Integrating information security requirements in critical infrastructures: smart metering case. Layla AlAbdulkarim* and Zofia Lukszo

Transcription

1 Int. J. Critical Infrastructures, Vol. 6, No. 2, Integrating information security requirements in critical infrastructures: smart metering case Layla AlAbdulkarim* and Zofia Lukszo Section Energy and Industry Faculty of Technology, Policy and Management Delft University of Technology P.O. Box 5015, 2600 GA, Delft, The Netherlands *Corresponding author Abstract: In recent years, critical infrastructures have witnessed rapid developments in the way their services are being implemented and delivered to consumers; this was instigated by the adaptation of the latest technologies in Information Technology (IT). Despite the evident advantages of such transformation, this lead to the emergence of new challenges facing these infrastructures such as preserving the security of the information generated and maintained by the IT systems supporting the operation of these critical infrastructures. An example of such a case is smart metering in the energy sector. In this article, we present an analysis of information security threats and their consequences, emphasising the importance of incorporating information security as nonfunctional requirements in the early stages of system development rather than an afterthought of the system implementation and deployment. We also present a four dimensional information security assurance model for the smart metering system; this model provides guidelines to designers of IT systems supporting the operation of critical infrastructures. Keywords: critical infrastructures; information security; smart metering. Reference to this paper should be made as follows: AlAbdulkarim, L. and Lukszo, Z. (2010) Integrating information security requirements in critical infrastructures: smart metering case, Int. J. Critical Infrastructures, Vol. 6, No. 2, pp Biographical notes: Layla AlAbdulkarim is a PhD candidate at the Energy and Industry group at the Delft University of Technology, the Netherlands. Her area of research is the assurance of information security in critical infrastructures. Dr. ir. Zofia Lukszo is an Associate Professor at Delft University of Technology, the Netherlands. She acquired her PhD from Eindhoven University of Technology, the Netherlands. Her research focuses on operations management, mainly in the process industry and infrastructure sectors. She has extensive experience in the application of mathematical modelling, optimisation and quality control in decision making at the operation and control level in the process industry. She is also a leader of the programme Intelligent Infrastructures within the international research programme of the Next Generation Infrastructures ( Copyright 2010 Inderscience Enterprises Ltd.

2 188 L. AlAbdulkarim and Z. Lukszo 1 Introduction Over the decades, the operation of critical infrastructures has witnessed rapid developments in both the quantity and quality of their offered services and in the way these services are being implemented and delivered to consumers. One of the major transformations in these infrastructures is the adaptation of the latest developments in the information and communication technologies. The rapid and ongoing developments over the past years in information and communication technologies have lead to the emergence of state-of-the-art Information Technology (IT) infrastructures which facilitate the manipulation, storage and transportation of enormous volumes of data and information. The level of IT involvement in these infrastructures varies in visibility from back-end systems and underlying infrastructure technologies to interactive user-friendly service endpoints. The incorporation of IT infrastructures as a vital component supporting critical infrastructures has introduced additional high-tech services, reshaped their services offered to consumers and improved their quality which, in turn, had a noticeable impact on the quality of daily life. The advantages of IT-based services go far beyond consumer satisfaction. In fact, the main motives are usually political which aim for economic, industrial and institutional impact. Examples of this can be seen in the energy sector where the concept of smart metering has recently been introduced. This offers a number of advantages such as providing consumers with more capabilities and services related to electricity consumption, monitoring and managing in an economic and industrial level seeing that smart metering is considered the basis for facilitating the distributed generation of energy and is able to reduce operational costs and improve efficiency. Nevertheless, despite these great advantages allowed by the support of IT infrastructures to critical infrastructures, the gain of these advantages is not without a few drawbacks. The dependability of critical infrastructures on IT infrastructures has introduced new challenges particularly in terms of preserving the security of the information and sustaining the integrity of the system. Information security is normally retrofitted in software systems in the sense that it is treated as an afterthought leading to a cycle of penetrating and patching the different parts of the system (Gilliam et al., 2003). Unfortunately, the IT system supporting smart metering is no exception. This can obviously result in a questionable level of security considering the unstructured and ad hoc manner in which security is being implemented. To avoid the consequences of information security breaches, the assurance of information security requires careful planning starting in the early stages of system development. This can be achieved by analysing threats and vulnerabilities of system components to clearly and thoroughly establish information security requirements which can contribute to alleviating risks and producing a system with high quality information security (Wilander and Gustavsson, 2005; Hassan et al., 2008). In this paper, we emphasise the importance of addressing information security from an early stage of system development by presenting an information security assurance framework for smart metering. The framework includes the following four dimensions against which we propose that information security must be assured: 1 time 2 system breadth

