Security Issues in Drinking Water Distribution Networks
Demetrios G. Eliades and Marios M. Polycarpou*
KIOS Research Center for Intelligent Systems and Networks
Dept. of Electrical and Computer Engineering
University of Cyprus, CY-1678 Nicosia, Cyprus
{eldemet,mpolycar}@ucy.ac.cy
Abstract. This paper formulates the security problem of sensor placement in water distribution
networks for contaminant detection. An initial attempt to develop a problem formulation is
presented, suitable for mathematical analysis and design. Multiple risk-related objectives are
minimized in order to compute the Pareto front of a set of possible solutions; the considered
objectives are the contamination impact average, worst-case and worst-cases average. A multiobjective optimization methodology suitable for considering more that one objective function is
examined and solved using a multiple-objective evolutionary algorithm.
Keywords: contamination, water distribution, sensor placement, multi-objective optimization,
security of water systems.
1
Introduction
A drinking water distribution network is the infrastructure which facilitates delivery
of water to consumers. It is comprised of pipes which are connected to other pipes at
junctions or connected to tanks and reservoirs. Junctions represent points in the network where pipes are connected, with inflows and outflows. Each junction is assumed
to serve a number of consumers whose aggregated water demands are the junction’s
demand outflow. Reservoirs (such as lakes, rivers etc.) are assumed to have infinite
water capacity which they outflow to the distribution network. Tanks are dynamic
elements with finite capacity that fill, store and return water back to the network.
Valves are usually installed to some of the pipes in order to adjust flow, pressure, or
to close part of the network if necessary. Water quality monitoring in distribution
networks involves manual sampling or placing sensors at various locations to determine the chemical concentrations of various species such as disinfectants (e.g. chlorine) or for various contaminants that can be harmful to the consumers.
Distribution networks are susceptible to intrusions due to their open and uncontrolled nature. Accidental faults or intentional actions could cause a contamination,
that may affect significantly the health and economic activities of a city. Contaminants are substances, usually chemical, biological or radioactive, which travel along
the water flow, and may exhibit decay or growth dynamics. The concentration dynamics of a substance in a water pipe can be modelled by the first-order hyperbolic
*
This work is partially supported by the Research Promotion Foundation (Cyprus) and the
University of Cyprus.
E. Corchado et al. (Eds.): CISIS 2008, ASC 53, pp. 69–76, 2009.
springerlink.com
© Springer-Verlag Berlin Heidelberg 2009
70
D.G. Eliades and M.M. Polycarpou
equations of advection and reaction [1]. When a contaminant reaches a water consumer node, it can expose some of the population served at risk, or cause economic
losses.
The issue of modelling dangerous contaminant transport in water distribution networks was examined in [2], where the authors discretized the equations of contaminant transport and simulated a network under contamination. Currently, in water
research an open-source hydraulic and quality numerical solver, called EPANET, is
frequently used for computing the advection and reaction dynamics in discrete-time
[3]. The security problem of contaminant detection in water distribution networks was
first examined in [4]. The algorithmic “Battle of the Water Sensor Networks” competition in 2006 boosted research on the problem and established some benchmarks [5].
While previous research focused on specific cases of the water security problem, there
has not been a unified problem formulation. In this work, we present an initial attempt
to develop such a problem formulation, suitable for mathematical analysis and design.
In previous research the main solution approach has been the formulation of an
integer program which is solved using either evolutionary algorithms [6] or mathematical programming [7]. Various groups have worked in an operational research
framework in formulating the mathematical program as in the ‘p-median’ problem
[8]. Although these formulations seek to minimize one objective, it is often the case
the solutions are not suitable with respect to some other objectives. In this work
we propose a multi-objective optimization methodology suitable for considering more
that one objective function.
Some work has been conducted within a multi-objective framework, computing the
Pareto fronts for conflicting objectives and finding the sets of non-dominant feasible
solutions [9], [10]. However some of the objectives considered did not capture
the contamination risk. The most frequently used risk objective metric is the average
impact on the network. Recently, other relevant metrics have also been applied [11],
[7], such as the ‘Conditional Value at Risk’ (CVaR) which corresponds to the average
impact of the worst case scenarios. In this work we present a security-oriented formulation and solution of the problem when the average, the worst-case (maximum impact) and the average of worst-cases (CVaR) impact is considered. For computing the
solution, we examine the use of a multi-objective evolutionary algorithm.
