Contact Us

New IncSys Cyber Attack Training at WSO 2018

Incremental Systems


IncSys and PowerData delivered training over three weeks for the April of 2018 Wisconsin System Operators (WSO) program. The WSO training brings together transmission and generation operators from Alliant Energy, American Transmission Company, Madison Gas and Electric, We Energies, and Wisconsin Public Service. The exercises on day one covered routine topics like SOLs, IROLs, and Real-Time Reliability Assessments. On days two and three, IncSys debuted completely new cyber-attack scenarios.

In response to rapidly growing concerns over recent cyber incidents, IncSys has devoted significant resources to constructing realistic and challenging scenarios that present the operator with a credible attack on their SCADA system. As Idaho National Labs observed in 2017, “Among the greatest challenges is a lack of knowledge or strategy to mitigate new risks that emerge as a result of an exponential rise in complexity of modern control systems.” These new courses are designed to remedy that lack of knowledge while providing the required simulation and standards CEHs.

The WSO attendees operated a hypothetical system model in PowerSimulator to contain outages, prevent equipment damage, and regain control of their system. All of this had to be accomplished while adhering to existing NERC standards. This sparked some in-depth discussion of the quickly evolving cyber threat and regulatory landscape. Because it’s impossible to say when the next attack will occur or what form it will take, it’s important for system operators to analyze recent examples and develop strategies for responding based on current knowledge.

Each operator attended one three-day session and earned 24 Continuing Education Hours, all of which counted for both Simulation and Standards. Members of different utilities were placed in teams of four with each team sharing one instance of our simulated Cascadia system. This session was the first WSO to use the latest PowerSimulator application: Contingency Analysis. CA predicts SOL and IROL violations based on the current state of the system and filters them into Voltage Collapse, Loss of Load, and Overload categories. The ease of filtering and sorting data is a major advantage of PowerSimulator, which surpasses some EMS products in efficiency and ease of use. One operator praised CA for its role as a “silent partner” looking ahead to warn of potential violations. This application is now a part of all instructor-led IncSys training and available as an add-on to existing simulator clients.

The new scenarios created strong immersion, and provoked audible gasps when the more unusual contingencies occurred. Discussions between scenarios covered important issues, including the ways that realistic simulation training can help them identify clear courses of action in advance and help prevent “analysis paralysis” during a real contingency. Some utilities in Wisconsin have recently expanded operator authority to act when control systems appear compromised, underscoring the importance of training operators to identify such incidents quickly. The exercises also helped to counteract the helplessness some operators voice with regard to cyber-attacks, by showing that there are effective responses even with compromised equipment and unreliable data.

The focus and seriousness with which the WSO operators approached the exercises was a validation of the work IncSys has done so far, and provided vital feedback that will be used to refine future versions of this course. To inquire about IncSys classroom or online training fill out the contact form here.

To quote one attendee “I found the simulator and technology provided was by far the best of any training class I’ve attended.”

WSO 2018 training at a glance:

Day 1 

Training began with an overview of West Wing Outage focusing on situational awareness and human performance. This was followed by an introduction to PowerSimulator, Cascadia, and system monitoring with Contingency Analysis. Next the operators were guided through detecting SOL and IROL violations, system islanding, and performing a Real-Time Reliability Assessment with CA. Finally they conducted a generation re-dispatch for loss of 500/230kV transformer. Operating standards covered:

  • BAL-001-2 
  • IRO-008-2
  • TOP-001-3
  • COM-002

Day 2 

The second day of training focused on operator response to cyber-attack and security penetration events. Operators were required to detect abnormal system events, identify compromised equipment, and isolate equipment to prevent damage. After containing the contingency, they analyzed the event and ran Contingency Analysis to return the system to an N-1 secure state. Operating standards covered:

  • BAL-002
  • EOP-011
  • BAL-001-2
  • IRO-008-2
  • TOP-001-3
  • COM-002 

Day 3 

The final day covered data quality analysis and restoration after a complex outage. Operators responded to a system-wide disturbance involving protection system failure and breaker backup failure. After assessing the quality of their data and the extent of the disturbance, operators ran Contingency Analysis and returned their system to an N-1 secure state. Operating standards covered:

  • PRC-001-1
  • BAL-001-2
  • BAL-002
  • EOP-011
  • IRO-008-2
  • TOP-001-3
  • COM-002