THE increasingly digitized power system offers more data,

Transcription

1 1 Cyber Risk Analysis of Combine Data Attacks Against Power System State Estimation Kaikai Pan, Stuent Member, IEEE, Anré Teixeira, Member, IEEE, Milos Cvetkovic, Member, IEEE, an Peter Palensky, Senior Member, IEEE arxiv: v1 [cs.cr] 28 Aug 217 Abstract Unerstaning smart gri cyber attacks is key for eveloping appropriate protection an recovery measures. Avance attacks pursue maximize impact at minimize costs an etectability. This paper conucts risk analysis of combine ata integrity an availability attacks against the power system state estimation. We compare the combine attacks with pure integrity attacks - false ata inection (FDI) attacks. A security inex for vulnerability assessment to these two kins of attacks is propose an formulate as a mixe integer linear programming problem. We show that such combine attacks can succee with fewer resources than FDI attacks. The combine attacks with limite knowlege of the system moel also expose avantages in keeping stealth against the ba ata etection. Finally, the risk of combine attacks to reliable system operation is evaluate using the results from vulnerability assessment an attack impact analysis. The finings in this paper are valiate an supporte by a etaile case stuy. Inex Terms Combine integrity an availability attack, false ata inection, risk analysis, power system state estimation I. Introuction THE increasingly igitize power system offers more ata, etails, an controls in a real-time fashion than its nonnetworke preecessors. One of the benefiting applications of this evelopment is State Estimation (SE): Remote Terminal Units (RTUs) provie measurement ata via Information an Communication Technology (ICT) infrastructure such as Supervisory Control an Data Acquisition (SCADA) system. The SE provies the operator with an estimate of the state of the electric power system. This state information is then use an processe by the energy management system (EMS) for optimal power flow (OPF), contingency analysis (CA), an automatic generation control (AGC). Security of supply epens on the EMS, which in turn epens on a reliable SE. As iscusse in [1], the SCADA system is vulnerable to a large number of security threats. A class of integrity ata attack, known as false ata inection (FDI) attack, has been stuie with consierable attention. With moifying the measurement ata, this attack can pass the Ba Data Detection (BDD) within SE to keep stealth [2], by tampering of RTUs, the communication links to the control center, or even the atabases an IT software in the control center. However, such FDI attack nees intensive attack resources such as the knowlege of the system moel an the capability to corrupt the integrity on a set of measurements. Denial-of-service (DoS) attacks [3] [4], a type of availability attack, are much cheaper to achieve, especially if RTUs communicate via insecure communication channels. In this paper, we focus on combine attacks where the SE is corrupte by both integrity attacks an availability attacks simultaneously. We compare combine attacks an FDI attacks uner ifferent levels of aversarial knowlege an resources. A. State of the Art Research in the literature has focuse on FDI attacks from many aspects of risk assessment [5], e.g., vulnerability analysis, attack impact assessment an mitigation schemes evelopment. As first shown in [2], a class of FDI attack, so-calle stealth attack, can perturb the state estimate without triggering alarms in BDD within SE. Vulnerability of SE to stealth FDI attacks is usually quantifie by computing attack resources neee by the attacker to alter specific measurements an keep stealth against the BDD [6] [8]. Since state estimates are inputs of many application specific tools in EMS, the corrupte estimates can infect further control actions. The estimate errors ue to FDI attacks were analyze in [9] an [1]. The results illustrate that the errors coul be significant even with a small number of measurements being compromise. The work in [11] an [12] stuie the potential economic impact of FDI attacks against SE by observing the noal price of market operation. The attacker coul obtain economic gain or cause operating costs in the market. Recent work in [13] stuie the physical impact of FDI attacks with the attacker s goal to cause a line overflow. In orer to efen against stealth FDI attacks, mitigation schemes have been propose to improve the ba ata etection algorithm or safeguar certain measurements from aversarial ata inection. Sequential etection (or quickest etection) of FDI attacks was esigne mainly base on well-known Cumulative Sum (CUSUM) algorithm in [14]. In reference [15], etection methos that leverage synchrophasor ata an other forecast information were presente. The network layer an application layer mitigation schemes, such as multi-path routing an ata authentication an protection, are prove to be effective to ecrease the vulnerability [16] [17]. It is worth noting that the maority of research has focuse on stealth FDI attacks from a specific aspect of vulnerability or impact assessment. The work in [4] first consiere aing a class of availability attack, so-calle amming attack, to the attack scenarios against SE. Our recent paper [17] stuie the stealth combine attacks with ifferent measurement routing topologies, concluing that such attacks may nee less attack resources than FDI attacks. The work above assume that the aversary has full knowlege of the system moel, yieling perfect stealth attacks. However, the ata of the system moel

2 2 is usually protecte well an har to be accesse by the aversary. In reality, the attacks are always execute with limite aversarial knowlege an have the possibility to be etecte by the BDD uner limite knowlege conitions. Thus for the vulnerability analysis, not only the attack resources neee by the attacker shoul be consiere but also the etection probability of attacks nees to be compute. In aition, vulnerability an impact of attacks can be combine together in the notion of risk. In [18], a high-level risk assessment methoology for power system applications incluing SE was presente. However, risk analysis methos an tools combining vulnerability an impact assessment for ata attacks are neee to implement risk assessment methoologies. In this paper, we exten our prior work reporte in [17] to formulate combine attacks with limite aversarial knowlege of the system moel an conuct the risk analysis. In orer to assess the risk, we first analyze vulnerability of SE with respect to attack resources neee by the aversary an calculate the etection probability of combine attacks. Next, we propose attack impact metric for evaluating attack impact on loa estimate. Combining the results from vulnerability an impact assessment, we present the risk which combine attacks bring to reliable system operation. We compare the vulnerability, impact an risk with those of FDI attacks. The simulation results show that combine attacks yiel higher risk in maority of consiere cases. B. Contributions an Outline As far as we know, our work is the first one to conuct risk analysis of combine attacks with limite aversarial knowlege. Our contributions are liste as follows: 1) The first part of vulnerability analysis is presente through the notion of security inex [7], which correspons to the minimum attack resources neee by the attacker to compromise the measurements while keeping stealth. The power system is more vulnerable to attacks with smaller security inex since such attacks can be execute with less resources. We show that, when availability attack an integrity attack have the same cost, the security inexes of combine attacks an FDI attacks coincie. 