Quantitative risk analysis of cyber attacks on Cyber Physical Power System substations

Abstract

The modern power grid is becoming more susceptible to cyber-attacks due to an increase in digitalization, which gives malicious actors a larger attack surface. Such attacks on critical infrastructure could lead to partial power outages, minor societal disruption, or in the worst-case scenario, a rolling black-out in which the entire country has no access to electricity. Electrical utility companies can decrease the likelihood of a successful cyber-attack on the Cyber Physical Power System (CPPS), which consists of the physical power grid and vulnerable Information Technology (IT) and Operational Technology (OT), by implementing cyber security interventions. Investing in these cyber security mechanisms is not cheap, which is why such investments are expected to yield a certain return on investment. However, it is hard to quantify the effects of prospective cyber security investments. The main research question of this study is: “To what extent can cyber security measures decrease the risk of cyber attacks on CPPS substations?” This research question is answered by means of an implicitly mixed research approach that uses computer-assisted attack tree modelling and Monte Carlo simulation. The model is based on the publicly available technical system information of known suppliers of relevant substation components and other documentation acquired by means of multiple literature studies and document analyses. The change in likelihood and subsequent risk has been studied by extensively modelling the possible attack paths of a digital substation. This has been combined with financial analysis in the form of a societal cost-benefit analysis. As a result, potential cyber security investments can be evaluated on their merits in the form of risk reduction and their required costs as expressed in dollars.
The contribution of the performed research to science is the elaboration of existing models to more accurately represent reality, while simultaneously providing the cyber security decision-making process with a tool that provides guiding Key Performance Indicators (KPIs). This study has shown that suggested measures from the quantified model are able to increase the TTCavg needed by malicious actors to reach their intended target, and therefore cause a decrease in likelihood and subsequent risk of the studied scenarios. An important finding of this study emphasizes the need for extensive attack path modelling: the application of some well-intended countermeasure (such as remote attestation) might have no significant effect on the likelihood and risk of a certain scenario at all, and only change the dominant attack path. While the constructed quantified model, as proposed in this study, is able to provide quantified insights into the effects of proposed cyber security investments, it is merely a simplified tool that should be expanded upon to generate more accurate insights. Besides the aforementioned, there have been additional findings from this study, such as a list of weaknesses in the current state of digital substation cyber security. This list has been created by an extensive document analysis of over 40 sources. Also, an overview of 23 different possible cyber security interventions has been compiled by a systemic literature review of over 16 sources. According to the quantified model, a reduction (between 21.8% and 93%) in the total risk of certain attack scenarios against digital substations by malicious actors can be achieved. The costs for these possible risk reductions range between $28 thousand for a honeypot deception system and $413 thousand for a combination of all the simulated countermeasures.
These countermeasures could, in comparison to a base case with no protection, potentially reduce the total risk by an amount between $3.7 billion and $15.9 billion. According to the general societal cost-benefit analyses, the best Return-on-Investment (ROI)/cost-effectiveness of investment is the investment in a honeypot (scenario 5), which has an ROI of 247,390, and the least cost-effective is the investment in remote attestation (scenario 4), which has an ROI of -2,066. Altogether, this study has shown that there is added value in using a simplified quantified model to aid in decision-making for digital substation cyber security investments aimed at risk reduction.
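
The dominant-attack-path finding can be reproduced with a small Monte Carlo run over a two-path attack tree; the sketch below is an added illustration, not the model or data from the study. It reads TTCavg as the average time of the fastest path per trial, and every step name, path, duration, multiplier and the gamma distribution is a constructed assumption.

```python
import random
from collections import Counter

# Constructed model: mean days per attack step (illustrative values only).
STEP_MEAN_DAYS = {
    "initial_access": 10.0,          # shared by both paths
    "reach_station_bus": 12.0,
    "alter_device_firmware": 8.0,    # the step remote attestation slows down
    "abuse_remote_maintenance": 22.0,
}
# OR over paths, AND (sequence) within a path.
PATHS = {
    "firmware": ["initial_access", "reach_station_bus", "alter_device_firmware"],
    "remote_maintenance": ["initial_access", "abuse_remote_maintenance"],
}
SHAPE = 25  # gamma shape; std dev of each step = mean / 5 (assumption)


def simulate(multipliers=None, trials=20000, seed=1):
    """Return (average TTC in days, Counter of which path was fastest)."""
    multipliers = multipliers or {}
    rng = random.Random(seed)
    total, wins = 0.0, Counter()
    for _ in range(trials):
        # Sample each step once per trial so shared steps stay consistent.
        t = {s: rng.gammavariate(SHAPE, m * multipliers.get(s, 1.0) / SHAPE)
             for s, m in STEP_MEAN_DAYS.items()}
        path_time = {p: sum(t[s] for s in steps) for p, steps in PATHS.items()}
        fastest = min(path_time, key=path_time.get)
        total += path_time[fastest]
        wins[fastest] += 1
    return total / trials, wins


def compare():
    """Base case vs. a single-path measure vs. a shared-step measure."""
    scenarios = {"base": {},
                 "attestation": {"alter_device_firmware": 10.0},
                 "shared_step": {"initial_access": 3.0}}
    out = {}
    for name, mult in scenarios.items():
        ttc, wins = simulate(mult)
        out[name] = (round(ttc, 1), wins.most_common(1)[0][0])
    return out


if __name__ == "__main__":
    for name, (ttc, dominant) in compare().items():
        print(f"{name:12s} TTC_avg={ttc:5.1f} days  dominant path={dominant}")
```

Slowing only the firmware step moves the dominant path to remote maintenance while TTCavg rises modestly, whereas slowing the step both paths share raises TTCavg on every route.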