Developing a Cybersecurity Risk Management Framework for Non-Technical Losses in National Power Distribution Companies
DOI:
https://doi.org/10.35682/jje.v1i2.717Keywords:
Smart grid, AMI, Organizational Risk Management Framework (RMF), EDCO, security controls, SCADA securityAbstract
Traditionally, power companies are the driving force behind a country’s economy and disturbances in its services have severe effects. Advanced metering infrastructure (AMI) grids are vulnerable to network & web security attacks. The objective of this study is to pinpoint the risk mitigation measures that should be integrated into the electric power advanced metering grids of Jordan. The study investigates and proposes a Risk Management Framework (RMF) to minimize the risks of power fraudulent activity. AMI is vulnerable to electricity losses and hence the need to develop a system that would help mitigate this risk. To develop the RMF, we integrate security and privacy into the management activities, to assist in the organizational preparation of the processes and technologies needed for the ongoing energy system IT and OT convergence and digital transformation poses more cybersecurity concerns and essential requirements. We used the Quantitative Risk Management process utilizing the NIST RMF standards for financial risk impacts mitigation of energy losses in the AMI grid. The dependencies and influences between the dimensions considered are investigated, information gathering, and the collection of work data were carried out and used for quantitative analysis. This paper presents a pilot project study in collaboration with EDCO the developed and proposed RMF requirements, risk assessment and, finally recommends the implementation of the selected security controls for the AMI profile protection to mitigate the identified cyber risk.
References
B. S. Munir, A. Trisetyarso, M. Reza and B. S. Abbas, Application of Artificial Neural Networks for Power System Oscillation Prediction, ICIC Express Letters, vol. 13, no. 9, pp. 815-822, 2019.
L. M. W. G. Fan Zhang, An Integrated Wide Area Protection Scheme for Active Distribution Network Based On Fault Component Principle, IEEE Transaction on Smart Grid, vol. 10, no. 1, pp. 392-402, 2019.
V. F. Martins and C. L. T. Borges, Active distribution network integrated planning incorporating distributed generation and load response uncertainties, IEEE Transactions on Power Systems, vol. 26, no. 4, pp. 2164-2172, 2011.
X. Chen, Y. Li, M. Zhao, A. Wen and N. Liu, A coordinated strategy of protection and control based
C. Chandraratne, W. L. Woo, T. Logenthiran and R. T. Naayagi, Adaptive Overcurrent Protection for Power Systems with Distributed Generators, 2018 8th International Conference on Power and Energy Systems (ICPES), 2018.
J. Ma, X. Xiang, R. Zhang, J. L. a. P. Li and J. S. Thorp, Regional protection scheme for distribution network based on logical information, IET Generation, Transmission & Distribution, vol. 11, no. 17, pp. 4314-4323, 2017.
J. Bertsch, C. Carnal, D. Karlson, J. McDaniel and K. Vu, Wide-Area Protection and Power System Utilization, Proceedings of the IEEE, vol. 93, no. 5, pp. 997-1003, 2005.
M. N. Alam, S. Chakrabarti, A. Sharma and S. C. Srivastava, An Adaptive Protection Scheme for AC Microgrids Using μPMU Based Topology Processor, 2019 IEEE International Conference on Environment and Electrical Engineering and 2019 IEEE Industrial and Commercial Power Systems Europe (EEEIC / I&CPS Europe), 2019.
Shalini, S. R. Samantaray and A. Sharma, Enhancing Performance of Wide-Area Back-Up Protection Scheme Using PMU Assisted Dynamic State Estimator, IEEE Transactions on Smart Grid, vol. 10, no. 5, pp. 5066-5074, 2019.
E. J. Holmes, Protection of Electricity Distribution Networks, 3rd Edition, 2011.
E. J., Byres, M., Franz, & D. Miller. (2004, December). The use of attack trees in assessing vulnerabilities in SCADA systems. In Proceedings of the international infrastructure survivability workshop (pp. 3-10). Citeseer.
A. M., Khattak, S. I., Khanji, & W. A. Khan, (2019, January). Smart meter security: Vulnerabilities, threat impacts, and countermeasures. In International Conference on Ubiquitous Information Management and Communication (pp. 554-562). Springer, Cham.
L., Langer, F., Skopik, P., Smith, & M. Kammerstetter, (2016). From old to new: Assessing cybersecurity risks for an evolving smart grid. computers & security, 62, 165-176.
C., Lopez, A., Sargolzaei, H., Santana, & C. Huerta (2015). Smart Grid cybersecurity: An overview of threats and countermeasures. Journal of Energy and Power Engineering, 9(7), 632-647.
C. M., Mathas, K. P., Grammatikakis, C., Vassilakis, N., Kolokotronis, V. G., Bilali, & D. Kavallieros, (2020, August). The threat landscape for smart grid systems. In Proceedings of the 15th International Conference on Availability, Reliability, and Security (pp. 1-7).
S., McLaughlin, D., Podkuiko, & P. McDaniel, (2009, September). Energy theft in the advanced metering infrastructure. In International Workshop on Critical Information Infrastructures Security (pp. 176-187). Springer, Berlin, Heidelberg.
M., Nabil, M., Ismail, M., Mahmoud, M., Shahin, K., Qaraqe, & E. Serpedin, (2019). Deep learning-based detection of electricity theft cyber-attacks in smart grid AMI networks. In Deep Learning Applications for Cyber Security (pp. 73-102). Springer, Cham.
