Network segmentation of a power grid's communication system can make the grid more resilient to cyberattacks. Here we develop a novel trilevel programming model to optimally segment a grid communication system, taking into account the actions of an information technology (IT) administrator, attacker, and grid operator. The IT administrator is allowed to segment existing networks, and the attacker is given a budget to inflict damage on the grid by attacking the segmented communication system. Finally, the grid operator can redispatch the grid after the attack to minimize damage. The resulting problem is a trilevel interdiction problem that we solve using a branch and bound algorithm for bilevel problems. We demonstrate the benefits of optimal network segmentation through case studies on the 9-bus Western System Coordinating Council (WSCC) system and the 30-bus IEEE system. These examples illustrate that network segmentation can significantly reduce the threat posed by a cyberattacker.
We consider a bilevel attacker–defender problem to find the worst-case attack on the relays that control transmission grid components. The attacker infiltrates some number of relays and renders all of the components connected to them inoperable with the goal of maximizing load shed. The defender responds by minimizing the resulting load shed, redispatching using a DC optimal power flow (DCOPF) problem on the remaining network. Though worst-case interdiction problems on the transmission grid have been studied for years, there remains a need for exact and scalable methods. Methods based on using duality on the inner problem rely on the bounds of the dual variables of the defender problem in order to reformulate the bilevel problem as a mixed integer linear problem. Valid dual bounds tend to be large, resulting in weak linear programming relaxations and, hence, making the problem more difficult to solve at scale. Often smaller heuristic bounds are used, resulting in a lower bound. In this work, we also consider a lower bound, but instead of bounding the dual variables, we drop the constraints corresponding to Ohm’s law, relaxing DCOPF to capacitated network flow. We present theoretical results showing that, for uncongested networks, approximating DCOPF with network flow yields the same set of injections and, thus, the same load shed, which suggests that this restriction likely gives a high-quality lower bound in the uncongested case. Furthermore, we show that, in the network flow relaxation of the defender problem, the duals are bounded by one, so we can solve our restriction exactly. Finally, because the big-M values in the linearization are equal to one and network flow has a well-known structure, we see empirically that this formulation scales well computationally with increased network size. Through empirical experiments on 16 networks with up to 6,468 buses, we find that this bound is almost always as tight as we can get from guessing the dual bounds even for congested networks in which the theoretical results do not hold. In addition, calculating the bound is approximately 150 times faster than achieving the same bound with the reformulation guessing the dual bounds.
Chen, Qi; Johnson, Emma S.; Bernal, David E.; Valentin, Romeo; Kale, Sunjeev; Bates, Johnny; Siirola, John D.; Grossmann, Ignacio E.
We present three core principles for engineering-oriented integrated modeling and optimization tool sets—intuitive modeling contexts, systematic computer-aided reformulations, and flexible solution strategies—and describe how new developments in Pyomo.GDP for Generalized Disjunctive Programming (GDP) advance this vision. We describe a new logical expression system implementation for Pyomo.GDP allowing for a more intuitive description of logical propositions. The logical expression system supports automated reformulation of these logical constraints to linear constraints. We also describe two new logic-based global optimization solver implementations built on Pyomo.GDP that exploit logical structure to avoid “zero-flow” numerical difficulties that arise in nonlinear network design problems when nodes or streams disappear. These new solvers also demonstrate the capability to link to external libraries for expanded functionality within an integrated implementation. We present these new solvers in the context of a flexible array of solution paths available to GDP models. Finally, we present results on a new library of GDP models demonstrating the value of multiple solution approaches.
In the face of increasing natural disasters and an aging grid, utilities need to optimally choose investments to the existing infrastructure to promote resiliency. This paper presents a new investment decision optimization model to minimize unserved load over the recovery time and improve grid resilience to extreme weather event scenarios. Our optimization model includes a network power flow model which decides generator status and generator dispatch, optimal transmission switching (OTS) during the multi-time period recovery process, and an investment decision model subject to a given budget. Investment decisions include the hardening of transmission lines, generators, and substations. Our model uses a second order cone programming (SOCP) relaxation of the AC power flow model and is compared to the classic DC power flow approximation. A case study is provided on the 73-bus RTS-GMLC test system for various investment budgets and multiple hurricane scenarios to highlight the difference in optimal investment decisions between the SOCP model and the DC model, and demonstrate the advantages of OTS in resiliency settings. Results indicate that the network models yield different optimal investments, unit commitment, and OTS decisions, and an AC feasibility study indicates our SOCP resiliency model is more accurate than the DC model.
