Energy Syst DOI 10.1007/s12667-014-0117-5 ORIGINAL PAPER
Addressing vulnerability to cascading failure against intelligent adversaries in power networks

Sinan Tas · Vicki M. Bier
Received: 15 June 2013 / Accepted: 13 January 2014 © Springer-Verlag Berlin Heidelberg 2014
Abstract: The blackout of August 14, 2003, showed that electric power grids are vulnerable to cascading failure. Since then, numerous methods of vulnerability analysis have been developed to help the owners and operators of power networks and other infrastructure systems protect them against possible catastrophic events (including attacks by intelligent adversaries). With cascading failures, even small attacks can have a large impact. Cascading failures have historically been considered a major unsolved problem for complex networks such as electricity systems, but recent developments in probabilistic analysis of cascading failure are making it possible to take cascading failures into account in methods of vulnerability assessment. In particular, our game-theoretic model can be used to analyze how an intelligent adversary might seek to take advantage of a network's vulnerability to cascading failure. Specifically, our model provides a tool to simulate power flows within the network, and analyze how attackers can use their knowledge of cascading failure. Our model can also be used to compare the effectiveness of different types of investments to make systems more resilient, including both hardening components and also making the system less vulnerable to cascading failure (e.g., by increasing the capacities of transmission lines, or adding new lines).

Keywords: Cascading failure · Vulnerability analysis · Power grids · Greedy heuristics · Infrastructure resilience · Game theory
S. Tas (corresponding author), Department of Information Sciences and Technology, Penn State University-Berks College, Reading, PA 19610, USA. E-mail: [email protected]
V. M. Bier, Department of Industrial and Systems Engineering, University of Wisconsin-Madison, Madison, WI 53706, USA. E-mail: [email protected]
123
S. Tas, V. M. Bier
1 Introduction

September 11, 2001, was a turning point in recognizing the vulnerability of infrastructure systems to intelligent attacks such as acts of terrorism, sabotage, or war. Infrastructure systems were generally not designed to resist malicious attacks [3], and protecting extensive infrastructure networks can be extremely costly or even infeasible. Furthermore, an intelligent adversary may exploit the weaknesses of such systems (e.g., bottlenecks or capacity constraints), so that the network responds poorly to even a single attack.

The blackout of August 14, 2003, was not a terrorist attack, but its consequences were still significant. In [25], the authors note that after the 2003 blackout, much of the discussion focused on preventing such events from happening again, even though most cost-effective solutions are "unlikely to eliminate such failures." They ultimately conclude that if it is difficult to harden complex infrastructure systems even against natural or random events, it is "almost inconceivable" to harden them against deliberate attacks. Bier et al. [5] and Tas [26] similarly show that it may not be cost-effective to harden massive complex networks such as electric power grids against intelligent attacks.

Electric power networks are complex systems with large numbers of interacting components, complex responses to disturbances, and the possibility of high impact from even a small disruption [2,14]. The complexity of these systems makes it nearly impossible to model all their interactions in detail; as a result, cascading failures have proven difficult to predict. The objective of most past vulnerability-assessment methods for electric power networks has been to identify the most critical components to prioritize for protection (i.e., hardening) against intelligent adversaries. Moreover, most methods of vulnerability analysis do not take into account the possibility of cascading failure.
Therefore, we need new vulnerability-analysis methods that can study the ability of a system to respond to and withstand an attack. In this paper, we develop a game-theoretic model that simulates the load flows and cascading behavior of the system as well as an intelligent adversary, and as a result can be used to analyze the ability of the system to respond to and withstand various attack strategies. Moreover, our model is simple enough to be usable in practice, and capable of assessing the effectiveness and cost-effectiveness of possible defensive investments, not only for target hardening but also for other investments, such as increasing the capacity of the network or adding new transmission lines (to reduce the potential for cascading failure).
2 Modeling approach

In this section, we discuss the overall philosophy behind our choice of modeling assumptions. Section 2.1 discusses our choice of load-flow models to represent power networks. Section 2.2 highlights the importance of a game-theoretic approach in addressing intelligent adversaries. Finally, Sect. 2.3 discusses probabilistic models of cascading failure.
2.1 Flow-based modeling

Flow-based models aim to represent how a system functions by simulating the actual flows on the network. To calculate power flows in electric power networks, most of these models use a linearized version of the nonlinear AC power-flow equations. Flow-based models make it possible to analyze the steady-state operation of power networks. For example, using these models, we can identify issues related to the capacity of transmission lines, address supply and demand problems due to generation and load constraints, and identify critical components or component types.

By contrast, topological models [4,13,20,21] consider only the network structure. Thus, topological models can identify redundancies, potential bottlenecks, etc., but cannot take into account factors such as capacity constraints (e.g., whether a particular line has sufficient capacity to serve all needed loads when other parts of the system have been degraded). Thus, the idea of using topological models to analyze network vulnerabilities has been criticized as a poor heuristic that may be far from optimal. In particular, in [17], the authors find that power grids are generally more vulnerable to attacks that consider the actual flows within the network than to attacks that consider only the topology of the network (such as the degree of each node). Moreover, topological models cannot deal effectively with cascading failure, because cascading failure depends on links or nodes being overloaded beyond their capacity, not just on the topology of the network.

Therefore, rigorous flow-based models are needed to simulate how flows within the system change after some components have been disabled. We adopt for this purpose the optimal DC dispatch model, which is widely used by electrical engineers. This model provides linearized equations for power flows between nodes, to simplify the nonlinear equations for voltages and currents in a circuit [7].
2.2 Game-theoretic modeling of intelligent adversaries

Game-theoretic models can be used to measure the effectiveness of different investment types against intelligent attacks on power networks. These models enable us to analyze different attack scenarios, including for example adversaries who might seek to cause cascading failures. Some researchers (e.g., [24]) have proposed modeling intelligent attacks as purely random. However, [17] shows that even a simple heuristic approach can cause more damage than a random attack. Similarly, [26] compares random attacks with degree-based and greedy attacks, and concludes that in most cases, intelligent attacks are more damaging. In [23], the authors develop a flow-based interdiction model to protect against worst-case attacks on electric-transmission systems. The model is solved as a sequential game, in which the attacker selects an interdiction plan to maximize the cost of operating the network (including the cost of any lost loads), while the defender operates the remaining parts of the network so as to minimize that cost. The authors solve the resulting optimization problem by a decomposition-based heuristic algorithm.
However, it may be unrealistic to assume that attackers are perfectly rational and have unlimited computational ability. Another concern is the conservatism of optimization-based game-theoretic models [15], which can result in defending against only the most severe attacks, and may therefore leave the defender vulnerable to less severe but perhaps more likely attacks. Moreover, devoting significant resources to finding an optimum defense against an "assumed" attacker objective function can result in misplaced precision if the attacker's objective is not known, or the attacker is not actually optimizing. Therefore, studying "reasonably intelligent" attacker behaviors can help shed light on realistic and feasible attacker strategies.

Bier et al. [5] use a simple flow-based heuristic interdiction model, in which a greedy attacker interdicts the components with the maximum flow. In this model, there are three nested algorithms. First, the power flow in the network is simulated using a DC load-flow algorithm that minimizes the cost of operating the system. A greedy interdiction algorithm then identifies the most heavily loaded line and sets its flow to zero (representing a hypothetical attack); the resulting flows in the rest of the network are then computed using the DC load-flow algorithm. Finally, a hardening algorithm can be run to identify a set of potentially interdicted lines to be protected, as a way of assessing the effectiveness of protection against a greedy attacker. Surprisingly, this simple set of heuristics yields results similar to those of [23]. However, the results in [5] also indicate that hardening even a significant fraction of the transmission lines in a network may not be sufficient to dramatically diminish the unmet demand resulting from an intelligent attacker; the authors conclude that hardening of components is unlikely to be cost-effective. Heuristic methods have their pitfalls, of course, and can sometimes give misleading results.
However, not all facility owners and operators will be able to justify spending significant resources on a vulnerability assessment; operators of relatively small electric-power systems, or systems that serve cities of secondary importance, may feel that the threat of intentional attack is too small to justify a time-consuming analysis. Therefore, development of practical methods that are simple enough to be used by systems engineers could help analyze system risks and evaluate possible defensive investments to protect against intelligent threats. Our use of the relatively simple heuristic approach in [5] also makes it possible for us to add complexities (such as cascading failure) without compromising the computational tractability of the method. Finally, this approach is consistent with the view of [6] that a good decision aid should address many important issues efficiently, “rather than seek technical closure on any one”. Therefore, we adopt the heuristic approach of assuming that the attacker will simply target the components with the highest flows within a system according to optimal DC power dispatch, and design their attacks accordingly [5,26].
2.3 Probabilistic modeling of cascading failure

Cascading failures can be critical to understanding the response of complex systems that operate at or near their capacity. Models of cascading failure can be categorized as either deterministic (where failure of an overloaded component is assumed to occur based on a deterministic condition, such as load exceeding capacity by a given percentage) or probabilistic (where failure of an overloaded component is assumed to occur at random). In either case, failure of overloaded nodes or arcs has the potential to result in cascading failures by causing other system components to become overloaded.

Despite the development of many deterministic models of cascading failure [1,10,27], cascading failures have historically been considered a major unsolved problem in electricity systems, since it has proven difficult to determine exactly where and when cascading failures will occur. In particular, deterministic flow-based models are incapable of considering the hidden latent flaws that may lead to cascading failure, since by definition such latent failures are unobservable. Since attempts to replicate the physics of what goes on in electricity networks have not been particularly successful, some authors have proposed using probabilistic approaches to account for the difficulty of predicting cascading failures. For example, [11] uses a probabilistic flow-based model in which cascading failure occurs with some probability when one or more lines are at or near their maximum capacities. The model was developed by researchers from Oak Ridge National Laboratory, the Power Systems Engineering Research Center at the University of Wisconsin, and the University of Alaska, and is hence known as the OPA model. The model has two intrinsic dynamics, slow and fast. The slow dynamics represent load growth and response to blackouts on a scale of days, months, or years. The fast dynamics represent the possibility of cascading failures on a scale of seconds to minutes. The assumption is that even though disruptions can happen at any time, they are more likely to happen at or near times of peak load, when lines are highly stressed. Each overloaded line is assumed to fail with a specified probability, after which loads are recomputed, with the process continuing until there are no more overloaded lines.
For some applications of the model, see also [8,12,22].

In our approach, we model cascading failure probabilistically, since deterministic models have not yet proven capable of adequately representing the hidden or unidentified failures that may lead to cascading failure. In particular, the probabilistic model of [12] appears to be remarkably realistic, as illustrated by the comparison of model results with NERC blackout data [9,12]. For simplicity, in our model we ignore the slow dynamics of that model, since our goal is just to assess the vulnerability of a system in its current form (rather than modeling long-term changes in supply and demand).

3 Addressing cascading failure in a game-theoretic model

In order to model the algorithm, we first introduce the following notation:

B: set of nodes in the network, indexed by i
F: set of transmission lines in the network, indexed by k
F_k(t): power flow through transmission line k at iteration t, ≤ 0
T: set of transformers in the network, T ⊆ F
G: set of generators in the network, indexed by i, G ⊆ B
L: set of loads in the network, indexed by i, L ⊆ B
Z: set of all possible components to interdict, indexed by x, Z = B ∪ F = G ∪ L ∪ F
Z_x(t): power flow through component x at iteration t
x*(t): index of the component chosen to be attacked at iteration t of the interdiction algorithm
X: set of components attacked in the interdiction algorithm, indexed by x, |X|/|Z| being the percentage of components attacked
n: number of components hardened at each iteration of the hardening algorithm
H: set of hardened components, |H|/|Z| being the percentage of components hardened
h: specified proportion of components to be hardened
α: the percentage of the used flow of a component at which it becomes a potential candidate for cascading failure
β: the failure probability of an overloaded component
M: minimum number of replications to be performed in the simulation
C^c_x(t): set of overloaded components at the cth iteration of the cascading algorithm if x is attacked in the tth iteration of the interdiction algorithm
C^c(t): set of overloaded components at the cth iteration of the cascading algorithm in the tth iteration of the interdiction algorithm
C(t): set of failed components due to cascading failure at iteration t of the interdiction algorithm
C: set of all failed components due to cascading failure

As mentioned in the previous section, we choose a flow-based model that optimizes the flows in the network based on component and system constraints, while we assume that the attacker follows a greedy heuristic to determine which components to interdict. The network exhibits probabilistic cascading behavior when components are overloaded. In our algorithm, there are three loops (not including the fourth step of identifying possible defensive investments). Since the algorithm is probabilistic, the outer loop consists of Monte Carlo simulation to ensure that we have a statistically reliable representation of system behavior. Using greedy interdiction, the middle loop determines which component to target at each iteration of an attack (up to a predetermined percentage of components).
After each iteration of the attack algorithm, the inner loop (a modified version of the OPA model) is then run as often as necessary to identify all cascading failures caused by failure of the targeted component, and to compute the resulting loads on the remaining (unfailed) components in the system using the DC load-flow algorithm; see Fig. 1. The defensive algorithm can be run to determine which components to protect. In summary, the defender runs the algorithm to identify components that are likely to be attacked and hardens a certain percentage of them, or (instead of hardening) identifies the components that are likely to cascade, and either increases the capacity of these components or adds new transmission lines. For the outer loop (Monte Carlo simulation), we start with M =20 simulation runs, and then increase the number of replications M by 10 until the standard error of the mean for the load lost is
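The three nested loops of this section, together with the DC load-flow model of Sect. 2.1, the greedy maximum-flow interdiction heuristic of Sect. 2.2 and the fast dynamics of the OPA model of Sect. 2.3, as one runnable illustration. This is an added example, not the authors' code and not the OPA implementation, and it makes assumptions the paper does not: the optimal DC dispatch (a linear program) is replaced by proportional dispatch within each electrical island, shedding load only when an island's generation cannot cover its demand; only transmission lines are attack candidates, i.e. Z = F rather than Z = B ∪ F; hardening removes a line from the attacker's target set but does not stop it from tripping in a cascade; the Monte Carlo stopping tolerance is a free parameter because its value is not given on this page; and the 4-bus network, its susceptances and its line capacities are constructed test data. The names `dc_flow`, `cascade`, `greedy_attack` and `monte_carlo` are the example's own.

```python
# Greedy interdiction + OPA-style probabilistic cascading on a DC load-flow model.
# Added example, not the authors' code.  Assumed, not from the paper: proportional
# per-island dispatch replaces the optimal DC dispatch LP, only lines are attack
# candidates (Z = F), and the Monte Carlo stopping tolerance is a free parameter.
import random

# Constructed 4-bus test network (not from the paper); all quantities in MW.
BUSES = {0: {"gen": 120.0, "load": 0.0}, 1: {"gen": 0.0, "load": 90.0},
         2: {"gen": 0.0, "load": 0.0}, 3: {"gen": 0.0, "load": 30.0}}
LINES = {"A": (0, 1, 1.0, 100.0), "B": (0, 2, 1.0, 60.0),   # id: (from, to,
         "C": (2, 1, 1.0, 60.0), "D": (2, 3, 1.0, 40.0)}    #  susceptance, capacity)

def islands(alive):
    """Connected components under the surviving lines: propagate the smallest bus id."""
    label = {b: b for b in BUSES}
    for _ in BUSES:                       # |B| passes suffice for the labels to converge
        for i, j, _, _ in (LINES[k] for k in alive):
            label[i] = label[j] = min(label[i], label[j])
    return [[b for b in BUSES if label[b] == c] for c in sorted(set(label.values()))]

def solve(A, rhs):
    """Gauss-Jordan elimination with partial pivoting (small dense systems)."""
    n, M = len(rhs), [row[:] + [rhs[r]] for r, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return [M[r][n] / M[r][r] for r in range(n)]

def dc_flow(alive):
    """DC load flow: per island, proportional dispatch (shed load only if generation is
    short), then B*theta = P with the island's first bus as slack.  Returns
    ({line id: flow, positive = from->to}, MW of load lost)."""
    flows, lost = {}, 0.0
    for comp in islands(alive):
        gen, load = (sum(BUSES[b][q] for b in comp) for q in ("gen", "load"))
        served = min(gen, load)
        lost += load - served
        inj = {b: (BUSES[b]["gen"] * served / gen if gen else 0.0)
                  - (BUSES[b]["load"] * served / load if load else 0.0) for b in comp}
        if len(comp) < 2:
            continue
        idx = {b: n for n, b in enumerate(comp[1:])}        # non-slack buses
        Bm = [[0.0] * len(idx) for _ in idx]
        for i, j, b, _ in (LINES[k] for k in alive if LINES[k][0] in inj):
            for u, v in ((i, j), (j, i)):
                if u in idx:
                    Bm[idx[u]][idx[u]] += b
                    if v in idx:
                        Bm[idx[u]][idx[v]] -= b
        theta = {comp[0]: 0.0, **dict(zip(idx, solve(Bm, [inj[b] for b in idx])))}
        flows.update({k: LINES[k][2] * (theta[LINES[k][0]] - theta[LINES[k][1]])
                      for k in alive if LINES[k][0] in inj})
    return flows, lost

def cascade(alive, alpha, beta, rng):
    """Inner loop (fast OPA dynamics): lines at >= alpha*capacity trip w.p. beta, repeat."""
    alive, failed = set(alive), set()
    while True:
        flows, lost = dc_flow(alive)
        tripped = {k for k, f in flows.items()
                   if abs(f) >= alpha * LINES[k][3] and rng.random() < beta}
        if not tripped:
            return alive, failed, lost
        alive -= tripped; failed |= tripped

def greedy_attack(fraction, alpha, beta, rng=None, hardened=frozenset()):
    """Middle loop: remove the surviving unhardened line with the largest |flow| (the
    greedy heuristic of [5]), let the cascade run, repeat for `fraction` of the lines.
    Returns (lines attacked in order, lines lost to cascading, MW of load lost)."""
    rng, alive, attacked, cascaded = rng or random.Random(0), set(LINES), [], set()
    lost = dc_flow(alive)[1]
    for _ in range(max(1, int(fraction * len(LINES)))):
        flows, _ = dc_flow(alive)
        targets = [k for k in alive if k not in hardened]  # hardened: unattackable, may still trip
        if not targets:
            break
        x = max(targets, key=lambda k: abs(flows[k]))
        alive.remove(x); attacked.append(x)
        alive, failed, lost = cascade(alive, alpha, beta, rng)
        cascaded |= failed
    return attacked, cascaded, lost

def monte_carlo(fraction, alpha, beta, seed=1, tol=5.0, m_max=500):
    """Outer loop: M = 20 runs, then +10 until SE of mean load lost < tol (assumed)."""
    rng, samples, M = random.Random(seed), [], 20
    while True:
        while len(samples) < M:
            samples.append(greedy_attack(fraction, alpha, beta, rng)[2])
        mean = sum(samples) / M
        se = (sum((s - mean) ** 2 for s in samples) / (M * (M - 1))) ** 0.5
        if se < tol or M >= m_max:
            return mean, se, M
        M += 10
```

On this constructed network the intact flows are 70, 50, 20 and 30 MW on lines A to D, so the greedy attacker removes A first. With β = 0 nothing ever trips and a single attack loses no load, because the remaining lines simply run over capacity; with β = 1 and α = 0.9 the two parallel paths B and C are both pushed past 90% of their capacity, trip together, and all 120 MW of load is islanded after one attack. Hardening A alone (the `hardened` argument) only redirects the attacker to B, after which A itself overloads and trips. Calling `monte_carlo(0.25, 0.9, beta)` for intermediate β shows the replication count growing until the standard error of lost load falls below the assumed tolerance.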