Compromising Security of Economic Dispatch in Power System Operations
Devendra Shelar, MIT
Dependable Systems and Networks, June 29th, 2017
Joint work with Saurabh Amin (MIT), Pengfei Sun and Saman Zonouz (Rutgers)
Focus of the talk

Economic dispatch
• United States - 4 billion MWh of energy produced annually
• Around $400 billion revenue per annum
• Day-ahead market, real-time operations

Question - Cybersecurity of economic dispatch software (in the control center) in the wake of semantics-aware memory data compromises

[Figure: generation, transmission lines, substation, distribution lines and the control center; typical communication paths versus new communication requirements]
Security failures (attacks): post Stuxnet
• Cyberspies: hacking into US electric grid (2009)
• Dragonfly: DERs give backdoor entry (2013)
• Sniper attack: PG&E's Metcalf substation (2013)
• Ukraine: outages & equipment damage (2016)
Shelar 3
Motivation

Characteristics of previous attacks
• Not geographically diverse attacks
• Attacks on control center nodes
• Sub-optimal attacks that did not fully exploit the physics of the underlying system
• In the Ukraine attack, the attacker had full control of the grid controller
• Power was restored after 6 hours

Question
• Can there be a more damaging attack with less attacker control?
Our contributions

Semantic data attack on power grid controller software
• Attack on the control algorithm - Economic Dispatch (ED)
• Using network and power system knowledge
• Game-theoretic framework for the optimal attack strategy
• Implementation based on memory data corruption
• Leverages logical memory invariants in the software
• Implemented on widely used ED software
Overall approach

Attacker's 3-step plan
1. Memory pattern extraction using offline software analysis
2. Optimal attack generation for modifiable parameters
3. Run-time attack: control-sensitive data location and corruption

[Figure: the controller software's control loop (measurements in from sensors, control commands out to actuators) over the power system, shown before and after memory control-data corruption; the cyber side is labelled protected, the physical side exposed]
Related Work

Cyber security issues of the power system
• M. Reiter et al. – False data injection attacks against state estimation
• Z. Zhang et al. – Bad data identification based on measurements
• Z. Kalbarczyk et al. – False data injection attacks against automatic generation control

Physical vulnerabilities of the power system
• Bienstock et al. – N-k problem, cascades
• Kevin Wood et al. – Network interdiction problem

Comments
• Lack of an integrated approach to implement the optimal attack inside the control algorithm
• Assume that the attacker can directly compromise distributed sensors or components
• Assume knowledge of network parameters that usually resides at the control center
Attacker's 3-step plan
1. Memory pattern extraction using offline software analysis
2. Optimal attack generation for modifiable parameters (this part)
3. Run-time attack: control-sensitive data location and corruption
Optimal attack generation

A sequential game between the attacker and the defender (operator)
• Attacker moves first: stealthily manipulates parameters of the economic dispatch
• Defender (operator) moves next: computes the economic dispatch

Problem statement
• Determine the optimal attack plan (i.e. parameter manipulation) that maximizes power system violations
• Assuming the defender runs economic dispatch with the manipulated DLR (dynamic line rating) values
Economic Dispatch
• Inputs: network topology; generator / demand data; network parameters
• Constraints: device limits; power flows; supply-demand balance
• Output: generation levels
• Objective: minimize cost of generation
Economic Dispatch

$$\min_{q,\,\iota,\,g}\; D(q) \qquad \text{(minimize total cost of generation)}$$

subject to

• Total supply = total demand: $\sum_{j \in H} q_j = \sum_{k \in W} e_k$
• Ohm's law (DC power flow): $g_{jk} = \gamma_{jk}\,(\iota_j - \iota_k) \quad \forall \{j,k\} \in F$
• Power flow conservation: $\sum_{k:\{j,k\} \in F} g_{jk} = \sum_{i \in H_j} q_i - e_j \quad \forall j \in W$
• Line capacity limits: $|g_{jk}| \le v_{jk} \quad \forall \{j,k\} \in F$
• Generation bounds: $q_j^{\min} \le q_j \le q_j^{\max} \quad \forall j \in H$
• Generation cost function: $D(q) = \sum_{j \in H} \left( b_j q_j^2 + c_j q_j + d_j \right)$

(Notation: $H$ generators, $H_j$ generators at bus $j$, $W$ buses, $F$ lines; $q$ generation, $e$ demand, $\iota$ bus angles, $g$ line flows, $v$ line ratings.)
Dynamic Line Ratings (DLR)

$$v_{jk} = \begin{cases} v^{s}_{jk} & \text{if } \{j,k\} \in F^{s} \text{ (static)} \\ v^{d}_{jk} & \text{if } \{j,k\} \in F^{d} \text{ (DLR)} \end{cases}$$

Lower and upper bounds for DLR values: $v^{\min}_{jk} \le v^{d}_{jk} \le v^{\max}_{jk}$
Economic dispatch (compact form)

$$z^\star(v^d),\, t^\star(v^d) \in \arg\min_{z,\,t}\ \tfrac{1}{2} z^\top I z + h_1^\top z + h_2 \qquad \text{subject to}\quad Cz + t = c,\ \ t \ge 0$$
Illustration of DLR manipulation (3-bus example)
• G2 has lower costs
• Load $e_3 = 300$
• If $v^{d}_{13} = v^{d}_{23} = 150$ (true ratings), then
  – $q_1 = q_2 = 150$
  – $g_{13} = g_{23} = 150$
• If the attacker claims $v^{a}_{13} = 100,\ v^{a}_{23} = 200$, then
  – $q_1 = 0,\ q_2 = 300$ MW
  – $g_{13} = 100,\ g_{23} = 200$: a 33% violation of the true rating of line 2-3
Sequential Game

Sequential interaction between the attacker and the defender (operator)

Attacker model
• Action set - compromise DLR values: $v^{d}_{jk} = v^{a}_{jk}$ such that $v^{\min}_{jk} \le v^{a}_{jk} \le v^{\max}_{jk}$
• Objective - maximize the maximum line capacity violation over all DLR lines:
$$V^{\max} := \max_{v^{a}}\ \max_{\{j,k\} \in F^{d}}\ 100 \left( \frac{|g^\star_{jk}(v^{a})|}{v^{d}_{jk}} - 1 \right)$$
where $\left(q^\star, \iota^\star, g^\star\right)(v^{a}) \in \arg\min_{q,\,\iota,\,g} D(q)$ s.t. the economic dispatch constraints, evaluated with the manipulated ratings $v^{a}$

Defender model
• Assumes the (possibly manipulated) DLR values
• Computes the economic dispatch solution
KKT-based Mixed Integer Linear Program

Bilevel problem, solved as $2|F^{d}|$ subproblems (focus on one DLR line, and one flow sign, at a time):
$$\max_{y}\ a^\top z^\star \quad \text{s.t.}\quad By \le f, \qquad z^\star, t^\star \in \arg\min_{z,\,t}\ \tfrac{1}{2} z^\top I z + h_1^\top z + h_2 \ \ \text{s.t. } Cz + t = c - Gy,\ t \ge 0$$

Replace the inner (convex) problem by its KKT conditions:
$$\max_{y,\, z^\star,\, t^\star,\, \mu^\star,\, \nu}\ a^\top z^\star \quad \text{s.t.}\quad By \le f$$
• Primal feasibility: $Cz^\star + t^\star = c - Gy,\quad t^\star \ge 0$
• Dual feasibility: $\mu^\star \ge 0$
• Stationarity: $Iz^\star + h_1 + C^\top \mu^\star = 0$
• Complementary slackness $\mu_i^\star t_i^\star = 0$, linearized with binaries: $t_i^\star \le M(1 - \nu_i),\ \ \mu_i^\star \le M \nu_i,\ \ \nu_i \in \{0,1\}$

$M$ is an upper bound on the dual and slack variables; $y$ is the attacker's DLR manipulation and $a$ picks out the flow on the DLR line under focus.
Optimal attack strategy on 3 node network

3-bus system: the attacker strategy (largely) exhibits a bang-bang policy.

[Figures: attacker's gain and operator's cost; true line capacity ratings and demand over a 24 hour horizon]
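The 3-bus illustration and the attacker's objective above, carried through as an added example. This is not the authors' code and not taken from any of the ED tools named later in the talk. Everything in it is an assumption chosen to reproduce the slide: equal-reactance lines (so the DC power-transfer distribution factors are exact thirds), linear generator costs instead of the quadratic $D(q)$, a 300 MW load at bus 3, true ratings of 150 MW on every line, and an attacker-plausible DLR range of 100-200 MW. With two generators and one load the DC dispatch collapses to a one-dimensional LP, so no solver is needed; the attacker's search over the box $[v^{\min}, v^{\max}]^2$ is done by brute force as a stand-in for the KKT MILP, and the corner-only search checks the bang-bang observation.

```python
"""Constructed 3-bus DC economic dispatch under true vs. attacker-claimed DLR values.
Added example, not the authors' code; every number is an assumption chosen to
reproduce the slide's illustration."""
from itertools import product

# Buses 1, 2, 3; generator G1 at bus 1, G2 at bus 2; the only load is at bus 3.
# With equal reactances the DC power-transfer distribution factors are exact
# fractions: each entry is (flow per MW of q1, flow per MW of q2), with the load
# bus 3 as the withdrawal point and positive flow from the lower to the higher bus.
PTDF = {(1, 2): (1 / 3, -1 / 3), (1, 3): (2 / 3, 1 / 3), (2, 3): (1 / 3, 2 / 3)}
COST = {1: 20.0, 2: 10.0}           # $/MWh, linear; G2 is the cheaper unit
GEN_MAX = {1: 300.0, 2: 300.0}      # q_j^max (q_j^min = 0)
LOAD = 300.0                        # e_3
TRUE_RATING = {(1, 2): 150.0, (1, 3): 150.0, (2, 3): 150.0}   # true v_jk
DLR_LINES = [(1, 3), (2, 3)]        # F^d: ratings the attacker can overwrite
DLR_MIN, DLR_MAX = 100.0, 200.0     # v^min, v^max: claimed values must look plausible
EPS = 1e-9


def line_flows(q1, q2):
    """DC power flows g_jk for a given dispatch (Ohm's law + conservation via PTDF)."""
    return {ln: a * q1 + b * q2 for ln, (a, b) in PTDF.items()}


def economic_dispatch(ratings):
    """Operator's ED with the ratings it believes.  With two generators and one
    load, q2 = LOAD - q1, so the LP collapses to an interval for q1; the linear
    cost then puts the optimum at the cheaper endpoint.  Raises on infeasibility."""
    lo, hi = max(0.0, LOAD - GEN_MAX[2]), min(GEN_MAX[1], LOAD)
    for ln, (a, b) in PTDF.items():
        slope, offset = a - b, b * LOAD          # g_ln = slope*q1 + offset
        v = ratings[ln]
        if abs(slope) < EPS:
            if abs(offset) > v + EPS:
                raise ValueError(f"line {ln} overloaded for every dispatch")
            continue
        r1, r2 = (-v - offset) / slope, (v - offset) / slope   # |g_ln| <= v
        lo, hi = max(lo, min(r1, r2)), min(hi, max(r1, r2))
    if lo > hi + EPS:
        raise ValueError("economic dispatch infeasible under these ratings")
    q1 = lo if COST[1] >= COST[2] else hi        # marginal cost of q1 vs q2
    return q1, LOAD - q1


def claimed_ratings(v13, v23):
    """Ratings as seen by the operator after the attacker overwrites the DLR lines."""
    r = dict(TRUE_RATING)
    r[(1, 3)], r[(2, 3)] = v13, v23
    return r


def max_violation(claimed):
    """Attacker payoff: dispatch under the claimed ratings, then measure the
    resulting flows against the TRUE ratings, in percent over the limit."""
    g = line_flows(*economic_dispatch(claimed))
    return max(100.0 * (abs(g[ln]) / TRUE_RATING[ln] - 1.0) for ln in DLR_LINES)


def search_attacks(candidates):
    """Best (v13, v23, payoff) among candidate claims.  Claims that make the ED
    infeasible are skipped: the operator would notice, so they are not stealthy."""
    best = None
    for v13, v23 in candidates:
        try:
            payoff = max_violation(claimed_ratings(v13, v23))
        except ValueError:
            continue
        if best is None or payoff > best[2]:
            best = (v13, v23, payoff)
    return best


def optimal_attack(step=10.0):
    """Brute-force the attacker's box [v^min, v^max]^2 on a grid (stand-in for the MILP)."""
    n = int(round((DLR_MAX - DLR_MIN) / step))
    grid = [DLR_MIN + i * step for i in range(n + 1)]
    return search_attacks(product(grid, grid))


def corner_attack():
    """Same search restricted to the corners of the box (a bang-bang policy)."""
    return search_attacks(product((DLR_MIN, DLR_MAX), repeat=2))


if __name__ == "__main__":
    print("true ratings    ->", economic_dispatch(TRUE_RATING))
    fake = claimed_ratings(100.0, 200.0)
    print("claimed 100/200 ->", economic_dispatch(fake), f"violation {max_violation(fake):.1f}%")
    print("grid search     ->", optimal_attack())
    print("corners only    ->", corner_attack())
```

Two things the toy makes visible that the slide only states: the claimed pair (100, 100) is skipped because it leaves no feasible dispatch, so an attacker who wants to stay stealthy must keep the manipulated problem feasible; and the grid search never beats the corner search, because for a linear-cost dispatch the payoff is monotone in each claimed rating up to the point where a generator limit binds.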
Optimal attack strategy on 118 node network
• The bang-bang policy holds for the larger network.
• The line capacity violation under AC power flows can be smaller than under DC power flows.
• The attacker's approximate (DC) model may therefore overestimate the impact of the attack.
Attacker's 3-step plan
1. Memory pattern extraction using offline software analysis
2. Optimal attack generation for modifiable parameters
3. Run-time attack: control-sensitive data location and corruption (this part)
Semantics-aware memory attack

[Figure: post-attack power system state]
Memory Data Manipulation Attack

[Figure: attack pipeline]
• Inputs: the controller executable (binary code) and the critical data source (e.g., sensors)
• Logical memory structural pattern extraction (through memory taint tracking) → memory pattern predicates
• Instantiated object and member field data pointers and their type reverse engineering → candidate memory addresses
• Critical data region locator within the dynamic memory, using the extracted code and data pointers and their interdependencies
• Memory vulnerability exploit generation → exploit that corrupts the located data
Logical memory structural patterns
• Intra-class type patterns
  – Intra-class
  – Fixed offset
  – Data types and/or values
• Code pointer-instruction patterns
  – Code segments read-only
  – Virtual function table
  – Virtual function prologue
• Data pointer-based patterns
  – Inter-object dependencies
  – Recursive pointer traversal
  – Directed graph

ED software - PowerWorld, NEPLAN, PowerFactory, PowerTools, SmartGridToolbox
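The three pattern classes above, applied to a raw memory image, as an added example. This is not the authors' tooling and not code from any of the ED products listed; the object layout (a hypothetical C++ `Line` with a vtable pointer, two bus ids, a rating and a `next` pointer), the text and heap address ranges, and the 256-byte dump are all constructed here. The scan keeps only objects whose vtable pointer lands in the read-only text segment (code-pointer pattern), whose fixed-offset fields have the right types and plausible values (intra-class pattern), and whose `next` pointers resolve to other surviving objects forming a chain (data-pointer pattern); the final step overwrites the located rating in place, which is the run-time corruption the pipeline ends in.

```python
"""Constructed example of locating and overwriting a control-sensitive value (a line
rating) in a raw memory image using the three pattern classes of the slides.
Added here; not the authors' tooling and not taken from any of the listed ED
products.  The object layout, address ranges and dump contents are all assumptions."""
import math
import struct

# Assumed 64-bit little-endian process.  Code (read-only text) and heap ranges are
# invented; in practice they come from the memory map of the controller process.
TEXT_LO, TEXT_HI = 0x400000, 0x500000
HEAP_BASE = 0x600000
VTABLE_LINE = 0x4A1000                 # hypothetical vtable of a C++ `Line` class

# Hypothetical `Line` object layout, as offline binary analysis might recover it:
#   +0  vtable pointer  (code-pointer pattern: must point into the text segment)
#   +8  from_bus  uint32 (intra-class pattern: fixed offsets, types, value ranges)
#   +12 to_bus    uint32
#   +16 rating    double, MW  <- the DLR value the attacker wants to corrupt
#   +24 next      pointer to the next Line (data-pointer pattern: inter-object graph)
LINE_FMT = "<QIIdQ"
LINE_SIZE = struct.calcsize(LINE_FMT)  # 32 bytes
RATING_OFF = 16


def build_dump():
    """Constructed 256-byte heap image: three chained Line objects plus two decoys."""
    objs = {
        0x00: (0x7FFFF7A00000, 1, 2, 150.0, 0),            # decoy: vtable outside text
        0x20: (VTABLE_LINE, 1, 2, 150.0, HEAP_BASE + 0x60),
        0x60: (VTABLE_LINE, 1, 3, 150.0, HEAP_BASE + 0xA0),
        0xA0: (VTABLE_LINE, 2, 3, 120.0, 0),
        0xE0: (VTABLE_LINE, 3, 3, -5.0, 0),                # decoy: impossible field values
    }
    dump = bytearray(b"\xcc" * 0x100)                       # filler between objects
    for off, fields in objs.items():
        struct.pack_into(LINE_FMT, dump, off, *fields)
    return bytes(dump)


def scan_for_lines(dump, base):
    """Return [(address, from_bus, to_bus, rating)] for objects that satisfy all
    three pattern classes, in pointer-traversal order from the list head."""
    cands = {}
    for off in range(0, len(dump) - LINE_SIZE + 1, 8):
        vt, a, b, rating, nxt = struct.unpack_from(LINE_FMT, dump, off)
        if not TEXT_LO <= vt < TEXT_HI:                          # code-pointer pattern
            continue
        if not (1 <= a <= 9999 and 1 <= b <= 9999 and a != b):   # intra-class pattern
            continue
        if not (math.isfinite(rating) and 0.0 < rating < 5000.0):
            continue
        if nxt and not (base <= nxt < base + len(dump) and nxt % 8 == 0):
            continue
        cands[base + off] = (a, b, rating, nxt)
    # Data-pointer pattern: every `next` must land on another surviving candidate.
    # Iterate to a fixpoint because dropping one object can orphan its predecessor.
    while True:
        kept = {ad: rec for ad, rec in cands.items() if rec[3] == 0 or rec[3] in cands}
        if len(kept) == len(cands):
            break
        cands = kept
    targets = {rec[3] for rec in cands.values()}
    chain, seen = [], set()
    for head in (ad for ad in cands if ad not in targets):     # recursive traversal
        cur = head
        while cur in cands and cur not in seen:
            seen.add(cur)
            a, b, rating, nxt = cands[cur]
            chain.append((cur, a, b, rating))
            cur = nxt
    return chain


def locate_rating(dump, base, from_bus, to_bus):
    """Address of the rating field of line (from_bus, to_bus), or None if not found."""
    for addr, a, b, _ in scan_for_lines(dump, base):
        if (a, b) == (from_bus, to_bus):
            return addr + RATING_OFF
    return None


def corrupt_rating(dump, base, addr, new_rating):
    """Run-time step: overwrite the located double in place and return the new image."""
    out = bytearray(dump)
    struct.pack_into("<d", out, addr - base, new_rating)
    return bytes(out)


if __name__ == "__main__":
    img = build_dump()
    print("located:", scan_for_lines(img, HEAP_BASE))
    target = locate_rating(img, HEAP_BASE, 2, 3)
    img2 = corrupt_rating(img, HEAP_BASE, target, 200.0)
    print("after corruption:", scan_for_lines(img2, HEAP_BASE))
```

Both decoys survive the first look (they are the right size and sit at aligned addresses) and are rejected only by the predicates: the first because its vtable pointer falls outside the read-only code range, the second because a line from bus 3 to bus 3 with a negative rating cannot be a valid instance. The same predicates are what a defender can invert: a checker that walks the same chain and flags a rating outside its static bounds, or a `next` pointer that no longer resolves, detects this class of corruption without knowing the exploit.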