CWRAF Vignette Details - Domain energy

The MITRE Corporation
Copyright © 2013
http://cwe.mitre.org/cwraf/

CWRAF version: 0.8.3

Date: April 3, 2013

Project Coordinator:

Bob Martin (MITRE)

Document Editor:

Steve Christey (MITRE)
CWRAF Vignettes - energy

Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses.

Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 6 vignettes within the "energy" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.

Vignette Summary

Name | Description
Household Smart Meter | Meter within the Smart Grid that records electrical consumption and communicates this information to the supplier on a regular basis.
Smart Grid remote utility server | Obtains information from smart meters through neighborhood gateways.
Smart Grid Neighborhood Gateway | Appliance between smart meter and remote utility server.
Regional Electricity Flow Control | Flow control for an electricity network throughout a relatively large region, to further connect suppliers and consumers. Power now enters the grid from both sides (the classic provider, but also home-to-provider, e.g. home photovoltaic and wind turbines in homes and throughout the landscape). The system needs to have the "smarts" to support the load-leveling capabilities of the grid, which is basically a large distributed SCADA-type system.
SCADA Historian | Historian server for archival and analysis of data for a SCADA system. Contains a database backend and is accessible via a web interface. Access to the server is typically restricted to a DMZ or internal network.
Distributed Production Facility Management using SCADA Web-based HMI | A web-based Human Machine Interface (HMI) for SCADA systems. Users can visualize and control industrial automation processes in real-time from a control interface directly in communication with remote sensors and data collection points. All facets of production can be monitored and managed from a web browser. The HMI uses various frameworks (Java, .NET, etc.) with Restful Architecture (AJAX, XML, SOAP, XSL, and WML).

Vignette Details

Vignette Definition: Household Smart Meter

Name: Household Smart Meter
ID: smart-meter
Maturity: under-development
Domain: energy
Desc: Meter within the Smart Grid that records electrical consumption and communicates this information to the supplier on a regular basis.
Archetypes: Web client, Process Control Systems, Embedded Device
Business Value Context (BVC): Confidentiality of customer energy usage statistics is important; it could be used for marketing or illegal purposes. For example, hourly usage statistics could be useful for monitoring activities. Integrity of metering data is important because of the financial impact on stakeholders (consumers manipulating energy costs). Availability typically is not needed in real-time; other avenues exist (e.g. site visit) if communications are disrupted.
Notes:
References:

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 8 | Attacker might be able to modify consumption reports, leading to financial loss; possible inefficiencies in grid management due to incorrect reporting of actual consumption. Attacker could turn appliances and other home systems on/off.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 4 | Attacker could read customer energy usage statistics, for marketing or surveillance.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 4 | Delays in reporting to provider, possibly delays in billing and collections. Availability may be restored if meter stays online long enough. Possible financial impact if a site visit is required.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | 4 | Delays in reporting to provider, possibly delays in billing and collections. Availability may be restored if meter stays online long enough. Possible financial impact if a site visit is required.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 9 | Attacker could read customer energy usage statistics for marketing or surveillance, disable the meter, or modify consumption reports, leading to financial loss; possible inefficiencies in grid management due to incorrect reporting of actual consumption.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 7 |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 7 |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | 5 | Cannot obtain sufficient evidence for criminal prosecution of fraud.
Hide activities | Application | 5 | Cannot obtain sufficient evidence for criminal prosecution of fraud.
Hide activities | Network | |
Hide activities | Enterprise | |

Vignette Definition: Smart Grid remote utility server

Name: Smart Grid remote utility server
ID: smart-grid-RUS
Maturity: stub
Domain: energy
Desc: Obtains information from smart meters through neighborhood gateways.
Archetypes: Web client, Process Control Systems, Embedded Device
Business Value Context (BVC): TBD.
Notes:
References:

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |

Vignette Definition: Smart Grid Neighborhood Gateway

Name: Smart Grid Neighborhood Gateway
ID: smart-grid-gw
Maturity: stub
Domain: energy
Desc: Appliance between smart meter and remote utility server.
Archetypes: Web client, Process Control Systems, Embedded Device
Business Value Context (BVC): TBD.
Notes:
References:

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |

Vignette Definition: Regional Electricity Flow Control

Name: Regional Electricity Flow Control
ID: reg-elec
Maturity: stub
Domain: energy
Desc: Flow control for an electricity network throughout a relatively large region, to further connect suppliers and consumers. Power now enters the grid from both sides (the classic provider, but also home-to-provider, e.g. home photovoltaic and wind turbines in homes and throughout the landscape). The system needs to have the "smarts" to support the load-leveling capabilities of the grid, which is basically a large distributed SCADA-type system.
Archetypes: Process Control Systems, Web client, Web server
Business Value Context (BVC): Successful attacks could cause financial loss (consumers manipulating energy costs) or affect the grid itself. Privacy is a concern for consumers (energy usage revealing activities).

