Probabilistic Bounds on the Impact of Potential Data ...€¦ · analysis. 1. Introduction...

Probabilistic Bounds on the Impact of Potential Data Integrity Attacks inMicrogrids

Hao Jan Liu, Hyungjin Choi, Paprapee Buason, and Alfonso Valdes ∗

Department of Electrical and Computer Engineering and Information Trust Institute, University of Illinois at Urbana-ChampaignEmails: {haoliu6,hjchoi12,buason2,avaldes}@illinois.edu

Abstract

Microgrids are being increasingly adopted inelectric power distribution systems to facilitatedistributed energy resource integration and to provideresilient operations. Modern microgrids rely onsophisticated cyber communications and controlsto maintain stable operation. Attacks on this cyberinfrastructure can cause the system to undertake apotentially destabilizing control action. In this work, wepresent the results of a reachability analysis in which wedetermine whether a potential attack vector can resultin actions that make an unstable state “reachable” insome time interval from the current state. Specifically,our analysis must be executed on a timescale that headsoff the destabilizing system states due to maliciousattacks. To that end, we propose a sensitivity analysisthat assesses the worst-case impact of attack scenariosof interest while identifying reachable unstable statesin the required time budget. This concept can be usedto develop a tool to support DER control decisionsunder adverse conditions. Numerical tests are providedto validate the effectiveness of the attack reachabilityanalysis.

1. Introduction

Microgrids (MGs) are increasingly being introducedin distribution networks to promote the integration

∗The work described here was performed with funding fromthe Dept. of Energy (DOE) under Cooperative AgreementDE-OE0000831, under subcontract to ABB US Corporate ResearchCenter. The views expressed are those of the authors. This reportwas prepared as an account of work sponsored by an agency of theUnited States Government. Neither the United States Government norany agency thereof, nor any of their employees, makes any warranty,express or implied, or assumes any legal liability or responsibilityfor the accuracy, completeness, or usefulness of any information,apparatus, product, or process disclosed, or represents that its usewould not infringe privately owned rights. Reference herein toany specific commercial product, process, or service by trade name,trademark, manufacturer, or otherwise does not necessarily constituteor imply its endorsement, recommendation, or favoring by the UnitedStates Government or any agency thereof. The views and opinions ofauthors expressed herein do not necessarily state or reflect those of theUnited States Government or any agency thereof.

of distributed energy resources (DERs) and elasticloads, coupled with a significant modernization ofmetering, computing, and communication infrastructure[1]. Meanwhile, MGs’ ability to operate in two modes,i.e., islanded and grid-connected, further enhancessystem reliability and resiliency against disturbances inthe bulk power networks [2].

However, deployment of MGs requires a hierarchicalcontrol framework that includes sensors, actuators, andother intelligent control components communicatingover a cyber network, to perform functions such asthe distributed voltage and frequency controls in [3–6].Consequently, there are growing concerns about thestable and reliable operation of MGs where vulnerabilityto cyber attacks on communication, measurement, andcontrol systems poses significant threats; see, e.g.,[7–11] and references therein. Such attacks are nothypothetical, as evidenced by recent cyber-inducedoutages in Ukrainian power systems [9]. Accordingly,there is a pressing need to develop an online analytictool to continuously monitor for and predict thepotential impact of cyber attacks on MGs while offeringpreventive countermeasures. Such a tool would beimportant in providing decision support for DERcoordination under adversarial environments.

There have been active research efforts to address thecybersecurity concerns with MGs. Real-time simulatorssuch as RTDS and testbeds have been used to analyzethe impact of malicious cyber events and test real-timehardware-in-the-loop systems [12–14]. In addition,prior work in [10, 15, 16] has developed defenseframeworks and countermeasures against maliciousattacks. Nonetheless, prior efforts have fallen shortof continuously monitoring and predicting potentialcybersecurity impacts. Accordingly, repeated numericalsimulations, such as Monte Carlo methods, have beenproposed to analyze the impact of cyber attacks onMG dynamic states, e.g, angle and frequency [17–20]. From a practical point of view, those numericalsimulations are computationally burdensome when allpossible attack scenarios are considered. To the

Proceedings of the 52nd Hawaii International Conference on System Sciences | 2019

URI: https://hdl.handle.net/10125/59787ISBN: 978-0-9981331-2-6(CC BY-NC-ND 4.0)

Page 3514

best of our knowledge, none of the prior work canbe implemented in a real-time setting that reflectsthe physical structure of MGs directly related to thedynamical stability of the system. Thus, we aim toimprove the computational feasibility of the analysiswhile facilitating the protection of systems from cyberattacks in a nearly online fashion.

