Systemic Risks in the Electric Power Infrastructure ?

As envisaged by developers, economic actors or politicians, advanced information and communication technologies (ICT) should be utilized in electricity infrastructures to an unprecedented level, mainly to enhance the capability to handle the more volatile power supply by renewable energy sources. However, the extended use of ICT can also be a source of additional risks, due to the increased “openness” of the ICT-intensive infrastructure, increased complexities, interdependencies or system-wide failures, potential failures of ever more complex governance structures, or incoherent technical and governance developments. We raise the question whether systemic risks may emerge in the electricity sector, and which research perspectives for technology assessment may then be useful.1

Recently, there is considerable political support for modernizing the electricity industry by developing and deploying advanced information and communication technologies (ICT), and to realize visions of the so-called "smart grid" or "internet of energy" (e.g., European Commission 2009;BMWi 2008;IEA 2011).One of the main goals of such strategies is to enhance the largescale integration of the volatile power supply by renewable energy sources, especially photovoltaic-and wind energy.Additionally, it is aimed at enhancing the reliability of the electricity system in view of an ageing electricity infrastructure.To these ends, a multitude of technical and organizational measures for bettering the balance of the generation, transmission, distribution and consumption of energy at all stages of the electricity value chain are currently being proposed, developed, deployed or enhanced (Table 1).
While ICT systems have been used in the electricity sector for decades, the ongoing and envisaged developments cause a higher degree of automation, connectivity, and virtualization for the management and control of the electricity sys-tem.On the one hand, this may have many advantages, such as increased economic and energy efficiency or enhanced reliability.On the other hand, it is also widely acknowledged that new vulnerabilities and cyber security issues are introduced.
Actors of public governance have already responded to them (e.g., NIST 2010;NERC 2010).In Germany, like in many other countries, the government has initiated a Critical Infrastructure Protection (CIP) strategy (named "KRITIS" strategy) that is, among other things, realized by the recent implementation of the Cyber Security Strategy, including the establishment of a National Cyber Response Centre and a National Cyber Security Council (BMI 2011).Additionally, national multi-actor crisis-management exercises (LÜKEX) are regularly carried out, of which the exercise in 2011 is explicitly dedicated to cyber attacks.Additionally, several laws 3 require security measures, and a broad range of standards and guidelines define ICT security, in particular the ISO/IEC 27000 standard series (overview given by Wendt 2011; see also DKE 2010).
In the following, we elaborate on the interactions of technological developments with governance structures, interpreting them as ambivalent relations.Governance is necessary to mitigate risks, but governance structures can also be sources of risks or even systemic risks.The following considerations are based on the assumption that the dependability of the system is not only attained by research, development and availability of potentially reliable ICT components, but the safety of real systems depends on the actual choice and deployment of system components within the constellation of the entire system and its overall architecture.In highly regulated industries, like the electricity industry, the actual design, choice and deployment of ICT components largely depends on the incentives and constraints given by governance structures and procedures.Therefore, we assume that governance may also provide incentives and constraints that may cause ICT-related risks that may have systemic consequences.After shedding some light on the understandings of systemic risks (Section 2), we point out potential sources of systemic risks in the electricity sector.In this paper, they are subdivided for a better understanding (Section 3 and 4), but in reality, such sources are closely related.

Fields Description
Wide-area monitoring and control Monitoring and control technologies, as well as advanced system analytics, enhance the data provision about the status of electricity systems components, behaviour and performance across interconnections and over large geographic areas.They help better to mitigate wide-area disturbances, for instance, by early warning systems, and improve transmission capacity and reliability, also better to balance volatile power supplies over long distances.Such applications necessitate cooperation across regional responsibilities for energy supply.

Transmission enhancement applications
Flexible alternating current transmission systems (FACTS) regulate the voltage and load flows in grids to handle incalculable load flows better, such as those from wind energy plants.High voltage direct current (HVDC) technologies are used to transport power across greater distances, like those from offshore wind farms.

Distribution grid management
Enhanced sensing and automation in distribution grid processes should reduce outage and repair time, for instance, by fault location or automatic network reconfigurations.It can also enable decentralized energy management, with local balancing between conventional and fluctuating energy technologies and transfers to the surrounding grid (see also the concept of "virtual power plants", "islanding" or "micro grids") (European Commission 2006, p. 27)

ICT integration
To reach the goals of the transformation to the "smart grid", it is stated that an "end-to-end" integration of all components of the energy system across different grids and across company boundaries with the help of a uniform communication infrastructure is necessary.For this integration, the metaphor of the "internet of energy" was coined (BDI 2010).One crucial step is enabling the bi-directional communication between the actors.The communication infrastructure uses private utility communication networks or public networks (cellular, cable, telephone networks, internet).

