王聪生：电力系统安全及信息和通信技术的作用(英文)

32Int. J. Critical Infrastructures, Vol. 4, Nos. 1/2, 2008Copyright © 2008 Inderscience Enterprises Ltd.The security of power systems and the role of information and communication technologies: lessons from the recent blackoutsAlberto Stefanini* and Marcelo MaseraInstitute for the Protection and Security of the Citizen Joint Research Centre of the European Commission Via E. Fermi, 1, 21020 Ispra (VA), Italy E-mail: Alberto.Stefanini@jrc.it E-mail: Marcelo.Masera@jrc.it *Corresponding authorAbstract: This paper analyses the impact of information and communication technologies upon the security of networked infrastructures, making specific reference to the situation of the electric power sector. It discusses the lessons learnt from the recent blackouts, and concludes with the identification of the main technological security challenges faced in this field. In recent years, both Europe and the USA have experienced a significant number of huge blackouts, whose frequency and impact looks to be progressively growing. This paper shows that these events had common roots in the fact that current risk assessment methodologies and current system controls no longer appear to be adequate. Beyond the growing complexity of the electrical system as a whole, two main reasons can be listed: (1) system analysis procedures based on these methodologies did not identify security threats emerging from failures of critical physical components; and (2) online controls were not able to avoid system collapse.Keywords: electric power infrastructure; security; risk assessment; control systems; standards; R&D issues.Reference to this paper should be made as follows: Stefanini, A. and Masera, M. (2008) ‘The security of power systems and the role of information and communication technologies: lessons from the recent blackouts’, Int. J. Critical Infrastructures , Vol. 4, Nos. 1/2, pp.32–45.Biographical notes: Alberto Stefanini graduated in Electronic Engineering at the University of Bologna in 1974. He is currently with the Joint Research Centre of the European Commission, Institute for the Protection and Security of the Citizen, where he is involved in studies on critical infrastructure vulnerabilities, and in the coordination of research activities EU-wide on this subject. Until September 2005, he was with CESI, an electrical engineering and research company based in Milan, where he coordinated research on power system security and diffusion of R&D results. His background includes marketing of engineering and software services in the energy sector, research in artificial intelligence, and design of telecommunications devices and micro systems. He is the author of over 30 scientific and technical publications and one book.Marcelo Masera has been an Electronics and Electrical Engineer since 1980, and an Officer of the European Commission at the Joint Research Centre since November 2000. He is in charge of the Information Security of Critical Networked Infrastructures area within the Institute for the SecurityThe security of power systems and the role of ICTs 33and Protection of the Citizen. His interests are in the dependability andsecurity of complex socio-technical systems, and specifically those relatedto critical infrastructures, large-scale systems-of-systems, information andcommunication technologies and the information society. He has publishedmore than 60 papers in the fields of dependability, security and risk.The content of this paper is the sole responsibility of the authors and in no wayrepresents the view of the European Commission or its services.1 The changing power infrastructure: the E+I paradigmAs discussed in Gheorghe et al. (2006), networked infrastructures, and in particular the power systems, are experiencing fundamental changes in the way they are controlled and monitored. One of the main factors behind this evolution is the pervasive and intensive use of Information and Communication Systems (ICS).The application of electronic technologies to power systems began as soon as those technologies were available, because they appeared as an effective means of implementing control and protection mechanisms. The massive incorporation of digital solutions has changed the character of power systems. In Gheorghe et al. (2006), this industrial phenomenon is denominated the E+I paradigm: this designates the new reality of the power infrastructure characterised by the integration of two elements, namely, ‘Electricity plus Information’.The use of ICS has two sides: on the one side it provides new means of improving the operational and monitoring capabilities, but on the other it opens up dangerous risks of cyber threats. Therefore, the assessment of the risks of the electricity infrastructure cannot ignore the information security aspects of ICS.Taking as an example the evolution of the electricity systems in Europe, it is possible to appreciate how the two main structural changes of the last decade (i.e., unbundling of the generation, transmission and distribution sectors, and use of international interconnections for increasing flows supporting the electricity market) would not have been possible without the parallel application of ICS. Within each country, the application of the regulations over the infrastructure depends on the flow of information between actors: be it the application of connectivity rules or tariffs, electricity and information go together.All aspects of the power infrastructure – from the commercial operations in electricity exchanges, to enhanced services to end users, to the assessment and management