Cyber Security Analysis of State Estimators in Electric Power Systems

Similar documents
Electric Power Network Security Analysis via Minimum Cut Relaxation

Network-aware Mitigation of Data Integrity Attacks on Power System State Estimation

A Survey on False Data Injection Attack and Detection in Smart Grid

Improved Protection Scheme for Data Attack on Strategic Buses in the Smart Grid

Resilient Smart Grids

Graphs and Network Flows IE411. Lecture 21. Dr. Ted Ralphs

Malicious Data Attacks on Smart Grid State Estimation: Attack Strategies and Countermeasures

False Analog Data Injection Attack Towards Topology Errors: Formulation and Feasibility Analysis

Modeling Load Redistribution Attacks in Power Systems

Integer Programming Theory

Ali Abur Northeastern University Department of Electrical and Computer Engineering Boston, MA 02115

A Polynomial-Time Method to Find the Sparsest Unobservable Attacks in Power Networks

IMPLEMENTATION ISSUES FOR HIERARCHICAL, DISTRIBUTED STATE ESTIMATORS

Distributed Agent-Based Intrusion Detection for the Smart Grid

Network Design and Optimization course

Detecting Data Tampering Attacks in Synchrophasor Networks using Time Hopping

Fast-Lipschitz Optimization

Chapter 2 State Estimation and Visualization

Semantic Security Analysis of SCADA Networks to Detect Malicious Control Commands in Power Grids

Retiming. Adapted from: Synthesis and Optimization of Digital Circuits, G. De Micheli Stanford. Outline. Structural optimization methods. Retiming.

Crew Scheduling Problem: A Column Generation Approach Improved by a Genetic Algorithm. Santos and Mateus (2007)

Javad Lavaei. Department of Electrical Engineering Columbia University

Evolution of Control for the Power Grid

Cyber Security for Smart Grid Devices

Multi-area Nonlinear State Estimation using Distributed Semidefinite Programming

Degrees of Freedom in Cached Interference Networks with Limited Backhaul

Outline. Column Generation: Cutting Stock A very applied method. Introduction to Column Generation. Given an LP problem

Column Generation: Cutting Stock

Solving the challenge

Javad Lavaei. Graph-theoretic Algorithm for Nonlinear Power Optimization Problems. Department of Electrical Engineering Columbia University

Robust validation of network designs under uncertain demands and failures

State Estimation for Distribution Networks Definition

Awareness of the Situation

Two-stage column generation

A Serializability Violation Detector for Shared-Memory Server Programs

Graphs and Network Flows IE411. Lecture 13. Dr. Ted Ralphs

On Bounded Rationality in Cyber-Physical Systems Security: Game-Theoretic Analysis with Application to Smart Grid Protection

ipcgrid 2015 March 26, 2015 David Roop Director Electric Transmission Operations Dominion Virginia Power

3 INTEGER LINEAR PROGRAMMING

How AlienVault ICS SIEM Supports Compliance with CFATS

Integer Programming ISE 418. Lecture 1. Dr. Ted Ralphs

Distributed Internet-Based Load Altering Attacks Against Smart Power Grids Authors: A.-H. Mohsenian-Rad and A. Leon-Garcia

Approximation Algorithms

Mathematical Tools for Engineering and Management

Introduction to Mathematical Programming IE406. Lecture 20. Dr. Ted Ralphs

Postprint.

PMU Time Source Security

Questions & Answers From Thursday, September 16 Webinar Alternatives Case Examples Frequency and Spectrum Planning Security WiMAX Capabilities

Wireless frequency auctions: Mixed Integer Programs and Dantzig-Wolfe decomposition

Cloud Branching MIP workshop, Ohio State University, 23/Jul/2014

AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID

Principles of Wireless Sensor Networks

State Estimation at All India Level

Smart Grid Communications and Networking

Discrete Optimization with Decision Diagrams

On Testing a Linear State Estimator Using Hardware in the Loop Testing Facilities

B553 Lecture 12: Global Optimization

Principles of Wireless Sensor Networks. Routing, Zigbee, and RPL

TRESCCA Trustworthy Embedded Systems for Secure Cloud Computing

3 No-Wait Job Shops with Variable Processing Times

False Data Injection Attacks against State Estimation in Electric Power Grids

Stanford University CS359G: Graph Partitioning and Expanders Handout 1 Luca Trevisan January 4, 2011

Solving the Euclidean Steiner Tree Problem in n-space

Randomized rounding of semidefinite programs and primal-dual method for integer linear programming. Reza Moosavi Dr. Saeedeh Parsaeefard Dec.

