CIE and CCE methodologies can deliver engineered industrial systems for holistic system cybersecurity

Adopting cybersecurity strategies, like Cyber-Informed Engineering (CIE) and Consequence-driven Cyber-informed Engineering (CCE), can assist organizations in managing the growing number and intensity of cyber attacks on control systems. By doing so, organizations recognize the crucial necessity for a shift in philosophy and engineering methods. The move will ensure that digital infrastructure is protected proactively and that new systems are built with resilience to modern and future cyber threats.

The CIE approach to engineering considers the risks associated with cybersecurity threats and attacks. Across OT (operational technology) and ICS (industrial control systems) environments, CIE involves implementing safeguards and defensive measures to protect critical infrastructure systems from cyber attacks. Arranged in 11 focus areas, CIE is an emerging paradigm to guide engineering design for cybersecurity in critical infrastructure applications, based on a firm understanding of how cyber threats can impact physical systems. It requires engineers to integrate cybersecurity considerations into the design, development, and maintenance of such systems.

The CCE certification establishes that fundamental engineering concepts can be used to solve critical cybersecurity problems and safeguard organizations in ways that current methods cannot. The primary danger is cyber-based sabotage, and CCE operates on the premise that powerful and flexible opponents have already infiltrated and may be operating unnoticed for an extended period. 

The Idaho National Laboratory (INL) walks an organization through core components of CIE in CCE’s four-phase process to evaluate and remove or mitigate weaknesses in their critical functions. The CCE methodology includes consequence prioritization, system-of-systems analysis, consequence-based targeting, and mitigations and protection.

It has been largely accepted that the engineers responsible for constructing complex critical infrastructure systems adhere to rigorous protocols and procedures to ensure the utmost safety and reliability. That being said, most of these procedures were created long before the rise of modern cybersecurity threats, and as such, fail to account for cyberattacks, let alone incorporate cybersecurity measures into the system design.

By rigorously applying the CIE and CCE approaches, OT and ICS environments can reduce risks from threats, maintain compliance with standards, and improve the overall resilience of industrial operations. The transition to these methodologies may require changes to processes, tools, and culture, but can significantly strengthen the security posture and risk management of OT environments over time.

The industrial cybersecurity sector is currently discussing how engineering concepts and practices can be incorporated into cybersecurity and risk mitigation strategies, particularly for industrial environments. 

In a two-part feature article, Industrial Cyber contacted cybersecurity experts within the CIE and CCE fields to gain insight into how the industry arrived at its current state, as well as the challenges that were overlooked during this process. 

Virginia Wright, cyber-informed engineering program manager at INL

“The concept of engineered-in cybersecurity has been a strategy for the Department of Energy since the publication of its 2006 ‘Roadmap to Secure Control Systems in the Energy Sector,’ with the vision that, ‘In 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function,’” Virginia Wright, cyber-informed engineering program manager at INL and Curtis St. Michel, a directorate fellow at INL, told Industrial Cyber.

They added that since the strategy’s publication, energy vendors, OEMs, integrators, and asset owners have been improving cybersecurity practices and standards for products and their integration. “These efforts are improving tools and capabilities available to address cybersecurity risk in industry, however, most focus on addressing cyber risk with cyber-specific defenses.”

Curtis St. Michel, a directorate fellow at INL

“CIE and CCE have expanded the cybersecurity workforce conversation to include the engineers who design, implement, configure, and operate critical infrastructure and to develop guidance for how those engineers can leverage engineering insights and process design to add deliberate design elements which mitigate the impact of a cyber attack on infrastructure,” according to Wright and St. Michel. “In some cases, these solutions add analog or manual controls which can be used to physically interrupt a process driven awry from digital sabotage, and in others, they ensure that the engineers and the cybersecurity team work together to develop and exercise resilience and response plans.”

The INL executives also highlighted that CIE and CCE allow all contributors to engineered industrial systems to aggregate their contributions to holistic system security, and elevate engineering design and engineering practice for cybersecurity to that of safety and reliability.

The integration of engineering concepts and practices into cybersecurity and risk mitigation strategies in the industrial sector has gained significant attention in recent years, at least in part due to concepts such as CIE and CCE, Matt Morris, global managing director for 1898 & Co. Security, told Industrial Cyber.

