Industrial cybersecurity company 1898 & Co. has teamed with the Idaho National Laboratory (INL) to apply a consequence-driven, cyber-informed engineering discipline developed and pioneered by the laboratory. These initiatives are supported by the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) in the U.S. Department of Energy.
The alliance between 1898 & Co. and INL is focused on expanding consequence-driven, cyber-informed engineering across the ICS (industrial control systems) cybersecurity community, with the national laboratory focusing primarily on the public sector, and 1898 & Co. on the private sector while delivering support in the public sector as needed.
Developed at INL, the consequence-driven, cyber-informed engineering technique is focused on securing the nation’s critical infrastructure systems. It begins with the assumption that if critical infrastructure is targeted by a skilled and determined adversary, the targeted operation can, and will, be sabotaged.
The methodology provides critical infrastructure owners, operators, vendors, and manufacturers with a more focused bottom-line approach to determining critical functions, identifying methods an adversary could use to compromise the critical functions, evaluating complex systems, and applying proven engineering, protection, and mitigation strategies to isolate and protect an industry’s critical assets.
The consequence-driven, cyber-informed engineering procedure is about imagining the worst consequence a cyber attacker can effect and creating a non-cyber/physical mitigation to reduce the likelihood of a resultant catastrophe occurring.
“Consequence-driven, cyber-informed engineering enhances risk assessment for cybersecurity by combining first-principles thinking with engineering ingenuity,” Zach Tudor, INL associate laboratory director, said in a media statement. “It’s a concept we have developed and improved over the last decade in engagements with major utilities and defense establishments, and we are excited to partner with Burns & McDonnell and 1898 & Co. to offer it to more organizations.”
“While there are no guarantees when it comes to critical infrastructure cybersecurity, 1898 & Co. clients who implement CCE for their most critical assets will have additional safeguards in the form of engineering changes and process improvements that limit the damage an attacker can do once inside,” said Matt Morris, managing director for 1898 & Co. “At the end of the day, CCE’s ability to temper the size and scale of cyber-sabotage provides a level of certainty CISOs and boards sorely need.”
The INL is a U.S. Department of Energy national laboratory that works to meet the DOE’s goals of energy, national security, and science and environment. CESER works to improve the security of U.S. critical energy infrastructure against all hazards, mitigate the impacts of disruptive events and risk to the sector overall through preparedness and innovation, and respond to and facilitate recovery from energy disruptions in collaboration with other federal agencies, the private sector, and state, local, tribal, and territory (SLTT) governments.
“1898 & Co. plans to scale the CCE discipline to critical infrastructure asset owners globally,” according to Morris. “A common theme with the majority of the CISOs I am connecting with is that they are desperately searching for a level of certainty when conversing with their respective boards regarding risk to the business. Prior to the development of CCE, the best answer we had was to implement a series of controls and to maintain those on a frequent basis,” he added.
Last week, Dragos and 1898 & Co. announced the expansion of the 1898 & Co. Managed Threat Detection and Response managed security service into the smart manufacturing space. The combination of 1898 & Co. consulting services and improved visibility, monitoring, detection and situational awareness enabled by the Dragos Platform delivers the capability for critical infrastructure companies concerned with the evolving threat landscape and the resulting risks to their organizations.