Continuous quantitative risk management in smart grids using attack defense trees

Thumbnail Image
Files
sensors-20-04404.pdf (2.55 MB)
Identifiers
ISSN: 1424-8220
DOI: 10.3390/s20164404
Publication date
2020-08-07
Authors
Advisors
Journal Title
Journal ISSN
Volume Title
Publisher
Citations
Google Scholar
Export
Research Projects
Organizational Units
Journal Issue
Abstract
Although the risk assessment discipline has been studied from long ago as a means to support security investment decision-making, no holistic approach exists to continuously and quantitatively analyze cyber risks in scenarios where attacks and defenses may target different parts of Internet of Things (IoT)-based smart grid systems. In this paper, we propose a comprehensive methodology that enables informed decisions on security protection for smart grid systems by the continuous assessment of cyber risks. The solution is based on the use of attack defense trees modelled on the system and computation of the proposed risk attributes that enables an assessment of the system risks by propagating the risk attributes in the tree nodes. The method allows system risk sensitivity analyses to be performed with respect to different attack and defense scenarios, and optimizes security strategies with respect to risk minimization. The methodology proposes the use of standard security and privacy defense taxonomies from internationally recognized security control families, such as the NIST SP 800-53, which facilitates security certifications. Finally, the paper describes the validation of the methodology carried out in a real smart building energy efficiency application that combines multiple components deployed in cloud and IoT resources. The scenario demonstrates the feasibility of the method to not only perform initial quantitative estimations of system risks but also to continuously keep the risk assessment up to date according to the system conditions during operation.
Description
Publisher Copyright: © 2020 by the authors. Licensee MDPI, Basel, Switzerland.
Keywords
Information security , Risk assessment , Security management , Analytical Chemistry , Information Systems , Atomic and Molecular Physics, and Optics , Biochemistry , Instrumentation , Electrical and Electronic Engineering , SDG 7 - Affordable and Clean Energy , Project ID , info:eu-repo/grantAgreement/EC/H2020/787011/EU/SPEAR: Secure and PrivatE smArt gRid/SPEAR , info:eu-repo/grantAgreement/EC/H2020/780351/EU/Development, Operation, and Quality Assurance of Trustworthy Smart IoT Systems/ENACT , info:eu-repo/grantAgreement/EC/H2020/787011/EU/SPEAR: Secure and PrivatE smArt gRid/SPEAR , info:eu-repo/grantAgreement/EC/H2020/780351/EU/Development, Operation, and Quality Assurance of Trustworthy Smart IoT Systems/ENACT , Funding Info , This research leading to these results was funded by the EUROPEAN COMMISSION, grant number 787011 (SPEAR Horizon 2020 project) and 780351 (ENACT Horizon 2020 project). , This research leading to these results was funded by the EUROPEAN COMMISSION, grant number 787011 (SPEAR Horizon 2020 project) and 780351 (ENACT Horizon 2020 project).
Type
journal article
Citation
Rios , E , Rego , A , Iturbe , E , Higuero , M & Larrucea , X 2020 , ' Continuous quantitative risk management in smart grids using attack defense trees ' , Sensors , vol. 20 , no. 16 , 4404 , pp. 1-25 . https://doi.org/10.3390/s20164404 , https://doi.org/10.3390/s20164404