Today's Power Markets are Too Big

The span of power markets today is too big. Market participation by net metering applying tariffs across a whole region makes no sense if power from the seller cannot physically get to the would-be buyer. Power markets are intrinsically local. Atop this, one must factor in the line loss transforming up from the local small-scale prosumer

For such local markets, there needs to be some equivalence of market participant scale…

The span of power markets today is too big. Market participation by net metering applying tariffs across a whole region makes no sense if power from the seller cannot physically get to the would-be buyer. Power markets are intrinsically local. (This is net of transmission/distribution line capacity and topology, whether or not particular transformers can “run backward”, etc.). Atop this, one must factor in the line loss transforming up from the local small-scale prosumer

For such local markets, there needs to be some equivalence of market participant scale. A large factory does not order wholesale supplies from the corner store in any non-power market. A bidder who works at an order of magnitude larger scale than anyone else deforms the local market. A local market may reach aggregate scale large enough to participate with bigger players.

Once one breaks the market down into the local smaller markets, storage can easily participate, either as part of portfolio management within a prosumer, or independently as a merchant battery within the local market. Local markets open the way to replace central battery control with autonomous power storage systems.

Different storage systems have different participation characteristics; fast or slow charge, fast or slow discharge, switching from charge to discharge, etc. Running a specific storage technology into the wrong participation scenario can degrade the system, or even result in “rapid unplanned energy discharge” (fire and explosions). We need the room to experiment with different strategies for market participation for different storage technologies, or even hybrid storage systems wherein several technologies are working together as a single participant. This experimentation will not happen in a centrally owned, operated, and regulated environment.

Large central markets may try to emulate this by targeting specific prices at specific devices or groups of devices. This attempt at direct control by proxy across neighborhood and region will not work much better than direct control does.

Read More

Cyber Command & Control for OT Cybersecurity

In August of 2017, US Cyber Command was raised to the status of a unified combatant command. Organizationally, this put USCYBERCOM at the same level as the regional commands such as the European Command or the Indo-Asian Command, and the functional commands such as Special Forces. The term “unified” says that the commands cross the organizational boundaries such as Army, Navy, Air Force and Space Force.

USCYBERCOM is tasked with centralizing command of cyberspace operations, and strengthening DoD cyberspace capabilities. USCYBERCOM is concerned that the cyber-defense model of traditional monolithic systems that tightly couple the sensing, analytics, decision making and acting blocks of cyber-defense activities leads to brittle cyber-defense infrastructure that is relatively static and difficult to coordinate for inter-domain responses to cyber-attacks.

Accordingly, USCYBERCOM demands more responsive, flexible, product agnostic and interoperable cyber defense components include the standardization of interfaces and the adoption of standard protocols. The goal is to ease interoperability and enable unambiguous machine to machine command and control messages.

To achieve these goals, USCYBERCOM and the NSA are encouraging the development of the cybersecurity open command and control specification, OpenC2. It is their hope that OpenC2 will find wide acceptance making OpenC2 conformance readily available. It is a goal of USCYBERCOM to be able to use OpenC2 for all critical infrastructure.

This initiative will affect every participant in the smart building and operational technology (OT) markets. The twin goals of modern Defense Department specifications are to make technologies executable and readily available. Executable means that those who need custom applications, which includes systems which are designed for a specific building, will be able to use these requirements when going to bid, and be able to test whether those requirements were met. Readily available means that there are standard items on the market that meet the requirements. Integrators and suppliers will both be held to the new specifications—building owners will benefit from the new market.

USCYBERCOM intends OpenC2 as a cybersecurity command language for the Internet of Things, also known as Operational Technology (OT). Traditional cybersecurity commands are focused on the traditional networks of file servers, database servers, web servers, and desktop computers. Cybersecurity commands from firewall directives to interdiction of malware in documents have as their goal the protection of those administrative and data services. The communications requirements and systems architectures of OT are quite different than those of administrative systems, and the services provided by OT are far more diverse. The security directives for each type of OT system are just now being defined.

Read More

Spontaneous Order on a Continental Scale

A recent conversation about European power markets and some “glitches” in early June shown a light on profound issues in cybersecurity, in system architectures for big infrastructure, and to an extent the scalability problems with many of the hottest applications for the Internet of Things (IOT). The specific observations was a plea for direct central control, even as it used an example that showed the shortcoming of infrastructure architecture based on assumptions of central control. It then learned the wrong lesson, that spontaneous order is too “risky” at large scale.

