The Internet doesn't suit companies
that are vulnerable to security or financial risk (em
like electric transmission providers.
THE RUSH IS ON TO SET OASIS IN MOTION.
First proposed by the Federal Energy Regulatory Commission (FERC) in its so-called electric "mega-NOPR" as "Real-time Information Networks" (RINs), and then codified in FERC Order 889 as the "Open-access, Same-time Information System" (OASIS), the idea is to bring the market for electric transmission capacity out into the sunshine.
But which factor should pose the greater concern: The approach taken by the RINs program designers in FERC Order 889, or the scope of the problem they attempted to solve in the first place? Both merit more serious thought despite the rush to implement OASIS, now set to begin on a test basis on December 2, and for commercial operation on January 3, 1997.
The Joint Transmission Services Information Network, an industry task force with 250 company members and nearly half the nation's transmission mileage, has awarded a contract to develop a system to carry capacity information and transact sales over the Internet. Each utility will have a "node" on OASIS that lists its available transmission capacity.1 A working prototype of an OASIS node is currently accessible at: http://www.tsin.com.
Nevertheless, is the Internet a safe and secure place for companies to do business? Probably not, at least not for companies with a great deal of safety vulnerability or financial risk. Electric transmission operations feature both of these characteristics.
The Internet: An Open Door?
For obvious technical reasons, most industries have not felt the need to transact electronic commerce across the Internet. "Even its most zealous supporters know that the Internet is not yet a utility-grade system," reported the Institute of Electrical and Electronic Engineers (IEEE).2 The most obvious reason lies with security, but reliability also poses concerns. While cryptographic technology appears readily available, its use so far has been limited by the U.S. Government as a "munition." Netscape is now allowed to distribute software for the World Wide Web that contains theoretically unbreakable algorithms, but by the company's own admission, the scope of this security remains limited.3 The U.S. National
Research Council4 further notes that cryptography "may lead [a determined] opponent to exploit some other vulnerability in the system." A 1995 study of Pentagon computers revealed as many as 250,000 attempts to penetrate military computers, of which 65 percent were successful. Only one in 150 intrusions was detected.5
The general reliability of Internet-based systems is also suspect. The New York Times reported this summer that during one week in June 1996, major Internet providers America Online (AOL), Microsoft, and Netcom went "down" for a total of nearly 24 hours, inconveniencing over seven million customers.6 AT&T has found it necessary to reserve up to eight hours of downtime each week for scheduled maintenance of its Internet infrastructure. Internet communications remain subject to "denial of service" (em connections "upstream" can be attacked, disabling corporate and individual end users. In September, InternetMCI lost its ability to route messages, effectively disconnecting Minnesota from the Internet for 12 hours.7 An officer of AOL remarked to IEEE that "the equipment the Internet is built on is not telco-grade. 'Just reboot the router' is not a rational statement."8
Moreover, with all the attention paid to the Web portion of OASIS, has anyone paid enough attention to the "back-end" systems such as dispatching and billing, or are these tasks expected to be performed manually?
Commercial Risks
Is the Internet the right model for electronic commerce in the first place?
In industries marked by small, well-established supplier chains, electronic commerce has carried on quietly and successfully for over a decade without the Internet. The automotive, retailing, pharmaceutical, and transportation industries, for instance, emphasize well-defined and timely transactions as opposed to high-tech communications. These industries define "real-time" to mean within a day, never within an hour or a minute.
What benefits could be realized by implementing an information system on the Internet? For most firms engaged in electronic commerce, the advantage probably comes from the easy access to a large retail market. Indeed, technophiles would be comfortable making a credit-card purchase from a vendor across the Net (to date, not a single credit-card number has been stolen during a transaction9). But the OASIS market remains limited to a few hundred utilities and energy brokers at this time, not millions of end users. The technology cuts both ways for the privilege of riding the Internet wave. Millions of potentially
adversarial individuals will acquire the opportunity, electronically, to "stick their keys in the door" and see whether they can get in.
The classic definition of risk holds two parts: magnitude and probability. For the electric industry, those two elements can be restated as follows: 1) How severe are the consequences of entering a fraudulent order into the transmission system?, and 2) Given 40 million Internet users and an unproven security infrastructure, how likely is a successful system invasion? Until real safeguards prove effective, the OASIS system must rely for its defense on "security by obscurity."
To maintain most of the innovations of the OASIS and overcome most of the security issues, the system could and should run on a private data network. This network would not be private in the physical sense; the OASIS nodes would be connected by circuits leased from telecommunications carriers. In most cases, utilities are already implementing digital voice and data networks that feature this capability, and the marginal cost of an OASIS link is negligible. Connections to other utilities can be meshed physically or logically to provide reliability through redundancy. In this way, OASIS could use the same Internet Web software and electronic commerce techniques, while ensuring network performance and avoiding externally launched attacks.
Transmission Operation
The larger issue clouding the formation of a real-time network for information is the management of transmission per se: Transactions must take place within the physical-capacity constraints of the transmission network. Whether a transaction should take place depends on the capacity of the
system to transmit current to one or more points of delivery. The engineering decision as to whether such a sale can take place depends on systemwide information (em i.e., calculations, including possible loop flows. Responding to the mega-NOPR, the "What" group of the North American Electric Reliability Council (NERC) commented: "It does not seem possible to post the availability of Network Integration Transmission Services" on an OASIS.10 An engineer developing his company's OASIS remarked: "The power flows according to the laws of physics, not according to who is selling power to whom. . . . The grid systems have many bottlenecks."11
The July 2 disturbance in the Western States Coordinating Council (WSCC) clearly illustrates the dynamics of power flows. A flashover between a tree and a 345-Kv transmission line created an outage covering 15 states and affecting two million customers, all within 35 seconds. As the WSCC has noted, if this flashover had been the only incident, customer outages would not have occurred.12 But in hindsight, simultaneous record-high load, near-record-high generation, and significant power transfers were also taking place. The incident underscores the effect of a single point of failure (em one similar to undercapacity that could result from uncoordinated wheeling.
In contrast to the distributed Internet paradigm currently in development, the natural approach might lie in a small number of regional or central trading systems. With proper instrumentation and input, a central trading system could allocate capacity within engineering limits to try to meet the needs of buyers and sellers. A common database (em we might call this the "NASDAQ" approach, after the automated stock market (em might also contribute to better financial reconciliation among parties. For reliability, a central system could maintain standby computers on line at geographically separate locations.
Neither a Bottleneck Nor a Lake
The latent technical issue of OASIS is not whether the Internet is appropriate, but rather, whether a distributed system based on simple bilateral transactions can effectively manage a regional or national transmission network. Electricity does not become congested at bottlenecks, like cars queuing at an intersection. Nor is it a lake, as another has suggested, which lacks interaction among transactions.13 As experience in the United Kingdom has shown, a central database and simulation tool are needed to contain capacity plans and load commitments.
As far as OASIS access over the Internet is concerned, the potential consequences of a security breach or other failure far outweigh any possible benefit, given the current wholesale market and legal limitations on encryption. Utilities should consider the Internet as a means of communicating informally with customers and suppliers, but should only entrust their wheeling transactions to a closed network. t
John Hoag is a graduate research associate at The National Regulatory Research Institute and a PhD candidate in industrial and systems engineering at Ohio State University. His engineering experience includes creating Internet services for government and military purposes and developing demand-side management technology. E-mail: j.hoag@ieee.org.
Articles found on this page are available to Internet subscribers only. For more information about obtaining a username and password, please call our Customer Service Department at 1-800-368-5001.