Matt Morris, Global Managing Director for 1898 & Co. Security

To understand how the industry arrived at this point, Morris outlines the need to consider a few key factors: industrial systems evolution; the rise of cyber threats; the growth in awareness of industrial cyber risks through a series of high-profile incidents and attacks, with incidents like the Ukrainian power grid attack in 2015 and the NotPetya malware in 2017 serving as wake-up calls that prompted the industry to recognize the need for better cybersecurity practices; regulatory pressure; and the convergence of engineering and cybersecurity.

“Despite the increasing importance of industrial cybersecurity, it’s true that these issues were not always given sufficient consideration in the past. In fact, we don’t have to look far into history to see examples of the same phenomenon occurring,” Morris said. “The initial focus of industrial environments was on safety and operational efficiency, with cybersecurity often being an afterthought. As technology advanced and threats evolved, it became evident that cybersecurity had been overlooked. However, the industry has made significant strides over the years to address this gap and develop comprehensive cybersecurity frameworks that draw upon engineering principles, with CIE and CCE being among the most prominent,” he added.

Today, there is a growing recognition that cybersecurity should be an integral part of industrial systems’ design and operation, according to Morris. “The industry is actively working to bridge the gap between engineering and cybersecurity, leveraging engineering practices, risk management methodologies, secure coding standards, and other proven techniques to enhance the resilience of industrial environments against cyber threats.” 

“In the United States, CIE and CCE have emerged as the leading approaches for building risk mitigation into secure facilities design upfront,” Morris said. “This resulted in the inclusion of CIE into the White House Office of the National Cyber Director’s National Cybersecurity Strategy released in March 2023, the US Department of Energy’s (DOE) National Cyber-Informed Engineering Strategy released in June 2022, and the DHS CISA Strategic Plan 2023-2025 released in September 2022. Each of these acknowledges CIE as a core and foundational aspect of our cyber risk management approach.”

Andrew Ohrt, Resilience Practice Area Lead for West Yost Associates

It is well documented how the cybersecurity threat landscape has evolved over the last few decades, Michael Gruenbaum, a control systems specialist with West Yost, and Andrew Ohrt, resilience practice area lead with West Yost, told Industrial Cyber. “Control systems technologies have also evolved to support increasing connectivity, in part due to customer demand. Many utilities have begun to minimize their dependence on hardwired controls, replacing them with increasingly sophisticated digital systems that are connected via Ethernet-based networks.” 

“The functional requirements of these systems make it impractical to implement and maintain an ‘air-gap’ with outside networks,” according to Gruenbaum and Ohrt. “Finally, the threat environment has changed, with an increased focus by malicious actors on control systems. This change in the operating environment coupled with the evolution of control systems has led us to an uneven and incomplete implementation of cyber-resilience infrastructure across sectors.”  

Michael Gruenbaum, control systems specialist with West Yost

As the CCE/CIE approaches were born out of the U.S. DOE and the INL, with their origins in protecting energy infrastructure, the executives assess how the concept can be successfully adopted in other verticals and across other regions.

“Cyber-informed engineering (CIE) and the Consequence-driven, Cyber-informed Engineering (CCE) methodology were developed as novel approaches to assure critical functions from potential cyber-enabled sabotage,” Wright and St. Michel said. “Due to the rapid adoption of digital technologies used to deliver critical functions in the energy sector, CCE/CIE was a natural fit to help understand the security trade-offs in delivering critical functions more digitally dependent, and how adversaries could target these dependencies to disrupt critical infrastructure,” they added.

However, Wright and St. Michel added that “the CIE/CCE has been successfully applied to many different verticals (especially with our DOD partners and others in critical infrastructure security). Essentially any vertical or sector can apply CIE/CCE to engineer more resilient systems.”

“The Department of Energy’s CIE program is focusing on education to build CIE concepts into engineering curricula at universities and trade schools. This will include electrical engineering and mechanical engineering, but also engineering disciplines used in other sectors, including nuclear, agricultural, etc.,” according to Wright and St. Michel. “CIE is working with leading engineering universities to build curricula and educational resources which can be incorporated into accredited engineering programs to expand the practice into engineering across all infrastructure sectors.”

