Abstract
We have in an earlier study proposed a set of requirements and an approach to identification and modelling of cybersecurity risks and their impacts on safety, within the context of smart power grids. The approach, which consisted of a process and a modelling language, was a partially customized version of the existing “CORAS” risk-analysis approach. As a part of the study, feasibility of the approach was evaluated by applying it on an industrial pilot for so-called self-healing functionality of a smart power grid. The results obtained were promising, but further empirical evaluation was strongly needed in order to further assess usefulness and applicability of the approach in the context of smart power grids. This paper provides a detailed account of results of applying the same approach to cybersecurity risk identification and modelling in the context of another smart grid pilot, namely digital secondary substations. The trial was conducted in a real setting, in the form of an industrial case study, in close collaboration with the major Norwegian distribution system operator that has been running the pilot for about two years. The evaluation indicates that the approach can be applied in a real setting to identify and model cybersecurity risks. The experiences from the case study moreover show that the presented approach is, to a large degree, well suited for its intended purpose, but it also points to areas in need for improvement and further evaluation.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Note that the definition of vulnerability from the energy sector is slightly different, namely “Vulnerability is an expression for the problems a system faces to maintain its function if a threat leads to an unwanted event and the problems the system faces to resume its activities after the event occurred. Vulnerability is an internal characteristic of the system” [15].
References
Alberts, C., Dorofee, A., Stevens, J., Woody, C.: Introduction to the OCTAVE Approach. Carnegie Mellon University, Pennsylvania (2003)
Barber, B., Davey, J.: The use of the CCTA risk analysis and management methodology CRAMM in health information systems. In: Proceedings of the 7th International Congress on Medical Informatics, pp. 1589–1593 (1992)
Belmans, R.: Strategic research agenda for Europe’s electricity networks of the future - SmartGrids SRA 2035: European technology platform SmartGrids (2012)
Ben-Gal, I.: Bayesian networks. Encycl. Stat. Qual. Reliab. 1, 1–6 (2008)
CINELDI (2019). https://www.sintef.no/cineldi. Accessed 2 June 2018
ENISA Good practices for IoT and Smart Infrastructures Tool (2019). https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot/good-practices-for-iot-and-smart-infrastructures-tool. Accessed 22 Feb 2019
Heegaard, P.E., Helvik, B.E., Nencioni, G., Wäfler, J.: Managed dependability in interacting systems. In: Fiondella, L., Puliafito, A. (eds.) Principles of Performance and Reliability Modeling and Evaluation. SSRE, pp. 197–226. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30599-8_8
Hofmann, M., Kjølle, G., Gjerde, O.: Development of indicators to monitor vulnerabilities in power systems. In: Proceedings of the 11th International Probabilistic Safety Assessment and Management Conference and the Annual European Safety and Reliability Conference 2012: Curran Associates, Inc., pp. 5869–5878 (2012)
IEC: IEC 61025:1990 Fault tree analysis (FTA): International Electrotechnical Commission (1990)
IEC: IEC 60300-3-9:1995 Dependability management - Part 3: Application guide - Section 9: Risk analysis of technological systems: International Electrotechnical Commission (1995)
IEC: IEC 61165:2006 - Application of Markov techniques: International Electrotechnical Commission (2006)
IEC: IEC 60050-617:2009 - Organization/Market of electricity: International Electrotechnical Commission (2009)
ISO: ISO 31000: Risk Management - Principles and Guidelines: Geneva: International Organization for Standardization (2009)
Kjølle, G., Gjerde, O.: Risk analysis of electricity supply. In: Hokstad, P., Utne, I., Vatn, J. (eds.) Risk and Interdependencies in Critical Infrastructures: A Guideline for Analysis, pp. 95–108. Springer, London (2012). https://doi.org/10.1007/978-1-4471-4661-2_7
Kjølle, G., Gjerde, O.: Vulnerability analysis related to extraordinary events in power systems. In: Proceedings of the 2015 IEEE Eindhoven PowerTech, pp. 1–6. IEEE (2015)
Lee, R.M., Assante, M.J., Conway, T.: Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Electricity - Information Sharing and Analysis Center, Washington (2016)
Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12323-8
Microsoft Security Development Lifecycle (2018). https://www.microsoft.com/en-us/SDL. Accessed Nov 2018
Nielsen, D.S.: The Cause/Consequence Diagram Method as a Basis for Quantitative Accident Analysis, p. 1374. Risø National Laboratory, Roskile (1971)
Omerovic, A., Vefsnmo, H., Erdogan, G., Gjerde, O., Gramme, E., Simonsen, S.: A feasibility study of a method for identification and modelling of cybersecurity risks in the context of smart power grids. In: Proceedings of the 4th International Conference on Complexity, Future Information Systems and Risk. vol. 1, pp. 39–51 (2019)
Schneier, B.: Attack trees: modeling security threats. Dobb’s J. 24(12), 21–29 (1999)
Tøndel, I.A., Foros, J., Kilskar, S.S., Hokstad, P., Jaatun, M.G.: Interdependencies and reliability in the combined ICT and power system: an overview of current research. Appl. Comput. Inform. 14(1), 17–27 (2017)
Wieringa, R.J.: Design Science Methodology for Information Systems and Software Engineering. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43839-8
Acknowledgements
This paper has been funded by CINELDI - Centre for intelligent electricity distribution [5], an 8-year Research Centre under the FME-scheme (Centre for Environment-friendly Energy Research, 257626/E20). The authors gratefully acknowledge the financial support from the Research Council of Norway and the CINELDI partners. The centre gathers a significant number of the major public and private actors from the energy sector in Norway, and performs research on the future intelligent energy distribution grids.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Omerovic, A., Vefsnmo, H., Gjerde, O., Ravndal, S.T., Kvinnesland, A. (2020). An Industrial Trial of an Approach to Identification and Modelling of Cybersecurity Risks in the Context of Digital Secondary Substations. In: Kallel, S., Cuppens, F., Cuppens-Boulahia, N., Hadj Kacem, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2019. Lecture Notes in Computer Science(), vol 12026. Springer, Cham. https://doi.org/10.1007/978-3-030-41568-6_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-41568-6_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41567-9
Online ISBN: 978-3-030-41568-6
eBook Packages: Computer ScienceComputer Science (R0)