OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Countering Cyber Sabotage: Introducing Consequence-Driven Cyber-Informed Engineering (CCE)

Book

Preface

The situation we find ourselves in today in the realm of cybersecurity is not much different from the one the software world was in around 1994, except that without a significant shift in strategy, the consequences for citizens and civilizations are likely to be much more dire. Prior to the release of the first edition of The Capability Maturity Model: Guidelines for Improving the Software Process by Carnegie Mellon’s Software Engineering Institute (SEI), just as the personal computer era was getting underway circa 1994, the world of software development was, to be generous, a complete goat rope. Scoping with any degree of precision or confidence for any semi-complex platform or application was impossible. Project success was the exception, not the norm. To put it another way, outside of the National Aeronautics and Space Agency (NASA) or certain organizations in the US Department of Defense (DoD), software development was about as far from an engineering discipline as one could possibly imagine. SEI’s authors sought to bring order to the chaos, and in so doing help software development teams, and the projects they undertook on behalf of all manner of end-user organizations, begin to gain a semblance of order, predictability and efficiency. While improvement has continued, a quarter century later and with very many lessons learned, pairing the word “engineering” with software development, as in “software engineering,” still strains the credulity of many. As the Acknowledgements section illustrates, this book has multiple champions, many contributors, and more than a few sources of inspiration. But one important factor shaping its construction was guidance from my boss at INL, Zach Tudor, to pattern it at least partly after SEI’s seminal work, which has shaped technology ever since. Sarah Freeman and I have attempted to do just that.
There are in fact a number of security maturity models, frameworks and standards, all intended to encourage behaviors that improve security posture and reduce the frequency or impact of successful attacks. Perhaps most relevant from the CCE perspective is the DOE’s Cybersecurity Capability Maturity Model, or C2M2, brought into being in the early 2010s by Samara Moore, Jason (J.D.) Christopher, and a slew of government and industry experts (and recently revised). Maturity models are helpful for bridging the gap between objective and subjective methods of performance measurement. And since no one has yet been able to define what a fully secure computer is, let alone a fully secure organization (or how we would recognize either if we saw one), gauging security by inference is what we have to settle for for now. C2M2, like the maturity model for software before it, is subjective: it doesn’t measure the actual strength of cyber defense. By inference we mean that what’s being measured is a cluster of observable behaviors which have been found to have some degree of efficacy in detecting and/or thwarting cyber attacks. However, due to the massive complexity of modern, highly networked digital systems, even an organization that is assessed to have achieved high levels of maturity across the board in its security program may find itself compromised, with sensitive data stolen or encrypted, or worse, with attacks that reach deep into the operational side of the house to disrupt industrial processes or destroy capital equipment with long lead times to replace. As was discussed five years ago in “The Case for Simplicity in Energy Infrastructure,” the levels of complexity and dependency we’ve now accepted have created a situation where current approaches to cyber defense are incapable of stopping well-resourced, targeted attackers from creating potentially catastrophic results.
Countering Cyber Sabotage introduces not a maturity model but a new methodology to help critical infrastructure owners, operators and their security practitioners defend their absolutely most important functions and processes against the most capable cyber adversaries. From a national security perspective, it is not just the damage to the military, the economy, or national critical functions that is of concern, but also the civilization-disrupting second- and third-order effects of prolonged regional blackouts, transportation stoppages, water and wastewater issues, etc. CCE uniquely begins with the assumption that well-resourced, adaptive adversaries have already taken up residence, performed extensive reconnaissance undetected, and are preparing their cyber-physical attack. Having captured credentials and elevated privileges, they are “living off the land” in target organizations’ networks and systems, including industrial control systems, and preparing to leverage functionality intended solely for trusted operators. Our most important infrastructure elements are designed and rigorously tested to be resilient in the face of equipment failure and operator mistakes, but at present

Research Organization:
Idaho National Laboratory (INL), Idaho Falls, ID (United States)
Sponsoring Organization:
USDOE Office of Environment, Health, Safety and Security (AU)
DOE Contract Number:
DE-AC07-05ID14517
OSTI ID:
1975258
Report Number(s):
INL/MIS-20-57769-Rev000
Country of Publication:
United States
Language:
English