A Feasibility Study of a Method for Identification and Modelling of Cybersecurity Risks in the Context of Smart Power Grids

Power grids are undergoing a digital transformation are therefore becoming increasingly complex. As a result of this they are also becoming vulnerable in new ways. With this development come also numerous risks. Cybersecurity is therefore becoming crucial for ensuring resilience of this infrastructure which is critical to safety of humans and societies. Risk analysis of cybersecurity in the context of smart power grids is, however, particularly demanding due to its interdisciplinary nature, including domains such as digital security, the energy domain, power networks, the numerous control systems involved, and the human in the loop. This poses special requirements to cybersecurity risk identification within smart power grids, which challenge the existing state-of-the-art. This paper proposes a customized four-step approach to identification and modelling of cybersecurity risks in the context of smart power grids. The aim is that the risk model can be presented to decision makers in a suitable interface, thereby serving as a useful support for planning, design and operation of smart power grids. The approach applied in this study is based on parts of the "CORAS" method for model-based risk analysis. The paper also reports on results and experiences from applying the approach in a realistic industrial case with a distribution system operator (DSO) responsible for hosting a pilot installation of the self-healing functionality within a power distribution grid. The evaluation indicates that the approach can be applied in a realistic setting to identify cybersecurity risks. The experiences from the case study moreover show that the presented approach is, to a large degree, well suited for its intended purpose, but it also points to areas in need for improvement and further evaluation.