Internet DRAFT - draft-wetterwald-detnet-utilities-reqs
draft-wetterwald-detnet-utilities-reqs
detnet P. Wetterwald
Internet-Draft Cisco
Intended status: Informational J. Raymond
Expires: January 1, 2016 Hydro-Quebec
June 30, 2015
Deterministic Networking Uitilities requirements
draft-wetterwald-detnet-utilities-reqs-02
Abstract
This paper documents the needs in Smart Grid industry to establish
multi-hop paths for characterized flows with deterministic
properties.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 1, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Wetterwald & Raymond Expires January 1, 2016 [Page 1]
Internet-DraDeterministic Networking Uitilities requirements June 2015
1. Introduction
[I-D.finn-detnet-problem-statement] defines the characteristics of a
deterministic flow as a data communication flow with a bounded
latency, extraordinarily low frame loss, and a very narrow jitter.
This document intends to define the utility requirements for
deterministic networking.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
3. Overview
Utility Telecom Networks
The business and technology trends that are sweeping the utility
industry will drastically transform the utility business from the way
it has been for many decades. At the core of many of these changes
is a drive to modernize the electrical grid with an integrated
telecommunications infrastructure. However, interoperability,
concerns, legacy networks, disparate tools, and stringent security
requirements all add complexity to the grid transformation. Given
the range and diversity of the requirements that should be addressed
by the next generation telecommunications infrastructure, utilities
need to adopt a holistic architectural approach to integrate the
electrical grid with digital telecommunications across the entire
power delivery chain.
Many utilities still rely on complex environments formed of multiple
application-specific, proprietary networks. Information is siloed
between operational areas. This prevents utility operations from
realizing the operational efficiency benefits, visibility, and
functional integration of operational information across grid
applications and data networks. The key to modernizing grid
telecommunications is to provide a common, adaptable, multi-service
network infrastructure for the entire utility organization. Such a
network serves as the platform for current capabilities while
enabling future expansion of the network to accommodate new
applications and services.
To meet this diverse set of requirements, both today and in the
future, the next generation utility telecommunnications network will
be based on open-standards-based IP architecture. An end-to-end IP
architecture takes advantage of nearly three decades of IP technology
development, facilitating interoperability across disparate networks
Wetterwald & Raymond Expires January 1, 2016 [Page 2]
Internet-DraDeterministic Networking Uitilities requirements June 2015
and devices, as it has been already demonstrated in many mission-
critical and highly secure networks.
IEC (International Electrotechnical Commission) and different
National Committees have mandated a specific adhoc group (AHG8) to
define the migration strategy to IPv6 for all the IEC TC57 power
automation standards. IPv6 is seen as the obvious future
telecommunications technology for the Smart Grid. The Adhoc Group
has disclosed, to the IEC coordination group, their conclusions at
the end of 2014.
It is imperative that utilities participate in standards development
bodies to influence the development of future solutions and to
benefit from shared experiences of other utilities and vendors.
4. Telecommunications Trends and General telecommunications
Requirements
These general telecommunications requirements are over and above the
specific requirements of the use cases that have been addressed so
far. These include both current and future telecommunications
related requirements that should be factored into the network
architecture and design.
4.1. General Telecommunications Requirements
o IP Connectivity everywhere
o Monitoring services everywhere and from different remote centers
o Move services to a virtual data center
o Unify access to applications / information from the corporate
network
o Unify services
o Unified Communications Solutions
o Mix of fiber and microwave technologies - obsolescence of SONET/
SDH or TDM
o Standardize grid telecommunications protocol to opened standard to
ensure interoperability
o Reliable Telecommunications for Transmission and Distribution
Substations
Wetterwald & Raymond Expires January 1, 2016 [Page 3]
Internet-DraDeterministic Networking Uitilities requirements June 2015
o IEEE 1588 time synchronization Client / Server Capabilities
o Integration of Multicast Design
o QoS Requirements Mapping
o Enable Future Network Expansion
o Substation Network Resilience
o Fast Convergence Design
o Scalable Headend Design
o Define Service Level Agreements (SLA) and Enable SLA Monitoring
o Integration of 3G/4G Technologies and future technologies
o Ethernet Connectivity for Station Bus Architecture
o Ethernet Connectivity for Process Bus Architecture
o Protection, teleprotection and PMU (Phaser Measurement Unit) on IP
4.1.1. Migration to Packet-Switched Network
Throughout the world, utilities are increasingly planning for a
future based on smart grid applications requiring advanced
telecommunications systems. Many of these applications utilize
packet connectivity for communicating information and control signals
across the utility's Wide Area Network (WAN), made possible by
technologies such as multiprotocol label switching (MPLS). The data
that traverses the utility WAN includes:
o Grid monitoring, control, and protection data
o Non-control grid data (e.g. asset data for condition-based
monitoring)
o Physical safety and security data (e.g. voice and video)
o Remote worker access to corporate applications (voice, maps,
schematics, etc.)
o Field area network backhaul for smart metering, and distribution
grid management
Wetterwald & Raymond Expires January 1, 2016 [Page 4]
Internet-DraDeterministic Networking Uitilities requirements June 2015
o Enterprise traffic (email, collaboration tools, business
applications)
WANs support this wide variety of traffic to and from substations,
the transmission and distribution grid, generation sites, between
control centers, and between work locations and data centers. To
maintain this rapidly expanding set of applications, many utilities
are taking steps to evolve present time-division multiplexing (TDM)
based and frame relay infrastructures to packet systems. Packet-
based networks are designed to provide greater functionalities and
higher levels of service for applications, while continuing to
deliver reliability and deterministic (real-time) traffic support.
