Harnessing power of CIE, CCE methodologies to build resilience across critical infrastructure sectors

Amid escalating cyber threats and attacks from determined adversaries, critical infrastructure organizations grapple with the imperative to avert disruptions and fortify their systems to withstand intentional cyber compromise, exploitation, and abuse. The Cyber-Informed Engineering (CIE) and Consequence-driven Cyber-informed Engineering (CCE) methodologies, initially developed by the Idaho National Laboratory (INL) for the energy sector, can be adapted to enhance cyber resilience in other critical infrastructure domains. These methodologies transcend theoretical boundaries, encouraging practical implementations that leverage design decisions and engineering controls. Their focus lies in mitigating or even eliminating routes for cyber-enabled attacks, thus minimizing the consequences in the event of an attack.

The recommendations stemming from CIE/CCE methodologies possess extensive relevance for engineers and ICS (industrial control systems) prevalent across critical infrastructure sectors. Although traditional engineering extensively incorporates safety measures and failure mode analysis, these risk management techniques often neglect the threats posed by sophisticated adversaries seeking to impede, disturb, or dismantle critical functions through cyber tactics. Typically, cybersecurity solutions are added as an afterthought during the later stages of the engineering process, rather than being inherently integrated into the system design.

The CIE and CCE approaches stand as guiding beacons for other sectors to embrace and integrate CIE practices into both governmental and industrial frameworks. These principles are universally applicable, spanning across diverse engineering domains, and can form the bedrock of engineering principles that exhibit comparable efficacy across critical infrastructure sectors, including water, transportation, telecommunications, and manufacturing.

Initially designed for large energy corporations, the practical applications of these methodologies transcend theoretical constraints, serving as comprehensive guides for pinpointing and addressing vulnerabilities within critical infrastructure systems. Though their intricate nature may pose a challenge for resource-constrained small businesses, the availability of guidance, training, expertise, and continuous support helps enhance user-friendliness and adaptability for smaller enterprises.

Practical applications of CIE/CCE techniques in energy sector

Industrial Cyber contacted experts to provide real-world success stories or case studies where CIE/CCE methodologies have been effectively implemented in the energy sector, and the benefits that these organizations have realized. They also look into the strategies or best practices organizations employ to ensure the ongoing relevance of CIE/CCE approaches in the face of evolving cybersecurity threats and technologies. 

Curtis St. Michel, a directorate fellow at INL

Curtis St. Michel, a directorate fellow at the INL, told Industrial Cyber that CIE and CCE leverage a broad set of organizational roles, from the leadership team who understand the organization’s risk approach, and provide resources for risk mitigation, to operations, engineering, procurement, cybersecurity and legal who execute risk mitigation strategies. 

“Regularly bringing these entities together to understand and mitigate emerging risk as a team will ensure that the protection strategies employed by the organization evolve to meet emerging threats,” according to St. Michel. “CIE and CCE practitioners begin with the assumption that any organization or system can be targeted by an adversary and the best defense requires ensuring that the critical functions of an organization are resilient to cyber-enabled sabotage or failure.” 

He added that beyond ensuring the confidentiality, availability, and integrity of data, teams focus on the continuity of the most critical organizational functions.

Sarah Freeman, chief engineer for intelligence, modeling and simulation at MITRE’s Cyber Infrastructure Protection Innovation Center

At their core, both CIE and CCE strive to promote the adoption of an ‘engineering first’ mindset, in which security concepts are introduced early in the design phase, Sarah Freeman, chief engineer for intelligence, modeling and simulation at MITRE’s Cyber Infrastructure Protection Innovation Center, told Industrial Cyber. “By considering security as a core requirement of these engineered systems rather than an add-on feature, the technology and systems themselves become more resilient to cyber-attacks.” 

She also pointed out that although there are some weaknesses in the CIE/CCE approach, the adoption of this mindset ensures some resilience as both threat actor capabilities and technologies continue to evolve.

