How CCE brings changes to securing critical infrastructure
Consequence-driven Cyber-informed Engineering, or CCE, is an approach for safeguarding critical infrastructure systems. To put it briefly, CCE is about imagining the worst possible outcome of a cyber threat perpetrator, and then building a non-cyber or physical mitigation to lessen the possibility of a disaster occurring.
Developed by the Idaho National Laboratory (INL), CCE presents an alternative way to manage risk. Owners, operators, vendors, and manufacturers of critical infrastructure can use this technique to mimic the mindset of the threat to: analyse intricate systems; identify aspects requiring the fullest extent of protection possible; and use tried-and-tested engineering methods to separate and safeguard the most critical assets of a business
"The industrial sector is facing a barrage of cyber-attacks," Jayne Goble, Cyber Security Director, KPMG UK, says. "In fact, the manufacturing industry saw a 300% increase in worldwide cyber-attacks in 2020, according to NTT research. This sector is such an attractive target to cybercriminals because, with downtime costing money, the potential to extract ransom payments is high.
"It's been estimated that ransomware causes downtime of 21 days on average — the sort of interruption that no organisation can afford."
In order to avoid that incident from happening, this four-step process for safeguarding critical infrastructure operations provides critical infrastructure owners and operators with a 'think like the adversary'-style approach.
- Consequence Prioritisation: Select operations that cannot fail and attack scenarios that could bring them down with a clear focus on the risk management system.
- System-of-Systems Analysis: Rectifies the interdependencies and enabling or dependent components of critical processes and defensive systems by gathering data and making systematic observations.
- Consequence-Based Targeting: Defines the adversary's path to accomplish maximum impact effects, where they need to go to perform the attack, and what data is required to attain those aims.
- Mitigations and Protections: Disrupt or eliminate as many digital assault pathways as possible.
CCE vs traditional security systems
Current best practice techniques for cyber protection struggle to stop targeted attacks from resulting in catastrophic outcomes. From a national security standpoint, it is not just the harm to the military, the economy or critical infrastructure corporations that is a problem. It is the cumulative, downstream repercussions from potential regional blackouts, military mission kills, transit stoppages, water distribution or treatment challenges, and so on.
Organisations will be protected in ways that existing approaches cannot guarantee, using CCE to demonstrate the applicability of engineering first principles to the most pressing cybersecurity concerns. The most pressing threat is cyber-enabled sabotage, so CCE begins with the presumption that well-resourced, adaptive adversaries are already in and have, for some time, remained undiscovered and perhaps undetectable.
This design method incorporates such items as hard-wired controls ‒ a manual off or auto switch ‒ to be enabled for control in the absence of current automation or mechanical backstops that physically prohibit a compromised control system from damaging physical assets. The SCADA system may not be able to control well flushing valves if they are currently wired for PLC control.
Consequence-driven - INL guides executives and operational experts through a series of exercises to identify the most vital functions essential to completing their organisation's goal, while also analysing the potential effects of a cyberattack against these functions.
Cyber-informed - INL helps system operators discover vulnerable locations within critical systems using the CCE technique.
Engineering - INL then fully leverages an organisation's operational expertise, system understanding and process knowledge to neutralise cybersecurity threats.
Securing Operational Technology
As firms integrate new technology solutions into their cyber operations, their risk of exposure also increases. CCE extends beyond the usual areas of security by looking at an organisation's entire operation, securing the most vital elements while simultaneously securing the overall technology. These frameworks go beyond standard vulnerability evaluations, considering the potential impact an exploited vulnerability could have on an entire organisation's operations and procedures as a whole.
"Organisations within the sector are also a key target for attackers because they play a key role in the supply chains of other industries, including critical sectors such as defence and infrastructure," Goble added. "This adds to the need for the business to free themselves from the ransomware and resume operations."
Attention to success
Developing and collaborating across critical infrastructure sectors to identify the highest consequence operational systems provides a practical method for industry and government to invest against and prioritise threats to vital functions. Recently, INL concluded a successful CCE pilot project with a large utility. As admitted by the utility's own engineers, the process transformed their viewpoints, fundamentally affecting how they approach risk decisions.
"At an absolute minimum, ensuring security right across the ecosystem of suppliers, contractors and partners should be carried out to ensure a hacker cannot infiltrate the entire network simply by attacking one organisation in the supply chain," Goble says. "Furthermore, conducting annual security reviews of the supply chain will not be enough to maintain the security of an ecosystem."
Advancement in the future
The mission of protecting important national infrastructures, such as the electric power system, natural gas pipelines, chemical factories, and countless others, is difficult for any single institution to accomplish.
That is why INL is working alongside the Departments of Energy, Defence, and Homeland Security to form strategic collaborations with businesses and academics to expand and enhance the CCE methodology. Expert training programmes are presently being developed that will help better secure the most critical facilities in the United States and around the world.
"With the volume of threats only rising, a standard approach to cyber security will no longer suffice," Goble says. "At an absolute minimum, ensuring security right across the ecosystem of suppliers, contractors and partners should be carried out to ensure a hacker cannot infiltrate the entire network simply by attacking one organisation in the supply chain.
"Furthermore, conducting annual security reviews of the supply chain will not be enough to maintain the security of an ecosystem. Tools such as machine learning-enabled technology that can autonomously discover and block ransomware and other malicious threats should be used to lighten the load of the already-stretched security team."