4.2. Applications, Use cases and traffic patterns
Among the numerous applications and use cases that a utility deploys
today, many rely on high availability and deterministic behaviour of
the telecommunications networks. Protection use cases and generation
control are the most demanding and can't rely on a best effort
approach.
4.2.1. Transmission use cases
Protection means not only the protection of the human operator but
also the protection of the electric equipments and the preservation
of the stability and frequency of the grid. If a default occurs on
the transmission or the distribution of the electricity, important
damages could occured to the human operator but also to very costly
electrical equipments and perturb the grid leading to blackouts. The
time and reliability requirements are very strong to avoid dramatic
impacts to the electrical infrastructure.
4.2.1.1. Tele Protection
The key criteria for measuring Teleprotection performance are command
transmission time, dependability and security. These criteria are
defined by the IEC standard 60834 as follows:
o Transmission time (Speed): The time between the moment where state
changes at the transmitter input and the moment of the
corresponding change at the receiver output, including propagation
delay. Overall operating time for a Teleprotection system
includes the time for initiating the command at the transmitting
end, the propagation delay over the network (including equipments)
and the selection and decision time at the receiving end,
including any additional delay due to a noisy environment.
Wetterwald & Raymond Expires January 1, 2016 [Page 5]
Internet-DraDeterministic Networking Uitilities requirements June 2015
o Dependability: The ability to issue and receive valid commands in
the presence of interference and/or noise, by minimizing the
probability of missing command (PMC). Dependability targets are
typically set for a specific bit error rate (BER) level.
o Security: The ability to prevent false tripping due to a noisy
environment, by minimizing the probability of unwanted commands
(PUC). Security targets are also set for a specific bit error
rate (BER) level.
Additional key elements that may impact Teleprotection performance
include bandwidth rate of the Teleprotection system and its
resiliency or failure recovery capacity. Transmission time,
bandwidth utilization and resiliency are directly linked to the
telecommunications equipments and the connections that are used to
transfer the commands between relays.
4.2.1.1.1. Latency Budget Consideration
Delay requirements for utility networks may vary depending upon a
number of parameters, such as the specific protection equipments
used. Most power line equipment can tolerate short circuits or
faults for up to approximately five power cycles before sustaining
irreversible damage or affecting other segments in the network. This
translates to total fault clearance time of 100ms. As a safety
precaution, however, actual operation time of protection systems is
limited to 70- 80 percent of this period, including fault recognition
time, command transmission time and line breaker switching time.
Some system components, such as large electromechanical switches,
require particularly long time to operate and take up the majority of
the total clearance time, leaving only a 10ms window for the
telecommunications part of the protection scheme, independent of the
distance to travel. Given the sensitivity of the issue, new networks
impose requirements that are even more stringent: IEC standard 61850
limits the transfer time for protection messages to 1/4 - 1/2 cycle
or 4 - 8ms (for 60Hz lines) for the most critical messages.
4.2.1.1.2. Asymetric delay
In addition to minimal transmission delay, a differential protection
telecommunications channel must be synchronous, i.e., experiencing
symmetrical channel delay in transmit and receive paths. This
requires special attention in jitter-prone packet networks. While
optimally Teleprotection systems should support zero asymmetric
delay, typical legacy relays can tolerate discrepancies of up to
750us.
Wetterwald & Raymond Expires January 1, 2016 [Page 6]
Internet-DraDeterministic Networking Uitilities requirements June 2015
The main tools available for lowering delay variation below this
threshold are:
o A jitter buffer at the multiplexers on each end of the line can be
used to offset delay variation by queuing sent and received
packets. The length of the queues must balance the need to
regulate the rate of transmission with the need to limit overall
delay, as larger buffers result in increased latency. This is the
old TDM traditional way to fulfill this requirement.
o Traffic management tools ensure that the Teleprotection signals
receive the highest transmission priority and minimize the number
of jitter addition during the path. This is one way to meet the
requirement in IP networks.
o Standard Packet-Based synchronization technologies, such as
1588-2008 Precision Time Protocol (PTP) and Synchronous Ethernet
(Sync-E), can help maintain stable networks by keeping a highly
accurate clock source on the different network devices involved.
4.2.1.1.2.1. Other traffic characteristics
o Redundancy: The existence in a system of more than one means of
accomplishing a given function.
o Recovery time : The duration of time within which a business
process must be restored after any type of disruption in order to
avoid unacceptable consequences associated with a break in
business continuity.
o performance management : In networking, a management function
defined for controlling and analyzing different parameters/metrics
such as the throughput, error rate.
o packet loss : One or more packets of data travelling across
network fail to reach their destination.
