Associations

NESCOR publishes cybersecurity failure scenario documents.

EPRI Oct 18, 2013

Press Release Summary:



National Electric Sector Cybersecurity Organization Resource has published 3 cybersecurity failure scenario and impact analyses documents for electric sector. A cybersecurity failure scenario is a realistic event in which failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates negative impact on generation, transmission, and/or delivery of power. Information is useful to utilities for risk assessment, planning, procurement, training, and security testing.


Original Press Release:



NESCOR Publishes Three Cyber Security Failure Scenario Documents for the Electric Sector



The National Electric Sector Cybersecurity Organization Resource (NESCOR) has published three cyber security failure scenario and impact analyses documents for the electric sector. NESCOR is a DOE funded public-private partnership that is led by EPRI. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power.



These documents include:

How a utility may use the documents

Identification of threat agents

Criteria, methods, and results of prioritization of the failure scenarios

A list of failure scenarios using common terminology for mitigations

An analysis of the frequency of use of common mitigations to identify the greatest potential for benefit across multiple scenarios



The guidance on how to use these documents includes a discussion of their use in conjunction with the National Institute of Standards and Technology Interagency Report (NISTIR 7628), Guidelines for Smart Grid Cyber Security, August 2010 and the Department of Energy (DoE) Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2).



Here is a brief summary of each document:



Electric Sector Failure Scenarios and Impact Analyses: This document contains cyber security failure scenarios and impact analyses for the electric sector for the six domains: advanced metering infrastructure, distributed energy resources, wide area monitoring, protection, and control, electric transportation, demand response, and distribution grid management. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power. Also included are evaluation criteria and common mitigations.



Analysis of Selected Electric Sector High Risk Failure Scenarios: These provide detailed analyses for a subset of the failure scenarios identified in the short failure scenario document listed above. All analyses presented include an attack tree, which details in a formal notation, the logical dependencies of conditions that allow the failure scenario to occur. Several of the analyses also provide a detailed text write up for the scenario, in addition to the attack trees. Failure scenarios in the short failure scenario document were prioritized for inclusion in this document, based upon level of risk for the failure scenario, and the priorities of NESCOR utility members.



Attack Trees for Selected Electric Sector High Risk Failure Scenarios: This briefing includes the modified attack tree diagrams from the detailed analysis documents. The goal was to have a briefing that utilities could use.



Here are some key takeaways from these documents.



The information about potential cyber security failure scenarios is intended to be useful to utilities for risk assessment, planning, procurement, training, tabletop exercises and security testing. In particular, the briefing was developed for the utilities for easier use and reference.



The failure scenarios were developed and revised based on input from many utilities – to ensure the content was realistic.



The list of common mitigations may be used by utilities as they assess the cyber security of their control systems. This short list gives utilities a manageable set to use, in contrast to assessing hundreds of mitigations.



Don Kintner

EPRI

dkintner@epri.com

704-595-2506

White Papers & Case Studies

View All White Papers & Case Studies

View All Resources

All Topics

Manufacturing Innovation

Industry Trends

Engineering & Design

Sales & Marketing

Supply Chain

Career & Workforce

Company News

New Products

Thomas Index

Daily Bite

Find Suppliers, Insights, Tools and More...

Become part of North America's largest and most active network of B2B buyers and industrial/commercial suppliers.

Select From Over 500,000
Industrial Suppliers

Find and evaluate OEMs, Custom Manufacturers, Service Companies and Distributors.

Receive Daily
Industry Updates

Stay up to date on industry news and trends, product announcements and the latest innovations.

Search Over
6 Million Products

Find materials, components, equipment, MRO supplies and more.

Download 2D & 3D
CAD Models

10+ million models from leading OEMs, compatible with all major CAD software systems.
Start Sourcing Suppliers Claim Your Company Profile ico-arrow-default-right
Cookie Policy
Close
Thomas uses cookies to ensure that we give you the best experience on our website. By using this site, you agree to our Privacy Statement and our Terms of Use.
Accept