Success D3.4V1.0 Information Security Management Components and Documentation

SUCCESS D3.4 v1.0
Information Security Management Components and Documentation

The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700416.

Project Name: SUCCESS
Contractual Delivery Date: 31.01.2017
Actual Delivery Date: 31.01.2017
Contributors: ENG, SYN, ISMB, TW, REC
Work package: WP3 – Securing Smart Devices
Estimated person months: 3.45
Security: PU
Nature: R
Version: 1.0
Total number of pages: 46

Abstract: This document describes the SUCCESS DSO Security Monitoring Centre, which identifies attacks and applies countermeasures. This deliverable also presents a preliminary FIWARE Generic Enablers assessment. In the SUCCESS infrastructure at Neighborhood Area Network level, data is provided by the NORM (the Smart Meter Gateway being developed by SUCCESS) to the DSO Security Monitoring Centre, which analyses the data to detect cyber-attacks and apply countermeasures. The DSO Security Monitoring Centre provides its local Distributed Security Monitoring and Information System instance with information on applied countermeasures and grid status.

Keyword list: Security, communication, Utility, Architecture, Threat, Countermeasure

Disclaimer: All information provided reflects the status of the SUCCESS project at the time of writing and may be subject to change.

Page 1 (46) SUCCESS D3.4 v1.0

Executive Summary

This deliverable describes the SUCCESS DSO Security Monitoring Centre (DSOSMC), which is in charge of identifying and selecting, from several available alternatives, the most suitable countermeasures against cyber attacks for the specific smart meter application scenario.

This deliverable is the first of three documents describing the reference architecture of the DSO Security Monitoring Centre, and also gives a preliminary introduction to the component library (Generic Enablers) of the FIWARE catalogue.

Numerous attacks of various categories may be perpetrated against the entire Smart Grid or against specific components therein. Based on data gathered from the distribution grid, the decision support system developed in this deliverable identifies attacks and applies countermeasures. The DSO Security Monitoring Centre provides countermeasures both to the distribution operator and to the upper security level that manages a set of DSOs.

This document attempts to categorize the various attack types, and the countermeasures that can be used against such attacks, on the SUCCESS infrastructure at Neighborhood Area Network (NaN) level. It also defines the reference architecture of the DSO Security Monitoring Centre.

The current version of the deliverable, the first of several, documents the current status of the design of the DSO Security Monitoring Centre. The later versions will provide more details of the components and their interfaces.

Authors

Engineering – Ingegneria Informatica SPA (ENG): Antonello Corsi, Giampaolo Fiorentino
SYNELIXIS: Artemis Voulkidis
Istituto Superiore Mario Boella: Mikhail Simonov
Romanian Energy Centre: Mihai Sanduleac
Team Ware: Gianluca Zanetto

Table of Contents

1. Introduction
  1.1 Scope of this Deliverable
  1.2 Relation to other deliverables
  1.3 Deliverable Structure
2. DSO Security Monitoring Centre Reference Architecture
  2.1 DSO Security monitoring centre interactions
3. DSO Security Monitoring Centre Modules
  3.1 Key Management module
  3.2 Monitor module
    3.2.1 Description
    3.2.2 Input, output and relationships
  3.3 Analytics module
    3.3.1 Description
    3.3.2 Input, output and relationships
  3.4 Countermeasures Extraction tool
    3.4.1 Description
    3.4.2 Input, output and relationships
  3.5 Semantically Enhanced Countermeasures
    3.5.1 Description
  3.6 Dashboard
    3.6.1 Description
    3.6.2 Input, output and relationships
  3.7 Countermeasure knowledge database
    3.7.1 Description
    3.7.2 Input, output and relationships
  3.8 Introduction to FIWARE
    3.8.1 FIWARE and SUCCESS
    3.8.2 Security Chapter
    3.8.3 Internet of Things services enablement Chapter
    3.8.4 Architecture of Applications/Services Ecosystem and Delivery Framework Chapter
    3.8.5 Data/Context Management
4. Countermeasures identification
  4.1 Threat Classification and risk analysis at NAN level
  4.2 Countermeasures Classification analysis at NAN level
  4.3 Threat and countermeasures model at NaN level in DSOSMC
    4.3.1 Threat Model
    4.3.2 Countermeasures Model
    4.3.3 Countermeasure List
      4.3.3.1 Perimeter and device case breached
      4.3.3.2 Communication link unavailable
      4.3.3.3 Device unavailable
      4.3.3.4 Device behaving suspiciously
      4.3.3.5 DoS suspicion
      4.3.3.6 Detection of malware propagation
5. References
6. List of Abbreviations

1. Introduction

1.1 Scope of this Deliverable

The main scope of this deliverable is to describe the main functionalities, mechanisms and internal architecture of the DSO Security Monitoring Centre (DSOSMC), designed and developed in Task 3.3. The core DSOSMC functionalities are, first, to detect and recognize potential threats underway in the network and, next, to propose suitable countermeasures to mitigate the identified threats either proactively or reactively, effectively implementing a Decision Support System (DSS). The current deliverable describes those DSS mechanisms.

This deliverable is released in three versions, V1, V2 and V3, at M9, M15 and M24 respectively. The three versions are organized as
