On Monday 29th September 2014, SPARKS held a joint workshop with the nationally-funded Smart Grid Security Guidance (SG)2 project on the topic of cybersecurity risk assessment for smart grid. The workshop took place in conjunction with the Communications for Energy Systems (ComForEn) Symposium. The aim of the workshop was to present and get feedback on the results from the (SG)2 project, and to discuss the challenges and necessary future research directions for risk assessment in smart grid, which could be addressed in SPARKS.
After introducing an overview of the two projects to the workshop attendees, the programme focused on identifying the challenges of realizing a risk assessment for smart grid. It was highlighted that the core challenge of risk assessment is rigorously assessing the probability that an attack could lead to a failure, i.e., the probability of an attacker’s success, and the impact that could have. Attendees were asked to break out into smaller groups and discuss their views. In an open discussion, the following challenges were identified:
- Physical-attacks vs. cyber-attacks: the smart grid is a cyber-physical system, consequently an assessor has to reconcile the relative importance and impact of cyber versus physical attacks.
- Unpatchable weaknesses: it may not always be possible to remedy known security vulnerabilities in a smart grid, e.g., because of the presence of legacy equipment. The risks from such systems should be assessed and managed.
- Subjectivity of assessors: risk assessment is primarily concerned with understanding the probability of a failure (caused by a cyber-attack) and its impact. Often this assessment is carried out by experts, which may result in subjective bias being introduced to an assessment.
- The past is not the same as the future: the probability of incidents occurring that are based on component failures can be assessed using well-understood failure probability models. However, despite the presence of threat intelligence data, past incidents might not be a good indicator of future trends.
- System complexity: the smart grid is a complex system of systems, which relies on the correct function of many systems and organizations. This complexity makes risk assessment challenging, e.g., understanding cascading effects caused by complex dependencies.
- Customer access and acceptance: a lack of customer acceptance, e.g., as a result of a cyber-attack or invasion of privacy, may result in an impact to the operation of the grid. Techniques for evaluating this risk need to be considered.
- Responsibility for implementing assessments: the smart grid involves a number of stakeholders, such as Distribution System Operators (DSOs), energy suppliers, equipment manufacturers and consumers. It is not clear who should be responsible for risk assessment in this context, and how their findings could relate to each other.
In the SPARKS project, we have similarly considered the key challenges to implementing a risk assessment for smart grid. Many of our thoughts were echoed in the discussions at the workshop. Specifically, the project has been considering the challenges of safety and security co-analysis, including the potential benefits of implementing cybersecurity assessments into existing safety analysis workflows, and analyzing the physical impact of attacks with support from novel simulation tools. Furthermore, in a similar manner to the workshop participants, we identified system and organizational complexity and dependencies, along with the risks associated with legacy systems, as being important challenges to address when implementing a risk assessment in this context. In addition, we identified the challenge of analyzing potential cascading effects from attacks, as their impact is felt across cyber-physical sub-systems.
Following on from this discussion, results from the (SG)2 project were presented and discussed. The results that were discussed are twofold: (1) the outcomes of a risk assessment of an architectural model and key components of the Austrian smart grid; and (2) a set of protection measures that can be applied to mitigate the highest risks. Dr Lucie Langer from AIT Austrian Institute of Technology discussed the process that was followed by the project to implement the risk assessment and its key findings. For example, she highlighted how risks associated with the poor authentication and authorization of components in secondary substations could have significant impact on the smart grid.
A number of the risks identified in the (SG)2 project can be mitigated using some of the key security technologies that are being investigated in the SPARKS project. These technologies were briefly introduced to the workshop participants, including SCADA-specific intrusion detection systems, novel security analytics approaches, smart meter (gateway) authentication approaches based on physical unclonable functions (PUFs), and resilient control systems. These technologies will be evaluated on the project’s three demonstration sites; the aim is to show their ability to address cyber-attacks on the smart grid. To help us identify the attacks that our technologies can address, we have examined the EPRI National Electric Sector Cybersecurity Organization Resource (NESCOR) failure scenarios — a catalogue of cyber-attack scenarios for different sub-systems of a smart grid, such as the Advanced Metering Infrastructure (AMI) or Distributed Energy Resources (DER).
In the workshop, we were interested in ranking the importance of the NESCOR scenarios that we plan to use to evaluate our technologies, and illustrating the need for the risk assessment research that we are doing. To do this we carried out a simple risk assessment with the participants. The risk associated with a scenario can be evaluated using two measures: the impact of an attack, e.g., in terms of the number of customers affected or damage to equipment, and the cost to an adversary, e.g., related to attack complexity and financial cost. Each of these measures can be assigned a value of 0 (0.1), 1, 3, 7 or 9, with the risk being determined by dividing them. Participants worked in pairs to carry out the assessment. Subsequently, the values the participants assigned to the impact and cost parameters were discussed, along with a justification. In a number of cases the risk values that were assigned varied significantly for the same scenario, despite the participants having apparently sound justification for their scores. It was pointed out to the workshop participants that the way they implemented their risk assessment often represents the state-of-practice. This simple exercise highlighted the need for the systematic and repeatable risk assessment methods, which minimize subjective bias, that are being investigated in the SPARKS project.
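The scoring exercise described above, sketched as an added example (it is not the workshop worksheet or SPARKS project code). It assumes that risk is impact divided by adversary cost and that 0.1 stands in for a score of 0 so the ratio stays defined; the scenario labels, the scores and the disagreement threshold are constructed for illustration.

```python
from statistics import median

SCALE = {0, 1, 3, 7, 9}   # scores allowed for impact and adversary cost
ZERO_SUBSTITUTE = 0.1     # assumed meaning of "0 (0.1)": a 0 is computed as 0.1


def _value(score):
    """Map a worksheet score onto the number used in the ratio."""
    if score not in SCALE:
        raise ValueError(f"score {score!r} is not on the scale {sorted(SCALE)}")
    return ZERO_SUBSTITUTE if score == 0 else float(score)


def risk(impact, cost):
    """Risk as impact divided by adversary cost (assumed direction of the division)."""
    return _value(impact) / _value(cost)


def assess(worksheet, spread_limit=3.0):
    """Rank scenarios by median risk and flag those where assessors disagree.

    worksheet: {scenario: [(impact, cost), ...]}, one tuple per assessor pair.
    A scenario is 'contested' when its highest risk value exceeds its lowest
    by more than spread_limit (a hypothetical threshold, not from the workshop).
    """
    rows = []
    for scenario, pairs in worksheet.items():
        risks = sorted(risk(i, c) for i, c in pairs)
        spread = risks[-1] / risks[0]
        rows.append({
            "scenario": scenario,
            "median": median(risks),
            "spread": spread,
            "contested": spread > spread_limit,
        })
    return sorted(rows, key=lambda r: r["median"], reverse=True)


# Constructed scores from three assessor pairs; labels are placeholders,
# not NESCOR scenario identifiers.
WORKSHEET = {
    "scenario-A": [(9, 3), (7, 3), (9, 3)],   # close agreement
    "scenario-B": [(9, 1), (3, 7), (7, 3)],   # same scenario, very different views
    "scenario-C": [(3, 0), (1, 9), (3, 7)],   # a cost of 0 dominates the ratio
}

if __name__ == "__main__":
    for row in assess(WORKSHEET):
        print(row)
```

Because the measure is a ratio on a coarse scale, a one-step change in either score moves the result by a large factor, which is why the spread is reported as max/min rather than as a difference.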
In a final session, the immediate road ahead for the SPARKS project’s risk assessment activities was discussed. As a first step we will evaluate the suitability of the widely-advocated Smart Grid Information Security (SGIS) toolbox with respect to the challenges that have been identified in the project, and by the stakeholders present at the workshop. This exercise will help us to focus on the most important problems for smart grid stakeholders. Furthermore, we propose to exercise the assessment methods that we will develop by carrying out a risk assessment for one of the project’s demonstrator sites — the outcomes from this exercise will be presented at our second stakeholder workshop, which is scheduled to take place in March 2015. If you are interested in further details about our risk assessment activities in SPARKS, please feel free to get in touch.
The slides from the workshop can be found below:
- Introduction to the (SG)2 and SPARKS projects
- The challenges of risk assessment for smart grid
- (SG)2 results on cybersecurity risks and protection measures for smart grid
- SPARKS security technologies and the NESCOR cybersecurity failure scenarios
The worksheets that we used for evaluating the NESCOR failure scenarios can be found here.