Siddharth Sridhar, Student Member, IEEE, Adam Hahn, Student Member, IEEE, and Manimaran Govindarasu, Senior Member, IEEE

Abstract: The smart grid further intensifies the dependence of power system operation on cyber infrastructure for control and monitoring purposes. With the advent of new-generation applications like wide-area measurement systems and demand side management, power utilities are in the process of planning/building additional communication infrastructure to support their operational requirements. This expansion increases the effective attack surface available to an adversary and exposes the control applications that depend on it. Hence, in addition to improving cyber security of the communication network, it becomes imperative to develop control system algorithms that are both attack resilient and attack tolerant. In this paper, we identify the types of cyber attacks that are directed at industrial control systems. We then identify key control loops in power system operation and determine the types of attacks that will be effective against each control loop. In the end, we present basic concepts of attack resilient control.

Index Terms: Cyber-Physical Systems, Smart Grid, SCADA

I. INTRODUCTION

The smart electric grid expands the capabilities of the traditional electric power grid to make reliable, green, and cheap electric power available to consumers. The various subsystems within the smart grid enable control over distributed generation resources on one end of the spectrum, to customer loads like washers/dryers on the other end. These features are made possible by modern communication and control infrastructures that span huge geographical areas to form a complex cyber-physical system. These critical infrastructures are often targeted by adversaries to cause damage to the life and property that depend on them.
The several control systems within the smart grid obtain measurements from geographically dispersed sensors through wide-area network communications. Similarly, control commands from the control center are dispatched to devices that are distant from the control center. However, these communication networks could be targeted by adversaries to disrupt normal operation. This paper identifies and analyzes the threats to the smart grid and its components from the cyber space.

Siddharth Sridhar and Adam Hahn are graduate students in the Department of Electrical and Computer Engineering, Iowa State University. Manimaran Govindarasu is a Professor in the Department of Electrical and Computer Engineering, Iowa State University. This work was funded by the National Science Foundation (Grant: CNS 0915945).

II. CONTROL LOOP MODEL

Fig. 1 shows a generic control loop model that represents interactions between a control center and a physical system. In this figure:

- Sensors are field devices that measure physical parameters (e.g. voltage, temperature).
- Machine/Device is the component of the physical system that is being monitored.
- Actuators are mechanical devices that implement the change on the machine (e.g. transformer tap changers).
- The Control Center is where measurement data from sensors is analyzed to make operational decisions.
- y_i(t) represents measurement signals from the sensors.
- u_i(t) represents control messages that carry operational decisions.

In most control systems, the measurement and control signals are transmitted using a wide-area communication network. An adversary could exploit vulnerabilities in the communication network to cause an impact on the physical system by directing attacks at either measurement or control signals. These attacks can be broadly classified into the following types.
- Data Integrity Attacks involve manipulating the signals to spurious values that could either force the control center to make wrong decisions, or force the actuator to incorrectly modify the physical device, depending on which signal is attacked.
- Denial of Service (DoS) Attacks will result in delayed control action. In a scenario where the physical system requires deadline-constrained corrective control, a DoS attack could drive the system to instability.
- Replay Attacks involve the retransmission of legitimate control or measurement packets. This may result in incorrect decision making.
- Timing Attacks are a variation of the DoS attack. Instead of completely denying communication between the system and control, the adversary will introduce a delay in signal transmission.
- Desynchronization Attacks, a variation of timing attacks, are attacks that target controls that require strict synchronization.

In [1], DoS and data integrity attack templates were implemented on a chemical plant to observe impacts on system pressure and temperature. In the next section, key control loops under generation, transmission and distribution are identified along with known vulnerabilities and potential attack templates.

III. POWER SYSTEM CONTROL LOOPS

The previous section introduced a generic control system model and identified the types of attacks that might be directed at different components of the system. This section presents control loops specific to power systems and analyzes the impact of the defined attacks on these loops.

978-1-4577-2159-5/12/$31.00 ©2011 IEEE

Fig. 1: A Typical Power System Control Loop

Fig. 2 classifies key power system control loops into generation, transmission and distribution, and identifies the impact caused by specific attacks on these control loops. The automatic voltage regulator and governor control schemes are local control schemes that do not rely on SCADA telemetry for operation.
Hence, attacks such as integrity, DoS, replay, timing and desynchronization are not applicable in this case. Malware attacks, attacks that are the result of infected control modules of the system, can have an impact on all the control loops in the system.

The Automatic Generation Control (AGC) loop is vulnerable to data integrity attacks, as the Area Control Error (ACE), or the generation correction, that is calculated depends on the frequency and tie-line measurements. This attack was demonstrated in [2], where the attack resulted in abnormal system operating conditions. The DoS attack need not necessarily have an impact on AGC, as it is only effective if implemented when AGC is operational. Timing attacks will have an impact on AGC, as delayed dispatch of the generator correction could result in unstable operating conditions. Replay attacks will also have an impact, as the ACE will be calculated based on an old system state. Desynchronization attacks can be targeted at AGC operation by forcing ACE to be calculated based on frequency and tie-line measurements from different time instances.

State Estimation need not necessarily be impacted by data integrity, DoS, replay and timing attacks, as the algorithm performs computations even in the presence of corrupt data or in the absence of measurements from a certain number of meters. However, in [3], the authors have shown that state estimation can be impacted by data integrity attacks.

VAR compensation is done by Coordinating Flexible AC Transmission Systems Devices (CFDs), Flexible AC Transmission Systems (FACTS) devices that communicate with one another to exchange operational information and determine setpoints. The communication is critical to stable operation of CFDs and hence any attack on it will impact VAR compensation operation. In [4], the impact of data injection attacks on CFDs is presented.

Phasor measurement unit-based wide-area measurement systems (WAMS) are being widely deployed in the United States.
Currently, measurements provided by PMUs are not being used for real-time control. However, in [5], PMU-based real-time control schemes that include HVDC and FACTS control are proposed. All attack types will have an impact on such WAMS-based applications.

Load shedding is performed at the distribution level to prevent blackout-type scenarios in the system. During such contingencies, under-frequency relays are triggered and the distribution feeder is opened. Modern relays support communication protocols such as IEC 61850 over Ethernet. An attack on the relay communication infrastructure or a malicious change to the control logic could result in unexpected tripping of distribution feeders, leaving load segments unserved. DoS, Timing and Replay attacks might not necessarily have an impact on this control loop, as it is operational only during rare contingencies. De-sync attacks are not applicable in this case.

The Smart Meter-based Advanced Metering Infrastructure (AMI) is currently undergoing wide installation. Using smart meters, utilities will be able to disable customer loads when the system demand is too high and reschedule them to hours when wind energy is available. This feature is called demand side management [6]. The introduction of vast communication infrastructure at the residential level presents adversaries with a huge attack surface. Integrity attacks on the AMI infrastructure may result in unexpected operation of loads, leading to system stability problems. DoS and timing-based attacks may prevent utilities from having precise control over loads. Malware in AMI and associated infrastructure could potentially lead to loss of privacy and unexpected operation of domestic devices.

IV. ATTACK RESILIENT CONTROL

State estimation has been the traditional technique for bad data detection in power systems. As attackers become more sophisticated and as more resources become available to them, legacy attack detection techniques might not be sufficient.
To detect attacks of the type described in the previous section, advanced cyber defense techniques that incorporate power system concepts have to be developed. Attack resilient control algorithms provide defense in depth to the control system by adding security at the application layer. Hence, domain-specific anomaly detection and intrusion tolerance algorithms that are able to classify measurements and commands as good/bad have to be implemented. The defense algorithms must be developed with the assumption that the attacker has knowledge of system operation.

Fig. 2: Power Applications and Attack Scenarios

As a basic test, the algorithm should perform a range check to see if the obtained measurements lie within acceptable values. Additional tests that are based on forecasts, historical data and engineering sense should also be devised to ascertain the current state of the system. In most cases, the physical parameters of the system (e.g. generator constants) are protected by utilities. These parameters play a part in determining the state of the system and the system response to an event. Hence, algorithms that incorporate such checks could help in identifying malicious data when an attacker attempts to mislead the operator into executing incorrect commands. Intelligent power system control algorithms that are able to keep the system within stability limits during contingencies are critical. Additionally, enhanced power management systems capable of addressing high-impact contingency scenarios have to be developed.

V. CONCLUSION

In this paper, the importance of cyber security in the smart grid environment was highlighted. The types of attacks targeted at control systems were identified and their impacts on specific power system control loops were analyzed. These attacks can have a wide range of impacts, ranging from system stability to financial impacts. Attack resilient controls are key to securing the smart grid.
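As an added example that is not part of the paper, the following Python sketch applies the application-layer checks of Section IV (a range check, comparison against the last accepted scan, and sequence/timestamp consistency) to the AGC inputs of Section III, classifying each scan as good/bad against the attack types of Section II before the ACE is computed. All limits, bias values and scan data are constructed for illustration and are not taken from any real control area.

```python
from collections import namedtuple
# Constructed limits for a hypothetical 60 Hz control area (not from the paper).
F_NOMINAL, F_RANGE, F_MAX_STEP = 60.0, (59.5, 60.5), 0.05  # Hz: nominal, range check, max change per scan
PTIE_RANGE, PTIE_MAX_STEP = (-500.0, 500.0), 40.0          # MW: tie-line rating, max swing per scan
MAX_AGE_S, MAX_SKEW_S = 4.0, 1.0                           # s: AGC deadline, f/P_tie sampling tolerance
BIAS_B, PTIE_SCHED = -50.0, 100.0                          # frequency bias (MW per 0.1 Hz), schedule (MW)

# One SCADA scan of the two AGC inputs: seq = field-device sequence number; t_f, f = frequency sample
# time (s) and value (Hz); t_ptie, ptie = tie-line sample time (s) and flow (MW); arrival = receipt time (s).
Scan = namedtuple("Scan", "seq t_f f t_ptie ptie arrival")

def ace(f, ptie):
    """Standard ACE = (P_tie - P_sched) + 10 B (f - f_0); AGC raises/lowers generation to zero it."""
    return (ptie - PTIE_SCHED) + 10 * BIAS_B * (f - F_NOMINAL)

def check_scan(scan, prev):
    """Classify a scan as good/bad against the last accepted scan; returns the failed checks."""
    bad = []
    if not (F_RANGE[0] <= scan.f <= F_RANGE[1] and PTIE_RANGE[0] <= scan.ptie <= PTIE_RANGE[1]):
        bad.append("integrity: value outside operating range")            # basic range check
    if prev is not None:
        if abs(scan.f - prev.f) > F_MAX_STEP or abs(scan.ptie - prev.ptie) > PTIE_MAX_STEP:
            bad.append("integrity: implausible jump from last good scan")  # historical/engineering check
        if scan.seq <= prev.seq or scan.t_f <= prev.t_f:
            bad.append("replay: sequence number or timestamp not newer than last good scan")
    if scan.arrival - scan.t_f > MAX_AGE_S:
        bad.append("timing: scan older than the AGC deadline")             # DoS / timing attack
    if abs(scan.t_f - scan.t_ptie) > MAX_SKEW_S:
        bad.append("desync: frequency and tie-line flow sampled at different instants")
    return bad

def run_agc(scans):
    """Compute ACE only from accepted scans; hold the last good ACE while a scan is rejected."""
    prev, last_ace, log = None, 0.0, []
    for s in scans:
        bad = check_scan(s, prev)
        if not bad:
            last_ace, prev = ace(s.f, s.ptie), s
        log.append((s.seq, round(last_ace, 1), bad))
    return log

# Constructed scan stream: two good scans, then one attack of each type, then recovery.
SAMPLE_SCANS = [
    Scan(1, 100.0, 59.98, 100.0, 110.0, 100.5),
    Scan(2, 104.0, 59.97, 104.0, 115.0, 104.5),
    Scan(3, 108.0, 60.40, 108.0, 118.0, 108.5),  # injected frequency (in range, but a 0.43 Hz jump)
    Scan(2, 104.0, 59.97, 104.0, 115.0, 112.5),  # replayed copy of scan 2, arriving 8.5 s late
    Scan(5, 116.0, 59.96, 113.5, 120.0, 116.5),  # f and P_tie sampled 2.5 s apart
    Scan(6, 120.0, 59.95, 120.0, 125.0, 120.5),  # good again: ACE resumes from fresh data
]
```

Running `run_agc(SAMPLE_SCANS)` yields ACE 20.0 and 30.0 for the two good scans, holds 30.0 through the three rejected scans, and resumes at 50.0 for scan 6.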
Traditional cyber security hardware and software have to be backed by such attack detection algorithms at the application layer to further strengthen security.

REFERENCES

[1] Y.-L. Huang, A. A. Cardenas, S. Amin, Z.-S. Lin, H.-Y. Tsai, and S. Sastry, "Understanding the physical and economic consequences of attacks on control systems," International Journal of Critical Infrastructure Protection, vol. 2, no. 3, pp. 73-83, 2009. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1874548209000213
[2] S. Sridhar and G. Manimaran, "Data integrity attacks and their impacts on SCADA control system," in Power and Energy Society General Meeting, 2010 IEEE, Jul. 2010, pp. 1-6.
[3] Y. Liu, P. Ning, and M. K. Reiter, "False data injection attacks against state estimation in electric power grids," in Proceedings of the 16th ACM Conference on Computer and Communications Security, ser. CCS '09. New York, NY, USA: ACM, 2009, pp. 21-32.
[4] S. Sridhar and G. Manimaran, "Data integrity attack and its impacts on voltage control loop in power grid," in Power and Energy Society General Meeting, 2011 IEEE, Jul. 2011.
[5] A. Phadke and J. S. Thorp, Synchronized Phasor Measurements and Their Applications, 2008.
[6] D. Callaway and I. Hiskens, "Achieving controllability of electric loads," Proceedings of the IEEE, vol. 99, no. 1, pp. 184-199, Jan. 2011.