Meaningful strides possible with CIE and CCE methodologies across industrial cybersecurity landscape

Organizations facing an increasing number of cyber attacks on control systems can benefit from cybersecurity strategies, such as Cyber-Informed Engineering (CIE) and Consequence-driven Cyber-informed Engineering (CCE). These strategies can aid in managing the growing intensity of cyber attacks. It is vital for organizations to recognize the importance of a change in philosophy and engineering methods. The shift will ensure that digital infrastructure is protected proactively and that new systems are built with resilience to modern and future cyber threats.

The CIE/CCE methodologies involve implementing security measures continuously throughout the lifecycle of a system, from design to decommissioning, thus helping address vulnerabilities as they emerge instead of during periodic security assessments. These strategies call for security to be built into the design of systems from the ground up, following secure development practices, implementing security-by-design principles, and conducting threat modeling.

These approaches also require continuous integration testing, where security checks are performed automatically with each code update and configuration change, and are subject to continuous monitoring, where security controls are evaluated on an ongoing basis. They offer promising solutions that work on enhancing system security and cybersecurity for industrial systems, minimizing potential cyber attacks and protecting against industrial espionage. With the growing reliance on technology in industrial settings, it is crucial to explore the benefits of these methodologies and their impact on security.

In the first part of the feature article, Industrial Cyber explored the integration of engineering concepts and practices into cybersecurity and risk mitigation strategies, particularly across industrial environments. It also analyzed how we arrived at this point, without taking these issues into consideration. Additionally, it investigated how these concepts can be effectively adopted across other regions and verticals.

CCE suggests that, even with adequate security measures in place, determined or well-funded intruders will still be able to penetrate the system; thus, one must assume they are already present. In this piece, cyber engineering experts analyze whether there is any documented evidence to support this.

Curtis St. Michel, a directorate fellow at INL

CCE suggests that cyber-security measures alone aren’t enough to stop determined, well-resourced, and highly skilled adversaries, Virginia Wright, cyber-informed engineering program manager at Idaho National Laboratory (INL), and Curtis St. Michel, a directorate fellow at INL, told Industrial Cyber. “This is based on the premise that with even the best cyber defense in place, there are ways by which an environment can still be compromised (think supply chain interdiction/or tampering, close access (insider threat), or unverified trust in otherwise trusted relationships (subcontractors, etc.)).”

Virginia Wright, cyber-informed engineering program manager at INL

“We still advocate for robust cyber hygiene, but CCE provides a proven way to focus on the most impactful events for an organization and find engineering or administrative fixes that go beyond traditional cyber,” according to Wright and St. Michel.

Wright and St. Michel added that without going into any specifics, “look at any of the high-profile hacking examples of the last couple of years (Colonial, SolarWinds, etc.), and in many of these examples the victim may have been cyber ‘compliant’ or ‘green across the board’ when it came to their industry-mandated or best-practice-based cyber security posture. However, we believe that without considering the functional delivery perspective, you may miss how an adversary could find vulnerable seams in how critical functions are delivered and ultimately find ways to exploit them using cyber.”

Matt Morris, global managing director for 1898 & Co. Security, said that “the fundamental principle of CCE aligns precisely with your statement, and this principle is fully supported by factual evidence. It has been discovered that even if you have implemented virtually every risk mitigation technique and diligently follow stringent cybersecurity practices, you remain vulnerable to attacks from skilled adversaries.” 

Matt Morris, Global Managing Director for 1898 & Co. Security

“Importantly, this does not necessarily imply that the adversary must be a nation-state. There have been numerous instances of sponsored groups, hacktivists, and others demonstrating the capability to exploit weaknesses in the overall cybersecurity posture of organizations,” Morris told Industrial Cyber.

Addressing documented cases or evidence of intruders successfully gaining access to environments and carrying out activities despite adequate security measures, Morris confirmed that there are numerous such cases. “The truth is that some of these cases can be openly discussed to a certain extent because certain details are already known and talked about publicly. However, there are many more cases that we cannot disclose or discuss due to various reasons.”

“A couple of incidents that have gained significant attention in the public domain include the BlackEnergy/Industroyer attack on the Ukrainian power grid, the SolarWinds supply chain incident, and the Colonial Pipeline breach,” Morris highlighted. “It must be acknowledged that if you were to inquire whether these specific organizations had implemented sufficient cyber defenses and maintained a robust cyber hygiene or not, you would receive varied responses ranging from ‘not bad’ to ‘not so good’ from skilled cybersecurity practitioners.” 

He added that nevertheless, it is important to recognize that this situation reflects the reality across the entire market, encompassing all organizations. 

Morris also said that he “would like to express something that I rarely get the chance to convey regarding the other incidents that have taken place. These incidents pertain to matters that cannot be openly conversed about or divulged. The question of whether or not these events have occurred has been raised in various forums, including magazines, newspapers, different forms of digital media, and even my own social media channels. Rest assured, I comprehend the pursuit of knowledge and, in certain cases, the need for substantiation of different claims. This is an endeavor embraced by commendable journalists and scientists.”

He also emphasized that “as a practitioner closely collaborating with scientists or in science-related domains, it is intrinsic to our identity and purpose to seek answers and evidence, potentially through mathematical formulations, to explain particular phenomena.” 

