Smart grid seminar series
Yao Liu, Peng Ning, and Michael K. Reiter
Presenter:
Raghu Ranganathan
ECE / CMR
Tennessee Technological University
March 22nd, 2011
Paper overview
 A Power Grid is a complex system connecting electric generators to
consumers through power transmission and distribution networks.
 System monitoring is necessary to ensure the reliable operation of power
grids
 State estimation is used in system monitoring to best estimate the power
grid state through analysis of meter measurements and power system
models
 Various techniques have been developed to detect and identify bad
measurements
 In this paper, we present a new class of attacks, called false data injection
attacks, against state estimation in electric power grids.
 We show that an attacker can take advantage of the power system
configuration to launch such attacks
 Attacker can successfully bypass the existing techniques for bad
measurement detection
Paper overview
 Two realistic attack scenarios
 The attacker is either constrained to some specific meters (due to the
physical protection of the meters)
 limited in the resources required to compromise meters
 Attacker can systematically and efficiently construct attack vectors in both
scenarios, affecting state estimation
 Demonstrate the success of these attacks through simulation using the IEEE
9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems
 Results indicate that security protection of the electric power grid must be
revisited.
Power Grid
Introduction
 The security and reliability of power grids has critical impact on society and
people’s daily life.
 System monitoring is necessary to ensure the reliable operation of power
grids
 provides pertinent information on the condition of a power grid based on
the readings of meters placed at important areas of the power grid.
 measurements may include bus voltages, bus real and reactive power
injections, and branch reactive power flows
 measurements are typically transmitted to a control center
 Measurements stored in a telemetry system, which is also known as
Supervisory Control And Data Acquisition (SCADA) system
State Estimation
 State estimation is the process of estimating unknown state variables in a
power grid based on the meter measurements
 The output of state estimation is typically used in contingency analysis
 control the power grid components (e.g. increase the yield of the power
generator)
 maintain reliable operation even if some faults (e.g. a generator breakdown) occur
 An attacker can compromise meters to introduce malicious measurements
 Lead to incorrect state estimation
 Mislead the power grid control algorithms
Bad measurement detection techniques: Drawbacks
 Detect and remove bad measurements
 Bad data detection can be bypassed if the attacker knows the configuration of the power system
 Detection based on the squares of differences between the observed and estimated measurements exceeding some threshold
 The attacker can generate bad measurements with knowledge of the system, thereby bypassing the bad data detection
 This new class of attacks is called false data injection attacks
 Mislead the state estimation process
Attack scenarios
 First attack scenario: attacker is constrained to accessing some
specific meters due to, for example, different physical protection
of the meters
 Second attack scenario: attacker is limited in the resources
required to compromise meters
 Two realistic attack goals
 Random false data injection attacks: attacker aims to find any
attack vector as long as it can lead to a wrong estimation of
state variables
 Targeted false data injection attacks: attacker aims to find an
attack vector that can inject a specific error into certain state
variables
State Estimation
 Monitoring the power flows and voltages in a power system is important in
maintaining system reliability
 Meters monitor the system components and report their readings to the
control center, which then estimates the state of power system variables
from these meter measures
 The state estimation problem is to estimate the power system state variables $x = (x_1, x_2, \ldots, x_n)^T$ based on the meter measurements $z = (z_1, z_2, \ldots, z_m)^T$
$$z = h(x) + e$$
 For DC model state estimation
$$z = Hx + e$$
 Commonly used state estimation methods
 Maximum Likelihood (ML)
 Weighted Least Square (WLS)
 Minimum Variance criterion
Weighted Least Squares State Estimation
 When the meter error is normally distributed with zero mean, the state estimate $\hat{x}$ is given as follows
$$\hat{x} = (H^T W H)^{-1} H^T W z$$
 W is a diagonal matrix whose elements are reciprocals of the variances of the meter errors
$$W = \begin{pmatrix} \sigma_1^{-2} & & & \\ & \sigma_2^{-2} & & \\ & & \ddots & \\ & & & \sigma_m^{-2} \end{pmatrix}$$
Bad measurement detection
 Measurement residual $z - H\hat{x}$ is used to determine bad data
 If $\|z - H\hat{x}\| > \tau$, the presence of bad data is assumed
 If state variables are mutually independent, and meter errors have a normal distribution, $L(x) = \|z - H\hat{x}\|^2$ follows a $\chi^2(v)$ distribution with $v = m - n$ degrees of freedom
 If $P(L(x) \ge \tau^2) = \alpha$, then $L(x) \ge \tau^2$ indicates bad measurements, with probability of false alarm $\alpha$
Related Work
 Bad measurements lead to large normalized measurement residual
 Large normalized measurement residual method:
 works well for independent, non-interacting bad measurements
 Does not work for correlated bad measurements, which are called interacting bad measurements
False Data Injection Attacks: Principle
 Attacker knows the H matrix
 Let za  z  a , where a  (a1 , a2 ,....,am )
T
is the attack vector
 Let x bad  x  c , where c reflects the estimation error injected
by the attacker
 If the attacker uses a  Hc , then the L2 norm of the measurement residual
of za equals that of z , hence bypasses the bad data detection
^
^
^
^
z a  H x bad  z  a  H(x  c)
^
 z  H x  (a  Hc)
^
 z  H x 
12
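The residual identity above, worked numerically as an added example (not code from the slides or the paper). The 5-meter, 2-state matrix H, the meter errors, the injected c and the threshold value are all constructed assumptions; it compares the residual seen by the detector for clean readings, for an injection with a = Hc, and for a change to a single reading that is not of that form.

```python
import numpy as np

# Constructed 5-meter, 2-state DC model (assumption, not a real grid).
H = np.array([[1., 0.], [0., 1.], [1., -1.], [1., 1.], [2., 1.]])
SIGMA = 0.1                          # same standard deviation for every meter
W = np.eye(len(H)) / SIGMA**2        # W = diag(sigma_i^-2)
TAU = SIGMA * 7.815 ** 0.5           # assumed threshold: chi-square(3), alpha = 0.05

def wls_estimate(z):
    """x_hat = (H^T W H)^-1 H^T W z"""
    return np.linalg.solve(H.T @ W @ H, H.T @ W @ z)

def residual_norm(z):
    """||z - H x_hat||, the value the detector compares with tau."""
    return float(np.linalg.norm(z - H @ wls_estimate(z)))

def demo():
    x_true = np.array([0.3, -0.2])
    noise = np.array([0.05, -0.03, 0.02, -0.04, 0.01])  # constructed meter errors
    z = H @ x_true + noise
    c = np.array([0.5, 0.0])                   # error added to the first state variable
    z_struct = z + H @ c                       # a = Hc, in the column space of H
    z_naive = z + np.array([0.5, 0, 0, 0, 0])  # one reading changed, a != Hc
    return {
        "clean": residual_norm(z),
        "structured": residual_norm(z_struct),
        "naive": residual_norm(z_naive),
        "shift": (wls_estimate(z_struct) - wls_estimate(z)).tolist(),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The estimate moves by exactly c while the residual is unchanged, so a check that looks only at the residual cannot tell the clean and the a = Hc readings apart; the single altered reading raises the residual above the assumed threshold.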
Scenario I: Limited Access to meters
 Assume attacker has access to k specific meters
 $I_m = \{i_1, i_2, \ldots, i_k\}$ is the set of indices of those meters
 Attacker can modify $z_{i_j}$, where $i_j \in I_m$
 To launch false data injection without being detected
 Find a non-zero attack vector $a = (a_1, a_2, \ldots, a_m)^T$ such that
 $a_i = 0$ for $i \notin I_m$
 a is a linear combination of the column vectors of H ($a = Hc$)
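1. Random False Data Injection attack
 Vector c can be any value
 Compute a which satisfies $a = Hc$ by eliminating c
 To simplify, let $P = H(H^T H)^{-1} H^T$ and $B = P - I$ (note that $PH = H$)
$$a = Hc \Leftrightarrow Pa = PHc \Leftrightarrow Pa = Hc \Leftrightarrow Pa = a \Leftrightarrow Pa - a = 0 \Leftrightarrow (P - I)a = 0 \Leftrightarrow Ba = 0$$
 Vector a satisfies $a = Hc$ if and only if $Ba = 0$, together with the access constraint $a_i = 0$ for $i \notin I_m$
 Let the $m \times k$ matrix $B' = (b_{i_1}, b_{i_2}, \ldots, b_{i_k})$, where $b_i$ is the i-th column of B, and the length-k vector $a' = (a_{i_1}, a_{i_2}, \ldots, a_{i_k})^T$
$$Ba = 0 \Leftrightarrow B'a' = 0$$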
1. Random False Data Injection attack: Rank of B'
 If the rank of B' is less than k, B' is a rank deficient matrix, and there exist an infinite number of non-zero solutions
 If the rank of B' is equal to k, B' is not a rank deficient matrix, and the relation $B'a' = 0$ has the unique solution $a' = 0$. Hence, no error can be injected into the state estimation
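The rank test on B' can be run directly to assess which sets of meters leave the estimator exposed. The following is an added example, not code from the slides or the paper; the matrix H is a constructed 5-meter, 2-state model, meter indices are 0-based, and the function names are hypothetical.

```python
import numpy as np

# Constructed 5-meter, 2-state measurement matrix (assumption, not a real grid).
H = np.array([[1., 0.], [0., 1.], [1., -1.], [1., 1.], [2., 1.]])

def b_matrix(H):
    """B = P - I with P = H (H^T H)^-1 H^T; Ba = 0 exactly when a = Hc."""
    P = H @ np.linalg.solve(H.T @ H, H.T)
    return P - np.eye(H.shape[0])

def exposure(H, meters):
    """Rank test for the meter index set I_m (0-based list `meters`).

    Returns (exposed, a): exposed is True when rank(B') < k, and a is then a
    non-zero vector with Ba = 0 that is zero outside I_m; otherwise a is 0.
    """
    B_sub = b_matrix(H)[:, meters]                 # B' = columns of B in I_m
    a = np.zeros(H.shape[0])
    if np.linalg.matrix_rank(B_sub, tol=1e-9) == len(meters):
        return False, a                            # only a' = 0 solves B'a' = 0
    _, _, vt = np.linalg.svd(B_sub)                # last right-singular vector
    a[meters] = vt[-1]                             # lies in the null space of B'
    return True, a

def residual_of(H, a):
    """||Ba||: zero (up to rounding) when a is a combination of H's columns."""
    return float(np.linalg.norm(b_matrix(H) @ a))

if __name__ == "__main__":
    for meters in ([0, 2, 4], [0, 2, 3, 4]):
        exposed, a = exposure(H, meters)
        print(meters, exposed, np.round(a, 3), residual_of(H, a))
```

In this constructed matrix no two rows are parallel, so a set of three meters gives rank(B') = k and is not exposed, while the four-meter set is rank deficient.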
2. Targeted False Data Injection Attack
 Attacker intends to inject specific errors into certain chosen state
estimation variables
 Mathematically, this is represented as follows
 Let $I_v = \{i_1, i_2, \ldots, i_r\}$, where $r < n$, denote the set of indices of the r target state variables, i.e. $x_{i_1}, x_{i_2}, \ldots, x_{i_r}$ are the target state variables
 Attacker intends to construct a such that the resulting state estimate is $\hat{x}_{bad} = \hat{x} + c$, where $c = (c_1, c_2, \ldots, c_n)^T$ and $c_i$ for $i \in I_v$ is the specific error that is added to $\hat{x}_i$
 Two cases:
 Constrained: attacks only the target variables without affecting other variables
 Unconstrained: attacker has no concerns about the non-target variables
Constrained attack
 $a_i = 0$ for $i \notin I_m$
 Every element $c_i$ in c is fixed, either the chosen value when $i \in I_v$ or 0 when $i \notin I_v$
 Attacker substitutes c back into $a = Hc$, and checks if $a_i = 0$ for $i \notin I_m$
 If yes, attack possible
Unconstrained attack
Scenario II: Limited resources to compromise meters
 Assume attacker has limited resources to compromise up to k meters
 Unlike Scenario I, no restriction on which meters the attacker can choose
 Attacker needs to find a k-sparse, nonzero attack vector a that satisfies $a = Hc$
1. Random False Data Injection Attack
 Attacker may use a brute-force approach to construct a to
compromise up to k meters
 Attacker may try all possible a’s containing k unknown non-zero
elements
 For each candidate a, check if there is a non-zero solution to $Ba = 0$
 If yes, attack vector exists
2. Targeted False Data Injection Attack
 Constrained Case
 Attacker substitutes c in the relation $a = Hc$
 If the resulting a is k-sparse, attacker is successful in finding the attack vector
 Unconstrained Case
 Attacker needs to find a k-sparse vector a that satisfies $B_s a = y$
 Minimum Weight Solution for Linear Equations problem
 Can be heuristically solved using Matching Pursuit (MP) and Basis Pursuit (BP) methods
Experimental Results
 The false data injection attacks are validated through experiments using
IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems
 DC power flow model is used
 MATPOWER, a MATLAB package is used for solving the power flow
problems
 Experiments based on the matrix H, and meter measurements obtained from
MATPOWER
 State variables are voltage angles of all buses
 Meter measurements are real power injections of all buses and real power
flows of all branches
Results of Scenario I
 For random false data injection attacks, k varied from 1 to the maximum
number of meters in each test system.
 For each k, we randomly choose k specific meters to attempt an attack
vector construction.
 We repeat this process 100 times for both IEEE 118-bus and 300-bus
systems and 1,000 times for the other systems
 Estimate the success probability $p_k$ (probability of successfully constructing an attack vector with k given meters)
$$p_k = \frac{\#\,\text{successful trials}}{\#\,\text{trials}}$$
 $R_k$ denotes the percentage of the specific meters under the attacker's control, i.e.
$$R_k = \frac{k}{\text{total number of meters}}$$
Targeted false data injection attack: Constrained Case
 Randomly pick 6 sets of meters for the IEEE 118-bus and
300-bus systems.
 In each set, there are 350 meters and 700 meters for the
IEEE 118-bus and 300-bus systems, respectively.
 Check the number of individual target state variables that
can be affected by each set of meters in the constrained
case (i.e., without affecting the estimation of the
remaining state variables).
Results of Scenario II
 Attacker has limited resources to compromise up to k meters.
 Compared with Scenario I, the restriction on the attacker is relaxed in the
sense that any k meters can be used for the attack.
 Two evaluation metrics
 number of meters to compromise in order to construct an attack vector
 execution time required for constructing an attack vector.
 Three cases examined
 random false data injection attacks
 targeted false data injection attacks in the constrained case
 targeted false data injection attacks in the unconstrained case
 For all test systems, the attacker can construct an attack vector for random false data injection attacks by only compromising 4 meters.
 This is mainly due to the fact that the H matrices of all these IEEE test systems are sparse.
 For example, the H matrix of the IEEE 300-bus system is a 1,122×300 matrix, but most of the entries are 0's.
 In particular, the sparsest column in H only has 4 non-zero elements.
 In practice, components in a power system that are not physically adjacent to each other are usually not connected.
 As a result, the H matrices of the power systems are often sparse.
Targeted false data injection attack: Constrained Case
 In the experiments, we randomly choose $l$ ($1 \le l \le 10$) target state variables and generate malicious data for each of them.
 The malicious values are set to be 100 times larger than the real estimates
of the state variables.
 Examine how many meters need to be compromised in order to inject the
malicious data (without changing the other non-target state variables).
 For each l , perform the above experiment 1,000 times to examine the
distribution of the number of meters that need to be compromised.
Targeted false data injection attack: Unconstrained Case
 In the unconstrained case, the attacker wants to inject malicious data into
specific state variables
 Matching Pursuit algorithm is used to find attack vectors
 Two evaluation metrics
 number of meters to compromise in order to construct an attack vector
 execution time required for constructing an attack vector.
Conclusions
 In this paper, a new class of attacks, called false data injection attacks, was presented against state estimation in electric power systems.
 It is shown that an attacker can take advantage of the configuration of a power system to launch such attacks to bypass the existing techniques for bad measurement detection.
 Two realistic attack scenarios:
 attacker is either constrained to some specific meters,
 or limited in the resources required to compromise meters.
 Simulations were performed on IEEE test systems to demonstrate the success of these attacks
 Results in this paper indicate that the security protection of the electric power grid must be revisited