Publications

Abstract not provided.

Abstract not provided.

This study describes a cyber security research & development (R&D) gap analysis and research plan to address cyber security for industrial control system (ICS) supporting critical energy systems (CES). The Sandia National Laboratories (SNL) team addressed a long-term perspective for the R&D planning and gap analysis. Investment will posture CES for sustained and resilient energy operations well into the future. Acknowledgements The authors would like to acknowledge the funding and technical support from the Department of Energy Office of Electricity Delivery & Energy Reliability for the development of this report. The authors are very appreciative of the key contributions by other SNL personnel in supporting the analysis, particularly from Jennifer Depoy, Abraham Ellis, Derek Hart, Jordan Henry, John Mulder, and Jennifer Trasti. The authors would also like to thank the following government and non-government organiza- tions for their invaluable input to this study: Government Massachusetts Institute of Technology Lincoln Laboratory Construction Engineering Research Laboratory (CERL) Idaho National Laboratory Marine Corps Air Ground Combat Center, Twentynine Palms, California National Renewable Energy Laboratory National Institute of Standards and Technology Pacific Northwest National Laboratory U.S. Army Corps of Engineers U.S. Army Cyber Command U.S. Navy Installations Command Non-Government Customized Energy Solutions Electric Power Research Institute Enchanted Rock ICETEC Integrated Energy Solutions NEC Energy Solutions OpenADR Alliance PJM POWER Engineers Schweitzer Engineering Laboratory Southwest Research Institute Typhoon HIL, Inc. Executive Summary This study describes a long-term cyber security R&D plan to address ICS cyber security for CES. Long-term goals for ICS were assumed to be those that would require significant action and R&D to achieve, as opposed to being addressable by applying existing technology and best practices. Long-term R&D would roughly fall into the window of 5-10 years out. Investing in the identified R&D will posture CES for sustained resilient energy operations well into the future. The gaps were identified using a conventional gap analysis process. The current state of cyber security R&D was surveyed and summarized. Then, the desired future state of ICS cyber security was characterized, in terms of required capabilities for a secure and resilient ICS. Afterward, gaps were identified by comparing the current state of cyber security to the desired end-state. Finally, the gaps were prioritized and paired (where important) with the appropriate communities (industry, vendors, academia, etc.) suitable to address them. The baseline survey of the existing R&D focused on efforts in government, academia, feder- ally funded research and development centers (FFRDCs), and industry (including vendors). One primary source was existing DOE, Department of Homeland Security (DHS), and Department of Defense (DoD) programs, including Cybersecurity for Energy Delivery Systems (CEDS) and Defense Advanced Research Projects Agency (DARPA). Crucial documents from the National In- stitute of Standards and Technology (NIST) were also surveyed. On the academic side, the group included work from the Institute for Information Security & Privacy (IISP) and Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) research consortiums. Numerous other smaller efforts were cataloged as well. Overall, the results show significant attention on the cyber security issues faced by ICS, but with a definite tendency toward near-term solutions, and less defined long-term goals, particularly in terms of needed R&D. The surveyed concepts and goals were used to develop the desired state for long-term ICS cyber security. These were complemented by concepts and frameworks previously used for ICS cyber security. The overall result was the development of a matrix of needed technical capabilities for secure and resilient ICS in the long term. Eighteen cyber security concepts (referred to as "topics" for gap analysis) were identified and sorted according to their positions in the security lifecycle (secure design, reinforced implementation, operation and deployment, or cross-cutting capabilities) and security category (protect, detect, react, or recover). For each topic, a description was provided, as well as other discussion, including a comparison to existing work. The comparisons formed the basis for the gap analysis. Some security topics, although an essential part of a desired secure ICS state in the future, have significant R&D resources alieady working to realize the goal. Others, however, are only partially addressed. Besides the severity of the R&D gap, an important consideration is that perfect security is unattainable; therefore, strong security engineering must be complemented with additional security monitoring. The final rankings for long-term R&D, including specific opportunities and challenges, along with suggestions about which group or groups should be targeted for funding opportunities, are in Chapter of the report. Some of the key results include: 1. Trusted monitors, which act as out-of-band security sentinels, and security analytics, which fuse weak indicators to detect security anomalies, have very high priority for R&D. As men- tioned previously, no system can be completely trusted (or, given the potential ramifications, even reasonably trusted); therefore, monitoring is essential. 2. Virtualization is a key capability for many aspects of ICS cyber security; potential applica- tions include training environments, pre-deployment change testing, red/blue engagement, evaluating tactics-techniques-procedures (TTPs), and others. Virtualization capability would be greatly enhanced with better support for ICS field devices (like relays, programmable logic controllers, etc.) and automated model generation from design or operational system information. 3. Field devices have unique cyber security issues, and are critical to cyber risk given their application: straddling the cyber/physical domains Addressing these issues in an organized fashion (including their virtualization) is a priority R&D gap. This is also an example where industry (particularly vendors) must complement other R&D organizations.

