Determining Information Security Threats for an IoT-Based Energy Internet by Adopting Software Engineering and Risk Management Approaches

This paper introduces an information security threat modeling (ISTM) scheme, which leverages the strengths of software engineering and risk management approaches, called I-SERM. The proposed I-SERM scheme effectively and efficiently prioritizes information security threats for IT systems that utilize a large number of sensors, such as Internet of Things (IoT)-based energy systems. I-SERM operations include determining functional components, identifying associated threat types, analyzing threat items, and prioritizing key threats with the use of software engineering tools such as product flow diagrams, use case diagrams, and data flow diagrams. By simultaneously referring to a proposed STRIDE + p matrix and a defined threat breakdown structure with reference score (TBS + r) scheme, the I-SERM approach enables systematic ISTM. To demonstrate the usability of I-SERM, this study presents a practical case aimed at electricity load balancing on a smart grid. In brief, this study indicates a substantive research direction that combines the advantages of software engineering and risk management into a systematic ISTM process. In addition, the demonstration of I-SERM in practice provides a valuable and practical reference for I-SERM application, and contributes to research in the field of information security designs for IoT-based Energy Internet systems.


Introduction
With the development of information and communications technology (ICT), ICT-enabled applications significantly impact not only our daily lives, but also business profits. However, if an ICT application is attacked due to vulnerability, the consequences can be significant, which directly affect associated human activities and cause accompanying harm. As the saying goes, prevention is better than cure, and the total cost of preventive disposal or innate improvement is usually less than that of problem elimination. Thus, determining information security threats (ISTs) in advance, such as, in the system analysis phase of the system development life cycle (SDLC), will be more helpful than carrying out remedial mechanisms to protect against attacks in real-time.
Identifying, enumerating, and prioritizing potential threats or structural vulnerabilities is commonly referred to as information security threat modeling (ISTM). An attack is an event that is happening, whereas a threat is a risk that is associated with an attack which has not yet occurred. The success of ISTM depends on how effectively it can identify ISTs, assess the risk level of ISTs, and confirm key ISTs that should be managed for prevention or recovery-ready actions. In cases like large-scale Energy Internet systems, for example, an Internet of Things (IoT)-based smart grid, ISTM becomes very complicated due to the large number of devices, components, and sensors involved. Accordingly, systematically assessing the risk of possible ISTs, understanding the relationships between ISTM method can also help determine key ISTs during the SDLC analysis and design phases and provide an opportunity to pre-establish corresponding security precautions against possible attacks to ensure the information security of the SG. In practice, the information security problems that an IoT-based system, for example an SG, has to face include attacks from the Internet [7]. Identifying potential threats which could damage the valuable software and hardware assets of a system (or an organization) is a challenging issue in the process of designing an IoT-based system. Based on the above, finding a way to systematically carry out ISTM for large-scale Energy Internet systems is an essential issue worthy of investigation. This study proposes an approach which can effectively and efficiently perform ISTM for complex systems, such as an SG with many kinds of components on a traditional power system, AMI, and SCADA. To this end, this study combines the mature technology of software engineering and a risk assessment mechanism to develop a novel ISTM method, I-SERM. In the next section, published literature associated with the design of the proposed I-SERM is reviewed. 
Section 3 introduces the details of the I-SERM process, a STRIDE+p matrix, a threat breakdown structure with reference score (TBS+r) scheme, and a risk management mechanism for assessing and prioritizing ISTs. In order to evaluate the operational feasibility of the I-SERM, an SG application for load balancing of electricity is demonstrated in Section 4. Finally, this paper concludes with remarks regarding future study in the last section.

Threat Model
According to Olivoa et al. [12], a threat model is a feature set of the attacker's strategy. In theory, a threat model should describe the capabilities of the attacker as well as identify the threats, based on the anticipated security requirements [13]. In practice, a threat model can be formed in different ways. For example, Opdahl and Sindre [14] compared two threat analysis methods, the misuse case diagram and the attack tree, and indicated that the attack tree model was able to describe more details of the threats than the misuse case diagram. In brief, an attack tree represents attacks in the form of a tree structure [15]. The root of the tree indicates the main event of potential attacks, and it then downlinks to leaf nodes which represent extended attacks (events) [16].
It is useful to describe ISTs in a well-formulated form such as an attack tree, but care must also be taken with how the contents of ISTs are determined. In practice, most ISTM operations, including constructing an attack tree, should rely significantly on the expertise of domain experts who are skilled in the target system and information security theories. This implies a question as to whether systematic/modular modeling methods will benefit ISTM modeling. And, if the answer is yes, how should a comprehensive ISTM process for the modeling methods be formulated? Wuyts et al. [17] proposed a privacy-centric threat modeling approach that leverages the traditional data flow diagram (DFD), as well as a new threat classification mechanism LINDDUN, which can help analysts to identify seven high-level threat types: Linkability, Identifiability, Non-repudiation, Detectability, information Disclosure, content Unawareness, and policy and consent Non-compliance through a six-step process.
Similarly, the STRIDE [18,19] method based on its STRIDE security threat classification mechanism categorizes threats into six types: Spoofing [20], Tampering, Repudiation [21], Information disclosure, Denial of service [22], and Elevation of privilege [23]. The stepwise process of STRIDE was designed in accordance with the Secure Development Lifecycle (SDL) [24], and it also uses DFD and a threat classification mapping scheme as tools to perform ISTM operations.
Although LINDDUN and STRIDE have demonstrated their ISTM capabilities, whether these approaches are able to derive DFD for a wide variety of functional components from a large and complex information system such as an SG remains to be seen. In addition, if there is a need to determine which key threats are priorities for attention, due to concerns around available resources, it is important that a more objective and effective ISTM threat assessment be developed.

Smart Grid (SG)
Nafi et al. [25] define an SG as an electric network able to intelligently access data related to actions from power generation to electricity consumption. As Rahman et al. [26] noted, an SG has the potential to provide innovative and efficient energy management with high reliability. In addition, according to [6,27], an SG is a type of modern grid infrastructure that may introduce renewable energy sources, and combine automation and communication technologies to improve the efficiency, reliability, and safety of a power system. Furthermore, Gharavi and Ghafurian [28], as well as Delgado-Gomes et al. [29], stress that the primary feature of an SG is to apply ICT and computational intelligence to gather, record, and analyze electricity-related information from power generation, transmission and distribution, to consumption.
In addition to providing efficient data access, an SG must consider innovative energy management with high reliability. Therefore, some new SG frameworks have introduced SCADA to carry out the functions of effective monitoring and status assessment by using various types of equipment and sensors [30]. The advantage of SCADA is its supervisory control and data collection for commonly used livelihood infrastructure and industrial systems, such as hydraulic systems and power generation systems. The trend of SCADA development is to integrate ICT-enabled operations into an industrialized control system. As to the ICT-enabled operations for SCADA, they are commonly allocated to such functions as monitoring [31], managing power generation, and transmission and distribution of information [32]. SCADA can be structurally organized for better deployment; Keith et al. [33] suggest that SCADA be divided into a control center, a wide area network, and a field site. A control center is mainly composed of a human machine interface (HMI), engineering workstations, control servers, data historians, and communication routers. Its functions involve supervising the status of equipment, controlling execution procedures, and extracting information from monitored devices. The supervised equipment and the monitored devices include a remote terminal unit (RTU), a programmable logic controller (PLC), and intelligent electronic devices (IED). The wide area network is responsible for the data communications among the cross-regional networks in SCADA. The primary task of the field site is to collect and transfer the on-site data to the control center. Most traditional SCADA systems rely on security through concealment; however, nowadays, due to its combination with the Internet, the information security of SCADA is facing great challenges [15,32,34,35,36].
In addition to the operations of traditional power systems and SCADA-enabled functions, the new SG should cover the provision of data access and management directly for end-users. To this end, an AMI system capable of improving the data management for the demand side [37] plays an essential role. As defined by Rahman et al. [26], an AMI is an advanced solid-state electronic instrument that can collect time-based electricity data for further information analysis and power management. In addition to enabling end-users to query the Meter Data Management System (MDMS) for power usage data through the network, the AMI can also perform demand-side power management, which helps to intelligently monitor peak power consumption, adjust the power transmission and distribution plan, and avoid abnormal loads [37,38,39]. The AMI-supported data can be stored in the MDMS and analyzed to serve electricity-related management services such as pricing plans, automatic meter recording, demand response, and power quality management [40]. It may also contribute to incorporating renewable energy options from the single home side to improve the overall reliability of an SG's power source management.

SG Information Security Threats
In recent years, the industrial trend of SG development and promotion has meant that analysis of SG IST has received increasing research attention. Li et al. [41] listed four possible types of security attacks that an SG may encounter: device attacks, data attacks, privacy attacks, and network availability attacks. In addition, Skopik and Ma [42] categorized SG ISTs into a three-tiered attack zone hierarchy. The first tier contains seven potential attack actions around the smart meter; Tier 2 threats include six possible attacks against the neighborhood area network and utility; the ISTs in the third tier include six kinds of security attack that may come from outside the backend center through web applications. Their IST analysis approach provides a valuable reference in the field of zone-based ISTM for SGs.
In addition to the research listed above, some articles, such as [43], present comprehensive viewpoints on ISTM research and provide interesting survey results; however, few of them have determined specific SG threats or attacks. To date, studies considering SG-specific ISTs have gradually increased in number. Suleiman et al. [44] proposed an SG Systems Security Threat Model (SSTM) based on a SCADA and AMI-involved SG. Their SSTM for application to a Security Quality Requirements Engineering (SQUARE) method [45] identified 76 ISTs. Unfortunately, the construction of such a large-scale ISTM and whether it is necessary to confirm the priorities of these ISTs are not detailed. In practice, these questions are critical and must be further investigated. Furthermore, Langer et al. [46] discussed the information security issues of an SG that involves SCADA and AMI. The study particularly considered a risk assessment model from both conceptual and implementation perspectives. Although this process model attempts to establish an SG security model through systematic steps, it only points out the functional requirements of SG security, and lacks the necessary assessment for those security threats.

Risk Management
According to Olivoa et al. [12], a threat should be estimated by its likelihood and consequent impact, and therefore, a risk management approach capable of estimating the impact and likelihood of risk items [47] may be worth including in ISTM development. According to Hubbard [48], risk management is a process of risk identification, evaluation, and prioritization in order to minimize, monitor, and control the probability or impact of unfortunate events. Clearly, the first step involved in managing risks is to discover what they are [47]. Various methods have been proposed for identifying risks, or at least for prompting questions that will help to identify risks [49,50]. Among them, the risk breakdown structure (RBS), which is a hierarchically organized depiction of identified risks arranged by category, is a frequently used risk identification tool. In practice, the RBS can significantly help almost any stakeholder to understand, and therefore be able to identify and further assess, risk.
Broadly speaking, a risk assessment is the combined effort of not only identifying and analyzing potential events which may negatively impact individuals, assets, and/or the environment but also involves making judgments on the tolerability of the risks while considering influencing factors. In brief, a risk assessment analyzes what can go wrong, how likely it is to happen, what the potential consequences are, and how tolerable the identified risk is. The resulting determination of risks according to their impact and likelihood [47] can be expressed in a quantitative or qualitative fashion. The benefit of making risk assessments is to focus management attention on those risks with the greatest probability of occurring, and those that will most damage the target if they do occur.

2.
Although the DFD is a commonly used design tool, and is good at describing processes, data, and their interrelationships, the implementation of DFD should consider other supporting tools for analyzing large-scale information systems because the number of external entities and processes will increase the quantity of data flows, making the whole DFD implementation more complex. In other words, if there is no necessary confirmation or screening support, the subsequent ISTM process will be too divergent, and not easily focused.

3.
The well-known categorization schemes for threat types, whether LINDDUN or STRIDE, are useful tools capable of listing threat types through accessing DFDs. However, different schemes cover different threat types; whether it is possible to combine their advantages into a single scheme is an interesting issue.

4.
Tools such as STRIDE can be used to analyze the DFD component in order to map the corresponding threat type but are incapable of determining more detailed IST items. In addition to introducing expert opinions (mostly using the Delphi method, which is a well-known communication technique widely used for forecasting through an iterative process with a panel of experts [51,52,53] and is also a useful means of determining key factors, especially those with uncertainty [54]), the ISTM operation should consider referring to a topic-related RBS as an objective basis for discussion and corresponding ISTs.

5.
When assessing ISTs for a system that contains a large number of functional components, as well as a variety of applications, it can be assumed that the number of ISTM outputs, i.e., ISTs, will be large. On the other hand, if the available resources are not sufficient to respond to all the ISTs, the way in which key ISTs are evaluated and screened for subsequent disposal is a practical problem that must be attended to. Moreover, the question of how to make a suitable arrangement between subjective expert opinions and objective information to avoid the bias of expert opinions is also an essential problem that should be solved.

Proposed I-SERM ISTM Approach
Based on the review findings, this study proposes a novel ISTM method leveraging the strength of the mature technology of software engineering methodology and risk management, called I-SERM. This section presents the details of the proposed I-SERM approach, including its working process, as well as the supporting approaches including a STRIDE+p matrix, a threat breakdown structure with reference score (TBS+r) scheme, and a threat assessment mechanism.

I-SERM Process
The processing steps of the I-SERM (as shown in Figure 1) and the key operating instructions are described as follows.

1.
Identify the functional components of the target sensor system: This step performs a literature search to retrieve functional components of the target system. The result of the literature search is presented in the form of a product flow diagram (PFD), which is useful for describing the relative positions of the components and the production flows of the outputs. If required for further discussion, the definition of the involved components should be noted.

2.
Analyze use cases of applications and their relationships: This step analyzes application cases and their relationships according to application requirements by referring to the associated functional components denoted in the PFD. Then, it transforms the selected application cases into a Subject, Verb, Object (S+V+O) pattern to clearly present the application cases. Next, it depicts a use case diagram (UCD).

3.
Functional decomposition on the use cases: The purpose of this step is to detail the operation paths, including the exception path for each case. The methods for detailing the operation paths are scenario description and interface design by blueprint. The above functional decompositions with detailed descriptions are the essential basis for generating further DFDs.

4.
Determine the threat types of each DFD element: This step determines threat types by analyzing the DFD components (including external entities, data flow, data storage, and processes) corresponding to STRIDE+p (introduced in the next sub-section).

5.
Identify ISTs by using TBS+r: A TBS+r is a pre-defined threat breakdown structure for use as a reference when listing the possible ISTs for each DFD element.

6.
Assess ISTs by referring to TBS+r scores: In this step, experts in the field of the target system or information security theories are invited to help confirm key ISTs. The well-known Delphi method is suggested for the process of prioritizing ISTs by assessing their impact and likelihood. By using an iterative Delphi process with anonymous scoring, open discussion, and result confirmation, this step can be completed when the pre-defined criteria are met, and the process can proceed to the next step. Otherwise, the process should go back to Step 5 to recheck the ISTs, or even identify further possible ISTs that merit concern.

7.
Confirm key ISTs for the planned application: This step confirms the key ISTs, and creates the final ISTM in a proper form, for example, a threat tree.

STRIDE+p Matrix
Since STRIDE and LINDDUN each have their specific strengths, weaknesses, and application coverage, this study proposes a new STRIDE+p matrix. The new matrix is based on STRIDE, combined with the privacy concerns of LINDDUN, and is therefore named STRIDE+p.
STRIDE+p refers to a combination of the features of the threat types defined in STRIDE and LINDDUN. The combined perspectives include: (1) Both the Linkability and Identifiability of LINDDUN can be categorized with the Spoofing of STRIDE, but they should not occur when accessing the data flow; (2) The Non-repudiation of LINDDUN is synonymous with the Repudiation of STRIDE; (3) The Detectability of LINDDUN is related to the Denial of service of STRIDE; (4) The information Disclosure of LINDDUN is synonymous with the information Disclosure of STRIDE; (5) The content Unawareness of LINDDUN means that a user is unaware of the potential attack events, therefore it can be omitted; (6) The policy and consent Non-compliance of LINDDUN is related to the Elevation of privilege of STRIDE, but it should not happen on the data flow. STRIDE+p was thus built based on the above adjustments. The threat types of STRIDE, LINDDUN, and STRIDE+p are compared in Table 1. Note to Table 1: √ means that the specified DFD element has the corresponding threat type.

TBS+r Scheme
STRIDE+p can only help correspond DFD elements to their associated threat types. Detailed ISTs should be carefully identified; however, in practice, the ISTs concerned usually vary depending on the application scenario. As a result, this study considered the concept of risk breakdown structure [47] and suggests the use of threat breakdown structure with reference scores (TBS+r). The purpose of using TBS+r is twofold: (1) to help to identify the ISTs, and (2) to serve as a reference for assisting IST assessments, i.e., using the reference score. According to studies [22,55,56,57,58], and with reference to Wikipedia, this study conducted four TBS+r for different DFD elements, as shown in Figures 2-4. Each TBS+r consists of several threat types, and each threat type contains several ISTs with their respective Impact reference score $I_r$ and Probability reference score $P_r$, in the form of $(I_r, P_r)$. The values of $I_r$ and $P_r$ range from 0 to 1. For example, in Figure 2, the TBS+r for DFD Process has six threat types. Of these types, the Spoofing type contains five ISTs. The man-in-the-middle is one of these Spoofing ISTs; its $I_r$ is 0.6, and $P_r$ is 0.5.
Inventions 2019, 4, x FOR PEER REVIEW 8 of 20

Threat Assessment Mechanism
As soon as the ISTs are identified using the TBS+r operation, the next step is to assess the ISTs and determine the key ISTs, especially when the considered resources will not be sufficient to deal with all possible ISTs. Experts in the IST field commonly play a critical role in expertise interchange, experience sharing, issue discussion, and factor analysis in the overall threat assessment process. The expertise is introduced to analyze and discuss the contents of possible ISTs. However, in order to increase the efficiency of the IST assessment, and make the content discussions objective, the TBS+r reference score plays an assisting role, as a good source of historical records and comparable experience.
The process of assessing ISTs and prioritizing key ISTs is facilitated by the Delphi method, which refers to the iterative process of anonymous participation (scoring), open discussion, and confirmation of the result until a predetermined stop condition is satisfied [52,53]. The IST assessment uses Impact and likelihood (Probability) as the assessed factors. Impact refers to the degree of influence once the target risk occurs. In order to evaluate the Impact grade of each IST, the calculation of a weighted average, as expressed in Equation (1), is adopted. In the case of m items to be evaluated by n experts, $I_i$ represents the Impact grade of the ith item, while $IS_{ij}$ represents the Impact score of the ith item given by the jth expert, and $IE_{ij}$ is the score of expertise regarding $IS_{ij}$. The scoring values of the above variables are set from 0 to 10:
$$I_i = \frac{\sum_{j=1}^{n} IS_{ij} \times IE_{ij}}{\sum_{j=1}^{n} IE_{ij}}, \quad i = 1, 2, \ldots, m;\ j = 1, 2, \ldots, n. \qquad (1)$$
In addition, any risk has its occurrence likelihood (probability); the Probability of each IST must also be rated. $P_i$ represents the evaluated Probability grade of the ith item, which can be calculated by Equation (2). $PS_{ij}$ represents the Probability score of the ith item given by the jth expert, while $PE_{ij}$ is the score of expertise regarding $PS_{ij}$. The scoring values of the above variables are set from 0 to 10:
$$P_i = \frac{\sum_{j=1}^{n} PS_{ij} \times PE_{ij}}{\sum_{j=1}^{n} PE_{ij}}, \quad i = 1, 2, \ldots, m;\ j = 1, 2, \ldots, n. \qquad (2)$$
Since any IST relates to both impact and likelihood, the Impact ($I_i$) and Probability ($P_i$) grades should be simultaneously examined to determine the key ISTs, i.e., high Impact and high Probability. Additionally, it is necessary to consider the relationship of the weights of the Impact and Probability if the importance of these two factors is not equal. That is, the threat assessment process must consider not just $I_i$ and $P_i$, but also the Impact weight (IW) as well as the Probability weight (PW).
A detailed description of how key ISTs are screened is given in Figure 5 (a Cartesian coordinate system). Assume that the value range in Figure 6 is the same, i.e., the coordinate value is equal. Each IST with both the Impact grade $I_i$ and Probability grade $P_i$ can be regarded as a corresponding point on a coordinate system. When the selection of key ISTs is based on the principle of high Impact and high Probability, point T in Figure 5 is the first priority, with the highest Impact and highest Probability. From the viewpoint of Analytic Geometry, starting from point T and proceeding toward point O along the α direction, the priority of the representative options is shown in descending order, from the highest position to the lowest position. That is, through point $A_1$, point $A_3$ and point $A_4$ is a sequential selection from higher priority to lower priority. In addition, any two points on the plane coordinate system determine a straight line.
Equation (3) is used to compute the output, $R_i$, of a linear equation on a specific IW:PW ratio. Since point $A_1$ and point $A_2$ have the same $R_i$ value, they can jointly determine a line, $a_1$, with a slope $-\frac{PW}{IW} = -1$; i.e., $PW = IW$ ($|PW| : |IW| = 1 : 1$). Line $a_1$ and line TO are perpendicular to each other. The linear equation $f(x, y)$ of line $a_1$ using the slope-intercept form is $f(A_1) = f(P_{a_1}, I_{a_1}) : I_{a_1} - (-1)P_{a_1} = R_{a_1}$. Similarly, point $A_3$ falls on line $a_2$, point $A_4$ falls on line $a_3$, and lines $a_1$, $a_2$, and $a_3$ are parallel to each other. The three lines have the same slope but different $R_i$ values, so the priority order of the points falling on $a_1$ is higher than that of the points falling on $a_2$. The priority situation of $a_2$ and $a_3$ can be analogously deduced.
Furthermore, if the weighting ratio UW and IW changes, the slope of the line will change accordingly, and the equation of the line will be different. When point T extends along the β direction toward the midpoint of the P axis, the extended line with a slope of − PW Based on the above, when screening ISTs with two respective factor vectors, regardless of the weighting ratio of the two factors, the ISTs can be prioritized according to the computed result of the corresponding liner equation. Essentially, R i is the basis for prioritizing participating ISTs.
This study proposes the following three steps for prioritizing and choosing key ISTs. First, Equation (3) is used to compute $R_i$. Next, the group of key ISTs ($S_{IW:PW}$) is determined by Equation (4), with a threshold $L$ as the acceptance condition. Third, the above two steps are repeated with different linear equations (i.e., different $IW{:}PW$ ratios). Key ISTs are then determined through an open-discussion cross-analysis of all the considered $S_{IW:PW}$ groups.
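The scoring and prioritization procedure described above, carried through in code as an added example (this is not code from the paper). Because Equations (1) to (4) are not reproduced on this page, the example assumes that $I_i$ and $P_i$ are expertise-weighted averages of the expert scores normalised from the 0 to 10 scale to 0 to 1, that $R_i = IW \cdot I_i + PW \cdot P_i$ (the line of slope $-PW/IW$ discussed for line $a_1$), that $S_{IW:PW} = \{i : R_i \geq L\}$, and that weight pairs are chosen with $IW + PW = 2$ so that one threshold $L$ stays comparable across ratios. The expert scores and threat names are constructed for illustration.

```python
"""Delphi-style IST scoring and prioritisation with the symbols used above.

Added example, not code from the paper.  Assumptions (Equations (1)-(4) are
not reproduced on the page):
  * I_i = sum_j IE_ij * IS_ij / (10 * sum_j IE_ij), same form for P_i
  * R_i = IW * I_i + PW * P_i  (assumed form of Equation (3))
  * S_{IW:PW} = { i : R_i >= L }  (assumed form of Equation (4))
  * weight pairs satisfy IW + PW = 2 so R_i stays on a 0..2 scale
All expert scores below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpertScore:
    score: float       # IS_ij or PS_ij, 0..10
    expertise: float   # IE_ij or PE_ij, 0..10


def weighted_grade(scores):
    """Expertise-weighted average of one item's expert scores, scaled to 0..1."""
    total_expertise = sum(s.expertise for s in scores)
    if total_expertise == 0:
        raise ValueError("no expertise weight: the item cannot be graded")
    return sum(s.expertise * s.score for s in scores) / (10.0 * total_expertise)


def grade_threats(threats):
    """threats: {name: (impact_scores, probability_scores)} -> {name: (I_i, P_i)}."""
    return {name: (weighted_grade(imp), weighted_grade(prob))
            for name, (imp, prob) in threats.items()}


def compute_r(impact, probability, iw=1.0, pw=1.0):
    """R_i for one IST under the weighting IW:PW."""
    return iw * impact + pw * probability


def select_key_threats(grades, threshold, iw=1.0, pw=1.0):
    """S_{IW:PW}: names of ISTs with R_i >= L, highest R_i first."""
    ranked = sorted(((compute_r(i, p, iw, pw), name) for name, (i, p) in grades.items()),
                    reverse=True)
    return [name for r, name in ranked if r >= threshold]


def cross_analysis(grades, threshold, weight_pairs):
    """Repeat the selection for several (IW, PW) pairs.  Returns each S_{IW:PW}
    and the ISTs present in every set, the robust candidates to put first in
    the open-discussion round."""
    per_ratio = {pair: select_key_threats(grades, threshold, *pair) for pair in weight_pairs}
    common = set.intersection(*(set(s) for s in per_ratio.values()))
    return per_ratio, sorted(common)


# Constructed scores from three experts as (score, expertise); the names are
# illustrative DFD elements, not the paper's Tables 2-5.
SAMPLE_THREATS = {
    "SQL injection / process 1.0 (login)": (
        [ExpertScore(8, 9), ExpertScore(7, 6), ExpertScore(8, 8)],   # Impact
        [ExpertScore(8, 9), ExpertScore(7, 7), ExpertScore(8, 8)],   # Probability
    ),
    "Replay of meter readings / flow HAN->MDMS": (
        [ExpertScore(4, 8), ExpertScore(5, 7), ExpertScore(3, 9)],
        [ExpertScore(9, 8), ExpertScore(8, 7), ExpertScore(9, 9)],
    ),
    "Tampering with historian records / store D1": (
        [ExpertScore(9, 8), ExpertScore(9, 9), ExpertScore(8, 7)],
        [ExpertScore(3, 8), ExpertScore(4, 9), ExpertScore(3, 7)],
    ),
    "Spoofing of an RTU identity / entity E2": (
        [ExpertScore(6, 9), ExpertScore(6, 7), ExpertScore(7, 8)],
        [ExpertScore(7, 9), ExpertScore(8, 7), ExpertScore(8, 8)],
    ),
}

WEIGHT_PAIRS = [(1.0, 1.0), (0.5, 1.5), (1.5, 0.5)]   # IW:PW = 1:1, 1:3, 3:1


if __name__ == "__main__":
    grades = grade_threats(SAMPLE_THREATS)
    per_ratio, common = cross_analysis(grades, threshold=1.39, weight_pairs=WEIGHT_PAIRS)
    for (iw, pw), key in per_ratio.items():
        print(f"IW:PW = {iw}:{pw} -> {key}")
    print("in every set:", common)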

Demonstration of an I-SERM Practice: SG Electricity Load Balance
This section demonstrates an I-SERM practice that focuses on electricity load balance (ELB) on SG.

Identifying the Functional Components of the Target Sensor System
Since the proposed I-SERM is designed for ISTM of large-scale sensor systems such as SGs, the architecture of the functional components of the target sensor system must first be confirmed. The first step of I-SERM is to create an architecture of the SG's functional components, i.e., an SG framework.
Step 1 of I-SERM is detailed as a nine-substep (from 1a to 1i) process as shown in Figure 6.
Step 1a explores the components of the physical power system. According to [24], these include power plants, renewable energy stations, power line networking systems, substations, transformers, and physical electricity meters. In Step 1b, four facility areas, namely generation, transmission, distribution, and the user side, are defined.
Step 1c places the functional components of the physical power system in their proper facility areas using the PFD approach.
Similarly, Steps 1d to 1f are for the SCADA part. In Step 1d, 10 components including wide area networks (WANs), intelligent electronic devices (IEDs), programmable logic controllers (PLCs), remote terminal units (RTUs), engineering workstations, human machine interfaces (HMIs), communication routers, data historians, control servers, and communication networks are involved [33]. A new facility area called a control center is included in Step 1e. All the SCADA components are appropriately placed in five facility areas. Then, a PFD presenting the functional components for both the physical power system and SCADA is created.
Steps 1g to 1i are for the AMI part. In Step 1g, three components including smart meters, home area networks (HAN), and meter data management systems (MDMS) are confirmed [26,38]. Finally, the overall functional components of the physical power system, SCADA, and AMI are integrated in the form of a PFD, forming an SG framework, as shown in Figure 7.

Steps 2 to 7 of the I-SERM
The remainder of the I-SERM steps (Step 2 to Step 7) for ELB, together with their deliverables, are shown in Figure 8, wherein Step 2 is divided into substeps 2a, 2b, and 2c, and Step 3 includes substeps 3a and 3b. First (Step 2a), the functional components related to the target application, i.e., the ELB, were selected. Based on these functional components, the functional requirements of the ELB were determined in Step 2b.
Step 2c determines the required functions of the ELB, as well as the relationships between these functions, and constructs the output as a UCD. In Step 3a, the use cases were detailed in the form of scenario descriptions, so that all the operation paths and the data dictionary were clarified. Accordingly, in Step 3b, the DFD was created, as presented in Figure 9.
In the next steps, several experts were invited to help determine the key ISTs for ELB through Steps 4 to 7. In Step 4, the threat types of the use cases were identified by referring to STRIDE+p.
Step 5 explores the ISTs of the DFD elements according to the TBS+r for ELB. The TBS+r for ELB, shown in Figure 10, is a version of TBS+r specified for this ELB practice, and was confirmed by the invited experts before this step was performed. In this step, the DFD elements f3.1, f4.1, f5.1, f6.1, f7.1, f8.1, and f9.1 were excluded because these elements are not expected to have ISTs.
Figure 10. The adopted TBS+r for the ELB practice.
In Step 6, all the ISTs were assessed by the participants with reference to the scores of the TBS+r for ELB. The IST evaluation scores, I for Impact and P for Probability, are listed by DFD element type in Tables 2-5.
Step 7 confirms the key ISTs using a Delphi operation. The ratio $|PW|:|IW|$ was set to 1:1 and the threshold $L$ to 1.39, so that 22 key ISTs (those with $R_i \geq 1.39$) were confirmed. Finally, the ISTM result for the SG ELB, depicted in Figure 11, was built as a threat tree annotated with the (Impact, Probability) values of the key ISTs. For example, SQL injection against process 1.0 is one of the 22 key ISTs, with an Impact value of 0.76 and a Probability value of 0.77 (at the 1:1 ratio, $R_i = 0.76 + 0.77 = 1.53 \geq 1.39$). This indicates that the SQL injection threat must be carefully considered when designing and implementing the user login function (process 1.0).
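What "carefully considered" means for the key IST just named, shown as an added example that is not code from the paper: the login process (process 1.0) written so that the SQL injection threat is real, beside the same check with the threat removed by a parameterised query. The user table, the single operator account, its password and the use of a plain SHA-256 hash as the stored credential are all constructed for illustration; a deployment would use a salted, slow KDF and add rate limiting.

```python
"""Process 1.0 (user login) with and without the SQL injection threat.

Added example, not code from the paper.  The table, the account, its password
and the SHA-256 placeholder hash are constructed for illustration.
"""
import hashlib
import hmac
import sqlite3


def _pw_hash(password):
    # Constructed placeholder for the stored credential; use a salted, slow
    # KDF (e.g. scrypt/argon2) in a real operator portal.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db():
    """In-memory user store with one ELB operator account (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "pw_hash TEXT NOT NULL, role TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("operator", _pw_hash("correct horse battery staple"), "elb_operator"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The threat the tree flags: the username is spliced into the SQL text, so
    a value such as  operator' --  comments out the password condition and the
    caller is granted the operator role without knowing the password."""
    query = ("SELECT role FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, _pw_hash(password)))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: the statement structure is fixed and the username
    is bound as data, so the same payload is simply a non-existent user.  The
    hash comparison is constant-time so the check leaks nothing via timing."""
    row = conn.execute("SELECT pw_hash, role FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    stored_hash, role = row
    if not hmac.compare_digest(stored_hash, _pw_hash(password)):
        return None
    return role


if __name__ == "__main__":
    db = build_db()
    payload = "operator' --"
    print("vulnerable, injected username:", login_vulnerable(db, payload, "wrong"))  # elb_operator
    print("hardened,   injected username:", login_hardened(db, payload, "wrong"))    # None
    print("hardened,   real credentials :", login_hardened(db, "operator", "correct horse battery staple"))
```

The payload needs no knowledge of the schema beyond the column order of the `WHERE` clause, which is why a (0.76, 0.77) rating for this item on a login process is unsurprising; the hardened form closes it at the query boundary rather than by filtering input.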

Conclusions
This paper presents the I-SERM approach for IST analysis of large-scale system applications. I-SERM provides a systematic process for determining the key ISTs of complex information systems. To evaluate the performance of the proposed approach in practice, a simple electricity load balancing (ELB) example was used to demonstrate the I-SERM operations. This ELB example not only demonstrated the usability of STRIDE+p and TBS+r, but also presented a suggested SG framework covering a basic physical power system and emerging SG mechanisms. The results of this investigation contribute to research in the field of information security for smart energy management, offering more comprehensive viewpoints on new SG functions and ISTM schemes for intelligent applications of power consumption and management.
Although I-SERM can effectively and efficiently perform ISTM for complex systems using the proposed schemes, the following extended issues are worthy of further discussion:

1.
The maintenance of the content of TBS+r. A key feature of I-SERM is the use of TBS+r within a Delphi process to improve the performance of the ISTM operation. The success of I-SERM also depends on the IST scoring by the participating experts, whose feedback is anchored to the TBS+r they consult. In other words, the content of TBS+r significantly affects the ISTM result. Just as the rules of firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) must be kept current, the TBS+r must be kept up to date.

2.
The use of multi-dimensional analysis. In practice, assessing the target factors from a single perspective is insufficient. In this ELB case, the ratio $|PW|:|IW| = 1:1$ was the only perspective used for selecting key ISTs. Different $|PW|:|IW|$ ratios would deliver different viewpoints on the selection. That is, a multi-dimensional analysis method could improve the