ICT Vulnerabilities of the power grid: towards a road map for future research
Alberto Stefanini (1), Gerard Doorman (2), Nouredine Hadjsaid (3)
on behalf of the GRID consortium *
(1) Joint Research Center - Institute for the Protection and Security of the Citizen, Ispra, Italy.
(2) Norwegian University of Science and Technology, Trondheim, Norway.
(3) Institut National Polytechnique de Grenoble, France.
Abstract. The transformation of the European infrastructure creates considerable system security challenges. GRID is a joint effort of six European research organizations to achieve consensus on the key issues raised by ICT related vulnerabilities of power systems in view of these challenges. GRID has recently issued a preliminary Road Map for future research in the area, grounded on a survey of the position of the European industrial and research communities. The survey assessed the challenges raised and the research needs in this perspective. This paper reviews the conception process for the Road Map and provides motivations for the way it is structured. It also overviews the three areas of investigation of the Road Map: understanding the impact of risk and adapting society and organisations, developing risk and vulnerability assessment, and upgrading control architectures. The focus is on the needs and the challenges within each area and the main objectives of the Road Map.
Keywords: Power Systems, Information & Communication Technologies,
Vulnerabilities, R&D Roadmap
1 Introduction
Vulnerability of the electrical infrastructure appears to be growing due to growing demand, hectic transactions, a growing number of stakeholders and the complexity of controls, as made patent by the major recent blackouts in Europe and North America [1] [2] [3]. GRID [5] [6] is a Coordination Action funded under the Trust and Security objective of the Information Society & Technologies Programme of the 6th Framework Programme to achieve consensus at the European level on the key issues raised by Information & Communication Technology (ICT) vulnerabilities of power systems, in view of the challenges driven by the transformation of the European power infrastructure. The purpose of GRID is to assess the needs of the EU power sector on these issues, so as to establish a Roadmap for collaborative research within the 7th Framework Programme. GRID takes place in a global scenario where:
• power systems become increasingly more important for society
• electricity becomes the most important energy carrier
• power systems become more and more automatic
• power systems become increasingly more dependent on an efficient and reliable information system
and follows a consultation process among power systems stakeholders and the research community held in 2005 [4].
* The partners in the GRID consortium are given in the Acknowledgements.
In that context, the EU energy market must keep and possibly enhance current standards concerning security of supply. The “EU Green paper of Energy” introduces an energy strategy for Europe. One of its strategic objectives is security of supply, and possible future actions for the enhancement of security of supply are presented. Secure electricity supply depends on secure infrastructures, which in this case means the electricity network and its adjacent ICT system. This strategy was articulated through a number of further policy steps.
The first phase of GRID in dealing with these objectives has encompassed four
actions:
• a stakeholder Conference held in Stavanger, Norway in June 2006;
• a broad consultation with power system stakeholders and the research
community through questionnaires and interviews;
• a state of the art of current projects in the considered area;
• a workshop held in Leuven, Belgium in November 2006.
In the following we review the conception process for the GRID Road Map, thus providing motivations for the way it is structured. We also overview the main areas of investigation of the Road Map by focusing on the needs and the challenges pertaining to each area and the main objectives the Road Map envisages to achieve in its 15 year perspective.
2 Establishing consensus on the issues to investigate
The process was initiated through a Conference that was organised jointly with the Energex 2006 Conference in Stavanger in June 2006 and was aimed at providing a broad assessment of the main current requirements of stakeholders in the sector of power systems controls. The presentations gave rise to a lively debate which may be summarized as follows:
• Risk Assessment: this involves the integration of different viewpoints, because of the need to weigh all the impacts of the risk of blackout on society, including social, economic and psychological aspects.
• Emerging Control Technologies: energy market development and integration will require massive adoption of emergent measurement technologies, which may introduce enhanced cyber problems. The enormous amount and flow of data, and the need to integrate those and make the situation intelligible to the operator, are likely to require a paradigm shift in the way control architectures are organised.
• Modelling and Simulation: which way should we model the interconnected systems and their vulnerabilities? New modelling paradigms should be able to analyse and assess the different states of the system as telecom protocols do. These models must provide a time simulation of the grid behaviour as an ICT support to real-time operation.
• Regulation and the policy risk scenario: how will the electric system evolve in a 15-20 year perspective? It will grow more complex and more stressed, and any problem will be made heavier. The role of control rooms and the tasks of the operators will become more and more critical. Tools for real-time decision support will play a major role. The clash between decision-supported operation and fully automated response will be enhanced.
