Securing Electricity Supply in the Cyber Age (eBook)

Zofia Lukszo . Geert DeconinckMargot P.C. WeijnenEditorsSecuring Electricity Supply in the Cyber AgeExploring the Risks of 3
Chapter 1 7
Introduction 7
1.1 Infrastructures Are Critical 7
1.2 Power and Telecom Are Key 8
1.3 Infrastructures Are Complex Adaptive Socio-Technical Systems 9
1.4 Emergent Behaviour 10
1.5 Minor Incidents with Major Consequences 11
1.6 The Approach of This Book 13
1.7 The Authors’ Contributions 14
References 17
Chapter 2 19
The Future of Electricity Systems: General Trends, Developments 19
2.1 Introduction 20
2.2 Assumptions and Objectives Underlying Today’s Electric Power Industry 22
2.2.1 Basic Physical Architecture of Today’s Electric Power Networks 23
2.2.2 Planning and Operating Performance Objectives of Today’s Electric Power Systems 24
2.2.3 Preventive Approach to Managing Uncertain Equipment Status in Today’s Industry 25
2.2.4 Feedback Control Functions in Today’s Industry 26
2.2.5 Hierarchical Information Structure in Today’s Industry 27
2.3 Potential for Enhanced Performance of Today’s Industry by Means of ICT 28
2.3.1 Performance Criteria for Ensuring System Viability During Normal Conditions 29
2.3.2 Performance Criteria for Ensuring Reliable Operations During Non-time critical Contingencies 30
2.3.3 Criteria for Measuring Economic Performance of the System (Efficiency, Cost, Benefit) 31
2.3.4 Environmental Performance Criteria 31
2.4 Toward Open Access Operations of Future Electric Power Systems 32
2.4.1 The Need for Novel Standards and Protocols 35
2.4.2 Related Unconventional Requirements for Monitoring and Control 35
2.4.3 Next Generation SCADA: Dynamic Monitoring and Decision Systems (DYMONDS) as a Possible Means for Coordinated Interact 36
2.5 Conclusions 37
References 38
Chapter 3 39
Dependency on Electricity and Telecommunications 39
3.1 Introduction 39
3.2 Electricity and Telecommunications: Two Indispensable Resources 41
3.3 Approach for Identifying Interdependencies Among Critical Infrastructures 42
3.4 Dependency Curves and the Flexible Cartography Approach 43
3.5 Dependency on Electricity 46
3.6 Dependency on Telecommunications 51
3.7 Application and Validation of the Methodology 55
3.8 Conclusions 56
References 57
Chapter 4 59
Critical Interrelations Between ICT and Electricity System 59
4.1 Introduction 59
4.2 ICT Systems and Blackouts 60
4.2.1 US Blackout on 14 August 2003 60
4.2.1.1 The Course of Events 61
4.2.1.2 Criticality of ICT Systems for the USA/Canada Blackout 64
4.2.2 Italian Blackout on 28 September 2003 65
4.2.2.1 The Course of Events 66
4.2.2.2 Criticality of ICT Systems for the Italian Blackout 67
4.2.3 Need for Coordination of Operation in Interconnected Power Systems 67
4.3 Preventing Blackouts: Wide Area Measurement Systems 70
4.4 Conclusions 71
4.5 Appendix 1: Maintaining Reliability of an Interconnected Power System 72
4.6 Appendix 2: Wide Area Measurement Systems 73
4.6.1 WAMS and WAMPAC Based on GPS Signal 73
4.6.2 Structures of WAMS and WAMPAC 74
References 75
Chapter 5 77
ICT and Powers Systems: An Integrated Approach 77
5.1 Introduction 77
5.2 Overview: ICT for Power Systems 79
5.2.1 Generalities: ICT 80
5.2.2 Hierarchical Structure of Power Systems and Main ICT 81
5.2.3 The Control Energy Center, EMS and BMS 82
5.2.3.1 Brief SCADA/EMS Functions Inventory 83
5.3 Power System Security Assessment with Regards to ICT Failures and Cyber Attacks 84
5.4 Modeling Interdependencies Between the ICS and Electrical Infrastructure of a Power System 88
5.4.1 State of the Art of Interdependencies Modeling 89
5.4.1.1 Modeling with Petri Nets 89
5.4.1.2 Agent Based Modeling 90
5.4.1.3 Other Modeling Approaches 93
5.4.2 Multi-infrastructure Simulator for Interdependencies Studies 94
5.4.2.1 The Electric Network/Infrastructure 95
5.4.2.2 The Telecommunication Network/Infrastructure 95
5.4.2.3 The Control Center/Information Infrastructure 95
5.4.2.4 Inter-process Communication 96
5.4.2.5 The Benchmark 96
5.4.2.6 Applications 97
5.4.2.7 Modeling Interdependencies by Complex Networks 97
5.4.3 A Comparison of the Studied Modeling Approaches 99
5.5 Security Assessment with Regards to Cyber Attacks and ICT Failures 100
