=Paper=
{{Paper
|id=Vol-2834/Paper29.pdf
|storemode=property
|title=Improving the Courses of Educational Programs on Information Security Smart Grid
|pdfUrl=https://ceur-ws.org/Vol-2834/Paper29.pdf
|volume=Vol-2834
|authors=Alexander A. Olifirov,Krystina A. Makoveichuk,Sergei A. Petrenko
}}
==Improving the Courses of Educational Programs on Information Security Smart Grid==
https://ceur-ws.org/Vol-2834/Paper29.pdf
340
Improving the Courses of Educational Programs on
Information Security Smart Grid*
Alexander V. Olifirov 1 [0000-0002-5288-2725], Krystina A. Makoveichuk1 [0000-0003-1258-0463],
Sergei A. Petrenko 2 [0000-0003-0644-1731]
1 V.I. Vernadsky Crimean Federal University, Simferopol, Russia
christin2003@yandex.ru
alex.olifirov@gmail.com
2 Innopolis University, Kazan, Russia
s.petrenko@rambler.ru
Abstract. Global trends directly or indirectly affect the directions of develop-
ment of the electric power industry in Russia, including the power grid complex.
Therefore, it is necessary not only to monitor these trends, but also to strive to
respond to them in a timely manner. Smart Grids (SGs) represent a new concept
in the development of electric power infrastructure in a digital economy. The
widespread use of digital technology is a key factor in providing customers with
intelligent electricity services. Existing courses, educational programs in such a
situation do not always meet the requirements of the new concept and do not
allow the formation of the necessary new competencies. This article provides
recommendations for improving educational activities based on the risk analysis
of the electricity company and compiling a competency map for an educational
program for training personnel in the field of security risk management for SG,
methodological approaches to teaching courses are discussed.
Keywords: certified courses; educational program; skills approach; professional
competences; Information Security; intellectual power company.
1 Problem statement and its relationship with the most
important scientific and practical objectives
Specialists who wish to improve their qualifications and professional level and study,
within the framework of certified training courses, information security (IS) problems
in the field of innovative electric power, should become owners of professional com-
petencies and the ability to master working methods related to basic principles, concep-
tual approaches and information technologies used in multilevel information protection
* Copyright 2021 for this paper by its authors. Use permitted under Creative Commons License
Attribution 4.0 International (CC BY 4.0).
� 341
in organizations. These competencies should correspond to the types of professional
activities that the certified courses program is oriented to. At the same time, competen-
cies should be consistent with the innovations of an enterprise operating based on the
Smart Grid concept. That is, the graduate of the courses must be able and know what
the employees of innovative enterprises in this industry know.
In this regard, the problem arises of determining the goals of improving the profes-
sional level of students, selecting the content of teaching materials of the educational
process, assessing educational results and matching competencies with the modern
level of activity of enterprises and organizations in the field of information security in
the electric power industry based on the Smart Grid concept.
The aim of the article is to improve the courses of educational programs in infor-
mation security based on ensuring the completeness and complexity of the competen-
cies of graduates in the field of IS Smart Grid management.
2 Competent approach to training specialists in the field of
information security management
First, the research is related to competences and competence-based approach. The con-
cept of a “skills-based approach” (or “competency-based approach”) has become wide-
spread in connection with the solution of problems of improving the education of Rus-
sia, as well as the transition to the implementation of federal educational standards of
higher education. Curriculum on a skills-based approach can be considered as a set of
principles, goals of education, selection of the content of education, organization of the
educational process and assessment of educational results. The professional compe-
tence of an individual can be considered as the goal and result of education.
In this regard, the implementation of the skills-based approach to training specialists
in the field of information security management and the study of trends in this area will
allow domestic information security specialists to increase their competitiveness in the
international markets of information goods and services.
The international vector of development of education in the field of information se-
curity management, which is based on the following courses, is of particular interest:
CISSP (Certified Information Systems Professional);
CSSLP (Certified Secure Software Lifecycle Professional);
CISM (Certified Information Security Manager);
CISA (Certified Information Systems Auditor).
