Lessons learned from the new Smart Meter Risk Analysis Methodology in the Netherlands
Johan Rambi, Alliancemanager Privacy & Security, Alliander; Chairman Policy Committee Privacy & Security, Netbeheer Nederland
16 January 2013
Netbeheer Nederland is a branch organization for grid operators (TSO/DSOs) Privacy & Security
Steps towards the P&S Requirements for Large-scale rollout of smart meters
Privacy Stakeholder Analysis P&S Requirements Version 2.0 & Security Redevelopment Control Objectives Large-scale rollout Requirements Previous Version 1.5 Risk Analysis Privacy & Security Sector Requirements Control Measures Dutch Smart Meter Requirements (DSMR) Study Audit Committee P&S Implementation Guidelines
Privacy & Security Smart Metering Infrastructure Framework in NL
Stakeholder analysis and rule base Goals of grid operators Stakeholders expectations Formal legislation and regulations Norms and standards Privacy and security goals Formulation principles Risk analysis Requirements what to protect? Considerations and choices Measures how to realize it?
Risk Analysis Methodology
Stakeholder Analysis
Define assets
  Identify processes
  Define assets
  Identify and assess threat sources
Define Focus-of-Interest
  Group assets
  Business Impact Assessment (BIA)
Identify and assess risks
Prioritise and present risks
Stakeholder Analysis
Stakeholders Society Consumer Organizations Experts Universities Sector Energy suppliers Grid operators Government Knowledge institutes Meter vendors
Identify processes
Processes Energy Supplier: Energy procurement; Energy Sales / Invoicing (Billing); Disconnecting (switch off) defaulters
Processes Grid Operator: Transmission energy; Managing power quality; Meter Management; Capacity Planning; Minimize grid losses; Market Facilitation: SVO, data collection & billing
Processes Private Consumer: Energy consumption; Energy savings; Energy Production; Payment purchased products; Protection personal data
Processes ISP: Insight / advice on energy consumption of the private consumer
Define Assets
[Figure: smart metering infrastructure. Components: Customer Module (e.g. display), Smart E-meter, Other meters (G, water, ...), Data Concentrator (DC), Central System A, Central System B, P4-Portal (EDSN) Data Exchange, Energy Suppliers, Independent Service Provider (ISP). Interfaces: P0, P1, P2, P3 (3.1, 3.2), P4. Grid Operator A manages infrastructure for both electricity and gas; Grid Operator B manages infrastructure for gas only. The clouds symbolise network technologies, such as GPRS, PLC (Power Line Communication), internet, etc.]
Define Assets
Information Assets: Measurement Data; Switch Data; Configuration Data; Monitoring Data
Function Assets: Measuring Function; Communication Function; Switching Function
System Assets: Meter; Central System; Data Concentrator; P4-Portal (EDSN)
Identify and assess threat sources
Introduction
The threat sources refer to persons or parties responsible for a security incident. Note that disturbances are not always caused by human behavior. Think, for instance, of a system failure in the Data Concentrator that affects the stored measurement data.
Grid Operator Employee System error / malfunction Central system System error / malfunction Data concentrator System error / malfunction meter Persons / Parties / Technical Data communication provider Fault Communications Energy Supplier Employee System energy supplier Private consumer External attacker Researcher (academic / journalist) Fun Hacker Criminal Fraud Terrorist
Group Assets
[Figure labels: Stakeholder; Process; Link between Asset and Process; Asset; Asset Category; Focus]
Business Impact Assessment
Impact Classifications Stakeholders Categories Stakeholder Values Description Stakeholder Values on classifications Classifications
Business Impact Assessment
Results
[Figure labels: Total Score BIA for Asset on A, I, or C; Related to Availability, Integrity or Confidentiality; Stakeholder (incl. process); Values of stakeholder; Score on Business Impact Analysis; Focussed Asset]
Identify and assess risks
Likelihood Classifications (Likelihood Category: Occurrence in time)
Very High: "Daily (more than 100 times a year)"
High: "Monthly (10 to 100 times a year)"
Medium: "Annual (1 to 10 times a year)"
Low: "Probably (once a year to once in 10 years)"
Very Low: "Possible (once in 10 years to once a century)"
The calculation of the impact comes from the BIA, but the likelihood of the threat is determined during this step. Several aspects are taken into account:
Which vulnerabilities in the assets can lead to the actual occurrence of this threat?
What threat sources have an interest?
How important is that interest to the threat source?
How technically complex is it to abuse the vulnerability in real life?
What is the likelihood of an unintended disruption?
Identify and assess risks
The identified impact is taken from the Business Impact Assessment (BIA).
[Figure labels: Related to Availability, Integrity or Confidentiality; Identify Likelihood; Identified Threat; Related Asset; Identify Impact; Main Threat; Sub Threat; Sub Threat]
Identify and assess risks Count risk
Prioritise and present risks
Risk = Likelihood * Impact
[Figure labels: Identified Threat; Related Asset; Risk; Main Threat; Sub Threat; Sub Threat]
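The likelihood bands and the Risk = Likelihood * Impact step from the slides, worked through as an added example that is not part of the original presentation. The 1-5 likelihood scores, the inclusive lower bounds, the summing of stakeholder BIA scores, the focus threshold, all function names and all sample values are assumptions.

```python
from collections import namedtuple

# Bands from the slide as (lower bound per year, category, score). Assumptions:
# the 1-5 scores, the inclusive lower bounds, and summing stakeholder scores
# into a BIA total are not given on the slides.
BANDS = [(10.0, "High", 4), (1.0, "Medium", 3), (0.1, "Low", 2)]

# aspect is "A", "I" or "C"; per_year is the estimated frequency of occurrence.
Threat = namedtuple("Threat", "name asset aspect per_year")

def classify_likelihood(per_year):
    """Map expected occurrences per year to (category, score)."""
    if per_year < 0:
        raise ValueError("frequency cannot be negative")
    if per_year > 100:                  # "more than 100 times a year"
        return "Very High", 5
    for lower, name, score in BANDS:
        if per_year >= lower:
            return name, score
    return "Very Low", 1                # rarer than once in 10 years

def bia_total(scores, aspect):
    """Total BIA score for one aspect (A, I or C), summed over stakeholders."""
    return sum(per_aspect.get(aspect, 0) for per_aspect in scores.values())

def prioritise(threats, bia, focus_threshold):
    """Rank threats by Risk = Likelihood * Impact, focus assets only."""
    rows = []
    for t in threats:
        impact = bia_total(bia[t.asset], t.aspect)
        if impact >= focus_threshold:   # below threshold: outside the focus
            category, likelihood = classify_likelihood(t.per_year)
            rows.append((likelihood * impact, t.name, category, impact))
    return sorted(rows, reverse=True)

# Constructed sample data: stakeholder scores (0-5) per asset and aspect.
BIA = {
    "Measurement Data": {"Private consumer": {"C": 5, "I": 3},
                         "Grid operator": {"C": 3, "I": 4, "A": 2},
                         "Energy supplier": {"I": 5, "A": 3}},
    "Monitoring Data": {"Grid operator": {"A": 2, "I": 1}},
}
THREATS = [
    Threat("Data concentrator failure corrupts stored data", "Measurement Data", "I", 2),
    Threat("Measurement data disclosed to a third party", "Measurement Data", "C", 0.5),
    Threat("Monitoring data unavailable", "Monitoring Data", "A", 20),
]
if __name__ == "__main__":
    for risk, name, category, impact in prioritise(THREATS, BIA, focus_threshold=5):
        print(f"{risk:3d}  {name} (likelihood {category}, impact {impact})")
```

With the sample data, the monitoring-data threat drops out despite its high frequency because its BIA total is below the focus threshold.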
Approach for redevelopment
Stakeholder Analysis Stakeholder Analysis Risk Analysis Risk Analysis Other input phase 1 Other input phase 2 Open issues P&S Requirements Version 1.50 Open issues P&S Dutch Smart Meter Requirements 4.0 Official Privacy Code Smart Meter Grid Operators Document Integral Vision Smart Meter P&S Requirements Version 2.0 Control Objectives Alignment with Working Group DSMR Review P&S Audit Committee of the P&S Requirements Desk study P&S Audit Committee Experiences from penetration tests DSMR 4 meters Control Measures Internal review grid operators P&S requirements other European countries Experiences from code reviews DSMR 4 meters Implementation Guidelines Alignment with EDSN about P4-portal Essential Regulatory Recommendations for E.C. (EG-2) Analysis incidents Review and alignment ESMIG
Structure of the requirements
Stakeholder Analysis Risk Analysis Stakeholders Asset process Stakeholder Values BIA P&S Requirements Version 2.0 Risks Control Objectives Control Measures Implementation Grid Operator Organisation Implementation Guidelines Processes Technical
Nationaal Cyber Security Centre Cyber Security CPNI.nl Council The Netherlands IRB ICT Response Board (for Crisis) Dutch Data Protection Authority (CBP) ENCS Contact Group Security and Crisismanagement Policy Committee Audit Committee Privacy & Security Privacy & Security Netbeheer Nederland Working Group Smart Grid Cyber Security Project Group Smart Grids NEN European SCADA Control Systems Information Exchange (EuroSCSIE) Thematic Network for Critical Energy Infrastructure Protection (TNCEIP) Cyber Security EG: European Network of Transmission System Operators for Electricity European Commission DG ENER Europe European Commission DG INFSO/CONNECT Smart Grid Task Force Steering committee M/490 Smart Grid Coordination Group. Expert Group on Smart Grid Security M/490 Smart Grid Steering Committee. ENISA Expert Group 2 Data Privacy and Cyber Security M/490 Working Group for Smart Grid Information Security (WG SGIS). EUTC ETSI CEN CENELEC Standardisation European Reference Network Critical Infrastructure Protection (ERNCIP) European Commission DG HOME. DG HOME CIIP for SCADA and the Smart Grid. NIST U.S.A. DECC U.K. STEG
Security Toolbox M/490
Comparison with Dutch Risk Analysis methodology
To distinguish the different assets and group them, use for instance a model like this:
Use Case x Stakeholder 1 Stakeholder 2 Business Process 1 Business Process 2 Business Process 3 Business Process 1 Business Process 2 Business Process 3 Business Process 4 Business Process 5 Asset Category 1 Asset Category 2 A 1 X X X A 2 X X X X A 1 X X X X A 2 X X X X
Security Toolbox M/490
Comparison with Dutch Risk Analysis methodology
For the information assets, the impact of each use case should be defined per category of the different stakeholders.
Use case x Stakeholder Stakeholder Financial Reputation Safety Financial Reputation Operations Safety Regulation Total Asset Category x Asset 1 Asset 2 A I C A I C
Security Toolbox M/490
Comparison with Dutch Risk Analysis methodology
Potential threats are now identified only for the information assets that score significantly on impact:
ID Sub Threat Asset AIC-Classifications Likelihood Impact Risk Remarks Threat 1 Asset 2 A 1 A Asset 2 A 1 B Asset 2 A 1 C Asset 2 A 2 Asset 2 A 3 Asset 2 A 3 A Asset 2 A 3 B Asset 2 A 3 C Asset 2 A 4 Asset 2 I 4 A Asset 2 I 4 B Asset 2 I Remarks Chance
Security Toolbox M/490
Comparison with Dutch Risk Analysis methodology
Therefore an overall risk can be identified for each potential threat on an asset with a significant impact on the risk categories (operational, legal etc.). These threats should be the trigger to identify the needed essential requirements, and then to analyze the potential gaps in the existing standards:
Stakeholder Analysis Stakeholder processes Stakeholder Values Risk Analysis Impact on Stakeholder processes Impact on Stakeholder values Identify the gaps & define actions Actions to solve gaps Security Goals Risks Gaps Define essential requirements Essential Requirements Compare requirements with standards Identify relevant Standards
Are we ready for Cyber Security?
Many thanks for your attention!
Johan Rambi: Alliancemanager Privacy & Security
Telephone: +316 11879945
E-mail: johan.rambi@alliander.com