Moving-Target Defense for Detecting Coordinated Cyber-Physical Attacks in Power Grids
Subhash Lakshminarayana, E. Veronica Belmega, H. Vincent Poor

TL;DR
This paper introduces a moving target defense strategy using D-FACTS devices to detect and mitigate coordinated cyber-physical attacks on power grids by actively perturbing transmission line reactances.
Contribution
It proposes a novel MTD approach with a systematic design and game-theoretic optimization for deploying D-FACTS devices to detect CCPAs effectively.
Findings
Effective detection of CCPAs demonstrated in simulations
Reduced defense costs through optimized D-FACTS deployment
Validated approach on IEEE bus system models
Abstract
This work proposes a moving target defense (MTD) strategy to detect coordinated cyber-physical attacks (CCPAs) against power grids. A CCPA consists of a physical attack, such as disconnecting a transmission line, followed by a coordinated cyber attack that injects false data into the sensor measurements to mask the effects of the physical attack. Such attacks can lead to undetectable line outages and cause significant damage to the grid. The main idea of the proposed approach is to invalidate the knowledge that the attackers use to mask the effects of the physical attack by actively perturbing the grid's transmission line reactances using distributed flexible AC transmission system (D-FACTS) devices. We identify the MTD design criteria in this context to thwart CCPAs. The proposed MTD design consists of two parts. First, we identify the subset of links for D-FACTS device deployment that…
Table I: Size of the D-FACTS deployment set for different IEEE bus systems
| Bus system | Number of links | Size of D-FACTS deployment set |
|---|---|---|
| IEEE 9-bus system | 9 | 1 |
| IEEE 14-bus system | 20 | 7 |
| IEEE 24-bus system | 38 | 15 |
| IEEE 39-bus system | 36 | 8 |
Table II: NE D-FACTS perturbation set and defense cost for the IEEE 14-bus system under two load scenarios
| Load scenario | NE D-FACTS perturbation set | Defense cost |
|---|---|---|
| Scenario 1 | {1,3,5,8,9,18,19} | 11.62 % |
| Scenario 2 | {1,3,5,8} | 2.86 % |
Moving-Target Defense for Detecting Coordinated Cyber-Physical Attacks in Power Grids
Subhash Lakshminarayana (1), E. Veronica Belmega (2) and H. Vincent Poor (3)
This work was supported in part by a startup grant at the University of Warwick and in part by the U.S. National Science Foundation under Grants DMS-1736417 and ECCS-1824710.
(1) School of Engineering, University of Warwick, UK
(2) ETIS, Université Paris Seine, Université Cergy-Pontoise, ENSEA, CNRS, Cergy-Pontoise, France
(3) Department of Electrical Engineering, Princeton University, Princeton, NJ 08544, USA
Emails: [email protected], [email protected], [email protected]
Abstract
This work proposes a moving target defense (MTD) strategy to detect coordinated cyber-physical attacks (CCPAs) against power grids. A CCPA consists of a physical attack, such as disconnecting a transmission line, followed by a coordinated cyber attack that injects false data into the sensor measurements to mask the effects of the physical attack. Such attacks can lead to undetectable line outages and cause significant damage to the grid. The main idea of the proposed approach is to invalidate the knowledge that the attackers use to mask the effects of the physical attack by actively perturbing the grid’s transmission line reactances using distributed flexible AC transmission system (D-FACTS) devices. We identify the MTD design criteria in this context to thwart CCPAs. The proposed MTD design consists of two parts. First, we identify the subset of links for D-FACTS device deployment that enables the defender to detect CCPAs against any link in the system. Then, in order to minimize the defense cost during the system’s operational time, we use a game-theoretic approach to identify the best subset of links (within the D-FACTS deployment set) to perturb which will provide adequate protection. Extensive simulations performed using the MATPOWER simulator on IEEE bus systems verify the effectiveness of our approach in detecting CCPAs and reducing the operator’s defense cost.
I Introduction
Cyber threats against power grids are of increasing concern due to the deep integration of information and communication technologies (ICT) into grid operation. A recent real-world example was the December 2015 cyber attack against Ukraine’s power grid, which resulted in large-scale outages that lasted several hours [1]. The attack was carried out by opening several transmission line circuit breakers and simultaneously blocking the information lines (e.g., telephone lines) to cover up the attacks. Such attacks have alerted us to a general class of attacks called coordinated cyber-physical attacks (CCPAs).
As the name suggests, a CCPA consists of two components, namely, a physical attack and a cyber attack. The physical attack involves disconnecting a transmission line, generator or transformer. The cyber attack, on the other hand, involves manipulating the sensor measurements that are conveyed from the field devices to the control center, and has the effect of masking the physical attack. The attacker may readily launch such a cyber attack by exploiting the power grid’s communication vulnerabilities [2]. CCPAs can have severe effects on the grid, since undetected line/generator outages may trigger cascading failures, and have received significant recent attention [3, 4, 5, 6].
To defend against CCPAs, recent studies [4] and [6] have proposed strategies based on securing a set of measurements (e.g., by encryption) or relying on measurements from known-secure phasor measurement units (PMU) deployed in the grid. However, power grids consist of many legacy devices whose life cycles can last several decades, and incorporating major security upgrades in these devices can be quite expensive. Moreover, extensive research has shown that PMUs themselves are vulnerable to false data injection (FDI) attacks, which can be launched by spoofing their GPS receivers [7].
In this work, we propose a novel defense strategy to detect CCPAs based on the technique of moving target defense (MTD). As in prior works [3, 4, 5, 6], we only consider physical attacks that disconnect transmission lines. We note that to craft an undetectable CCPA, the attacker must obtain accurate knowledge of certain line reactances [4, 6]. The main idea of the proposed MTD defense in this context is to invalidate the attacker’s previously acquired knowledge by actively perturbing the grid’s line reactance settings. This can be accomplished using distributed flexible AC transmission system (D-FACTS) devices, which are capable of performing active impedance injection and are being increasingly deployed in power grids [8]. The proposed MTD defense strategy has the potential to make it extremely difficult for the attacker to track the system’s dynamics and gather sufficient information to craft an undetectable CCPA. The main contributions of this work are as follows:
- First, we formulate the MTD design problem to defend against CCPAs and identify the MTD design criteria in this context.
- We then propose a solution to the D-FACTS deployment problem using a graph-theoretic approach. Our proposed solution identifies the minimum-sized subset of links for D-FACTS deployment which enables the defender to detect CCPAs against any transmission line.
- However, an MTD solution that involves perturbing a large number of the branch reactances can be expensive due to the MTD’s operational cost [9]. To reduce the operator’s cost of defense during the system’s operational time, we use a game-theoretic formulation to identify the best subset of links to perturb that will provide adequate protection.
Extensive simulations conducted using the MATPOWER simulator show the effectiveness of our solution. Moreover, the results show that the game-theoretic approach significantly reduces the operator’s defense cost.
II Prior Work
Power grid security has received significant interest in the past few years. In particular, FDI attacks against power grid state estimation have been extensively studied [10, 11, 12]. While FDI attacks affect only the sensor measurements that are conveyed to the control center (and hence consist only of a cyber attack), recent research [3, 4, 5, 6] has studied CCPAs, which as noted above consist of both cyber and physical components. CCPAs were first proposed in [3] based on disconnecting a set of transmission lines and blocking sensor measurements from the attacked area. However, the proposed cyber attack cannot completely mask the effects of the physical attack. Moreover, under some conditions, it was shown that the operator can recover the phase angles and detect the physical attack using information from outside the attacked zone [3]. On the other hand, [4, 5] and [6] proposed the design of cyber attacks that can completely mask the effects of the physical attack under different assumptions about the attacker’s knowledge. Further, [4, 5] and [6] have also investigated defense against CCPAs relying on a subset of protected measurements, which however is itself vulnerable (see Section I).
Recently, the concept of MTD has been applied to defend against FDI attacks [13, 14, 9, 15]. In comparison to these works, we are the first to apply MTD for defense against CCPAs. Our analysis shows that MTD for defending against CCPAs requires the formulation of novel design criteria both in terms of D-FACTS placement as well as D-FACTS perturbation selection in comparison to aforementioned works. Finally, we note that while game theory has been used in the context of defense against FDI attacks [16, 17], this work is the first to apply it in the context of MTD design in power grids.
III System Model
Power Grid Model
We consider a power grid consisting of buses and transmission lines. The set of buses and transmission lines are denoted by and respectively. An example of the IEEE-4 bus system with links is shown in Fig. 1. At bus we denote the amount of generation and load by and respectively. We let denote a transmission line that connects bus and bus and its reactance by The power flowing on the corresponding line is denoted by which under the DC power flow model [18] is given by where and are the voltage phase angles at buses respectively. In vector form, the power flow vector is related to the voltage phase angle vector $\boldsymbol{\theta}=[\theta_{1},\dots,\theta_{N}]$ as $\mathbf{f}=\mathbf{D}\mathbf{A}^{T}\boldsymbol{\theta}$, where the matrix is the branch-bus incidence matrix [18] and is a diagonal matrix of the reciprocals of link reactances. We denote the set of links on which D-FACTS devices are deployed by where D-FACTS devices enable the reactances of these lines to be varied within a pre-defined range where are the reactance limits achievable by the D-FACTS devices.
Optimal Power Flow
For any given load condition , the system operator sets the generation dispatch and line reactance settings by solving the optimal power flow (OPF) problem, stated as follows:
[TABLE]
where is the generation cost at bus Equation (1a) is the nodal power balance constraint, where the matrix Constraints (1c) correspond to the branch power flows, generator limits, and D-FACTS limits, respectively, where and and is the maximum permissible line power flow (i.e., the thermal limit) and are the generator limits. We note that in the absence of D-FACTS, OPF optimizes over the generator dispatch values only.
State Estimation & Bad Data Detection
The system state, i.e., the voltage phase angles $\boldsymbol{\theta}$, is estimated from the noisy sensor measurements using the state estimation (SE) technique. The sensor measurements, which we denote by correspond to the nodal power injections, and the forward and reverse branch power flows, i.e. and is the total number of measurements, where We denote the sensor measurement noises by a vector which is assumed to follow a Gaussian distribution. Under the DC power flow model, the relationship between and is given by $\mathbf{z}=\mathbf{H}\boldsymbol{\theta}+\mathbf{n}$, where is the system’s measurement matrix given by ( denotes the row concatenation of matrices and ). The maximum likelihood (ML) technique is used for system state estimation [18]. Under ML estimation, the estimate $\widehat{\boldsymbol{\theta}}$ is related to the measurements as $\widehat{\boldsymbol{\theta}}=(\mathbf{H}^{T}\mathbf{W}\mathbf{H})^{-1}\mathbf{H}^{T}\mathbf{W}\mathbf{z}$, where is a diagonal weighting matrix whose elements are reciprocals of the variances of the sensor measurement noise components.
After state estimation, a bad data detector (BDD) computes a quantity referred to as the residual, which we denote by as $r=\|\mathbf{z}-\mathbf{H}\widehat{\boldsymbol{\theta}}\|$. A bad data alarm is flagged if the residual exceeds a predefined threshold The threshold is adjusted to ensure that the false positive (FP) rate does not exceed where (usually a small value close to zero).
Undetectable False Data Injection Attacks
We denote the FDI attack vector by which the attacker injects into the sensor measurements and the measurement vector with the FDI attack by , given by It has been shown [10] that an FDI attack of the form where remains undetected by the BDD. Specifically, the probability of detection for such attacks is equal to the FP rate We call these attacks undetectable FDI attacks.
Coordinated Cyber and Physical Attack
While an FDI attack only modifies the sensor measurements, a CCPA attacks the grid physically followed by a coordinated FDI attack on the sensor measurements, as noted above. In particular, we consider physical attacks that disconnect a set of transmission lines, e.g., by opening the line circuit breakers. The physical attack will alter the power grid’s topology and power flow, and the mismatch between the pre-attack (i.e., line disconnections) and post-attack measurements can generally be detected by the BDD. However, it has been shown that if the attacker injects a carefully-constructed coordinated FDI attack on the sensor measurements, then the effect of the physical attack on the BDD residual can be completely masked [6]. Hence, the attack remains undetected by the BDD.
Denote the set of links disconnected by the attacker under a physical attack by We use the subscript to denote the power grid parameters following the physical attack. It can be shown that the grid measurements after the physical attack are related to the pre-attack measurements by where $\mathbf{a}_{p}=\mathbf{H}\Delta\boldsymbol{\theta}+\Delta\mathbf{H}\boldsymbol{\theta}_{p}$, where is the change in the measurement matrix before and after the physical attack, given by, Reference [6] showed that in order to mask the effect of the physical attack and remain undetected by the BDD, the attacker must inject a coordinated FDI attack of the form $\mathbf{a}=\Delta\mathbf{H}\boldsymbol{\theta}_{p}$.
Knowledge Required to Launch a CCPA
Next, we list the knowledge required by the attacker to construct an FDI attack of the form $\mathbf{a}=\Delta\mathbf{H}\boldsymbol{\theta}_{p}$. Assume that the attacker disconnects a single branch that connects buses and It can be easily verified that depends on the tripped branch reactance only. Therefore, to construct the attack $\mathbf{a}=\Delta\mathbf{H}\boldsymbol{\theta}_{p}$, the attacker must obtain knowledge of the branch reactance and the difference in phase angles of the buses and following the physical attack, i.e., [6]. The knowledge of can be obtained by monitoring the line power flows following the physical attack as follows:
[TABLE]
where is any alternative path between nodes and in the residual power network following the physical disconnections, i.e., Each path in turn is a collection of links such that and and is the number of links in the path We denote by a collection of all alternative paths between buses and where is the number of such alternative paths. Note that the subscript denotes the disconnected link.
In the IEEE-4 bus example, assume that the attacker disconnects link 1. After the disconnection, there are two alternative paths between buses and and hence, These paths are given by with and with The attacker can compute the phase angle difference between nodes 1 and 2 using (2) as or,
In (2), the attacker can obtain the knowledge of power flows by monitoring the line flow sensor measurements. On the other hand, the line reactances can be learned by monitoring the grid power flows over a period of time using existing techniques [19, 20]. The attacker can also learn the reactance of the disconnected branch similarly.
IV Moving-Target Defense for CCPAs
In this work, we propose a solution to defend the system against CCPAs based on the MTD technique. The main idea behind this approach is to periodically perturb the branch reactances of certain transmission lines to invalidate the attacker’s acquired knowledge. Hence, an attack constructed using outdated knowledge of the system can be detected by the BDD. (The reader can refer to [20] for practical guidance on how frequently the branch reactances must be perturbed.) In this section, we first formalize the MTD design problem to defend against CCPAs. The solution to the MTD design problem is presented in Section V. The details are presented next.
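To make the detection argument concrete, the following Python is an added example written for this page (it is not the authors' code and does not use MATPOWER). It builds a small constructed 4-bus DC power flow model, forms the measurement matrix and the BDD residual of Section III, constructs the masking vector of the form a = ΔH θ_p from an alternative path as in (2), and compares the residual when the attacker's reactance knowledge is still valid against the residual after the defender has perturbed one link on every alternative path. The topology, reactances, injections, the 20 % perturbation and the zero-noise setting are all assumptions made for the example.

```python
"""Added example (not the paper's code): toy DC-power-flow simulation of the BDD residual
with and without an MTD reactance perturbation (Sections III and IV)."""

# Constructed 4-bus, 5-link grid: link k connects (from_bus, to_bus), buses 0..3, bus 0 is
# the slack bus.  Link 0 is the line the physical attack disconnects.
LINKS = [(0, 1), (0, 2), (1, 2), (1, 3), (2, 3)]
N, L = 4, len(LINKS)
SLACK = 0
X_KNOWN = [0.10, 0.20, 0.15, 0.25, 0.30]   # reactances the attacker has learned (assumed, p.u.)
P_INJ = [1.0, -0.4, -0.3, -0.3]            # nodal injections (constructed, p.u.)
# Alternative path around link 0 (buses 0 -> 1): 0 -> 2 over link 1 in its forward direction,
# then 2 -> 1 over link 2 against its defined direction (link 2 is 1 -> 2).
ALT_PATH = [(1, True), (2, False)]


def solve(M, b):
    """Gauss-Jordan elimination with partial pivoting for small dense systems."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(M)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                k = M[r][c] / M[c][c]
                M[r] = [a - k * b_ for a, b_ in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]


def transpose(M):
    return [list(col) for col in zip(*M)]


def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def measurement_matrix(x, tripped=()):
    """H = [A^T D A ; D A ; -D A] with the slack column removed (DC model).  A tripped link
    is modelled by zeroing its 1/x entry in D."""
    A = [[0.0] * N for _ in range(L)]
    for k, (i, j) in enumerate(LINKS):
        A[k][i], A[k][j] = 1.0, -1.0
    DA = [[0.0 if k in tripped else v / x[k] for v in A[k]] for k in range(L)]
    H_full = matmul(transpose(A), DA) + DA + [[-v for v in row] for row in DA]
    return [[row[b] for b in range(N) if b != SLACK] for row in H_full]


def dc_state(x, tripped=()):
    """Non-slack phase angles from the DC power flow B theta = P."""
    H = measurement_matrix(x, tripped)
    B = [H[bus] for bus in range(N) if bus != SLACK]
    P = [P_INJ[bus] for bus in range(N) if bus != SLACK]
    return solve(B, P)


def bdd_residual(H, z):
    """ML state estimate with W = I and residual r = ||z - H theta_hat||."""
    Ht = transpose(H)
    theta_hat = solve(matmul(Ht, H), [sum(h * zi for h, zi in zip(col, z)) for col in Ht])
    return sum((zi - sum(h * t for h, t in zip(row, theta_hat))) ** 2
               for row, zi in zip(H, z)) ** 0.5


def masking_vector(z_post, x_known, tripped, path):
    """Masking vector a = Delta H theta_p from observed post-attack flows and the attacker's
    reactance knowledge (Eq. (2)).  With Delta H = H - H_p only the tripped link's reactance
    and the angle difference across it enter."""
    i, j = LINKS[tripped]
    dtheta = 0.0                                # theta_i - theta_j along the alternative path
    for k, forward in path:
        f = z_post[N + k]                       # forward-flow measurement of link k
        dtheta += (f if forward else -f) * x_known[k]
    g = dtheta / x_known[tripped]               # flow the tripped line would have carried
    a = [0.0] * (N + 2 * L)
    a[i], a[j] = g, -g                          # injection rows
    a[N + tripped], a[N + L + tripped] = g, -g  # forward and reverse flow rows
    return a


def residual_under(x_actual, x_known, tripped=0, path=ALT_PATH):
    """Residual the BDD sees when the grid (and the operator's H) uses x_actual while the
    attacker builds its masking vector from x_known.  Noise is zero for determinism."""
    theta_p = dc_state(x_actual, (tripped,))
    H_p = measurement_matrix(x_actual, (tripped,))
    z_post = [sum(h * t for h, t in zip(row, theta_p)) for row in H_p]
    a = masking_vector(z_post, x_known, tripped, path)
    z_recv = [zp + ai for zp, ai in zip(z_post, a)]
    return bdd_residual(measurement_matrix(x_actual), z_recv)


def compare():
    """Residual without MTD versus with the defender perturbing link 1, which lies on every
    alternative path around link 0 (criterion C2 in the text)."""
    x_mtd = list(X_KNOWN)
    x_mtd[1] *= 1.20                            # assumed 20 % reactance change via D-FACTS
    return residual_under(X_KNOWN, X_KNOWN), residual_under(x_mtd, X_KNOWN)


if __name__ == "__main__":
    r_plain, r_mtd = compare()
    print(f"residual with valid knowledge: {r_plain:.2e}; after MTD perturbation: {r_mtd:.3f}")
```

The first residual is zero (the masked measurements are exactly consistent with H), so the BDD cannot see the outage; after the perturbation the stale path reactance makes the attacker's angle estimate wrong and the residual jumps, which is what the detection threshold is set to catch. In a real deployment the threshold would be chosen against the noise model rather than against zero.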
Recall from (2) that to construct an undetectable CCPA, the attacker must acquire the following: (i) knowledge of the reactance of the tripped branch, and (ii) knowledge of the branch reactances in at least one alternative path between the nodes and Therefore, under MTD, the defender can thwart the CCPA by invalidating one of the two:
- C1. Invalidate the attacker’s knowledge of the tripped branch’s reactance .
- C2. Invalidate the attacker’s knowledge of at least one of the branches in the path between nodes and
Note, however, that the defender cannot have prior knowledge of which link the attacker chooses to disconnect. Moreover, for a disconnected link the defender has no way of knowing which path the attacker may have used to compute the phase angle difference as in (2). Thus, the defender must invalidate the attacker’s knowledge of the reactance of at least one branch in every path The defender must do so for every link (such that the attacker cannot launch a CCPA by disconnecting any link in the grid). Based on the arguments above, the MTD perturbation selection problem can be stated as follows:
**Problem 1 (MTD problem).**
For each branch invalidate the knowledge of at least one of the branches in
The MTD perturbation problem poses constraints on the D-FACTS deployment set since a preliminary requirement to invalidate the attacker’s knowledge of a branch reactance is the presence of a D-FACTS device on that link. Thus, must be chosen in a way that it gives the defender the ability to protect every link . A trivial solution is to deploy a D-FACTS device on every link of the power grid. However, a system operator may wish to minimize the number of D-FACTS devices installed in order to minimize the device deployment cost.
On the other hand, MTD perturbations incur an operational cost for the defender. Reference [9] characterized this cost in terms of the increase in the OPF cost of the grid due to the MTD perturbations. (Note that in the absence of MTD, the D-FACTS settings are adjusted to minimize the OPF cost as in (1a). Thus, the MTD perturbations will increase the OPF cost, and the MTD operational cost is non-negative.) Perturbing the reactances of a large number of links may be expensive. Thus, at the system’s operational time, the defender may wish to perturb the reactances of only a subset of links, which we denote by where such that the attacker cannot launch CCPAs against some specific links that are perceived to be important and vulnerable to attack.
In what follows, we provide solutions to both of the aforementioned aspects of the MTD design problem. Specifically, we first present an algorithm to find the D-FACTS deployment set that satisfies the MTD design problem with a minimum number of devices based on a graph-theoretic approach. Subsequently, we present a solution to the problem of selecting a subset of links for reactance perturbation at the operational time based on a game-theoretic approach.
V Solution to the MTD Design Problem
In this section, we solve the MTD design problem formalized in Section IV. We first address the problem of finding the D-FACTS deployment set.
V-A D-FACTS Deployment
Our key observation to solve the D-FACTS deployment set problem is that each set of links forms a loop in the graph For example, in the 4-bus example in Figure 1, assuming that the attacker disconnects link 1, the links and form loops in the corresponding graph. If a D-FACTS device is installed on a subset of links in the graph such that every loop in the network has at least one link with a D-FACTS device installed, then the attacker cannot launch an undetectable CCPA.
In graph-theoretic terms, the problem is equivalent to removing a subset of links in the network such that the residual graph has no loops. For optimized deployment, must be the minimum number of such links. If each link is assigned a weight of then must be a subset of links with minimum weight.
The set can be found by solving the minimum weight feedback edge set problem in an undirected graph [21]. The solution proceeds by finding the maximum weight spanning tree (MWST). Specifically, let be the MWST of the graph If D-FACTS devices are installed on the links then the attacker cannot find a loop within the graph whose branches do not have a D-FACTS device installed. Equivalently, the attacker cannot launch an undetectable CCPA. Further, since the links in form a maximum-weighted spanning tree, are the links with minimum weight which can be removed. Equivalently, the links are the minimum number of links that satisfy the D-FACTS design problem described in Section IV. Thus, the D-FACTS deployment set
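The spanning-tree construction above can be carried out in a few lines. The following Python is an added example written for this page (it is not the authors' implementation): it finds a maximum-weight spanning tree with Kruskal's algorithm, takes the complement as the D-FACTS deployment set, and checks that the remaining links contain no loop. The branch list is an assumed transcription of the standard IEEE 14-bus topology and the per-link weights are constructed placeholders; both should be replaced by the operator's own grid data, and the link count check below holds for any connected grid regardless of the exact branch list.

```python
"""Added example (not the paper's code): D-FACTS deployment set as the complement of a
maximum-weight spanning tree, i.e. a minimum-weight feedback edge set (Section V-A)."""

# Assumed IEEE 14-bus branch list (buses 1..14), transcribed from memory of the standard
# test case; verify against MATPOWER's case14 before relying on the exact links.
IEEE14_LINKS = [(1, 2), (1, 5), (2, 3), (2, 4), (2, 5), (3, 4), (4, 5), (4, 7), (4, 9), (5, 6),
                (6, 11), (6, 12), (6, 13), (7, 8), (7, 9), (9, 10), (9, 14), (10, 11),
                (12, 13), (13, 14)]
# Constructed per-link deployment weights (the text leaves the weight choice open).
IEEE14_WEIGHTS = [1.0 + 0.1 * (k % 3) for k in range(len(IEEE14_LINKS))]


class UnionFind:
    """Disjoint-set forest used by Kruskal's algorithm and by the loop check."""

    def __init__(self, nodes):
        self.parent = {n: n for n in nodes}

    def find(self, u):
        while self.parent[u] != u:
            self.parent[u] = self.parent[self.parent[u]]   # path halving
            u = self.parent[u]
        return u

    def union(self, u, v):
        ru, rv = self.find(u), self.find(v)
        if ru == rv:
            return False        # u and v already connected: this edge would close a loop
        self.parent[ru] = rv
        return True


def max_weight_spanning_tree(links, weights):
    """Kruskal over edges in decreasing weight order; returns 0-based link indices."""
    uf = UnionFind({b for link in links for b in link})
    return [k for k in sorted(range(len(links)), key=lambda idx: -weights[idx])
            if uf.union(*links[k])]


def dfacts_deployment_set(links, weights):
    """Links NOT in the maximum-weight spanning tree: the minimum-weight feedback edge set.
    Every loop in the grid contains at least one of them.  Returned 1-based, matching the
    link numbering used in the text."""
    tree = set(max_weight_spanning_tree(links, weights))
    return [k + 1 for k in range(len(links)) if k not in tree]


def is_loop_free(links, removed):
    """True when the grid with the 1-based links in `removed` deleted contains no loop."""
    uf = UnionFind({b for link in links for b in link})
    return all(uf.union(*links[k]) for k in range(len(links)) if k + 1 not in removed)


def deployment_cost(weights, deployed):
    """Total weight of the chosen 1-based deployment links."""
    return sum(weights[k - 1] for k in deployed)


if __name__ == "__main__":
    dep = dfacts_deployment_set(IEEE14_LINKS, IEEE14_WEIGHTS)
    print("D-FACTS deployment set:", dep, "size:", len(dep),
          "residual loop-free:", is_loop_free(IEEE14_LINKS, dep),
          "cost:", round(deployment_cost(IEEE14_WEIGHTS, dep), 2))
```

For a connected grid with |L| links and |N| buses the deployment set always has |L| - |N| + 1 links, which is why the 14-bus system in Table I needs exactly 7 devices; the weights only decide which 7.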
Consider the D-FACTS deployment set chosen according to the above arguments. Assume that the defender perturbs the reactances of the set of links Then, we have the following:
- A physical attack against a link can be detected by the BDD if the links in ensure that the conditions listed in Problem 1 are satisfied for that link. We will henceforth refer to such a link as being “protected” under the MTD link perturbation set
- Naturally, based on the arguments stated in this section, if then all the links are protected from physical attacks.
V-B MTD Perturbation Selection Using Game Theory
MTD perturbations incur an operational cost, and perturbing the reactances of a large set of links may not be cost effective. In this section, we answer the question of how to select the appropriate perturbation set . The main idea is to protect only a subset of links from physical attacks depending on the operational state of the system, as well as the perceived threat to those links. This is approached using a game-theoretic formulation. The details are presented next.
V-B1 Game Formulation
We define the strategic interactions between the attacker and the defender as a two-player non-cooperative game. To formalize this, we define the game as a triplet in which the components are: (i) the set of players ; (ii) and the sets of actions that defender and attacker can take respectively; and (iii) the payoffs of the players for where measures the benefit obtained by player when the action profile that has been played is .
We denote the attacker’s and the defender’s action sets by and respectively, where and are the cardinality of the sets and respectively. The attacker’s action set is the subset of links it disconnects physically. We denote the set of links disconnected by the attacker under action by where, The action corresponds to the case when the attacker does not attack any link. The defender’s action is to select a subset of links within whose reactances will be perturbed. We denote the set of links chosen by the defender under action by where, The action corresponds to the case when the defender does not perturb the reactance of any link.
Next, we characterize the attacker’s and the defender’s payoffs. The cost of damage due to the attack can be characterized as follows. If the attacker disconnects a link that is protected by the defender (due to the MTD perturbations), then the CCPA will be detected by the BDD, and the system operator can quickly restore the link to ensure that the attack does not result in any further damage. For instance, the defender can quickly restore the circuit breaker of the disconnected link to a closed position. On the other hand, if the attacker disconnects a link that is not protected by the defender, then the CCPA will go undetected. The link disconnection will result in a redistribution of power flows. Consequently, all the links on which the power flows exceed the corresponding thermal limits will experience physical damage, and will get disconnected from the grid. In this case, the system operator will have to initiate load shedding in order to ensure that the attack does not result in further damage. (Herein, we assume that the BDD will detect the attack once additional links are disconnected, since the attacker’s data injection will only mask the effect of the disconnection of the first link.) We denote the cost of load shedding at bus by where is the quantity of load that is shed. We denote
Let denote the OPF cost when the attacker takes an action and the defender takes an action It can be computed as follows:
[TABLE]
where is given by Here, is the bus-branch connectivity matrix when the attacker and the defender choose actions and respectively. These quantities are computed as in Algorithm 1.
Based on the formulation above, the defender’s payoff is given by
[TABLE]
and the attacker’s payoff is
[TABLE]
where is an indicator variable to represent the success () or failure of an attack (). Both players aim to choose their actions such that their own payoff is maximized, and although the game is not a zero-sum game, we can see that the two players have contradictory objectives. The above payoffs can be explained as follows. First, denotes the benchmark operating cost of the defender when neither player takes an action to either disrupt or defend the system. The term denotes the additional cost incurred by the defender and caused by a successful attack, when the attacker chooses and the defender chooses ; the defender’s aim is to minimize this cost whereas the attacker wants to maximize it. The term represents the additional cost incurred by the defender for choosing an action against an unsuccessful attack ; the defender will seek to minimize this cost while neutralizing the attack. Of course, the benefit of the attacker if its attack fails is equal to zero.
V-B2 Solving the Game Formulation
The game described above is discrete and finite. In such an interactive situation, a natural solution is the Nash equilibrium (NE), which is a state that is stable against unilateral deviation. Mathematically this is defined as:
**Definition 1.**
A strategy profile is an NE for the game if the following conditions are met:
This means that neither player has any incentive to unilaterally deviate and will lose in terms of utility otherwise. This type of game may not have a pure NE solution but it always has at least one mixed-strategy NE [22], which is the NE of the extension of the game to mixed strategies. It is defined as follows: . The action sets of the extended game are the probability simplices of dimension , : where is the discrete probability vector of player such that and represent the probability of choosing the action by the defender and the probability of choosing the action by the attacker, respectively. The modified payoffs are simply the resulting expected payoffs following the randomization of play:
[TABLE]
The mixed NE can be defined similarly to the pure strategy NE.
**Definition 2.**
A mixed strategy profile is a mixed NE for the game if it is an NE for the extended game and the following conditions are met: and
The mixed NE can be computed by using the von Neumann indifference principle [22], which basically says that: i) player is rendered indifferent (in terms of its expected payoff) between its pure actions that are played at the NE with strictly positive probability, by the choice of the other’s mixed action , for any ; and ii) the actions that are not played at the NE (their probability equals 0 at the NE) give strictly lower payoffs than the ones that are played (see i)), for both players. Formally, this is stated in the following.
**Definition 3.**
A mixed strategy profile is a mixed NE for the game if it is an NE for the extended game and the following conditions are met:
1. both players are indifferent among their own pure actions that are played with positive probability at the NE
[TABLE]
2. the pure actions that result in strictly smaller payoffs are played with zero probability at the NE
[TABLE]
where the sets denote the actions that are played with strictly positive probability at the NE: and .
All of the defender’s actions that are not in the set have zero probability at the NE (they are not played at all at the NE), and the same goes for the attacker: all of its actions outside the set have zero probability at the NE. Definition 3 provides a simple way to compute the mixed NEs by solving a system of linear equations and checking some conditions, which we adopt in this work.
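As an added example for Definition 3 (written for this page; not the authors' code and not the MATPOWER experiment of Section VI), the following Python computes a mixed NE of a small constructed defender/attacker game by the indifference principle: it enumerates candidate supports, solves the indifference equations in closed form for supports of size one and two, and keeps a candidate only if the second condition (no pure action does strictly better) holds. The payoff numbers are constructed to follow the payoff structure of Section V-B1 (benchmark OPF cost, damage of a successful attack, defense cost). A general solver would instead run a linear-system solve over every face of the simplex, which is the exhaustive search discussed in Section VII.

```python
"""Added example (not the paper's code): mixed-strategy NE by the indifference principle
of Definition 3, via support enumeration for supports of size one and two."""
from itertools import combinations

# Constructed payoff tables.  Rows: defender actions d0 = no perturbation, d1 = perturb
# link 1 (defense cost 2).  Columns: attacker actions a0 = no attack, a1 = trip link 1
# (damage 30 unless d1 protects it), a2 = trip link 3 (damage 10, unprotected in both
# rows).  Benchmark OPF cost 100, so u_D = -(100 + damage + defense cost) and u_A = damage
# if the attack succeeds and 0 otherwise, mirroring the payoff structure of Section V-B1.
U_D = [[-100.0, -130.0, -110.0],
       [-102.0, -102.0, -112.0]]
U_A = [[0.0, 30.0, 10.0],
       [0.0,  0.0, 10.0]]
EPS = 1e-9


def expected(U, p_row, p_col):
    """Expected payoff from matrix U under the mixed profile (p_row, p_col)."""
    return sum(p_row[i] * p_col[j] * U[i][j] for i in range(len(U)) for j in range(len(U[0])))


def is_nash(UD, UA, p_d, p_a):
    """Condition 2 of Definition 3: no pure action beats the equilibrium payoff for either player."""
    v_d, v_a = expected(UD, p_d, p_a), expected(UA, p_d, p_a)
    if any(sum(UD[i][j] * p_a[j] for j in range(len(p_a))) > v_d + EPS for i in range(len(UD))):
        return False
    return not any(sum(UA[i][j] * p_d[i] for i in range(len(p_d))) > v_a + EPS
                   for j in range(len(UA[0])))


def indifferent_mix(U, own, other):
    """Condition 1 of Definition 3: the opponent's probabilities over `other` that make the
    player with payoff rows U indifferent among its own actions in `own`.  Closed form for
    supports of size one and two; None when the indifference system is singular."""
    if len(own) == 1:
        return [1.0]
    (i1, i2), (j1, j2) = own, other
    den = (U[i1][j1] - U[i1][j2]) - (U[i2][j1] - U[i2][j2])
    if abs(den) < EPS:
        return None
    t = (U[i2][j2] - U[i1][j2]) / den          # probability that the opponent plays j1
    return [t, 1.0 - t]


def mixed_nash(UD, UA):
    """Enumerate equal-size supports (faces of the simplices) and return the first profile
    satisfying both conditions of Definition 3, or None."""
    n_d, n_a = len(UD), len(UA[0])
    UA_T = [list(col) for col in zip(*UA)]     # attacker's own actions as rows
    for size in (1, 2):
        for S_D in combinations(range(n_d), size):
            for S_A in combinations(range(n_a), size):
                q = indifferent_mix(UD, S_D, S_A)     # attacker's mix over S_A
                p = indifferent_mix(UA_T, S_A, S_D)   # defender's mix over S_D
                if q is None or p is None or min(p + q) < EPS:
                    continue                          # every support action needs positive mass
                p_d, p_a = [0.0] * n_d, [0.0] * n_a
                for i, v in zip(S_D, p):
                    p_d[i] = v
                for j, v in zip(S_A, q):
                    p_a[j] = v
                if is_nash(UD, UA, p_d, p_a):
                    return p_d, p_a
    return None


if __name__ == "__main__":
    print(mixed_nash(U_D, U_A))   # ([1/3, 2/3], [0, 1/15, 14/15]) for the tables above
```

In this constructed game no pure NE exists (each pure profile has a profitable deviation), so the equilibrium randomizes: the defender perturbs link 1 two thirds of the time, and the attacker, made indifferent by that choice, spreads its mass over the two physical attacks while never choosing "no attack", which is strictly worse and so gets zero probability, exactly as condition 2 prescribes.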
VI Simulation Results
In this section, we perform simulations to show the effectiveness of the proposed defense. All the simulations are carried out using the MATPOWER simulator.
First, we examine the D-FACTS deployment set problem. We perform simulations using the IEEE-14 bus system. As proposed in Section V-A, we solve the minimum weight feedback edge set problem for the graph corresponding to the IEEE-14 bus system. Following this approach, the D-FACTS deployment set is given by We then perturb the reactances of all the links in the set We simulate physical attacks against the three most important links in the system, i.e., Links 1, 2 and 3 (which have the maximum power flow among all the links in the bus system) by disconnecting the links (one at a time), and injecting a corresponding CCPA of the form $\mathbf{a}=\Delta\mathbf{H}\boldsymbol{\theta}_{p}$, where both and $\boldsymbol{\theta}_{p}$ are computed using outdated knowledge of the system. We plot the BDD’s attack detection probability for each case in Fig. 2 as a function of the percentage change in line reactances. It can be observed that the CCPAs can be detected with a high probability following the MTD approach. Moreover, about perturbation in the line reactances is sufficient to achieve a high detection rate. We also list the size of the D-FACTS deployment set for different IEEE bus systems in Table I. It can be observed that the proposed algorithm enables the defender to protect all the links in the system with only a few D-FACTS devices. Moreover, this is also the minimum-sized D-FACTS deployment set that can detect any CCPA against the grid. From the table, we can also conclude that depends not just on the size of the bus system, but also on its actual topology (e.g., for the 24-bus system, whereas for the 39-bus system).
Finally, we show the effectiveness of the game-theoretic approach in reducing the operator’s defense cost. The simulations are done on an IEEE-14 bus system. The generation cost is assumed to be linear, i.e., The generators’ capacities at buses are MWs and $\mathbf{f}_{\max}$ 1601,600,21.7,94.2,47.8,7.6,11.2,0,0,29.5,9,3.5,6.1,13.5,14.90,100,94.2,47.8,30,11.2,0,0,0;0,0,0,0,0. The defender’s actions correspond to the perturbation sets $d_{1}=\{1\}$, $d_{2}=\{1,3\}$, $d_{3}=\{1,3,5\}$, $d_{4}=\{1,3,5,8\}$ and $d_{5}=\{1,3,5,8,9,18,19\}$; note that $d_{5}=\mathcal{L}_{D}$, which protects all the links of the system from CCPA. The attacker in turn launches a CCPA by disconnecting one of the links at a time. Under this set-up, we compute the NE solution in each of two scenarios according to Definition 3 and the results are listed in Table II. It can be observed that the D-FACTS perturbation sets in the two scenarios are different. While in the heavily loaded scenario (scenario 1) all the links in $\mathcal{L}_{D}$ need to be perturbed, in the lightly loaded scenario (scenario 2) it is sufficient to perturb only a subset of links. The rationale is that in the lightly loaded scenario, only a subset of links need to be protected from physical attacks, since the attacker is unlikely to target the unimportant links (i.e., the links that have very little power flow). We also list the defense cost, which is the percentage increase in the OPF cost. The NE solution of scenario 2 incurs a much lower defense cost, since only a subset of links are perturbed. The above experiments show that the MTD perturbation set depends on the operational state of the system. By following the proposed game-theoretic approach, the operator can reduce its defense cost.
VII Conclusions and Future Work
In this work, we have proposed a novel MTD-based strategy to detect CCPAs and presented the MTD design criteria in this context. We have identified the subset of links for D-FACTS device deployment that enables the defender to detect physical attacks against any link in the system. Further, to reduce the operator's defense cost, we have identified, by a game-theoretic approach, the set of links whose reactances must be perturbed at operation time.
There are still many open problems. First, D-FACTS devices are traditionally deployed in the grid with the objective of minimizing transmission losses [23], whereas in this work we consider the D-FACTS deployment problem from a security point of view only. The deployment problem will therefore generally involve a trade-off between minimizing the transmission power losses and the security application. Another important problem arises in the game-theoretic formulation. Definition 3 provides a simple way to compute the mixed NEs by solving a system of linear equations and checking some conditions. Still, in order to use it, one would have to know in advance the faces of the simplex on which the NE lies, i.e., one would have to know the sets and for all NEs in advance. An exhaustive search has exponential complexity: the -dimensional simplex has faces, and all possibilities would have to be considered. Thus, a low-complexity algorithm must be found to compute the NE. We plan to investigate these issues in future work.
References
- [1] "Analysis of the cyber attack on the Ukrainian power grid," http://bit.ly/2ohNwJ1.
- [2] "Hackers infiltrated power grids in U.S., Spain," https://bit.ly/2WxFxoj.
- [3] S. Soltan, M. Yannakakis, and G. Zussman, "Joint cyber and physical attacks on power grids: Graph theoretical approaches for information recovery," in Proc. ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS), 2015, pp. 361–374.
- [4] Z. Li, M. Shahidehpour, A. Alabdulwahab, and A. Abusorrah, "Bilevel model for analyzing coordinated cyber-physical attacks on power systems," IEEE Trans. Smart Grid, vol. 7, no. 5, pp. 2260–2272, Sep. 2016.
- [5] ——, "Analyzing locally coordinated cyber-physical attacks for undetectable line outages," IEEE Trans. Smart Grid, vol. 9, no. 1, pp. 35–47, Jan. 2018.
- [6] R. Deng, P. Zhuang, and H. Liang, "CCPA: Coordinated cyber-physical attacks and countermeasures in smart grid," IEEE Trans. Smart Grid, vol. 8, no. 5, pp. 2420–2430, Sep. 2017.
- [7] D. P. Shepard, T. E. Humphreys, and A. A. Fansler, "Evaluation of the vulnerability of phasor measurement units to GPS spoofing attacks," International Journal of Critical Infrastructure Protection (IJCIP), vol. 5, pp. 146–153, 2012.
- [8] D. Divan and H. Johal, "Distributed FACTS: A new concept for realizing grid power flow control," IEEE Trans. Power Syst., vol. 22, no. 6, pp. 2253–2260, Nov. 2007.
