StateEstimationfollowingCyberAttacksonthePowerGrid

SalehSoltan,Mihalis Yannakakis,GilZussmanElectricalEngineeringandComputerScience

ColumbiaUniversity,NewYork,NY

Security and Resilience

Physical Attacks/Failures Cyber Attacks/Failures

Control

Data Power

Power Grid Communication networks Physical Infrastructure

Supervisory Control and DataAcquisition (SCADA) system

Source: Report of the Commission to Assess the threat to the United States from Electromagnetic Pulse (EMP) Attack, 2008

FERC, DOE, and DHS, Detailed Technical Report on EMP and Severe Solar Flare Threats to the U.S. Power Grid, 2010

Large Scale Physical Attacks/Failures

◆ EMP (Electromagnetic Pulse) attack

◆ Solar Flares

Photos from National Geographic

◆ Other natural disasters

IdentifyingCommunicationsNetwork’sMost VulnerableParts

◆ Cutswith probabilisticproperties • Distancefrom theattack’s

epicenter• Thetopographyofthe

surroundingarea

• Thecomponent’sspecifications ◆ Anumberofsimultaneous

attacks ◆ Takeintoaccountprotection and

restoration

◆ Use computationalgeometrictools forcomplexityreduction

P. K. Agarwal, A. Efrat, S. K. Ganjugunte, D. Hay, S. Sankararaman, and G. Zussman, “The resilience of WDM networks to probabilistic geographical failures,” IEEE/ACM Transactions on Networking, vol. 21, no. 5, pp. 1525–1538, Oct. 2013.

Power Networks – Vulnerability and Cascade Analysis

A. Bernstein, D. Bienstock, D. Hay, M. Uzunoglu, and G. Zussman, “Power grid vulnerability to geographically correlated failures - Analysis and control implications,” in Proc. IEEE INFOCOM’14, 2014.

Power Networks – Vulnerability and Cascade Analysis

Power Networks – Vulnerability and Cascade Analysis

Power Networks – Vulnerability and Cascade Analysis

Power Networks – Vulnerability and Cascade Analysis

N-Resilient, Factor of Safety K = 1.2 ® Yield = 0.33 For (N-1)-Resilient ® Yield = 0.35 For K = 2 ® Yield = 0.7

(Yield - the fraction of the demand which is satisfied at the end of the cascade)

PowerNetworks– VulnerabilityandCascadeAnalysis

PowerGridAttackinSanJose(Apr.2014)◆ “AsniperattackinApril2014thatknockedoutanelectricalsubstationnear

SanJose,Calif.,hasraisedfearsthatthecountry'spowergridisvulnerabletoterrorism. ”–TheWallStreetJournal

CyberAttackinUkraine(Dec.2015)

◆ Unplugged225,000peoplefromtheUkrainianelectricitygrid• StealcredentialsforaccessingtheSCADAsystem,beforeJune2015• ExploreofSCADAsystemandplanattack, June-Dec.2015• Remotelyoperatecircuitbreakers,dayofattack• Phonejammingattackskeepsoperatorsunaware,dayofattack

Interdependencies(Nov.2012)

Hurricane Sandy Update

IEEE is experiencing significant power disruptions to our U.S. facilities in New Jersey and New York. As a result, you may experience disruptions in service from IEEE.

Interdependencies◆ FCCWorkshopworkshoponnetworkresiliency(2013)

https://edas.info/web/fcc-nr2013/program.html◆ ReportoftheCommissiontoAssessthethreattothe

UnitedStatesfromElectromagneticPulse(EMP)Attack,2008

◆ Modeling:• Simplecascades• Powercontrolwith

limitedcommunications/imperfectinformation

• Powerloss(eventual)impactoncommunications

Comm.LogicalLayer

Comm.PhysicalLayer

PowerGrid

S. V. Buldyrev, R. Parshani, G. Paul, H. E. Stanley, S. Havlin, “Catastrophic cascade of failures in interdependent networks,” Nature 464, 1025-1028 (15 April 2010) -> Google Scholar

BacktoAutonomousEnergyGrids

◆ Communicationiscrucialforcoordinateddistributedcontrol◆ Controlwithoutcommunicationorwithimperfectinformation– suboptimal?◆ Arethecellsresilientwithoutcommunication?

