Bilis 2013
Abstract—This paper focuses on deliberate acts aimed at the disruption of the electric power infrastructure and their impact on its operational capability. Metrics derived from complex network theory and social network analysis are used to identify the important elements of the electric power transmission grid. Using the outcomes of this screening procedure as a guide, a number of physical attack scenarios have been fabricated and applied. The nature of these scenarios is either deterministic (targeted attacks) or stochastic (sets of elements are randomly attacked). We appraise the effect of these attacks on the serviceability of the electric power system by modeling of potential cascading events through calculation of transmission grid components’ loading, a Monte Carlo simulation of hidden failures, and, finally, operator performance analysis based on a simple human reliability model. The effect of each attack scenario is quantified in terms of the blackout size (electric-power-not-served). To illustrate the application of the developed model to the security assessment of targeted physical attacks against the electric power infrastructure, the Swiss transmission grid is taken as the test system.

Index Terms—Cascading failures, centrality metrics, complex systems, industrial power system vulnerability, physical attacks.

Manuscript received August 14, 2010; revised October 29, 2010; accepted November 1, 2010. This work was supported in part by the Swiss Federal Office for Energy and Swisselectric Research.
The authors were with the former Laboratory of Safety Analysis, Swiss Federal Institute of Technology, Zürich 8092, Switzerland (e-mail: bilis@mavt.ethz.ch; wkroeger@ethz.ch).
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/JSYST.2012.2223512
1932-8184/$31.00 © 2012 IEEE
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

I. Introduction

Energy infrastructures have long been subject to deliberate physical attacks in addition to cyber attacks against their communication and control systems. A large portion of these physical attacks were toward the electric power infrastructure [1]–[8]. Today, with the omnipresent threat of terrorism in industrialized countries, potential deliberate attacks against electric power systems (EPS) receive extensive attention. A 2002 U.S. National Research Council panel stated that “a coordinated attack on a selected set of key points in the system could result in a long-term, multi-state blackout” [9]. Concerns include the impact on the electric power infrastructure from a possible physical attack, the economic and social consequences of the latter, and finally, discovering ways to impede potential attackers and to mitigate the effects of such an attack. Many countries, having realized the consequences of a targeted attack against their electric power infrastructure, have already taken steps toward investigating the above concerns [10], [11].

Attempts to capture the effect of physical malicious attacks against electric power systems range from lessons learnt from historical records and enumeration of the critical points of an EPS [12], [13] to the use of game theory concepts, where the interaction between the threat and the defender is envisaged as a game [8], [14]. Some simulation attempts focus on evaluating defense strategies [8], while others take the defense scheme as given and try to quantify the economic impact of a potential attack [15].

This paper quantifies the effects of postulated attacks against components of the electric transmission infrastructure using a hybrid approach: a complex network theory approach is used to fabricate the attack scenarios on an EPS and a realistic model of the latter is used to appraise the effect of these scenarios. Section II debates the characteristics of antagonistic attacks against EPSs and whether the latter pose tempting targets. Section III introduces a methodology for identifying the most critical nodes of a transmission grid. To achieve that, topological metrics borrowed from complex network theory and social network analysis are used. The selected nodes act as the targets in a number of targeted attack scenarios. Section IV analyzes the response of a power system, following a disruptive attack on a set of its elements. During the system response analysis, potential cascading events following the postulated attack are taken into consideration. Section V presents the simulated response of the Swiss transmission system when sets of its components are damaged or destroyed due to malicious physical attacks. The effect of the latter on the serviceability of the former is quantified. Sections VI and VII present the conclusion of the procedure introduced and future model additions and extensions.

II. Physical Malicious Attacks Against the Electric Power Infrastructure

In the last 15 years, major electric power outages worldwide emphasized the vulnerability of electric power systems to a wide range of phenomena and activities: natural disasters, component failures, erroneous actions by the system operator(s), and even acts of malicious intent all contributed in one way or another to these wide area blackouts.

