Engineering of ICT and Security
The engineering aspects describe “how” ICT and cyber resilience capabilities can be implemented by proper conceptualisation and execution of IT and OT projects as well as through incremental engineering improvements during a project’s operating lifecycle. It delves into systems engineering and systems security engineering in IT, OT and IIoT systems. It also delves into cyber resiliency engineering, an emerging specialty system engineering discipline to develop survivable, trustworthy secure systems.
The audience for this chapter includes:
- Business Heads, CIOs, CTOs, CISOs and their respective teams within CSEs.
- Sectoral Regulators, who are mandated to oversee/ regulate the cybersecurity related issues of their regulated entities.
- Consultancy organisations, System Integrators, OEMs and MSPs/ MSSPs engaged by the CSEs.
- Empaneled bodies, who carry out cyber security verification & validation (V&V), VAPT and technical audit of systems and networks of CSEs.
- Lower levels of management, who are responsible for project execution and maintenance of systems in the operations phase.
- Project design and implementation teams, who conceptualise, design and implement the ICT and cyber security elements for protection of their IT, OT and IIoT systems.
- Engineering support teams, who support the operations teams during the use of ICT, OT and IIoT.
An engineering lifecycle approach is essential for successful delivery of business and technology systems. Readers may refer to relevant material included in the standards section of this document.
Engineering requires knowledge of the concepts and technologies related to the use of IT and information security. The resources section provides links to well-known public documents.
Systems Engineering
It is globally recognised that large and complex IT and OT systems need to be engineered and secured using a life cycle approach. The design and engineering teams are expected to apply the knowledge, concepts and principles from the international body of work on systems engineering. Those publications cover the principles and processes of systems engineering and systems security engineering, connecting the governance, program management, technology (systems) and operations layers within enterprises.
Systems and software engineering lays the groundwork for a disciplined and organised approach towards building reliable, trustworthy secure systems. It is a collection of system life cycle technical and nontechnical processes with associated activities and tasks. The technical processes apply engineering analysis and design principles to deliver a system with the capability to satisfy stakeholder requirements and critical quality properties. The nontechnical processes provide engineering management of all aspects of the engineering project, agreements between parties involved in the engineering project, and project-enabling support to facilitate execution of the engineering project.
Systems Security Engineering
The systems security engineering discipline is applicable at each stage of the system life cycle and provides security considerations towards the engineering of systems. The system security engineering processes are designed to address cybersecurity aspects in IT, OT and IS projects. These processes are typically carried out by design and engineering teams during the project implementation phase, and by field engineering teams during the operations phase.
Systems security engineering ensures that stakeholder protection requirements, and security issues associated with the system are accurately recognized and addressed in all systems engineering tasks throughout the system life cycle.
An organisation adopting a systems security engineering lifecycle approach will be able to incorporate security by design and engineering during all the lifecycle stages of IT and OT systems, right from conceptualisation to design, procurement, installation, commissioning, acceptance, operations, and retirement.
Cyber Resiliency Engineering
Cyber resiliency engineering is an evolving specialised discipline within system engineering, employed together with systems security engineering and resilience engineering to develop systems that are secure, dependable, and capable of withstanding threats. It is predicated on the assumption that adversaries will breach defences and establish a long-term presence in organisational systems. Hence, the focus should be on assuring the continuity of mission or business functions and reducing the risk posed by potentially compromised cyber resources.
Guidance on Systems and Security Engineering
Currently, implementing cybersecurity in large and complex systems is generally a bolt-on activity. The conventional VAPT carried out prior to acceptance of systems happens shortly before the system is put into production. At this stage, time pressure typically limits how thoroughly the robustness of the system's security can be tested.
The systems security engineering approach must be incorporated in every stage of the system life cycle, covering both business systems and technology systems. This will ensure that the security architecture is of high quality and is based on the rigour with which the fundamental security design principles have been applied throughout the system lifecycle.
The following aspects must be considered while acquiring any new software/ application:
- complete cybersecurity life cycle support for the software system.
- applying the principles of Dev-Sec-Ops in the custom development of software applications.
- mechanisms for software enhancements and bug-fixing activities to avoid adverse impact of software weaknesses and vulnerabilities.
- skillsets required (in-house or through support services) for secure operations of the acquired system.
- carrying out VAPT and removing/ patching all vulnerabilities before any system goes live.
- accountability of OEMs and suppliers to follow the Information Security Engineering Lifecycle approach in the manufacturing/ assembly/ development of their products.
- non-acceptance of products/ solutions which have not followed the system security and cyber resiliency engineering best practices in the product development and in providing maintenance support services.
Senior management, business heads, operations and support teams must develop in-house expertise or hire experts to help adopt the systems security engineering lifecycle approach within their enterprise projects, starting with securing their CII.