B. Kroposki, E. Dall’Anese, A. Bernstein, Y. Zhang, B.-M. Hodge, “Autonomous Energy Grids ,” Proc. HICSS, 2018

Cascades and Interdependencies

Synthetic Power Grids

Cyber Attacks

Islanding, Limited Information

OngoingResearch

Prediction Detection

ControlEvaluation

DARPARADICSProgram

◆ RADICS- RapidAttackDetection,IsolationandCharacterizationSystems

◆ Respondtocyber-attacksonU.S.criticalinfrastructure

◆ TA1- Usegridmeasurementstoidentifyattacks

◆ Scenariosin“Exercise#1”(May2016):• Disconnectline+falsedatainjection• Disconnectlineandload+falsedata

injection• Largescalecascade

80-Bus Transmission system overlaid on the Washington DC area

StateEstimationafteraCyber-PhysicalAttack- Outline

◆ StateestimationundertheDCmodel◆ Stateestimationinthepresenceofmeasurementnoiseand

uncertainty◆ StateestimationundertheACmodel◆ Attackidentificationwhentheaffectedareaisunknown*focusontransmission

[1] Saleh Soltan, Mihalis Yannakakis, Gil Zussman, “Joint Cyber and Physical Attacks on Power Grids: Graph Theoretical Approaches for Information Recovery,” IEEE Transactions on Control of Network Systems (to appear), 2017.

[2] Saleh Soltan and Gil Zussman, “Power Grid State Estimation after a Cyber-Physical Attack under the AC Power Flow Model,” Proc. IEEE PES-GM’17, 2017.

[3] Saleh Soltan, Mihalis Yannakakis, Gil Zussman, “EXPOSE the Line Failures following a Cyber-Physical Attack on the Power Grid ,” in preparation.

[4] Saleh Soltan, Mihalis Yannakakis, Gil Zussman, “REACT to Cyber Attacks on Power Grids,” submitted.

Simplisticview ofa PowerGrids

Control Center

Commands

Data

Cyber Attack TargetPhysical Attack Target

Supervisory Control and Data Acquisition (SCADA) system

Power GridPhysical Infrastructure

Zone 1

Zone K-1

Zone K

PMUs PDC

PDC

Communication Network

PMUs

PMU

PMU

PMU

PMU

PMU PDC

Comm.Net.

PMU: Phasor Measurement UnitPDC: Phasor Data Concentrators

SimpleAttackModel

◆ AnadversaryattacksanareabyØ Disconnectingsomelineswithintheattackedarea(physicalattack)Ø Disallowingtheinformationfromthemeasurementdeviceswithintheareato

reachthecontrolcenter(cyberattack)◆ Assumeweknow!◆ Acyberonlyorphysicalonlyattackmayresultinasimilarsituation

"

!

AttackedArea

PowerFlowEquations- DCApproximation

◆ Representthegridbyaconnectedgraph" = (%, ')

◆ TheDCpowerflowisasolution()⃗, ,⃗) of:-,⃗ = .⃗

/01,⃗ = )⃗

0 ∈ {−1,0,1}8×::theincidencematrixofthegrid:

;<= = >

0, ifA=isnotincidenttonodeI,

1, ifA=iscomingoutofnodeI,

−1, ifA=isgoingintoofnodeI,

/ ∈ ℝ:×::thediagonalmatrixofadmittancevalues,

and- = 0/0N :theadmittancematrixofthegrid

O

P

Load (.Q < 0)Generator (.Q > 0)

,Q, .Q

,Q: Phase AngleUQV:Reactance

Objective

Objective:Usetheinformationavailableoutsideoftheattackedzone(,⃗′XY)andtheinformationbeforeattack(-, ,⃗)

Ø Recoverthephaseangles(,⃗′X)Ø Detectthedisconnectedlines(Z)or(-′)

! : an induced subgraph of " that represents the attacked zone!Y: "\!Z : Set of failed lines¡′ : The value of ¡ after an attack

"

!

AttackedArea

Z

,⃗′ =,⃗′X

,⃗′XY

RelatedWork

◆ Linefailuredetectionisacombinatorial problem◆ Previousworkonlinefailuresdetectionusingphaseanglemeasurements:

◆ Singleordoublelinefailures(TateandOverbye,2009)• Linefailureidentificationinaninternalsystemusingtheinformationfroman

externalsystem(ZhuandGiannakis,2012)• PMUlocationselectionforlineoutagedetection(Zhao,Goldsmith,Poor,2012)• Recoveryintransientstate(Garciaetal.,2016)• Topologyattacks(KimandTong,2013)• …

◆ WeusethealgebraicpropertiesoftheDCpowerflowequationsandthegridstructuretoefficiently(LP)detectlinefailures

◆ Weshow(empirically)thattheapproachoperateswellwithmeasurementnoiseandundertheACpowerflows

◆ WeextendtoACpowerflowsandcasesinwhichtheattackareaisunknown

InformationRecovery

◆ Assumethatsupply/demandvaluesdonotchangeorweknowchanges

\ -,⃗ = ]

