Detecting Data Tampering Attacks in Synchrophasor Networks using Time Hopping

Transcription

1 Detecting Data Tampering Attacks in Synchrophasor Networks using Time Hopping Muhammad Naveed Aman, Kashif Javed, Biplab Sikdar, and Kee Chaing Chua Department of Electrical & Computer Engineering National University of Singapore Singapore Department of Electrical Engineering National University of Computer & Emerging Sciences Pakistan Abstract Phasor Measurement Units (PMUs) and Wide Area Measurement Systems (WAMS) have emerged as the enabling technologies for the real time monitoring, control, and operation of future smart grids. However, this cyber-infrastructure is vulnerable to a wide range of cyber security threats. Among these, one of the major threats is data tampering or data modification attacks. In these attacks, the adversary can modify/change the data of PMU packets to cause significant damage to the grid s operation and equipment. To address this problem, this paper presents a method for detecting data tampering in synchrophasor networks. The proposed protocol uses a random time hopping sequence to detect data tampering. The PMU and phasor data concentrator (PDC) share a secret seed to generate a random time hopping sequence, while a hash value of the packets combined with a secret key is used to validate the integrity of PMU packets. Security analysis of the proposed protocol shows that it can detect data tampering attacks such as data modification, data injection, and replay attacks. Our performance analysis shows that the scheme has the efficiency and robustness required for real time applications in a smart grid. I. INTRODUCTION The IEEE C standard defines a synchrophasor as a representation of the complex phasor of an alternating current (AC) power system at the nominal system frequency synchronized to UTC (coordinated universal time) [1]. PMUs are devices which measure synchrophasors for the voltage and current with high accuracy at different buses of the electric power grid. The PMUs have an accuracy better than 1% and receive time for synchronization from a highly reliable source such as the Global Positioning System (GPS) [1]. Submultiples of the power-line frequency can be used as the sampling rates for PMUs. The reporting rates of a PMU can be 10, 25 or 50 samples per second for 50Hz systems. PMUs send their data to a PDC over a communication network, whereas, the PDC after aggregating the data from multiple PMUs forwards it to a control center. The control center may use the PMU data for various power system applications such as system state estimation, fault event monitoring, postdisturbance analysis, system stability, security-dependability, and real time monitoring and control of a power system. Reliability is a critical requirement of a power grid due to the dependence of a nation s industry and population on the /16/$31.00 c 2016 IEEE smooth and uninterrupted supply of electricity. With the progressive move towards widespread deployment of smart grids, PMUs will play an important role in the real time monitoring, operation, and control of future power grids. Moreover, the reliance on measurement data for making critical decisions by system operators is on the rise. Increasingly, PMUs are being deployed at a diverse range of locations in the power system such as substations, control centers, transmission lines, and power generators to support such decision making. The fact that PMU data travels over legacy data networks and given the geographic disparity of their locations, makes PMUs vulnerable to a number of cyber attacks. The focus of this paper is on data tampering attacks. In such attacks, an adversary tries to modify the data of PMU packets, which in turn leads to an incorrect or biased estimate of the state of the power system. As a result, such attacks may mislead the system operators into making incorrect decisions. The consequences of such attacks are discussed in [2]. These include, but are not limited to, sub-optimal economic dispatch, increased robustness/resiliency losses, and blackouts resulting from cascading failures. To safeguard synchrophasor networks against such attacks, this paper presents a method to detect data tampering by attackers in a synchrophasor network. The proposed methodology is based on implementing a two-step, randomized strategy for sending validation information. The rest of the paper is organized as follows. In Section II we discuss the related work. Section III discusses the network model, assumptions and the threat model considered in this paper. Section IV presents the proposed protocol for detecting data tampering in synchrophasor networks. Section V discusses the effect of various attacks on the proposed protocol while Section VI presents a performance analysis of the proposed protocol. Finally Section VII concludes the paper. II. RELATED WORK Malicious data modifications may be viewed as bad data, a term which has traditionally been used to denote measurements from faulty equipment. Power system state estimators use bad data detection techniques based on a statistical analysis of the measurement residuals. An L 2 -norm or the Largest

