North Carolina Agricultural and Technical State University A Novel Approach for Identification of Cyber Physical Data Attack in Power Systems using Spy.

North Carolina Agricultural and Technical State University

A Novel Approach for Identification of Cyber Physical Data Attack in Power Systems

using Spy Node

Khaled Alotaibi

Dept. of Electrical and Computer Engineering


Drs. A. Homaifar (Advisor), Numan Dogan, Jinsheng Xu, Clinton Lee, and Ali Karimoddini


2

Outline Motivation

Problem definition

Background» Remote Terminal Units (RTUs)» Supervisory Control and Data Acquisition (SCADA) systems » Flow for Data Transfer» State Estimation

Data Detection/False Data Injection» Procedure for Malicious (Bad) Data Detection» Procedure (steps) for False Data Injection (FDI)» Generate Malicious Data Attack» Simulation FDI & Failure in the sensors

State of the art Methods» Measurements encryption by using greedy algorithm » Measurements encryption by using probability experiments (success probability)» Reconfiguration of the system into two subsystems

Proposed Method » Apply spanning tree algorithm on the network » Calculate the measure values of the spy node

Preliminarily result of the proposed method

References


3

Motivation

Reported in a National Communications System bulletin, attacks with the

highest impact are those against the supervisory control and data acquisition

SCADA system [1]

State Estimation (SE) receives system data from SCADA to find the best

estimate of the system state

SE is connected to other applications with the state of the system»Optimal Power Flow (OPF)»Contingency Analysis (CA)

OPF is used in the power area determine loading and congestion levels [2]

CA analyzing State Estimation outputPrevent the blackouts [3]


4

Cont… Motivation and challenging

State Estimation in power system is used in the power market»By calculating “estimated branch flows” in the system [4]

State Estimation plays a big role in the future smart power grid [5]»The concerns for the protection against malicious cyber-attacks has raised a

great attention recently because of the smart-grid initiatives [6]

Malicious data injection leads to the control center making wrong decisions to

operate the power-grid network

Challenges »This type of scenario attack can be “insider threat”»The injected contaminated data comes from intelligent computational

algorithms [7]


5

Problem Definition

The measured data includes active and reactive

power of generators in power system as well as the

transmission lines

Data is collected by Remote Terminal Units (RTUs)

SCADA in control center receives all data

Cyber attack has access to the data during transfers

from substation to control center [8][9]

The attacker figure out the system configuration and

contaminates the measurements in order to corrupt

state variables without being detected

The objective is to find out if the data is contaminated

due to the cyber attacks


6

Remote Terminal Units (RTUs)

RTUs are type of data collection and

data transfer.

RTUs monitor and control input data

and make changes in the system

remotely [11]

RTUs enable commands from station

operators [10]

RTU is uniquely designed to accept

many inputs with different modules» EX: CI^2 port is I/O expander that

basically accepts additional I/O’s as needed [11]

Human Machine Interface (HMI) can

be connected to RTUs» HMI is used to set parameters and

view measurements values


7

Supervisory Control and Data Acquisition (SCADA) systems

SCADA is a computer-based software

for data collection

SCADA systems are generally

Ethernet-based and are connected to

RTUs via the internet

SCADA system enables commands

from control center operators [12]

It has the capability to provide

automated control where it can assist

the system» SCADA can sense the system problems, and evaluate

these problems which allows it to make modifications and adjustments

Additional functions can be added by a

command from the control center [13]


8

Flow for Data Transfer

Sensors deployed over substation to

read different values

Data is sent to RTUs by different

telecommunication ways

RTUs gather the data and send it to

SCADA through Wide Area Networks

or internet [10]

SCADA, receives all the measurements

from different substations and transfers

them to the Control Center to perform

State Estimation

Malicious Data is detected by using

hypothesis test

Attacker


9

State Estimation

State Estimation in power system

intends to compute the variables of the

system state to enhance the system’s

reliability [14][15]

There are different variables to be

calculated such as voltage magnitude

and phase angle of each bus [16]

Measurements may include some error

Equation (1) presents State Estimation

Using the least squares method to

estimate state , in equation (1), will

result in (2) [14][16][17]

Estimated of , is calculated according

to measurements vector

(1)» the system measurements» the state variable » the errors in measurements» the observation matrix

(2)» the estimated »W the weighting matrix presents

the accuracy of each measurements


10

Malicious Data Detection

Error (contamination) that may be

included in the measurements» Sensor accuracy» Lack in hardware performance » Cyber Physical Data Attack

(CPDA)

This will corrupt the calculated state

variables

Researchers in the field of power

system apply 2-norm as a hypothesis

test to ensure the integrity of the state

variables [18].

