Cyber-Physical Security in Power Networks
Florian Dörfler, Fabio Pasqualetti, Francesco Bullo
Center for Control, Dynamical Systems & Computation
University of California at Santa Barbara
http://motion.me.ucsb.edu
Security and Reliability of Power Networks
One aspect of smart grid: complex physical system ⊕ sophisticated cyber coordination
Cyber-physical security is a fundamental obstacle challenging the smart grid vision.
H. Khurana, “Cybersecurity: A key smart grid priority,” IEEE Smart Grid Newsletter, 2011.
S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber-Physical System Security for the Electric Power Grid,” Proceedings of the IEEE, 2012.
A. R. Metke and R. L. Ekl, “Security technology for smart grid networks,” IEEE Transactions on Smart Grid, 2010.
J. P. Farwell and R. Rohozinski, “Stuxnet and the Future of Cyber War”
Cyber-Physical Security ≠ Cyber Security, Fault Tolerance
Cyber-physical security complements cyber security
Cyber security
  - does not verify “data compatible with physics/dynamics”
  - is ineffective against direct attacks on the physics/dynamics
  - is never foolproof (e.g., insider attacks)
Cyber-physical security extends fault tolerance
  - fault detection considers accidental/generic failures
A Simple Example: WECC 3-machine 6-bus System
[Figure: WECC 3-machine 6-bus system with generators g1, g2, g3, buses b1 to b6, and sensors]
1 Physical dynamics: classical generator model & DC load flow
2 Measurements: angle and frequency of generator g1
3 Attack: modify real power injections at buses b4 & b5
A. H. Mohsenian-Rad and A. Leon-Garcia, “Distributed internet-based load altering attacks against smart power grids,” IEEE Transactions on Smart Grid, 2011
The attack affects the second and third generators while remaining undetected from measurements at the first generator
Outline
1 Modeling framework for cyber-physical attacks
2 System & graph-theoretic characterizations
3 Centralized & distributed attack detection strategies
Model of Power Networks under Attack
1 Physics obey linear differential-algebraic dynamics: $E\dot{x}(t) = Ax(t)$
2 Measurements are in continuous-time: $y(t) = Cx(t)$
3 Cyber-physical attacks are colluding and omniscient: modeled as unknown inputs $Bu(t)$ & $Du(t)$
$$E\dot{x}(t) = Ax(t) + Bu(t)$$
$$y(t) = Cx(t) + Du(t)$$
This model includes genuine faults, physical attacks, and cyber attacks
Prototypical Attacks
[Block diagrams: each attack drawn on the system (sE − A)^{-1} with initial state x(0), output map C, measurement y(t), and attack inputs B ū(t), D u(t)]
Dynamic false data injection: render unstable pole unobservable
Covert attack: closed loop replay attack
Static stealth attack: corrupt measurements according to C
Replay attack: affect system and reset output
Undetectable Attack
Definition
An attack remains undetected if its effect on measurements is
undistinguishable from the effect of some nominal operating conditions
[Figure: outputs y(·, 0, t) under normal operating conditions compared with outputs under undetectable attacks and under detectable attacks]
Definition (Undetectable attack set)
The attack Bu(t), Du(t) is undetectable if there exist initial conditions
x1, x2 such that, for all times t
Vulnerabilities Analysis
Equivalent characterizations:
1 Vulnerability: undetectable attack y(x1, u, t) = y(x2, 0, t)
2 System theory: intruder/monitor system has invariant zero
3 Graph theory: # attacked signals > size of input/output linking
[Figure: WECC 3-machine 6-bus system with sensor output y(t) and attack inputs u1(t), u2(t)]
Attack Bu(t), Du(t) is not detectable by measurements y(t) & destabilizes the system
[Figure: generator frequencies ω1(t) = y(t), ω2(t), ω3(t)]
By linearity, an undetectable attack is such that y(x1 − x2, u, t) = 0.
⇔ the input output system
[Figure: WECC 3-machine 6-bus system and its input/output graph, with state vertices δ1 to δ3, ω1 to ω3, θ1 to θ6, attack inputs u1, u2 and sensor outputs y1, y2]
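The counting condition in item 3 can be checked mechanically. The following is an added example, not code from the slides or the authors: it computes the size of the largest linking (a set of vertex-disjoint paths from attacked variables to measured variables) by unit-capacity max flow. The line topology and all function names are assumptions; the attack and sensor locations follow the WECC example (injections at b4 and b5, angle and frequency of g1).

```python
# Added example: size of the largest input/output linking, i.e. the maximum
# number of vertex-disjoint paths from attacked variables to measured ones.
# Names: d = delta (angle), w = omega (frequency), th = theta (bus angle).
from collections import defaultdict

LINES = [(1, 4), (2, 5), (3, 6), (4, 5), (5, 6), (4, 6)]   # constructed topology

def system_graph(lines, gens=(1, 2, 3)):
    """Edge a -> b: variable a appears in the equation of variable b."""
    edges = []
    for i in gens:                # swing equation of generator i at bus i
        edges += [(f"w{i}", f"d{i}"), (f"d{i}", f"w{i}"),
                  (f"d{i}", f"th{i}"), (f"th{i}", f"w{i}")]
    for a, b in lines:            # DC load flow couples neighboring bus angles
        edges += [(f"th{a}", f"th{b}"), (f"th{b}", f"th{a}")]
    return edges

def linking_size(edges, attacked, sensed):
    """Unit-capacity max flow; each vertex v is split into (v, 0) -> (v, 1)."""
    cap = defaultdict(dict)
    def arc(a, b):
        cap[a][b] = 1
        cap[b].setdefault(a, 0)   # residual arc
    for v in {x for e in edges for x in e}:
        arc((v, 0), (v, 1))
    for a, b in edges:
        arc((a, 1), (b, 0))
    for v in attacked:
        arc("src", (v, 0))
    for v in sensed:
        arc((v, 1), "snk")
    def augment(v, seen):
        if v == "snk":
            return True
        seen.add(v)
        for nxt in list(cap[v]):
            if cap[v][nxt] > 0 and nxt not in seen and augment(nxt, seen):
                cap[v][nxt] -= 1
                cap[nxt][v] += 1
                return True
        return False
    size = 0
    while augment("src", set()):
        size += 1
    return size

def fewer_paths_than_attacks(edges, attacked, sensed):
    """True when # attacked signals > size of the input/output linking."""
    return len(attacked) > linking_size(edges, attacked, sensed)
```

With sensors only at g1 (`["d1", "w1"]`) every path from `th4` or `th5` has to pass through `th1` and `w1`, so the linking has size 1 against 2 attacked injections; adding a frequency sensor at g2 (`"w2"`) raises it to 2. The test is structural: it depends only on which variables interact, not on parameter values.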
Centralized Detection Monitor Design
System under attack Bu(t), Du(t):
$$E\dot{x}(t) = Ax(t) + Bu(t)$$
$$y(t) = Cx(t) + Du(t)$$
Proposed centralized detection filter:
$$E\dot{w}(t) = Aw(t) + G\,\big(Cw(t) - y(t)\big)$$
$$r(t) = Cw(t) - y(t)$$
Theorem (Centralized Attack Detection Filter)
Assume w(0) = x(0), (E, A + GC) is Hurwitz, and attack is detectable. Then r(t) = 0 if and only if u(t) = 0.
(+) the design is independent of B, D, and u(t)
(+) if w(0) ≠ x(0), then asymptotic convergence
(-) a direct centralized implementation may not be feasible
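The theorem and the remarks above can be reproduced on a small model. The following is an added example, not code from the slides or the authors: it simulates the detection filter on a constructed single-generator swing model with E = I (an assumption; the slides use the descriptor form). The gain G, the alarm threshold and the function names `residuals` and `alarm_time` are hypothetical.

```python
# Added example (not from the slides): residual filter on a constructed
# single-generator swing model. Assumes E = I; all numbers are made up.
M, DAMP, K = 1.0, 0.5, 2.0       # inertia, damping, synchronizing coefficient
G = (-4.0, -3.0)                 # filter gain; A + G C has eigenvalues -2.25 +/- 1.39j
X0 = (0.1, 0.0)                  # true initial state (angle, frequency)

def residuals(u_state=0.0, u_meas=0.0, w0=X0, t_on=5.0, t_end=20.0, dt=1e-3):
    """Forward-Euler simulation; returns samples of r(t) = C w(t) - y(t)."""
    x, w, out = list(X0), list(w0), []
    k_on = round(t_on / dt)                      # attack switches on at t_on
    for k in range(round(t_end / dt)):
        on = 1.0 if k >= k_on else 0.0
        y = x[0] + on * u_meas                   # y = C x + D u, with C = [1 0]
        r = w[0] - y                             # r = C w - y
        out.append(r)
        dx = (x[1], (-K * x[0] - DAMP * x[1] + on * u_state) / M)   # A x + B u
        dw = (w[1] + G[0] * r, (-K * w[0] - DAMP * w[1]) / M + G[1] * r)
        x = [x[0] + dt * dx[0], x[1] + dt * dx[1]]
        w = [w[0] + dt * dw[0], w[1] + dt * dw[1]]
    return out

def alarm_time(r, dt=1e-3, threshold=0.01):
    """First time |r(t)| exceeds the threshold, or None if it never does."""
    return next((k * dt for k, v in enumerate(r) if abs(v) > threshold), None)

if __name__ == "__main__":
    cases = {
        "no attack, w(0) = x(0)": residuals(),
        "attack on power injection (B u)": residuals(u_state=1.0),
        "attack on measurement (D u)": residuals(u_meas=0.2),
        "no attack, w(0) != x(0)": residuals(w0=(0.0, 0.0)),
    }
    for name, r in cases.items():
        print(f"{name:34s} alarm at {alarm_time(r)}  final r = {r[-1]:+.4f}")
```

The last case raises an alarm at t = 0 although u(t) = 0: with w(0) ≠ x(0) the residual only converges asymptotically, so a threshold is meaningful only after that transient has decayed.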
Distributed Monitor Design
Partition the physical system with geographically deployed control centers:
$$E = \begin{bmatrix} E_1 & & 0 \\ & \ddots & \\ 0 & & E_N \end{bmatrix}, \quad C = \begin{bmatrix} C_1 & & 0 \\ & \ddots & \\ 0 & & C_N \end{bmatrix}, \quad A = \begin{bmatrix} A_1 & \cdots & A_{1N} \\ \vdots & \ddots & \vdots \\ A_{N1} & \cdots & A_N \end{bmatrix}$$
[Figure: IEEE 118 Bus System partitioned into Areas 1 to 5]
(i) control center i knows E_i, A_i, and C_i, and neighboring A_ij
Distributed Monitor Design
1 Local monitoring with measurements and continuous-time filters & discrete communication between neighboring control centers
$$E_i \dot{w}_i^{(k)}(t) = A_i w_i^{(k)}(t) + G_i\big(C_i w_i^{(k)}(t) - y_i(t)\big) + \sum_{j \neq i} A_{ij} w_j^{(k-1)}(t)$$
$$r_i^{(k)}(t) = y_i(t) - C_i w_i^{(k)}(t)$$
2 Centralized performance is recovered
3 Design and analysis relies on waveform relaxation technique
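A sketch of the iteration above for two control centers, as an added example that is not from the slides or the authors. It assumes scalar areas with E = I and C_i = 1; all numeric values and function names are constructed. `gap(n)` measures how far the distributed residuals after n exchanges are from those of the centralized filter with G = diag(G_1, G_2).

```python
# Added example: Jacobi waveform relaxation between two control centers.
# Scalar areas, E = I, C_i = 1; every numeric value here is constructed.
A_LOC, A_CPL, GAIN = (-1.0, -1.5), (0.4, 0.3), (-2.0, -2.0)   # A_i, A_ij, G_i
X0, DT, STEPS, K_ON, ATTACK = (0.2, -0.1), 1e-2, 1000, 400, 0.5

def measurements():
    """True system; the measurement of area 1 is falsified from step K_ON on."""
    x, ys = list(X0), []
    for k in range(STEPS):
        ys.append((x[0] + (ATTACK if k >= K_ON else 0.0), x[1]))
        x = [x[i] + DT * (A_LOC[i] * x[i] + A_CPL[i] * x[1 - i]) for i in (0, 1)]
    return ys

def local_sweep(i, ys, w_nbr):
    """Area i integrates its own filter over the horizon, using the waveform
    w_nbr that its neighbor sent after the previous iteration."""
    w, traj = X0[i], []
    for k in range(STEPS):
        traj.append(w)
        w += DT * (A_LOC[i] * w + GAIN[i] * (w - ys[k][i]) + A_CPL[i] * w_nbr[k])
    return traj

def distributed_residuals(ys, iterations):
    w = [[0.0] * STEPS, [0.0] * STEPS]               # initial guess w_j^(0) = 0
    for _ in range(iterations):                      # one exchange per iteration
        w = [local_sweep(0, ys, w[1]), local_sweep(1, ys, w[0])]
    return [[ys[k][i] - w[i][k] for k in range(STEPS)] for i in (0, 1)]

def centralized_residuals(ys):
    w, res = list(X0), ([], [])
    for k in range(STEPS):
        for i in (0, 1):
            res[i].append(ys[k][i] - w[i])
        w = [w[i] + DT * (A_LOC[i] * w[i] + GAIN[i] * (w[i] - ys[k][i])
                          + A_CPL[i] * w[1 - i]) for i in (0, 1)]
    return res

def gap(iterations):
    """Largest difference between distributed and centralized residuals."""
    ys = measurements()
    dist, cent = distributed_residuals(ys, iterations), centralized_residuals(ys)
    return max(abs(d - c) for i in (0, 1) for d, c in zip(dist[i], cent[i]))

if __name__ == "__main__":
    for n in (1, 3, 12):
        print(n, gap(n))
```

The gap shrinks by roughly the ratio |A_ij| / |A_i + G_i C_i| per exchange in this constructed case, so weak coupling between areas and fast local filters mean fewer communication rounds.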
An Illustrative Example: IEEE 118 Bus System
[Figure: IEEE 118 Bus System partitioned into Areas 1 to 5]
Physics: classical generator model and DC load flow model
Measurements: generator angles
Attack on all measurements in Area 1
Convergence of distributed filter:
[Plot: convergence of the distributed filter]
Residuals $r_i^{(k)}(t)$ for k = 100:
[Plots: Residual Area 1, Residual Area 2, Residual Area 4, Residual Area 3]
Geometric & optimal attack design
A Case Study: Competitive Power Generation Environment
[Figure: Reduced WECC grid with generators 1 to 16 and areas South, Arizona, SoCal, NoCal, PacNW, Canada, North, Montana, Utah]
scenario: a subset of utility companies K form a coalition
goal: disrupt the power generation of competitors
strategy: choose K* ⊂ K sacrificial generators and design an input not affecting K \ K* while maximizing damage at non-colluding generators
additionally here: design such
Geometric & optimal attack design
malicious coalition: K = {1, 9} (PacNW) with sacrificial machine K* = {9}
control minimizes $\|\omega_9(t)\|_{L_\infty}$ subject to $\|\omega_{16}(t)\|_{L_\infty} \geq 1$ (Utah)
⇒ non-colluding generators will be damaged
[Plots: frequency trajectories ω1 to ω16 over the time interval 0 to 10]
[Figure: Reduced WECC grid with generators 1 to 16 and areas South, Arizona, SoCal, NoCal, PacNW, Canada, North, Montana, Utah]
Conclusion
We have presented:
1 a modeling framework for cyber-physical attacks in power networks
2 fundamental system- and graph-theoretic detection conditions
3 centralized & distributed detection procedures
4 geometric & optimal attack design
We have analogous results for the identification problem.
Ongoing and future work: