Proceedings of the 35th Hawaii International Conference on System Sciences - 2002

Barriers to a Wide-Area Trusted Network Early Warning System

For Electric Power Disturbances

Paul W. Oman and Jeff Roberts

Schweitzer Engineering Laboratories, Inc.
Pullman, WA 99163-5603
(contact: paulom@selinc.com)

Abstract islanding are all means to dampen the wild system

It is apparent that perturbations of the North American
electric power grid follow the patterns and characteristics
of Self Organized Critical (SOC) systems. Published
studies show SOC systems exhibit statistical properties
that may result in early warning systems predicting
electric power instability and loss of reliability. However,
in order for such an early warning system to exist, a
trusted wide-area data network must collate information
from disparate subsystems and compile that information
into homogenous data records for input to a modeling
system. This paper explores similarities between wide-
area trusted computer networks and the needs of a wide-
area trusted network early warning system for electric
power instability. An analysis of commercial equipment
used in power stations uncovers disparate access methods
and protocols that inhibit interoperability, and yet that
problem has been mitigated in computer networking.
Recent advances lend hope that wide-area data collection
and modeling of electric power system perturbations will
be commonplace in the not to distant future.
I. Modeling Disturbance Data
oscillations evident during stages of transient stability.
The North American Electric Reliability Council
(NERC) has kept power system disturbance data for the
years 1984 to present. There have been several efforts to
model the data and although there are disagreements as to
the best statistical approach, most researchers agree that
the data exhibit three characteristics:
1. Nominally the data show a steady-state stability (aka,
slow dynamics or slow timescale), with only mild
fluctuations as the system rebalances to equilibrium
after normal load/generation fluctuations.
2. Major disturbances are manifest as transient stability
(aka, fast dynamics or fast timescale), with wild
oscillations triggered by faults due to natural
phenomena and/or sudden, unexpected system
perturbations.
3. The probability distribution function of power
demand/loss during cascading transient stability
exhibits an exponential “power law tail” (aka heavy
tail distribution) that can be linearly modeled in log-
log scaling.

The electric power grid can be modeled as a complex
system of dynamic load and generation balances
characterized by two types of stability. Steady-state
stability describes the nominal balancing of relatively
minor disturbances in load/generation fluctuations caused
by normal start-up and shut-down events associated with
the millions of appliances and equipment attached to the
grid. Constraints on operating parameters – nominally
voltage levels, current magnitudes and power flows – are
used to achieve steady-state equilibrium where the
generation input is matched to system losses and electrical
outputs. Whereas, transient stability describes the power
systems ability (or lack thereof) to absorb major
disturbances and return to a relatively balanced steady-
state. Load shedding, generation shedding, and regional
Several models have been constructed to analyze and
interpret the NERC disturbance data. Among them are
Self-Organized Criticality (SOC) first proposed by
Carreras, et al. [1] and later supported by collaborative
work with others [2,3,4]; Highly Optimized Tolerance
(HOT) proposed by Carlson and Doyle [5]; and the DC-
Fuse model recently proposed by Chen, Thorp, and
Parashar [6]. All three approaches parameterize both the
slow and fast dynamics of the disturbance data, and
exhibit probability distribution functions with power law
scaling and power tails that can be modeled as a linear
function of the power distribution exponent. Further
research is needed to determine relative accuracy and
benefits of each model, but initial results suggest that
disturbance prediction is feasible if the right global