Aligned with the need for comprehensive methodsto improve the cybersecurity of MGs, we propose asensitivity-based reachability analysis to quantify theimpact of cyber attacks on measurement and controlcommands to transient stability of MGs. This studyprovides the worst-case upper and lower bounds ondynamic states (voltage and frequency) under a specifiedattack. By reachability, we mean that an unstable stateis “reachable” from the current state in the presenceof particular attacks. Henceforth, our analysis may beutilized to predict any potential fault conditions inducedby violating the safety limits of protection systemssuch as relays. The core of our proposed method isthreefold. First, we adopt the reduced-order modelto describe the dynamics of droop-controlled DERinterface converters (DICs) [21] and DC power-flowassumptions [22] to speed up the computation time ofour analysis. Next, sensitivity analysis is introducedto approximate the coupling among dynamic statesand attack inputs. Last but not least, we modelthe attack on the measurement as a random variablefor which sensitivity analysis is executed to estimatethe worst-case bounds on all possible variations indynamical states. Overall, the reachability analysiswill provide the probabilistic estimation bounds in anearly online fashion to quantify the potential impactof cyber attacks. Therefore, our approach contributes asystematic solution to estimating the worst-case impactof cyber attacks on the dynamical behavior of MGswithout applying repeated time-domain simulations orcomplex mathematical algorithms. In addition, thesensitivity evaluation can provide crucial cybersecurityinformation to counter attacks on cyber-physical MGnetworks by facilitating DER coordination decisions.

The remainder of this paper is as follows. Sec.2 presents the modeling of MGs, while Sec. 3defines an attack scenario based on corruption of thevoltage measurement and then describes sensitivityanalysis of attacks on dynamical states. In Sec. 4,we describe how we validate the effectiveness of theproposed reachability analysis by performing MonteCarlo simulation. We conclude in Sec. 5.

Physical

Network

1DIC

1Bus n +

Physical connection

Primary

Controller

1Bus

Bus m

Control signal

Power

Calculation

1,abcV

1,abcI1 1,P Q

nDIC

Primary

Controller

Bus n

Power

Calculation

,n nP Q ,n abcV,n abc

I

1L

nP+

LmP

Figure 1. A cyber-physical MG network with DICs, inwhich Vi,abc and Ii,abc are the instantaneous

three-phase voltage and current measurement samplevalues, respectively.

2. Modeling of a Microgrid

Given an islanded MG that includes all gridcomponents, such as DICs, loads, and lines, as depictedin Fig. 1, we represent an MG with a connected graph(NM , EM ). Without loss of generality, the set NMconsists of the subsets ND := {1, · · · , n} and NL :={n + 1, · · · ,m}, representing the DIC and load buses,respectively. In addition, the line segments connectingthe buses are represented by the set EM . Per bus-i,Vi and θi are defined as the voltage magnitude andphase angle, respectively, and Vi,abc is the three-phaseinstantaneous voltage sample value. Moreover, we let Pi(Qi) represent the active (reactive) power injection fromDICi, while PMi denotes its active power rating, and PLi(QLi ) is the active (reactive) power demand of the ith

load bus. For notational convenience in the rest of thepaper, the frequency deviation is represented by ωi :=(θi − ωref), where θi := dθi/dt is the frequency, andωref is the reference frequency set-point. To facilitatethe ensuing reachability analytics, we also make thefollowing assumptions:

AS 1. The power lines are short, so line loss isnegligible.

AS 2. The angular difference (θi − θj),∀i, j ∈ EM issmall.

AS 3. Each bus voltage magnitude Vi is fixed at nearunity (expressed as per unit).

AS 4. The active power demand PLi ,∀i ∈ NL isconstant during each control interval.

AS 5. All possible load variations under the isolatedMG are supported by DICs without violating the active

Page 3515

��

,i abcV

eabc dq→

&i iP Q

calculation

,i dqV ,i dqI

iθ

PI

Predictivecurrent

controller

*

,i dqV

,i dqV

PWMmodulator

iθ,i dqI

Voltage & Current Controller

Local Droop

,i abcI

,0iV

iP

refω

iω 1

s

iV∆

edq abc→

iQ

*

iQ1

,q ik−

*

iP

iθ

idV

dt

1

iD

,

1

q iD

,i abcV,i abcI

1

s

1

s

Figure 2. The figurative control diagram representation for an individual DICi.

power rating limits of the DICs.

Assumption 1 is often adopted in the MG literature;see, e.g., [3, 10, 11, 23, 24]. This assumption can bejustified because of the short power lines in MGs. Thus,line losses are negligible compared to line flows. Inaddition, one can assume that all lines have a uniformhomogeneous resistance-to-inductance ratio, and thuswe can recover a lossless model by performing a lineartransformation to decouple lossy and lossless injections;see, e.g., [25, Remark 1]. Regarding angular differenceamong buses in Assumption 2, these values should besmall due to the proximity of buses within a MG. Asfor the constant voltage in Assumption 3, it can beensured through the fast inner voltage control loop ofDICs, see, e.g., [26]. Together with the voltage-droopcontroller, the DIC output voltage can track the voltagereference setpoint by managing DICs’ reactive poweroutput at a much faster time-scale than that of thefrequency controller. Earlier work in [3, 11, 24, 27]has supported such a time-scale separation betweenfrequency and voltage dynamics. We also assume thatsome active or passive shunt compensators or somecontrol mechanisms exist throughout the network tomaintain a healthy voltage profile. Henceforth, thevoltage magnitude at each bus can be presumed constantat nearly unity at the timescale of the frequency controldesign. The constant power demand in Assumption 4comes from the design of the proposed controller to besufficiently fast to stabilize the system in response toa load disturbance before the next disturbance occurs.Finally, Assumption 5 can be satisfied through carefulsystem planning at the MG deployment stage. Tosum up, we consider only the reachability analysisof the frequency control design while neglecting thevoltage arguments from all related functions. Althoughwe adopt those assumptions to facilitate the ensuinganalysis, the numerical test in Sec. 4 will be basedon a realistic lossy MG model with fully detailed DICdynamics that includes the inner voltage and outercurrent control loops to showcase the effectiveness ofthe proposed analysis.

