A Review of Cybersecurity Risk and Consequences For Critical Infrastructure
Abstract—This paper reviews the state of the art in risk assessment and consequences related to critical infrastructure. Different risk assessment methods are analyzed based on their goals, application domains, impacts, and consequences. This paper depicts an in-depth analysis of the existing risk assessment methods and highlights the advantages and disadvantages associated with those methods. In addition, this paper also articulates the research challenges that are associated with developing an economically quantifiable risk assessment method or framework.

Index Terms—Qualitative risk assessment, quantitative risk assessment, bulk power systems, cybersecurity, consequence analysis, critical infrastructure risks and security

I. INTRODUCTION

The advent of converged networked systems has been evident since the emergence of the Industrial Internet-of-Things (IIoT) [1]. Networked data acquisition systems in the realms of information technology (IT) and operational technology (OT) have several advantages. Some benefits include autonomous controls, increased observability, decentralized and advanced sensing and communication mechanisms [2], and the ability to integrate machine learning and artificial intelligence for precise data analytics. According to the estimates presented in Statista [3], the penetration of such smart devices across the global infrastructure is expected to grow from a current value of 26 billion devices to almost 75 billion devices by 2025. Following a similar trend, critical infrastructure automation systems are expected to grow between 11%–20% by 2022–2026 [4] [5].

Although such large penetration of IIoT in critical infrastructures such as the power and energy utilities has noticeable advantages, it is important to ensure that they do not hinder factors related to the confidentiality, integrity, and availability of the overall network and the organization. One of the emerging critical challenges related to the integration of networked devices is the expansion of the cybersecurity threat landscape. The exacerbation of the emerging cyber threats and security challenges cannot be overstated [6].

To address the IIoT-created gaps in critical infrastructures, researchers have been adopting existing frameworks and standards such as the cybersecurity capability maturity model (C2M2), National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), Cyber Security Evaluation Tool (CSET®), International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) Standard 31010, etc. These frameworks and standards are phenomenal for identifying vulnerabilities and potentially performing some extent of qualitative risk assessments, but they are not fully capable of evaluating the overall impact of networked smart systems and their associated vulnerabilities when used in support of business functions and processes. A framework that can combine rudimentary and convoluted processes to translate framework outputs into risk-informed investment strategies is needed. The discovered strategies can be further used to mitigate risk and to enforce protection measures based on established business objectives. Such a process and framework should account for loss of business continuity and business impact analysis. To identify or develop a relative risk analysis framework, we performed an extensive literature review of the existing methodologies. During the review, we found that a potentially ideal process for relatively quantifying consequences and risk factors is to map the hierarchical and sequential relationships between various attributes. The attributes include a layered list of critical cyber assets and their associated data flows, system applications, engineering consequences, responsible entities, hosting facilities, and business consequences. Lack of such a networked framework makes it non-trivial to relatively quantify the risk of cyber events and attacks.

The objective of this paper is to present our analysis of the existing frameworks and their attempts to perform relative risk analysis by associating engineering and business attributes. The rest of this paper is organized as follows: Section II provides an overview of risk assessment techniques and pertinent research questions, Section III presents an extensive review of existing risk analysis methodologies, Section IV describes associated research challenges and concluding statements.

II. RISK ASSESSMENT AND RESEARCH QUESTIONS

In keeping with commonly accepted definitions, the term “risk” may be defined as “the combination of the frequency, or probability, of occurrence and the consequence of a specified event [that is identified to do harm]” [7]. Risk assessment plays a vital role in understanding or evaluating risks associated with critical infrastructure facilities [8]. Such evaluation is often performed by answering the following research questions [9]:
• Where is the origin of risk?
• What is the time and place of occurrence of a cyber or physical event?
• What can go wrong or what are the system weaknesses that could lead to an outcome of hazardous exposure?
• What is the likelihood of a cyber or physical event?
• In case of a critical cyber or physical event, what are the expected or estimated engineering and business consequences?