4.2.1.1.2.2. Teleprotection network requirements
The following table captures the main network requirements (this is
based on IEC 61850 standard)
Wetterwald & Raymond Expires January 1, 2016 [Page 7]
Internet-DraDeterministic Networking Uitilities requirements June 2015
+-----------------------------+-------------------------------------+
| Teleprotection Requirement | Attribute |
+-----------------------------+-------------------------------------+
| One way maximum delay | 4-10 ms |
| | |
| Asymetric delay required | Yes |
| | |
| Maximum jitter | less than 250 us (750 us for legacy |
| | IED) |
| | |
| Topology | Point to point, point to Multi- |
| | point |
| | |
| Availability | 99.9999 |
| | |
| precise timing required | Yes |
| | |
| Recovery time on node | less than 50ms - hitless |
| failure | |
| | |
| performance management | Yes, Mandatory |
| | |
| Redundancy | Yes |
| | |
| Packet loss | 0.1% to 1% |
+-----------------------------+-------------------------------------+
Table 1: Teleprotection network requirements
4.2.1.2. Inter-Trip Protection scheme
Inter-tripping is the controlled tripping of a circuit breaker to
complete the isolation of a circuit or piece of apparatus in concert
with the tripping of other circuit breakers. The main use of such
schemes is to ensure that protection at both ends of a faulted
circuit will operate to isolate the equipment concerned. Inter-
tripping schemes use signaling to convey a trip command to remote
circuit breakers to isolate circuits.
Wetterwald & Raymond Expires January 1, 2016 [Page 8]
Internet-DraDeterministic Networking Uitilities requirements June 2015
+--------------------------------+----------------------------------+
| Inter-Trip protection | Attribute |
| Requirement | |
+--------------------------------+----------------------------------+
| One way maximum delay | 5 ms |
| | |
| Asymetric delay required | No |
| | |
| Maximum jitter | Not critical |
| | |
| Topology | Point to point, point to Multi- |
| | point |
| | |
| Bandwidth | 64 Kbps |
| | |
| Availability | 99.9999 |
| | |
| precise timing required | Yes |
| | |
| Recovery time on node failure | less than 50ms - hitless |
| | |
| performance management | Yes, Mandatory |
| | |
| Redundancy | Yes |
| | |
| Packet loss | 0.1% |
+--------------------------------+----------------------------------+
Table 2: Inter-Trip protection network requirements
4.2.1.3. Current Differential Protection Scheme
Current differential protection is commonly used for line protection,
and is typical for protecting parallel circuits. A main advantage
for differential protection is that, compared to overcurrent
protection, it allows only the faulted circuit to be de-energized in
case of a fault. At both end of the lines, the current is measured
by the differential relays, and based on Kirchhoff's law, both relays
will trip the circuit breaker if the current going into the line does
not equal the current going out of the line. This type of protection
scheme assumes some form of communications being present between the
relays at both end of the line, to allow both relays to compare
measured current values. A fault in line 1 will cause overcurrent to
be flowing in both lines, but because the current in line 2 is a
through following current, this current is measured equal at both
ends of the line, therefore the differential relays on line 2 will
not trip line 2. Line 1 will be tripped, as the relays will not
measure the same currents at both ends of the line. Line
Wetterwald & Raymond Expires January 1, 2016 [Page 9]
Internet-DraDeterministic Networking Uitilities requirements June 2015
differential protection schemes assume a very low telecommunications
delay between both relays, often as low as 5ms. Moreover, as those
systems are often not time-synchronized, they also assume symmetric
telecommunications paths with constant delay, which allows comparing
current measurement values taken at the exact same time.
+----------------------------------+--------------------------------+
| Current Differential protection | Attribute |
| Requirement | |
+----------------------------------+--------------------------------+
| One way maximum delay | 5 ms |
| | |
| Asymetric delay Required | Yes |
| | |
| Maximum jitter | less than 250 us (750us for |
| | legacy IED) |
| | |
| Topology | Point to point, point to |
| | Multi-point |
| | |
| Bandwidth | 64 Kbps |
| | |
| Availability | 99.9999 |
| | |
| precise timing required | Yes |
| | |
| Recovery time on node failure | less than 50ms - hitless |
| | |
| performance management | Yes, Mandatory |
| | |
| Redundancy | Yes |
| | |
| Packet loss | 0.1% |
+----------------------------------+--------------------------------+
Table 3: Current Differential Protection requirements
4.2.1.4. Distance Protection Scheme
Distance (Impedance Relay) protection scheme is based on voltage and
current measurements. A fault on a circuit will generally create a
sag in the voltage level. If the ratio of voltage to current
measured at the protection relay terminals, which equates to an
impedance element, falls within a set threshold the circuit breaker
will operate. The operating characteristics of this protection are
based on the line characteristics. This means that when a fault
appears on the line, the impedance setting in the relay is compared
to the apparent impedance of the line from the relay terminals to the
Wetterwald & Raymond Expires January 1, 2016 [Page 10]
Internet-DraDeterministic Networking Uitilities requirements June 2015
fault. If the relay setting is determined to be below the apparent
impedance it is determined that the fault is within the zone of
protection. When the transmission line length is under a minimum
length, distance protection becomes more difficult to coordinate. In
these instances the best choice of protection is current differential
protection.
