1 Introduction and Background
1.1 Background
1.2 Problem Statement
1.3 Contribution
2 Theoretical Background
2.1 Semantic Models and Frameworks for Critical Infrastructure Cybersecurity
2.2 Reference Architecture for Smart Grid Cybersecurity
2.3 Dependence Analysis in Cyber-Physical Systems
3 Research Method
Research activity | Research output: Taxonomy | Research output: Analysis method | Research output: Instantiated reference model
---|---|---|---
Identify problem and motivate | Literature review | Literature review | Literature review
Define objectives of a solution | Literature review | Literature review | Contemporary practices review
Design and development | Literature review | Literature review | Contemporary practices review
Demonstration | Instantiation | Qualitative analysis | Case study
Evaluation | Instantiation | Instantiation | Case study, interview
Communication | To be published in an academic journal | To be published in an academic journal | To be published in an academic journal
4 Artifact I: Taxonomy for Critical Infrastructure Cybersecurity Analysis
4.1 Cyber-Physical System Semantics
4.2 Vulnerability-Driven Cybersecurity Semantics
5 Artifact II: Model-Based Dependence Analysis and Vulnerability Assessment Method
5.1 Cyber and Cyber-Physical Functional Dependence
5.2 Cascading Modeling and Criticality Analysis
5.3 Vulnerability Retrieval and Feature Allocation
6 Instantiating the Taxonomy in Power-Grid Reference Modeling
6.1 Public Internet and Other Networks
6.2 Office, Engineering, and Security Operating Center Network
6.3 Control Center Network
6.4 Substation Network
6.5 Power-Grid Substation
6.6 Data Asset Identification
6.6.1 Process Data and Process Control Data
6.6.2 Historical Analysis and Load-Prediction Data
6.6.3 Time-Synchronization Data
6.6.4 System Update Data and Configuration Data
6.6.5 Remote Login Data
6.6.6 Web Browsing Data and Mail Data
7 Validation and Application
7.1 Validation Metrics
- The structural metric measures semantic models along four dimensions: (i) whether an ontology has high cohesion, with strongly related classes and good domain coverage; (ii) whether an ontology is informative; (iii) whether an ontology provides support for formal relations; and (iv) whether an ontology involves multiple inheritance.
- The functional adequacy metric expects an ontology to have the following characteristics: (i) avoiding heterogeneous terms; (ii) providing consistent search and query; (iii) representing acquired knowledge clearly; and (iv) being usable to build other ontologies.
- The compatibility metric considers the performance of an ontology when adapted to different environments without additional actions other than those clarified by the ontology itself (i.e., adaptability).
- The coverage metric measures the range of concepts and relationships, which reflects how well the ontology represents the domain it models.
7.2 Case Study I
7.2.1 Instantiated Power-Grid Models
7.2.2 Model-Based Dependence Analysis and Cascade Modeling
7.2.3 Case Study II Using Real-World Municipal Power Grid
- The taxonomy could cover all components. Two new component types had to be added: one for a special balancing unit used to guarantee a common potential for the neutral power line, and a second to model circuit breakers with an embedded RTU. Later, we decided to use the "subcomponent" construct to model such integrated devices.
- We learned that subsystems such as the transformer stations all had the same design. This led to the addition of a duplication function in the network modeler to quickly create copies of a subsystem. The copy includes all internal components and their interconnections.
- The case study revealed that manual modeling of the power grid is rather time-consuming. Since the topology of the power grid is also stored in the SCADA system, we propose importing the model from there to minimize the manual effort and avoid transcription errors.
- The modeling of the software components led to similar conclusions about the coverage of the taxonomy. We learned that the control center made heavy use of virtualization, hence the hypervisor systems had to be modeled as containers of the guest operating systems, which in turn were modeled as containers of the application software.
- We did not model the data flows between the data center and the OT components because this information was not readily available.
- The information about different parts of the network model is scattered among different departments, and even among the vendors of the components. This is a major challenge in creating a complete and consistent network model.
