
Cyber-Informed Engineering (CIE) vs Consequence Driven, Cyber-Informed Engineering (CCE)

Cyber-Informed Engineering (CIE) and Consequence Driven, Cyber-Informed Engineering (CCE) are concepts developed by the Idaho National Laboratory (INL).

A side-by-side comparison of the two is presented in the table below.

CIE is a guide to embedding cyber security considerations into cyber-physical systems throughout the engineering lifecycle model, and across business functions.

The CIE guide is granular and specific, and covers subjects including design, information governance, culture and supply chain controls. Organisational beneficiaries are not limited to engineers; procurement, operations, information governance and leadership teams can all have a role to play.

CCE is a methodology to identify high consequence physical events achievable through cyber means in cyber-physical infrastructure environments, and develop mitigations and protections.

Each serves a distinct purpose, but they are not mutually exclusive. Maximum benefits to an organisation, including potential long-term cost savings, can be realised by using both from an early stage.

What is the difference between CIE and CCE?

The following table attempts to summarise key differences between the CIE and CCE concepts.

| Comparison | CIE | CCE |
| --- | --- | --- |
| Summary | A guide to embedding cyber security considerations into cyber-physical systems throughout the engineering lifecycle model, and across business functions. | A methodology to identify high consequence physical events achievable through cyber means in cyber-physical infrastructure environments, and develop mitigations and protections. |
| Format | 12 principles, each broken down across the phases of the engineering lifecycle model. Takes the format of a comprehensive question set to provoke critical thinking. | Four methodology phases. Takes the format of a step-by-step, how-to process. |
| Implementation | Interpretations to be embedded into policies, processes and standards for longevity. | Intended to be run end-to-end as a focused exercise over one or several sessions. |
| Timing | Principles can be applied against applicable organisational functions and activities at any phase of the engineering lifecycle model. | Methodology can be run against a proposed cyber-physical system, based on plans, or a live and functional system. |
| Organisational ownership | Each principle can be the responsibility of a primary function within an organisation, but can apply to others. Overall coordination for implementation and monitoring of effectiveness could be via the asset management or engineering functions. | Responsibility for execution and oversight of outcomes could be owned by a function, for example risk management. Execution benefits from a knowledgeable and capable facilitator. |
| CIE and CCE relationship | Considerations at any phase of any principle may be prompted and improved by outcomes from running the CCE process. | Outcomes may trigger considerations at any phase of any CIE principle. |

CIE and CCE comparison table

The CIE Implementation Guideline is available via https://inl.gov/national-security/cie/, whilst the CCE Four-Phased Reference Document can be downloaded from https://inl.gov/national-security/cce/.
