21, rue d’Artois, F-75008 PARIS http : //www.cigre.org
Paper number D2-107
CIGRE 2012
Cyber attack modelling and security graded approach: key elements when designing security architecture for Electric Power Utilities (EPUs) JENS ZERBST, L. PIETRE-CAMBACEDES, G. DONDOSSOLA, J. McDONALD, M. EKSTEDT, ÅGE TORKILSENG Vattenfall, Électricité de France (EDF), RSE, Électricité de France (EDF), KTH, SKS Sweden, France, Italy, France, Sweden, Norway
SUMMARY The multiplication of access interfaces and technologies in Electric Power Utilities (EPUs) communication architectures and the smart grid developments, which will enable numerous new services with new traffic patterns, will change radically both network accesses and core architectures. This evolution could introduce new vulnerabilities to the reliability of electricity supply, based on the introduction and exposure of vulnerabilities in digital systems, architectures, and communications. This situation calls for new security requirements for digital systems and underlying architecture used in EPUs. Security requirements have to be derived from appropriate risk assessments and general architectural decisions. Numerous existing cyber security standards provide guidance and use-cases which represent valuable inputs for the development of such requirements. The proliferation of standards suggests, however, that the existing documents either do not meet completely the needs of EPUs or are difficult to combine together. This paper focuses on two weak points of the existing cyber security standards in the area. Initially, the paper addresses the characterization, categorization and modeling of malicious cyber threats, which represent key steps in a risk assessment process. The paper presents a conceptual model expressing the meaning and the links between the key concepts of cyber security risks. Following this, the work examines attack modeling, addressing some pertinent technical and architectural issues. In addition, the paper explains why attack modeling is central to risk assessment and present graphical approaches to attack modeling. The second part the paper addresses the use of security architecture principles, notably the graded security approach as a fundamental framework to classify and structure a process of risk mitigation by security controls in both current and future EPU architectures. This discussion starts with the clarification of the terminology related to a graded security approach and then gives a general overview of the characteristics of known standards and best practices of graded security architectures. Following this, the paper presents an outlook of classification criteria to enable the implementation of a graded security approach in a real world environment and then illustrates the effectiveness and adaptability of a graded security approach in a real-world attack case.
KEYWORDS SMART GRID APPLICATIONS, CYBER RISK ASSESSMENT, GRAPHICAL ATTACK MODELLING, GRADED SECURITY APPROACH, ZONE MODEL, DEFENSE IN DEPTH, CYBER SECURITY, SECURITY ARCHITECTURE
1
1
BACKGROUND
Electricity production, transmission, and distribution operations are increasingly dependent on digital systems, information systems and communication networks. For instance, the development of smart grids and their numerous new services will rely on new types of automation, new traffic patterns and will therefore radically change network accesses, core architectures and the use of digital systems. This evolution, at the same time, could introduce vulnerability to the assurance of reliability of electricity supply, resulting from the introduction and exposure of vulnerabilities in digital systems, architectures, and communications. Real-world examples, like the malicious code Stuxnet [1] or dedicated attacks on Industrial Automation and Control Systems (IACS), have shown, that the active exploitation of vulnerabilities in digital systems remains no longer a theoretical notion, but instead represents a possible outcome of targeted attacks today.
2
PURPOSE OF THE PAPER
This situation calls for new security requirements for digital systems and underlying architecture in Electric Power Utilities (EPUs). Security requirements have to be derived from appropriate risk assessments and general architectural decisions. Numerous cyber security existing standards provide guidance and use-cases which represent valuable inputs for the development of such requirements. The analysis of the existing documents has revealed that cyber security standards for the energy grids have to cover organisational and technical issues, including security architectures and protocols. The proliferation of standards suggests, however, that the existing documents either do not meet completely the needs of EPUs or are difficult to combine together. This paper focuses on two specific areas of the existing cyber security standards and treats each in details. Accordingly, the paper is split into two parts. In the first part, the work addresses the role of modelling cyber attacks in managing the complexity of cyber risks in grid control systems. Ongoing research on cyber risk evaluation methodologies have underlined the need to correlate the numerous pertinent aspects (i.e. security requirements, motivated threats, asset vulnerabilities, organisational and architectural security countermeasures, combined attack techniques, multi-step attack processes) in order to determine the possibility of success of a given intentionally malicious action and to judge its impact on the control system and its final impact on the power service. The contribution proposed in the paper focuses on the building of appropriate attack models which can correlate complex intrusion processes with control system architectures and countermeasures. The second part of the paper investigates the concepts of graded security approach and security zoning. A growing number of industrial standards (e.g. [2], [3], [4], [5], [6]), regulations (e.g. [7]), best practices (e.g. [8]), and architecture blue prints, require or recommend graded security approaches as a security architecture methodology. Unfortunately, the graded security approach descriptions found in these different documents are not aligned and rely on different taxonomies, scopes and objectives. This high degree of variations in standards, best practices and regulations can lead, in practice, to challenges in regards to conformity, application and implementations.
