
Contents lists available at ScienceDirect

Information Systems

journal homepage: www.elsevier.com/locate/infosys

Integrated smart grid systems security threat model

Husam Suleiman a, Israa Alqassem b, Ali Diabat c, Edin Arnautovic d, Davor Svetinovic b,*

a Electrical and Computer Engineering at University of Waterloo, Canada
b Electrical Engineering and Computer Science at Masdar Institute of Science and Technology, Abu Dhabi, United Arab Emirates
c Engineering Systems and Management at Masdar Institute of Science and Technology, Abu Dhabi, United Arab Emirates
d Institute of Computer Technology at Vienna University of Technology, Vienna, Austria

Article info

Article history: Received 6 May 2014; received in revised form 13 October 2014; accepted 8 December 2014

Keywords: Systems security threats; Systems security threats modeling and analysis; Smart grid; Smart grid vulnerabilities

http://dx.doi.org/10.1016/j.is.2014.12.002
0306-4379/© 2014 Elsevier Ltd. All rights reserved.

* Corresponding author. E-mail address: [email protected] (D. Svetinovic).

Please cite this article as: H. Suleiman, et al., Integrated smart grid systems security threat model, Information Systems (2014), http://dx.doi.org/10.1016/j.is.2014.12.002

Abstract

The smart grid (SG) integrates the power grid and the Information and Communication Technology (ICT) with the aim of achieving more reliable and safe power transmission and distribution to the customers. Integrating the power grid with the ICT exposes the SG to systems security threats and vulnerabilities that could be exploited by malicious users and attackers. This paper presents a SG systems threats analysis and an integrated SG Systems Security Threat Model (SSTM). The reference architecture of the SG, with its components and the communication interfaces used to exchange the energy-related information, is integrated with the results of the SG systems security threat analysis to produce a comprehensive, integrated SG SSTM. The SG SSTM in this paper helps better depict and understand the vulnerabilities exploited by attackers to compromise the components and communication links of the SG. The SG SSTM provides a reference of the systems security threats for industrial security practitioners, and can be used for the design and implementation of SG systems security controls and countermeasures.

© 2014 Elsevier Ltd. All rights reserved.

1. Introduction

Smart grid (SG) is a modernization of the power grid to monitor, control, protect, and automatically optimize the control and reliability of the power grid operations, through monitoring and distributed control systems [1]. The main objectives of the SG are to achieve high efficiency, reliability, and safety in the power transmission and distribution, and a secure and reliable power delivery to customers [2,3]. This is achieved through the integration of the power grid with the Information and Communication Technology (ICT) to maximize the benefits by enabling remote monitoring, control, and processing of remote end devices [4,5]. This integration enables intelligent interaction between the SG and its stakeholders, and improves power delivery and customer services [4].


Due to the increased dependence on the ICT, increased connectivity and openness to the Internet and corporate networks, and increased use of hardware, software, and standard protocols, the SG is even more vulnerable to internal and external security attacks. It is critical to analyze and model the systems security threats and vulnerabilities exploited by attackers. From an industrial practitioner's perspective, it is useful to have a comprehensive reference architecture and a systems security model for the system under consideration. In this paper, given a lack of such reference systems security models in the literature, we performed an extensive systems security requirements, threats, and vulnerabilities analysis, and specified and presented a comprehensive Systems Security Threat Model (SSTM).

Thus, this paper presents the integration of the results of the SG reference architecture research with the results of the systems security requirements, threats, and vulnerabilities analysis in order to produce a new comprehensive, integrated reference SG SSTM that can be used by industrial systems security specialists to facilitate the design and implementation of SG systems security controls and countermeasures. The integrated SG SSTM facilitates understanding and visualization of the main systems security threats in the SG. We specified the communication architecture of the SG by showing the components and the two-way wired and wireless communication infrastructure used to communicate the energy-related information. The main systems security threats under this architecture are specified and analyzed, and the integrated SG SSTM is presented.

The remainder of this paper is organized as follows. Section 2 summarizes the background and related work. Section 3 analyzes the systems security threats of the SG. Section 4 presents the integrated SG SSTM. Section 5 discusses the results and evaluates the integrated SG SSTM. Finally, Section 6 concludes the paper.

2. Background and related work

The SG is a system of systems that collaborate via two-way electrical (physical) and communication (logical) interfaces. Each interface should maintain the collaborators' privacy while they communicate with each other. Collaboration between the SG's entities is required to enable better integration between them. A SG includes electrical storage units, distributed generation, home and building automation systems, industrial automation systems, Distribution Management Systems (DMS), and wired and wireless communication technologies [6]. The SG enables its participants to participate effectively in aligning energy supply with demand.

The SG consists of seven domains, and each domain is divided into sub-domains, actors, applications, associations, and interfaces [1]. These domains are bulk generation, transmission, distribution, customer, service provider, markets, and operations. The bulk generation domain delivers electricity to be carried over the transmission network; then, the electricity is transferred to the distribution network to be delivered to the customers.

Openness of the SG makes it highly vulnerable to the major systems security attacks. Wei et al. [7] discuss the major challenges and strategies required to protect the SG against internal and external security attacks. They proposed a conceptual layered framework to protect the SG. McLaughlin et al. [8] present the methods that could be used by attackers to manipulate the data transmitted and stored in the Advanced Metering Infrastructure (AMI) network. AlAbdulkarim and Lukszo [9] provide an overview of the main consequences resulting from breaching the information systems security in the smart metering case in the SG. Lenzini et al. [10] discuss the trust, systems security, and privacy issues, integrity and availability, and usability and energy-awareness of the data for the AMI.

With the use of ICT in the SG, the power load can be controlled remotely through the Internet. Mohsenian-Rad and Leon-Garcia [11] outline a variety of practical loads in the SG that could be vulnerable to Internet-based load altering attacks. These are Direct Load Control (DLC), indirect load control, and data centers and computation load. They present defense mechanisms to protect the SG from Internet-based load altering attacks.


In the power transmission system, wired communications are integrated in the backbone of the power network. Wireless communications are integrated in the power distribution system. Wireless communications are reliable and provide low cost, high speed links and easy setup of connections among the smart devices distributed through the distribution system. But wireless communications are also vulnerable to security attacks, like the wired ones. Wang and Yi [12] propose a wireless communication architecture for the Smart Distribution Grid (SDG) based on Wireless Mesh Networks (WMNs). They analyze the security framework under this architecture. They develop a new intrusion detection mechanism called smart tracking firewall to meet the special requirements of the SDG wireless communications.

The industrial and critical infrastructure functions in the SG (such as electricity, gas, water and waste) are monitored and controlled using the Supervisory Control and Data Acquisition (SCADA) system. It is important to analyze the security threats and risks in the SCADA systems to develop a proper security solution. Queiroz et al. [13] propose a modeling and simulation tool for the SCADA system. This tool supports the integration of external devices and applications, and tests the effect of attacks on them. Fernandez and Larrondo-Petrie [14] study the general structure of the SCADA system, analyze the main attacks that could be performed against it, and present methods to build a secure SCADA system using security patterns. Also, the vulnerabilities of the SCADA system are systematically evaluated using a vulnerability assessment framework proposed by Ten et al. [15–17] based on three levels: system, scenario, and access points. This is to study the effect of a security attack on the SCADA systems. A comprehensive survey on the security of the electric power infrastructure system is conducted, and an attack-based method for impact analysis based on the power system control network is developed, by Ten et al. [18,19].

Gungor et al. [20] present a security analysis of the SG communication technologies. They provide a detailed description of the SG communication technologies, requirements, and standards. Advantages and disadvantages of these communication technologies are also presented. The communication technologies include ZigBee, WMN, cellular network communication, Power Line Communication (PLComm), and Digital Subscriber Line (DSL). The SG communication requirements, which are security, system reliability, robustness, availability, scalability, and Quality of Service (QoS), are also presented. Mahmood et al. [21] present the design and implementation of an Automatic Meter Reading (AMR) SG system with more advanced features to enable efficient monitoring and control and to minimize outages and losses in the SG system. The presented AMR concepts include automated reading and enable monitoring of load transformers using the SCADA system. Qui et al. [22] experimentally discuss the energy consumption of different security algorithms, using measurements taken at different power sites. They measure the energy consumption of these algorithms and propose a set of principles on using these algorithms in Wide Area Monitoring System (WAMS) nodes.

Wei et al. [23] propose a framework for a SG automation system to protect the SG against security attacks. More specifically, they discuss the communication and network level attacks that make the SG more vulnerable to security attacks, and how these attacks affect the operation of the SG. Ericsson [24] discusses the role of security and power system communication in the SG. Security issues are discussed such as the decoupling between the operational SCADA and Energy Management System (EMS) and the ICT, threats and possibilities, information security domains, and the SCADA systems and SCADA security. Hahn and Govindarasu [25] present a security attack evaluation framework for the SG. They present a novel security model to represent various states and evaluate important paths in the SG that could be compromised by attackers.

Watts [26] discusses vulnerabilities and security risks that affect the operation of the SG. Dependency on the SCADA systems, wireless intrusion, and security and encryption are discussed. Shein [27] presents some security challenges for the AMI network and means to mitigate the threats resulting from those challenges. Khurana et al. [28] present a description of issues related to SG security. These include trust and privacy issues, security management, and communication security. They also propose requirements for effective security solutions with authentication and encryption solutions on different levels such as the generation, transmission, and distribution level.

3. SG systems security analysis

In this section, the analysis of the main systems security threats is presented, as a prerequisite for the integrated SG SSTM presented in the next section. This work builds upon the use-case diagrams, use-case scenarios, attack trees and systems security templates developed in our previous research [29–34].

The analysis is performed using the Security Quality Requirements Engineering (SQUARE) [35] and Security Requirements Engineering Process (SREP) [36] methods, and a total of 72 systems security requirements, 76 threats, and 32 vulnerabilities are elicited and specified.

The SQUARE method facilitates the exploration of security-related issues in the early system development stages to reduce costs and increase efficiency. It consists of nine phases, including security requirements elicitation, categorization and prioritization. The effectiveness of this method is examined thoroughly in our previous work, using the SG AMI as a case study [30]. SREP is a risk-driven method for investigating security requirements; it supports iterative and incremental modeling of security requirements with their correlated security elements such as threats and security objectives [37].

Fig. 1 shows all threats in the SSTM, relating them to the particular element (system or connection) in the SG architecture. More details about this model are given in the next section. To indicate the threats in the text, we use angle brackets, e.g., ⟨TNo.⟩.

In the SG, data could be compromised while it is recorded, stored, or transmitted in the system. Attackers may inject forged values between the Smart Meter (SM) and the collector nodes to modify the data traffic, ⟨T27⟩. This can happen if attackers can get the cryptographic keys used for the encryption of the stored data, and also without the keys if the link provides confidentiality but no integrity protection, since an encrypted record can then be modified in transit without detection. Attackers can penetrate the network and inject forged values into the communication link by executing control commands at any internal collector node ⟨T19, T23⟩. This may affect the transmitted demand record and replace it with forged values whenever it passes through a compromised collector node. Considering that a typical SG has over a thousand collector nodes, the other collector nodes could be affected and the effect of this threat could be amplified.

Attackers may intercept the data communication in the backhaul wireless network (General Packet Radio Service, GPRS) used to connect the collector nodes with the control center, using a man-in-the-middle attack, ⟨T21, T25, T26⟩. This includes compromising the communication links, gateways, and data routers. Attackers may also read and change the transferred data through the compromised equipment, ⟨T20, T23⟩. Attackers can read unencrypted information and obtain the passwords, then compromise the system by denying legitimate users' access to it, ⟨T8, T10, T11⟩. For example, attackers may intercept important data such as the outage messages sent to the Outage Management System (OMS) when an outage is detected.

Attackers may intercept the power consumption reports, pricing signals, urgent messages, SM data, outage reports, and fault notifications sent from the SM to the utility, ⟨T13, T14⟩. Attackers may also intercept the control commands sent from the utility to the SM that include requests to decrease the overall power consumption in the home domain (using the SM as a gateway). The SM responds to these control commands by shutting down some devices using the Home Area Network (HAN), and this decision could be affected if it results from inaccurate control commands. The data reported from the SM and other electric devices (transformers, switches, and sensors) to the utility, which is used for billing calculations, power dispatching, and SG optimization, could be affected too.
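The forged demand record of ⟨T27⟩ and the read-and-change modification on the backhaul of ⟨T20, T23⟩ both rest on one property: a record that is only encrypted can still be altered in transit. The following Python is an added example, not code from the paper or from any SG vendor. It uses an HMAC-SHA256 keystream in counter mode as a stand-in for a real stream or CTR-mode cipher (assumption: it shares their XOR malleability, which holds for any XOR-based cipher), a constructed four-byte wire format for the demand record, and constructed keys. It shows an on-path attacker with no key turning a 1500 kWh reading into 300 kWh, and the same forgery being rejected once the collector verifies an encrypt-then-MAC tag before decrypting.

```python
import hashlib
import hmac
import os
import struct


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-mode keystream: HMAC-SHA256(key, nonce || counter) blocks, concatenated.
    Stand-in for a real stream/CTR cipher; it has the same XOR malleability."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def encode_reading(kwh: int) -> bytes:
    """Constructed wire format for a demand record: one unsigned 32-bit big-endian kWh value."""
    return struct.pack(">I", kwh)


def decode_reading(record: bytes) -> int:
    return struct.unpack(">I", record)[0]


def forge_reading(ciphertext: bytes, believed_kwh: int, desired_kwh: int) -> bytes:
    """On-path attacker without the key: XOR the difference between the value it
    believes is encrypted and the value it wants the collector to accept."""
    delta = xor_bytes(encode_reading(believed_kwh), encode_reading(desired_kwh))
    return xor_bytes(ciphertext, delta)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, kwh: int) -> tuple:
    """Meter side, encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, encode_reading(kwh))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Collector side: verify the tag before decrypting. None means the record is rejected."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_reading(decrypt(enc_key, nonce, ct))


def demo() -> tuple:
    """Returns (value accepted without a MAC, result with a MAC, genuine result with a MAC)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    real_kwh, forged_kwh = 1500, 300

    # 1. Encryption only: the forged record decrypts cleanly to the attacker's value.
    ct = encrypt(enc_key, nonce, encode_reading(real_kwh))
    tampered = forge_reading(ct, real_kwh, forged_kwh)
    accepted_without_mac = decode_reading(decrypt(enc_key, nonce, tampered))

    # 2. Encrypt-then-MAC: the identical forgery fails tag verification.
    n, ct2, tag = seal(enc_key, mac_key, nonce, real_kwh)
    with_mac = open_sealed(enc_key, mac_key, n, forge_reading(ct2, real_kwh, forged_kwh), tag)
    genuine = open_sealed(enc_key, mac_key, n, ct2, tag)
    return accepted_without_mac, with_mac, genuine


if __name__ == "__main__":
    print(demo())  # (300, None, 1500)
```

The attacker needs only the record layout and a guess at the current value; with a real block cipher in CTR mode or a stream cipher the outcome is identical, which is why the collector must check a MAC (or use an AEAD mode) before it trusts a demand record, whether or not the encryption key has leaked.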

In addition to misleading the data transferred to/from the distributed smart devices and SMs ⟨T19⟩, attackers may flood them with unwanted data traffic in a Denial of Service (DoS) attack, ⟨T18, T69⟩. The data is transmitted via the Internet, the GPRS network, or PLComm, which are insecure channels for data transmission, and the data is planned to be stored in a remotely accessed database together with the power consumption data. The DoS attack in this case can delay and mislead the data exchanged between these devices and other components in the SG ⟨T16, T17⟩. The DoS can degrade the overall performance of these devices, so that they may not respond to changes in the system. The DoS attack may affect the normal use or management of the SG. It may affect the SM applications used to measure the power usage of the available power resources. It may overload, or even prevent access to, the SM, which can then no longer perform its functions. The data received at the control center could be incorrect and may not reflect the SG status. This may affect the control center's decision making process as well.

Attackers may compromise the control center and its communication links by flooding them with unwanted data traffic, ⟨T51, T56, T58, T59⟩. This threat can affect the control center's resources, system services, and file system; one possible effect of such a threat is deleting the SMs' IP addresses stored in the control center (since it is expected that the SG will adopt IP-based protocols). Attackers may send a large number of packets to exhaust the available resources. The communication links could be congested and may cause communication latencies due to the limited communication bandwidth. This can slow down the control center network and degrade its overall performance. In addition, this attack may indirectly disturb the operation of the communication servers, backup control systems, and the distributed relational database servers. This attack can also disrupt the real time services provided by the control center. Deleting the file system may disable the online monitoring system and the control center. Generally, attacking the control center of the SG is considered the most harmful attack and may lead to a disaster. It might disable the entire SG, which is centrally controlled by the control center. Huge losses of crucial information, economic loss, and equipment damage are also possible consequences in case of breaching the security of the control center.

Fig. 1. SG SSTM for preventing possible threats.

The middleware access point connecting the customer EMS and the Neighborhood Area Network (NAN) system could be compromised, ⟨T15⟩. This threat could be exploited by attackers because the middleware is used within the SG to establish communication between the customer and the utility through the Service Oriented Architecture (SOA). Session hijacking and information tampering and modification at the middleware server are possible if weak authentication mechanisms are used.

Even a subset of the systems security threats presented in this section is difficult to visualize and systematically take into account. Therefore, a SG SSTM is produced through the integration of the systems security threat analysis results with the SG reference architecture.
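The integration this section describes, threats from the analysis tied to the component or link of the reference architecture they act on, can be kept as a machine-readable register alongside the figure. The following Python is an added example, not an artifact of the paper: the threat IDs and their one-line descriptions are taken from Section 3 (only a slice of the 76 threats), while the element names and the link graph between them are this example's own reading of the text and should be treated as assumptions. It answers the questions a practitioner asks of such a model: which threats act on one element, which threats lie along a communication path, what a compromised node can reach (the amplification the text warns about for collector nodes), and which elements carry the most threats.

```python
from collections import deque

# Elements and the two-way communication links between them, as read from the text
# (SM -> collector -> GPRS backhaul -> control center; field devices -> substation
# router -> WAN; customer EMS -> NAN -> middleware). Names are this example's own.
LINKS = {
    "smart_meter":       {"collector", "han"},
    "han":               {"smart_meter"},
    "collector":         {"smart_meter", "gprs_backhaul"},
    "gprs_backhaul":     {"collector", "control_center"},
    "control_center":    {"gprs_backhaul", "wan", "middleware"},
    "wan":               {"control_center", "substation_router"},
    "substation_router": {"wan", "field_devices"},
    "field_devices":     {"substation_router"},
    "middleware":        {"control_center", "nan"},
    "nan":               {"middleware", "customer_ems"},
    "customer_ems":      {"nan"},
}

# (threat IDs as cited together in the text, description, elements they act on).
# The element assignment is an assumption based on the paragraph each ID appears in.
ENTRIES = [
    (["T27"], "forged values injected between SM and collector", ["smart_meter", "collector"]),
    (["T19", "T23"], "forged values injected via control commands at a collector node", ["collector"]),
    (["T21", "T25", "T26"], "man-in-the-middle on the GPRS backhaul (links, gateways, routers)", ["gprs_backhaul"]),
    (["T20", "T23"], "data read and changed through compromised equipment", ["gprs_backhaul"]),
    (["T8", "T10", "T11"], "unencrypted data and passwords read; legitimate users denied access", ["gprs_backhaul", "control_center"]),
    (["T13", "T14"], "SM-to-utility reports and pricing signals intercepted", ["smart_meter", "collector"]),
    (["T18", "T69"], "DoS flooding of SMs and smart devices", ["smart_meter"]),
    (["T51", "T56", "T58", "T59"], "control center and its links flooded with traffic", ["control_center"]),
    (["T15"], "middleware access point compromised (session hijacking)", ["middleware"]),
    (["T4"], "SM password captured via optical port or admin login", ["smart_meter"]),
    (["T6"], "SM stored data tampered", ["smart_meter"]),
    (["T5"], "SM firmware overwritten", ["smart_meter"]),
    (["T9"], "spoofing software impersonates the SM", ["smart_meter"]),
    (["T12", "T30", "T34", "T35"], "data to field devices (IED, RTU, PMU, PLC) misled", ["field_devices"]),
    (["T33"], "field devices exposed over the WAN via the substation router", ["wan", "substation_router"]),
    (["T3", "T69", "T76"], "field devices flooded with valid protocol messages", ["field_devices", "smart_meter"]),
    (["T7"], "SM firmware update process compromised", ["smart_meter"]),
    (["T75"], "router relaying data to the SCADA system compromised", ["substation_router"]),
]


def _tid_num(tid: str) -> int:
    return int(tid[1:])


def build_index(entries=ENTRIES) -> tuple:
    """Returns (threat -> set of elements, element -> set of threats)."""
    by_threat, by_element = {}, {}
    for ids, _desc, elements in entries:
        for tid in ids:
            by_threat.setdefault(tid, set()).update(elements)
            for el in elements:
                by_element.setdefault(el, set()).add(tid)
    return by_threat, by_element


BY_THREAT, BY_ELEMENT = build_index()


def threats_on(element: str) -> list:
    """Threat IDs acting on one component or link, in numeric order."""
    return sorted(BY_ELEMENT.get(element, ()), key=_tid_num)


def threats_along(path: list) -> list:
    """Union of threats over a communication path. Rejects paths that are not
    connected in LINKS so a typo cannot silently shrink the attack surface."""
    for a, b in zip(path, path[1:]):
        if b not in LINKS.get(a, ()):
            raise ValueError(f"{a} and {b} are not directly linked")
    found = set()
    for el in path:
        found |= BY_ELEMENT.get(el, set())
    return sorted(found, key=_tid_num)


def reachable_from(element: str) -> set:
    """Elements a compromised node can talk to over the link graph (BFS)."""
    seen, queue = {element}, deque([element])
    while queue:
        cur = queue.popleft()
        for nxt in LINKS.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def exposure_rank() -> list:
    """Elements ordered by the number of threats acting on them, most exposed first."""
    return sorted(((el, len(ts)) for el, ts in BY_ELEMENT.items()), key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    for el, n in exposure_rank():
        print(f"{el:18s} {n:2d} threats: {', '.join(threats_on(el))}")
    print("reachable from a compromised collector:", sorted(reachable_from("collector")))
```

Because every element in this slice is connected, `reachable_from("collector")` returns the whole graph, which is the formal version of the text's remark that a single compromised collector can affect the rest of the infrastructure; the same query run on a segmented network (with links removed) is a quick way to check whether a proposed segmentation actually cuts that path.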

4. SG systems security threat model

In this section, the reference SG SSTM and an extended analysis of the systems security threats and vulnerabilities in the SG SSTM are presented. The SG SSTM captures the main systems security threats. The ability to use the SG SSTM to effectively interrelate and understand the vulnerabilities, potentially exploited by attackers to compromise the data stored and transmitted through the wired and wireless communication links in the SG, can help implement appropriate systems security solutions and countermeasures. The integrated SG SSTM is shown in Fig. 1. It is built from the partial SSTMs presented in Figs. 2–4.

Fig. 1 shows the main systems security threats in the SG. The SM and smart devices send data via communication channels to the control center. The SM is a critical component in the SG AMI. The password of the SM could be compromised by sensing the data transmitted from the SM's optical communication port or by compromising the administration login interface, ⟨T4⟩. Attackers may then change the billing statement to show lower than actual power consumption so that the amount of payment is reduced. This is accomplished by executing a demand reset operation, which resets the billing register to recount from zero.


Fig. 2. SG AMI SSTM for preventing possible threats.


Also, attackers may use a smart reader device with a monitoring software program to capture the data transmitted through the optical communication port of the SM. The signals in this case could be sensed and recorded to capture the password.
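A demand reset executed with a captured SM password ⟨T4⟩ leaves a trace the head end can look for: the cumulative consumption register goes backwards between two reads. The following Python is an added example, not from the paper, that runs that check over a constructed read log (the `meter=... ts=... kwh=...` line format, the register width of six digits and the 1000 kWh-per-interval plausibility bound are all assumptions). It separates a genuine register rollover at the register's maximum from a reset, skips malformed lines rather than crashing on log noise, and also flags an implausibly large forward jump, which is what a tampered consumption rate ⟨T6⟩ would look like.

```python
import re

# Constructed read log; the format is assumed. SM-0042 is reset to zero mid-day,
# SM-0107 legitimately rolls over at the top of a six-digit register, SM-0211 jumps.
SAMPLE_READS = """\
meter=SM-0042 ts=1718000000 kwh=15210
meter=SM-0042 ts=1718003600 kwh=15214
meter=SM-0042 ts=1718007200 kwh=0
meter=SM-0042 ts=1718010800 kwh=3
meter=SM-0107 ts=1718000000 kwh=999990
meter=SM-0107 ts=1718003600 kwh=5
meter=SM-0211 ts=1718000000 kwh=8800
meter=SM-0211 ts=1718003600 kwh=8805
meter=SM-0211 ts=1718007200 kwh=50000
garbage line that must be skipped, not crash the check
"""

LINE_RE = re.compile(r"meter=(?P<meter>\S+)\s+ts=(?P<ts>\d+)\s+kwh=(?P<kwh>\d+)")


def parse_reads(text: str) -> list:
    """Returns (meter, timestamp, register_kwh) tuples; malformed lines are dropped."""
    reads = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            reads.append((m["meter"], int(m["ts"]), int(m["kwh"])))
    return reads


def find_register_anomalies(text: str, register_modulus: int = 10**6, max_step_kwh: int = 1000) -> list:
    """Flags reads whose register moved more than max_step_kwh modulo the register
    width. A decrease with a small modular delta is a genuine rollover and passes;
    a decrease with a large delta is a reset; a large increase is a jump.
    register_modulus is the assumed register width (10**6 for a six-digit register)."""
    last = {}
    anomalies = []
    for meter, ts, kwh in sorted(parse_reads(text)):   # sorted by meter, then time
        if meter in last:
            prev = last[meter]
            delta = (kwh - prev) % register_modulus
            if delta > max_step_kwh:
                kind = "reset" if kwh < prev else "jump"
                anomalies.append((meter, ts, prev, kwh, kind))
        last[meter] = kwh
    return anomalies


if __name__ == "__main__":
    for meter, ts, prev, kwh, kind in find_register_anomalies(SAMPLE_READS):
        print(f"{meter}: {kind} at ts={ts}, register went {prev} -> {kwh}")
```

A meter replacement also reads as a reset, so in practice the flagged events are correlated with the asset or work-order record before they are treated as ⟨T4⟩ tampering; the modulus must match the real register width, since a wrong value turns every rollover into a false reset.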

Stored data tampering is another threat that affects the SM, because the behavior of the SM is controlled by its stored data, ⟨T6⟩. If attackers can get control over the SM's stored data, this may affect the SM's operation. Attackers may tamper with the tariffs for Time of Use (TOU) pricing, the logs of physical events and executed commands, and the recorded net commands. Attackers may increase or decrease the recorded consumption rate to affect the customer's billing price as well.

Tampering with (overwriting) the firmware of the SM can provide attackers with control over the SM and, through the tampered firmware, over other related smart devices. Tampered firmware may affect devices or customers using the SM for sensitive activities such as selling energy. Tampered firmware facilitates energy theft and the disconnection of the SM's power supply, ⟨T5⟩.

Spoofing software could be used by attackers to impersonate the SM by injecting traffic, ⟨T9⟩. The spoofing software is deployed by attackers to handle and answer the SM's and the utility's requests, which does not leave any evidence of tampering. Attackers in this case impersonate valid users. The important records and reports of the SM could be captured by attackers. These records could be SM records summarizing the network usage, or billing and pricing information.

Attackers can mislead the data transferred to the distributed field devices such as the Intelligent Electronic Devices (IEDs), ⟨T30⟩, Remote Terminal Units (RTUs), Phasor Measurement Units (PMUs), Programmable Logic Controllers (PLCs), etc., ⟨T12, T34, T35⟩. These devices could be exposed to external systems security attacks via the Wide Area Network (WAN) on the router and other devices in the substation system, ⟨T33⟩. These devices are designed to allow managers to remotely access their user interfaces for diagnostic, maintenance, monitoring, measurement, and configuration purposes. Attackers may cause supervisory control commands and operations to be executed based on inaccurate field device data, ⟨T31⟩, so that the control center receives incorrect data. If these devices are compromised, attackers may:

• alter the run-time parameters, ⟨T22, T53⟩,
• change the devices' settings, ⟨T24, T55⟩,
• send wrong control commands to other field devices, ⟨T23, T54⟩, and
• mislead the data transferred to the control center operator, ⟨T28⟩.

Attackers may also alter the data and the frequent status information sent from the field devices to the control center, such as connect/disconnect control and settings commands, power consumption reports, pricing signals, fault notifications, and so on, ⟨T68⟩. For example, attackers may mislead the connect/disconnect control commands to cause excess power generation from the power resources, which can cause financial losses, ⟨T8, T32⟩. Inaccurate control commands from attackers may disrupt the operations of the field devices, cause equipment damage, shut down the field devices, ⟨T36⟩, and cause loss of service.

Fig. 3. SG control center SSTM for preventing possible threats.

This is a result of the weak systems security features of the industrial communication protocols and operating systems used in these devices, such as the Distributed Network Protocol (DNP3), the Inter-Control Center Communication Protocol (ICCP), International Electrotechnical Commission (IEC) 61850, etc. DNP3 is mainly used for SCADA system and RTU data communication, while ICCP is used for data communication between control centers. These protocols and operating systems are designed for connectivity quality, control, and performance purposes, but they suffer from systems security weaknesses: in their original form they provide no authentication or integrity protection of messages, and the security extensions that exist (DNP3 Secure Authentication, the IEC 62351 series) have to be deployed explicitly. The specifications of these protocols are published and easy to obtain. Attackers may exploit that, studying the specification or reverse engineering an implementation, to perform a man-in-the-middle attack, ⟨T26⟩. Using many different communication protocols leads to many difficulties in building a common network-based systems security solution, in comparison with conventional computer networks. In contrast, the IP communication protocol is commonly used in computer networks, which facilitates the design and development of a common network-based systems security solution.

Flooding the field devices distributed throughout the SG, such as the SM, IEDs, RTUs, and PLCs, is another threat, ⟨T3, T69, T76⟩. Attackers sometimes repeatedly flood these devices with valid protocol messages to affect their overall performance. The aim is to consume the channels' communication bandwidth in order to deny the incoming and outgoing data. It may saturate the Central Processing Unit (CPU) computational power and exhaust the limited memory space. This may increase the power consumption of the node, which can decrease its overall performance. It may also lead to delays in data transmission, loss of sensitive data, and wrong decisions taken by the control center operators.
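Because the flood described here, like the one against the control center and its links ⟨T51, T56, T58, T59⟩ earlier in this section, consists of valid protocol messages, a content filter does not catch it; what does is a rate check. The following Python is an added example, not from the paper, that runs a sliding-window message count over a constructed log of collector traffic (the `timestamp src=... dst=... msg=...` line format, the addresses and the one-second window with a 100-message threshold are assumptions). Three benign sources report once a second for ten seconds and one source sends 200 messages within a second. The key to count by is a parameter, because a flood from spoofed sources ⟨T9⟩ stays invisible per source but still shows up per destination.

```python
from collections import defaultdict, deque


def constructed_log() -> list:
    """Constructed message log, sorted by timestamp: three benign sources reporting once a
    second for 10 s, and 10.0.5.99 sending 200 messages between t+4.000 and t+4.995."""
    lines = []
    for s in range(10):
        for src in ("10.0.5.21", "10.0.5.22", "10.0.5.23"):
            lines.append(f"{1718000000 + s:.3f} src={src} dst=collector-17 msg=demand_report")
    for i in range(200):
        lines.append(f"{1718000004 + i / 200:.3f} src=10.0.5.99 dst=collector-17 msg=demand_report")
    return sorted(lines)   # fixed-width timestamps, so lexical order is time order


def parse_line(line: str) -> tuple:
    """Returns (timestamp, {field: value}) for one 'ts key=value ...' line."""
    ts, *fields = line.split()
    return float(ts), dict(f.split("=", 1) for f in fields)


def flood_detect(lines, key: str = "src", window_s: float = 1.0, threshold: int = 100) -> dict:
    """Sliding-window count of messages per value of `key` ('src' or 'dst').
    Returns {value: timestamp of the first message that pushed the count over threshold}."""
    recent = defaultdict(deque)
    breached = {}
    for line in lines:
        ts, kv = parse_line(line)
        who = kv.get(key)
        if who is None:
            continue
        q = recent[who]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold and who not in breached:
            breached[who] = ts
    return breached


if __name__ == "__main__":
    log = constructed_log()
    print("per source:     ", flood_detect(log, key="src"))
    print("per destination:", flood_detect(log, key="dst"))
```

On a real AMI the threshold is set per device class from observed baselines (an SM reporting every 15 minutes and an RTU polled every second need very different limits), and the per-destination count is the one that protects a resource-constrained field device, since it measures what the device actually has to process regardless of who the sender claims to be.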

The available resources of the SM and field devices are limited. This does not give designers the flexibility to implement, perform, and apply all systems security features. The limited memory space of the SM can barely contain its firmware. The limited memory space may prevent the firmware update, which is inevitable due to the increasing number of discovered vulnerabilities and software bugs. Unavailability of the latest firmware update of the SM may expose the SM to more penetrations. Attackers may compromise the firmware update process, and replace the update with a new one compatible with the attackers' design and purpose, ⟨T7⟩. The limited memory space may even prevent architects from uploading their cryptographic keying material for their cryptographic functions. The designers can offload their cryptographic keys into separate memory, which could also be accessed and hacked.

Fig. 4. SG Integration SSTM for preventing possible threats.

Further, the computational power of the SM is limited, ⟨T2⟩. If data is received when the memory space is full and the CPU is busy, the service and the exchanged data will very frequently be denied and lost. Also, no SM can run modern security software such as anti-virus programs and firewalls, while such software can help in detecting or preventing internal or external intrusions [27].

Certain critical locations in the SG could be compromised through the Internet. Attackers may alter the load, ⟨T50⟩, in order to cause circuit overflow or malfunction to deteriorate or damage the power transmission equipment. Data center servers in the SG are appropriate targets for this kind of attack. Attackers may compromise or break into the router that relays data to the SCADA system, ⟨T75⟩. Attackers may inject false data against certain state variable estimations. In addition, attackers may send fake switch-on signals to a group of electric devices to disturb the load demand. Portions of the load in the SG such as air conditioning, water heating, and refrigeration are under the direct load control (DLC) of the utility. Attackers can send control command signals (such as switch-on signals, ⟨T1, T62⟩) via the Internet to degrade the power quality, cause voltage problems, and cause potential damage to customer equipment.

The price signal could be compromised by injecting false values. The price signals are delivered through the Internet by the utility, which allows customers to control their load independently. Attackers can exploit this feature to inject false price signals through the Internet. As a result of decreased price values, customers could increase their load demands. Increasing the load demands of customers can affect the automated energy consumption scheduling, change the overall energy consumption of hundreds of residences, and change the load profile of the customers. The main problem is that the price signal is a multicast signal sent to many customers together, so any price falsification has an amplified effect.
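A customer-side check for falsified price signals, added here as an example and not from the paper: the EMS accepts a signal only if its authentication tag verifies, its sequence number advances, it is inside its validity window, and the price is within absolute and step bounds, so that one falsified multicast message cannot move the load of every recipient. The message layout, the shared key, the bounds and the sample values are constructed assumptions; the HMAC stands in for the asymmetric signature a real multicast scheme would use so that no customer holds the signing secret.

```python
"""Customer-side validation of a multicast price signal.

Added example, not from the paper. The message layout, the shared key, the
sequence/validity rules and the plausibility bounds are constructed
assumptions. The HMAC stands in for the signature a real multicast scheme
would use, where no customer holds the signing secret.
"""
import hashlib
import hmac
import json

UTILITY_KEY = b"constructed-demo-key-not-for-production"  # assumption


def _canonical(body):
    """Canonical bytes of the signal body so producer and verifier agree."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_price_signal(key, seq, issued_at, price_cents_kwh, valid_for_s=900):
    """Produce the signal the utility multicasts: body plus authentication tag."""
    body = {"seq": seq, "issued_at": issued_at,
            "price": price_cents_kwh, "valid_for": valid_for_s}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class PriceSignalValidator:
    """Checks a received price signal before it drives consumption scheduling.

    Order of checks: authenticity, sequence (replay/reorder), validity window,
    absolute bounds, then step size against the last accepted price. The last
    two are defence in depth: they limit what a falsified or erroneous signal
    can do even if it carries a valid tag.
    """

    def __init__(self, key, max_skew_s=60, max_step_pct=50.0,
                 price_floor=1.0, price_cap=200.0):
        self.key = key
        self.max_skew_s = max_skew_s
        self.max_step_pct = max_step_pct
        self.price_floor = price_floor
        self.price_cap = price_cap
        self.last_seq = 0
        self.last_price = None

    def validate(self, msg, now):
        """Return (accepted, reason); state advances only on acceptance."""
        body = msg["body"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag"
        if body["seq"] <= self.last_seq:
            return False, "stale sequence"
        if body["issued_at"] > now + self.max_skew_s:
            return False, "issued in the future"
        if now > body["issued_at"] + body["valid_for"]:
            return False, "expired"
        price = body["price"]
        if not self.price_floor <= price <= self.price_cap:
            return False, "price outside bounds"
        if self.last_price is not None:
            step_pct = abs(price - self.last_price) / self.last_price * 100.0
            if step_pct > self.max_step_pct:
                return False, "implausible price step"
        self.last_seq = body["seq"]
        self.last_price = price
        return True, "accepted"


def run_scenario():
    """Feed one genuine signal, a falsified one, a replay, a plausible update
    and an implausible drop to a validator; return the verdicts in order."""
    v = PriceSignalValidator(UTILITY_KEY)
    t0 = 1_400_000_000  # constructed epoch time
    genuine = sign_price_signal(UTILITY_KEY, 1, t0, 12.0)
    # Falsified signal built without the utility key: its tag will not verify.
    falsified = sign_price_signal(b"not-the-utility-key", 2, t0 + 10, 0.5)
    return [
        v.validate(genuine, t0 + 5),
        v.validate(falsified, t0 + 12),
        v.validate(genuine, t0 + 20),  # replay of sequence 1
        v.validate(sign_price_signal(UTILITY_KEY, 2, t0 + 30, 17.0), t0 + 32),
        v.validate(sign_price_signal(UTILITY_KEY, 3, t0 + 40, 1.5), t0 + 42),
    ]


if __name__ == "__main__":
    for accepted, reason in run_scenario():
        print("accept" if accepted else "reject", reason)
```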

The communication links connecting the field devices with the historian and Human-Machine Interface (HMI) in the transmission domain could be compromised. A jamming attack could be performed by sending wireless signals from a malicious node on the same frequency as the utility's signals, ⟨T70⟩. In addition, a packet eavesdropping threat, ⟨T67⟩, could be performed in case a malicious node has bypassed the authentication procedure and is considered a trusted one with legal access to the network. Packet eavesdropping is performed in a passive way without the need to conduct any active security attack.

The HMI system is used by the SG operators to remotely monitor and control remote devices. If attackers can get unauthorized access to and control of the HMI system, ⟨T29, T52⟩, sometimes using standard methods, a lot of information related to the SCADA system's operations could be displayed. Attackers can then execute arbitrary commands necessary to control and monitor the operation of the smart devices connected to the HMI system.

The control center is connected via a Local Area Network (LAN) to other redundant servers. It internally includes workstations and HMI systems. Spoofing the workstations, ⟨T49⟩, and the HMI systems is a possible threat exploited in order to affect the control center operators' decisions, by analyzing the communication protocol used to exchange data. Attackers may gain unauthorized access to workstations to take control of the development processes performed through these workstations, ⟨T48⟩. Attackers may also impersonate the HMI system to present another HMI interface to the control center operator, ⟨T29⟩. Accordingly, the operator takes wrong actions and performs wrong control commands on the SCADA system based on the wrong information presented by the fake HMI system, ⟨T46, T57⟩. The data presented on the HMI system includes the data reported from the RTUs and PLCs. It includes equipment status reports and meter reading data collected from actuators and sensors to be stored in the historian server. This is a network-based attack that takes the form of a man-in-the-middle attack.

Remote access to the controllers through web services and dialup modems is also available, and it rarely requires authentication. If attackers successfully attack the controllers, they can issue control commands and can harvest the programming logic and the firmware information, ⟨T40⟩.

A session hijacking threat can originate when an external user accesses the online information using web portals via the redundant web server for data access through the web, ⟨T41⟩. Attackers may steal the users' session identifier (ID). Attackers may also impersonate the session by pretending to be the session owner. An un-encrypted session ID can cause leakage of sensitive session information to malicious users. The cross site scripting threat includes attacking the control center from the web applications used within the SG, ⟨T42⟩. Attackers can exploit the customer web portal used to remotely access the energy-related data, and the utility online information systems.

Other threats could affect the control center and its connected servers and software systems. Flooding the servers with unwanted data traffic is a possible one, ⟨T56⟩. This threat could affect the redundant database server, the redundant web server for data access via the web, the redundant calculation server for making time series calculations, and the redundant communication server for the meter data acquisition system [21], ⟨T37, T38⟩. For example, a malicious code attack (malware), ⟨T39⟩, a cross-site scripting attack, ⟨T42⟩, a session hijacking attack, ⟨T41⟩, and a spoofing attack, ⟨T43⟩, are possible threats on the redundant web server. These servers are connected with the control center via the LAN, which is also vulnerable, and the data transferred through it could be intercepted and modified.

The server software systems of the control center are also vulnerable. The data acquisition system software is responsible for polling the SMs' data. Attackers may intercept or modify the data transferred from the SM modems sub-station, which is collected and stored in the data acquisition management software system, ⟨T60⟩. The alarm management module used to trigger alarms in case of power failure and SM tampering could also be compromised, ⟨T61⟩. This can disturb the stable operation of the system. In addition, attackers may switch on/off the supply of any customer by switching on/off the SMs or modifying the SMs' energization status, ⟨T62⟩. Also, the user administration module could be compromised by changing users' definitions, roles, and rights. Attackers in this case aim to enable or limit sensitive technical configurations such as communication lines and SMs' data handling, ⟨T63⟩.

Also, the raw data transferred from the data acquisition software system to the data management system is vulnerable to attack, ⟨T64⟩. It is transferred for processing, calculations, and visualizations. The data gathered by the data management software from the SMs could be compromised as well, ⟨T65⟩. It includes power factor, active/reactive demands, voltages and currents, and line voltages and currents. The data management software receives data not only from the SMs and the data acquisition software system, but also from the communication servers. If the data management system is successfully compromised, attackers can alter metered data, graphs, charts, tables, tariffs, etc. The data management software is sometimes connected with the Geographical Information System (GIS) to retrieve background maps. This is performed using public protocols, which could be exploited as well. Another threat appears at the interface for data viewing over the web, available for external users to access meter data, ⟨T66⟩.

The SCADA system is used to remotely access the power generation to control the power flow. It is also used to collect data from distributed smart sensors and devices. The gathered data is transmitted and stored in the control center for supervisory and control purposes. Flooding the SCADA master and slave servers with unwanted data traffic is another type of threat, which can generally cause a power outage in the electrical infrastructure, ⟨T51⟩. This can deteriorate the overall performance of these servers and the SCADA system as a whole. This attack may affect the data availability and integrity between the SCADA servers and the connected workstations as well. It may cause delay in data transmission, faults in data exchange, and failure in the control center.

In addition, the application server in the SCADA system is another target of attack. Attackers can send requests asking the application server to issue critical commands to the Front End Processor (FEP), ⟨T71⟩. If attackers gain unauthorized access to the application server, they may find out the exact applications used to control parts of the SCADA system and take control of them [7], ⟨T72⟩. After successfully penetrating the SCADA system, attackers may send fault signals to system breakers to isolate power generators and shunts, and disconnect loads [38]. Also, successfully penetrating the application server may provide attackers with ready access to commands that are unavailable to the system operator.

The communication path between the SCADA network and the corporate network (which includes the use of the client systems) could be compromised, ⟨T47⟩. The client systems are required to run the business of the SG by providing specific information. If the client system is compromised, attackers gain an easy access pathway to the SCADA system.

Operators sometimes remotely access the SCADA system to provide support. The Virtual Private Network (VPN) and the corporate network provide the means of directly accessing the SCADA system remotely. The remote support operator threat includes compromising the client system connected to the VPN to gain unauthorized remote access to the SCADA system from the attackers' homes or offices. Attackers may exploit the poor configurations of the VPN and the corporate network to attack the SCADA system as well, ⟨T45, T46, T47⟩. Sometimes, the VPN server relies on the VPN client to enforce access rights. The VPN network is also integrated with the control center, and attackers may utilize this feature to attack the control center as well. If the remote support operator connected to the control center is compromised, attackers may have the ability to switch off breakers with SMs to cut the electricity supply.

Also, attackers may exploit the communication links of the remote site entry points such as backup facilities, development systems, and quality systems, ⟨T73⟩. The remote site communication links are sometimes not protected by firewalls or VPNs. If they are successfully compromised, attackers can directly gain unauthorized access to the SCADA system without the need to hack through the corporate network.

¹ A subset of these categories appears in NISTIR 7628.

5. Evaluation

This research builds upon our previous research on SG reference architectures and SG systems security analysis [29–31,39]. In [29], we developed a SG reference architecture through the analysis and specification of the complex inter-domain dependencies among the business and technical domains of the SG. This was accomplished using domain-link matrices. The SG reference architecture, with its components, actors, and applications, was specified. The SG reference architecture presents the main communication components used to relay the energy-related information within the SG. In [30,31], we performed an extensive analysis of the systems security requirements, threats, and vulnerabilities in the Advanced Metering Infrastructure (AMI), customer domain, and Supervisory Control and Data Acquisition (SCADA). We developed a specification of systems security definitions and goals. We also developed a set of systems security artifacts, which included system architecture diagrams, use-case diagrams, use-case scenarios, attack trees, and systems security templates. Then, we performed systems security risk assessment, which included threat identification, vulnerability identification, likelihood analysis, impact analysis, and risk determination. Finally, we elicited, categorized, and analyzed the main systems security requirements to secure the SG AMI against internal and external security attacks.

The developed model and the subsequent analysis and evaluation were carried out independently by two different groups of researchers with backgrounds in smart grids and systems security and privacy.

SG represents a highly distributed power network with a complex set of stakeholders and complex interconnected systems that aim to provide power generators, suppliers and customers with reliable electricity and information delivery. Due to the non-trivial nature of SG components and sub-systems and the time and cost constraints, replacing or updating its components once they are installed (such as the control systems) is not a straightforward process, while various attacks can be performed from any vulnerable component. Therefore, extra attention needs to be paid to security threats and vulnerabilities at early design stages to facilitate the development of adequate and effective countermeasures.

In SG SSTM, threats against SG's communication networks, information domain and infrastructure are classified into the following categories¹:

Ava: Threats to network availability (total: 15).

Int: Threats to data integrity (total: 33).

Con: Threats to data confidentiality and information privacy (total: 27).

Opr: Threats to SG key operation, i.e., managing power supply and demand (total: 38).

Org: Threats to inter-organizational collaborations and relationships (total: 9).

Inf: Threats to the resilience and safety of SG infrastructure (total: 24).

This classification was performed in order to evaluate the relevance of our SG SSTM with respect to NISTIR 7628, which presents an analytical framework for SG security and provides a baseline for organizations to facilitate the development of efficient solutions and strategies for SG security issues and risks. Although NISTIR 7628 is considered the most comprehensive standardization effort among existing industrial efforts which investigate SG security, NISTIR 7628 focuses on security at the system level and not on information transfer between components, where the claim is that each organization is responsible for developing the security architecture for the SG information domain, and consequently these organizations should assign security requirements to each component [40,41].

The number in parentheses indicates the total number of identified threats matching that category. Some threats belong to more than one category, as shown in Table 1. Further, different levels of specificity are followed with the intention of: (i) enumerating all possible threats that can be identified at the current stage in order to facilitate more detailed identification of sophisticated attacks on critical infrastructure and information domains, (ii) enabling the early design and development of countermeasures and

Table 1. Systems security threats table.

No. | Threat description | Categories marked (among Ava, Int, Con, Opr, Org, Inf)
T1 | Sending fake “switch-on” signals to a group of electric devices to disturb the load demand | ✓
T2 | The limited and preserved processor computational power and memory capacity of SM | ✓ ✓
T3 | DoS buffer overflow attack to delete SM's content | ✓
T4 | Password capturing using monitoring software program with reader device on optical communication port | ✓
T5 | Tampering with SM's firmware | ✓ ✓
T6 | Tampering with SM's stored data | ✓
T7 | Reconfiguring attack by installing unstable firmware on SM | ✓ ✓
T8 | Sending connect/disconnect commands to the distributed field devices | ✓ ✓
T9 | Spoofing/impersonating the SM under attack | ✓ ✓
T10 | Sniffing the SM, un-encrypted packets | ✓
T11 | Using weak authentication mechanisms | ✓ ✓ ✓ ✓
T12 | Attacking the proprietary system of the field devices, which are designed for certain functionalities such as maintenance, monitoring, etc. | ✓ ✓
T13 | Modifying data transmitted from SM | ✓ ✓ ✓
T14 | Insecure issues of wireless connection within HAN | ✓ ✓ ✓
T15 | Insecure customer to middleware access which results in vulnerable communication between customer's EMS and NAN system | ✓ ✓
T16 | Distorting sensor's data | ✓ ✓
T17 | Losing sensor's data | ✓ ✓
T18 | Stopping the data flow or DoS attack on distributed smart devices | ✓ ✓
T19 | Injecting forged values to change the transmitted demand records between distributed smart devices and SMs | ✓ ✓
T20 | Unauthorized traffic analysis | ✓
T21 | Packet eavesdropping between collector units and the various WiFi/BPL networks | ✓
T22 | Altering the run-time parameters of the field devices | ✓ ✓
T23 | Sending wrong commands or malicious settings through the communication links, gateways, or routers connecting collector nodes with control center | ✓ ✓
T24 | Changing the settings of the field devices | ✓ ✓
T25 | Protocol attack on the communication links between the collector units and wireless GSM/GPRS networks | ✓ ✓
T26 | Intercepting the exchanged data between the field devices and the control center, “man-in-the-middle” attack | ✓ ✓
T27 | Injecting forged values to modify the data traffic | ✓ ✓
T28 | Misleading the data transferred to the control center operator | ✓ ✓
T29 | Spoofing the HMI system to present another interface to the systems operator | ✓ ✓
T30 | Intercepting the reported data from the IEDs to the control center | ✓ ✓
T31 | Performing supervisory control operation based on inaccurate field data obtained from inaccurate field devices | ✓ ✓
T32 | Incorrect control commands to achieve overload condition to damage the various field devices | ✓ ✓
T33 | External security threats via the WAN on the router and other devices in the substation system | ✓
T34 | Sending misleading data to the field device | ✓ ✓
T35 | Attacking the proprietary system of the field devices, that are designed for specific functionalities, e.g., transducer, PMU, circuit recloser, meter, tap changer, and protection relay |
T36 | Shutting down the IEDs and other end devices | ✓ ✓
T37 | Flooding the redundant database, web, calculation, and communication servers with unwanted traffic | ✓ ✓ ✓ ✓
T38 | DoS attack on the redundant database, web, calculation, and communication servers | ✓ ✓ ✓ ✓ ✓
T39 | Malicious code attack on the redundant database and web servers | ✓ ✓
T40 | Accessing controllers remotely through web services and dialup modems | ✓
T41 | Session hijacking on the redundant web server (for data access through the web) | ✓ ✓
T42 | Cross site scripting on the redundant web server | ✓
T43 | Spoofing attack on the redundant web server, where attacker pretends that s/he is the session owner | ✓ ✓ ✓
T44 | Injecting control command | ✓ ✓
T45 | Exploiting the poor configuration of the VPN and other corporate networks | ✓
T46 | Compromising the client system by exploiting the poor client configurations; to gain unauthorized remote access to the SCADA system |
T47 | Misleading the data transferred to the control center via the VPN and corporate networks | ✓ ✓
T48 | Gaining unauthorized access to workstations thus being able to control the development processes performed through these workstations | ✓ ✓
T49 | Spoofing the workstations | ✓ ✓
T50 | Altering the load through the Internet | ✓
T51 | Flooding the SCADA master and slave to delay data transmission | ✓ ✓
T52 | Gaining unauthorized access to the HMI system | ✓
T53 | Altering the run-time parameters of distributed field devices | ✓
T54 | Sending wrong commands or malicious settings to distributed field devices | ✓
T55 | Changing the settings of the field devices | ✓
T56 | Flooding the control center and its connected servers and software systems with unwanted traffic (DoS) | ✓
T57 | Sending misleading data to control center operator | ✓ ✓ ✓
T58 | Injecting data or commands into the SG's networks, e.g., the control center network | ✓ ✓ ✓
T59 | Manipulating the data sources such as relational database servers and file system | ✓ ✓
T60 | Intercepting or modifying the received data from the SM modems sub-station at the data acquisition system software | ✓ ✓
T61 | Triggering the alarm management module to disturb the operations | ✓
T62 | Attacking the server software systems of the control center to switch on/off the supply of any customer by switching on/off or playing with customers' meters and with their energization status | ✓ ✓ ✓
T63 | Attacking the user administration module and consequently playing with users' definitions, roles, and rights; to enable/disable or restrict sensitive technical configurations (communication lines and SMs data handling) | ✓ ✓ ✓
T64 | Intercepting/modifying raw data fetched for processing, calculations, and visualizations | ✓ ✓
T65 | Intercepting/modifying data collected from SMs such as power factors, currents, voltages, etc., at the data management software | ✓ ✓
T66 | Performing web attack on the web interfaces of external users in order to access SM data | ✓
T67 | Packet eavesdropping on the communication links that connect the HMIs, RTUs, IEDs, and PMUs together | ✓
T68 | Misleading the data transferred to the field devices such as power consumption reports, pricing signals, urgent messages, and fault notifications | ✓ ✓
T69 | DoS attack by flooding the field devices with unwanted data traffic | ✓ ✓ ✓
T70 | Jamming the communication links connecting the field devices with HMI by sending signals with the same frequency as the utility signals | ✓ ✓
T71 | Triggering the application server to issue commands to FEP | ✓
T72 | Attacking the application server to take control of the different applications used to control parts of the SCADA system | ✓ ✓ ✓
T73 | Remote site communication on the backup facilities and substations connected with the SCADA system | ✓ ✓
T74 | Modifying data exchanged between application servers, HMI, etc. | ✓ ✓ ✓
T75 | Compromising or breaking into the router to insert errors into certain state variable estimations | ✓ ✓
T76 | Flooding the RTU with valid protocol messages to saturate CPU, memory, or bandwidth | ✓ ✓

mitigation strategies that weaken or discourage these threats.

The first threat category, which targets the availability of the supply of energy, is of the highest priority with respect to maintaining SG systems security goals, since network unavailability may affect critical power infrastructure, result in blackout, and cause financial losses and loss of real-time monitoring. DoS attacks, in particular, can be considered threats to network availability, e.g., an attacker in ⟨T18⟩ attempts to prevent, delay or mislead data transmission to block nodes from reaching power resources.

Data integrity attacks attempt to modify data transmitted over the SG network such as billing, accounting or date information. Although data integrity attacks may not directly affect the functionality of the power networks as a whole, they still have a critical impact. One example is the new class of data integrity attacks, false data injection attacks, presented in [42], where such attacks can bypass data integrity checks at the existing power system to exploit the power system's configurations and inject false data into the monitoring center.

Differing from data integrity attackers, attackers targeting confidentiality and information privacy threaten power market information and individuals' privacy. For instance, they try to acquire energy historical information, identification numbers, etc. Such attackers eavesdrop on communication links, wireless channels or stored data (e.g., ⟨T67⟩) without altering or deleting records. Thus, to guarantee a legally operating environment within the SG, confidentiality needs to be considered to ensure secure financial transactions and protect individuals' privacy. Furthermore, since the development and deployment of the SG incorporate multiple organizations such as component manufacturers, system integrators, etc., category “Org” specifies threats in a multi-organization context.

The integration of ICT systems within the power grid exposes the SG to threats that could result in a significant impact on energy grid operations, in particular energy transmission and distribution; the fourth category describes these threats, while the last category highlights threats which may cause power outage or damage to the SG energy infrastructure.

It is worth pointing out that it is difficult to compromise a legitimate node or communication link in a power network with authentication; however, due to the distributed and ubiquitous nature of the SG, in addition to the integration of wireless technology, attacks targeting data integrity and information privacy by establishing a connection to the power network are still possible, hence they should be identified and addressed properly [43].

One of the weaknesses of our model is that a SG SSTM should include an assessment of the identified threats, their analysis and categorization. Our model does not cover this threat assessment, i.e., measures of the likelihood or rank of a specific threat or threat category. These measures need further empirical investigation and are context specific, so our model should be extended with the particular assessment for a concrete industrial application.

Building a fully secure system is not economically feasible, and as such, threat assessment will help to determine the feasibility of each security attack to enable stakeholders to assess vulnerabilities and the degree of protection needed, and consequently agree on minimum security standards. A notable example here is binding additional functionalities to the SG, other than billing and accounting, to enhance security and ensure data integrity and confidentiality. Moreover, threat assessment will help to identify the right tradeoffs between the various threat categories, e.g., threats to network availability and stability versus other threats.

It is worth noting that after the preliminary evaluation of the SG SSTM, several redundant and similar threats were eliminated. As a future improvement, the threats should be grouped based on different criteria such as threat impact or targeted component. One should also identify precisely the threats that result from exploiting certain systems vulnerabilities.

Fig. 5. SG electricity supply activity model.

Finally, we have effectively applied the SG SSTM in our own work through two case studies. The first one is concerned with increasing the security of the SG through the development of the decentralized and distributed consumer–supplier relationship. The second study was concerned with the development of the SG Bitcoin-based decentralized trading infrastructure model [44]. Here we present excerpts from the first study and note the relevant threats handled in each. Both studies demonstrate the feasibility and relevance of the developed SG SSTM.

Fig. 5 shows the SG electricity supply activity model. The SG electricity supply functionality focuses on six aspects. First, the SG receives registration requests from the suppliers. A request includes the identification information for the supplier and the parameters required to describe the electricity generated ⟨T11, T27⟩. The SG stores this information in its storage ⟨T39⟩.

Second, the SG can also receive a request for a parameter update from a supplier. In this case, the SG updates the stored parameters corresponding to the requesting supplier ⟨T5, T6, T7, T9⟩.

Third, the SG receives a request for a suppliers list from consumers. The consumer request is associated with a parameter specification identifying the requested electricity. The SG filters the suppliers list with respect to the received parameters and sends a list of potential suppliers to the consumer ⟨T18, T19⟩.

Fourth, the SG receives encrypted offer messages from the consumers and stores these messages. Since the SG does not have the encryption key, it only has access to the consumer ID, the supplier ID, and the time of the delivery, limiting the SG to only being aware of its role in the transaction without knowing the remaining part of the offer's content ⟨T10, T13, T20⟩.

Fifth, the SG receives a request to retrieve a stored encrypted offer message from a supplier. The SG checks if the supplier is the one supplying the electricity in the message. If the check is positive, the SG returns the message to the requesting supplier ⟨T34, T41, T44, T64⟩.

Sixth, the SG receives a request for time allocation for the delivery of the electricity, which is done in two steps. In the first step, the SG receives the request and checks if the delivery can be made in the specified time. If possible, the SG reserves the time and confirms the reservation to the supplier. In the second step, the SG waits for a confirmation message from the supplier. When a confirmation is received and accepted, the SG confirms the time allocated. This step is guarded by a constraint which prevents the SG from accepting the request in case the SG did not receive the encrypted offer message associated with it ⟨T19, T48, T50, T68, T75⟩.
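The six activities above, implemented as an added example that is not the paper's code: the SG stores only the routing metadata of an offer, checks on retrieval that the requester is the supplier named in it, and refuses a time allocation for which no offer was received. Supplier tokens, identifiers, the parameter schema and the delivery slots are assumptions.

```python
"""Model of the six SG electricity-supply activities of Fig. 5 (added example, not the
paper's code). Identifiers, the per-supplier authentication token, the parameter schema
and the delivery slots are assumptions; offer ciphertext is opaque bytes (SG has no key)."""
import secrets
from collections import namedtuple

# An offer as the SG sees it: routing metadata plus ciphertext it never decrypts.
StoredOffer = namedtuple("StoredOffer", "consumer_id supplier_id delivery_time ciphertext")


class SmartGrid:
    def __init__(self):
        self.suppliers = {}     # supplier_id -> {"token": str, "params": dict}
        self.offers = {}        # offer_id -> StoredOffer
        self.reservations = {}  # delivery_time -> [supplier_id, confirmed]

    def _auth(self, supplier_id, token):
        s = self.suppliers.get(supplier_id)
        if s is None or not secrets.compare_digest(s["token"], token):
            raise PermissionError("supplier authentication failed")
        return s

    # 1. Registration: store identification and generation parameters; the
    #    returned token (an assumption) authenticates the supplier's later requests.
    def register_supplier(self, supplier_id, params):
        token = secrets.token_hex(16)
        self.suppliers[supplier_id] = {"token": token, "params": dict(params)}
        return token

    # 2. Parameter update, only by the authenticated owner of the record.
    def update_parameters(self, supplier_id, token, params):
        self._auth(supplier_id, token)["params"].update(params)

    # 3. Supplier list filtered by the consumer's requirements.
    def list_suppliers(self, requirements):
        def matches(p):
            return (requirements.get("source", p.get("source")) == p.get("source")
                    and p.get("max_kw", 0) >= requirements.get("kw", 0))
        return sorted(sid for sid, s in self.suppliers.items() if matches(s["params"]))

    # 4. Store an encrypted offer; only routing metadata is visible to the SG.
    def store_offer(self, consumer_id, supplier_id, delivery_time, ciphertext):
        offer_id = f"offer-{len(self.offers) + 1}"
        self.offers[offer_id] = StoredOffer(consumer_id, supplier_id, delivery_time, ciphertext)
        return offer_id

    # 5. Retrieve an offer, only for the supplier named in it.
    def retrieve_offer(self, supplier_id, token, offer_id):
        self._auth(supplier_id, token)
        offer = self.offers[offer_id]
        if offer.supplier_id != supplier_id:
            raise PermissionError("offer belongs to another supplier")
        return offer.ciphertext

    # 6, step one: reserve the slot; refused unless a matching offer was received.
    def request_time(self, supplier_id, token, consumer_id, delivery_time):
        self._auth(supplier_id, token)
        if not any(o.consumer_id == consumer_id and o.supplier_id == supplier_id
                   and o.delivery_time == delivery_time for o in self.offers.values()):
            raise ValueError("no encrypted offer received for this delivery")
        if delivery_time in self.reservations:
            raise ValueError("slot already reserved")
        self.reservations[delivery_time] = [supplier_id, False]
        return "reserved"

    # 6, step two: the supplier confirms and the SG finalises the allocation.
    def confirm_time(self, supplier_id, token, delivery_time):
        self._auth(supplier_id, token)
        r = self.reservations.get(delivery_time)
        if r is None or r[0] != supplier_id:
            raise PermissionError("no reservation held by this supplier")
        r[1] = True
        return "confirmed"


def _attempt(fn, *args):
    """Return 'ok', or the exception name when the SG refuses the request."""
    try:
        fn(*args)
        return "ok"
    except (PermissionError, ValueError, KeyError) as exc:
        return type(exc).__name__


def run_scenario():
    """Walk the six activities once and return the observable outcomes."""
    sg = SmartGrid()
    tok_a = sg.register_supplier("sup-A", {"source": "solar", "max_kw": 50})
    tok_b = sg.register_supplier("sup-B", {"source": "wind", "max_kw": 20})
    sg.update_parameters("sup-A", tok_a, {"max_kw": 80})
    blob = b"\x8a\x11\x42\x9f"  # constructed stand-in for the encrypted offer
    oid = sg.store_offer("cons-1", "sup-A", 14, blob)
    return {
        "listing": sg.list_suppliers({"source": "solar", "kw": 60}),
        "other_supplier_retrieve": _attempt(sg.retrieve_offer, "sup-B", tok_b, oid),
        "owner_retrieve": sg.retrieve_offer("sup-A", tok_a, oid) == blob,
        "unbacked_request": _attempt(sg.request_time, "sup-B", tok_b, "cons-1", 14),
        "allocation": (sg.request_time("sup-A", tok_a, "cons-1", 14),
                       sg.confirm_time("sup-A", tok_a, 14)),
    }
```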

6. Conclusion

This paper presents SG systems security threat modeling and analysis. In total, 72 systems security requirements, 76 threats, and 32 vulnerabilities are elicited, categorized, and integrated in the SG SSTM. The main systems security threats are discussed in detail. The proposed systems security threat analysis together with the SG SSTM aim to (i) provide the means to gain a better understanding of how malicious attackers may compromise SG systems security, (ii) provide a foundation for the investigation of more sophisticated attacks and vulnerabilities with their impact, (iii) help to envision the major SG systems security weaknesses, and hence increase the investment in systems security and facilitate the development of countermeasures and mitigation strategies to reduce the risks in the future development and deployment of the SG. Additionally, our model can be beneficial for systems designers, integrators, and information security practitioners to identify security threats and vulnerabilities and develop automated testing tools at the early stages of the systems development life cycle.

Please cite this article as: H. Suleiman, et al., Integrated smart grid systems security threat model, Information Systems (2014), http://dx.doi.org/10.1016/j.is.2014.12.002