Programmable logic controllers (PLCs) and other field devices are important components of many weapons platforms, including vehicles, ships, radar systems, etc. Many have significant cyber vulnerabilities that lead to unacceptable risk. Furthermore, common procedures used during Oper- ational Test and Evaluation (OT&E) may unexpectedly lead to unsafe or severe impacts for the field devices or the underlying physical process. This document describes an assessment methodology that addresses vulnerabilities, mitigations, and safe OT&E. Acknowledgements The authors would like to acknowledge the funding and technical support from the Office of the Director, Operational Test and Evaluation (DOT&E) for the development of this paper. Also, there were key contributions by other Sandia National Laboratories (SNL) personnel supporting the analysis, particularly from Mitch Martin, Tricia Schulz, Chris Davis, and Nick Pattengale, and from Pacific Northwest National Laboratory (PNNL), especially Chris Bonebrake, Jim Brown, and Katy Bragg. Executive Summary Industrial control system (ICS) field devices like PLCs play a critical role in the safe and reliable operation of Department of Defense (DOD) platforms and weapon systems operations. Unfor- tunately, these sorts of devices are often rife with cyber security vulnerabilities that can lead to significant risks for mission performance, or even unsafe conditions during routine OT&E. The cyber security issues faced by ICS differ from typical information technology (IT), and this re- quires a different and more specific approach to assess, test, and mitigate ICS vulnerabilities. In a typical IT system, data confidentiality and integrity are the primary concerns. In an ICS, mission operations, safety, public health, and avoiding equipment damage are the primary con- cerns. ICS devices directly control time critical processes and have little margin for delay. Outages or interruptions (even something as simple as a reboot) might not be acceptable, and if unplanned can result in significant risk to mission. Unlike IT system updates or patches, which can be done using automated server-based tools and are widely applicable, ICS updates are specific to the equipment vendor. OT&E on ICS field devices (on deployed platforms, or in high value test rigs) is often a neces- sary requirement, but this causes significant concern within the DOD ICS community. The concern is that implementing routine cyber security measures and testing on active ICS components and systems may damage the ICS or even underlying physical systems. Of particular concern are ICS field devices, which encompasses the specialized hardware that covers the boundary between the cyber and physical domains. Examples of field devices include PLCs, electric power relays, remote terminal units (RTUs), and other embedded devices. According to an Office of the Secretary of Defense (OSD) memorandum regarding "Proce- dures for Operational Test and Evaluation of Cybersecurity in Acquisition Programs," operational test agencies (OTAs) will "include cyber threats... with the same rigor as other threats" [1]. The purpose of cyber security operational test and evaluation is to evaluate the ability of a unit equipped with a system to support assigned missions in the expected environment. The "system" in this case is considered to encompass hardware, software, user operators, etc. This memorandum also spec- ifies the procedures to be used for testing oversight systems. The purpose of this docuemnt is to introduce a Field Device Assessment Methodology (FDAM) that parallels (with some differences due to the focus on ICS hardware and not the entire system) the procedures suggested in the mem- orandum. The FDAM approach is not intended to cover the entire oversight system as referenced in the memorandum; rather, it explains the procedures necessary to evaluate the ICS hardware devices. This focused approach on the hardware subset of the system is warranted because ICS field devices face very different issues than IT systems, and the risks associated with ICS cyber vulnerabilities can be significant. The goals of the FDAM are to research and rank field device vulnerabilities to be tested, sum- marize associated mitigations, and determine cyber test concerns by summarizing potential OT&E test damage/safety issues. The FDAM primarily supports the cooperative assessment stage of OT&E, although the results can also support adversarial assessments. This document provides guidance on tools and procedures that have been developed by SNL that are used to implement the FDAM approach, including an assessment framework, quantitative risk calculation, and ranked access/procedure pairs (APPs). The FDAM process itself is presented in Chapters through -- from initial research and discovery, to standalone lab testing, through to compiling the final report. It should be noted that because cyber security testing is inherently complex and detail-oriented, those performing the tests will generally have a wealth of knowledge and experience that is dif- ficult to fully document or simplify into a step by step process. In every testing situation, the background of the testers may influence how they choose to implement the process, and in which order. Although this document is presented as a logical process, it is not necessary to follow every step in the document as laid out. For example, a tester that is intimately familiar with ICS systems might choose to do the literature review and vulnerability scoring in conjunction with lab testing. Or, if project resources are limited, the best choice might be to do only a literature review and risk scoring without standalone lab testing or even a device teardown. The FDAM is intended to support OTAs, cyber protection teams (CPTs), and other organiza- tions within DOD that support OT&E on weapons platforms and systems, but it can also be applied to ICS used within DOD installations and other bases, particularly for infrastructure support. The DOT&E FDAM is applicable for mission platforms, which are heavily reliant on ICS, including naval shipboard systems (electrical plant management, machinery control, aircraft launch/recovery, radar, fire control, and others), advanced ground vehicle management, and aircraft/avionics. The FDAM also supports a range of DOD assessment requirements [2, 3] and the approach is suitable to varying classification levels, as application details and close-held government information can be included when desirable (and useful).

