Minichino Qos of a Scada Sys

8/2/2019 Minichino Qos of a Scada Sys

1/31

ICT-SEC 225353 MICIE (1)Brussels, 14 September 2009

Tool for systemic risk analysis and securemediation of data exchanged across linked CI

information infrastructures

QoS of SCADA system interconnectinga Power grid and a Telco network

Michele Minichino

[email protected]

,

ENEA
mailto:[email protected]:[email protected]


2/31

ICT-SEC 225353 MICIE (2)Luxemburg, 20 May 2010

CRPHT

CRATROMA3ENEAIECITRUSTMULT

FCTUCUNIBRAD

ACK: contribute of WP InterdependencyAnalysis and Modelingparticipants

QoS of SCADA system interconnecting aPower grid and a Telco network


3/31


Motivation of the research: lesson learned by IRRIIS project

MICIE: Prediction of risk of loss/degradation of quality of services ofCI operators (i.e. SCADA and NMS operators) Reference scenario and service oriented approach Fault Isolation and System Restoration (FISR) service

Risk of loss/degradation of FISR

FISR models

Indicators of risk of loss/degradation of FISR

MICIE: Models for the online risk prediction tool

Discussion

Talk contents



4/31


A mini black on the Telecom Italia PoP node in Rome

Flooding of a Telecom Italia major telecommunication node hasoccurred in Rome on January the 2nd 2004.

Part of wired and wireless services tilted (a mini black out for ItalianTelco infrastructure)

causing problems and delays in different infrastructures, including Fiumicino airport (stop of check-in, ticketing services and of luggage

acceptance and switching),

ANSI print agency, post offices and banks,

ACEA power distribution and

the communication network (GARR), connecting the main Italian

research institutions. The mini black out occurred to the Telecom Italia major node in

Rome, thePoP of Laurentina -Inviolatella, on Tor Pagnotta street

IRRIIS project - scenario of failure propagationfrom Telco Network to ACEA MV Power Grid


5/31


IRRIIS project - Laurentina Inviolatella node

Green arrow indicates the area where the Telecom centre is located


6/31


IRRIIS project - Telco blackout impacted onservices of SCADA operator of ACEA power grid

ACEA SCADA has two main Control Centres:

Flaminia Control Centre that is unmanned; receive/send data and control commands from a first part of the cabins of Rome

electrical distribution network;

Ostiense Control Centre that is manned; receive/send data and control commands from a second part of the cabins;

all the tele-measures, commands and alarms managed by Flaminia ControlCentre are dispatched to Ostiense Control Centre using two redundant TELCOcommunication links at 2Mbits/sec; One is the main link;

the other one is a backup link that is always in stand-by position;

such links were expected to be located on two different geographical paths;

both links were out of service during the Telco blackout as a consequence no alarms, signals on the status of power distribution network

and commands where exchangeable between the unmanned centre and themanned one.

in this situation SCADA operator completely lose the visibility and controllabilityof all the remote substations managed by the unmanned Flaminia Control Centre.


7/31ICT-SEC 225353 MICIE (7)Luxemburg, 20 May 2010

IRRIIS project - Loss of services of SCADAoperator on failure of SCADA communication links



Power grid: a portion of the HV (High Voltage) grid at 150 kV and thebackbone of the MV (Medium Voltage) grid at 20 kV. Each node represents a primary substation (Pi, large rectangle), in case of

HV network, or a secondary substation (Mi, small rectangle), in case of MVnetwork.

Nodes, named Ei, represent the substations of the national powertransmission grid. They feed the power distribution grid.

The physical link between any two nodes is an electrical trunk

SCADA system A Main SCADA Control Centre (MSC) directly controls and supervises the

portion of the power grid. A Disaster Recovery SCADA centre (DRS), directly controls and

supervises a complementary portion of the power distribution grid.

two types of Remote Terminal Units (RTUs), which interface the SCADAwith power distribution grid: HV RTUs, located at HV substations, and MV

RTUs, located at MV substations. Telco network

Default Proprietary Network of SCADA Public Switched Telephone network (MSC and DRS are connected, via

firewalls, by two redundant, public, high speed Telco links)

Global System Mobile connections

IRRIIS project - SCADA interconnecting power gridand telco network



IRRIIS project - Portion of grid directly observed bySCADA operator (feeding the flooded Telco node)



IRRIIS project - SCADA system and its mapping onthe whole power grid

S SC



MICIE will design and implement a so-called "MICIEalerting system"

MICIE alerting system will support the CI operatorsby means of an on line risk prediction tool thatprovides them a real time risk level making use ofCI models

CI operators are currently assumed to be SCADAand NMS operators

QoS of SCADA system interconnecting aPower grid and a Telco network:

Framework

MICIE main product



MICIE: How can models predict the risk ofloss/degradation the QoS of SCADA and

NMS operators?




How can models predict the risk of loss/degradation the QoS ofSCADA and NMS operators with the final aim to improve thequality of power to grid customers?

