Consequence-driven Cyber-informed Engineering (CCE) is a methodology put forward by the US Department of Energy that aims to help energy sector entities that are critical infrastructure avoid the worst consequences, or impacts, of cyber attacks. Or that is my quick sum-up of it anyway.
I spent some years working at an energy sector entity that is considered critical infrastructure. Being even a tiny cog in the enormous wheel of that space was equal parts daunting, energizing, and challenging in the best of ways. CCE was and is one of the most fascinating things I had the opportunity to learn about. In this post I’m going to offer a very quick summary of my own biggest takeaways about it, based on the ‘Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering (CCE)’ book that introduces it, the thoughts on it of Industrial Control System (ICS) security experts like Dale Peterson, and my own brainstorming on how elements of this could be incorporated into cyber risk assessments.
I am certain that my thoughts here will not even begin to do justice to the CCE methodology. I hope, though, that it may serve as just a little taster of CCE that might provoke a desire to learn more about it - and I’ll share some suggested links below to pursue that further learning. With that said, here is my quick outline of the core principles of CCE:
Prepare to be compromised
Focus on the impact (consequences) side of the likelihood and impact components of risk assessment - based on the premise that, given the level of adversary group that targets critical infrastructure entities, the likelihood of success/compromise is 100 percent.
Recognize that we can't engineer out all the risk in really complex systems
Identify ‘crown jewels’ - the systems, functions, and/or processes that must not fail. They must not fail because, if they do, the financial, operational, and reputational impact will be beyond significant and difficult to recover from. Even worse, impact to the availability of critical services and/or the safety of staff and the general public may have terrible consequences.
Go deeper and identify critical dependencies for the crown jewel systems, functions, and/or processes
Flesh out the worst case scenarios for the identified systems, functions, and/or processes - and how a cyber (or digital) attack could cause those
Identify physical controls that can prevent the digital attack from causing that level of impact, that can stop those attacks in their tracks
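One way to carry the outline above into a risk-assessment worksheet, as an added example that is not taken from the book or from the CCE methodology itself: likelihood is fixed at 100 percent, scenarios are ranked purely by consequence, dependencies are traced transitively, and any worst case protected only by digital controls is flagged. All system names, scores, and the 1-5 consequence scale are constructed for illustration.

```python
from dataclasses import dataclass

LIKELIHOOD = 1.0  # the outline's premise: assume the compromise succeeds

@dataclass
class Scenario:
    crown_jewel: str
    worst_case: str
    consequence: int   # 1 (minor) .. 5 (catastrophic); constructed scale
    controls: dict     # control name -> "digital" or "physical"

def critical_dependencies(jewel, depends_on):
    """Everything the crown jewel transitively relies on (cycle-safe)."""
    seen, stack = set(), [jewel]
    while stack:
        for dep in depends_on.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    seen.discard(jewel)
    return seen

def rank(scenarios):
    """With likelihood fixed, risk ordering is consequence ordering."""
    return sorted(scenarios, key=lambda s: LIKELIHOOD * s.consequence, reverse=True)

def physical_gaps(scenarios):
    """Crown jewels, worst first, whose worst case has no physical control."""
    return [s.crown_jewel for s in rank(scenarios)
            if "physical" not in s.controls.values()]

# Constructed sample data, not from any real facility.
DEPENDS_ON = {
    "boiler feedwater control": ["plant PLC", "operator HMI"],
    "plant PLC": ["engineering workstation"],
    "engineering workstation": ["vendor remote access", "plant PLC"],  # loop
}
SCENARIOS = [
    Scenario("customer billing", "invoices unavailable for a week", 2,
             {"offline backups": "digital"}),
    Scenario("boiler feedwater control", "overpressure damages the boiler", 5,
             {"network segmentation": "digital", "mechanical relief valve": "physical"}),
    Scenario("substation breaker control", "loss of supply to a district", 4,
             {"multi-factor login": "digital"}),
]

if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(s.consequence, s.crown_jewel, sorted(critical_dependencies(s.crown_jewel, DEPENDS_ON)))
    print("No physical backstop:", physical_gaps(SCENARIOS))
```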
As promised, here are some links that can provide a wealth of better information and thoughts on CCE than my quick effort above:
The ‘Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering (CCE)’ book
Well done, Patrick! A very good summary!