IRRIIS- FP6-2005–IST-4

EC - LOGO

Introduction to IRRIIS MIT Add-On Components

IRRIIS, CRUTIAL & GRID Review Meeting

15 March 2007, Brussels

Sandro Bologna

IRRIIS

Three Layers Model for the Critical Infrastructure

CyberCyber

LayerLayer

Organisational Organisational

LayerLayer

Intra-dependency

Inter-dependencyPhysical Physical

LayerLayer

IRRIIS

Three Layers Model for the Critical Infrastructure

Electrical ComponentsElectrical Componentsgenerators, transformers, breakers,generators, transformers, breakers,

connecting cables etcconnecting cables etc

Control and supervisory hardware/software components

(Scada/EMS systems)

Electrical Power OperatorsIndependent System Operator

for electricity planning and transmission

Intra-dependency

National Electrical Power Transmission Infrastructure

Telecomunication Infrastructure

Oil/Gas Transport System Infrastructure

Foreign Electrical Transmission Infrastructure

Inter-dependency

IRRIIS

MIT Introduction

MIT is a software system aiming at enhancing the availability and survivability of LCCIs by mitigating dependency and interdependency effects.

Communication Components. Add-On Components. Other software resources (Databases,GUI,

Configuration Files, Run-Time Environment, etc.)

IRRIIS

Control Room with MIT WorkStation

LCCI 1

LCCI 2

MIT WorkStation

MIT WorkStation

Control Room

Control Room

IRRIIS

MIT integration with existing SCADA systems

IRRIIS

MIT integration with existing SCADA systems

IRR

IIS

In

ter-

LC

CI

Com

mu

nic

ati

on

Hig

hw

ay

LC

CI

1L

CC

I 2

IRRIIS

Overall MIT architecture

IRRIIS

MIT Add-On Components

Internal Assessment– Tool to extract LCCI functional status

Risk Assessment– Risk Estimator– Incident Knowledge Analyser

Emergency Management– Assessment of cascading/escalating effects– Display of Emergency Management Procedures– Negotiator

IRRIIS

Risk Estimator functions

Reasoning about the states of processes and services, mainly focusing on the services to be exchanged with other LCCIs.

Estimating the levels of risks associated to services exchanges with other LCCIs.

Working on a service-process model of the LCCIs by making use of a fuzzy rules-based mechanism.

IRRIIS

Visualisation of the levels of risks associated to the services

LCCI internal stateestimation

After external &internal states

correlation

IRRIIS

Risk Estimator workflow and relations with other add-on components

ISRIA

INPUTS

Internal status table

External status table

Rule Based Correlation

Module

Current State DB

Expert Rules

DB

IKA

Historical status facts

GUI DEMP

OUTPUTSINTELLIGENCE

RuleEditor

Maps ofRisks

Maps ofRisks

LEGENDIA: Internal Assesment ISR: Information Subscriber & ReaderIKA: Incident Knowledge AnalyserDEMP: Display of Emergency Management Procedures GUI: Graphical User Interface

Estimated State DB

IRRIIS

Risk Estimator Benefits

• Make operators more aware about the global LCCIs state, correlating local LCCI and external LCCIs states.

• Give to the LCCIs operators schematic pictures evidencing the potential risks to loss internal and external services.

• Improve coordination between the LCCI operator and the neighbouring LCCIs.

IRRIIS

LAMPSSys RTI

GUI Logger

To

ol 1

Electricity

Simulator LCCI

DataTlc SCADA

Emulator

To

ol 2

Agent / Scenario

Behaviours

An

alysis 1A

nalysis 2

Fault /

Attack

Tool

An

alysis 3

MIT 1

MIT 2

SimCIP

Proposed DEMONSTRATION Logic Set up

Ele SCADA

Emulator

Telco

Simulator

IRRIIS

GUILogger

LAMPSSys RTI

Agent / Scenario

Behaviours

Electricity

Simulator

Com

Simulator

LCCI

Data

Fault /Attack

Tool

Tool 1

Tool 2

Analysis 1, 2, 3 ..

SimCIP

MIT 1Electrical LCCI

MIT 2TeleCommunication LCCI

Proposed TESTBED Physical Configuration

IRRIIS

Roma Mini TELCO Black-out January 2004

Pre-incident TELCO

network in secure state

Station continue

working with decreased

battery autonomy

Many external Telco services

go down, as the ACEA data links between

control centers

The normal power supply

from ACEA was

restarted

Returnto

normal state

AND AND

Trip of main power

supply

Loss of power supply

Damaged equipment replaced

Telco services restart

AND AND

NETWORK STATE OVERVIEW & ROOT CAUSES

1Flood on the

apparatus room of the Telco SGT

station. UPS start from batteries

2The battery autonomy

finished as Fire Brigate was not able to

eliminate water in time.

