ICT Vulnerabilities of the power grid: towards a road map for future research

Alberto Stefanini1, Gerard Doorman2, Nouredine Hadjsaid3 on behalf of the GRID consortium *

1 Joint Research Center - Institute for the Protection and Security of the Citizen, Ispra, Italy.
2 Norwegian University of Science and Technology, Trondheim, Norway.
3 Institut National Polytechnique de Grenoble, France.

* The partners in the GRID consortium are given in the Acknowledgements.

Abstract. The transformation of the European infrastructure creates considerable system security challenges. GRID is a joint effort of six European research organizations to achieve consensus on the key issues raised by ICT-related vulnerabilities of power systems in view of these challenges. GRID has recently issued a preliminary Road Map for future research in the area, grounded on a survey on the position of the European industrial and research communities. The survey assessed the challenges raised and the research needs in this perspective. This paper reviews the conception process for the Road Map and provides motivations for the way it is structured. It also overviews the three areas of investigation of the Road Map: understanding the impact of risk and adapting society and organisations, developing risk and vulnerability assessment, and upgrading control architectures. The focus is on the needs and the challenges within each area and the main objectives of the Road Map.

Keywords: Power Systems, Information & Communication Technologies, Vulnerabilities, R&D Roadmap

1 Introduction

Vulnerability of the electrical infrastructure appears to be growing due to growing demand, hectic transactions, a growing number of stakeholders and the complexity of controls, as made patent by the major recent blackouts over Europe and North America [1] [2] [3].

GRID [5] [6] is a Coordination Action funded under the Trust and Security objective of the Information Society & Technologies Programme of the 6th Framework to achieve consensus at the European level on the key issues raised by Information & Communication Technology (ICT) vulnerabilities of power systems, in view of the challenges driven by the transformation of the European power infrastructure. The purpose of GRID is to assess the needs of the EU power sector on these issues, so as to establish a Roadmap for collaborative research within the 7th Framework Programme. GRID takes place in a global scenario where:
• power systems become increasingly more important for the society
• electricity becomes the most important energy carrier
• power systems become more and more automatic
• power systems become increasingly more dependent on an efficient and reliable information system
and follows a consultation process among power systems stakeholders and the research community held in 2005 [4].

In that context, the EU energy market must keep and possibly enhance current standards concerning security of supply. The “EU Green paper of Energy” introduces an energy strategy for Europe. One of the strategic objectives is Security of supply, and possible future actions for enhancement of the security of supply are presented. Secure electricity supply is dependent on secure infrastructures, which in this case means the electricity network and its adjacent ICT system. This strategy was articulated through a number of further policy steps.
The first phase of GRID in dealing with these objectives has encompassed four actions:
• a stakeholder Conference held in Stavanger, Norway in June 2006;
• a broad consultation with power system stakeholders and the research community through questionnaires and interviews;
• a state of the art of current projects in the considered area;
• a workshop held in Leuven, Belgium in November 2006.

In the following we review the conception process for the GRID Road Map, thus providing motivations for the way it is structured. We also overview the main areas of investigation of the Road Map by focusing on the needs and the challenges pertaining to each area and the main objectives the Road Map envisages to achieve in its 15-year perspective.

2 Establishing consensus on the issues to investigate

The process was initiated through a Conference that was organised jointly with the Energex 2006 Conference in Stavanger in June 2006 and was aimed at providing a broad assessment of the main current requirements by stakeholders in the sector of power systems controls. Presentations gave rise to a lively debate which may be summarized as follows:
• Risk Assessment: this involves integration of different viewpoints, because of the need to commensurate all the impacts of the risk of blackout on the society including social, economic, and psychological aspects.
• Emerging Control Technologies: Energy market development and integration will require massive adoption of emergent measurement technologies, which may introduce enhanced cyber problems. The enormous amount and flow of data, the need to integrate those and make the situation intelligible to the operator are likely to require a paradigm shift in the way controls architecture is organised.
• Modelling and Simulation: which way should we model the interconnected systems and their vulnerabilities? New modelling paradigms should be able to analyse and assess the different states of the system like telecom protocols do. These models must provide a time simulation of the grid behaviour as an ICT support to real-time operation.
• Regulation and the policy risk scenario: how will the electric system evolve in a 15-20 years perspective? It will grow more complex and more stressed, and any problem will be made heavier. The role of control rooms and the tasks of the operators will become more and more critical. Tools for real-time decision support will play a major role. The clash between decision supported operation and fully automated response will be enhanced.

