Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Abstract—As much as possible, it is important that the smart vulnerabilities a system (or organization) has and the nature of
grid is secure from cyber-attacks. A vital part of ensuring the the threat. Based on the outcomes of the risk assessment,
security of smart grids is to perform a cybersecurity risk security requirement can be identified, e.g., that certain systems
assessment that methodically examines the impact and likelihood should be authenticated, which can be realized via a security
of cyber-attacks. Based on the outcomes of a risk assessment, architecture and controls.
security requirements and controls can be determined that
inform architectural choices and address the identified risks. There are a number of high-level risk assessment methods
Numerous high-level risk assessment methods and frameworks (or frameworks) that an organization can use to support the
are applicable in this context. A method that was developed implementation of a cybersecurity risk assessment for the smart
specifically for smart grids is the Smart Grid Information Security grid. Examples include OCTAVE [1], HMG IS1[2] and
(SGIS) toolbox, which we applied to a voltage control and power Magerit [3] – many of these are based on the principles
flow optimization smart grid use case. The outcomes of the identified in ISO 27005 [4], which provides guidelines on how
assessment indicate that physical consequences could occur to implement an information security risk management
because of cyber-attacks to information assets. Additionally, we framework within an organization. We discuss these methods
provide reflections on our experiences with the SGIS toolbox, in in more detail in Sec. II on related work. Whilst these risk
order to support others in the community when implementing assessment methods are useful, they do not provide specific
their own risk assessment for the smart grid.
guidelines for the peculiarities of the smart grid. For example,
Keywords—risk assessment; smart grid; SGIS toolbox;
in the smart grid, cyber-attacks can have physical impacts on
cybersecurity the quality of energy supply or cause damage to power
equipment. Furthermore, attacks could result in safety-related
incidents happening, resulting in injury or loss of life. In this
I. INTRODUCTION context, it would be helpful to provide specific guidance on
At the core of the smart grid are increased monitoring and how to assess these aspects.
control capabilities, primarily in medium- and low-voltage
As part of CEN-CENELEC-ETSI’s response to the EU
networks, that are supported by Information and
Mandate 490, the Smart Grid Information Security (SGIS)
Communication Technology (ICT) and Supervisory Control
working group developed the SGIS toolbox [5] – a set of high-
and Data Acquisition (SCADA) systems. An example use of
level guidelines for assessing the cybersecurity risks associated
these systems is to support dynamic voltage control strategies
with smart grid use cases. The SGIS toolbox includes a number
that enable the deployment of volatile Distributed Energy
of notable smart grid-specific aspects, such as the enumeration
Resources (DERs), such as photovoltaics, without the need for
of different impact categories that reflect the nature of the
installing new and expensive grid capacity. Use cases of this
smart grid. We summarize the SGIS toolbox in Sec. III.
nature will result in ICT and SCADA systems playing an
Ultimately, the SGIS toolbox was apparently not very-well
increasingly critical role in the operation of electricity
received in the community, receiving extensive critique [5].
distribution networks; cyber-attacks to these systems could
Nevertheless, in the EU-funded SPARKS project, we applied
have a significant impact.
the SGIS toolbox to a smart grid voltage control and power
Alongside these smart grid developments, a number of flow optimization use case. A summary of the use case that we
cyber-attacks have targeted industrial control systems and investigated is presented in Sec. IV. Our intention was to gain
energy sector organizations. The motivation for these attacks is applied insights into the challenges of performing a risk
varied, and includes industrial espionage and causing physical assessment for the smart grid that, despite its shortcomings, the
damage to equipment. For the moment, the latter is the SGIS toolbox appeared to be well-suited. In Sec. VI, we
exception, and can require expertise that is difficult to acquire summarize some of the key findings from this exercise,
and in-depth knowledge of the target environment. In order to highlighting how cyber-attacks to selected information assets
address these threats, it is important to implement a in this use case under examination can have physical
cybersecurity risk assessment. In short, one assesses the impact consequences. Additionally, we provide reflections on our
of cyber-attacks to information assets, and the likelihood of experiences from using the SGIS toolbox in Sec. VII, which we
attacks occurring – the product of these two items is used to will take forward in the SPARKS project, as we develop our
determine risk. Likelihood is typically a function of the own approach to risk assessment and management.