3 Integrating information security requirements in critical infrastructures system depth 4 system actors. This paper is organised as follows: In Section 2, we give an overview of the anatomy of the smart metering system. In Section 3, we present a number of the limitations and challenges facing the system. In Section 4, we give an analysis of information security threats and their consequences, whereas in Section 5, we present our information security assurance model. Section 6 concludes the paper and gives some directions for future researches. 2 Smart metering: technology and anatomy A smart metering system is an interdependence between energy and IT infrastructures. It consists of a number of distrusted components belonging to either of the two infrastructures, the collaboration of which brings the intended services to consumers. Smart metering systems have been receiving a lot of attention lately in the light of the recent roll out of a number of smart metering projects among the member states of the European Union (EU) (Deconinck, 2009; Santer, 2009; Moen, 2009; Jensen, 2009; Pavan, 2009). The motivation behind the adoption of smart metering differs from one country to another. In general, there are some common drivers that encourage the different governments to adopt the smart metering system within their respective countries. For example, within the new liberalised market structure, the introduction of smart metering was considered a prerequisite step to achieve the desired market competitiveness. In addition to that, smart metering is regarded as a means to meet the requirements of both the Kyoto Protocol and the EU energy efficiency directives, i.e., EU Directive 2006/32/EC 1 and EU Directive 2005/89/EC. 2 By putting the smart metering system in use, it is expected that, with proper feedback mechanisms, consumers will reduce their electricity usage as they become aware of their actual consumption. This, in turn, is expected to reduce the need to build more power plants and to expand the existing distribution networks. Furthermore, the system will provide more accurate information to grid operators regarding how to allocate electricity use (Smartgridnews.com, 2007). However, despite the numerous advantages gained by the smart metering system, there exists a number of serious issues which still needs to be addressed in order for the system to achieve its desired goals. For instance, it is still argued that the main driver behind the launch of smart metering is mostly due to the reduction of costs that are related to the operation of the system and electricity consumption (AlAbdulkarim and Lukszo, 2009). This is believed to prevent a full exploitation of the system as it obstructs a more inventive approach to designing the system s operation and functionality. Examples of other issues include lack of regulation, lack of standardisation, the absence of a means to provide consumers with proper and useful feedback, and the need for a more innovative approach to the system s development to ensure a maximum utilisation of the system s capabilities. However, aside from these issues, perhaps a very significant problem associated with the smart metering system is how to ensure and preserve the security of its information. This becomes crucial when considering the severe consequences of information security breaches of the system. The smart metering system

4 190 L. AlAbdulkarim and Z. Lukszo produces and maintains a massive amount of information and the violation of its confidentiality can lead to a wide spectrum of drastic consequences including financial, legal or, in some cases, an entire failure of the system. The main components of the smart metering system as illustrated in Figure 1 are described below. Figure 1 Main components of the smart metering system 2.1 Advanced metering infrastructure Smart metering installation A smart metering installation refers to the device installed at remote households which, among other tasks, keeps track of electricity, gas and water consumption in an advanced manner. A smart metre differs from a conventional one in the wide range of highly developed services that it offers such as remote activation/deactivation of connections and a two-way communication between the metre installation and service providers where the latter is extremely important due to the rising awareness of the significance of public engagement and interaction among involved parties as opposed to top-down communication where the public are treated as passive recipients rather than having a more active role (Owens and Driffill, 2008). The instruments used for the Dutch smart metering system must be in compliance with the requirements of the Metrology Act, the electricity metering code, and the gas metering conditions Data concentrators A data concentrator is a device that is usually located at substations to manage its data which is gathered from the different smart metres at remote households. Mainly, these data concentrators act as a link between metres and the rest of the components of the advanced metering infrastructure by assuming a store-and-forward role as they collect