2 2 Normalized Residual (LNR) of the measurements is used to detect outliers/bad measurements [3], [4], [5]. However, these techniques assume that the bad data is due to measurement errors or communication errors. Thus, most bad data detection techniques assume the measurement residuals to be independent. This independence assumption can be exploited by an adversary by introducing structured interactions among the bad data and causing the bad data detector to fail against data tampering attacks. The authors of [6] were the first to describe a method to to carry out a data injection attack on power system state estimation. They showed that by using the knowledge of the configuration of a power system, an adversary can introduce arbitrary errors into the state variables by fooling a bad data detector. The authors of [7] show the minimum number of measurements an adversary needs to modify in order to affect the state model. In [8] the authors introduce security indices for state estimators. They show that these indices can be used to quantify the effort needed to succeed in a data modification attack. In another work by [9], the authors investigate the problem of defending against data tampering attacks from the perspective of an operator. They show a minimum size set of measurements which needs to be protected, to ensure observability of the system. The authors of [2], developed metrics to assess the economic impact of data integrity attacks on electric power grids. They showed that data integrity attacks can lead to specious decisions by the operators, causing significant economic and physical damage. In [10], the authors show that by protecting a small subset of measurements a power system may defend itself against data injection attacks. They show that the problem of selecting such subsets is a complex combinatorial problem and can be solved using a greedy approach. Most of the existing work on data tampering attacks is based on the assumption that a subset of PMUs can be protected and made completely safe. However, this assumption is not feasible given the large number of PMUs and the diversity of the location. Thus, this paper addresses the problem of securing synchrophasor networks without making such strong assumptions. III. NETWORK MODEL, ASSUMPTIONS, AND THREAT A. Network Model MODEL Figure 1 describes our network model. In this model we have PMUs, routers, the Internet, and a PDC. Each PMU is connected to the GPS satellites to obtain synchronized clock information. Moreover, the PMUs connect to the network through a router and the data is carried over the Internet to the PDC. B. Assumptions We make the following assumptions regarding the network model and proposed protocol: Fig. 1. Network Model a. PMU packet format is according to the IEEE std C [1]. The various fields and their sizes for a typical PMU packet are shown in Table I. TABLE I DATA PACKET FORMAT FOR A PMU [1] No. Field Size (bytes) 1 SYNC 2 2 FRAMESIZE 2 3 IDCODE 2 4 SOC 4 5 FRASEC 4 6 STAT 2 7 PHASORS 4/8 per phasor 8 FREQ 2/4 9 DFREQ 2/4 10 ANALOG 2/4 per value 11 DIGITAL 2 per value 12 CHK 2 b. PMUs use the UDP-only method for communication. In this method the PMU send all their data using UDP. Moreover, it is assumed that each PMU sends its data to only one PDC i.e., a unicast address. c. Each PMU packet is inserted into the payload of a UDP packet, and the resulting UDP segment is further encapsulated using the normal TCP/IP protocol suite. d. The hash function used in the proposed protocol is public. e. The adversary can listen to all the traffic going through the network, maliciously inject packets into the network, repeat previous messages, and imitate another node. f. The PDC is secure. However, the PMUs and other network entities such as routers and communication links may be compromised. g. The PMU data may or may not be encrypted. However, the adversary is capable of breaking the encryption. h. The first sixteen bytes of the ANALOG field of the PMU packet are reserved for data validation. If a PMU needs to send some extra data in this field, it can do so by skipping the first sixteen bytes.