-^,⃗^ = ]⇒ - ,⃗ − ,⃗^ = -^ − - ,⃗^

⇒-X|a-XY|a

,⃗ − ,⃗^ =-′X|a − -X|a

-XY|a^ − -XY|a

,⃗^

-XY|a ,⃗ − ,⃗′ = 0 -X|a ,⃗ − ,⃗′ = 0XU⃗

-XY|a ,⃗ − ,⃗′ = 0

-X|a ,⃗ − ,⃗′ = 0XU⃗

Recover the phase angles Detect Line Failures

Simultaneous phase angles recovery and failed lines detection

" !

Z

!Y: "\!¡′ : The value of ¡after an attack

Does not depend on the number of line failures

RecoveryofPhaseAngles

◆ ,⃗′X canberecoveredafteranyattackon!,if-XY|X haslinearlyindependentcolumns

◆ ,⃗′X canberecoveredalmostsurelyifthereisamatchingbetweenthenodesinsideandoutsideof! thatcovers%X

H

-XY|a ,⃗ − ,⃗′ = 0 ⇒ -XY|X,⃗X^ =-XY|a,⃗ − -XY|XY,⃗XY

^

- =-X|a-XY|a

=-X|X -X|XY

-XY|X -XY|XY, ,⃗′ = ,⃗′X

,⃗′XY

Matching: A set of pairwise nonadjacent lines

DetectingFailedlines

◆ bO.. U⃗ : SetofnonzeroelementsofvectorU⃗

◆ Failedlinescanbedetected,if! isacyclic◆ Whatifthesetoflinefailuresissparse?

min ∥ U⃗ ∥d b. f. 0XU⃗ = -X|a(,⃗ − ,⃗′) (∗)

Lemma. There exists a vector U⃗ ∈ ℝ hi such that 0XU⃗ = -X|a ,⃗ − ,⃗^

and bO.. U⃗ gives indices of the failed lines.

Lemma. The solution U⃗ is unique, if and only if ! is acyclic.

DetectingFailedlines

Theorem. In a planar graph !, the solution to (∗)min ∥ U⃗ ∥d b. f. 0XU⃗ = -X|a(,⃗ − ,⃗′)

is unique and bO.. U⃗ gives indices of the failed lines, if the following conditions hold:(i) for any cycle, less than half of its lines are failed,(ii)Z∗ can be covered by edge-disjoint cycles in !∗

!

Lemma. If ! is a cycle and less than half of the lines are failed, then the solution U⃗ to the optimization (∗)is unique and bO.. U⃗ gives indices of the failed lines.

min ∥ U⃗ ∥d b. f. 0XU⃗ = -X|a(,⃗ − ,⃗′) (∗)

Example

SimultaneousPhaseAnglesRecoveryandFailedlinesDetection

◆ FindvectorsU⃗ ∈ ℝ|hi| and,⃗′X ∈ ℝ|ki| suchthat0XU⃗ = -X|a(,⃗ − ,⃗′)

-XY|a ,⃗ − ,⃗′ = 0

◆ Uniquesolutionif,andonlyif,1. ! isacyclic2. Thereisamatchingbetweenthenodesin! and!Y

◆ bO..(U⃗) givestheindicesofthefailedlines

◆ Assumingthesetoflinefailuresissparse:

min ∥ U⃗ ∥d b. f.

0XU⃗ = -X|a(,⃗ − ,⃗′)

-XY|a ,⃗ − ,⃗′ = 0

(∗∗)

SimultaneousPhaseAnglesRecoveryandFailedLinesDetection

◆ Example.

Theorem. Under some conditions on Z and ! the solution U⃗, ,⃗′X to(∗∗) is unique and can recover the missing information.

min ∥ U⃗ ∥d b. f.

0XU⃗ = -X|a(,⃗ − ,⃗′)

-XY|a ,⃗ − ,⃗′ = 0

(∗∗)

!-inner-connected

!

ConditionsandConstraints

External Conditions Internal Conditions Attack Constraints

Matching Acyclic None

Matching Planar Less than half of the edges in each cycle are failed

Partial Matching AcyclicLess than half of the edges

connected to an internal node are failed

Partial Matching Planar Two above conditions

"

!

