Cyber Security in Smart Grids
(2) Introduction to Cyber-Physical Systems. Communication between physical devices through a cyber layer. Sensors and Actuators Network (SANET): each physical device is given one IP address (Internet of Things, IoT). Concurrent cyber and physical links: a hardwired link between sensor and meter, and a communication link between sensor, meter and data center. Requires analysing both the physical-layer dynamics (power system faults, small-signal stability) and the communication-layer dynamics (latencies, packet drops). Tested by HIL simulations: use of RTDS (simulating the physical system), real communication links, servers and control centers.
(3) Cyber-Physical Interaction.
(4) Power and Information Flow in CPS Environment.
(5) Cyber-Physical Testbed. Integrates both cyber and physical components: physical network and devices, communication layer and real-time control algorithms. Co-simulation of cyber and physical components to capture the influence of one's dynamics on the other. Useful tool to study system vulnerabilities, intrusion points, reliability, impact analysis and performance of mitigation algorithms. Associated with visualization tools for impact analysis and operator training.
(6) Cyber-Physical Testbed. Components in a CPS testbed: 1. Software: various SCADA and EMS applications that monitor and control the physical system. 2. Hardware: IEDs and PMUs that bridge the cyber and physical domains. 3. Real-time simulator: FPGA model of the power system to compute the updated grid state in real time. 4. Algorithms: to perform automated control functions. 5. Communication links / HW interface: to interface the IEDs with the power system simulator and control center. 6. Architectures and protocols: real-world SCADA protocols.
(7) Cyber-Physical Testbeds : Applications.
(8) Cyber-Physical Testbed : Applications.
(9) Cyber-Physical Testbed. 1. Physical System: RTDS simulation platform with the capability to perform real-time power system simulation; allows integration of IEDs and associated hardware through the standard protocols IEC 61850 and DNP3; closely mimics the physical response of the power system when subjected to fault-type scenarios. DIgSILENT PowerFactory for non-real-time power system simulation: unlike RTDS it does not allow physical connection of devices, but it allows simulation of larger systems with limited real-time constraints and has capability for advanced system analysis (tools for SE and contingency analysis).
(10) Cyber-Physical Testbed. 2. Control Center: a computer capable of collecting measurements and status from field devices, managing historic data, advanced computing and decision making, human-in-the-loop interfaces, and sending control actions to virtual substations. 3. Substation: can be a computer (RTU) connected to hardware IEDs and communicating with the control center, or a virtual substation with virtual IEDs communicating with the control center. Has computing and actuating capabilities related to protection.
(11) Cyber-Physical Testbed. 4. Communications: wide area network for communication between CC and substation RTU using real-life SCADA protocols (DNP3 over IP); an Internet-scale cyber attack generation environment to orchestrate DoS and malicious data injection. Within the substations, the IEC 61850 protocol is used to communicate status and commands between other IEDs and the RTU; Manufacturing Message Specification (MMS) protocols are used to communicate analog and binary values between the IEDs and RTUs.
(12) Cyber-Physical Testbed. Logical Block Diagram of a CPS Environment.
(13) Cyber-Physical Testbed at Iowa State University.
(14) Major Cyber Attacks in Recent Past.
(15) Types of Attacks. 1. Denial of Service Attacks: the attacker floods the targeted controller (RTU/CC computer) with superfluous requests; the system becomes unavailable to legitimate users, packets drop, the link fails and necessary information is lost. E.g. SYN flood. A DoS attack can be stopped by identifying and blocking the IP which causes the traffic.
(16) Types of Attacks. 2. Distributed DoS Attack: severe form of denial of service attack where the traffic flooding the victim originates from multiple sources.
(17) Types of Attacks. 3. Time Delay Attacks: attackers can introduce deliberate delays into the sensing and feedback loops by jamming the network or by attacking the routing tables. Time delays can severely degrade the performance of control systems and can even lead to small-signal instability. In the protection paradigm, information is time critical; latencies can lead to malfunctioning of relays. 4. GPS Spoofing Attacks: a GPS spoofing attack attempts to deceive a GPS receiver by broadcasting incorrect GPS signals, structured to resemble a set of normal GPS signals, or by rebroadcasting genuine signals captured elsewhere or at a different time. PMUs are susceptible to these attacks.
(18) Types of Attacks. 5. False Data Injection Attacks: the attacker hacks into the system and corrupts the sensor readings in a way that goes undetected by the bad data detection system in the control center. Due to the high degree of correlation between sensor readings in a power system (thanks to KCL and KVL), the attacker has to have access to a large set of meter readings, geographically spread across locations; this form of coordinated attack is difficult to realize. Even if the control center identifies the source of bad data and purges that set of meter readings, the attacker may aim to spoil many meters so as to render the system unobservable. State estimators are prone to these attacks.
(19) Types of Attacks. 6. Eavesdropping and Replay Attacks: a kind of man-in-the-middle attack in which the attacker hacks into the communication system and gains access to the data packets being transferred. It may not be able to decode the messages due to encryption, but it can make a copy of these packets and store them, while simultaneously observing the response of the controller to these messages. This helps the attacker to correlate an action with a packet (e.g. opening of a breaker with packet A, closing with packet B, and so on). When it needs that action to be re-performed (malicious breaker tripping), it simply obstructs the actual packets and replays the previously stored packets.
(20) Cyber Attack on Power System Operations.
(22) [Block diagram: power injection and flow measurement data from remote sensors → Control Centre → System States → Operation Decisions.]
(23) False Data Injection Attacks. PERFECT ATTACKS: the attacker has knowledge of the topology and modifies either the MEASUREMENT DATA received by the control centre or the NETWORK TOPOLOGY as perceived by the control centre. IMPERFECT ATTACKS: attacks constructed from measurement data alone; knowledge of the topology is NOT EXACT. Attacker's intention: economic merit in the market, large-scale terrorism. Corruption is intelligent, to AVOID DETECTION. WRONG ESTIMATES lead to WRONG DECISIONS in favour of the attacker.
(24) To avoid detection the attack vector has to be in the column span of the H matrix: a = Hc.
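An added toy illustration of the a = Hc condition (not from the slides): a DC state estimator on a hypothetical 3-bus network with constructed reactances and measurements. It shows why a residual-based bad data detector is blind to an attack vector in the column span of H, which shifts the estimate by exactly c while leaving the residual unchanged, and why an unstructured corruption of a single meter is caught; the network values, the state shift c and the meter noise are all constructed.

```python
"""Toy DC state estimator on a hypothetical 3-bus network (added example, not from the
slides).  Bus 1 is the angle reference, states x = [theta2, theta3]; constructed line
reactances x12 = 0.1, x13 = 0.2, x23 = 0.1 pu give the H matrix below."""
from math import sqrt

# Linear measurement model z = H x + e.  Rows: P12, P13, P23 and injection at bus 2.
H = [
    [-10.0,   0.0],   # P12 = (theta1 - theta2) / x12
    [  0.0,  -5.0],   # P13 = (theta1 - theta3) / x13
    [ 10.0, -10.0],   # P23 = (theta2 - theta3) / x23
    [ 20.0, -10.0],   # Pinj2 = -P12 + P23
]

def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]

def estimate(H, z):
    """Least-squares estimate x_hat = (H^T H)^-1 H^T z; 2x2 inverse since there are 2 states."""
    HtH = [[sum(H[k][i] * H[k][j] for k in range(len(H))) for j in range(2)] for i in range(2)]
    Htz = [sum(H[k][i] * z[k] for k in range(len(H))) for i in range(2)]
    (a, b), (c, d) = HtH
    det = a * d - b * c
    inv = [[d / det, -b / det], [-c / det, a / det]]
    return matvec(inv, Htz)

def residual_norm(H, z):
    """||z - H x_hat||: the statistic a residual-based bad data detector thresholds."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, estimate(H, z)))]
    return sqrt(sum(ri * ri for ri in r))

def inject(z, a):
    """Measurements as seen by the control centre after adding attack vector a."""
    return [zi + ai for zi, ai in zip(z, a)]

# Constructed clean measurements: true state plus small meter noise.
x_true = [-0.05, -0.10]
noise = [0.002, -0.001, 0.0015, -0.002]
z = inject(matvec(H, x_true), noise)

# Structured attack a = Hc (needs H, i.e. the topology): shifts x_hat by exactly c,
# and the residual is unchanged, so the detector sees nothing.
c = [0.02, 0.0]
a_structured = matvec(H, c)
# Unstructured bad data on a single meter leaves the column span of H and
# shows up as a large residual.
a_random = [0.0, 0.0, 0.2, 0.0]

if __name__ == "__main__":
    for name, a in [("clean", [0.0] * 4), ("a = Hc", a_structured), ("one meter", a_random)]:
        print(f"{name:10s} residual = {residual_norm(H, inject(z, a)):.4f}")
```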
(25) False Data Injection on AC State Estimation. Residues. For Generalized False Data Injection.
(26) Perfect Attack: To Ensure.
(28) Automatic Generation Control. AREA CONTROL ERROR: adjust GENERATOR OUTPUTS to maintain FREQUENCY and TIE LINE FLOWS at scheduled values. Very fast acting: ACE signals every 5 s; no elaborate algorithm to validate data. If ACE is positive, it is a signal to the generators to ramp down; if ACE is negative, it is a signal to the generators to ramp up. But the perceived change in FREQUENCY and the perceived change in LOAD should be consistent. An attacker modifies the sensor outputs of TIE LINE flows and FREQUENCY to orchestrate an attack.
(29) Types of Attacks on Automatic Generation Control. Scaling attacks act faster than Ramp Attacks, but AGCs are equipped with rate limiters… High rate of change of ACE as in Scaling attacks can get detected by rate limiters.
(30) Attacks in a Two Area Power System. Any change in TIE LINE flow is perceived as a change in LOAD, and hence the change in frequency has to corroborate it.
(31) Attacks in a Two Area Power System. Interpreted by AGC as excess generation in area 1; signal sent to ramp down. Load-generation mismatch… shortage in generation… fall in frequency. Under-frequency relays trip… large regions are isolated.
(33) [Flow diagram: Generator bids and forecasted loads → Day Ahead Market (ex-ante LMP at each node; optimal generation schedule, expected line flows) → State Estimation → Real Time Market (ex-post LMP). Manipulated sensor data enters at State Estimation; the attacker has the information about ex-ante LMPs and line flows, and the resulting variations feed the ex-post LMP.]
(34) Day Ahead Market: dispatch schedule and ex-ante LMP calculation. Real Time Market: need to recalculate LMP based on run-time data to charge the difference in consumption/generation. Stochastic nature of loads… variation in dispatch… LMP calculated from Lagrange multipliers. Dispatch instruction sent to generators; real-time generation and flows are different.
(35) Real Time Market. Incremental OPF on the estimated flows. Difference in LMP between two nodes.
(36) Virtual Trading. [Diagram: nodes j1 and j2 among N nodes.] Buy at Day Ahead Market and sell at Real Time Market. Attacking principle: corrupt sensor data such that … Ensure: … Sell at Day Ahead Market and buy at Real Time Market.
(39) ATTACKS ON VOLTAGE CONTROL. Attacks targeted on TAP CHANGING TRANSFORMERS under normal operating conditions. Attackers compromise sensors so that reported values are lower than actual (attacks targeting efficient operation; attacks on voltage stability). Operators increase the tap setting; the system operates inefficiently at higher voltage, with voltage stress on equipment.
(40) ATTACKS ON VOLTAGE CONTROL. Attacks targeted on TAP CHANGING TRANSFORMERS under conditions of voltage drop. Attackers compromise sensors so that reported values are higher than actual (attacks targeting voltage stability). Operators decrease the tap setting; the system voltage drops further; voltage collapse.
(41) Types of Attacks on Voltage Control. De-synchronization attacks: delay in time-critical voltage signals for control. Denial of cooperation attacks: DoS attack on the communication network by flooding it with junk packets. Data injection attacks: insertion of malicious data into voltage measurements.
(42) Conclusion. 1. The attacker has to be intelligent to design an attack with the time scale of the operation in mind. 2. State estimation runs every 5 min, involving high data consistency checks… attacks targeting SE should be intelligent enough to bypass these checks. 3. AGC and voltage control run every 5 s… attacks targeting AGC have to be fast considering the time scale of events. 4. Operations like market clearing, where SE forms a building block, can be manipulated by manipulation of SE.
(43) Attack-Resilient Monitoring and Control of Power Grid. Kaustav Chatterjee, Department of Electrical Engineering, Indian Institute of Technology Bombay. M.Tech. Presentation, 2018. Kaustav Chatterjee. M.Tech Presentation. EE, IIT Bombay. 1 / 41.
(44) Part II: Detection of Replay Attack on Wide-Area Measurement System.
(45) Replay Attack on WAMS. Attacker hacks a PMU, records data and later replays disturbance data to mislead the operator. Can suppress the periods of disturbance with recorded ambient data. Cannot be detected by observing individual PMU data; need for a centralized detector. [Figure: Bus 9 voltage magnitude (pu) vs time, 0-18 s, showing the actual fault, the fault replay and the attack duration.]
(46) Replay Attack on WAMS (continued). [Figure: voltage magnitude (pu) at Buses 1-10 vs time, 0-18 s, showing the actual fault, the fault replay and the attack duration.]
(47) Replay Attack Detection. Objective: distinguish between data from an actual disturbance and a replay attack. Previous works: Kalman filter and LQG control based detector [1]; injecting harmonic oscillations [2]. These need an accurate linearized system model, which would vary with the operating point, and knowledge of system parameters. Proposed detectors: data-driven, model-free, looking at the trends in PMU data in unison; SVD based and Pearson correlation based. Theme: correlation in data, and lack of it during an attack. 1. Y. Mo and B. Sinopoli, "Secure Control Against Replay Attacks," in Forty-Seventh Annual Allerton Conference, July 2009. 2. A. Hoehn and P. Zhang, "Detection of Replay Attacks in Cyber-Physical Systems," in 2016 American Control Conference (ACC), July 2016.
(48) SVD Based Detection. Uses the relative change in the dominant singular values of the moving window of measurements as the metric. Let the $m$th PMU measurement at the $i$th time step be denoted by $y_m^i$, the total number of measurements be $M$ and the window length for computation be $N$. Measurement window of interest at the $k$th time step:
$$Y(k) = \begin{bmatrix} y_1^k & y_1^{k-1} & y_1^{k-2} & \cdots & y_1^{k-N+1} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ y_M^k & y_M^{k-1} & y_M^{k-2} & \cdots & y_M^{k-N+1} \end{bmatrix}$$
Singular Value Decomposition (SVD) of $Y(k)$ is $Y(k) = U \Sigma V^T$. Detection metric, with $\sigma_i^{(k)}$ the $i$th singular value of $Y(k)$:
$$\%\Delta\sigma_i = \frac{\sigma_i^{(k)} - \sigma_i^{(n)}}{\sigma_i^{(n)}} \times 100\%$$
(49) SVD Based Detection: Case Study. Window size = 200 samples, PMU reporting rate = 100 Hz, voltage magnitude measurements of the 4-machine 10-bus system [3]. Case Study I: attack at Bus 9, replaying fault at Bus 9. Case Study II: attack at Bus 9, replaying opening of Line 9-10. 3. P. Kundur, Power System Stability and Control. McGraw-Hill, Inc., 1994.
(50) Attack at Bus 9, Replaying Fault at Bus 9. [Figure: singular values σ1 (range about 42-46), σ2 (0-4) and σ3 (0-0.4) of the moving window vs time, 5-50 s.]
(51) Attack at Bus 9, Replaying Opening of Line 9-10. [Figure: voltage magnitude (pu, about 0.96-1) at Buses 6, 7, 9 and 10 vs time, 10-80 s, with the topology change and the replay attack marked; singular values σ1 (about 44.8-44.9), σ2 (0-0.1) and σ3 (0-0.04) of the moving window vs time.]
(52) Pearson Correlation Based Detection. Uses the time correlation in voltage measurements of neighboring buses: unless arrested by voltage control devices, a voltage dip from a fault propagates across the network. Let $x$ and $y$ be the time series of two measurements; then the Pearson correlation coefficient $r$ for a window of length $N$ is
$$r = \frac{\sum_{i=1}^{N} (x_i - \bar{x})(y_i - \bar{y})}{\sqrt{\sum_{i=1}^{N} (x_i - \bar{x})^2 \sum_{i=1}^{N} (y_i - \bar{y})^2}}$$
Range: $-1 \le r \le 1$ ($r = \pm 1 \Rightarrow$ high correlation $\Rightarrow$ ambient/fault condition; $r = 0 \Rightarrow$ no correlation $\Rightarrow$ replay).
(53) Case Study: Typical r Values. [Figure: scatter plots of voltage magnitudes of buses 6 and 9 (V6 vs V9, pu); fault at bus 6; window length = 2500 samples. Window of pre-fault ambient data: r = 0.9851. Window of post-fault data: r = 0.9894. Window of pre-fault and fault data: r = 0.9985. Window of attack: r = 0.0085.]
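An added example of the correlation-based replay detector described on the preceding slides (my code, not the presentation's): a sliding-window Pearson r between two constructed voltage-magnitude streams standing in for Buses 6 and 9, with a genuine fault propagating to both buses and, separately, a replay that substitutes recorded ambient data for Bus 9 during the disturbance. The 100 Hz rate and 200-sample window follow the slides; the fault shape, noise levels, attack interval and the 0.5 flag threshold are assumptions.

```python
"""Pearson-correlation replay detector over a moving PMU window (added example; the slides
describe the detector, this code and its constructed data are not theirs).  Two synthetic
streams stand in for Buses 6 and 9 of the 4-machine 10-bus case; rate and window follow the slides."""
import math
import random

WINDOW = 200                        # 2 s of samples at a 100 Hz reporting rate
FAULT_START, FAULT_END = 300, 320   # samples during which the fault is on
ATTACK = (250, 500)                 # samples over which Bus 9 data is replaced by a replay

def pearson(x, y):
    """Pearson r of two equal-length windows; 0.0 if either series is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def fault_dip(i, depth):
    """Voltage deviation from a fault: step down while on, exponential recovery after clearing."""
    if i < FAULT_START:
        return 0.0
    if i < FAULT_END:
        return -depth
    return -depth * math.exp(-(i - FAULT_END) / 40.0)

def make_streams(n=600, seed=1):
    """Return (bus6, bus9_actual, bus9_replayed): constructed pu magnitudes."""
    rng = random.Random(seed)
    common = [rng.gauss(0, 0.002) for _ in range(n)]    # system-wide ambient variation
    recorded = [rng.gauss(0, 0.002) for _ in range(n)]  # ambient the attacker captured earlier
    bus6 = [1.00 + c + fault_dip(i, 0.40) + rng.gauss(0, 0.0005) for i, c in enumerate(common)]
    bus9 = [0.98 + c + fault_dip(i, 0.25) + rng.gauss(0, 0.0005) for i, c in enumerate(common)]
    replayed = [0.98 + recorded[i] + rng.gauss(0, 0.0005) if ATTACK[0] <= i < ATTACK[1]
                else bus9[i] for i in range(n)]
    return bus6, bus9, replayed

def window_r(x, y, end):
    """r over the WINDOW samples ending just before index end."""
    return pearson(x[end - WINDOW:end], y[end - WINDOW:end])

def scan(x, y, threshold=0.5):
    """Window ends at which the buses have decorrelated (|r| < threshold): replay suspects."""
    return [k for k in range(WINDOW, len(x) + 1) if abs(window_r(x, y, k)) < threshold]

if __name__ == "__main__":
    b6, b9, rep = make_streams()
    print(f"genuine fault r = {window_r(b6, b9, 400):.3f}, replay r = {window_r(b6, rep, 400):.3f}, "
          f"first flagged window end = {scan(b6, rep)[:1]}")
```

A genuine fault keeps r near 1 in every window, while the replayed stream is flagged within a few samples of the fault appearing on Bus 6 but not on the replayed Bus 9.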