0-7695-1435-9/02 $17.00 (c) 2002 IEEE 1

Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
 Proceedings of the 35th Hawaii International Conference on System Sciences - 2002
system conditions are accurately monitored and reported
in a timely fashion.
In their comparison of the NERC data to SOC sandpiles,
Carreras, et al. concluded that (a) excluding weather
related disturbances had little effect on the modeling, and
(b) correlations between blackouts can be attributed to
power system global dynamics rather than correlations in
events that trigger outages [2]. The idea that random
events (e.g., weather) can trigger a disturbance and still
have little effect on the model seems counter-intuitive, but
is easily expla ined by recognizing the “near-critical”
nature of the system and “near-trip” nature of system
events [3]:
“If the system operates close to a ‘critical’
point, some aspects of the response of the system
to random perturbation may have a universal
character.”
This strongly suggests that understanding the near-
critical global dynamics – and monitoring the near-trip
events that occur within the system – may lead to
predictive systems capable of providing warning that
steady-state equilibrium is in jeopardy and the system is
on the verge of slipping into transient stability.
Preliminary work has affirmed this suggestion and lends
support to the claim that major disturbances are somewhat
predictable. In their Markov model of a DC load flow
network, Dobson, et al. [4] define a system where:
“Lines fail probabilistically and the consequent
redistribution of power flows is calculated …
{such that} cascading line outages leading to a
blackout are modeled and the lines involved in a
blackout are predicted.”
II. Real-Time Predictive Modeling
Rapid progress in the modeling of electric power
disturbance events is evident in the last two years of
research from the CIN/SI federal funding program. 1 This
progress lends hope that real-time predictive modeling of
these events may be feasible in the near future. Such real-
time modeling may enable faster acting automated and
manual controls during the early stages of a disturbance in
order to dampen oscillations and improve transient
stability. For example, an analysis of the 1996 West
Coast cascading blackout suggests that an early warning
system operating within a 5-6 minute window could have
1. Complex Interactive Networks/Systems Initiative, a
DOD university research initiative.
0-7695-1435-9/02 $17.00 (c) 2002 IEEE
Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
initiated load shedding of 300-400 MW and/or given
sufficient notification for operators in California to bring
auxiliary generation on line [7,8,9]. Data from [9] shows
several instances where a regional early warning system
for electric power disturbances could have alerted
operators to necessary actions prior to islanding, and thus
preserved service for the majority of customers. These
actions could have prevented the cascading outages and
subsequent islanding that affected 7.5M customers in 11
U.S. states and two Canadian provinces, and cost an
estimated $1.5B dollars in damages and lost service
revenues.
At the macro-economic level there are two approaches
to implementing a very wide-area (e.g., regional or
national) control/warning network: (1) strongly
centralized and (2) highly decentralized. Extreme
examples at both ends of the spectrum would be the
centralized DOD war-room model and the decentralized
Internet E-commerce model, respectively. For critical
applications, such as controlling inter-regional electric
power fluctuations, both approaches require very fast
calculations, high speed communications, uniform or
homogenized information structures, a robust
communications infrastructure that is resilient to attack
and natural phenomena, guaranteed quality of service
levels and service agreements, and an integrated trust
hierarchy (or framework).
In a trusted computing network, trusted paths or
channels are opened between the sender and receiver so
that information can be shared without compromising the
safe, reliable operation of the control functions of the
computing systems at either end of the communications
path. Hence, a trusted computing system requires:
• Access by trusted parties
• Denial of access to unauthorized persons
• Sender and receiver authentication
• Settings control and protection
• Communications integrity and confidentiality
• Accountability via access and alterations audit
logging
• Service policies and safeguards against denial of
service
• Mechanisms for both sender and receiver non-
repudiation
All of these mechanisms would have to be integrated
into any type of wide-area trusted network early warning
system for electric power disturbances. In the next
2
 Proceedings of the 35th Hawaii International Conference on System Sciences - 2002
section we list and discuss the barriers and obstacles to
implementing such a system.
III. Barriers to an Electric Power
Disturbance Early Warning System
Despite 18 years of research and development in the
area of trusted networked computer systems, robust,
reliable computer networks for critical applications and
infrastructures are still in their adolescence. Evidence of
the defensive weakness and fragility of E-Commerce,
telecommunications, and finance abound in the plethora
of cyber-attacks, intrusions, theft, and financial fraud
conducted electronically every day throughout the United
States [10]. Further, the security and reliability of
military defense systems is becoming increasingly suspect
due to increasing incidents of cyber-espionage and
information warfare [10]. It is clear that the vulnerability
of any networked computing system increases with the
number of network access points enabled within that
system. Thus, a wide-area early warning network for
electric power disturbances suffers from the same barriers
and obstacles seen in creating wide-area trusted
computing networks:
• Absence of a wide-area protection-level
communications infrastructure
• Fragility of the Internet
telecommunications infrastructures
• Lack of network quality of service guarantees and
industrial strength service agreements
• Immaturity, fragility, and lack of interoperability in
trust frameworks
• Lack of requirements and standards for reporting
below-threshold disturbance anomalies
• The variety of control station and substation
communications protocols and their lack of
interoperability
• Socio-economic and political resistance to regulatory
controls
Optimistically, we would assume that the same
technologies for mitigating risk and imple menting
interoperability in computer networks could be used for
control and protection in electric power systems.
Unfortunately, this is only partially true. The reliability
demands and time-critical nature of electric power
systems place additional burdens on quality of service
guarantees and high-speed authentication and trusted
communications. We now elaborate on each of the above
barriers.
0-7695-1435-9/02 $17.00 (c) 2002 IEEE
Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
A. Absence of a Protection-Level Communications
Infrastructure
From their analysis of the 1996 West Coast outages,
Grudinin and Roytelman [7] conclude that a nationwide,
centralized control system modeled after the Russian
Centralized Emergency Preventive Automatic Control
(CEPAC) network would have been useful in diagnosing
the power disturbances and may possibly have reduced
the magnitude of the outage. In parallel arguments, (a)
