Cybersecurity Risk Assessment in Smart Grids

Transcription

1 Cybersecurity Risk Assessment in Smart Grids Lucie Langer, Paul Smith, Thomas Hecht AIT Austrian Institute of Technology ComForEn Symposium 2014 Sept 30,

2 Risk Assessment: The Basics Risk assessment is concerned with understanding the probability of a cyber-attack and its impact risk = probability x impact Based on an understanding of threats and vulnerabilities For example, financial loss, damage to equipment, loss of power, The basis for prioritising how to mitigate threats and apply resources for cybersecurity 2

3 The Challenges We See We have identified five key challenges with carrying out a risk assessment for smart grid: 1. Managing safety and security risks 2. Analysing cyber-physical risks 3. Understanding risks to legacy systems 4. Complex organizational dependencies 5. Understanding cascading effects These are not unique to smart grid, but all exist, making risk assessment particularly challenging 3

4 Managing Safety and Security Risks Safety analysis methods are widely used in the energy domain Examples include HAZOP, fault-tree analysis, event-tree analysis, FMEA, STAMP/STPA, There are parallels in the security domain, e.g., attack trees Benefits can be had by performing security and safety co-analysis Reuse of results across analyses Ability to consistently prioritise different types of threats, i.e., attacks versus faults 4

5 Analysing Cyber-physical Risks The smart grid is a cyber-physical system Power system and ICT infrastructure is tightly coupled through SCADA and control systems Traditional IT security provides necessary tools but not sufficient to secure cyber-physical systems Need for tools and strategies to understand and mitigate attacks: Which threats should we care about? What impact can we expect from attacks? Which resources should we protect (more)? 5

6 Understanding Risks to Legacy Systems The smart grid will consist of legacy systems and new ICT components that implement advanced measurement and control functions It is often not clear what impact new components will have on legacy systems, and vice versa Legacy industrial control systems are known to be fragile to active security testing techniques Risk assessment method should account for these characteristics 6

7 Complex Organisational Boundaries In a liberalised European energy market there are many actors Energy Producers, Transmission and Distribution System Operators (TSOs and DSOs), and Energy Suppliers Others from the ICT sector are emerging as being important E.g., telecommunications operators and cloud providers Energy consumers become providers, potentially as part of virtual power providers A diverse and complex supply chain is emerging This complex web of dependencies can make risk assessment challenging 7

8 Understanding Cascading Effects The smart grid consists of a number of sub-systems that support an underlying grid infrastructure The failure of a sub-system could cascade into another This problem is closely related to cyber-physical impact analysis A pathological case: 1. A cyber-attack causes a failure in the energy grid, resulting in a blackout 2. ICT systems start to run on Uninterruptable Power Supply (UPS) 3. The UPS runs out before the grid has recovered 4. ICT systems fail 8

9 NESCOR (National Electric Sector Cybersecurity Organization Resource) Cyber Security Failure Scenarios Realistic events in which the failure to maintain C-I-A of cyber assets has a negative impact on the generation, transmission, and/or delivery of power Intended to be used by utilities for risk assessment, planning, training, security testing Organised in six categories (see NIST SP 1108): AMI: Advanced Metering Infrastructure DER: Distributed Energy Resources WAMPAC: Wide Area Monitoring, Protection, and Control ET: Electric Transportation DR: Demand Response DGM: Distribution Grid Management Ranking of impact and cost to adversary (scores 0.1; 1; 3 and 9) Risk = impact / cost 9

10 CEN-CENELEC-ETSI M/490 Smart Grid Information Security Perform risk assessment of information assets based on smart grid use cases Security Level (SGIS-SL) Risk Impact Level (SGIS-RIL) SGIS-SL = f(sgis-ril, p) 10

11 The (SG) 2 Risk Catalogue 1. Define threats based on IT Baseline Protection and Common Criteria 2. Apply to architecture model BSI Protection Profiles (SG) 2 threat catalogue 3. Rate probability and impact 4. Verify through security tests very low (1). medium (3). very high (5) 11

12 The (SG) 2 Risk Catalogue (cont.) Attacks on the WAN through smart grid gateway Attacks through remote maintenance access Cluster Threat to Smart Buildings E-Mobility Customer Premises Low Volt. Gen. Med. Volt. Gen. Grid Testpoints Primary Substation Secondary Substation Grid Operation Metering Threat Category Avg. Authentication & Authorisation Applied Security Mechanisms Integrity & Availability Internal & ext. Interfaces Confidentiality & Data Protection Maintenance of Equipment 3,50 4,00 3,00 6,00 6,00 6,25 5,25 8,25 7,00 5,00 5,43 9,50 4,15 7,50 6,40 4,60 4,70 5,05 5,90 7,05 3,00 5,79 2,71 4,46 4,69 4,00 3,13 3,07 3,64 4,72 3,97 4,50 3,89 2,67 3,50 6,33 6,67 4,00 3,33 5,00 4,00 5,83 2,33 4,37 5,67 4,67 4,67 8,67 4,33 4,00 3,67 5,63 7,50 3,75 5,25 4,43 3,50 4,60 3,75 4,15 3,31 3,94 5,33 5,83 3,60 4,24 Component Cluster Avg. 4,75 4,05 5,13 5,91 4,37 4,11 4,42 5,64 6,20 3,70 Privacy issues of customer production data 12

13 The SPARKS project 13

14 Cyber-physical Impact Analysis in SPARKS Analysing the potential physical impact of a cyber-attack via a hybrid simulation environment, based on existing tools 1. Power Distribution Simulators (GridLAB-D, etc.) Adapt power grid models from US network standards to European network standards Achieve a realistic model of the real environment and generate comparable results which are directly applicable to real European infrastructure 2. ICT network simulation tools Examples include ns-2, OMNeT++, 3. Real smart grid hardware Automation equipment (AIT SmartEST Lab) E.g., Secondary substation Smart meters 14

15 The SECCRIT Project EU-funded project, focusing on the security of high-assurance ICT services in the Cloud Exploring the challenges of risk assessment for Cloud Challenges include: Unclear and complex organisational boundaries A lack of transparency regarding how Cloud services are provisioned Solutions include a transparency enhancement framework to enable remote real-time cloud infrastructure monitoring Further details: 15

16 The HyRiM Project EU-funded project investigating risk assessment for interconnected and interdependent utility networks Failures of one utility can result in cascading failures in others Project aims to develop quantitative methods to assess these risks Using complex-coupled network and decision theory-based analysis techniques to evaluate these risks Further details: 16

17 Questions? 17