A Threat Analysis Methodology for Smart Home Scenarios

A smart grid is envisioned to enable a more economic, environmentally friendly, sustainable and reliable supply of energy. However, significant security concerns have to be addressed for the smart grid: dangers range from threats to the availability of energy to threats to customer privacy. This paper presents a structured method for identifying security threats in the smart home scenario and, in particular, for analyzing their severity and relevance. The method is also able to unveil new threats not previously discussed in the literature. The smart home scenario is represented by a context-pattern, which is a specific kind of pattern for the elicitation of domain knowledge [1]. Hence, by exchanging the smart home pattern for a context-pattern for another domain, e.g., clouds, our method can be used for these other domains as well. The proposal is based on Microsoft’s Security Development Lifecycle (SDL) [2], which uses data flow diagrams (DFDs), but proposes new alternatives for scenario definition and asset identification based on context-patterns. These alleviate the lack of scalability of the SDL. In addition, we present Attack Path DFDs, which show how an attacker can compromise the system.

[1] Kristian Beckers, et al. Pattern-Based Support for Context Establishment and Asset Identification of the ISO 27000 in the Field of Cloud Computing, 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[2] Fadi A. Aloul, et al. Smart Grid Security: Threats, Vulnerabilities and Solutions, 2012.

[3] Kristian Beckers, et al. Pattern-Based Context Establishment for Service-Oriented Architectures, 2012, Software Service and Application Engineering.

[4] Kristian Beckers, et al. Peer-to-Peer Driven Software Engineering Considering Security, Reliability, and Performance, 2012, 2012 Seventh International Conference on Availability, Reliability and Security.

[5] Kristian Beckers, et al. A Pattern-Based Method for Identifying and Analyzing Laws, 2012, REFSQ.

[6] Japanese Standards Association. Information technology - Security techniques - Information security management systems - Requirements: International Standard ISO/IEC 27001, 2005.

[7] Kristian Beckers, et al. A meta-model for context-patterns, 2013, EuroPLoP.

[8] Annabelle Lee, et al. Guidelines for Smart Grid Cyber Security, 2010.

[9] David Geer, et al. Are Companies Actually Using Secure Development Life Cycles?, 2010, Computer.

[10] Sakir Sezer, et al. Impact of cyber-security issues on Smart Grid, 2011, 2011 2nd IEEE PES International Conference and Exhibition on Innovative Smart Grid Technologies.

[11] Zhuo Lu, et al. Cyber security in the Smart Grid: Survey and challenges, 2013, Comput. Networks.

[12] Vincent W. S. Wong, et al. Autonomous Demand-Side Management Based on Game-Theoretic Energy Consumption Scheduling for the Future Smart Grid, 2010, IEEE Transactions on Smart Grid.

[13] Kristian Beckers, et al. Common criteria compliant software development (CC-CASD), 2013, SAC '13.

[14] Michael Howard, et al. The security development lifecycle: SDL, a process for developing demonstrably more secure software, 2006.

[15] Patrick D. McDaniel, et al. Security and Privacy Challenges in the Smart Grid, 2009, IEEE Security & Privacy.

[16] Maritta Heisel, et al. Software Service and Application Engineering, 2012, Lecture Notes in Computer Science.

[17] Yuguang Fang, et al. Privacy-Aware Profiling and Statistical Data Extraction for Smart Sustainable Energy Systems, 2013, IEEE Transactions on Smart Grid.

[18] Danny Dhillon, et al. Developer-Driven Threat Modeling: Lessons Learned in the Trenches, 2011, IEEE Security & Privacy.

[19] Inger Anne Tøndel, et al. Security Threats in Demo Steinkjer. Report from the Telenor-SINTEF collaboration project on Smart Grids, 2012.

[20] Frank Swiderski, et al. Threat Modeling, 2018, Hacking Connected Cars.

[21] Wouter Joosen, et al. On the secure software development process: CLASP, SDL and Touchpoints compared, 2009, Inf. Softw. Technol.

[22] Wenye Wang, et al. Review and evaluation of security threats on the communication networks in the smart grid, 2010, 2010 - MILCOM 2010 MILITARY COMMUNICATIONS CONFERENCE.

[23] Kristian Beckers, et al. A Problem-Based Threat Analysis in Compliance with Common Criteria, 2013, 2013 International Conference on Availability, Reliability and Security.