The Imperative for the Connected Built Environment

As information technology and operational technology converge into a cyber-physical systems across the built environment, professional engineers must now account for a category of public safety risk that sits outside traditional engineering disciplines. This risk is foreseeable, repeatable, and life-safety relevant. Yet it remains largely unassigned within professional responsibility and liability structures. The education and practice of cyber safety engineering must be recognized as a distinct designer of record function, supported by professional licensing, a formal Standard of Care, and clear professional liability determination.

In May 2023, malicious Chinese code was discovered embedded deep inside the networks of power grids, communications systems, fuel distribution, and water infrastructure that provide essential life-sustaining services for society globally. The malware dubbed, “Volt Typhoon,” and its successors are still considered ticking time bomb across most U.S. critical infrastructure sectors. These intrusions demonstrated that the ability to disrupt or destroy critical infrastructure through cyber-physical manipulation is no longer theoretical. Local water utilities, a major Gulf Coast port, wireless networks, an oil and gas pipeline, and the Texas power grid have all been affected by cyber incidents with physical consequences.

These events exposed a design assumption failure, Systems were engineered to be physically safe, but digitally blind. Unlike traditional information technology attacks that primarily target data or software, operational technology cyber attacks directly threaten human life, health, and property across the life cycle of the asset – a property/casualty loss clearly within the realm of professional engineering responsibilities and asset owner liability.

Converging Cyber-Physical Systems

Engineers increasingly incorporate connected technologies and automation to provide owners and operators with improved system reliability and performance, reduced operating costs, and less risk from human error. Remote management of electrical, mechanical, and control systems has become standard practice across building, utilities, transportation, and industrial environments. Given the increasing value and operational benefits of convergence, legacy safety practices that relied on firewalls, air gaps, or assumed isolation are no longer sufficient.

Those legacy practices are now being replaced by proactive technologies that provide continuous monitoring, segmentation, protection, and automated recovery following cyber exploitation.

Continued reliance on outdated assumptions substantially increases public safety risk when OT systems are not monitored or protected with the same rigor applied to IT systems. Compounding this risk, asset owners routinely connect their own technology stacks into operating environments, introducing additional and often undocumented attack vectors.

Engineers must therefore account not only for the intended use of a designed system, but also for the full range of functions, interconnections, and failure modes that affect safe operations. The proliferation of automated systems directly interfacing with humans is accelerating with advanced robotics, digital twins, and AI-enabled design and control platforms. As capability and complexity expand, so too do risk and liability exposure for engineers, owners, and insurance companies.

The Historic Development of Standards of Care

The relationship between insurance and professional engineering standards of care has evolved significantly over the past century and a half, usually when major engineering failures (fires, bridge collapse, boiler explosions) led to significant liability issues.

Professional engineering societies, including the American Society of Civil Engineers (founded 1852), developed codes of ethics and practice standards in part to address public safety failures and insurance market concerns. As projects grew larger and more complex, engineering firms sought professional liability insurance. Insurers, in turn, required predictable professional behavior, defensible norms of practice, and evidence that engineers adhered to accepted standards of care.

By the mid 20th century, state-based professional licensing became widespread. Insurance coverage beyond gross negligence to include “errors and omissions”, insurers increasingly required documentation, risk management protocols. Engineering societies responded by formalizing standards and guidance that could serve as benchmarks for professional judgment.

Today, insurance considerations directly influence engineering standards development . Professional organizations like ASCE, IEEE, and ASME consult with insurance industry representatives when updating standards. Compliance with recognized standards can reduce premiums while deviation may increase liability exposure or void coverage altogether. Continuing professional education requirements now embedded in licensing frameworks further reinforce the expectation that engineers remain current as standards evolve.

Cyber-physical systems now present the same conditions that historically drove the creation of engineering standards of care: foreseeable hazards, repeatable failure modes, and catastrophic consequences. Yet no comparable standard exists for cyber safety in the built environment.

Engineering Cyber Safety into Lifecycle Management

The engineering profession cannot ignore the growing cyber safety risks that increasingly dominate infrastructure incident reporting. Nor can engineers defer responsibility on the basis that asset owners did not request protections. Waiting for a major catastrophic loss of life before acting would represent a failure of professional duty.

As with fire protections, electrical grounding, and other mandatory safety systems, cyber safety controls must be specified, designed, and verified as part of standard engineering practice. These protections should be designed by a trained engineer with defined educational requirements and ongoing professional development to maintain currency with evolving threats and mitigation technologies. Contractors must then install and integrate those protections as specified. Owners/operators have a responsibility to maintain cyber safety systems throughout the lifecycle of the asset.

When a cyber incident occurs, the owner has a responsibility to determine whether continued operation is safe during response and recovery. If the asset cannot be operated safely, preservation of human life must take precedence. At that point liability for operational decisions rests with the owner, regardless of the source of the attack. The engineer’s responsibility is to design for safety, document risk, and provide professional judgement, not to assume operational control.

Establishing a Cyber Safety Standard of Care

Engineering practice has reached an inflection point. Professional standards for cyber safety in the built environment must be established, adopted the academic and professional societies, and enforced through licensing requirements. At a minimum, a cyber safety standard of care should be grounded in the following principles:

What Next? A Call to Action

In June 2026, professional engineering societies, academic institutions, an insurance stakeholders will convene in Washington DC at the Cyber Safety Summit to establish the foundations of a cyber safety Standard of Care. The summit will review technical papers addressing the role of a designated Cyber Safety Engineer of Record, verification and documentation requirements during design and cyber commissioning, and incident reporting obligations parallel to occupational safety or structural integrity failures.

The summit is convened to establish the requirements for a Cyber Safety engineer to be adequately educated, trained, and professionally licensed for responsibilities including:

• Duty of Care – Applying professional judgment to ensure cyber safety is incorporated into all design and operational decisions connected cyber/physical systems.
• Competency– Demonstrated expertise in cyber safety and security and undergo continuous professional development.
• Ethical Conduct– Managing systems transparency, safeguarding privacy, and acting in the public interest, in alignment with established engineering ethics.
• Accountability Assigning clear responsibility for cyber safety to a primary designer of record. This role would include development of a technology registry at the beginning of design to capture the totality of systems and devices, including building management systems and owner-installed technologies.

Bringing together the Nation’s leading engineering schools, global engineering firms, professional associations, asset owners, and technology companies may be a long-term project, but the consequences of not acting now are real and existential. For the sake of future generations, we engineers must move faster than the evolving cyber threat.

The Honorable Lucian Niemeyer, F.SAME, is CEO, BuildingCybersecurity.org and a Member of the National Academy of Construction; [email protected]. Dr. Georgianna “George” Shea, chief technologist at the Foundation for Defense of Democracies (FDD) Center on Cyber and Technology Innovation.