Closing the License Gap: Register Implementers of Software and Controls for Critical Systems
(ENR) All 50 states in the U.S. require registration of all professionals practicing engineering. The basic reason is to protect the public by enforcing standards that restrict practice to qualified individuals.
While professional registration is required for design of most critical infrastructure projects such as water and wastewater treatment facilities, people and companies that implement and configure the control systems and software for these same systems aren’t covered by registration requirements. Also, many organizations do not require professional engineers to have demonstrated proficiency in these areas of design. This gap needs to be closed.
The good news is the National Council of Examiners for Engineering and Surveying offers examinations with proficiencies in control-system engineering and software engineering. Further, the framework for registration requirements already exists in other disciplines.
Why is registration important? First, nearly all modern control systems depend on critical software development, network security design and implementation. The implementation of these systems affects electrical, mechanical, process and nearly all other branches of engineering and design. Second, as financial pressures drive organizations toward more automation, control systems and software become more important as many critical assets are run remotely, sometimes completely unmanned during large portions of their operation. Owners depend on control systems to monitor and control these critical assets and notify operators of abnormalities.
For example, many critical infrastructure systems, including water and wastewater treatment facilities, operate with minimal levels of operational staff, who depend on control systems to monitor and control drinking-water quality or protect the environment by treating wastewater.
Finally, regulatory agencies require large amounts of data collection that would be cost-prohibitive to do manually, such as 15-minute water-quality samples. In order to satisfy demand, many control systems are connected to external networks (either directly or via portable media) to deliver this data to the organization. The control systems are now exposed to cyber threats. Secure implementation helps protect them.
Cyber Security Drives Change
Recent news events have shown that many systems are now vulnerable to cyber attacks due to the improper implementation of network connectivity. The Cyber Security Act of 2012, currently awaiting floor debate in the Senate, includes regulation for the cyber security protection of critical assets.
GROVES |
While it is clear that control-system engineering and software implementation is vital to protect the public, a significant disconnect still exists in many organizations that commission the design and implementation of the systems.
For example, many public utilities select registered professional engineers and firms to design water and wastewater treatment facilities, but relatively few firms have specific requirements for professional engineers to have proficiencies in control-system engineering. It is common to see control systems (including network and software) designed, signed and sealed by registered civil, mechanical or electrical engineers.
Another area that deserves consideration is the implementation of control systems and software. Currently, many organizations hire professional engineers for design but leave the implementation, including network and programming, to the contractor.
However, most contractors proficient with construction of critical infrastructure are specialized in civil and mechanical construction and therefore must depend on subcontractors—also known as system integrators—for the implementation of the control system.
Many times these system integrators are third-tier subcontractors hired by electrical subcontractors who also do not have the in-house expertise to implement these systems. Many system integrators are highly qualified, but others are not. Some have personnel with questionable experience, character and ethics. With threats to critical infrastructure on the rise, it is time asset owners and regulators begin requiring professional registration for design and implementation of these critical
assets.
Daniel A. Groves is principal consultant at Red Oak Consulting, an ARCADIS group based in Phoenix. He can be e-mailed at daniel.groves@arcadis-us.com.