AFTER - EU Project N. 261788

Extended Risk Analysis of Power and ICT Systems

C. Brasca, E. Ciapessoni, D. Cirio, A. Pitto, Ricerca sul Sistema Energetico - RSE S.p.A.
A. Morini, Università degli Studi di Genova
M. Sforna, TERNA

ISGT Europe 2013, Copenhagen, October 7-9, 2013


Page 2: Outline

• Today’s power system criticalities
• The AFTER project
• A Framework for Power and ICT System Risk-based Security Assessment
• Modeling threats and vulnerabilities
• Modeling ICT/PS response
• Conclusions

Page 3: Today’s power system

[Figure: layered diagram of today's power system and its control infrastructure. Actors labelled: Transmission System Operator, Generation Company, Distribution System Operator. Control-level labels: National Control Centre, Regional Control Centre, Area Control Centre, EMS, SCADA, State Estimator, WAMS, Defence Management, Generation Control, Plant Control Room, Station Computer, Meter Concentrator. Field-level labels: Power Plant, Substation (EHV, HV, MV, LV), IED, PMU, FACTS, ULTC, Shunt Reactor, Shunt Capacitor, Distributed Power Generation, Loads. Annotations: "Operational complexity"; "New monitoring systems – ICT based".]

Page 4: Today’s power system

Vulnerabilities: Physical infrastructure - power

Main causes of damages due to natural events:
1. Wind storms
2. Ice storms
3. Lightning

Page 5: Today’s power system

• Cascading

Black-out often caused by rare (possibly correlated) N-k events

[Figure labelled 2006/11/04]

Page 6: The AFTER project

• EU FP7 3-year project started in Sept 2011
• MAIN GOAL: increasing the TSO capabilities in creating, monitoring and managing secure power system infrastructures, being able to survive large disturbances and to efficiently restore the supply after major disruptions.
• Defining a framework - including methodologies, tools and techniques - able to:
  – Assess the risk, as hazard, vulnerability and impact analysis, of the interconnected and integrated electrical power and ICT systems.
  – Design and evaluate global defense and restoration plans.

Page 7: What does RISK mean?

• Assessing risk calls for the following tasks:
  – identifying and classifying threats and component vulnerabilities
  – probabilistic modeling of threats, component vulnerabilities and power system contingencies
  – simulating stochastic behavior of control, defense and protection systems in power systems affected by contingencies
  – defining and calculating risk indicators
• Both ICT failures and physical components outages must be included in the security analyses

Page 8: Approach Foundations

Definitions

• Threat: Any indication, circumstance, or event with the potential to disrupt or destroy critical infrastructure, or any element thereof.
• Vulnerability: A characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to destruction or incapacitation by a threat.
• Contingency: unplanned outage of one or more components caused by a threat exploiting one or more vulnerabilities of the component itself

[Figure: layers labelled Threats (T1 … Ti … TNT), Vulnerabilities (V1 … Vj … VNV), Component contingencies (C1 … Ch … CNC) and System contingency, with the annotations "Offline models" and "Online monitoring".]

Page 9: Statistics on threats

• Preliminary investigations on operational yearbooks by ENTSO-E and US NERC disturbance reports:
  – Root cause analysis ⇒ pie charts for root causes
  – Statistical analysis of reliability indicators (Energy not supplied, Restoration time)

[Figure: pie chart "Causes of power system outages - year 2008". Legend: overload; false operation; failure in protection device or other element; external events (animals, trees, fire, avalanches etc); exceptional conditions (weather, natural disaster etc); other reasons; unknown reasons. Slice values in extraction order: 10%, 21%, 12%, 9%, 16%, 10%, 24% (the mapping of values to causes is not recoverable from the extracted text).]

Most common root causes of disturbances:
- weather conditions for US disturbances
- Equipment failures for EU disturbances

Page 10: Classifying threats

Power component threats

Natural
  External (Exogenous): Lightning, fires, ice/snow storms, floods, solar storms
  Internal (Endogenous): Component faults, strained operating conditions

Man-related
  External (Exogenous): Unintentional damage by operating a crane; Sabotage, terrorism, outsider errors
  Internal (Endogenous): Employee errors; Malicious actions by unfaithful employees

Page 11: Classifying threats

ICT threats (Physical or Logical)

Natural
  External (Exogenous): Ice and snow, floods, Fire and high temperature, solar storm
  Internal (Endogenous): ICT component internal faults, Data overflow

Man-related
  External (Exogenous): Hacker, Sabotage, Malicious outsider
  Internal (Endogenous): SW bugs, Employee errors, Malicious actions by unfaithful employees

Page 12: Threat dependency - a sample framework for natural threats

[Figure: dependency graph among natural threats and their effects on power system components. Threats shown: earthquakes, landslides, floods, solar storms, rain/ice/snow, fires, animals, pollution, vegetation, strong wind. Intermediate effects shown: ground movements, overflowing dams, component ageing, higher stress, ice accretion, increasing sag, bird drops, lateral contacts. Component damage examples: component damages due to ground acceleration, transformer outages, OHL conductor damages, insulator flashover, transformer damages/explosion, OHL pylons damaged. Note on the figure: e.g. increases salt deposit in marine environments.]

Page 13: Contingency modeling for power components

Probability of failure of one component spatially located at x, affected by one threat Thr, at time t0 over the time interval ∆t = t - t0:

$$P_F(x,t) = \int_{t_0}^{t} \int_{S} P_V(t \mid \tau, s, x) \cdot p_{Thr}(\tau, s, x) \, ds \, d\tau$$

The stress variables related to a threat indicate the physical quantities through which the threat affects the component vulnerabilities.

$P_F(x,t)$ = probability that the component, located in x - intact at initial time t0 - fails within time instant t

$P_V(t \mid \tau, s, x)$ = conditional probability that the component fails at time t due to value s of stress variable S (relevant to threat Thr) at time instant τ. Also the vulnerability of component is a function of time, due for instance to ageing or maintenance processes

$p_{Thr}(\tau, s, x)$ = probability density function of occurrence of a threat Thr applying the stress variable S in location x, at time instant τ.

Page 14: Threats probabilistic modeling - some examples

• Long/medium term models:
  – Weather-related threats -> extreme value distributions tuned on historical series analyses
  – Fires/animals -> Bayes networks
• Man related threats:
  – Human errors -> Performance shaping factors, MERE model
  – Intentional attacks -> semi-Markov chains, attack trees and Bayesian networks

[Figure: chart "Origin of the disturbances on 380 kV lines (Data relevant to period: 1997-2002)", by month. Categories: Wind, Salt wind, Ice/snow, Galloping, Lightnings, Pollution, Humidity, Fog, Smog, Salt deposit, Flood, landslides.]

[Figure: Bayes net for attack to physical infrastructure. Nodes: Attacker Group, Target, Intensity of attack, Success of attack, Component Vulnerability, Geographical location, Physical protection of assets.]

[Figure: Semi-Markov chain for intrusion into a computer system.]

Page 15: Vulnerability probabilistic modeling

• Interest in separately assessing threat and vulnerability probabilities
  – Possibility to distinguish «actual risk» from «potential risk»
• Possible to use similar distributions to describe the vulnerability to different threats
  – lognormal distributions for vulnerability to earthquakes and landslides
  – Weibull distributions for ageing and for polluting agents
• For man related threats, vulnerability of the target depends on adopted protection systems for physical security
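A numerical evaluation of the failure-probability double integral from the contingency-modeling slide, combined with the lognormal vulnerability to earthquakes named on this slide. This is an added example, not code from the AFTER project or the PRACTICE tool; the lognormal stress density, the linear ageing law and every parameter value are constructed assumptions.

```python
import math

def norm_cdf(u):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(u / math.sqrt(2.0)))

def fragility(s, tau, median0, beta, ageing_per_year=0.0):
    """P_V: lognormal probability of failure under stress s applied at time tau.
    Assumed ageing law: the median capacity shrinks linearly with tau."""
    median = median0 * max(1.0 - ageing_per_year * tau, 1e-6)
    return norm_cdf(math.log(s / median) / beta)

def threat_density(s, tau, rate_per_year, s_median, s_beta):
    """p_Thr: constant event rate times an assumed lognormal pdf of the stress s."""
    z = math.log(s / s_median) / s_beta
    pdf = math.exp(-0.5 * z * z) / (s * s_beta * math.sqrt(2.0 * math.pi))
    return rate_per_year * pdf

def failure_probability(t0, t, frag, threat,
                        s_min=1e-4, s_max=10.0, n_tau=50, n_s=400):
    """Midpoint-rule value of the integral of frag * threat over [t0, t] x S.
    The stress axis is sampled on a log-spaced grid, so ds = s * dz."""
    d_tau = (t - t0) / n_tau
    z0 = math.log(s_min)
    dz = (math.log(s_max) - z0) / n_s
    total = 0.0
    for i in range(n_tau):
        tau = t0 + (i + 0.5) * d_tau
        for j in range(n_s):
            s = math.exp(z0 + (j + 0.5) * dz)
            total += frag(s, tau) * threat(s, tau) * s * dz * d_tau
    return total

def earthquake_case(ageing_per_year=0.0, horizon_years=10.0):
    """Constructed case: stress = peak ground acceleration in g.
    0.02 events/yr, stress median 0.15 g (beta 0.6), capacity median 0.45 g (beta 0.4)."""
    frag = lambda s, tau: fragility(s, tau, 0.45, 0.4, ageing_per_year)
    threat = lambda s, tau: threat_density(s, tau, 0.02, 0.15, 0.6)
    return failure_probability(0.0, horizon_years, frag, threat)

if __name__ == "__main__":
    print("P_F, no ageing      :", earthquake_case())
    print("P_F, 2 %/yr ageing  :", earthquake_case(ageing_per_year=0.02))
```

Keeping the threat density and the fragility as separate functions mirrors the slide's point about assessing threat and vulnerability probabilities separately: changing only `ageing_per_year` changes the vulnerability while the threat stays fixed.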

Page 16: Modeling the ICT/PS response - cascading simulation

• ICT/PS response to contingencies may lead to cascadings and finally to blackouts
• Ongoing research on cascading engines
  – works by IEEE CAMS TF «Understanding, Prediction, Prevention and Restoration of Cascading Failures»
• AFTER starts from the cascading engine of PRACTICE tool, a risk assessment SW developed in RSE

[Figures: Cascading trippings on the Italian border, Sept 2003; EU grid separation after cascading trippings, Nov 2006; Cascading trippings during S-W USA blackout, Sept 2011.]

Page 17: Modeling the ICT/PS response - the PRACTICE cascading engine

• PRACTICE has a quasi static cascading engine which simulates at least the early stages of cascading
  – taking into account the steady state response of main control/defense and protection systems
• Analysing cascading evolution along different paths, considering the stochastic response of protection systems
  ‒ possible malfunctions during fault clearing and in the post fault period
  ‒ Uncertain settings on overcurrent protection relays
  ‒ Hidden failures of relays in the on-fault period
• Different load shedding (LS) schemes (underfrequency LS, anti-cascading LS) are simulated and operators’ behaviours are probabilistically represented accounting for different levels of observability/controllability, and for time delays in deploying control actions.

Page 18: Risk indices calculation

Different metrics available to assess the impact of contingencies on power system:
  – the loss of load at the end of the cascading process triggered by a contingency
  – a function of (over-) currents on longitudinal elements immediately after the contingency
  – a function of node voltages immediately after the contingency

Page 19: AFTER framework for power and ICT risk assessment

[Figure: block diagram of the framework, grouped in three stages.

Threats and vulnerability modeling: Threat and vulnerability data; Threats models; Component / Element / System Vulnerability models; Scenario generator; Component / Element / System contingencies (Power | ICT) and probabilities. Note: dependencies among threats and functional dependence among components are taken into account inside this module.

Contingency selection: Selection criteria; selection of critical hybrid N-k-j contingencies involving k power component contingencies and j ICT malfunctions; Overall contingency (power + ICT) and probabilities.

Impact modeling (Probabilistic cascading): use of AFTER multi-path cascading engine; Injection uncertainties; Other influent factors; Models of automatic/manual actions (SPS, Operator…); Risk indexes calculation.]

Page 20: Case study (I)

• Application to IEEE RTS 1979
• Contingency definition (threat = lightnings)

RATE OF OCCURRENCE OF LIGHTNING INDUCED FAULTS

Voltage level [kV]    Failure rate λ [faults/(100km*yr)]
380                   0.90
220                   1.11
132                   1.60

• Different contingencies analysed:
  – N-1 branch
  – N-k busbar with different possible responses of primary and backup protections

Page 21: Case study (II)

• Loss of Load risk indicator (expected lost MW at the end of cascading)
• Effect of hidden failure probability on risk

[Figure: bar chart "Individual contributions to overall LOL risk (time interval = 10 minutes)", x-axis "Risk Index Value", series 0% HF prob., 1% HF prob., 5% HF prob. Contingencies shown: LIN_B08K308_B10Q310S1C1, TR_B11QT4S1C1, TR_B12QT5S1C1, SSB1_B10Q310S1C1, SSB2_B10Q310S1C1, SB_B10Q310S1C1, LIN_B05I305_B10Q310S1C1, LIN_B06K306_B10Q310S1C1.]

[Figure: "Probability of having x steps" versus number of steps, for 1% and 5% hidden failure probability.]

Hidden failure probability, p0, in %    LOL risk, expected MW (∆t=10 minutes)    % Variation with respect to ideal case
0 (ideal case)                          7.37×10^-4                               -
1                                       7.48×10^-4                               + 1.5
5                                       8.13×10^-4                               + 10.3

Higher hidden failure probability implies higher probability of longer cascading paths
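A toy multi-path calculation of the loss-of-load risk index, showing how a hidden-failure probability lengthens cascading paths and raises the expected lost MW. This is an added example, not the PRACTICE or AFTER cascading engine: the lightning rates are those of the case-study table, while the Poisson fault model, the line length, the number of exposed relays per step and the MW lost per path are constructed assumptions, so the numbers do not reproduce the table above.

```python
import math

# Lightning-induced fault rates from the case-study table, faults/(100 km * yr).
LIGHTNING_RATE = {380: 0.90, 220: 1.11, 132: 1.60}
MINUTES_PER_YEAR = 365 * 24 * 60

# Constructed case: relays exposed to a hidden failure at each cascading step,
# and MW lost when the cascade stops after 0, 1, 2 or 3 further trippings.
EXPOSED_RELAYS = [3, 2, 2]
LOL_MW = [40.0, 120.0, 300.0, 700.0]

def contingency_probability(voltage_kv, length_km, dt_minutes=10.0):
    """P(at least one lightning fault on the line within dt), Poisson assumption."""
    rate_per_year = LIGHTNING_RATE[voltage_kv] * length_km / 100.0
    return 1.0 - math.exp(-rate_per_year * dt_minutes / MINUTES_PER_YEAR)

def step_distribution(p_hidden, exposed_relays):
    """Probability that the cascade stops after 0, 1, ..., len(exposed_relays) steps.
    Assumed model: the cascade advances one step if any exposed relay trips
    unduly, each independently with probability p_hidden."""
    dist, p_reach = [], 1.0
    for n_relays in exposed_relays:
        p_advance = 1.0 - (1.0 - p_hidden) ** n_relays
        dist.append(p_reach * (1.0 - p_advance))
        p_reach *= p_advance
    dist.append(p_reach)
    return dist

def lol_risk(p_contingency, dist, lol_mw):
    """Risk index: P(contingency) times expected MW lost at the end of cascading."""
    return p_contingency * sum(p * mw for p, mw in zip(dist, lol_mw))

def sweep(p_hidden_values=(0.0, 0.01, 0.05), voltage_kv=380, length_km=50.0):
    """Rows of (p_hidden, LOL risk in expected MW, % variation vs. ideal case)."""
    p_c = contingency_probability(voltage_kv, length_km)
    ideal = lol_risk(p_c, step_distribution(0.0, EXPOSED_RELAYS), LOL_MW)
    rows = []
    for p0 in p_hidden_values:
        risk = lol_risk(p_c, step_distribution(p0, EXPOSED_RELAYS), LOL_MW)
        rows.append((p0, risk, 100.0 * (risk / ideal - 1.0)))
    return rows

if __name__ == "__main__":
    for p0, risk, variation in sweep():
        print(f"p0={p0:5.2%}  LOL risk={risk:.3e} MW  variation={variation:+.1f}%")
```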

Page 22: Conclusions

• AFTER EU FP7 project
  – Presented a general framework to classify and model the threats occurring on power and ICT components, and the relevant component vulnerabilities
  – Discussed some aspects related to the models for threats and vulnerabilities to be implemented in AFTER prototype.
• A quasi-steady state simulation of possible cascading paths, by using a specific software tool (PRACTICE), is adopted, taking into account uncertainties in protection settings and in relay response to hidden failures.
• Preliminary investigations confirm the significant impact of ICT subsystem failures on power system operation which are explored in depth in the AFTER project.
• Next steps will be devoted to the integration of the contingency models with the probabilistic model of the integrated ICT/PS response. Eventual aim is to obtain a probabilistic application for risk assessment and control over planning and operation time horizons.

Page 23

Thank you for your attention!

AFTER project website: www.after-project.eu

Contact the project coordinator! [email protected] (@rse-web.it)