Abstract

On 19th May, the Engineering Council launched a new document ‘Guidance on Security for Engineers and Technicians’. The event hosted at The House of Commons by the Rt Hon John Hayes MP, Minister for Security, was attended by over 100 people from across the engineering profession. Speakers included Terry Morgan, CBE, CEng, FREng, Chairman of Crossrail, and the Head of the Centre for the Protection of National Infrastructure (CPNI). The document, developed jointly by the Professional Engineering Institutions and the CPNI, provides guidance for engineers and technicians on their role in dealing with security and their associated responsibilities to help keep society safe.
Security is already referred to both explicitly and implicitly in several Engineering Council documents including the UK Standard for Professional Engineering Competence (UK-SPEC), the Information and Communications Technology Technician (ICTTech) Standard and within the learning outcomes for accredited degrees and approved qualifications and apprenticeships. This new document seeks to provide specific guidance on an increasingly important aspect.
Security can be defined as ‘The state of relative freedom from threat or harm caused by deliberate, unwanted, hostile or malicious acts’. It operates on a number of levels ranging from national security issues to countering crime. It includes preserving the value, longevity and ongoing operation and function of an enterprise’s assets, whether tangible or intangible, and the handling of privacy issues such as the protection of personally identifiable information.
This guidance sets out six key principles (listed below) to guide engineers and technicians in identifying, assessing, managing and communicating issues about security. The principles emphasise the importance of taking a security-minded approach to both professional and personal life, being aware of and proactive in our approach to matters of security, taking responsibility for all security related issues and generally being security minded:
Adopt a security-minded approach to your professional and personal life;
Apply responsible judgement and take a leadership role;
Comply with legislation and codes, understand their intent and seek further improvements;
Ensure good security-minded communications;
Understand, comply and seek to improve lasting systems for security governance;
Contribute to public and professional awareness of security.
The behaviour of people is central to any engineering enterprise and the security of its operations, products and services. Assets can be compromised by individuals through lack of knowledge, carelessness, complacency and deliberate non-compliance. Therefore, in addition to physical, technological and process aspects, security must necessarily involve consideration of people and their potential behaviour, both in their professional duties and when sharing information, including when using social media. Development of a security-minded culture has many similarities with that of an effective safety culture, a key difference being in responding to hostile or malicious acts often associated with security issues.
Appropriate and proportionate security should be an integral part of the design and operation of an asset and embodied in its whole lifecycle. Systems for security governance should be effective and lasting but must also recognise that threats and vulnerabilities change and evolve over time. Good security can enable business benefits and competitive advantage by protecting key assets and services and engendering trust.
By following the six principles within this guidance document, engineers and technicians should be able to:
Reduce the vulnerabilities in assets, systems or operations;
Provide early warning of potential threats;
Reduce opportunities for unauthorised or gratuitous access to information to plan hostile acts and/or the compromising of design and intellectual property;
Explain and manage security risks in an appropriate and proportionate manner;
Minimise the potential impact of security breaches or failures on their work, clients, services and the supply chain;
Improve the resilience, reliability, effectiveness and trustworthiness of their product, process or service;
Enable economic and societal benefits to be realised securely.
Among the key messages for measurement and control professionals are recommendations to develop:
Awareness of the impact of data aggregation, both through accumulation and association, including the use of disparate sources of data;
Recognition of the persistent nature and accessibility of information published on the Internet or otherwise made publicly available;
Recognition that indiscriminate publication of project, technical or personal information can aid reconnaissance and enable security breaches through social media;
Awareness of the use of social engineering to manipulate individuals to give up confidential information.
Of particular interest to measurement and control professionals, the CPNI has also developed a specific suite of good practice guidance for the ‘Security of Industrial Control Systems (SICS)’. This good practice guidance is potentially applicable to all industrial control systems, including distributed control system (DCS), supervisory control and data acquisition (SCADA) or programmable logic controller (PLC)-based systems, and in particular to any control of major accident hazards (COMAH) site operations. This is available at http://www.cpni.gov.uk/advice/cyber/Security-for-Industrial-Control-Systems/
The Guidance on Security for Engineers and Technicians is now available to download from www.engc.org.uk/security. In addition, the Engineering Council has produced handy wallet-sized cards for engineers and technicians, listing the six principles. These can be obtained by contacting
(Copyright note: some of the text in this article has been drawn directly from the Engineering Council Guidance on Security, and this source is acknowledged.)