In summary, in a landscape where the main trends (liberalisation and trade, EU integration, increased use of innovative equipment) concur to make the system more complex and stressed, two requirements appear to be outstanding:
• with reference to risk assessment, there is a need for well integrated methodologies, founded on a sound and unambiguous conceptual basis. These are essential to be able to value the cost of security, hence for the provision of services of any kind (assessment, protection, insurance, communication etc.) in this area.
• with reference to power systems controls, the debate made clear that the main challenge is to integrate innovative control equipment with the legacy control systems of the sector. This integration will be challenging because innovative controls, based on distributed intelligence, will bring about a paradigmatic shift with respect to the conventional control systems, which have a hierarchical architecture.
3 Results of the Stakeholders and Research Community Surveys
The stakeholder survey relied on a questionnaire, which was disseminated to a broad
selection of professionals, approximately 600 members of industrial and research
communities across Europe and beyond. Of those polled, 57 responded; nearly 10
percent. Of the respondents, 34 are from the industrial community and 22 from the
research community. Industry respondents were from six categories: transmission
system operators (TSO), power companies, manufacturers, regulators, research
institutes, and distribution system operators. TSOs were the single most dominant
voice in industry.
The questionnaire covered three points: Criticality, Vulnerability and Areas of Future
Emphasis. Respondents were asked to rank the main ICT dependent functions of
power systems (measurements, protection, monitoring, control, operator support and
system management) according to their criticality and vulnerability.
Protection was ranked as the most critical function followed closely by control. The
reason for such high rankings in these two areas is that a single error in protection
and/or control has the potential to lead to larger events of a severe nature (voltage
instability, blackout, etc.). The ability of protection systems to both limit damage
under normal expected operation and to exacerbate problems under abnormal
operation makes the protection area critical. Control comes in a close second with
protection. The proper circulation of information in the control loop is the key
element in control criticality. The availability of correct incoming and outgoing
information is essential in supporting and executing operators’ decisions regarding
control actions. Protection, the function with highest criticality ranking, also ranked
highest in vulnerability. Hidden failures and configuration/settings errors are of
primary concern. Remote access via ICT and sensitivities to ICT failures also cause
protection schemes such as wide-area protection and distance relays to have increased
levels of vulnerability. Measurements are seen as highly vulnerable mainly because
of the high failure rate of Remote Terminal Units and the reliance of Wide-area
Measurements on ICT functions.
Among Areas of future Emphasis, the industrial research community supports an
upgrade of Control technologies, rather than their redesign. These conclusions appear
rooted in the fact that power grid controls are long standing systems, where the role of
legacy components is substantial, and drastic architectural changes will be
impractical.
The research community survey was also based upon a summary of questionnaire responses. However, unlike the stakeholders survey, this questionnaire was sent out to research entities exclusively. Although the number of responses to this questionnaire was small (12 responses from approximately 60 that were approached), the main conclusion of the presentation illustrated the current lack of sufficient research coverage in the area of power system protection and control vulnerabilities related to ICT.
4 Stakeholders interaction: the Leuven Workshop
This workshop focused on the outcomes of the stakeholders survey and the results of the analysis of existing R&D projects in the area based on the research community survey. The presentation of the survey results was followed by a discussion which can be summarized by the following precepts:
• An ICT-based attack at certain points in the electric grid poses the threat of damage to the whole system.
• A priority is the training of operators to deal with ICT malfunctions and failures.
• The control upgrade paradigm should be followed with the realization that progressive upgrade may indeed look like a revolution - compare the electric grid of today with that of 10 years ago.
• Previous and present research gaps necessitate further research into the types of ICT vulnerabilities that exist in power systems and how to mitigate such vulnerabilities.
• An all-horizons approach is needed to prevent the electric grid from entering malfunction situations from which it is impossible to recover. However, in the holistic approach, research must not lose focus of the details of how the power system enters these sick conditions and of how potent these malfunctions are at bringing a loss of control to the system.
• The notion of malicious attacks invalidates many of the vulnerability assessment methods used heretofore. Furthermore, the influence of the market on the grid adds another dimension of complexity.
• Just as “no one understands the internet,” the complexity of the power system makes it difficult to assess the criticality and vulnerability of the grid’s components.
5 The preliminary Road Map
At the end of the survey process performed by GRID in 2006, the stakeholders' needs, the objectives to focus on, the challenges to face and the research areas to focus on were identified in their main lines. In order to meet the challenges identified by the GRID consensus raising process, GRID has developed an R&D Road Map featuring three main goals that represent the main pillars for achieving a secure energy transport infrastructure within the next 15 years:
• Understand the Impact of Risk and Adapt Society and Organisations
The changes in both the physical and electronic components and architecture of the power sector will have vast impacts on the power sector. They will require appropriate modifications of the way stakeholder organisations conceive and implement security and of the correlated education and training.
