Bad Data Injection in Smart Grid: Attack and Defense Mechanisms

Nov 21, 2013

Zhu Han

University of Houston





Overview


Introduction to Smart Grid


Power System State Estimation Model


Bad Data Injection


Defender Mechanism


Quickest Detection


Attacker Learning Scheme


Independent Component Analysis


Future Work


A Few Topics in Smart Grid Communication


Conclusions


Quick View of Amigo Lab





“Smarter” Power Grid

Sensing, measurement, and control devices with two-way communications between the suppliers and customers.

Benefits utilities, consumers and the environment:

Reduce supply while fitting demand

Save money, optimal usage

Improve reliability and efficiency of the grid

Integration of green energy, reduction of CO2

More than 3.4 billion from the US federal stimulus bill (Obama stimulus plan) is targeted.

One of the hottest topics in the research community

But what are the problems from the signal processing, communication and networking points of view?







Smart Grid

[Figure: smart grid components, with the following callouts]

More easily integrated into the power system; less dependence on fossil fuel.

Connect to the grid to charge overnight when demand is low.

Real-time analysis: manage, plan, and forecast the energy system to meet the needs.

Can generate own and sell back excess energy.

Gather and monitor usage so as to supply more efficiently and anticipate challenging peaks.

Use sophisticated communication technology to find/fix problems faster, enhancing reliability.

In-home management tool to track usage.




Supervisory Control and Data Acquisition Center

Real-time data acquisition

Noisy analog measurements: voltage, current, power flow

Digital measurements

State estimation

Maintain the system in a normal state

Fault detection

Power flow optimization: supply vs. demand

SCADA transmits data from/to the Remote Terminal Units (RTUs), the substations in the grid





Privacy & Security Concern

More connections and more technology are linked to the obsolete infrastructure.

Add-on network technology: sensors, controls and estimation

More substations are automated/unmanned

Vulnerable to manipulation by third parties

Deliberate blackout

Financial gain

Story of Enron

How to tackle this issue at this moment? One example is provided next.





Power System State Estimation Model

Transmitted active power from bus i to bus j

High reactance-over-resistance ratio

Linear approximation for small variance

State vector x, measurement noise e with covariance Σ_e

Actual power flow measurements for m active power-flow branches

Define the Jacobian matrix H

We have the linear approximation z = Hx + e

H is known to the power system but not known to the attackers

Bad Data Injection and Detection

State estimation from z

Bad data detection

Residual vector

Without attacker

where

Bad data detection (with threshold):

without attacker:

with attacker:

otherwise

Stealth (unobservable) attack: z = Hx + c + e, where c = HΔx

The hypothesis test would fail to detect the attacker, since the control center believes that the true state is x + Δx.
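As an added illustration of the residual test and the stealth case above (example code written for this page, not from the slides or the authors' work): a constructed 3-bus DC model, a chi-square residual test, and a comparison of crude bad data against an injection aligned with H. The reactances, noise level, true state and the 1% threshold are all assumptions.

```python
# Added example for this page (not the slides' code): DC state estimation with a
# chi-square residual test, and why an injection c = H*dx passes that test.
# Constructed 3-bus model: bus 1 is the slack (angle 0), state x = [theta2, theta3].
# Meters read the active flows P12, P13, P23 over branches with constructed
# reactances 0.1, 0.2, 0.25 p.u., so z = H x + e with H below.
H = [[-10.0, 0.0],   # P12 = (theta1 - theta2)/0.1, theta1 = 0
     [0.0, -5.0],    # P13 = (theta1 - theta3)/0.2
     [4.0, -4.0]]    # P23 = (theta2 - theta3)/0.25
SIGMA = 0.01         # noise std, equal for every meter (Sigma_e = SIGMA^2 * I)
THRESHOLD = 6.63     # chi-square, 1 degree of freedom (m - n = 3 - 2), 1% false alarm

def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]

def estimate_state(z):
    """Weighted least squares with equal weights: x_hat = (H^T H)^-1 H^T z (2x2 solve)."""
    c1, c2 = [r[0] for r in H], [r[1] for r in H]
    a = sum(u * u for u in c1)
    b = sum(u * v for u, v in zip(c1, c2))
    d = sum(v * v for v in c2)
    g1 = sum(u * w for u, w in zip(c1, z))
    g2 = sum(v * w for v, w in zip(c2, z))
    det = a * d - b * b
    return [(d * g1 - b * g2) / det, (a * g2 - b * g1) / det]

def chi2_statistic(z):
    """J = r^T Sigma_e^-1 r, with residual r = z - H x_hat."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, estimate_state(z)))]
    return sum((ri / SIGMA) ** 2 for ri in r)

def bad_data_detected(z, threshold=THRESHOLD):
    return chi2_statistic(z) > threshold

# Constructed true state and a fixed noise draw so the run is repeatable.
X_TRUE = [-0.05, -0.08]
E = [0.004, -0.006, 0.003]
Z_CLEAN = [h + e for h, e in zip(matvec(H, X_TRUE), E)]
# Crude bad data: one meter off by 0.3 p.u.; it leaves the column space of H,
# so the residual grows and the test fires.
Z_CRUDE = [Z_CLEAN[0] + 0.3, Z_CLEAN[1], Z_CLEAN[2]]
# Model-consistent injection c = H dx: the estimate moves by exactly dx while the
# residual (hence J) is unchanged, which is why the hypothesis test cannot see it.
DX = [0.02, -0.03]
Z_STEALTH = [z + c for z, c in zip(Z_CLEAN, matvec(H, DX))]

if __name__ == "__main__":
    for name, z in (("clean", Z_CLEAN), ("crude", Z_CRUDE), ("stealth", Z_STEALTH)):
        print(f"{name:8s} J = {chi2_statistic(z):7.3f}  flagged = {bad_data_detected(z)}")
```

The residual is identical for the clean and the stealth case because the least-squares estimate is linear in z, so the defender needs a second signal (the quickest-detection statistic of the next slides, or measurements outside the attacker's model) rather than the residual alone.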












Basics of Quickest Detection (QD)

Detect distribution changes in a sequence of observations as quickly as possible, under a constraint on the false alarm or detection probability.

min [processing time]

s.t. Prob(true ≠ estimated) < η

Classification

1. Bayesian framework: known prior information on the probability; SPRT (e.g. quality control, drug test)

2. Non-Bayesian framework: unknown distribution and no prior; CUSUM (e.g. spectrum sensing, abnormality detection)








QD System Model

Assuming the Bayesian framework with a non-stealthy attack, the state variables are random with

The binary hypothesis test:

The distribution of the measurement z under the two hypotheses (they differ only in mean)

We want a detector with given false alarm and detection probabilities


Detection Model - Non-Bayesian

Non-Bayesian approach: unknown prior probability, unknown attacker statistical model

The unknown parameter exists in the post-change distribution and may change over the detection process.

You do not know how the attacker attacks.

Minimizing the worst-case effect via the detection delay:

We want to detect the intruder as soon as possible while maintaining P_D.

[Figure: timeline showing the actual time of the active attack, the detection time, and the detection delay between them]





Multi-thread CUSUM Algorithm

CUSUM statistic:

where $L_t(Z_t)$ is the likelihood ratio term of the m measurements.

By recursion, the CUSUM statistic $S_t$ at time t:

$S_t = \max\left[\, S_{t-1} + L_t(Z_t),\ 0 \,\right]$

Average run length (ARL) for declaring an attack with threshold h

If $S_t$ exceeds h: declare that an attacker is present! Otherwise, continue the process.

How about the unknown?




Linear Solver for the Unknown

Rao test: asymptotically equivalent model of the GLRT

The linear unknown solver for m measurements:

Recursive CUSUM statistic with the linear unknown-parameter solver:

Modified CUSUM statistic

$S_t = \max\left[\, S_{t-1} + \sum_{l=1}^{m} z_t^T \Sigma^{-1} (\,\cdot\,)^T \Sigma^{-1} z_t,\ 0 \,\right]$

(the factor between the two $\Sigma^{-1}$ terms did not survive extraction)

The unknown is no longer involved




Simulation: Adaptive CUSUM algorithm


2 different detection tests: FAR: 1% and 0.1%


Active attack starts at time 5


Detection of attack at time 7 and 8, for different FARs
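The recursion S_t = max[S_{t-1} + L_t(Z_t), 0] and the threshold-versus-delay trade-off of the simulation above, as an added example written for this page (not the authors' simulation code): three meters whose measurements differ only in mean before and after the attack, a fixed noise draw with the shift starting at t = 5, and a Monte Carlo run length to a false alarm. All means, noise values and thresholds are constructed.

```python
# Added example for this page (not the slides' simulation code): multi-meter CUSUM
# quickest detection of a mean shift, as in the QD model where the distributions
# differ only in mean. Constructed values: m = 3 meters, unit noise std.
import random

SIGMA = 1.0
MU0 = [0.0, 0.0, 0.0]      # mean under normal operation
MU1 = [1.0, -0.8, 0.6]     # post-change mean assumed known to the detector

def llr(z, mu0=MU0, mu1=MU1, sigma=SIGMA):
    """L_t(z_t): log-likelihood ratio summed over the m independent Gaussian meters."""
    return sum(((zi - a) ** 2 - (zi - b) ** 2) / (2 * sigma ** 2)
               for zi, a, b in zip(z, mu0, mu1))

def cusum_alarm(stream, h):
    """S_t = max(S_{t-1} + L_t(z_t), 0); alarm at the first t with S_t > h.
    Returns (alarm time or None, trajectory of S_t)."""
    s, traj = 0.0, []
    for t, z in enumerate(stream, start=1):
        s = max(s + llr(z), 0.0)
        traj.append(s)
        if s > h:
            return t, traj
    return None, traj

def arl_no_attack(h, runs=60, cap=1000, seed=1):
    """Monte Carlo average run length to a false alarm at threshold h (no attack)."""
    rng, total = random.Random(seed), 0
    for _ in range(runs):
        s, t = 0.0, 0
        while s <= h and t < cap:
            s = max(s + llr([rng.gauss(a, SIGMA) for a in MU0]), 0.0)
            t += 1
        total += t
    return total / runs

# Constructed stream: normal for t = 1..4, mean shifted from t = 5 on; the noise
# draw is fixed so the alarm times are repeatable.
NOISE = [[0.3, -0.2, 0.1], [-0.4, 0.5, 0.2], [0.6, 0.1, -0.3], [0.1, -0.3, 0.4],
         [0.2, 0.1, -0.1], [-0.3, -0.2, 0.3], [0.5, 0.0, 0.2], [0.0, 0.3, -0.4],
         [-0.2, -0.4, 0.1], [0.4, 0.2, 0.0]]
ATTACK_START = 5
STREAM = [[(MU1[i] if t >= ATTACK_START else MU0[i]) + n[i] for i in range(3)]
          for t, n in enumerate(NOISE, start=1)]
if __name__ == "__main__":
    for h in (2.0, 4.0):   # higher h: rarer false alarms, but longer detection delay
        t_alarm, _ = cusum_alarm(STREAM, h)
        print(f"h={h}: alarm t={t_alarm}, delay={t_alarm - ATTACK_START}, "
              f"ARL w/o attack ~ {arl_no_attack(h):.0f}")
```

With these numbers the alarm fires at t = 6 for h = 2 and at t = 8 for h = 4, the same shape as the slide's result: a tighter false-alarm rate buys its reliability with a longer detection delay.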





Markov Chain based Analytical Model


Divide statistic space into discrete states between 0 and threshold


Obtain the transition probabilities


Obtain expectation of detection delay, false alarm rate and missing
probability











Independent Component Analysis (ICA)

Linear Independent Component Analysis: find a linear representation of the data so that the components are as statistically independent as possible, i.e., among the data, find how many independent sources there are.

Question for bad data injection:

Without knowing H, the attacker can be caught.

Could an attacker launch a stealthy attack on the system even without knowledge of H?

Using ICA, the attacker could estimate H and consequently launch an undetectable attack.







ICA Basics

A special case of blind source separation: u = G v

u = [u_i, i = 1, 2, ..., m]: observable vector

G = [g_ij, i = 1, 2, ..., m, j = 1, 2, ..., n]: mixing matrix (unknown)

v = [v_i, i = 1, 2, ..., n]: source vector (unknown)

Linear ICA implementation: FastICA from [Hyvärinen]







Stealth False Data Injection with ICA

Supposing that the noise is small, we want to make the mapping: u = G v ↔ z = H x

Problem: the state vector x is highly correlated

Consider x = A y, where A is a constant matrix that can be estimated and y is a vector of independent random variables

Then we can apply linear ICA on z = HA y

We cannot know H, but we can know HA

Stealthy attack: z = Hx + HAΔy + e





Numerical Simulation Setting

Simulation setup: 4-bus test system, IEEE 14-bus and 30-bus

Matpower







Numerical Results

MSE of the ICA inference (z - Gy) vs. the number of observations (14-bus case).

Performance of the Attack

The PDF is the same with or without the attack, so the likelihood ratio is equal to 1: the detector is unable to detect the attack.











1. Distributed Smart Grid State Estimation

Deregulation has led to the creation of many regional transmission organizations within a large interconnected power system.

Distributed estimation and control is needed.

Distributed observability analysis

Bad data detection

Challenges:

Bottleneck and reliability problems with one coordination center

Need for wide-area monitoring and control

Convergence and optimality






Fully-Distributed State Estimation

With N substations/nodes

By iteratively exchanging information with neighbors, all local control centers can achieve an unbiased consensus of the system-wide state estimate.

[Figure: per-node model with labels: local observation matrix, unknown state, local Jacobian matrix, useful information to be detected]




2. Optimality of Fault Detection Algorithm

Detecting the attack as an intermediate step towards obtaining a reliable estimate of the injected false data

Facilitates eliminating the disruptive effects of the false data

Joint estimation and detection problem

Define an estimation performance measure

Seek to optimize it while ensuring satisfactory detection performance

[Figure: performance measurement]





3. Manipulate Electricity Market

Example: Ex Post Market

Market that recalculates the optimal points for generation and consumption based on real-time data

$\min \sum_{i=1}^{I} C_i(Pg_i)$  (generation cost)

s.t. $\sum_{i=1}^{I} Pg_i = P$  (power balance)

$Pg_i^{\min} \le Pg_i \le Pg_i^{\max},\ i = 1,\ldots,I;\quad F_l^{\min} \le F_l \le F_l^{\max},\ l = 1,\ldots,L$  (generation & transmission limits)

[28]





4. PMU

PMUs can measure the voltage angle directly

Defender: placement problem, no need to place nearby

Attackers' new strategy in the presence of PMUs

[Figure: 7-bus example network with PMU placements, from [29]]





5. Game Theory Analysis

Payoffs (attacker, defender); the attacker plays N or A (columns), the defender plays N or D (rows):

                N           A
    N        (0, 0)     (b, -b)
    D       (c, -c)     (-a, a)

a, b, c

How to formulate the game?





A Few Topics in Smart Grid Communications


Bad data injection


Demand side management


Peak to average ratio


Scheduling problem


Renewable energy


The renewable energy is unreliable.


Have to use diesel generators during shortage


Not cheap and not green


PHEV


routing, scheduling and resource allocation


Communication link effect on the smart grid






Conclusions

Bad data injection problem formulation

From the defender's point of view: detect malicious bad data injection attacks as quickly as possible; adaptive CUSUM algorithm

From the attacker's point of view: can estimate both the system topology and the power states just by observing the power flow measurements; independent component analysis algorithm to obtain the information; once the information is at hand, malicious attacks can be launched without triggering the detection system

Many possible future works

Edited book, 2012, by Cambridge with E. Hossain and V. Poor.

Possible future collaboration







Overview of Wireless Amigo Lab


Lab Overview


7 Ph.D. students, 2 joint postdocs (with Rice and Princeton)

Supported by 5 NSF, 1 DoD, and 1 Qatar grants

Current Concentration

Game theoretical approach for wireless networking

Compressive sensing and its applications

Smart grid communication


Bayesian nonparametric learning


Security: trust management, belief network, gossip based Kalman


Physical layer security


Quickest detection


Cognitive radio routing/security


Sniffing: femto cell and cloud computing


USRP2 Implementation Testbed








Questions



Thank you for listening and supporting!