False Data Injection Attacks - Tennessee Tech University

Nov 21, 2013 (3 years and 8 months ago)

Presenter: Raghu Ranganathan

ECE / CMR

Tennessee Technological University

March 22nd, 2011

Smart grid seminar series

Yao Liu, Peng Ning, and Michael K. Reiter

Paper overview


A Power Grid is a complex system connecting electric generators to consumers through power transmission and distribution networks.

System monitoring is necessary to ensure the reliable operation of power grids

State estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models

Various techniques have been developed to detect and identify bad measurements

In this paper, we present a new class of attacks, called false data injection attacks, against state estimation in electric power grids.

We show that an attacker can take advantage of the power system configuration to launch such attacks

Attacker can successfully bypass the existing techniques for bad measurement detection

Paper overview


Two realistic attack scenarios

The attacker is either constrained to some specific meters (due to the physical protection of the meters)

limited in the resources required to compromise meters

Attacker can systematically and efficiently construct attack vectors in both scenarios, affecting state estimation

Demonstrate the success of these attacks through simulation using the IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems

Results indicate that security protection of the electric power grid must be revisited.

Power Grid

Introduction


The security and reliability of power grids has critical impact on society and people’s daily life.

System monitoring is necessary to ensure the reliable operation of power grids

provides pertinent information on the condition of a power grid based on the readings of meters placed at important areas of the power grid.

measurements may include bus voltages, bus real and reactive power injections, and branch reactive power flows

measurements are typically transmitted to a control center

Measurements stored in a telemetry system, which is also known as Supervisory Control And Data Acquisition (SCADA) system

State Estimation


State estimation is the process of estimating unknown state variables in a power grid based on the meter measurements

The output of state estimation is typically used in contingency analysis

control the power grid components (e.g. increase the yield of the power generator)

maintain the reliable operation (e.g. a generator breakdown) even if some faults occur

An attacker can compromise meters to introduce malicious measurements

Lead to incorrect state estimation

Mislead the power grid control algorithms

Bad measurement detection techniques: Drawbacks


Detect and remove bad measurements

Bad measurement detection can be bypassed if the attacker knows the configuration of the power system

Detection based on the squares of differences between the observed and estimated measurements exceeding some threshold

The attacker can generate bad measurements with knowledge of the system, thereby bypassing the bad data detection

This new class of attacks is called false data injection attacks

Mislead the state estimation process

Attack scenarios


First attack scenario: attacker is constrained to accessing some specific meters due to, for example, different physical protection of the meters

Second attack scenario: attacker is limited in the resources required to compromise meters

Two realistic attack goals

Random false data injection attacks: attacker aims to find any attack vector as long as it can lead to a wrong estimation of state variables

Targeted false data injection attacks: attacker aims to find an attack vector that can inject a specific error into certain state variables

State Estimation


Monitoring the power flows and voltages in a power system is important in maintaining system reliability

Meters monitor the system components and report their readings to the control center, which then estimates the state of power system variables from these meter measures

The state estimation problem is to estimate power system state variables $x = (x_1, x_2, \ldots, x_n)^T$ based on the meter measurements $z = (z_1, z_2, \ldots, z_m)^T$: $z = h(x) + e$

For DC model state estimation $z = Hx + e$

Commonly used state estimation methods

Maximum Likelihood (ML)

Weighted Least Square (WLS)

Minimum Variance criterion

Weighted Least Squares State Estimation


When meter error is normally distributed with zero mean, the state estimate $\hat{x}$ is given as follows

$\hat{x} = (H^T W H)^{-1} H^T W z$

W is a diagonal matrix whose elements are reciprocals of variances of the meter errors

$W = \mathrm{diag}(\sigma_1^{-2}, \sigma_2^{-2}, \ldots, \sigma_m^{-2})$


Bad measurement detection


Measurement residual $z - H\hat{x}$ used to determine bad data

If $\|z - H\hat{x}\| > \tau$, presence of bad data is assumed

If state variables are mutually independent, and meter errors have normal distribution, $L(x) = \|z - H\hat{x}\|^2$ follows a $\chi^2(v)$ distribution with $v = m - n$ degrees of freedom

$P(L(x) \ge \tau^2) = \alpha$

If $L(x) \ge \tau^2$, this indicates bad measurements, with probability of false alarm $\alpha$

Related Work

Bad measurements lead to large normalized measurement residual

Large normalized measurement residual method:

works well for independent, non-interacting bad measurements

Does not work for correlated bad measurements, which are called interacting bad measurements


False Data Injection Attacks: Principle


Attacker knows the H matrix

Let $z_a = z + a$, where $a = (a_1, a_2, \ldots, a_m)^T$ is the attack vector

Let $\hat{x}_{bad} = \hat{x} + c$, where c reflects the estimation error injected by the attacker

If the attacker uses $a = Hc$, then the $L_2$ norm of the measurement residual of $z_a$ equals that of $z$, hence bypasses the bad data detection

$\|z_a - H\hat{x}_{bad}\| = \|z + a - H(\hat{x} + c)\| = \|z - H\hat{x} + (a - Hc)\| = \|z - H\hat{x}\|$

Scenario I: Limited Access to meters


Assume attacker has access to k specific meters

$I_m = \{i_1, i_2, \ldots, i_k\}$ is the index of those meters

Attacker can modify $z_{i_j}$, where $i_j \in I_m$

To launch false injection without being detected

Find a non-zero attack vector $a = (a_1, a_2, \ldots, a_m)^T$, such that $a_i = 0$ for $i \notin I_m$

$a$ is a linear combination of the column vectors of H ($a = Hc$)

1. Random False Data Injection attack


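Vector c can be any value

Compute a which satisfies $a = Hc$ by eliminating c

To simplify let $P = H(H^T H)^{-1} H^T$ and $B = P - I$

$PH = H$

$a = Hc \Leftrightarrow Pa = PHc \Leftrightarrow Pa = Hc \Leftrightarrow Pa = a \Leftrightarrow Pa - a = 0 \Leftrightarrow (P - I)a = 0 \Leftrightarrow Ba = 0$

Vector a satisfies $a = Hc$ if and only if $Ba = 0$

$a_i = 0$ for $i \notin I_m$

Let the $m \times k$ matrix $B' = (b_{i_1}, b_{i_2}, \ldots, b_{i_k})$, and the length k vector $a' = (a_{i_1}, a_{i_2}, \ldots, a_{i_k})^T$

$Ba = 0 \Leftrightarrow B'a' = 0$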



1. Random False Data Injection attack: Rank of $B'$

If the rank of $B'$ is less than k, $B'$ is a rank deficient matrix, and there exist an infinite number of non-zero solutions

If the rank of $B'$ is equal to k, $B'$ is not a rank deficient matrix, and the relation $B'a' = 0$ has a unique solution $a' = 0$

Hence, no error can be injected into the state estimation
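
The residual argument from the Principle slide and the rank test on B' from Scenario I, worked through in Python as an added example that is not from the slides or the paper. The 5-meter matrix H, the readings, the meter error standard deviation of 0.1 and the threshold TAU are constructed toy values, and admits_hidden_injection is a hypothetical helper name; the check shows which sets of unprotected meters leave the residual test blind.

```python
import numpy as np

# Constructed 5-meter, 3-state measurement matrix (toy values, not an IEEE test system).
H = np.array([[1, 0, 0], [1, -1, 0], [0, 1, -1], [0, 0, 1], [1, 0, -1]], dtype=float)
W = np.diag(np.full(5, 0.1) ** -2.0)  # assumed meter error std dev of 0.1 on every meter
TAU = 0.1                             # assumed detection threshold on the residual norm

def wls_estimate(z):
    """State estimate x_hat = (H^T W H)^-1 H^T W z."""
    return np.linalg.solve(H.T @ W @ H, H.T @ W @ z)

def residual_norm(z):
    """L2 norm of the measurement residual z - H x_hat."""
    return float(np.linalg.norm(z - H @ wls_estimate(z)))

def flagged(z):
    """Residual-based bad measurement detection: residual norm above TAU."""
    return residual_norm(z) > TAU

def admits_hidden_injection(meters):
    """Scenario I audit for a list of 0-based meter indices: True if rank(B') < k,
    i.e. some non-zero a that is zero outside `meters` satisfies Ba = 0."""
    P = H @ np.linalg.inv(H.T @ H) @ H.T
    B = P - np.eye(H.shape[0])
    return int(np.linalg.matrix_rank(B[:, meters], tol=1e-9)) < len(meters)

# Constructed readings: a true state plus small fixed meter noise.
z = H @ np.array([0.10, 0.05, -0.02]) + np.array([0.01, -0.02, 0.015, 0.0, -0.01])
c = np.array([0.0, 0.5, 0.0])                      # error added to the second state variable
z_a = z + H @ c                                    # a = Hc, the case the slides analyse
z_spike = z + np.array([0.0, 0.5, 0.0, 0.0, 0.0])  # one bad meter, not of the form Hc

if __name__ == "__main__":
    for name, meas in [("clean", z), ("a = Hc", z_a), ("one bad meter", z_spike)]:
        print(f"{name:14s} residual={residual_norm(meas):.4f} flagged={flagged(meas)}")
    print("estimate shift under a = Hc:", wls_estimate(z_a) - wls_estimate(z))
    for meters in ([0, 1], [1, 2], [0, 3]):
        print("meters", meters, "admit hidden injection:", admits_hidden_injection(meters))
```

The single bad meter is flagged while the a = Hc case keeps the clean residual and shifts the estimate by exactly c, and meter sets for which the helper returns False cannot carry such an injection on their own.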

2. Targeted False Data Injection Attack

Attacker intends to inject specific errors into certain chosen state estimation variables

Mathematically, this is represented as follows

Let $I_v = \{i_1, i_2, \ldots, i_r\}$, where $r < n$, denote the set of indices of the r target state variables, i.e. $x_{i_1}, x_{i_2}, \ldots, x_{i_r}$ are the target state variables

Attacker intends to construct a such that the resulting state estimate $\hat{x}_{bad} = \hat{x} + c$, where $c = (c_1, c_2, \ldots, c_n)^T$ and $c_i$ for $i \in I_v$ is the specific error that is added to $\hat{x}_i$

Two cases:

Constrained: attacks only the target variables without affecting other variables

Unconstrained: attacker has no concerns about the non target variables

Constrained attack



$a_i = 0$ for $i \notin I_m$

Every element $c_i$ in $c$ is fixed, either the chosen value when $i \in I_v$ or 0 when $i \notin I_v$

Attacker substitutes $c$ back into $a = Hc$, and checks if $a_i = 0$ for $i \notin I_m$

If yes, attack possible

Unconstrained attack

Scenario II: Limited resources to compromise meters


Assume attacker has limited resources to compromise up to k meters

Unlike Scenario I, no restriction on what meters the attackers can choose

Attacker needs to find a k-sparse, nonzero attack vector a that satisfies $a = Hc$

1. Random False Data Injection Attack


Attacker may use a brute-force approach to construct a to compromise up to k meters

Attacker may try all possible a’s containing k unknown non-zero elements

For each candidate a, check if there is a non zero solution to $Ba = 0$

If yes, attack vector exists

2. Targeted False Data Injection Attack


Constrained Case

Attacker substitutes c in the relation $a = Hc$

If the resulting a is k-sparse, attacker is successful in finding the attack vector

Unconstrained Case

Attacker needs to find a k-sparse vector a that satisfies $B_s a = y$

Minimum Weight Solution for Linear Equations problem

Can be heuristically solved using Matching Pursuit (MP), and Basis Pursuit (BP) methods

Experimental Results


The false data injection attacks are validated through experiments using IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems

DC power flow model is used

MATPOWER, a MATLAB package, is used for solving the power flow problems

Experiments based on the matrix H, and meter measurements obtained from MATPOWER

State variables are voltage angles of all buses

Meter measurements are real power injections of all buses and real power flows of all branches

Results of Scenario I


For random false data injection attacks, k varied from 1 to the maximum number of meters in each test system.

For each k, we randomly choose k specific meters to attempt an attack vector construction.

We repeat this process 100 times for both IEEE 118-bus and 300-bus systems and 1,000 times for the other systems

Estimate the success probability $p_k$ (probability of successfully constructing an attack vector with k given meters)

$p_k = \frac{\#\text{ successful trials}}{\#\text{ trials}}$

$R_k$ denotes the percentage of the specific meters under the attacker’s control, i.e., $\frac{k}{\text{total number of meters}}$

Targeted false data injection attack: Constrained Case


Randomly pick 6 sets of meters for the IEEE 118-bus and 300-bus systems.

In each set, there are 350 meters and 700 meters for the IEEE 118-bus and 300-bus systems, respectively.

Check the number of individual target state variables that can be affected by each set of meters in the constrained case (i.e., without affecting the estimation of the remaining state variables).

Results of Scenario II


Attacker has limited resources to compromise up to k meters.

Compared with Scenario I, the restriction on the attacker is relaxed in the sense that any k meters can be used for the attack.

Two evaluation metrics

number of meters to compromise in order to construct an attack vector

execution time required for constructing an attack vector.

Three cases examined

random false data injection attacks

targeted false data injection attacks in the constrained case

targeted false data injection attacks in the unconstrained case


For all test systems, the attacker can construct an attack vector for random false data injection attacks by only compromising 4 meters.

This is mainly due to the fact that the H matrices of all these IEEE test systems are sparse.

For example, the H matrix of the IEEE 300-bus system is a 1,122×300 matrix, but most of the entries are 0’s.

In particular, the sparsest column in H only has 4 non-zero elements.

In practice, components in a power system that are not physically adjacent to each other are usually not connected.

As a result, the H matrices of the power systems are often sparse.

Targeted false data injection attack: Constrained Case


In the experiments, we randomly choose $l$ ($1 \le l \le 10$) target state variables and generate malicious data for each of them.

The malicious values are set to be 100 times larger than the real estimates of the state variables.

Examine how many meters need to be compromised in order to inject the malicious data (without changing the other non-target state variables).

For each $l$, perform the above experiment 1,000 times to examine the distribution of the number of meters that need to be compromised.

Targeted false data injection attack: Unconstrained Case

In the unconstrained case, the attacker wants to inject malicious data into specific state variables

Matching Pursuit algorithm is used to find attack vectors

Two evaluation metrics

number of meters to compromise in order to construct an attack vector

execution time required for constructing an attack vector.

Conclusions


In this paper, a new class of attacks, called false data injection attacks, was presented against state estimation in electric power systems.

It is shown that an attacker can take advantage of the configuration of a power system to launch such attacks to bypass the existing techniques for bad measurement detection.

Two realistic attack scenarios:

attacker is either constrained to some specific meters,

limited in the resources required to compromise meters.

Simulations were performed on IEEE test systems to demonstrate the success of these attacks

Results in this paper indicate that the security protection of the electric power grid must be revisited