Abstract

Critical infrastructures have been undergoing significant developments resulting from new economy- and society-driven trends and demands. In the energy supply, decentralization and digitalization are the key processes that push a significant amount of innovation and movement into the networking of many distributed energy systems based on information and operational technology. These advancements bring substantial benefits, but at the same time expose the underlying systems to a number of risks. In response, governments and sector-specific organizations have published a series of regulatory requirements and guidelines on cybersecurity for the industry and especially for critical infrastructures. This article describes a practical approach to conducting cybersecurity assessments for critical infrastructures in the form of an extended gap analysis. The goal is to develop a technique for analyzing gaps between the security measures already implemented and the recommendations formulated in the legal acts and standards for different critical infrastructure sectors. The methodology includes several assessment steps and layers to address a wide range of security controls of existing standards, taking into account the limitations of conducting such security analyses in the operational environment, especially of power supply systems. In addition, a possible automation strategy for the initial phase of the security assessment is presented, in which information about the assets under investigation is collected and the appropriate security measures are identified. The presented approach has been developed and practically tested for a digital substation of a local German energy grid operator.