In summary, in a landscape where the main trends (liberalisation and trade, EU integration, increased use of innovative equipment) concur to make the system more complex and stressed, two requirements appear to be outstanding:
• with reference to risk assessment, there is a need for well integrated methodologies, founded on a sound and unambiguous conceptual basis. These are essential to be able to value the cost of security, hence for the provision of services of any kind (assessment, protection, insurance, communication etc.) in this area.
• with reference to power systems controls, the debate made clear that the main challenge is to integrate innovative control equipment with the legacy control systems of the sector. This integration will be challenging because innovative controls, based on distributed intelligence, will bring about a paradigmatic shift with respect to the conventional control systems, which have a hierarchical architecture.

3 Results of the Stakeholders and Research Community Surveys

The stakeholder survey relied on a questionnaire, which was disseminated to a broad selection of professionals, approximately 600 members of industrial and research communities across Europe and beyond. Of those polled, 57 responded; nearly 10 percent. Of the respondents, 34 are from the industrial community and 22 from the research community.
Industry respondents were from six categories: transmission system operators (TSO), power companies, manufacturers, regulators, research institutes, and distribution system operators. TSOs were the single most dominant voice in industry.

The questionnaire covered three points: Criticality, Vulnerability and Areas of Future Emphasis. Respondents were asked to rank the main ICT dependent functions of power systems (measurements, protection, monitoring, control, operator support and system management) according to their criticality and vulnerability.

Protection was ranked as the most critical function followed closely by control. The reason for such high rankings in these two areas is that a single error in protection and/or control has the potential to lead to larger events of a severe nature (voltage instability, blackout, etc.). The ability of protection systems to both limit damage under normal expected operation and to exacerbate problems under abnormal operation makes the protection area critical. Control comes in a close second to protection. The proper circulation of information in the control loop is the key element in control criticality. The availability of correct incoming and outgoing information is essential in supporting and executing operators’ decisions regarding control actions.

Protection, the function with the highest criticality ranking, also ranked highest in vulnerability. Hidden failures and configuration/settings errors are of primary concern. Remote access via ICT and sensitivities to ICT failures also cause protection schemes such as wide-area protection and distance relays to have increased levels of vulnerability. Measurements are seen as highly vulnerable mainly because of the high failure rate of Remote Terminal Units and the reliance of Wide-area Measurements on ICT functions.

Among Areas of Future Emphasis, the industrial research community supports an upgrade of Control technologies, rather than their redesign.
These conclusions appear rooted in the fact that power grid controls are long standing systems, where the role of legacy components is substantial, and drastic architectural changes will be impractical.

The research community survey was also based upon a summary of questionnaire responses. However, unlike the stakeholders survey, this questionnaire was sent out to research entities exclusively. Although the number of responses to this questionnaire was small (12 responses from approximately 60 that were approached), the main conclusion of the presentation illustrated the current lack of sufficient research coverage in the area of power system protection and control vulnerabilities related to ICT.

4 Stakeholders interaction: the Leuven Workshop

This workshop focused on the outcomes of the stakeholders survey and the results of the analysis on existing R&D projects in the area based on the research community survey. Presentation of the survey results was followed by a discussion which can be summarized by the following precepts:
• An ICT-based attack at certain points in the electric grid poses the threat of damage to the whole system.
• A priority is the training of operators to deal with ICT malfunctions and failure.
• The control upgrade paradigm should be followed with the realization that progressive upgrade may indeed look like a revolution - compare the electric grid of today with that of 10 years ago.
• Previous and present research gaps necessitate further research into the types of ICT vulnerabilities that exist in power systems and how to mitigate such vulnerabilities.
• An all-horizons approach is needed to prohibit the electric grid from entering malfunction situations where it is impossible to recover. However, in the holistic approach, research must not lose focus of the details on how the power system enters these sick conditions and on how potent these malfunctions are at bringing a loss of control to the system.
• The notion of malicious attacks voids many vulnerability assessment methods heretofore. Furthermore, the influence of the market on the grid adds another dimension of complexity.
• Just as “no one understands the internet,” the complexity of the power system makes it difficult to assess the criticality and vulnerability of the grid’s components.