Morris said that while it is true that the founders of the CCE approach held positions at INL, an institution funded by the U.S. DOE, it is crucial to note that CCE and CIE are not inherently tied to energy-related systems. These approaches can be implemented in any critical infrastructure environment, regardless of the sector.

“CIE/CCE has already been widely adopted and implemented across diverse critical infrastructure sectors and environments. It is worth mentioning that a group of companies has partnered with INL to become licensees of the CCE approach. These companies have undergone training and possess the capability to train others in CCE,” according to Morris. “Moreover, some licensees engage in CCE projects within both the public and private sectors. While the primary mission and focus of the DOE revolve around energy-related industries, it is important to highlight that each licensee has a broader focus beyond the purview of INL and the DOE. This expands the range and coverage of the discipline, encompassing sectors such as water and wastewater, maritime operations, pipelines, chemicals, federal agencies, military, manufacturing, and many more.”

To date, Morris disclosed that CCE projects have been implemented across power utilities, water utilities, nuclear-powered assets (such as power generation facilities or nuclear-powered submarines and ships), pipelines, maritime operations, and military and defense systems. “From a regional and national security standpoint, CCE has primarily been implemented in the United States. However, as awareness grows among US allies due to the regional or global presence of CCE licensees, we can expect further adoption of the approach in other regions as well,” he added. 

Gruenbaum and Ohrt said that because CCE/CIE methodologies are general and broad, any engineer can adapt them from the original energy context into their design, operations, and management practices. “At West Yost, we are adapting and integrating CCE/CIE into our day-to-day water sector engineering practice.” 

They added that, likely, “the best approach to most easily drive adoption of CCE/CIE across sectors and regions is to provide examples for how engineers and asset owners can embed CCE/CIE into existing practices, like through regular risk management, cybersecurity assessments, and engineering practices.”

The CIE and CCE approaches have been in use for several years now and appear to be gaining wider interest. The experts analyze whether there has been significant uptake of these approaches in sectors beyond energy and in countries other than the U.S. They also look into the industries and regions leading the way, and the effect that this has on the existing model.

“We have recently conducted several CCE training courses outside of the US to critical infrastructure security stakeholders,” Wright and St. Michel shared. “Of note, the CCE book, ‘Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering (CCE)’ has recently been translated to Japanese and we have spent time with members of the Japanese Industrial Security Center of Excellence (ISCoE) to share ideas around how CIE/CCE can augment their existing security approaches.”

Additionally, Wright and St. Michel said that “over the past several years we have partnered with private-industry security and engineering firms who are trained and licensed in the CCE methodology to provide CIE/CCE services to their clients in critical infrastructure. These firms provide engineering and ICS/OT security services to all critical infrastructure verticals (water, ONG, energy, advanced manufacturing, military applications, etc.).”

“Seeking a technology-agnostic risk management approach, the IAEA has leveraged CIE principles within cybersecurity guidance for the international nuclear community. CIE provides the basis for a consequence-driven approach focusing security mitigations on the preservation of critical functions,” Wright and St. Michel added.

Indeed, the CCE approach has been implemented across a significant cross-section of critical infrastructure, Morris said. “Thus far, CCE projects have been successfully applied to power utilities, water utilities, assets related to nuclear power (both power generation facilities and nuclear-powered assets such as submarines or ships), pipelines, maritime operations, and military/defense systems.”

“In terms of geographical reach, the United States stands as the pioneering nation where the approach was developed, making it the frontrunner in terms of adoption and implementation. However, the approach has also been shared with numerous allied nations, including Japan, the United Kingdom, Israel, Australia, and several European countries,” according to Morris. 

He added that as the largest licensee for CCE in terms of the number of trained personnel, “1898 & Co. is taking the initiative to introduce the CCE ACCELERATE training program to the Asia Pacific region, specifically in Singapore, during the third quarter of 2023.”

Gruenbaum and Ohrt said that their focus is on the U.S. water and wastewater sector, “so our exposure to interest from other countries is limited.”

Do catch the second part of this Industrial Cyber feature article, scheduled to be published Monday, that looks into how CCE can be adapted for smaller critical infrastructure providers with limited resources and the requirements for this adaptation to be successful. The experts also examine whether CCE can be deployed across verticals, regions, and organization sizes and what needs to happen to raise awareness. They also look into the training and education that would be necessary to extol the benefits of this approach.
