Summer 2023

Future Forward

The NSPE Emerging Technologies Committee is laser focused on ensuring that advancements in technology can benefit society and the profession with minimal risk to safety and security.

BY DANIELLE BOYKIN

Emerging technologies such as artificial intelligence, biotechnology, 3D printing, machine learning, and nanotechnology are revolutionizing the world. But these technologies are developing at a pace much faster than can be effectively absorbed into critical engineered infrastructure. This reality makes it imperative that NSPE examine how these technologies will affect public safety and licensure, and to ensure that ethical engineering practice is at the forefront of their development and deployment. Members of the NSPE Emerging Technologies Committee (ETC) recently shared with PE what’s on the agenda to ensure that these new technologies can benefit society with minimal risk to public safety and security.

The Emerging Technologies Committee is charged with identifying the top areas of emerging technology that are currently or will have an impact on the engineering profession and the public health, safety, and welfare in the next three to five years and beyond. Some examples of focus areas might be AI, autonomous vehicles, software supply chain, carbon technologies, and cyber security. The committee, led by Benjamin Railsback, P.E., F.NSPE, and Dan Wittliff, P.E., F.NSPE, is comprised of 22 NSPE members and industry advisors.

"To get out ahead of the proliferation of emerging technologies, it is key for NSPE to be the long-range radar looking over the horizon to see what’s coming and alert our members, the profession, and the public to the potential risks of using those technologies," says Dan Wittliff, the ETC vice chair.

Patty Mamola, P.E., F.NSPE, is looking forward to bringing a unique perspective to the committee as a state licensing regulator and a previously practicing engineer. "We are currently living in the fourth industrial revolution, which is all about the rapid evolution of technology. It is naive to believe that this technology won’t impact the engineering profession," says the executive director of the Nevada Board of Professional Engineers and Land Surveyors and past president of NCEES. "Ideally, engineers should be participating as stewards of technology. As licensed engineers we are held to a higher standard with an obligation to a canon of ethics and we have a duty to consider what is in the best interest of society."

The Emerging Tech Landscape

When Dan Wittliff began his Air Force and engineering career in 1972, PCs (personal computers) did not exist in the mass market. The standard for controls in the nuclear power plants where Wittliff worked reflected a decade of proven technology. "The radios my communications maintenance personnel worked on were vacuum tube equipment left over from World War II. High speed digital subscriber terminal equipment was 9600 baud. Phone systems were making the transition to digital equipment. Proprietary software was the standard for controls."

Today, it’s a much different landscape as technologies are materializing exponentially faster. This software is pervasive in systems that affect infrastructure, water resources, energy, defense, transportation, communications, healthcare, and other critical systems. While this may sound exciting, there are inherent risks associated with such rapid development.

"Software has consumed various industries and transformed the way we operate. The speed of technological advancement is surpassing our ability to effectively manage and safeguard public security and safety, particularly in relation to technologies like artificial intelligence (AI)," says Ben Amaba, Ph.D., P.E., LEED AP, CPIM, an ETC and NSPE Board of Directors member.

For example, open-source software currently supports a sizable portion of software systems, with approximately 90% of existing systems incorporating this technology, Amaba explains. What does this mean? This technology is accessible by almost anyone to inspect, modify, and enhance. Individuals could launch unsafe products or services into the public domain in minutes versus years, whether it was accidental or purposeful. "The integration of these systems and tools not only impacts the end products but also alters the design and implementation processes themselves. While open-source software and AI offers tremendous capabilities and potential public benefits, many unanswered questions remain."

Assessing the Risks

The risks and events that are threatening the safe, secure integration of systems in today’s digital world are similar to that of the analog world, says Amaba. This can involve poor requirements and design, bad construction, poor testing, maintenance problems, change and configuration management issues, broken engineering processes, and lack of quality assurance.

Cyberattacks have emerged as a primary risk concern of US businesses, outweighing worries about the ongoing pandemic or workforce skills shortages, Amaba explains. "A Rubrik Zero Labs study reveals alarming statistics. Nearly half of all US businesses (47%) experienced an attack within the past year, resulting in an average cost of $9.5 million per incident. These attacks have far-reaching consequences, leading to leadership replacements in one-third of affected organizations and a loss of 40% of their customer base."

Another risk that threatens the safe, secure integration and deployment of software systems is the pressure to be first to market. "While competition is a cornerstone of the American economy, there needs to be someone in responsible charge of the development process who serves as the lynchpin between the software team and the engineering team," says Dan Wittliff. "This should be an individual who can tell management that the product is not ready for deployment and if there is a risk of material loss of life or property."

To mitigate risks associated with these technologies, Patty Mamola believes that it’s necessary to form a robust framework for responsible innovation that includes comprehensive risk assessment, ethical considerations, regulatory adaptation, and ongoing dialogue among stakeholders (governments, industry, academia, and the public). "NSPE can advocate for the establishment and enforcement of ethical standards. This includes pushing for laws and regulations that ensure the responsible and safe development and deployment of new technologies."

Stepping Up to the Challenge

When Texas became the first state to license software engineers in 1998, NSPE didn’t hesitate to support actions to protect the public through competent engineering practice. The Society participated in the Software Engineering Licensing Consortium, a collaboration with IEEE-USA, the IEEE Computer Society, and the Texas Board of Professional Engineers. The consortium commenced in 2007 to create a path to licensure for the thousands of engineers who were working on the software to control key infrastructure systems. In 2013, the software PE exam became a new addition to the family of exams administered by NCEES. Despite this investment in the path to licensure, the exam was discontinued in 2018 due to an inadequate number of test takers after five administrations.

