When Security Risk Assessment Meets Advanced Metering Infrastructure: Identifying the Appropriate Method

Abstract

Leading risk assessment standards such as the NIST SP 800-39 and ISO 27005 state that information security risk assessment (ISRA) is one of the crucial stages in the risk-management process. It pinpoints current weaknesses and potential risks, the likelihood of their materializing, and their potential impact on the functionality of critical information systems such as advanced metering infrastructure (AMI). If the current security controls are insufficient, risk assessment helps with applying countermeasures and choosing risk-mitigation strategies to decrease the risk to a controllable level. Although studies have been conducted on risk assessment for AMI and smart grids, the scientific foundations for selecting and using an appropriate method are lacking, negatively impacting the credibility of the results. The main contribution of this work is identifying an appropriate ISRA method for AMI by aligning the risk assessment criteria for AMI systems with the ISRA methodologies’ characteristics. Consequently, this work makes three main contributions. First, it presents a comprehensive comparison of multiple ISRA methods, including OCTAVE Allegro (OA), CORAS, COBRA, and FAIR, based on a variety of input requirements, tool features, and the type of risk assessment method. Second, it explores the necessary conditions for carrying out a risk assessment for an AMI system. Third, these AMI risk assessment prerequisites are aligned with the capabilities of multiple ISRA approaches to identify the best ISRA method for AMI systems. The OA method is found to be the best-suited risk assessment method for AMI, and this outcome paves the way to standardizing this method for AMI risk assessment.