2-norm or residual test is commonly

used in malicious data detection [16]» Some malicious values created by (CPDA) can

bypass this type of test without being detected

The malicious data detection trigger the

alarm when » > threshold » otherwise, there is no malicious

data

This test can detect random

contamination

Drawback of 2-norm test:» However, some attack scenarios are

aware of this type of test and it allows the attacker to pass the test successfully by applying certain procedures [16][19]


11

False data injection (FDI)

FDI is a new class of data attack against power system state estimation [16]

Yao Liu & Micheal Reterier from NCSU & UNC at Chapel Hill propose

attack strategy to meet FDI attack conditions

The basic idea of FDI is to add nonzero vectors to the original measurements

Those vectors should be generated based on the knowledge of the power grid

such as measurement values and system configuration [7][16][19]

CPDA can utilize those information to generate the attacking vector

Control center receive () instead of

This kind of data contamination can easily bypass the malicious data detection

is the corrupted vector in the estimated due to the contamination


12

Generate Malicious Data Attack

An attacker can determine H matrix

(configuration matrix) by utilizing

system information

The hacker finds the vectors lie in the

null space as in equation (4) » If only zero vector meets condition

in (5)» If there will be a nonzero vector

meeting equation (5) condition

These vectors are linear combination

of the vectors in the null space of

CPDA procedure to generate malicious

vectors

1. Determine

2. Find the null space of

A. Find the projection matrix of , (3)

B. (4)

3. Find all attacking vectors

A.

A.Where (5)


13

Case Study

In this work, the standard IEEE 9-bus system is considered as the case study» The system has 26 different type of measurements as following:

PF is the real power injected from end of branch;

PT is the real power injected to end of branch;

PG is the real power injection of generator;

QF is the reactive power injected from end of branch;

QT is the reactive power injected to end of branch; and

QG is the reactive power injection of generator

» The system has 16 state variables to calculate ( voltage magnitude & phase angle)» Each bus consist of two variables » The reference bus variables are known» The reference bus in this standard is bus # 1 » This case study assume four sensors fail

• Chosen four sensors randomly• Changed the values of those measurements


14

An Example for detecting sensor failure

Type DataFailure

inSensor

PF 1 0.7195 0.7195

PF 2 0.3072 0.4072

PF 3 -0.5945 -0.5945

PF 4 0.8500 0.8500

PF 5 0.2411 0.2411

PF 6 -0.7592 -0.7592

PF 7 -1.6300 -1.6300

PF 8 0.8699 0.8699

PF 9 -0.4096 -0.4096

PT 2 -0.3055 -0.3055

PT 5 -0.2401 -0.2401

PT 7 1.6300 1.6300

PT 9 0.4123 0.4123

PG 1 0.7195 0.7195

PG 2 1.6300 1.6300

PG 3 0.8500 0.95

QF 1 0.2407 0.3407

QF 3 -0.1631 -0.1631

QF 5 0.0454 0.0454

QF 8 -0.0253 -0.0253

QT 4 0.0789 0.0789

QT 6 0.0026 0.0026

QT 8 -0.1428 -0.2428

QG 1 0.2407 0.2407

QG 2 0.1446 0.1446

QG 3 -0.0365 -0.0365

Norm( 0.098 0.134

• Measurements number 2, 16,17, and 23 are chosen randomly

• Those measurements are active power, generator active power, reactive power, and reactive power respectively

• The malicious data detection was different from clean data and partial data contaminated due to the failure in the sensors


15

An Example for not detecting contaminated data (FDI)