Distributed Energy Resources (DER) are being added to the nation's electric grid, and as penetration of these resources increases, they have the potential to displace or offset large-scale, capital-intensive, centralized generation. Integration of DER into operation of the traditional electric grid requires automated operational control and communication of DER elements, from system measurement to control hardware and software, in conjunction with a utility's existing automated and human-directed control of other portions of the system. Implementation of DER technologies suggests a number of gaps from both a security and a policy perspective. This page intentionally left blank.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Microgrids are a focus of localized energy production that support resiliency, security, local con- trol, and increased access to renewable resources (among other potential benefits). The Smart Power Infrastructure Demonstration for Energy Reliability and Security (SPIDERS) Joint Capa- bility Technology Demonstration (JCTD) program between the Department of Defense (DOD), Department of Energy (DOE), and Department of Homeland Security (DHS) resulted in the pre- liminary design and deployment of three microgrids at military installations. This paper is focused on the analysis process and supporting software used to determine optimal designs for energy surety microgrids (ESMs) in the SPIDERS project. There are two key pieces of software, an ex- isting software application developed by Sandia National Laboratories (SNL) called Technology Management Optimization (TMO) and a new simulation developed for SPIDERS called the per- formance reliability model (PRM). TMO is a decision support tool that performs multi-objective optimization over a mixed discrete/continuous search space for which the performance measures are unrestricted in form. The PRM is able to statistically quantify the performance and reliability of a microgrid operating in islanded mode (disconnected from any utility power source). Together, these two software applications were used as part of the ESM process to generate the preliminary designs presented by SNL-led DOE team to the DOD. Acknowledgements Sandia National Laboratories and the SPIDERS technical team would like to acknowledge the following for help in the project: * Mike Hightower, who has been the key driving force for Energy Surety Microgrids * Juan Torres and Abbas Akhil, who developed the concept of microgrids for military instal- lations * Merrill Smith, U.S. Department of Energy SPIDERS Program Manager * Ross Roley and Rich Trundy from U.S. Pacific Command * Bill Waugaman and Bill Beary from U.S. Northern Command * Tarek Abdallah, Melanie Johnson, and Harold Sanborn of the U.S. Army Corps of Engineers Construction Engineering Research Laboratory * Colleagues from Sandia National Laboratories (SNL) for their reviews, suggestions, and participation in the work.

This document describes a microgrid cyber security reference architecture leveraging defense- in-depth techniques that are executed by first describing actor communication using data exchange attributes, then segmenting the microgrid control system network into enclaves, and finally grouping enclaves into functional domains. To illustrate the design approach, two notional microgrid control implementations are presented. Both include a discussion on types of communication occurring on that network, data exchange attributes for the actors, and examples of segmentation via enclaves and functional domains. The second example includes results from Red Team analysis and quantitative scoring according to a novel system that derives naturally from the implementation of the cyber security architecture. Acknowledgements Sandia National Laboratories and the SPIDERS technical team would like to acknowledge the following for help in the project: * Mike Hightower, who has been the key driving force for Energy Surety Microgrids * Juan Torres and Abbas Akhil, who developed the concept of microgrids for military installations * Merrill Smith, U.S. Department of Energy SPIDERS Program Manager * Ross Roley and Rich Trundy from U.S. Pacific Command * Bill Waugaman and Bill Beary from U.S. Northern Command * Tarek Abdallah, Melanie Johnson, and Harold Sanborn of the U.S. Army Corps of Engineers Construction Engineering Research Laboratory * Colleagues from Sandia National Laboratories (SNL), Oak Ridge National Laboratory (ORNL), Idaho National Laboratory (INL), Massachusetts Institute of Technology Lincoln Laboratory (MIT-LL), United States Pacific Command (USPACOM), and the Joint Information Operations Warfare Center (JIOWC) for their reviews, suggestions, and participation in the work.