The training materials for these courses have been tested at Bauman Moscow State
Technical University, at Financial University under the Government of the Russian
Federation when conducting appropriate certification courses for information security
specialists [4].
A graduate of the courses should have professional competences: to know the basic
methods of information security management, be able to improve methods of infor-
mation security, have the skills to assess the effectiveness of information security in
�342
organizations. At the same time, the following seven main sections can be distinguished
in certified courses [4, 5, 6, 9, 12]:
1. IS management;
2. secure access;
3. network security;
4. cryptographic information security;
5. development of safe programs;
6. modeling and conformity assessment;
7. business continuity and recovery.
In Smart Grid information systems, which are an innovative field, this knowledge and
skills, together with their ability to adequately and successfully apply them, can be
formed only directly when solving the corresponding problems in the framework of
practical activities. They cannot be fully acquired in the course of obtaining education,
since in educational institutions there are practically no tasks from the real practice of
managing information security of modern companies, including Smart Grid. It should
be noted that the threat and risk are determined not abstractly, but relatively specifically
protected resources [4, p. 9]. However, this paradox is partially solved by the creation
of pilot laboratories, the development of cases, the widespread use of simulation of the
main and supporting and auxiliary business processes.
The focus of production of something new in the electric power industry is shifting
in modern conditions to the creation of innovative smart grids. The introduction of the
Smart Grid concept provides for the development of smart grid technology and means
a fundamental reorganization of the electric energy services market [2, 10]. Federal
Grid Company of Unified Energy System (FGC UES, PJSC) is one of the largest en-
terprises in the electric power industry, rendering services in the transmission and dis-
tribution of electric energy, in connection to electric networks and in the collection,
transmission and processing of technological information, including measurement and
accounting data. PJSC FGC UES provides half of the total energy consumption in Rus-
sia at the expense of electricity transmitted through its networks. This company controls
142 thousand km of high-voltage transmission lines and 944 substations with a total
capacity of over 345 gigawatts [13].
Electricity company in terms of risk indicators assessment:
─ determines for the planned annual period quantitative and qualitative indicators of
the propensity to operational risk (OR), including the risk of IS (risk appetites of OR
and IS)
─ sets target levels of these indicators: signal (acceptable) level and control (limit)
level
─ performs calculation and justification of signal and control values of risk appetite
indicators when approving a risk and capital management strategy.
FGC UES approved a register of key operational risks, assesses their impact on the
achievement of target performance indicators of the Company, annually updates the
level of materiality and takes measures to manage risks.
� 343
The company uses three methods of risk response: risk avoidance; risk acceptance;
reduction or transfer of risk (Fig. 1). The choice of a method for responding to risks
depends on the significance of the risks.
A network operating on the basis of the Smart Grid concept is able to detect the
damaged area itself, de-energize it and automatically power consumers who are briefly
left without power. Controllers with freely programmable logic implement algorithms
for configuring power supply schemes for various emergencies and provide network
automation.
Risk response
Determination
Risk assess- techniques
Approval of of the level of
ment methods (risk avoid-
the register of significance of
1. Scenario ex- ance; risk ac-
key opera- the risk (mod-
pert ceptance; risk
tional risks erate, signifi-
2. Expert reduction or
cant, critical)
transfer)
Fig. 1. Risk Assessment and Management Scheme for an Electricity Company
Energy companies are characterized by both general risks and specific ones inherent in
one or another type of activity, depending on the scope of their operation. Risks in the
information systems of network companies can be identified and increased at any point
in the life cycle of these systems, from the decision to create a system (purchase, de-
velopment of hardware and technical means) and ending with the implementation of
the system.
�344
Fig. 2. The scheme of the relationship of risks of enterprises of the electric power industry
Nonetheless, the methods of creating information systems cannot be separated from the
main goals of entrepreneurial activity and cannot be unrelated to environmental influ-
ences and limitations [3]. To effectively use information systems, an entrepreneur must
understand the socio-economic risks and limitations of technology development, im-
plementation and use of systems (Fig. 2).
Information systems are created to prevent a company's business risk. This risk can
be in the form of an increase in the cost of services provided, a decrease in income.