5 The preliminary Road Map

At the end of the survey process performed by GRID in 2006, the stakeholders' needs, the objectives to focus on, the challenges to face and the research areas to focus on were identified in their main lines. In order to meet the challenges brought into focus by the GRID consensus raising process, GRID has developed an R&D Road Map featuring three main goals that represent the main pillars for achieving a secure energy transport infrastructure within the next 15 years:
• Understand the Impact of Risk and Adapt Society and Organisations
  The changes in both the physical and electronic components and architecture of the power sector will have vast impacts on the power sector. They will require appropriate modifications of the way stakeholder organisations conceive and implement security and the correlated education and training.
• Risk and Vulnerability Assessment Tools and Methods
  Cyber-security assessment of critical online equipment is needed but there is a lack of appropriate methodologies. The effort to amalgamate the risk analysis of electrical contingencies with cyber security analysis is considered a priority area for investigation.
• Control Architectures and Technologies
  Due to their complexity, full redesign of control architectures for power systems is not suitable, so that research and development must focus on their upgrade. In that context, understanding cascading effects of ICT faults on power system functionality and envisaging mitigation failure mechanisms is crucial.

In the Road Map, it is suggested to organize the work in several terms, indicated as Near term, Mid term, and Long Term (Fig. 1), with defined objectives and relevant actions to be launched in terms of research, works on policies, standards and best practices, information sharing and benchmarking/deployment/technology transfer.

[Figure 1 labels: Start (State of the art), Near Term, Mid Term, Long Term, End State (Vision 2020)]
Fig. 1. Principal overview of the working procedure showing states (Start, near term, mid term, long term, end state), and arrows indicating actions to proceed.

The following Sections introduce the key Road Map objectives and actions for each pillar. The details of the actions linked with each objective are available in the full Road Map (http://grid.jrc.it).

5.1 Understand the Impact of Risk and Adapt Society and Organisations

The changes in both the physical and electronic components and architecture of the power sector will on the one hand have vast impacts on power companies, and on the other will demand appropriate modifications of the correlated education and training systems and of the approaches for the management of the associated societal risks.

Although awareness of control and ICT vulnerabilities is spreading among policy and business circles, it is still lacking among power engineers and the public at large. A basic and widespread Education on Security Risk is lacking. Future developments should focus on the creation of educational tools and structures. These structures should support curricular activities in universities and professional training of current staff. This emphasis on security should not only make power engineers aware of ICT risks and vulnerabilities, but also show how such vulnerabilities interact with the electric grid and what can be done to prevent and mitigate risks. Models and simulation techniques that focus on the interactions between both control and protection mechanisms of the power system and ICT are instrumental.
Companies will have to adapt their internal handling of security risk, taking into consideration the potential implications for society of security failures (e.g. the potential consequences due to the many existing interdependencies). As the European infrastructure consists of many closely interrelated national systems, each of them typically composed of several generation, transmission and distribution companies, the management of risk will have to adopt fitting arrangements.

Summarising, a general culture of security risk will have to permeate the human, organisational and societal dimension of the power infrastructure, embracing the physical and ICT aspects of the systems.

The Road Map identifies three main issues: Awareness Raising and Education, Adapt Society and Organisations, Deploy a EU-wide security programme, to be coped with in the near term, the medium term and the long term, respectively. Each issue involves a number of key actions:
• Near term objectives and research actions: Awareness Raising and Education
  - Deploy an awareness raising campaign for business and policy decision makers and practitioners
  - Establish training curricula, programs and tools for risk assessment including professional education
  - Propose a security risk governance arrangement for the European power infrastructure
• Mid term objectives and research actions: Adapt Society and Organisations
  - Implement a EU training programme for Power Engineers on security risk
  - Achieve consensus on Security Risk management & governance structures
  - Deploy a first set of EU security laboratories
  - Establish standards for secure data exchange & communication
• Long term objectives and research actions: Deploy a EU-wide security programme
  - Deploy EU wide training facilities for power engineers, based on environment/user reactive simulators with the capability of simulating security scenarios on a continental basis.

Research actions to reach these objectives are proposed in the Road Map.
5.2 Develop Risk & Vulnerability Assessment

Both the power and ICT communities have had a long lasting focus on risk and vulnerability, but with quite different focus and also different terminology. One of the first issues to address is the development of a common terminology for the integrated power and ICT systems. This is a necessary precondition for a common understanding of the issues at hand and the development of integrated risk and vulnerability assessment.

