Cyber-Physical Security in Power Networks

Transcription

1 Cyber-Physical Security in Power Networks Fabio Pasqualetti Florian Dörfler Francesco Bullo Center for Control, Dynamical Systems & Computation University of California at Santa Barbara Optimization and Control for Smart rids 32nd CNLS Annual Conference, Santa Fe, NM F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control / 4

2 Security and Reliability of Power Networks One aspect of smart grid: complex physical system sophisticated cyber coordination Cyber-physical security is a fundamental obstacle challenging the smart grid vision. F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 2 / 4

3 Security and Reliability of Power Networks One aspect of smart grid: complex physical system sophisticated cyber coordination Cyber-physical security is a fundamental obstacle challenging the smart grid vision. H. Khurana, Cybersecurity: A key smart grid priority, IEEE Smart rid Newsletter, 2. S. Sridhar, A. Hahn, and M. ovindarasu Cyber-Physical System Security for the Electric Power rid Proceedings of the IEEE, 22. A. R. Metke and R. L. Ekl Security technology for smart grid networks, IEEE Transactions on Smart rid, 2. J. P. Farwell and R. Rohozinski Stuxnet and the Future of Cyber War Survival, 2. T. M. Chen and S. Abu-Nimeh Lessons from Stuxnet Computer, 2. S. Kuvshinkova SQL Slammer Worm Lessons Learned for Consideration by the Electricity Sector North American Electric Reliability Council, 23. F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 2 / 4

4 Cyber-Physical Security Cyber Security, Fault Tolerance Cyber-physical security complements cyber security Cyber security does not verify data compatible with physics/dynamics is ineffective against direct attacks on the physics/dynamics is never foolproof (e.g., insider attacks) Cyber-physical security extends fault tolerance fault detection considers accidental/generic failures cyber-physical security models worst-case attacks F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 3 / 4

5 Cyber-Physical Security Cyber Security, Fault Tolerance Cyber-physical security complements cyber security Cyber security does not verify data compatible with physics/dynamics is ineffective against direct attacks on the physics/dynamics is never foolproof (e.g., insider attacks) Cyber-physical security extends fault tolerance fault detection considers accidental/generic failures cyber-physical security models worst-case attacks F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 3 / 4

6 A Simple Example: WECC 3-machine 6-bus System b 3 g 2 g 3 b 2 b 6 b 4 b b g Sensors Physical dynamics: classical generator model & DC load flow 2 Measurements: angle and frequency of generator g 3 Attack: modify real power injections at buses b 4 & b 5 A. H. Mohsenian-Rad and A. Leon-arcia Distributed internet-based load altering attacks against smart power grids IEEE Transactions on Smart rid, 2 The attack affects the second and third generators while remaining undetected from measurements at the first generator F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 4 / 4

7 Outline Modeling framework for cyber-physical attacks 2 System & graph-theoretic characterizations 3 Centralized & distributed attack detection strategies 4 eometric & optimal attack design F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 4 / 4

8 Model of Power Networks under Attack Physics obey linear differential-algebraic dynamics: E ẋ(t) = Ax(t) 2 Measurements are in continuous-time: y(t) = Cx(t) 3 Cyber-physical attacks are colluding and omniscient: modeled as unknown inputs Bu(t) & Du(t) Eẋ(t) = Ax(t) + Bu(t) y(t) = Cx(t) + Du(t) This model includes genuine faults, physical attacks, and cyber attacks Q: attack ( Bu(t), Du(t) ) detectable/identifiable from measurements y(t)? F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 5 / 4

9 Prototypical Attacks Static stealth attack: corrupt measurements according to C Replay attack: affect system and reset output x(t) C + y(t) ũ(t) C Du ( t) x() Bū(t) x() (se A) (se A) x(t) C C + + y(t) Du(t) Covert attack: closed loop replay attack Dynamic false data injection: render unstable pole unobservable x() Bū(t) (se A) (se A) x(t) C C + y(t) Du(t) x() (se A) x(t) (s) (s p) C + y(t) Du(t) F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 6 / 4

10 Undetectable Attack Definition An attack remains undetected if its effect on measurements is undistinguishable from the effect of some nominal operating conditions Normal operating condition y(,,t) Undetectable attacks Detectable attacks y(,u(t),t) K (t),t) Definition (Undetectable attack set) The attack ( Bu(t), Du(t) ) is undetectable if there exist initial conditions x, x 2 such that, for all times t y(x, u, t) = y(x 2,, t). F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 7 / 4

11 Outline Modeling framework for cyber-physical attacks 2 System & graph-theoretic characterizations 3 Centralized & distributed attack detection strategies 4 eometric & optimal attack design F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 7 / 4

12 Vulnerabilities Analysis Equivalent characterizations: Vulnerability: undetectable attack y(x, u, t) = y(x 2,, t) 2 System theory: intruder/monitor system has invariant zero 3 raph theory # attacked signals > size of input/output linking g 2 g 3 b 2 b 6 b 4 b 5 b 3 b 6 g g 3 2 b b 2 b 4 b 5 g u (t) Sensors b b 3 y(t) u 2 (t) Attack ( Bu(t), Du(t) ) is not detectable by measurements y(t) & destabilizes the system ω (t) =y(t) 2 ω 2 (t) ω 3 (t) 3 Sensors g F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 8 / 4

