Including Threat Actor Capability and Motivation in Risk Assessment for Smart Grids




CPSR-SG 2016: Joint International Workshop on Cyber-Physical Security and Resilience in Smart Grids, 12th April 2016, Vienna

Security for smart Electricity GRIDs (SEGRID)

Including Threat Actor Capability and Motivation in Risk Assessment for Smart Grids

Judith E. Y. Rossebø, ABB AS
Frank Fransen, Eric Luiijf, TNO

SEGRID has received funding from the European Union's Seventh Framework Programme for research, technological development and demonstration under grant agreement no. 607109.

FP7 project SEGRID
To enhance the protection of smart grids against cyber-attacks.
Outline: SEGRID Partners; Focus of SEGRID; SEGRID Use Cases

FP7 project SEGRID
To enhance the protection of smart grids against cyber-attacks. We do this by applying a risk assessment approach to a number of SEGRID use cases and using the results of the risk assessments to:
- enhance risk assessment methodologies and vulnerability assessment tools
- determine gaps in current security technologies and regulations
- develop novel security solutions for smart energy grids
- test the newly developed solutions

Threat & RA applied to SEGRID use cases: requirements on RA methodologies (objectives)
The aim is to adapt/recommend a practical methodology for security threat and risk assessment of smart electricity grids. For this, we discussed:
- What are the smart electricity grid requirements on the methodology?
- Which methods should be assessed?
We discussed, drafted, and approved a set of evaluation requirements. This set of requirements was used to evaluate a short list of methodologies.

Threat & RA applied to SEGRID use cases: candidate methodologies selected to be evaluated (the short list)
- CORAS
- EURAM
- ETSI TVRA method and spreadsheet
- M/490 SGIS Toolbox
- HMG IA Standard No. 1 (IS1)
- (IS1 based) Risk Analysis Methodology created and used by Netbeheer Nederland to assess risks in smart meters
- The EC SG Expert Group 6 step approach
- OCTAVE

Scoring of the candidate RA methods
Result: the (IS1 based) Risk Analysis Methodology created and used by Netbeheer NL to assess risks in smart meters was selected.

Steps in SEGRID Approach to Threat & RA
Inputs: Vision (security trends, technology, regulation); Stakeholder analysis (regulation, values, expectations); Vision smart grid (technology, architecture, processes).
1. Define scope: identify stakeholders; identify stakeholder processes; identify assets; link assets & stakeholder processes.
2. Impact assessment: choose relevant assets; define stakeholders' impact categories and values; assess risk impact for each stakeholder impact category.
3. Threat assessment: identify and assess threat sources; identify and assess threat actors; identify vulnerabilities and threat scenarios.
4. Estimate risk: determine risks per stakeholder; overall risk per threat scenario; prioritise threat scenarios.

Step 1: Scope of the Threat & Risk Assessment
- Use case scope
- Identify stakeholders and assets
- Link stakeholder processes & assets using the SGAM functional view
Example: Use Case 1, Scenario 2: Remote power switching

Step 1: Scope of the Threat & Risk Assessment: define scope summary for Use Case 1, Scenario 2
Use Case 1: Smart meter used for online reading of consumption and technical data. Scenario 2: Remote power switching.
Impact value per asset, security property and stakeholder impact category (values 1 to 4 as on the slide):

                                          DSO                   Energy Supplier       Customer
Asset                    Property         Fin Rep Ops Saf Leg   Fin Rep Ops Saf Leg   Fin AoS Priv
Information asset 1:     Confidentiality   1   1   1   1   1     1   1   3   1   2     1   1   4
Switch Data              Integrity         3   3   4   2   3     3   2   4   3   3     3   4   1
                         Availability      2   2   3   1   2     2   2   3   1   3     2   2   1
Information asset 2:     Confidentiality   1   1   1   1   1     1   1   1   1   2     1   1   1
Monitoring Data          Integrity         3   3   4   2   3     3   2   4   1   3     2   2   1
                         Availability      3   3   2   2   3     3   2   3   1   3     2   2   1
System asset 1:          Confidentiality   1   1   1   1   1     1   1   1   1   2     1   1   1
Energy Supplier System   Integrity         1   1   1   1   1     4   3   4   1   2     2   4   1
                         Availability      1   1   1   1   1     3   2   3   1   2     2   2   1

Fin = Financial, Rep = Reputation, Ops = Operations, Saf = Safety, Leg = Legal and regulatory, AoS = Assurance of Supply, Priv = Privacy.

Step 2: Stakeholder Impact Assessment
What kinds of threats have critical impact on stakeholders' assets?
Example: Ukrainian outage
- Several DSOs impacted: operations, reputation, financial losses
- 225,000 customers experienced loss of power on Dec 23rd, 2015

Step 2: Stakeholder Impact Assessment
Use Case 1: Smart meter used for online reading. Scenario 2: Remote power switching.
[SGAM-style diagram of the assets in scope, per zone]
- Level 4 Enterprise: Energy Supplier System
- Level 3 Operation: Data Hub: Exchange System; IT DSO: Smart Metering Information System (AMI), Meter Data Concentrator, SCADA
- Level 2 Station
- Level 1 Field: Household Smart Meter, Display
- Level 0 Process: Sensors, Actuator (Switch)
Functions shown: Make data available, Monitoring, Operate, Maintenance. Information assets: Switch Data, Monitoring Data.
Each asset is assessed for Confidentiality, Integrity and Availability against each stakeholder's impact categories: Financial, Reputation, Operations, Safety, Legal & regulatory compliance.

Step 2: Stakeholder Impact Assessment
Use Case 1: Smart meter used for online reading of consumption and technical data. Scenario 2: Remote power switching.
This slide repeats the impact table of the Step 1 define-scope summary, now read as the assessed impact: rows are the information assets (Switch Data, Monitoring Data) and the system asset (Energy Supplier System), each for Confidentiality, Integrity and Availability; columns are the impact categories per stakeholder (DSO, Energy Supplier, Customer). The values are the same as in the Step 1 table.

Step 3: Threat Assessment
In the scope of the use case, identify:
- Threat actors: motivation, opportunity, capability
- Potential attacks
- Threat scenarios

Step 4: Risk Estimation
Based on ETSI TVRA, enhanced for SEGRID.
Likelihood estimation: with TVRA we score what an attacker has to be able to do in terms of Time, Expertise, Knowledge, Opportunity, and Equipment; a higher score means that the attacker has to have a higher attack potential. The scores are used as a metric for likelihood, so likelihood is derived from opportunity and (required) capability.
Impact estimation: the intensity of the attack is a factor of the impact.
Risk = likelihood x impact.
Open question: what about motivation? TVRA covers opportunity and capability but not the motivation of the threat actor.

Ukrainian attacks, Dec 23, 2015: Ukrainian power companies, power outages
- Threat source: unidentified, highly motivated group
- Threat actors: highly knowledgeable, highly skilled hackers
- Time to prepare: not known; time to research, develop malware and penetrate systems (> 6 months?); time to acquire legitimate credentials and knowledge of networks and systems
- Attack on 3 DSOs: synchronized and coordinated attack involving a range of techniques, following extensive reconnaissance of victim networks (BlackEnergy?). Malicious remote operation of breakers by multiple external attackers, using remote admin tools and ICS client software over VPN. Wiping of systems (RTUs) using KillDisk malware; serial-to-Ethernet device firmware corrupted; scheduled disconnects of server uninterruptible power supplies (UPS) via the remote management interface (to interfere with restoration efforts).
- Incident: power outages, 225,000 customers
Source: https://ics-cert.us-cert.gov/alerts/ir-alert-h-16-056-01

SEGRID Risk Assessment: findings from applying the SEGRID approach
TVRA assesses what is required in terms of capability and opportunity in order to estimate the likelihood of an attack. However, what about the threat actor's motivation and capability? Stuxnet and the Ukrainian power outage are real examples that demonstrate that threat actor capability and motivation influence likelihood.
Risk = likelihood x impact, with likelihood derived from opportunity and required capability only; threat actor motivation and capability are not accounted for.

Analysis of threat actor in RA methodologies: overview of the state of the art
- ISO/IEC 27005:2011: motivation is a factor for deliberate threat sources, however no guidance is given.
- IS1 method: the threat source is analysed in terms of capability, motivation and opportunity to cause a compromise. Risk is evaluated at a high level and does not include likelihood explicitly.
- OWASP risk rating methodology: threat actor motivation is a threat agent factor, however the overall likelihood is calculated as an average of the 8 factors.
- ETSI TS 102 165-1 (TVRA): does not include threat actor analysis.
- Others: IRAM2, DBT, Intel Threat Agent Library.
Threat actor analysis is addressed, however a more complete analysis for including it in the risk estimation step is needed.

Including threat actor capability and motivation
Starting point: likelihood estimation in the ETSI TVRA, based on the CC CEM (Common Criteria Evaluation Methodology).
Attack scenario factors (example): Time 4, Expertise 6, Knowledge 3, Opportunity 4, Equipment 3; sum 20.
Required attack potential to likelihood of attack:

  Sum of factors   Attack potential   Likelihood
  0 to 9           Basic              Very likely
  10 to 13         Enhanced Basic     Likely
  14 to 19         Moderate           Possible
  20 to 24         High               Unlikely
  > 24             Beyond high        Very unlikely

Including threat actor capability and motivation
Threat actor analysis (based on IS1): the capability of the threat source/actor is combined with its motivation into a threat level.

Likelihood Estimation Enhanced
Attack scenario (required attack potential): Time 4, Expertise 6, Knowledge 3, Opportunity 4, Equipment 3; sum 20.
Threat source/threat actor, per security property (capability, motivation): C (4, 3); I (4, 5); A (4, 4). These give a threat level per property.
Likelihood of attack from required attack potential (rows) and threat level (columns):

  Attack potential   Negligible      Low             Moderate        Severe        Critical
  Basic              Possible        Likely          Very Likely     Very Likely   Very Likely
  Enhanced Basic     Unlikely        Possible        Likely          Very Likely   Very Likely
  Moderate           Very Unlikely   Unlikely        Possible        Likely        Very Likely
  High               Very Unlikely   Very Unlikely   Unlikely        Possible      Likely
  Beyond high        Very Unlikely   Very Unlikely   Very Unlikely   Unlikely      Possible

Enhancement of the Risk Estimation Step
Based on ETSI TS 102 165-1 & ISO/IEC 18045, enhanced for SEGRID.
Likelihood estimation: with TVRA we score what an attacker has to be able to do in terms of Time, Expertise, Knowledge, Opportunity, and Equipment; a higher score means that the attacker has to have a higher attack potential (the required capability). In the enhanced step the motivation and capability of the threat source/threat actor are included as well.
Impact estimation: the intensity of the attack is a factor of the impact.
Risk = likelihood x impact, where likelihood is a function of opportunity, required capability, and the motivation and capability of the threat source/threat actor.
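The Step 4 computation carried through in code, as an added worked example (it is not the SEGRID tool nor the ETSI TVRA spreadsheet): it bands the five attack potential factors as on the TVRA slide, reads the enhanced likelihood matrix, and multiplies likelihood by the Switch Data impact values from the Step 2 table, for the attack scenario (sum 20) and the per-property threat actor scores shown on the slides. Two things are this example's own assumptions because the slides do not give them: how capability and motivation combine into a threat level (IS1's combination table is not reproduced here, so the example uses the rounded-up mean of the two scores), and the numeric ranking 1 to 5 of the likelihood levels used in risk = likelihood x impact. All function and variable names are the example's own.

```python
# Added worked example (not the SEGRID tool or the ETSI TVRA spreadsheet):
# Step 4 risk estimation for one threat scenario, following the slides.
#   1. TVRA attack potential from the five CC CEM factors, banded as on the slide
#   2. IS1-style threat level from threat actor capability and motivation
#   3. enhanced likelihood = matrix(required attack potential, threat level)
#   4. risk = likelihood x impact per stakeholder impact category; overall = max
# Names and the two marked ASSUMPTIONs are this example's, not the slides'.

LIKELIHOOD = ["Very Unlikely", "Unlikely", "Possible", "Likely", "Very Likely"]
ATTACK_POTENTIAL = ["Basic", "Enhanced Basic", "Moderate", "High", "Beyond high"]
THREAT_LEVEL = ["Negligible", "Low", "Moderate", "Severe", "Critical"]

# Enhanced likelihood matrix as on the slide: rows = required attack potential,
# columns = threat level from Negligible to Critical.
ENHANCED_LIKELIHOOD = {
    "Basic":          ["Possible", "Likely", "Very Likely", "Very Likely", "Very Likely"],
    "Enhanced Basic": ["Unlikely", "Possible", "Likely", "Very Likely", "Very Likely"],
    "Moderate":       ["Very Unlikely", "Unlikely", "Possible", "Likely", "Very Likely"],
    "High":           ["Very Unlikely", "Very Unlikely", "Unlikely", "Possible", "Likely"],
    "Beyond high":    ["Very Unlikely", "Very Unlikely", "Very Unlikely", "Unlikely", "Possible"],
}

# Stakeholder impact categories, in the column order of the Step 2 table.
CATEGORIES = ([("DSO", c) for c in ("Financial", "Reputation", "Operations", "Safety", "Legal and regulatory")]
              + [("Energy Supplier", c) for c in ("Financial", "Reputation", "Operations", "Safety", "Legal and regulatory")]
              + [("Customer", c) for c in ("Financial", "Assurance of Supply", "Privacy")])

# Impact rows for information asset 1 (Switch Data), copied from the Step 2 table.
SWITCH_DATA_IMPACT = {
    "C": [1, 1, 1, 1, 1, 1, 1, 3, 1, 2, 1, 1, 4],
    "I": [3, 3, 4, 2, 3, 3, 2, 4, 3, 3, 3, 4, 1],
    "A": [2, 2, 3, 1, 2, 2, 2, 3, 1, 3, 2, 2, 1],
}
# Attack scenario factors (sum 20) and threat actor (capability, motivation)
# per property, both from the "Likelihood Estimation Enhanced" slide.
FACTORS = dict(time=4, expertise=6, knowledge=3, opportunity=4, equipment=3)
ACTOR = {"C": (4, 3), "I": (4, 5), "A": (4, 4)}


def attack_potential(time, expertise, knowledge, opportunity, equipment):
    """Sum the TVRA factors and band them: 0-9 Basic ... >24 Beyond high."""
    total = time + expertise + knowledge + opportunity + equipment
    bands = [(9, "Basic"), (13, "Enhanced Basic"), (19, "Moderate"), (24, "High")]
    return next((name for limit, name in bands if total <= limit), "Beyond high")


def tvra_likelihood(potential):
    """Plain TVRA: higher required attack potential means lower likelihood."""
    return LIKELIHOOD[4 - ATTACK_POTENTIAL.index(potential)]


def threat_level(capability, motivation):
    """Threat level from capability and motivation (each 1..5).
    ASSUMPTION: IS1's combination table is not on the slides; this uses the
    rounded-up mean, so a capable but unmotivated actor (5, 1) is Moderate."""
    if not all(1 <= score <= 5 for score in (capability, motivation)):
        raise ValueError("capability and motivation must be in 1..5")
    return THREAT_LEVEL[(capability + motivation + 1) // 2 - 1]


def enhanced_likelihood(potential, level):
    return ENHANCED_LIKELIHOOD[potential][THREAT_LEVEL.index(level)]


def risk(likelihood, impact):
    """Risk = likelihood x impact. ASSUMPTION: likelihood is ranked 1..5
    (Very Unlikely .. Very Likely); impact is the 1..4 value from the table."""
    return (LIKELIHOOD.index(likelihood) + 1) * impact


def assess_scenario(factors, capability, motivation, impacts):
    """Step 4 for one threat scenario against one asset property.
    impacts maps (stakeholder, impact category) -> impact value."""
    potential = attack_potential(**factors)
    level = threat_level(capability, motivation)
    likelihood = enhanced_likelihood(potential, level)
    per_stakeholder = {key: risk(likelihood, value) for key, value in impacts.items()}
    return {"attack_potential": potential,
            "tvra_likelihood": tvra_likelihood(potential),  # TVRA alone, for comparison
            "threat_level": level, "likelihood": likelihood,
            "risk_per_stakeholder": per_stakeholder,        # risk per stakeholder
            "overall_risk": max(per_stakeholder.values())}  # overall risk per scenario


def assess_switch_data():
    """Assess C, I and A of Switch Data and prioritise them by overall risk."""
    results = {}
    for prop, (capability, motivation) in ACTOR.items():
        impacts = dict(zip(CATEGORIES, SWITCH_DATA_IMPACT[prop]))
        results[prop] = assess_scenario(FACTORS, capability, motivation, impacts)
    return sorted(results.items(), key=lambda kv: kv[1]["overall_risk"], reverse=True)


if __name__ == "__main__":
    for prop, r in assess_switch_data():
        print(f"Switch Data/{prop}: {r['attack_potential']} potential, TVRA alone {r['tvra_likelihood']};"
              f" threat level {r['threat_level']} -> {r['likelihood']}; overall risk {r['overall_risk']}")
```

Running it shows the point of the enhancement: the same attack scenario (sum 20, High attack potential) is Unlikely under TVRA alone, but for the Integrity property it becomes Likely once the Critical threat level of a highly motivated and capable actor is taken into account, which puts DSO Operations and Customer Assurance of Supply (impact 4) at the top of the priority list, ahead of Confidentiality and Availability.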

Conclusion: SEGRID threat and risk assessment for smart grid
- The SEGRID approach builds on state of the art RA methodologies while providing guidance and enhancements for use in smart grids.
- We applied the SEGRID approach to selected use cases, demonstrating its suitability for RA across multiple stakeholders, identifying critical threats and risks to the stakeholders involved in the use cases, and identifying the need to include the threat actor analysis in the RA for smart grids.
- We have presented an enhancement to the SEGRID approach for including the threat actor motivation and capability in the risk estimation step.
- The enhanced method is supported by a tool and by practical guidance for each step of the method.
- Further work includes applying the enhanced method to all of the SEGRID use cases.

Questions
Judith E. Y. Rossebø, PhD, Cyber Security Specialist, ABB AS
Phone: +47 22874725, Mobile: +47 41563062, E-mail: judith.rossebo@no.abb.com
SEGRID: Mail: info@segrid.eu, Website: www.segrid.eu, Telephone: +31 8886 67758


SEGRID Risk Assessment Enhancements, discussion: why did we choose a standards based approach?
- SEGRID set out to build on results from European research projects that have contributed to the development of RA for the energy sector.
- We wanted a practical approach that can be applied to the SEGRID use cases.
- If a standard exists, it should be applied.
- We also aim to be able to feed our results back into the standards development organizations (SDOs) for improvements and revisions of the standards.

Example based on Alert (IR-ALERT-H-16-056-01): Cyber-Attack Against Ukrainian Critical Infrastructure
Likelihood factors considered: opportunity, required capability, and the motivation and capability of the threat source/threat actor.

Business Blackout report: "Erebos" cyber blackout scenario (extreme event)
- Threat source: unidentified, highly motivated group
- Threat actors: highly knowledgeable, highly skilled hackers
- Time to prepare: 1 year to research, develop malware and penetrate systems; 9 months to map networks, disable safety systems and plan the attack launch
- Attack on 50 generators: sophisticated attack involving a range of different techniques: social engineering ("phishing"), physical intrusions, hacking of remote access to the control systems
- Incident: massive outage in 15 states, including NYC and DC; economic impact estimated at $1 trillion
Source: http://www.businessinsider.com/r-cyber-attack-on-us-power-grid-could-cost-economy-1-trillion-report-2015-7

SEGRID WP2: application & evaluation of security RA methodologies for SG
Elaborate on existing threat, vulnerability and risk assessment results and apply selected methodologies to the SEGRID smart grid use cases.
Results so far:
- We have specified a set of requirements; these were used to evaluate candidate methodologies.
- We have elaborated on the results of the M/490 SGIS and the Netbeheer NL methodology, and have applied the proposed SEGRID approach to selected use cases.
- The approach includes the different stakeholders in the risk estimation step.
- D2.1 presents the results of the threat and risk assessments applied to SEGRID use cases, including recommendations for enhancement of the RA methodology.
- D2.2 (ongoing): enhancements to the SEGRID approach to threat and risk assessment.
- D2.3 reports on the identified gaps with recommendations for closing them.

Steps in SEGRID Approach to Threat & RA
Inputs: Vision (security trends, technology, regulation); Stakeholder analysis (regulation, values, expectations); Vision smart grid (technology, architecture, processes).
1. Define scope: identify stakeholders; identify stakeholder processes; identify assets; link assets & stakeholder processes.
2. Impact assessment: choose relevant assets; define stakeholders' impact values; assess impact.
3. Threat assessment: identify threat actors; identify threat scenarios; identify and assess threat sources.
4. Estimate risk: determine risks per stakeholder; overall risk per threat scenario; estimate likelihood; estimate impact; prioritise threat scenarios.

D2.1 result: SEGRID practical RA
WP2 has defined a practical approach to risk assessment (a different method can be used for each step):
- Step 1: Define the scope
- Step 2: Impact assessment
- Step 3: Threat assessment
- Step 4: Evaluate risks
Further steps are needed in the full approach:
- Step 5: Risk treatment plan: technical measures needed
- Step 6: Gap analysis on technical measures (which technical measures needed are missing today?) and roadmap (T2.3)
- Step 7: Specify solutions for identified selected gaps (WP4)
- Step 8: Implement and evaluate these selected improved novel solutions in the test environment (WP5)

Use Case 1: Smart meter used for online reading of consumption & technical data. Scenario 2: Remote power switching.
SEGRID RA Step 3: Threat assessment (threat scenario diagram)
- Threat actor: Cyberwarrior / software hacker; motivation: political
- Vulnerability: insufficient access control
- Asset attacked: Data Hub: Exchange System
- Threat scenario: hacker penetrates the system and sends <switch off> commands to very many customers [Unlikely]
- Consequences and stakeholder impact:
  - Very many customers lose power: Customer Assurance of Supply: High
  - Data Hub systems integrity breach: Data Hub Operations: High; Data Hub Legal and Regulatory Compliance: Medium
  - IT DSO is impacted due to false <switch off> commands: DSO Operations: High; DSO Legal and Regulatory Compliance: Medium
  - Energy supplier is not able to supply customers: High (Energy Supplier Operations, Energy Supplier Financial)

Step 2: Stakeholder Impact Assessment
Use Case 1: Smart meter used for online reading. Scenario 2: Remote power switching.
[SGAM diagram of the assets in scope; legend: functional layer, information layer, communication layer, component layer]
- Level 4 Enterprise: Energy Supplier System
- Level 3 Operation: Data Hub: Exchange System; IT DSO: Smart Metering Information System (AMI), Meter Data Concentrator, SCADA
- Level 2 Station: RTU
- Level 1 Field: Household Smart Meter, Display
- Level 0 Process: Sensors, Actuator (Switch)
Functions shown: Make data available, Monitoring, Operate, Maintenance. Information assets: Switch Data, Monitoring Data.