**4. Cyber-informed engineering**

Digital technology will be increasingly used in both existing and future nuclear reactors. While DI&C enables improved operations and new capabilities, the cyber risks must be understood, and risk treatments and protections must be put in place to lower the risk from both malicious and unintentional actions. Significant strides have been made in securing ICT systems, but these ICT-based solutions are not always effective for OT systems, which are often designed to perform a limited set of functions and therefore have limited processing, memory, storage, and retrieval capabilities and use proprietary communication protocols. Additionally, cyber risk mitigations have historically been applied after DI&C systems are installed, which limits the range of risk treatments available. Applying the concepts of CIE throughout the entire systems engineering lifecycle, by contrast, can reduce overall cyber risk.

Engineers, operators, maintenance personnel, and other technical staff who support the systems engineering process are critical to the design, implementation, and secure operation of complex control systems. Nevertheless, these staff often lack the knowledge, skills, and abilities needed to effectively address and mitigate cyber risk. Given the critical functions of DI&C in nuclear reactors, this gap must be filled. For this reason, the Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response is developing a national strategy for CIE to fundamentally change the culture of the engineering discipline so that cybersecurity is considered a fundamental design principle.