In this paper, however, the physical aspect of acts of malicious intent will be investigated. This threat has received heightened attention since military campaigns, terrorist attacks, and acts of vandalism or sabotage targeted in one
way or another the electricity infrastructure (e.g., in July 2010, Baksanskaya hydro plant in the North Caucasus area was shut down after an attack on the facility that left two people dead [16]; NATO destroyed portions of the Serbian electric power infrastructure in 1999 [4]). But what are the distinguishing characteristics of targeted physical attacks as compared to other more traditional threats and what makes the electric power infrastructure a tempting target?

A. Deliberate Physical Attacks Against EPSs

Physical attacks, in contrast to other threats, e.g., natural disasters, are deterministic in nature (attackers know which components to target). Moreover, they share a number of characteristics that make them stand out.
1) They are selective. Does a successful attack affect more than the immediate victims? Does the target have a big potential to produce disruptive and/or cascading events? Is it loosely protected? It is more likely to be attacked in this case [17].
2) They exhibit temporal selectivity. The time of the attack is chosen so that the effects are maximized (e.g., in the case of EPS, launch of the attack during peak time).
3) The effects of a successful physical attack are possible to be aggravated either directly (secondary attacks against the same target) or indirectly (instilled fear and exposure to an uncommon situation prolongs restoration process).

B. EPS’s Vulnerability to Deliberate Physical Attacks

Electric power systems have some inherent attributes that render them tempting to malicious attacks.
1) Since terrorist attacks aim at having the largest impact on society, EPSs pose a credible target; besides the direct economic damage of a massive blackout, lack of the necessary can instill fear in the citizenry [17].
2) EPSs are extensive and usually distributed over a huge geographic area. In conflict situations, remote facilities (e.g., substations), transmission lines, and generators pose tempting targets.
3) Critical elements are spatially concentrated (e.g., high voltage substations) making them susceptible to common cause initiating events.
4) With the exception of nuclear plants and some generating stations, most EPS sites are loosely protected. Moreover, as noted by NERC in [18], “Most electricity sector members do not have in place business recovery plans that include procedures for dealing with widespread, well-planned attacks on physical facilities. Likewise, they do not include procedures for dealing with deliberate attempts to hamper repair and restoration activities.”
5) Many critical EPS components are stationed in outdoor locations, where they are vulnerable to a number of threats (sabotage, material scavenging, etc.).
6) Spares for some EPS components are rarely available (due to storage space deficiency or cost). The logistics following the incapacitation of such a device could be lengthy (for high voltage transformers up to a year or more).
7) Since the deregulation in the electricity sector, power grids are operating closer to their limits. This makes them more susceptible to cascading events and potential wide-area blackouts following an initial system disturbance [19].
8) Materials used in the electric power grids (e.g., high-quality copper for transmission lines) are tempting targets for scavengers (nondirect threat against the electric power infrastructure).

To sum up, multiple sources of threats exist for the electric power infrastructure (natural hazards, cyber attacks, etc.), which probably pose a higher risk than physical threats [20], [21]. Nevertheless, the EPSs have been physically attacked in the past and nothing precludes future attempts against them. To quote from [22], “Any legislation on national security threats to reliability should address not only cyber security threat, but also intentional physical malicious acts (targeting for example, critical substations and generating stations).”

III. Fabrication of Attack Scenarios

In this section, a number of attack scenarios against the electric energy infrastructure are fabricated. Complex network theory is used to form the sets of EPS elements assumed as the salient targets in these scenarios. The selection of high voltage substations (and transmission lines in the random attack scenarios, as described in Section III-C) as the only potential targets of physical attacks was based on the following facts and assumptions.
1) Lines and substations belonging to the distribution level usually feed small industries and neighborhoods. As a consequence, this lowest level of the electric power infrastructure poses an unattractive target of attack.
2) High voltage substations are important points of an electric power grid since they constitute the part of an EPS that is responsible for the routing of electric power. They contain a plethora of critical components (massive step-up/step-down transformers, circuit breakers, control rooms, etc.) and are mostly unprotected [23]. Partial or total incapacitation of a high voltage substation affects all customers within its electric power service area.
3) In [7], it was shown that 60% of the analyzed terrorist attacks on EPSs targeted lines and towers on the transmission level. They pose easy targets since a big portion of the transmission towers and cables pass through isolated and uninhabited locations, making the attack easier. The potential effects of such an attack could be disproportionally high. The situation can be aggravated if multiple transmission lines are subjected to coordinated and periodically repeated attacks.
4) We make the assumption that nuclear power plants and generating stations, in general, are well protected, and are thus less attractive as targets and/or impervious to physical malicious attacks.

