Title: DEFINITION OF LOAD
1. iNRiM Istituto Nazionale di Ricerca Metrologica, Incontri del Giovedì (Thursday Meetings)
RISK ASSESSMENT OF TERRORIST ATTACKS ON ELECTRIC POWER SYSTEMS: THE NATURE OF THE PROBLEM AND THE ANALYSIS TECHNIQUES
Ettore Bompard, Politecnico di Torino - Dipartimento di Ingegneria Elettrica, ettore.bompard_at_polito.it
2. OUTLINE
- Why, what to attack and which are the effects.
- Nature of the malicious threats.
- Power systems operation and management.
- Framework for the analysis of infrastructure security.
- Methods and approaches for vulnerability security modeling.
- Topics and issues in the analysis.
- Conceptual examples.
  - Component ranking with respect to the malicious threats.
  - Impact of coordination and communication.
3. WHY, WHAT TO ATTACK AND WHICH ARE THE EFFECTS
4. WHY TO ATTACK POWER SYSTEMS (PS)?
- Large visibility provided by successful attacks (region/nation-wide effects).
- Possibility to affect individuals, organizations and businesses in their activities and interests.
- Huge economic impacts.
- Possible domino effects due to the physical properties and structure of PS, which may amplify a properly chosen action into large-scale impacts.
- Difficulty of protecting PS due to their large extension and territorial dispersion.
5. WHAT CAN BE ATTACKED?
- Physical targets → power outage (blackout)
  - Power lines (destroying towers).
  - Substations (buses/transformers).
  - Power plants (generators or control systems).
- Ecological targets → environmental disaster
  - Nuclear power plants.
  - Reservoir hydro power plants.
- Cyber targets → malfunctioning of the information/operation systems
  - Communication networks (internet, telephone) for cutting off remote communication among interacting systems.
  - Dedicated lines for the remote control of power plants.
6. WHICH CAN BE THE EFFECTS?
- Blackouts (as a direct consequence).
- Social disorder and panic; increase in failures and criminal actions for machines and apparatus.
- Transportation system stuck (subways, trains and flights cancelled or affected, traffic lights out).
- Water supply interruption.
- Critical state for information and communication systems; possible shutdown of internet services.
- Environmental disaster (especially in case of failure of a nuclear power station or big reservoirs).
- Paralysis of industry and finance with huge economic impacts.
7. POWER SYSTEMS OPERATION AND MANAGEMENT
8. DIMENSIONS OF POWER SYSTEM OPERATION AND MANAGEMENT
- Power system structure and operative condition (physical)
- Information exchange (cyber)
- Decision making (human and regulatory)
9. ON-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Diagram: Physical System, Information System and SOs Decision Making (estimation of status performance), connected by flows labelled System performance, Information and Control Actions.]
10. POWER SYSTEM STRUCTURE AND OPERATIVE CONDITION (PHYSICAL)
- The parameters of the network, such as buses, lines, reserve margin and availability of ancillary services for security management.
- The operational condition of the system, such as the availability of components, the level of load and its location.
11. INFORMATION EXCHANGE (CYBER)
- Information is a key concern both for assessing the present status of the system and for assessing the performance of the control actions on the system.
- When critical information is lacking, the control actions can be inappropriate and lead to catastrophic performance.
- Information availability is a key regulatory issue in interconnected power systems.
12. DECISION MAKING: INDIVIDUAL AND REGULATORY (HUMAN)
- The performance of the whole power system depends on the control-action decisions of the different related SOs.
- The decision making of each SO aims to maximize the performance of its sub-system.
- The decision making should comply with a set of rules issued by the entity in charge of coordinating the whole system.
13. NATURE OF THE MALICIOUS THREATS
14. NATURE OF MALICIOUS THREATS
- The threat is potential: it corresponds to the possibility of an attack being performed, but by itself does not cause damage.
- The attack is the actual implementation of the threat and is what causes damage.
- The more disruptive the effects a target can produce, the more likely it is to be attacked.
- The more a target is protected, the less likely it is to be attacked.
- The level of threat, for a given component, depends on the attitudes, decisions and interaction between attackers and defenders at a given point in time and space.
15. MALICIOUS THREATS MODIFY THE DISTRIBUTION OF THE CONTINGENCY
- The strategic interaction determines the probability and the real occurrence of an attack in time and space.
- Natural threats to PS occur on a random basis (nature has no specific willingness to hurt; nature is a random player).
- A malicious threat modifies the probability distribution of the contingencies: contingencies with more severe consequences and easier attack implementation are assigned extra probability of occurrence once malicious threats are considered.
16. NATURAL VS. MALICIOUS THREATS
17. FRAMEWORK FOR INFRASTRUCTURE SECURITY
18. PLAYERS AND PAYOFFS IN THE MALICIOUS THREATS ANALYSIS
- Utility: represents the motivations, the benefit and/or the consequence of each player involved in the malicious threat.
- Defender: the government, TSO, GenCos, TranCo and the entities that have, in the long term, the aim of maximizing system security.
- Attacker: the collective of all the terrorists that want to attack some specific targets; they are intelligent and know how PS work.
- Sufferer: the stakeholders that are directly hurt by the attacks of the terrorists and can exert pressure on the defender.
19. INTERACTION AMONG THE ROLES IN MALICIOUS THREATS
[Diagram: TERRORISTS (attacker), INFRASTRUCTURE (power system), PEOPLE (sufferer) and GOVERNMENT (defender), connected by arrows labelled Attack, Amplifying hurt, Concede/Fight, Attack/Surrender, Strengthen, Pressure or support, and Protect, Propagandize.]
20. OFF-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Diagram: Attacker Decision Making and Defender Decision Making linked through Strategy Interaction; Threats, Attacks and Defense Actions act on the Information System and the Physical System; output: list of probable targets, budget allocation.]
21. ON-LINE SECURITY ANALYSIS IN THE FRAMEWORK OF THREE DIMENSIONS
[Diagram: Attack Scenarios (from off-line security analysis) produce Attacks on the Physical System and the Information System; System performance and Information feed SOs Decision Making (estimation of status performance), which issues Remedial Actions; further labels: Information distance, Equilibrium from decision making, Assessment of the system performance.]
22. EQUILIBRIUM ANALYSIS
- The interactions of the various entities in the analysis are studied under the hypothesis of rational players.
- The rational-player hypothesis implies that each entity or player will act to maximize his/her own utility.
- An equilibrium is a situation in which no player has an interest in changing its decision if the other players don't change their decisions.
- Equilibrium is the outcome sought in the modeling process; it allows for the evaluation of the possible actions and the related probabilities.
23. METHODS AND APPROACHES FOR VULNERABILITY SECURITY MODELING
24. GAME THEORY (GT) APPLICATIONS
- Game theory is concerned with the actions of decision makers who are conscious that the actions of the other game participants affect their utility.
- Game theory is suitable for modeling the interaction between attackers and defenders, which takes place in a context where each player's behavior impacts the achievement of the goals of all other players in the game.
- Game theory in PS can address the issue of pointing out which point and/or component has a higher probability of being attacked.
25. MIXED STRATEGY GAME FOR RANKING POWER SYSTEM COMPONENTS
- A mixed strategy of a player in a game is a probability distribution over the player's actions.
- Define the system components (line/substation) that form the meaningful failure set or attacking action set.
- For each attack, the system is analyzed in the new status and the consequences are evaluated in terms of payoffs of the defender and attacker to form a payoff matrix.
- The mixed strategy equilibrium provides the probability of each component being attacked and consequently the related risk.
26. MULTI-AGENT SYSTEMS (MAS)
- An agent is an abstract or physical autonomous entity which performs a given task using information gleaned from its environment to act in a suitable manner so as to maximize a given measure of its utility.
- The agent should be able to adapt itself based on changes occurring in its environment, so that a change in circumstances will still yield the intended result.
27. INTERACTION BETWEEN AGENT AND ENVIRONMENT
[Diagram: AGENT and ENVIRONMENT loop with labels State s_t, Action a_t, Reward r_t, r_{t+1}, s_{t+1}.]
At each time step t, the agent senses the current state s_t ∈ S of its environment and on that basis selects an action a_t ∈ A. As a result of its action, the agent receives an immediate reward r_{t+1}, and the environment's state changes to the new state s_{t+1} ∈ S.
28. SOCIALLY RATIONAL AGENTS
- Socially rational agents not only focus on their own (individual) utilities but also consider the utilities of other agents when deciding which action to perform.
- Information sensitivity reflects the robustness of a system w.r.t. the availability of information.
- Information distance is a measure of how the system is impacted by unavailability of information. It gives insights on how the operators are aware of the effectiveness of their possible actions with partial information.
29. FICTITIOUS PLAY
- Fictitious play is a process where each player believes that each opponent is using a stationary mixed strategy based on the empirical distribution of their past actions, until the strategies come to equilibrium.
- It is appropriate for problems without full information, in which players can only make decisions according to their experience.
- It can model human decision making by multiple operators defending the system without full information. The assessment of the information impact can be derived w.r.t. the resulting equilibrium.
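The component ranking of slide 25, solved with the fictitious play process of slide 29, as an added example that is not part of the original slides. It assumes a zero-sum game, three hypothetical buses with constructed damage values, and a constructed probability of 0.2 that a protected bus is still completely destroyed.

```python
# Added example: all names and numbers below are constructed for illustration.
BUSES = ["bus A", "bus B", "bus C"]   # hypothetical component names
DAMAGE = [10.0, 6.0, 3.0]             # constructed impact if the bus is destroyed
Q_PROTECTED = 0.2                     # P(completely destroyed | attacked while protected)


def payoff_matrix(damage, q_protected):
    """A[i][j] = expected damage when bus i is attacked and bus j is protected."""
    n = len(damage)
    return [[damage[i] * (q_protected if i == j else 1.0) for j in range(n)]
            for i in range(n)]


def fictitious_play(A, rounds=20000):
    """Each side best-responds to the empirical mix of the other's past moves."""
    n = len(A)
    att_counts, def_counts = [0] * n, [0] * n
    a = d = 0                                    # arbitrary first moves
    for _ in range(rounds):
        att_counts[a] += 1
        def_counts[d] += 1
        # Attacker maximises expected damage against the defender's history.
        gain = [sum(A[i][j] * def_counts[j] for j in range(n)) for i in range(n)]
        # Defender minimises expected damage against the attacker's history
        # (zero-sum assumption: defender payoff = -attacker payoff).
        loss = [sum(A[i][j] * att_counts[i] for i in range(n)) for j in range(n)]
        a = max(range(n), key=gain.__getitem__)
        d = min(range(n), key=loss.__getitem__)
    return [c / rounds for c in att_counts], [c / rounds for c in def_counts]


def rank_components(names, damage, q_protected, rounds=20000):
    """Return (name, P(attack), P(protect)) sorted by attack probability, and game value."""
    A = payoff_matrix(damage, q_protected)
    p_attack, p_defend = fictitious_play(A, rounds)
    n = len(A)
    value = sum(p_attack[i] * A[i][j] * p_defend[j]
                for i in range(n) for j in range(n))
    ranking = sorted(zip(names, p_attack, p_defend), key=lambda r: -r[1])
    return ranking, value


if __name__ == "__main__":
    ranking, value = rank_components(BUSES, DAMAGE, Q_PROTECTED)
    for name, pa, pd in ranking:
        print(f"{name}: P(attack)={pa:.3f}  P(protect)={pd:.3f}")
    print(f"expected damage at equilibrium: {value:.2f}")
```

With these constructed inputs the bus with the largest damage is not the most probable target, because the defender protects it most often.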
30. TOPICS AND ISSUES OF THE STUDY
31. SOME TOPICS TO BE ADDRESSED
- Provide an assessment of the probability of attacks on physical, ecological and cyber targets in PS.
- Point out the most critical components.
- Provide proper risk management tools that can account for malicious attacks.
- Design preventive protection strategies against malicious attacks.
- Allocate budget for protection against malicious attacks.
- Define coordination strategies for handling malicious attacks in the EU/UCTE framework.
32. SOME POSSIBLE ANSWERS FROM GT AND MAS MODELS
- Power system component ranking with reference to the possibility of being attacked (physical objectives) and analysis of the damages.
- The impact of the failure of the communication between two entities/sub-systems (cyber objectives) and analysis of the consequences.
- Comparative analysis of different coordination schemes under the attacking scenario.
- Information impacts on the realization of an attack and its consequences.
33. CONCEPTUAL EXAMPLES
34. SYSTEM COMPONENTS RANKING W.R.T. THE RISK/PROBABILITY OF BEING ATTACKED
- Objective → attribute to each system component a probability of attack and provide a ranking of the components according to the probability/risk of an attack.
- Theory → game theory application.
- Framework → a PS is considered in which one attacker (terrorist organization) may be willing to attack the bus substation (cut off all connected lines) and only one organization is in charge of defending it (TSO).
- Model features → GT model based on a mixed strategies game whose equilibrium (MSE) provides the set of probabilities of an attack for each bus.
35. MIXED STRATEGY EQUILIBRIA INPUT
The probability that the attacked component is completely destroyed, given that it is protected
- Minimize the line flow variation
- Minimize the node power variation
36. MIXED STRATEGIES EQUILIBRIA: IEEE 30-BUS TEST SYSTEM
[Figure: one-line diagram of the IEEE 30-bus test system (buses 1 to 30, generators G1, G2, G13, G22, G23, G27); the values annotated on the diagram survive only as truncated labels: 15.82/, 28.92/, 25.61/, 29.65/.]
37. IMPACTS EVALUATION OF THE COORDINATION AND COMMUNICATION
- Objective → assess the impact of coordination and communication in the power system.
- Theory → multi-agent system with Q-learning approach for the agents.
- Framework → the network is operated by three TSOs; they may be coordinated/independent, communicating/non-communicating.
- Model features → MAS to simulate the real system operation through agent learning and find the exact outcome of different operation scenarios.
38. INDIVIDUAL AND SOCIAL RATIONALITY
- Individually rational agent: focuses only on its own (individual) utility when deciding which action to perform.
- Socially rational agent: in deciding which action to perform, it also considers the utility of other agents.
- Expected utility of the agent (EU) generally is composed of two terms
- IU → individual utility, SU → social utility, a → action
- Utility in this context means the evaluation of the action implemented by the agent.
- Action set: each agent can shed the loads of some buses in its local subsystem.
39. CALCULATION OF UTILITY
- For actions that cannot remove congestions completely, the action causing a lower overloaded rate should have higher utility.
- Utility = - Total Overloaded Rate (negative)
- For actions that can remove congestions completely, the action shedding less load should have higher utility.
- Utility = M - Quantity of total shed loads (positive)
- (M is a constant which must be bigger than the maximum possible quantity of total shed loads in one action.)
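The utility rule of slide 39 used as the reward of a single learning agent, as an added example that is not part of the original slides. It assumes utility = -(total overloaded rate) when congestion remains and M - (total shed load) when it is removed; the line ratings, flows, sensitivities and action list are constructed, and the update is Q-learning reduced to one decision state (discount 0) with optimistic initial values instead of random exploration.

```python
# Added example: all network data below is constructed for illustration.
M = 100.0                    # must exceed the largest possible total shed (70 here)
LIMITS = [100.0, 80.0]       # line ratings, MW
BASE_FLOWS = [120.0, 90.0]   # pre-action flows: both lines are overloaded
# MW of flow relief on each line per MW shed at each of the agent's three buses.
SENS = [[0.5, 0.2, 0.1],
        [0.1, 0.4, 0.3]]
# Candidate actions: MW shed at each bus of the agent's local subsystem.
ACTIONS = [(0, 0, 0), (20, 0, 0), (0, 20, 0), (40, 20, 0), (40, 20, 10)]


def flows_after(shed):
    """Line flows after shedding, using the linear sensitivity model above."""
    return [base - sum(s * x for s, x in zip(row, shed))
            for base, row in zip(BASE_FLOWS, SENS)]


def total_overload_rate(flows):
    """Sum over lines of the fraction by which the flow exceeds the rating."""
    return sum(max(0.0, abs(f) / lim - 1.0) for f, lim in zip(flows, LIMITS))


def utility(shed):
    over = total_overload_rate(flows_after(shed))
    if over > 0.0:
        return -over          # congestion remains: less overload is better
    return M - sum(shed)      # congestion removed: less shedding is better


def learn_best_action(steps=200, alpha=0.5):
    """Greedy single-state Q-learning; Q starts at M so every action is tried."""
    q = [M] * len(ACTIONS)
    for _ in range(steps):
        a = max(range(len(ACTIONS)), key=q.__getitem__)
        q[a] += alpha * (utility(ACTIONS[a]) - q[a])
    best = max(range(len(ACTIONS)), key=q.__getitem__)
    return ACTIONS[best], q


if __name__ == "__main__":
    best, q = learn_best_action()
    for action, value in zip(ACTIONS, q):
        print(action, round(utility(action), 3), round(value, 3))
    print("learned action:", best)
```

Because M exceeds any possible total shed, every action that clears the congestion scores above every action that does not, which is why the agent settles on the smallest clearing shed.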
40. 3 TSOs EXAMPLE
41. SYSTEM STATES CONSIDERED
42. COMMUNICATIONS IMPACTS FOR INTERCONNECTED SYSTEMS (STATE 1)
Individually rational agents converge in 435,856 iterations and socially rational agents converge in 423,393 iterations.
For state 1, both locally rational agents and socially rational agents can find the same actions to remove all security congestions.
43. COMMUNICATIONS IMPACTS FOR INTERCONNECTED SYSTEMS (STATE 2)
Individually rational agents converge in 435,856 iterations and socially rational agents converge in 423,393 iterations.
- At state 2, agent 2 may not have enough resources to remove the security congestions in its local system by itself. When communication is not available, agent 1 and agent 3 cannot get the information about the security situation of agent 2 and help it to remove its security congestion.
44. COORDINATION IMPACTS
- From the overall perspective, coordination should be better than independence.
- Agent 2 and agent 3 would like to choose coordination because more loads in their subsystems will be supplied. But agent 1 would not. To persuade agent 1 to coordinate, agent 2 and agent 3 may wish to pay some compensation.
45. CONCLUSIONS
- Various dimensions need to be accounted for in the analysis of power system security vulnerability.
- Those dimensions interact among themselves in producing the system performance and need proper tools able to capture that interaction at various levels.
- Game theory provides a sound framework for threat analysis on an off-line basis.
- MAS and fictitious play can be applied to on-line attack analysis with consideration of coordinating activities and rules.
46. ACKNOWLEDGMENT
JOINT RESEARCH CENTER, Institute for the Protection and the Security of the Citizen