Professional Documents
Culture Documents
Energy infrastructure faced with deregulation and coupled with life—what role can enabling technologies, business/eco-
interdependencies with other critical infrastructures and increased nomic analyses, and judicious policies play in predicting,
demand for high-quality and reliable electricity for our digital averting and/or managing future crises?
economy is becoming more and more stressed. The occurrence
of several cascading failures in the past 40 years has helped In the aftermath of the tragic events of 11 September
focus attention on the need to understand the complex phenomena 2001, there are increased national and international concerns
associated with these interconnected systems and to develop de- about the security and robustness of critical infrastructures
fense plans to protect the network against extreme contingencies in response to evolving spectra of threats. The sources of
caused by natural disasters, equipment failures, human errors, or vulnerability include natural disasters (e.g., earthquakes,
deliberate sabotage and attacks.
With dramatic increases in interregional bulk power transfers hurricanes, winter storms), equipment failures, human
and accelerating diversity of transactions among parties, the elec- errors, or deliberate sabotage and attacks. In addition,
tric power grid is being used in ways for which it was not originally “dual use” technologies will be addressed, including im-
designed. As the power grids become heavily loaded with long-dis- provements to the system that would improve the overall
tance transfers, the already complex system dynamics become even security/resilience to other modes of failures and disasters,
more important. The potential for rare events but high-impact cas-
cading phenomena represent just a few of many new science and such as floods, ice storms, earthquakes, etc.
technology challenges. We focus on the lessons learned as well as Virtually every crucial economic and social function de-
challenges associated with accomplishing these missions, including pends on the secure, reliable operation of energy, telecommu-
recent hardware, software, applications, and algorithmic develop- nications, transportation, financial, and other infrastructures.
ments. The Internet, computer networks, and our digital economy
Keywords—Critical infrastructure protection, electric power have increased the demand for reliable and disturbance-free
grid, emergency control, infrastructure defense plans, protection electricity; banking and finance depends on the robustness
against rare events and extreme contingencies. of electric power, cable, and wireless telecommunications.
Transportation systems, including military and commercial
I. INTRODUCTION aircraft and land and sea vessels, depend on communica-
tion and energy networks. Links between the power grid and
Secure and reliable operation of the energy infrastruc-
telecommunications and between electrical power and oil,
ture and other critical systems are fundamental to national
water, and gas pipelines continue to be a linchpin of energy
and international economy, security and quality of life.
supply networks. This strong interdependence means that an
Their very interconnectedness makes them more vulnerable
action in one part of one infrastructure network can rapidly
to global disruption, initiated locally by material failure,
create global effects by cascading throughout the same net-
natural calamities, intentional attack, or human error. The
work and even into other networks.
massive power outages in the United States, Canada, the
The potential ramifications of network failures have never
United Kingdom, and Italy in 2003 underscored electricity
been greater, as the transportation, telecommunications, oil
infrastructure’s vulnerabilities [1]–[16]. This vital yet com-
and gas, banking and finance, and other infrastructures de-
plex infrastructure underpins our society and quality of
pend on the continental power grid to energize and control
their operations.
Manuscript received April 30, 2002; revised February 27, 2005. Over the last century, various thrusts of power systems
The author is with the Center for the Development of Technological Lead- have continued to present numerous theoretical and practical
ership and the Department of Electrical and Computer Engineering, Univer-
sity of Minnesota, Minneapolis, MN 55454 USA (e-mail: amin@umn.edu). challenges to the electrical engineering community ranging
Digital Object Identifier 10.1109/JPROC.2005.847257 from control of electric motors to operation of electric
Fig. 1. Since the “crossover” point in about 1995, utility III. RELIABILITY ISSUES
construction expenditures have lagged behind asset depreciation.
This has resulted in a mode of operation of the system analogous
to “harvesting far more rapidly than planting new seeds” while
Several cascading failures during the past 40 years spot-
demand (load) continues to increase at about 2% per year (data lighted our need to understand the complex phenomena
provided by Edison Electric Institute (EEI); graph courtesy of associated with power network systems and the develop-
EPRI).
ment of emergency controls and restoration. Widespread
outages and huge price spikes during the past few years
over $1.5 billion and included all aspects of interconnected raised public concern about grid reliability at the national
infrastructures and even the environment. Most recently, the level [7]–[11], [17]. According to data from the North
14 August 2003 outage is estimated to have a cost in the American Electric Reliability Council (NERC) and analyses
range of $6 billion–$10 billion. Past disturbances provide from the EPRI, average outages from 1984 to the present
some idea of how cascading failures work. have affected nearly 700 000 customers per event annually.
