Do I buy the Idaho National Lab’s new CCE book, or not?

Richard Brooks, Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software and SAGScore™...

Feb 7, 2021

I’ve been looking at various online articles and videos to decide if I should buy INL’s new Consequence-Driven, Cyber-Informed Engineering (CCE) book, just released this month. The book’s retail price is $79.95 ($63.96 for the Kindle edition), which is a modest cost for a book. I’m always willing to spend that kind of money on a book that offers significant benefits, improves my knowledge base or provides some new, insightful and innovative way to improve my existing processes. This started me down a research path to help me make this buying decision. Here is what I found.

There is a considerable amount of information online about INL’s CCE book, which helped me decide not to purchase the book. Dale Peterson’s interview with the book’s authors, Andy Bochman and Sarah Freeman, proved most helpful in reaching this decision, but other articles were also considered.

The CCE methodology appears to follow traditional methods that you can already find in the NAESB, NIST and NERC standards and guidelines for implementing a proper cyber risk management program. In this sense, there is really nothing new being offered by CCE. The authors emphasize the importance of assuming a bad outcome will occur in phase 1 of the CCE process, likelihood = 1 (to get the math right?), and then going through phases 2 and 3 to determine the feasibility of the top N most critical risks by applying a cyber kill chain approach. As Dale Peterson pointed out in the YouTube video, many parties “bake in” the feasibility test as part of identifying risks, as opposed to assuming that everything will “always blow up”, as phase 1 of CCE suggests. Phase 4 goes into mitigation processes. The authors stated during the online interview that phases 2, 3 and 4 apply traditional methods that are already prescribed in other methods, e.g., NERC, NAESB and NIST guidelines and standards. Phase 1 is emphasized as the distinguishing factor of the CCE method, which is manifested by always assigning a likelihood (probability) of 1 to every identified risk (to get the math right?), which means that all risks are equally likely to occur all the time, resulting in a consequence and impact.

People who have worked in the Energy industry for 20 years or more are already very familiar with the risks/threats/mitigations on cyber assets that are used in command and control of the electricity grid. The NERC standards, guidelines and lessons learned, combined with the excellent guidance provided by NIST, offer more detailed coverage of these topics than the CCE book appears to cover. I did not find the authors’ emphasis on likelihood = 1 to be a convincing reason for me to buy the book. Remember, I didn’t buy the book, so this information is based purely on the information I found when deciding if the book was worth buying.

I suspect that many people working in the Electric industry on grid reliability and cyber security who follow NAESB, NERC and NIST standards and guidelines will not find any real benefit from acquiring this book. However, someone who is new to the electric industry, or looking to break into a cybersecurity position within the industry, may find this book useful. In the end, I found myself agreeing with Dale Peterson’s conclusion:

“I believe the CCE program will be of most value to organizations that are new in their ICS security efforts and those that benefit from a CCE branded approach and documented rigor it provides. If you are well along on your ICS security program and focused mainly on security controls, then a true consequence reduction approach, like a Cyber PHA, is the way to go.”

There is very active online discussion taking place on LinkedIn regarding this article.

I’ll keep the $79.95 in my pocket for now. I welcome all comments and insights.

Discussions
Matt Chester on Feb 8, 2021

People who have worked in the Energy industry for 20 years or more are already very familiar with the risks/threats/mitigations on cyber assets that are used in command and control of the electricity grid. The NERC CIP standards, guidelines and lessons learned, combined with the excellent guidance provided by NIST, offer more detailed coverage of these topics than the CCE book appears to cover.

I would also imagine there's somewhat of a limited lifespan of certain topics in this space to be put in a book, given how fast-changing some aspects could be? 

Richard Brooks on Feb 8, 2021

You make an excellent point, Matt. Discussions are underway on approaches to "speed up" cybersecurity standards and guidelines development to keep up with adversary advances.

Richard Brooks on Feb 14, 2021

UPDATE 2/14/2021: I was contacted by Robert Smith of INL via LinkedIn, pointing out some characteristics of CCE that may make it worth reconsidering my decision. Here is Robert’s expanded description of CCE, sent via LinkedIn, and my response reconsidering my decision based on his updated description.

We have enough dragons to slay to protect the electric grid from bad guys, so any improvement in cyber protections, especially with the software supply chain, should be given top priority. It helps when we all work together, respectfully, to keep our grid safe.

Never trust software, always verify and report!
