I’ve been looking at various online articles and videos to decide if I should buy INL’s new Consequence-Driven, Cyber-Informed Engineering (CCE) book, just released this month. The book’s retail price is $79.95 ($63.96/kindle), which is a modest cost for a book. I’m always willing to spend that kind of money on a book that offers significant benefits, improves my knowledge base or provides some new insightful and innovative way to improve my existing processes. This started me down a research path to help me make this buying decision. Here is what I found.

There is a considerable amount of information online about INL’s CCE book, which helped me decide not to purchase the book. Dale Peterson’s interview with the books authors, Andy Bochman and Sarah Freeman proved most helpful in reaching this decision, but other articles were also considered.

The CCE methodology appears to be following traditional methods that you can find in the NAESB, NIST and NERC standards and guidelines already available, to implement a proper cyber risk management program. In this sense, there is really nothing new being offered by CCE. The authors emphasize the importance of assuming a bad outcome will occur in phase 1 of the CCE process, likelihood = 1 (to get the math right?), and then go through phases 2 and 3 to determine the feasibility of the top N most critical risks by applying a cyber kill chain approach. As Dale Peterson pointed out in the YouTube video, many parties “bake in” the feasibility test as part of identifying risks, as opposed to assuming that everything will “always blow up”, as phase 1 of CCE suggests. Phase 4 goes into mitigation processes. The authors stated during the online interview that phases 2, 3 and 4 apply traditional methods that already prescribed in other methods, e.g., NERC, NAESB and NIST guidelines and standards. Phase 1 is emphasized as the distinguishing factor of the CCE method which is manifested by always assigning a likelihood (probability) of 1 to every identified risk (to get the math right?), which means that all risks are equally likely to occur all the time, resulting in a consequence and impact.

People that have worked in the Energy industry for 20 years or more are already very familiar with the risks/threats/mitigations on cyber assets that are used in command and control of the electricity grid. The NERC standards, guidelines and lessons learned, combined with the excellent guidance provided by NIST, offers more detailed coverage of these topics than the CCE book appears to cover. I did not find the authors emphasis on likelihood=1 to be a convincing reason for me to buy the book. Remember, I didn’t buy the book so this information is based purely on the information I found when deciding if the book was worth buying.

I suspect that many people working in the Electric industry on grid reliability and cyber security that follow NAESB, NERC and NIST standards and guidelines will not find any real benefit from acquiring this book. However, if someone is new to the electric industry or looking to break into a cybersecurity position within the industry may find this book useful. In the end, I found myself agreeing with Dale Peterson’s conclusion:

“I believe the CCE program will be of most value to organizations that are new in their ICS security efforts and those that benefit from a CCE branded approach and documented rigor it provides. If you are well along on your ICS security program and focused mainly on security controls, then a true consequence reduction approach, like a Cyber PHA, is the way to go.”

There is very active online discussion taking place on LinkedIn regarding this article.

I’ll keep the $79.95 in my pocket for now. I welcome all comments and insights.