+-------------------------------+-----------------------------------+
| Distance protection | Attribute |
| Requirement | |
+-------------------------------+-----------------------------------+
| One way maximum delay | 5 ms |
| | |
| Asymetric delay Required | No |
| | |
| Maximum jitter | Not critical |
| | |
| Topology | Point to point, point to Multi- |
| | point |
| | |
| Bandwidth | 64 Kbps |
| | |
| Availability | 99.9999 |
| | |
| precise timing required | Yes |
| | |
| Recovery time on node failure | less than 50ms - hitless |
| | |
| performance management | Yes, Mandatory |
| | |
| Redundancy | Yes |
| | |
| Packet loss | 0.1% |
+-------------------------------+-----------------------------------+
Table 4: Distance Protection requirements
4.2.1.5. Inter-Substation Protection Signaling
This use case describes the exchange of Sampled Value and/or GOOSE
(Generic Object Oriented Substation Events) message between
Intelligent Electronic Devices (IED) in two substations for
protection and tripping coordination. The two IEDs are in a master-
slave mode.
The Current Transformer or Voltage Transformer (CT/VT) in one
substation sends the sampled analog voltage or current value to the
Merging Unit (MU) over hard wire. The merging unit sends the time-
Wetterwald & Raymond Expires January 1, 2016 [Page 11]
Internet-DraDeterministic Networking Uitilities requirements June 2015
synchronized 61850-9-2 sampled values to the slave IED. The slave
IED forwards the information to the Master IED in the other
substation. The master IED makes the determination (for example
based on sampled value differentials) to send a trip command to the
originating IED. Once the slave IED/Relay receives the GOOSE trip
for breaker tripping, it opens the breaker. It then sends a
confirmation message back to the master. All data exchanges between
IEDs are either through Sampled Value and/or GOOSE messages.
+----------------------------------+--------------------------------+
| Inter-Substation protection | Attribute |
| Requirement | |
+----------------------------------+--------------------------------+
| One way maximum delay | 5 ms |
| | |
| Asymetric delay Required | No |
| | |
| Maximum jitter | Not critical |
| | |
| Topology | Point to point, point to |
| | Multi-point |
| | |
| Bandwidth | 64 Kbps |
| | |
| Availability | 99.9999 |
| | |
| precise timing required | Yes |
| | |
| Recovery time on node failure | less than 50ms - hitless |
| | |
| performance management | Yes, Mandatory |
| | |
| Redundancy | Yes |
| | |
| Packet loss | 1% |
+----------------------------------+--------------------------------+
Table 5: Inter-Substation Protection requirements
4.2.1.6. Intra-Substation Process Bus Communications
This use case describes the data flow from the CT/VT to the IEDs in
the substation via the merging unit (MU). The CT/VT in the
substation send the sampled value (analog voltage or current) to the
Merging Unit (MU) over hard wire. The merging unit sends the time-
synchronized 61850-9-2 sampled values to the IEDs in the substation
in GOOSE message format. The GPS Master Clock can send 1PPS or
IRIG-B format to MU through serial port, or IEEE 1588 protocol via
Wetterwald & Raymond Expires January 1, 2016 [Page 12]
Internet-DraDeterministic Networking Uitilities requirements June 2015
network. Process bus communication using 61850 simplifies
connectivity within the substation and removes the requirement for
multiple serial connections and removes the slow serial bus
architectures that are typically used. This also ensures increased
flexibility and increased speed with the use of multicast messaging
between multiple devices.
+----------------------------------+--------------------------------+
| Intra-Substation protection | Attribute |
| Requirement | |
+----------------------------------+--------------------------------+
| One way maximum delay | 5 ms |
| | |
| Asymetric delay Required | No |
| | |
| Maximum jitter | Not critical |
| | |
| Topology | Point to point, point to |
| | Multi-point |
| | |
| Bandwidth | 64 Kbps |
| | |
| Availability | 99.9999 |
| | |
| precise timing required | Yes |
| | |
| Recovery time on Node failure | less than 50ms - hitless |
| | |
| performance management | Yes, Mandatory |
| | |
| Redundancy | Yes - No |
| | |
| Packet loss | 0.1% |
+----------------------------------+--------------------------------+
Table 6: Intra-Substation Protection requirements
4.2.1.7. Wide Area Monitoring and Control Systems
The application of synchrophasor measurement data from Phasor
Measurement Units (PMU) to Wide Area Monitoring and Control Systems
promises to provide important new capabilities for improving system
stability. Access to PMU data enables more timely situational
awareness over larger portions of the grid than what has been
possible historically with normal SCADA (Supervisory Control and Data
Acquisition) data. Handling the volume and real-time nature of
synchrophasor data presents unique challenges for existing
application architectures. Wide Area management System (WAMS) makes
Wetterwald & Raymond Expires January 1, 2016 [Page 13]
Internet-DraDeterministic Networking Uitilities requirements June 2015
it possible for the condition of the bulk power system to be observed
and understood in real-time so that protective, preventative, or
corrective action can be taken. Because of the very high sampling