Birman [11] states that in order to run mission-critical
applications across wide spatial areas we need to develop
a Virtual Overlay Network (VON) separate from any next
generation Internet network that may evolve, (b)
Stahlkopf and Wilhelm [8] argue for a Wide Area
Measurement System (WAMS), and (c) EPRI has
proposed the Inter-control Center Communications
Protocol (ICCP) as the base of an inter-regional
communications infrastructure. The literal intent behind
VON, WAMS, and ICCP is to segregate infrastructure-
related critical data communications (e.g., power system
protection) from non-critical communications like E-
commerce.
B. Fragility of Internet and Other
Telecommunications Infr astructures
As an alternative to a separate protection-level
communications structure, several utilities and
and other engineering services have experimented with using the
Internet for access to control station data and substation
equipment. While Internet access is sufficient for casual
observation and maintenance planning, it is unsuitable for
real-time protection. The Internet is characterized by
“best-effort” non-deterministic delivery via unsecure
dynamic routing, and is vulnerable to snooping, hacking,
and deliberate overloading (e.g., denial of service flood
attacks). These frailties preclude its use for any aspect of
time-critical control applications. Other
telecommunications infrastructures include the Public
Switched Telephone Networks (PSTN) and leased lines
forming Asynchronous Transfer Mode (ATM) networks,
Frame -Relay Permanent Virtual Circuits (PVCs), and
Frame -Relay Switched Virtual Circuits (SVCs). The
ATM and PVC solutions have reliability and quality of
service suitable for critical applications and are discussed
in the next subsection. PSTN and SVC solutions have
reliability and quality of service concerns, respectively,
that create questions about their use in real-time
applications.
C. Network Quality of Service and Industrial
Strength Service Agreements
There are two mechanisms for ensuring quality of
service guarantees over a network: (1) leased resources
sufficient to handle the maximum load, and (2) packet
3
 Proceedings of the 35th Hawaii International Conference on System Sciences - 2002
prioritization that ensures priority packets are delivered at
near minimum connection times. Implementing packet
prioritization on proprietary networks has been done for
many years, but on Ethernet networks this is still a
research topic. As alternatives, several companies and
organizations have implemented Ethernet TCP packets
over leased ATM or PVC lines. Fortunately, these two
communications mechanisms do provide quality of
service guarantees suitable for time -critical applications.
Unfortunately, the end-to-end TCP flow-control necessary
for quality of service implementation can interfere with
ATM and Frame-Relay packet construction, thereby
causing an indeterminate degradation in service quality
[12]. Further work is needed to better define quality of
service mechanisms within ATM and Frame-Relay
packets.
D. Immature, Fragile Trust Frameworks
At the heart of a wide-area early warning system will be
the means for communicating anomalies and disturbances
across spatial, economic, and governing boundaries.
Hence, trusted communication between sender and
receiver is a vital prerequisite before instigating any
control or protective action. There are three structures, or
frameworks, for establishing trusted interconnections
between computing systems: (1) Internet Protocol
Security (IPSec), (2) Public Key Infrastructure (PKI), and
(3) an informal “web of trust.” IPSec is an effort of the
Internet Engineering Task Force (IETF) to add security
mechanisms to the TCP/IP layers within the Ethernet
protocol. PKI is an attempt to create a world-wide
infrastructure for secure communications based on
asymmetric public-key cryptography. As an alternative to
PKI, the Pretty Good Privacy (PGP) group has
implemented and advocates an informal “web of trust”
where trusted users vouch for and include others in
formalized lists of who to trust. Other mechanism for
establishing trust levels and trust frameworks are being
explored, but by-and-large all of these efforts are focused
o n E-commerce and are not now sufficiently robust for
electric power control systems.
E. Reporting Below-Threshold Anomalies
In electric power systems FERC requires utilities to
report outages affecting 50,000 customers for 3 hours or
more, and in telephone communications the FCC requires
utilities to report failures affecting 30,000 customers for
over 30 minutes. There are no reporting regulations or
requirements for wireless communications and mobile
network failures. In none of these three domains are there
any reporting requirements for “near-critical” conditions
and “near-trip” events. Such data would clearly be useful
in both modeling and predicting power system
disturbances, and modern digital protective relays have
the capability to record and report these conditions.
0-7695-1435-9/02 $17.00 (c) 2002 IEEE
Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
Faults on critical supply lines, switching errors, and
large apparatus failures are the most commo n causes of
unstable power swings which leading to transient stability
oscillations. These swings are characterized by the loss of
synchronism between portions of the interconnected
power systems such as that shown in Figure 2. During
these swings, system voltages and currents can be quite
large. The task of detecting these swings has been
traditionally performed by autonomous out-of-step block
and trip-measuring elements in protective relaying located
in critical substations. These elements and the associated
logic detect and distinguish between recoverable and non-
recoverable power swing conditions.
Source S Source R
Figure 2. System Single-Line Diagram
During a fault, the real electrical power output of a
generator becomes less than the mechanical input to the
generator. This unbalance of input power to output power
increases the generator speed. The generator control
systems sense this speed increase and sends control
signals to decrease the rotor speed in an attempt to match
the input and output power. It may take many seconds for
the generator controls to effect this change (this is
especially true in hydroelectric installations where the
prime mover controls are rather large mechanical
apparatus). From the perspective of the sending and
receiving ends of the power system, suppose the
receiving-end of the power system is very load intensive
(e.g., California) and the sending-end is very generation
intensive (e.g., Pacific Northwest). During the fault
shown in Figure 2, the receiving-end is slowing down due
to a lack of received power. The sending-end during the
fault is speeding up. This condition where one end of the
system is slowing down while the other end is speeding
up, sets the condition for power oscillations that can lead
to massive blackouts.
With the fault cleared, the inequality of the sending and
receiving power requirements, and the increased
reactance results in a power swing. By this time the
receiving-end has absorbed the additional sending-end
rotor inertia energy. At this point, the power system is
close to equilibrium but the electrical output of the
sending-end has now exceeded its mechanical input and
the swing reverses. The swing follows continues to a
point somewhere below the mechanical/electrical
4
 Proceedings of the 35th Hawaii International Conference on System Sciences - 2002

