Presentation is loading. Please wait.

Presentation is loading. Please wait.

Project Description: – Utility-driven, public-private collaborative project to develop system-level security requirements for smart grid technology Needs.

Published byLindsey Hodge Modified over 8 years ago

Similar presentations

Presentation on theme: "Project Description: – Utility-driven, public-private collaborative project to develop system-level security requirements for smart grid technology Needs."— Presentation transcript:

1 Project Description: – Utility-driven, public-private collaborative project to develop system-level security requirements for smart grid technology Needs Addressed: – Utilities: specification in RFP – Vendors: reference in build process – Government: assurance of infrastructure security – Commissions: protection of public interests Approach: – Architectural team  produce material – Usability Analysis team  assess effectiveness – NIST, UtiliSec  review, approve Deliverables: – Strategy & Guiding Principles white paper – Security Profile Blueprint – 6 Security Profiles – Usability Analysis ASAP-SG: Summary Schedule: June 2009 – June 2012 Budget: $3M/year ( $1.5M Utilities + $1.5M DOE) Performers: Utilities, EnerNex, Inguardians, SEI, ORNL Partners: DOE, EPRI Release Path: NIST, UCAIug Contacts: Bobby Brown bobby@enernex.combobby@enernex.com Darren Highfill darren@utilisec.comdarren@utilisec.com Schedule: June 2009 – June 2012 Budget: $3M/year ( $1.5M Utilities + $1.5M DOE) Performers: Utilities, EnerNex, Inguardians, SEI, ORNL Partners: DOE, EPRI Release Path: NIST, UCAIug Contacts: Bobby Brown bobby@enernex.combobby@enernex.com Darren Highfill darren@utilisec.comdarren@utilisec.com

2 ASAP-SG Security Profiles Advanced Security Acceleration Project for the Smart Grid – Prescriptive, actionable guidance – How to build-in and implement security Tailored to a set of specific smart grid functions, such as – Advanced Metering Infrastructure – Third Party Data Access – Distribution Management – WAMPAC (Synchrophasors) – Substation Automation – Home Area Networks PROPOSED COMPLETE IN PROGRESS

3 Methods from reliability engineering and their application to cyber- security James Nutaro Oak Ridge National Laboratory nutarojj@ornl.gov

4 Outline Failure identification – State transition systems – Applications Failure likelihood – Markov models – Applications Consequence assessment – Dynamic models – Applications

5 Failure identification We will use state transition models to – Enumerate failures of a systems – Prioritize failures – Determine failure modes to high priority failures – Device security controls to negate failure modes

6 What is a state transition system? A state transition systems has – A set of state variables – A range for each state variable A state is an assignment of values to the state variables A transition is a change of state An trajectory of the system is a sequence of states (or, equivalently, a sequence of transitions)

7 An example of a simple data processing systems, part 1 Two state variables: – data – activity The data state variable – Describes if data is presently available for the system to process – Range is none and present The activity state variable – Describes what the system is doing – Range is idle and active

8 An example of a simple data processing systems, part 2 This system has four states It has sixteen possible transitions – Acceptable transitions are shown in the figure – The system is designed for executions that involve only these transitions data=none activity=idle data=present activity=idle data=present activity=active data=none activity=active

9 An example of a simple data processing systems, part 3 Unacceptable transitions are shown in this figure Any execution that includes one of these transitions is a failure – something went wrong data=none activity=idle data=present activity=idle data=present activity=active data=none activity=active

10 Enumerating failure transitions The simplest failure is a trajectory that consists of a single unacceptable transition – Call this simplest failure a failure transition We can enumerate these transitions – Given N states, there are N*N possible transitions – M of these occur by design – The remaining N*N – M are failure transitions

11 An example of a simple data processing systems, part 4 data=none activity=idle data=present activity=idle data=present activity=active data=none activity=active Failure transition Acceptable transition

12 Failure modes Each failure transition has, in general, several causes These causes are the failure modes for that failure transition data=none activity=idle data=none activity=active A failure mode Driver for the network card incorrectly signals the arrival of a data packet

13 Security controls Security controls are designed to mitigate, negate, or otherwise render implausible one or more failure modes data=none activity=idle data=none activity=active A failure mode Driver for the network card incorrectly signals the arrival of a data packet A security control Require all drivers to be signed and then verified upon loading by the OS kernel

14 Which failures to address? Most useful models will be much larger than our example – As the number of states grows, the number of failures grows as the square of that Thousands upon thousands of failure transitions – It is infeasible to address all of them One solution – Create a rule for prioritizing failures – Generate prioritized list based upon rule and model – Start at the top – Stop when out of time, money, or have met a coverage criteria (e.g., top 10% of failures have been addressed)

15 Failure likelihood We will extend state transition models to – Estimate the probability of a failure – Use this as a tool for prioritization Estimating the benefit of a security control Markov chains will be our primary tool

16 Markov chain State transition model plus a probability for each transition Sum of probabilities on the transitions away from a state must equal 1 Right is an example with two states 0.5 0.9 0.1

17 Basic likelihood assessment The probability of particular failure transition occurring during an arbitrary execution is calculated by simulation – Start in the initial state for the model – Select a transition at random based on the probabilities of the outgoing transitions – Repeat until satisfied (e.g., confidence interval is sufficiently small) – Probability of particular transition is the number of times it was taken divided by the total number

18 Other types of assessments Ranking of first failures – What are my most likely problems? – For each failure transition, calculate the likelihood that it will be encountered first during an execution of the system Mean transitions to fail – How long until I encounter a problem? – Determine the average number of acceptable transitions prior to the first failure transition

19 Security controls A security control reduces the likelihood of the failure transition that it addresses data=none activity=idle data=none activity=active A failure mode Driver for the network card incorrectly signals the arrival of a data packet A security control Require all drivers to be signed and then verified upon loading by the OS kernel

20 Challenges Probabilities are difficult to come by in practice – But there may be sufficient data to make a good guess – e.g., how likely is it that without authentication you will be subject to an unauthorized user? – e.g., how likely is this is you use a particular password policy? – Lots of real world experience to build statistics from here; possibly sufficient data in other cases Analysis can be quite involved (i.e., expensive in terms of time and dollars)

21 Rewards A tool for guiding investment in cyber-security – To what extent does a security control reduce my likelihood of a system failure? – Is the reduction worth the cost? – How much is enough? Are my expected failure rates acceptable?