7.3 Interviews with Cybersecurity Experts
7.3.1 Background
7.3.2 Interview Results
- (i) The semantic model provides a good overall picture of the system. The proposed artifacts provide a good overall visualization of the connections and dependencies between components. Vulnerability management of a complex and large-scale IT/OT infrastructure is challenging with respect to gaining a full and up-to-date overview of the vulnerability situation. Such an overview is needed because suppliers usually provide only heterogeneous documentation that is not easy to interpret. Interviewee C addressed that “there are thousands of different pieces of equipment and various traffic flows that are geographically widespread in real power grids that need to be modeled and visualized. Therefore, it is important to model all types of systems based on how they are actually structured.” In particular, asset information is decentralized across various asset-management systems. For example, a vulnerability scanner is utilized to automatically detect servers, open ports and their locations, as well as the applications embedded in these servers. Suppliers of CIs also provide some structured asset documentation that can be imported into the system inventory. Such asset information is stored “in several different data centers”, as stated by Interviewee C. Nevertheless, not all components are inventoried properly. This is exemplified by a quotation from Interviewee A that “asset management may be outdated and may not include all details of all the relevant components.” Interviewee D also commented that “our vulnerability scanners scan the system every day. Then once or twice a week we check the scanning results to check if anything unusual happens. We lack some kind of indication to automatically inform us of such a change. Therefore, I think this is very good to have an overview and to see which parts are more important if you are going to prioritize in some way or build away weaknesses where you see that these parts are critical and these are not so important for the operation.”
- (ii) The artifacts bring valuable insights for vulnerability assessment. The proposed artifacts can be used to find out which neighboring components are affected by updating a component, and to quickly look up configuration details that further aid system configuration, such as configuring the firewalls to allow only the communication that is necessary according to the data flows defined in the model. The artifacts can also be used to assess redundancy, such as duplicate transformers, and thus the resilience of the network against disruptions. Interviewee D summarized that “it is helpful to understand how to prioritize the endless amount of vulnerabilities that arise and always exist all the time.” Although there is no standard for the frequency of IT security report generation, vulnerability trends are observed systematically. If there are few changes to the vulnerability scores, then the updates can be relatively infrequent. However, when the maximum vulnerability score of a component jumps up, an alarm should be raised. Interviewee B also suggested “hourly updates and in addition event-based alarms” for vulnerability score updates.
- (iii) The instantiated tool is helpful in integrating IT and OT cybersecurity. Interviewee A said that “such a tool can provide a valuable service, not just for power grid companies but also for the suppliers who provide integrated solutions to the power grid companies. Suppliers could utilize such a tool to demonstrate the IT security of their various offerings to their customers.” The asset overview is distributed among multiple persons. Traditionally, different procedures are applied in managing IT and OT cybersecurity. The procedures for cybersecurity management stem from the IT side and are now gradually being applied to the OT network, although OT software and firmware are usually not updated automatically the way IT software is. The challenge with the OT network is that errors in patching the components lead to production breakdowns. Additionally, it is common for CI organizations to outsource some IT services to data centers and specialized companies. In such situations, it is harder for the CI companies to have a complete overview of the software components used for their operations. Interviewee D added that “we have different documentation systems and technicians who work with different parts of the systems, but we do have an IT operating partner who has a more complete control of the cybersecurity status of the organization.”
- (iv) Limitations of the current tool. Interviewee A pointed out that “one disadvantage of such a tool is the effort needed to keep it up to date.” Besides average severity, the tool should also show the components with the maximum vulnerability. Different decision makers should be able to use different metrics, depending on the goal of the decision making. “Besides, one should also support measuring the proximity of a component to the Internet and its attack surface”, as quoted from Interviewee A. Interviewee B gave a similar suggestion that “the metric that considers the criticality and vulnerability score is interesting as it combines the flow of commands between components with the vulnerability of the components. This metric can be normalized for further improvement.” Interviewee D thought that besides CVSS scores, it is also important to be able to review the system protection in depth, to know what services are exposed and how, and to work with the vulnerabilities in several layers, as “some vulnerabilities with the highest CVSS base scores do not get exposed at all and are less likely to be exploited, thus going down in the protection levels”.