Vulnerability Identification and Assessment for Critical Infrastructures in the Energy Sector

Vulnerability identification and assessment is a key process in risk management. While enumerations of vulnerabilities are available, it is challenging to identify vulnerability sets focused on the profiles and roles of specific organizations. To this end, we have employed systematized knowledge and relevant standards (including National Electric Sector Cybersecurity Organization Resource (NESCOR), ISO/IEC 27005:2018 and National Vulnerability Database (NVD)) to identify a set of 250 vulnerabilities for operators of energy-related critical infrastructures. We have elaborated a "double-mapping" scheme to associate (arbitrarily) categorized assets, with the pool of identified Physical, Cyber and Human/Organizational vulnerabilities. We have designed and implemented an extensible vulnerability identification and assessment framework, allowing historized assessments, based on the CVSS (Common Vulnerability Scoring System) scoring mechanism. This framework has been extended to allow modelling of the vulnerabilities and assessments using the Structured Threat Information eXpression (STIX) JSON format, as Cyber Threat Intelligence (CTI) information, to facilitate information sharing between Electrical Power and Energy Systems (EPES) and to promote collaboration and interoperability scenarios. Vulnerability assessments from the initial analysis of the project in the context of Research and Technology Development (RTD) projects have been statistically processed, offering insights in terms of the assessment's importance and distribution. The assessments have also been transformed into a dynamic dataset processed to identify and quantify correlation and start the discussion on the interpretation of the way assessments are performed.