Cybersecurity in Control Systems Engineer PE Exam

I was visiting the NCEES web site the other day. NCEES is the National Council of Examiners for Engineering and Surveying. That is the group that produces/maintains the Fundamentals of Engineering (FE) and Principles and Practices of Engineering (PE) examinations.


In U.S. states, passing the PE exam is a requirement for obtaining professional licensure as an engineer.

PE exams are offered in 16 fields, ranging (alphabetically) from Agricultural & Biological to Structural.

During the course of seven years developing the country’s first Industrial Cybersecurity degree program, I have asked myself what success would look like for the country.

One core idea (and I am not the only person to think this way – see the DOE Cyber-Informed Engineering effort) is that professional licensure for all engineering AND engineering technology fields would require some basic knowledge, or even better, basic competency in cybersecurity.

So, when reviewing the NCEES PE exam specifications document for Control Systems Engineering (CSE), I was pleased to find an entry for “Security”. It states:

D. Security of Industrial Automation and Control Systems
1. Security (e.g., physical, cyber, network, firewalls, routers, switches, protocols, hubs, segregation, access controls)
2. Security life cycle (e.g., assessment, controls, audit, management of change)
3. Requirements for a security management system
4. Security risk assessment and system design
5. Product development and requirements
6. Verification of security levels (e.g., level 1, level 2)


This seems like a great start. I was left wondering what the exam questions might actually entail. Maybe I will have to take the exam to find out! I was able to gather that the CSE is offered exactly once each year at a Pearson VUE center.

Perhaps more importantly, I wondered:
* Are these the most important security concepts for a control systems engineer to know?
* How will cybersecurity knowledge affect the behavior of a control systems engineer?
* What are the correct answer rates for each question?

Interestingly, the exam specifications for the following exams (where we might hope to find it) do not name security (as in cybersecurity) among covered topics:
* Electrical and computer – electronics, controls, and communications
* Electrical and computer – power
* Industrial and systems

Specifications for the other exams (where we might less expect to find it), namely Agriculture and Biological, Architectural, Chemical, Civil, Environmental, Fire Protection, Mechanical, Metallurgical, Mining and Mineral Processing, Naval Architecture and Marine, Nuclear, Petroleum, and Structural, do not mention cybersecurity despite its cross-cutting implications.

It is very informative that the NCEES Web site makes pass rate information available for all of the exams. A review of this data shows that in 2023, the Control Systems Engineering exam was administered 221 times, with a 57% first-time pass rate.

The data also indicates that roughly 19,000 individuals take a PE exam in any field for the first time each year (data provided is biannual for some tests; I multiplied those by two to make an annual estimate).

In short, I believe there is a real opportunity to bake cybersecurity into the engineering discipline here, but it is going to require some serious effort!


3 Comments

  1. Thanks Sean for your observations on the PE/Control System Engineer Licensure.

    International Society of Automation offers a Control Systems Engineering (CSE) PE Exam Review Course (EN00). (ISA.org)

    Important Exam Notice: If you are interested in taking the CSE review exam in 2024, the exam date has been moved up from October 2024 to April 2024. ISA offers a 3-day virtual review course March 5-7, 2024, or you can schedule a course prior to the next exam offering.

    INFO: Control Systems Engineering (CSE) PE Exam Review Course (EN00) reviews the knowledge and skills areas included on the CSE Professional Engineer (PE) examination. This course prepares engineers with a minimum of four years of experience to take the exam by providing instruction on the broad range of technical areas that will be tested. The exams are produced by the National Council of Examiners for Engineering and Surveying (NCEES) and administered by US state professional license boards. EN00 course content is based on the CSE exam specification that went into effect in October 2019. Contact NCEES to schedule your exam.

  2. Great article Sean! Thank you for the shout-out!

    One topic I perceive as missing, unless it’s baked into topics 3 or 4, is control of cyber-induced impacts on engineering systems. That is one area that CIE stresses, the need to leverage information technology controls, and add engineering, physics, and process controls where the consequence of a cyber event bypassing information technology controls was sufficiently high.

    I’d love to work with you to contact those designing the testing approach!

  3. Great post!

    The PE exam questions are written by PE licensed volunteers from the industry and academia, and the team works with NCEES on reworking exam specs every few years. As part of the process, a professional activities and knowledge study (PAKS) is performed and a survey is sent out to the industry where topics can be recommended for percentage adjustment, removal or addition. A study was just completed over the past few months, and as a volunteer who works on the Computer exam I can say our team recommended a significant increase in the breadth of cybersecurity topics and overall exam weight as part of the survey that went out. Once the results of the survey are processed, updates to the specifications will be made.

    I can’t recommend volunteering with NCEES enough if you’re a professionally licensed engineer willing to help in the development of the exams, or at least keeping an eye out for the PAKS surveys and making recommendations on how the exam topics can be updated to stay relevant to what’s important to practitioners in the field. As far as cybersecurity goes: you can be sure there’s at least one (very vocal) practitioner out there encouraging teams to incorporate more of this into relevant exams; I’ll be sure to share your post!