rate of measurements and the strict requirement for time
synchronization of the samples, WAMS has stringent telecommunications
requirements in an IP network that are captured in the following
table:
+----------------------+--------------------------------------------+
| WAMS Requirement | Attribute |
+----------------------+--------------------------------------------+
| One way maximum | 50 ms |
| delay | |
| | |
| Asymetric delay | No |
| Required | |
| | |
| Maximum jitter | Not critical |
| | |
| Topology | Point to point, point to Multi-point, |
| | Multi-point to Multi-point |
| | |
| Bandwidth | 100 Kbps |
| | |
| Availability | 99.9999 |
| | |
| precise timing | Yes |
| required | |
| | |
| Recovery time on | less than 50ms - hitless |
| Node failure | |
| | |
| performance | Yes, Mandatory |
| management | |
| | |
| Redundancy | Yes |
| | |
| Packet loss | 1% |
+----------------------+--------------------------------------------+
Table 7: WAMS Special Communication Requirements
4.2.1.8. IEC 61850 WAN engineering guidelines requirement
classification
The IEC (International Electrotechnical Commission) has recently
published a Technical Report which offers guidelines on how to define
and deploy Wide Area Networks for the interconnections of electric
Wetterwald & Raymond Expires January 1, 2016 [Page 14]
Internet-DraDeterministic Networking Uitilities requirements June 2015
substations, generation plants and SCADA operation centers. The IEC
61850-90-12 is providing a classification of WAN communication
requirements into 4 classes. You will find herafter the table
summarizing these requirements:
+----------------+------------+------------+------------+-----------+
| WAN | Class WA | Class WB | Class WC | Class WD |
| Requirement | | | | |
+----------------+------------+------------+------------+-----------+
| Application | EHV (Extra | HV (High | MV (Medium | General |
| field | High | Voltage) | Voltage) | purpose |
| | Voltage) | | | |
| | | | | |
| Latency | 5 ms | 10 ms | 100 ms | > 100 ms |
| | | | | |
| Jitter | 10 us | 100 us | 1 ms | 10 ms |
| | | | | |
| Latency | 100 us | 1 ms | 10 ms | 100 ms |
| Asymetry | | | | |
| | | | | |
| Time Accuracy | 1 us | 10 us | 100 us | 10 to 100 |
| | | | | ms |
| | | | | |
| Bit Error rate | 10-7 to | 10-5 to | 10-3 | |
| | 10-6 | 10-4 | | |
| | | | | |
| Unavailability | 10-7 to | 10-5 to | 10-3 | |
| | 10-6 | 10-4 | | |
| | | | | |
| Recovery delay | Zero | 50 ms | 5 s | 50 s |
| | | | | |
| Cyber security | extremely | High | Medium | Medium |
| | high | | | |
+----------------+------------+------------+------------+-----------+
Table 8: 61850-90-12 Communication Requirements; Courtesy of IEC
4.2.2. Distribution use case
4.2.2.1. Fault Location Isolation and Service Restoration (FLISR)
As the name implies, Fault Location, Isolation, and Service
Restoration (FLISR) refers to the ability to automatically locate the
fault, isolate the fault, and restore service in the distribution
network. It is a self-healing feature whose purpose is to minimize
the impact of faults by serving portions of the loads on the affected
circuit by switching to other circuits. It reduces the number of
customers that experience a sustained power outage by reconfiguring
Wetterwald & Raymond Expires January 1, 2016 [Page 15]
Internet-DraDeterministic Networking Uitilities requirements June 2015
distribution circuits. This will likely be the first wide spread
application of distributed intelligence in the grid. Secondary
substations can be connected to multiple primary substations.
Normally, static power switch statuses (open/closed) in the network
dictate the power flow to secondary substations. Reconfiguring the
network in the event of a fault is typically done manually on site to
operate switchgear to energize/de-energize alternate paths.
Automating the operation of substation switchgear allows the utility
to have a more dynamic network where the flow of power can be altered
under fault conditions but also during times of peak load. It allows
the utility to shift peak loads around the network. Or, to be more
precise, alters the configuration of the network to move loads
between different primary substations. The FLISR capability can be
enabled in two modes:
o Managed centrally from DMS (Distribution Management System), or
o Executed locally through distributed control via intelligent
switches and fault sensors.
There are 3 distinct sub-functions that are performed:
1. Fault Location Identification
This sub-function is initiated by SCADA inputs, such as lockouts,
fault indications/location, and, also, by input from the Outage
Management System (OMS), and in the future by inputs from fault-
predicting devices. It determines the specific protective device,
which has cleared the sustained fault, identifies the de-energized
sections, and estimates the probable location of the actual or the
expected fault. It distinguishes faults cleared by controllable
protective devices from those cleared by fuses, and identifies
momentary outages and inrush/cold load pick-up currents. This step
is also referred to as Fault Detection Classification and Location
(FDCL). This step helps to expedite the restoration of faulted
sections through fast fault location identification and improved
diagnostic information available for crew dispatch. Also provides
visualization of fault information to design and implement a
switching plan to isolate the fault.
