Advertisement

An Industrial Trial of an Approach to Identification and Modelling of Cybersecurity Risks in the Context of Digital Secondary Substations

  • Aida OmerovicEmail author
  • Hanne Vefsnmo
  • Oddbjørn Gjerde
  • Siri T. Ravndal
  • Are Kvinnesland
Conference paper
  • 51 Downloads
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12026)

Abstract

We have in an earlier study proposed a set of requirements and an approach to identification and modelling of cybersecurity risks and their impacts on safety, within the context of smart power grids. The approach, which consisted of a process and a modelling language, was a partially customized version of the existing “CORAS” risk-analysis approach. As a part of the study, feasibility of the approach was evaluated by applying it on an industrial pilot for so-called self-healing functionality of a smart power grid. The results obtained were promising, but further empirical evaluation was strongly needed in order to further assess usefulness and applicability of the approach in the context of smart power grids. This paper provides a detailed account of results of applying the same approach to cybersecurity risk identification and modelling in the context of another smart grid pilot, namely digital secondary substations. The trial was conducted in a real setting, in the form of an industrial case study, in close collaboration with the major Norwegian distribution system operator that has been running the pilot for about two years. The evaluation indicates that the approach can be applied in a real setting to identify and model cybersecurity risks. The experiences from the case study moreover show that the presented approach is, to a large degree, well suited for its intended purpose, but it also points to areas in need for improvement and further evaluation.

Keywords

Cybersecurity Digital substations Cyber risk Smart power grids Risk identification Risk analysis Risk modelling 

Notes

Acknowledgements

This paper has been funded by CINELDI - Centre for intelligent electricity distribution [5], an 8-year Research Centre under the FME-scheme (Centre for Environment-friendly Energy Research, 257626/E20). The authors gratefully acknowledge the financial support from the Research Council of Norway and the CINELDI partners. The centre gathers a significant number of the major public and private actors from the energy sector in Norway, and performs research on the future intelligent energy distribution grids.

References

  1. 1.
    Alberts, C., Dorofee, A., Stevens, J., Woody, C.: Introduction to the OCTAVE Approach. Carnegie Mellon University, Pennsylvania (2003)CrossRefGoogle Scholar
  2. 2.
    Barber, B., Davey, J.: The use of the CCTA risk analysis and management methodology CRAMM in health information systems. In: Proceedings of the 7th International Congress on Medical Informatics, pp. 1589–1593 (1992)Google Scholar
  3. 3.
    Belmans, R.: Strategic research agenda for Europe’s electricity networks of the future - SmartGrids SRA 2035: European technology platform SmartGrids (2012)Google Scholar
  4. 4.
    Ben-Gal, I.: Bayesian networks. Encycl. Stat. Qual. Reliab. 1, 1–6 (2008)Google Scholar
  5. 5.
    CINELDI (2019). https://www.sintef.no/cineldi. Accessed 2 June 2018
  6. 6.
    ENISA Good practices for IoT and Smart Infrastructures Tool (2019). https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures/iot/good-practices-for-iot-and-smart-infrastructures-tool. Accessed 22 Feb 2019
  7. 7.
    Heegaard, P.E., Helvik, B.E., Nencioni, G., Wäfler, J.: Managed dependability in interacting systems. In: Fiondella, L., Puliafito, A. (eds.) Principles of Performance and Reliability Modeling and Evaluation. SSRE, pp. 197–226. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-30599-8_8CrossRefGoogle Scholar
  8. 8.
    Hofmann, M., Kjølle, G., Gjerde, O.: Development of indicators to monitor vulnerabilities in power systems. In: Proceedings of the 11th International Probabilistic Safety Assessment and Management Conference and the Annual European Safety and Reliability Conference 2012: Curran Associates, Inc., pp. 5869–5878 (2012)Google Scholar
  9. 9.
    IEC: IEC 61025:1990 Fault tree analysis (FTA): International Electrotechnical Commission (1990)Google Scholar
  10. 10.
    IEC: IEC 60300-3-9:1995 Dependability management - Part 3: Application guide - Section 9: Risk analysis of technological systems: International Electrotechnical Commission (1995)Google Scholar
  11. 11.
    IEC: IEC 61165:2006 - Application of Markov techniques: International Electrotechnical Commission (2006)Google Scholar
  12. 12.
    IEC: IEC 60050-617:2009 - Organization/Market of electricity: International Electrotechnical Commission (2009)Google Scholar
  13. 13.
    ISO: ISO 31000: Risk Management - Principles and Guidelines: Geneva: International Organization for Standardization (2009)Google Scholar
  14. 14.
    Kjølle, G., Gjerde, O.: Risk analysis of electricity supply. In: Hokstad, P., Utne, I., Vatn, J. (eds.) Risk and Interdependencies in Critical Infrastructures: A Guideline for Analysis, pp. 95–108. Springer, London (2012).  https://doi.org/10.1007/978-1-4471-4661-2_7CrossRefGoogle Scholar
  15. 15.
    Kjølle, G., Gjerde, O.: Vulnerability analysis related to extraordinary events in power systems. In: Proceedings of the 2015 IEEE Eindhoven PowerTech, pp. 1–6. IEEE (2015)Google Scholar
  16. 16.
    Lee, R.M., Assante, M.J., Conway, T.: Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Electricity - Information Sharing and Analysis Center, Washington (2016)Google Scholar
  17. 17.
    Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-12323-8CrossRefzbMATHGoogle Scholar
  18. 18.
    Microsoft Security Development Lifecycle (2018). https://www.microsoft.com/en-us/SDL. Accessed Nov 2018
  19. 19.
    Nielsen, D.S.: The Cause/Consequence Diagram Method as a Basis for Quantitative Accident Analysis, p. 1374. Risø National Laboratory, Roskile (1971)Google Scholar
  20. 20.
    Omerovic, A., Vefsnmo, H., Erdogan, G., Gjerde, O., Gramme, E., Simonsen, S.: A feasibility study of a method for identification and modelling of cybersecurity risks in the context of smart power grids. In: Proceedings of the 4th International Conference on Complexity, Future Information Systems and Risk. vol. 1, pp. 39–51 (2019)Google Scholar
  21. 21.
    Schneier, B.: Attack trees: modeling security threats. Dobb’s J. 24(12), 21–29 (1999)Google Scholar
  22. 22.
    Tøndel, I.A., Foros, J., Kilskar, S.S., Hokstad, P., Jaatun, M.G.: Interdependencies and reliability in the combined ICT and power system: an overview of current research. Appl. Comput. Inform. 14(1), 17–27 (2017)CrossRefGoogle Scholar
  23. 23.
    Wieringa, R.J.: Design Science Methodology for Information Systems and Software Engineering. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-43839-8CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Aida Omerovic
    • 1
    Email author
  • Hanne Vefsnmo
    • 2
  • Oddbjørn Gjerde
    • 2
  • Siri T. Ravndal
    • 3
  • Are Kvinnesland
    • 3
  1. 1.SINTEF DigitalOsloNorway
  2. 2.SINTEF EnergyTrondheimNorway
  3. 3.Lyse ElnettSandnesNorway

Personalised recommendations