The risk associated with a system or an organization varies over time, primarily because of factors such as the emergence of new threats, aging of the critical infrastructure system, and even integration of newly designed protocol-based systems. In
risk assessment processes, threats are often identified using historical and empirical data about cyberattacks, expert knowledge, known vulnerabilities in the system, and their respective likelihood and impact on the system [10]. Empirically, risk quantification may be defined as a set of threat occurrence probabilities and consequences:

= , , = 1, 2, … . , (1)
where
is the number of possible scenarios,
is the probability of occurrence of that scenario,
is the consequence of a malicious event.

In accordance with Equation (1), various cybersecurity risk assessment processes have been developed for traditional IT systems. These risk assessment processes may not be fully applicable to OT systems, because of the difference in priorities between IT and OT systems in relation to the confidentiality, integrity and availability triad. For example, unlike standard IT systems, in critical infrastructure OT systems, such as smart/power grid utilities, availability is of the highest priority, followed by integrity and confidentiality [11] [12]. Therefore, risk assessment methodologies for converged IT and OT systems are required to incorporate the mandatory protection and security measures associated with mission-critical systems. Such measures often are defined by the critical infrastructure owners (utility owners, etc.) and associated stakeholders. The following section articulates the findings derived from the literature review of various risk assessment methods.

III. REVIEW METHODOLOGY

The objective of this section is to describe some of the significant findings about existing risk assessment methodologies. A family of existing selective risk assessment methods, consequence analysis processes, and other related frameworks are evaluated and discussed. As the core component of this paper, this section evaluates the identified risk assessment methods based on the following criteria:

• Evaluation method: This attribute is used to determine whether the method performs a qualitative, quantitative, or hybrid analysis.
• Application domain: This attribute is used to determine the critical infrastructure domain used by the researchers to evaluate the risk assessment method.
• Asset identification: This attribute is used to determine whether the method performs any level of identification of critical cyber assets. These assets include software, hardware, and human entities.
• Threat scenario: Risk assessment frameworks and methodologies are often designed to evaluate the impact of a threat, so, through this attribute, the risk assessment methodologies are examined to see whether they were tested under any threat scenarios. This attribute can also be used to determine the limitations of a risk assessment method.
• Impact/consequences: The final attribute is used to determine the relationship between the risk assessment method and impact or consequence analysis.

A. Risk Assessment Methods Based on Evaluation Method

Risk assessment methods can be categorized by one of three approaches: 1) quantitative, 2) qualitative, 3) semi-quantitative (often referred to as hybrid). Based on the assessment outcomes, the application user may choose to accept, mitigate, or transfer the risk. This risk management process is based on several factors, including asset identification, threat analysis, vulnerability analysis, preliminary risk evaluation, interim analysis and reporting, risk acceptance criteria, risk mitigation measures, return on investment analysis, final reporting of findings related to engineering and business processes and impacts, and operation and maintenance analysis.

When quantitatively assessing risk, agreed-upon numerical values are assigned to commodities or entities to calculate the risk value. Quantitative assessment may be further divided into relative quantification and absolute quantification. In relative risk quantification methods, a relative score is assigned to each of the determined criteria. In some cases, the relative scores may involve rankings or weights assigned to each criterion. Finally, a unified scalar value is determined for the overall network or system under a predefined scale, such as a scale ranging from 1 to 10 where 1 is the lowest associated risk and 10 is the highest associated risk. In the case of absolute risk quantification, there are various approaches, some of which are based on historical data-based deterministic analysis (these methods are often based on actuarial tables). A largely acceptable risk quantification method is based on calculating an exposure factor, single loss expectancy, annualized rate of occurrence, and annualized loss expectancy. In the case of qualitative analysis, subjective analysis based on expert opinion is used to categorize risk as high, medium, or low. Finally, the semi-quantitative risk analysis uses attributes from both quantitative and qualitative risk analysis [13].

In the case of power systems and smart grid sectors, quantitative risk analysis methods fall under the broad category of probabilistic risk assessment, for which the goal is to predict reliability indices such as the system average interruption duration index (SAIDI) and system average interruption frequency index (SAIFI). Ciapessoni et al. [14] proposed a quantitative risk assessment method for an electric transmission system by developing a bow-tie model that combines fault and event tree analysis. The bow-tie model developed a quantitative link between causes and consequences of an unwanted event in transmission system. The main advantage of the bow-tie model is its two-stage contingency screening process that is allowed by selecting the most significant contingency and reduced computational burden. The model’s major disadvantage is its lack of appropriate mathematical models and efficient solution methods that reflect real scenarios more accurately.

