Determining Information Security Threats for an IoT-Based Energy Internet by Adopting Software Engineering and Risk Management Approaches

This paper introduces an information security threat modeling (ISTM) scheme, which leverages the strengths of software engineering and risk management approaches, called I-SERM. The proposed I-SERM scheme effectively and efficiently prioritizes information security threats for IT systems that utilize a large number of sensors, such as Internet of Things (IoT)-based energy systems. I-SERM operations include determining functional components, identifying associated threat types, analyzing threat items, and prioritizing key threats with the use of software engineering tools such as product flow diagrams, use case diagrams, and data flow diagrams. By simultaneously referring to a proposed STRIDE+p matrix and a defined threat breakdown structure with reference score (TBS+r) scheme, the I-SERM approach enables systematic ISTM. To demonstrate the usability of I-SERM, this study presents a practical case aimed at electricity load balancing on a smart grid. In brief, this study indicates a substantive research direction that combines the advantages of software engineering and risk management into a systematic ISTM process. In addition, the demonstration of I-SERM in practice provides a valuable and practical reference for I-SERM application, and contributes to research in the field of information security designs for IoT-based Energy Internet systems.

[1]  Matthew Roughan,et al.  Case Studies of SCADA Firewall Configurations and the Implications for Best Practices , 2016, IEEE Transactions on Network and Service Management.

[2]  Qazi Mamoon Ashraf,et al.  Autonomic schemes for threat mitigation in Internet of Things , 2015, J. Netw. Comput. Appl..

[3]  Luiz Eduardo Soares de Oliveira,et al.  Obtaining the threat model for e-mail phishing , 2013, Appl. Soft Comput..

[4]  Kevin Jones,et al.  A review of cyber security risk assessment methods for SCADA systems , 2016, Comput. Secur..

[5]  Xiaohui Liang,et al.  Securing smart grid: cyber attacks, countermeasures, and challenges , 2012, IEEE Communications Magazine.

[6]  Dirk Pesch,et al.  Sensor Fusion and State Estimation of IoT Enabled Wind Energy Conversion System , 2019, Sensors.

[7]  Taskin Koçak,et al.  Smart Grid Technologies: Communication Technologies and Standards , 2011, IEEE Transactions on Industrial Informatics.

[8]  Zhuo Lu,et al.  Cyber security in the Smart Grid: Survey and challenges , 2013, Comput. Networks.

[9]  Morgan Henrie,et al.  Cyber Security Risk Management in the SCADA Critical Infrastructure Environment , 2013 .

[10]  Murray Turoff,et al.  The Delphi Method: Techniques and Applications , 1976 .

[11]  Yu-Tso Chen,et al.  The key factors affecting the strategy planning of Taiwan's hydrogen economy , 2019, International Journal of Hydrogen Energy.

[12]  Edin Arnautovic,et al.  Integrated smart grid systems security threat model , 2015, Inf. Syst..

[13]  K. Sathish Kumar,et al.  A survey on residential Demand Side Management architecture, approaches, optimization models and methods , 2016 .

[14]  Raj Jain,et al.  An Internet of Things Framework for Smart Energy in Buildings: Designs, Prototype, and Experiments , 2015, IEEE Internet of Things Journal.

[15]  Jean-Marie Flaus,et al.  A safety/security risk analysis approach of Industrial Control Systems: A cyber bowtie - combining new version of attack tree with bowtie analysis , 2018, Comput. Secur..

[16]  Alagan Anpalagan,et al.  Efficient Energy Management for the Internet of Things in Smart Cities , 2017, IEEE Communications Magazine.

[17]  Wouter Joosen,et al.  Empirical evaluation of a privacy-focused threat modeling methodology , 2014, J. Syst. Softw..

[18]  M. Dolores Gallego,et al.  Exploring the application of the Delphi method as a forecasting tool in Information Systems and Technologies research , 2014, Technol. Anal. Strateg. Manag..

[19]  Yan Shi,et al.  Multiobjective optimization technique for demand side management with load balancing approach in smart grid , 2016, Neurocomputing.

[20]  S. Shankar Sastry,et al.  Rethinking security properties, threat models, and the design space in sensor networks: A case study in SCADA systems , 2009, Ad Hoc Networks.

[21]  Zhen Shao,et al.  Energy Internet: The business perspective , 2016 .

[22]  Florian Skopik,et al.  From old to new: Assessing cybersecurity risks for an evolving smart grid , 2016, Comput. Secur..

[23]  Atef Abdrabou,et al.  A Wireless Communication Architecture for Smart Grid Distribution Networks , 2016, IEEE Systems Journal.

[24]  Kaamran Raahemifar,et al.  A survey on Advanced Metering Infrastructure , 2014 .

[25]  Manoj Datta,et al.  A survey of smart grid architectures, applications, benefits and standardization , 2016, J. Netw. Comput. Appl..

[26]  Patrick D. McDaniel,et al.  Security and Privacy Challenges in the Smart Grid , 2009, IEEE Security & Privacy.

[27]  Yang Xiang,et al.  A survey on security control and attack detection for industrial cyber-physical systems , 2018, Neurocomputing.

[28]  Dilip Patel,et al.  Assessing and augmenting SCADA cyber security: A survey of techniques , 2017, Comput. Secur..

[29]  George Wright,et al.  Delphi: A reevaluation of research and theory , 1991 .

[30]  Manoj Singh Gaur,et al.  DDoS attacks in cloud computing: Issues, taxonomy, and future directions , 2017, Comput. Commun..

[31]  Peter Torr,et al.  Demystifying the threat modeling process , 2005, IEEE Security & Privacy Magazine.

[32]  Ehab Al-Shaer,et al.  A Noninvasive Threat Analyzer for Advanced Metering Infrastructure in Smart Grid , 2013, IEEE Transactions on Smart Grid.

[33]  S. M. Macgill,et al.  A new paradigm for risk analysis , 2005 .

[34]  Syed Muhammad Anwar,et al.  A survey on consumers empowerment, communication technologies, and renewable generation penetration within Smart Grid , 2018 .

[35]  Tzvi Raz,et al.  Use and benefits of tools for project risk management , 2001 .

[36]  Asif Sabanovic,et al.  Distribution system state estimation-A step towards smart grid , 2018 .

[37]  Haris Ch. Doukas,et al.  An Advanced IoT-based System for Intelligent Energy Management in Buildings , 2018, Sensors.

[38]  T. Jick Mixing Qualitative and Quantitative Methods: Triangulation in Action. , 1979 .

[39]  Andreas L. Opdahl,et al.  Experimental comparison of attack trees and misuse cases for security threat identification , 2009, Inf. Softw. Technol..