practical risk assessment using a cumulative smart grid …...practical risk assessment using a...
TRANSCRIPT
Practical Risk Assessment Using a Cumulative Smart Grid Model
Markus Kammerstetter1, Lucie Langer2, Florian Skopik2, Friederich Kupzog3 and Wolfgang Kastner4
1Institute of Computer Aided Automation, Automation Systems Group, International Secure Systems Lab, Vienna Universityof Technology, Vienna, Austria
2Safety and Security Department, Austrian Institute of Technology, Vienna, Austria3Energy Department, Austrian Institute of Technology, Vienna, Austria
4Institute of Computer Aided Automation, Automation Systems Group, Vienna University of Technology, Vienna, Austriamk @ iseclab.org, {lucie.langer, florian.skopik, friederich.kupzog}@ait.ac.at, k @ auto.tuwien.ac.at
Keywords: Smart Grid, Risks, Risk Assessment, Critical Infrastructures
Abstract: Due to the massive increase of green energy, today’s power grids are in an ongoing transformation to smartgrids. While traditionally ICT technologies were utilized to control and monitor only a limited amount of gridsystems down to the station level, they will reach billions of customers in near future. One of the downsidesof this development is the exposure of previously locked down communication networks to a wide range ofpotential attackers. To mitigate the risks involved, proper risk management needs to be in place. Togetherwith leading manufacturers and utilities, we focused on European smart grids and analyzed existing securitystandards in the Smart Grid Security Guidance (SG)2 project. As our study showed that these standardsare of limited practical use to utilities, we developed a cumulative smart grid architecture model in a jointapproach with manufacturers and utilities to represent both current and future European smart grids. Basedon that model, we developed a practical, light-weight risk assessment methodology covering a wide range ofpotential threats that have been evaluated and refined in course of expert interviews with utility providers andmanufacturers.
1 INTRODUCTION
Over the last years, the electrical power grid has un-dergone a tremendous change. The traditional powergrid could be described as a producer-consumermodel. The producers generate electricity and theelectricity is transferred by utilities to the consumers.As a result, the amount of employed ICT technolo-gies was limited. Today, there is a strong trend inthe direction of sustainable green energy, energy sav-ing and higher efficiency. Energy is no longer onlyproduced at the top and delivered to the bottom; in-stead, everyone can become an energy producer. Con-sumers change to “prosumers” by running their ownsolar or wind power stations. Businesses and com-munities specializing on independent energy produc-tion through wind turbines, heating, or biogas plantsemerge and grow. The boundaries in the traditionalpower grid model start to fade. On the other hand,large-scale energy producers and utilities can save en-ergy and achieve higher energy efficiency by havingthe ability to influence or control devices in the userdomain. To make this possible, energy grids are heav-
ily expanded with ICT technologies – the traditionalpower grid is being transformed into the smart grid.On the downside, these technologies bear unforeseenrisks for critical infrastructures. Smart grid ICT tech-nology providers and utilities have limited experiencewith these new technologies and market pressure mayforce them to throw new products on the market be-fore they have undergone quality assurance processessuitable for critical infrastructures. While tradition-ally access to smart grid ICT networks was limitedto energy producers and utilities, new smart grid ICTtechnologies allow the massive amount of consumersto participate in these networks. Communication in-frastructures in energy grids and especially in powergrids are thus also exposed to a wide range of po-tential adversaries. To mitigate the security risks in-volved, there have been significant international ef-forts in terms of smart grid cyber security standards,risk assessment and security mechanisms (see Sec-tion 2).
However, focusing on smart grids in the EuropeanUnion and especially in Austria, it quickly turned outthat many architectural or technological assumptions
do not hold for the smart grid systems currently be-ing rolled out in large quantities. For instance, withinthe European Union, the Smart Metering ProtectionProfiles (BSI, 2013b; BSI, 2013c) are widely knownfor their security requirements and definitions. Yet,smart metering is only one of many areas within thesmart grid, and today’s advanced metering infrastruc-ture (AMI) typically does not correspond to the gate-way and security module design concept suggested inthose Protection Profiles.
As a result, in the Smart Grid Security Guid-ance (SG)2 joint project (AIT, 2013) with leadingsmart grid component manufacturers and utilities, weset out to create a cumulative smart grid landscapemodel representing both current and future Europeansmart grids. Based on established industry securitystandards and in close cooperation with manufactur-ers and utilities, we identified a comprehensive setof threats that are applicable within our cumulativesmart grid model. To foster practical usability, weclustered both identified threats and smart grid sys-tems to form the two dimensions of a threat matrix.This threat matrix allows practical threat assessmentfor both current and future European smart grids, andforms the basis for an according risk assessment de-termined by probability and impact. In summary, themain contributions of our work are:
• A cumulative smart grid model representing bothcurrent and near-future European smart grids as abasis for sound risk assessment
• A thoroughly designed threat catalog for modernsmart grid architectures
• An accompanying practical risk assessment ap-proach evaluated and refined in course of expertinterviews with utility providers and manufactur-ers
The remainder of this paper is organized as fol-lows. Section 2 provides an overview of related work.In Section 3 we explain how we developed the cumu-lative smart grid model. In Section 4 we describe ourrisk assessment approach, while Section 5 covers theevaluation and our results. The conclusions and sug-gestions on further work can be found in Section 6.
2 RELATED WORK
Mainly focusing on U.S. smart grids and technol-ogy, NIST has developed Guidelines for Smart GridCybersecurity (NIST, 2013b). In Europe, the Ger-man Federal Office for Information Security (BSI)has come up with a Common Criteria Protection Pro-file for the Gateway of a Smart Metering System and
its Security Module (BSI, 2013b; BSI, 2013c). Incontrast to our approach, the NIST guidelines do notallow an integrated approach. They are based ontechnologies employed in U.S. smart grids and givehigh-level recommendations only. Similarly, the BSIprotection profiles do not provide a holistic approacheither. Instead, they focus on smart metering only(which is only one building block of a smart grid), andtheir Target of Evaluation is a very specific smart me-tering implementation that does not reflect deployedsmart metering systems.
Regarding risk assessment, Lu et al. outline secu-rity threats in the smart grid (Lu et al., 2010). In com-parison, our approach is targeted on the broad rangeof system components in European smart grids. Rayet al. provide a more formal approach to smart gridrisk management (Ray et al., 2010) while one of ourgoals was to develop a practical risk assessment ap-proach usable for utilities. Varaiya et al. show vari-ous ways to manage security critical energy systems(Varaiya et al., 2011). However, they rather focus onformal methods, and their smart grid model does notreflect current European smart grids. Finally, Hou etal. outline the differences in risk modeling betweentraditional grids and smart grids (Hou et al., 2011),while we focus on the smart grid landscape that is cur-rently deployed or will be deployed in the near future.In addition, existing risk assessment approaches arecovered in more detail in Section 4.1.
