Professional Documents
Culture Documents
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Bo Chen
Takis Zourntos
I. I NTRODUCTION
It is well known that the smart grid promises increased reliability, efficiency and sustainability through the use of advanced
information (cyber) and energy (physical) infrastructure. This
greater dependence on information systems however raises
concerns as to how its integration will affect the cyber and
physical security of future power systems.
Historically, such cyber-enablement of classical application
fields including commerce, entertainment, and social interactions has led to improved functionality and efficiency at the
cost of security. Thus, we assert the importance of addressing
cyber and physical security issues of emerging cyber-enabled
power systems. A first step in such a study will require
the exploration of novel vulnerabilities stemming from cyberphysical integration, which we aim to address in this paper, to
better develop strategies for their mitigation.
There has been a movement toward addressing cyberphysical aspects of system security. For instance, information confidentiality has been addressed by studying cyberto-physical leakage via clues about cyber protocol activity
in power system voltage and current measurements [1], [2].
Novel risk analysis frameworks that account for the physical
impacts of cyber attacks have been presented [3], [4]. To
more comprehensively account for the interaction between the
power system and information network, empirical approaches
have been developed that harness realistic communications and
power systems simulators [5].
We argue that to identify insidious weaknesses stemming
from cyber-physical interaction and evaluate mitigation approaches, it is crucial that the physical notion of time be
incorporated into the modeling framework. Furthermore, we
believe that for the results to have useful meaning to electric
power utilities and for risk analysis, the model should loosely
represent select aspects of the system physics with appropriate
granularity. For this reason, our work represents a departure
Deepa Kundur
Karen Butler-Purry
Page 2 of 22
2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Page 3 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
(2)
(3)
(4)
Typically, the guarantee that Eq. (4) holds occurs for a local
region of state space. Thus a state trajectory would have to
enter this local region to guarantee attraction to the sliding
surface s = 0; once the state is within the region of attraction
persistent sliding mode switching will guarantee that the state
is attracted to s = 0 and remains on that surface.
Condition Eq. (4) does not guarantee that the individual
sliding surfaces si = 0 exist for i = 1, 2, . . . , m. If they
exist for a subset j S {1, 2, . . . , m} then the following
additional conditions must hold, again, for a possibly local
j S.
(5)
In the multi-switch cases that follow, we consider the scenario in which each of the m switches open and close according to the sign of a particular element of s = [s1 s2 sm ]T .
For example, the ith switch would open for si < 0 and close
when si 0. The terminal sliding surface for attack is the
intersection of all of the individual switching surfaces s = 0.
Moreover we assume that individual sliding surfaces exist for
sj = 0 for j S. The existence of individual sliding surfaces
provided by Eq. (5) enables the possibility of employing a
variety of multi-switch strategies that we investigate for power
system attack in this paper.
Throughout the paper the authors adopt a compact notation
common to systems theory to describe the dynamical representations and variables. However such a convention, albeit
simpler, may not readily provide information on temporal or
state dependencies that could better elucidate the concepts
and relationships in a power systems context. Therefore, we
provide a summary in Table I of the key variables of this paper
and their associated dependencies.
D. Attack Assumptions and Overview
A vulnerability in a system exists when there is a flaw
in the system, access to the flaw and a capability by an
opponent to exploit the flaw. We consider the vulnerability we
address in this paper to be cyber-physical in nature because
a physical weakness is exploited through access provided by
cyber (communications) means.
In order to study a worst-case scenario for disruption we
assume that attacker communication is ideal and that corrupted breakers are temporally synchronized in their switching.
Moreover, we assume that physical catastrophe instigated by
the proposed attack does not affect the performance of the
associated communication system.
1) Attacker Knoweldge: To leverage variable structure system theory to construct a smart grid attack, an opponent would
need:
1) to identify a set of (physical) target synchronous generators to attack denoted {Gt }, t = 1, 2, . . . , T ;
2) electromechanical switching control over m > 1 corrupted circuit breakers in the targets proximity;
3) knowledge of the targets states x; and
4) a local model of the smart grid system encompassing the
targets.
Physical means to obtain such measurement data and control
switching actions requires that the opponent employ geographically proximal and perhaps even distributed and unstealthy
techniques, which is impractical for resource constrained opponents. However, with the increased dependence on information technology and its proposed large-scale connectivity, it is
feasible that such approaches will be implemented remotely
through an effective sequence of cyber intrusions.