3The full

functionality of the SGT station is

restored

4 hoursSafe network state

Endangerednetwork state

Disturbednetwork state

Collapsednetwork

Event

Root cause

Legend

90 min.

IRRIIS

ACEA Remote control system: an overview

Distribution grid TLC tools Owned by Status

High Voltage

Copper cables Power line carrier GSM service

AceaAceaOthers

Complete and working

Medium Voltage GSM Copper cables

OthersOthers

Advanced, but non yet complete

Low Voltage Power line carrier (1)

GPRS (2)

AceaOthers

Advanced 20%

(1) From energy meter to secondary cabin

(2) From secondary cabin to control room

IRRIIS

Effects on the public telecom network

Telecom inter district fixed traffic

OFL Overall Failed Load

ASR Answer Seizure Ratio

IRRIIS

Effects on the ACEA tele-control Centers

Data flux A

Data flux B

FLAMINIA

Control Centre

Electrical

grid 1

Substationsdirectly affected

by Telco blackout

OSTIENSE

Control Centre

Electrical

grid 2

Substations

not directly

affected by

Telco blackout9:30:54 Out of service of data flux A

9.32:00 - 9.32:00 Few number of tele command failures

9.32:15 Out of service of data flux B

9.32:19 - 9.32:30 General tele command failures

9.32: 32 Service restoration of data flux B

9.32:34 - 9.32:59 General tele command restoration

9.33:01 Out of service of data flux B

9.33:34 - 9.34:12 General tele command failures

9.34:12 - 9.44:00 Total substations un visibility

9.44:00 - 9.56:00 Service restoration of some substations in backup mode

10.54:35 Service restoration of data flux A

10.54:43 -10.56:29 All substations reactivated, many of them in local command operation

10:57:56 Service restoration of data flux B

Sequence of Events

ACEA Control Centers configuration

IRRIIS

Roma Mini TELCO Black-out January 2004

Pre-incident TELCO

network in secure state

Station continue

working with decreased

battery autonomy

Many external Telco services

go down, as the ACEA data links between

control centers

The normal power supply

from ACEA was

restarted

Returnto

normal state

AND AND

Trip of main power

supply

Loss of power supply

Damaged equipment replaced

Telco services restart

AND AND

NETWORK STATE OVERVIEW & ROOT CAUSES

1Flood on the

apparatus room of the Telco SGT

station. UPS start from batteries

2The battery autonomy

finished as Fire Brigate was not able to

eliminate water in time.

3The full

functionality of the SGT station is

restored

4 hoursSafe network state

Endangerednetwork state

Disturbednetwork state

Collapsednetwork

Event

Root cause

Legend

90 min.Also before the crisis contingencies, MIT Add-on components could support different LCCIs operators to negotiate

possibilities for short term black-outs in case of need.

IRRIIS

Roma Mini TELCO Black-out January 2004

Pre-incident TELCO

network in secure state

Station continue

working with decreased

battery autonomy

Many external Telco services

go down, as the ACEA data links between

control centers

The normal power supply

from ACEA was

restarted

Returnto

normal state

AND AND

Trip of main power

supply

Loss of power supply

Damaged equipment replaced

Telco services restart

AND AND

NETWORK STATE OVERVIEW & ROOT CAUSES

1Flood on the

apparatus room of the Telco SGT

station. UPS start from batteries

2The battery autonomy

finished as Fire Brigate was not able to

eliminate water in time.

3The full

functionality of the SGT station is

restored

4 hoursSafe network state

Endangerednetwork state

Disturbednetwork state

Collapsednetwork

Event

Root cause

Legend

90 min.

MIT Add-on components could estimate the internal risks associated to possible external services degradation.

IRRIIS

Roma Mini TELCO Black-out January 2004

Pre-incident TELCO

network in secure state

Station continue

working with decreased

battery autonomy

Many external Telco services

go down, as the ACEA data links between

control centers

The normal power supply

from ACEA was

restarted

Returnto

normal state

AND AND

Trip of main power

supply

Loss of power supply

Damaged equipment replaced

Telco services restart

AND AND

NETWORK STATE OVERVIEW & ROOT CAUSES

1Flood on the

apparatus room of the Telco SGT

station. UPS start from batteries

2The battery autonomy

finished as Fire Brigate was not able to

eliminate water in time.

3The full

functionality of the SGT station is

restored

4 hoursSafe network state

Endangerednetwork state

Disturbednetwork state

Collapsednetwork

Event

Root cause

Legend

90 min.

MIT Add-on components could help the LCCI operator to be more prepared during the black out contingencies.