6
Mitigating the Impact of Attacks on the Power System

Power systems are routinely designed and built to resist a variety of natural disruptions and continue to operate (NERC, 2006a,b). For example, they can often withstand, or rapidly recover from, events such as lightning strikes, wind and ice storms, fires, and various equipment malfunctions. Some of the features that have been designed into systems to enable them to withstand such “normal” events also offer protection against attacks of modest scale by terrorists. As the sophistication of various technologies grows, the evolving electric power system can be guided toward an even more resilient configuration.1

Simply adding generation and transmission capacity does not always make the system more robust. Furthermore, unless carefully planned, such additions can sometimes cause added congestion and decreased reliability in other parts of the system (Blumsack, 2006; Clark, 2004).

As described in Chapters 1 and 2, the nation’s electrical grid is highly stressed due to the growth in new generation and load without a concomitant increase in transmission capacity. An intelligently planned and well-coordinated terrorist attack could result in local or regional outages of significant duration and disrupt activities for a large segment of the population. The catastrophic failure caused by the 2005 hurricanes Katrina and Rita in several southern states resulted in widespread damage to system components, and it took several months to restore certain portions of the system.

If terrorist attacks targeted large critical components such as high-voltage transformers, for which spare parts are limited, restoration to pre-event levels of operation could take much longer (see Chapters 3 and 8). This chapter explores ways in which the electric system can be made resilient in the face of some attacks, and how any failures that do occur can be minimized. The reader also is referred to Chapter 3 for a discussion of physically protecting key facilities and Chapter 4 for cyber protection. Much of this chapter is necessarily technical, but the findings and recommendations at the end are intended to be understood without reading the entire chapter.

The chapter covers several technical topics:

1. Planning and operational design of the system to withstand simultaneous multiple outages;

2. Monitoring and protection systems, which play a critical role in mitigating the impact of an attack on the system;

3. Mechanisms to enhance the “graceful degradation” of the system in the event of an actual action or disturbance; and

4. Measures to increase the robustness and resilience of the distribution system2 through networked distribution system architecture and other means such as distributed generation.

Together, these types of system design and operational approaches can help to mitigate the effects of an attack, and may in fact make it less attractive to attack the electric system.

BULK POWER SYSTEM ENGINEERING

Interconnected bulk power systems3 are planned and operated in accordance with reliability criteria designed to ensure survivability following a range of plausible disturbances. The criteria are currently developed by NERC (as ERO) and regional reliability council processes (NERC, 2006a). Until recently, they have been voluntary but are

_____________________

1For example, new technologies for diagnosis and control of disruptions and the widespread use of distributed generation could considerably strengthen the ability of the system to continue to provide service to most customers in the face of even fairly large-scale attacks (Benner and Russell, 2004).

2In the United States, distribution voltage is typically 4-34.5 kV.

3The term “bulk power system” generally applies to large central generation stations and those portions of the transmission system operated at voltages of 100 kV or higher.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.

TERRORISM AND THE ELECTRIC POWER DELIVERY SYSTEM

becoming mandatory as a consequence of energy legislation enacted in 2005.

A key feature of the FERC-approved reliability standards is a performance table showing planning and operating criteria for normal operations (Category A) and three categories of disturbances.4 For single or multiple outages, the following apply:

5. Category B, events such as a short circuit causing loss of a single element or component in the system (i.e., an N-1 event with outage of a single generator, transmission line, or transformer).5 The power system must remain stable (no cascading) and within thermal and voltage limits. Loss of load or curtailment of firm transfer (i.e., sales of energy that have been agreed upon by contracts) is not allowed. For operations, the system must be readjusted within 30 minutes to withstand another outage.

6. Category C, certain related (non-independent) events causing outages of multiple elements. An outage of two circuits of a multiple circuit is one example. Similar performance to Category B is required except that planned/controlled load shedding and/or firm transfer curtailment are allowed. Cascading must be prevented.

7. Category D, extreme events resulting in multiple elements removed or cascading out of service. Selected events may be evaluated for risks and consequences.

To date, NERC standards have given little consideration to scenarios in which multiple facilities are destroyed by terrorists. In the future it may be prudent to design and operate bulk power systems to withstand multiple outages (Category D) that have some likelihood or history of occurring, or that are vulnerable to well-thought-out terrorist attacks. Such a standard would likely be expensive to implement and might reduce transfer capacity until additional facilities are added, but some movement in this direction is probably warranted.6 For Category D events, controls may be applied to prevent or mitigate cascading and massive loss of load. These are sometimes termed safety nets. For example, underfrequency load shedding is universally applied for controlled or uncontrolled separations (islanding). Undervoltage load shedding may be applied in areas where voltage collapse is a concern. These and other automatic controls attempt to restore equilibrium conditions within the electric power system or portions thereof. Loss of components due to malicious attacks would also cause imbalances and, if necessary, such controls would also be activated to mitigate the detrimental effects.

According to the NERC performance table, actions such as reduced power transfers and canceling of planned outages (e.g., for maintenance) may occur during abnormal conditions such as storms or forest fires. Similar actions should be taken during elevated terrorist threats resulting in a DHS red alert status.

The U.S.-Canadian power system currently consists of four large regions (see Chapter 2) within which all connected generators operate synchronously. Asynchronous connections between the regions are accomplished with DC tie lines or back-to-back AC-DC-AC converters (asynchronous links). Large synchronous regions evolved for economic power transfers and for the mutual support inherent with AC transmission.7 Under some operating conditions, however, large synchronous interconnections are vulnerable to large cascading failures when certain faults occur.8 (For examples, see Table 1.1.) Upgrades of AC transmission capability to improve the strength of the existing interconnections, the selective addition of advanced controls, and power electronics-based equipment, and other solutions such as prioritized modernization of power plant and substation equipment, including emergency control and protection are urgently needed.9

Substation Design and Modernization

A critical component of the bulk power system is the design and layout of transmission substations and switchyards. Substations are designed for reliability, flexibility of operation (including access), and cost. Substations provide the ability to safely switch equipment out of service during either scheduled or unscheduled outages while maintaining service. Several substation configurations have evolved to

_____________________

4See Table 1 at ftp://www.nerc.com/pub/sys/all_updl/standards/rs/TPL-001-0.pdf.

5Simulations for N-1 planning/operating criteria often involve a rarely occurring three-phase fault at a critical location with outage of a key line or transformer during peak load or transfer. The three-phase fault “umbrella” events are more severe than many multiple outages, especially those occurring during less stressed (off peak) operating conditions.

6Recall also that an N-2 event is defined as one in which the system would continue to operate reliably without two elements. Note, however, that there is no requirement for the frequent N-2 event of a short circuit with line outage, and with simultaneous outage of a parallel line or line with common termination because of a protective relay mis-operation. Storms, fires, airplanes, and terrorists may also cause loss of parallel lines on the same right-of-way. However, moving to N-n reliability standards in which n is larger than 2 should only be undertaken after a careful quantitative probabilistic assessment of costs and benefits.

7For example, for an outage in one line, power automatically shifts to other parallel lines in a fraction of a second. With DC links, special controls are needed.

8One theoretically possible approach to containing the extent of such outages would be to reduce the size of synchronous regions. For example, the large Eastern and Western interconnections could be restructured into regions similar in size to the Quebec and the Texas interconnections. This would require breaking up these two large interconnections into smaller ones connected by asynchronous links. Such a change would prevent the propagation of disturbances across very large areas. However, this approach would have serious limitations. It would undermine the kind of automatic support now provided by a large interconnected AC grid when large loads or generators are tripped. Further, asynchronous links are expensive.

9Such control equipment may include selective conversion to asynchronous links, such as a link proposed between Ontario and Michigan that might have reduced the extent of the August 14, 2003, blackout.

achieve reliability and flexibility. The configurations consist of different bus and circuit breaker schemes which, when switched, provide alternate network paths.10 The bus configurations could have a significant impact on maintaining reliability in the event of a malicious attack on the power system, especially if a transformer, circuit breaker, instrument transformer, or bus work fails violently. For example, a buswork or circuit breaker failure can cause complete substation outage with one bus configuration, but no loss of connectivity with another. Appendix F compares four common bus configurations and indicates their relative advantages and disadvantages. Older, usually lower-voltage, configurations and protection schemes tend to be less reliable.11

Whether it is caused by a terrorist attack or some natural cause, once a transmission or substation short circuit has occurred, circuit breakers must interrupt tens of thousands of amperes to isolate the faulty equipment and protect equipment that is not yet damaged. If the circuit breaker fails, additional breakers may be required to open, and, depending on bus configuration, may cause outage of multiple additional lines and transformers. Furthermore, a circuit breaker failure may be explosive, damaging nearby equipment and causing a fire. Breaker failure protective relaying is often nonredundant or may not be installed, potentially resulting in even larger disruption and possible cascading blackout. Breaker failures have initiated large-scale power interruptions.

Modern circuit breaker technologies are available to replace underrated or unreliable breakers.12 Prioritization of breaker replacements is relatively straightforward, and, as budgets permit, power companies replace underrated breakers. Prioritization is based on breaker type and reliability, interrupting rating relative to short circuit currents, bus configuration, and the potential system impact of a failure. Difficulties with cost recovery must be overcome in order for such modernization to occur.

For major new transmission line construction, it may be preferable to construct new substations rather than enlarging existing substations to a size that jeopardizes reliability if those substations completely shut down. Likewise, bypassing substations in a hopscotch fashion along a multi-line transmission path reduces the effect of a complete substation shutdown, and reduces choke points.

Power System Protective Relaying

The electric power system consists of expensive generators, apparatus, and lines that can quickly be damaged or destroyed as a result of short circuits (faults), thermal overload, or other abnormal conditions. Protection systems are designed to automatically detect and isolate lines and apparatus following electrical faults or disturbances in order to protect equipment from damage due to voltage, current, or frequency excursions outside the design limits. Primary protection devices include relays, reclosers, fuses, circuit breakers, and switches. In response to short circuits, protective relays detect abnormal electrical signals and open circuit breakers to isolate faulty equipment.13

Protection systems are critical to ensuring safe and reliable operation of interconnected transmission networks and should have the characteristics shown in Figure 6.1. A protection system must be dependable and secure in all its operations. Dependability means that protection devices properly respond when changes in electrical conditions indicate an abnormal or dangerous condition. Security means that protection systems will not mis-operate under normal conditions or for conditions outside the operational design of the protection system. Usually an increase in system dependability means a decrease in security or vice versa. For example, protection system dependability can be enhanced by incorporating device redundancy. Increased redundancy through the use of multiple relays to monitor a transmission line for abnormal conditions improves the probability that an event will be detected and thus improves reliability. However, multiple relays acting in parallel can also decrease security through greater complexity and greater exposure to component failure and mis-operation. Consequently, reliability requires a fine balance between dependable operation and security against inappropriate operations.

Many design issues and approaches can affect the characteristics of protection and control systems, including the following:

_____________________

10Most switchyards and substations have open-air bus work. At much higher cost, bus work may be placed in pipes insulated with SF6, rather than open air. Switchgear is incorporated in the gas-insulated equipment. The substation is then much more compact and can be installed indoors or underground. Gas-insulated substations are commonly used in urban areas, particularly in Europe and Japan, where land prices are high. Obviously, stations that are indoor or underground can be more secure against attacks.

11As an example, a bus fault at an old 400-kV substation led to a massive cascading power system blackout in Brazil on March 11, 1999. Lack of local bus protection and an unnecessary zone 3 relay operation at another station contributed to the failure. Following the blackout, potential system improvements were prioritized considering risk to the system, cost, and other factors. Many of the changes involved relatively low cost substation configuration improvements, and protection modernization.

12A recent Fitch report states that 60 percent of circuit breakers in the bulk power system are now more than 30 years old (Anderson et al., 2006). Many may be underrated or marginally rated for present day short-circuit currents. Modern circuit breakers are technically superior and much more reliable, and are available at about the same cost as old circuit breakers, despite general inflation.

13In the August 14, 2003, blackout event, lines sagging into trees caused a short-circuit current that was detected by relays and cleared by proper operation of breakers. The transmission line remained undamaged and capable of being placed into service. In other words, the protection devices correctly operated in response to faults caused by external factors (i.e., contact with trees). However, in that case, successive loss of multiple lines due to short-circuit or overload conditions resulted in instability and successive protection system operations that ultimately gave rise to a cascading failure and a blackout.

FIGURE 6.1 Protection and control system characteristics.

• Speed at which protection systems operate. A rapid decision to trip a breaker may prevent instability and permanent damage to lines or apparatus under fault conditions. However, disturbances and system dynamics may create electrical signals that emulate fault or overload conditions that can only be distinguished with sufficient analysis time. Consequently, a quick decision to trip may be required under certain conditions, but also may result in an improper decision under different dynamic conditions.

• Testing and maintenance practices. These can result in improper protection settings or inadvertent changes in protection logic. These have also caused large-scale blackouts. For example, even a cursory analysis of the August 2003 blackout shows several areas of concern with respect to protection system design, as integrated with system operations and communications. The loss of the first transmission line was caused by the correct operation of relays to clear a fault caused by the line sagging into trees. This resulted in heavier loading of parallel lines with the effect of subsequent loss of multiple lines due to faults and overload conditions. The lines associated with these events were properly protected and preserved and could have immediately been placed back in operation had operators had adequate knowledge and awareness of the dynamic events that were occurring.

• Systems to enhance awareness of operating conditions. New digital relays with advanced communications and information sharing capability coupled to control and information systems can decrease the probability of cascading failures as a consequence of multiple protection system operations.

• Proper settings of relays. Improper settings have resulted in cascading blackouts caused by the tripping of transmission lines under nonfault conditions. An improper setting of a “zone 3” impedance (distance) relay was a proximate cause of the November 9, 1965, Northeast blackout. The relay performed correctly based on its setting, but it had not been reset as system load grew. High load but nonfault electrical conditions caused the relay to operate. Emphasis should be given to remote monitoring of protective relay settings and improving maintenance and test procedures that mitigate the possibility of improper and insecure operation of relays.

• Addressing the “overreach” of protection systems. Overreaching distance protection, mainly in the form of zone 3 relays, has caused or contributed to many blackouts. Overreaching protection is generally applied as backup protection in the case of breaker failure in a distant substation. In other words, if a local protection system fails to detect a fault, surrounding substations “overreach” to detect the fault and eliminate fault current in-feeds to the local substation. Sensitive settings are required, and so the relays are prone to operate on nonfault conditions of overload, depressed voltage, or electromechanical swings among generators. There are several solutions to this problem, including redundant local relays, breaker failure relays, bus protection, and restrictions on the reach of impedance relays. NERC and the industry have addressed the backup relay problem in response to the 2003 blackout. Thousands of changes were made by North American power companies. (Reports are available at www.nerc.com.) Eternal vigilance, however, is required to ensure that relays respond only to short circuits.

The above approaches do not address all of the protection issues that can cause or exacerbate a cascading blackout. With millions of protective relays and protection schemes in place, undesirable or unnecessary operations cannot be prevented. However, fruitful areas of investigation and improvement include the following:

• Improvement in intelligent, digital relays allowing for self-evaluation and remote evaluation of settings and relay health to ensure reliable operation.

• Integration of protection systems with other control and operation systems to ensure that operators have full operational awareness as conditions change and deteriorate during a cascading event.

• Improved control philosophies and strategies for multiple contingency events occurring in close time proximity. Such improvements could address situations in which the proper operations of relays in response to changing conditions, when taken as a whole, can create unrecoverable instability in the power system.

• Methods to prioritize modernization of protection relays and schemes, including communications such as by fiber optics between stations.
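The zone 3 problem described above (a reach setting left unchanged while line loading grows, and the call for remote evaluation of settings) lends itself to a periodic settings audit. The following Python example is added here and is not from the chapter: it models zone 3 as a mho circle through the origin, flags relays whose read-back reach differs from the approved value, and flags relays whose characteristic would be entered by load alone under a stressed, nonfault condition. The relay identifiers, settings, loads, the mho model and the stress case (0.85 per-unit voltage, 150 percent of peak load, 30-degree power-factor angle) are all assumptions chosen for illustration.

```python
"""Zone 3 (mho) relay settings audit. Added illustration, not from the chapter.
All relay names, settings and loads below are constructed sample values."""
import cmath
import math
from dataclasses import dataclass

# Assumed stress case for a nonfault disturbance (not taken from the chapter).
STRESS_V_PU = 0.85           # depressed voltage, per unit
STRESS_LOAD_FACTOR = 1.5     # multiple of present peak load
STRESS_PF_ANGLE_DEG = 30.0   # load power-factor angle
DRIFT_TOLERANCE = 0.01       # 1 percent difference from the approved reach


@dataclass
class Zone3Setting:
    relay_id: str              # hypothetical identifier
    v_nominal_kv: float        # line-to-line nominal voltage
    reach_ohm: float           # zone 3 reach read back from the relay (primary ohms)
    approved_reach_ohm: float  # reach in the settings database of record
    mta_deg: float             # maximum torque angle of the mho circle
    peak_load_mva: float       # present peak loading of the protected line


def apparent_impedance(v_kv, s_mva, pf_angle_deg):
    """Impedance a distance relay measures under balanced load: Z = V^2 / S*."""
    s = cmath.rect(s_mva, math.radians(pf_angle_deg))
    return (v_kv ** 2) / s.conjugate()


def mho_operates(z, reach_ohm, mta_deg):
    """True when z lies inside a mho circle that passes through the origin."""
    centre = cmath.rect(reach_ohm / 2.0, math.radians(mta_deg))
    return abs(z - centre) < reach_ohm / 2.0


def loadability_mva(v_kv, reach_ohm, mta_deg, pf_angle_deg):
    """Largest load (MVA) whose apparent impedance stays outside the circle."""
    reach_at_load_angle = reach_ohm * math.cos(math.radians(mta_deg - pf_angle_deg))
    if reach_at_load_angle <= 0:
        return math.inf  # load angle is outside the circle's span entirely
    return v_kv ** 2 / reach_at_load_angle


def audit(setting):
    """Return the list of findings for one relay (empty list means clean)."""
    findings = []
    drift = abs(setting.reach_ohm - setting.approved_reach_ohm)
    if drift > DRIFT_TOLERANCE * setting.approved_reach_ohm:
        findings.append("SETTING_DRIFT")
    z_stress = apparent_impedance(
        STRESS_V_PU * setting.v_nominal_kv,
        STRESS_LOAD_FACTOR * setting.peak_load_mva,
        STRESS_PF_ANGLE_DEG,
    )
    if mho_operates(z_stress, setting.reach_ohm, setting.mta_deg):
        findings.append("LOAD_ENCROACHMENT")
    return findings


# Constructed fleet: same 345 kV design, different load growth and one altered setting.
RELAYS = [
    Zone3Setting("LINE-A-Z3", 345.0, 120.0, 120.0, 75.0, 600.0),
    Zone3Setting("LINE-B-Z3", 345.0, 120.0, 120.0, 75.0, 800.0),  # load has grown
    Zone3Setting("LINE-C-Z3", 345.0, 150.0, 120.0, 75.0, 600.0),  # reach differs from record
]

if __name__ == "__main__":
    for r in RELAYS:
        limit = loadability_mva(STRESS_V_PU * r.v_nominal_kv, r.reach_ohm,
                                r.mta_deg, STRESS_PF_ANGLE_DEG)
        print(f"{r.relay_id}: stressed loadability {limit:7.1f} MVA, "
              f"findings: {audit(r) or ['OK']}")
```

LINE-B-Z3 is the case the chapter warns about: at nominal voltage and present peak load the relay sees an impedance well outside its characteristic, so nothing looks wrong in normal operation, yet the unchanged setting no longer leaves room for a depressed-voltage overload.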

Sensors

As noted in Chapter 4, supervisory control and data acquisition (SCADA) provides two-way communication and control capability for control centers, power plants, and substations. Every few seconds, control centers receive massive amounts of data, most of it reflecting electrical conditions across the grid. However, determining what it all means, and what exactly happened following a natural event or a terrorist attack, may be difficult.

There are various sensor-related strategies to improve the situation. One, for example, is to increase the amount of data by using and analyzing data from a large number of distributed sensors.14 These enable detection of potential intrusions and sabotage, and postmortem studies after failures. Although it is very difficult to avoid or predict terrorist acts, quick assessment of the situation can help operators take actions in order to avoid cascading events and the consequent partial or total blackouts.

The mechanical failures resulting from malicious attacks on a transmission line are similar to extreme natural events affecting a transmission line. Thus, work done in the latter area can also help to guide preventive and corrective action for acts of sabotage. A basic method to assess damage caused by any physical event on the transmission grid is visual inspection, but this is difficult for transmission lines dispersed over hundreds of kilometers.15

Various techniques can address this issue. For example, digital distance relays can report approximate fault location based on the impedance calculation for a fault. Transmission fault locator devices based on traveling wave propagation or other methods can more precisely determine fault location. Real-time determination of the fault location (e.g., as a percentage of line length), and then communication of this information to the control rooms and reliability coordinators, allows the operators to take appropriate control actions, and if terrorism is suspected to quickly alert law enforcement about the exact location of the problem. The mapping of the fault location as a percentage of line length to a particular geographic location is usually straightforward, provided that global information system models of the line are available.

Single-phase switching or three-phase automatic reclosing attempts provide information on the type of fault and whether it is transient (e.g., lightning caused) or permanent. In situations where information is limited, operators in control centers may attempt manual (SCADA) line reclosure to determine if the fault is permanent. For permanent faults, crews are dispatched, possibly including aircraft for visual inspection.

Monitoring the structural integrity of transmission lines is helpful in assessing the effects of mechanical events. Equipped with adequate cryptographic and security features, wireless sensors for collecting structural information can provide a seamless sensing environment thanks to their main characteristics: ease of installation and replacement, low cost, networking, and small size.

Innovative technologies should be employed for detection of failures in power systems before they become catastrophes. Novel approaches that involve the implementation of a sensor network design for the national electric energy infrastructure combined with the use of nonconventional mechanical sensors may significantly improve the robustness of power systems against catastrophic failures. This would include wireless sensor network technology for detection of mechanical failures in transmission lines, such as conductor failure, tower collapses, hot spots, extreme mechanical conditions, and so on. It also involves the installation of mechanical sensors in predetermined towers of a transmission line, communicating via a wireless network. Sensors include accelerometers, tension/strain gauges, and tilt and temperature sensors. The main goal is to obtain a complete physical and electrical picture of the power system in real time and determine appropriate control measures that could be automatically taken and/or suggested to the system operators.

A variety of nontraditional sensors should also be considered and evaluated. These include sensors for mechanical motion; sound; visual spectrum (e.g., closed-circuit television and automatic processing of closed-circuit television signals); infrared; chemical, gas, ozone, nitrate, CO, and CO2 sensors; electromagnetic radiation, Poynting vector (based on electric and magnetic fields), partial discharge detectors; biological sensors; conduit continuity/resistance; incipient fault detection; and vibration. Also, the use of unmanned aerial vehicles (UAVs) could be considered. Sensor additions will require new software to process (filter and prioritize) the data for presentation to operators who may already be overwhelmed with data and alarms following events.

Automatic Controls for Power Systems

While there has been much discussion regarding the actions of operators, particularly after the August 14, 2003, failure, terrorist attacks and other disturbances can evolve into instability in a few seconds or tens of seconds, in many cases too fast for operators to determine what is happening and take appropriate corrective actions. During certain relatively familiar events in which alarms become activated, operators may act within a few minutes. In new situations, 15 to 30 minutes may be required for assessment and operator

_____________________

14These might include nonconventional sensors and innovative instrumentation located in the power system by some prioritized strategy. Metrics include system observability, power usage, enhancement of communication capabilities, and size of data for operations and enhanced operational decision making.

15Problems occurring in concentrated environments (substations or generating plants) are not difficult to find and assess with a small crew, or through video surveillance. Recent blackouts in the United States and Italy have shown that failure to assess and understand the condition of the power system, and the delay in taking appropriate corrective actions after just a single outage, can lead to blackouts across large areas.

OCR for page 55
actions, especially if load shedding is required. Thus, various types of automatic controls are required.

The following are some of the examples of automatic controls the committee has identified:

• Techniques for shedding load and generation to enhance power system dynamic response capabilities, including simple and low-cost approaches to avoiding voltage collapse;
• Techniques for maintaining proper transmission network voltage profiles;
• Primary automatic controls to prevent cascading instability that are located mainly at power plants;
• Transmission-level power electronic devices and mechanical devices;
• Local load-shedding practices and techniques;
• A class of controls termed special protection systems (SPSs) or remedial action schemes;
• Wide-area feedback/response-based controls, either continuous or discontinuous; and
• Sophisticated control algorithms (using various techniques such as adaptive or "intelligent" control) as part of digital control and communication capabilities.

Appendix G provides further descriptive details concerning each of these types of controls. Figure 6.2 illustrates a possible configuration of power system stability controls. The special protection systems path is feedforward. The continuous feedback controls are normally local and mainly at generation facilities, but could be wide area. The feedback (response-based) discontinuous controls are often wide area, but could be local (e.g., underfrequency or undervoltage load shedding).

FIGURE 6.2 Power system stability controls. SPS, special protection systems; WACS, wide-area stability and voltage control system.

In summary, power system robustness, resilience, and survivability in the face of major disturbances, including modest terrorist attacks, can be increased significantly and economically through the use of automatic controls. What is required is implementation of industry best practices, prioritized upgrading of old analog controls, and development and implementation of wide-area controls.

POWER SYSTEM OPERATIONS AND ENERGY MANAGEMENT SYSTEMS

In North America, the bulk power system is monitored and managed at energy control centers, also called SCADA-EMSs or simply energy management systems (EMSs). Data acquisition and remote control are performed by computer systems called SCADA systems. Figure 6.3 shows a schematic of a modern EMS. Note that a SCADA system communicates with generating plants, substations, and other remote devices.

Because of the historical evolution of the electric utilities in the different geographic regions, these EMSs are functionally similar but not identical. All these different EMSs result in significant additional complexity. Of the four synchronous interconnections in North America, the Quebec and Texas interconnections each constitute a "balancing area"--an organizational jurisdiction responsible for balancing its load and generation and each requiring its own EMS with automatic generation control. By contrast, the two other interconnections (the Western and Eastern) are too large to have only one balancing area each and, instead, have dozens of them.[16]

[16] The Eastern Interconnection has about 100 and the Western about 40, with the numbers fluctuating over time as organizational jurisdictions change. Note that some balancing areas in these two interconnections are so large that the EMS is hierarchical, with some of the functions distributed over several control centers.

With so many EMSs in these two interconnections, it is difficult to monitor all that is happening in a large interconnection, and so reliability coordinators or independent system operators that coordinate large portions of the interconnection have been set up and sometimes have
footprints covering many balancing areas. Figure 6.4 shows the balancing authorities in North America. Figure 2.1 in Chapter 2 shows the four interconnections.

FIGURE 6.3 Modern energy management system.

Thus, the control center EMSs that represent the balancing areas have the most control of the grid, but each can control only a small portion of the Western or the Eastern Interconnection. The reliability coordinators have a wider view of the grid but no coordinator covers the whole Western or Eastern Interconnection, and coordinators do not always have direct control of their portion of the grid. No single entity has the full real-time view of either the Western or the Eastern Interconnections, but some balancing authorities and reliability coordinators do exchange real-time data with their neighbors to increase their situational awareness beyond their own borders. More such data exchange will be needed and even a central monitoring center for these large interconnections has been suggested in the 2005 EPAct and elaborated further by USDOE and FERC (DOE/FERC, 2006).

Because the balancing area control centers have the ability to switch breakers and control other parameters, these could be main targets for cyber attacks.[17] Historically, the communication systems between these EMSs and remote terminal units (RTUs), and between EMSs, have been dedicated redundant channels and are not paths for intrusion. However, connections between the EMSs and other information systems have increased in recent years, and such connections need to be secured and made trustworthy.

[17] Cyber security is discussed in more detail in Chapter 4.

Although some automatic controls, like automatic generation control, are part of an EMS, the main function of the EMS is to allow the operator to monitor the present condition of the system (including alarming and analysis of the present conditions) and to take manual control actions as necessary to reliably operate the grid. Because the final cascading, like that in the 2003 Northeast blackout, can happen too fast for the operator to intervene, it is important for the operator (with the help of the EMS software) to recognize developing patterns that endanger the system. An operator in an EMS can observe the electrical performance of the system and take appropriate actions. However, neither the operator nor the
automated control system can distinguish between a physical disruption in the system and an electrical disturbance (e.g., if the base of a transmission tower is bombed and the line goes down causing a contact with the ground, the circuit breakers will operate to isolate the transmission line from the rest of the system). For an operator in the control center, the primary indication is that the circuit breakers operated to open and isolate the transmission line. The operator, however, cannot distinguish whether this is a temporary situation or a permanent one. If this information was available, then the operator in all probability would make decisions to maneuver the system to a more secure state. The ability to provide this additional information is the primary focus of the steps needed to protect, mitigate, and enhance graceful degradation. In order to facilitate these steps, various initiatives would be needed to harden the system against malicious disruptions. These steps are outlined and discussed below.

FIGURE 6.4 Balancing areas (also called control areas). For definitions of acronyms, see Appendix D. SOURCE: NERC. Available at http://www.nerc.com/regional/NERC_Regions_BA.jpg. Accessed October 2007.

Especially after the 2003 U.S.-Canada blackout, the "situational awareness" of the operator has emerged as a major concern. Operators at the EMS where the power system conditions were deteriorating were not aware of these conditions. Although trending and alarming for limit violations and abnormal conditions of individual measurements are commonplace in control centers, the recognition that abnormal patterns are developing (e.g., the depression of voltage over a large region as opposed to voltage limit violations at individual buses) is dependent on the experience and alertness of the operator. Automatic capture of such disturbing trends by the EMS computers would be an enormous help to alarm the operator. Such alarm processing using advanced methods of pattern recognition is needed.[18] It also would be valuable to coordinate, in real time, the display of line outage information across reliability coordinator boundaries. If a group of terrorists were to strike a number of electrical targets distributed across a large geographic region, the sooner the malicious nature of the event was uncovered, the more quickly protective actions could be taken. Currently there is only limited sharing of real-time information across reliability coordinator boundaries (Figure 6.5), with no one seeing the big picture for a grid such as the Eastern Interconnection. Hence, there would likely be a delay in determining that the near simultaneous loss of multiple lines in multiple regions was likely due to malicious activity.

[18] For example, it is likely that multiple attacks on the transmission system will not occur precisely simultaneously even if planned that way. Even small differences in the time of failures could give important indications that an attack is occurring and allow remedial actions before the full effect of multiple failures would be felt.

Just as redundancies are needed in the design of the power grid to increase its reliability and its ability to withstand physical attacks, so also are redundancies needed in the EMS, in both the hardware and the software, to ensure reliability of this critical function. Redundancies in the communication channels to the RTUs and redundancies in the computer hardware (including automatic checkpointing and failover) have been common practice. Redundancies in software and its graceful degradation have been less common. The loss of the alarming system in a key EMS during
the 2003 U.S.-Canada blackout was a critical element in the operator not being aware of the deteriorating conditions in the power system. Better design of software redundancy and degradation should be a critical part of EMS design, as discussed in Chapter 4.

FIGURE 6.5 Reliability coordinators. SOURCE: NERC. Available at http://www.nerc.com/~filez/Logs/relcoors.htm. Accessed October 2007.

In addition to technology improvements, it is necessary to ensure that the operators themselves have the training to understand and deal with rapidly deteriorating situations. High-quality system simulators are now available to train operators to understand and manage complex disruptions of the transmission system. Much greater and more uniform use should be made of such systems during the training of system operators.

DISTRIBUTION ENGINEERING

Another area where there are design and operational strategies to mitigate the effect of attacks is the engineering of the distribution system. Once electric power has been transmitted in bulk over transmission lines, it is delivered to distribution or bulk power delivery substations where it is distributed to customers. Distribution substations consist of multiple step-down transformers that reduce the relatively high voltage of transmission lines to lower distribution voltages. Although some large industrial customers take electric power at higher voltages, more than 90 percent of all the electric power distributed in the United States is delivered at less than 15,000 volts.

The majority of distribution subsystems in the United States consist of overhead feeders typified by the common wood pole construction and pole-mounted transformers found in rural and most urban areas. A growing number of distribution customers are served by underground cables. Whether built as overhead lines or with underground cable, the majority of distribution is of a radial "single-feed" nature, meaning that the loss of the distribution feeder results in a customer interruption, since there is no alternative source of power.

Conventional overhead lines in a radial configuration usually are the least expensive way to distribute electric power to customers. However, overhead lines are vulnerable to natural and man-made attack. While any one line can be repaired quickly, multiple outages, such as after a hurricane, can result in long periods of service interruption. The use of underground cable, multiple feeds to the customer with automatic switching, loop circuits whereby customers can be switched from one feeder to the next, and other forms of redundancy significantly improve reliability at additional expense. In the case of critical loads such as a manufacturing facility or a hospital, distribution designers often provide a twin or dual feed, namely, an alternative feeder that provides redundancy in case the primary feeder is lost. Obviously, the cost to
provide such redundancy makes similar wholesale structural changes to the existing distribution systems unlikely.

Some use is made of "network" distribution, primarily in high-density urban areas. The low-voltage outputs of multiple distribution transformers are connected to create a network to which customers are attached. This inherently creates multiple feeds to customers. While these networks are more complex to operate than a simple radial distribution, they have certain advantages in both efficiency and reliability. The cost is greater than radial distribution but can be generally justified for serving the dense loads of a downtown area.

The loss of a distribution feeder results in the immediate loss of electric power to several hundred to several thousand customers--but such a disruption is often relatively small in the context of the entire utility system. Distribution will most likely be subject to physical attack when specific customers or critical industry are targeted. The distribution apparatus used today is operationally rugged and relatively easy to repair, but because the distribution system is rarely monitored, the only notice the utility receives that power has been lost to a customer is the customer calling to complain. Often distribution power outages last for several hours simply because the utility is initially unaware of the problem, and then it takes substantial time to dispatch the repair crew to locate a fault and identify and replace damaged equipment.

Through the use of automated distribution, significant opportunities exist to improve the reliability of electric power distribution without rebuilding the existing distribution system. In general, these include:

• Automation of distribution systems, including SCADA systems. This approach consists of the use of advanced sensors with communications infrastructure so that an electric utility can monitor and remotely control distribution. SCADA systems as part of distribution substations allow electric utility dispatchers to monitor feeder information, such as voltage level and feeder loading, with the coincident ability to open and close feeder breakers remotely. Systems for automated distribution and control can be incrementally introduced and are already in place in some parts of the country. Compelling arguments concerning economic development can be advanced for at least some such improvements, since distribution-system disturbances account for most of the power outages experienced by customers. State regulators should require local companies engaged in distribution to undertake studies that explore the potential benefits and costs of such upgrades, and then to mount programs of improvement that have clear positive net benefits.
• Use of RTUs scattered throughout the distribution system. Such systems would be installed at the feeder level, allowing a distribution dispatcher to sectionalize a feeder or perform switching operations to restore power by isolating faults. This action restores power to a large number of customers, minimizing the duration of an outage by quickly locating and isolating the faulted section. New developments include automated sectionalizing and restoration of healthy feeder sections, after a fault, using intelligent, distributed RTUs.
• Advanced communication systems. Advanced communications systems are being introduced into distribution systems, including radio and cell communications, to acquire data and to control remote devices. The distribution feeder itself is used as a communication medium in power-line communication systems. As communications improve, the functionality and the complexity of distribution automation grow.
• Other advances in distribution automation. These include the use of intelligent electronic devices, automatic meter reading, and continuous high-frequency monitoring of distribution feeders to identify the incipient failure of distribution equipment and to detect very-low-current, arcing faults. If failing equipment can be detected and repaired or replaced before catastrophic failure, the number and length of outages can be reduced. Computer-based intelligent electronic devices can be applied to monitor and protect distribution feeders, resulting in a wealth of information that supports system restoration and improved reliability (Benner and Russell, 2004; EPRI, 2005).

It is obvious that the existing electric distribution system in the United States is vulnerable to attack because it is highly distributed geographically. But the huge investment already made in electric distribution makes significant structural changes both expensive and long term. Consequently, efforts must focus on maintaining the health and robustness of distribution with an emphasis on restoring power after outages and maintaining the continuity of electric service to critical customers.

Over the next decade, efforts can prudently be concentrated on the following areas:

1. Critical customers should be identified and specific attention given to ensuring service continuity and maintenance of critical functions during a terrorist attack. This level of protection can be accomplished by providing multiple power feeds to distribution customers and by providing onsite generation in case of the loss of bulk transmission. Recent experiences in large-scale blackouts have shown that many critical loads are vulnerable and do not have adequate auxiliary power backup.
2. Distribution automation can be applied at reasonable cost, significantly improving the reliability of
distribution and making system restoration more deterministic and rapid. Emphasis should be given to applying improved SCADA, intelligent electronic devices, advanced communication, and sophisticated (broad-bandwidth) monitoring that provide continuous control and high-quality data concerning the operation of distribution. These devices can provide immediate notice of an outage, confirmation of the cause of the outage, and the specific information necessary to restore service as rapidly as possible.
3. Robust distribution is needed, which requires careful attention to system upgrades and maintenance. Distribution systems operating at close to design limits or systems operating with degraded equipment fail more easily and make restoration of service more difficult. Consideration should be given to the applications that monitor and diagnose the health and robustness of distribution, and to supporting condition-based maintenance and repair. Such continual maintenance also provides the opportunity for upgrading not just to new power equipment but also to the distribution automation technologies mentioned above.

DISTRIBUTED GENERATION/ENERGY SOURCES

One way to mitigate the effects of attacks on the electric power delivery system is to make end uses more resilient, as well as capable of operations when disconnected from the grid. Distributed generation refers to the use of relatively small generators spread throughout the electrical system, and typically connected at distribution primary voltages, or perhaps at the subtransmission level. The generators may be operated either by a utility or by other parties that have connected to the grid. Although widely used in some parts of Europe, such as the Netherlands, distributed generation has been slow to develop in the United States.

Because of the economics, regulatory barriers, and other factors, the technology has not really expanded yet, but there is a prospect for widespread use of distributed generation. Because there are now so many types of distributed generation systems,[19] as their use becomes more widespread, they should be introduced in a way that aligns with--rather than undermines--key Institute of Electrical and Electronic Engineers (IEEE) standards (Standards 1159, Recommended Practice for Monitoring Electric Power Quality and 1547, Interconnecting Distributed Resources with the Electric Power System). Some of the key technical issues in integrating distributed generation systems into the grid are as follows.

[19] Some distributed generation is categorized as 60-Hz synchronous generation and its conventional controls. Other distributed generation may be interfaced with the distribution system through an electronic converter. Penetration levels in the time span 2006-2010 are not expected to exceed 10 percent of the total demand. However, localized high penetration levels may occur.

• Distributed generation at substations. The placement of distributed generation at transmission/distribution substations has been used in the past to provide emergency power. There are proposals to increase the level of distributed generation at substations to take advantage of the space and facilities at many of these substations.
• IEEE standards, recommended practice, and guides for emergency power generation[20] (Daley and Siciliano, 2003a,b; Davis and Stratford, 1988; IEEE, 1987), and certain other specialized systems.[21] These standardized procedures are largely in place in commercial and industrial applications in the United States today. At the time this report was prepared, there were no recommended practices for residential systems.

[20] Additional recent developments for emergency generation are discussed in Daley and Siciliano (2003a,b) and in Davis and Stratford (1988).

[21] IEEE Standard 141 (1986)--Recommended practice for electric power distribution for industrial plants; IEEE Standard 241 (1983)--Recommended practice for electric power systems in commercial buildings; IEEE Standard 493 (1980)--Recommended practice for the design of reliable industrial and commercial power systems; and IEEE Standard 602 (1986)--Recommended practice for electric systems in health care facilities.

• Back-up power installation. The technology of back-up power is well known and commercialized. The appropriate IEEE standards for emergency and standby power technology are IEEE 446 (IEEE Recommended Practice for Emergency and Standby Power Systems for Industrial and Commercial Applications) and 141 (Recommended Practice For Electric Power Distribution for Industrial Plants).
• Considerable volume of material on case studies for distributed generation. A sampling in the literature of materials that relate to the potential of this technology, especially in the arena of emergency supply, include Ault et al. (2000, 2003), Daly and Morrison (2001), and Golshan and Arefifar (2006). In Daley and Siciliano (2003b), the specific case is made for distributed generation for emergencies. In Dugan et al. (2001), some cautions are outlined for cases of high penetration (i.e., high installed power levels) of distributed generation.
• Safety. Perhaps the greatest fear in installing distributed generation is the safety issue of circuits being fed from the load end (Dugan et al., 2001). During restoration of power after large disturbances, this safety issue could be very important (Barker and De Mello, 2000; Caire et al., 2002).
• Interest in renewable energy sources to alleviate dependence on natural resources. Renewable sources appear to be well suited for low-power scenarios, and the public acceptance of these sources is high. If the economics can be made favorable, there is a real prospect for the increased use of renewable sources.
The main nonhydroelectric renewable source is wind power. Photovoltaic panels coupled with battery storage have considerable potential for distributed generation as prices drop.
• Energy storage to allow for increased use of renewables and to improve resiliency of the entire grid. Improving the system load factor and utilizing renewable sources that are time and weather dependent require the use of energy storage. Prospects include batteries, pumped storage, compressed-air storage, and supercapacitors.

FINDINGS AND RECOMMENDATIONS

Findings

Findings on the Transmission Network--Short to Medium Term

Finding 6.1 Any increase in the reliability of the power grid makes the system more capable of withstanding terrorist attacks, more able to mitigate the impacts of such, and less interesting as a target of terrorists.

Finding 6.2 In many cases, increased performance of the electric power system may be achieved through stronger ERO reliability criteria and additional controls such as special protection systems. For example, the ERO and FERC could require NERC Category C performance for the common N-2 event of a short circuit on a line with line outage, and with simultaneous outage of a parallel line or line with common termination because of protective relay misoperation. Meeting this requirement would improve system robustness and help protect against terrorist actions on lines on the same right-of-way. As an example of new operating procedures, the DHS red-alert condition could require more conservative system operation similar to storm-watch procedures.

Finding 6.3 The robustness and resilience of power systems can be significantly improved by prioritized modernization of power plant and transmission infrastructure and deployment of technological advancements. Many power plant and substation enhancements can be rapidly implemented at low cost compared to the construction of new transmission lines. Potential upgrades include modern circuit protection systems, communications, generator excitation equipment, and shunt capacitor banks to increase generator reactive power reserve.

Finding 6.4 The control center is the nerve center of the power system, and its resiliency is extremely important. The computer hardware and software in the EMS should be designed to withstand failures and to degrade gracefully when necessary. The control center as a whole must be protected from physical as well as cyber attacks, and a backup control center should be available. Adjacent control centers (e.g., PJM Interconnection and Midwest Independent Transmission System Operator [MISO]) should partially back each other up.

Finding 6.5 Much greater and more uniform use should be made of simulators during the training of electric power system operators.

Finding 6.6 Undesirable and unnecessary operations of protective relays during power system disturbances have contributed to many cascading power failures. These relays are intended to detect short circuits or other specific conditions in a protection zone, but can operate inappropriately during other conditions such as overload and/or voltage sag. While commendable industry-wide improvements were implemented following the August 14, 2003, blackout, continual vigilance and careful design are required. Coordination among various control and protection devices is essential to system reliability.

Findings on Transmission Research and Other Long-term Needs

Finding 6.7 The electric power transmission system should move toward large-scale use of sensors that provide a complete physical and electrical picture of the power system in real time, and appropriate control measures that could be taken automatically and rapidly or suggested to system operators. Research needed to make such a system a reality is discussed in Chapter 9. With today's digital control and communication capabilities, there are many opportunities for application of sophisticated local, distributed, and high-level control algorithms using various techniques such as adaptive or "intelligent" control coupled with wide-area measurements and adaptive islanding.

Finding 6.8 Improved intelligent, digital relays are needed that allow for self-evaluation and remote evaluation of settings and status to ensure reliable operation.

Finding 6.9 Improved control philosophies and strategies are needed for multiple contingency events occurring in close time proximity. The proper operations of relays in response to changing conditions, when taken as a whole, can create unrecoverable instability in the power system.

Finding 6.10 Consideration should be given to redesigning some critical substations using buswork in pipes insulated with SF6 with switchgear incorporated in the gas-insulated equipment. This approach allows more compact substation design, and the critical facility could then be relocated indoors or underground to provide more security against attacks.

Finding 6.11 As advanced storage technologies become available, strategies should be explored to use them to increase the performance and the resiliency of power systems.

Findings on the Distribution System

Finding 6.12 Being able to reduce load, and to focus on serving critical customers, can make the power delivery system far more robust in the face of natural disruption or terrorist attack. In many distribution systems, it is currently difficult or impossible to serve only a subset of customers on a distribution feeder. However, the technology is readily available to facilitate such selective service through distribution automation and intelligent load shedding.

Finding 6.13 Distribution systems operating at close to their design limits or systems operating with degraded equipment fail more easily and make restoration of service more difficult. State regulators should require distribution companies to assess the status of their systems and, where appropriate, require the installation of systems that monitor and diagnose the health and robustness of distribution, and support condition-based maintenance and repair. Systems that are operating with adequate capacity margins, and with all apparatus in good condition, are clearly more robust in the face of attacks or outages.

Finding 6.14 Greater use of automated distribution and load-shedding management holds the potential to reduce the vulnerability of the existing power system. Increased deployment of distributed generation and planning for the use of these facilities in the event of contingencies could greatly reduce the impact of an extended outage. Most of the needed technology for these concepts already exists.

Recommendations

Recommendation 6.1 The electric reliability organization (ERO) should require power companies to reexamine their critical substations to identify serious vulnerabilities to terrorist attack. Where such vulnerabilities are discovered, physical and cyber protection should be applied. In addition, the design of these substations should be modified with the goal of making them more flexible to allow for efficient reconfiguration in the event of a malicious attack on the power system. The bus configurations in these substations could have a significant impact on maintaining reliability in the event of a malicious attack on the power system. Bus layout or configuration could be a significant factor if a transformer, circuit breaker, instrument transformer, or bus work is blown up, possibly damaging nearby equipment.

Recommendation 6.2 The ERO and FERC should direct greater attention to vulnerability to multiple outages (e.g., N-2) planned by an intelligent adversary. In cases where major, long-term outages are possible, reinforcements should be considered as long as costs are commensurate with the reduction of vulnerability and other possible benefits.

Recommendation 6.3 The ERO and FERC should develop best practices and standards in improving system-wide instrumentation and the ability of near-real-time state estimation and security assessments, since otherwise operators are at a disadvantage trying to understand and manage system disruptions as they unfold. System operators should be able to observe what is going on well beyond their own borders whenever necessary. Reliability coordinators can oversee larger areas, maybe comprising several balancing authorities, but new entities should be established to oversee the whole Western and Eastern interconnection.

Recommendation 6.4 Local load-serving entities should work with local private and public sector groups to identify critical customers and plan a series of technical and organizational arrangements that can facilitate restricted service to critical customers during times of system stress. DHS could accelerate this process by initiating and partially funding a few local and regional demonstrations that could provide examples of best practice for other regions across the country.