In response to this issue, NSPE formed the Software Professional Certification Task Force in January 2020. The task force determined what was needed by industry to address the trillions of dollars of economic impact created by the use of open-source software and a lack of rigorously applied security protocols throughout the supply chain. "When the PE exam was discontinued, we received industry feedback that licensure wasn’t readily transportable while certifications are," Wittliff recalls. "What came across loud and clear was that industry shared NSPE’s concern for protection of public health and safety."

With the lessons learned from this experience, it’s important that the profession remains committed to engineering licensure as it relates to emerging technologies, yet open to some form of change. Mamola points out that with only 20% of graduating engineers seeking licensure, and the continued proliferation of multidisciplinary engineering degrees that are often driven by emerging technologies—robotics, mobility engineering, entertainment engineering, etc.—licensure could easily become extinct. "Licensure will need to evolve. The current licensing model does not work for these new blended engineering degrees and does not work if it is to be considered applicable to some emerging technologies."

Mamola adds, "We need to consider that if the goal is to regulate engineering for public safety, what could or should engineering licensure look like in the future when considering emerging technologies and their application in the built environment."

The work of the Software Professional Certification Task Force resulted in the development of the Systems Software Integrator (SSI) Certification with NICET, the certification division of NSPE. The purpose of the certification is to provide a common standard of care to reduce risk, improve quality, and ensure public safety as software and information technology converges with the operation of physical processes and machinery affecting society. Industries that could benefit from a more secure software supply chain involve critical infrastructure in the areas of aerospace, automotive, petrochemicals, pharmaceuticals, electronics, and power.

The Emerging Technologies Committee is focused on ensuring the effectiveness of the SSI Certification program. NICET is currently seeking individuals with systems software integrator experience to serve as subject matter experts in the development of the certification.

The launch of the SSI Certification program could provide a blueprint going forward. Similar to the development of this certification, says Wittliff, other emerging technologies will likely need to go through a similar process to identify any issues and risks associated with the technologies.

Amaba believes that this work will show NSPE’s commitment to upholding best practices and standards to protect the public. "PEs have been able to protect our physical infrastructure, from the energy grid to our transportation system. The care of these systems by engineers enabled our nation to prosper in the industrial revolution. As we transition to the Digital Age, the same professional licensed engineers can support a successful and safe transition into our inevitable future of computing and software."

The Cost of Software Failures and Threats

The Cost of Software Failures and Threats Systems software will undoubtedly continue to shape our infrastructure, defense systems, overall operational frameworks, and financial risk whether it be good or bad. There is substantial risk to the public health, safety, and welfare caused by using software and software-based devices designed or developed by others without a similar commitment. Reports from the Standish Group, an advisory group on software development, have projected that up to 75% of software projects continue to fail due to poor management practices. There are thousands of attacks and breaches on private and government infrastructure daily and trillions of dollars in financial impacts annually. Ninety-six percent of this vulnerability and risk is avoidable.

The impact of cyber security management practices on the likelihood of cyber events and on financial risk is framed in a Moody’s Analytics report: "Our findings demonstrate a strong relationship between the quality of cybersecurity practices and the probability of a reported cybersecurity event. Certain industries, such as finance, healthcare, and technology, exhibit relatively higher risk of cyber related financial losses. Likewise, larger companies face an elevated risk of security events compared to smaller ones.

The federal government experiences substantial cyberattacks on its systems, which rely on software for control and defense against these attacks. President Biden issued Executive Order 14028 in 2021, which directs federal departments and agencies to secure the US infrastructure and software supply chain against the 700% increase in cyberattacks.

Also, common use of open-source software by engineers and software developers is a critical vulnerability because much of this open-source software is subject to compromise by bad actors. There are thousands of daily attacks and breaches of US infrastructure with an average cost of $9.5 million for a data breach.
Notable Attacks and Failures

iLog4J Vulnerability – iLog4J is open-source software provided by the Apache Software Foundation. The iLog4j vulnerability allows attackers to easily take full control over vulnerable systems without having to go through any security measures and remain undetected by users.

Autonomous Vehicle Crashes – Automakers reported nearly 400 crashes from July 2021 to May 2022, according to a National Traffic Highway Safety report. More than 270 of these crashes involved Tesla models. The AI systems were primarily the cause of these crashes. In 2020, Robert Sumwalt, the former National Transportation Safety Board chairman, clarified that there is no self-driving car in the US: "There is not a vehicle currently available to US consumers that is self-driving. Period. Every vehicle sold to US consumers still requires the driver to be actively engaged in the driving task, even when advanced driver assistance systems are activated." According to industry forecasts, auto makers envision a fully self-driving car by 2025 or later.

Boeing 737 MAX Airliner Crashes – Boeing airliner crashes in October 2018 (Indonesia – 189 deaths) and in March 2019 (Ethiopia – 157 deaths) led to a 21-month grounding of 387 aircraft in the fleet and an estimated $20 billion in direct costs and $80 billion in indirect costs. The plane’s maneuvering characteristics augmentation system (MCAS) software is designed to help prevent the 737 Max from stalling. This software played a role in both crashes.

SolarWinds Cyberattack – In 2020, major cyberattacks carried out through a breach of the SolarWinds’ Orion software update penetrated thousands of organizations globally including multiple parts of the US federal government, leading to a series of data breaches. The threat actor was identified as the Russian Foreign Intelligence Service.

MGM Resorts and Ceasars Entertainment Cyberattack – MGM Resorts International shut down its computer systems at properties in the US after a cyberattack on September 12, 2023. All of MGM’s Grand Hotels & Casinos properties were impacted by the outages, including well-known properties in Las Vegas and New York, according to a notice by MGM. Ceasars Entertainment reported to the Securities and Exchange Commission that it experienced a cyberattack on September 7 and paid $15 million of a $30 million ransom, according to an AP news report.