REACT to Cyber Attacks on Power Grids

TL;DR

This paper addresses cyber attacks on power grids that disrupt physical infrastructure and data, proposing a polynomial-time algorithm to detect and contain such attacks despite their complexity and the NP-hardness of the problem.

Contribution

It introduces the REACT algorithm for approximate detection of attacked areas and line failures, advancing cybersecurity measures for power grid resilience.

Findings

REACT performs well in detecting attacked areas.

Effective in identifying single, double, and triple line failures.

Works on small and large attacked areas.

Abstract

Motivated by the recent cyber attack on the Ukrainian power grid, we study cyber attacks on power grids that affect both the physical infrastructure and the data at the control center. In particular, we assume that an adversary attacks an area by: (i) remotely disconnecting some lines within the attacked area, and (ii) modifying the information received from the attacked area to mask the line failures and hide the attacked area from the control center. For the latter, we consider two types of attacks: (i) data distortion: which distorts the data by adding powerful noise to the actual data, and (ii) data replay: which replays a locally consistent old data instead of the actual data. We use the DC power flow model and prove that the problem of finding the set of line failures given the phase angles of the nodes outside of the attacked area is strongly NP-hard, even when the attacked area is known. However, we introduce the polynomial time REcurrent Attack Containment and deTection (REACT) Algorithm to approximately detect the attacked area and line failures after a cyber attack. We numerically show that it performs very well in detecting the attacked area, and detecting single, double, and triple line failures in small and large attacked areas.