ESSENCE is a project funded by the CIPS EU programme to evaluate costs and benefits of applying emerging security standards to the European power grid controls systems, based on two case studies. Those systems are vulnerable to cyber-attacks that can inhibit their operation, corrupt valuable data, or expose private information. Attacks might affect large portions of the European power system, make repair difficult and cause huge societal impact.

To counter this threat, which is common to several networked infrastructures such as the oil and gas and the water networks, and power, oil and chemical process plants, several standard frameworks are being proposed. It is difficult to evaluate costs and benefits of their adoption, although experimentation so far has shown that they are huge. Thus there is a need for establishing the economic and organisational impact of their implementation in Europe.

The objective of ESSENCE is to identify costs and benefits on an objective basis, and outline organisational processes wherever beneficial.

_________________________________________

 


 

                   

 

Executive Summary

(Preliminary version)

ESSENCE – Emerging Security Standards to the EU power network controls and other Critical Equipment

 

Partners of the project are:

CNR-Ceris (Coordinator) (Italy); Università del Piemonte Orientale Amedeo Avogadro (Italy);
Deloitte Advisory S.l. (Spain); Antonio Diu Masferrer Nueva Empresa SLNE (Spain);
Enel Ingegneria e Ricerca S.p.A. (Italy); Abb S.p.A. – Power systhems division (Italy);
 
IEN - Institute of power engineering (Poland); PSE – Operator SA (Poland).

 

 

 

 

 

 

 

 

With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme European Commission - Directorate-General Home Affairs

The Commission is not responsible for any use that may be made of the information contained therein,
the sole responsibility lies with the authors.

 

 

Premise

As it is well known, power system controls are vulnerable to cyber-attacks that can inhibit their operation, corrupt valuable data, and expose private information. Such attacks may affect large portions of the European power system, make repair difficult and cause huge societal impact, so that pressure to ensure cyber-security of control and communication systems is now very strong worldwide. To that aim, several cyber-security frameworks have been developed or are under development at present, both in the form of guidelines and proper standards, but it was rather difficult to anticipate costs and benefits of their adoption, although worldwide experience had shown that both are huge. Over 2012-2014, the ESSENCE project performed a study in order to evaluate these costs and benefits on a rational base, including:

 

·         The development of a common understanding of industrial needs and requirements regarding the security of control systems and the related standardisation efforts.

·       Identification of the main power system vulnerabilities induced by control systems, and estimating the likely socio-economic impact of failures due to faults and attacks exploiting those vulnerabilities.

·         Evaluation of the main emergent frameworks for ensuring industrial control systems security[1], so as to establish the costs of their adoption on an objective basis.

 

The project conclusions were largely based on the outcome of two case studies, concerning a broad portion of the Italian power generation capability (involving one large Italian Region) and the Polish Transmission System. Both confirmed that cyber-attacks able to properly exploit current vulnerabilities of the two systems could turn into large and extended blackouts. In the main:

 

·         Current Industrial Control Systems (ICS) of power generation plants and transmission grids bear important vulnerabilities.

·         These can be exploited by attacks that may lead to sudden shutdown of some power generation plants and substations of the transmission grid.

·         In special cases (e.g. multiple attacks, attacks to special places and/or when the transmission grid is somewhat ‘weak’), these attacks may bring to significant blackouts that may involve million inhabitants and last several hours.

·         These power system weaknesses are clearly confirmed by some past blackouts due to natural phenomena and technical failures that caused domino effects involving tenths of millions of citizens[2]. These events may cause very high direct damage, both to the productive sector (agriculture, industry, services) and to residential users.

 

Alargeblackoutmay also result into indirect damagethat does not directly depend on production loss. Although this cannot be wholly quantified by a macroeconomic approach, some qualitativeinformation may be extracted by analyzing past blackouts. They relate to emerging costs related to damages to production lines, to the deterioration of raw materials and products and to long restarting times in case of firms, and to the social damage induced by theblackout.This last was partlyincorporated into theestimation methodadoptedfor the calculationof the costfor households, whilecollective social costs(e.g.difficultyto ensurevital services, such as telecommunications, securityandhealth care) were not evaluated. Inconsideration of this,the provided estimates must be considered asa sort oflower bound for the realdamagethata blackoutwould bring.

