Do I buy the Idaho National Lab’s new CCE book, or not?

I’ve been looking at various online articles and videos to decide whether I should buy INL’s new Consequence-Driven, Cyber-Informed Engineering (CCE) book, just released this month. The book’s retail price is $79.95 ($63.96 for Kindle), which is a modest cost for a book. I’m always willing to spend that kind of money on a book that offers significant benefits, improves my knowledge base or provides some new, insightful and innovative way to improve my existing processes. This started me down a research path to help me make this buying decision. Here is what I found.
There is a considerable amount of information online about INL’s CCE book, which helped me decide not to purchase it. Dale Peterson’s interview with the book’s authors, Andy Bochman and Sarah Freeman, proved most helpful in reaching this decision, but other articles were also considered.
The CCE methodology appears to follow traditional methods that you can already find in the NAESB, NIST and NERC standards and guidelines for implementing a proper cyber risk management program. In this sense, there is really nothing new being offered by CCE. The authors emphasize the importance of assuming a bad outcome will occur in phase 1 of the CCE process, likelihood = 1 (to get the math right?), and then going through phases 2 and 3 to determine the feasibility of the top N most critical risks by applying a cyber kill chain approach. As Dale Peterson pointed out in the YouTube video, many parties “bake in” the feasibility test as part of identifying risks, as opposed to assuming that everything will “always blow up”, as phase 1 of CCE suggests. Phase 4 goes into mitigation processes. The authors stated during the online interview that phases 2, 3 and 4 apply traditional methods that are already prescribed elsewhere, e.g., in the NERC, NAESB and NIST guidelines and standards. Phase 1 is emphasized as the distinguishing factor of the CCE method, manifested by always assigning a likelihood (probability) of 1 to every identified risk (to get the math right?), which means that all risks are treated as equally likely to occur all the time, each resulting in a consequence and impact.
People who have worked in the energy industry for 20 years or more are already very familiar with the risks, threats and mitigations for the cyber assets used in command and control of the electricity grid. The NERC standards, guidelines and lessons learned, combined with the excellent guidance provided by NIST, offer more detailed coverage of these topics than the CCE book appears to. I did not find the authors’ emphasis on likelihood = 1 to be a convincing reason for me to buy the book. Remember, I didn’t buy the book, so this assessment is based purely on the information I found when deciding whether the book was worth buying.
I suspect that many people working in the electric industry on grid reliability and cyber security who follow the NAESB, NERC and NIST standards and guidelines will not find any real benefit in acquiring this book. However, someone who is new to the electric industry, or looking to break into a cybersecurity position within the industry, may find this book useful. In the end, I found myself agreeing with Dale Peterson’s conclusion:
“I believe the CCE program will be of most value to organizations that are new in their ICS security efforts and those that benefit from a CCE branded approach and documented rigor it provides. If you are well along on your ICS security program and focused mainly on security controls, then a true consequence reduction approach, like a Cyber PHA, is the way to go.”
There is very active online discussion taking place on LinkedIn regarding this article.
I’ll keep the $79.95 in my pocket for now. I welcome all comments and insights.