The challenge in identifying and categorising Hybrid Metrics lies in the variety of (originally) independent utility networks involved and the differences in their scenarios. Additionally, when sensitive utility network systems are exposed to the Internet it makes them a potential target of new kinds of threats (e.g. Advanced Persistent Threat – APT) which are especially targeted towards SCADA networks. Utility providers may not be aware of the sensitivity of these connections or may underestimate their importance. Hence, the sensitive parameters describing these risks would need to be identified by computer network and security experts in cooperation with domain experts coming from the utility providers. Another challenge for utility providers is the lack of standardisation or regulation resulting in uncertainty about the required investment of computer systems security in utility networks and their control networks. This may lead to an insecure company environment, also including lacking perimeter surveillance, as for instance, malicious software introduced to the network manually via a USB stick dropped in the car park, taken by a curious employee and plugged in into a company laptop, thus infecting the whole system. Such scenarios could be detected by novel surveillance technologies. Another emerging threat is represented by new cultural changes and new business directives such as “bring your own device” (BYOD) or the Internet of Things (IoT), which can result in new attack vectors. Such scenarios result in situations in which mobile computing devices are being used privately and also, for the convenience of their users, to access network services in a utility provider’s infrastructure control. All of the above is triggered by human behaviour, i.e. the security awareness (or the lack of it) of a utility provider’s employees. Hence, the Human Factor represents another hugely important dimension in our Hybrid Risk Management approach.
The Project’s Objectives
- Definition of hybrid risk metrics and risk assessment processes to enable comprehensive risk management for dealing with threats in multiple (diverse) aspects of utility network infrastructures and to support categorisation of utility infrastructures to prioritise countermeasures development.
- Evaluation of hybrid risk metrics for interdependent utility network infrastructures to cope with attacks targeted specifically at utility network controls.
- Development of tools and methods for risk assessment, which extend existing methodologies towards the handling of new threats (e.g., Advanced Persistent Threats) arising in interconnected utility networks.
- Definition of security architectures and guidelines to mitigate threats related to human and organisational (including cyber) risk.
- Enhancing network and infrastructure surveillance systems using novel, on-demand technologies in the extended perimeter of utility networks.
- Demonstration and Evaluation of Project Results in Simulated and Real Testbed Environments.
- Increase awareness of policy makers and pave the way for new legislation and pre-standardisation efforts.