1 © A. Kwasinski, 2015 Cyber Physical Power Systems Fall 2015 Security

Jan 21, 2016
Slide 1: Cyber Physical Power Systems, Fall 2015. Security
© A. Kwasinski, 2015

Slide 2: Review from 1st week

• To find the power flow along lines we need to calculate:

  $P_{kj} = B_{kj}\,(\theta_k - \theta_j)$

• To calculate the above equation we need to solve

  $P_k = \sum_{j=1,\, j \neq k}^{N} B_{kj}\,(\theta_k - \theta_j), \quad k = 1, \dots, N$

  (Here $\theta_k$ is the voltage angle at bus k; the angle symbol inside the parentheses was lost in extraction and is restored as $\theta$.)

• This is an underdetermined system of equations (the matrix is singular), so the voltage (magnitude and angle) at one bus, called the slack or swing bus, is set (usually a per-unit voltage of 1 with an angle of 0). As a result, the equation for the slack bus is replaced by this set voltage value, and the real and reactive power at this bus become the unknowns.

• Other knowns and unknowns are:
  • In a PQ (load) bus: P and Q are known, voltage is unknown.
  • In a PV (generator) bus: P and V are known, reactive power and voltage angle are unknown.
Slide 3: Review from 1st week

• Operation of a power grid is controlled from a dispatch center.
  • The dispatch center is responsible for monitoring power flow and coordinating operations so that demand and generation are matched in an economically optimal way. That is, from a stability perspective demand (plus losses) needs to equal generation, but from an operational perspective this match needs to be achieved in an economically optimal way.

Source: Scientific American

Slide 4: Review from 1st week

• Operation and monitoring of electric power grids is usually performed with a SCADA (supervisory control and data acquisition) system. At a basic level a SCADA system includes:
  • Remote terminals
  • Central processing unit
  • Data acquisition (sensing) units
  • Telemetry
  • Human interfaces (usually computers)

• SCADA systems require communication links but, usually, these are dedicated links separate from the public communication networks people use in their everyday lives.

Slide 5: Power grids cyber-physical infrastructure

• Physical infrastructure (from 1st week).

[Figure: the physical grid as generation, transmission, and distribution / consumption stages]

Slide 6: Power grids cyber-physical infrastructure

• Cyber-physical infrastructure

[Figure: generation, transmission, and distribution control centers and the ISO energy market connected over a wide area network]

Slide 7: Past Cyber-intrusions/attacks on Energy Infrastructure

• "ISIS is attacking the US energy grid (and failing)", CNN Money, 10/15/15.
• Other events from CRS, June 2015, "Cybersecurity Issues for the Bulk Power System":
  • BlackEnergy (Trojan horse designed to attack critical energy infrastructure):
    • Reported in 2007. Targets the human-machine interface.
    • Modular. Modules include keylogging, audio recording, and grabbing screenshots. A module can destroy hard disks.
    • Can migrate through network files into removable storage media.
  • HAVEX:
    • Reported in 2013.
    • Used as a remote access tool (RAT) to extract data from Outlook address books and from ICS-related software files used for remote access from the infected computer to other servers. The cyberattack leaves the company's system in what appears to be a normal operating condition, but the attacker now has a backdoor to access and possibly control the company's ICS or SCADA operations.
  • Sandworm:
    • Reported in 2014, affecting GE's SCADA human-machine interface.

Slide 8: Control Architecture

• Hierarchical control:
  • At the highest level an economic optimization algorithm is run in order to produce a set point for each power generation unit.
  • Local autonomous controllers at the power generation units use droop controls that take the set-point inputs produced by the higher-level controller.
  • Additional controllers exist at the power transmission and distribution levels to ensure electric power is delivered according to the specified power quality parameters.

• The economic dispatch algorithm implies solving the power flow equations and also knowing other information (e.g. market conditions, prices from each unit, etc.).

• In addition to considering economic profitability, stable system operation needs to be ensured by the controller. Power flow and other constraints also exist. All of these factors affect control decisions.

Slide 9: Control Architecture

• Control decisions require state estimation, i.e. knowing voltages and angles.

• State estimation, in turn, requires measuring real and reactive powers or current flows. It also requires knowing system parameters (e.g. line data).

• Measured data needs to be transmitted to the dispatch center, so a cyber infrastructure is needed. This cyber infrastructure includes sensors and communications infrastructure.

• Additionally, system parameters need to be stored so they can be accessed and used when running the economic dispatch algorithm.

• Hence, optimal operation requires communication.
  • Limited operation of a power grid can still be performed without communications thanks to the droop controllers. However, this operation will be economically suboptimal and will have reduced stability margins.

Slide 10: Communications Architecture

• In general, power grids use dedicated networks, so intrusive access is difficult.

• However, some legacy equipment may still use resources from public communication networks.

Slide 11: Communications Architecture

• Smart grids, the Internet of Things and other increasingly used technologies (e.g. demand response or electric vehicles) may motivate increased use of public communication networks or the Internet, as a result of the need for more bandwidth or more access points.

Slide 12: Communications Architecture

• Secure communications
  • Commonly used protocols (insecure): Modbus, DNP3, IEC 61850, ICCP.
  • Mitigating approaches:
    • Encryption:
      • A VPN may be a solution, but the added latency and the use of non-IP networks make this solution inapplicable in many cases.
      • Ongoing research aims at retrofitting SCADA protocols such as Modbus, DNP3 and ICCP, or at adding encryption hardware (e.g. a bump in the wire).
    • Authentication (remote keys and passwords):
      • Research is being done with the goal of developing flexible, robust, adaptive and highly available authentication mechanisms.
    • Access control:
      • The goal is to use proper software configuration and protocol usage to protect against internal attackers or attackers that have already gained access to the system.
      • Use firewalls at multiple levels, creating vertically and horizontally separated secure cyber-areas.

Slide 13: Communications Architecture

• Device security
  • Embedded devices create important vulnerabilities as more of these devices are added, with grids migrating into smart grids and the deployment of IoT. Smart meters are a special point of concern.
  • Addressing device security issues involves the development of remote attestation mechanisms.
  • From "Principles of Remote Attestation" by Coker et al.:
    • "Attestation is the activity of making a claim to an appraiser about the properties of a target by supplying evidence which supports that claim. An attester is a party performing this activity. An appraiser's decision-making process based on attested information is appraisal."
    • "An appraiser is a party, generally a computer on a network, making a decision about some other party or parties. A target is a party about which an appraiser needs to make such a decision."
    • "An attestation protocol is a cryptographic protocol involving a target, an attester, an appraiser, and possibly other principals serving as trust proxies. The purpose of an attestation protocol is to supply evidence that will be considered authoritative by the appraiser, while respecting privacy goals of the target (or its owner)."
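The roles quoted above (target, attester, appraiser, evidence, appraisal) in a minimal challenge-response exchange. This is an added example, not code from the lecture or from Coker et al.; it assumes a smart meter acting as its own attester, a symmetric key provisioned to both the device and the utility-side appraiser, a SHA-256 hash of the firmware image as the measurement, and constructed values for the key and firmware. The appraiser checks three things a practitioner cares about: that the evidence answers a nonce it actually issued (freshness, no replay), that it was produced with the provisioned key (authenticity), and that the measurement matches the golden value (integrity of the target).

```python
# Added example (not from the lecture slides or from Coker et al.): a minimal
# challenge-response attestation exchange between a smart-meter attester and a
# utility-side appraiser, following the roles quoted on the slide.
# Assumptions (mine): a symmetric key provisioned to both parties, a SHA-256 hash of the
# firmware image as the measurement, and constructed values for the key and firmware.
import hashlib
import hmac
import secrets

FIRMWARE_IMAGE = b"constructed meter firmware v1.0"              # constructed
SHARED_KEY = b"constructed-provisioned-device-key"                # constructed
GOLDEN_MEASUREMENT = hashlib.sha256(FIRMWARE_IMAGE).hexdigest()  # value the appraiser expects


def evidence_tag(key: bytes, nonce: str, measurement: str) -> str:
    """HMAC over nonce|measurement binds the evidence to this particular challenge."""
    return hmac.new(key, f"{nonce}|{measurement}".encode(), hashlib.sha256).hexdigest()


class Attester:
    """Device-side party: measures its own firmware and returns keyed evidence."""

    def __init__(self, key: bytes, image: bytes):
        self.key, self.image = key, image

    def respond(self, nonce: str) -> dict:
        measurement = hashlib.sha256(self.image).hexdigest()
        return {"nonce": nonce, "measurement": measurement,
                "tag": evidence_tag(self.key, nonce, measurement)}


class Appraiser:
    """Utility-side party: issues fresh nonces and decides whether to trust the target."""

    def __init__(self, key: bytes, expected_measurement: str):
        self.key, self.expected = key, expected_measurement
        self.outstanding = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def appraise(self, evidence: dict) -> bool:
        nonce = evidence["nonce"]
        if nonce not in self.outstanding:          # replayed or unsolicited evidence
            return False
        self.outstanding.discard(nonce)             # each nonce is accepted once
        expected_tag = evidence_tag(self.key, nonce, evidence["measurement"])
        if not hmac.compare_digest(expected_tag, evidence["tag"]):
            return False                            # evidence not produced with the key
        return evidence["measurement"] == self.expected   # firmware matches the golden hash


def run_attestation(attester: Attester, appraiser: Appraiser) -> bool:
    """One full protocol round: challenge, evidence, appraisal."""
    nonce = appraiser.challenge()
    return appraiser.appraise(attester.respond(nonce))


def demo() -> dict:
    appraiser = Appraiser(SHARED_KEY, GOLDEN_MEASUREMENT)
    genuine = Attester(SHARED_KEY, FIRMWARE_IMAGE)
    tampered = Attester(SHARED_KEY, FIRMWARE_IMAGE + b"\x00")   # constructed modified image
    impostor = Attester(b"wrong-key", FIRMWARE_IMAGE)            # right hash, wrong key
    evidence = genuine.respond(appraiser.challenge())
    first, replayed = appraiser.appraise(evidence), appraiser.appraise(evidence)
    return {"genuine": run_attestation(genuine, appraiser),
            "tampered": run_attestation(tampered, appraiser),
            "impostor": run_attestation(impostor, appraiser),
            "replay": (first, replayed)}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

A real deployment would root the key in device hardware and sign rather than MAC, so that the appraiser holds no secret a compromised server could leak; the message structure and the three checks stay the same.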

Slide 14: Sensing Architecture

• SCADA system:
  • Primarily developed as a proprietary solution operating in an isolated system.
  • Power grids are migrating towards integrating off-the-shelf sensing and management equipment in an interconnected environment.
  • Modern SCADA systems increasingly rely on the Internet for various functions, such as remote access or remote monitoring, thus creating additional vulnerabilities.
  • IT management systems are in some cases integrated with the SCADA system, adding complexity and potential security vulnerabilities.

• Mitigating strategies:
  • Decouple SCADA and IT management systems.
  • Use firewalls between administrative and operational areas of power grids.

Slide 15: Sensing Architecture

• PMUs may be another potential point of entry, or a piece of equipment that can be acted upon directly, leading to state estimation errors.

• Additional entry points:
  • Renewable energy generation sites.
  • Smart meters.
  • Home energy management systems.
  • Electric vehicles.
  • Internet of Things equipment (e.g. appliances).
  • Supply chain (e.g. firmware in new equipment, memory sticks, etc.).

• Cyber dependencies create vulnerabilities. Examples of cyber dependencies include:
  • GPS systems.
  • Weather and other important external data.

Slide 16: Cyber Attacks Modeling

• Cyber attacks may directly target:
  • State estimation (state estimation is important for optimal power flow operation, contingency analysis, automatic generator control, etc.).
  • The parameter database.
  • Equipment, by sending commands to it directly (e.g. relays controlling circuit breakers).

• Indirect cyber attacks: those targeting cyber-lifelines directly and leading to power grid operation disruptions indirectly.

• Types of cyber attacks:
  • Reconnaissance
  • Denial of service
  • Command injection
  • Measurement injection

Slide 17: Cyber Attacks Modeling

• The idea here is to model cyber attacks as additive inputs affecting the state and the inputs (from "Attack Detection and Identification in Cyber-Physical Systems – Part I: Models and Fundamental Limitations" by Pasqualetti et al.).

• For simplicity, the system (a power grid) is modeled as an LTI system:

  $E\,\dot{x}(t) = A\,x(t) + B\,u(t)$

  $y(t) = C\,x(t) + D\,u(t)$

• It is assumed that each state and output variable can be independently compromised by an attacker, so $B = [I, 0]$ and $D = [0, I]$.

• Hence the attack $(Bu(t), Du(t)) = (u_x(t), u_y(t))$ can be classified as a state attack, affecting the system dynamics, and an output attack, corrupting the measurements vector directly.

Slide 18: Cyber Attacks Modeling

• Attack strategies:
  • Stealth attacks correspond to output attacks compatible with the measurements equation;
  • Replay attacks are state and output attacks which affect the system dynamics and reset the measurements;

Slide 19: Cyber Attacks Modeling

• Attack strategies:
  • Covert attacks are closed-loop replay attacks, where the output attack is chosen to cancel out the effect of the state attack on the measurements;
  • (Dynamic) false-data injection attacks are output attacks rendering an unstable mode (if any) of the system unobservable, e.g. load redistribution attacks leading to suboptimal power dispatch or loss of stability.

• Notice that the referenced paper does not consider attacks affecting system parameters. Modeling such an attack would make the system non-LTI. In fact, it would become a switched system, with A = A(t) following a switched behavior.
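The additive attack model of slides 17 to 19, seen from the detector's side. This is an added example, not code from the lecture or from Pasqualetti et al.; it assumes a discrete-time form of the model with E = I and no exogenous input (x[k+1] = A x[k] + u_x[k], y[k] = C x[k] + u_y[k]), and the matrices A, C, the observer gain L, the initial state and the attack vector are all constructed. A Luenberger observer produces the residual y - C x̂, and the defender raises an alarm when it exceeds a threshold. The run shows why the slides call covert attacks a fundamental limitation: a plain state attack on the unmeasured state leaks into the measured one and trips the residual, while the covert variant, whose output attack is exactly the cancelling term the slide describes, displaces the same state with a residual that stays at zero.

```python
# Added example (not from the slides or from Pasqualetti et al.): a Luenberger-observer
# residual detector run against the additive attack model of slides 17-19.
# Assumptions (mine): discrete-time form x[k+1] = A x[k] + u_x[k], y[k] = C x[k] + u_y[k]
# (E = I, no exogenous input); matrices, observer gain and attack vector are constructed.

A = [[0.9, 0.1], [0.0, 0.8]]    # system dynamics (constructed, stable)
C = [[1.0, 0.0]]                # only the first state is measured
L = [[0.5], [0.2]]              # observer gain (constructed)
X0 = [1.0, 0.5]                 # initial state, known to the observer
STATE_ATTACK = [0.0, 0.1]       # u_x: constant push on the unmeasured second state
THRESHOLD = 1e-6                # residual magnitude that triggers an alarm


def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def vadd(a, b):
    return [x + y for x, y in zip(a, b)]


def simulate(steps, state_attack=None, covert=False):
    """Run plant and observer for `steps` steps; return (residuals, final plant state).

    state_attack: u_x added to the plant at every step (None = no attack).
    covert:       also apply the slide's covert output attack u_y = -C * delta, where
                  delta is the attacker's own simulation of the effect of u_x on the state.
    """
    u_x = state_attack or [0.0, 0.0]
    x, x_hat, delta = X0[:], X0[:], [0.0, 0.0]
    residuals = []
    for _ in range(steps):
        y = matvec(C, x)
        if covert:
            y = vadd(y, [-v for v in matvec(C, delta)])        # cancels the visible effect of u_x
        r = [yi - yhi for yi, yhi in zip(y, matvec(C, x_hat))]   # residual y - C x_hat
        residuals.append(r)
        x_hat = vadd(matvec(A, x_hat), matvec(L, r))           # observer update
        x = vadd(matvec(A, x), u_x)                            # plant update under the state attack
        delta = vadd(matvec(A, delta), u_x)                    # attacker's bookkeeping of its effect
    return residuals, x


def alarm(residuals, threshold=THRESHOLD):
    """Defender's rule: raise an alarm if any residual component exceeds the threshold."""
    return any(abs(v) > threshold for r in residuals for v in r)


if __name__ == "__main__":
    cases = [("no attack", {}),
             ("state attack", {"state_attack": STATE_ATTACK}),
             ("covert attack", {"state_attack": STATE_ATTACK, "covert": True})]
    for label, kwargs in cases:
        res, x_final = simulate(20, **kwargs)
        print(f"{label:14s} alarm={alarm(res)!s:5s} final state={[round(v, 4) for v in x_final]}")
```

The covert case is only undetectable because the attacker's model of the plant is exact; residual-based detection gains back its footing when the defender adds measurements the attacker cannot reach (a second row in C the output attack does not cover) or parameters the attacker does not know, which is the argument behind the slide's recommendation to protect PMUs and the parameter database.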