Date posted: 25-Dec-2015
North Carolina Agricultural and Technical State University
A Novel Approach for Identification of Cyber Physical Data Attack in Power Systems
using Spy Node
Khaled Alotaibi
Dept. of Electrical and Computer Engineering
North Carolina Agricultural and Technical State University
Drs. A. Homaifar (Advisor), Numan Dogan, Jinsheng Xu, Clinton Lee, and Ali Karimoddini
Outline
Motivation
Problem definition
Background
» Remote Terminal Units (RTUs)
» Supervisory Control and Data Acquisition (SCADA) systems
» Flow for Data Transfer
» State Estimation
Data Detection / False Data Injection
» Procedure for Malicious (Bad) Data Detection
» Procedure (steps) for False Data Injection (FDI)
» Generate Malicious Data Attack
» Simulation of FDI and failure in the sensors
State of the art methods
» Measurements encryption using a greedy algorithm
» Measurements encryption using probability experiments (success probability)
» Reconfiguration of the system into two subsystems
Proposed Method
» Apply spanning tree algorithm on the network
» Calculate the measured values of the spy node
Preliminary result of the proposed method
References
Motivation
As reported in a National Communications System bulletin, the attacks with the highest impact are those against the supervisory control and data acquisition (SCADA) system [1]
State Estimation (SE) receives system data from SCADA to find the best estimate of the system state
SE passes the state of the system on to other applications
» Optimal Power Flow (OPF)
» Contingency Analysis (CA)
OPF is used in the power area to determine loading and congestion levels [2]
CA analyzes the State Estimation output to prevent blackouts [3]
Motivation and challenges (cont.)
State Estimation in power systems is used in the power market
» by calculating the "estimated branch flows" in the system [4]
State Estimation plays a big role in the future smart power grid [5]
» Concern about protection against malicious cyber-attacks has attracted great attention recently because of the smart-grid initiatives [6]
Malicious data injection leads the control center to make wrong decisions when operating the power-grid network
Challenges
» This type of attack scenario can be an "insider threat"
» The injected contaminated data comes from intelligent computational algorithms [7]
Problem Definition
The measured data includes the active and reactive power of the generators in the power system as well as of the transmission lines
Data is collected by Remote Terminal Units (RTUs)
SCADA in the control center receives all data
A cyber attacker has access to the data while it is transferred from the substation to the control center [8][9]
The attacker figures out the system configuration and contaminates the measurements in order to corrupt the state variables without being detected
The objective is to find out whether the data is contaminated due to a cyber attack
Remote Terminal Units (RTUs)
RTUs are a type of data collection and data transfer device
RTUs monitor and control input data and make changes in the system remotely [11]
RTUs receive commands from station operators [10]
An RTU is uniquely designed to accept many inputs through different modules
» Example: the CI^2 port is an I/O expander that accepts additional I/Os as needed [11]
A Human Machine Interface (HMI) can be connected to RTUs
» The HMI is used to set parameters and view measurement values
Supervisory Control and Data Acquisition (SCADA) systems
SCADA is computer-based software for data collection
SCADA systems are generally Ethernet-based and are connected to RTUs via the internet
The SCADA system receives commands from control center operators [12]
It can provide automated control to assist the system
» SCADA can sense system problems and evaluate them, which allows it to make modifications and adjustments
Additional functions can be added by a command from the control center [13]
Flow for Data Transfer
Sensors deployed over the substation read different values
Data is sent to RTUs over different telecommunication channels
RTUs gather the data and send it to SCADA through Wide Area Networks or the internet [10]
SCADA receives all the measurements from the different substations and transfers them to the Control Center to perform State Estimation
Malicious data is detected by using a hypothesis test
[Figure: data transfer flow, with the label "Attacker" on the transfer path]
State Estimation
State Estimation in a power system computes the variables of the system state to enhance the system's reliability [14][15]
Different variables are calculated, such as the voltage magnitude and phase angle of each bus [16]
Measurements may include some error
Equation (1) presents State Estimation
Using the least squares method to estimate the state , in equation (1), results in (2) [14][16][17]
The estimate of , is calculated according to the measurements vector
(1)
» the system measurements
» the state variable
» the errors in measurements
» the observation matrix
(2)
» the estimated
» W the weighting matrix, which represents the accuracy of each measurement
Malicious Data Detection
Error (contamination) that may be included in the measurements
» Sensor accuracy
» Lack in hardware performance
» Cyber Physical Data Attack (CPDA)
This will corrupt the calculated state variables
Researchers in the field of power systems apply the 2-norm as a hypothesis test to ensure the integrity of the state variables [18]
The 2-norm or residual test is commonly used in malicious data detection [16]
» Some malicious values created by a CPDA can bypass this type of test without being detected
The malicious data detection triggers the alarm when
» > threshold
» otherwise, there is no malicious data
This test can detect random contamination
Drawback of the 2-norm test:
» Some attack scenarios are aware of this type of test, which allows the attacker to pass the test successfully by applying certain procedures [16][19]
False data injection (FDI)
FDI is a new class of data attack against power system state estimation [16]
Yao Liu and Michael Reiter from NCSU and UNC at Chapel Hill propose an attack strategy to meet the FDI attack conditions
The basic idea of FDI is to add nonzero vectors to the original measurements
Those vectors are generated based on knowledge of the power grid, such as measurement values and system configuration [7][16][19]
A CPDA can utilize that information to generate the attacking vector
The control center receives () instead of
This kind of data contamination can easily bypass the malicious data detection
is the corrupted vector in the estimated due to the contamination
Generate Malicious Data Attack
An attacker can determine the H matrix (configuration matrix) by utilizing system information
The attacker finds the vectors that lie in the null space, as in equation (4)
» If only the zero vector meets the condition in (5)
» If there is a nonzero vector meeting the condition of equation (5)
These vectors are linear combinations of the vectors in the null space of
CPDA procedure to generate malicious vectors
1. Determine
2. Find the null space of
   A. Find the projection matrix of , (3)
   B. (4)
3. Find all attacking vectors
   A. where (5)
Case Study
In this work, the standard IEEE 9-bus system is considered as the case study
» The system has 26 measurements of the following types:
PF is the real power injected at the from end of a branch;
PT is the real power injected at the to end of a branch;
PG is the real power injection of a generator;
QF is the reactive power injected at the from end of a branch;
QT is the reactive power injected at the to end of a branch; and
QG is the reactive power injection of a generator
» The system has 16 state variables to calculate (voltage magnitude and phase angle)
» Each bus consists of two variables
» The reference bus variables are known
» The reference bus in this standard is bus #1
» This case study assumes four sensors fail
• Four sensors are chosen randomly
• The values of those measurements are changed
An Example for detecting sensor failure
Type    Clean data   Failure in sensor
PF 1     0.7195       0.7195
PF 2     0.3072       0.4072
PF 3    -0.5945      -0.5945
PF 4     0.8500       0.8500
PF 5     0.2411       0.2411
PF 6    -0.7592      -0.7592
PF 7    -1.6300      -1.6300
PF 8     0.8699       0.8699
PF 9    -0.4096      -0.4096
PT 2    -0.3055      -0.3055
PT 5    -0.2401      -0.2401
PT 7     1.6300       1.6300
PT 9     0.4123       0.4123
PG 1     0.7195       0.7195
PG 2     1.6300       1.6300
PG 3     0.8500       0.95
QF 1     0.2407       0.3407
QF 3    -0.1631      -0.1631
QF 5     0.0454       0.0454
QF 8    -0.0253      -0.0253
QT 4     0.0789       0.0789
QT 6     0.0026       0.0026
QT 8    -0.1428      -0.2428
QG 1     0.2407       0.2407
QG 2     0.1446       0.1446
QG 3    -0.0365      -0.0365
Norm     0.098        0.134
• Measurements number 2, 16, 17, and 23 are chosen randomly
• Those measurements are active power, generator active power, reactive power, and reactive power respectively
• The malicious data detection output (the norm) differs between the clean data and the data partially contaminated by the failure in the sensors
An Example for not detecting contaminated data (FDI)
Type    Clean data   Contamination vector   MD in SCADA (clean data + contamination)
PF 1     0.7195       0.0962                 0.8157
PF 2     0.3072       0.2062                 0.5134
PF 3    -0.5945      -0.2488                -0.8433
PF 4     0.8500      -0.1964                 0.6536
PF 5     0.2411      -0.4520                -0.2109
PF 6    -0.7592       0.1393                -0.6199
PF 7    -1.6300       0.0037                -1.6263
PF 8     0.8699       0.3113                 1.1812
PF 9    -0.4096       0.0082                -0.4014
PT 2    -0.3055      -0.2047                -0.5102
PT 5    -0.2401       0.4496                 0.2095
PT 7     1.6300      -0.0037                 1.6263
PT 9     0.4123      -0.0070                 0.4053
PG 1     0.7195       0.0962                 0.8157
PG 2     1.6300      -0.0037                 1.6263
PG 3     0.8500      -0.1964                 0.6536
QF 1     0.2407       0.0033                 0.2440
QF 3    -0.1631      -0.0694                -0.2325
QF 5     0.0454       0.0726                 0.1180
QF 8    -0.0253       0.1701                 0.1448
QT 4     0.0789      -0.0370                 0.0419
QT 6     0.0026      -0.3376                -0.3350
QT 8    -0.1428      -0.0784                -0.2212
QG 1     0.2407       0.0033                 0.2440
QG 2     0.1446       0.2729                 0.4175
QG 3    -0.0365       0.0135                -0.0230
Norm     0.098                               0.098
The norm of the data before and after the contamination is the same
State of the art methods
1. Measurements encryption using a greedy algorithm [20]
The method of this paper is encryption based
It aims to encrypt a sufficient number of bus measurements to minimize the system configuration exposed to the attacker
It uses a greedy algorithm for bus selection
The number of encrypted measurements must be equal to the number of state variables
» Therefore, the attacker will have only zero vectors for contamination
Disadvantages
» For encryption this method uses PMU sensors, which are very expensive
» The installation and maintenance of PMUs are also expensive
» For an expandable grid, it is hard to keep the number of encrypted measurements equal to the number of state variables
[20] Strategic Protection Against Data Injection Attacks on Power Grids, by Tùng T. Kim and H. Vincent Poor, Princeton University, NJ
State of the art methods
2. Measurements encryption using probability experiments (success probability)
The objective of this method is to select a set of sensors to be protected as well as to verify a set of state variables independently
This method also uses PMU sensors for protection
» PMUs can measure the bus voltage magnitude or phase angle directly with high accuracy
The difference between this method and the previous one is in the selection of the measurements to be protected
» This method uses a probability experiment (success probability) for measurement selection
• It picks measurements at random to manipulate
» The execution time required to either construct an attack vector or conclude that the attack is infeasible is also evaluated
[21] Detecting False Data Injection Attacks on State Estimation, by Rakesh B. Bobba and Thomas J. Overbye, University of Illinois, Urbana-Champaign
State of the art methods
The relationship between is shown
If the success probability of an attacker is less than 1 for a given k
» it implies that there exist sets of m − k measurements such that an attacker cannot inject false data without being detected when those measurements are protected
» For example, in the IEEE 9-bus standard system
• the attacker needs to compromise about 80% of the total measurements
• a lower bound on the number of sensors that need to be protected is
State of the art methods
3. Reconfiguration of the system into two subsystems
The objective of this method is to reconfigure the system in order to form two subsystems instead of one
» The configuration matrix of each subsystem should be a full-rank matrix
» Therefore, the attacker will not have a nonzero vector
Disadvantages
» When the configuration matrix is divided into two children, child 1 and child 2, the null space of the children stays the same as that of the mother matrix H
» Reconfiguring the system does not guarantee observability
[22] Secure Power Systems Against Malicious Cyber-Physical Data Attacks: Protection and Identification, by Morteza Talebi, Jianan Wang, and Zhihua Qu, Central Florida University
Proposed Method
The idea of my contribution is to identify whether the power grid data has been manipulated by an adversary attack or not.
"Pseudo measurements can be generated based on short term load forecasts, generation dispatch, historical records, or other similar approximation methods. It can be used as error free measurements in the state estimation formulation and referred to as 'virtual measurements'" [23]
The attacker accesses a channel to explore the data and the system configuration
In general, attackers explore the actual data to find out the system configuration
By adding the virtual measurements, the attacker is misled and finds the wrong configuration of the system
We can generate virtual measurements in the power grid along with the actual data by considering:
» the power system having a virtual bus, referred to as a spy node
» spy nodes, considered as extra measurements along with the actual network measurements, are the kind of data that the attacker may access
» this data works as spy data in the data set and is free of error
Proposed Method
Two problems need to be solved
1. The correct places of the spy nodes to be considered for calculation purposes
» apply a spanning tree algorithm on the system [24] to generate the list of the nodes with the highest priorities
2. Finding the new parameters for the transmission lines between the spy and actual nodes
» calculate the values of the spy node measurements based on the model of the power transmission line and the values of the line resistance, inductance and capacitance on which this virtual node is located
Apply Spanning tree algorithm in the network
1. Find the node with the highest degree, that is, with the most injected branches. In this case the candidate nodes are {4, 7, 9}, each with degree of importance equal to 3 due to the injected branches. Node 7 is selected among the three candidate nodes. Therefore, 7 is the 1st priority
2. All nodes that are connected to node 7 are the candidate nodes for the next step of the spanning tree algorithm. Nodes {2, 5, 8} are the candidate nodes in this case study.
Apply Spanning tree algorithm in the network
3. Only nodes 5 and 8 have the highest degree among the candidates (the same degree). It should be checked which one is connected to the node with the higher degree: node 5 connects to node 4 and node 8 to node 9, both of degree 3. In this case there is no preference. Node 5 is selected for the next step.
4. Node 4 is the only node connected to node 5, and it is the only candidate. So node 4 is selected for the next step
Apply Spanning tree algorithm in the network
5. Nodes {1, 6} are the candidate nodes in this step. Node 6 has the highest degree, therefore it is selected for the next step
6. Node 9 is the only node connected to node 6, and it is selected for the next step
Apply Spanning tree algorithm in the network
7. Finally, node 9 is connected with one more node, which is node 3. Node 3 is the last candidate and the last priority for our purpose.
8. The following table shows the final result
Node#   Node priority   Possible place for the spy node (branches of the selected node)
7       1st             7-8, 7-5, 7-2
5       2nd             5-4
4       3rd             4-6, 4-1
6       4th             6-9
9       5th             9-8, 9-3
The priority of the nodes in the standard 9-bus system for placing a spy node
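The degree-based walk of steps 1 to 8, as an added example that is not the author's code: it reproduces the priority table above from the standard IEEE 9-bus branch list. The tie-break rules it uses (lowest bus number on a tie, each bus considered as a candidate only once, the walk ends at a degree-1 bus, and a branch is listed only under the first bus that reaches it) are this example's reading of the slides, not rules the author states.

```python
"""Priority ordering of buses for spy-node placement (added example, not the author's
code).  The branch list is the standard IEEE 9-bus topology; the tie-break rules are an
assumed reading of the slides."""
from collections import defaultdict

# Standard IEEE 9-bus branch list (generator buses 1, 2, 3 connect through 4, 7, 9).
IEEE9_BRANCHES = [(1, 4), (4, 5), (4, 6), (5, 7), (6, 9), (7, 8), (8, 9), (2, 7), (3, 9)]

def adjacency(branches):
    """Undirected adjacency sets keyed by bus number."""
    adj = defaultdict(set)
    for a, b in branches:
        adj[a].add(b)
        adj[b].add(a)
    return adj

def spy_node_priorities(branches, start=None):
    """Return [(bus, new branches at that bus)] in priority order.

    Step 1 starts at the bus of highest degree (the slides pick 7 among the tied
    buses 4, 7 and 9; pass start=7 to reproduce that, otherwise the lowest number
    wins).  Each later step moves to the not-yet-seen neighbour of the current bus
    with the highest degree, lowest bus number on a tie; a degree-1 bus ends the
    walk.  Every branch at a selected bus is a possible spy-node place, listed once."""
    adj = adjacency(branches)
    degree = {bus: len(nb) for bus, nb in adj.items()}
    if start is None:
        start = min(bus for bus in adj if degree[bus] == max(degree.values()))
    order, seen, listed, current = [], {start}, set(), start
    while current is not None:
        new = [(current, nb) for nb in sorted(adj[current])
               if frozenset((current, nb)) not in listed]
        listed.update(frozenset(br) for br in new)
        order.append((current, new))
        candidates = [nb for nb in adj[current] if nb not in seen]
        seen.update(candidates)
        nxt = min(candidates, key=lambda b: (-degree[b], b)) if candidates else None
        current = nxt if nxt is not None and degree[nxt] > 1 else None
    return order

def priority_table(branches, start=None):
    """Rows of the slides' table: (bus, rank, 'a-b, c-d')."""
    return [(bus, rank, ", ".join(f"{a}-{b}" for a, b in brs))
            for rank, (bus, brs) in enumerate(spy_node_priorities(branches, start), 1)]
```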
Calculating the Measured Values of the Spy Node
In the π model of the transmission line, R (Ω/km) and L (H/km) are the resistance and inductance of the line
C (F/km) is the shunt capacitance of the transmission line; half of it is considered to be lumped at each end of the line
The resistance, inductance and capacitance are uniformly distributed along the transmission line
The spy node is considered in the middle, between the two parts, as shown in Figure 3; note that the values of R, L and C do NOT change because their units are per km [25]
The spy node is placed between two nodes with higher priority
Two back-to-back π models are considered for the two transmission lines (one between bus A and the spy node and the other between the spy node and bus B, forming two cascaded π models)
Figure 2. Nominal π model of a transmission line
Figure 3. Nominal π model of the transmission line with spy node
Figure 4. Nominal π model of the transmission line without spy node
Proposed Procedure
1. Virtual measurements can be added to the actual measurement set: , where are the measurement set and are the virtual measurements [12], known as spy data produced from the spy node based on the network configuration
2. Because of the capability of the RTU, it is possible to add extra data as spy data along with the actual data by utilizing input modules
3. The SCADA can be programmed to simply remove the spy data from the measurement set and send the remaining data to the state estimator in the control center
4. The state estimator sends the actual data to the malicious data detector to calculate the norm
The attacker intercepts the data and finds out the configuration of the system to generate the attacking vector
Another criterion of test
The proposed method offers another way of detecting data contamination
» any change in the values of the virtual measurements (spy data) shows contamination of the data set
» it can be considered an alternative countermeasure against cyber-attack, because the spy data is without any noise and should remain unchanged
What will be delivered
The standard IEEE 9-bus system will be considered as the case study to verify the proposed method
» The system has 26 measurements of the following types:
PF is the real power injected at the from end of a branch;
PT is the real power injected at the to end of a branch;
PG is the real power injection of a generator;
QF is the reactive power injected at the from end of a branch;
QT is the reactive power injected at the to end of a branch; and
QG is the reactive power injection of a generator.
I will consider the spy node between nodes 7 and 8, which have the highest priorities
» I will use two measurements (active and reactive power) as spy data
» The number of measurements from the viewpoint of the attacker is 28
» If the attacker generates the attacking vectors based on this data set
• those vectors will not be a linear combination of the data set of the actual system configuration
• therefore, malicious data detection will show different norm values for the actual data before and after the attack
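The residual test from the Malicious Data Detection slide and the spy-data criterion of the proposed method, as an added example that is not the author's code or data: on a constructed 4-bus DC model it shows a sensor failure tripping the 2-norm test, a contamination vector in the column space of H leaving the norm unchanged (the situation of the FDI table), and the spy check flagging a vector computed under an assumed attacker model in which the spy bus is taken for a real bus. The network, susceptances, bus angles, meter noise, threshold and attacker model are all constructed for this example.

```python
"""Residual (2-norm) bad-data test on a small DC state-estimation model, together with
the spy-data check from the slides.  Added example, not the author's code: the 4-bus
network, susceptances, bus angles, meter noise and the attacker model are constructed."""
# Line susceptances b_ij (per unit); bus 1 is the angle reference (theta_1 = 0).
LINES = {(1, 2): 5.0, (2, 3): 4.0, (3, 4): 6.0, (1, 4): 3.0, (2, 4): 2.0}
STATES = [2, 3, 4]              # unknown bus angles theta_2..theta_4
SPY_LINE = (2, 3)               # virtual spy bus S sits half-way along line 2-3

def flow_row(i, j, b, states):
    """Observation-matrix row for a flow meter P_ij = b * (theta_i - theta_j)."""
    row = [0.0] * len(states)
    if i in states:
        row[states.index(i)] += b
    if j in states:
        row[states.index(j)] -= b
    return row

def solve(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def residual_norm(h, z):
    """2-norm of z - H*x_hat, x_hat being the (unweighted) least-squares estimate."""
    n = len(h[0])
    hth = [[sum(r[i] * r[j] for r in h) for j in range(n)] for i in range(n)]
    htz = [sum(r[i] * zi for r, zi in zip(h, z)) for i in range(n)]
    x = solve(hth, htz)
    return sum((zi - sum(ri * xi for ri, xi in zip(r, x))) ** 2
               for r, zi in zip(h, z)) ** 0.5

# True observation matrix H (one flow meter per line) and a constructed clean data set z.
H = [flow_row(i, j, b, STATES) for (i, j), b in LINES.items()]
X_TRUE = [-0.05, -0.12, -0.03]                    # constructed bus angles (rad)
NOISE = [0.004, -0.003, 0.002, -0.002, 0.001]     # constructed meter noise
Z = [sum(hi * xi for hi, xi in zip(r, X_TRUE)) + e for r, e in zip(H, NOISE)]
THRESHOLD = 0.02                                  # alarm when the residual norm exceeds this

def alarm(z):
    """The residual (2-norm) test: alarm iff ||z - H*x_hat|| > threshold."""
    return residual_norm(H, z) > THRESHOLD

def sensor_failure(z, k=1, drift=0.15):
    """A failed meter (by default the P_23 meter) reads 0.15 p.u. high."""
    bad = z[:]
    bad[k] += drift
    return bad

def contamination_in_range_h(c):
    """Vector a = H*c, the case of the FDI table: adding it to z leaves the residual unchanged."""
    return [sum(hi * ci for hi, ci in zip(r, c)) for r in H]

# Spy data: each half of line 2-3 has twice its susceptance (R, L and C are per km) and
# theta_S is the mid-point angle, so both spy flows equal the error-free P_23.
B_HALF = 2 * LINES[SPY_LINE]
SPY_TRUE = [LINES[SPY_LINE] * (X_TRUE[0] - X_TRUE[1])] * 2

def spy_data_intact(spy_rows, tol=1e-9):
    """Second test criterion: spy rows are noise-free, so any change means contamination."""
    return all(abs(s - t) < tol for s, t in zip(spy_rows, SPY_TRUE))

def attacker_view_vector(c4):
    """Contamination built from the assumed attacker model that treats S as a real bus
    with state theta_S (c4 = [c2, c3, c4, cS]).  The real rows equal H*c4[:3] and pass
    the residual test, but the two spy rows shift by B_HALF*(c2-cS) and B_HALF*(cS-c3)."""
    real = contamination_in_range_h(c4[:3])
    spy = [B_HALF * (c4[0] - c4[3]), B_HALF * (c4[3] - c4[1])]
    return real, spy

def scada_check(real_rows, spy_rows):
    """SCADA strips the spy rows, runs the residual test on the rest and the spy check."""
    return not alarm(real_rows) and spy_data_intact(spy_rows)
```

The spy check fires only when the contamination vector touches the spy rows; the residual test alone is blind to any vector in the column space of H.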
Conclusion
The idea of this novel approach is to mislead attackers with a configuration different from that of the real power system
By considering spy node(s) in the power grid, attackers intercept the actual measurements along with the virtual measurements
Increasing the number of measurements of the system leads to the attacker being misled and obtaining a wrong attacking vector according to the data set
Our proposed method requires minimal changes to the existing SCADA system
It is very easy to implement with minimal additional cost
It can also be combined with other protective methods to provide an extra layer of security. For example, if the encryption protocol of a cipher-based protection method were broken, this method would still identify the cyber attack against the power grid
References
[1] Office of the Manager, National Communications System. Supervisory Control and Data Acquisition (SCADA) Systems, TIB 04-1 ed. Arlington, VA, 2004.
[2] Chiang, Mung. "Balancing transport and physical layers in wireless multihop networks: Jointly optimal congestion control and power control." IEEE Journal on Selected Areas in Communications 23.1 (2005): 104-116.
[3] Amin, S. Massoud, and Bruce F. Wollenberg. "Toward a smart grid: power delivery for the 21st century." IEEE Power and Energy Magazine 3.5 (2005): 34-41.
[4] Wu, Tong, et al. "Pricing energy and ancillary services in integrated market systems by an optimal power flow." IEEE Transactions on Power Systems 19.1 (2004): 339-347.
[5] Dán, György, and Henrik Sandberg. "Stealth attacks and protection schemes for state estimators in power systems." 2010 First IEEE International Conference on Smart Grid Communications (SmartGridComm). IEEE, 2010.
[6] Yang, Qingyu, et al. "On a hierarchical false data injection attack on power system state estimation." 2011 IEEE Global Telecommunications Conference (GLOBECOM 2011). IEEE, 2011.
[7] Yu, Wei. "False data injection attacks in smart grid: Challenges and solutions." Proceedings of the NIST Cyber Security for Cyber-Physical Systems (CPS) Workshop. 2012.
[8] Sou, Kin Cheong, Henrik Sandberg, and Karl Henrik Johansson. "On the exact solution to a smart grid cyber-security analysis problem." IEEE Transactions on Smart Grid 4.2 (2013): 856-865.
[9] Hug, Gabriela, and Joseph A. Giampapa. "Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks." IEEE Transactions on Smart Grid 3.3 (2012): 1362-1370.
[10] Bailey, David, and Edwin Wright. Practical SCADA for Industry. Newnes, 2003.
[11] "Complete SCADA solution for Remote Monitoring and Control", found at www.FF-Automation.com
[12] Fabio Terezinho, "SCADA Systems Automate Electrical Distribution", Indussoftware.
[13] Queiroz, Carlos, Abdun Mahmood, and Zahir Tari. "SCADASim: A framework for building SCADA simulations." IEEE Transactions on Smart Grid 2.4 (2011): 589-597.
[14] A. Abur and A. G. Exposito. Power System State Estimation: Theory and Implementation. CRC Press.
[15] F. C. Schweppe, J. Wildes, and D. B. Rom, "Power system static state estimation, parts 1, 2, 3," IEEE Transactions on Power Apparatus and Systems, vol. 89, no. 1, pp. 120-135, January 1970.
[16] Liu, Yao, Peng Ning, and Michael K. Reiter. "False data injection attacks against state estimation in electric power grids." ACM Transactions on Information and System Security (TISSEC) 14.1 (2011): 13.
[17] Gol, M., and Ali Abur. "Identifying vulnerabilities of state estimators against cyber-attacks." 2013 IEEE Grenoble PowerTech (POWERTECH). IEEE, 2013.
[18] Yang, Qingyu, et al. "On a hierarchical false data injection attack on power system state estimation." 2011 IEEE Global Telecommunications Conference (GLOBECOM 2011). IEEE, 2011.
[19] Talebi, Morteza, Jianan Wang, and Zhihua Qu. "Secure Power Systems Against Malicious Cyber-Physical Data Attacks: Protection and Identification." International Conference on Power Systems Engineering. 2012.
[20] Kim, Tung T., and H. Vincent Poor. "Strategic protection against data injection attacks on power grids." IEEE Transactions on Smart Grid 2.2 (2011): 326-333.
[21] Bobba, Rakesh B., et al. "Detecting false data injection attacks on DC state estimation." Preprints of the First Workshop on Secure Control Systems, CPSWEEK. Vol. 2010. 2010.
[22] Talebi, Morteza, Jianan Wang, and Zhihua Qu. "Secure Power Systems Against Malicious Cyber-Physical Data Attacks: Protection and Identification." International Conference on Power Systems Engineering. 2012.
[23] Abur, Ali, and Antonio Gomez Exposito. Power System State Estimation: Theory and Implementation. CRC Press, 2004, pp. 4-5.
[24] Wu, Y., M. Kezunovic, and T. Kostic. "Cost minimization in power system measurement placement." 2006 International Conference on Power System Technology (PowerCon 2006). IEEE, 2006.
[25] Saadat, Hadi. Power System Analysis. WCB/McGraw-Hill, 1999.
Questions?