5.5.1 Precedence Graphs and Modified FMECA Approach to Assess Criticality of SCADA/EMS and DMS Functions 100
5.5.1.1 FMECA 101
5.5.1.2 Precedence Graphs 102
5.5.2 Using Bayesian Networks for Security and Risk Assessment 105
5.5.2.1 Generalities: Bayesian Networks 105
5.5.2.2 The Approach 107
5.5.3 A Comparison of the Presented Security Assessment Approaches 107
5.6 Conclusions 108
5.7 Appendix 1: ICT Failures and Cyber Attacks 109
References 111
Chapter 6 116
Governance: How to Deal with ICT Security in the Power Infrastructure? 116
6.1 Introduction 116
6.2 The Electric Power Sector as an Infrastructure 117
6.3 The E + I Paradigm 119
6.4 The Governance of Infrastructures 120
6.5 ICT, Governance and the Power Infrastructure 122
6.6 Cybersecurity and the Power Infrastructure 124
6.7 Governing Cybersecurity Issues 126
6.8 Research and Policy Recommendations 129
6.8.1 Research Recommendations 129
6.8.2 Policy Recommendations 130
6.9 Conclusions 131
References 131
Chapter 7 133
Deficient ICT Controls Jeopardize Systems Supporting the Electric Grid: A Case Study 133
7.1 Introduction 133
7.1.1 Industrial Control Systems Are Used in Critical Infrastructures and the Electric Grid 134
7.1.2 Control Systems for Critical Infrastructures Face Increasing Risks 135
7.1.3 TVA Provides Power to the Southeastern United States 137
7.1.4 ICT Control Systems Are Essential to TVA’s Operation 138
7.2 Case Study: Implementation of ICT Controls for Systems and Networks Supporting TVA’s Critical Infrastructure 139
7.2.1 TVA Had Not Fully Implemented Appropriate Security Practices to Protect Its Critical Infrastructures 139
7.2.1.1 Weaknesses in TVA’s Corporate Network Controls Placed Network Devices at Risk 140
7.2.1.2 Weaknesses in TVA Control Systems Networks Jeopardized the Security of Its Control Systems 140
7.2.1.3 Physical Security Did Not Sufficiently Protect Sensitive Control Systems 141
7.2.2 Information Security Management Program Was Not Consistently Implemented Across TVA’s Critical Infrastructure 142
7.2.2.1 TVA’s Inventory of Systems Did Not Include Many Control Systems 142
7.2.2.2 TVA Had Not Assessed Risks to Its Control Systems 142
7.2.2.3 Inconsistent Application of TVA’s Policies and Procedures Contributed to Program Weaknesses 143
7.2.2.4 Patch Management Weaknesses Left TVA’s Control Systems Vulnerable 143
7.2.2.5 TVA Had Not Developed System Security and Remedial Action Plans for All Control Systems 143
7.2.3 Opportunities Exist to Improve Security of TVA’s Control Systems 144
7.3 Conclusions 145
References 145
Chapter 8 147
Metering, Intelligent Enough for Smart Grids? 147
8.1 Introduction 147
8.2 Advanced Metering: Context and Communication Requirements 148
8.2.1 From AMR to Smart Metering 148
8.2.2 Advanced Meter Communication Requirements 150
8.3 Suitable Communication Means 151
8.3.1 Power Line Carrier 151
8.3.2 Smallband Communication over Telephone Lines 152
8.3.3 Broadband Connection over Phone Line or TV Cable 152
8.3.4 Second or Third Generation Mobile Telephony and Data 153
8.3.5 Non-licensed RF 153
8.3.6 Licensed RF 153
8.4 Detailed Analysis 154
8.4.1 Cost Analysis 154
8.4.2 Dependability Analysis 155
8.5 Assessment 157
References 159
Chapter 9 162
Experience From the Financial Sector with Consumer Data and ICT Security 162
9.1 Introduction 163
9.2 Standards and Norms 163
9.2.1 Standards and Norms Payment Services 163
9.2.2 Basel II 164
9.3 Risk Models 165
9.3.1 Classification Process 165
9.3.2 Risk Analysis 166
9.4 External Fraud 167
9.4.1 Internet Direct Banking Fraud 167
9.4.2 Defensive Actions 169
9.4.2.1 Secure the Channel 169
9.4.2.2 Educate the Customer 169
9.4.2.3 Clean the Internet 170
9.4.2.4 Transaction Monitoring 170
9.5 Cooperation 170
9.6 Conclusions and Recommendations 171
9.6.1 ICT (Security) in an Electricity and Banking Environment, Some Differences 171
9.6.2 Policy Recommendations 171
9.6.3 Research Recommendations 172
References 172
Chapter 10 173
The Way Forward 173
10.1 Introduction 173
10.2 Trends 174
10.3 The Role of ICT 175
10.4 Risks 176
10.5 Who Benefits, Who Pays? 177
10.6 Where To Go? 178
10.6.1 Research, Risk Assessment and Communication 179
10.6.2 Organization and Governance 180
10.6.3 Understanding the Cost of Failures 180
10.7 Conclusions 180
References 181