Copyright © 2012, The MITRE Corporation. All rights reserved.
Electric Power Grid Indications & Warning Tool
David Koester, Ph.D.
The MITRE Corporation
26 Electronic Parkway
Rome, NY 13341 USA
dkoester@mitre.org
Michael Cohen, Ph.D.
The MITRE Corporation
7525 Colshire Drive
McLean, VA 22102-7539 USA
mlc@mitre.org
Abstract—The Electric Power grid makes an attractive target
because it is the foundational critical infrastructure that
underlies all others. A successful attack on the power grid
causing a wide-area long-term outage would have significant
national security, economic, and public health and safety
consequences. Power grid outages could even cause additional
cascading failures in other critical infrastructures due to the high
dependency on electrical power. Hence, it is imperative that
public and private authorities receive Indications and Warnings
(I&W) when such attacks are in the early operational phases in
order to mitigate their consequences. Towards that end, we have
developed a prototype Electric Power I&W tool to provide near
real-time I&W to alert private and public sector authorities when
the likely causes of outage events are malicious activity. We have
developed new business intelligence-style metrics to quantify the
consequences of power system outages and we have developed
techniques to identify multiple, cotemporaneous attacks. We
demonstrate the ability to minimize false alarms due to severe
weather. Similar techniques can be employed to minimize false
alarms caused by high temperatures and wind or geomagnetic
storms. For this capability to be used in the private and public
sectors, a commercialized product based on this research would
need to be developed that would be: (1) part of a larger grid
management capability or (2) part of state and metropolitan area
fusion centers’ capabilities where potential attacks on multiple
critical infrastructure components are monitored continually.
I. INTRODUCTION
The Electric Power grid makes an attractive target because
it is the foundational critical infrastructure that underlies all
others. A successful attack on the power grid causing a wide-
area long-term outage would have significant national security,
economic, and public health and safety consequences [1][2].
Power grid outages could even cause additional cascading
failures in other critical infrastructures due to the high
dependency on electrical power [3][4]. Hence, it is imperative
that public and private authorities receive Indications and
Warnings (I&W) when such attacks are in the early operational
phases in order to mitigate their consequences. Towards that
end, we have developed a prototype tool to provide near real-
time I&W to alert private and public sector authorities when
the likely causes of power grid outage events are malicious
activity. This prototype I&W tool compares automated
messages describing grid component failures to a malicious
activity profile to determine whether the likely cause is natural
causes/accidents or malicious activity. The I&W tool provides
two useful outputs: (1) an I&W Temporal Message stream and
(2) an I&W Spatial Message stream – each triggered when its
metric exceeds the respective threshold.
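To make the two output streams concrete, the following is an added illustration, not the prototype's own code or metrics: failure messages are first screened against a constructed severe-weather cell (the false-alarm suppression the abstract mentions), then a trailing-window count feeds the temporal stream and a distance-based cluster count feeds the spatial stream, each emitting an I&W message when its threshold is crossed. The window length, cluster radius, thresholds, message format and all sample coordinates are assumptions chosen for the example.

```python
"""Illustrative temporal/spatial I&W metrics over grid component failure
messages. Added example: the weather screening rule, window, radius and
thresholds are assumptions, not the paper's own metrics."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class FailureMsg:
    """One automated grid component failure message (assumed format)."""
    ts: datetime
    component: str
    lat: float
    lon: float


@dataclass(frozen=True)
class WeatherCell:
    """A severe-weather area active between start and end (assumed format)."""
    lat: float
    lon: float
    radius_km: float
    start: datetime
    end: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def weather_explained(msg, weather):
    """True if the failure lies inside an active severe-weather cell."""
    return any(
        c.start <= msg.ts <= c.end
        and haversine_km(msg.lat, msg.lon, c.lat, c.lon) <= c.radius_km
        for c in weather
    )


def temporal_alerts(msgs, window=timedelta(minutes=15), threshold=3):
    """Temporal stream: one (timestamp, count) message each time the number
    of failures in the trailing window rises to the threshold."""
    ordered = sorted(msgs, key=lambda m: m.ts)
    alerts, start, above = [], 0, False
    for i, m in enumerate(ordered):
        while ordered[start].ts < m.ts - window:   # slide window forward
            start += 1
        count = i - start + 1
        if count >= threshold and not above:
            alerts.append((m.ts, count))
        above = count >= threshold
    return alerts


def spatial_alerts(msgs, radius_km=25.0, threshold=3):
    """Spatial stream: greedy clusters of failures within radius_km of the
    earliest unassigned failure; a cluster at or above threshold is a message."""
    remaining = sorted(msgs, key=lambda m: m.ts)
    alerts = []
    while remaining:
        seed = remaining[0]
        cluster = [m for m in remaining
                   if haversine_km(seed.lat, seed.lon, m.lat, m.lon) <= radius_km]
        if len(cluster) >= threshold:
            alerts.append(tuple(sorted(m.component for m in cluster)))
        remaining = [m for m in remaining if m not in cluster]
    return alerts


def indications_and_warnings(msgs, weather, window=timedelta(minutes=15),
                             threshold=3, radius_km=25.0):
    """Screen out weather-explained failures, then run both metrics."""
    candidates = [m for m in msgs if not weather_explained(m, weather)]
    return {
        "suppressed": sorted(m.component for m in msgs if m not in candidates),
        "temporal": temporal_alerts(candidates, window, threshold),
        "spatial": spatial_alerts(candidates, radius_km, threshold),
    }


# Constructed sample input: three nearby substations failing within ten
# minutes, plus two line failures inside a constructed storm cell far away.
T0 = datetime(2012, 6, 1, 14, 0)
MESSAGES = [
    FailureMsg(T0, "SUB-A", 41.00, -75.00),
    FailureMsg(T0 + timedelta(minutes=4), "SUB-B", 41.05, -75.02),
    FailureMsg(T0 + timedelta(minutes=9), "SUB-C", 41.02, -75.08),
    FailureMsg(T0 + timedelta(minutes=2), "LINE-X", 43.50, -78.00),
    FailureMsg(T0 + timedelta(minutes=6), "LINE-Y", 43.55, -78.10),
]
WEATHER = [WeatherCell(43.50, -78.00, 50.0,
                       T0 - timedelta(hours=1), T0 + timedelta(hours=2))]

if __name__ == "__main__":
    for k, v in indications_and_warnings(MESSAGES, WEATHER).items():
        print(k, v)
```

Run as-is, the storm-area line failures are suppressed, the temporal stream fires once when the third substation fails, and the spatial stream reports the single three-substation cluster; passing an empty weather list instead shows the temporal metric firing earlier on the storm-inflated count, which is the false-alarm effect the screening is meant to remove.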
The intent is to use this capability to detect potential attacks
in near real-time in order to alert regional and national, private
and public authorities in a timely manner. Having the ability to
gain advance knowledge that power grid problems are due to
malicious activities and not having to wait until the damage is
done to determine the intentional vs. unintentional nature of the
event should be a strong Homeland Security incentive to
support further development of this I&W tool. The tool could
be deployed as (1) a stand-alone capability, housed at a central
location like the North American Electrical Reliability
Corporation (NERC), with I&W messages going to DHS,
DOE, and FERC, or (2) as an integrated part of every
distributed electric utility’s and control area’s grid management
capability.
In this paper, we describe the technical capabilities of our
prototype I&W tool and the context where the tools have
applicability. We discuss the various timeline options that are
available as a function of the intended uses in Section 2. Next,
we describe the Resilient Grid I&W tool features. In Section 4,
we include discussions of how this R&D work could be
productized and be used as: (1) part of a larger grid
management capability incorporating all elements of an
integrated Resilient Grid tool suite or (2) part of
state/metropolitan area Fusion Centers’ capabilities where
potential attacks on multiple critical infrastructure components
are monitored continually. In the concluding section, we
describe our plans for further research on adapting the tool to
the detection and warning of coordinated cyber-attacks on the
power grid and/or Smart Grid.
II. TIMELINE OPTIONS FOR REAL-TIME DATA ANALYTICS
Multiple possible analytics options exist that cover the time
continuum from pre-event prediction/detection to post-event
forensics and historical analysis. The differences in the various
analysis options are the time windows within which we are
required to develop critical results. The tool we describe in this
paper is best described as a post-event (post attack) near real-
time indications and warnings (I&W) capability. Analytics
examples along this continuum are depicted in Fig. 1. The
placement of our tool in the center is not indicative of the scale
Approved for Public Release; Distribution Unlimited
Case # 12-3623