3
MODELING OF CYBER ATTACKS FOR ASSESSING SMART GRID SECURITY
Irrespective of the conceptual framework used, a cyber security risk is generally formulated in two parts: the likelihood of the realization of a given threat and its impact value. In the context of energy grid cyber security, the threat realization is related to the ICT architecture, while the impact factor has to account for the cascading effect of cyber failures in grid control systems on the service provided by the energy infrastructure [9]. The evaluation of the likelihood of a threat realization is a complex process depending on both the likelihood that the threat is manifested and the likelihood that the attack constituting the threat is successful. Both these elements depend on the properties of the attacker and the ICT infrastructure.
2
Focusing on a weak point of the ongoing cyber security standards for smart grids [10], this paper addresses the characterization, categorization and modeling of malicious cyber attacks that are the technical processes aggregating the ICT contingencies of the cyber-power risk index [11]. This section, summarizing a joint work by the Cigré working group D2.31, will present: - the role of attack modelling - abstract attack scenarios to control systems in active distribution grids - the graphical notation aspect.
3.1
Centrality of attack modelling
A key objective for a power grid operator is to reduce the impact of threats to the delivery of a continuous supply of electricity. A special kind of operational threat, often classified as cyber security risks, are antagonistic threats originating from the cyber domain and targeting grid control systems. Maximizing the security of the ICT infrastructure relies heavily on addressing the different vulnerabilities in the system as a whole. An efficient approach to this is to model and examine different attack scenarios to the system. Attack scenarios are, in essence, the steps that an attacker needs to take to realize a threat. The question is then to find a powerful notation for representing cyber attacks.
3.2
Abstract attack scenarios to control systems in active distribution grids
In this section the simple attack tree formalism [12] is used to represent attack scenarios to control architecture of active distribution grids. Inspired by the fault-tree formalism commonly used in dependability analysis, attack steps and techniques are organized in a Boolean logical tree, with the attack objective as the “top-event” (root). Graphical attack modelling formalisms enable the visual representation of the different scenarios that an attack may follow to achieve its objective, thus supporting the analysis of the scenarios. Control systems in active distribution grids focus mainly on applications controllingDERs (Distributed Energy Resources) such as generators, loads, and energy storages connected to Mid Voltage bars and feeders. These DERs, which may be owned by a third party, could play an active role in the energy balancing. In MV feeders including distributed generation, the power injected by DERs can lead the voltage beyond the limits in some parts of the grid. Control actions limited to the OLTC (On Line Tap Changers) of the substation transformers – a standard practice in passive grids - may be not sufficient to meet the supply requirements established by the relevant norms. Voltage profiles in the MV grid may be adjusted in response to the distributed energy resources connected to the MV feeders. A resultant Voltage and Power Control (VPC) algorithm will require several information flows that imply some architectural changes to current SCADA systems. Clearly, the possible architectural options have to be clearly analysed in terms of their cyber security exposure. Fig. 1 gives a high-level attack tree representation following an input/output view of the VPC function. The top-level branches and gates correspond to the high-level categories of attacks, plus a gate accounting for attacks on legitimate remote entities. Detailed sub-trees should be elaborated and connected to this structure, in order to represent concrete attack techniques and vulnerability exploitation. These lower level decompositions require a vision of the communication infrastructure. Fig. 1 presents some initial stages in the decomposition of an attack process leading to the on-line corruption of needed input messages of the VPC function. Under the OR gate “input messages modification”, Fig. 1 illustrates a possible approach to the corruption of the information sent by the TSO. Such network-centric attacks may include specific spoofing and forge techniques, as well as gaining access to the actual communication channels. Alternatively, an intrusion process might be used to attack the system processing the function. The intrusion process, in turn, could be broken down into intermediate steps such as: violation of the local access control measures, interception and then use of remote access credentials and finally corruption of process. As indicated on the figure, the modelling of the specific attacks requires greater technical details of the communication architecture. In either case, the hierarchical nature of the Boolean tree notation enables different depths of representation for these elements.