Regarding smart grid security mechanisms, Yan etal., Mohan et al. and Vigo et al. provide an overviewof security mechanisms for smart grids and smart me-ters (Yan et al., 2012; Mohan and Khurana, 2012;Vigo et al., 2012). While their work provides anoverview of how security mechanisms should be real-ized, in our approach, we focus on the security mech-anisms that are either implemented in current imple-mentations or will be part of near-future implementa-tions. Finally, Wang et al. (Yufei et al., 2011) presentsmart grid standards covering security, but rather tar-get U.S. standards like those published by NIST.
3 CUMULATIVE SMART GRIDMODELING USING SGAM
In our joint approach to identify technological risks incurrent and future European smart grids, it turned outthat leading experts, utilities and even manufacturershave a very different view and definition of what thesmart grid is. Focusing on European smart grids andthe Austrian power grid in particular, on a high-levelview, the smart grid domains and actors within thosedomains are comparable to existing standards such
as the NIST Smart Grid Framework (NIST, 2013a)or the European Smart Grid Reference Architecture(Smart Grid Coordination Group, CEN-CENELEC-ETSI, 2012b). In a first task, we asked utilities tocompare their deployed smart grid systems, model re-gions, pilot projects and concepts with existing refer-ence models. Since, unlike the NIST framework, theEuropean smart grid reference architecture focuses onEuropean smart grid technologies, it was chosen as abasis for the comparison. Specifically, we used theSmart Grid Architecture Model (SGAM) (Smart GridCoordination Group, CEN-CENELEC-ETSI, 2012b)to allow for a well-structured comparison. Overall, 45different projects could be identified and prioritizedaccording to project size, project relevance, and bothamount and quality of available information. Thestudy showed that, in general, the SGAM model isusable with some limitations, but the reference modelis only applicable on a high level. While it sketchesthe general structure of European smart grids, it doesnot contain detailed information on the technologiesimplementing smart grid components in this struc-ture. For that matter, it is not adequate for qualifiedrisk modeling suitable for utilities. To close this gap,we combined seven national and four internationalprojects within the SGAM model to form a cumula-tive architecture model allowing us to deduce threatsand risks for both current and future smart grid instal-lations in Europe. The following sections describe ourapproach in more detail.
3.1 The Smart Grid Architecture Model(SGAM) Framework
The SGAM model had its original motivation in iden-tifying gaps in standardization and locating these gapsin the SGAM model space. The model is structuredin zones and domains (see Fig. 1). While the zonesare derived from the typical layers of a hierarchi-cal automation system (from field via process, sta-tion towards operation and enterprise level (Sauteret al., 2011)), the domains reflect power-system spe-cific fields of different actors such as transmissionsystem operators, distribution system operators, andcustomers. In contrast to the NIST model, the Euro-pean approach has a dedicated DER (Distributed En-ergy Resources) domain, which captures small dis-tributed generators with their special infrastructure.Finally, in the third dimension, SGAM features in-teroperability layers. With these layers, the differentaspects of networked smart grid systems are aligned.The base layer is the component layer, where phys-ical and software components are situated. On topof that, communication links and protocols between
these components can be placed. The informationlayer holds the data models of the information ex-changed. On top of that, the function layer holdsthe actual functionalities, and the uppermost layer de-scribes the business goals of the system.
Today, SGAM serves three major purposes: firstof all, it is a means to visualize and compare differentsmart grid automation architectures. This also allowsthe identification of gaps in all layers. Finally, SGAMcan serve as a useful model to support model-drivenarchitecture development. In this work, SGAM wasapplied for the first two purposes: comparison andidentification of gaps.
Process Field
Station Operation
Enterprise
Market
Figure 1: Smart Grid Architecture Model (SGAM) Frame-work
3.2 Current and Future Smart GridTechnologies within SGAM
Within the project, a holistic architecture was derived,which reflects the short- to mid-term extension of to-day’s power grid IT technology towards future smartgrid functionalities. The methodology used to achievethis architecture is based on individual SGAM mod-eling of national and international smart grid projectsthat significantly build on the use of ICT systems.From 45 project candidates, seven significant nationalsmart grid research projects were selected for model-ing:
• IEM: Intelligent Energy Management
• Smart Web Grids (Smart Grid ModellregionSalzburg, 2011)
• DG DemoNetz Smart LV Grids (Klimafonds,2012)
• ZUQDE: Zentrale Spannungs- und Blindleis-tungsregelung mit dezentralen Einspeisungen inder Demoregion Salzburg (Smart Grid Modellre-gion Salzburg, 2010)
• EMPORA: E-Mobile Power Austria (E-MobilePower Austria, 2010)
• AMIS Smart Metering Rollout
A similar approach was applied to internationalprojects. The selected significant projects were:
• The European FP7 Project OpenNode (OpenN-ode, 2012)
• The European FP7 Project EcoGrid EU (EcoGrid,2012)
• The US Demand Response Automation Server(DRAS) (DRAS, 2008)
• The German ICT Gateway Approach OGEMA(OGEMA, 2012)
For SGAM modeling, detailed information about thetechnical implementations had to be requested fromthe projects under analysis. The availability of infor-mation (or contacts to the projects) was an additionalselection criterion for the international projects.
3.3 European Smart Grid Viewaccording to the Cumulative SGModel
The derived architecture (Fig. 2) includes a harmo-nized cumulative view of the components found in allanalyzed projects. The SGAM domains transmissionand bulk generation were not covered by the selectedprojects since in the Austrian or, respectively, Euro-pean view, the smart grid is primarily related to dis-tribution systems. The architecture shows the compo-nent and communication layer of the SGAM model.On the bottom, the field devices can be found (suchas smart meters or dedicated sensors and actuators).On the station level, both primary and secondary sub-station are situated with their current and prospec-tive automation components. On the customer side,mainly residential customers, commercial buildings,and electric mobility can be found. On the top of thearchitecture, the enterprise level and market compo-nents are located.
However, one of the main differences to exist-ing models is the addition of detailed communica-tion technology descriptions allowing a more in-depthrisk assessment approach. The communication pro-tocols and technologies underlined are the ones thatare predominantly used in the projects we analyzed.For instance, in future smart grids the broad use ofWeb Services is anticipated for communicating withthe energy market. Nevertheless, as depicted in ourarchitecture, the predominant way to achieve this incurrent smart grids is to use personal communicationvia email or phone calls. From a risk assessment per-spective, this results in a significant difference as WebServices can potentially be more easily compromisedthan a phone call made between a group of personswho probably know each other well from their dailywork routine.
