Towards a Systematic Approach for Smart Grid Hazard Analysis and Experiment Specification

The transition to the smart grid introduces complexity to the design and operation of electric power systems. This complexity has the potential to result in safety-related losses that are caused, for example, by unforeseen interactions between systems and cyber-attacks. Consequently, it is important to identify potential losses and their root causes, ideally during system design. This is non-trivial and requires a systematic approach. Furthermore, due to complexity, it may not possible to reason about the circumstances that could lead to a loss; in this case, experiments are required. In this work, we present how two complementary deductive approaches can be usefully integrated to address these concerns: Systems Theoretic Process Analysis (STPA) is a systems approach to identifying safety-related hazard scenarios; and the ERIGrid Holistic Test Description (HTD) provides a structured approach to refine and document experiments. The intention of combining these approaches is to enable a systematic approach to hazard analysis whose findings can be experimentally tested. We demonstrate the use of this approach with a reactive power voltage control case study for a low voltage distribution network.Comment: 2020 IEEE 18th International Conference on Industrial Informatics (INDIN

Developing Secure and Safe Systems with Knowledge Acquisition for Automated Specification

On spetsiaalsed tehnikad, mida kasutatakse riskihalduses nii turvalisuse kui ohutuse konstrueerimise domeenides. Nende tehnikate väljundid, mida tuntakse artefaktidena, on üksteisest eraldatud, mis toob kaasa mitmeid probleeme, kuna domeenid on sõltumatud ja ei ole domeeni, mis ühendaks neid mõlemat. Probleemi keskmes on see, et turvalisus- ja ohutusinsenerid töötavad erinevates meeskondades kogu süsteemiarenduse elutsükli jooksul, mille tulemusena riskid ja ohud on ebapiisavalt kaetud. Käesolevas magistritöös rakendatakse struktuurset lähenemist, turvalisuse ja ohutuse integreerimiseks läbi SaS (Safety and Security) domeeni mudeli loomise, mis integreerib neid mõlemaid. Lisaks töö käigus näidatakse, et on võimalik kasutada eesmärgipõhist KAOS (Knowledge Acquisition in autOmated Specification) keelt ohtude ja riskide analüüsiks, nii et kaetud saavad nii ohutus- kui ka turvadomeen, muutes nende väljundid e. artefaktid hästi struktureerituks, mille tulemusena toimub põhjalik analüüs ja suureneb usaldatavus. Me pakume välja lahenduse, mis sisaldab sellise domeeni mudeli loomist, milles on integreeritud ohtutuse ja turvalisuse domeenid. See annab parema võrdlus- ja integreerimisvõimaluse, leidmaks kahe domeeni vahelise kesktee ning ühendavad definitsioonid läbi nende kaardistamise üldises ontoloogias. Selline lahendus toob kokku turvalisuse ja ohutusedomeenide integratsiooni ühtsesse mudelisse, mille tulemusena tekib ohutus- ja turvalisustehnikate vahel vastastikune mõjustus ning toodab väljundeid, mida peetakse usaldusartefaktideks ning kasutab KAOSt domeeni mudeliga, mis on ehitatud juhtumianalüüsi põhjal. Peale vastloodud mudeli rakendumist viiakse läbi katse, milles analüüsitakse sedasama juhtumit, võrdlemaks selle tulemusi teiste juba olemasolevate mudelite tulemustega, et uurida sellise domeeni mõttekust. Struktureeritud lähenemine võib seega toimida liidesena, mis lihtsustab aktiivset interaktsiooni riski- ja ohuhalduses, aidates leida lahendusi probleemidele ja vastuoludele, mille lahendamiseks on vaja integreerida ohutuse ja turvalisuse domeenid ja kasutada unifitseeritud süsteemianalüüsi tehnikat, mille tulemusena tekib analüüsi tsentraalsus.There are special techniques languages that are used in risk management in both domains of safety engineering and security engineering. The outputs, known as artifacts, of these techniques are separated from each other leading to several difficulties due to the fact that domains are independent and that there is no one unifying domain for the two. The problem is that safety engineers and security engineers work in separated teams from throughout the system development life cycle, which results in incomplete coverage of risks and threats. The thesis applies a structured approach to integration between security and safety by creating a SaS (Safety and Security) domain model. Furthermore, it demonstrates that it is possible to use goal-oriented KAOS (Knowledge Acquisition in automated Specification) language in threat and hazard analysis to cover both safety and security domains making their outputs, or artifacts, well-structured and comprehensive, which results in dependability due to the comprehensiveness of the analysis. The structured approach can thereby act as an interface for active interactions in risk and hazard management in terms of universal coverage, finding solutions for differences and contradictions which can be overcome by integrating the safety and security domains and using a unified system analysis technique (KAOS) that will result in analysis centrality

STPA-SafeSec: Safety and Security Analysis for Cyber-Physical Systems

AbstractCyber-physical systems tightly integrate physical processes and information and communication technologies. As today's critical infrastructures, e.g., the power grid or water distribution networks, are complex cyber-physical systems, ensuring their safety and security becomes of paramount importance. Traditional safety analysis methods, such as HAZOP, are ill-suited to assess these systems. Furthermore, cybersecurity vulnerabilities are often not considered critical, because their effects on the physical processes are not fully understood. In this work, we present STPA-SafeSec, a novel analysis methodology for both safety and security. Its results show the dependencies between cybersecurity vulnerabilities and system safety. Using this information, the most effective mitigation strategies to ensure safety and security of the system can be readily identified. We apply STPA-SafeSec to a use case in the power grid domain, and highlight its benefits