3 3 TABLE II NOTATIONS Notation ID i H(X) [Ex] Mem [Ex] Rec F [a : b] Description IDCODE of a PMU stream XOR operation Hash of X Concatenation operator Expression Ex is evaluated using the device s memory Expression Ex is evaluated using the values from the received message Bytes a to b of the F field in a PMU packet C. Threat Model PMUs send the measured synchrophasors to the PDC using a communication network. The PMUs use UDP/IP to send data over the Internet to a PDC, and the PMU data may traverse multiple network routers and communication links. An adversary is assumed to have compromised one or more of these network entities or the PMU itself to launch a data tampering attack. The objective of the adversary is to manipulate the PMU data in such a way as to cause maximum damage. However, he/she wants to achieve this objective without being detected. The adversary wishes to induce inaccuracies in the state estimation, which may results in power outages, equipment damage, and other undesirable consequences. The objective of this paper is develop a mechanism to detect data tampering in synchrophasor networks. IV. PROPOSED SECURE DATA TRANSFER PROTOCOL FOR PMUS Fig. 2. Protocol Flow In this section we describe the proposed mechanism for detecting data tampering in synchrophasor networks. The set of notations used to describe the protocol are given in Table II. We assume that there is a secure way of establishing a symmetric key between the PDC and PMU before the proposed protocol begins its operation and that the key is refreshed on a regular basis to avoid replay attacks. The PMU saves in its memory the hash of the IDCODE H(ID i ) and a shared key k i for each of its data streams, while, the PDC saves a pair of k i and H(ID i ) for all PMU streams. Figure 2 shows a top level flow of the protocol. Figure 2 shows that the proposed protocol checks the validity of the PMU data by using packets at random points in time to carry the validation information. In other words, the PMU puts in the validation check in random packets and the PDC validates all the previous PMU data by checking this validation information. The proposed protocol can be divided into two phases: an initial seed sharing phase and a data transfer phase. A. Seed Sharing The seed sharing phase is shown in Figure 3. This is a two way protocol to share a seed between the PMU and PDC. This seed is used in the data transfer phase to generate the random Fig. 3. Seed Sharing Phase time hopping sequence. The seed sharing protocol works as follows: 1) The PMU initially sends the following four pieces of information to the server H(ID i ) (1) H(H(ID i ) k i ) (2) k i R A (3) H(H(ID i ) R A k i ) (4) where k i is the symmetric key shared between the PDC and PMU, and R A is a random number generated by the PMU. 2) The PDC searches its memory for H(ID i ) of the current PMU stream. If the search fails, the PDC rejects the seed sharing request. Otherwise, the PDC checks the following: [H(H(ID i ) k i )] Mem. = [H(H(IDi ) k i )] Rec (5)

4 4 i.e., the PDC constructs H(H(ID i ) k i ) using the parameters from its memory and compares it to the same expression received in the seed sharing message. If Equation (5) does not hold, the PDC rejects the message. Otherwise, the PDC calculates the random number generated by the PMU using the following: R A = k i [k i R A ] Rec. (6) The PDC then verifies the following: [H(H(ID i ) R A k i )] Mem. = [H(H(IDi ) R A k i )] Rec. (7) If Equation (7) fails verification, the PDC stops here. Otherwise, the PDC generates a random number R B and sends the following to the PMU: k i R B (8) H(H(ID i ) R A R B k i ). (9) 3) The PMU calculates the PDC s random number using the following R B = k i [k i R B ] Rec. (10) The PMU then verifies [H(H(ID i ) R A R B k i )] Mem. = [H(H(ID i ) R A R B k i )] Rec. (11) If Equation (11) does not hold the PMU cancels the seed sharing request. Otherwise, the secret seed to be used for the random sequence generator at the PMU and PDC is established as follows S i = H(R A ) H(R B ). (12) We denote this seed as S i. Moreover, to hide the validation information during the data phase, the PMU and PDC generate another secret key, which we call the time hopping key K T H. K T H is established using R A and R B as follows K T H = H(R A R B ). (13) To ensure freshness of the seed and time hopping key, the PMU and PDC may repeat the seed sharing after regular intervals of time. B. Data Transfer Once the seed sharing is complete, the PMU and PDC share three secrets, namely: two symmetric keys k i and K T H, and a secret seed S i. The proposed protocol for the data transfer phase is shown in Figure 4. The PMU and PDC generate a random time hopping sequence using the shared secret seed. It is desirable to use a technique which produces random sequences with good hamming correlation characteristics. Well known techniques for providing such sets of sequences may be adopted [11]. Let us assume that the PMU and PDC generate the follow- Fig. 4. ing time hopping sequence Data Transfer Phase T H Sequence = T 1, T 2, T 3 (14) The idea behind using this random sequence is that the adversary should not be able to infer the timing of the validation packets. Moreover, the adversary should not be able to differentiate between the normal and validation packets. To hide the validation information in the packets, we use the ANALOG field of a PMU packet. Each PMU will send sixteen bytes in the AN ALOG field. A non-validation packet will have randomly generated dummy values in this field while the validation packets will contain a hash of the previous data packets to be used for validation. The hash value is calculated as follows H CHK = H(P Ti H(P 2 H(P 1 K T H )) ). (15)