Business information systems should reduce risks by increasing the effectiveness of
managers' actions, based on mathematical models of risk optimization and cyber risk
management methods at various levels: enterprise, regional, federal [8, 10, 11].
� 345
3 Map of competencies of specialists in the field of information
security of an intellectual network
The shortage of specialists in the field of information security, who in the digital econ-
omy are ready to solve the key tasks of the coming decade, is focused on innovative
products and the creation of new markets and the globalization of companies. Systems
for training specialists for information security management should begin to train spe-
cialists with knowledge and competencies in several subject areas who can work with
both internal and external risks, both operational and IT risks (cyber risks) and are able
to anticipate future transformations. Changes in the set and nature of competencies are
one of the key aspects of the change in the qualification structure of the operational risk
management system of an electric utility company and its information security service.
It is possible to identify the relationship between the level of human capital and in-
formation security of a high-tech innovative company, which can be expressed in the
number of patents obtained, the creation of new competencies, the introduction of new
information security practices, etc.
The main subject of the study is the need to analyze exactly what competencies and
qualifications are needed to ensure the information security of companies and how this
will affect the training system for its personnel. For the world's leading electricity com-
panies, innovation is an important source of income. Estimates show that the transition
to an innovative development option based on smart energy will be accompanied by a
significant decrease in the commissioning of new power plants and related network
facilities for generating capacity. As a result, the reduction in investment is the most
significant systemic economic effect. The second largest effect is the reduction in the
fuel costs of power plants. New technologies bring energy companies not only new
opportunities but also create new threats and risks. Therefore, the introduction of a new
system of smart metering devices (Smart Meters), allowing remote transmission of en-
ergy consumption data of a client, has opened up many new ways of theft of electricity
[7]. In addition to the previously known forms of theft based on various mechanical
influences on the meter, smart meter vulnerabilities allow an attacker to compromise
real energy consumption data at the software level. Thus, the effect of the introduction
of innovation also brings additional annual economic losses to energy companies from
theft.
The competency clusters and processes are identified on the basis of the analysis of
the interaction scheme of the power company divisions in the operational risk manage-
ment system and their IS risks (cyber risks), based on expert estimates and taking into
account the competence clusters used in the practice of leading companies from the
standpoint of information security of the smart energy network [1].
The operational risk management system in an electric power company consists of
the following elements:
1. a specialized subdivision of the organization that carries out operational risk man-
agement procedures - the operational risk management service (ORMS);
2. a specialized unit of the organization that performs information security risk man-
agement procedures (IS service);
�346
3. subdivisions-owners of the organization's business processes and subdivisions that
support the organization's business processes (hereinafter referred to as competence
centers), use information technologies and carry out risk identification, collection of
information and informing about the identified risk, assessment of identified risks
inherent in the processes of competence centers (within their competence), develop-
ment and implementation of measures aimed at reducing the negative impact of op-
erational and information security risks, as well as monitoring the level of opera-
tional risk and information security risk in their processes;
4. classifiers used in the operational risk and information security management system;
5. an event database containing information on operational risk and IS risk events and
losses from all types of risks;
6. benchmarks of the electric power company and a system of measures aimed at im-
proving the quality of the information security management system and reducing the
negative impact of risks;
7. an automated information system, the scope and functionality of which is determined
by the nature and scale of the operations and processes of the electric power com-
pany.
In Figure 3, which reflects the interaction of company departments in the context of the
integration of information security risks, the following conventions are adopted:
1 - the information security service (ISS) ensures the identification of IS incidents
(IS risk events) and the identification of sources, threats and vulnerabilities of the threat
(attack) implementation, the identification of business processes, systems affected by
the incident, makes an immediate response to the incident in accordance with the pro-
cedure established by the company and transmits information about the incident to the
business unit and to the ORMS;
2 - business units respond to an incident: they suspend business processes, block ac-
counts, etc. and transmit the consequences of the incident to the ORMS;
3 - the operational risk management system determines the extent and degree of im-
pact of the incident (IS risk event) on other risks and business processes, classifies the
incident according to the operational risk methodology and reflects it in the event data-
base;
4 - the operational risk management system determines, together with business units
and the operational risk management system, incident losses (IS risk events); defines
measures to minimize other risks depending on the realized risk of information security;
5 - the business unit provides information on losses in the ISS;
6 - the information security system determines the effectiveness of measures to en-
sure an immediate response to an incident (IS risk event);
7 - ORMS, structural divisions, and the information security service organize activ-
ities aimed at minimizing the consequences of the implementation of IS risk (cyber
risk) and other types of risk;
8 - the information security service evaluates the effectiveness of measures to mini-
mize the risk of information security (cybersecurity risk) and the level of residual risk.
