Cyber Security in Smart Grids EE 772 : Smart Grids Prof. S. A. - - PowerPoint PPT Presentation



SLIDE 1

Cyber Security in Smart Grids

EE 772 : Smart Grids

Prof. S. A. Khaparde

Indian Institute of Technology Bombay

SLIDE 2

Introduction to Cyber-Physical Systems

  • Communication between physical devices through a cyber layer - Sensors and Actuators Network (SANET)
  • Each physical device is given one IP address - Internet of Things (IoT)
  • Concurrent cyber and physical links - hardwired link between sensor and meter, communication link between sensor, meter and data center
  • Requires analysing both the physical layer dynamics (power system - faults, small signal stability) and the communication layer dynamics (latencies, packet drops)
  • Tested by hardware-in-the-loop (HIL) simulations - use of RTDS (simulating the physical system), real communication links, servers and control centers

SLIDE 3

Cyber-Physical Interaction

SLIDE 4

Power and Information Flow in CPS Environment

SLIDE 5

Cyber Physical Testbed

  • Integrates both cyber and physical components - physical network and devices, communication layer and real time control algorithms
  • Co-simulation of cyber and physical components to capture the influence of one’s dynamics on the other
  • Useful tool to study system vulnerabilities, intrusion points, reliability, impact analysis and performance of mitigation algorithms
  • Associated with visualization tools for impact analysis and operator training

SLIDE 6

Cyber-Physical Testbed

Components in a CPS Testbed:

  1. Software - Various SCADA and EMS applications that monitor and control the physical system
  2. Hardware - IEDs and PMUs that bridge the cyber and physical domains
  3. Real-time Simulator - FPGA model of the power system to compute the updated grid state in real time
  4. Algorithms - To perform automated control functions
  5. Communication Links / HW Interface - To interface the IEDs with the power system simulator and the control center
  6. Architectures and Protocols - Real-world SCADA protocols

SLIDE 7

Cyber-Physical Testbeds : Applications

SLIDE 8

Cyber-Physical Testbed : Applications

SLIDE 9

Cyber Physical Testbed

  1. Physical System:
    • RTDS simulation platform with capability to perform real-time power system simulation; allows integration of IEDs and associated hardware through the standard protocols IEC 61850 and DNP3; closely mimics the physical response of the power system when subjected to fault-type scenarios
    • DIgSILENT PowerFactory for non-real-time power system simulation. Unlike RTDS it does not allow physical connection of devices, but it allows simulation of larger systems with limited RT constraints and has capability for advanced system analysis - tools for SE and Contingency Analysis

SLIDE 10

Cyber Physical Testbed

  2. Control Center - A computer capable of collecting measurements and status from field devices, managing historic data, advanced computing and decision making, human-in-the-loop interfaces and sending control actions to virtual substations.
  3. Substation - Can be a computer (RTU) connected to hardware IEDs and communicating with the control center, or could be a virtual substation with virtual IEDs communicating with the control center. Has computing and actuating capabilities related to protection.

SLIDE 11

Cyber Physical Testbed

  4. Communications
    • Wide area network - communication between CC and substation RTU using real-life SCADA protocols (DNP3 over IP)
    • Internet-scale cyber attack generation environment to orchestrate DoS and malicious data injection
    • Within the substations, the IEC 61850 protocol is used to communicate status and commands between the other IEDs and the RTU
    • Manufacturing Message Specification (MMS) protocols are used to communicate analog and binary values between the IEDs and RTUs

SLIDE 12

Cyber-Physical Testbed

Logical Block Diagram of a CPS Environment

SLIDE 13

Cyber-Physical Testbed at Iowa State University

SLIDE 14

Major Cyber Attacks in Recent Past

SLIDE 15

Types of Attacks

  1. Denial of Service Attacks - Attacker floods the targeted controller (RTU/CC computer) with superfluous requests - system unavailable to legitimate users - packets drop - link fails - loss of necessary information. Eg : a SYN flood DoS attack can be stopped by identifying and blocking the IP which causes the traffic

SLIDE 16

Types of Attacks

  2. Distributed DoS Attack - Severe form of Denial of Service attack where the traffic flooding the victim originates from multiple sources.

SLIDE 17

Type of Attacks

  3. Time Delay Attacks - Attackers can introduce deliberate delays into the sensing and feedback loops by jamming the network or by attacking the routing tables. Time delays can severely degrade the performance of control systems and can even lead to small signal instability. In the protection paradigm, information is time critical; latencies can lead to malfunctioning of relays.
  4. GPS Spoofing Attacks - A GPS spoofing attack attempts to deceive a GPS receiver by broadcasting incorrect GPS signals, structured to resemble a set of normal GPS signals, or by rebroadcasting genuine signals captured elsewhere or at a different time. PMUs are susceptible to these attacks.

SLIDE 18

Type of Attacks

  5. False Data Injection Attacks - Attacker hacks into the system and corrupts the sensor readings in a way that goes undetected by the bad data detection system in the control center. Due to the high degree of correlation between the sensor readings in a power system (thanks to KCL and KVL), the attacker has to have access to a large set of meter readings, geographically spread across locations. This form of coordinated attack is difficult to realize. Even if the control center identifies the source of bad data and purges that set of meter readings, the attacker may aim to spoil many meters so as to render the system unobservable. State Estimators are prone to these attacks.

SLIDE 19

Type of Attacks

  6. Eavesdropping and Replay Attacks - A kind of Man-in-the-Middle attack in which the attacker hacks into the communication system and gains access to the data packets being transferred. It may not be able to decode the message due to encryption, but can make a copy of these packets and store them. Simultaneously, it observes the response of the controller to these messages. This helps the attacker to correlate an action with a packet (Eg. opening of a breaker with packet A, closing with B, and so on). When it needs that action to be performed again (malicious breaker tripping) it simply obstructs the actual packets and replays the previously stored packets.

SLIDE 20

Cyber Attack on Power System Operations

SLIDE 21

SLIDE 22

Diagram: power injection & flow measurement data from remote sensors feed the Control Centre, which estimates the System States and takes Operation Decisions.

SLIDE 23

False Data Injection Attacks

Attacker modifies either the MEASUREMENT DATA received by the control centre or the NETWORK TOPOLOGY as perceived by the control centre. Corruption is intelligent to AVOID DETECTION.

WRONG ESTIMATES lead to WRONG DECISIONS in merit of the attacker.

PERFECT ATTACKS – Attacker has knowledge of topology
IMPERFECT ATTACKS – Attacks constructed from measurement data alone. Knowledge of Topology is NOT EXACT !

Attacker’s Intention: Economic Merit in Market, Large Scale Terrorism

SLIDE 24

To avoid detection the Attack Vector has to be in the column span of the H matrix:

a = H c

With measurements z = H x + e and attacked measurements z + a = H (x + c) + e, the estimate shifts by c while the residual z − H x̂ checked by the bad data detector is unchanged.
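The condition a = H c worked through on a small DC state estimator, as an added example that is not part of the lecture slides: the 3-bus model, its measurement set, the meter noise and the detection threshold are all constructed here. The block estimates the bus angles by least squares, computes the residual statistic J = rᵀr that a bad data detector thresholds, and compares a single corrupted meter (caught) with a coordinated injection in the column span of H (not caught, while the estimate moves by exactly c). It shows from the defender's side why the residual test alone does not protect state estimation and why the attacker's need to know H and to touch every meter consistently is the hard part the slide points to.

```python
# Added example (not from the lecture slides): a coordinated false data injection
# a = H c passes the residual-based bad data detector of a DC state estimator.
# The 3-bus DC model, the measurement set, the noise vector and the threshold are constructed.

# Bus 1 is the angle reference, so the state vector is x = [theta2, theta3].
# Measurements z = [P12, P23, P13, P1, P2] with all line reactances = 1 p.u.,
# which gives the linear model z = H x + noise with this H:
H = [
    [-1.0,  0.0],   # P12 = (theta1 - theta2) / x12 = -theta2
    [ 1.0, -1.0],   # P23 =  theta2 - theta3
    [ 0.0, -1.0],   # P13 = -theta3
    [-1.0, -1.0],   # P1  =  P12 + P13 (injection at bus 1)
    [ 2.0, -1.0],   # P2  = -P12 + P23 (injection at bus 2)
]
X_TRUE = [-0.1, -0.3]                                 # constructed true angles (rad)
METER_NOISE = [0.002, -0.001, 0.0015, -0.002, 0.001]  # constructed meter errors
J_THRESHOLD = 1e-3   # constructed; in practice a chi-square quantile for m - n degrees of freedom


def matvec(a, v):
    return [sum(aij * vj for aij, vj in zip(row, v)) for row in a]


def transpose(a):
    return [list(col) for col in zip(*a)]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system a x = b."""
    n = len(a)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def wls_estimate(h, z):
    """Least-squares estimate x_hat = (H^T H)^-1 H^T z (unit weights) and residual r = z - H x_hat."""
    ht = transpose(h)
    x_hat = solve(matmul(ht, h), matvec(ht, z))
    residual = [zi - hxi for zi, hxi in zip(z, matvec(h, x_hat))]
    return x_hat, residual


def residual_cost(residual):
    """Bad data detector statistic J = r^T r."""
    return sum(ri * ri for ri in residual)


def bad_data_detected(h, z, threshold=J_THRESHOLD):
    _, residual = wls_estimate(h, z)
    return residual_cost(residual) > threshold


def measurements():
    """Constructed clean measurement vector z = H x_true + noise."""
    return [hx + n for hx, n in zip(matvec(H, X_TRUE), METER_NOISE)]


def stealthy_injection(h, c):
    """Attack vector in the column span of H: a = H c (requires knowledge of H and of every meter)."""
    return matvec(h, c)


def demo():
    z = measurements()
    x_clean, r_clean = wls_estimate(H, z)
    # Coordinated injection: all five meters shifted consistently with c.
    c = [0.05, -0.02]
    z_attack = [zi + ai for zi, ai in zip(z, stealthy_injection(H, c))]
    x_attack, r_attack = wls_estimate(H, z_attack)
    # Naive corruption of one meter (P12 only) is caught by the same detector.
    z_naive = z[:]
    z_naive[0] += 0.5
    return {
        "J_clean": residual_cost(r_clean),
        "J_attack": residual_cost(r_attack),
        "estimate_shift": [xa - xc for xa, xc in zip(x_attack, x_clean)],
        "attack_detected": bad_data_detected(H, z_attack),
        "naive_detected": bad_data_detected(H, z_naive),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows J unchanged between the clean and the injected case, the estimate shifted by c, and only the single-meter corruption flagged; the same logic carries over to the weighted (Wᵀ) form with a diagonal covariance, since the attack vector stays in the column span of H regardless of the weights.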

SLIDE 25

False Data Injection on AC State Estimation

Residues :

For Generalized False Data Injection

SLIDE 26

Perfect Attack: To Ensure

SLIDE 27

SLIDE 28

Automatic Generation Control

Adjust GENERATOR OUTPUTS to maintain FREQUENCY and TIE LINE FLOWS at scheduled values. Very fast acting : ACE signals every 5 secs. No elaborate algorithm to validate data. But… perceived change in FREQUENCY and perceived change in LOAD should be consistent.

AREA CONTROL ERROR

If ACE is positive, it is a signal to the generators to Ramp Down. If ACE is negative, it is a signal to the generators to Ramp Up. An attacker modifies the sensor outputs of TIE LINE flows and FREQUENCY to orchestrate an attack.

SLIDE 29

Types of Attacks on Automatic Generation Control

Scaling attacks act faster than Ramp Attacks, but AGCs are equipped with rate limiters… A high rate of change of ACE, as in Scaling attacks, can get detected by rate limiters.
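The ACE evaluation of SLIDE 28 with the rate limiter of SLIDE 29, as an added example that is not from the lecture slides. The sign convention ACE = ΔP_tie + β·Δf with β > 0 in MW/Hz (positive ACE means the area is over-generating, so ramp down, as on the slide), the bias β, the tie-line schedule, the rate limit and the two sensor series are assumed or constructed here. Each 5 s cycle computes ACE from the reported tie flow and frequency; a cycle whose ACE jumps by more than the limit is flagged and its ramp command withheld, which is what stops a stepped (scaling-type) sensor value from being acted on directly.

```python
# Added example (not from the lecture slides): area control error (ACE) evaluated once
# per AGC cycle, with a rate limiter applied to the change in ACE between cycles.
# Assumed sign convention: ACE = dP_tie + beta * df with beta > 0 in MW/Hz, so a
# positive ACE means the area is over-generating (ramp down), matching the slide.
# The bias, schedule, rate limit and sample series are constructed.

AGC_CYCLE_S = 5.0             # ACE evaluated every 5 s (as stated on the slide)
FREQ_BIAS_MW_PER_HZ = 600.0   # assumed area frequency bias beta
TIE_SCHEDULE_MW = 100.0       # assumed scheduled net tie-line export of the area
NOMINAL_HZ = 50.0
ACE_RATE_LIMIT_MW = 40.0      # assumed: largest credible change of ACE within one cycle


def area_control_error(tie_flow_mw, freq_hz):
    """ACE = (P_tie - P_tie,sched) + beta * (f - f0)."""
    return (tie_flow_mw - TIE_SCHEDULE_MW) + FREQ_BIAS_MW_PER_HZ * (freq_hz - NOMINAL_HZ)


def ramp_direction(ace_mw):
    """Positive ACE -> generators ramp down, negative -> ramp up (as on the slide)."""
    if ace_mw > 0:
        return "ramp_down"
    if ace_mw < 0:
        return "ramp_up"
    return "hold"


def run_agc(samples):
    """samples: (tie_flow_mw, freq_hz) reported by the sensors for each 5 s cycle.

    Returns one record per cycle. When ACE jumps by more than the rate limit the cycle
    is flagged and its ramp command is withheld for operator review, so a stepped
    sensor value does not drive the generators directly."""
    records, prev_ace = [], None
    for k, (tie_mw, freq_hz) in enumerate(samples):
        ace = area_control_error(tie_mw, freq_hz)
        delta = 0.0 if prev_ace is None else ace - prev_ace
        flagged = abs(delta) > ACE_RATE_LIMIT_MW
        records.append({
            "t_s": k * AGC_CYCLE_S,
            "ace_mw": ace,
            "delta_ace_mw": delta,
            "flagged": flagged,
            "command": "withheld" if flagged else ramp_direction(ace),
        })
        prev_ace = ace
    return records


def flagged_cycles(records):
    return [i for i, rec in enumerate(records) if rec["flagged"]]


# Constructed sensor series (tie flow in MW, frequency in Hz), one tuple per 5 s cycle.
# Cycle 3 carries a stepped tie-flow value, the scaling-type manipulation of the slide.
STEP_SERIES = [(100.0, 50.000), (102.0, 50.010), (101.0, 50.005),
               (160.0, 50.005), (160.0, 50.004)]
# A gradual change of 5 MW per cycle stays inside the limit and is not flagged.
SLOW_SERIES = [(100.0, 50.0), (105.0, 50.0), (110.0, 50.0), (115.0, 50.0), (120.0, 50.0)]


if __name__ == "__main__":
    for rec in run_agc(STEP_SERIES):
        print(rec)
    print("flagged (step):", flagged_cycles(run_agc(STEP_SERIES)))
    print("flagged (slow):", flagged_cycles(run_agc(SLOW_SERIES)))
```

The limiter only bounds the per-cycle change, so a change that stays inside the limit passes it; that is the distinction the slide draws between scaling and ramp attacks. The consistency the slides ask for between a change in tie-line flow and the corresponding change in frequency is a separate check and is not implemented here.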

SLIDE 30

Attacks in a Two Area Power System

Any change in TIE LINE flow is perceived as a change in LOAD, and hence the change in frequency has to corroborate it.

SLIDE 31

Attacks in a Two Area Power System

Interpreted by AGC as excess generation in area 1, it sends a signal to ramp down… Load-generation mismatch… Shortage in generation… Fall in frequency… Under-frequency relays trip… Large regions are isolated.

SLIDE 32

SLIDE 33

Diagram labels: Day Ahead Market - Generator Bids and Forecasted Loads in; Ex-Ante LMP at each Node, Optimal Generation Schedule and Expected Line Flows out. State Estimation - Manipulated Sensor Data (Attack Variations). Real Time Market - Ex-Post LMP. Attacker has the information about Ex-Ante LMPs and Line Flows.

SLIDE 34

Dispatch Schedule & Ex-Ante LMP Calculation

Day Ahead Market: LMP calculated from Lagrange Multipliers; Dispatch Instruction sent to Generators.

Stochastic Nature of Loads… Variation in Dispatch… Real time generation and flows are different. Need to recalculate LMP based on run time data to charge for the difference in consumption/generation.

Real Time Market

SLIDE 35

Real Time Market

Incremental OPF on the estimated flows

Difference in LMP between two nodes

SLIDE 36

Virtual Trading

Node j1, Node j2

Buy at Day Ahead Market & Sell at Real Time Market; Sell at Day Ahead Market & Buy at Real Time Market

Attacking Principle

Corrupt sensor data such that

Ensure:

SLIDE 37

SLIDE 38

SLIDE 39

ATTACKS ON VOLTAGE CONTROL

Attacks targeted on TAP CHANGING TRANSFORMERS

Attacks on Voltage Stability; Attacks targeting efficient operation

Under Normal Operating Conditions: Attackers compromise sensors - Reported values lower than actual - Operators increase tap setting - System operates inefficiently at higher voltage - Voltage stress on equipment

SLIDE 40

ATTACKS ON VOLTAGE CONTROL

Attacks targeted on TAP CHANGING TRANSFORMERS

Attacks targeting Voltage Stability

Under Conditions of Voltage Drop: Attackers compromise sensors - Reported values higher than actual - Operators decrease tap setting - System voltage further drops - Voltage collapse

SLIDE 41

Types of Attacks on Voltage Control

De-synchronization Attacks; Denial of Cooperation Attacks; Data Injection Attacks

Mechanisms: DoS attack on the communication network by flooding it with junk packets; delay in time-critical voltage signals for control; insertion of malicious data into voltage measurements

SLIDE 42

Conclusion

1. The attacker has to be intelligent to design an attack with the time scale of the operation in mind
2. State estimation runs every 5 min, involving strong data consistency checks… Attacks targeting SE have to be intelligent to bypass these checks
3. AGC and Voltage Control run every 5 sec… Attacks targeting AGC have to be fast considering the time scale of events
4. Operations like Market clearing, where SE forms a building block, can be manipulated by manipulating SE

SLIDE 43

Attack-Resilient Monitoring and Control of Power Grid

Kaustav Chatterjee

Department of Electrical Engineering, Indian Institute of Technology Bombay

M.Tech. Presentation, 2018

Kaustav Chatterjee M.Tech Presentation EE, IIT Bombay 1 / 41

SLIDE 44

Part II Detection of Replay Attack on Wide-Area Measurement System

SLIDE 45

Replay Attack on WAMS

Attacker hacks PMU - records data - later replays disturbance data to mislead the operator. Can suppress the periods of disturbance with recorded ambient data. Cannot be detected by observing individual PMU data - need for a centralized detector.

Figure: Bus 9 voltage (pu) versus time (s), 2–18 s, marking the fault replay attack duration and the actual fault.

SLIDE 46

Replay Attack on WAMS

Figure: voltage (pu) versus time (s) for Bus 1 to Bus 10, 2–18 s, marking the fault replay attack duration and the actual fault.

SLIDE 47

Replay Attack Detection

Objective: Distinguish between data from an actual disturbance and a replay attack.

Previous Works: Kalman Filter and LQG Control based detector [1], injecting harmonic oscillations [2]. These need an accurate linearized system model - which would vary with the operating point - and knowledge of system parameters.

Proposed Detectors: Data-driven, model free, look into the trends in PMU data in unison. SVD based, Pearson Correlation based. Theme: correlation in data, and lack of it during an attack.

[1] Y. Mo and B. Sinopoli, “Secure Control Against Replay Attacks,” in Forty-Seventh Annual Allerton Conference, July 2009.
[2] A. Hoehn and P. Zhang, “Detection of Replay Attacks in Cyber-Physical Systems,” in 2016 American Control Conference (ACC), July 2016.

SLIDE 48

SVD Based Detection

Uses the relative change in the dominant singular values of the moving window of measurements as the metric. Let the mth PMU measurement at the ith time step be denoted by $y^m_i$, the total number of measurements be M and the window length for computation be N. The measurement window of interest at the kth time step is

$$Y(k) = \begin{bmatrix} y^{1}_{k} & y^{1}_{k-1} & y^{1}_{k-2} & \cdots & y^{1}_{k-N+1} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ y^{M}_{k} & y^{M}_{k-1} & y^{M}_{k-2} & \cdots & y^{M}_{k-N+1} \end{bmatrix}$$

The Singular Value Decomposition (SVD) of $Y(k)$ is $Y(k) = U \Sigma V^{T}$.

Detection metric:

$$\%\Delta\sigma^{(k)}_i = \frac{\sigma^{(k)}_i - \sigma^{(n)}_i}{\sigma^{(n)}_i} \times 100\%$$

SLIDE 49

SVD Based Detection: Case Study

Window Size = 200 samples, PMU Reporting Rate = 100 Hz, Voltage Magnitude measurements of the 4-machine 10-bus System [3]

Case Study I: Attack at Bus 9, Replaying Fault at Bus 9
Case Study II: Attack at Bus 9, Replaying Opening of Line 9-10

[3] P. Kundur, Power System Stability and Control. McGraw-Hill, Inc., 1994.

SLIDE 50

Attack at Bus 9 Replaying Fault at Bus 9

Figure: σ1, σ2 and σ3 of the measurement window versus time (s), 5–50 s (σ1 ticks at 42 and 46, σ2 tick at 4, σ3 tick at 0.4).

SLIDE 51

Attack at Bus 9 Replaying Opening of Line 9-10

Figure: voltage (pu) of Bus 6, Bus 7, Bus 9 and Bus 10 versus time (s), 10–80 s (ticks 0.96, 0.98, 1), marking the replay attack and the topology change; below it σ1 (ticks 44.8, 44.9), σ2 (tick 0.1) and σ3 (tick 0.04) versus time (s).

SLIDE 52

Pearson Correlation Based Detection

Uses the time correlation in voltage measurements of neighboring buses. Unless arrested by voltage control devices, a voltage dip from a fault propagates across the network. Let x and y be the time series representations of two measurements; then the Pearson Correlation coefficient r for a window of length N is

$$r = \frac{\sum_{i=1}^{N}(x_i - \bar{x})(y_i - \bar{y})}{\sqrt{\sum_{i=1}^{N}(x_i - \bar{x})^2}\,\sqrt{\sum_{i=1}^{N}(y_i - \bar{y})^2}}$$

Range: $-1 \le r \le 1$ ($r = \pm 1 \Rightarrow$ high correlation $\Rightarrow$ Ambient/Fault Condition; $r = 0 \Rightarrow$ no correlation $\Rightarrow$ Replay)

SLIDE 53

Case Study: Typical r Values

Figure: Scatter plot for voltage magnitudes of buses 6 & 9. Fault at bus 6. Window length = 2500 samples. Four windows are shown: pre-fault ambient data (V6 within 0.9825–0.9835 pu, V9 within 0.973–0.976 pu) and post-fault data (V6 0.9–1.05 pu, V9 0.9–1 pu), with r = 0.9894 and r = 0.9851; a window of attack (V6 swings between 0.5 and 1 pu while V9 stays within 0.94–0.96 pu) and a window of pre-fault & fault data (both V6 and V9 swing between 0.5 and 1 pu), with r = 0.0085 for the attack window and r = 0.9985 for the pre-fault & fault window.
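Both detectors from the slides above, the %Δσ metric of SLIDE 48 and the Pearson r rule of SLIDE 52, run on constructed PMU voltage windows, as an added example that is not part of the thesis slides. The window length of 200 samples follows the case study on SLIDE 49; the three-bus set-up, the per-bus dip depths, the ambient ripple and the r threshold are constructed. Singular values are obtained here from a Jacobi eigen-decomposition of the Gram matrix Y Yᵀ so the block runs with the standard library only. On this data a genuine fault, seen by every PMU, moves σ1 by roughly twice as much as a replay that reaches one PMU, while the Pearson coefficient between neighbouring buses separates the two cleanly: near 1 for ambient and genuine fault windows, near 0 for the replay window.

```python
# Added example, not from the thesis slides: the SVD metric and the Pearson
# correlation rule run on constructed three-PMU voltage windows. The window length
# follows the case study (200 samples); bus count, dip depths, ambient ripple and
# the decision threshold are constructed.
import math

N = 200                                 # window length in samples (as in the case study)
HALF = N // 2                           # samples of the window during which a dip is present
DIP_DEPTH = [0.5, 0.3, 0.2]             # constructed per-bus dip of a genuine fault, pu
AMBIENT_AMP = [0.001, 0.0008, 0.0006]   # constructed tiny alternating ambient ripple, pu


def ambient(m):
    """Constructed ambient trace of PMU m: 1 pu plus a small alternating ripple."""
    return [1.0 + AMBIENT_AMP[m] * (-1) ** i for i in range(N)]


def dip(m, depth):
    """Same trace with a rectangular voltage dip over the first half of the window."""
    return [v - (depth if i < HALF else 0.0) for i, v in enumerate(ambient(m))]


def window_ambient():
    return [ambient(m) for m in range(3)]


def window_genuine_fault():
    """A real fault is seen by every PMU, attenuated with electrical distance."""
    return [dip(m, DIP_DEPTH[m]) for m in range(3)]


def window_replay():
    """A recorded fault is replayed into PMU 0 only; the other PMUs stay ambient."""
    return [dip(0, DIP_DEPTH[0]), ambient(1), ambient(2)]


def singular_values(y):
    """Singular values of the M x N window Y as square roots of the eigenvalues of the
    M x M Gram matrix Y Y^T, found with cyclic Jacobi rotations (standard library only)."""
    g = [[sum(a * b for a, b in zip(ri, rj)) for rj in y] for ri in y]
    n = len(g)
    for _ in range(100):
        if sum(g[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-18:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                theta = 0.5 * math.atan2(2 * g[p][q], g[q][q] - g[p][p])
                c, s = math.cos(theta), math.sin(theta)
                for k in range(n):          # G <- G R
                    gkp, gkq = g[k][p], g[k][q]
                    g[k][p], g[k][q] = c * gkp - s * gkq, s * gkp + c * gkq
                for k in range(n):          # G <- R^T G
                    gpk, gqk = g[p][k], g[q][k]
                    g[p][k], g[q][k] = c * gpk - s * gqk, s * gpk + c * gqk
    return sorted((math.sqrt(max(g[i][i], 0.0)) for i in range(n)), reverse=True)


def pct_delta_sigma(window, reference):
    """%Δσ_i = (σ_i(k) - σ_i(n)) / σ_i(n) × 100 against a reference (ambient) window;
    None where the reference singular value is numerically zero."""
    sig_k, sig_n = singular_values(window), singular_values(reference)
    return [None if sn < 1e-6 * sig_n[0] else (sk - sn) / sn * 100.0
            for sk, sn in zip(sig_k, sig_n)]


def pearson_r(x, y):
    mx, my = sum(x) / len(x), sum(y) / len(y)
    num = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    den = math.sqrt(sum((xi - mx) ** 2 for xi in x) * sum((yi - my) ** 2 for yi in y))
    # A flat-lined trace carries no co-movement information; treat it as r = 0 so it
    # is raised for review rather than silently trusted.
    return 0.0 if den == 0.0 else num / den


def classify_window(window, r_threshold=0.5):
    """Rule from the slides: ambient and genuine disturbances keep neighbouring buses
    correlated (|r| near 1); a replayed PMU breaks that correlation (r near 0)."""
    r = pearson_r(window[0], window[1])
    return ("replay" if abs(r) < r_threshold else "consistent", r)


if __name__ == "__main__":
    amb = window_ambient()
    for name, win in (("genuine fault", window_genuine_fault()), ("replay", window_replay())):
        print(name, "%Δσ:", pct_delta_sigma(win, amb), "verdict:", classify_window(win))
```

With the ambient window as the reference n, the genuine fault gives %Δσ1 of about −15 % and the single-PMU replay about −7 %, so σ1 alone only grades the size of the event; the reference σ2 of nearly flat ambient data is tiny, which is why %Δσ2 explodes on any disturbance and why a real deployment takes its reference from a window with normal ambient variation. The Pearson verdict comes from one bus pair here; the slides' centralized detector would evaluate it over the neighbouring pairs of every PMU.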