A Threat Analysis Methodology for Smart Home Scenarios

  • Kristian Beckers
  • Stephan Faßbender
  • Maritta Heisel
  • Santiago Suppan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8448)

Abstract

A smart grid is envisioned to enable a more economic, environmentally friendly, sustainable and reliable supply of energy. But significant security concerns have to be addressed for the smart grid; dangers range from threatened availability of energy to threats to customer privacy. This paper presents a structured method for identifying security threats in the smart home scenario and, in particular, for analyzing their severity and relevance. The method is also able to unveil new threats not discussed in the literature before. The smart home scenario is represented by a context-pattern, which is a specific kind of pattern for the elicitation of domain knowledge [1]. Hence, by exchanging the smart home pattern for a context-pattern for another domain, e.g., clouds, our method can be used for these other domains as well. The proposal is based on Microsoft’s Security Development Lifecycle (SDL) [2], which uses Data Flow diagrams, but proposes new alternatives for scenario definition and asset identification based on context-patterns. These alleviate the lack of scalability of the SDL. In addition, we present Attack Path DFDs, which show how an attacker can compromise the system.

Keywords

Smart grid, Attack pattern, Threat analysis, Requirements engineering, Context

References

  1. Beckers, K., Faßbender, S., Heisel, M.: A meta-model approach to the fundamentals for a pattern language for context elicitation. In: Proceedings of the 18th European Conference on Pattern Languages of Programs (Europlop), ACM (2013) (Accepted for Publication)
  2. Howard, M., Lipner, S.: The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, Cambridge (2006)
  3. Aloula, F., Al-Alia, A.R., Al-Dalkya, R., Al-Mardinia, M., El-Hajj, W.: Smart grid security: threats, vulnerabilities and solutions. Int. J. Smart Grid Clean Energy 1(1), 1–6 (2012)
  4. Lin, H., Fang, Y.: Privacy-aware profiling and statistical data extraction for smart sustainable energy systems. IEEE Trans. Smart Grid 4(1), 332–340 (2013)
  5. NIST: Guidelines for smart grid cyber security (2010)
  6. Geer, D.: Are companies actually using secure development life cycles? Computer 43(6), 12–16 (2010)
  7. Win, B.D., Scandariato, R., Buyens, K., Grégoire, J., Joosen, W.: On the secure software development process: Clasp, SDL and touchpoints compared. Inf. Softw. Technol. 51(7), 1152–1171 (2009). Special Section: Software Engineering for Secure Systems
  8. SANS: Sans - a member of the microsoft security development lifecycle (sdl) pro network (2014). http://www.sans.org/security-resources/microsoft-sdl
  9. OWASP: CLASP (Comprehensive, Lightweight Application Security Process). Technical report, The Open Web Application Security Project (OWASP) (2011). https://www.owasp.org/index.php/Category:OWASP_CLASP_Project
  10. Commission of the European communities.: Communication from the commission to the european parliament, the council, the European economic and social committee and the committee of the regions (2011)
  11. Lu, Z., Lu, X., Wang, W., Wang, C.: Review and evaluation of security threats on the communication networks in the smart grid. In: Military Communications Conference, 2010 - MILCOM 2010, pp. 1830–1835 (2010)
  12. Wang, W., Lu, Z.: Survey cyber security in the smart grid: survey and challenges. Comput. Netw. 57(5), 1344–1371 (2013)
  13. Yang, Y., Littler, T., Sezer, S., McLaughlin, K., Wang, H.: Impact of cyber-security issues on smart grid. In: 2011 2nd IEEE PES International Conference and Exhibition on Innovative Smart Grid Technologies (ISGT Europe), pp. 1–7 (2011)
  14. McDaniel, P., McLaughlin, S.: Security and privacy challenges in the smart grid. IEEE Secur. Priv. 7(3), 75–77 (2009)
  15. Tøndel, I.A., Jaatun, M.G., Line, M.B.: Security threats in demo steinkjer - report from the telenor-sintef collaboration project on smart grids. Technical report, SINTEF/NTNU (2012)