2) Our secon contribution is to aress the etection probability problem of combine attacks with limite aversarial knowlege. Here we relax the full knowlege assumption which is commonly use in the literature. We show that the optimal combine attack with limite aversarial knowlege can still keep stealth uner certain conitions. The empirical results also inicate that combine attacks have lower etection probability. 3) We propose risk metric to quantify the risk of combine attacks with limite aversarial knowlege. For the attacks with the same security inex, the risk metric is compute by multiplying 1) the probability of the attack not to be etecte, with 2) the attack impact on loa estimate. We particularly consier the attack impact on loa estimate because the loa estimates are inputs of other applications that compute optimal control actions in EMS. Base on the analysis of risk metrics of combine attacks an FDI attacks, we show that power system operations face higher risk uner combine attacks. The outline of the paper is as follows. Section II gives an introuction of SE an stealth FDI attacks mechanism. Section III extens the attack scenario to combine attacks an proposes security inex with computational metho for vulnerability analysis. In Section IV, the etectability of combine attacks with limite aversarial knowlege is iscusse. The risk metric is propose to measure the risk of attacks in Section V with the analysis of the vulnerability an attack impact. Section VI presents empirical results from a power system use case. In section VII we conclue the paper. C. Notation For an m n matrix H R m n, we enote the i-th row of H by H(i,:). For a vector of m values a R m, a(i) is the i-th entry of a. By iag(a), we enote an m m iagonal matrix with the elements of vector a on the main iagonal. II. Power System Moel an Data Attacks In this section, we review the state estimation an BDD techniques an the stealth ata attacks problem. A. State Estimation The power system we consier has n + 1 buses an n t transmission lines. The ata collecte by RTUs inclues line power flow an bus power inection measurements. These m measurements are enote by z = [z 1,...,z m ] T. The system state x is the vector of phase angles an voltage magnitues at all buses except the reference bus whose phase angle is set to be zero. For the analysis of cyber security an ba ata etection in SE, it is customary to escribe the epenencies of measurements an system state through an approximate moel calle DC power flow moel [8]. In the DC power flow moel, all the voltage magnitues are assume to be constant an the reactive power is completely neglecte. Thus the vector z refers to active power flow an inection measurements, an the state x refers to bus phase angles only. There are n phase angles to be estimate excluing the reference one, i.e. x = [x 1,..., x n ] T. Hence, z an x are relate by the equation WB T z = P WB T x + e := Hx + e, (1) B WB T where e N(,R) is the measurement noise vector of inepenent zero-mean Gaussian variables with the covariance matrix R = iag(σ 2 1,...,σ2 m), H R m n represents the system moel, epening on the topology of the power network, the line parameters an the placement of RTUs. Here the topology is escribe by a irecte incience matrix B R (n+1) n t in which the irections of the lines can be arbitrarily specifie [8]. Matrix B R n n t is the truncate incience matrix with the row in B corresponing to the reference bus remove. The line parameters are escribe by a iagonal matrix W R n t n t with iagonal entries being the reciprocals of transmission line reactance. Matrix P R m (2nt+n+1) is a matrix stacke by the

3 3 rows of ientity matrices, inicating which power flows or bus inections are measure. Usually a large egree of reunancy of measurements is employe to make H full rank. The state estimate ˆx is obtaine by the following weighte least squares (WLS) estimate: ˆx := argmin x (z Hx) T R 1 (z Hx), (2) which can be solve as ˆx = (H T R 1 H) 1 H T R 1 z := Kz. The estimate state ˆx can be use to estimate the active power flows an inections by ẑ = H ˆx = HKz := Tz, (3) where T is the so-calle hat matrix [19]. The BDD scheme uses such estimate measurements to ientify ba ata by comparing ẑ with z, see below. B. Ba Data Detection Measurement ata may be corrupte by ranom errors. Thus there is a built-in BDD scheme in EMS for ba ata etection. The BDD is achieve by hypothesis tests using the statistical properties of the measurement resiual: r = z ẑ = (I T)z := S z = S e, (4) i where r R m is the resiual vector, I R m m is an ientity matrix an S is the so-calle resiual sensitivity matrix [19]. We now introuce the J( ˆx)-test base BDD. For the measurement error e N(, R), the new ranom variable y = m R 1 ii e 2 i where R ii is the iagonal entry of the covariance matrix R has a χ 2 istribution with m n egrees of freeom. Note the quaratic cost function J( ˆx) = R 1/2 r 2 2 = R 1/2 S e 2 2. For the inepenent m measurements we have rank(s ) = m n, which implies that J( ˆx) has a so-calle generalize chi-square istribution with m n egrees of freeom [2]. The BDD uses the quaratic function as an approximation of y an checks if it follows the istribution χ 2 m n. Defining α [,1] as the significance level corresponing to the false alarm rate, an τ(α) such that τ(α) f (x)x = 1 α, (5) where f (x) is the probability istribution function (PDF) of χ 2 m n. Hence, the BDD scheme becomes { Goo ata, if R 1/2 r 2 τ(α), Ba ata, if R 1/2 r 2 > (6) τ(α), C. Stealth FDI Attacks The goal of an attacker is to perturb the SE while remaining hien from the BDD. If only ata integrity attacks are consiere, the attacker coul inect false ata on a set of measurements, moifying the measurement vector z into z a := z+a. Here the FDI attack vector a R m is the corruption ae to the original measurement z. We have