Continuous quantitative risk management in smart grids using attack defense trees

Erkuden Rios*, Angel Rego, Eider Iturbe, Marivi Higuero, Xabier Larrucea

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

19 Citations (Scopus)
1 Downloads (Pure)

Abstract

Although the risk assessment discipline has been studied from long ago as a means to support security investment decision-making, no holistic approach exists to continuously and quantitatively analyze cyber risks in scenarios where attacks and defenses may target different parts of Internet of Things (IoT)-based smart grid systems. In this paper, we propose a comprehensive methodology that enables informed decisions on security protection for smart grid systems by the continuous assessment of cyber risks. The solution is based on the use of attack defense trees modelled on the system and computation of the proposed risk attributes that enables an assessment of the system risks by propagating the risk attributes in the tree nodes. The method allows system risk sensitivity analyses to be performed with respect to different attack and defense scenarios, and optimizes security strategies with respect to risk minimization. The methodology proposes the use of standard security and privacy defense taxonomies from internationally recognized security control families, such as the NIST SP 800-53, which facilitates security certifications. Finally, the paper describes the validation of the methodology carried out in a real smart building energy efficiency application that combines multiple components deployed in cloud and IoT resources. The scenario demonstrates the feasibility of the method to not only perform initial quantitative estimations of system risks but also to continuously keep the risk assessment up to date according to the system conditions during operation.

Original languageEnglish
Article number4404
Pages (from-to)1-25
Number of pages25
JournalSensors
Volume20
Issue number16
DOIs
Publication statusPublished - 7 Aug 2020

Keywords

  • Information security
  • Risk assessment
  • Security management

Project and Funding Information

  • Project ID
  • info:eu-repo/grantAgreement/EC/H2020/787011/EU/SPEAR: Secure and PrivatE smArt gRid/SPEAR
  • info:eu-repo/grantAgreement/EC/H2020/780351/EU/Development, Operation, and Quality Assurance of Trustworthy Smart IoT Systems/ENACT
  • Funding Info
  • This research leading to these results was funded by the EUROPEAN COMMISSION, grant number 787011 (SPEAR Horizon 2020 project) and 780351 (ENACT Horizon 2020 project).

Fingerprint

Dive into the research topics of 'Continuous quantitative risk management in smart grids using attack defense trees'. Together they form a unique fingerprint.

Cite this