2.1. Frequency-Based Active Power Control

For an islanded MG, each DICi behaves like avoltage source by regulating Vi and θi via the feedbackdroop-based control; see, e.g., [3, 24, 28]. Fig. 2depicts a high-order converter model consisting offast inner- and outer-control loops and frequency- andvoltage-droop controllers. As the converter’s internaldynamics are much faster than those of the system states,it has been shown in [21] that ignoring the former wouldneither compromise the modeling fidelity nor affectthe stability conditions of the latter at the time-scaleof power system analysis. Accordingly, we adoptthe reduced-order model (see, e.g., µROm2 in [21])in this paper. Using Assumption 3, one can derivethe reduced-order dynamic equations per DICi from afully detailed converter model by ignoring the voltagedynamics, as given by

1

ωi

dPidt

= −Pi + Pi, (1a)

Diωi = PMi − Pi, (1b)

where ωi > 0 is the cut-off frequency of the ith low-passfilter, and Pi is the filtered active power injection ofDICi. The effect of the low-pass filter is capturedby (1a), while the frequency droop control design isgoverned by (1b). Differentiating (1b) from (1a) andsubstituting the result into (1a), we have the followingsimplified dynamics of the droop-controlled DICi:

dωidt

= −ωiωi +ωiDi

(PMi − Pi),∀i ∈ ND. (2)

As detailed below in Sec. 3, the sensors at DICi thatmeasure active power injection Pi are considered to bepotentially vulnerable to malicious attacks. In addition,note that the frequency deviation ωi at steady-state is anonzero value unless PMi = Pi,∀i ∈ ND. Adjustingthe frequency back to the reference set-point requiresan additional control layer (i.e., a secondary frequency

516

control design [3,10,24,27]) and is beyond the scope ofthis work.

2.2. Load Model

Power loads usually depend on both bus voltage(which is assumed constant under Assumption 3) andfrequency. Without loss of generality, the load dynamicscan be represented by either a dynamics-free constantZIP or a frequency-dependent load model. The formerconsists of impedance (i.e., resistor and inductor),current source, and real and reactive power load (i.e.,PQ load), while the latter is a frequency-sensitive load,in which the power consumption increases linearly withthe frequency deviation ωi and its velocity ωi, e.g., amotor-type load [29]. In this work, all loads, unlessspecifically stated otherwise, are assumed to be of thefrequency-sensitive type. Therefore, the dynamics isgiven by

Jiωi +Diωi = −PLi − Pi,∀i ∈ NL, (3)

where Ji > 0 and Di > 0 represent the physical inertiaand damping constant associated with the ith load bus,respectively [30].

2.3. DC Power Flow

Real and reactive power-flow balance at bus i ∈NM is described by the following nonlinear algebraicequations:

0 =∑j∈Ni

ViVj (Gij cos(θi − θj) +Bij sin(θk − θj))

− Pi, (4a)

0 =∑j∈Ni

ViVj (Gij sin(θi − θj)−Bij cos(θk − θj))

−Qi, (4b)

where Ni := {j | (i, j) ∈ EM} denotes the set ofneighbor buses of bus i, andBij (Gij) is the susceptance(conductance) of the line between bus i and bus j.Using Assumptions 1–3 and concatenating all scalarsinto vectors, one can simplify (4) to the well-known DCpower flow, as given by

0 = Bθ −P. (5)

By solving (5), we have the explicit solution for the busangle

θ = B−1P, (6)

which, together with (2) and (3), gives the power systemdifferential and algebraic equations.

3. Reachability Analysis

In this section, given attacks on measurementand control inputs, we develop a methodology forreachability analysis on dynamical states. We firstdescribe the data integrity attack model and then proposea linear sensitivity analysis to approximate the couplingamong dynamic states and attack inputs. All possiblevariations of the dynamic state due to attacks can beeffectively determined by a linear transformation thatuses the sensitivity analysis.

3.1. Data Integrity Attacks

Under the assumption that the attacker can accesssome of the sensors and communication network toalter the measurement data or control commands, thedynamics of the MG network model with two-state DERdynamics (e.g., angle and frequency) is described by aset of differential equations as follows:

dxidt

= fi(x, u), for i = 1, . . . , 2m, (7)

where x := [θ;ω] ∈ R2m represents the dynamicstates (i.e., angle and frequency), and u ∈ R` collectsthe attacked control and measurement inputs. Notethat our MG model does not contain any internal busesthat are without any generations or loads. For a moregeneral setting in which we have algebraic equationscoupling power-flow balance in the internal buses, wecan also remove those buses by performing networkreduction techniques such as Kron reduction and recoverthe differential equations in (7) [31].

