NESCOR publishes cybersecurity failure scenario documents.October 18, 2013 -
National Electric Sector Cybersecurity Organization Resource has published 3 cybersecurity failure scenario and impact analyses documents for electric sector. A cybersecurity failure scenario is a realistic event in which failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates negative impact on generation, transmission, and/or delivery of power. Information is useful to utilities for risk assessment, planning, procurement, training, and security testing.
NESCOR Publishes Three Cyber Security Failure Scenario Documents for the Electric Sector
3412 Hillview Ave.
Palo Alto, CA, 94304
Press release date: October 9, 2013
The National Electric Sector Cybersecurity Organization Resource (NESCOR) has published three cyber security failure scenario and impact analyses documents for the electric sector. NESCOR is a DOE funded public-private partnership that is led by EPRI. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power.
These documents include:
How a utility may use the documents
Identification of threat agents
Criteria, methods, and results of prioritization of the failure scenarios
A list of failure scenarios using common terminology for mitigations
An analysis of the frequency of use of common mitigations to identify the greatest potential for benefit across multiple scenarios
The guidance on how to use these documents includes a discussion of their use in conjunction with the National Institute of Standards and Technology Interagency Report (NISTIR 7628), Guidelines for Smart Grid Cyber Security, August 2010 and the Department of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2).
Here is a brief summary of each document:
Electric Sector Failure Scenarios and Impact Analyses: This document contains cyber security failure scenarios and impact analyses for the electric sector for the six domains: advanced metering infrastructure, distributed energy resources, wide area monitoring, protection, and control, electric transportation, demand response, and distribution grid management. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power. Also included are evaluation criteria and common mitigations.
Analysis of Selected Electric Sector High Risk Failure Scenarios: These provide detailed analyses for a subset of the failure scenarios identified in the short failure scenario document listed above. All analyses presented include an attack tree, which details in a formal notation, the logical dependencies of conditions that allow the failure scenario to occur. Several of the analyses also provide a detailed text write up for the scenario, in addition to the attack trees. Failure scenarios in the short failure scenario document were prioritized for inclusion in this document, based upon level of risk for the failure scenario, and the priorities of NESCOR utility members.
Attack Trees for Selected Electric Sector High Risk Failure Scenarios: This briefing includes the modified attack tree diagrams from the detailed analysis documents. The goal was to have a briefing that utilities could use.
Here are some key takeaways from these documents.
The information about potential cyber security failure scenarios is intended to be useful to utilities for risk assessment, planning, procurement, training, tabletop exercises and security testing. In particular, the briefing was developed for the utilities for easier use and reference.
The failure scenarios were developed and revised based on input from many utilities – to ensure the content was realistic.
The list of common mitigations may be used by utilities as they assess the cyber security of their control systems. This short list gives utilities a manageable set to use, in contrast to assessing hundreds of mitigations.