the following efinition of a k a -tuple FDI attack, Definition 1 (k a -tuple FDI attack). An attack with an FDI attack vector a R m is calle a k a -tuple FDI attack if a number of k a measurements are inecte with false ata, i.e. a = k a. As shown in [2], an attacker with full knowlege of the system moel (i.e., the matrix H) an the capability to corrupt specific measurements can keep steath if the FDI attack vector follows a = Hc where c R n is non-zero. The corrupte measurements z a becomes z a = H(x + c) + e. This leas to the state estimate perturbe by a egree of c, while the resiual for BDD checking remains the same. It has been verifie that such stealth FDI attacks base on the DC moel can be performe on a real SCADA/EMS testbe avoiing the ba ata etection with full nonlinear AC power flow moel [9]. To escribe the vulnerability of SE to stealth FDI attacks, the security inex is introuce as the minimum number of measurements that nee to be corrupte by the attacker in orer to keep stealth [7]. The security inex is given by α :=min c a s.t. a = Hc, a( ) = µ, where a( ) enotes the inecte false ata on measurement, an µ is the non-zero attack magnitue etermine by the attacker. The result α is the security inex that quantifies the vulnerability of measurement to stealth FDI attacks. Here the compute α belongs to one of the FDI attacks with the minimum k a (k a = α ) for measurement. It is known that this optimization problem above is NP-har (See [21]). In [8], the authors propose an approach using the big M metho to express (7) as a mixe integer linear programming (MILP) problem which can be solve with an appropriate solver, α := min c,y m y(i) i=1 (7) s.t. Hc My, (8a) Hc My, (8b) H(,:)c = µ, (8c) y(i) {,1} for all i. In (8), M is a constant scalar that is greater than the maximum absolute value of entries in Hc, for some optimal solution c of (7). At optimality, for any i that H(i,:)c =, the corresponing y(i) is zero. Thus an optimal solution to (8) is exactly the same optimal solution to (7) with y(i) = 1 inicating that the measurement i is corrupte by an FDI attack. III. Stealth Combine Data Attacks FDI attacks are resource-intensive since the aversary nees to coorinate integrity attacks on a specific number of measurements. This usually gives the aversary more power than possible in practice [1]. In reality, an attacker woul try to reuce the attack resources an woul prefer ata availability attacks (e.g., DoS attacks, amming attacks) since monitoring systems are always more vulnerable to this type of attacks [22]. Thus, we focus on the scenario that the aaversary woul launch combine ata integrity an availability attacks. A. Combine Data Integrity an Availability Attacks For a large-scale SCADA system, missing ata an failing RTUs are common [7]. When some of the measurements

4 4 are missing, the typical solution wiely employe wiely in SE is to use the remaining ata before the system becomes unobservable. Another solution is to use pseuo measurements (e.g., previous ata, forecast information), but these measurements woul still lose confience in further time intervals as long as the availability attacks continue. The combine attacks we introuce here are assume not to make system unobservable an lea to non-convergence of the SE algorithm but try to keep stealth against the BDD. Thus we keep the assumption in this paper that SE uses remaining ata if availability attacks take place. We introuce the availability attack vector {,1} m for the availability attacks an (i) = 1 means that measurement i is unavailable. Thus the moel for remaining measurements an system state can be escribe by z = H x + e, (9) where e R m an z R m are the noise vector an measurement vector respectively, an the entries of them are zero if the corresponing measurements are unavailable. Matrix H R m n enotes the moel of the remaining measurements an it is obtaine from H by replacing some rows with zero row vectors ue to availability attacks on these measurements, i.e. H := (I iag())h. We can further obtain the hat matrix an resiual sensitivity matrix when availability attacks occur, K := (H T R 1 H ) 1 H T R 1, (1) T := H K, S := I T. (11) For the combine attacks, the attacker woul still launch FDI attacks on the remaining measurements in concert with availability attacks, making z change into z a, := z + a. Similarly, a (k a,k )-tuple combine attack can be efine as Definition 2 ((k a,k )-tuple combine attack). A combine attack with an FDI attack vector a R m an an availability attack vector {,1} m escribe above is calle a (k a,k )- tuple combine attack if a = k a, = k. B. Security Inex for Combine Attacks Similar to the FDI attacks, if the attack vectors of a (k a,k )- tuple attack satisfy a = H c, such combine attacks can still keep stealth as the FDI attack vector a lies on the column space of the matrix H. Using the formulation of security inex in (7) for FDI attacks, we propose an intuitive security inex for combine attacks as the minimum number of measurements that nee to be compromise by the attacker, β := min a + c, s.t. a = H c, (12a) H = (I iag())h, (12b) a( ) = µ, (12c) (i) {,1} for all i. Here we also assume a( ) = µ where µ is the non-zero attack magnitue. The result β is the security inex that quantifies how vulnerable measurement is to combine attacks. The compute β belongs to one of the combine attacks that have minimum k a +k (k a +k = β ) for measurement. To solve this NP-har problem above, we propose a computation solution which uses the big M metho to formulate a MILP problem: β := min c,w, m m w(i) + (k) i=1 k=1 s.t. Hc M(w + ), (13a) Hc M(w + ), (13b) H(,:)c = µ, (13c) w(i) {,1} for all i, (13) (k) {,1} for all k, (13e) where w, {,1} m with w(i) = 1 an (k) = 1 meaning FDI attack an ata availability attack on measurement i an k. The following theorem shows that the optimal solution to (12) can be obtaine from the optimal solution of (13). Theorem 1. For any inex {1,...,m} an non-zero µ, let (c, w, ) be an optimal solution to (13). Then an optimal solution to (12) can be compute as (c, ), an β = β. Proof. The proof follows by re-writing (12) as (13). First, note that the constraint of (12), a = (I iag())hc, can be formulate as a set of inequality constraints with auxiliary binary variables by using the big M metho, yieling Mw (I iag())hc Mw, where w {,1} m an a = w(i). Since is a vector of binary variables, the pair of inequality constraints pertaining the i-th measurement can be written as (1 (i))h(i,:)c Mw(i). The latter can be rea as { H(i,:)c =, if w(i) = (i) =, H(i,:)c M, if w(i) = 1 or (i) = 1, which can be rewritten as H(i,:)c M((i) + w(i)). Hence, recalling that a(i) = (1 (i))h(i,:)c, we conclue that the constraints of (12) can be equivalently re-written as the constraints of (13). The