Title: A PROPOSAL TO EXTEND THE SURVIVABILITY OF COMPUTERISED ENERGY DISTRIBUTION NETWORKS: THE SAFEGUARD PROJECT
Slide 1: A PROPOSAL TO EXTEND THE SURVIVABILITY OF COMPUTERISED ENERGY DISTRIBUTION NETWORKS: THE SAFEGUARD PROJECT
(Italian original title: UNA PROPOSTA PER ESTENDERE LA CAPACITÀ DI SOPRAVVIVENZA DI RETI DI DISTRIBUZIONE DI ENERGIA INFORMATIZZATE: IL PROGETTO SAFEGUARD)
Sandro Bologna, Claudio Balducelli, Giordano Vicoli (ENEA CAMO, bologna_at_casaccia.enea.it)
Alessandro De Carli, Giovanni Guida (Università di Roma La Sapienza, alessandro.decarli_at_uniroma1.it)
ENERSIS 2004 conference, Milan, 1-2 April 2004
Slide 2: The challenge
(figure; visible label: Transportation)
Slide 3: (figure, no transcript)
Slide 4: Layered networks model
(figure; labels: Intra-dependency, Cyber-Infrastructure, Physical Infrastructure)
Slide 5: Three Layers Model for the Electrical Infrastructure
(figure)
Slide 6: General layout of typical control and supervisory infrastructure of the electrical grid
(figure; label: Physical electrical layer (high-medium voltage))
Slide 7: The Safeguard approach (a middleware on top of existing SCADA systems, or just a retrofitted add-on device to the existing SCADA)
Slide 8: RETROFITTED ADD-ON SOLUTION
(figure: the SCADA System and several RTUs (Remote Terminal Units) are attached to a Safe Bus through Safe Bus API Interfaces; the "Safeguarding SCADA Systems" block on the bus holds Correlators, Actuators and Anomaly Detectors)
Slide 9: RETROFITTED ADD-ON SOLUTION
(same figure as slide 8)
Utilities have a significant investment in SCADA equipment. SCADA and similar control equipment are designed to have long lifetimes. Protection mechanisms should not be developed that require major replacement of existing equipment in the near term.
Slide 10: RETROFITTED ADD-ON SOLUTION
(same figure as slide 8)
Because of the limited capabilities of the SCADA processors, protection mechanisms should be implemented as a retrofitted add-on device. Management of the protection mechanisms should be designed to operate in one or more control centres, for disaster recovery and distributed management purposes.
Slide 11: RETROFITTED ADD-ON SOLUTION
(same figure as slide 8)
SCADA systems are designed for frequent (near real-time) status updates. Protection mechanisms should not reduce performance (reading frequency, transmission delay, computation) below an acceptable level.
Slide 12: RETROFITTED ADD-ON SOLUTION
(same figure as slide 8)
SCADA protection mechanisms should be designed to address all forms of SCADA protection, including monitoring of data transmission, cryptographic functions, state estimation functions, topology estimation, usage, actions taken by operators, etc.
Slide 13: SAFEGUARD ARCHITECTURE
(figure; labels: Network global protection, Local nodes protection)
Slide 14: SAFEGUARD ARCHITECTURE
- At Level 1, identify a component failure or an attack in progress.
- Hybrid anomaly detection agents use algorithms specialised in detecting deviations from normality. Signature-based algorithms are used to classify failures based on accumulated functional behaviour.
(figure; labels: High-level agents (Negotiation agent, MMI agent); Low-level agents, Local nodes protection (Diagnosis wrappers, Intrusion Detection wrappers, Hybrid Anomaly Detection agents); Cyber Layer of Electricity Network, Home LCCIs; arrows: "Commands and information", "Information only")
Slide 15: SAFEGUARD ARCHITECTURE
- At Level 2, correlate different kinds of information.
- Correlation and Topology agents correlate the diagnoses.
- The Action agent replaces the functions of failed components.
(figure; labels: Other LCCIs (Foreign Electricity Networks, Telecommunication Networks); High-level agents (Correlation agent, Action agent, Topology agent); Low-level agents, Local nodes protection (Diagnosis wrappers, Intrusion Detection wrappers, Hybrid Anomaly Detection agents, Actuators); Cyber Layer of Electricity Network, Home LCCIs; arrows: "Commands and information", "Information only")
Slide 16: SAFEGUARD ARCHITECTURE
- At Level 3, operator decision support: the MMI agent supports the operator in the reconfiguration strategy; the Negotiation agent supports the negotiation of recovery policies with other interdependent LCCIs.
(figure; labels: Network global protection, Local nodes protection)
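As an added illustration of the Level 1 agent described on slide 14 (example code written for this page, not code from the SAFEGUARD project), the following hybrid anomaly detection agent watches one SCADA instrumentation point. It combines a rolling statistical baseline (deviation from normality) with signature rules that classify what was flagged (spike, sustained step change, frozen value). The point name, thresholds, window sizes and the sample readings are all assumptions; the readings are constructed, not real telemetry.

```python
import math
from collections import deque
from dataclasses import dataclass


@dataclass
class Alert:
    t: int
    point: str
    value: float
    z: float
    label: str


class HybridAnomalyAgent:
    """Level-1 agent for one instrumentation point (assumed design).

    Deviation from normality: a rolling baseline (mean, standard deviation) is
    built from samples accepted as normal; a sample more than k standard
    deviations away is flagged.  Signature classification: flagged samples are
    labelled 'spike' or, once the deviation persists, 'step_change'.  A separate
    'frozen_value' signature catches an RTU that keeps repeating the same reading,
    which a pure deviation test never sees because the value stays near the mean."""

    def __init__(self, point, window=30, k=4.0, min_samples=10, frozen_len=8):
        self.point = point
        self.window = deque(maxlen=window)      # samples accepted as normal
        self.recent = deque(maxlen=frozen_len)  # raw samples, flagged or not
        self.k = k
        self.min_samples = min_samples
        self.consecutive = 0                    # consecutive deviating samples
        self.alerts = []

    def baseline(self):
        n = len(self.window)
        mean = sum(self.window) / n
        sd = math.sqrt(sum((x - mean) ** 2 for x in self.window) / (n - 1))
        return mean, sd

    def observe(self, t, value):
        self.recent.append(value)
        if len(self.window) < self.min_samples:
            self.window.append(value)           # still learning what normal is
            return None
        mean, sd = self.baseline()
        z = abs(value - mean) / max(sd, 1e-9)
        alert = None
        if z > self.k:
            self.consecutive += 1
            # the first deviating samples are provisionally a spike; once the
            # deviation persists the signature is upgraded to a step change
            label = "step_change" if self.consecutive >= 3 else "spike"
            alert = Alert(t, self.point, value, round(z, 1), label)
        else:
            self.consecutive = 0
        if (len(self.recent) == self.recent.maxlen
                and len(set(self.recent)) == 1 and sd > 0):
            alert = Alert(t, self.point, value, round(z, 1), "frozen_value")
        if alert is None:
            self.window.append(value)           # keep anomalies out of the baseline
        else:
            self.alerts.append(alert)
        return alert


def constructed_samples():
    """Constructed MW readings for one line: noisy normal operation, a single
    telemetry spike at t=40, then an RTU that freezes at 120.0 from t=46 on."""
    noise = [0.0, 0.4, -0.3, 0.7, -0.6, 0.2, -0.1, 0.5, -0.5, 0.3]
    samples = [(t, 120.0 + noise[t % 10]) for t in range(40)]
    samples.append((40, 180.0))
    samples += [(t, 120.0 + noise[t % 10]) for t in range(41, 46)]
    samples += [(t, 120.0) for t in range(46, 56)]
    return samples


def run_demo():
    """Feed the constructed readings to one agent and return its alerts."""
    agent = HybridAnomalyAgent("Line-A:MW")
    for t, value in constructed_samples():
        agent.observe(t, value)
    return agent.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

On the constructed input the agent raises one `spike` alert at t=40 and `frozen_value` alerts from t=53, the eighth identical reading, onwards; the frozen readings are not absorbed into the baseline, so the agent keeps alerting until real variation returns.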
Slide 17: HOW SAFEGUARD MIGHT SUPPORT MANAGING MAJOR SYSTEMS OUTAGE
Slide 18: ITALY BLACK-OUT (From UCTE Interim Report)
(figure: event tree acquired from the UCTE report; labels: NETWORK STATE OVERVIEW, ROOT CAUSES, "Pre-incident network in n-1 secure state", "Island operation fails due to unit tripping")
Slide 19: ITALY BLACK-OUT (From UCTE Interim Report)
(same event tree as slide 18)
In the SAFEGUARD system the Correlator agent intercepts anomalies and failures inside the sequence of events, and the Action agent tries to re-execute the unsuccessful commands.
Slide 20: (From UCTE Interim Report)
(same event tree as slide 18)
SAFEGUARD might help to recognise the anomalous state and call for adequate countermeasures.
Slide 21: COORDINATION PROBLEMS BETWEEN SYSTEM OPERATORS (From UCTE Interim Report)
"In this specific case ETRANS needs as corrective measures which are necessary to comply with the N-1 rule, also action to be undertaken in the Italian system. This was confirmed by the check list available to the ETRANS operators, which explicitly mentions that, in case of loss of Mettlen-Lavorgo, the operator should call GRTN, inform GRTN about the loss of the line, request for the pumping to be shut down, generation to be increased in Italy. This clause is mentioned in Italian on the ETRANS checklist for this incident."
Slide 22: (From UCTE Interim Report; same quotation as slide 21)
SAFEGUARD provides a Negotiation Agent in charge of coordination among different operators.
Slide 23: US-CANADA BLACK-OUT (Power System Outage Task Force Interim Report)
Slide 24: US-CANADA BLACK-OUT
The State Estimation tool does not work in the regular way because a critical piece of information (a line connection status) is not correctly acquired by the SCADA system. The data used by the State Estimator could be corrupted by an attack or by a fault inside the SCADA system.
"On August 14 at about 12:15 EDT, MISO's state estimator produced a solution with a high mismatch (outside the bounds of acceptable error). This was traced to an outage of Cinergy's Bloomington-Denois Creek 230-kV line; although it was out of service, its status was not updated in MISO's state estimator."
Slide 25: US-CANADA BLACK-OUT (Task Force Interim Report)
A SAFEGUARD anomaly detection agent has the duty of verifying the correctness level of the data that is to be used by the State Estimator. If the State Estimation tool knows which data can be considered good or bad, it has the capability to produce a more correct state of the network.
Slide 26: US-CANADA BLACK-OUT
"2A) 14:14 EDT: FE's alarm and logging software failed. Neither FE's control room operators nor FE's IT EMS support personnel were aware of the alarm failure."
The alarm system of the FirstEnergy electrical company does not work correctly, and the operators are not aware of this situation.
Slide 27: US-CANADA BLACK-OUT (Task Force Interim Report; same quotation as slide 26)
The Safeguard Correlator agent could detect failures inside the Alarm system by correlating the sequences of signals flowing from the RTUs towards the Control Centres.
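The two US-Canada cases above (slides 24 to 27) call for two different checks, shown here as one added example written for this page (not SAFEGUARD project code). The Level 1 check tags each line's telemetry as good or bad before the State Estimator consumes it; the Bloomington-Denois Creek pattern is a line whose status still says "closed" while both ends measure no flow and the status has not been refreshed for a long time. The Level 2 check is a correlator in the spirit of slide 27: every limit violation seen in the RTU stream must surface as a control-centre alarm within a short delay, and a run of violations with no matching alarm points at a dead alarm subsystem rather than at the grid. Data-class names, thresholds, point names and all telemetry are assumptions; the telemetry and logs are constructed.

```python
from dataclasses import dataclass


# ---- Level 1: data-quality tags for the state estimator's inputs (assumed design) ----

@dataclass
class LineTelemetry:
    line: str
    status: str          # "closed" (in service) or "open", as reported by the RTU
    status_age_s: int    # seconds since the status point was last refreshed
    mw_from: float       # active power at the sending end (positive = into the line)
    mw_to: float         # active power at the receiving end (negative = out of the line)


def check_se_inputs(telemetry, zero_mw=0.5, max_age_s=300, loss_tol=0.05):
    """Return {line: ("good"|"bad", [reasons])} so the state estimator can drop or
    down-weight suspect inputs instead of solving on a stale topology."""
    quality = {}
    for tl in telemetry:
        reasons = []
        if tl.status_age_s > max_age_s:
            reasons.append("stale_status")
        no_flow = abs(tl.mw_from) < zero_mw and abs(tl.mw_to) < zero_mw
        if tl.status == "closed" and no_flow:
            reasons.append("closed_but_no_flow")    # the Bloomington-Denois Creek pattern
        if tl.status == "open" and not no_flow:
            reasons.append("open_but_flow")
        # the two ends must balance up to line losses (mw_from + mw_to ~ losses)
        if abs(tl.mw_from + tl.mw_to) > loss_tol * max(abs(tl.mw_from), abs(tl.mw_to), 1.0):
            reasons.append("end_mismatch")
        quality[tl.line] = ("bad" if reasons else "good", reasons)
    return quality


# ---- Level 2: correlate RTU limit violations with the control-centre alarm log ----

@dataclass
class RtuEvent:
    t: int               # seconds
    point: str
    value: float
    high_limit: float


def correlate_alarms(rtu_events, alarm_log, max_delay_s=10, tolerate_missing=2):
    """Every violation (value above high_limit) in the RTU stream should produce an
    alarm (t, point) within max_delay_s.  More than tolerate_missing consecutive
    violations without a matching alarm is reported as a suspected alarm failure."""
    alarms_by_point = {}
    for t, point in alarm_log:
        alarms_by_point.setdefault(point, []).append(t)
    streak = []                                  # violations still unmatched
    for ev in sorted(rtu_events, key=lambda e: e.t):
        if ev.value <= ev.high_limit:
            continue                             # no alarm expected
        matched = any(ev.t <= ta <= ev.t + max_delay_s
                      for ta in alarms_by_point.get(ev.point, []))
        streak = [] if matched else streak + [ev]
        if len(streak) > tolerate_missing:
            return {"suspect": "alarm_subsystem_failure",
                    "since_t": streak[0].t,
                    "unacknowledged": [(e.t, e.point) for e in streak]}
    return {"suspect": None, "since_t": None,
            "unacknowledged": [(e.t, e.point) for e in streak]}


# ---- constructed sample data (not real grid measurements) ----

CONSTRUCTED_TELEMETRY = [
    LineTelemetry("Line-A", "closed", 20, 152.0, -149.5),
    LineTelemetry("Line-B", "closed", 900, 0.1, -0.1),   # tripped, status never refreshed
    LineTelemetry("Line-C", "open", 45, 0.0, 0.0),
]

CONSTRUCTED_RTU_EVENTS = [
    RtuEvent(100, "Line-A:MW", 165.0, 160.0),
    RtuEvent(200, "Line-A:MW", 170.0, 160.0),
    RtuEvent(300, "Line-A:MW", 172.0, 160.0),           # alarm software silent from here
    RtuEvent(330, "Xfmr-1:MVA", 210.0, 200.0),
    RtuEvent(360, "Line-A:MW", 175.0, 160.0),
]

CONSTRUCTED_ALARM_LOG = [(103, "Line-A:MW"), (204, "Line-A:MW")]


if __name__ == "__main__":
    print(check_se_inputs(CONSTRUCTED_TELEMETRY))
    print(correlate_alarms(CONSTRUCTED_RTU_EVENTS, CONSTRUCTED_ALARM_LOG))
```

The end-mismatch rule is what makes the Level 1 check more than a status lookup: a spoofed "closed" status with a fabricated flow at only one end still fails the balance test. The correlator deliberately tolerates a couple of lost alarms (network jitter, a dropped message) before declaring the alarm subsystem dead, which is the trade-off between early warning and false alarms that slides 11 and 12 ask for.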
Slide 28: NEW SCADA SYSTEM CONFIGURATION FOR THE ITALIAN ELECTRICAL NETWORK (GRTN-ABB)
(figure)
Slide 29: Safeguard Testing Environment
(figure; labels: Distributed SCADA Emulator; Safeguard Agents (Low level agents, High Level agents); Remote Data Concentrator Devices; Regional Control Center; National Control Center; available SCADA events; MMI Alarm Panel; Load Charging Scripts; SCADA Instrumentation Points; available data/signals qualities; realistic data/signals qualities; pure data/signals; demand evolution; Data filtering / corruption; State estimation results; Tele-commands (three arrows); Toward foreign electrical networks)
Slide 30: Testing Environment and Test Platform
(figure; labels: AIA e-Agora Simulation Data source; Message broker; Regional Control Centre; National Control Centre; Network Data Base (On-line mode); Network Data Base (Update mode); SCADA data exchange bus)
Slide 31: TEST PLATFORM: Modelling intrusions and failures by attack/fault trees
- Define a reference language to model attacks and failures: attack trees are used.
- The root of the tree represents an event that could significantly harm the infrastructure's mission. The terminal leaves of the tree represent the actions to execute for reaching the high-level goals.
- Every path in the attack tree represents a unique type of attack/fault.
- Every node can be decomposed into lower-level nodes using the <AND> and <OR> decomposition types.
- The attack trees can also be visualised in textual form.
Slide 32: Generate intrusion scenarios
- In an attack tree the terminal leaves represent the actions needed to execute the attack.
- An attack tree generates intrusion scenarios, composed of sequences of actions, such as <G3, G2, G5, G6>.
Slide 33: Insert difficulty degrees
- A possible extension of this reference model consists in another type of node (in addition to the OR and AND types): the SCORE type of node.
Slide 34: Textual form of the attack tree
- Goal GA0
  - Precondition Pstart
  - AND GO1
    - SCORE (60) G3
            (40) G4
  - G2
  - GA2
    - AND G5
          G6
  - Post-condition Presult
- The attack tree generates the following intrusion scenarios:
  - <G3, G2, G5, G6> with 60% of Presult certainty
  - <G4, G2, G5, G6> with 40% of Presult certainty
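The following generator is an added example written for this page, not the test-platform code of the SAFEGUARD project. It takes an attack/fault tree with AND, OR and SCORE nodes and enumerates the intrusion scenarios the way slides 32 to 34 describe: each path becomes a sequence of leaf actions with the certainty of reaching the post-condition. The tree is given as nested Python tuples rather than in the slide's textual form (the indentation of that form is not specified on the page); the treatment of an unweighted OR as alternatives that each keep their full certainty, the requirement that SCORE weights sum to 100, and the second tree with an OR node are assumptions that go beyond the slide.

```python
"""Attack/fault tree scenario generator (assumed node encoding).

A node is either a goal name (a terminal leaf, i.e. an action to execute), or
  ("AND",   [child, ...])            every child, in the listed order
  ("OR",    [child, ...])            any one child; alternatives are unweighted
  ("SCORE", [(weight, child), ...])  a weighted OR; weights are percentages that
                                     express difficulty and are assumed to sum to 100
"""


def scenarios(node):
    """Return [(sequence_of_leaf_actions, certainty)] for every path through node."""
    if isinstance(node, str):
        return [((node,), 1.0)]
    kind, children = node
    if kind == "AND":
        # cartesian product of the children's scenarios, concatenated in order
        result = [((), 1.0)]
        for child in children:
            result = [(seq + cseq, p * cp)
                      for seq, p in result
                      for cseq, cp in scenarios(child)]
        return result
    if kind == "OR":
        return [s for child in children for s in scenarios(child)]
    if kind == "SCORE":
        total = sum(w for w, _ in children)
        if total != 100:
            raise ValueError(f"SCORE weights must sum to 100, got {total}")
        return [(seq, p * w / 100)
                for w, child in children
                for seq, p in scenarios(child)]
    raise ValueError(f"unknown node type {kind!r}")


# The tree of slide 34: GA0 = AND(GO1, G2, GA2), GO1 = SCORE(60% G3, 40% G4), GA2 = AND(G5, G6)
SLIDE_TREE = ("AND", [
    ("SCORE", [(60, "G3"), (40, "G4")]),   # GO1
    "G2",
    ("AND", ["G5", "G6"]),                 # GA2
])

# Beyond the slide: an unweighted OR inside an AND (goal names are assumptions)
OR_TREE = ("AND", [("OR", ["G1", ("AND", ["G7", "G8"])]), "G9"])


def ranked(node):
    """Scenarios sorted by decreasing certainty, as a scenario console would list them."""
    return sorted(scenarios(node), key=lambda s: -s[1])


def format_scenario(seq, certainty):
    """Render one scenario in the slide's notation: <G3, G2, G5, G6> with 60% ..."""
    return f"<{', '.join(seq)}> with {certainty * 100:.0f}% of Presult certainty"


if __name__ == "__main__":
    for seq, p in ranked(SLIDE_TREE):
        print(format_scenario(seq, p))
    for seq, p in ranked(OR_TREE):
        print(format_scenario(seq, p))
```

Run on SLIDE_TREE the generator reproduces exactly the two scenarios of slide 34; on a test platform the ranked list is the natural order in which to run the scenarios against the Safeguard agents, most likely first.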
Slide 35: TEST PLATFORM
(figure: Attacks/faults Console; stages: design, running, log/document)
Slide 36: ATTACK TREES EDITOR AND SCENARIOS RUNNING CONSOLE
(figure)
Slide 37: Attack/fault scenarios for testing Safeguard agents
Events corruption story: a sequence of false commands causes the tripping of a critical line; the operators are not able to restore the line connection.
Data corruption story: some measured values and status information of the network are corrupted; the State Estimator tool is not able to make a good estimation of the network state.
System corruption story: the normal functioning of the SCADA system is no longer guaranteed, because a malicious task is consuming system resources.
Slide 38: CONCLUSIONS
INCREASING NEED TO TRANSFORM TODAY'S CENTRALISED, DUMB POWER GRID INTO SOMETHING CLOSER TO A SMART, DISTRIBUTED NETWORK: THE ENERGY INTERNET.
INCREASING NEED FOR INTELLIGENT DATA INTERPRETATION TO CAPTURE NOVELTIES AND PROVIDE OPERATORS WITH EARLY WARNINGS.
MULTI-AGENT SYSTEM TECHNOLOGY, COMBINED WITH INTELLIGENT SYSTEMS, CAN BE USED TO AUTOMATE THE FAULT DIAGNOSIS ACTIVITY AND TO SUPPORT OPERATORS IN THE RECOVERY POLICIES.
SAFEGUARD MULTI-AGENT SYSTEM TECHNOLOGY CAN WORK IN AN AUTONOMOUS MANNER AS AN ADD-ON SYSTEM, WITH AGENTS INTERACTING BOTH WITH THEIR ENVIRONMENT AND WITH ONE ANOTHER.