S., Saini, R. K., Beniwal, R., Kumar, R., Paul, & S. Saini, (2018). Modeling for improved cybersecurity in Smart distribution system. International Journal on Future Revolution in Computer Science & Communication Engineering, 4(2), 56-59.
C. C., Sun, A., Hahn, & C. C., Liu, (2018). Cybersecurity of a power grid: State-of-the-art. International Journal of Electrical Power & Energy Systems, 99, 45-56.
L., Streltsov, (2017). The system of cybersecurity in Ukraine: principles, actors, challenges, accomplishments. European Journal for Security Research, 2(2), 147-184.
S. A., Yadav, S. R., Kumar, S., Sharma, & A. Singh, (2016, February). A review of possibilities and solutions of cyber-attacks in smart grids. In 2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH) (pp. 60-63). IEEE.
Ro’ya daily newspaper, https://en.royanews.tv/news/14184/The-shocking-consequences-of-electricity-theft-in-Jordan, retrieved 8/3/2021 Published: 2018-05-06 10:31
Alghad daily newspaper, https://alghad.com/jordans-biggest-power-theft/, retrieved 8/3/2021
Jordan Regulation Commission. 2020. https://web.archive.org/web/20120617064232/http://www.jnrc.gov.jo/About.html
Jordan time's daily newspaper,https://www.jordantimes.com/news/local/15511-power-theft-cases-reported-first-10-months-year-%E2%80%94-emrc retrieved 8/3/2021
Gueltoum Bendiab, Konstantinos-Panagiotis Grammatikakis, Ioannis Koufos, Nicholas Kolokotronis, Stavros Shiaeles: Advanced Metering Infrastructures: Security Risks and Mitigation, https://doi.org/10.1145/3407023.3409229, The 15th International Conference on Availability, Reliability, and Security (ARES 2020), Dublin – Ireland
A. k., Masood "Smart Meter Security: Vulnerabilities, Threat Impacts, and Countermeasures," May 2019, https://www.researchgate.net/publication/333305127_Smart_Meter_Security_Vulnerabilities_Threat_Impacts_and_Countermeasures
I., Mkpong-Ruffin, D., Umphress, J., Hamilton, & J. Gilbert (2007, October). Quantitative software security risk assessment model. In Proceedings of the 2007 ACM workshop on Quality of protection (pp. 31-33).. DOI: 10.1145/1314257.1314267.
J., Yao, P., Venkitasubramaniam, S., Kishore, L. V., Snyder, & R. S., Blum, (2017, March). Network topology risk assessment of stealthy cyber attacks on advanced metering infrastructure networks. In 2017 51st Annual Conference on Information Sciences and Systems (CISS) (pp. 1-6). IEEE.
R. W., Habash, V., Groza, & K., Burr, (2013). Risk management framework for the power grid cyber-physical security. Current Journal of Applied Science and Technology, 1070-1085.
Y., Guo, C. W., Ten, S., Hu, & W. W., Weaver, (2015, February). Modeling distributed denial of service attack in advanced metering infrastructure. In 2015 IEEE power & energy society innovative smart grid technologies conference (ISGT) (pp. 1-5). IEEE. DOI: 10.1109/ISGT.2015.7131828
M. A., Faisal, Z., Aung, J. R., Williams, & A., Sanchez, (2012, May). Securing advanced metering infrastructure using intrusion detection system with data stream mining. In Pacific-Asia Workshop on Intelligence and Security Informatics (pp. 96-111). Springer, Berlin, Heidelberg.
A. O., Otuoze, M. W., Mustafa, O. O., Mohammed, M. S., Saeed, N. T., Surajudeen-Bakinde, & S., Salisu. (2019). Electricity theft detection by sources of threats for smart city planning. IET Smart Cities, 1(2), 52-60.
R., Leszczyna. (2019). Standards with cybersecurity controls for smart grid A systematic analysis. International Journal of Communication Systems, 32(6), e3910.DOI:10.1002/dac.3910. https://onlinelibrary.wiley.com/doi/10.1049/iet-smc.2019.0045
DHS Sensitive Systems Policy Directive 4300A Version 13.1 July 27th, 2017. https://www.dhs.gov/
P., McDaniel, & S., McLaughlin, (2009). Security and privacy challenges in the smart grid. IEEE Security & Privacy, 7(3), 75-77.
e., Fernandes, J., Jung, and A. Prakash. 2016. Security Analysis of Emerging Smart Home Applications. In 2016 IEEE Symposium on Security and Privacy (S.P.). IEEE, 636–654.
A., Hansen, J., Staggs, and S., Shenoi. 2017. Security analysis of an advanced metering infrastructure. International Journal of Critical Infrastructure Protection, 18, pp.3-19. https://doi.org/10.1016/j.ijcip.2017.03.004
NIST Special Publication 800-53A Assessing Security and Privacy Controls in Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations http://dx.doi.org/10.6028/NIST.SP.800-53Ar4.
The National Electric Power Company (NEPCO) annual 2021 report, https://www.nepco.com.jo/store/docs/web/2021_en.pdf , accessed 25nov2022.
NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, September 2020, retrieved, Nov. 22 from https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final