Without loss of generality, we define a data integrityattack as a malicious modification of an original signalu by the attack input ξ such that

uj = (1 + ξj) · uj , for j = 1, . . . , `. (8)

Note that an uncorrupted input signal uj is equivalentto setting ξj = 0. The following example explainsthe dynamic equations with attacks on the instantaneousvoltage measurement sample Vi,abc for a simple two-bussystem, as shown in Fig. 3.Example 1. Fig. 3 illustrates the aforementionedattack model for the single-line per unit diagram of thetwo-bus power system. To better explain the impact ofcorrupted measurements on dynamic states, we simplifythe network model by only considering a DIC at bus 1and a constant PQ load at bus 2, resulting in fewerdynamic states. Nominal parameters and inputs areV1 = 1, V2 = 1, XL = 0.15, PL2 = 0.2,QL2 = 0.1, PM1 = 0.3, D1 = 50 [s/rad], and

Page 3517

Figure 3. Two-bus system (from Example 1) with DERat bus 1 and a constant PQ load at bus 2.

ω1 = 31.4 [rad/s]. All quantities are per-unit unlessotherwise explicitly specified. We assume that thevoltage measurement at bus 1 is corrupted (as denotedby V1), so that the attacker alters the true measurementsby the multiplicative scale factor ∆V1, i.e.,

V1 = (1 + ∆V1) · V1,

and thus corrupts the original droop-based frequencycontrol scheme. Similar analysis can be applied todroop-based voltage control design [32]. Note that themultiplicative attack in (8) on V1,abc is equivalent toscaling of the phasor voltage magnitude by ∆V1.

Accordingly, the network dynamic equation based on(7) becomes

dω1

dt= f1(x, u)

= −ω1ω1 +ω1

D1

(PM1 − (1 + ∆V1)PL2

). (9)

Note that (9) is a result of DC power flow assumptionsunder which θ2 = θ1−PL2 XL. For this simple case, wehave x = ω1 and ξ = ∆V1. �

Remark 1 (Attack Generalizations). In this study, wemodel the attack as a malicious multiplier that scalesthe true measurement as shown in (8). Nonetheless, ourmethod is not limited to this specific attack and can bedesigned to account for various types of attacks, such asfalse data injection, in which attack vectors are added tothe original measurement.

3.2. Linear Approximation and Dynamics ofSensitivity Variables

Following the dynamic equation of the MG networkin (7), we let x(t, ξ) be the solution of dynamic statesunder the attack vector ξ. Hence, the first-order linearapproximation of dynamic states in terms of ξ is

x(t, ξ) ≈ x(t,0) + Φξ, (10)

where x(t,0) is the nominal solution without attacks,and the matrix Φ ∈ R2m×` with its entry φij := ∂xi

∂ξj

accounts for the sensitivity of dynamic states in terms of

the attack vector ξ. Based on our previous work in [33],we can determine Φ at each instance of time by solvingthe following differential equations (see Appendix A fordetails):

d

dtΦ = Λx

∣∣∣ξ=0

Φ + Λξ

∣∣∣ξ=0

, (11)

where Λx and Λξ are the Jacobian of f in terms of

x and ξ, respectively. As our MG model does notcontain any internal buses, we do not have algebraicterms or algebraic sensitivity equations correspondingto the dynamics of internal buses. We refer readersto [33] for cases in which we included algebraic terms toincorporate the effectiveness of the attack on power-flowbalance in the internal network. By solving (11) togetherwith the original dynamic equations in (7) for ξ = 0 ateach time t, we would obtain the value of x(t,0) as wellas the time-varying sensitivity matrix Φ.

The following example depicts the linearapproximation of a state and the formulation ofsensitivity equations for the two-bus system continuedfrom Example 1.Example 2 (Example 1 continued). The matrix Φin (10) for the linear approximation of the dynamic statex in terms of the attack ξ is given by

Φ =∂ω1

∂∆V1. (12)

Thus, the nominal solution for the state is determinedby solving (9) under ξ = 0. Based on the formulationof sensitivity equations (11), we obtain the relevantmatrices as follows.

Λx

∣∣∣ξ=0

= −ω1, Λξ

∣∣∣ξ=0

= − ω1PL2

D1.

We can calculate the sensitivity matrix Φ bysolving (11), and we can subsequently completethe linear approximation in (10). �

As detailed subsequently, we propagate the attackξ drawn from some probability distribution functionsto estimate the probabilistic bounds on all possiblevariations of x(t, ξ) due to the attack ξ.Remark 2 (Approximation Errors). Neglecting thehigher-order terms leads to an approximation errorin (11). It is possible to improve accuracy atthe cost of additional computational burden byincorporating such higher-order terms, e.g., 2nd-orderand mixed-sensitivity terms as discussed in [33]. Thatenhancement is beyond the scope of this paper and willbe a future research direction.

Page 3518

3.3. Probabilistic Worst-Case Bounds onDynamic States

We describe the jth attack, ξj , as a probabilisticrandom variable with normal distribution, i.e.,ξj ∼ N (0, σ2

j ), and individual attacks are mutuallyindependent. Without loss of generality, an offlinecomprehensive study of all possible undetectable attackscenarios is assumed and thus justifies the probabilisticattack model. Then, based on (10), the ith state underthe attack, xi(t, ξ), also follows a normal distributionwith a mean value of xi(t,0) and a variance given bythe sum of variances of ξ scaled by sensitivity variables,{φij}`j=1, i.e.,

xi(t, ξ) ∼ N

xi(t,0),∑j=1

φ2ijσ2j

, (13)

which provides normally distributed worst-case boundson the state xi for the given attack ξ. The followingexample demonstrates probabilistic worst-case boundson dynamic states for the two-bus power systemcontinued from Examples 1 and 2.Example 3 (Examples 1 and 2 continued). In thisexample, the multiplicative attack ξ is described interms of normally distributed random variables withzero mean values,