5 5 The protocol works as follows in the data transfer phase: 1) The PMU calculates the first hash value as H(P 1 K T H ) for the first packet P 1, and sends P 1 to the PDC. 2) The PDC receives P 1 and calculates the first hash value just like the PMU. 3) The PMU calculates the next hash value as follows: H CHK = H(P 2 H CHK ) (16) = H(P 2 H(P 1 K T H )). 4) This process continues until we reach a validation packet i.e. T 1 in this case. The PMU calculates the new hash value for validation and puts it in the first sixteen bytes of the ANALOG field of the PMU packet. The PMU sends this validation packet to the PDC. 5) The PDC calculates the new validation hash value i.e., H CHK. However, when P kt count reaches the respective time hop in the random time hopping sequence, the PDC reads the first sixteen bytes of the ANALOG field in the PMU packet and verifies the calculated H CHK with the one received in the ANALOG field. The process is as follows [H CHK ] REC = ANALOG[1 : 16] (17) Verify: [H CHK ] MEM. = [HCHK ] REC. (18) If Equation (18) is validated the data transfer continues. Otherwise, the PDC raises an alarm and alerts the operator of suspicious activity. V. SECURITY ANALYSIS In this section we present a security analysis of the proposed protocol, and show that it is not only immune to the data tampering attack but also to other types of attacks. A. Data Tampering Attack Most of the encryption schemes are based on secret keys. However, keys may be broken, stolen or accidentally revealed. If the encryption scheme of a synchrophasor network is broken, an adversary can cause significant damage to the power system in the form of power outages, high voltage surges, and so on. There are three ways an adversary may launch a data tampering attack: (i) through data modification, (ii) through data injection, and (iii) through data replay. Next, we discuss the impact of these attacks on the proposed protocol. 1) Data Modification: An adversary may try to change the values of the phasors or the time stamps being carried in a PMU packet. An adversary can break our scheme only if he/she can put the correct validation information in the correct validation packet. Just by looking at the contents of the AN ALOG field an adversary can not infer any information regarding the location or value of the validation hash function. To get a better understanding, consider Figure 5 Figure 5 shows the ANALOG fields of each PMU packet. As we can see this field contains dummy values except for the packets at the random time hopping sequence. Note that if an adversary starts observing the packets right from the first packet P 1, he/she may be able to take the hash of each packet, update the hash value and compare the resulting with the contents of the AN ALOG field of future packets. However, without having the time hopping key K T H, he/she can not construct the first hash function i.e., H(P 1 K T H ). Thus, the adversary is unable to modify the contents of any PMU packet without being detected. 2) Data Injection: In a data injection attack, an adversary may try to insert malicious packets into the PMU data stream. The adversary tries to construct valid data and send it as a PMU packet posing as coming from a legitimate PMU. To successfully launch this kind of attack the adversary needs the knowledge of the current validation hash value. However, as shown in Section V-A1, an adversary cannot gain information regarding the current validation hash value just by looking at the PMU packets. 3) Replay Attack: An adversary may try to resend older packets. However, due to the random time hopping scheme the validation packet of the older incarnation will not lie at the same place as the current run of the protocol. Thus, our scheme can easily detect this kind of attack. B. Identity Protection PMUs should not reveal information about the location from which the measurements were taken. An adversary can use this information to launch an attack on a specific entity or part of the power system. The proposed protocol uses a hash of the identity of the PMU stream. This ensures that the PMUs identity is hidden from the adversary. C. Comparison with Message Authentication Codes Traditional message authentication codes (MACs) for verifying the integrity of data packets use a hash of the message with a shared secret as the means to identify data tampering. However, an implicit assumption for data tampering or modification attacks is that the attacker has the ability to break encryption schemes. Given this assumption, If MACs are used to verify the integrity of every PMU packet, the adversary can break the MACs. On the other hand, under our scheme the adversary has no information regarding the random time hopping sequence and does not know which packets carry the validation information. Thus, the adversary cannot break the validation scheme. The proposed method to detect data tampering attacks acts as an extra layer of protection to hide information that the adversary may exploit. VI. PERFORMANCE ANALYSIS In this section we analyze the performance of our proposed protocol. One of the important requirements for synchrophasor security protocols is that it should be computationally efficient and have very low verification delays. This is necessary for the paramount requirement of availability in synchrophasor networks i.e., information should always be available at the right time. Thus, a good security protocol for synchrophasor networks should be able to support real time applications.

