Assessing Information Security Risks of AMI - What Makes it so Difficult?

Inger Anne Tøndel, Maria B. Line, Gorm Johansen

Abstract

A rich selection of methods for information security risk assessments exist, but few studies evaluate how such methods are used, their perceived ease-of-use, and whether additional support is needed. Distribution system operators (DSOs) find it difficult to perform information security risk assessments of Advanced Metering Infrastructure (AMI). We have performed a case study in order to identify these difficulties and the reasons for them. Our findings indicate that the risk assessment method in itself is not the main challenge. The difficulties regard competence; more specifically, insight in possible information security threats and vulnerabilities, being able to foresee consequences, and making educated guesses about probability. Improved guidelines can be a valuable aid, but including information security experts as participants in the process is even more important.

References

  1. Caralli, R. A., Stevens, J. F., Young, L. R., and Wilson, W. R. (2007). The OCTAVE Allegro Guidebook v1.0. Software Engineering Institute.
  2. Cybenko, G. (2006). Why Johnny Can't Evaluate Security Risk. IEEE Security & Privacy, 4(1):5.
  3. EnergiNorgeAS (2012). Overordnet risiko-og sa°rbarhetsanalyse for innføring av AMS. PT1070549-RE-01.
  4. Fenz, S. and Ekelhart, A. (2011). Verification, Validation, and Evaluation in Information Security Risk Management. IEEE Security & Privacy, 9(2):58-65.
  5. GAO (1999). Information Security Risk Assessment: Practices of Leading Organizations. United States General Accounting Office (GAO).
  6. Gerber, M. and von Solms, R. (2005). Management of risk in the information age. Computers & Security, 24(1):16 - 30.
  7. Group, T. S. G. I. P. C. S. W. (2010). Guidelines for smart grid cyber security.
  8. ISO/IEC (2005). ISO/IEC 27001:2005 Information security management systems - Requirements.
  9. ISO/IEC (2011a). ISO/IEC 27005:2011 Information technology - Security techniques - Information security risk management.
  10. ISO/IEC (2011b). ISO/IEC 27035:2011 Information technology - Security techniques - Information security incident management.
  11. Jourdan, Z., Rainer, K., Marshall, T. E., and Ford, N. (2010). An Investigation of Organizational Information Security Risk Analysis. Journal of Service Science, 3(2):33-42.
  12. Line, M. B., Tøndel, I. A., Johansen, G. I., and Saele, H. (2013). Informasjonssikkerhet og personvern: Støtte til risikoanalyse av AMS og tilgrensende systemer (Norw.). Technical Report A24258, SINTEF. ISBN 978-8-214-053203.
  13. NVE (2010). Veiledning i risiko- og sa°rbarhetsanalyser for kraftforsyningen (in Norwegian). Norwegian Water Resources and Energy Directorate.
  14. NVE (2013). FOR 1999-03-11 nr 301: Forskrift om ma°ling, avregning og samordnet opptreden ved kraftomsetning og fakturering av nettjenester.
  15. Rhee, H.-S., Ryu, Y. U., and Kim, C.-T. (2012). Unrealistic optimism on information security management. Computers & Security, 31(2):221 - 232.
  16. Shedden, P., Ruighaver, A. B., and Ahmad, A. (2010). Risk Management Standards - The Perception of Ease of Use. Journal of Information System Security, 6(3):23- 41.
  17. Skapalen, F. and Jonassen, B. (2013). Veileder til sikkerhet i AMS (in Norw.). NVE.
  18. Sulaman, S. M., Weyns, K., and Höst, M. (2013). A review of research on risk analysis methods for IT systems. In Proceedings of the 17th International Conference on Evaluation and Assessment in Software Engineering, EASE 7813, pages 86-96, New York, NY, USA. ACM.
  19. Yin, R. K. (2009). Case Study Research - Design and Methods, 4th ed., volume 5 of Applied Social Research Methods. SAGE Publications.
Download


Paper Citation


in Harvard Style

Tøndel I., Line M. and Johansen G. (2015). Assessing Information Security Risks of AMI - What Makes it so Difficult? . In Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-081-9, pages 56-63. DOI: 10.5220/0005228900560063


in Bibtex Style

@conference{icissp15,
author={Inger Anne Tøndel and Maria B. Line and Gorm Johansen},
title={Assessing Information Security Risks of AMI - What Makes it so Difficult?},
booktitle={Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2015},
pages={56-63},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005228900560063},
isbn={978-989-758-081-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Assessing Information Security Risks of AMI - What Makes it so Difficult?
SN - 978-989-758-081-9
AU - Tøndel I.
AU - Line M.
AU - Johansen G.
PY - 2015
SP - 56
EP - 63
DO - 10.5220/0005228900560063