Two Parts

I Adaptive Security Dependability

II Threats from New Technology

I Adaptive Security Dependability

(Second DOE Demonstration project)
CIEE
(California Institute for Energy and the Environment)
Virginia Tech
Southern California Edison
Pacific Gas and Electric
San Diego Gas and Electric
Mississippi State

The protection system was designed to protect equipment

why? system was overbuilt. The system would work with a
line out. Damaged equipment meant customers out of service
- high cost. Multiple primary (3 on transmission lines)
protection and layers of backup protection. Backup of a
backup
A relay can do two things wrong trip incorrectly or fail to trip.
dependability is "the degree of certainty that a relay or relay
system will operate correctly",. Security "relates to the degree
of certainty that a relay or relay system will not operate
incorrectly
The current system is dependable at the expense of security
trigger happy

Adaptive Protection

Adaptive protection is a protection philosophy

which permits and seeks to make adjustments
automatically in in various protection functions in
order to make them more attuned to prevailing
system conditions

Adjusting balance of security-dependability

What terminal?
What measurements?

Determination of triggering logic

PMU data

System State
Assessment

PMU data
Supervisory
signals

See detail
below

Critical
System
Locations

Performance evaluation

Supervisory
signal
Relay 1

OR

Relay 2

VOTE

Relay 3

AND

Adjustment of DependabilitySecurity balance under

stressed system conditions.
JST

Voting Scheme

JST

Adaptive Voting Scheme with three primary relays.

State of the System

Stressed
Security = Vote

Safe
Dependability = Dont Vote

Adaptive
Voting
Scheme

We are NOT changing relay settings neither during, before or

after a fault.
The choice of location for the measurements and the voting
logic is obtained using data mining software.
We create the data base by running many simulations
(15,000) CART Classification and Regression Trees

Recursive Partitioning Algorithm

(b)

o
1

x
o

0.6

o
o
o

1.8

o
1

1.2

(a)
2

CART selects splitting variables and the logic of the tree. That is, CART
selects PMU locations and the logic.

Decision Tree Diagram

(a,b)
Is a > 1.2
yes
Is b > 0.6
yes
Is a > 1.8
yes
o

no
no
x

no
x

PMU Placement:

Line Current

PMU

TESLA

LOSBANOS

ROUND MT

LOSBANOS

MIDWAY

TESLA

N.GILA

IMPRLVLY

VINCENT

TRACY

TESLA

LUGO

LUGO

VINCENT

IMPLVLY

METCALF

MOSSLAND

LUGO

MOHAVE

MALIN

ROUND MT

Less than 1% error rate in 15,000 cases half of which

would have caused serious problems without voting. Two
kinds of error: 1) fail to vote when you should have
2) Vote when you should not have. 1) is what we now do

More about CART

Then PG&E said they did not want to waste a PMU at the
reference bus Pittsburg. Make the reference bus a 500 kV
bus.
Could not find a 500 kV reference with the same 1%
performance. Had to use different references in summer and
winter
I gave a couple of talks at Statistical and Applied
Mathematical Sciences Institute (SAMSI) NSF, Duke, NCSU,
UNC Consortium. They use CART to look for DNA cancer
markers. My 15,000 ~ their 1,000,000

CART

CART data is in an array, rows are events and

outcome
Columns are measurements. We use magnitude
and angles for voltage and real and imaginary parts
of currents. CART picks measurements to use for
splitting.
One column at a time the way we are doing it.
If it picks the column it gets a real or imaginary part
of the current to branch on. Creates a problem
when you have to change the reference

Real data

Heavy Winter training data.

4150 cases 133 measurements counting

real and imag parts of currents. 43
voltage angles 40 complex current. Red
vote Blue dont vote
Heavy Summer 11367 cases 113
measurements
Voltage angles and real and imaginary
parts of currents

Cart would like data like this. This is an almost

perfect first splitting node.

