Consider the utility services that people use every day: light switches, water faucets and gas burners. The simple act of delivering electricity, water or gas to a home or business requires a cascade of invisible digital and physical processes, all functioning in tandem.
Today, utilities must contend with a range of challenges: surges in demand, adverse weather conditions and, increasingly, cyberattacks that disrupt critical operations.
To support utilities in the fight against cyber-enabled sabotage, the Idaho National Laboratory (INL) developed Consequence-driven Cyber-informed Engineering (CCE). The goal of this methodology is to identify the most essential processes and functions of critical infrastructure and then selectively reduce or eliminate the digital pathways vulnerable to cyberattack.
The methodology lives “at the nexus between digital technology and the physical processes,” said Micah Steffensen, an INL researcher who leads the CCE program. But this groundbreaking approach started much more modestly.
The seed of innovation: LDRD beginnings
CCE began as a Laboratory Directed Research and Development (LDRD) project in 2016 with $300,000 in seed funding from INL. For national laboratories, the LDRD program functions like an internal startup incubator to support innovative or exploratory research projects aligned with the strategic goals of the lab and the Department of Energy (DOE).
INL’s journey to better understand how to defend critical infrastructures from cyberthreats began in the late 1990s, said Curtis St. Michel, a CCE technical advisor and cocreator of the methodology. “This was more than a decade before most people even realized critical, societal functions could be targeted digitally,” he said.
After years of work to identify and close vulnerabilities in the nation’s critical energy infrastructure, it became clear to lab researchers that patching every vulnerability was an impossible task. What was really needed was an engineering solution — a physical backstop that would prevent or lessen the impacts of cyberattacks.
CCE: A new approach
CCE starts with the assumption that if a critical infrastructure system is targeted by a skilled and determined hacker, the targeted network can and will be penetrated. Therefore, CCE employs a “think like the adversary” approach. The approach provides critical infrastructure owners, operators, vendors and manufacturers with a disciplined methodology to evaluate complex systems, determine what must be safeguarded, and apply proven engineering strategies to isolate and protect the industry’s most critical assets.
The four-step process
CCE uses a four-step process for evaluating and protecting a critical function.
- Consequence prioritization: Focuses the risk management framework on selecting vital operations that must not fail and the associated attack scenarios that threaten them.
- System of systems analysis: Gathers information and identifies the systematic interdependencies between critical processes, defense systems and enabling or dependent components.
- Consequence-based targeting: Determines the adversary’s path to achieve the highest impacts, where they would conduct the attack and what information they would require.
- Mitigations and protections: Removes or disrupts the digital attack paths.
Backyard origins and early successes
When INL researchers started studying threats to critical infrastructure, they didn’t know how to describe the hazards. “We used traditional cybersecurity language at first, but the risks are very different,” said St. Michel. “And on the engineering side, the closest thing we had as a reference point was safety culture.”
To help advance the notional CCE concept, St. Michel and his team presented the methodology to the DOE and the Department of Homeland Security, hoping to secure more funding. The agencies encouraged the researchers to work with an industry partner to demonstrate the research’s effectiveness.
For its first test case, INL teamed up with Florida Power and Light.
“We targeted their system like an adversary would,” said St. Michel. “But then, we also identified engineering solutions that could be put into place that would stop a digital attack from propagating through the entire network, limiting its overall effectiveness.”
The trial was a success and fundamentally changed how Florida Power and Light operated its digital systems.
From concept to state and federal support
Today, with cyberthreats against critical infrastructure growing, the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response recognizes the CCE methodology’s impact and supports it annually with federal funding. Through ongoing support, CCE has grown into a successful, multi-year program surpassing $40 million in federal funding since 2018. More importantly, researchers have conducted more than 35 comprehensive training and security engagements with top-tier U.S. utilities and defense installations, ensuring those services can withstand even the most forceful cyberattacks.
Recently, INL collaborated with a major natural gas company to understand how a cyber adversary could disrupt gas flow enough to affect electricity production at natural gas-fired power plants. The team analyzed thousands of miles of pipelines and digital equipment, narrowing the scope of the threat to a handful of compressor stations and digital assets that needed to be better secured. “That means the company can focus their security efforts on the most salient areas to protect and mitigate the potential of catastrophic failure from cyberattacks,” said Steffensen.
CCE has also been valuable for state officials. On several occasions, INL has offered its expert instructors to lead training on the methodology. A series of CCE Accelerate training courses has enabled critical infrastructure owners and operators to learn from INL experts and then implement advanced cyber protections at their plants and facilities.
“After members of our senior leadership team were invited to attend the (Accelerate) course in Idaho Falls, we recognized the value that the CCE methodology could provide to our state, local and tribal critical infrastructure operators throughout Idaho,” said Chris Volmer, cyber and infrastructure security manager for the Idaho Office of Emergency Management. “Making Accelerate available to more of our public and private sector partners significantly increases capability across the board and has greatly enhanced our efforts as Idaho continues driving forward on whole-of-state cybersecurity initiatives.”
A growing threat and a culture shift
Today, INL works alongside DOE, the Department of Homeland Security and the Department of Defense to deploy the methodology across industry and government, while also offering expert training sessions to help companies in the United States and around the world manage their critical infrastructure with a self-guided approach. CCE has been licensed to 11 commercial companies, further increasing its reach and impact.
“Today, we’re not trying to just fix vulnerabilities we find,” said St. Michel. “We are changing the engineering culture for critical infrastructure, so they understand risk in a fundamentally different way.”
Although threats to national critical functions come from many sources, defending these vital infrastructures is a challenging task for any organization. INL is working to form strategic partnerships with industry, government and academia to expand and evolve the CCE methodology.
From its LDRD beginnings, CCE has become a cornerstone in the nation’s cybersecurity defense strategy.
