Common Weakness Enumeration

CWRAF Vignette Details - Domain energy

CWRAF version: 0.8.3

Date: April 3, 2013

Project Coordinator:

Document Editor:

Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses.

Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 6 vignettes within the "energy" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.

The HMI uses various frameworks (Java, .NET, etc.) with Restful Architecture (AJAX, XML, SOAP, XSL, and WML).

• Smart Meters Can Be Hacked: Security Experts
• More Researchers Point to Smart Meter Security Holes
• Smart Metering Communications Issues and Technologies
• Smart Grids and Smart Water Metering in The Netherlands

  Henk Jan Top EC – ICT for Water Management – June 11th, 2010

• Security Pros Question Deployment of Smart Meters

  Kim Zetter - March 4, 2010

• More Researchers Point to Smart Meter Security Holes

  Jordan Robertson, Mar 26, 2010

• Smart Meters Can Be Hacked: Security Experts

  Ken Kalthoff, Oct 9, 2009

• Smart Meter Security: A Work in Progress
• Private Memoirs of a Smart Meter

  Andres Molina-Markham, Prashant Shenoy, Kevin Fu, Emmanuel Cecchet, and David Irwin

• Private Memoirs of a Smart Meter

  Andres Molina-Markham, Prashant Shenoy, Kevin Fu, Emmanuel Cecchet, and David Irwin

• Private Memoirs of a Smart Meter

  Andres Molina-Markham, Prashant Shenoy, Kevin Fu, Emmanuel Cecchet, and David Irwin

Confidentiality of customer energy usage statistics is important (could be used for marketing or "illegal" purposes). Confidentiality, integrity, and availability requirements will vary depending on the specific application. For example, energy usage or billing statistics of customers are generally important for confidentiality (hourly stats could be used for monitoring activities, for example), but availability can vary from minimal (customer Home Area Networks, which have few real-time requirements) to important (portions of AMI networks that require real-time interaction).

Key management is important. Wireless interactions may be common. Some components will not be in physically secure environments. Integrity of metering data is important because of the financial impact on stakeholders. May have different priorities between monitoring and control.

• Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters

  Jonathan Pollet, CISSP, CAP, PCIP. July 2010

  Page 16 includes a breakdown of various consequences / vuln types found, focusing on the Operational DMZ (ISA99 level 3). Also talks about AMR and smart meters.

• DRAFT NISTIR 7628 - Smart Grid Cyber Security Strategy and Requiremens

  Includes logical architecture and interfaces, high level security requirements, privacy, C-1 vuln classes, other doc's for control systems

  Appendix A includes Use-Cases with various CIA analyses.

  The functional logical architecture represents a blending of the initial set of use cases and requirements that came from the workshops and the initial NIST Smart Grid Interoperability Roadmap, including the individual logical interface diagrams for the six application areas: electric transportation, electric storage, advanced metering infrastructure (AMI), wide area situational awareness (WASA), distribution grid management, and home area network/business area network (HAN/BAN).

• Cyber Assessment Methods for SCADA Security

  May Robin Permann, Kenneth Rohde. 2005.

  Includes an attack model for "Modifying Alarms and Commands." Primary focus is on vulnerability assessment of COTS.

• Top 10 Most Critical ICS Vulnerabilities

  Quote: "Historian server is used for data archiving and analysis and is typically an integral part of an ICS. It is usually located in a DMZ or on the corporate network. Threats to the historian include compromise of the historian host and data corruption. ICS historians typically utilize a common SQL server as its backend. The historical data is often made available for viewing via a custom Web interface or application."

  Security Goals: confidentiality < integrity < availability

The second greatest threat is the lack of security checks ensuring proper authorization. Many SCADA systems, while providing some form of authentication system, lack the ability to enforce differing levels of access control between users and other critical system functions. Without effective access control design and implementation, for example, an attacker who breaches a SCADA system and who understands the control codes could spoof messages from a sensor resulting in invalid readings that could trigger adverse actions as the system tries to correct an erroneous problem. This attack could easily trigger systemic instability across the facility, including a complete shutdown of the plant or facility if not seriously damaging mission critical systems.

Issues of Confidentiality and Availability are typically less important security concerns for SCADA systems as a category. Network-based denial of service (DoS) attacks, which do not involve the use of stealth commanding of key control systems are unlikely to affect the functioning of the SCADA system. Likewise, network sniffing (eavesdropping) attacks, areless serious threats because eavesdropping on the network traffic of a SCADA system will be only marginally useful to an attacker without special training.

Modify or delete SCADA system monitoring logs, alter sensor readings, or change or corrupt core files used for monitoring the SCADA system via the HMI browser. Because the SCADA system can be remotely monitored and controlled via a web application interface, an attacker who knows which application values to change can control the facility.

Obtain detailed information on the operations of a SCADA facility by reading application data used by the Web-based HMI control apparatus. This could allow an attacker to map out key industrial systems or monitor the operations of the facility covertly.