IIIA Technical Paper 04-01

Transcription

1 Network Security Risk Assessment Modeling (NSRAM) Application to Municipal Electric Power Grid IIIA Technical Paper May 2004 IIIA Institute for Infrastructure & Information Assurance James Madison University Harrisonburg, VA (540) ; Fax (540)

2 Network Security Risk Assessment Modeling (NSRAM) Application to Municipal Electric Power Grid J. McManus, MBA, G. Baker, Ph.D., S. Redwine, M.S., P. Riley, M.S. College of Integrated Science and Technology, James Madison University, Harrisonburg, Virginia, U.S.A. George Baker is a member of the faculty at James Madison University and is involved in consulting with industry and government in the areas of critical infrastructure assurance, high power electromagnetics, nuclear and directed energy effects, and ground sensors. He is the former director ( ) of the Defense Threat Reduction Agency s Springfield Research Facility involved in assessing, protecting and targeting critical underground, infrastructure and mobile systems. Much of his career was spent at the Defense Nuclear Agency directing RDT&E related to hardening systems to nuclear effects. He is presently a staff member of the Congressional EMP Commission and serves on the National committee of the American Electromagnetic (AMEREM) conference. He is past chairman of the Nonproliferation and Arms Control Technology Working Group (NPAC) focus group on buried facilities, the Underground Site Infrastructure Applications Working Group, and the international Technical Cooperation Program EMP Group. He is a member of IEEE and an EMP Fellow. He holds a Ph.D. from the U.S. Air Force Institute of Technology. Samuel T. Redwine, Jr. is a long-time figure in software engineering. He is past editor of the IEEE computer Society Software Engineering Technical Council Newsletter. He has received several major awards and has authored over 50 publications. His interests include software engineering, quality (particularly correctness), technology, and management; organizational improvement; R&D management; technology transfer; and computer security. Mr. Redwine has worked in industry and consulting for more than 25 years including time at Mitre, Institute for Defense Analyses, and the Software Productivity Consortium. He is an Associate Professor of Computer Science at James Madison University. Previously he was an Adjunct Professor at George Mason University and Virginia Tech. He has a B.S. and M.S. degrees from M.I.T. and is a member of IEEE, ACM, and the American Society for Quality (ASQ). James McManus is the Risk Assessment Modeler for the Critical Infrastructure Protection Project. His background includes over seventeen years of experience in the aerospace industry as design engineer and manager, risk assessment, and requirements management roles. He was also a director at a small research and development company where he oversaw research projects and overall operations of his office. Mr. McManus has a Bachelors in Aerospace Engineering from Georgia Tech, and an MBA from Kennesaw State University. Phil Riley is a Programmer/Analyst for the Critical Infrastructure Protection Project. His main interests are in Java development and mathematical computing. His degrees include AB, Math, University of Chicago; MA, Math, Duke University; and MS, Computer Science, James Madison University.

3 ABSTRACT Under the Critical Infrastructure Protection (CIP) program, The James Madison University (JMU) CIPP research team is developing Network Security Risk Assessment Modeling (NSRAM) tools that will enable the assessment of both cyber and physical infrastructure security risks. The effort is driven by the need to predict and compute the probability of adverse effects stemming from system attacks and malfunctions, to understand their consequences, and to improve existing systems to minimize these consequences. The tools are targeted at systems supporting critical infrastructures varying from individual systems to organization-wide systems, as well as systems covering entire geographical regions. Early work emphasizes computing systems, but systems sharing the network nature of computing systems, such as electrical and water supply systems are potential targets. Our development strategy emphasizes interaction with infrastructure service providers early-on to ensure that the final product is useful and user-friendly. The tools are being developed as part of a larger infrastructure assessment methodology development effort. As one of our first cooperative real-world case studies, we have used a developmental version of our network flow simulation tool to model Valleyville s" municipal electric power grid. We discuss the tool design, system characterization and modeling, and lessons learned from this case-study INTRODUCTION In 2003, the Department of Homeland Security issued national strategy documents for the protection of physical and cyber infrastructures that call for vulnerability assessments of critical infrastructure systems. 1,2 Modeling tools for simulation of network security and risk assessment will be an important part of such assessments. Critical infrastructure systems and facilities are subject to many different failure modes. It is important to anticipate the possible modes, the likelihood of their occurrence, and the relative seriousness of their consequences. Failures may be due to many causes, intentional and nonintentional, including cyber attacks, accidents, aging or sabotage from insiders or external malefactors. Failures can propagate such that seemingly minor problems may lead to complete functional failures. Some serious failure modes may be counter-intuitive. Of particular concern is the presence of single point failure locations known to exist in many existing critical facilities. Assessments provide an important basis for determining the most serious failure modes, implementing cost-effective countermeasures, and planning for reconstitution. To facilitate balanced assessments of both physical and cyber security problems, we are pursuing tools which extend probabilistic risk assessment into the time domain. 1 The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, U.S. Dept of Homeland Security, February The National Strategy to Secure Cyberspace, U.S. Dept of Homeland Security, February 2003