proof conclues by noting that the obective functions of both problems satisfy the equality a + = w(i) + (i). Corollary 1.1. For any inex {1,...,m} an non-zero µ, let (c, w, ) be an optimal solution to (13). Then an optimal solution to (7) can be compute as c, an α = β. Proof. The proof follows straightforwarly from Theorem 1, which establishes that an optimal solution to (12) can be obtaine from an optimal solution to (13): comparing (13) an (8), we can easily see that an optimal solution to (8) can be compute as (c, y ) with y = w +, an α = β. Since (8) provies the exact solution to (7), an optimal solution to (7) can be compute as c, an also α = β = β. Corollary 1.1 implies that a set of compromise measurements is an optimal solution to (12) if an only if this set is an optimal solution to (7), an the two security inexes β an α coincie. In fact, in [23] it was shown that the set of compromise measurements in a k a -tuple FDI attack obtaine by solving (7) is a sparsest critical tuple containing the target measurement. A sparsest critical tuple is characterize by the measurements that o not belong to a critical tuple of lower orer. A critical tuple contains a set of measurements,

5 5 where removal all of them will cause the system to be unobservable. If any subset of the critical tuple is remove, it woul not lea to the loss of observability [19]. Accoring to Corollary 1.1 an its proof, we can see that the set of compromise measurements of FDI attacks in this critical tuple is also an optimal solution to the security inex problem (12) of combine attacks. The interpretation of the security inex problem as a critical tuple problem provies the means for comparing security inexes of attacks with full an limite aversarial knowlege; see Section IV-C for etails. The security inexes erive so far in (7) an (12) coul ientify the compromise measurements set of attacks but i not consier the attack costs. In what follows, we inclue the costs in the formulation. To simplify the iscussion, we assume that the availability an integrity attacks have the costs C A an C I, respectively, per measurement. The worst case for power gris is that the aversary succees with minimum attack resources. Uner these attack costs, we formulate a security inex for attack resources of combine attacks as γ a, := min c,w, s.t. m m C I w(i) + C A (k) i=1 (13a) (13e). k=1 (14) By making vector in (14) to be zero, we can get the security inex γ a for FDI attacks. We can also see that the set of compromise measurements from the optimal solution of (14) is also the optimal solution to (12) an (7). As previously iscusse, it is reasonable to assume that availability attacks can cost less attack resources compare with integrity attacks. If we take the values that satisfy C A < C I, the optimal solution of w an in (14), w.r.t. measurement, woul lea to w (i) = 1 an (k) = β 1. This means that the optimal combine attack in the case of C A < C I is to corrupt one measurement with an integrity attack an make other measurements in this critical tuple unavailable. This statement is mae formal in the following proposition which will be valiate in Section VI-A. Proposition 1. When C A < C I, the optimal strategy of combine attack is to inect false ata on the targete measurement an make other measurements in the critical tuple unavailable to the SE, yieling a (1,β 1)-tuple combine attack with optimal attack cost γ a, = C I + (β 1)C A. IV. Attacks with Limite Aversarial Knowlege In this section we consier the scenario in which the aversary has limite knowlege of the system moel an iscuss how this affects the etectability of combine attacks. A. Relaxing Assumption on Aversarial Knowlege For the combine attacks above, the aversary is assume to have full knowlege of H in (1) that inclues the topology of the power network, the placement of RTUs an the transmission line reactance. This system ata is usually kept in the atabase of control center, which is ifficult to be accesse by the attacker. We exten the previous analysis by replacing the full knowlege assumption. Hence, in what follows the attacker only has limite knowlege of the system moel. An attacker coul acquire limite knowlege as a result of analyzing an out-ate or estimate moel using power network topoloy ata but limit information of transmission line parameters [24] [25]. Looking at the problem from the attacker s perspective, we enote the perturbe system moel as H, such that H = H + H, (15) where H R m n enotes the part of moel uncertainty. We still consier that the attacker uses the same linear policies to compute attack vectors, i.e. a = H c for combine attacks an a = Hc for FDI attacks an H := (I iag()) H. B. Detectability of Data Attacks 1) Combine Attacks: When the measurements are corrupte by a (k a,k )-tuple attack, the measurement resiual r(a,) can be written as r(a,) = S z a, = S e + S a. (16) As iscusse in Section III-B, when the attack vectors of the combine attack satisfy a = H c, the resiual r(a,) = S e + S H c = S e ue to S H =, then the resiual is not affecte by a an no aitional alarms are triggere; the BDD treats the measurements attacke by availability attacks as a case of missing ata. However, for the attack with limite knowlege, the attack vector a becomes a = H c an S a may be nonzero. In this case, the resiual is incremente an the attack can be etecte with some possibility. Note that the quaratic cost function with the combine attack becomes J a, ( ˆx) = R 1/2 S e + R 1/2 S a 2 2. Here the mean of (R 1/2 S e + R 1/2 S a) is non-zero R 1/2 S a incremente by the attack. Recalling the J( ˆx)-test base BDD, J a, ( ˆx) has a generalize non-central chi-square istribution with m n k egrees of freeom uner the combine attack. We use J a, ( ˆx) as an approximation of having the non-central chi-square istribution χ 2 m n k ( R 1/2 S a 2 2 ) to calculate the etection probability, where λ a, = R 1/2 S a 2 2 is the noncentrality parameter. Further we will valiate such approximation using empirical results from Monte Carlo simulation in Section VI-B. We can further obtain τ (α) f λa, (x)x = 1 δ a,, (17) where f λa, (x) is the PDF of χ 2 m n k ( R 1/2 S a 2 2 ), τ (α) is the threshol set in the BDD using (5) but with the PDF of χ 2 m n k, an δ a, is the etection probability. 2) FDI Attacks: For a k a -tuple FDI attack with limite knowlege, the quaratic function J a ( ˆx) can also be approximate to have a non-central chi-square istribution but with m n egrees of freeom, namely the istribution χ 2 m n( R 1/2 S a 2 2 ). Similar to (17), the etection probability can be compute by solving τ(α) f λa (x)x = 1 δ a, (18) where λ a = R 1/2 S a 2 2 enotes the non-centrality parameter, τ(α) is the threshol set in the BDD using (5), an δ a is the etection probability of the FDI attack.

