tepco iec, inc. · s / per year) tepco power grid. state of new york. state of ... alstom grid....

TEPCO IEC, Inc.

This document may contain confidential information of TEPCO IEC,Inc. and Tokyo Electric Power Company Holdings, Incorporated (TEPCO) /or other companies. We prohibit the use of the contents of this document for any purposes other than its original purpose and acts of disclosure to third parties without our permission. TEPCO IEC,Inc.

© 2017 TEPCO IEC,Inc.

©TEPCO Power Grid, Inc. All Rights Reserved.

Efforts to stable power supply


3

2014～

1.1. Power System Enhancements & Advancements over the years

2018～ Next Gen. SCADA

～2017～2010s～1970s

Improvements were implemented as the demand for SCADA increased over the years.

TEPCO is usually the one to define the specification of the SCADA they want to be developed.

TEPCO shall define the entire specification for Next Gen. SCADA, and do RFP.

8.4

20.2

31.9

46.7

0102030405060

1950

1957

1961

1965

1969

1973

1977

1981

1985

1989

1993

1997

2001

2005

2009

2013

[GW]Peak Demand(daily peak at generation end)

History of SCADA


4

1.2. History of Substation Remote Monitoring & Control

～1970s

～2000s

～FY2017

FY2018～

49.1 70.7

88.4 95.6

97.3

98.3

99.9

755762

9921232

1584

1619

1580

5007009001,1001,3001,5001,700

0

20

40

60

80

100

1955

1975

1995

2002

2004

2006

2008

2010

2012

2014

2016

(Loc

atio

ns)

(%)

×500

×99

×10

800+

1,500+1,500+

1,500+

TEPCO has successfully created “unattended substations” as the no. of substations increased.

Control centers have been centralized by increasing the no. of substations that are controlled by SCADA.

Next Gen. SCADA will be able to perform supervisory control among 1,580 substations simultaneously.

More than one control center can be set up.

Automation rate in substations

×1

substations


5

1.3. SAIDI & SAIFI

19

3625

1016

818

4 7 7 123 3 5 5 5 4 4 4 4 3

122 7 2 3 4 3 2

152

9 515

4

0.28

0.36

0.27

0.220.25

0.1

0.39

0.08

0.21

0.23

0.29

0.10.08

0.22

0.19

0.130.13

0.1

0.180.18

0.1

0.12

0.11

0.1

0.05

0.13

0.05

0.12

0.05

0.33

0.10.07

0.14

0.07

0

0.1

0.2

0.3

0.4

0.5

0

20

40

60

80

100

120

140

160

1981

1984

1987

1990

1993

1996

1999

2002

2005

2008

2011

2014

Freq

uenc

y of

out

ages

per

hou

seho

ld

(tim

es)

Dur

atio

n of

out

ages

per

hou

seho

ld

(min

utes

)

SAIDI SAIFI

Contracts are increasing but SAIFI and SAIDI are decreasing. SAIFI and SAIDI were high in FY 2010 due to the great east Japan

earthquake on 11 March 2011. SAIFI and SAIDI have been at normal levels since FY 2011.

22.74

26.6728.73

0

5

10

15

20

25

30

Num

ber o

f Cus

tom

ers

(mill

ion)

Number of Customers


6

1.4. SAIDI & SAIFI (Cont’d)

4.0 20.0 21.0

133.8

32.8

83.6

61.0

0

20

40

60

80

100

120

140

160

(min

utes

/ per

yea

r)

A huge number of facilities were broken by the great east Japan earthquake in 2011, TEPCO overcame this situation and has been providing high-quality power until today.

0.07 0.16 0.13

1.06

0.29

0.90

0.65

0.0

0.2

0.4

0.6

0.8

1.0

1.2

(tim

es/ p

er y

ear)

TEPCOPow

er Grid

State ofN

ew York

State ofCalifornia

JAPAN

German

France

UnitedKingdom

TEPCOPow

er Grid

State ofN

ew York

State ofCalifornia

JAPAN

German

France

UnitedKingdom

Duration of Outage per contract of each country Frequency of Outage per contract of each country

As of the end of FY 2015


Next Generation SCADA～ Aiming for a SCADA built with resilience ～


From the many things we learnt from the great east Japan earthquake and in order to succeed in 2020 International events, TEPCO shall develop a next generation SCADA, which aims to accomplish not only a stable power supply but also a resilient power grid.