5 Integrating information security requirements in critical infrastructures 191 data related to energy consumption from metres at remote households, transmit the data to control stations and supply the data to the billing system (Sustainable Buildings Smart Meters, 2008). In addition to that, data concentrators are capable of detecting and configuring newly installed smart metres and creating repeating chains for signal amplification if necessary (DC-100 Data Concentrator, 2008). In general, data concentrators automatically manage a portion of the infrastructure s functionality such as monitoring the operation of the power grid and smart metres in an ongoing basis, reporting disruptions and failures (Sustainable Buildings Smart Meters, 2008), and detecting and reporting of theft of electricity and tampering attempts at metres (DC-100 Data Concentrator, 2008). Data concentrators are not capable of accepting incoming calls from other components of the system; however, if a connection is dropped, the concentrators are capable of initiating and establishing contacts Central access servers A central access server is defined in the Netherlands Technical Agreement as a central application that takes care of the data collection, control and parameterization commands, and the centralized authorization for access to the metering installation. Each grid operator maintains a cluster of servers as part of the smart metering system operation. The servers can be roughly divided into three categories based on the applications they host. In addition to databases that store the system s data, these servers also host the different softwares and applications that are necessary for the operation of the system. Furthermore, these servers also act as web portals through which clients can access their profiles and can monitor their consumption rates for example Communication ports To facilitate communication among the system components and market players, the smart metering system has a number of ports through which information can flow. In principle, the NTA 8130 standard lists four ports, namely: P1, P2, P3 and P4 as illustrated in Figure 1. Throughout the literature, a fifth port, P0, which is located in the metre installation and is mentioned sometimes, is used for configuration purposes. Below, we give a brief description of each of the four main ports of the system as mentioned in the NTA 8130 standard: 3 Port P1 This is a read-only port that is mainly used to link the metering installation to an external device. Port P2 Through this port, the smart metering installation is linked to the grid operator s equipment up to four metering devices. Port P3 This two-way communication port is used to connect the metering installation to the central access servers through a series of intermediate nodes. Port P4 This port differs from the others in the sense that it is not located in the metering installation but rather on the Central Access Server (CAS) to which authorised market players are given access via this port.

6 192 L. AlAbdulkarim and Z. Lukszo 2.2 Information assets The information exchanged over the smart metering system varies in nature; it can take the form of standard messages, ad hoc messages with a maximum of 1024 characters or, simply, metre readings which can be daily, monthly or on-request readings. The metre readings are being stored in daily/monthly registers on the metering installation and sent to the CAS for storage in predefined time intervals. The smart metering system retains a massive amount of information which is either generated by the system or is necessary for its functionality; the main categories of this information are mentioned in later sections of this article. 2.3 Functionality In principle, smart metering systems can offer a wide range of services which vary from one provider to another. However, aside from the value added services, a minimum set of basic functionality strictly related to electricity and gas at the early stages of the system that must be satisfied by the system was defined in the NTA 8130 standard. 3 The main functions are listed in Table 1. These functions belong to grid operators, consumers, suppliers or sometimes to all of them. Table 1 Main functions delivered by the smart metering system Function Generates remotely readable real time metre readings either on a periodic basis or on demand. The readings indicate the amount of energy consumed or supplied to the system in case of decentralised generation. This helps in improving administrative processes. Facilitates promotion of energy saving awareness among consumers Enables safe and remote activation/deactivation of electricity and gas connections, either collectively or individually Enables remote electricity threshold changing Allows energy suppliers to work with differentiated tariffs Facilitates prepaid electricity Monitors distribution networks and generates alerts of service disruptions or fraud detection Measures and detects power quality remotely Allows online interaction between suppliers and consumers Actor(s) involved Consumer Consumer Grid operator Grid operator Grid operator, Consumer Consumer Grid operator Grid operator Grid operator, consumer, supplier From a technical perspective, the system needs to provide a number of functionalities; the most important of which is the two-way communication network that supports the functionality listed in Table 1 (DC-1000 Data Concentrator, 2008). To carry out these functions among others, the system facilitates the exchange of messages among grid operators, suppliers and independent service providers, and consumers. These messages are mainly related to the status of the metering installation and the control of its settings. For example, authorised parties can request via ports P1, P3 or P4 the current status of the metering installation such as the actual tariff indicator, actual breaker position and actual threshold. 3

7 Integrating information security requirements in critical infrastructures 193 Grid operators and energy suppliers display via port P3 (also available via port P1) the status information in the form of standard messages on the display of the metre installation. These messages mainly cope with reasons for deactivation, limitation of the threshold and its level, and impending shortage of prepaid credit. 3 Another form of communication that can occur between grid operators and the metering installations at remote households is the update of firmware installed on the metres. 3 Smart metering system s limitations The launch of smart metering systems in a number of member states of the EU is faced by numerous issues which are adding to the limitations of the system and jeopardising its success. 3.1 Innovation and feedback One of the main problems that can prevent the system from satisfying few of the desired outcomes is the lack of innovation. By offering more innovative services to consumers such as the ability to steer consumer behaviour with respect to selling and producing export electricity to the grid from solar panels, the utilisation of the system can be maximised, and in addition to its intended goals, the system can achieve more targets. Another problem is proper consumer feedback. In the current situation in Italy for example, grid operators are the only ones benefiting from the deployment of the smart metering system with fraud detection (Parliamentary Office of Science and Technology, 2008) and accuracy of billing (European Regulator s Group for Electricity and Gas, 2007) as their main drivers for smart metering. With such a focus, other desired effects, such as demand response, are difficult to achieve which, in turn, negatively affect energy saving and efficiency. In order for the system to help achieve these goals, consumers must be given access to and provided with effective feedback regarding their electricity consumption. Feedback must be provided via attractive interfaces available in different forms such as real time and online portal access for a detailed analysis of their electricity consumption. 3.2 Information security breaches The rapid developments in information and communication technologies lead to the emergence of intelligent infrastructures that are highly reliant on IT infrastructures. Despite the obvious advantages to the incorporation of IT systems within other critical infrastructures to support its functionality, these infrastructures have now become exposed to new risks that jeopardise these systems operations. One prominent risk is compromising the security of the information maintained by these systems, in which case, these systems turn into a security disaster waiting to happen (Viega et al., 2002). The significance of securing the information of smart metering system arises from the grave consequences that may occur should a security breach take place such as the following:

