By Megan Culler
Reliable power is a cornerstone of the function of modern society. People expect the lights to turn on when they flip a switch and are inconvenienced if the power goes out. Our reliance on energy can make power grids a target for adversaries who wish to disrupt power service. While most blackouts are temporary and cause minor inconveniences, large-scale blackouts can cause billions of dollars in damages, and full recovery can take months. The August 2003 blackout in the northeastern United States caused an estimated $6.4 billion in financial loss [1]. Moreover, the mortality risk of those affected by blackouts escalates for a variety of reasons. Cases of illness increase due to lack of potable water, lack of heating or cooling, and difficulty in obtaining necessary food or medicine while grocery stores or pharmacies are closed [2]. Contacting emergency services may be impossible due to downed communication networks. In addition, individuals who rely on home medical equipment can be in great danger [3]. Finally, blackouts can cause physical damage to vital equipment, not only to components of the power grid, but also in operations that need continuous power. The potential for disastrous consequences makes the grid a valuable target for adversaries, which motivates my research to explore attack detection methods and ensure the reliability of power grids in the modern cyber-connected world.
Utility providers are better equipped to handle large-scale blackouts that occur from regular part failure and maintenance than they were ten years ago. Control systems now prevent blackouts from cascading across a wide area. Operators can prepare the system for large weather events. Prediction models also account for other events that affect power usage, such as geopolitical events, seasonal trends, and social phenomena that cause power usage spikes, like the Super Bowl. However, cyberattacks are both hard to predict and dangerous to the stability of the system. Usually, when people think of cyberattacks, they imagine a hacker trying to steal a social security number or credit card details. In the context of power grids, however, attackers often want to cause a physical outcome that changes the behavior of the power system [4].
An adversary's goal in attacking a power grid may be to deny service to a particular group of customers, cause a large-scale blackout, or damage the reputation of a local utility provider. All of these are denial-of-service attacks in some capacity. In a direct attack, overloading transmission lines causes physical damage to parts, and flipping breakers shuts off service to customers. In a false data injection attack, an adversary can force an operator to make bad decisions by displaying false information. One example would be to indicate that the system is close to operating capacity. In this case, an operator might cut power to some customers to avoid a total blackout as demand rises. However, if the system is actually operating within acceptable limits, the company loses money and denies power to some customers. Alternatively, an adversary could inject data that indicates the system is stable, when in reality they are forcing the system to the limits of sustainable operation. They may even indicate that more power is needed when the system is at capacity, causing the operator to increase generation and overload lines without knowing that they are causing power flow violations [5]. Of the two injection attacks, the latter would be considered an unobservable false data injection attack, since the injected data suggests that the system is still stable.
The goal of this work is to identify unobservable false data injection attacks through sensor verification of power grids in a cyber-physical context. Unlike pure information networks, cyber-physical systems have two layers that work together to control the system. The physical layer has physical components that can be mapped in the real world, and its interactions can be easily modeled. The cyber layer is slightly more difficult to model since it is harder to visualize communication or control channels. However, modeling both layers, and more importantly, the interaction between the layers, is the key to this project.
In order to maintain stable control of a system, an operator needs the ability to make good decisions about the usage of the available generation units. These decisions can only be made by analyzing the data about the current voltage and power levels at various locations or “nodes” throughout the system. If this data cannot be trusted, a necessary component of stable operation is missing. Determining the trustworthiness of the data from the sensors at each node motivates this research. A real-time verification technique is used to score the trustworthiness of each sensor.
Data for this project is collected from models in PowerWorld, software that allows users to visualize power systems and perform complex analysis. It is not feasible to collect data from actual power grids for attack detection research, and utilities rarely share the power and voltage information from their systems. This project used a simple eight-substation power network model, originally developed as a live data feed model in PowerWorld. Substations are modeled with multiple nodes and breakers, which connect the data collected from sensors to the controls of the physical system. Added protective relays and control networks were developed by experts based on real utility controls [6]. Despite its small size, this network, shown in Figure 1, is well tested and accurately models real systems. A total of 52 nodes are defined within the eight substations, each of which measures voltage, current, real power, and reactive power. Real power is the real part of the complex power, and reactive power is its imaginary part.
A technique for real-time probing of the system is used to determine if an adversary currently has control over any substations. Two cases are initialized: one run with normal operation, and one run as if an adversary has control over a single substation. A small probe signal is sent through each system in both versions. The probe is large enough to cause a measurable change in sensor data but small enough that the system remains solvable. Measurements are taken before and after the probe is sent. The results from the normal power flow solution indicate what an operator would expect to see, while the results from the compromised power flow solution indicate what would actually be observed if the system were compromised. We compare the results to determine if any nodes have been compromised.
A variety of probing techniques were tested to achieve the most reliable detection of the specific substation under attack. The first probe tested was a small change to the voltage at a single generator node. Although operators usually want to keep voltage levels very stable at generators, very small deviations are allowable. The feasible probe size is limited to keep the voltage stable in this case. The second probe tested was a real power probe, which is analogous to increasing the output of a generator by a small amount for a short period of time. A change of this size will not unbalance the system since mid-size generator outputs are always changing to respond to changing demand. Finally, a reactive power probe was tested at load nodes, which is where the power is consumed. This type of probing is realistic because it acts like regular voltage control at a load.
In the attacked power flow simulation, one substation was compromised for experimentation as follows. The adversary forces the sensors for the generator at this substation to indicate that 50 megavolt-amperes reactive (a unit of reactive power) less reactive power is generated than is actually the case, and shows another node in the system as having low voltage. By doing this, the adversary tries to make operators increase generator output above acceptable levels by showing false low measurements.
The operator then sends the probe through the system to test the validity of the measurements they see. The power flow simulation is resolved for two cases. The first solves the attacked case, showing what the operator would actually see. The second solves the power flow under normal operating conditions, which is what the operator expects to see. Sensor measurements were collected and compared between the attacked (observed) case and the normal (expected) case.
For each simulation, four final state value measurements were collected at each node. These were voltage magnitude, voltage angle, real power, and reactive power, which together allow an operator to calculate any other value of interest in the system. On their own, they reveal critical information about the system, since all of these values typically have strict bounds within which they should fall. Comparisons between the expected and observed simulation cases can reveal critical information about the state of the system.
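As an added worked example, written for this article and not part of the paper's PowerWorld setup, the following Python carries the real power probe through a constructed six-bus, three-substation DC power flow model. Honest sensors report the true angles and line flows before and after the probe; the operator's model predicts the expected response of every sensor, and each substation is scored by the largest mismatch between observed and expected response, normalized by the largest expected response anywhere. The adversary is modeled as freezing the compromised substation's telemetry at falsified pre-probe values (the constant offset plays the role of the article's 50 MVAr misreport). The network, susceptances, injections, probe size, threshold, and this frozen-telemetry attacker are all assumptions of the example. One caveat a practitioner should keep in mind: in the linear DC model, a false offset that faithfully tracked the true response would pass this check, so the example depends on the frozen reporting; the article's AC power flow, re-solved at the falsified operating point, is what gives the compromised substation its distinguishable response.

```python
"""Probe-based sensor verification on a DC power flow model.
Added example for this article, not the paper's code. The network, line
susceptances, injections, probe, threshold and attacker are constructed."""

# Constructed network: (from_bus, to_bus, line susceptance in p.u.)
LINES = [
    (0, 1, 10.0), (1, 2, 8.0), (2, 3, 6.0),
    (3, 4, 5.0), (4, 5, 7.0), (5, 0, 4.0), (1, 4, 3.0),
]
N_BUS = 6
SLACK = 0  # reference bus: angle fixed at 0, absorbs the probe power
SUBSTATIONS = {"S1": (0, 1), "S2": (2, 3), "S3": (4, 5)}
# Net real power injection (generation minus load) at non-slack buses, p.u.
BASE_INJECTION = {1: 0.6, 2: -0.5, 3: -0.4, 4: 0.7, 5: -0.9}
FALSE_OFFSET = 0.2  # attacker under-reports one line flow by this much (p.u.)

def solve_linear(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        s = sum(m[r][c] * x[c] for c in range(r + 1, n))
        x[r] = (m[r][n] - s) / m[r][r]
    return x

def dc_power_flow(injection):
    """Return bus voltage angles (rad) from the DC power flow B' theta = P."""
    b = [[0.0] * N_BUS for _ in range(N_BUS)]
    for i, j, y in LINES:
        for p, q, sign in ((i, i, 1), (j, j, 1), (i, j, -1), (j, i, -1)):
            b[p][q] += sign * y
    keep = [k for k in range(N_BUS) if k != SLACK]  # drop the slack row/column
    reduced = [[b[i][j] for j in keep] for i in keep]
    angles = solve_linear(reduced, [injection.get(k, 0.0) for k in keep])
    theta = [0.0] * N_BUS
    for k, val in zip(keep, angles):
        theta[k] = val
    return theta

def measurements(theta):
    """Sensor vector per bus: [angle, real power flow out on each incident line]."""
    meas = {k: [theta[k]] for k in range(N_BUS)}
    for i, j, y in LINES:
        flow = y * (theta[i] - theta[j])  # flow from i towards j
        meas[i].append(flow)
        meas[j].append(-flow)
    return meas

def attacked_report(true_meas, frozen_meas, compromised):
    """Telemetry as the operator sees it: buses in the compromised substation
    replay frozen values with a false offset on their first line flow; every
    other bus reports the truth."""
    report = {}
    for k in range(N_BUS):
        if k in SUBSTATIONS[compromised]:
            vals = list(frozen_meas[k])
            vals[1] -= FALSE_OFFSET
            report[k] = vals
        else:
            report[k] = list(true_meas[k])
    return report

def run_probe(compromised, probe_bus, probe=0.05, threshold=0.1):
    """Inject a real power probe at probe_bus, compare each sensor's observed
    response with the model's expected response, and score each substation
    by its worst mismatch relative to the largest expected response."""
    before_true = measurements(dc_power_flow(BASE_INJECTION))
    probed = dict(BASE_INJECTION)
    probed[probe_bus] = probed.get(probe_bus, 0.0) + probe
    after_true = measurements(dc_power_flow(probed))
    before_obs = attacked_report(before_true, before_true, compromised)
    after_obs = attacked_report(after_true, before_true, compromised)
    scale = max(abs(a - b) for k in range(N_BUS)
                for a, b in zip(after_true[k], before_true[k])) or 1.0
    scores = {}
    for name, buses in SUBSTATIONS.items():
        worst = 0.0
        for k in buses:
            for ea, eb, oa, ob in zip(after_true[k], before_true[k],
                                      after_obs[k], before_obs[k]):
                worst = max(worst, abs((oa - ob) - (ea - eb)) / scale)
        scores[name] = worst
    flagged = [name for name, s in scores.items() if s > threshold]
    return scores, flagged

if __name__ == "__main__":
    for sub in SUBSTATIONS:  # compromise each substation in turn, probe at bus 4
        print(sub, "compromised ->", run_probe(sub, probe_bus=4))
```

Because the score is built from the change in each reading rather than its level, the constant false offset alone neither helps nor hinders detection; what exposes the compromised substation is that its reported values fail to move the way the model says they must when the probe is applied, which is the same expected-versus-observed comparison the article performs on its PowerWorld cases.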
The first probe, the modified voltage at a generator, did not produce very promising results. The results for realistically-sized probes were too small to be observable within the normal fluctuations of the system.
For the real power probe, the compromised substation clearly indicated different behavior than expected in the real power measurements and voltage angle measurements. The results were consistent regardless of the placement of the probe and scaled with the size of the probe, suggesting a true correspondence between real system values and the probe’s influence.
Finally, the reactive power probe had promising but less clear results. The measurements also showed potential to identify the compromised substation based on voltage angle. However, unlike the real power probe, the reactive power probe results did not clearly identify the compromised substation for all probe source nodes. Since operators cannot foresee attack locations, a collection of probes from different sources is required to identify the compromised substation with a reactive power probe.
The real power probes seemed to be the most efficient at correctly identifying the compromised substation, as shown in Figure 2. This probe not only gave the most consistent results regardless of probe source location, but also represented the case that is most feasible to implement. The voltage probe was limited by the desire to keep voltage levels fairly constant in a system in order to protect power flow. The reactive power probe is a signal that would be harder to control, and the results depended strongly on the source location, which in a larger system, would make it much more difficult to find the compromised substation.
The results indicated that the real-time probing solution could discover the location of a compromised substation with a high degree of accuracy. Although this was a good first step toward developing new security awareness, there is still more work to be done.
All probes tested here were simple, time-independent additions to the current values. Probe shapes that vary with time or scale based on current system parameters might have different effects on the system. The probes could take many forms without compromising the integrity of the system, and future work may reveal what type of probe is most effective at identifying attacked substations without changing the stability of the system. In addition, all tests for this experiment focused on a single probe from a single node. However, combinations of different types of probes, or experimenting with sending multiple probes from different nodes simultaneously, might make the probing technique more robust.
The next step of this project is to expand beyond the scope of the eight-substation model to verify the accuracy of the probing solution. Larger systems should be tested, and cases when multiple substations are compromised must also be considered. If it is possible for hackers to access one substation, it is likely that they can use their current knowledge to work their way deeper into the system. We can simulate this case by expanding the attack area in our simulations.
This project explored the effects that cyberattacks can have on physical systems and proposed a method to detect cyber intrusions using physical signals. Improving the modeling of cyber-physical connections will be key to developing these detection methods further, and future work will include developing new models and visualization tools, and validating the models that are currently used. The cybersecurity realm is still in its early stages, and is an exciting and vital area of continuing study.
This work was supported by the National Science Foundation under Award #1446471. I would like to thank my research adviser, Dr. Kate Davis, for her support and guidance. Thanks also go to the Undergraduate Research Scholars program at Texas A&M for help with the research process and Donald Okoye and Hao Huang for their aid.
Megan Culler '19
Megan Culler is a junior electrical engineering major from Albuquerque, New Mexico. Megan completed her research while participating in the 2017–2018 class of the Undergraduate Research Scholars under the guidance of Dr. Katherine Davis. Megan hopes to attend graduate school to get a Master’s in electrical engineering. After her education, Megan plans to work in industry or government, where she will combine her interests in electrical engineering and cybersecurity.
1. Anderson, Patrick L., and Ilhan K. Geckil. 2003. "Northeast Blackout Likely To Reduce US Earnings By $6.4 Billion". AEG Working Paper 2003. Lansing, MI: Anderson Economic Group. http://www.andersoneconomicgroup.com/Portals/0/upload/Doc544.pdf.
2. Beatty, Mark E., Scot Phelps, Chris Rohner, and Isaac Weisfuse. 2006. “Blackout Of 2003: Public Health Effects And Emergency Response”. Public Health Reports 121 (1): 36–44. doi:10.1177/003335490612100109.
3. Anderson, G. Brooke, and Michelle L. Bell. 2012. “Lights Out: Impact of the August 2003 power outage on mortality in New York, NY”. Epidemiology 23 (2): 189–193. doi:10.1097/ede.0b013e318245c61c.
4. Fawzi, Hamza, Paulo Tabuada, and Suhas Diggavi. 2014. "Secure Estimation And Control For Cyber-Physical Systems Under Adversarial Attacks". IEEE Transactions On Automatic Control 59 (6): 1454–1467. doi:10.1109/tac.2014.2303233.
5. Davis, Katherine R., Kate L. Morrow, Rakesh Bobba, and Erich Heine. 2012. “Power Flow Cyber Attacks And Perturbation-Based Defense”. 2012 IEEE Third International Conference On Smart Grid Communications (Smartgridcomm). doi:10.1109/smartgridcomm.2012.6486007.
6. Weaver, Gabriel A., Kate Davis, Charles M. Davis, Edmond J. Rogers, Rakesh B. Bobba, Saman Zonouz, Robin Berthier, Peter W. Sauer, and David M. Nicol. 2016. “Cyber-Physical Models For Power Grid Security Analysis: 8-Substation Case”. 2016 IEEE International Conference On Smart Grid Communications (Smartgridcomm). doi:10.1109/smartgridcomm.2016.7778752.