Critical Function
Assurance
Optimizing Security Strategy and Activities
Modern life is enabled by complex and interdependent critical functions like energy, communications, transportation, food and water. Automation has significantly reduced or replaced human interactions in the delivery of these functions, resulting in a web of goods and services available only through intentional deployments of microprocessors, software and firmware technologies. Potential cyber-enabled sabotage of these processes disrupts traditional risk determination models. Critical Function Assurance (CFA) is a foundational approach to identifying, prioritizing, and mitigating the risk that is inherent in the delivery of critical functions that depend on digital technology.
For over 20 years, Idaho National Laboratory has focused on CFA and specifically the role industrial control systems and operational technology play in assuring critical functions and missions in the digital age.
CFA Focus and Overview
This paper provides rapid focus to what matters most and illuminates elements and areas of risk that are often overlooked. This focus enables effective application of available security resources and optimizes security strategy and policy efforts. It introduces CFA to decision-makers and risk executives (including CEOs, COOs, CFOs and CISOs) whose organizations support and deliver the critical functions that underpin national defense, societal health and safety, and a vibrant economy.
How CFA, CIE and CCE Work Together
INL championed the concept of Cyber-Informed Engineering (CIE) and created a robust and repeatable methodology to apply CIE principles, prioritized based on functional impact and operational understanding through Consequence-driven Cyber-informed Engineering (CCE).
The relationship can be simplified by thinking of CFA as the ‘Why,’ or the objective, and CIE as ‘What’ principles to think about in achieving the objective. CCE can be thought of as a repeatable process to apply elements of CFA and CIE to assure critical functions.