On Security Indices for State Estimators in Power Networks
Henrik Sandberg, André Teixeira, and Karl Henrik Johansson
Automatic Control Lab, ACCESS Linnaeus Center
Royal Institute of Technology, Stockholm, Sweden
First Workshop on Secure Control Systems
April 12th, 2010
Northeast U.S. Blackout of 2003
• August 14th, 2003: 55 million people affected
• One plant in Ohio offline during peak hour ⇒ Cascading failure ⇒ Over 100 plants shut down
• Software bug in state estimator stalled alarm systems for over an hour
• Incorrect state estimate can have serious consequences
SCADA Systems and False-Data Deception Attacks
• SCADA/EMS systems used to monitor and control power networks
• Sampling frequency ≈ 1/min
• Redundant power flow and voltage measurements (z_i)
• State estimator used to obtain accurate state information at all times, and to identify faulty equipment.
(SCADA/EMS = Supervisory Control and Data Acquisition/Energy Management Systems)
Attacker Model and Bad Data Detection in Control Center
• Intelligent attacker can find attacks a that do not trigger alarms in the Bad-Data Detector (BDD) [Liu et al., 2009]
• But can we measure how difficult it is to perform such attacks?
Power Network and Estimator Models
• Steady-state models:
• WLS-Estimates of bus phase angles i (in vector ):
• Linear approximation:
Bad-Data Detection and Undetectable Attacks
• The “hat matrix” K:
• Bad-Data Detection triggers on anomalies in the residual
• False-data deception attacks [Liu et al., 2009]:
• The attacker has a lot of freedom in the choice of attack vector a! Which a are more likely to be applied?
The New Security Indices k and k
• Measures of “least-effort attacks” on measurement z_k
• Large indices k and k ⇒ It requires a large coordinated attack involving many sensors and large elements in a to attack z_k ( i |a_i| ≥ k |a_k| )
• More generally:
Example of the Index k
• Attack vectors corresponding to k:
• Compare with the hat matrix:
IEEE 14-bus Network
IEEE 14-bus Network (cont’d)
(ο) k upper bound
(•) rk1 := #{ |K_ik / K_kk| ≥ 0.33 }
(ο) k
(•)
• Hat-matrix-based heuristics (•) misleading when it comes to judging sparsity of attacks (k)
• Heuristic OK to estimate size of elements in a (k)
IEEE 14-bus Attack Vectors (z_16)
Conclusions
• Security of state estimators has not been much studied before
• Two security indices (k,k) introduced here
• Can be used to locate measurements that are relatively easy to attack
• The hat matrix K can be misleading with respect to security of measurements
• Efficient computation of k? How to re-design system to maximize the indices?
4-Bus Example
• Hat matrix:
• Many non-zero elements in rows ⇒ Large measurement redundancy (except z_4)
• z_1, z_2, z_3, z_5 have lots of redundancy. But are they all hard to attack? No!
Attack Synthesis for Measurement z_k
• When p=2, the columns of the scaled hat matrix (R=I) give the solution [Teixeira et al., 2010]:
• This study: Sparse attacks a are more likely, since they involve fewer sensors. Study p=0 and p=1
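Added example (not from the slides): a brute-force computation of the sparse (p=0) index of each measurement, which a defender can use to rank sensors for protection. It assumes the standard linear model in which an attack a = Hc leaves the bad-data residual unchanged [Liu et al., 2009]; the matrix H and all function names are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations

# Constructed 5x3 measurement matrix H for a linearized (DC) model: rows are
# measurements z1..z5, columns are the three unknown bus phase angles.
# This is NOT the matrix from the slides.
H = [
    [1, 0, 0],    # z1: flow bus 1 -> reference bus
    [1, -1, 0],   # z2: flow bus 1 -> bus 2
    [0, 1, -1],   # z3: flow bus 2 -> bus 3
    [0, 0, 1],    # z4: flow bus 3 -> reference bus
    [-1, 2, -1],  # z5: power injection at bus 2
]

def rank(rows):
    """Matrix rank by exact Gaussian elimination over the rationals."""
    m = [[Fraction(v) for v in r] for r in rows]
    rk = 0
    for col in range(len(m[0]) if m else 0):
        piv = next((i for i in range(rk, len(m)) if m[i][col] != 0), None)
        if piv is None:
            continue
        m[rk], m[piv] = m[piv], m[rk]
        for i in range(rk + 1, len(m)):
            f = m[i][col] / m[rk][col]
            m[i] = [x - f * y for x, y in zip(m[i], m[rk])]
        rk += 1
    return rk

def sparsity_index(H, k):
    """Smallest sensor set S containing k for which some a = H c has
    a_k != 0 and a_i = 0 outside S. Returns (|S|, S) with 0-based indices."""
    others = [i for i in range(len(H)) if i != k]
    for size in range(1, len(H) + 1):
        for extra in combinations(others, size - 1):
            untouched = [H[i] for i in others if i not in extra]
            # Such a c exists iff row k is independent of the untouched rows.
            if rank(untouched + [H[k]]) > rank(untouched):
                return size, sorted((k,) + extra)
    return None  # reached only if row k of H is all zeros

def all_indices(H):
    """Index for every measurement; small values mark weakly protected sensors."""
    return [sparsity_index(H, k)[0] for k in range(len(H))]

if __name__ == "__main__":
    for k, idx in enumerate(all_indices(H), start=1):
        print(f"z{k}: {idx} sensors must be corrupted together")
```

In this constructed network z1 and z4 have the lowest index, so they are the first candidates for protection even though every measurement is redundant. The search is exponential in the number of measurements, which is why the slides ask about efficient computation.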
Some Possible Extensions
• Increase risk of detection with 
• Multiple attack goals
• Sensitivity matrix S=I-K
• Lagrange multipliers and location of encryption devices?