• Keine Ergebnisse gefunden

Risk-based Selection of Mitigation Strategies for Cybersecurity of Electric Power Systems


Academic year: 2022


(1)

Alessandro Mancuso (1,2), Piotr Żebrowski (3) and Aitor Couce Vieira (4)

1 Politecnico di Milano (Italy), 2 Aalto University (Finland), 3 International Institute for Applied Systems Analysis, 4 Institute of Mathematical Sciences (Spain)

SRA-E 2019 conference 26 June 2019, Potsdam

(2)

Outline

• Introduction
• Standard practice and its deficiencies
• Probabilistic multi-dimensional risk assessment
• Portfolio optimization
• Summary

(3)

Introduction

Motivation:
• Extensive reliance on IT systems makes electric power grids vulnerable to cyber threats
• Impacts could be massive: the cyber attack on Ukrainian power grids in 2015 resulted in a power outage for 225 000 customers lasting up to six hours

Objective:
Selection of the optimal portfolios of security measures that reduce the susceptibility of power grids to cyber attacks.

(4)

Standard practice: a cyber threat scenario (Attack tree) as basic unit of analysis

Source: Lee, A., 2015. Analysis of selected electric sector high risk failure

(5)

Standard practice: impact assessment

• 14 impact criteria (dimensions)
• Score values in set {0, 1, 3, 9}
• Composite impact score $\sum_{k=1}^{14} IS_k$

Source: Lee, A., 2015. Electric sector failure scenarios and impact analyses. National Electric Sector Cybersecurity Organization Resource (NESCOR) Technical Working Group 1.

(6)

Standard practice: likelihood assessment

• 5 impact criteria
• Score values in set {0, 1, 3, 9}
• Composite likelihood score $\sum_{j=1}^{5} LS_j$

Source: Lee, A., 2015. Electric sector failure scenarios and impact analyses. National Electric Sector Cybersecurity Organization Resource (NESCOR) Technical Working Group 1.

(7)

Standard practice: threats prioritization

[Flowchart elements: composite likelihood score $\sum_{j=1}^{5} LS_j$ and composite impact score $\sum_{k=1}^{14} IS_k$; Risk Matrix; "Apply security measures to reduce risk of cyber threat scenarios"; decision "Is budget depleted?" with branches "Yes: Done!" and "No".]

(8)

Proposed improvements

Standard practice -> Our framework:
• Analysis of individual threat scenarios -> Integrated analysis of multiple threat scenarios
• Aggregated composite impact score -> Multiple impact dimensions
• Likelihood score -> Probabilistic model of cyber attacks

(9)

Case study: improving security of Advanced Metering Infrastructure (AMI)

Security issues:
• AMI introduces a large number of devices in widely dispersed and potentially insecure customer sites
• AMI allows for two-way communication with traditionally self-contained power systems.

Focus:
• 8 cyber threat scenarios with the highest priority for AMI systems
• 7 relevant impact dimensions considered (out of a total of 14 impact criteria considered in the standard approach).

(10)

From individual attack graphs to integrated picture

"Reverse engineering of AMI equipment allows unauthorized mass control"

"Invalid disconnect messages to meters impact customers and utility"

(11)

Graph of integrated attack scenarios


Chance nodes: events in cyber threat scenarios

Impact nodes: dimensions of cyberattack impacts

Arcs: causal dependencies

(12)

Probabilistic Risk Assessment with Bayesian Network

Turning the integrated attack graph into a Bayesian Network:

• Attach a conditional probability table (CPT) to each node to represent the occurrence probabilities of the corresponding event given the state of the nodes on which it directly depends
• CPTs can be derived from: structure of attack graph (0-1 logical links), historical observations or expert judgements

For each impact dimension we define risk as:

$Risk_I = \text{expected impact } I = \sum_{i \in I_L} i \times P(I = i)$

where $I_L$ is the set of possible levels of impact $I$.

(13)

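BN: a toy example

Chance nodes A, B, C and impact node I, with conditional probability tables:

A: $\mathbb{P}(A) = 0.4$, $\mathbb{P}(\bar{A}) = 0.6$

B: $\mathbb{P}(B \mid A) = 0.8$, $\mathbb{P}(B \mid \bar{A}) = 0.1$, $\mathbb{P}(\bar{B} \mid A) = 0.2$, $\mathbb{P}(\bar{B} \mid \bar{A}) = 0.9$

C: $\mathbb{P}(C \mid A, B) = 0.9$, $\mathbb{P}(C \mid A, \bar{B}) = 0.6$, $\mathbb{P}(C \mid \bar{A}, B) = 0.2$, $\mathbb{P}(C \mid \bar{A}, \bar{B}) = 0$; $\mathbb{P}(\bar{C} \mid A, B) = 0.1$, $\mathbb{P}(\bar{C} \mid A, \bar{B}) = 0.4$, $\mathbb{P}(\bar{C} \mid \bar{A}, B) = 0.8$, $\mathbb{P}(\bar{C} \mid \bar{A}, \bar{B}) = 1$

I: $I(C) = 9$, $I(\bar{C}) = 0$

$\mathbb{P}(A) = 0.4$

$\mathbb{P}(B) = \mathbb{P}(B \mid A) \cdot \mathbb{P}(A) + \mathbb{P}(B \mid \bar{A}) \cdot \mathbb{P}(\bar{A}) = 0.8 \cdot 0.4 + 0.1 \cdot 0.6 = 0.38$

$\mathbb{P}(C) = \mathbb{P}(C \mid A, B) \cdot \mathbb{P}(A) \cdot \mathbb{P}(B) + \mathbb{P}(C \mid A, \bar{B}) \cdot \mathbb{P}(A) \cdot \mathbb{P}(\bar{B}) + \mathbb{P}(C \mid \bar{A}, B) \cdot \mathbb{P}(\bar{A}) \cdot \mathbb{P}(B) + \mathbb{P}(C \mid \bar{A}, \bar{B}) \cdot \mathbb{P}(\bar{A}) \cdot \mathbb{P}(\bar{B}) = 0.348$

$E[I] = \mathbb{P}(C) \cdot I(C) + \mathbb{P}(\bar{C}) \cdot I(\bar{C}) = 0.348 \cdot 9 + 0.652 \cdot 0 = 3.132$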

(14)

Options for risk reduction

Index  Security measure
1  Train personnel on possible paths for infection
2  Maintain patches and anti-virus
3  Test for malware before connection
4  Implement configuration management
5  Verify all firewall changes
6  Require intrusion detection and prevention
7  Require authentication to access firewall
8  Conduct penetration testing periodically
9  Train personnel on social engineering attacks
10  Strong passwords
11  Encrypt communication paths
12  Protect against replay
13  Strong security questions
14  Require multi-factor authentication
15  Use a token with PIN
16  Limit individuals with privilege
17  Isolate network
18  Enforce restrictive firewall rules
19  Require authentication to access network
20  Remove unsecure development features
21  Include credentials in equipment design
22  Configure for least functionality

• Each security measure is applied to a specific chance node

(15)


(16)

• Each security measure is applied to a specific chance node
• It reduces the occurrence probability of the event a node represents
• Bayesian Networks enable probability updates on the cascading events of the cyber threat scenarios.


(17)

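Chance nodes A, B, C, impact node I and security measure S, with conditional probability tables:

A: $\mathbb{P}(A) = 0.4$, $\mathbb{P}(\bar{A}) = 0.6$

S: $\mathbb{P}(A) = 0.2$, $\mathbb{P}(\bar{A}) = 0.8$

B: $\mathbb{P}(B \mid A) = 0.8$, $\mathbb{P}(B \mid \bar{A}) = 0.1$, $\mathbb{P}(\bar{B} \mid A) = 0.2$, $\mathbb{P}(\bar{B} \mid \bar{A}) = 0.9$

C: $\mathbb{P}(C \mid A, B) = 0.9$, $\mathbb{P}(C \mid A, \bar{B}) = 0.6$, $\mathbb{P}(C \mid \bar{A}, B) = 0.2$, $\mathbb{P}(C \mid \bar{A}, \bar{B}) = 0$; $\mathbb{P}(\bar{C} \mid A, B) = 0.1$, $\mathbb{P}(\bar{C} \mid A, \bar{B}) = 0.4$, $\mathbb{P}(\bar{C} \mid \bar{A}, B) = 0.8$, $\mathbb{P}(\bar{C} \mid \bar{A}, \bar{B}) = 1$

I: $I(C) = 9$, $I(\bar{C}) = 0$

With $\mathbb{P}(A) = 0.4$:

$\mathbb{P}(B) = \mathbb{P}(B \mid A) \cdot \mathbb{P}(A) + \mathbb{P}(B \mid \bar{A}) \cdot \mathbb{P}(\bar{A}) = 0.8 \cdot 0.4 + 0.1 \cdot 0.6 = 0.38$

$\mathbb{P}(C) = \mathbb{P}(C \mid A, B) \cdot \mathbb{P}(A) \cdot \mathbb{P}(B) + \mathbb{P}(C \mid A, \bar{B}) \cdot \mathbb{P}(A) \cdot \mathbb{P}(\bar{B}) + \mathbb{P}(C \mid \bar{A}, B) \cdot \mathbb{P}(\bar{A}) \cdot \mathbb{P}(B) + \mathbb{P}(C \mid \bar{A}, \bar{B}) \cdot \mathbb{P}(\bar{A}) \cdot \mathbb{P}(\bar{B}) = 0.348$

$E[I] = \mathbb{P}(C) \cdot I(C) + \mathbb{P}(\bar{C}) \cdot I(\bar{C}) = 0.348 \cdot 9 + 0.652 \cdot 0 = 3.132$

With $\mathbb{P}(A) = 0.2$:

$\mathbb{P}(B) = \mathbb{P}(B \mid A) \cdot \mathbb{P}(A) + \mathbb{P}(B \mid \bar{A}) \cdot \mathbb{P}(\bar{A}) = 0.8 \cdot 0.2 + 0.1 \cdot 0.8 = 0.24$

$\mathbb{P}(C) = \mathbb{P}(C \mid A, B) \cdot \mathbb{P}(A) \cdot \mathbb{P}(B) + \mathbb{P}(C \mid A, \bar{B}) \cdot \mathbb{P}(A) \cdot \mathbb{P}(\bar{B}) + \mathbb{P}(C \mid \bar{A}, B) \cdot \mathbb{P}(\bar{A}) \cdot \mathbb{P}(B) + \mathbb{P}(C \mid \bar{A}, \bar{B}) \cdot \mathbb{P}(\bar{A}) \cdot \mathbb{P}(\bar{B}) = 0.184$

$R[I] = \mathbb{P}(C) \cdot I(C) + \mathbb{P}(\bar{C}) \cdot I(\bar{C}) = 0.184 \cdot 9 + 0.816 \cdot 0 = 1.656$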
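The toy calculation above, reproduced by enumerating the joint distribution (an added example, not code from the presentation). It assumes the arc structure A -> B, (A, B) -> C implied by the tables, and weights each (A, B) state by the table entries, i.e. P(A) times P(B given A), which is what yields 0.348 and 0.184.

```python
from itertools import product

# Toy network from the slides: A -> B, (A, B) -> C, impact I depends on C.
# Each CPT maps a tuple of parent states to P(node = True | parents).
PARENTS = {"A": (), "B": ("A",), "C": ("A", "B")}
CPT = {
    "A": {(): 0.4},
    "B": {(True,): 0.8, (False,): 0.1},
    "C": {(True, True): 0.9, (True, False): 0.6,
          (False, True): 0.2, (False, False): 0.0},
}
IMPACT = {True: 9, False: 0}    # impact level of I given the state of C
MEASURE_S = {"A": {(): 0.2}}    # measure S lowers P(A) from 0.4 to 0.2


def joint(cpt):
    """Yield (assignment, probability) for every joint state of the network."""
    order = list(PARENTS)       # insertion order is already topological
    for states in product((True, False), repeat=len(order)):
        world = dict(zip(order, states))
        p = 1.0
        for node in order:
            p_true = cpt[node][tuple(world[q] for q in PARENTS[node])]
            p *= p_true if world[node] else 1.0 - p_true
        yield world, p


def marginal(node, cpt=CPT):
    """Probability that the event represented by `node` occurs."""
    return sum(p for world, p in joint(cpt) if world[node])


def expected_impact(cpt=CPT):
    """Risk of the impact dimension: sum of impact level times probability."""
    return sum(p * IMPACT[world["C"]] for world, p in joint(cpt))


def apply_measures(*measures):
    """Return a copy of the CPTs with each measure's replacement tables."""
    cpt = dict(CPT)
    for measure in measures:
        cpt.update(measure)
    return cpt
```

Because a measure only replaces the table of the node it is applied to, the reduction propagates to B, C and the impact node through the same enumeration.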

(18)

Portfolio of security measures

• A portfolio is a combination of security measures, represented by a binary vector $z$ such that $z_a = 1$ iff security measure $a$ belongs to the portfolio.
• A portfolio must satisfy budget and technical constraints:

Budget: $\sum_a z_a \cdot c_a \le B$

Risk acceptability: $\sum_s \mathbb{P}[X = s \mid z] \le \varepsilon$

Mutually exclusive: $z_{a'} + z_{a''} \le 1$

Mutually inclusive: $z_{a'} - z_{a''} = 0$

(19)

Goal: to find Pareto-optimal portfolios

A portfolio is Pareto-optimal if there is no other feasible portfolio that further reduces the risk in any impact dimension $I_k$ without increasing the risk in any other dimension.

$z^* \succ z \iff \begin{cases} R[I_k](z^*) \le R[I_k](z) & \text{for all } k \\ R[I_k](z^*) < R[I_k](z) & \text{for some } k \end{cases}$

[Figure: Pareto-optimal solutions and dominance relations ($\succ$, $\nsucc$), plotted over risk dimension 1 and risk dimension 2]

(20)

Computing the set of Pareto-optimal portfolios (Pareto front)

Input:
• Set of security measures
• Budget and technical constraints

Method: Implicit enumeration algorithm (Mancuso et al. 2019)
• Computationally efficient: intelligent search over $2^N$ portfolios, explores only the subspace containing good candidates for Pareto-optimal portfolios
• Scalability: time-consuming for large portfolios of security measures (>40)

(21)

Risk profiles (envelope of Pareto front)

[Figure: risk profiles; axis labels: RISKS, BUDGET]

(22)

Picking a Pareto-optimal portfolio

• Set of Pareto-optimal portfolios is large
• Possible guidance offered by the core index (Liesiö et al. 2008):

$CI(a) = \frac{\text{No. of Pareto-optimal portfolios containing } a}{\text{No. of all Pareto-optimal portfolios}}$

• Interpretation: high $CI(a)$ implies that $a$ belongs to the core, i.e., the subset of measures shared by all Pareto-optimal portfolios (for given constraints).
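The portfolio constraints, the dominance relation and the core index from the preceding slides, tied together in an added example (not the authors' code). It uses brute-force enumeration rather than the implicit enumeration algorithm the slides cite, takes the cost vector and budget from the "Optimization algorithm" slide, and assumes a constructed two-dimensional risk model and a constructed mutually exclusive pair.

```python
from itertools import product

# Cost vector and budget from the "Optimization algorithm" slide.
COSTS = [30, 40, 30, 20, 50, 20, 60, 40, 30, 50]
BUDGET = 100
# Constructed for illustration (not from the slides): baseline risk in two
# impact dimensions and the factor each measure multiplies them by.
BASE_RISK = (3.0, 2.0)
FACTORS = [(0.7, 1.0), (0.9, 0.6), (1.0, 0.8), (0.85, 0.9), (0.5, 0.9),
           (0.95, 0.95), (0.6, 0.5), (0.8, 1.0), (1.0, 0.7), (0.75, 0.75)]
EXCLUSIVE = [(0, 4)]  # constructed pair with z_a' + z_a'' <= 1


def feasible(z):
    """Budget constraint plus the mutually exclusive pairs."""
    cost = sum(c for c, on in zip(COSTS, z) if on)
    return cost <= BUDGET and all(z[a] + z[b] <= 1 for a, b in EXCLUSIVE)


def feasible_portfolios():
    return [z for z in product((0, 1), repeat=len(COSTS)) if feasible(z)]


def risks(z):
    """Risk per impact dimension, R[I_k](z), under the constructed model."""
    out = list(BASE_RISK)
    for on, factor in zip(z, FACTORS):
        if on:
            out = [r * f for r, f in zip(out, factor)]
    return tuple(out)


def dominates(r1, r2):
    """r1 is no worse in every dimension and strictly better in one."""
    return (all(a <= b for a, b in zip(r1, r2))
            and any(a < b for a, b in zip(r1, r2)))


def pareto_front():
    cands = {z: risks(z) for z in feasible_portfolios()}
    return {z: r for z, r in cands.items()
            if not any(dominates(other, r) for other in cands.values())}


def core_index(front):
    """Share of Pareto-optimal portfolios that contain each measure."""
    return [sum(z[a] for z in front) / len(front) for a in range(len(COSTS))]
```

With 10 measures the full search covers 1024 portfolios, which is why exhaustive enumeration is workable here but not at the sizes the scalability bullet mentions.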

(23)

Core index map for selection of security measures


(24)

Summary

• Quantitative extension of qualitative standard practice
• Systemic perspective:
  o Different threat scenarios analysed jointly
  o Different risk dimensions represented explicitly
  o Taking advantage of synergies between mitigation actions
• Probabilistic approach:
  o Natural representation of likelihoods, framework for rigorous likelihood calculus
  o Bayesian Network:
    ▪ Probabilistic model of cascading events leading to successful cyber attacks
    ▪ Conditional probabilities: tractable and (relatively) easy to estimate
    ▪ Allows calculating the contribution of portfolios of security measures to the reduction of risks
• Risks understood as expected impacts
• Optimization
  o Multi-objective
  o Representation of budget and technical constraints
  o Efficient algorithm for computing the set of Pareto-optimal portfolios of mitigation actions

(25)

Thank you for your attention!

Questions?

Piotr Żebrowski, IIASA, Advanced Systems Analysis program, zebrowsk@iiasa.ac.at

(26)

Optimization algorithm

The selection of Pareto optimal portfolios is performed through an implicit enumeration algorithm.

Cost vector: 30 40 30 20 50 20 60 40 30 50
Budget = 100

[Figure: binary portfolio vectors (1 0 0 0 0 0 0 0 0 0; 1 1 0 0 0 0 0 0 0 0; 1 1 1 0 0 0 0 0 0 0; 1 1 0 1 0 0 0 0 0 0; 1 1 0 1 0 1 0 0 0 0) with the annotations "Saving 27 portfolio evaluations!" and "Saving 24 portfolio evaluations!"]
