Incorporating FAIR into Bayesian Network for Numerical Assessment of Loss Event Frequencies of Smart Grid Cyber Threats

In today’s cyber world, assessing security threats before implementing smart grids is essential to identify and mitigate the risks. Loss Event Frequency (LEF) is a concept provided by the well-known Factor Analysis of Information Risk (FAIR) framework to assess cyber threats and categorize them into five classes based on their severity. As the number of threats increases, many threats may fall under the same LEF category, but FAIR provides no further mechanism to rank them. In this paper, we propose a method to incorporate FAIR’s LEF into a Bayesian Network (BN) to derive numerical assessments that rank threat severity. The BN probabilistic relations are inferred from the FAIR look-up tables so that the BN reflects and conserves the FAIR appraisal. Our approach extends FAIR’s functionality by providing a more detailed ranking, allowing fuzzy inputs, enabling the illustration of input-output relations, and identifying the most influential element of a threat to improve the effectiveness of countermeasure investment. These improvements are demonstrated by applying the method to assess cyber threats in a smart grid robustness research project (IRENE).
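The mechanism the abstract describes, as an added Python example (not the paper's code): the qualitative FAIR LEF look-up table is encoded as a BN conditional probability table, evaluated under fuzzy (distributional) TEF and Vulnerability inputs to obtain an expected numeric LEF that orders threats sharing one FAIR class, plus a one-notch sensitivity test that names the more influential input. The LEF table is reproduced from memory of the public FAIR material and is an assumption to verify; the three threats are constructed and not from IRENE.

```python
from itertools import product
LEVELS = ["VL", "L", "M", "H", "VH"]          # FAIR ordinal scale, index 0..4
IDX = {lvl: i for i, lvl in enumerate(LEVELS)}
# ASSUMED: the qualitative LEF = f(TEF, Vulnerability) look-up table as commonly
# published with FAIR (rows: TEF, columns: Vulnerability VL..VH); verify it first.
LEF_TABLE = {
    "VH": ["M", "H", "VH", "VH", "VH"],
    "H":  ["L", "M", "H", "VH", "VH"],
    "M":  ["VL", "L", "M", "H", "VH"],
    "L":  ["VL", "VL", "L", "M", "H"],
    "VL": ["VL", "VL", "VL", "L", "M"],
}
# BN conditional probability table P(LEF | TEF, Vuln), read straight off the table.
CPT = {(t, v): {l: float(l == LEF_TABLE[t][IDX[v]]) for l in LEVELS}
       for t, v in product(LEVELS, LEVELS)}

def lef_posterior(p_tef, p_vuln):
    """Marginalise the CPT over fuzzy beliefs (dicts level -> probability)."""
    return {l: sum(p_tef.get(t, 0.0) * p_vuln.get(v, 0.0) * row[l]
                   for (t, v), row in CPT.items()) for l in LEVELS}

def lef_class(p_tef, p_vuln):
    """Most probable FAIR class: the coarse label FAIR alone would report."""
    return max(lef_posterior(p_tef, p_vuln).items(), key=lambda kv: kv[1])[0]

def lef_score(p_tef, p_vuln):
    """Expected ordinal LEF index (0=VL .. 4=VH): orders threats inside one class."""
    return sum(IDX[l] * p for l, p in lef_posterior(p_tef, p_vuln).items())

def shift_down(dist):
    """One-notch mitigation: every belief moves one level towards VL (VL stays)."""
    return {l: sum(p for k, p in dist.items() if LEVELS[max(IDX[k] - 1, 0)] == l)
            for l in LEVELS}

def most_influential(p_tef, p_vuln):
    """Which parent lowers expected LEF more if mitigated one level? -> (name, drop)"""
    base = lef_score(p_tef, p_vuln)
    d_tef = base - lef_score(shift_down(p_tef), p_vuln)
    d_vuln = base - lef_score(p_tef, shift_down(p_vuln))
    return ("TEF", d_tef) if d_tef >= d_vuln else ("Vulnerability", d_vuln)

def rank_threats(threats):
    """threats: name -> (p_tef, p_vuln); returns [(name, score)], highest LEF first."""
    return sorted(((n, lef_score(t, v)) for n, (t, v) in threats.items()), key=lambda x: -x[1])

# Constructed sample threats (hypothetical; not taken from the IRENE project).
THREATS = {
    "T1_meter_firmware_tamper":   ({"M": 0.7, "H": 0.3}, {"H": 0.5, "VH": 0.5}),
    "T2_scada_phishing":          ({"H": 1.0},           {"M": 0.3, "H": 0.7}),
    "T3_portal_credential_abuse": ({"VH": 1.0},          {"VL": 0.5, "L": 0.5}),
}
```

T1 and T2 both come out as FAIR class VH, yet their expected scores differ (3.65 versus 3.7), which is the ranking FAIR alone cannot give; for T3 the sensitivity test points at TEF as the element whose mitigation lowers LEF most.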