In 2010, the North American Electric Reliability Corporation (NERC) Reliability Metrics Working Group introduced the Severity Risk Index (SRI) methodology in a bulk power system risk assessment concept paper [15]. SRI is an “event-driven” method that focuses on the performance of transmission system and generation resources. Qualitative weightings (probability) of load loss (60%), transmission line loss (30%), and generator loss (10%) are assigned to the system components to calculate the SRI. This method is considered a foundational attempt to quantify the performance of the bulk power system on a daily basis [16]. The SRI method was developed solely based on
technical judgment rather than on analysis of technical data, which is one of the major drawbacks of this method.

Francia et al. [17] reviewed the security best practices and risk assessment of the SCADA (Supervisory Control and Data Acquisition) system and ICSs (Industrial Control Systems) by using the CORAS framework [18]. CORAS is a model-based qualitative risk assessment method, designed for security-critical systems, that covers the entire risk management process—assets, threats, and vulnerabilities. The major advantages of the CORAS framework are that it uses Unified Modeling Language, has an integrated platform for a data repository, and has a risk assessment reporting system. The main disadvantage of the CORAS method is that it requires expert knowledge from various disciplines.

Rossebø et al. [19] introduced an in-depth, structured, qualitative SEGRID Risk Management Methodology (SRMM) for the smart grid. The objective of SRMM was to help distribution system operators (DSOs) understand potential threats and vulnerabilities. The SRMM adopts the Social Impact Magnitude approach that measured societal impacts of outages based on outage length, disturbance duration, and impact incidence (the number of people affected by the outage). This approach determines the worst-case scenario for an outage and then maps the results to the qualitative scale of very low to very high. The major advantage of SRMM is that it builds on state-of-the-art risk assessment methodologies, while providing guidance and enhancements for use in smart grids. Because of its proven effectiveness, SRMM has been implemented on several DSOs across Europe. The drawback of the SRMM framework is that no weighting is provided in the network risk management layer. Therefore, the relative importance of the assets is ignored in the SRMM framework.

The preceding risk assessment analysis based on evaluation method concludes that most of the risk assessment methods are based on subjective opinions rather than a proper mathematical foundation and that eventually becomes a drawback when trying to analyze real scenarios more accurately.

B. Risk Assessment Based on Application Domain

The objective of this section is to evaluate the risk assessment methods that are applied to specific energy delivery system application domains (e.g., ICSs, generation, transmission, distribution).

Cherdantseva et al. [20] comprehensively surveyed several existing cybersecurity risk assessment methods targeting ICSs such as SCADA systems. The review of methods in [20] showed risk assessment methods pertaining to the above application domains along with the objective and core architecture of the methods. Most of the risk assessment methods for the SCADA system were observed to focus on risk identification rather than risk evaluation.

In a survey presented by Ralston et al. [21], the authors discussed the application of various risk assessment methods to the distributed control systems. Their survey and review mostly highlighted the set of guidelines, best practices, security tools, and new technologies developed by government agencies and industry associations. Noteworthy risk assessment methods were hierarchical holographic modeling, the Risk Filtering, Ranking, and Management method, and input–output modeling (IIM). Hamoud et al. [22] addressed the risks associated with the failure of the SCADA system on a station-by-station basis. Hamoud’s approach was performed based on two event scenarios: 1) failure of control by SCADA, and 2) failure of automatic operation of the power system network. One of the main drawbacks of the proposed methodology was that it required an immense amount of information, such as average customer interruption cost, replacement cost, average revenue loss, etc. Obtaining and assessing such information is non-trivial and takes significant effort.

Alvehag [23] performed risk assessment on utility distribution domain from the customer and grid owner perspective. The consequences of the power outage from the customer perspective were measured. The measurement process was performed using interruption cost, which depends on the load model and reliability model. In that work, severe weather conditions were assumed to be the main contributing factors to power outages. The major drawback of this risk analysis is that it required customer valuation from a customer survey report, to which it is difficult to gain access.

