The Biden administration seeks to shift the approach of “let the buyer beware” to a security-by-design strategy for critical infrastructure software systems
A security-by-design strategy includes making software vendors liable for upholding a “duty of care” to consumers and designing software systems to “fail safely and recover quickly"
The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) is leading the national cyber-informed engineering initiative to improve cybersecurity protections for infrastructure systems
CESER and National Laboratories are working to educate engineers on designing systems that limit the impacts of cyberattacks and remove avenues for digital disruption or misuse
Cyber-informed engineering principles require the identification of critical functions and subsystems with the potential for catastrophic consequences if misused by adversaries
Cyber-informed engineering provides opportunities to protect systems more effectively than IT security alone can by using engineered controls
Cyber-informed engineering also calls for engineers to plan response approaches that allow the overall system to continue to function even when critical elements or features are knocked out of commission