But this is what you are more likely to get

Solution

Form the perpendicular bisector of the line

joining the centroids.
The centroid of the blue points is the
average of the x point and the average of
the y points taken over all 4150 points.
Same for red points.
Consider line joining the centroids. Bisect it
and form a perpendicular

Centroids in
green

xi, yi a data point

perpendicular
x-(1/)y== xi-(1/)yi
x+y=
Dividing line

xi y i
d1(i ) =

1
[ xi yi ]
2
(1 + )

d1(i)

sign( d1(i )) > 0 below

sign( d1(i )) < 0 above
xi yi

d1(i ) =

Make a new matrix for CART with x and y

replace by d1. Remember .
The split will be
d1>.23
d1<.23

1
[ xi yi ] > 0.23
(1 + 2 )
blue

red

y
beta=-0.4068,
gamma=4.2446
x+beta*y=gamma

NE1=0,
NE2=22
0.53% error

min(d1(1:1636))=2.1e-004
max(d1(1637:4150))=0.03
x

Heavy Winter line 1106 complex current per unit

Blue - dont vote (1) 1636 points
Red - vote (0) 2514 points

More dimensions

A single PMU measures at least one voltage and one current

(usually more). The minimum amount of data is 3 a voltage
angle and real and imag current. Could go up to 10 or 12.
Trajectories in impedance. Even six point gives 12 numbers.
Now need an idea from R. A. Fisher: Fishers Linear
Discriminant Analysis (1936)
Normalize the data with the experimental covariance matrix.
That turns ellipsoids into spheres. Now the perpendicular
bisector of the line joining the centriods is optimum

II Threats from the new Technology

Expense of retrofitting Chinas mandate is easy

with new construction (a Chinese student said you have
a market we have a government)

Here the cost of PMU retrofit and communication

dwarf the cost of the PMU
So we will have a mix of legacy (dumb) protection
and new smart protection.
As an example many utilities are installing
dedicated fiber communication for
synchrophasors (Sonet -NASPINet) but at least
one will send PMU data over the Verizon network

It is rumored that 60% of the SEL digital relays

installed still have the default factory password.
It is accepted that access through a digital relay
was the entry technique used by the Idaho National
Laboratory in the Aurora Project in 2007 to gain
remote access to a $1 Million diesel-electric
generator and destroyed it. The Aurora tape is at

http://www.youtube.com/watch?v=fJyWngDco3g&feature=related

Once youre in, and you know something about

synchronizing systems it's all too easy to destroy the
engine/generator coupling or the entire engine

Dual purpose line relay-PMU

SEL 621 and Siemens dual purpose line relay and PMU
can do something new in this vein.
Because of the GPS multiple dual purpose devices in
widely distributed location can open and close breakers
synchronously to force the low frequency modes of the
system.

Switching between two

stable systems at the
right times = unstable
Even randomly with a good
distribution

15

10

-5

-10

-15

-10

-5

10

15

EMP

EMP: I was recently asked if I was interested in working

on EMP. I have heard there is a non-nuclear EMP
I am not an expert on the details and I can not evaluate
the possibility of EMP being used as an act of terrorism
but I remember Clark Gellings of EPRI saying after
Katrina that Katrina had exhausted the supply of parts
for substation, insulators, transformers, etc.
We have a strategic petroleum reserve but I am pretty
sure we have no reserve of digital relays, ( there are
2.5M of them) PMUs, IED (Intelligent Electronic
Devices), etc. many of which would be need to be
replaced after an EMP event. On the other hand we are
glad we did not stock up on IEDs 15 years ago.

At Transmission level :

Advanced communications and measurement technologies are

required to deal with the system that will have to be created. (NASPI
NET). DC lines, DC-DC connections, and FACTS, will be required to
control power flow beyond Kirchhoff's laws.

All of these present opportunities for cyber security problems.

The conventional CS cyber security techniques developed for
conventional computer and communication systems can not be
applied blindly. The threats are different.
Premise is that power system expertise is required. I spent the
summer of 2010 talking to new audiences in SCIFs

May 10th and 12th

May 10th
Joseph McClelland, director of FERCs Office of Electric Reliability, told
the Senate Committee on Energy and Natural Resources last week that
FERC needs expanded authority over the electricity grid in order to fulfill
its mandate to protect the grid from physical and cyber attacks

May 12th
The U.S. government is warning critical-infrastructure operators of a
serious hole in software used in oil and gas; water; electric utilities; and
manufacturing plants around the world.
The stack overflow vulnerability affects the Genesis32 supervisory control
and data acquisition (SCADA) and BizViz software sold by ICONICS,
according to an advisory (PDF) released yesterday by the Department of
Homeland Security's ICS-CERT (Industrial Control Systems Cyber
Emergency Response Team). ICONICS has issued a patch to close the
hole, which could allow an attacker to remotely execute code and take
control of the computer.