• November 1965—A cascaded system collapse Smaller outages occur much more frequently and affect tens
blackout in ten states in the northeastern United to hundreds of thousands of customers every few weeks or
States affected about 30 million people. months, while larger outages occur every two to nine years
• 1967—The Pennsylvania–New Jersey–Maryland and affect millions. Much larger outages affect 7 million or
(PJM) blackout occurred. more customers per event each decade. These analyses are
• May 1977—15 000 square miles and 1 million cus- based on data collected for the U.S. Department of Energy
tomers in Miami, FL, lost electricity. (DOE), which requires electric utilities to report system
• July 1977—In New York’s suburbs, lightning caused emergencies that include electric service interruptions,
overvoltages and faulty protection devices, which voltage reductions, acts of sabotage, unusual occurrences
caused 10 million people to lose power for over 24 h, that can affect the reliability of bulk power delivery systems,
resulting in widespread looting, over 4000 arrests, and and fuel problems [1], [3]–[6], [10], [11], [17], [23].
ultimately the ouster of New York City’s mayor. Coupling these analyses with diminished infrastructure
• December 1978—Blackout in part of France due to investments, and noting that the crossover point for the
voltage collapse. utility construction investment versus depreciation occurred
• January 1981—1.5 million customers in Idaho, Utah, in 1995 (Fig. 1), we analyzed the number and frequency
and Wyoming were without power for 7 h. of major outages along with the number of customers af-
• March 1982—Over 900 000 lost power for 1.5 h due fected during the decade 1991–2000; splitting it into the two
to high-voltage line failure in Oregon. periods 1991–1995 and 1996–2000 (Fig. 2). Based on the
• December 1994—2 million customers from Arizona to EPRI’s analyses [1], [15] of data in the NERC’s Disturbance
Washington State lost power. Analysis Working Group (DAWG) database [1], [10], [11],
• July 1996—A high-voltage line touched a tree branch 41% more outages affected 50 000 or more consumers in
in Idaho. The resulting short circuit caused blackouts the second half of the 1990s than in the first half (58 out-
for 2 million customers in 14 states for approximately ages in 1996–2000 versus 41 outages in 1991–1995). The
6 h. average outage affected 15% more consumers from 1996 to
• August 1996—Following the 2 July blackout, two 2000 than from 1991 to 1995 (average size per event was
high-voltage lines fell in Oregon and caused cascading 409 854 customers affected in the second half of the decade
outages affecting over 7 million customers in 11 versus 355 204 in the first half of the decade). In addition,
western U.S. states and two Canadian provinces. there were 76 outages of size 100 MW or more in the second
• January 1998—Ice storms caused over 3 million half of the decade, compared to 66 such occurrences in
people to lose power in Canada, New York, and New the first half. During the same period, the average lost load
England. caused by an outage increased by 34%, from 798 MW from
1991 to 1995 to 1067 MW from 1996 to 2000 (Fig. 2) [1], Several utilities and energy companies have installed
[10], [11], [15]–[17]. dynamic recording devices capable of storing measured
voltage, current, and frequency data at typically 6–30 sam-
ples per second. Based on the recorded data, an event
IV. BRIEF OVERVIEW OF SYSTEM OPERATION analyzer has been developed that is able to classify the
At its most fundamental level, the electricity infrastructure disturbances. The scheme identifies single-event distur-
form a vertically integrated hierarchical network consisting bances very reliably. More investigation is required to
of the generation layer (noted above) and then three network develop a reliable identification scheme for multiple-event
levels [18]. The first is the transmission network, which is disturbances.
meshed networks combining extra-high voltage (above 300 Several pertinent theories on power system operating
kV) and high voltage (100–300 kV), connected to large gen- conditions have been provided in the literature; these con-
eration units and very large customers and, via tie lines, to tributions not only provide mathematical foundations but
neighboring transmission networks and to the subtransmis- also include some guidance on how to measure and adapt
sion level. The second level is subtransmission, which con- to disturbances. A power system can be characterized as
sists of a radial or weakly coupled network including some having multiple states, or “modes,” during which specific
high voltage (100–300 kV) but typically 5–15 kV, connected operational and control actions and reactions are taking
to large customers and medium-size generators. Finally, the place:
third network level is distribution, which is typically a tree • normal mode: economic dispatch, load frequency con-
network including low voltage (110–115 or 220–240 V) and trol, maintenance, forecasting, etc.;
medium voltage (1–100 kV) connected to small generators, • disturbance mode: faults, instability, load shedding,
medium-size customers, and local low-voltage networks for etc.;
small customers. • restorative mode: rescheduling, resynchronization,
In a large interconnected power system, security is load restoration, etc.
primarily focused on transient and dynamic stability con- In the normal mode, the priority is on economic dispatch,
siderations. As such, the main concerns are on the loss of load frequency control, maintenance, and forecasting. In the
generation or power import, the loss of transmission lines in disturbance mode, attention shifts to faults, instability, and
heavily loaded power transfer interfaces, and the possibility load shedding. In the restorative mode, priorities include
of undamped or growing oscillations. These events have rescheduling, resynchronization, and load restoration. Some
time scales of 0.1–10 s. authors include an alert mode before the disturbance actually
electronic systems for metering, scheduling, trading, or dispersed assets that can never be absolutely defended
e-commerce imposes numerous financial risks implied by against a determined attack.