Guo et al. [24] developed a support vector data description (SVDD)-based risk assessment method for an electricity transmission system. The SVDD method provided the most recent condition of equipment and considered the historical failure statistics of the transmission line and operation failure risks of system components. Using this method, the selection of system state based on the historical data sometimes led to incorrect directions. Those incorrect risk assessment directions were generated because some equipment is more prone to failure due to aging.

Watson et al. [25] used risk assessment-based metrics to analyze the resilience of an energy infrastructure system. The metrics in their work are forward-looking and broadly informative; resilience is defined with respect to threat/disturbance and consequences (including social consequences) related to operational system performance. To measure the consequences, economic impacts are calculated by using the probability associated with each of the possible future natural events (e.g., hurricane).

As evidenced by the preceding analysis, risk assessment methods are developed and applied to a range of power grid domains (e.g., transmission, distribution), including ICSs.

C. Risk Assessment Based on Threat Analysis

Understanding the potential threats and failure scenarios in the power application domain informs the utility risk assessment process. Threats can be categorized by human (e.g., hackers, theft, accidental) and non-human elements (e.g., flood, viruses, fire, lightning). The failure scenario represents a realistic event caused by threats that negatively affect the generation, transmission, and/or delivery of power. This section reviews some realistic cyber threats and failure scenarios that affect the power system domain and describes how they are related to risk assessment.

The growing dependency on digital communication systems in critical infrastructure facilities has made the bulk power system increasingly vulnerable to the risk of High Impact Low Frequency cyberattacks [26]. One well-known cyber incident that targeted the electricity infrastructure was reported in Ukraine in December 2015. In that attack, the adversaries successfully broke into a Ukrainian substation, tripped the
substation circuit breaker, and caused a substantial blackout [27]. In December 2016, CRASHOVERRIDE malware manipulated the substation automation protocol (IEC 61850) sequences and affected the substation transmission level in the Ukrainian power grid [28]. These Ukrainian cyber events raised the level of concern about cyber threats to electric utilities. Since then, the government agencies, utilities, the public sector, and media have emphasized the need for effective risk assessment frameworks.

In addressing the need to understand cyber threats and their impacts, the U.S. National Electric Sector Cybersecurity Organization Resource (NESCOR) Technical Working Group 1 compiled cyber failure scenarios. The objective of their work was to document the cyber threats to smart grid domains (e.g., distribution grid management, advanced metering infrastructure, demand response, etc.) [29]. The scenarios were designed to help utilities conduct risk assessments. Each of the scenarios has a detailed description that articulates the attack implementation process, associated vulnerabilities, impacts, and potential mitigations [30]. Recently, the NESCOR failure scenarios have prompted many researchers to design, evaluate, and conduct risk assessments [31, 32, 33]. Christopher and Lee [31] performed a semi-quantitative risk assessment to score the NESCOR failure scenarios based on their impacts. The impacts included negative publicity, financial loss to utility, power system instability, decrease in operational efficiency, and decrease in service reliability. In this method, the scores used for the impact criteria are 0, 1, 3, and 9. Some impact criteria and how they are scored are described in Table I.

TABLE I. IMPACT CRITERIA TABLE [31]
Criterion: How to Score
System scale
  0: Single utility customer
  1: Neighborhood, town
  3: All ET, DER, or DR customers for a utility
  9: Potentially full utility service area and beyond
Financial impact of compromise on utility
  0: Petty cash or less
  1: Up to 2% of utility revenue
  3: Up to 5%
  9: Greater than 5%
Negative impact on generation capacity
  0: No effect
  1: Small generation facility offline or degraded operation of large facility
  3: More than 10% loss of generation capacity for 8 hours or less
  9: More than 10% loss of generation capacity for more than 8 hours
Negative impact on the bulk transmission system
  0: No
  1: Loss of transmission capability to meet peak demand or isolate problem areas
  3: Major transmission system interruption
  9: Complete operational failure or shut-down of the transmission system
Immediate economic damage refers to functioning of society as a whole
  0: None
  1: Local businesses down for a week
  3: Regional infrastructure damage
  9: Widespread runs on banks
DER = Distributed Energy Resources; DR = Demand Response; ET = Electric Transportation.