A. Complex Network Theory as a Tool of EPS Analysis

Electric power systems gather some qualifications that allow their characterization as complex [24]. They are formed
BILIS AND KRÖGER: PERFORMANCE OF ELECTRIC POWER SYSTEMS UNDER PHYSICAL MALICIOUS ATTACKS 3
where d(v, y) is the length of the shortest path connecting vertices v and y.

Low eccentricity of node v suggests that all other nodes are in proximity.

3) Betweenness Centrality: For a graph G = (V, E) with n vertices, the betweenness centrality C_B(v) of vertex v is defined as follows:

$$C_B(v) = \sum_{\substack{s \neq t \\ s \neq v \neq t \in V}} \frac{|\sigma_{st}(v)|}{|\sigma_{st}|} \qquad (4)$$

where σ_st is the set of shortest paths from s to t and σ_st(v) is the subset of σ_st that pass through vertex v.

For node v, high C_B value means that this node, for certain paths, is crucial to maintain node connections. Deactivation of v should cause a number of node pairs either to be disconnected or connected via longer paths [37].

4) Centroid Centrality: For a graph G = (V, E), the centroid centrality C_C(v) of vertex v is given by

$$C_C(v) = d(v) - \min_{y \neq v}[d(y)] \qquad (5)$$

where d(v) is the status of vertex v

$$d(v) = \sum_{y \in V} d(v, y). \qquad (6)$$

This centrality metric suggests that a specific node has a central position within a graph region, characterized by a high density of interacting nodes [37], [38].

5) Radiality: This metric was introduced in [46]. For a graph G = (V, E), the computation of this metric is based on the distance matrix D_vy = d(v, y), where v, y ∈ V. The reverse distance matrix RD is defined as follows:

$$RD_{vy} = \operatorname{diameter}(G) + 1 - D_{vy}. \qquad (7)$$

The diameter of a graph G is the maximum eccentricity of the graph.

Given the above, the radiality C_R of vertex v is defined as follows:

$$C_R(v) = \frac{\sum_{v \neq y} RD_{vy}}{(n - 1)}. \qquad (8)$$

High radiality means that node v is, with respect to the graph diameter, close to the other nodes. Low radiality can be interpreted as the node being peripheral.

C. A Heuristic Methodology for Rooting out the Most Critical Nodes

From Section III-B, it is obvious that specific centrality metrics are more suitable for different types of graphs (biological networks, social networks, infrastructure networks, etc.). Moreover, in the case of targeted attacks, the centrality metric used dictates the attack vector(s) (the sets of nodes that will be deactivated).

Here, we propose a heuristic procedure for the selection of the most important nodes of a graph, where the five centrality metrics presented in the previous section are equally weighted and combined.

Step 1) A given centrality metric is calculated for all nodes (substations). The node with the highest value (indication of maximal criticality) is placed on the top of the list linked with the metric and is deactivated. If two nodes have the same centrality value, the node to be deactivated is chosen at random. The centrality metric is then recalculated for all the remaining nodes. The node with the highest value is placed in position number 2 of the list linked with the metric. In this manner, a list comprising the chosen metric values for all nodes is constructed. The above procedure is repeated for all the centrality metrics. In that way, five lists are created, each one corresponding to each one of the centrality metrics used.
Step 2) The upper 5% of the nodes in each list is rooted out. That way, we are left with five lists, each one containing the nodes that collected the 5% highest values for the corresponding metric.
Step 3) A final list is created by selecting the nodes that appear at least in two of the lists created after Step 3. Given the discussion in Section III-B, the nodes (substations) comprising this final list are good candidates for the title of the most important network node.