In Section 2 the problem is formulated; in Section 3, the solution methodology is
described and an algorithmic solution is presented. In Section 4 simulation results are
demonstrated using a realistic water distribution network. Finally, the results are summarized and future work is discussed in Section 5.
2
Problem Formulation
We first express the network into a generic graph with nodes and edges. We consider
nodes in the graph as locations in the distribution network where water consumption
can occur, such as reservoirs, pipe junctions and tanks. Pipes that transport water from
one node to another are represented as edges in the graph. Let V be the set of n nodes
in the network, such that V={v1,…,vn} and E be the set of m edges connecting pairs of
nodes, where for e∈E, e=(vi,vj). The two sets V and E capture the topology of the
water distribution network. The function g(t), g:ℜ+ a ℜ + describes the rate of
Security Issues in Drinking Water Distribution Networks
71
contaminant’s mass injection in time at a certain node. A typical example of this injection profile is a pulse signal of finite duration.
A contamination event ψ i ( g v (t )) is the contaminant injection at node vi∈V with rate
i
g vi (t ) . A contamination scenario s={ψ1,…,ψn} is defined as the set of contamination
events ψi at each node vi describing a possible “attack” on the network. Typically, the
contamination event ψi at most nodes will be zero, since the injection will occur at a
few specific nodes. The set of nodes where intrusion occurs for a scenario s is V*={vi |
ψi≠0, ψi∈s}, so that V*⊆V. Let S be the set of all possible contamination scenarios
w.r.t the specific water distribution system. We define the function ω̃(s,t),
ω̃:S×ℜ+ a ℜ , as the impact of a contamination scenario s until time t, for s∈S. This
impact is computed through
ω~( s, t ) = ∑ ϕ (vi , s, t ),
vi ∈V
(1)
where φ:V×S×ℜ+ a ℜ is a function that computes the impact of a specific scenario s
at node vi until time t. The way to compute φ(⋅) is determined by the problem
specifications; for instance it can be related to the number of people infected at each
node due to contamination, or to the consumed volume of contaminated water.
For edge (vi,vj)∈Ε, the function τ(vi,vj,t), τ:V×V×ℜ+ a ℜ , expresses the transport
time between nodes vi and vj, when a particle departs node vi at time t. This is computed by solving the network water hydraulics with a numerical solver for a certain
time-window and for a certain water demands, tank levels and hydraulic control actions. This corresponds to a time-varying weight for each edge. We further define the
function τ*:S×V a ℜ so that when for a scenario s, τ*(s,vi) is the minimum transport
time for the contaminant to reach node vi∈V. To compute this we consider
τ * ( s, vi ) = min F (vi , v j , s ), where for each intrusion node vj∈V* during a scenario s, the
v ∈V *
j
function F(·) is a shortest path algorithm for which the contaminant first reaches node
vi. Finally we define function ω:S×V a ℜ , in order to express the impact of a contamination scenario s until it reaches node vi, such that ω(vi,s)= ω̃(s,τ*(s,vi)). This
function will be used in the optimization formulation in the next section.
3
Solution Methodology
Since the set of all possible scenarios S is comprised of infinite elements, an increased
computational complexity is imposed to the problem; moreover, contaminations in
certain nodes are unrealistic or have trivial impacts. We can relax the problem by
considering S0 as a representative finite subset of S, such that S0⊂S. In the simulations
that follow, we assume that a scenario s∈S0 has a non-zero element for ψi and zero
elements for all ψj for which i≠j. We further assume that the non-zero contamination
event is ψi=g0(t,θ), where g0(·) is a known signal structure and θ is a parameter vector
in the bounded parameter space Θ, θ∈Θ. Since Θ has infinite elements, we perform
grid sampling and the selected parameter samples constitute a finite set Θ0⊂Θ. We
assume that the parameter vector θ of a contamination event ψi also belongs to Θ0,
72
D.G. Eliades and M.M. Polycarpou
such that θ∈Θ0. Therefore, a scenario s∈S0 is comprised of one contamination event
with parameter θ∈Θ0; the finite scenario set S0 is comprised of |V|·|Θ0| elements.
