S. Bologna, C. Balducelli, A. Di Pietro, L. Lavalle, G. Vicoli

http://www.progettoreti.enea.it/ ENERSIS 2008Milano, 17 Giugno, 2008

Una strategia per mitigare l’effetto delle interdipendenze

tra infrastrutture critiche

ENTE PER LE NUOVE TECNOLOGIE L’ENERGIA E L’AMBIENTE

ITALY BLACK-OUT September 2003 Event tree from UCTE report

Pre-incident network in n-1 secure

state

Network in (n-1) state

with short- term

15’ allowable overload

Network in (n-2) state

with excessive

overload of remaining

lines

Separation of Italy from the

UCTE main Grid

Island operation fails due to unit

tripping

AND AND

1st tree flashover

line tripping

2nd tree flashover

line tripping

Italydisconnected

Tripping of many power

units

AND AND

NETWORK STATE OVERVIEW & ROOT CAUSES

1Unsuccessful re-

closing of the Luckmainer line because of a too high phase angle

difference

2Lacking a sense of

urgency regarding the San Bernardino line overload and call for

inadequate countermeasures in

Italy

3Angle instability

and Voltage collapse in Italy

24 min.

1-2 min.

Safe network state

Endangerednetwork state

Disturbednetwork state

Collapsednetwork

Event

Root cause

Legend

Roma Mini TELCO Black-out January 2004

Pre-incident TELCO

network in secure state

Station continue

working with decreased

battery autonomy

Many external Telco services

go down, as the ACEA data links between

control centers

The normal power supply

from ACEA was

restarted

Returnto

normal state

AND AND

Trip of main power

supply

Loss of power supply

Damaged equipment replaced

Telco services restart

AND AND

NETWORK STATE OVERVIEW & ROOT CAUSES

1Flood on the

apparatus room of the Telco SGT

station. UPS start from batteries

2The battery autonomy

finished as Fire Brigate was not able to

eliminate water in time.

3The full

functionality of the SGT station is

restored

4 hoursSafe network state

Endangerednetwork state

Disturbednetwork state

Collapsednetwork

Event

Root cause

Legend

90 min.

• MIT is a software system to enhance the availability and survivability of LCCIs by mitigating (inter)dependency effects. It is composed of:

• communication components.• add-on components.• other software resources (databases,GUI,

configuration files, run-time environment, etc.)

MIT Introduction

Control Room with MIT WorkStation

LCCI 1

LCCI 2

MIT WorkStation

MIT WorkStation

Control Room

Control Room

MIT integration with existing SCADA systems

MIT integration with existing SCADA systems

IRR

IIS

In

ter-

LC

CI

Com

mu

nic

ati

on

Hig

hw

ay

Middleware Improved Technology System: component oriented architecture

LCCI 1

LCCI 2

LCCI 3

LCCI 5

LCCI 4

LCCI 6

MIT 4

Client-server peer to peer communicationClient-server peer to peer communication

LCCIs ->

Critical Infrastructures

MIT 2

MIT 1

MIT 5

MIT 6

MIT 3

MIT Communication Components

MIT Add-On Components

COMMUNICATIONCOMPONENTS

Communication components are responsible on how

sending/receiving information from neighbouring LCCIs, using the appropriate time constraints and security

levels.

Middleware Improved Technology System: component oriented architecture

ADD-ONCOMPONENTS

Add-on components are responsible on what internal information has to be sent to

neighbouring LCCIs, and what information received from neighbouring LCCIs may influence the internal

LCCI state .

Middleware Improved Technology System: component oriented architecture

MIT Add-On Components

• Internal Assessment– Tool to extract LCCI functional status

• Risk Assessment– Risk Estimator– Incident Knowledge Analyser

• Emergency Management– Assessment of cascading/escalating effects– Display of Emergency Management Procedures– Negotiator

Risk Estimator functions

• Reasoning about the states of processes and services, mainly focusing on the services to be exchanged with other LCCIs.

• Estimating the levels of risks associated to services exchanges with other LCCIs.

• Working on a service-process model of the LCCIs by making use of a fuzzy rules-based mechanism.

Visualisation of the levels of risks associated to the services

LCCI internal stateestimation

After external &internal states

correlation

• Make operators more aware about the global LCCIs state, correlating local LCCI and external LCCIs states.

• Give to the LCCIs operators schematic pictures evidencing the potential risks to loss internal and external services.

• Improve coordination between the LCCI operator and the neighbouring LCCIs.

