    Risk assessment of AMS: mapping information security vulnerabilities in AMS (Risikovurdering av AMS. Kartlegging av informasjonssikkerhetsmessige sårbarheter i AMS)

    This report presents a high-level risk assessment of Advanced Metering and Control Systems (AMS), focusing on the consequences that information security breaches of AMS could have for the power supply. The assessment is mainly made for the basic AMS functions, which are to register meter data at the customer, transfer these data to the grid company, and disconnect or throttle the power draw at the individual metering point.

    EXAM SEATING CHART GENERATOR IMPLEMENTED WITH THE BACKTRACKING ALGORITHM (GENERATOR DENAH MEJA UJIAN DENGAN IMPLEMENTASI ALGORITMA BACKTRACKING)

    Several studies have identified that the most commonly used cheating techniques during exams are exchanging answers with the students seated closest, or looking at another student's answers without that person noticing (Davis, et al, 1998). In this study, an exam seating chart generator was built by implementing the backtracking algorithm, so that every exam desk is assigned a question code that differs from its neighbouring desks vertically, horizontally and diagonally. The system was then tested on matrices of various dimensions, with the number of question codes ranging from 1 to 9. The results show that for fewer than 4 question codes the problem has no solution unless the number of rows or columns of the matrix is also < 4; for 4 or more question codes the problem always has a solution, regardless of the matrix dimensions. Keywords: cheating in exams, backtracking algorithm, exam seating chart generator, matrix, distribution of exam question codes.

    Agile Software Development: The Straight and Narrow Path to Secure Software?

    In this article, we contrast the results of a series of interviews with agile software development organizations with a case study of a distributed agile development effort, focusing on how information security is taken care of in an agile context. The interviews indicate that small and medium-sized agile software development organizations do not use any particular methodology to achieve security goals, even when their software is web-facing and a potential target of attack, and our case study confirms that even where security is an articulated requirement, and where security design is fed as input to the implementation team, there is no guarantee that the end result meets the security objectives. We contend that security must be built in as an intrinsic software property and emphasize the need for security awareness throughout the whole software development lifecycle. We suggest two extensions to agile methodologies that may help keep the focus on security during the complete lifecycle.

    Penetration Testing of OPC as part of Process Control Systems

    We have performed penetration testing on OPC, which is a central component in process control systems on oil installations. We have shown how a malicious user with different levels of privilege – outside the network, with access to the signalling path, and with physical access to the OPC server – can fairly easily compromise the integrity, availability and confidentiality of the system. Our tentative tests demonstrate that full-scale penetration testing of process control systems in offshore installations is necessary in order to sensitise the oil and gas industry to the evolving threats.

    Play2Prepare: A Board Game Supporting IT Security Preparedness Exercises for Industrial Control Organizations

    Industrial control organizations need to perform IT security preparedness exercises more frequently than they do today, but limited support material currently exists. This paper presents a board game, Play2Prepare, which simulates a large-scale attack on the electric power grid. The game consists of a number of scenarios and questions that are meant to trigger discussions and knowledge exchange. The intention of the board game is to support organizations in strengthening their incident response capabilities. Initial feedback from the electric power industry indicates that the board game is indeed a relevant tool for preparedness exercises for IT security incidents.

    Security Threats in Demo Steinkjer. Report from the Telenor-SINTEF collaboration project on Smart Grids

    This report describes security threats associated with the deployment of an Advanced Metering Infrastructure (AMI) in the Demo Steinkjer demonstration project. The description is based on the first phase of the actual smart meter roll-out in Steinkjer, but is kept at a vendor-neutral level. The document should thus be relevant for all other Distribution System Operators choosing a similar configuration for their AMI. The work described in this report was performed by SINTEF with funding from Telenor, as a contribution to the Demo Steinkjer project organised under the auspices of the Norwegian Smart Grid Centre. Additional contributions were received from NTNU, NTE and Aidon.

    Why securing smart grids is not just a straightforward consultancy exercise

    The long-term vision for the modernization of power management and control systems, the Smart Grid, is rather complex. It comprises several scientific traditions: SCADA and automation systems, information and communication technology, safety, and security. Integrating ICT with power management and control systems requires major changes in system design and operation, in which security controls are required and implemented, and in how incidents are responded to and learnt from. This paper presents concerns that need to be addressed for the implementation of smart grids to succeed from an information security point of view: a unified terminology, a fusion of cultures, improved methods for assessing risks in complex and interdependent systems, preserving end-users’ privacy, securing communications and devices, and being well prepared for managing unwanted incidents in a complex operating environment.

    UNDERSTANDING INFORMATION SECURITY INCIDENT MANAGEMENT PRACTICES: A case study in the electric power industry

    The implementation of smarter electric power distribution grids brings new technologies, which lead to increased connectivity and complexity. Traditional IT components – hardware, firmware, software – replace proprietary solutions for industrial control systems. These technological changes introduce threats and vulnerabilities that make the systems more susceptible to both accidental and deliberate information security incidents. As industrial control systems control crucial parts of society’s critical infrastructure, incidents may have catastrophic consequences for our physical environment in addition to major costs for the organizations that are hit. Recent attacks and threat reports show that industrial control organizations are attractive targets. Emerging threats create the need for a well-established capacity for responding to unwanted incidents, and such a capacity is influenced by organizational, human, and technological factors. The main objective of this doctoral project has been to explore information security incident management practices in electric power companies and to understand the challenges for improvement. Both literature studies and empirical studies have been conducted, with the participation of ten Distribution System Operators (DSOs) in the electric power industry in Norway. Our findings show that the detection mechanisms currently in use are not sufficient in light of current threats. As long as no major incidents are experienced, the perceived risk will most likely not increase significantly, and consequently the detection mechanisms might not be improved. Risk perception is further affected by the size of the organization and by whether IT operations are outsourced. Outsourcing of IT services limits the effort put into planning and preparatory activities because of strong confidence in suppliers. Finally, small organizations have a lower risk perception than large ones: they do not perceive themselves as attractive targets, and they are able to operate the power grid without the control systems being available. These findings concern risk perception, organizational structure, and resources, which are factors that affect current practices for incident management. Furthermore, different types of personnel, such as business managers and technical personnel, have different perspectives and priorities when it comes to information security, and there is a gap in how IT staff and control system staff understand it. Cross-functional teams need to be created to ensure a holistic view during the incident response process. Training for responding to information security incidents is currently given low priority, and evaluations after training sessions and minor incidents are not performed. Learning to learn would enable the organizations to take advantage of training sessions and evaluations and thereby improve their incident response practices. The main contributions of this thesis are knowledge of the factors that affect current information security incident management practices and the challenges for improvement, and the application of organizational theory to information security incident management. Finally, this thesis contributes to the body of empirical knowledge on information security in industrial control organizations.