3.4 Evaluation of the Model
After a first draft of the architecture model had beendeveloped, it was subject to a number of feedbackrounds with members of the consortium (utilities andmanufacturers). Improvements and additional infor-mation were integrated into the architecture. The(SG)2 architecture model serves as an anchor pointfor further analysis and as a common document of en-ergy, IT and security experts. The main benefit of themodel is that questions between the different expertdomains can clearly be formulated and therefore eas-ily be answered by referring to individual elements ofthe architecture.
4 SMART GRID RISKASSESSMENT
4.1 Existing Approaches
Smart grid cyber security and risk assessment in par-ticular has been addressed in several standards, guide-lines and recommendations. The U.S. National Insti-tute of Standards and Technology (NIST) has devel-oped a three-volume report on “Guidelines for SmartGrid Cyber Security (NIST-IR 7628)” (NIST, 2013b):Volume two focuses on risks related to customer pri-vacy in the smart grid, and gives high-level recom-mendations on how to mitigate these risks. However,no general approach for assessing security risks in thesmart grid is provided. The European Network andInformation Security Agency (ENISA) has issued areport on smart grid security. It builds on existingwork like NIST-IR 7628 or ISO 27002 and provides
Figure 2: Cumulative Smart Grid Model
a set of specific security measures for smart grid ser-vice providers, aimed at establishing a minimum levelof cyber security (ENISA, 2012). Each security mea-sure can be implemented at three different “sophisti-cation levels”, ranging from early-stage to advanced.The importance of a risk assessment to be performedbefore deciding the required sophistication levels is
pointed out, but no specific risk assessment method-ology is identified within the report.
The German Federal Office for Information Se-curity has come up with a Common Criteria Pro-tection Profile for the Gateway of a Smart MeteringSystem and its Security Module (BSI, 2013b; BSI,2013c). Both define minimum security requirements
for the corresponding smart grid components basedon a threat analysis. However, the Common Criteriaapproach, which focuses on a specific, well-definedTarget of Evaluation, cannot provide a holistic viewon cyber security threats in future smart grids. An-other drawback is that the implementation of manysmart metering systems currently being rolled outdoes not correspond to the defined gateway and se-curity module design concept.
The CEN-CENELEC-ETSI Smart Grid Coordina-tion Group has provided a comprehensive frameworkon smart grids in response to the EU Smart Grid Man-date M/490 (Smart Grid Coordination Group, CEN-CENELEC-ETSI, 2012a). As part of that framework,the “Smart Grid Information Security (SGIS)” reportdefines five SGIS Security Levels to assess the criti-cality of smart grid components by focusing on powerloss caused by ICT systems failures. Moreover, fiveSGIS Risk Impact Levels are defined that can be usedto classify inherent risks in order to assess the impor-tance of every asset of the smart grid provider. Thismeans that the assessment is carried out under the as-sumption that no security controls whatsoever are inplace. While this is a valuable approach, it is not suit-able for a more practical scenario that focuses on ac-tual, currently deployed or foreseeable implementa-tions.
Risk assessment methodologies have also beenaddressed by the FP7 project EURACOM, which con-sidered protection and resilience of energy supply inEurope and aimed at identifying a common and holis-tic approach for risk assessment in the energy sector.As part of a project deliverable1, existing risk assess-ment methodologies and good practices have been an-alyzed in order to identify a generic risk assessmentmethod which could be customized to suit the specificneeds of the energy sector.
While most of the existing risk assessment meth-ods are asset-driven, the (SG)2 project required anarchitecture-driven approach for developing a riskcatalog. This approach is described more closely inthe following.
4.2 Our Approach: Threat Matrix andRisk Catalog
The risk assessment approach taken in (SG)2 focusedon the ICT architecture model initially developedwithin the project (see Section 3). The goal was tocome up with a comprehensive catalog of ICT-relatedrisks for smart grids in Europe from a Distribution
1The EURACOM project deliverables can be down-loaded at http://www.eos-eu.com/?Page=euracom.
System Operator’s perspective. The following stepswere taken to achieve that goal:
1. Compile a threat catalog for smart grids focusingon ICT-related threats and vulnerabilities
2. Develop a threat matrix by applying the threat cat-alog to the ICT architecture model, i.e., identifywhich threats apply to which components of themodel
3. Assess the potential risk for each element withinthe threat matrix by estimating the probability andthe impact of an according attack, thus eventuallyproducing a risk catalog
These steps are explained in more detail in the follow-ing paragraphs.
4.2.1 Compiling the Threat Catalog
The (SG)2 threat catalog was not to be developedfrom scratch, but should build upon a well-establishedsource of ICT-related security threats. To that end,the IT Baseline Protection Catalogs developed by theFederal Office for Information Security (BSI, 2013a)were chosen to form the main source of input asthey provide a comprehensive list of security threatsthat could possibly apply to an ICT-supported system.Additionally, the threats specified in the smart-grid-specific Protection Profiles (BSI, 2013b; BSI, 2013c)were taken into account. Non-technical threats, i.e.,threats related to organizational issues or force ma-jeure, were not considered due to the scope and focusof the (SG)2 project. Thus, out of a list of initially 500threats accumulated from the identified sources, theones without any relevance to smart grids or withoutany relation to ICT were eliminated at first, yieldingroughly half of the initial threats for further consider-ation. While certain threats listed in the BSI Catalogsare very generic, others apply to very specific settingsonly; therefore, it was necessary to merge some of thethreats that remained in our list after the “weeding”step. This resulted in a list of 31 threats, which weregrouped into the following clusters:
• Authentification / Authorization
• Cryptography / Confidentiality
• Integrity / Availability
• Missing / Inadequate Security Controls
• Internal / External Interfaces
• Maintenance / System Status
Since the BSI Baseline Protection Catalogs are nottailored for any specific use case, the relevant threatshad to be adapted to the smart grid scenario, i.e., theywere interpreted in the smart grid context.
4.2.2 Developing the Threat Matrix
The next step on the path to the (SG)2 risk catalogwas to apply the threats identified in the first step tothe components of the (SG)2 architecture model (seeSection 3), i.e., to state which threats are relevant forwhich of the components and why. To answer thatquestion, the functionality and the characteristics ofthe individual architecture components had to be as-sessed first. For feasibility reasons, the granularity ofthe components to be considered was set to the levelof the boxes depicted in dark grey in Fig. 2:
• Functional Buildings
• E-Mobility & Charge Infrastructure
• Household
• Generation Low Voltage
• Generation Medium Voltage
• Testpoints
• Transmission (High/Medium Voltage)
• Transmission (Medium/Low Voltage)
• Grid Operation
• Metering
The Energy Markets domain was not considered dueto lack of current ICT utilization and lack of informa-tion on future functionalities.
