Unavailability of critical SCADA communication links interconnecting a power grid and a Telco network
Introduction
Power grids and Telco networks have a large impact on everyday life and are typically referred to as critical infrastructures (CIs) since their correct operation is essential for the everyday life of our modern society. CIs share, in general, (bi)directional dependent relationships and mutual influences so that they are interdependent. Interdependency is especially true because CIs are more and more reliant on information and communication technology and, largely through this reliance, they have become more and more interdependent. The successful delivery of any essential CI service depends upon the operating status not only of the CI which is intended to deliver such a service but also on the operating status of any interdependent CI. Initial disturbances in (or even destruction of) parts of one CI may result in cascading effects in the infrastructure itself and/or in the other interdependent CIs [1].
There is a growing interest in developing models and tools for CI interdependency analysis, as witnessed by various research programs in the EU [19], [20], [21] and the USA, but practical and methodological difficulties are immense. Interactions among hardware, software and human operators are difficult to capture and to model, and adequate formalisms and granularity for CI models have to be appropriately addressed. Furthermore, convenient indicators and performance measures of CI interdependencies have to be properly defined.
The exploration of suitable modelling approaches for interdependent CIs has been the object of many research lines in the recent literature [2], [3], [17], [18]. A network topology analysis takes inspiration from the works of Watts and Strogatz [5] and Albert and Barabasi [6]. Albert and Barabasi [6] underline how a given topological network asset may improve network resilience in response to an accidental failure, but may expose the network to high vulnerabilities in the presence of malicious attacks.
A service-oriented risk analysis is investigated in [18], while in [9] event-driven process chains are used to model the branched chains of reactions after an incident happens.
Simulative analysis is a possible alternative. In [7], [26] a federation of multiple domain-specific simulators is explored, and in [8] the development of specific tools for the simulation of interdependent infrastructures, in the presence of scenarios that include different typologies of infrastructures, is proposed.
A general framework that shows the typical and common interdependencies between a power CI and a Telco CI is reported in Fig. 1.
The upper part of the figure shows the power CI, which is composed of the electrical grid and the Telco of the electrical grid. The Telco of the electrical grid provides the communication facilities needed to control the electrical grid and may be partly operated by the power operator and partly by the Telco operator.
The lower part of Fig. 1 shows the Telco CI which consists of several networks that provide different Telco services (voice, mobile voice, data, mobile data, etc.). In addition Telco networks require a reliable power supply that is provided by the power CI (power to Telco services). However, it is rather common that Telco offices (or at least the most important ones) have their own emergency power supply system, for backup reasons in case of outages of the main power supply. The set of emergency power supplies is owned and managed by the Telco operator (lower left part of Fig. 1).
The power distribution grid is managed and controlled through a supervisory control and data acquisition (SCADA) system that constitutes the nervous system of a power grid. The operation and control of SCADA relies on communication links among SCADA nodes, which are partly dependent on the public Telco network; for this reason, SCADA systems represent one of the major channels of mutual propagation of disturbances and adverse events between power grids and Telco networks. Many power grid services, like supply of critical users/large urban areas, grid reconfiguration after failures and telemetry, increasingly depend upon the adequate functionality of their SCADA system, whose correct operation strictly depends on the adequate functionality of the Telco network. On the other hand, both the SCADA system and the Telco network need to be fed by the power grid.
To guarantee adequate reliability and performance for the transmission bandwidth, SCADA communication links typically rely on a main, usually proprietary, communication network and on a redundant Telco network. However, due to different reasons, including market deregulation, in electrical and in Telco infrastructures, part of SCADA communication links could rely on a public Telco network, as in the present case study. This fact introduces a number of potential failure points that previously did not exist.
The present paper investigates a risk based modelling methodology, which aims to predict stochastic indicators of services delivered by interdependent CIs, say a Telco network and a power distribution grid [16], [24]. To this end, the paper proposes a multi-formalism and multi-solution stochastic approach [4], [23], in which different modelling frameworks and solution techniques are applied to different parts of the interconnected networks in order to realize a good trade-off between modelling power and analytical tractability, and to confine the application of more intensive computational techniques to only those parts of the networks that actually require it.
The proposed approach is intended to be a valuable quantitative methodological support for failure scenarios involving interdependent CIs. For the sake of clarity, our approach is applied to an actual failure scenario that occurred on January 2, 2004 and initiated with the outage of a Point of Presence (PoP) of the Italian telecommunication backbone, located in Rome. Examining the dynamics of the failure scenario, the criticality of two SCADA communication links, provided by a public Telco company and essential for the observability and the control of a large part of the power distribution grid, appeared evident. The availability of the two SCADA links relies on three interconnected networks: (a) the Telco network, which directly supports the two communication links through a single pair high speed digital subscriber line (SHDSL) connection; (b) the power distribution grid, which provides the main power supply at the Telco sites; (c) the Telco emergency power supply, which feeds the Telco network in the case of loss of the main power supply.
The paper is organized as follows. Section 2 examines the dynamics of the failure scenario under study in order to identify the dependencies and criticalities in the interconnected CIs. Section 3 proposes a service oriented approach to quantify the behaviour of the interconnected CIs in the examined reference scenario. Section 4 presents the proposed multi-formalism technique and shows how different formalisms have been applied to different CIs. Finally, Section 5 shows and discusses quantitative results.
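As an added illustration (not code or data from the paper), the sketch below evaluates the availability of a SCADA communication service over the three dependencies listed above by exact state enumeration, and ranks components by Birnbaum importance to expose the weak points. The toy topology (two links sharing one PoP), the component names and all availability values are constructed assumptions, and components are assumed to fail independently.

```python
from itertools import product

# Constructed steady-state availabilities (assumed values, not from the paper).
AVAIL = {
    "pop": 0.9995,   # Telco PoP that both SCADA links traverse (assumption)
    "acc1": 0.995,   # access equipment of SCADA link 1
    "acc2": 0.995,   # access equipment of SCADA link 2
    "grid": 0.999,   # main power supply from the distribution grid
    "eps": 0.98,     # Telco emergency power supply at the PoP site
}

def service_up(s):
    """Structure function: the SCADA service is up if the PoP works, is
    powered by the grid or the emergency supply, and one link is up."""
    powered = s["grid"] or s["eps"]
    return s["pop"] and powered and (s["acc1"] or s["acc2"])

def availability(avail, structure=service_up):
    """Exact service availability: sum the probability of every
    component state in which the structure function holds."""
    names = list(avail)
    total = 0.0
    for bits in product((True, False), repeat=len(names)):
        state = dict(zip(names, bits))
        if structure(state):
            p = 1.0
            for name, up in state.items():
                p *= avail[name] if up else 1.0 - avail[name]
            total += p
    return total

def birnbaum(avail, name):
    """Birnbaum importance: availability with the component forced up
    minus availability with it forced down."""
    return (availability({**avail, name: 1.0})
            - availability({**avail, name: 0.0}))

def ranking(avail):
    """Components ordered from most to least critical."""
    return sorted(avail, key=lambda n: birnbaum(avail, n), reverse=True)

if __name__ == "__main__":
    print(f"service unavailability: {1 - availability(AVAIL):.3e}")
    for name in ranking(AVAIL):
        print(f"{name:5s} Birnbaum importance = {birnbaum(AVAIL, name):.3e}")
```

With these constructed values the shared PoP dominates the ranking, and setting `eps` to 0.0 shows how much of the power-side risk the emergency supply absorbs.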
Section snippets
Failure scenario of the case study
A failure scenario consists in the identification of the sequence of adverse events that have produced an anomalous and undesirable behaviour in the interconnected CIs, the identification of services that have been impaired (in terms of continuity, readiness, performances, response time) during the sequence of adverse events and the set of interconnected networks that support such services and have contributed to their degradation. In this paper, we concentrate our attention on an actual
Service availability of interconnected networks
A natural way to deal with the complexity of the performance and reliability analysis of interconnected CIs is to follow a service oriented approach. By this we mean that the different services provided by the interdependent CIs are isolated and analysed separately. As a unifying measure to characterize the delivery of an appropriate service level, we propose the service availability defined as the probability that a specific service delivered by interconnected networks is operational at time t
Models of interconnected networks
According to the analysis of the case study considered in Section 2, we first build the appropriate stochastic model for each one of the CIs that have been involved in the failure scenario, as specified in the following:
- (i) The public Telco network and its influence on the SHDSL connection between the two SCADA control centres MSC and DRS. The appropriate model is RDB.
- (ii) The power distribution grid and its influence in the supply of electrical energy to the Telco network. The appropriate model is an
Results and discussion
This section presents and discusses the quantitative results obtained by applying the explained multi-formalism hierarchical approach. Results represent a first refinement of the iterative modelling process between modellers and CI operators shown in Fig. 8.
Quantitative analysis requires quantitative data about the failure and repair characteristics of the elementary blocks and components appearing in the models. As is well known, getting reliable data may be difficult or even impossible,
Conclusions
In previous studies aimed at investigating the interdependencies between power and Telco networks, the SCADA system was either not explicitly modelled or modelled only very roughly. In contrast, we have demonstrated here how an actual failure scenario is affected by the availability of two critical public communication links between two SCADA control centres. Furthermore, we have shown that quantitative analysis is a valuable way to identify weak points in the networks and to suggest design improvements.
In a
Acknowledgements
This research originated from the participation in the EU projects IRRIIS (http://www.irriis.org/) and MICIE (http://micie.eu/) and the Italian MIUR project Cresco (http://www.cresco.enea.it/). The authors wish to thank G. Rapanotti for fruitful discussions on some technological aspects and D. Lefevre.
References (26)
- et al. Modeling s–t path availability to support disaster vulnerability assessment of network infrastructure. Comput Operat Res (2009)
- et al. Bulk power risk analysis: ranking infrastructure elements according to their risk significance. Electric Power Energy Syst (2008)
- et al. Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Syst Mag (2001)
- et al. Overview of reliability and vulnerability in critical infrastructure
- et al. (2009)
- et al. Collective dynamics of “small-world” networks. Nature (1998)
- et al. Statistical mechanics of complex networks. Rev Mod Phys (2002)
- et al. EPOCHS: a platform for agent-based electric power and communication simulation built from commercial off-the-shelf components. IEEE Trans Power Syst (2006)
- Dudenhoeffer D, Permann R, Manic M. CIMS A: framework for infrastructure interdependency modeling and analysis. In:...
- Kroger W. Protecting coupled critical infrastructure: understanding and governing complexity. In: Proceedings of the...