Countering Cyber Sabotage
Introducing Consequence-Driven, Cyber-Informed Engineering (CCE)
Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering (CCE) introduces a new methodology to help critical infrastructure owners, operators and their security practitioners make demonstrable improvements in securing their most important functions and processes.
Current best practice approaches to cyber defense struggle to stop targeted attackers from creating potentially catastrophic results. From a national security perspective, it is not just the damage to the military, the economy, or essential critical infrastructure companies that is a concern. It is the cumulative, downstream effects from potential regional blackouts, military mission kills, transportation stoppages, water delivery or treatment issues, and so on. CCE is a validation that engineering first principles can be applied to the most important cybersecurity challenges and in so doing, protect organizations in ways current approaches do not. The most pressing threat is cyber-enabled sabotage, and CCE begins with the assumption that well-resourced, adaptive adversaries are already in and have been for some time, undetected and perhaps undetectable.
Chapter 1 recaps the current and near-future states of digital technologies in critical infrastructure and the implications of our near-total dependence on them. Chapters 2 and 3 describe the origins of the methodology and set the stage for the more in-depth examination that follows. Chapter 4 describes how to prepare for an engagement, and chapters 5-8 address each of the four phases. The CCE phase chapters take the reader on a more granular walkthrough of the methodology with examples from the field, phase objectives, and the steps to take in each phase. Concluding chapter 9 covers training options and looks towards a future where these concepts are scaled more broadly.
Table of Contents
Foreword by Michael J. Assante
Author Bio
1 Running to Stand Still and Still Falling Behind
2 Restoring Trust: Cyber-Informed Engineering
3 Beyond Hope and Hygiene: Introducing Consequence-Driven Cyber-Informed Engineering
4 Pre-engagement Preparation
5 Phase 1: Consequence Prioritization
6 Phase 2: System-of-Systems Analysis
7 Phase 3: Consequence-Based Targeting
8 Phase 4: Mitigations and Protections
9 CCE Futures: Training, Tools, and What Comes Next
Appendix A CCE Case Study: Baltavia Substation Power Outage
Appendix B CCE Phase Checklists
Andy Bochman is the Senior Grid Strategist for Idaho National Laboratory’s National and Homeland Security directorate. In this role, Mr. Bochman provides strategic guidance on topics at the intersection of grid security and resilience to INL leadership as well as senior US and international government and industry leaders. A frequent speaker, writer, and trainer, Mr. Bochman has provided analysis on electric grid and energy sector infrastructure security actions, standards, and gaps to the Department of Energy, Department of Defense, Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), National Institute of Standards and Technology (NIST), National Association of Regulatory Utility Commissioners (NARUC), the Electricity Subsector Coordinating Council (ESCC), and most of the US state utility commissions. Teaming with DOE, NARUC, USAID, and international partners, he has cyber-trained grid operators, and is a cybersecurity subject matter expert listed with the US State Department Speakers Bureau. Mr. Bochman has testified before the US Senate Energy and Natural Resources Committee on energy infrastructure cybersecurity issues and before FERC on the security readiness of smart grid cybersecurity standards. He has also held recurring conversations on grid security matters with the Senate Select Committee on Intelligence (SSCI) and the National Security Council (NSC). Prior to joining INL, he was the Global Energy & Utilities Security Lead at IBM and a Senior Advisor at the Chertoff Group in Washington, DC. Mr. Bochman earned a Bachelor of Science degree from the US Air Force Academy and a Master of Arts degree from the Harvard University Extension School.
Sarah Freeman is an Industrial Control Systems (ICS) cyber security analyst at Idaho National Laboratory (INL), where she provides US government partners and private sector entities with actionable cyber threat intelligence, developing innovative security solutions for the critical infrastructure within the US. At Idaho National Laboratory, Ms. Freeman pursues innovative threat analysis and cyber defense approaches, most recently Consequence-driven, Cyber-informed Engineering (CCE). As Principal Investigator on laboratory discretionary research, her current research is focused on new signatures and structured methods for cyber adversary characterization. Following the December 2015 electric grid attacks, Ms. Freeman participated in the DOE-sponsored training for Ukrainian asset owners in May 2016. She has also researched the Ukrainian 2015 and 2016 cyber-attacks and the Trisis/Hatman incident. Ms. Freeman earned a Bachelor of Arts from Grinnell College and a Master’s in Security and Intelligence Studies from the University of Pittsburgh.
"The coronavirus pandemic has demonstrated just how important digital networks are to Americans’ professional and personal lives–and hammered home the importance of preparing for worst-case scenario. The team at Idaho National Lab understands the stakes and have laid out steps we can take to protect our critical infrastructure from attacks. These clear-eyed, valuable insights should inform policymakers as we expand our efforts to increase America’s cyber capabilities."
—Angus S. King, Senator, I-Maine, and Co-Chairman of the Cyberspace Solarium Commission
"Defending the United States’ critical control systems is one of the most pressing national security challenges of our time. The Idaho National Lab is the unquestioned leader in critical infrastructure protection and Mr. Bochman and Ms. Freeman, key players in INL’s efforts, have captured the essence and detail of the lab’s philosophy in this timely book. INL’s consequence-driven cyber-informed engineering (CCE) approach of simplifying and isolating our most critical systems to limit paths to attack is the foundation of our national efforts to secure our control systems. Anyone looking to understand the future of cybersecurity and critical infrastructure protection should start right here."
—Senator Jim Risch, Chairman of the Senate Foreign Relations Committee and member of the Intelligence and Energy & Natural Resource Committees
"CCE-founder Mike Assante sparked my interest in cybersecurity more than a decade ago, and he helped me understand how we can better secure the operational technology underlying our daily lives. He was taken from us at far too young an age, but I am excited that his wisdom and philosophy of building security into engineering processes are captured in this book and will continue to aid our nation for years to come."
