S. Bologna, C. Balducelli, A. Di Pietro, L. Lavalle, G. Vicoli
http://www.progettoreti.enea.it/
ENERSIS 2008, Milano, 17 June 2008
A strategy for mitigating the effect of interdependencies between critical infrastructures
ENTE PER LE NUOVE TECNOLOGIE L'ENERGIA E L'AMBIENTE (ENEA)
ITALY BLACK-OUT September 2003 (event tree from the UCTE report)
Figure: event tree, recovered as the sequence of network states and the events (AND gates) that lead from one state to the next:
• Pre-incident network in n-1 secure state (safe network state)
• 1st tree flashover, line tripping → network in (n-1) state with short-term 15' allowable overload (endangered network state)
• 2nd tree flashover, line tripping (24 min. later) → network in (n-2) state with excessive overload of remaining lines (disturbed network state)
• Italy disconnected: separation of Italy from the UCTE main grid; tripping of many power units → island operation fails due to unit tripping (collapsed network, within 1-2 min.)
Root causes: 1) unsuccessful re-closing of the Lukmanier line because of a too high phase angle difference; 2) lacking a sense of urgency regarding the San Bernardino line overload and call for inadequate countermeasures in Italy; 3) angle instability and voltage collapse in Italy.
Legend: safe network state, endangered network state, disturbed network state, collapsed network; event; root cause.
Roma Mini TELCO Black-out January 2004 (event tree)
Figure: event tree, recovered as the sequence of network states and the events (AND gates) that lead from one state to the next:
• Pre-incident TELCO network in secure state (safe network state)
• Trip of main power supply: flood in the apparatus room of the Telco SGT station, UPS starts from batteries → station continues working with decreased battery autonomy
• Loss of power supply (after 90 min.): the battery autonomy finished, as the Fire Brigade was not able to eliminate the water in time → many external Telco services go down, such as the ACEA data links between control centers
• Normal power supply from ACEA restarted, damaged equipment replaced, Telco services restart → return to normal state: the full functionality of the SGT station is restored (after 4 hours)
Legend: safe network state, endangered network state, disturbed network state, collapsed network; event; root cause.
MIT Introduction
• MIT is a software system to enhance the availability and survivability of LCCIs by mitigating (inter)dependency effects. It is composed of:
– communication components
– add-on components
– other software resources (databases, GUI, configuration files, run-time environment, etc.)
MIT integration with existing SCADA systems
Figure: control rooms of LCCI 1 and LCCI 2, each with its own MIT WorkStation.
Middleware Improved Technology System: component oriented architecture
Figure: LCCIs (critical infrastructures) 1 to 6, each with its own MIT instance (MIT 1 to MIT 6), connected through the Inter-LCCI Communication Highway using client-server and peer-to-peer communication; each MIT is made of MIT Communication Components and MIT Add-On Components.
Middleware Improved Technology System: component oriented architecture
COMMUNICATION COMPONENTS
Communication components are responsible for how information is sent to and received from neighbouring LCCIs, using the appropriate time constraints and security levels.
ADD-ON COMPONENTS
Add-on components are responsible for what internal information has to be sent to neighbouring LCCIs, and for what information received from neighbouring LCCIs may influence the internal LCCI state.
MIT Add-On Components
• Internal Assessment
– Tool to extract LCCI functional status
• Risk Assessment
– Risk Estimator
– Incident Knowledge Analyser
• Emergency Management
– Assessment of cascading/escalating effects
– Display of Emergency Management Procedures
– Negotiator
Risk Estimator functions
• Reasoning about the states of processes and services, focusing mainly on the services to be exchanged with other LCCIs.
• Estimating the levels of risk associated with service exchanges with other LCCIs.
• Working on a service-process model of the LCCIs by means of a fuzzy rule-based mechanism.
Figure: visualisation of the levels of risk associated with the services, before (LCCI internal state estimation) and after the correlation of external and internal states.
Risk estimator benefits
• Make operators more aware of the global state of the LCCIs by correlating the local LCCI state with the states of external LCCIs.
• Give LCCI operators schematic pictures highlighting the potential risks of losing internal and external services.
• Improve coordination between the LCCI operator and the neighbouring LCCIs.
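The following is an added example, not code from the IRRIIS project or the MIT add-ons, of the kind of fuzzy rule-based risk estimation over a service-process model that the Risk Estimator functions and benefits above describe: a local Telco LCCI state (remaining battery autonomy) is correlated with a state reported by the neighbouring Power LCCI (estimated time to restore supply), and the resulting risk is propagated to the services exchanged between them. The membership break-points, the rule set, the node names and the Rome 2004 snapshots are all assumptions made for the example.

```python
INF = float("inf")

def trap(x, a, b, c, d):
    """Trapezoidal membership on [a, d] with plateau [b, c]; b == c gives a triangle, a == b or c == d a shoulder."""
    if b <= x <= c:
        return 1.0
    if a < x < b:
        return (x - a) / (b - a)
    if c < x < d:
        return (d - x) / (d - c)
    return 0.0

# Fuzzy sets over the two inputs, in minutes (break-points are assumed, not taken from the slides)
AUTONOMY = {"low": (0, 0, 20, 40), "medium": (25, 50, 50, 75), "high": (50, 80, INF, INF)}
ETA = {"soon": (0, 0, 20, 45), "late": (20, 45, INF, INF)}
RISK = {"low": 0.1, "medium": 0.5, "high": 0.9}   # Sugeno-style output singletons
# Rules: (battery autonomy set, power-restoration ETA set or None) -> risk level for the station power process
RULES = [(("low", None), "high"), (("medium", "late"), "high"), (("medium", "soon"), "medium"),
         (("high", "late"), "medium"), (("high", "soon"), "low")]

# Assumed service-process model: each node depends on the nodes listed; risk flows along the dependency
DEPENDS = {
    "telco.sgt_power": [],                      # internal process: power to the SGT apparatus room
    "telco.data_links": ["telco.sgt_power"],    # service exported to the Power LCCI (ACEA)
    "power.scada_comms": ["telco.data_links"],  # PT: the Power operator's SCADA links ride on telco
}

def process_risk(autonomy_min, restore_eta_min):
    """Fuzzy estimate in [0, 1] of losing station power: local autonomy vs. the ETA reported by the Power LCCI."""
    num = den = 0.0
    for (aut, eta), level in RULES:
        w = trap(autonomy_min, *AUTONOMY[aut])
        if eta is not None:
            w = min(w, trap(restore_eta_min, *ETA[eta]))   # fuzzy AND = min
        num += w * RISK[level]
        den += w
    return num / den if den else RISK["high"]   # no rule fires only for negative autonomy: battery exhausted

def propagate(node, base):
    """Risk of a node = max of its own estimated risk and the risk of everything it depends on."""
    return max(base.get(node, 0.0), *[propagate(d, base) for d in DEPENDS[node]], 0.0)

def label(r):
    return "low" if r < 0.3 else "medium" if r < 0.7 else "high"

def assess(autonomy_min, restore_eta_min):
    """One snapshot: risk value and label for every process/service, i.e. the operator's risk picture."""
    base = {"telco.sgt_power": process_risk(autonomy_min, restore_eta_min)}
    return {n: (round(propagate(n, base), 3), label(propagate(n, base))) for n in DEPENDS}

if __name__ == "__main__":
    # Constructed snapshots of the Rome 2004 scenario: battery running down while ACEA supply is hours away
    for autonomy, eta in [(100, 10), (60, 10), (15, 120)]:
        print(f"autonomy={autonomy} min, restore ETA={eta} min ->", assess(autonomy, eta))
```

Without the remote ETA the local estimator would report the same battery state in every snapshot; the correlation is what turns "60 minutes left" into medium or high risk for the Power operator's SCADA links.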
Incremental development & testing process of the components
Figure: developing components → integration testing & validation → laboratory experimentation → experimentation of the integrated capabilities. Laboratory experimentation uses test beds (SimCIP, CRIPS, TEFS and the MIT components) to verify the integrated capabilities.
Experimentation strategy (Step 1)
Figure: knowledge elicitation about a set of scenarios → attack/fault scenario tables → build an experimentation infrastructure (simulation environment: SimCIP normal behaviours and SimCIP attack/fault behaviours) → compare behaviours without MIT (no attacks/faults vs. attacks/faults events tree).
Experimentation strategy (Step 2)
Figure: the same chain, with MIT Communication and the add-ons #1, #2 ... #n connected to the SimCIP attack/fault behaviours → compare behaviours & effects with MIT (attacks/faults events tree).
Physical set-up of the experimentation environment
Figure: SimCIP hosts a Telecom Simulator with the LCCI Telecom Data Base and an Electricity Simulator with the LCCI Electricity Data Base; MIT communication links the Electricity MIT Add-on and the Telecom MIT Add-on. Optional external components: Electrical SCADA Emulator with Electrical Control Room, Telecom SCADA Emulator with Telecom Control Room.
LCCIs for experimentation
LCCI            Owner: Power Carrier    Owner: Telco Carrier
Primary LCCI    P                       T
Supporting CI   PT                      TP
P: Power (electrical) network
PT: Power Telecom network (SCADA systems, including the telecom network owned by the Power Network Operator)
T: Telecom network (Telecom Infrastructure)
TP: Telecom Power network (Telecom backup power systems)
LCCIs INVOLVED IN THE ROME MINI TELCO BLACK-OUT
Simulating different LCCIs components within SimCIP
Using scenario tables to define different scenario event sequences
Figure: P – Power Network Simulation; PT – Power Telecom Network Simulation (SCADA); TP – Telco Power Network Simulation; T – Telecom Network Simulation; all driven by a Scenario Table.
Scenarios execution and evaluation
Figure: Scenario Tables → Compiling → Selecting → Configure → Run. Course of a scenario: t0 = start of scenario, te = end of scenario, ti (i = 1...n) = snapshot of risky situation i; logs of the events are collected.
Experimentation of MIT integrated capabilities
Figure: MIT Communication connecting the add-on components RE, TEFS, IKA and CRIPS.
Evaluating the expected results
Figure: for each scenario table (Scenario 1: Event 1, Event 2, Event 3 ...) an expected results table (MIT Behavior 1: Detection t1, Local info t2, Remote info t3 ...) is written from the knowledge of analysts/experts; the MIT components (IKA, TEFS, CRIPS, RE) run against the simulated LCCIs (P, PT, T, TP); results are verified and the components iteratively improved.
Experimentation steps for RE
Figure: the RE Knowledge Base (general rules, specific rules, services/processes relations) is built from the knowledge of analysts/experts. First experimental step: 2 tables fail. Second experimental step: 1 table fails. Rules and services/processes relations are updated between steps. Final experimental step: all tables ok; system ready for demonstration to stakeholders.
Final considerations
• Preventing cascading effects among interdependent LCCIs is a new challenge.
• LCCI modelling capacity, also exploiting commercial simulation tools, is necessary to develop a realistic testing environment.
• Strategies/guidelines to implement exhaustive experimentation sessions must be developed.
• Producing and evaluating experiments with and without the MIT solutions may help to obtain an assessment of the MIT benefits.
http://www.irriis.org/