Idaho National Lab researchers publish book on cybersecurity for public utilities

Published on February 04, 2021 by Dave Kovaleski

© Shutterstock

Two cybersecurity researchers at Idaho National Laboratory (INL) have authored a book to help train employees at public utilities to recognize cybersecurity vulnerabilities and develop measures to defend their networks from cyberattacks.

The book — Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering – was written by Andy Bochman and Sarah Freeman. It details INL’s innovative approach to secure critical infrastructure systems like the electric power grid, oil and natural gas refineries, and water treatment facilities.

The authors point out that much of the technology responsible for controlling operations at many public utilities is decades-old and lacks modern defense capabilities. This makes them vulnerable to cyberattacks ranging from ransomware threats to significant service disruptions.

INL developed an approach to cybersecurity called Consequence-driven Cyber-informed Engineering (CCE) to address this challenge. Instead of relying on traditional protection strategies like intrusion detection software or additional firewalls, INL’s cybersecurity approach uses engineering design principles to prevent cyberattackers from damaging or disrupting operations.

“Every day, millions of Americans depend on the seamless operation of our nation’s critical infrastructure systems. We take for granted how necessary energy, power, clean water, and communications are for our daily lives,” Bochman, a researcher at INL, said. “This book lays the groundwork for a new approach to cybersecurity that acknowledges the grim reality of targeted cyberattacks and teaches utilities how to engineer barriers that prevent nation-state hackers from completing their objectives.”

INL developed the CCE method over the last decade in consultation with leading government, industry, and academic researchers. In 2018, the Department of Energy Office of Cybersecurity, Energy Security and Emergency Response provided INL with $20 million to further develop the method. INL has used the funding to support hands-on security engagements with large utilities whose operations impact multiple states, millions of residents, or other critical operations.

In December 2020, INL licensed the CCE method to West Yost, a California company that provides engineering services and training to many of the nation’s 50,000 water utilities. West Yost plans to offer CCE training to their customers to increase cybersecurity awareness and preparedness in the water sector. INL is currently discussing other licensing opportunities.

The book is published by Taylor and Francis Group and can be purchased online and in select retail outlets.