� 347
Fig. 3. Information security risk management scheme as part of operational risks
Taking into account the considered scheme and the competency approach proposed in
[1], we present a map of the competencies of specialists in the field of information
security of an intellectual network.
A. Leadership, organizational and managerial competencies of an information secu-
rity officer.
A.1. It owns modern models of organization of the company and can independently
organize the process of ensuring information security.
A.2. It can act as a qualified customer of research and development.
B. Employee competencies in terms of communication and coordination in the ex-
ternal ecosystem.
B.1. It can maintain effective communication with experts to identify promising ar-
eas of development.
C. Technological and special professional and sectoral competencies of employees
in the field of intelligent power grids.
C.1. It can determine long-term directions for development (electric power technol-
ogies).
C.2. Understands the directions of the development of the professional field can de-
termine new tasks in his field and evaluate the means of solving them.
C.3. It can solve new problems in the professional (technological) field.
C.4. It can solve complex problems in the professional (technological) field.
C.5. It can provide standardization of new technologies and solutions.
C.6. It can solve standard tasks in the professional (technological) field.
C.7. It can learn ways to solve standard problems in the professional field.
D. Cognitive competencies of an employee.
D.1. It can evaluate the achieved level of knowledge, formulate the need for new
knowledge in the field of information security, evaluate the methods of their receipt
and the results obtained.
�348
D.2. It can determine and develop ways to obtain new knowledge in the field of
information security, evaluate the results.
D.3. It can create new knowledge on the subject of activity (including technical and
regulatory knowledge).
D.4. Able to independently master new knowledge (including technical and regula-
tory knowledge).
E. Employee competencies.
E.1. Search and discovery of new business opportunities (identifying business op-
portunities).
E.2. Search and discovery of new risks: operational, information (cyber risks).
E.3. Assessing the prospects of new business opportunities (evaluating business op-
portunities).
E.4. Assessment of new operational, informational risks (evaluating of cyber risks).
E.5. Decision making, responsibility for the consequences of decisions (decision-
making).
E.6. Identifying and solving problems.
E.7. The ability to think in a new way (innovative thinking).
E.8. Effectiveness of communication with different partners (communication).
F. Vision of the future, long-term forecasting, and determination of long-term stra-
tegic goals by an employee.
F.1. It can determine the direction of development of the sphere of consumption of
company products and services, as well as infrastructures for 15–20 years and set long-
term goals.
F.2. It can determine the direction of technology development in the field of the
company for 15-20 years and set long-term goals.
This map shows what competencies are necessary for the implementation of the pro-
cesses of an electric power innovation company. At the same time, the distribution of
managerial, technological and entrepreneurial competencies is uneven. However, most
processes require complex organizational and entrepreneurial competencies in conjunc-
tion with a high level of technological and cognitive competencies. This map also
shows the place and importance of the company's technological competencies to ensure
information security. Therefore, shareholders must approve that part of the money that
the company earned from innovations will be spent on the introduction of new infor-
mation security services.
The processes of changing the composition of the required competencies and quali-
fication structure for managing and ensuring innovative activities in the context of dig-
italization and information security acquire a special role at the stage of transformation
of electric companies.
Conclusion
The considered approach to the formation of competencies allows you to:
─ ensure the completeness and comprehensiveness of the composition of competen-
cies, since this composition of competencies, will be associated with the regulation
� 349
of information processes and business processes of the company and fully comply
with its description;
─ represent competencies in educational programs in the form of a tree with a hierar-
chical multi-level structure and in the chronological sequence of their implementa-
tion, according to the chronology of the implementation of relevant processes to en-
sure information security;
─ to supplement, based on the study of new business processes of successful enter-
prises, a set of competencies of graduates taking into account the focus of the edu-
cational program on new specific areas of knowledge and activities.