Attacks

I was asked to consider a device that can destroy a city block.

Could you place ~20 of them so as to seriously disrupt the
grid for an extended period?
Recovery from 2003 blackout was much better than 1965 or
1977. No equipment damaged. The protection system
worked. The extended period part seems to require damaging
things that are hard to replace.
Transformers almost no spare transformers
Surry Nuclear plant with two nuclear units hit by tornado this
spring. Had to shut down both units. A dumpster was thrown
50 feet into a transformer. The guts of the transformer were
Ok but bushings damaged.

The consensus was that destroying substations that fed

peninsulas or islands. (Manhattan or San Francisco) was
more likely than taking on the entire eastern interconnection.

So add transformers to the strategic power system reserve.

And worry about where to locate the spare transformers.

More Issues

Spoofing GPS: Made the PC World list of six

biggest threats

Security expert Roger Johnston, a systems engineer at the Argonne

National Laboratory in Chicago, says spoofing GPS signals is the
greater danger, explaining that GPS receivers are low-power devices
that latch on to any strong signal. In tests, he has set up a GPS
spoofing signal, operated out of a passenger car, that sends
erroneous GPS information to nearby receivers. "You don't have to
know anything about electronics or GPS to set these up; they are
very user-friendly," says Johnston.
The Argonne National Lab set up a spoofing system that fed
inaccurate data to GPS receivers -- such as those found in
ambulances or delivery trucks -- from the trunk of a car.

Application: Wrong time means the phasor data

concentrator will align the wrong signals and
produce incorrect answers. Incorrect estimates
mean the locational nodal prices in the market are
wrong. Can manipulate the market.

Geomagnetic Storms - Geomagnetically

Induced Currents (GIC)

GICs are a result of erupting sunspots. Sunspots are massive dark areas on
the surface of the sun that lie on top of hurricanes of electrified gas. When
sunspots erupt, they release a coronal mass ejection (CME) at approximately
2 million miles per hour. Geomagnetic storms occur when the CME impacts
the Earth's magnetosphere, thereby disturbing the solar wind and reducing
the global magnetic field. While these powerful storms usually trigger
auroras, they can also damage energy and communication systems.
1 According to Faraday's law of induction, a temporal change of a magnetic
field is always accompanied by an electric field. Therefore, an electric field is
associated with geomagnetic activity. The geomagnetic variation and the
geoelectric field observed at the earth's surface depend primarily on
ionospheric-magnetospheric currents and secondarily on currents and
charges induced in earth. A part of the earth currents can flow into man-made
conductors, like power transmission systems, pipelines, telecommunication
cables and railroads. Such currents are called geomagnetically induced
currents (GIC).

Geomagnetic storms can affect power operations when GICs flow through
power lines to substation transformers, saturating the transformer core with
electricity. GIC is DC. The extra voltage fluctuations produced in the
transformer cause relay operations that can suddenly prevent power lines
from functioning. As well, the stability of the entire system can be
compromised when compensators switch out of service due to irregularities
in voltage levels.

Power stations may experience increased vulnerability due to advances in

technology. Modern power systems are interconnected in such a way that
they are quite stable and are safeguarded against localized failures. This
interconnectedness, however, can lead to increased vulnerability in some
circumstances. When a solar storm damages one system, systems
connected to it can experience failure as well. Also, some systems that
experienced problems during the last peak in Solar Cycle 22 may be stressed
because they are currently increasing the electrical load on their systems
and, in turn, can be more affected by geomagnetic events that happen during
Solar Cycle 23.

Preventative measures have been implemented to avoid events such as the

1989 Quebec blackout. System operators in Canada have developed and
implemented procedures to respond to these emergencies, thereby reducing
potential damage due to GICs. Since 1989, Hydro-Quebec has spent more
than $1.2 billion installing transmission line series capacitors. (block DC)
These capacitors block GIC flow in order to prevent them from causing
damage to the system. Hydro-Quebec has also installed monitoring
equipment that spots voltage fluctuations and immediately notifies operators
so that they may redistribute the load to other parts of the network. Additional
protective measures include disconnecting the links between power grids,
desensitizing automatic control systems, delaying power station maintenance
and delaying the replacement of equipment. Utilities are also relying on space
weather forecasting to help remain operational during geomagnetic storms.
Operators can implement conservative operating procedures once they have
receive an advance warning of a storm threat