Cyber-physical Models of Power System State Estimation Security
György Dán, School of Electrical Engineering, KTH Royal Institute of Technology, Stockholm, Sweden
Joint work with: Ognjen Vuković, Henrik Sandberg, Kin Cheong Sou, André Teixeira, Karl-Henrik Johansson, Gunnar Karlsson
TCIPG Seminar Series, 7 December 2012
Slide 2: Supervisory Control and Data Acquisition (SCADA)
• Computerized monitoring and control
  - Real-time data acquisition
• Metering
  - Voltage, current, power
• Status information
  - Breakers
• Control
• Energy Management System (EMS)
  - Short circuit calculation
  - Contingency analysis
  - Optimal power flow (A. Teixeira et al., "Optimal Power Flow: Closing the Loop over Corrupted Data," in Proc. of American Control Conference (ACC), Jun. 2012)
  - State estimation (L. Xie et al., "False Data Injection Attacks in Electricity Markets," in Proc. of IEEE SmartGridComm, Oct. 2010)
  - ...
György Dán http://www.ee.kth.se/~gyuri
Slide 3: Model-based State Estimation
[Figure: small network with line reactances $X_{12}$, $X_{13}$ and measurements $z_1$, $z_2$]
• Steady-state power flow model
• Estimation of the bus phase angles (the state vector $x$) from the measurement vector $z$
  - Weighted Least Squares (WLS) estimation
  - Gauss-Newton algorithm
Slide 4: Bad Data Detector (BDD)
• Measurement residual: $r = z - \hat{z} = z - h(\hat{x}) = h(x) + e - h(\hat{x})$, with measurements $z = h(x) + e$
• Hypothesis testing
  - H0: random measurement noise
  - Various methods: $\chi^2$ test (normal distribution), maximum normalized residual
• BDD alarm
[Figure: block diagram; measurements $z = h(x) + e$ feed the state estimator (output $\hat{x}$) and the bad data detector (residual $r$, alarm), followed by contingency analysis, optimal power flow and the operator (controls $u_1$, $u_2$)]
Slide 5: State Estimator and BDD
[Figure: block diagram as on slide 4, without the attacker: $z = h(x) + e$, state estimator $\hat{x}$, bad data detector $r$, contingency analysis, optimal power flow, operator $u_1$, $u_2$]
Slide 6: Naïve Attack on the State Estimator
[Figure: the attacker adds $a$ to the measurements, so the estimator receives $z_a = h(x) + a + e$ instead of $z = h(x) + e$ and outputs $\hat{x}_a$; the residual $r$ is large and the bad data detector raises an alarm ("Alarm!")]
Slide 7: State Estimator and BDD (repeat of the slide 5 block diagram, without attacker)
Slide 8: Stealth Attack on the State Estimator
• Linearization of the measurement model: $H = \left.\frac{\partial h(x)}{\partial x}\right|_{x = x_0}$
• Attack vector $a = Hc$, so the estimator receives $z_a = h(x) + a + e$ instead of $z = h(x) + e$
• Estimator output $\hat{x} + c$; residual $r$ unchanged: no alarm...
[Figure: block diagram as on slide 6 with the attacker adding $a = Hc$]
Y. Liu, P. Ning, and M. Reiter, "False data injection attacks against state estimation in electric power grids," in Proc. ACM CCS, 2009, pp. 21–32.
Slide 9: Two Examples
• Simple network
• 40 bus training network
  - Real and pseudo measurement data (66 measurement points)
Slide 10: Minimum Effort Stealth Attacks
[Figure: 40 bus training network; legend: maximum metering redundancy vs. actual metering redundancy]
• Based on linear approximation
• Pseudo measurements unchanged
Slide 11: Specific Attack: "Naive" Attack
• Attack of transmission line (measurement 33)
• Manipulation of 1 measurement value at BLOO
Slide 12: Specific Attack: "Stealth" Attack
• Attack of transmission line (measurement 33)
• Manipulation of 7 measurements at 5 substations
Slide 13: Experiment: "Stealthy" vs "Naive" Attack

Target bias (MW) | Estimated value (MW) | # BDD alarms
0                | -14.8                | 0
50               | 36.2                 | 0
100              | 86.7                 | 0
150              | 137.5                | 0
200              | Non-convergent       |

(Callout beside the 150 MW row: bad data detected & removed. Transmission line nominal rating: 260 MVA.)
• SCADA/EMS system
• Complete state estimator (active and reactive power)
• Attacked data written to SCADA database
Teixeira et al., "A Cyber Security Study of a SCADA Energy Management System: Stealthy Deception Attacks on the State Estimator," in Proc. of IFAC World Congress, Aug. 2011
Slide 14: Protection against "Stealth" Attacks
• Calculate the effort needed for attack
• Increase the effort needed for attack
  - Maximize attack cost $C(P)$ for protection budget $M$ (arg max-min formulation over the protected set $P$)
  - Make attacks impossible: protection of at least $n$ measurements
Y. Liu, P. Ning, and M. Reiter, "False data injection attacks against state estimation in electric power grids," in Proc. ACM CCS, 2009, pp. 21–32.
R. Bobba et al., "Detecting false data injection attacks on DC state estimation," in Preprints of the First Workshop on Secure Control Systems, CPSWEEK 2010, 2010.
G. Dán, H. Sandberg, "Stealth Attacks and Protection Schemes for State Estimators in Power Systems," in Proc. of IEEE SmartGridComm, Oct. 2010
Slide 15: Protection against "Stealth" Attacks (same content and references as slide 14; figure callouts 1 and 3)
Slide 16: Protection against "Stealth" Attacks (same content and references as slide 14; figure callout 1; adds the question: Effort?)
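An added illustration of slides 8 and 14 to 16 (example code, not from the talk or its papers): a DC-model WLS estimator with a residual-based BDD on a constructed 3-bus network. It checks that an attack vector of the form $a = Hc$ leaves the residual, and therefore the BDD decision, unchanged, and that protecting a set $P$ of measurements blocks every such attack exactly when $H$ restricted to $P$ has full column rank, which requires at least $n$ protected measurements. The 3-bus model, the matrix H and the measurement values are constructed for the example.

```python
from fractions import Fraction as F

# Constructed 3-bus DC model, bus 1 as angle reference, state x = [theta2, theta3];
# rows of H are line flows P12, P13, P23 and injection P1 (all reactances 1 p.u.).
H = [[-1, 0], [0, -1], [1, -1], [-1, -1]]
# Constructed measurements z = H x + e for x = [-1/2, -3/10] and small noise e.
Z = [F(51, 100), F(28, 100), F(-20, 100), F(81, 100)]

def solve(A, b):
    """Gauss-Jordan solve of A x = b for square A, in exact rational arithmetic."""
    n = len(A)
    M = [[F(v) for v in row] + [F(b[i])] for i, row in enumerate(A)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c:
                M[r] = [a - M[r][c] * b_ for a, b_ in zip(M[r], M[c])]
    return [row[n] for row in M]

def rank(A):
    """Rank of A by row reduction; rank(H_P) < n means H_P c = 0 has a nonzero solution c."""
    M, rk = [[F(v) for v in row] for row in A], 0
    for c in range(len(M[0])):
        p = next((r for r in range(rk, len(M)) if M[r][c] != 0), None)
        if p is None: continue
        M[rk], M[p] = M[p], M[rk]
        for r in range(len(M)):
            if r != rk and M[r][c] != 0:
                f = M[r][c] / M[rk][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[rk])]
        rk += 1
    return rk

def wls(H, z):
    """Unit-weight WLS estimate x_hat = (H^T H)^-1 H^T z (the linear DC case of the estimator)."""
    n = len(H[0])
    HtH = [[sum(row[i] * row[j] for row in H) for j in range(n)] for i in range(n)]
    Htz = [sum(row[i] * zk for row, zk in zip(H, z)) for i in range(n)]
    return solve(HtH, Htz)

def residual(H, z):
    """BDD input r = z - H x_hat; adding any a = H c to z leaves r unchanged."""
    x = wls(H, z)
    return [F(zk) - sum(h * xi for h, xi in zip(row, x)) for row, zk in zip(H, z)]

def attack_blocked(H, protected):
    """True iff protecting measurement rows P blocks every stealth attack: rank(H_P) == number of states."""
    return bool(protected) and rank([H[i] for i in protected]) == len(H[0])
```

With two states, protecting any two of the four rows of this H already gives full column rank, while a single protected row never does.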
Slide 17: SCADA Attack Surface and Costs
[Figure: four substations (1-4) connected to the control center over IEC 60870-5 on PSTN links]
• Attack cost
  - Number of attacked infrastructure components
• Protection cost
  - Number of protected infrastructure components
  - Equipment upgrades
  - Key management
  - Performance implications
• Heterogeneous infrastructure
  - Point-to-point links (PSTN, leased line)
  - Multi-hop links (OPGW)
Slide 18: SCADA Attack Surface and Costs (same bullets as slide 17; the figure now shows substations 1-4 communicating over IEC 60870-5 on OPGW, i.e. multi-hop links)
Slide 19: Cyber-Physical Infrastructure Model
[Figure: example network with substations 1-4]
• $n$: number of buses
• $M$: set of measurements
• $S$: set of substations
• $c$: control center
• $m \in M$: measurement taken at substation $S(m)$
• $G(S, E)$: communication system, an undirected graph
• $R(s)$: set of established routes for substation $s$, $R(s) = \{r_s^1, r_s^2, \ldots\}$ with $r_s^i \subseteq S$ and $s \in r_s^i$
  - $|R(s)| = 1$: all measurement data are sent over a single route to $c$
  - $|R(s)| > 1$: all data are split equally over the routes to $c$
O. Vuković et al., "Network-aware Mitigation of Data Integrity Attacks on Power System State Estimation," IEEE Journal on Selected Areas in Communications (JSAC), vol. 30, no. 6, July 2012
Slide 20: Mitigation Schemes
• Bump-in-the-wire (BITW) authentication
  - $E \subseteq S$: set of substations that use BITW authentication
  - $E(r_s^i)$: set of substations where data sent over route $r_s^i$ is susceptible to attack
  - $s \in E$: $E(r_s^i) = \{s\}$
  - $s \notin E$: $E(r_s^i) = r_s^i \setminus E$
• Physical protection
  - Guards or video surveillance
  - $P \subseteq S$, $c$: physically protected substations and the control center
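An added worked example of the route model on slide 19 and the mitigation schemes on slide 20 (example code, not from the talk or the JSAC paper): on a constructed four-substation topology with single shortest-path routing it computes the susceptible set $E(r_s)$ for each substation under a BITW set and a physical-protection set, the resulting per-substation exposure, and the attack cost of slide 17 as the fewest substations that must be compromised to alter a target set of measurements. The topology, the measurement placement and the rule that physically protected substations cannot be attacked are assumptions of the example.

```python
from collections import deque
from itertools import combinations

C = "c"  # control center
# Constructed communication graph G(S, E): links between substations 1-4 and c.
EDGES = [(C, 1), (1, 2), (1, 3), (2, 4)]
# Constructed measurement set M with the substation S(m) each measurement is taken at.
S_OF_M = {"m1": 1, "m2": 2, "m3": 2, "m4": 3, "m5": 4}

def shortest_route(s, edges=EDGES):
    """Single-path routing r_s: BFS shortest path from substation s to c (c included)."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    prev, q = {s: None}, deque([s])
    while q:
        u = q.popleft()
        for v in adj[u]:
            if v not in prev:
                prev[v] = u
                q.append(v)
    route, u = [], C
    while u is not None:
        route.append(u)
        u = prev[u]
    return route[::-1]

def susceptible(s, bitw=(), physical=(), edges=EDGES):
    """E(r_s): {s} if s uses BITW, else the non-BITW substations on its route, minus physically protected ones (assumed not attackable)."""
    exposed = {s} if s in bitw else set(shortest_route(s, edges)) - {C} - set(bitw)
    return exposed - set(physical)

def exposure(bitw=(), physical=(), edges=EDGES, meas=S_OF_M):
    """Per substation, the number of measurements an attacker located there could alter."""
    counts = {}
    for s in meas.values():
        for node in susceptible(s, bitw, physical, edges):
            counts[node] = counts.get(node, 0) + 1
    return counts

def min_attack_cost(targets, bitw=(), physical=(), edges=EDGES, meas=S_OF_M):
    """Attack cost as on slide 17: fewest substations whose compromise lets every target measurement be altered (brute force; None if blocked)."""
    sets = [susceptible(meas[m], bitw, physical, edges) for m in targets]
    nodes = sorted(set().union(*sets), key=str)
    for k in range(1, len(nodes) + 1):
        if any(all(set(combo) & s for s in sets) for combo in combinations(nodes, k)):
            return k
    return None
```

In this topology substation 1 lies on every route, so without BITW a single compromised substation suffices for any target set; deploying BITW at substation 2 raises the cost for targets that include its measurements.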
Slide 21: Illustration: IEEE 118 Bus Network
• Topology
  - Star
  - Mesh
• Baseline scenario
  - Single path routing
  - Shortest path