Enhancing Cyber Safety for National Critical Infrastructure

While recent cyber incidents affecting data and software disrupted the lives of Americans, national headlines also have carried stark warnings about foreign hackers positioning cyber “bombs” in American infrastructure to wreak havoc on our economy and cause harm to citizens and communities – a real threat to our physical safety.

Cyber attackers now are working to sabotage the smart technologies in essential services, including power, water, communications, trade, and transportation systems in our cities and communities. The private sector owners of these systems do not have the threat awareness, expertise, or resources to combat sophisticated attacks.

We have reached an unprecedented level of risk to the built environment and our way of life from cyber threats. Attacks on critical infrastructure sectors (water, grid, ports, hospitals, and transportation systems) have been broadly documented, and the threat landscape — fueled by the use of AI — expands each day. The unique risk to the built environment poses a direct threat to the lives, safety, and health of the general public. Within minutes, smart buildings and infrastructure can be rendered unsafe for occupancy or use, forcing evacuations and other protective steps, and recovery may take weeks or months.

The global engineering community must act now to establish standards of care and to offer owners cyber risk mitigation principles in each project. We also must proactively address emerging liability issues associated with the risk and safety designed into connected technologies that may affect life, safety, and health in an asset. A specific “standard of care” for cyber safety would formalize the responsibilities and principles required to perform “reasonable care” and establish the “level of skill and diligence those engaged in the same profession would ordinarily exercise under similar circumstances.”

This includes:

  1. possessing the required degree of learning, skills, and experience that is ordinarily possessed by similarly situated professionals in the community
  2. using reasonable and ordinary care and diligence in the exercise of skills to accomplish a professional task
  3. using good professional judgment in performing professional tasks

Of the four potential sources for the applicable standard of care: 1) the agreement between the parties to a project; 2) legislative standards (e.g., statutes, building codes, ordinances); 3) standards specified by an executive authority (such as a professional governing body or administrative agency); and 4) standards developed by courts, we propose to develop a standard for adoption by a professional governing authority.

The panel will outline the following outcomes and propose a plan for the National Institute of Building Sciences and other professional associations to develop formal guidance.

  1. Adoption of a cyber safety “standard of care” and pertinent professional licensing requirement
  2. A common education curriculum requirement for a 4-year undergraduate cyber security engineering degree
  3. Updated NCEES Principles and Practice of Engineering Examination CONTROL SYSTEMS CBT Specifications incorporating cyber safety standards of care for network and control system engineering
  4. A list of engineering applications and best practices for the engineering community to enhance cyber safety

Learning Objectives:

  • Discuss essential cyber safety concepts and effectively communicate them in cybersecurity discussions
  • Recognize the importance of establishing frameworks and standards for a standard of care for cyber safety in buildings and infrastructure
  • Apply recommended cybersecurity practices in the context of a human safety culture to mitigate risk to life, safety, and health
  • Foster productive collaboration with IT and cybersecurity experts to fortify buildings and infrastructure against cyber threats

Time: 02:35 PM - 03:40 PM
Date: 20 May 2025

Speaker

Lucian Niemeyer
CEO, Building Cyber Security