6 6 C. Special Case: Attacks with Structure Moel Uncertainty An interesting analysis can be mae to unerstan what the moel uncertainty H is to the aversary. As state in [24], the scenarios where the uncertainty is more structure are of greater interest. Here we assume that the attacker knows the exact topology of the power network an the placement of RTUs, but has to estimate the line parameters. This assumption is feasible since the attacker can analyze the topology accoring to the breaker status ata an compute the moel base on available power flow measurements, while usually the attacker has limite access to the knowlege of the exact length of the transmission line an type of the conuctor being use [25]. Thus the moel with such structure uncertainty becomes WB T H = P WB T B WB T. (19) where W is erive from W but with errors. Now we consier the security inex of attacks w.r.t. H in (19). As we have iscusse in Section III-B, the security inex problem can be interprete as a critical tuple problem. In the remaining part of this paper we aopt the following assumption, Assumption 1. The system with perturbe moel H in (19) has the same sets of critical tuples as the system with original moel H in (1). Assumption 1 is expecte to hol in the case that the system with H in (1) is topologically observable [26]. Defining the security inexes for compromise measurements set uner structure uncertainty moel as α an β, the following theorem shows that the security inex remains the same although the moel is perturbe with structure uncertainty. Theorem 2. For any measurement inex {1,...,m} an non-zero µ, uner Assumption 1, let ( c, w, ) be an optimal solution to (13) w.r.t. H in (19). Then there exists some c such that (c, w, ) with w = w an = is an optimal solution to (13) w.r.t. H in (1), (c, y ) with y = w + is an optimal solution to (8) w.r.t. H in (1), an β = β = α = α. Proof. The optimal solution with w an ientifies a sparsest critical tuple containing measurement for the perturbe moel H in (19), which is also a sparsest critical tuple for the moel H in (1) accoring to Assumption 1. Then the set of measurements in this critical tuple is an optimal solution to the security inex problem of (13) w.r.t. H in (1). Accoring to Theorem 1 an Corollary 1.1, the set of measurements in this critical tuple is also an optimal solution to the security inex problem of (8) w.r.t. H in (1). With respect to the security inex for attack resources, let γ a, an γ a be the security inexes of combine attacks an FDI attacks from (14) but w.r.t. perturbe moel H in (19). We can see that the set of compromise measurements from optimal solution to (14) w.r.t. H in (19) is also the optimal solution to (13) an (8) accoring to Theorem 2. When it is the case that C A < C I, the optimal solution of w an from (14) w.r.t. H, woul lea to w (i) = 1 an (k) = β 1. Such (1, β 1)-tuple combine attack can be launche with least attack resources when C A < C I an in the following we show that it also can achieve minimize etectability. As iscusse in Section IV-B, the etection probability woul increase when attacker has limite knowlege of the system moel. However, for the combine attacks, the following proposition states that the combine attacks with structure moel uncertainty can still keep stealth against the BDD if the following conitions are satisfie: 1) structure moel uncertainty is efine as in (19); 2) Assumption 1 hols. Proposition 2. For any inex {1,...,m} an non-zero µ, uner Assumption 1, let ( c, w, ) with w (i) = 1 be an optimal solution to (13) w.r.t. H in (19). Then this (1, β 1)- tuple combine attack from ( c, w, ) is a stealth attack. Proof. The FDI attack vector of this combine attack is a = H c. Accoring to Theorem 2, there exists c such that (c, w, ) with w = w an = is an optimal solution to (13) w.r.t. H in (1). Using the attack strategy above, k a = w (i) = 1 an the only non-zero entry of the attack vector a is µ while other measurements in this critical tuple are attacke by availability attacks. Thus this combine attack is with the vector a = (I iag( )) H c = (I iag( ))Hc = H c, which can keep stealth w.r.t. H in (1). V. Risk Assessment for Data Attacks The previous sections focus on vulnerability assessment of SE to combine attacks with limite knowlege. Following the proceure of risk analysis in [18], in this section we efine an analyze the risk brought by attacks with limite knowlege. Usually the total risk of ata attacks is efine as the likelihoo of attack multiplie by the potential attack impact [5]. For a (k a,k )-tuple combine attack, the risk metric R(a,) can be expresse as R(a,) = L(a,) I(a,) (2) where L(a, ) enotes the likelihoo of the combine attack with attack vectors a an, an I(a,) enotes the attack impact. For the attacks with larger risk metrics, they bring more risk to reliable system operation. In the following we iscuss how L(a,) an I(a,) are formulate. A. Likelihoo of Data Attacks The attack likelihoo relates to the vulnerability of the system. In this work, the likelihoo of the attack is taken as the probability that the attack is launche an the probability that the attack can keep stealth against the etection schemes, L(a, ) = P(a, )P(s a, ), (21) where P(s a, ) enotes the conitional probability of the combine attack passing the BDD if it has been performe. For the attack with limite knowlege, the etection probability δ a, can be obtaine from (17), thus we have P(s a,) = 1 δ a,. In (21), P(a, ) represents the probability that a particular aversary woul perform a combine attack an successfully corrupt the ata. Obtaining meaningful an realistic ata for calculating P(a, ) remains an unsolve an open issue for most of the establishe approaches [27]. The propose

