STRIDE to a secure Smart Grid in a hybrid cloud Bojan Jelacic*, Daniela Rosic*, Imre Lendák*, Marina Stanojevic*, Sebastijan Stoja* *Faculty of technical sciences, University of Novi Sad, Serbia CyberICPS 2017 Oslo, 2017.09.15.
Overview Problem Definition Smart Grid ICS Architecture Risk Management Risk Analysis Migration to the Cloud Conclusion CyberICPS 2017 Oslo, 2017.9.15.
Problem definition Number of electricity consumers is continuously increasing. Existing energy networks are not able to supply this increasing demand without significant investments in infrastructure and automated computer systems. The migration to a computing cloud is a considerable challenge, both because of multiple decade-long reliance on closed and utility-owned computing resources and its possible impact on information security. This paper presents an migration proposal in witch current level of information security is preserved. CyberICPS 2017 Oslo, 2017.9.15.
Smart Grid ICS Architecture CyberICPS 2017 Oslo, 2017.9.15.
SCADA Subsystem Collects data from IEDs in order to monitor and control system OMS – component responsible for restoration of power NMS – component responsible for storing and providing access to a static network model of the power system. Contains information about the connectivity of the network EMS – performs calculations on the transmission and sub-transmission levels DMS – executes various analytical calculations on the subsystem for electricity distribution The Historian collects and records all changes in the system WOM – manages the work orders MDM – works with smart meters CyberICPS 2017 Oslo, 2017.9.15.
Criteria for Impact Levels Risk Management Criteria for Impact Levels CyberICPS 2017 Oslo, 2017.9.15.
Criteria for Likelihood Levels Risk Management Criteria for Likelihood Levels CyberICPS 2017 Oslo, 2017.9.15.
Risk Management Risk matrix CyberICPS 2017 Oslo, 2017.9.15. 8
Risk Analysis Security assessment of Smart Grid ICS components is performed by Microsoft’s Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege (STRIDE) methodology. Impact for each Smart Grid component is assessed and graded with one of the following levels: Low (L), Medium (M) and High (H). The likelihood is determined with one of the following levels: Very Likely (V), Moderate (M) and Rare (R). The risk (R) is determined according to the risk matrix. CyberICPS 2017 Oslo, 2017.9.15.
Analysis of DMS and EMS T Energy/Distribution Management System I L R S Using another user’s credentials can lead to unwanted calculation performing. If that user has high privilege, it can be dangerous. These subsystems are medium exposed to external systems and internet.The threat-source is highly motivated. M M Modification of data in the topology analysis and other calculations such as state estimation, load flow, short circuit calculation and other, can significantly affect the final results and system operations and could cause failure in these real time operations. DMS and EMS also uses measurements from SCADA, which integrity is very important. These subsystems are medium exposed to external systems and internet.The threat-source is highly motivated. M Each method inside EMS/DMS component has importance in functioning of the whole system, and in providing valid results. Repudiation of their execution is unacceptable.This subsystem is medium exposed to external systems and internet.The threat-source is motivated. L Violation of confidentiality represents a less risky scenario in regard to integrity and availability because DMS and EMSdataaren’t interesting in read only mode.This subsystem is medium exposed to external systems and internet.The threat-source is lacks motivated. D Practice has shown that the availability of SCADA is more critical.Violation of EMS availability can cause bad operations, but compared to SCADA, it doesn’t have same importance.Similarly to EMS, availability of DMS is important, but not as in SCADA. These subsystems are medium exposed to external systems and internet.The threat-source is highly motivated. E If unprivileged user gains high privileges in EMS/DMS unnecessary functions and other unwanted operations could be performed. These subsystems are medium exposed to external systems and internet. The threat-source is highly motivated. CyberICPS 2017 Oslo, 2017.9.15.
Migration to the Cloud Hybrid cloud is a composition of private and public/community cloud infrastructures that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability. Components should be deployed in the private cloud if their violation can lead to destroying the whole system, losing of human life, damaging to equipment or financial costs and the degree of risk is high. Otherwise, components should be moved to the community cloud. CyberICPS 2017 Oslo, 2017.9.15.
Proposed migration scenario Secure Smart Grid on a hybrid cloud CyberICPS 2017 Oslo, 2017.9.15.
Conclusions & future work Based on the results of the risk assessment, an optimal Smart Grid ICS cloud migration scenario was proposed. Future Work: Introduce other measures of the Smart Grid ICS, e.g. factoring in the cost of the necessary computing and storage capacities, the cost of IT departments maintaining the data centers. Focus on STRIDE analysis of the business and process subsystem. CyberICPS 2017 Oslo, 2017.9.15.
Summary This paper presents an STRIDE analysis of Smart Grid ICS. Aim was to identify the common elements of a Smart Grid ICS, perform their security assessment and based on that propose a migration scenario to a hybrid computing cloud. Key requirement while creating the proposed architecture was to maintain the existing level of information system security. In the proposed architecture, the components whose violation can lead to destroying the whole system, losing of human life, damaging to equipment or financial costs are deployed in the private cloud. Otherwise in the community cloud. CyberICPS 2017 Oslo, 2017.9.15.
CyberICPS 2017 Oslo, 2017.9.15.