D. Attack Scenarios

The attack scenarios are comprised of: 1) targeted attacks against the most critical nodes (substations); 2) random attacks against nodes (Swiss substations); and 3) random attacks against sets of edges (transmission lines).

In the test case presented in Section V, we investigate diverse forms of the above attack scenarios.

We made the following assumptions when constructing the targeted attack scenarios on nodes (substations).
1) The choice of targets relies only on the importance of the node, as dictated by the list created in Section III-C. In other words, the target is chosen on the basis of maximizing the negative consequences of the target’s deactivation.
2) The cost of disabling any node in the list is the same.
3) A targeted attack against a substation results in total damage (complete knockout of the node, along with the deactivation of all links incident upon this node).

IV. System Response Analysis

The aim of the system response analysis conducted here is to provide the state of the system that would be seen by an operator, after the electric power system is inflicted by damage caused from targeted or random physical attacks.

A. AC Power Model

The AC power model developed in [20] is used here. It can capture a wide area of interactions and events in a transmission grid, on many different levels (sympathetic tripping of transmission lines due to misoperation of their protection and control systems, checking for abnormal voltages in bus bars, checking for overloading in transmission lines, and a simple operator model).
B. Centrality Analysis

The Swiss high-voltage grid was represented by an undirected and unweighted graph; the nodes of this graph represented high-voltage substations, power plants, and loads inside Swiss borders, as well as substations outside Swiss borders that were neighbors to their Swiss counterparts.

We followed the procedure proposed in Section III to root out the most critical Swiss substations, thus most attractive for targeted attacks. That left us with eight nodes (substations). For security reasons, their names are not disclosed here. We refer to them as HVS1–HVS8.

C. Attack Scenarios

We postulated 46 targeted attack scenarios against the Swiss HV substations. Eight of them targeted each one of the eight critical nodes, as mentioned in Section III-B, 28 had pairs of these eight nodes as targets and ten had triplets of these eight nodes (simultaneous targeted attacks) as targets. This set of targeted attacks was followed by a set of 15 attack scenarios that implemented random node removal in triplets.

Finally, 60 attack scenarios that implemented random link (transmission line) removals were simulated.

D. Response Analysis of the Swiss Transmission System

Considering its position as a European electricity hub, it was decided to treat the Swiss transmission grid not as a stand-alone, isolated system; during the system response analysis the whole synchronous UCTE network was modeled (Fig. 3). In that way, we were able to capture interactions with the neighboring countries’ transmission networks, i.e., consequences of potential outages inside the Swiss’ borders on other countries’ high voltage grids. Moreover, the transmission lines of neighboring countries could take on part of the additional load in case of outages inside the Swiss borders, helping us avoid overestimation of an impact.

Fig. 3. ENTSO-E grid (purple and orange colored countries). Former synchronous UCTE grid in purple, with Switzerland highlighted in darker purple.

The input that dictated the initial intact state of the UCTE grid (and consequently of the Swiss high voltage grid) became available to the authors in the form of UCTE files. They are appropriately constructed to mirror a specific topology and loading of the former UCTE transmission network at a particular point in time. The file used in our analysis was a so-called reference case snapshot: a merged set of balanced snapshots of all the UCTE countries, done by Amprion, Germany. Two files are created per year. Without going into more details, the file used for load flow analysis represented an average load day in winter, close to peak load.

E. Simulations

For each one of the 121 (46 targeted and 75 random) attack scenarios, we repeated the system response analysis procedure 30 times. The average of these 30 simulating results had been taken as the result for the corresponding scenario.

A number of assumptions and parameter values were used during the simulation procedure.
1) Attack against a substation leads to its complete incapacitation. No redundancy (e.g., spare or alternate transformers) is taken into account.
2) Line redundancy (double lines between two terminal spots) is taken into account during the system response analysis.
3) The hidden failure probability was taken equal to 0.5%.
4) It was assumed that only one operator manages the whole grid.
5) During the system response analysis, the upper limit of the current that transmission lines can carry before the automatic protection system trips them was set to 150% with respect to the maximum rated current [54].
6) No abnormal conditions or hidden failures were taken into account for the grids that do not neighbor with a Swiss transmission line or substation.

