Key issues in the cyber security risk analysis and evaluation of electric power control systems

Key issues in the security risk analysis and evaluation of electric power control systems

On behalf of Joint Working Group D2/B3/C2-01 "Security for Information Systems and Intranets in Electric Power Systems"

Authors: Giovanna Dondossola (dondossola@cesi.it) and Olivier Lamquet, Italy, CESI – Centro Elettrotecnico Sperimentale Italiano; Age Torkilseng, Norway, SKS – Salten Kraftsamband, Convener of the JWG

CIGRE Session 2006 – Study Committee D2, Preferential Subject No. 3: Development Strategies to Deal with the Increasing Use of IT in the Electricity Business

Keywords: Power Control Systems, Security Risk Evaluation, Information and Communication Vulnerabilities and Threats

Published as A5019388 (PAD – 638702), 19/04/2005

In an era of pervasive use of information and communication technologies in everyday life, the utilities that manage critical infrastructures are strongly driven to adopt Information and Communication Technology (ICT) for monitoring and controlling their technical, service and market processes. Interconnected and intra-connected ICT systems, open ICT architectures and shared infrastructures have already been adopted for information and maintenance purposes by technologically advanced power utilities. They are becoming a reality in the future ICT applications supporting the remote control of an interconnected power infrastructure composed of bulk and dispersed power generation and the associated power grids.

Any standard for ICT security management requires a security risk assessment to be performed, and efforts to adapt these standards to industrial control systems are ongoing. In the electricity sector, two basic research directions on risk assessment have been undertaken: the definition of a vulnerability and risk assessment procedure specific to cyber security, and the development of probabilistic approaches to the risk analysis of electrical contingencies. However, the emerging frameworks, while allowing a more in-depth analysis than the deterministic approach based on the N-1 criterion, do not cover the evaluation of automation system failures, and a comprehensive risk assessment methodology is far from becoming state of practice.

The paper aims to provide a step forward in the cyber security analysis of electric power control systems, introducing the key aspects of a methodology supporting the security evaluation of power utility information systems, seen as complex interacting infrastructures involving process knowledge, advanced control, and information and communication technologies. The methodology is mainly addressed to security technical managers as an off-line analysis tool supporting the power system design and planning phases. It may also be used by security operators as a support tool for security audits and intrusion monitoring during the system operation phase, thus contributing to preventing and counteracting the risk of control system degradation or blockage.

The three basic functions of the methodology are: the correlation of security concepts, the computation of security indexes, and the consequent evaluation of security failures. The first function gives a framework of the relevant security concepts the security manager should examine to carry out a correct security analysis. Above all, the methodology traces step by step a logical route through these concepts in order to obtain an exhaustive and consistent security profile of the system. It provides the means to categorise each system asset, vulnerability or threat according to predefined taxonomies, and to characterise each of them according to a set of predefined attributes. The knowledge base (taxonomies and attributes) underlying the methodology is updated as soon as new kinds of problems are reported by external sources of information.

According to the evaluation process identified by the methodology, an accurate analysis of the characteristics of a system, that is the description of its internal and external subsystems and information flows, its users and stakeholders, its points of access and its security domains, supports the identification of its weaknesses, i.e. its vulnerabilities. Then, considering these vulnerabilities and analysing the consequences they can have on the overall system (where the overall system includes not only the information/control system but also the operational/business processes), it is possible to list the threats the system could be subjected to. Finally, starting from a particular threat related to a specific vulnerability, and making hypotheses about the processes that can lead to the realisation of that threat, gives the description of an attack.

The outputs of a risk assessment methodology are hypotheses on the possible security breaches the system may have to face. But there is a need to go further and organise these hypotheses with reference to their relevance or priority. This means that the risk assessment should not only define the security failures but should also estimate the impact these failures could have on the overall system. The resulting index value is directly linked to the weight given to the consequence an event can have on the system.

The idea of an index can then be enlarged: not only security failures but all the security concepts referred to above, that is vulnerabilities, threats and attacks/errors, can be characterised by the computation of security indexes such as robustness, exposure and susceptibility, and security failures may be organised with reference to these indexes.

From a practical point of view, the methodology provides the framework to maintain a continuous risk assessment process. Its application to power control infrastructures produces:
• the documentation of the ICT network architecture, the real-time systems, and their internal and external types of connections;
• the System Security Profile, including detailed and synthetic views of the system security failures, scored according to the computed indexes.

The System Security Profile supports the identification of non-routine accesses to the real-time sub-domains by external service providers, and of their unnecessary connections, services and applications, to be addressed by the system hardening activity. Exposed accesses for essential connections to external sub-domains may also be identified, indicating the need to strengthen the access control mechanisms. Finally, the output of the methodology provides evidence for security audits of real-time networks and interconnected systems, allowing one to verify whether each risk judged relevant by the analysis has been managed by adequate countermeasures, or whether some risks still require investigation for appropriate solutions. Security plans may then be compiled with the support of the methodology results, with actions aimed at implementing security measures for unacceptable residual failures.
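The following is an added illustration, written by the editor and not part of the paper or of the JWG's own tooling, of how the logical route described above (assets and security domains, points of access, vulnerabilities with taxonomy attributes, security indexes, and a System Security Profile that flags accesses into the real-time sub-domain) can be represented as data and scored. The paper names the exposure, susceptibility and robustness indexes but does not publish their formulas; the weights and formulas below, the 1 to 5 severity scale, the domain names and all sample assets, connections and vulnerabilities are assumptions constructed for this example. It generalises slightly in one respect: hardening candidates include any non-essential or non-routine connection crossing into the real-time domain, not only those of external providers.

```python
"""Illustrative System Security Profile builder (editor's example, not the paper's method).
All weights, scales and sample data are assumptions made for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    domain: str      # security domain, e.g. "real-time", "dmz", "corporate"
    category: str    # taxonomy class of the asset (assumed labels)


@dataclass(frozen=True)
class Connection:
    """A point of access into an asset from another security domain."""
    source: str          # where the access originates (hypothetical names)
    source_domain: str   # "external", "corporate", "dmz", ...
    target: str          # asset name
    service: str
    essential: bool      # needed by the process, per the asset owner
    routine: bool        # part of the documented, expected traffic


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    category: str        # taxonomy class, e.g. "authentication"
    severity: int        # 1..5 attribute from the knowledge base (assumed scale)
    countermeasure: bool # a control is already in place


# Assumed weights (not from the paper): exposure grows with the distance of the
# originating domain and with non-routine / non-essential access paths.
DOMAIN_WEIGHT = {"external": 3, "corporate": 2, "dmz": 1}


def exposure(asset, connections):
    """Sum of weights of access paths reaching the asset from other domains."""
    score = 0
    for c in connections:
        if c.target != asset.name or c.source_domain == asset.domain:
            continue
        w = DOMAIN_WEIGHT.get(c.source_domain, 1)
        w += 0 if c.routine else 1
        w += 0 if c.essential else 1
        score += w
    return score


def susceptibility(asset, vulns):
    """Worst severity among the asset's vulnerabilities lacking a countermeasure."""
    return max((v.severity for v in vulns
                if v.asset == asset.name and not v.countermeasure), default=0)


def robustness(asset, vulns):
    """Fraction of the asset's known vulnerabilities already covered by a countermeasure."""
    mine = [v for v in vulns if v.asset == asset.name]
    return 1.0 if not mine else sum(v.countermeasure for v in mine) / len(mine)


def build_profile(assets, connections, vulns, real_time="real-time"):
    """Rank security failures (exposure x susceptibility) and flag accesses into real-time."""
    ranked = sorted(((a.name, exposure(a, connections) * susceptibility(a, vulns),
                      robustness(a, vulns)) for a in assets),
                    key=lambda t: t[1], reverse=True)
    by_name = {a.name: a for a in assets}
    into_rt = [c for c in connections
               if by_name[c.target].domain == real_time and c.source_domain != real_time]
    return {
        "ranked_failures": ranked,
        # unnecessary or non-routine paths into real-time: remove or restrict (hardening)
        "hardening_candidates": [c for c in into_rt if not (c.essential and c.routine)],
        # essential, routine external paths that remain: strengthen access control
        "strengthen_access_control": [c for c in into_rt
                                      if c.essential and c.routine and c.source_domain == "external"],
    }


# Constructed sample data (hypothetical assets, providers and findings).
ASSETS = [Asset("scada-fe", "real-time", "SCADA front-end"),
          Asset("rtu-12", "real-time", "RTU"),
          Asset("hist", "dmz", "historian")]
CONNECTIONS = [
    Connection("vendor-A", "external", "scada-fe", "remote maintenance", essential=False, routine=False),
    Connection("dispatch-center", "external", "scada-fe", "ICCP", essential=True, routine=True),
    Connection("corp-lan", "corporate", "hist", "https", essential=True, routine=True),
    Connection("hist", "dmz", "rtu-12", "polling", essential=False, routine=True),
]
VULNS = [
    Vulnerability("scada-fe", "authentication", 4, countermeasure=False),
    Vulnerability("scada-fe", "patching", 3, countermeasure=True),
    Vulnerability("rtu-12", "protocol", 5, countermeasure=False),
    Vulnerability("hist", "configuration", 2, countermeasure=False),
]

if __name__ == "__main__":
    profile = build_profile(ASSETS, CONNECTIONS, VULNS)
    for name, score, rob in profile["ranked_failures"]:
        print(f"{name:10s} failure={score:3d} robustness={rob:.2f}")
    for key in ("hardening_candidates", "strengthen_access_control"):
        print(key, [(c.source, c.target, c.service) for c in profile[key]])
```

With the sample data the SCADA front-end ranks first because it combines an uncontrolled authentication weakness with two external access paths, one of them a non-routine, non-essential maintenance connection; that connection lands in the hardening list, while the essential ICCP link to the dispatch centre is reported as an access whose control mechanisms should be strengthened.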