• Risk and Vulnerability Assessment Tools and Methods
Cyber-security assessment of critical online equipment is needed, but there is a lack of appropriate methodologies. The effort to amalgamate the risk analysis of electrical contingencies with cyber security analysis is considered a priority area for investigation.
• Control Architectures and Technologies
Due to their complexity, a full redesign of control architectures for power systems is not suitable, so research and development must focus on their upgrade. In that context, understanding the cascading effects of ICT faults on power system functionality and envisaging the mitigation of failure mechanisms is crucial.
In the Road Map, it is suggested to organize the work in several terms, indicated as Near term, Mid term and Long term (Fig. 1), with defined objectives and relevant actions to be launched in terms of research, work on policies, standards and best practices, information sharing and benchmarking/deployment/technology transfer.
[Figure: Start (State of the art) -> Near Term -> Mid Term -> Long Term -> End State (Vision 2020)]
Fig. 1. Principal overview of the working procedure showing states (Start, near term, mid term, long term, end state), and arrows indicating actions to proceed.
The following Sections introduce the key Road map objectives and actions for each
pillar. The details of the actions linked with each objective are available in the full
Road Map (http://grid.jrc.it).
5.1 Understand the Impact of Risk and Adapt Society and Organisations
The changes in both the physical and electronic components and architecture of the
power sector will on the one hand have vast impacts on power companies, and on the
other will demand appropriate modifications of the correlated education and training
systems and of the approaches for the management of the associated societal risks.
Although awareness of control and ICT vulnerabilities is spreading among policy and
business circles, it is still lacking among power engineers and the public at large. A
basic and widespread Education on Security Risk is lacking. Future developments
should focus on the creation of educational tools and structures. These structures
should support curricular activities in universities and professional training of current
staff. This emphasis on security should not only make power engineers aware of ICT
risks and vulnerabilities, but also show how such vulnerabilities interact with the
electric grid and what can be done to prevent and mitigate risks. Models and
simulation techniques that focus on the interactions between both control and
protection mechanisms of the power system and ICT are instrumental.
Companies will have to adapt their internal handling of security risk, taking into consideration the potential implications for society of security failures (e.g. the potential consequences due to the many existing interdependencies). As the European infrastructure consists of many closely interrelated national systems, each of them typically composed of several generation, transmission and distribution companies, the management of risk will have to adopt fitting arrangements.
Summarising, a general culture of security risk will have to permeate the human, organisational and societal dimension of the power infrastructure, embracing the physical and ICT aspects of the systems. The Road Map identifies three main issues: Awareness Raising and Education, Adapt Society and Organisations, and Deploy an EU-wide security programme, to be coped with in the near term, the medium term and the long term, respectively. Each issue involves a number of key actions:
• Near term objectives and research actions: Awareness Raising and Education
  - Deploy an awareness raising campaign for business and policy decision makers and practitioners
  - Establish training curricula, programs and tools for risk assessment, including professional education
  - Propose a security risk governance arrangement for the European power infrastructure
• Mid term objectives and research actions: Adapt Society and Organisations
  - Implement an EU training programme for power engineers on security risk
  - Achieve consensus on security risk management & governance structures
  - Deploy a first set of EU security laboratories
  - Establish standards for secure data exchange & communication
• Long term objectives and research actions: Deploy an EU-wide security programme
  - Deploy EU-wide training facilities for power engineers, based on environment/user reactive simulators with the capability of simulating security scenarios on a continental basis.
Research actions to reach these objectives are proposed in the Road Map.
5.2 Develop Risk & Vulnerability Assessment
Both the power and ICT communities have had a long lasting focus on risk and
vulnerability, but with quite different focus and also different terminology. One of the
first issues to assess is the development of a common terminology for the integrated
power and ICT systems. This is a necessary precondition for a common understanding
of the issues at hand and the development of integrated risk and vulnerability
assessment.