F. Results

1) Targeted Node Attacks: Thirty-six attack scenarios were investigated. For scenarios HVS1–HVS8, each one of the critical substations (as dictated by the centrality analysis described) is deactivated in turn. In every one of the following 28 scenarios (HVS1–HVS2 to HVS7–HVS8), the critical substations are deactivated in pairs (e.g., scenario HVS1–HVS2 represents the deactivation of substation HVS1 and HVS2). For each one of the 36 attack scenarios, we repeated the system response analysis procedure 30 times. The average of these 30 simulating results is taken as the result for the corresponding scenario.

In Figs. 4–6, the mean load lost, generating power lost, and mean imbalance ratio are shown, respectively, for the 36
targeted attack scenarios postulated (single substation out or pairs of substations out).

Fig. 4. Mean load lost (in MW) for each targeted attack scenario.
Fig. 5. Mean generating power lost (in MW) for each targeted attack scenario.

These figures, as well the results of the 1080 simulation runs, have shown the following.
1) The load flow problem converged to a solution in all the attack scenarios. This is a good indication that no highly unstable/major-blackout conditions emerged from the targeted attack of the most critical substations.
2) The effect of cascading failures was very small; the maximum mean generation and load lost solely due to cascading failures was, respectively, GLCF = 40.8 MW and appeared for the attack scenario (HVS4-HVS7), and LLCF = 7.73 MW, which appeared for the attack scenario HVS3–HVS7.
3) Overloading of remaining transmission lines arose only from a few simulations (44 out of 1080). This shows that the operation of the Swiss transmission grid has good safety margins; the remaining transmission lines are able, in most situations, to take on the additional load induced by the hypothetical physical attacks against substations. In almost all the response analysis iterations that featured overloaded lines, substation HVS3 was involved.
4) Frequency stability refers to the ability of an EPS to maintain steady frequency following a severe system
disturbance [55]. We used the safety margins used in [54] that are dictated by the ratio of the total power demand to the total power supply as

$$0.95 < \frac{\text{Total Power Demand}}{\text{Total Power Supply}} < 1.05.$$

As can be seen in Fig. 6, many attack scenarios demonstrated a ratio outside the safety margins. This imbalance could potentially lead to some synchronous machines tripping and could be translated into a minor underestimation of the targeted attacks’ consequences (since historical events show that frequency instabilities can cause the tripping of some synchronous generators but protective systems do not allow the disturbance to cascade and transform into a wide area outage [56]).

2) Random Transmission Line Attacks: Sixty attack scenarios were investigated. For the first 30 scenarios, sets of ten transmission lines were randomly selected while for the other 30, sets of 15 transmission lines were randomly selected. These sets dictated the sets of transmission lines that were deactivated during the attack scenarios (10L-1 to 10L-30 are the code names for the ten-line attack scenarios and 15L-1 to 15L-30 the code names for the 15-line attack scenarios).

In Figs. 7–9, the mean load lost, generating power lost, and mean imbalance ratio are shown, respectively, for the 60 hypothetical random attack scenarios.

Fig. 7. Mean load lost (in MW) for each random attack scenario.

Comparing the above results with the corresponding results for targeted node attacks, we can see that the effects of
targeted node (high voltage substations) attacks are far greater than random link (transmission lines) attacks: 1) generating power lost was greater than 100 MW only in 5 out of 60 random attack scenarios; 2) no scenarios demonstrated load loss greater than 25 MW; and 3) the power demand/power supply only in one scenario (10L-5) fell outside the [0.95, 1.05] safety margins.

Fig. 8. Mean generating power lost (MW) for each random attack scenario.