Cost of countermeasures

Based on current and prospected security standards, the project identified the key organizational and technical countermeasures needed to increase the security level of the involved infrastructures so as to neutralize possible attacks. Although these do not totally eliminate existing vulnerabilities, they make the occurrence of serious events much less likely.

The analysis estimates the cost that a country should deal with in the adoption of security standards in the transmission and generation of electricity. The methodology adopted quantifies the cash flows for the implementation and maintenance of the security standards. Some of the costs, specifically the ones related to the design, acquisition and implementation of countermeasures, are investment costs to be borne only once, at the initial time; other costs, specifically those related to the maintenance of the countermeasures, are operational costs to be borne annually.

The costs for a large multinational company or a national TSO is much higher than the direct cost the company or the TSO bears in the event of a blackout but much less than the damage to production and residential end users.

In both cases two situations have been considered: costs that should be borne if no security standards had been implemented yet (Cost starting from 0) and costs that should be borne starting from the current situation in order to manage a higher supplementary security (Delta cost).

Table 1: Total cost of implementing and maintaining countermeasures in Poland and in Italy (000 €)[3]

 

COST STARTING FROM 0

DELTA COST

 

Implementing

Maintaining

Implementing

Maintaining

Electricity transmission in Poland

26,016

5,016

7,486

2,457

Electricity generation in Italy

27,730-52,480

6,480-11,980

20,000-40,000

3,480-5,980

 

Just as a case of exercise, if the situation of the adoption of security standards in the transmission system by a country without any previous security may occur, table 2 shows a simulation for a smaller and larger TSO than PSE -, the Polish TSO - involving a total of 30 and 200 substations, respectively. While the data for Poland are the same of table 1 with the subdivision of maintaining costs in software and labour, for the two example cases the simulation adopts a non-proportional scale with regard the size of the TSO.

Table 2: Total cost of implementing and maintaining countermeasures in a TSO (€)

   

SMALLER
COUNTRY

POLAND

LARGER
COUNTRY

Implementing

Substations 

6,047,200

15,118,000

27,212,400

Information control systems

1,453,280

3,633,200

6,539,760

Office systems

2,905,920

7,264,800

1,3076,640

TOTAL IMPLEMENTING

10,406,400

26,016,000

46,828,800

Maintaining

Software

Substations 

834,900

2,087,250

3,757,050

Information control systems

155,216

388,040

698,472

Office systems

510,496

1,276,240

2,297,232

Total maintaining Software

1,500,612

3,751,530

6,752,754

Maintaining

Labour

Substations 

208,800

696,000

1,392,000

Information control systems

54,000

180,000

360,000

Office systems

116,700

389,000

778,000

Total maintaining labour

379,500

1,265,000

2,530,000

 

TOTAL MAINTAINING

1,880,112

5,016,530

9,282,754

Assessment of the economic impact involved

Electricity supply security is a very important feature of the whole electric service. Over time, most human activities in developed countries have become more and more dependent on the stable presence of electric energy. This is true not only for the productive sectors (industry and services), but also for most part of the every-day home activities, such as housework, cooking, or leisure activities: watching TV, surfing on the internet, and also reading, at least in the evening. In most developed countries, service reliability has reached very high levels, so that an outage is often considered as an exceptional event. For this reason, when it happens (especially if it is unexpected), it creates huge inconveniences.

Although consumers would surely agree that electricity supply security has a relevant value, how high this value is (in monetary terms) makes a very difficult issue. The main difficulties to this evaluation are related to the fact that supply security is a non-tradable public good[4]. Public goods have the common properties of being non-rival and non-exclusive in consumption. Non-rivalry implies that consumption of that good by one person does not limit its use by other people. Non-exclusivity indicates that individuals cannot be excluded from consumption. In general, public goods are also non-tradable, i.e. there is no market were they can be sold or purchased. This implies that no price is available for them. This is the main point that makes the economic evaluation difficult: the value of a good is often reflected in its market price. Since there is no market price for supply security, its value must be inferred in a different way.

