Cyber Physical Power Systems Fall 2015 Security
Review from 1st week. To find the power flow along lines we need to calculate: To calculate the above equation we need to solve: This is an underdetermined system of equations (the matrix is singular); therefore, the voltage (magnitude and angle) at one bus (called the slack or swing bus) is set (usually a relative per-unit voltage of 1 with an angle of 0). As a result, the equation for the slack bus is replaced by this set voltage value, and the real and reactive power at this bus are now the unknowns. Other knowns and unknowns are: in a PQ (load) bus, P and Q are known and the voltage is unknown; in a PV (generator) bus, P and V are known and the reactive power and voltage angle are unknown.
Review from 1st week. Operation of a power grid is controlled from a dispatch center, which is responsible for monitoring power flow and coordinating operations so that demand and generation are matched in an economically optimal way. That is, from a stability perspective demand (plus losses) needs to equal generation, but from an operational perspective such a match needs to be achieved in an economically optimal way. Source: Scientific American
Review from 1st week. Operation and monitoring of electric power grids is usually performed with a SCADA (supervisory control and data acquisition) system. At a basic level a SCADA system includes: remote terminals; a central processing unit; data acquisition (sensing) units; telemetry; and human interfaces (usually computers). SCADA systems require communication links but, usually, these are dedicated links separate from the public communication networks used by people in their everyday lives.
Power grids cyber-physical infrastructure. Physical infrastructure (from 1st week); diagram labels (figure not reproduced): Generation, Transmission, Distribution / consumption.
Power grids cyber-physical infrastructure. Diagram labels (figure not reproduced): ISO Energy Market, Wide Area Network, Generation Control Center, Transmission Control Center, Distribution Control Center.
Past Cyber-intrusions/attacks on Energy Infrastructure. "ISIS is attacking the US energy grid (and failing)", CNN-Money, 10/15/15. Other events from CRS, June 2015, "Cybersecurity Issues for the Bulk Power System": BlackEnergy (Trojan horse designed to attack critical energy infrastructure): reported in 2007; targets the human-machine interface; modular, with modules for keylogging, audio recording and grabbing screenshots; one module can destroy hard disks; can migrate through network files into removable storage media. HAVEX: reported in 2013; used as a remote access tool (RAT) to extract data from Outlook address books and ICS-related software files used for remote access from the infected computer to other servers. The cyberattack leaves the company's system in what appears to be a normal operating condition, but the attacker now has a backdoor to access and possibly control the company's ICS or SCADA operations. Sandworm: reported in 2014, affecting GE's SCADA human-machine interface.
Control Architecture. Hierarchical control: at the highest level an economic optimization algorithm is run in order to produce set points for the power generation units. Local autonomous controllers at the power generation units use droop controls that take the set point inputs produced by the higher-level controller. Additional controllers exist at the power transmission and distribution levels to ensure electric power is delivered according to the specified power quality parameters. The economic dispatch algorithm implies solving the power flow equations and also knowing other information (e.g. market conditions, prices from each unit, etc.). In addition to considering economic profitability, stable system operation needs to be ensured by the controller. Power flow and other constraints also exist. All of these factors affect control decisions.
Control Architecture. Control decisions require state estimation, i.e. knowing voltages and angles. State estimation, in turn, requires measuring real and reactive powers or current flows. It also requires knowing system parameters (e.g. line data). Measured data needs to be transmitted to the dispatch center, so a cyber infrastructure is needed. This cyber infrastructure includes sensors and communications infrastructure. Additionally, system parameters need to be stored so they can be accessed and used when running the economic dispatch algorithm. Hence, optimal operation requires communication. Limited operation of a power grid can still be performed without communications thanks to the droop controllers; however, this operation will be economically suboptimal and will have reduced stability margins.
Communications Architecture. In general, power grids use dedicated networks, so intrusive access is difficult. However, some legacy equipment may still use resources from public communication networks.
Communications Architecture. Smart grids, the Internet of Things and other increasingly used technologies (e.g., demand response or electric vehicles) may motivate increased use of public communication networks or the Internet as a result of the need for more bandwidth or more access points.
Communications Architecture: Secure Communications. Commonly used protocols (insecure): Modbus, DNP3, IEC 61850, ICCP. Mitigating approaches: Encryption: a VPN may be a solution, but the added latency and the use of non-IP networks make this solution inapplicable in many cases. Ongoing research is aiming at retrofitting SCADA protocols such as Modbus, DNP3 and ICCP, or at adding encryption hardware (e.g. bump in the wire). Authentication (remote keys and passwords): research is being done with the goal of developing flexible, robust, adaptive and highly available authentication mechanisms. Access control: the goal is to use proper software configuration and protocol usage to protect against internal attackers or attackers that have gained access to the system; use firewalls at multiple levels and create vertically and horizontally separated secure cyber areas.
Communications Architecture: Device Security. Embedded devices create important vulnerabilities as more of these devices are added with grids migrating into smart grids and the deployment of IoT. Smart meters are a special point of concern. Addressing issues with device security involves the development of remote attestation mechanisms. From "Principles of Remote Attestation" by Coker et al.: "Attestation is the activity of making a claim to an appraiser about the properties of a target by supplying evidence which supports that claim. An attester is a party performing this activity. An appraiser's decision-making process based on attested information is appraisal." "An appraiser is a party, generally a computer on a network, making a decision about some other party or parties. A target is a party about which an appraiser needs to make such a decision." "An attestation protocol is a cryptographic protocol involving a target, an attester, an appraiser, and possibly other principals serving as trust proxies. The purpose of an attestation protocol is to supply evidence that will be considered authoritative by the appraiser, while respecting privacy goals of the target (or its owner)."
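As an added illustration of the attester, appraiser and target roles quoted above (example code, not from the slides or from Coker et al.), a constructed nonce-challenge attestation exchange: the appraiser issues a fresh nonce, the target's attester returns a firmware measurement bound to that nonce and authenticated under a device key, and the appraiser checks freshness, authenticity and membership in a known-good list. The firmware bytes, the device key (HMAC stands in for a hardware-held signing key) and the allow-list are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed values: a pretend smart-meter firmware image, a tampered copy, and a
# hypothetical per-device key that a real device would keep in hardware.
GOOD_FIRMWARE = b"meter-fw-v1.2 (constructed image)"
TAMPERED_FIRMWARE = b"meter-fw-v1.2 (constructed image) + implant"
DEVICE_KEY = b"per-device-secret-provisioned-at-manufacture"
KNOWN_GOOD = {hashlib.sha256(GOOD_FIRMWARE).hexdigest()}   # appraiser's allow-list

def attest(firmware, nonce, key=DEVICE_KEY):
    """Attester on the target: evidence = firmware measurement bound to the
    appraiser's fresh nonce and authenticated under the device key."""
    digest = hashlib.sha256(firmware).hexdigest()
    tag = hmac.new(key, nonce + digest.encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "digest": digest, "tag": tag}

class Appraiser:
    def __init__(self, known_good=KNOWN_GOOD, key=DEVICE_KEY):
        self.known_good, self.key, self.outstanding = set(known_good), key, set()

    def challenge(self):
        nonce = os.urandom(16)          # freshness: one nonce per appraisal
        self.outstanding.add(nonce)
        return nonce

    def appraise(self, evidence):
        """Appraisal: decide whether the target is in a known-good state."""
        nonce = evidence["nonce"]
        if nonce not in self.outstanding:
            return "reject: stale or replayed nonce"
        self.outstanding.discard(nonce)
        expected = hmac.new(self.key, nonce + evidence["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence["tag"]):
            return "reject: evidence not authenticated by the device key"
        if evidence["digest"] not in self.known_good:
            return "reject: unexpected firmware measurement"
        return "accept"

def demo():
    """Run the exchange for a clean target, a tampered target and a replayed report."""
    appraiser = Appraiser()
    good = appraiser.appraise(attest(GOOD_FIRMWARE, appraiser.challenge()))
    bad = appraiser.appraise(attest(TAMPERED_FIRMWARE, appraiser.challenge()))
    old = attest(GOOD_FIRMWARE, appraiser.challenge())
    appraiser.appraise(old)               # first use of this evidence is fine
    replay = appraiser.appraise(old)      # a second use must be refused
    return {"good": good, "tampered": bad, "replayed": replay}
```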
Sensing Architecture. SCADA system: primarily developed as a proprietary solution operating in an isolated system. Power grids are migrating into using off-the-shelf sensing and management equipment integrated in an interconnected environment. Modern SCADA systems are increasingly relying on the Internet for various functions, such as remote access or remote monitoring, thus creating additional vulnerabilities. IT management systems are in some cases integrated with the SCADA system, adding complexity and potential security vulnerabilities. Mitigating strategies: decouple SCADA and IT management systems; use firewalls between administrative and operational areas of power grids.
Sensing Architecture. PMUs may be another potential point of entry, or a piece of equipment that can be acted upon directly, leading to state estimation errors. Additional entry points: renewable energy source generation locations; smart meters; home energy management systems; electric vehicles; Internet of Things equipment (e.g. appliances); the supply chain (e.g. firmware in new equipment, memory sticks, etc.). Cyber dependencies create vulnerabilities. Examples of cyber dependencies include GPS systems and weather and other important external data.
Cyber Attacks Modeling. Cyber attacks may directly target: state estimation (state estimation is important for optimal power flow operation, contingency analysis, automatic generator control, etc.); the parameter database; or equipment itself, by sending commands directly to it (e.g. relays controlling circuit breakers). Indirect cyber attacks: those targeting cyber lifelines directly and leading to power grid operation disruptions indirectly. Types of cyber attacks: reconnaissance, denial of service, command injection, measurement injection.
Cyber Attacks Modeling. The idea here is to model cyber attacks as additive inputs affecting the state and the outputs (from "Attack Detection and Identification in Cyber-Physical Systems - Part I: Models and Fundamental Limitations" by Pasqualetti et al.). The system (a power grid) is modeled, for simplicity, as an LTI system: It is assumed that each state and output variable can be independently compromised by an attacker, so B = [I, 0] and D = [0, I]. Hence the attack (Bu(t); Du(t)) = (ux(t); uy(t)) can be split into a state attack ux(t) affecting the system dynamics and an output attack uy(t) directly corrupting the measurement vector.
Cyber Attacks Modeling. Attack strategies: stealth attacks correspond to output attacks compatible with the measurement equation; replay attacks are state and output attacks which affect the system dynamics and reset the measurements.
Cyber Attacks Modeling. Attack strategies: covert attacks are closed-loop replay attacks, where the output attack is chosen to cancel out the effect of the state attack on the measurements; (dynamic) false-data injection attacks are output attacks rendering an unstable mode (if any) of the system unobservable, e.g. load redistribution attacks leading to suboptimal power dispatch or loss of stability. Notice that the referenced paper does not consider attacks affecting system parameters. Modeling such an attack would make the system non-LTI; in fact, it would become a switched system, as A = A(t) based on a switched behavior.
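Added example (not from the slides or from the Pasqualetti et al. paper) for the additive attack model of the last three slides: a constructed discrete-time 2-state LTI system with B = I and D = I, run against a residual detector that compares the measurements with a clean model replica. A bare state attack raises the residual, while the covert version adds the cancelling output attack and keeps the residual at zero even though the true state has drifted, which is why a measurement residual alone cannot reveal such attacks. The matrices A and C and the attack signals are constructed.

```python
def matvec(M, v):
    return [sum(m * e for m, e in zip(row, v)) for row in M]

def vadd(a, b):
    return [p + q for p, q in zip(a, b)]

def vsub(a, b):
    return [p - q for p, q in zip(a, b)]

A = [[0.9, 0.1], [0.0, 0.8]]   # constructed stable 2-state dynamics
C = [[1.0, 0.0], [0.0, 1.0]]   # every state variable is measured directly

def no_state_attack(k):
    return [0.0, 0.0]

def state_attack(k):
    # constructed ux[k]: from step 3 on, keep pushing the second state upward
    return [0.0, 0.5] if k >= 3 else [0.0, 0.0]

def no_output_attack(k, x, x_clean):
    return [0.0, 0.0]

def covert_output_attack(k, x, x_clean):
    # uy[k] = -C (x[k] - x_clean[k]) cancels the state attack's effect on the
    # measurements; the attacker is assumed to know the model (clean trajectory)
    return [-v for v in matvec(C, vsub(x, x_clean))]

def run(ux_fn, uy_fn, steps=10, threshold=1e-6):
    """Simulate x[k+1] = A x[k] + ux[k], y[k] = C x[k] + uy[k] next to a clean
    replica and run the residual detector r[k] = y[k] - C x_clean[k]. Return
    what the defender sees (max residual, flag) and the true state deviation."""
    x = [1.0, 1.0]
    x_clean = [1.0, 1.0]
    max_residual = 0.0
    for k in range(steps):
        y = vadd(matvec(C, x), uy_fn(k, x, x_clean))
        residual = vsub(y, matvec(C, x_clean))
        max_residual = max(max_residual, max(abs(v) for v in residual))
        x = vadd(matvec(A, x), ux_fn(k))
        x_clean = matvec(A, x_clean)
    deviation = max(abs(v) for v in vsub(x, x_clean))
    return {"max_residual": max_residual, "flagged": max_residual > threshold,
            "state_deviation": deviation}

if __name__ == "__main__":
    print("state attack only:", run(state_attack, no_output_attack))
    print("covert attack:", run(state_attack, covert_output_attack))
```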