>For a free copy of Andrew Ginter\u2019s book, <em>Engineering-Grade OT Security: A manager\u2019s guide,<\/em> you may contact Waterfall Security at: <a href=\"https:\/\/waterfall-security.com\/engineering-grade-ot-security\">https:\/\/waterfall-security.com\/engineering-grade-ot-security<\/a>.<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2>REFERENCES<\/h2>\n\n\n\n<p id=\"_edn1\">[1] R. Machtemes, G. Hale, M. Walhof, A. Ginter and R. Clayton. 
\u201c2025 OT Cyber Threat Report: Cyber Attacks with Physical Consequences,\u201d Waterfall Security, March 2025.<\/p>\n\n\n\n<p id=\"_edn2\">[2] Office of the Director of National Intelligence, \u201cAnnual Threat Assessment of the U.S. Intelligence Community,\u201d 2023. <a href=\"https:\/\/www.dni.gov\/files\/ODNI\/documents\/assessments\/ATA-2023-Unclassified-Report.pdf\">https:\/\/www.dni.gov\/files\/ODNI\/documents\/assessments\/ATA-2023-Unclassified-Report.pdf<\/a><\/p>\n\n\n\n<p id=\"_edn3\">[3] Idaho National Laboratory, Cyber-Informed Engineering. <a href=\"https:\/\/inl.gov\/national-security\/cie\/\">https:\/\/inl.gov\/national-security\/cie\/<\/a><\/p>\n\n\n\n<p id=\"_edn4\">[4] National Institute of Standards and Technology, SP 800-82 Rev. 3, \u201cGuide to Operational Technology (OT) Security,\u201d 2023. <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/82\/r3\/final\">https:\/\/csrc.nist.gov\/pubs\/sp\/800\/82\/r3\/final<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cyberattacks on critical industrial infrastructure, such as power plants, pipelines and refineries, risk more than the loss of trade secrets, contract negotiations and employee data. Worst-case attacks risk long-term damage [&hellip;]<\/p>\n","protected":false},"author":127,"featured_media":2180,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[20,1002,204,1],"tags":[1046,1032,1043,126,1041,1049,1035,1037,1042,1047,1048,1039,1034,1033,1040,1031,1044,1036,1038,1045],"_links":{"self":[{"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/posts\/2170"}],"collection":[{"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/users\/127"}],"replies":[{"embeddable":true,"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/comments?post=2170"}],"version-history":[{"count":7,"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/posts\/2170\/revisions"}],"predecessor-version":[{"id":2239,"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/posts\/2170\/revisions\/2239"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\
/wp\/v2\/media\/2180"}],"wp:attachment":[{"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/media?parent=2170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/categories?post=2170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dda.ndus.edu\/ddreview\/wp-json\/wp\/v2\/tags?post=2170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
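The two-CPU inverter design in the "Innovation in Action" section of the article above describes the safety CPU's side of the interface only in words. The C program below is an added illustration, not code from the article and not any inverter vendor's firmware: it models the safety CPU's control cycle with the interface reduced to a fixed-size register block of two bounded integers (a requested output ceiling and a stop flag, each stored alongside its bitwise complement), so that there is no message format for the safety CPU to parse. The 240 V / 60 Hz nominal values, the trip windows, the 85 C thermal limit, the field names and the helper functions are all assumptions made for this example. The design rule it demonstrates is that local measurements alone decide whether the power stage runs, and that the block written by the exposed CPU can only push the inverter toward the safe state; a garbled or out-of-range block is treated as if nothing had been received.

```c
/* Safety-CPU control cycle for a two-CPU solar inverter.
 * Added illustration: every numeric limit, the register layout and the
 * helper names are assumptions for this example, not from any product. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The entire interface from the exposed (network-facing) CPU to the safety
 * CPU: a fixed-size block of two bounded fields, each stored with its
 * bitwise complement. No message types, lengths or strings: nothing to parse. */
typedef struct {
    uint8_t curtail_pct;    /* requested output ceiling, 0..100 */
    uint8_t stop_request;   /* 0 or 1 */
    uint8_t curtail_pct_n;  /* ~curtail_pct: catches a torn or garbled write */
    uint8_t stop_request_n; /* ~stop_request */
} exposed_regs_t;

/* Measurements the safety CPU takes with its own sensors. */
typedef struct {
    int grid_volts;   /* RMS volts at the point of connection */
    int grid_millihz; /* grid frequency in millihertz */
    int heatsink_c;   /* power-stage heatsink temperature, degrees C */
} local_meas_t;

/* Assumed single-phase 240 V / 60 Hz operating window and thermal limit. */
#define V_MIN     211
#define V_MAX     264
#define F_MIN_MHZ 59300
#define F_MAX_MHZ 60500
#define T_TRIP_C  85

/* Result of one cycle: output ceiling in percent, or -1 = power stage gated off. */
typedef struct { int power_pct; const char *reason; } safety_out_t;

/* A block is honoured only if every field is internally consistent and in range. */
static bool regs_valid(const exposed_regs_t *r)
{
    return r != NULL
        && (uint8_t)~r->curtail_pct == r->curtail_pct_n
        && (uint8_t)~r->stop_request == r->stop_request_n
        && r->curtail_pct <= 100
        && r->stop_request <= 1;
}

/* One control cycle. Local measurements alone decide whether the power stage
 * may run. The exposed CPU's block is advisory and acts only in the safe
 * direction: it can lower the ceiling or request a stop, never raise a limit
 * or re-enable output. An invalid block is treated as if none was received. */
safety_out_t safety_step(const local_meas_t *m, const exposed_regs_t *r)
{
    if (m->heatsink_c >= T_TRIP_C)
        return (safety_out_t){ -1, "over-temperature trip" };
    if (m->grid_volts < V_MIN || m->grid_volts > V_MAX ||
        m->grid_millihz < F_MIN_MHZ || m->grid_millihz > F_MAX_MHZ)
        return (safety_out_t){ -1, "grid outside window: anti-islanding trip" };
    if (regs_valid(r)) {
        if (r->stop_request)
            return (safety_out_t){ -1, "stop requested by exposed CPU" };
        if (r->curtail_pct < 100)
            return (safety_out_t){ r->curtail_pct, "curtailed by exposed CPU" };
    }
    return (safety_out_t){ 100, "normal" };
}

/* Build a block the way the exposed CPU would. corrupt != 0 breaks one
 * complement, as a bad write or a tampering attacker might. */
exposed_regs_t regs_make(uint8_t curtail_pct, uint8_t stop, int corrupt)
{
    exposed_regs_t r = { curtail_pct, stop, (uint8_t)~curtail_pct, (uint8_t)~stop };
    if (corrupt) r.curtail_pct_n ^= 0x01;
    return r;
}

/* Convenience wrapper: applied ceiling, or -1 when gated off.
 * curtail < 0 means no block was received from the exposed CPU at all. */
int safety_limit(int volts, int millihz, int temp_c, int curtail, int stop, int corrupt)
{
    local_meas_t m = { volts, millihz, temp_c };
    if (curtail < 0)
        return safety_step(&m, NULL).power_pct;
    exposed_regs_t r = regs_make((uint8_t)curtail, (uint8_t)stop, corrupt);
    return safety_step(&m, &r).power_pct;
}

int main(void)
{
    local_meas_t healthy = { 240, 60000, 40 }, islanded = { 0, 60000, 40 };
    exposed_regs_t ok = regs_make(50, 0, 0), bad = regs_make(50, 0, 1);
    safety_out_t o;
    o = safety_step(&healthy, &ok);  printf("%4d  %s\n", o.power_pct, o.reason);
    o = safety_step(&healthy, &bad); printf("%4d  %s\n", o.power_pct, o.reason);
    o = safety_step(&islanded, &ok); printf("%4d  %s\n", o.power_pct, o.reason);
    return 0;
}
```

The complement check catches a torn or corrupted write, not a deliberate one; what keeps a compromised exposed CPU from doing harm is that nothing it can write is ever interpreted as more than "lower the ceiling" or "stop". The electrical isolation the article describes, with the exposed CPU unable to drive any safety-critical signal, is a board-level property that this software cannot provide on its own.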
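The unidirectional gateway described under "Deterministic Defenses" in the article above replicates OT servers across a link that physically cannot carry anything back. The C program below is an added illustration, not any vendor's gateway software and not code from the article: it shows the software consequence of having no return channel. Because the receiver can never acknowledge a frame or ask for a retransmission, the sender numbers each record, protects it with a CRC and sends it several times; the receiver drops corrupt frames, discards repeats of records it has already applied, and counts sequence gaps so that operators can see when a record was lost despite the repeats. The frame layout, the repeat policy, the CRC-16/CCITT-FALSE choice and the drop and corrupt masks used to simulate the wire are assumptions for this example, and the replicated records are constructed inline.

```c
/* One-way replication link: sender and receiver with no return channel.
 * Added illustration: frame layout, repeat policy and CRC choice are
 * assumptions for this example, not any vendor's gateway protocol. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 64

/* Wire frame: fixed header, bounded payload, integrity check. */
typedef struct {
    uint32_t seq;                 /* strictly increasing per record */
    uint16_t len;                 /* payload bytes in use, <= PAYLOAD_MAX */
    uint16_t crc;                 /* CRC-16/CCITT-FALSE over seq, len, payload */
    uint8_t  payload[PAYLOAD_MAX];
} gw_frame_t;

/* Receiver state. With no return path the receiver can only record what it
 * saw; it can never acknowledge a frame or ask for one again. */
typedef struct {
    uint32_t last_seq;
    int delivered, duplicates, corrupt, gaps;
} gw_rx_t;

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final xor. */
uint16_t crc16_ccitt(const uint8_t *data, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)(data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* CRC over the big-endian header and the used payload bytes.
 * Callers must already have checked len <= PAYLOAD_MAX. */
static uint16_t frame_crc(const gw_frame_t *f)
{
    uint8_t buf[6 + PAYLOAD_MAX];
    buf[0] = (uint8_t)(f->seq >> 24); buf[1] = (uint8_t)(f->seq >> 16);
    buf[2] = (uint8_t)(f->seq >> 8);  buf[3] = (uint8_t)f->seq;
    buf[4] = (uint8_t)(f->len >> 8);  buf[5] = (uint8_t)f->len;
    memcpy(buf + 6, f->payload, f->len);
    return crc16_ccitt(buf, 6u + f->len);
}

/* Sender side: wrap one record. Returns false if it does not fit. */
bool gw_tx_build(gw_frame_t *f, uint32_t seq, const uint8_t *data, size_t n)
{
    if (n > PAYLOAD_MAX) return false;
    memset(f, 0, sizeof *f);
    f->seq = seq;
    f->len = (uint16_t)n;
    memcpy(f->payload, data, n);
    f->crc = frame_crc(f);
    return true;
}

/* Receiver side: returns true if the record is new and intact and should be
 * applied to the IT-side replica. Everything else is dropped and counted. */
bool gw_rx_accept(gw_rx_t *st, const gw_frame_t *f)
{
    if (f->len > PAYLOAD_MAX || frame_crc(f) != f->crc) { st->corrupt++; return false; }
    if (f->seq <= st->last_seq) { st->duplicates++; return false; }   /* a repeat */
    if (f->seq > st->last_seq + 1)                                      /* lost despite repeats */
        st->gaps += (int)(f->seq - st->last_seq - 1);
    st->last_seq = f->seq;
    st->delivered++;
    return true;
}

/* Simulate n_records constructed records, each sent `repeats` times over a
 * lossy one-way wire. Bit i of drop_mask drops transmitted frame i; bit i of
 * corrupt_mask flips a payload byte of frame i (32 frames at most). */
gw_rx_t gw_simulate(int n_records, int repeats, uint32_t drop_mask, uint32_t corrupt_mask)
{
    gw_rx_t rx = { 0, 0, 0, 0, 0 };
    int idx = 0;
    for (int r = 0; r < n_records; r++) {
        char rec[32];
        int n = snprintf(rec, sizeof rec, "tank%d.level=%d", r, 100 + r); /* constructed sample */
        gw_frame_t f;
        gw_tx_build(&f, (uint32_t)r + 1, (const uint8_t *)rec, (size_t)n);
        for (int k = 0; k < repeats; k++, idx++) {
            gw_frame_t wire = f;                 /* the copy that crosses the wire */
            if (idx < 32 && ((drop_mask >> idx) & 1u)) continue;
            if (idx < 32 && ((corrupt_mask >> idx) & 1u)) wire.payload[0] ^= 0xFF;
            gw_rx_accept(&rx, &wire);
        }
    }
    return rx;
}

int main(void)
{
    /* frames 3..5 (every copy of record 2) dropped, frame 0 corrupted */
    gw_rx_t r = gw_simulate(3, 3, 0x38u, 0x1u);
    printf("delivered=%d duplicates=%d corrupt=%d gaps=%d\n",
           r.delivered, r.duplicates, r.corrupt, r.gaps);
    return 0;
}
```

The gap counter is the operational price of determinism: a one-way link trades retransmission for redundancy, so a replicated OT value can be late or missing on the IT side, and the replica must say so rather than silently present stale data. That is the acceptable-consequence side of the boundary; the OT side never sees a byte from the receiver.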