8 194 L. AlAbdulkarim and Z. Lukszo fraud by altering metre reading to reduce it below the actual consumption levels gaining control over certain devices which could result in disconnecting their power supply, e.g., shutting down certain appliances within a household such as a washing machine or a refrigerator maliciously monitoring users electricity consumption rates (low rates indicate that the user is away from home, possibly for extended periods of time, which could result in theft) shutting down the entire grid (this would result in electricity supply down-time throughout the entire system). In the software requirements engineering discipline, security and privacy requirements are regarded, among others, as Nonfunctional Requirements (NFR). Functional requirements are those that describe what the system needs to do, whereas NFRs describe constraints on the solution space and describe how functional requirements should be delivered. Security requirements are considered complex and hard to manage, and they are often addressed as second class requirements that are ignored or unmet in the final product (Yu and Cysneiros, 2002). Many systems are developed initially without security in mind (Bettencourt da Cruz et al., 2003). This results in retrofitting information security requirements into these systems at later stages. Current system development practices address security as an afterthought in an ad hoc manner. They range from poor practice of coding security measures during implementation or even after implementation as a cycle of penetrate and patch to adding security requirements in later stages of system development at best (Crook et al., 2002; Haley et al., 2004). In both cases, the final product is rendered with a questionable level of information security. Apart from the obvious consequences, e.g., risking the confidentiality of information that belongs to a different stakeholder, this poor level of security can result in a wide range of other consequences that are not less severe. Examples of such consequences are given below. From a financial point of view, retrofitting security into systems can be extremely expensive. Addressing security at an early stage helps avoid the excessive costs of expensive fixes or alteration to the existing code (due to overlooking security requirements) at final phases of the system development rather than at the requirements gathering and analysis phase (Chung, 1993; Chung et al., 1994; Cysneiros et al., 2001; Yu et al., 2008). Another drawback to retrofitting information security is that it is time-consuming, causing delays in launching the system or a rushed implementation of security requirements to meet predefined deadlines, in which case, the system becomes compromised and less trust worthy. Both are consequences that can lead sometimes to huge financial losses, regulatory violations or legal implications (Bettencourt da Cruz et al., 2003; Cleland-Huang et al., 2005). From a technical perspective, attempting to retrofit security into the system after its implementation results in an increased level of activities in the system deployment and maintenance phase of the system s development life cycle. This is true considering that when security is addressed at this point of time, it is usually in the form of penetrate and patch cycles which is an exhaustive process that should be carried out on components across the entire system. This results in an increased number of updates to be deployed

9 Integrating information security requirements in critical infrastructures 195 across the system (Bettencourt da Cruz et al., 2003). Furthermore, as retrofitting security mostly requires the change of the existing code of the system, this causes a degraded level of maintainability of the system s code (Bettencourt da Cruz et al., 2003; Cysneiros et al., 2001). Additionally, the complex nature of information security requirements, affecting all parts of the system at all levels of detail, combined with the interconnectedness of the system implies that fixes are often not localised into a certain component but rather propagate and require a series of fixes across other components of the system (Bettencourt da Cruz et al., 2003). But perhaps the worst case scenario could be that the incorporation of security aspects at later stages requires an enormous amount of changes to the extent where the system needs to be redesigned and reimplemented. The effects of retrofitting information security from an operational standpoint can vary in severity. It ranges from compromising the system s efficiency or availability resulting from system down-times if security is implemented after system s deployment to a more drastic case of the system s failure which, in turn, can cost organisations high financial and legal losses (Cysneiros et al., 2001; Cleland-Huang et al., 2005). For example, the smart metering system could not be successfully mandated in the Netherlands in the first chamber of parliament due to information security issues and violation of consumers privacy (EnergieGids.nl, 2009). In the light of the abovementioned drawbacks to addressing information security at later stages of the system development, we propose to address security as early as the requirements gathering and analysis phase of the software engineering process. In Section 5 of this article, we present our information security assurance model for smart metering where we demonstrate how security should be tackled as early as possible. 4 Information security threats and consequences In this section, we give an introduction of the different types of information security breaches which threaten the confidentiality of the information maintained by the system along with the consequences that could result from these breaches. 4.1 Information security threats Threats or breaches are the potential for abuse of a system s assets by intruders (Haley et al., 2004). The degree of a threat depends on the attacker s skills, knowledge, resources, authority, and motives and intentions. A security threat to the information assets of the smart metering system can have serious consequences. The severity of these consequences depends mainly on the sensitivity and the worth of the information. The protection of this information is rather crucial to ensure a normal and uninterrupted operation of its services and to preserve the consumers right to privacy. Table 2 illustrates the main information categories of the smart metering system and some possible threats targeting this information.