AttackedArea

Z

PartitioningoftheColoradostategridinto6attack-resilientzones

◆ NP-Hard◆ Developedgoodapproximations

Outline

◆ Stateestimationunderacyberandphysicalattack◆ Stateestimationinthepresenceofmeasurementnoiseand

uncertainty◆ StateestimationundertheACpowerflows◆ Attackidentificationwhentheaffectedareaisunknown

MeasurementNoiseandUncertainty

◆ Assume- ,⃗ − n = .⃗

n isaGaussianmeasurementnoise

◆ lmn = 20log∥p∥q

∥r∥q

◆ Relaxtheconstraintsasin(∗∗∗)

◆ Secondorderconeprogramming

min ∥ U⃗ ∥d b. f.

||0XU⃗ − -X|a ,⃗ − ,⃗^ ||s < td

||-XY|a ,⃗ − ,⃗′ ||s < ts

∗∗∗

"!

NumericalResults

NumericalResults

Could not detect failure in Ad

NumericalResults

False Negative: Not detecting a failed lineFalse Positive: Detecting an operating line as failed

StateEstimationundertheACPowerFlows

◆ PhaseangleofthenodesarecomputedundertheACpowerflows

◆ Usedifferenttd andts valuesandstatisticallydetectthelinefailures

◆ IEEE118-bussystem- anattackedareawith21nodesand22lines

min ∥ U⃗ ∥d b. f.

||0XU⃗ − -X|a ,⃗ − ,⃗^ ||s < td

||-XY|a ,⃗ − ,⃗′ ||s < ts

∗∗∗"

!

Saleh Soltan and Gil Zussman, “Power Grid State Estimation after a Cyber-Physical Attack under the AC Power Flow Model,” Proc. IEEE PES-GM’17, July 2017.

StateEstimationundertheACPowerFlows

◆ Thephaseanglescanbeestimatedwithlessthan1%errorfor1-,2-,and3-linefailures

◆ Linefailurescanalsobedetectedwithlessthan20%error(falsepositivesornegatives)

The CDF of the number of false negatives and positives in detecting triple line failures (100 cases).

DealingwithACDirectly

◆ Recoveringthevoltages• Similarconditions• Non-linearbutconvex

◆ DC-basedmethod:

◆ AC-basedmethod:

◆ EvaluationwhenZonedoesnotsatisfyconditions

Saleh Soltan, Mihalis Yannakakis, Gil Zussman, “REACT to Cyber Attacks on Power Grids,” in preparation.

118-bus 300-bus

Detected Lines

Fa

ile

d L

ine

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

Detected Lines

Fa

ile

d L

ine

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

Outline

◆ Stateestimationunderacyberandphysicalattack◆ Stateestimationinthepresenceofmeasurementnoiseand

uncertainty◆ StateestimationundertheACpowerflows◆ Attackidentificationwhentheaffectedareaisunknown

◆ Detectthelinefailuresaswellastheattackedarea! afteracyber-physicalattack

BacktoDC- LocationUnknown

Saleh Soltan, Mihalis Yannakakis, Gil Zussman, “REACT to Cyber Attacks on Power Grids,” submitted.

◆ Twotypesofcyberattacks• Datadistortion• DataReplay

◆ ,⃗⋆ istheobservedphaseanglesaftertheattackwhichisdifferentfromtheactual,⃗′

◆ NP-Hard◆ Approximatesolutions

LocationUnknown- CyberAttacks

◆ Approximatelydetecttheattackedareain3steps◆ Identifylinefailureswithsomeconfidence

Example

◆ Simulationsontwoattackedareaswithin300-bussystem• Attackedareaswith15and31nodes

Simulations

Performance- SmallArea

1001,2,3-linefailuresamples

◆ Replayattacksaremuchhardertocopewith

◆ IEEE300-bus◆ 3linefailures

Distortionvs.ReplayAttacks

Performance- LargeArea

1001,2,3-linefailuresamples

Summary

◆ Developedschemesfordetectinglinefailuresfollowinganattackusingpartialinformation

◆ Identifiedtradeoffsbetweenthestructuralcomplexityoftheattackareaandtheaccuracyofdatarecovery

◆ EvaluatedundermeasurementnoiseandACmodel◆ DevelopedanAC-basedalgorithm◆ Consideredthecaseinwhichattackedareaisunknownandthereare

falsedatainjections◆ (near)futurework:dealwitha(streaming)simulatedattackona

~1500busgrid…

PostdoctoralPositions– PowerGridResilience◆ ThegroupsofD.Bienstock andG.Zussman (ColumbiaUniversity)◆ DARPA,DOE,DTRA,andARPA-Eprojects◆ Backgroundandexperienceinsomeofthefollowing:optimization,power,

machinelearning,control,algorithmdesign,andcomputationalimplementation

◆ dano@columbia.edu ,gil@ee.columbia.edu◆ wimnet.ee.columbia.edu