Type DataFDI

v MD in SCADA

PF 1 0.7195 0.0962 0.8157

PF 2 0.3072 0.2062 0.5134

PF 3 -0.5945 -0.2488 -0.8433

PF 4 0.8500 -0.1964 0.6536

PF 5 0.2411 -0.4520 -0.2109

PF 6 -0.7592 0.1393 -0.6199

PF 7 -1.6300 0.0037 -1.6263

PF 8 0.8699 0.3113 1.1812

PF 9 -0.4096 0.0082 -0.4014

PT 2 -0.3055 -0.2047 -0.5102

PT 5 -0.2401 0.4496 0.2095

PT 7 1.6300 -0.0037 1.6263

PT 9 0.4123 -0.0070 0.4053

PG 1 0.7195 0.0962 0.8157

PG 2 1.6300 -0.0037 1.6263

PG 3 0.8500 -0.1964 0.6536

QF 1 0.2407 0.0033 0.2440

QF 3 -0.1631 -0.0694 -0.2325

QF 5 0.0454 0.0726 0.1180

QF 8 -0.0253 0.1701 0.1448

QT 4 0.0789 -0.0370 0.0419

QT 6 0.0026 -0.3376 -0.3350

QT 8 -0.1428 -0.0784 -0.2212

QG 1 0.2407 0.0033 0.2440

QG 2 0.1446 0.2729 0.4175

QG 3 -0.0365 0.0135 -0.0230

Norm( 0.098 0.098

Clean data

Contamination vector

Sum of clean data

and contaminati

on

The norm of the data before and after the

contamination are the same


16

State of the art methods

1. Measurements encryption by using greedy algorithm [20]

The method of this paper is encryption based

It aims to encrypt a sufficient amount of data buses to minimize the system

configuration to the attacker

It Uses greedy algorithm for bus selection

The number of encrypted measurements must be equal to the number of state variables» Therefore, the attacker will have zero vectors for contamination

Disadvantages » For encryption this method uses PMU sensors, which are very expensive» The installation and maintenance of PMUs are also expensive» For expandable grid, its hard to maintain the encrypted measurements equal to the

number of the state variables

[20] Strategic Protection Against Data Injection Attacks on Power Grids, by Tùng T. Kim & H. Vincent Poor. Princeton University, NJ


17


2. Measurements encryption by using probability experiments (success probability)

The objective of this method is to select a set of sensors to be protected as well as

verifying a set of state variable independently

This method also use PMUs sensors for protection purpose » PMUs can measure the value of bus magnitude or phase angle directly with a high accuracy

The difference between this method and the previous one is in the selection of

measurements to be protected» This method use probability experiment (success probability) for measurement selection

• Picks measurements at random to manipulate

The execution time required to either construct an attack vector or conclude that the

attack is infeasible

[21] Detecting False Data Injection Attacks on State Estimation, by Rakesh B. Bobba, and Thomas J. Overbye. University of Illinois, Urbana-Champaign


18


The relationship between is shown

If the success probability of an attacker

is less than 1 for a given k» it implies that there exist sets of m − k measurements such that an attacker cannot

inject false data without being detected when the measurements are protected » For example in 9-bus IEEE standard system

• Attacker needs to compromise about 80% of total measurements • A lower bound on the number of sensors that need to be protected is


19


3. Reconfiguration of the system into two subsystems

The objective of this method is to reconfigure the system inorder to form two sub

system instead of one » The configuration matrix for each sub system should form a full Rank matrix» Therefore, the attacker will not have a nonzero vector

Disadvantage » Dividing the configuration matrix in two children such as child 1 and child 2, the

null space for the children will stay the same as the mother matrix H» Reconfigure the system doesn’t guaranteed the observability

[22] Secure Power Systems Against Malicious Cyber-Physical Data Attacks: Protection and Identification Talebi, Morteza, Jianan Wang, and Zhihua Qu, Central Florida University


20

Proposed Method

The idea of my contribution is to identify whether the power grid data is

manipulated due to adversary attack or not.

“Pseudo measurements can be generated based on short term load forecasts, generation

dispatch, historical records, or other similar approximation methods. It can be used as

error free measurements in the state estimation formulation and referred to as “virtual

measurements” [23] The attacker access through a channel to explore the data and system configuration

In general the attackers explore the actual data to find out the system configuration

By adding the virtual measurements the attacker will be misled and finds the wrong

configuration of the system

we can generate virtual measurements in power grid along with the actual data by considering:

The power system having a virtual bus referred to as spy node Spy nodes, considered as extra measurements along with the actual network measurements are

the kind of data that the attacker may access This data works as spy data in the data set and is free of error


21

Proposed Method

Two problems need to be solved

1. The correct places of the spy nodes to be considered for calculation purposes applying a spanning tree algorithm on the system [24] to generate the list of the nodes with highest

priorities

2. Finding the new parameters for the transmission lines between the spy and

actual nodes calculating the values of the spy node measurements based on the model of the power transmission

line and the values of the line resistance, inductance and capacitance on which this virtual node is

located


22

Apply Spanning tree algorithm in the network

1. Find the node with highest degree that has

most injected branches. In this case the

candidate nodes are {4, 7, and 9} with

degree of importance equal to 3 due to the

injected branches. Node 7 is selected among

the three candidate nodes. Therefore, 7 is the

1st priority

2. All nodes that are connected to node 7 are

the candidate nodes to perform the spanning

tree algorithm. Nodes {2, 5, 8} are the

candidate nodes in this case study.