10 196 L. AlAbdulkarim and Z. Lukszo Table 2 The main categories of information in the smart metering system and possible threats Type of information Description Possible threat Consumer profile Meter readings System maps Prepaid credit Confidential system information The consumers personal data such as their name and address Daily and monthly meter readings Information that is related to the architecture of the system, the layout of its components and their interconnectedness A method of payment for energy consumption that is mostly used by consumers with poor finances Information that is related to the operation of the system, e.g., encryption keys Risk to the safety of consumers and violation of their right to privacy upon unauthorised possession of this information Theft by penetrating the communication medium, mimicking a device and finally altering genuine meter readings Tapping and penetration of communication mediums and data repository points and possible vulnerabilities within the system Information related to this method of payment is stored on the system s servers; access to credit information may result in credit theft Interruption of service, loss of system control or system shutdown In addition to raw data and information, the system also contains a number of critical functions that allow the monitoring and controlling of the system among other things. The unauthorised access to these functions can result in more severe consequences than those resulting from violating the confidentiality of information assets. Examples of security breaches to the smart metering system functionality include the following: disconnecting consumers should an attacker gain access to the smart metering system via port P4 (this is the port through which relevant actors can gain access to the central access servers as illustrated in Figure 1) injecting Power Line Communication (PLC) signals on the communication medium causing communication disturbance initiating a denial of service attack on port P4 gaining control over the entire system should attackers gain access to critical information related to the operation of the system (this can be regarded as the most disastrous scenario). 4.2 Types of security threats The following are the types of security threats (Tanenbaum et al., 2002): interception Information interception or theft is the act of unlawfully seizing confidential information that is being transmitted across a communication medium among the different components of the system.

11 Integrating information security requirements in critical infrastructures 197 interruption Interruption or vandalism refers to situations where an attacker aims to make information or services unavailable or inaccessible to its legitimate users. An example of such an attack is denial of service or corrupting a data file. modification A modification attack is the action of performing an unauthorised change of information or tampering with the services of the system in a way that they no longer comply with their original state. fabrication Fabrication is a form of data falsification where the attacker generates and adds false information to the system or initiates some abnormal behaviours. An example of such an attack would be addition of an entry to an existing password file to gain unauthorised access to system resources. impersonation Impersonation is the act of assuming a false identity to gain unauthorised access to information resources of the system or to seize control of the system s functionality or part of it. 4.3 Consequences of information security threats The effects of information security breaches in critical infrastructures span beyond the obvious consequence of violating consumers privacy to other consequences that may be less obvious but equally drastic. Below is a list of the most dominant outcomes of information security breaches in the smart metering system; some of which were mentioned in The Information Security Policy (2006) as impacts to government operations from security breaches: loss of productivity A security breach can have an impact on the productivity of the system, the severity of which depends on the extent of the attack. system instability As the security of the system is compromised by an unauthorised access of intruders, this may cause some abnormal activities across the system which, in turn, result in an unstable and unreliable operation. damages to assets Unauthorised access to the system can result in damages to system s assets whether they are physical or logical. loss of control Operators may lose the abilities to monitor and control the system or parts of it as intruders gain unauthorised access and seize the system.

