3.8 Cyber Security Issues Affecting Distribution
3.8.3 Cyber Security Risk Mitigation Categories
Mitigations against the effects of attacks and failures are often described as falling into eight categories. An individual security countermeasure can serve one or more of these purposes.
- Prevention of attack, by taking active measures that are in effect at all times and are designed to prevent a failure or attack. These usually are engineering designs and procedures, as well as cyber security design and architecture measures.
- Deterrence to a failure or attack, to try to make failures and attacks less likely, or at least delay them long enough for counter actions to be undertaken.
- Detection of a failure or attack, to notify the appropriate person or systems that an attack or failure event took place. This notification could also include attempts at attacks or failures that “self-healed”. Detection is crucial to all other security measures, since if an attack is not recognized, little can be done about it. Monitoring of systems and communications is critical, and intrusion detection capabilities can play a large role in this effort.
- Assessment of a failure or attack, to determine the nature and severity of the attack. For instance, is the entry of a number of wrong passwords just someone forgetting their password, or is it a deliberate attempt by an attacker to guess some likely passwords?
- Response to a failure or attack, which includes actions by the appropriate authorities and computer systems to stop the spread of the attack or failure in a timely manner. This response can then deter or delay a subsequent attack or failure, or mitigate the impact of cascading failures or attacks.
- Coping during a failure or attack, which includes initiating additional activities to mitigate the impacts, such as performing switching operations to improve the resilience of the power system, sending crews to failure sites, requiring increased authentication measures for any interactions with compromised systems, and gracefully degrading performance as necessary.
- Resilience during failure or attack, which involves sustaining minimum essential operations during attack despite system compromise and some operational degradation.
- Recovery from a failure or attack, which includes restoration to normal operations after a failure has been corrected, requiring full virus and validation scans of affected systems, or changing passwords for affected systems.
- Audit and legal reactions to a failure or attack, which could include analyzing audit logs, assessing the nature and consequences of the event, performing additional risk assessments, and even pursuing litigation against those responsible for the event.
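The detection and assessment categories above turn on a concrete question: given a run of failed logins, is it an operator who forgot a password or an attacker guessing? The following is an added example, not part of the original report, showing one way an assessment step can triage failed-login events from monitoring data. The log format, host and user names, source addresses and thresholds are all assumptions constructed for illustration; the two source addresses are chosen so that one exhibits the "forgotten password" pattern and the other the "guessing across accounts" pattern.

```python
"""Assessment example: triage failed-login events from an authentication log.

Added example, not from the original report. The log format, thresholds,
host names and addresses are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in an assumed key=value format
# (not the format of any real device or product).
SAMPLE_LOG = """\
2024-03-01T08:00:01 host=rtu-07 user=operator src=10.1.5.20 result=FAIL
2024-03-01T08:00:09 host=rtu-07 user=operator src=10.1.5.20 result=FAIL
2024-03-01T08:00:30 host=rtu-07 user=operator src=10.1.5.20 result=OK
2024-03-01T09:15:00 host=rtu-07 user=admin src=10.9.9.9 result=FAIL
2024-03-01T09:15:01 host=rtu-07 user=root src=10.9.9.9 result=FAIL
2024-03-01T09:15:02 host=rtu-07 user=operator src=10.9.9.9 result=FAIL
2024-03-01T09:15:03 host=rtu-07 user=engineer src=10.9.9.9 result=FAIL
2024-03-01T09:15:04 host=rtu-07 user=guest src=10.9.9.9 result=FAIL
2024-03-01T09:15:05 host=rtu-07 user=scada src=10.9.9.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Thresholds are assumptions chosen for the example, not recommended values.
WINDOW = timedelta(minutes=5)            # failures closer than this are one burst
MAX_FORGOTTEN_FAILS = 3                  # a few tries on one account is plausible
MIN_DISTINCT_USERS_FOR_GUESSING = 3      # many accounts from one source is not

VERDICT_FORGOTTEN = "likely forgotten password"
VERDICT_GUESSING = "likely guessing (many accounts from one source)"
VERDICT_REVIEW = "needs analyst review"


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def assess(events):
    """Group failed logins by source address and classify each source.

    Returns {src: {"failures": n, "distinct_users": k, "verdict": text}}.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        if not fails:
            continue  # nothing to assess for this source
        first = fails[0]["ts"]
        burst = [e for e in fails if e["ts"] - first <= WINDOW]
        users = {e["user"] for e in burst}
        # A legitimate user who forgot a password typically gets in shortly after.
        followed_by_success = any(
            e["result"] == "OK" and e["ts"] >= first for e in evs
        )
        if len(users) >= MIN_DISTINCT_USERS_FOR_GUESSING:
            verdict = VERDICT_GUESSING
        elif len(burst) <= MAX_FORGOTTEN_FAILS and followed_by_success:
            verdict = VERDICT_FORGOTTEN
        else:
            verdict = VERDICT_REVIEW
        findings[src] = {
            "failures": len(burst),
            "distinct_users": len(users),
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for src, f in assess(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['failures']} failures across "
              f"{f['distinct_users']} account(s) -> {f['verdict']}")
```

The point of the example is the assessment logic, not the parser: a burst of failures against one account that ends in a successful login reads very differently from the same number of failures spread across many accounts from a single source, and the response (ignore, lock out, escalate) should follow from that distinction rather than from the raw failure count.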