equilibriu m point, where the power swing direction
reverses again. This oscillation continues unless
generator control action or system switching takes place.
From this discussion it should be obvious that several
instances of near-critical and near-trip conditions exist,
and that these conditions can be monitored to provide
real-time notification that the system is approaching
instability.
F. Control and Substation Protocols With Minimal
Interoperability
In a typical control station or substation you find a
plethora of communications protocols including a
multitude of proprietary protocols as well as: EIA-232,
EIA-485, Ethernet, Utility Communications Architecture
(UCA), Distributed Network Protocol (DNP), Modicom’s
Modbus and Modbus-Plus, Profibus, Foundation
Fie ldbus, and ControlNet. These protocols are used to
connect the protection equipment such as breakers,
reclosers, relays and Intelligent Electronic Devices
(IEDs), to control equipment like Remote Terminal Units
(RTUs), Data Processing Units (DPUs), communications
controllers, local PCs, and SCADA devices. Figure 3
shows an example substation configuration with varying
communication protocols within and external to the
station. The diversity and lack of interoperability in these
communication protocols create obstacles for anyone
attempting to retrieve disturbance data (trip, near-trip,
critical, or near-critical) from the station.
G. Resistance to Regulatory Controls
Despite the calls for centralized control structures and
increased regulatory requirements (discussed earlier), it is
doubtful whether today’s socio-economic and political
climate would support such actions. The failed
deregulation attempt in California have slowed but not
stopped similar efforts in the Southeast U.S. Thus, it
seems that the electric power industry will undergo the
same deregulatory actions and influences experienced by
U.S. telephone, railroad, and airline industries. It remains
questionable, however, if a keystone critical infrastructure
like the electric power grid should be stressed and
jeopardized by deregulatory machinations.

