When critical functions like energy transmission and delivery are too important for the safety and security of our nation to fail, these systems take every precaution to defensively prevent cyberattacks from happening. It begins by thinking like the adversary to understand what aspect of the system is most vulnerable, how can the system be compromised, and what information can be taken. Then, a rigorous process called Consequence-driven Cyber-informed Engineering (CCE) can be applied to address vulnerabilities and safeguard the system operations.
Funded by the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER), the CCE program at the Idaho National Laboratory (INL) supports critical energy stakeholders with organizational assessments, trainings, and tools that help to implement CCE principles. INL researchers work with owners, operators, vendors, and manufacturers to explore the entire critical function delivery life cycle – from production to transmission – to understand how adversaries could interrupt operations and design engineering solutions to protect them.
CCE principles can be applied to any infrastructure system across multiple sectors, such as electric power grids, natural gas pipelines, and chemical plants. Critical infrastructure stakeholders trained in CCE principles learn the following four-step process for implementation:
Consequence prioritization identifies High Consequence Events (HCEs) achievable through cyber means that could significantly inhibit an organization’s ability to provide a critical function.
System of system analysis focuses on gathering the system and organizational information necessary to break down and decompose the HCE(s) identified in Phase 1.
Consequence-based targeting is at the core of the aggressor mindset; it determines an adversary’s path to achieve the highest impact effects, where they need to be to conduct the attack, and what information is required to achieve those goals.
Mitigations and protections evaluate potential mitigations intended to remove the possibility or lessen the impact of the HCE.
Due to interest in organizational adoption of CCE, INL partners with DOE, the Department of Defense, the Department of Homeland Security, and academic institutions to evolve the CCE methodology and adapt training programs to the everchanging cyber threats across the sector. Examining high-consequence events using the structured CCE approach can effectively help assure organization critical functions, thereby improving the security of the nation’s critical infrastructure.
Learn to Apply CCE
INL offers trainings for critical infrastructure companies to conduct their own CCE efforts. These ACCELERATE trainings provide 16 hours of FREE in-person instruction to understand the CCE methodology, guide trainees through the process steps, and use case studies to apply the methods. Asset and system operators, control systems engineers, process experts, cybersecurity analysts, and emergency management system support are among the many professionals that benefit from attending. Registration is open for the upcoming trainings:
For more information about other energy security exercises and trainings from CESER, click here.