Based on the Stavanger Conference, the survey [6] and the Workshops as well as
analysis by the GRID partners, a number of specific needs have emerged for the
common power and ICT infrastructure. The most important of these are:
• The development of measures/indices and criteria for the vulnerability
• The development of holistic methods and tools for risk and vulnerability assessment
• Common approaches at the European level for the handling of security information and vulnerability handling
• Common archives of best practices on countermeasures and other security means
Major research challenges are:
• Getting consensus among stakeholders on relevant indices and criteria
• Modelling of complex systems relevant for networked infrastructures
security
• Modelling of coordination/intercommunication mechanisms for security
protection
• Providing generic solutions for coping with the evolutionary power
environment
It will also be necessary to overcome additional challenges that are not directly
research related:
• Overcoming the barriers (institutional, economic, confidentiality …) to information and experience sharing, while respecting business confidentiality
• Establishing strategic partnerships between member states, the private sector
and the research community to implement a common scheme of
vulnerability handling
• Finding the correct balance between technical, regulatory and organisational
solutions
The needs expressed by the stakeholders focus on simple and standard vulnerability and risk macro indices and criteria, and corresponding micro indices for dependability characteristics. Moreover, the need is perceived for methods and tools that handle a very broad spectrum of risk and vulnerability, including human and organizational factors and covering “all relevant” hazards and threats. These are truly ambitious needs, and it cannot be expected that they can be satisfied by one comprehensive method. Instead it will probably be necessary to subdivide the total system and process into several sub-processes, and for each define a framework for risk and vulnerability analysis as illustrated in Fig. 2.
[Figure: Risk management process]
1) Establish context: problem definition, information gathering and planning; selection of methods for risk and vulnerability assessment.
2) Risk and vulnerability assessment: identification of potential threats/hazards affecting the ICT system; consequence analysis for identified hazards and threats; causal analysis and assessment of uncertainties for identified hazards; establish the overall risk picture; risk evaluation.
3) Risk treatment: identify, assess and evaluate measures; propose priority of measures based on a holistic evaluation; management review and decision.
Followed by implementation, monitoring and evaluation of future development.
Fig. 2. Risk management process
In the following, objectives are identified for the short, mid and long term to satisfy the needs expressed by the stakeholders and to address the challenges. The main focus in the near term is on a better understanding of the threats, risks and vulnerabilities involved, as well as an initial assessment of methods. In the mid term, the focus is on the development and implementation of off-line tools, while operational real time tools are the focus in the long term.
• Near term objectives and research actions: Crosscutting issues
  - Identification/understanding of the classes, categories and characteristics of risks and vulnerabilities (present and forecasted)
  - Common methodologies for risk assessment and vulnerability analyses of integrated Power and ICT systems
  - Initial assessment of methods and tools for risk and vulnerability analyses
  - Identify threats arising from increasing integration between control systems and other enterprise software
• Mid term objectives and research actions: Planning and design of off-line assessment tools and technologies
  - Off-line tools for analyzing the risk and vulnerability related to different hazards and threats (technical, human errors, malicious attacks, etc.)
  - Modelling and simulation tools for the analysis of offensive/defensive strategies and the development of decision support tools
  - Security audits and incident reporting
• Long term objectives and research actions: On-line and operational assessment
  - Tools for assessing in “real time” the “operational” vulnerability of the components and systems under given conditions, taking into account expected evolutions and scenarios
  - Adapting decision support systems for real time use
  - Implementation for testing in operation of integrated vulnerability analyses of a regional power and ICT system
5.3 Upgrade Control Architectures and Integrate Innovative Technologies
Power control architectures refer to an enormous variety of devices located in the electrical, protection, automation, control, information and communication infrastructures necessary to guarantee the continuity of power supply, the structural integrity of the components of the electrical infrastructure and the correct balance between load and generation. Due to power market liberalisation, the exploitation of new energy sources and the pervasiveness of information technology, power control architectures evolve in two main directions: the upgrading of existing legacy systems and the development of new control architectures performing additional functions and integrating advanced technologies.
During the process of gathering stakeholders’ needs in this sector, involving the survey process and analysis, the GRID conference and the workshops, the needs that emerged with regard to upgrading control architectures and integrating innovative technologies can be summarized as follows:
• New components and devices with built-in information security
• Need for incremental and flexible control architectures, inherently robust to ICT attacks and flaws
• Mitigate cascading effects among ICT infrastructures and power systems
• Accommodate new technologies and tools for security evaluation and countermeasures
• Specific operator decision tools, based on online, real-time monitoring results
The major challenges thus are:
• Shifting from dedicated to off-the-shelf data processing and communication systems
• Incremental solutions and transition steps to be identified and planned (accommodating legacy systems)
• Increased requirements for coupling operational and business networks and information systems.