A recent conversation about European power markets and some “glitches” in early June shown a light on profound issues in cybersecurity, in system architectures for big infrastructure, and to an extent the scalability problems with many of the hottest applications for the Internet of Things (IOT).

The specific observations was a plea for direct central control, even as it used an example that showed the shortcoming of infrastructure architecture based on assumptions of central control. It then learned the wrong lesson, that spontaneous order is too “risky” at large scale.

>>> Something went wrong on the 6., 12. and 25. June 2019.
>>> The belief in the Market to fix everything ... may end up in a big
>>> blackout.
>>>
>>> Add-On (2019-07-03):
>>> Today I found more details on the likely reason why we were so close
>>> to big trouble:
>>>
>>> "Due to a faulty data package, the European electricity
>>> exchange EPEX in Paris decoupled the European
>>> electricity market on June 7, 2019. This caused a great
>>> deal of excitement on the markets. Johannes Päffgen,
>>> Head of Energy Trading at Next Kraftwerke, explains the
>>> causes and consequences in an interview.
>>>
>>> Christian Sperling: Johannes - What happened? Why
>>> was there so much trouble at EPEX on the Friday before
>>> the Whitsun holidays?
>>>
>>> Johannes Päffgen: Well - in the end it's a computer error...
>>> but we should go into that later. At about 11:40 this Friday
>>> we noticed that something was wrong at EPEX.
>>> We couldn't place any more bids for the day-ahead electricity
>>> auction on Saturday. ..."
>>>
>>> I guess it was a human error ... somebody didn't take into account
>>> that corrupted data packages will be sent and received ... how could
>>> a faulty package have such a dangerous result?!?!
>>>

While Transactive Energy is superficially similar to the way the bulk power markets have long operated, the power of TE is in local markets. The first benefit of TE is to hide the control complexity/diversity of different technologies behind common signaling. The second benefit is to permit diversity of motivation of each participant in the TE market, as those are also hidden behind the common signals. The power of TE is to allow an emergent order to arise, with balancing of supply and demand occurring without respect to technology or control system or personal beliefs.

One can think of TE as embracing that the Knowledge Problem described by Economics applies to the world of things as well, and that we can use markets, i.e., small decisions made by the participants to participate or not at each moment, to solve power availability without central control. The evolution of life on Earth, of language, of the brain, and of a free market economy are considered systems which evolved through spontaneous order. Naturalists often point to the inherent "watch-like" precision of uncultivated ecosystems and to the universe itself as ultimate examples of this phenomenon.

TE implementations must be aligned with the newer methodology of Laminar Control. Mid-level lamina can coordinate lower level nodes, but do not reach in to provide direct controls. Lamina may however share situation awareness, local effects up, wider area conditions down, to improve the decision-making within each. No Lamina requires the situation awareness of the adjacent lamina.

This has important implications for security and for future technological evolution of power systems on the grid. Aside from the very top level, all lamina are discontinuous. The layer that controls one neighborhood is not actually connected to the controls of a nearby neighborhood except through a common higher level lamina.

The loose coupling of component systems based on abstract communications is characterized as an anti-fragile software pattern. Lightly managed systems coordinated by abstract communications create spontaneous order. Spontaneous orders are distinguished as being scale-free networks, as opposed to the hierarchical networks traditionally used in power distribution management. Spontaneous order is defined as the result of actions, not of design.

For anti-fragile patterns to create resilience and stability, their interactions must be properly scoped so at to not create additional dependencies that create fragility. For TE, this means that not only must the market be local, consistent with the grid lamina, but each market must not rely on additional fragile elements. Making local decisions directly dependent on the communications infrastructure and market infrastructure far away, say at EPEX in Paris, reduces grid resiliency and introduces new cybersecurity challenges.

Besides, the grid is not Magic, and one really cannot buy power from Castille in Antwerp absent the power transmission capability to support such local delivery.

The markets of Transactive Energy will work best when they are based on local markets, able to balance not only power but voltage and frequency within the local distribution loop. Another market may use TE in the district, managing flows between the local distribution systems, and, again, not requiring detailed knowledge of what is inside each. Ideally the market for each will be collocated with the nodes and the controls for each.

