Presenter: Raghu Ranganathan
ECE / CMR
Tennessee Technological University
March 22nd, 2011
Smart grid seminar series
Yao Liu, Peng Ning, and Michael K. Reiter
Paper overview
A power grid is a complex system connecting electric generators to consumers through power transmission and distribution networks.
System monitoring is necessary to ensure the reliable operation of power grids
State estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models
Various techniques have been developed to detect and identify bad measurements
In this paper, we present a new class of attacks, called false data injection attacks, against state estimation in electric power grids.
We show that an attacker can take advantage of the power system configuration to launch such attacks
Attacker can successfully bypass the existing techniques for bad measurement detection
Paper overview
Two realistic attack scenarios
The attacker is either constrained to some specific meters (due to the physical protection of the meters)
or limited in the resources required to compromise meters
Attacker can systematically and efficiently construct attack vectors in both scenarios, affecting state estimation
Demonstrate the success of these attacks through simulation using the IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems
Results indicate that security protection of the electric power grid must be revisited.
Power Grid
Introduction
The security and reliability of power grids have a critical impact on society and people's daily life.
System monitoring is necessary to ensure the reliable operation of power grids
Provides pertinent information on the condition of a power grid based on the readings of meters placed at important areas of the power grid.
Measurements may include bus voltages, bus real and reactive power injections, and branch reactive power flows
Measurements are typically transmitted to a control center
Measurements are stored in a telemetry system, which is also known as a Supervisory Control And Data Acquisition (SCADA) system
State Estimation
State estimation is the process of estimating unknown state variables in a power grid based on the meter measurements
The output of state estimation is typically used in contingency analysis
Control the power grid components (e.g. increase the yield of the power generator)
Maintain reliable operation even if some faults (e.g. a generator breakdown) occur
An attacker can compromise meters to introduce malicious measurements
Lead to incorrect state estimation
Mislead the power grid control algorithms
Bad measurement detection techniques: Drawbacks
Detect and remove bad measurements
Bad data detection can be bypassed if the attacker knows the configuration of the power system
Detection is based on the squares of differences between the observed and estimated measurements exceeding some threshold
The attacker can generate bad measurements with knowledge of the system, thereby bypassing the bad data detection
This new class of attacks is called false data injection attacks
Mislead the state estimation process
Attack scenarios
First attack scenario: attacker is constrained to accessing some specific meters due to, for example, different physical protection of the meters
Second attack scenario: attacker is limited in the resources required to compromise meters
Two realistic attack goals
Random false data injection attacks: attacker aims to find any attack vector as long as it can lead to a wrong estimation of state variables
Targeted false data injection attacks: attacker aims to find an attack vector that can inject a specific error into certain state variables
State Estimation
Monitoring the power flows and voltages in a power system is important in maintaining system reliability
Meters monitor the system components and report their readings to the control center, which then estimates the state of power system variables from these meter measures
The state estimation problem is to estimate power system state variables $\mathbf{x} = (x_1, x_2, \ldots, x_n)^T$ based on the meter measurements $\mathbf{z} = (z_1, z_2, \ldots, z_m)^T$
$\mathbf{z} = \mathbf{h}(\mathbf{x}) + \mathbf{e}$
For DC model state estimation
$\mathbf{z} = \mathbf{H}\mathbf{x} + \mathbf{e}$
Commonly used state estimation methods
Maximum Likelihood (ML)
Weighted Least Square (WLS)
Minimum Variance criterion
Weighted Least Squares State Estimation
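When meter error is normally distributed with zero mean, the state estimate $\hat{\mathbf{x}}$ is given as follows
$\hat{\mathbf{x}} = (\mathbf{H}^T \mathbf{W} \mathbf{H})^{-1} \mathbf{H}^T \mathbf{W} \mathbf{z}$
W is a diagonal matrix whose elements are reciprocals of variances of the meter errors
$\mathbf{W} = \mathrm{diag}(\sigma_1^{-2}, \sigma_2^{-2}, \ldots, \sigma_m^{-2})$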
Bad measurement detection
Measurement residual $\mathbf{z} - \mathbf{H}\hat{\mathbf{x}}$ used to determine bad data
If $\|\mathbf{z} - \mathbf{H}\hat{\mathbf{x}}\| > \tau$, presence of bad data is assumed
If state variables are mutually independent, and meter errors have a normal distribution, $L(\mathbf{x}) = \|\mathbf{z} - \mathbf{H}\hat{\mathbf{x}}\|^2$ follows a $\chi^2(v)$ distribution with $v = m - n$ degrees of freedom
If $L(\mathbf{x}) \ge \tau^2$, indicates bad measurements, with probability of false alarm $\alpha = P(L(\mathbf{x}) \ge \tau^2)$
Related Work
Bad measurements lead to large normalized measurement residual
Large normalized measurement residual method: works well for independent, non-interacting bad measurements
Does not work for correlated bad measurements, which are called interacting bad measurements
False Data Injection Attacks: Principle
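Attacker knows the H matrix
Let $\mathbf{z}_a = \mathbf{z} + \mathbf{a}$, where $\mathbf{a} = (a_1, a_2, \ldots, a_m)^T$ is the attack vector
Let $\hat{\mathbf{x}}_{bad} = \hat{\mathbf{x}} + \mathbf{c}$, where c reflects the estimation error injected by the attacker
If the attacker uses $\mathbf{a} = \mathbf{Hc}$, then the $L_2$ norm of the measurement residual of $\mathbf{z}_a$ equals that of $\mathbf{z}$, hence bypasses the bad data detection
$\|\mathbf{z}_a - \mathbf{H}\hat{\mathbf{x}}_{bad}\| = \|\mathbf{z} + \mathbf{a} - \mathbf{H}(\hat{\mathbf{x}} + \mathbf{c})\| = \|\mathbf{z} - \mathbf{H}\hat{\mathbf{x}} + (\mathbf{a} - \mathbf{Hc})\| = \|\mathbf{z} - \mathbf{H}\hat{\mathbf{x}}\|$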
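An added worked example (not from the paper or the presentation) of the residual test and the invariance stated above: on a constructed 4-meter, 2-state DC model it compares the detector's verdict for clean data, for a gross error on one meter, and for structured data $\mathbf{z}_a = \mathbf{z} + \mathbf{Hc}$. The matrix, weights, measurements and threshold `TAU_SQ` are all constructed values.

```python
from fractions import Fraction as F

def solve(A, b):
    """Solve A x = b exactly by Gauss-Jordan elimination (A square, nonsingular)."""
    n = len(A)
    M = [[F(v) for v in row] + [F(b[i])] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for r in range(n):
            if r != col:
                M[r] = [v - M[r][col] * p for v, p in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def wls_estimate(H, w, z):
    """WLS estimate x_hat = (H^T W H)^-1 H^T W z with W = diag(w)."""
    m, n = len(H), len(H[0])
    A = [[sum(w[k] * H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    b = [sum(w[k] * H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve(A, b)

def residual_sq(H, x, z):
    """Squared L2 norm of the measurement residual z - H x."""
    return sum((zi - sum(h * xi for h, xi in zip(row, x))) ** 2
               for row, zi in zip(H, z))

# Constructed 4-meter, 2-state DC model (not one of the IEEE test systems).
H = [[1, 0], [0, 1], [1, -1], [1, 1]]
W_DIAG = [4, 4, 1, 1]                        # reciprocals of meter error variances
Z = [F(21, 10), F(9, 10), F(1), F(31, 10)]   # H applied to (2, 1), plus small noise
TAU_SQ = F(1, 10)                            # constructed detection threshold tau^2
C = [F(1, 2), F(0)]                          # error c added to the state estimate
A_VEC = [sum(h * c for h, c in zip(row, C)) for row in H]   # a = Hc
Z_INJECTED = [z + a for z, a in zip(Z, A_VEC)]               # z_a = z + a
Z_GROSS = [Z[0], Z[1], Z[2] + 1, Z[3]]       # uncoordinated error on one meter

def summary():
    """Estimate, squared residual and detector verdict for each measurement set."""
    out = {}
    for name, z in (("clean", Z), ("a=Hc", Z_INJECTED), ("gross", Z_GROSS)):
        x_hat = wls_estimate(H, W_DIAG, z)
        r2 = residual_sq(H, x_hat, z)
        out[name] = (x_hat, r2, r2 > TAU_SQ)  # flagged when ||z - H x_hat||^2 > tau^2
    return out

if __name__ == "__main__":
    for name, (x_hat, r2, bad) in summary().items():
        print(name, [float(v) for v in x_hat], float(r2), bad)
```

Exact rational arithmetic is used so that the equality of the clean and structured residuals holds without a floating-point tolerance.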
Scenario I: Limited Access to meters
Assume attacker has access to k specific meters
$I_m = \{i_1, i_2, \ldots, i_k\}$ is the index of those meters
Attacker can modify $z_{i_j}$, where $i_j \in I_m$
To launch false injection without being detected
Find a non-zero attack vector $\mathbf{a} = (a_1, a_2, \ldots, a_m)^T$, such that $a_i = 0$ for $i \notin I_m$
$\mathbf{a}$ is a linear combination of the column vectors of H ($\mathbf{a} = \mathbf{Hc}$)
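1. Random False Data Injection attack
Vector c can be any value
Compute a which satisfies $\mathbf{a} = \mathbf{Hc}$ by eliminating c
To simplify let $\mathbf{P} = \mathbf{H}(\mathbf{H}^T\mathbf{H})^{-1}\mathbf{H}^T$ and $\mathbf{B} = \mathbf{P} - \mathbf{I}$, with $\mathbf{PH} = \mathbf{H}$
$\mathbf{a} = \mathbf{Hc} \Rightarrow \mathbf{Pa} = \mathbf{PHc} \Rightarrow \mathbf{Pa} = \mathbf{Hc} \Rightarrow \mathbf{Pa} = \mathbf{a} \Rightarrow \mathbf{Pa} - \mathbf{a} = \mathbf{0} \Rightarrow (\mathbf{P} - \mathbf{I})\mathbf{a} = \mathbf{0} \Rightarrow \mathbf{Ba} = \mathbf{0}$
Vector a satisfies $\mathbf{a} = \mathbf{Hc}$ if and only if $\mathbf{Ba} = \mathbf{0}$
$a_i = 0$ for $i \notin I_m$
Let the $m \times k$ matrix $\mathbf{B}' = (\mathbf{b}_{i_1}, \mathbf{b}_{i_2}, \ldots, \mathbf{b}_{i_k})$, and the length k vector $\mathbf{a}' = (a_{i_1}, a_{i_2}, \ldots, a_{i_k})^T$
$\mathbf{Ba} = \mathbf{0} \Leftrightarrow \mathbf{B}'\mathbf{a}' = \mathbf{0}$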
1. Random False Data Injection attack: Rank of $\mathbf{B}'$
If the rank of $\mathbf{B}'$ is less than k, $\mathbf{B}'$ is a rank deficient matrix, and there exist an infinite number of non-zero solutions
If the rank of $\mathbf{B}'$ is equal to k, $\mathbf{B}'$ is not a rank deficient matrix, and the relation $\mathbf{B}'\mathbf{a}' = \mathbf{0}$ has a unique solution $\mathbf{a}' = \mathbf{0}$
Hence, no error can be injected into the state estimation
2. Targeted False Data Injection Attack
Attacker intends to inject specific errors into certain chosen state estimation variables
Mathematically, this is represented as follows
Let $I_v = \{i_1, i_2, \ldots, i_r\}$, where $r < n$, denote the set of indices of the r target state variables, i.e. $x_{i_1}, x_{i_2}, \ldots, x_{i_r}$ are the target state variables
Attacker intends to construct a such that the result state estimate $\hat{\mathbf{x}}_{bad} = \hat{\mathbf{x}} + \mathbf{c}$, where $\mathbf{c} = (c_1, c_2, \ldots, c_n)^T$ and $c_i$ for $i \in I_v$ is the specific error that is added to $\hat{x}_i$
Two cases:
Constrained: attacks only the target variables without affecting other variables
Unconstrained: attacker has no concerns about the non target variables
Constrained attack
$a_i = 0$ for $i \notin I_m$
Every element $c_i$ in $\mathbf{c}$ is fixed, either the chosen value when $i \in I_v$ or 0 when $i \notin I_v$
Attacker substitutes $\mathbf{c}$ back into $\mathbf{a} = \mathbf{Hc}$, and checks if $a_i = 0$ for $i \notin I_m$
If yes, attack possible
Unconstrained attack
Scenario II: Limited resources to compromise meters
Assume attacker has limited resources to compromise up to k meters
Unlike Scenario I, no restriction on what meters the attackers can choose
Attacker needs to find a k-sparse, nonzero attack vector a that satisfies $\mathbf{a} = \mathbf{Hc}$
1. Random False Data Injection Attack
Attacker may use a brute-force approach to construct a to compromise up to k meters
Attacker may try all possible a's containing k unknown non-zero elements
For each candidate a, check if there is a non-zero solution to $\mathbf{Ba} = \mathbf{0}$
If yes, attack vector exists
2. Targeted False Data Injection Attack
Constrained Case
Attacker substitutes c in the relation $\mathbf{a} = \mathbf{Hc}$
If the resulting a is k-sparse, attacker is successful in finding the attack vector
Unconstrained Case
Attacker needs to find a k-sparse vector a that satisfies $\mathbf{B}_s\mathbf{a} = \mathbf{y}$
Minimum Weight Solution for Linear Equations problem
Can be heuristically solved using Matching Pursuit (MP), and Basis Pursuit (BP) methods
Experimental Results
The false data injection attacks are validated through experiments using IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems
DC power flow model is used
MATPOWER, a MATLAB package, is used for solving the power flow problems
Experiments based on the matrix H, and meter measurements obtained from MATPOWER
State variables are voltage angles of all buses
Meter measurements are real power injections of all buses and real power flows of all branches
Results of Scenario I
For random false data injection attacks, k varied from 1 to the maximum number of meters in each test system.
For each k, we randomly choose k specific meters to attempt an attack vector construction.
We repeat this process 100 times for both IEEE 118-bus and 300-bus systems and 1,000 times for the other systems
Estimate the success probability $p_k$ (probability of successfully constructing an attack vector with k given meters)
$p_k = \dfrac{\#\,\text{successful trials}}{\#\,\text{trials}}$
$R_k$ denotes the percentage of the specific meters under the attacker's control, i.e. $R_k = \dfrac{k}{\text{total number of meters}}$
Targeted false data injection attack: Constrained Case
Randomly pick 6 sets of meters for the IEEE 118-bus and 300-bus systems.
In each set, there are 350 meters and 700 meters for the IEEE 118-bus and 300-bus systems, respectively.
Check the number of individual target state variables that can be affected by each set of meters in the constrained case (i.e., without affecting the estimation of the remaining state variables).
Results of Scenario II
Attacker has limited resources to compromise up to k meters.
Compared with Scenario I, the restriction on the attacker is relaxed in the sense that any k meters can be used for the attack.
Two evaluation metrics
number of meters to compromise in order to construct an attack vector
execution time required for constructing an attack vector.
Three cases examined
random false data injection attacks
targeted false data injection attacks in the constrained case
targeted false data injection attacks in the unconstrained case
For all test systems, the attacker can construct an attack vector for random false data injection attacks by only compromising 4 meters.
This is mainly due to the fact that the H matrices of all these IEEE test systems are sparse.
For example, the H matrix of the IEEE 300-bus system is a 1,122 × 300 matrix, but most of the entries are 0's.
In particular, the sparsest column in H only has 4 non-zero elements.
In practice, components in a power system that are not physically adjacent to each other are usually not connected.
As a result, the H matrices of the power systems are often sparse.
Targeted false data injection attack: Constrained Case
In the experiments, we randomly choose $l$ ($1 \le l \le 10$) target state variables and generate malicious data for each of them.
The malicious values are set to be 100 times larger than the real estimates of the state variables.
Examine how many meters need to be compromised in order to inject the malicious data (without changing the other non-target state variables).
For each $l$, perform the above experiment 1,000 times to examine the distribution of the number of meters that need to be compromised.
Targeted false data injection attack: Unconstrained Case
In the unconstrained case, the attacker wants to inject malicious data into specific state variables
Matching Pursuit algorithm is used to find attack vectors
Two evaluation metrics
number of meters to compromise in order to construct an attack vector
execution time required for constructing an attack vector.
Conclusions
In this paper, a new class of attacks, called false data injection attacks, was presented against state estimation in electric power systems.
It is shown that an attacker can take advantage of the configuration of a power system to launch such attacks to bypass the existing techniques for bad measurement detection.
Two realistic attack scenarios:
attacker is either constrained to some specific meters,
or limited in the resources required to compromise meters.
Simulations were performed on IEEE test systems to demonstrate the success of these attacks
Results in this paper indicate that the security protection of the electric power grid must be revisited