3
VPC dangerous results
OR VPC corruption (bad results)
OR
OR
OR
Attacks on legitimate remote entities
Attacks on I/O communication messages
OR
OR
Output messages modification
Input messages modification
VPC function direct modification (substation attack)
OR
AND
[Attack tree cut for space reasons]
Attack tree cut for space reasons]
AND TSO Router attack
OR Attack step 1
Attack step 2
[…] Admin pwd bruteforce Social engineering
Alt. attack technique
Fig. 1. Attack tree fragment
3.3
A graphical notation for attack models
If the dynamic aspects of the attacks (i.e. the order and timing of the different attack steps) are deemed important, the simple attack tree representation has to be replaced by dynamic modeling techniques. Several examples different dynamic graphical attack modeling formalisms have already been applied in the context of power control systems by each of the authors. For example, RSE employed a statediagram approach for modeling attack experiments [13] which highlights the need to estimate the time taken by an attacker to complete a given attack step. Attack step duration is quite relevant in the design of appropriate mitigation measures. Alternatively, EDF R&D has developed a formalism called BDMP [14] which, although visually close to attack trees, enables the modeling of dynamic characteristics such as sequential attack steps, detections and reactions. The formalism has been adapted from the dependability area [15], it supports diverse quantitative and qualitative treatments which cannot be made in classical attack trees (e.g., ordered list of attack sequences, mean-time-to-success estimations, sensitivity analysis for security resources optimization, etc.). Finally, KTH has developed a Probabilistic Relational Model (PRM) for cyber security risk analysis [16], which enables attack step representation while providing a broader framework supporting risk computations on an instantiable UML-like class diagram. The three approaches, developed independently, are directed towards the common need to represent the dynamic nature of a time dependent process developing along a given compromise path of the control network. Many challenges still remain to be solved in the use of graphical attack modeling by EPUs. A simple modeling method (such as attack trees) should be complemented by a more complex probabilistic and dynamic approach. For a complete model, more details need to be added both with regards to various (ICT) system components and to the description of smart grid control functionalities. Likewise, other attack processes and additional targets beyond the example presented have to be considered. Added to this, countermeasures also need to be included. Finally, in order for graphical attack modeling to become a practical support to EPU decision making, the consequences of various attacks, on both the power system and the business as a whole, need to be addressed.
4
4
GRADED APPROACH TO CYBER SECURITY OF EPUs
The section clarifies the concept of graded security approach as a fundamental security architecture principle for digital systems in EPUs, enabling efficient mitigation of current and upcoming risks. 4.1
A clarified terminology
The workgroup D2.31 has worked more particularly on the terms: - graded security approach - security level - security zone and security zoning - defense-in-depth - security domains For each of them, extended definitions have been crafted, with a particular care given to the relations existing between the associated concepts. Shortened definitions are provided hereunder, but the reader is invited to read [17] for a more complete and accurate understanding. Graded security approach involves grouping systems sharing similar needs for protection. It implies the definition of a limited number of security levels, grouping diversified security controls and requirements. A Security level is assigned to a system or group of systems in order to reflect similar needs for protection. A security level corresponds to a given set of high-level security requirements. Each system is assigned a security level, based on assignment criteria, depending on each specific graded security approach implementation. In further documents, e.g. ISA-62443.03.03 (99.03.03) DRAFT [18], Security assurance levels is used as a more specific term when referring to Security level. A security zone is a “grouping of logical or physical assets that share common security requirements. A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.” [8] The principle of security zoning corresponds to the definition and implementation of security zones (latter simply called “zones”): it is the architectural and implementation side of the graded security approach defined earlier. Each zone has a given security level assigned, indicating the protective measures to be applied for all digital systems in that zone. The relationship between zones and security levels is not one-to-one: there may be several zones with the same security level. Defense-in-Depth (DiD) is an approach to security in which multiple, independent security measures, covering organizational, technical and operational aspects [19], are deployed in a security architecture, as no individual measure can provide an appropriate level of security. In such approach, it is the set of diversified and independent security measures which are able to bring the needed detection, protection and response capabilities. A security domain is a set of elements, a security policy, a security authority and a set of securityrelevant activities in which the set of elements are subject to the security policy for the specific activities, and the security policy is administered by the security authority for the security domain. [20]. A security domain concept [21] is used in a top-down approach with the view to define high level security requirements reflecting the risk and the risk appetite of security authorities and by taking into account considerations regarding organization, business processes, power system architecture, applications, technology, location of assets, etc. Security domain assets are protected in an electronic network using a graded security approach. 4.2
Overview known documents dealing with graded security approaches