For each element of the threat matrix, it was firstdecided whether the threat could be relevant to thatparticular component or not. If potential relevancewas assessed, the reason for that decision was noted,and possible attack scenarios were developed. Sincethe architecture model considered also smart grid de-velopments for the near future, reasonable assump-tions regarding the implementation had to be made incertain cases. These assumptions were discussed andverified by the involved manufacturers and utilities.
4.2.3 Assessing the Risk Potential
The final step of the (SG)2 risk assessment involvedestimating the risk potential for each element of thethreat matrix, thus providing a comprehensive riskcatalog. To that end, the probability and the impactof each of the threats occuring was rated for each ofthe components of the architecture model. A semi-quantitative approach was chosen for the risk assess-ment, which had previously been applied and prac-tically assessed by one of the member organizationsof the project consortium: both probability and im-pact were measured on a five-level scale ranging fromvery low (level 1) to very high (level 5). The probabil-ity level was determined by the number of successful
attacks per year, ranging from less than 0.1 incidents(level 1) to multiple incidents (level 5) per year. Theimpact of a successful attack was determined by mon-etary loss, customer impact, and geographic range ofthe effects (e.g., local, regional, global). The outcomeof this step is a comprehensive catalog of cyber secu-rity risks on smart grids in Europe. The steps taken toevaluate the catalog as well as the main findings aredescribed in the following section.
5 EVALUATION AND RESULTS
A good threat and risk assessment model delivers use-ful results, i.e., captures specific threats appropriately,is easy to use, and well applicable in reality. Withthese targets in mind, we evaluated and revised themodel in a series of workshops, where domain ex-perts from both areas of information technology andenergy rated the proposed risk assessment approach.
5.1 Evaluation Methodology
The evaluation, partly integrated in the overall cre-ation of our cumulative smart grid model for risk as-sessment, included in the following three steps:
• Step 1: Evaluation of Threat Catalog. In orderto evaluate our threat catalog, we set up end userworkshops with experts from utility providers, de-vice manufacturers, and academic institutions toevaluate both the relevance and completeness ofthe identified threats. During that evaluation, ad-ditional threats were added that are unique to thesmart grid domain.
• Step 2: Threat Relevance. Experts surveyed theapplicability of identified threats to the variousdomains in the SGAM model. This step enabledthe identification of the most important threats perdomain as well as their interdependencies, andfurther allowed to focus on most relevant threats.The result was again discussed and refined withmajor utility providers in Austria in end user cen-tric workshops.
• Step 3: Probability and Impact Assessment. In alast step, we had experts independently rate theprobability of occurrence of identified threats andthe impact from their point of view. These ex-perts represent the opinions of different utilityproviders, ranging from small and locally operat-ing organizations, to larger ones. In a joint work-shop, the individual results were again discussedand consolidated to ensure the broad use of theresulting threat and risk catalog.
5.2 Main Findings
Dealing with proper risk assessment in the smart griddomain is indeed challenging, mainly because of thenovelty, complexity, and multidisciplinarity of thistopic. Here, we present some of the main findings,derived from the application of our approach in a realuser context. We foresee these qualitative statementsas a major contribution for future improvements ofour smart grid risk assessment approach.
5.2.1 Unbalanced Risk Distribution
Essentially, the probability of a security breach iscomparatively low on the upper levels of the cumula-tive smart grid model, because components are smallin numbers and easy to protect. An attacker typi-cally has no physical access to components, and well-trained experts acting under rigid policies maintainthe grid’s backend. Furthermore, protection mech-anisms on the upper levels do not suffer from costpressure on this level; for instance, redundant sys-tems and hot stand-by sites are state-of-the-art here.However, once an attacker manages to get access tocritical systems, the negative impact will eventuallybe high; for instance, shutting down a primary sub-station node could affect whole city districts. Thismakes the security of higher level smart grid com-ponents a first priority for utility providers. On theother hand, the probability of a security incident onthe bottom level of the cumulative smart grid modelis much higher. The reason is that attackers can eas-ily get hold of components (e.g., a concentrator or asecondary substation node) or have them installed ontheir own premises (e.g., a smart meter). The impactof an attack towards these components is expected tobe (geographically) limited at a first glance. The situ-ation may however change tremendously if someonepublishes a successful smart meter mass attack on theInternet. This could lead to unanticipated cascadingeffects in the power grid. Hence, smart grid securityon the lower levels of the smart grid is of major im-portance for utility providers as well.
5.2.2 Evolution of the Grid
Security challenges arise from the fact that the currentpower grid architecture is just step-wise transformedto a smart grid. While neither a pure legacy systemnor a completely new system designed from scratchis too hard to be properly secured, while a mixture ofboth is. We identified that during the transmission ofthe current power grid into a smart grid, we are facingmany security challenges: (i) the mix of legacy pro-tocols and new protocols; (ii) the usage of wrappers,
data converters, and gateways to make devices inter-operable; (iii) short innovation cycles and rapid pacewith which technologies advance clash with the tradi-tional views of grid investments, where componentshave been designed to last for decades.
5.2.3 Technological Diversity
Not only the transformation phase, but also the fi-nal smart grid architecture foresees the applicationof a wide variety of different technologies (Skopikand Langer, 2013). Many security specialists ar-gue that this diversity leads to a large attack sur-face, meaning that in hundreds of different protocolsand implementations, a security relevant flaw is muchmore likely compared to only a small set of well-tested standardized technologies. This technologicaldiversity and the need for seamless interoperabilitymostly avoids rigid designs and the setup of a uni-form and secure architecture. On the other side, sys-tems may be designed with different goals in mindso that the intermediary interfaces between them maylead to security vulnerabilities. Although standardiza-tion bodies, such as the NIST and BSI, have published(vendor-independent) viable technology recommen-dations and guidelines, there are no obligations fordevice vendors and utility providers to stick to them.However, we must not negate the positive aspectsof technological diversity. Combining different tech-nologies and products can help to prevent cascadingeffects caused by a specific vulnerability prevalent ina single technology or series of devices. As a conse-quence, an attack that has been successful at one util-ity provider is not necessarily successful at anotherone, if different technologies are deployed.