Since direct measurements of the value of service reliability are in general considered as very difficult tasks, a reasonable and broadly accepted approach to evaluate supply security is estimating the damage that would occur in case of failure[5]. Failures may assume different forms, such as blackouts (loss of power lasting a period of time), brownouts (non-complete drop in voltage), transient faults (loss of power lasting few seconds), etc. Our study focused on the consequence of blackouts in selected areas, since this is the kind of failure considered in the Italian and Polish case studies.

Blackouts may generate several different kinds of damage; we made distinction between economic and non-economic (social) costs[6]. Some damage categories present an evident causal relationship with the interruption, while in other cases this link is weaker.

Among the immediate effects of the cessation of supply, the main drawback for the productive sectors is production losses. However, depending on the production process characteristics, other damage categories are relevant. This is the case of idle or spoiled production factors (labour, materials, capital), damaged equipment, re-starting costs. For households, food spoilage is one annoying inconvenience. All these sources of damage can be classified as economic, since they generate either a monetary (“out-of-pocket”) loss, or a profit reduction, or both.

Anyway, other sources of inconvenience play important roles, though they do not generate monetary losses: these can be classified as social costs of interruptions and involve the loss of leisure time, the inconvenience due to the lack of services, uncomfortable temperature in buildings, mental stress, etc. It is clear that these costs apply to individuals, while firms mainly face purely “economic” damages. Finally, other costs arise as mediate consequences of the interruptions, such as the increase in criminal activity, and their evaluation is even more complex. Developing a methodology including all the possible sources of damage is not practically feasible. Thus we decided to focus on some costs categories only:

 

·         For individuals we have adopted a survey-based methodology aimed to evaluate the whole damage suffered by a household during a blackout. Therefore, both economic and social costs were included with reference to the domestic life of individuals.

·         For companies, we evaluate the damage in terms of lost production only.

 

As said above, other kinds of damage also play a relevant role, but they were not included in our quantitative analysis[7]. Also, social costs do not involve the domestic life of individuals only, they may relate to availability of essential collective services such as public health, transports, or communications. These costs as well were not included in our quantitative analysis which, thus it must be considered a lower bound prudent estimate.

We employ a mixed methodology relying on the “production function” approach for the non-household sector, while an econometric method based on survey data (stated preferences) is used for household consumers. Finally, a separate evaluation was carried on with reference to the electricity sector. The evaluation is applied specifically to the hypothetical blackouts described in the Italian and Polish trials, and it follows precisely both blackout scenarios, including time and geographical framework, type of customers, features of the economic system, recovery process.

With reference to the Italian case, we found a total damage for non-households ranging from 35 to 46 € millions, while for the residential segment the blackout cost is between 36 and 64 € millions, with a believable value set around 52 € millions considering the characteristics of the average consumer in that area. The damage for the electricity sector due to non-sold energy is about 2 € millions.

In relation to the Polish trial, we found a damage for non-households of 25-35 € millions, while for households the range is between 30 and 61 € millions. If we consider the characteristics of the average residential consumer, we get a total cost of about 52 € millions. For the electric operators the damage is about 0.7 € millions. In conclusion, the estimated damage for households is in both cases higher by far than for non-households[8]. The damage for the electricity sector (not taking into account the damage to reputation) is a very small fraction of the total estimated damage.

Conclusions

Our analysis clearly shows that from a mere economic viewpoint electric companies should not increase their security levels, as the annual costs of those countermeasures is much greater than their direct cost of a single blackout. However the total cost of an event for the society as a whole is by far greater than the annual cost of the said countermeasures. Therefore it is of interest for the community to take actions to raise the security level and ultimately reduce global risk.

The whole European Electric System is interconnected. An event on the electricity grid in one of the EU countries may have repercussions onto many others. Therefore it is up to public authorities require the overall adoption of current security standards and countermeasures to the companies operating in the electric system of the European Union. The nature of public good of security underlines the necessity to fund this operation, but the extent of this funding and the way this will be managed have still to be discussed.  The aim should be to achieve a certain level of security, correlated to a pre-determined risk, by all the European utilities – as the security level of the European power system is ultimately equal to the one of the weakest utility.