12 198 L. AlAbdulkarim and Z. Lukszo system shutdown System shutdown is the total or partial shut down of the smart metering system, causing interruption of services. violation of privacy Disclosure of personal information to unauthorised parties results in compromising individuals right to privacy which, in turn, is a violation of Article 8 of the European Convention for the Protection of Human Rights, i.e., right to respect private and family life. threat to public safety The possession of personal or confidential information by intruders may pose serious threats to public safety or individuals well-being. damages to reputation The violation of consumers right to privacy and interruption of services caused by information security breaches have a tremendous impact on the reputation of grid operators as owners of the system. loss of consumers trust Security breaches that result in the violation of consumers right to privacy of personal information result in the loss of confidence in the grid operators and their commitment to ensure consumers privacy. financial losses Liable parties, mainly grid operators, may suffer financial losses as a result of financial penalties or other losses related to damage control. legal consequences Legal consequences entail legal action taken by afflicted individuals against liable parties. regulatory contraventions An invasion of the smart metering system s security and the subsequent circumstances may lead to infraction of laws and regulations of the domain in which the system operates. The consequences of information security breaches of the smart metering system mentioned above can be classified in a number of ways such as direct versus indirect or major versus minor depending on the severity of the impact of the breach. Moreover, most of these outcomes are interrelated and they affect or cause one another, e.g., damages to reputation or violation of right to privacy can lead to loss of consumers trust, system shutdown can result in productivity and financial losses, and regulatory contraventions may damage the reputation and threaten the organisation s licence to operate.

13 Integrating information security requirements in critical infrastructures 199 These relationships and others, which exist among the consequences of security breaches, are best illustrated in Table 3 where the association is that a consequence in a row triggers another in a column. The table depicts the above-mentioned consequences and the complex relationships that exist among them and the asymmetrical nature of most of these relationships except for a few instances where a feedback may exist between two consequences. Table 3 The interrelatedness among information security breaches consequences Control Financial Legal Privacy Safety System shutdown System instability Productivity Regulatory violation Damage to reputation Loss of trust Damage to assets Control Financial Legal Privacy Safety Shutdown Instability Productivity Regulatory violation Reputation Trust Damage to assets From the table, it is clear that reputation damages and financial losses are the consequences that are highly likely to occur as they are triggered by almost all other consequences. In reality, companies mostly identify damages to reputation as their number one concern as the impact on their reputation is significant in the sense that it will influence their profit and may affect their continuity. 5 Information security design and engineering In order to generate tight security systems to avoid the security breaches mentioned in Section 4 and their consequences as well as to ensure the confidentiality of the system s information, a proper security implementation is needed. This can be achieved by regarding information security as a design and engineering process rather than tackling it in an ad hoc manner.

14 200 L. AlAbdulkarim and Z. Lukszo The process of security design and engineering deals with the development of detailed plans and designs for security features, controls and systems. Its aim is to deliver plans and policies that satisfy predefined security requirements of a given system and ensure its security by preventing internal misuse or external malicious attacks on the system. The outcomes of this process are information security models which are schemes or plans through which the protection of informational assets is ensured against malicious attacks and exploitations of unauthorised parties. They are rules and guidelines that must be taken into consideration, beginning from the time of system design and implementation until the system becomes in a state of obsoleteness including all system development steps in between. Adhering to these models renders the resulting system to be secure. To ensure the highest level of information security, the security requirements of the system should be taken into consideration from the earliest stages of the system life cycle and throughout its subsequent stages. In our approach, we aim to ensure the security of the information of the smart metering system against the multiple dimensions which relate to different aspects of the system within an information security assurance model. 5.1 Time dimension A system [that] is measured secure today does not mean it will be secure tomorrow (Wang, 2005). The assurance of information security throughout smart metering systems requires a careful and thorough planning beginning from the early stages of system development. Currently, there is no time aspect associated with the current security definitions (Wang, 2005). Traditionally, software security has been treated as an afterthought leading to a cycle of penetrate and patch (Gilliam et al., 2003). Unfortunately, the same can be said about the smart metering system which obviously results in a questionable level of security considering the unstructured and ad hoc manner in which security is being implemented. In our approach, we place great emphasis on the importance of addressing security in all the stages of the smart metering system development including the time when the system becomes obsolete and is phased out of production. These stages are mentioned below in a variation of the Waterfall software development model (Sommerville, 2000). In general, this software engineering model was chosen as the smart metering system is based on an IT infrastructure which naturally involves a considerable number of software components. In particular, the Waterfall model was initially chosen considering its fame and simplicity which facilitates ease of communicating the proposed framework Requirements specification Security requirements must be gathered along with the functional and nonfunctional system requirements. This includes identifying the informational assets to be protected, the different information security levels (high, moderate, low (Centers for Medicare and Medicaid Services, 2002)), and who has access rights to what information. In the case of smart metering, the data to be protected is the periodic metre readings and the clients profile data stored either in the metering installation or the CAS servers. But that is not all; since processes are also resources (Harris, 2003), it is rather vital to