5.2.4 Risk Assessment Complexity
The complexity of risk assessment in the energy do-main increases rapidly with the introduction of ICTcomponents. This situation will become even worse,once smart grid technology is rolled out on a largescale, because systems become more and more cou-pled, even across geographical borders, resulting instrong interdependencies among components. Theutility providers’ concerns are therefore mainly cen-tered around the understanding, detection, and miti-gation of complex attack scenarios, where similarlyto highly distributed computer systems, a multitudeof vulnerabilities may be exploited in course of acomplex attack. Estimating risks for such cases isextremely difficult, since numerous mostly unknownvariables need to be considered. An example for sucha complex attack case is the potential intrusion of ma-licious users into the metering backend through an ex-
ploitation of the smart meter communication network.Here, we argue that our architecture model, whichclearly documents existing communication links aswell as utilized protocols, is of significant help.
6 CONCLUSION AND FUTUREWORK
In this work we analyzed existing smart grid stan-dards with respect to smart grid security and riskassessment together with leading manufacturers andutilities. Our study indicated that standards like NIST-IR 7628 (NIST, 2013b) or the Protection Profiles pub-lished by the The German Federal Office for Informa-tion Security (BSI, 2013b; BSI, 2013c) are only oflimited practical use to utilities. As a consequence, ina joint approach with leading manufacturers and utili-ties, we analyzed seven national and four internationalsmart grid projects to form a cumulative smart gridmodel representing both current and future Europeansmart grids. In comparison to existing models likethe U.S. NIST Smart Grid Framework (NIST, 2013a)or the European Smart Grid Reference Architecture(Smart Grid Coordination Group, CEN-CENELEC-ETSI, 2012b), our model is technically more detailedand includes a description of predominant communi-cation technologies. In the second part of our work,we developed an extensive methodology to assessthe risks involved within our cumulative smart gridmodel. While our threat catalog initially comprised alist of more than 500 threats, we were able to create aclustered catalog of no more than 31 threats that canbe practically handled on top of the smart grid areas inour model. Due to the close cooperation with leadingmanufacturers and utilities, we believe that our workhas a high practical impact on European utilities, asit can support them to conduct a risk analysis of theirspecific infrastructure.
In near future, we also plan to extend our risk cat-alog with respect to risk mitigation approaches andsecurity controls, so that utilities can effectively miti-gate identified risks with the help of our framework.
ACKNOWLEDGEMENTS
This work has been made possible through the jointSG2 KIRAS project under national FFG grant number836276.
REFERENCES
AIT (2013). SmartGrid Security Guidance.http://www.ait.ac.at/research-services/research-services-safety-security/ict-security/reference-projects/sg2-smart-grid-security-guidance/. [On-line; accessed 14-October-2013].
BSI (2013a). IT Baseline Protection Catalogs. http://www.bsi.bund.de/gshb.
BSI (2013b). Protection Profile for the Gateway of a SmartMetering System. BSI-CC-PP-0073.
BSI (2013c). Protection Profile for the Security Module ofa Smart Metering System (Security Module PP). BSI-CC-PP-0077.
DRAS (2008). The US Demand Response Automa-tion Server. http://drrc.lbl.gov/projects/draserver. [Online; accessed 16-October-2013].
E-Mobile Power Austria (2010). Empora. http://www.empora.eu/. [Online; accessed 16-October-2013].
EcoGrid (2012). European FP7 Project. http://www.opennode.eu. [Online; accessed 16-October-2013].
ENISA (2012). Appropriate security measures forsmart grids. http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/smart-grids-and-smart-metering/appropriate-security-measures-for-smart-grids.
Hou, H., Zhou, J., Zhang, Y., and He, X. (2011). A briefanalysis on differences of risk assessment betweensmart grid and traditional power grid. In KnowledgeAcquisition and Modeling (KAM), 2011 Fourth Inter-national Symposium on, pages 188–191.
Klimafonds (2012). DG DemoNet - SmartLV Grid. http://www.ait.ac.at/departments/energy/research-areas/electric-energy-infrastructure/smart-grids/dg-demonet-smart-lv-grid/.[Online; accessed 16-October-2013].
Lu, Z., Lu, X., Wang, W., and Wang, C. (2010). Review andevaluation of security threats on the communicationnetworks in the smart grid. In MILITARY COMMU-NICATIONS CONFERENCE, 2010 - MILCOM 2010,pages 1830–1835.
Mohan, A. and Khurana, H. (2012). Towards addressingcommon security issues in smart grid specifications.In Resilient Control Systems (ISRCS), 2012 5th Inter-national Symposium on, pages 174–180.
NIST (2013a). NIST Special Publication 1108R2 - NISTFramework and Roadmap for Smart Grid Interoper-ability Standards, Release 2.0.
NIST (2013b). NISTIR 7628 - Guidelines for Smart GridCybersecurity.
OGEMA (2012). The German ICT Gateway Approach.http://www.ogema.org. [Online; accessed 16-October-2013].
OpenNode (2012). European FP7 Project. http://www.opennode.eu. [Online; accessed 16-October-2013].
Ray, P., Harnoor, R., and Hentea, M. (2010). Smart powergrid security: A unified risk management approach.
In Security Technology (ICCST), 2010 IEEE Interna-tional Carnahan Conference on, pages 276–285.
Sauter, T., Soucek, S., Kastner, W., and Dietrich, D. (2011).The evolution of factory and building automation. InIEEE Magazine on Industrial Electronics, pages 35–48.
Skopik, F. and Langer, L. (2013). Cyber security chal-lenges in heterogeneous ict infrastructures of smartgrids. Journal of Communications, 8(8):463–472.
Smart Grid Coordination Group, CEN-CENELEC-ETSI(2012a). Reports in response to smart grid mandatem/490. http://www.cencenelec.eu/standards/sectors/SmartGrids/Pages/default.aspx. [On-line; accessed 16-October-2013].
Smart Grid Coordination Group, CEN-CENELEC-ETSI (2012b). Smart grid reference archi-tecture. http://ec.europa.eu/energy/gas_electricity/smartgrids/doc/xpert_group1_reference_architecture.pdf. [Online; accessed15-October-2013].
Smart Grid Modellregion Salzburg (2010). ZUQDE.http://www.smartgridssalzburg.at/forschungsfelder/stromnetze/zuqde/. [Online;accessed 16-October-2013].
Smart Grid Modellregion Salzburg (2011). Smart
Web Grid. http://www.smartgridssalzburg.at/forschungsfelder/ikt/smart-web-grid/. [On-line; accessed 16-October-2013].
