• Hand holding digital security interface with padlock and warning icons, holographic style, dark background. Concept of cybersecurity

    IEEE Computer magazine article on the need to bridge the gap between engineering and cybersecurity

    July 30, 2025
    The cultural divide between engineering and cybersecurity in critical infrastructure sectors

    The July 2025 issue of IEEE Computer magazine contains the article “Bridging the Gap Between Engineering and Cybersecurity to Better Protect Critical Infrastructures” by myself and James Bret Michael from the Naval Postgraduate School.

    The genesis of the article were two recent job postings. A mid-sized water utility seeking engineering positions and a large electric utility seeking operational technology (OT) security analysts. The two descriptions underline the distinction between “engineering” and “OT” – they are not the same.

    The engineering job description stated,

    “Assist with or lead providing electrical engineering and technical support to ensure reliable operation of the utility’s SCADA controlled facilities including RTUs, PLCs, programmable automation controllers, associated industrial communications, networking equipment and protective relaying equipment.”

    Get your subscription to Control's tri-weekly newsletter.

    Even though communications and networking were addressed, the term “security” was missing. The cybersecurity analyst job description stated:

    “The analyst would be part of a team consisting of skilled OT cybersecurity professionals to ensure the cybersecurity resilience and regulatory compliance of the utility’s industrial operational sites. The focus would be on identifying vulnerabilities and assessing risks to uphold and continuously improving the security posture of industrial control systems (ICS) and OT environments.”

    There was no mention of ensuring the control systems accomplished their functions in a safe and reliable manner or working with the engineering organizations. The education requirement was computer science not engineering.

    Summary

    The cultural conflict between cybersecurity and engineering originates from the cybersecurity and engineering disciplines often being taught in different schools within the same university (computer science and engineering). Many universities do not require an introductory engineering class for studying computer science or the engineering disciplines have a requirement to take an introduction cybersecurity class. This has led to teaching different technologies and goals without understanding what that means technically and operationally to the other.

    Often, it may not be possible to meet the potentially mutually exclusive goals from the two disciplines as both sides may not be aware of the other’s mutually exclusive needs. This must change as it creates a cultural gap starting at the university and propagating into the work force.

    About the Author

    Joe Weiss | Cybersecurity Contributor

    Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]

    Email

    Continue Reading