6 6 Fig. 5. Flow of Data Packets A. Computational Efficiency Let N H, and N denote the number of hash operations, and number of exclusive-or operations, respectively. Table III shows the computational complexity of the proposed protocol. TABLE III COMPUTATIONAL BURDEN OF THE PROPOSED PROTOCOL Task PMU PDC Seed Sharing 5N H + 3N 5N H + 3N K T H Construction Data Packets (Per Packet) Table III shows that the computational burden is very low. On the other hand, signature based schemes are much more computationally complex. For example, the RSA digital signature requires atleast 1500 arithmetic operations for a 1024 bit key. B. Verification Delay Table III shows that once the seed sharing is done, the per packet computational requirement is just one hash operation. This low computational complexity translates into low verification delay. Thus, the proposed protocol has excellent delay characteristics and can support real time applications such as real time modeling of the power system. C. Communication Overhead If we assume the output of the hash function to be 128 bits, the proposed protocol requires 16 bytes of extra overhead to be sent with each PMU packet. However, many encryption based schemes require much more overhead typically in the range of 128 to 256 bytes. Thus, the proposed protocol requires very low communication overhead as compared to other security schemes. D. Storage Requirement The PMU and PDC only store the H(ID i ), k i, K T H, and S i. Assuming each one is 128 bits, we need to store only 512 bits in the PDC as well as the PMU. This shows that the proposed protocol has very low storage requirements. VII. CONCLUSIONS This paper presented a method to detect data tampering in synchrophasor networks. The protocol has two phases, the initial seed sharing phase and a data transfer phase. The seed sharing phase is used to establish a secret seed and a time hopping key using random numbers generated by the PMU and PDC. The data transfer phase uses the secret seed to generate a random time hopping sequence. This time hopping sequence is used by the PMU and PDC to identify the packets which carry validation information. The data packets are validated using a hash function of the packets and the time hopping key. The security analysis of the protocol shows that it is immune to data tampering attacks such as data modification and data injection. We also showed that the proposed protocol is safe against replay attacks and also keeps the identity of PMUs hidden. A performance analysis of the protocol showed that the proposed protocol has low computational complexity, verification delay, communication overhead, and storage requirements. These characteristics make the proposed protocol suitable for real time applications in synchrophasor networks. REFERENCES [1] Synchrophasor Data Transfer for Power Systems, IEEE Standard C , [2] A. Giani, R. Bent, M. Hinrichs, M. McQueen, and K. Poolla, Metrics for assessment of smart grid data integrity attacks, IEEE Power and Energy Society General Meeting, pp.1-8, July [3] E. Handschin, F. Schweppe, J. Kohlas, and A. Fiechter, Bad data analysis for power system state estimation, IEEE Transactions on Power Apparatus and Systems, vol. 94, no.2, pp , March [4] M. Baran, and A. Abur, Power System State Estimation, Wiley Encyclopedia of Electrical and Electronics Engineering, [5] Y. Deng, and S. Shukla. Vulnerabilities and Countermeasures: A Survey on the Cyber Security Issues in the Transmission Subsystem of a Smart Grid, J. Cyber Security and Mobility, vol. 1, no. 2, pp , [6] Y. Liu, P. Ning, and M. K. Reiter, False data injection attacks against state estimation in electric power grids, Proceedings of ACM Conference on Computer and Communications Security, pp.21-32, Chicago, IL, November [7] O. Kosut, L. Jia, R. J. Thomas, and L. Tong, Malicious Data Attacks on the smart grid, IEEE Transactions on Smart Grid, vol. 2, no. 4, pp , [8] H. Sandberg, A. Teixeira, and K. Johansson, On Security Indices for State Estimators in Power Networks, First Workshop on Secure Control Systems, Stockholm, Sweden, [9] R. B. Bobba, K. M. Rogers, Q. Wang, and H. Khurana, Detecting false data injection attacks on DC state estimation, Proceedings of the First Workshop on Secure Control Systems, [10] T. T. Kim, and H. V. Poor, Strategic Protection Against Data Injection Attacks on Power Grids, IEEE Transactions on Smart Grid, vol.2, no.2, pp.326,333, June [11] M. K. Simon, J. K. Omura, R. A. Scholtz, and B. K. Levitt, Spread Spectrum Communications Handbook,revised ed. New York: McGraw Hill, 1994.