Varaiya, P., Wu, F., and Bialek, J. (2011). Smart operationof smart grid: Risk-limiting dispatch. Proceedings ofthe IEEE, 99(1):40–57.
Vigo, R., Yuksel, E., and Ramli, C. (2012). Smart grid secu-rity a smart meter-centric perspective. In Telecommu-nications Forum (TELFOR), 2012 20th, pages 127–130.
Yan, Y., Qian, Y., Sharif, H., and Tipper, D. (2012). A sur-vey on cyber security for smart grid communications.Communications Surveys Tutorials, IEEE, 14(4):998–1010.
Yufei, W., Bo, Z., WeiMin, L., and Tao, Z. (2011). Smartgrid information security - a research on standards. InAdvanced Power System Automation and Protection(APAP), 2011 International Conference on, volume 2,pages 1188–1194.
APPENDIX
Thr
eatC
ateg
ory
Thr
eat
Func
tiona
lBui
ldin
gsE
-Mob
ility
incl
.Inf
rast
ruct
.H
ouse
hold
Gen
erat
ion
(Low
Volt.
)G
ener
atio
n(H
igh
Volt.
)
Auth
entic
atio
n/A
u-th
oris
atio
nD
efec
tive
orm
iss-
ing
auth
entic
atio
nor
inap
prop
ri-
ate
hand
ling
ofau
then
ticat
ion
data
Rel
evan
tfo
ral
lin
terf
aces
toth
eSm
art
Gri
dG
atew
ay(B
uild
ing
Aut
omat
ion,
Mar
-ke
t/Int
erne
tun
dSe
cond
ary
Subs
tatio
n)(P
:2;I
:2)
An
atta
cker
coul
dim
pers
on-
ate
the
EM
San
dta
keco
ntro
lov
eral
lch
arge
stat
ions
inan
affe
cted
area
(e.g
.,a
stre
et),
whi
chco
uld
lead
toin
stab
ili-
ties
inth
egr
id(P
:2;I
:3)
Rel
evan
tfor
Smar
tGri
dG
ate-
way
and
Smar
tM
eter
and
all
inte
rfac
es(c
onfig
urat
ion
inte
r-fa
ce,M
arke
t,PL
Cto
data
con-
cent
rato
ran
dSe
cond
ary
Sub-
stat
ion)
(P:2
;I:2
)
Exa
ctsc
ope
and
func
tiona
l-ity
ofSm
art
Gri
dG
atew
ayis
not
clea
rto
date
-ho
ww
illth
eau
then
ticat
ion
tow
ards
the
Aut
omat
ion
Fron
t-en
dan
dth
eSm
art
Gri
dG
atew
aybe
han-
dled
?(P
:1-3
;I:2
-3)
Exa
ctsc
ope
and
func
tiona
l-ity
ofSm
art
Gri
dG
atew
ayis
not
clea
rto
date
-ho
ww
illth
eau
then
ticat
ion
tow
ards
the
Aut
omat
ion
Fron
t-en
dan
dth
eSm
art
Gri
dG
atew
aybe
han-
dled
?(P
:1-3
;I:3
-4)
Cry
ptog
raph
y/
Con
fiden
tialit
yD
iscl
osur
eof
sens
i-tiv
eda
taB
uild
ing
auto
mat
ion
data
are
sens
itive
sinc
eth
eym
aygi
veaw
ayin
form
atio
nab
out
pro-
duct
ivity
orw
orki
ngho
urs
(P:
2;I:
2)
Con
fiden
tial
load
data
coul
dbe
eave
sdro
pped
onth
roug
hth
eco
nnec
tion
toth
eE
-M
obili
tyM
anag
emen
tSys
tem
orSm
art
Gri
dG
atew
ay(P
:2-
3;I:
2)
Met
erin
gda
tais
confi
dent
ial
sinc
eit
affe
cts
priv
acy
and
habi
tsof
the
cust
omer
s;im
-pa
ctof
acci
dent
aldi
sclo
sure
depe
nds
onth
esc
ope
ofda
taan
dth
enu
mbe
rof
hous
ehol
dsaf
fect
ed(P
:2;I
:3)
Out
put
data
ofsm
all
prod
uc-
ers
isco
nfide
ntia
lsi
nce
they
may
allo
wco
nclu
sion
sto
bedr
awn
onco
nsum
erbe
havi
or;
high
prob
abili
tysi
nce
nopr
o-te
ctio
nm
easu
res
curr
ently
inpl
ace
(P:4
;I:3
)
Har
dly
rele
vant
sinc
eou
tout
data
are
not
confi
dent
ial;
low
mot
ivat
ion
(P:1
;I:1
)
Inte
grity
/Ava
ilabi
l-ity
Tam
peri
ngw
ithde
-vi
ces
Har
dly
rele
vant
due
toph
ysi-
cala
cces
sco
ntro
l;Sm
artG
rid
Gat
eway
coul
dbe
phys
ical
lypa
rtof
the
Bui
ldin
gA
utom
a-tio
nsy
stem
;bu
ildin
gop
era-
tor
has
nom
otiv
atio
nto
com
-pr
omis
ehi
sow
nlo
adm
anag
e-m
ent(
P:1;
I:1)
Tam
peri
ngw
ithE
V,ch
arge
stat
ion
orE
-Mob
ility
Man
-ag
emen
tSy
stem
;a
mal
icio
usus
erca
nea
sily
acce
ssre
leva
ntco
mpo
nent
s;im
pact
depe
nds
onw
heth
erpr
ivat
eor
publ
icch
arge
stat
ion
ista
rget
ed(P
:3;
I:2-
3)
Cus
tom
ers
have
dire
ctac
cess
toth
eco
mpo
nent
s;m
ain
mo-
tivat
ion
isfr
aud,
but
mor
ese
-ve
reat
tack
sm
ight
asw
ell
bepo
ssib
le(e
.g.
