RISK ASSESSMENT OF TERRORIST ATTACKS ON ELECTRIC POWER SYSTEMS: THE NATURE OF THE PROBLEM AND THE ANALYSIS TECHNIQUES

Ettore Bompard

Politecnico di Torino - Dipartimento di Ingegneria Elettrica

iNRiM – Istituto Nazionale di Ricerca Metrologica

Incontri del Giovedì

E.Bompard - Valutazione del rischio di attacchi terroristici ai Sistemi Elettrici di Potenza - 2

OUTLINE

Why, what to attack and which are the effects.

Nature of the malicious threats.

Power systems operation and management.

Framework for the analysis of infrastructure security.

Methods and approaches for vulnerability & security modeling.

Topics and issues in the analysis.

Conceptual examples:

  Component ranking with respect to the malicious threats.

  Impact of coordination and communication.

WHY, WHAT TO ATTACK AND WHICH ARE THE EFFECTS

WHY TO ATTACK POWER SYSTEMS (PS)?

Large visibility provided by successful attacks (region/nation wide effects).

Possibility to affect individuals, organizations and businesses in their activities and interests.

Huge economic impacts.

Possible “domino effects” due to the physical properties and structure of PS, which may amplify a “properly” chosen action and produce large-scale impacts.

Difficulty to protect PS due to their large extension and territorial dispersion.

WHAT CAN BE ATTACKED?

Physical targets → power outage (blackout):

  Power lines (destroying towers).

  Substations (buses/transformers).

  Power plants (generators or control systems).

Ecological targets → environmental disaster:

  Nuclear power plants.

  Reservoir hydro power plants.

Cyber targets → malfunctioning of the information/operation systems:

  Communication networks (internet, telephone …) for cutting off remote communication among interacting systems.

  Dedicated lines for the remote control of power plants.

WHICH CAN BE THE EFFECTS?

Black-outs (as a direct consequence).

Social disorder and panic, increase of failures and criminal actions for machines and apparatus.

Transportation system stuck (subway, trains and flights will be cancelled or influenced, outage of the traffic lights).

Water supply interruption.

Critical state for information and communication system; possible shut down of internet services.

Environmental disaster (especially in the case of failure of a nuclear power station or big reservoirs).

Paralysis of industry and finance with huge economic impacts.

POWER SYSTEMS OPERATION AND MANAGEMENT

DIMENSIONS OF POWER SYSTEM OPERATION AND MANAGEMENT

Power system structure & operative condition (physical);

Information exchange (cyber);

Decision making (human & regulatory);

ON-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS

[Figure: loop linking SOs' Decision Making, the Information System and the Physical System; arrow labels: Information, Control Actions, (Estimation of status & performance), System performance.]

POWER SYSTEM STRUCTURE & OPERATIVE CONDITION (PHYSICAL)

The parameters of the network, such as buses, lines, reserve margin and availability of ancillary services for security management.

The operational condition of the systems, such as the availability of components, the level of load and its localization.

INFORMATION EXCHANGE (CYBER)

The information is a key concern both for assessing the present status of the system and for assessing the performance of the control actions on the system.

With lack of critical information, the control actions can be inappropriate and lead to catastrophic performance.

The information availability is a key regulatory issue in the interconnected power systems.

DECISION MAKING: INDIVIDUAL & REGULATORY (HUMAN)

The performance of the whole power system depends on the decisions of control actions by different related SOs.

The decision making of each SO aims to maximize the performance of its sub-system.

The decision making should comply with a set of rules issued by the entity in charge of coordinating the whole system.

NATURE OF THE MALICIOUS THREATS

The threat is potential: it corresponds to the possibility that an attack is performed, but by itself it does not cause damage.

The attack is the actual implementation of the threat and is what causes damage.

The more disruptive the effects a target can produce, the more likely it is to be attacked.

The more a target is protected, the less likely it is to be attacked.

The level of threat, for a given component, depends on the attitudes, decisions and interaction between attackers and defenders at a given point in time and space.

MALICIOUS THREATS MODIFY THE DISTRIBUTION OF THE CONTINGENCY

The strategic interaction determines the probability and the real occurrence of an attack in time and space.

Natural threats to PS occur on a random basis (nature has no specific willingness to hurt; nature is a “random” player).

A malicious threat modifies the probability distribution of the contingency, so that the contingency corresponding to more severe consequences and easier attack implementation will be assigned extra probability of occurrence due to the consideration of malicious threats.

NATURAL VS. MALICIOUS THREATS

 | Natural threat | Malicious threat
Motivation | accidental | rationally deliberate
Distribution on the system | random | critical component preferred
Risk assessment | probabilistic approaches | rational interactions models
Counteractions | re-enforce the system | 1. re-enforce the system; 2. preemptive measures against terrorists
Strategic interaction | no | yes
Players | 1. system operators; 2. sufferers | 1. system operators; 2. terrorist organizations; 3. government; 4. sufferers

FRAMEWORK FOR INFRASTRUCTURE SECURITY

PLAYERS AND PAYOFFS IN THE MALICIOUS THREATS ANALYSIS

Utility: represents the motivations, the benefit and/or the consequence of each player involved in the malicious threat.

Defender: the government, TSO, GenCos, TranCo and the entities that have, in the long term, the aim of maximizing system security.

Attacker: the collective of all the terrorists that want to attack some specific targets; they are intelligent and know how PS works.

Sufferer: the stakeholders that are directly hurt by the attacks of the terrorists and can exert pressure on the defender.

INTERACTION AMONG THE ROLES IN MALICIOUS THREATS

[Figure: interaction among TERRORISTS (attacker), GOVERNMENT (defender), PEOPLE (sufferer) and INFRASTRUCTURE (power system); arrow labels: Strength, Pressure or support, Attack, Amplifying hurt, Protect, Propagandize, Attack/Surrender, Concede/Fight.]

OFF-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS

[Figure: blocks: Defender Decision Making, Attacker Decision Making, Information System, Physical System; labels: List of probable targets & budgets allocation, Threats, Attacks, Defense Actions, Strategy Interaction.]

ON-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS

[Figure: blocks: SOs Decision Making, Information System, Physical System; labels: Attack Scenarios (from off-line security analysis), Assessment of the system performance, Attacks, Information, Remedial Actions, (Estimation of status & performance), System performance, Information distance, Equilibrium from decision making.]

EQUILIBRIUM ANALYSIS

The interactions of the various entities in the analysis are studied under the hypothesis of rational players.

The rational-player hypothesis implies that each entity or player will act to maximize his/her own utility.

An equilibrium is a situation in which no player has an interest in changing its decision if the other players don’t change their decisions.

Equilibrium is the outcome sought in the modeling process; it allows for the evaluation of the possible actions and the related probabilities.

METHODS AND APPROACHES FOR VULNERABILITY & SECURITY MODELING

GAME THEORY (GT) APPLICATIONS

Game theory is concerned with the actions of decision makers who are conscious that the actions of the other game participants affect their utility.

Game theory is suitable for modeling the interaction between attackers and defenders that takes place in a context in which each player's behavior impacts the achievement of the goals of all other players in the game.

Game theory in PS can address the issue of pointing out which point and/or component has higher probability to be attacked.

MIXED STRATEGY GAME FOR RANKING POWER SYSTEM COMPONENTS

A mixed strategy of a player in a game is a probability distribution over the player’s actions.

Define the system components (line/substation) to form a meaningful ‘failure set’ or ‘attacking action set’.

For each attack, the system is analyzed in the new status and the consequences evaluated in terms of payoffs of the defender and attacker to form a payoff matrix.

The mixed strategy equilibrium provides the probability of each component to be attacked and consequently the related risk.

MULTI-AGENT SYSTEMS (MAS)

An agent is an abstract or physical autonomous entity which performs a given task using information gleaned from its environment to act in a suitable manner so as to maximize a given measure of its utility.

The agent should be able to adapt itself based on changes occurring in its environment, so that a change in circumstances will still yield the intended result.

INTERACTION BETWEEN AGENT AND ENVIRONMENT

[Figure: loop between AGENT and ENVIRONMENT; labels: State $s_t$, Reward $r_t$, Action $a_t$, $r_{t+1}$, $s_{t+1}$.]

At each time step $t$, the agent senses the current state $s_t = s \in S$ of its environment and on that basis selects an action $a_t = a \in A$. As a result of its action, the agent receives an immediate reward $r_{t+1}$, and the environment’s state changes to the new state $s_{t+1} = s' \in S$.

SOCIALLY RATIONAL AGENTS

Socially rational agents not only focus on their own (individual) utilities but also consider the utilities of other agents when deciding which action to perform.

Information sensitivity reflects the robustness of a system w.r.t. the availability of information.

Information distance is a measure of how the system is impacted by unavailability of information. It gives insights on how the operators are aware of the effectiveness of their possible actions with partial information.

FICTITIOUS PLAY

A fictitious play is a process where each player believes that each opponent is using a stationary mixed strategy based on empirical distribution of their past actions until the strategies come to equilibrium.

It is appropriate for the problems without full information for which players can only make decisions according to their experiences.

It can model human decision making by multiple operators for defending the system without full information. The assessment of the information impact can be derived w.r.t. the resulting equilibrium.
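The component-ranking game from the mixed-strategy slide and the fictitious play process above can be combined in one sketch. This is an added example, not code from the talk: it assumes a zero-sum payoff (expected damage), constructed damage figures for four hypothetical buses, and the Beta = 0.2 value listed on the input slide of the deck.

```python
BETA = 0.2  # "Beta" on the input slide: P(destroyed | attacked and protected)
# Constructed damage figures (M EUR) for four hypothetical buses.
DAMAGE = {"bus A": 100.0, "bus B": 80.0, "bus C": 60.0, "bus D": 20.0}


def payoff_matrix(damage, beta):
    """A[i][j]: expected damage when component i is attacked and j is protected."""
    d = list(damage.values())
    n = len(d)
    return [[d[i] * (beta if i == j else 1.0) for j in range(n)] for i in range(n)]


def fictitious_play(A, rounds=50000):
    """Zero-sum fictitious play: the attacker maximises A, the defender minimises it.

    Every round each side best-responds to the empirical mix of the other
    side's past actions. Returns (attack_probs, protect_probs, lower, upper)
    with lower <= game value <= upper.
    """
    n, m = len(A), len(A[0])
    att_count, def_count = [0] * n, [0] * m
    att_gain = [0.0] * n  # cumulative payoff of each attack vs. defender history
    def_loss = [0.0] * m  # cumulative loss of each protection vs. attacker history
    for _ in range(rounds):
        i = max(range(n), key=att_gain.__getitem__)
        j = min(range(m), key=def_loss.__getitem__)
        att_count[i] += 1
        def_count[j] += 1
        for k in range(n):
            att_gain[k] += A[k][j]
        for k in range(m):
            def_loss[k] += A[i][k]
    p = [c / rounds for c in att_count]
    q = [c / rounds for c in def_count]
    lower = min(def_loss) / rounds  # damage the attacker's mix guarantees
    upper = max(att_gain) / rounds  # damage the defender's mix concedes at most
    return p, q, lower, upper


def rank_components(damage=DAMAGE, beta=BETA, rounds=50000):
    """Rank components by risk = P(attacked) * expected damage under the defender mix."""
    names = list(damage)
    A = payoff_matrix(damage, beta)
    p, q, lower, upper = fictitious_play(A, rounds)
    rows = []
    for i, name in enumerate(names):
        expected_damage = sum(A[i][j] * q[j] for j in range(len(names)))
        rows.append((name, p[i], q[i], p[i] * expected_damage))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows, lower, upper


if __name__ == "__main__":
    rows, lower, upper = rank_components()
    print(f"game value between {lower:.2f} and {upper:.2f} M EUR")
    for name, p_att, p_prot, risk in rows:
        print(f"{name}: attacked {p_att:6.2%}  protected {p_prot:6.2%}  risk {risk:6.2f}")
```

In this constructed game the defender concentrates protection on the highest-damage bus, so the equilibrium attack probability shifts toward the less protected buses, and the lowest-damage bus drops out of the ranking entirely.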

TOPICS AND ISSUES OF THE STUDY

SOME TOPICS TO BE ADDRESSED

Provide assessment on the probability of attacks to physical, ecological and cyber targets in PS.

Pointing out the most critical components.

Providing proper risk management tools that can account for malicious attacks.

Designing preventive protection strategies against malicious attacks.

Budget allocation for protection against malicious attacks.

Define coordination strategies for handling malicious attacks in the EU/UCTE framework.

SOME POSSIBLE ANSWERS FROM GT & MAS MODELS

Power system component ranking with reference to the possibility of being attacked (physical objectives) and analysis of the damages.

The impact of the failure of the communication between two entities/sub-systems (cyber objectives) and analysis of the consequences.

Comparative analysis of different coordination schemes under the attacking scenario.

Information impacts on the realization of an attack and its consequences.

CONCEPTUAL EXAMPLES

SYSTEM COMPONENTS RANKING W.R.T. THE RISK/PROBABILITY TO BE ATTACKED

Objective: attribute to each system component a probability of attack and provide a ranking of the components according to the probability/risk of an attack.

Theory: game theory application.

Framework: a PS is considered in which one attacker (terrorist organization) may be willing to attack the bus substation (cut off all connected lines) and only one organization is in charge of defending it (TSO).

Model features: GT model based on a mixed-strategy game whose equilibrium (MSE) provides the set of attack probabilities for each bus.

MIXED STRATEGY EQUILIBRIA: INPUT

Line information

Line No. | From Bus | To Bus | X.V. | Flow Limit (MW) | Att. Cand. | Attack Cost (k€) | Protect Cost (k€)
1 | 2 | 1 | 0.0575 | 400 | 0 | 15 | 21
… | … | … | … | … | … | … | …

Node information

Node Name | Power (MW) | Power Min (MW) | Power Max (MW) | Node Sta | Att. Candi. | Attack Cost (k€) | Protect Cost (k€)
1 | 203.4 | -240 | 0 | 1 | 1 | 60 | 50
… | … | … | … | … | … | … | …

Parameter

MultiAttack | Power Alloc. Type | Beta
1 | 2 | 0.2

Beta: the probability that the attacked component is completely destroyed, once it is protected.

Power Alloc. Type: 1. Minimize the line flow variation; 2. Minimize the node power variation.

MIXED STRATEGIES EQUILIBRIA: IEEE 30-BUS TEST SYSTEM

[Figure: one-line diagram of the IEEE 30-bus test system with generators G1, G2, G13, G22, G23 and G27; attack probabilities 15.82%, 25.61%, 28.92% and 29.65% marked on the diagram.]

Attacks | Bus | Probability | Risk (M€)
1 | 0 | 0 | 0
2 | 1 | 0 | 0
3 | 2 | 15.82% | 35.26
4 | 5 | 25.61% | 57.14
5 | 12 | 28.92% | 64.52
6 | 21 | 29.65% | 66.15

IMPACTS EVALUATION OF THE COORDINATION AND COMMUNICATION

Objective: assess the impact of coordination and communication in power systems.

Theory: multi-agent system with Q-learning approach for the agents.

Framework: the network is operated by three TSOs, which may be coordinated or independent, communicating or non-communicating.

Model features: MAS to simulate the real system operation through agent learning and find the exact outcome of different operation scenarios.

INDIVIDUAL & SOCIAL RATIONALITY

Individually rational agent: focuses only on its own (individual) utility when deciding which action to perform;

Socially rational agent: in deciding which action to perform it also considers the utility of other agents;

Expected utility of the agent (EU): generally composed of two terms:

IU individual utility, SU social utility, action.

Utility in this context means the evaluation of the action implemented by the agent.

Action Set: each agent can shed the loads of some buses in its local subsystem.

CALCULATION OF UTILITY

For actions that cannot remove congestions completely, the action causing less overloaded rate should have higher utility.

Utility = Total Overloaded Rate (negative)

For actions that can remove congestions completely, the action shedding less loads should have higher utility.

Utility = M – Quantity of total shed loads (positive)

(M is a constant which must be bigger than maximum possible quantity of total shed loads in one action.)
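The two utility rules above can be exercised with a small learning agent. This is an added example, not code from the talk: the two-load feeder, its ratings, the through-flow, M = 20 and the learning parameters are all assumptions, "(negative)" is read as the negated overload rate, and learning is reduced to one-step episodes rather than the full state-transition loop of the agent/environment slide.

```python
import random

M = 20.0  # assumed constant, larger than any possible total shed load

# Constructed local subsystem: one line feeds two sheddable loads (pu) plus a
# through-flow the agent cannot shed. The two states differ in line rating.
LOADS = {"bus A": 0.5, "bus B": 0.7}
STATES = {
    "normal": {"limit": 1.0, "through_flow": 0.0},
    "degraded": {"limit": 0.4, "through_flow": 0.5},
}
ACTIONS = [(), ("bus A",), ("bus B",), ("bus A", "bus B")]  # buses whose load is shed


def utility(state, action):
    """Slide rule: negated overload rate while congestion remains,
    otherwise M minus the quantity of shed load."""
    s = STATES[state]
    shed = sum(LOADS[b] for b in action)
    flow = s["through_flow"] + sum(LOADS.values()) - shed
    overload_rate = max(0.0, flow - s["limit"]) / s["limit"]
    if overload_rate > 1e-12:
        return -overload_rate
    return M - shed


def q_learn(episodes=4000, alpha=0.5, epsilon=0.2, seed=1):
    """Epsilon-greedy Q-learning over (state, action) with one-step episodes."""
    rng = random.Random(seed)
    states = list(STATES)
    q = {s: [0.0] * len(ACTIONS) for s in states}
    for _ in range(episodes):
        state = rng.choice(states)
        if rng.random() < epsilon:
            a = rng.randrange(len(ACTIONS))  # explore
        else:
            a = max(range(len(ACTIONS)), key=q[state].__getitem__)  # exploit
        reward = utility(state, ACTIONS[a])
        # The episode ends after one action, so no next-state term is added.
        q[state][a] += alpha * (reward - q[state][a])
    return q


def learned_policy(q):
    """Greedy action per state from the learned Q-table."""
    return {s: ACTIONS[max(range(len(ACTIONS)), key=q[s].__getitem__)] for s in q}


if __name__ == "__main__":
    table = q_learn()
    for state, action in learned_policy(table).items():
        shed = ", ".join(action) or "none"
        print(f"{state}: shed {shed}; utility {utility(state, action):.4f}")
```

In the constructed "degraded" state the best achievable utility stays negative, the situation the deck reports for an agent that cannot remove its congestion with local actions alone.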

3 TSOs EXAMPLE

[Figure: network diagram with numbered buses divided among TSO 1, TSO 2 and TSO 3; label: POSSIBLE ATTACKS.]

SYSTEM STATES CONSIDERED

[Figure: two diagrams, State 1 and State 2, each showing Part1, Part2 and Part3 with the flows between them.]

State 1: Flow12 = 3.6643, Flow13 = 1.7357, Flow32 = 2.1357

State 2: Flow12 = 1.8261, Flow13 = 3.5739, Flow23 = 0.5261

COMMUNICATIONS IMPACTS FOR INTERCONNECTED SYSTEMS (STATE 1)

NO COMMUNICATIONS: individually rational agents. COMMUNICATION: socially rational agents.

 | No communications: TSO 1 | TSO 2 | TSO 3 | Communication: TSO 1 | TSO 2 | TSO 3
Bus of shed loads | None | 33, 34 | None | None | 33, 34 | None
Utility | 20 | 18.8 | 20 | 20 | 18.8 | 20

For state 1, both locally rational agents and socially rational agents can find the same actions to remove all security congestions.

Individually rational agents converge in 435,856 iterations and socially rational agents converge in 423,393 iterations.

COMMUNICATIONS IMPACTS FOR INTERCONNECTED SYSTEMS (STATE 2)

NO COMMUNICATIONS: individually rational agents. COMMUNICATION: socially rational agents.

Bus of shed loads: no communications: 23, 3, 5, 7, 27; communication: 23, 3, 5, 6, 7.

 | No communications: TSO 1 | TSO 2 | TSO 3 | Communication: TSO 1 | TSO 2 | TSO 3
Utility | 19.4 | -0.1655 | 19.1 | 19.4 | 17.2 | 18.9

At state 2, agent 2 may not have enough resources to remove the security congestions in its local system by itself. When communication is not available, agent 1 and agent 3 cannot get the information about the security situation of agent 2 and help it to remove its security congestion.

Individually rational agents converge in 435,856 iterations and socially rational agents converge in 423,393 iterations.

COORDINATION IMPACTS

From the overall perspective, coordination should be better than independence.

Agent 2 and agent 3 would like to choose coordination because more loads in their subsystems will be supplied. But agent 1 would not. To persuade agent 1 to coordinate, agent 2 and agent 3 may wish to pay some compensation.

 | Coordination: Power Generated [pu] | Coordination: Loads Supplied [pu] | Independence: Power Generated [pu] | Independence: Loads Supplied [pu]
TSO 1 | 9.05 | 7.05 | 7.65 | 7.65
TSO 2 | 2.9 | 1.9 | 1.55 | 1.55
TSO 3 | 0 | 3 | 1.5 | 1.5
Total | 11.95 | 11.95 | 10.7 | 10.7

CONCLUSIONS

Various dimensions need to be accounted for in the analysis of power system security & vulnerability.

Those dimensions interact among themselves in producing the system performance and need proper tools able to capture that interaction at various levels.

Game theory technique provides a sound framework for threat analysis on an off-line basis.

MAS and fictitious play can be applied to on-line attack analysis with consideration of coordinating activities and rules.

ACKNOWLEDGMENT

JOINT RESEARCH CENTER

Institute for the Protection and the Security of the Citizen

Istituto Superiore sui Sistemi Territoriali per l'innovazione