Attack-Resilient Monitoring and Control of Power Grid

Attack-Resilient Monitoring and Control of Power Grid

Submitted in partial fulfillment of the requirements for the degree of

MASTER OF TECHNOLOGY (Power Electronics & Power Systems)

by

Kaustav Chatterjee (153079014)

under the guidance of Prof. Shrikrishna A. Khaparde

Department of Electrical Engineering INDIAN INSTITUTE OF TECHNOLOGY BOMBAY June 2018

“Spite of despondence, of the inhuman dearth
Of noble natures, of the gloomy days,
Of all the unhealthy and o'er-darkened ways
Made for our searching: yes, in spite of all”

Acknowledgement

No words are enough to capture the contributions of Prof. S. A. Khaparde in steering my academic journey at IIT. As an advisor, he has been balanced in letting me swim on my own and then reining me back if I drifted far. The association with him has been and continues to be an immense learning experience, both professionally and personally. I would also like to convey my gratitude to Prof. Manimaran Govindarasu (Iowa State University, USA) for allowing me to work in his laboratory in the summer of 2017. He has mentored me extensively with invaluable technical suggestions and warm encouragement. I fondly remember the classes of Prof. Anil Kulkarni and Prof. Harish Pillai; both were instrumental in shaping my interests. Thanks to Prof. Anupama Kowli for always keeping her door open. I am indebted to my friend Kaustav Dey for his comments, insights and positive criticism of my work. And to the ever charming Soumya Dutta for his constant support and the wild sense of humor. I would also thank Mousumi Di and Ayan. It is incomplete without a mention of my comrades in Machines Lab: Rudra, Jogi, Silba, Gnana, Sandeep, and Neeraj. These people have been extremely kind to me. Needless to say, the contributions of my family and the sacrifices they endured. Maa and Kaku, thanks for being there and believing in me.

Kaustav Chatterjee

Abstract

The rapid growth of cyber infrastructure in modern day power systems comes with the challenge of securing critical system operations from security breaches in the cyber layer. This thesis is an attempt in that direction, to infuse resilience in the grid against malicious attacks tampering with the properties of data. Without venturing into the detailed sophistication of hacking substation computers, the thesis proposes application layer defense measures driven by the domain knowledge of power systems. The works outlined here empower an operator to identify the vulnerabilities in system operation and suggest defence measures for combating them. It outlines the potential threats and strives to sensitize the operator towards a secured and attack-resilient grid operation. In this thesis, the vulnerability of power system state estimation to false data injection is studied and a framework to rank the states on their relative vulnerability to corruption is developed. In the arena of attack detection, two novel schemes for detecting data replay attacks on wide-area monitoring are proposed. The possibility of a periodic jamming based switching attack on wide-area damping control is investigated and appropriate design considerations are recommended for attack mitigation. The effectiveness of the proposed methodologies is illustrated using simulation results from different test systems.

Contents

List of Figures
List of Tables
List of Symbols

1 Introduction
  1.1 Motivation
  1.2 Outline of the Thesis & Research Contributions

2 Literature Review on Attacks Targeting System Operations
  2.1 Overview
  2.2 Attacks Targeting State Estimation
  2.3 Attacks Targeting Automatic Generation Control
  2.4 Attacks Targeting Energy Market

3 Vulnerability Assessment of State Estimation Against Data Attacks
  3.1 Introduction
  3.2 Background
    3.2.1 Attacks with Minimal Cost
    3.2.2 Defending Against False Data Injection
  3.3 Proposed Scheme for Vulnerability Assessment
    3.3.1 Finding Interdependence Between Measurements
    3.3.2 Finding Measurement Sets Linked to a State
    3.3.3 Finding the Vulnerability Index of a State
  3.4 Case Studies
    3.4.1 IEEE 14-bus Test Case
    3.4.2 765 kV Subsystem of the Western Grid
    3.4.3 400 kV Subsystem of the Western Grid
  3.5 Summary

4 Detection of Replay Attacks on Wide-Area Measurement System
  4.1 Introduction
  4.2 Background
    4.2.1 Replay Attacks on WAMS
  4.3 Proposed Detection Scheme Based on Singular Value Decomposition
    4.3.1 Case Studies on 4-machine 10-bus System
  4.4 Proposed Detection Scheme Based on Pearson Correlation
    4.4.1 Case Studies on 4-machine 10-bus System
  4.5 Summary

5 Switching Attack on Wide-Area Damping Controller and Mitigation
  5.1 Introduction
  5.2 Background
    5.2.1 Power Oscillation Damping Control
    5.2.2 Communication Delay in the Feedback Path
  5.3 Switching Attack on Damping Controller
    5.3.1 Vulnerability Identification: Attacker's Perspective
    5.3.2 Proposed Mitigation Strategy: Operator's Perspective
  5.4 Case Studies on 2-machine System
    5.4.1 System Description
    5.4.2 Design of Damping Controller
    5.4.3 Impact of Delay on Stability
    5.4.4 Impact of Switching on Stability
    5.4.5 Impact of Feedback Signal on Switching Stability
  5.5 Summary

6 Conclusion and Future Scope

A Appendix
  A.1 Power Oscillation Damping
    A.1.1 Small Signal Model of Power System
    A.1.2 Choice of Feedback Signal and Actuation Device
    A.1.3 Design of the Damping Controller
    A.1.4 Closed Loop System with the Damping Controller
    A.1.5 Need for Wide Area Feedback Signals and Challenges

Bibliography

List of Publications

IIT Bombay

List of Figures

3.1 Methodology for finding the measurement dependency sets and the optimal attack vectors
3.2 Block diagram of the proposed vulnerability assessment methodology
3.3 IEEE 14-bus system
3.4 Equivalent graph of IEEE 14-bus system
3.5 Equivalent graph of the 765 kV System
4.1 4-machine 10-bus system from Kundur [1]
4.2 Voltage waveform of Bus 9. Voltage dips at t = 5 s and t = 15 s cannot be distinguished as fault or replay attack
4.3 Voltage waveform of all buses. Dip at t = 5 s is spatially correlated, but that at t = 15 s is only seen at Bus 9
4.4 Layout of the proposed detection scheme
4.5 SVD based detection of fault replay attack at Bus 9
4.6 SVD based detection of attack at Bus 9 replaying a topology change (opening of a line connecting buses 9-10)
4.7 Scatter plot for voltage magnitudes of buses 6 & 9. Fault at Bus 6. Window length = 2500 samples.
4.8 Bus 6 fault at t = 30 s, attack at t = 65 s
4.9 Bus 8 fault at t = 30 s, attack at t = 65 s
5.1 Two machine system with a TCSC for Case Study
5.2 Impact of delay time on eigenvalues of the system
5.3 Effect of switching time on the dominant eigenvalues of the transformed system with modal angle feedback
5.4 Effect of switching time on eigenvalues of the transformed system with the non-local equivalent signal as feedback

List of Tables

3.1 Vulnerability Ranking for IEEE 14-bus System
3.2 Vulnerability Ranking of States for 765 kV System of Indian Western Grid
5.1 System Data of the 2-machine system
5.2 Results from Power Flow
5.3 Eigen Analysis of the Open Loop System
5.4 Relative Modal Observability in 2-machine system
5.5 Relative Modal Controllability in 2-machine system
5.6 Eigen Analysis with Local Feedback
5.7 Eigen Analysis with Wide Area Feedback

List of Symbols

δ      Generator Rotor Angle
ω      Generator Rotor Speed
Psh    Shunt Injected Real Power
Pe     Electric Power Output of a Generator
Pser   Shunt Injected Real Power
Xser   Series Connected Reactance
IR     Shunt Injected Reactive Power
V      Bus Voltage Magnitude
φ      Bus Voltage Angle
I      Line Current Magnitude
ζ      Line Current Phase Angle
H      System Topology Matrix for State Estimation
z      Measurements from Sensors
a      Attack Vector
x      System State Variables

Chapter 1
Introduction

1.1 Motivation

The last few decades have witnessed profound transformations in the operation of the electric power grid. Leveraging the benefits of distributed control, synchronized measurements and bi-directional information flow, the grid has become more responsive to variations and faults than ever. Integration of high speed communication links into the existing power network has made it more dynamic in terms of energy management capabilities. However, increased reliance on cyber networks for transport of data across wide geographies has rendered these applications vulnerable to threats associated with security breaches in the cyber layer [2–4]. It has been demonstrated in the Ukrainian attack [5] of December 2015 that people with malicious intent may hack into substation computers and suitably modify the operating conditions to push the system into jeopardy [6]. Thus, cyber security of power system applications [7] has emerged as a topic of active interest among professionals in both industry and academia.

The National Institute of Standards and Technology (NIST) Smart Grid Interoperability Panel has identified Availability, Integrity and Confidentiality as the high level security requirements for the proper functioning of the grid [8]. Availability ensures timely and reliable access to information, Integrity implies protection against illegal and improper modification of information, and Confidentiality prevents unauthorized access to proprietary information [2].

The taxonomy of cyber attacks on the power system is constantly evolving with fresh discoveries of vulnerabilities and attack surfaces [9]. Similarly, the literature on attack detection and defense is also expanding, with newer results pouring in from system studies and from experiences of real-life attacks. Although not exhaustive, the attacks can be classified as attacks targeting integrity of data, like false data injection [10], and attacks targeting availability of data, like denial-of-service [11] and time-delay attacks [12]. Beyond these broad classifications there can be sophisticated attacks combining one or more features of these individual types, like a coordinated attack which involves manipulating multiple sensors spread over space and time, or a replay attack [13] where data packets previously recorded are played back to the operator at some future time instant. The motives behind these attacks can be many, some involving monetary gains [14] while others are simply disruptive.

Success of an attack depends on the ability of the attacker to bypass the intrusion detection systems and break into the substation automation. The probability of successful intrusion is a function of multiple factors, like the number of access points, the strength of the firewall and the rate of attack on the network [15]. Thus, it is imperative for a vigilant operator to gain sufficient knowledge of the vulnerabilities to be able to synthesize attack-resilient system designs. Attack resilience is a broad term covering know-how as diverse as computer architecture, communication protocols, network theory and power system operations [16], each of which has definite contributions to make in securing the system. However, the scope of this thesis is limited to understanding and assessing the impacts of an attack on the system operation from the perspective of a power engineer, and thereby to designing application specific attack detection and mitigation strategies. The works in this thesis do not take up the challenges of hacking a substation computer but assume the theoretical possibility of these being breached. Thus, attention is laid on the development of independent, power system domain specific security measures which could act as secondary lines of defense.

1.2 Outline of the Thesis & Research Contributions

The thesis is structured around three aspects of resilience: vulnerability assessment, attack detection and mitigation. Aligned to these themes, three sub-problems have been addressed concerning attacks on wide-area monitoring and control of the power grid. The problems range from identifying the critical sensor locations in an estimation application to real-time attack detection, to examining the possibility of newer threat models and striving to mitigate them. Case studies have been presented wherever necessary to illustrate the salient points and to validate the claims. The thesis is organized in six chapters.

• Chapter 2 presents a brief review of existing literature on data manipulation attacks and their impacts on three major grid operations: State Estimation, Automatic Generation Control and Energy Market. This helps in understanding the attack models and vulnerabilities. It serves as the focal point in motivating the need for the defense mechanisms in subsequent chapters.
• Chapter 3 highlights the vulnerability of state estimation to sensor data corruption. A methodology for computing the relative vulnerability of a state variable is proposed and an order of ranking is developed. The ranking serves to identify the most susceptible nodes in a network and thus recommends a prioritized protection.
• Chapter 4 proposes novel data-driven methodologies based on Singular Value Decomposition and Pearson Correlation for online detection of replay attacks on wide-area measurements. The detection schemes discussed exploit spatio-temporal correlation in sensor data.
• Chapter 5 introduces the possibility of a jamming induced switching attack on a wide-area damping controller and suggests design requirements for mitigating such attacks. It is proposed that with a suitable choice of wide-area feedback signals the wait-time for switching to local feedback may be reduced without leading to instability.
• Chapter 6 concludes the thesis with a summary of results and discusses the scope of future work.

Chapter 2
Literature Review on Attacks Targeting System Operations

2.1 Overview

Data integrity attacks [10], as discussed in the previous chapter, manipulate the sensor data sent out from the substation to the control center. This could involve hijacking the substation computer terminal, or it can be a typical man-in-the-middle type of attack where data packets are sniffed in transit [16]. If an attacker has to modify data values without triggering any bad data detection alarm at the control center, then it has to be assumed that the attacker has knowledge of system parameters (and dynamics). This apparently unrealistic assumption can very much be the case if the attack is orchestrated by a disgruntled insider. It can also happen in a situation in which a faithful but careless employee responds to phishing mails, thus giving access to an attacker, as in the 2015 Ukrainian attack [6]. In a more realistic setup, the attacker can replay prerecorded data packets, thereby suppressing periods of disturbance with ambient data or vice versa, prompting the operator to take wrong corrective action. More on these replay attacks and their detection methods will be discussed in Chapter 4.

In a Denial-of-Service (DoS) attack [11], the perpetrator floods the computer of the targeted controller with superfluous requests to overload the system to the extent that legitimate data packets do not reach the controller. This has serious consequences for the operation of closed loop controllers: not only can it degrade their performance, sustained DoS may lead to instability. The effect of DoS in the real-time energy market is discussed in Section 2.4 of this chapter.

Outline of the Chapter

This chapter reviews the literature on the mechanism and impact of these data integrity attacks on three major power system operations, State Estimation (SE), Automatic Generation Control (AGC) and Energy Market, from the perspective of a power engineer, without delving into the background of computer hardware and/or software mechanisms for orchestrating an attack. The focus is on understanding which data is more susceptible to attack and how a modification can result in a system wide catastrophe. The reason for choosing these three applications is their time scales of operation. AGC, being faster and more frequent than SE, is expected to have fewer data validity checks in place. The motive is to convey the idea that each of these applications poses different challenges for the attacker, and thereby to identify how an intelligent attacker can overcome them. This understanding can then help the operator in designing appropriate defense mechanisms for the respective applications.

2.2 Attacks Targeting State Estimation

State estimation is an important energy management application that runs at control centres and is key to many operational decisions [17, 18]. Measurement data from different locations, like power injections, line flows, voltage measurements and the status information of breakers and switches, are telemetered to the control centres. The control centre then runs an elaborate algorithm to process this data and estimate the system states (voltage magnitudes and angles) from it. Decisions like ramping of generators, opening or closing of lines and changing the position of transformer taps are often based on these estimates. A state estimation problem in power system can be formulated as

$$z = h(x) + e \qquad (2.1)$$

In equation (2.1), $z = (z_1, z_2, \ldots, z_m)^T$ is the set of sensor measurements, $x = (x_1, x_2, \ldots, x_n)^T$ represents the true states of the system (bus voltage angles in this case), $h$ is the vector function relating measurements to state variables and $e$ is the vector of zero mean Gaussian noise in the measurements.

A linear approximation to the problem can be stated as

$$z = Hx + e \qquad (2.2)$$

where $H$ is a constant matrix of network data and the states include only the angles of the voltage at each bus. The solution is obtained from a weighted least squares problem

$$\hat{x} = (H^{T} W H)^{-1} H^{T} W z \qquad (2.3)$$

$W$ is the diagonal matrix of the weights assigned to the measurements. The elements in $W$ are the reciprocals of the variances of the meter errors.

In a seminal work [19] Liu et al. have demonstrated that an attacker armed with the knowledge of the network topology can corrupt the measurement data to inject predefined errors into the estimate of system states without being detected at the control center. Authors in [10, 20] have presented a comprehensive review of false data injection in power system state estimation. Let $a = (a_1, a_2, \ldots, a_m)^T$ be the corrupted data added to the original measurement vector $z$ such that $z_a = z + a$ is the modified measurement seen by the control center. The corrupted measurement set can pass the $\chi^2$ bad data detection test [21] if $a$ is in the column span of $H$, i.e., $a = Hc$ [19], where $c$ is the error in the estimates due to the attack.

$$\hat{x}_a = (H^{T} W H)^{-1} H^{T} W (z + Hc) = \hat{x} + c \qquad (2.4)$$

$$\| z_a - H\hat{x}_a \| = \| z + a - H(\hat{x} + c) \| = \| z - H\hat{x} \| \qquad (2.5)$$

The $L_2$ norm of the measurement residual with manipulated data is the same as that of the case without manipulation. Authors in [22] have analyzed the case of a generalized false data injection against a non-linear estimation. The measurement residues under such a scenario can be calculated as

$$r_a = z_a - h(x_a) = z + a - h(x_a) + h(x) - h(x) = r + a - h(x_a) + h(x) \qquad (2.6)$$

with $r = z - h(x)$. A perfect attack, to go undetected, should have

$$a = h(x_a) - h(x) \qquad (2.7)$$

For generalized attacks to avoid detection with high probability, the attacker has to ensure $\| a - h(x_a) + h(x) \| < \tau$ [22]. However, the attacker's access to topology information is limited, with no real-time knowledge of transformer tap positions and circuit breaker statuses. In [23] false data injection attacks with incomplete information were mathematically characterized from both an attacker's and a grid operator's perspective. The attacker's knowledge of matrix $H$ can be modelled as

$$\bar{H} = H + \delta \qquad (2.8)$$

where $\delta$ is the $m \times n$ matrix of errors in the attacker's knowledge of $H$. The estimated values of the system states would be

$$\hat{x}_a = (H^{T} W H)^{-1} H^{T} W (z + Hc + \delta c) \qquad (2.9)$$

$$\hat{x}_a = \hat{x} + c + (H^{T} W H)^{-1} H^{T} W \delta c \qquad (2.10)$$

The residue in the estimates of state variables for attacks with limited information would be

$$r_a = z_a - H\hat{x}_a = z + a - H\hat{x} - Hc - H(H^{T} W H)^{-1} H^{T} W \delta c = r + \left( I - H(H^{T} W H)^{-1} H^{T} W \right) \delta c \qquad (2.11)$$

where $r = z - H\hat{x}$. This would pass the bad data detection tests designed for residue $r$ provided the contribution of $\delta c$ is very small. Authors in [23] classified attacks as perfect or imperfect depending on the value of $\delta c$. For perfect attacks it is possible to assure $\delta c = 0$ with $\delta \neq 0$.

Authors in [24] studied the impact of introducing topology errors in state estimation. They focused on identifying critical branches which, when removed, can significantly impact the flows on some other lines. An attacker would fake a line outage by suitably changing the status of the breakers and the measurements from the corresponding meters. An operator comprehending a change in topology would then recalculate the safe operating limits for the lines. If the flows in some lines exceed these limits the operator would ideally redispatch the generators to bring the system back to safe operating points. Meanwhile, the dispatch could mean significant economic gains for the attacker.

In summary, the attacks on state estimation can come from an attacker intelligently modifying the sensor data or deceiving the operator with a wrong configuration of the topology. In the latter case, the corrupted network configuration has to relate to the readings of the corresponding meters. In situations where the attack is not well coordinated, the operator can detect the presence of bad data and eliminate those measurements for the estimation purpose. However, if too many measurements are discarded the system may become unobservable and the estimation may not be feasible. This can also work to the advantage of an attacker who might intend to hide the health of the system from the operator for a period of time. The motive behind attacks on power system state estimation can range from causing large scale blackouts, as in the case of the Ukrainian attack of 2015 [5], to gaining short term financial profit in the everyday energy market. Financial gains in an energy market from attacks on state estimation will be discussed in Section 2.4.
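The residual argument of equations (2.3) to (2.11) is easy to verify numerically. The Python script below is an added example and is not code from the thesis or from any of the cited works. It assumes a constructed 3-bus DC network (bus 1 as angle reference, line reactances 0.1, 0.1 and 0.2 pu) with five meters, a constructed noise draw, a constructed attacker mis-modelling of one line reactance as the δ of equation (2.8), and the standard tabulated 99% chi-square critical value for m − n = 3 degrees of freedom. It runs the weighted least squares estimator and the chi-square bad data test on four measurement vectors: honest telemetry, a single gross meter error, an attack vector a = Hc built with exact topology knowledge, and the same attack built from the inaccurate H̄ = H + δ. Only the second and fourth are flagged, which is exactly what (2.5) and (2.11) predict: a residual test alone is blind to perturbations in the column span of H, while errors in the attacker's topology knowledge re-enter the residual through (I − H(HᵀWH)⁻¹HᵀW)δc.

```python
"""WLS DC state estimation with a chi-square bad-data test on a constructed 3-bus network.

Added example for equations (2.3)-(2.11); not code from the thesis.  Every number below
(network, noise, thresholds, attacker parameters) is constructed for the illustration."""

# Constructed network: bus 1 is the angle reference, states x = [theta2, theta3] (rad).
# DC line flow P_ij = (theta_i - theta_j) / x_ij with x_12 = 0.1, x_13 = 0.1, x_23 = 0.2 pu.
# Meters (rows of H): z = [P12, P13, P23, P2_injection, P3_injection].
H = [[-10.0, 0.0],
     [0.0, -10.0],
     [5.0, -5.0],
     [15.0, -5.0],
     [-5.0, 15.0]]
SIGMA = 0.01                        # meter standard deviation, same for every meter
W = [1.0 / SIGMA ** 2] * len(H)     # WLS weights = 1/variance, as in eq. (2.3)
CHI2_99_3DOF = 11.345               # chi-square critical value, 99%, m - n = 5 - 2 = 3 dof

X_TRUE = [-0.05, -0.10]                                 # constructed true angles
NOISE = [0.010, -0.005, 0.008, -0.012, 0.006]           # constructed zero-mean noise draw


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def add(u, v):
    return [a + b for a, b in zip(u, v)]


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def wls_estimate(H, W, z):
    """x_hat = (H^T W H)^-1 H^T W z, eq. (2.3), via the normal equations."""
    m, n = len(H), len(H[0])
    HtWH = [[sum(W[k] * H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    HtWz = [sum(W[k] * H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve(HtWH, HtWz)


def chi2_statistic(H, W, z, x_hat):
    """J = sum_i w_i r_i^2 with r = z - H x_hat; the bad-data detector compares J to a threshold."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return sum(w * ri ** 2 for w, ri in zip(W, r))


def run_bdd(z):
    """Return (x_hat, J, flagged) for one measurement vector."""
    x_hat = wls_estimate(H, W, z)
    J = chi2_statistic(H, W, z, x_hat)
    return x_hat, J, J > CHI2_99_3DOF


def scenarios():
    z = add(matvec(H, X_TRUE), NOISE)                      # honest telemetry
    gross = add(z, [0.5, 0.0, 0.0, 0.0, 0.0])               # one meter grossly wrong
    c = [0.02, 0.0]                                         # intended error in the estimate
    stealth = add(z, matvec(H, c))                          # a = H c, eq. (2.4): residual unchanged
    # Constructed attacker error: believes x_23 = 0.25 pu instead of 0.2, so rows 3-5 of
    # H_bar = H + delta (eq. 2.8) differ from the operator's H.
    H_bar = [[-10.0, 0.0], [0.0, -10.0], [4.0, -4.0], [14.0, -4.0], [-4.0, 14.0]]
    imperfect = add(z, matvec(H_bar, [0.1, 0.0]))          # a = H_bar c, eqs. (2.9)-(2.11)
    return {name: run_bdd(v) for name, v in
            [("clean", z), ("gross", gross), ("stealth", stealth), ("imperfect", imperfect)]}


if __name__ == "__main__":
    for name, (x_hat, J, flagged) in scenarios().items():
        print(f"{name:10s} x_hat={[round(v, 4) for v in x_hat]}  J={J:9.3f}  flagged={flagged}")
```

The "stealth" row shows the estimate shifted by exactly c with J unchanged to floating-point precision; the "imperfect" row shows J jumping above the threshold even though the attacker used the same construction, because δc lies outside the column span of H in this network.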

2.3 Attacks Targeting Automatic Generation Control

In an interconnected power system, the function of Automatic Generation Control (AGC) is to adjust the power output of specific generators in an area to ensure that the system frequency remains within acceptable limits and the power exchange between neighbouring areas is limited to the scheduled values [18, 25]. It functions like a closed-loop feedback control system with minimal intervention from the human operator [26]. Unlike state estimation, which runs on a timescale of minutes, the AGC has to issue control signals on a timescale of seconds. Hence, it cannot afford to employ elaborate data validation algorithms, and an attacker taking advantage of this can manipulate the measurements without detailed mathematics. Data integrity attacks and their impact on AGC have been reported in [26–28].

Studies in [27, 28] assume that an attacker has access to all necessary information including the system load, scheduled tie line flows, generator droop constant ($R$) and the load frequency sensitivity parameter ($D$). In modelling the impact of the attack, the following attack templates were used by the authors:

• Scaling Attack: the modification adds a scaled value of the measurement to the original value

$$y^{*}(t) = \begin{cases} y(t), & t \notin \tau_a \\ (1 + \lambda_s)\, y(t), & t \in \tau_a \end{cases}$$

• Ramping Attack: the modification adds a ramp function that gradually increases with time

$$y^{*}(t) = \begin{cases} y(t), & t \notin \tau_a \\ y(t) + \lambda_r\, t, & t \in \tau_a \end{cases}$$

where $\tau_a$ is the time duration of the attack and $y(t)$ can be a power or frequency measurement. The ramping adjustment for the generators in each balancing area, called the Area Control Error (ACE), is calculated as [18]

$$ACE_i = \sum (P_{tie} - P_{sch}) + \beta_i (f - f_0) \qquad (2.12)$$

where $\beta_i$ is the frequency bias for area $i$ and $P_{sch}$ is the scheduled flow in each tie line. In the attack model discussed in [27], the attacker manipulates the measurements of $P_{tie}$ and $f$ in order to achieve a desired ramping in the generators. But any arbitrary modification in these values would make the measurements inconsistent: the manipulation in frequency should be a function of the manipulations in power flow. Let us assume a two area system, where the attacker corrupts the sensor readings of the tie line flow based on the attack templates discussed. The objective of the attacker is to fool the AGC into believing that there is excess generation in the area. AGC would then send out commands to ramp down generation. Since in reality there was no generation surplus, this would lead to a fall in frequency and eventual load shedding. The AGC in area 1 can be tricked into ramping down in either of the following ways:

• Increase in tie line flow and fall in frequency: AGC of area 1 perceives an increase in load in area 2 and generation excess in area 1. So, it instructs generators in area 1 to ramp down.
• Increase in tie line flow and increase in frequency: AGC of area 1 assumes loss of load in area 1 and instructs generators in area 1 to ramp down.

Any change in tie line flow is perceived as a change in system loading and thus frequency. So, an increase or decrease in tie line flow made by the attacker should be followed by an appropriate manipulation in the frequency measurement to be consistent. The change in frequency that should accompany a change $\Delta P_{tie}$ in flow can be calculated as

$$\Delta f = \frac{-\Delta P_L}{\sum_{n=1}^{2} \left( \frac{1}{R_n} + D_n \right)} \qquad (2.13)$$

The choice of parameters $\lambda_s$ and $\lambda_r$ in the attack template should be such that the ACE for area 1 is positive. This would be interpreted by the AGC as excess generation in area 1 and it would send control signals to its generators to ramp down. In reality there was no load increase, but the generators have been tricked into decreasing their output. This would cause frequency to fall sharply. If the frequency falls below the settings of the under-frequency sensing relays, the relays would trip. Thus, an attacker can achieve large scale load shedding in area 1. Although there are no elaborate data processing algorithms running at control centers, the attacker still needs to be careful about a few things while deciding on attack template parameters.

• Rate limiting alarms would be triggered if ACE exceeds some preset value.
• The under-frequency relays would be triggered only if the frequency falls below a certain value.

So the choice of attack parameters should be appropriate. A high value would imply a large dip in frequency and a high ACE, which would increase the chance of the rate alarm being triggered. On the other hand, if the attack vector is small, the dip in frequency may be too small to cause the under-frequency relays to trip [27].

The attacks on AGC are conceived with a motive to cause large scale stability issues in the grid. A load generation mismatch would cause center of inertia motion in the generator frequencies, and if there is a sufficient fall in frequency the under-frequency relays would sense this and isolate large regions from the main grid. To add to the misery, if load generation balance is not maintained in the isolated regions this isolation can go on in a cumulative manner, cascading to large scale load shedding or blackout.

2.4 Attacks Targeting Energy Market

Energy markets are heavily reliant on the consumer's access to information about real time prices and on the operator's assessment of the correct state of the system. Information is key to competitive functioning and any malpractice with data can shift the balance in favor of a select few. Attacks on market operations can be either denial of service (DoS) or deliberate injection of wrong data, or a combination of both. Jamming of price signals is a common DoS attack for manipulating the market to gain short term economic benefit [29]. Injecting false data into sensor readings is the way in which locational prices can be manipulated. In a denial of service attack, the attacker jams the price signals to a group of selected users. The jammed users, unaware of the price change, keep taking consumption decisions based on the old price. When the real time prices change significantly from the jammed values, the attacker releases the jamming. Once the jamming is relieved the users would adapt to the new price signal: if the new price is low they would increase their demand, and if high they would curtail their demand, with high probability. The attacker, being aware of both the prices pre and post jamming, can predict this behavior and take unfair advantage of it. If a large group of users suddenly decrease their demand, the prices would fall, and an attacker in this situation would buy power at a cheap rate. On the other hand, if prices increase from an increase in demand, the attacker would sell previously bought cheaper power at high prices in the spot market [29]. The impact of false data injection in electricity markets has been extensively studied in [14, 30, 31]. These studies are based on operations in the PJM market [32]. The attacker manipulating the nodal prices through a faked congestion is central to these studies.
In a deregulated environment, multiple forward and real time markets run at different time scales and a combination of ex-ante and ex-post methods are adopted for the calculation of real time Locational Marginal Prices (LMP). In the day ahead market the ISO calculates the optimal generation schedule and the ex-ante LMPs based on day ahead bids and forecasted loads using a security constrained optimal power flow program [32]. This optimal generation schedule, $P_{Gi}^{*}$, is then sent out to the generators with the expectation that they would follow it in real time. The optimal schedule would maximize their profits and simultaneously avoid overloading of lines. Because of the stochastic nature of the quantities, the real time values of generation, flows and loads will be different from their optimal values. This necessitates recalculation of the real time LMPs based on run time data. The operator performs a state estimation from the data obtained from real time measurements. Any difference of import or export of power in real time from the day ahead values is priced at the real time LMP. The real time LMPs are calculated in the ex-post market using the incremental OPF below:

$$\min_{\Delta P_{Gi}} \ \sum_{i=1}^{N} C_i(\hat{P}_{Gi} + \Delta P_{Gi})$$

$$\text{s.t.} \quad \sum_{i=1}^{N} \Delta P_{Gi} = 0 \qquad (2.14)$$

$$\Delta P_{Gi}^{\min} \le \Delta P_{Gi} \le \Delta P_{Gi}^{\max}, \quad \forall i = 1 \ldots N$$

$$\Delta F_l \le 0, \ \forall l \in C^{+} \qquad \Delta F_l \ge 0, \ \forall l \in C^{-}$$

where C+ and C− are the sets of positively and negatively congested lines. The Lagrangian of the above formulation can be written as

$$\mathcal{L} = \sum_{i=1}^{N} C_i(\hat{P}_{Gi} + \Delta P_{Gi}) + \lambda \sum_{i=1}^{N} \Delta P_{Gi} + \sum_{i=1}^{N} \mu_i^{\max}(\Delta P_{Gi} - P_{Gi}^{\max}) + \sum_{i=1}^{N} \mu_i^{\min}(P_{Gi}^{\min} - \Delta P_{Gi}) + \sum_{l \in L^{+}} \eta_l \,\Delta F_l + \sum_{l \in L^{-}} \zeta_l \,\Delta F_l \qquad (2.15)$$

where η and ζ are the Lagrange multipliers associated with positive and negative congestion respectively and λ is the LMP at the reference node. The locational marginal price at any node is calculated from the Lagrange multipliers associated with the minimization of the above objective function. The LMP at node j is given by

$$\lambda_j = \lambda + \sum_{l=1}^{L} (\eta_l - \zeta_l)\,\frac{\partial F_l}{\partial P_{Dj}} \qquad (2.16)$$

If $H_{lj} = \dfrac{\partial F_l}{\partial P_{Dj}}$, then

$$\lambda_j = \lambda + H_j^{T}(\eta - \zeta) \qquad (2.17)$$

The difference in LMP of two nodes is then calculated as

$$\lambda_{j1} - \lambda_{j2} = (H_{j1}^{T} - H_{j2}^{T})(\eta - \zeta) \qquad (2.18)$$
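The nodal-price relations (2.16)–(2.18) in working form, as an added example that is not part of the thesis or of any market operator's software. The shift-factor matrix, reference price and multipliers are constructed values. The third function goes one step beyond the text: it attributes a price spread between two nodes to the individual lines carrying a non-zero multiplier, which is the check an operator can run when a reported spread is not explained by any line the operator actually sees as binding.

```python
# Nodal LMPs from the reference price and the congestion multipliers, eqs. (2.16)-(2.18).
# Added example with constructed values; not code from the thesis or from PJM.

# Constructed shift factors H[l][j] = dF_l / dP_Dj for 3 lines and 3 nodes.
H = [[0.5, 0.2, 0.0],
     [0.1, 0.6, 0.3],
     [0.0, 0.2, 0.8]]
LAMBDA_REF = 30.0               # LMP at the reference node (constructed)
ETA = [10.0, 0.0, 0.0]          # line 0 binding at its positive limit (constructed)
ZETA = [0.0, 0.0, 4.0]          # line 2 binding at its negative limit (constructed)


def nodal_lmps(lam_ref, h, eta, zeta):
    """Eq. (2.17): lambda_j = lambda + H_j^T (eta - zeta) for every node j."""
    mult = [e - z for e, z in zip(eta, zeta)]
    return [lam_ref + sum(h[l][j] * mult[l] for l in range(len(h)))
            for j in range(len(h[0]))]


def lmp_spread(h, eta, zeta, j1, j2):
    """Eq. (2.18): lambda_j1 - lambda_j2 = (H_j1 - H_j2)^T (eta - zeta).  The reference
    price cancels, so only lines with a non-zero multiplier can move the spread."""
    return sum((h[l][j1] - h[l][j2]) * (eta[l] - zeta[l]) for l in range(len(h)))


def spread_attribution(h, eta, zeta, j1, j2):
    """Per-line contribution to the j1-j2 spread, keyed by line index: the operator's
    check that a reported spread is explained by lines actually seen as congested."""
    return {l: (h[l][j1] - h[l][j2]) * (eta[l] - zeta[l])
            for l in range(len(h)) if eta[l] != 0.0 or zeta[l] != 0.0}
```

With these values node 0 prices at 35, node 1 at 31.2 and node 2 at 26.8; the 0–1 spread of 3.8 is made up of 3.0 from line 0 and 0.8 from line 2, and line 1, which carries no multiplier, contributes nothing however its shift factors differ.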

The attacker can take advantage of this market design and participate in virtual bidding. It has been assumed in [30] that the attacker has access to all market related information and also has the provision to corrupt a series of meters.
• In the day ahead market, the attacker offers to buy and sell power at locations j1 and j2 at prices $\lambda^{D}_{j1}$ and $\lambda^{D}_{j2}$.
• In real time the attacker manipulates the sensor readings to inject some error and modifies the ex-post nodal prices from their day ahead values.
• In the ex-post market the attacker sells and buys power at nodes j1 and j2 at prices $\lambda_{j1}$ and $\lambda_{j2}$.

$$Profit = \lambda_{j1} - \lambda_{j2} - \lambda^{D}_{j1} + \lambda^{D}_{j2} \qquad (2.19)$$

• The manipulation that the attacker performs has to ensure that the profit is nonzero, with the added condition that it is not detected.

$$Profit = \lambda_{j1} - \lambda_{j2} - \lambda^{D}_{j1} + \lambda^{D}_{j2} = (G_{j1}^{T} - G_{j2}^{T})(\eta - \zeta) + \lambda^{D}_{j2} - \lambda^{D}_{j1} \qquad (2.20)$$

An effective strategy to ensure profit > 0 is illustrated below.
• Let the set of transmission lines be divided into two sets L+ and L−:

$$L^{+} = \{l : G_{l,j1} > G_{l,j2}\} \qquad (2.21)$$

$$L^{-} = \{l : G_{l,j1} < G_{l,j2}\} \qquad (2.22)$$

$$Profit = \lambda^{D}_{j2} - \lambda^{D}_{j1} + \sum_{l \in L^{+}} (G_{l,j1} - G_{l,j2})(\eta_l - \zeta_l) + \sum_{l \in L^{-}} (G_{l,j2} - G_{l,j1})(\zeta_l - \eta_l) \qquad (2.23)$$

The attacker has to ensure the following:
• For lines l ∈ L+, $F_l > F_l^{\min}$. These lines should not be negatively congested, which implies $\zeta_l = 0$.
• For lines l ∈ L−, $F_l < F_l^{\max}$. These lines should not be positively congested, which implies $\eta_l = 0$.
• $\lambda^{D}_{j1} < \lambda^{D}_{j2}$. Based on experience the attacker buys at a low price node and sells at a high price node in the day ahead market.

$$Profit = \lambda^{D}_{j2} - \lambda^{D}_{j1} + \sum_{l \in L^{+}} (G_{l,j1} - G_{l,j2})\,\eta_l + \sum_{l \in L^{-}} (G_{l,j2} - G_{l,j1})\,\zeta_l \qquad (2.24)$$

Thus, Profit > 0. This section demonstrates how an intelligent attacker can gain monetary benefit by unfair means through manipulation of sensor data. If the attacker is a participant in a competitive market, such manipulations can lead to a concentration of market power in the hands of the attacker. The objective of this chapter was to motivate the reader towards the need for investing in appropriate defence mechanisms while reviewing the attack principles and vulnerabilities. It has to be understood that the complexities and time scales of operation of different applications set different requirements on the attack detection and mitigation algorithms.


Chapter 3
Vulnerability Assessment of State Estimation Against Data Attacks

3.1 Introduction

In Section 2.2 of the preceding chapter, false data injection attacks targeting power system state estimation have been discussed in detail. Although control centres are equipped with algorithms to check for the presence of bad data in measurements [21], it was observed that an attacker with knowledge of the network topology can introduce predefined errors into the estimates, bypassing the chi-square based bad data detector [19]. The mathematical analysis in Section 2.2 shows that for such attacks to be successful, the error introduced in the measurements should be a vector in the column span of the system matrix [19]. This has prompted researchers to look for prevention and protection measures. In [33] it was proposed that when a set of measurements which independently make the system observable is protected from corruption, the attacker would fail to launch an attack and errors would not be introduced in the estimate of any state variable. In a large power system not all states are equally important in terms of system operation. Some state variables are more critical and it is sufficient to protect these states alone. Taking a cue from this, the authors in [34] proposed an algorithm which enables the operator to choose and prevent manipulation in a few selected states by protecting a smaller number of meters (measurements) than the observability set for the full system. This idea was extended to sequential protection, in which in each phase of security installation, protection schemes were deployed for a small set of meters to protect a subset of the total states. In every installation phase a few more meters were protected, thus adding a few more states to the protected list. However, to implement sequential protection it is necessary to rank the states in an order of priority.

Main Contribution: This chapter proposes a methodology for ranking the state variables depending on their vulnerability to corruption from false data injection. It is argued that the states which have a smaller number of measurements linked to them are more vulnerable than others, because fewer measurements imply less effort and cost on the part of the attacker. The ranking scheme proposed also accounts for the fact that states at a higher voltage level should be given more priority over those at a lower voltage level (a substation at 765 kV is more crucial than a 132 kV substation in terms of system operation). Such a ranking scheme can be useful to a system operator who is constrained by available resources to selectively upgrade protection features at only a few sensor terminals.

3.2 Background

3.2.1 Attacks with Minimal Cost

If we attach some cost to corruption of each meter then the attacker would want to minimize the cost of an attack by minimizing the number of measurements being corrupted. If it is assumed that corrupting any meter is equally costly (in terms of the effort in breaching the security), the adversary would like to find the vector a in the column span of H with minimal non-zero entries (sparsest a, such that a = Hc) [35].

3.2.2 Defending Against False Data Injection

Bobba et al. in [33] demonstrated that in a system with n − 1 states (excluding the slack) it is necessary and sufficient to protect n − 1 linearly independent measurements to defend all n − 1 states from false data injection. Let the total number of measurements be m, out of which p measurements are protected. So the attacker has access to the remaining k measurements, where k = m − p. Let P be the set of protected measurements such that |P| = p.

$$a = \begin{bmatrix} a_p \\ a_k \end{bmatrix} = \begin{bmatrix} H_{p \times n} \\ H_{k \times n} \end{bmatrix} c \qquad (3.1)$$

Since set P is protected, $a_p = 0$. Equation (3.1) can be split into two equations and rewritten as

$$0 = H_{p \times n}\, c \qquad (3.2)$$

$$a_k = H_{k \times n}\, c \qquad (3.3)$$

If the number of measurements protected is n (i.e., p = n) and these measurements constitute an observability set (linearly independent), then $H_{p \times n}$ is full rank. In such a case, the only solution to equation (3.2) is the trivial solution (c = 0). Substituting this into equation (3.3) gives $a_k = 0$, implying that an attack under such a scenario is not feasible [33].

Sequential Protection of Selected States

In a large power system it is often unnecessary and not practical to defend all system states. Some states are more critical in terms of system operation and it is sufficient to defend these states alone. As all states need not be defended, the number of measurements protected is less than the number of states (p < n). Thus the rank of $H_{p \times n}$ is always less than or equal to p, as decided by the number of linearly independent rows and columns. The choice of the set of protected measurements P should be such that the following holds with the minimal number of meters protected [34]:

$$\operatorname{rank}(H_{p \times n}) = \operatorname{rank}(H_{p \times |M \setminus T|}) + |T| \qquad (3.4)$$

where M is the set of all states and T is the set of states protected. Security installations however take time; meanwhile attackers may be able to launch an undetectable attack taking advantage of the unfinished installation. In [34] the authors devised an algorithm that allows the operator to protect critical state variables in any given priority sequence. The idea behind this was that, given the limitation in resources, the security installations should be done in a way such that the most vulnerable and critical states are protected first, followed by the next most, and so on.


In this chapter we attempt to extend this idea by identifying the order in which the states need protection. In the next section we explain the methodology followed to rank the states in increasing order of vulnerability to false data injection.

3.3 Proposed Scheme for Vulnerability Assessment

In order to protect the system from false data injection, it is necessary to find out which states and measurements are more susceptible to threat. These are the states or measurements which would need more protection. A state shall be called more vulnerable if it takes less effort by the attacker to corrupt it. Here, effort is the count of measurements that are directly linked in the estimation of the state. Thus, corrupting any of these measurements will bring a change in the estimated value of the state. Because of the interdependence between the measurements, any change in a measurement by an attacker needs to be supplemented with changes in other correlated measurements as well, to avoid detection. The corruption in measurements has to happen such that the attack vector is in the column span of H. Also, an attacker would be interested in a least effort attack where the number of attacked measurements is minimized. The attack vector therefore has to satisfy two objectives: it has to be sparse and it has to be in the column span of H.

3.3.1 Finding Interdependence Between Measurements

The reduced row echelon form (rref) of a matrix, obtained through Gaussian elimination of its rows, can be used to find the columns which are linearly independent and also the columns which are dependent on these independent columns. This idea has been extended to the problem of finding the interdependence between the measurements. The reduced row echelon form of $H^T$ yields rows which are sparse and are in the column span of H. For example, consider a 3 bus system with 6 measurements where the transpose of H in row reduced form is given below:

$$\operatorname{rref}(H^{T}) = \begin{bmatrix} 1 & 0 & 0 & \times & 0 & \times \\ 0 & 1 & 0 & 0 & \times & \times \\ 0 & 0 & 1 & 0 & 0 & \times \end{bmatrix} \qquad (3.5)$$

In the example above, it can be seen that rows 1, 2 and 3 of $H^T$ are linearly independent. Now if the attacker chooses to corrupt only measurement number (location number) 1, the attack vector a would be

$$a^{T} = \begin{bmatrix} \times & 0 & 0 & 0 & 0 & 0 \end{bmatrix} \qquad (3.6)$$

Figure 3.1: Methodology for finding the measurement dependency sets and the optimal attack vectors. Input: system matrix H; output: MeasLink. For i = 1 to m: find $H^T$; interchange the ith column with the 1st column of $H^T$; find rref($H^T$); extract the 1st row and interchange its 1st entry with the ith entry; transpose and store it in Attack(1 : m, i); find the locations of the non-zero entries in the array and store these locations in MeasLink(i, 1 : end).

Clearly, this $a^T$ is not in the row span of rref($H^T$) or of $H^T$ and hence such an attack would be detected. To avoid this, the attacker has to simultaneously corrupt measurement numbers 4 and 6, following the first row of rref($H^T$). So, it can be said that measurement 1 is linked to measurements 4 and 6. Similarly, measurement 2 is linked to measurements 5 and 6. Any change in measurement 2 has to be supplemented with a change in measurements 5 and 6, otherwise consistency checks would figure out a possible data corruption. In the following paragraphs all those measurements which need to be corrupted together will be called a measurement dependency set. Thus, the measurement sets {1, 4, 6} and {2, 5, 6} would be referred to as the measurement dependency sets for measurements 1 and 2 respectively. The methodology to find the measurement dependency sets for each of the m measurements in an n-bus network is illustrated in Figure 3.1. The ith row of MeasLink contains the dependency set corresponding to the ith measurement. The optimal attack vector (Attack) for each set is the row corresponding to the basic measurement. For measurement 2 it is (0 1 0 0 × ×)T. All least effort attacks modifying measurement 2 should be in the span of its optimal attack vector.

3.3.2 Finding Measurement Sets Linked to a State

Once the optimal attack vector corresponding to each measurement dependency set is known, the error in the estimates of the states due to the attack can be obtained from the relation below. For an attack on the kth measurement set, the error in the estimates can be calculated as

$$\Delta \hat{x}_k = (H^{T} H)^{-1} H^{T} a_k \qquad (3.7)$$

where $\Delta \hat{x}_k$ is a vector of length n − 1 (excluding the slack bus) and $a_k$ is the attack vector of length m. The vectors of change in estimates for each of the m attack vectors can be arranged into a matrix $\Delta \hat{X}$ of dimension (n − 1) × m:

$$\Delta \hat{X} = \begin{bmatrix} \Delta \hat{x}_1 & \Delta \hat{x}_2 & \ldots & \Delta \hat{x}_k & \ldots & \Delta \hat{x}_m \end{bmatrix} \qquad (3.8)$$

The next objective is to find, for each state, the measurement sets whose corruption brings in the maximum change in its estimate. We decide on a threshold (ideally this should be zero, but because of numerical errors one may get some spurious but small numerical values, thus the threshold was set at 0.0001): if $|\Delta \hat{X}_{ij}| > |threshold|$, we can say that the state corresponding to the ith row is strongly linked with measurement set j. Recalling from our previous discussion, measurement set j is the set of measurements dependent on the basic measurement j.

20

IIT Bombay

Attack-Resilient Monitoring and Control of Power Grid

3.3.3 Finding the Vulnerability Index of a State

Once the measurement sets linked with a state are known and the number of measurements in those sets is known, one can find the set with the minimal number of measurements for each state. The number of measurements in that set is the index of vulnerability for that state. A state which has more measurements linked to it is less vulnerable, as it would take greater effort on the part of the attacker to manipulate its estimate. The ranking is an indication of how vulnerable the state is and hence specifies the order in which states need protection under a resource limited condition. A state which comes first in the ranking order is most vulnerable and is linked to the minimal number of measurements.

Figure 3.2: Block diagram of the proposed vulnerability assessment methodology. Steps: obtain the H matrix from topology information; find the measurement dependency sets (MeasLink); for each set find the optimal attack vector (Attack) and scale it appropriately; find the number of elements in each set; for each set, using the optimal attack vector, calculate the corruption in the estimate of the states; for each state find the measurement sets which induce significant corruption in its estimate (greater than a threshold); for each state find the measurement set with the minimum number of elements; the number of elements in that measurement set is the vulnerability index of that particular state.

As we go down the ranking order, states become less vulnerable. Among states having the same vulnerability index (minimum number of measurements needed to corrupt them), the ranking is decided by comparing the norm of the deviation in the estimate produced by the optimal attack sequence for that state. For calculating the norm of the deviation in the estimates, the optimal attack vectors were scaled such that the largest magnitude element in the attack vector was less than 5% of the base case measurement. The summary of the proposed methodology is presented in Figure 3.2.

3.4 Case Studies

The vulnerability indexing and ranking methodology discussed in the preceding section was applied to three sample cases and the simulation results are presented in this section. The test cases chosen were the IEEE 14-bus system and the 765 kV and 400 kV subsystems of the Western Region of the Indian power grid. All simulations were performed in MATLAB (R2015a) using some inbuilt functions from the MATPOWER [36] package. The measurement data were generated from a DC power flow and the measurement set consisted of a flow measurement on each line and an injection measurement at each bus. The voltage angles at each bus were the state variables of interest and the vulnerability index pertains to these states alone. As discussed previously, while ranking between two nodes with equal vulnerability, the per unit sensitivity of the state variable to an optimal attack has been considered as the deciding parameter.

3.4.1 IEEE 14-bus Test Case

The test system with all network interconnections is shown in Figure 3.3. Bus 1 is the slack bus and serves as the reference for angle computations. The reason that it is not included in the ranking is that there is no meaning in attaching a vulnerability to a slack bus: the bus voltage angle for the slack is assigned zero and serves as the reference for the other buses. The topology of the network was reduced to an equivalent graph with nodes as buses and edges as transmission lines, as shown in Figure 3.4. The steps detailed in Figure 3.2 were followed to obtain the dependency set for each measurement and finally the vulnerability index for every bus (with voltage angles being the state variables of interest).


Figure 3.3: IEEE 14-bus system

In the analysis six different vulnerability clusters were observed in the network. The states and their respective vulnerability indices and ranks are listed in Table 3.1.
• The study suggests that the estimate of the voltage angle of bus 8 is the easiest to manipulate, as it would take the attacker only 3 measurements to compromise.
• Buses 7, 3, 11, 12, 14 and 10 have the same relative vulnerability and can be manipulated with a minimum of 5 measurements. However, the per unit deviation in the estimate from the base case is more in 7 and 3 compared to 14, 10 and 13. Hence, 7 and 3 appear before 10 and 13 in the ranking order.
• The study identifies the states corresponding to buses 5, 4 and 2 as least vulnerable. This can be explained by the fact that each of these buses has at least 4 branches connected to it, and the flow through each branch is metered, which increases the correlation between the measurements. Thus it becomes difficult for an attacker to corrupt them, since at least 13 measurements need to be compromised to remain consistent.
• Bus 8 being most vulnerable, it is suggested that the operator takes appropriate measures to protect those meters/measurements which have an effect on the estimation of the voltage angle at bus 8.

Figure 3.4: Equivalent graph of IEEE 14-bus system (nodes 1 to 14 drawn as buses, edges as transmission lines)

Table 3.1: Vulnerability Ranking for IEEE 14-bus System

State/Bus No.   Minimum No. of Measurements to modify the State   Vulnerability Rank
8               3                                                 1
7               5                                                 2
3               5                                                 3
11              5                                                 4
12              5                                                 5
14              5                                                 6
10              5                                                 7
13              7                                                 8
6               9                                                 9
9               11                                                10
2               13                                                11
4               13                                                12
5               13                                                13


3.4.2 765 kV Subsystem of the Western Grid

The substations corresponding to the 765 kV level were extracted from the Western grid of India with appropriate load equivalencing. The outgoing lines from these buses connecting to a bus of a different voltage level have been represented by an equivalent bulk load at that bus. The data for our study were obtained from [37, 20]. The Western region has 26 nodes corresponding to 765 kV.

Figure 3.5: Equivalent graph of the 765 kV System

Out of these 26 nodes, 22 nodes are interconnected to other 765 kV nodes and the remaining 4 nodes are not directly connected to the 22 node subsystem through a 765 kV line. This 22 node sub-system was chosen for the case study. Node 327008 is a generator bus and was chosen as the slack bus. The study suggests that the nodes can be grouped into four clusters of different relative vulnerabilities. 337009 is the most vulnerable owing to its connectivity. The vulnerabilities of all 21 nodes and their locations in the system are listed in Table 3.2.


Table 3.2: Vulnerability Ranking of States for 765 kV System of Indian Western Grid

State/Bus No.   Location/Substation Name   Minimum No. of Measurements to modify the State   Vulnerability Rank
337009          PUNE GIS                   3                                                 1
357002          SIPAT7                     4                                                 2
357005          TAMNAR                     4                                                 3
337004          RAIPUR P                   4                                                 4
337006          DHULE BDTC 8               5                                                 5
327006          BHOPAL-BDTCL               5                                                 6
357007          CHAMPA                     5                                                 7
327001          SEONI                      6                                                 8
327002          SATNA                      6                                                 9
327003          GWALIOR                    6                                                 10
327004          INDORE                     6                                                 11
327005          BINA-PG                    6                                                 12
327007          VINDHYACL-PS               6                                                 13
317001          VADODRA                    6                                                 14
327009          JABALPUR-PS                6                                                 15
337003          WARDHA                     6                                                 16
337005          AURANGABAD                 6                                                 17
357001          BLPSR WR                   6                                                 18
357003          RAIGARH KOTR               6                                                 19
357004          RAIPUR P                   6                                                 20
357006          DHARAMJGRH                 6                                                 21

3.4.3 400 kV Subsystem of the Western Grid

The same study was extended to the 400 kV system extracted from the western region of the Indian power grid. All 175 buses could not be listed in the chapter; however, some highlights of the results are presented. 314035 is selected as the slack bus.


• 8 different vulnerability clusters, with efforts of 3, 4, 5, 6, 7, 8, 10 and 11 measurements to compromise, were observed.
• 354032 was found to be the most vulnerable bus, along with 354035 and 354047, each having the possibility of being manipulated with a corruption of 3 measurements.
• The estimates of nodes 354016 and 354017 turned out to be the most difficult to corrupt, each requiring 11 other measurements to be compromised.

3.5 Summary

This chapter proposes a methodology to compare the relative vulnerabilities of different power system state variables to false data injection. The analysis is entirely based on the network connectivity and the interdependence between measurement sets. The ranking order obtained is particularly useful for the system operator to know which states are at a high risk of producing incorrect estimates. This is also useful if the operator is interested in protecting the states and the corresponding meters but is constrained by physical resources. In such a situation one can use this ranking order to protect a subset of these states in each phase of installation. However, the analysis does not include the case where buses or nodes are at different voltage levels and does not consider the influence of loading on the ranking. Future work would be in analyzing the impact of loading conditions on the vulnerability of a power system node to false data injection.


Chapter 4
Detection of Replay Attacks on Wide-Area Measurement System

4.1 Introduction

Large-scale deployment of Phasor Measurement Units (PMU), augmented by rapid advances in communication technologies, has helped the operator with better visualization and monitoring of events. The Wide Area Monitoring System (WAMS), as it is called, forms the backbone of the transmission system, providing the control room with the situational awareness necessary for operating the grid reliably under disturbances. However, the security of these applications hinges on the security of the cyber infrastructure for the transport of data. Recent studies [4, 16, 38] have explored the vulnerabilities associated with the cyber layer and the possibilities of malicious intrusions jeopardizing the secure operation of WAMS. These have emphasized the need for anomaly detection engines to be incorporated within the traditional WAMS for detecting and filtering out malicious data from regular measurements [39]. This chapter proposes two different approaches to detect a kind of cyber intrusion, called a replay attack, wherein pre-recorded data packets are played back to deceive the operator at some future time. Attacks replaying pre-recorded data packets are difficult to detect since these are copies of actual disturbance data from a previous time instant. Assuming that only a few sensors can actually be tampered with at any given time, it is suggested that the incoherence between the actual and tampered sensor readings be used in flagging an attack.


Main Contributions: The focus of this chapter is to design an anomaly detection engine which would act as a pre-processing block to differentiate between data packets coming from an actual fault or disturbance and those being replayed by an attacker from a previous fault instant. The degree of correlation in the sensor measurements and the extent to which they reflect a common trend is central to the detection approaches presented here. The contributions of this chapter are as follows:
• Development of a singular value decomposition based replay attack detection scheme which uses the relative change in the dominant singular values of a moving window of measurements as a metric for detection,
• Development of a Pearson correlation based detection scheme exploiting the correlation in time-series measurement data, which in addition to triggering alarms for replay attacks can identify the location of the attack bus.
Both the detection schemes suggested in the paper are data-driven, thus eliminating the imperfections arising out of modeling inaccuracies.

4.2 Background

Detection and resilient control against replay attacks have been studied in [13, 40, 41]. The authors in [13] assume that the system model is known a priori and, based on this linear time-invariant model, Kalman filter based and Linear Quadratic Gaussian Controller based detection methods are developed. However, for large transmission networks it is hard to develop accurate linearized models of the system without much approximation. Even then, the linearized models would depend heavily on the knowledge of system parameters and would vary with loading conditions. In contrast, the methods suggested in this chapter are model-free and the detection schemes are designed based on the spatio-temporal correlation between sensor readings. As an alternative to this approach, researchers in [41] have injected harmonic oscillations into the system at non-linear time intervals. Since the attacker cannot respond to these random disturbances, the attack can be detected using signal processing. However, generating a nonlinear function that can approximate a given inverse describing function (needed for producing robust oscillations) remains a challenge under a practical set up involving hundreds of buses.

4.2.1 Replay Attacks on WAMS

Attacks aimed at jeopardizing the stable operation of a power system seek to invade into the substation measurement and/or communication system thereby taking control of the data packets being sent out from the substation. The phasor measurement units can be potential targets as they serve as the point of coupling between the physical system, involving relays and CT/PTs, and the cyber system, for communication and transport of data. In replay attacks, the adversary would normally sniff the data packets being sent to the phasor data concentrator, and at times of attack alter the actual packets with pre-recorded ones. Analyzing the recorded data set the adversary identifies the periods of disturbances and separates it from ambient data. This pre-recorded disturbance data is then replayed from the sensor terminals to fool the operator to take actions which could potentially benefit the adversary. It may also happen that a replay attack may suppress a disturbance from being noticed by the control center by replaying ambient data during the period of disturbance. Since the recorded packets are copies of the original packets and are framed in the same protocol they cannot be identified as anomalies by usual methods. It is interesting that to launch a replay attack, the adversary need not know the dynamics or the model of the system. However, due to replay protection feature in some protocols launching such attacks is difficult from multiple points. It will be assumed that the attacker cannot take hold of all PMUs at any instant of time. This is a reasonable argument citing the inbuilt security schemes in the devices and protocols. The paper only seeks to provide an added layer of defense in case the primary layer is compromised. For the purpose of illustration, let us assume that the PMU of bus 9 in the 4-machine 10-bus system in Figure 1 is compromised. 
During the period when the PMU data is being observed by the attacker, a three-phase fault occurs at the bus at t = 5 s. The fault is cleared at t = 5.2 s, but the transient waveform of this period is captured by the attacker and is played back to the operator at t = 15 s. The voltage magnitude of the bus as reported to the control center is shown in Figure 4.2. It is to be noted that, because of the nature of the attack, the voltage dips at t = 5 s and t = 15 s appear identical and cannot be distinguished by merely observing the voltage waveform of bus 9 alone. This prompts the control center to take corrective action against the presumed fault at t = 15 s, by opening some breaker or by disconnecting a line. This could be of benefit to the attacker, as opening a line between two regions would mean a reduction in power transfer capacity, which can impact nodal prices by congesting the lines remaining in service.

Figure 4.1: 4-machine 10-bus system from Kundur [1]

[Figure 4.2: plot of the Bus 9 voltage (pu, 0 to 1) against time (s, 0 to 18); the Actual Fault, the Fault Replay and the Attack Duration are marked.]

Figure 4.2: Voltage waveform of Bus 9. Voltage dips at t = 5 s and t = 15 s cannot be distinguished as fault or replay attack.

But if one looks at the voltages of all other buses together, as shown in Figure 4.3, one can clearly identify the event at t = 15 s as an anomaly. This is because in an actual fault the neighbouring load buses would also participate in the voltage dip, as shown at t = 5 s in Figure 4.3. However, in a large system involving a few hundred nodes or more, the operator does not have the luxury of plotting all waveforms. Thus, an automated system needs to be designed which accounts for the spatio-temporal correlation in the bus voltage magnitudes to detect anomalies arising from replay attacks.


[Figure 4.3: plot of the voltages (pu, 0 to 1) of Bus 1 to Bus 10 against time (s, 0 to 18); the Actual Fault, the Fault Replay and the Attack Duration are marked.]

Figure 4.3: Voltage waveform of all buses. Dip at t = 5 s is spatially correlated, but that at t = 15 s is only seen at Bus 9.

In the subsequent sections, two detection schemes exploiting the correlation in the voltage measurements are presented. The first method is based on how the singular values of a measurement window vary differently under ambient conditions, faults and attacks. The second method is based on the correlation in the time series data of neighbouring buses and their relative participation in voltage dips resulting from faults.

4.3 Proposed Detection Scheme Based on Singular Value Decomposition

The detection scheme presented in this section is based on the idea that under ambient conditions the vectors of PMU data at different instants of time are copies of one another with minor variations due to measurement inaccuracies and system noise. This means that the matrix formed by assembling these vectors is low-rank, with a single dominant singular value and the other values insignificantly small (capturing the variations due to noise). However, at the onset of a disturbance such as a fault, the dynamics of the event is reflected in all singular values, and the values which were previously small increase by a few folds. It has been observed in this work that for an attack on a single PMU only the second largest singular value increases in magnitude, whereas if the event is a disturbance like a fault or a topology change the increase is seen in all singular values including the second. The percentage increase in the second and the third largest singular values is used as the metric for detection. A sudden jump in the second largest singular value triggers a check of the next largest singular value. If the jump is also observed in the third largest singular value and the percentage increase is above a designed threshold, we call it a regular event; otherwise it triggers the alarm for a replay attack.

Let the $m$-th PMU measurement available at the $i$-th time step be denoted by $y_m^i$. If there are $M$ measurements in total and the window length for computation is $N$, then the measurement matrix at the $k$-th instant, formed by assembling the previous $N$ data samples, is written as

$$
Y^{(k)} = \begin{bmatrix}
y_1^{k} & y_1^{k-1} & y_1^{k-2} & \cdots & y_1^{k-N+1} \\
y_2^{k} & y_2^{k-1} & y_2^{k-2} & \cdots & y_2^{k-N+1} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
y_M^{k} & y_M^{k-1} & y_M^{k-2} & \cdots & y_M^{k-N+1}
\end{bmatrix} \qquad (4.1)
$$

The Singular Value Decomposition (SVD) [42] of the matrix $Y^{(k)}$ is given by

$$
Y^{(k)} = U \Sigma V^T \qquad (4.2)
$$

where $U$ and $V^T$ are the orthogonal matrices of left and right singular vectors, and the matrix $\Sigma$ is represented as

$$
\Sigma = \begin{bmatrix} \Sigma_1 & 0 \end{bmatrix} \qquad (4.3)
$$

$\Sigma_1$ is the diagonal matrix of the singular values of $Y^{(k)}$, arranged in descending order of magnitude:

$$
\Sigma_1 = \begin{bmatrix}
\sigma_1 & 0 & \cdots & 0 \\
0 & \sigma_2 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & \sigma_r
\end{bmatrix} \qquad (4.4)
$$

The computation of singular values is done on a sliding window of a fixed number of data samples. As PMU data is streamed in, a fixed number of data samples (the window length) is taken from history to form the measurement matrix $Y^{(k)}$. The computation can be made faster by using recursive algorithms for singular value decomposition. It should be noted that the jumps in the singular values at the onset of an event may not be instantaneous but gradual over a few samples. Thus, checking the percentage rise over two immediately consecutive windows can lead to false negatives (alarm not triggered when desired). This can be avoided by comparing the singular values from the immediate window with those of a window a few instants past in time. Ideally this is 3 to 5 time steps, a design choice left to the operator. In our analysis, this past window is denoted by sample number $n$. Since the increase is not instantaneous, the time taken to detect an anomaly is also delayed by a few samples. The metrics used for detection are as follows:

(1) Percentage increase in $\sigma_2$,

$$
\%\Delta\sigma_2^{(k)} = \frac{\sigma_2^{(k)} - \sigma_2^{(n)}}{\sigma_2^{(n)}} \times 100\% \qquad (4.5)
$$

(2) Percentage increase in $\sigma_3$,

$$
\%\Delta\sigma_3^{(k)} = \frac{\sigma_3^{(k)} - \sigma_3^{(n)}}{\sigma_3^{(n)}} \times 100\% \qquad (4.6)
$$

[Figure 4.4 flowchart: Initialize data, $k = 1$ → Increment $k = k + 1$ → SVD for the $k$-th window → is $\%\Delta\sigma_2^{(k)} > Th_{\sigma_2}$? No: ambient condition (back to increment); Yes → is $\%\Delta\sigma_3^{(k)} > Th_{\sigma_3}$? Yes: disturbance, handed to WAMS analytics; No: replay attack, ALARM.]

Figure 4.4: Layout of the proposed detection scheme

The layout of the detection scheme proposed in this section is outlined in Figure 4.4. The thresholds ($Th_{\sigma_2}$ and $Th_{\sigma_3}$) are subject to design requirements and are to be chosen based on system operating conditions. It is important to note that this SVD-based method can raise an alarm at the onset of an attack but cannot isolate its location. This is because the individual time-series information of the PMUs is hidden in the composite singular value indices and cannot be identified separately.

4.3.1 Case Studies on 4-machine 10-bus System

The proposed detection method is tested on the system in Figure 4.1. The system model with parameters and network data is taken from [1]. The transient stability program developed in [43] is used for dynamic simulations, and the detection routines are prepared in MATLAB (R2015a). Multiple instances of attacks replaying bus faults and line openings were simulated, and the performance of the detection was validated for each of these cases. However, due to paucity of space only two such results are reproduced here. The PMU data streaming rate is assumed to be 100 Hz. A moving window of 200 samples is taken for computation and thus there is an initial buffer time of 2 s.

[Figure 4.5: plots of $\sigma_1$ (42 to 46), $\sigma_2$ (0 to 4) and $\sigma_3$ (0 to 0.4) against time (s, 5 to 50).]

Figure 4.5: SVD based detection of fault replay attack at bus 9

Figure 4.5 shows an attack scenario where a three-phase bus-to-ground fault at bus 9 at t = 5 s is replayed at t = 40 s. Observe the pattern in the singular values: as the computation window slides into the disturbance data, a rise in σ2 is seen, which is also the case as the window slides into the replay-attack data at t = 40 s. σ2 remains high as long as the window contains a combination of pre-disturbance and disturbance data, or of disturbance and post-disturbance data. The rise in σ2 signals the onset of an event; however, it is yet to be identified whether it is a disturbance or an anomaly. This is addressed by observing the pattern in σ3. Note that the rise in σ3 is significantly larger at t = 5 s compared to that at t = 40 s. This clearly classifies the event at t = 5 s as a disturbance and that at t = 40 s as a replay attack.

[Figure 4.6: upper panel, voltages (pu, 0.96 to 1) of Bus 6, Bus 7, Bus 9 and Bus 10 against time (s, 10 to 80) with the Topology Change and the Replay Attack marked; lower panels, $\sigma_1$ (44.8 to 44.9), $\sigma_2$ (0 to 0.1) and $\sigma_3$ (0 to 0.04) against time.]

Figure 4.6: SVD based detection of attack at Bus 9 replaying a topology change (opening of a line connecting buses 9 and 10)

Figure 4.6 simulates the opening of a line connecting buses 9 and 10 at t = 10 s. The bus voltage variation recorded at bus 9 is replayed at t = 70 s. Similar to Figure 4.5, the rise in σ2 signals the onset of an event. The nature of the event is ascertained by observing the trend in σ3. The event at t = 10 s is classified as a disturbance and that at t = 70 s as a replay attack. Note that the increase in σ2 at t = 70 s is slow, which justifies the proposition to compare the singular value at every instant with that of a window a few samples past in time and not with that of the immediately preceding window. Although effective, the method is computationally intensive because of the floating-point operations involved in singular value decomposition. Another limitation of the method lies in its inability to identify the location of the attack. Also, since the rise in singular values may be gradual over a few samples, there is a lag in detection. These limitations are addressed in the detection scheme proposed in the next section.

4.4 Proposed Detection Scheme Based on Pearson Correlation

It has been discussed in the preceding sections how a disturbance following a fault or a topology change is reflected in the voltage waveforms of more than one bus. For instance, the voltage dip resulting from a fault propagates to neighbouring buses, unless a voltage-controlled device is installed at the other bus. The degree to which two nodes respond to a disturbance and follow a common trend is central to our detection problem. Aligned to this broad theme, the detection scheme proposed in this section exploits the statistical correlation between the voltage time series of neighbouring buses as an indicator to detect malicious corruption in individual PMUs. Contrary to the SVD-based method, the algorithm proposed here does not process the PMU data in blocks but analyzes them as individual time series. This not only helps in parallelizing the computation but is also the key to isolating the point of attack. The correlation coefficient in statistics is defined as a measure of the strength and direction of a linear relationship between two variables on a scatter plot. In algebraic notation, if $x$ and $y$ are two time series of data points $\{x_1, x_2, \ldots, x_i, \ldots, x_N\}$ and $\{y_1, y_2, \ldots, y_i, \ldots, y_N\}$, then the Pearson correlation coefficient $r$ [44] for a window of length $N$ is defined as

$$
\operatorname{Corr}(x, y) = r = \frac{\sum_{i=1}^{N} (x_i - \bar{x})(y_i - \bar{y})}{\sqrt{\sum_{i=1}^{N} (x_i - \bar{x})^2 \; \sum_{i=1}^{N} (y_i - \bar{y})^2}} \qquad (4.7)
$$

where $\bar{x}$ and $\bar{y}$ are the means of the respective variables in the time window of correlation. The coefficient $r$ can take values between +1 and −1, with ±1 indicating an exact linear (positive +1, negative −1) relationship and 0 implying no correlation at all. The coefficient of determination, expressed as $r^2$, is defined as the fraction of the variation in the values of $y$ that can be explained by the variation in the values of $x$ [44]. However, in a practical data set with finite entries it is possible to obtain a non-zero $r$ even when no correlation exists between the variables. Thus, like any other statistical value, $r$ is of little importance unless interpreted properly. One way to do this is to plot the data sets on a scatter plot to observe whether any linear relationship exists at all.

[Figure 4.7: four scatter plots of V9 (pu) against V6 (pu): window of pre-fault ambient data, r = 0.9851; window of pre-fault and fault data, r = 0.9985; window of post-fault data, r = 0.9894; window of attack, r = 0.0085.]

Figure 4.7: Scatter plot for voltage magnitudes of buses 6 & 9. Fault at bus 6. Window length = 2500 samples.

Figure 4.7 shows the scatter plot for the voltage magnitudes of buses 6 and 9 and the correlation coefficients under pre-fault ambient, fault, post-fault and replay attack scenarios. It can be seen that as the window slides over data samples from the pre-fault, fault and post-fault instances, a significantly high correlation is seen between the voltage values of the two buses, which implies that both these buses respond to any variations and disturbances in unison. As expected, during a replay attack the voltage magnitudes of buses 9 and 6 do not follow a common trend, which is reflected in the low value of correlation. The sudden fall in the value of $r$ at the onset of an attack on a single PMU is used in this section as the tool for detecting replay attacks. Instead of computing the correlation between every pair of nodes (buses), the proposed method reduces the computation by calculating it only between the pairs of nodes connected over an edge (line). The rationale behind such a choice is that the voltage dip/rise following a disturbance reflects more intensely in the electrical neighbourhood of the source bus, unless controlled by reactive power injection devices. Thus, with the assumption that only a single PMU can be compromised at any time and no voltage support is in place, it is sufficient to check the correlation in the immediate electrical neighbourhood. Between two successive instants of time, if the per-unit decrease in $r^2$ between a pair of directly connected nodes exceeds a predefined threshold, an alarm is triggered for a replay attack. The edges (pairs of nodes) triggering the alarm are isolated for analysis, and the common node of incidence of these edges is suspected to be the point of attack. In our analysis, the threshold of detection is kept at 0.5. The condition for attack detection is

$$
\frac{r_{k-1}^2 - r_k^2}{r_{k-1}^2} > 0.5 \qquad (4.8)
$$

where $r_k^2$ is the coefficient of determination for the $k$-th window of PMU data. The detection of an anomaly is almost instantaneous, as the comparison is made with the immediately preceding window. The merit of the method is that it can isolate and identify the attack location from the node pairs which trigger the violation alarm. Also, the calculation of the correlation coefficient requires only elementary vector scalar products and summations, thus involving less computation compared to singular value decomposition. However, this is somewhat negated by the need for a larger computation window for the correlation calculation compared to SVD: the more samples in the window, the more accurate the interpretation of $r$.
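The SVD scheme of Section 4.3 and the correlation scheme of this section, implemented together as an added example; this is not code from the thesis (whose MATLAB routines are not reproduced here) and it runs on constructed synthetic data rather than on the Kundur system. Assumed here: thresholds of 100% on the rise of σ2 and σ3, a 10-sample hold before the σ3 check, a 200-sample window for both schemes (the thesis uses 2500 samples for correlation), and an edge list that only loosely follows the bus pairs named in Section 4.4.1.

```python
"""Replay-attack detection on PMU voltage magnitudes: the SVD scheme of Section 4.3 and
the Pearson correlation scheme of Section 4.4, run on constructed synthetic data.
Thresholds, the hold before the sigma_3 check, window lengths and the edge list are
assumptions of this example, not values from the thesis."""
import numpy as np

FS, N_BUS = 100, 10                    # PMU reporting rate (Hz), number of buses
N_SVD, N_PAST, HOLD = 200, 5, 10       # SVD window, past-window offset n, hold before the sigma_3 check
TH_S2, TH_S3 = 100.0, 100.0            # assumed thresholds (%) on the rise of sigma_2 and sigma_3
N_CORR, TH_R2, REARM = 200, 0.5, 0.5   # correlation window, per-unit r^2 drop of (4.8), re-arm level
# Assumed bus pairs joined by a line (1-based), loosely following the pairs named in Section 4.4.1.
EDGES = [(1, 5), (2, 6), (5, 6), (6, 7), (6, 9), (7, 8), (3, 8), (9, 10), (4, 10)]


def synthetic_pmu_data(duration=20.0, seed=1):
    """Constructed N_BUS x T array of bus voltage magnitudes (pu), one row per PMU."""
    rng = np.random.default_rng(seed)
    t = np.arange(0.0, duration, 1.0 / FS)
    v0 = np.linspace(0.97, 1.03, N_BUS)
    # Ambient: a slow system-wide voltage fluctuation common to all buses plus independent noise.
    drift = np.zeros(t.size)
    for i in range(1, t.size):
        drift[i] = 0.98 * drift[i - 1] + 1e-3 * rng.standard_normal()
    v = v0[:, None] * (1.0 + drift)[None, :] + rng.normal(0.0, 1e-3, (N_BUS, t.size))
    # Fault at 5.0 s, cleared at 5.2 s: every bus dips, each with its own depth and recovery
    # time constant, so the fault columns are not a rank-1 pattern.
    depth = np.linspace(0.6, 0.2, N_BUS)
    tau = np.array([0.1, 0.12, 0.15, 0.18, 0.22, 0.27, 0.33, 0.4, 0.5, 0.6])
    f = (t >= 5.0) & (t < 5.2)
    v[:, f] -= depth[:, None] * np.exp(-(t[f] - 5.0)[None, :] / tau[:, None])
    # Post-fault 1 Hz electromechanical swing, decaying, seen by all buses in near phase.
    p = (t >= 5.2) & (t < 8.0)
    amp, phase = np.linspace(0.03, 0.01, N_BUS), np.linspace(0.0, 0.3, N_BUS)
    v[:, p] += (amp[:, None] * np.sin(2 * np.pi * (t[p] - 5.2)[None, :] + phase[:, None])
                * np.exp(-(t[p] - 5.2))[None, :])
    return t, v


def replay_attack(v, bus, rec_start, rec_len, play_at):
    """PMU `bus` (1-based) replays its own recording of [rec_start, rec_start + rec_len) at play_at."""
    a, n, p = int(rec_start * FS), int(rec_len * FS), int(play_at * FS)
    out = v.copy()
    out[bus - 1, p:p + n] = v[bus - 1, a:a + n]
    return out


def pct_rise(now, past):
    return (now - past) / past * 100.0


def detect_svd(y):
    """Section 4.3: a jump in sigma_2 flags an event and sigma_3 then separates a disturbance
    from a replay. Returns [(time_s, label)]. Judging sigma_3 HOLD samples after the sigma_2
    alarm and ignoring re-triggers for one window length are practical additions here."""
    total = y.shape[1]
    s = np.full((total, min(y.shape[0], N_SVD)), np.nan)
    for k in range(N_SVD - 1, total):            # singular values of Y^(k), eqs. (4.1)-(4.4)
        s[k] = np.linalg.svd(y[:, k - N_SVD + 1:k + 1], compute_uv=False)
    events, last = [], -N_SVD
    for k in range(N_SVD - 1 + N_PAST, total - HOLD):
        if k - last < N_SVD or pct_rise(s[k, 1], s[k - N_PAST, 1]) <= TH_S2:
            continue                             # ambient condition, eq. (4.5)
        rise3 = pct_rise(s[k + HOLD, 2], s[k - N_PAST, 2])   # eq. (4.6)
        events.append((round(k / FS, 2), "disturbance" if rise3 > TH_S3 else "replay attack"))
        last = k
    return events


def detect_corr(y):
    """Section 4.4: r^2 of each edge over a sliding window; an edge alarms on a per-unit drop
    above TH_R2 between successive windows, eq. (4.8), and the common node of the alarming
    edges is the suspect. Returns [(time_s, [suspected buses])]. An alarmed edge is re-armed
    only once its r^2 recovers above REARM (an addition of this example)."""
    total = y.shape[1]
    r2 = {e: np.full(total, np.nan) for e in EDGES}
    for (i, j) in EDGES:
        for k in range(N_CORR - 1, total):
            w = y[[i - 1, j - 1], k - N_CORR + 1:k + 1]
            r2[(i, j)][k] = np.corrcoef(w)[0, 1] ** 2     # eq. (4.7), squared
    armed, events = {e: True for e in EDGES}, []
    for k in range(N_CORR, total):
        alarmed = []
        for e in EDGES:
            prev, now = r2[e][k - 1], r2[e][k]
            if armed[e] and prev > 0 and (prev - now) / prev > TH_R2:
                alarmed.append(set(e))
                armed[e] = False
            elif not armed[e] and now > REARM:
                armed[e] = True
        if alarmed:                              # common node of incidence of the alarming edges
            events.append((round(k / FS, 2), sorted(set.intersection(*alarmed))))
    return events


if __name__ == "__main__":
    _, v = synthetic_pmu_data()
    y = replay_attack(v, bus=9, rec_start=5.0, rec_len=3.0, play_at=15.0)
    print("SVD  :", detect_svd(y))    # [(5.0, 'disturbance'), (15.0, 'replay attack')]
    print("Corr :", detect_corr(y))   # [(15.0, [9])]
```

The fault at 5 s is reported as a disturbance by the SVD scheme and raises no correlation alarm, while the replayed recording at 15 s is flagged as a replay attack by the SVD scheme and localized to bus 9 by the correlation scheme.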


4.4.1 Case Studies on 4-machine 10-bus System

The proposed detection scheme was tested for multiple attack scenarios on the system described in Figure 4.1. As discussed in Section 4.3, the system data has been adapted from [1] and the simulations are performed in MATLAB (R2015a). The PMU reporting rate is assumed to be 100 Hz and a moving window of 2500 samples (25 s) is taken for the correlation calculation. In one of many cases, a three-phase fault was simulated at bus 6 at t = 30 s and was cleared in 0.2 s. The fault data was then replayed at the same bus at t = 65 s. As one can see in Figure 4.8, the correlation between bus 6 and all other buses connected to it, buses 9, 5 and 7, falls sharply at t = 65.02 s, triggering the detection alarm of Section 4.4 and thereby indicating the possibility of an attack. The detection is accurate and almost instantaneous, with a detection lag of 1 sample time. Not shown in the figure is the correlation between other pairs of connected nodes, which either remains high or falls too slowly to trigger the alarm.

[Figure 4.8: plot of $r^2$ (0 to 1) for bus pairs 9-6, 5-6 and 2-6 against time (s, 25 to 70); the Replay Attack is marked.]

Figure 4.8: Bus 6 fault at t = 30 s, attack at t = 65 s

As discussed in Section 4.4, if one looks at all the node pairs which see a sharp fall in correlation, buses 9 and 6, 5 and 6, and 2 and 6, one can identify bus 6 as the common node of incidence of these edges or node pairs. It can be said that because of a data manipulation at bus 6 these node pairs have suffered the sharp drop in correlation. Thus, it is flagged as the point of attack. Since the data was originally replayed at bus 6 in our simulation, the detection validates the correctness of the proposed approach. It is to be noted that a drop in correlation for bus pair 2 and 6 is also observed at t = 55 s, but this does not trigger an alarm. This is because the drop is not instantaneous but slow and gradual. The reason is that, as the window of 25 s crosses t = 55.2 s, it has also crossed t = 30.2 s at the other end. This implies that the window now comprises only immediate post-fault data, rich in inter-bus voltage oscillations. Bus 6, being a load bus, participates in the post-fault voltage oscillations, but bus 2, being a generator bus, has smaller variations. This results in a drop in the $r^2$ value, but not sharp enough to trigger an alarm.

[Figure 4.9: plot of $r^2$ (0 to 1) for bus pairs 8-7 and 8-3 against time (s, 25 to 70); the Replay Attack is marked.]

Figure 4.9: Bus 8 fault at t = 30 s, attack at t = 65 s

Similar results have also been obtained for a replay attack at bus 8, shown in Figure 4.9. A 0.2 s fault at t = 30 s is replayed at t = 65 s. It is detected at t = 65.02 s by the sharp fall in the $r^2$ values of node pairs 8-3 and 8-7. Bus 8 is the common node and the suspected point of attack. The gradual decline in $r^2$ for the pair 8-7, starting at t = 55.2 s, is because of post-fault oscillations, as explained before. Although not clearly visible, there is an instantaneous drop in $r^2$ at t = 65.02 s for the pair 8-7.

4.5 Summary

The chapter presents two different schemes for detecting replay attacks on wide-area measurements. The singular value based approach discussed in Section 4.3 analyses the trends in the magnitudes of the dominant singular values of a window of measurements under multiple operating scenarios, and presents a condition for separating faults and outages from attacks based on the relative change in the magnitudes of the second and third singular values. The method, however, is slow due to computational overheads and cannot locate the source of the attack. It therefore needs to be augmented either with separate algorithms for attack localization or with resilient monitoring algorithms [39] which, when triggered, replace an anomaly with an estimate of the expected data. But it is robust and is not prone to false triggering under post-fault oscillations.

On the other hand, the Pearson correlation based method in Section 4.4 exploits the correlation in the time series measurement data to isolate the attacked bus. The detection is almost instantaneous. But unlike the SVD-based approach, it is not robust to false triggering in a post-fault window, when there may be relative oscillation between buses. One way to overcome this could be to compute the correlation only between those buses which have common observability of a mode of oscillation. This will be taken into account in a future extension of this work. Although the methods have been tested with voltage magnitudes as measurement data, the same can be applied to line current measurements and bus frequency measurements with appropriate processing. However, the relative detection performance with different types of measurement data taken together needs to be tested in future.


Chapter 5 Switching Attack on Wide-Area Damping Controller and Mitigation

5.1 Introduction

Attacks may not only aim at manipulating the integrity of sensor data but can also be targeted at altering the timing of data packets, resulting in unaccounted delays in communication or complete loss of information. As discussed in Chapter 2, unavailability of data can be critical to real-time applications like wide-area damping control, relay coordination [16] and wide-area voltage control [45] because of their stringent timing requirements. Thus, people with malicious intent may attempt to delay, block or deny time-critical information so as to drive the system to instability. In a typical Denial-of-Service (DoS) attack, the perpetrator floods the computer of the targeted controller with superfluous requests, overloading the system to the extent that legitimate data packets do not reach the controller. The impact of delays and loss of data on the stability of damping controllers has been extensively studied in [12, 46–48]. It has been observed that prolonged wait times can degrade the performance to the extent that, beyond a permissible delay margin, the closed-loop system could lose stability [46]. It is suggested in the literature [49] that if a controller senses significant latencies in remote channel communication it has the option to switch to available local feedback signals. Moreover, it has an incentive to switch early enough to avoid performance degradation from a large wait time. However, if the pre-programmed maximum wait time (switch-over time) in the controller is sufficiently small, the controller, under alternating periods of jamming and no jamming, will keep switching between local and remote signals at a rate fast enough to cause switching instability. This means that an intelligent attacker aware of this automated logic can periodically block and release data packets, forcing the system to switch back and forth between the signals. It is obvious that to retain stability the switch-over should happen before the delay margin is hit, and at the same time the dwell time should not be small enough to cause switching instability. The novelty of this work lies in identifying this allowable lower bound on the switching time. It is proposed that with a proper choice of feedback signals the system can be made stable for any switching frequency.

Main contributions:
(1) Investigating an attack strategy in which the communication channel is periodically jammed and released for a controller with a small wait time, which forces it to switch between feedback signals at a rate fast enough to cause instability;
(2) Identifying the lower limit on the switch-over time so as to disarm the attacker in the above-mentioned strategy; and
(3) Deciding on the choice of local and remote feedback signals for which the switched system is stable for any switching rate.

5.2 Background

5.2.1 Power Oscillation Damping Control

Ideally speaking, the power system is never truly at equilibrium. Because of load fluctuations and other minor variations, the system states experience small oscillations about the operating point. Unless damped adequately, these oscillations can grow at the onset of a disturbance, pulling the system to instability. The objective of a damping controller is to adjust the set points of power injection devices like FACTS, HVdc and Power System Stabilizers to meet the damping requirements [50], [51]. The input to these controllers can be locally measured feedback signals or remote signals synthesized from multiple wide-area measurements. As highlighted in Appendix A, wide-area damping has certain merits over local feedback signals. To study the slowly varying electromechanical modes it is reasonably accurate to eliminate the modes associated with network transients and approximate the system with a reduced-order classical model. The modelling approximations and the swing equations describing the reduced-order non-linear model can be found in Appendix A.

Linearization of the swing equation yields

$$
\Delta\dot{\delta} = \Delta\omega \qquad (5.1)
$$

$$
M\,\Delta\dot{\omega} = -\Delta P_e \qquad (5.2)
$$

The linearized state space model of the system can be written as

$$
\dot{x} = Ax + Bu, \qquad y = Cx + Du \qquad (5.3)
$$

where $x^T = \begin{bmatrix} \Delta\delta^T & \Delta\omega^T \end{bmatrix}$, and $u$ and $y$ are the controllable inputs and the observable outputs of the linearized system as described in equations (A.7) and (A.8) of Appendix A. The matrices $A$, $B$, $C$ and $D$ have been derived in equations (A.11) to (A.16). The eigenvalues of $A$ are the swing modes of interest. To introduce (or enhance) damping in these modes, a proper choice of feedback signals and control inputs has to be made based on observability and controllability measures. The detailed design procedure for the damping controller, with the choice of input-output pair, has been highlighted in Appendix A.

5.2.2 Communication Delay in the Feedback Path

Let us assume that the data packets reach the controller with a delay of $\tau$. The stability of the time-delayed system with variation in $\tau$ is studied in this subsection.

State space equations of the open-loop system:

$$
\dot{x}(t) = Ax(t) + BP^T u(t) \qquad (5.4)
$$

The wide-area feedback signal:

$$
y_{wac}(t) = PCx(t) \qquad (5.5)
$$

State space equations of the damping controller:

$$
\dot{x}_c(t) = A_c x_c(t) + B_c u_c(t) \qquad (5.6)
$$

$$
y_c(t) = C_c x_c(t) + D_c u_c(t)
$$

Let us assume a constant delay $\tau$ is introduced by the jammer in the path of the feedback signal to the controller:

$$
u_c(t) = y_{wac}(t - \tau), \qquad u(t) = y_c(t) \qquad (5.7)
$$

Thus,

$$
\dot{x}(t) = Ax(t) + BP^T C_c x_c(t) + BP^T D_c u_c(t) = Ax(t) + BP^T C_c x_c(t) + BP^T D_c PCx(t - \tau) \qquad (5.8)
$$

and

$$
\dot{x}_c(t) = A_c x_c(t) + B_c y_{wac}(t - \tau) = A_c x_c(t) + B_c PCx(t - \tau) \qquad (5.9)
$$

Combining equations (5.8) and (5.9),

$$
\begin{bmatrix} \dot{x}(t) \\ \dot{x}_c(t) \end{bmatrix} = \hat{A} \begin{bmatrix} x(t) \\ x_c(t) \end{bmatrix} + \hat{A}_d \begin{bmatrix} x(t - \tau) \\ x_c(t - \tau) \end{bmatrix} \qquad (5.10)
$$

where

$$
\hat{A} = \begin{bmatrix} A & BP^T C_c \\ 0 & A_c \end{bmatrix} \qquad (5.11)
$$

$$
\hat{A}_d = \begin{bmatrix} BP^T D_c PC & 0 \\ B_c PC & 0 \end{bmatrix} \qquad (5.12)
$$

The stability of the time-delay system can be inferred from its eigenvalues. The characteristic equation of the time-delay system can be written as

$$
\det\left(\lambda I - \hat{A} - \hat{A}_d e^{-\lambda\tau}\right) = 0 \qquad (5.13)
$$

Substituting $\tau = 0$ in the equation above yields the closed-loop delay-free swing modes (eigenvalues) of the system. Starting with $\tau = 0$, the transcendental equation is solved iteratively with small increments in $\tau$, till the roots ($\lambda$, eigenvalues) become purely imaginary. The value of $\tau$ at which $\lambda$ becomes purely imaginary is the delay margin, $\tau_m$.
1) For $\tau \ge \tau_m$, the system is unstable.
2) For $\tau \le \tau_m$, the system is stable.
This implies that an attacker can drive a system to instability by blocking a signal beyond the delay margin. Several methods have been reported in the literature to compute the delay margin for stability. These methods involve numerical techniques of varied complexity and precision in computing the imaginary roots of the transcendental equation. Some methods are computationally efficient but end up with conservative margins. A detailed review of the methods, comparing their strengths and weaknesses, can be found in [52].

Switching to local feedback

The delay margin is the maximum wait time permissible for the controller to avoid instability. But in practice the controller would be programmed to switch to the available substitutes well before this limit is hit, because a large wait time would degrade system performance. If the feedback signal does not reach the controller within this prescribed threshold, the controller perceives the situation as a failure of the wide-area communication link and switches to the available local feedback signal. However, this might introduce instability into the system in more than one way.
• Firstly, the unavailability of the feedback signal can change the closed-loop system matrix $A$ in a way that it may have some eigenvalues with positive real part;
• Secondly, even if the new system remains stable, very fast switching between two stable systems can lead to switching instability.
The first phenomenon is intuitive and has been discussed in [48]. The second phenomenon, instability due to fast switching, will be discussed in the next section as a jamming-induced switching attack.
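The iterative delay-margin procedure described above, as an added example that is not from the thesis and does not use its power-system model: a constructed single-machine swing model in which the damping term comes from a delayed speed signal, M Δω̇ = −K Δδ − D Δω(t − τ), written in the Â, Â_d form of (5.10) to (5.13). The step size, the finite-difference Newton continuation and the values M = 1, D = 0.5, K = 4 are assumptions of this example; for this model the first imaginary-axis crossing also has a closed form, which the code computes for comparison.

```python
"""Delay margin of a damping loop by the iterative procedure of Section 5.2.2: track a
delay-free swing mode of det(lambda*I - A_hat - A_hat_d * exp(-lambda*tau)) = 0, eq. (5.13),
while tau is increased in small steps, and stop when the root reaches the imaginary axis.
Constructed example, not the thesis's system: a single-machine swing model whose damping
comes from a delayed speed signal, M dw/dt = -K dδ - D dw(t - tau)."""
import numpy as np


def swing_with_delayed_damping(M=1.0, D=0.5, K=4.0):
    """A_hat and A_hat_d of (5.10)-(5.12) for x = [dδ, dw]; the delayed term is the D dw(t-tau) feedback."""
    A = np.array([[0.0, 1.0], [-K / M, 0.0]])
    Ad = np.array([[0.0, 0.0], [0.0, -D / M]])
    return A, Ad


def char_eq(lam, A, Ad, tau):
    """Left-hand side of the characteristic equation (5.13) at a complex lambda."""
    n = A.shape[0]
    return np.linalg.det(lam * np.eye(n) - A - Ad * np.exp(-lam * tau))


def continue_root(A, Ad, tau, lam0, tol=1e-12, max_iter=60, h=1e-5):
    """Newton iteration on (5.13) started from lam0, the root found for the previous tau."""
    lam = lam0
    for _ in range(max_iter):
        f = char_eq(lam, A, Ad, tau)
        df = (char_eq(lam + h, A, Ad, tau) - char_eq(lam - h, A, Ad, tau)) / (2 * h)
        step = f / df
        lam = lam - step
        if abs(step) < tol:
            break
    return lam


def delay_margin(A, Ad, dtau=1e-3, tau_max=10.0):
    """Increase tau from 0 in steps of dtau, continuing the lightly damped swing mode, until
    its real part crosses zero. Returns (tau_m, omega) with the crossing interpolated linearly."""
    eig = np.linalg.eigvals(A + Ad)          # tau = 0: delay-free closed-loop modes
    lam = eig[np.argmax(eig.imag)]            # swing mode with positive imaginary part
    tau = 0.0
    while tau < tau_max:
        lam_next = continue_root(A, Ad, tau + dtau, lam)
        if lam_next.real >= 0.0:
            frac = lam.real / (lam.real - lam_next.real)
            return tau + frac * dtau, lam_next.imag
        tau, lam = tau + dtau, lam_next
    return None


def analytic_margin(M=1.0, D=0.5, K=4.0):
    """Closed form for this model: on the imaginary axis (5.13) splits into
    -w^2 + (D/M) w sin(w tau) + K/M = 0 and (D/M) w cos(w tau) = 0, so the first crossing
    has w*tau = pi/2 with w the positive root of w^2 - (D/M) w - K/M = 0."""
    w = (D / M + np.sqrt((D / M) ** 2 + 4 * K / M)) / 2
    return np.pi / (2 * w), w


if __name__ == "__main__":
    A, Ad = swing_with_delayed_damping()
    print("iterative:", delay_margin(A, Ad))     # about (0.6933, 2.2656)
    print("analytic :", analytic_margin())
```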

5.3 Switching Attack on Damping Controller

In the preceding section the impact of delay on the performance of a damping controller has been discussed, and the need for switching over to local signals under communication failures has been emphasized. It has been highlighted that the maximum waiting time (and conversely, the minimum switching frequency) is decided by the delay margin of the controller. However, the lower limit on the switching time is yet to be identified. In this section we explore the impact of fast switching on the stability of the system. We investigate the stability of the system in a situation where the switch-over time (also, the wait time) of the controller is kept low and the attacker periodically blocks and releases the wide-area signal to force the controller to switch periodically between local and non-local feedback actions. The focus of this section is to project the vulnerability associated with keeping an early switch-over time without considering the aspect of jamming-induced switching instability. As the feedback path changes, the dynamics is made to switch between two closed-loop systems. Let $A_1$ model the system with the wide-area feedback action in place and $A_2$ model the system with the wide-area signal blocked and the local signal in place. If the wide-area communication channel is periodically blocked, the system switches periodically between $A_1$ and $A_2$. The state space equation of the periodically switched system can be written as

$$
\dot{x}(t) = \begin{cases} A_1 x(t), & t_0 + nT \le t < t_0 + (n + d)T \\ A_2 x(t), & t_0 + (n + d)T \le t < t_0 + (n + 1)T \end{cases} \qquad (5.14)
$$

where $T$ is the time period of the switching cycle and $dT$ is the maximum wait time of the wide-area controller in each switching state, $n = 0, 1, 2, 3, \ldots$