of risk and costs, etc. – all aspects of electric power are infused with information. The infrastructure will see the amalgamation of electricity and information. This is the emergence of an E+I scenario. Its reality is central to the understanding of the security risks, and the effective use of ICS. Four phases can be identified in the evolution towards the E+I paradigm (see Figure 1, Gheorghe et al. (2006)):1 During the 1950s and 1960s, power systems worked on their own, evolving fromisolated systems to the first networks. The application of electronics and the firstanalogue computer devices closely followed their availability (e.g., frequency relays and offline tools such as analogue simulators). E was isolated, and the loop with Ipassed through human beings.34 A. Stefanini and M. Masera2 In the 1970s, digital electronics began to replace the functions that were previouslyperformed by electromechanical and analogue equipment, e.g., direct control over some functions. Analogue and digital equipment coexisted for some time. In parallel, computing centres were implemented for data storage and business administrative functions. Power systems evolved networking whole regions. E received directsupport from I, first at the equipment level, then linked to entire installations.3 By the mid-1980s, power systems became wired and computerised, and thepossibility of having remote access to distant facilities pushed the development of communication networks. Power systems were nationally integrated andinternational interconnections were developed. Dispatch centres rapidly developed their capabilities. The diffusion of the internet affected all business processes. Itransformed into an indispensable partner of E.4 From the late 1990s onward, companies and national infrastructures became fullydigitalised. Data flows grew profusely between the industrial and the business sides of companies. Energy markets functioned online. International power networksfurther developed and cross-border flows increased following the requirements of the markets. The vast interconnection among national grids was not just accompanied but also enabled by ICS. Sensors and actuators could be reached through a variety of communication means. On the other hand, the pervasiveness of information allowed new functions across systems. E and I became fused into a single reality: E+I.Figure 1 Evolution towards E+ISource:Derived from Gheorghe et al., 2006The E+I scenario presents security challenges that are not only more numerous or more complex than in the previous periods, but are also different in nature. The E branch of security cannot be analysed or solved without consideration of the I branch. The E and I parts cannot be aggregated, but the compound infrastructure E+I requires a joint security approach.The security of power systems and the role of ICTs 35 2 Networked infrastructure failures: lessons from the summer2003 blackoutsNetwork-shaped, highly distributed infrastructures have to take into consideration a greater diversity of threats than single systems. For instance, in addition to local technical faults, human errors and natural disasters, one has to add systemic failures emerging from the topological and organisational structure of the infrastructure. Moreover, since infrastructural networks are typically geographically distributed, natural forces might affect them owing to the accumulation of dispersed events; and owing to the relevance of infrastructures to national security, deliberate attacks take on a new and important significance.Threats against the electrical system are also growing from the point of view of its adequacy: demand is always growing, and, although this growth may be forecast, it cannot be easily faced anytime, also because the public often withstands construction of new power-generating plants and transmission lines (UCTE, 2004a). Interconnections among national power systems have been developed in the past 50 years so as to ensure mutual assistance between national subsystems, by allowing exchanges between these systems. Today’s market development, with its high level of cross-border exchanges, was out of the scope of the original system design. Transactions are increasing, following electrical system liberalisation, and this involves operating the whole infrastructure closer to security limits (Eurelectric, 2004). As discussed in Gheorghe et al. (2006), this discrepancy between the physical infrastructure and the requirements put to its operation has been described as ‘evolutionary unsuitability’ for emphasising this evolving mismatch.In recent years, both Europe and the USA have experienced a significant number of huge blackouts, whose frequency and impact looks to be progressively growing. Summer 2003 especially was characterised by electricity supply disruption events that had a wide impact on a number of key economies; these events contributed to directing attention to how crucially modern societies depend upon the correct operation of the electric infrastructure. They evidenced the extent to which all technological infrastructures depend on electricity, although most interdependencies are usually not perceived, not only by the public at large, but also by most infrastructure operators. These events had common roots in the emerging vulnerabilities of electrical system controls (intended as the procedures for system management, and the related information and communication infrastructure, comprehensive of monitoring, actuation and protection devices). They also evidenced the inadequacy, in that respect, of current risk assessment