Security for smart Electricity GRIDs

Estimating security – A security expert's view of the matter
How do we estimate risk?
Achievements and plans
How do we estimate risk in the SEGRID project?
Contents
§ What is SEGRID?
§ SEGRID steps in risk analysis
§ How do we estimate risk in SEGRID?
What we have done
What we have learned
What we plan to work on next
Topic: SEC-2013.2.2-3 Protection of smart energy grids against cyber attacks
Project type: Collaborative project – small or medium scale focused research project
Grant agreement no: 607109
Thematic Priority: FP7-SEC-2013-1
Start date of project: October 1st, 2014
Duration: 36 months
Coordinator: TNO, The Netherlands
SEGRID is supported by the EU FP7 Programme under Contract No. 607109
The main objective of the SEGRID project is to enhance the protection of smart grids against cyber-attacks
§ We do this by
applying a risk assessment approach to a number of smart grid use cases
enhancing risk assessment methodologies
§ Based on the results of the risk assessments we
define security requirements
determine gaps in current technologies, standards and regulations
develop novel security measures for smart grids

Risk matrix (rows: Likelihood, columns: Impact)
Likelihood    | Very low   | Low        | Medium   | High            | Very High
Very likely   | Minor      | Major      | Critical | Highly Critical | Highly Critical
Likely        | Very Minor | Minor      | Major    | Critical        | Highly Critical
Possible      | Very Minor | Minor      | Major    | Critical        | Critical
Unlikely      | Very Minor | Minor      | Minor    | Major           | Critical
Very Unlikely | Very Minor | Very Minor | Minor    | Major           | Major
SEGRID Partners
Distribution System Operators
Manufacturers
Knowledge institutes
Universities
SEGRID Work package structure
WP 1 (EDP) Use cases and security goals
WP 2 (ABB) Application & Enhancements of Risk Assessment
WP 3 (KTH) Enhancements of Vulnerability Assessment techn.
WP 4 (SICS) Novel Security Solutions
T4.1 System & Platform
T4.2 Comm. protocols
T4.3 Resilient Comm. infra
T4.4 Privacy by design
WP 5 (ENCS) Testing and evaluation
WP 6 (TNO) Dissemination & Exploitation
WP 7 (TNO) Project management
[Diagram labels: M1, M3]
SEGRID Storyline
[Figure: axes Maturity and Time, from IST (Current Energy Grid) to SOLL (Smart Energy Grid). Stages: 1) Smart Metering, 2) Load balancing centrally, 3) Dynamic power management, 4) Load balancing regionally, 5) Automatic reconfiguration. Annotations: Known threats; New threats; Current state of security is insufficient; Gaps in available security technology for the Smart Grid.]
SEGRID Use Cases and security goals
[Figure: axes Maturity and Time, from IST (Current Energy Grid) to SOLL (Smart Energy Grid). Stages: 1) Smart Metering, 2) Load balancing renewable energy, 3) Dynamic power management, 4) Load balancing regionally, 5) Automatic reconfiguration. Annotations: Known threats; New threats; Current state of security is insufficient; Gaps in currently available security technology for the Smart Grid.]
Functional architecture for UCs using SGAM
http://ec.europa.eu/energy/sites/ener/files/documents/xpert_group1_reference_architecture.pdf
Steps in SEGRID Approach to Risk Assessment
Vision Security: Trends, Technology, Regulation
Stakeholder Analysis: Regulation, Values, Expectations
Vision smart grid: Technology, Architecture, Processes
1. Define scope
2. Impact assessment
3. Threat assessment
4. Estimate risk
Activities shown under the four steps (in diagram order):
Identify stakeholders
Choose relevant assets
Identify threat actors
Determine risks per stakeholder
Identify stakeholder processes
Define impact values stakeholders
Identify threat scenarios
Overall risk per threat scenario
Identify assets
Identify and assess threat sources
Estimate likelihood
Define impact
Estimate impact
Link assets & stakeholder processes
Prioritise threat scenarios
Step 1: Scope of the Risk Assessment
§ Use case scope
Identify stakeholders and assets
Link stakeholder processes & assets using the SGAM functional view
Use Case 1 Scenario 2: Remote power switching
RA Step 1: Define Scope - Summary
Use Case 1 Smart meter used for on-line reading of consumption and technical data
Scenario 2 - Remote power switching
[Table: values from 1 to 4 for the Confidentiality, Integrity and Availability of each asset, per stakeholder and impact category. Information assets include Switch Data and Monitoring Data; system assets include the Energy Supplier System. Stakeholders: Customer, Energy Supplier, DSO. Impact categories: Privacy, Financial, Assurance of Supply, Safety, Legal and regulatory, Reputation, Operations.]
Step 2: Stakeholder Impact Assessment
What kinds of threats have critical impact on stakeholders?
Use Case 1: Smart meter used for online reading of consumption & technical data
Scenario 2: Remote power switching
SEGRID RA Step 2: Stakeholder impact assessment
[Figure: SGAM view of the scenario. Zones: Level 4 Enterprise, Level 3 Operation, Level 2 Station, Level 1 Field, Level 0 Process. Legend: Functional layer, Information layer, Communication layer, Component layer. Components: Energy Supplier System; IT DSO: Smart Metering Information System (AMI); Data Hub: Exchange System; SCADA; Meter Data Concentrator; RTU; Household Smart Meter; Display; Sensors; Actuator (Switch). Functions: Monitoring, Operate, Maintenance, Make Data available. Information: Switch Data, Monitoring Data.]
[Figure: the same SGAM view of Use Case 1, Scenario 2 (SEGRID RA Step 2: Stakeholder impact assessment), overlaid with "Stakeholder x" and the impact categories Legal & regulatory Compliance, Financial, Reputation, Operations and Safety, each considered for Confidentiality, Integrity and Availability.]
[Table: SEGRID RA Step 2 summary for Use Case 1, Scenario 2 (Remote power switching). Assessed impact values from 1 to 4 for the Confidentiality, Integrity and Availability of each asset, per stakeholder and impact category. Information assets include Switch Data and Monitoring Data; system assets include the Energy Supplier System. Stakeholders: Customer, Energy Supplier, DSO. Impact categories: Privacy, Financial, Assurance of Supply, Safety, Legal and regulatory, Reputation, Operations.]
Step 3: Threat Assessment
§ In the scope of the Use Case, identify
Threat Actors
Potential attacks
Threat scenarios
Motivation, Capacity, Opportunity
Use Case 1: Smart meter used for online reading of consumption & technical data
Scenario 2: Remote power switching
SEGRID RA Step 3: Threat assessment

Threat scenario on IT DSO: Smart Metering Information System (AMI)
Motivation: Self-satisfaction, thrill
Capacity: Data Miner / Software Hacker
Opportunity: Insufficient access control
Attack: Hacker penetrates the system and extracts customer data from the systems data (readout) that the customer shall be switched off and publishes it [Unlikely]
Impact: Theft of information about the customer to be switched off (High, Customer Privacy)
Impact: IT DSO is impacted by a law suit for violating the privacy directive (Medium, DSO Legal and regulatory compliance)

Threat scenario on Data Hub: Exchange System
Motivation: Political
Capacity: Cyberwarrior / Software Hacker
Opportunity: Insufficient access control
Attack: Hacker penetrates the system and sends <switch off> commands to very many customers [Unlikely]
Impact: Very many customers lose power (High, Customer Assurance of Supply)
Impact: IT DSO is impacted due to false <switch off> commands
Impact: Data Hub systems integrity breach
Impact: Energy supplier is not able to supply customers
Further impact categories, each rated High or Medium in the diagram: DSO Operations; DSO Legal and Regulatory Compliance; Data Hub Operations; Data Hub Legal and Regulatory Compliance; Energy Supplier Operations; Energy Supplier Financial
Callout: Step 4 – Risk Estimation: estimate Likelihood and Impact
Step 4 – Risk Estimation
Based on ETSI TS 102 165 & ISO/IEC 18045 – enhanced for SEGRID
§ Likelihood estimation
With TVRA we score what an attacker has to be able to do in terms of Time, Expertise, Knowledge, Opportunity, and Equipment
higher score means that the attacker has to have a higher attack potential
Scores are used as a metric for likelihood
§ Impact estimation
Intensity of the attack is a factor of the Impact
[Slide callouts: Motivation; Capacity; Opportunity; Capability; What about Motivation?]

Threat Group: Manipulate, Integrity
Threat Description:
Vulnerability: Data Hub: Exchange System has software vulnerabilities, accessible
Scenario: Attacker penetrates the system and sends switch off commands to very many customers. The attack can be carried out by exploiting a vulnerability to install a malicious process that tries to influence

Attack
Factor       | Notes                                              | Range          | Value
Time         | Attack requires some planning                      | <= 1 week      | 1
Expertise    | Expert in these systems (insider, state sponsored) | Expert         | 5
Knowledge    | Knowledge of AMI internals is not publicly known   | Restricted     | 1
Opportunity  | Remote access, inside access                       | Difficult      | 12
Equipment    | PC                                                 | Standard       | 0
Asset Impact | Very many customers lose power, ES, DSO            | High           | 4
Intensity    | Attacking large number of customers at once        | High intensity | 2

Potential: High
Likelihood: Unlikely
Impact: Very high
Risk: Critical
Risk = likelihood X impact
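The scoring chain from the Step 4 slide (factor scores, attack potential, likelihood, matrix lookup), extended to per-stakeholder risk and scenario ranking; this is an added example, not SEGRID project code. The band thresholds, the likelihood given to every band other than High, the worst-case rule for overall risk, the second scenario's factor scores and the "DSO operations" impact are assumptions or constructed sample values.

```python
IMPACTS = ["Very low", "Low", "Medium", "High", "Very high"]
RISKS = ["Very Minor", "Minor", "Major", "Critical", "Highly Critical"]
# Risk matrix from the slides: row = likelihood, columns follow IMPACTS.
MATRIX = {
    "Very likely":   ["Minor", "Major", "Critical", "Highly Critical", "Highly Critical"],
    "Likely":        ["Very Minor", "Minor", "Major", "Critical", "Highly Critical"],
    "Possible":      ["Very Minor", "Minor", "Major", "Critical", "Critical"],
    "Unlikely":      ["Very Minor", "Minor", "Minor", "Major", "Critical"],
    "Very unlikely": ["Very Minor", "Very Minor", "Minor", "Major", "Major"],
}
# ASSUMED bands: (max summed score, attack potential, likelihood). The slides
# confirm only one point on this scale: a sum of 19 is "High" -> "Unlikely".
BANDS = [(2, "No rating", "Very likely"), (6, "Basic", "Likely"),
         (14, "Moderate", "Possible"), (26, "High", "Unlikely")]
FACTORS = ("time", "expertise", "knowledge", "opportunity", "equipment")

def attack_potential(scores):
    """Sum the five TVRA factor scores and band the total."""
    total = sum(scores[f] for f in FACTORS)  # KeyError if a factor is unscored
    for upper, potential, likelihood in BANDS:
        if total <= upper:
            return total, potential, likelihood
    return total, "Beyond high", "Very unlikely"  # ASSUMED top band

def assess(scenario):
    """Risk per stakeholder plus the scenario's overall (worst-case) risk."""
    total, potential, likelihood = attack_potential(scenario["scores"])
    per_stakeholder = {who: MATRIX[likelihood][IMPACTS.index(impact)]
                       for who, impact in scenario["impacts"].items()}
    overall = max(per_stakeholder.values(), key=RISKS.index)  # ASSUMED rule
    return {"name": scenario["name"], "total": total, "potential": potential,
            "likelihood": likelihood, "per_stakeholder": per_stakeholder,
            "overall": overall}

def prioritise(scenarios):
    """Order assessed scenarios from highest to lowest overall risk."""
    return sorted(map(assess, scenarios),
                  key=lambda r: RISKS.index(r["overall"]), reverse=True)

# Factor scores and the first impact are the slide's; the second is constructed.
DATA_HUB = {"name": "Data Hub mass switch-off",
            "scores": dict(time=1, expertise=5, knowledge=1, opportunity=12, equipment=0),
            "impacts": {"Customer assurance of supply": "Very high",
                        "DSO operations": "High"}}
# Constructed factor scores; impacts as read from the threat assessment slide.
AMI_LEAK = {"name": "AMI customer data theft",
            "scores": dict(time=1, expertise=2, knowledge=1, opportunity=12, equipment=0),
            "impacts": {"Customer privacy": "High",
                        "DSO legal and regulatory compliance": "Medium"}}

if __name__ == "__main__":
    for result in prioritise([AMI_LEAK, DATA_HUB]):
        print(result["name"], result["likelihood"], result["overall"])
```

The Data Hub scenario reproduces the slide's outcome (sum 19, High potential, Unlikely, Critical) and ranks above the AMI scenario, whose worst stakeholder risk is Major.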
Business Blackout Report
«Erebos Cyber Blackout Scenario – extreme event»
§ Threat source – unidentified highly motivated group
§ Threat actors – highly knowledgeable hackers – highly skilled
§ Time to prepare
1 year to research, develop malware, penetrate systems
9 months to map networks, disable safety systems, plan attack launch
§ Attack on 50 generators
Sophisticated attack involving a range of different techniques: social engineering («Phishing»), physical intrusions, hacking of remote access to the control systems
§ Incident – massive outage – 15 states, including NYC and DC
§ Economic impact estimated at $ 1 trillion...
http://www.businessinsider.com/r-cyber-attack-on-us-power-grid-could-cost-economy-1-trillion-report-2015-7
SEGRID Risk Assessment
Challenges
§ Risk assessment of cyber attacks with physical impact
do we have good enough tools, methods to estimate risks taking into account the attacker motivation, opportunity and capability?
§ How do we estimate threats and risks for the Smart Grid 2020?
it’s not even built yet...
§ Assessing threats from the viewpoints of different stakeholders
emerging sophisticated attacks, threats can impact a wide range of stakeholders
§ What about societal impact?
national black-out
malicious disruption of electricity grid
Business Blackout Report analyses economic impact
Risk Assessment - Challenges
[Figure: the SEGRID risk assessment approach (1. Define scope, 2. Impact assessment, 3. Threat assessment, 4. Estimate risk, with the Vision Security, Stakeholder Analysis and Vision smart grid inputs) annotated with three open questions:]
How to include Motivation?
How to determine Societal Impact?
Assessing attacks/attack paths on SG 2020
Questions
Mail: info@segrid.eu
Website: www.segrid.eu
Telephone: +31 8886 67758
Judith E. Y. Rossebø, PhD
Cyber Security Specialist
ABB AS
Phone: +47 22874725
Mobile: +47 41563062
E-mail: judith.rossebo@no.abb.com