3) Targeted Versus Random Node Removals: Ten targeted attack scenarios against triplets of the five most critical nodes were investigated. This set of simulations was followed by a set of 15 attack scenarios against randomly picked triplets of all the node graphs (Swiss substations). The attacks against the triplets of attacked substations are assumed to be synchronous. For each one of the 25 simulated attack scenarios, we repeated the system response analysis procedure 30 times. The mean load lost and mean generating power lost for each scenario are shown in Figs. 10 and 11. Comparing the results presented in these figures, we can see that the effects of targeted high voltage substation attacks are far greater than random high voltage substation attacks.
1) In one of the targeted attack scenarios, a convergent solution of the power flow equations could not be obtained (nonconvergence indicates an unstable condition and possible wide-area blackout). No such situations emerged during the random node-attack scenarios.
2) Generating power lost was greater than 1000 MW in six out of ten targeted attack scenarios. The same applied only to one out of 15 random attack scenarios.
3) Nine out of ten targeted attack scenarios demonstrated load loss greater than 500 MW. The same applied only
VII. Outlook
The future steps should include the following:
1) attack scenarios combining concurrent targeted node and
random link attacks;
2) targeted attack scenarios against links (transmission
lines) by calculating graph-based, link related metrics;
3) sensitivity analysis of our model by varying the sys-
tem response analysis model parameters (hidden failure
probability, human error probability, etc.);
4) investigation of the impact that a partial node destruction (HV substation not fully functional after attack) would have on the serviceability of the power system.