Ed Suhler, co-founder and chief operating officer at Mission Secure

Ed Suhler, co-founder and chief operating officer at Mission Secure, told Industrial Cyber that “we’re seeing success with CCE in both brownfield and greenfield projects within the energy sector. Distributed energy generation and storage has become a very active area for us, partly because CCE is an ideal complement to NERC CIP compliance activities.” 

He added that “fuel processing is another good example–in doing OT cybersecurity design for a planned new facility, CCE is helping us find and address risks before they ever have a chance to exist in the real world.”

Tony Turner, founder and CEO of Opswright

Many energy sector utilities such as Duke Energy and Southern were involved in the early creation of CIE and CCE concepts, Tony Turner, founder and CEO of Opswright, told Industrial Cyber. “While there is not much public information regarding the success or failure of these efforts, it is clear due to the ongoing efforts in electric power that these initiatives are bearing fruit. Additionally, if you track the Cyber Informed Transmission Planning Framework (CITPF) efforts, while not an explicit mapping to CIE, it was adopted based on CIE principles and is another possible ‘how’ to do CIE, similar to CCE, and specific to transmission use cases.”

Turner added that the most important thing for organizations is to socialize the concepts internally. “It requires management support and stakeholder coordination; this will not happen effectively inside a siloed team. It forces a change in thinking process and imbues a consequences-centric culture across the organization.”

“This is not a checklist. Adversary tactics change, therefore our planning and response needs to adapt quickly,” Turner pointed out. “Custom implementations including new efforts from CCE licensees such as CCE Lite, embody this flexibility in approach.”

Translating CIE/CCE principles across critical infrastructure sectors

The experts also explore how the concepts and principles of CIE/CCE can be translated and applied to other crucial infrastructure sectors beyond energy, including healthcare, transportation, and finance. They also offer insights into the potential economic and operational advantages that organizations, both large and small, can gain from effectively implementing the CIE/CCE methodologies.

St. Michel said that both CIE and CCE are directly applicable to any infrastructure where its critical functions depend on engineered processes controlled by digital technology. “These concepts are applicable to all infrastructure sectors, including water, healthcare, agriculture, and manufacturing as examples, but also to any entity with a facility that has safety and environmental controls which are necessary to mission performance.” 

He added that CIE and CCE can increase resilience to cyber-attacks and incorporate engineering-based mitigations to ensure mission continuity even with a system failure or advanced cyber-attack. “We are seeing successful adoption of these methodologies in the water sector and in defense and there is interest beyond those.”

“Any organization with critical mission functions can tailor the Cyber-Informed Engineering concepts to enhance resilience to cyber-attack,” according to St. Michel. “The CIE Implementation guide recently released by DOE-CESER is filled with questions that a risk management team can analyze to better understand the critical functions which must be protected from cyber-attack, how those functions could be disrupted by system failure or adversary attack, and mitigations to create cyber defenses to ensure resilience.” 

St. Michel further added that adopters of CIE and CCE understand where they must make critical investments in cyber defense, the specific goals those investments must achieve, and how to maximize the benefit of those investments. “They can describe specifically how each investment in cyber defense supports resilient functioning of essential organizational missions.”

Although both CIE and CCE were created with cyber-physical systems (CPS) in mind, the CIE principles and the CCE methodology remain sector agnostic, Freeman highlighted. “Even companies within highly digital and interconnected sectors such as financial services, healthcare, and public health can benefit from the adoption of these approaches.”

She added that CCE, in particular, encourages the adoption of policies, security strategies, and technologies that are designed for resilience by working from the most significant and severe potential outcomes of a cyber-attack. “This ensures that organizations are less susceptible to these attacks and reduces the cost associated with recovery, should they occur.”

Suhler identified that “anywhere there’s a risk that a cyber attack could cause physical damage, we can use CCE to reduce that risk. The energy sector was the starting point for CIE and CCE, but the principles apply equally well to water, manufacturing, food and agriculture, transportation, and other critical infrastructure sectors.” 

