
DBIS

Resource-Efficient Cyber Risk and Criticality Assessment for Small Power Grid Operators: A Reproducible Algorithm for Deriving Security Requirements and Prioritized Mitigation Plans

February 24th, 2026


Power grids are increasingly operated through tightly interconnected IT/OT infrastructures, which raises the attack surface and makes smaller operators with limited resources particularly vulnerable to security-relevant incidents. This thesis develops and evaluates a reproducible, resource-efficient analysis algorithm that captures essential system, process, role, location, and information-flow data to derive protection needs and criticality, and to generate a prioritized, actionable security improvement plan without requiring a full ISMS. The approach is prototyped and validated through a realistic case study, benchmarking against at least one reference method and incorporating expert interviews to assess effort, comprehensibility, traceability, domain coverage, and prioritization quality.

Master Thesis

Thesis Type
Master
Student
Julien Strenger
Status
Running
Presentation room
Seminar room I5 6202
Supervisor(s)
decker
Advisor(s)
osen
Contact
oemer.sen@fit.fraunhofer.de


Background
Power grids are increasingly operated digitally and are tightly interconnected via IT and OT components with control centers, remote terminal/telecontrol systems, maintenance processes, and external service providers. This connectivity expands the attack surface and simultaneously increases the likelihood that technical vulnerabilities, organizational deficiencies, lack of training, or insufficient physical safeguards lead to security-relevant incidents that can impair availability, integrity, and operational capability. Large grid operators address these challenges through established ISMS structures and specialized resources, whereas smaller operators often face the practical hurdle that common approaches (e.g., comprehensive standard workflows or extensive control catalogs) are too time-consuming, require too much prior knowledge, or are difficult to translate into a prioritized and actionable mitigation plan. This creates the need for a pragmatic, transparent, and resource-efficient approach that reflects the reality of small operators while remaining systematic enough to be effective and verifiable.

Objectives
The objective of this master’s thesis is to develop and evaluate a clearly defined analysis algorithm that helps small power grid operators with limited resources to systematically capture relevant information, derive security requirements for systems, information flows, roles, and locations in a traceable manner, and generate a prioritized list of measures. The approach should integrate technical, organizational, human, and physical aspects without presupposing a full-fledged ISMS, and it should be documented in a way that enables a third party to reproduce and apply it with reasonable effort.

Tasks
The student first conducts a focused literature review that goes beyond a high-level overview by documenting, in a comparison matrix, which steps, inputs, protection-need logics, and output artifacts are provided by typical approaches (in particular BSI IT-Grundschutz, ISO-based risk assessments, and OT-/critical-infrastructure-oriented methods). Building on this, the student creates a precise requirements specification for the new approach, including measurable criteria such as maximum data collection effort, required minimum data, comprehensibility requirements, coverage across the domains IT/OT/organization/physical security, and the form of the output (a prioritized action plan). The student then designs and defines a concrete data collection and modeling procedure, including the necessary templates and data structures, so that an operator can capture the required information in a reproducible way; this results in a unified model that formally represents IT and OT systems, interfaces, locations, personnel groups/roles, business functions, as well as digital and analog information flows.

At the core, the student develops the algorithm for deriving protection needs and/or criticality as a clearly described sequence of steps with rules, assumptions, and termination criteria: starting from prioritized organizational goals and obligations, initially critical components are marked; then protection needs are iteratively propagated through dependencies and redundancies until a stable state is reached. The result is output in a defined categorization scheme that can be used for deriving measures. Building on this, the student implements a control-catalog and gap-analysis step that compares the derived target requirements with an assessed current state and produces a prioritized list in which quick wins, medium-term measures, and structural improvements are clearly separated; organizational processes (e.g., permissions, training status, responsibilities, four-eyes principle, handling conflicts of interest) and physical security aspects are explicitly considered.
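The propagation step described above, as an added illustration that is not the thesis's own algorithm or prototype: protection needs are marked on initially critical components and then pushed along dependencies until no level changes. The component names, the three levels, and the rule that a redundancy group lets each member sit one level lower are assumptions chosen for the example, loosely following the IT-Grundschutz maximum and distribution principles.

```python
# Added example, not part of the thesis or its prototype.
# Levels are ordered; propagation only ever raises a level, so the
# iteration is monotone over a finite set and must reach a stable state.
LEVELS = ["normal", "high", "very high"]

# Constructed sample model: each component maps to what it depends on.
# A plain string is a single dependency; a frozenset is a redundancy
# group of which any one member is enough to keep the component running.
MODEL = {
    "grid_control":   ["scada_server", frozenset({"wan_link_a", "wan_link_b"})],
    "scada_server":   ["substation_lan", "control_room"],
    "substation_lan": ["rtu_1"],
    "control_room":   [],
    "rtu_1":          [],
    "wan_link_a":     [],
    "wan_link_b":     [],
}
# Initial marking derived from prioritised organisational goals (constructed).
INITIAL = {"grid_control": "very high"}

def propagate(model, initial, max_rounds=100):
    """Return (needs, rounds): the final protection need per component and
    the number of rounds until nothing changed (the termination criterion)."""
    needs = {c: 0 for c in model}
    for comp, lvl in initial.items():
        needs[comp] = LEVELS.index(lvl)
    for rounds in range(1, max_rounds + 1):
        changed = False
        for comp, deps in model.items():
            for dep in deps:
                if isinstance(dep, frozenset):
                    # Distribution effect (assumed rule): redundancy lets each
                    # alternative carry one level less than the dependant.
                    target, members = max(needs[comp] - 1, 0), dep
                else:
                    # Maximum principle: a single point of dependency inherits
                    # the full protection need of the component relying on it.
                    target, members = needs[comp], {dep}
                for m in members:
                    if needs[m] < target:
                        needs[m] = target
                        changed = True
        if not changed:
            return {c: LEVELS[n] for c, n in needs.items()}, rounds
    raise RuntimeError("no stable state reached within max_rounds")

if __name__ == "__main__":
    result, rounds = propagate(MODEL, INITIAL)
    print(f"stable after {rounds} rounds:", result)
```

The returned categorization (here: every single-path component ends at "very high", the two redundant WAN links at "high") is the input the later gap-analysis step compares against the assessed current state.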

The student implements the approach in a prototype (e.g., a small tool or a clearly reproducible template-based workflow) so that inputs can be captured, the model generated, categories computed, and the action plan produced automatically. For evaluation, the student develops at least one realistic case study (synthetic or based on anonymized real-world data) and performs a structured comparison with at least one reference approach (e.g., a classic, heavily simplified IT-Grundschutz workflow or a known risk assessment scheme), assessing criteria such as time effort, comprehensibility, traceability, coverage, and the quality of prioritization both quantitatively and qualitatively. Finally, the student conducts expert interviews using a predefined guideline, systematically analyzes the results (e.g., thematic clustering/quality criteria), and refines the model, rules, and measure derivation accordingly. All results are fully documented, including the algorithm specification, data schema/notation, prototype documentation, evaluation design, interview guideline and analysis, and a transparent discussion of limitations and scope of validity.

Prerequisites
Basic knowledge of IT security and networking (e.g., zoning/segmentation, access control, logging), interest in OT/ICS environments and typical operational processes of grid operators, ability to perform structured modeling (e.g., diagrams/data models), and solid implementation skills to build a demonstrable prototype. In addition, scientific working practices, clean documentation, and the willingness to prepare, conduct, and methodically evaluate interviews are expected.

Prerequisites:
  • Basic knowledge of IT security and networking (e.g., network zoning/segmentation, access control, logging and monitoring)
  • Interest in operational technology (OT) / industrial control systems (ICS) environments and typical utility operations (e.g., remote control, maintenance, service providers)
  • Ability to perform structured modeling (e.g., diagrams, data models, system/information-flow representations)
  • Solid implementation skills to develop a small prototype/tool or a reproducible template-based workflow with demonstrable results
  • Familiarity with scientific writing and research methods (literature review, requirements definition, evaluation design)
  • Willingness to prepare, conduct, and methodically analyze expert interviews (e.g., using a predefined interview guideline and qualitative coding/clustering)
  • Strong documentation skills to ensure reproducibility (algorithm specification, data structures, assumptions, and limitations)