use of this technology. Because critical infrastructures touch us all, the growing
Any complex dynamic infrastructure network typically potential for infrastructure problems stems from multiple
has many layers and decision-making units and is vulner- sources. These sources include system complexity, deregu-
able to various types of disturbances. Effective, intelligent, lation, economic effects, power-market impacts, terrorism,
distributed control is required that would enable parts of and human error. The existing power system is also vulner-
the networks to remain operational and even automatically able to natural disasters and intentional attacks. Regarding
reconfigure in the event of local failures or threats of failure. the latter, a November 2001 EPRI assessment developed in
The paper in this issue by Shahidehpour and Wiedman, response to the 11 September 2001 attacks highlights three
“Natural Gas Infrastructure Protection for Supplying the different kinds of potential threats to the U.S. electricity
Electric Power Plants,” focuses on the interdependencies infrastructure [1]–[3], [13].
with markets and gas pipelines. The restructuring of elec- • Attacks upon the power system. In this case, the elec-
tricity has introduced new risks associated with the security tricity infrastructure itself is the primary target—with
of natural gas infrastructure on a significantly large scale, ripple effects, in terms of outages, extending into the
which entails changes in physical capabilities of pipelines, customer base. The point of attack could be a single
operational procedures, sensors and communications, component, such as a critical substation or a transmis-
contracting (supply and transportation), and tariffs. The sion tower. However, there could also be a simulta-
authors discuss the essence of protecting the natural gas neous, multipronged attack intended to bring down the
infrastructure for supplying the ever-increasing number of entire grid in a region of the United States. Similarly,
gas-powered units and its impact on the reliability of the the attack could target electricity markets, which be-
electricity infrastructure. cause of their transitional status are highly vulnerable.
To extend this further to the larger interconnected sys- • Attacks by the power system. In this case, the ulti-
tems incorporating the power system, protective system, mate target is the population, using parts of the elec-
fuel supply infrastructure, and the communications system, tricity infrastructure as a weapon. Power plant cooling
methods are needed to overcome the computational com- towers, for example, could be used to disperse chem-
plexity introduced by the massive size and interconnected- ical or biological agents.
ness of these complex systems. • Attacks through the power system. In this case,
the target is the civil infrastructure. Utility networks
V. INFRASTRUCTURES UNDER THREAT include multiple conduits for attack, including lines,
The terrorist attacks of September 11 have exposed crit- pipes, underground cables, tunnels, and sewers. An
ical vulnerabilities in America’s essential infrastructures: electromagnetic pulse, for example, could be coupled
Never again can the security of these fundamental systems through the grid with the intention of damaging com-
be taken for granted. Electric power systems constitute the puter and/or telecommunications infrastructure.
fundamental infrastructure of modern society. A successful
terrorist attempt to disrupt electricity supplies could have VI. THE DILEMMA: SECURITY AND QUALITY NEEDS
devastating effects on national security, the economy, and The specter of terrorism raises a profound dilemma for
the lives of every citizen. Yet power systems have widely the electric power industry: How to make the electricity in-
during 1998–2001 to enable critical infrastructures to adapt visualizing and analyzing large-scale emergent be-
to a broad array of potential disturbances, including terrorist havior in complex infrastructures;
attacks, natural disasters, and equipment failures. • management: deciding what to do—to develop dis-
The CIN/SI overcame the long-standing problems of com- tributed systems of management and control to keep
plexity, analysis, and management for large interconnected infrastructures robust and operational.
systems—and systems of systems—by opening up new con- In all, more than 300 technical papers have been published
cepts and techniques. Dynamical systems, statistical physics, to date, and 19 promising technologies have been extracted
information and communication science, and computational from CIN/SI findings for commercial development. These
complexity were extended to provide practical tools for mea- results address diverse areas, including electricity grid anal-
suring and modeling the power grid, cell phone networks, the ysis and control, Internet communications and security, man-
Internet, and other complex systems. For the first time, global ufacturing process control, command and control networks,
dynamics for such systems can be understood fundamentally traffic flow over highway nets, long-term design of critical
(Fig. 4). infrastructures, and integrated assessment of design and poli-
Funded effort included six consortia, consisting of 107 cies in a global context. CIN/SI results also addressed the dif-
professors and numerous researchers and graduate students ficult qualitative aspects of modeling the bounded rationality
in 26 U.S. universities, focused on advancing basic knowl- of the human participants in complex systems. Such anal-
edge and developing breakthrough concepts in modeling and ysis is critical because humans are the components in any
simulation, measurement sensing and visualization, control system most susceptible to failure and the most adaptable in
systems, and operations and management. A key concern managing recovery. Together, these results provide an initial
was the avoidance of widespread network failure due to cas- technical foundation for projecting key dynamics on a global
cading and interactive effects—to achieve this goal, technical scale.
objectives were defined in three broad areas: As part of enabling a self-healing grid, we have developed
• modeling: understanding the “true” dynamics—to de- adaptive protection and coordination methods that minimize
velop techniques and simulation tools that help build a impact on the whole system performance (load dropped as
basic understanding of the dynamics of complex infra- well as robust rapid restoration). There is a need to coor-
structures; dinate the protection actions of such relays and controllers
• measurement: knowing what is or will be hap- with each other to achieve overall stability; single controller
pening—to develop measurement techniques for or relay cannot do all, and they are often tuned for worst