Our Critical Infrastructure Defense course incorporates the Consequence-driven Cyber-informed Engineering textbook by Bochman and Freeman of the Idaho National Laboratory.
I like the text because it pulls so many thoughts into a single resource. Bochman especially (and I am making assumptions about which concepts he principally wrote and which Freeman wrote) draws from leading reports and commentary that support the CCE approach. And there are some great quotes in there from dozens of sources (even including me!).
I also like the text because it lays out the CCE methodology — and what else could you expect?
CCE differs from other methodologies because it includes both the often-overlooked intelligence aspects of a cyber-operation against critical infrastructure and the engineering aspects of preventing a specific physical consequence.
On the other hand, I think the text missed an early opportunity to create its own language around the methodology.
One example is that the phase 4 language involves “protect”. In a podcast/video interview Dale Peterson did with the authors a year or so ago, Dale asked (and I paraphrase here) “why the focus on ‘protect’ when most of the industry has accepted that protection is a bound-to-fail approach?”
It seemed to me that the responses of Bochman and Freeman didn’t hit this head-on. The obvious answer is that when CCE talks protection it means preventing the selected physical consequence — literally engineering it off the table, rather than preventing a breach of a network asset (which is how the broad cybersecurity industry uses the term “protect”).
I give that example to point out that the choice of terminology could influence the clarity of the methodology and the confidence with which it is viewed. In this instance, I would prefer the official terminology refer directly to “cyber-physical fail-safes” instead of “protect”.
In the end, I am pleased that Bochman and Freeman along with the INL team and their government supporters put this out there for use – even if it’s not perfect yet! I am excited to see a variety of firms latching onto the concepts and implementing them in their own work. And I’m thankful to have the book and other publicly-available materials to teach students who will soon work for those firms.