“Simultaneously, it is crucial for the general public to acknowledge and comprehend that while the fact that something has transpired may be shared as an undeniable reality, the specific details concerning what occurred, when, where, and how cannot be openly disclosed or discussed,” Morris highlighted. “This is precisely why security clearances, non-disclosure agreements, and confidentiality agreements exist. My request to the community is to kindly acknowledge this and be willing to extend us the benefit of the doubt.”

Article Co-authored by Andrew Ohrt, Resilience Practice Area Lead for West Yost Associates

Michael Gruenbaum, a control systems specialist with West Yost, and Andrew Ohrt, resilience practice area lead with West Yost, told Industrial Cyber that as a water sector engineering company, “we have access to the same public information that everyone else does. Because of this, we must rely on organizations like AWWA, CISA, EPA, and other Federal partners to inform our perspectives. We strongly recommend organizations consider that a determined and well-resourced adversary may penetrate their systems and plan a response to ensure critical functions,” they added.

Michael Gruenbaum, control systems specialist with West Yost

The experts also explored the feasibility of adapting the CCE for smaller critical infrastructure providers with limited resources. Additionally, they examined the necessary requirements for such adaptation to be successful.

“The beauty of CCE is that it is applicable and adaptable to any size organization. Once trained in the methodology, we have seen organizations from small to large apply the CIE principles taught through CCE to better secure critical functions,” Wright and St. Michel said. “One of the huge value propositions of CCE is that it quickly helps organizations/businesses focus on what matters most from a security perspective. This can be huge for smaller organizations that know they need to do more in ICS/OT security, but don’t know where best to start, and that have limited resources at their disposal.”

Morris said that CIE/CCE is certainly effective even for smaller infrastructure providers. “The encouraging news is that CIE/CCE is primarily an engineering discipline rather than solely focused on ‘cyber’ aspects. It is closely aligned with engineering principles, safety protocols, and more. Consequently, the global shortage of cybersecurity talent does not pose as significant of a challenge as one might assume. Even smaller firms are required to possess the necessary engineering and control systems knowledge to operate their critical infrastructure. This existing expertise becomes a crucial ingredient from an internal team perspective to collaborate effectively with external CCE practitioners, including CCE licensees,” he added. 

Alternatively, the CCE licensee can train the key stakeholders within the organization, enabling them to conduct their own internal CCE engagements, according to Morris.

“For those who feel a strong need for external guidance and direction, the aforementioned group of licensees are fully prepared to engage,” Morris explained. “In fact, some licensees have already innovated the CCE approach, enabling a rapid return on investment by condensing the timeframe for executing the initial two phases of CCE. Typically, these phases can now be completed within a significantly shortened period of around 10-12 weeks, in contrast to the original CCE approach that often required 6+ months to implement phases 1 and 2.”

According to Gruenbaum and Ohrt, critical water infrastructure processes and regulations are nearly identical across the United States, so case studies and best practices across the industry will allow a checklist approach that lets many smaller water and wastewater agencies benefit from CIE/CCE. “This would reduce the need for a customized, in-depth CIE/CCE assessment, which can greatly tax the limited staffing and financial resources of smaller providers,” they added.

The experts also analyze the feasibility of implementing CCE approaches in different sectors, areas, and corporate sizes. They also assess the measures required to raise awareness and provide necessary training to promote this approach’s benefits.

“Raising awareness of the principles and importance of cyber-informed engineering is first and foremost, then having a repeatable methodology (CCE) to exercise and apply those principles is key,” Wright and St. Michel said. “As a starter, the aCCElerate training course that DOE offers through INL is a great opportunity to understand how organizations can use the CCE methodology to better protect their functions and systems using CIE principles.” 

However, to be truly successful, Wright and St. Michel added that “we need to continue to work with academic and private-industry partners to instill these principles into the engineering and security workforce (current and future workforce).”

Lastly, Wright and St. Michel said that policy and regulation will need to adapt to better reflect the importance of engineering critical infrastructure and function from a cyber-informed perspective. “Similar to how the industrial safety culture has evolved, engineering for security has to evolve. The practice of industrial safety was greatly benefited by the adoption of regulation and similarly, regulation/compliance-based compulsion may be required to ensure that businesses and organizations adequately address the full breadth of critical function assurance moving forward,” they added.

“Both CIE and CCE possess inherent versatility, making them immediately applicable across all industry sectors, regions, and organizations of varying sizes. The key aspect for both approaches lies in fostering awareness,” Morris said. “The greater the extent to which the general public can hear about, internalize, and contemplate their implications, the higher the likelihood of CIE and CCE bringing about substantial positive changes to the industry as a whole.” 

However, Morris added that it is essential to recognize that the responsibility for spreading awareness does not solely rest with entities like the Department of Energy (DOE), Idaho National Laboratory (INL), 1898 & Co., or other CCE licensees. “Achieving the ultimate impact that CIE and CCE are capable of, and should have, necessitates the collective efforts, co-investment, and expansive media outreach of a much broader array of companies,” he said.

“The national CIE strategy articulates a comprehensive approach to embedding CIE and by extension CCE into engineering practices in university curricula. This is necessary to provide the next generation of engineers with the skills for our changing world,” Gruenbaum and Ohrt said. “National organizations will need to help spread awareness of these practices and develop the training needed to fully implement them into existing infrastructure.” 

Gruenbaum and Ohrt said that they have found that utilities want to protect against risk, but need the tools to do so and that when organizations like AWWA provide leadership, water utilities are willing adopters. “In the next year, AWWA will be publishing a water sector-specific approach to CCE that West Yost is developing so that more utilities are better prepared against growing cyber threats,” they concluded. 
