IEEE Transactions on Emerging Topics in Computing


Keywords

Computational Modeling, Power System Stability, Variable Structure Systems, Smart Grids, Power System Dynamics, Network Security, Computer Security, Computer Hacking, Cyber Physical Systems, Security Modeling, Coordinated Switching Attacks

Abstract

Security issues in cyber-physical systems are of paramount importance due to the often safety-critical nature of their associated applications. A first step in understanding how to protect such systems requires an understanding of emergent weaknesses that arise, in part, from the cyber-physical coupling. In this paper, we present a framework that models a class of cyber-physical switching vulnerabilities in smart grid systems. Variable structure system theory is employed to effectively characterize the cyber-physical interaction of the smart grid and to demonstrate how the existence of the switching vulnerability depends on the local structure of the power grid. We identify and demonstrate how, through successful cyber intrusion and local knowledge of the grid, an opponent can compute and apply a coordinated switching sequence to a circuit breaker to disrupt operation within a short interval of time. We illustrate the utility of the attack approach empirically on the Western Electricity Coordinating Council three-machine, nine-bus system under both model error and partial state information.

I.   Introduction

We are witnessing the rapid technological evolution of numerous application fields including power systems, robotics and social networking. These systems will evolve into next-generation cyber-physical systems providing a spectrum of advantages over their predecessors. However, cyber-enablement of these systems naturally leads to issues of security, requiring approaches to resilient system design. Tools for modeling cyber-physical systems are of paramount importance in enabling judicious planning and vulnerability analysis.

A vulnerability in a system exists when there is a weakness in the system, access to the weakness and a capability by an opponent to exploit the weakness. We investigate a novel theoretical modeling framework based on variable structure system theory that enables the identification of a class of reconfiguration-based weaknesses in the power grid employing formal mathematical principles. Such an approach provides a prescriptive strategy to identify possible ways to trigger rotor angle instability in synchronous generators of power systems. Moreover, our model allows us to deduce steps for practical attack construction that are amenable to simulation demonstrating the potential capability of an opponent to exploit the flaw.

We assume that access to the flaw is facilitated through smart grid communication channels providing opponent(s) opportunities for remotely controlling physical power system components such as modern circuit breakers possibly via illicit security breaches and intrusion. Thus, our vulnerability is applicable to a smart grid system with remotely connected circuit breakers and one or more synchronous generators used as targets making it relevant to a broad class of modern and future power transmission systems.

We name the class of attacks that stems from our framework coordinated variable structure switching attacks, whereby an opponent aims to destabilize the power grid by leveraging corrupted communication channels and/or control signaling to hijack relevant circuit breakers. Our work represents a novel departure from existing smart grid vulnerability analysis research in that it represents the first use of variable structure system theory for attack performance analysis. This enables a prescriptive approach to vulnerability identification, in contrast to methods that make use of reverse-engineering or ad hoc “what-if” analysis [1]–[12], leading to the identification of a new class of reconfiguration-based vulnerabilities. Moreover, we extend our recent work [13]–[15] by enhancing the theoretical foundation to better characterize the impact of attacks and by performing the necessary robustness analysis of the attack construction under the practical constraints of model error and partial information.

In Section II we focus on our attack development. Attack existence and characterization are presented in Section III. Attack construction and impact are studied in Sections IV and V. We then address issues involving limitations on attacker capability in Section VI followed by final remarks in Section VIII.

II.   Coordinated Switching Attacks

A. Sliding Mode in Variable Structure Systems

Variable structure systems are nonlinear systems characterized by discontinuous dynamics [16]. Such systems exhibit both continuous and discrete forms of behavior, which is much needed for modeling cyber-physical systems, while being conducive to software implementation. Consider the following elementary variable structure system:

$$\dot{x} = \begin{cases} f_1(x,t), & s(x) > 0 \\ f_2(x,t), & s(x) \le 0 \end{cases} \qquad (1)$$

where $x \in \mathbb{R}^{n\times 1}$ is the system state vector, $f_i(x,t) \in \mathbb{R}^{n\times 1}$ represents the subsystem dynamics for $i = 1, 2$, $s(x) \in \mathbb{R}$ is a state-dependent switching signal (sometimes denoted simply as $s$), and $s(x) = 0$ is called the n-dimensional switching surface. The state is a time-dependent quantity and therefore could also be denoted $x(t)$. The evolution of $x$ in time through state space is called the state trajectory of the system.

Equation (1) represents a system which abruptly switches dynamics between $f_1(x,t)$ and $f_2(x,t)$ according to the sign of $s(x)$ and is effective in modeling the action of a circuit breaker in power systems. A block diagram linking a simple power system to (1) is provided in Fig. 1 to elucidate; here, the state vector $x$ represents the physical quantities of generator phase angle and frequency. When the power system switch changes position between loads $Z_1$ (Position 1) and $Z_2$ (Position 2), it has the effect of changing between the system dynamics denoted $f_1(x,t)$ and $f_2(x,t)$, respectively.

Fig. 1. Elementary variable structure system example. (a) Elementary power system. (b) Block diagram.

Analysis of the system in (1) leads to a number of interesting properties one of which is termed sliding mode behavior [16], [17]. In the sliding mode, the state trajectory of the system of (1) is attracted and subsequently confined to the switching surface s(x)=0, which in this case is also termed the sliding surface.

There are two crucial aspects to this phenomenon. The first necessary condition is that the switching surface is attractive meaning that within some subset of state space, trajectories converge to the switching surface making it a sliding surface. The second requirement is that the variable structure system behavior, confined to the sliding surface, exhibits certain desired properties such as asymptotic stability, exponential growth or oscillation. We assert that this collective behavior can be used to steer the state into a position of instability for attack.

Consider a specific case of (1) assuming linear dynamics, $n = 2$ and $x = [x_1, x_2]^T$: (2) [equation not rendered in the source] for some $s(x)$. The state trajectory $x(t)$, as governed by its dynamics, can be viewed geometrically in a phase portrait. The phase portraits of the individual subsystems $A_1$ and $A_2$ (i.e., assuming static switch positions of 1 and 2, respectively) are shown in both Fig. 2(a) and (b) as dashed and dash-dot lines, respectively. As can be observed, both subsystem trajectories converge to the stable equilibrium point (0, 0) from the initial condition (25, 25). Moreover, it can be shown that because the subsystems are linear they are each globally asymptotically stable, meaning that the trajectories will always converge to (0, 0) from any initial condition in $\mathbb{R}^2$ [18]. Thus, in this example, we can deduce that the system of (2) is stable when the switch is static in either position. This is analogous to a well-designed power system which will be stable for either an open or closed static breaker condition.

Fig. 2. Sliding mode system trajectories of (2) in the presence of variable structure switching. (a) For $s(x) = -x_1 + x_2$. (b) For $s(x) = x_1 + x_2$.

Variable structure system theory can be used to design a switching signal s(x) to achieve certain desired system behaviors in (1). Traditionally, s(x) has been designed to stabilize the variable structure system [16]. In this paper, we deviate from this philosophy and study how s(x) may be selected by an attacker to steer the trajectory of (1) to instability thus enabling large-scale disruption in the associated power system. In Fig. 1(a) this would equate to destabilizing the generator angle and frequency resulting in transient instability of the smart grid system.

Consider the linear subsystem example of (2). We consider the following two selections for the switching signal $s(x)$, $s(x) = -x_1 + x_2$ and $s(x) = x_1 + x_2$, with associated phase portraits shown in Fig. 2(a) and (b), respectively. As is evident, both selections instigate sliding mode behavior, as convergence to the $s(x) = 0$ line is clearly observed. The former, however, results in stable sliding mode behavior while the latter results in instability. Making a simple analogy to smart grid systems, we thus purport that it may be possible for an opponent who can control the state of a circuit breaker to determine an $s(x)$, and hence a switching sequence, that can destabilize the overall switched power system even though it is designed to exhibit stable behavior when the breaker is static.

B. Attack Assumptions and Overview

To leverage variable structure system theory for cyber-physical attack development in a smart grid, an opponent would therefore need:

  (A) to first identify a (physical) target component to attack (i.e., destabilize);
  (B) electromechanical switching control over a corrupted circuit breaker (or equivalent) in the target's proximity;
  (C) a local model of the smart grid system in the vicinity of the target and breaker; and
  (D) knowledge of the target's state $x$.

Knowledge of a local model of the smart grid is a common assumption made in other attack literature [19], [20]. Conditions (A) and (C) collectively enable the identification of a variable structure system model of the smart grid to design a switching signal s(x), if one exists, that instigates unstable sliding mode behavior; this establishes the first stage of attack construction. Conditions (B) and (D) allow implementation of the attack in the second stage of attack execution. In Section VI we relax Conditions (C) and (D).

The reader should note that to achieve Conditions (B) and (D), an opponent would have to remotely access communication systems related to the breaker and the synchrophasor sensor of the target generator, respectively. In protected information systems, this would require that the attacker illicitly infiltrate the corresponding data transmission systems. For Condition (B), the opponent would have to inject fabricated breaker control signals into the communication network. For Condition (D), the opponent would have to infiltrate the associated SCADA or synchrophasor network to intercept generator state information.

Cyber intrusion or corruption of distributed systems is a necessary assumption for vulnerability analysis, especially when studying system resilience. Numerous practical examples of cyber weaknesses in smart grid communication networks have been documented [21]; they range from exploiting holes in well-known operating systems used by measurement and control devices to distribution-area attacks such as the hijacking of smart meters, which can enable the effective switching of loads on and off needed for the type of switching attack presented in this paper. The types of cyber intrusions necessary to execute a coordinated variable structure switching attack are specific to the actual protocols, software and hardware architecture and are beyond the scope of this work.

III.   Attack Existence and Dynamics

Assuming Conditions (A) to (D) of Section II-B hold, the existence of a coordinated variable-structure switching vulnerability for a given smart grid is directly related to the existence of a sliding mode for the associated breaker switched system. Sliding mode existence for the general class of systems in (1) is an open problem. Thus, in this section we provide existence conditions for incrementally linear subsystems to facilitate attack construction in Section IV. Moreover, we characterize the dynamics and stability properties of this class of systems during sliding mode behavior to better understand the impact of the attack. Our formulation conveniently represents the switching of a single corrupted circuit breaker or switch, but can be naturally scaled to multiple switches by increasing the number of subsystems.

The reasons for the incrementally linear assumption are three-fold. First, because many power system configurations can be approximated as linear about a local range of operating conditions, it allows for representation of a useful class; in Section V we demonstrate how one can successfully construct and execute attacks even on nonlinear power system models using this linearized model. Second, the linear approximation does not carry the same limitations for system destabilization as it would for stabilization. For stabilization, model linearization expands the region of convergence over the original nonlinear system making the system appear more stable than it really is. In contrast, we contend that such approximations for destabilization provide conservative impacts often demonstrating richer disruptions in the actual nonlinear systems. Finally, demonstrating the construction of an attack using linearized models provides intuition as to the practical feasibility of identifying such attacks with only approximate information.

A. Sliding Mode Existence

In general, the sliding mode existence condition is given by [16] (note: $\dot{s}(x)$ is the time derivative of $s(x)$):

$$s(x)\,\dot{s}(x) < 0 \quad \text{for } s(x) \ne 0. \qquad (3)$$

1. Nonlinear Subsystems

Typically, sliding mode existence is local for nonlinear time-varying dynamics. Determining analytic existence conditions, in the form of parameter ranges for a structure of nonlinear dynamics, is often intractable. However, a visual approach employing overlapping phase portraits of the subsystems can be used based on the following interpretation. Equation (3) is equivalent to the following:

$$\lim_{s(x) \to 0^+} \dot{s}(x) < 0 \quad \text{and} \quad \lim_{s(x) \to 0^-} \dot{s}(x) > 0. \qquad (4)$$

The above equation implies that if we consider the state space to be partitioned into two regions corresponding to $s(x) > 0$ and $s(x) < 0$, then if the state is on, say, the $s(x) > 0$ ($s(x) < 0$) side, its trajectory will be attracted to the other side (and across $s(x) = 0$) due to the requirement on the rate of change of $s(x)$ that $\dot{s}(x) < 0$ ($\dot{s}(x) > 0$). The overall effect is an attraction to the $s(x) = 0$ surface whereby once the state crosses $s(x) = 0$ from one side to the other, it crosses right back. Visually in state space, (3) can be evaluated by employing overlapping phase portraits of the subsystems and analyzing whether the state trajectories of the appropriate subsystems on either side of the surface push the state back to the sliding surface. Of course, the visual approach is limited to situations in which the dimensionality is small.

2. (Incrementally) Linear Subsystems

Analytically, we present the following theorem regarding the existence of a sliding mode for incrementally linear subsystem dynamics.

Theorem 1 (Existence of a Sliding Mode)

Given the variable structure system

$$\dot{x} = \begin{cases} A_1 x + b_1, & s(x) > 0 \\ A_2 x + b_2, & s(x) \le 0 \end{cases} \qquad (5)$$

where $x \in \mathbb{R}^{n\times 1}$, $A_i \in \mathbb{R}^{n\times n}$, $b_i \in \mathbb{R}^{n\times 1}$ and $s(x) = Cx \in \mathbb{R}$ for a constant row vector $C = [c_1\ c_2 \cdots c_n] \in \mathbb{R}^{1\times n}$, the necessary and sufficient conditions for existence of the sliding mode are:

$$\begin{cases} C(A_1 x + b_1) < 0, & s(x) > 0 \\ C(A_2 x + b_2) > 0, & s(x) < 0. \end{cases} \qquad (6)$$

Proof

The overall system of (5) can be represented as (for simplicity we denote $s(x)$ as $s$):

$$\dot{x} = \left[\frac{1 + \operatorname{sgn}(s)}{2}\right](A_1 x + b_1) + \left[\frac{1 - \operatorname{sgn}(s)}{2}\right](A_2 x + b_2) \qquad (7)$$

where $\operatorname{sgn}(s) = 1$ for $s > 0$ and $\operatorname{sgn}(s) = -1$ for $s \le 0$. From (3) a sliding mode exists if and only if $s\dot{s} < 0$; we determine the conditions that guarantee this inequality, making use of $s\,\operatorname{sgn}(s) = |s|$:

$$\begin{aligned} s\dot{s} &= sC\dot{x} = sC\left\{\left[\frac{1 + \operatorname{sgn}(s)}{2}\right](A_1 x + b_1) + \left[\frac{1 - \operatorname{sgn}(s)}{2}\right](A_2 x + b_2)\right\} \\ &= \tfrac{1}{2}\,s\,C[(A_1 + A_2)x + (b_1 + b_2)] + \tfrac{1}{2}\,|s|\,C[(A_1 - A_2)x + (b_1 - b_2)] \\ &= \tfrac{1}{2}(s + |s|)\,C(A_1 x + b_1) + \tfrac{1}{2}(s - |s|)\,C(A_2 x + b_2) \end{aligned}$$

which is equivalent to (6) if we impose $s\dot{s} < 0$, using the fact that $s + |s| > 0$ and $s - |s| = 0$ for $s > 0$, and $s + |s| = 0$ and $s - |s| < 0$ for $s < 0$. ■

Thus, Condition (6) is necessary and sufficient to guarantee that $s\dot{s} < 0$ and represents a convenient test for the existence of a sliding mode. An opponent would have to determine a vector $C = [c_1\ c_2 \cdots c_n]$ (or an associated vector range) such that (6) holds for a region in state space.

The reader should note that (6) implies that the range of $C$ for which the inequalities hold is in general dependent on the values of the state $x$. This implies that the attraction condition exists for a given neighborhood of $x$ and hence is local. To employ this criterion, an opponent would consider the neighborhood about the current equilibrium point $x^*$, $x \in N(x^*)$, and select a $C$ such that $C(A_1 x + b_1) < 0$ where $s > 0$ and $C(A_2 x + b_2) > 0$ where $s < 0$ for $x \in N(x^*)$.

We emphasize that the conditions above only guarantee attraction to the s=0 surface and do not imply stability properties of the system. The next theorem characterizes the behavior of the state once attracted to the sliding surface thus providing insight on its stability properties.

B. Sliding Mode Dynamics

A sliding mode provides a steering quality to an opponent to shift a grid to a more vulnerable state. If a sliding mode is unstable, the state will be attracted to $s = 0$ and then continue on the surface to infinity. In the stable case, it will eventually converge to an equilibrium point on the $s = 0$ surface. To characterize the sliding mode dynamics and stability properties, we present the following theorem.

Theorem 2 (Sliding Mode Dynamics)

For the variable structure system

$$\dot{x} = \begin{cases} A_1 x + b_1, & s(x) > 0 \\ A_2 x + b_2, & s(x) \le 0 \end{cases}$$

where $x \in \mathbb{R}^{n\times 1}$, $A_i \in \mathbb{R}^{n\times n}$ and $b_i \in \mathbb{R}^{n\times 1}$, assume that a sliding mode for $s = Cx$, $C \in \mathbb{R}^{1\times n}$, exists. Then the sliding mode dynamics can be characterized by $G(x)$ as follows:

$$\dot{x} = G(x), \qquad (8)$$

where

$$G(x) = \tfrac{1}{2}\left[(A_1 + A_2)x + (b_1 + b_2)\right] - \tfrac{1}{2}\left[(A_1 - A_2)x + (b_1 - b_2)\right] \frac{C\left[(A_1 + A_2)x + (b_1 + b_2)\right]}{C\left[(A_1 - A_2)x + (b_1 - b_2)\right]}.$$

Moreover, the local stability properties of the system about a neighborhood of the equilibrium point $x^* \in \mathbb{R}^{n\times 1}$ can be determined: stable if all non-trivial eigenvalues of $G(x^*)$ are in the left half plane, and unstable otherwise.

Proof

We assign $G_a(x) = \tfrac{1}{2}[(A_1 + A_2)x + (b_1 + b_2)]$ and $G_d(x) = \tfrac{1}{2}[(A_1 - A_2)x + (b_1 - b_2)]$. Then the variable structure system can be represented in the form of a control system:

$$\begin{cases} \dot{x} = G_a(x) + G_d(x)\,u \\ s = Cx \\ u = \operatorname{sgn}(s) \end{cases} \qquad (9)$$

where $u \in \mathbb{R}$ is defined for a given $s = Cx$. Given sliding mode existence, we can characterize its traversal along $s(x) = 0$ using the method of equivalent control [17]. Here, we have

$$\dot{s} = C\dot{x} = CG_a(x) + CG_d(x)\,u. \qquad (10)$$

For the state confined to the sliding surface, $s = \dot{s} = 0$. We solve for the equivalent control $u_{eq}$ by setting (10) to zero and solving for $u$. This gives $u_{eq} = -[CG_d(x)]^{-1} CG_a(x)$, where the reader should note that $CG_a(x), CG_d(x) \in \mathbb{R}$. The effective system dynamics in the sliding mode are therefore

$$\dot{x} = G_a(x) + G_d(x)\,u_{eq} = \tfrac{1}{2}\left[(A_1 + A_2)x + (b_1 + b_2)\right] - \tfrac{1}{2}\left[(A_1 - A_2)x + (b_1 - b_2)\right] \frac{C\left[(A_1 + A_2)x + (b_1 + b_2)\right]}{C\left[(A_1 - A_2)x + (b_1 - b_2)\right]} = G(x).$$

The local stability properties follow by applying linearization and Theorems 15 and 27 of [18]. □

Equations (8) and (9) of Theorem III-B describe the sliding mode dynamics as a combination of the average (i.e., $\tfrac{1}{2}[(A_1 + A_2)x + (b_1 + b_2)]$) and difference (i.e., $\tfrac{1}{2}[(A_1 - A_2)x + (b_1 - b_2)]$) of the individual subsystem dynamics. The state- and sliding-surface-dependent weight $\frac{C[(A_1 + A_2)x + (b_1 + b_2)]}{C[(A_1 - A_2)x + (b_1 - b_2)]} \in \mathbb{R}$ scales the difference dynamics relative to the average dynamics to maintain the system on the sliding surface. Selection of $C$, and hence of the particular sliding mode to use for switching, will have an effect on the behavior of the state. If $C$ is more aligned (via the dot product measure) to the average dynamics, then the difference dynamics have greater influence than the average, and vice versa.

For an attack, an opponent is concerned with power flow disruption and may be most interested in the stability properties of the sliding mode. Thus, unstable sliding modes can be leveraged through persistent switching until significant disruption results. Although perhaps not immediately obvious, stable sliding modes can also be leveraged as we demonstrate in Section V to steer the system across the stability boundary of one of the subsystems and then terminate switching to enable passive disruption.

IV.   Attack Construction

Employing our framework, we provide the steps necessary for attack construction and apply them to a case study involving the Western Electricity Coordinating Council (WECC) 3-machine, 9-bus system. The reader should note that, from our experience, the existence of a sliding mode, and hence the ability to construct the attack for a target generator in the proximity of a corrupted breaker, is typically high for most test systems considered.

A. Stages of Attack Construction

The stages of an attack construction are as follows.

  1. Mathematically represent the system under the switching attack as a variable structure system whereby the switching rule s(x) remains general.
  2. For general nonlinear systems, identify the equilibrium points and linearize the system about the equilibrium points.
  3. Determine the existence of and identify a class of sliding modes using Theorem III-A.2.
  4. Characterize the dynamical and stability properties of the sliding modes using Theorem III-B.
  5. Select and assign an identified sliding surface to s(x) for attack implementation.

We contend that the steps above apply to general nonlinear models of power system dynamics; the linearization stage is critical to make use of Theorems III-A.2 and III-B. However, for general nonlinear systems, pictorial approaches for identification of sliding modes are also possible, as mentioned in Section III-A. A phase portrait of each nonlinear subsystem must be determined, identifying stable foci and saddle points. These phase portraits must then be overlapped. A sliding surface $s(x) = 0$ may be identified visually if, in the vicinity of $s(x) = 0$, the trajectory vectors of the subsystems point toward the switching surface in opposite directions; this ensures that the state trajectory of the switched system will be driven to the switching surface and will stay within a neighborhood of it. The interested reader is referred to [17]. We employ the visual approach to sliding mode identification as a brief check to verify our linearized model results, but it would not typically be used by an opponent for attack construction.

A natural approach to attacking a power grid would be to exploit the unstable sliding mode of a system whereby the state is steered to an arbitrarily large value. However, the reader should note that it is possible to exploit both unstable and stable sliding modes for effective power system disruption.

To illustrate the use of our variable structure theory approach, we demonstrate the construction of an attack for the well-known single machine infinite bus (SMIB) power system model presented in Fig. 3.

Fig. 3. Single machine infinite bus system model. The opponent coordinates switching of the load $P_L$ based on the values of Generator $G_1$'s state $x = [\delta_1\ \omega_1]^T$.

B. Variable Structure Representation

A typical power system is piecewise time-invariant; that is, within a short window of time representing the attack duration before disruption, the system parameters can be considered constant. Thus, for the purposes of our modeling for attack construction, we make use of time-invariant parameters in a swing equation-based model of the power system. The SMIB model can then be expressed as [22]:

$$\begin{cases} \dot{\delta}_1 = \omega_1 \\ M_1 \dot{\omega}_1 = P_{M1} - E_1^2 G_{11} - s_L P_L - E_1 E B_1 \sin\delta_1 - D_1 \omega_1 = P_1 - C_1 \sin\delta_1 - D_1 \omega_1 \end{cases} \qquad (11)$$

where $\delta_1$ and $\omega_1$ are the rotor angle and rotor speed deviation of Generator $G_1$, respectively, and collectively form the state $x = [\delta_1\ \omega_1]^T$; $M_1$, $D_1$, $E_1$, $P_{M1}$ are the moment of inertia, damping coefficient, internal voltage and mechanical power of $G_1$, respectively; $E$ is the voltage at the infinite bus; $P_L$ is the local load at Bus 1; $s_L$ is the load switch status ($s_L = 1$ if the load is connected, $s_L = 0$ otherwise); and $B_1$ is the transfer susceptance of the line between Bus 1 and the infinite bus. We assign $P_1 = P_{M1} - E_1^2 G_{11} - s_L P_L$ and $C_1 = E_1 E B_1$.

Assuming that $C_1 = 1$, $D_1 = 0.1$, $M_1 = 0.1$, $P_{M1} - E_1^2 G_{11} - P_L = 0$ and $P_{M1} - E_1^2 G_{11} = 0.9$, the overall variable structure system can be represented as:

$$A_1: \begin{cases} \dot{\delta}_1 = \omega_1 \\ \dot{\omega}_1 = -10 \sin\delta_1 - \omega_1 \end{cases} \text{ if } s_L = 1, \qquad A_2: \begin{cases} \dot{\delta}_1 = \omega_1 \\ \dot{\omega}_1 = 9 - 10 \sin\delta_1 - \omega_1 \end{cases} \text{ if } s_L = 0. \qquad (12)$$

It is straightforward to determine from (12) that system $A_1$'s stable foci are at $(2n\pi, 0)$ and its saddle points are at $(2n\pi + \pi, 0)$, where $n \in \mathbb{Z}$, as shown in the phase portrait of Fig. 4(a). Any point within a stability boundary will converge to the corresponding stable focus. Similarly, for system $A_2$ the stable foci are at $(2n\pi + 1.1198, 0)$ and the saddle points are at $(2n\pi + 2.0218, 0)$, as shown in the phase portrait of Fig. 4(b).

Fig. 4. Individual and overlapping phase portraits of the subsystems of (12). (a) Phase portrait of system $A_1$. (b) Phase portrait of system $A_2$. (c) Close-up of overlapping phase portraits.

As discussed in Section IV-A, for a general nonlinear system the existence of a sliding mode can be determined pictorially from the overlapping phase portraits. Here, one interprets (3) visually in state space whereby a sliding surface s(x)=0 must be found such that in the neighborhood of this surface the trajectory vectors of each subsystem point toward the switching surface but in opposite directions. The switching between subsystems would be assigned such that when on one side of the sliding surface s(x)=0, the system would switch to the subsystem with trajectories pointing toward that surface. This ensures that the state trajectory of the variable structure system will be driven to the switching surface and will stay within a region of it [17].

To determine the possibility of a sliding mode in this way, the overlapping phase portraits are shown in Fig. 4(c). Visual inspection suggests there are multiple possibilities for linear sliding surfaces such as s=6δ1+ω1. However, in Section V we demonstrate the utilization of Theorems III-A.2 and III-B on the linearized system to determine the range of possible sliding surfaces for attack. In this way, we demonstrate the mathematical and numerical ease in determining such a vulnerability.

C. SMIB Attack Construction

To apply Theorems III-A.2 and III-B to our SMIB power system model of (12), we must linearize its representation. Approximating $\sin\delta_1 \approx \delta_1$ for small $\delta_1$ and assuming that $s > 0$ ($s \le 0$) corresponds to the load switch being closed to give $A_1$ (open to give $A_2$), we obtain:

$$\dot{\delta}_1 = \omega_1, \qquad \dot{\omega}_1 = \begin{cases} -10\delta_1 - \omega_1, & s > 0 \\ 9 - 10\delta_1 - \omega_1, & s \le 0 \end{cases} \qquad (13)$$

corresponding to $A_1 = A_2 = \begin{bmatrix} 0 & 1 \\ -10 & -1 \end{bmatrix}$, $b_1 = [0\ 0]^T$ and $b_2 = [0\ 9]^T$ in (5). Theorem III-A.2 provides the following sliding mode existence conditions for $s = c_1\delta_1 + c_2\omega_1$:

$$\begin{cases} c_1\omega_1 - 10c_2\delta_1 - c_2\omega_1 < 0 & \text{for } c_1\delta_1 + c_2\omega_1 > 0 \\ c_1\omega_1 - 10c_2\delta_1 - c_2\omega_1 + 9c_2 > 0 & \text{for } c_1\delta_1 + c_2\omega_1 < 0. \end{cases} \qquad (14)$$

Fig. 5 illustrates this overall region; the regions delineated $s < 0$ and $s > 0$ denote the values of $(c_1, c_2)$ for which $c_1\omega_1 - 10c_2\delta_1 - c_2\omega_1 < 0$ and $c_1\omega_1 - 10c_2\delta_1 - c_2\omega_1 + 9c_2 > 0$ about $x^* = [1.1198\ 0]^T$, respectively. We can construct an attack by selecting $C = [6\ 1]$, corresponding to $s = 6\delta_1 + \omega_1$. Applying Theorem III-B, we find that it is a stable sliding mode.

Fig. 5. Valid sliding mode parameter region about a neighborhood of $x^* = [1.1198\ 0]^T$.
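Theorems III-A.2 and III-B applied to the linearized SMIB model (13), as an added worked example that is not the paper's code: it evaluates condition (6) on both sides of $s = 6\delta_1 + \omega_1 = 0$ at a chosen point of the surface, computes the equivalent control and the sliding dynamics $G(x)$ of (8), and reads off the non-trivial Jacobian eigenvalue for the stability test. Probing the surface at $\pm\varepsilon$ along $C^T$ and the finite-difference Jacobian are this example's own choices; the functions take general $(A_1, b_1, A_2, b_2, C)$, so the perturbed matrices of Section VI-A can be screened the same way.

```python
# Added example (not the paper's code): Theorem III-A.2 existence test (6) and
# Theorem III-B sliding dynamics (8) for affine subsystems, applied to the
# linearized SMIB model (13) with C = [6 1].  Pure Python, no dependencies.
from math import sqrt


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def affine(A, b, x):
    """Subsystem dynamics A x + b."""
    return [dot(row, x) + bi for row, bi in zip(A, b)]


def condition6(A1, b1, A2, b2, C, x):
    """Condition (6) at one point x off the surface: the subsystem active on
    x's side of s = Cx must push the state toward s = 0."""
    s = dot(C, x)
    if s > 0:
        return dot(C, affine(A1, b1, x)) < 0
    if s < 0:
        return dot(C, affine(A2, b2, x)) > 0
    raise ValueError("x lies exactly on the switching surface")


def sliding_mode_exists_at(A1, b1, A2, b2, C, x0, eps=1e-4):
    """Check (6) on both sides of s = 0 around a surface point x0 by stepping
    +/- eps along the surface normal C^T (the probing is this example's choice)."""
    n = [c / sqrt(dot(C, C)) for c in C]
    plus = [xi + eps * ni for xi, ni in zip(x0, n)]    # s > 0 side
    minus = [xi - eps * ni for xi, ni in zip(x0, n)]   # s < 0 side
    return (condition6(A1, b1, A2, b2, C, plus)
            and condition6(A1, b1, A2, b2, C, minus))


def equivalent_control(A1, b1, A2, b2, C, x):
    """u_eq = -(C G_d)^-1 C G_a with G_a, G_d as in the proof of Theorem III-B."""
    f1, f2 = affine(A1, b1, x), affine(A2, b2, x)
    Ga = [0.5 * (p + q) for p, q in zip(f1, f2)]   # average dynamics
    Gd = [0.5 * (p - q) for p, q in zip(f1, f2)]   # difference dynamics
    return -dot(C, Ga) / dot(C, Gd), Ga, Gd


def sliding_dynamics(A1, b1, A2, b2, C, x):
    """G(x) of (8): motion of the state once confined to s = 0."""
    ueq, Ga, Gd = equivalent_control(A1, b1, A2, b2, C, x)
    return [ga + gd * ueq for ga, gd in zip(Ga, Gd)]


def jacobian_eigs_2d(f, x, h=1e-6):
    """Real parts of the eigenvalues of the 2x2 Jacobian of f at x (central
    differences), ascending; this is the stability test of Theorem III-B."""
    J = [[0.0, 0.0], [0.0, 0.0]]
    for j in range(2):
        xp, xm = list(x), list(x)
        xp[j] += h
        xm[j] -= h
        fp, fm = f(xp), f(xm)
        for i in range(2):
            J[i][j] = (fp[i] - fm[i]) / (2 * h)
    tr = J[0][0] + J[1][1]
    det = J[0][0] * J[1][1] - J[0][1] * J[1][0]
    disc = tr * tr / 4 - det
    if disc < 0:                      # complex pair: both real parts equal tr/2
        return [tr / 2, tr / 2]
    return sorted([tr / 2 - sqrt(disc), tr / 2 + sqrt(disc)])


# Linearized SMIB (13): both subsystems share A and differ only in b.
A_SMIB = [[0.0, 1.0], [-10.0, -1.0]]
B_LOAD_ON = [0.0, 0.0]    # s > 0: load connected (A1)
B_LOAD_OFF = [0.0, 9.0]   # s <= 0: load disconnected (A2)
C_ATTACK = [6.0, 1.0]     # s = 6*delta1 + omega1


def on_surface(delta1):
    """Point of s = 6 delta1 + omega1 = 0 at rotor angle delta1."""
    return [delta1, -6.0 * delta1]


def smib_sliding_exists(delta1):
    return sliding_mode_exists_at(A_SMIB, B_LOAD_ON, A_SMIB, B_LOAD_OFF,
                                  C_ATTACK, on_surface(delta1))


def smib_sliding_dynamics(x):
    return sliding_dynamics(A_SMIB, B_LOAD_ON, A_SMIB, B_LOAD_OFF, C_ATTACK, x)


def smib_sliding_eigs():
    return jacobian_eigs_2d(smib_sliding_dynamics, on_surface(0.1))


def smib_existence_segment(lo=-1.0, hi=1.0, step=0.005):
    """Scan s = 0 for the delta1 interval on which (6) holds on both sides."""
    ok = [lo + k * step for k in range(int(round((hi - lo) / step)) + 1)
          if smib_sliding_exists(lo + k * step)]
    return (min(ok), max(ok)) if ok else None


if __name__ == "__main__":
    print("attraction holds for delta1 in", smib_existence_segment())
    print("G(x) on the surface at delta1 = 0.1:", smib_sliding_dynamics(on_surface(0.1)))
    print("sliding-mode Jacobian eigenvalues:", smib_sliding_eigs())
```

The scan shows the attraction condition holding only on a segment of the surface (here $0 \le \delta_1 \lesssim 0.225$), the local character of (6) noted in Section III-A, while the non-trivial eigenvalue of the sliding dynamics is $-6$, so the mode is stable as stated in Section IV-C.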

V.   Attack Execution and Impact

In this section we execute a coordinated variable structure switching attack using our sliding mode selection of s=6δ1+ω1 on the nonlinear SMIB and a more realistic test system to demonstrate the value of Theorems III-A.2 and III-B for attack construction on linearized models. Our target in both cases is Generator G1 and the corrupted breaker is that associated with load switching.

A. Nonlinear SMIB Case Study

Consider application of a switching attack on the nonlinear SMIB model of (12). We assume that the load is initially disconnected (i.e., the system is at $A_2$) and apply the attack from 0 to 2.5 seconds, which drives the system trajectory across the stability boundary of subsystem $A_2$, at which time the attack finally switches the system dynamics to $A_2$ permanently, as observed in Fig. 6(a). Thus, $G_1$ is destabilized within seconds by steering its state over the stability boundary via the switching attack. The reader should note that, as discussed, $s = 6\delta_1 + \omega_1$ is a stable sliding mode. Thus, persistent switching (as opposed to switching limited to 2.5 s) will steer the power system from the initial stable focus of (1.1198, 0) to the stable focus of (0, 0), as presented in Fig. 6(b).

Fig. 6. Switching attack on System (12) for $s = 6\delta_1 + \omega_1$. (a) Stop time of 2.5 seconds. (b) No stop time.
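The Section V-A case study as an added worked example, not the paper's code: it integrates the switched nonlinear SMIB model (12) under the rule $s = 6\delta_1 + \omega_1$ from the $A_2$ focus (1.1198, 0), with the load breaker following the sign of $s$ until an optional stop time, after which it stays in the disconnected position. The forward-Euler integrator, the 1 ms step and the 8 s horizon are this example's choices; the helpers report when the surface is first reached and how far the state departs from it, the quantities a defender would compare against relay settings such as those of Section V-B.

```python
# Added example (not the paper's code): time-domain simulation of the switched
# nonlinear SMIB model (12) under the rule s = 6*delta1 + omega1, with the load
# breaker following the sign of s.  Forward Euler, the 1 ms step and the 8 s
# horizon are this example's choices.
from math import sin

C_ATTACK = (6.0, 1.0)        # s = 6*delta1 + omega1 (Section IV-C)
X0_A2_FOCUS = (1.1198, 0.0)  # stable focus of A2: load initially disconnected


def f1(x):
    """Subsystem A1 of (12): load connected (s_L = 1)."""
    d, w = x
    return [w, -10.0 * sin(d) - w]


def f2(x):
    """Subsystem A2 of (12): load disconnected (s_L = 0)."""
    d, w = x
    return [w, 9.0 - 10.0 * sin(d) - w]


def switching_signal(x, C=C_ATTACK):
    return C[0] * x[0] + C[1] * x[1]


def simulate(x0=X0_A2_FOCUS, t_end=8.0, dt=1e-3, stop_time=None):
    """Integrate the variable structure system from x0.

    While t < stop_time (always, if stop_time is None) the breaker follows the
    sign of s(x): A1 for s > 0, A2 for s <= 0.  After stop_time it is frozen in
    the disconnected position (A2), as in the 2.5 s case of Section V-A.
    Returns (times, states, s_values)."""
    x, t = list(x0), 0.0
    times, states, svals = [t], [list(x)], [switching_signal(x)]
    for _ in range(int(round(t_end / dt))):
        switching_active = stop_time is None or t < stop_time
        dx = f1(x) if (switching_active and switching_signal(x) > 0) else f2(x)
        x = [xi + dt * di for xi, di in zip(x, dx)]   # forward Euler step
        t += dt
        times.append(t)
        states.append(list(x))
        svals.append(switching_signal(x))
    return times, states, svals


def time_to_reach_surface(tol=0.05, **kw):
    """First time at which |s(x)| <= tol, i.e. the trajectory meets s = 0."""
    times, _, svals = simulate(**kw)
    return next((t for t, s in zip(times, svals) if abs(s) <= tol), None)


def max_abs_s_after(t_from, **kw):
    """Largest |s| seen from t_from onward: a measure of chattering about s = 0."""
    times, _, svals = simulate(**kw)
    return max(abs(s) for t, s in zip(times, svals) if t >= t_from)


def final_state(**kw):
    return simulate(**kw)[1][-1]


if __name__ == "__main__":
    print("surface reached at t =", time_to_reach_surface())
    print("persistent switching, final state:", final_state())
    print("stop at 2.5 s, final state:", final_state(stop_time=2.5))
```

With stop_time=None the switching is persistent and the state settles near the origin, as in Fig. 6(b); pass stop_time=2.5 to run the stop-time scenario of Fig. 6(a).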

B. WECC 3-Generator, 9-Bus Case Study

To further demonstrate the utility of the attack, we consider a variant of the well-known Western Electricity Coordinating Council (WECC) 3-machine, 9-bus system [23] presented in Fig. 7. This system can be approximated with the second order nonlinear SMIB model of (12). Thus, we apply the same sliding surface $s = 6\delta_1 + \omega_1$ for attack.

Fig. 7. One-line diagram of the revised WECC system.

The test system in question is simulated in PSCAD (Power System Computer Aided Design, https://hvdc.ca/pscad/) software, one of the most popular power system simulation tools. PSCAD enables the modeling of generator controls including governors and exciters, as well as protective relays, to demonstrate the potential of our approach to disrupt real power system operation. The test system is based on the WECC system, with the addition of a transmission line, a local load, and a gas turbine generator. Here, the base MVA is 100, the system nominal frequency is 60 Hz and the generator parameters are shown in Table I. The transmission line connecting Generator $G_1$ and the infinite bus is modeled using an inductor of 0.014 H. The local load $P_L$ is chosen to be 32.4 MW, modeled using a constant resistor. The PSCAD step size was chosen to be 50 μs.

TABLE I Generator Parameters for Fig. 7 System

For consistent comparison, simulations of the WECC system are presented for the same system initial conditions and stop time as employed for the second order nonlinear SMIB model of the previous section. Specifically, the initial state of the WECC system is set to the stable focus of (1.1198, 0). If $s > 0$, the system dynamics switch to system $A_1$, and if $s \le 0$, they switch to $A_2$. The switching attack is applied from 0.2248 to 2.7248 seconds (the non-zero start time is necessary for the PSCAD implementation of the attacked system), which once again drives the system trajectory across the stability boundary of $A_2$, at which point the switch is permanently set to $A_2$, making the system unstable. The frequency relays of all generators including $G_1$ are set to trip for a deviation of more than ±5% of the nominal frequency (of $2\pi \times 60 = 377$ rad/s), which corresponds to 18.8 rad/s; in this way we also take into account the response of the non-corrupted breakers to the switching attack. PSCAD simulations demonstrate in Fig. 8(a) how at time 2.7248 seconds (which corresponds to 2.5 seconds in the SMIB simulation due to the delayed start time) the system state diverges. The deviation from nominal frequency, phase angle and output voltage of Generator $G_1$ during the attack are shown in Fig. 8(b)–(d), respectively. As observed, the frequency and voltage of $G_1$ become unstable right after application of the attack.

Fig. 8. PSCAD simulation results of the WECC system for $s = 6\delta_1 + \omega_1$ switching from 0 to 2.5 seconds. (a) System state trajectory. (b) $G_1$ deviation from nominal frequency. (c) $G_1$ phase angle. (d) $G_1$ output voltage.

To illustrate that the sliding mode exploited for the attack is in fact stable, the same coordinated switching is applied indefinitely, with results presented in Fig. 9.

Fig. 9. PSCAD simulation results of the WECC system in the presence of persistent variable structure switching for $s = 6\delta_1 + \omega_1$ from 0 seconds. (a) System state trajectory. (b) $G_1$ deviation from nominal frequency. (c) $G_1$ phase angle. (d) $G_1$ output voltage.

C. Efficacy of Linearized Results

We assert that the attack theory and analysis presented in this paper has the potential to be employed, in part, as a tool to understand possible vulnerabilities in future smart grid systems as well as the worst-case impact of switching attacks. One measure of the degree of weakness exhibited by a system could relate to the range of possible sliding modes available for an opponent to exploit.

For this reason, Theorem III-A.2 can be a useful tool when applied to a linearized smart grid system. To demonstrate the value of the linearized results, we present in Table II the ranges of $c_1$ corresponding to the existence or absence of a sliding mode for the three systems: linearized SMIB, nonlinear SMIB and high-order WECC. It is clear that there is a large overlap in the existence of a sliding mode between the nonlinear and linearized versions, demonstrating that our approximation does not significantly affect the degree of vulnerability present in the system.

TABLE II. Empirical Existence of Sliding Surface $s = c_1\delta_1 + \omega_1$ for Linearized SMIB, Nonlinear SMIB, Nonlinear SMIB With Parameter Errors and WECC Test System. Simulation Tests Were Conducted for $c_1 \in \mathbb{Z}$ and $-20 \le c_1 \le 20$.

VI.   Limitations on Attacker Knowledge

To construct and apply a successful coordinated variable structure switching attack, an opponent would need to leverage cyber intrusion to enable Conditions (B) and (D) of Section II-B as well as have a local model of the smart grid in the proximity of the target and corrupt breaker.

Given the need for timed coordination in the attack, switching control is imperative for success. In this section, however, we assess the effect of limitations on opponent knowledge on the ability to construct and execute an attack. We focus on model error, which affects the ability to construct a feasible attack, and on strategies to contend with only partial state information, which affects attack execution.

A. Model Parameter Error

Questions naturally arise as to the effects of model error on attack construction. Consider the system of (12) with parameter error:

$$A_1:\ \begin{cases}\dot{\delta}_1 = 0\cdot(1+\varepsilon_{11}) + (1+\varepsilon_{12})\,\omega_1 \\ \dot{\omega}_1 = -(10+\varepsilon_{13})\sin\delta_1 - (1+\varepsilon_{14})\,\omega_1\end{cases} \qquad (15)$$

$$A_2:\ \begin{cases}\dot{\delta}_1 = 0\cdot(1+\varepsilon_{21}) + (1+\varepsilon_{22})\,\omega_1 \\ \dot{\omega}_1 = 9 - (10+\varepsilon_{23})\sin\delta_1 - (1+\varepsilon_{24})\,\omega_1\end{cases}$$

where $\{\varepsilon_{ij}\}$ are specific parameter error values. The existence conditions of Theorem III-A.2 become:

$$c_1(1+\varepsilon_{12})\,\omega_1 - 10c_2(1+\varepsilon_{13})\,\delta_1 - c_2(1+\varepsilon_{14})\,\omega_1 < 0 \quad \text{for } c_1\delta_1 + c_2\omega_1 > 0,$$

$$c_1(1+\varepsilon_{22})\,\omega_1 - 10c_2(1+\varepsilon_{23})\,\delta_1 - c_2(1+\varepsilon_{24})\,\omega_1 + 9c_2 > 0 \quad \text{for } c_1\delta_1 + c_2\omega_1 < 0.$$

Fig. 10 illustrates the effects of errors; the change in slope of the region boundaries due to parameter errors results in both false positives and false negatives in the determination of $C$. Study of Fig. 10 reveals that a robust strategy for the selection of $C$ would be to select a value internal to the region boundaries. If bounds on $\varepsilon_{ij}$ are available, then it is possible to guarantee a robust selection of $C$ that is far enough from the boundaries.

Fig. 10. Effect of model error on sliding mode identification. Selection of $C=[6~1]$ is internal to the boundaries and guarantees robustness against a degree of model error.

B. Partial State Information

The opponent may gain target state information through cyber intrusion and eavesdropping. The feasibility of this depends on the communication media and protocols used; further discussion is beyond the scope of this paper.

In this section, we investigate the efficacy of our attack approach when only partial state information is available. Here, we assume that the opponent aims to estimate the missing state information from, say, other available information, resulting in an increase in attack complexity.

We consider the case in which an attack is applied to the revised WECC test system of Fig. 7. We assume that the generator $G_1$ frequency $\omega_1$ is known to the opponent, but the rotor angle $\delta_1$ must be estimated in some way. Specifically, we assume as an example that the terminal voltage and current of an associated transmission line are known and must be used in the estimation of $\delta_1$.

Modeling the standard WECC system in relation to $G_1$ as a SMIB system, we obtain the system in Fig. 11. Applying Kirchhoff's law gives:

$$E_1\angle\delta_1 = jX_d\, I\angle\alpha + E\angle\theta = (E\cos\theta - X_d I \sin\alpha) + j\,(E\sin\theta + X_d I \cos\alpha),$$

where $E_1\angle\delta_1$ is the generator internal voltage, $jX_d$ is the impedance of the transmission line, $I\angle\alpha$ is the current of the transmission line and $E\angle\theta$ is the terminal voltage. Thus, the generator internal voltage $E_1$ and phase angle $\delta_1$ can be estimated using the following equations:

$$E_1 = \sqrt{(E\cos\theta - X_d I \sin\alpha)^2 + (E\sin\theta + X_d I \cos\alpha)^2} \qquad (16)$$

and

$$\tan\delta_1 = \frac{E\sin\theta + X_d I \cos\alpha}{E\cos\theta - X_d I \sin\alpha}.$$

Fig. 11. SMIB system approximation for partial state estimation.

Given the approximation that $\tan\delta_1 \approx \delta_1$ when $\delta_1$ is small, we have

$$\delta_1 \approx \tan\delta_1 = \frac{E\sin\theta + X_d I \cos\alpha}{E\cos\theta - X_d I \sin\alpha}. \qquad (17)$$

Therefore, $\delta_1$ can be estimated via the terminal voltage $E\angle\theta$ and current $I\angle\alpha$ of the transmission line as follows:

$$\begin{bmatrix}\hat{\delta}_1 \\ \omega_1\end{bmatrix} = \begin{bmatrix}\dfrac{E\sin\theta + X_d I \cos\alpha}{E\cos\theta - X_d I \sin\alpha} \\ \omega_1\end{bmatrix}. \qquad (18)$$
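The estimator of (16)–(18) as an added worked example; this is illustrative code written for this page, not code from the paper or from the PSCAD model. It evaluates the phasor relation $E_1\angle\delta_1 = E\angle\theta + jX_d\,I\angle\alpha$, the magnitude and angle of (16), and the small-angle shortcut $\hat{\delta}_1 = \tan\delta_1$ of (17)–(18), and returns the error the shortcut introduces so that the reader can see how the approximation degrades as the rotor angle grows. All quantities are assumed to be per-unit, angles are in radians, and every numeric input in the block is a constructed sample value, not a measurement from the WECC test system.

```python
"""Rotor-angle estimate from terminal measurements, following (16)-(18).

Added worked example, not code from the paper.  Quantities are per-unit and
angles are in radians; all sample inputs below are constructed values.
"""
import cmath
import math


def internal_voltage(E, theta, I, alpha, Xd):
    """Return the generator internal voltage phasor E1∠δ1 as a complex number.

    E, theta : terminal voltage magnitude and angle (rad)
    I, alpha : line current magnitude and angle (rad)
    Xd       : line reactance (the impedance is jXd)
    """
    terminal = cmath.rect(E, theta)      # E∠θ
    current = cmath.rect(I, alpha)       # I∠α
    return terminal + 1j * Xd * current  # Kirchhoff: E1∠δ1 = E∠θ + jXd·I∠α


def estimate_exact(E, theta, I, alpha, Xd):
    """Magnitude E1 and angle δ1 from the real and imaginary parts, as in (16)."""
    re = E * math.cos(theta) - Xd * I * math.sin(alpha)
    im = E * math.sin(theta) + Xd * I * math.cos(alpha)
    E1 = math.hypot(re, im)
    delta1 = math.atan2(im, re)   # atan2 keeps the correct quadrant
    return E1, delta1


def estimate_small_angle(E, theta, I, alpha, Xd):
    """δ̂1 = tan δ1 = (E sinθ + Xd I cosα) / (E cosθ − Xd I sinα), as in (17)-(18)."""
    num = E * math.sin(theta) + Xd * I * math.cos(alpha)
    den = E * math.cos(theta) - Xd * I * math.sin(alpha)
    if abs(den) < 1e-12:
        # δ1 = ±90°: tan δ1 is undefined and the small-angle shortcut is meaningless
        raise ZeroDivisionError("tan δ1 undefined: real part of E1∠δ1 is zero")
    return num / den


def approximation_error(E, theta, I, alpha, Xd):
    """Absolute error (rad) of the small-angle estimate against the exact angle."""
    _, exact = estimate_exact(E, theta, I, alpha, Xd)
    return abs(estimate_small_angle(E, theta, I, alpha, Xd) - exact)


if __name__ == "__main__":
    # Constructed sample: 1.0 pu terminal voltage at 0 rad, Xd = 0.5 pu, current at 0 rad.
    # Increasing current magnitude pushes δ1 away from zero and exposes the shortcut's error.
    for I in (0.2, 0.5, 1.0, 2.0):
        E1, d_exact = estimate_exact(1.0, 0.0, I, 0.0, 0.5)
        d_hat = estimate_small_angle(1.0, 0.0, I, 0.0, 0.5)
        print(f"I={I:.1f} pu: E1={E1:.4f}  δ1={d_exact:.4f} rad  "
              f"δ̂1={d_hat:.4f} rad  error={abs(d_hat - d_exact):.4f} rad")
```

The exact branch (`estimate_exact`) is what an operator's own state estimator would use; the `atan2` form avoids both the division by zero and the quadrant ambiguity of the plain ratio. Comparing it with `estimate_small_angle` shows that (17) is only a good proxy for $\delta_1$ while the angle stays small, which bounds how far an estimate built solely from terminal voltage and current can be trusted.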

Using this estimation approach, we apply the attack from 0 to 2.5 seconds on a PSCAD simulation of the test system of Fig. 7; as shown in Fig. 12, the system dynamics follow the sliding mode to subsequently produce instability and disruption.

Fig. 12. Coordinated switching attack with partial state knowledge on the test system of Fig. 7. (a) $G_1$ phase angle. (b) $G_1$ deviation from nominal frequency. (c) Switch status.

VII.   Related Work

Our work builds on a body of recent research that has focused on the interaction between the cyber and physical aspects of a smart grid to aid in vulnerability analysis; this research takes on a variety of flavors, which can be classified into a number of categories. Static approaches [1] consider topological information about the smart grid in order to study vulnerabilities, often using graph-theoretic means; compact relationships between system components that can lead to cascading corruption and failure are identified. Empirical approaches [12], [13], [15] harness the research and development of realistic communications and power systems simulators. These two forms of simulators are combined such that an attack is applied in the communication simulator, which transfers data to the power systems simulator, which in turn makes decisions based on this possibly corrupt information. Traditional power system reliability metrics are then used to assess the impact of the cyber attacks. Such approaches are valuable in providing indications of attack impacts, but often require exhaustive ‘what-if’ forms of attack case analysis that stop short of providing general principles for grid design. In cyber-physical leakage approaches [24], [25], confidentiality of the cyber network is studied by identifying how voltage and current measurements of the physical power system can be analyzed for clues about cyber protocol activity. Testbed research addresses the exploration of practical vulnerabilities through SCADA testbed development and construction [11], [12]. Although some insights on how to protect industrial control systems such as SCADA are provided, there remains room to develop more prescriptive approaches that provide general design guidelines for future smart grid systems.

VIII.   Final Remarks

A grand challenge in cyber-physical systems research is the development of models that elegantly interface the discrete-time characteristics of the cyber infrastructure with the analog nature of the physical system. We believe that our use of variable structure system theory conveniently interfaces the switching cyber-control within power systems to provide a novel way to understand the cyber-physical interaction and, in the case of this paper, gain insight into new forms of vulnerability. In addition, it lends itself to a natural mathematical framework and formalism useful for automatic identification of vulnerabilities. The use of dynamical systems allows for flexible granularity and can conveniently be implemented for simulation.

Our work demonstrates the efficacy of coordinated variable structure switching attacks by showing how an attack constructed on a linearized version of the system still executes on nonlinear and realistic models of the system. Moreover, the attack can be successful even under conditions of model error and partial state knowledge. Future work will aim to apply variable structure system theory to model robotics systems, as discussed in [26] and [27], and generalized social networking contexts where switched dynamics may be appropriate for representing simple cyber-assisted human decision-making amongst finite choices, such as those made when gambling or in elections.

References


  • [1] D. C. de Leon, J. Alves-Foss, A. Krings, and P. Oman, “Modeling complex control systems to identify remotely accessible devices vulnerable to cyber attack,” in Proc. 1st Workshop Sci. Aspects Cyber Terrorism, Nov. 2002, pp. 1–3.
  • [2] D. D. Dudenhoeffer, M. R. Permann, S. Woolsey, R. Timpany, C. Miller, A. McDermott, and M. Manic, “Interdependency modeling and emergency response,” in Proc. Summer Comput. Simul. Conf., Jul. 2007, pp. 1230–1237.
  • [3] B. Rozel, M. Viziteu, R. Caire, N. Hadjsaid, and J.-P. Rognon, “Towards a common model for studying critical infrastructure interdependencies,” in Proc. IEEE Power Energy Soc. General Meeting Convers. Del. Electr. Energy 21st Century, Jul. 2008, pp. 1–6.
  • [4] N. HadjSaid, C. Tranchita, B. Rozel, M. Viziteu, and R. Caire, “Modeling cyber and physical interdependencies—Application in ICT and power grids,” in Proc. IEEE Power Syst. Conf. Exposit., Mar. 2009, pp. 1–6.
  • [5] J. Stamp, A. McIntyre, and B. Ricardson, “Reliability impacts from cyber attack on electric power systems,” in Proc. IEEE Power Syst. Conf. Exposit., Mar. 2009, pp. 1–8.
  • [6] S. Sheng, W. L. Chan, K. K. Li, D. Xianzhong, and Z. Xiangjun, “Context information-based cyber security defense of protection system,” IEEE Trans. Power Delivery, vol. 22, pp. 1477–1481, Jul. 2007.
  • [7] D. Edwards, S. K. Srivastava, D. A. Cartes, S. Simmons, and N. Wilde, “Implementation and validation of a multi-level security model architecture,” in Proc. Int. Conf. Intell. Syst. Appl. Power Syst., Nov. 2007, pp. 1–4.
  • [8] T. Mander, F. Nabhani, L. Wang, and R. Cheung, “Integrated network security protocol layer for open-access power distribution systems,” in Proc. IEEE Power Eng. Soc. General Meeting, Jun. 2007, pp. 1–8.
  • [9] K. Xiao, N. Chen, S. Ren, L. Shen, X. Sun, K. Kwiat, and M. Macalik, “A workflow-based non-intrusive approach for enhancing the survivability of critical infrastructures in cyber environment,” in Proc. 3rd Int. Workshop Softw. Eng. Secure Syst., May 2007, pp. 1–4.
  • [10] C. M. Davis, J. E. Tate, H. Okhravi, C. Grier, T. J. Overbye, and D. Nicol, “SCADA cyber security testbed development,” in Proc. 38th North Amer. Power Symp., Sep. 2006, pp. 483–488.
  • [11] A. Giani, G. Karsai, T. Roosta, A. Shah, B. Sinopoli, and J. Wiley, “A testbed for secure and robust SCADA systems,” SIGBED Rev., vol. 5, no. 2, pp. 1–4, Jul. 2008.
  • [12] G. Dondossola, F. Garrone, and J. Szanto, “Supporting cyber risk assessment of power control systems with experimental data,” in Proc. IEEE Power Syst. Conf. Expo., Mar. 2009, pp. 1–3.
  • [13] S. Liu, X. Feng, D. Kundur, T. Zourntos, and K. L. Butler-Purry, “Switched system models for coordinated cyber-physical attack construction and simulation,” in Proc. IEEE 1st Int. Conf. Smart Grid Commun., Oct. 2011, pp. 49–54.
  • [14] S. Liu, X. Feng, D. Kundur, T. Zourntos, and K. Butler-Purry, “A class of cyber-physical switching attacks for power system disruption,” in Proc. 7th CSIIRW, Oct. 2011, pp. 1–4.
  • [15] S. Liu, S. Mashayekh, D. Kundur, T. Zourntos, and K. Butler-Purry, “A smart grid vulnerability analysis framework for coordinated variable structure switching attacks,” in Proc. IEEE Power Energy Soc. General Meeting, Jul. 2012, pp. 1–6.
  • [16] Z. Sun and S. S. Ge, Switched Linear Systems: Control and Design. New York, NY, USA: Springer-Verlag, 2005.
  • [17] R. A. DeCarlo, S. H. Zak, and G. P. Matthews, “Variable structure control of nonlinear multivariable systems: A tutorial,” Proc. IEEE, vol. 76, pp. 212–232, Mar. 1988.
  • [18] M. Vidyasagar, Nonlinear Systems Analysis. Upper Saddle River, NJ, USA: Prentice-Hall, 1993.
  • [19] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against state estimation in electric power grids,” in Proc. 16th ACM Conf. Comput. Commun. Security, Nov. 2009, pp. 21–32.
  • [20] R. Bobba, K. M. Rogers, Q. Wang, H. Khurana, K. Nahrstedt, and T. J. Overbye, “Detecting false data injection attacks on DC state estimation,” in Proc. 1st Workshop Secure Control Syst., Apr. 2010, pp. 1–9.
  • [21] T. Flick and J. Morehouse, Securing the Smart Grid: Next Generation Power Grid Security. Boston, MA, USA: Syngress, 2011.
  • [22] P. Kundur, Power System Stability and Control. New York, NY, USA: McGraw-Hill, 1994.
  • [23] P. W. Sauer and M. A. Pai, Power System Dynamics and Stability. Champaign, IL, USA: Stipes Publishing, 2007.
  • [24] H. Tang and B. McMillin, “Security property violation in CPS through timing,” in Proc. 28th Int. Conf. Distrib. Comput. Syst. Workshops, 2008, pp. 519–524.
  • [25] B. McMillin, “Complexities of information security in cyber-physical power systems,” in Proc. IEEE Power Syst. Conf. Exposit., Mar. 2009, pp. 1–2.
  • [26] V. Utkin, J. Guldner, and J. Shi, Sliding Mode Control in Electro-Mechanical Systems. New York, NY, USA: Taylor & Francis, 1999.
  • [27] A. Sabanovic, “Variable structure systems with sliding modes in motion control—A survey,” IEEE Trans. Ind. Inf., vol. 7, no. 2, pp. 212–223, May 2011.

Shan Liu received her Ph.D. degree in electrical and computer engineering from Texas A&M University, in 2013. Her research interests focus on the cyber security of the electric smart grid and cyber-physical system theory. She has received the ACM CSIIRW'11 Best Paper and multiple travel grant awards. She is currently an Assistant Professor at the Communication University of China.
Salman Mashayekh is currently pursuing the Ph.D. degree in electrical and computer engineering with Texas A&M University. His research interests include power management systems, and physical security and cyber security of power systems.
Deepa Kundur is a Professor of electrical and computer engineering with the University of Toronto. She is an Appointed Member of the NERC Smart Grid Task Force, was an Elected Member of the IEEE Information Forensics and Security Technical Committee, and was the Inaugural Vice-Chair of the Security Interest Group of the IEEE Multimedia Communications Technical Committee. She was a Chair of the Trustworthy Cyber-Physical Systems and Infrastructures Track of the NSF and PNNL-sponsored 2011 Workshop on Cooperative Autonomous Resilient Defenses in Cyberspace and was an invited speaker to the NSF-sponsored 2011 Workshop on Cyber-Physical Applications in Smart Grids. She is the author of several widespread tutorial papers, including two articles in the IEEE Signal Processing Magazine in 1996 and 2004 and three articles in the Proceedings of the IEEE in 1999, 2004, and 2008.
Takis Zourntos is with Texas A&M University and OCAD University. He received the B.A.Sc., M.A.Sc., and Ph.D. degrees in electrical and computer engineering from the University of Toronto in 1993, 1996, and 2003, respectively. He has over 15 years of experience at the interface of microelectronics and control theory, which he currently applies to cyber-physical systems applications, such as power systems and robotics. His recent cyber-physical systems robotics research has been featured in Popular Science Magazine's 2009 Best of What's New: Security Innovation and wired.com.
Karen Butler-Purry is a Professor of electrical and computer engineering and an Associate Provost Graduate Studies with Texas A&M University. She is a well-known authority in the areas of computer and intelligent systems application to power distribution systems, distribution automation and management, fault diagnosis, estimation of remaining life of transformers, intelligent reconfiguration, and modeling and simulation for hybrid vehicles.