Advanced metering infrastructure
The advanced metering infrastructure includes a range of technical deployments that should provide functionalities like sending remote price signals of power consumption, ability to collect, store and report customer energy consumption data, improve energy diagnostics, improve location of outages, remote connection or disconnection, or losses or theft detection.The components at the residential customer side are the so-called "smart meters", which are the digital substitutes for the common Ferraris meters.In many European countries, it is a legal duty to install "smart meters".2Commercial and industrial customers already use time-based measurement of their energy consumption.

Customer-side systems (building automation, "smart homes")
Such systems installed on the industrial or residential side include energy management systems, energy storage devices, "smart appliances", and distributed generation.They are used to manage energy consumption and generation in order to realize energy efficiency gains or peak demand reductions.An important part is the "demand response management" (or "demand side management") envisaged with manual control by the customer or automated response by price-sensitive appliances connected to an energy management system or remotely controlled by the utility or system operator.Dynamic pricing is the basis for "demand response management" (see below).

Charging infrastructure for electric vehicles
For the large-scale use of electric vehicles, a completely new infrastructure is necessary in order to facilitate decentralized charging, billing, or ancillary services, like peak load shaving or discharging, if electric vehicles serve as energy storages.In order to facilitate such transactions, interactions with the advanced meter infrastructure and customer-side systems become necessary.

Economic applications and new business models
With new business models it is planned that energy utility companies install and operate decentralized energy production plants, like micro gas turbines or combined heat and power (CHP) plants at the customer side ("contracting"), transmission and distribution grid operators provide information services of generation and sales data, a larger number of actors become market players at energy exchanges, or new consultancy services emerge, such as those for energy consumption optimization.For improving the shifting of power consumption by residential customers, energy companies have to provide dynamic pricing (e.g., time-differentiated pricing).All new business models require a functioning ICT infrastructure and standardized communication protocols that facilitate the automated processing of the large mass of transaction data.
One of the main tasks of technology assessment is to identify risks of technological developments and to develop options to cope with them, including political measures.Currently, analyses of technology assessment are also extended to systemic risks (Hellström 2009;Klinke, Renn 2006;Renn, Keil 2008;Keil et al. 2008).In the last years, analyses of systemic risks have gained considerable impetus through the financial crises, so that the majority of studies on systemic risks can be found in the field of finance and banking (e.g., Kaufman, Scott 2003;Kambhu et al. 2007) (see also Willke in this issue).Only a few studies use the approach of "systemic risks" in analyses of infrastructure risks, and they mostly point to a need for further research (Hellström 2007(Hellström , 2009;;Bartle, Laperrouza 2008;Laperrouza 2009;Mellstrand, Ståhl 2009).Besides the fact that there is currently no commonly accepted definition of "systemic risks", there is also a need for further research to characterize systemic risks and to develop methods for their analysis.
In the following, systemic risks are understood to be risks relating to or common to the entire system, or large parts of it, endangering its functioning, performances or attainment of societal goals.Systemic risks may emerge when the organizational and technological structures of the system would enable propagations of failures or system-wide failures (Section 3), when the sectororganizational and governance structures systematically lead to risk-generating behaviour or suboptimal risk management, or when governance structures do not develop adequately with technological or industrial developments endangering the achievement of societal goals like safety and the containment of risks, security of the energy supply, or social acceptability (Section 4).From this perspective, analyses of systemic risks in critical infrastructures have to take technical, industrial, institutional, and governance structures and the interactions among them into account.

