Critical Infrastructure Interdependency Modeling: Using Graph Models to Assess the Vulnerability of Smart Power Grid and SCADA Networks

Pravin Chopade (1) and Marwan Bikdash
Computational Science and Engineering, North Carolina A&T State University, Greensboro, NC, USA
Abstract—We discuss a framework for quantitative vulnerability assessment of critical infrastructure systems. We focus on the smart electric power delivery systems, i.e., electricity transmission and distribution smart grids, along with SCADA and EMS systems. We introduce concepts and results from graph and social network theories, and apply them to the study of the WSCC-Smart Power Grid Network-SCADA-EMS (WSSE) System. We also calculate values of the topological characteristics of the networks and compare their error and attack tolerances, i.e., their performance when vertices are removed, randomly or in a malicious way. Also, we study the possible topology generation models such as the random graph, small-world, and scale-free models. The WSSE system was found to follow the scale-free graph model of social network theory.

Keywords- Smart Grid, SCADA, Graph, Network, Vulnerability.
I. INTRODUCTION
On August 14, 2003, many north-eastern metropolitan cities were hit by a historic blackout. According to the US-Canada Power Systems Outage Task Force [1], the event left millions of American and Canadian citizens without power for more than four days. It cost the U.S. economy between 4 and 10 billion dollars in lost wages, productivity, and overtime. The event was not terrorism-related, but brought infrastructure vulnerabilities to the forefront of homeland security [1]. The blackout is an example of the potential ramifications of a failure of, or attack on, supervisory control and data acquisition (SCADA) systems. SCADA systems and their components can be found in a number of national infrastructures including the water, oil, and gas industries. SCADA systems are computer-controlled devices that perform and relay physical changes in infrastructure systems to technical operators. They are capable of monitoring millions of data points simultaneously, and can therefore be manipulated by a cyber attack. An adversary thus can penetrate the electrical power grid, or other control system, with little more than a laptop and an Internet connection. This is a major threat. SCADA systems were originally designed for reliability and efficiency, not security, and before the advent of the Internet. Today, corporations use the Internet to monitor SCADA and other control system activity. Many prominent security flaws, including sub-par firewalls and non-unique passwords, continue to exist within these SCADA systems, creating the potential for a devastating attack [2].

Section II addresses the vulnerability of critical infrastructures. Section III discusses a framework for quantitative vulnerability assessment of critical infrastructure systems. In Section IV, we study the possible topology model generators for the WSSE. In Section V, we evaluate the vulnerability of the WSSE to widespread attacks.

II. VULNERABILITY OF CRITICAL INFRASTRUCTURES
A. Vulnerability of Electric Power Delivery Network

The infrastructure of a society consists of facilities such as communications, power supplies, transportation, water supplies, and the stock of buildings [3]. Infrastructure systems can be subject to threats and hazards of different kinds that can make them totally collapse. Threats and hazards include natural disasters, adverse weather, technical failures, human factors, labor conflicts, sabotage, terrorism, and acts of war. Here, the sensitivity to such threats and hazards is the vulnerability of the system. Thus, the concept of vulnerability is used to characterize a lack of robustness and resilience of a system [4]. Robustness signifies that the system will retain its function and resources unchanged or nearly unchanged when exposed to perturbations. Resilience implies that the system can adapt to regain a stable acceptable level of performance after perturbations, but the new state may be significantly different [5].

B. Need for interdependency modeling

The electric power system must always maintain a balance between loads and generation levels while satisfying load flow dynamic constraints. In general, there are three levels of control:
i.) The control center or Energy Management System (EMS);
ii.) The data collection system called SCADA (supervisory control and data acquisition system);
This work is supported by Pennsylvania State University and The Defense Threat Reduction Agency (DTRA) under contract DTRA01-03D-0010/0020 and sub-contract S03-34. (1 Author doing PhD at NCATSU, USA and Associate Professor at Bharati Vidyapeeth Deemed University College of Engineering, Pune, INDIA)
978-1-4577-1591-4/11/$26.00 ©2011 IEEE
iii.) AGC (automatic generation control) for maintaining the instantaneous power balance.
consequence Q in the context of power outages can be described by power loss (MW) or unserved energy (MWh). Let $Q(t)$ be the consequence of a disturbance that occurs at time $t$, $t \in T$. Then, the vulnerability of the infrastructure system is measured by the probability

$$P\left(\max_{t \in T} Q(t) > q\right). \tag{1}$$
Let $A_i$ be an initiating event; then its effect on the conditional vulnerability can be measured using [7]

$$P\left(\max_{t \in T} Q(t) > q \mid A_i\right). \tag{2}$$

Figure 1. Physical Architecture Representation of Smart Power Grid with SCADA

For some initiating events, such as failure of technical components, $P(A_i)$ can be estimated by using its frequency of occurrence. For other events, such as attacks, $P(A_i)$ is not available because those attacks can be extremely rare and hence very difficult to estimate. Only the conditional probability can be used (Eq. 2). The total vulnerability $P(\max_{t \in T} Q(t) > q)$ is a sum over all potential initiating events.
Figure 2. Graph Analytical Representation
The impact of a major power outage (blackout) will be determined by the nature of the affected area, the duration of the disturbance, the time of day, the weather conditions, etc. [6]. Especially critical is the dependence between telecommunications and power systems. This emphasizes the need for developing interdependent models of critical infrastructures. In Figure 1, we illustrate such interdependent models. Figure 2 shows the graph-analytical representation for the same interdependent Smart Power Grid Network (SPGN) and SCADA network.

III. FRAMEWORK FOR VULNERABILITY ANALYSIS
In Figure 3, we present a generic framework for vulnerability analysis captured by the following questions [3]:
i. What can go wrong?
ii. What are the consequences?
iii. How likely is it to happen?
iv. How is a normal state restored?
The vulnerability of an infrastructure system is related to the probability that the disturbance produces a consequence Q (societal, technical, etc) which is larger than some large (critical) value q, during a given period of time T . The
$$P\left(\max_{t \in T} Q(t) > q\right) = \sum_i P(A_i)\, P\left(\max_{t \in T} Q(t) > q \mid A_i\right). \tag{3}$$
Crisis management consists of a number of phases; for example: prevention, mitigation, response, recovery, and learning. In some cases, it can be more suitable to concentrate resources on aborting an ongoing disturbance, rather than using the resources to prevent the disturbance from taking place. The aim of a vulnerability analysis is then to identify events that can lead to critical situations (large negative consequences), and study how the function of the system can be restored. A vulnerability analysis can, thus, facilitate the development of responses to possible crisis situations, and find the basis for prioritization between different alternatives to improve system performance. Vulnerability assessment also includes an evaluation of the level of vulnerability, and (if needed) an analysis of options for enhancing the robustness and/or resilience of the system (see Figure 3). An important difference between risk analysis and vulnerability analysis is that the latter emphasizes post-failure response towards recovery. Traditional risk analysis focuses mainly on the probability of failures emerging. Vulnerability analysis is an “all hazards approach”, thus including both threats from planned (antagonistic) attacks and unintentional threats and hazards in the vulnerability analysis.
Figure 3. A framework for vulnerability assessment, and vulnerability analysis.
IV. GRAPH THEORETIC VULNERABILITY ANALYSIS
SPGN and SCADA can often be represented in a useful way as networks. The structure (topology) of networks is mathematically described in terms of graphs, i.e., sets of vertices (nodes) and edges (links). For a smart electric power grid, the vertices can be power plants, stations and power users, and the edges power lines. Here, the aim of network analysis is to study how the performance of networks is affected by the removal of vertices and edges, to compare the structure of different networks, and to analyze how the change of structure affects the vulnerability of networks. There has been a revival of network modeling in the past years due to increased computing power, the computerization of data acquisition, and the intense interest in complex systems. New emphasis has been placed on statistical measures and numerical simulations [7, 8]. In the following, the graphs will be undirected and initially connected, even though directed graphs can better represent actual flow of power in the network. Vega-Redondo [8], Bhandari [9], and Ahuja et al. [10] review recent advances made in the field of graph theory and survivable network analysis. A number of statistical measures have been proposed to characterize the structure of complex networks. The following concepts are central:

Average path length: The distance between two vertices is defined as the number of edges along the shortest path connecting them. Many complex networks, despite their often large size, have a relatively short average path length between any two vertices.

Clustering coefficient: The clustering coefficient, $CC_i$, of a vertex $i$ is the ratio between the actual number of edges that exist between the vertex and its neighbors and the maximum number of possible edges between these neighbors. The CC of the network is defined as [11]:
$$CC = \frac{1}{n} \sum_{i \in V} CC_i = \frac{1}{n} \sum_{i \in V} \frac{M_i}{k_i (k_i - 1)/2} \tag{4}$$
where $CC_i$ is the local clustering coefficient, $M_i$ is the number of edges that exist between the neighbors of vertex $i$, and $k_i$ is the number of neighbors of vertex $i$. The denominator $k_i (k_i - 1)/2$ is the maximum possible number of edges that can exist between the neighbors of vertex $i$.

Degree distribution: The number of edges connected to a vertex is called its degree. The degree distribution $P(k)$ of many empirical networks has a power law, P(k ) ~ k , where is typically between 1 and 3 [12].
The study of networks has given birth to several classes of abstract network models. Erdös and Rényi introduced the idea of random graphs in the late 1950s [10]. The simple random graph model combines low clustering with an exponential degree distribution. Watts and Strogatz introduced the so-called small-world model in 1998 [11]. This model combines high clustering and a short average path length [11]. In 1999, Barabási and Albert presented the scale-free network model that has a power-law degree distribution [13,14].

Application to IEEE 14-Bus Network: We first use a simple power network to illustrate the graph statistics and their calculation. Shown in Figure 4 is the standard IEEE 14-Bus network. Figure 5 shows the abstracted topology of the 14-Bus network [4], which has 14 nodes and 20 edges. The degree, the critical path length, and the clustering coefficient of each node are calculated and tabulated in Table I. The average degree is 2.857; the average critical path length is 2.374 and the average clustering coefficient is 0.367. A random graph with the same number of nodes, and the same degree of 2.857, would have lRandom = 2.51 and CCRandom = 0.204. The critical path length of the 14-Bus network is close to that of the random graph, but the clustering coefficient is twice that of the random graph. Hence the 14-Bus network can be thought of as a random graph. As the number of nodes in the power network increases, it looks less random and more like the small-world and scale-free networks. The key topological characteristic of small-world networks is the presence of a small fraction of very long-range global edges, which contract otherwise-distant parts of the graph, while most edges remain local, thus contributing to the high clustering coefficient.
Since the qualitative nature of a system's connectivity is important in determining both its structural and dynamic properties, the removal of a node, e.g., the outage of a generator or substation transformer, or a sudden pull-out of a large load or an edge (a transmission line), could affect the functionality of other nodes as well.
the characteristics of a scale-free network. A scale-free network is a connected graph or network with the property that the number of links k originating from a given node exhibits a power law distribution. A scale-free network can be constructed by progressively adding nodes to an existing network and introducing links to existing nodes with preferential attachment so that the probability of linking to a given node i is proportional to the number of existing links k that node has, i.e.,

$$P(\text{linking to node } i) \sim \frac{k_i}{\sum_j k_j}. \tag{5}$$
Figure 4. IEEE 14 Bus Network [4]
Scale-free networks occur in many areas of science and engineering. The power grid of the WSCC has been argued to possess the scale-free property [12].

V. GRAPH MODELING AND VULNERABILITY ANALYSIS OF WESTERN STATES US GRID
Figure 5. Topology of 14-Bus Network

TABLE I. GRAPHICAL PROPERTIES OF THE 14-BUS NETWORK

| Node Number | Degree, k_i | Critical Path Length, l_i | Clustering Coefficient, CC_i |
|---|---|---|---|
| 1 | 2 | 2.692 | 1.0 |
| 2 | 4 | 2.154 | 0.5 |
| 3 | 2 | 2.615 | 1.0 |
| 4 | 5 | 1.836 | 0.3 |
| 5 | 4 | 1.923 | 0.333 |
| 6 | 4 | 2.077 | 0.167 |
| 7 | 3 | 2.231 | 0.333 |
| 8 | 1 | 3.154 | 0.0 |
| 9 | 4 | 1.923 | 0.167 |
| 10 | 2 | 2.462 | 0.0 |
| 11 | 2 | 2.538 | 0.0 |
| 12 | 2 | 2.769 | 1.0 |
| 13 | 3 | 2.462 | 0.333 |
| 14 | 2 | 2.385 | 0.0 |
| Average | 2.857 | 2.374 | 0.367 |
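The per-node statistics of Table I can be recomputed from an edge list, using Eq. 4 for the clustering coefficient and the mean shortest-path length from each node as its critical path length. The following Python sketch is an added example, not the authors' MATLAB code; the edge list `EDGES` is an assumption (the standard IEEE 14-bus line list, supplied here because Figure 5 is not reproduced on this page), and the function names are hypothetical.

```python
from collections import deque

# Assumption: standard IEEE 14-bus line list (20 edges); not printed on the page.
EDGES = [(1, 2), (1, 5), (2, 3), (2, 4), (2, 5), (3, 4), (4, 5), (4, 7),
         (4, 9), (5, 6), (6, 11), (6, 12), (6, 13), (7, 8), (7, 9),
         (9, 10), (9, 14), (10, 11), (12, 13), (13, 14)]


def build_adjacency(edges):
    """Undirected adjacency sets, as the paper treats the grid as undirected."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def local_clustering(adj, i):
    """CC_i = M_i / (k_i (k_i - 1) / 2), taken as 0 when k_i < 2."""
    nbrs = sorted(adj[i])
    k = len(nbrs)
    if k < 2:
        return 0.0
    # M_i: edges that exist between pairs of neighbours of i.
    m = sum(1 for a in range(k) for b in range(a + 1, k)
            if nbrs[b] in adj[nbrs[a]])
    return m / (k * (k - 1) / 2)


def mean_distance(adj, src):
    """Mean shortest-path length (in edges) from src; assumes a connected graph."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return sum(dist.values()) / (len(adj) - 1)


def node_table(edges):
    """Map node -> (degree k_i, path length l_i, clustering CC_i)."""
    adj = build_adjacency(edges)
    return {i: (len(adj[i]), mean_distance(adj, i), local_clustering(adj, i))
            for i in sorted(adj)}


def averages(table):
    """Column averages (k, l, CC) over all nodes, as in the last row of Table I."""
    n = len(table)
    return tuple(sum(row[c] for row in table.values()) / n for c in range(3))


if __name__ == "__main__":
    table = node_table(EDGES)
    for i, (k, l, cc) in table.items():
        print(f"{i:2d}  k={k}  l={l:.3f}  CC={cc:.3f}")
    print("averages: k=%.3f  l=%.3f  CC=%.3f" % averages(table))
```

With this edge list the degrees, clustering coefficients and the three averages (2.857, 2.374, 0.367) match Table I; for node 4 the computed path length is 24/13 ≈ 1.846, where the table prints 1.836.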
When the SPGN and the SCADA networks are considered simultaneously, the network exhibits more clearly
Figure 6. Illustrating the type of connections in the WSCC model of SPGN and SCADA system
Next we consider the combined SPGN, SCADA and EMS system (WSSE) of WSCC US Grid. The topology of the network and the interactions involved are illustrated in Figure 6. Power system failures sometimes progress across the boundaries of balancing authorities, where sensor data are aggregated, through EMS and SCADA systems. Across these boundaries, the models are often less useful. Furthermore, even within a balancing authority, cascading failures can progress more quickly than the communications and computational processes from which eigenvalues are calculated. Therefore there is a need for tools that can identify emerging risks without detailed, highly accurate, network models. The full model of the WSSE network [15] has 4941
TABLE II. Statistical graph measures for WSCC Network

| Measure | Value |
|---|---|
| Total nodes or vertices, NN | 4941 |
| Number of connected nodes | 4923 |
| Number of disconnected nodes | 18 |
| Edges or links, NL | 11305 |
| Power in scale-free degree distribution, Alpha | 2.2 |
| Average node degree | 2.30 |
| Fraction of reciprocal links | 0.39 % |
| Clustering coefficient, CC | 0.0024 |
| Average clustering coefficient | 0.002 % |
[Plot: incoming and outgoing node degree distribution; P(k) versus degree k, both axes in powers of 10.]

Figure 7. Node Degree Distribution
Performing random and targeted attacks on the network: Next, we compare how the networks disintegrate when vertices are disabled. This is the structural vulnerability analysis [5, 12]. To do so, we simulated two kinds of attacks on the network:
a) Random attack: removing random nodes until the graph is no longer connected.
b) Targeted attack: removing the most connected nodes first, i.e., those with highest outgoing degree.
[Plot: number of components versus step, for Random and Targeted attack.]

Figure 8. Network behavior under Random and Targeted attack.
nodes (buses). The data can be found in the database of the North American Electric Reliability Corporation (NERC) [15]. We have analyzed its graph-theoretic properties using MATLAB Graph Functions [16]. We calculated statistical graph measures as shown in Table II, including the degree distribution $P(k)$ of the original 4941-node network. The data shown in Table II suggest that the WSSE does indeed follow the scale-free model. It does not fit the random-graph model well [17]. The WSSE has a clustering coefficient significantly larger than the equivalent random graph, and the average path length is more than twice that of the random graph. The WSSE demonstrates approximately a power law degree distribution. However, we point out that the CC is not an ideal measure for meshed networks such as power grids. The degree distribution $P(k)$ of the WSCC network combined with SCADA and EMS (WSSE) is shown in Figure 7. Clearly it follows the degree power law of scale-free networks. This characteristic feature of power transmission grids is supported by earlier studies of the WSCC network [18,19].
[Plot: number of nodes in connected components versus step, for Random and Targeted attack.]

Figure 9. Network behavior under Random and Targeted attack
Next, we find all strongly connected components. Each strongly connected component is a set of nodes each of which is reachable from any other. The empirical networks exhibit similar disintegration patterns [20, 21, 22]. We apply this analysis to the combined WSSE system. We find that the combined network disintegrates considerably faster when the vertices are removed deliberately than randomly, i.e., it has a lower attack tolerance than error tolerance, as shown in Figure 8 and Figure 9. Figure 10 illustrates the emergence of a large number of components occurring after the removal of about 500 nodes. This is interpreted as a phase change, where the network topology changes qualitatively from a single component to a shattered network with a large number of components. The peak of the size of the second-largest component marks the phase transition. The above measures used to classify graphs reflect only the average topological properties of the network. Only large changes of the network's topology will be visible by studying these indicators [23]. The relation between the vulnerability of a network and the values of the above graph measures is not straightforward. We argue that the generic topological analysis may be too imprecise to enable a realistic study of an upgrading of the transmission grid.
[Plot: size of second largest component versus step, for Random and Targeted attack.]

Figure 10. Size of second largest cluster under Random and Targeted attack.
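The error-versus-attack comparison of Figures 8 to 10 can be reproduced in miniature on a synthetic scale-free graph grown by the preferential attachment rule of Eq. 5. The Python sketch below is an added example, not the authors' MATLAB analysis and not run on the WSCC data; the graph size, seed, removal checkpoints, the static degree ordering used for the targeted case, and all function names are assumptions.

```python
import random
from collections import deque


def preferential_attachment(n, m, rng):
    """Grow an undirected graph; each new node links to m distinct existing
    nodes picked with probability proportional to their degree (Eq. 5)."""
    adj = {i: set() for i in range(n)}
    stubs = []  # node i appears k_i times, so a uniform draw is degree-weighted
    for u in range(m + 1):  # seed: a small clique so every node has degree >= m
        for v in range(u + 1, m + 1):
            adj[u].add(v)
            adj[v].add(u)
            stubs += [u, v]
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(stubs))
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            stubs += [new, t]
    return adj


def component_sizes(adj, removed):
    """Sizes of connected components among surviving nodes, largest first."""
    seen, sizes = set(removed), []
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            u = queue.popleft()
            size += 1
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    queue.append(v)
        sizes.append(size)
    return sorted(sizes, reverse=True)


def attack(adj, order, steps):
    """For each removal count in steps, return
    (removed, number of components, largest, second largest)."""
    rows = []
    for k in steps:
        sizes = component_sizes(adj, order[:k])
        second = sizes[1] if len(sizes) > 1 else 0
        rows.append((k, len(sizes), sizes[0] if sizes else 0, second))
    return rows


def compare(n=600, m=2, seed=7):
    """Random failure versus degree-targeted removal on the same graph."""
    rng = random.Random(seed)
    adj = preferential_attachment(n, m, rng)
    random_order = list(adj)
    rng.shuffle(random_order)
    # Targeted: highest initial degree first (degrees are not recomputed).
    targeted_order = sorted(adj, key=lambda u: len(adj[u]), reverse=True)
    steps = [n * p // 100 for p in (0, 5, 10, 20, 30)]
    return attack(adj, random_order, steps), attack(adj, targeted_order, steps)


if __name__ == "__main__":
    rand_rows, targ_rows = compare()
    print("removed | random (components, largest, second) | targeted (same)")
    for r, t in zip(rand_rows, targ_rows):
        print(f"{r[0]:7d} | {r[1:]} | {t[1:]}")
```

For an operator, the same comparison run on a real asset graph ranks which nodes' loss fragments the network most, which is where redundancy and monitoring are best spent.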
VI. CONCLUSIONS
Graph modeling gives a conceptual picture of the studied network, and graphs can serve as simple reference models for comparison. In this paper we used graph-theoretic vulnerability analysis to study the performance of networks. We proved that the WSSE network follows the power law of scale-free networks. We studied how this network is affected by the removal of vertices and edges, compared the structure of different networks, and analyzed the effects of vulnerability on the structure of the networks. The major drawback of the generic graph analysis is that the performance measures are not related to the practical decision situation, and involve unrealistically high failure rates (removal of fractions of vertices in the graph). We must be careful to note that the analysis of error and attack tolerance is perhaps too imprecise to enable a realistic study of an upgrading of the transmission grid. We conclude that structural vulnerability can lead to major blackouts which will affect all functions in a society. This emphasizes the need for developing interdependent models of critical infrastructures.
ACKNOWLEDGMENT

The authors gratefully acknowledge Pennsylvania State University and The Defense Threat Reduction Agency (DTRA) for their support and finance for this Project.

REFERENCES

[1] U.S.-Canada Power System Outage Task Force, Final report on the August 14, 2003 blackout in the United States and Canada: causes and recommendations, April 2004.
[2] A. Bobbio, E. Ciancamerla, S. Di Blasi, A. Iacomini, F. Mari, I. Melatti, M. Minichino, A. Scarlatti, E. Tronci, R. Terruggia, and E. Zendri, “Risk analysis via heterogeneous models of SCADA interconnecting Power Grids and Telco Networks”, IEEE Transactions on Smart Grid : 978-14244-4497-7/09/$25.00 ©2009 IEEE, pp. 90-97.
[3] A. Murray, and T. Grubesic, Critical Infrastructure-Reliability and Vulnerability, Advances in Spatial Science, Springer Publications, 2007.
[4] Charles J. Kim, Obinna B. Obah, “Vulnerability Assessment of Power Grid Using Graph Topological Indices”, International Journal of Emerging Electric Power Systems, Vol. 8, Issue 6, 2007, Article 4, pp. 1-17.
[5] A. J. Holmgren, “Using Graph Models to Analyze the Vulnerability of Electric Power Networks”, Int. Journal of Risk Analysis, Vol. 26, No. 4, 2006, pp. 955-969.
[6] J. Bigger, M. Willingham and F. Krimgold, “Consequences of critical infrastructure interdependencies: lessons from the 2004 hurricane season in Florida”, Int. J. Critical Infrastructures, Vol. 5, No. 3, 2009, pp. 199-219.
[7] L. Mili, Q. Qiu, and A. G. Phadke, “Risk Assessment of catastrophic failures in electric power systems”, Int. Journal on Critical Infrastructures, Vol. 1, No. 1, 2004, pp. 38-63.
[8] Vega-Redondo, Complex Social Networks, Economic Society Monographs, Cambridge University Press, 2007.
[9] Bhandari, Survivable Networks- Algorithms for Diverse Routing, Kumar Academic Publishers, 1999.
[10] R. K. Ahuja, T. L. Magnanti, and James B. Orlin, Network Flows: Theory, Algorithms and Applications, Prentice-Hall, 1993.
[11] Watts, D. J. and Strogatz, S. H., “Collective dynamics of ‘small-world’ networks”, Nature, Vol. 393, No. 6, June 1998, pp. 440-442.
[12] Ke Sun, “Complex Networks Theory: A New Method of Research in Power Grid”, 2005 IEEE/PES Transmission and Distribution Conference & Exhibition: Asia and Pacific Dalian, China, pp. 1-6.
[13] A. Barabasi, and R. Albert, “Emergence of scaling in random networks”, Science, 286 (5439), 1999, pp. 509-512.
[14] R. Albert, and A. Barabási, “Statistical mechanics of complex networks”, Reviews of Modern Physics, 74, 2002, pp. 47-97.
[15] The North American Electric Reliability Corporation's (NERC) http://www.nerc.com/
[16] http://www.mathworks.com/matlabcentral
[17] Erdős, and Rényi, “On Random Graphs-I”, Publicationes Mathematicae 6:, 1959, pp. 290-297. http://www.mathworks.cn/matlabcentral/fileexchange/4206-erdos-renyirandom-graph
[18] Z. Wang, A. Scaglione, and R. Thomas, “Generating Statistically Correct Random Topologies for Testing Smart Grid Communication and Control Networks”, IEEE Transactions on Smart Grid, 1949-3053/$26.00 © 2010 IEEE, pp. 1-12.
[19] E. Bompard, R. Napoli, and F. Xue, “Analysis of structural vulnerabilities in power transmission grids”, International Journal of Critical Infrastructure Protection, Vol. 2, 2009, pp. 5-12.
[20] Massoud Amin, “National Infrastructures as Complex Interactive Networks”, Automation, Control, and Complexity: An Integrated Approach, Samad & Weyrauch (Eds.), John Wiley and Sons, 2000, pp. 263-286.
[21] WSCC, US Power Grid system Data http://www.solcomhouse.com/uspowergrid.htm
[22] Western System Coordinating Council (WSCC) Disturbance Report for the Power System Outage that occurred on the Western Interconnection on August 10th, 1996 at PAST, October 1996.
[23] Kostereve, Taylor, and Mittelstadt, “Modal Validation for the August 10, 1996 WSCC System Outage”, IEEE Transaction on Power Systems, Vol. 14, No. 3, August 1999, pp. 967-979.