Confidentiality of customer energy usage statistics is important (it could be used for marketing or "illegal" purposes). Confidentiality, integrity, and availability requirements will vary depending on the specific application. For example, energy usage or billing statistics of customers are generally important for confidentiality (hourly stats could be used for monitoring activities, for example), but availability can vary from minimal (customer Home Area Networks, which have few real-time requirements) to important (portions of AMI networks that require real-time interaction).

Key management is important. Wireless interactions may be common. Some components will not be in physically secure environments. Integrity of metering data is important because of the financial impact on stakeholders. There may be different priorities between monitoring and control.

Notes:
References:
  • Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

    Jonathan Pollet, CISSP, CAP, PCIP. July 2010

    Page 16 includes a breakdown of various consequences / vulnerability types found, focusing on the Operational DMZ (ISA99 level 3). Also talks about AMR and smart meters.

  • DRAFT NISTIR 7628 - Smart Grid Cyber Security Strategy and Requirements

    Includes logical architecture and interfaces, high level security requirements, privacy, C-1 vulnerability classes, and other documents for control systems.

    Appendix A includes Use-Cases with various CIA analyses.

    The functional logical architecture represents a blending of the initial set of use cases and requirements that came from the workshops and the initial NIST Smart Grid Interoperability Roadmap, including the individual logical interface diagrams for the six application areas: electric transportation, electric storage, advanced metering infrastructure (AMI), wide area situational awareness (WASA), distribution grid management, and home area network/business area network (HAN/BAN).

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |

Vignette Definition: SCADA Historian

Name: SCADA Historian
ID: scada-hist
Maturity: under-development
Domain: energy
Desc: Historian server for archival and analysis of data for a SCADA system. Contains a database backend and is accessible via a web interface. Access to the server is typically restricted to a DMZ or internal network.
Archetypes: Process Control Systems, Database, Web client, Web server
Business Value Context (BVC): Confidentiality is generally regarded as less important than integrity, which is regarded as less important than availability. Modification of data could cause users to make incorrect decisions, potentially leading to inefficiencies or accidents.
Notes:
References:
  • Cyber Assessment Methods for SCADA Security

    May Robin Permann, Kenneth Rohde. 2005.

    Includes an attack model for "Modifying Alarms and Commands." Primary focus is on vulnerability assessment of COTS.

  • Top 10 Most Critical ICS Vulnerabilities

    Quote: "Historian server is used for data archiving and analysis and is typically an integral part of an ICS. It is usually located in a DMZ or on the corporate network. Threats to the historian include compromise of the historian host and data corruption. ICS historians typically utilize a common SQL server as its backend. The historical data is often made available for viewing via a custom Web interface or application."

    Security Goals: confidentiality < integrity < availability

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 7 | Modified data could cause operators to make incorrect decisions, potentially leading to inefficiencies or accidents.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | 4 | Attackers could learn the state of the system, configuration, and possibly launch other attacks.
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 9 | Inability of operators to view current state or change system behaviors.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | 9 | Reduced ability of operators to view current state or change system behaviors.
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 9 | Modified data could cause operators to make incorrect decisions, potentially leading to inefficiencies or accidents.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | 7 |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | 7 |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | 4 | Inability to detect source or cause of attack.
Hide activities | Network | |
Hide activities | Enterprise | |

Vignette Definition: Distributed Production Facility Management using SCADA Web-based HMI

Name: Distributed Production Facility Management using SCADA Web-based HMI
ID: web-scada-hmi
Maturity: under-development
Domain: energy
Desc: A web-based Human Machine Interface (HMI) for SCADA systems. Users can visualize and control industrial automation processes in real-time from a control interface directly in communication with remote sensors and data collection points. All facets of production can be monitored and managed from a web browser. The HMI uses various frameworks (Java, .NET, etc.) with Restful Architecture (AJAX, XML, SOAP, XSL, and WML).
Archetypes: Web browser, Web application, Web server, Endpoint System, General-purpose OS, Internet Communications, Wireless Communications, Process Control Systems, Web service, Database
Business Value Context (BVC): The current generation of SCADA systems utilizes web technologies and open protocols, which has resulted in more scalable industrial control processes but has also exposed what were previously closed systems to Internet-based cyber threats. Weak authentication is the foremost concern for web-based HMI SCADA systems due to the ubiquity of access provided by the web browser. Malware and rootkits designed to compromise web users' systems are an equally serious concern, as "Drive by Download" attacks and other attacks against web browsers are becoming increasingly common.