Cascading or System-wide Failures
Critical infrastructure systems, especially the electricity-, telecommunication-, computation-, and transport infrastructures increasingly converge on each other (e.g., Amin 2005) leading to increased interdependencies among infrastructure systems.Such interdependencies, especially among the electricity-, IT-and communication infrastructures, are already subjects of risk analyses and simulations to consider cascading effects in particular (Rinaldi et al. 2001;IRGC 2006IRGC , 2010;;Panzieri, Setola 2008;Petermann et al. 2011).The analyses demonstrate that the larger interdependencies among infrastructures, especially the increased integration of electricity networks with the internet, significantly lead to systemic risks, as exemplified by wide-area electric power outages.Internet connections are used for control and communication in the electricity sector, but the operation of the internet infrastructure itself depends on electricity, and has usually only limited energy reserves (Bartle, Laperrouza 2008;Petermann et al. 2011, pp. 70-93).However, besides such analyses, many questions are still open, such as who is responsible, with which scope, capabilities, cooperation models, or authority to monitor and govern interdependencies among infrastructures, and how several new cyber security issues and new interdependent components and actors, like internet service providers, trust services, certification services, or energy consultancy services, are included.
The realization of the "smart grid" necessitates a high level of connectivity in order to overcome "islands of automation" (NERC 2010, p. 12).To a large extent this should be based on Internet Protocol (IP) networks.On the one hand, IP networks facilitate a real-time, two-way communication that is essential for the "smart grid", are also highly cost-effective by using existing internet communication lines (especially to households facilitating demand-side management), use a flexible and widely accepted communication standard, and have some reliability advantages due to the dynamic routing capabilities (e.g., Davies 2010; Pearson 2011, p. 5214).
On the other hand, the use of IP networks brings more "openness" for accidental behaviour or malicious attacks, such as denial-of-service attacks by flooding, exploits, viruses or worms (e.g.IRGC 2006, pp. 43-48).However, the actual realization of "internet-induced" risks depends on casespecific deployments of security levels in IP communication and the specific protection measures used such as encryption, access control, authentication, etc.What makes the use of IP networks a factor for systemic risks is their common use and widespread knowledge about their vulnerabilities.If used on a mass scale, this implies "... making any vulnerabilities they carry also exploitable on a mass scale."(Pearson 2011, p. 5214) The same holds true for the large-scale use of commercialoff-the-shelf (COTS) hard-and software (including operating systems) instead of using customized solutions.This is a common trend in the electricity sector (e.g., Ericsson 2010; Pearson 2011, p. 5214; see also Perrow in this issue).If, for example, IPconnected and standardized "smart meters" based on commodity hard-and software are deployed on a mass scale, malicious hackers can turn off "smart meters" on a mass scale, which would have negative systemic impacts at the distribution level (McDaniel, McLaughlin 2009, pp. 76-77).
In addition, the "smart grid" infrastructure will be built on existing ICT applications in the electricity sector, so-called "legacy systems", besides the newly-added "intelligent" systems.Therefore, vulnerabilities of the legacy systems could lead to compromises of the new "smart grid" technologies with systemic consequences (Flick, Morehouse 2011, pp. 54-55).The mixture of newly-added and legacy ICT systems could lead to strange and hardly predictable behaviour, especially because a large portion of ICT components stem from third parties (Mellstrand, Ståhl 2009, p. 3).This is especially relevant in cases of software updates, where the interaction of added and legacy systems is often problematic to predict, with the result that they are often the reason for IT-related incidents in critical infrastructures (Tervo, Wiander 2010).
Another source of systemic risk can be seen in the massive amount of sensitive data transferred in the "smart grid", like data from monitoring and control devices, administrative and personal data, like metering and billing information, or data of building controllers.Such data transfers have to be encrypted, necessitating a cryptographic-key management infrastructure.The high costs of maintaining such an infrastructure and the limited capabilities of such processors, that are likely to be installed in mass-uses, to conduct high-performance encryptions contradict attaining such protection goals (Khurana et al. 2010, pp. 83-84).

Problematic Governance Structures
In the following, we assume that systematically-created risks are caused by failures in sector-organizational and regulative structures, in other words, the governance structures.In the normal running of businesses, inappropriate incentive structures may stimulate rational actors to generate risk factors.Here, the system itself produces conditions that endanger its functions and performances.If governance structures work system-wide, the implications do also.From this perspective, an assessment of systemic risks is an analysis of social processes that create, maintain or endanger a socio-technical infrastructure system (see also Büscher in this issue).Thus, we focus on the incentives and constraints that are imposed by governance structures and that influence how risks are actually handled by individual actors and, therefore, influence the dependability of components and of the entire system.

Problematic Incentives and Regulation
In general, we assume that, if governance structures do not stimulate or demand other behaviour, actors may create risks by system applications that follow especially an economic logic that might deviate from a security-engineering logic.In general, insights from behavioural, economic and sociological research indicate that actors -in trading off external governance requirements (e.g., laws or regulations) or competitive advantages by high security reputation against profitability or capacities -do not invest in ICT security at a level that would be optimal from an security-engineering viewpoint (e.g., Croll 2010; Gordon, Loeb 2004;Dynes et al. 2008).
Governance reforms for liberalization and privatization impose economic pressures on infrastructure operators (e.g., van der Vleuten, Lagendijk 2010).That has led to decreasing redundancy or redundant back-up systems and letting electricity systems be operated closer to the margin (e.g., IRGC 2006, pp. 20-29;Cohen 2010, p. 62).Cost considerations are also relevant when actors connect control systems or Supervisory Control and Data Acquisition (SCADA) systems to IP connections or utilize the aforementioned COTS systems (e.g., Apt et al. 2006, p. 222;Nartmann et al. 2009;IRGC 2006).Furthermore, infrastructure operators are less incentivized to report and share information about reliability problems, software failures or cyber threats, thus hampering the learning important in risk prevention (Apt et al. 2006, pp. 226-229;US GAO 2011, pp. 24-25).
Another example is the certification of IT security, as one often favoured policy instrument for software security 4 , that is controversially discussed (e.g., Anderson, Fuloria 2009).Many certification schemes for software dependability examine the existence of standard proof procedures and not the evidence of the actual fulfilment of dependability goals (Jackson 2009, p. 80).Additionally, a performance audit of risks governance structures conducted by the United States Government Accountability Office in 2009 to 2011 indicates that infrastructure utilities are focusing more on compliance with cyber security requirements, in particular on meeting minimum regulatory requirements, instead of designing a comprehensive approach to system security (US GAO 2011, p. 23).Furthermore, consumers are sub-optimally informed about the options and benefits of secure systems, and consequently have a low willingness to pay for secure products.Here, improvements in governance with the help of effective certification and labelling schemes are needed (US GAO 2011, p. 23).

