Think Like an Adversary

Consequence-driven Cyber-informed Engineering (CCE) is a methodology focused on securing the nation’s critical infrastructure (CI) systems. Developed at Idaho National Laboratory, CCE begins with the assumption that if CI is targeted by a skilled and determined adversary, the targeted operation can–and will–be sabotaged.

This methodology provides CI owners, operators, vendors and manufacturers with a more focused bottom line approach to:

  • Determine most critical functions
  • Evaluate complex systems
  • Identify methods an adversary could use to compromise the critical functions
  • Apply proven engineering, protection, and mitigation strategies to isolate and protect an industry’s most critical assets

Consequence-driven

INL leads executives and operational experts through identifying critical functions essential to fulfilling the organization’s mission and determine the potential consequences of a cyber-enabled sabotage against them.

Cyber-informed

Using the CCE methodology, INL guides system operators to identify key points within a critical system vulnerable to a cyber-enabled sabotage.

Engineering

INL then fully leverages an organization’s operational expertise, system understanding, and process knowledge to remove or reduce cybersecurity risks through engineering practices.

Safeguarding Critical Infrastructure Operations

CCE Methodology: A Four-Step Process

1. Consequence Prioritization

2. System-of-Systems Analysis

3. Consequence-Based Targeting

4. Mitigations and Protections

Case Studies

Information

Presentations

CCE Methodology Overview

1. Consequence Prioritization

Identify functions that must not fail and associated events that would trigger failure of those critical functions. Proceed with events that possess the greatest potential impact.

Methodology Process  A

 

2. System-of-Systems Analysis

Identify, collect, and organize all information regarding critical systems involved in the Phase 1 events.

 

Methodology Process

3. Consequence-Based Targeting

Develop scenarios to determine paths, targets, access, and information an adversary would need to achieve the events.

 

Methodology Process

4. Mitigations and Protections

Develop mitigations and protections to prevent, limit, respond to and recover from an adversary carrying out the scenarios developed.

 

Methodology Process

Information

Through support from multiple federal agencies, we provide a studied and proven methodology of multiple critical infrastructure and national security entities.

DOE logo DOD logo DHS logo

CCE Methodology Overview

Engineering out the cyber risk from things that must not fail.

cce thumb new

CCE Methodology

1. Consequence Prioritization

Identify functions that must not fail and associated events that would trigger failure of those critical functions. Proceed with events that possess the greatest potential impact.

Methodology Process  A

 

2. System-of-Systems Analysis

Identify, collect, and organize all information regarding critical systems involved in the Phase 1 events.

 

Methodology Process

3. Consequence-Based Targeting

Develop scenarios to determine paths, targets, access, and information an adversary would need to achieve the events.

 

Methodology Process

4. Mitigations and Protections

Develop mitigations and protections to prevent, limit, respond to and recover from an adversary carrying out the scenarios developed.

 

Methodology Process

Case Studies

Information

Through support from multiple federal agencies, we provide a studied and proven methodology of multiple critical infrastructure and national security entities.

DOE logo DOD logo DHS logo

Presentations

CCE Methodology Overview

Engineering out the cyber risk from things that must not fail.

cce thumb new

Collaborating Across Critical Infrastructure Sectors

In The News

Untrusting the Grid

More Hard Hats for Security Engineering!

Engineering Out the Cyber-Risk...

The End of Cybersecurity

Multimedia

Consequence Based ICS Risk Management

CCE: INL’s Approach to Securing Critical Industrial Infrastructure

CCE with Andy Bochman of INL

Social Media

Twitter

Upcoming Events

ICS Joint Working Group - VIRTUAL JUNE 9-10

Resilience Week 2020, Salt Lake City, UT

Untrusting the Grid

Power Grid International, March 9, 2020
Article by Sean McBride, an Industrial Cybersecurity Program Coordinator at Idaho State University and a jointly appointed faculty researcher at Idaho National Laboratory.

CCE Powergrid article

More Hard Hats for Security Engineering!

Subtitled: Automation Engineers, You Already Know Almost Everything You Need

Medium.com,  April 19, 2020
Article by Sarah Fluchs on S4x20 highlighting INL and its CCE work.

CCE medium article

Engineering Out the Cyber-Risk...