Many critical loads rely on simple backup generation to provide electricity in the event of a power outage. An Energy Surety Microgrid TM can protect against outages caused by single generator failures to improve reliability. An ESM will also provide a host of other benefits, including integration of renewable energy, fuel optimization, and maximizing the value of energy storage. The ESM concept includes a categorization for microgrid value proposi- tions, and quantifies how the investment can be justified during either grid-connected or utility outage conditions. In contrast with many approaches, the ESM approach explic- itly sets requirements based on unlikely extreme conditions, including the need to protect against determined cyber adversaries. During the United States (US) Department of Defense (DOD)/Department of Energy (DOE) Smart Power Infrastructure Demonstration for Energy Reliability and Security (SPIDERS) effort, the ESM methodology was successfully used to develop the preliminary designs, which direct supported the contracting, construction, and testing for three military bases. Acknowledgements Sandia National Laboratories and the SPIDERS technical team would like to acknowledge the following for help in the project: * Mike Hightower, who has been the key driving force for Energy Surety Microgrids * Juan Torres and Abbas Akhil, who developed the concept of microgrids for military installations * Merrill Smith, U.S. Department of Energy SPIDERS Program Manager * Ross Roley and Rich Trundy from U.S. Pacific Command * Bill Waugaman and Bill Beary from U.S. Northern Command * Melanie Johnson and Harold Sanborn of the U.S. Army Corps of Engineers Construc- tion Engineering Research Laboratory * Experts from the National Renewable Energy Laboratory, Idaho National Laboratory, Oak Ridge National Laboratory, and Pacific Northwest National Laboratory

Abstract not provided.

Microgrids consist of a combination of generation resources and load, forming an electrically sustainable entity. Although the feeder configuration, including location of circuit breakers or switches, and selection of protective devices can change from one microgrid to another, some characteristics like size of microgrid and behavior of sources feeding a fault remains similar. Due to the non-uniformity of configuration, no definite choices of protection schemes have emerged. This paper analyzes the performance of three most commonly used principles of protection - overcurrent, distance, and differential - on a microgrid topology based on three actual microgrid designs. Importance and implementation of safe islanding and resynchronization are also discussed. Though this research was done primarily for microgrids at United States military bases, the analysis and conclusions may be applied to microgrids in general.

Abstract not provided.

Abstract not provided.

Abstract not provided.

In 2012, Hurricane Sandy devastated much of the U.S. northeast coastal areas. Among those hardest hit was the small community of Hoboken, New Jersey, located on the banks of the Hudson River across from Manhattan. This report describes a city-wide electrical infrastructure design that uses microgrids and other infrastructure to ensure the city retains functionality should such an event occur in the future. The designs ensure that up to 55 critical buildings will retain power during blackout or flooded conditions and include analysis for microgrid architectures, performance parameters, system control, renewable energy integration, and financial opportunities (while grid connected). The results presented here are not binding and are subject to change based on input from the Hoboken stakeholders, the integrator selected to manage and implement the microgrid, or other subject matter experts during the detailed (final) phase of the design effort.

Abstract not provided.

Abstract not provided.