Fig. 11. Mean generating power lost (in MW) and mean load lost (in MW) for random attack scenarios against triplets of substations.
[12] A. E. Farrell, H. Zerriffi, and H. Dowlatabadi, “Energy infrastructure and security,” Annu. Rev. Environment Resources, vol. 29, pp. 421–469, Aug. 2004.
[13] A. Volkanovski, M. Čepin, and B. Mavko, “Application of the fault tree analysis for the power system reliability,” Reliab. Eng. Syst. Saf., vol. 94, no. 6, pp. 1116–1127J, 2009.
[14] E. Bompard et al., “Risk assessment of malicious attacks against power systems,” IEEE Trans. Syst., Man, Cybern. A, Syst. Humans, vol. 39, no. 5, pp. 1074–1085, Sep. 2009.
[15] A. Rose, “Economic resilience to natural and man-made disasters: Multidisciplinary origins and contextual dimensions,” Environmental Hazards, vol. 7, no. 4, pp. 383–398, 2007.
[16] T. Maxim. (2010, Jul. 21). Power Plant Terror Attack Kills 2 in Russia [Online]. Available: http://edition.cnn.com/2010/WORLD/europe/07/21/russia.station.attack/index.html
[17] E. Bompard et al., Approaches to the Security Analysis of Power Systems: Defense Strategies Against Malicious Threats, EUR 22683 EN, JRC36743, 2007.
[18] North American Electric Reliability Council (NERC), An Approach to Action for the Electricity Sector. Princeton, NJ: North American Electric Reliability Council (NERC) Working Group Forum on Critical Infrastructure Protection, 2001.
[19] M. Schläpfer and H. Glavitsch, “Learning from the past: Electric power blackouts and near misses in Europe,” in Critical Infrastructures at Risk—Securing the European Electric Power System, A. V. Gheorghe, M. Masera, M. P. C. Weijnen, and L. J. De Vries, Eds. Dordrecht, The Netherlands: Springer, 2006.
[20] E. Bilis, M. Raschke, and W. Kroeger, “Seismic response of the swiss transmission grid,” unpublished.
[21] I. Eusgeld and C. Nan, “Creating a simulation environment for critical infrastructure interdependencies study,” in Proc. IEEE Int. Conf. Ind. Eng. Eng. Manage., Dec. 2009, pp. 2104–2108.
[22] Testimony of Joseph McClelland, Director, Office of Electric Reliability, Federal Energy Regulatory Commission, Before the Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, United States House of Representatives. (2009, July 21) [Online]. Available: http://www.ferc.gov/eventcalendar/Files/20090721140215-Joe%20McClelland%20Testimony.pdf
[23] J. M. Arroyo and F. D. Galiana, “On the solution of the bilevel programming formulation of the terrorist threat problem,” IEEE Trans. Power Syst., vol. 20, no. 2, pp. 789–797, May 2005.
[24] M. E. J. Newman, “The structure and function of complex networks,” SIAM Rev., vol. 45, no. 2, p. 167, 2003.
[25] L. A. N. Amaral and J. M. Ottino, “Complex networks—Augmenting the framework for the study of complex systems,” Eur. Phys. J. B, vol. 38, pp. 147–162, May 2004.
[26] R. Albert, I. Albert, and G. L. Nakarado, “Structural vulnerability of the North American power grid,” Phys. Rev. E, vol. 69, no. 2, p. 025103-7, 2004.
[27] P. Crucitti, V. Latora, and M. Marchiori, “A topological analysis of the Italian electric power grid,” Phys. A Statist. Mech. Its Appl., vol. 338, nos. 1–2, pp. 92–97, 2004.
[34] K. Okamoto, W. Chen, and X. Li, “Ranking of closeness centrality for large-scale social networks,” in Springer Lecture Notes in Computer Science. Berlin, Germany: Springer, 2008, pp. 186–195.
[35] R. V. Solé et al., “Robustness of the European power grids under intentional attack,” Phys. Rev. E, vol. 77, no. 2, p. 026102, 2008.
[36] S. Wuchty and P. Stadler, “Centers of complex networks,” J. Theor. Biol., vol. 223, nos. 45–53, pp. 45–53, 2003.
[37] F. Harary, “Status and contrastatus,” Sociometry, vol. 22, no. 1, pp. 23–43, 1959.
[38] P. J. Slater, “Maximum facility location,” J. Res. Natl. Bur Stand. B, vol. 79, pp. 107–115, 1975.
[39] L. C. Freeman, “A set of measures of centrality based on betweenness,” Sociometry, vol. 40, no. 1, pp. 35–41, 1977.
[40] D. Koschützki et al., “Network analysis: Methodological foundations,” in Centrality Indices, Chapter 3 in Brandes and Erlebach (LNCS Tutorial, vol. 3418). Berlin, Germany: Springer 2003.
[41] E. Bompard, R. Napoli, and F. Xue, “Analysis of structural vulnerabilities in power transmission grids,” Int. J. Crit. Infrastructure Protection, vol. 2, no. 1, pp. 5–12, 2009.
[42] V. Agoston, P. Csermely, and S. Pongor, “Multiple weak hits confuse complex systems: A transcriptional regulatory network as an example,” Phys. Rev. E, vol. 71, no. 5, p. 051909, 2005.
[43] V. Latora and M. Marchiori, “Vulnerability and protection of infrastructure networks,” Phys. Rev. E, vol. 71, no. 1, p. 015103, 2005.
[44] H. Hines and S. Blumsack, “A centrality measure for electrical networks,” in Proc. 41st Hawaii Int. Conf. Syst. Sci., 2008, p. 185.