issu
ing
cont
rol
com
man
ds)(
P:4;
I:3)
Rel
ativ
ely
expo
sed
(in
aho
useh
old)
;th
eam
ount
ofen
ergy
supp
lied
may
bea
subj
ect
tofr
aud;
depe
nds
onth
eus
eof
anom
aly
dete
ctio
nte
chni
ques
and
plau
sibi
lity
chec
ks(P
:4;I
:2)
Bas
icle
velo
fphy
sica
lpro
tec-
tion;
low
prob
abili
tydu
eto
prof
essi
onal
oper
ator
(P:
1;I:
4)
Mis
sing
/In
ad-
equa
teSe
curi
tyC
ontr
ols
Def
ectiv
eor
mis
sing
secu
rity
cont
rols
inne
twor
ks
Com
mun
icat
ion
via
the
net-
wor
kin
the
build
ing;
Smar
tG
rid
Gat
eway
com
mun
icat
esvi
ain
secu
rene
twor
ks(I
nter
-ne
t),w
hich
open
sup
the
poss
i-bi
lity
ofdi
stri
bute
dat
tack
son
the
Smar
tGri
dG
atew
ay(P
:1;
I:4)
Use
ofpr
otoc
ols
that
lack
secu
rity
feat
ures
(e.g
.IE
C61
334
via
PLC
)cou
ldle
adto
eave
sdro
ppin
gon
confi
dent
ial
load
data
;ne
gativ
eco
nse-
quen
ces
form
anuf
actu
rer/
op-
erat
orof
the
char
gest
atio
n,al
-th
ough
the
utili
tym
ayal
sobe
affe
cted
(P:2
;I:2
)
Com
mun
icat
ion
over
inse
cure
netw
orks
(Int
erne
t,PL
C)
(P:
3;I:
3)
Esp
ecia
llyre
leva
ntfo
rInt
erne
tco
nnec
tion
toSe
cond
ary
Sub-
stat
ion
Nod
e(P
:2;I
:2)
Esp
ecia
llyre
leva
ntfo
rco
mm
unic
atio
nov
erth
ete
leco
ntro
lW
AN
,cu
rren
tlyIE
C60
870-
5-10
4w
ithou
ten
cryp
tion
(P:2
;I:3
)
Inte
rnal
/E
xter
nal
Inte
rfac
esIl
lega
llog
ical
inte
r-fa
ces
Ille
gal
com
mun
icat
ion
chan
-ne
lsbe
twee
nth
eG
atew
ayan
din
terf
aces
(Mar
ket/I
nter
net,
Seco
ndar
ySu
bsta
tion,
Bui
ld-
ing
Aut
omat
ion)
coul
dbe
esta
blis
hed
and
expl
oite
din
anat
tack
(P:2
;I:3
)
Ille
gal
com
mun
icat
ing
with
EV,
char
gest
atio
nor
E-
Mob
ility
Man
agem
entS
yste
mco
uld
lead
todi
sclo
sure
ofco
nfide
ntia
lloa
dda
ta(P
:2;
I:3)
Ille
gal
com
mun
icat
ion
chan
-ne
lsbe
twee
nth
eSm
art
Gri
dG
atew
ayan
dis
tin
terf
aces
(Mar
ket/I
nter
net,
Seco
ndar
ySu
bsta
tion,
Smar
tM
eter
)co
uld
bees
tabl
ish
and
ex-
ploi
ted
inan
atta
ck(P
:2;
I:3)
Due
toph
ysic
alex
pona
tion
anat
tack
erco
uld
inte
ract
with
the
syst
emdi
rect
ly,t
hus
reve
alin
gne
win
terf
aces
that
coul
dbe
expl
oite
d(P
:3;I
:2)
Bas
icle
vel
ofph
ysic
alpr
o-te
ctio
n;ac
cess
tote
leco
ntro
lW
AN
may
befe
asib
leth
roug
hfa
ulty
oper
atio
nor
targ
eted
at-
tack
s(P
:2;I
:3)
Mai
nten
ance
/Sy
s-te
mSt
atus
Ope
ratio
nof
unre
g-is
tere
dor
inse
cure
com
pone
nts
orco
m-
pone
nts
with
over
lybr
oad
rang
eof
func
-tio
ns
The
Gat
eway
coul
dha
vea
wid
era
nge
ofca
pabi
litie
san
dfu
nctio
ns,
thus
incr
eas-
ing
the
atta
cksu
rfac
evi
ath
ein
terf
aces
(Bui
ldin
gA
utom
a-tio
n,M
arke
t/Int
erne
t,Se
c-on
dary
Subs
tatio
n)(P
:2;I
:2)
Poss
ible
disr
uptio
nof
the
E-
Mob
ility
Man
agem
entS
yste
mor
Smar
tGri
dG
atew
ayif
con-
nect
edto
ano
n-st
anda
rdor
man
ipul
ated
char
gest
atio
n;
loca
lim
pact
only
(P:1
;I:1
)
Smar
tGri
dG
atew
ayor
Smar
tM
eter
coul
dha
vea
too
wid
era
nge
ofca
pabi
litie
san
dfu
nc-
tions
,th
usin
crea
sing
the
at-
tack
surf
ace
via
the
inte
rfac
es(S
mar
tMet
erin
g,M
arke
t,Se
c-on
dary
Subs
tatio
n)(P
:2;I
:2)
Rat
her
low
prob
abili
tysi
nce
the
com
pone
nts
are
dedi
cate
dto
ave
rysp
ecifi
cus
e;ho
w-
ever
,ba
ckdo
ors
cons
titut
ea
real
istic
thre
atsc
enar
ioes
pe-
cial
lyin
repl
icat
edde
vice
s(P
:3;
I:2)
Rat
her
low
prob
abili
tysi
nce
the
com
pone
nts
are
dedi
cate
dto
ave
rysp
ecifi
cus
e;ho
w-
ever
,ba
ckdo
ors
cons
titut
ea
real
istic
thre
atsc
enar
io(P
:2;
I:3)
Tabl
e1:
Thr
eatA
sses
smen
t(Pa
rt1)
.N
otic
e,th
eth
reat
cate
gory
and
anex
empl
ary
thre
atar
egi
ven
inth
efir
sttw
oco
lum
ns.
Subs
eque
ntco
lum
nsco
ntai
nth
equ
antit
ativ
ean
dqu
alita
tive
asse
ssm
ents
resu
ltsfo
r(P)
roba
bilit
yan
d(I
)mpa
cton
asc
ale
from
1to
5fo
reac
hth
reat
and
perd
omai
n.
