Bad Data Injection in Smart Grid:
Attack and Defense Mechanisms
Zhu Han
University of Houston
Overview
Introduction to Smart Grid
Power System State Estimation Model
Bad Data Injection
Defender Mechanism
– Quickest Detection
Attacker Learning Scheme
– Independent Component Analysis
Future Work
A Few Topics in Smart Grid Communication
Conclusions
Quick View of Amigo Lab
“Smarter” Power Grid
Sensing, measurement, and control devices with two-way communications between the suppliers and customers.
Benefits both utilities, consumers & environment:
– Reduce supply while fitting demand
– Save money, optimal usage.
– Improve reliability and efficiency of the grid
– Integration of green energy, reduction of CO2
More than 3.4 billion from the US federal stimulus bill is targeted.
– Obama stimulus plan
One of the hottest topics in the research community
– But what are the problems from the signal processing, communication and networking points of view?
Smart Grid
[Figure: smart grid diagram. Callouts: renewables are more easily integrated into the power system and reduce dependence on fossil fuel; electric vehicles connect to the grid to charge overnight when demand is low; real-time analysis to manage, plan, and forecast the energy system to meet its needs; customers can generate their own energy and sell back the excess; utilities gather and monitor usage to supply more efficiently and anticipate challenging peaks; sophisticated communication technology finds and fixes problems faster, enhancing reliability; an in-home management tool tracks usage.]
Supervisory Control and Data Acquisition Center
Real-time data acquisition
– Noisy analog measurements: voltage, current, power flow
– Digital measurements
State estimation
– Maintain the system in the normal state
– Fault detection
– Power flow optimization
– Supply vs. demand
SCADA transmits data to/from the Remote Terminal Units (RTUs), the substations in the grid.
Privacy & Security Concern
More connections and more technology are linked to the obsolete infrastructure.
– Add-on network technology: sensors and controls estimation
– More substations are automated/unmanned
Vulnerable to manipulation by a third party
– Deliberate blackout
– Financial gain
– Story of Enron
How to tackle this issue at this moment? One example is provided next.
Power System State Estimation Model
Transmitted active power from bus i to bus j
– High reactance over resistance ratio
– Linear approximation for small variance
– State vector x, measurement noise e with covariance Σe
– Actual power flow measurements for the m active power flow branches
– Define the Jacobian matrix H
– We have the linear approximation z = Hx + e
– H is known to the power system but not known to the attackers
Bad Data Injection and Detection
State estimation from z
Bad data detection
– Residual vector
– Without attacker
– Bad data detection (with a threshold): decide “without attacker” or “with attacker” depending on whether the residual exceeds the threshold
Stealth (unobservable) attack: z = Hx + c + e, where c = HΔx
– The hypothesis test would fail to detect the attacker, since the control center believes that the true state is x + Δx.
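The following is an added worked example, not code from the slides: a DC state estimator with the residual (chi-square) bad-data test described above, run on three measurement vectors. The 4-bus network, reactances, noise values, true angles and the attack vectors are all constructed for illustration (they are not the IEEE test cases used later in the talk), and the noise is assumed to have equal variance so that Σe = σ²I. The "gross" case is an attacker who does not know H and corrupts one meter; the "stealth" case is c = HΔx, which shifts the estimate by Δx while leaving the residual, and therefore the detector, unchanged.

```python
"""Added example, not from the slides: DC state estimation with a residual
(chi-square) bad-data test, and why c = H*dx is invisible to that test.
Everything below is constructed illustration data."""

# Constructed 4-bus DC model: (from bus, to bus, reactance x_ij) in per unit.
BRANCHES = [(1, 2, 0.10), (1, 3, 0.20), (2, 3, 0.25), (2, 4, 0.30), (3, 4, 0.15)]
STATE_BUSES = [2, 3, 4]      # bus 1 is the angle reference (theta_1 = 0)
SIGMA = 0.01                 # measurement noise std dev, Sigma_e = SIGMA^2 * I (assumed)
CHI2_99_2DOF = 9.21          # chi-square 99% quantile with m - n = 5 - 3 degrees of freedom


def jacobian(branches=BRANCHES, state_buses=STATE_BUSES):
    """H for the DC approximation P_ij = (theta_i - theta_j) / x_ij (high X/R ratio)."""
    col = {bus: k for k, bus in enumerate(state_buses)}
    H = []
    for i, j, x in branches:
        row = [0.0] * len(state_buses)
        if i in col:
            row[col[i]] += 1.0 / x
        if j in col:
            row[col[j]] -= 1.0 / x
        H.append(row)
    return H


def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) for row in M]


def transpose(M):
    return [list(c) for c in zip(*M)]


def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def solve(A, b):
    """Gaussian elimination with partial pivoting; fine for small dense systems."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for k in range(n):
        p = max(range(k, n), key=lambda r: abs(M[r][k]))
        M[k], M[p] = M[p], M[k]
        for r in range(k + 1, n):
            f = M[r][k] / M[k][k]
            for c in range(k, n + 1):
                M[r][c] -= f * M[k][c]
    x = [0.0] * n
    for k in range(n - 1, -1, -1):
        x[k] = (M[k][n] - sum(M[k][c] * x[c] for c in range(k + 1, n))) / M[k][k]
    return x


def wls_estimate(H, z):
    """x_hat = (H^T H)^-1 H^T z; with Sigma_e = sigma^2 I the weight matrix cancels."""
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))


def residual_test(H, z, sigma=SIGMA, threshold=CHI2_99_2DOF):
    """Return (x_hat, J, alarm) with J = ||z - H x_hat||^2 / sigma^2 and alarm = J > threshold."""
    x_hat = wls_estimate(H, z)
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    J = sum(ri * ri for ri in r) / sigma ** 2
    return x_hat, J, J > threshold


# Constructed scenario: true bus angles (rad) and fixed noise draws so the run is repeatable.
X_TRUE = [-0.05, -0.10, -0.15]
NOISE = [0.004, -0.006, 0.002, 0.008, -0.003]


def scenarios():
    """Clean measurements, one gross bad datum (attacker without H), and stealth c = H*dx."""
    H = jacobian()
    z_clean = [h + e for h, e in zip(matvec(H, X_TRUE), NOISE)]
    z_gross = z_clean[:]
    z_gross[0] += 0.5                      # corrupt a single meter; inconsistent with H
    dx = [0.02, 0.0, -0.03]                # c = H*dx is consistent with H: residual unchanged
    z_stealth = [zi + ci for zi, ci in zip(z_clean, matvec(H, dx))]
    results = {name: residual_test(H, z)
               for name, z in [("clean", z_clean), ("gross", z_gross), ("stealth", z_stealth)]}
    return results, dx


if __name__ == "__main__":
    results, dx = scenarios()
    for name, (x_hat, J, alarm) in results.items():
        print(f"{name:8s} J={J:8.2f} alarm={alarm} x_hat={[round(v, 4) for v in x_hat]}")
```

Running it shows J well below the threshold for the clean case, J in the hundreds for the gross error, and for the stealth case exactly the clean J with the estimate shifted by Δx: the residual test only checks consistency with H, so it cannot see an injection that lies in the column space of H.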
Basics of Quickest Detection (QD)
Detect distribution changes of a sequence of observations as quickly as possible, subject to a constraint on the false alarm or detection probability.
min [processing time]
s.t. Prob(true ≠ estimated) < η
Classification
1. Bayesian framework: known prior information on the probability
   SPRT (e.g. quality control, drug test)
2. Non-Bayesian framework: unknown distribution and no prior
   CUSUM (e.g. spectrum sensing, abnormality detection)
QD System Model
Assuming a Bayesian framework with a non-stealthy attack
– the state variables are random with a given distribution
The binary hypothesis test:
The distribution of the measurement z under the two hypotheses (they differ only in mean)
We want a detector
– False alarm and detection probabilities
Detection Model – Non-Bayesian
Non-Bayesian approach
– unknown prior probability, unknown attacker statistical model
The unknown parameter exists
– in the post-change distribution and may change over the detection process.
– You do not know how the attacker attacks.
Minimizing the worst-case effect via the detection delay:
We want to detect the intruder as soon as possible while maintaining P_D.
[Figure: timeline showing the actual time of the active attack, the detection time, and the detection delay between them.]
Multi-thread CUSUM Algorithm
CUSUM Statistic:
where the likelihood ratio term of the m measurements:
By recursion, the CUSUM statistic S_t at time t:
$S_t = \max[\, S_{t-1} + L_t(Z_t),\ 0 \,]$
Average run length (ARL) for declaring an attack with threshold h
How about the unknown?
If S_t exceeds h, declare that an attacker is present! Otherwise, continue the process.
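A scalar CUSUM detector as an added example (not from the slides). It implements the recursion S_t = max[S_{t-1} + L_t(Z_t), 0] with a Gaussian mean-shift log-likelihood ratio in which the post-change mean is assumed known, i.e. the plain CUSUM rather than the slides' multi-thread variant with an unknown parameter, and adds a Monte Carlo estimate of the average run length to a false alarm (ARL_0) for a given threshold h. The residual sequence, the shift size and the thresholds are constructed; the attack is placed at t = 5 to mirror the simulation setting later in the talk.

```python
"""Added example, not from the slides: scalar CUSUM for a mean shift in the
state-estimation residual, plus a Monte Carlo ARL_0 estimate.
The observation sequence, shift size and thresholds are constructed values."""
import random

MU0, MU1, SIG = 0.0, 2.0, 1.0   # pre-change mean, assumed post-change mean, known std dev


def log_lr(z, mu0=MU0, mu1=MU1, sig=SIG):
    """Log-likelihood ratio L_t(z) of N(mu1, sig^2) against N(mu0, sig^2)."""
    return (mu1 - mu0) * (z - (mu0 + mu1) / 2.0) / sig ** 2


def cusum(obs, h, llr=log_lr):
    """S_t = max[S_{t-1} + L_t(z_t), 0]; returns (alarm time or None, path of S_t).
    Times are 1-based so that obs[0] is t = 1."""
    S, path = 0.0, []
    for t, z in enumerate(obs, start=1):
        S = max(S + llr(z), 0.0)
        path.append(S)
        if S > h:
            return t, path
    return None, path


def arl_to_false_alarm(h, runs=100, max_len=4000, seed=1):
    """Monte Carlo ARL_0: mean time until the statistic crosses h when no change occurs.
    Runs are capped at max_len steps, so the estimate is a lower bound for large h."""
    rng = random.Random(seed)
    total = 0
    for _ in range(runs):
        S, t = 0.0, 0
        while t < max_len:
            t += 1
            S = max(S + log_lr(rng.gauss(MU0, SIG)), 0.0)
            if S > h:
                break
        total += t
    return total / runs


# Constructed residual sequence: nominal up to t = 4, mean shift (attack) from t = 5.
OBS = [0.3, -0.5, 0.8, -0.2, 2.4, 1.9, 2.6, 1.7, 2.2, 2.8]

if __name__ == "__main__":
    for h in (5.0, 8.0):
        t_alarm, path = cusum(OBS, h)
        print(f"h={h}: alarm at t={t_alarm}, S_t={[round(s, 2) for s in path]}")
        print(f"       estimated ARL_0 = {arl_to_false_alarm(h):.0f}")
```

With these values the lower threshold raises the alarm at t = 7 and the higher one at t = 8, while the estimated ARL_0 grows sharply with h: a lower threshold buys a shorter detection delay at the price of more frequent false alarms, which is the trade-off behind choosing h for a target false alarm rate.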
Linear Solver for the Unknown
Rao test
– asymptotically equivalent model of the GLRT:
The linear unknown solver for the m measurements:
Recursive CUSUM statistic with the linear unknown-parameter solver:
– Modified CUSUM statistic: $S_t = \max[\, S_{t-1} + (\text{Rao-test term in } Z_t \text{ over the } m \text{ measurements}),\ 0 \,]$
The unknown is no longer involved.
Simulation: Adaptive CUSUM algorithm
2 different detection tests: FAR of 1% and 0.1%
Active attack starts at time 5
Detection of the attack at time 7 and 8, for the different FARs
Markov Chain based Analytical Model
Divide the statistic space into discrete states between 0 and the threshold
– Obtain the transition probabilities
– Obtain the expectation of the detection delay, the false alarm rate and the missing probability
Independent Component Analysis (ICA)
Linear Independent Component Analysis
– find a linear representation of the data so that the components are as statistically independent as possible.
– i.e., among the data, find how many independent sources there are.
Question for bad data injection:
– Without knowing H, the attacker can be caught.
– Could the attacker launch a stealthy attack on the system even without knowledge of H?
– Using ICA, the attacker could estimate H and consequently launch an undetectable attack.
ICA Basics
A special case of blind source separation: u = G v
u = [u_i, i = 1, 2, … m]: observable vector
G = [g_ij, i = 1, 2, … m, j = 1, 2, … n]: mixing matrix (unknown)
v = [v_i, i = 1, 2, … n]: source vector (unknown)
Linear ICA implementation: FastICA from [Hyvärinen]
Stealth False Data Injection with ICA
Supposing that the noise is small, we want to do the mapping:
u = G v  ↔  z = H x
Problem: the state vector x is highly correlated
Consider x = A y, where
– A: constant matrix that can be estimated
– y: independent random vector
Then we can apply linear ICA on z = HA y
– We cannot know H, but we can know HA
– Stealthy attack: z = Hx + HAΔy + e
Numerical Simulation Setting
Simulation setup
– 4-bus test system, IEEE 14-bus and 30-bus
– Matpower
Numerical Results
MSE of the ICA inference (z − Gy) vs. the number of observations (14-bus case).
Performance of the Attack
The PDF is the same with or without attacking.
So the log likelihood is equal to 1
– unable to detect
1. Distributed Smart Grid State Estimation
Deregulation has led to the creation of many regional transmission organizations within a large interconnected power system.
Distributed estimation and control is needed.
– Distributed observability analysis
– Bad data detection
Challenges:
– Bottleneck and reliability problems with one coordination center.
– Need for wide area monitoring and control
– Convergence and optimality
Fully-Distributed State Estimation
With N substations/nodes
– By iteratively exchanging information with neighbors
– All local control centers can achieve an unbiased consensus on the system-wide state estimation.
[Figure: local measurement model, labelled “local observation matrix”, “unknown state”, “local Jacobian matrix” and “useful information to be detected”.]
2. Optimality of Fault Detection Algorithm
Detecting the attack as an intermediate step towards obtaining a reliable estimate of the injected false data
– Facilitates eliminating the disruptive effects of the false data
Joint estimation and detection problem
– Define an estimation performance measure
– Seek to optimize it while ensuring satisfactory detection performance
[Figure: performance measurement.]
3. Manipulate Electricity Market
Example: Ex Post Market
Market that recalculates the optimal points for generation and consumption based on real-time data
Min: $\sum_{i=1}^{I} C_i(Pg_i)$  (Generation Cost)
s.t.: $\sum_{i=1}^{I} Pg_i = \sum_{l=1}^{L} P_l$  (Power Balance)
$Pg_i^{\min} \le Pg_i \le Pg_i^{\max},\ i = 1,\dots,I$ and $F_l^{\min} \le F_l \le F_l^{\max},\ l = 1,\dots,L$  (Generation & Transmission limits) [28]
4. PMU
A PMU can measure the voltage angle directly
– Defender: placement problem, no need to place PMUs nearby
– Attackers’ new strategy with the existence of PMUs
[Figure: 7-bus network (buses 1 to 7) with PMU placements.] [29]
5. Game Theory Analysis
Payoff pairs are (attacker, defender); columns are the attacker’s strategies N and A, rows are the defender’s strategies N and D:
            attacker N    attacker A
defender N    (0, 0)        (b, −b)
defender D    (c, −c)       (−a, a)
a, b, c: payoff parameters
How to formulate the game?
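One way to formulate the game above, as an added example that is not part of the slides: treat the payoff table as a 2×2 zero-sum game in the attacker's payoff (0, b, c, −a as on the slide), check for a pure saddle point, and otherwise compute the mixed strategies that make each side indifferent. The solver is generic; `bad_data_game` just fills in the slide's matrix, and the parameter values used at the bottom are constructed. The reading it gives is defender-oriented: the equilibrium frequency of defending is set by b (the attacker's gain from an unpunished injection), and the attacker's equilibrium attack frequency is set by c (the cost of defending when nothing happens).

```python
"""Added example, not from the slides: solving the 2x2 zero-sum attacker/defender
game with the slide's payoffs to the attacker (0, b, c, -a). Parameter values
used below are constructed illustration values."""
from fractions import Fraction


def solve_zero_sum_2x2(M):
    """M[r][c] = payoff to the row player (maximizer); the column player minimizes.
    Returns (row strategy, column strategy, game value) as exact Fractions."""
    M = [[Fraction(v) for v in row] for row in M]
    maximin = max(min(row) for row in M)
    minimax = min(max(col) for col in zip(*M))
    if maximin == minimax:                      # pure saddle point exists
        r = max(range(2), key=lambda i: min(M[i]))
        c = min(range(2), key=lambda j: max(M[0][j], M[1][j]))
        row = [Fraction(int(i == r)) for i in range(2)]
        col = [Fraction(int(j == c)) for j in range(2)]
        return row, col, maximin
    # No saddle point: each player mixes so that the opponent is indifferent.
    den = M[0][0] - M[0][1] - M[1][0] + M[1][1]   # nonzero whenever no saddle exists
    p = (M[1][1] - M[1][0]) / den                 # probability of row 0
    q = (M[1][1] - M[0][1]) / den                 # probability of column 0
    value = p * M[0][0] + (1 - p) * M[1][0]
    return [p, 1 - p], [q, 1 - q], value


def bad_data_game(a, b, c):
    """Attacker rows (N, A) vs defender columns (N, D); entries are attacker payoffs
    taken from the slide's table: (N,N)=0, (A,N)=b, (N,D)=c, (A,D)=-a."""
    M = [[0, c],       # attacker N: 0 against defender N, c against defender D
         [b, -a]]      # attacker A: b if undefended, -a if defended
    (_, p_attack), (_, q_defend), value = solve_zero_sum_2x2(M)
    return {"p_attack": p_attack, "q_defend": q_defend, "value": value}


if __name__ == "__main__":
    # Constructed values: penalty a = 3, attacker gain b = 2, defense cost c = 1.
    print(bad_data_game(a=3, b=2, c=1))
```

For a, b, c > 0 there is never a pure saddle point (the attacker's maximin is 0 while the defender's minimax is min(b, c) > 0), so the equilibrium is always mixed: the attacker attacks with probability c/(a+b+c), the defender defends with probability b/(a+b+c), and the value of the game to the attacker is bc/(a+b+c).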
A Few Topics in Smart Grid Communications
Bad data injection
Demand side management
– Peak to average ratio
– Scheduling problem
Renewable energy
– The renewable energy is unreliable.
– Have to use diesel generators during shortage
– Not cheap and not green
PHEV
– routing, scheduling and resource allocation
Communication link effect on the smart grid
Conclusions
Bad data injection problem formulation
From the defender’s point of view
– detect the malicious bad data injection attack as quickly as possible
– Adaptive CUSUM algorithm
From the attacker’s point of view
– can estimate both the system topology and the power states just by observing the power flow measurements
– Independent component analysis algorithm to obtain the information
– Once the information is at hand, malicious attacks can be launched without triggering the detection system
Many possible directions for future work
Edited book 2012 by Cambridge with E. Hossain and V. Poor.
Possible future collaboration
Overview of Wireless Amigo Lab
Lab Overview
– 7 Ph.D. students, 2 joint postdocs (with Rice and Princeton)
– supported by 5 NSF, 1 DoD, and 1 Qatar grants
Current Concentration
– Game theoretical approach for wireless networking
– Compressive sensing and its application
– Smart grid communication
– Bayesian nonparametric learning
– Security: trust management, belief network, gossip-based Kalman
– Physical layer security
– Quickest detection
– Cognitive radio routing/security
– Sniffing: femto cell and cloud computing
USRP2 Implementation Testbed
Questions
Thank you for listening and supporting!