Based on the Stavanger Conference, the survey [6] and the Workshops as well as analysis by the GRID partners, a number of specific needs have emerged for the common power and ICT infrastructure. The most important of these are:
• The development of measures/indices and criteria for the vulnerability
• The development of holistic methods and tools for risk and vulnerability assessment
• Common approaches at the European level for the handling of security information and vulnerability handling
• Common archives of best practices on countermeasures and other security means

Major research challenges are:
• Getting consensus among stakeholders on relevant indices and criteria
• Modelling of complex systems relevant for networked infrastructures security
• Modelling of coordination/intercommunication mechanisms for security protection
• Providing generic solutions for coping with the evolutionary power environment

It will also be necessary to overcome additional challenges that are not directly research related:
• Overhauling the barriers (institutional, economic, confidentiality …) to information and experience sharing, while respecting business confidentiality
• Establishing strategic partnerships between member states, the private sector and the research community to implement a common scheme of vulnerability handling
• Finding the correct balance between technical, regulatory and organisational solutions

The needs expressed by the stakeholders focus on simple and standard vulnerability and risk macro indices and criteria and corresponding micro indices for dependability characteristics. Moreover, the need is perceived for methods and tools that handle a very broad spectrum of risk and vulnerability, including human and organizational factors and covering “all relevant” hazards and threats. These are truly ambitious needs, and it cannot be expected that they can be satisfied by one comprehensive method. Instead it will probably be necessary to subdivide the total system and process in several sub processes, and for each define a framework for risk and vulnerability analysis as illustrated in Fig. 2.

[Figure 2: flow chart of the risk management process with three phases: 1) Establish context, 2) Risk and vulnerability assessment, 3) Risk treatment. Box labels: Problem definition, information gathering and planning; Selection of methods for risk and vulnerability assessment; Identification of potential threats/hazards affecting the ICT system; Perform consequence analysis for identified hazards and threats; Perform causal analysis and assess uncertainties for identified hazards; Establish the overall risk picture; Risk evaluation; Identify, assess and evaluate measures; Propose priority of measures based on a holistic evaluation; Management review and decision; Implementation, monitoring and evaluation of future development.]
Fig. 2. Risk management process

In the following, objectives are identified for the short, mid and long term to satisfy the needs expressed by the stakeholders and to address the challenges. The main focus in the near term is on a better understanding of the threats, risks and vulnerabilities involved as well as an initial assessment of methods. In the mid term, the focus is on the development and implementation of offline tools, while operational real time tools are the focus in the long term.
• Near term objectives and research actions: Crosscutting issues
  - Identification/understanding of the classes, categories and characteristics of risks and vulnerabilities (present and forecasted)
  - Common methodologies for risk assessment and vulnerability analyses of integrated Power and ICT systems
  - Initial assessment of methods and tools for risk and vulnerability analyses
  - Identify threats arising from increasing integration between control systems and other enterprise software
• Mid term objectives and research actions: Planning and design of off line assessment tools and technologies
  - Off-line tools for analyzing the risk and vulnerability related to different hazards and threats (technical, human errors, malicious attacks, etc)
  - Modelling and simulation tools for the analysis of offensive/defensive strategies and the development of decision support tools
  - Security audits and incident reporting
• Long term objectives and research actions: On line and operational assessment
  - Tools for assessing in “real time” the “operational” vulnerability of the components and systems under given conditions, taking into account expected evolutions and scenarios
  - Adapting decision support system for real time use
  - Implementation for testing in operation for integrated vulnerability analyses of a regional power and ICT system

5.3 Upgrade Control Architectures and Integrate Innovative Technologies

Power Control architectures refer to an enormous variety of devices located into the electrical, protection, automation, control, information and communication infrastructures necessary to guarantee the continuity of power supply, the structural integrity of the components of the electrical infrastructure and the correct balance between load and generation.
Due to power market liberalisation, new energy sources exploitation and information technology pervasiveness, power control architectures evolve in two main directions: the upgrading of existing legacy systems and the development of new control architectures performing additional functions and integrating advanced technologies.

During the process of gathering stakeholders’ needs in this sector, involving the survey process and analysis, the GRID conference and workshops, the needs that emerged with regard to upgrading control architectures and integrating innovative technologies can be summarized as follows:
• New components and devices with built-in information security
• Need for incremental and flexible Control Architectures, inherently robust to ICT attacks and flaws
• Mitigate cascading effects among ICT infrastructures and power systems
• Accommodate new technologies and tools for security evaluation and countermeasures
• Specific Operator decision tools, based on online, real-time monitoring results

The major challenges thus are:
• Shifting from dedicated to off-the-shelf data processing and communication systems
• Incremental solutions and transition steps to be identified and planned (accommodating legacy systems)
• Increased requirements for coupling operational and business networks and information systems.