Optimal Proxy-Limited Lines for Representing Voltage Constraints in a DC Optimal Powerflow

DEGENERACY AND THE FUNDAMENTAL THEOREM

Problem Definition. Clustering nonlinearly separable data:

Theorem 2.9: nearest addition algorithm

The Encoding Complexity of Network Coding

Low-Cost Traffic Analysis of Tor

Solving basis pursuit: infeasible-point subgradient algorithm, computational comparison, and improvements

Automation Services and Solutions

Planning and Optimization

Distributed Control for Optimal Reactive Power Compensation in Smart Microgrid

Outline. 1 The matching problem. 2 The Chinese Postman Problem

Security and Privacy Issues In Smart Grid

The Future of Real-Time Energy Management Systems For Transmission System Operations

Introduction to Mathematical Programming IE496. Final Review. Dr. Ted Ralphs

Giovanni De Micheli. Integrated Systems Centre EPF Lausanne

Smart Distribution Technology

9 th Electricity Conference at CMU

Chapter 5 Graph Algorithms Algorithm Theory WS 2012/13 Fabian Kuhn

Constructive and destructive algorithms

Solving lexicographic multiobjective MIPs with Branch-Cut-Price

15.083J Integer Programming and Combinatorial Optimization Fall Enumerative Methods

Machine Learning (BSMC-GA 4439) Wenke Liu

Modified Iterative Method for Recovery of Sparse Multiple Measurement Problems

Substation. Communications. Power Utilities. Application Brochure. Typical users: Transmission & distribution power utilities

An Introduction to Bilevel Programming

DETERMINISTIC OPERATIONS RESEARCH

Securing the Smart Grid. Understanding the BIG Picture 11/1/2011. Proprietary Information of Corporate Risk Solutions, Inc. 1.

15-780: MarkovDecisionProcesses

TIM 206 Lecture Notes Integer Programming

MVE165/MMG630, Applied Optimization Lecture 8 Integer linear programming algorithms. Ann-Brith Strömberg

USE CASE 14 CONTROLLED ISLANDING

Advanced Operations Research Prof. G. Srinivasan Department of Management Studies Indian Institute of Technology, Madras

Location Spoofing Attack and Its Countermeasures in Database-Driven Cognitive Radio Networks

Toward the joint design of electronic and optical layer protection

Recursive column generation for the Tactical Berth Allocation Problem

Combinatorial optimization and its applications in image Processing. Filip Malmberg

Transcription:

Cyber Security Analysis of State Estimators in Electric Power Systems H. Sandberg, G. Dán, A. Teixeira, K. C. Sou, O. Vukovic, K. H. Johansson ACCESS Linnaeus Center KTH Royal Institute of Technology, Stockholm, Sweden LCCC Workshop on Dynamics, Control and Pricing in Power Systems May 19 th, 2011

Outline On state estimation, bad-data detection, and cyber stealth attacks in power systems A security index Definition and experimental validation Computation Protection and mitigation strategies Conclusions

Background and Motivation Northeast U.S. Blackout of August 14 th, 2003: 55 million people affected Software bug in energy management system stalled alarms in state estimator for over an hour Cyber attacks against the power network control center systems pose a real threat to society

SCADA Systems and False-Data Attacks SCADA/EMS used to obtain accurate state information to identify faulty equipment, power flow optimization, contingency analysis, Redundant power flow and voltage measurements (z i ) currently sent over unencrypted communication network How do we strengthen security incrementally against attacks A1-A3? (SCADA/EMS = Supervisory Control and Data Acquisition/Energy Management Systems)

Attacker Model and Bad Data Detection in Control Center Scenario: Attacker injects malicious data a to corrupt analog measurements in the power grid First characterize the set of undetectable malicious data a

Power Network and Estimator Models Steady-state models: For example: [Abur and Exposito, 2004] WLS-Estimates of bus phase angles i (in vector ): Linear DC approximation (¼ML-estimate): H := @h(x) @x x=0

Bad-Data Detection and Undetectable Attacks Bad-Data Detection triggers when residual r is large r := z ^z = z H^x = z H(H T R 1 H) 1 H T R 1 z Characterization of undetectable malicious data a: The attacker has a lot of freedom in the choice of a! a k 0 means measurement device k is corrupted. Attacker likely to seek sparse solutions a! [Liu et al., 2009]

Security Index k Assume attacker wants to make undetectable attack against measurement k k := min kak c 0 (sparsest possible attack) a = Hc (undetectable attack) a k = 1 (targets measurement k) Estimates complexity of least-effort undetectable attack on measurement k Example: 1 =2 ) undetectable attack against measurement 1 involves at least two measurements Non-convex optimization problem. How solve efficiently? [Sandberg, Teixeira, and Johansson, 2010]

Example of the Index k Sparse attack corresponding to k : Compare with the hat matrix : Hat matrix misleading for judging sparsity of attacks!