F G
A
IED
IED Modem
C Remote Access
Remote Control IED
IED Network
Interface
IED
Local Control E Remote Access
B H
Substation
Controller
LAN 1 Network
Interface IED IED IED IED
F

D C
E G

Modem
Router to WAN Remote Monitoring Remote Access
A. Proprietary SCADA or Ethernet E. Local Ethernet or Internet
B. Proprietary, EIA232, EIA485, Ethernet, UCA, or ControlNet F. EIA-232
C. Proprietary G. V.32, V.34, WAP, or WEP
D. Ethernet H. DNP, Modbus, Profibus, or Fieldbus

Figure 3. Substation Communication Protocols

0-7695-1435-9/02 $17.00 (c) 2002 IEEE 5

Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
 Proceedings of the 35th Hawaii International Conference on System Sciences - 2002
IV. Emerging Technologies Reducing
Barriers and Obstacles
We have drawn parallels between the problem of
constructing wide-area trusted computer networks and the
need for a wide-area trusted network for monitoring and
controlling electric power grids. We now identify
technologies from computer networking and electric
power system protection that might be used to overcome
obstacles and foster development of such an early
warning system:
• Recognition for and the development of information
infrastructures
• Investigations into improved quality of service LAN
parameters and service level agreements
• Tunneling utility protocols within Ethernet’s TCP/IP
layers
• Improvements in hardware for authentication and
secure network tunneling
• Research in trusted third-party infrastructures
• Next generation FACTS and Intelligent Electronic
Devices (IEDs)
• Revisiting the issue of deregulation
Figure 4. A Protection-Level Network Overlay
0-7695-1435-9/02 $17.00 (c) 2002 IEEE
Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
A. The Development of Information Infrastructures
There have been several calls for a nationwide
information infrastructure that could be used for electric
power management. Bakken and Bose [13] are working
on GridStat, an information infrastructure for gathering
and disseminating electric power grid status information.
Similarly, Stahlkopf and Wilhelm [8] propose a Wide-
Area Measurement System (WAMS) consisting of GPS-
based phasor measuring instruments, power system
monitors, and FACTS devices, all combined with
substation data via ICCP. They suggest that such an early
warning system could have prevented the 1996 West
Coast cascading blackout by giving California operators
sufficient time to bring auxiliary generators on-line in the
time between the initial faults occurring in Oregon and
the subsequent loss of the North-South inter-tie in
Northern California roughly 6 minutes later. In that
particular case, a virtual overlay network early warning
system, as depicted in Figure 4, may have given operators
in Southern California sufficient time to shed load or
increase generation prior to the separation of the North-
South inter-tie. The figure shows how an independent
protection-level communication infrastructure might be
overlaid on the Western U.S. power grid with inter-loop
gateways and access paths to key control stations and cut-
points. Advances in fiber-optics (e.g., SONET) make this
type of network feasible today.
6
 Proceedings of the 35th Hawaii International Conference on System Sciences - 2002
B. Improved LAN Quality and Service Level
Agreements
There is a growing recognition of the need for quality of
service parameters on the Internet in general, and over
time-critical LANs/WANs in particular. For example,
Dixit and Ye [12] looked into quality of service
implementations over TCP/IP stacks and concluded that
the need for ultra-high speed data-centric networks was
just around the corner and that existing LAN structures
were inadequate to meet that need. They call for the
definition and implementation of new service mechanisms
built into the IP layer of a fi ber-optic LAN backbone.
Advancements in robustness and quality of service over
leased lines (e.g., ATM and Frame -Relay) may be seen in
the near future. The Frame -Relay Forum and the ATM
Forum have combined to form a task group investigating
mechanisms for increased interoperability and higher
levels of service. The are working on, among other
things, Frame -Relay to ATM protocol conversion and
ways to partition real-time data (e.g., voice and video)
into Frame -Relay packets without loss of quality.
C. Tunneling Utility Protocols Within Ethernet’s
TCP/IP Layer
In spite of all of its frailties, there are several success
stories of implementing utility protocols over Ethernet’s
TCP/IP and UDP/IP stacks. For example, Schweitzer
Engineering Laboratories (SEL) recently implemented the
