
Cyber Attack-resilient Control for Smart Grid


Siddharth Sridhar, Student Member, IEEE, Adam Hahn, Student Member, IEEE,
and Manimaran Govindarasu, Senior Member, IEEE
Abstract: The smart grid further intensifies the dependence of power system operation on cyber infrastructure for control and monitoring purposes. With the advent of new-generation applications like wide-area measurement systems and demand side management, power utilities are in the process of planning/building additional communication infrastructure to support their operational requirements. This expansion increases the effective attack surface available to an adversary and exposes the control applications that depend on it. Hence, in addition to improving cyber security of the communication network, it becomes imperative to develop control system algorithms that are both attack resilient and tolerant. In this paper, we identify the types of cyber attacks that are directed at industrial control systems. We then identify key control loops in power systems operation and determine the types of attacks that will be effective against each control loop. In the end, we present basic concepts of attack resilient control.
Index Terms: Cyber-Physical Systems, Smart Grid, SCADA
I. INTRODUCTION
The smart electric grid expands the capabilities of the tra-
ditional electric power grid to make reliable, green, and cheap
electric power available to the consumers. The various sub-
systems within the smart grid enable control over distributed
generation resources on one end of the spectrum, to customer
loads like washer/dryers on the other end. These features are
made possible by modern communication and control infras-
tructures that span across huge geographical areas to form a
complex cyber-physical system. These critical infrastructures
are often targeted by adversaries to cause damage to life and
property that depend on it.
The several control systems within the smart grid obtain
measurements from geographically dispersed sensors through
wide-area network communications. Similarly, control com-
mands from the control center are also dispatched to de-
vices that are distant from the control center. However, these
communication networks could be targeted by adversaries to
disrupt normal operation. This paper identifies and analyzes
the threats to the smart grid and its components from the cyber
space.
Siddharth Sridhar and Adam Hahn are graduate students in the Department of Electrical and Computer Engineering, Iowa State University. Manimaran Govindarasu is a Professor in the Department of Electrical and Computer Engineering, Iowa State University. This work was funded by the National Science Foundation (Grant: CNS 0915945).

II. CONTROL LOOP MODEL
Fig. 1 shows a generic control loop model that represents interactions between a control center and a physical system. In this figure:
- Sensors are field devices that measure physical parameters (e.g. voltage, temperature).
- Machine/Device is that component of the physical system that is being monitored.
- Actuators are mechanical devices that implement the change on the machine (e.g. transformer tap changers).
- The Control Center is where measurement data from sensors is analyzed, to make operational decisions.
- y_i(t) represents measurement signals from the sensors.
- u_i(t) represents control messages that carry operational decisions.
In most control systems, the measurement and control
signals are transmitted using a wide-area communication net-
work. An adversary could exploit vulnerabilities in the com-
munication network to cause an impact on the physical system
by directing attacks at either measurement or control signals.
These attacks can be broadly classified into the following types.
- Data Integrity Attacks involve manipulating the signals to spurious values that could either force the control center to make wrong decisions, or force the actuator to incorrectly modify the physical device, depending on which signal is attacked.
- Denial of Service (DoS) Attacks will result in delayed control action. In a scenario where the physical system requires deadline-constrained corrective control, a DoS attack could drive the system to instability.
- Replay Attacks involve the retransmission of legitimate control or measurement packets. This may result in incorrect decision making.
- Timing Attacks are a variation of the DoS attack. Instead of completely denying communication between the system and control, the adversary will introduce a delay in signal transmission.
- Desynchronization Attacks, a variation of timing attacks, are attacks that target controls that require strict synchronization.
In [1], DoS and data integrity attack templates were imple-
mented on a chemical plant to observe impacts on system
pressure and temperature. In the next section, key control
loops under generation, transmission and distribution are
identified along with known vulnerabilities and potential
attack templates.
III. POWER SYSTEM CONTROL LOOPS
Fig. 1: A Typical Power System Control Loop
978-1-4577-2159-5/12/$31.00 2011 IEEE

The previous section introduced a generic control system model and identified the types of attacks that might be directed at different components of the system. This section presents control loops specific to power systems and analyzes the impact of the defined attacks on these loops. Fig. 2 classifies key power system control loops into generation, transmission and distribution, and identifies the impact caused by specific attacks on these control loops.
The automatic voltage regulator and governor control
schemes are local control schemes that do not rely on SCADA
telemetry for operation. Hence, attacks such as integrity, DoS,
replay, timing and desynchronization are not applicable in this
case. Malware attacks, attacks that are a result of infected
control modules of the system, can have an impact on all the
control loops in the system.
The Automatic Generation Control (AGC) loop is vul-
nerable to data integrity attacks as the Area Control Error
(ACE), or the generation correction, that is calculated depends
on these measurements. This attack was demonstrated in
[2] where the attack resulted in abnormal system operating
conditions. The DoS attack need not necessarily have an
impact on AGC as it is only effective if implemented when
AGC is operational. Timing attacks will have an impact on
AGC as delayed dispatch of the generator correction could
result in unstable operating conditions. Replay attacks
will also have an impact as the ACE will be calculated based
on old system state. Desynchronization attacks can be targeted
on AGC operation by forcing ACE to be calculated based
on frequency and tie-line measurements from different time
instances.
State Estimation need not necessarily be impacted by data
integrity, DoS, replay and timing attacks as the algorithm
performs computations even in the presence of corrupt data
or in the absence of measurements from a certain number of
meters. However, in [3], the authors have shown that state
estimation can be impacted by data integrity attacks.
VAR compensation is done by Coordinating Flexible AC
Transmission Systems Devices (CFDs) - Flexible AC Trans-
mission Systems (FACTS) devices that communicate with one
another to exchange operational information and determine
setpoints. The communication is critical to stable operation
of CFDs and hence, any attack on this will impact VAR
compensation operation. In [4], the impact of data injection
attacks on CFDs is presented.
Phasor measurement unit-based wide-area measurement
systems (WAMS) are being widely deployed in the United
States. Currently, measurements provided by PMUs are not
being used for real-time control. However in [5], PMU-based
real-time control schemes that include HVDC and FACTS
control are proposed. All attack types will have an impact
on such WAMS-based applications.
Load shedding is performed at the distribution level to
prevent blackout-type scenarios in the system. During such
contingencies, under-frequency relays are triggered and the
distribution feeder is opened. Modern relays support communica-
tion protocols such as IEC 61850 over Ethernet. An attack on
the relay communication infrastructure or a malicious change
to the control logic could result in unexpected tripping of
distribution feeders, leaving load segments unserved. DoS,
Timing and Replay attacks might not necessarily have an
impact on this control loop as it is operational only during
rare contingencies. De-sync attacks are not applicable in this
case.
The Smart Meter-based Advanced Metering Infrastructure
(AMI) is currently undergoing wide installation. Using smart
meters, utilities will be able to disable customer loads when the
system demand is too high and reschedule them to hours when
wind energy is available. This feature is called demand side
management [6]. The introduction of vast communication in-
frastructure at the residential level presents adversaries with a
huge attack surface. Integrity attacks on the AMI infrastructure
may result in unexpected operation of loads leading to system
stability problems. DoS and timing-based attacks may prevent
utilities from having precise control over loads. Malware in
AMI and associated infrastructure could potentially lead to
loss in privacy, and unexpected operation of domestic devices.
IV. ATTACK RESILIENT CONTROL
State estimation has been the traditional technique for bad
data detection in power systems. As the attackers become more
sophisticated and as more resources are available to them,
legacy attack detection techniques might not be sufficient. To
detect attacks of the type described in the previous section,
advanced cyber defense techniques that incorporate power
system concepts have to be developed.
Fig. 2: Power Applications and Attack Scenarios

Attack resilient control algorithms provide defense in depth
to the control system by adding security at the application
layer. Hence, domain-specific anomaly detection and intrusion
tolerance algorithms that are able to classify measurements
and commands as good/bad have to be implemented. The
defense algorithms must be developed with the assumption
that the attacker has knowledge of system operation. As
a basic test, the algorithm should perform a range check
to see if the obtained measurements lie within acceptable
values. Additional tests that are based on forecasts, histor-
ical data and engineering sense should also be devised to
ascertain the current state of the system. In most cases, the
physical parameters of the system (e.g. generator constants)
are protected by utilities. These parameters play a part in
determining the state of the system and system response to an
event. Hence, algorithms that incorporate such checks could
help in identifying malicious data when an attacker attempts
to mislead the operator into executing incorrect commands.
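The following Python example (added here; it is not code from the paper) applies the range, history and synchronization checks just described to the AGC inputs discussed in Section III: each frequency/tie-line scan is classified as good/bad before the ACE is computed, so that data integrity, replay, timing and desynchronization attacks of the kinds listed in Section II are rejected at the application layer. The limits, frequency bias, schedule and telemetry are constructed assumptions, and the ACE formula is the standard NERC-style one.

```python
from collections import namedtuple

# Constructed limits and AGC parameters (assumptions; a utility would derive them from protected system data).
F_NOMINAL, F_RANGE = 60.0, (59.5, 60.5)   # Hz, and plausible frequency band
PTIE_RANGE = (-500.0, 500.0)              # MW, plausible tie-line flow
MAX_DF_PER_S = 0.02                       # Hz/s, max plausible frequency drift
SYNC_TOL_S, MAX_AGE_S = 0.5, 4.0          # s, desync tolerance and staleness limit
B, P_TIE_SCHED = -50.0, 100.0             # MW/0.1 Hz bias, scheduled interchange MW

# value = measured quantity, t = sensor timestamp (s), seq = per-sensor sequence number
Sample = namedtuple("Sample", "value t seq")

def validate(freq, ptie, prev_freq, last_seq, now):
    """Classify a (frequency, tie-line) pair as good/bad; return (ok, reason)."""
    if not (F_RANGE[0] <= freq.value <= F_RANGE[1] and PTIE_RANGE[0] <= ptie.value <= PTIE_RANGE[1]):
        return False, "range"        # basic range check (data integrity attack)
    if freq.seq <= last_seq["f"] or ptie.seq <= last_seq["p"]:
        return False, "replay"       # packet already seen (replay attack)
    if now - freq.t > MAX_AGE_S or now - ptie.t > MAX_AGE_S:
        return False, "stale"        # delayed delivery (timing/DoS attack)
    if abs(freq.t - ptie.t) > SYNC_TOL_S:
        return False, "desync"       # inputs from different time instants
    if prev_freq is not None:
        dt = max(freq.t - prev_freq.t, 1e-3)
        if abs(freq.value - prev_freq.value) / dt > MAX_DF_PER_S:
            return False, "rate"     # implausible jump versus accepted history
    return True, "ok"

def ace(freq, ptie):  # area control error, ACE = (Ptie - Psched) - 10*B*(f - f0), in MW
    return (ptie.value - P_TIE_SCHED) - 10.0 * B * (freq.value - F_NOMINAL)

def process(stream):
    """Run the checks over (freq, ptie, receive_time) triples; compute ACE only on good data."""
    last_seq, prev, out = {"f": 0, "p": 0}, None, []
    for freq, ptie, now in stream:
        ok, why = validate(freq, ptie, prev, last_seq, now)
        if ok:
            last_seq["f"], last_seq["p"], prev = freq.seq, ptie.seq, freq
        out.append((why, round(ace(freq, ptie), 2) if ok else None))
    return out

# Constructed telemetry: two good scans, then one scan per attack type from Section II.
STREAM = [
    (Sample(59.95, 0.0, 1), Sample(90.0, 0.1, 1), 0.5),    # good
    (Sample(59.96, 2.0, 2), Sample(92.0, 2.1, 2), 2.5),    # good
    (Sample(59.95, 0.0, 1), Sample(90.0, 0.1, 1), 4.5),    # scan 1 retransmitted
    (Sample(62.50, 6.0, 3), Sample(95.0, 6.1, 3), 6.5),    # frequency forced out of range
    (Sample(59.97, 8.0, 3), Sample(91.0, 6.2, 3), 8.5),    # tie-line sample from another instant
    (Sample(59.97, 5.0, 4), Sample(91.0, 5.1, 4), 10.5),   # both samples delivered late
    (Sample(59.60, 12.0, 5), Sample(91.0, 12.1, 5), 12.5), # in range but implausible drift
]
```

Calling `process(STREAM)` yields an ACE of -35.0 MW and -28.0 MW for the two good scans and a rejection reason instead of an ACE for each attacked scan; in practice the rejected scans would also be logged for the operator rather than silently dropped.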
Intelligent power system control algorithms that are able to
keep the system within stability limits during contingencies
are critical. Additionally, enhanced power management systems capable of addressing high-impact contingency scenarios need to be developed.
V. CONCLUSION
In this paper, the importance of cyber security in the
smart grid environment was highlighted. The types of attacks
targeted at control systems were identified and their impacts
on specific power system control loops were analyzed. These
attacks can have a wide range of impacts ranging from system
stability to financial impacts. Attack resilient controls are key
to securing the smart grid. Traditional cyber security hardware
and software have to be backed by such attack detection
algorithms at the application layer, to further intensify security.
REFERENCES
[1] Y.-L. Huang, A. A. Cardenas, S. Amin, Z.-S. Lin, H.-Y. Tsai, and S. Sastry, "Understanding the physical and economic consequences of attacks on control systems," International Journal of Critical Infrastructure Protection, vol. 2, no. 3, pp. 73-83, 2009. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1874548209000213
[2] S. Sridhar and G. Manimaran, "Data integrity attacks and their impacts on SCADA control system," in Power and Energy Society General Meeting, 2010 IEEE, Jul. 2010, pp. 1-6.
[3] Y. Liu, P. Ning, and M. K. Reiter, "False data injection attacks against state estimation in electric power grids," in Proceedings of the 16th ACM Conference on Computer and Communications Security, ser. CCS '09. New York, NY, USA: ACM, 2009, pp. 21-32.
[4] S. Sridhar and G. Manimaran, "Data integrity attack and its impacts on voltage control loop in power grid," in Power and Energy Society General Meeting, 2011 IEEE, Jul. 2011.
[5] A. Phadke and J. S. Thorp, Synchronized Phasor Measurements and Their Applications, 2008.
[6] D. Callaway and I. Hiskens, "Achieving controllability of electric loads," Proceedings of the IEEE, vol. 99, no. 1, pp. 184-199, Jan. 2011.
