Trustworthy Sensor Networks Security Protocols


Speaker: Yee Wei Law
Collaborators: Umith Dharmaratna, Jiong Jin, Slaven Marusic,
Marimuthu Palaniswami
1




Introduction to the grid
Introduction to the grid sensors
Motivation for the Smart Grid
Smart Grid components
◦ Wide-area Monitoring System (WAMS)
◦ Distribution Automation (DA)

Conclusion
2
AS 60038-2000 “Standard voltages”: > 110 kV; 66 kV, 33 kV; < 33 kV
3

For conductor
◦ Temperature

For insulator, transmission line surge arrester
◦ Leakage current

[Figure labels: RF temperature sensor; Ice build-up; RF leakage current sensor]
4

For transformers
◦ Detection of hydrogen in oil

For on-load tap changers
◦ Detection of gas in oil (symptom of overheating)

For bushings
◦ Leakage current

[Figure labels: Metal insulated semiconducting (MIS) sensor for detecting hydrogen; Internally mounted tap changer; 15 kV, 69 kV, 242 kV]
5
MIS sensor
Ref: EPRI, “Sensor Technologies for a Smart Transmission System,” white paper, Dec 2009.
6


Rating: maximum value of parameter (e.g. power, current)
Dynamic rating vs nominal rating
◦ increases capacity by 5-15%

The primary limitation on power flow is thermal
Example:
Thermal model of overhead lines [Black ‘83]:
$$m c_p \frac{dT}{dt} = Q_{gen} + Q_{sun} - Q_{rad} - Q_{conv}$$
$m$: mass of the line
$c_p$: specific heat of the line
$T$: temperature
$Q_{gen}$: Ohmic losses per unit length
$Q_{sun}$: solar heat input per unit length
$Q_{rad}$: radiated heat loss per unit length
$Q_{conv}$: convected heat loss per unit length
7

Transmission-line robots
◦ Developed by Tokyo-based HiBot
◦ Able to navigate around obstacles
◦ Laser-based sensors for detecting scratches, corrosion, changes in cable diameter
◦ HD camera for recording images of bolts and spacers up close
◦ Energy is a constraint
8

Unmanned airborne vehicles aerial snapshot
◦ E.g. SP AusNet to automate conductor
localization and spacer detection [Li ‘10]
◦ Line detection: template matching
◦ Spacer detection: Gabor filtering
9


Ageing hardware + population growth = equipment at its limits
Market deregulation
◦ Advances in communications infrastructure
Cost of outages in USA in 2002: $79B

Climate change
◦ Government initiatives (USA, Europe, China, Japan, Australia..)
◦ Renewable energy and distributed generation ($652m fund)
10

Smart grid = envisioned next-gen power grid that is [DOE, USA]:
◦ Intelligent (senses overload, rerouting)
◦ Accommodating (renewable energy)
◦ Efficient (meets demand without more cost)
◦ Motivating (demand response)
◦ Quality-focused (minimal disturbances, interruptions)
◦ “Green” (minimal environment impact)
◦ Resilient (to attacks, disasters)
11

Generation
◦ Distributed generation
◦ Microgrid

Transmission
◦ Wide-area monitoring system

Distribution
◦ Distribution automation

Consumption
◦ Demand response
12
Control center
Substation




Distribution network
Remotely and efficiently identify and resolve system problems
Alleviates overload conditions, and enables computer-optimized load shifting
Reconfigures the system after disturbances or interruptions
Facilitates coordination with customer services such as time-of-use pricing, load management and DERs
13



Auto-recloser: circuit breaker that re-closes after interrupting short-circuit current
Voltage regulator: usually at the supply end, but also near customers with heavy load
Switched capacitor bank: switched in when load is heavy, switched out otherwise
[Figure labels: Recloser; Voltage regulator; Switched capacitor bank]
14


EPRI proposed advanced DA – complete automation of
controllable equipment
Two critical technologies identified:
◦ Open communication architecture
◦ Redeveloped power system for component interoperability


Urban networks: fiber optics
Rural networks: wireless
15
[Figure labels: Urban area; Rural area; City power plant; Transmission grid; Distribution grid; Low voltage; Industrial customers; Distributed Energy Resources; Substations as gateways; Pole with wireless communication capability; Collector; HAN; BAN; IAN; NAN; FAN]
NAN = Neighborhood Area Network; FAN = Field Area Network
HAN/BAN/IAN = Home/Building/Industry Area Network
WAN standard is TCP/IP
16
SecureMesh
17
Jemena, United Energy, Citipower and Powercor
SP AusNet and Energy Australia

CDMA2000
◦ Interoperability: Open standard
◦ Capacity: 76.8 kbps (80-ms frame), 153.6 kbps (40-ms frame), 307.2 kbps (20-ms frame)
◦ Latency: Hundreds of milliseconds
◦ Interference rejection: DSSS, 2 GHz frequency band allows frequency band re-use
◦ Transmission range: Nation-wide service coverage
◦ Configuration: Point-to-multipoint

GE-MDS 900MHz
◦ Interoperability: Proprietary
◦ Capacity: 19.2 kbps (80 km), 115 kbps (48 km), 1 Mbps (32 km)
◦ Latency: Tens of milliseconds
◦ Interference rejection: FHSS, 902-928 MHz
◦ Transmission range: 80 km
◦ Configuration: Point-to-point, point-to-multipoint

Silver Spring Networks
◦ Interoperability: Proprietary
◦ Capacity: 100 kbps
◦ Latency: Tens of milliseconds
◦ Interference rejection: FHSS, 902-928 MHz
◦ Transmission range: Unknown
◦ Configuration: Point-to-point

Wi-Fi/IEEE 802.11
◦ Interoperability: Open standard
◦ Capacity: 54 Mbps (802.11a), 11 Mbps (802.11b), 54 Mbps (802.11g), 72 Mbps (802.11n)
◦ Latency: Milliseconds
◦ Interference rejection: 802.11a: OFDM, 5 GHz; 802.11b: DSSS, 2.4 GHz; 802.11g: OFDM/DSSS, 2.4 GHz; 802.11n: OFDM, 2.4/5 GHz (*2.4 GHz band is crowded; 5 GHz less so)
◦ Transmission range: 802.11a: 120 m; 802.11b/g: 140 m; 802.11n: 250 m
◦ Configuration: Point-to-point, point-to-multipoint

WiMAX/IEEE 802.16
◦ Interoperability: Open standard
◦ Capacity: 9 Mbps
◦ Latency: Milliseconds
◦ Interference rejection: OFDM, 3.65-3.70 GHz
◦ Transmission range: 20 km
◦ Configuration: Point-to-multipoint

* Note: ZigBee is not in here
18
Year
2002: First published
Beyer et al. “Tutorial: 802.16 MAC Layer Mesh Extensions Overview”:
• Centralized scheduling
• Coordinated distributed scheduling
• Uncoordinated distributed scheduling
2004: 802.16.2-2004 describes recommended practice for coexistence of point-to-multipoint and mesh systems
2009: 802.16j-2009 adds relay (tree) support
4G status not until 802.16m
19
Silver Spring Networks UtilityIQ:
20
Itron OpenWay:
21





Standard by HART foundation
Physical layer: IEEE 802.15.4 (since version 7); DSSS+FHSS
Data link layer: TDMA
Network layer: Graph routing or source routing
Notable player: Dust Networks (founded by the Smart Dust
people)
Source: Lennvall et al. “A Comparison of WirelessHART
and ZigBee for Industrial Applications,” IEEE WFCS 2008
22






IPv6 for low-power wireless personal area networks
Motivation: interoperability with existing IP-based devices
Standardized by IETF in RFC4919, RFC4944 etc.
Physical and data link layer: IEEE 802.15.4
Network layer: still being standardized by the ROLL working
group (Routing Over Low power and Lossy networks)
Notable player: Sensinode
23

DA makes dynamic reconfiguration possible

Multi-objective optimization problem
◦ Objectives: minimize real losses, regulate voltage profile, load balancing
◦ Optimal topology: quadratic minimum spanning tree (q-MST) is NP-hard
◦ Bio-inspired heuristics, e.g. Artificial Immune System and Ant Colony Optimization
24
Grid Sensors
Smart Grid
Distribution
Automation
Wide-Area
Monitoring System
25




8-10% energy lost in transmission and distribution
networks
Energy Management System (EMS): control
generation, aggregation, power dispatch
EMS performs optimal power flow
However, SCADA-based EMS gives incomplete view
of system steady state
Hence WAMS
26
[Figure: Layer 1: Data acquisition; Layer 2: Data management; Layer 3: Data services; Layer 4: Applications. Labelled components: PMUs, WAN, PDC, Application Data Buffer, Real-Time Monitoring, Real-Time Control, Real-Time Protection]
27




Synchronized phasor measurement units or synchrophasors for measuring voltage and current (phasor: $Ae^{j\phi}$)
Typically 30 time-stamped samples per sec
Invented by Phadke and Thorp of Virginia Tech in 1988
IEEE 1344 completed in 1995, replaced by C37.118 in 2005
For frequency, use Frequency Disturbance Recorder
28
Macrodyne’s
model 1690
ABB’s RES521
MiCOM P847
29
Source: North American SynchroPhasor Initiative (NASPI)
30

Oscillation control

Voltage control
◦ The goal is to calculate maximum loadability using optimal power flow

Frequency control
◦ The goal is to select which loads to shed, to minimize overvoltages or steady-state angle differences
References:
• M. Zima et al., “Design aspects for wide-area monitoring and
control Systems,” Proc. IEEE, 93(5):980–996, 2005.
• M. Larsson et al., “Predictive Frequency Stability Control based on
Wide-area Phasor Measurements,” IEEE Power Engineering Soc.
Summer Meeting, 2002.
31

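System equation (measurements = model + errors):
$$\begin{bmatrix} z_1 \\ \vdots \\ z_m \end{bmatrix} = \begin{bmatrix} h_1(\theta_1, \dots, \theta_n, V_1, \dots, V_n) \\ \vdots \\ h_m(\theta_1, \dots, \theta_n, V_1, \dots, V_n) \end{bmatrix} + \begin{bmatrix} e_1 \\ \vdots \\ e_m \end{bmatrix}$$

Weighted least square
◦ $x^{k+1} = x^k + [H^T(x^k) R^{-1} H(x^k)]^{-1} H^T(x^k) R^{-1} [z - h(x^k)]$
(annotations: $H$ is the measurement Jacobian; $R$ is labelled “PMU measurement s.d.”)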
32

Observability: whether the system state can be uniquely estimated
◦ unobservable when $H^T(x^k) R^{-1} H(x^k)$ cannot be inverted

Critical measurement: absence of which destroys observability
◦ Residual sensitivity matrix $S = I - H (H^T R^{-1} H)^{-1} H^T R^{-1}$
◦ If row $i$ and column $i$ are zeroes, then $i$th measurement is critical

Redundant measurement: non-critical measurement
33

For an $n$-bus system, the PMU placement problem can be formulated as an integer programming problem:
$$\min \sum_{i}^{n} c_i x_i \quad \text{s.t. } f(X) \ge \mathbf{1}, \quad X = [x_1 \; \dots \; x_n]^T$$
• $c_i$ is cost of installing a PMU at bus $i$
• $x_i = 1$ if a PMU is installed at bus $i$
$f(X)$ is a vector function, whose entries are non-zero if the corresponding bus voltage is solvable given the measurement – the problem becomes defining $f(X)$
Identify critical measurements; so that their removal doesn’t cause unobservability [Chen ‘05]
Recent study [Emami ‘10]:
◦ To improve robustness against contingencies and failures
◦ To detect bad data among critical measurements
34
Classification
◦ Single
◦ Multiple
  ◦ Non-interacting, e.g. #1 and #6 not correlated
  ◦ Interacting
    ◦ Non-conforming, e.g. #2 and #5 not correlated
    ◦ Conforming, e.g. #2 and #5 correlated
[Figure labels: Bus; #1, #2, #3, #4, #5, #6]

Linearized model: $z = Hx + e$
Common bad data detection mechanism: $\|z - H\hat{x}\| > \tau$
Q: Suppose true state is $x$, error in measurement is $\alpha$, how much error in measurements will result in estimated state $\hat{x} = x + c$?
A: By def. $\|z - Hx\| \le \tau$, $\|(z + \alpha) - H\hat{x}\| = \|z - Hx + (\alpha - Hc)\| \le \tau$, $\alpha = Hc$ maximizes probability that $\|(z + \alpha) - H\hat{x}\| \le \tau$
Opportunity for attack
35
Attacker controls $k$ PMUs [Liu ‘09]
◦ Don’t care about $c$: $k \ge m - n + 1$?
  ◦ yes: $\alpha$ always exists
  ◦ no: $\alpha$ exists depending on structure of $H$
◦ Want specific $c$: suppose, for example, $c = [\text{Unfixed}, \text{Fixed}, \text{Unfixed}, \text{Fixed}]^T$; $\alpha$ exists depending on structure of $H$
Symbols:
$k$ = number of hacked PMUs
$m$ = number of measurements
$n$ = number of system states
$c$ = deviation from true states
$\alpha$ = induced measurement errors
36
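An added example (not from the talk or the cited papers) of the residual-based checks on the slides above: it builds the residual sensitivity matrix $S$ with $R = I$ (an assumption), flags critical measurements, and shows that the residual test cannot see an error of the form $\alpha = Hc$ or an error on a critical measurement, while it does flag a gross error on a redundant meter. The model `H`, the readings and all function names are constructed for illustration.

```python
from fractions import Fraction as Fr

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def inverse(G):
    """Exact Gauss-Jordan inverse; a singular gain matrix means unobservable."""
    n = len(G)
    M = [[Fr(v) for v in row] + [Fr(int(i == j)) for j in range(n)]
         for i, row in enumerate(G)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c] != 0), None)
        if p is None:
            raise ValueError("H^T R^-1 H is singular: system unobservable")
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c:
                f = M[r][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return [row[n:] for row in M]

def sensitivity(H):
    """S = I - H (H^T H)^-1 H^T: the page's S with R = I (assumption)."""
    Ht = [list(col) for col in zip(*H)]
    K = matmul(matmul(H, inverse(matmul(Ht, H))), Ht)
    m = range(len(H))
    return [[Fr(int(i == j)) - K[i][j] for j in m] for i in m]

def critical(S):
    """1-based measurement indices whose row and column of S are all zero."""
    m = range(len(S))
    return [i + 1 for i in m if all(S[i][j] == 0 and S[j][i] == 0 for j in m)]

def residual_sq(S, z):
    """||z - H x_hat||^2 for the least-squares x_hat, using z - H x_hat = S z."""
    return sum(sum(s * v for s, v in zip(row, z)) ** 2 for row in S)

# Constructed model: 5 measurements, 3 states; only measurement 5 observes state 3.
H = [[1, 0, 0], [0, 1, 0], [1, -1, 0], [1, 1, 0], [0, 0, 1]]
S = sensitivity(H)
Z = [21, 10, 9, 30, 30]           # constructed noisy readings
C = [[0], [5], [0]]               # state deviation c (column vector)
Z_FDI = [z + a[0] for z, a in zip(Z, matmul(H, C))]   # z + alpha with alpha = H c
Z_GROSS = [26, 10, 9, 30, 30]     # +5 on redundant measurement 1, not of the form H c
Z_CRIT = [21, 10, 9, 30, 35]      # +5 on critical measurement 5

if __name__ == "__main__":
    print("critical:", critical(S))
    print([str(residual_sq(S, z)) for z in (Z, Z_FDI, Z_GROSS, Z_CRIT)])
```

Because $SH = 0$, any $\alpha$ in the column space of $H$ leaves the residual unchanged, so detection has to come from measurement redundancy and protected meters rather than from a tighter threshold $\tau$.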


Privatization of electricity market recent (‘80s)
Locational marginal pricing (LMP) aka nodal pricing
◦ Case no constraint on Tx line: uniform market clearing price is the highest marginal generator cost
◦ Case congestion on Tx line: price varies with location
Attack [Xie ‘10]:
1. In the day-ahead forward market, buy and sell virtual power at two different locations $P_1$ and $P_2$
2. Inject false data to manipulate the nodal price of the Ex Post market
3. In the Ex Post market, sell and buy virtual power at $P_1$ and $P_2$ respectively
4. Profit
37
Notable omission in this presentation:
• Distributed generation, microgrid
• Demand response



Grid modernization stimulates multi-disciplinary research
National priority vs. business priority
In progress:
◦ $100m Smart Grid, Smart City demo project in Newcastle
◦ Intelligent Grid: CSIRO and five universities

What’s next?
38










B.K. Panigrahi et al., “Computational Intelligence in Power Engineering,” Springer-Verlag Berlin Heidelberg, 2010.
A. Monticelli and F.F. Wu, “Network Observability: Theory,” IEEE Trans. Power Apparatus and Systems, PAS-104(5):1042-1048, 1985.
A. Monticelli, “Electric Power System State Estimation,” Proc. IEEE, pp. 262-282, 2000.
A. Abur and A.G. Exposito, “Power System State Estimation: Theory and Implementation,” Marcel Dekker Inc., 2004.
J. Chen and A. Abur, “Improved Bad Data Processing via Strategic Placement of PMUs,” IEEE Power Engineering Society General Meeting, 2005.
R. Emami and A. Abur, “Robust Measurement Design by Placing Synchronized Phasor Measurements on Network Branches,” IEEE Trans. Power Systems, 25(1):38-43, 2010.
Y. Liu et al., “False data injection attacks against state estimation in electric power grids,” Proc. 16th ACM Computer and Communications Security, 2009.
O. Kosut et al., “Limiting false data attacks on power system state estimation,” Proc. 44th Conf. Information Sciences and Systems, 2010.
L. Xie et al., “False data injection attacks in electricity markets,” Proc. 1st International Conference on Smart Grid Communications, 2010.
J. Momoh and L. Mili, “Economic Market Design and Planning for Electric Power Systems,” IEEE-Wiley Press, 2010.
39
(corrosion, vandalism, animals)
*TLSA=Transmission Line Surge Arrester
[Figure labels: RF temperature sensor; RF leakage current sensor; Ice build-up]
Ref: EPRI, “Sensor Technologies for a Smart Transmission System,” white paper, Dec 2009.
40
Ref: EPRI, “Sensor Technologies for a Smart Transmission System,” white paper, Dec 2009.
41

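$f(X) = F \cdot A \cdot X$, where $A_{ij} = \begin{cases} 1 & \text{if } i = j \\ 1 & \text{if branch } ij \text{ exists} \\ 0 & \text{otherwise} \end{cases}$
Bus-to-bus connectivity matrix (rows and columns indexed by bus):
$$A = \begin{bmatrix} 1 & 1 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 & 0 \\ 0 & 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 0 & 1 \end{bmatrix}$$
$F$ is to make sure every pair of observable islands upon removal of each critical bus will have at least one PMU
$$F = \begin{bmatrix} 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{bmatrix}$$
[Figure labels on $F$: bus (columns); island, Branch 1-2, Bus 2 (rows)]
J. Chen et al. “Improved Bad Data Processing via Strategic Placement of PMUs,” IEEE Power Engineering Society General Meeting, 2005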
42
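An added example (not code from the talk or from Chen and Abur) that solves the PMU placement integer program $\min \sum c_i x_i$ s.t. $F \cdot A \cdot X \ge \mathbf{1}$ by exhaustive search on the 5-bus matrices of this slide. It assumes $F$ is read column by column from the slide; `I5` (every bus observed), `SITE_COST` and the `need` parameter are hypothetical additions, and `need=2` goes beyond the slide to show a placement whose constraints survive the loss of one PMU.

```python
from itertools import combinations

# Matrices of the 5-bus example on the slide (columns indexed by bus 1..5).
A = [[1, 1, 0, 0, 1],
     [1, 1, 1, 1, 1],
     [0, 1, 1, 1, 0],
     [0, 1, 1, 1, 0],
     [1, 1, 0, 0, 1]]
F = [[1, 1, 1, 1, 0],
     [0, 0, 0, 0, 1],
     [1, 1, 1, 1, 0],
     [0, 0, 0, 0, 1]]
# Assumption: F = identity, i.e. every single bus must be observed by a PMU.
I5 = [[int(i == j) for j in range(5)] for i in range(5)]

def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) for row in M]

def place_pmus(A, F, cost, need=1):
    """Exhaustive solve of: min sum(c_i x_i) s.t. every entry of F.A.X >= need.

    Returns (total cost, 1-based bus list), or None if infeasible.
    need=2 is an added generalization: constraints hold after losing one PMU.
    """
    n, best = len(A), None
    for r in range(n + 1):
        for buses in combinations(range(n), r):
            X = [int(i in buses) for i in range(n)]
            if all(v >= need for v in matvec(F, matvec(A, X))):
                total = sum(cost[i] for i in buses)
                if best is None or total < best[0]:
                    best = (total, [b + 1 for b in buses])
    return best

UNIT = [1] * 5
SITE_COST = [1, 5, 1, 1, 1]   # hypothetical: bus 2 is expensive to instrument

if __name__ == "__main__":
    print(place_pmus(A, F, UNIT))           # island constraint from the slide
    print(place_pmus(A, I5, UNIT))          # full observability by PMUs alone
    print(place_pmus(A, I5, SITE_COST))     # cost shifts the optimum off bus 2
    print(place_pmus(A, I5, UNIT, need=2))  # tolerate loss of any one PMU
```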
[Figure labels: Centralized scheduling; Coordinated distributed scheduling; Uncoordinated distributed scheduling; schedule]
43
Where the measurements are used:
◦ Real-time contingency analysis
◦ Real-time network analysis
◦ Study network analysis
44
Tropos GridCom:
45