methodologies. Most recent incidents arose from a pattern where an initial fault of the electrical infrastructure was not confined because protection systems acted on a purely local basis, and the monitoring equipment failed to alarm human operators in a timely manner:• 14 August 2003 – Eastern North AmericaAccording to the joint US-Canada Task Force (2005), in a way this event wasinduced and, above all, inappropriately managed because of some pending problems affecting the monitoring and control equipment. The state estimator used to preview the likely system evolution was out of order for approximately four hours and was restarted a few minutes before the blackout. Another fault in the SCADA server36 A. Stefanini and M. Maseraput alarm management out of operation and slowed down the entire SCADAfunctionality, to the effect of making control room operators almost totally blindregarding the event.• 28 August 2003 – South London, UKThe cause of this incident was the incorrect rating of a protection relay, undiscovered by the extensive quality control and commissioning procedures. Following an alarm caused by a low oil level in a shunt reactor, a transformer was disconnected from the distribution system, as is the normal practice in this case. Unexpectedly, automatic protection equipment interpreted the change in power flow due to the transformer disconnection as a fault, and disconnected 410 000 customers, including parts of the London Underground and Network Rail (National Grid, 2003).• 23 September 2003 – Southern Sweden and eastern DenmarkThe root cause of this incident was the combination of the initial loss of a largenuclear unit with the double bus-bar fault in the substation on the West coast,which drove the system beyond its security criteria (N-3 situation). Approximately five min after the initial fault (loss of a 1250 MW generation unit), a doublebus-bar fault in a substation on the west coast disconnected four out of five 400 kV transmission lines. Increasing flows on the remaining lines and low voltage insouthern Sweden caused protection relays to trip, and southern Sweden and eastern Denmark were completely disconnected after 90 seconds.• 28 September 2003 – ItalyThe root cause of the event was the trip of the Lukmanier line in Switzerland, due toa tree flashover. In that situation, the Swiss operator had to rely on countermeasuresavailable outside Switzerland, but lacked a sense of urgency regarding the overload of a second line connecting the Swiss system to Italy, and called for inadequatecountermeasures in Italy (UCTE, 2004a). According to the Italian Authority (AEEG, 2003; 2004), the subsequent degradation of the Italian system and its long restoration were mostly due to either inadequate or inappropriate performance of protectionequipment. All three categories of protection systems – critical section control, load relief equipment and load rejection equipment – failed for different reasons. It is also remarkable that 21 out of 52 power plants failed to compensate for the lack ofimported power, because most of them rejected load at about 49 Hz, well above the stated threshold of 47.5 Hz (AEEG, 2003; 2004).3 Open questionsMarket liberalisation and the creation of a single European market have changed the conditions for ensuring a secure electricity supply. The European grid is hosting the transit of commercial flows over long distances, driving system operators to become more and more interdependent, while at the same time substantial commercial interests have appeared and the number of market actors has significantly increased. The major political question raised by recent power outages is whether liberalisation did trigger aThe security of power systems and the role of ICTs 37 process of mismanagement of the electrical infrastructure, whose final outcome is an increase in the frequency and severity of power outages. As pointed out by the authoritative Eurelectric (2004) report ‘Power Outages in 2003’:“major power outages are viewed by consumers as a failure of the wholeelectricity industry, irrespective of the actual reasons and contributing factors(…) The power outage events may increase scepticism to liberalisation incitizens, and have already done so in some officials both at national andEuropean levels.”The main lesson implied by the blackouts is that neither electrical system management, nor its operating procedures, nor system automation was revised so as to adequately cope with the liberalisation scenario. By comparing the two major events discussed in Section 2, the Eastern North America and the Italian blackout, we may recognise a common pattern:• Regarding the Italian case, the UCTE (2004a) report points out that, as an accident originating in Switzerland, it required the timely intervention by the Italian operator to be adequately dealt with. However, the Italian operator did not have directvisibility on the events that happen in other countries, and therefore had to bewarned on the phone by the Swiss operator (!).• Similarly, the US system lacks a governing body that may effectively coordinate operators’ activities. Although NERC (2005a), the North American coordinatingbody, did advance a proposal to that effect, this initially met the opposition of several regional operators.1 Moreover, the malfunction of critical supervisory equipment, which were to act as a common reference for the operators involved in the triggering event, was a crucial factor, in that it deceived operators on the likely progression of events.