Saturday, May 9, 2015

On the Resilience of the Power Grid

The power generation and distribution system, for short "the grid," is an interesting system in a number of ways.  One of these is that, within fairly narrow limits, the supply must equal the demand.  There is a small amount of slack but little storage.  Supply decisions are made by utilities in 500 KWH increments while demand decisions are made by individuals 150 W at a time.

Obviously such a system benefits from scale.  At least within limits, the more sources and uses in the system, the easier it is to achieve the necessary balance.  In order to achieve that scale, all providers and users within a geographic region embracing many large and small states are connected in a market network.  Any supply, i.e., any generator, can be directed to any user.  Suppliers with excess capacity offer it for sale to all other suppliers in the grid.  Each supplier may buy from any other, and will do so, as long as that supplier's offer is lower than its own marginal cost of generation.

This market is highly automated and very efficient.  Not only does it provide a low average cost for all customers but it also provides reliability.  A utility that suffers a component failure, for example the loss of a generator, can use supply from any of its peers.  However, in the short run, the loss of supply may create an imbalance between supply and demand.  Other components may be momentarily overloaded.  Since a sustained overload might ultimately cause a component to fail in a destructive manner, components are designed either to shed load or to shut down in order to protect themselves from damage.  Within limits the system can absorb multiple simultaneous component failures, and re-balance, while maintaining service to most users.

However, this design means that the grid is vulnerable to "cascading failures," in which the failure of one component may cause the protective shutdown of other components.  While the resilience of the system is continually improving, there will always be an upper bound to the number of simultaneous component failures that the system can tolerate.  When that threshold is crossed, apparently about once a generation, the system is designed to shut down in an orderly and non-destructive manner.  These successful shutdowns enable the system to resume normal service in hours to tens of hours. Such successful shutdowns will continue to be described by politicians and the media as "failures."  The designers and operators of the network will continue to think of them as successful "power grid security."
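The cascade and the tolerance threshold described above can be made concrete with a small simulation.  What follows is an added, constructed toy model, not code from the original post and not a model of any real grid: n identical components carry a fixed demand; when one trips, its load is spread evenly over the survivors; a survivor pushed past its capacity either trips in turn (policy "trip") or sheds only the excess demand and stays online (policy "shed").  The component count, the 30% headroom and the 50% served-demand threshold that stands in for the orderly-shutdown decision are arbitrary assumptions.  Run with ten components, the trip-only system rides through two simultaneous failures and collapses completely on the third, while the shedding policy turns that same third failure into a partial outage with 91% of demand still served.

```python
"""Toy cascade model: constructed example for the grid discussion above.

Assumptions (not from the post): n identical components share a fixed
demand of n * load; a tripped component's load is spread evenly over the
survivors; an overloaded survivor either trips in turn ("trip") or drops
just the excess demand and stays online ("shed").
"""


def run_cascade(n, capacity, load, initial_failures, policy):
    """Fail `initial_failures` components at once and let the cascade settle.

    capacity: protective trip point per component; load: nominal load per
    component; policy: "trip" or "shed".
    Returns (served_fraction, components_still_online).
    """
    if policy not in ("trip", "shed"):
        raise ValueError("policy must be 'trip' or 'shed'")
    total_demand = float(n * load)
    loads = [float(load)] * n        # load carried by each component
    online = [True] * n
    pending = list(range(min(initial_failures, n)))  # components about to go offline

    while pending:
        i = pending.pop(0)
        if not online[i]:
            continue                 # already tripped earlier in the cascade
        online[i] = False
        carried, loads[i] = loads[i], 0.0
        survivors = [j for j in range(n) if online[j]]
        if not survivors:
            break                    # nothing left to carry the load: total blackout
        share = carried / len(survivors)
        for j in survivors:
            loads[j] += share
            if loads[j] > capacity:
                if policy == "trip":
                    if j not in pending:
                        pending.append(j)        # protective trip: cascade continues
                else:
                    loads[j] = float(capacity)   # shed the excess; those customers go dark
    served = sum(loads[j] for j in range(n) if online[j])
    return served / total_demand, sum(online)


def max_tolerated_failures(n, capacity, load, policy, min_served=0.5):
    """Largest simultaneous failure count that still leaves at least
    `min_served` of demand served; below that we call it an orderly shutdown."""
    tolerated = 0
    for k in range(1, n + 1):
        served, _ = run_cascade(n, capacity, load, k, policy)
        if served < min_served:
            break
        tolerated = k
    return tolerated


if __name__ == "__main__":
    # Ten components with 30% headroom: 1000 units of demand, 1300 of capacity.
    for policy in ("trip", "shed"):
        print(f"policy={policy}: tolerates {max_tolerated_failures(10, 130, 100, policy)} "
              "simultaneous failures")
        for k in (2, 3, 4):
            served, up = run_cascade(10, 130, 100, k, policy)
            print(f"  {k} failures -> {served:.0%} of demand served, {up} components online")
```

The trip-only policy has no middle ground: once the survivors' combined capacity falls below demand, every redistribution overloads the next component and the whole system goes dark, which is the all-or-nothing behaviour the text calls a cascading failure.  Shedding converts that into graceful degradation, at the price of deliberately disconnecting some customers.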

Notice that once the system has shut down, it must be restarted in a systematic way, adding supply and demand back to the system so as to sustain the necessary balance between them.  Said another way, we cannot simply turn everything back on at once.  This is complicated by the fact that many consuming components draw significantly more power at start-up than they do while up and running.  It is easy to imagine that restarting all the air-conditioners and refrigerators in a neighborhood at the same time takes dramatically more power than sustaining them as they cycle on and off in normal operation.  While most components will restart automatically, some may require manual operation.  The more extensive the outage, the longer the restart will take.

Within limits we can increase the reliability of the grid by adding redundant capacity and automatic controls.  Redundancy increases cost and drives down revenue per component.  Therefore, there is an economic limit to the amount of redundancy we will add.  As we add redundancy, we must add more automatic controls; redundant components and controls increase the complexity of the system.  At some point that increased complexity begins to cause more failures than it prevents.  A mean time to failure of infinity implies infinite cost; long before we reach that point, somewhere around a mean time between shutdowns of the entire grid of about twenty years, we will stop.

Notice that even these massive shutdowns are less disruptive than such natural disasters as ice storms, where many homes may be without power or heat for days to weeks.

Monday, May 4, 2015

Chip and PIN Compared to Chip and Signature

As we begin the long process of changing credit cards from the obsolete magnetic stripe technology to smart (EMV) "chip" cards, there has been a lot of criticism of the decision of the credit card issuers not to implement "Chip and PIN."  Much of this discussion has asserted that "Chip and PIN" is more secure than the chosen chip card and signature strategy.  Apparently this position is so obvious that it has stifled analysis.

I assert that Chip and PIN is only marginally more secure than Chip and Signature.  It protects against the fraudulent use of lost or stolen cards.  However, fraudulent use of lost or stolen cards is only a small portion of the fraud.  The largest part uses counterfeit cards; chips resist counterfeiting.

For both the individual and the issuer, the best protection against fraudulent use of lost or stolen cards is to report the card lost or stolen.  The individual is now protected against any use of the card.  The issuer will revoke the card and is now protected against any online use of the card.

Note that the effectiveness of revocation depends in part upon the market.  In the U.S., where most transactions take place online, it is very effective.  In markets where the infrastructure is less robust and many transactions take place offline, revocation is less effective.  Thus in the U.S. issuers are opting for Chip and Signature while in other markets Chip and PIN is chosen.

Note that only the issuers know what the losses from fraudulent use of lost or stolen cards are, that is, how much fraud might be reduced by the use of a PIN on all transactions.  It is fair to assume that they know what they are doing.

Some have asserted that, in the absence of the PIN, security will rely upon clerks to reconcile a signature on the transaction document to the reference signature on the card.  For most routine transactions we do not rely upon the clerk to verify the signature or even to touch the card.  While in some places we still sign a chit, at checkout stands we sign on a little tablet (I hate them).  No one ever checks the signature unless the transaction is disputed.  Said another way, at least in the U.S., we rely mostly on possession of a current card to authenticate most transactions; both signatures and PINs are backup, and there is little to choose between them.