Cyber-Attacks on Electric Power System: Vulnerability and Resiliency Analysis

Lalitha Sankar, Arizona State University

PSERC Workshop, Stevenson, WA

July 13, 2015


Overview

• Electric power system is a distributed hybrid-hierarchical system.

  • top-bottom (intra-regional) and

  • lateral connections (inter-regional)

• At each level, SCADA and EMS manage and monitor the system.

• SCADA, Communication network, and Data Center will always be vulnerable to cyber attacks.

• What are the consequences of cyber-attacks on the transmission system?

[Figure: Hierarchical Cyber-physical Power System]


Motivation

• Large-scale outages are causes for concern and often involve operator error.

• Recently cyber and physical attacks have also been contributors.


• In 2003, a line out in Ohio was not conveyed in time to MISO, leading to the Northeast blackout.

• In 2007, the Aurora Generator Test showed that cyber attacks can lead to a generator getting out of phase and finally exploding.

• In 2010, Stuxnet malware attacked SCADA systems, infecting 14 plants in Germany.

• Attack attempt statistics collected by DHS: DHS recorded 161 cyber attacks on the energy sector in 2013, compared to 31 in 2011.


Cyber-Attacks on EPS


• Remote hacking, firewall break-in, malware introduction, trojans/virus, false data injection, …


EPS Cyber-Attacks: The Good

• Recent cyber-attacks involve hacking into databases and learning/revealing information.

• Electric Power System (EPS): does it suffice to just hack into the data networks?


• Data processing at heart of EPS cyber system – data integrity has to be compromised intelligently to cause serious damage.

• More sophisticated attacks needed to manipulate data


Target Breach Involved Two-Stage Cyber-Attack (Dec, 2014)

-- steal data from a machine not connected to the Internet

-- move to another machine which can send the data to an FTP (server)

Hacking of Government Computers Exposed 21.5 Million People (Jul. 2015, NY Times)


EPS Cyber-Attacks: The Bad

• All networks have zero day vulnerabilities (Target attack testament to that)

• Successful attacks on communication and computer networks are inevitable

• Intelligent attacks can restrict information flows and availability for real-time response and situational awareness

• Can combine cyber and physical attacks to create more havoc

• Well designed cyber attacks can mimic information or system loss due to natural disasters

• And will be designed to be unobservable (at least locally within the attack module)


EPS Cyber-Attacks: The Ugly

• Attacks on information sharing networks can quickly lead to cascading failures

• Can a coordinated attack mimic the Northeast Blackout of 2003?

• Many classes of cyber-attacks – depending on sub-systems attacked

• Generation, topology, SCADA measurements, AGC, cyber-physical attacks, substation, DER

• All involve compromising the integrity of cyber data intelligently.

• Availability of intrusion detection decisions (during attack) and resiliency mechanisms (post-attack) crucial for human-operator based cyber systems.

• One size fits all solution will not work


EPS: Resiliency

• Electric Power Systems are resilient systems built to withstand real-time changes to generation, dispatch, transmission and distribution failures/outages.

• But cyber-attacks and natural disasters can cause an order of magnitude larger change to the system in a very short time.

• Can operators manage under partial or complete lack/loss of information?

• Need vulnerability analysis (including attack modeling)

• What are the consequences of realistic cyber-attacks on the EPS?

• Design of resiliency mechanisms


Cyber-attacks on EPS: State of the Art

Cyber attacks on state estimator:

• Y. Liu, M. K. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,” Proceedings of the 16th ACM CCS, 2009.

• O. Kosut, L. Jia, R. J. Thomas, and L. Tong, “Malicious data attacks on the smart grid,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 645–658, 2011.

• L. Jia, R. J. Thomas, and L. Tong, “On the nonlinearity effects on malicious data attack on power system,” in Proc. 2012 PES General Meeting, Jul. 2012.

• G. Hug and J. A. Giampapa, “Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks,” IEEE Trans. Smart Grid, vol. 3, no. 3, pp. 1362–1370, 2012.

• X. Liu and Z. Li, “Local Load Redistribution Attacks in Power Systems With Incomplete Network Information,” IEEE Transactions on Smart Grid, vol. 5, no. 4, pp. 1665–1676, July 2014.

• M. Rahman and H. Mohsenian-Rad, “False data injection attacks against nonlinear state estimation in smart power grids,” in Power and Energy Society General Meeting (PES), 2013 IEEE, July 2013, pp. 1–5.

• A. H. Mohsenian and A. Leon-Garcia, “Distributed internet-based load altering attacks against smart power grids,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 667–674, 2011.


Cyber-attacks on EPS: State of the Art

Cyber attacks on generation control:

• S. Sridhar and M. Govindarasu, “Model-based attack detection and mitigation for automatic generation control,” IEEE Transactions on Smart Grid, vol. 5, no. 2, pp. 580–591, 2014.

• J. Wei, D. Kundur, T. Zourntos, and K. Butler-Purry, “A flocking-based dynamical systems paradigm for smart power system analysis,” in Power and Energy Society General Meeting, 2012 IEEE, 2012, pp. 1–8.

Cyber attacks on topology:

• J. Kim and L. Tong, “On topology attack of a smart grid: Undetectable attacks and countermeasures,” IEEE Transactions on Smart Grid, vol. 31, no. 7, pp. 1294–1305, 2013.

• M. A. Rahman, E. Al-Shaer, “Impact Analysis of Topology Poisoning Attacks on Economic Operation of the Smart Power Grid,” in Proceedings of IEEE Distributed Computing Systems (ICDCS), Madrid, Spain, July, 2014.

• A. Ashok and M. Govindarasu, “Cyber Attacks on Power System State Estimation through Topology Errors,” in Proceedings of IEEE PES General Meeting, San Diego, CA, USA, July, 2012.


Cyber-attacks on EPS: State of the Art

Cyber attacks: impact on markets:

• L. Jia, J. Kim, R. J. Thomas, and L. Tong, “Impact of data quality on real-time locational marginal price,” IEEE Trans. Power Systems, vol. 29, no. 2, 2014.

• L. Xie, Y. Mo, and B. Sinopoli, “Integrity data attacks in power market operations,” IEEE TSG, vol. 2, no. 4, 2011.

• D.-H. Choi and L. Xie, “Impact analysis of locational marginal price subject to power system topology errors,” in Proc. SmartGridComm, 2013.

Optimization problem for cyber attacks:

• J. Salmeron, K. Wood, and R. Baldick, “Analysis of electric grid security under terrorist threat,” IEEE Transactions on Power Systems, vol. 19, no. 2, pp. 905–912, 2004.

• Y. Yuan, Z. Li, and K. Ren, “Modeling load redistribution attacks in power systems,” IEEE TSG, vol. 2, no. 2, pp. 382–390, 2011.

• A. Giani, R. Bent, M. Hinrichs, M. McQueen, and K. Poolla, “Metrics for assessment of smart grid data integrity attacks,” in PES General Meeting, July 2012, pp. 1–8.

• A. Motto, J. Arroyo and F. Galiana, “A Mixed-Integer LP Procedure for the Analysis of Electric Grid Security Under Disruptive Threat,” Trans. Power Systems, Aug 2005.

• Y. Yuan, Z. Li and K. Ren, “Quantitative analysis of load redistribution attacks in electric grid,” IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 9, 2012.


Cyber-attacks on EPS: State of the Art

Cyber attacks consequences:

• A. Teixeira, S. Amin, H. Sandberg, K. Johansson, and S. Sastry, “Cyber security analysis of state estimators in electric power systems,” in 2010 49th IEEE Conference on Decision and Control (CDC), 2010, pp. 5991–5998.

• J. Liang, O. Kosut, and L. Sankar, “Cyber-attacks on AC state estimation: Unobservability and physical consequences,” in IEEE PES General Meeting, Washington, DC, July 2014.

• J. Zhang, L. Sankar and K. W. Hedman, “Implications of Cyber Attacks on Distributed Power System Operations,” in CIGRE Grid of the Future Symposium, 2014.

• J. Zhang and L. Sankar, “Implications of Cyber-physical Unobservable State-and-Topology Attacks on Electric Power Systems,” in preparation for IEEE Trans. Smart Grid Communications, Special Issue, Sep. 2015.


Cyber-attacks on EPS: ASU-led Research

Consequences of unobservable attacks on SE and topology data:

• [1] and [3]: A congested line can be physically overloaded while appearing perfectly normal in the cyber-data

• [2]: Attacks on data-sharing between inter-areas can lead to unobservable overloads and violations.

[1] J. Liang, O. Kosut, and L. Sankar, “Cyber-attacks on AC state estimation: Unobservability and physical consequences,” in IEEE PES General Meeting, Washington, DC, July 2014.

[2] J. Zhang, L. Sankar and K. W. Hedman, “Implications of Cyber Attacks on Distributed Power System Operations,” in CIGRE Grid of the Future Symposium, 2014.

[3] J. Zhang and L. Sankar, “Implications of Cyber-physical Unobservable State-and-Topology Attacks on Electric Power Systems,” in preparation for IEEE Trans. Smart Grid Communications, Special Issue, Sep. 2015.


Cyber-attacks on EPS: ASU-led Research

• Resiliency mechanisms?

• Large complex systems are only locally unobservable

• Modular processing can be exploited to detect anomalous and systematic data changes

• Real-time load monitoring and forecasting (machine learning), anomalous re-dispatch monitoring, real-time topology processing, …


Topology-targeted Man-in-the-Middle Communication Attack


Topology-targeted Man-in-the-middle Attacks

Motivation:

• Data sharing amongst entities in electric grid is essential for reliability.

• Successful cyber attacks on inter-area communications can have serious consequences and should be studied.

• Mimicking outage and information sharing conditions that led to the Northeast blackout in 2003.

Objectives:

• Introduce a class of topology-targeted man-in-the-middle communication attacks.

• Study attack consequences using a time progression model for cyber operations.


System Model and Attack

• Attacker capability: the attacker has access to the data being shared between areas and can corrupt the data:

  • Participate in creating a line outage in one area / be aware of such an outage

  • Corrupt the topology information shared with the other area.

• Modeling human error:

  • Contingency communication delays.

  • Line switch miscommunications.


Attack Process

[Figure: attack timeline. Time axis: 0, t, 2t, …, 20t (t = computation time period). Events: Event 0: Line outage in Area 1; Event 1: Joint dispatch; Event 2: Joint dispatch; …; Event 20: Joint dispatch. Information sharing step labelled "Share updated topology", with the topology-targeted MiM attack labelled "Replace the updated topology with old topology". Other labels: SCADA; Topology processing; State estimation; Power flow calculation; Share estimated loads; OPF Calculation (1. Area 1 run local OPF, 2. Area 2 run local OPF); Local generation schedule exchange; Both areas calculate power flow; Share tie-line measurements.]


Attack Consequences

Table: System behavior with sustained attack for IEEE 24-bus system

Feasible Case                 540
Physical PF Overload          24.82%
Cyber PF Overload             14.26%
Non-Convergence of PF         30.00%
No Violation Cases            23.33%
Cyber-Physical PF Overload    7.59%

Tie-line interchange fixed with only 10% variation.

[Figure: Pie chart indicating attack statistics for IEEE 24-bus system. Physical PF Overload 25%, Cyber PF Overload 14%, Not Converge 30%, No Violation Cases 23%, Cyber-Physical PF Overload 8%.]


Countermeasures

• Tie-line power flow mismatch: yet another countermeasure

• Immediate communication of violations between areas following power flow calculation.

• N-1 contingency analysis (over both areas) prior to attack can give a list of local elements whose outage caused the violation in neighboring area.

• Enable external contingency list sharing between areas. (not widespread)

• Broader issue: information sharing across SEAMS crucial for resiliency and situational awareness.
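
The tie-line power flow mismatch check, together with the physical/cyber overload categories from the Attack Consequences table, worked through as an added example (not from the slides): a constructed 4-bus, two-area DC power flow in which Area 2 still holds the old topology after a line outage in Area 1. The network, ratings, the 0.05 p.u. tolerance and the per-line reading of the overload categories are assumptions.

```python
# Added example on a constructed 4-bus, two-area network (values are not from the slides).
# Area 1 = buses 0,1; Area 2 = buses 2,3; bus 0 is the slack bus; all values in p.u.
LINES = {  # name: (from_bus, to_bus, reactance, rating)
    "L01": (0, 1, 0.1, 0.7),
    "T02": (0, 2, 0.1, 0.8),  # tie-line
    "T13": (1, 3, 0.1, 0.8),  # tie-line
    "L23": (2, 3, 0.1, 1.2),
}
TIE_LINES = ("T02", "T13")
INJECTION = {1: -1.0, 2: 0.0, 3: 0.0}  # net injection; the slack bus supplies the rest

def solve(a, b):
    """Solve a small dense linear system by Gaussian elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def dc_flows(in_service):
    """DC power flow: flow on every line, given the set of in-service line names."""
    buses = sorted(INJECTION)  # non-slack buses
    idx = {bus: i for i, bus in enumerate(buses)}
    B = [[0.0] * len(buses) for _ in buses]
    for name in in_service:
        f, t, x, _ = LINES[name]
        for u, v in ((f, t), (t, f)):
            if u in idx:
                B[idx[u]][idx[u]] += 1 / x
                if v in idx:
                    B[idx[u]][idx[v]] -= 1 / x
    theta = dict(zip(buses, solve(B, [INJECTION[b] for b in buses])))
    theta[0] = 0.0  # slack bus angle is the reference
    return {n: (theta[LINES[n][0]] - theta[LINES[n][1]]) / LINES[n][2]
            if n in in_service else 0.0 for n in LINES}

def tie_line_mismatch(model, measured, tol=0.05):
    """Tie-lines whose measured flow differs from the model flow by more than tol."""
    return {n: round(measured[n] - model[n], 3) for n in TIE_LINES
            if abs(measured[n] - model[n]) > tol}

def classify(cyber, physical):
    """Label each line by where an overload shows up: model, reality, both, neither."""
    names = {(True, True): "cyber-physical overload", (False, True): "physical overload",
             (True, False): "cyber overload", (False, False): "no violation"}
    return {n: names[abs(cyber[n]) > r, abs(physical[n]) > r]
            for n, (_, _, _, r) in LINES.items()}

stale = set(LINES)        # old topology, as replayed to Area 2 by the attacker
actual = stale - {"L01"}  # true topology after the line outage in Area 1
cyber, physical = dc_flows(stale), dc_flows(actual)
print(tie_line_mismatch(cyber, physical))  # both tie-lines disagree with the model
print(classify(cyber, physical))
```

With the stale topology the model reports an overload on the line that is actually out, while both tie-lines are physically overloaded yet look normal in the model; the tie-line measurements are the only signal that exposes the discrepancy.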


Resilient Energy Management Systems

• An intelligent cyber attack decision support tool that goes hand in hand with the EMS is needed.

• Monitors anomalous changes in a systematic manner

• Existing intelligence in the grid (statistical, operator) etc. can be translated to intelligent machine learning algorithms

• Does PMU data provide additional resiliency?

• Are generator attacks realistic?

• Can voltage and frequency regulation as well as system dynamics be exploited to detect anomalous behavior?


Systematic Resiliency Mechanism

• Cyber attack decision support tool


Questions? Thank you!


Attack Consequences

• For area with false topology, sustained attacks cause mismatches of the physical power flow and the power flow monitored in cyber level:

  1) Prevent operators from detecting the severity of physical overload problem.

  2) Create false overload alert in cyber level, leading to mis-operation.

• In comparison with using correct topology information (both areas) for dispatch:

  1) Cause more cases with overload problem to occur during simulation time period.

  2) Increase the physical overload severity.


Attack Consequences

• Tested the attack on IEEE 24-bus system and found the following consequences:

  • Prevents operators from detecting the severity of physical overload problem.

  • Creates false overload alert in cyber level, leading to mis-operation.

  • Severe lack of convergence of OPF.

  • No violation.

  • Cyber-physical overload.

• Attack success: % of lines with overflows: 69.08%

• Critical attack cases (physical power flow > 105%) is 11.11%.