15 Integrating information security requirements in critical infrastructures 201 protect the on/off switching of services. This is considered of great importance considering the grave consequences of service down-time throughout the entire system should an intruder gain access System analysis and design This denotes identifying possible malicious attacks and system vulnerabilities and preparing countermeasures to overcome them to ensure the system s security and reliability System implementation As the system is being realised, information security should be implemented by choosing the most secure and suitable methods such as computer security protocols with strong encryption methods, firewalls, user access control mechanisms and choosing secure physical locations of system hardware components to avoid unauthorised tampering or penetration. The current implementation of the smart metering system uses computer security protocols for communication ports P2 and P3. Additionally, firewalls are used for the CAS servers as well as for user-access authorisation mechanisms on port P4 through which the data will be accessed by grid operators, suppliers and independent service providers System integration and testing After a full system implementation and before the system is put into use, the various components of the system should be integrated and put into testing. From a security perspective, testers must run penetration attacks to challenge the system s resilience against malicious attacks by using diverse hacking utilities such as those used by intruders. Corrective actions must be taken (if needed) based on the results of these tests. These tests must be carried out across all system components such as the metering installation, CAS servers, communication ports P1 to P4 and the different communication channels with their various communication mediums System deployment and maintenance The assurance of information security in this phase is an ongoing process. After the smart metering system is fully deployed for use, security must be ensured by running periodic system analyses and security audits to assess the system status and to ensure that it remains secure against malicious attacks. The purpose of security audits is to carry out thorough and comprehensive inspections of the smart metering system s physical and logical components. This includes, for example, the inspection of the security of the locations of physical equipment such as the CAS servers and the encryption methods used for the security protocols which are employed for the communication channels to examine their effectiveness and to explore the possibility of utilising newer and stronger encryption algorithms. Furthermore, security policies must be verified to ensure their validity.

16 202 L. AlAbdulkarim and Z. Lukszo These audits are extremely significant since new threats and attacks emerge every day and due to the evolving nature of IT system as a result of either the addition of new services or the adjustment of the implementation of existing ones. Based on the results of these assessments, security measures of the smart metering system (if needed) should be amended to accommodate the new security requirements. In addition to the processes mentioned above, it is crucial to include an additional phase to the system life span in which the system will be phased out of production and will go out of service permanently, in other words until it becomes obsolete System obsoleteness System obsoleteness is not part of the original Waterfall software development model and is often overlooked in other development models. However, we feel it is imperative to include this phase of the infrastructure s life cycle while addressing security concerns. What happens to the data after the system is no longer in use? Even when the system is no longer operational, its data is not normally disposed of; rather, it remains confidential and must be protected against unauthorised access and tampering. Procedures such as where the data is to be stored, who has access rights to it and what security measures are to be enforced must be carefully planned in advance regarding this scenario. Continuing to secure data after the system has become obsolete is equally important as when the system was operational. However, this crucial step is alarmingly neglected by system designers and engineers. Because of this, our information security framework extends the common Waterfall model with the notion of system obsoleteness. 5.2 System breadth dimension The system breath dimension implies that the assurance of information security is extended across all the IT-technical components comprising the smart metering system. These include the physical and logical components as well as the network the system is a part of. It also includes the interactions between these components. The importance of this dimension rises from the nature of IT systems which are highly interconnected and which facilitates the access from internal and external networks (Masera and Favino, 2007). Ensuring information security across the entire system requires identifying all logical and physical components of the smart metering system and carefully deciding on the appropriate tools or methods for each of these components to protect the information of the system. Below is a list of the major smart metering system components in which information security mechanisms should be enforced: smart metering installation CAS database server CAS application server smart metering web portal communication channels communication network hubs

17 Integrating information security requirements in critical infrastructures 203 Note that the communication channels employ different communication mediums where the choice of communication medium is entirely dependent on the technologies available to the grid operator at any given area across the Netherlands. In the current smart metering implementation, the security of the information flowing through communication ports P3 and P4 is ensured by employing computer security protocols, whereas the security of the CAS servers is being enforced by installing firewall software and applying user-access control mechanisms. The interactions among these components mostly take the form of exchanging information across network mediums. These interactions increase the level of exposure to malicious attacks since transmitted data is more vulnerable than immobile data. In light of this, we believe that it is required to pay special attention to securing both physical and logical means of interaction employed in the smart metering system to ensure that the information remains intact and confidential. We believe that the importance of the system breadth dimension is directly correlated to the degree of interconnectedness of the underlying infrastructure. In securing a component within the system, it is therefore crucial to also take into account the interaction with other components. Also, care must be taken that security is assured equally across all components of the system because failing to do so in a single component compromises all connected components. 5.3 System depth dimension Securing smart metering information along the system depth dimension involves ensuring the information security across all levels within each and every smart metering system component. Figure 2 illustrates the most common logical and physical layers within the smart metering system components. The physical layer denotes the hardware elements of the component, whereas the network layer encompasses physical and logical elements which facilitate the exchange of information among smart metering system actors by transmitting the information across communication mediums. The operating system layer holds the software that is designed to control the hardware of a system in order to allow users and application programs to make use of it. The supporting services layer includes a set of utilities which extends the operating system in order to support the running applications. And finally, the application layer holds all the software programs that are in operation to achieve the predefined goal of the system. Naturally, the different smart metering system components consist of various number of the layers depicted in Figure 2. The layers contained within the different smart metering system components are shown in Table 4. In addition to enforcing security measures across all smart metering system components identified in the system breadth dimension of our framework, we strongly believe that security must also be enforced along the depth of each component, that is, in each of its layers by using appropriate security tools for each layer. This proves most crucial when taking into account that securing data in one layer does not necessarily mean that it remains protected once it is passed on to the next layer.