23


3. Only nodes 5 and 8 have the highest degree

among the candidates (same degrees). It should

be checked which one is connected to the node

with a higher degree. Node 4, 9 with degree 3. In

this case no preference to select. Node 5 is

selected for next step.

4. Node 4 is the only node connected to node 5,

and it is the only candidate. So node 4 is selected

for next step


24


5. Nodes {1, 6} are the candidate nodes in this

step. Node 6 has the highest degree, therefore it

is selected for the next step

6. Node 6 is the only connected node to 9 and it

is selected for the next step


25


7. Finally node 9 is connected with one node,

which is node 3. Node 3 was the last candidate

and last priority for our purpose.

8. Following table shows a final result

Node# Node priority Possible place to spy node. According to selected node

7 1st 7-8, 7-5, 7-2

5 2nd 5-4

4 3rd 4-6, 4-1

6 4th 6-9

9 5th 9-8, 9-3

The priority of the nodes in the 9-bus system standard to place a spy node


26

Calculating the Measured Values of the Spy Node

In π model of the transmission line, R (Ω/km) and L

(H/km) are the resistance and inductance of the line

C (F/km) is the shunt capacitance of the transmission

line that half of it is considered to be lumped at each

end of the line

The resistance, inductance and capacitance are

uniformly distributed along the transmission line

The spy node is considered in the middle of two

parts as shown in Figure 3, note that the amounts of

R, L and C do NOT change because their units are

per km [25].

Since the spy node is going to be considered between

two nodes with higher priority

Two back to back π models are considered for the

two transmission lines (one between bus A and spy

node and the other between spy node and bus B,

forming two cascade π models)

Figure 2. Nominal π model of a transmission line

Figure 3. Nominal π model of the transmission line with spy node

Figure 4. Nominal π model of the transmission line without spy node


27

Proposed Procedure

1. Virtual measurements can be added to the actual measurements set 1. are measurements set, and are virtual measurements [12] known as spy data produced from spy node based

on the network configuration

2. Because of the capability of the RTU, it is possible to add extra data as spy data along with actual data by utilizing input modules

2. The SCADA can be programmed to simply remove the spy data from the measurements

set and send the remaining data to the state estimator in the control center

3. The state estimator sends the actual data to malicious data detector to calculate the norm

Attacker intercepts and finds out the configuration of the system to generate attacking vector


28

Another criteria of test

The proposed method can have another way of detecting the data

contamination» any change in the values of the virtual measurements (spy data) shows contamination

of the data set » It can be considered as an alternative countermeasure against cyber-attack, because

the spy data is without any noise and should remain unchanged


29

What will be delivered

The standard IEEE 9-bus system will be considered as the case study to verify the

proposed method » The system has 26 different type of measurements as following:

PF is the real power injected from end of branch;

PT is the real power injected to end of branch;

PG is the real power injection of generator;

QF is the reactive power injected from end of branch;

QT is the reactive power injected to end of branch; and

QG is the reactive power injection of generator.

I will consider the spy node between nodes 7 and 8 with the highest priorities» I will use two measurements (active and reactive power) as spy data» The number of measurements from the viewpoint of attacker is 28 » If the attacker generate the attacking vectors based on this data set

• Those vectors will not be a linear combination to data set of the actual system configuration • Therefore, malicious data detection will show different norm values for actual data before and

after attack


30

Conclusion

The idea of this novel approach is to mislead the attackers with a configuration

different than that of the real power system

By considering spy node(s) in power grid, attackers intercept the actual

measurements along with virtual measurements

Increasing the number of measurements of the system leads to the attacker’s

being misled and getting a wrong attacking vector according to the data set

Our proposed method requires minimal changes to the existing SCADA system

It is very easy to implement with the minimal additional cost

It can also be combined with other protective methods to provide an extra layer

of security. For example, if the encryption protocol was broken for cipher-

based protection method, this method will identify the cyber attack against the

power grid


31

References [1] Office of the Manager, National Communications System, Supervi-sory Control and Data Acquisition (SCADA) Systems,TIB 04-1 ed Arlington, VA, 2004

[2] Chiang, Mung. "Balancing transport and physical layers in wireless multihop networks: Jointly optimal congestion control and power control." Selected Areas in Communications, IEEE

Journal on 23.1 (2005): 104-116.