• In the Italian case, restoration was further compounded by critical infrastructure interdependency. After two hours, the emergency supply to several vital information and communication equipment ceased to work, hence the equipment could no longer operate. This required turning to a backup satellite facility for communication with on-site personnel, who had to manually operate all the remotely controlledequipment, thus making restoration far longer and more cumbersome (AEEG, 2004). • In the US case, restoration was even longer and more cumbersome, owing to the inherent complexity and the extension of the crisis, the plethora of actorsinvolved, and inadequacies of automation and support equipment (US-CanadaTask Force, 2005).The Italian case clearly outlines how the two basic attributes of power service reliability, i.e., adequacy and security, could in some cases be somewhat contrasting. During the summer crisis of 26 June 2003, owing to exceptional weather conditions, the Italian operator was unable to meet demand requirements (failure to provide adequate service), while the September blackout scenario is one where the Italian system, crucially dependent on power imports, failed when this import was suddenly cut off owing to a fault, thus showing a lack of overall security. The system operator was driven to crucially rely on imports for several reasons, among them pressure from public opinion after the summer crisis, thus operating the system closer to its capacity and security limits. Also, the deployment of the Italian crisis is largely due to premature tripping of protection38 A. Stefanini and M. Maserarelays, made to protect specific assets, like power plants, transformers and lines; in this case, security in asset protection prevailed over adequacy, i.e., caused a total failure to meet demand.In conclusion, there is a drive towards integration of the European electricity market, huge opportunities for advanced ICS in this domain and a need to address new vulnerabilities. The main open questions appear to be twofold, as discussed next.3.1 Inadequacy of the current practices to assess power system reliabilityMany incidents arise from a pattern where the initial fault of a power system is compounded by the failure of monitoring equipment and/or incorrect tripping of automatic protection devices (CIGRÉ, 2001). The general industry practice for security assessment has been to use a deterministic approach (CIGRÉ, 2005): the power system is designed and operated to withstand a set of contingencies referred to as ‘normal contingencies’, selected on the basis that they have a significant likelihood of occurrence. This is usually referred to as the N-1 criterion because it examines the behaviour of an N-component grid following the loss of any one of its major components (UCTE, 2004b). Techniques such as load flow analysis are then applied to evaluate the resulting grid conditions. There is no holistic methodology, however, for evaluating risks arising from the power system failures and the automation system together, so as to join physical power system risk assessment with testing/compliance control procedures for automation and protection equipment.3.2 Vulnerabilities of power systems controlsMarket liberalisation involves multiple operators exchanging critical information so as to jointly operate the system; hence a number of key control systems need drastic reviews in order to be fit for operation in a market context. The electrical system depends substantially and increasingly upon its supporting information and communication infrastructure, because almost all vital system functions are remotely controlled, so that an increased control systems complexity, required for secure system operation, may in turn raise system vulnerability, owing to both accidental faults and malicious attacks. Critical infrastructures, and primarily the electrical system, are well-known to be a privileged target in warfare, as well as of terrorist attacks. Unless appropriate measures are taken, this risk will increase with the adoption of open and public information and communication infrastructures for automation support.4 Non-holistic approach to power system reliability assessmentAs discussed in the previous section, many incidents arise from a pattern where the initial fault of a power system is compounded by the failure of monitoring equipment and/or incorrect tripping of automatic protection devices. However, there is no way to join the assessment of risks arising from physical system failures with those arising from failures or attacks to system controls. On the contrary, even the conceptual framework concerning systems security and reliability of power system engineering appears to be quite different from the control systems one.The security of power systems and the role of ICTs 39 Computer systems security was defined by Laprie (1992) as “dependability with respect to the prevention of unauthorised access and/or handling of information”. Computer science views dependability as a global concept, encompassing such properties as availability, reliability, safety, confidentiality, integrity and maintainability. The widespread use of information and communication technologies made the above terminology to be accepted in many sectors of industry, starting from the safety-critical ones – automotive, aerospace, railways, ships, etc., – so that it may be considered a global concept nowadays in control system engineering.Unfortunately, this conceptual framework was not accepted in the power sector, where a different perspective emerged long before the introduction of computer systems to practical applications. Reliability is basically