Harnessing power of CIE, CCE methodologies to build resilience across critical infrastructure se…

Industrial Cyber – Anna Ribeiro, Tony Turner, Ed Suhler, Sarah Freeman and Curtis St. Michel
Small organizations with limited resources and cybersecurity expertise can still benefit from implementing the Cyber-Informed Engineering (CIE) and Cyber-Consistent Engineering (CCE) frameworks.
The core concept of both CIE and CCE is Critical Functional Assurance (CFA), which prioritizes and addresses risk based on impact and identifies critical functions and the systems that impact them.
For smaller organizations, focusing on Phase 1 of CCE, which involves consequence prioritization, can be a good starting point.
By identifying the most critical functions and potential consequences, organizations can determine the most effective strategies for mitigating and protecting against disruptions.
This approach allows for a stepwise implementation of the CCE methodology, even if all four phases are not completed.
To make the CCE process more efficient for smaller organizations, it can be helpful to create OT (Operational Technology) site profiles based on critical infrastructure sector, site purpose, and critical functions.
This streamlines the process and shortens the timeframe to get started on CCE.
Additionally, leveraging existing knowledge about system vulnerabilities and potential consequences can save time in the assessment process.
Resources and support mechanisms are available to help organizations implement CIE and CCE.
The INL (Idaho National Laboratory) offers ACCELERATE training, which provides a self-guided approach to conducting CCE assessments.
INL also offers deep-dive training for more in-depth assessments.
The INL has licensed CCE to engineering practitioners, expanding its application in critical infrastructure.
The Cyber-Informed Engineering Implementation Guide, published in August 2023, provides specific questions and guidance for developing cyber-informed engineered resilience strategies.
Various resources and workshops are available to help organizations understand and implement CIE.
Partnerships with the private sector and academic institutions play a crucial role in promoting the adoption of CIE and CCE.
These partnerships enhance the resources and expertise available to organizations and help customize CIE and CCE approaches to specific needs.
Regular meetings and a community of practice (COP) contribute to the continuous development and implementation of CIE concepts.
Overall, while implementing CIE and CCE may require adaptation and tailoring to fit the specific needs of smaller organizations, these organizations can still derive value from the frameworks in improving cybersecurity and prioritizing critical functions.
Link: https://industrialcyber.co/threats-attacks/harnessing-power-of-cie-cce-methodologies-to-build-resilience-across-critical-infrastructure-sectors/

