ThreatSim

A Threat Simulator for Training Power Control System Operators
& War Gaming

Roger N. Anderson and Albert Boulanger
Columbia University

Executive Summary

We are seeking partners and funding to develop "ThreatSim" -- a threat simulation environment needed to train Power Control System (PCS) operators in how to respond quickly to prevent interruption of electric service within the North American Power Grid, if and when the system comes under sustained terrorist attack.  We also see the use of ThreatSim for "war gaming" exercises of cross-connected infrastructure under threat.

In the aftermath of 9/11, a new generation of American engineers and managers must be trained in electricity production and distribution under attack. Such threats, if intelligently directed and sustained over a period of time, will drive the electricity grid to more and more non-linear behavior, causing breakdowns that have not been foreseen from previous experiences in peacetime. 

A significant problem for the country at the moment is that the regional grid of primary electricity generators connected through (>100,000 volt) power lines to transformer substations is managed by separate “silo’s of responsibility” from the local distribution networks off your local utility (all <100,000 volts). An integration of the topologies of the large-scale regional grid and the small-scale local grids is required if adequate training against threats (Figure 1).

Figure 1. A coordinated attack on the northeastern power grid would spread disruptions to the rest of the country on only 3 minutes.

We believe one of the missing ingredients to the homeland defense is the need for electric grid threat simulators for war gaming -- one that allows hundreds of threat scenarios to be examined on the computer and responses devised and trained for.  First and foremost, the topologies of the regional high voltage grids managed by Regional Transmission Operators (RTO) and Independent System Operators (ISO) must be combined on the computer with local power grids, and more generally, distribution networks managed by utilities such as ConEd in New York City, Keyspan on Long Island, PSE&G in New Jersey, and hundreds of other public and private generation and distribution companies across the country.

Consider a coordinated attack on the local components of the power grid. In sequence, they attack the microwave communications of SCADA data, then a power generator, a transformer substation, and a compressor fuel transportation station, all within several minutes of each other. The cascading failures results in escalating problems throughout the local grid that soon affect the national high voltage grid.

Suppose now that this attack is followed a few minutes later by a coordinated attack on the high voltage regional transmission grid. The first hit takes out one of the high voltage transmission lines delivering regional power to the local utility, as for example, in northeastern Maine (Figure 1). Within 3 minutes, catastrophic failure has spread throughout the northeastern United States if remedial action to deliver missing power and reroute electricity is not activated on a massive scale - and within about 5 minutes. The question is: what system do we use to train for such scenarios?

Developing an adequate Electric Grid Threat Simulator is not a matter of simply joining the various computer systems that currently run the grids. As the Pentagon found out in trying to integrate computer systems from the different armed forces into unified, battlefield “Infosphere” command-and-control systems, predictability declines as the integration tasks become more and more non-linear. Breakdowns occur that have not been foreseen from historical experiences with the smaller, more linear systems that in the past acted independently.

We participated in a detailed analyses of current and planned technical improvements in the transmission and generation Power Control System (PCS) of a major regional electricity supplier considered to be a technological leader in the electricity industry.  The grid under its management supplies a major urban area of the United States (not New York City) that includes more than 5000 square miles and several million people.  This PCS is operated and supported 24 hours a day, 7 days a week, by approximately 100 conscientious and well trained people. Its mission is to balance power loads among private consumers, businesses, and industrial users against the various generation resources available to it, both from internally owned generators and from external purchases available through company’s trading floor. Figure 2 below illustrates some of the infrastructural dependencies and the supply chain in power production.

Figure 2. The complex  supply chain for maintaining Power by the PCS (Peerenboom, 2001).

The Electric Grid Threat Simulator must not be too general. It must focus on critical failures that have specific remedies.  The chaining of these events is where the simulator becomes powerful. Each element of a transfer function that covers both the regional, national, and local grid topologies can then be transformed into responses. Closure can then be computed. Global behavior is then determined from the synthesis of the component models.  Put directly, what are the threats, and what are the failure points. These must be determined through a learning harness overlain upon the topological models of the various scales of the grid.

To learn more about our technical approach to creating a 4D Infrastructure Nervous System using the ThreatSim learning harness, please contact Roger Anderson to get a username to access our ThreatSim documents.