ξ = ∆V1 ∼ N (0, σ1) ,

with standard deviations σ1 = 5. We let the initialcondition at t = 0 be ω1(0) = 377.9991 [rad/s]disturbed from the normal operating point. Accordingly,the worst-case bounds on the dynamic state aredetermined from (13) by calculating x(t,0) and Φ ateach time t in Examples 1 and 2. The result is shownin Fig. 4. Red and blue curves show the estimatedworst-case upper and lower bounds, respectively. Eachcurve indicates confidence levels of 99.7%, 95%, and68% around the nominal trajectory denoted by blackdotted lines. We verified the result via repeatedtime-domain simulations (denoted by green lines) for100 randomly sampled attack values drawn from thenormal distribution.

Remark 3 (Scalability). Thanks to Assumptions 1–5,the reduced-order DIC models introduced in Sec. 2, andthe probabilistic attack description in (13), the proposedreachability analysis shows computational advantagesover prior solutions while maintaining fair accuracy, andthus it can be adopted for larger MGs. As a comparisonwith [33] regarding scalability, the full MG dynamics is

0 0.2 0.4 0.6 0.8 1

t [sec]

376.8

377

377.2

377.4

377.6

377.8

378

ω1[rad

/s]

Upper bound (99.7%)

Upper bound (95%)

Upper bound (68%)

Lower bound (99.7%)

Lower bound (95%)

Lower bound (68%)

Figure 4. Worst-case bounds on the dynamic state x

for the two-bus system (from Examples 1–3). Red andblue curves show the estimated worst-case upper andlower bounds, respectively, with different confidencelevels, i.e., 99.7%, 95%, and 68%, around the nominal

trajectory denoted by the black dotted lines. Inaddition, 100 repeated time-domain simulations,

denoted by green lines, are also plotted to verify theeffectiveness of the reachability analysis.

simplified to an ordinary differential equation (2), whilethe worst-case bounds are described by probabilisticdistributions that do not resort to convex optimization.As detailed in the following section, our approach wouldsignificantly improve the scalability of the proposedmethod.

4. Numerical Tests

We have showcased the application of our proposedapproach to quantify the impact of attacks onmeasurements based on the reachability analysisoutlined in Sec. 3. We now consider a more realisticlossy MG model composed of three DICs governedby the droop-controlled scheme in the low-voltagedistribution network. Fig. 5 provides a one-line diagramof the MG model under investigation. The systemreference frequency ωref = 377 rad · s−1. The localcontrol in the primary level works with a sampling rateof 20 kHz, which is needed to maintain a good outputpower quality, e.g., minimal frequency harmonics. Forease of observation, we set the rating of all DICs tothe same value of 2 kW while fixing the droop gainuniformly as 50 kW · s · rad−1. The dynamic load atbus 4 has the inertia constant J4 = 0.005 s · rad−2,the damping constant D4 = 10 s · rad−1, and thenominal apparent power demand S4 = 1.5 kW +j0.525 kvar. Meanwhile, the MG is warm-startedand initially operated at steady-state. In addition, the

Page 3519

4S

4 1 2

2DIC

3.00 kW 1.050 kvarj+

1.50 kW 0.525 kvarj+

1DIC

14Z

12Z

13Z

140.0002 0.000754Z j= +

120.2 0.754Z j= +

13 120.5Z Z=

3

3DIC

communication lines

transmission lines

Figure 5. One-line diagram of the MG model for thenumerical demonstration of our proposed method.

Three droop-controlled DICs are connected to one loadthrough the low-voltage distribution network.

probabilistic worst-case bounds are estimated at thebeginnings of successive intervals of 2 seconds(s), atwhich times all parameters, including load demandsand attack distribution, are known and remain constantduring the time interval. Last, we introduce a 100% loadincrease at t = 2 s to further evaluate the effectivenessof the proposed analysis. Physical details of the MG,including inner-voltage and outer-current control loopsand pulse width modulation emulation, are included andimplemented in MATLAB Simulink®.

As for the reachability analysis, the dynamicsof DICs are described by the simplified model asshown in (2). Dynamical states, including phaseangles and frequencies of all DERs, are denoted byx = [θ1, ω1, θ2, ω2, θ3, ω3]T. Also, we assume thatAssumptions 1–5 are satisfied in our MG model,and thus the power-flow balance in the network isrepresented by the DC power flow; see Sec. 2.3.

Under a multiplicative attack on the voltagemeasurement V2 at DIC2, we estimate the probabilisticworst-case bounds on all DIC frequencies. We modelthe attack on the voltage measurement of the DIC2,denoted by ξ = ∆V2, as a normally distributed randomvariable with zero mean and the standard deviation σ2 =0.5. Thus, the voltage measurement is scaled by theattack as in (8). Consequently, the power injectioncalculation P2 is maliciously corrupted from the truesample value. Subsequently, we evaluate (11) to get thesensitivity variable Φ in (10) at each time t as

Φ =

[∂θ1∂∆V2

,∂ω1

∂∆V2,∂θ2∂∆V2

,∂ω2

∂∆V2,∂θ3∂∆V2

,∂ω3

∂∆V2

]T.