Jauhar et al. [32] introduced a tool called CyberSAGE that can develop a model-based process for assessing the security risks from NESCOR failure scenarios. The tool can generate a security-augmented graph based on each of the NESCOR scenarios and evaluate the associated security metrics, such as failure probabilities. Touhiduzzaman et al. [33] proposed a cyber-physical framework that could potentially improve the mitigation strategy of some of the NESCOR failure scenarios. Improvement was achieved by allocating the resources in a diversified fashion. One of the main disadvantages of Touhiduzzaman’s framework is that it does not consider all smart grid domains. For example, it calculates the quantitative risk when a failure happens only in the distribution grid management domain.

In 2010, the Smart Grid Interoperability Panel – Cyber Security Working Group released a document that addressed different vulnerability classes that fall under the management, operational, and technical categories of the smart grid [34]. The vulnerabilities include inadequate network segregation, business logic vulnerability, the use of insecure protocols, and so on. Based on that information, the Electric Power Research Institute, Inc. developed a tool that mapped NESCOR failure scenarios to NIST Interagency/Internal Report (NISTIR) 7628 vulnerability classes. The tool has been helpful in identifying NESCOR failure scenarios related to certain business functions [35]. Power operations, metering to cash, customer services, and corporate services are examples of business functions that are identified by the executive cybersecurity risk management governance team.

When reviewing risk assessment based on threat analysis, NESCOR failure scenarios were observed to describe realistic cyber incidents that are of concern to the power system domain and provide a sufficient level of detail for developing risk assessment models. The embedded information in NESCOR documents will help to systematically draw the cyberattack flow that helps to conduct an accurate risk assessment approach.

D. Risk Assessment Based on Asset Identification

In 2017, European standardization bodies published a report that identified the information assets and considered them in the risk assessment as part of mapping dependencies to vulnerabilities [36]. In the report, smart grid asset management is mapped based on domain (e.g., generation, transmission) and zone (e.g., process, field, station, etc.). In another report [37], the expert group categorized the assets based on their protection needs and classified them into two groups: smart cyber assets (e.g., advanced metering infrastructure or AMI, intelligent electronic devices or IED, supervisory control and data acquisition or SCADA, etc.) and grid cyber assets (energy management system or EMS, distribution management system or DMS, communication link, etc.).

TABLE II ASSET CATEGORIES AND TYPES
Asset Category                Asset Type Examples
Hardware                      Server, Laptop
Network                       Routers, Gateways
People                        Database Development, Engineering
Back Office Applications      Internet, Security Software
Client Facing Applications    Web Site, Telecommunications
Data                          Customer Personal Data, Corporate Financial Data
Facilities                    Headquarters, Offices

NERC CIP-002-5 [38] identified and categorized all the bulk electric system (BES) Cyber systems based on their high, medium, or low impact on bulk electric systems. This standard
considered control centers and backup control centers, transmission stations and substations, and generation resources as their assets. NISTIR 7628 created a smart grid asset inventory for each device within a system based on the system name, type, location, firmware, threats, and vulnerabilities [30].

A practice that is complementary to risk management is that of business continuity management (BCM). BCM practices provide a framework for ensuring uninterrupted critical business functions and operations. A key step in developing a BCM plan is to map business processes to coordinating resources, the output of which is critical asset identification. Assets can then be divided into categories and types. A typical asset characterization table, as found in [39], is displayed in Table II.

E. Risk Assessment Based on Impact/Consequences

Risk assessment is also categorized based on impacts such as societal impact, economic impact, and operational impact. This type of categorization is important to all utility and customer stakeholders. The work by Fung et al. [40] proposes a mathematical model for calculating risk to the smart grid by focusing on economic impacts based on their costs and benefits. In this method, the economic impact is considered in two parts of the communication layer in the smart grid: 1) loss of control command and electricity power and 2) loss of market service and confidential information. Larsson et al. [41] identify three ways (blackout case studied, customer survey, and analytical) to assess societal cost through the breakdown of the power grid infrastructure. The electrical load value for each hour during a year is needed as an input, and from this input a series of calculations are made to create the business activity profile for achieving gross domestic product.

Some consequences directly affect the utility, including power not delivered, loss of revenue, cost of recovery, etc. Also, some consequences benefit the larger community and are indirectly related to utilities [42]. Some consequences extracted from the NESCOR failure scenario help determine the impact ranking criteria or scoring methodology [29].