The second greatest threat is the lack of security checks ensuring proper authorization. Many SCADA systems, while providing some form of authentication system, lack the ability to enforce differing levels of access control between users and other critical system functions. Without effective access control design and implementation, for example, an attacker who breaches a SCADA system and who understands the control codes could spoof messages from a sensor, resulting in invalid readings that could trigger adverse actions as the system tries to correct an erroneous problem. This attack could easily trigger systemic instability across the facility, including a complete shutdown of the plant or facility, if not seriously damaging mission critical systems.

Issues of Confidentiality and Availability are typically less important security concerns for SCADA systems as a category. Network-based denial of service (DoS) attacks, which do not involve stealthy commanding of key control systems, are unlikely to affect the functioning of the SCADA system. Likewise, network sniffing (eavesdropping) attacks are less serious threats because eavesdropping on the network traffic of a SCADA system will be only marginally useful to an attacker without special training.

Notes:
References: No references recorded.

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | 10 | By manipulating memory it may be possible to cause mission critical SCADA systems to crash or become unstable.
Modify data | Application | 10 | Modify valid data reports or create false readings from SCADA sensors, causing the system to respond in an adverse manner, possibly creating instability within the plant or installation. Modify or delete SCADA system monitoring logs, alter sensor readings, or change or corrupt core files used for monitoring the SCADA system via the HMI browser. Because the SCADA system can be remotely monitored and controlled via a web application interface, an attacker who knows which application values to change can control the facility.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | 6 | Read SCADA information or steal the web client's cryptographic keys used for encrypting SCADA data. Obtain configuration information and possibly discover the key industrial systems and nodes which could be attacked. Obtain detailed information on the operations of a SCADA facility by reading application data used by the Web-based HMI control apparatus. This could allow an attacker to map out key industrial systems or monitor the operations of the facility covertly.
Read data | Application | 6 | Read and monitor SCADA in an unauthorized manner, possibly interpreting the hex codes to ascertain the status of particular SCADA sensors.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 5 | Plant administrators cannot efficiently poll data from SCADA systems due to frequent crashing and restarting of the web application controller or the HMI browser interface. An attack aimed at the web application used for controlling the SCADA plant could prevent administrators from connecting to the system and using the control interface.
DoS: unreliable execution | Network | 7 | Attacks against the Internet gateway could prevent the SCADA system from communicating with other plants or facilities.
DoS: unreliable execution | Enterprise | 5 | With a memory shortage, the HMI web-based control system becomes slow and unresponsive and possibly crashes. Controlling and monitoring plant operations becomes difficult as either the Browser HMI or the controller web application runs out of memory. Attacks against the control web application would likely cause it to crash, temporarily disabling plant control via Browser-Based HMI.
DoS: resource consumption | Application | 7 | The HMI web-based control system becomes slow and unresponsive. Controlling and monitoring plant operations is difficult because of the slow response times from the browser interface. Attacks against the control web application could slow the control processes and possibly halt them altogether until the application was restarted.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 10 | Read or modify the Browser HMI or the web application controller for the plant or facility. Executing commands via the control interface could give an attacker the ability to shut down the plant or facility, or possibly cause a catastrophic failure by causing a key system (e.g. heat exchanger) to lose efficiency or fail.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 10 | Attacker can perform administrative functions by assuming the role of an authorized administrator. The degree of damage that could be done is limited only by the privileges of the assumed role and the attacker's knowledge of the SCADA system's operation.
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 9 | Bypassing control-based protection mechanisms could allow an attacker to manipulate the SCADA system without sufficient authorization.
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | 8 | Inability to identify source of attack. Cannot obtain sufficient evidence for criminal prosecution or ensure that the attacker's footholds have been eliminated from the SCADA system.
Hide activities | Network | |
Hide activities | Enterprise | |

Page Last Updated: January 18, 2017