3.1 Optimization Problem
In relation to the sensor placement problem, when there is more than one sensor in the
network, the impact of a fault scenario s∈S0 is the minimum impact among all the
impacts computed for each node/sensor; essentially it corresponds to the sensor that
detects the fault first.
We define three objective functions fi:X a ℜ , i={1,2,3}, that map a set of nodes
X⊂V to a real number. Specifically, f1(X) is the average impact of S0, such that
f1 ( X ) =
1
∑ min ω ( x, s).
| S 0 | s∈S0 x∈X
(2)
Function f2(X) is the maximum impact of the set of all scenarios, such that
f 2 ( X ) = max min ω ( x, s).
s∈S0
x∈X
(3)
Finally, function f3(X) corresponds
to the CVaR risk metric and is the average impact
*
S
0
of the scenarios in the set ⊂S0 with impact larger that αf2(X), where α∈[0,1],
⎫⎪
⎧⎪ 1
f3 ( X ) = ⎨
min ω ( x, s ) :s ∈ S 0* ⇔ min ω ( x, s ) ≥ αf 2 ( X ) ⎬ .
∑
x∈X
⎪⎭
⎪⎩| S 0* | x∈S0* x∈X
(4)
The multi-objective optimization problem is formulated as
min{ f1 ( X ), f 2 ( X ), f 3 ( X )} ,
X
(5)
subject to X⊂V' and |X|=N, where V'⊆V is the set of feasible nodes and N the number
of sensors to be placed. Minimizing an objective function may result in maximizing
others; it is thus not possible to find one optimal solution that satisfies all objectives at
the same time. It is possible however to find a set of solutions, laying on a Pareto
front, where each solution is no worse that the other.
3.2 Algorithmic Solution
In general a feasible solution X is called Pareto optimal if for a set of objectives Γ and
i,j∈Γ, there exists no other feasible solution X' such that fi(X')≤fi(X) with fj(X')<fj(X)
for at least one j. Stated differently, a solution is Pareto optimal if there is no other
feasible solution that would reduce some objective function without simultaneously
causing an increase in at least one other objective function [15, p.779].
The solution space is extremely big, even for networks with a few nodes. The set
of computed solutions may or may not represent the actual Pareto front. Heuristic
searching [9] or computational intelligence techniques such as multi-objective evolutionary algorithms [16], [17], [6] have been applied for this problem. In this work we
consider an algorithm suitable for the problem, the NSGA-II [18]. This algorithm is
examined in the multi-objective sensor placement formulation for risk minimization.
Security Issues in Drinking Water Distribution Networks
73
In summary, the algorithm randomly creates a set of possible solutions P; these solutions are examined for non-dominance and are separated in ranks. Specifically, the
subset of solutions that are non-dominant in the set is P1⊂P. By removing P1, the
subset of solutions that are non-dominant in the set is P2⊂{P-P1}, and so on. A
‘crowding’ metric is used to express the proximity of one solution to its neighbour
solutions; this is used to achieve ‘better’ spreading of solutions on the Pareto front. A
subset of P is selected for computing a new set of solutions, in a rank and crowding
metric competition. The set of new solutions P' is computed through genetic algorithm operators such as crossover and mutation. The sets P are P' are combined and
their elements are ranked with the non-dominance criterion. The best solutions in the
mixed set are selected to continue to the next iteration. The algorithm was modified in
order to accept discrete inputs, specifically the index number of nodes.
4 Simulation Results
To illustrate the solution methodology we examine the sensor placement problem in a
realistic distribution system. The network model is comprised by the topological information as well as the outflows for a certain period of time. A graphical representation of the network is shown in Fig. 1.
Fig. 1. Spatial schematic of network. The Source represents a reservoir supplying water to the
network and Tanks are temporary water storage facilities. Nodes are consumption points.
The network has 126 nodes and 168 pipes; in detail it consists of two tanks, one
infinite source reservoir, two pumps and eight valves. All nodes in the network are
possible locations for placing sensors. The water demands across the nodes are not
uniformly distributed; specifically, 20 of the nodes are responsible for more than 80%
of all water demands. The network is in EPANET 2.0 format and was used in the
‘Battle of the Water Sensor Networks’ design challenge [5, 17]. The demands for a
typical day are provided in the network.