[3] Amin, S. Massoud, and Bruce F. Wollenberg. "Toward a smart grid: power delivery for the 21st century." Power and Energy Magazine, IEEE 3.5 (2005): 34-41.

[4] Wu, Tong, et al. "Pricing energy and ancillary services in integrated market systems by an optimal power flow." Power Systems, IEEE Transactions on 19.1 (2004): 339-347.

[5] Dán, György, and Henrik Sandberg. "Stealth attacks and protection schemes for state estimators in power systems." Smart Grid Communications (SmartGridComm), 2010 First IEEE

International Conference on. IEEE, 2010.

[6] Yang, Qingyu, et al. "On a hierarchical false data injection attack on power system state estimation." Global Telecommunications Conference (GLOBECOM 2011), 2011 IEEE . IEEE, 2011.

[7] Yu, Wei. "False data injection attacks in smart grid: Challenges and solutions." Proceeding of NIST Cyber Security for Cyber-Physical System (CPS) Workshop . 2012.

[8] Sou, Kin Cheong, Henrik Sandberg, and Karl Henrik Johansson. "On the exact solution to a smart grid cyber-security analysis problem." Smart Grid, IEEE Transactions on 4.2 (2013): 856-865.

[9] Hug, Gabriela, and Joseph A. Giampapa. "Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks." Smart Grid, IEEE Transactions on 3.3 (2012):

1362-1370.

[10] Bailey, David, and Edwin Wright. Practical SCADA for industry. Newnes, 2003.

[11] Complete SCADA solution for Remote Monitoring and Control”, found at www.FF-Automation.com

[12] ] Fabio Terezinho, “SCADA Systems Automate Electrical Distribution” , Indussoftware.

[13] Queiroz, Carlos, Abdun Mahmood, and Zahir Tari. "SCADASim—A framework for building SCADA simulations." Smart Grid, IEEE Transactions on 2.4 (2011): 589-597.

[14] A. Albur and A. G. Exposito, Power System State Estimation: Theory and Implementation . CRC Press.

[15] F. C. Schweppe, J. Wildes, and D. B. Rom, “Power system static stat estimation. parts 1, 2, 3,” IEEE Transactions on Power Apparatus andSystems, vol. 89, no. 1, pp. 120–135, January

1970.

[16] Liu, Yao, Peng Ning, and Michael K. Reiter. "False data injection attacks against state estimation in electric power grids." ACM Transactions on Information and System Security (TISSEC)

14.1 (2011): 13.

[17] Gol, M., and Ali Abur. "Identifying vulnerabilities of state estimators against cyber-attacks." PowerTech (POWERTECH), 2013 IEEE Grenoble. IEEE, 2013.

[18] Yang, Qingyu, et al. "On a hierarchical false data injection attack on power system state estimation." Global Telecommunications Conference (GLOBECOM 2011), 2011 IEEE . IEEE, 2011.

[19] Talebi, Morteza, Jianan Wang, and Zhihua Qu. "Secure Power Systems Against Malicious Cyber-Physical Data Attacks: Protection and Identification." International Conference on Power

Systems Engineering. 2012.

[20] Kim, Tung T., and H. Vincent Poor. "Strategic protection against data injection attacks on power grids." Smart Grid, IEEE Transactions on 2.2 (2011): 326-333.

[21] Bobba, Rakesh B., et al. "Detecting false data injection attacks on dc state estimation." Preprints of the First Workshop on Secure Control Systems, CPSWEEK . Vol. 2010. 2010.

[22] Talebi, Morteza, Jianan Wang, and Zhihua Qu. "Secure Power Systems Against Malicious Cyber-Physical Data Attacks: Protection and Identification." International Conference on Power

Systems Engineering. 2012.

[23] Abur, Ali, and Antonio Gomez Exposito. Power system state estimation: theory and implementation . CRC Press, 2004, P 4-5

[24] Wu, Y., M. Kezunovic, and T. Kostic. "Cost minimization in power system measurement placement." Power System Technology, 2006. PowerCon 2006. International Conference on . IEEE,

2006

[25] Saadat, Hadi. Power system analysis. WCB/McGraw-Hill, 1999

http://www.ff-automation.com/


Questions?

North Carolina Agricultural and Technical State University A Novel Approach for Identification of Cyber Physical Data Attack in Power Systems using Spy.

Documents