SCOPE OF RESEARCH

The critical infrastructure on which today’s civilization depends can be categorized as follows:

  1. Physical components – devices and general physical infrastructure, such as power distribution systems, plumbing, wiring, etc. that are used to deliver essential services; 
  2. Information and communication technology – consisting of computers, networks and data gathering sensors that are used to monitor and control the physical components. The Supervisory Control and Data Acquisition (SCADA) systems, regardless of the type of infrastructure they are used in, are the main part of this layer;
  3. Man-machine interface and knowledge – software on the operators’ computer used to poll the remote sites and store the collected data in its centralized database. Logic can be configured in the SCADA host software which then monitors and controls plant or equipment. Data is then processed to detect preset alarm conditions, and if an alarm is present, an alarm message shows on the operator screen and is added to an alarm list. The operator must then acknowledge this alarm and act by giving commands to the system. Advanced, knowledge-based SCADAs can filter part of the incoming information to reduce stress on the operator and provide advice as to what needs to be done to remove the alarm and the cause of the disturbance.

All three have strict survivability requirements on a twenty-four-hours-a-day, seven-days-a-week (24x7) basis. Here survivability means the capability of a system to fulfill its mission in a timely manner, even in the presence of failures, attacks, or accidents. Unlike fault-tolerant systems (such as the electricity grid), which are generally engineered to tolerate random natural failures, system survivability must also consider unpredictable faults caused by emergent phenomena such as terrorism, large natural hazards, unplanned disruptions, market disturbances, international policy shifts, etc.

Digital control systems are developed to monitor and estimate the current operating state; to collect, analyze, and diagnose fault alarms; and to use redundancy techniques to provide fault tolerance for the critical infrastructures of NATO member states and partner countries, including vital systems such as energy and water production/distribution, logistics and transport, and military systems. In particular, most complex critical infrastructures and plants are managed by SCADA systems. Similar to the division above, SCADA systems consist of one or more of the following components:

  • Human-Machine Interfaces (HMI), which present process data to human operators, accepting commands and input;
  • Supervisory systems, which gather data, process it, and send commands to the controlled process;
  • Remote Terminal Units (RTUs), which digitize sensor data or convert digital signals to electric impulses, and Programmable Logic Controllers (PLCs), which control the processes;
  • A communication infrastructure.

SCADA systems help control and monitor utilities by gathering field data from sensors and instruments located at remote sites, transmitting and displaying these data at a central site, and enabling engineers to send control commands to the field instruments. Commonly controlled field instruments include track switches, gas and water pumps, traffic signals, valves, and electric circuit breakers. The data collected from the field instruments and devices are viewed by the engineers on one or more SCADA host computers located at the central or master site. Traditionally, SCADA systems were only meant for data acquisition, but today the distinction with DCS (Digital Control Systems) is disappearing as the two have become integrated. Moreover, the “communication infrastructures”, which used to be proprietary, are increasingly being switched over to common protocols such as the Internet Protocol (IP) and Ethernet, because utilities require them to interface with other enterprise software. Similarly, HMI and supervisory systems are increasingly switching over to common operating systems, as opposed to custom-developed systems. With the growing importance of software-as-a-service, SCADA technologies are shifting towards Internet-based architectures, taking advantage of service-oriented protocols such as SOAP (Simple Object Access Protocol) and of thin clients, web portals, and other web-based interfaces.

Since electricity is today the critical infrastructure underlying all others, and disruptions in this system have by far the greatest economic and societal consequences, the area of application of this project is the electrical power system.

One of the expected results of the testbed is to confirm and further develop recommendations for the next generation of SCADA in power systems. Such systems must offer alarm management, which prevents operator overload in cases where many alarms occur within a short time, as happens when a blackout is about to occur. They must also withstand deliberate attempts to decoy operators. Alarm management filters alarms by location, logical grouping or priority and keeps operators focused. Alarm records must be time-stamped and maintained in an audit trail, which allows alarms to be correlated with other time-based information, such as video frames. The audit trail is also extremely important for after-the-fact investigations if a blackout occurs. SCADA systems should also react automatically to conditions and perform control actions, such as emergency shutdowns of processes, starting or stopping pumps, opening/closing valves, etc. Input for these actions can come from anywhere on the network. The SCADA system should be able to isolate a portion of the supply system automatically by stopping pumps and closing valves, or it can inform operators of the process conditions and let them decide.
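The alarm-management requirements above (filtering by priority and location, grouping an alarm flood, and a time-stamped audit trail that can be sliced for correlation with other time-based records) as an added example in Python. This is not the project's code; the alarm fields, the flood window of 10 seconds and the scenario in `demo()` are constructed for illustration.

```python
"""Alarm management for a SCADA host: priority/location filtering, alarm-flood
grouping and a time-stamped audit trail. Added example; not the project's code."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(order=True)
class Alarm:
    ts: datetime                 # time the condition was detected
    location: str                # substation / device that raised it
    priority: int                # 1 = most urgent
    message: str
    acknowledged: bool = field(default=False, compare=False)


class AlarmManager:
    def __init__(self, flood_window=timedelta(seconds=10), flood_limit=5):
        self.active = []          # alarm list shown to the operator
        self.audit_trail = []     # append-only (timestamp, event) records
        self.flood_window = flood_window
        self.flood_limit = flood_limit

    def _record(self, ts, text):
        self.audit_trail.append((ts, text))

    def raise_alarm(self, alarm):
        self.active.append(alarm)
        self._record(alarm.ts, f"RAISED {alarm.location} p{alarm.priority} {alarm.message}")

    def acknowledge(self, alarm, operator, ts):
        """Operator acknowledgement is itself an audited event."""
        alarm.acknowledged = True
        self._record(ts, f"ACK {operator} {alarm.location} {alarm.message}")

    def operator_view(self, max_priority=2, location=None):
        """Filtered, time-ordered list: unacknowledged alarms at or above a
        priority, optionally restricted to one location."""
        return sorted(a for a in self.active
                      if not a.acknowledged and a.priority <= max_priority
                      and (location is None or a.location == location))

    def flood_sources(self, now):
        """Locations that produced flood_limit or more alarms inside flood_window;
        the operator sees one grouped condition instead of many separate lines."""
        recent = (a for a in self.active if now - a.ts <= self.flood_window)
        counts = Counter(a.location for a in recent)
        return {loc: n for loc, n in counts.items() if n >= self.flood_limit}

    def audit_between(self, start, end):
        """Slice of the audit trail for correlation with other time-stamped
        sources (e.g. video frames) or for after-the-fact investigation."""
        return [e for e in self.audit_trail if start <= e[0] <= end]


def demo():
    """Constructed scenario: a burst of low-priority alarms from one substation
    while a single high-priority alarm arrives elsewhere."""
    t0 = datetime(2008, 3, 1, 12, 0, 0)
    mgr = AlarmManager()
    for i in range(6):            # flood: six protection alarms from SS-A in 6 s
        mgr.raise_alarm(Alarm(t0 + timedelta(seconds=i), "SS-A", 3, "protection trip"))
    mgr.raise_alarm(Alarm(t0 + timedelta(seconds=3), "SS-B", 1, "bus voltage low"))
    acked = Alarm(t0 + timedelta(seconds=4), "SS-C", 2, "transformer temp high")
    mgr.raise_alarm(acked)
    mgr.acknowledge(acked, "operator1", t0 + timedelta(seconds=8))
    return mgr, t0
```

With the constructed scenario the operator view contains only the SS-B alarm, the six SS-A alarms collapse into one flood entry, and the acknowledgement is recoverable from the audit trail by time.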

As a result of the worldwide evolution of power, communication and information systems, electricity infrastructure will become more and more interlinked with ICT infrastructure. The architecture and operation of this ICT infrastructure must be adapted to the technical structure of the (future) power grid and its generation, transmission and distribution facilities, to operators’ needs (there is no SCADA which can work without people), and to the structure of the liberalized energy market. This ICT architecture must be designed from a strong system-wide viewpoint, but must also consider the stakes of all actors in the system, which is currently not being done. In other words, there is a need for a multi-actor coordination system which optimizes global system objectives (such as stability, power quality, and security of supply) in coherence with the interests of local actors in the form of installations for electricity production, consumption, and storage, while also keeping general information security in mind.

Context and background

Energy utilities are undergoing structural changes along the recently developed legal framework in the area. The new EU-aligned legislation allows open access to the previously vertically integrated power system. Hence, companies interested in building generation capacity are allowed to supply power to the grid. An electricity market has been established, with an expected increase in trading capacity as new investors enter the market. The changes in the operation of the system make it more important to anticipate possible transformations on the national power system scale, but also in the context of UCTE (Union for the Co-ordination of Transmission of Electricity), as occurrences in various countries have been observed to show certain patterns, such as electricity price spikes, transmission line congestion, etc.

Physical system security cannot be allowed to be compromised, as electricity underlies all other critical infrastructures. The system must be operated both safely and, for society’s benefit, as economically as possible through the market system, where data must be shared among system operators while ensuring that market-sensitive data can be accessed only by the appropriate marketers. Thus, the restructuring of the utility industry has resulted in the need for varying levels of system safety, electricity market information awareness and general IT security as the component which connects the physical electricity system with the market system.

Because of the mission-critical nature of a large number of SCADA systems, interruptions (major accidents caused by faults, natural events or attacks) of the physical system, the electricity market or ICT infrastructure could cause massive damage, financial losses and even physical destruction or loss of life, either directly or indirectly, as shown below.

Scope of research

The project will develop a software-based testbed for SCADA infrastructure in the area of power systems, which will be able to simulate physical grid properties, energy market negotiations and communication infrastructure capabilities, and which will also enable modeling of human operator behavior within the system.

The main use of the tool is to answer questions such as:

  • How do market disturbances impact the physical power system?
  • How can compromised lines of information exchange impact the electricity market and the physical power system?
  • What happens in individual power system components, and how does a human operator respond, in case of exceptional events such as:
    • Natural hazards;
    • Unplanned disruptions of trans-national power flows;
    • New generation capacities being installed (renewable energy);
    • Part of information from the physical system becomes unavailable;
    • Part of information from the electricity market system becomes unavailable;
    • Terrorist (including cyber-terrorism) attacks to either of the systems;
    • Energy security policy changes;
    • General security politics changes;
  • What should the next generation SCADA have in order to improve performance of the human operator when the power grid reaches an unstable state? 
  • Who needs which information and for what purpose in case the power system becomes unstable?
  • How can the power system and its components (physical grid, electricity market infrastructure and ICT) be defended and their security increased? 
  • How to optimally distribute limited resources for improving security?

There have been attempts to answer some of these questions, either fully or partly (findings and results of which will be used to validate our final product), but so far there has not been an attempt to create a simulation testbed including all relevant components which would enable further scenario-based exploration or a holistic system analysis.

The testbed will make use of commercially available modeling software (selected based on work done by various research teams worldwide), in which the dominant concept is agent-based modeling. This will enable researchers to concentrate on modeling individual components of the system, which allows specific researcher knowledge to be combined into a larger, more diverse system. The end result, individual components working together, will enable exploring the performance of the system as a whole, instead of the older approach of modeling the whole power system top-down using a system of complex equations to describe system behavior. Also, man-machine behavior is relatively easy to model using an agent-based architecture. Agent-based modeling has also been extensively used to include social dynamics in technical systems. Thus agent-based modeling can account for the human factor within the simulation, which is a novelty in the area.

Figure 1 – conceptual layering of the proposed project

As shown in Figure 1, the proposed system is a separate workflow layer above a SCADA system that models both essential functionalities of the underlying physical layer and domain specific knowledge necessary to protect the system. For instance, a particular state combination of physical devices or of bids and spot prices on the energy market or occurrences in IT infrastructure may indicate the existence of a disturbance. As the workflow reflects the essential services of the underlying physical systems and their unsafe states, we will be able to use the workflow to analyze the consequences of each issued safety-critical command, and impacts of physical devices reaching specific states. Hence the system can be enhanced with the ability to resist malicious commands and foresee certain potential faults - two key properties of survivability for infrastructure systems.

The proposed architecture enables offline simulations. Real-life data can be imported. The proposed workflow layer is built external to SCADA systems and interfaces with the SCADA by processing and controlling inputs and outputs via the testbed.


Figure 2 - Components of the proposed project

As shown in Figure 2, the envisioned testbed is to be composed of three basic components:

  • Physical grid
  • Energy market
  • Communication infrastructure

The testbed is envisioned to be capable of accepting various sources of major disturbances and of interpreting and modeling their influence on all three components.

The solution is functionally integrated via the input/output interface. This is the actual simulation testbed, and it constitutes the core of the research activities within this project: the integration of various system components. Conceptually, the system is integrated in such a way that the results of electricity market operations are routed through the simulated (compromised or safe) communication infrastructure, after which calculations in the physical system are performed. This produces physical constraints which are forwarded to the market so that market players can react and try to even out imbalances. This is an iterative process until the whole system reaches equilibrium, an end state which can become an input to analysts (human operators) for creating contingency plans. Major disruptions which can occur are also shown in Figure 2, and will be the focus of case studies after the testbed is put into operation.

Inputs are controlled by human operators and executed in all components within the testbed at the same time. The human operator has an overview of the outputs, which can be either filtered (to prevent information overload) or examined in detail on request. Human operators control all parameters in the system: both the ones the systems are designed for (e.g. power system lines or market bids) and background parameters such as whether a communication line has been compromised, or whether a malicious trader is operating in the market, etc.

Once created, the testbed has essentially two goals:

(1) identifying whether an incoming operation applied on any testbed component will lead to a pattern of consequences which will endanger the stability of the power grid, which is pre-defined within the workflow based on domain specific security knowledge; and

(2) analyzing and predicting the propagation of an emergent fault in the physical grid and the market system.

Commands issued to the testbed are routed to the components through interfaces developed within the project, in order to perform computations and observe outputs simultaneously from all components. The state information monitored by the testbed layer is also forwarded to the database for further data mining and pattern recognition. Once the testbed has identified that the system is in an unsafe state, control algorithms will be developed to enable recovery from possible adverse actions, the end result being contingency plans for unplanned disruptions, such as terrorism and natural hazards, which are generally hard to either simulate or plan against in the real world.
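The integration loop described above (market dispatch routed through a safe or compromised communication layer to the grid, physical constraints fed back to the market, iteration until equilibrium, and the goal (1) check of whether the resulting state endangers the grid) as an added toy example in Python. This is not the project's code and uses none of PowerWorld or AnyLogic; the two-bus grid, its capacities and the "constraint under-reported to zero" form of compromise are constructed assumptions.

```python
"""Toy version of the testbed's integration loop: market dispatch -> communication
layer -> grid power flow -> physical constraints -> market, iterated until the
system reaches equilibrium, plus the unsafe-state check of goal (1).
Added example with constructed values; not the project's code."""
from dataclasses import dataclass


@dataclass
class Grid:
    """Two-bus system: cheap generator G1 at bus 1, expensive G2 and the whole
    load at bus 2, joined by one tie line with a thermal limit (all in MW)."""
    load: float = 800.0
    g1_cap: float = 700.0
    g2_cap: float = 500.0
    line_limit: float = 500.0

    def power_flow(self, g1, g2):
        """Everything produced at bus 1 crosses the tie line to reach the load."""
        flow = g1
        overload = max(0.0, flow - self.line_limit)
        unserved = max(0.0, self.load - g1 - g2)
        return flow, overload, unserved


def market_clear(grid, g1_limit):
    """Merit-order dispatch: take as much of the cheap unit as the reported
    constraint allows, then fill the remainder from G2."""
    g1 = min(grid.g1_cap, g1_limit, grid.load)
    g2 = min(grid.g2_cap, grid.load - g1)
    return g1, g2


def channel(overload, compromised):
    """Communication layer carrying grid constraints back to the market. A
    compromised line reports 'no overload' whatever the grid computed."""
    return 0.0 if compromised else overload


def run_testbed(grid, compromised=False, max_iter=10):
    """Iterate market and grid until the market sees no violation (its
    equilibrium) and report whether the true grid state is then unsafe."""
    g1_limit = grid.g1_cap
    g1, g2 = market_clear(grid, g1_limit)
    for it in range(1, max_iter + 1):
        flow, overload, unserved = grid.power_flow(g1, g2)
        reported = channel(overload, compromised)
        if reported == 0.0 or it == max_iter:
            return {"iterations": it, "g1": g1, "g2": g2, "flow": flow,
                    "true_overload": overload, "reported_overload": reported,
                    "unsafe": overload > 0 or unserved > 0}
        g1_limit = g1 - reported          # market reacts to the constraint
        g1, g2 = market_clear(grid, g1_limit)
```

With the constructed grid the safe channel converges in two rounds to a dispatch that respects the line limit, while the compromised channel lets the market declare equilibrium after one round with the tie line 200 MW over its limit, which is exactly the pattern the testbed is meant to flag.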

Since the testbed is simulated and therefore non-intrusive to the existing critical infrastructures, advanced knowledge of behavior from individual component domains can be easily applied to determine both vulnerabilities as well as options for increasing security performance.

The developed testbed will contain mathematical and agent-based models of devices, market concepts and IT infrastructure derived from domain knowledge. At run time, the simulations on the testbed verify the behavior of the physical system and identify potential faults.

Network clients

The network clients, both fixed and mobile, provide the key functions needed to accept inputs and to serve as monitors of the testbed, hence resembling the real-world behavior presented to the human operator. The client will have the following key capabilities:

  • A graphical view of power system states. The information used to drive the display is obtained via TCP/IP from a server. This mimics a control room display that is obtaining SCADA data from the power grid over a communications network.
  • The ability to control (rather than simply view) power system and market elements as a key component of real power system operation. The client supports control actions, such as opening and closing of lines, in addition to simple display of data.
  • All data displayed on the client must first be communicated over the network from the server to the client. This decoupling of the display (the network client) from the data source (the PowerWorld server and market simulation in Anylogic) enables independent modification and testing of the display, communications networks, and power system without affecting other components of the testing environment.
  • An individual client can access any number of servers, with a highly configurable scheduling mechanism for retrieving data. Data retrieval from the server can be asynchronously initiated or set to occur at regularly timed intervals. By setting the intervals between retrievals to a very small value, it is easy to stress the underlying communications system to examine bandwidth effects.
  • Support for major operating systems (Windows, Mac OS X, Linux)

Physical power grid component

The physical power grid will be simulated using PowerWorld software, allowing it to serve as a surrogate for the real power grid when performing experiments, in particular:

  • The intended software, PowerWorld Simulator server, simulates the power grid with a feature-rich power flow solver. This allows simulating power systems with a high degree of modeling accuracy by taking advantage of the built-in advanced modeling facilities. The initial power system for simulation will be the 400 kV transmission system of Italy and Croatia, along with several connecting countries from UCTE (to be determined). The expanded UCTE system is shown in Figure 3.

    Figure 3 - Map of the enlarged UCTE power system


  • The server provides the SCADA data that would typically be fed into a control center display (represented by the client). The server provides the simulated data to other testbed components via the simulated communication component (to simulate potential disruptions in situational awareness) with the final destination being the system operator (to determine whether the system is stable), as well as the market (to check if physical constraints have been respected when trading).
  • The server also accepts control commands sent by clients, e.g., the opening and closing of lines. The server continuously performs power flow calculations, so network flow impacts are instantly solved and propagated to all connected clients. The ability to accept control commands from the client allows us to study the effects of various network attacks on control actions.
  • The server communicates with agent-based simulations of the electricity market and IT component.

Data provided for this component includes bus voltage magnitude and phase angle, line status, power flows and generator status.

Energy market component

The electricity market is a microeconomic setting in which several actors interact strategically. Most current research models the electricity market as an oligopoly (extensions and refinements of Bertrand and Cournot oligopolies). These models are intrinsically game-theoretic. Automated agents that negotiate on behalf of human beings can find more efficient agreements, saving labor time and money, because automated agents are more likely to follow game-theoretic prescriptions.

Solving a microeconomic problem means finding the optimal strategies for each agent in the market. These strategies are those prescribed by the Nash equilibrium. A Nash equilibrium (named after John Forbes Nash, who proposed it) is a solution concept of a game involving two or more players, in which each player is assumed to know the equilibrium strategies of the other players, and no player has anything to gain by changing only his or her own strategy unilaterally. If each player has chosen a strategy and no player can benefit by changing his or her strategy while the other players keep theirs unchanged, then the current set of strategy choices and the corresponding payoffs constitute a Nash equilibrium. Algorithmic game theory provides the appropriate tools for solving such game problems.
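The Cournot oligopoly model and the Nash equilibrium definition of the two paragraphs above, worked through in Python as an added example (not the project's code): two generating companies choose quantities, the equilibrium is found by alternating best responses, and the "no unilateral gain" property is then checked directly. The linear inverse demand `a - b*(q1+q2)`, the marginal costs `c1`, `c2` and all numeric values are constructed assumptions.

```python
"""Cournot duopoly as a small electricity-market game: find the Nash equilibrium
by best-response iteration and verify the no-unilateral-gain property.
Added example; the demand and cost parameters are constructed, not from the proposal."""


def price(q1, q2, a, b):
    """Linear inverse demand: market price falls as total quantity rises."""
    return max(0.0, a - b * (q1 + q2))


def profit(own_q, other_q, cost, a, b):
    """Profit of a generator selling own_q at the market price."""
    return (price(own_q, other_q, a, b) - cost) * own_q


def best_response(other_q, cost, a, b):
    """Quantity maximizing own profit given the rival's quantity (first-order
    condition of the concave profit function, clipped at zero)."""
    return max(0.0, (a - cost - b * other_q) / (2.0 * b))


def cournot_nash(a, b, c1, c2, tol=1e-9, max_iter=1000):
    """Alternate best responses until neither player wants to move; for the
    duopoly this contraction converges to the unique Nash equilibrium."""
    q1, q2 = 0.0, 0.0
    for _ in range(max_iter):
        n1 = best_response(q2, c1, a, b)
        n2 = best_response(n1, c2, a, b)
        if abs(n1 - q1) < tol and abs(n2 - q2) < tol:
            return n1, n2
        q1, q2 = n1, n2
    raise RuntimeError("best-response dynamics did not converge")


def is_nash(q1, q2, a, b, c1, c2, step=1.0, n=50):
    """Nash check from the definition: scan unilateral deviations of each
    player and confirm none of them raises that player's profit."""
    p1 = profit(q1, q2, c1, a, b)
    p2 = profit(q2, q1, c2, a, b)
    for k in range(1, n + 1):
        for d in (k * step, -k * step):
            if profit(max(0.0, q1 + d), q2, c1, a, b) > p1 + 1e-9:
                return False
            if profit(max(0.0, q2 + d), q1, c2, a, b) > p2 + 1e-9:
                return False
    return True
```

For a = 100, b = 1, c1 = 10, c2 = 40 the iteration converges to q1 = 40, q2 = 10 at a price of 50, which matches the closed form q1 = (a - 2c1 + c2)/(3b); the first round of best responses (45, 7.5) fails the Nash check because each player still gains by moving.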

The bidding strategy of the power generating companies is modeled by applying complex adaptive systems (CAS) theory to the electricity market environment. CAS is essentially the idea of describing the conditions of interaction between an agent and its environment over time (a dynamic relationship): both the agent and the environment change in time, either independently or as a consequence of their mutual interaction. Since the 1990s, agent-based simulation modeling has been widely used in socio-economic and economic fields of study. It is a bottom-up simulation approach. For the purposes of this project and according to the work plan, following a detailed research review and drawing on the knowledge the co-directors already possess in their respective domains, the latest research results (algorithms) will be used to directly simulate the trading system with agents at the micro-level, including interactions between agents and regulatory agents as they exist in the real world, with their most relevant capabilities to influence the simulated power system.

AnyLogic, the proposed agent development environment, is the only available tool that supports all the most common simulation methodologies in use today: System Dynamics, process-centric (discrete event), and agent-based modeling. The flexibility of the modeling language enables the user to capture the complexity and heterogeneity of business, economic and social systems to the desired level of detail. AnyLogic’s graphical interface, tools, and library objects allow modeling of diverse areas such as manufacturing and logistics, business processes, human resources, and consumer and/or patient behavior. The object-oriented model design paradigm supported by AnyLogic provides for modular, hierarchical, and incremental construction of large models.

The framework envisioned for this component covers both simulation and analysis of market player motivations and simulation of real market behavior, using test cases which can be either taken from real life or suggested by end-users.

Communication infrastructure component

SCADA systems evolved from the insecure telemetry systems of the 1960s to current systems that include computers and internet connections. In the past, control systems such as SCADA were isolated from other information systems. With the rise in system complexity and in the number of threats, the connection of most computers to the internet, and little or no security features, current SCADA systems are vulnerable to cyber terror or major disruptions. For example, if terrorists succeed in sending, from a computer connected to the internet, a control message that manipulates measurement signals, valves, or even whole power station operation, they can create a major disaster for public safety and health. Recent data indicate a significant increase in cyber attacks against SCADA systems. Although the exact number of cyber attacks against control systems is not known, because many companies withhold such information from the public, a few recent cyber attacks indicate the potential of the threats.

The communication infrastructure module simulation rounds off the other two components. Current research at the University of Zagreb includes the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) and IP security (IPsec), to be simulated using an agent-based methodology: all communication routes will be modeled using their physical parameters, forming a telecommunication system through which measurements from the physical system flow towards the simulated SCADA, and market data travels to traders. Research on possible implementations of SSL/TLS and IPsec within large existing SCADA systems owned by the project’s end-users will also be performed.

Motivation for research and expected results

Safety and environmental compatibility means that neither personnel safety nor the quality of the environment (natural or otherwise) is endangered. Therefore, the overall security concern for SCADA typically originates from malicious threat agents attempting to disrupt an industrial process, either to interfere with its specified operation (e.g. to create a power outage) or to negatively impact the environment and/or personnel safety. This is also recognized in earlier publications funded by NATO Science for Peace efforts (see “Responses to Cyber Terrorism”, vol. 34 of the NATO Science for Peace and Security Series: Human and Societal Dynamics, March 2008).

So far, using current agent-based technologies in any SCADA system has not been feasible due to the differences between the processes and the networks deployed across various industries. However, in our view, there exists a subset of non-functional requirements (including security and reliability ones) that is applicable to all SCADA implementations. This subset is the focus of the present proposal. In our opinion, the proposed SCADA testbed can be developed to encompass such requirements and create a foundation onto which specific SCADA systems can be ported with limited effort.

Novel aspects of the project

As agent-based systems have so far not been applied to any critical infrastructure control system, nor are they used for supervisory control and/or decision-making support, the result of the project, a prototype of an advanced SCADA system, will make a novel contribution to application-level development in the NATO countries, potentially leading to relevant industrial applications.

The goals for this work are to develop a prototype intelligent, resilient, scalable and secure agent-based architecture for SCADA systems, by the following approach:

  • Fill in gaps in the current understanding of how simple transition rules and network geometries can combine to permit system-spanning cascades, and identify how dropping the common assumptions of current models influences cascading;
  • Discover the ranges of parameter values that cause transitions in macro-scale behavior (e.g. between isolated failure and pervasive failure);
  • Use agent-based technologies to perform early detection and control of critical situations, including distributed adaptive negotiation techniques instead of centralized control approaches; this is where cutting-edge technological developments are happening in the world.