Matrices and vectors required for the sensitivity

equations (11) are given by

Λx =

0 1 0 0 0 0

− ω1(∑3

i=2 Bii)

D1−ω1

ω1B22

D10 ω1B33

D10

0 0 0 1 0 0ω2B22

D20 − ω2B22

D2−ω2 0 0

0 0 0 0 0 1ω3B33

D30 0 0 − ω3B33

D3−ω3

,

Λξ =

[0, 0, 0,− ω2P2

D2, 0, 0

]T,

where both Λx and Λξ are evaluated at ξ = 0. With the

nominal values of the frequency calculated by solvingthe reduced-order dynamic equations of the MG, we candetermine probabilistic worst-case bounds on all DICfrequencies by following the equation in (13).

Fig. 6 shows the results of the estimated boundsfor all DIC frequencies. In each part of the figure,upper and lower bounds (denoted by red and bluelines) are plotted for different confidence levels (i.e.,99.7%, 95%, and 68%, corresponding to 1, 2, and 3standard deviations) with black dotted lines representingnominal trajectories without the attack. Green lines aretrajectories obtained from 100 Monte Carlo simulationsof the original nonlinear MG model with fully detailedDIC dynamics. Compared to the repeated simulationresults, we can verify that the estimated bounds on thefrequency of the proposed method accurately describethe worst-case system dynamics due to the potentialattack. The bound estimate is instrumental for providingcountermeasures by facilitating DER coordination underadversarial environments. Our approach supports usecases involving multi-microgrid environments, in whichpeer MGs with some interconnecting tie lines and apower sharing agreement can support critical loads inresponse to an adverse condition. For example, weconsider the two-MG system shown in Fig. 7. BothMGs have a main MG bus and a critical load bus,with normally open inter-ties between these buses. Weassume that the systems are in island mode. Thereachability analysis indicates that an unsafe state isreachable because of a likely voltage attack at the DICon the critical load bus in MG 1 (Event 1 and 2). Welet the MG controllers exchange messages, with ourimplementation eventually using OpenFMB/DDS1 [34].

1OpenFMB is an emerging grid edge communication standardto enable grid edge interoperability. Another research thrust of theproject that supports the work described in the present paper isconsidering OpenFMB communications across local area networks(for example, between peer microgrids) over software-definednetworks (SDN). The eventual goal of the work is to unifythe reachability analysis, frequency stabilization, and secureinter-microgrid OpenFMB messaging as an OpenFMB use case.

Page 3520

(a)

(b)

(c)

Figure 6. Simulation results of the MG are plotted forfrequencies at DIC buses 1–3 (figures (a)–(c),

respectively). Upper and lower bounds for differentconfidence levels are denoted by red and blue lines.Nominal trajectories (i.e., without any attack) are

represented by black dotted lines. Green lines are theresults from 100 repeated simulations based on the

original fully detailed MG model.

Table 1. Computation Time for different network sizes.

Case Number of ComputationDICs attacks time [s]

13 Bus 3 2 0.0234 Bus 9 6 0.04

123 Bus 30 10 0.2325 1.1

In response to the reachability analysis (Event 2), thecontrollers reach consensus to close the tie line, and MG1 trips off the faulted DER. The secondary frequencycontrol algorithm quickly stabilizes the now connectedtwo-MG system (Event 3).

In addition, the result proves that our approach iscomputationally efficient compared to other methodsbased on repeated numerical simulations such as MonteCarlo methods. Computation for the bound estimationtook 0.0286 s for a 2 s interval to estimate the worst-caseprobabilistic bounds. Computing the Monte Carlosimulation over the same interval required 2200 s ona 2.53 GHz Intel® Processor, demonstrating that ourproposed method has computational advantages overrepeated numerical simulations and can be implementedin a nearly online fashion. To further validate thescalability of the proposed reachability analysis for largeMGs, we compare computation times of a 2 s intervalfor estimating probabilistic bounds under different IEEEdistribution feeder test cases (i.e., 13-bus, 34-bus,and 123-bus with arbitrary DIC locations), as shownin Table 1. Note that computation time increases withthe network size and the number of attacks. As a MGtypically consists of a few buses and DICs, these resultsshow that the proposed method is suitable for nearlyreal-time MG stability-monitoring applications.

However, our method leads to over estimation insome cases (as shown in Fig. 6(a)), mainly becauseof errors from the linear approximation in (10). Also,some of the large transients at t = 2 s (reflectingload step-change) are not effectively captured by thebounds as a consequence of the simplified assumptionsof our MG model. To improve the accuracy, wecan incorporate higher-order terms in the analysisas discussed in [33, 35], adopt more accurate MGmodels (refer to different reduced-order DIC modelsin [21]), and consider the original nonlinear power-flowequations to capture the accurate transient phenomena atthe cost of computational resources.

5. Conclusions and Future Work

In this paper, we focused on developing asystematic framework to analyze the cybersecurity

Page 3521

V

V

Figure 7. One-line diagram and sequence of operations for the two-MG system under a potential malicious attack.

impact on a microgrid in the presence of maliciousattacks on measurement and control commands. Weproposed a computationally efficient method to estimateprobabilistic worst-case bounds on dynamic statesunder potential attacks. In addition, we were ableto achieve computational advantages over exhaustivesimulation-based methods, while accurately describingthe worst-case system behavior. Consequently, weanticipate that the proposed approach will be useful inmultiple contexts, e.g., in online stability monitoringagainst cyber attacks and in providing advisoryinformation to microgrid operators to effectivelycoordinate DERs in a system.

