Lessons learned from the new Smart Meter Risk Analysis Methodology in the Netherlands
• Johan Rambi
• Alliancemanager Privacy & Security Alliander
• Chairman Policy Committee Privacy & Security Netbeheer Nederland
• 16 January 2013
Netbeheer Nederland is a branch organization for grid operators (TSO/DSO’s)
Privacy & Security
Steps towards the P&S Requirements for Large-scale rollout of smart meters
[Diagram labels: Stakeholder Analysis; Risk Analysis; Study Audit Committee P&S; Privacy & Security Requirements Previous Version 1.5; Redevelopment Privacy & Security Sector Requirements; P&S Requirements Version 2.0 (Control Objectives, Control Measures, Implementation Guidelines); Large-scale rollout Dutch Smart Meter Requirements (DSMR)]
Privacy & Security Smart Metering Infrastructure Framework in NL
[Diagram labels: Stakeholder analysis and ‘rule base’ (Goals of grid operators; Stakeholders’ expectations; Norms and standards; Formal legislation and regulations); Privacy and security goals; Risk analysis; Formulation principles; Considerations and choices; Requirements: ‘what’ to protect?; Measures: ‘how’ to realize it?]
Risk Analysis Methodology
[Diagram: steps of the methodology: Stakeholder Analysis; Identify processes; Define assets; Identify and assess threat sources; Group assets; Define Focus-of-Interest; Business Impact Assessment (BIA); Identify and assess risks; Prioritise and present risks]
Stakeholder Analysis
Stakeholders
Consumer Organizations
Sector
Energy suppliers
Grid operators
Society
Universities
Experts
Government
Meter vendors
Knowledge institutes
Identify processes
Processes Energy Supplier
• Energy procurement
• Energy Sales / Invoicing (Billing)
• Disconnecting (switch off) defaulters
Processes Grid Operator
• Transmission energy
• Managing power quality
• Meter Management
• Capacity Planning
• Minimize grid losses
• Market Facilitation: SVO, data collection & billing
Processes Private Consumer
• Energy consumption
• Energy savings
• Energy Production
• Payment purchased products
• Protection personal data
Processes ISP
• Insight / advice on energy consumption of the private consumer
Define Assets
[Diagram: smart metering infrastructure. Components: Energy Suppliers; Independent Service Provider (ISP); P4-Portal (EDSN) Data Exchange; Central System A; Central System B; Data Concentrator (DC); Smart E-meter; Module, e.g. display; Other meters (G, water, …); Customer. Connection labels: P0, P1, P2, P3, P3.1, P3.2, P4]
Grid Operator A manages infrastructure for both electricity and gas.
Grid Operator B manages infrastructure for gas only.
The clouds symbolise network technologies, such as GPRS, PLC (Power Line Communication), internet, etc.
Information Assets: Measurement Data, Switch Data, Configuration Data, Monitoring Data
Function Assets: Measuring Function, Communication Function, Switching Function
System Assets: Meter, Central System, Data Concentrator, P4-Portal (EDSN)
Identify and assess threat sources
Introduction
• The threat sources refer to persons or parties responsible for a security incident. Note that disturbances are not always caused by human behavior. Think for instance of a system failure in the Data Concentrator that affects the stored measurement data.
Persons / Parties / Technical
• Grid Operator
  - Employee
  - System error / malfunction Central system
  - System error / malfunction Data concentrator
  - System error / malfunction meter
• Data communication provider
  - Fault Communications
• Energy Supplier
  - Employee
  - System energy supplier
• Private consumer
• External attacker
  - Researcher (academic / journalist)
  - Fun Hacker
  - Criminal Fraud
  - Terrorist
Group Assets
[Table (image), shown on two slides. Labels: Asset; Asset Category; Stakeholder; Process; Link between Asset and Process; Category; Focus]
Business Impact Assessment
Business Impact Assessment – Impact Classifications
[Table (image). Labels: Stakeholders; Categories Stakeholder Values; Classifications; Description Stakeholder Values on classifications]
Business Impact Assessment – Results
[Table (image). Labels: Focussed Asset; Related to Availability, Integrity or Confidentiality; Stakeholder (incl. process); Values of stakeholder; Score on Business Impact Analysis; Total Score BIA for Asset on A, I, or C; Confidentiality; Analysis]
Identify and assess risks
Identify and assess risks – Likelihood Classifications
Likelihood category : Occurrence in time
Very High : "Daily (more than 100 times a year)"
High : "Monthly (10 to 100 times a year)"
Medium : "Annual (1 to 10 times a year)"
Low : "Probably (once a year to once in 10 years)"
Very Low : "Possible (once in 10 years to once a century)"
• The calculation of the impact comes from the BIA, but the likelihood of the threat is determined during this step. Several aspects are taken into account:
  - Which vulnerabilities in the assets can lead to the actual occurrence of this threat?
  - What threat sources have an interest? How important is that interest of threat source?
  - What is the extent of the technical complexity to abuse the vulnerability in real life?
  - What is the likelihood of an unintended disruption?
[Table (image). Labels: Identified Threat (Main Threat, Sub Threat); Related Asset; Related to Availability, Integrity or Confidentiality; Identify Likelihood; Identify Impact]
The identified impact is taken from the Business Impact Assessment (BIA).
Identify and assess risks – Count risk
Prioritise and present risks
[Table (image). Labels: Identified Threat (Main Threat, Sub Threat); Related Asset; Risk]
Risk = Likelihood * Impact
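The scoring chain these slides describe (total BIA score per asset on A, I or C, likelihood category from occurrence in time, Risk = Likelihood * Impact, then prioritisation), as an added Python example that is not part of the original deck. The 1 to 5 scores, the summing of stakeholder scores, the focus threshold and all sample assets, values and threats are assumptions constructed for illustration.

```python
# Added example: scales, thresholds and data are constructed assumptions.

def likelihood(per_year):
    """Map occurrences per year to the deck's likelihood category and an
    assumed 1-5 score (the slides name the categories, not the numbers)."""
    if per_year > 100:      # "Daily (more than 100 times a year)"
        return ("Very High", 5)
    if per_year >= 10:      # "Monthly (10 to 100 times a year)"
        return ("High", 4)
    if per_year >= 1:       # "Annual (1 to 10 times a year)"
        return ("Medium", 3)
    if per_year >= 0.1:     # "Probably (once a year to once in 10 years)"
        return ("Low", 2)
    return ("Very Low", 1)  # "Possible (once in 10 years to once a century)"

# Constructed BIA input: asset -> A/I/C aspect -> {stakeholder value: score 0-5}
BIA = {
    "Measurement Data": {
        "C": {"Private consumer / protection personal data": 5,
              "Grid operator / reputation": 4},
        "I": {"Energy supplier / invoicing": 4,
              "Grid operator / reputation": 3},
    },
    "Switch Data": {
        "I": {"Private consumer / safety": 5, "Grid operator / operations": 4},
    },
    "Monitoring Data": {"C": {"Grid operator / operations": 1}},
}

# Constructed threats: (threat, related asset, A/I/C aspect, occurrences per year)
THREATS = [
    ("Data concentrator malfunction corrupts stored data", "Measurement Data", "I", 2.0),
    ("Disclosure to an unauthorised party", "Measurement Data", "C", 0.5),
    ("Unintended change of switch settings", "Switch Data", "I", 0.05),
    ("Disclosure to an unauthorised party", "Monitoring Data", "C", 20.0),
]

def bia_totals(bia):
    """Total BIA score per (asset, aspect); summing is an assumption."""
    return {(asset, aspect): sum(scores.values())
            for asset, aspects in bia.items()
            for aspect, scores in aspects.items()}

def prioritise(threats, bia, focus_threshold=5):
    """Risk = Likelihood * Impact for threats on assets inside the
    focus of interest (BIA total >= assumed threshold), highest first."""
    totals = bia_totals(bia)
    rows = []
    for threat, asset, aspect, per_year in threats:
        impact = totals.get((asset, aspect), 0)
        if impact < focus_threshold:
            continue  # asset does not score significantly on impact
        category, score = likelihood(per_year)
        rows.append((score * impact, threat, asset, aspect, category, impact))
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    for risk, threat, asset, aspect, category, impact in prioritise(THREATS, BIA):
        print(f"{risk:>3}  {asset} ({aspect})  {category} x {impact}  {threat}")
```

The frequent but low-impact threat on Monitoring Data never reaches the ranking, because its asset falls outside the focus of interest before any likelihood is assessed.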
Approach for redevelopment
[Diagram labels: Stakeholder Analysis; Risk Analysis; Other input phase 1; Other input phase 2; P&S Requirements Version 2.0 (Control Objectives, Control Measures, Implementation Guidelines). Inputs named on the slide: Open issues P&S Requirements Version 1.50; Official Privacy Code Smart Meter Grid Operators; Analysis incidents; Desk study P&S Audit Committee; Essential Regulatory Recommendations for E.C. (EG-2); Experiences from code reviews DSMR 4 meters; Document Integral Vision Smart Meter; Open issues P&S Dutch Smart Meter Requirements 4.0; Experiences from penetration tests DSMR 4 meters; P&S requirements other European countries; Alignment with Working Group DSMR; Review P&S Audit Committee of the P&S Requirements; Internal review grid operators; Alignment with EDSN about P4-portal; Review and alignment ESMIG]
Structure of the requirements
[Diagram, shown on two slides. Labels: Stakeholder Analysis (Stakeholders; Stakeholder Values); Risk Analysis (Asset, process; BIA; Risks); P&S Requirements Version 2.0 (Control Objectives; Control Measures; Implementation Guidelines); Implementation Grid Operator (Organisation; Technical; Processes)]
[Diagram: organisations and groups, arranged on the slide under the labels The Netherlands, Europe, U.S.A., U.K. and Standardisation. Bodies named: CPNI.nl; IRB ICT Response Board (for Crisis); Expert Group 2 Data Privacy and Cyber Security; Nationaal Cyber Security Centre; ENCS; Dutch Data Protection Authority (CBP); Working Group Smart Grid Cyber Security; Policy Committee Privacy & Security; NEN; Contact Group Security and Crisismanagement; ETSI; Project Group Smart Grids; Audit Committee Privacy & Security; Netbeheer Nederland; Cyber Security Council; Smart Grid Task Force Steering committee; European SCADA Control Systems Information Exchange (EuroSCSIE); European Commission DG ENER; DG HOME CIIP for SCADA and the Smart Grid; CENELEC; NIST; STEG; M/490 Smart Grid Steering Committee; CEN; ENISA; M/490 Smart Grid Coordination Group; M/490 Working Group for Smart Grid Information Security (WG SGIS); DECC; Thematic Network for Critical Energy Infrastructure Protection (TNCEIP); Cyber Security EG: European Network of Transmission System Operators for Electricity; European Reference Network Critical Infrastructure Protection (ERNCIP); European Commission DG HOME; EUTC; Expert Group on Smart Grid Security; European Commission DG INFSO/CONNECT]
Security Toolbox M/490
Security Toolbox M/490 – Comparison with Dutch Risk Analysis methodology
• To distinguish and group the different assets, use for instance a model like this:
[Table: Use Case x. Columns: Stakeholder 1 (Business Process 1 to 3) and Stakeholder 2 (Business Process 1 to 5). Rows: Asset Category 1 (A 1, A 2) and Asset Category 2 (A 1, A 2). X marks link each asset to business processes.]
• For the information assets, the impact of each use case should be defined, of course per category of the different stakeholders.
[Table: Use case x. Columns for one stakeholder: Financial, Reputation, Safety; columns for a second stakeholder: Financial, Reputation, Operations, Safety, Regulation; plus a Total column. Rows: Asset Category x, with Asset1 and Asset2 each scored on A, I and C.]
• Potential threats are now identified only for the information assets that score significantly on impact:
Columns: ID; Sub; Threat; Asset; AIC-Classifications; Likelihood; Impact; Risk; Remarks Threat; Remarks Chance
1 …… Asset 2 A ……
1 A …… Asset 2 A ……
1 B …… Asset 2 A ……
1 C …… Asset 2 A ……
2 …… Asset 2 A …… ……
3 …… Asset 2 A ……
3 A …… Asset 2 A ……
3 B …… Asset 2 A ……
3 C …… Asset 2 A ……
4 …… Asset 2 I ……
4 A …… Asset 2 I ……
4 B …… Asset 2 I ……
• Therefore an overall risk can be identified for each potential threat on an asset with a significant impact on the risk categories (operational, legal etc.). These threats should be the trigger to identify the needed “essential” requirements, and then to analyze the potential gaps in the existing standards:
[Diagram labels: Stakeholder Analysis (Stakeholder Values; Impact on Stakeholder processes; Impact on Stakeholder values); Risk Analysis (Security Goals; Risks); Define “essential” requirements (Essential Requirements); Identify relevant Standards; Compare requirements with standards; Identify the gaps & define actions (Gaps; Actions to solve gaps)]
Are we ready for Cyber Security?
Many thanks for your attention!
• Johan Rambi : Alliancemanager Privacy & Security
• Telephone : +316 11879945
• E-mail : [email protected]