UCA GOOSE (Generic Object-Oriented Substation
Events) and GOMSFE (Generic Object Models for
Substation and Feeder Equipment) models over TCP/IP.
Analysis of those implementations with respect to IEC-
834 standards for power systems’ teleprotection show that
for closed-LAN communications tunneling the UCA
protocols under TCP are more than adequate to meet the
time-critical needs for substation protection events [14].
Other efforts by SEL and various protective relay
manufacturers are having success implementing utility
protocols over TCP/IP and UDP/IP. Thus, it seems that
Ethernet has provided us with a common protocol for
most, if not all, LAN-based substation equipment data
communication.
D. Improvements in Hardware for Authentication
and Secure Tunneling
Advances in hardware and cryptographic authentication
devices have been well proven in large financial
transactions and military applications, and can be directly
implemented in the electric power control and monitoring
domain. Microcontrollers and ASICs for
cryptographically secured communications are now
available from a variety of commercial vendors. Intel, for
example, is now marketing a network interface card with
0-7695-1435-9/02 $17.00 (c) 2002 IEEE
Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
an onboard crypto-chip that boasts 113 Mbps throughput
while running a 168-bit Triple -DES encryption algorithm
on all I/O. Integration and automation engineers are
starting to recognize the value of these turn-key
commercial solutions.
E. Research in Trusted Third-Party Infrastructures
Because of the boom in cyber-hacking activity targeted
against E-commerce and military computer installations
there has been much attention focused on developing trust
levels and flexible trust frameworks within computer
networks. For example, Vogt, et al. [15] suggest a
framework for exchange protocols that increase in trust
and expense as the importance of the exchange heightens.
And Wichert, et al. [16] show how a non-repudiation
scheme could be implemented in CORBA middleware
using an XML document format based on the IETF’s
digital signature standard. When combined with
hardware authentication devices like SmartCards, digital
signatures may provide the extra layer of authentication
and non-repudiation necessary for critical applications.
F. Next Generation FACTS and Intelligent Electronic
Devices
Technologies specific to electric power system
management are also evolving into next generation
devices that will help enable a wide-area early warning
network. Flexible AC Transmission System (FACTS)
devices are using new sensor technologies and better
algorithms for faster power transfers across wider control
areas. This helps optimize power transmission and
distribution. Similar advances are being made in
microprocessor controlled protective relays and IEDs.
Today’s IEDs are nominally capable of measuring and
storing 960 voltage, current, and phasor samples per
second, and state-of-the-art devices are being released
with nearly 10 times that capability. Combined with this
faster/larger sampling are improved techniques for
device-to-device communications and LAN
interconnections. Analyses and experiments at SEL show
that multi-device protection schemes can be optimized for
sensitivity, security, and operational time [17].
G. Revisiting Deregulation
Lessons have been learned from the California
deregulation fiasco. Other regions have slowed or
adapted their deregulation efforts, politicians are calling
for increased production and conservation, and engineers
are looking for better, more efficient solutions to bulk
power transfers. As part of this last effort, on-line
stability analysis and modeling, state estimation functions,
and adaptive algorithms for inter-tie cut-sets will have to
be developed. Together with post-emergency balancing
procedures, these are the issues that Grudinin and
7
 Proceedings of the 35th Hawaii International Conference on System Sciences - 2002
Roytelman identified in 1997 as missing components to
an improved wide-area automatic control system [7].
Thus, it would be ironic if failed deregulation efforts were
the impetus for adopting a centralized scheme for inter-
regional load balancing and protection.
V. Conclusion
We are approaching an era in which electric power
system anomalies can be modeled in real-time using data
from disturbances, near-critical conditions, and near-trip
events. These models can then be used to prescribe
corrective actions to maintain steady-state equilibrium, or
at least dampen transient-state fluctuations. Concurrent