Reference scenario and service oriented approach

Fault Isolation and System Restoration (FISR) service

Risk of loss/degradation of FISR

FISR models

Indicators of risk of loss/degradation of FISR FISR models for the online risk prediction tool

Quality of services of SCADA and NMS operators



Reference Scenario consists in identification of

services, sequences of adverse events that could impair the quality of such

services (i.e. in terms of continuity, readiness, performances, timeresponse)

the set of interconnected networks supporting such services (in

terms of topologies, essential systems (i.e. Telco emergencypower supply, cooling systems))

interconnections among networks and systems

MICIE project

Reference scenario and service orientedapproach

U d t di i k f l /d d ti f (SCADA



methodology

modelstools

scenarios

Understanding risk of loss/degradation of (SCADAand NMS operators) services due to

interdependencies

A recursive approach



MICIE Reference scenario currently includes the followingsubset of interconnected networks/CIs:

E CI, Electrical CI: a portion of the electrical 22 KV grid and of

161 KV transmission lines

C CI, Communication: a portion of communication transmissionequipments. It transfers information and data from Remote Terminal Units and

control centres of SCADA and Network Management System for thecontrol and the management of the CIs ( it does not include SCADA

and NMS systems)

ICT CI, SCADA system for 22KV grid and NMS system for controland management of fibre optic grid

It also includes all the Automatic systems on substations thatare included in scenarios

Reference scenario & service oriented approach

Interconnected networks



Reference scenario and service oriented approachE CI Electrical 22 KV grid portion


18/31


Reference scenario and service oriented approachE CI Electrical 22 KV grid portion

(interconnected with C CI and ITC CI)


19/31


Reference scenario and service oriented approachCCI Communication portion and NMS


20/31


Reference scenario and service oriented approachSCADA and interconnections (C CI and NMS)

R f i d i i d h


21/31


Reference scenario and service oriented approachEvents impact (through interconnected CI) on energy

supplied to MV grid customers


22/31


A first set of services have been identified:

trying to reveal interdependencies and thus opening the wayto cascading failures and escalation effects;

Mutual interactions of services; what a service requires (or it

is supposed to require) in order to be properly supplied, interms of ancillary services and company policies andstrategies.

services can be lost (ON/OFF) or can degradate (Quality ofService)

services loss or degradation can propagate impacting on thefinal (end) user with diverse severities.

Reference scenario and service oriented approach:services identification


23/31


Currently we are focusing on the service Fault Isolationand System Restoration

performed by SCADA operator by means of SCADAcontrol centre of the MV power distribution network

Outages in MV power distribution network, need to beautomatically detected, isolated and the network has tobe restored to power its end users again.

Fault Isolation & System Restoration (FISR) service


24/31


Risk of loss/degradation of FISR service

The quality of FISR service affects the quality of power supply interms of

SAIDI

SAIFI

CAIFI

The degradation/loss of FISR service performed by SCADAoperator, is critical because it is strictly correlated to the quality ofpower supplied to customers.

A timely actuation of FISR service, consequential to a permanentfailure of the grid, reduces the outage duration


25/31


FISR models and tools(tools) [online/offline]

Reliability of Interconnected networks

FISR dependability(WNRA reliability analyzer) [online] FISR performance and rerouting (NS2 simulator) [offline]

FISR worst case measures in presence of hacker attacks (MILPalgorithm) [online]

Bayesian Belief Networks (GENIE) [online]

Holistic Reductionistic models (CISIA extension)[online]

Deterministic and Agent Based simulation (RAO)[online]

Raw data models of operational status(algorithm)[online]


26/31


27/31


SCADA systemSCADA implements FISR on Power Grid

by monitoring/ controlling/ reconfiguring

the grid (measures/ switches/RTUs)

SCADA Control Centre

RTU

Gateway

Ethernet Bus

FIU

MOSCAD

WP2000Interconnected networks supporting FISR

WP2000


28/31


Telco networkHierarchical structure

Backbone (Point of Presence)

Transit Exchange (TeX)

Local Access (LeX)

WP2000

Interconnected networks supporting FISR

WP2000


29/31


Power grid,SCADA system, Telco network

WP2000Interconnected networks supporting FISR

INTERCONNECTIONS

SCADA and Telco

Telco and HV grid

RTUs, SCADA andTelco devicesenergised by Powergrid by means ofemergency powersupply systems

see D2.2.1


30/31


Indicators of risk of loss/degradation of FISR

Performances of FISR (NS2 models)

Dynamical path between SCADA control centre and RTUs Throughput of nodes of Telco network

Round Trip time between SCADA control centre and RTUs FISR response time: the time between the occurrence of loss of power supply to

customers (due to a grid failure) and the restoration of power supply to customers.

outage duration % of affected customers

Dependability of FISR Connectivity between SCADA control centre and RTUs: minpaths and

mincuts (WNRA models)

Reliability and availability between SCADA control centre and RTUs (WNRAmodels)

Probability of loss of a service on occurrence of specific events (BBN

models) Reliability indices of power grid: SAIDI, SAIFI, CAIDI (RAO simulator)

FISR operativity level (CISIA)


31/31

MICIE: Models for the online risk prediction tool

at the state of the art, no single technique has the modelling and theanalytical power to cope with a meaningful and quantitative evaluationof degradation/loss of services performed by SCADA or NMS operatorsat regional/national level.

the aim of risk prediction tool should be a meaningful, on line andpossibly quantitative evaluation of the risk of degradation/loss ofservices performed by SCADA or NMS operators

As a consequence, a successful development of the risk prediction toolshould carefully evaluate all the formalisms and models and QoSindicators investigated and computed within WP2000 and should

integrate the most adequate ones, according to the requirements of theon line risk prediction tool

Minichino Qos of a Scada Sys

Documents