This white paper focuses on "advanced microgrids," but sections do, out of necessity, reference today's commercially available systems and installations in order to clearly distinguish the differences and advances. Advanced microgrids have been identified as being a necessary part of the modern electrical grid through a two DOE microgrid workshops, the National Institute of Standards and Technology, Smart Grid Interoperability Panel and other related sources. With their grid-interconnectivity advantages, advanced microgrids will improve system energy efficiency and reliability and provide enabling technologies for grid-independence to end-user sites. One popular definition that has been evolved and is used in multiple references is that a microgrid is a group of interconnected loads and distributed-energy resources within clearly defined electrical boundaries that acts as a single controllable entity with respect to the grid. A microgrid can connect and disconnect from the grid to enable it to operate in both grid-connected or island-mode. Further, an advanced microgrid can then be loosely defined as a dynamic microgrid.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Design and operation of the electric power grid (EPG) relies heavily on computational models. High-fidelity, full-order models are used to study transient phenomena on only a small part of the network. Reduced-order dynamic and power flow models are used when analysis involving thousands of nodes are required due to the computational demands when simulating large numbers of nodes. The level of complexity of the future EPG will dramatically increase due to large-scale deployment of variable renewable generation, active load and distributed generation resources, adaptive protection and control systems, and price-responsive demand. High-fidelity modeling of this future grid will require significant advances in coupled, multi-scale tools and their use on high performance computing (HPC) platforms. This LDRD report demonstrates SNL's capability to apply HPC resources to these 3 tasks: (1) High-fidelity, large-scale modeling of power system dynamics; (2) Statistical assessment of grid security via Monte-Carlo simulations of cyber attacks; and (3) Development of models to predict variability of solar resources at locations where little or no ground-based measurements are available.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

The development continues for Finite State Abstraction (FSA) methods to enable Impacts Analysis (IA) for cyber attack against power grid control systems. Building upon previous work, we successfully demonstrated the addition of Bounded Model Checking (BMC) to the FSA method, which constrains grid conditions to reasonable behavior. The new FSA feature was successfully implemented and tested. FSA is an important part of IA for the power grid, complementing steady-state approaches. It enables the simultaneous evaluation of myriad dynamic trajectories for the system, which in turn facilitates IA for whole ranges of system conditions simultaneously. Given the potentially wide range and subtle nature of potential control system attacks, this is a promising research approach. In this report, we will explain the addition of BMC to the previous FSA work and some testing/simulation upon the implemented code using a two-bus test system. The current FSA approach and code allow the calculation of the acceptability of power grid conditions post-cyber attack (over a given time horizon and for a specific grid topology). Future work will enable analysis spanning various topologies (to account for switching events), as well as an understanding of the cyber attack stimuli that can lead to undesirable grid conditions.

Abstract not provided.

To analyze the risks due to cyber attack against control systems used in the United States electrical infrastructure, new algorithms are needed to determine the possible impacts. This research is studying the Reliability Impact of Cyber ttack (RICA) in a two-pronged approach. First, malevolent cyber actions are analyzed in terms of reduced grid reliability. Second, power system impacts are investigated using an abstraction of the grid's dynamic model. This second year of esearch extends the work done during the first year.

Process Control System (PCS) security is critical to our national security. Yet, there are a number of technological, economic, and educational impediments to PCS owners implementing effective security on their systems. OPSAID (Open PCS Security Architecture for Interoperable Design), a project sponsored by the US Department of Energy's Office of Electricity Delivery and Reliability, aims to address this issue through developing and testing an open source architecture for PCS security. Sandia National Laboratories, along with a team of PCS vendors and owners, have developed and tested this PCS security architecture. This report describes their progress to date.2 AcknowledgementsThe authors acknowledge and thank their colleagues for their assistance with the OPSAID project.Sandia National Laboratories: Alex Berry, Charles Perine, Regis Cassidy, Bryan Richardson, Laurence PhillipsTeumim Technical, LLC: Dave TeumimIn addition, the authors are greatly indebted to the invaluable help of the members of the OPSAID Core Team. Their assistance has been critical to the success and industry acceptance of the OPSAID project.Schweitzer Engineering Laboratory: Rhett Smith, Ryan Bradetich, Dennis GammelTelTone: Ori Artman Entergy: Dave Norton, Leonard Chamberlin, Mark AllenThe authors would like to acknowledge that the work that produced the results presented in this paper was funded by the U.S. Department of Energy/Office of Electricity Delivery and Energy Reliability (DOE/OE) as part of the National SCADA Test Bed (NSTB) Program. Executive SummaryProcess control systems (PCS) are very important for critical infrastructure and manufacturing operations, yet cyber security technology in PCS is generally poor. The OPSAID (Open PCS (Process Control System) Security Architecture for Interoperable Design) program is intended to address these security shortcomings by accelerating the availability and deployment of comprehensive security technology for PCS, both for existing PCS and inherently secure PCS in the future. All activities are closely linked to industry outreach and advisory efforts.Generally speaking, the OPSAID project is focused on providing comprehensive security functionality to PCS that communicate using IP. This is done through creating an interoperable PCS security architecture and developing a reference implementation, which is tested extensively for performance and reliability.This report first provides background on the PCS security problem and OPSAID, followed by goals and objectives of the project. The report also includes an overview of the results, including the OPSAID architecture and testing activities, along with results from industry outreach activities. Conclusion and recommendation sections follow. Finally, a series of appendices provide more detailed information regarding architecture and testing activities.Summarizing the project results, the OPSAID architecture was defined, which includes modular security functionality and corresponding component modules. The reference implementation, which includes the collection of component modules, was tested extensively and proved to provide more than acceptable performance in a variety of test scenarios. The primary challenge in implementation and testing was correcting initial configuration errors.OPSAID industry outreach efforts were very successful. A small group of industry partners were extensively involved in both the design and testing of OPSAID. Conference presentations resulted in creating a larger group of potential industry partners.Based upon experience implementing and testing OPSAID, as well as through collecting industry feedback, the OPSAID project has done well and is well received. Recommendations for future work include further development of advanced functionality, refinement of interoperability guidance, additional laboratory and field testing, and industry outreach that includes PCS owner education. 4 5 --This page intentionally left blank --

