D2
Information systems & telecommunication

Cybersecurity: Future threats and impact on electric power utility organizations and operations

Reference: 796
March 2020

WG D2.46

Members

D.K. HOLSTEIN, Convenor (US)
T.W. CEASE, Secretary (US)
C. NEWTON (US)
V. KARANTAEV (RU)
W. WEBB (US)
R. KING (US)
T. ZHANG (CN)
J.M. STORM (NO)
S. NESTEROV (RU)
G. ARROYO-FIGUEROA (MX)
P.K. AGARWAL (IN)
M. TALJAARD (ZA)
J. WACK (US)
C.C. LIU (US)
E. MORALES (CL)

Corresponding Members

G. RASCHE (US)

Copyright © 2020
“All rights to this Technical Brochure are retained by CIGRE. It is strictly prohibited to reproduce or provide this publication in any
form or by any means to any third party. Only CIGRE Collective Members companies are allowed to store their copy on their
internal intranet or other company network provided access is restricted to their own employees. No part of this publication may
be reproduced or utilized without permission from CIGRE”.

Disclaimer notice
“CIGRE gives no warranty or assurance about the contents of this publication, nor does it accept any responsibility, as to the
accuracy or exhaustiveness of the information. All implied warranties and conditions are excluded to the maximum extent permitted
by law”.

ISBN : 978-2-85873-501-3

TB 796 – Cybersecurity: Future threats and impact on electric power utility organizations and operations

Executive summary
Introduction
WG D2.46 built this technical brochure leveraging the extensive research by others – 76 references are
included in the bibliography and cited in the main body text and annexes of the technical brochure.
Working group subject matter experts then tailored the findings of this research for EPU applications.
The approach used is well-aligned with the concepts described for the “Grid Architecture” in the
September/October 2019 issue of IEEE Power & Energy magazine.

Based on assessments and supporting data in existing standards, technical brochures, and open-source
documentation, a portrait of the emerging threat landscape was developed for the near-term planning
horizon of 10 years and for the long term of 20 years. Overlaid on this portrait was the imposition of
emerging local laws and regulations. For the two planning horizons, estimates of the impact on EPU
cyber-physical security policies, procedures and organizational directives were derived. Each impact
was then associated with recommended solutions to improve the security posture of EPU operations.
For example, in the near term the architecture and capabilities needed to implement an integrated
security operation centre and the technical skills of the centre’s personnel were addressed.

To guide this work, a world-wide survey was conducted to prioritize the most important issues to EPU
stakeholders. Together with other general surveys found in the open literature, this survey exposed
several issues.

1) Protection of mission-critical functions and their data requires unique cyber-physical security
skills and advanced tools such as big data analytics to detect and mitigate an attack early in
the attacker’s kill chain.
2) Timely response actions require new capabilities embedded in intelligent electronic devices
and communication network components to provide the data needed for actionable
intelligence assessments.
3) Based on IEC 62443-2-4, certification of vendor cyber-physical security solutions is needed
for selecting the best approach for the long term.
4) Information sharing requires new technologies to ensure the protection of sensitive data while
in transit or when stored in authorized repositories.
A well-defined model-based system engineering process was used to define black box and white box
views of selected systems of interest. For this purpose, a commercial tool based on the Open
Management Group system modelling language was selected. The tool was used to construct business
process models to visualize the processes and their interactions between EPU organizations. These
models were used to capture:

▪ The actors involved in the system of interest and the information flow among them.
▪ The relevance of the information to the humans or device entities receiving it.
▪ The use of the information in terms of the action taken.
▪ The quality of the information needed to perform the action taken.
System model constructs were used to identify the need to satisfy specific laws and regulations. In
response, it was clear that changes to EPU policies, procedures, and organizational directives were
needed to seamlessly integrate security and data protection into normal operations. For example,
the models expose the need for a combined role-based and attribute-based access control
management plan.

Summary of findings and recommendations


Some of the key take-away points from this work are:

▪ There is no standard methodology or set of metrics to support the projections of emerging threats,
the composition of the future grid, and the interaction between them.
▪ Strategic cyber-physical security planning is critical for EPUs to proactively, rather than
reactively, improve their cybersecurity protection posture. Selecting the best plan and options to
cope with the emerging threats, regulations, and technologies needs well-defined measures of
success.
▪ Given the dynamics of the threat environment, advances in cyber-physical security solutions,
and new laws and regulations, EPUs need to automate their awareness assessment process
and analytics. For example, the emerging trend in attack sophistication requires EPUs to
develop a complete understanding of the kill chain approach and to share data with national
agencies and other EPUs in a timely and secure manner.
▪ Most surprising from the survey response was the current lack of EPU demand for vendor
security certification, or, more to the point, for vendor conformance to security standards.
This Technical Brochure identified the need for several future works:

▪ Develop case studies to assess the benefits and challenges for EPUs of deploying a
deception-based strategy to complement an anomaly-based detection strategy. Focus attention on
the strong coupling between a simplified maturity model and the kill chain model.
▪ Develop classes of metrics that can be used by other CIGRE study committees to quantify
cyber-physical security solutions in terms of deployment rate, response rate, and degree of
complexity.
▪ Develop a logical architecture for using cloud-based services to augment the capabilities of
an integrated security operations centre.

In conclusion
This Technical Brochure offers an in-depth view of the issues, benefits, and concerns of proposed
solutions that should be considered by EPU security teams. These focus on the need for improved
people skills, dramatic changes to policies, procedures and organizational directives to assign
responsibility and accountability for maintaining a mature security posture, and the use of advanced
technologies and tools to implement a proactive or anticipatory security strategy.


Contents
Executive summary ................................................................................................. 2

1. Scope.................................................................................................................. 8

2. Introduction........................................................................................................ 9
2.1 Background ........................................................................................................................... 9
2.2 Model-based systems engineering ................................................................................... 10
2.3 Complying with the need to protect sensitive data ......................................................... 11
2.4 The need for strong access control and use control ....................................................... 13
2.5 Conforming to existing and emerging standards ............................................................ 15
2.6 Data protection impact assessment .................................................................................. 15
2.7 Risk Management ............................................................................................................... 16
2.7.1 Risk management decisions................................................................................... 16
2.7.2 Cyber exposure gap analysis ................................................................................. 18
2.7.3 Cloud threat issues ................................................................................................. 19
2.8 Business Impact Analysis .................................................................................................. 19
2.9 Business continuity management ..................................................................................... 20

3. Projecting the future........................................................................................ 22


3.1 Future systems need digital focus and high-powered analytics .................................... 22
3.2 Cloud-based solutions are the enablers ........................................................................... 22
3.2.1 Making the case for cloud migration ....................................................................... 22
3.2.2 Leveraging software defined networking ................................................................ 23
3.2.3 How SDN works ..................................................................................................... 23
3.2.4 Leveraging network function virtualization .............................................................. 26
3.2.5 The need for orchestration ..................................................................................... 26
3.2.6 Necessary concept of separation of controls .......................................................... 27
3.2.7 Leveraging cloud access security brokers .............................................................. 27
3.2.8 SDN management requirements and challenges ................................................... 28
3.3 Threat intelligence .............................................................................................................. 29
3.3.1 The need to leverage threat intelligence ................................................................ 29
3.3.2 Threat hunting ........................................................................................................ 31
3.4 A proactive approach to thwarting advanced cyberattacks............................................ 32
3.4.1 Deception is an effective solution ........................................................................... 32
3.4.2 Understanding the kill-chain model ........................................................................ 32
3.4.3 Threats inside EPU’s IT and OT networks ............................................................. 34
3.4.4 Solutions for using pervasive deception ................................................................. 34
3.4.5 Deploying a deception strategy .............................................................................. 35
3.5 Building the operations center of the future .................................................................... 35
3.5.1 Finding the solution ................................................................................................ 35
3.5.2 Operational requirements for an OpCF .................................................................. 35
3.5.3 Key principles for an OpCF .................................................................................... 35
3.5.4 Integrating security into OpCF ................................................................................ 36
3.6 Regulatory approaches to enhance EPU’s cybersecurity frameworks .......................... 37
3.6.1 Background ............................................................................................................ 37
3.6.2 Regulatory needs ................................................................................................... 37


4. Summary of findings and recommendations ................................................ 39


4.1 Key take-away points ......................................................................................................... 39
4.2 Four stages of secure enterprise information management ........................................... 39
4.3 Lessons learned from the Newton-Evans survey ............................................................ 40
4.4 Recommendations for future work .................................................................................... 40

5. Planning horizon assessment methodology ................................................. 41


5.1 Planning horizon template ................................................................................................. 41
5.2 Metrics and key performance indicators .......................................................................... 41
5.3 Leverage trends in EPU modernization programs ........................................................... 41
5.3.1 General research trends ......................................................................................... 41
5.3.2 EPU-centric research trends .................................................................................. 42

6. Identification of applicable standards, CIGRE TBs, and open source


documents ....................................................................................................... 45
6.1 Applicable standards .......................................................................................................... 45
6.2 Applicable CIGRE Technical Brochures ........................................................................... 45
6.3 Applicable open source documents ................................................................................. 45

7. Impact assessment and solutions .................................................................. 46


7.1 Understanding threat actor’s motivation .......................................................................... 46
7.2 Response to evolving cybersecurity threats over the long term .................................... 47
7.3 Coping with the dynamics and complexity of security management schemas ............ 48
7.4 The need to automate awareness assessment ................................................................ 49

8. The way forward – Strategic planning............................................................ 50


8.1 The challenge ...................................................................................................................... 50
8.1.1 Apply the Baker criterion ........................................................................................ 50
8.1.2 Conform to the EPU’s unique management style ................................................... 50
8.1.3 Disassociate desired states from the actual state of cybersecurity protection ........ 50
8.1.4 Decisions rules need to be robust .......................................................................... 50
8.1.5 The characteristics of system behaviour ................................................................ 51
8.2 Recommended strategic planning process ...................................................................... 51
8.3 Measures of success to manage the adaptability of the strategic plan ......................... 51
8.4 Effective execution of EPU’s strategic plan ..................................................................... 51

Annex A . Definition of terms and acronyms ....................................................... 53


A.1 Definition of terms .............................................................................................................. 53
A.2 Acronyms and abbreviations ............................................................................................. 56

Annex B . Model-based strategic planning framework ....................................... 59


B.1 Introduction ......................................................................................................................... 59
B.2 Assess the projected impact of the threat landscape on EPU’s mission ...................... 59
B.3 Establish goals and criteria to address the threat issues ............................................... 60
B.4 Assess the future risk reduction alternatives .................................................................. 62
B.5 Resource the strategic plan ............................................................................................... 63
B.6 Execute the strategic plan.................................................................................................. 63


Annex C . Cybersecurity extensions for EPU planning horizons ....................... 65


C.1 Kerzner’s maturity foundation ........................................................................................... 65
C.2 Nemertes Research’s maturity model ............................................................................... 65
C.3 Advanced persistent threat challenges ............................................................................ 66
C.4 Leveraging tactical data fusion ......................................................................................... 67
C.5 Information sharing ............................................................................................................ 68

Annex D . Integrated security operations centre ................................................. 69


D.1 Introduction ......................................................................................................................... 69
D.2 ISOC architecture................................................................................................................ 69
D.3 Event monitoring and management .................................................................................. 70
D.4 ISOC planning requirements and development ............................................................... 71
D.5 Concept for a federated security operations centre ........................................................ 72

Annex E . Newton-Evans survey results .............................................................. 75


E.1 North America EMS/SCADA/DMS report series ............................................................... 75
E.2 The need for vendor security certification........................................................................ 77
E.3 The need for external assistance ...................................................................................... 78
E.4 Demarcation between IT and OT networks ....................................................................... 79

Annex F . Understanding the shared responsibility model................................. 80


F.1 Shared responsibility model .............................................................................................. 80
F.2 Threat vectors in the cloud ................................................................................................ 80

Annex G . Service function chaining – an emerging technology ....................... 82


G.1 The need for service function chaining ............................................................................ 82
G.2 SFC concept and its implementation ................................................................................ 82

Annex H . Bibliography.......................................................................................... 83


Table of figures
Figure 1 – Satisfy local laws and regulations ........................................................................................... 11
Figure 2 – Sensitive data context ............................................................................................................. 12
Figure 3 – Enumeration of roles and permissions .................................................................................... 13
Figure 4 – Enumeration of attribute access controls ................................................................................ 14
Figure 5 – Enumeration of personal identifiable information .................................................................... 15
Figure 6 - Risk management tiers ............................................................................................................ 17
Figure 7 - Notional information and decision flows within an organization ............................................... 18
Figure 8 – Business continuity process interactions................................................................................. 20
Figure 9 - Illustrative scheme BCM & incident lifecycle in Bank Rakyat of Malaysia ................................ 21
Figure 10 – Packet flow in an OpenFlow switch [28] ................................................................................ 25
Figure 11 - Threat hunting loop ................................................................................................................ 32
Figure 12 – Cyberattack life cycle – kill-chain model................................................................................ 33
Figure 13 – DevSecOps integrates security into OpCF............................................................................ 36
Figure 14 – Cybersecurity software for control systems ........................................................................... 43
Figure 15 – Cybersecurity consulting ....................................................................................................... 44
Figure 16 – Consulting services by type of service provider .................................................................... 44
Figure 17 – States assumed by requirements .......................................................................................... 49
Figure 18 - Assess impact of threat landscape and interaction with the future grid ................................. 60
Figure 19 - Update strategic plan guidance ............................................................................................. 62
Figure 20 - Recommend cybersecurity solutions for the strategic plan .................................................... 62
Figure 21 - Compare resourced alternatives ............................................................................................ 63
Figure 22 - Execute action plan................................................................................................................ 64
Figure 23 - Nemertes maturity model ....................................................................................................... 65
Figure 24 – Example of high-level ISOC architecture .............................................................................. 70
Figure 25 - Concept for a federated security operations centre ............................................................... 73
Figure 26 - Outside assistance for cyber related activities ....................................................................... 75
Figure 27 - Projection for year 2019 ......................................................................................................... 76
Figure 28 - Use of encryption to/from substations .................................................................................... 76
Figure 29 – International observations on the user of encryption ............................................................. 77
Figure 30 - The need for vendor security certification .............................................................................. 77
Figure 31 - International need for vendor security certification ................................................................. 78
Figure 32 - North America's need for external assistance ........................................................................ 78
Figure 33 - International need for external assistance ............................................................................. 79
Figure 34 - Separation of responsibilities ................................................................................................. 80

Table of tables
Table 1 – INCOSE characteristics of SoS ................................................................................................ 27
Table 2 – CASB requirements.................................................................................................................. 28
Table 3 – Traditional versus SDN management activities [29] ................................................................. 28
Table 4 – Transitioning EPU network operations ..................................................................................... 35
Table 5 – Regulatory needs ..................................................................................................................... 38
Table 6 – 2017 U.S. market size estimates in $MUSD ............................................................................ 42
Table 7 – 2018-2020 U.S. Outlook in $MUSD ......................................................................................... 42
Table 8 – Contribution of applicable standards ........................................................................................ 45
Table 9 – Contribution of applicable CIGRE TBs ..................................................................................... 45
Table 10 – Contribution of applicable open source documents ................................................................ 45


1. Scope
This Technical Brochure (TB) reviews the assessments and supporting data in existing standards,
technical brochures, and open-source documentation to characterize the evolving threat landscape and
the imposition of local laws and regulations over the near-term (next 10 years) and long-term (next 20
years) planning horizons. For the two planning horizons, estimates of the impact on Electric Power
Utility (EPU) cybersecurity policies, procedures, and organizational directives (PP&OD) are described.
Each impact is associated with recommended solutions to improve the security posture of EPU
operations. For example, in the near term the architecture and capabilities needed to implement an
integrated security operation centre (ISOC) and the technical skills of ISOC personnel are addressed.


2. Introduction
2.1 Background
In general, EPU project managers face the daunting task of balancing limited resources to prioritize the
procurement, training, and support logistics required to maintain and upgrade operational reliability and
performance. IEEE Power System Communications and Cybersecurity (PSCC) has commissioned S10
(Study Group on utility and municipality challenges in understanding cybersecurity challenges) to
address some of these issues. Annex E shows the results of a recent Newton-Evans survey. The
situation is further exacerbated because EPUs lack the tools to understand the true value of their
projects and continue to make decisions within their department silos. Zpryme surveyed more
than 160 primarily North American utilities¹ to address the need for cross-enterprise decision support [1].
Their key findings include:

▪ 90% of utilities seek to understand how their investments impact their triple bottom line –
financial, societal, and environmental.
▪ 83% of utilities want to move away from departmental autonomy towards greater enterprise-wide
accountability.
▪ Over 80% of utilities feel that enterprise-wide accountability will be increasingly important over
the next three to five years.
▪ Only 8% of utilities feel their project portfolio management tools are helping their organizations
make executive-level portfolio decisions.
▪ Only 5% of utilities are happy with their current investment decision state.
Kerzner’s systems approach to planning, scheduling, and controlling these activities is described in
nearly 1000 pages [2]. It is an excellent foundational approach, and this TB builds on it.

Forecasting cybersecurity requirements adds significant complexity and new dimensions to the
traditional systems approaches. For this reason, it is well beyond the scope of this TB to offer
modifications to Kerzner’s approach that would include the dynamics and uncertainty of cybersecurity
threats and evolving solutions.

To address this challenge, WG D2.46 examined common EPU project management schemas to
identify possible improvements for system and process resilience aimed at coping with the dynamics
and uncertainty of the cybersecurity landscape².

The cybersecurity threat landscape is rapidly evolving [3]. EPUs need a prediction of the evolution of
these threats, the corresponding changes to local laws and regulations, and the need for
standardization. The planning horizon for these estimates should be divided between the near term
(next 10 years) and the long term (next 20 years). The assessment of the impact should include
recommended changes to EPU cybersecurity PP&ODs and solutions to improve the security posture
of EPU organizations and operations.

The rapid adoption of cloud services, software as a service (SaaS) and infrastructure as a service (IaaS)
has transformed digital business and has fundamentally reshaped the challenge of defending the
enterprise against advanced threats [4]. As noted in that white paper, EPU motivation is driven by the
need to cut costs and increase efficiency. In this technical brochure, WG D2.46 views the transition to
cloud services over the next 10 to 20 years as an essential conduit for future operations that require
advanced analytics for big data sets and support for edge computing and devices attached to the Smart
Grid.

A coherent view of the EPU’s environment is needed to plan a graceful evolution of security solutions that
addresses new threat vectors expanding at an alarming rate. As further noted in [4], this trend
presents a special challenge for strained security teams, who must now cope with an environment

—————————

1 Services provided: electric – 94%, gas – 29%, water – 28%, wastewater – 17%, solid waste – 7%.

2 This TB adopts the International Council on Systems Engineering (INCOSE) formal definition of a system.

TB 796 – Cybersecurity: Future threats and impact on electric power utility organizations and operations

where they have limited visibility and control, and where their familiar on-premises security tools are
often not applicable.

Technical controls are required, but they are not enough. These plans must include people, processes,
and technology. Annex F describes the shared responsibility model (SRM), which delineates the
respective areas of the cloud that service providers and EPUs are expected to manage and secure.
While the EPU’s responsibilities vary across the services (e.g., IaaS and SaaS), the SRM illustrates
that outsourcing certain processes to the cloud does not amount to outsourcing EPU’s security function
altogether, which supports the need for an integrated security operation centre (ISOC).

2.2 Model-based systems engineering


This TB uses model-based systems engineering (MBSE) as codified in the Object Management Group
(OMG) Systems Modeling Language (SysML)3. The SysML notation and the use of the modelling
semantics are described in [5-7]. MBSE also includes business process model (BPM) constructs that are
used in this TB (see Annex B). BPM provides a visualization of the process flow and of the interaction
between EPU organizational entities. MBSE is well aligned with the concepts described for the “Grid
Architecture” in the September/October 2019 issue of IEEE Power & Energy magazine[8].

For EPU’s requirements engineers and analysts, these models are used to capture:

▪ The actors involved in the system of interest (SoI) and the information flow among them.
▪ The relevance of the information to the entities (human or device) receiving the information.
▪ The use of the information in terms of the action taken.
▪ The quality of the information needed to perform the action taken.
Other than the cybersecurity metrics reports 4 by EPRI[9, 10], WG D2.46 could not identify any
documents that address the means to verify compliance with local laws and regulations, or conformance
to applicable standards. For this reason, this technical brochure defines and applies a framework for
verification.

The Zachman life cycle framework[11] is followed to ensure the development of a coherent model that
describes the functional components and logical architecture of the SoI. The model is based on a
description of the user’s needs and concept of operations (ConOps), which system engineers commonly
use to articulate their mission element needs statement (MENS). Technical and non-technical
requirements derived from the user needs and ConOps are then used to ensure positive control over the
configuration process and timely reporting of misconfiguration alarms, component failures, or access
intrusion events to a user interface.

These requirements are specified so that they can be verified by inspection, demonstration, test, or
analysis. For example, most documentation is verified by inspection, with the caveat that it shall be an
“approved” document. Verification by demonstration is usually performed in a hosted environment,
as for a factory acceptance test (FAT), whereas a site acceptance test (SAT) is performed with live data
feeds in a quality assurance test (QAT) laboratory or as a prototype deployed in a field test
environment. In either case, FAT, SAT, QAT or any combination thereof shall be performed in
accordance with approved test procedures. All inspection, demonstration, and test verification shall be
supported by analysis in a report approved by the designated authorities. These reports provide the
“real evidence” needed for audits and other forms of certification. The results are not simply pass or
fail: for example, a test may show that a requirement was not fully satisfied, and the report is then
deemed acceptable only if it includes an approved remediation plan.

—————————

3 With permission, No Magic, Inc. provided WG D2.46’s convenor an integrated set of MBSE tools and technical support to
visualize the relationships and interactions between model components.
4 EPRI reports provide EPUs guidance towards developing and implementing a program of security metrics by describing metric
principles, hierarchical structures, calculation formulae, etc.


For these reasons, the MBSE views shall describe measures of effectiveness (MoEs) that can be
verified by inspection, demonstration, test, analysis, or combinations thereof. The metrics described in
the EPRI reports are good examples of MoEs.

2.3 Complying with the need to protect sensitive data


At level 1, Figure 1 shows the relationships among local laws and regulations, such as the European
Union (EU) General Data Protection Regulation (GDPR) and the North American Electric Reliability
Corporation (NERC) Critical Infrastructure Protection (CIP) standards. In turn, at level 2, the EPU’s
PP&ODs must be traceable to those local laws and regulations. At level 3, implementation of specific
EPU security objectives (e.g., remote service security) must satisfy the PP&ODs as well as the local
laws and regulations.

Figure 1 – Satisfy local laws and regulations

Although the GDPR is focused on ‘personal data’, this TB applied the same regulatory specifications to
sensitive data. Furthermore, [12, 13] explain the need to comply with the GDPR for all companies doing
business within the EU’s jurisdiction. A comprehensive description of similar laws and regulations in 80
countries is provided in [14, 15].

Each SysML ‘block’ includes a <<type>> for typing the block information, an id for cross referencing,
and text describing the requirement objective.

Figure 2 describes the context of the term ‘sensitive data’. In general, all data is defined in terms of the
sector in which it is used. This TB is focused on the energy sector. A specialization of data is ‘sensitive
data’ that is defined in terms of the domain in which it is used. The enumeration of domains applies to
all EPU activities.

Data classification is a directed part of the block ‘sensitive data’. Data classification may be determined
by a governing authority such as those enumerated in Figure 2. The cardinality is indicated by 0..* on
the directed association connection between ‘sensitive data’ and ‘data classification’.

▪ The cardinality shown on the arrowed end of the connection indicates that sensitive data may
have no knowledge of data classification (0), or it may know about many data classification
authorities (*).
▪ The cardinality shown on the filled diamond end of the connection indicates that instances of
data classification applicable to EPU activities are defined, but an instance may be associated
with no domain of sensitive data (0) or with many instances of the domain of sensitive data (*).
Sensitive data may be classified in terms of personal data sensitivity levels (PDSL).

PDSL=0: Personal data used for public access; e.g., public directory information, public web sites.
PDSL=1: Personal data intended for release only on a need-to-know basis, including personal
information not otherwise classified as PDSL=0, 2, or 3, and data protected or restricted by contract,
grant, or other agreement terms and conditions.
PDSL=2: Personal data with a statutory requirement for notification to affected parties in case of a
confidentiality breach; e.g., social security information, driver’s license, financial account numbers,
personal medical information, personal health insurance.
PDSL=3: Personal data that creates extensive “shared-fate” risk between multiple systems. If personal
data compromise would cause further and extensive data compromise from multiple (even
unrelated) sensitive systems, the data creating this “shared-fate” warrants an elevated sensitivity
level.
Sensitive data processing operations include the collection, use, retention, disclosure, and disposal of
data classified as PDSL>0.

In summary, for this technical brochure, personal data is classified for each enumerated sector and one
or more governing authorities.

The distinction between these relationships of data classification and sensitive data is important
because they may be enumerated in EPU policies and procedures, whereas organizational directives and
implementing procedures may or may not be required.

Figure 2 – Sensitive data context


2.4 The need for strong access control and use control
Figure 3 enumerates the roles and permissions used by the role-based access control (RBAC)
functions. RBAC provides one of two mechanisms needed to securely manage access and use of
operational configuration and settings data.

▪ For large utilities, a federated RBAC management scheme is recommended.
▪ For smaller utilities, a centralized RBAC management scheme is recommended.

Figure 3 – Enumeration of roles and permissions

Figure 4 enumerates the attribute-based access control (ABAC) functions. ABAC is the second
mechanism needed to securely manage access and use of operational configuration and settings data.

There are many commercial schemes that provide the capabilities shown in the RBAC and ABAC
blocks. CIGRE WG D2.40 WS3 addressed the coupling of RBAC and ABAC requirements in their
technical brochure for remote services[16]. IEC TC57 WG15 addresses the specification of access
control mechanisms in IEC 62351-8 5 [17], while access control use cases in IEC 61850 are addressed
by IEC TC 57 WG 10 in the technical report IEC 61850-90-9, currently under development.

—————————

5 New edition of 62351-8 is under development.


Figure 4 – Enumeration of attribute access controls

Figure 5 enumerates the personally identifiable information (PII) data that must be protected to comply
with the GDPR. These records are commonly stored in Human Resource (HR) repositories and require
protection both at rest and in transit. Furthermore, some responsible organizational units (ROUs)
require the use of PII for access control[18].

It is important to note that RBAC, ABAC, and Personal Data are all directed parts of Operations Data.
In each case, for this technical brochure the focus is access and use control of configuration and settings
data.
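The following added example (written for this page; it is not code from TB 796, from IEC 62351-8 or from [16]) shows one way to couple the two mechanisms for access and use control of IED configuration and settings data: RBAC decides whether a role may perform the action at all, and ABAC attributes of the subject, the resource and the environment then narrow that permission so that a deny from either side wins. The role names, permissions, attribute names and rules are assumptions chosen for the illustration.

```python
"""Coupled RBAC/ABAC decision for access and use control of IED settings data.

Added illustration for this page; not code from TB 796, IEC 62351-8 or [16].
Roles, permissions, attribute names and the rules below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# RBAC: role -> permissions on configuration and settings data (assumed roles).
ROLE_PERMISSIONS = {
    "viewer":              {"read_settings"},
    "protection_engineer": {"read_settings", "write_settings"},
    "security_admin":      {"read_settings", "write_settings", "manage_roles"},
}


@dataclass
class Subject:
    user: str
    roles: Set[str]
    mfa: bool = False            # ABAC attribute: strong authentication used
    location: str = "remote"     # ABAC attribute: control_centre | substation | remote


@dataclass
class Resource:
    ied: str
    classification: str          # ABAC attribute: public | restricted | critical


@dataclass
class Environment:
    maintenance_window: bool = False      # approved window for field changes
    change_ticket: Optional[str] = None   # approved change record, if any


def rbac_permits(subject: Subject, action: str) -> bool:
    """Coarse check: at least one of the subject's roles grants the action."""
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


def abac_permits(subject: Subject, resource: Resource, action: str,
                 env: Environment) -> Tuple[bool, str]:
    """Fine-grained check: attribute rules narrow what RBAC allowed."""
    if resource.classification == "critical" and not subject.mfa:
        return False, "critical settings require MFA"
    if action == "write_settings":
        if env.change_ticket is None:
            return False, "writes require an approved change ticket"
        if subject.location == "remote" and not env.maintenance_window:
            return False, "remote writes allowed only inside a maintenance window"
    return True, "permitted"


def decide(subject: Subject, resource: Resource, action: str,
           env: Environment) -> Tuple[bool, str]:
    """RBAC first, then ABAC; any deny wins. Returns (allowed, reason)."""
    if not rbac_permits(subject, action):
        return False, "role set %s does not grant %s" % (sorted(subject.roles), action)
    return abac_permits(subject, resource, action, env)


if __name__ == "__main__":
    alice = Subject("alice", {"protection_engineer"}, mfa=True, location="remote")
    relay = Resource("IED-7", "critical")
    for env in (Environment(maintenance_window=True, change_ticket="CHG-1"),
                Environment(maintenance_window=False, change_ticket="CHG-1")):
        print(alice.user, "write_settings", relay.ied, decide(alice, relay, "write_settings", env))
```

The ordering matters: the role check is cheap and stable (it is what a federated or centralized RBAC directory manages), while the attribute rules are where the operational context of a utility lives (change tickets, maintenance windows, location of the requester, classification of the settings). Keeping the two separate makes it possible to audit who could do what in principle, and separately why a particular request was refused.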


Figure 5 – Enumeration of personally identifiable information

2.5 Conforming to existing and emerging standards


To ensure interoperability and to maintain up-to-date security capabilities, it is important to select
solutions that conform to existing and emerging standards. From a planning perspective, the planning
horizons are much longer than the guaranteed lifetime of specific standards. Thus, a standard may
expire if it is not renewed, or may not be updated in a timely manner. For this reason, EPU lead
organizations must be vigilant in their oversight of applicable standards and related activities. Oversight
requires direct participation in standards development, supporting study committees, and/or user
organizations.

For example, over the planning horizons the following topics need careful attention.

▪ Standards that address the coupling and management schemas for RBAC and attribute-based
access control (ABAC).
▪ Cloud-based service standards such as those identified in TB 698 [19] and by CIGRE WG
B5.66 in their emerging technical brochure. IEEE PSCC also has initiatives to assess the
potential leverage of cloud-based services; e.g., task force P11 – Electric power system use
cases for cloud computing services.

2.6 Data protection impact assessment


A data protection impact assessment (DPIA) should be designed to ensure that sensitive data,
specifically PII, is processed for specified and legitimate purposes. Furthermore, the assessment should
rate the effectiveness of all necessary measures to protect the sensitive data against unauthorized
access and use, and ensure personnel are aware of their data protection obligations. DPIA findings are
one input for improving the strategic plan.


Figure 2 shows the dependency of associated data on the declaration of whether the aggregated data
is sensitive6. For example, the personal data enumerated in Figure 5 may not be sensitive until it is
associated with other data. This association is strongly influenced by the analytics used to create the
associations. Interpretation and tailoring of GDPR regulation varies from country to country[15]. For this
technical brochure, a sample of the most noteworthy GDPR articles are:

Articles 12-23: If an individual requests access to their data or requests that data be removed from
a company’s records (the “right to be forgotten”), the controller must comply within
one month.
Articles 24-43: Organizations must proactively demonstrate that they understand the data they have
access to, how to use that data, and how to safeguard that data. Therefore, organizations must
maintain, document, and enforce data protection policies and procedures.
Articles 28 and 32: Organizations that collect personal data must implement appropriate technical and
organizational security measures, and must apply rigorous due diligence to ensure that the same
measures are in place before sharing data with vendors acting as processors.
Article 33: If a data breach takes place, the company collecting the personal data must notify its
national supervisory authority within 72 hours of becoming aware of the breach.
Articles 37-39: Certain organizations that process data may be required to appoint a Data Protection
Officer.
Article 3 and Articles 44-50: The territorial scope extends to organizations outside the EU that process
the personal data of data subjects in the EU, not only those operating in the EU; transfers of
personal data out of the EU are permitted only under the safeguards of Articles 44-50.
2.7 Risk Management
2.7.1 Risk management decisions
Risk management is vital in any organization, and even more so in the critical infrastructures of the
electricity sector. Since its 2018 revision, ISO 31000 provides more strategic guidance than before and
places more emphasis on the involvement of senior management and on the integration of risk
management into the organization. This makes it a better fit for cyber risk management than before,
with a more holistic approach. However, it is quite high level, and its usability from a purely cyber
perspective may be limited. ISO/IEC 27005:2018 can be a better fit because it provides guidelines
specific to information security risk management in IT and OT. For example, audits of EPUs in
Norway show that EPUs that implemented this standard in both IT and OT had the added benefit of
closing the gap between IT and OT ROUs, and cooperation between those units improved.

Risk management initially requires a survey of critical assets to analyse the risks to which industrial
control systems (ICS) are exposed. This is vital for knowing where security falls short of the
associated regulations. An important reference on this matter is the “Guide to Industrial Control
Systems (ICS) Security”, NIST Special Publication 800-82, Revision 2 [20], from whose Chapter 3 the
following main ideas are taken:

▪ Organizations must develop processes to evaluate the risks associated with their business and
to decide how to deal with those risks based on organizational priorities and both internal and
external constraints. This management of risk is conducted as an iterative, ongoing process
as part of normal operations.

▪ Organizations that use ICS have historically managed risk through good practices in safety and
engineering.

▪ Safety assessments are well established in most sectors and are often incorporated into
regulatory requirements. Information security risk management is an added dimension that can
be complementary.

—————————

6 The subject of aggregation exceeds the scope of the key performance indicator (KPI) subgroup, but needs to be addressed in
the P7002 standard.


▪ The risk management process and framework outlined in this section can be applied to any risk
assessment including both safety and information security.

A risk management process should be employed throughout an organization, using a three-tiered
approach to address risk at the 1) organization level, 2) mission/business process level, and 3)
information system level (IT and ICS). The risk management process is carried out seamlessly across
the three tiers with the overall objective of continuous improvement in the organization’s risk-related
activities and effective inter-tier and intra-tier communication among all stakeholders having a shared
interest in the mission/business success of the organization.

Figure 6, taken from “Recommended Practice: Improving Industrial Control System Cybersecurity with
Defense-in-Depth Strategies”[21], illustrates this idea: to integrate ICS risk management practices
throughout an organization, the entity should employ a three-tiered approach that addresses risk at
the organization level (Tier 1), the mission/business process level (Tier 2), and the information system
level (Tier 3).

Figure 6 - Risk management tiers

The nature of ICS means that when an organization does a risk assessment, there may be additional
considerations that do not exist when doing a risk assessment of a traditional IT system. Because the
impact of a cyber incident in an ICS may include both physical and digital effects, risk assessments
need to incorporate those potential effects.

An interesting flow is shown in the “Framework for Improving Critical Infrastructure Cybersecurity
Version 1.1 [22], point 2.4” where NIST describes a common flow of information and decisions at the
following levels within an organization:

▪ Executive
▪ Business/Process
▪ Implementation/Operations
The executive level communicates the mission priorities, available resources, and overall risk tolerance
to the business/process level. The business/process level uses the information as inputs into the risk
management process, and then collaborates with the implementation/operations level to communicate
business needs and create a “Profile”. The implementation/operations level communicates the Profile
implementation progress to the business/process level. The business/process level uses this
information to perform an impact assessment. Business/process level management reports the
outcomes of that impact assessment to the executive level to inform the organization’s overall risk
management process and to the implementation/operations level for awareness of business impact.
For a better understanding see Figure 7.


Figure 7 - Notional information and decision flows within an organization

2.7.2 Cyber exposure gap analysis


Cyber exposure is an emerging discipline for managing and measuring an EPU’s attack surface in order
to accurately understand and reduce its cyber risk [23, 24]. The references cited provide an actionable
framework for each ROU. The three core inputs of a cyber exposure model are asset and business
context, vulnerabilities, and threat context [24]. Each ROU should use the framework to identify the
cyber exposure gap that lies between the visibility provided by its current security tools and the
complete set of vulnerabilities, including misconfigurations, across the entire attack surface of its
system.

ROUs using cloud services must address the issue that the cyber exposure gap changes daily as virtual
machines (VMs) are dynamically allocated and released.

To perform a cyber exposure gap analysis, each ROU analysis team must consider five stages of the
life cycle: 1) identify the assets of their system of interest (SoI), 2) identify the vulnerabilities and security
issues across all elements of the SoI, 3) prioritize the issues based on the risk that an exploit could
interfere with, disrupt, or disable a critical function, 4) apply the appropriate remediation in a timely
manner, and 5) report their recommendations to the EPU’s cybersecurity team. Cooperation with other
ROUs should be facilitated by the ISOC’s security team.
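As an added example (written for this page; not code from TB 796 or from [23, 24]), the following script walks the five stages over a constructed inventory: it compares the assets the ROU owns with the assets its tools can actually see, ranks findings by the risk to a critical function rather than by raw severity alone, and builds the report handed to the cybersecurity team. Stage 4, remediation, is the action taken on the ranked list and is not modelled. Asset names, findings, the function weights and the scoring formula are assumptions.

```python
"""Cyber exposure gap analysis over a constructed asset inventory.

Added illustration; not code from TB 796 or [23, 24]. Asset names, findings,
the function weights and the scoring formula are assumptions.
"""

# Stage 1: assets of the system of interest from the authoritative inventory
# (constructed). For cloud VMs this list must be refreshed every cycle, since
# the set of allocated machines changes daily.
INVENTORY = {
    "scada-hmi-01":  {"critical_function": "SCADA",      "internet_exposed": False},
    "hist-vm-0042":  {"critical_function": "historian",  "internet_exposed": False},
    "web-portal-03": {"critical_function": None,         "internet_exposed": True},
    "rtu-sub-a-12":  {"critical_function": "protection", "internet_exposed": False},
}

# What the current security tools report on (constructed scanner/agent coverage).
SCANNER_SEEN = {"scada-hmi-01", "web-portal-03", "vm-unknown-77"}

# Stage 2: findings from the tools that do have visibility (constructed;
# severity on a 0-10 scale, misconfigurations included).
FINDINGS = [
    {"id": "F-1", "asset": "scada-hmi-01",  "kind": "vulnerability",    "severity": 7.5},
    {"id": "F-2", "asset": "web-portal-03", "kind": "vulnerability",    "severity": 9.8},
    {"id": "F-3", "asset": "scada-hmi-01",  "kind": "misconfiguration", "severity": 5.0},
]

# Business context: how much an exploit on the asset could disrupt a critical function.
FUNCTION_WEIGHT = {"protection": 3.0, "SCADA": 3.0, "historian": 1.5, None: 1.0}


def coverage_gap(inventory, seen):
    """Exposure gap: owned assets the tools cannot see, and seen assets nobody owns."""
    unseen = sorted(a for a in inventory if a not in seen)
    unknown = sorted(a for a in seen if a not in inventory)
    return {"unseen": unseen, "unknown": unknown}


def risk_score(finding, inventory):
    """Stage 3 input: severity weighted by business context and exposure."""
    meta = inventory[finding["asset"]]
    score = finding["severity"] * FUNCTION_WEIGHT[meta["critical_function"]]
    if meta["internet_exposed"]:
        score *= 1.5
    return round(score, 1)


def prioritize(findings, inventory):
    """Stage 3: rank findings by risk to a critical function, not raw severity."""
    ranked = sorted(findings, key=lambda f: risk_score(f, inventory), reverse=True)
    return [(f["id"], risk_score(f, inventory)) for f in ranked]


def gap_report(inventory, seen, findings):
    """Stage 5: the summary an ROU hands to the EPU cybersecurity team / ISOC."""
    gap = coverage_gap(inventory, seen)
    covered = len(inventory) - len(gap["unseen"])
    return {
        "coverage_pct": round(100.0 * covered / len(inventory), 1),
        "unseen_critical": [a for a in gap["unseen"] if inventory[a]["critical_function"]],
        "unknown_assets": gap["unknown"],
        "priorities": prioritize(findings, inventory),
    }


if __name__ == "__main__":
    for key, value in gap_report(INVENTORY, SCANNER_SEEN, FINDINGS).items():
        print(key, value)
```

Two things the report shows that a scanner export alone does not: F-2, the finding with the highest raw severity, ranks last because the portal supports no critical function, and the protection RTU and the historian VM are outside the tools’ visibility entirely, together with a machine the tools see that is in nobody’s inventory. That second item is the exposure gap the text refers to, and it is what changes day to day when VMs are allocated and released.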

A modern ISOC security team should provide the following capabilities:

▪ Unified view of exposure across all EPU organizational units.
▪ Continuous discovery and assessment of all assets.
▪ Solution scalability and flexibility, whether hosted in the cloud or on the EPU’s premises, to deliver
visibility across all environments.
▪ Translation of technical data into business terms to provide a coherent situation assessment to
senior stakeholders.
▪ Regulatory compliance support for timely reporting.


2.7.3 Cloud threat issues


According to McAfee, the cloud introduces a multitude of new threat vectors that can lead to data
loss[25]. Listed below are some of the issues raised by McAfee that WG D2.46 addressed from an EPU
shared responsibility perspective (see Annex F):

▪ Malicious or careless insiders7 who download data from a cloud service sanctioned by the EPU,
then upload it to a shadow IT cloud file-sharing service (e.g., Anthem breach 2015).
▪ An EPU employee or support contractor who downloads data to a personal device, whether on
or off the network, causing a loss of data control.
▪ Privileged EPU users of a cloud service who change security configurations inappropriately.
▪ An EPU employee who shares data with an unauthorized third party, such as a support
contractor or a colleague in a technical venue.
▪ Malware on the EPU’s IT or OT network that uses a compromised computer and an unmanaged
cloud service as the vector to exfiltrate data stolen from on-premises systems.
▪ An EPU user end-point device that syncs malware to a file-sharing cloud service and exposes
other users and the IT or OT network to that malware.
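The first bullet describes a movement of data that leaves a trace in web-proxy logs. The following added example (written for this page; it is not code from TB 796 or from the McAfee paper) shows detection logic for that pattern: a large download from a sanctioned cloud service by one user followed, within a short window, by an upload of comparable size to an unsanctioned file-sharing host. The log format, domain lists, thresholds and the log lines themselves are constructed assumptions.

```python
"""Detect 'download from sanctioned cloud, then upload to shadow-IT file share'.

Added illustration; not code from TB 796 or [25]. Log format, domain lists,
thresholds and the sample log are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SANCTIONED = {"sharepoint.example-epu.com", "storage.example-epu.com"}
SHADOW_FILESHARE = {"files.example-share.net", "drop.example-box.io"}
WINDOW = timedelta(minutes=30)   # download-to-upload correlation window
MIN_BYTES = 5_000_000            # ignore ordinary page loads and API chatter

# Constructed proxy log: time user method host bytes_from_server bytes_to_server
SAMPLE_LOG = """\
2020-03-02T09:01:10Z alice GET  sharepoint.example-epu.com 42000000 1200
2020-03-02T09:03:55Z alice POST files.example-share.net    900      41800000
2020-03-02T09:10:00Z bob   GET  sharepoint.example-epu.com 38000000 1100
2020-03-02T10:30:00Z bob   POST drop.example-box.io        800      37000000
2020-03-02T11:00:00Z carol GET  storage.example-epu.com    64000000 1300
2020-03-02T11:05:00Z carol PUT  drop.example-box.io        700      2000
"""


def parse(line):
    """One proxy record -> dict; the six whitespace-separated fields are assumed."""
    ts, user, method, host, b_down, b_up = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "method": method, "host": host, "down": int(b_down), "up": int(b_up)}


def detect_shadow_exfil(log_text):
    """Alert when a user's large sanctioned download is followed within WINDOW
    by an upload of comparable size to an unsanctioned file-sharing host."""
    events = sorted((parse(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["time"])
    downloads = defaultdict(list)     # user -> sanctioned downloads seen so far
    alerts = []
    for e in events:
        if e["host"] in SANCTIONED and e["method"] == "GET" and e["down"] >= MIN_BYTES:
            downloads[e["user"]].append(e)
        elif (e["host"] in SHADOW_FILESHARE and e["method"] in ("POST", "PUT")
              and e["up"] >= MIN_BYTES):
            for d in downloads[e["user"]]:
                age = e["time"] - d["time"]
                # comparable size: upload at least 80% of what was downloaded
                if timedelta(0) <= age <= WINDOW and e["up"] >= 0.8 * d["down"]:
                    alerts.append({"user": e["user"], "from": d["host"], "to": e["host"],
                                   "bytes": e["up"], "minutes": int(age.total_seconds() // 60)})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_exfil(SAMPLE_LOG):
        print(alert)
```

On the constructed log only alice is reported: bob’s upload falls outside the 30-minute window and carol’s upload is too small to match her download. Those two misses are deliberate tuning knobs; the window, the size ratio and the domain lists are what an ISOC adjusts against its own baseline, and an unmanaged cloud service not in either list is itself a finding for the shadow IT inventory.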

2.8 Business Impact Analysis


The fundamental task in business impact analysis (BIA) is understanding which processes in your
business are vital to your ongoing operations and to understand the impact the disruption of these
processes would have on your business.

ISO/TS 22317:2015 provides guidance for an organization to establish, implement, and maintain a
formal and documented business impact analysis (BIA) process. This technical specification does not
prescribe a uniform process for performing a BIA, but will assist an organization to design a BIA process
that is appropriate to its needs.

ISO/TS 22317:2015 is applicable to all organizations regardless of type, size, and nature, whether in
the private, public, or not-for-profit sectors. The guidance can be adapted to the needs, objectives,
resources, and constraints of the organization.

According to “Contingency Planning Guide for Federal Information Systems” of NIST Special
Publication 800-34 Rev. 1 [26], the BIA is a key step in implementing the contingency planning controls
in NIST SP 800-53 [27] and in the contingency planning process overall. The BIA enables the
information system contingency plan (ISCP) coordinator to characterize the system components,
supported mission/business processes, and interdependencies.

The BIA purpose is to correlate the system with the critical mission/business processes and services
provided, and based on that information, characterize the consequences of a disruption. The ISCP
coordinator can use the BIA results to determine contingency planning requirements and priorities.
Results from the BIA should be appropriately incorporated into the analysis and strategy development
efforts for the organization’s continuity of operations plan (COOP), business continuity plan (BCP) and
disaster recovery plan (DRP). The BIA should be performed during the initiation phase of the system
development life cycle (SDLC). As the system design evolves and components change, the BIA may
need to be conducted again during the development/acquisition phase of the SDLC.

Three steps are typically involved in accomplishing the BIA:

1. Determine mission/business processes and recovery criticality. Mission/business processes
supported by the system are identified and the impact of a system disruption to those processes is
determined along with outage impacts and estimated downtime. The downtime should reflect the
maximum time that an organization can tolerate while still maintaining the mission.

—————————

7 Insiders (users) include EPU employees or support contractors.


2. Identify resource requirements. Realistic recovery efforts require a thorough evaluation of the
resources required to resume mission/business processes and related interdependencies as
quickly as possible. Examples of resources that should be identified include facilities, personnel,
equipment, software, data files, system components, and vital records.
3. Identify recovery priorities for system resources. Based upon the results from the previous
activities, system resources can be linked more clearly to critical mission/business processes and
functions. Priority levels can be established for sequencing recovery activities and resources.
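Steps 1 to 3 can be carried through with a small dependency model. The following added example (written for this page; not code from TB 796, NIST SP 800-34 or ISO/TS 22317) pushes each process’s maximum tolerable downtime down through the resources it depends on, so that a shared resource inherits the tightest target of anything that needs it, and then orders recovery so that dependencies are restored first. Process names, MTD values and the dependency graph are constructed assumptions.

```python
"""Recovery priorities from a business impact analysis (BIA).

Added illustration; not code from TB 796, NIST SP 800-34 or ISO/TS 22317.
Processes, MTD values (hours) and the dependency graph are constructed.
"""

# Step 1: mission/business processes -> (maximum tolerable downtime in hours,
# resources the process directly needs).
PROCESSES = {
    "real_time_dispatch":  (1,  ["scada_server"]),
    "outage_notification": (4,  ["notify_service"]),
    "customer_billing":    (72, ["billing_app"]),
}

# Step 2: resource interdependencies (a resource cannot be restored before
# the resources listed for it).
RESOURCE_DEPS = {
    "scada_server":   ["network_core", "directory"],
    "notify_service": ["network_core"],
    "billing_app":    ["database", "directory"],
    "database":       ["network_core"],
    "directory":      ["network_core"],
    "network_core":   [],
}


def required_rto(processes, deps):
    """Recovery target per resource: the tightest MTD of any process that
    needs it, directly or through other resources."""
    rto = {}

    def visit(res, budget):
        if rto.get(res, float("inf")) <= budget:
            return                      # already bound by a tighter target
        rto[res] = budget
        for d in deps[res]:
            visit(d, budget)

    for mtd, resources in processes.values():
        for r in resources:
            visit(r, mtd)
    return rto


def recovery_sequence(processes, deps):
    """Step 3: restoration order; dependencies first, tightest target earliest."""
    rto = required_rto(processes, deps)
    done, order = set(), []

    def restore(res):
        if res in done:
            return
        for d in sorted(deps[res], key=lambda x: rto[x]):
            restore(d)
        done.add(res)
        order.append((res, rto[res]))

    for res in sorted(rto, key=lambda x: (rto[x], x)):
        restore(res)
    return order


if __name__ == "__main__":
    for res, hours in recovery_sequence(PROCESSES, RESOURCE_DEPS):
        print("%-15s restore within %3d h" % (res, hours))
```

The directory service is listed only under billing (72 h) and under the SCADA server, yet it comes out with a 1-hour target because real-time dispatch depends on it transitively. That inherited target is the interdependency effect step 2 warns about, and it is what a plan written per process, without a resource graph, tends to miss.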
The importance of BIA is also mentioned by ENISA8 in the relationships among corporate governance,
risk management, business continuity management (BCM), IT service continuity management (ITSCM)
and disaster recovery planning (DRP), as shown in the Figure 8.

Figure 8 – Business continuity process interactions

BCM overlaps with risk management, and one of the areas of convergence is business impact analysis.
If ITSCM is in place, it utilizes some of the BIA’s information in order to achieve continuity management
and align it with the needs of the business. That is the only information which BCM and ITSCM have in
common. ITSCM uses this information in order to prioritize the plans developed through DRP.

If ITSCM does not exist within the organization, then DRP is the proactive risk mitigation function of
risk management; although it impacts BCM and can be invoked by a BCM event, it is not part of
business continuity. Similarly, ITSCM can exist without BCM, but it requires a subset of the BIA
information, so the business must conduct BIAs in order to ascertain the necessary information. If there
are no DRPs then these must also be developed. DRP is an essential part of ITSCM; although it may
not exist when ITSCM is originally developed, it must be in operation if ITSCM is to be considered
complete. In a similar way, BCM cannot exist without BIA information.

2.9 Business continuity management


According to ISO 22301, a business continuity management system emphasizes the importance of the
following actions:

▪ Understanding continuity and preparedness needs, as well as the necessity for establishing
business continuity management policy and objectives.
▪ Implementing and operating controls and measures for managing an organization’s overall
continuity risks.

—————————

8https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/bcm-resilience/bc-rm-interfaces


▪ Monitoring and reviewing the performance and effectiveness of the business continuity
management system.
▪ Continual improvement based on objective measurements.
The goal of BCM is to provide the organization with the ability to effectively respond to threats such as
natural disasters or data breaches and protect the business interests of the organization. BCM includes
disaster recovery, business recovery, crisis management, incident management, emergency
management and contingency planning.

An illustrative example of the importance of BCM, of its relation at the process level to enterprise risk
management following a security incident, and of the plans generated after the incident to re-establish
the continuity and protection of the business, is shown in Figure 9. The scheme used by Bank Rakyat
of Malaysia can be used as a reference for any type of critical infrastructure.

Figure 9 - Illustrative scheme BCM & incident lifecycle in Bank Rakyat of Malaysia


3. Projecting the future


3.1 Future systems need digital focus and high-powered analytics
EPUs are experiencing pressure from regulators and commercial competitors alike to rebalance away
from the fossil-fuel sources that have traditionally dominated energy supply. For example, in the
United States, it is widely accepted that by 2025 a minimum of 25-30% of the grid’s supply will come
from renewable sources, primarily solar and wind. This shift accelerates depreciation of traditional
assets and compresses margins, and it accelerates digital transformation to drive operational excellence
in every segment of the industry. As a result, severe margin compression is compelling the rapid
implementation of specific digitalization programs that modernize operations, drive costs down and
improve business processes9.

Traditionally, EPUs routinely manage complex relationships and answer regulatory demands. For every
plant in every carbon-based supply stream, these traditional companies have ‘stove-piped’ content
management solutions to achieve security and auditability. One example of specific digitalized
transformation is the integration of enterprise applications with purpose-built applications used for asset
management and capital projects to support nimble analytics as well as mobile communications with
feedback loops from staff and customers to improve their processes.

As described at the PAC World 2018 conference in Sofia, Bulgaria, there is common recognition that a
digitally driven focus produces significant cost savings. Because technology is evolving exponentially,
businesses are incorporating the Internet of Things (IoT) to feed advanced analytics, resulting in a
significant improvement of the decision-making process at every level.

3.2 Cloud-based solutions are the enablers


3.2.1 Making the case for cloud migration
Innovation will drive EPU operations into the cloud. Access to advanced cloud-based infrastructure and
applications will make it possible to leverage advanced analytics and other information resources. Those
capabilities, delivered in the most usable format, provide insights to power system engineers as to when
and where resources are needed.

Moving to the cloud is a major step in modernizing EPU infrastructure, capabilities and applications
without having to replace resources in place or dedicate IT and OT staff to the task. Resistance to
change is by far the biggest non-technology impediment that EPUs face when adopting new technology
or work processes. There is still a strong perception that the cloud is a threat to the way things are, but
perhaps that is a good thing. Continuing to do what has been done requires a lot of manual tasks for
things like maintenance and monitoring. With the cloud, these tasks can be automated and done more
reliably and more cost-effectively.

Existing EPU policies, procedures, and organizational directives also can impede the progress of cloud
adoption. For example, access control and use control of IEDs and data often vary among the
responsible organizational units. Standardizing these requirements makes it easier to build appropriate
controls for everything from data labelling and granular data access to just-in-time access – precisely
the types of controls that work well in cloud computing environments.

Another challenge is the time it takes to procure, test, qualify, and deploy technology. The process of
getting an application approved or platforms deployed to run on an EPU’s operational communication
network can take months to years. It is simpler and faster to stand up applications in the cloud’s more
streamlined and agile environment.

There are also technical challenges. One of the most problematic is the proliferation of legacy
technology. Much of that legacy technology doesn’t work in the cloud. Historically, EPUs that rely on
legacy technology are reluctant to let it go. Cloud service providers must work closely with EPU and
—————————

9 The deployment of IEC 61850 systems is a good example of these benefits.

TB 796 – Cybersecurity: Future threats and impact on electric power utility organizations and operations

their solution providers to develop services that make it possible to migrate applications optimized for
legacy systems.

While cloud-based solutions play an essential role in analytics, the exigent demands for content
management take a toll on efficient delivery of essential insights to employees, including mobile
workers. Organizations must manage content effectively while maintaining secure, persistent controls
that meet regulatory demands, and while competing with nimble, decentralized commercial
competitors.

EPUs typically manage massive amounts of information in a wide variety of types, such as electronic
operational files, engineering documents, contracts, and work orders. With every project and
operational change, the ROU manages and tracks content through complex revisions, reviews, audits
and handoffs. To comply with local laws and regulations; and for effective maintenance management
and graceful modernization, each ROU needs to document every operating system asset throughout
their lifecycle, from the design, to build, to the latest updates. Capital projects also generate enormous
flows of content and the organization’s ability to control costs is closely linked to its management of
documents across its repositories, as well as multiple handoffs with third parties.

With minor tailoring the following subclauses were extracted from the SDX Central web site 10.

3.2.2 Leveraging software defined networking


The goal of Software-Defined Networking (SDN) is to enable cloud computing and network engineers
and administrators to respond quickly to changing business requirements via a centralized control
console. SDN encompasses multiple kinds of network technologies designed to make the network more
flexible and agile in support of the virtualized server and storage infrastructure of the modern data centre.
Software-defined networking originally defined an approach to designing, building, and managing
networks that separates the network’s control plane (the “brains”, where SDN network policy lives) from
its forwarding plane (the “muscle”). This separation makes network control directly programmable and
abstracts the underlying infrastructure from the applications and network services that run over it,
whether in SDN-based cloud computing or in mobile networks.

Software-defined wide-area network (SD-WAN) is an extension of SDN. SD-WAN applies SDN to
networking connections that cover a wide geographical area. This technology allows all organizational
units to connect their networks across a wide geographic area. For instance, all EPU branch office
networks and data centres within an enterprise can be connected via SD-WAN. More EPUs are turning
toward SD-WAN because of this ability to unify the various connections. Another perk of SD-WAN is that
the overlay tunnels between SD-WAN edge devices are encrypted, which protects traffic in transit across
untrusted carrier links. Note that this encryption terminates at the SD-WAN edge devices; it is not
end-to-end between hosts and is no substitute for protecting OT protocols at the application layer.

3.2.3 How SDN works


Software-defined networking providers offer a wide selection of competing architectures, but at its most
simple, the software-defined networking method centralizes control of the network by moving the
control logic to off-device computing resources. All software-defined network solutions have some
version of an SDN controller, as well as southbound APIs and northbound APIs:

▪ Controllers: The “brains” of the network, SDN controllers offer a centralized view of the
overall network and enable network administrators to dictate to the underlying systems (like
switches and routers) how the forwarding plane should handle network traffic.
▪ Southbound APIs: Software-defined networking uses southbound APIs to relay information
to the switches and routers “below.” OpenFlow, considered the first standard in SDN, was the
original southbound API and remains one of the most common protocols. Although some
consider OpenFlow and SDN to be one and the same, OpenFlow is merely one piece of the
bigger landscape.
▪ Northbound APIs: Software-defined networking uses northbound APIs to communicate
with the applications and business logic “above.” These help network administrators to
programmatically shape traffic and deploy services.

—————————

10 https://www.sdxcentral.com


To understand the challenges of configuring flow tables in an SDN switch, WG D2.46 examined two of
the settings for packet flow in an OpenFlow switch that are relevant to SDN applications. Figure 10,
adapted from Corker and Azodolmolky [28], describes how packets are matched against flow entries
based on prioritization. In the original OpenFlow 1.0 semantics, any entry that specifies an exact match
(no wildcards) is always the highest priority; from OpenFlow 1.1 onward only the explicit priority field
decides which matching entry wins, so a deployment that relies on implicit exact-match precedence can
behave differently after a switch firmware upgrade. Timeouts are flow-entry fields that determine when
a flow entry should be removed from the OpenFlow table. Timeouts are either an idle timeout or a hard
timeout. The idle timeout is a fixed value attached to a flow entry that tells the switch to remove the
entry if no packet hits the flow for that period. The hard timeout is a fixed value after which the flow is
removed from the device irrespective of whether any packet hits it.

[Figure 10 (flowchart): packet flow in an OpenFlow switch. Ingress processing: packet in; clear action
set, initialize pipeline fields, start at table 0. If the packet matches in table n: update counters and
execute the instruction set (update action set, update packet headers, update match set fields, update
pipeline fields, clone packet to egress as needed); if the instruction set says “go to table n”, continue in
the next table, otherwise execute the action set. If there is no match: apply the table-miss flow entry if
one exists, otherwise drop the packet. The action set then invokes a group action or an output action;
with neither, the packet is dropped. Egress processing: if the switch has egress tables, the action set is
set to {output port} and matching restarts at the first egress table with the same match / table-miss /
drop logic; finally the output action emits the packet (packet out).]
Figure 10 – Packet flow in an OpenFlow switch [28]
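As an added illustration of the matching and timeout behaviour described above, the following Python models a single OpenFlow flow table. It is a toy model written for this page; it is not from the brochure or from reference [28], and it is not any vendor's switch code. The flow entries, ports and addresses are constructed: a substation segment in which only the SCADA front end on port 1 may reach the RTU at 10.0.0.5 over Modbus/TCP (port 502). It shows exact-match precedence under OpenFlow 1.0 semantics, idle and hard timeouts, the table-miss entry, and how the same table behaves under the priority-only ordering of OpenFlow 1.1 and later.

```python
"""Toy model of OpenFlow flow-table lookup: exact-match precedence, priority,
idle and hard timeouts, and the table-miss entry. Illustrative only; not the
OpenFlow specification or any vendor's switch implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Header fields the toy switch matches on; a field absent from a match is a wildcard.
FIELDS = ("in_port", "eth_src", "eth_dst", "ip_dst", "tcp_dst")


@dataclass
class FlowEntry:
    match: Dict[str, object]      # field -> required value; unspecified fields are wildcards
    actions: List[str]            # [] means drop; "controller" means packet-in to the controller
    priority: int = 0
    idle_timeout: int = 0         # seconds without a hit before removal; 0 = never
    hard_timeout: int = 0         # seconds after installation before removal; 0 = never
    installed_at: int = 0
    last_hit: int = 0
    packet_count: int = 0

    def matches(self, pkt: Dict[str, object]) -> bool:
        return all(pkt.get(f) == v for f, v in self.match.items())

    def is_exact(self) -> bool:
        return all(f in self.match for f in FIELDS)   # no wildcards at all

    def expired(self, now: int) -> bool:
        if self.hard_timeout and now - self.installed_at >= self.hard_timeout:
            return True
        return bool(self.idle_timeout) and now - self.last_hit >= self.idle_timeout


class FlowTable:
    def __init__(self, exact_match_first: bool = True):
        # OpenFlow 1.0: an exact-match entry beats every wildcarded entry regardless of
        # priority. OpenFlow 1.1+: only the priority field decides (pass False).
        self.exact_match_first = exact_match_first
        self.entries: List[FlowEntry] = []
        self.table_miss: Optional[FlowEntry] = None

    def add(self, entry: FlowEntry, now: int) -> None:
        entry.installed_at = entry.last_hit = now
        self.entries.append(entry)

    def set_table_miss(self, actions: List[str]) -> None:
        # OpenFlow 1.3 style: an all-wildcard, priority-0 entry. Absent -> unmatched packets drop.
        self.table_miss = FlowEntry(match={}, actions=actions, priority=0)

    def lookup(self, pkt: Dict[str, object], now: int) -> List[str]:
        self.entries = [e for e in self.entries if not e.expired(now)]   # age out timed-out flows
        hits = [e for e in self.entries if e.matches(pkt)]
        if not hits:
            if self.table_miss is None:
                return []
            self.table_miss.packet_count += 1
            return list(self.table_miss.actions)
        rank = (lambda e: (e.is_exact(), e.priority)) if self.exact_match_first else (lambda e: e.priority)
        best = max(hits, key=rank)
        best.packet_count += 1
        best.last_hit = now
        return list(best.actions)


def build_substation_table(exact_match_first: bool = True) -> FlowTable:
    """Constructed segment: only the SCADA front end (in_port 1) may speak Modbus/TCP (502)
    to the RTU at 10.0.0.5 behind output port 2. All values here are made up."""
    ft = FlowTable(exact_match_first)
    # Wildcarded, high-priority deny of anyone's Modbus to the RTU.
    ft.add(FlowEntry({"ip_dst": "10.0.0.5", "tcp_dst": 502}, [], priority=200), now=0)
    # Exact-match allow for the SCADA session, installed by the controller; 30 s idle timeout.
    ft.add(FlowEntry({"in_port": 1, "eth_src": "aa:aa", "eth_dst": "bb:bb",
                      "ip_dst": "10.0.0.5", "tcp_dst": 502}, ["output:2"],
                     priority=100, idle_timeout=30), now=0)
    # Broad allow for non-Modbus traffic to the RTU (e.g. its maintenance web UI).
    ft.add(FlowEntry({"ip_dst": "10.0.0.5"}, ["output:2"], priority=10), now=0)
    # Temporary SSH mirror to a capture port that must disappear after 60 s regardless of use.
    ft.add(FlowEntry({"tcp_dst": 22}, ["output:2", "output:9"], priority=50, hard_timeout=60), now=0)
    ft.set_table_miss(["controller"])
    return ft


def run_demo() -> Dict[str, List[str]]:
    scada = {"in_port": 1, "eth_src": "aa:aa", "eth_dst": "bb:bb", "ip_dst": "10.0.0.5", "tcp_dst": 502}
    rogue = dict(scada, in_port=7, eth_src="cc:cc")   # another host trying Modbus to the RTU
    web = dict(rogue, tcp_dst=443)
    ssh = {"in_port": 3, "eth_src": "dd:dd", "eth_dst": "ee:ee", "ip_dst": "10.0.0.8", "tcp_dst": 22}
    other = dict(ssh, tcp_dst=80)
    ft = build_substation_table()
    out = {
        "scada_t1": ft.lookup(scada, 1),    # exact match beats the priority-200 deny
        "rogue_t1": ft.lookup(rogue, 1),    # wildcard deny (200) beats the broad allow (10)
        "web_t1": ft.lookup(web, 1),        # non-Modbus traffic to the RTU is allowed
        "ssh_t1": ft.lookup(ssh, 1),        # mirrored while the diagnostic entry lives
        "other_t1": ft.lookup(other, 1),    # nothing matches: table-miss -> controller
        "scada_t20": ft.lookup(scada, 20),  # idle 19 s < 30: still installed
        "scada_t55": ft.lookup(scada, 55),  # idle 35 s >= 30: expired, the deny now applies
        "ssh_t61": ft.lookup(ssh, 61),      # hard timeout reached: mirror gone, table-miss
    }
    # Same table under OpenFlow 1.1+ priority-only ordering.
    out["scada_priority_only"] = build_substation_table(exact_match_first=False).lookup(scada, 1)
    return out
```

The last result is the practitioner's caveat: under priority-only ordering the deny at priority 200 also swallows the legitimate SCADA session, so the controller must assign priorities explicitly rather than rely on exact-match precedence. The table-miss choice is a security decision as well: sending unmatched packets to the controller exposes the control channel to traffic from an untrusted segment, while dropping them silently hides reconnaissance attempts from monitoring unless the miss counter is exported.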


3.2.4 Leveraging network function virtualization


SDN and network functions virtualization (NFV) are complementary approaches. IEEE P1916.1 (see footnote 11)
describes the importance of distinguishing between NFV and network virtualization. NFV focuses on
virtualizing traditional network services into entities referred to as virtual network functions (VNFs) and
mandates off-the-shelf commodity servers and switches. Network virtualization is used to implement
logical networks decoupled from the underlying hardware. Both approaches offer a new way to design
deployments and manage the network and its services:

▪ SDN: Separates the network’s control (brains) and forwarding (muscle) planes and provides a
centralized view of the distributed network for more efficient orchestration and automation of
network services.
▪ NFV: Focuses on optimizing the network services themselves. NFV decouples the network
functions, such as DNS, caching, etc., from proprietary hardware appliances, so they can run
in software to accelerate service innovation and provisioning, particularly within service provider
environments.
▪ Network virtualization (NV): Ensures the network can integrate with and support the
demands of virtualized architectures, particularly those with multi-tenancy requirements.
▪ White box: Uses network devices, such as switches and routers, that are based on “generic”
merchant-silicon networking chipsets available for EPU vendors to buy, as opposed to
proprietary silicon chips designed by and for a single networking vendor.
SDN and NFV aim to advance a software-based approach to networking for more scalable, agile, and
innovative networks that better align and support the overall business IT objectives. It is not surprising
that some common doctrines guide their development. For example, they each aim at:

▪ Moving functionality to software.


▪ Using commodity servers and switches over proprietary appliances.
▪ Leveraging application program interfaces (APIs).
▪ Supporting more efficient orchestration, virtualization, and automation of network services.
These approaches are mutually beneficial but are not dependent on one another. EPUs do not need
one to have the other. However, the reality is that SDN makes NFV and NV more compelling and vice
versa. SDN contributes network automation that enables policy-based decisions to orchestrate where
network traffic flows, while NFV focuses on the services, and NV ensures that the network’s capabilities
are aligned with the virtualized environments they support.

The advancement of all these technologies is the key to evolving the network and keeping up with the
innovations of all the people and devices it is connecting. This is illustrated through groups like the Open
Networking Foundation (ONF), the OpenDaylight Project, ETSI (see footnote 12) NFV, and the various open source
projects they collaborate on. Recently, OPNFV, headed up by the Linux Foundation and working closely
with ETSI NFV, has pressed for advancing open standards. All these groups work together by
consistently finding new ways to share open standards and to continually navigate the way for others
to bring openness to their businesses or organizations.

3.2.5 The need for orchestration


Because NFV requires lots of virtualized resources, it requires a high degree of software management,
referred to as orchestration. Orchestration coordinates, connects, monitors, and manages the needed
resources from the platform for the NFV services. Orchestration may need to coordinate with many
network and software elements, including inventory systems, billing systems, provisioning tools, and
operating support systems (OSSs).

Some of the functions that are typically required by NFV orchestration include the following:

—————————

11 IEEE P1916.1 is a work-in-progress focused on performance of virtualized environments.

12 European Telecommunications Standards Institute


▪ Service coordination and instantiation: The orchestration software must communicate with
the underlying NFV platform to instantiate a service, which means it creates the virtual instance
of a service on the platform.
▪ Service chaining: Connects VNFs in an ordered sequence so that traffic traverses them in the
required order, and enables a service to be cloned and multiplied to scale for either a single
customer or many customers. See Annex G for an explanation of service function chaining.
▪ Scaling services: When more services are added, finding and managing sufficient resources
to deliver the service.
▪ Service monitoring: Tracks the performance of the platform and resources to make sure they
are adequate to provide good service.
This technical brochure addresses the EPU’s future need for orchestration in the context of a system of
systems (SoS). The INCOSE systems engineering handbook (section 2.4) characterizes an SoS as shown in Table 1.

Table 1 – INCOSE characteristics of SoS

SoS characteristic | Elaboration
Operational independence of the constituent systems | The SoS is composed of systems that are independent and useful in their own right. When removed from the SoS, the systems can (and do) usefully operate separately.
Managerial independence of the constituent systems | The SoS is composed of systems that are separately acquired and maintain a continuing operational existence separate from the SoS.
Evolutionary development | The SoS does not appear fully formed. Its development and existence are evolutionary, with purposes and functions added, modified, and removed with experience.
Emergent behaviour | The SoS has emergent properties that cannot be localized to any constituent system. The principal purposes of the SoS are fulfilled by these behaviours.
Geographic distribution | The geographic extent of the constituent systems is large. Constituent systems can easily exchange only information, and not substantial quantities of mass or energy.

3.2.6 Necessary concept of separation of controls


Data is collected and must be controlled in context. The function of the network is important, but likely
controlled by an entirely different group within an organization. In fact, there will likely be multiple
groups; physical access control departments may not have nor need access to PII data; human
resource departments likely will not have or need access to operational data or controls; operational
departments will likely not have or need access to HR PII data and so on. It is also unlikely that any
one person will have complete understanding of all the complexities of the regulatory demands of each
group.

While the acknowledgement of the topology of the network (discussed above) is important, it is not
sufficient or practical as a total solution for the security of the organizational data.

In support of this need for differential control, an important consideration is to put the protection on the
data independently of the network.

3.2.7 Leveraging cloud access security brokers


As EPUs adopt cloud services, they probably need to consider using a cloud access security broker
(CASB) as part of their security architecture. Given the complexity of securely migrating applications to
cloud-based services, the CASB should provide valuable assistance in governing access and activities in
sanctioned and unsanctioned cloud services; securing sensitive data and preventing loss; and
protecting against internal and external threats.

Table 2 lists the most important EPU requirements for a CASB service provider.


Table 2 – CASB requirements

3.2.8 SDN management requirements and challenges


Wickbold, et al., described the traditional versus SDN management activities in Table 3 [29]. Many of
the requirements identified in the table are currently being addressed in several IEEE standards
development working groups. WG D2.46 added the second column to identify the IEEE working group.

Table 3 – Traditional versus SDN management activities [29]

Management requirement | IEEE WG | Traditional networks | Software-defined networking
Bootstrap and configuration | P1921.1 | Set well-known protocol parameters, track configuration changes | Configure customized and ever-changing software, set up forwarding and control plane connectivity
Availability and resilience | P1917.1 | Configure alternative routes in case of link failure | Configure forwarding device behaviour in case of failure of the connection with the control plane
Network programmability | P1930.1 | Not required | Control versioning, coordinated deployment, and verification of network software
Performance and scalability | P1916.1 | Bandwidth assignment and reservation, QoS configuration and enforcement | Monitor performance of network applications, adjust connection quality between forwarding and control planes
Isolation and security | P1915.1 | Control network access, prevent intrusion, spoofing and denial of service | Grant isolation to network applications, prevent eavesdropping and usurpation of control traffic
Flexibility and decoupling | P1915.1, P1930.1 | Adjust the management of higher-level protocols | Adapt management functions along with management interfaces, coordinate management information within planes or among management systems
Network planning | P1930.1 | Assess capability and performance needs, choose a network topology | Plan the disposition of controlling elements in relation to forwarding elements
Monitoring and visualization | All of the above | Track resource utilization, identify outages and trigger alarms | Trace functional parameters of novel applications, visualize jurisdiction of network controllers

Following is a summary of the issues taken from reference [29] that are currently being addressed by
the IEEE working groups noted in Table 3:

▪ Configuring bootstrap communication can be a complex task since both planes can operate
under different protocols. Moreover, software changes in any plane may affect such
communication directly.
▪ To ensure availability and resilience, it is important to monitor whether the connection between
planes is active and in accordance with the network policies.
▪ Every new network release must be consistently persisted over the forwarding and control
plane implementations across the network. Programmability management therefore needs
tools to control versioning, coordinated deployment, rollback, and verification.
▪ Performance and scalability assurance are a shared responsibility between the software
developers (vendors) and network managers (utility ROU). Network managers need to
understand bottlenecks, tune the correct parameters to optimize software-defined protocols,
and choose the most efficient control and management models (centralized, distributed, or
hierarchical).
▪ In SDN, not only is the network traffic shared among many ROU users and applications, but
the network logic itself is controlled by custom software, sometimes from remote locations,
requiring new isolation and security management techniques. Specifically, control traffic
between controllers and forwarding devices must be isolated from data-plane traffic and
authenticated and encrypted (for example, TLS on the OpenFlow channel), because whoever
can write to that channel controls the forwarding behaviour of the switch.
▪ SDN management needs to be flexible and decoupled enough to quickly adapt to new protocols
written for all planes.
▪ Traditionally, utilities plan for deployment and expansion of networks supported by well-defined
estimates of capacity and performance needs and decisions as to whether and where in the
topology the network will be segmented (on layers 2 and 3). These decisions require new
network components (routers, switches, firewalls) that operate based on standard protocols.
Positioning these elements across the network topology can directly impact performance,
resilience, and survivability.
▪ For the physical part, monitoring and visualization requirements remain similar to traditional
networks. The logical part is more complex because the forwarding and control protocols can
be completely redesigned. In SDN, the implementation of a protocol is not known in advance
but is defined in software, making the forwarding behaviour of the IP routers no longer
predictable from the protocol alone.

3.3 Threat intelligence


3.3.1 The need to leverage threat intelligence
Nowadays, industrial control networks require greater visibility than before, given the greater number
of threats in cyberspace. The cyber threat environment is highly dynamic, and adversaries have the
time, money, and intelligence to take advantage of the vulnerabilities of supervisory control and data
acquisition (SCADA) systems and other physical and logical layer components; combined with the
weaknesses of the human factor, this contributes to breaking down the levels of protection that exist
today.

A good definition and scope of threat intelligence can be found in the whitepapers “Industrial Control
Threat Intelligence” [30] and “Evolution of ICS Attacks and the Prospects for Future Disruptive Events”
[31]. Of particular interest is Slowik’s comment on two clear patterns emerging that describe how
cyberattacks have evolved [31]:

1. Initial attack vectors increasingly avoid using malware and techniques that are tell-tale signs of
advanced adversary activity.


2. Only during the final stage of the intrusion is ICS-specific, complex malware introduced, enabling
nearly any computer network operations operator to execute complex commands.
This trend is further discussed in clause 3.4.2 in the context of the kill-chain approach to ICS attacks.

Threat intelligence is knowledge of adversaries and their malicious behaviours through which defenders
gain better visibility. Threat Intelligence reduces harm by improving decision making before, during, and
after cybersecurity incidents reducing operational mean time to recovery, reducing adversary dwell
time, and enabling root cause analysis. It is a necessary component of any modern cybersecurity
program that significantly improves the efficacy of all existing elements.

However, there is no “universal” threat intelligence product, so, organizations must match threat
intelligence products to their threat profile. Generic threat intelligence developed around traditional
information technology (IT) environments will not satisfy the unique requirements for industrial control.
Therefore, industrial control system (ICS) owners and operators and IT groups that have ICS in their
environment should seek out and obtain an ICS threat intelligence product, regardless of whether they
are already receiving generic threat intelligence.

Threat intelligence is a product that must include both context and action and be delivered in a way that
maximizes its value to the enterprise. Threat intelligence provides three critical elements: 1) describe
the threat, 2) illustrate the impact, and 3) recommend action. Good threat intelligence satisfies four
primary properties: 1) completeness, 2) accuracy, 3) relevance, and 4) timeliness (see footnote 13) (CART).
An organization consuming high-quality threat intelligence will be able to leverage it across its
cybersecurity program to improve detection, response, and prevention, informing everyone from the
most technical defenders and operators to the most strategic decision makers. For industrial control
networks, where the impact of a cybersecurity incident can mean millions in business losses,
reputational damage, an environmental disaster, or loss of life, the diligent application of high-quality
threat intelligence is now an absolute necessity.

The components of an effective defense that benefit from threat intelligence are:

DETECT: Threat intelligence detailing adversary operations enables detection through threat behaviour
analytics in addition to individual technical indicators which have a short life-span.
RESPOND: Threat intelligence-informed incident response is directly correlated with a quicker and
more complete threat remediation because responders begin with base knowledge rather than
starting blindly. A speedier remediation means quicker time to recovery and reducing adversary
dwell time where business can return to normal more quickly and with reduced impact.
PREVENT: Properly used threat intelligence can prevent harm in many cases. The knowledge of the
threat environment and adversary operational behaviours can broadly inform proactive protection
and prevention activities as follows:
▪ Inform architectural decisions and technology procurement with a complete knowledge of the
threat environment and potential gaps in coverage.
▪ Identify and address data collection gaps where adversary activity may hide that improves
detection and response capabilities.
▪ Improve assessment (e.g., red team, blue team) by modelling actual threat behaviours to
strengthen risk prioritization and measure performance against real adversaries.
▪ Educate users with actual threat stories to enhance their ability to protect the business by taking
better action to notify and report suspicious activity.
▪ Build accurate threat models using knowledge of adversary behaviour instead of only
hypothetical scenarios

—————————

13 NERC CIP requires reporting within 24 hours of event notification.


3.3.2 Threat hunting


Threat hunting is the process of seeking out adversaries before they can successfully execute an attack.
The concept of hunting for threats is not new, but many organizations are putting an increased emphasis
on programmatic threat hunting in recent times due to malicious actors’ increasing ability to evade
traditional detection methods.

This approach differs from many prevention-based or detection-based security methods. Threat hunting
is a proactive technique that combines security tools, analytics, and threat intelligence with human
analysis and instinct. The threat hunting process typically starts with a hypothesis, developed through
a security alert, risk assessment, penetration test, external intelligence, or some other discovery of
anomalous activity, that a threat is present in your systems. Threat hunters will explore and test these
hypotheses through a variety of investigative, analytical, or offensive activities, searching for latent
threats that have not yet triggered detection.

Many organizations are quickly discovering that cyber threat hunting is the next step in the evolution of
the modern Security Operations Centre (SOC), but they remain unsure of how to start hunting or how
far along they are in developing their hunt capabilities [32].

Hunting consists of manual or machine-assisted techniques, as opposed to relying only on automated
systems like security information and event management (SIEM) (see footnote 14) [33]. Alerting is important but cannot
be the only focus of a detection program. In fact, one of the chief goals of hunting should be to improve
automated detection by prototyping new ways to detect malicious activity and then turning those
prototypes into effective new automations. Log files generated by all network and host devices should
be fed into the SIEM database to leverage the power of correlation. Commercial software is available
to perform the correlation function to support behavioural monitoring, intrusion detection and
vulnerability assessment; e.g., AlienVault’s Unified Security Management®.

Hunting maturity is based on a number of criteria that determine how effectively an organization can
get through the hunting process. Sqrrl has developed a threat hunting loop (Figure 11) consisting of
four stages that define an effective hunting approach (see footnote 15). The goal of a hunt team should be to get
through the loop as quickly and effectively as possible. The more efficiently you can iterate, the more
you can automate new processes and move on to finding new threats.

—————————

14 Although the industry has settled on the term ‘SIEM’ as the catch-all term for this type of security software, it evolved from
several different (but complementary) technologies that came before it.
15 https://sqrrl.com/media/Framework-for-Threat-Hunting-Whitepaper.pdf


Figure 11 - Threat hunting loop

3.4 A proactive approach to thwarting advanced cyberattacks


3.4.1 Deception is an effective solution
Cybersecurity breaches on critical infrastructure networks are active for an average of 200 days before
they are discovered. Once inside an EPU’s IT and OT network, attackers can pivot to access other
systems, stealing sensitive data and interfering with mission critical operations. An effective solution to
counter advanced cyberattacks is to use deception technology against the attacker [34-36]. Please refer
to the E-ISAC report that maps the Ukrainian cyberattack to the kill-chain [36]. NIST 800-171B,
3.13.13e, also focuses attention on deception technology [37].

3.4.2 Understanding the kill-chain model


The Law Enforcement Cyber Center uses the “kill-chain” model (see footnote 16) to define the cyberattack life cycle
(see Figure 12). Considering the EPU’s systems, which are OT or an integrated system of IT and OT, the
kill-chain model is more closely related to IT than to OT systems. A cyberattack on IT systems is
comparatively straightforward: an attacker can act on the system soon after gaining access and
escalating privileges. This is not necessarily true for OT systems or integrated OT and IT systems.
Because OT systems differ in technologies and implementation, they are site-specific, and one attack
method will not work against all systems. The attacker therefore has to design a site-specific attack and
test it before launching the actual attack; otherwise the chances of failure are high. This is also
consistent with the survey results cited in 3.4.1, which reveal that cybersecurity breaches in critical
infrastructure are active for an average of 200 days before they are discovered.

—————————

16 There are numerous variations of this model that roughly approximate the different attack stages described in this technical
brochure.


Figure 12 – Cyberattack life cycle – kill-chain model

There are eight stages in the life cycle. For a cyberattack to be successful, the attacker must
successfully execute all eight stages; therefore, to prevent a successful cyberattack, defenders have to
thwart the attack at any one of the phases, that is, break the chain. The eight stages of the life cycle
are:

1. Perform initial reconnaissance. The attacker identifies EPU IT and OT systems and determines
operating systems, security, applications, protocols, addresses, and other runtime
characteristics.
2. Make initial compromise. The attacker uses an exploit or attack to probe and break through
EPU cybersecurity system defences. This compromise could be achieved through social
engineering, phishing, extortion, or other means.
3. Establish a foothold. The attacker establishes or creates persistence on an EPU IT or OT
system, perhaps by installing a backdoor or installing utilities or malware to maintain access.
4. Escalate privileges. The attacker gains greater access to the EPU’s systems and data by obtaining
credentials, leveraging privileges belonging to an application or service, or exploiting vulnerable
software.
5. Perform internal reconnaissance. The attacker explores other EPU systems and networks to
map the entire environment, identify the roles and responsibilities of key IT and OT staff, and
locate interesting or valuable data needed to execute the attack scenarios.
6. Move laterally. The attacker jumps from system to system on EPU’s IT and OT networks, using
network shares, scheduled tasks, and remote access tools or clients.
7. Maintain a presence. The attacker maintains ongoing access and activity on EPU’s IT and OT
networks using backdoors or remote access tools.
8. Complete the mission. The attacker achieves his attack objectives, such as stealing sensitive
data or executing a scenario that interferes with, disrupts, or disables mission critical functions.
To further complicate the situation, there is a significant difference in how utilities collect IT information
from OT networks. The Newton-Evans 2016 survey sheds some light on this problem by asking two
questions and receiving the following responses.

1. Where do you provide demarcation between the physical IT and OT networks in order to safely
collect IT information from the OT networks?
NORTH AMERICA: In 2016, just over half of North American respondents said the demarcation
between physical IT and OT networks is at the control center, and 47% said demarcation is in
the substation. Seven respondents said demarcation between the two networks is provided at
both the control center and in the substation.
INTERNATIONAL: Unlike the respondents to our North American survey, a clear majority of
international utilities (77% of those surveyed) provide demarcation between physical IT and OT
networks in the substation.


2. For reliability and availability of Ethernet OT networks, which methods do you use to avoid a single
point of failure?
NORTH AMERICA: Fifty-six percent said they use IT methods for protection and control. Twenty
percent said they use Network fault detection, isolation and restoration via IEC 62439-1
reconnaissance, surveillance, and target acquisition (RSTA) and rapid spanning tree protocol
(RSTP).
INTERNATIONAL: Sixty-four percent said they use Network fault detection, isolation &
restoration via IEC 62439-1 RSTA and RSTP. Forty-one percent said they use dual primary
IEDs and networks to avoid a single point of failure. Only 9% of international respondents said
they use IT methods for protection and control.
3.4.3 Threats inside EPU’s IT and OT networks
Solutions to detect threats inside EPU’s IT and OT networks are either anomaly-based or deception-
based.

Anomaly-based detection creates a behaviour baseline of hosts, data access, network traffic, user
behaviour, etc. Commonly, any activity that is inconsistent with the baseline is flagged as an alert to
EPU’s responsible organizational unit, and subsequently to EPU’s security team. Anomaly-based
solutions have two significant drawbacks:

▪ Capturing, storing, and associating data from disparate sources is complex, expensive, and
time consuming. It requires highly sophisticated tools and skilled analysts that are not usually
common in the EPU’s labour force.
▪ False positives occur at a high rate, which can degrade the confidence in the assessment tools
and security team.
Deception-based detection is an alternative to anomaly-based detection. Many of the EPU’s IT and OT
components can be used for deception-based detection. The deceptions are not part of the normal
operations and are revealed only by a cyberattack. When an intruder spends the time and effort to
locate and access a deception that is set up to invite an attack, it is positive affirmation of a compromise,
or a highly positive anomaly.

3.4.4 Solutions for using pervasive deception


Deceptions take many forms to detect and engage threats at every step of the kill-chain described in
clause 3.4.2. Deceptions are broadly grouped into four types:

▪ Decoys: A decoy is a fabricated system or software server that presents an attractive target to
an attacker. A decoy is usually more attractive to an attacker than IT or OT production network
components because it is seeded with interesting (but fake) data and known vulnerabilities are
left open.
▪ Breadcrumbs: Breadcrumbs are used to lead an attacker to a decoy. When an attacker does
reconnaissance, breadcrumbs are placed on the endpoints and the IT or OT network points to
create an interesting target.
▪ Baits: Baits are honey tokens such as counterfeit data or fake credentials to a service which
the attacker finds valuable. Baits are laid so that ordinary IT and OT procedures or normal user
behaviour do not reach them. An attack can be detected by monitoring the access or usage of
the bait.
▪ Lures: A lure makes a decoy, a breadcrumb, or a bait more attractive than the actual EPU
network assets. For example, to make a software service decoy attractive, it can be set with
factory default credentials.
To address the insider threat: decoys, breadcrumbs, baits, and lures must be closely guarded by the
security team organizational unit – another responsibility for the ISOC. They should not be known to
the ROUs performing 24/7/365 operations.
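As an added illustration of bait monitoring (not code from TB 796), the following Python script scans constructed log lines for any use of planted honey tokens and raises an alert, since no legitimate procedure should ever touch a bait; the bait inventory, log format, host names and addresses are all constructed assumptions.

```python
"""Bait (honey token) monitoring: flag any use of planted fake credentials or data.

Added example, not code from TB 796. The bait inventory, the log format and the
host, user and address values below are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Inventory of baits planted by the ISOC (constructed sample values). The real
# inventory is held by the security team and is never disclosed to the ROUs.
BAITS = {
    "svc_scada_backup": {"kind": "fake credential", "planted_on": "hmi-02"},
    "relay_fw_keys.zip": {"kind": "counterfeit data", "planted_on": "eng-ws-07"},
}

# Constructed log lines in a simplified syslog-like format:
# <timestamp> <host> <event> user=<user> [file=<path>] src=<ip>
SAMPLE_LOG = """\
2020-03-01T02:14:07Z hmi-02 auth_success user=operator01 src=10.10.5.21
2020-03-01T02:15:33Z eng-ws-07 file_read user=operator01 file=/share/relay_fw_keys.zip src=10.10.5.21
2020-03-01T02:16:02Z rtu-gw-01 auth_failure user=svc_scada_backup src=10.10.5.21
2020-03-01T02:16:05Z rtu-gw-01 auth_success user=svc_scada_backup src=10.10.5.21
2020-03-01T03:00:00Z hmi-02 auth_success user=operator02 src=10.10.5.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+)"
    r"(?: file=(?P<file>\S+))? src=(?P<src>\S+)$"
)


@dataclass
class BaitAlert:
    ts: str
    host: str
    src: str
    bait: str
    kind: str
    event: str


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect_bait_use(log_text, baits=BAITS):
    """Return one alert per log line that touches a bait.

    Because normal IT and OT procedures never reach a bait, every hit is treated
    as a positive indicator of compromise, whether the access succeeded or failed.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        touched = None
        if rec["user"] in baits:                       # fake credential used
            touched = rec["user"]
        elif rec["file"]:                              # counterfeit file read
            name = rec["file"].rsplit("/", 1)[-1]
            if name in baits:
                touched = name
        if touched:
            alerts.append(BaitAlert(rec["ts"], rec["host"], rec["src"],
                                    touched, baits[touched]["kind"], rec["event"]))
    return alerts


def triage(alerts):
    """Group alerts by source address: which distinct baits each source touched.

    A source that reaches more than one bait has clearly moved beyond normal
    behaviour and should be the ISOC's first containment candidate.
    """
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.bait)
    return {src: sorted(baits) for src, baits in by_src.items()}


if __name__ == "__main__":
    found = detect_bait_use(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.event} bait={a.bait} ({a.kind}) src={a.src}")
    print(triage(found))
```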


3.4.5 Deploying a deception strategy


To automate the deception deployment within the IT and OT infrastructure, the security team must
leverage the security ecosystem comprised of the security information and event management (SIEM),
endpoint detection and response (EDR), privileged identity management (PIM), and external data feeds
from information sharing and analysis centres (ISACs).

3.5 Building the operations center of the future


3.5.1 Finding the solution
Within the TM Forum17, one collaboration activity is focused on building the operations centre of the
future (OpCF) [38]. This technical brochure extracted the key features from their report and put them in
the context of future EPU operations. The objective is to support, in the EPU environment, ubiquitous and
flexible communications with a wide range of service level agreements (SLAs) that simply can’t be met
in today’s EPU appliance-based networks.

Table 4 describes the basic concept envisioned to transition EPU network operation to leverage
SDN/NFV services. This approach will require the EPU to define new operational methods to manage
hybrid networks of virtualized and current components because no EPU is going to simply replace their
infrastructure and start over with virtualized functions.

Table 4 – Transitioning EPU network operations

Today | Future
Network functions provided in appliances | All network functions provided as software
Decentralized, siloed and often manual operations and management | Centralized operational control and automation
One service provider controls an entire network | Partner SDN/NFV ecosystems to deliver services
Complex operational support systems (OSS) and business support systems (BSS) | OSS and BSS become a new function like any other

3.5.2 Operational requirements for an OpCF


EPU must select service providers that offer the following capabilities:

▪ Management of virtualized and current network appliances on standard IT/OT infrastructures.
▪ Network operations that expose the network as a service.
▪ Addition of SDN/NFV partnering capabilities that support traditional and virtualized network
services.
▪ Continuous focus on enhancing EPU organizational unit’s experience.

3.5.3 Key principles for an OpCF


EPU must ensure that they address the following key principles for an OpCF:

▪ Open, dynamic APIs exposing standardized network management functions are required at all
layers.
▪ Closed loop control and automation is necessary with orchestration and management being
real-time and zero-touch, and requests being executed rapidly without human intervention.
▪ Real-time data analytics can be used to ensure and enhance EPU organizational unit’s
experience.
▪ Transparent end-to-end management across SDN/NFV partner’s boundaries is essential.

—————————

17 TM Forum’s ZOOM team and Catalyst program are working to enhance their Frameworx suite of standards-based tools and
best practices to include business processes, and information model and open application program interfaces (APIs).


▪ Orchestration can be used to increase resilience.
▪ Security must be designed in from the beginning and provided at multiple levels.

3.5.4 Integrating security into OpCF


As shown in Figure 13, DevSecOps is the DevOps recipe with security baked into every aspect of
development, from uptime to integrity. It helps ensure each EPU mission-critical application is secure
and that its code can be deployed and tested quickly. By injecting security into the DevOps process,
EPUs can ensure secure and functional software, as demonstrated at factory acceptance testing
in a hosted environment, quality assurance testing with live data feeds, and site acceptance testing.
Each stage adds to the confidence level in the deployed OpCF solution.

In other words, the EPU OpCF team must be part of developing the end solution, which requires them
to have special training and expertise to effectively execute their responsibilities.

Figure 13 – DevSecOps integrates security into OpCF

With this approach, instead of testing at certain intervals for a predetermined time, testing is conducted
continually throughout development, in different ways and at every juncture. This process catches
issues earlier and helps developers, integrators, and operations avoid repeating them in the future. It
involves constant course correction through penetration testing and code evaluation against metrics
like code complexity. This technical brochure recommends that solution providers for systems such as
IEC 61850 use code complexity metrics as an internal benchmark of the quality and maintainability of
source code. Evaluating lines of code is not enough; coders must produce maintainable code without
incurring technical debt. The coding effort can be mapped to measurements of aberrancy, complexity,
and interrelatedness.
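An added example (not from TB 796 or any IEC 61850 solution provider) of such a benchmark: a DevSecOps gate that computes cyclomatic complexity and line count per function with Python's ast module and fails any function above a threshold, showing why line count alone says little. The sample module, the threshold and the branch-counting rules are assumptions made here.

```python
"""DevSecOps quality gate: cyclomatic complexity per function.

Added example, not code from TB 796 or any IEC 61850 vendor. The sample source,
the threshold and the decision-point rules below are assumptions chosen for
illustration; the rules follow one common definition of cyclomatic complexity.
"""
import ast

# Constructed sample: a small "protection message handler" module.
SAMPLE_SOURCE = '''
def handle_goose(frame, subscriptions):
    if frame is None:
        return None
    for msg in frame.messages:
        if msg.app_id in subscriptions and msg.valid:
            continue
        while msg.retries > 0:
            msg.retries -= 1
    return frame

def scale(value):
    return value * 2
'''

# AST node types that each open one more independent path through the code.
_BRANCH_NODES = (ast.If, ast.For, ast.While, ast.AsyncFor,
                 ast.ExceptHandler, ast.IfExp)


def cyclomatic_complexity(func_node):
    """CC = 1 + number of decision points inside the function body.

    Nested function definitions are counted as part of their parent here;
    a production gate would usually report them separately.
    """
    cc = 1
    for node in ast.walk(func_node):
        if isinstance(node, _BRANCH_NODES):
            cc += 1
        elif isinstance(node, ast.BoolOp):
            cc += len(node.values) - 1      # each extra and/or operand is a path
        elif isinstance(node, ast.comprehension):
            cc += len(node.ifs)             # each `if` filter in a comprehension
    return cc


def complexity_report(source):
    """Map each top-level function name to (cyclomatic complexity, lines of code)."""
    tree = ast.parse(source)
    report = {}
    for node in tree.body:
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            loc = node.end_lineno - node.lineno + 1
            report[node.name] = (cyclomatic_complexity(node), loc)
    return report


def gate(source, max_cc=10):
    """Return the functions that breach the threshold; an empty list means the gate passes."""
    return [name for name, (cc, _) in complexity_report(source).items() if cc > max_cc]


if __name__ == "__main__":
    for name, (cc, loc) in complexity_report(SAMPLE_SOURCE).items():
        print(f"{name}: cyclomatic complexity {cc}, {loc} lines")
    print("gate failures at max_cc=5:", gate(SAMPLE_SOURCE, max_cc=5))
```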

A shift to DevSecOps requires infrastructures to evolve and team mindsets to see security as an
ongoing effort rather than an intermittent concern. Instead of responding to a security fire drill near the
end of deployment, the goal of the DevSecOps process is to extinguish a stray match early on. This
shift also means an issue can be caught by someone who doesn’t have security in their job description
but is now engaged in the process through DevSecOps.

Threat modelling, risk assessment, and automation of existing security tasks can allow an OpCF team
to better collaborate through each stage of the development process pipeline. DevSecOps is not only
about creating new security checkpoints and using new tools, but also about better utilizing the existing
security measures.

The goal is to provide the platforms, tools, and processes required for the OpCF team to focus on
continued delivery of a secure product.


3.6 Regulatory approaches to enhance EPU’s cybersecurity frameworks
3.6.1 Background
Views differ on the need to regulate cyber-risk [39, 40]. One view is that the evolving nature of cyber-
risk is not amenable to specific regulation and that cyber issues can be handled with existing regulation
relating to technology and/or operational risk. The other view is that a regulatory structure is needed to
deal with the unique nature of cyber-risk, given the growing threats resulting from an increasingly
automated energy sector.

For jurisdictions that already have specific regulatory requirements, debate continues about the level of
prescriptiveness [41, 42]. Some jurisdictions favour a principle-based approach while others apply a
more prescriptive framework. In either case, no open source literature can be found that compares the
two approaches and examines the issues from a regulator’s point of view. Of particular interest to the
EPUs is how regulators should or do determine the cost of cybersecurity protection and the metrics
needed to justify the cost.

3.6.2 Regulatory needs


Without the insight provided by a comprehensive survey, WG D2.46 members outlined their
understanding of the high-level regulatory needs. Table 5 groups these needs into five categories: 1)
information sharing, 2) cooperative decisions, 3) compliance with local laws and regulations, 4)
conformance to applicable standards, and 5) a mission element needs statement (MENS) to establish
a regulatory-centric reference model. It is well beyond the scope of this technical brochure to develop
the details; that is left to a future working group.


Table 5 – Regulatory needs


4. Summary of findings and recommendations


4.1 Key take-away points
▪ There is no standard methodology and metrics to support the projections of emerging threats,
the composition of the future grid, and the interaction between them.
▪ This technical brochure describes a framework for EPUs to verify compliance to local laws and
regulations and conformance to applicable standards for their system of interest.
▪ Strategic cybersecurity planning is critical for EPUs to proactively, rather than reactively,
improve their cybersecurity protection posture. Selection of the best plan and options to cope
with emerging threats, regulations, and technologies needs a well-defined measure of success.
▪ EPU stakeholders should actively participate in trade shows and study committees to stay
abreast of the emerging technologies.
▪ Establishing measures of effectiveness (MoEs) and then modelling them to gain usable output
allows the EPU’s strategic planning team to identify measurable criteria.
▪ Modern business intelligence (BI), artificial intelligence (AI), and analytics are strong candidates
for strategic planning of pre-planned improvements for greater accessibility, agility, and
analytical insight from a diverse range of EPU sources.
▪ Given the dynamics of the threat environment, advances in cybersecurity solutions, and new
laws and regulations, EPUs need to automate their awareness assessment process and
analytics. The law has an important role to play as a regulator and implementer of automation,
but prescriptive approaches that seek to produce specific outcomes with universal rules by
requiring particular conduct or technology are ill-suited when a large number of variables are
involved in meeting complex regulatory goals [40].
▪ The emerging trends discussed in the evolution of ICS attacks require EPUs to develop
complete understanding of the kill-chain approach to ICS attacks including the need for
information sharing with national agencies and other EPUs.

4.2 Four stages of secure enterprise information management


As the threat landscape evolves, EPUs need to maintain a high-degree of awareness, modernize their
technical controls to protect every data component to maintain confidentiality and data integrity, and to
safeguard proprietary rights. They need to take advantage of technology and work from mobile solutions
to manage their information and open their stove-pipe silos of operation. In summary, this technical
brochure has identified four stages of implementing secure enterprise information management (EIM):

▪ Get content under control by implementing standard taxonomies. The creation of a uniform
language for digital objects opens information silos and enables the efficient migration of
content from completed projects and legacy systems.
▪ Ensure that optimal attribute-based access control, version control, etc. is used when deploying
the efficiencies of cloud designs and mobile delivery capabilities. By protecting the data object,
one achieves the flexibility to be indifferent to the transmission or storage options required by
the data owner.
▪ Secure change management with a structured approach that includes built-in processes for
reviews and approvals. Use a structured approach to create audit trails of automatic notifications
of information changes.
▪ Coordinate information from business applications by integrating business systems to ensure
compatibility with authoring and collaboration tools. Develop EPU-specific content solutions.
Organizations with secure content management have the strength to control, automate and accelerate
the exchange of information with secure, auditable document control capabilities at will. This large-scale
nimbleness streamlines the creation, distribution, tracking, and enforcement of document templates,
corporate standards and naming conventions.


When secure content management becomes strong, organizations experience effective collaboration
among interdisciplinary teams of engineering, procurement, and construction contractors, owner-
operators and equipment suppliers on shutdown-turnaround, etc.

Effective, secure, content management reduces costs and increases productivity in change
management. A structured approach to change management reduces errors and accelerates workflows
and collaboration across the organization and with external parties, while strengthening security and
controls. As assets are updated and new components installed, changes in operating conditions must
be documented under full revision control in accordance with ISO/IEC/IEEE standards and the new
asset documentation must be linked to the functional location and equipment. By prioritizing secure
content management in every corner of operations, each ROU can retain knowledge, increase reliability
and maximize return-on-asset investment. This helps ensure that information governance will only
deploy process management controls that bolster rather than hinder all maintenance and growth
activities.

4.3 Lessons learned from the Newton-Evans survey


▪ Electric utilities are largely focused on NERC CIP compliance activities. For the most part, there
is a high dependence on external assistance or third-party services. This will continue in the
foreseeable future unless there are local laws and regulations that require EPUs to provide the
services internally.
▪ The use of encryption to protect sensitive data at rest or in transit requires more attention. There
is some movement to encrypt sensitive data between substations and between substation and
external hosts or networks. This potentially reflects the lack of affordable encryption products
and services that are embedded in protection and control systems and the difficulty to manage
dynamic role-based access control and attribute-based access control.
▪ Most surprising is the current lack of a need for vendor security certification or, more to the
point, vendor conformance to security standards. The projection is that this will dramatically
improve in the near future.

4.4 Recommendations for future work


▪ Review open source EPU modernization programs to identify emerging threats, regulations,
and technologies that are the principal motivation for their modernization program. Describe
the trends that can be used to guide the strategic cybersecurity planning process and measures of
success.
▪ Using the kill-chain model, automation of awareness assessments (see clause 7.4) needs
additional research and use case verification supported with MBSE simulations.
▪ Leverage existing SDN/NFV studies to build a comprehensive MBSE model of the OpCF.
▪ Develop case studies to assess the benefits and challenges for EPUs to deploy a deception-
based strategy to complement an anomaly-based detection strategy.
▪ Develop classes of metrics that can be used by other CIGRE study committees to quantify
cyber-physical security solutions in terms of deployment rate, response rate, and degree of
complexity. An approach similar to the US Defense Innovation Board metrics for software
development [43] should be considered.
▪ Review the open literature to identify applicable standards, guidelines, and reports that address,
or could be used to address, regulatory approaches to enhance EPU’s cybersecurity
frameworks. Conduct a global survey to solicit EPU recommendations on their preferences,
and to better understand their needs for improved regulatory guidance. If possible, include
regulators in the survey to better understand their needs. [Newton-Evans is best equipped to
perform this survey.]


5. Planning horizon assessment methodology


5.1 Planning horizon template
Near-term and long-term planning must address cybersecurity threats, local laws, regulations, and
solutions. WG D2.46 surveyed EPUs to determine the planning horizons that best fit with normal EPU
planning cycles. Given the uncertainty in predicting threat development, the survey identified the best
approach to develop adaptable solutions and identified the three primary complexity drivers: IP-based
technology, interaction of processes, and specialized people skills.

5.2 Metrics and key performance indicators


WG D2.46 used Herrmann’s “Complete guide to security and privacy metrics” as the primary resource
for this clause [44]. Collection, analysis, and actionable decisions derived from metrics and key
performance indicators (KPIs) are recognized as a continuous process. When properly executed,
executive decision makers can make informed decisions to improve security processes, operating
procedures, and resource allocations to improve their security posture. Aggregation of metrics to
provide a coherent picture of the security situation is critical for well-informed decision making.

To develop a coherent picture of the security situation, EPU organizational directives should require all
ROUs to execute the following steps:

1. Define what information is going to be collected.
2. Define why this information is being collected and how it will be used.
3. Define how the information will be collected, and the constraints and controls on the collection
process.
4. Define the time interval and frequency with which the information is to be collected.
5. Identify the source(s) from which the information will be collected.
6. Define how the information collected will be preserved to prevent accidental or intentional
alteration, deletion, addition, other tampering, or loss.
7. Define how the information will be analysed and interpreted.
8. Decide when the data/information is to be deleted.
Aggregating the information for the decision maker requires a clear understanding of the limitation on
the use of individual or aggregate measurements. The most effective way to communicate the security
posture is a KPI color-coded description: GREEN – situation is well within the bounds of acceptable
risk, YELLOW – situation is marginal and requires more frequent monitoring to determine impact on
mission-critical operations, and RED – situation exceeds the bounds of acceptable risk and requires
immediate attention.

YELLOW and RED assessments should include a recommendation for a resourced action plan.
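An added example, not from TB 796 or Herrmann's guide, of the colour-coded roll-up described above: each ROU's KPI readings are rated GREEN, YELLOW or RED, the worst rating propagates upward without hiding which ROU and which KPI drove it, missing readings are reported rather than silently treated as acceptable, and anything not GREEN is flagged for a resourced action plan. The KPI names, thresholds and readings are constructed.

```python
"""Security-posture KPI roll-up with GREEN / YELLOW / RED rating.

Added example, not code from TB 796 or Herrmann's guide. The KPI names,
thresholds and ROU readings below are constructed for illustration.
"""
from dataclasses import dataclass

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"
_SEVERITY = {GREEN: 0, YELLOW: 1, RED: 2}


@dataclass(frozen=True)
class Kpi:
    name: str
    yellow: float          # first threshold crossed on the way to RED
    red: float
    lower_is_better: bool  # direction: days-to-detect is lower-is-better, coverage is not


# Constructed KPI set. The dwell-time thresholds are motivated by the point in
# clause 3.4.1 that breaches stay active about 200 days before discovery.
KPIS = [
    Kpi("mean_days_to_detect", yellow=30, red=90, lower_is_better=True),
    Kpi("patch_compliance_pct", yellow=95, red=85, lower_is_better=False),
    Kpi("open_critical_findings", yellow=1, red=5, lower_is_better=True),
]


def rate(kpi, value):
    """Map one measurement to a colour according to the KPI's direction."""
    if kpi.lower_is_better:
        if value >= kpi.red:
            return RED
        return YELLOW if value >= kpi.yellow else GREEN
    if value <= kpi.red:
        return RED
    return YELLOW if value <= kpi.yellow else GREEN


def rate_rou(readings, kpis=KPIS):
    """Rate one ROU: worst colour across its KPIs, plus which KPIs drove it."""
    per_kpi = {k.name: rate(k, readings[k.name]) for k in kpis if k.name in readings}
    missing = [k.name for k in kpis if k.name not in readings]   # never assume GREEN
    worst = max(per_kpi.values(), key=_SEVERITY.get, default=GREEN)
    drivers = sorted(n for n, c in per_kpi.items() if c == worst and worst != GREEN)
    return {"colour": worst, "drivers": drivers, "missing": missing,
            "needs_action_plan": worst != GREEN}


def aggregate(rou_readings, kpis=KPIS):
    """Roll all ROUs up to one posture colour while keeping the driving ROUs visible."""
    rated = {rou: rate_rou(r, kpis) for rou, r in rou_readings.items()}
    overall = max((v["colour"] for v in rated.values()), key=_SEVERITY.get, default=GREEN)
    driven_by = sorted(rou for rou, v in rated.items()
                       if v["colour"] == overall and overall != GREEN)
    return {"colour": overall, "driven_by": driven_by, "rous": rated}


# Constructed readings from three hypothetical ROUs; one reports an incomplete set.
SAMPLE_READINGS = {
    "transmission_ops": {"mean_days_to_detect": 12, "patch_compliance_pct": 97,
                         "open_critical_findings": 0},
    "distribution_ops": {"mean_days_to_detect": 45, "patch_compliance_pct": 96,
                         "open_critical_findings": 2},
    "substation_eng": {"mean_days_to_detect": 200, "patch_compliance_pct": 80},
}

if __name__ == "__main__":
    result = aggregate(SAMPLE_READINGS)
    print("overall:", result["colour"], "driven by", result["driven_by"])
    for rou, v in result["rous"].items():
        print(f"  {rou}: {v['colour']} drivers={v['drivers']} missing={v['missing']}")
```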

5.3 Leverage trends in EPU modernization programs


5.3.1 General research trends
In the near term, by 2020, Gartner’s four key planning assumptions [45] are:

1. Smart/augmented, non-relational-, search- and visual-based data discovery capabilities will
converge into a single set of next-generation data discovery capabilities as components of
modern business intelligence (BI) and analytics platforms.
2. The number of users of modern BI and analytics platforms that are differentiated by augmented
data discovery capabilities will grow at twice the rate, and will deliver twice the business value,
of those that are not.
3. Natural-language generation and artificial intelligence (AI) will be a standard feature of 90% of
modern BI platforms.
4. 50% of analytic queries will be generated using search, natural-language processing or voice,
or will be automatically generated.


Given this trend, modern BI, AI and analytics are strong candidates for PACS strategic planning of pre-
planned improvements for greater accessibility, agility, and analytical insight from a diverse range of
PACS sources.

Gartner publishes a detailed “Critical capabilities for business intelligence and analytics platforms”
report as a companion to the “Magic quadrant for business intelligence and analytics platforms.” This
provides an in-depth comparison of products and vendors that meet the definition of a modern analytical
BI platform. Additionally, “Toolkit: BI and analytics platform RFP” covers the detailed functionality that
a modern analytical and BI platform should have.

5.3.2 EPU-centric research trends


With permission from Newton-Evans Research Company, this TB extracted key findings from the
Newton-Evans research report. Annex E reviews the findings from their research.

The prevention of intentional or unintentional interference with the proper operation of utility control
systems such as energy management, SCADA, distribution management, outage management and
protection and control is an active research topic. These control systems manage essential electric
utility operations. They rely on computers, networks, operating systems, applications, and
programmable controllers, which may contain security vulnerabilities. The United States has enacted
cyber-security regulations, guidelines and recommendations for improving the protection of control
systems operating electric power networks and other critical infrastructures.

NERC Standards CIP-002-5.1A through CIP-013-2 provide a cyber-security framework for the
identification and protection of critical cyber assets to support reliable operation of the bulk electric
system. These standards recognize the different roles of each entity in the operation of the bulk electric
system, the criticality and vulnerability of the assets needed to manage the reliability of bulk electric
systems, and their related risks. Control system security is known by several other names such as
SCADA security, PCN security, industrial network security, and control system cyber security.

At least one research firm has pegged the global market for electric power utility cyber security spending
for operational control systems at more than $800 million. Newton-Evans Research believes that the
total U.S. market segment for cyber security software used specifically in conjunction with operational
control systems is significantly lower, perhaps around $270-300 million in 2017, growing at 10% in 2018
and developing even more rapidly in the mid-term18.

There are several reasons for a conservative estimate of “separable” cyber security spending for control
systems including (1) the bundling of some cyber security software costs in the contract prices of the
EMS, SCADA, DMS and OMS systems; and (2) the “project-oriented” nature of custom software and
services provided to utilities by defense contractors such as Boeing, Lockheed and Raytheon, and IT
specialists led by IBM, Accenture and SAIC.

Table 6 and Table 7 summarize the estimates.

Table 6 – 2017 U.S. market size estimates in $MUSD

Total Utilities | Total Industrial | Total U.S.
$279 | * | $279

* Please note that merchant plants, OEMs and industry are outside the scope of this overview.
Table 7 – 2018-2020 U.S. Outlook in $MUSD

Estimate | 2018 | 2019 | 2020
Low Estimate | $275 | $280 | $290
Med. Estimate | $292 | $305 | $320
High Estimate | $315 | $330 | $345

—————————

18 Sources: NERC, Newton-Evans Research Company, DOE, NCCIC, and vendor websites


Figure 14 and Figure 15 depict the estimated portion of total cyber-related expenditures that is
attributable to cybersecurity (principally NERC CIP) consulting services. The Newton-Evans survey
findings suggest a growing market that today stands at $45 million and is showing good, sustainable
growth in the near and mid-terms.

Figure 14 – Cybersecurity software for control systems

It is notable that more than 50 percent of the solutions shown in Figure 14 are custom cyber solutions
(27%), T&D engineering management consulting (14%), and other providers (16%). The remaining
options (43%) are specialized cybersecurity solutions.

Figure 15 and Figure 16 underscore the emphasis on NERC CIP compliance solutions focused on the
following topics.

▪ Most cyber-specific specialists offer and provide toolkits and reporting/logging toolkits for NERC
CIP compliance requirements.
▪ The community of OT consultants holds an important share of NERC CIP compliance
consulting.
▪ Leading NERC CIP compliance specialist consulting services are being provided by
software/product specialists including Waterfall, N-Dimension, Industrial Defender (Lockheed-
Martin), Tripwire, Core Security, Network & Security Technologies, Archer Energy, Plus
Consultants (just becoming acquired by Southern Company), Securicon, Force 5, PCS-Proven
Compliance Systems.
▪ Cross-over (IT to OT) consultants include major enterprise firms such as IBM, ICF, BAH and
PA Consulting.


Figure 15 – Cybersecurity consulting

[Chart: Cybersecurity and NERC CIP Consulting Services by Type of Service Provider: OT Consultants 20%, NERC Compliance "Systems" Providers 30%, Cyber Specialists 20%, Cyber SW Products 30%]

Figure 16 – Consulting services by type of service provider


6. Identification of applicable standards, CIGRE TBs, and open source documents
6.1 Applicable standards
Table 8 – Contribution of applicable standards

ID | Title | Contribution | Source
IEC 62443 | Industrial communication networks – Network and system security | Baseline requirements for people, process, and technology | [46-48]
IECEE OD-2061 | IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components | Certificate of Conformity to IEC 62443 supported by real evidence | [49]
IEC 62351 | Power systems management and associated information exchange: Data and communication security | Baseline requirements for power system communication security. | [17, 50-53]

6.2 Applicable CIGRE Technical Brochures


Table 9 – Contribution of applicable CIGRE TBs

ID | Title | Contribution | Source
TB 698 | Framework for EPU operators to manage the response to a cyber-initiated threat to their critical infrastructure | Baseline reference of response options. | [19]
TB 603 | Application and Management of Cybersecurity Measures for Protection and Control | Baseline reference of P&C response options. | [54]
TB 732 | Advanced utility data management and analytics for improved operational situational awareness of EPU operations | Data management and analytics for situational awareness | [55]
TB 762 | Remote service security requirement objectives | Remote service security requirement objectives. | [16]

6.3 Applicable open source documents


Table 10 – Contribution of applicable open source documents

ID | Title | Contribution | Source
ISBN: 9781119165354 (hardback) | Project management: a systems approach to planning, scheduling, and controlling | Baseline reference for maturity assessment | [2, 56]
ISBN: 1420013289 | Complete guide to security and privacy metrics: measuring regulatory compliance, operational resilience, and ROI | Coupling between security and metrics. | [44]
ISBN-13: 978-1544751504; ISBN-10: 1544751508 | Global Guide to Data Protection Laws – Understanding privacy and compliance requirements in more than 80 countries | Global assessment of GDPR impacts | [15]
ISBN: 9783319579580 (alk. paper) | The EU general data protection regulation (GDPR) | Understanding the requirements of the GDPR | [14]

TB 796 – Cybersecurity: Future threats and impact on electric power utility organizations and operations

7. Impact assessment and solutions


7.1 Understanding threat actor’s motivation
The motivation of adversaries to exploit vulnerabilities on a trusted network can be classified broadly
according to five major categories: 1) espionage and intelligence gathering, 2) denial of service, 3) data
corruption and misinformation, 4) kinetic and cyber-physical effects, and 5) hijack of asset control [57].
An EPU’s specific operational vulnerability may enable one or more of these classes of adversary
operations. The extent to which an adversary can leverage the vulnerability to interfere with EPU
operations depends on which of these five categories the vulnerability may enable and the extent to
which operational execution can withstand adversary activity in each category. Therefore, the inherent
risk presented by a vulnerability is specific to each EPU operation that is impacted.

As noted in [58], there is a key distinction between a disruptive attack on the EPU's control system and
other types of cyberattacks. First, the attacker's mission is to interfere with, disrupt, or disable an
operational process rather than steal data. Second, the attacker must have performed OT
reconnaissance and must have sufficient specialized engineering knowledge to understand the EPU's
secondary system control processes and successfully manipulate them.

WG D2.46 considered three attack options:

Attack option 1: Use the protection and automation control system (PACS) to shut down the process.
▪ The attacker can reprogram the PACS logic to cause it to trip and shut down a process that is,
in actuality, in a safe state; i.e., trigger a false positive.
▪ This will result in financial losses due to the disruption of power delivery and require complex
start-up procedures to restore service.
Attack option 2: Reprogram the PACS to allow an unsafe state.
▪ The attacker can reprogram the PACS logic to allow unsafe conditions to persist.
▪ This will result in an increased risk that a hazardous situation will cause physical consequences
during a natural disaster.
Attack option 3: Reprogram the PACS to allow an unsafe state while using the energy management
system (EMS) to create an unsafe state or hazard.
▪ The attacker can drive the process into an unsafe state from the EMS while preventing the
PACS from functioning appropriately.
▪ This will result in serious damage to the environment and damage to equipment.
Clearly, there is a need for EPUs to augment the current capabilities of vulnerability assessment tools
to realistically assess attacker access to existing vulnerabilities and to improve the ability of
stakeholders to triage which system vulnerabilities present the highest risk. This requires a dynamic
approach to vulnerability assessment rather than a static approach, because the attacker posture and
vulnerability access as well as the way the trusted EPU networks are being leveraged to accomplish
their functions are both subject to significant variability in time.

Identifying data sources for use in vulnerability assessment and exploitation is a straightforward
proposition. There are commercial security tools that generate useful data for defining the EPU's
situational awareness posture and providing content pertinent to a vulnerability assessment. However,
the challenge is not in finding the data sources, but rather in adopting approaches or tools that
aggregate and correlate the data in a meaningful manner.


7.2 Response to evolving cybersecurity threats over the long term


Implementing strong security controls is necessary but not sufficient: EPU subject matter experts know
that even with a strong security defense, mission-critical operations can be compromised. Accordingly, it is
important to maintain regular backups of important data and to have an incident response plan in place
to rely on when an incident occurs.

The four basic tenets of a strategic cybersecurity policy are:

1. Prepare by knowing your data, systems and networks, and by planning for incident response.
▪ In most cases, it is appropriate for each ROU to adopt a data classification scheme.
Clause 2.3 describes an MBSE approach to identify the data types that may warrant stronger
security controls.
▪ A systems and software inventory, including the network topology, should be maintained to
identify every device that has access to the ROU's networks. The inventory should identify the
specific RBAC and ABAC controls that apply to each device.
▪ Each ROU should validate its backup strategy to protect against system and data storage
failures that result from systemic equipment or communication failure, or from a cyber-induced
incident that interferes with, disrupts, or disables normal operations.
2. Prevent by strengthening access and use controls, patching known vulnerabilities promptly, and
improving the awareness of employees and support contractors.
▪ Each ROU should strengthen its access controls by enabling a combination of RBAC and
ABAC constraints. The most effective approach is to secure the data at its source and to retain
the security permissions throughout the lifespan of the data.
▪ The principle of least privilege should be applied to all users, including administrators and
support contractors.
▪ Staging patches in a QA test environment with a live data feed is highly recommended to gain
assurance that the patches do not disturb operations before they are deployed.
▪ Periodic updates on changes in the threat landscape and in cybersecurity PP&ODs
should be routinely scheduled. Personnel (employees and support contractors) attending the
awareness updates should sign an attendance sheet to confirm their attendance and their
understanding of changes related to their job responsibilities.
3. Mitigate by providing the means to detect incidents early and execute your response plan.
▪ Automated processing of operational logs should be enabled to generate actionable information
for timely corrective action.
▪ In real time, or near real time, corrective action should be initiated to contain the incident and
limit the damage to operational functions.
▪ Post-mortem analysis and disclosure require effective collection and protection of the evidence
to ensure it has not been tampered with or altered. Reporting the incident is governed by local
laws and regulations.
4. Restore by using highly automated backup switch-over mechanisms.
▪ Each ROU should implement a highly automated backup scheme to recover lost data.
▪ When warranted, the ROU should enable a passive hot-backup system with communications
that are independent of the active control system.
▪ Vulnerabilities discovered in the active control system should be corrected in the passive
hot-backup system as soon as possible, and corrected in the active control system on a
priority-based schedule.
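The combination of RBAC and ABAC under least privilege called for in tenet 2, as an added worked example that is not part of TB 796. Roles grant a minimal set of (operation, classification) pairs; attribute rules then constrain the decision using attributes carried by the data object (its classification label and owning ROU) and by the request (network zone, time of day). Because the label travels with the object, a derived copy is subject to the same rule as the source. The roles, classification scheme, zones, rule set and sample subjects are all constructed assumptions, not from the brochure.

```python
"""Combined RBAC and ABAC authorization under least privilege.

Added example, not code from TB 796. All roles, labels, zones, rules and
sample requests below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: str  # assumed scheme: "public", "operational" or "restricted"
    owner_rou: str       # ROU that owns the data at its source


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    rou: str   # ROU the user belongs to
    zone: str  # network zone the request comes from: "ot", "corp" or "remote"


# RBAC: each role gets only the (operation, classification) pairs its job needs.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "operator": {("read", "public"), ("read", "operational"), ("write", "operational")},
    "protection_engineer": {("read", "operational"), ("read", "restricted"), ("write", "restricted")},
    "support_contractor": {("read", "operational")},
    # Administrators get no standing access to restricted data (least privilege).
    "admin": {("read", "public"), ("read", "operational")},
}


def rbac_permits(subject: Subject, obj: DataObject, operation: str) -> bool:
    """True if at least one of the subject's roles grants the operation on this classification."""
    granted: Set[Tuple[str, str]] = set()
    for role in subject.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return (operation, obj.classification) in granted


def abac_violation(subject: Subject, obj: DataObject, operation: str, hour: int) -> Optional[str]:
    """Attribute rules evaluated after the role check; returns the violated rule or None."""
    if obj.classification == "restricted" and subject.rou != obj.owner_rou:
        return "restricted data stays within its owning ROU"
    if operation == "write" and subject.zone != "ot":
        return "writes are only accepted from the OT zone"
    if subject.zone == "remote" and obj.classification == "restricted":
        return "restricted data is not readable from the remote zone"
    if "support_contractor" in subject.roles and not 8 <= hour < 18:
        return "contractor access limited to 08:00-18:00"
    return None


def authorize(subject: Subject, obj: DataObject, operation: str, hour: int) -> Tuple[bool, str]:
    """RBAC decides whether the operation is ever permitted; ABAC decides whether it is permitted now."""
    if not rbac_permits(subject, obj, operation):
        return False, "no assigned role grants this operation on this classification"
    violated = abac_violation(subject, obj, operation, hour)
    if violated is not None:
        return False, violated
    return True, "permitted"


def derive(obj: DataObject, new_name: str) -> DataObject:
    """Derived copies (exports, reports) keep the source object's label and owner."""
    return DataObject(new_name, obj.classification, obj.owner_rou)


# Constructed sample objects and subjects (hypothetical names).
SETTINGS = DataObject("relay_settings_B12", "restricted", "protection_rou")
TELEMETRY = DataObject("feeder_load_B12", "operational", "operations_rou")
OPERATOR = Subject("alice", frozenset({"operator"}), "operations_rou", "ot")
ENGINEER = Subject("bob", frozenset({"protection_engineer"}), "protection_rou", "ot")
OTHER_ENGINEER = Subject("carol", frozenset({"protection_engineer"}), "operations_rou", "ot")
CONTRACTOR = Subject("dave", frozenset({"support_contractor"}), "operations_rou", "remote")
ADMIN = Subject("eve", frozenset({"admin"}), "protection_rou", "corp")


if __name__ == "__main__":
    for subj, obj, op, hour in [
        (OPERATOR, TELEMETRY, "write", 10),
        (ENGINEER, SETTINGS, "write", 10),
        (OTHER_ENGINEER, SETTINGS, "read", 10),
        (CONTRACTOR, TELEMETRY, "read", 20),
        (ADMIN, SETTINGS, "read", 10),
        (OTHER_ENGINEER, derive(SETTINGS, "relay_settings_B12.export"), "read", 10),
    ]:
        print(subj.user, op, obj.name, authorize(subj, obj, op, hour))
```

The role check answers "could this user ever do this", the attribute check answers "may they do it from here, now, on this copy of the data"; the denial reason is returned so that the decision can be logged for the post-mortem evidence trail described under tenet 3.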
Commercial tools and supporting technologies such as firewalls, encryption, authentication, and
anomaly or intrusion detection are available to improve the utility's capability to prevent and mitigate
the consequences of cyber-physical threats. These systems are continuously being upgraded to counter
new threats as they emerge.


7.3 Coping with the dynamics and complexity of security management schemas

Given the rapidly evolving cybersecurity threat landscape, the challenge is to devise a management
schema that is highly adaptable to the dynamics and complexity of known and unknown threats. Based
on the research of [59], CIGRE TB 698, Annex C, introduced the system dynamics model of an insider
threat [19]. As noted in that research, implementing the tenets of a strategic cybersecurity policy requires
attention to three topics, in short, people, process, and technology:

1. Technical controls of security are the mechanisms that protect EPU systems from incidents
or attacks: Antivirus software, access controls, backups, recovery and audit software, for
example.
2. Formal controls of security are EPU’s business structures and processes that ensure the
correct general conduct of business and reduce the probability of an incident or an attack, or at
least minimize its impact. For example, separating the security organization from other IT and
OT departments, designing correct segregation of security duties and therefore access rights
and privileges, designing and controlling the appropriate employee-supervisor relationship,
routine risk evaluations, etc.
3. Informal controls essentially deal with the culture, values and belief system of the EPU. An
organizational culture in which it is possible to understand management's intentions, and which
is conducive to developing a shared vision and other informal objectives, makes members
of IT and OT more committed to their activities and success. Informal controls might be created,
for example, by increasing awareness of security issues through education and training
programs.
Given the dynamics of the threat environment, the four basic tenets in clause 7.2 and the controls
described above stress the need to deploy cybersecurity solutions that are designed to accept changes
seamlessly. This level of agility should be designed into control settings that are offered as options
and can be enabled on demand. For most OT solutions, software updates are less desirable because
24/7 continuous operation is the highest priority.

Most cybersecurity solutions are offered as: a) commercial (off-the-shelf) software with no EPU-specific
customization required, b) commercial software with EPU-specific customization, c) custom solutions
running on commodity hardware, or d) custom solutions running on custom hardware. From an
interoperability and agility point of view, based on IEC 61850 and IEC 62351, options b) and c) are the
best choices.

Cybersecurity solution agility requires an EPU's ROUs to adopt a DevOps strategy built on starting small,
iterating, and building on success, with efforts that do not succeed terminated quickly. Waterfall
development approaches should be abandoned and replaced with commercial agile processes. Effective
management requires a few metrics:

▪ Time from program launch to deployment of the simplest functionality.
▪ Time to field high-priority functions.
▪ Time required for a full (automated) regression test and a cybersecurity audit/penetration test.
▪ Time required to restore services after an interruption or outage.
▪ Number of bugs caught in qualification testing versus the number found after deployment.


7.4 The need to automate awareness assessment


Given the dynamics of the threat landscape, advances in cybersecurity solutions, and new laws and
regulations, EPUs need to automate their awareness assessment process and analytics. Awareness
requirements refer to other requirements or domain assumptions and to their success or failure when
enabled at runtime [60].

Figure 17 shows the states a requirement can assume. The state is initially undecided; eventually the
requirement either succeeds or fails, and it may also be cancelled. Considering the EPU's control system,
the reference input is to fulfil the requirement. If the actual output indicates that the requirement has
failed, the control system must act to compensate or reconcile the situation and bring the system back
to an acceptable state.

Figure 17 – States assumed by requirements

An automated awareness assessment system must consider every instance of the referred
requirement. An instance of a task is created every time it is executed, and the "never fail" quality
constraint (QC) is to be checked for every such instance.

An aggregate awareness requirement (AR) refers to the instances of another requirement and imposes
constraints on their success/failure rate [60]. At a minimum, it demands that a referred domain
assumption (DA) hold for a specified percentage of the instances; e.g., 99% of the times the referred
requirement is attempted. Aggregates should also be able to specify the period and frequency to
consider when aggregating requirement instances.

Additional capabilities to consider include:

▪ The capability to specify the minimum/maximum success/failure allowed.
▪ The capability to combine different requirements that integrate quality constraints with different
target rates.
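The aggregate awareness requirement described above, as an added worked example that is not part of TB 796. Each execution of a referred requirement creates an instance in one of the Figure 17 states (undecided, succeeded, failed, cancelled); a "never fail" quality constraint is checked over every instance, while an aggregate AR checks the success rate of the decided instances inside a look-back period, optionally with an absolute cap on failures, and can be evaluated on a schedule (the AR's frequency). The requirement identifiers, the instance history and the 99%/95% thresholds are constructed assumptions.

```python
"""Evaluating aggregate awareness requirements (ARs).

Added example, not code from TB 796. Instance records, requirement names
and thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Sequence, Tuple


class State(Enum):
    UNDECIDED = "undecided"
    SUCCEEDED = "succeeded"
    FAILED = "failed"
    CANCELLED = "cancelled"


@dataclass(frozen=True)
class Instance:
    requirement: str  # identifier of the referred requirement
    t: int            # time the instance was created (seconds)
    state: State


@dataclass(frozen=True)
class AggregateAR:
    requirement: str         # referred requirement
    period: int              # look-back window in seconds
    min_success_rate: float  # e.g. 0.99: 99% of decided instances must have succeeded
    max_failures: Optional[int] = None  # optional absolute cap on failures in the window


def never_fail(instances: Sequence[Instance], requirement: str) -> bool:
    """'Never fail' QC: true only if no instance of the requirement has ever failed."""
    return not any(i.requirement == requirement and i.state is State.FAILED for i in instances)


def evaluate(ar: AggregateAR, instances: Sequence[Instance], now: int) -> Tuple[State, Optional[float], int]:
    """State of the aggregate AR at time `now`, with the success rate and failure count.

    Only decided instances (succeeded or failed) created in (now - period, now] count;
    cancelled and undecided instances are attempts without an outcome and are excluded.
    """
    window = [i for i in instances
              if i.requirement == ar.requirement and now - ar.period < i.t <= now]
    decided = [i for i in window if i.state in (State.SUCCEEDED, State.FAILED)]
    if not decided:
        return State.UNDECIDED, None, 0
    failures = sum(1 for i in decided if i.state is State.FAILED)
    rate = (len(decided) - failures) / len(decided)
    within_rate = rate >= ar.min_success_rate
    within_cap = ar.max_failures is None or failures <= ar.max_failures
    return (State.SUCCEEDED if within_rate and within_cap else State.FAILED), rate, failures


def evaluate_schedule(ar: AggregateAR, instances: Sequence[Instance],
                      start: int, end: int, every: int) -> List[Tuple[int, State]]:
    """Evaluate the AR every `every` seconds from start to end inclusive (the AR's frequency)."""
    return [(t, evaluate(ar, instances, t)[0]) for t in range(start, end + 1, every)]


def sample_instances() -> List[Instance]:
    """Constructed history: 100 attempts of R1 at t=1..100, of which t=50 and t=100 failed."""
    hist = [Instance("R1", t, State.FAILED if t % 50 == 0 else State.SUCCEEDED)
            for t in range(1, 101)]
    hist.append(Instance("R1", 101, State.CANCELLED))  # cancelled by an operator, not counted
    hist.append(Instance("R1", 102, State.UNDECIDED))  # still running, not counted
    hist.append(Instance("R2", 10, State.SUCCEEDED))   # a different referred requirement
    return hist


if __name__ == "__main__":
    hist = sample_instances()
    strict = AggregateAR("R1", period=1000, min_success_rate=0.99)
    lenient = AggregateAR("R1", period=1000, min_success_rate=0.95, max_failures=5)
    print("never-fail QC on R1:", never_fail(hist, "R1"))
    print("strict AR at t=1000:", evaluate(strict, hist, now=1000))
    print("lenient AR at t=1000:", evaluate(lenient, hist, now=1000))
    print("strict AR every 25 s:", evaluate_schedule(strict, hist, 25, 125, 25))
```

Two ARs over the same instances with different target rates (99% versus 95%) give different states for the same history, which is the "different target rates" capability listed above; the failure cap shows how an absolute minimum/maximum is combined with the rate.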


8. The way forward – Strategic planning


8.1 The challenge
Devising a strategic plan requires an in-depth understanding of decision making and of the human
behaviour needed to execute the decisions effectively. Sterman addressed both in [61]. With some
tailoring, this technical brochure adopts Sterman's five decision-making fundamentals in the
development of its business process models.

1. The inputs to all decision rules in an EPU's strategic planning schema must be restricted to
information available to the real decision makers.
2. The decision rules of the schema should conform to the EPU's unique managerial practice.
3. Desired and actual conditions should be distinguished. Physical constraints on the realization
of desired outcomes must be represented.
4. Decision rules should be robust and adaptable under conditions of extreme uncertainty.
5. Equilibrium should not be assumed. Equilibrium and stability may (or may not) emerge from the
interaction of the elements of the EPU's environment.
8.1.1 Apply the Baker criterion
The decision rules need to be based on what the EPU decision makers know and when they knew it.
To mimic the behaviour of the process properly, the inputs to a decision in the model must be restricted
to information that is available to and used by the decision makers. Basing the decisions in the model on
available information has three important corollaries:

1. No one knows with certainty what future cybersecurity threats will bring. The model cannot
assume that decision makers have perfect knowledge of future outcomes or that forecasts of
the threat landscape are correct, or even correct on average.
2. Perceived and actual cybersecurity threats differ. Information about the current state of known
and unknown threats is fuzzy at best. For this reason, the EPU's strategic planning model should
represent the processes by which information is generated, and decisions should be represented
as based on the reported information. Thus, adaptability is paramount.
3. Strategic planning modelers cannot assume that decision makers know with certainty the
outcomes of contingencies they have never experienced. The planning model must recognize
that decisions come from choosing between alternatives, and that these choices lead to
consequences.
8.1.2 Conform to the EPU’s unique management style
Every variable and parameter in the strategic planning model must have a real-world counterpart and
should be meaningful to the EPU stakeholders. Equations must be dimensionally consistent without the
addition of arbitrary parameters such as “technical adjustment factor.” Simulation models must mimic
the way people make their decisions, which requires metrics and adaptability to lessons learned.

8.1.3 Disassociate desired states from the actual state of cybersecurity protection

The decision rules in models should explain how the stakeholders would respond to security problems,
shortfalls, and other indicators that the quality of cybersecurity protection is not what it should be. Goals
are themselves dynamic, and the model needs to represent the way stakeholders form and update their
expectations.

8.1.4 Decision rules need to be robust

Complex cybersecurity protection systems of people, processes, and technology often generate
behaviour far from the range of historical experience. Thus, the modelling objective is to design policies
that move the system into an entirely new regime of behaviour. Robustness means decision rules must
generate outcomes that are physically possible and operationally meaningful even when the inputs to
those decisions take on extreme values.


8.1.5 The characteristics of system behaviour

Modelers should represent the process by which decision makers respond to situations in which the state
of cybersecurity protection differs from their goals. Model analysis then reveals whether these decision
rules, by interacting with one another and with the physical structure, result in stable or unstable
behaviours.

8.2 Recommended strategic planning process


An 8-step model-based strategic planning framework is described in Annex B.

1. Assess the impact of the liability exposure of local laws and regulations, and the risks of
emerging threats on EPU’s mission.
2. Establish strategic plan priorities for network assets.
3. Establish strategic plan priorities for power system delivery reliability.
4. Establish success criteria for managing the upgrades to the cybersecurity protection systems.
5. Estimate the risks for each candidate solution.
6. Prioritize and rank each solution.
7. Estimate cost and schedule for each solution.
8. Select the best plan with options and generate the action plan to put the strategic plan in motion.

8.3 Measures of success to manage the adaptability of the strategic plan

The matching of success criteria with cybersecurity protection objectives at every level associated with
people, process, and technology is lacking in the body of open literature. There is no doctrinal method for
establishing a way to measure the point of culmination that could directly impact the ability to achieve
'adequate' cybersecurity protection.

To define exact measures of cybersecurity protection success dogmatically is difficult, if not impossible.
For this reason, the task placed on the strategic planning team is not to recognize or sense the
culminating point during the planning horizon, but rather to plan for it in advance. Waiting until
cyber-induced attacks have happened on the EPU's critical infrastructure is far too late. Therefore, it is
essential that the strategic planning team conducts the following activities during the planning phase:

1. Establish a method to determine the factors that measure the point of culmination, and then
2. Identify the factor(s) that require such a measurement.
Annex B is one of many frameworks designed to address these activities.

8.4 Effective execution of EPU’s strategic plan


The Annex B end state is an action plan supported by ROU directives to execute the resourced strategic
plan. In response to these directives, each ROU should develop detailed procedures to address the
following tasks within the constraints of funding and schedules:

1. Procurement actions to make or buy new cybersecurity systems or upgrades to existing ones.
2. Training programs or hiring to provide the necessary skills to deploy, operate, and monitor the
new and updated cybersecurity capabilities.
3. Quality assurance test programs with live data feeds to ensure that new or upgraded
cybersecurity capabilities do not degrade the performance of reliable power delivery.


4. Feedback to the strategic planning team on the status of meeting the objectives stated in the
strategic plan with recommendations for exercising options in the plan and offering
recommendations for pre-planned improvements.


Annex A . Definition of terms and acronyms


A.1 Definition of terms
 attack surface
points of exposure that can be exploited and lead to a cyber breach.

 awareness requirement (AR)
reference to other requirements or domain assumptions and their success or failure
Note to entry: awareness requirements are mapped to other requirements.
 cardinality
measure of the number of elements of the set

 culminating point
the situation at which cybersecurity threat agents are no longer able to perform their operations
Note to entry: The concept of a culminating point is analogous to the military doctrine described in [62].

 DevOps
solution development phase requiring a type of agile relationship between development and IT/OT
operations.
Note to entry: The solution provider is the development team and IT/OT operations is the EPU team. Seamless integration
of solution development and operations leverages early engagement with the EPU's ROUs and automation and monitoring during
each stage of solution development, testing, deployment, and maintenance.

 directed association
relationship between blocks of objects that allows one object instance to cause another to
perform an action on its behalf
Note to entry: SysML uses the term 'reference association'. The filled diamond, which represents a composite association, is not used.
The open arrowhead on the end of the association points from the owner to the block that is referenced. See [6], page 127, for
a comprehensive discussion of reference associations.

 doctrinal method [security]
techniques for investigating phenomena, acquiring new knowledge, or correcting and integrating
previous knowledge

 governing authority
entity responsible for establishing the rules for specifying types and uses of sensitive data

 information system
a system which is designated to collect, organize, store, and communicate data
Note to entry: Because transparency deals with information, it becomes one of the main attributes of an information system
[63].

 measure of effectiveness
criterion used to assess changes in system behaviour, capability, or operational environment that is
tied to measuring the attainment of an end state, achievement of an objective, or creation of an effect

 metric
measure or unit of measure that is designed to facilitate decision making and improve performance
and accountability through collection, analysis, and reporting of relevant data

 modern analytics and BI platform
self-contained architecture that enables nontechnical users to autonomously execute workflows
Note to entry: By contrast, traditional BI platforms are designed to support modular development of IT- and OT-produced analytic
content. This requires specialized tools and skills and significant upfront data modelling, coupled with a predefined metadata
layer [45].


 network function
an entity in a network infrastructure with well-defined functional behavior and external interfaces
[source: IEEE P1916.1]

 network function virtualization
a methodology to design, deploy and manage networking services
[source: IEEE P1916.1]

 reference model (MBSE)
an abstract framework for understanding important relationships amongst the entities of a system of
interest
Note 1 to entry: MBSE reference models use consistent standards and unifying concepts that are independent of
implementation details but are prescriptive to enhance interoperability between different solutions.

 responsibility (ROU)
ability to give account to somebody or some organization for one’s actions, and the possibility to be
held accountable for them
Note to entry: It refers to the actions and their consequences that a person executes out of free will, knowing what he/she is
doing.
[source: The concept of responsibility: Norms, actions and their consequences [18]]

 schema
a representation of a plan or theory in the form of an outline or model

 shared responsibility model
cloud security framework that dictates the security obligations of a cloud computing provider and its
users to ensure accountability

 software defined networking
an approach that facilitates network management and enables programmable network configuration
[source: IEEE P1916.1]

 service function chaining
set of technologies, processes and rules that operate together to enable service operators to
dynamically configure network services in software without the need to make changes in hardware
[source: IEEE P1916.1]

 strategic planning
process of decisions made by the EPU to set cybersecurity goals and to outline a course of action to
achieve those goals

 system
combination of interacting elements organized to achieve one or more stated purposes
[source: ISO/IEC/IEEE Standard 15288:2015]
Note to entry: An integrated set of elements, subsystems, or assemblies that accomplish a defined objective. These elements
include products (hardware, software, firmware), processes, people, information, techniques, facilities, services, and other
support elements. [64]

 tradecraft
techniques, methods, and technologies used in modern espionage (spying) and generally, as part of
the activity of intelligence gathering

 threat intelligence
actionable information to detect threats and prioritize response
Note to entry: Threat intelligence comes in many forms; e.g., IP addresses, domain names, DNS servers, URLs, file hashes,


 transparency
open flow of information relevant to evaluating solutions defined by context
Note 1 to entry: Local laws and regulations may require EPU governance to regard information transparency as a verifiable
requirement.
Note 2 to entry: An EPU information system is transparent when it discloses to its users the information it deals with and its
internal functioning processes.
Note 3 to entry: In requirements engineering, transparency is generally viewed as non-functional requirement. See MBSE
notation for non-functional requirements[65].

 virtual machine
an emulation of a computer system
[source: IEEE P1916.1]

 virtualized network function
tasks done on proprietary dedicated hardware
Note to entry: Virtualized network functions move individual network functions out of dedicated hardware devices into software
that runs on commodity hardware that can run on virtual machines.
[source: IEEE P1916.1]

 vulnerability
any weakness of information technology, operational technology, assets, or cyber-physical or
control systems that could be exploited to launch an attack by adversary [57]

 white box
internal view of the system (attributes and structure)
[source: INCOSE]
Note to entry: Internal interfaces are within the system boundary.


A.2 Acronyms and abbreviations


ABAC attribute-based access control
AI artificial intelligence
API application program interface
APT advanced persistent threat
AR awareness requirement
BCM business continuity management
BCP business continuity plan
BI business intelligence
BIA business impact analysis
BPM business process model
BSS business support systems
CAMP cyber attacker model profiler
CART completeness, accuracy, relevance, and timeliness
CASB cloud access security broker
CIP critical infrastructure protection
CERT computer emergency readiness team
ConOps concept of operation
COOP continuity of operations plan
DA domain assumption
DevOps development and operations
DiD defense in depth
DPIA data protection impact assessment
DRP disaster recovery plan or planning
EDR endpoint detection and response
EIM enterprise information management
EMS energy management system
ENISA European Network & Information Security Agency
EPRI Electric Power Research Institute
EPU electrical power utility
ERP emergency response plan
ETSI European Telecommunication Standards Institute
FAT factory acceptance test
FSOC federated security operations centre
GDPR general data protection regulation
GRC governance, risk, and compliance
HR Human Resources (an organizational unit)
IaaS infrastructure as a service
ICS industrial control system
IDS intrusion detection system
IEC International Electrotechnical Commission
IED intelligent electronic device
IEEE Institute of Electrical and Electronics Engineers


IETF Internet engineering task force


INCOSE International Council on Systems Engineering
IP Internet protocol
IPS intrusion prevention system
ISA International Society of Automation
ISAC information sharing and analysis centre
ISCP information system contingency plan
ISOC integrated security operations centre
IT information technologies
ITSCM IT service continuity management
KPI key performance indicator
MAC media access control
MBSE model-based system engineering
MENS mission element needs statement
MoE measure of effectiveness
MSSP managed security service provider
NERC North American Electric Reliability Corporation
NFV network function virtualization
NV network virtualization
NIST National Institute of Standards and Technology
NSH network service header
OpCF operations centre of the future
OMG Object Management Group
ONF Open Networking Foundation
CSCC cloud standards customer council
OSS operations support systems
OT operation technologies
P&C protection and control
PaaS platform as a service
PACS protection and control system
PII personally identifiable information
PIM privileged identity management
PP&OD policies, procedures, and organizational directives
PSCC Power System Communication and Cybersecurity
QA quality assurance
QAT quality acceptance test
QC quality constraint
QoS quality of service
RBAC role-based access control
RFC request for comment
ROU responsible organizational unit
RSTA reconnaissance, surveillance, and target acquisition
RSTP rapid spanning tree protocol
SAT site acceptance test


SCADA supervisory control and data acquisition


SDN software defined networking
SDLC system development life cycle
SDN-WAN software defined wide area network
SFC service function chaining
SIEM security information and event management
SME subject matter expert
SOC security operations centre
SoI system of interest
SoS system of systems
SRM shared responsibility model
SysML system modeling language
TB technical brochure
TDF tactical data fusion
TOR top of rack
TR technical report
VNF virtualized network function
W3C World Wide Web Consortium


Annex B . Model-based strategic planning framework

B.1 Introduction
Model-based systems engineering (MBSE) is used in this TB to identify the cybersecurity protection
requirements that account for people, processes, and technology. For the planning horizons, the
objective is to identify and describe the processes needed to collect and report data, to identify the
relationships and prerequisites between requirements, and to establish a baseline risk assessment
model. The risk assessment model is needed to rate or prioritize requirements, establish criteria for
determining success, and the process for managing risk.

Cybersecurity protection requirements are best enabled by integrating the schemas into the normal
work load of those responsible for managing the process19. Achieving this goal requires attention to
four topics: 1) the local laws and regulations, 2) a generalization of company policies and procedures
to understand the impact on mission objectives, 3) a good understanding of what metrics and key
performance indicators the organization collects or infers and the purposes for which it is used, and 4)
organizational directives to establish accountability for managing the processes.

Developing key performance indicator (KPI) requirements is facilitated in this TB by selecting metrics
(what is to be measured), determining frequency (how often to measure), and selecting the analytics to
generate actionable information. Given the KPI requirements, the next step is to develop the quality
assurance (QA) requirements. This begins by selecting and prioritizing the actionable information KPI
requirements. Using this prioritized list of KPIs provides the basis to define the enablers to ensure the
processes align with a simplified maturity model. Lastly, this annex defines a remedial action plan to
establish the basis for just-in-time fixes.

B.2 Assess the projected impact of the threat landscape on the EPU’s mission

Figure 18 (below) shows how the imposition of local laws and regulations is the primary trigger for EPUs
to initiate an assessment of the projected threat landscape on their mission. These laws and regulations
commonly specify the national authority responsible for enforcement, specific technical security
requirements and controls, definition of sensitive data that must be protected, and requirements for
breach notification.

▪ Senior managers rely on threat landscape projections and their expert judgement to support
the impact assessment. This is relatively soft information because there is no standard
methodology and metrics to support the projections.
▪ Another relatively soft information projection is the composition of the future smart grid, e.g.,
microgrids, advanced telecommunication systems, and the use of cloud-based services. On this
topic, more is known about the forces driving the development of smart grid
technologies. What is uncertain is how deployment of smart grid technologies will interact with
the future threat landscape²⁰. Here, the challenge is the lack of a standard methodology
and metrics to support the projections.
▪ Liability exposure is another matter. In this case the legal department has hard data based on
assessed threat events and adjudicated liability settlements to support their recommendations.
Data inputs, shown as D1 and D2, are the result of intense analysis and deliberations by the respective
EPU organizations to support their recommendations. The methodology they use is a local matter and
is not addressed by this TB. There is some open source information available that describes grid
modernization plans from the EPUs who are the early adopters of smart grid technology.

—————————

19 Many of the management challenges are addressed in IEEE PSCC S10.

20 All indications are that the future smart grid will offer a larger attack surface for exploiting the vulnerabilities of the grid
that could interfere with, disrupt, or disable the EPU’s capability to deliver reliable power.

At this stage, the intermediate output of the strategic planning process is guidance used for establishing
the goals and criteria to address the threat issues. At a minimum, the guidance should include:

▪ Well-defined assumptions used to assess impact on the EPU mission:
  – Prediction of the future threats, composition of the future grid, and the interaction
between the grid and threats.
  – Evolution of local laws and regulations.
▪ Framework for scheduling upgrades to the cybersecurity protection architecture.
▪ Acquisition of the specialized personnel skills needed to manage new cybersecurity technologies and
processes.
▪ Training objectives for ROUs to monitor data that could be related to a cyber-induced threat.
▪ Quality assurance test capabilities needed to ensure security improvements do not degrade
reliable power delivery services.

Figure 18 - Assess impact of threat landscape and interaction with the future grid

B.3 Establish goals and criteria to address the threat issues

B.3.1 Security goals
Given the initial assessment of the impact on the EPU mission, and commensurate with the guidance
generated in Figure 18, the next task is to establish the goals and measurable criteria to address the
threat issues.

Security requirements engineering is an area of research that is maturing, but no particular methodology
has yet achieved dominance. IEC 62443 [46, 66] and NIST SP 800-53 [27] are probably the best
frameworks for an EPU to tailor. However, both documents rely on a threat analysis to address security
requirements. As noted in annex B.2, projecting the threat landscape for strategic planning is extremely
difficult. Regardless, at this stage of the strategic planning process, the goals should address the
following:

▪ Protection of the critical assets identified in annex B.2 should establish the strategic plan priorities.
▪ Protect assets from cybersecurity attacks that can interfere with, disrupt or disable the critical
assets and impact the power delivery reliability. Two examples in this area are:
i) Commensurate with NERC CIP [67] requirements, the cybersecurity protection system shall
prevent interference with, disruption of, or disablement of power delivery assets.
ii) Commensurate with the EU’s GDPR [14] requirements, the cybersecurity protection system
shall prevent the disclosure of personally identifiable information.

B.3.2 Success criteria

To ensure that success criteria are suitably realistic, criteria development must follow the “define, align,
and approve” paradigm. In short, success criteria must be specified in measurable terms, must be
aligned with security needs and constraints, and must be approved by all decision-making stakeholders.

Success criteria must be stated in specific terms tied to the execution of the EPU’s project management
process, project tasks and related deliverables (as expressed in the Project Statement of Work and
Governance Plans). Specifically stated success criteria can be readily recognized and measured,
which is the whole point. The types of measurement²¹ criteria are:

▪ Quality – response time decreased by 20%.
▪ Quantity – process 50 more security alerts per day.
▪ Cost – reduce security administrative costs by 10%.
▪ Timeliness – completion by the end of the 4th quarter.
3. Success criteria must be sufficiently aligned with the EPU’s vision of sufficient cybersecurity
protection, scope and work effort, considering the overall purpose, benefits to be realized,
performing ROU capabilities, priorities, risks, and related operational constraints. For example,
success is defined as a 5% reduction in problem reports relating to remote access.
4. Success criteria must be developed using a structured, collaborative process, whereby all decision-
making stakeholders can provide input, challenge assumptions, negotiate, and provide authorizing
acceptance. For example, ROU stakeholders should be selected for a "success criteria"
committee. This committee can be tasked with proposing initial criteria, soliciting feedback,
organizing all input, and creating finalized results. The committee should be given a specific
timeframe for performing these tasks and producing viable end results.
Periodically, success criteria can be used as a basis for evaluating project performance with the goal
of adjusting the strategic plan and accommodating important indicators for future performance
improvements. Success criteria should also be used as a benchmark to evaluate overall performance.

B.3.3 An interactive process to set strategic plan goals and criteria

Figure 19 shows the process used to set strategic plan goals and criteria that are documented in an
update to the guidance plan. The symbol “+” denotes a complex subprocess and the intermediate catch
event²² with the “+” denotes a collaboration between IT and OT stakeholders. These complex
processes require an in-depth understanding of the risk reduction alternatives addressed in annex B.4.

—————————

21 Data collection and processing automation is the enabling technology.

22 SysML’s BPMN is used in the graphics.


Figure 19 - Update strategic plan guidance

B.4 Assess the future risk reduction alternatives

Assessing the future risk reduction alternatives is the most challenging task required to develop a
coherent cybersecurity strategic plan. A good example of the challenge is described in the cyber
attacker model profile (CAMP) [68] and the MITRE ATT&CK framework [69]. More to the point, EPRI has
described multiple metrics that an EPU can use for their risk assessment and the success criteria needed
to prioritize and rank solution alternatives [9, 10].

Figure 20 captures what is known with certainty: operating histories (D3) and system
configuration and settings (D4). As indicated previously, the projected threat landscape is very
uncertain, requiring the technical experts to evaluate a wide range of possible threats and
contingencies. The collaboration symbol requires considerable cooperation between IT and OT.

Figure 20 - Recommend cybersecurity solutions for the strategic plan

Risk assessment in process 5 yields a benchmark estimation based on operating histories and the
system configuration and settings. The task is to use the projected threat landscape and the emergence
of open system solutions to update the risk estimations. A prominent issue to consider is the maturity
of these emerging solutions²³. Specifically, assessment teams must beware of the marketing ‘hype’
that promises ‘future-proof’ security solutions.

Prioritizing and ranking these open system security solutions in process 6 is another intense
collaboration between IT and OT. Commonly, the initial risk estimations are suspect when considered
in the ranking matrix. Issues raised in the ranking process are revisited in the risk estimation process
as indicated by the return arrow between processes 6 and 5.

All iteration must come to an end to support strategic planning deadlines. At this point, technical IT and
OT experts must reach a consensus on their recommended solutions to counter the future threats. The
output is shown as D.6.

B.5 Resource the strategic plan

Strategic plan alternatives need to be resourced to allow well-informed executive management to
choose the best alternative. Given the updated guidance from Figure 19 and the resourced alternatives
from Figure 21 (item D.7), the input merges this information for estimating cost and time phasing. The
output is a matrix comparing the resourced solution alternatives (item D.7).

Figure 21 - Compare resourced alternatives

B.6 Execute the strategic plan

Given the resourced solution alternatives from Figure 21, executive management should now be in a
reasonable position to select the best plan and contingency options. This in turn provides the
information needed for the strategic planning team to generate an action plan with ROU directives to
execute the plan as shown in Figure 22.

—————————

23 Participation in CIGRE activities provides an excellent opportunity to stay abreast of emerging cybersecurity solutions and the
assessment of those solutions by IT and OT peer groups.


Figure 22 - Execute action plan


Annex C. Cybersecurity extensions for EPU planning horizons

C.1 Kerzner’s maturity foundation
Kerzner focused on 16 points to management maturity [2]. For this TB the short-list used as a basis for
cybersecurity extensions is:

▪ Select a common EPU project management methodology and use it consistently. Note, this TB
uses MBSE to extend Kerzner’s systems approach.
▪ Minimize scope changes by committing to realistic cybersecurity objectives. Note, this TB
focuses on objectives, not requirements.
▪ Rely on line management to seamlessly integrate cybersecurity management into their normal
work flows. Note, this TB emphasizes the use of organizational directives to seamlessly integrate
cybersecurity management processes.
▪ Measure progress and periodically assess impacts on EPU PP&ODs, and update 10- and
20-year modernization plans. Note, this TB emphasizes the use of spiral processes to
implement and improve cybersecurity management processes.

C.2 Nemertes Research’s maturity model

Another approach is Nemertes Research’s maturity model²⁴. This model has a few advantages over
CMMI v2.0 and ES-C2M2. The simplicity of this approach is captured in Figure 23, which aligns well
with the IEC 62443 focus on people, process and technology. EPUs can use a simple index (0..3) to rate
the maturity of their staff’s ability to address the evolving cyber threat landscape. In concert with staff
skills is the need for well-defined policies, procedures, and organizational directives that can be indexed
in terms of processes. Furthermore, staff skills also need to be aligned with the technologies deployed by
the EPU.

Figure 23 - Nemertes maturity model

At the lowest level (unprepared) is when the staff skill level is rudimentary, processes are for the most
part ad-hoc, and cybersecurity protection relies on perimeter defense in the form of firewalls and airgap
between the operational networks and the business networks.

When examined in some detail, most EPUs fall into the “reactive” category of maturity. The staff is
periodically updated on the threat landscape to improve their awareness of the cybersecurity threats of
interest. They do have approved policies, procedures, and organizational directives that reflect the
requirements imposed by local laws and regulations, such as the NERC CIP and GDPR. Most
cybersecurity protection is deployed in terms of traditional systems, such as firewalls, DMZs, and some
features of IEC 62351 that are available from IEC 61850 solution providers. Many of the larger EPUs
have stood up versions of an ISOC. But due to the high cost of operating an ISOC, many utilities have
the need for an alternative security operations centre to share the cost: a federated security operations
centre (FSOC). The idea behind the FSOC is to use many of the cloud computing services. CIGRE SC
D2 is considering a proposal to study the benefits and challenges of a FSOC.

—————————

24 https://nemertes.com

There may be a few “proactive” EPUs that have invested in personnel with specialized cybersecurity
skills and have updated their policies, procedures, and organizational directives to reflect the guiding
principle of zero-trust. This requires the latest cutting-edge technologies to adequately ensure that only
authorized entities (person or computer) have access to and use of mission critical assets. For example,
identity and authentication management (IAM) relies on the use of digital signatures and an implied
trust in the selected certificate authority (CA).

The ultimate goal is to reach the “anticipatory” maturity level. At this level, the key is to provide skilled
staff and the use of advanced cybersecurity prototypes to address the emerging threats, such as zero-
day threats. Some EPUs may be investigating such technologies as quantum cryptography and
blockchain solutions. There is some interest in CIGRE SC D2 to stand-up a working group to examine
these solutions.

C.3 Advanced persistent threat challenges

Advanced persistent threats (APTs) are extremely difficult to detect and defend against, making them
the adversary's weapon of choice. Deploying an APT requires significant investment on the part of the
attacker to develop the knowledge and approach to launching such an attack. It is not easy, and it takes
patience to probe the target entry points to exploit their vulnerabilities. Defending against APT
deployment and execution requires the defender to carefully analyse the adversary's campaign at each
stage of the kill-chain. This is not a simple task; it requires advanced tools and a high degree of maturity
and diligence [70].

EPUs commonly deploy conventional network defense tools such as firewalls, intrusion
detection/prevention systems (IDS/IPS) and anti-virus systems that focus on the vulnerability
component of risk. This defense-in-depth (DiD) strategy presupposes a successful intrusion. However,
APTs represent well-resourced and trained adversaries with the patience to conduct multi-year intrusion
campaigns targeting EPU networks, intelligent electronic devices (IEDs), and workstations. These
adversaries use advanced tools and techniques designed to defeat DiD protection systems to
accomplish their goals.

In CIGRE study committees B5 and D2, effective defense approaches are being studied to counter APT
attack campaigns. Their approach requires EPUs to invest significantly in the triad of people, process,
and technology to attain a proactive and anticipatory maturity level at each stage of the kill-chain. In these
CIGRE technical brochures, they promote an approach that gathers intelligence on the attacker’s
campaign to identify patterns that link the individual intrusions to the attacker's future course of
action and the ultimate goal of the attack. This intelligence feedback loop is updated at each stage of the
kill-chain to reveal relevant metrics and effective means to counter the attack.

IEC 62443 and IEC 62351 describe advances in cyber-physical security (CPS) tools to enable best
practices for patching and hardening, reducing the most easily accessible vulnerabilities in the EPU's
networked services. However, as is evident from recent attacks, APT actors continually demonstrate the
capability to compromise EPU networks by using advanced tools. The root cause is that EPUs lack the
proactive/anticipatory maturity to gather and process the intelligence needed to effectively apply and manage
commercially available CPS protection tools.

As reported in multiple open sources, audits are recommended to identify gaps in the solutions offered
to effectively respond to the APT. These gaps make it more difficult for the EPU to gather, prioritize,
and process the raw intelligence data in a timely manner. Faced with these gaps, EPUs' investment is
commonly focused on perimeter defense and their maturity level is "reactive". To improve this situation,
some utilities have invested in an integrated security operations centre (ISOC) staffed with highly
qualified security subject matter experts (SMEs). But even with an ISOC they lack the tools to analyse the
adversary's campaign in the early stages of the kill-chain. The gap is even more pronounced when a
"zero-day" attack is the issue.

If the attack is detected early in the kill chain, that detection can be used to disrupt the intrusion or to set
traps, thwarting the adversary's intrusion objectives. ISOC defenders can then implement appropriate countermeasures
to protect their mission critical functions. The fundamental elements of intelligence used by the ISOC
SMEs are the three types of indicators: atomic (source addresses, vulnerability identifiers), computed
(derived data involved in an incident), and behavioural (tactics used by the adversary).

C.4 Leveraging tactical data fusion

Tracking the deviation of a given indicator from its predecessors in the kill-chain is the challenge.
Connecting the indicator dots is difficult because the raw data comes from disparate sensors and is subject to
unverified assumptions. In military intelligence terms, this process is known as tactical data fusion
(TDF). At each stage of the kill-chain, the outcome of TDF analysis can be catalogued as:

▪ Reconnaissance to identify and select targets for intrusion.
▪ Weaponization by exploiting a selected vulnerability to deliver a payload by means of an
automated tool.
▪ Delivery of the weapon to the targeted environment.
▪ Exploitation to trigger the weapon's action by direct command or by auto-execution.
▪ Installation to maintain a persistent presence inside the target environment to manage the
attack.
▪ Command & Control (C2) for the adversary to maintain positive control over the weapon's
actions.
▪ Actions on objectives to execute the attack and adjust the tactics to achieve their ultimate
objectives.
Two observations are derived from analysis of successful adversary campaigns and extrapolation to
existing EPU environments: 1) adversaries have highly sophisticated tradecraft²⁵ tools and expertise
to engage in each of the categories and 2) EPU defenders (ISOC SMEs) need to significantly
raise their maturity levels with advanced tools and strategies to perform the TDF functions in each
category. In short, EPUs need to migrate from a purely DiD siege mentality to a proactive and
anticipatory response strategy.

This dramatic shift in response strategy requires well-defined metrics to measure the performance and
effectiveness of defensive actions at each stage of the kill-chain intrusion. As noted by Hutchins [71], by
framing metrics in the context of the kill chain, defenders have the proper perspective of the relative
effect of their defences against the intrusion attempts and where there were gaps to prioritize
remediation. Of course, this is only true for EPUs that have invested in a mature ISOC and SME
capability. Furthermore, it is clear that ISOC SMEs need the tools to reconstruct the intrusion scenario
at each stage of the kill-chain. Without this reconstruction it is nearly impossible to project the next steps
by the attacker. This projection is needed to establish the mitigation strategy to either disrupt, degrade,
deceive, or destroy the attacker's kill-chain strategy and tactics.

One approach, called intrusion reconstruction and promoted in several CIGRE technical brochures, is to
define model-based systems engineering (MBSE) descriptions of the problem domain in terms of black-
box and white-box relationships of the EPU SoI. In turn, these logical architectures that emulate the SoI
can be used to simulate (with live data feeds) the progression of the kill-chain scenario. Various
mitigation options can then be examined to determine which approach is most effective to deny the
attacker's ultimate objectives. MBSE analysis focuses attention on the behaviour of the attackers, their
tactics, techniques, and procedures to determine "how" they operate, not specifically "what" they do.
This yields a better understanding of the real objectives of the attack. How well this is executed by the ISOC
SMEs is a direct measure of the proactive and anticipatory maturity index.

—————————

25 Tradecraft includes techniques, methods, and technologies used in modern espionage (spying) and generally, as part of the
activity of intelligence gathering.

For example, consider the case in which a targeted malicious agent containing a weaponized application
installs, from a remote workstation, a backdoor for outbound communications. Access to and execution of
the weaponized application may be controlled by a means known only to the attacker. If so, this will be
important information for the defender to select the appropriate mitigation option. Due to the re-use of
known indicators collected over several weeks/months, the agent is blocked. Furthermore, ISOC/SME
analysis of the remaining kill-chain reveals a new exploit or backdoor into the EPU's operational network.
Without this knowledge, future intrusions from remote workstations, delivered by other means, may go
undetected. This example illustrates the importance of the speed of response in deploying
countermeasures, which gives the defender a tactical advantage. Background for this example is
discussed at length in CIGRE technical brochure #762 [16].

This example illustrates the need for highly specialized SME training and tools to detect, process, and
reach an actionable conclusion. It also emphasizes the need for timely coordination and cooperation
between ISOC/SMEs and the SMEs responsible for operating the SoI. Additionally, the ISOC/SMEs need
to provide well-defined situation assessments that can be shared with external agencies (e.g., ISACs). If
the attack employs a combination of threat agents, selecting and executing the best response option is
even more complicated. This further supports the need for a well-defined MBSE model of the SoI to
select the best response and to avoid unintended consequences.
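As an added illustration (not code from TB 796 or from CIGRE), the following Python sketch reconstructs the remote-workstation case above from constructed sensor events: it types each observed value as an atomic, computed or behavioural indicator (annex C.3), orders the events along the seven kill-chain stages of annex C.4, reports the stage of first detection and the per-stage detection ratio, projects the stage the ISOC should prepare to counter next, and harvests candidate indicators from the undetected events for the intelligence feedback loop. The log field names, indicator values and events are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import IntEnum
from typing import Dict, Iterable, List, Set, Tuple


class Stage(IntEnum):
    """The seven kill-chain stages of annex C.4, in order."""
    RECONNAISSANCE = 1
    WEAPONIZATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    COMMAND_AND_CONTROL = 6
    ACTIONS_ON_OBJECTIVES = 7


@dataclass(frozen=True)
class Indicator:
    kind: str     # "atomic", "computed" or "behavioural" (annex C.3)
    value: str
    stage: Stage  # stage at which it was observed in an earlier campaign


# Constructed indicator store; every value is a hypothetical placeholder
# (203.0.113.0/24 is a documentation range, not a real address).
KNOWN_INDICATORS: Set[Indicator] = {
    Indicator("atomic", "203.0.113.7", Stage.COMMAND_AND_CONTROL),
    Indicator("computed", "sha256:placeholder-backdoor-hash", Stage.INSTALLATION),
    Indicator("behavioural", "new-service-outbound-beacon", Stage.INSTALLATION),
}
# Assumed log fields carrying each indicator type; "ts", "stage" and "host" are context.
FIELD_KINDS = {"src": "atomic", "dst": "atomic", "sha256": "computed", "tactic": "behavioural"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' sensor line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def event_indicators(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """(kind, value) pairs the event exposes, typed as in annex C.3."""
    return [(FIELD_KINDS[k], v) for k, v in ev.items() if k in FIELD_KINDS]


def match_known(ev: Dict[str, str], store: Set[Indicator]) -> List[str]:
    """Known indicator values this event re-uses (sorted for stable output)."""
    seen = set(event_indicators(ev))
    return sorted(i.value for i in store if (i.kind, i.value) in seen)


def reconstruct(lines: Iterable[str], store: Set[Indicator] = KNOWN_INDICATORS) -> Dict[str, object]:
    """Order events in time, mark where known indicators fire, and derive the deepest
    stage reached, the stage to expect next, the stage of first detection (earlier is
    better), the per-stage detection ratio, and candidate indicators for the store."""
    events = []
    for line in lines:
        ev = parse_event(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append((ts, Stage[ev["stage"]], ev, match_known(ev, store)))
    events.sort(key=lambda e: e[0])

    deepest = max(stage for _, stage, _, _ in events)
    next_stage = Stage(deepest + 1) if deepest < Stage.ACTIONS_ON_OBJECTIVES else None
    first_detection = next((stage for _, stage, _, hits in events if hits), None)

    per_stage: Dict[Stage, List[int]] = {}  # stage -> [events seen, events detected]
    candidates: Set[Indicator] = set()
    for _, stage, ev, hits in events:
        counts = per_stage.setdefault(stage, [0, 0])
        counts[0] += 1
        if hits:
            counts[1] += 1
        else:
            # An event the store did not catch exposes indicators that an analyst
            # should vet before they are promoted into the store.
            for kind, value in event_indicators(ev):
                candidates.add(Indicator(kind, value, stage))
    return {
        "timeline": [(ts.isoformat(), s.name, hits) for ts, s, _, hits in events],
        "deepest_stage": deepest,
        "next_stage": next_stage,
        "first_detection_stage": first_detection,
        "detection_ratio": {s: d / n for s, (n, d) in per_stage.items()},
        "candidate_indicators": candidates,
    }


# Constructed sensor output for the remote-workstation case of annex C.4,
# deliberately out of time order to exercise the sort.
SAMPLE_EVENTS = [
    "ts=2020-03-02T08:15:00Z stage=DELIVERY host=ws-17 src=198.51.100.23 tactic=remote-session-file-drop",
    "ts=2020-03-02T08:17:05Z stage=INSTALLATION host=ws-17 sha256=sha256:placeholder-backdoor-hash tactic=new-service-outbound-beacon",
    "ts=2020-03-02T08:16:30Z stage=EXPLOITATION host=ws-17 tactic=user-launched-payload",
    "ts=2020-03-02T08:20:00Z stage=COMMAND_AND_CONTROL host=ws-17 dst=203.0.113.7 tactic=periodic-beacon",
]

if __name__ == "__main__":
    for row in reconstruct(SAMPLE_EVENTS)["timeline"]:
        print(row)
```

The candidate indicators from the two undetected stages (delivery and exploitation) are the ones that, once vetted and added to the store, would move first detection earlier in the chain on the next campaign.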

C.5 Information sharing

Information sharing with external agencies such as information sharing and analysis centres (ISACs)
needs special attention. As noted by Julie Ryan [72], once the process is abstracted to show the data
flowing between companies [EPUs] and governments, then the use of the data flows as delivery
vehicles for information warfare payloads may be examined. MBSE white-box models of the logical
architectures provide the analyst with the tools needed to examine these data flows in detail. The
issues extend beyond the interaction between the EPU and the ISAC. Frequently, there is a need to
share data between ISACs and other government agencies to address espionage issues. EPUs that
share their data should benefit from recommendations to improve their data collection capability and
priorities.

Of particular interest is the potential misuse and abuse when sharing EPU sensitive information. This
brings into play the need to protect the confidentiality and integrity of the sensitive data being shared.
Furthermore, protection needs to be controlled not on the whole file, but in a more granular way.
Standards-based commercial solutions are available to provide this granular protection using encryption
technology. More work is needed to address this topic as it applies to EPU/ISAC interactions.


Annex D. Integrated security operations centre

D.1 Introduction
CIGRE WG B5.66 includes a comprehensive discussion of the ISOC in their technical brochure [73].
This technical brochure extends the PACS-centric view of an ISOC to an enterprise view of IT and OT
operation of an ISOC. In summary, ISOCs bring together the many isolated monitoring and response
functions in a unified framework. The benefits of an ISOC over multiple but separate SOCs include:

▪ real-time intelligence,
▪ improved threat analysis across utility domains,
▪ efficient forensics and root cause analysis,
▪ unified (corporate IT/OT) security incident management,
▪ unified configurations and patch management, and
▪ optimization of security resources.
While there are several security and business drivers for utilities to implement an ISOC, the process
can impact the security operations of several groups in the organization and can face technological
hurdles. Potential challenges to implementing an ISOC include:

▪ organizational barriers between corporate IT and OT security groups,
▪ availability requirements of real-time systems limiting the quantity and frequency of event logs,
▪ lack of security technology available for field systems,
▪ lack of skilled staff to support an ISOC, and
▪ budget constraints.
In response to the theme of this technical brochure, an ISOC certainly provides the framework for
effective cybersecurity planning over the long-term forecast horizons of 10 and 20 years. In fact, the
EPU has a centre of technical excellence whose sole mission is to ensure the cybersecurity protection
of its critical assets. Organizational units responsible for management and operation of power delivery
functions are relieved from the burden of understanding and keeping pace with the esoteric nuances
of cybersecurity threats and protection mechanisms.

D.2 ISOC architecture

Figure 24 shows a potential architecture for an ISOC. The ISOC integrates the security monitoring of
multiple domains within a utility, including corporate IT systems, power delivery systems, generation
systems, and physical security. The ISOC also includes vulnerability and threat information from
external sources, such as Information Sharing and Analysis Centres (ISACs), Computer Emergency
Readiness Teams (CERTs) and law enforcement.


Figure 24 – Example of high-level ISOC architecture

D.3 Event monitoring and management

Most hardware devices, operating systems, and applications can detect and log important or interesting
actions, errors, or events. Historically these event logs were in specific proprietary formats with different
data elements, storage formats, and user interfaces. Recently more emphasis has been placed on
using standard collection formats, transmission, and storage mechanisms to facilitate a consolidated
view of events across large systems or enterprises.

Consolidated event management and log monitoring systems are at the heart of integrated security
management and are a major component of an ISOC.

Many factors must be considered when developing an event log management system. There are
different requirements and uses for logs and event analysis, including:

▪ internal audit,
▪ regulatory compliance,
▪ system performance management,
▪ error or malfunction diagnosis,
▪ system misuse or attack detection, and
▪ post-event analysis, or forensics.
When designing the event log management system, architectural issues to be considered include:

▪ system and application inventory,
▪ event types,
▪ logging guidelines (such as retention and deletion),
▪ logging operations,
▪ logging model (distributed, centralized, hybrid),
▪ log transmission,
▪ log storage, and
▪ log security.

D.4 ISOC planning requirements and development

Building an ISOC can be a multi-year process that requires significant planning and investment. Once
the business drivers and potential challenges have been identified, several internal stakeholders must
be engaged to provide technical and budgetary support throughout the planning, implementation, and
operational phases of the ISOC.

D.4.1 Executive engagement

For an ISOC to be successful, a clear directive from senior management, including the heads of various
business units, is usually required to ensure long-term support for building an ISOC and implementing
the necessary governance, risk, and compliance (GRC) processes. Senior management may also be
required to authorize any financial commitments for capital investments, staff requisitions, and operating
costs.

D.4.2 Business unit engagement

Once senior management has provided their support and a clear directive for consolidating incident
management, an ISOC champion will need to be identified to engage with the business units and the
various OT domains. A critical challenge in many utilities is the lack of trust between the corporate or
central security group and the OT staff. Depending on how the utility is structured, these groups may
not have a long history of interaction, or some level of distrust or hostility may exist based on past
experiences.

D.4.3 Selecting requirements for ISOC domains

Each ISOC domain must be able to develop requirements for:

▪ Corporate systems: identify how corporate information security teams monitor their corporate
networks and systems in a traditional security operations centre (SOC).
▪ Business units and control systems: prioritize the systems that are included in each phase of
implementing an ISOC.
▪ Physical security: separate physical security can make it difficult to correlate physical events with
cyber events in real time.
▪ External sources for security alerts: integration of external sources of information that can provide
the utility with awareness of current threats and vulnerabilities that may impact their various risk
profiles.
D.4.4 ISOC Logging requirements
Log transport and storage requirements will be highly dependent on the type of electric sector domains
that are included in the ISOC. The retention period for logs and captured data is impacted by operational
considerations as well as regulatory requirements. The utility will need to determine the amount of log
data that needs to be at ‘ready access’ versus long-term storage.
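The 'ready access' versus long-term storage decision can be expressed as a per-domain retention policy that an ISOC log pipeline applies to each record. The following Python example is added here and is not part of TB 796; the domain names, hot-tier periods and total retention periods in RETENTION_POLICY are constructed assumptions, not values taken from any regulation.

```python
"""Tiered log-retention policy for an ISOC, keyed by electric-sector domain.

Added example, not from TB 796. The domain names and the day counts in
RETENTION_POLICY are constructed assumptions, not regulatory values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy table: days kept at 'ready access' (hot tier, searchable
# in the SIEM) and total days kept before the record may be destroyed.
# Beyond hot_days the record moves to long-term (cold) storage.
RETENTION_POLICY = {
    "corporate_it":      {"hot_days": 30, "total_days": 365},
    "control_system":    {"hot_days": 90, "total_days": 3 * 365},  # assumed stricter for OT
    "physical_security": {"hot_days": 30, "total_days": 2 * 365},
    "external_feed":     {"hot_days": 7,  "total_days": 90},
}


@dataclass(frozen=True)
class LogRecord:
    domain: str      # which ISOC domain produced the record
    source: str      # producing system
    timestamp: datetime


def classify_tier(record: LogRecord, now: datetime) -> str:
    """Return 'hot', 'cold' or 'expired' for a record under RETENTION_POLICY."""
    policy = RETENTION_POLICY.get(record.domain)
    if policy is None:
        # No policy assigned yet: keep the record at ready access rather than
        # silently ageing it out (fail closed on destruction).
        return "hot"
    age = now - record.timestamp
    if age <= timedelta(days=policy["hot_days"]):
        return "hot"
    if age <= timedelta(days=policy["total_days"]):
        return "cold"
    return "expired"


def plan_storage(records, now):
    """Bucket record sources by tier so each tier's capacity can be sized."""
    plan = {"hot": [], "cold": [], "expired": []}
    for record in records:
        plan[classify_tier(record, now)].append(record.source)
    return plan


# Constructed sample records relative to a fixed reference time.
DEMO_NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    LogRecord("control_system", "rtu-07", DEMO_NOW - timedelta(days=100)),
    LogRecord("corporate_it", "ad-dc1", DEMO_NOW - timedelta(days=100)),
    LogRecord("external_feed", "isac-feed", DEMO_NOW - timedelta(days=100)),
    LogRecord("corporate_it", "web-proxy", DEMO_NOW - timedelta(days=5)),
    LogRecord("dms_pilot", "dms-01", DEMO_NOW - timedelta(days=1000)),  # no policy yet
]


def demo_plan():
    return plan_storage(SAMPLE_RECORDS, DEMO_NOW)


if __name__ == "__main__":
    for tier, sources in demo_plan().items():
        print(f"{tier:8s} {sources}")
```

The same 100-day-old record lands in a different tier depending on its domain, which is the point the paragraph makes: retention is driven by the domain's operational and regulatory profile, not by a single enterprise-wide number. A record from a domain with no assigned policy is kept at ready access so that a gap in the policy table never causes data destruction.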

D.4.5 ISOC architecture design


The architecture and management of an ISOC will be determined based on the requirements that have
been developed, the enterprise’s current monitoring and response capabilities, and the resources
available to devote to ISOC development.

D.4.6 External management of the ISOC


A key design consideration is the use of third-party security service providers for managing the ISOC.
Managed security service providers (MSSPs) provide monitoring and management of intrusion

71
TB 796 – Cybersecurity: Future threats and impact on electric power utility organizations and operations

detection26 systems and firewalls as a service. MSSPs may also support other security functions, such
as patch management and security audits. By outsourcing these services, a company may reduce its
own security staff and focus on its core business. Many utilities currently rely on MSSPs to provide
analysis and support for their corporate security operations centres.

Third-party MSSPs may also have a larger global footprint due to the management of other customers’
ISOCs, which could allow them to detect newer threats and attack signatures earlier.

While there are many advantages of using externally managed ISOCs, there are also many
disadvantages. Most MSSPs do not have expertise in power systems and may not be able to meet
utility-specific requirements for managing data from critical systems. Additionally, utilities can lose
insight and control over the process for identifying incidents, making it difficult to tune the process aimed
at reducing false positives[75].

D.4.7 Internal management of the ISOC


When the utility has internalized the management and staffing of all aspects of its ISOC, the ISOC has
full control of the utility’s incident analysis and response processes. There can also be a reduction in
concerns related to the storage and transportation of security logs and other sensitive data.

Internally managed ISOCs require the utility to maintain 24x7 staffing support and require the utility staff
to be trained in multiple security disciplines. Utility staff must be able to track new threat information and
may be required to obtain government security clearances.

D.4.8 Hybrid management of the ISOC


A hybrid approach seeks to combine the prior two approaches in order to match the capabilities and
resources of the utility. For example, a utility may choose to staff the ISOC during normal business
hours but rely on a third-party MSSP to enable 24x7 monitoring.

This approach reduces staffing requirements for the utility ISOC, while still being able to take advantage
of the security expertise and threat tracking capabilities of the MSSP. However, the utility loses control
over part of the incident management process, and it requires strong knowledge transfer in both
directions: power systems knowledge from the utility to the MSSP, and security knowledge from the
MSSP to the utility.

D.5 Concept for a federated security operations centre


D.5.1 Affordability is the issue
The cybersecurity threat landscape is rapidly evolving. As discussed in several CIGRE technical
brochures[16, 19, 73], EPUs need an ISOC to provide a centre of excellence for cybersecurity
management. Standing up and operating an ISOC requires significant resources for training, process
management, and technical controls. Such a resource commitment is not affordable for smaller utilities.
Thus, a federated security operations centre (FSOC) using cloud-based services may be economically
feasible. The basic FSOC concept shown in Figure 25 is to provide a cloud-based arrangement in which
multiple smaller utilities use federated management schemas, so that subscribers share the same
information for access control, use control, timely reporting of events, etc. For an FSOC to be effective,
protection of sensitive data and data sharing are trust issues that need to be addressed.

—————————

26 There are two types of network IDS: signature detection and anomaly detection. A signature-based IDS looks for rules or
patterns of known malicious traffic. Once a match to a signature is found it generates an alert. These alerts can turn up
issues such as malware, scanning activity, attacks against servers and much more. With an anomaly-based IDS, the
payload of the traffic is far less important than the activity that generated it. An anomaly-based IDS relies on baselines
rather than signatures. It will look for unusual activity that deviates from statistical averages of previous activities or
activity that has been previously unseen [74] (AlienVault, "Beginners Guide to Open Source Intrusion Detection Tools").
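The two detection styles described in this footnote can be run side by side over the same traffic. The Python example below is added here and is not from TB 796 or the AlienVault guide; the flow records, the signature patterns and the z-score threshold are constructed for illustration, and the anomaly detector learns its baseline from a quiet training window before it looks at the monitored window.

```python
"""Signature-based versus anomaly-based network IDS, side by side.

Added example, not from TB 796 or the AlienVault guide cited in footnote 26.
Flow records, signatures and the z-score threshold are constructed.
"""
import re
import statistics

# Constructed flow records: (src, dst, dst_port, bytes, payload_excerpt).
# TRAINING_FLOWS is the quiet period used to learn the baseline.
TRAINING_FLOWS = [
    ("10.1.1.5", "10.2.0.10", 502, 240, "modbus read holding registers"),
    ("10.1.1.5", "10.2.0.10", 502, 260, "modbus read holding registers"),
    ("10.1.1.5", "10.2.0.10", 502, 250, "modbus read holding registers"),
    ("10.1.1.5", "10.2.0.10", 502, 255, "modbus read holding registers"),
    ("10.1.1.9", "10.2.0.10", 22, 1200, "SSH-2.0-OpenSSH"),
    ("10.1.1.9", "10.2.0.10", 22, 1150, "SSH-2.0-OpenSSH"),
]
# NEW_FLOWS is the window being monitored.
NEW_FLOWS = [
    ("10.1.1.5", "10.2.0.10", 502, 252, "modbus read holding registers"),
    ("10.1.1.9", "10.2.0.10", 22, 1180, "SSH-2.0-OpenSSH"),
    ("198.51.100.7", "10.2.0.10", 445, 900, "cmd: powershell -enc JABjAGwA"),
    ("10.1.1.5", "10.2.0.10", 502, 48000, "modbus write multiple registers"),
]

# Signature IDS: rules describing known malicious content.
SIGNATURES = [
    (re.compile(r"powershell\s+-enc", re.I), "Encoded PowerShell command line"),
    (re.compile(r"\.\./\.\./"), "Directory traversal attempt"),
]


def signature_alerts(flows):
    """Alert whenever a payload excerpt matches a known-bad pattern."""
    alerts = []
    for src, dst, port, _nbytes, payload in flows:
        for pattern, name in SIGNATURES:
            if pattern.search(payload):
                alerts.append({"type": "signature", "rule": name,
                               "src": src, "dst": dst, "port": port})
    return alerts


def build_baseline(flows):
    """Per (src, dst, port) mean and population stdev of bytes: the learned 'normal'."""
    sizes_by_key = {}
    for src, dst, port, nbytes, _payload in flows:
        sizes_by_key.setdefault((src, dst, port), []).append(nbytes)
    return {key: (statistics.mean(sizes), statistics.pstdev(sizes))
            for key, sizes in sizes_by_key.items()}


def anomaly_alerts(flows, baseline, z_threshold=3.0):
    """Alert on flows never seen in the baseline or far outside their usual size.
    The payload is not inspected; only the activity pattern matters."""
    alerts = []
    for src, dst, port, nbytes, _payload in flows:
        key = (src, dst, port)
        if key not in baseline:
            alerts.append({"type": "anomaly", "reason": "previously unseen flow",
                           "src": src, "dst": dst, "port": port})
            continue
        mean, stdev = baseline[key]
        if stdev == 0:
            continue  # constant-size flow: no spread to measure against
        z = (nbytes - mean) / stdev
        if abs(z) > z_threshold:
            alerts.append({"type": "anomaly", "reason": f"bytes z-score {z:.1f}",
                           "src": src, "dst": dst, "port": port})
    return alerts


def run_ids():
    baseline = build_baseline(TRAINING_FLOWS)
    return {"signature": signature_alerts(NEW_FLOWS),
            "anomaly": anomaly_alerts(NEW_FLOWS, baseline)}


if __name__ == "__main__":
    for kind, alerts in run_ids().items():
        for alert in alerts:
            print(kind, alert)
```

Note what each detector misses: the signature rule says nothing about the oversized Modbus write, because no signature describes it, while the anomaly detector flags it purely on size without reading the payload; conversely the anomaly detector reports the new external host only as "previously unseen", and it is the signature that names the encoded command line. An ISOC that monitors control-system domains typically needs both.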


[Figure 25: specialized islands (non-federated) alongside federated cloud islands offering Software as a
Service, Platform as a Service, Infrastructure as a Service, ...]

Figure 25 - Concept for a federated security operations centre

Developing a coherent approach for FSOC is well beyond the scope of this technical brochure. A future
working group should review existing standards, CIGRE technical brochures and open source
documentation to define the FSOC architecture and applicable cloud-based services (xx-as-a-service).
This work could describe alternative architectures that provide high flexibility and agility among
independently cooperating EPUs while significantly reducing operating complexity.
Two topics of concern are:

▪ The impact on small utility cybersecurity policies, procedures, and organizational directives
needed for effective oversight management of FSOC operations.
▪ Associated with each impact, recommended solutions to improve the security posture of small
utility operations. Solutions need to protect sensitive data and data sharing.
D.5.2 Built-in security as a service for EPU users
One example is Microsoft’s security services reported by Kelly Sheridan27: Azure Sentinel, a cloud-native
security information and event management (SIEM) system, and Threat Experts, a service
—————————

27 https://www.darkreading.com/cloud/microsoft-debuts-azure-sentinel-siem-threat-experts-service/d/d-id/1334005?_mc=sm_iwfs_editor_kellysheridan


through which security operations teams can leverage expertise from the service provider. Azure
Sentinel provides the capability to scour large volumes of data from users, applications, servers, and
devices running on EPU premises or in the cloud. Threat Experts is a managed threat-hunting service
built into Windows Defender Advanced Threat Protection. It is intended to provide two capabilities.

1. Targeted attack notification alerts tailored to an EPU’s critical threats28. The objective is to inform
the EPU user of the timeline, scope of breach, and method of intrusion.
2. When a breach exceeds the EPU’s ability to investigate, Microsoft’s security experts29 will provide
technical consultation. If a full incident response is necessary, the EPU can transition to working
with Microsoft incident response services.
This is only one example. Other cloud-based service providers offer similar services, e.g. Arctic Wolf’s
SOC-as-a-Service30 [32]. EPUs interested in using cloud-based service providers need to ensure
(with reasonable certainty) that the selected providers are best aligned with their needs.

—————————

28 https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard

29 https://www.microsoft.com/security/blog/2019/02/28/announcing-microsoft-threat-experts/

30 SANS Review: https://articwolf.com/resources/sans-review-of-artic-wolfs-soc-as-a-service/


Annex E . Newton-Evans survey results


E.1 North America EMS/SCADA/DMS report series
E.1.1 Objective
One objective was to check any external assistance or third-party services needed for the following
control centre activities.

E.1.2 Use of outside assistance for cyber-related activities


Figure 26 and Figure 27 describe the survey results for current (2017) outside assistance and future
projection (2019) for outside assistance respectively.

The areas in which most North American electric utilities seem to need outside assistance continue to
include vulnerability assessment, critical infrastructure protection, and cybersecurity monitoring. Half of
all survey respondents said they currently use an outside provider for vulnerability assessments, while
13% said they plan to use such service providers by 2019. Forty-one percent currently use a third party
for CIP-related consulting, and 31% use a third-party service to assist with cybersecurity issues. The
findings reported in this study closely follow previous survey findings.

The areas for which international utilities were using outside assistance at year-end 2017 continued to
be vulnerability assessment, critical infrastructure protection, and cybersecurity monitoring. However, a
much larger portion of the international survey sample indicated a current need for assistance in these
areas than was reported in 2013. Plans for using outside services firms for vulnerability assessments
and remediation look to be strong by 2019.

Figure 26 - Outside assistance for cyber related activities


Figure 27 - Projection for year 2019

E.1.3 Use of encryption to/from substations


Substation automation survey findings shown in Figure 28 indicate that data encryption in substation
communication networks is stronger for data transmission between the substation and the external host
or network. Twenty-nine percent of all respondents said all data is encrypted for such communications,
and 40% said some data is encrypted. Thirty-two percent (mainly smaller utilities) responded that they
do not yet encrypt data in transit from the substation to the external host or network.

Figure 28 - Use of encryption to/from substations

However, within the substation and from substation to substation, far fewer responding utilities indicated
any use of encryption on data in transit; 60% said they do not encrypt data sent from substation to
substation, and 74% said they do not encrypt data transmission within the substation. This observation
held across all types and sizes of utilities.

Substation survey results shown in Figure 29 indicate that the use of data encryption in sampled
international utility substation communication networks is lower than found among their North American
counterparts. No data transfers occurring solely within the substation were being encrypted by the
surveyed utilities, located in more than 20 countries. Only about 30% of respondents reported some or
all data transmitted to other substations or to control center systems was being encrypted.

Figure 29 – International observations on the use of encryption

E.2 The need for vendor security certification


Figure 30 shows that forty-nine percent of respondents do not have a vendor security certification
program and have no plans to start one in the future. Fifteen percent have one in place as of late 2017,
and 23% said while they don’t yet have a program, they will require one by the end of 2020.

Figure 30 - The need for vendor security certification

Figure 31 shows that thirty-five percent of international respondents did not have a vendor security
certification program by autumn 2017, and do not have a plan to start such a program in the near
future. Eighteen percent do have a vendor certification program in place, and 47% said that while they
don’t have a program yet, they will require one by the end of 2020.


Figure 31 - International need for vendor security certification

E.3 The need for external assistance


Figure 32 shows that within North America, sixty-four percent of respondents said that they currently
require or will require assistance from a third-party vendor to train employees in the area of substation
automation. Fifty-two percent currently require or will soon require assistance for IED configuration and
support, as well as security.

Figure 32 - North America's need for external assistance


Figure 33 shows that two-thirds of the international respondents indicated that they currently require or
will require assistance from a third-party vendor to train employees in substation automation topics.
Sixty-three percent currently require or will soon require assistance for IED configuration and support,
as well as security. Equally important was the requirement for assistance with security matters (both
physical and cybersecurity). Nearly two thirds of the population indicated the need for
assistance with IED configuration support and/or installation services.

Figure 33 - International need for external assistance

E.4 Demarcation between IT and OT networks


From the current protection and control surveys, Newton-Evans found that over half (51%) of the
population said the demarcation between physical IT and OT networks is at the control centre, and 47%
said demarcation is in the substation. Seven respondents said demarcation between the two networks
is provided at both the control centre and the substation31.

Survey responses indicated that a clear majority of international utilities provide demarcation between
physical IT and OT networks in the substation. Seventy-seven percent of international survey
respondents indicated this, versus 47% of the North American survey respondents.

—————————

31 IEEE PSCC S09 (Study Group of utility IT-OT cybersecurity challenges in roles and terminology) is also addressing this issue.


Annex F . Understanding the shared responsibility model


F.1 Shared responsibility model
Figure 34 shows the general separation of responsibilities between the on-premises resource owners,
the EPU subscriber, and the cloud service provider.

Figure 34 - Separation of responsibilities

According to the Cloud Standards Customer Council (CSCC), an advocacy group for cloud users,
users' responsibilities generally increase as they move from SaaS to platform as a service (PaaS) to
IaaS. For example, according to the CSCC, in an IaaS environment the cloud service provider supplies,
and is responsible for securing, basic cloud infrastructure components such as virtual machines, disks and
networks. The provider is also responsible for the physical security of the data centres that house its
infrastructure. IaaS users, on the other hand, are generally responsible for the security of the operating
system and software stack required to run their applications, as well as their data.

Conversely, in a SaaS model (according to the CSCC), the provider is primarily responsible for the
infrastructure and software stack, as the user has less control over these components.

Because user responsibilities differ based on the cloud service model and provider selected, there is
not a standard shared responsibility model. To understand their cloud security responsibilities, users
should reference the service-level agreements in place with their providers.

F.2 Threat vectors in the cloud


Gartner predicts that by 2022, at least 95% of cloud security failures will have occurred in the customer’s
portion of the SRM[76]. Darktrace unpacked the main threat vectors through which these failures might
occur[4]. WG D2.46 used these threat vectors to better understand what an EPU can do to mitigate
these risks effectively.


F.2.1 Insider threat


Malicious insiders have the advantage of knowing how the systems work, and they take their time to
prepare and practice an attack. For example, they can manipulate data slowly over days and weeks to
compromise entire cloud environments and evade rule-based security tools designed to monitor normal
activity.

F.2.2 Compromised credentials


An external attacker using legitimate credentials to gain access is a critical risk for EPUs with little to no
visibility in the cloud. Such attackers can potentially take control of SaaS applications and steal operational
data for use in a playback scenario. With IaaS in particular, the user credentials of system administrators
are the keys to invaluable cloud assets, giving attackers access to sensitive configuration data, operating
settings, and test environments.

F.2.3 Misconfigurations
One of the most common threat vectors in the cloud is critical misconfiguration of IaaS environments
resulting from intentional or unintentional human error. Such misconfigurations arise for a range of
reasons, such as forgetting to deploy security controls, misconfiguring a test environment for
maintenance or software patching, or forgetting to re-enable the protective control mechanisms in an
environment.
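The "forgot to re-enable" failure mode above is easiest to catch by auditing a live IaaS snapshot against an approved baseline rather than relying on anyone remembering. The Python example below is added here and is not from TB 796 or Darktrace; the resource model, the field names and both snapshots are constructed and vendor-neutral, with the second snapshot simulating a test VM left exposed after a patching window.

```python
"""Catching IaaS misconfiguration left behind after maintenance by auditing a
live snapshot against an approved baseline.

Added example, not from TB 796 or Darktrace. The resource model, the field
names and both snapshots are constructed and vendor-neutral.
"""
from copy import deepcopy

# Approved baseline for a constructed test environment.
BASELINE = {
    "vm-historian-test": {
        "public_ip": False,
        "disk_encrypted": True,
        "inbound_rules": [{"port": 22, "source": "10.50.0.0/16"}],
        "logging_enabled": True,
    },
    "bucket-ops-logs": {"public_read": False, "versioning": True},
}

# Snapshot after a patching window: SSH was opened to any source for a vendor
# session and never closed, and flow logging was left switched off.
AFTER_PATCHING = deepcopy(BASELINE)
AFTER_PATCHING["vm-historian-test"]["inbound_rules"].append({"port": 22, "source": "0.0.0.0/0"})
AFTER_PATCHING["vm-historian-test"]["logging_enabled"] = False


def check_resource(name, cfg):
    """Absolute checks: conditions that are wrong regardless of what the baseline says."""
    findings = []
    for rule in cfg.get("inbound_rules", []):
        if rule["source"] in ("0.0.0.0/0", "::/0"):
            findings.append((name, f"port {rule['port']} open to any source"))
    if cfg.get("public_ip") is True:
        findings.append((name, "public IP attached"))
    if cfg.get("disk_encrypted") is False:
        findings.append((name, "disk not encrypted"))
    if cfg.get("logging_enabled") is False:
        findings.append((name, "logging disabled"))
    if cfg.get("public_read") is True:
        findings.append((name, "bucket publicly readable"))
    return findings


def diff_against_baseline(baseline, current):
    """Relative checks: any setting that no longer matches the approved state,
    including a resource that has vanished (a deleted control is also drift)."""
    drift = []
    for name, base_cfg in baseline.items():
        cur_cfg = current.get(name)
        if cur_cfg is None:
            drift.append((name, "resource missing from snapshot"))
            continue
        for key, base_val in base_cfg.items():
            if cur_cfg.get(key) != base_val:
                drift.append((name, f"{key}: baseline={base_val!r} current={cur_cfg.get(key)!r}"))
    return drift


def audit(baseline, current):
    """Combine both views; a clean result is an empty list for each."""
    findings = []
    for name, cfg in current.items():
        findings.extend(check_resource(name, cfg))
    return {"control_findings": findings, "drift": diff_against_baseline(baseline, current)}


if __name__ == "__main__":
    for section, items in audit(BASELINE, AFTER_PATCHING).items():
        print(section)
        for item in items:
            print("  ", item)
```

The two views are deliberately separate: the absolute checks catch a baseline that was wrong from the start, and the drift check catches a correct baseline that was quietly undone during maintenance. Running the audit at the close of every change window, with a non-empty result blocking sign-off, turns the human-error vector into a detectable event.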

F.2.4 Unsecured application program interfaces


Unsecured application program interfaces (APIs) are one of the most serious examples of cloud
misconfigurations since vulnerabilities in error response handling in their interface to back-end data are
very attractive targets for cyber-criminals.
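The error-response weakness named above is concrete enough to show as code. The Python example below is added here and is not from TB 796; it places a handler whose error paths echo back-end detail next to a hardened version of the same API. The record store, the token value and the error strings are constructed, and no web framework is used so that the logic stands alone.

```python
"""Error-response handling in a back-end data API: a handler that leaks internal
detail beside a hardened one.

Added example, not from TB 796. The record store, the token and the error
strings are constructed; no web framework is used so the logic stands alone.
"""
import logging
import uuid

log = logging.getLogger("data-api")

# Constructed back-end store: measurement point -> latest reading.
READINGS = {"feeder-12": {"kw": 1520.0, "owner": "ops"}}
VALID_TOKENS = frozenset({"ops-secret"})  # constructed credential


class BackendError(Exception):
    """Raised by the data layer; its message carries internal detail."""


def _lookup(point_id):
    if point_id not in READINGS:
        # Internal diagnostic text, useful in a server log, never in a response.
        raise BackendError(f"SELECT * FROM readings WHERE point='{point_id}' "
                           f"returned 0 rows (db=opsdb01)")
    return READINGS[point_id]


def leaky_handler(point_id, token):
    """Unsecured API: error paths echo back-end detail to the caller."""
    if token not in VALID_TOKENS:
        return 401, {"error": "bad token; this endpoint expects the 'ops' role token"}
    try:
        return 200, _lookup(point_id)
    except BackendError as exc:
        return 500, {"error": str(exc)}  # query text and DB name leave the server


def hardened_handler(point_id, token):
    """Same API with uniform errors, input validation and server-side logging."""
    if token not in VALID_TOKENS:
        return 401, {"error": "unauthorized"}
    # Reject anything that is not a plain identifier before it reaches the data layer.
    if not isinstance(point_id, str) or len(point_id) > 32 or not point_id.replace("-", "").isalnum():
        return 400, {"error": "invalid point id"}
    try:
        return 200, _lookup(point_id)
    except BackendError as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("backend error ref=%s detail=%s", ref, exc)  # detail stays server-side
        return 404, {"error": "not found", "ref": ref}  # caller gets a correlation id only


if __name__ == "__main__":
    for handler in (leaky_handler, hardened_handler):
        print(handler.__name__, handler("feeder-99", "ops-secret"))
```

The hardened handler keeps the diagnostic value of the back-end message by logging it against a correlation reference that is returned to the caller; support staff can look the reference up, but the query text, schema names and database host never cross the API boundary. Validating the identifier before the data layer sees it also removes the malformed-input path through which such error messages are usually provoked.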


Annex G . Service function chaining – an emerging technology


G.1 The need for service function chaining
Dynamic service chaining enables operators to dynamically create services by using virtual network
functions (VNFs). Ongoing work in the Internet Engineering Task Force (IETF) is documented in request
for comments (RFC) 7498 [77], the SFC problem statement. IEEE P1916.1 believes that service function
chaining (SFC) will become the dominant element in service chaining because it enables telecom
operators to dynamically configure network services in software, without the need to make changes in
hardware. From a performance point of view, P1916.1 identifies three important architectural elements
of SFC: 1) a classifier used to identify and classify the traffic, 2) the control plane that is responsible for
maintaining the SFC policy tables, and 3) the network service controller.

G.2 SFC concept and its implementation


Funded by the European Commission, Medhat et al. introduced an SFC taxonomy that considers
architecture and performance dimensions as the basis for the subsequent state-of-the-art analysis[78].
In their paper they used a gap analysis of 13 existing solutions (circa 2016) to identify future research
challenges. Using high, medium, and low ratings, they rated the flexibility and scalability performance
of each solution. They concluded the following:

▪ Solutions that adopt SDN and NFV technologies together alongside the orchestrator layer
provide higher SFC scalability and flexibility than others.
▪ Most SFC approaches did not involve quality of service (QoS) and policy enforcement and
neglect the load balancing functionality.
▪ Most frameworks use media access control (MAC) address and OpenFlow functionality to apply
traffic steering among the service functions without network service header (NSH) support as
specified by the IETF SFC group.
▪ The usage of MAC address and/or OpenFlow protocols without NSH support has limited
scalability and is more complex than using them with NSH support. There are some approaches
that use tags instead of NSH.
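The three architectural elements named in G.1 (classifier, SFC policy table in the control plane, network service controller) and the NSH-based steering discussed in G.2 can be shown together in a small simulation. The Python example below is added here and is not from TB 796, RFC 7498 or IEEE P1916.1; the service functions, policy entries and packets are constructed, and the per-packet path fields imitate the NSH Service Path Identifier (SPI) and Service Index (SI) of RFC 8300 in simplified form (SI starts at the chain length rather than at 255).

```python
"""Minimal service function chaining (SFC) model: classifier, SFC policy table
and a network service header (NSH) style path encoding.

Added example, not from TB 796, RFC 7498 or IEEE P1916.1. The service functions,
policy entries and packets are constructed. The path fields imitate the NSH
Service Path Identifier (SPI) and Service Index (SI) of RFC 8300, simplified so
that SI starts at the chain length rather than 255.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: str
    spi: int = 0                       # which chain this packet follows
    si: int = 0                        # hops remaining; decremented by each SF
    trace: list = field(default_factory=list)


# Control plane: the SFC policy table maps a service path to an ordered SF list.
POLICY_TABLE = {
    10: ["firewall", "ids", "nat"],    # internet-facing web traffic
    20: ["firewall", "ids"],           # substation telemetry (Modbus/TCP)
}


def classify(pkt):
    """Classifier: choose a service path from packet attributes, None = no chain."""
    if pkt.dst_port in (80, 443):
        return 10
    if pkt.dst_port == 502:
        return 20
    return None


# Constructed service functions. Each returns True to pass the packet on.
def sf_firewall(pkt):
    return not pkt.src.startswith("203.0.113.")   # constructed blocked range


def sf_ids(pkt):
    return "malware" not in pkt.payload            # constructed content rule


def sf_nat(pkt):
    pkt.src = "192.0.2.1"                          # constructed translated address
    return True


SERVICE_FUNCTIONS = {"firewall": sf_firewall, "ids": sf_ids, "nat": sf_nat}


def forward(pkt):
    """Network service controller: steer pkt hop by hop along its chain.
    Returns True if delivered, False if a service function dropped it."""
    spi = classify(pkt)
    if spi is None:
        pkt.trace.append("unclassified: default forwarding")
        return True
    chain = POLICY_TABLE[spi]
    pkt.spi, pkt.si = spi, len(chain)
    while pkt.si > 0:
        sf_name = chain[len(chain) - pkt.si]       # SI selects the next hop
        pkt.trace.append(f"spi={pkt.spi} si={pkt.si} -> {sf_name}")
        if not SERVICE_FUNCTIONS[sf_name](pkt):
            pkt.trace.append(f"dropped by {sf_name}")
            return False
        pkt.si -= 1
    pkt.trace.append("chain complete, delivered")
    return True


if __name__ == "__main__":
    web = Packet("10.0.0.5", "198.51.100.20", 443, "GET /")
    print(forward(web), web.trace)
```

Because the path is carried in the packet's own SPI/SI fields, every hop knows its position in the chain without consulting MAC rewriting rules or per-switch flow entries; this is the scalability argument for NSH over MAC/OpenFlow-only steering that the Medhat et al. analysis summarised above makes. Changing a chain is a one-line edit to POLICY_TABLE in the control plane, with no change to the service functions themselves.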


Annex H . Bibliography

[1] Copperleaf. (2018). Enterprise Portfolio Management for Utilities. Available: www.copperleaf.com
[2] H. Kerzner, Project management: a systems approach to planning, scheduling, and controlling, Twelfth
edition. ed. Hoboken, New Jersey: Wiley, 2017.
[3] N. Kshetri and J. Voas. (August 2018) Hacking Power Grids: A Current Problem. Computing Edge
[Technical]. three pages. Available: www.computer.org
[4] Darktrace. (2018, Cyber AI and Darktrace Cloud: Securing New Computing Models, Applications, Users,
and Devices. [White Paper]. Available: https://www.darktrace.com/en/resources/#white-papers
[5] A. Aleksandraviciene and A. Morkevicius, MagicGrid - Book of Knowledge. Kaunas, Lithuania: Vitae
Litera, UAB, 2017.
[6] S. Friedenthal, A. Moore, and R. Steiner, A practical guide to SysML: the systems modeling language:
Morgan Kaufmann, 2015.
[7] L. Delligatti, SysML distilled: A brief guide to the systems modeling language: Addison-Wesley, 2013.
[8] (September/October 2019) Grid Architecture - shaping our energy future. IEEE power & energy
[Technical].
[9] A. A. C. Suh-Lee, G. Rasche, M. Wakefield, "Cyber Security Metrics for the Electric Sector," Electric Power
Research Institute, Report December 2017. Available:
https://www.epri.com/#/pages/product/3002010426/?lang=en-US
[10] A. L. C. Suh-Lee, "Creating Security Metrics for the Electric Sector," Electric Power Research Institute,
Report December 2016. Available:
https://www.epri.com/#/pages/product/000000003002007886/?lang=en-US
[11] J. A. Zachman, "A framework for information systems architecture," IBM systems journal, vol. 38, pp. 454-
470, 1999. Available: https://www.research.ibm.com/journal/sj38-23.html
[12] BoldenJames. (2018, 2018-02-22). GDPR: The Final Countdown. Available: www.boldenjames.com
[13] Osterman_Research, "The procrastinator's guide to preparing for the GDPR," Report February 2018.
Available: https://www.ostermanresearch.com/home/white-papers/
[14] The EU general data protection regulation (GDPR). New York, NY: Springer Berlin Heidelberg, 2017.
[15] W. Leichter and D. Berman, "Global Guide to Data Protection Laws - Understanding privacy and
compliance requirements in more that 80 countries," CipherCloud, San Jose, California USA Report 2
June 2017. ISBN-13: 978-1544751504 & ISBN-10: 1544751508
[16] CIGRE_WG_D2.40, "Remote service security requirement objectives," CIGRE Report 762, March 2019.
ISBN : 978-2-85873-464-1
[17] TC57WG15, "IEC 62351-8:2011 - Power systems management and associated information exchange:
Data and Communication Security - Role-based access control (note: new edition under development),"
ed: International Electrotechnical Commission, 2011.
[18] S. Baumgärtner, T. Petersen, and J. Schiller, "The Concept of Responsibility: Norms, Actions and Their
Consequences," p. 54, April 4, 2018. Available: https://ssrn.com/abstract=3157667
[19] CIGRE_WG_D2.38, "Framework for EPU operators to manage the response to a cyber-initiated threat to
their critical infrastructure," CIGRE, Report #698, September 2017. ISBN: 978-2-85873-401-6
[20] K. Stouffer, S. Lightman, V. Pillitteri, M. Abrams, and A. Hahn, "NIST special publication 800-82, revision
2: Guide to industrial control systems (ICS) security," National Institute of Standards and Technology,
2014. Available: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-82r2.pdf
[21] DHS CSSP, "Recommended practice: improving industrial control systems cybersecurity with defense-in-
depth strategies," US-CERT Defense In Depth, 2009. Available:
https://doi.org/10.6028/NIST.CSWP.04162018
[22] NIST, "Framework for Improving Critical Infrastructure Cybersecurity," Framework, vol. 1.1, p. 11,
2018. Available: https://doi.org/10.6028/NIST.CSWP.04162018
[23] A. Hahn and M. Govindarasu, "Cyber attack exposure evaluation framework for the smart grid," IEEE
Transactions on Smart Grid, vol. 2, pp. 835-843, 2011. Available:
https://ieeexplore.ieee.org/document/6025254
[24] S. P. Stacy Moran. (2018). Cyber Exposure for Dummies (Tenable Special Edition ed.).


[25] Mcafee. (2018). Definitive Guide to Cloud Threat Protection. Available: www.mcafee.com
[26] S. NIST, "800–34 Rev. 1. Contingency Planning Guide for Federal Information Systems," Gaithersburg,
MD, United States: National Institute of Standards & Technology, vol. 150, 2010. Available:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
[27] National Institute of Standards and Technology, "Security and Privacy Controls for Federal Information
Systems and Organizations," Gaithersburg, MD, Government Document SP 800-53 Revision 4, April
2013.
[28] O. Coker and S. Azodolmolky. (2017). Software Defined Networking with OpenFlow. Available:
www.amazon.com
[29] J. A. Wickboldt, W. P. De Jesus, P. H. Isolani, C. B. Both, J. Rochol, and L. Z. Granville, "Software-defined
networking: management requirements and challenges," IEEE Communications Magazine, vol. 53, pp.
278-285, 2015. Available: https://ieeexplore.ieee.org/document/7010546
[30] C. M. Hurd and M. V. McCarty, "A survey of security tools for the industrial control system environment,"
Idaho National Lab. (INL), Idaho Falls, ID (United States), Report 2017.
[31] J. Slowik, "Evolution of ICS Attacks and the Prospects for Future Disruptive Events." Available:
https://dragos.com/resource/evolution-of-ics-attacks-and-the-prospects-for-future-disruptive-events/
[32] C. Bedell and M. Bouchard, Definitive Guide to SOC-as-a-Service. Annapolis MD: CyberEdge Group,
2018.
[33] "SIEM for Beginners," ed: Alien Vault, 2019.
[34] T. Acalvio, Deception 2.0 for Dummies, Acalvio Special Edition. Hoboken, NJ: John Wiley & Sons, Inc.,
2017.
[35] X. Zhou, Z. Xu, L. Wang, K. Chen, C. Chen, and W. Zhang, "Kill Chain for Industrial Control System," in
MATEC Web of Conferences, 2018, p. 01013.
[36] M. J. A. Robert M. Lee, Tim Conway, "Analysis of the cyber attack on the Ukrainian power grid - Defense
use case," Electricity Information sharing and analysis center (E-ISAC), Washington, DC 20005, Report
March 18, 2016. Available: www.eisac.com
[37] V. P. N. Ron Ross (NIST), Gary Guissanie (IDA), Ryan Wagner (IDA), Richard Graubart (MITRE),
Deborah Bodeau (MITRE), "Protecting Controlled Unclassified Information in Nonfederal Systems and
Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets," National
Institute of Science and Technology, Report June 2019. Available: https://csrc.nist.gov › publications ›
detail › sp › 800-171b › draft
[38] D. Bushaus, "Building the operations center of the future," T. Forum, Ed., ed. www.tmforum.org, October
2015.
[39] M. L. Ambrose, "The law and the loop," in Proceedings of the IEEE 2014 International Symposium on
Ethics in Engineering, Science, and Technology, 2014, p. 10.
[40] K. A. Bamberger, "Regulation as delegation: private firms, decisionmaking, and accountability in the
administrative state," Duke LJ, vol. 56, p. 377, 2006. Available:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=947632
[41] S. J. Shackelford and Z. Bohm, "Securing North American critical infrastructure: A comparative case study
in cybersecurity regulation," Can.-USLJ, vol. 40, p. 61, 2016. Available:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2576460
[42] N. A. Sales, "Regulating cyber-security," Nw. UL Rev., vol. 107, p. 1503, 2012. Available:
https://scholarlycommons.law.northwestern.edu/nulr/vol107/iss4/1/
[43] M. Schwartz and C. V. O'Connor, "The Nunn-McCurdy Act: Background, Analysis, and Issues for
Congress," Congressional Research Service Washington United States, Report 2016.
[44] D. S. Herrmann, Complete guide to security and privacy metrics: measuring regulatory compliance,
operational resilience, and ROI: CRC Press, 2007.
[45] C. Howson, R. L. Sallam, J. Tapadinhas, J. L. Richardson, and C. J. Idoine. (12 September 2017).
Technology insights for modern analytics and business intelligence platforms.
[46] TC65WG10, "IEC 62443-2-4:2015 Industrial communication networks - Network and system security -
Part 2-4: Installation and maintenance service providers," 1.0 ed. Geneva CH: International
Electrotechnical Commission, 2015-06-30, p. 193.
[47] TC65WG10, "Security for industrial automation and control systems - Network and system security - Part
2-3: Patch management in the IACS environment," International Electrotechnical Commission, Report
IEC/DTR 62443-2-3 (ISA-99.02.03), 2014-01-07.



CIGRE
21, rue d'Artois
75008 Paris - FRANCE

© CIGRE

ISBN : 978-2-85873-501-3