Consequences include the financial impacts of compromise on the utility, restoration costs, negative impacts on generation capacity, negative impacts on customer service and billing function, etc. Table III shows examples of consequences categories that can be considered for risk assessment metrics.

TABLE III CONSEQUENCES CATEGORIES WITH RISK ASSESSMENT METRICS
Column groups: Evaluation Method (Qualitative, Quantitative, Semi-Quantitative); Assessment Domain (System Level: Generation, Transmission, Distribution, SCADA; Component); Threat Scenario (Man-made, Natural, Cyber); Impact/Consequences (Economical, Social, Operational)
Ref
[41] x x X x x x
[19] x x x x
[32] x x x x x x x
[33] x x x x
[40] x x x x
[29] x x x x x x x
[43] x x x x x x
[44] x x X x

Business Blackout [43], a report published by Lloyd’s of London and the University of Cambridge’s Centre for Risk Studies, examines the economic and insurance implications of a severe, yet plausible, cyberattack against the U.S. power grid. The report describes a scenario in which adversaries destabilize 50 generators, leave 93 million people without power, and cause a $243 billion impact on the U.S. economy.

Fragility curves have been used extensively to calculate the consequences of power system disruption caused by natural disasters [44] [45] [46]. Panteli et al. [44] demonstrate a relationship between failure probabilities and wind speed by developing a fragility curve. The fragility curve is achieved by applying a sequential Monte-Carlo-based time-series simulation model where the stochasticity of weather effects on transmission lines and the model of tropical cyclone (TC) winds during a cyclone are considered. One of the disadvantages of the paper is that the uncertainty associated with different parameters during the calculation of wind speed would result in the collapse of a transmission tower. Dunn et al. [45] proposed a catastrophe risk modeling approach for assessing the risks related to independent assets during wind storm hazards. The major limitation in their study was that the model did not consider the accurate fault location, event time, and the age of assets, and those limitations led to an imprecise risk assessment.

IV. RESEARCH CHALLENGES AND CONCLUSION

Due to the large integration and interconnection of information technology (IT) systems on the OT network, it is non-trivial to precisely map the cyber surface of critical infrastructure. A proper cybersecurity risk assessment framework for critical infrastructure that will cover both IT and OT networks is required; otherwise the critical infrastructure may be unnecessarily exposed to cybersecurity risks. The development of a risk assessment model for critical infrastructures such as power systems is a challenging task. It is non-trivial to identify and compute the qualitative and quantitative parameters to perform risk assessment on the critical infrastructures. Following are some of the high-level challenges that are associated with the previous statement: 1) Lack of trustworthy and sufficient statistical data makes it almost impossible to develop reference models that can be used to estimate risk values; 2) Lack of standardized power systems architectures across the utilities eliminates the possibility of developing a universal model that fits for all. In the current power utility landscape, each utility may need to be individually evaluated to perform accurate risk quantification; 3) As stated
in the previous sections, most of the existing risk assessment models are either custom fit to
a specific application or they are built upon a set of assumptions. In either of those cases,
any level of deviation from the application specifications or the assumptions will lead to
inaccurate predictions. Although the above-defined challenges indicate the need for more
research in the risk analysis domain, some of the existing frameworks can still be used by
abiding by the frameworks’ prerequisites. Based on our findings, we have identified potential
methods to bridge some gaps across those three high-level challenges. Upon further development
and testing of our on-going research-based risk framework, our future publications will focus
on demonstrating the core architecture and associated parameters of our risk framework that
target critical infrastructures.