[45] Y. Yan-Ping et al., “Multiple partial attacks on complex networks,” Chin. Phys. Lett., vol. 25, no. 2, pp. 769–772, 2008.
[46] T. W. Valente and R. K. Foreman, “Integration and radiality: Measuring the extent of an individual’s connectedness and reachability in a network,” Social Netw., vol. 1, no. 1, pp. 89–105, 1998.
[47] R. Sergel, Letter to NERC Board of Trustees and NERC Stakeholders, Apr. 24, 2009.
[48] A. G. Phadke and J. S. Thorp, “Expose hidden failures to prevent cascading outages,” IEEE Comput. Appl. Power, vol. 9, no. 3, pp. 20–23, Jul. 1996.
[49] K. Bae and J. S. Thorp, “An importance sampling application: 179 bus WSCC system under voltage based hidden failures and relay misoperation,” in Proc. 31st Hawaii Int. Conf. Syst. Sci., vol. 3. 1998, pp. 39–46.
[50] J. Chen, J. S. Thorp, and I. Dobson, “Cascading dynamics and mitigation assessment in power system disturbances via a hidden failure model,” Int. J. Electron. Power Energy Syst., vol. 27, no. 4, pp. 318–326, 2005.
[51] V. M. Andersen and E. T. Burns, “Human error probability models in the BWR individual plant evaluation methodology,” in Proc. 4th IEEE Conf. Human Factors Power Plants, Jun. 1988, pp. 323–342.
[52] J. C. Williams, “A data-based method for assessing and reducing human error to improve operational performance,” in Proc. IEEE 4th Conf. Human Factors Power Plants, Jun. 1988, pp. 439–450.
[53] Swiss Federal Office of Energy, Report on the blackout in Italy on 28 September 2003, Nov. 2003.
[54] M. Shinozuka et al., “Advances in seismic performance evaluation
[28] R. Kinney et al., “Modeling cascading failures in the North American of power systems,” in Research Progress and Accomplishments 2001-
power grid,” Eur. Phys. J. B Condens. Matter, vol, 46, no. 1, pp. 101– 2003. Buffalo, NY: Multidisciplinary Center for Earthquake Engineering
107, 2005. Research, University at Buffalo, 2003.
[29] D. P. Chassin and C. Posse, “Evaluating North American electric grid [55] P. Kundur et al., “Definition and classification of power system stability,”
reliability using the Barabasi–Albert network model,” Phys. A: Statist. IEEE Trans. Power Syst., vol. 19, no. 3, pp. 1387–1401, Aug. 2004.
Mech. Its Appl., vol. 355, nos. 2–4, pp. 667–677, 2005. [56] Y. Sherif, “Earthquakes: Risk, damage and recovery,” Reliab. Eng. Syst.
[30] A. J. Holmgren, “Using graph models to analyze the vulnerability of Safety, vol. 31, no. 1, pp. 117–126, 1991.
electric power networks,” RiskAnalysis, vol. 26, no. 4, pp. 955–969,
2006.
[31] M. I. Rosas-Casals, S. Valverde, and R. V. Sole, “Topological vulner-
Evangelos I. Bilis received the M.Sc. degree in
ability of the European power grid under errors and attacks,” Int. J.
radioelectrology and telecommunications.
Bifurcation Chaos, vol. 17, no. 7, pp. 2465–2475, 2007.
He is currently a Physicist with the Laboratory
[32] L. Buzna, L. Issacharoff, and D. Helbing, “The evolution of the topology of Safety Analysis, Swiss Federal Institute of Tech-
of high-voltage electricity networks,” Int. J. Crit. Infrastructures, vol. 5, nology, Zürich, Switzerland. His current research
no. 1, pp. 72–85, 2009. interests include applications of group theory to
[33] L. Dueñas-Osorio and S. M. Vemuru, “Cascading failures in complex quantum mechanics, string theory, and modeling of
infrastructure systems,” Structural Safety, vol. 31, no. 2, pp. 157–167, complex systems.
2009.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
Wolfgang Kröger received the Doctorate degree in mechanical engineering from RWTH Aachen, Aachen, Germany, in 1974, and the Habilitation degree in 1986.
He has been an Ordinarius of Safety Technology with the Swiss Federal Institute of Technology, Zurich (ETH) since 1990 and the Director of the Laboratory for Safety Analysis until his retirement in 2011. In parallel he was the Head of Research on nuclear energy and safety with the Paul Scherrer Institute, Switzerland, where he was also on the Board of Directors until he was elected as Founding Rector of the International Risk Governance Council in 2003. His current research interests include methodical issues pertaining to modeling, analysis, and optimization of complex technical systems in view of reliability, risk, and vulnerability. Currently, he is the Executive Director of the ETH Risk Center.

Cen Nan received the M.Eng. degree in oil and gas engineering from the Memorial University of Newfoundland, Canada, in 2007, and the Doctorate degree in process and mechanical engineering from ETH Zurich, Zurich, Switzerland, in 2012.
He is currently a Research Assistant at ETH Zurich. His current research interests include the development of advanced modeling/simulation methods for assessing complex behaviors of infrastructure systems.