The remaining shortcomings of our method includeover estimated results due to errors from the linearapproximation and failures to capture large transientsof the dynamics as a result of the simplified microgridmodel. To address those challenges in our futurework, we plan to incorporate higher-order terms in theapproximation and adopt different levels of model-orderreduction to improve the accuracy of the analysis whileminimizing computational burden. Furthermore, wewill validate the performance of the event sequenceintroduced in Fig. 7 with a real-time simulator whileextending our analysis by introducing new elements,such as protection devices and other hierarchical controlschemes (e.g., secondary frequency control).

Appendix

A. Derivation of Sensitivity Equations

Assume that the network dynamics in (7) arecontinuously differentiable with respect to (x, ξ), andthat there exists a unique solution for the nominal states,xi(t,0), at each instance. Then the solution of the ith

state for a given ξ is given as:

xi(t, ξ) = xi(t0,0) +

∫ t

τ=t0

fi(x, ξ)dτ. (14)

Taking partial derivatives of (14) in terms of ξj , we have:

∂xi∂ξj

=

∫ t

τ=t0

m∑k=1

∂fi∂xk

∂xk∂ξj

+∂fi∂ξj

dτ. (15)

By taking a derivative of (15) in terms of t, we get:

d

dtφij =

m∑k=1

∂fi∂xk

∣∣∣ξ=0

φij +∂fi∂ξj

∣∣∣ξ=0

(16)

Collecting (16) ∀i, j, we can express the compact matrixform shown in (11).

References

[1] B. Lasseter, “Microgrids [distributed power generation],”in Proc. 2001 IEEE Power Engineering Society WinterMeeting, pp. 146–149.

[2] P. Borazjani, N. I. A. Wahab, H. B. Hizam, and A. B. C.Soh, “A review on microgrid control techniques,” inProc. 2014 IEEE Innovative Smart Grid Technologies -Asia, pp. 749–753.

[3] H. J. Liu, L.-Y. Lu, Z. Wu, and A. Valdes, “Distributedoptimization approach for frequency control withemulated virtual inertia in islanded microgrids,” in Proc.Innovative Smart Grid Technologies Asia, 2018.

[4] H. J. Liu, W. Shi, and H. Zhu, “Distributed voltagecontrol in distribution networks: Online and robustimplementations,” IEEE Trans. Smart Grid, 2016, (EarlyAccess).

[5] ——, “Hybrid voltage control in distribution networksunder limited communication rates,” IEEE Trans. SmartGrid, 2016, (Early Access).

Page 3522

[6] Z. Wu, W. Gao, T. Gao, W. Yan, H. Zhang, S. Yan, andX. Wang, “State-of-the-art review on frequency responseof wind power plants in power systems,” Journal ofModern Power Systems and Clean Energy, vol. 6, no. 1,pp. 1–16, Jan. 2018.

[7] H. F. Habib, C. R. Lashway, and O. A. Mohammed, “Onthe adaptive protection of microgrids: A review on howto mitigate cyber attacks and communication failures,” inProc. 2017 IEEE Industry Applications Society AnnualMeeting, pp. 1–8.

[8] B. Chen, K. L. Butler-Purry, S. Nuthalapati, andD. Kundur, “Network delay caused by cyber attacks onSVC and its impact on transient stability of smart grids,”in Proc. 2014 IEEE PES General Meeting, pp. 1–5.

[9] R. Lee, M. Assante, and T. Conway, “Analysis of thecyber attack on the Ukrainian power grid,” E-ISAC,March 2016. [Online]. Available: https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

[10] H. J. Liu, M. Backes, R. Macwan, and A. Valdes,“Coordination of DERs in microgrids with cybersecureresilient decentralized secondary frequency control,”in Proc. Hawaii International Conference on SystemSciences, 2018. [Online]. Available: http://hdl.handle.net/10125/50226

[11] L. Y. Lu, H. J. Liu, and H. Zhu, “Distributed secondarycontrol for isolated microgrids under malicious attacks,”in Proc. IEEE North American Power Symposium, 2016,pp. 1–6.

[12] V. Venkataramanan, A. Srivastava, and A. Hahn,“Real-time co-simulation testbed for microgridcyber-physical analysis,” in Proc. 2016 Workshopon Modeling and Simulation of Cyber-Physical EnergySystems, pp. 1–6.

[13] M. Chlela, G. Joos, M. Kassouf, and Y. Brissette,“Real-time testing platform for microgrid controllersagainst false data injection cybersecurity attacks,” inProc. 2016 IEEE Power and Energy Society GeneralMeeting, pp. 1–5.

[14] V. Venkataramanan, P. Wang, A. Srivastava, A. Hahn,and M. Govindarasu, “Interfacing techniques in testbedfor cyber-physical security analysis of the electricpower grid,” in Proc. 2017 Workshop on Modeling andSimulation of Cyber-Physical Energy Systems, pp. 1–6.

