[ieee 2012 3rd ieee pes innovative smart grid technologies europe (isgt europe) - berlin, germany...



Post on 16-Feb-2017


ICT Infrastructure Design Considering ICT Contingencies and Reserve Requirements on Transmission Level

E. Kämpf, M. Bauer, R. Schwinn, M. Braun¹

2012 3rd IEEE PES Innovative Smart Grid Technologies Europe (ISGT Europe), Berlin

978-1-4673-2597-4/12/$31.00 ©2012 IEEE

Abstract – Large scale Information and Communication Technology (ICT) infrastructure utilization is the foundation of smart grid and smart market scenarios. Thus, power system exposure to ICT infrastructure contingencies is naturally increasing. The paper at hand focuses on those types of ICT contingencies that may potentially affect transmission level reserve requirements. The analysis indicates that these contingencies are characterized by large scale power outages at very low probability. The German 2020 power generation scenario serves as study case for integrating the resulting risk of ICT failure into the calculation of reserve requirements using the method of recursive convolution. Calculated reserves with and without consideration of selected ICT contingencies are compared. The paper highlights the need for ICT infrastructure concepts that aim at safety by design from the beginning. It concludes by summarizing identified ‘safety-by-design’ criteria that merit further investigation.

Index Terms – ICT infrastructure design, ICT contingencies, power system reliability, reserve calculation, information and communication technology, safety by design, recursive convolution

I. INTRODUCTION

Panteli and Kirschen have, to the knowledge of the authors, been the first to examine the effect of ICT Infrastructure on Power System Reliability [1]. Yet, they focus on the effect of ICT contingencies on state estimation and the system operator’s resulting misperception of the actual system state using a small test system. The paper at hand investigates the relevance of ICT contingencies for reserve provisioning in a 2020 showcase scenario for Germany. Applying equipment failure considerations to ICT infrastructure devices resulted in identification of potential for power outage up to eight times bigger than that caused by the traditionally considered failure of the largest conventional power plant. Yet, the probability of these large-scale ICT incidents was estimated to be so low that under the current practice for secondary and tertiary reserve provisioning, it would have nearly no effect on required reserves for the German 2020 scenario. As a consequence, the resulting risk of blackout would be carried by society. A considerable potential impact on primary reserve dimensioning is being identified, though. It is not the intention of the authors to suggest increasing reserve requirement levels because of potential ICT contingencies. Rather, the present article concludes by identifying starting points for making ICT infrastructure ‘safe by design’.

The paper is organized as follows: Section II introduces the principles and approach of classical reserve calculation. Section III highlights the changes introduced by considering ICT contingency characteristics. To this end, in a first step, ICT technologies promising most impact on 2020 reserve requirements are identified. In a second step, ICT contingencies are classified and an evaluation of available statistics on failures is carried out. The contingency impact depending on outage type is discussed. In a third step, use cases are depicted. Section IV describes the integration of selected ICT contingency scenarios into the German 2020 showcase; simulation results are explained and analyzed. The article concludes with a list of starting points for improving ‘safety by design’ of smart grid ICT infrastructures.

¹ The authors would like to thank the German Federal Ministry for the Environment, Nature Conservation and Nuclear Safety for the support of PV-Integrated (FKZ 0325224 A-D). Only the authors are responsible for the content of this publication.

¹ E. Kämpf, M. Bauer and R. Schwinn are with the Fraunhofer Institute for Wind Energy and Energy System Technology (IWES) in 34119 Kassel, Germany (e-mail: [email protected]).

M. Braun is with the Fraunhofer Institute for Wind Energy and Energy System Technology (IWES) in 34119 Kassel, Germany and with the University of Stuttgart, Germany (e-mail: [email protected]).

II. CLASSICAL RESERVE REQUIREMENT DETERMINATION

A. Primary reserve requirement

Reserve requirements are classified into primary, secondary and tertiary reserves according to the relevant time frames. The primary reserve requirement is defined in the UCTE operation handbook for the entire UCTE synchronous area: The value of 3000 MW is large enough to allow an overlapping failure of two of the largest power stations, i.e. 2 x 1500 MW [2].

B. Secondary and tertiary reserve requirement

Secondary and tertiary reserve requirements from UCTE are merely indicative [2], [3]. In the following, the dimensioning for the latter two as applied by German Transmission System Operators (TSO) is introduced and applied to the German 2020 showcase as per reference [4]. The need for reserves is traditionally determined considering the following influence factor clusters:

- Stochastic variation of load
- Stochastic variation of feed-in
- Power plant outages
- Forecast errors
- Step-variation of schedules

Each of these clusters can be represented by one or several random variables. Using their statistical independence makes it possible to apply the theorem of recursive convolution whereby the probability density function of a sum of random variables, $p_y(y)$, equals the convolution of the individual probability density functions, $p_{x_1}(X_1)$, $p_{x_2}(X_2)$.

From the resulting probability density function the reserve requirement is obtained by introducing an accepted deficit level. In a subsequent process a distribution of the required reserve into secondary and tertiary reserves may be obtained. For more detail refer e.g. to [5], [6].

III. SMART GRID RESERVE REQUIREMENT CALCULATION

A. ICT as core of smart grids

1) Overview

There is unanimous agreement that ICT is the foundation of smart grids [7] - [9]. There is an abundance of smart grid use cases relying on ICT infrastructure. Concepts spread from smart meter connection via agent-based distribution system operation and smart integration of electric vehicles to virtual power plants (VPP), to name only a few.

2) ICT technologies considered

The present article concentrates on those ICT technologies that promise immediate and considerable impact on reserve requirement in case of ICT contingency, either already to date, or at latest in the 2020 scenario. Communication technologies may be subdivided by their respective transmission medium used by the physical layer into power line based, radio communications based and internet based variants.

Power line based technologies are not further investigated in this article: At present, they have not reached a market penetration in the energy automation domain that would be relevant for secondary and tertiary reserve calculations. It cannot be foreseen whether they will have by the year 2020.

Among radio communications based technologies, radio ripple control and long wave radio transmission (EFR) are most popular in Germany. Radio ripple control architecture is by nature decentralized. Accordingly, related ICT contingencies are expected to have a rather limited effect on overall reserve requirement.

EFR signal transmission in Germany however relies on two large transmission posts. Should EFR continue to be as popular for remote power reduction of PV plants as it is today, failure of one post under sunny conditions in 2020 would leave about 3 GW of PV capacity without possibility for remote power reduction; refer to section IV A 2) for more details.

Internet based alternatives are to date the most popular means for establishing bidirectional connections with DER up to 1-2 MWp installed capacity. An ‘internet-based’ variant is defined as a technology that is connected to the Tier 1 internet backbone as per Fig. 1. Among these are UMTS, GPRS and DSL, but also ISDN and the traditional telephone and modem communications.

Fig. 1 further illustrates the underlying architecture. Although the Internet is often referred to as a network of interconnected networks, this only applies to the protocols on its logical level. In fact, the logical networks are based on physical links between points of presence (PoPs) of Internet Service Providers (ISPs) of different size. Each ISP operates his own network that is generally distinct from other ISPs’ networks, but such networks may be connected via so-called Internet Exchange Points (IXPs). Internet traffic is routed between such interconnected networks by means of the Border Gateway Protocol (BGP) based on a peering agreement. In case physical connections or IXPs fail, the automatic routing mechanism implemented by means of BGP may ensure reachability between nodes connected to the Internet by selecting alternative routes.

End users connect to the Internet through access network technology. In the following, we consider two access technologies, digital subscriber line (DSL) and mobile communication technologies (GPRS and UMTS) as they are the most likely to be used for connecting DER. As an illustrative example, the position of a VPP control center (CC) has been entered in the hierarchy level in Fig. 1.

[Figure: diagram with the layers Tier 1 ISP, Tier 2 ISP, Tier 3 ISP and Access Network; elements labelled „Internet“, ISP, ISP’s PoP, IXP, CC and DER]

Fig. 1. Internet architecture from tier 1 to access network. The CC is shown to be connected to Tier-2-ISPs, aiming at increased availability.

B. ICT contingency characteristics

1) Classification of contingencies

Contingency reasons may be classified into technical and human failures on the one hand, and malicious attacks on the other hand. Examples of malicious attacks are (distributed) denial of service ((D)DoS) attacks. These can be executed by manipulating networking components or routing tables, by manipulating a sufficiently high number of end devices, or by manipulating the control center itself. Even more critical, although more difficult to achieve, are attacks aiming at hijacking controllers or similarly sensitive electronic devices [10], [11]. Finally, it shall be pointed out that malicious attacks can also be executed physically, e.g. by means of explosive devices. Internet-related technologies have proven to be particularly prone to malicious so-called ‘cyber security’ attacks on a day-to-day basis, whereas physical attacks have been exceptional, ‘once in decades’ occurrences.

Convolution of the probability density functions referred to in section II B:

$$p_y(y) = p_y(X_1 + X_2) = p_{x_1}(X_1) * p_{x_2}(X_2)$$

Characteristic of malicious attacks is the possibility of n-2 or worse contingencies, since the attack is usually systematically aiming at maximizing damage. Traditional reserve calculations do not consider the risk of such malicious attacks. This seems reasonable given that traditional power systems were by design not menaced by cyber security events. From the analysis in the previous section it follows that this is not the case any more for the smart grid. Therefore the study at hand undertakes to show how estimates of malicious attack probabilities could be integrated into the overall reserve requirement calculation, too; see section IV A 1).

2) Evaluation of statistics on internet-related contingencies

Despite an impressive set of sophisticated countermeasures, large scale failures of communication infrastructure do occur. In order to obtain an estimate of the likelihood of such events, the authors consulted databases reporting incidents that have happened in Germany in the past [12], [13].

i. Examples of performance degradation

− In April 2003, the world’s largest IXP, DE-CIX, failed for 1.5 hours during maintenance measures. Although this incident did not cause severe consequences at the time, performance degradations were perceived by users. An IXP on the alternative route perceived twice the amount of traffic compared to before and after the event. For VPPs exchanging information every 2 seconds with their plants on secondary regulation, such performance degradation may pose a serious threat. Please refer to section III B 3) for more details.

− In late November 2010, the backbone network of Germany’s largest ISP failed due to a software bug, causing intermittent disconnections for 5 hours.

ii. Examples of complete connection outage

− In late April 2003, a power outage localized in a major city caused the network of a mobile service provider to fail in many regions all over Germany for 8 hours.

− In December 2003, a power outage caused the Home Location Register of a large mobile service provider to fail, resulting in more than 100,000 customers not able to access the mobile services.

− In late September 2004, the network of the same mobile service provider was unavailable for 12 hours due to a server failure.

− In mid-April 2009, the voice and authentication services of the mobile network of a national service provider failed for at least 3 hours. The failure affected all parts of Germany.

On an international level, the following incidents are worth mentioning, as they caused inaccessibility to services and servers for significant parts of the Internet worldwide:

− From mid-March until end of March 2008, the interconnections between two Tier-1-ISPs were severed, resulting in servers hosted by merely one of the ISPs being inaccessible to customers of the other ISP. Reasons for the disruption are unspecific. Presumably, the ISPs disagreed with each other over terms of their peering agreement.

− In mid-February 2009, parts of the Internet suffered from performance degradation due to a misconfiguration of BGP parameters in one router causing problems on the routing performed by other routers.

− In mid-April 2010, the misconfiguration of BGP parameters of one router caused a redirection of internet traffic originally destined to about 37,000 other IP networks, which led to an unavailability of specific services on the internet.

The evaluation shows that incidents are rare, but do occur.

The probabilities listed in Table 1 have been largely arbitrarily deduced from the available data.

| Event | Estimated to occur once every x years | Estimated duration of interruption or performance degradation [h] |
|---|---|---|
| Internet backbone outage | 30 | 24 |
| Country-wide mobile communications provider outage | 4 | 8 |
| Outage of one single mobile communications provider covering ¼ of the market | 1 | 8 |

Table 1. Internet-related outage probabilities

3) Impact of internet-related contingencies

The impact of contingencies may be subdivided into performance degradations, such as delays and intermittent connections, and complete connection failures. In fact, for the controllability of a virtual power plant performance degradations will in many cases result in connection outage, as shall be illustrated in the following:

Contingencies of some physical components represented in Fig. 1 may be mitigated because of multiple routes between one specific source and one specific destination. Under ordinary operating conditions the most efficient route is chosen. Alternative routing under conditions of partial outage is likely to result in increased latency because of more required hops. Re-routing under outage conditions may result in congestion, causing additional delays or even packet loss in the worst case.

For a VPP this means that critical combinations of command delays may result in power swings in the network and thus, under certain conditions, pose a threat to system stability. Larger power system outages originating in this kind of stability issue are not further considered in the following. Instead, it is assumed that critical delay conditions will be detected early enough by the VPP CC to suspend control of the DER plants in question. In the worst case, this kind of latency introduced by packet rerouting will then result in an outage of the entire VPP capacity. Since statistics on the effect of communication performance degradation on VPP controllability were not available to the authors, for the purpose of this study, performance degradations were treated like full communication interruptions.

C. Use Case Selection

A selection of communication technologies to be considered in this study has already been carried out in section III A 2). Yet, a complete analysis of all relevant use cases for the chosen subset of technologies is beyond the scope of this article. The authors deliberately focus on a selection of use cases guided by the criteria:

− Use case already in commercial operation today
− Use case is expected to still have a significant impact on reserve requirement in the show case scenario for 2020.

The ultimate goal in the German show case under study is to provide 80 % of electricity from renewable sources by 2050. This in turn means that Renewable Power Producers must take a share in system services like voltage and frequency control. In Germany, availability of ‘green’ energy sources is strongly distributed and largely intermittent. Whereas primary frequency control is carried out locally, secondary and tertiary frequency control are by nature dependent on communication.

1) Virtual Power Plants providing power by schedule

Conventional power plants are expected to be increasingly replaced by Virtual Power Plants that aggregate Distributed Energy Resources and potentially Demand Side Management into a commercially tradable schedule of defined magnitude and availability. The communication link between TSO control center and VPP control center is quite similar in nature and reliability to the one between TSO control center and conventional power plants. The weak points in terms of newly introduced risk of ICT contingencies are the connections between VPP and small-scale distributed DER. They are characterized by a large number of connections routed over publicly accessible infrastructure, see III A 2). To date virtual power plants already successfully provide secondary and tertiary reserves with DER. Numerous large research projects are concerned with enlarging their portfolio to include e.g. PV power plants.

2) Power reduction of DER via long wave radio transmission

Power reduction of intermittent renewable DER is the second use case considered here. Since 2012 all newly connected PV plants in Germany with more than 30 kWp installed capacity are obliged to provide an interface for remote down-scaling. For connecting the smallest plants up to several hundred kWp installed capacity, distribution system operators currently tend to choose either radio ripple control or long wave radio transmission (EFR). As discussed in section III A 2), this article focuses on EFR-related contingencies and therefore considers the use case ‘down-scaling of intermittent DER via EFR’.

IV. INTEGRATION OF ICT CONTINGENCIES INTO THE GERMAN 2020 SHOWCASE

A. Simulation scenarios

1) Description of outage scenarios

Reference case for reserve calculations is the 2020 scenario as per BMU Leitstudie 2011 [1]. This scenario does not yet incorporate any ICT contingencies. It is based on the currently applied methods of reserve calculation as introduced in section II.

This reference case is complemented by a scenario that includes the result of the preliminary estimation of additional risks introduced by ICT carried out in this paper, “2020 incl. ICT risks”. In this scenario, the following risks are considered:

(1) Outage of EFR posts
(2) Internet backbone outage
(3) Mobile communications provider outage
(4) Hacking-induced outages of VPPs

2) Estimation of generation affected by EFR outage

The installed capacity affected by disabled EFR posts was estimated based on the following assumptions: 60 % of the capacity installed between 2012 and 2020 in the class 30 kWp to 1 MWp and 50 % of the class up to 30 kWp are connected by EFR². Considering the installed capacity beginning of 2012 as per [15] and the 2020 installed PV capacity as per [1], and assuming the distribution of installed capacity within the sizing classes remains constant, this results in 11.5 GW PV capacity under EFR control in Germany by 2020.

Concerning wind power under EFR control, several tendencies should be noted. First, with a view to 2020, it is expected that for plant sizes beyond 500 kW installed capacity EFR will increasingly be substituted by truly bidirectional communication facilities. Second, since 2009 the number of newly installed plants below 500 kW capacity is negligible, [15]. In line with these assumptions, and to obtain an estimate which is overall conservative, wind power capacity controllable only via EFR is neglected for the 2020 showcase. To the same end combined heat and power capacity controllable via EFR is neglected. It is assumed that due to their special characteristics, depending on size, the majority of these plants will rather be controlled in a truly bidirectional way, if at all.

To conclude, concerning the installed capacity affected by outage of EFR posts, the following is supposed: Based on the geographical reach of the two EFR posts in Germany as per [17] and a rough extrapolation of the geographical distribution of installed PV capacity given in [18], 30 % of installed PV capacity connected via EFR in Germany would be affected by a single outage of the EFR post located in Mainflingen. A simultaneous outage of both the Burg and the Mainflingen EFR post would result in the entire German EFR-connected installed PV capacity, the assumed 11.5 GW, being non-controllable. An impact on the required reserve could only be observed if the sun was shining during the time of outage. To account for this in the case of partial outage estimated to last for eight hours, two strategies exist:

− Reduce the likelihood and/or affected capacity of the event
− Change neither likelihood nor affected capacity

The latter option was chosen here. Malicious attack being a key potential reason for EFR outage, a worst case timing should be considered in reserve calculations. EFR outage affects the negative reserve only, independent of whether at the moment of outage power reduction is active or not.

² Consider this is a simplification: In fact, all legacy PV plants beyond 100 kWp have to provide a facility for remote reduction of feed-in power. In addition, for sizing classes from 30 kWp to 100 kWp installed between 1st of January 2009 and 31st of December 2011 a retrofit with a remote reduction interface is foreseen [14]. For plants below 30 kWp owners may opt for a constant reduction of feed-in power to 70 % of installed module STC capacity. According to the informal information available, this option is little used in practice though.

3) Estimation of generation affected by internet-related outages

VPPs with a total generating capacity of 12.3 GW are included into the simulation. The capacity has been determined by assuming that the 2020 load is 10 % below the 2010 level due to efficiency gains [1]. To cover this need, a conventional generation capacity of 82.1 GW is expected to be available in 2020. This capacity is 22.8 GW lower than the capacity available in 2010. VPPs are taken to close the remaining gap considering efficiency gain.

The impact of risks type (2) to (4) is related to the installed VPP capacity. As can be seen from Fig. 1, internet backbone outage will affect the entire installed VPP capacity.

The mobile communications market in Germany is currently dominated by four companies. Assuming an equal distribution of the VPP market to four companies to prevail in 2020, the outage of a single provider would affect one quarter of VPP capacity. However, we further suppose that 1/3 of capacity controllable via VPPs is connected via DSL. Hence the outage in question would be relevant for 1/4*2/3 = 1/6 of installed VPP capacity.

In addition to full outage, partial outage of a mobile communications provider was considered, too. Please refer to the appendix for more details.

Due to lack of available statistics on comparable events the following - largely arbitrary - assumptions were taken to estimate the impact of hacking-induced VPP outage: No more than two per year of the estimated total 10-50 VPPs in the market suffer from an outage due to successful hacking. Beyond single VPP outage there is a risk of security holes affecting several VPPs. This would allow simultaneous manipulation of larger capacities. A simultaneous hacking incident affecting 30 % of installed VPP capacity once every 20 years for 12 hours was included into the simulation. A comprehensive overview of assumptions is given in the appendix.

4) Responsibility for reserve provisioning

Reserve calculations as carried out by German TSOs today consider any outage only up to a duration of 1 hour. After this period, responsibility for providing alternative source of power to compensate for the disabled equipment is with the so-called balance responsible party.

One key purpose of this article is to depict the implications of ICT contingency risks for system security. By providing a calculation variant that deliberately includes the entire time frame of ICT contingency events into reserve calculations the authors hope to make the related implications on society level more tangible. The variant is a purely hypothetical one, though.
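The procedure of section II B with the outage scenarios of section IV A added, as an added example that is not the authors' simulation code: distributions are convolved recursively and the positive reserve is read off at the accepted deficit level, once counting at most 1 h per ICT event and once the full duration. Assumptions: the base distribution (sigma and units) is constructed, the state probability of an event is its counted duration divided by the hours in its recurrence interval, and only the three events whose affected VPP capacity the text states are included, so the numbers are illustrative and not the paper's results.

```python
import math

STEP_MW = 10             # grid resolution shared by all distributions
HOURS_PER_YEAR = 8760
VPP_CAPACITY_MW = 12300  # VPP capacity from section IV A 3)

# (name, once every x years, duration [h], affected share of VPP capacity),
# read from Table 1 and section IV A 3) of the page.
ICT_EVENTS = [
    ("internet backbone outage", 30, 24, 1.0),
    ("single mobile provider outage", 1, 8, 1 / 6),
    ("simultaneous VPP hacking", 20, 12, 0.30),
]

# Constructed base case, NOT from the paper: sigma of the combined load and
# forecast error, and conventional units as (capacity MW, outage probability).
BASE_SIGMA_MW = 1500
BASE_UNITS = [(1500, 0.002), (1000, 0.002), (800, 0.002)]


def outage_probability(every_years, duration_h, counted_h=None):
    """Share of time spent in the outage state (assumed model).

    counted_h caps the duration the TSO answers for, e.g. 1 hour.
    """
    hours = duration_h if counted_h is None else min(duration_h, counted_h)
    return hours / (every_years * HOURS_PER_YEAR)


def two_state(outage_mw, probability):
    """PMF of a resource that is either available or lost completely."""
    return {0: 1.0 - probability, outage_mw: probability}


def normal_pmf(sigma_mw, span_sigmas=5):
    """Zero-mean normal, discretised on the MW grid and renormalised."""
    n = int(span_sigmas * sigma_mw / STEP_MW)
    weights = {k * STEP_MW: math.exp(-0.5 * (k * STEP_MW / sigma_mw) ** 2)
               for k in range(-n, n + 1)}
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}


def convolve(p1, p2):
    """PMF of X1 + X2 for independent X1, X2 given as {mw: probability}."""
    out = {}
    for x1, q1 in p1.items():
        for x2, q2 in p2.items():
            out[x1 + x2] = out.get(x1 + x2, 0.0) + q1 * q2
    return out


def recursive_convolution(pmfs):
    """Fold a list of independent PMFs into the PMF of their sum."""
    total = {0: 1.0}
    for pmf in pmfs:
        total = convolve(total, pmf)
    return total


def positive_reserve(pmf, deficit_level):
    """Smallest grid value R with P(power deficit > R) <= deficit_level."""
    tail = 0.0  # P(deficit > x) while walking down from the largest deficit
    for x in sorted(pmf, reverse=True):
        if tail + pmf[x] > deficit_level:
            return max(x, 0)
        tail += pmf[x]
    return 0


def ict_pmfs(counted_h=None):
    """Two-state PMFs of the ICT events, snapped to the MW grid."""
    pmfs = []
    for _name, years, hours, share in ICT_EVENTS:
        mw = round(share * VPP_CAPACITY_MW / STEP_MW) * STEP_MW
        pmfs.append(two_state(mw, outage_probability(years, hours, counted_h)))
    return pmfs


def compare_scenarios(levels=(0.00025, 0.000125)):
    """Reserve [MW] per deficit level: base, ICT capped at 1 h, ICT in full."""
    base = recursive_convolution(
        [normal_pmf(BASE_SIGMA_MW)] + [two_state(mw, p) for mw, p in BASE_UNITS])
    ict_1h = recursive_convolution([base] + ict_pmfs(counted_h=1))
    ict_full = recursive_convolution([base] + ict_pmfs())
    return {level: {"base": positive_reserve(base, level),
                    "ict_1h": positive_reserve(ict_1h, level),
                    "ict_full": positive_reserve(ict_full, level)}
            for level in levels}


if __name__ == "__main__":
    for level, row in compare_scenarios().items():
        print(f"deficit level {level:.4%}: {row}")
```

Taken in isolation, `positive_reserve` shows why the deficit level matters for rare, large events: a 12.3 GW outage with a state probability of 0.02 % adds nothing at a deficit level of 0.025 % and the full 12.3 GW at 0.0125 %.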

B. Simulation Results and Analysis

1) Primary reserve

Assuming that the UCTE rules for determining primary reserve were interpreted to include the effects of the above-mentioned ‘once in decades’ ICT contingency risks, the primary reserve requirement would increase sharply. In fact, for dimensioning required primary reserve the ICT contingency risk estimation carried out for Germany here would have to be undertaken for the entire UCTE synchronous area. Whereas primary reserve is currently in the magnitude of 3 GW, single ICT incidents in the magnitude of 12 GW have been estimated for Germany alone, refer to the assumptions in section III B 2). A detailed dynamic analysis would need to be carried out to account for incidents of this type. However, this article does not suggest a re-dimensioning of UCTE primary reserve at this point. The authors rather raise another question: While we are facing the emergence of new kinds of threats to system stability, should we not carefully reconsider their deeper roots and tackle them in the first place? This topic is further elaborated in section V.

2) Secondary and tertiary reserves

In this section, the potential effect of ICT contingencies on reserve requirement, depending on the given deficit level, and responsibility for long-term reserve provisioning is analyzed. To this end, a demonstration of the change in the sum of secondary and tertiary reserves shall suffice in a first approach. Fig. 2 illustrates the results of the simulations for several scenarios. There is a distinction between reserve requirements stemming from outage durations up to one hour, and beyond one hour. Further, the calculations have been carried out for two deficit levels, 0.0125 % and 0.025 %. For the deficit levels studied, a larger impact of the simulated ICT contingencies on reserve requirements is only observed for the more demanding deficit level, and only assuming the TSO is responsible for provisioning alternative sources of energy even for periods beyond 1 h, as discussed in section IV A 4).

The more constraining deficit level of 0.0125 % used to be applicable until 2010, when it was replaced by 0.025 % [19]. Allowing for more hours per year during which Germany’s reserve requirements cannot be met by nationally available sources has been justified considering the large amount of existing emergency assistance agreements with neighboring TSOs, and following a restructuring of the German TSO reserve provisioning [19] (see footnote 3).

However, once high-impact, low-probability ICT contingencies are considered, if the lower deficit level were to be maintained, the emergency assistance agreements would need to be reviewed as to whether they can actually provide the reserves required (12 GW as per the scenario investigated in this paper). Also, potential cross-border transmission capacity limitations towards the relevant neighboring countries would need to be reviewed.

3 These, however, exist only on tertiary reserve level. Therefore the level of 0.025 is applied to tertiary reserve with 90 % and to secondary reserve only with 10 % [19].


[Figure 2: bar chart. Vertical axis: Reserve requirement [GW]. Horizontal axis: Base and Base + ICT scenarios for two deficit levels (0.0125 % and 0.0250 %). Series: positive secondary and tertiary (S&T) reserve requirements, entire outage duration under TSO responsibility; positive S&T reserve requirements, 1 h outage duration; negative S&T reserve requirements, entire outage duration under TSO responsibility; negative S&T reserve requirements, 1 h outage duration.]

Fig. 2. 2020 secondary and tertiary reserve requirements for different scenarios

Fig. 3 shows an intermediate step in the process of recursive convolution as introduced in section II. FC refers to forecast, so the curve pvFCError for instance stands for the probability density of PV forecast errors. Each of the influence factors identified in section II B) is represented by a function. In fact, to account for unsymmetrical forecast errors in the case of wind, wind forecast errors are separated into wind on and wind off errors. Curves convSC and convTotal represent the result of convolution from which eventually the secondary and total reserve requirements are calculated.

[Figure 3: line plot. Horizontal axis: Regulating reserve forecast error [MW]. Vertical axis: Probability density. Curves: powerStatError, scheduleError, loadError, loadNoise, windOnFCError, windOffFCError, pvFCError, convSC, convTotal.]

Fig. 3. Probability density for forecast error components. Fictitious variant: TSO assumed to be responsible for providing compensation for ICT related outages independent of outage duration.

The power station deficit probabilities and their impact have already been convolved with each other. The result is represented by curve powerStatError. The small spikes between -14 and -12 GW represent the probability density of failures of these specific deficit magnitudes. They are a result of the convolution process and represent combined failures of one of the many conventional power plants with one of the two large scale ICT incidents of this magnitude. It can be seen that the probability densities of the further factors to be considered in the calculation become sizeable only at much lower levels of forecast error.

So, what ICT contingencies introduce into the probability density curve is a somewhat special variant of the ‘fat tail’ phenomenon. This is a general tendency in which the probabilities of low forecast errors are getting lower, whereas the probabilities of high forecast errors are actually increasing [19].

V. CONCLUSION AND OUTLOOK

In traditional power systems, contingencies on equipment and power plant level are a regular occurrence of limited effect. From the analyses in this article it emerges, however, that contingencies in the ICT infrastructure with measurable effect on reserve requirements tend to be rare occurrences resulting in potentially considerable damage. From this, several questions may be deduced:

- Are we, as a society, prepared to accept these risks, since their likelihood is so small, without considering any countermeasures?
- If we are not prepared to accept these risks without having investigated ways of dealing with them, what are our preferred measures?

The authors suggest that at the present point, where we still have the freedom to shape the future, we systematically look for ways to avoid the above-mentioned drawbacks of ICT usage. From the analysis undertaken, several promising starting points emerge:

- Develop a coherent definition and management of ‘fall-back’ values for ICT controlled equipment, especially generation equipment, in case of communication failure. It would be helpful during contingency management to be able to estimate the generation from plants without communication connection by resorting to weather nowcasts and known fall-back values.
- Investigate possibilities to reduce the impact of any single ICT contingency to 1.5 GW. This implies the assumption that the current primary reserve level is sufficient for the future smart grid scenario, too.
- Foresee an ICT architecture that ensures statistical independence of individual ICT contingencies. The idea is to reduce e.g. the risk of simultaneous hacking of several VPPs.
- Some ICT outage risks would be reduced if there was a separate, dedicated physical network infrastructure supporting Smart Grid Applications based on Internet technology, possibly redundant to the existing Internet infrastructure. This new network could be designed as a critical infrastructure from the beginning. There would be no risk of being affected e.g. by re-routing of non-smart-grid internet traffic in the event of contingencies. The likelihood of smart grid ICT outage could be systematically reduced in this way.

The present study is a mere first step in a direction where many more are urgently needed. Estimation of ICT contingency risks should be carried out in more detail, and the horizon of considered contingencies widened to include the various smart grid ICT usages and technologies under discussion.


VI. APPENDIX

TABLE A. SUMMARY OF ASSUMPTIONS CONCERNING ICT OUTAGE PROBABILITIES

| Event | Estimated to occur once every x years | Estimated duration of interruption or performance degradation [h] | Resulting loss of generation [GW] |
|---|---|---|---|
| Single outage of EFR posts | 80 | 3 | 2.8 |
| Double outage of EFR posts | 10 | 24 | 11.5 |
| Internet backbone outage | 30 | 24 | 12.3 |
| Country-wide mobile communications provider outage | 4 | 8 | 2 |
| Partial mobile communications provider outage | 1 | 8 | 1 |
| Hacking-induced outage of a single virtual power plant | 1 | 12 | 1 |
| Hacking-induced outage of a cluster of VPPs | 20 | 12 | 3.7 |
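The recursive convolution restricted to the ICT contingencies of Table A, as an added example that is not the authors' simulation code. It assumes that the events are statistically independent and that each is active for duration / (x years × 8760 h) of the time; power plant outages and forecast errors are left out, so the results are not those of Fig. 2.

```python
HOURS_PER_YEAR = 8760
STEP_GW = 0.1  # grid resolution; every Table A loss is a multiple of 0.1 GW

# (event, once every x years, duration [h], loss of generation [GW]) from Table A
TABLE_A = [
    ("Single outage of EFR posts", 80, 3, 2.8),
    ("Double outage of EFR posts", 10, 24, 11.5),
    ("Internet backbone outage", 30, 24, 12.3),
    ("Country-wide mobile provider outage", 4, 8, 2.0),
    ("Partial mobile provider outage", 1, 8, 1.0),
    ("Hacking-induced outage of a single VPP", 1, 12, 1.0),
    ("Hacking-induced outage of a cluster of VPPs", 20, 12, 3.7),
]

def outage_pmf(max_hours=None):
    """Convolve one two-point distribution per event into a loss PMF.

    pmf[i] is the probability that i * STEP_GW is lost at a random instant.
    max_hours caps the duration counted per event (1 = today's TSO
    responsibility, None = entire outage duration, the hypothetical variant).
    """
    pmf = [1.0]
    for _name, years, hours, loss_gw in TABLE_A:
        counted = hours if max_hours is None else min(hours, max_hours)
        p = counted / (years * HOURS_PER_YEAR)  # assumed share of time in outage
        shift = round(loss_gw / STEP_GW)
        nxt = [0.0] * (len(pmf) + shift)
        for i, mass in enumerate(pmf):
            nxt[i] += mass * (1.0 - p)    # event not active
            nxt[i + shift] += mass * p    # event active: its loss is added
        pmf = nxt
    return pmf

def exceedance(pmf, reserve_gw):
    """Probability that the lost generation exceeds reserve_gw."""
    return sum(pmf[round(reserve_gw / STEP_GW) + 1:])

def required_reserve(pmf, deficit_level):
    """Smallest reserve [GW] whose exceedance probability is <= deficit_level."""
    tail = 0.0
    for i in range(len(pmf) - 1, -1, -1):
        if tail + pmf[i] > deficit_level:
            return round(i * STEP_GW, 1)
        tail += pmf[i]
    return 0.0

if __name__ == "__main__":
    for label, cap in (("1 h", 1), ("entire outage", None)):
        print(label, required_reserve(outage_pmf(cap), 0.000125), "GW")
```

At the 0.0125 % deficit level, the ICT-only requirement is set by the 1 GW events when outages count for 1 h only, and by the double EFR outage when the entire outage duration is counted.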

VII. REFERENCES

[1] M. Panteli, D. S. Kirschen, “Assessing the Effect of Failures in the Information and Communication Infrastructure on Power System Reliability,” in Proc. 2011 IEEE/PES Power System Conference and Exposition, pp. 1-7.

[2] UCTE, “UCTE Operation Handbook, P1 – Policy 1: Load-Frequency Control and Performance [C],” approved by SC on 19 March 2009.

[3] UCTE, “A1 – Appendix 1: Load-Frequency Control and Performance [E],” final 1.9 E, 16.06.2004.

[4] DLR, IWES, IFNE, „Langfristszenarien und Strategien für den Ausbau der erneuerbaren Energien in Deutschland bei Berücksichtigung der Entwicklung in Europa und global,“ Report for the BMU, 29.03.2012.

[5] CONSenTEC/Haubrich, „Gutachten zur Höhe des Regelenergiebedarfs,“ Report for the Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen, Aachen, 10.12.2008.

[6] O. Brückl, „Wahrscheinlichkeitstheoretische Bestimmung des Regel- und Reserveleistungsbedarfs in der Elektrizitätswirtschaft,“ Ph.D. dissertation, Dept. Of Electric. Eng. And Inf. Science, Technical University of Munich, 2006.

[7] H. E. Brown, S. Suryanarayanan, “A Survey Seeking a Definition of a Smart Distribution System,” in Proc. 2009 North American Power Symposium, pp. 1-7.

[8] IEEE Standards Association, “IEEE Guide for Smart Grid Interoperability of Energy Technology and Information Technology Operation with the Electric Power System (EPS), End-Use Applications, and Loads,” New York, 10 September 2011.

[9] B. Panajotovic, M. Jankovic, B. Odadzic, “ICT and Smart Grid,” in Proc. 10th International Conference on Telecommunication in Modern Satellite Cable and Broadcasting Services, 2011, pp. 118 – 121.

[10] T. M. Chen, S. Abu-Nimeh, “Lessons from Stuxnet,” Computer, 2011, vol. 44, issue 4, pp. 91 – 93, Apr. 2011.

[11] T. Miyachi, H. Narita, H. Yamada, H. Furuta, “Myth and reality on control system security revealed by Stuxnet,” in Proc. of SICE 2011 Annual Conference , pp. 1537 – 1540.

[12] Heise Online, [Online]. Available: http://www.heise.de/netze/news/archiv/

[13] Heise Online, [Online]. Available: http://www.heise.de/mobil

[14] German Federal Law: “Gesetz über den Vorrang Erneuerbarer Energien,” version from 22.12.2011.

[15] Deutsche Gesellschaft für Sonnenenergie, “Energymap,” [Online]. Available: www.energymap.info

[16] Fraunhofer IWES, „Windenergie Report 2011,“ Kassel, April 2012.

[17] EFR Europäische Funk-Rundsteuerung GmbH, „Empfangsgebiet,“ [Online]. Available: www.efr.de

[18] Fraunhofer IWES, “Vorstudie zur Integration großer Anteile Photovoltaik in die elektrische Energieversorgung,” report for BSW, Bundesverband Solarwirtschaft e.V., Kassel, November 2011.

[19] CONSenTEC, „Gutachten zur Dimensionierung des Regelleistungsbedarfs unter dem NRV,“ Report for the Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen, Aachen, 17.12.2010.

VIII. BIOGRAPHIES

Prof. Dr.-Ing. Martin Braun studied Electrical Engineering and Economics at the University of Stuttgart and received a European Ph.D. at the University of Kassel on “Provision of Ancillary Services by Distributed Generators”. He was researcher in the group “Electricity Grids” at the research institute ISET in Kassel in 2005-2008. In 2009 Martin Braun established and coordinated a new research group on “Decentralized Ancillary Services” at the Fraunhofer-Institute for Wind Energy and Energy System Technology (IWES) in Kassel, Germany. Since October 2010, Martin Braun has been Juniorprofessor for „Smart Power Grids“ at the IEH at the University of Stuttgart. In parallel he has established and coordinated a new department on “Distribution System Operation” at the Fraunhofer IWES since 2012. His research activities focus on technical and economical analyses of the integration of distributed generators, storage and loads into the electrical power system. The technological focus is on photovoltaic systems and other generators, stationary storage systems, and electrical vehicles. In addition, planning and operational procedures for distribution grids are developed as well as energy management and aggregation strategies.

Michael Bauer graduated with a Dipl.-Ing. degree in electrical engineering and information technology from Karlsruhe Institute of Technology (KIT) and received his Dr. Ing. degree from the same university in 2011. During his time as a research associate with KIT, he was involved in the development of communication systems for power line communication and contributed to the EU-funded project OPEN meter. His research interests include communication theory and distributed systems for automation applications. Since 2011, he is with the Fraunhofer Institute for Wind Energy and Energy System Technology (IWES) and is currently working on information and communication technology for smart grids.

Erika Kämpf received a Dipl.-Ing. in Electrical Power Systems Engineering in 2002 from Karlsruhe Institute of Technology (KIT). After working as free-lance analyst for Siemens Technology Accelerator (Munich) and Emcon Consulting Engineers (Namibia), she received a Dipl.Wi.-Ing. in technically-oriented Business Administration from RWTH Aachen, Germany in 2005. From 2005 to 2011 she was with Siemens Energy Automation, Nürnberg, Germany. Since mid-2011 she is research associate and project lead with the Institute for Wind Energy and Energy System Technology (IWES) in Kassel, Germany.

Rainer Schwinn studied physics in Würzburg and ecological agriculture and renewable energies in Kassel. He graduated with Dipl.-Ing. in agriculture about biomass extraction processes under the aspect of energetic utilization. In his master thesis he investigated how modified rules on the control reserve markets will impact the potential of control reserve provided by renewable virtual power plants. He came to the Institute for Wind Energy and Energy System Technology (IWES) in 2011 where he is currently working on the control reserve need and provision in future energy supply scenarios, load curve smoothing by demand-side-management and unit commitment optimization in the national and European generation system.