7 7 security inex γ a, w.r.t. perturbe moel H captures the efforts require by a combine attack an essentially can be relate to the probability P(a,). We assume that if the attacks have the same security inex of γ a,, they have the same probability of P(a,). In this paper, to compare the risk of attacks with the same security inex, we normalize P(a, ) to be 1, meaning that the attacks have been performe successfully. The following risk metric applies to the attacks with the same security inex of γ a,, R(a,) = P(a,)P(s a,)i(a,) = (1 δ a, )I(a,), (22) For the k a -tuple FDI attacks with the same security inex of γ a, the formulation of risk metric is similar, i.e. R(a) = (1 δ a )I(a) where δ a is the etection probability from (18), I(a) enotes the attack impact an R(a) is the risk metric. Thus in the case of γ a, = γ a, the risk of combine attacks an FDI attacks is comparable. B. Attack Impact: Errors of Loa Estimate The estimate information from SE is use by further applications in EMS to compute optimal control actions. These are typically compute by minimizing network operation costs which are obtaine by solving OPF algorithms. As the work in [13] shows, the OPF application uses the loa estimate as the inputs. If ata attacks take place an pass the BDD, the loa estimates get perturbe which influences the control actions. Therefore, we consier the impact metric as a function of the bias introuce by the attack on the loa estimate. Assuming that there are m in inection measurements incluing loas, we consier the impact on the errors of estimating net power inections, which can be escribe as ɛ = ẑ in,a, z in, (23) where z in R m in is the original inection measurements incluing loas an ẑ in,a, R m in is the vector of estimate measurements uner a (k a,k )-tuple combine attack. Thus ɛ = H in ˆx a, (H in x + e in ), (24) where ˆx a, = K (z +a) = x+k e +K a, H in R m in n enotes the submatrix of H by keeping the rows corresponing to inection measurements incluing loas, an e in R m in is the noise vector of these measurements. We can further obtain ɛ = H in K a + H in K e e in where the term introuce by the attacks is H in K a. Here K is the function of the matrix H as efine in (1). The expecte value of ɛ is E(ɛ) = H in K a. (25) We have the following efinition of the attack impact metric for combine attacks. Definition 3. The impact metric I(a, ) for quantifying attack impact of a combine attack with FDI attack vector a an availability vector on loa estimate is efine as the 2-norm of H in K a, i.e. I(a,) := H in K a 2. Similar to the combine attacks, we efine the attack impact metric I(a) = H in Ka 2 for a k a -tuple FDI attack with attack vector a. We continue to aopt the linear attack policies to compute attack vectors for attacks with limite knowlege, i.e., a = H c for combine attacks an a = Hc for FDI attacks. Security Inex γ < 4 γ = 4 γ > 4 a, a, a, Figure 1. The IEEE 14-bus system. The measurements are labele ifferent colors accoring to their security inex γ a, from Figure 2. The most vulnerable measurements with small inex (< 4) are color coe re. The measurements that have large inex (> 4) are color coe green. The others are color coe blue an their vulnerabilities lie somewhere in between. A similar figure of measurements uner FDI attacks can be foun in [8]. VI. Case Stuy In this section we apply the analysis to the IEEE 14-bus system (Figure 1). We conuct simulations on DC moel for the purposes of: 1) illustrating vulnerability of SE to combine attacks;2) proviing insights into how combine attack can iffer from FDI attack; 3) evaluating the risk of ata attacks an giving the risk prioritization. In the performe experiments, measurements are place on all the buses an transmission lines to provie large reunancy. The per-unit system is use an the power base is 1MW. The measurements are generate uner the DC moel with Gaussian noise (σ =.2 for any measurement ). For the limite knowlege moel, we assume that the attacker knows the exact topology but has estimate line parameters with errors up to ±2%. A. Security Inex for Vulnerability Analysis In orer to expose vulnerability of SE to ata attacks, we calculate the security inex using the computation solutions of (13) (accoring to Theorem 1) an (8) for both combine attacks an FDI attacks. Thus the minimum number of compromise measurements an attack resources neee by the attacker to corrupt SE an pass the BDD are etermine. Figure 2 shows the security inexes γ a, an γ a of combine attacks an FDI attacks, where the x-axis inicates the measurement targete by the attacker to inect false ata of µ =.1p.u.. The results illustrate the attack resources neee by the attacker to keep stealth. The security inex of combine attacks is also showe in Figure 1 where the measurements are color coe to inicate which ones are more vulnerable. Combining Figure 2 an Figure 1, the security inex can illustrate the security week point in a power system. The values of security inex uner combine attacks are smaller than the ones uner FDI attacks when C A < C I from Figure 2. For instance, in orer to corrupt measurement = 9, the FDI attack nees a value of 11 for attack resources (i.e. a 11-tuple FDI attack) while the combine attack only nees a value of 6 (i.e. a (1,1)-tuple combine attack). This implies that SE is more vulnerable to combine attacks with less attack resources. The results also show that k a = 1 for the combine

