New methods to analyze cyber security risk in cyber-physical electric power systems.
The increased electrification of society and the need to manage new resources (such as renewable energy sources and flexible resources) and new loads (such as electric vehicles) is changing the electric power system.
The extent of sensors, communication, and automation is increasing, and monitoring and control of the electric power grid is becoming more active and digitalised. The result is a cyber-physical electric power system where the operation of the physical power system increasingly depends on data transmitted through digital networks.
This development increases the number of potential entry points for an attacker and makes the systems more difficult to protect. Also, society is more dependent on electric power than ever before, and the consequences of a successful cyber-attack on interacting digital systems may become catastrophic.
Therefore, we need appropriate methods to assess and reduce cyber security risks in cyber-physical electric power systems. In the InterSecure project, SINTEF Energi, SINTEF Digital, NTNU and Proactima have developed such methods in collaboration with Norwegian grid companies and authorities.
What is a cyber-physical electric power system?
We understand a cyber-physical system as a system of physical components controlled via digital networks.
Commonly, cyber-physical electric power grids are called smart grids. This name emphasises the enhanced possibilities for intelligence, i.e., control, monitoring, and automation, brought to electric grids when they are increasingly connected to digital networks.
What worries the grid operators today?
The emerging smart grid, with its increasing interconnection and exchange of data, increases the number of actors and stakeholders in the operation of power systems. This can potentially introduce several new or changed threats and vulnerabilities.
Discussions in the project have revealed some key sources of threats and vulnerabilities that the grid operators worry about today, and that are expected to become even more relevant in the future:
- Extended digital networks that increase the number of possible entry points for cyber attackers,
- new technology, components and systems that are rapidly introduced,
- new connections between administrative IT systems and control systems that increase data flow across systems,
- increased system complexity,
- more interfaces between interdependent applications or systems, and
- dependence on digital services from external suppliers.
The grid companies must be able to understand and handle new risks due to these system developments.
What kind of methods do the grid operators need to address their concerns?
The grid operators in the project secure their systems and manage risks according to current regulations. The main relevant regulations are Energiloven, Kraftberedskapsforskriften and Sikkerhetsloven.
Furthermore, the grid operators collect and use updated threat information from organisations providing notification services, such as KraftCERT, PST (Norwegian Police Security Service) and NSM (Norwegian National Security Authority).
Although the power supply is reliable today, and current regulations and risk management practices are well established, the grid operators are not well equipped to handle the new sources of threats and vulnerabilities described in the previous section.
Traditional power system risk management is not focused on capturing the intentional nature of cyber security incidents, the widespread entry points due to the far-reaching nature of digital networks, nor the vulnerabilities to cyber attackers exploiting these entry points.
Also, cyber security risk analysis and traditional risk analysis are carried out separately. This approach is not optimal, as it does not enable the assessment of potential vulnerabilities due to system interconnections, interdependencies and complexity.
In the following, risk assessment methods developed in the InterSecure project are briefly described.
Framework for risk assessment of cyber-physical electric power systems
The framework is based on the ISO 31000 and NS 5814 standards. It emphasises not only the physical system but the entire system of systems that is included in the operation of smart grids.
In fact, as smart grids develop and the system becomes more complex, trying to understand the entire system and how all its elements relate and interact will be fruitless. The sheer size and complexity of the system will make this impossible.
Therefore, the risk management of the system needs to be addressed from a higher-level perspective first, before focusing on different sections or areas of the system.
As part of the InterSecure project, a risk management framework has been proposed that enables a more iterative approach to manage the risk of complex socio-technical systems, such as smart grids.
The framework follows a “plan, do, check, act” structure that is common in risk management frameworks. It consists of three main phases: plan, assess and manage as well as three continuous phases of communication and consultation, recording and reporting, and monitoring and review.
The overall structure of the risk management framework is that of an iterative process. It includes considering the complexity within the system, and rather than trying to understand and model the entire system, it instead takes an incremental, top-down approach.
This allows the system to first be addressed from a high-level perspective and then become more familiar with the different areas and risks of the system, finding the right level to manage the different risks.
Threat modelling for interacting digital systems is the exercise of analysing how a piece of software or a system can be attacked, with the aim of protecting against such attacks. While several methods exist, one of the more well-known methods is STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege).
STRIDE starts by creating a model of the system to visualise how and what type of data is being transmitted between the different parts of the system. As an example, a part of the model used in InterSecure is shown in Figure 2. Based on this model, threats (i.e., potential attacks) are identified for the different parts of the system.
To aid the STRIDE threat modelling process, Microsoft has developed the Microsoft Threat Modeling tool. This tool provides a graphical user interface to build the model of the system and a structured way of identifying and evaluating threats.
The tool was originally aimed at threat modelling of software, but as it allows users to create their own templates, we have adapted it to identify threats against the smart grid. The template developed in the project is available here.
In this project, we performed threat modelling of a digital secondary substation to test and demonstrate the use of the tool in a smart grid context.
Guided by the threat categories making up the STRIDE mnemonic, threats towards the substation from each of the categories were identified. Information disclosure and denial of service threats were identified as the most critical, mainly because such attacks are simple to perform.
The reason is that such threats were evaluated to potentially have relatively serious consequences without requiring specific knowledge or specialised tools to execute.
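The STRIDE-per-element step described above, as an added Python example (not code from the InterSecure project or from the Microsoft tool): a minimal data-flow model of a secondary substation, with element names and zones assumed for illustration, is enumerated against the standard STRIDE-per-element mapping, and flows that cross the substation/control-centre trust boundary are marked for follow-up.

```python
"""STRIDE-per-element applied to a minimal model of a digital secondary substation.

Added example, not code from the InterSecure project. Component names and zones are
assumed for illustration; the per-element mapping is the standard STRIDE-per-element table
(processes: all six; external entities: S, R; data stores: T, R, I, D; data flows: T, I, D)."""
from collections import defaultdict

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
APPLIES = {"process": "STRIDE", "external": "SR", "store": "TRID", "flow": "TID"}

def enumerate_threats(elements, flows, zones):
    """elements: {name: type}; flows: [(src, dst, data)]; zones: {name: trust zone}.
    Returns a list of (target, category, note); flows crossing a trust boundary are noted."""
    threats = []
    for name, kind in elements.items():
        for code in APPLIES[kind]:
            threats.append((name, STRIDE[code], "element"))
    for src, dst, data in flows:
        note = "crosses trust boundary" if zones.get(src) != zones.get(dst) else "inside zone"
        for code in APPLIES["flow"]:
            threats.append((f"{src}->{dst} ({data})", STRIDE[code], note))
    return threats

def by_category(threats):
    """Count identified threats per STRIDE category, for an overview of where to focus."""
    counts = defaultdict(int)
    for _, category, _ in threats:
        counts[category] += 1
    return dict(counts)

def boundary_crossing_threats(threats):
    """Threats on flows that leave the substation zone; candidates for detailed analysis."""
    return [t for t in threats if t[2] == "crosses trust boundary"]

# Constructed model (assumed): RTU and gateway as processes, the control centre as an
# external entity, an event log as a data store, and IEC 104 traffic between them.
ELEMENTS = {"RTU": "process", "Gateway": "process",
            "ControlCentre": "external", "EventLog": "store"}
FLOWS = [("RTU", "Gateway", "IEC 104 measurements"),
         ("Gateway", "ControlCentre", "IEC 104 over WAN"),
         ("ControlCentre", "Gateway", "IEC 104 commands"),
         ("Gateway", "EventLog", "events")]
ZONES = {"RTU": "substation", "Gateway": "substation",
         "EventLog": "substation", "ControlCentre": "control-centre"}

if __name__ == "__main__":
    for target, category, note in enumerate_threats(ELEMENTS, FLOWS, ZONES):
        print(f"{target:40} {category:24} {note}")
```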
Communication impact simulations
We have developed two simulation models to verify the most critical threats (sniffing and availability attacks) identified by threat modelling. Both models have a topology comprising two digital secondary substations and a control centre.
The first model was created within the Mininet network emulator and was selected as the primary model because it is easy to use and to transport: the entire model runs within a single virtual machine. The schema of the first model is shown in Figure 3.
The second model was created using separate virtual machines for each component (RTUs, gateways, routers and the monitoring device).
This model was used only for performance testing during Denial-of-Service attacks, as its results corresponded more closely to reality than those of the Mininet model.
Performance evaluation of the model was done and described in the article “Threat Modeling of a Smart Grid Secondary Substation”. This model was not considered further because of its complexity and because it cannot easily be exported. The model schema is shown in Figure 4.
Both impact simulation models used emulated IEC 104 communication corresponding to data from the National Smart Grid Lab in Trondheim.
The results gained from the simulation models testing can be used by grid operators to improve grid security, for example, by tuning security devices such as firewalls. The first model was provided to all members of the InterSecure project and was also demonstrated.
In this demonstration, all the participants could install the model on their devices and learn the basic control of the model in a provided scenario. A demonstration is also available on YouTube.
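As an added example that is not part of the InterSecure project or this article, the following Python snippet shows how the availability-attack scenario from the simulations can be turned into a simple detection check that a grid operator could run over captured IEC 104 traffic: it parses the APCI of each frame and flags any source that exceeds an assumed per-second frame rate. The rate threshold, the IP addresses and the traffic log are constructed assumptions.

```python
"""Rate-based availability-attack indicator for IEC 60870-5-104 (IEC 104) traffic.

Added example, not code from the InterSecure project; the traffic log is constructed.
Each APCI (start byte 0x68, length byte, four control bytes) is parsed and classified as
I/S/U format; sources sending more than RATE_LIMIT valid frames in one second are flagged."""
from collections import Counter

RATE_LIMIT = 20  # valid IEC 104 frames per source per second (assumed threshold)

def parse_apci(frame: bytes):
    """Return (fmt, fields) for one APDU, or None if it is not a well-formed 104 frame."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] != len(frame) - 2:
        return None
    c1, c2, c3, c4 = frame[2:6]
    if c1 & 0x01 == 0:                       # I-format: numbered information transfer
        fields = {"send": (c1 >> 1) | (c2 << 7), "recv": (c3 >> 1) | (c4 << 7)}
        fields["type_id"] = frame[6] if len(frame) > 6 else None  # first ASDU byte
        return ("I", fields)
    if c1 & 0x03 == 0x01:                    # S-format: supervisory acknowledgement
        return ("S", {"recv": (c3 >> 1) | (c4 << 7)})
    return ("U", {"func": c1})               # U-format: STARTDT/STOPDT/TESTFR

def i_frame(send: int, recv: int, asdu: bytes) -> bytes:
    """Build an I-format APDU; used here only to construct sample traffic."""
    ctrl = bytes([(send << 1) & 0xFF, send >> 7, (recv << 1) & 0xFF, recv >> 7])
    return bytes([0x68, 4 + len(asdu)]) + ctrl + asdu

TESTFR_ACT = bytes.fromhex("680443000000")   # U-format, test frame activation

def flag_sources(log):
    """log: iterable of (timestamp_seconds, src_ip, frame_bytes).
    Returns the sources whose valid-frame rate exceeds RATE_LIMIT in any one-second window."""
    per_window = Counter()
    for ts, src, frame in log:
        if parse_apci(frame) is not None:    # malformed frames are not counted here
            per_window[(src, int(ts))] += 1
    return sorted({src for (src, _), n in per_window.items() if n > RATE_LIMIT})

# Constructed log: an RTU reporting one measurement (ASDU type 9, M_ME_NA_1) per second,
# and a second host sending 25 TESTFR frames inside the same second.
MEASUREMENT = bytes.fromhex("090103000100") + bytes.fromhex("010000") + bytes.fromhex("002000")
SAMPLE_LOG = [(t, "10.0.0.11", i_frame(t, 0, MEASUREMENT)) for t in range(5)]
SAMPLE_LOG += [(2.0 + k / 50, "10.0.0.99", TESTFR_ACT) for k in range(25)]

if __name__ == "__main__":
    print("flagged:", flag_sources(SAMPLE_LOG))   # flagged: ['10.0.0.99']
```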
Assessment of vulnerabilities and failure consequences
Smart grids are complicated systems, so no single model or framework can uncover all vulnerabilities. Hence, there is a need for a selection of models and frameworks to help the grid operators view the problem at hand from different angles.
To complement the other methods in the InterSecure project, an approach for assessing vulnerabilities and failure consequences for cyber-physical power grids based on the bow-tie model has been developed.
The approach is illustrated in Figure 5. The first part of the analysis is to perform a bow-tie analysis for a selected scenario for a specific critical asset, i.e., an asset that can directly impact the distribution of electricity.
Next, assumptions on the operation state of the power system are made, and the coping capacity and consequences at the system level are assessed.
The proposed approach has been tested on a case related to conditional connection agreements at a Norwegian DSO. One advantage of the proposed approach is that the bow-tie model is well known in the industry.
Thus, little time was needed to explain the method to the participants. The bow-tie model was found to be flexible enough to incorporate both traditional threats, such as technical failures and cyber threats from malicious actors, in the same diagram.
Further, the approach aided in building a common understanding among participants from the different departments of the grid operator by visualising threats, vulnerabilities, barriers, and consequences in the same diagram.
The bow-tie analyses are, however, time-consuming to perform. Considerable time is also needed to process the results before they can be used further in the risk management process.
Another consequence of the flexibility of the bow-tie method is that successful use is dependent on the ability of the facilitator to guide the discussion in the group so that relevant threats and vulnerabilities are discussed.
Because of this, there is a need for a structured overall approach to ensure that this type of analysis is used on the relevant assets and threats.
To summarise, the methods tested in InterSecure are applicable in different situations where different levels of detail are needed. The suggested framework can be used at a high level.
The threat model can be used to identify information flows and threats, and to sort out the most important threats for more detailed analysis and follow-up.
The simulation model is useful for detailed testing of concrete attacks with a realistic communication and network topology, while the assessment of vulnerabilities is useful for in-depth analysis of both physical and cyber threats, vulnerabilities and barriers. The DSO should test the methods and plan which method to use when.