Each one of these issues involves a set of objectives and relevant actions to be launched in terms of research, works on policies, standards and best practices, information sharing and benchmarking/deployment/technology transfer. Below are listed the main research directions to be tackled with respect to the near, medium and long term perspective.
• Near term objectives and research actions: Crosscutting issues
  - Understanding of interdependencies and cascading effects of ICT faults and scenarios
• Mid term objectives and research actions: Components and architectures
  - Identification of transition steps toward more robust control systems
  - Investigating flexible architectures needed to mitigate cascading effects among ICT infrastructures and power systems - Envisage mitigation of failure mechanisms
  - Assurance of the power infrastructure: security policies (procedures, protection, etc.) in the context of defence plans, communication of security risk, assurance cases
• Long term objectives and research actions: Protective measures, remedial actions and real time applications
  - Real time applications for supervision & control encompassing EMS & ICT functions
  - Strategies for decentralized intelligence and self reconfiguring architectures and protection mechanisms
  - Implementation, testing and performance evaluation of the introduced and incremental new control concepts

6 Conclusion

In this paper a draft Road Map for research agenda in the area of ICT vulnerabilities of power systems and relevant defence methodologies was presented. The overall time horizon is consistent with the 7th framework programme and involves R&D actions with prospected outcome in a mid and long term horizon. Through various stakeholders consultation, questionnaires, conference and workshops, there is a general agreement, within the particular scope of GRID initiative, on the identified research priorities:
• Risk and Vulnerability Assessment Tools and Methods
• Control Architectures and Technologies
• Understand the Impact of Risk and Adapt Society and Organisations

However, it has to be noted that issues and research directions highlighted in this preliminary version are still under finalization.
Structuring specific research topics for each objective and challenge with respect to priorities, as well as making this roadmap “ready to be used” by the EC for issuing corresponding calls, is still to be worked out. Thus, future work will be dedicated to further structuring this roadmap and defining the relevant recommendations to support the identified research priorities.

Acknowledgements

The GRID Road Map is the result of a European Coordination Action. The GRID Consortium comprises:
• Institut National Polytechnique de Grenoble (INPG) – Laboratoire d'Electrotechnique de Grenoble – France
• Joint Research Centre of the European Commission (JRC) – Institute for the Protection and Security of the Citizen
• SINTEF – Foundation for Scientific and Industrial Research at the Norwegian Institute of Technology – Norway
• CESI RICERCA – Grid and Infrastructures Department – Italy
• Fraunhofer Institute for Secure Information Technology (FhG-SIT) – Germany
• Katholieke Universiteit Leuven (KUL) – Belgium.

Although taking full responsibility for the way GRID and its results are presented here, the authors want to acknowledge that many individuals have given key contributions to the Road Map, specifically: Geert Deconinck (KUL), Giovanna Dondossola (CESI RICERCA), Nils Flatabø, Oddbjørn Gjerde, Gerd Kjølle (SINTEF), Marcelo Masera (JRC), Jean-Pierre Rognon (INPG), Mechthild Stöwer, Paul Friessem (FhG). In addition many others took part in the GRID events reported in this paper, whose contribution is impossible to acknowledge by name.

References

1. Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, U.S.-Canada Power System Outage Task Force, April 5, 2004, http://www.nerc.com/~filez/blackout.html
2. Investigation Report into the Loss of Supply Incident affecting parts of South London at 18:20 on Thursday, 28 August 2003, Executive Summary. National Grid Transco. September 10, 2003. http://195.92.225.33/uk/library/documents/pdfs/London28082003.pdf
3. Final Report of the Investigation Committee on the 28 September 2003 Blackout in Italy, UCTE Ad-hoc Investigation Committee, April 27, 2004 http://www.ucte.org/pdf/News/20040427_UCTE_IC_Final_report.pdf
4. The future of ICT for power systems: emerging security challenges, Report of the Consultation Workshop held in Brussels on February 3-4, 2005. https://rami.jrc.it/workshop_05/Report-ICT-for-Power-Systems.pdf
5. Stefanini, R.M. Gardner, N. Hadjsaid and J.P. Rognon, A Survey on ICT Vulnerabilities of Power Systems, European CIIP Newsletter, www.IRRIIS.eu, European Commission IRRIIS Project, contract no 027568, WEB-Publication, January / February 2007, Volume 3, Number 1, pp. 6 - 8.
6. R.M. Gardner and The GRID Consortium, A Survey of ICT Vulnerabilities of Power Systems and Relevant Defense Methodologies, accepted in: IEEE Power Engineering Society General Meeting 2007, 24-28 June 2007.