He added, “what’s interesting is that when you look at an engineered environment through the CCE lens, you not only find ways to make it more secure, you often find ways to make it more efficient. There might be unnecessary software running on workstations, devices, or HMIs, there might even be outdated or testing devices that are no longer used in the industrial process but are still plugged in and consuming resources.”

“Core concepts are highly applicable, for instance, the case studies utilized in the CIE Implementation Guide used the water sector as the foundation for implementation,” Turner said. “Nothing in CIE is specific to power, though the examples, metrics, and scoring criteria utilized in CCE are specific to electric power. Some adaptation has been required to apply this methodology to other sectors, but it is minimal.”

Since CIE is more conceptual, it does not suffer from the same industry lock-in as these principles are applicable to anyone, Turner added. 

Navigating complexity by tailoring CIE/CCE for small organizations

The experts shed light on specific adaptations or simplifications that can be integrated into the CIE/CCE framework to cater to the requirements of smaller organizations without compromising its effectiveness. They also explore methods for enhancing the user-friendliness and practicality of CIE/CCE methodologies for smaller businesses with restricted resources and limited cybersecurity expertise.

The core of the practice of both CIE and CCE is Critical Functional Assurance (CFA), St. Michel said. “CFA in general is an approach to prioritize and address risk based on impact and is rooted in a holistic understanding of how critical functions are delivered. It provides rapid focus to what matters most and illuminates elements and areas of risk that otherwise are often overlooked.”

St. Michel added that organizations with limited resources and cybersecurity expertise must first make core business and operational decisions about which functions of their organization are most critical to ensure they are not catastrophic if disrupted. “For those functions, the entities identify the systems with the most potential to impact those functions through failure or sabotage and analyze specifically how that might happen.”

“Just because a consequence might be enacted through cyber-attack, doesn’t mean the best defenses require cyber expertise,” according to St. Michel. “Sometimes an engineering mitigation, such as a pressure relief, time delay relay or other physical design enhancement would lower the worst impacts of cyber-attack to be bearable. This focus enables effective application of available security resources to the most vital areas of a business/mission/entity and provides the foundation for optimizing greater security strategy and policy efforts, regardless of the size of the organization,” he added.

Freeman said that although the greatest value from a CCE assessment requires organizations to complete all four phases, the methodology ensures even resource-constrained or nascent security programs can receive value from completing some of the stages or employing a stepwise approach. 

For example, she added that by completing the first phase of CCE, consequence prioritization, organizations can improve communication and understanding around which systems within their enterprise are more critical to daily operations. Freeman also identified that similarly, the materials gathered during phase 2 of CCE can inform a variety of cybersecurity initiatives even beyond CCE activities.

CCE, at its core, is an engineering effort that eliminates the ‘trust’ assumption and fills the existing cyber security gaps through a series of processes and procedures. These processes are divided into four distinct quadrants, each with a unique goal of consequence prioritization, a system of systems breakdown, consequence-based targeting, and mitigations and protections. The combined process is intended to be completed in order from the first to the fourth quadrant.

“One of our primary goals in partnering with INL is to make it easier for organizations to apply the CCE methodology,” according to Suhler. “A full-scale CCE project for a federal program might involve dozens of people over the course of a year or more, and that might be entirely appropriate. But for a municipal water system, a solar power site, or even a large fuel processing plant, the process needs to be streamlined. One way we can do this is to take advantage of what the organization already knows about its own systems.” 

Suhler added that for example, in a ‘by-the-book’ CCE project, there’s a sometimes lengthy process of identifying and ranking the possible consequences of cyber sabotage. “But we find that many operators already know exactly what can go wrong and how bad it would be. They need help finding the most effective strategy to stop it from happening, so that’s where we start.”

“The concept of CCE Lite has emerged to support smaller organizations, and this is taking a few different approaches,” Turner said. “One I have seen frequently focuses on Phase 1 of CCE for Consequence Prioritization, and then makes assumptions about System of Systems Analysis and Consequence-based Targeting before moving into Phase 4 for Mitigation and Protection.”