Each one of these issues involves a set of objectives and relevant actions to be
launched in terms of research, works on policies, standards and best practices,
information sharing and benchmarking/deployment/technology transfer. Below are
listed the main research directions to be tackled with respect to near, medium and
long term perspective.
• Near term objectives and research actions: Crosscutting issues
  - Understanding of interdependencies and cascading effects of ICT faults and scenarios
• Mid term objectives and research actions: Components and architectures
  - Identification of transition steps toward more robust control systems
  - Investigating flexible architectures needed to mitigate cascading effects among ICT infrastructures and power systems - envisage mitigation of failure mechanisms
  - Assurance of the power infrastructure: security policies (procedures, protection, etc.) in the context of defence plans, communication of security risk, assurance cases
• Long term objectives and research actions: Protective measures, remedial actions and real time applications
  - Real time applications for supervision & control encompassing EMS & ICT functions
  - Strategies for decentralized intelligence and self-reconfiguring architectures and protection mechanisms
  - Implementation, testing and performance evaluation of the introduced and incremental new control concepts
6 Conclusion
In this paper a draft Road Map for a research agenda in the area of ICT vulnerabilities of power systems and relevant defence methodologies was presented. The overall time horizon is consistent with the 7th Framework Programme and involves R&D actions with prospected outcomes in a mid and long term horizon.
Through various stakeholder consultations, questionnaires, conferences and workshops, there is a general agreement, within the particular scope of the GRID initiative, on the identified research priorities:
• Risk and Vulnerability Assessment Tools and Methods,
• Control Architectures and Technologies
• Understand the Impact of Risk and Adapt Society and Organisations
However, it has to be noted that the issues and research directions highlighted in this preliminary version are still under finalization. Structuring specific research topics against each objective and challenge with respect to priorities, as well as making this roadmap “ready to be used” by the EC for issuing corresponding calls, is still to be worked out.
Thus, future work will be dedicated to further structuring this roadmap and defining the relevant recommendations to support the identified research priorities.
Acknowledgements
The GRID Road Map is the result of a European Coordination Action. The GRID Consortium comprises:
• Institut National Polytechnique de Grenoble (INPG) – Laboratoire d'Electrotechnique de Grenoble – France
• Joint Research Centre of the European Commission (JRC) – Institute for the Protection and Security of the Citizen
• SINTEF – Foundation for Scientific and Industrial Research at the Norwegian Institute of Technology – Norway
• CESI RICERCA – Grid and Infrastructures Department – Italy
• Fraunhofer Institute for Secure Information Technology (FhG-SIT) – Germany
• Katholieke Universiteit Leuven (KUL) – Belgium.
Although taking full responsibility for the way GRID and its results are presented here, the authors want to acknowledge that many individuals have given key contributions to the Road Map, specifically: Geert Deconinck (KUL), Giovanna Dondossola (CESI RICERCA), Nils Flatabø, Oddbjørn Gjerde, Gerd Kjølle (SINTEF), Marcelo Masera (JRC), Jean-Pierre Rognon (INPG), Mechthild Stöwer, Paul Friessem (FhG). In addition many others took part in the GRID events reported in this paper, whose contribution is impossible to acknowledge by name.
References
1. Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, U.S.-Canada Power System Outage Task Force, April 5, 2004, http://www.nerc.com/~filez/blackout.html
2. Investigation Report into the Loss of Supply Incident affecting parts of South London at 18:20 on Thursday, 28 August 2003, Executive Summary. National Grid Transco, September 10, 2003. http://195.92.225.33/uk/library/documents/pdfs/London28082003.pdf
3. Final Report of the Investigation Committee on the 28 September 2003 Blackout in Italy, UCTE Ad-hoc Investigation Committee, April 27, 2004. http://www.ucte.org/pdf/News/20040427_UCTE_IC_Final_report.pdf
4. The future of ICT for power systems: emerging security challenges, Report of the Consultation Workshop held in Brussels on February 3-4, 2005. https://rami.jrc.it/workshop_05/Report-ICT-for-Power-Systems.pdf
5. Stefanini, R.M. Gardner, N. Hadjsaid and J.P. Rognon, A Survey on ICT Vulnerabilities of Power Systems, European CIIP Newsletter, www.IRRIIS.eu, European Commission IRRIIS Project, contract no 027568, WEB-Publication, January / February 2007, Volume 3, Number 1, pp. 6 - 8.
6. R.M. Gardner and The GRID Consortium, A Survey of ICT Vulnerabilities of Power Systems and Relevant Defense Methodologies, accepted in: IEEE Power Engineering Society General Meeting 2007, 24-28 June 2007.