2. Fault Type Determination
I. Indicates faults cleared by controllable protective devices by
distinguishing between:
a. Faults cleared by fuses
b. Momentary outages
Wetterwald & Raymond Expires January 1, 2016 [Page 16]
Internet-DraDeterministic Networking Uitilities requirements June 2015
c. Inrush/cold load current
II. Determines the faulted sections based on SCADA fault indications
and protection lockout signals
III. Increases the accuracy of the fault location estimation based
on SCADA fault current measurements and real-time fault analysis
3. Fault Isolation and Service Restoration
Once the location and type of the fault has been pinpointed, the
systems will attempt to isolate the fault and restore the non-faulted
section of the network. This can have three modes of operation:
I. Closed-loop mode : This is initiated by the Fault location sub-
function. It generates a switching order (i.e., sequence of
switching) for the remotely controlled switching devices to isolate
the faulted section, and restore service to the non-faulted sections.
The switching order is automatically executed via SCADA.
II. Advisory mode : This is initiated by the Fault location sub-
function. It generates a switching order for remotely and manually
controlled switching devices to isolate the faulted section, and
restore service to the non-faulted sections. The switching order is
presented to operator for approval and execution.
III. Study mode : the operator initiates this function. It analyzes
a saved case modified by the operator, and generates a switching
order under the operating conditions specified by the operator.
With the increasing volume of data that are collected through fault
sensors, utilities will use Big Data query and analysis tools to
study outage information to anticipate and prevent outages by
detecting failure patterns and their correlation with asset age,
type, load profiles, time of day, weather conditions, and other
conditions to discover conditions that lead to faults and take the
necessary preventive and corrective measures.
Wetterwald & Raymond Expires January 1, 2016 [Page 17]
Internet-DraDeterministic Networking Uitilities requirements June 2015
+----------------------+--------------------------------------------+
| FLISR Requirement | Attribute |
+----------------------+--------------------------------------------+
| One way maximum | 80 ms |
| delay | |
| | |
| Asymetric delay | No |
| Required | |
| | |
| Maximum jitter | 40 ms |
| | |
| Topology | Point to point, point to Multi-point, |
| | Multi-point to Multi-point |
| | |
| Bandwidth | 64 Kbps |
| | |
| Availability | 99.9999 |
| | |
| precise timing | Yes |
| required | |
| | |
| Recovery time on | Depends on customer impact |
| Node failure | |
| | |
| performance | Yes, Mandatory |
| management | |
| | |
| Redundancy | Yes |
| | |
| Packet loss | 0.1% |
+----------------------+--------------------------------------------+
Table 9: FLISR Communication Requirements
4.2.3. Generation use case
4.2.3.1. Frequency Control / Automatic Generation Control (AGC)
The system frequency should be maintained within a very narrow band.
Deviations from the acceptable frequency range are detected and
forwarded to the Load Frequency Control (LFC) system so that required
up or down generation increase / decrease pulses can be sent to the
power plants for frequency regulation. The trend in system frequency
is a measure of mismatch between demand and generation, and is a
necessary parameter for load control in interconnected systems.
Automatic generation control (AGC) is a system for adjusting the
power output of generators at different power plants, in response to
Wetterwald & Raymond Expires January 1, 2016 [Page 18]
Internet-DraDeterministic Networking Uitilities requirements June 2015
changes in the load. Since a power grid requires that generation and
load closely balance moment by moment, frequent adjustments to the
output of generators are necessary. The balance can be judged by
measuring the system frequency; if it is increasing, more power is
being generated than used, and all machines in the system are
accelerating. If the system frequency is decreasing, more demand is
on the system than the instantaneous generation can provide, and all
generators are slowing down.
Where the grid has tie lines to adjacent control areas, automatic
generation control helps maintain the power interchanges over the tie
lines at the scheduled levels. The AGC takes into account various
parameters including the most economical units to adjust, the
coordination of thermal, hydroelectric, and other generation types,
and even constraints related to the stability of the system and
capacity of interconnections to other power grids.
For the purpose of AGC we use static frequency measurements and
averaging methods are used to get a more precise measure of system
frequency in steady-state conditions.
During disturbances, more real-time dynamic measurements of system
frequency are taken using PMUs, especially when different areas of
the system exhibit different frequencies. But that is outside the
scope of this use case.
Wetterwald & Raymond Expires January 1, 2016 [Page 19]
Internet-DraDeterministic Networking Uitilities requirements June 2015
+---------------------------------------------------+---------------+
| FCAG (Frequency Control Automatic Generation) | Attribute |
| Requirement | |
+---------------------------------------------------+---------------+
| One way maximum delay | 500 ms |
| | |
| Asymetric delay Required | No |
| | |
| Maximum jitter | Not critical |
| | |
| Topology | Point to |
| | point |
| | |
| Bandwidth | 20 Kbps |
| | |
| Availability | 99.999 |
| | |
| precise timing required | Yes |
| | |
| Recovery time on Node failure | N/A |
| | |
| performance management | Yes, |
| | Mandatory |
| | |
| Redundancy | Yes |
| | |
| Packet loss | 1% |
+---------------------------------------------------+---------------+
Table 10: FCAG Communication Requirements
4.3. Specific Network topologies of Smart Grid Applications
Utilities often have very large private telecommunications networks.
It covers an entire territory / country. The main purpose of the
network, until now, has been to support transmission network
monitoring, control, and automation, remote control of generation
sites, and providing FCAPS (Fault. Configuration. Accounting.
Performance. Security) services from centralized network operation
centers.