Resilient in face of natural disasters

Maintain an up-to-date & highly reliable design

Develop the Next Generation SCADA8

2020International Events

Reliable cyber security


2.1. International standard Corresponding to the CIM Standard

Platform CIM Standard

EMS/DMS/NMS Core DBMS Import/Export

Network Manager No Yes

eTerra No Yes

PowerOnAdvantage/Reliance No Yes

Spectrum Power Yes Yes

ADMS/Oasys No Yes

Next Generation SCADA(Toshiba’s Middle ware) Yes Yes

Schneider Electric

Siemens

General Electric(GE)

Alstom Grid

Asea Brown Boveri(ABB)

The only two platforms with the Database (DBMS) adapted IEC61970 and IEC61968 are Spectrum Power and our TOSHIBA’s middle ware installed in Next Gen. SCADA.

© 2017 TEPCO IEC,Inc. 9

2.2. International standard Corresponding to the CIM Standard

By designing DBMS with CIM, it is possible to drastically reduce DB conversion cost at system replacement.

OS

DB (Original)

Application CIM I/F(MW)

OS

DB (Original)

Application CIM I/F(MW)

Replace

Huge Cost

International standard

OS

DB (IEC61970/61968)

Application

OS

DB (IEC61970/61968)

Application

Replace

Low Cost

CIM I/F(MW)

CIM I/F(MW)


Server 1 Server 2

Client 1 Client n

Server 1 Server 2 Server 3

Client 1 Client n・・・・・・・・・・

Transmission CC ×10Distribution CC ×56

Transmission CC ×10Distribution CC ×56

2.3.

Next Generation SCADA

Flexible Redundancy Flexible redundant configuration depending on the degree of importance

Realizing redundant configuration using basic SCADA to suit the needs Realizing not only redundant servers, but also widely distributed servers All the clients consist of Thin-Client. Next Gen. SCADA consists of 10 transmission control centers and 56 distribution

control centers. Redundant servers can be distributed and placed in different places.


2.4. Cost Down Complete thin client configuration realizes overwhelming cost reduction

Next Gen. SCADA has achieved overwhelming downsizing that has never existed before.

Three servers can realize about 50 GW of power transmission system and all operation of power distribution system.

The control center has a thin client configuration, so flexible design of the control center is possible.

TCC 1

TCC 2

TCC 10

・・・

Wide area Communication Network

average 5 to 6

CommunicationNetwork 1

DCC 1

DCC 5

average 5 to 6

DCC 6

DCC 10

average 5 to 6

DCC 51

DCC 56


CommunicationNetwork 10・・・

・・・

DataCenter 1

Wide area Communication Network

・・・

Server1

DataCenter 2

Server2

DataCenter 3

Server3

TCC 1

Thin-Client

TCC 2

Thin-Client

TCC 10

Thin-Client

DCC 1

Thin-Client

DCC 6

Thin-Client

DCC 51 Thin-Client

DCC 5

Thin-Client

DCC 10 Thin-Client

DCC

56 Thin-Client




・・・

・・・

・・・

Next Generation SCADAUp to now SCADA


2.5.


Client 1 Client 2

Substation Substation


Client 1 Client 2


Master

Next Gen. SCADA enables stable operation even in a state of “Split-Brain Syndrome”. The Control Center keeps running as long as there is at lest one master sever

connected to the network. Since “Slave” is synchronized with “Master”, it can be shifted to single master mode

when “Split –Brain Syndrome” happens, automatically.

Master Slave Slave Master Slave

High Redundancy

Event of failure

After recovery

High Redundancy Allows stable operation in a state of Split-Brain Syndrome


2.6.



Client 1

GW

Sub-Area Network× 10 Network

Wide-Area Network× 1 Network

×10 Locations

×56Locations

Number of TC*1 = MAX 48

It can be configured with redundancy of the network freely depending on the importance of SCADA

e.g. Next Generation SCADA

Main network consists of 2-route optical fibers.

Wide-area network configures ring-groups with OPGWs and under ground cables.

Considering of using micro-wave as back up.

Four route transmission will be used for GW transmission which collects RTU’s data.**1～4 route transmission designs are available

Multiple transmission Up to four can be chosen freely to route transmission

*1 TC : Tele-Control


2.7.

SCADA

SubstationTCP/IP

Substation

HDLC orCDT etc. GW

TCP/IP

SCADA

The communication system between SCADA and substations should be highly reliable. Currently, Internet Protocol (IP) transmission is mainly used between SCADA and substations. TCP/IP is used in many SCADAs. TCP/IP is also used in Next Gen. SCADA, however there are some problems.

TCP/IP

Accomplish conditions ・Orderliness・Continuity

Concerned conditions ・Real-time・MTU restriction

Using UDP？

UDP/IP・Real-time・1:N Communication・Orderliness・Continuity

PMCN having advantages of both TCP/IP and UDP/IP is employed.