defined in terms of continuity of correct service in power systems engineering, while dependability has no formal meaning, although some authors take it as a synonym of reliability. Power system security is defined as “the ability to withstand sudden disturbances such as electric short circuits or non-anticipated loss of system components” IEEE/CIGRÉ (2004).The practical consequence of these different conceptions is that there exists no holistic approach to risk assessment in power systems, able to evaluate the impact of control system failures together with the impact of physical failures. “Devices used to protect individual equipment may respond to variations in system variables and cause tripping of the equipment, thereby weakening the system and possibly leading to system instability” IEEE/CIGRÉ (2004), thus making automated protection equipment a key vulnerability factor in power systems. However, risk assessment methods in power systems disregard control systems failures: the N-1 criterion takes into account only failures of major electrical components.5 Revision of electrical system controls may increase their vulnerabilities An electric system comprising interconnected power grids (regional, national and supernational) needs complex controls, intended as the procedures for system management, and the related information and communication infrastructure, comprising monitoring, actuation and protection devices, to ensure that the delivery of electrical power anywhere in the system meets certain specified criteria (IEC, 2003). As discussed in the Introduction, such infrastructure has grown together with the electrical system since the 1950s, and in most respects it did not go through a thorough revision after liberalisation to cope with the new security challenges. In summary, these controls appear to be no longer adequate because:• Alarms are not displayed on the screen of the operators who would have to manage them, owing to inappropriate procedures and jurisdictional issues (e.g., alongfrontiers, as in the Switzerland/Italy case, (CRE AEEG, 2004)).• Critical apparatuses are not duplicated so as to remove the effects of their malfunction (North America).• The defence plans of both the North American and the European systems failed.Automatic protection devices were not able to avoid system collapse.40 A. Stefanini and M. Masera• In the Italian case, restoration was made long and cumbersome by inadequacies of the supporting information and communication infrastructure, as far as emergency supply systems are concerned.As a result, there is now a growing consensus about the inadequacy of the European system controls:“The lack or inadequacy of communication, coordination and/or data exchangebetween system operators seems to have played a major role in the escalationof some of the examined events. (…) Binding rules for coordination amongsystem operators both in normal operation and in other situations are desirable.These rules must take account of the new challenges imposed by theliberalisation and integration of the European markets. (...) Tools and means tointensify collection and availability of real-time data should be examined andestablished.” (Eurelectric, 2004)In the aftermath of the 2003 events, the former UC(P)TE non-binding recommendations were transformed into the standards and requirements of the UCTE Operation Handbook and were made binding to all UCTE members via an inter-TSOs Multilateral Agreement signed on 1 July 2005 (UCTE, 2005b). The North American operational procedures alike are being revised by NERC (2005b). In summary, blackouts have triggered a rather hastened overhauling of the whole control system, which may in turn bring about new vulnerabilities. Power systems are multi-jurisdictional infrastructures; hence the real challenge is how to design and implement such a substantial amendment, which involves most of the various private and state entities that participate in some way or another in the operation of the electrical system. In most of the affected countries, particularly the USA and Italy, such process is already in progress so as to reflect changes in the regulatory agreements between TSOs.Meanwhile, new control technologies (Anderson and LeReverend, 1996) are emerging (adaptive protection systems (Jonsson, 2003; Wilks, 2002; Zima,2002), dynamic security assessment (Kundur et al., 2000; Kamwa et al., 2003), wide area measurement systems (Kamwa and Grondin, 2003)). All these systems are inherently based on collecting data in different places, and possibly over an extended period of time, so as to detect an impending malfunction affecting a large portion of the overall system; hence, they are inherently based on fast processing and communication techniques (Naduvathuparambil et al., 2002). Although most of these technologies started to be introduced in the mid-1980s, they are not yet fully mature:• Several issues specifically concerning technology performance are to be addressed, like the criteria for PMU positioning, the reliability of their synchronisation process, the performances of the algorithms (Kamwa and Grondin, 2003).• The potential of innovative technologies for smart local control at the substation level, like adaptive relaying (Phadke and Horowitz, 1990), need to be fully exploited.Their appropriate integration into a multi-level/multi-area hierarchical controlstructure must be investigated.According to a recent workshop among experts of the sector (Stefanini and Servida, 2005), the main challenges implied by the current review of the control systems can be summarised as follows:。