Sandia: Critical Infrastructure

Energy and Critical Infrastructures
(Notes from UFTO visit to Sandia 12/97.)

Sam Varnado, Director
Energy and Critical Infrastructure Technology Center

Sandia is at the forefront of the big wave of attention currently being paid to “critical infrastructure surety” as it impacts national security. (Surety means “assurance”, and encompasses safety, integrity, authenticity, security, reliability, and technology.) Coming at the issue from a long background in systems analysis in the nuclear energy and weapons programs, they’ve emerged as a major player. Their experience in probabilistic risk assessment (PRA) is seen as directly translatable to infrastructure systems analysis. Since it is impractical to define threats, the approach is “consequence based”, as a means to determine why and where protections are required. It begins by identifying consequences that must be avoided, and then finds the system failure modes that could lead to them.

Sandia supported the President’s Commission on Critical Infrastructure Protection (PCCIP), which has an extensive website featuring the complete text of their major report issued in October 1997. An Interim Group is continuing the Commission’s work. Also, the National Security Council is heading another interagency group that is drafting a Presidential Decision Directive to assign responsibility for the different infrastructures to the different agencies (due to be released soon).

The PCCIP report identifies the electric power grid as one of the most critical infrastructure sectors, notably in terms of the high degree of interdependence and interconnectedness of power with all the other sectors: telecommunications, finance and banking, oil and gas distribution, transportation, and vital human services (e.g. banking depends on information systems which depend on power). The power grid is very susceptible to physical and cyber threats, the latter especially in light of the increasing role of computers in the hardware, markets and financial dealings of the industry.

There is also a high degree of concern over the uncertain implications of utility industry restructuring. The transition from regulated rate based monopolies to competitive energy markets will most certainly impact reliability of service and vulnerability to disruption. Existing reliability models are not capable of accurately reflecting the issues that will arise.

Safety and Reliability of Nuclear Systems

Nestor Ortiz, Director, Nuclear Energy Technology Center

For the DOE Nuclear Energy Program, there is research in Plant Lifetime Improvement, Aging of Reactor Components, and Instrumentation and Control Upgrade.

Sandia developed and maintains several noteworthy PRA codes. To mention some of them:
– MELCOR is used internationally and by the NRC. Modeling fully integrated engineering systems, it simulates the progression of an accident through to its consequences. (U.S. utilities use MAP.)
– CONTAIN is a research and design certification tool for containment systems.
– RADTRAD performs design basis dose calculations for NUREG 1475. Revised baselines may eliminate the need for some equipment and maintenance procedures.

Loss of Off Site Power (LOSP)
Of particular note, Loss of Off Site Power (LOSP) studies have led to major concerns over the potential impact of restructuring. In the PRA safety analysis of a nuclear power plant, the probability of loss of offsite power (i.e. power supplied from the grid) is a very important factor. Plant safety systems are stressed by LOSP events, contributing over time to increased probabilities of malfunctions (e.g. resulting in higher probabilities of a loss of coolant accident).
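As an added illustration of the consequence-based approach and of LOSP as a PRA input (example code written for these notes, not Sandia's MELCOR or any other Sandia tool; the tree, event names and probabilities are constructed): the consequence to avoid is the top event, the minimal cut sets are the failure combinations that reach it, and raising the LOSP probability alone shows how grid reliability feeds plant risk.

```python
# Added example (not Sandia's code): consequence-based fault-tree analysis.
# The top event is the consequence to avoid; gates record how basic failures
# combine to cause it. A node is an event name or (gate, child, ...).
# Structure and probabilities are constructed for illustration, not plant data.
from itertools import product

SAFETY_POWER_LOST = ("OR",
    ("AND", "LOSP", "EDG_A_FAILS", "EDG_B_FAILS"),  # station blackout
    ("AND", "LOSP", "EDG_COMMON_CAUSE"),            # both diesels lost to one cause
    "SWITCHGEAR_FAULT")                              # on-site bus failure

PROBS = {"LOSP": 0.05, "EDG_A_FAILS": 0.02, "EDG_B_FAILS": 0.02,
         "EDG_COMMON_CAUSE": 0.002, "SWITCHGEAR_FAULT": 0.0005}

def occurs(node, failed):
    # True if the event at `node` happens given the set of failed basic events.
    if isinstance(node, str):
        return node in failed
    gate, *children = node
    outcomes = [occurs(c, failed) for c in children]
    return all(outcomes) if gate == "AND" else any(outcomes)

def minimal_cut_sets(node):
    # Smallest combinations of basic failures that cause the event at `node`.
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        sets = set().union(*child_sets)
    else:  # AND: one cut set from each child, merged
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in sets if not any(t < s for t in sets)}  # drop supersets

def top_probability(node, probs):
    # Exact P(top event) by enumerating every state of the basic events.
    names = sorted(probs)
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        failed = {n for n, f in zip(names, state) if f}
        if occurs(node, failed):
            p = 1.0
            for n, f in zip(names, state):
                p *= probs[n] if f else 1.0 - probs[n]
            total += p
    return total

def losp_sensitivity(node, probs, new_losp):
    # Factor by which the consequence probability rises when only P(LOSP) changes.
    return top_probability(node, {**probs, "LOSP": new_losp}) / top_probability(node, probs)
```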

While grid reliability has generally been excellent (

At the same time, Sandia has extensive experience and has developed a Generic Network Reliability Analysis Toolset, which is extremely effective for the analysis of telecom networks. However, preliminary efforts to investigate the applicability of this model indicate that it is not immediately extensible to networks with the directionality and capacity constraints inherent in bulk power grids.
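An added example (not Sandia's Generic Network Reliability Analysis Toolset, whose internals the notes do not describe) of why a connectivity-based model does not carry over to a grid: the same enumeration of link-failure states is scored once as undirected connectivity and once as directed, capacity-limited delivery to a load. Node names, capacities, link availability and the demand are constructed.

```python
# Added example (not Sandia's code): link-failure states scored as undirected
# connectivity (telecom view) vs. directed, capacity-limited delivery (grid
# view). Grid layout, link availability and demand are constructed values.
from collections import defaultdict, deque
from itertools import product

GRID = [("GEN", "A", 100), ("GEN", "B", 60), ("A", "LOAD", 60),  # (from, to, MW)
        ("B", "LOAD", 60), ("A", "B", 40)]
P_UP = 0.9  # each link is independently up with this probability

def max_flow(links, src, dst):
    # Edmonds-Karp max flow over the directed links that are up.
    cap = defaultdict(lambda: defaultdict(int))
    for u, v, c in links:
        cap[u][v] += c
    total = 0
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:  # BFS for an augmenting path
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return total
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= push
            cap[v][u] += push
        total += push

def reliability(grid, p_up, survives):
    # P(survives(up_links)) summed over every combination of link states.
    prob = 0.0
    for state in product((False, True), repeat=len(grid)):
        up = [link for link, ok in zip(grid, state) if ok]
        if survives(up):
            prob += p_up ** sum(state) * (1 - p_up) ** (len(grid) - sum(state))
    return prob
def connectivity_reliability(grid=GRID, p_up=P_UP):
    # Telecom view: every link usable both ways, any path at all counts.
    both_ways = lambda up: up + [(v, u, c) for u, v, c in up]
    return reliability(grid, p_up, lambda up: max_flow(both_ways(up), "GEN", "LOAD") > 0)
def delivery_reliability(demand_mw, grid=GRID, p_up=P_UP):
    return reliability(grid, p_up, lambda up: max_flow(up, "GEN", "LOAD") >= demand_mw)
```

With this grid the load is "connected" in about 97.8% of link states but actually served at 100 MW in only about 72.2%, because the tie line only carries flow from A to B and each feeder into the load is limited to 60 MW.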

Contact Dennis Berry, 505-844-0234

Electricity Interdependencies – Estimating Economic Risks

Sandia has surveyed existing economic risk models to see if they can be usefully applied to estimate impacts of electric power disruptions.
– Lifeline LLEQE — effects of earthquake, for insurance
– FEMA – consequence assessment tool
– Electric Sector — 44 different models
– NDAC – telecom

They chose ENERGY 2020, the most recent incarnation of the Dartmouth (“Club of Rome” and FOSSIL 89) system dynamics modeling approach, which has been used by EPA to analyze the effects of greenhouse gases on the electric system. It is “agent-based” and adaptable, and is available for free.

It feeds into REMI, a commercial (expensive!) dynamic regional macro-economic model. In preliminary runs with the Texas grid study results, it showed clearly that regions could experience permanent loss of jobs and increased costs. Future work will include use of Sandia’s own ASPEN model, an agent-based simulation of the US economy.

Contact Diane Marozas, 505-844-5504

Impacts of Storage on National Grid Reliability

Storage on the power grid can be seen in several different lights: 1. as a source of peak supply; 2. as a load and demand-side management option; and 3. as a means to render renewable generation more reliable from a systems operation perspective. Sandia has just completed an initial scoping study relating to the 3rd option, to develop recommendations for how modeling methodologies need to be enhanced in order to address the question. In particular, the NEMS model could be used for such analyses with some modifications. (NEMS is DOE/EIA’s general equilibrium model of the national energy system. Its Electricity Market Module doesn’t currently have the capability to model storage on the national grid.)

“Modeling of Battery Energy Storage in the National Energy Modeling System”,
SAND97-2926, Dec 1997

Contact Paul Butler, 505-844-7874

Vital Issues Panel

Sandia uses its own “Vital Issues Panel” methodology to identify strategic issues in areas of national importance, particularly where there is a potential for Sandia to make contributions from its technological capabilities. Topics have included Global Climate and Environmental Security (i.e. the environment as a national security issue, e.g. effluents used aggressively, destabilization potential in Eastern Europe, terrorist targets, etc.). Infrastructure has been examined in two case studies: Critical Issues and Vulnerabilities in the Electric Sector, and separately, Vulnerabilities of the North American Power Grid.

Critical Issues and Vulnerabilities in the Electric Sector

To study vulnerabilities associated with the Electric Sector, Sandia convened a panel of experts representing the electric utility sector (April 1997). The group identified critical issues and discussed how technology can help address those issues. They determined the top eight most critical issues arising from industry restructuring. In priority order, they are:

– Management and ownership of data streams
– The importance of consumer choice
– Competitive market pricing systems that will determine the mix of options
– Environmental issues
– State/federal role in collaborative and strategic research
– Integration of the national electric grid
– Incentives for keeping distribution systems up to date
– Accelerated retirement of a significant amount of generating capacity.

The panel also discussed the past, present and future of utility R&D, and ranked federal and private R&D spending priorities:
– Federal: Integration of the national grid and environmental issues
– Private: Importance of consumer choice, management and ownership of data streams, and environmental issues.

A concern remains whether the utility participants were sufficiently representative of the industry, and whether they – or the industry – appropriately estimate the importance of broader security issues, as compared with individual business concerns (e.g. with data ownership and dividing of system responsibilities). The Sandia team is anxious to have greater involvement from the industry in these efforts.

The discussions are summarized in the report: SAND97-1659, August 1997
Contact Arnie Baker, 505-284-4462

North American Power Grid (NAPG)

In April and June 1997, panels attended by stakeholders from government, industry and academe discussed vulnerabilities associated with the NAPG. The first panel was tasked to develop a mission statement and to define criteria by which risks and threats could be identified and prioritized. The second panel identified and defined categories of risk to the NAPG and assessed their relative importance, based on the groundwork laid by the first group.

The overall results:

– Criteria: Likelihood, Consequence, Timeframe, Cost/Benefit

– Risks, in rank order of importance:
– Unrecognized risks embedded in new technologies and operating structures
– “Tragedy of the Commons” *
– Physical threats and non-natural disaster
– Shorter time horizons driven by cost reduction
– Reliability and liability implications of reregulation
– Cyber threats

* “Tragedy of the Commons” (a term coined by Garrett Hardin in his classic 1968 article in Science magazine) is the idea that no single actor has enough concern for the whole system, but each has the ability and self-interest to overtax available resources. In the context of the power grid, obligation to serve and cooperation are being replaced by competition and opportunism.

A partial outline of the results is available at:
It hasn’t been decided yet whether the report will be released outside Sandia, in view of proprietary information it contains.

Center for System Reliability

Contact Robert Cranwell, 505-844-8368

Sandia technologies and expertise:
Modeling, simulation, optimization, maintenance strategies, network reliability/vulnerability, risk management, sensitivity/uncertainty analyses, human factors/human reliability, life-cycle cost analysis, software reliability, probabilistic risk assessment.

Applied to:
Power Generation, telecommunications, transportation, health care, equipment

Sandia has done analyses for many large corporations, e.g., design for reliability; predict and optimize impact of upgrades; optimization of spares inventory, etc.

Reliability Analysis Software Packages
Reliability enters into every phase of a product life cycle, from concept to design to production and operation to phase-out. Sandia has developed computer models to support the entire reliability engineering cycle.

WinR – Over 100 copies sold, available on a commercial basis from Sandia (they’re looking for a vendor). PC-based reliability modeling and analysis; provides a “dashboard” showing the status of system components and performance.

Arramis – PRA for larger systems

WinR-PdM — Predictive Maintenance — combines real-time sensor data with WinR for a dynamic view of component aging and overall system reliability. Demonstrated at Allied Signal on a flexible manufacturing system.

CRAX — The CassandRA eXoskeleton (CRAX) is a new reliability analysis tool that is being developed at Sandia National Laboratories to support the Materials Aging and Reliability Program (another key capability at Sandia is the detailed understanding of the physics of aging phenomena – fatigue, fracture, corrosion, etc. – which have myriad and complex implications for systems reliability).

There are three major elements to CRAX:

Analysis Engine (Cassandra)
User Interface (Tcl/Tk GUI)
Physical Model (User Supplied)

The Cassandra uncertainty analysis engine consists of a number of software routines which permit the user to select from a variety of methods for including uncertainty in their analyses. Cassandra is CORBA-compliant and platform-independent, permitting easy interfacing with many of the new engineering design and analysis software packages. Existing uncertainty analysis techniques include a variety of Monte Carlo and analytically based approaches. The specific methods are constantly being updated and improved.

In addition to the CORBA interface structure, access to the Cassandra uncertainty analysis engine is also available via a Tcl/Tk graphical user interface. There is also an effort to permit this interface to be accessed through a WWW browser. This will greatly aid access to the analysis software within the user community.

The final element of CRAX is the physical model. A major decision early in the development of CRAX was the decision to not include any physical modeling tools. Rather than develop a new modeling tool (e.g. finite element model or fault tree tool) it was decided to let the engineer rely on the existing tools that they were comfortable with and had confidence in. While not the ideal situation in terms of analysis speed, it was felt that for the engineers to become comfortable with incorporating uncertainty into their deterministic models, we did not want to stretch their belief system too far. Hence the reliance on existing, deterministic analysis tools and the reference to CRAX as an exoskeleton. Within CRAX is the capability to either recompile the existing software into the tool, thereby significantly increasing computational efficiency, or rely on ‘hand-shaking’ between the CRAX program and the existing software. The Tcl/Tk GUI handles either of these situations very easily.
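An added example of the exoskeleton idea (code written for these notes, not Cassandra or CRAX): the deterministic model stays an ordinary function the engineer already trusts, and a wrapper propagates input uncertainty through it by Monte Carlo sampling and by a first-order second-moment (FOSM) approximation, one analytic method of the kind the notes mention. The tie-rod model and its input distributions are constructed for illustration.

```python
# Added example (not Sandia's Cassandra/CRAX code): the exoskeleton idea.
# The deterministic model below stays an ordinary function; the wrappers add
# input uncertainty by Monte Carlo sampling and by a first-order second-moment
# (FOSM) analytic approximation. Model and distributions are constructed.
import math
import random

def tie_rod_margin(load_kn, yield_mpa, area_mm2):
    # Deterministic physical model (the "user supplied" part): strength minus
    # stress in MPa. Positive margin means the rod holds; <= 0 means failure.
    return yield_mpa - 1000.0 * load_kn / area_mm2

# Uncertain inputs as (mean, std dev) of independent normal variables.
INPUTS = {"load_kn": (50.0, 10.0), "yield_mpa": (300.0, 30.0), "area_mm2": (250.0, 10.0)}

def phi(z):
    # Standard normal CDF via the error function.
    return 0.5 * math.erfc(-z / math.sqrt(2.0))

def monte_carlo_pf(model, inputs, n=40000, seed=1):
    # Sample every input, run the untouched model, and count failures.
    rng = random.Random(seed)
    failures = 0
    for _ in range(n):
        sample = {k: rng.gauss(mu, sd) for k, (mu, sd) in inputs.items()}
        if model(**sample) <= 0.0:
            failures += 1
    return failures / n

def fosm_pf(model, inputs, rel_step=1e-4):
    # Linearise the model at the input means by finite differences; then
    # beta = mean/std of the margin and P_f = Phi(-beta). Exact for linear
    # models, an approximation otherwise (compare with the Monte Carlo result).
    means = {k: mu for k, (mu, _) in inputs.items()}
    g0 = model(**means)
    var = 0.0
    for k, (mu, sd) in inputs.items():
        h = rel_step * (abs(mu) if mu else 1.0)
        slope = (model(**dict(means, **{k: mu + h})) - g0) / h
        var += (slope * sd) ** 2
    beta = g0 / math.sqrt(var)
    return phi(-beta), beta
```

For this model FOSM gives a reliability index of about 1.97 (failure probability about 2.4%), while the Monte Carlo estimate runs slightly higher because the stress term is nonlinear in the area; the gap is exactly what a user would check before trusting the faster analytic method.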

David G. Robinson, 505-844-5883

Strategic Surety & Risk Management

Contact Laura Gilliom, 505-844-9104


(The following discussion is extremely sketchy – intended only to identify some of these subject areas and to highlight Sandia’s involvement and expertise.)

This program addresses itself to the state of the art of “surety”, bringing together many of Sandia’s core capabilities. Its overarching goal is to bring risk and reliability analysis from its current statistical foundations to become a predictive capability. “Consequences” are the starting point, as mentioned earlier, and “interdependencies” are a major theme. The work proceeds by combining what is done at the level of engineering design codes with analyses of scenarios for risk.

Risk Management is broadly defined as a management tool that encompasses these different but closely related activities:
1. Identification of hazards associated with a technical system
2. Determination of the risks (consequences and likelihoods) of those hazards.
3. Reduction of risks to acceptable levels through appropriate design and control measures.
4. Thorough documentation of the above 3 activities.
5. Continuing reevaluation to improve the system or solution.

At Sandia, several hundred professional staff apply these activities in 8 major areas:
– Environment and environmental restoration
– Information systems
– Nuclear Reactors
– Physical Security
– Production and Manufacturing
– Transportation
– Waste Management
– Weapons

To realize benefits of overlapping interests, these staff participate in an internal organization of risk professionals at Sandia, called Sandia’s International Institute for Systematic Risk Studies (SIIRS, or “scissors”).

– High Integrity Software
Abstract Synthesis Transformation — make short pieces of code that are “provably correct.”
Software Event Execution Reliability (SEER) involves a math overlay to be sure that sequences occur correctly.

– Information Assurance – Cryptography
Most methods of cryptography involve the use of a key and function. Sandia has developed a new approach to split the function, so no one person can have everything.
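The notes do not describe Sandia's split-function scheme. As an added illustration of the same goal (no single person holds everything), here is Shamir's threshold secret sharing over a prime field, a different, standard technique and not Sandia's method; the prime, secret and threshold values are constructed for this example.

```python
# Added example, not Sandia's split-function scheme (which the notes do not
# describe): Shamir's threshold secret sharing, a standard technique that meets
# the same goal. Any k of the n shares rebuild the secret; fewer than k give
# no information about it. Prime and sample values are constructed here.
import secrets

PRIME = 2**127 - 1  # a Mersenne prime; all arithmetic is in this field

def split_secret(secret, k, n):
    # Hide the secret as the constant term of a random degree k-1 polynomial
    # and hand out its values at x = 1..n as the shares.
    assert 0 <= secret < PRIME and 1 < k <= n < PRIME
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    def poly(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME
    return [(x, poly(x)) for x in range(1, n + 1)]

def recover_secret(shares):
    # Lagrange interpolation at x = 0 over the field; needs k distinct shares.
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total
```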

Sandia is the only DOE lab allowed to do R&D on cryptography, primarily for use and control of nuclear weapons. They have a major crypto library which is widely licensed.

– Devices – safe and secure. New research aims to give confidence in the behavior of a system when a “chip makes a decision”.

– Authentication Center of Excellence (ACE) for banking, devices and software: physical tokens of authenticity; smart cards and highly secure smart card readers – systems for the Defense Department. (Think about SCADA systems and how susceptible they are to outside interference and control!)

– Information Warfare assessments – information and physical security. Imagine the havoc of an all-out cyber war, i.e. an attack from an enemy country or syndicate, not just hackers.

– Auctions – imagine a new player who wants to disrupt it: gray areas between gaming the system and dishonesty. Not just an issue of terrorists, but of businesses vulnerable to other players. How can bids/contracts be authenticated, and when and how can they be disowned or repudiated?