In order to implement the attack remotely an opponent
must exploit one or more cyber vulnerabilities within the
associated communications and computing devices. Numerous
Page 4 of 22
4
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
TABLE I: Variable dimensions, dependencies and notation. Please note that model parameters such as C, ci , Ai and bi are
constants with no temporal or state dependencies.
Quantity
Dependencies
state
state trajectory/derivative
state element
state element derivative
switching vector
switching signal
derivative of switching vector
derivative of switching signal
equivalent control
system transformation matrix
input matrix
sliding mode coefficients
switching surface
linear sliding surface
rotor angle of Gi
rotor angle derivative
rotor speed of Gi
rotor speed derivative
time
time
time
time
state (for this paper)
state (for this paper)
state and time
state and time
state and switching vector
n/a (constant)
n/a (constant)
n/a (constant)
state
state
time
time
time
time
Common
notation(s) used
x
x
xi
x i
s(x) or s
si (x) or si
s
s i
u
A
B
C
s=0
s = Cx = 0
i
i
i
i
Dimensions
Rn1
Rn1
R
R
Rm1
R
Rm1
R
Rm1
Rnn
Rnm
Rmn
R
R
R
R
Other possible
description(s)
x(t)
x(t)
xi (t)
i (t)
x i (t), dxdt
s(x(t))
si (x(t))
s(x)
s i (x), s i (x(t))
u(t), u(x, s)
s(x) = 0
Cx(t) = 0
i (t)
i (t)
i (t)
i (t)
Page 5 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
0
1
0
x1
0 0
u
0
1 x2 + 0 1 1 .
x(t)
=0
(6)
u
1 2 3
x3
1 0 | {z2 }
{z
} | {z } | {z } u
|
A
(8)
u1,2 =
x 1 =x2
1
1
1
1
1
)
c
1
1
2
2
3
3
1,2
2
1
2
2
x 3 = 2
c12 + c13
(10)
(11)
Page 6 of 22
6
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
x 1 =x2
x 2 = 3 1
. (13)
c13 c22 c12 c23
1 2
2 1
2
1
x 3 = 2 1
c13 c22 c12 c23
1) Unstable Sliding Modes: Sliding mode control has been
conventionally employed for stabilization. Thus, the resulting
dynamics after the state reaches the sliding surface and remains there are stable. In contrast, for power system disruption, opponents aim to identify unstable sliding modes through
appropriate selection of C.
(12)
(14)
Ax + Bueq = Ax B(CB)
(I B(CB) C)Ax
0
1
0
x1
1 2
1 2
0 c31 c12 c11 c32 0
x
c3 c2 c2 c3
2 .
c11 c22 c12 c21
x
3
0 c1 c2 c1 c2 0
3 2
|
{z 2 3
}
CAx
(15)
(16)
(17)
(IB(CB)1 C)A
(18)
Page 7 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
C. Progressive Switching
Consider the case in which the sliding surface s = 0 and
an individual sliding surface s1 = 0, say, both exist. For such
a situation, it is possible for an opponent to apply concurrent
switching as discussed in the previous section. There however
may be disadvantages to this for a successful attack. First, the
region of convergence for the s = 0 sliding surface may be
difficult to reach for certain system conditions in which say the
equilibrium position is distant from the region of convergence.
Furthermore, the opponent may prefer to be stealthy for a
period of time slowly moving the trajectory to a seemingly
stable but vulnerable position prior to an appropriately timed
disruption. The additional timing control that this provides
(C 1 Ax) (C 1 B)
sgn(s1 ),
(20)
x 1 =x2
1
2
2
2
1
1
(c
)
+
(c
)
3
2
2
+2(c12 ) + c12 c13 3 )x3 c12 sgn(s1 )
.
1
2
2
2
2
1
1
1
1
2
2
(c13 ) + (c12 )
2
2
+c13 c11 )x2 + (2(c13 ) 3 + (c12 ) 3 + c13 c12 )x3 c13 sgn(s1 )
(21)
Page 8 of 22
8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
IV. S IMULATIONS
x 1 =x2
1 1
1 1
1
1 1
1
2
2
1
1
1
1
1
1
1
x 3 =
2
2
(c13 ) + (c12 )
(22)
Analogous to Section III-B we can select C to guarantee, in
contrast, the stability of the s1 = 0 sliding surface.
