Cyber-Attacks on Electric Power System: Vulnerability and Resiliency Analysis
Lalitha Sankar
Arizona State University
PSERC Workshop, Stevenson, WA
July 13, 2015
Overview
• Electric power system is a distributed hybrid-hierarchical system.
• top-bottom (intra-regional) and
• lateral connections (inter-regional)
• At each level, SCADA and EMS manage and monitor the system.
• SCADA, Communication network, and Data Center will always be vulnerable to cyber attacks.
• What are the consequences of cyber-attacks on the transmission system?
Hierarchical Cyber-physical Power System
Motivation
• Large-scale outages are causes for concern and often involve operator error.
• Recently cyber and physical attacks have also been contributors.
• Attack attempt statistics collected by DHS.
In 2003, a line out in Ohio was not conveyed in time to MISO, leading to the Northeast blackout.
In 2007, Aurora Generator Test shows that cyber attacks can lead to generator getting out of phase and finally exploding.
In 2010, Stuxnet malware attacked SCADA systems, infecting 14 plants in Germany.
DHS recorded 161 cyber attacks on the energy sector in 2013, compared to 31 in 2011.
Cyber-Attacks on EPS
• Remote hacking, firewall break-in, malware introduction, trojans/virus, false data injection, …
EPS Cyber-Attacks: The Good
• Recent cyber-attacks involve hacking into databases and learning/revealing information.
• Electric Power System (EPS): does it suffice to just hack into the data networks?
• Data processing at heart of EPS cyber system – data integrity has to be compromised intelligently to cause serious damage.
• More sophisticated attacks needed to manipulate data
Target Breach Involved Two-Stage Cyber-Attack
-- steal data from a machine not connected to the Internet
-- move to another machine which can send the data to an FTP (server) – Dec, 2014
Hacking of Government Computers Exposed 21.5 Million People
-- Jul. 2015, NY Times
EPS Cyber-Attacks: The Bad
• All networks have zero day vulnerabilities (Target attack testament to that)
• Successful attacks on communication and computer networks are inevitable
• Intelligent attacks can restrict information flows and availability for real-time response and situational awareness
• Can combine cyber and physical attacks to create more havoc
• Well designed cyber attacks can mimic information or system loss due to natural disasters
• And will be designed to be unobservable (at least locally within the attack module)
EPS Cyber-Attacks: The Ugly
• Attacks on information sharing networks can quickly lead to cascading failures
• Can a coordinated attack mimic the Northeast Blackout of 2003?
• Many classes of cyber-attacks – depending on sub-systems attacked
• Generation, topology, SCADA measurements, AGC, cyber-physical attacks, substation, DER
• All involve compromising the integrity of cyber data intelligently.
• Availability of intrusion detection decisions (during attack) and resiliency mechanisms (post-attack) crucial for human-operator based cyber systems.
• One size fits all solution will not work
EPS: Resiliency
• Electric Power Systems are resilient systems built to withstand real-time changes to generation, dispatch, transmission and distribution failures/outages.
• But cyber-attacks and natural disasters can cause an order of magnitude larger change to the system in a very short time.
• Can operators manage under partial or complete lack/loss of information?
• Need vulnerability analysis (including attack modeling)
• What are the consequences of realistic cyber-attacks on the EPS?
• Design of resiliency mechanisms
Cyber-attacks on EPS: State of the Art
Cyber attacks on state estimator:
• Y. Liu, M. K. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,” Proceedings of the 16th ACM CCCS, 2009.
• Kosut, L. Jia, R. J. Thomas, and L. Tong, “Malicious data attacks on the smart grid,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 645–658, 2011.
• L. Jia, R. J. Thomas, and L. Tong, “On the nonlinearity effects on malicious data attack on power system,” in Proc. 2012 PES General Meeting, Jul. 2012.
• G. Hug and J. A. Giampapa, “Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks,” IEEE Trans. Smart Grid, vol. 3, no. 3, pp. 1362–1370, 2012.
• X. Liu and Z. Li, "Local Load Redistribution Attacks in Power Systems With Incomplete Network Information," Smart Grid, IEEE Transactions on, vol. 5, no. 4, pp. 1665-1676, July 2014.
• M. Rahman and H. Mohsenian-Rad, “False data injection attacks against nonlinear state estimation in smart power grids,” in Power and Energy Society General Meeting (PES), 2013 IEEE, July 2013, pp. 1–5.
• A. H. Mohsenian and A. Leon-Garcia "Distributed internet-based load altering attacks against smart power grids", IEEE Trans. Smart Grid, vol. 2, no. 4, pp.667 -674, 2011.
Cyber-attacks on EPS: State of the Art
Cyber attacks on generation control:
• S. Sridhar and M. Govindarasu, “Model-based attack detection and mitigation for automatic generation control,” IEEE Transactions on Smart Grid, vol. 5, no. 2, pp. 580–591, 2014.
• J. Wei, D. Kundur, T. Zourntos, and K. Butler-Purry, “A flocking-based dynamical systems paradigm for smart power system analysis,” in Power and Energy Society General Meeting, 2012 IEEE, 2012, pp.1–8.
Cyber attacks on topology:
• J. Kim and L. Tong, “On topology attack of a smart grid: Undetectable attacks and countermeasures,” IEEE Transactions on Smart Grid, vol. 31, no. 7, pp. 1294–1305, 2013.
• M. A. Rahman, E. Al-Shaer, “Impact Analysis of Topology Poisoning Attacks on Economic Operation of the Smart Power Grid,” in Proceedings of IEEE Distributed Computing Systems (ICDCS), Madrid, Spain, July, 2014.
• A. Ashok and M. Govindarasu, “Cyber Attacks on Power System State Estimation through Topology Errors,” in Proceedings of IEEE PES General Meeting, San Diego, CA, USA, July, 2012.
Cyber-attacks on EPS: State of the Art
Cyber attacks: impact on markets:
• L. Jia, J. Kim, R. J. Thomas, and L. Tong, “Impact of data quality on real-time locational marginal price,” IEEE Trans. Power Systems, vol. 29, no. 2, 2014.
• L. Xie, Y. Mo, and B. Sinopoli, “Integrity data attacks in power market operations,” IEEE TSG, vol. 2, no. 4, 2011.
• D.-H. Choi and L. Xie, "Impact analysis of locational marginal price subject to power system topology errors," in Proc. SmartGridComm, 2013.
Optimization problem for cyber attacks:
• J. Salmeron, K. Wood, and R. Baldick, “Analysis of electric grid security under terrorist threat,” Power Systems, IEEE Transactions on, vol. 19, no. 2, pp. 905–912, 2004.
• Y. Yuan, Z. Li, and K. Ren, “Modeling load redistribution attacks in power systems,” IEEE TSG, vol. 2, no. 2, pp. 382–390, 2011.
• A. Giani, R. Bent, M. Hinrichs, M. McQueen, and K. Poolla, “Metrics for assessment of smart grid data integrity attacks,” in PES General Meeting, July 2012, pp. 1–8.
• A. Motto, J. Arroyo and F. Galiana, "A Mixed-Integer LP Procedure for the Analysis of Electric Grid Security Under Disruptive Threat,” Trans. Power Systems, Aug 2005.
• Y. Yuan, Z. Li and K. Ren, "Quantitative analysis of load redistribution attacks in electric grid," IEEE Trans. Parallel Distrib. Syst., vol. 23, no. 9, 2012.
Cyber-attacks on EPS: State of the Art
Cyber attacks consequences:
• A. Teixeira, S. Amin, H. Sandberg, K. Johansson, and S. Sastry, “Cyber security analysis of state estimators in electric power systems,” in 2010 49th IEEE Conference on Decision and Control (CDC), 2010, pp. 5991–5998.
• J. Liang, O. Kosut, and L. Sankar, “Cyber-attacks on AC state estimation: Unobservability and physical consequences,” in IEEE PES General Meeting, Washington, DC, July 2014.
• J. Zhang, L. Sankar and K. W. Hedman, "Implications of Cyber Attacks on Distributed Power System Operations," in CIGRE Grid of the Future Symposium, 2014.
• J. Zhang and L. Sankar, "Implications of Cyber-physical Unobservable State-and-Topology Attacks on Electric Power Systems," in preparation for IEEE Trans. Smart Grid Communications, Special Issue, Sep. 2015.
Cyber-attacks on EPS: ASU-led Research
Consequences of unobservable attacks on SE and topology data:
• [1] and [3]: A congested line can be physically overloaded while appearing perfectly normal in the cyber-data
• [2]: Attacks on data-sharing between inter-areas can lead to unobservable overloads and violations.
[1] J. Liang, O. Kosut, and L. Sankar, “Cyber-attacks on AC state estimation: Unobservability and physical consequences,” in IEEE PES General Meeting, Washington, DC, July 2014.
[2] J. Zhang, L. Sankar and K. W. Hedman, "Implications of Cyber Attacks on Distributed Power System Operations," in CIGRE Grid of the Future Symposium, 2014.
[3] J. Zhang and L. Sankar, "Implications of Cyber-physical Unobservable State-and-Topology Attacks on Electric Power Systems," in preparation for IEEE Trans. Smart Grid Communications, Special Issue, Sep. 2015.
Cyber-attacks on EPS: ASU-led Research
• Resiliency mechanisms?
• Large complex systems are only locally unobservable
• Modular processing can be exploited to detect anomalous and systematic data changes
• Real-time load monitoring and forecasting (machine learning), anomalous re-dispatch monitoring, real-time topology processing, …
Topology-targeted Man-in-the-Middle Communication Attack
Topology-targeted Man-in-the-middle Attacks
Motivation:
• Data sharing amongst entities in electric grid is essential for reliability.
• Successful cyber attacks on inter-area communications can have serious consequences and should be studied.
• Mimicking outage and information sharing conditions that led to the Northeast blackout in 2003.
Objectives
• Introduce a class of topology-targeted man-in-the-middle communication attacks.
• Study attack consequences using a time progression model for cyber operations.
System Model and Attack
• Attacker capability: the attacker has access to the data being shared between areas and can corrupt the data:
• Participate in creating a line outage in one area/ be aware of such an outage
• Corrupt the topology information shared with the other area.
• Modeling human error:
• Contingency communication delays.
• Line switch miscommunications.
Attack Process
[Figure: timeline of events at times 0, t, 2t, …, 20t, where t = computation time period. Event 0: line outage in Area 1. Event 1, Event 2, …, Event 20: joint dispatch.]
[Figure: steps shown for a joint dispatch, as labelled: SCADA; topology processing; state estimation; power flow calculation; share updated topology; share estimated loads; OPF calculation (1. Area 1 run local OPF, 2. Area 2 run local OPF); local generation schedule exchange; both areas calculate power flow; share tie-line measurements. Topology-targeted MiM attack on information sharing: replace the updated topology with old topology.]
Attack Consequences
Table: System behavior with sustained attack for IEEE 24-bus system
Feasible Case | Physical PF Overload | Cyber PF Overload | Non-Convergence of PF | No Violation Cases | Cyber-Physical PF Overload
540 | 24.82% | 14.26% | 30.00% | 23.33% | 7.59%
Tie-line interchange fixed with only 10% variation.
Pie chart indicating attack statistics for IEEE 24-bus system: Physical PF Overload 25%, Cyber PF Overload 14%, Not Converge 30%, No Violation Cases 23%, Cyber-Physical PF Overload 8%.
Countermeasures
• Tie-line power flow mismatch: yet another countermeasure
• Immediate communication of violations between areas following power flow calculation.
• N-1 contingency analysis (over both areas) prior to attack can give a list of local elements whose outage caused the violation in neighboring area.
• Enable external contingency list sharing between areas. (not widespread)
• Broader issue: information sharing across SEAMS crucial for resiliency and situational awareness.
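The tie-line power flow mismatch check, sketched as an added example that is not from the slides: a constructed 4-bus, two-area model in which Area 2 still holds the pre-outage topology, so its predicted tie-line flows disagree with the measured ones and one tie-line overload is invisible in the model. The network, injections, ratings, tolerance and function names are assumptions, and a DC power flow with fixed injections stands in for the joint dispatch and power flow used in the talk.

```python
# Added illustration: constructed 4-bus, two-area DC power-flow model (not from the slides).
def solve(a, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [v - f * w for v, w in zip(m[r], m[c])]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def dc_flows(lines, injections, slack=0):
    """Per-unit flow on each in-service line; `lines` maps (from, to) -> susceptance."""
    n = len(injections)
    keep = [i for i in range(n) if i != slack]
    B = [[0.0] * n for _ in range(n)]
    for (i, j), b in lines.items():
        B[i][i] += b
        B[j][j] += b
        B[i][j] -= b
        B[j][i] -= b
    reduced = [[B[i][j] for j in keep] for i in keep]
    theta = [0.0] * n  # bus angles, slack bus fixed at zero
    for i, t in zip(keep, solve(reduced, [injections[i] for i in keep])):
        theta[i] = t
    return {(i, j): b * (theta[i] - theta[j]) for (i, j), b in lines.items()}

def check_ties(model, measured, limits, tol=0.05):
    """Flag tie lines whose model flow disagrees with the measurement or hides an overload."""
    report = {}
    for tie, limit in limits.items():
        mismatch = abs(model[tie] - measured[tie]) > tol
        hidden = abs(measured[tie]) > limit >= abs(model[tie])
        report[tie] = {"mismatch": mismatch, "hidden_overload": hidden}
    return report

# Buses 0,1 are Area 1; buses 2,3 are Area 2. Line (0,1) has tripped in Area 1.
STALE = {(0, 1): 10.0, (0, 2): 10.0, (1, 3): 10.0, (2, 3): 10.0}  # topology Area 2 was given
ACTUAL = {k: b for k, b in STALE.items() if k != (0, 1)}          # true post-outage topology
INJ = [1.0, 0.5, -0.7, -0.8]                                      # net injections, sum to zero
LIMITS = {(0, 2): 0.9, (1, 3): 0.9}                               # assumed tie-line ratings
MODEL = dc_flows(STALE, INJ)       # what the cyber layer computes
MEASURED = dc_flows(ACTUAL, INJ)   # stands in for shared tie-line measurements
REPORT = check_ties(MODEL, MEASURED, LIMITS)
```

With these constructed values the stale model puts tie line (0, 2) at 0.8 p.u. while the physical flow is 1.0 p.u., above the assumed 0.9 p.u. rating, and both tie lines are flagged for mismatch.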
Resilient Energy Management Systems
• An intelligent cyber attack decision support tool that goes hand in hand with the EMS is needed.
• Monitors anomalous changes in a systematic manner
• Existing intelligence in the grid (statistical, operator) etc. can be translated to intelligent machine learning algorithms
• Does PMU data provide additional resiliency?
• Are generator attacks realistic?
• Can voltage and frequency regulation as well as system dynamics be exploited to detect anomalous behavior?
Systematic Resiliency Mechanism
• Cyber attack decision support tool
Questions? Thank you!
Attack Consequences
• For area with false topology, sustained attacks cause mismatches of the physical power flow and the power flow monitored in cyber level:
1) Prevent operators from detecting the severity of physical overload problem.
2) Create false overload alert in cyber level, lead to mis-operation.
• In comparison with using correct topology information (both areas) for dispatch:
1) Cause more cases with overload problem to occur during simulation time period.
2) Increase the physical overload severity.
Attack Consequences
• Tested the attack on IEEE 24-bus system and found the following consequences:• Prevents operators from detecting the severity of physical overload problem.• Creates false overload alert in cyber level, lead to mis-operation.• Severe lack of convergence of OPF.• No violation.• Cyber-physical overload.
• Attack success: % of lines with overflows: 69.08%• critical attack cases (physical power flow > 105%) is 11.11%.
31