Securing Critical Infrastructure: The Role of Consequence-Driven Cyber-Informed Engineering
As utilities grapple with escalating threats—from extreme weather events and surging demand to increasingly frequent cyberattacks—the challenge of securing the systems that ensure water flows, lights stay on, and gas lines operate has become more intricate than ever. In response to these challenges, the Idaho National Laboratory (INL) has pioneered a methodology known as Consequence-Driven Cyber-Informed Engineering (CCE). This innovative approach aims to identify and protect the most essential physical operations by pinpointing digital vulnerabilities that, if exploited, could lead to significant real-world damage.
Understanding CCE: A New Paradigm in Cybersecurity
Micah Steffensen, the INL researcher leading the CCE program, emphasizes that this methodology resides at the intersection of digital technology and physical processes. While the approach has gained national relevance, it began with more modest ambitions. CCE operates on the premise that if a critical infrastructure system is targeted by a skilled hacker, it is likely to be breached. Therefore, the methodology adopts a "think like the adversary" approach, providing critical infrastructure owners, operators, vendors, and manufacturers with a structured framework to evaluate complex systems, identify what must be safeguarded, and apply proven engineering strategies to isolate and protect vital assets.
The Stepwise Process of CCE
The CCE methodology employs a systematic process for evaluating and safeguarding critical functions. It begins with consequence prioritization, focusing the risk management framework on identifying vital operations that must not fail and the attack scenarios that threaten them. This is followed by system of systems analysis, which gathers information and maps the interdependencies between critical processes, defense systems, and enabling components.
Next comes consequence-based targeting, where researchers determine the adversary’s likely path to achieve the highest impacts, including potential attack locations and the information required for a successful breach. Finally, the process culminates in implementing mitigations and protections that disrupt or eliminate digital attack pathways.
From Concept to Implementation: Real-World Applications
Initially, INL researchers struggled to articulate the unique hazards posed to critical infrastructure. Curtis St. Michel, a CCE technical advisor and co-creator of the methodology, noted that traditional cybersecurity language fell short in describing these risks. To advance the CCE concept, St. Michel and his team presented their findings to the Department of Energy (DOE) and the Department of Homeland Security (DHS), seeking funding and industry collaboration to demonstrate the methodology’s effectiveness.
Their first test case involved a partnership with Florida Power and Light. By simulating an adversary’s attack on their system, the team identified engineering solutions that could prevent a digital breach from propagating throughout the network, thereby limiting its overall impact. This successful trial fundamentally transformed how Florida Power and Light managed its digital systems.
Growing Support and Recognition
Since its inception, the CCE methodology has garnered robust support from both state and federal entities. The Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) now recognizes the value of CCE and provides ongoing funding to support its implementation. The program has surpassed $40 million in federal funding since 2018, enabling researchers to conduct over 35 comprehensive training and security engagements with top-tier U.S. utilities and defense installations.
Recently, INL collaborated with a major natural gas company to assess how a cyber adversary could disrupt gas flow, potentially impacting electricity production at natural gas-fired power plants. By analyzing thousands of miles of pipelines and digital equipment, the team narrowed the threat scope to a few compressor stations and digital assets that required enhanced security measures. This targeted approach allows companies to focus their security efforts on the most critical areas, mitigating the risk of catastrophic failures from cyberattacks.
Training and Capacity Building
The CCE methodology has proven invaluable for state officials as well. INL has offered its expertise through a series of CCE Accelerate training courses, enabling critical infrastructure owners and operators to learn from INL experts and implement advanced cyber protections at their facilities. Chris Volmer, cyber and infrastructure security manager for the Idaho Office of Emergency Management, highlighted the significant capability enhancement that the CCE methodology provides to public and private sector partners throughout Idaho.
INL’s collaboration with the DOE, DHS, and the Department of Defense has facilitated the deployment of the CCE methodology across both industry and government. The laboratory also offers specialized training to help organizations manage critical infrastructure through a self-guided approach. To date, CCE has been licensed to 11 commercial companies, expanding its reach and influence.
A Cultural Shift in Cybersecurity
St. Michel notes that the focus has shifted from merely fixing vulnerabilities to fundamentally changing the engineering culture surrounding critical infrastructure. Organizations are now encouraged to understand risk in a fundamentally different way, adapting to the evolving landscape of cyber threats.
As threats to national critical functions continue to evolve, defending these infrastructures remains a complex challenge. INL is actively building strategic partnerships across industry, government, and academia to further develop and adapt the CCE framework, making it a cornerstone of the nation’s cybersecurity defense strategy.
Conclusion
In light of a surge in cyberattacks targeting industrial control systems, manufacturers and utilities are increasingly turning to INL’s immersive training programs to bolster their defenses. Known for its innovative cyber escape rooms and hands-on simulations, INL has established itself as a global leader in preparing professionals to detect and disrupt threats to critical infrastructure. Through its partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), INL’s ICS 301 course trains participants to respond to real-world cyber incidents in high-stakes environments where safety and uptime are paramount.
As the landscape of cybersecurity continues to evolve, the CCE methodology stands as a vital tool in the ongoing effort to secure critical infrastructure against an array of emerging threats.