4 NSRAM TOOL The NSRAM tool is a complex network system simulation modeling tool that is currently in development at JMU as part of the CIPP effort. The NSRAM tool concept emphasizes the analysis of large interconnected multi-infrastructure models. JMU is also developing the concept of sophisticated repair element sets that interact via pre-defined algorithms to more accurately simulation repair personnel reaction to system insults or malfunctions. These repair element sets are unique in that they interact with the simulation network model in a pre-determined manner, but their operating rules can be changed to allow the user to optimize repair strategies. The NSRAM tool design includes a graphical user interface for developing models, developing scenarios, and interpreting output. The tool is designed to be portable, and uses portable and expandable database and model structures. The tool also provides a framework to simulate large networks and analyze their behavior under conditions where the network suffers failures or structural breakdowns. In order to accurately portray the severity of network failures, repair variables (time to repair, cost to repair, repair priorities) must be taken into account. The NSRAM tool provides a repair element set that allows the user to develop an accurate repair capability that can model the effects of repair personnel or part scarcity, communication requirements, and uncertainty. The repair element set is a specialized network made of elements and flows (the same as all NSRAM networks) that interact with the modeled network via predefined repair action rules. An initial set of repair elements was used in the Valleyville case study described below. The repair element set is a unique capability of the NSRAM tool. This capability will allow the user to accurately simulate any configuration of fault detection and repair schemes. The repair element set consists of repair entities with specialized functions. These specialized elements can be combined and customized by the user as desired to provide accurate and realistic repair and maintenance functionality to the network model. All repair element set actions will simulate the actions of agents in real time. Therefore, time to travel, cost, etc. will be variables that can be tracked. The repair element set will also collect statistical data of failure frequency, mean time to repair (MTTR) and other variables as required to determine repair effectiveness. The intent of these repair element sets is to more accurately model the human response to perceived system damage. The repair element sets identify symptoms, test the system to determine the elements that are damaged, attempt to repair the damage, and then attempt system recovery. If symptoms are still present, the repair elements repeat the above cycle until the system is recovered. Inspection routines will also be accommodated so that preventative maintenance effects are accurately incorporated. The repair element set design is a large task, and JMU is currently at the beginning of this effort. In order to incorporate the repair sets into the model as quickly as possible, they are being designed with extensibility in mind. That way, as the repair sets are developed, they can be easily modified and capabilities added to enhance fidelity and/or flexibility. We will initially incorporate relatively simple repair capabilities and add capabilities to accommodate client needs.

5 VALLEYVILLE MUNICIPAL ELECTRIC POWER GRID CASE-STUDY An important part of the NSRAM development strategy is early interaction with clients to ensure that the model is responsive to real-world needs in terms of input problems and output information. The client interaction is doubly important, because the tool is being developed as part of a larger vulnerability assessment methodology to treat realistic infrastructure problems. As one of our first clients, we have been able to work with a local municipal public works department to do an initial case study on their electric power distribution system. We used the codename Valleyville for this project to provide security for our client. The Valleyville case study project involved a broad set of objectives culminating in modeling the system using NSRAM. We organized an assessment team including faculty experts on electric power, risk assessment and modeling and simulation. A field team, including students, was deployed to survey and map the electric power system. All major power transformers and electrical distribution lines were mapped. This map provided the information required to develop both a physical and a logical (power flow) map of the town s power grid. The team also reviewed system engineering documents to gather information on network operating parameters and component design. In consultation with the public works department, we identified the critical system elements including grid components and locations of critical infrastructure facilities supplied by the grid. Critical facilities included water supply, waste treatment, government, police, fire and rescue services. Facilities having backup generators were noted. Repair resources and their capabilities were identified. We developed a comprehensive list of threats and hazards that might affect the system and discussed these with the public works department to determine those of highest concern.. MODELING VALLEYVILLE Once information gathering and physical mapping was complete we developed a one-line diagram of the system and selected a network subset for our initial NSRAM modeling. The modeling investigated the effect of various outage scenarios on the municipality. While the town and electrical power grid model are modest in size the task enabled us to exercise the graphical user interface model design scheme, build a realistic model, and provide feedback to the software developers to help design algorithms that make model creation intuitive. The Valleyville power grid is composed of three separate AC electrical circuits, each separated by 120 degrees of phase separation. These phases are noted as Phase A, B, and C. Power is purchased from a regional distributor and enters the municipal grid at 19.9 KV. This voltage level is stepped down at the main substation from 19.9 KV to 4.2 KV (phase to ground.) The 4.2 KV voltage is stepped down to the familiar household 120/240 V via distribution transformers. Distribution transformers generally provide power for three to ten homes. Businesses generally have a dedicated distribution transformer, and in several cases used power from different phase circuits simultaneously. The municipal grid has no active monitoring, and relies on inspections and trouble calls from customers to alert Valleyville Power Company to problems. The NSRAM tool used the Valleyville power flow map to develop an electrical grid functional model. While the three single phase circuits are physically very close (the three distribution lines generally are attached to the same power distribution poles) from a power distribution point of

