Cyber Security in Smart Grids
EE 772: Smart Grids
Prof. S. A. Khaparde, Indian Institute of Technology Bombay
Introduction to Cyber-Physical Systems
- Communication between physical devices through a cyber layer
- Sensors and Actuators Network (SANET): each physical device is given one IP address
- Internet of Things (IoT)
- Concurrent cyber and physical links: a hardwired link between sensor and meter, and a communication link between sensor, meter and data center
- Requires analysing both the physical-layer dynamics (power system: faults, small-signal stability) and the communication-layer dynamics (latencies, packet drops)
- Tested by HIL (hardware-in-the-loop) simulations: RTDS simulating the physical system, with real communication links, servers and control centers
Cyber-Physical Interaction
Power and Information Flow in CPS Environment
Cyber-Physical Testbed
- Integrates both cyber and physical components: physical network and devices, communication layer and real-time control algorithms
- Co-simulation of cyber and physical components to capture the influence of one's dynamics on the other
- Useful tool to study system vulnerabilities, intrusion points, reliability, impact analysis and performance of mitigation algorithms
- Associated with visualization tools for impact analysis and operator training
Cyber-Physical Testbed
Components in a CPS testbed:
1. Software: various SCADA and EMS applications that monitor and control the physical system
2. Hardware: IEDs and PMUs that bridge the cyber and physical domains
3. Real-time simulator: FPGA model of the power system to compute the updated grid state in real time
4. Algorithms: to perform automated control functions
5. Communication links / HW interface: to interface the IEDs with the power system simulator and the control center
6. Architectures and protocols: real-world SCADA protocols
Cyber-Physical Testbeds: Applications
Cyber-Physical Testbed: Applications
Cyber-Physical Testbed
1. Physical system:
- RTDS simulation platform capable of real-time power system simulation; allows integration of IEDs and associated hardware through the standard protocols IEC 61850 and DNP3; closely mimics the physical response of the power system when subjected to fault-type scenarios
- DIgSILENT PowerFactory for non-real-time power system simulation. Unlike RTDS it does not allow physical connection of devices, but it allows simulation of larger systems with limited real-time constraints and has capability for advanced system analysis (tools for state estimation and contingency analysis)
Cyber-Physical Testbed
2. Control center: a computer capable of collecting measurements and status from field devices, managing historic data, advanced computing and decision making, human-in-the-loop interfaces, and sending control actions to virtual substations.
3. Substation: can be a computer (RTU) connected to hardware IEDs and communicating with the control center, or a virtual substation with virtual IEDs communicating with the control center. Has computing and actuating capabilities related to protection.
Cyber-Physical Testbed
4. Communications:
- Wide area network: communication between the control center and the substation RTU using real-life SCADA protocols (DNP3 over IP)
- Internet-scale cyber attack generation environment to orchestrate DoS and malicious data injection
- Within the substations, the IEC 61850 protocol is used to communicate status and commands between IEDs and between the IEDs and the RTU
- Manufacturing Message Specification (MMS) protocols are used to communicate analog and binary values between the IEDs and RTUs
Cyber-Physical Testbed: Logical Block Diagram of a CPS Environment
Cyber-Physical Testbed at Iowa State University
Major Cyber Attacks in Recent Past
Types of Attacks
1. Denial of Service attacks: the attacker floods the targeted controller (RTU/CC computer) with superfluous requests; the system becomes unavailable to legitimate users, packets drop, links fail, and necessary information is lost. Eg: a SYN flood DoS attack can be stopped by identifying and blocking the IP which causes the traffic.
Types of Attacks
2. Distributed DoS attack: a severe form of Denial of Service attack in which the traffic flooding the victim originates from multiple sources.
Types of Attacks
3. Time delay attacks: attackers can introduce deliberate delays into the sensing and feedback loops by jamming the network or by attacking the routing tables. Time delays can severely degrade the performance of control systems and can even lead to small-signal instability. In the protection paradigm, information is time critical; latencies can lead to malfunctioning of relays.
4. GPS spoofing attacks: a GPS spoofing attack attempts to deceive a GPS receiver by broadcasting incorrect GPS signals, structured to resemble a set of normal GPS signals, or by rebroadcasting genuine signals captured elsewhere or at a different time. PMUs are susceptible to these attacks.
Types of Attacks
5. False data injection attacks: the attacker hacks into the system and corrupts the sensor readings in such a way that the corruption goes undetected by the bad data detection system in the control center. Due to the high degree of correlation between sensor readings in a power system (thanks to KCL and KVL), the attacker has to have access to a large set of meter readings, geographically spread across locations; this form of coordinated attack is difficult to realize. Even if the control center identifies the source of bad data and purges that set of meter readings, the attacker may aim to spoil many meters so as to render the system unobservable. State estimators are prone to these attacks.
Types of Attacks
6. Eavesdropping and replay attacks: a kind of man-in-the-middle attack in which the attacker hacks into the communication system and gains access to the data packets being transferred. It may not be able to decode the messages due to encryption, but it can copy these packets and store them, while simultaneously observing the controller's response to them. This lets the attacker correlate an action with a packet (e.g. opening of a breaker with packet A, closing with packet B, and so on). When it needs that action to be performed again (malicious breaker tripping), it simply obstructs the actual packets and replays the previously stored packets.
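The replay attack above works even when the attacker cannot decrypt the packets, because confidentiality alone says nothing about freshness. The following receiver-side check is an added example, not code from the lecture or from any SCADA product: each command carries a sequence number that is bound into an HMAC-SHA256 tag, and the receiver rejects any authenticated packet whose sequence number is not strictly greater than the last one it accepted. The shared key, the packet format and the breaker identifier are constructed for the example.

```python
import hmac
import hashlib

# Constructed shared key for the example (an assumption; a real deployment
# would provision per-device keys through the protocol's security profile).
SHARED_KEY = b"constructed-example-key-not-for-production"


def build_command(seq, command, key=SHARED_KEY):
    """Build a control packet 'seq:command|tag' with tag = HMAC-SHA256(key, 'seq:command').

    Binding the sequence number into the authenticated data means a stored
    genuine packet cannot be re-sent later without the receiver noticing it is stale.
    """
    body = f"{seq}:{command}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class CommandReceiver:
    """Accept a command only if its tag verifies and its sequence number is
    strictly greater than the last accepted one (replays and forgeries fail)."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1
        self.log = []  # (seq, command, verdict) entries for audit

    def accept(self, packet):
        try:
            body, tag = packet.rsplit(b"|", 1)
        except ValueError:
            self.log.append((None, None, "malformed"))
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            self.log.append((None, None, "bad-tag"))
            return False
        seq_text, command = body.decode().split(":", 1)
        seq = int(seq_text)
        if seq <= self.last_seq:
            # A genuine packet captured earlier and replayed later lands here.
            self.log.append((seq, command, "replay"))
            return False
        self.last_seq = seq
        self.log.append((seq, command, "accepted"))
        return True


def replay_scenario():
    """Packet A opens a breaker, packet B closes it; the attacker later replays A.

    Returns (A accepted, B accepted, replayed A accepted, forged packet accepted, last_seq).
    """
    rx = CommandReceiver()
    packet_a = build_command(1, "OPEN BREAKER CB-12")    # CB-12 is a constructed id
    packet_b = build_command(2, "CLOSE BREAKER CB-12")
    first = rx.accept(packet_a)
    second = rx.accept(packet_b)
    replayed = rx.accept(packet_a)                        # seq 1 <= last_seq 2
    forged = rx.accept(b"3:OPEN BREAKER CB-12|" + b"0" * 64)  # no valid tag
    return first, second, replayed, forged, rx.last_seq


if __name__ == "__main__":
    print(replay_scenario())   # (True, True, False, False, 2)
```

The sequence counter must survive restarts (or be re-synchronised with a fresh nonce exchange), otherwise a receiver that reboots to `last_seq = -1` would accept the whole captured history again.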
Cyber Attack on Power System Operations
Figure: power injection and flow measurements (data from remote sensors) -> Control Centre -> System States -> Operation Decisions
False Data Injection Attacks
- Attacker modifies either the MEASUREMENT DATA received by the control centre or the NETWORK TOPOLOGY as perceived by the control centre
- Corruption is intelligent so as to AVOID DETECTION
- PERFECT ATTACKS: attacker has knowledge of the topology
- IMPERFECT ATTACKS: attacks constructed from measurement data alone; knowledge of the topology is NOT EXACT!
- WRONG ESTIMATES lead to WRONG DECISIONS in the merit of the attacker
- Attacker's intention: economic merit in the market, large scale terrorism
To avoid detection the attack vector a has to be in the column span of the H matrix: a = H c
False Data Injection on AC State Estimation: residues for generalized false data injection
Perfect Attack: To Ensure
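The condition a = Hc and the bad data detection it evades can be seen on a small DC state estimator. The following is an added example, not code from the lecture: a constructed 3-bus system with bus 1 as slack, five meters (three line flows and two injections), a weighted least-squares estimate and a threshold on the residual norm. A perfect attack a = Hc leaves the residual exactly unchanged and shifts the estimate by c, while an imperfect attack that corrupts one meter without regard to the topology inflates the residual and trips the detector. The susceptances, true state, noise vector and threshold are all constructed values.

```python
import numpy as np

# Constructed 3-bus DC power-flow model (not from the lecture). Bus 1 is the
# slack with angle 0, so the state vector is x = [theta2, theta3]. Five sensors
# report the real-power flows P12, P13, P23 and the injections P2, P3.
B12, B13, B23 = 10.0, 5.0, 8.0   # line susceptances in p.u. (constructed)

H = np.array([
    [-B12,         0.0],         # P12 = B12*(theta1 - theta2)
    [0.0,         -B13],         # P13 = B13*(theta1 - theta3)
    [B23,         -B23],         # P23 = B23*(theta2 - theta3)
    [B12 + B23,   -B23],         # P2  = P21 + P23 (injection at bus 2)
    [-B23,   B13 + B23],         # P3  = P31 + P32 (injection at bus 3)
])
W = np.eye(H.shape[0])           # equal measurement weights (assumption)

# Constructed true state and a fixed small noise vector so the run is repeatable.
X_TRUE = np.array([-0.05, -0.08])
NOISE = np.array([0.0008, -0.0011, 0.0006, -0.0004, 0.0012])
Z_CLEAN = H @ X_TRUE + NOISE
THRESHOLD = 0.01                 # bad-data threshold on the residual norm (assumption)


def wls_estimate(z):
    """Weighted least-squares DC state estimate x_hat = (H^T W H)^-1 H^T W z."""
    gain = H.T @ W @ H
    return np.linalg.solve(gain, H.T @ W @ z)


def residual_norm(z):
    """Weighted norm of r = z - H x_hat, the quantity bad-data detection thresholds."""
    r = z - H @ wls_estimate(z)
    return float(np.sqrt(r @ W @ r))


def bad_data_detected(z, threshold=THRESHOLD):
    """Chi-square style test reduced to a fixed threshold on the residual norm."""
    return residual_norm(z) > threshold


def perfect_attack(c):
    """Attack vector a = H c, i.e. in the column span of H (needs exact topology)."""
    return H @ c


def imperfect_attack(index, magnitude):
    """Corrupt a single meter without regard to the topology (not in the span of H)."""
    a = np.zeros(H.shape[0])
    a[index] = magnitude
    return a


def compare_attacks():
    """Return (residual_clean, residual_perfect, residual_imperfect, estimate_shift).

    estimate_shift is x_hat(z + Hc) - x_hat(z), which equals c for any WLS estimator.
    """
    c = np.array([0.02, -0.01])
    z_perfect = Z_CLEAN + perfect_attack(c)
    z_imperfect = Z_CLEAN + imperfect_attack(2, 0.05)   # 0.05 p.u. added to P23
    shift = wls_estimate(z_perfect) - wls_estimate(Z_CLEAN)
    return (residual_norm(Z_CLEAN), residual_norm(z_perfect),
            residual_norm(z_imperfect), shift)


if __name__ == "__main__":
    clean, perfect, imperfect, shift = compare_attacks()
    print(f"clean residual     {clean:.5f}  detected={clean > THRESHOLD}")
    print(f"perfect attack     {perfect:.5f}  detected={perfect > THRESHOLD}  shift={shift}")
    print(f"imperfect attack   {imperfect:.5f}  detected={imperfect > THRESHOLD}")
```

The residual r = (I - H(H^T W H)^-1 H^T W) z annihilates anything in the column span of H, which is exactly why residual-based detection cannot see a = Hc; the defender's leverage is in what the slides call the imperfect case, where the attacker's H is not the operator's H, and in protecting or cross-checking enough meters that no usable c exists.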
Automatic Generation Control
- Adjusts GENERATOR OUTPUTS to maintain FREQUENCY and TIE LINE FLOWS at scheduled values
- AREA CONTROL ERROR (ACE): very fast acting, ACE signals every 5 secs; no elaborate algorithm to validate data
- If ACE is positive, it is a signal to the generators to ramp down; if ACE is negative, it is a signal to the generators to ramp up
- But the perceived change in FREQUENCY and the perceived change in LOAD should be consistent
- An attacker modifies the sensor outputs of TIE LINE flows and FREQUENCY to orchestrate an attack
Types of Attacks on Automatic Generation Control
- Scaling attacks act faster than ramp attacks, but AGCs are equipped with rate limiters
- The high rate of change of ACE in scaling attacks can get detected by rate limiters
Attacks in a Two Area Power System
- Any change in TIE LINE flow is perceived as a change in LOAD, and hence the change in frequency has to corroborate with it
Attacks in a Two Area Power System
- Interpreted by AGC as excess generation in area 1; sends a signal to ramp down
- Load-generation mismatch ... shortage in generation ... fall in frequency
- Under-frequency relays trip ... large regions are isolated
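The two detection ideas in the AGC slides, the rate limiter and the consistency between perceived tie-line change and perceived frequency change, can be run over constructed ACE samples. The following is an added example, not code from the lecture: ACE is computed in the usual tie-line bias form ACE = dPtie + B*df every 5 s, a scaling attack multiplies the reported tie-line flow by a factor, a ramp attack adds a slowly growing offset, and two monitors flag samples. The bias, rate limit, schedule and tolerances are constructed values, and the consistency check is a simplified plausibility test of the lecture's statement, not a standard AGC function.

```python
DT = 5.0  # seconds between ACE samples (the lecture: ACE signals every 5 secs)


def ace(delta_ptie, delta_f, bias):
    """Area control error in tie-line bias form: ACE = dPtie + B * df."""
    return delta_ptie + bias * delta_f


def ace_series(ptie_meas, f_meas, ptie_sched, f_nom, bias):
    """ACE at every sample from reported tie-line flow and frequency."""
    return [ace(p - ptie_sched, f - f_nom, bias) for p, f in zip(ptie_meas, f_meas)]


def rate_limit_flags(ace_vals, max_rate, dt=DT):
    """Sample indices where |ACE[k]-ACE[k-1]|/dt exceeds the rate limiter (MW/s)."""
    return [k for k in range(1, len(ace_vals))
            if abs(ace_vals[k] - ace_vals[k - 1]) / dt > max_rate]


def consistency_flags(ptie_meas, f_meas, ptie_sched, f_nom, flow_tol=1.0, f_tol=0.01):
    """Samples where the tie-line flow is off schedule by more than flow_tol MW
    while frequency has not moved by more than f_tol Hz.

    Simplified plausibility check (assumption): a genuine flow change is caused
    by a load change and must therefore show up in the frequency as well.
    """
    return [k for k, (p, f) in enumerate(zip(ptie_meas, f_meas))
            if abs(p - ptie_sched) > flow_tol and abs(f - f_nom) <= f_tol]


def scaling_attack(ptie_meas, start, factor):
    """Multiply the reported tie-line flow by `factor` from sample `start` on."""
    return [p * factor if k >= start else p for k, p in enumerate(ptie_meas)]


def ramp_attack(ptie_meas, start, slope_mw_per_s, dt=DT):
    """Add an offset that grows linearly in time from sample `start` on."""
    return [p + slope_mw_per_s * dt * (k - start) if k >= start else p
            for k, p in enumerate(ptie_meas)]


# Constructed area-1 data: 12 samples of a perfectly scheduled interchange.
PTIE_SCHED = 100.0   # MW
F_NOM = 50.0         # Hz
BIAS = 500.0         # MW/Hz frequency bias (constructed)
MAX_RATE = 2.0       # MW/s rate limiter (constructed)
PTIE_TRUE = [PTIE_SCHED] * 12
F_TRUE = [F_NOM] * 12


def compare_agc_attacks(start=4):
    """Return (rate flags scaling, rate flags ramp, final ACE scaling, final ACE ramp)."""
    scaled = scaling_attack(PTIE_TRUE, start, 1.2)          # +20 MW step
    ramped = ramp_attack(PTIE_TRUE, start, 0.5)             # +2.5 MW per sample
    ace_scaled = ace_series(scaled, F_TRUE, PTIE_SCHED, F_NOM, BIAS)
    ace_ramped = ace_series(ramped, F_TRUE, PTIE_SCHED, F_NOM, BIAS)
    return (rate_limit_flags(ace_scaled, MAX_RATE), rate_limit_flags(ace_ramped, MAX_RATE),
            ace_scaled[-1], ace_ramped[-1])


def compare_consistency(start=4):
    """Return (consistency flags scaling, consistency flags ramp)."""
    scaled = scaling_attack(PTIE_TRUE, start, 1.2)
    ramped = ramp_attack(PTIE_TRUE, start, 0.5)
    return (consistency_flags(scaled, F_TRUE, PTIE_SCHED, F_NOM),
            consistency_flags(ramped, F_TRUE, PTIE_SCHED, F_NOM))


if __name__ == "__main__":
    print(compare_agc_attacks())   # ([4], [], 20.0, 17.5)
    print(compare_consistency())   # ([4, ..., 11], [5, ..., 11])
```

The rate limiter catches the scaling attack at the single sample where ACE jumps, but the ramp stays below the limit and still drives ACE to a comparable value by the end of the window; the consistency check flags both, because in neither case does the reported frequency move with the reported flow.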
Figure (market flow with state estimation in the loop):
- Generator bids and forecasted loads -> Day Ahead Market -> Ex-Ante LMP at each node, optimal generation schedule, expected line flows
- Real-time State Estimation -> Real Time Market -> Ex-Post LMP
- Attack -> manipulated sensor data -> line flow variations, fed into the real-time market
- Attacker has the information about the Ex-Ante LMPs and line flows
Dispatch
- Day Ahead Market: schedule and Ex-Ante LMP calculation; dispatch instruction sent to generators
- Real Time Market: need to recalculate LMP based on run-time data to charge the difference in consumption/generation
- Stochastic nature of loads ... variation in dispatch ... real-time generation dispatch and flows are different
- LMP calculated from Lagrange multipliers
Real Time Market
- Incremental OPF on the estimated flows
- Difference in LMP between two nodes
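Because the real-time LMP comes from an incremental OPF on the estimated flows, the nodal price difference depends on what the state estimator reports, not on the true flow. The following is an added example, not the lecture's market model: a constructed two-bus system with a cheap generator at bus 1, an expensive one at bus 2, the only load at bus 2 and one line with a thermal limit. The day-ahead dispatch sets the ex-ante prices, and the ex-post LMP at bus 2 is the marginal cost of whichever unit can serve a small load increment given the estimated headroom on the line. Costs, capacities, limit and offsets are constructed values.

```python
# Constructed two-bus, two-generator model (an assumption, not the lecture's
# market model). G1 at bus 1, G2 at bus 2, the only load at bus 2, one line
# from bus 1 to bus 2 with a thermal limit. Prices in $/MWh, power in MW.
C1, C2 = 20.0, 50.0          # marginal costs of G1 (cheap) and G2 (expensive)
CAP1, CAP2 = 300.0, 300.0    # generator capacities
LINE_LIMIT = 150.0           # MW


def day_ahead_dispatch(load, limit=LINE_LIMIT):
    """Ex-ante dispatch and LMPs: serve the bus-2 load with G1 up to the line limit,
    the remainder with G2. The bus-2 price is the cost of the unit that would
    serve the next MW there."""
    g1 = min(load, limit, CAP1)
    g2 = load - g1
    if g2 > CAP2:
        raise ValueError("load exceeds available generation")
    lmp2 = C1 if g1 < min(limit, CAP1) else C2
    return {"g1": g1, "g2": g2, "flow": g1, "lmp1": C1, "lmp2": lmp2}


def ex_post_lmp(estimated_flow, delta_load=5.0, limit=LINE_LIMIT):
    """Incremental OPF around the estimated operating point.

    A load increment at bus 2 is served by G1 while the estimated flow leaves
    headroom on the line, otherwise by G2; the marginal unit sets the ex-post
    LMP at bus 2. The line is considered congested when headroom <= delta_load.
    """
    headroom = limit - estimated_flow
    d_g1 = max(0.0, min(delta_load, headroom))
    d_g2 = delta_load - d_g1
    lmp2 = C1 if headroom > delta_load else C2
    return {"lmp1": C1, "lmp2": lmp2, "congestion": lmp2 - C1,
            "d_g1": d_g1, "d_g2": d_g2}


def attack_effect(true_flow, injected_offset, delta_load=5.0):
    """Ex-post congestion component (lmp2 - lmp1) computed from the true flow and
    from a flow estimate that a false data injection has shifted by `injected_offset`.
    Returns (honest, manipulated)."""
    honest = ex_post_lmp(true_flow, delta_load)
    manipulated = ex_post_lmp(true_flow + injected_offset, delta_load)
    return honest["congestion"], manipulated["congestion"]


if __name__ == "__main__":
    print(day_ahead_dispatch(200.0))   # congested: lmp1 20, lmp2 50
    print(day_ahead_dispatch(100.0))   # uncongested: lmp1 20, lmp2 20
    print(attack_effect(140.0, +8.0))  # (0.0, 30.0): estimate made to look congested
    print(attack_effect(148.0, -5.0))  # (30.0, 0.0): real congestion hidden
```

An offset of a few MW on a single flow estimate is enough to switch the bus-2 price between 20 and 50 in this model, in either direction; this is why the market settlement inherits whatever the state estimator's bad data detection lets through, and why flow estimates near a thermal limit deserve the cross-checks discussed under false data injection.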