Energy Management Systems
Cyber security considerations for Energy Management Systems
The control center of a grid coordinator likely reminds you of the bridge of the Starship Enterprise, right? The large wrap-around screens with complicated images displayed on them? Instead of steering a large ship, the operators behind these screens are steering a large electrical power grid. What exactly are they steering and what are the potential cyber security considerations? Well, that’s what we’re going to try and figure out in this post…
Feel free to explore some of the other topics we have covered in this series including Substations, Coal Power Stations, Process Control, and Nuclear Power Stations.
Security consideration: throughout this post you will find these security
considerations. These are used to highlight some of the important processes
that may be worth considering from a security perspective. This is not an
all-encompassing analysis, though, so try and keep the following questions
in mind when reading the post -
[1] Is this a critical process that may be worth protecting?
[2] What should we do to protect the system?
* Disclaimer: this information should not be used for nefarious or unauthorised
purposes but rather as an educational tool (see the Welcome post of this
blog).
Introduction
Managing the electrical grid is a fairly complicated process because conditions fluctuate and supply and demand need to be balanced. If we recall our Fundamentals of the Electrical Grid post, we discussed how the grid is a ‘just-in-time’ process since electricity needs to be produced as it is consumed (we do not typically make use of large battery banks). In order to balance supply and demand efficiently, we require the assistance of various tools.
Before getting into too much detail regarding the systems we use to manage the grid, we should first consider a bit of theory regarding the different states a power system may find itself in. Figure 1, below, highlights the states and their respective transitions.
The Normal state describes the state in which supply meets demand (equality constraints). We enter into the Alert state when the equality constraints are still being met but the probability of a disturbance has increased. If the conditions were to deteriorate we are likely to see voltages or currents exceeding their limits (inequality constraints) resulting in a transfer into the Emergency state. If the conditions continue to deteriorate the system will move into the Extremis state whereby both the equality and inequality constraints are violated. In this case, the supply and demand need to be isolated in order to ensure that the system is stabilized. If the grid has not collapsed, operators can begin to re-attach loads (demand) by means of the Restorative state.
Security consideration: the Extremis state is highly undesirable as this
likely results in consumers being cut off from their power supply. Any actions
that move the system into this state are likely to have economic effects on
the producers (due to their inability to supply their product) and the consumers
(who likely require the electricity to produce their own goods/services).
There are various factors that could have an impact on the stability of the grid including, for example, the failure of protection/control devices and various other faults (see System Protection for more information). In order to effectively manage these states, the operator not only requires insight into the conditions of the grid but also the ability to make changes.
Energy Management Systems
An Energy Management System (EMS) is typically implemented on the SCADA systems we have discussed in various other posts. Figure 2, below, highlights the core functions of an EMS.
Generation Operation Management
Generation operation management ensures that the grid is operating optimally by managing generation and distribution. The first important component is Load Forecasting (LF). LF is an important aspect of a ‘just-in-time’ process since the proper forecasting of loads is likely to help with the supply/demand balance discussed above. LF makes use of Automatic Generation Control (AGC) to ensure that the generation is operating correctly whereas Automatic Load Dispatch (ALD) manages the distribution of load across generators.
Short-Term Load Forecasting (STLF) relates to forecasting in the range of almost immediate to a few weeks. The STLF algorithm makes use of various inputs:
- Load history (available from the SCADA servers).
- The type of day (holiday/normal working day etc.)
- Weather data.
Security consideration: Load forecasting is only as good as the input data that
it receives. Should the data be incorrect, faulty, or intentionally malicious,
incorrect forecasting may lead to incorrect Unit Commitment (UC). This in
turn may result in an under-supply of generating capacity.
Figure 3, below, shows how the different functions interact with one another.
Unit Commitment (UC) relates to the commitment of a generation unit to be online during a certain time slot. Figure 4 provides an overview of what a unit commitment schedule may look like. The reason for the scheduling is that certain generation units may take a longer time to start up (e.g. coal generation units) resulting in the need to plan their start-up and shutdown.
Side Note: Certain generation units such as Open-Cycle Gas Turbines have a comparatively quick start-up time and are often employed as ‘peaking stations’ (such as Unit IV in Figure 4).
Side Note: Spinning reserve refers to the capacity of a plant to counteract emergency losses of generation power. For example, if a plant is theoretically capable of supplying 900MW, it may not be able to supply all of this since some of it needs to be kept on standby in the event that a sudden loss of generation capacity occurs. The spinning reserve may differ from plant to plant but can, for example, be set to the power output of the largest generation unit since this may have to be replaced in the event of an emergency.
Once the Units have been assigned, it is up to the Economic Dispatch (ED) unit to ensure that the optimal combination of units is utilized. This is performed by managing the output of a plant as well as individual generation units in order to minimize the overall cost of fuel.
Security consideration: if the parameters of the ED are not correctly
configured, the efficiency of the generation units may be compromised resulting
in increased costs.
Automatic Generation Control (AGC) is primarily responsible for managing the different generation units and ensuring, among other parameters, that the correct frequency is achieved/maintained (this is, in turn, done with respect to the load). Frequency control is typically managed at two levels, namely, the generator and the area level. The area-level frequency problem relates to the combining of various generators (and their subsequent frequencies) by means of tie lines (connections between different areas). If the load/generation balance is perfectly achieved, the Area Control Error (ACE) is zero.
It should be noted that the generation units are not necessarily all located in the same geographical area. In order to manage the flow of power, we may need to exchange it with different areas. In our AGC system, this is referred to as a Scheduled Interchange, namely, the agreement that a certain amount of power will, for a certain period of time, be transferred to another area. The Actual Interchange, in turn, refers to the actual power that was transferred. This is determined by a range of meters and other measuring devices.
Security Consideration: Should the AGC receive incorrect input data, incorrect
decisions may be taken. If the Actual Interchange exceeds / falls short of
the Scheduled Interchange, protection measures may intercede (in the best
case) potentially isolating systems.
There are various control modes for AGC:
- Flat frequency control: This method only responds to changes in the frequency whilst neglecting the power requirements.
- Flat tie line: This method only responds to power changes and is typically only used for brief periods of time when frequency readings are not available.
- Tie line bias control: This control method is a combination of the previous two methods. This in turn implies that we want to keep the power and frequency at agreed-upon limits. The equation acknowledges that if the frequency decreases and the power entering the system decreases, the need for power is in the adjacent area. In turn, if the frequency decreases and the power entering the system increases, then the need for power is within the current area.
Figure 5, below, highlights an example. Area A is generating 5000 MW, consuming 4000 MW, and transferring 1000 MW to Area B.
In Figure 6, the load in A is increased by 300 MW. The frequency is decreased and a tie line error is observed (change in power).
Area A needs to increase its generation capacity in order to account for the change in load. Note that a discrepancy is now observed between the Scheduled Interchange and the Actual Interchange.
Due to the agreement, Area A will continue to increase generation capacity until it can once again meet its obligations and the ACE returns to 0, as seen in Figure 7 below.
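The three AGC control modes and the Area A load step can be worked through in code. This is an added example, not part of the original post: it uses the standard tie line bias form, ACE = (Actual Interchange - Scheduled Interchange) - 10 x B x (actual frequency - scheduled frequency), and also shows why an incorrect Actual Interchange reading matters. The 60 Hz scheduled frequency, the 59.98 Hz reading, the 720 MW export, the bias values and the meter cross-check with its 25 MW tolerance are all constructed for illustration.

```python
from dataclasses import dataclass

SCHEDULED_HZ = 60.0  # assumed scheduled frequency; the post does not give one

@dataclass
class Telemetry:
    actual_export_mw: float     # Actual Interchange (positive = power leaving the area)
    scheduled_export_mw: float  # Scheduled Interchange
    frequency_hz: float         # measured system frequency

def area_control_error(t, bias_mw_per_tenth_hz, mode="tie_line_bias"):
    """Return ACE in MW; a negative value means the area must raise generation."""
    tie_error = t.actual_export_mw - t.scheduled_export_mw
    # Bias is negative by convention, so under-frequency yields a negative term.
    freq_error = -10.0 * bias_mw_per_tenth_hz * (t.frequency_hz - SCHEDULED_HZ)
    if mode == "flat_frequency":
        return freq_error               # ignores the power exchange
    if mode == "flat_tie_line":
        return tie_error                # ignores the frequency
    if mode == "tie_line_bias":
        return tie_error + freq_error   # combines both
    raise ValueError(f"unknown AGC control mode: {mode}")

def interchange_plausible(primary_mw, redundant_mw, tolerance_mw=25.0):
    """Cross-check two independent tie line meters before AGC trusts the value."""
    return abs(primary_mw - redundant_mw) <= tolerance_mw

# Constructed sample after the 300 MW load step in Area A (the Figure 6 scenario):
# frequency sags to 59.98 Hz and A's export falls from 1000 MW to 720 MW.
AREA_A = Telemetry(actual_export_mw=720.0, scheduled_export_mw=1000.0, frequency_hz=59.98)
AREA_B = Telemetry(actual_export_mw=-720.0, scheduled_export_mw=-1000.0, frequency_hz=59.98)
BIAS_A, BIAS_B = -100.0, -1400.0  # constructed bias settings, MW per 0.1 Hz

if __name__ == "__main__":
    for mode in ("flat_frequency", "flat_tie_line", "tie_line_bias"):
        print(mode, round(area_control_error(AREA_A, BIAS_A, mode), 1))
    # Area B sees the same frequency dip but a near-zero ACE: the need is in A.
    print("Area B ACE:", round(area_control_error(AREA_B, BIAS_B), 1))
    # An incorrect (stale) reading of 1000 MW hides most of the shortfall from AGC.
    stale = Telemetry(1000.0, 1000.0, 59.98)
    print("ACE with stale reading:", round(area_control_error(stale, BIAS_A), 1))
    print("meters agree:", interchange_plausible(1000.0, 720.0))
```

With these constructed numbers, tie line bias control attributes the full 300 MW shortfall to Area A and none to Area B, while the stale interchange reading reduces Area A's ACE to the 20 MW frequency term alone.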
Side Note: “A balancing authority is an entity in the US electric system that is responsible for grid balancing”
Transmission Operations Management
Network configuration and topology processors are used to monitor conditions on the grid in order to determine which components are live, where issues may be present, and how the network can/should be adapted based on these parameters.
State Estimation, in turn, is employed to provide an estimate of a certain state for which we may not have the exact information. Errors may present themselves due to, for example, nonlinearity errors in equipment, electromagnetic interference (EMI), redundant measurements etc. Nevertheless, the available data can be provided as input for a model of the system in order to define a state. Various methods exist for the derivation of the state, however, this is considered to be out of scope for this post. The models subsequently provide us with an estimate of the actual conditions. We can use this information for our decision-making processes.
Due to the fact that failures tend to happen very quickly, allowing an operator only limited time to respond, Contingency Analysis (CA) is employed. CA essentially allows an operator to model certain failure conditions in order to determine how the grid will respond.
Security Consideration: Faulty CA (perhaps due to incorrect data/parameter
tuning) may result in the Management System not reacting sufficiently/over-
reacting in the event of a fault/change in conditions.
A technique employed to manage an imbalance between load and generation is that of Islanding which refers to the intentional isolation of systems in order to preserve the larger state. A system is said to be load-rich (associated with a decrease in frequency) if there is insufficient generation and generation-rich (associated with an increase in frequency) if there is insufficient load. In order to resolve such a condition, coordination between protection systems, power stations, and the transmission grid is required.
Stability
A final interesting topic to consider with regard to energy management systems is that of stability. Stability refers to the ability of a power system to respond to disturbances in an attempt to return to a steady state. As previously discussed, a change in load will result in a change in frequency. Stability subsequently relates to the ability of the system, and generators in general, to respond to these changes. Importantly, generators are mechanical components and typically do not respond as quickly as the grid may change. If a generator falls out of sync with the grid it has to be tripped and re-synchronized which increases the load on the other generators.
Three types of stability conditions are defined:
- Steady-state: the ability of the system to maintain a state during normal operating conditions.
- Transient: the ability of a system to maintain stability when subjected to a change.
- Dynamic: the ability of the system to maintain stability after the transient change and whilst returning to the steady-state.
Conclusion
In this post, we spent a bit of time looking at the intricacies of Energy Management Systems. We considered the different components needed to manage an electrical grid and the complex processes that attempt to ensure that stability is maintained. Of particular interest is Automatic Generation Control which ensures that system stability is maintained. These control systems are largely reliant on data and as such, if the data is incorrect/faulty, incorrect decisions may be made.
Security consideration: we managed to identify several security
considerations throughout this post. Nevertheless, we may have missed
something. Feel free to leave a comment with additional considerations!