Loosely coupled systems in organized in an anti-fragile pattern are manage by objectives and for results. They have no need to expose their internal operations or controls. From a security perspective, this greatly reduces potential attack surfaces. From a policy perspective, this reduces barriers to rapid future introduction of new technologies into a system of systems.

ASHRAE finished defining the Facility/Smart Grid Information Model (FSGIM) some years ago to describe what a Facility should know about itself to participate in these distributed local markets (ASHRAE 201). The abstract information model is consistent with the information model of the Transactive Energy market operations. A Facility that knows its FSGIM, is ready to participate in the local market. Local distribution markets can then replace the wasteful statistical and historic models that manage local power delivery today.

From the SCADA Security perspective, this model moves intrinsically toward defense in depth. From a social and organizational level, each market is a move toward liquid democracy as neighborhoods with their own goals interact with the wider grid. From a technology market perspective, this enables more rapid introduction of new technologies, including those of distributed generation and storage.

Read More

Cybersecurity of Power—Resources

As we work to define the cybersecurity of things, power demands its own security models, outside of SCADA security and distributed controls. Power is both a resource and a vector, and each of these offers vulnerabilities to cyberattack. This article describes cybersecurity of the resource.

As we work to define the cybersecurity of things, power demands its own security models, outside of SCADA security and distributed controls. Power is both a resource and a vector, and each of these offers vulnerabilities to cyberattack. This article describes cybersecurity of the resource. A later article will discuss cybersecurity of the vector.

Distributed cybersecurity is a model that distributes responsibility across autonomous nodes or systems. These nodes may send or receive cybersecurity directives. They may request or share situation awareness. Each node is responsible for securing itself and reporting when it is under attack.

The developing OASIS OpenC2 (Open Command & Control) specification defines cybersecurity as a service. The sender of a command requests what it wants accomplished without using step-by-step instructions. If the receiver accepts the command it must determine and execute its own procedure to fulfill that request.

As a resource, a power system must defend certain characteristics. These characteristics include frequency, voltage, and the shape of the waveform itself. Cyberattacks on the power resource can interfere with proper system operation or they can escalate into direct cyberphysical effects. The well-known Aurora demonstration by DHS used repeated subtle waveform manipulation, to cause a large dynamo to rip itself out of its concrete moorings. Any cyberprocess that is able to manipulate the fundamental power signal can be an effective attack on the Internet of Things.

When a distributed cybersecurity language such as OpenC2 shares information about an attack through the power vector, it may act as a warning, or it may describe what the requestor wants reported back. Because Power is likely shared between many nodes on the same circuit, anything that has a strong effect on one node, perhaps low-value and poorly defended, can be a means to attack other nodes on the same circuit. I know of substations in the Midwest, supplying a limited number of industrial customers, wherein the operating margin is so small that activity in one factory can cause and has caused significant damage to equipment in another factory. Situation awareness coming back from one node may be useful to gain a broader understanding of attacks on other nodes.

Attacks on power through a nearby un-protected node can cause damage to all nodes on the same circuit. A large user can cause changes to voltage, to power factor, or to other power attributes even without the subtle wave harmonics demonstrated in Aurora. They may even cause delayed effects, as a sustained reduction in power factor may prevent power storage systems from re-charging properly over several days. As tomorrow’s grid incorporates a growing number of renewables, this offers a growing vulnerability.

Because they are working sharing a resource, a cyber-response may help defend nearby nodes. If a node is able to actively manage frequency or power factor, it may defend nearby resources.

I will write soon on Power Distribution as a Cybersecurity Vector.

Read More

New Daedalus

Daedalus designed buildings, automated statues, and built wings for human flight. Daedalus worked by eye and hand, his designs scratched with a stylus on wax tablets. Until recently, we merely perfected his means of work, using better pens, and paper, and finally drawing on computers.

It is only recently that we have begun to leave the methods of Daedalus behind.

Simulations and digital twins guide each decision. Intelligence, or at least behaviors, imbue each system and device. Cyberphysical systems replace household servants and chauffeurs, operate factories, and manage energy logistics. The most pressing concerns are how intelligent systems and buildings will respond to us, and to each other.


What would the concerns of a New Daedalus be, in our world, with our tools, and facing our challenges?