An Integrated Framework for Power and ICT System Risk-based Security Assessment

E. Ciapessoni, D. Cirio, A. Pitto, Ricerca sul Sistema Energetico - RSE S.p.A.
G. Kjolle, SINTEF EN
M. Sforna, TERNA

PowerTech Conference, Grenoble, June 20, 2013


Outline

• Today’s power system criticalities

• The AFTER project

• A Framework for Power and ICT System Risk-based Security Assessment

• Modeling threats and vulnerabilities

• Modeling ICT/PS response

• Conclusions


Today’s power system

• Operational complexity

• New monitoring systems – ICT based

[Figure with repeated PMU labels]

Today’s power system

Main causes of damages due to natural events:

1. Wind storms

2. Ice storms

3. Lightning

Vulnerabilities: Physical infrastructure - power

Today’s power system

• Unexpected behaviour

• System performances affected by RES

Vulnerabilities: System instability (small or large disturbances)

Today’s power system

• Cascading black-out often caused by rare (possibly correlated) N-k events

[Figure dated 2006/11/04]

The AFTER project

• An EU FP7 3-year project started in Sept 2011

• MAIN GOAL: increasing the TSO capabilities in creating, monitoring and managing secure power system infrastructures, being able to survive large disturbances and to efficiently restore the supply after major disruptions.

• Defining a framework - including methodologies, tools and techniques – able to:

– Assess the risk, as hazard, vulnerability and impact analysis, of the interconnected and integrated electrical power and ICT systems.

– Design and evaluate global defense and restoration plans.

What does RISK mean?

• Assessing risk calls for the following tasks:

– identifying and classifying threats and component vulnerabilities

– probabilistic modeling of threats, component vulnerabilities and power system contingencies

– simulating stochastic behavior of control, defense and protection systems in power systems affected by contingencies

– defining and calculating risk indicators

• Both ICT failures and physical component outages must be included in the security analyses

AFTER approach

[Diagram labels: Threats; Vulnerabilities; Contingency: N-k (physical), ICT (physical and logical); Probability; Impact; Based on cascading simulation; Risk indices]

Approach Foundations: Definitions

• Threat: Any indication, circumstance, or event with the potential to disrupt or destroy critical infrastructure, or any element thereof.

• Vulnerability: A characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to destruction or incapacitation by a threat.

• Contingency: unplanned outage of one or more components caused by a threat exploiting one or more vulnerabilities of the component itself

[Diagram: Threats T1 … Ti … T_NT; Vulnerabilities V1 … Vj … V_NV; Component contingencies C1 … Ch … C_NC; System contingency; Offline models; Online monitoring]

Statistics on threats

• Preliminary investigations on operational yearbooks by ENTSO-E and US NERC disturbance reports:

– Root cause analysis ⇒ pie charts for root causes

– Statistical analysis of reliability indicators (Energy not supplied, Restoration time)

[Pie chart: Causes of power system outages - year 2008. Legend: overload; false operation; failure in protection device or other element; external events (animals, trees, fire, avalanches etc); exceptional conditions (weather, natural disaster etc); other reasons; unknown reasons. Slice values as extracted, not matched to legend entries: 10%, 10%, 21%, 24%, 12%, 9%, 16%]

Most common root causes of disturbances:

– Weather conditions for US disturbances

– Equipment failures for EU disturbances

Classifying threats

Power component threats

• Natural

– External (Exogenous): Lightning, fires, ice/snow storms, floods, solar storms

– Internal (Endogenous): Component faults, strained operating conditions

• Man-related

– External (Exogenous): Unintentional damage by operating a crane; Sabotage, terrorism, outsider errors

– Internal (Endogenous): Employee errors; Malicious actions by unfaithful employees

Classifying threats

ICT threats (Physical or Logical)

• Natural

– External (Exogenous): Ice and snow, floods, Fire and high temperature, solar storm

– Internal (Endogenous): ICT component internal faults; Data overflow

• Man-related

– External (Exogenous): Hacker, Sabotage, Malicious outsider

– Internal (Endogenous): SW bugs, Employee errors, Malicious actions by unfaithful employees

Threat dependency: a sample framework for natural threats

[Diagram; labels as extracted, connections not recoverable: Component ageing; earthquakes; landslides; floods; Strong wind; Power system; vegetation; Ground movements; Component damages due to ground acceleration; Overflowing dams; Component damages, e.g. transformer outages; e.g. OHL pylons damaged; e.g. OHL conductor damages; fires; Lateral contacts; Increasing sag; Higher stress; Rain/ice/snow; Animals; Pollution; e.g. insulator flashover; Bird drops; e.g. increases salt deposit in marine environments; Solar storms; Component damages; Ice accretion; e.g. transformer damages/explosion]

Contingency modeling for power components

Probability of failure of one component located at x, affected by one threat Thr, at time $t_0$ over the time interval $\Delta t = t - t_0$:

$$P_F(x,t) = \int_{t_0}^{t} \int_{S} P_V(t \mid \tau, s, x) \cdot p_{Thr}(\tau, s, x)\, ds\, d\tau$$

$P_F(x,t)$ = probability that the component, located in x - intact at initial time $t_0$ - fails within time instant t

$P_V(t \mid \tau, s, x)$ = conditional probability that the component fails at time t due to value s of stress variable S (relevant to threat Thr) at time instant τ. Also the vulnerability of component is a function of time, due for instance to ageing or maintenance processes

$p_{Thr}(\tau, s, x)$ = probability density function of occurrence of a threat Thr applying the stress variable S in location x, at time instant τ.

The stress variables related to a threat indicate the physical quantities through which the threat affects the component vulnerabilities.

Contingency modeling for power components

Probability of failure of one component located at x, affected by one threat Thr, at time $t_0$ over the time interval $\Delta t = t - t_0$:

$$P_F(x,t) = \int_{t_0}^{t} \int_{S} P_V(t \mid \tau, s, x) \cdot p_{Thr}(\tau, s, x)\, ds\, d\tau$$

Threat probability density function:

• Statistical analyses on historical data: lightnings, solar storms, landslides, earthquakes, ageing

• Experts’ knowledge: human errors, malicious attacks, sabotage/theft

Contingency modeling for power components

Probability of failure of one component located at x, affected by one threat Thr, at time $t_0$ over the time interval $\Delta t = t - t_0$:

$$P_F(x,t) = \int_{t_0}^{t} \int_{S} P_V(t \mid \tau, s, x) \cdot p_{Thr}(\tau, s, x)\, ds\, d\tau$$

Vulnerability distribution function:

• Statistical analyses on historical data: fragility curves from records and ad hoc tests

• Experts’ knowledge:

– knowledge on physical protection systems

– assumptions on reactions to terrorist attacks

Threats probabilistic modeling: generalities

• Long term models: ∆t = 1 year

– Rely on historical series analyses

• Short term models: ∆t = 15-30 min

– Call for real time monitoring systems

• Remember threat dependency!

Threats probabilistic modeling: some examples

• Long/medium term models:

– Weather-related threats -> extreme value distributions tuned on historical series analyses

– Fires/animals -> Bayes networks

• Man related threats:

– Human errors -> Performance shaping factors, MERE model

– Intentional attacks -> semi-Markov chains, attack trees and Bayesian networks

[Figure: Bayes net for attack to physical infrastructure. Node labels: Attacker Group; Target; Intensity of attack; Success of attack; Component Vulnerability; Geographical location; Physical protection of assets]

[Figure: Semi-Markov chain for intrusion into a computer system]

Vulnerability probabilistic modeling

• Interest in separately assessing threat and vulnerability probabilities

– Possibility to distinguish «actual risk» from «potential risk»

• Possible to use similar distributions to describe the vulnerability to different threats

– lognormal distributions for vulnerability to earthquakes and landslides

– Weibull distributions for ageing and for polluting agents

• For man related threats, vulnerability of the target depends on adopted protection systems for physical security
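Added example, not from the slides or from the AFTER/PRACTICE tools: a numerical evaluation of the P_F double integral from the "Contingency modeling for power components" slides, with an extreme-value threat density and a lognormal fragility curve as named under "Threats probabilistic modeling" and "Vulnerability probabilistic modeling". The stationary rate × Gumbel form of p_Thr, the use of a lognormal fragility for wind, the linear ageing term and all parameter values are assumptions constructed for illustration.

```python
import math

def gumbel_pdf(s, loc, scale):
    """p(s): extreme-value (Gumbel) density of the stress variable S."""
    z = (s - loc) / scale
    return math.exp(-z - math.exp(-z)) / scale

def fragility(s, median, beta):
    """P_V: lognormal fragility curve, P(failure | stress s)."""
    return 0.5 * (1.0 + math.erf(math.log(s / median) / (beta * math.sqrt(2.0))))

def failure_probability(t0, t, rate, loc, scale, median0, beta,
                        ageing=0.0, s_max=120.0, n_tau=24, n_s=600):
    """Midpoint-rule double integral of P_V * p_Thr over [t0, t] x (0, s_max].

    Assumed forms (not from the slides):
      p_Thr(tau, s, x)   = rate * gumbel_pdf(s)   stationary, rate in events/year
      P_V(t | tau, s, x) = fragility(s, median0 * (1 - ageing * tau), beta)
    With a rate-type density the integral is an expected failure count, which
    approximates a probability only while it stays well below 1.
    """
    d_tau = (t - t0) / n_tau
    d_s = s_max / n_s
    total = 0.0
    for i in range(n_tau):
        tau = t0 + (i + 0.5) * d_tau
        median = median0 * (1.0 - ageing * tau)   # ageing lowers the withstand level
        for j in range(n_s):
            s = (j + 0.5) * d_s                   # midpoint, so s > 0 always
            total += fragility(s, median, beta) * rate * gumbel_pdf(s, loc, scale) * d_s
    return total * d_tau

# Constructed parameters: wind gusts in m/s acting on one overhead-line span.
WIND = dict(rate=4.0, loc=25.0, scale=5.0, median0=50.0, beta=0.15)

def horizons():
    """P_F for the long-term (1 year) and short-term (30 min) horizons."""
    year = failure_probability(0.0, 1.0, **WIND)
    half_hour = failure_probability(0.0, 0.5 / 8760.0, **WIND)
    return year, half_hour

if __name__ == "__main__":
    print("P_F(1 year) = %.4g, P_F(30 min) = %.4g" % horizons())
```

Keeping the fragility and the threat density as separate functions mirrors the slide's point about assessing threat and vulnerability probabilities separately: either one can be swapped without touching the other.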

Modeling the ICT/PS response: cascading simulation

• ICT/PS response to contingencies may lead to cascadings and finally to blackouts

• Ongoing research on cascading engines

– works by IEEE CAMS TF «Understanding, Prediction, Prevention and Restoration of Cascading Failures»

• AFTER starts from the cascading engine of PRACTICE tool, a risk assessment SW developed in RSE

[Figures: Cascading trippings on the Italian border, Sept 2003; EU grid separation after cascading trippings, Nov 2006; Cascading trippings during S-W USA blackout, Sept 2011]

Modeling the ICT/PS response: the PRACTICE cascading engine

• PRACTICE has a quasi static cascading engine which simulates at least the early stages of cascading

– taking into account the steady state response of main control/defense and protection systems

• The tool considers:

– possible protection malfunctions in fault clearing (stuck breaker, bus differential protection out of service)

– hidden failures of protection relays

• Ongoing development to include human behaviours, malicious attacks, further ICT failure modes and delays in communication nets


[Figure: Risk of loss of load due to contingencies in case of no hidden failures on protection relays (green bars) and in case of a 1% probability of hidden relay failures (blue bars)]

Conclusions

• AFTER EU FP7 project

– Presented a general framework to classify and model the threats occurring on power and ICT components, and the relevant component vulnerabilities

– Discussed some aspects related to the models for threats and vulnerabilities to be implemented in AFTER prototype.

• A quasi-steady state simulation of possible cascading paths, by using a specific software tool (PRACTICE), is adopted, taking into account uncertainties in protection settings and in relay response to hidden failures.

• Preliminary investigations confirm the significant impact of ICT subsystem failures on power system operation, which are explored in depth in the AFTER project.

• Next steps will be devoted to the integration of the contingency models with the probabilistic model of the integrated ICT/PS response. The eventual aim is to obtain a probabilistic application for risk assessment and control over planning and operation time horizons.

Thank you for your attention!

AFTER project website: www.after-project.eu

EU Project N. 261788

Contact the project coordinator!

[email protected]