18 204 L. AlAbdulkarim and Z. Lukszo Figure 2 Logical and physical layers in smart metering system components Table 4 Layers within smart metering system components System components Physical Network Component layers Operating system Smart metering installation X X X Supporting services Applications CAS application server X X X X X CAS database server X X X X X Smart metering web portal X X X X X Communication channels X X Network hubs X X 5.4 System actors dimension The importance of the system actors dimension stems from the notion that an infrastructure can be seen as a large integrated sociotechnical system which implies that actors are a key component of the system (Lukszo et al., 2008). To ensure a secure operation of the system, these actors must be taken into account and be addressed properly.

19 Integrating information security requirements in critical infrastructures 205 The key component under the system actors dimension is to provide the system s different actors a secure interface through which they can benefit from the available services offered by the smart metering system and perform certain tasks that may require accessing and occasionally manipulating a set of the system s information. This can be achieved by giving careful consideration to the following aspects from the early stages of the system design Defining informational assets The information stored in the CAS servers of the smart metering system is of a varying nature and sensitivity, and along with this variety comes also various degrees of required security. This implies that the information that is being generated and maintained by the smart metering system must be classified into different categories based on its level of confidentiality. Throughout the literature, there exists a number of different approaches for information classification, some of which can be found in independent efforts or in documents by government agencies such as the Security in the Government Sector article. Furthermore, classification of informational assets can be found in the ISO/IEC standard Defining user classes Defining the system s user classes requires identifying the different actors of the system along with their respective information access requirements. For the smart metering system, users include grid operators, energy suppliers and consumers. Each one of these users falls under a different user class depending on the set of information they are allowed to access and the level of information manipulation permitted for this user Defining roles The goal of this step is to combine the user classes with the information categories by using roles. This can be achieved by assigning to the smart metering system actors who are categorised in different user classes in Step 2 the appropriate access and manipulation privileges of the information classified in Step 1. This concept is illustrated in Figure 3. Figure 3 User classes tied to information categories via roles

20 206 L. AlAbdulkarim and Z. Lukszo Access rights to physical and logical assets In addition to the informational assets of the smart metering system, there exists a number of other valuable assets of the system which also require protection. By assuring the security of these assets, the smart metering information security is being assured in turn. These assets can be of a physical or logical nature; an example of the former is the server rooms, whereas an example of the latter is the operating system and applications that are running throughout the entire smart metering system. Access privileges must be allocated to the smart metering system s actors in a manner that permits them to gain access to assets (e.g., a database or a server room) that are required to carry out their system-related tasks and in a manner that prevents the users from viewing or manipulating other assets which are not part of their predefined access rights Security logs Security logs are automatically recorded events taking place across the system in order to provide an audit trail that can be used to understand system activity and to diagnose problems. Events logs play an important role in maintaining system security. They prove most useful in situations where security violations occur as a result of internal errors or malpractices. By referring to these, logs incidents can be analysed, countermeasures are put in action to restore system security and security policies are modified to prevent such scenarios from reoccurring Providing user training Providing users with training on how to use the system is an important part of system deployment. During this process, a number of customised training sessions are held for their respective different user classes. In these sessions, the users are presented with a certain scope of the system which they are allowed to view or manipulate. The system actors dimension ensures information security by defining the roles of actors within the system and by monitoring their behaviour to ensure legal usage of the system. The activities mentioned above limit access to the system, thereby decreasing the number of possible attack opportunities that may be exploited by malicious entities. 6 Conclusion Assuring information security in critical infrastructures is very crucial to ensure a successful operation of these infrastructures and delivery of their services. The best manner in which security can be implemented in the IT systems supporting these critical infrastructures is to regard security as a design and engineering process from the early stages of system development rather than an afterthought when the system has already been realised. In this paper, we presented the different kinds of information security threats that jeopardise the confidentiality of information maintained by the system and the consequences that may occur should these security breaches take place. We have also emphasised the importance of addressing security and integrating it into the system from the early stages of the system s development rather than retrofitting it at later stages,