Two cybersecurity researchers at Idaho National Laboratory have published a new book to help train employees at public utilities to recognize cybersecurity vulnerabilities and develop measures to defend their networks from increasingly sophisticated cyberattacks.
Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering, written by Andy Bochman and Sarah Freeman, details INL’s innovative approach to securing critical infrastructure systems like the electric power grid, oil and natural gas refineries and water treatment facilities. Developed in the pre-internet era, much of the technology responsible for controlling operations at many public utilities is often decades-old and lacks modern defense capabilities. This makes them vulnerable to cyberattacks ranging from ransomware threats to significant service disruptions.
To address this challenge, INL developed and pioneered a think-like-the-adversary cybersecurity approach called Consequence-driven Cyber-informed Engineering (CCE). The method acknowledges the fragility of internet-connected technology and services. Instead of relying on traditional protection strategies like intrusion detection software or additional firewalls, INL’s cybersecurity approach uses engineering design principles to prevent top tier cyberattackers from damaging or disrupting utilities’ most essential operations.
“Every day, millions of Americans depend on the seamless operation of our nation’s critical infrastructure systems. We take for granted how necessary energy, power, clean water and communications are for our daily lives,” said INL researcher and author Andy Bochman. “This book lays the groundwork for a new approach to cybersecurity that acknowledges the grim reality of targeted cyberattacks and teaches utilities how to engineer barriers that prevent nation-state hackers from completing their objectives.”
INL developed the CCE method over the last decade in consultation with leading government, industry and academic researchers. Beginning in 2018, Congress and the Department of Energy Office of Cybersecurity, Energy Security and Emergency Response provided INL with $20 million in funding to further develop the method. Additional support has come from the Department of Homeland Security and the Department of Defense.
The laboratory has used the funding to support hands-on security engagements with large utilities whose operations impact multiple states, millions of residents or other critical operations. During engagements, INL experts embed with utility operators for several months. They provide expert analysis and relay the latest threat information to help shift the culture, increase understanding about targeted cyberattacks on critical industrial processes and systems, and develop the most cost-effective mitigation and protection solutions. DOE funding also supports interactive classroom exercises and the development of training materials that allow small-and medium-sized utilities to implement their own cyber defense programs.
Last December, INL licensed the CCE method to West Yost, a California company that provides engineering services and training to many of the nation’s 50,000 water utilities. West Yost plans to offer CCE training to their customers to increase cybersecurity awareness and preparedness in the water sector. The laboratory is currently discussing licensing opportunities with other prospective partner organizations.
Published by Taylor and Francis Group, the book can be purchased online or through select retail outlets.
INL is a U.S. Department of Energy national laboratory that performs work in each of DOE’s strategic goal areas: energy, national security, science and environment. INL is the nation’s center for nuclear energy research and development. Day-to-day management and operation of the laboratory is the responsibility of Battelle Energy Alliance.