EU Project N.261788
AFTER

Extended Risk Analysis of Power and ICT Systems
C. Brasca, E. Ciapessoni, D. Cirio, A. Pitto, Ricerca sul Sistema Energetico - RSE S.p.A.
A. Morini, Università degli Studi di Genova
M. Sforna, TERNA
ISGT Europe 2013
Copenhagen, October 7-9, 2013
Outline
• Today's power system criticalities
• The AFTER project
• A framework for power and ICT system risk-based security assessment
• Modeling threats and vulnerabilities
• Modeling ICT/PS response
• Conclusions
Today's power system
[Figure: block diagram of today's power system and its ICT layer. Transmission System Operator (national and regional control centres with EMS, SCADA, state estimator, defence management, WAMS, network models), Distribution System Operator (control centre, SCADA, meter concentrators), generation companies (plant control rooms, generation control SCADA, AVR/PFR/PQR regulators), EHV/HV/MV substations (station computers, IEDs, protections, PMUs, FACTS, ULTC, shunt reactors and capacitors) and distributed power generation. Two callouts: "Operational complexity" and "New monitoring systems - ICT based" (PMUs).]
Today's power system: vulnerabilities
Physical infrastructure - power
Main causes of damage due to natural events:
1. Wind storms
2. Ice storms
3. Lightning
Today's power system: cascading
• Blackouts are often caused by rare (possibly correlated) N-k events
[Figure: the 2006/11/04 disturbance]
The AFTER project
• EU FP7 3-year project started in September 2011
• MAIN GOAL: increasing the TSO capabilities in creating, monitoring and managing secure power system infrastructures, able to survive large disturbances and to efficiently restore the supply after major disruptions.
• Defining a framework, including methodologies, tools and techniques, able to:
  – assess the risk, as hazard, vulnerability and impact analysis, of the interconnected and integrated electrical power and ICT systems;
  – design and evaluate global defense and restoration plans.
What does RISK mean?
• Assessing risk calls for the following tasks:
  – identifying and classifying threats and component vulnerabilities
  – probabilistic modeling of threats, component vulnerabilities and power system contingencies
  – simulating the stochastic behaviour of control, defense and protection systems in power systems affected by contingencies
  – defining and calculating risk indicators
• Both ICT failures and physical component outages must be included in the security analyses
Approach foundations: definitions
[Figure: offline models (threats T1 … TNT, vulnerabilities V1 … VNV, component contingencies C1 … CNC, system contingency) feeding online monitoring]
• Threat: any indication, circumstance, or event with the potential to disrupt or destroy critical infrastructure, or any element thereof.
• Vulnerability: a characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to destruction or incapacitation by a threat.
• Contingency: unplanned outage of one or more components caused by a threat exploiting one or more vulnerabilities of the component itself.
Statistics on threats
• Preliminary investigations on operational yearbooks by ENTSO-E and US NERC disturbance reports:
  – root cause analysis ⇒ pie charts for root causes
  – statistical analysis of reliability indicators (energy not supplied, restoration time)
[Figure: pie chart "Causes of power system outages - year 2008", with categories: overload; false operation; failure in protection device or other element; external events (animals, trees, fire, avalanches etc.); exceptional conditions (weather, natural disaster etc.); other reasons; unknown reasons]
• Most common root causes of disturbances:
  – weather conditions for US disturbances
  – equipment failures for EU disturbances
Classifying threats: power component threats
• Natural
  – External (exogenous): lightning, fires, ice/snow storms, floods, solar storms
  – Internal (endogenous): component faults, strained operating conditions
• Man-related
  – External (exogenous): unintentional damage (e.g. by operating a crane); sabotage, terrorism, outsider errors
  – Internal (endogenous): employee errors; malicious actions by unfaithful employees
Classifying threats: ICT threats (physical or logical)
• Natural
  – External (exogenous): ice and snow, floods, fire and high temperature, solar storm
  – Internal (endogenous): ICT component internal faults
• Man-related
  – External (exogenous): hacker, sabotage, malicious outsider
  – Internal (endogenous): data overflow, SW bugs, employee errors, malicious actions by unfaithful employees
Threat dependency: a sample framework for natural threats
[Figure: dependency graph linking natural threats to the component damage they induce on the power system. Threat nodes: earthquakes, ground movements, landslides, floods and overflowing dams, rain/ice/snow, strong wind, solar storms, fires, animals (bird drops), vegetation, pollution, component ageing and higher stress. Example consequences: component damage due to ground acceleration, transformer outages, OHL conductor damage, ice accretion and increasing sag, lateral contacts with vegetation, insulator flashover, transformer damage/explosion (solar storms), OHL pylons damaged and increased salt deposit in marine environments (strong wind).]
Contingency modeling for power components
Probability of failure of one component spatially located at $x$, affected by one threat $Thr$, at time $t_0$ over the time interval $\Delta t = t - t_0$:

$$P_F(t, x) = \int_{t_0}^{t} \int_S P_V(t \mid \tau, s, x)\, p_{Thr}(\tau, s, x)\, ds\, d\tau$$

$P_F(t, x)$ = probability that the component, located in $x$ and intact at initial time $t_0$, fails within time instant $t$.
$P_V(t \mid \tau, s, x)$ = conditional probability that the component fails at time $t$ due to value $s$ of the stress variable $S$ (relevant to threat $Thr$) at time instant $\tau$. The vulnerability of the component is also a function of time, due for instance to ageing or maintenance processes.
$p_{Thr}(\tau, s, x)$ = probability density function of occurrence of a threat $Thr$ applying the stress variable $S$ in location $x$, at time instant $\tau$.
The stress variables related to a threat indicate the physical quantities through which the threat affects the component vulnerabilities.
Threats probabilistic modeling: some examples
• Long/medium term models:
  – weather-related threats -> extreme value distributions tuned on historical series analyses
  – fires/animals -> Bayes networks
• Man-related threats:
  – human errors -> performance shaping factors, MERE model
  – intentional attacks -> semi-Markov chains, attack trees and Bayesian networks
[Figure: table "Origin of the disturbances on 380 kV lines (data relevant to period: 1997-2002)" by month, with causes wind, salt wind, ice/snow, galloping, lightning, pollution, humidity, fog, smog, salt deposit, flood, landslides]
[Figure: Bayes net for attack on physical infrastructure, with nodes attacker group, target, geographical location, physical protection of assets, intensity of attack, component vulnerability, success of attack]
[Figure: semi-Markov chain for intrusion into a computer system]
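The slide names a semi-Markov chain for intrusion into a computer system but only shows it as a figure. The following is an added example, not the AFTER project's model: it shows what such a chain yields once its embedded transition probabilities and mean sojourn times are fixed, namely the mean time until the intrusion attempt ends and the probability that it ends in compromise rather than detection. The states (recon, foothold, priv_esc, compromised, detected), the transition probabilities and the sojourn times are hypothetical numbers chosen for illustration.

```python
"""Semi-Markov intrusion model: time to absorption and compromise probability.

Added example, not the AFTER project's model. States, embedded transition
probabilities and mean sojourn times are hypothetical.
"""

# Hypothetical intrusion states: transient states are eventually left by the
# attacker, absorbing states end the process.
TRANSIENT = ["recon", "foothold", "priv_esc"]
ABSORBING = ["compromised", "detected"]

# Embedded Markov chain: TRANSITIONS[i][j] = P(next state is j | leaving i).
# Each row must sum to 1. (Hypothetical values.)
TRANSITIONS = {
    "recon":    {"foothold": 0.7, "detected": 0.3},
    "foothold": {"priv_esc": 0.6, "recon": 0.1, "detected": 0.3},
    "priv_esc": {"compromised": 0.8, "foothold": 0.05, "detected": 0.15},
}

# Mean sojourn time (days) in each transient state. For the expected time to
# absorption only the mean of the sojourn distribution matters.
MEAN_SOJOURN = {"recon": 2.0, "foothold": 1.0, "priv_esc": 0.5}


def solve_linear(a, b):
    """Solve a·x = b for a small dense system by Gauss-Jordan elimination
    with partial pivoting (pure Python, no numpy dependency)."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if m[col][col] == 0.0:
            raise ValueError("singular system: a transient state is never left")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def absorption_analysis(transient, absorbing, transitions, mean_sojourn):
    """Return (mean time to absorption, absorption probabilities) per transient
    state. With Q the transient-to-transient block of the embedded chain, R the
    transient-to-absorbing block and m the mean sojourn vector:
        T = (I - Q)^-1 m        B = (I - Q)^-1 R
    i.e. T_i = m_i + sum_j Q_ij T_j and B_ik = R_ik + sum_j Q_ij B_jk."""
    for state in transient:
        total = sum(transitions[state].values())
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"transition probabilities from {state} sum to {total}")
    i_minus_q = [
        [(1.0 if i == j else 0.0) - transitions[si].get(sj, 0.0)
         for j, sj in enumerate(transient)]
        for i, si in enumerate(transient)
    ]
    times = solve_linear(i_minus_q, [mean_sojourn[s] for s in transient])
    probs = {s: {} for s in transient}
    for outcome in absorbing:
        col = solve_linear(i_minus_q,
                           [transitions[s].get(outcome, 0.0) for s in transient])
        for i, s in enumerate(transient):
            probs[s][outcome] = col[i]
    return dict(zip(transient, times)), probs


def intrusion_summary():
    """Mean days until the attempt ends, and P(compromise), starting from recon."""
    times, probs = absorption_analysis(TRANSIENT, ABSORBING, TRANSITIONS, MEAN_SOJOURN)
    return times["recon"], probs["recon"]["compromised"]
```

The same two quantities are what a threat model built this way feeds into the contingency probabilities: P(compromise) is the probability that the ICT threat materialises, and the mean time to absorption is the window in which detection has to happen. Changing a detection probability in one row (for instance raising "detected" from foothold) and re-running the analysis shows directly how much a monitoring improvement buys.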
Vulnerability probabilistic modeling
• Interest in separately assessing threat and vulnerability probabilities
  – possibility to distinguish «actual risk» from «potential risk»
• Possible to use similar distributions to describe the vulnerability to different threats
  – lognormal distributions for vulnerability to earthquakes and landslides
  – Weibull distributions for ageing and for polluting agents
• For man-related threats, the vulnerability of the target depends on the protection systems adopted for physical security
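The failure-probability formula of "Contingency modeling for power components" and the vulnerability distributions listed just above are two halves of one computation, so the following added example evaluates them together: it plugs a lognormal (and, for comparison, a Weibull) fragility and an extreme-value stress model into the double integral $P_F(t,x) = \int_{t_0}^{t}\int_S P_V(t\mid\tau,s,x)\,p_{Thr}(\tau,s,x)\,ds\,d\tau$ and integrates numerically. This is not code from the AFTER project or the PRACTICE tool; the location $x$ is fixed, so the functions are already specialised to it, and every number (storm rate, Gumbel gust parameters, fragility median and dispersion, ageing rate) is invented.

```python
"""Numerical evaluation of P_F(t, x) for one component and one threat.

Added example, not code from the AFTER project or the PRACTICE tool. The
component location x is fixed, so the threat density and the fragility are
already specialised to it. All parameter values are invented.
"""
import math


def lognormal_cdf(s, median, beta):
    """Lognormal fragility in the stress s (the shape the deck gives for
    earthquakes and landslides): median = stress at 50% failure probability,
    beta = logarithmic standard deviation."""
    if s <= 0.0:
        return 0.0
    z = (math.log(s) - math.log(median)) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def weibull_cdf(s, scale, shape):
    """Weibull fragility in s (the shape the deck gives for ageing and
    polluting agents); shape = 1 is the exponential special case."""
    if s <= 0.0:
        return 0.0
    return 1.0 - math.exp(-((s / scale) ** shape))


def exponential_pdf(mean):
    """Density of an exponentially distributed stress magnitude."""
    def pdf(s):
        return math.exp(-s / mean) / mean if s >= 0.0 else 0.0
    return pdf


def gumbel_pdf(mu, sigma):
    """Gumbel (extreme value) density, the kind of distribution the deck tunes
    on historical series for weather-related threats."""
    def pdf(s):
        z = (s - mu) / sigma
        return math.exp(-(z + math.exp(-z))) / sigma
    return pdf


def stationary_threat(rate_per_year, stress_pdf):
    """p_Thr(tau, s): the threat hits the component rate_per_year times a year
    on average, each time applying a stress s drawn from stress_pdf. The rate
    ignores tau here, but p_thr receives it so a seasonal model drops in."""
    def p_thr(tau, s):
        return rate_per_year * stress_pdf(s)
    return p_thr


def ageing_lognormal_fragility(median0, beta, loss_per_year):
    """P_V(t | tau, s): lognormal fragility whose median stress shrinks by the
    fraction loss_per_year for every year of age t, so the vulnerability itself
    is time dependent, as the deck notes for ageing."""
    def p_v(t, tau, s):
        median = max(median0 * (1.0 - loss_per_year * t), 1e-9)
        return lognormal_cdf(s, median, beta)
    return p_v


def failure_probability(p_thr, p_v, t0, t, s_max, n_t=50, n_s=2000):
    """int_{t0}^{t} int_S P_V(t | tau, s, x) p_Thr(tau, s, x) ds dtau over
    S = [0, s_max], by the composite trapezoidal rule on both axes.

    Caveat: the integral sums failure probability over all threat occurrences
    without conditioning on the component still being intact, so it is a good
    approximation of P_F only while the result is small (rare events)."""
    if t <= t0:
        return 0.0
    d_tau = (t - t0) / n_t
    d_s = s_max / n_s
    total = 0.0
    for i in range(n_t + 1):
        tau = t0 + i * d_tau
        w_tau = 0.5 if i in (0, n_t) else 1.0
        inner = 0.0
        for j in range(n_s + 1):
            s = j * d_s
            w_s = 0.5 if j in (0, n_s) else 1.0
            inner += w_s * p_v(t, tau, s) * p_thr(tau, s)
        total += w_tau * inner * d_s
    return total * d_tau


def wind_example(years=1.0):
    """Hypothetical OHL span hit by 5 storm episodes a year whose peak gust
    (m/s) is Gumbel(25, 6); it fails at a median gust of 45 m/s (beta = 0.2),
    the median falling 1%/year with age. Returns P_F over `years` from new."""
    p_thr = stationary_threat(5.0, gumbel_pdf(25.0, 6.0))
    p_v = ageing_lognormal_fragility(45.0, 0.2, 0.01)
    return failure_probability(p_thr, p_v, 0.0, years, 120.0)
```

Keeping `p_thr` and `p_v` as separate callables is what makes the "actual risk" versus "potential risk" distinction above computable: the same fragility can be integrated against the threat density of two sites, or the same site's threat against a new and an aged component, without touching the integrator.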
Modeling the ICT/PS response: cascading simulation
• The ICT/PS response to contingencies may lead to cascadings and finally to blackouts
• Ongoing research on cascading engines
  – works by the IEEE CAMS TF "Understanding, Prediction, Prevention and Restoration of Cascading Failures"
• AFTER starts from the cascading engine of the PRACTICE tool, a risk assessment software developed in RSE
[Figures: cascading trippings on the Italian border, Sept 2003; EU grid separation after cascading trippings, Nov 2006; cascading trippings during the S-W USA blackout, Sept 2011]
Modeling the ICT/PS response: the PRACTICE cascading engine
• PRACTICE has a quasi-static cascading engine which simulates at least the early stages of cascading
  – taking into account the steady-state response of the main control/defense and protection systems
• Cascading evolution is analysed along different paths, considering the stochastic response of protection systems:
  – possible malfunctions during fault clearing and in the post-fault period
  – uncertain settings of overcurrent protection relays
  – hidden failures of relays in the on-fault period
• Different load shedding (LS) schemes (underfrequency LS, anti-cascading LS) are simulated, and operators' behaviours are probabilistically represented, accounting for different levels of observability/controllability and for time delays in deploying control actions.
Risk indices calculation
Different metrics are available to assess the impact of contingencies on the power system:
– the loss of load at the end of the cascading process triggered by a contingency
– a function of the (over-)currents on longitudinal elements immediately after the contingency
– a function of the node voltages immediately after the contingency
AFTER framework for power and ICT risk assessment
[Figure: block diagram of the framework, summarised below]
• Threats and vulnerability modeling: threat models and component/element/system vulnerability models, fed by threat and vulnerability data, drive a scenario generator producing component/element/system contingencies (power | ICT) and their probabilities. Dependencies among threats and functional dependence among components are taken into account inside this module.
• Contingency selection: selection criteria pick the critical hybrid N-k-j contingencies involving k power component contingencies and j ICT malfunctions, giving the overall contingency (power + ICT) and its probabilities.
• Impact modeling (probabilistic cascading): use of the AFTER multi-path cascading engine, with injection uncertainties, other influent factors and models of automatic/manual actions (SPS, operator...).
• Risk indexes calculation.
Case study (I)
• Application to IEEE RTS 1979
• Contingency definition (threat = lightning)

Rate of occurrence of lightning-induced faults
Voltage level [kV]    Failure rate λ [faults/(100 km·yr)]
380                   0.90
220                   1.11
132                   1.60

• Different contingencies analysed:
  – N-1 branch
  – N-k busbar with different possible responses of primary and backup protections
Case study (II)
• Loss of Load risk indicator (expected lost MW at the end of cascading)
• Effect of hidden failure probability on risk
[Figure: individual contributions to the overall LOL risk (time interval = 10 minutes) of the analysed contingencies LIN_B05I305_B10Q310S1C1, LIN_B06K306_B10Q310S1C1, LIN_B08K308_B10Q310S1C1, TR_B11QT4S1C1, TR_B12QT5S1C1, SB_B10Q310S1C1, SSB1_B10Q310S1C1, SSB2_B10Q310S1C1, for 0%, 1% and 5% hidden failure (HF) probability; x axis: risk index value]
[Figure: probability of having x steps (number of steps 0 to 3) for 1% and 5% hidden failure probability]

Hidden failure probability p0 [%]   LOL risk, expected MW (Δt = 10 minutes)   % variation with respect to ideal case
0 (ideal case)                      7.37×10^-4                                -
1                                   7.48×10^-4                                +1.5
5                                   8.13×10^-4                                +10.3

Higher hidden failure probability implies higher probability of longer cascading paths.
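The multi-path analysis described for the PRACTICE cascading engine and the hidden-failure sensitivity shown in this case study can be reproduced in miniature. The following added example is not the PRACTICE engine or any AFTER code: it replaces the power flow and protection models with one abstract rule (a relay exposed to a nearby fault mis-trips with the hidden-failure probability p0), enumerates every cascading path exactly with its probability, and derives from them the step distribution and the loss-of-load risk indicator for p0 = 0, 1% and 5%. The grid, its adjacency and its load figures are a constructed toy, not the IEEE RTS 1979 data of the case study.

```python
"""Exact multi-path enumeration of a toy cascade with hidden relay failures.

Added example, not the PRACTICE/AFTER cascading engine. Protection behaviour
is reduced to a single rule: every relay exposed to a fault in the previous
step mis-trips independently with probability p0 (hidden failure). The grid
below is constructed for illustration.
"""
from itertools import combinations

# Constructed toy grid: for each branch, the branches whose relays see the
# fault current when it trips, and the load (MW) lost if it is out.
TOY_GRID = {
    "L1": {"exposes": {"L2", "L3"}, "load_mw": 40.0},
    "L2": {"exposes": {"L1", "L4"}, "load_mw": 25.0},
    "L3": {"exposes": {"L1", "L4", "L5"}, "load_mw": 30.0},
    "L4": {"exposes": {"L2", "L3"}, "load_mw": 15.0},
    "L5": {"exposes": {"L3"}, "load_mw": 50.0},
}


def cascade_outcomes(grid, initial, p0):
    """Enumerate every cascading path after the N-1 outage of `initial`.

    Each step exposes the relays of branches adjacent to those tripped in the
    previous step; each exposed relay mis-trips with probability p0. Returns a
    list of (probability, number_of_steps, lost_mw), one entry per path; the
    probabilities sum to 1.
    """
    outcomes = []

    def expand(tripped, frontier, steps, prob):
        exposed = sorted(set().union(*(grid[b]["exposes"] for b in frontier)) - tripped)
        lost = sum(grid[b]["load_mw"] for b in tripped)
        if not exposed:
            outcomes.append((prob, steps, lost))
            return
        for k in range(len(exposed) + 1):
            for subset in combinations(exposed, k):
                p = prob * p0 ** k * (1.0 - p0) ** (len(exposed) - k)
                if p == 0.0:
                    continue  # impossible branch (p0 is exactly 0 or 1)
                if k == 0:
                    outcomes.append((p, steps, lost))  # cascade stops here
                else:
                    expand(tripped | set(subset), set(subset), steps + 1, p)

    expand({initial}, {initial}, 0, 1.0)
    return outcomes


def step_distribution(outcomes):
    """P(the cascade has exactly x steps beyond the initiating outage)."""
    dist = {}
    for prob, steps, _ in outcomes:
        dist[steps] = dist.get(steps, 0.0) + prob
    return dist


def lol_risk(outcomes):
    """Loss-of-load risk indicator: expected MW lost at the end of the cascade."""
    return sum(prob * lost for prob, _, lost in outcomes)


def hidden_failure_sensitivity(grid, initial, p0_values=(0.0, 0.01, 0.05)):
    """LOL risk for each hidden-failure probability and its % variation with
    respect to the ideal (p0 = 0) case, the layout of the case-study table."""
    ideal = lol_risk(cascade_outcomes(grid, initial, 0.0))
    rows = []
    for p0 in p0_values:
        risk = lol_risk(cascade_outcomes(grid, initial, p0))
        rows.append((p0, risk, 100.0 * (risk - ideal) / ideal))
    return rows
```

Because the enumeration is exhaustive, the step distribution and the risk are exact for the toy model, and the qualitative result of the case study (more probability mass on longer paths, and a higher expected loss, as p0 grows) falls out directly. The exponential blow-up in the number of exposed relays is also visible here, which is why a real engine such as PRACTICE must prune or sample paths rather than enumerate them.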
Conclusions
• AFTER EU FP7 project
  – Presented a general framework to classify and model the threats occurring on power and ICT components, and the relevant component vulnerabilities
  – Discussed some aspects related to the models for threats and vulnerabilities to be implemented in the AFTER prototype
• A quasi-steady-state simulation of possible cascading paths, using a specific software tool (PRACTICE), is adopted, taking into account uncertainties in protection settings and in relay response to hidden failures.
• Preliminary investigations confirm the significant impact of ICT subsystem failures on power system operation, which are explored in depth in the AFTER project.
• Next steps will be devoted to the integration of the contingency models with the probabilistic model of the integrated ICT/PS response. The eventual aim is to obtain a probabilistic application for risk assessment and control over planning and operation time horizons.
EU Project N.261788
Thank you for your attention!
AFTER project website: www.after-project.eu
Contact the project coordinator: emanuele.ciapessoni@rse-web.it