  16. Dhillon, D.: Developer-driven threat modeling: lessons learned in the trenches. IEEE Secur. Priv. 9(4), 41–47 (2011)
  17. ISO/IEC: Information technology - Security techniques - Information security management systems - Requirements. ISO/IEC 27001, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Geneva, Switzerland (2005)
  18. Swiderski, F., Snyder, W.: Threat Modeling. Microsoft Press, Redmond (2004)
  19. Beckers, K., Côté, I., Hatebur, D., Faßbender, S., Heisel, M.: Common criteria compliAnt software development (CC-CASD). In: Proceedings 28th Symposium on Applied Computing, pp. 937–943. ACM (2013)
  20. Beckers, K., Hatebur, D., Heisel, M.: A problem-based threat analysis in compliance with common criteria. In: Proceedings of the International Conference on Availability, Reliability and Security (ARES), pp. 111–120. IEEE Computer Society (2013)
  21. Beckers, K., Küster, J.C., Faßbender, S., Schmidt, H.: Pattern-based support for context establishment and asset identification of the ISO 27000 in the field of cloud computing. In: Proceedings of the International Conference on Availability, Reliability and Security (ARES), pp. 327–333. IEEE Computer Society (2011)
  22. Beckers, K., Faßbender, S.: Peer-to-peer driven software engineering considering security, reliability, and performance. In: Proceedings of the International Conference on Availability, Reliability and Security (ARES) - 2nd International Workshop on Resilience and IT-Risk in Social Infrastructures (RISI 2012), pp. 485–494. IEEE Computer Society (2012)
  23. Beckers, K., Faßbender, S., Heisel, M., Meis, R.: Pattern-based context establishment for service-oriented architectures. In: Heisel, M. (ed.) Software Service and Application Engineering. LNCS, vol. 7365, pp. 81–101. Springer, Heidelberg (2012)
  24. Beckers, K., Faßbender, S., Küster, J.-C., Schmidt, H.: A pattern-based method for identifying and analyzing laws. In: Regnell, B., Damian, D. (eds.) REFSQ 2011. LNCS, vol. 7195, pp. 256–262. Springer, Heidelberg (2012)
  25. BSI: Protection Profile for the Gateway of a Smart Metering System (Gateway PP). Version 01.01.01 (final draft), Bundesamt für Sicherheit in der Informationstechnik (BSI) - Federal Office for Information Security Germany, Bonn, Germany (2011). https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/SmartMeter/PP-SmartMeter.pdf?_blob=publicationFile
  26. BSI: Protection Profile for the Security Module of a Smart Meter Gateway (Security Module PP). Version 1.0, Bundesamt für Sicherheit in der Informationstechnik (BSI) - Federal Office for Information Security Germany, Bonn, Germany (2013). https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/SmartMeter/PP_Security_%20Module.pdf?_blob=publicationFile
  27. OPEN node project: Evaluation of general requirements according state of the art. Technical report, OPEN node project (2010)
  28. OPEN node project: Functional Use cases. Technical report, OPEN node project (2011)
  29. OPEN meter project: D1.1 Requirements of AMI. Technical report, OPEN meter project (2009)
  30. Department of Energy and Climate Change: Smart metering implementation programme, response to prospectus consultation, overview document. Technical report, Office of Gas and Electricity Markets (2011)
  31. Department of Energy and Climate Change: Smart metering implementation programme, response to prospectus consultation, design requirements. Technical report, Office of Gas and Electricity Markets (2011)
  32. Mohsenian-Rad, A.H., Wong, V., Jatskevich, J., Schober, R., Leon-Garcia, A.: Autonomous demand-side management based on game-theoretic energy consumption scheduling for the future smart grid. IEEE Trans. Smart Grid 1(3), 320–331 (2010)

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Kristian Beckers (1)
  • Stephan Faßbender (1)
  • Maritta Heisel (1)
  • Santiago Suppan (2)

  1. paluno - The Ruhr Institute for Software Technology – University of Duisburg-Essen, Essen, Germany
  2. Siemens AG, Munich, Germany