22 Consequence assessment We will extend state transition models to – Include time and dynamics – Use this as a tool for Estimating the likelihood of unwanted physical effects Determining performance requirements for security solutions Assessing risk Discrete event models will be our primary tool

23 Discrete event model All the elements of state transition and Markov models plus – Interactions with the outside world (e.g., the system being controlled) – Evolution through time State InputOutput

24 Method for consequence assessment Dynamic model of system under control Discrete event model of computer system

25 Uses of a combined model Links failure analysis to physical consequences Questions that might be answerable: – Which failures pose the biggest risk in terms of physical outcomes? – How is my risk related to the speed with which I can find and remove an intruder? – How does a particular security solution affect these risks?

26 Challenges Performance characteristics for some security solutions may be difficult to obtain – For example, how quickly does an intrusion detection system find an intruder? – How quickly can I remove that intruder? Analysis can be very involved (i.e., very expensive in terms of time and dollars)

27 Rewards A tool for both understanding risk and guiding investment in cyber-security – To what extent does a security control reduce my risk? – Is the reduction in risk worth the cost? – How much is enough? Are my expected risks acceptable?

28 Comments and questions?

Download ppt "Project Description: – Utility-driven, public-private collaborative project to develop system-level security requirements for smart grid technology Needs."

Similar presentations

Chapter 7 Managing Risk.

Chapter 7 Managing Risk.
Dialogue Policy Optimisation

Dialogue Policy Optimisation
SG Security Working Group Face-to-Face Meeting – July Vancouver, BC  Usability Analysis Task Force  Cybersec-Interop Task Force  Embedded Systems.

SG Security Working Group Face-to-Face Meeting – July Vancouver, BC  Usability Analysis Task Force  Cybersec-Interop Task Force  Embedded Systems.
UCAIug HAN SRS v2.0 Summary August 12, 2010. 2 Scope of HAN SRS in the NIST conceptual model.

UCAIug HAN SRS v2.0 Summary August 12, Scope of HAN SRS in the NIST conceptual model.
The Voice of the Asset Owner ICSJWG – April Dallas  UCAIug  SG Security  ASAP-SG SG Security WG Chair: Darren Reece Highfill

The Voice of the Asset Owner ICSJWG – April Dallas  UCAIug  SG Security  ASAP-SG SG Security WG Chair: Darren Reece Highfill
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Engineering Economic Analysis Canadian Edition

Engineering Economic Analysis Canadian Edition
Planning under Uncertainty

Planning under Uncertainty
Copyright © 2003 Software Quality Research Laboratory Software Production Essentials Seeing Past the Buzz Words.

Copyright © 2003 Software Quality Research Laboratory Software Production Essentials Seeing Past the Buzz Words.
A Robust Process Model for Calculating Security ROI Ghazy Mahjub DePaul University M.S Software Engineering.

A Robust Process Model for Calculating Security ROI Ghazy Mahjub DePaul University M.S Software Engineering.
Discrete Event Simulation How to generate RV according to a specified distribution? geometric Poisson etc. Example of a DEVS: repair problem.

Discrete Event Simulation How to generate RV according to a specified distribution? geometric Poisson etc. Example of a DEVS: repair problem.
The AutoSimOA Project Katy Hoad, Stewart Robinson, Ruth Davies Warwick Business School OR49 Sept 07 A 3 year, EPSRC funded project in collaboration with.

The AutoSimOA Project Katy Hoad, Stewart Robinson, Ruth Davies Warwick Business School OR49 Sept 07 A 3 year, EPSRC funded project in collaboration with.
(c) 2007 Mauro Pezzè & Michal Young Ch 1, slide 1 Software Test and Analysis in a Nutshell.

(c) 2007 Mauro Pezzè & Michal Young Ch 1, slide 1 Software Test and Analysis in a Nutshell.
Adjusting EPLC to your Project Colleen Robinson & Teresa Kinley Friday, February 6, 2009.

Adjusting EPLC to your Project Colleen Robinson & Teresa Kinley Friday, February 6, 2009.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Tony Gould Quality Risk Management. 2 | PQ Workshop, Abu Dhabi | October 2010 Introduction Risk management is not new – we do it informally all the time.

Tony Gould Quality Risk Management. 2 | PQ Workshop, Abu Dhabi | October 2010 Introduction Risk management is not new – we do it informally all the time.
Vulnerability Assessments

Vulnerability Assessments
Hazards Analysis & Risks Assessment By Sebastien A. Daleyden Vincent M. Goussen.

Hazards Analysis & Risks Assessment By Sebastien A. Daleyden Vincent M. Goussen.
8 Managing Risk Teaching Strategies

8 Managing Risk Teaching Strategies
Bottom-Up Integration Testing After unit testing of individual components the components are combined together into a system. Bottom-Up Integration: each.

Bottom-Up Integration Testing After unit testing of individual components the components are combined together into a system. Bottom-Up Integration: each.

Similar presentations

Ads by Google