[15] R. Macwan, C. Drew, P. Panumpabi, A. Valdes,N. Vaidya, P. Sauer, and D. Ishchenko, “Collaborativedefense against data injection attack in IEC61850 basedsmart substations,” in Proc. 2016 IEEE Power andEnergy Society General Meeting, pp. 1–5.

[16] Z. Li and M. Shahidehpour, “Defense-in-depthframework for microgrid secure operations againstcyberattacks,” in Proc. 2017 IEEE Power Energy SocietyGeneral Meeting, pp. 1–5.

[17] B. Chen, S. Mashayekh, K. L. Butler-Purry, andD. Kundur, “Impact of cyber attacks on transient stabilityof smart grids with voltage support devices,” in Proc.2013 IEEE Power Energy Society General Meeting, pp.1–5.

[18] A. Farraj, E. Hammad, and D. Kundur, “On the impact ofcyber attacks on data integrity in storage-based transientstability control,” IEEE Trans. Industrial Informatics,vol. 13, no. 6, pp. 3322–3333, Dec. 2017.

[19] X. Liu, M. Shahidehpour, Y. Cao, L. Wu, W. Wei, andX. Liu, “Microgrid risk analysis considering the impactof cyber attacks on solar PV and ESS control systems,”IEEE Trans. Smart Grid, vol. 8, no. 3, pp. 1330–1339,May 2017.

[20] K. J. Timko, A. Bose, and P. M. Anderson, “MonteCarlo simulation of power system stability,” IEEE Trans.Power Apparatus and Systems, vol. PAS-102, no. 10, pp.3453–3459, Oct. 1983.

[21] A. Olaoluwapo, A. D. Domínguez-García, andP. Sauer, “A hierarchy of models for inverter-basedmicrogrids,” Coordinated Science Lab tech reportUILU-ENG-17-2201, University of Illinois atUrbana-Champaign, May 2017. [Online]. Available:https://www.ideals.illinois.edu/handle/2142/96001

[22] B. Stott, J. Jardim, and O. Alsac, “DC power flowrevisited,” IEEE Trans. Power Systems, vol. 24, no. 3,pp. 1290–1300, Aug. 2009.

[23] J. W. Simpson-Porco, F. Dörfler, and F. Bullo,“Synchronization and power sharing fordroop-controlled inverters in islanded microgrids,”Automatica, vol. 49, no. 9, pp. 2603–2611, Sep. 2013.

[24] M. Zholbaryssov and A. D. Domínguez-García,“Distributed enforcement of phase-cohesiveness forfrequency control of islanded inverter-based microgrids,”IEEE Trans. Control Netw. Syst., 2018, to be published.

[25] F. Dörfler, J. Simpson-Porco, and F. Bullo, “Breaking thehierarchy: Distributed control & economic optimalityin microgrids,” IEEE Trans. Control Netw. Syst., vol. 3,no. 3, pp. 241–253, Sep. 2016.

[26] J. Rocabert, A. Luna, F. Blaabjerg, and P. Rodriguez,“Control of power converters in AC microgrids,” IEEEPower Electron. Lett., vol. 27, no. 11, pp. 4734–4749,Nov. 2012.

[27] S. T. Cady, A. D. Domínguez-García, and C. N.Hadjicostis, “A distributed generation controlarchitecture for islanded AC microgrids,” IEEE Trans.Control Syst. Technol., vol. 23, no. 5, pp. 1717–1735,Sep. 2015.

[28] H. Han, X. Hou, J. Yang, J. Wu, M. Su, and J. M.Guerrero, “Review of power sharing control strategiesfor islanding operation of AC microgrids,” IEEE Trans.Smart Grid, vol. 7, no. 1, pp. 200–215, Jan. 2016.

[29] C. Zhao, U. Topcu, N. Li, and S. Low, “Design andstability of load-side primary frequency control in powersystems,” IEEE Trans. Autom. Control, vol. 59, no. 5, pp.1177–1189, May 2014.

[30] P. Anderson and A. Fouad, Power System Control andStability, 2nd ed. Wiley India Pvt. Limited, 2008.[Online]. Available: https://books.google.com/books?id=2BXOzA34qBkC

[31] F. Dörfler and F. Bullo, “Kron reduction of graphs withapplications to electrical networks,” IEEE Trans. CircuitsSyst. I, vol. 60, no. 1, pp. 150–163, Jan. 2013.

[32] H. Zhu and H. J. Liu, “Fast local voltage controlunder limited reactive power: Optimality and stabilityanalysis,” IEEE Trans. Power Syst., vol. 31, no. 5, pp.3794–3803, Sep. 2016.

[33] H. Choi, P. J. Seiler, and S. V. Dhople, “Propagatinguncertainty in power-system DAE models withsemidefinite programming,” IEEE Trans. PowerSyst., vol. 32, no. 4, pp. 3146–3156, Jul. 2017.

[34] “Open field message bus,” https://openfmb.github.io,accessed: 2018-09-04.

[35] H. Choi, P. J. Seiler, and S. V. Dhople, “Propagatinguncertainty in power flow with the alternating directionmethod of multipliers,” IEEE Trans. Power Syst., vol. 33,no. 4, pp. 4124–4133, 2017.

Page 3523

Probabilistic Bounds on the Impact of Potential Data ...€¦ · analysis. 1. Introduction...

Documents

Transcript of Probabilistic Bounds on the Impact of Potential Data ...€¦ · analysis. 1. Introduction...