CWRAF Vignette Details - Domain energy
The MITRE Corporation Copyright © 2013
http://cwe.mitre.org/cwraf/
CWRAF version: 0.8.3
Date: April 3, 2013
Project Coordinator: Bob Martin (MITRE)
Document Editor: Steve Christey (MITRE)
CWRAF Vignettes - energy
Within the Common Weakness Risk Analysis
Framework (CWRAF), a vignette
provides a shareable, formalized way to define a particular
environment, the role that software plays within that environment, and
an organization's priorities with respect to software security. It
identifies essential resources and capabilities, as well as their
importance relative to security principles such as confidentiality,
integrity, and availability. For example, in an e-commerce context,
99.999% uptime may be a strong business requirement that drives the
interpretation of the severity of discovered weaknesses.
Vignettes allow CWSS to
support diverse audiences who may have different requirements for how
to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.
This page currently contains details for 6 vignettes within
the "energy" domain. These are illustrative only; the CWRAF
community will help to refine these and develop others. Feedback is
welcome.
Vignette Summary
Name | Description
Household Smart Meter | Meter within the Smart Grid that records electrical consumption and communicates this information to the supplier on a regular basis.
Smart Grid remote utility server | Obtains information from smart meters through neighborhood gateways.
Smart Grid Neighborhood Gateway | Appliance between smart meter and remote utility server.
Regional Electricity Flow Control | Flow control for an electricity network throughout a relatively large region, to further connect suppliers and consumers. Power now enters the grid from both sides (classic provider, but also home-to-provider, e.g. home photo-voltaic and wind turbines in homes and throughout the landscape). The system needs to have "smarts" to support the load-leveling capabilities of the grid, which is basically a large distributed SCADA-type system.
SCADA Historian | Historian server for archival and analysis of data for a SCADA system. Contains a database backend and is accessible via a web interface. Access to the server is typically restricted to a DMZ or internal network.
Distributed Production Facility Management using SCADA Web-based HMI | A web-based Human Machine Interface (HMI) for SCADA systems. Users can visualize and control industrial automation processes in real time from a control interface directly in communication with remote sensors and data collection points. All facets of production can be monitored and managed from a web browser. The HMI uses various frameworks (Java, .NET, etc.) with a RESTful architecture (AJAX, XML, SOAP, XSL, and WML).
Vignette Details
Vignette Definition: Household Smart Meter
Name | Household Smart Meter
ID | smart-meter
Maturity | under-development
Domain | energy
Desc | Meter within the Smart Grid that records electrical consumption and communicates this information to the supplier on a regular basis.
Archetypes | Web client, Process Control Systems, Embedded Device
Business Value Context (BVC) | Confidentiality of customer energy usage statistics is important; they could be used for marketing or illegal purposes. For example, hourly usage statistics could be useful for monitoring activities. Integrity of metering data is important because of the financial impact on stakeholders (consumers manipulating energy costs). Availability typically is not needed in real time; other avenues exist (e.g. a site visit) if communications are disrupted.
Notes |
References |
- Smart Meters Can Be Hacked: Security Experts. Ken Kalthoff, Oct 9, 2009
- More Researchers Point to Smart Meter Security Holes. Jordan Robertson, Mar 26, 2010
- Smart Metering Communications Issues and Technologies
- Smart Grids and Smart Water Metering in The Netherlands. Henk Jan Top, EC, ICT for Water Management, June 11th, 2010
- Security Pros Question Deployment of Smart Meters. Kim Zetter, March 4, 2010
- Smart Meter Security: A Work in Progress
- Private Memoirs of a Smart Meter. Andres Molina-Markham, Prashant Shenoy, Kevin Fu, Emmanuel Cecchet, and David Irwin
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 8 | Attacker might be able to modify consumption reports, leading to financial loss; possible inefficiencies in grid management due to incorrect reporting of actual consumption. Attacker could turn appliances and other home systems on/off.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 4 | Attacker could read customer energy usage statistics, for marketing or surveillance.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 4 | Delays in reporting to provider, possibly delays in billing and collections. Availability may be restored if meter stays online long enough. Possible financial impact if a site visit is required.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | 4 | Delays in reporting to provider, possibly delays in billing and collections. Availability may be restored if meter stays online long enough. Possible financial impact if a site visit is required.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 9 | Attacker could read customer energy usage statistics for marketing or surveillance, disable the meter, or modify consumption reports, leading to financial loss; possible inefficiencies in grid management due to incorrect reporting of actual consumption.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 7 |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 7 |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | 5 | Cannot obtain sufficient evidence for criminal prosecution of fraud.
Hide activities | Application | 5 | Cannot obtain sufficient evidence for criminal prosecution of fraud.
Hide activities | Network | |
Hide activities | Enterprise | |
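The scorecard above is what lets CWSS prioritize the same weakness differently per vignette. The following is an added example (not MITRE's code) that encodes the Household Smart Meter and SCADA Historian scorecards from this page and ranks a constructed set of CWE entries by their vignette-specific technical impact. It assumes the rule "highest subscore across a weakness's technical impacts and layers, divided by 10" for deriving CWSS's Quantified Technical Impact weight, and the CWE-to-impact mapping is constructed for illustration.

```python
"""Rank weaknesses by vignette-specific technical impact (added example).

Scorecard subscores are copied from this page. The rule used to turn a
scorecard into a 0..1 weight (max subscore over the weakness's impacts and
layers, divided by 10) is an assumption about how CWSS's "Quantified"
Technical Impact is derived from a vignette; the CWE-to-impact mapping is
constructed for illustration only.
"""
from typing import Dict, Iterable, List, Optional, Tuple

LAYERS = ("System", "Application", "Network", "Enterprise")
Scorecard = Dict[Tuple[str, str], int]

# (impact, layer) -> subscore. Cells left blank on the page are absent here.
SMART_METER_SCORECARD: Scorecard = {
    ("Modify data", "Application"): 8,
    ("Read data", "Application"): 4,
    ("DoS: unreliable execution", "Application"): 4,
    ("DoS: resource consumption", "Application"): 4,
    ("Execute unauthorized code or commands", "Application"): 9,
    ("Gain privileges / assume identity", "Application"): 7,
    ("Bypass protection mechanism", "Application"): 7,
    ("Hide activities", "System"): 5,
    ("Hide activities", "Application"): 5,
}

SCADA_HISTORIAN_SCORECARD: Scorecard = {
    ("Modify data", "Application"): 7,
    ("Read data", "System"): 4,
    ("DoS: unreliable execution", "Application"): 9,
    ("DoS: resource consumption", "System"): 9,
    ("Execute unauthorized code or commands", "Application"): 9,
    ("Gain privileges / assume identity", "System"): 7,
    ("Bypass protection mechanism", "System"): 7,
    ("Hide activities", "Application"): 4,
}

# Constructed sample: weaknesses and the technical impacts they can lead to.
SAMPLE_WEAKNESSES: Dict[str, List[str]] = {
    "CWE-78 (OS command injection)": ["Execute unauthorized code or commands", "Modify data"],
    "CWE-200 (information exposure)": ["Read data"],
    "CWE-400 (uncontrolled resource consumption)": ["DoS: resource consumption"],
    "CWE-778 (insufficient logging)": ["Hide activities"],
}


def subscore(scorecard: Scorecard, impact: str, layer: str) -> Optional[int]:
    """Subscore for one impact/layer cell, or None when the vignette left it blank."""
    return scorecard.get((impact, layer))


def quantified_ti(scorecard: Scorecard, impacts: Iterable[str],
                  layers: Iterable[str] = LAYERS) -> float:
    """Assumed Quantified TI weight: highest subscore over impacts x layers, / 10.

    A weakness whose impacts are all blank (or unknown) in the vignette gets 0.0,
    so it drops to the bottom of the ranking instead of raising an error.
    """
    best = 0
    for impact in impacts:
        for layer in layers:
            s = subscore(scorecard, impact, layer)
            if s is not None and s > best:
                best = s
    return best / 10.0


def rank_weaknesses(scorecard: Scorecard,
                    weaknesses: Dict[str, List[str]]) -> List[Tuple[str, float]]:
    """Weaknesses sorted by vignette-specific weight, highest first (ties by id)."""
    scored = [(cwe, quantified_ti(scorecard, imps)) for cwe, imps in weaknesses.items()]
    return sorted(scored, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for name, card in (("smart-meter", SMART_METER_SCORECARD),
                       ("scada-hist", SCADA_HISTORIAN_SCORECARD)):
        print(f"== {name} ==")
        for cwe, weight in rank_weaknesses(card, SAMPLE_WEAKNESSES):
            print(f"  {weight:3.1f}  {cwe}")
```

Run stand-alone, it shows CWE-400 jumping from a 0.4 weight under the smart-meter vignette to 0.9 under the historian, where availability outranks confidentiality.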
Vignette Definition: Smart Grid remote utility server
Name | Smart Grid remote utility server
ID | smart-grid-RUS
Maturity | stub
Domain | energy
Desc | Obtains information from smart meters through neighborhood gateways.
Archetypes | Web client, Process Control Systems, Embedded Device
Business Value Context (BVC) | TBD.
Notes |
References |
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |
Vignette Definition: Smart Grid Neighborhood Gateway
Name | Smart Grid Neighborhood Gateway
ID | smart-grid-gw
Maturity | stub
Domain | energy
Desc | Appliance between smart meter and remote utility server.
Archetypes | Web client, Process Control Systems, Embedded Device
Business Value Context (BVC) | TBD.
Notes |
References |
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |
Vignette Definition: Regional Electricity Flow Control
Name | Regional Electricity Flow Control
ID | reg-elec
Maturity | stub
Domain | energy
Desc | Flow control for an electricity network throughout a relatively large region, to further connect suppliers and consumers. Power now enters the grid from both sides (classic provider, but also home-to-provider, e.g. home photo-voltaic and wind turbines in homes and throughout the landscape). The system needs to have "smarts" to support the load-leveling capabilities of the grid, which is basically a large distributed SCADA-type system.
Archetypes | Process Control Systems, Web client, Web server
Business Value Context (BVC) | Successful attacks could cause financial loss (consumers manipulating energy costs) or affect the grid itself. Privacy is a concern for consumers (energy usage revealing activities).
Confidentiality of customer energy usage statistics is important (they could be used for marketing or "illegal" purposes). Confidentiality, integrity, and availability requirements will vary depending on the specific application. For example, energy usage or billing statistics of customers are generally important for confidentiality (hourly stats could be used for monitoring activities, for example), but availability can vary from minimal (customer Home Area Networks, which have few real-time requirements) to important (portions of AMI networks that require real-time interaction).
Key management is important. Wireless interactions may be common. Some components will not be in physically secure environments. Integrity of metering data is important because of the financial impact on stakeholders. Monitoring and control may have different priorities.
Notes |
References |
- Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters. Jonathan Pollet, CISSP, CAP, PCIP. July 2010. Page 16 includes a breakdown of various consequences / vulnerability types found, focusing on the Operational DMZ (ISA99 level 3). Also talks about AMR and smart meters.
- DRAFT NISTIR 7628 - Smart Grid Cyber Security Strategy and Requirements. Includes logical architecture and interfaces, high-level security requirements, privacy, C-1 vulnerability classes, and other documents for control systems. Appendix A includes use cases with various CIA analyses. The functional logical architecture represents a blending of the initial set of use cases and requirements that came from the workshops and the initial NIST Smart Grid Interoperability Roadmap, including the individual logical interface diagrams for the six application areas: electric transportation, electric storage, advanced metering infrastructure (AMI), wide area situational awareness (WASA), distribution grid management, and home area network/business area network (HAN/BAN).
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |
Vignette Definition: SCADA Historian
Name | SCADA Historian
ID | scada-hist
Maturity | under-development
Domain | energy
Desc | Historian server for archival and analysis of data for a SCADA system. Contains a database backend and is accessible via a web interface. Access to the server is typically restricted to a DMZ or internal network.
Archetypes | Process Control Systems, Database, Web client, Web server
Business Value Context (BVC) | Confidentiality is generally regarded as less important than integrity, which is regarded as less important than availability. Modification of data could cause users to make incorrect decisions, potentially leading to inefficiencies or accidents.
Notes |
References |
- Cyber Assessment Methods for SCADA Security. May Robin Permann, Kenneth Rohde. 2005. Includes an attack model for "Modifying Alarms and Commands." Primary focus is on vulnerability assessment of COTS.
- Top 10 Most Critical ICS Vulnerabilities. Quote: "Historian server is used for data archiving and analysis and is typically an integral part of an ICS. It is usually located in a DMZ or on the corporate network. Threats to the historian include compromise of the historian host and data corruption. ICS historians typically utilize a common SQL server as its backend. The historical data is often made available for viewing via a custom Web interface or application." Security goals: confidentiality < integrity < availability.
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 7 | Modified data could cause operators to make incorrect decisions, potentially leading to inefficiencies or accidents.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | 4 | Attackers could learn the state of the system and its configuration, and possibly launch other attacks.
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 9 | Inability of operators to view current state or change system behaviors.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | 9 | Reduced ability of operators to view current state or change system behaviors.
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 9 | Modified data could cause operators to make incorrect decisions, potentially leading to inefficiencies or accidents.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | 7 |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | 7 |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | 4 | Inability to detect the source or cause of an attack.
Hide activities | Network | |
Hide activities | Enterprise | |
Vignette Definition: Distributed Production Facility Management using SCADA Web-based HMI
Name | Distributed Production Facility Management using SCADA Web-based HMI
ID | web-scada-hmi
Maturity | under-development
Domain | energy
Desc | A web-based Human Machine Interface (HMI) for SCADA systems. Users can visualize and control industrial automation processes in real time from a control interface directly in communication with remote sensors and data collection points. All facets of production can be monitored and managed from a web browser. The HMI uses various frameworks (Java, .NET, etc.) with a RESTful architecture (AJAX, XML, SOAP, XSL, and WML).
Archetypes | Web browser, Web application, Web server, Endpoint System, General-purpose OS, Internet Communications, Wireless Communications, Process Control Systems, Web service, Database
Business Value Context (BVC) | The current generation of SCADA systems utilizes web technologies and open protocols, which has resulted in more scalable industrial control processes but has also exposed what were previously closed systems to Internet-based cyber threats. Weak authentication is the foremost concern for web-based HMI SCADA systems due to the ubiquity of access provided by the web browser. Malware and rootkits designed to compromise web users' systems are an equally serious concern, as "drive-by download" attacks and other attacks against web browsers are becoming increasingly common.
The second greatest threat is the lack of security checks ensuring proper authorization. Many SCADA systems, while providing some form of authentication system, lack the ability to enforce differing levels of access control between users and other critical system functions. Without effective access control design and implementation, for example, an attacker who breaches a SCADA system and who understands the control codes could spoof messages from a sensor, resulting in invalid readings that could trigger adverse actions as the system tries to correct an erroneous problem. This attack could easily trigger systemic instability across the facility, including a complete shutdown of the plant or facility, if not seriously damaging mission-critical systems.
Issues of confidentiality and availability are typically less important security concerns for SCADA systems as a category. Network-based denial of service (DoS) attacks, which do not involve stealthy commanding of key control systems, are unlikely to affect the functioning of the SCADA system. Likewise, network sniffing (eavesdropping) attacks are less serious threats, because eavesdropping on the network traffic of a SCADA system will be only marginally useful to an attacker without special training.
Notes |
References | No references recorded.
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | 10 | By manipulating memory it may be possible to cause mission-critical SCADA systems to crash or become unstable.
Modify data | Application | 10 | Modify valid data reports or create false readings from SCADA sensors, causing the system to respond in an adverse manner and possibly creating instability within the plant or installation. Modify or delete SCADA system monitoring logs, alter sensor readings, or change or corrupt core files used for monitoring the SCADA system via the HMI browser. Because the SCADA system can be remotely monitored and controlled via a web application interface, an attacker who knows which application values to change can control the facility.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | 6 | Read SCADA information or steal the web client's cryptographic keys used for encrypting SCADA data. Obtain configuration information and possibly discover the key industrial systems and nodes which could be attacked. Obtain detailed information on the operations of a SCADA facility by reading application data used by the web-based HMI control apparatus. This could allow an attacker to map out key industrial systems or monitor the operations of the facility covertly.
Read data | Application | 6 | Read and monitor SCADA data in an unauthorized manner, possibly interpreting the hex codes to ascertain the status of particular SCADA sensors.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 5 | Plant administrators cannot efficiently poll data from SCADA systems due to frequent crashing and restarting of the web application controller or the HMI browser interface. An attack aimed at the web application used for controlling the SCADA plant could prevent administrators from connecting to the system and using the control interface.
DoS: unreliable execution | Network | 7 | Attacks against the Internet gateway could prevent the SCADA system from communicating with other plants or facilities.
DoS: unreliable execution | Enterprise | 5 | With a memory shortage, the HMI web-based control system becomes slow and unresponsive and possibly crashes. Controlling and monitoring plant operations becomes difficult as either the browser HMI or the controller web application runs out of memory. Attacks against the control web application would likely cause it to crash, temporarily disabling plant control via the browser-based HMI.
DoS: resource consumption | Application | 7 | The HMI web-based control system becomes slow and unresponsive. Controlling and monitoring plant operations is difficult because of the slow response times from the browser interface. Attacks against the control web application could slow the control processes and possibly halt them altogether until the application is restarted.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 10 | Read or modify the browser HMI or the web application controller for the plant or facility. Executing commands via the control interface could give an attacker the ability to shut down the plant or facility, or possibly cause a catastrophic failure by causing a key system (e.g. a heat exchanger) to lose efficiency or fail.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 10 | Attacker can perform administrative functions by assuming the role of an authorized administrator. The degree of damage that could be done is limited only by the privileges of the assumed role and the attacker's knowledge of the SCADA system's operation.
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 9 | Bypassing control-based protection mechanisms could allow an attacker to manipulate the SCADA system without sufficient authorization.
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | 8 | Inability to identify the source of an attack. Cannot obtain sufficient evidence for criminal prosecution or ensure that the attacker's footholds have been eliminated from the SCADA system.
Hide activities | Network | |
Hide activities | Enterprise | |