Table 1: Relevant Methodologies and Frameworks for Risk Assessment applicability to the smart grid. In general, current risk
Applicability to Smart assessment frameworks are mostly focused either on
Name Short Description
Grids
conventional ICT systems, or on traditional power grids, and
A good starting point to
set up a risk
little consideration has been given to smart grids and their
ISO/IEC Framework for general risk idiosyncrasies. Table 1 provides a summary of the most closely
management process
31000 management
with all relevant related overarching risk assessment methods and frameworks
subcategories that we have identified, and provides a brief analysis of their
Framework for the security of applicability to the smart grid.
industrial automation and
control systems, including Describes how to handle The European Network and Information Security Agency
ISA/IEC Industrial Automation and risks in the context of (ENISA) maintains a repository of risk assessment standards,
62443 Control System (IACS) IACS, which include methods and tools [6]. The Guidelines for Smart Grid Cyber
cyber-security aspects and smart grids
Cyber Security Management
Security developed by National Institute of Standards and
Technology (NIST) (NIST-IR 7628 [7]) provide a set of high-
Frameworks
mathematical method
A part of the VIKING project for analysing the impact
grids in response to the M/490 Smart Grid Mandate by the
concerned with the impact of of adverse events in the European Commission. As such (and because there are few
VIKING
attacks on communication area of SCADA/EMS other risk assessment methods that apparently target the
Impact
Analysis
signals to and from Remote systems at the specific needs of the smart grid), the SGIS toolbox has the
Terminal Units (RTUs) in the transmission level. potential in the smart grid sector to be a primary choice for
power grid Some of the tools
developed could be
stakeholders to use for a risk assessment. Despite numerous
applied to the smart grid criticisms that have levelled at the SGIS toolbox [5], upon
An asset-driven risk initial inspection, the approach advocated in the toolbox has a
Focuses on activities, threats assessment method that number of merits. For example, we suggest that an asset-driven
and vulnerabilities, using an highlights the approach to risk assessment is valuable, and the different
expected value matrix importance of self- impact categories that an assessor must consider, e.g., in terms
OCTAVE (incorporating subjective assessment. It has a of power loss, reputation, human impact, etc. are important to
impact and probability broad interpretation of
Qualitative Methods
estimates) to determine the what constitutes an consider for the smart grid.
expected value of a risk asset, which could be
interesting for smart grid
The SGIS toolbox estimates the inherent risk for individual
Defines and analyses use
information assets. Ultimately, the assessment results in
cases to determine risk impact information assets relating to one of five Security Levels
levels for each information This method is (from Low to Highly Critical), which are interpreted in terms
asset, identifying supporting dedicated to the area of of power loss: highly critical assets are those that could lead to
SGIS
components and running an smart grid security, we
Toolbox
inherent risk analysis to describe it further in
a power loss above 10GW when disrupted (i.e., a pan-
appropriately select standards Sec. III European incident), while the lowest level applies to assets
to protect every information whose disruption could lead to a power loss under 1MW (i.e.,
asset based on security level a town or neighbourhood incident). The Security Level for an
Good practices in ICT risk Overviews different risk information asset determines a set of essential security
Support Tools
2) Estimate risk impact: Risk impact is estimated, and IV. A VOLTAGE CONTROL USE CASE
expressed in five Risk Impact Levels that use different For our risk assessment using the SGIS Toolbox we
measurement categories. These are organised into an overall elaborated on the Voltage and VAR Control and Power Flow
impact table (see Figure 2). To determine the Risk Impact Optimisation (VVO) (WGSP-0200) use case that was defined
Level for a specific information asset, every category has to be by the CEN-CENELEC-ETSI Smart Grid Coordination Group
evaluated for different analysis scenarios and for each of the on Sustainable Processes [9].