Stage 3: The system state x is driven to the s = 0 sliding
surface at the intersection of s1 = 0 and s2 = 0. To illustrate
this behavior, we once again set sT s < 0 to give the Stage 3
dynamics of Eq. (13).
1) Numerical Illustration: Once again, we consider the
stable canonical system for 1 = 1, 2 = 2 and 3 = 3.
Using parallel reasoning to the concurrent switching example,
the two switching surfaces are selected as:
1
2 1
.
(23)
C=
2 1 1
The corresponding simulation results of system trajectories,
system states, switches are shown in Fig. 8. As shown, during
Stages 1 and 2, the system trajectory is attracted to the s1 =
0 sliding surface and remains stable as Switch 1 is applied.
However, when Switch 2 is applied the joint switching has the
effect of destabilization the overall system when it is attracted
to the s = 0 sliding surface.
i =i s
,
1
i =
[Pmi 10
k=1 Ei Ek |Yik | cos (i k Yik )]
Mi
(24)
where i , i , Mi , Pmi and Ei are the phase angle, frequency
(with nominal frequency being 60 Hz), moment of inertia,
mechanical power and terminal voltage of the ith generator.
Yik is the Kron-reduced equivalent admittance between the
ith and kth generators. Typical parameter values for the New
England system are assumed. The jth (corrupted) breaker in
the system is assumed to target Generator t and incorporate
the following switching signal with coefficients cj1 and cj2 :
s j = c j1 t + c j 2 t .
(25)
Page 9 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Page 10 of 22
10
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
In this environment of rushed development and rapid deployment, we contend that there is a timely and critical need
for research that takes a systematic view of smart grid vulnerability analysis and protection in order to provide engineering
principles of more general use. This paper presented a worstcase scenario for a multi-switch attack making use of variable
structure system theory for power system disruption. We have
demonstrated the utility of employing multiple switches for
creating transient instability in target generators of a power
grid.
Future work will focus on developing analytical bounds on
the time to catastrophe in the presence of ideal and non-ideal
inter-attacker communications. Based on these results we will
aim develop adaptive distributed control strategies that aim
to minimize damage through effective system reconfiguration
such as islanding. Moreover, we will aim to identify peer-
Page 11 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
TABLE II: Cascading failure process of New England 10-machine, 39-bus Power System.
Time (s)
0-10
10-11
11-16.38
16.38-20
20-21
21-26.9
26.9-31.3
31.3-50
50-50.74
50.74-50.78
50.78-50.82
50.82-51.03
51.03-51.15
51.15-51.26
51.26-51.28
51.28-51.29
51.29-51.47
51.47-53.66
53.66-62.1
62.1-80
Event Recording
Normal operating
Switching attacks implemented on Generator 9
Generator 9 loses synchronous, and is tripped by over-frequency relay at 16.38 second
System is operating at 59.8 HZ after tripping Generator 9
Switching attacks implemented on Generator 8
Generator 8 loses synchronous, and is tripped by over-frequency relay at 26.9 second
Generator 5 loses synchronous, and is tripped by over-frequency relay at 31.3 seccond
Line 21-22 active power increases, and is tripped by overload transmission line protection relay at 50 second
Generator 7 loses synchronous, and is tripped by over-frequency relay at 50.74 second
Generator 6 loses synchronous, and is tripped by over-frequency relay at 50.78 second
Bus 3 frequency decreases, the load on Bus 3 is tripped by UFLS at 50.82 second
Bus 16 frequency decreases, the load on Bus 16 is tripped by UFLS aT 51.03 second
Generator 4 loses synchronous, and is tripped by over-frequency relay at 51.15 second
Bus 15 and 18 frequencies decrease, the loads on Bus 15 and 18 are tripped by UFLS at 51.26 second
Generator 2 loses synchronous, and is tripped by over-frequency relay at 51.28 second
Generator 3 loses synchronous, and is tripped by over-frequency relay at 51.29 second
Bus 7 frequency decreases, the load on Bus 7 is tripped by UFLS at 51.47 second
Bus 25, 26 and 28 frequencies decrease, the loads on Bus 25, 26 and 28 are tripped by UFLS at 53.66 second
Generator 1 loses synchronous, and is tripped by over-frequency relay at 62.1 second
Generator 10 provides power to the remaining loads under fairly low frequency and voltage, which can not
meet the normal power requirements.
Page 12 of 22
12
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60