References
1. Afanasyev G. E. Karta kompetentsiy i perspektivnykh professiy R&D [Map of competencies
and promising professions R&D]. Federalnyy spravochnik. Obrazovaniye v Rossii [Federal
directory. Education in Russia], 2011, Volume 8. Available at: URL: http://federal-
book.ru/files/FSO/soderganie/Tom%208/V/Karta.pdf (Accessed October 11, 2019). (In
Russ.)
2. Kobets B. B., Volkova I. O. Innovatsionnoye razvitiye elektroenergetiki na baze kontseptsii
Smart Grid [Innovative development of the electric power industry based on the Smart Grid
concept]. – M.: IAC Energiya, 2010. — 208 p. (In Russ.)
3. Kartvelishvili V. M., Sviridova O. A. Risk-menedzhment. Metody otsenki riska: uchebnoye
posobiye [Risk management. Risk Assessment Techniques: A Study Guide]. – Moskva:
FGBOU VO «REU im. G. V. Plekhanova», 2017. – 120 p. (In Russ.)
4. Barabanov A. V.. Dorofeyev A. V.. Markov A. S.. Tsirlov V. L. Sem bezopasnykh infor-
matsionnykh tekhnologiy [Seven secure information technologies]. Pod red. A. S. Markova
[Ed. A.S. Markov.]. – Moskva: DMK, 2017. - 221 p. (In Russ.)
5. Conrad E., Misenar S., Feldman J. CISSP Study Guide. 3rd edition. - Boston: Syngress,
2015. 622 p. DOI: 10.1016/C2009-0-61065-5
6. David L. Cannon CISA Certified Information Systems Auditor Study Guide, 4th Edition.
2016. DOI: 10.1002/9781119419211
7. Ghansah I. Smart grid cyber security potential threats, vulnerabilities and risks // Public In-
terest Energy Research, Prepared for: California Energy Commission, 2012. DOI:
10.1016/j.jesit.2018.01.001
8. Olifirov, A.V., Makoveichuk, K.A., Zhytnyy, P.Y., Filimonenkova, T.N., Petrenko, S.A.
Models of Processes for Governance of Enterprise IT and Personnel Training for Digital
Economy / 2019 Proceedings of 2018 17th Russian Scientific and Practical Conference on
Planning and Teaching Engineering Staff for the Industrial and Economic Complex of the
Region, PTES 2018 с. 216-219 DOI: 10.1109/PTES.2018.8604166
9. Paul M. Official (ISC) 2 Guide to the CSSLP CBK 2nd Edition - 2013, 800 p. DOI:
10.1201/b15377
10. Petrenko, S.A., Makoveichuk, K.A. Ontology of cyber security of self-recovering smart Grid
/ CEUR Workshop Proceedings 8th All-Russian Scientific and Technical Conference on
Secure Information Technologies, BIT 2017; Moscow; Russian Federation; 6-7 December
2017. - Volume 2081, 2017, Pages 98-106. Available at: URL: http://ceur-ws.org/Vol-
2081/paper21.pdf (Accessed October 11, 2019).
�350
11. Petrenko, S.A., Makoveichuk, K.A., Chetyrbok, P.V., Petrenko, A.S. About readiness for
digital economy / 2017 Proceedings of 2017 IEEE 2nd International Conference on Control
in Technical Systems, CTS 2017, p. 96-99. DOI: 10.1109/CTSYS.2017.8109498
12. The Official (ISC)2 Guide to the CCSPSM CBK®, Second Edition.- 2016.
DOI:10.1002/9781119419198
13. Integrirovannyy godovoy otchet Publichnogo aktsionernogo obshchestva «Federalnaya
setevaya kompaniya Edinoy energeticheskoy sistemy» za 2018 god [Integrated annual report
of the Public Joint Stock Company "Federal Grid Company of the Unified Energy System"
for 2018]. Available at: URL: https://report2018.fsk-ees.ru/?/ru/59-information-on-the-re-
port (Accessed October 11, 2019). (In Russ.)