Confidentiality (C), Integrity (I), and Availability (A) In our study, we consider a grid control function that uses
properties individually. Eventually, every information asset distributed voltage measurements from Distributed Energy
obtains three Risk Impact Levels (one each for C-I-A); if Resources (DERs), such as photovoltaic and wind turbines, and
different levels are assigned per analysis scenario, then the Power Equipment (PE) as input to an algorithm that adjusts the
highest level is considered. settings of an On-Load Tap Changer (OLTC) and DERs, in
order to manage voltage levels on a low-voltage distribution
3) Identify supporting components: Supporting components line. Without the presence of DERs, the voltage on a line is
for the information assets are identified through a dependency expected to go down the further away from a substation it is
map. This step is implemented to understand the potential measured, primarily because of loads (see Figure 1). However,
cascading effects that are associated with an information asset. in the presence of DERs, which feed-in power on a line in a
distributed fashion, voltage levels could also rise. It is these
4) Estimate attack likelihood. The SGIS toolbox does not aspects that are intended to be managed by the functionality
propose its own toolset for vulnerability and threat analysis. described in this use case.
Instead, it suggests the use of the HMG IS1 standard for those
purposes [2]. This method is highly focused on possible
threats by looking at capabilities and motivation for attackers,
thus losing view of vulnerabilities and countermeasures.
>50% EBITDA*
<50% EBITDA*
<33% EBITDA*
<10% EBITDA*
algorithm Critical (9)
<1% EBITDA*
FINANCIAL
Critical (4) Severe (5) Highly
Tap setting command
Critical (9)
DER reactive power set Low (1) Severe (5) High (6)
point command
DER state command (i.e., Critical (4) Severe (5) Highly
population supplied
population supplied
trust by >50% of the
REPUTATION
supplied
supplied
In general, the Security Levels associated with the
availability security objective are somewhat lower than for
integrity. The exceptions to this rule are the “SCS and set point
algorithm” and the “Tap setting command”. For both of these
fatal injuries
persons
HUMAN
overvoltage situation occurs, the lack of availability of these
information assets (and their capacity to control such
situations), could lead to a significant impact for the DSO. This
point highlights how the incorporation of ICT components to
temporary disruption of
collateral disruptions
activities
warnings
Table 7: Security levels for the availability security objective
Information Asset Impact Likelihood Security
Level Level
LEGAL
DER reactive power state Low (1) Severe (5) High (6)
Distributed voltage Low (1) Severe (5) High (6)
unautorized disclosure or
unautorized disclosure or
modification of sensitive
modification of personal
no personal or sensitive
measurements
Data protection
data involved
not defined
not defined
Smart meter consumption Low (1) Severe (5) High (6)
data
data
measurements
Current tap setting Low (1) Severe (5) High (6)
Critical (4) Severe (5) Highly
SCS and set point algorithm
Critical (9)
Critical (4) Severe (5) Highly
essential infrastructures in
infrastructures in supply
critical infrastructures in
infrastructures affected
critical infrastructures
Critical (9)
no complimentary
complimentary
Infrastructures
area affected
DER reactive power set Low (1) Severe (5) High (6)
affected
point command
DER state command (i.e., on Low (1) Severe (5) High (6)
or off)
from 25% to 50% population
OPERATIONAL (availability)
from 2% to 10% population
(5.000 to 10.000 customers)
more than 50% population
under 2% population of
of supply area affected
to 2.000 customers)
Population
50 - 500 kW
5 - 50 kW
>5 MW
MEDIUM
HIGH
LOW
Level for all of the information assets in our use case is either
High or Highly Critical. Consequently, it is recommended that
all of the security measures that are defined should be
implemented. The countermeasures table references security Figure 2: Adjusted SGIS impact table
for the DSO under consideration
requirements and example technologies in NISTIR 7628 [7].