Going forward, one network will support operation and maintenance of
electrical networks (generation, transmission, and distribution),
voice and data services for ten of thousands of employees and for
exchange with neighboring interconnections, and administrative
services. To meet those requirements, utility may deploy several
physical networks leveraging different technologies across the
country: an optical network and a microwave network for instance.
Wetterwald & Raymond Expires January 1, 2016 [Page 20]
Internet-DraDeterministic Networking Uitilities requirements June 2015
Each protection and automatism system between two points has two
telecommunications circuits, one on each network. Path diversity
between two substations is key. Regardless of the event type
(hurricane, ice storm, etc.), one path shall stay available so the
SPS can still operate.
In the optical network, signals are transmitted over more than tens
of thousands of circuits using fiber optic links, microwave and
telephone cables. This network is the nervous system of the
utility's power transmission operations. The optical network
represents ten of thousands of km of cable deployed along the power
lines.
Due to vast distances between transmission substations (for example
as far as 280km apart), the fiber signal can be amplified to reach a
distance of 280 km without attenuation.
4.4. Precision Time Protocol
Some utilities do not use GPS clocks in generation substations. One
of the main reasons is that some of the generation plants are 30 to
50 meters deep under ground and the GPS signal can be weak and
unreliable. Instead, atomic clocks are used. Clocks are
synchronized amongst each other. Rubidium clocks provide clock and
1ms timestamps for IRIG-B. Some companies plan to transition to the
Precision Time Protocol (IEEE 1588), distributing the synchronization
signal over the IP/MPLS network.
The Precision Time Protocol (PTP) is defined in IEEE standard 1588.
PTP is applicable to distributed systems consisting of one or more
nodes, communicating over a network. Nodes are modeled as containing
a real-time clock that may be used by applications within the node
for various purposes such as generating time-stamps for data or
ordering events managed by the node. The protocol provides a
mechanism for synchronizing the clocks of participating nodes to a
high degree of accuracy and precision.
PTP operates based on the following assumptions :
It is assumed that the network eliminates cyclic forwarding of PTP
messages within each communication path (e.g., by using a spanning
tree protocol). PTP eliminates cyclic forwarding of PTP messages
between communication paths.
PTP is tolerant of an occasional missed message, duplicated
message, or message that arrived out of order. However, PTP
assumes that such impairments are relatively rare.
Wetterwald & Raymond Expires January 1, 2016 [Page 21]
Internet-DraDeterministic Networking Uitilities requirements June 2015
PTP was designed assuming a multicast communication model. PTP
also supports a unicast communication model as long as the
behavior of the protocol is preserved.
Like all message-based time transfer protocols, PTP time accuracy
is degraded by asymmetry in the paths taken by event messages.
Asymmetry is not detectable by PTP, however, if known, PTP
corrects for asymmetry.
A time-stamp event is generated at the time of transmission and
reception of any event message. The time-stamp event occurs when the
message's timestamp point crosses the boundary between the node and
the network.
IEC 61850 will recommend the use of the IEEE PTP 1588 Utility Profile
(as defined in IEC 62439-3 Annex B) which offers the support of
redundant attachment of clocks to Paralell Redundancy Protcol (PRP)
and High-availability Seamless Redundancy (HSR) networks.
5. IANA Considerations
This memo includes no request to IANA.
6. Security Considerations
6.1. Current Practices and Their Limitations
Grid monitoring and control devices are already targets for cyber
attacks and legacy telecommunications protocols have many intrinsic
network related vulnerabilities. DNP3, Modbus, PROFIBUS/PROFINET,
and other protocols are designed around a common paradigm of request
and respond. Each protocol is designed for a master device such as
an HMI (Human Machine Interface) system to send commands to
subordinate slave devices to retrieve data (reading inputs) or
control (writing to outputs). Because many of these protocols lack
authentication, encryption, or other basic security measures, they
are prone to network-based attacks, allowing a malicious actor or
attacker to utilize the request-and-respond system as a mechanism for
command-and-control like functionality. Specific security concerns
common to most industrial control, including utility
telecommunication protocols include the following:
o Network or transport errors (e.g. malformed packets or excessive
latency) can cause protocol failure.
o Protocol commands may be available that are capable of forcing
slave devices into inoperable states, including powering-off
Wetterwald & Raymond Expires January 1, 2016 [Page 22]
Internet-DraDeterministic Networking Uitilities requirements June 2015
devices, forcing them into a listen-only state, disabling
alarming.
o Protocol commands may be available that are capable of restarting
communications and otherwise interrupting processes.
o Protocol commands may be available that are capable of clearing,
erasing, or resetting diagnostic information such as counters and
diagnostic registers.
o Protocol commands may be available that are capable of requesting
sensitive information about the controllers, their configurations,
or other need-to-know information.
o Most protocols are application layer protocols transported over
TCP; therefore it is easy to transport commands over non-standard
ports or inject commands into authorized traffic flows.
o Protocol commands may be available that are capable of
broadcasting messages to many devices at once (i.e. a potential
DoS).
o Protocol commands may be available to query the device network to
obtain defined points and their values (i.e. a configuration
scan).
o Protocol commands may be available that will list all available
function codes (i.e. a function scan).
o Bump in the wire (BITW) solutions : A hardware device is added to
provide IPSec services between two routers that are not capable of
IPSec functions. This special IPsec device will intercept then
intercept outgoing datagrams, add IPSec protection to them, and
strip it off incoming datagrams. BITW can all IPSec to legacy
hosts and can retrofit non-IPSec routers to provide security
benefits. The disadvantages are complexity and cost.
