Lessons learned from the new Smart Meter Risk Analysis Methodology in the Netherlands

Transcription

1 Lessons learned from the new Smart Meter Risk Methodology in the Netherlands Johan Rambi Alliancemanager Privacy & Security Alliander Chairman Policy Committee Privacy & Security Netbeheer Nederland 6 December 2012 Netbeheer Nederland is a branch organization for grid operators (TSO/DSO s) Privacy & Security 2

2 Steps towards the P&S Requirements for Large-scale rollout of smart meters Privacy & Security Requirements Previous Version 1.5 Risk Study Audit Committee P&S Redevelopment Privacy & Security Sector Requirements P&S Requirements Version 2.0 Control Objectives Control Measures Implementation Guidelines Large-scale rollout Dutch Smart Meter Requirements (DSMR) 3 Privacy & Security Smart Metering Infrastructure Framework in NL analysis and rule base Goals of grid operators s expectations Formal legislation and regulations Norms and standards Privacy and security goals Formulation principles Risk analysis Requirements what to protect? Considerations and choices Measures how to realize it? 4

3 Risk Methodology processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 5 processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 6

4 s Society Consumer Organizations Experts Universities Sector Energy suppliers Grid operators Government Knowledge institutes Meter vendors 7 processes processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 8

5 processes Processes Energy Supplier Energy procurement Energy Sales / Invoicing (Billing) Disconnecting (switch off) defaulters Processes Grid Operator Transmission energy Managing power quality Meter Management Capacity Planning Minimize grid losses Market Facilitation: SVO, data collection & billing Processes Private Consumer Energy consumption Energy savings Energy Production Payment purchased products Protection personal data Processes ISP Insight / advice on energy consumption of the private consumer 9 Define Assets processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 10

6 Define Assets Customer Module, e.g. display P1 Grid Operator A manages infrastructure for both electricity and gas P0 P1 Smart E-meter P2 P2 P3 Other meters (G, water, ) P3.1 Data Concentrator (DC) P3.2 Grid Operator B manages infrastructure for gas only P3 Central System A The clouds symbolise network technologies, such as GPRS, PLC (Power Line Communication), internet, etc. Central System B P4 EDSN P4-Portal Data Exchange P4 P4-Portal (EDSN) Data Exchange P4 P4 Energy Suppliers Suppliers ISP Independent Service Provider (ISP) 11 Define Assets Information Assets Function Assets System Assets Measurement Data Measuring Function Meter Switch Data Communication Function Central System Configuration Data Switching Function Data Concentrator Monitoring Data P4-Portal (EDSN) 12

7 and assess threat sources processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 13 and assess threat sources Introduction The threat sources refer to persons or parties responsible for a security incident. Note that disturbances are not always caused by human behavior. Think for instance of a system failure in the Data Concentrator, that is affecting the stored measurement data. Grid Operator Employee System error / malfunction Central system System error / malfunction Data concentrator System error / malfunction meter Persons / Parties / Technical Data communication provider Fault Communications Energy Supplier Employee System energy supplier Private consumer External attacker Researcher (academic / journalist) Fun Hacker Criminal Fraud Terrorist 14

8 and assess threat sources 15 Group Assets processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 16

9 Group Assets Process Link between Asset and Process Asset Asset Category 17 Group Assets Process Link between Asset and Process Asset Asset Category Focus 18

10 Business Impact Assessment processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 19 Business Impact Assessment Impact Classifications s Categories Values Description Values on classifications Classifications 20

11 Business Impact Assessment Results Total Score BIA for Asset on A, I, or C Related to Available, Integrity or Confidentiality (incl. process) Values of stakeholder Score on Business Impact Focussed Asset 21 and assess risks processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 22

12 and assess risks Likelihood Classifications Likelihood Categories Very High High Medium Low Very Low Occurance in time "Daily (more than 100 times a year)" "Monthly (10 to 100 times a year)" "Annual (1 to 10 times a year)" "Probably (once a year to once in 10 years)" "Possible (once in 10 years to once a century)" The calculation of the impact comes from the BIA, but the likelihood of the threat is determined during this step. Several aspects are taken into account: Which vulnerabilities in the assets can lead to the actual occurrence of this threat? What threat sources have an interest? How important is that interest of threat source? What is the extent of the technical complexity to abuse the vulnerability in real life? What is the likelihood of an unintended disruption? 23 and assess risks Related to Available, Integrity or Confidentiality Likelihood Identified Threat Related Asset Impact The identified impact is taken from the Business Impact Assessment (BIA) Main Threat Sub Threat Sub Threat 24