VII. SGIS TOOLBOX REFLECTIONS power loss associated with a risk (i.e., an impact and threat
The SGIS toolbox has been used on a number of occasions pair associated with an information asset). This Security Level
and has been subjected to a critique and recommendations for is then used as a basis for identifying the security measures
improvement (see Section 11 and Annex C of [5]). These that should be implemented by an organization. This loss of
include criticisms regarding the presentation of the overall information from the detailed analysis through to the very
methodology, which we agree with. Here, we present a brief coarse grain Security Level makes it challenging to relate
summary of our reflections on using the toolbox, which may implemented security measures back to the particular threat
affirm previously identified issues. they are addressing, and therefore challenging for someone to
1) Evaluating inherent risk: The SGIS methodology analyse the security improvement that has been introduced.
evaluates inherent risk, i.e., it considers assets without any 5) The challenges of identifying assets: The SGIS toolbox
security measures in place. While this approach is useful to provides limited guidance on how information assets should
express the importance and significance of assets in general, be identified based on a use case description. There is the
and performs an important role, it goes only part of the way potential for a very large number of information assets to exist
towards an overall risk assessment evaluating the effect of for a given use case, many of which could have limited
existing controls on the risk. This position is particularly relevance for a risk assessment. Furthermore, it is not clear
problematic given that the smart grid, for the most part, is an what precisely an information asset should be – for example,
evolving infrastructure that includes legacy systems – whether an information asset is a system, data item (in transit
considering a clean slate approach to risk assessment is or at rest), or a functional component. In our assessment, we
challenging. primarily chose to focus on information assets that sit at the
2) Future smart grid topologies: The SGIS toolbox is border of the cyber and physical domain, i.e., those that can
understandably dedicated to traditional grids, and their directly influence power systems, such as tap changers and
topology and hierarchy. It is not well-suited to the new DERs. When attempting to understand the impact of a cyber-
topologies that are proposed in smart grids, such as attack on the power system, it may be more appropriate to
microgrids, distributed generation, etc. It does not offer initially determine the important power equipment assets, and
support for a hierarchal approach in dealing with smart grids, then identify the information assets (and how they can be
which is required when dealing with smart grids as a compromised) as a secondary activity.
collection of distributed microgrids. Furthermore, the 6) A lack of tools support for assessment: Analysing the
thresholds set in the impact assessment of the toolbox are not cyber-physical impact of attacks to a smart grid is a complex
applicable to the localised nature of individual microgrids, task – in our example, we attempted to use event-tree analysis
which makes it difficult to assess local risk. Similarly, in our to support this analysis. It is both challenging to assess the
study, we had to adjust the impact levels to the DSO power loss and potential safety implications of a cyber-attack.
infrastructure under consideration. The tool itself is not Additionally, analysing emerging multi-stage attacks, such
domain-specific; it requires supporting tools to deal with Advanced Persistent Threats (APTs), is challenging. The SGIS
localised and domain-specific impact analysis, which are not toolbox does not provide any specific tools support for these
provided for. forms of analysis, and provides no recommendations about
3) Limitations of HMG IS1 for likelihood assessment: The suitable modelling approaches that can be used. This situation
HMG IS1 standard used by SGIS toolbox is a method for results in experts having to infer the impact and likelihood of
business information technology (IT) and does not reflect the attacks to the smart grid, which is a process that is known to
specifics of critical infrastructure. It also seems to be more be problematic. The SPARKS project will aim to address this
focused on information channels that are present by design, shortcoming with tools and guidance about appropriate
and less so on possibilities through vulnerabilities. For modelling approaches for vulnerability, threat and impact
example, when considering network-based attacks, (almost) assessment.
every threat source might use the Internet, which therefore
VIII. CONCLUSION AND NEXT STEPS
automatically makes them the threat actor too. It is focused on
persons, clearances and access rights, and has no capabilities The results presented in this paper demonstrate the
for technical analysis of system. Since clearance levels are not challenges encountered whilst assessing cybersecurity risks to
smart grids. In this deliverable, a brief survey of existing risk
significant in the smart grid domain, it is not strictly relevant
assessment methodologies and frameworks, and an in-depth
to the security of critical infrastructure. Similarly, it fails to analysis of the SGIS toolbox reveal the shortcomings in each of
consider technical security measures. them. The shortcomings of the SGIS toolbox are further
4) Information loss throughout the process: To implement demonstrated by performing a risk assessment using a use case
the SGIS methodology, an assessor has to gather a great deal of voltage control and power flow optimisation. The exercise
of information about the use case they are considering, and also uncovered several lessons to be learnt regarding the SGIS
perform a detailed impact and threat analysis. Having methodologies and the requirements for support tools.