Risk estimator Benefits

Incremental development & testing process of the components

DEVELOPING COMPONENTS

INTEGRATION TESTING &

VALIDATION

Experimentationof the integrated

capabilities

SimCIPSimCIP

CRIPSCRIPS

TEFSTEFSMIT CompMIT Comp

Laboratory experimentation

LABORATORY EXPERIMENTATION

TEST BEDS TO VERIFY THE INTEGRATED CAPABILITIES

Experimentation strategy (Step 1)

SimCIPNormal

behaviours

SimCIPAttack/fault behaviours

Attack/faults

scenario

tables

Build an experimentation

infrastructure

Simulation Environment

Knowledge elicitation about a set of scenarios

COMPAREBEHAVIOURS WITHOUT MIT

NO ATTACKS/

FAULTS ATTACKS/FAULTSEVENTS TREE

SimCIPAttack/fault behaviours

Attack/faults

scenario

tables

Build an experimentation

infrastructure

Simulation Environment

Knowledge elicitation about a set of scenarios

COMPAREBEHAVIOURS &

EFFECTS WITH MIT

ATTACKS/FAULTSEVENTS TREE

MIT CommunicationMIT Communication

Add-on #nAdd-on #2

Add-on #1

Experimentation strategy (Step 2)

SimCIPNormal

behaviours

SimCIPSimCIP

TelecomTelecomSimulatorSimulator

LCCI TelecomLCCI TelecomData BaseData Base

ElectricityElectricitySimulatorSimulator

LCCI ElectricityLCCI ElectricityData BaseData Base

MITcommunicationMITcommunicationElectricity MIT Add-onElectricity MIT Add-on

Telecom MIT Add-onTelecom MIT Add-on

Electrical Electrical SCADA EmulatorSCADA Emulator

TelecomTelecomSCADA EmulatorSCADA Emulator

Electrical Control RoomElectrical Control Room Telecom Control RoomTelecom Control Room

Optional External Components

Physical set-up of the experimentation environment

LCCIs for experimentationLCCI

OwnerPower Carrier

Telco Carrier

PrimaryLCCI P T

Supporting CI PT TP

P Power (electrical) network

PT Power Telecom network (SCADA systems including also telecom network owned by Power Network Operator)

T Telecom network (Telecom Infrastructure)

TP Telecom Power network (Telecom backup power systems)

LCCIs INVOLVED IN THE ROME MINI

TELCO BLACK-OUT

P – Power Network Simulation

PT – Power Telecom Network Simulation

(SCADA)

TP –Telco Power Network Simulation

T – Telecom Network

Simulation

Scenario

Table

Simulating different LCCIs components within SimCIP

P – Power Network Simulation

PT – Power Telecom Network Simulation

(SCADA)

TP –Telco Power Network Simulation

T – Telecom Network

Simulation

Scenario

Table

Using scenario tables to define different scenario event sequences

Scenarios execution and evaluation

Scenario Tables………………………

Compiling

Selecting

Configure

Run

t0ti ti

t0 = start of scenariote = end of scenarioi = 1...n risky situations = snapshot of risky situation

course of scenario

teti

ti

Logs of the events

Experimentation of MIT integrated capabilities

RETEFS

MIT Communication

IKA CRIPS

Evaluating the expected results

Expected results tables

Scenario tables

MIT Behavior 1

Detection t1Local info t2Remote Info t3………

Scenario 1

Event 1Event 2Event 3………

MIT ComponentsMIT Components

IKA

TEFS

CRIPS

RE

PTPT TPTP

TTPP

Knowledge from analysts/expertsKnowledge from analysts/experts

Verify resultsVerify resultsIterativeIterative

improvementsimprovements

Experimentation steps for RE

Knowledge fromKnowledge fromanalysts/expertsanalysts/experts

RE Knowledge Base RE Knowledge Base General General

rulesrulesSpecific Specific

rulesrules ServicesServices ProcessesProcessesrelations

MIT Behavior 1

Detection t1Local info t2Remote Info t3………

Scenario 1

Event 1Event 2Event 3………

MIT Behavior 1

Detection t1Local info t2Remote Info t3………

Scenario 1

Event 1Event 2Event 3………

2 tables fail2 tables fail

First First experimental stepexperimental step

MIT Behavior 1

Detection t1Local info t2Remote Info t3………

Scenario 1

Event 1Event 2Event 3………

1 table fails1 table fails

SecondSecondexperimental stepexperimental step

FinalFinalexperimental stepexperimental step

Updating rules & Updating rules & services/processes relations services/processes relations

System ready for System ready for demonstration to demonstration to

stakeholdersstakeholders

All tables okAll tables ok

• To prevent cascading effects among interdependent LCCIs is a new challenge

• LCCIs modelling capacity, exploiting also commercial simulation tools, is necessary to develop realistic testing environment.

• Strategies/guidelines to implement exhaustive experimentation sessions must be developed

• Producing/evaluating experiments with/without introducing the MIT solutions may help to obtain an assessment of the MIT benefits.

http://www.irriis.org/

Final considerations