REFERENCES

[1] J. Gubbi, R. Buyya, S. Marusic and M. Palaniswami, "Internet of Things (IoT): A vision, architectural elements, and future directions," Elsevier Journal of Future Generation Computer Systems, vol. 29, no. 7, pp. 1645-1660, 2013.
[2] L. Atzori, A. Iera and G. Morabito, "The Internet of Things: A Survey," Elsevier Journal of Computer Networks, vol. 54, no. 15, pp. 2787-2805, 2010.
[3] Statista, "Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions)," Statista, 2019. [Online]. Available: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/.
[4] Actiontec, "Smart Home Devices Expected to Experience Double-Digit Growth Through 2022," 2018. [Online]. Available: https://www.actiontec.com/wifi-market-research/smart-home-devices-expected-to-experience-double-digit-growth-through-2022/.
[5] MarketWatch, "Building Automation and Control Systems Market Size, Share, Report, Analysis, Trends & Forecast to 2026," 2019. [Online]. Available: https://www.marketwatch.com/press-release/building-automation-and-control-systems-market-size-share-report-analysis-trends-forecast-to-2026-2019-01-02.
[6] R. Weber, "Internet of Things - New Security and privacy challenges," Elsevier Journal on Computer Law and Security Review, vol. 26, no. 1, pp. 23-30, 2010.
[7] IEC 60300-3-9, "Dependability management - Part 3: Application guide - Section 9: Risk analysis of technological systems," 1995.
[8] U.S. DHS, "Critical Infrastructure Sectors," U.S. Department of Homeland Security. [Online]. [Accessed 2015-2019].
[9] B. Garrick and S. Kaplan, "On the quantitative definition of risk," Risk Analysis, vol. 1, no. 1, 1981.
[10] L. Langer and M. Kammerstetter, "The evolution of the smart grid threat landscape and cross-domain risk assessment," in Innovative Solutions for a Modernized Grid, Syngress, 2015, pp. 49-77.
[11] IEC62443-2-1, "Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program," 2010.
[12] National Institute of Standards and Technology (NIST), "NISTIR 7628, Revision 1. Guidelines for Smart Grid Cybersecurity: Volume 1: Smart Grid Cybersecurity Strategy, Architecture, and High Level Requirements, Volume 2: Privacy and the Smart Grid, Volume 3: Supportive Analyses and References," 2014. [Online]. Available: http://nvlpubs.nist.gov/nistpubs/.
[13] European union agency for network and information security, [Online]. Available: http://www.enisa.europa.eu/activities/risk-management/current-risk/risk-managementinventory.
[14] E. Ciapessoni, D. Cirio, G. Kjølle, S. Massucco, A. Pitto and M. Sforna, "Probabilistic Risk-Based Security Assessment of Power Systems Considering Incumbent Threats and Uncertainties," IEEE Transactions on Smart Grid, vol. 7, no. 6, pp. 2890-2903, 2016.
[15] "Integrated Bulk Power System Risk Assessment Concepts," NERC, 2010.
[16] NERC Performance Analysis Subcommittee, "SRI Enhancement," NERC, 2014.
[17] G.A. Francia III, D. Thornton, and J. Dawson, "Security best practices and risk assessment of SCADA and industrial control systems," in Proc. 16th Colloquium Inf. Syst. Security Educ., Lake Buena Vista, FL, USA, 2012.
[18] K. Stolen et al., "Model-based risk assessment – the CORAS approach."
[19] J. E. Y. Rossebø, R. Wolthuis, F. Fransen, G. Björkman and N. Medeiros, "An Enhanced Risk-Assessment Methodology for Smart Grids," Computer, vol. 50, no. 4, pp. 62-71, 2017.
[20] Y. Cherdantseva, P. Burap, A. Blyth, P. Eden, K. Jones, H. Soulsby and K. Stoddard, "A review of cyber security risk assessment methods for SCADA systems," Computer and security, pp. 1-27, 2016.
[21] P.A.S. Ralston, J.H. Graham and J.L. Hieb, "Cyber security risk assessment for SCADA and DCS networks," ISA Transactions, pp. 583–594, 2007.
[22] G. Hamoud, R. -. Chen and I. Bradley, "Risk assessment of power systems SCADA," in 2003 IEEE Power Engineering Society General Meeting, Toronto, 2003.
[23] K. Alvehag, "Impact of dependencies in risk assessments of power distribution systems," PhD dissertation, Dept. Elect. Power Syst., Royal Inst., Stockholm, 2008.
