Lessons learned from the new Smart Meter Risk Analysis Methodology in the Netherlands

Similar documents
Including Threat Actor Capability and Motivation in Risk Assessment for Smart Grids

ENCS/NEC RESEARCH MEETING

Cyber Security in EU: ENISA approach

Enterprise Security Governance. Robert Coles Chief Information Security Officer and Global Head of Digital Risk & Security

Cyber Security in EU: ENISA approach

NIS Direktive und Europäische sicherheitsrelevante Projekte Udo Helmbrecht Executive Director, ENISA

EU CIP Project DENSEK. Joining forces against cyber threats on European level

Robert Malmgren. Smart Grid. Security Challenges - Legacy and Infrastructure Burdens

KPN and Utilities. Agenda

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

ESKISP Conduct security testing, under supervision

THINK SMART! THE INTRODUCTION OF SMART GAS METERS

SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios

Principles for BCM requirements for the Dutch financial sector and its providers.

NIST National Institute of Standards and Technology

ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012

Cyber Security for the energy industry

Information Technology

European Network for Cyber Security

How To Protect Your Network From Attack

Cloud Security Standardisation & Certification. Arjan de Jong Policy Advisor Information Security

Smart grid cyber security certification

ESKISP Direct security testing

BT Conferencing Business Continuity Management. Planning to stay in business

Appropriate security measures for smart grids

Cyber Security and Privacy - Program 183

DATA, THE GATE TO A SMART ENERGY SYSTEM - views from the electricity industry

Network security policy issues. Ilias Chantzos, Director EMEA & APJ NIS Summer School 2008, Crete, Greece

Vattenfall Eldistribution AB, Sweden Project AMR Automatic Meter Reading

Smart Metering Implementation Programme: Data Privacy and Security

DBC 999 Incident Reporting Procedure

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

An ERGEG Public Consultation Paper on Draft Guidelines of Good Practice on Regulatory Aspects of Smart Metering for Electricity and Gas

How To Write A Cybersecurity Framework

SECURITY RISK MANAGEMENT

Cybersecurity Risk Assessment in Smart Grids

State Governments at Risk: The Data Breach Reality

Advanced Metering Infrastructure

Overview TECHIS Manage information security business resilience activities

Information Security Team

Risk Management & Business Continuity Manual

Cyber security guide for boardroom members

ISO Information Security Management Services (Lot 4)

LGMA Qld Governance and Corporate Planning Village Forum

National Cyber Security Policy -2013

National Cyber Security Strategies

IT risk management discussion 2013 PIAA Leadership Camp May 15, 2013

The PNC Financial Services Group, Inc. Business Continuity Program

Privacy and Security in Healthcare

Cyber Security - What Would a Breach Really Mean for your Business?

OECD PROJECT ON CYBER RISK INSURANCE

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

How To Manage Risk On A Scada System

future data and infrastructure

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Information Security: Business Assurance Guidelines

Industrial Cyber Security 101. Mike Spear

Claes Rytoft, ABB, Security in Power Systems. ABB Group October 29, 2009 Slide 1

Certified Information Security Manager (CISM)

Utility-Scale Applications of Microgrids: Moving Beyond Pilots Cyber Security

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

Big Data, Big Risk, Big Rewards. Hussein Syed

Volker Jacumeit, DIN e. V. ILNAS Workshop CSCG Presentation June 4, 2015

The PNC Financial Services Group, Inc. Business Continuity Program

De Nieuwe Code voor Informatiebeveiliging

Cyber Security Health Test

Appendix 3 - Joint FRS Information Security & Assurance Sub Group Action Plan

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION

ESKISP Direct security architecture development

Business Continuity Management Policy

Procurement Innovation for Cloud Services in Europe

Road map for ISO implementation

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

INFRASTRUCTURE CONTROL SYSTEMS ENCRYPTION

Advanced Project Management Incl. MS Projects 5 DAYS

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

Smart grid security analysis

Smart Grid Security: A Look to the Future

Smart Meters Executive Paper

Onsight IntelliDefense SECURING YOUR BUSINESS

Cybersecurity The role of Internal Audit

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Managed Security Services SECURING YOUR BUSINESS

PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution

Preparing yourself for ISO/IEC

Business Continuity for Cyber Threat

Polish Financial Supervision Authority. Guidelines

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September Co-Chair s Summary Report

External Supplier Control Requirements

Emerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP

How small and medium-sized enterprises can formulate an information security management system

Developing a robust cyber security governance framework 16 April 2015

Paul Vlissidis Group Technical Director NCC Group plc

Flexible Plug & Play Smart grid cyber security design and framework. Tim Manandhar

Cloud and Critical Information Infrastructures

Cybersecurity & Public Utility Commissions

Are your people playing an effective role in your cyber resilience?