Security Metric k for 40-bus Network = Current measurement config. Ο = Upgraded measurement config. At least 7 measurements need to be involved in an undetectable attack Attack 33 (7 measurements) [Teixeira et al.,2011]

Experiments on KTH SCADA/EMS Testbed False value (MW) Estimated value (MW) -14.8-14.8 0 35.2 36.2 0 85.2 86.7 0 135.2 137.5 0 # BDD Alarms 185.2 Non convergent Bad Data Detected & Removed - Attacks of 150 MW (¼55% of nominal value) pass undetected in a real system! [Teixeira et al.,2011]

Summary so Far Multiple interacting bad data is hard to detect. What if attacker exploits this well-known fact? Security index k identifies measurements that are relatively easy to attack (it locates weak spots) Analysis of the hat matrix can be misleading for judging the sparsity of possible attacks How do we compute k, and can we use it for protection and mitigation?

Combinatorial Optimization Problem k : min H 0 subject to H k,: 1 Mixed integer linear program (MILP) Combinatorial optimization problem. Expensive! Typical convex heuristics: LASSO ( 0! 1 ) We will exploit structure in H instead: T ADA T H DA, A arc-to-node incidence matrix, D pos. diag. matrix T DA

H Graph Interpretation phase angles injections and flows induced by phase angles T H 2 DA cost 0 0 ADA T 2 (# arc with flow) 0 # node with injection 1 =1 Cost = 2 2+3 = 7 2 =0 3 =0 H k,: 1 Fix two phase angles H min 0 Determine the rest to minimize cost (D ii = 1) 4 =0

Optimal Solution is Binary Vector Can always construct no worse 0-1 feasible solution negative->0 0 0-2 attacks 1 1 4 1 0 (D ii = 1) 1 4 positive->1-2 attacks 1 +1 attack Cost = 2 5+3=13 attacks Cost = 2 3+4=10 attacks [Sou, Sandberg, and Johansson; 2011]

Reformulation as Graph Partitioning Optimal i are either 0 or 1, for all i Consider only partitioning of nodes For example Each cut arc requires 2 attacks Each node incident to at least one cut arc requires 1 attack Pick partition of Minimum # cost

MIN-CUT Relaxation Min cost partitioning difficult; Relaxation: ignore injection cost T T H 2 DA ADA 0 0 0 2 (# cut arcs) # node with injection Partitioning with minimum #of cut arcs MIN-CUT problem Enumerate ALL MIN-CUT partitions for best relaxation! [Sou, Sandberg, and Johansson; 2011]

IEEE 14-bus Security Indices MIN-CUT incurs no error, LASSO is very bad here

Large-Scale Examples IEEE 300-bus: Exact 6700 sec., LASSO 42.5 sec., MIN- CUT 0.044 sec. Polish 2383-bus: Exact ¼ 5.7 days, MIN-CUT 30 sec.

Outline On state estimation, bad-data detection, and stealth attacks in power systems A security index Definition and experimental validation Computation Protection and mitigation strategies Conclusions

Protection Against Stealth Attacks Set of protected measurements Cost of protection Protection goals Perfect protection Limited budget Max-min Max-ave C ( ) min C ( ) s. t. k k P C ( )

Protection with Limited Budget π Maximize minimum attack cost k Greedy iterative algorithm (MSM) P=0 Iterate until Calculate k given P (k=1,,m) Find most frequently appearing meters in minimal attacks corresponding to min k k and put in M j Set MM arg max min : C ( P) M M j k C ( P) M k [Dán and Sandberg, 2010]

Numerical Results IEEE 14-bus and 118-bus networks Meters on every load and transmission line 54 and 490 measurements

Attack cost ( i ) Attack cost ( i ) Minimal Attacks - No Protection IEEE-14 13 10 7 Bound Exact Non-meshed buses IEEE-118 4 21 19 16 13 10 7 1 10 20 34 Measurement ID (i) Bound Exact 4 1 50 100 150 200 250 304 Measurement ID (i)

Incremental Protection (IEEE 14-bus) Increase protection budget π=0,1,,n Perfect protection for π=n=13 Incremental deployment efficient (compare with random deployment)

Impact of the Network Layer Optical ground wire topology along transmission lines Attack targets Substation switching equipment Security metrics Substation attack impact (I s ) # measurements exposed by substation Measurement attack cost ( m ) # substations needed to attack measurement Mitigation Routing single and multipath Encryption tamper proofness Physical protection, surveillance

Reroute Physically Correlated Measurements (IEEE 118-bus) [Dán, Sou, and Sandberg, 2011]

Summary Undetectable false-data attack against power systems possible. Verified both in theory and practice Attacks are local, and require basic power systems knowledge Why would an attacker do this? Disturb optimal power generation pattern Disturb contingency analysis Security metric k defined and computed with MIN- CUT/MAX-FLOW relaxation Metric k used to Allocate limited number of encryption devices Design routing tables that make attacks as hard as possible

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback