On Wednesday, Kansas City-based industrial cybersecurity firm 1898 & Co., part of the engineering firm of Burns & McDonnell, announced that it is partnering with the U.S. Department of Energy‘s Idaho National Laboratory (which is the nation’s center for nuclear energy research and development) on a project to scale a patent-pending, consequence-driven, cyber-informed engineering (CCE) application for critical infrastructure security.
The CCE protocol was developed at the Idaho National Laboratory, with support from the DoE’s Office of Cybersecurity, Energy Security and Emergency Response, to protect the critical functioning of power and water utilities, oil, gas and chemicals, pipelines, defense industrial bases, aviation and rail transportation, maritime assets and ports, and manufacturing companies.
“While there are no guarantees when it comes to critical infrastructure cybersecurity, 1898 & Co. clients who implement CCE for their most critical assets will have additional safeguards in the form of engineering changes and process improvements that limit the damage an attacker can do once inside,” said 1898 & Co Managing Director Matt Morris. “At the end of the day, CCE’s ability to temper the size and scale of cyber sabotage provides a level of certainty CISOs and boards sorely need.”
1898 says the benefits and return on investment from efforts to digitalize operations are real, and deliver value to shareholders, customers, and the environment alike. But this is only the case if such efforts are performed with “cyber vigilance,” where capabilities have struggled to keep pace with continuous advances in digitalization.
As a result, the firm says, critical infrastructure cybersecurity specialists are stretched in multiple directions and don’t want to be perceived as “holding back the business.” Increased scope and coverage requirements for cybersecurity professionals, along with new vulnerabilities, provide ample opportunity for adversaries to take advantage.
“Consequence-driven, cyber-informed engineering enhances risk assessment for cybersecurity by combining first-principles thinking with engineering ingenuity,” said INL Associate Laboratory Director Zach Tudor. “It’s a concept we have developed and improved over the last decade in engagements with major utilities and defense establishments, and we are excited to partner with Burns & McDonnell and 1898 & Co. to offer it to more organizations.”
In the last 12 months, 1898 & Co. notes, the SolarWinds attack and Oldsmar water facility hack, and the Colonial Pipeline and JBS Foods ransomware attacks have impacted both private companies, as well as the broader U.S. economy.
“1898 & Co. plans to scale the CCE discipline to critical infrastructure asset owners globally,” added Morris. “A common theme with the majority of the CISOs I am connecting with is that they are desperately searching for a level of certainty when conversing with their respective boards regarding risk to the business. Prior to the development of CCE, the best answer we had was to implement a series of controls and to maintain those on a frequent basis.”
1898 & Co. and INL are focused on expanding CCE across the global ICS cybersecurity community, with INL focusing primarily on the public sector and 1898 & Co. on the private sector, as well as support in the public sector as needed.