Transcription:

Lessons learned from the new Smart Meter Risk Analysis Methodology in the Netherlands Johan Rambi Alliancemanager Privacy & Security Alliander Chairman Policy Committee Privacy & Security Netbeheer Nederland 16 January 2013

Netbeheer Nederland is a branch organization for grid operators (TSO/DSO s) Privacy & Security 2

Steps towards the P&S Requirements for Large-scale rollout of smart meters Privacy Stakeholder Analysis P&S Requirements Version 2.0 & Security Redevelopment Control Objectives Large-scale rollout Requirements Previous Version 1.5 Risk Analysis Privacy & Security Sector Requirements Control Measures Dutch Smart Meter Requirements (DSMR) Study Audit Committee P&S Implementation Guidelines 3

Privacy & Security Smart Metering Infrastructure Framework in NL Stakeholder analysis and rule base Goals of grid operators Stakeholders expectations Formal legislation and regulations Norms and standards Privacy and security goals Formulation principles Risk analysis Requirements what to protect? Considerations and choices Measures how to realize it? 4

Risk Analysis Methodology Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 5

Stakeholder Analysis Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 6

Stakeholders Society Consumer Organizations Experts Universities Sector Energy suppliers Grid operators Government Knowledge institutes Meter vendors 7

Identify processes Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 8

Identify processes Processes Energy Supplier Energy procurement Energy Sales / Invoicing (Billing) Disconnecting (switch off) defaulters Processes Grid Operator Transmission energy Managing power quality Meter Management Capacity Planning Minimize grid losses Market Facilitation: SVO, data collection & billing Processes Private Consumer Energy consumption Energy savings Energy Production Payment purchased products Protection personal data Processes ISP Insight / advice on energy consumption of the private consumer 9

Define Assets Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 10

Define Assets Customer Module, e.g. display P1 Grid Operator A manages infrastructure for both electricity and gas P0 P1 Smart E-meter P2 P2 Other meters (G, water, ) P3 P3 3.1 Data Concentrator (DC) P3 3.2 Grid Operator B manages infrastructure for gas only P3 Central System A The clouds symbolise network technologies, such as GPRS, PLC (Power Line Communication), internet, etc. Central System B P4 P4 EDSN P4-Portal Data Exchange P4-Portal (EDSN) Data Exchange P4 P4 Energy Suppliers Suppliers ISP Independent Service Provider (ISP) 11

Define Assets Information Assets Function Assets System Assets Measurement Data Measuring Function Meter Switch Data Communication Function Central System Configuration Data Switching Function Data Concentrator Monitoring Data P4-Portal (EDSN) 12

Identify and assess threat sources Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 13

Identify and assess threat sources Introduction The threat sources refer to persons or parties responsible for a security incident. Note that disturbances are not always caused by human behavior. Think for instance of a system failure in the Data Concentrator, that is affecting the stored measurement data. Grid Operator Employee System error / malfunction Central system System error / malfunction Data concentrator System error / malfunction meter Persons / Parties / Technical Data communication provider Fault Communications Energy Supplier Employee System energy supplier Private consumer External attacker Researcher (academic / journalist) Fun Hacker Criminal Fraud Terrorist 14

Identify and assess threat sources 15

Group Assets Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 16

Group Assets Stakeholder Process Link between Asset and Process Asset Asset Category 17

Group Assets Stakeholder Process Link between Asset and Process Asset Asset Category Focus 18

Business Impact Assessment Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 19

Business Impact Assessment Impact Classifications Stakeholders Categories Stakeholder Values Description Stakeholder Values on classifications Classifications 20

Business Impact Assessment Results Total Score BIA for Asset on A, I, or C Related to Available, Integrity or Confidentiality Stakeholder (incl. process) Values of stakeholder Score on Business Impact Analysis Focussed Asset 21

Identify and assess risks Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 22

Identify and assess risks Likelihood Classifications Likelihood Categories Very High High Medium Low Very Low Occurance in time "Daily (more than 100 times a year)" "Monthly (10 to 100 times a year)" "Annual (1 to 10 times a year)" "Probably (once a year to once in 10 years)" "Possible (once in 10 years to once a century)" The calculation of the impact comes from the BIA, but the likelihood of the threat is determined during this step. Several aspects are taken into account: Which vulnerabilities in the assets can lead to the actual occurrence of this threat? What threat sources have an interest? How important is that interest of threat source? What is the extent of the technical complexity to abuse the vulnerability in real life? What is the likelihood of an unintended disruption? 23

Identify and assess risks Related to Available, Integrity or Confidentiality Identify Likelihood Identified Threat Related Asset Identify Impact The identified impact is taken from the Business Impact Assessment (BIA) Main Threat Sub Threat Sub Threat 24

Identify and assess risks Count risk 25

Prioritise and present risks Stakeholder Analysis Define assets Identify processes Define assets Identify and assess threat sources Define Focus-of-Interest Group assets Business Impact Assessment (BIA) Identify and assess risks Prioritise and present risks 26