According to our solution methodology, we assumed that g0(·) is a pulse signal with
three parameters: θ1=28.75 Kg/hr the rate of contaminant injection, θ2=2 hr the duration of the injection and 0≤θ3≤24 hr the injection start time (as in [5]). By performing 5
minute sampling on θ3, the finite set Θ0 is build with |Θ0|=288 parameters. All nodes
74
D.G. Eliades and M.M. Polycarpou
were considered as possible intrusion locations, and it is assumed that only that only
one node can be attacked at each contamination scenario. Therefore, the finite scenario
set S0 has |S0|=126⋅288= 36,288 elements. Impact φ(⋅) is computed using a nonlinear
function described in [5] representing the number of people infected due to contaminant consumption. Hydraulic and quality dynamics were computed using the EPANET
software.
(a)
(b)
Fig. 2. (a): Histogram of the maximum normalized impact affected in all contamination scenarios. (b): Histogram of the maximum normalized impact affected in all contamination scenarios,
when 6 sensors are placed for minimizing average impact.
For simplicity and without loss of generality, the impact metrics presented hereafter are normalized. Figure 2(a) depicts the histogram of the maximum normalized
impact in all contamination scenarios. From Fig. 2(a) it appears that about 40% of all
scenarios under consideration have impacts more that 10% w.r.t the maximum. The
long tail in the distribution shows that there is subset of scenarios which have a large
impact on the network. From simulations we identified two locations that on certain
scenarios, they achieve the largest impact, specifically near the reservoir and at one
tank (labelled with numbers ‘1’ and ‘2’ in Fig. 1). The worst possible outcome from
all intrusions is for contamination at node ‘1’ at time 23:55, given that the contaminant propagates undetected in the network.
The optimization problem is to place six sensors at six nodes in order to minimize
the three objectives described in the problem formulation. For the third objective we
use α=0.8. The general assumption is that the impact of a contamination is measured
until a sensor has been triggered, i.e. a contaminant has reached at a sensor node;
afterwards it is assumed that there are no delays in stopping the service.
For illustrating the impact reduction by placing sensors, we choose one solution
from the solution set computed with the smallest average impact; the proposed six
sensor locations are indicated as nodes with circles in Fig. 1. Figure 2(b) shows the
histogram of the maximum impact on the network when these six sensors are installed. We observe a reduction of the impact to the system, with worst case impact
near 20% w.r.t. the unprotected worst case.
We performed two experiments with the NSGA-II algorithm to solve the optimization problem. In the one experiment, the parameters were 200 solutions in population
Security Issues in Drinking Water Distribution Networks
75
for 1000 generations; for the second experiment it was 400 and 2000 respectively.
The Pareto fronts are depicted in Fig. 3, along with the results computed using a deterministic tree algorithm presented in [10]. The simulations have shown that for our
example, the maximum impact objective was almost the same in all computed Pareto
solutions and is not presented in the figures.
Fig. 3. Pareto fronts computed by the NSGA-II algorithm, as well as from a deterministic algorithm for comparison. The normalized tail average and total average impact are compared.
5 Conclusions
In this work we have presented the security problem of sensor placement problem in
water distribution networks for contaminant detection. We have presented an initial
attempt to formulate the problem in order to be suitable for mathematical analysis. Furthermore, we examined a multiple-objective optimization problem using certain risk
metrics and demonstrated a solution on a realistic network using a suitable multiobjective evolutionary algorithm, the NSGA-II. Good results were obtained considering
the stochastic nature of the algorithm and the extremely large solution search space.
Security of water systems is an open problem where computational intelligence
could provide suitable solutions. Besides sensor placement, other interesting aspects
of the security problem are the fault detection based on telemetry signals, the
identification and the accommodation of the problem.