with the research progress in modeling these events are
advances in networking technologies for high(er) speed
wide-area trusted computing systems spanning a
multitude of spatial, operational, and commercial
distances. Technological and socio-political barriers to
the successful implementation of a wide-area electric
power disturbance early warning system are similar to
those of implementing a trusted wide-area computer
network for E-commerce or finance, but more exacting
because of the ultra-fast time constraints inherent in
electric power system protection. So, while we can learn
from advances in computer networking, and we can glean
technologies from that domain, we cannot implement
those solutions in toto. Thus, as we approach an ever
increasing digital information society we must invest in
the electric power infrastructure that fuels our automation
and quality of life.
References
1. B. Carreras, D. Newman, I. Dobson, and A. Poole, “Initial
Evidence for Self-Organized Criticality in Electric Power
System Blackouts,” Proceedings of the 33 rd Hawaii
International Conference on System Sciences, (Jan. 4-7,
2000, Maui, Hawaii, USA), IEEE Computer Society, Los
Alamitos, CA, 2000.
2. B. Carreras, D. Newman, I. Dobson, and A. Poole,
“Evidence for Self-Organized Criticality in Electric Power
System Blackouts,” Proceedings of the 34 th Hawaii
International Conference on System Sciences, (Jan. 3-6,
2001, Maui, Hawaii, USA), IEEE Computer Society, Los
Alamitos, CA, 2001.
3. B. Carreras, V. Lynch, M. Sachtjen, I. Dobson, and D.
Newman, “Modeling Blackout Dynamics in Power
Transmission Networks with Simple Structure,”
Proceedings of the 34 th Hawaii International Conference
on System Sciences, (Jan. 3-6, 2001, Maui, Hawaii, USA),
IEEE Computer Society, Los Alamitos, CA, 2001.
4. I. Dobson, B. Carreras, V. Lynch, and D. Newman, “An
Initial Model of Complex Dynamics in Electric Power
System Blackouts,” Proceedings of the 34 th Hawaii
International Conference on System Sciences, (Jan. 3-6,
0-7695-1435-9/02 $17.00 (c) 2002 IEEE
Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS-35’02)
0-7695-1435-9/02 $17.00 © 2002 IEEE
2001, Maui, Hawaii, USA), IEEE Computer Society, Los
Alamitos, CA, 2001.
5. J. Carlson and J. Doyle, “Highly Optimized Tolerance: A
Mechanism for Power Laws in Designed Systems,”
Physical Review E, Vol. 60(2), August 1999, pp. 1412-
1427.
6. J. Chen, J. Thorp, and M. Parashar, “Analysis of Electric
Power System Disturbance Data,” Proceedings of the 34 th
Hawaii International Conference on System Sciences, (Jan.
3-6, 2001, Maui, Hawaii, USA), IEEE Computer Society,
Los Alamitos, CA, 2001.
7. N. Grudinin and I. Roytelman, “Heading Off Emergencies
in Large Electric Grids,” IEEE Spectrum, Vol. 34(4), April
1997, pp. 42-47.
8. K. Stahlkopf and M. Wilhelm, “Tighter Controls for Busier
Systems,” IEEE Spectrum, Vol. 34(4), April 1997, pp. 48-
52.
9. J. Daume, “Summer of Our Disconnects: 1996 Western
Systems Coordinating Council Power System
Disturbances,” Paper #1, 24 th Annual Western Protective
Relay Conference, (Oct. 21-23, Spokane, WA), 1997.
10. CSI/FBI, 2000 CSI/FBI Computer Crime and Security
Survey, Computer Security Institute, 600 Harrison St., San
Francisco, CA, 94107, 2000.
11. K. Birman, “The Next -Generation Internet: Unsafe at Any
Speed?,” IEEE Computer, Vol. 33(8), August 2000, pp. 54-
60.
12. S. Dixit and Y. Ye, “Streamlining the Internet-Fiber
Connection, IEEE Spectrum, Vol. 38(4), Apr. 2001, pp. 52-
57.
13. D. Bakken, T. Evje, and A. Bose, “Survivable Status
Dissemination in the Electric Power Grid,” to appear in
Proceedings of the Information System Survivabiilty
Workshop, IEEE/IFIP, Goteborg, Sweden, July 2001.
14. G. Scheer and D. Woodward, “Speed and Reliability of
Ethernet Networks for Teleprotection and Control,” Paper
#8, Western Power Delivery Automation Conference, (Apr.
10-12, Spokane, WA), 2001. Available from
www.selinc.com.
15. H. Vogt, H. Pagnia, and F. Gartner, “Modular Fair
Exchange Protocols for Electonic Commerce,” Proceedings
of the 15 th Annual Computer Security Applications
Conference, (Dec. 6-10, Phoenix, AZ), IEEE Computer
Society, Los Alamitos, CA, 1999, pp. 3-11.
16. M. Wichert, D. Ingham, and S. Caughey, “Non-repudiation
Evidence Generation for CORBA using XML,”
Proceedings of the 15 th Annual Computer Security
Applications Conference, (Dec. 6-10, Phoenix, AZ), IEEE
Computer Society, Los Alamitos, CA, 1999, pp. 320-327.
17. E. Schweitzer, “Advancing the Quality of Protection,”
IEEE Computer Applications In Power, Vol. 11(1), January
1998, pp. 12-13.
8