This report summarizes the activities performed as part of the Science and Engineering of Cybersecurity by Uncertainty quantification and Rigorous Experimentation (SECURE) Grand Challenge LDRD project. We provide an overview of the research done in this project, including work on cyber emulation, uncertainty quantification, and optimization. We present examples of integrated analyses performed on two case studies: a network scanning/detection study and a malware command and control study. We highlight the importance of experimental workflows and list references of papers and presentations developed under this project. We outline lessons learned and suggestions for future work.
In this work, we describe new capabilities for the Pyomo.GDP modeling environment, moving beyond classical reformulation approaches to include non-standard reformulations and a new logic-based solver, GDPopt. Generalized Disjunctive Programs (GDPs) address optimization problems involving both discrete and continuous decision variables. For difficult problems, advanced reformulations such as the disjunctive “basic step” to intersect multiple disjunctions or the use of procedural reformulations may be necessary. Complex nonlinear GDP models may also be tackled using logic-based outer approximation. These expanded capabilities highlight the flexibility that Pyomo.GDP offers modelers in applying novel strategies to solve difficult optimization problems.
ANS IHLRWM 2017 - 16th International High-Level Radioactive Waste Management Conference: Creating a Safe and Secure Energy Future for Generations to Come - Driving Toward Long-Term Storage and Disposal
Transportation of spent nuclear fuel (SNF) is expected to increase in the future, as the nuclear fuel infrastructure continues to expand and fuel takeback programs increase in popularity. Analysis of potential risks and threats to SNF shipments is currently performed separately for safety and security. However, as SNF transportation increases, the plausible threats beyond individual categories and the interactions between them become more apparent. A new approach is being developed to integrate safety, security, and safeguards (3S) under a system-theoretic framework and a probabilistic risk framework. At the first stage, a simplified scenario will be implemented using a dynamic probabilistic risk assessment (DPRA) method. This scenario considers a rail derailment followed by an attack. The consequences of derailment are calculated with RADTRAN, a transportation risk analysis code. The attack scenarios are analyzed with STAGE, a combat simulation model. The consequences of the attack are then calculated with RADTRAN. Note that both accident and attack result in SNF cask damage and a potential release of some fraction of the SNF inventory into the environment. The major purpose of this analysis was to develop the input data for DPRA. Generic PWR and BWR transportation casks were considered. These data were then used to demonstrate the consequences of hypothetical accidents in which the radioactive materials were released into the environment. The SNF inventory is one of the most important inputs into the analysis. Several pressurized water reactor (PWR) and boiling water reactor (BWR) fuel burnups and discharge times were considered for this proof-of-concept. The inventory was calculated using ORIGEN (point depletion and decay computer code, Oak Ridge National Laboratory) for 3 characteristic burnup values (40, 50, and 60 GWD/MTU) and 4 fuel ages (5, 10, 25 and 50 years after discharge). The major consequences unique to the transportation of SNF for both accident and attack are the results of the dispersion of radionuclides in the environment. The dynamic atmospheric dispersion model in RADTRAN was used to calculate these consequences. The examples of maximum exposed individual (MEI) dose, early mortality and soil contamination are discussed to demonstrate the importance of different factors. At the next stage, the RADTRAN outputs will be converted into a form compatible with the STAGE analysis. As a result, identification of additional risks related to the interaction between characteristics becomes a more straightforward task. In order to present the results of RADTRAN analysis in a framework compatible with the results of the STAGE analysis, the results will be grouped into three categories: • Immediate negative harms •Future benefits that cannot be realized •Additional increases in future risk By describing results within generically applicable categories, the results of safety analysis are able to be placed in context with the risk arising from security events.