Countering Cyber Sabotage with INL’s Consequence-driven Cyber-informed Engineering (CCE)

Abstract:

The type of sabotage that prompted the development of the CCE methodology, and against which a forthcoming book seeks to introduce practical protections, is most accurately called cyber-enabled sabotage. However, the editors have chosen to reduce the term to cyber sabotage as the title simply couldn’t bear another hyphen. But no matter how it’s phrased, improving one’s posture vs. the 5 D’s of cyber sabotage – disrupt, deny, degrade, destroy, or deceive – must become a central element of all critical infrastructure organizations’ cyber security programs from now on.

In the 21st century global economy, including during a pandemic, it is virtually impossible to build anything more complex than a power drill in one place with high confidence that none of its constituent parts has been touched or modified by a 3rd party. In fact, even a drill may be corrupted if the machines used to fabricate it include software. If they do, and in fact they probably do, tools coming off that assembly line could be altered in ways their owners wouldn’t like one bit. Extrapolate this to the types of systems that make and manage electricity, deliver clean water, run manufacturing plants assembling cars and mixing chemicals, and you see where this is leading with our current approaches to cybersecurity. This I3P brief will present the beginnings of a better way.