 

Ceris Technical Reports
Special ESSENCE series on security standards for critical infrastructures

 N. 47: Considerations on the implementation of SCADA standards on critical infrastructures of power grids.

Ugo Finardi, Elena Ragazzi and Alberto Stefanini .

http://essence.ceris.cnr.it/images/documenti/RT_47.pdf

 

 N. 48:  Attack scenarios. Threats, vulnerabilities and attack scenarios along with their selection criteria

Fernando Garcı́a, Marco Alessi , Hanna Bartoszewicz-Burczy, Andrés Cortes, Daniela Pestonesi , Tadeusz Włodarczyk

http://essence.ceris.cnr.it/images/documenti/RT_48.pdf

 

N. 51:  Terms of Reference for the trials.

Antonio Diu

http://essence.ceris.cnr.it/images/documenti/RT_51.pdf

 

N. 52: Benefit analysis. Assessing the cost of blackouts in case of attack. Evaluation based on Italian and Polish case studies.

Clementina Bruno, Graziano Abrate, Hanna Bartoszewicz-Burczy, Andrés Cortes, Antonio Diu, Enrique Doheijo, Fabrizio Erbetta, Greta Falavigna, Ugo Finardi, Giovanni Fraquelli, Luca Guidi, Azahara Lorite-Espejo, Valentina Moiso, Daniela Pestonesi, Elena Ragazzi, Tadeusz Wlodarczyk

http://www.ceris.cnr.it/ceris/rt/RT_52.pdf

 

N. XX Cost analysis of standard implementation in the SCADA Systems of electric critical infrastructures.

Giulio Calabrese, Ugo Finardi, Elena Ragazzi, with Alberto Stefanini.

In press

 

N.XX   Evaluation of the trials

Fernando Garcı́a, Elena Ragazzi, Alberto Stefanini

In press.

 



[1] Ceris Technical Report Special ESSENCE series on security standards for critical infrastructures. N. 47: Considerations on the implementation of SCADA standards on critical infrastructures of power grids . Ugo Finardi, Elena Ragazzi and Alberto Stefanini . http://www.ceris.cnr.it/ceris/rt/RT_47.pdf

[2] e.g. Italy 2003, USA and Canada 2003, Germany and other Europe countries 2006, India 2012.

[3]In the Polish case the assessment is more precise due to the fact that a unique transmission system operator is in charge of the system, whereas in the Italian case a lot of big and small generation companies operate. Due to this reason an estimation range was pointed out in the latter case.

[4]Garcia Gutierrez, F., Schmidthaler, M., Reichl, J., Voronca, S., Roman, T.E. (2013). Public effects knowledge base. Deliverable D2.2. SESAME “ Securing the European Electricity Supply against malicious and accidental threats.

[5] R. Ghajar and R. Billinton, “Economic Costs of Power Interruptions: A Consistent Model & Methodology”, Journal of Electrical Power & Energy Systems, Vol. 28, 2006, pp. 29-35.

[6]R. Billington (chair); Methods to consider customer interruption costs in power system analysis. Task Force 38.06.01, CIGRE 2001

[7]This is the case of damage to equipment and plants, losses in raw materials and long re-starting times for firms.

[8]Since for non-households, only production losses were considered, the project performed three case studies highlighting different types of additional costs. Although they are very different in terms of source and of economic impact and are very difficult to quantify, their magnitude may be important. These  vary a lot, even within single industries and do not depend only on the type of production process, but also on the company organisation as well as the whole value chain. These costs include: spoiled raw materials or products (or their depreciation), staff-cost for extraordinary maintenance and damage repair, restarting times, damages to production or electrical equipment, extra organisational costs for just-in-time processes. The competitive advantage on reduced time to market would also suffer.  Losses in reputation and in customer satisfaction are difficult to quantify, but they may prove important in highly competitive markets.