Abstract
The electricity grid is an important critical infrastructure that is undergoing major changes, due to the Internet of Things (IoT) and renewable energy, heading towards the smart grid. However, besides the many good promises of the smart grid, such as better peak control, cheaper maintenance, and more open energy markets, there are many new security threats evolving, especially from the IoT side, and also from the diversification of the systems and practices that the smart grid brings. We thus see the need for more light-weight and dynamic methods for conducting security analyses of systems applicable at (re)design time, intended to help system engineers build secure systems from the start. As a consequence, the methods should also look more at the functionalities (exposure/protection) of the system than at the possible attacks.
In this paper we propose a methodology called Smart Grid Security Classification (SGSC) developed for complex systems like the smart grid, focusing on the specifics of Advanced Metering Infrastructure (AMI) systems. Our methodology is built upon the Agence nationale de la sécurité des systèmes d’information (ANSSI) standard methodology for security classification of general Information and Communication Systems (ICS). Analyses performed following our method easily translate into ANSSI valid reports. Our SGSC is related to methods of risk analysis, with the difference that our classification method has the purpose of assigning a system to a security class, based on (combinations of) scores given to the various exposure aspects of the system and the respective protection mechanisms implemented, without looking at attackers.
There are multiple uses of SGSC: it offers indications to decision-makers about the security aspects of a system and supports decisions on purchasing strategies, it lets regulatory bodies certify various complex infrastructure systems, and it helps system/security designers choose more easily the correct functionalities that would allow them to reach a desired level of security. Particularly useful for smart grid systems is the discussion and mapping that we do of the SGSC methodology to a complex AMI infrastructure description derived from real deployments being done in ongoing Norwegian smart grid upgrades.
Highlights
With the increase of population and advancement of technology, the demand for energy is increasing.
We focus on the distribution part of the smart grid, and in particular on the Advanced Metering Infrastructure (AMI), and we omit the details about the generation and transmission parts.
We evaluate a system’s security on the basis of security criteria presented below, derived from guidelines provided by widely used sources such as ISO 27002, the Open Web Application Security Project (OWASP), ENISA, and best-practice guides for the Internet of Things (IoT) from the Cloud Security Alliance (CSA) and the Industrial Internet Consortium (IIC) [23,24].
Summary
In this paper we propose a methodology called Smart Grid Security Classification (SGSC) developed for complex systems like the smart grid, focusing on the specifics of Advanced Metering Infrastructure (AMI) systems. Our SGSC is related to methods of risk analysis, with the difference that our classification method has the purpose of assigning a system to a security class, based on (combinations of) scores given to the various exposure aspects of the system and the respective protection mechanisms implemented, without looking at attackers. Useful for smart grid systems is the discussion and mapping that we do of the SGSC methodology to a complex AMI infrastructure description derived from real deployments being done in ongoing Norwegian smart grid upgrades.