6th International Disaster and Risk Conference IDRC 2016 Integrative Risk Management - Towards Resilient Cities. 28 August - 01 September 2016 in Davos, Switzerland
Resilient Energy Infrastructures Energy Security and Sustainability Implications, Robert ROSNER
1. 6th
International Disaster and Risk Conference IDRC 2016
‘Integrative Risk Management – Towards Resilient Cities‘ • 28 Aug – 1 Sept 2016 • Davos • Switzerland
www.grforum.org
Resilient Energy Infrastructure:
Energy Security and Sustainability Implications
Robert Rosner (1), Peter Burgherr (2), Matteo Spada (2) & Rebecca Lordan (1,3)
(1) Energy Policy Institute of Chicago, The University of Chicago, USA
(2) Paul Scherrer Institute (PSI), Switzerland
(3) Harris School of Public Policy Studies, The University of Chicago, USA
2. Why does resilience matter for energy infrastructure?
• A national energy supply underlies virtually all of a nation’s ability to produce wealth …
– Significant interruptions in energy supply thus have significant economic impacts
• The complexity – and the history – of energy infrastructure deployment make it extremely vulnerable to both accidental and intentional disruptions ...
Energy security Energy infrastructure resilience
• The key question: How can we achieve resilience?
• My message: there exist tools for answering this question in a systematic and productive manner
3. The potential points of disruption are everywhere …
4. It can be nature acting up …
The eastern U.S. blackout of 14 August, 2003
The causes:
• Hot weather leads to high-tension power line sagging, and eventual contact with ground …
• Huge power transfer to alternate routes trips overload sensors in Northeast grid ...
• 50 million people affected …
• >61,800 MW power lost ...
• Damage US$ 7-14 billion
5. It can be an external human adversary …
The issue:
• Transformers need cooling, which is done via mineral oil
• Sniper(s) shot holes into the oil reservoirs
• Loss of cooling oil almost led to destruction of the transformers …
• These transformers cannot be rapidly replaced – it takes months ...
• Transformer loss would have meant no power for months in the San Jose area ...
The Metcalf, California substation attack on 16 April, 2013
6. It can be an internal human adversary …
The story:
• A valve was opened in the non-nuclear part of the plant (“balance of plant”), resulting in a leak of 65,000 liters of oil, leading to catastrophic overheating of the main turbine
• Plant was off-line until 19 Dec. 2014
• No evidence of an outside intruder entering the plant …
The Doel 4 nuclear reactor incident in Belgium, August 2014
7. So: how do we think about preventing these sorts of events?
There are three concepts that can guide one’s thinking …
• Probabilistic Risk Assessment (PRA)
– An engineering assessment based method for “... estimating risk by computing real numbers to determine what can go wrong, how likely it is, and what are its consequences” (NRC)
• Defense in Depth (DiD)
– An engineering approach for protecting against possible failures by providing multiple redundancies at all critical failure points ...
• Design Basis Threat (DBT)
– A methodology for determining what protective measures need to be in place to guard against attack; it entails:
• Determine likely adversaries ...
• Determine their likely course of action ...
• Determine the likely capabilities of the adversaries ...
• Determine the nature of likely defensive measures that can prevent or appropriately delay the adversary’s actions ...
8. What one does will depend on what we’re worried about …
• There is no universal recipe …
• One always starts with a version of Probabilistic Risk Assessment (PRA)
– Step 1: An event tree or fault tree analysis …
– Step 2: Designing a countering strategy … which can involve a mix of “Defense in Depth” and “Design Basis Threat” (DBT) analyses
9. Example #1: Power plants …
• “Probabilistic Risk Assessment” (PRA) and “Defense in Depth” need to be used to guard against damage from natural disasters
– Neither was appropriately used at Fukushima Dai-ichi …
• PRA, “Defense in Depth”, and “Design Basis Threat” (DBT) analyses are used together when thinking about adversarial attack
– The key here lies not in repelling an attack, but in delaying the adversary sufficiently to allow the arrival of the “cavalry” …
10. What went wrong at Fukushima Dai-ichi?
1. Sea wall too low
2. Emergency generators below grade – and not sealed against water infiltration …
3. Why no seals: design was U.S. origin – and designed for protection against tornadoes …
11. The nature of the power plant matters …
• Attacks against fossil fuel power plants by and large would focus on disabling the plant …
– Historically, there has been little attention paid to protecting such plants; the focus has been on protecting the attached power substation (more on this later!)
• Attacks against nuclear power plants may have much more complex motivations ...
– Disabling the plant, viz. attacking the steam turbines, since the nuclear reactor itself is typically highly hardened against intrusions – think Doel 4 ...
– Attacking the used (“spent”) fuel storage facility, with the idea of spreading the material over a large populated area (“dirty bomb”)
• The really vulnerable part of a plant is its cooling pools, where the used fuel is first deposited after being removed from the reactor core ...
• This part of a nuclear power plant is typically relatively accessible, when compared to the reactor core ...
• For this reason, “Design Basis Threat” analyses usually suggest a combination of added physical defenses (e.g., hardened building structures) and a “protective force”, both designed to delay ...
12. Example #2: Transmission lines …
• Too many points of attack for effective protection against both nature and adversaries ...
– But PRA dictates that certain precautions should be implemented: clear lines-of-sight, minimize risk of shorting out lines via sag, winds, object impacts, ...
• Implication: The only sure way to achieve resilience is to implement a “defense in depth” strategy, no matter what the origin of damage is:
– Energy transmission from energy source A to energy user B must rely on multiple redundant pathways ...
– The capacity of alternate pathways must suffice to handle potential excess loads ...
[Figure: transmission pathways between source A and user B; caption only partly recovered: “…ching of electric power is …plex that you might think!”]
Note: The instinct of governments is to try to obfuscate how resilience is achieved … this is usually done by declaring all information regarding transmission or pipeline routing as ‘secret’ or ‘confidential’ ... But in a world in which all of us have access to satellite imagery, this is unfortunately not very effective ... In other words, here ‘design basis threat’ analysis is not very helpful ...
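The redundancy requirement on this slide (multiple pathways from A to B, each alternate able to carry the excess load) can be screened as a single-outage (N-1) check. This is an added example, not part of the presentation: it treats a constructed network as a simple capacity (transport) model, which ignores the physics of real AC power flow, and all node names and MW values are made up.

```python
from collections import defaultdict, deque

# Constructed sample grid (not real data): (from, to, capacity in MW).
LINES = [
    ("A", "N1", 600), ("N1", "B", 600),   # main corridor
    ("A", "N2", 300), ("N2", "B", 300),   # alternate pathway 1
    ("A", "N3", 200), ("N3", "B", 200),   # alternate pathway 2
]

def max_flow(lines, src, dst):
    """Edmonds-Karp max flow over undirected lines: deliverable MW src -> dst."""
    cap = defaultdict(lambda: defaultdict(int))
    for u, v, c in lines:
        cap[u][v] += c
        cap[v][u] += c
    total = 0
    while True:
        parent = {src: None}            # breadth-first search for spare capacity
        queue = deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return total                # no augmenting path left
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= push
            cap[v][u] += push
        total += push

def n_minus_1(lines, src, dst, demand_mw):
    """Map each single-line outage that causes a shortfall to the MW still deliverable."""
    shortfalls = {}
    for i, (u, v, _) in enumerate(lines):
        delivered = max_flow(lines[:i] + lines[i + 1:], src, dst)
        if delivered < demand_mw:
            shortfalls[(u, v)] = delivered
    return shortfalls

if __name__ == "__main__":
    print("intact capacity:", max_flow(LINES, "A", "B"), "MW")
    for demand in (500, 700):
        print(f"demand {demand} MW, failing outages:", n_minus_1(LINES, "A", "B", demand))
```

At 500 MW of demand the alternates absorb any single loss; at 700 MW the loss of either main-corridor line leaves a 200 MW shortfall, which is the case where alternate capacity does not suffice.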
13. However: This approach to resilience does not work for all transmission lines …
• It works for long-distance high-voltage transmission lines …
• It will not work for local (lower voltage) distribution transmission lines, such as the ones that bring power to your house or building ...
– It’s not feasible to build redundant local transmission nets
– Instead, the key point is rapid identification of problems: e.g., the location + nature of break(s), and reserve supply of distribution gear ...
– A “smart grid” is a key tool ... and its use for rapid identification of grid problems is one of the key motivators for utilities pushing towards a “smart grid”!
14. Example #3: Substations
• Substations are the points at which power is distributed – from (a) power stations to the high-voltage (HV) transmission lines, from (b) the HV lines to the lower-voltage local distribution transmission lines, and then (c) to the final line transformers that connect the grid to your home.
[Figure panels (a), (b), (c)]
15. It is the big substations that are the problem …
• The local pole-attached line transformers can be treated just like the local transmission lines – e.g.,
– Use “smart grid” technology to identify problematic transformers, and
– Maintain a repository for spare replacement transformers
– This is what is in fact currently done …
• The problem at big substations rests with the transformers themselves, e.g., transformers w/ capacities > 100 MW*
– Such large power transformers (“LPTs”) are rarely kept in stock – they are typically manufactured on demand, with lead times up to 20 (!) months
• They can weigh up to 400 tons, and cost in the millions of dollars ...
• These are the kinds of transformers attacked at the Metcalf Transmission substation …
• What can we do?
– This is a case where the full complement of PRA, ‘defense in depth’ and “design basis threat” analysis can be brought to bear ...
* U.S. Dept. of Energy Report “Large Power Transformers and the U.S. Electric Grid” (2012)
16. How do we deal with big substations??
• Probabilistic Risk Assessment (PRA), involving event/fault tree analyses, must be used to identify vulnerabilities …
• Design Basis Threat (DBT) analysis argues for delay:
– Early detection of problems (substations are usually not staffed!)
– Efficient, protected and redundant sensors … and early detection of sensor failure ...
– Site protective measures (fencing, walls, breaking lines of sight, …)
• Defense in Depth (DiD) argues for redundancy
– Build out backup substations, as part of a more highly redundant grid architecture …
– Reconstitute the transformer supply chain (bringing down transformer replacement times to weeks or perhaps even days) ...
• Probabilistic Risk Assessment (PRA) can assess the effectiveness of the measures instituted as a result of DBT and DiD analyses …
– Validation of PRA can involve game theory-based scenario analyses, as well as full-scale emergency drills ...
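The PRA loop described here and in the earlier two-step recipe (fault tree first, then DBT and DiD countermeasures, then PRA again to assess them) can be worked through on a small fault tree. This is an added example, not part of the presentation: the tree structure, the event names and every probability are constructed for illustration, and basic events are assumed independent.

```python
from math import prod

def evaluate(node, p):
    """Probability of a fault-tree node, assuming independent basic events."""
    if isinstance(node, str):
        return p[node]                       # basic event
    gate, *children = node
    probs = [evaluate(child, p) for child in children]
    if gate == "AND":
        return prod(probs)
    if gate == "OR":
        return 1 - prod(1 - q for q in probs)
    raise ValueError(f"unknown gate: {gate!r}")

# Hypothetical top event: months-long outage after loss of a large power transformer.
TREE = ("AND",
        ("OR", "equipment_failure",
               ("AND", "attack_attempted", "attack_not_stopped_in_time")),
        "no_backup_substation",
        "no_spare_in_time")

# Constructed annual probabilities (illustrative only, not from the talk).
BASELINE = {
    "equipment_failure": 0.01,
    "attack_attempted": 0.02,
    "attack_not_stopped_in_time": 0.90,      # unstaffed site, no early detection
    "no_backup_substation": 0.50,
    "no_spare_in_time": 0.95,                # long transformer lead time
}

# Each measure overrides one basic event with an assumed improved value.
MEASURES = {
    "DBT: detection and delay": {"attack_not_stopped_in_time": 0.20},
    "DiD: backup substation": {"no_backup_substation": 0.10},
    "DiD: faster transformer supply": {"no_spare_in_time": 0.30},
}

def assess(tree, baseline, measures):
    """Top-event probability for baseline, each measure alone, and all combined."""
    results = {"baseline": evaluate(tree, baseline)}
    combined = dict(baseline)
    for name, override in measures.items():
        results[name] = evaluate(tree, {**baseline, **override})
        combined.update(override)
    results["all measures"] = evaluate(tree, combined)
    return results

if __name__ == "__main__":
    for name, prob in assess(TREE, BASELINE, MEASURES).items():
        print(f"{name:32s} {prob:.6f}")
```

With these constructed numbers no single measure gets below about 0.0026, while the combination reaches about 0.0004, because the AND gate at the top multiplies the gains from delay and from redundancy.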
17. Now …
It’s time for questions and discussion!!!