8 Security Inexes ~. a; an ~. a Detection Probability FDI attacks Combine attacks:ca=ci = : tuple FDI attack (5,6)-tuple combine attack (2,9)-tuple combine attack (1,1)-tuple combine attack 11-tuple FDI attack (2,9)-tuple combine attack Measurement Inex Figure 2. The security inex γ a, uner combine attacks an γ a uner FDI attacks are plotte versus measurement inex. Here the cost of FDI attack on per measurement is assume to be 1 an C A =.5 as C A /C I = Attack Magnitue 7 /p.u. Figure 3. The etection probability is plotte versus the attack magnitue. The attacks are uner structure uncertainty moel an performe in the set of 11 measurements an the false alarm rate α is.5. attacks an the optimal attack cost is C I + (β 1)C A for the case C A < C I, which is consistent with Proposition 1. B. Detectability of Attacks with Limite Knowlege Using the attack policy a = H c for combine attacks an a = Hc for FDI attacks with the given moel uncertainty, the etection probability of attacks can be obtaine accoring to (17) an (18). From Theorem 2 we see that the compromise measurements set from the optimal solutions of (14) w.r.t. H in (19) is in the same critical tuple with the one w.r.t. H in (1). Thus a set of 11 measurements (a critical tuple) containing measurement = 9 nees to be compromise by the attacker from the security inex in Figure 2. For the sake of comparison, the combine attacks an FDI attacks are performe in the same set of these 11 measurements. Figure 3 shows the etection probability of combine attacks an FDI attacks targeting these 11 measurements. In aition to the theoretical results, the empirical etection probability results are also presente for the 11-tuple FDI attack an (2,9)-tuple combine attack respectively. To obtain the empirical etection probability, we use Monte Carlo simulations. Taking the (2,9)-tuple combine attack as an example, 2 ifferent points of attack magnitue µ were taken in ranom from to.5 p.u. an the corresponing attack vectors were built. For each attack vector with the taken magnitue µ, total 1 Monte Carlo runs were execute to obtain the etection probability of such attack. In each Monte Carlo simulation, the measurements were create by the DC moel with Gaussian noise an the attack vector was ae to the measurements. For the attacke measurements, the SE an BDD with the false alarm rate.5 were execute. From Figure 3 we can see that the empirical results of etection probability follow the theoretical one. This proves that using the approximation of the istribution of J a, ( ˆx) an J a ( ˆx) can provie the etection probability, an it is reliable to use theoretical etection probability for risk analysis in the following. The results in Figure 3 illustrate that combine attacks can have lower etection probability comparing with FDI attacks, meaning that SE is more vulnerable to combine attacks as they have higher probability not to be iscovere by the BDD. An interesting result is that with smaller k a the combine attack also has lower probability to be etecte. In the case that k a = 1 an k = 1, the (1,1)-tuple combine attack can keep stealth, which is consistent with Proposition 2. C. Risk Metrics for Attacks We continue with the risk analysis of combine attacks. Simulations were conucte on the same scenarios as Section VI-B where the attacker manipulates the set of 11 measurements (a critical tuple). We analyze the attack impact an present the risk of the combine attacks an FDI attacks. For the risk analysis, we take the attack cost values that satisfy C A = C I, thus the security inexes γ a, an γ a w.r.t. H in (19) of these attacks are equal to each other an the probability P(a, ) can be normalize as iscusse in Section IV-B. The results for attack impact metrics versus etection probability are given in Figure 4. The values of risk metrics for combine attacks an FDI attacks are shown in Figure 5. Uner the perturbe moel with uncertainty, the attacker has the possibility to be etecte by the BDD while introucing errors on loa estimate. From Figure 4, we see that combine attacks can have similar attack impact metrics with FDI attacks but lower etection probability with the same attack magnitue µ (.15 p.u. or.25 p.u. as shown in Figure 4). Especially the (1,1)-tuple combine attack has larger impact metrics than attacks with limite knowlege for the both cases that attack magnitue µ =.15p.u. or µ =.25p.u.. For the risk metrics in Figure 5, when the attack magnitue µ increases from zero, the risk metric increases ue to the low etection probability. After µ reaches certain values, the risk metric ecreases since the attacks can be iscovere with high probability. It s also shown that combine attacks can have larger risk metrics especially the cases of (1,1)-tuple an (2,9)-tuple combine attacks. It shoul be note that though we assume C A = C I to obtain the risk metrics, the risk prioritization of these attacks in Figure 5 woul not change if C A < C I is assume. This is because the combine attacks can be launche with less attack resources when C A < C I, resulting in larger risk values comparing with FDI attacks. VII. Discussion an Conclusion In this paper we see that combine attacks can succee with less resources (if C A < C I ) an lower etection probability