PMCN (Protocol for Mission Critical industrial Network use)

Duplicated transmission support Adopted a communication system with enhanced reliability

TC : IP Transmission

TC : None IP Transmission

GW : IP Transmission


2.8. What's PMCN? PMCN is a protocol that enables maximum use of the Internet protocol in mission-critical

monitoring and control system.

Obtaining data orderliness Implementation

TCP/IP

Physical LayerData Link Layer

Network LayerTransport Layer

Session LayerPresentation Layer

Application Layer

UDP

PMCN

Mounted on the UDP Standardized by The Japan Electrical

Manufacturers‘ Association (JEMA) Library, etc. are provided from JEMA

Obtaining data continuity TCP/IP

Obtaining data in real-time UDP/IP

Duplicated transmission support None

1:N communication* (*Multicast Communication) UDP/IP

Data transmission support without MTU restriction None

Ability to implement


2.9. e.g. Duplicated transmission support

(Fragment)

SEQ Num 1SEQ Num 1

A-LAN

Wait for the rest of the A-LAN data of SEQ num2.

B-LAN

SEQ Num 2SEQ Num 2

SEQ Num 1

SEQ Num 2

SEQ Num 2

SEQ Num 3

SEQ Num 2

SEQ Num 1

SEQ Num 2

(Fragment)

SEQ Num 3

SEQ Num 2

SEQ Num 2

SEQ Num 3

SEQ Num 4

SEQ Num 3

Disposal

Disposal

Disposal

Disposal

Disposal

Reception processing (TCP Layer)

SEQ Num 1

(Fragment)

SEQ Num 2

(Fragment)

SEQ Num 2

SEQ Num 3

SEQ Num 4

Retransmission request(SEQ Num3)

Can’t receive split packets from different LAN.

Can’t be received until the reception processing of SEQ Num2 is completed.

In the case where duplicated transmission is realized using TCP / IP


2.10. e.g. Duplicated transmission support (Cont’d)

(Fragment)

SEQ Num 1SEQ Num 1

A-LAN

Wait for the rest of the A-LAN data of SEQ num2.

B-LAN

SEQ Num 2SEQ Num 2

SEQ Num 1

SEQ Num 2

SEQ Num 2

SEQ Num 3

SEQ Num 2

SEQ Num 1

SEQ Num 2

(Fragment)

SEQ Num 3

SEQ Num 2

SEQ Num 2

SEQ Num 3

SEQ Num 4

SEQ Num 3

Disposal

Disposal

Reception processing (PMCN Layer)

SEQ Num 1

(Fragment)

SEQ Num 2

(Fragment)

SEQ Num 2

SEQ Num 3

SEQ Num 4

Possible to receive a split packet from B-LAN.

SEQ Num 4

Disposal

Disposal

In the case where duplicated transmission is realized using PMCN + UDP / IP

The sequence number is managed by the PMCN.


2.11. TEPCO's GW enables highly reliable transmission by converting various non-IP

transmissions to IP. (DNP 3.0 is also possible) In FEP efficiently many data format has been converted to IEC61970/61968.

SubstationTC*1 TC*1

HDLC

IF*2

TCP/IP

LAN-IF*3

Token Ring

RTU*4

TCP/IP

SAS*5

TCP/IP

GW

SCADA

TCP/IP PMCN+UDP/IP

Multi-Transmission Protocol Developed The GW that supports a number of protocols

FEP1 FEP2 FEP3

CDT

TCP/IP TCP/IP TCP/IP

Data Format ProtocolJapan Original CDT

HDLC (Compliance) HDLC or TCP/IP

Japan Original Token Ring

IEC60870 (in future) TCP/IP

IEC61850 (in future) TCP/IP

IEC61970 TCP/IP

Only Protocol Conversion

*1 Tele-Control *2 IP method of Tele-Control *3 Token-Ring *4,*5 in future


2.12. Goal for strong SCADA

Power Control Technology Able to perform an operating support function which suits the needs of clients

Function that auto-creates operation sequences From current to the future network, operation sequences are automatically created by indicating the facilities users want to be operated

Control areas are flexibleBackup control can be performed from the other control area in the case of emergency

Audio guidance functionAn audio guidance is carried out to announce the faults and confirm the operation

Training simulator function Operation training is available using operation clients. It is also available to simulate previous faults and display faults flexibly.

Notification to asset management departmentIt can make information from the control center available to the asset management department


～ Aiming for a SCADA secured from Cyber threats～



22

3.1. Constructing Organization for Comprehensive SecurityOrganization and Operations are important for comprehensive security. We must consider not only cyber attacks, but internal crime like information theft.