References
1. LeVeque, R.: Nonlinear Conservation Laws and Finite Volume Methods. In: LeVeque,
R.J., Mihalas, D., Dor, E.A., Müller, E. (eds.) Computational Methods for Astrophysical
Fluid Flow, pp. 1–159. Springer, Berlin (1998)
2. Kurotani, K., Kubota, M., Akiyama, H., Morimoto, M.: Simulator for contamination diffusion in a water distribution network. In: Proc. IEEE International Conference on Industrial
Electronics, Control, and Instrumentation, vol. 2, pp. 792–797 (1995)
3. Rossman, L.A.: The EPANET Programmer’s Toolkit for Analysis of Water Distribution
Systems. In: ASCE 29th Annual Water Resources Planning and Management Conference,
pp. 39–48 (1999)
76
D.G. Eliades and M.M. Polycarpou
4. Kessler, A., Ostfeld, A., Sinai, G.: Detecting accidental contaminations in municipal water
networks. ASCE Journal of Water Resources Planning and Management 124(4), 192–198
(1998)
5. Ostfeld, A., Uber, J.G., Salomons, E.: Battle of the Water Sensor Networks (BWSN): A
Design Challenge for Engineers and Algorithms. In: ASCE 8th Annual Water Distibution
System Analysis Symposium (2006)
6. Huang, J.J., McBean, E.A., James, W.: Multi-Objective Optimization for Monitoring Sensor Placement in Water Distribution Systems. In: ASCE 8th Annual Water Distibution
System Analysis Symposium (2006)
7. Hart, W., Berry, J., Riesen, L., Murray, R., Phillips, C., Watson, J.: SPOT: A sensor
placement optimization toolkit for drinking water contaminant warning system design. In:
Proc. World Water and Environmental Resources Conference (2007)
8. Berry, J.W., Fleischer, L., Hart, W.E., Phillips, C.A., Watson, J.P.: Sensor Placement in
Municipal Water Networks. ASCE Journal of Water Resources Planning and Management 131(3), 237–243 (2005)
9. Eliades, D., Polycarpou, M.: Iterative Deepening of Pareto Solutions in Water Sensor Networks. In: Buchberger, S.G. (ed.) ASCE 8th Annual Water Distibution System Analysis
Symposium. ASCE (2006)
10. Eliades, D.G., Polycarpou, M.M.: Multi-Objective Optimization of Water Quality Sensor
Placement in Drinking Water Distribution Networks. In: European Control Conference,
pp. 1626–1633 (2007)
11. Watson, J.P., Hart, W.E., Murray, R.: Formulation and Optimization of Robust Sensor
Placement Problems for Contaminant Warning Systems. In: Buchberger, S.G. (ed.) ASCE
8th Annual Water Distibution System Analysis Symposium (2006)
12. Rockafellar, R., Uryasev, S.: Optimization of Conditional Value-at-Risk. Journal of
Risk 2(3), 21–41 (2000)
13. Rockafellar, R., Uryasev, S.: Conditional Value-at-Risk for General Loss Distributions.
Journal of Banking and Finance 26(7), 1443–1471 (2002)
14. Topaloglou, N., Vladimirou, H., Zenios, S.: CVaR models with selective hedging for international asset allocation. Journal of Banking and Finance 26(7), 1535–1561 (2002)
15. Rao, S.: Engineering Optimization: Theory and Practice. Wiley-Interscience, Chichester
(1996)
16. Preis, A., Ostfeld, A.: Multiobjective Sensor Design for Water Distribution Systems Security. In: ASCE 8th Annual Water Distibution System Analysis Symposium (2006)
17. Ostfeld, A., Uber, J.G., Salomons, E., Berry, J.W., Hart, W.E., Phillips, C.A., Watson, J.P.,
Dorini, G., Jonkergouw, P., Kapelan, Z., di Pierro, F., Khu, S.T., Savic, D., Eliades, D.,
Polycarpou, M., Ghimire, S.R., Barkdoll, B.D., Gueli, R., Huang, J.J., McBean, E.A.,
James, W., Krause, A., Leskovec, J., Isovitsch, S., Xu, J., Guestrin, C., VanBriesen, J.,
Andc, M.S., Andd, P.F., Preis, A., Propato, M., Piller, O., Trachtman, G.B., Wu, Z.Y.,
Walski, T.: The Battle of the Water Sensor Networks (BWSN): A Design Challenge for
Engineers and Algorithms. ASCE Journal of Water Resources Planning and Management
(to appear, 2008)
18. Deb, K., Pratap, A., Agarwal, S., Meyarivan, T.: A fast and elitist multiobjective genetic
algorithm: NSGA-II. IEEE Transactions on Evolutionary Computation 6(2), 182–197
(2002)