13 and assess risks Count risk 25 Prioritise and present risks processes and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) and assess risks Prioritise and present risks 26

14 Prioritise and present risks Identified Threat Related Asset Risk Risk = Likelihood * Impact Main Threat Sub Threat Sub Threat 27 Approach for redevelopment Risk Risk Other input phase 1 Other input phase 2 Open issues P&S Requirements Version 1.50 Open issues P&S Dutch Smart Meter Requirements 4.0 Official Privacy Code Smart Meter Grid Operators Document Integral Vision Smart Meter P&S Requirements Version 2.0 Control Objectives Alignment with Working Group DSMR Review P&S Audit Committee of the P&S Requirements Desk study P&S Audit Committee Experiences from penetration tests DSMR 4 meters Control Measures Internal review grid operators P&S requirements other European countries Experiences from code reviews DSMR 4 meters Implementation Guidelines Alignment with EDSN about P4-portal Essential Regulatory Recommedations for E.C. (EG-2) incidents Review and alignment ESMIG 28

15 Structure of the requirements Risk s Values Asset process BIA Risks P&S Requirements Version 2.0 Control Objectives Control Measures Implementation Grid Operator Organisation Implementation Guidelines Processes Technical 29 Structure of the requirements Risk s Values Asset process BIA Risks P&S Requirements Version 2.0 Control Objectives Control Measures Implementation Grid Operator Organisation Implementation Guidelines Processes Technical 30

16 Nationaal Cyber Security Centre Cyber Security CPNI.nl Council The Netherlands IRB ICT Response Board (for Crisis) Dutch Data Protection Authority (CBP) ENCS Contact Group Security and Crisismanagement Policy Committee Audit Committee Privacy & Security Privacy & Security Netbeheer Nederland Working Group Smart Grid Cyber Security Project Group Smart Grids NEN European SCADA Control Systems Information Exchange (EuroSCSIE) Thematic Network for Critical Energy Infrastructure Protection (TNCEIP) Cyber Security EG: European Network of Transmission System Operators for Electricity European Commission DG ENER Europe European Commission DG INFSO/CONNECT Smart Grid Task Force Steering committee M/490 Smart Grid Coordination Group.. Expert Group on Smart Grid Security M/490 Smart Grid Steering Committee.. ENISA Expert Group 2 Data Privacy and Cyber Security M/490 Working Group for Smart Grid Information Security (WG SGIS).. EUTC ETSI CEN CENELEC Standardisation European Reference Network Critical Infrastructure Protection (ERNCIP) European Commission DG HOME.. DG HOME CIIP for SCADA and the Smart Grid.. NIST U.S.A. DECC U.K. STEG 31 Security Toolbox M/490 32

17 Security Toolbox M/490 Comparison with Dutch Risk methodology Make for this distinction of the different assets and grouping of the assets for instance a model like this: 33 Security Toolbox M/490 Comparison with Dutch Risk methodology For the information assets the impact of each use case should be defined, of course per category of the different stakeholders. 34

18 Security Toolbox M/490 Comparison with Dutch Risk methodology Now only for the information assets that score significant on impact potential threats are identified: 35 Security Toolbox M/490 Comparison with Dutch Risk methodology Therefore an overall risk can be identified for each potential threat on an asset with a significant impact on the risk categories (operational, legal etc.). These threats should be the trigger to identify the needed essential requirements, and next to analyze the potential gaps in the existing standards: processes Values Security Goals Risk Impact on processes Impact on values Risks the gaps & define actions Actions to solve gaps Gaps Define essential requirements Essential Requirements Compare requirements with standards relevant Standards

19 Are we ready for Cyber Security? 37 Many thanks for your attention! Johan Rambi : Alliancemanager Privacy & Security Telephone : johan.rambi@alliander.com 38