
1 RISK ASSESSMENT OF TERRORIST ATTACKS ON ELECTRIC POWER SYSTEMS: THE NATURE OF THE PROBLEM AND THE ANALYSIS TECHNIQUES
Ettore Bompard, Politecnico di Torino - Dipartimento di Ingegneria Elettrica
iNRiM – Istituto Nazionale di Ricerca Metrologica, Incontri del Giovedì

2 OUTLINE
E. Bompard - Risk assessment of terrorist attacks on electric power systems
- Why, what to attack and what the effects are.
- Nature of the malicious threats.
- Power systems operation and management.
- Framework for the analysis of infrastructure security.
- Methods and approaches for vulnerability & security modeling.
- Topics and issues in the analysis.
- Conceptual examples.
- Component ranking with respect to the malicious threats.
- Impact of coordination and communication.

3 WHY, WHAT TO ATTACK AND WHAT THE EFFECTS ARE

4 WHY ATTACK POWER SYSTEMS (PS)?
- Large visibility provided by successful attacks (region/nation-wide effects).
- Possibility to affect individuals, organizations and businesses in their activities and interests.
- Huge economic impacts.
- Possible "domino effects" due to the physical properties and structure of PS, which may amplify a "properly" chosen action into large-scale impacts.
- Difficulty of protecting PS due to their large extension and territorial dispersion.

5 WHAT CAN BE ATTACKED?
- Physical targets, leading to power outage (blackout):
  - Power lines (destroying towers).
  - Substations (buses/transformers).
  - Power plants (generators or control systems).
- Ecological targets, leading to environmental disaster:
  - Nuclear power plants.
  - Reservoir hydro power plants.
- Cyber targets, leading to malfunctioning of the information/operation systems:
  - Communication networks (internet, telephone …), cutting off remote communication among interacting systems.
  - Dedicated lines for the remote control of power plants.

6 WHAT CAN THE EFFECTS BE?
- Blackouts (as a direct consequence).
- Social disorder and panic, increase of failures and criminal actions for machines and apparatus.
- Transportation systems halted (subways, trains and flights cancelled or affected, traffic lights out).
- Water supply interruption.
- Critical state for information and communication systems; possible shutdown of internet services.
- Environmental disaster (especially in case of failure of a nuclear power station or big reservoirs).
- Paralysis of industry and finance with huge economic impacts.

7 POWER SYSTEMS OPERATION AND MANAGEMENT

8 DIMENSIONS OF POWER SYSTEM OPERATION AND MANAGEMENT
- Power system structure & operative condition (physical).
- Information exchange (cyber).
- Decision making (human & regulatory).

9 ON-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Diagram: SOs Decision Making, Information System, Physical System; arrow labels: Information, Control Actions, (Estimation of status & performance), System performance]

10 POWER SYSTEM STRUCTURE & OPERATIVE CONDITION (PHYSICAL)
- The parameters of the network, such as buses, lines, reserve margin and availability of ancillary services for security management.
- The operational condition of the system, such as the availability of components, the level of load and its location.

11 INFORMATION EXCHANGE (CYBER)
- Information is a key concern both for assessing the present status of the system and for assessing the performance of the control actions on the system.
- When critical information is lacking, the control actions can be inappropriate and lead to catastrophic performance.
- Information availability is a key regulatory issue in interconnected power systems.

12 DECISION MAKING INDIVIDUAL & REGULATORY (HUMAN)
- The performance of the whole power system depends on the control-action decisions of the different related SOs.
- The decision making of each SO aims to maximize the performance of its sub-system.
- The decision making should comply with a set of rules issued by the entity in charge of coordinating the whole system.

13 NATURE OF THE MALICIOUS THREATS

14 NATURE OF MALICIOUS THREATS
- The threat is potential: it corresponds to the possibility of an attack being performed, but by itself does not cause damage.
- The attack is the actual implementation of the threat and is what causes damage.
- The more disruptive the effects a target can produce, the more likely it is to be attacked.
- The more a target is protected, the less likely it is to be attacked.
- The level of threat, for a given component, depends on the attitudes, decisions and interaction between attackers and defenders at a given point in time and space.

15 MALICIOUS THREATS MODIFY THE DISTRIBUTION OF THE CONTINGENCY
- The strategic interaction determines the probability and the real occurrence of an attack in time and space.
- Nature-based threats to PS occur on a random basis (nature has no specific willingness to hurt; nature is a "random" player).
- A malicious threat modifies the probability distribution of the contingency: contingencies with more severe consequences and easier attack implementation are assigned extra probability of occurrence once malicious threats are considered.

16 NATURAL VS. MALICIOUS THREATS

| | Natural threat | Malicious threat |
|---|---|---|
| Motivation | accidental | rational, deliberate |
| Distribution on the system | random | critical component preferred |
| Risk assessment | probabilistic approaches | rational interaction models |
| Counteractions | reinforce the system | 1. reinforce the system 2. preemptive measures against terrorists |
| Strategic interaction | no | yes |
| Players | system operators; sufferers | 1. system operators 2. terrorist organizations 3. government 4. sufferers |

17 FRAMEWORK FOR INFRASTRUCTURE SECURITY

18 PLAYERS AND PAYOFFS IN THE MALICIOUS THREATS ANALYSIS
- Utility: represents the motivations, the benefit and/or the consequence for each player involved in the malicious threat.
- Defender: the government, TSO, GenCos, TranCo and the entities whose long-term aim is to maximize system security.
- Attacker: the collective of all the terrorists that want to attack some specific targets; they are intelligent and know how PS works.
- Sufferer: the stakeholders that are directly hurt by the attacks of the terrorists and can exert pressure on the defender.

19 INTERACTION AMONG THE ROLES IN MALICIOUS THREATS
[Diagram: TERRORISTS (attacker), GOVERNMENT (defender), PEOPLE (sufferer), INFRASTRUCTURE (power system); arrow labels: Strengthen; Pressure or support; Attack; Attack; Amplifying hurt; Protect, Propagandize; Attack/Surrender; Concede/Fight]

20 OFF-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Diagram: Defender Decision Making, Attacker Decision Making, Information System, Physical System; labels: List of probable targets & budgets allocation, Attacks, Threats, Defense Actions, Strategy Interaction]

21 ON-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Diagram: SOs Decision Making, Information System, Physical System; labels: Attack Scenarios (from off-line security analysis), Assessment of the system performance, Attacks, Information, Remedial Actions, (Estimation of status & performance), System performance, Information distance, Equilibrium from decision making]

22 EQUILIBRIUM ANALYSIS
- The interactions of the various entities in the analysis are studied under the hypothesis of rational players.
- The rational-player hypothesis implies that each entity or player will act to maximize his/her own utility.
- An equilibrium is a situation in which no player has an interest in changing its decision if the other players don't change theirs.
- Equilibrium is the outcome sought in the modeling process; it allows for the evaluation of the possible actions and the related probabilities.

23 METHODS AND APPROACHES FOR VULNERABILITY & SECURITY MODELING

24 GAME THEORY (GT) APPLICATIONS
- Game theory is concerned with the actions of decision makers who are conscious that the actions of the other game participants affect their utility.
- Game theory is suitable for modeling the interaction between attackers and defenders, which takes place in a context where each player's behavior impacts the achievement of the goals of all other players in the game.
- Game theory in PS can address the issue of pointing out which point and/or component has a higher probability of being attacked.

25 MIXED STRATEGY GAME FOR RANKING POWER SYSTEM COMPONENTS
- A mixed strategy of a player in a game is a probability distribution over the player's actions.
- Define the system components (line/substation) that form the meaningful 'failure set' or 'attacking action set'.
- For each attack, the system is analyzed in the new status and the consequences are evaluated in terms of payoffs of the defender and attacker to form a payoff matrix.
- The mixed strategy equilibrium provides the probability of each component being attacked and consequently the related risk.

26 MULTI-AGENT SYSTEMS (MAS)
- An agent is an abstract or physical autonomous entity which performs a given task using information gleaned from its environment to act in a suitable manner so as to maximize a given measure of its utility.
- The agent should be able to adapt itself based on changes occurring in its environment, so that a change in circumstances will still yield the intended result.

27 INTERACTION BETWEEN AGENT AND ENVIRONMENT
[Diagram: AGENT and ENVIRONMENT loop; labels: State $s_t$, Reward $r_t$, Action $a_t$, $r_{t+1}$, $s_{t+1}$]
At each time step $t$, the agent senses the current state $s_t = s \in S$ of its environment and on that basis selects an action $a_t = a \in A$. As a result of its action, the agent receives an immediate reward $r_{t+1}$, and the environment's state changes to the new state $s_{t+1} = s' \in S$.

28 SOCIALLY RATIONAL AGENTS
- Socially rational agents not only focus on their own (individual) utilities but also consider the utilities of other agents when deciding which action to perform.
- Information sensitivity reflects the robustness of a system w.r.t. the availability of information.
- Information distance is a measure of how the system is impacted by unavailability of information. It gives insight into how aware the operators are of the effectiveness of their possible actions with partial information.

29 FICTITIOUS PLAY
- Fictitious play is a process in which each player believes that each opponent is using a stationary mixed strategy based on the empirical distribution of their past actions, until the strategies come to equilibrium.
- It is appropriate for problems without full information, in which players can only make decisions according to their experience.
- It can model human decision making by multiple operators defending the system without full information. The assessment of the information impact can be derived w.r.t. the resulting equilibrium.
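The component ranking from the mixed-strategy slide, computed with the fictitious-play process described above, as an added example that is not part of the original presentation. It assumes a zero-sum game in which one attacker targets one bus and one defender protects one bus, reads Beta as the probability that a protected bus is still destroyed, and defines risk as attack probability times expected damage; the bus names and damage figures are constructed.

```python
# Added example: constructed data, zero-sum payoffs assumed (not from the slides).

def payoff_matrix(damage, beta):
    """Expected damage A[i][j] when bus i is attacked and bus j is protected.

    beta: probability that a protected bus is still destroyed when attacked.
    """
    n = len(damage)
    return [[damage[i] * (beta if i == j else 1.0) for j in range(n)]
            for i in range(n)]


def fictitious_play(A, rounds):
    """Both players best-respond to the opponent's empirical action frequencies."""
    n = len(A)
    att_count, def_count = [0] * n, [0] * n
    att_gain = [0.0] * n   # cumulative damage of each attack vs. past protections
    def_loss = [0.0] * n   # cumulative damage under each protection vs. past attacks
    a = d = 0              # arbitrary opening moves
    for _ in range(rounds):
        att_count[a] += 1
        def_count[d] += 1
        for k in range(n):
            att_gain[k] += A[k][d]
            def_loss[k] += A[a][k]
        a = max(range(n), key=att_gain.__getitem__)   # attacker maximises damage
        d = min(range(n), key=def_loss.__getitem__)   # defender minimises damage
    return ([c / rounds for c in att_count], [c / rounds for c in def_count])


def rank_components(names, damage, beta, rounds=50000):
    """Return (name, attack probability, risk) sorted by decreasing risk."""
    A = payoff_matrix(damage, beta)
    p, q = fictitious_play(A, rounds)
    rows = []
    for i, name in enumerate(names):
        expected_damage = sum(A[i][j] * q[j] for j in range(len(q)))
        rows.append((name, p[i], p[i] * expected_damage))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample: damage in M EUR if the bus is lost, beta = 0.2.
NAMES = ["bus_A", "bus_B", "bus_C"]
DAMAGE = [100.0, 60.0, 30.0]
BETA = 0.2

if __name__ == "__main__":
    for name, prob, risk in rank_components(NAMES, DAMAGE, BETA):
        print(f"{name}: attack probability {prob:.3f}, risk {risk:.1f} M EUR")
```

For this sample the exact equilibrium is an attack probability of 0.375 for bus_A, 0.625 for bus_B and 0 for bus_C, with a game value of 45 M EUR. The highest-damage bus is not the most likely target because the defender protects it most often, which is the protection effect stated on the slide about the nature of malicious threats.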

30 TOPICS AND ISSUES OF THE STUDY

31 SOME TOPICS TO BE ADDRESSED
- Provide an assessment of the probability of attacks on physical, ecological and cyber targets in PS.
- Point out the most critical components.
- Provide proper risk management tools that can account for malicious attacks.
- Design preventive protection strategies against malicious attacks.
- Allocate budget for protection against malicious attacks.
- Define coordination strategies for handling malicious attacks in the EU/UCTE framework.

32 SOME POSSIBLE ANSWERS FROM GT & MAS MODELS
- Power system component ranking with reference to the possibility of being attacked (physical objectives) and analysis of the damages.
- The impact of the failure of the communication between two entities/sub-systems (cyber objectives) and analysis of the consequences.
- Comparative analysis of different coordination schemes under the attacking scenario.
- Information impacts on the realization of an attack and its consequences.

33 CONCEPTUAL EXAMPLES

34 SYSTEM COMPONENTS RANKING W.R.T. THE RISK/PROBABILITY TO BE ATTACKED
- Objective: attribute to each system component a probability of attack and provide a ranking of the components according to the probability/risk of an attack.
- Theory: game theory application.
- Framework: a PS is considered in which one attacker (terrorist organization) may be willing to attack the bus substation (cut off all connected lines) and only one organization is in charge of defending it (TSO).
- Model features: GT model based on a mixed strategies game whose equilibrium (MSE) provides the set of attack probabilities for each bus.

35 MIXED STRATEGY EQUILIBRIA INPUT
- Line information (columns): Line No., From Bus, To Bus, X.V., Flow Limit (MW), Att. Cand., Attack cost (k€), Protect Cost (k€)
- Node information (columns): Node Name, Power (MW), Power Min (MW), Power Max (MW), Node Sta, Att. Candi., Attack Cost (k€), Protect Cost (k€)
- Parameters: MultiAttack, Power Alloc. Type, Beta
  - Beta: the completely destroyed probability of the attacked component, once it is protected.
  - Power Alloc. Type: 1. Minimize the line flow variation 2. Minimize the node power variation

36 MIXED STRATEGIES EQUILIBRIA IEEE 30-BUS TEST SYSTEM
[Figure: IEEE 30-bus test system diagram with attack probabilities marked on buses (legible values: 25.61%, 28.92%, 29.65%). Table columns: Attacks, Bus, Probability, Risk (M€); only the value 66.15 is legible.]

37 IMPACTS EVALUATION OF THE COORDINATION AND COMMUNICATION
- Objective: assess the impact of coordination and communication in power systems.
- Theory: multi-agent system with a Q-learning approach for the agents.
- Framework: the network is operated by three TSOs; they may be coordinated/independent, communicating/non-communicating.
- Model features: MAS to simulate the real system operation through agent learning and find the exact outcome of different operation scenarios.

38 INDIVIDUAL & SOCIAL RATIONALITY
- Individually rational agent: focuses only on its own (individual) utility when deciding which action to perform.
- Socially rational agent: in deciding which action to perform it also considers the utility of other agents.
- Expected utility of the agent (EU): generally composed of two terms: IU: individual utility, SU: social utility,    action
- Utility in this context means the evaluation of the action implemented by the agent.
- Action set: each agent can shed the loads of some buses in its local subsystem.

39 CALCULATION OF UTILITY
- For actions that cannot remove congestion completely, the action causing a lower overloaded rate should have higher utility.
  Utility = Total Overloaded Rate (negative)
- For actions that can remove congestion completely, the action shedding less load should have higher utility.
  Utility = M – Quantity of total shed loads (positive)
  (M is a constant which must be bigger than the maximum possible quantity of total shed loads in one action.)
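The agent-environment loop and the utility rule above, as an added example that is not part of the original presentation: one TSO agent learns which buses to shed in two system states, one where local shedding clears the congestion and one where it cannot. The bus loads, line limits, relief factors, the definition of the total overloaded rate, and the simplified one-step Q-value update (discount 0, greedy choice over optimistic initial values) are all assumptions made for the illustration.

```python
from itertools import combinations

# Constructed toy subsystem (assumption, not data from the slides).
M = 10.0  # constant above the largest total load one action can shed (3.5 pu)
LOADS = {"bus1": 1.0, "bus2": 2.0, "bus3": 0.5}             # sheddable load, pu
LIMITS = {"L1": 1.0, "L2": 0.8}                              # line limits, pu
RELIEF = {"L1": {"bus1": 0.10, "bus2": 0.15, "bus3": 0.00},  # flow drop per pu shed
          "L2": {"bus1": 0.00, "bus2": 0.02, "bus3": 0.30}}
BASE_FLOW = {"state1": {"L1": 1.2, "L2": 0.9},   # congestion the agent can clear
             "state2": {"L1": 1.6, "L2": 0.9}}   # congestion it cannot clear alone
# Action set: every subset of local buses whose load is shed completely.
ACTIONS = [c for r in range(len(LOADS) + 1) for c in combinations(LOADS, r)]


def overloaded_rate(state, action):
    """Sum over lines of the relative overload left after shedding (assumed form)."""
    total = 0.0
    for line, limit in LIMITS.items():
        relief = sum(RELIEF[line][bus] * LOADS[bus] for bus in action)
        flow = BASE_FLOW[state][line] - relief
        total += max(0.0, flow - limit) / limit
    return total


def utility(state, action):
    """Negative overloaded rate if congestion remains, else M minus shed load."""
    over = overloaded_rate(state, action)
    if over > 1e-9:
        return -over
    return M - sum(LOADS[bus] for bus in action)


def learn(steps=1000, alpha=0.5):
    """Sense state, act greedily, receive utility as reward, update Q[state][action]."""
    q = {s: {a: M for a in ACTIONS} for s in BASE_FLOW}  # optimistic start
    states = list(BASE_FLOW)
    for t in range(steps):
        s = states[t % len(states)]                # environment alternates states
        a = max(ACTIONS, key=q[s].__getitem__)     # greedy; optimism forces trials
        r = utility(s, a)                          # immediate reward
        q[s][a] += alpha * (r - q[s][a])           # one-step update, discount 0
    return {s: max(ACTIONS, key=q[s].__getitem__) for s in states}


if __name__ == "__main__":
    for state, action in learn().items():
        print(state, action, round(utility(state, action), 3))
```

In the second state the learned action sheds every local bus and the utility is still negative, which is the signal that the agent cannot remove the congestion with its own resources.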

40 TSOs EXAMPLE

41 SYSTEM STATES CONSIDERED
[Figure: three-part system (Part1, Part2, Part3) shown in State 1 and State 2; flow labels Flow 12, Flow 13, Flow 32 and Flow 12, Flow 13, Flow 23, values missing]

42 COMMUNICATIONS IMPACTS FOR INTERCONNECTED SYSTEMS (STATE 1)
[Table: Bus of shed loads and Utility for TSO 1, TSO 2, TSO 3 under NO COMMUNICATIONS (individually rational agents) and COMMUNICATION (socially rational agents); legible entries: Bus of shed loads = None, None, None]
- For state 1, both locally rational agents and socially rational agents can find the same actions to remove all security congestions.
- Individually rational agents converge in 435,856 iterations and socially rational agents converge in 423,393 iterations.

43 COMMUNICATIONS IMPACTS FOR INTERCONNECTED SYSTEMS (STATE 2)
[Table: Bus of shed loads and Utility for TSO 1, TSO 2, TSO 3 under NO COMMUNICATIONS (individually rational agents) and COMMUNICATION (socially rational agents); values missing]
- At state 2, agent 2 may not have enough resources to remove the security congestions in its local system by itself. When communication is not available, agent 1 and agent 3 cannot get the information about the security situation of agent 2 and help it to remove its security congestion.
- Individually rational agents converge in 435,856 iterations and socially rational agents converge in 423,393 iterations.

44 COORDINATION IMPACTS
- From the overall perspective, coordination should be better than independence.
- Agent 2 and agent 3 would like to choose coordination because more loads in their subsystems will be supplied, but agent 1 would not. To persuade agent 1 to coordinate, agent 2 and agent 3 may wish to pay some compensation.
[Table: Power Generated [pu] and Loads Supplied [pu] per TSO and in total, under Coordination and Independence; values missing]

45 CONCLUSIONS
- Various dimensions need to be accounted for in the analysis of power system security & vulnerability.
- Those dimensions interact among themselves in producing the system performance and need proper tools able to capture that interaction at various levels.
- Game theory provides a sound framework for threat analysis on an off-line basis.
- MAS and fictitious play can be applied to on-line attack analysis with consideration of coordinating activities and rules.

46 ACKNOWLEDGMENT
- JOINT RESEARCH CENTER, Institute for the Protection and the Security of the Citizen
- Istituto Superiore sui Sistemi Territoriali per l'innovazione