collected all of these important details, the result of the The major outcomes of our assessment indicate that
assessment is a Security Level, which indicates the amount of compromising the integrity of information assets that are used
as a basis for voltage control can have some impact on the ACKNOWLEDGMENT
operational behaviour of a smart grid, and dependent The research leading to these results has received funding
infrastructures. The latter is especially the case when under-
from the European Union Seventh Framework Programme
voltage situations are created, for example, when voltage
measurements are tampered with in such a way to cause an (FP7/2007-2013) under grant agreement No. 608224.
OLTC to reduce the overall voltage on a line. This is the case, REFERENCES
despite a number of existing grid protection measures being
[1] OCTAVE Information Security Risk Evaluation,
present, such as bad data detection functions and overvoltage http://www.cert.org/octave/
protection systems. For the most part, we argue that
[2] CESG National Technical Authority for Information Assurance, HMG
compromising the availability of information assets under IA Standard No. 1 Technical Risk Assessment, October, 2009.
nominal conditions has limited impact, as many grid [3] MAGERIT v.3: Methodology of analysis and risk management
protections measures assume that sensors may fail, resulting in information systems,
measurements not being present. In the use case analysed, very http://administracionelectronica.gob.es/pae_Home/pae_Documentacion/
few of the information assets relate to personally identifiable pae_Metodolog/pae_Magerit.html?idioma=en
information, with the exception of smart metering data. This [4] ISO/IEC 27005:2011 Information technology — Security techniques —
data, in more sophisticated instantiations of the use case, could Information security risk management (second edition),
http://www.27000.org/iso-27005.htm
be used for forecasting and subsequently optimising power
[5] CEN-CENELEC-ETSI Smart Grid Coordination Group, Smart Grid
flows, for example. We understand that if an attacker were to Information Security, Nov 2012.
compromise the confidentiality of this information asset [6] ENISA, Inventory of risk management/risk assessment methods and
(metering data), the impact to the DSO under consideration tools http://www.enisa.europa.eu/activities/risk-management/current-
could be significant when considering the categories of impact risk/risk-management-inventory
that are proposed by the SGIS toolbox that relate to the overall [7] National Institute of Standards and Technology, NISTIR 7628 Revision
population affected and reputational damage. 1 – Guidelines for Smart Grid Cybersecurity, 2014.
[8] ENISA, Appropriate security measures for smart grids, Dec 2012.
Based on this assessment, the SGIS toolbox recommends a
[9] CEN-CENELEC-ETSI, Smart Grid Coordination Group. Reports in
number of security measures that could be used to mitigate the response to Smart Grid Mandate M/490, 2012.
risks that have been identified. The recommendations are wide- [10] M. Stifter, B. Bletterie, H. Brunner, D. Burnier, H. Sawsan et al, DG
ranging, and include improvements to organisational security DemoNet validation: voltage control from simulation to field test.
and various technology areas, e.g., introducing encryption and Presented at Innov. Smart Grid Technol. (ISGT Europe) 2011, 2nd IEEE
authentication. However, because the SGIS toolbox ultimately PES Int. Conf. Exhib., pp. 1–8, Manchester, UK.
derives a high-level Security Level for information assets that [11] A. G. E. Ali Abur, Power System State Estimation Theory and
maps to these recommendations, it is challenging to prioritise Implementation, CRC Press, 2004.
which of them should be implemented, given a potentially [12] E. Hong; I. Lee, H. Shin, S. Nam and J. Kong, Quantitative risk
evaluation based on event tree analysis technique: Application to the
limited security budget. In future work, we intend to build on design of shield TBM. Tunneling and Underground Space Technology
these lessons learned when proposing the risk assessment 24 (3): 269–277.
methodology within the SPARKS project.