A Detection Mechanism Against Load-Redistribution Attacks in Smart Grids
Ramin Kaviani, Kory W. Hedman

TL;DR
This paper introduces a real-time, physics-based detection mechanism for load-redistribution attacks in smart grids, improving detection speed and accuracy by leveraging domain knowledge and optimization algorithms.
Contribution
It proposes a novel detection method based on power system physics and a greedy algorithm to identify sensitive attack points, enhancing existing bad data detection systems.
Findings
Successfully applied to a 2383-bus Polish test system
Achieved over 10x faster attack problem solving compared to traditional methods
Enhanced detection capability by integrating with existing mechanisms
Abstract
This paper presents a real-time non-probabilistic detection mechanism to detect load-redistribution (LR) attacks against energy management systems (EMSs). Prior studies have shown that certain LR attacks can bypass conventional bad data detectors (BDDs) and remain undetectable, which implies that presence of a reliable and intelligent detection mechanism to flag LR attacks, is imperative. Therefore, in this study a detection mechanism to enhance the existing BDDs is proposed based on the fundamental knowledge of the physics laws in the electric grid. A greedy algorithm, which can optimize the core LR attack problems, is presented to enable a fast mechanism to identify the most sensitive locations for critical assets. The main contribution of this detection mechanism is leveraging of power systems domain insight to identify an underlying exploitable structure for the core problem of LR…
[Table residue: attack-scenario table with cyber results (LA, LB, LRef in MW; line flows P in MW; cost in $) and physical results (line flows P in MW), and sensitive-bus table with columns bus, load (MW), PTDF, best attack (MW) and magnitude threshold (MW); cell values not recovered]

| Line No. | 169 |
| Continuous Thermal Rating (MW) | 926.62 |
| Cyber Power Flow (MW) | -926.62 |
| Physical Power Flow (MW) | -1178.136 |
| Overflow (MW) | 251.516 |

[Table residue: detection results under Random Attack and Normal Noise with columns TNSB and NPDSB; cell values not recovered]
A Detection Mechanism against Load-Redistribution Attacks in Smart Grids
Ramin Kaviani (https://orcid.org/0000-0001-9443-1474), Kory W. Hedman (https://orcid.org/0000-0003-3993-206X)
This work has been implemented to fulfill a part of the project: “A Verifiable Framework for Cyber-Physical Attacks and Countermeasures in a Resilient Electric Power Grid” funded by the National Science Foundation (NSF) Award under Grant 1449080. R. Kaviani and K. W. Hedman are with the School of Electrical, Computer, and Energy Engineering, Arizona State University, Tempe, AZ 85281 USA (e-mail: [email protected]; [email protected]).
Abstract
This paper presents a real-time non-probabilistic approach to detect load-redistribution (LR) attacks, which attempt to cause an overflow, in smart grids. Prior studies have shown that certain LR attacks can bypass traditional bad data detectors and remain undetectable, which implies that the presence of a reliable and intelligent detection mechanism is imperative. Therefore, in this study a detection mechanism is proposed based on the fundamental knowledge of the physics laws in electric grids. To do so, we leverage power systems domain insight to identify an underlying exploitable structure for the core problem of LR attacks, which enables the prediction of the attackers’ behavior. Then, a fast greedy algorithm is presented to find the best attack vector and identify the most sensitive buses for critical transmission assets. Finally, a security index, which can be used in practice with minimal disruptions, is developed for each critical asset with respect to the identified best attack vector and sensitive buses. The proposed approach is applied to the 2383-bus Polish test system to demonstrate the scalability and efficiency of the proposed algorithm.
Index Terms:
cyber-attack detection, false data injection attack (FDIA), greedy algorithm, linear programming (LP), load-redistribution attack detection
Nomenclature
Sets and Indices
Set of all generation units.
Index for generation unit.
Set of all generation units at bus .
Index for bus.
Set of all transmission branches.
Index for transmission branch.
Set of all measurements.
Index for measurement.
Set of all buses.
Parameters, Vectors and Matrices
Load shift factor.
The minimum load shift factor that is the start point for transmission asset to have overflow.
Production cost of unit .
vector of measurement noise errors.
Jacobian matrix of the system.
dependency matrix between power injection measurements and state variables.
row of ().
Active load (MW) at bus .
Lower bound for load deviation at each bus .
Number of states that can be compromised by attacker.
Number of buses.
Number of transmission branches.
Number of measurements.
Fixed dispatch point of unit .
Continuous thermal rating of transmission branch .
Lower limit on generation capacity of unit .
Upper limit on generation capacity of unit .
Power transfer distribution factor for branch and bus (injection) with regard to reference bus R (withdrawal).
Residual-based bad data detector threshold.
Upper bound for load deviation at each bus .
vector of measurements.
Variables
vector of false data introduced to bus angles by attacker.
Active load deviation at bus .
Dispatch point of unit .
Active power flow on target line .
vector of actual state variables.
vector of estimated state variables.
I Introduction
In power systems, state estimation (SE) is one of the key functions of energy management systems (EMSs), since many real-time operational and market decisions are driven by its results. SE is the process of using field measurements to estimate the system’s state variables with minimum error. Due to limitations like sensor calibration errors, topology errors, data transfer inaccuracies, and cyber-attacks, the received measurements (the inputs to SE) are not clean (they include noise or false data), which affects the accuracy of the SE process. To reduce the effect of noisy measurements on the SE process, state estimators are equipped with bad data detectors (BDDs) to flag and remove noisy data.
False data injection attacks (FDIAs) are a class of cyber-attacks that attempt to maliciously change the measurements and interfere in the SE process by targeting the vulnerability of BDDs. BDDs are not looking for intelligent attackers; rather, they are looking for events driven by physical limitations, such as measurement errors and faulty equipment. Therefore, it is an easy task for intelligent attackers to bypass BDDs and remain undetectable. The researchers in [1, 2, 3] showed the inability of BDDs to detect FDIAs against both direct current state estimation (DCSE) and alternating current state estimation (ACSE). Likewise, they addressed the conditions under which an attacker with complete information about a system could bypass the BDD and remain undetectable. The authors in [4] demonstrated that, without the assumption of having access to all measurements, launching an FDIA with the least number of measurements to be compromised is an NP-hard problem. To tackle this issue, the authors in [5, 6, 7, 8, 9, 10, 11] attempted to generate FDIAs with incomplete information about the system topology by applying heuristic methods, greedy algorithms, graph-theoretic approaches, and sparse optimization methods. The research study in [12] illustrated that even without any information about the system topology, attackers could construct undetectable FDIAs.
The focus of this study is on the load-redistribution (LR) attack, which is a way to implement an FDIA against power systems. In LR attacks, the attackers attempt to falsify bus injection measurements to either physically or economically damage the power system. Various researchers proposed bi-level or attacker-defender optimization problems to model LR attacks with different objectives, like maximizing operation cost or maximizing power flow on a target line [13, 14, 15, 16, 17, 18, 19], where the latter is the focus of this study. For instance, the attack model in [13] was designed in a bi-level format, in which the upper level models the attacker’s objective, maximizing the operation cost (generation cost + load shedding cost), and the lower level models the system’s response to the attack based on a base-case security-constrained economic dispatch (SCED). Likewise, the attack models in [14] and [15] were developed in bi-level formats. Their upper-level objectives maximized the physical damage of a target line, and their lower levels modeled the system’s response using a nonlinear alternating current optimal power flow (ACOPF) and a direct current optimal power flow (DCOPF), respectively. Moreover, the study in [18] investigated the physical and economic effects of LR attacks in both immediate and delayed fashions. For the immediate attacking goal, they proposed a bi-level problem to identify the worst-case attack scenario with an economic goal. For the delayed attacking purpose, they introduced a tri-level problem to maximize the operation cost as a delayed effect of tripping an overloaded line.
The authors in [20] proposed a bi-level mixed integer linear programming to design an LR attack against multiple transmission assets. LR attacks with incomplete systems’ information were designed in [21] and [22] by finding the best local attacking region.
Such prior studies have done a great job demonstrating the vulnerability of traditional BDDs, which were previously designed to detect anomalies caused by some physical limitations. It is easy not to be detected when nobody is looking for you or, in other words, “The greatest trick the devil ever pulled was convincing the world he didn’t exist” [23].
Now, researchers have acknowledged the existence of attackers and their ability to remain undetectable, which has pushed them to seek a solution. In the first place, standing against intelligent attackers starts by protecting power systems from FDIAs. Protection-based actions refer to some preventive actions, which are done at the pre-attack stage, to make it hard for attackers to launch FDIAs against power systems. In this regard, the authors in [24] proposed to place secure phasor measurement units (PMUs) at key buses in the system to defend against FDIAs.
In [25], the authors addressed a way to find the most efficient sets of measurement sensors that need to be protected from the operators’ point of view and identified the optimal sets using a brute-force approach. In [26], the authors modeled the problem of finding the least-budget defense strategy as a mixed integer nonlinear program and applied Benders’ decomposition to solve the proposed model. In [27], the interaction between an attacker and a defender is modeled by a two-person zero-sum strategic game in which the players attempt to find the Nash equilibrium and maximize their profits, considering the fact that attackers and system operators are not able to attack and defend all measurements. In [28], the authors proposed a method to find the smallest set of measurements that provides a protection scheme against the worst-case scenario, in which the attack affects the values of the most vulnerable state variables. In [29], the authors applied graph theory to find the minimum set of measurements that need to be protected. The authors in [28] and [29] developed their methods based on greedy algorithms for solving NP-hard protection-based problems. The authors in [30] determined the smallest set of protected measurements based on an iterative path augmentation algorithm for both perfect-protection and non-perfect-protection cases, which refer to protection schemes with zero possibility of hidden attacks and with some possibility of hidden attacks, respectively. In [31], the authors proposed an algorithm to secure the SE process, as well as a method to reconstruct the attacked signals. However, they focused on a noiseless framework, which is not the case in reality.
Referring to [32], attackers could still launch an attack even when all measurements but one have been protected from FDIAs, which implies the necessity of a detection scheme. Therefore, designing intelligent false data detectors is the next step in standing against intelligent attackers. Various FDIA detection methods were proposed and developed in [33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43] based on techniques like the Kalman filter, adaptive cumulative sum, low-rank decomposition (LD), Kullback-Leibler distance (KLD), sparse optimization, machine learning, and deep learning.
In this study, we develop a non-probabilistic detection mechanism based on the fundamental knowledge of the laws of physics in power systems to detect LR attacks, which attempt to cause overflows on transmission assets. This is an online monitoring mechanism that allows operators to track load deviations (given a target asset) at each time interval and flag malicious movements.
Our approach differs from other existing methods in several aspects:
- Our method successfully detects LR attacks (even the weakened ones) assuming that attackers have no limitation on altering state variables. For instance, in [33] and [36], the authors developed their detection methods on the assumption that attackers are limited to altering some of the state variables. Moreover, compared to these studies, our proposed method is modeled as a linear and convex problem, whereas the authors in [33] and [36] used the matrix low-rank decomposition technique to detect false data, which introduces non-linear convex optimization problems with more computational complexity.
- Our method successfully distinguishes random attacks from normal noise errors. In this regard, the study in [34] proposed to use the Kalman filter and a Euclidean distance metric to overcome the inability of existing Chi-square statistic-based detectors to detect FDIAs that are deliberately designed to fit the distribution of historical data or normal noise errors. The authors reported accuracy in filtering false positives due to noise errors, but they set the threshold three times bigger than the standard deviation of the generated random noise errors. In contrast, our method perfectly distinguishes LR attack scenarios (even the weakened ones) from different samples of Gaussian and non-Gaussian noise errors under realistic assumptions. In other words, our method succeeds in detecting unobservable LR attacks, which are deliberately created so that the deviations fall into the potential spectrum of generally accepted noise errors but have the preferred values at preferred buses.
- Compared to [35] and [37], our method has not been developed based on historical or statistical data; instead, it uses the current data of the system (the SE output) to detect any malicious movement.
- In [38, 39, 40, 41, 42], the authors developed detection mechanisms against cyber-attacks based on machine learning. Machine learning can make cyber security simpler, less expensive, and far more effective. However, it can only do so when there is a large amount of underlying historical data that provides a complete picture of the environment. The method proposed in this study, by contrast, can detect LR attacks regardless of the quantity and quality of the available historical data.
The main contributions of our study are summarized as follows:
1. Leveraging power systems domain insights to identify an underlying exploitable structure in LR attack problems, which helps operators to predict the attackers’ behavior.
2. Mathematically proving the ability of a greedy algorithm to solve the exploitable structure of LR attack problems to optimality, which leads system operators to find the most sensitive buses very fast even for large interconnections.
3. Proposing the number of proper deviations at sensitive buses (NPDSB) as an index that can detect LR attacks and determine a perfect boundary between LR attacks and normal noise errors.
4. Developing a real-time approach to detect LR attacks, with the goal of causing an overflow on a transmission asset, without significant changes and disruptions in existing EMSs.
This paper is organized as follows. Sec. II presents a short background on DCSE, the condition to launch an undetectable FDIA against DCSE, and LR attacks. Sec. III is divided into two subsections; the first one identifies the exploitable structure of the core problem of more sophisticated LR attack problems and the second one provides a mathematical proof to demonstrate the ability of a greedy algorithm to obtain a global optimum for the identified structure of the core problem. Sec. IV and V present simulation results and concluding remarks, respectively.
II Background
II-A DCSE and Undetectable FDIA
In the DCSE process, measurements are linked to state variables (voltage angles) via linear equations. Eq. II.1 represents these linear equations in a matrix form:
[TABLE]
where is the vector of measurements, is the vector of actual state variables of the system that needs to be estimated, is the Jacobian matrix of the system, and represents the vector of measurement noise errors.
A common approach to measure the accuracy of the SE process is to compare the -norm of the measurements residual with a certain threshold (). Then, if the -norm of the residual for a set of measurements () is greater than , it means that contains unacceptable bad data. The -norm of the residual is determined as shown in equation II.2, where is the vector of estimated states and the denotes the -norm of a vector, also known as the Euclidean norm, which calculates the distance of a vector coordinate from the origin of the vector space.
[TABLE]
A key theorem in [1] states that the vector of contaminated measurements , in which vector represents the malicious data added to actual measurements, is able to bypass residual-based BDDs if it is a linear combination of the column vectors of the Jacobian matrix . Therefore, the authors in [1] defined , in which is the state variable errors’ vector, and proved the residual-based BDD’s deficiency in detecting the attack vector .
Proof: Assume that the vector of estimated state variables after adding vector to the actual vector of measurements is , then the -norm of the residual after the attack is . After substituting with and with , the -norm of the residual is converted to . Then, considering the first and main assumption in the theorem (), equation II.3 is true.
[TABLE]
II-B LR Attacks
Every LR attack starts by falsifying bus injection measurements. In this paper, it is assumed that the attackers in LR attacks avoid changing the measurements related to the generation part since the control center directly communicates with the power plants’ control rooms. Moreover, there should not be deviations at zero injection buses.
In this paper, the only way to damage power systems through an LR attack is to increase the loads at some buses and decrease the loads at other buses. The net load should remain unchanged to avoid frequency issues. Likewise, attackers should modify power flow measurements to follow load deviations. In addition, the load deviation at each bus should be neither more nor less than pre-determined constant values. If so, the operator would flag that set of load measurements since it has load deviations far from the short-term load forecasting. These constant values are usually determined by a percentage of the forecasted load value at each bus in different directions.
At the end, after generating an undetectable LR attack, the SCED is fed with a contaminated set of loads and provides a set of fake dispatch points that leads the system to an insecure or inefficient operating state.
For instance, Fig. 1 illustrates an example of a bi-level LR attack problem to maximize the flow of a target transmission branch (line ) with limited access to specific meters [15]. In the upper-level, the attacker attempts to maximize the power flow on the target line subject to the number of available resources () and the limitations on load deviations. The lower-level is a DCOPF that models the system’s response to the attack vector generated in the upper-level.
III Modeling and Methodology
Protection-based schemes have some drawbacks: they reduce measurement redundancy [35], and they cannot guarantee perfect protection against FDIAs [32]. Therefore, we propose a detection mechanism against LR attacks that is developed based on deep knowledge of power systems. To do so, an exploitable structure for the core problem of bi-level LR attack problems is first identified. Then, based on a theorem for the optimality conditions of that exploitable structure, the proposed approach is developed and described.
III-A The Identified Exploitable Structure of the Core Problem
LR attacks are designed in such a way that they move load measurements up and down so that attackers achieve the maximum physical damage on a target transmission asset. Changing the load pattern will affect power flows. Power transfer distribution factors (PTDFs), or shift factors (SFs), determine the impact of the load change at each bus on a particular transmission asset. For instance, assume an operator wants to remove MW overflow on a particular line. To do so, the operator will take a generator at a bus with PTDF equals to for that line and move it by MW. Then he/she will take a different generator at another bus that has a PTDF for that line at and move it by MW. This procedure would result in MW and [math] MW change in the line’s flow and total supply, respectively.
Hence, the trivial approach for an operator who wants to reduce the flow on a particular line, with minimum changes, is to rank all PTDFs with flexible resources from largest to smallest (the most positive to the most negative). Then, he/she simply starts reducing the net injection of the resource at the top and simultaneously (MW for MW), increasing the resource at the bottom. If either resource runs out of capacity he/she moves to the next resource on that end and continues until the overflow disappears.
The essence of the attackers’ approach is also the same as the operators’ approach. Still, attackers are limited by the number of changes they can apply to the original resources to avoid being detected. Consequently, problem III.1-III.3 is defined as the core problem of LR attack problems, which attempts to maximize a branch overflow (in a proper direction) relative to the flexibility of resources throughout the system.
[TABLE]
[TABLE]
[TABLE]
where is the power transfer distribution factor for branch with respect to the injection at bus and withdrawal from the reference bus . is equal to , which is the malicious load deviation at bus . We used to emphasize the fact that attackers need to change bus angles in order to get appropriate deviations in loads. For instance, if the above problem results in MW load deviation at bus ( MW), the attacker needs to design vector in such a way that the value of is equal to MW. The load shift factor and forecasted load at each bus are presented by and , respectively.
In problem III.1-III.3, the main decision variables are the load deviations and the objective is to maximize the overflow on a target transmission asset. The notation implies that the overflow direction on a target transmission asset could be both positive and negative, and depends on the target asset’s pre-attack power flow direction. For instance, if an attacker wants to cause an overflow on a target asset with the pre-attack power flow equals to MW, he/she should use in equation (III.1), and if the target asset’s pre-attack power flow is MW, the attacker should use in equation (III.1).
Constraints in III.2 impose the deviation at each bus to be neither more nor less than or percent of the forecasted load at that bus (they also impose no change at zero injection buses), respectively. Constraint III.3 ensures that the net load after the LR attack remains unchanged.
In the following, the impacts of two different LR attacks, created by solving problem III.1-III.3, on a particular line in a 3-bus system (Fig. 2) is illustrated and the results are presented in Table I.
There are generation units at all buses and bus C is the reference bus. The minimum and maximum capacities of all three units are [math] and MW, respectively. Line is the target line, and two different attack vectors were created based on two different load shift factors ( and ). To get the results in Table I, we: 1) solved problem III.1-III.3 to find the most damaging attack vectors, 2) used the generated attack vectors to falsify the original loads, 3) ran the DCOPF problem to achieve the fake dispatch points, and 4) ran the DC power flow (DCPF), considering the actual loads and fake dispatch points, to find the actual physical power flows on all transmission lines.
In case , when was , malicious deviations ( = MW, = MW) led the DCOPF to provide a set of fake dispatch points (P = MW, P = MW, and P = [math]). Considering the actual loads (LA = MW, LB = MW), this set of fake dispatch points caused P = MW, P = MW, and P = MW, which showed overflow on line . In case , when was , all simulations were repeated. This time the physical line flows were P = MW, P = MW, and P = MW, which showed overflow on line .
The results demonstrate that as the attack’s energy increases ( increases), the damage can be more significant, which at some point could cause the target line to trip offline and result in a cascading blackout. However, there should be a trade-off between the attack’s energy and the detection probability, since as the energy increases, the detection probability increases.
In this study, linear optimal power flow models have been considered; this work is extendable for non-convex ACOPF formulations since the underlying special structure in the classical DCOPF is caused by Kirchhoff’s Voltage Law (KVL) and Kirchhoff’s Current Law (KCL), which remain present in all optimal power flows (OPFs).
III-B Proving the Application of a Greedy Algorithm to Solve the Core Problem of the LR Attack
After identifying the special structure of the core problem, the next step is to prove that this problem, which is a variant of the fractional knapsack problem [44] from an operations research perspective, can be solved to optimality with a greedy algorithm. Hence, in this part, the ability of greedy algorithms to optimize problem III.1-III.3 has been proved and presented.
Greedy methods attempt to build up a solution for a mathematical problem by making a sequence of choices. These choices depend on each other, and the previous choices in the solving process affect the decisions that can be made later in the process. Considering the values of possible choices at each step, a greedy algorithm selects the best local choice. This choice is called a greedy choice, and the resulting algorithm is called a greedy algorithm. Greedy algorithms produce good solutions for some mathematical problems. For example, a greedy algorithm provides the global optimum for the fractional knapsack problem [44].
In the following, a mathematical proof is presented to demonstrate that a greedy algorithm can solve problem III.1-III.3 to optimality.
After applying a greedy algorithm to solve this problem, at least one of the decision variables () is either at its lower bound or upper bound , so optimality follows from the theorem below.
Theorem 1.
Feasible solution is optimal if and only if, whenever , we find that or (or both).
Proof.
Suppose by contradiction that there is an optimal solution for which , , and . Compute . Then, add to and subtract it from , which gives another feasible solution. However, increases by , which is positive. Hence the solution cannot be optimal.
Suppose by contradiction is a feasible solution for which whenever , or , but is not an optimal solution. Choose an optimal solution in which the number of times that , () is as small as possible. Note that . Because , there is an item for which and another item for which . It follows that and (by the conditions that S satisfies), and hence that . Let . In , subtract from and add to , to get a feasible solution that changes by . Now if , yields a larger sum than does ; this contradicts the optimality of . So, this must mean that . Then is also optimal but, by construction, has fewer items than in which it disagrees with ; this contradicts the requirement that is an optimal solution with the fewest such differences. Therefore, it is concluded that no such can exist, and hence that is optimal. ∎
This proof of global optimality leads to a mechanism to predict the attackers’ moves and find the sensitive buses, given a target transmission asset. In fact, the proof shows that the identified structure of the core problem is solvable by a trivial sorting approach, so operators have no reason to solve any complicated problem to detect LR attacks, since the attackers’ strategies are strikingly simple for this type of attack. By using this mechanism, operators can swiftly determine the sensitive buses for any critical transmission asset and track the deviations at those buses to flag any set of changes that contributes to overloading that asset. Consequently, achieving a global solution (or even near optimality) becomes impossible for attackers. Therefore, attackers have to introduce some form of randomness to avoid being detected. Even if attackers apply randomness to their strategy, so much of the feasible space is cut off by the proposed attack detection mechanism that the impact of this class of attacks is rendered very low.
After finding the sensitive buses associated with all critical transmission assets, the NPDSB determines whether the current set of estimated loads is malicious or normal. To find the NPDSB related to each set of deviations, operators need to check both the direction and the magnitude of deviations at sensitive buses. Checking the direction of each deviation is simple and straightforward. For instance, if the greedy algorithm results in the load at sensitive bus increasing, but the deviation related to the current set of estimated loads at sensitive bus is negative, then regardless of the deviation magnitude it does not count as a proper deviation at sensitive bus . In the next step, the deviation magnitude should be checked; a deviation with a small magnitude cannot contribute significantly and might be a normal noisy deviation. To do so, operators need an appropriate threshold value to differentiate malicious and significant deviations from normal noise errors. This threshold value is different for each transmission asset in the system. However, considering a system with five critical assets that can be overloaded, as can be a maximum of , calculating the threshold values for these five assets is sufficient. In this regard, we defined a factor of the forecasted load at each bus as the threshold value for the deviation at that bus; if the deviation at a bus is more than its threshold value, it counts as a proper deviation, otherwise it does not. In this study, we used as the factor of the forecasted load to find the magnitude threshold for each critical transmission asset. This is the minimum value of the load shift factor that causes an overflow on asset . This policy was made based on the trivial fact that every attack created with less than is not an effective attack to cause an overflow on the target asset, and no attacker attempts to attack a system without causing any damage.
At this point, after finding the NPDSB associated with the current set of loads, operators should decide, based on the value of the NPDSB, whether the current deviations are malicious or normal. Therefore, another threshold for the value of the NPDSB should be defined, which enables operators to determine whether the system is under an LR attack from the viewpoint of flow violations. In this study, if the NPDSB associated with a set of deviations is more than half of the total number of sensitive buses (TNSB), which is the number of buses with PTDF values above (the cut-off value for PTDFs), then that set of deviations is flagged as malicious. The flowchart in Fig. 3 gives a better view of how the proposed detection mechanism works.
IV Simulation and Results
IV-A Illustrative Test Case
For further illustration, the small IEEE 6-bus test case shown in Fig. 4 is used to demonstrate the gains from our proposed approach. In this experiment, we generated two random vectors ( and ) such that one of them is an attack vector and the other is not; then, we used our proposed mechanism to identify the attack vector.
Both vectors are samples from a normal distribution, but the attack vector is simply arranged so that it causes an overload on the vulnerable line from bus to bus (line 3-5); this is the basic technique of an unobservable attack: the deviations fall within the range of generally accepted noise error, but the preferred values are placed at the preferred buses. All required information, including the load at each bus, the PTDFs with respect to line 3-5, and vectors and , is shown in Table II.
The detection process starts by solving problem III.1-III.3 to optimality with the greedy algorithm (Algorithm 1) to find the best attack vector against line 3-5, which also determines the most sensitive buses associated with this line. In Algorithm 1, all buses are sorted by the absolute values of their PTDFs in descending order. Then, considering alpha , the maximum possible deviation is assigned to each bus from top to bottom, with constraints III.2 and III.3 imposed at each step. Thus the proposed algorithm sorts the buses by their values for the target asset (PTDFs) and then uses a for-loop to find the optimum point. The main time-consuming step is sorting all of the items in decreasing order of their values. If the buses are already arranged in the required order, the for-loop takes O(N) time (N is the number of variables). Otherwise, since the average time complexity of the sorting step is O(N log N), the total time is O(N log N).
The best attack vector, PTDFs, vector , and vector are reordered and shown in Table III.
As shown in Table III, considering as the cut-off value for PTDFs, the TNSB for line 3-5 is (buses 3, 6, 5, and 2). Likewise, is (assuming that a flow deviation of more than MW causes an overflow), which means that the magnitude of each bus's deviation should be compared with percent of the forecasted load at that bus.
Vector has deviations at three buses with proper directions and magnitudes to cause an overload on line 3-5, which means that the NPDSB of this vector is (buses , , and ). On the other hand, vector has one deviation with proper direction and magnitude (bus ), which implies that the NPDSB of this vector is . Consequently, the ratio of the NPDSB of vector to the TNSB is , so it is flagged as an attack (considering as the threshold for NPDSBs). However, this ratio for vector is , which implies that vector is not a malicious set of deviations.
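The sorting-based Algorithm 1 and the NPDSB decision rule (direction check, magnitude threshold, NPDSB/TNSB ratio) applied to a 6-bus case like the one above, as an added Python example that is not the authors' code. It assumes problem III.1-III.3 maximises the PTDF-weighted sum of load deviations subject to zero net load change and a per-bus bound of alpha times the forecasted load, takes alpha_min as the overload margin divided by the flow gain at alpha = 1, and uses constructed loads, PTDFs and deviation vectors rather than the values of Table II.

```python
"""Added worked example (not the paper's code): Algorithm 1 and the NPDSB test
on a constructed 6-bus case. Assumed core problem (III.1-III.3): maximise
sum_i PTDF_i*dP_i with sum_i dP_i = 0 (net load unchanged), |dP_i| <= alpha*P_i."""
from typing import List, Tuple


def greedy_attack(loads: List[float], ptdf: List[float], alpha: float) -> Tuple[List[float], float]:
    """Best deviation vector and the flow (MW) it adds to the target asset.
    Buses whose load increase raises the flow (PTDF > 0) are paired, most
    influential first, with buses whose decrease raises it (PTDF <= 0); this
    equals filling capacities top-down in |PTDF| order under the balance."""
    n = len(loads)
    rem = [alpha * p for p in loads]               # unused |dP_i| budget
    inc = sorted((i for i in range(n) if ptdf[i] > 0), key=lambda i: -ptdf[i])
    dec = sorted((i for i in range(n) if ptdf[i] <= 0), key=lambda i: ptdf[i])
    dp, gain, a, b = [0.0] * n, 0.0, 0, 0
    while a < len(inc) and b < len(dec):
        i, j = inc[a], dec[b]
        step = ptdf[i] - ptdf[j]                   # flow added per MW shifted
        if step <= 0:                              # no pair adds flow any more
            break
        x = min(rem[i], rem[j])                    # equal shift keeps sum(dP) == 0
        dp[i], dp[j] = dp[i] + x, dp[j] - x
        rem[i], rem[j] = rem[i] - x, rem[j] - x
        gain += step * x
        a += rem[i] == 0                           # bus exhausted: move on
        b += rem[j] == 0
    return dp, gain

def sensitive_buses(ptdf: List[float], cutoff: float) -> List[int]:
    """Buses with |PTDF| above the cut-off; their count is the TNSB."""
    return [i for i, v in enumerate(ptdf) if abs(v) > cutoff]

def alpha_min(loads, ptdf, rating: float, pre_flow: float) -> float:
    """Smallest load-shift factor that overloads the asset. Assumption: added
    flow scales linearly with alpha, so alpha_min = margin / gain at alpha = 1;
    inf means no LR attack in this model can overload the asset."""
    _, gain = greedy_attack(loads, ptdf, 1.0)
    return (rating - pre_flow) / gain if gain > 0 else float("inf")

def npdsb(dev, loads, ptdf, cutoff: float, a_min: float) -> int:
    """Sensitive buses whose estimated deviation has the attack's direction
    and exceeds a_min times the forecasted load (a 'proper' deviation)."""
    best, _ = greedy_attack(loads, ptdf, 1.0)
    return sum(1 for i in sensitive_buses(ptdf, cutoff)
               if dev[i] * best[i] > 0 and abs(dev[i]) > a_min * loads[i])

def is_lr_attack(dev, loads, ptdf, cutoff, a_min, threshold=0.5) -> bool:
    """Flag the set when NPDSB / TNSB exceeds the threshold (half in the paper)."""
    tnsb = len(sensitive_buses(ptdf, cutoff))
    return tnsb > 0 and npdsb(dev, loads, ptdf, cutoff, a_min) / tnsb > threshold

# Constructed 6-bus data (not the paper's Table II): forecasted loads (MW) and
# PTDFs w.r.t. a target line rated 100 MW that carries 77.08 MW pre-attack.
LOADS = [100.0, 120.0, 90.0, 80.0, 110.0, 70.0]
PTDF = [0.05, -0.15, 0.45, -0.02, -0.30, 0.25]
CUTOFF, RATING, PRE_FLOW = 0.1, 100.0, 77.08
VEC_A = [6.0, -26.0, 20.0, 14.0, -24.0, 10.0]    # arranged, net change 0
VEC_B = [5.0, 7.0, -9.0, 4.0, -12.0, 5.0]        # noise-like, net change 0
```

With these constructed values the TNSB is 4, alpha_min is 0.2, VEC_A has 3 proper deviations (ratio 0.75, flagged) and VEC_B has none (ratio 0, normal noise).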
Fig. 4 visually displays and compares the best attack vector with random attack vector . The circle on the left-hand side of each bus is related to vector , and the circles on the right-hand side are related to the best attack vector. The size of each circle indicates the load deviation magnitude (a larger circle implies a more sensitive bus), and the color of each circle indicates the load deviation direction (red circles mean positive deviations and green circles mean negative deviations).
IV-B Case Study on the Modified 2383-Bus Polish Test System
In this case, we evaluated the scalability of our detection scheme using a modified version of the 2383-Bus Polish Test System [45]. The modifications include decreasing the continuous thermal ratings of the lines, to create base-case attacks, and setting negative loads to zero. In this section, we performed several evaluations to show the promising features of our proposed detection approach. First, we generated two attack vectors for line by solving problem III.1-III.3 twice: once with a commercial optimization package and once with the proposed greedy algorithm. The goal of this experiment was to demonstrate numerically that the proposed greedy algorithm finds the global solution of problem III.1-III.3 and obtains the same results as the commercial solver. Second, we analyzed the effectiveness and efficiency of the generated attack vector by showing the power flows that operators see in the control room and the actual physical power flows after the attack. Third, we demonstrated the ability of the proposed mechanism to detect random LR attacks and distinguish them from both Gaussian and non-Gaussian noise errors.
IV-B1 Solving Problem III.1-III.3 by Two Methods
In this subsection, we demonstrate the ability of the proposed algorithm to solve the special structure of the core problem to optimality by comparing its results with those obtained by solving problem III.1-III.3 with a commercial optimization package (GUROBI [46]). To do so, we solved problem III.1-III.3 for line , taking equal to . Both simulations were run in Java on an Intel(R) Xeon(R) CPU with 48 GB of RAM. The attack vectors from both methods matched each other perfectly. Fig. 5 shows the false deviations associated with some of the most sensitive buses.
IV-B2 Attack Efficiency Analysis
Here, as in the example in subsection III-A, we applied the attack vector to the initial load and ran the DCOPF and DCPF to find both the cyber and the actual physical power flows on the target line. The results showed that the attack was effective and efficient in causing an overflow.
By effectiveness and efficiency, we mean that the created attack has enough energy to damage the target line. Table IV provides the power flow results for the target line after the attack, including the cyber flow (the control room flow), the physical flow, and the amount of overflow.
As shown in Table IV, the generated attack succeeded in causing a MW overflow on the target line while remaining undetectable to the system operator, who saw a MW power flow on this line, which does not exceed its continuous thermal rating.
IV-B3 Detection Mechanism Efficiency Analysis
In this section, we investigated and analyzed the ability and success rate of the proposed method in detecting some random, weakened LR attacks and distinguishing them from noise errors. To do so, we broke this subsection into two parts. First, we performed experiments targeting line ; second, we took line as the target line and repeated all the tests. For both target lines we created different sets of random LR attacks and Gaussian/non-Gaussian noise errors and compared the physical effect of each set with its NPDSB.
Line 169
This line is categorized as a critical line since there is at least one LR attack scenario with at most that could physically overload it. Its continuous thermal rating is MW, its pre-attack power flow is negative (we had to use in equation III.1 to find the best attack), its TNSB is (cut-off value ), and its is .
To validate the capability of the proposed method to detect random LR attacks and distinguish them from normal noise errors, we performed two experiments. First, we generated random LR attack vectors and compared their physical effects with those of random Gaussian noise errors. Second, we generated random LR attacks and random Cauchy noise errors (non-Gaussian) and, as in the first experiment, compared their physical effects.
To obtain each random attack vector, we solved problem III.1-III.3, each time multiplying () by a random number between and , based on the fact that for less than there is no successful attack with enough energy to damage line . Next, we added a constraint forcing the deviations at randomly selected sensitive buses (for line ) to be zero.
We generated Gaussian random noise vectors from a Gaussian distribution with and such that the deviation at each bus was limited to percent of the forecasted load in either direction, there was no change at zero-injection buses, and the net load change in the system was very small. Moreover, we drew the Cauchy noise vectors from a Cauchy distribution with location and scale [47]. All random Cauchy noise errors were created subject to the same three constraints that were applied when creating the random Gaussian noise errors.
Fig. 6 shows the physical flows on the target line for each set versus their respective NPDSBs. The figure has two sub-figures: sub-figure (a) compares sets of random LR attacks with sets of Cauchy noise errors, and sub-figure (b) shows the same comparison for other sets of random LR attacks and sets of Gaussian noise errors. To obtain the physical power flows in Fig. 6, we followed the same procedure as for the 3-bus system example in subsection III-A.
As illustrated in Fig. 6, our method flagged of the random LR attack scenarios against line (red points); all points with NPDSBs above were considered malicious movements. Likewise, for both random Gaussian and non-Gaussian noise errors, the results validated the accuracy of the proposed method in differentiating random attacks from noise errors (blue points).
Line 251
Similar to line , line is a critical line, with a continuous thermal rating of MW, a TNSB of (cut-off value ), of , and a negative pre-attack power flow.
In this part, we repeated all the simulations done for line to evaluate the ability of the proposed method to detect LR attacks against another target line. As illustrated in Fig. 7, our scheme successfully detected all random LR attack scenarios (red points); every point with an NPDSB above was flagged as a malicious movement. Furthermore, the proposed method distinguished both types of noise errors from the random LR attacks against this target line, even those that could not cause an overflow.
According to the results, some random attack scenarios did not have enough energy to cause an overflow on the target line (red points above the line corresponding to the continuous thermal rating). This is because some of the randomly selected buses with zero deviations were among the most sensitive buses. Although these scenarios did not overload the target line, the proposed method still flagged them as malicious movements since their NPDSBs exceeded the determined thresholds. We generated these scenarios to show our method's capability, although this may not be the case in reality.
Due to the large number of scenarios and limited space, all the results were depicted in Fig. 6 and Fig. 7. Additionally, we presented detailed results for eight scenarios in Table V.
All attack scenarios in Table V made the target lines physically overloaded. Although there was no overflow on either target line based on the cyber power flows, our method successfully flagged all attack cases since the ratios of their NPDSBs to the TNSBs exceeded the determined thresholds. For example, in case for line , the attack successfully caused a physical overflow on line ( overflow), but the cyber power flow in the control room showed MW, which is within the thermal limits of the line. This cyber power flow value prevents the operator from being notified of an attack in the system. However, with an EMS equipped with our proposed method, even though the control room power flow shows a secure operating point, the operator can flag the attack since the ratio of the NPDSB to the TNSB is .
On the other hand, the ratios of NPDSB to TNSB for all random noise scenarios were below the thresholds, so our method did not flag these sets of load deviations. Likewise, the physical power flows on all transmission assets were within their capacity limits, which confirmed the decisions made by our method. For instance, case for line is categorized as normal noise since the ratio of its NPDSB to the TNSB is , which is not even close to the proposed threshold.
V Conclusion and Future Work
Developing an efficient, fast, and practical detection mechanism for real-time operations that requires minimal changes to the structure of existing EMSs is a challenging task. In this study, using a deeper understanding of power systems, a real-time, fast, and intelligent false data detector that flags LR attacks is introduced, designed, and evaluated. We first used power systems domain insight to identify an exploitable model for the core problem of LR attacks. Then, by proving that a simple greedy algorithm solves this model to optimality, the proposed detection mechanism is designed to find the most sensitive buses with respect to their impact on a target transmission asset. The results demonstrated that the greedy algorithm is very fast: Algorithm takes only a few milliseconds to find the global solution (for each transmission asset).
Likewise, the efficiency of the proposed method in detecting some weakened random LR attacks and its ability to distinguish malicious deviations from both random Gaussian and non-Gaussian noise errors were evaluated. According to Fig. 6 and Fig. 7, the proposed method detects all random attack scenarios and distinguishes them from all sets of random noise errors, which implies a success rate in detecting and distinguishing these scenarios.
Regarding the discrepancies between AC and DC modeling of power systems, we examined the accuracy of our method by comparing the physical consequences of a random attack vector, created by problem III.1-III.3, after running both AC and DC power flows. The results demonstrated negligible differences between the DC and AC power flows on the target assets, which implies that our method still functions when operators use AC equations to model transmission assets' power flows. Moreover, the color of each circle on the right-hand side of each bus in Fig. 4, which corresponds to the best attack vector, does not change from red to green or vice versa under AC modeling of the power system. Hence, based on these two facts, our method can still be applied to real-world EMSs.
In this study, we developed a detection mechanism on the premise that protection schemes alone are not enough to counter cyber-attacks. However, detecting a set of false measurements does not by itself complete the security response to a cyber-attack without a fast and appropriate corrective action. Therefore, a good direction for future study would be developing corrective actions that are compatible with this method.
Acknowledgment
The authors would like to thank Dr. Charlie Colbourn at Arizona State University for his kind help throughout this study. Likewise, I want to thank M. Ghaljehei and R. Khalilisenobari for their support.
