    Needs and Challenges Concerning Cyber-Risk Assessment in the Cyber-Physical Smart Grid

    Cyber-risk assessment methods are used by energy companies to manage security risks in smart grids. However, current standards, methods and tools do not adequately provide the support needed in practice, and the industry is struggling to adopt and carry out cyber-risk assessments. The contribution of this paper is twofold. First, we interview six companies from the energy sector to better understand their needs and challenges. Based on the interviews, we identify seven success criteria that cyber-risk assessment methods for the energy sector need to fulfill to provide adequate support. Second, we present the methods CORAS, VAF, TM-STRIDE, and DA-SAN and evaluate the extent to which they fulfill the identified success criteria. Based on the evaluation, we provide lessons learned in terms of gaps that need to be addressed in general to improve cyber-risk assessment in the context of smart grids. Our results indicate the need for the following improvements: 1) ease of use and comprehensible methods, 2) support to determine whether a method is a good match for a given context, 3) adequate preparation to conduct cyber-risk assessment, 4) support for managing complexity, 5) adequate support for risk estimation, 6) support for trustworthiness and uncertainty handling, and 7) support for maintaining risk assessments.

    Analysis and Enforcement of GDPR-related Privacy Principles in Object-Oriented Distributed Systems

    Privacy is recognized as a fundamental human right in the European Union, giving the right to a private life and associated freedoms. In the midst of digital disruption, it is therefore important to consider privacy as a primary requirement in system engineering in order to strike a meaningful balance between fundamental privacy rights, innovation, and economic growth. This thesis provides fundamental computing concepts for privacy, in order to facilitate the construction of privacy-compliant systems. By making privacy an intrinsic component of the design and development of systems, the contributions of this thesis provide a way to turn privacy needs into tangible controls and a way to verify whether a system is privacy compliant. In particular, the thesis focuses on two of the GDPR's specific privacy requirements: data protection by design and the data subject access request. There is a growing demand for verifiable privacy compliance in order to produce evidence for regulatory requirements such as accountability and transparency; this research work lies at the intersection of GDPR-related privacy requirements and formal methods, facilitating a formal specification and verification of privacy compliance.

    Static checking of GDPR-related privacy compliance for object-oriented distributed systems

    The adoption of information technology in foremost sectors of human activity such as banking, healthcare, education, governance etc., increases the amount of data collected and processed to enable these services. With the convenience the technology offers, it also brings increased challenges pertaining to privacy. In response to these emerging privacy concerns, the European Union has approved the General Data Protection Regulation (GDPR) to strengthen data protection across the European Union. This regulation requires individuals and organizations that process personal data of EU citizens or provide services in the EU to comply with the privacy requirements in the GDPR. However, the privacy policies stating how personal information will be handled to meet regulations as well as organizational objectives are given as natural-language statements. To demonstrate a program's compliance with privacy policies, a link should be established between policy statements and the program code, with the support of a formalized analysis. Based on this vision, we formalize a notion of privacy policies and a notion of compliance for the setting of object-oriented distributed systems. For this we provide explicit constructs to specify the constituents of privacy policies (i.e., principal, purpose, access right) on personal data. We present a policy specification language and a formalization of privacy compliance, as well as a high-level modeling language for distributed systems extended with support for policies. We define a type and effect system for static checking of compliance with privacy policies and show soundness of this analysis based on an operational semantics. Finally, we prove a progress property.
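    The following is an added illustration of the kind of static check the abstract describes, written for this page rather than taken from the thesis. Only the three policy constituents (principal, purpose, access right on a kind of personal data) come from the abstract; the program skeleton, the rule that an access is attributed to the purpose declared by its enclosing method, the rule that a method may only call methods declared for the same purpose, and the clinic policy and program are all constructed assumptions for this example.

```python
"""Toy static privacy-compliance checker (added illustration, not the thesis's
own type-and-effect system). Policy clauses carry principal, purpose and access
right on a data kind; the remaining rules are simplifying assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permit:
    """One policy clause. Anything not covered by a clause is forbidden."""
    principal: str
    purpose: str
    right: str
    data_kind: str


@dataclass(frozen=True)
class Access:
    """A personal-data operation in program text; its purpose is the one
    declared by the enclosing method (assumed rule)."""
    principal: str
    right: str
    data_kind: str
    site: str  # source location, used only in the report


@dataclass(frozen=True)
class Call:
    callee: str  # invocation of another method of the system


@dataclass(frozen=True)
class Method:
    name: str
    purpose: str  # declared purpose of processing
    body: tuple   # Access and Call items in program order


def method_effect(name, methods, stack=()):
    """Effect of a method: every (clause needed, site) pair it may perform,
    transitively through calls. `stack` cuts recursion so that (mutually)
    recursive methods terminate; revisiting a method adds nothing new."""
    if name in stack:
        return set()
    method = methods[name]
    effect = set()
    for item in method.body:
        if isinstance(item, Access):
            need = Permit(item.principal, method.purpose, item.right, item.data_kind)
            effect.add((need, item.site))
        elif isinstance(item, Call):
            effect |= method_effect(item.callee, methods, stack + (name,))
    return effect


def check(policy, methods):
    """Return the sorted list of compliance violations found statically."""
    report = set()
    for method in methods.values():
        # Every reachable access must be licensed under its purpose.
        for need, site in method_effect(method.name, methods):
            if need not in policy:
                report.add(f"{site}: {need.principal} may not {need.right} "
                           f"{need.data_kind} for purpose {need.purpose!r}")
        # Purpose limitation across calls (assumed rule): no crossing purposes.
        for item in method.body:
            if isinstance(item, Call) and methods[item.callee].purpose != method.purpose:
                report.add(f"{method.name}: calls {item.callee}, declared for purpose "
                           f"{methods[item.callee].purpose!r}, from purpose {method.purpose!r}")
    return sorted(report)


# Constructed sample policy for a fictitious clinic.
CLINIC_POLICY = {
    Permit("doctor", "treatment", "read", "health"),
    Permit("doctor", "treatment", "write", "health"),
    Permit("marketing", "newsletter", "read", "email"),
    Permit("subject", "access_request", "read", "email"),   # data subject access request
    Permit("subject", "access_request", "read", "health"),
}

# Constructed program skeleton: method name -> Method.
PROGRAM = {
    "update_record": Method("update_record", "treatment", (
        Access("doctor", "read", "health", "Record.py:12"),
        Access("doctor", "write", "health", "Record.py:14"))),
    "send_newsletter": Method("send_newsletter", "newsletter", (
        Access("marketing", "read", "email", "Mail.py:7"),)),
    "target_campaign": Method("target_campaign", "newsletter", (
        Access("marketing", "read", "health", "Mail.py:21"),   # not licensed
        Call("send_newsletter"))),
    "cross_sell": Method("cross_sell", "newsletter", (
        Call("update_record"),)),                               # crosses purposes
    "export_my_data": Method("export_my_data", "access_request", (
        Access("subject", "read", "email", "Dsar.py:5"),
        Access("subject", "read", "health", "Dsar.py:6"))),
}


def compliant_subset():
    """The same program with the two offending methods removed."""
    return {k: v for k, v in PROGRAM.items() if k not in ("target_campaign", "cross_sell")}
```

    Running `check(CLINIC_POLICY, PROGRAM)` reports the unlicensed read of health data for the newsletter purpose and the call that crosses from the newsletter purpose into a treatment method, while `check(CLINIC_POLICY, compliant_subset())` returns an empty list. The point of collecting effects transitively is that a violation deep inside a callee is attributed to every caller that can reach it, which is what lets the check be done once at build time rather than at runtime.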

    A secrecy-preserving language for distributed and object-oriented systems

    In modern systems it is often necessary to distinguish between confidential (high-level) and non-confidential (low-level) information. Confidential information should be protected and not communicated or shared with low-level users. The non-interference policy is an information flow policy stipulating that low-level viewers should not be able to observe a difference between any two executions with the same low-level inputs. Only high-level viewers may observe confidential output. This is a non-trivial challenge when considering modern distributed systems involving concurrency and communication. The present paper addresses this challenge by choosing language mechanisms that are both useful for programming distributed systems and allow modular system analysis. We consider a general concurrency model for distributed systems, based on concurrent objects communicating by asynchronous methods. This model is suitable for modeling modern service-oriented systems, and gives rise to efficient interaction that avoids active waiting and low-level synchronization primitives such as explicit signaling and lock operations. This concurrency model has a simple semantics, allows us to focus on information flow at a high level of abstraction, and allows realistic analysis by avoiding unnecessary restrictions on information flow between confidential and non-confidential data. Due to the non-deterministic nature of concurrent and distributed systems, we define a notion of interaction non-interference policy tailored to this setting. We provide two kinds of static analysis: a secrecy-type system and a trace analysis system, to capture inter-object and network-level communication, respectively. We prove that interaction non-interference is satisfied by the combination of these analysis techniques. Thus any deviation from the policy caused by implicit information leakage visible through observation of network communication patterns can be detected.
    The contribution of the paper lies in the definition of the notion of interaction non-interference, and in the formalization of a secrecy type system and a static trace analysis that together ensure interaction non-interference. We also provide several versions of a main example (a news subscription service) to demonstrate network leakage.
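    The following is an added example, written for this page and not the paper's own type system, showing the failure mode the abstract names: a leak that is invisible to ordinary secrecy typing because the payload of every message is public, yet visible to anyone watching the network, since whether a message is sent at all depends on a secret. It assumes two labels (L public, H confidential), a fixed labelling of variables, and that both the content and the occurrence of a network message are low-observable; the news-subscription client, its variables and the repaired version are constructed for the example.

```python
"""Toy secrecy-type checker for concurrent objects that communicate by
asynchronous method calls (added illustration, not the paper's type system).
Assumptions: labels L and H only, a fixed variable labelling, and a network
on which both the payload and the very occurrence of a message are visible to
a low viewer."""
from dataclasses import dataclass

L, H = "L", "H"          # public (low) and confidential (high)


def join(a, b):
    """Least upper bound of two labels: H if either side is H."""
    return H if H in (a, b) else L


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Const:
    value: object


@dataclass(frozen=True)
class Op:                 # any binary operation; its label joins the operands
    left: object
    right: object


@dataclass(frozen=True)
class Assign:
    target: str
    expr: object


@dataclass(frozen=True)
class If:
    cond: object
    then: tuple
    orelse: tuple = ()


@dataclass(frozen=True)
class Send:               # asynchronous call  callee!method(args)  over the network
    callee: str
    method: str
    args: tuple = ()


def label_of(expr, env):
    """Label of an expression under the variable labelling `env`."""
    if isinstance(expr, Const):
        return L
    if isinstance(expr, Var):
        return env[expr.name]
    return join(label_of(expr.left, env), label_of(expr.right, env))


def check(stmts, env, pc=L, report=None):
    """Return the list of violations in `stmts`. `pc` is the label of the
    control context: inside `if <H-expr>` it is H, so a low assignment there
    is an implicit flow, and a Send there leaks through the communication
    pattern even when its payload is public (interaction non-interference)."""
    report = [] if report is None else report
    for s in stmts:
        if isinstance(s, Assign):
            if join(pc, label_of(s.expr, env)) == H and env[s.target] == L:
                report.append(f"flow into low variable {s.target}")
        elif isinstance(s, If):
            inner = join(pc, label_of(s.cond, env))
            check(s.then, env, inner, report)
            check(s.orelse, env, inner, report)
        elif isinstance(s, Send):
            lab = pc
            for a in s.args:
                lab = join(lab, label_of(a, env))
            if lab == H:
                report.append(f"network-observable send {s.callee}!{s.method} "
                              f"depends on confidential data")
    return report


# Constructed news-subscription client: `interest` is the user's secret
# preference, `topic` is public, `shown` is a confidential local flag.
ENV = {"interest": H, "topic": L, "shown": H}

# Leaky version: a subscribe message leaves the node only if the secret is set,
# so an eavesdropper learns the secret from whether a message appears at all.
LEAKY = (
    If(Var("interest"), then=(Send("news", "subscribe", (Const("sports"),)),)),
)

# Repaired version: the message pattern is independent of the secret; the
# secret decision stays in a high variable that never reaches the network.
FIXED = (
    Send("news", "subscribe", (Const("sports"),)),
    Assign("shown", Var("interest")),
)

# Explicit flow, caught by the ordinary secrecy-typing rule on assignment.
EXPLICIT = (Assign("topic", Op(Var("interest"), Const(1))),)
```

    `check(LEAKY, ENV)` rejects the conditional send even though its only argument is a constant, because the control context is H; `check(FIXED, ENV)` accepts the repaired client, whose sequence of network messages is the same for every value of `interest`. The checker is flow-insensitive and has no declassification, which keeps it sound but conservative; the trace analysis in the paper is what lets such a rule be relaxed without reintroducing observable differences.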

    Power Grids - Cyber Security Requirements for SCADA and Substations

    The 'Smart Grid' describes a next-generation electrical power system which brings multiple benefits from the increased use of information and communication technology but at the same time escalates security risks. Security experts recommend using standardized solutions to alleviate such security risks. This report aims to explore the cyber security requirements prescribed in various standards, from process, personnel, technical and operational perspectives, for selected smart grid components, i.e., SCADA and substations. Another goal is to help Statnett identify potential gaps by comparing the cyber security requirements described in this report with the current state of practice. Since the set of requirements relevant for an organization depends on its context and needs, this list should be taken as a recommendation.

    A Systematic Mapping Study on Cyber Security Indicator Data

    A security indicator is a sign that shows us what something is like or how a situation is changing, and can aid us in making informed estimations of cyber risks. There are many different breeds of security indicators, but, unfortunately, they are not always easy to apply due to a lack of available or credible sources of data. This paper undertakes a systematic mapping study of the academic literature related to cyber security indicator data. We identified 117 primary studies from the past five years as relevant to answer our research questions. They were classified according to a set of categories related to research type, domain, data openness, usage, source, type and content. Our results show a linear growth of publications per year, where most indicators are based on free or internal technical data that are domain independent. While these indicators can give valuable information about the contemporary cyber risk, the increasing usage of unconventional data sources and threat intelligence feeds of a more strategic and tactical nature represents a more forward-looking trend. In addition, there is a need to take methods and techniques developed by the research community from the conceptual plane and make them practical enough for real-world application.