Increased Complexity of Actor Constellations
In general, economic and behavioural research on ICT security indicates that, in systems deployed and run by many actors, system safety may also have the characteristics of a "public good", with the tendency that individual actors "free-ride" on the contributions by others, leading to an inefficient overall security level (e.g.

Incoherent Technological and Governance Developments
If governance structures and technologies do not develop correspondingly over the course of time, this can also cause systemic risks, in the sense that social goals like system safety, data protection, privacy, accessibility, social acceptability etc. (see also Finger et al. 2005;IRGC 2010, pp. 33-37) are not attained.For instance, this would be the case when the security-supervisory and regulative structure of critical infrastructures do not cover new risks or have inappropriate approaches in view of new risks, such as those from increased interdependencies, when security regulations would be too slow to adapt to fast-evolving cyber threats, or when the now prevailing self-organization of security measures would turn out to be ineffective.
As an example, "smart grid"-related regulatory efforts by the German Federal Office of Information Security (BSI) focus mainly on the Protection Profile for "smart meters".In contrast, security issues of IP-connected Energy Management Systems in residential premises are at the moment unregulated, and are left to the decisions of customers.With the aforementioned information lack about security issues, which customers usually have, and the resulting low willingness to pay for secure products, it is likely that the market outcome is a suboptimal security level.
Examples of further adverse governance structures in the electricity sector are unsuitable constellations of actors and the current version of the incentive regulation 6 that hinder or do not suf-ficiently stimulate the necessary investments in the modernization of networks with "intelligent" systems (SRU 2011, pp. 477-484;Brunekreeft et al. 2011).Additionally, governmental actors involved in public-private partnerships are highly dependent on the expertise of developers and operators.This dependence is increasing ever more with the extended use of ICT in critical infrastructures.Therefore, governance structures with a changed role of governments must be adapted to changed structures of expertise and knowledge (Dunn-Cavelty, Suter 2009;Mills et al. 2008).
Furthermore, a large portion of mechanisms and rules for managing and controlling the abundance of transactions, such as system monitoring, metering, billing, etc., have to be programmed in software systems to be manageable at all ("software as an institution").However, if softwarebased rules are not coherent with the existing regulative framework and with the expectations and values of users or affected actors -for instance, regarding access, affordability, treatment of personal data, or fairness of market conditions -then the acceptability of and the trust in the system are endangered, and their legitimacy questioned. 7 Advanced models of stakeholder participation in system development, standardization and use may contribute to preventing or mitigating such problems (e.g., Orwat, Raabe et al. 2010).

Conclusion
Risk assessments that focus only on the reliability of single components and physical interconnections are important, but seems not fully sufficient from a systemic viewpoint due to experiences with ICT-related organizational and regulative failures, increased interdependencies and complexities, and incoherence between technical and governance developments as potential sources of risks.Instead, a complementary systemic perspective that explicitly takes the interactions and codevelopment of technologies, social-organizational, regulative structures into account, seems more adequate to analyse reasons for dysfunctional behaviour of ICT systems, organizations or people, which may result from inappropriate incentives or controls of governance structures.From this perspective, the task of technology assessment is also to ask about the effectiveness and efficiency of risk governance structures, or whether the interplay of technology developments, sectoral-organizational and regulative governance structures causes new risks or even systemic risks.Other laws provide general IT security requirements, such as the Telecommunications Act ( § 109 Telekommunikationsgesetz -TKG) or the Federal Data Protection Act ( § 9 Bundesdatenschutzgesetz -BDSG) (Gaycken, Karger 2011, pp.6-7).4) See, for instance, the ISO/IEC 27002 information security standard, including certification, the "Common Criteria" certification scheme, or the standards for IT security management by the German Federal Office of Information Security (BSI).5) The current problem of incompatible data formats for smart meter communication, i.e.EDIFACT versus the XML standard, is an example.6) Compare the Incentive Regulation Ordinance (Anreizregulierungsverordnung -ARegV).7) For example, due to consumer concerns on privacy issues the installation of "smart meters" is no longer compulsory in the Netherlands.