ThreatC
ategoryT
hreatTestpoints
Transmission
(High/M
ed.Voltage)
Transmission
(Med./L
owVoltage)
Grid
Operation
Metering
Authentication/
au-thorisation
Defective
orm
iss-ing
authenticationor
inappropri-ate
handlingof
authenticationdata
No
authenticationbetw
eenA
utomation
Front-endand
Testpoint,althoughthe
Front-end
authenticatestow
ardsthe
Primary
Subst.N
ode(PSN
);a
spoofingattack
couldlead
tofalse
databeing
sentto
thePSN
;low
impact
(suboptimal
supply)(P:2-3,I:1)
Due
tothe
relativelylow
number
ofPrim
arySubstation
Nodes
accountsor
parameters
canbe
configuredand
testedm
anually,therefore
theprob-
abilityis
lower
thanin
lower
partsofthe
architecturem
odel(P:1-2,I:4)
Especially
relevantforrem
otem
aintenanceaccess
points;Secondary
SubstationN
odeand
Concentratorcan
beeasily
accessedm
ostly,w
hichgives
ahigh
probability;possibly
regionalim
pactsin
caseof
unauthorizedaccess
(P:4;
I:3)
Access
rightsm
anagement
onSC
AD
Asystem
sim
plemented
onan
individualbasis
atutil-
ities,standardIT
technologiesare
employed;”identity
spoof-ing”
ofcalls
toE
MS;
main
threatis
exploitationof
inse-cure
remote
accesssolutions
(P:2,I:4)
The
connectionbetw
eenA
MI
headendand
Smart
Meters
isencrypted
byutilizing
strongcryptographic
primitives
(EC
DSA
,A
ES);
authenti-cation
andauthorization
isrealized
throughcertificates;
thus,a
highsecurity
standardis
expected(P:1,I:2)
Cryptography
/C
onfidentialityD
isclosureof
sensi-tive
dataD
oesnotapply
sincetestdata
(voltage,frequency)
isnot
confidential
Current
supplydata
andcon-
trolcom
mands
areprobably
notconfidential;
consumption
dataare
aggregated,therefore
lowim
pact(P:2,I:1)
Processingofconfidentialsup-
ply/consumpt.
datain
Con-
centratorand
SecondarySub-
stationN
ode;m
ediumprob-
abilitydue
tolittle
(physical)protection
(P:3,I:3)
Forloadestim
ation,consump-
tionand
energyproduction
datais
anonymized;
power
gridplans
andcontrol
datais
requiredto
beprotected
ac-cordingly
(P:1-2,I:4)
Relevant
sinceconfidential
power
consumption
datais
processedand
stored(P:
1,I:
3)
Integrity/Availabil-
ityTam
peringw
ithde-
vicesH
ardlyrelevant
dueto
physi-calaccess
controlmechanism
sin
place;m
anipulationvia
thecom
munication
interfacecould
befeasible
(e.g.chang-
ingthe
configurationon
SDcard);low
impact(P:2,I:1)
Tampering
hardlyrelevantdue
tohigh
voltage,but
thism
aynot
holdfor
malicious
insid-ers;
currentlystrong
impact
(outage),buttimely
mitigation
canbe
expected(P:2,I:3)
Tampering
possibleespecially
with
Concentrator;ratherhigh
probabilitydue
tolittle
(phys-ical)
protectionm
easures;re-
gionalimpact(P:3-4,I:3)
Relevant
ifdirect
manipu-
lationby
insiders;rem
otem
anipulationover
telecontrolW
AN
possible;forgedprocess
datam
aycause
malfunction
ofD
MS
andsubsequently
leadto
gridinstability
(P:2,I:4)
Low
relevancedue
tophysical
protectionm
easures(P:1,I:3)
Missing
/Inad-
equateSecurity
Controls
Defective
ormissing
securitycontrols
innetw
orks
Connected
toPrim
arySub-
stationN
odevia
telecontrolW
AN
with
IEC
60870-5-104(unencrypted);
lowim
pact(suboptim
alsupply)(P:2-3,I:1)
Especially
relevantfor
thecom
munication
viathe
tele-control
WA
N;
probabilityis
lowsince
securitycontrols
inplace
arem
oreefficient
thanfor
thecom
ponentsin
thelow
erparts
ofthe
architecturem
odel(P:1,I:1-2)
Especially
relevantfor
Inter-net/PL
Cconnection
toM
id-dlew
areand
SmartG
ridG
ate-w
ay(P:2-3,I:3)
Relevant
forsom
einterfaces
(telecontrolWA
N,E
MS
link);link
toPSN
securedw
ithIPSec;
telecontrolW
AN
linkto
SecondarySubst.
Node
couldinclude
forgeddata
causinggrid
instability;(P:2,
I:4)
Especially
relevantfor
thein-
terfacesto
theoutside
world
(i.e.connection
toconcentra-
tors)(P:1,I:2)
Internal/
External
InterfacesIllegallogicalinter-faces
Relevant
forunauthorized
ac-cess
viatelecontrol
WA
N;
aD
oS-attackon
thePrim
arySubstation
Node
couldlead
togeneration
plantsgoing
offline,resulting
involtage
drops(P:2,I:2-3)
Relevant
foraccess
viatele-
controlWA
N(P:2,I:4)
Relevant
foraccess
viatele-
controlWA
N(P:2,I:4)
Relevant
dueto
unauthorizedaccess
overexternal
inter-faces:
telecontrol-WA
N(A
u-tom
ationH
eadend),W
ebser-vice
(EM
S),R
emote
Access
(SCA
DA
)depending
onde-
ployedtechnologies(P:2,I:4)
Due
toillicit
logicalinterface
(e.g.due
toa
successfulat-
tack)a
connectionfrom
them
eteringsystem
overthem
id-dlew
areto
thegrid
operationsystem
isfeasible
(P:1,I:3)
Maintenance
/Sys-
temStatus
Operation
ofunreg-
isteredor
insecurecom
ponentsor
com-
ponentsw
ithoverly
broadrange
offunc-tions
Unregistered
components
hardlyrelevant
(physicalac-
cesscontrol);
anoverly
broadrange
offunctions
possibledespite
on-sitem
aintenance(m
ostlyno
remote
mainte-
nance);low
impact
(P:1-2,I:
1)
Unregistered
components
hardlyrelevantdue
tophysical
accesscontrol;
anoverly
broadrange
offunctions
possible;low
probabilitydue
tohighly
specializedcom
-ponents
(compared
tohom
earea)(P:1,I:2-3)
Due
toeasy
accessibilityofthe
substationsunregistered
com-
ponentscould
beinstalled;re-
gionalimpacts
(P:3-4,I:3-4)
Unregistered
components
areof
lowrelevance
dueto
phys-ical
accessprotection;
unusedbut
activesystem
functional-ities
arerelevant,
especiallyconsidering
remote
accessor
supportinterfaces
form
anu-facturers
(P:2-3,I:4)
Unused
butactive
systemfunctionalities
inthe
AM
Iheadend
leadto
anincreased
attacksurface
(P:2,I:2)
Table2:
ThreatA
ssessment(Part2).
Notice,the
threatcategoryand
anexem
plarythreatare
givenin
thefirsttw
ocolum
ns.Subsequentcolum
nscontain
thequantitative
andqualitative
assessments
resultsfor(P)robability
and(I)m
pactona
scalefrom
1to
5foreach
threatandperdom
ain.