Risk-Based Safety Scoping of Adversary-Centric Security Testing on Operational Technology

Due to the recent increase in cyber attacks targeting Critical National Infrastructure, governments and organisations alike have invested considerably into improving the security of their underlying infrastructure, commonly known as Operational Technology (OT). The use of adversary-centric security tests such as vulnerability assessments, penetration tests and red team engagements has gained significant traction due to these engagements' goal to emulate threat actors in preparation for genuine cyber attacks. Challenges arise, however, when performing security tests on these as the nature of OT results in additional safety and operational risk needing to be considered. This paper proposes a framework for incorporating the assessment of safety and operational risks within an overall scoping methodology for adversary-centric security testing in OT environments. Within this framework, we also propose a hybrid testing model derived from the Purdue Enterprise Reference Architecture and the Defense in Depth model to identify and quantify safety and operational risk at a per-layer level, separating high and low-risk layers and being subsequently used for defining rules of engagement. As a result, this framework can aid vendors and clients in appropriately scoping adversary-centric security tests so that depth-of-testing is maximised while minimising the risk to safety and to the operational process. The framework is then evaluated through a qualitative study involving industry experts, confirming the framework's validity for implementation in practice

SISSA: Real-time Monitoring of Hardware Functional Safety and Cybersecurity with In-vehicle SOME/IP Ethernet Traffic

Scalable service-Oriented Middleware over IP (SOME/IP) is an Ethernet communication standard protocol in the Automotive Open System Architecture (AUTOSAR), promoting ECU-to-ECU communication over the IP stack. However, SOME/IP lacks a robust security architecture, making it susceptible to potential attacks. Besides, random hardware failure of ECU will disrupt SOME/IP communication. In this paper, we propose SISSA, a SOME/IP communication traffic-based approach for modeling and analyzing in-vehicle functional safety and cyber security. Specifically, SISSA models hardware failures with the Weibull distribution and addresses five potential attacks on SOME/IP communication, including Distributed Denial-of-Services, Man-in-the-Middle, and abnormal communication processes, assuming a malicious user accesses the in-vehicle network. Subsequently, SISSA designs a series of deep learning models with various backbones to extract features from SOME/IP sessions among ECUs. We adopt residual self-attention to accelerate the model's convergence and enhance detection accuracy, determining whether an ECU is under attack, facing functional failure, or operating normally. Additionally, we have created and annotated a dataset encompassing various classes, including indicators of attack, functionality, and normalcy. This contribution is noteworthy due to the scarcity of publicly accessible datasets with such characteristics.Extensive experimental results show the effectiveness and efficiency of SISSA

Best practices to improve maritime safety in the Gulf of Finland : a risk governance approach

The Gulf of Finland of the Baltic Sea is a vulnerable sea area with high volumes of maritime traffic and difficult navigation conditions. The reactive international rules are not anymore regarded adequate in ensuring safety in this sea area. In this paper, a regional proactive risk governance approach is suggested for improving the effectiveness of safety policy formulation and management in the Gulf of Finland, based on the risk governance framework developed by the International Risk Governance Council (IRGC), the Formal Safety Assessment approach adopted by the International Maritime Safety Organisation (IMO), and best practices sought from other sectors and sea areas. The approach is based on a formal process of identifying, assessing and evaluating accident risks at the regional level, and adjusting policies or management practices before accidents occur. The proposed approach sees maritime safety as a holistic system, and manages it by combining a scientific risk assessment with stakeholder input to identify risks and risk control options, and to evaluate risks. A regional proactive approach can improve safety by focusing on actual risks, by designing tailor-made safety measures to control them, by enhancing a positive safety culture in the shipping industry, and by increasing trust among all involved.Non peer reviewe

Operational Technology Preparedness:A Risk-Based Safety Approach to Scoping Security Tests for Cyber Incident Response and Recovery

Following the advent of Industry 4.0, there have been significant benefits to industrial process optimisation through increased interconnectivity and the integration of Information Technology (IT) and Operational Technology (OT). However, this has also led to an increased attack surface for cyber threat actors to target. A growing number of cyber attacks on industrial environments, including Critical National Infrastructure, has, subsequently, been observed. In response, government and standardisation organisations alike have invested considerable resources in improving the cyber security of these environments. This includes response and recovery, often used as a last line of defence against cyber attacks. However, due to the unique design philosophies of Industrial Control Systems (ICS), several challenges exist for effectively securing these systems against digital threats. Through an analysis of standards and guidelines, used for assessing and improving cyber incident response and recovery capabilities, and stakeholder engagement on the implementation of these in practice, this thesis first identifies the challenges that exist when it comes to preparing for cyber incidents targeting ICS/OT environments. In particular, risk management, which involves identifying, evaluating, and prioritising risks and finding solutions to minimise, monitor, and control these, was found to be essential for improving preparation for cyber incidents. Assurance techniques are used as part of risk management to generate evidence for making claims of assurances about security. Alongside this, adversary-centric security tests such as penetration tests are used to evaluate and improve cyber resilience and incident response capabilities by emulating the actions of malicious actors. However, despite the benefits that these provide, they are currently not implemented to their full potential due to the safety and operational risks that exist in ICS/OT environments. This thesis contributes to academic and industry knowledge by proposing a framework that incorporates methods for identifying and quantifying the safety and operational risks of conducting adversary-centric security tests within ICS/OT environments. In understanding the risks, these engagements can be scoped using precise constraints so as to maximise the depth of testing while minimising risk to safety and the operational process. The framework is then evaluated through a qualitative study involving industry experts, confirming the framework's validity for implementation in practice