These inherent vulnerabilities, along with increasing connectivity
between IT an OT networks, make network-based attacks very feasible.
Simple injection of malicious protocol commands provides control over
the target process. Altering legitimate protocol traffic can also
alter information about a process and disrupt the legitimate controls
that are in place over that process. A man- in-the-middle attack
could provide both control over a process and misrepresentation of
data back to operator consoles.
Wetterwald & Raymond Expires January 1, 2016 [Page 23]
Internet-DraDeterministic Networking Uitilities requirements June 2015
6.2. Security Trends in Utility Networks
Although advanced telecommunications networks can assist in
transforming the energy industry, playing a critical role in
maintaining high levels of reliability, performance, and
manageability, they also introduce the need for an integrated
security infrastructure. Many of the technologies being deployed to
support smart grid projects such as smart meters and sensors can
increase the vulnerability of the grid to attack. Top security
concerns for utilities migrating to an intelligent smart grid
telecommunications platform center on the following trends:
o Integration of distributed energy resources
o Proliferation of digital devices to enable management, automation,
protection, and control
o Regulatory mandates to comply with standards for critical
infrastructure protection
o Migration to new systems for outage management, distribution
automation, condition-based maintenance, load forecasting, and
smart metering
o Demand for new levels of customer service and energy management
This development of a diverse set of networks to support the
integration of microgrids, open-access energy competition, and the
use of network-controlled devices is driving the need for a converged
security infrastructure for all participants in the smart grid,
including utilities, energy service providers, large commercial and
industrial, as well as residential customers. Securing the assets of
electric power delivery systems, from the control center to the
substation, to the feeders and down to customer meters, requires an
end-to-end security infrastructure that protects the myriad of
telecommunications assets used to operate, monitor, and control power
flow and measurement. Cyber security refers to all the security
issues in automation and telecommunications that affect any functions
related to the operation of the electric power systems.
Specifically, it involves the concepts of:
o Integrity : data cannot be altered undetectably
o Authenticity : the telecommunications parties involved must be
validated as genuine
o Authorization : only requests and commands from the authorized
users can be accepted by the system
Wetterwald & Raymond Expires January 1, 2016 [Page 24]
Internet-DraDeterministic Networking Uitilities requirements June 2015
o Confidentiality : data must not be accessible to any
unauthenticated users
When designing and deploying new smart grid devices and
telecommunications systems, it's imperative to understand the various
impacts of these new components under a variety of attack situations
on the power grid. Consequences of a cyber attack on the grid
telecommunications network can be catastrophic. This is why security
for smart grid is not just an ad hoc feature or product, it's a
complete framework integrating both physical and Cyber security
requirements and covering the entire smart grid networks from
generation to distribution. Security has therefore become one of the
main foundations of the utility telecom network architecture and must
be considered at every layer with a defense-in-depth approach.
Migrating to IP based protocols is key to address these challenges
for two reasons:
1. IP enables a rich set of features and capabilities to enhance the
security posture
2. IP is based on open standards, which allows interoperability
between different vendors and products, driving down the costs
associated with implementing security solutions in OT networks.
Securing OT (Operation technology) telecommunications over packet-
switched IP networks follow the same principles that are foundational
for securing the IT infrastructure, i.e., consideration must be given
to enforcing electronic access control for both person-to-machine and
machine-to-machine communications, and providing the appropriate
levels of data privacy, device and platform integrity, and threat
detection and mitigation.
7. Acknowledgements
Faramarz Maghsoodlou, Ph. D. IoT Connected Industries and Energy
Practice Cisco
Pascal Thubert, CTAO Cisco
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
Wetterwald & Raymond Expires January 1, 2016 [Page 25]
Internet-DraDeterministic Networking Uitilities requirements June 2015
8.2. Informative References
[I-D.finn-detnet-problem-statement]
Finn, N. and P. Thubert, "Deterministic Networking Problem
Statement", draft-finn-detnet-problem-statement-03 (work
in progress), June 2015.
[IEC61850-90-12]
TC57 WG10, IEC., "IEC 61850-90-12 TR: Communication
networks and systems for power utility automation - Part
90-12: Wide area network engineering guidelines", 2015.
[IEC62439-3:2012]
TC65, IEC., "IEC 62439-3: Industrial communication
networks - High availability automation networks - Part 3:
Parallel Redundancy Protocol (PRP) and High-availability
Seamless Redundancy (HSR)", 2012.
Authors' Addresses
Patrick Wetterwald
Cisco Systems
45 Allees des Ormes
Mougins 06250
FRANCE
Phone: +33 4 97 23 26 36
Email: pwetterw@cisco.com
Jean Raymond
Hydro-Quebec
1500 University
Montreal H3A3S7
Canada
Phone: +1 514 840 3000
Email: raymond.jean@hydro.qc.ca
Wetterwald & Raymond Expires January 1, 2016 [Page 26]