Journal of Network and Systems Management, Volume 27, Issue 1, pp 269–285

Specialized CSIRT for Incident Response Management in Smart Grids

  • Rafael de Jesus Martins (corresponding author)
  • Luis Augusto Dias Knob
  • Eduardo Germano da Silva
  • Juliano Araujo Wickboldt
  • Alberto Schaeffer-Filho
  • Lisandro Zambenedetti Granville


Power grids are undergoing a major modernization process that is transforming them into Smart Grids. In such cyber-physical systems, a security incident may have catastrophic consequences. Unfortunately, the number of reported incidents in power grids has been increasing in recent years. In this article we advocate that the adoption of Computer Security Incident Response Teams (CSIRTs) is necessary for the proper management of security incidents in Smart Grids. CSIRTs for Smart Grids must cover different parts of the grid, and thus consist of specialized response teams for handling incidents not only on the physical infrastructure, but also on the Smart Grid equipment and on the IT infrastructure. We therefore propose an incident classification to assist the implementation of CSIRTs for Smart Grids, considering the specific concerns of the different response teams. We evaluate attack classifications available in the literature and review a well-known database of Smart Grid security incidents.


Keywords: Power grid; Computer security; Incident classification; SCADA systems; AMI



This work is supported by ProSeG - Information Security, Protection and Resilience in Smart Grids, a research project funded by MCTI/CNPq/CT-ENERG # 33/2013.



Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  • Rafael de Jesus Martins (corresponding author) (1)
  • Luis Augusto Dias Knob (1)
  • Eduardo Germano da Silva (1)
  • Juliano Araujo Wickboldt (1)
  • Alberto Schaeffer-Filho (1)
  • Lisandro Zambenedetti Granville (1)

  1. Institute of Informatics, Federal University of Rio Grande do Sul (UFRGS), Porto Alegre, Brazil
