Recommendations for Smart Grids Security Risk Management
Vikas Lamba, Nikola Šimková and Bruno Rossi
Faculty of Informatics, Masaryk University, Brno, Czech Republic
Accepted & unedited version of the article Vikas, L., Šimková, N., Rossi, B. (2019). Recommendations for Smart Grids Security Risk Management, Cyber-Physical Systems, DOI: 10.1080/23335777.2019.1600035.
https://www.tandfonline.com/doi/abs/10.1080/23335777.2019.1600035
ABSTRACT
Smart Grids (SG) represent a paradigm shift for the traditional electric power infrastructure in terms of generation, transmission, and distribution of electricity in real-time. The vast use of Information & Communication Technology (ICT) is a key enabler for the provision of smart energy services to customers. For such provision and sustainability of services, the SG infrastructure has a high level of complexity that brings an increased risk of security threats that need to be properly accounted for and managed. The goal of this article is to provide recommendations for security risk management for SG, discussing aspects of SG risk management and the peculiarities of the planning, identification, assessment, prioritization, monitoring, and control of security risks.
KEYWORDS
Smart Grids; Risk Management Frameworks; Cyber-Physical Systems;
Cybersecurity
1. Introduction
Smart Grids have emerged as a means to improve the reliability, resilience, quality of service, and smartness of the traditional electric power infrastructure (Farhangi, 2010; Komninos, Philippou, & Pitsillides, 2014). They can be considered as complex cyber-physical systems (CPS) that make use of advanced Information and Communication Technologies (ICT) to enhance power quality and services (Habash, Groza, & Burr, 2013; Mo et al., 2012; Sridhar, Hahn, & Govindarasu, 2012).
Smart Grids represent a paradigm shift in the techniques that can monitor the generation, transmission, and distribution of electricity in real-time. Moreover, security and privacy aspects assume a key relevance in the two-way data transfer between consumers and producers (J. Liu, Xiao, Li, Liang, & Chen, 2012; Mo et al., 2012). For this reason, numerous initiatives have started to evolve an intelligent power network that is robust, secure, and flexible (Goel, Hong, Papakonstantinou, & Kloza, 2015; Komninos et al., 2014). As a result, Smart Grids have emerged as a solution to realise the long-term vision of the modernisation of the obsolete electrical power infrastructure (Goel et al., 2015; Hossain, Han, & Poor, 2012). Smart Grids are believed to overcome the major shortcomings of the existing electricity grids, which include "domino-effect failures", carbon footprint reduction, energy conservation, and demand-response diversification (Table 1, Farhangi (2010)).
Long-term sustainability in the context of Smart Grids is made possible by ICT (Caputo, Buhnova, & Walletzký, 2018), with many initiatives focused on improving quality concerns related to the communication, control, and monitoring of SG components (Chren, Rossi, Buhnova, & Pitner, 2018; Moslehi & Kumar, 2010). On the one hand, reference models have been proposed to take a holistic approach to modelling and designing the different layers of the Smart Grid, like the NIST Smart Grid Interoperability Standards (NIST, 2012) or the Smart Grid Reference Model (SGAM) (Bruinenberg et al., 2012). On the other hand, many testing platforms have emerged to provide in-vitro experimental settings for the validation of large-scale deployments, like SmartGridLab (Song, De, Tan, Das, & Tong, 2012), GridSim (Anderson et al., 2012), or SGTMP (Schvarcbacher, Hrabovská, Rossi, & Pitner, 2018; Schvarcbacher & Rossi, 2017).

Table 1. Comparison between traditional power grids and Smart Grids (Adapted from Farhangi (2010))

                          Traditional Grids       Smart Grids
Nature                    Electro-mechanical      Digital
Power Generation          Centralised             Distributed
Models                    Hierarchical            Networked
Network Characteristics   Manual restoration,     Self-healing,
                          limited control         automatic control
Sensors                   Few                     Numerous
Security in Smart Grids is therefore essential to protect the primary components such as SCADA ("Supervisory Control and Data Acquisition"), measurement systems, and communication networks (J. Liu et al., 2012; Metke & Ekl, 2010). Furthermore, the integration of ICT poses general challenges for cyber-physical systems (Enose, 2014), with multiple security risks that need to be correctly identified, analysed, and prioritised (Sajjadi & Niknia, 2013). For this reason, an integrated approach for security risk management is required to ensure proper planning, evaluation, and definition of countermeasures, taking into account both the cyber and power domains in a unified manner (Enose, 2014; Ray, Harnoor, & Hentea, 2010; Sajjadi & Niknia, 2013).
The goal of this paper is to provide recommendations for Smart Grids security
risk management based on the review of existing frameworks for risk management
that have emerged over the years in the context of SGs. We have the following main contributions:
• a review of current risk management frameworks as applied in the context of Smart Grids;
• based on the reviewed literature, a set of recommendations for Smart Grids security risk management.
The article is structured as follows. In section 2, we review project risk management terms that are reused throughout the article. In section 3, we discuss SGs and their main security requirements. Section 4 discusses risk management in the context of SGs, with a review of existing frameworks. Based on the review and the main security requirements, section 5 looks into recommendations for SGs security risk management. Section 6 provides the conclusions.
2. Background on Project Risk Management
With the increasing complexity of projects, project management forms an essential component to optimise the time, cost, and resources involved in a project life cycle. For any organisation, effective project management not only enhances the capabilities of the project manager in planning, organising, and monitoring the project but also ensures the timely delivery of a good quality product that meets the organisation's business goals (Chapman & Ward, 2003). However, threats to projects in the form of risks can pose challenges to proper project management, calling for proper risk management activities (Project Management Institute Inc, 2000; Ward & Chapman, 1995).
Risk management has been applied to diverse fields, from Software Engineering (Boehm, 1991) and Information Technology Systems (Stoneburner, Goguen, & Feringa, 2002) to more recent smart environments, such as Smart Buildings (Kučera & Pitner, 2013) and Smart Grids (Ray et al., 2010). In the rest of this section, we cover some of the major terms of project risk management.
2.1. Risk
A risk can be seen as any uncertain event that can have an impact on a project (Kwak & Stoddard, 2004). It can be defined as the "probability of occurrence of an unknown event or uncertain condition that can have either a positive or negative impact on project objectives" (Chong & Brown, 2000; Project Management Institute Inc, 2000). Moreover, the risk definition can be made more specific depending upon the domain in which project management is to be applied. In the domain of ICT, a risk can be defined as the "probability that a specific threat will exploit a specific vulnerability of the system" (Ross, 2011; Stoneburner et al., 2002). According to the IEEE standard for Software Life Cycle Processes (Engineering & Committee, 2001), a risk is defined as the likelihood of occurrence of any hazard or threat whose outcomes can be a potential problem.
2.1.1. Risk Exposure
Risk exposure (RE) can be defined as the product of the "probability of occurrence and the loss it can cause" (Han & Huang, 2007; Kwak & Stoddard, 2004), such that the level of exposure can be measured both quantitatively (through the nominal scale) and qualitatively (using the ordinal scale) (Project Management Institute Inc, 2000).
2.1.2. Risk Factors
Projects in any domain are inherently vulnerable to multiple potential problems that can have a huge impact on their final success. In general, the common risk factors described in Chong and Brown (2000) and Kwak and Stoddard (2004) are as follows:
(1) Inadequate requirement gathering and analysis.
(2) The communication gap between the organisation and end-users.
(3) Lack of interest and commitment by the top level management.
(4) Lack of expertise and skills in the project team.
(5) Improper planning of budget, time schedule, and resources.
The above list of risk factors can be extended depending upon the domain in which the project is being implemented. Software projects are more susceptible to failures due to changing technology, requirements creeping in from end-users, and the interdependency between multiple development agencies. Hence, the risk factors in software development are more critical and require specific actions (Chong & Brown, 2000). In the domain of ICT, risk factors are more pertinent to the identification of threats and vulnerabilities in the systems. This requires the extensive gathering of system-related information, which can be obtained using systematic techniques such as questionnaires, automated scanning tools, and reviews that give insight into the implemented security policies (Ross, 2011; Stoneburner et al., 2002).
2.2. Project Risk Management Process
Project risk management is a comprehensive process to manage project risks. It can be described as a "continuous process to identify, analyse, prioritise, and mitigate project risks" (Project Management Institute Inc, 2000). Moreover, it can be seen as a process that can be structured into phases based on project objectives and can be applied to all phases of the project life cycle. Various guides and standards have evolved and been adopted to assess, evaluate, and control project risks:
(1) Guide to Project Management Body of Knowledge (PMBOK) has been developed by the Project Management Institute (Project Management Institute Inc, 2000) and describes the complete process of project risk management as an integral component of project management.
(2) Project Risk Analysis and Management Guide (PRAM) has been created by the Association of Project Managers (APM) (Chapman, 1997) and covers all aspects of the risk management process (RMP) and the good practices that are required to be adapted to meet project objectives.
(3) IEEE/EIA standard 12207 and IEEE/EIA standard 1540 have been prepared by IEEE Engineering and Committee (2001) to define the scope of risk management and explicitly specify the procedures to be adopted for correct implementation in the software development life cycle (SDLC).
(4) Risk Management Guide for IT Systems has been developed by NIST (Stoneburner et al., 2002) to specify the objectives, goals, and process of risk management for securing the organisation's IT systems, proprietary data, and mission-critical information.
Project risk management involves five major processes: risk management planning,
risk identification, risk analysis, risk response planning, and risk monitoring (Chong
& Brown, 2000; Project Management Institute Inc, 2000). Figure 1 depicts the phases
of project risk management generally followed by all organisations.
2.2.1. Risk Management Planning
Risk management planning involves deliberate decision making on how to perform risk management and what activities will be performed during the process. This process includes the assignment of roles and responsibilities to the project team, the formulation of stringent policies, and procedures for the documentation, reporting, and review of risks in a systematic way (Chong & Brown, 2000). It is also associated with the planning of foreseen contingencies that may impact the budget, time, and resources allocated to the project in the future (Chapman & Ward, 2003). This comprehensive process identifies the best methodology, sophisticated tools, and reliable data sources to perform correct assessment, tracking, and control of risks (Project Management Institute Inc, 2000).
[Figure 1: the five phases of project risk management and the techniques associated with each: Risk Management Planning; Risk Identification (checklists, brainstorming, SWOT analysis, assumptions & constraints, graphical techniques); Risk Analysis & Prioritisation (qualitative analysis, quantitative analysis); Risk Response Planning (risk avoidance, risk acceptance, noninsurance transfer, risk insurance, risk mitigation); Risk Monitoring & Control]
Figure 1. Project Risk Management (Adapted from Project Management Institute Inc (2000))
2.2.2. Risk Identification
Risk identification entails the identification of the potential risk factors that may considerably affect the project progress. It forms a crucial step in risk assessment to take into account all events and activities pertaining to risk categories that can have either a negative impact as threats or a positive impact as opportunities on the project life cycle (Kwak & Stoddard, 2004). The most commonly adopted techniques for risk identification are described in Chong and Brown (2000) and Project Management Institute Inc (2000):
(1) Checklists are an important technique used to identify possible risks based on historical data and experiences shared by subject experts.
(2) Brainstorming gathers relevant information about project risks from a group of experts to generate an exhaustive list of factors contributing to project risk (Chong & Brown, 2000). It facilitates the categorisation and ranking of risks, which forms an important input for risk analysis and risk prioritisation (Project Management Institute Inc, 2000).
(3) SWOT Analysis (Strengths, Weaknesses, Opportunities, and Threats) enhances the capability of the risk-identifying bodies to examine the project in multiple dimensions from the perspective of opportunities and threats, thereby amplifying the risk management process.
(4) Assumptions and Constraints Analysis supposes the existence of assumptions and constraints that are required to be identified and analysed explicitly (Chong & Brown, 2000). Assumptions are events or conditions that are taken to be true in the near future and that are difficult to formally verify at a particular instant of time (Chapman & Ward, 2003; Chong & Brown, 2000; Project Management Institute Inc, 2000).
(5) Graphical Techniques mainly involve the representation of a problem by graphical means (the creation of activity diagrams depicting a sequence of critical activities). The purpose is to understand the cause and influence of risk on project variables, thereby analysing the strong relationship between risk factors and their impact on the project (Project Management Institute Inc, 2000).
2.2.3. Risk Analysis and Prioritisation
Risk analysis is a systematic process where each identified risk is evaluated based on the likelihood of its occurrence and the impact it will cause on the project. Risk prioritisation is a subsequent step to risk analysis whose goal is to rank the identified and analysed risks in order of priority based on their severity and their likely time of occurrence during the project cycle (Chong & Brown, 2000). There are various formal methodologies that enable project managers to either measure the magnitude of impacts in quantitative terms or express them in qualitative terms (Chong & Brown, 2000; Engineering & Committee, 2001; Kwak & Stoddard, 2004; Project Management Institute Inc, 2000; Stoneburner et al., 2002). Therefore, the process of risk analysis can be classified into two major domains:
(1) Qualitative Risk Analysis is performed when it is difficult to gather enough data to quantify the risks, and is therefore followed when an organisation has limited time, a constrained budget, and a lack of expertise to do formal mathematical analysis (Ray et al., 2010). The most commonly adopted way to perform qualitative analysis is based on defining the probability of a risk using an ordinal scale that can vary from very low to very high. A two-dimensional matrix can then be made for the assignment of ordered risk ratings to all identified risk events based on their likelihood of happening and overall impact on the project objectives (Chapman & Ward, 2003; Chong & Brown, 2000; Kwak & Stoddard, 2004).
(2) Quantitative Risk Analysis is a more formal approach for analysing projects that have a high-risk ranking, thereby requiring exhaustive risk management. This process is generally followed after qualitative risk analysis. However, both processes can be applied together or selectively depending upon the time and budget constraints of an organisation (Project Management Institute Inc, 2000). The formal techniques commonly used in this process primarily involve the analysis of probability distributions, decision trees, and simulations (Chong & Brown, 2000; Kwak & Stoddard, 2004; Project Management Institute Inc, 2000).
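As an added example (not code from the article), the following Python puts the risk exposure definition of section 2.1.1 and the two-dimensional likelihood/impact matrix and prioritisation of section 2.2.3 to work on a constructed register of Smart Grid security risks; the ordinal cut-offs, the matrix thresholds, and the register values are assumptions.

```python
"""Qualitative likelihood/impact matrix, quantitative risk exposure (RE) and
prioritisation for a constructed Smart Grid security risk register.
Added illustration, not code from the article: the five-step cut-offs, the
matrix thresholds and the sample register are assumptions."""
from dataclasses import dataclass

# Ordinal scale used by the qualitative analysis, encoded 1..5.
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
RATING_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def to_ordinal(value: float) -> str:
    """Map a probability or a relative loss in [0, 1] onto the ordinal scale.
    The cut-offs are an assumption; an organisation calibrates its own."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"expected a value in [0, 1], got {value}")
    for label, upper in (("very low", 0.1), ("low", 0.3),
                         ("medium", 0.6), ("high", 0.85)):
        if value <= upper:
            return label
    return "very high"


def matrix_rating(likelihood: str, impact: str) -> str:
    """Two-dimensional likelihood x impact matrix. The cell value is derived
    from the product of the two ordinal ranks (1..25); thresholds are assumed."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # probability of occurrence within the project cycle
    loss: float          # estimated loss if the risk materialises (currency units)
    expected_month: int  # likely time of occurrence in the project cycle

    def exposure(self) -> float:
        """Risk exposure (section 2.1.1): probability of occurrence times loss."""
        return self.probability * self.loss


def analyse(risk: Risk, loss_cap: float) -> dict:
    """Qualitative analysis of one risk. `loss_cap` is the largest loss the
    organisation considers, so loss / loss_cap is the relative impact."""
    likelihood = to_ordinal(risk.probability)
    impact = to_ordinal(min(risk.loss / loss_cap, 1.0))
    return {
        "name": risk.name,
        "likelihood": likelihood,
        "impact": impact,
        "rating": matrix_rating(likelihood, impact),
        "exposure": risk.exposure(),
        "month": risk.expected_month,
    }


def prioritise(risks: list, loss_cap: float) -> list:
    """Rank risks by matrix rating (severity), then by likely time of
    occurrence (earlier first), then by quantitative exposure as a tie-break."""
    rows = [analyse(r, loss_cap) for r in risks]
    rows.sort(key=lambda row: (-RATING_ORDER[row["rating"]],
                               row["month"], -row["exposure"]))
    return rows


# Constructed register of Smart Grid security risks (values are illustrative).
REGISTER = [
    Risk("SCADA command network unavailable", 0.15, 2_000_000, 12),
    Risk("Smart meter tampering at customer premises", 0.40, 50_000, 6),
    Risk("Eavesdropping on NAN wireless traffic", 0.60, 20_000, 3),
    Risk("Vendor dispute delays AMI roll-out", 0.20, 300_000, 9),
]
LOSS_CAP = 2_000_000.0


if __name__ == "__main__":
    for row in prioritise(REGISTER, LOSS_CAP):
        print(f"{row['rating']:>8}  {row['likelihood']:>9} x {row['impact']:<9} "
              f"RE={row['exposure']:>10,.0f}  month={row['month']:>2}  {row['name']}")
```

Note that the rare but high-impact SCADA outage ranks first on the matrix although its likelihood is low, while the two low-rated risks are ordered by expected time of occurrence rather than by exposure, which is the difference between the qualitative ranking and a pure RE ranking.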
2.2.4. Risk Response Planning
Once the risks are correctly identified, analysed, and prioritised, the next major step in project risk management is to evolve strategies to handle them. Over time, many studies have been conducted to find optimum techniques to mitigate risks (Chapman & Ward, 2003; Chong & Brown, 2000; Project Management Institute Inc, 2000; Ray et al., 2010; Westland, 2007). The most common risk response strategies followed by organisations to mitigate potential risks can be elaborated as follows:
(1) Risk Avoidance aims at eliminating a risk factor by changing the situation or condition that is primarily responsible for its occurrence. Although this technique cannot guarantee the elimination of all possible risks, it can reduce their impact to a satisfactory level by adopting good practices of project risk management, such as continuous communication with stakeholders, effective resource management, careful allocation of budget, and adoption of innovative technologies to meet future challenges.
(2) Risk Acceptance means that the project team acknowledges the risk, but it may or may not take prompt action against it. Risk acceptance can be further classified as active and passive. In the former case, the project team creates a contingency plan and implements it as and when an identified risk occurs, while in the latter case the project team takes no action and is willing to accept the consequences.
(3) Noninsurance Transfer aims to transfer the risk and its outcomes to a third party (other than an insurance company), which must be selected appropriately based on expertise and skills to avoid any new risks due to the transfer. The most commonly adopted methods for risk transfer are contracts, hedging of price risks, and incorporation of business firms (Rejda, 2011).
(4) Risk Insurance is one of the risk financing techniques (Rejda, 2011) that enables the organisation (beneficiary) to handle risks through an agreement with another party (an insurance company). The agreement specifies the amount of the premium that the beneficiary has to pay to the insurer to cover the risk for a defined amount on the occurrence of a loss. Cybersecurity Insurance (CI) is nowadays contributing immensely towards risk insurance in the cyber domain, such that it has been widely implemented as an insurance service model in many business organisations (Gai, Qiu, & Elnagdy, 2016).
(5) Risk Mitigation deals with the application of counter-measures to reduce the impact of a risk by taking immediate actions rather than postponing them. A thorough analysis of the cost and the benefit of the process is required by the project manager, keeping the likelihood of the risk and its impact in mind (Chong & Brown, 2000).
2.2.5. Risk Monitoring and Control
The final process in project risk management deals with the tracking of identified risks and the implementation of the appropriate risk management techniques. The major objective of risk monitoring is to validate the execution of response plans to mitigate the project risks and their periodic evaluation to achieve project objectives (Project Management Institute Inc, 2000). It primarily involves a regular audit of policies and a thorough review of risk contingency plans for their effectiveness in dealing with anticipated potential problems. The goal of risk control is to lower the impact of risk by taking remedial actions on time, thereby circumventing the growth of risk. This typically involves choosing correct strategies, truthful reporting, measurement of performance, and supplementary planning for unanticipated risks (Project Management Institute Inc, 2000). Risk control forms an essential component in the ICT domain. There are multiple factors that are required to be considered while applying the controls, such as legal aspects, safety, reliability, and operational impact. In the domain of software development, the primary objective of this process is to monitor, review, and update the risk states based on their priority to perform the necessary risk treatment selected by stakeholders in accordance with the acceptance level of the organisation (Chong & Brown, 2000).
3. Smart Grids & Security Requirements
Over the recent years, Smart Grids have emerged by means of the convergence of ICT and power systems to improve reliability, efficiency, and resilience (Goel et al., 2015). Sustainability and safety of existing communication networks are achieved by overlaying digital infrastructures on the electrical grid to facilitate real-time monitoring of power generation and distribution.
3.1. Smart Grids Architecture
In a broad sense, the architecture of SG can be represented as the connection between communication networks and physical power systems that interact for real-time operational tasks. The SG architecture can be thought of as the integration of multiple networks providing ubiquitous communication capability for data collection and processing to make real-time decisions about future power loads (Goel et al., 2015). The power network is categorized into four domains: power generation, power transmission, power distribution, and power consumption (Farhangi, 2010). The communication network is a hierarchical network that provides communication capabilities to each component of the power network.
Over time, different conceptual reference models of SG have been proposed. The development of a conceptual model helps to build a common view about a complex domain, such as the one of SGs, in which many different heterogeneous parts need to integrate and co-exist. The ultimate goal of a SG conceptual model is to let stakeholders model use cases, discover needs in terms of interfaces, and frame SG within cyber-security strategies in a technology-agnostic way.
Both the CEN-CENELEC-ETSI and the NIST conceptual models represent the top level of a hierarchy to model the main aspects of the SG domain. The NIST model was the first one to be proposed, representing the view of SG in the United States (NIST, 2012). The CEN-CENELEC-ETSI standardization Group adopted the same NIST conceptual model for the Smart Grid Architecture Model (SGAM) (Bruinenberg et al., 2012), adapting it to European SG requirements by adding a new domain related to distributed energy resources that is not present in the NIST model (Moura, López, Moreno, & De Almeida, 2013).
3.1.1. NIST Conceptual Reference Model for Smart Grids
NIST has formalised the architecture of SG in terms of integration of communication
and power networks (NIST Framework and Roadmap for Smart Grid Interoperability
Standards, released in February 2012 (NIST, 2012)). The ”conceptual reference model”
presents the logical view of SG as a combination of domains and actors. The model not
only identifies different stakeholders in the context of SG but also describes various
logical interfaces required for power and communication networks (NIST, 2012).
According to the model, the overall architecture of SG can be seen as a combination of seven major domains: transmission, distribution, operations, generation, markets, customer, and service provider (NIST, 2012; Victoria Y. Pillitteri, 2014). A domain in the model is a grouping of organisations, individuals, and systems that have similar objectives (NIST, 2012; Victoria Y. Pillitteri, 2014). Each domain of the model comprises a group of actors and applications. An actor can be any system, device, or individual that can make a decision and can communicate with other actors in order to perform applications within the SG (NIST, 2012; Victoria Y. Pillitteri, 2014). As an example, a smart meter is an actor that can store, transmit, and process information (Chren, Rossi, & Pitner, 2016). The applications are the various tasks performed by an actor within a certain domain, like the management of energy, generation of solar power, and automation of home appliances.
At the lowest level, the customer domain corresponds to consumers of electricity (individuals, industries, and utilities dealing with power generation, power storage, and power management). At the highest level, the market domain corresponds to the electricity market, where actors can be operators that participate in effective marketing and trading of electricity. A service provider in SG plays a key role in the provision of electricity to the last mile, dealing with customer registration, management, and billing. The other domains, generation, transmission, and distribution, deal with power generation, power transmission, and power distribution (Elyengui, Bouhouchi, & Ezzedine, 2013; Goel et al., 2015; NIST, 2012; Victoria Y. Pillitteri, 2014).
[Figure 2: Smart Grid communication infrastructure, showing the network hierarchy (Home Area Network (HAN) with the smart meter, Neighbourhood Area Network (NAN), Data Aggregator Unit (DAU), Wide Area Network (WAN), enterprise networks with the Meter Data Management System, portal, and external network), the NIST domains (Markets, Service Providers, Bulk Generation, Operations, Transmission, Distribution, Customer), and the associated technologies (Internet Protocol, World Wide Web, Web Services, MultiSpeak, message buses, SONET, ATM, MPLS, Frame Relay, WiMAX, ADSL, cellular, ZigBee, WiFi, OpenHAN)]
Figure 2. Smart Grid Communication Infrastructure (Adapted from Hossain et al. (2012))
3.1.2. The Smart Grid Reference Model (SGAM)
The Smart Grid Reference Model (SGAM) defined by the CEN-CENELEC-ETSI standardization Group constitutes a three-dimensional model including domains, zones, and layers (Fig. 3) (Bruinenberg et al., 2012).
The zones constitute the different levels of power system management (Bruinenberg et al., 2012), being composed of the process, field, station, operation, enterprise, and market levels. For example, the station level can represent the level of information/data aggregation for data concentration and substation automation. The domains are the levels of the electrical energy conversion chain (Bruinenberg et al., 2012): generation, transmission, distribution, distributed electrical resources (DER), and customer premises. For example, the distribution level deals with the infrastructure and organisations that distribute electricity to customers. The layers represent different vertical concerns for SG architectures and are represented by the component, communication, information, function, and business layers. The component layer is composed of physical and virtual devices, the communication layer represents the different protocols used, the information layer relates to the modelling of information, the function layer maps the functionality that needs to be provided, and the business layer represents the business goals in terms of services provided. All these layers need to be considered for the provision of SG-related services.
SGAM also represents a methodology for the creation of SG use cases by considering all the levels, from the business level down to the field level, in a technology- and solution-neutral way.
Figure 3. Smart Grid Architecture Model. Source: Bruinenberg et al. (2012)
3.2. Smart Grids Security Requirements
The reliance of Smart Grids on ICT makes them subject to multiple security threats associated with emerging advanced technology. Furthermore, SGs are a lucrative target for attackers seeking various gains by exploiting existing vulnerabilities (Jokar, Arianpoo, & Leung, 2012; Pandey & Misra, 2016; Yadav & Mahajan, 2015), and are exposed to various security threats owing to the interaction between different communication layers (Enose, 2014; J. Liu et al., 2012; NIST, 2012; Victoria Y. Pillitteri, 2014). The key security objectives (section 3.2.1), requirements (section 3.2.2), and challenges (section 3.2.3) are important to understand the main security-related issues in SGs.
3.2.1. Key Security Objectives
A lot of research has been conducted by various organisations on the development of security objectives and requirements in Smart Grids, including the "Electric Power Research Institute (EPRI)", NIST, and the "Smart Grid Interoperability Panel (SGIP)" (Pandey & Misra, 2016). NIST has evolved an analytical framework that focuses on the analysis of security risks of Smart Grids in the cyber domain (Victoria Y. Pillitteri, 2014). This framework has identified the main cybersecurity objectives pertaining to Smart Grids as availability, integrity, and confidentiality:
(1) Availability deals with ensuring that authorised parties can access resources when needed, granting access to the required services (Pandey & Misra, 2016). This has been identified as the most important security objective, essential for the continuous operation of SGs, differently from conventional IT systems that could be restarted without critical impacts (Ray et al., 2010).
(2) Integrity is the aspect of preventing unauthorised modification of critical data of sensory devices, smart meters, and other system components by adversaries. The protection of such critical data is essential, as its modification can disrupt command and control of the network, thereby hindering the decision-making process (Pandey & Misra, 2016). The integrity of data is a secondary security objective for Smart Grids: in the customer domain, integrity of data concerns the protection of metering and billing data, while in the utility domain it concerns the operational data of the entire grid (J. Liu et al., 2012; Yan, Qian, Sharif, & Tipper, 2012).
(3) Confidentiality is related to the prevention of disclosure of sensitive data and of access to critical system components by unauthorised sources. In the customer domain, an attacker could predict the behavioural pattern of a customer by gaining insight into power usage and billing information (Wang & Lu, 2013).
3.2.2. Key Security Requirements
Security in SGs has to be considered for both the power system and IT systems together
and not in isolation (Ray et al., 2010). The aforementioned SGIP, the ”Cyber Security
Working group (CSWG)”, and NIST have identified key security requirements broadly
divided into four major groups: physical security, data security, network security, and
security management (Pandey & Misra, 2016; Victoria Y. Pillitteri, 2014; Yadav &
Mahajan, 2015):
(1) Physical security pertains the protection of SG devices against theft, sabotage,
and tampering. The smart meters are most vulnerable to such kind of threats
and to ensure their security, sophisticated mechanisms are required to be incor-
porated at the customer premises to ensure overall reliability (Goel et al., 2015;
Jokar et al., 2012; Pandey & Misra, 2016; Wang & Lu, 2013).
(2) Data security primarily includes the privacy of customer data, secure storage
of data, regular back-up of critical data, and lost data recovery mechanisms. The
privacy of consumer data is considered the most relevant aspect in Smart Grids
due to the fact that disclosure of information flowing between smart meters and
utilities can enable adversaries to determine behavioral patterns (J. Liu et al.,
2012; Wang & Lu, 2013).
(3) Network security encompasses security of wireless networks, security of com-
mand and control networks, security of real-time measurements systems against
eavesdropping, state manipulation, and data injection attacks (Komninos et al.,
2014; Wang & Lu, 2013; Yadav & Mahajan, 2015). It also includes protection
against unauthorised access such that only legitimate users can have access to
the network after their identity is verified. However, the selection of appropriate
cryptographic mechanisms for use in SGs requires attention, due to the low-memory
and slow-processing devices that can be part of the network (Jokar et al.,
2012; Mo et al., 2012; Wang & Lu, 2013).
(4) Security management is concerned with the formulation and implementation
of security policies, deployment of risk management frameworks, periodical au-
dits, and entrusting accountability. Audits can be well used to detect and prevent
security breaches by performing the proper analysis of logs.
3.2.3. Smart Grids Security Challenges
There are numerous challenges to meet key security requirements discussed in the
preceding section. This section highlights prominent challenges that must be addressed
while implementing security mechanisms in SGs.
(1) Operating Environments Heterogeneity is a key challenge, as SGs can
be seen as the convergence of "operational technology (OT)" and information
technology (IT) systems (Ray et al., 2010) with a huge difference in operating
environments.
(2) Interconnectivity of Diverse Networks: the communication infrastructure
of SGs is composed of multiple networks like wired, wireless, cellular, power line
cables, each working with its own standards and protocols (Hossain et al., 2012).
Hence, the interoperability of such diverse networks meeting security policies is
quite challenging.
(3) Heavy Dependence on Wireless Technology: the customer and distribution
domains of SGs are predominantly wireless, using technologies like
ZigBee, Wi-Fi, and WiMAX, making these networks prone to various attacks as
data flow can be intercepted by adversaries (Goel et al., 2015; Hossain et al.,
2012; Jokar et al., 2012; Victoria Y. Pillitteri, 2014; Wang & Lu, 2013).
4. Risk Management Frameworks for Smart Grids
To identify common characteristics of risk management frameworks in the area of
SGs, we ran a review of existing studies. Our goal was to identify common techniques
applied to evaluate, assess, and mitigate risks in the context of SGs: how the
frameworks have been implemented, and what kind of features were considered.
4.1. Identified SG Risk Management Frameworks
Overall, we identified seven main categories (F1-F7) of risk management frameworks
that cover a variety of aspects in SGs risk management (Table 2).
Unified frameworks (F1) take an overall view to analyse security and privacy risks,
such as the one proposed by Kalogridis, Sooriyabandara, Fan, and Mustafa (2014).
The framework is known as the Unified Security and Privacy Protection (USaPP)
framework providing a methodological approach to manage underlying privacy and
security risks in SGs exploring a set of solutions for security management. Integration
of security and safety into risk assessment has been proposed by Dobaj (2018). The
emphasis has been laid on an integrated methodology of risk assessment that primarily
focuses on security and safety risks in SGs. An architecture driven SG risk management
framework has been proposed by Kammerstetter, Langer, Skopik, and Kastner (2014).
The framework considers the whole architecture of SGs for holistic risk management.
Simulation/modelling-based frameworks (F2) are based on these activities as main
building blocks of the SG risk management process. An example is the Cyber-physical
modeling and assessment (CPMA) framework that simulates the interdependencies
between the physical and cyber systems to isolate the potential failings in the system,
evaluating the operational reliability of cyber-physical systems (Davis et al., 2015).
Stakeholder-based frameworks (F3) place the emphasis on the actors interacting at
the different levels of SGs. An example is the risk management methodology known
as the "Smart Electricity Grid (SEGRID) Risk Management Methodology (SRMM)"
(Rossebo, Wolthuis, Fransen, Bjrkman, & Medeiros, 2017). The proposed framework
includes stakeholder inter-dependencies and risk propagation through value chains,
which enable system operators to have a better knowledge about the impact of risks
on stakeholders interests.
Hardware-based frameworks (F4) pose the focus on hardware devices for risk pre-
vention and management. As an example, Duren, Aldridge, Abercrombie, and Shel-
don (2013) analysed the significance of hardware enabled trust for detecting security
threats. The study highlighted the compromises due to advanced persistent threats
(APT) and the needs of risk management as a continuous process for mitigation.
The authors suggested the use of the mechanism offered by PUFs ("Physically
Unclonable Functions"), which enable devices to exhibit unique behaviour to support
cryptographic operations.
Stochastic models (F5) are focused on modelling the uncertainties at various lev-
els of SGs. For example, a risk-limiting dispatch methodology was proposed by Wu,
Varaiya, and Hui (2015), as a stochastic approach that considers load and generation
as random variables. The approach was implemented in a layered "Smart Grid with
intelligent periphery architecture, known as smart GRIP". The risk in this context has
been seen as an uncertainty in the matching of load and generation, thereby causing
a mismatch in the net power balance. Stochastic models have also been proposed to
respond to the uncertainties in the electricity price in the market while predicting and
maximizing the profits of Smart Grids (Shen, Jiang, Liu, & Wang, 2016).
Network-based frameworks (F6) are based on the importance of power/IT net-
works in the context of SG. Overlay networks may form an essential component in
risk management frameworks such that electrical distribution networks can be man-
aged, monitored, and secured using wandering mobile agents (Dawes, Prosser, Fulp, &
McKinnon, 2013). Tesfay, Hubaux, Le Boudec, and Oechslin (2014) proposed a secure
cyber communication infrastructure for a reliable bi-directional flow of control signals
and sensor data between the diverse components of the power network.
System security model-based frameworks (F7) focus on security mechanisms. One
example is the framework proposed in Abercrombie, Sheldon, Hauser, Lantz, and Mili
(2013) that involves stakeholders, security requirements, threats and components of
the system to quantify security. Another framework is CPAC (Cyber-Physical Ac-
cess Control) that provides access control solutions to protect the Smart Grid that
can be seen as a complex cyber-physical system. The framework has been proposed
by Etigowni, Tian, Hernandez, Zonouz, and Butler (2016) to mitigate operational risks
and prevent insider attacks in Smart Grids by employing context-aware policies after
considering both physical and cyber elements of the grid together.
Category                                      Sample Frameworks
F1. Combined & Unified                        Dobaj (2018); Kalogridis et al. (2014); Kammerstetter et al. (2014)
F2. Simulation/modelling-based frameworks     Davis et al. (2015)
F3. Stakeholder-based frameworks              Rossebo et al. (2017)
F4. Hardware security-based frameworks        Duren et al. (2013)
F5. Stochastic-based frameworks               Shen et al. (2016); Wu et al. (2015)
F6. Networking-based frameworks               Dawes et al. (2013); Tesfay et al. (2014)
F7. System security model-based frameworks    Abercrombie et al. (2013); Etigowni et al. (2016)
Table 2. Main categories of SG Risk management frameworks
4.2. Key characteristics of SG risk management frameworks
There are various factors that enabled the reviewed frameworks to be effective at
assessing, evaluating, and mitigating risks. These factors can be seen as key charac-
teristics that enhance the security of Smart Grids and can be elaborated as follows:
(1) Unifying: the majority of studies have taken a unified approach for conducting
the process of security risk management in SGs. These studies have revealed the
significance of integrating security and privacy for both cyber and power domain
in Smart Grids (Habash, Groza, Krewski, & Paoli, 2013; Kalogridis et al., 2014).
The major advantage of using a unified approach is that it helps in the overall
reduction of risks by applying integrated risk assessment methodology to evaluate
diverse kinds of security, safety, and privacy threats. Furthermore, it also helps in
methodically addressing the emerging challenges due to the incorporation of ICT.
The unification is essential as privacy depends on security services like access
control and confidentiality (Habash, Groza, Krewski, & Paoli, 2013; Kalogridis
et al., 2014).
(2) Proactive: risk management frameworks that modeled and mapped the inter-
connections between the cyber and physical systems have easily identified the
vulnerable parts of the system and the critical paths, which in turn enabled
proactive management of threats (Davis et al., 2015). Furthermore, these frame-
works were able to provide more meaningful information to the system operators.
Some of the frameworks had a layered architecture and provided interoperabil-
ity (Wu et al., 2015) and integrated security into risk assessment to provide a
proactive approach for in-depth risk assessment (Dobaj, 2018).
(3) Flexible: the majority of SG risk management frameworks take a flexible ap-
proach for risk assessment, control, and mitigation of security risks in Smart
Grids by modeling it as a generic cyber-physical system. Hence, these frame-
works for Smart Grids can also be well applied to other cyber-physical systems
where power systems have a heavy dependency on ICT systems (Deng, Yue, Fu,
& Zhou, 2015; Etigowni et al., 2016; Ferragut, Laska, Czejdo, & Melin, 2013;
Kammerstetter et al., 2014).
(4) Anomaly detection based: anomaly detection forms a central component of
overall risk management in SGs. Energy grid systems are subject to long-period
as well as short-period effects such as cyber-communication and voltage
regulation. Anomaly detection is one of the key features of any effective risk
management framework that can deal with such changes (Ferragut et al., 2013).
(5) Stakeholders interdependencies: the framework introduced in Rossebo et
al. (2017) includes stakeholder inter-dependencies and risk propagation through
value chains for an effective risk assessment. The risk management framework
proposed in Abercrombie et al. (2013) enables the process owner to define and
include all the essential tasks of risk management. The framework recognizes
the system components, system requirements, threats, and stakeholders of the
system for effective threat management. Such frameworks take into account the
importance of stakeholders and users for proper management of SG risks.
5. Recommendations for Security Risk Management in SG
Based on the reviewed SG security requirements (section 3.2) and the reviewed SG
risk management frameworks (section 4), we derive a series of recommendations for
SG security risk management. The primary purpose of these recommendations is to
provide guidance to the organisations and personnel who are responsible for carrying
out risk management activities in SGs, which primarily include risk assessment, risk
monitoring, and risk control (Habash, Groza, Krewski, & Paoli, 2013; Ray et al.,
2010). The recommendations are divided into four major categories:
(1) Security Risk Assessment (SRA)
(2) Security Risk Control (SRC)
(3) Security Risk Management (SRM)
(4) Recommended Security Mechanisms (RSM)
5.1. Recommendations for SG Security Risk Assessment (SRA)
Risk assessment is one of the most critical components of a risk management frame-
work; it should be conducted to identify, analyse, and evaluate the potential threats
and vulnerabilities in SGs that can have an adverse impact on their operational per-
formance (Sridhar et al., 2012; Yadav & Mahajan, 2015). This process should be
performed methodically and on an ongoing basis rather than as a one-time activity.
Furthermore, depending upon the time frame, the complexity of the methodology,
and the criticality of the data, single or multiple approaches to risk assessment should
be considered (Stoneburner et al., 2002). Table 3 summarises the list of key activities
and methods recommended by the researchers to conduct the process of security risk
assessment in SGs.
(1) Defining the purpose and scope of risk assessment: before conducting
the process of risk assessment, organisations should define an explicit purpose
and scope with great specificity in order to obtain relevant information that can
facilitate sound decision making in managing risks in Smart Grids. Owing to the
complexity and convergence of heterogeneous networks in SGs, the scope of risk
assessment is very large. Hence, organisations should adopt proactive methods
and automated tools for gaining "system-related information" that can help in
categorising the system to define the exact scope of risk assessment (Stoneburner
et al., 2002).
(2) Conduct threat, vulnerability, and impact analysis: as Smart Grids are
vulnerable to multiple security threats, the organisations should adopt a holistic
approach to conduct threat, vulnerability, and impact analysis. Threat analy-
sis should primarily involve the identification of potential threat sources, threat
classification, and threat modeling (Mo et al., 2012; Ray et al., 2010; Rossebo
et al., 2017). While identifying the threat sources in Smart Grids, the major
focus should be laid on cybersecurity threats and advanced persistent threats
(APT) that can have a devastating impact on the operational reliability of the
grid (Duren et al., 2013; Pandey & Misra, 2016; Tesfay et al., 2014). Organisa-
tions should prepare threat catalogs to classify threats based on the key security
requirements of SGs (Kammerstetter et al., 2014). Furthermore, to correctly
model the dependencies between cyber and physical systems in Smart Grids,
organisations should develop cyber-physical threat models (Davis et al., 2015).
Vulnerability analysis can be quite complex in the context of Smart Grids
owing to a large number of vulnerabilities that can exist in both cyber and
power domain. Hence, organisations should make maximum use of automated
scanning tools to detect them for preparing vulnerability catalogues (Duren et
al., 2013; Stoneburner et al., 2002). Impact analysis enables the organisation to
measure the level of risk and should be conducted using qualitative and
quantitative approaches (Project Management Institute Inc, 2000; Stoneburner
et al., 2002; Victoria Y. Pillitteri, 2014). Impact matrices and impact assessment
reports can be used for this purpose to determine the magnitude of impact (Abercrombie
et al., 2013; Ross, 2011; Victoria Y. Pillitteri, 2014). More particularly for SGs,
privacy impact assessment (PIA) should be carried out to evaluate the potential
privacy risks associated with users and utility data (Stoneburner et al., 2002;
Victoria Y. Pillitteri, 2014).
(3) Development of a risk model: the diversity in risk factors and the many-to-
many relationships between them necessitate systematic modeling of threats and
vulnerabilities in SGs (Ross, 2011). Organisations may develop multiple risk
models as a single model may not accommodate all security risk factors. Fur-
thermore, risk models should be of limited complexity, thereby enabling effective decision
making and "computationally tractable analysis" (Kammerstetter et al., 2014;
Li, Aung, Williams, & Sanchez, 2014).
(4) Selection of an assessment approach for risk determination: organisa-
tions should adopt the combination of both qualitative and quantitative ap-
proaches for determination of overall risk (Project Management Institute Inc,
2000; Ross, 2011; Victoria Y. Pillitteri, 2014). Risk scales and risk matrix can
be used to determine the risk level and its overall impact on the critical assets of
SGs (Abercrombie et al., 2013; Kammerstetter et al., 2014; Stoneburner et al.,
2002).
(5) Continuous monitoring and updating of security risk assessment: secu-
rity risk assessment in SGs is highly recommended to be adopted as a continuous
process that entails the monitoring of ever-changing risk factors and the update
of risk assessment (Victoria Y. Pillitteri, 2014).
(6) Communication and documentation of risks: SGs have a large number of
stakeholders, so that communication and documentation of risks is the most
vital component of any risk assessment framework (Ray et al., 2010; Sridhar
et al., 2012). Organisations should prepare risk assessment reports that can be
referred to by the risk management team.
Security Risk Assessment (SRA) Tasks                          Recommended activities
SRA 1  Defining the purpose and scope of risk assessment      • Proactive and automated tools
SRA 2  Conduct threat, vulnerability, and impact analysis     • Threat profiles and models
                                                              • Security advisories
                                                              • Vulnerability catalogues
                                                              • Vulnerability scanning tools
                                                              • Impact matrix
                                                              • Impact assessment reports
SRA 3  Development of a risk model                            • Probabilistic models
                                                              • Attack tree models
                                                              • Intrusion detection models
                                                              • State estimation models
                                                              • Risk taxonomy
SRA 4  Risk determination                                     • Risk matrix and risk scales
                                                              • Graph-theoretic approaches
                                                              • Stochastic approaches
                                                              • System-theoretic approaches
SRA 5  Continuous monitoring and update of risk assessment    • Periodic risk assessment
SRA 6  Communication and documentation of risks               • Risk assessment reports
                                                              • Risk registers
Table 3. Recommendations for security risk assessment (SRA)
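The risk determination and documentation steps above (SRA 4 and SRA 6), carried through on a constructed register as an added example; this is not code from the article or from any cited framework. It implements a risk matrix over ordinal likelihood and impact scales, ranks the register for the prioritisation step of section 5.2, and renders the ranked entries as an assessment report. The scale labels, the band thresholds, the register entries and the owners are constructed assumptions.

```python
"""Risk determination with a risk matrix and a risk register.

Added example, not code from the article or any cited framework.
Scales, band thresholds and register entries are constructed assumptions.
"""
from dataclasses import dataclass, field

# Ordinal 1-5 scales, as used in qualitative risk matrices (constructed labels)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def risk_level(likelihood: int, impact: int) -> str:
    """Risk matrix: map likelihood x impact onto a qualitative band.

    The thresholds (12 and 6) are a constructed example; an organisation
    calibrates them to its own risk appetite.
    """
    score = likelihood * impact
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


@dataclass
class RiskEntry:
    """One row of the risk register (SRA 6)."""
    risk_id: str
    domain: str          # SG domain the affected asset belongs to
    threat: str
    likelihood: str      # key into LIKELIHOOD
    impact: str          # key into IMPACT
    owner: str           # who is accountable for treating the risk
    controls: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        return risk_level(LIKELIHOOD[self.likelihood], IMPACT[self.impact])


def rank_register(register):
    """Risk ranking for prioritisation: highest score first, ties broken by
    impact so a rare but severe risk is not buried behind frequent nuisances."""
    return sorted(register, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def summarize(register):
    """Count register entries per risk band, for the assessment report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for entry in register:
        counts[entry.level] += 1
    return counts


def report_lines(register):
    """Render the ranked register as the risk assessment report."""
    lines = [f"{'ID':<6}{'Level':<8}{'Score':<6}{'Domain':<14}Threat (owner)"]
    for r in rank_register(register):
        lines.append(f"{r.risk_id:<6}{r.level:<8}{r.score:<6}{r.domain:<14}{r.threat} ({r.owner})")
    return lines


# Constructed register entries for a fictitious utility
REGISTER = [
    RiskEntry("R-01", "customer", "Smart meter firmware tampering", "possible", "moderate", "AMI team"),
    RiskEntry("R-02", "transmission", "Manipulation of switching device state", "unlikely", "severe", "OT security"),
    RiskEntry("R-03", "IT", "Eavesdropping on meter-to-utility link", "likely", "moderate", "Network team"),
    RiskEntry("R-04", "distribution", "False data injection into AMI head-end", "possible", "major", "AMI team"),
    RiskEntry("R-05", "customer", "Theft of a single smart meter", "rare", "minor", "Field operations"),
]

if __name__ == "__main__":
    print("\n".join(report_lines(REGISTER)))
    print(summarize(REGISTER))
```

Running the script prints the ranked report; the tie between R-03 and R-04 is resolved in favour of the higher-impact entry, which is the behaviour a prioritisation step wants when two risks score alike.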
5.2. Recommendations for SG security risk control (SRC)
Once the security risks in SGs are correctly identified and assessed, the next major
step towards risk management is to control and mitigate them. Organisations should
identify, analyse, and evaluate security controls that can be implemented for miti-
gating security risks in Smart Grids. Table 4 summarises the list of key activities and
techniques recommended to conduct the process of security risk control and mitigation.
(1) Prioritisation of identified security risks: it is highly impractical to control
and mitigate all risks in SGs; therefore, the first task for the risk management
team is to prioritise the risks based on risk assessment report. Risk ranking
should be done considering the risk and its overall impact on the security of
SGs.
(2) Identification of security controls: organisations should identify the security
controls for operational and information security in Smart Grids. Identification
of the security controls should be done based on their detection, prevention, and
reaction capabilities to mitigate the risks, threats, and vulnerabilities in SGs.
The detection mechanisms should broadly focus on detection of threats such
as anomalies, intrusion, and malware. The prevention mechanisms should be
more oriented towards the protection of the grid from diverse kinds of malicious
attacks such as tampering of field devices, modification of critical data, state
manipulation, and false data injection. Finally, reaction/recovery mechanisms
should enable the SG components to resume after the risk has manifested.
(3) Categorisation of security controls: keeping complexity and vastness of
Smart Grids in mind, the identified security controls can be categorised in the
following domains:
(a) Physical security controls: this category encompasses security control
mechanisms that can mitigate physical threats. Physical security controls
should focus on the protection of far-field embedded devices such as smart
meters and intelligent electronic devices (IED) that are prone to theft, tam-
pering, and malware injection.
(b) Operational Technology (OT) security controls: this category encom-
passes security control mechanisms that can mitigate threats to the gen-
eration, transmission, distribution, and consumer domain of SGs. Security
controls for generation domain must ascertain protection of voltage regu-
lators against bad data injection. In the transmission domain, the security
mechanisms should ensure the protection of switching devices against ma-
nipulation of their state. In the distribution domain, the security controls
should ensure the protection to advanced metering infrastructure (AMI)
components that are predominantly wireless (Sridhar et al., 2012). Finally,
in the consumer domain, the security mechanisms should control and mit-
igate the risks associated with demand-side management.
(c) Information Technology (IT) security controls: broadly, this cate-
gory encompasses security control mechanisms that ascertain information
security, communication security, network security, and infrastructure secu-
rity. Some of the recommended security controls/mechanisms for the above
categories have been presented in section 5.4.
(4) Formulation of a risk mitigation strategy: while formulating a risk miti-
gation strategy, organisations must identify and evaluate various risk mitigation
options such as risk acceptance, risk avoidance, risk transfer, and risk insurance
after doing a cost-benefit analysis (Project Management Institute Inc, 2000; Ray
et al., 2010; Stoneburner et al., 2002). The designed strategy must facilitate the
team to make a correct decision about exercising the appropriate risk mitigation
option and implementing effective security control depending upon the severity
of the risk.
(5) Implementation of a risk mitigation strategy: organisations should imple-
ment the formulated risk mitigation strategy depending upon the risk scenario.
This should primarily involve exercising the chosen risk mitigation option and
implementing appropriate security controls. Organisations should make key
risk management professionals responsible for implementing the risk mitigation
techniques by allocating the necessary resources to them.
(6) Continuous evaluation of security controls: organisations should continu-
ously evaluate the existing security controls to determine their effectiveness and
applicability with changing risk scenarios in SGs. Periodic security audits are
recommended methods to evaluate shortcomings in security controls pertaining
to the physical, operational, and IT domains of SGs.
Security Risk Control (SRC) Tasks                   Recommended activities
SRC 1  Prioritisation of identified security risks  • Risk ranking
SRC 2  Identification of security controls          • Detection mechanisms
                                                    • Prevention mechanisms
                                                    • Reaction mechanisms
SRC 3  Categorisation of security controls          • Physical controls
                                                    • Operational technology controls
                                                    • Information technology controls
SRC 4  Formulation of risk mitigation strategy      • Cost-benefit analysis
                                                    • Formulation of security policies
SRC 5  Implementation of risk mitigation strategy   • Assignment of responsibilities
                                                    • Allocation of resources
                                                    • Exercising risk mitigation option
                                                    • Implementation of security controls
SRC 6  Continuous evaluation of risk mitigation     • Periodic security audits
       strategy
Table 4. Recommendations for security risk control (SRC)
5.3. Recommendations for development of security risk management
(SRM) frameworks
This section focuses on the key points that should be taken into account while developing
security risk management (SRM) frameworks for SGs. Table 5 summarises the key
points.
(1) Adoption of a unified approach for addressing safety, security, and
privacy risks: Cyber-physical systems have a complex infrastructure which in-
tegrates a variety of independent sub-systems in order to introduce new business
models. Traditional approaches that implement layered security concepts can-
not be applied to such complex systems. Hence, while developing a security risk
management framework, a unified approach should be considered for holistic
management of safety, security, and privacy risks in complex critical infrastruc-
tures like SGs (Dobaj, 2018; Habash, Groza, Krewski, & Paoli, 2013; Kalogridis
et al., 2014). Furthermore, unified approaches that address both intra-domain
security measures and system-level threats are recommended to address the secu-
rity requirements of the systems and the various stakeholders. These approaches
help in streamlining security compliance and enable the effective utilisation of
the entire solution space.
(2) Systematic mapping of cyber-physical interdependencies: while develop-
ing security risk management frameworks, due consideration should be given to
the capabilities of the framework to capture the interactions and interdependen-
cies between cyber and physical networks of SGs. This facilitates a systematic
and integrated evaluation, assessment, and mitigation of overall system security
risks (Davis et al., 2015; Deng et al., 2015; Kammerstetter et al., 2014).
(3) Designing of architecture-based frameworks: generic risk management
frameworks that focus only on ICT are not applicable to SGs owing to
the complex architecture and stringent security requirements. Hence, security
risk management frameworks should be developed keeping the overall architecture
of SGs in view, primarily entailing legacy industrial control systems and
state-of-the-art information technology systems (Ray et al., 2010).
(4) Conduct of Compliance check: SG security risk management frameworks
must include a compliance checking phase in the process model to ensure that
all the components in the system adhere to the latest risk mitigation strategies.
Furthermore, it is important that all the components are subjected to
compliance checking tools, otherwise a vulnerability in a single component can
compromise the security of the entire system (Kammerstetter et al., 2014).
Security Risk Management (SRM) Tasks         Recommended methods
SRM 1  Adoption of unified approach          • Integrated frameworks
SRM 2  Systematic mapping                    • Cyber-physical models
SRM 3  Architecture-based designing          • Smart grid architecture model
                                             • NIST reference model
SRM 4  Conduct of compliance check           • Automated tools
Table 5. Recommendations for security risk management (SRM)
5.4. Recommended SG Security Mechanisms (RSM)
This section primarily focuses on the recommended security mechanisms (RSM) that
can be adopted by the organisations while implementing security risk management
frameworks in SGs. This is a very broad area, so the guidelines cover a subset of all
possible mechanisms. Table 6 summarises the security mechanisms discussed in the
current section.
(1) Integrated security of field devices: Smart Grids have a plethora of intel-
ligent electronic devices (IED) that are deployed on a large scale and prone to
multiple security threats such as tampering, injection of malware, and firmware
vulnerabilities. Cost-effective security solutions that provide tamper resistance,
protection of cryptographic keys, and protection against manipulation of data are
therefore highly recommended. Remote code attestation is one of the rec-
ommended security controls that can be used to enhance the protection of such
field devices against the injection of malware (Enose, 2014; Mo et al., 2012; Srid-
har et al., 2012). Furthermore, the use of a trusted platform module (TPM) for
the security of cryptographic keys in smart meters is highly recommended to
mitigate the risk of unauthorised access (Tesfay et al., 2014).
(2) Secure access control: although discretionary access control (DAC) and
mandatory access control (MAC) can be used for conventional IT systems, these
mechanisms may not be a viable solution for SGs as they cannot model interde-
pendencies between cyber and physical components. Further, these mechanisms
are not resistant to operator mistakes and insider attacks. Hence, context-aware
access control policies may be used that have the capability to track information
flow, detect events, and inhibit operations that can leak sensitive data
(Etigowni et al., 2016). In addition, role-based access control (RBAC) mecha-
nisms can also be used to avoid complexities in managing big data from the
numerous stakeholders in SGs (Enose, 2014; Victoria Y. Pillitteri, 2014).
(3) Robust and secure communication protocols: secure communication pro-
tocols that guarantee end-to-end security are highly desirable for SGs. Although
SSL/TLS serve the purpose for conventional IT systems, they are not a viable
solution for SGs due to their large bandwidth overhead and high latency (Mo
et al., 2012; Ray et al., 2010; Sridhar et al., 2012). Use of lightweight secure
communication protocols compatible with legacy industrial protocols should be
employed in SGs.
(4) Secure authentication mechanisms: the identification and implementation
of secure authentication mechanisms in SGs have been found to be among the most
challenging tasks due to the numerous intelligent devices interacting in real-time in the
grid. Use of centralised authentication, authorisation, and accounting (AAA)
may be seen as one of the recommended solutions (Li et al., 2014). Further-
more, the combination of network access authentication and two-factor authen-
tication may also be used for secure authentication in AMI networks (Victoria
Y. Pillitteri, 2014).
(5) Efficient cryptographic key management: SGs are composed of millions of
devices sharing critical information using diverse communication protocols and
technologies. Highly efficient and cost-effective key management schemes that
can be employed over large-scale are necessary (Enose, 2014). Hence, conven-
tional key management schemes such as public key infrastructure (PKI) do not
seem to be the most viable solution for SGs. Group key management, where a
central server is responsible for generation, distribution, and revocation of keys
can be adopted as one of the recommended methods for scalable key manage-
ment for SGs (George, Nithin, & Kottayil, 2016). Furthermore, identity-based
encryption (IBE) that eliminates the need for key distribution and key revoca-
tion may be a suitable option for effective key management for SGs (Victoria
Y. Pillitteri, 2014). Another option is attribute-based encryption (ABE) that
eliminates the need for a trusted third party for distribution of keys (Tesfay et
al., 2014; Victoria Y. Pillitteri, 2014). Finally, mechanisms in which the secret
key is not exchanged over the network may be considered as the most effective
solution for SGs as they mitigate the risk of key compromise (George et al.,
2016; T. Liu et al., 2014).
(6) Event logging and monitoring for intrusion detection: SG systems are
highly susceptible to anomalies and intrusion by both inside and outside attack-
ers (Jow, Xiao, & Han, 2017). Hence, security mechanisms that enable event
logging, monitoring, and investigation of critical events are of utmost impor-
tance. One of the approaches that can be applied for the in-depth investigation
is an analysis of system logs to detect anomalies (Sridhar et al., 2012). Log-based
and network-based intrusion detection, which collect data from network de-
vices and continuously monitor network traffic, may also be applied as security
mechanisms for SGs (Tesfay et al., 2014). Furthermore, anomaly-based intrusion
detection mechanisms seem to be a viable option due to their flexibility and com-
putational complexity (El-Alfy & Al-Obeidat, 2014; Rossi, Chren, Buhnova, &
Pitner, 2016).
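As an added example for the log-based and anomaly-based detection mechanisms of item (6), not code from the article or any cited work, the following Python script runs three detection rules over constructed AMI head-end log lines: a burst of failed logins from one source, a burst of remote-disconnect commands, and a firmware update pushed from a host outside an allowlist. The log format, host names, addresses, event names, the allowlist and the thresholds are all constructed assumptions.

```python
"""Log-based intrusion detection over AMI head-end events.

Added example, not code from the article or any cited work. The log lines,
field names, hosts, addresses and thresholds are constructed for the
example. Three rules run over the parsed events: a burst of failed logins
from one source, a burst of remote-disconnect commands, and a firmware
update pushed from a source outside the allowlist.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (key=value format, UTC timestamps)
SAMPLE_LOG = """\
2019-03-01T02:14:05Z host=ami-headend event=AUTH_FAIL src=10.20.1.7 user=operator
2019-03-01T02:14:09Z host=ami-headend event=AUTH_FAIL src=10.20.1.7 user=operator
2019-03-01T02:14:12Z host=ami-headend event=AUTH_FAIL src=10.20.1.7 user=admin
2019-03-01T02:14:20Z host=ami-headend event=AUTH_OK src=10.20.1.7 user=admin
2019-03-01T02:15:01Z host=ami-headend event=REMOTE_DISCONNECT src=10.20.1.7 meter=MTR-0417
2019-03-01T02:15:03Z host=ami-headend event=REMOTE_DISCONNECT src=10.20.1.7 meter=MTR-0418
2019-03-01T02:15:06Z host=ami-headend event=REMOTE_DISCONNECT src=10.20.1.7 meter=MTR-0419
2019-03-01T02:15:08Z host=ami-headend event=REMOTE_DISCONNECT src=10.20.1.7 meter=MTR-0420
2019-03-01T09:30:00Z host=ami-headend event=FIRMWARE_UPDATE src=10.20.5.2 meter=MTR-0100
2019-03-01T09:31:00Z host=ami-headend event=AUTH_FAIL src=10.20.5.9 user=jdoe
2019-03-01T23:10:00Z host=ami-headend event=FIRMWARE_UPDATE src=10.20.1.7 meter=MTR-0501
"""

# Constructed allowlist: the only host permitted to push firmware to meters
FIRMWARE_SOURCES = {"10.20.5.2"}


def parse_line(line: str) -> dict:
    """Split a 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def _window_hit(window: deque, ts, span: timedelta, threshold: int) -> bool:
    """Sliding-window counter; True exactly when the count reaches threshold,
    so one burst yields one alert rather than one per additional event."""
    window.append(ts)
    while ts - window[0] > span:
        window.popleft()
    return len(window) == threshold


def detect(log_text: str, firmware_sources=FIRMWARE_SOURCES,
           fail_threshold=3, fail_span=timedelta(seconds=60),
           disc_threshold=3, disc_span=timedelta(minutes=5)) -> list:
    """Run the three rules over the log and return the alerts in log order."""
    alerts = []
    fails = defaultdict(deque)   # src -> recent AUTH_FAIL timestamps
    disconnects = deque()        # recent REMOTE_DISCONNECT timestamps, grid-wide
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts, src, kind = ev["ts"], ev.get("src"), ev.get("event")
        if kind == "AUTH_FAIL" and _window_hit(fails[src], ts, fail_span, fail_threshold):
            alerts.append({"rule": "auth_fail_burst", "ts": ts, "src": src,
                           "detail": f"{fail_threshold} failed logins within {fail_span}"})
        elif kind == "REMOTE_DISCONNECT" and _window_hit(disconnects, ts, disc_span, disc_threshold):
            alerts.append({"rule": "mass_remote_disconnect", "ts": ts, "src": src,
                           "detail": f"{disc_threshold} disconnect commands within {disc_span}"})
        elif kind == "FIRMWARE_UPDATE" and src not in firmware_sources:
            alerts.append({"rule": "firmware_update_untrusted_source", "ts": ts, "src": src,
                           "detail": f"firmware push to {ev.get('meter')} from non-allowlisted host"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['rule']:<34} src={a['src']} {a['detail']}")
```

The three alerts share a source address, which is the kind of correlation a subsequent investigation would pivot on; the window sizes and thresholds are parameters because legitimate maintenance can also produce bursts of disconnect commands, and they need tuning per deployment.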
Recommended Security Mechanisms (RSM)   Recommended methods
RSM 1  Device security                  • Remote code attestation
                                        • Trusted platform module (TPM)
RSM 2  Secure access control            • Context-aware policies
                                        • Role-based access control (RBAC)
RSM 3  Secure communication             • Light-weight protocols
RSM 4  Secure authentication            • Centralised authentication server
                                        • Network access authentication
                                        • Two-factor authentication
RSM 5  Efficient key management         • Group key management
                                        • Identity-based encryption (IBE)
                                        • Attribute-based encryption (ABE)
RSM 6  Intrusion detection              • Log-based intrusion detection
                                        • Network-based intrusion detection
                                        • Anomaly-based intrusion detection
                                        • Intrusion tolerant systems
Table 6. Recommended security mechanisms (RSM)
6. Conclusions
Smart Grids represent a paradigm shift over the traditional power grids. However, the benefits provided by SGs in terms of improved reliability, availability, and sustainability of the provided services come with a higher level of complexity, and such complexity brings more challenging security threats that need to be addressed.
In this article, we have discussed SG risk management frameworks with the goal of reviewing the characteristics of common frameworks in the area and of providing security recommendations for proper security risk management. The proposed recommendations cover several aspects of the overall process, from security risk assessment, control, and management to the adoption of security mechanisms.
According to SGAM and NIST suggestions, the multiple layers and domains of the SG need to be taken into account, so that a holistic view is necessary to accurately predict, manage, and mitigate the risks involved in the complex cyber-physical infrastructure. To address the multiple facets of SG security, the best approach is a unified view that takes into account safety, security, and privacy risks in such a complex critical infrastructure. The analysis of the stakeholders involved and of multiple points of view is suggested. The proposed recommendations cover traditional risk management activities, such as the definition of the purpose and scope of the risk assessment, the development of risk models, and the definition of threats and impact analysis. These aspects should take into account the peculiarities of the SG infrastructural architecture, which involves several communication layers with many interactions, protocols, and devices, together with the definition of recommended security mechanisms such as integrated security for field devices, secure access control, and secure communication protocols. All these are still open research areas due to the SG peculiarities.
Funding
The research was supported by the ERDF/ESF project "CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence" (No. CZ.02.1.01/0.0/0.0/16_019/0000822).
References
Abercrombie, R. K., Sheldon, F. T., Hauser, K. R., Lantz, M. W., & Mili, A. (2013). Failure impact analysis of key management in AMI using cybernomic situational assessment (CSA). In Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop (pp. 19:1–19:4). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/2459976.2459998
Anderson, D., Zhao, C., Hauser, C., Venkatasubramanian, V., Bakken, D., & Bose, A. (2012). "Intelligent design" real-time simulation for smart grid control and communications design. IEEE Power and Energy Magazine, 10(1), 49–57.
Boehm, B. W. (1991). Software risk management: principles and practices. IEEE Software, 8(1), 32–41.
Bruinenberg, J., et al. (2012, November). Smart grid reference architecture. CEN, CENELEC, ETSI, Tech. Rep.
Caputo, F., Buhnova, B., & Walletzký, L. (2018). Investigating the role of smartness for sustainability: insights from the smart grid domain. Sustainability Science, 1–11.
Chapman, C. (1997). Project risk analysis and management – PRAM the generic process. International Journal of Project Management, 15(5), 273–281. Retrieved from http://linkinghub.elsevier.com/retrieve/pii/S0263786396000798
Chapman, C., & Ward, S. (2003). Project Risk Management: Processes, Techniques and Insights. Wiley.
Chong, Y. Y., & Brown, E. M. (2000). Managing project risk: Business risk management for project leaders. Financial Times.
Chren, S., Rossi, B., Buhnova, B., & Pitner, T. (2018, May). Reliability data for smart grids: Where the real data can be found. In 2018 Smart City Symposium Prague (SCSP) (pp. 1–6).
Chren, S., Rossi, B., & Pitner, T. (2016, May). Smart grids deployments within EU projects: The role of smart meters. In 2016 Smart Cities Symposium Prague (SCSP) (pp. 1–5).
Davis, K. R., Davis, C. M., Zonouz, S. A., Bobba, R. B., Berthier, R., Garcia, L., & Sauer, P. W. (2015, September). A cyber-physical modeling and assessment framework for power grid infrastructures. IEEE Transactions on Smart Grid, 6(5), 2464–2475.
Dawes, N., Prosser, B., Fulp, E. W., & McKinnon, A. D. (2013). Using mobile agents and overlay networks to secure electrical networks. In Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop (pp. 32:1–32:4). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/2459976.2460012
Deng, S., Yue, D., Fu, X., & Zhou, A. (2015, October). Security risk assessment of cyber physical power system based on rough set and gene expression programming. IEEE/CAA Journal of Automatica Sinica, 2(4), 431–439.
Dobaj, J. (2018). Inspira: Integrating security into risk assessment: Doctoral project paper. In Proceedings of the 13th International Conference on Software Engineering for Adaptive and Self-Managing Systems (pp. 183–187). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/3194133.3194159
Duren, M., Aldridge, H., Abercrombie, R. K., & Sheldon, F. T. (2013). Designing and operating through compromise: Architectural analysis of CKMS for the advanced metering infrastructure. In Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop (pp. 48:1–48:3). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/2459976.2460031
El-Alfy, E.-S. M., & Al-Obeidat, F. N. (2014). A multicriterion fuzzy classification method with greedy attribute selection for anomaly-based intrusion detection. Procedia Computer Science, 34, 55–62. Retrieved from http://www.sciencedirect.com/science/article/pii/S1877050914008928 (The 9th International Conference on Future Networks and Communications (FNC'14) / The 11th International Conference on Mobile Systems and Pervasive Computing (MobiSPC'14) / Affiliated Workshops)
Elyengui, S., Bouhouchi, R., & Ezzedine, T. (2013). The Enhancement of Communication Technologies and Networks for Smart Grid Applications. International Journal of Emerging Trends & Technology in Computer Science, 2(6), 107–115.
IEEE Software Engineering Standards Committee. (2001). IEEE Standard for Software Life Cycle Processes – Risk Management. IEEE Std 1540-2001, 1–30.
Enose, N. (2014, September). Implementing an integrated security management framework to ensure a secure smart grid. In 2014 International Conference on Advances in Computing, Communications and Informatics (ICACCI) (pp. 778–784). IEEE. Retrieved from http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=6968521
Etigowni, S., Tian, D. J., Hernandez, G., Zonouz, S., & Butler, K. (2016). CPAC: Securing critical infrastructure with cyber-physical access control. In Proceedings of the 32nd Annual Conference on Computer Security Applications (pp. 139–152). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/2991079.2991126
Farhangi, H. (2010). The path of the smart grid. IEEE Power and Energy Magazine, 8(1), 18–28.
Ferragut, E. M., Laska, J., Czejdo, B., & Melin, A. (2013). Addressing the challenges of anomaly detection for cyber physical energy grid systems. In Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop (pp. 3:1–3:4). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/2459976.2459980
Gai, K., Qiu, M., & Elnagdy, S. A. (2016). A novel secure big data cyber incident analytics framework for cloud-based cybersecurity insurance. In 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS) (pp. 171–176).
George, N., Nithin, S., & Kottayil, S. K. (2016). Hybrid key management scheme for secure AMI communications. Procedia Computer Science, 93, 862–869. Retrieved from http://www.sciencedirect.com/science/article/pii/S1877050916315046 (Proceedings of the 6th International Conference on Advances in Computing and Communications)
Goel, S., Hong, Y., Papakonstantinou, V., & Kloza, D. (2015). Smart grid security. Springer.
Habash, R. W. Y., Groza, V., & Burr, K. (2013). Risk Management Framework for the Power Grid Cyber-Physical Security. British Journal of Applied Science & Technology, 3(4), 1070–1085.
Habash, R. W. Y., Groza, V., Krewski, D., & Paoli, G. (2013, August). A risk assessment framework for the smart grid. In 2013 IEEE Electrical Power & Energy Conference (pp. 1–6).
Han, W. M., & Huang, S. J. (2007). An empirical analysis of risk components and performance on software projects. Journal of Systems and Software, 80(1), 42–50.
Hossain, E., Han, Z., & Poor, H. V. (2012). Smart grid communications and networking. Cambridge University Press.
Jokar, P., Arianpoo, N., & Leung, V. C. M. (2012). A survey on security issues in smart grids. Security and Communication Networks, 9(3), 262–273. Retrieved from http://doi.wiley.com/10.1002/sec.559
Jow, J., Xiao, Y., & Han, W. (2017). A survey of intrusion detection systems in smart grid. International Journal of Sensor Networks, 23(3), 170–186.
Kalogridis, G., Sooriyabandara, M., Fan, Z., & Mustafa, M. A. (2014, June). Toward unified security and privacy protection for smart meter networks. IEEE Systems Journal, 8, 641–654.
Kammerstetter, M., Langer, L., Skopik, F., & Kastner, W. (2014). Architecture-driven smart grid security management. In Proceedings of the 2nd ACM Workshop on Information Hiding and Multimedia Security (pp. 153–158). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/2600918.2600937
Komninos, N., Philippou, E., & Pitsillides, A. (2014). Survey in smart grid and smart home security: Issues, challenges and countermeasures. IEEE Communications Surveys & Tutorials, 16(4), 1933–1954.
Kučera, A., & Pitner, T. (2013). Intelligent facility management for sustainability and risk management. In International Symposium on Environmental Software Systems (pp. 608–617).
Kwak, Y. H., & Stoddard, J. (2004). Project risk management: lessons learned from software development environment. Technovation, 24(11), 915–920.
Li, D., Aung, Z., Williams, J., & Sanchez, A. (2014, October). P3: Privacy preservation protocol for automatic appliance control application in smart grid. IEEE Internet of Things Journal, 1(5), 414–429.
Liu, J., Xiao, Y., Li, S., Liang, W., & Chen, C. P. (2012). Cyber security and privacy issues in smart grids. IEEE Communications Surveys & Tutorials, 14(4), 981–997.
Liu, T., Gui, Y., Sun, Y., Liu, Y., Sun, Y., & Xiao, F. (2014). SEDE: State estimation-based dynamic encryption scheme for smart grid communication. In Proceedings of the 29th Annual ACM Symposium on Applied Computing (pp. 539–544). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/2554850.2555033
Metke, A. R., & Ekl, R. L. (2010). Security technology for smart grid networks. IEEE Transactions on Smart Grid, 1(1), 99–107.
Mo, Y., Kim, T. H., Brancik, K., Dickinson, D., Lee, H., Perrig, A., & Sinopoli, B. (2012, January). Cyber-physical security of a smart grid infrastructure. Proceedings of the IEEE, 100(1), 195–209.
Moslehi, K., & Kumar, R. (2010). A reliability perspective of the smart grid. IEEE Transactions on Smart Grid, 1(1), 57–64.
Moura, P. S., López, G. L., Moreno, J. I., & De Almeida, A. T. (2013). The role of smart grids to foster energy efficiency. Energy Efficiency, 6(4), 621–639.
NIST. (2012). NIST Framework and Roadmap for Smart Grid Interoperability Standards. NIST Special Publication 1108R2, 1–90. Retrieved from http://www.nist.gov/smartgrid/upload/NIST_Framework_Release_2-0_corr.pdf
Pandey, R. K., & Misra, M. (2016). Cyber security threats – Smart grid infrastructure. In 2016 National Power Systems Conference (NPSC) (pp. 1–6). Retrieved from http://ieeexplore.ieee.org/document/7858950/
Project Management Institute Inc. (2000). A guide to the project management body of knowledge (PMBOK® guide). Project Management Institute.
Ray, P. D., Harnoor, R., & Hentea, M. (2010). Smart power grid security: A unified risk management approach. In 44th Annual 2010 IEEE International Carnahan Conference on Security Technology (pp. 276–285). Retrieved from http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5678681
Rejda, G. E. (2011). Principles of risk management and insurance. Pearson Education India.
Ross, R. S. (2011). Managing information security risk: Organization, mission, and information system view. NIST Special Publication 800-39 (March).
Rossebo, J. E. Y., Wolthuis, R., Fransen, F., Björkman, G., & Medeiros, N. (2017, April). An enhanced risk-assessment methodology for smart grids. Computer, 50(4), 62–71.
Rossi, B., Chren, S., Buhnova, B., & Pitner, T. (2016). Anomaly detection in smart grid data: An experience report. In 2016 IEEE International Conference on Systems, Man, and Cybernetics (SMC) (pp. 2313–2318).
Sajjadi, M., & Niknia, B. (2013, June). Smart power grid security services: Risk management approach considering both OT and IT domains, case study: Shiraz power distribution company. In 22nd International Conference and Exhibition on Electricity Distribution (CIRED 2013) (pp. 1–4).
Schvarcbacher, M., Hrabovská, K., Rossi, B., & Pitner, T. (2018). Smart grid testing management platform (SGTMP). Applied Sciences, 8(11), 2278.
Schvarcbacher, M., & Rossi, B. (2017). Smart grids co-simulations with low-cost hardware. In 2017 43rd Euromicro Conference on Software Engineering and Advanced Applications (SEAA) (pp. 252–255).
Shen, J., Jiang, C., Liu, Y., & Wang, X. (2016). A microgrid energy management system and risk management under an electricity market environment. IEEE Access, 4, 2349–2356.
Song, W.-Z., De, D., Tan, S., Das, S. K., & Tong, L. (2012). A wireless smart grid testbed in lab. IEEE Wireless Communications, 19(3).
Sridhar, S., Hahn, A., & Govindarasu, M. (2012, January). Cyber-physical system security for the electric power grid. Proceedings of the IEEE, 100(1), 210–224.
Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems: Recommendations of the National Institute of Standards and Technology. (Retrieved November 25, 2009.)
Tesfay, T. T., Hubaux, J.-P., Le Boudec, J.-Y., & Oechslin, P. (2014). Cyber-secure communication architecture for active power distribution networks. In Proceedings of the 29th Annual ACM Symposium on Applied Computing (pp. 545–552). New York, NY, USA: ACM. Retrieved from http://doi.acm.org/10.1145/2554850.2555082
Victoria Y. Pillitteri, T. L. B. (2014). Guidelines for smart grid cybersecurity (NISTIR 7628 Rev. 1). National Institute of Standards and Technology. Retrieved from http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7628r1.pdf
Wang, W., & Lu, Z. (2013). Cyber security in the Smart Grid: Survey and challenges. Computer Networks, 57(5), 1344–1371.
Ward, S. C., & Chapman, C. B. (1995). Risk-management perspective on the project lifecycle. International Journal of Project Management, 13(3), 145–149.
Westland, J. (2007). The project management life cycle: A complete step-by-step methodology for initiating, planning, executing & closing a project successf. Kogan Page Publishers.
Wu, F. F., Varaiya, P. P., & Hui, R. S. (2015). Smart grids with intelligent periphery: An architecture for the energy internet. Engineering, 1(4), 436–446. Retrieved from http://www.sciencedirect.com/science/article/pii/S2095809916300248
Yadav, D., & Mahajan, A. R. (2015). Smart Grid Cyber Security and Risk Assessment: An Overview. International Journal of Science, Engineering and Technology Research (IJSETR), 4(9), 3078–3085.
Yan, Y., Qian, Y., Sharif, H., & Tipper, D. (2012, Fourth Quarter). A survey on cyber security for smart grid communications. IEEE Communications Surveys & Tutorials, 14(4), 998–1010.