The following documents have been analyzed and compared from a general standpoint:
5
-
The Purdue Enterprise Reference Architecture (PERA) and the ISA95, 99 derived models1 ANSI/ISA-99.01.01–2007 (also issued as IEC 62443-1-1) The CIGRÉ WG D2.24 Technical Brochure (DRAFT), WGD2.22 Technical Brochure NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security” describes security methods and security controls. U.S. Nuclear Regulatory Commission (NRC) Regulatory Guide (RG) 5.71 U.S. NEI (Nuclear Energy Institute) 08-09 IAEA reference manual on Computer security at nuclear facilities (DRAFT) IEC 62645 (DRAFT) SINTEF SecureSafety (SeSa) report Advanced Metering Infrastructure (AMI) system security requirements
The highlighted documents use different terminologies, and different number of security levels and associated security controls. This could lead, in practice, to challenges with regards to conformity, application and implementations. Nevertheless, most of the examined documents share common generic concepts and principles, which are identified and discussed in 4.2. The analysis has further shown that the assignment criteria used by these documents to assign security levels were different in focus and nature. To visualize these differences, the assignment criteria were mapped against a simplified model of “Archimate” [22], based on the three following dimensions: -
“The Business/Operational layer about business processes, functions and events of business units.” [22] (e.g., saftey function)
-
“The Application layer about software application support the components in the business with application services". [22]
-
“The Technology layer deals "with the infrastructural services needed to run applications, realized by computer and communication hardware and system software". [22] (e.g. communication systems)
Fig. 2 – Assignment criteria analysis based on the “Archimate” model [22] decomposition
4.4
Classification methodology
The sustainable and successful implementation of a graded security approach and zones model depends on a consistent mapping of digital systems to different zones as a part of an integrated classification methodology. The classification methods outlined in the document examined represent, at best, only part of this integrated classification methodology.
1
Note that those set of documents are not security-oriented and do not define security levels, contrarily to the other document cited. Nevertheless, we have included them in our analysis as they are often used directly or indirectly as reference models by the other documents.
6
A classification methodology should consist of classification criteria of relevant disciplines and a classification process, which is anchored in the organisational process framework (e.g., risk assessment process, definition of control objectives). The classification methodology has to consider that digital systems (e.g., ICAS systems) are an essential part of the operation processes of a production/distribution unit including critical business functions, information/data flow, master data management and are embedded in organizational and technical structures. Therefore the classification methodology shouldn’t reduce the classification criteria to security only, but rather should also consider process-related criteria, functional criteria, legal criteria, organizational criteria, safety criteria or technical criteria. Contradictive criteria and architectural implementation conflicts, which could lead to complications, time delay or unnecessary high costs during the implementation, could so be avoided. 4.3
Illustration of the effectiveness of a graded security approach
We evaluated, from a conceptual/paper perspective, the effect of an advanced but realistic multi-vector attack against a simplified architecture (see [17]). This chosen architecture implemented a graded security approach and security zoning principle. The chosen attack processes corresponded to the malicious framework “Stuxnet” [1]. After having presented the attack vectors used by “Stuxnet”, we identified the possible attack points for these vectors in a simplified architecture, designed along a graded security approach. Following this, examples of the associated protective measures and an explanation of the expected mitigation effects of such an architecture in front of the considered attack vectors were provided. 4.4
Intermediate conclusions, on-going work
Based on the work previously described, the following intermediate conclusions have been drawn: - Terminology and definitions related to the graded security approach differ partly in the examined documents. This could lead in practice to challenges in regards to conformity, application and implementations. Nevertheless, most of the documents examined share common generic concepts and principles, which are identified and discussed in this paper. A visualization of the different terminology and definitions related to the graded security approach in an operational context and operational lifecycle could provide more clarity and differentiation. This represents on-going work within WGD2.31. -
The development of a graded security approach for digital systems cannot be viewed in isolation. The practical implementation and operation of a graded security approach should include and connect to “non security” aspects like business integration, architecture, governance, organization structure, physical environment, legal or safety regulations. All these aspects have to feed in and be aligned with the graded security approach to ensure a successful and efficient implementation and operation.
-
It is essential to provide classification criteria to ensure a consistent mapping of digital systems to different zones and so ensure a successful implementation of a graded security approach. The examined documents represent, at best, only part of this integrated classification methodology.. Furthermore, security classification criteria should not lead to unidentified conflicts with “non security” characteristics. To enable the sustainable implementation of graded security approach, which can also be applied in cross functional and cross company interfaces, classification methodology has to be developed compatible and back traceable to criteria of different standards and best practices.
