An Integrated Framework for Power and ICT System Risk-based Security Assessment
E. Ciapessoni, D. Cirio, A. Pitto, Ricerca sul Sistema Energetico - RSE S.p.A.
G. Kjolle, SINTEF EN
M. Sforna, TERNA
PowerTech Conference
Grenoble, June 20, 2013
Outline
• Today’s power system criticalities
• The AFTER project
• A Framework for Power and ICT System Risk-based Security Assessment
• Modeling threats and vulnerabilities
• Modeling ICT/PS response
• Conclusions
Today’s power system
• Operational complexity
• New monitoring systems – ICT based
[Figure: grid map with PMU (phasor measurement unit) installations]
Today’s power system
Vulnerabilities: physical infrastructure - power
Main causes of damages due to natural events:
1. Wind storms
2. Ice storms
3. Lightning
Today’s power system
Vulnerabilities: system instability (small or large disturbances)
• Unexpected behaviour
• System performance affected by RES (renewable energy sources)
[Figure: disturbance of 2006/11/04]
Today’s power system
• Cascading: black-outs are often caused by rare (possibly correlated) N-k events
The AFTER project
• An EU FP7 3-year project started in Sept 2011
• MAIN GOAL: increasing the TSO capabilities in creating, monitoring and managing secure power system infrastructures, able to survive large disturbances and to efficiently restore the supply after major disruptions.
• Defining a framework - including methodologies, tools and techniques - able to:
  – Assess the risk, as hazard, vulnerability and impact analysis, of the interconnected and integrated electrical power and ICT systems.
  – Design and evaluate global defense and restoration plans.
What does RISK mean?
• Assessing risk calls for the following tasks:
  – identifying and classifying threats and component vulnerabilities
  – probabilistic modeling of threats, component vulnerabilities and power system contingencies
  – simulating the stochastic behavior of control, defense and protection systems in power systems affected by contingencies
  – defining and calculating risk indicators
• Both ICT failures and physical component outages must be included in the security analyses
AFTER approach
[Diagram: threats and vulnerabilities combine into contingencies - N-k (physical) and ICT (physical and logical) - each with a probability; the impact of a contingency is evaluated by cascading simulation; probability and impact are combined into risk indices]
Approach foundations: definitions
• Threat: any indication, circumstance, or event with the potential to disrupt or destroy critical infrastructure, or any element thereof.
• Vulnerability: a characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to destruction or incapacitation by a threat.
• Contingency: unplanned outage of one or more components caused by a threat exploiting one or more vulnerabilities of the component itself.
[Diagram: threats T1 … Ti … T_NT and vulnerabilities V1 … Vj … V_NV combine into component contingencies C1 … Ch … C_NC, which together form the system contingency; threats and vulnerabilities are characterised by offline models and by online monitoring]
Statistics on threats
• Preliminary investigations on operational yearbooks by ENTSO-E and US NERC disturbance reports:
  – Root cause analysis ⇒ pie charts for root causes
  – Statistical analysis of reliability indicators (energy not supplied, restoration time)
[Pie chart: causes of power system outages - year 2008; categories: overload; false operation; failure in protection device or other element; external events (animals, trees, fire, avalanches etc.); exceptional conditions (weather, natural disaster etc.); other reasons; unknown reasons]
Most common root causes of disturbances:
– weather conditions for US disturbances
– equipment failures for EU disturbances
Classifying threats: power component threats
• Natural
  – External (exogenous): lightning, fires, ice/snow storms, floods, solar storms
  – Internal (endogenous): component faults, strained operating conditions
• Man-related
  – External (exogenous): unintentional damage by operating a crane; sabotage, terrorism, outsider errors
  – Internal (endogenous): employee errors; malicious actions by unfaithful employees
Classifying threats: ICT threats (physical or logical)
• Natural
  – External (exogenous): ice and snow, floods, fire and high temperature, solar storm
  – Internal (endogenous): ICT component internal faults, data overflow, component ageing
• Man-related
  – External (exogenous): hacker, sabotage, malicious outsider
  – Internal (endogenous): SW bugs, employee errors, malicious actions by unfaithful employees
Threat dependency: a sample framework for natural threats
[Diagram of dependencies among natural threats and their effects on the power system. Threats shown: earthquakes, landslides, floods, strong wind, rain/ice/snow, fires, animals, pollution, solar storms. Intermediate effects: ground movements, overflowing dams, vegetation, lateral contacts, increasing sag, higher stress, ice accretion, bird drops. Resulting component damages, e.g.: damages due to ground acceleration, transformer outages, OHL pylons damaged, OHL conductor damages, insulator flashover, increased salt deposit in marine environments, transformer damages/explosion]
Contingency modeling for power components
Probability of failure of one component located at x, affected by one threat Thr, at time t0 over the time interval ∆t = t − t0:

$$P_F(x,t) = \int_{t_0}^{t} \int_{S} P_V(t \mid \tau, s, x)\, p_{Thr}(\tau, s, x)\, ds\, d\tau$$

$P_F(x,t)$ = probability that the component, located in x - intact at initial time t0 - fails within time instant t
$P_V(t \mid \tau, s, x)$ = conditional probability that the component fails at time t due to value s of stress variable S (relevant to threat Thr) at time instant τ. The vulnerability of the component is also a function of time, due for instance to ageing or maintenance processes
$p_{Thr}(\tau, s, x)$ = probability density function of occurrence of a threat Thr applying the stress variable S in location x, at time instant τ.
The stress variables related to a threat indicate the physical quantities through which the threat affects the component vulnerabilities.
Contingency modeling for power components
Probability of failure of one component located at x, affected by one threat Thr, at time t0 over the time interval ∆t = t − t0:

$$P_F(x,t) = \int_{t_0}^{t} \int_{S} P_V(t \mid \tau, s, x)\, p_{Thr}(\tau, s, x)\, ds\, d\tau$$

Threat probability density function $p_{Thr}(\tau, s, x)$, derived from:
• Statistical analyses on historical data: lightnings, solar storms, landslides, earthquakes, ageing, …
• Experts’ knowledge: human errors, malicious attacks, sabotage/theft, …
Contingency modeling for power components
Probability of failure of one component located at x, affected by one threat Thr, at time t0 over the time interval ∆t = t − t0:

$$P_F(x,t) = \int_{t_0}^{t} \int_{S} P_V(t \mid \tau, s, x)\, p_{Thr}(\tau, s, x)\, ds\, d\tau$$

Vulnerability distribution function $P_V(t \mid \tau, s, x)$, derived from:
• Statistical analyses on historical data: fragility curves from records and ad hoc tests, …
• Experts’ knowledge: knowledge on physical protection systems; assumptions on reactions to terrorist attacks, …
Threats probabilistic modeling: generalities
• Long term models: ∆t = 1 year
  – Rely on historical series analyses
• Short term models: ∆t = 15-30 min
  – Call for real time monitoring systems
• Remember threat dependency!
Threats probabilistic modeling: some examples
• Long/medium term models:
  – Weather-related threats -> extreme value distributions tuned on historical series analyses
  – Fires/animals -> Bayes networks
• Man related threats:
  – Human errors -> performance shaping factors, MERE model
  – Intentional attacks -> semi-Markov chains, attack trees and Bayesian networks
[Figure: Bayes net for attack to physical infrastructure, with nodes Attacker group, Target, Intensity of attack, Success of attack, Component vulnerability, Geographical location and Physical protection of assets; semi-Markov chain for intrusion into a computer system]
Vulnerability probabilistic modeling
• Interest in separately assessing threat and vulnerability probabilities
  – Possibility to distinguish «actual risk» from «potential risk»
• Possible to use similar distributions to describe the vulnerability to different threats
  – lognormal distributions for vulnerability to earthquakes and landslides
  – Weibull distributions for ageing and for polluting agents
• For man related threats, vulnerability of the target depends on adopted protection systems for physical security
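As an added worked example (not code from the AFTER project or the PRACTICE tool), the double integral of the contingency model above is evaluated numerically for one component at a site x subject to the earthquake threat, using a lognormal fragility curve as suggested for earthquakes and a fragility median that decays with ageing; the site parameters, the event rate and the stress distribution in SITE are constructed assumptions.

```python
import math

# Added example (not code from the AFTER project or the PRACTICE tool):
# numerical evaluation of the contingency model of the slides,
#   P_F(x,t) = ∫_{t0}^{t} ∫_S P_V(t|τ,s,x) · p_Thr(τ,s,x) ds dτ
# for one component at site x subject to the earthquake threat. The stress
# variable S is peak ground acceleration (PGA, in g). Every parameter in
# SITE is a constructed assumption, not a value from the project.

SITE = {                      # "x": site and component parameters
    "rate_per_year": 0.2,     # mean number of earthquakes per year felt at x
    "pga_median": 0.08,       # median PGA (g) of one event at x, lognormal
    "pga_beta": 0.8,          # log-standard deviation of event PGA
    "frag_median": 0.35,      # fragility median (g) of the intact component
    "frag_beta": 0.5,         # fragility log-standard deviation
    "ageing_per_year": 0.02,  # relative yearly loss of fragility median
}

def lognormal_cdf(s, median, beta):
    return 0.5 * (1.0 + math.erf(math.log(s / median) / (beta * math.sqrt(2.0))))

def lognormal_pdf(s, median, beta):
    z = math.log(s / median) / beta
    return math.exp(-0.5 * z * z) / (s * beta * math.sqrt(2.0 * math.pi))

def p_v(t, tau, s, x):
    """Vulnerability P_V(t|τ,s,x): probability that the component fails when
    stress s is applied at τ. Ageing lowers the fragility median with τ
    (the slides suggest lognormal curves for earthquakes and Weibull for
    ageing; a linear median decay is used here as a simplification)."""
    median = x["frag_median"] * (1.0 - x["ageing_per_year"] * tau)
    return lognormal_cdf(s, median, x["frag_beta"])

def p_thr(tau, s, x):
    """Threat density p_Thr(τ,s,x): event rate at x times the pdf of the
    stress value s an event applies (assumed stationary in τ)."""
    return x["rate_per_year"] * lognormal_pdf(s, x["pga_median"], x["pga_beta"])

def failure_probability(x, t0, t, s_max=2.0, n_s=400, n_t=50):
    """Midpoint-rule evaluation of the double integral over [t0,t] x (0,s_max]."""
    ds, dt = s_max / n_s, (t - t0) / n_t
    total = 0.0
    for i in range(n_t):
        tau = t0 + (i + 0.5) * dt
        for j in range(n_s):
            s = (j + 0.5) * ds
            total += p_v(t, tau, s, x) * p_thr(tau, s, x) * ds * dt
    return total

if __name__ == "__main__":
    print("P_F over 1 year  :", round(failure_probability(SITE, 0.0, 1.0), 4))
    print("P_F over 10 years:", round(failure_probability(SITE, 0.0, 10.0), 4))
```

Changing only the site entries (event rate, stress distribution, fragility) shows the separation of threat and vulnerability probabilities the slide argues for: the same P_V can be reused at a site with a different p_Thr, and vice versa.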
Modeling the ICT/PS response: cascading simulation
• ICT/PS response to contingencies may lead to cascadings and finally to blackouts
• Ongoing research on cascading engines
  – works by IEEE CAMS TF «Understanding, Prediction, Prevention and Restoration of Cascading Failures»
• AFTER starts from the cascading engine of the PRACTICE tool, a risk assessment SW developed in RSE
[Figures: cascading trippings on the Italian border, Sept 2003; EU grid separation after cascading trippings, Nov 2006; cascading trippings during the S-W USA blackout, Sept 2011]
Modeling the ICT/PS response: the PRACTICE cascading engine
• PRACTICE has a quasi-static cascading engine which simulates at least the early stages of cascading
  – taking into account the steady state response of main control/defense and protection systems
• The tool considers:
  – possible protection malfunctions in fault clearing
    • stuck breaker, bus differential protection out of service
  – hidden failures of protection relays
• Ongoing development to include human behaviours, malicious attacks, further ICT failure modes and delays in communication nets
[Figure: risk of loss of load due to contingencies, in case of no hidden failures on protection relays (green bars) and in case of a 1% probability of hidden relay failures (blue bars)]
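As an added illustration (not the PRACTICE engine, whose cascading simulation is far richer than this), a minimal computation of the risk-of-loss-of-load index behind the figure: the same contingency set is evaluated with no hidden relay failures (green bars) and with a 1% hidden-failure probability per relay (blue bars). The contingency list, its probabilities, relay sets and outage sizes are constructed values.

```python
import itertools

# Added example (not code from the PRACTICE tool): risk of loss of load with
# and without hidden failures of protection relays. When a relay involved in
# clearing the fault has a hidden failure, the fault is cleared by remote
# backup and a larger area is lost; with two or more failed relays the area
# separates. All contingencies, probabilities and MW figures are constructed.

CONTINGENCIES = [
    # (name, yearly probability, MW lost with correct clearing,
    #  {relay: MW lost if that relay alone has a hidden failure},
    #  MW lost if two or more of its relays fail to operate)
    ("line L1 fault",        0.05,    0.0, {"R1": 120.0, "R2": 300.0}, 1500.0),
    ("transformer T1 fault", 0.02,   40.0, {"R3": 500.0},               500.0),
    ("busbar B1 fault",      0.005, 150.0, {"R4": 900.0, "R5": 900.0}, 2500.0),
]

def loss_of_load(contingency, failed_relays):
    """Outage size (MW) given the set of relays that did not operate."""
    _, _, base, single, multi = contingency
    if not failed_relays:
        return base
    if len(failed_relays) == 1:
        return single[next(iter(failed_relays))]
    return multi

def expected_loss(contingency, p_hidden):
    """E[loss | contingency]: enumerate every combination of hidden failures
    among the relays involved, assumed independent with probability p_hidden."""
    relays = list(contingency[3])
    expected = 0.0
    for outcome in itertools.product((False, True), repeat=len(relays)):
        prob, failed = 1.0, set()
        for relay, has_hidden_failure in zip(relays, outcome):
            prob *= p_hidden if has_hidden_failure else 1.0 - p_hidden
            if has_hidden_failure:
                failed.add(relay)
        expected += prob * loss_of_load(contingency, failed)
    return expected

def risk_index(contingencies, p_hidden):
    """Risk of loss of load: sum of P(contingency) * E[loss | contingency], MW/year."""
    return sum(c[1] * expected_loss(c, p_hidden) for c in contingencies)

def risk_by_contingency(contingencies, p_hidden):
    """Per-contingency contributions, i.e. the bars of the figure."""
    return {c[0]: c[1] * expected_loss(c, p_hidden) for c in contingencies}

if __name__ == "__main__":
    for p in (0.0, 0.01):   # green bars vs blue bars
        print(f"p_hidden={p:.2f}: {risk_index(CONTINGENCIES, p):.3f} MW/yr",
              risk_by_contingency(CONTINGENCIES, p))
```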
Conclusions
• AFTER EU FP7 project
  – Presented a general framework to classify and model the threats occurring on power and ICT components, and the relevant component vulnerabilities
  – Discussed some aspects related to the models for threats and vulnerabilities to be implemented in the AFTER prototype.
• A quasi-steady state simulation of possible cascading paths, using a specific software tool (PRACTICE), is adopted, taking into account uncertainties in protection settings and in relay response to hidden failures.
• Preliminary investigations confirm the significant impact of ICT subsystem failures on power system operation, which are explored in depth in the AFTER project.
• Next steps will be devoted to the integration of the contingency models with the probabilistic model of the integrated ICT/PS response. The eventual aim is to obtain a probabilistic application for risk assessment and control over planning and operation time horizons.
Thank you for your attention!
AFTER project website: www.after-project.eu
EU Project N. 261788
Contact the project coordinator!