Abstract not provided.

Abstract not provided.

Abstract not provided.

Abstract not provided.

Supervisory Control and Data Acquisition (SCADA) systems for automation are very important for critical infrastructure and manufacturing operations. They have been implemented to work in a number of physical environments using a variety of hardware, software, networking protocols, and communications technologies, often before security issues became of paramount concern. To offer solutions to security shortcomings in the short/medium term, this project was to identify technologies used to secure "traditional" IT networks and systems, and then assess their efficacy with respect to SCADA systems. These proposed solutions must be relatively simple to implement, reliable, and acceptable to SCADA owners and operators. 4This page intentionally left blank.

Abstract not provided.

Abstract not provided.

Abstract not provided.

This report presents a classification scheme for risk assessment methods. This scheme, like all classification schemes, provides meaning by imposing a structure that identifies relationships. Our scheme is based on two orthogonal aspects--level of detail, and approach. The resulting structure is shown in Table 1 and is explained in the body of the report. Each cell in the Table represent a different arrangement of strengths and weaknesses. Those arrangements shift gradually as one moves through the table, each cell optimal for a particular situation. The intention of this report is to enable informed use of the methods so that a method chosen is optimal for a situation given. This report imposes structure on the set of risk assessment methods in order to reveal their relationships and thus optimize their usage.We present a two-dimensional structure in the form of a matrix, using three abstraction levels for the rows and three approaches for the columns. For each of the nine cells in the matrix we identify the method type by name and example. The matrix helps the user understand: (1) what to expect from a given method, (2) how it relates to other methods, and (3) how best to use it. Each cell in the matrix represent a different arrangement of strengths and weaknesses. Those arrangements shift gradually as one moves through the table, each cell optimal for a particular situation. The intention of this report is to enable informed use of the methods so that a method chosen is optimal for a situation given. The matrix, with type names in the cells, is introduced in Table 2 on page 13 below. Unless otherwise stated we use the word 'method' in this report to refer to a 'risk assessment method', though often times we use the full phrase. The use of the terms 'risk assessment' and 'risk management' are close enough that we do not attempt to distinguish them in this report. The remainder of this report is organized as follows. In Section 2 we provide context for this report--what a 'method' is and where it fits. In Section 3 we present background for our classification scheme--what other schemes we have found, the fundamental nature of methods and their necessary incompleteness. In Section 4 we present our classification scheme in the form of a matrix, then we present an analogy that should provide an understanding of the scheme, concluding with an explanation of the two dimensions and the nine types in our scheme. In Section 5 we present examples of each of our classification types. In Section 6 we present conclusions.

Abstract not provided.

Abstract not provided.

Abstract not provided.

This report documents work supporting the Sandia National Laboratories initiative in Distributed Energy Resources (DERs) and Supervisory Control and Data Acquisition (SCADA) systems. One approach for real-time control of power generation assets using feedback control, Quantitative feedback theory (QFT), has recently been applied to voltage, frequency, and phase-control of power systems at Sandia. QFT provided a simple yet powerful philosophy for designing the control systems--allowing the designer to optimize the system by making design tradeoffs without getting lost in complex mathematics. The feedback systems were effective in reducing sensitivity to large and sudden changes in the power grid system. Voltage, frequency, and phase were accurately controlled, even with large disturbances to the power grid system.

Abstract not provided.