Affiliation:
1. University of New South Wales, Australia
2. University of New South Wales, Australia and Cyber Security Cooperative Research Centre (CSCRC), Australia
3. Jemena, Australia
Abstract
The exponential rise in popularity of Distributed Energy Resources (DERs) is attributed to their numerous benefits within the power sector. However, the risks that new DERs pose to the power grid have not yet been closely assessed, exposing a gap in the literature. This paper addresses this gap by presenting a comprehensive threat model of the DER architecture that combines the MITRE ATT&CK catalogue for Industrial Control Systems (ICS) and the IDDIL/ATC threat model into a hybrid approach. Our first contribution is to propose criteria derived from seven metrics to evaluate and compare the efficacy and usability of threat modelling frameworks for DER systems, allowing more informed framework selection. Our second contribution is to develop a comprehensive hybrid threat modelling approach based on IDDIL/ATC and MITRE ATT&CK, and to organise attack paths chronologically using the Cyber Kill Chain methodology to categorise attacker techniques. Our third contribution is to perform a comprehensive DER architecture system decomposition, elaborating assets, trust levels, entry points, data, protocols, and entity relations to identify the threat landscape. Our final contribution is to apply the proposed approach to the Distribution System Operator (DSO), mapping potential attacker techniques and illustrating a ransomware attack chain on the DSO’s Energy Management System, with proposed mitigations.
Publisher
Association for Computing Machinery (ACM)