9 Risk Metric R(a; ) /p.u. Attack Impact Metric I(a; ) /p.u tuple FDI attack (5,6)-tuple combine attack (2,9)-tuple combine attack (1,1)-tuple combine attack 7 = :15 p.u. 7 = :25 p.u Detection Probability Figure 4. The attack impact metric is plotte versus the etection probability. The attacks are uner structure uncertainty moel an performe in the set of 11 measurements. Here we assume C A = C I an false alarm rate α is tuple FDI attack (5,6)-tuple combine attack (2,9)-tuple combine attack (1,1)-tuple combine attack Attack Magnitue 7 /p.u. Figure 5. The risk metric is plotte versus the attack magnitue. The attacks are uner structure uncertainty moel an performe in the set of 11 measurements. Here we assume C A = C I an false alarm rate α is.5. when the aversarial knowlege is limite, bringing more risk to reliable system operation. It also shoul be note that this paper assumes that the SE treats unavailable measurements ue to attacks as a case of missing ata, although the amount of missing ata uner attacks is larger than the one uner normal conitions. In aition, availability attacks like DoS attacks coul trigger alerts on ICT-specific measures (e.g., intrusion etection). These two features give the opportunities to evelop better cross-omain etection schemes for availability portion of the attacks improving the overall combine attacks etection. Other research irections to explore in the future inclue evaluating physical impact of combine attacks an exploring the vulnerability of other monitoring/control applications to combine attacks. References [1] A. Giani, S. Sastry, K. H. Johansson, an H. Sanberg, The viking proect:an initiative on resilient control of power networks, in 2n International Symposium on Resilient Control Systems, 29, pp [2] Y. Liu, P. Ning, an M. K. Reiter, False ata inection attacks against state estimation in electric power gris, in Proc. of the 16th ACM Conf. on Computer an Comm. Security, New York, 29, pp [3] W. Wang an Z. Lu, Cyber security in the smart gri: Survey an challenges, Computer Networks, vol. 57, no. 5, pp , 213. [4] D. Deka, R. Balick, an S. Vishwanath, Optimal ata attacks on power gris: Leveraging etection measurement amming, in Proc. of IEEE Int. Conf. Smart Gri Communications (SmartGriComm), Miami Floria, USA, Nov. 215, pp [5] R. S. Ross, Nist sp rev 1: Guie for conucting risk assessments, NIST, techreport, Sep [6] G. Hug an J. A. Giampapa, Vulnerability assessment of AC state estimation with respect to false ata inection cyber-attacks, IEEE Transactions on Smart Gri, vol. 3, no. 3, pp , Sep [7] H. Sanberg, A. Teixeira, an K. H. Johansson, On security inices for state estimators in power networks, in First Workshop on Secure Control Systems (SCS), Stockholm, 21. [8] A. Teixeira, K. C. Sou, H. Sanberg, an K. H. Johansson, Secure control systems: A quantitative risk management approach, IEEE Control Systems, vol. 35, no. 1, pp , 215. [9] A. Teixeira, G. Dán, H. Sanberg, an K. H. Johansson, A cyber security stuy of a SCADA energy management system: Stealthy eception attacks on the state estimator, Proceeings of IFAC Worl Congress, Aug 211. [1] O. Kosut, L. Jia, R. J. Thomas, an L. Tong, Malicious ata attacks on the smart gri, IEEE Transactions on Smart Gri, vol. 2, no. 4, pp , 211. [11] L. Xie, Y. Mo, an B. Sinopoli, Integrity ata attacks in power market operations, IEEE Transactions on Smart Gri, vol. 2, no. 4, pp , 211. [12] L. Jia, J. Kim, R. J. Thomas, an L. Tong, Impact of ata quality on real-time locational marginal price, IEEE Transactions on Power Systems, vol. 29, no. 2, pp , Mar [13] J. Liang, L. Sankar, an O. Kosut, Vulnerability analysis an consequences of false ata inection attack on power system state estimation, IEEE Trans. on Power Systems, vol. 31, no. 5, pp , Sep [14] S. Li, Y. Yılmaz, an X. Wang, Quickest etection of false ata inection attack in wie-area smart gris, IEEE Transactions on Smart Gri, vol. 6, no. 6, pp , 215. [15] A. Ashok, M. Govinarasu, an V. Aarapu, Online etection of stealthy false ata inection attacks in power system state estimation, IEEE Transactions on Smart Gri, vol. PP, no. 99, p. 1, 216. [16] O. Vukovic, K. C. Sou, G. Dan, an H. Sanberg, Network-aware mitigation of ata integrity attacks on power system state estimation, IEEE Journal on Selecte Areas in Communications, vol. 3, no. 6, pp , 212. [17] K. Pan, A. M. H. Teixeira, M. Cvetkovic, an P. Palensky, Combine ata integrity an availability attacks on state estimation in cyberphysical power gris, in Proc. IEEE Int. Conf. Smart Gri Communications (SmartGriComm), Nov. 216, pp [18] S. Srihar, A. Hahn, an M. Govinarasu, Cyber physical system security for the electric power gri, Proceeings of the IEEE, vol. 1, no. 1, pp , Jan [19] A. Abur an A. G. Exposito, Power system state estimation: theory an implementation. CRC press, 24. [2] D. Jones, Statistical analysis of empirical moels fitte by optimization, Biometrika, pp , [21] J. M. Henrickx, K. H. Johansson, R. M. Jungers, H. Sanberg, an K. C. Sou, Efficient computations of a security inex for false ata attacks in power networks, IEEE Transactions on Automatic Control, vol. 59, no. 12, pp , 214. [22] J. D. Markovic-Petrovic an M. D. Stoanovic, Analysis of scaa system vulnerabilities to os attacks, in 11th Int. Conf. on TELSIKS, vol. 2. Nis, Serbia: IEEE, 213, pp [23] K. C. Sou, H. Sanberg, an K. H. Johansson, On the exact solution to a smart gri cyber-security analysis problem, IEEE Transactions on Smart Gri, vol. 4, no. 2, pp , 213. [24] A. Teixeira, S. Amin, H. Sanberg, K. H. Johansson, an S. S. Sastry, Cyber security analysis of state estimators in electric power systems, in Proc. 49th IEEE Conf. CDC, Dec. 21, pp [25] M. A. Rahman an H. Mohsenian-Ra, False ata inection attacks with incomplete information against smart power gris, in IEEE Global Communications Conf.(GLOBECOM). IEEE, 212, pp [26] G. R. Krumpholz, K. A. Clements, an P. W. Davis, Power system observability: A practical algorithm using network topology, IEEE Transactions on Power Apparatus an Systems, vol. PAS-99, no. 4, pp , Jul [27] A. Ashok, M. Govinarasu, an J. Wang, Cyber-physical attackresilient wie-area monitoring, protection, an control for the power gri, Proceeings of the IEEE, 217.