’15CFAM’ is More than FUN with Consequence-driven Cyber-informed Engineering (CCE)

Welcome to week two of ‘15 Cybersecurity Fundamentals Awareness Month’ (15CFAM), as WaterISAC continues its tribute to National Cybersecurity Awareness Month (NCSAM). Today we briefly touch on less of a fundamental and more of a slightly advanced topic called Consequence-driven Cyber-informed Engineering (CCE), which comes in at #6 (Install Independent Cyber-Physical Safety Systems) in the 15 Cybersecurity Fundamentals for Water and Wastewater Utilities. Admittedly, not a lot has been discussed on this topic, but the experts at Idaho National Laboratory (INL) have done a lot of work and are the foremost authorities on the concept. Essentially, the CCE methodology aims to secure the nation’s critical infrastructure by limiting physical damage from skilled adversaries focused on sabotage. By applying CCE concepts, utilities engineer physical solutions to protect against the impact of cyber-sabotage resulting in a high-consequence event. Likewise, CCE solutions could also prove valuable for protecting against unintentional cyber incidents, like a sensor failure. For example, the dangerous overdosing of treatment chemicals can occur due to a cyber attack or a component failure. A potential CCE solution would be to carefully select a pump size that would significantly reduce the likelihood of an overdose.

If you can imagine a worst-case cyber threat scenario that could cause physical damage to Industrial Control System (ICS) equipment, so will the bad guys. By installing solutions to limit physical damage that could occur due to a cyber attack (or even an unintentional cyber incident/device failure), asset owners can significantly reduce the impact posed by dangerous conditions such as excessive levels of pressure or chemical additions. For more on the CCE methodology, including the four-step process, case studies, and a presentation overview, members are encouraged to visit the CCE page at INL.

While CCE could be construed as the ultimate in vulnerability management, check out the next Security & Resilience Update for a more holistic discussion on embracing vulnerability management programs.