“For instance, creating OT site profiles based on critical infrastructure sector, site purpose and critical functions and their dependencies, dramatically shortens the timeframe to get started on CCE,” Turner detailed. “If you look at other industry capabilities around asset visibility, engineering workflows, or breach attack simulation, this may also provide pathways for efficiency.”

Turner also pointed out that “there’s a lot that goes into doing CIE and CCE, which is a frequent criticism, but like everything else we do in risk management, focusing our efforts on the most critical activities and automating where we can, will push this transformational approach to the right balance of effort vs value creation.”

Fostering adoption of CIE/CCE implementation through resources, partnerships

The experts delve into available resources, training, and support mechanisms for organizations aiming to implement the CIE/CCE approach and tailor it to their unique requirements. They also examine the critical role of partnerships and collaborations between organizations, government agencies, and cybersecurity experts in fostering the broad adoption and customization of CIE/CCE.

ACCELERATE Training provides critical infrastructure companies with a self-guided approach to conducting their own CCE effort, St. Michel said. “The course is two days (16 hours) and includes everything participants need to facilitate a CCE effort within their organization. INL also offers deep-dive training tailored for larger in-depth critical function assessments.” 

He pointed out that the INL has licensed CCE to engineering practitioners, including 1898 & Co., Black & Veatch, MAG Aerospace, Mission Secure, Opswright, Sentar, and West Yost, to extend the practice of CCE throughout critical infrastructure applications.

“The Cyber-Informed Engineering Implementation Guide was published in August 2023, describing the principles of CIE and how they can be applied across the engineering lifecycle, from the earliest design phases, through retirement and replacement,” according to St. Michel. “This guide provides specific questions that a design team can tailor to their needs and infrastructure threat scenarios to guide the development of cyber-informed engineered resilience strategies. This guide was developed by 117 contributors from industry, government, and academia and leveraged contributor expertise in both cybersecurity and engineering.” 

He added that these experts, more than 200, meet regularly as members of a community of practice to advise the CIE program’s research, alignment with education, and integration with standards. These experts also apply CIE practices in their work, whether it is in education, engineering system design, product development, or critical infrastructure operation.

Freeman outlined that for groups interested in implementing or testing out the CCE or CIE approaches, various resources exist. “Considering the CIE framework, organizations can review the CIE principles as defined within the National Cyber-Informed Engineering Strategy. Similarly, a number of CCE-centric resources have been released publicly, including the introductory book I co-authored, Countering Cyber Sabotage, which walks through an example CCE assessment within its appendix.”

She also pointed to the INL’s ACCELERATE program, as well as workshops designed to explain the principles and implementation strategy for CIE. 

Freeman added that partnerships with the private sector and academic institutions play a key role in the wide rollout and adoption of CIE/CCE and serve as a force multiplier for activities that would otherwise be constrained by the resource limitations of the INL. 

Partnerships are essential for expanding the adoption of CIE and CCE, according to Suhler. “Through our partnership with Idaho National Laboratory, Mission Secure is able to apply the CCE methodology for our customers in ways that are tailored to each organization’s size, level of maturity, and specific needs,” he added.

Several ‘Community of Practice’ (COP) areas have been formed for the CIE effort in the areas of education, standards, and development, and these meetings are conducted monthly, Turner mentioned. “Additionally, the CIE Implementation Guide referenced is a strong resource for anyone wishing to learn more about real-world implementation of CIE concepts. INL conducts regular training for CCE at their ACCELERATE sessions held in Idaho Falls and other locations around the country.”

Additionally, Turner said that the resource library, which was one of the strategic objectives in the DOE CIE strategy guide, provides a rich historical context for the work that has gone into CIE over the last decade with close to 100 research-quality papers. Industry education efforts also serve to promote these concepts and explain how to approach these programs.

“If you look at the CCE site, you will find the training schedule and partners within this ecosystem that are driving adoptions,” according to Turner. “In many cases, the methodology is incorporated into larger service delivery for engineering projects or as a standalone activity in support of asset owners looking to embrace CIE and CCE. INL also conducts many exercises as standalone or with support of the very same partners listed here.”