RSA Conference 2019
It is dawning on critical infrastructure operators that even the best cyber-hygiene—the sum total of all we now do in cybersecurity—cannot be counted on to keep well-resourced attackers from touching their most critical processes and the systems that support them. This talk will introduce a new approach that draws from engineering first principals to take the highest value targets off the table.

The End of Cybersecurity

Harvard Business Review May 31, 2018
Digital, connected systems now permeate virtually every sector of the U.S. economy, and the sophistication and activity of adversaries–most notably nation-states, criminal syndicates, and terrorist groups–has increased enormously.

HBR EndofCybersecurity

Consequence Based ICS Risk Management

SA4 January 2019
Dale talks with Andy Bochman about the Consequence-Driven, Cyber-Informed Engineering (CCE) and John Cusimano about CyberPHA’s and  lowering the maximum impact of a successful attack.

CCE: INL’s Approach to Securing Critical Industrial Infrastructure

Implementing consequence-driven Cybersecurity with continuous ICS monitoring & threat modeling.

CCE with Andy Bochman of INL

Dale Peterson podcasts with INL’s Andy Bochman to discuss INL’s Consequence-Driven, Cyber-Informed Engineering methodology (CCE) with emphasis on the often neglected consequence part of the risk equation.

Listen to the podcast:

Twitter

The nation’s nuclear energy research laboratory.

ICS Joint Working Group - VIRTUAL JUNE 9-10

RESCHEDULED VIRTUALLY: We are pleased to let you know that our Virtual meeting is scheduled for June 9-10, 2020. Please share this  information with others who are interested in the ICSJWG and who wish to collaborate with us in our continuing information sharing efforts and dedication to protection of critical infrastructure.

Register here

ICSJWG   Banner

 

Resilience Week 2020, Salt Lake City, UT

Join us for the Resilience Week 2020 Symposium to discuss how private and public partners can work together to ensure a secure and reliable flow of energy across the nation.

R Res Week  Mobile

In The News

Untrusting the Grid

Power Grid International, March 9, 2020
Article by Sean McBride, an Industrial Cybersecurity Program Coordinator at Idaho State University and a jointly appointed faculty researcher at Idaho National Laboratory.

CCE Powergrid article

More Hard Hats for Security Engineering!

Subtitled: Automation Engineers, You Already Know Almost Everything You Need

Medium.com,  April 19, 2020
Article by Sarah Fluchs on S4x20 highlighting INL and its CCE work.

CCE medium article

Engineering Out the Cyber-Risk...

RSA Conference 2019
It is dawning on critical infrastructure operators that even the best cyber-hygiene—the sum total of all we now do in cybersecurity—cannot be counted on to keep well-resourced attackers from touching their most critical processes and the systems that support them. This talk will introduce a new approach that draws from engineering first principals to take the highest value targets off the table.

The End of Cybersecurity

Harvard Business Review May 31, 2018
Digital, connected systems now permeate virtually every sector of the U.S. economy, and the sophistication and activity of adversaries–most notably nation-states, criminal syndicates, and terrorist groups–has increased enormously.

HBR EndofCybersecurity

Multimedia

Consequence Based ICS Risk Management

SA4 January 2019
Dale talks with Andy Bochman about the Consequence-Driven, Cyber-Informed Engineering (CCE) and John Cusimano about CyberPHA’s and  lowering the maximum impact of a successful attack.

CCE: INL’s Approach to Securing Critical Industrial Infrastructure

Implementing consequence-driven Cybersecurity with continuous ICS monitoring & threat modeling.

CCE with Andy Bochman of INL

Dale Peterson podcasts with INL’s Andy Bochman to discuss INL’s Consequence-Driven, Cyber-Informed Engineering methodology (CCE) with emphasis on the often neglected consequence part of the risk equation.

Listen to the podcast:

Social Media

Twitter

The nation’s nuclear energy research laboratory.

Upcoming Events

ICS Joint Working Group - VIRTUAL JUNE 9-10

RESCHEDULED VIRTUALLY: We are pleased to let you know that our Virtual meeting is scheduled for June 9-10, 2020. Please share this  information with others who are interested in the ICSJWG and who wish to collaborate with us in our continuing information sharing efforts and dedication to protection of critical infrastructure.

