As utilities face mounting threats, from extreme weather and surging demand to increasingly frequent cyberattacks, securing the systems that keep water flowing, lights on, and gas lines running has become more complex than ever. To help protect these critical services, the Idaho National Laboratory (INL) has developed a methodology known as consequence-driven cyber-informed engineering, or CCE. Designed to pinpoint and protect the most essential physical operations, CCE works by identifying digital weak points that, if exploited, could cause the greatest real-world damage, and then strategically reducing or removing those attack pathways.
“The methodology lives at the nexus between digital technology and the physical processes,” Micah Steffensen, the INL researcher leading the CCE program, said in a recent statement. Despite its national relevance today, the approach began with far more modest ambitions.
CCE starts with the assumption that if a critical infrastructure system is targeted by a skilled and determined hacker, the targeted network can and will be penetrated. Therefore, CCE employs a ‘think like the adversary’ approach. The approach provides critical infrastructure owners, operators, vendors, and manufacturers with a disciplined methodology to evaluate complex systems, determine what must be safeguarded, and apply proven engineering strategies to isolate and protect critical assets.
CCE uses a stepwise process for evaluating and protecting a critical function. It begins with consequence prioritization, which focuses the risk management framework on selecting vital operations that must not fail and identifying the attack scenarios that threaten them.
This is followed by system of systems analysis, which gathers information and maps the interdependencies between critical processes, defense systems, and enabling or dependent components. Next is consequence-based targeting, which determines the adversary’s likely path to achieve the highest impacts, including where they would conduct the attack and what information they would require. Finally, the process implements mitigations and protections that remove or disrupt digital attack paths.
When INL researchers started studying threats to critical infrastructure, they didn’t know how to describe the hazards. “We used traditional cybersecurity language at first, but the risks are very different,” Curtis St. Michel, a CCE technical advisor and cocreator of the methodology, said. “And on the engineering side, the closest thing we had as a reference point was safety culture.”
To help advance the notional CCE concept, St. Michel and his team presented the methodology to the DOE and the Department of Homeland Security, hoping to secure more funding. The agencies encouraged the researchers to work with an industry partner to demonstrate the research’s effectiveness.
For its first test case, INL teamed up with Florida Power and Light.
“We targeted their system like an adversary would,” said St. Michel. “But then, we also identified engineering solutions that could be put into place that would stop a digital attack from propagating through the entire network, limiting its overall effectiveness.”
The trial was a success and fundamentally changed how Florida Power and Light operated its digital systems.
From early concept to widespread adoption, the INL’s CCE methodology has gained strong state and federal backing. As cyberthreats to critical infrastructure intensify, the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER) now recognizes CCE’s value and provides ongoing annual funding to support its use.
Through ongoing support, CCE has grown into a successful, multi-year program surpassing US$40 million in federal funding since 2018. More importantly, researchers have conducted more than 35 comprehensive training and security engagements with top-tier U.S. utilities and defense installations, ensuring those services can withstand even the most forceful cyberattacks.
Recently, INL collaborated with a major natural gas company to understand how a cyber adversary could disrupt gas flow enough to affect electricity production at natural gas-fired power plants. The team analyzed thousands of miles of pipelines and digital equipment, narrowing the scope of the threat to a handful of compressor stations and digital assets that needed to be better secured.
“That means the company can focus their security efforts on the most salient areas to protect and mitigate the potential of catastrophic failure from cyberattacks,” said Steffensen.
CCE has also been valuable for state officials. On several occasions, INL has offered its expert instructors to lead training on the methodology. A series of CCE Accelerate training courses has enabled critical infrastructure owners and operators to learn from INL experts and then implement advanced cyber protections at their plants and facilities.
“After members of our senior leadership team were invited to attend the (Accelerate) course in Idaho Falls, we recognized the value that the CCE methodology could provide to our state, local and tribal critical infrastructure operators throughout Idaho,” said Chris Volmer, cyber and infrastructure security manager for the Idaho Office of Emergency Management. “Making Accelerate available to more of our public and private sector partners significantly increases capability across the board and has greatly enhanced our efforts as Idaho continues driving forward on whole-of-state cybersecurity initiatives.”
INL now works closely with the Department of Energy, the Department of Homeland Security, and the Department of Defense to deploy the CCE methodology across both industry and government. It also offers specialized training to help organizations, domestically and globally, manage critical infrastructure through a self-guided approach. So far, CCE has been licensed to 11 commercial companies, expanding its adoption and influence.
“Today, we’re not just fixing vulnerabilities we find,” said St. Michel. “We’re changing the engineering culture of critical infrastructure so that organizations understand risk in a fundamentally different way.”
While threats to national critical functions continue to evolve, defending these infrastructures remains a complex challenge. To keep pace, INL is building strategic partnerships across industry, government, and academia to further develop and adapt the CCE framework. Thus, making the CCE project a key element of the nation’s cybersecurity defense strategy.
Earlier this month, amid a surge in cyberattacks targeting industrial control systems (ICS), manufacturers and utilities began turning to the INL’s immersive training programs to strengthen their defenses. Known for its cyber escape rooms and hands-on simulations, INL has emerged as a global leader in preparing professionals to detect and disrupt threats to critical infrastructure.
In partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), INL’s ICS 301 course trains participants to respond to real-world cyber incidents in high-stakes environments where safety and uptime are non-negotiable.
