RISK ASSESSMENT OF TERRORIST ATTACKS ON ELECTRIC POWER SYSTEMS: THE NATURE OF THE PROBLEM AND THE ANALYSIS TECHNIQUES
Ettore Bompard
Politecnico di Torino - Dipartimento di Ingegneria Elettrica
iNRiM – Istituto Nazionale di Ricerca Metrologica
Incontri del Giovedì
E.Bompard - Valutazione del rischio di attacchi terroristici ai Sistemi Elettrici di Potenza - 2
OUTLINE
Why, what to attack and which are the effects.
Nature of the malicious threats.
Power systems operation and management.
Framework for the analysis of infrastructure security.
Methods and approaches for vulnerability & security modeling.
Topics and issues in the analysis.
Conceptual examples:
  Component ranking with respect to the malicious threats.
  Impact of coordination and communication.
WHY ATTACK POWER SYSTEMS (PS)?
Large visibility provided by successful attacks (region/nation wide effects).
Possibility to affect individuals, organizations and businesses in their activities and interests.
Huge economic impacts.
Possible “domino effects” due to the physical properties and PS structure that may amplify a “properly” chosen action, providing large scale impacts.
Difficulty of protecting PS due to their large extension and territorial dispersion.
WHAT CAN BE ATTACKED?
Physical targets → power outage (blackout):
  Power lines (destroying towers).
  Substations (buses/transformers).
  Power plants (generators or control systems).
Ecological targets → environmental disaster:
  Nuclear power plants.
  Reservoir hydro power plants.
Cyber targets → malfunctioning of the information/operation systems:
  Communication networks (internet, telephone …) for cutting off remote communication among interacting systems.
  Dedicated lines for the remote control of power plants.
WHICH CAN BE THE EFFECTS?
Black-outs (as a direct consequence).
Social disorder and panic, increase of failures and criminal actions for machines and apparatus.
Transportation system stuck (subway, trains and flights will be cancelled or influenced, outage of the traffic lights).
Water supply interruption.
Critical state for information and communication system; possible shut down of internet services.
Environmental disaster (especially in case of failure of a nuclear power station or of big reservoirs).
Paralysis of industry and finance with huge economic impacts.
DIMENSIONS OF POWER SYSTEM OPERATION AND MANAGEMENT
Power system structure & operative condition (physical);
Information exchange (cyber);
Decision making (human & regulatory).
ON-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Figure: block diagram linking the SOs' decision making, the information system and the physical system; labels: information (estimation of status & performance), control actions, system performance.]
POWER SYSTEM STRUCTURE & OPERATIVE CONDITION (PHYSICAL)
The parameters of the network, such as buses, lines, reserve margin and availability of ancillary services for security management.
The operational condition of the system, such as the availability of components, the level of load and its localization.
INFORMATION EXCHANGE (CYBER)
Information is a key concern both for assessing the present status of the system and for assessing the performance of the control actions on the system.
When critical information is lacking, the control actions can be inappropriate and lead to catastrophic performance.
The information availability is a key regulatory issue in the interconnected power systems.
DECISION MAKING, INDIVIDUAL & REGULATORY (HUMAN)
The performance of the whole power system depends on the decisions of control actions by different related SOs.
The decision making of each SO aims to maximize the performance of its sub-system.
The decision making should comply with a set of rules issued by the entity in charge of coordinating the whole system.
NATURE OF MALICIOUS THREATS
The threat is potential: it corresponds to the possibility that an attack is performed, but by itself it does not cause damage.
The attack is the actual implementation of the threat and is what causes damage.
The more disruptive the effects a target can produce, the more likely it is to be attacked.
The more a target is protected, the less likely it is to be attacked.
The level of threat, for a given component, depends on the attitudes, decisions and interaction between attackers and defenders at a given point in time and space.
MALICIOUS THREATS MODIFY THE DISTRIBUTION OF THE CONTINGENCY
The strategic interaction determines the probability and the real occurrence of an attack in time and space.
Natural threats to PS occur on a random basis (nature has no specific willingness to hurt; nature is a “random” player).
A malicious threat modifies the probability distribution of the contingencies: once malicious threats are considered, the contingencies with more severe consequences and easier attack implementation are assigned extra probability of occurrence.
NATURAL VS. MALICIOUS THREATS
Item | Natural threat | Malicious threat
Motivation | accidental | rationally deliberate
Distribution on the system | random | critical component preferred
Risk assessment | probabilistic approaches | rational interactions models
Counteractions | re-enforce the system | 1. re-enforce the system; 2. preemptive measures against terrorists
Strategic interaction | no | yes
Players | 1. system operators; 2. sufferers | 1. system operators; 2. terrorist organizations; 3. government; 4. sufferers
PLAYERS AND PAYOFFS IN THE MALICIOUS THREATS ANALYSIS
Utility: represents the motivations, the benefit and/or the consequence for each player involved in the malicious threat.
Defender: the government, TSO, GenCos, TranCo and the entities that have, in the long term, the aim of maximizing system security.
Attacker: the collective of all the terrorists that want to attack some specific targets; they are intelligent and know how PS works.
Sufferer: the stakeholders that are directly hurt by the attacks of the terrorists and can exert pressure on the defender.
INTERACTION AMONG THE ROLES IN MALICIOUS THREATS
[Figure: interaction among terrorists (attacker), government (defender), people (sufferer) and infrastructure (power system); edge labels: strength, pressure or support, attack, amplifying hurt, protect/propagandize, attack/surrender, concede/fight.]
OFF-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Figure: block diagram with defender decision making, attacker decision making, information system and physical system; labels: threats, attacks, defense actions, strategy interaction, list of probable targets & budgets allocation.]
ON-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Figure: block diagram with attack scenarios (from off-line security analysis), SOs' decision making, information system and physical system; labels: attacks, information (estimation of status & performance), remedial actions, system performance, assessment of the system performance, information distance, equilibrium from decision making.]
EQUILIBRIUM ANALYSIS
The interactions of the various entities in the analysis are studied under the hypothesis of rational players.
The rational player hypothesis implies that each entity or player will act to maximize his/her own utility.
An equilibrium is a situation in which no player has an interest in changing its decision if the other players don’t change their decisions.
Equilibrium is the outcome sought in the modeling process; it allows for the evaluation of the possible actions and the related probabilities.
METHODS AND APPROACHES FOR VULNERABILITY & SECURITY MODELING
GAME THEORY (GT) APPLICATIONS
Game theory is concerned with the actions of decision makers who are conscious that the actions of the other game participants affect their utility.
Game theory is suitable for modeling the interaction between attackers and defenders, which takes place in a context in which each player's behavior impacts the achievement of the goals of all other players in the game.
Game theory in PS can address the issue of pointing out which point and/or component has the higher probability of being attacked.
MIXED STRATEGY GAME FOR RANKING POWER SYSTEM COMPONENTS
A mixed strategy of a player in a game is a probability distribution over the player’s actions.
Define the system components (line/substation) that form the meaningful ‘failure set’ or ‘attacking action set’.
For each attack, the system is analyzed in the new status and the consequences evaluated in terms of payoffs of the defender and attacker to form a payoff matrix.
The mixed strategy equilibrium provides the probability of each component to be attacked and consequently the related risk.
MULTI-AGENT SYSTEMS (MAS)
An agent is an abstract or physical autonomous entity which performs a given task using information gleaned from its environment to act in a suitable manner so as to maximize a given measure of its utility.
The agent should be able to adapt itself based on changes occurring in its environment, so that a change in circumstances will still yield the intended result.
INTERACTION BETWEEN AGENT AND ENVIRONMENT
[Figure: agent/environment loop; the agent receives state $s_t$ and reward $r_t$ and emits action $a_t$; the environment returns $r_{t+1}$ and $s_{t+1}$.]
At each time step $t$, the agent senses the current state $s_t = s \in S$ of its environment and on that basis selects an action $a_t = a \in A$. As a result of its action, the agent receives an immediate reward $r_{t+1}$, and the environment’s state changes to the new state $s_{t+1} = s' \in S$.
SOCIALLY RATIONAL AGENTS
Socially rational agents not only focus on their own (individual) utilities but also consider the utilities of other agents when deciding which action to perform.
Information sensitivity reflects the robustness of a system w.r.t. the availability of information.
Information distance is a measure of how the system is impacted by unavailability of information. It gives insights on how the operators are aware of the effectiveness of their possible actions with partial information.
FICTITIOUS PLAY
A fictitious play is a process where each player believes that each opponent is using a stationary mixed strategy based on the empirical distribution of their past actions, until the strategies come to equilibrium.
It is appropriate for problems without full information, in which players can only make decisions according to their experience.
It can model human decision making by multiple operators defending the system without full information. The assessment of the information impact can be derived w.r.t. the resulting equilibrium.
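The component ranking from the mixed strategy slide, computed with the fictitious play process described above, as an added example (not code from the talk). It assumes a zero-sum game in which the defender protects one component and a protected component is still destroyed with probability Beta (0.2, the value in the talk's parameter table); the four damage values, the risk definition and all function names are constructed for illustration.

```python
"""Fictitious play on a constructed attacker/defender game (illustrative only)."""

# Constructed sample data: damage (M EUR) if each component is lost.
DAMAGE = [10.0, 8.0, 6.0, 1.0]
BETA = 0.2  # probability a protected component is still destroyed when attacked


def payoff_matrix(damage, beta):
    """A[i][j] = expected damage when component i is attacked and j is protected.

    Assumption: zero-sum game, the attacker gains what the defender loses.
    """
    n = len(damage)
    return [[damage[i] * (beta if i == j else 1.0) for j in range(n)]
            for i in range(n)]


def fictitious_play(A, rounds):
    """Each player best-responds to the empirical mix of the opponent's past moves.

    Returns (p, q, lower, upper): attack frequencies, protection frequencies and
    the two bounds that bracket the value of the game.
    """
    n = len(A)
    att_counts, def_counts = [0] * n, [0] * n
    att_gain = [0.0] * n  # cumulative gain of attacking k against defender history
    def_loss = [0.0] * n  # cumulative loss of protecting k against attacker history
    i = j = 0             # arbitrary opening moves
    for _ in range(rounds):
        att_counts[i] += 1
        def_counts[j] += 1
        for k in range(n):
            att_gain[k] += A[k][j]
            def_loss[k] += A[i][k]
        i = max(range(n), key=att_gain.__getitem__)  # attacker best response
        j = min(range(n), key=def_loss.__getitem__)  # defender best response
    p = [c / rounds for c in att_counts]
    q = [c / rounds for c in def_counts]
    return p, q, min(def_loss) / rounds, max(att_gain) / rounds


def rank_components(p):
    """Component indices ordered from most to least likely to be attacked."""
    return sorted(range(len(p)), key=lambda k: -p[k])


def risk(A, p, q):
    """Assumed definition: attack probability x expected damage under mix q."""
    n = len(p)
    return [p[i] * sum(A[i][j] * q[j] for j in range(n)) for i in range(n)]


if __name__ == "__main__":
    A = payoff_matrix(DAMAGE, BETA)
    p, q, lower, upper = fictitious_play(A, 200_000)
    r = risk(A, p, q)
    print(f"game value between {lower:.3f} and {upper:.3f} M EUR")
    for k in rank_components(p):
        print(f"component {k}: P(attack)={p[k]:.3f} "
              f"P(protect)={q[k]:.3f} risk={r[k]:.3f}")
```

In this constructed game the defender concentrates protection on the costliest components, so the attack probabilities are not ordered by damage alone, and the cheapest component is never attacked.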
SOME TOPICS TO BE ADDRESSED
Provide assessment of the probability of attacks on physical, ecological and cyber targets in PS.
Pointing out the most critical components.
Providing proper risk management tools that can account for malicious attacks.
Designing preventive protection strategies against malicious attacks.
Budget allocation for protection against malicious attacks.
Define coordination strategies for handling malicious attacks in the EU/UCTE framework.
SOME POSSIBLE ANSWERS FROM GT & MAS MODELS
Power system component ranking with reference to the possibility of being attacked (physical objectives) and analysis of the damages.
The impact of the failure of the communication between two entities/sub-systems (cyber objectives) and analysis of the consequences.
Comparative analysis of different coordination schemes under the attacking scenario.
Information impacts on the realization of an attack and its consequences.
SYSTEM COMPONENTS RANKING W.R.T. THE RISK/PROBABILITY TO BE ATTACKED
Objective: attribute to each system component a probability of attack and provide a ranking of the components according to the probability/risk of an attack.
Theory: game theory application.
Framework: a PS is considered in which one attacker (terrorist organization) may be willing to attack the bus substation (cut off all connected lines) and only one organization is in charge of defending it (TSO).
Model features: GT model based on a mixed strategies game whose equilibrium (MSE) provides the set of probabilities of an attack for each bus.
MIXED STRATEGY EQUILIBRIA INPUT
Line information
Line No. | From Bus | To Bus | X.V. | Flow Limit (MW) | Att. Cand. | Attack cost (k€) | Protect cost (k€)
1 | 2 | 1 | 0.0575 | 400 | 0 | 15 | 21
… | … | … | … | … | … | … | …
Node information
Node Name | Power (MW) | Power Min (MW) | Power Max (MW) | Node Sta | Att. Candi. | Attack cost (k€) | Protect cost (k€)
1 | 203.4 | -240 | 0 | 1 | 1 | 60 | 50
… | … | … | … | … | … | … | …
Parameter
MultiAttack | Power Alloc. Type | Beta
1 | 2 | 0.2
Beta: the completely destroyed probability of the attacked component, once it is protected.
Power Alloc. Type: 1. Minimize the line flow variation; 2. Minimize the node power variation.
MIXED STRATEGIES EQUILIBRIA: IEEE 30-BUS TEST SYSTEM
[Figure: one-line diagram of the IEEE 30-bus test system (generators G1, G2, G13, G22, G23, G27), annotated with the attack probabilities 15.82%, 25.61%, 28.92% and 29.65%.]
Attacks | Bus | Probability | Risk (M€)
1 | 0 | 0 | 0
2 | 1 | 0 | 0
3 | 2 | 15.82% | 35.26
4 | 5 | 25.61% | 57.14
5 | 12 | 28.92% | 64.52
6 | 21 | 29.65% | 66.15
IMPACTS EVALUATION OF THE COORDINATION AND COMMUNICATION
Objective: assess the impact of coordination and communication in the power system.
Theory: multi-agent system with Q-learning approach for the agents.
Framework: the network is operated by three TSOs; they may be coordinative/independent, communicating/non-communicating.
Model features: MAS to simulate the real system operation through agent learning and find out the exact outcome of different operation scenarios.
INDIVIDUAL & SOCIAL RATIONALITY
Individually rational agent: focuses only on its own (individual) utility when deciding which action to perform;
Socially rational agent: in deciding which action to perform it also considers the utility of other agents;
Expected utility of the agent (EU): generally composed of two terms:
IU: individual utility, SU: social utility, action.
Utility in this context means the evaluation of the action implemented by the agent.
Action Set: each agent can shed the loads of some buses in its local subsystem.
CALCULATION OF UTILITY
For actions that cannot remove congestions completely, the action causing the lower overloaded rate should have higher utility.
Utility = Total Overloaded Rate (negative)
For actions that can remove congestions completely, the action shedding less load should have higher utility.
Utility = M – Quantity of total shed loads (positive)
(M is a constant which must be bigger than the maximum possible quantity of total shed loads in one action.)
3 TSOs EXAMPLE
[Figure: network with buses numbered 1 to 34, partitioned among TSO 1, TSO 2 and TSO 3, with the possible attacks marked.]
SYSTEM STATES CONSIDERED
[Figure: two diagrams of the system split into Part1, Part2 and Part3, one per state, with the flows between parts.]
State 1: Flow12 = 3.6643, Flow13 = 1.7357, Flow32 = 2.1357
State 2: Flow12 = 1.8261, Flow13 = 3.5739, Flow23 = 0.5261
COMMUNICATIONS IMPACTS FOR INTERCONNECTED SYSTEMS (STATE 1)
Scenario | Agent | Bus of shed loads | Utility
No communications (individually rational agents) | TSO 1 | None | 20
No communications (individually rational agents) | TSO 2 | 33, 34 | 18.8
No communications (individually rational agents) | TSO 3 | None | 20
Communication (socially rational agents) | TSO 1 | None | 20
Communication (socially rational agents) | TSO 2 | 33, 34 | 18.8
Communication (socially rational agents) | TSO 3 | None | 20
For state 1, both locally rational agents and socially rational agents can find the same actions to remove all security congestions.
Individually rational agents converge in 435,856 iterations and socially rational agents converge in 423,393 iterations.
COMMUNICATIONS IMPACTS FOR INTERCONNECTED SYSTEMS (STATE 2)
Bus of shed loads, no communications (individually rational agents): 23, 3, 5, 7, 27
Bus of shed loads, communication (socially rational agents): 23, 3, 5, 6, 7
Scenario | TSO 1 utility | TSO 2 utility | TSO 3 utility
No communications (individually rational agents) | 19.4 | -0.1655 | 19.1
Communication (socially rational agents) | 19.4 | 17.2 | 18.9
At state 2, agent 2 may not have enough resources to remove the security congestions in its local system by itself. When communication is not available, agent 1 and agent 3 cannot get the information about the security situation of agent 2 and help it to remove its security congestion.
Individually rational agents converge in 435,856 iterations and socially rational agents converge in 423,393 iterations.
COORDINATION IMPACTS
From the overall perspective, coordination should be better than independence.
Agent 2 and agent 3 would like to choose coordination because more loads in their subsystems will be supplied. But agent 1 would not. To persuade agent 1 to coordinate, agent 2 and agent 3 may wish to pay some compensation.
TSO | Coordination: power generated [pu] | Coordination: loads supplied [pu] | Independence: power generated [pu] | Independence: loads supplied [pu]
TSO 1 | 9.05 | 7.05 | 7.65 | 7.65
TSO 2 | 2.9 | 1.9 | 1.55 | 1.55
TSO 3 | 0 | 3 | 1.5 | 1.5
Total | 11.95 | 11.95 | 10.7 | 10.7
CONCLUSIONS
Various dimensions need to be accounted for in the analysis of power system security & vulnerability.
Those dimensions interact among themselves in producing the system performance and need proper tools able to capture that interaction at various levels.
Game theory technique provides a sound framework for threat analysis on an off-line basis.
MAS and fictitious play can be applied to on-line attack analysis with consideration of coordinating activities and rules.