Register here

ICSJWG   Banner

 

Resilience Week 2020, Salt Lake City, UT

Join us for the Resilience Week 2020 Symposium to discuss how private and public partners can work together to ensure a secure and reliable flow of energy across the nation.

R Res Week  Mobile

Sharing Actionable Resources

Papers

CCE FACT SHEET

Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector

CCE Mission Support Center Concept Paper

The Need for Cyber-informed Engineering Expertise for Nuclear Research Reactors

Training

ACCELERATE TRAINING

Contacts

The Team

CCE FACT SHEET

Consequence-driven-Cyber-informed-Engineering Fact Sheet

 

Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector

This paper seeks to illustrate the current cyber-physical landscape of the U.S. electric sector in the context of its vulnerabilities to cyber attacks, the likelihood of cyber attacks, and the impacts cyber events and threat actors can achieve on the power grid. In addition, this paper highlights utility perspectives, perceived challenges, and requests for assistance in addressing cyber threats to the electric sector.

 

cyber threat

CCE Mission Support Center Concept Paper

CCE participants are encouraged to work collaboratively with each other and with key U.S. Government (USG) contributors to establish a coalition, maximizing the positive effect of lessons-learned and further contributing to the protection of critical infrastructure and other national assets.

CCE

 

The Need for Cyber-informed Engineering Expertise for Nuclear Research Reactors

This paper examines the need for cyber-informed engineering practices that encompass the entire engineering life cycle. Cyber-informed engineering, as referenced in this paper, is the inclusion of cybersecurity into the engineering process. This paper addresses several attributes of this process and the long-term goal of developing additional cyber-safety basis analysis and trust principles. With a culture of free information-sharing exchanges, and potentially a lack of security expertise, new risk analysis and design methodologies need to be developed to address this rapidly evolving (cyber) threatscape.

need for cyber informed engineering

 

ACCELERATE TRAINING

This two-day course provides participants with a fundamental knowledge of the CCE methodology focused on securing the nation’s critical infrastructure systems. Participants should be critical infrastructure owners, operators, vendors, and manufacturers.

Training Flyer

To schedule training, please contact:
cce@inl.gov

 

Contacts

Cybercore Director

Scott Cramer

Phone: 208-526-2757

Email: scott.cramer@inl.gov


Deputy Director of Programs

Rob Helton

Phone: 208-526-6266

Email: robert.helton@inl.gov


Senior Grid Strategist

Andy Bochman

Phone: 781-962-6845

Email: andrew.bochman@inl.gov


CCE Program Manager

Rob Smith

Phone: 208-526-3881

Email: robert.smith@inl.gov


CCE Technical Advisor

Curtis St. Michel

Phone: 208-526-7064

Email: curtis.stmichel@inl.gov

Papers

CCE FACT SHEET

Cyber Threat and Vulnerability Analysis of the U.S. Electric Sector

This paper seeks to illustrate the current cyber-physical landscape of the U.S. electric sector in the context of its vulnerabilities to cyber attacks, the likelihood of cyber attacks, and the impacts cyber events and threat actors can achieve on the power grid. In addition, this paper highlights utility perspectives, perceived challenges, and requests for assistance in addressing cyber threats to the electric sector.

 

cyber threat

CCE Mission Support Center Concept Paper

CCE participants are encouraged to work collaboratively with each other and with key U.S. Government (USG) contributors to establish a coalition, maximizing the positive effect of lessons-learned and further contributing to the protection of critical infrastructure and other national assets.

CCE

 

The Need for Cyber-informed Engineering Expertise for Nuclear Research Reactors

This paper examines the need for cyber-informed engineering practices that encompass the entire engineering life cycle. Cyber-informed engineering, as referenced in this paper, is the inclusion of cybersecurity into the engineering process. This paper addresses several attributes of this process and the long-term goal of developing additional cyber-safety basis analysis and trust principles. With a culture of free information-sharing exchanges, and potentially a lack of security expertise, new risk analysis and design methodologies need to be developed to address this rapidly evolving (cyber) threatscape.

need for cyber informed engineering

 

Training

ACCELERATE TRAINING

This two-day course provides participants with a fundamental knowledge of the CCE methodology focused on securing the nation’s critical infrastructure systems. Participants should be critical infrastructure owners, operators, vendors, and manufacturers.

Training Flyer

To schedule training, please contact:
cce@inl.gov