TEPCO, McAfee and TOSHIBA are teaming up to develop world-class electric power control system with security in mind.

To introduce advanced technology developed by TEPCO and TOSHIBA, including multifactor authentication with IC card and Biometrics etc.

Commit 1 To Develop SCADA with Cutting-edge Security Controls

Commit 2 To Create An Organization with Governance and Management

Separation of governance organization (CSIRT) and management organization (SOC) clarify our Responsibility, Role and Authority. Consequently, flexible operations are done against any risk.

Governance: CSIRT

Management: SOC

ManagementFeedback

CIO/CISO Audit

Evaluate

Plan Build Run Monitor

MonitorDirect

Business Needs

TEPCOPower Grid, Inc.


23

3.2. A SCADA secured from Cyber threats TEPCO has conducted a risk assessment during the request for proposal phase. TOSHIBA, together with a Security consultancy has also conducted a risk assessment. The assessments were made in line with Japan’s domestic guidelines , NIST SP 800-

82 Rev2 and the ISO/IEC14408

Enable security measures selection depending on security level of SCADA

Strengthening of firewall Implementation of Security measure at Network gateway and Logging function

Installation of IDS / IPS Defends widely from Intrusion Detection to Intrusion Prevention

Block of unused LAN ports and USB ports Block LAN ports and USB ports logically.Block Important Facilities physically.

Two-factor authentication function Implementation of Two-factor authentication, IC card authentication and Biometric authentication

Access control Enable flexible access control setting by use of IC card


24

3.3. A SCADA secured from Cyber threats (Cont’d)

Login authentication for Server system Login authentication and Logging during system maintenance

Encryption of authentication information Encrypt IC card information and Biometric information

Sequential control Implementation of system which protects field devices in substations from illegal control

Employment of White list system Prevent execution of unauthorized program

Construction of Log management infrastructure

Implementation of Event data search function, access permission setting function, etc.


25

3.4. Two-factor authentication function Strengthening security measures by implementing a combination of non-contact IC

card and biometric authentication as compared to the two-factor authentication used in conventional ID & Password systems.

If the Employee Card is compatible with the non-contact IC card(ISO/IEC18092 Compliance), it is also possible to use the Employee Card.

Palm vein authentication

IC card authentication

500kV Substation SCADA


26

3.5. Biometric authentication by palm vein

1. Control is allowed through IC card authentication and palm vein authentication.

2. Configuration changes and approval of the control operations can be carried out only through IC card authentication.

3. Operator control authority will vary depending on the IC card.4. If both the card and the palm vein is not authenticated, SCADA does not

output a control signal.5. Operators can be controlled from anywhere in the control center by

setting an IC card ID.6. All operations will be recorded through individual operator logs.

Authentication accuracy

FAR (False Acceptance Rate) 0.00001%

FRR (False Rejection Rate) 0.01% (Including one retry)Source ©FUJITSU LIMITED 2016


27

Next Gen. SCADA

MainServer

authenticationServer

IC Card

BiometricDevice

Thin-ClientControl Center

IC Card

BiometricDevice


IC Card

BiometricDevice


3.6. Flexible access to Control Center By matching the IC card details with a definable range of operations, users can set

which operations are controllable and accessible for each employee. This function can be set through employee IDs and departments as the Operation

Area and Control Center Client are not fixed.

Configuration changes can be granted the authority to either Control Center to grant privileges to employees.

Next Gen. SCADA

MainServer

authenticationServer

IC Card

BiometricDevice


IC Card

BiometricDevice


IC Card

BiometricDevice


Emergency


～ Aiming the strong SCADA to business innovation ～



Implementation of functions flexible enough to suit varying needs

Adopting IEC61970 in network modeling and Database Configuration

4.1. Create a flexible SCADA fit for work restructuring TEPCO has been developing SCADA systems based on the idea that supervisory control

technologies and company /utility/customer structures are always changing In order to create flexible and resilient SCADA systems that can keep up with the fast-changing

industry, TEPCO aims to continuously adapt to market-defined standards and globally standardized technologies.

TEPCO shall develop the new generation SCADA systems using its reputable craft and know-how in power management technologies, and not just depend on existing solution packages offered by current vendors .

A variety of choices is available to address a wider range of customer needs, in a more customized approach

Development of power management technologies in software modules

Configuration of data models using IEC61970; less vendor dependency

Implementation of PI System

Implementation of OSIsoft’s PI System, which is an industrial standard for enterprise historians is available.


TEPCO IEC, Inc.


tepco iec, inc. · s / per year) tepco power grid. state of new york. state of ... alstom grid....

Documents