Toward Modeling Alarm Handling in SCADA PDF
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TPWRS.2019.2916025, IEEE Transactions on Power Systems
P. Mahmoudi-Nasr is with the University of Mazandaran, Babolsar 47416-13534, and also with Tarbiat Modares University CERT (APA), Iran (e-mail:
P.Mahmoudi@umz.ac.ir).
0885-8950 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This paper is organized as follows. Section 2 presents the related works and contributions. Section 3 describes the proposed AH model. Section 4 provides validation and simulation results. Section 5 gives the conclusions.

[Figure: use-case diagram. Actor: Dispatcher. Use cases, linked by <<include>>: System status monitoring; Event or alarm acknowledgment; Control setting modifications by using RTU; Requesting repair or maintenance service; Reaction to]

II. RELATED WORKS AND CONTRIBUTIONS

In a SCADA system, RTUs collect real time information of the field devices and transfer them to the control room through
[Figure: Fig. 2. Sequence diagram of the messages in SCADA system. Lifelines: Dispatcher, HMI, HIS, RTU, Substation's operator. Panels: (a) System status monitoring; (b) Message acknowledgement; (c) Remote alarm clearing by dispatcher; (d) Alarm clearing by OP cooperation.]

occur an insider attack when he/she commits an error of commission. Therefore, the probability of clearing an alarm

[Figure: branch diagram for clearing an alarm. Labels: Dispatcher threat for clearing; Wrong-Command ($P_{error}^{dp}$); Right-Command ($1-P_{error}^{dp}$); OP threat for clearing; Wrong-Operation ($P_{error}^{op}$); Right-Operation ($1-P_{error}^{op}$); Alarm not cleared.]

tokens with time stamp. The color is equivalent to type, and time is used for evaluating performance indices. In addition, the CTPN integrates the abilities of PN for process interaction with the abilities of a high-level programming language for the definition of data types and the manipulations of data values. Hence, the CTPN is suitable to model complex systems [25].

The proposed CTPN model of AH is presented in Fig. 4. This CTPN model represents the data communication processes in a SCADA system in order to identify and prevent conditions that may cause risks to a CI application. Table I shows the meaning of places. The set of places P is partitioned into $P = S \cup C \cup NET$. The set S collects the substation objects, $S = \{AA_j, RTU_1, RTU_2, OP, CLR, NoCLR\}$, and the set C collects the control room objects, $C = \{HMI_1, HMI_2, HIS\}$. A token in a place $p \in S \cup C$ is a message to be sent or received by the corresponding object. Note that a token in AAj represents a fault agent in a field device for alarm type j. Tokens in RTU1 are alarm messages that should be sent from the remote substation to the control room, and a token in RTU2 is a dispatcher's command set message that should be sent to field devices for updating setting values and clearing the corresponding alarm. Moreover, a token in the place OP represents a dispatcher's command set message that should be executed carefully by the OPs devoted to handling the alarm. A token in place (No)CLR represents a (no)cleared alarm. In addition, for modeling purposes, the place HMI is described by two places: tokens in HMI1 are alarm messages that should be acknowledged, and tokens in HMI2 are alarm messages that should be cleared by a dispatcher. Each token in HIS represents a recorded message. The place set $NET = \{NET_1, NET_2\}$ represents the communication network. Each token in NET1 is an alarm message, which has been sent through RTU1, and a token in NET2 is a command set message
TABLE V
The real performance indices for major alarms.
I ADTJ (min) MDTJ (min) ANA
6 227.52 2292.42 53.76
8 225.89 2524.36 71.23
10 228.43 2815.23 83.35
TABLE VI
The real performance indices for minor alarms.
I ADTI (min) MDTI (min) ANA
6 446.68 2089.26 9.66
8 446.33 2437.52 12.63
10 438.57 2529.19 14.81
[Figure: Fig. 5. The average delay/maximum delay for clearing major alarms.]

TABLE VII
Single mean test results for ADTJ at 3 months.
I    t       Sig.    Mean difference   Std. error mean   Real mean   Simulated mean
6    0.364   0.717   17.63             48.43             245.15      227.52
8    0.714   0.478   34.63             48.51             260.52      225.89
10   0.384   0.702   19.02             49.60             247.45      228.43

TABLE VIII
Single mean test results for ADTI at 3 months.
I    t       Sig.    Mean difference   Std. error mean   Real mean   Simulated mean
6    0.85    0.41    1558.05           1827.20           2004.73     446.68
8    -0.51   0.62    -93.26            183.17            353.07      446.33
10   -0.47   0.65    -85.50            183.17            353.07      438.57
evaluate the system behavior:
- The average delay time for clearing major alarms (ADTJ);
- The average delay time for clearing minor alarms (ADTI);
- The average maximum delay time for clearing major alarms (MDTJ);
- The average maximum delay time for clearing minor alarms (MDTI);
- The average number of alarms (ANA) that are waiting in the place HMI1.

The defined performance indices are analyzed for different values of the number of substations (i.e. I=6, 8, 10) and by a simulation run of 129600 time units (minutes), which is equivalent to 3 months. The performance indices are obtained from 1000 independent iterations with a 95% confidence interval. Besides, the half width of the confidence interval is about 1.3% for ADTJ and 2.2% for ADTI in the worst case, which confirms sufficient precision of the performance indices estimation. Tables V and VI show the results for each type of alarm with the corresponding half width confidence intervals.

In addition, a simulation validation has been performed thanks to the cooperation of the AOC dispatchers. In order to validate the proposed CTPN model and determine how closely the simulation model illustrates the real system, a standard statistical procedure, known as the single mean test, is employed. The single mean test results on the ADTJ and ADTI at 3 months indicate that, with a 95% confidence interval, there is no significant difference between the simulation and the real data samples. Tables VII and VIII present the test results for major and minor alarms, respectively.

Moreover, Figs. 5 and 6 compare the average and maximum delays for each type of alarm. The figures show that when the number of substations increases from I=6 to 10, the average maximum time of delay increases. Instead, the average time of delay is almost unchanged by the number of substations. Such results are a consequence of the fact that the skilled dispatchers, in cooperation with the OPs, try to keep the average delay time unchanged in order to maintain network reliability, even though their workload has increased. However, Fig. 7 shows, as expected, that the average number of major and minor alarms tends to increase with the number of substations. This result illustrates that the study and analysis of the AH and the associated workload of the dispatchers and OPs are a most important issue for ensuring CI reliability.

[Figure: Fig. 6. The average delay/maximum delay for clearing minor alarms.]

[Figure: Fig. 7. The average number of alarms for each type of alarm.]

A. Insider attack Scenarios

In this section, two insider attack scenarios (no-response attack and delayed attack) are considered to evaluate the response of the proposed CTPN model when an alarm appears and the dispatcher/OP does not intend to clear it perfectly. In each scenario, different intensities of attack can be studied by assigning different values to the parameters.

In no-response attack scenarios, the dispatcher and/or OP do not send the correct response for clearing alarms. The value of the
TABLE IX
The values of the parameters for no-response attack scenarios.
( , )major (4.59,1.67) , ( , )minor (5.12,1.93)
$P_{error}^{dp}$   $P_{error}^{op}$   K1            K2            I
0 to 0.6           0 and 0.5          14400 (min)   86400 (min)   10

TABLE X
The values of the parameters for delayed attack scenarios.
K1=14400(min), K2=86400(min), I=10
$P_{error}^{dp}$   $P_{error}^{op}$   major     major   minor     minor
0                  0                  1 to 10   1.67    6 to 15   1.93
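
An added example, not code from the paper: a minimal token game over the places named in the model description, run for the no-response scenario on a grid inside Table IX's P_error ranges. The serial firing order, the exponential per-hop delay and its mean, and treating any wrong command or wrong operation as an uncleared alarm with no retry are all assumptions made for illustration.

```python
import random
from dataclasses import dataclass

# Place names are the page's; this serial firing order is an assumption.
PATH = ["RTU1", "NET1", "HMI1", "HMI2", "NET2", "RTU2", "OP"]

@dataclass
class Token:
    color: str    # alarm type: "major" or "minor"
    stamp: float  # creation time in minutes (token born in place AAj)

def run(n_alarms, p_dp, p_op, mean_hop=5.0, seed=1):
    """Fire n_alarms tokens through PATH; return the final marking and indices."""
    rng = random.Random(seed)
    marking = {"HIS": [], "CLR": [], "NoCLR": []}
    delays = {"major": [], "minor": []}
    for i in range(n_alarms):
        tok = Token(rng.choice(["major", "minor"]), stamp=10.0 * i)
        clock, wrong = tok.stamp, False
        for place in PATH:
            clock += rng.expovariate(1.0 / mean_hop)  # constructed delay, not the paper's
            if place == "HMI1":                       # alarm shown and recorded
                marking["HIS"].append((tok.color, clock))
            elif place == "HMI2":                     # dispatcher builds the command set
                wrong = wrong or rng.random() < p_dp  # Wrong-Command branch
            elif place == "OP":                       # OP executes the command set
                wrong = wrong or rng.random() < p_op  # Wrong-Operation branch
        if wrong:
            marking["NoCLR"].append(tok)
        else:
            marking["CLR"].append(tok)
            delays[tok.color].append(clock - tok.stamp)
    adt = {c: sum(d) / len(d) if d else None for c, d in delays.items()}
    mdt = {c: max(d) if d else None for c, d in delays.items()}
    return marking, adt, mdt

def sweep(n_alarms=4000):
    """Cleared fraction over a grid inside Table IX's P_error ranges."""
    rows = []
    for p_op in (0.0, 0.5):
        for p_dp in (0.0, 0.2, 0.4, 0.6):
            marking, _, _ = run(n_alarms, p_dp, p_op)
            rows.append((p_dp, p_op, len(marking["CLR"]) / n_alarms))
    return rows

if __name__ == "__main__":
    for p_dp, p_op, cleared in sweep():
        print(f"P_dp={p_dp:.1f} P_op={p_op:.1f} cleared={cleared:.3f}")
```

Under these assumptions the cleared fraction tracks (1 - P_dp)(1 - P_op), so an uncleared backlog well above that baseline for a given dispatcher or OP is the signal worth reviewing.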