—Congressman Jim Langevin, U.S. Representative for Rhode Island's 2nd Congressional District
"This book is an invaluable resource for the electric power industry, its complex supply-chains, and those charged with better protecting all of it. At its core, CCE is really about keeping operations going no matter what adversary nations or hostile groups have up their sleeves. By protecting what matters most, this methodology is very good news for critical infrastructure organizations, for the continuity of the economy, and for the safety and security of our nation."
—Tom Fanning, CEO, Southern Co.
"Engineering software without cyber security is like launching space vehicles without shielding from radiation. Nonetheless, cyber insecurity abounds everywhere we look. This book, climaxing in a compelling hypothetical case study, shows how we can, and must, do better—much better."
—Richard Danzig, former Secretary of the Navy
"INL’s Countering Cyber Sabotage is the seminal and game-changing textbook of our time aimed at assuring the resiliency of our fragile Industrial Control Systems and Operational Technologies. This book marks ‘the beginning of the end’ of operators being overwhelmed by the vast potential cyber threats to our ICS and OT. Government, Military, Academia, and Private Sector can move out TODAY on implementing CCE based the proven processes described in this book. Colleges must incorporate this knowledge into every engineering program to prepare our future engineers. The work is also a wonderful tribute to Mike Assante and the entire INL team. Well Done!"
—Vice Admiral Janet Tighe, US Navy (Retired), Former Commander of Fleet Cyber Command
"INL is already well underway conducting and coordinating the most challenging ICS security work for the nation with DOE, DOD, DHS, and industry. And Andy and Sarah’s CCE book, as well as CCE engagement—completed, underway, and coming up—are the clearest evidence yet that the lab’s experts are a if not the leading force for improving cyber protection of the nation’s critical infrastructure."
—Paul Stockton, former Assistant Secretary of Defense for Mission Assurance
"As someone charged with improving critical infrastructure cybersecurity in the states of Colorado and California, the Department of Homeland Security, and the entire bulk power system at the North American Reliability Corporation, it’s impossible for me to adequately describe my friendship with Mike Assante, and perhaps more importantly, his role in my career. Mike was an indispensable voice post-9/11, evolving our national thinking on what needed protecting most, and then on how to move the country from glaring cyber vulnerabilities circa 2002. Following Stuxnet in 2010, and then to our much improved (if far from perfect) security posture in 2020, he was personally responsible for much of the progress our nation has made over the past 20 years. While Mike authored numerous influential articles and papers, Countering Cyber Sabotage captures his role in the development of the CCE methodology and the entirety of his vision that will enlighten everyone who reads it."
—Mark Weatherford, Chief Strategy Officer at the National Cybersecurity Center. Former Deputy Under Secretary for Cybersecurity at DHS and Chief Security Officer at NERC
"In a clear, concise, readable manner, Bochman and Freeman's new book explores how to build cyber resilience into the critical infrastructure upon which our country's prosperity and security depend. They deconstruct the dangers of a mindset where ‘hope’ and unverified trust remain central elements to cybersecurity and how to replace that faulty premise with a more logical and quantifiable process. Consequence-Driven Cyber-Informed Engineering (CCE), as explained in this book and operationalized in practice at Idaho National Lab, must become a key feature of cybersecurity if we are serious about countering cyber sabotage."
—Samantha F. Ravich, Ph.D., Commissioner, Cyber Solarium Commission and Chair of the Center for Cyber and Technology Innovation.
"A state of security is the absence of unmitigable surprise; hence the pinnacle goal of security design is no silent failure, but complexity obscures interdependence and, thereby, abets silent failure. Only first principles engineering grounded in simplicity can erase the structural advantage offense otherwise enjoys; AI algorithms only makes it worse—reducing workload when the workload is low and increasing it when the workload is high. Mike Assante knew all that, and more."
—Dan Geer, Senior Fellow at In-Q-Tel (& a security researcher with a quantitative bent)
"Bochman and Freeman have written an incredibly important book on a serious topic in a manner that is engaging and disarming to readers. It is required reading for consultants and engineers designing critical infrastructure. I also appreciate that time and effort the authors spent to bring the principles and ideas Mike Assante to light. He played an important role in my decision to join NERC through his transparent and diligent focus on uncovering facts that helped bring about regulatory certainty and clarity which were traits I attempted to emulate."
—Tobias Whitney, former Senior Manager of Critical Infrastructure Protection at the North American Electric Reliability Corporation (NERC).
"The massive pressure to increase automation of critical assets in water and other sectors suggests, driven by promises of optimization and cost savings, many are willing to also accept additional operational uncertainty. While the benefits are real, the downsides of this rapid transition are the potential loss of self-sufficiency and an increased dependency on ever more complex systems. CCE offers a means to more fully examine the cyber risk domain and enable owner/operators to ensure mission continuity. That is, after all, the expectation of the public served by the water sector, a national critical function and essential lifeline sector."
—Kevin Morley, PhD, The American Water and Wastewater Association (AWWA)
"This book goes to the heart of the international cybersecurity threat to design a defense for critical parts of the nation’s energy infrastructure that cannot be lost."
—Peter Behr, E&E News
"With Countering Cyber Sabotage, Bochman and Freeman masterfully present a brilliant new methodology for defending critical infrastructure against the next generation of cyber threats. As someone who is focused on thinking the unthinkable and bringing it to life through fiction, it is reassuring to know this book will become an essential resource for those protecting the nation's defense systems and critical infrastructure against future worst-case scenarios."
—August Cole, author of Ghost Fleet and Burn-In