Prioritise and present risks Identified Threat Related Asset Risk Risk = Likelihood * Impact Main Threat Sub Threat Sub Threat 27

Approach for redevelopment Stakeholder Analysis Stakeholder Analysis Risk Analysis Risk Analysis Other input phase 1 Other input phase 2 Open issues P&S Requirements Version 1.50 Open issues P&S Dutch Smart Meter Requirements 4.0 Official Privacy Code Smart Meter Grid Operators Document Integral Vision Smart Meter P&S Requirements Version 2.0 Control Objectives Alignment with Working Group DSMR Review P&S Audit Committee of the P&S Requirements Desk study P&S Audit Committee Experiences from penetration tests DSMR 4 meters Control Measures Internal review grid operators P&S requirements other European countries Experiences from code reviews DSMR 4 meters Implementation Guidelines Alignment with EDSN about P4-portal Essential Regulatory Recommedations for E.C. (EG-2) Analysis incidents Review and alignment ESMIG 28

Structure of the requirements Stakeholder Analysis Risk Analysis Stakeholders Asset process Stakeholder Values BIA P&S Requirements Version 2.0 Risks Control Objectives Control Measures Implementation Grid Operator Organisation Implementation Guidelines Processes Technical 29

Structure of the requirements Stakeholder Analysis Risk Analysis Stakeholders Asset process Stakeholder Values BIA P&S Requirements Version 2.0 Risks Control Objectives Control Measures Implementation Grid Operator Organisation Implementation Guidelines Processes Technical 30

Nationaal Cyber Security Centre Cyber Security CPNI.nl CouncilThe Netherlands IRB ICT Response Board (for Crisis) Dutch Data Protection Authority (CBP) ENCS Contact Group Security and Crisismanagement Policy Committee Audit Committee Privacy & Security Privacy & Security Netbeheer Nederland Working Group Smart Grid Cyber Security Project Group Smart Grids NEN European SCADA Control Systems Information Exchange (EuroSCSIE) Thematic Network for Critical Energy Infrastructure Protection (TNCEIP) Cyber Security EG: European Network of Transmission System Operators for Electricity European Commission DG ENER Europe European Commission DG INFSO/CONNECT Smart Grid Task Force Steering committee M/490 Smart Grid Coordination Group. Expert Group on Smart Grid Security M/490 Smart Grid Steering Committee. ENISA Expert Group 2 Data Privacy and Cyber Security M/490 Working Group for Smart Grid Information Security (WG SGIS). EUTC ETSI CEN CENELEC Stand dardisation European Reference Network Critical Infrastructure Protection (ERNCIP) European Commission DG HOME. DG HOME CIIP for SCADA and the Smart Grid. NIST U.S.A. DECC U.K. STEG 31

Security Toolbox M/490 32

Security Toolbox M/490 Comparison with Dutch Risk Analysis methodology Make for this distinction of the different assets and grouping of the assets for instance a model like this: Use Case x Stakeholder 1 Stakeholder 2 Business Process 1 Business Process 2 Business Process 3 Business Process 1 Business Process 2 Business Process 3 Business Process 4 Business Process 5 Asset Category 1 Asset Category 2 A 1 X X X A 2 X X X X A 1 X X X X A 2 X X X X 33

Security Toolbox M/490 Comparison with Dutch Risk Analysis methodology For the information assets the impact of each use case should be defined, of course per category of the different stakeholders. Use case x Stakeholder Stakeholder Financial Reputation Safety Financial Reputation Operations Safety Regulation Total Asset Category x Asset 1 Asset 2 A I C A I C 34

Security Toolbox M/490 Comparison with Dutch Risk Analysis methodology Now only for the information assets that score significant on impact potential threats are identified: ID Sub Threat Asset AIC-Classifications Likelihood Impact Risk Remarks Threat 1 Asset 2 A 1 A Asset 2 A 1 B Asset 2 A 1 C Asset 2 A 2 Asset 2 A 3 Asset 2 A 3 A Asset 2 A 3 B Asset 2 A 3 C Asset 2 A 4 Asset 2 I 4 A Asset 2 I 4 B Asset 2 I Remarks Chance 35

Security Toolbox M/490 Comparison with Dutch Risk Analysis methodology Therefore an overall risk can be identified for each potential threat on an asset with a significant impact on the risk categories (operational, legal etc.). These threats should be the trigger to identify the needed essential requirements, and next to analyze the potential gaps in the existing standards: Stakeholder Analysis Stakeholder processes Stakeholder Values Risk Analysis Impact on Stakeholder processes Impact on Stakeholder values Identify the gaps & define actions Actions to solve gaps Security Goals Risks Gaps Define essential requirements Essential Requirements Compare requirements with standards Identify relevant Standards

Are we ready for Cyber Security? 37

Many thanks for your attention! Johan Rambi : Alliancemanager Privacy & Security Telephone : +316 11879945 E-mail : johan.rambi@alliander.com 38

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information