6 view they are completely isolated. The three phases of electrical power were modeled as three separate models, however the naming convention used allowed us to investigate a situation where insults occur that could physically affect all three power phases simultaneously (for example, if a power distribution pole is knocked down.) Due to the relatively small size of the power grid, we were able to easily model the system at a detailed level. However, as in all modeling exercises, some abstractions were made. For this model, the power loads were simplified. Each power load element represents three to seven residential consumers power consumption needs or a commercial load. These loads are variable and are a function of time of year, time of day, temperature and a number of other variables; however in the first generation of this model the loads are considered to be constant. This simplification is acceptable because our original outage scenario focuses on power outages caused by large external events, such as lightning strikes, rather than power outages caused by customers overloading the system. The development approach for the NSRAM tool is to simultaneously develop the software while using early versions to solve client problems. Through exercising the tool via real world applications, we are attempting to modify our requirements while still in the design stages to enable the team to develop a more useable tool in the end. RESULTS Phase A of the Valleyville power grid was initially modeled as a capability demonstration. The model consisted of approximately 60 elements and 74 connections between those elements. Valleyville power usage was abstracted as total power demand at the final distribution transformer, that is, customer houses were lumped together as a distribution transformer load. Figure 1 is a screenshot from the demonstration showing the logical network of the power grid. Figure 2 shows details from the model. This figure shows individual elements (different icons for each type of element modeled), input and output ports (dots around the elements) and connections (lines.)

7 Figure 1 NSRAM Demonstration Model Figure 2 Model Details

8 The model was subjected to a major outage condition simulating a municipal grid line failing. This failure caused the household loads to exceed the power available at the distribution transformer, which caused the loads to shut down. The loads (households or commercial) wait a random amount of time before phoning the power company to notify it of a failure condition. The repair element set for this case study was an initial set designed specifically for Valleyville that consists of two repair agents and the main power company. When the power company is notified that a failure occurred, it radios one of the repair agents and sends it to the notification location. The repair agent has a delay built into the programming to simulate the need to drive to the location. When the agent reaches the location, it tests the element to determine if the element has failed. If so, the agent repairs it. If the element is operational, the repair agent travels to the first element between the previously checked one and the main power station. It repeats that cycle, working its way towards the main power station until it finds a failed element, which it repairs. Then it notifies the main power company that it has finished its work and returns to base. This behavior accurately simulates the methods used in Valleyville. When a customer calls in the repair truck is dispatched to that location. The power lines are traced back towards the main substation until the problem is found and repaired. The demonstration run consisted of one of the municipal grid lines failing. This lead to a large number of customers losing power, which provided a large set of starting points for the repair agents to begin their diagnoses. As this line is fairly well upstream the repair agents would on average check several elements prior to discovering the major power line failure. This study simulates a large lightning strike, the intentional destruction of a power line or a similar event. Below is an example of a resultant output graph from the case study where operational impact occurred. The output shows the percentage chance that power is available at that element. Initially, the power grid is allowed to come to equilibrium and operate for a short period of time. The sudden decrease indicates the failure event. Then, depending on where the repair agent initially starts its search, the percentage chance that power is available begins to climb back towards nominal. The three lines on the graph indicate the mean values and one standard deviation above and below that value.

9 Figure 3 Typical NSRAM Output Graph LESSONS LEARNED FROM CASE STUDY The strategy of using a modeling tool that is in development to assist in a client analysis has been both fruitful and frustrating. It was sometimes frustrating to the modeler that the NSRAM tool is still in development and many of its features are more difficult to access than would be expected in a mature tool. This caused the development of the electrical grid models to be delayed somewhat and incurred extra time in building those models. In addition, the development team was busy testing the next revision of the software during the time the models were developed. Although the development team was quite helpful, it was unrealistic to expect them to have the time to solve all discovered problems in time to help with the initial phase of model building. However, this exercise provided helpful feedback on several features of the software that are either in development or are planned to be developed in the next release. The team feels that this feedback helped to focus the development team planning for the next internal release task. It also provided the modeler with a better understanding of the developers targeted usage of the tool and the developers with a better understanding of how the tool will ultimately be used. CONCLUSION We are developing risk analysis modeling tools that address physical and cyber infrastructures. The tools extend probabilistic risk assessment into the time domain and include a time domain fault tree technique and a network flow simulation based techniques. The fault tree technique provides a simple, top level calculation of overall system mission functionality vs. time. The network flow based technique provides detailed system service performance, security and risk metrics vs. time. For critical infrastructure networks the JMU models and tools will provide insights into failure and degradation including possibilities, probabilities, modes, cascading effects, and durations. They should provide useful insights into probable failure points and most cost effective protection and/or upgrade approaches. Results will be useful for estimating the cost of service degradation or outage.

10 The tools are still in the developmental stage. The initial products will be somewhat technical in nature, designed for the use of JMU consultant level experts, with current development work concentrating on modeling repair, computer security phenomena, user interface refinements to increase accessibility and capabilities needed to model client infrastructure networks. Successful application of these tools requires that they be used as part of a well defined risk assessment methodology and that system subject matter experts be involved in defining input parameters to ensure reliable results. May, 2004 Institute for Infrastructure & Information Assurance