-
The effectiveness of a graded security approach relies on an appropriate selection, implementation and operation of different security controls. Therefore security controls cannot be reduced to network segmentation measures, but must integrate security controls of different level like organizational, physical and technical, in a Defense-in-Depth approach.
7
5
CONCLUSION
The paper summarizes the current work on two given areas of cyber security in a theoretical context. Further work is necessary to conclude both topics but also to ensure a transformation of the theoretical discussion into a practical application considering real life dependencies and rules. A next step for the working group is the application and combination of the presented models in an integral security discussion of 3rd party maintenance and access. Finally, although this paper has focused on two specific aspects, ensuring an appropriate security posture involves clearly the consideration of many other security aspects and controls.
BIBLIOGRAPHY [1] W32.Stuxnet Dossier, 2011, Nicolas Falliere, Liam O Murchu, Eric Chien, Available at: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.p df (last visited 25th April 2011) [2] IEC 62443-1, 2008, “Industrial communication networks - Network and system security Part 1 Terminology, concepts and models”, 7 et sqq. [3] IEC 62254-1, 2003, “Enterprise-control system integration – Part 1: Models and terminology”, 185 et sqq. [4] IEC 61226, 2005, “Nuclear power plants - Instrumentation and control systems important to safety Classification of instrumentation and control functions” [5] NIST 800-60 Volume II Revision 1, “SECURITY CATEGORIZATION OF INFORMATION AND INFORMATION SYSTEMS”, 2008 [6] U.S. Nuclear Regulatory Commission (NRC), “Regulatory Guide 5.71 - Cyber Security programs for Nuclear Facilities”, pp. 35, 2010 [7] Idaho National Laboratory, “Control Systems Cyber Security: Defense in Depth Strategies”, 2006 [8] American National Standards Institute (ANSI), International Electro technical Commission (IEC), International Society of Automation (ISA), ANSI/ISA-99.00.01-2007, 2007, IEC 62443-1 Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models [9] M. Beccuti, G. Franceschinis, S. Donatelli, S. Chiaradonna, F. Di Giandomenico, P. Lollini, G. Dondossola, F. Garrone “Quantification of Dependencies in Electrical and Information Infrastructures: the CRUTIAL approach”, Fourth International CRIS conference on Critical Infrastructures, CRIS 2009, Linkoping, Sweeden, April 2009. [10] NIST IR 7628, “Guidelines for Smart Grid Cyber Security: Vol. 3, Supportive Analyses and References”, 2010 [11] G. Dondossola, F. Garrone, J. Szanto, 2011 “Cyber Risk Assessment of Power Control Systems -A Metrics weighted by Attack Experiments” IEEE Power & Energy Society General Meeting, Detroit, Michigan, USA, 2429 July 2011 [12] B. Schneier, “Attack trees: Modeling security threats”, Dr. Dobb's Journal, vol. 12, no. 24, pp. 21-29, 1999. [13] G. Dondossola, F. Garrone, J. Szanto “Experimental Evaluation of Cyber Intrusions into Highly Critical Power Control Systems” Proceedings of the CIRED 2011 - International Conference on Electricity Distribution, Paper n. 0440, Frankfurt, 2011. [14] L. Piètre-Cambacédès, M. Bouissou, “Attack and defense dynamic modeling with BDMP”, in Proceedings of the 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security (MMM-ACNS-2010), pp. 86–101, LNCS 6258, St Petersburg, Russia, 2010. [15] M. Bouissou, J.-L. Bon, “A new formalism that combines advantages of fault-trees and Markov models: Boolean logic driven Markov processes,” Reliability Engineering & System Safety, vol. 82, no. 2, pp. 149– 163, November 2003. [16] T. Sommestad, M. Ekstedt, P. Johnson, “A probabilistic relational model for security risk analysis,” Computers & Security, vol. 29, no. 6, pp. 659–679, 2010. [17] Jens-Tobias Zerbst, Ludovic Pietre-Cambacedes Åge Torkilseng, Olivier Breton, "Graded approach to cyber security for EPUs: Clarifying the security levels and zones concepts", 2011 [18] ISA-62443.03.03 (99.03.03), "Security for industrial automation and control systems: System security requirements and security assurance levels, Draft 3", September 2011 [19] NSA, Defense in Depth. US National Security Agency [20] SO/IEC 10181 Information technology, "Open System Interconnection – Security frameworks for open systems", 1996 [21] Cigré WG D2.22, "Technical Brochure TB 419 on Treatment of Information Security for Electric Power Utilities”, 2010 [22] ArchiMate 1.0 Specification, "Technical Standard - The Open Group Series", ISBN 9087535023, 2009
8
