One of the neat things we have done in our Critical Infrastructure Defense class is incorporate the CCE methodology. The training materials created by the INL focus on two fictitious scenarios: Stinky Cheese — a Montana-based diary operation, and Baltavia — based roughly on the Ukraine power outages.
The materials allow learners to have some hand-holding with Stinky Cheese, and then a bit more freedom with Baltavia. I think it was a nice approach.
The next step, of course, is for participants to carry out the methodology on real systems. Our students don’t have that quite yet (they are students). So we have come up with set of 16 applied learning activities, as can be seen in the table below. These are in various stages of completion.
CCE Phase | Activity |
1 | Build critical infrastructure sector taxonomy and infographic |
1 | Identify high consequence event (HCE) for chosen sector |
2 | Conduct notional system of systems analysis (SOSA) for chosen HCE with real artifacts |
2 | Conduct SOSA & system description for heat exchanger skid (perfect knowledge) |
3 | Break down and document PLC components |
3 | Create targeting portfolio for HCE |
3 | Develop initial Concept of Operations to cause HCE |
3 | Conduct Process Hazards Assessment for heat exchanger skid |
3 | Conduct hackability analysis for heat exchanger skid |
4 | Identify fail-safe for heat exchanger skid |
3 | Conduct Process Hazards Assessment for flow control trainers |
4 | Conduct hackability analysis for flow control trainers |
4 | Identify fail-safes for flow control trainers |
4 | Describe feasibility of recommended fail-safe for flow control trainer |
4 | Implement non-hackable fail-safe for flow control trainer |
4 | Describe an early warning system for identified HCE |
I feel like CCE is a little light on both phase 3 and phase 4. Phase 3 probably because there is concern about teaching attack-related concepts, and Phase 4 because, well, I don’t know why. But, you can see that those are the areas on which we are really trying to focus.
For the activities in phase 3 and 4, we are supplementing with the ISA Security PHA methodology and book. Maybe I’ll discuss that another day!