[24] L. Guo, Q. Qiu and J. Liu, "Power transmission risk assessment considering component condition," J. Mod. Power Syst. Clean Energy, vol. 2, no. 1, pp. 50-58, 2014.
[25] J.P. Watson, R. Guttromson, C. Silva-Monroy, et al., "Conceptual Framework for Developing Resilience Metrics for the Electricity, Oil, and Gas Sectors in the United States," Technical Report SAND2014-18019, Sandia National Laboratories, 2016.
[26] NERC, "High-Impact, Low-Frequency Event Risk to the North American Bulk," A Jointly-Commissioned Summary Report of the North American Electric Reliability Corporation and the U.S. Department of Energy, June 2010.
[27] "Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use," Electricity Information Sharing and Analysis Center (E-ISAC)/SANS, March 2016.
[28] "CRASHOVERRIDE: Analyzing the Threat to Electric Grid Operations," Dragos, 2017.
[29] "Electric sector failure scenarios and impact analyses," Electric Power Research Institute, June 2014.
[30] "Electric sector failure scenarios common vulnerabilities and mitigations mapping," Electric Power Research Institute, Tech. Rep., June 2014.
[31] J. D. Christopher and A. Lee, "Integrating Electricity Subsector Failure Scenarios into a Risk Assessment Methodology," EPRI, Tech. Rep., December 2013.
[32] S. Jauhar, B. Chen, W. G. Temple, X. Dong, Z. Kalbarczyk and W. H. S. a. D. M. Nicol, "Model-Based Cybersecurity Assessment with NESCOR Smart Grid Failure Scenarios," in IEEE 21st Pacific Rim International Symposium on Dependable Computing (PRDC), 2015.
[33] M. Touhiduzzaman, A. Hahn and A. Srivastava, "A Diversity-based Substation Cyber Defense Strategy utilizing Coloring Games," IEEE Transactions on Smart Grid, 2018.
[34] The Smart Grid Interoperability Panel – Cyber Security, "Guidelines for Smart Grid Cyber Security: Vol. 3, Supportive Analyses and References," NISTIR 7628, August 2010.
[35] "NESCOR failure scenario toolkit," EPRI, [Online]. Available: smartgrid.epri.com/doc/NESCOR%20Failure%20Scenario%20Toolkit%20Final.xlsm.
[36] CEN-CENELEC-ETSI Coordination Group on Smart Energy Grids (CG-SEG), "SEGCG/M490/G_Smart Grid Set of Standards 22," European Standards Organizations, 2017.
[37] Expert Group on the security and resilience of communication networks and information systems for smart grids, "Cyber Security of the Smart Grids," European Commission.
[38] NERC, "CIP-002-5 – Cyber Security – BES Cyber System Categorization," 2016.
[39] European Network and Information Security Agency (ENISA), "IT Business Continuity Management," 2010.
[40] C. C. Fung, M. A. Roumani and Kit Po Wong, "A proposed study on economic impacts due to cyber attacks in Smart Grid: A risk based assessment," in 2013 IEEE Power & Energy Society General Meeting, Vancouver, BC, 2013.
[41] M. B.-O. Larsson, G. Björkman and M. Ekstedt, "Assessment of Social Impact Costs and Social Impact Magnitude from Breakdowns in Critical Infrastructures," in International Workshop on Critical Information Infrastructures Security, 2013.
[42] E. Vugrin, A. Castillo and C. Silva-Monroy, "Resilience Metrics for the Electric Power System: A Performance-Based," SAND2017-1493, Sandia National Laboratories.
[43] Lloyd's and University of Cambridge Centre for Risk Studies, "Business Blackout: The insurance implications of a cyber attack on the US power grid," Lloyd's, 2015.
[44] M. Panteli, C. Pickering, S. Wilkinson, R. Dawson and P. Mancarella, "Power System Resilience to Extreme Weather: Fragility Modeling, Probabilistic Impact Assessment, and Adaptation Measures," IEEE Transactions on Power Systems, vol. 32, no. 5, pp. 3747-3757, 2017.
[45] S. Dunn, S. Wilkinson, D. Alderson, H. Fowler, and C. Galasso, "Fragility Curves for Assessing the Resilience of Electricity Networks Constructed from an Extensive Fault Database," Natural Hazards Review, vol. 19, no. 1, pp. 1-10, 2018.
[46] S. N. Rezaei, "Fragility assessment and reliability analysis of transmission lines subjected to climatic hazard," PhD thesis, McGill University, Quebec, Canada, 2016.
[47] M. Ellison et al., "NISTIR 7628 User's Guide," Smart Grid Interoperability Panel, 2014.