13 Vulnerabilities Analysis Equivalent characterizations: Vulnerability: undetectable attack y(x, u, t) = y(x 2,, t) 2 System theory: intruder/monitor system has invariant zero 3 raph theory # attacked signals > size of input/output linking g 2 g 3 u (t) b 2 Sensors b 6 b 4 b 5 b g b 3 u 2 (t) y(t) By linearity, an undetectable attack is such that y(x x 2, u, t) =. the input output system Eẋ(t) = Ax(t) + Bu(t) y(t) = Cx(t) + Du(t) has an invariant zero. F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 8 / 4

14 Vulnerabilities Analysis Equivalent characterizations: Vulnerability: undetectable attack y(x, u, t) = y(x 2,, t) 2 System theory: intruder/monitor system has invariant zero 3 raph theory # attacked signals > size of input/output linking b 3 δ 2 δ 3 g 2 g 3 b 2 b 6 b 4 b 5 ω 2 θ 2 u θ 4 θ 6 θ 3 ω 3 u (t) b u 2 (t) y 2 ω θ θ 5 u 2 Sensors g y(t) y δ F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 8 / 4

15 Outline Modeling framework for cyber-physical attacks 2 System & graph-theoretic characterizations 3 Centralized & distributed attack detection strategies 4 eometric & optimal attack design F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 8 / 4

16 Centralized Detection Monitor Design System under attack ( Bu(t), Du(t) ) : Proposed centralized detection filter: Eẋ(t) = Ax(t) + Bu(t) Eẇ(t) = Aw(t) + ( Cw(t) y(t) ) y(t) = Cx(t) + Du(t) r(t) = Cw(t) y(t) Theorem (Centralized Attack Detection Filter) Assume w() = x(), (E, A + C) is Hurwitz, and attack is detectable. Then r(t) = if and only if u(t) =. the design is independent of B, D, and u(t) if w() x(), then asymptotic convergence a direct centralized implementation may not be feasible due to high dimensionality, spatial distribution, communication complexity,... F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 9 / 4

17 Centralized Detection Monitor Design System under attack ( Bu(t), Du(t) ) : Proposed centralized detection filter: Eẋ(t) = Ax(t) + Bu(t) Eẇ(t) = Aw(t) + ( Cw(t) y(t) ) y(t) = Cx(t) + Du(t) r(t) = Cw(t) y(t) Theorem (Centralized Attack Detection Filter) Assume w() = x(), (E, A + C) is Hurwitz, and attack is detectable. Then r(t) = if and only if u(t) =. the design is independent of B, D, and u(t) if w() x(), then asymptotic convergence a direct centralized implementation may not be feasible due to high dimensionality, spatial distribution, communication complexity,... F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 9 / 4

18 Centralized Detection Monitor Design System under attack ( Bu(t), Du(t) ) : Proposed centralized detection filter: Eẋ(t) = Ax(t) + Bu(t) Eẇ(t) = Aw(t) + ( Cw(t) y(t) ) y(t) = Cx(t) + Du(t) r(t) = Cw(t) y(t) Theorem (Centralized Attack Detection Filter) Assume w() = x(), (E, A + C) is Hurwitz, and attack is detectable. Then r(t) = if and only if u(t) =. the design is independent of B, D, and u(t) if w() x(), then asymptotic convergence a direct centralized implementation may not be feasible due to high dimensionality, spatial distribution, communication complexity,... F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 9 / 4

19 Distributed Monitor Design Partition the physical system with geographically deployed control centers: E E = E N A =, C = A A N... A N A N C C N Area 2 Area IEEE 8 Bus System Area 3 Area 4 Area 5 (i) control center i knows E i, A i, and C i, and neighboring A ij (ii) control center i can communicate with control center j A ji (iii) C is blockdiagonal, (E i, A i ) is regular & (E i, A i, C i ) is observable F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control / 4

20 Distributed Monitor Design Local monitoring with measurements and continuous-time filters & discrete communication between neighboring control centers ( E i ẇ (k) i (t) = A i w (k) i (t) + i r (k) i (t) = y i (t) C i w (k) i (t) C i w (k) i ) (t) y i (t) ( + A ijw (k ) j i j ) (t) 2 Centralized performance is recovered 3 Design and analysis relies on waveform relaxation technique and decentralized control methods for large-scale systems F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control / 4

21 An Illustrative Example: IEEE 8 Bus System Area 2 Area IEEE 8 Bus System Error Area 3 Area 4 Area 5 Convergence of distributed filter: Iterations Physics: classical generator model and DC load flow model Measurements: generator angles Attack on all measurements in Area Residuals r (k) i (t) for k = : Residual Area Residual Area Residual Area Residual Area Residual Area F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 2 / 4 Time

22 Outline Modeling framework for cyber-physical attacks 2 System & graph-theoretic characterizations 3 Centralized & distributed attack detection strategies 4 eometric & optimal attack design F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 2 / 4

23 eometric & optimal attack design A Case Study: Competitive Power eneration Environment Canada 2 PacNW 9 NoCal 3 5 SoCal 5 7 North Montana Utah South Arizona Reduced WECC grid scenario: a subset of utility companies K form a coalition goal: disrupt the power generation of competitors strategy: choose K K sacrificial generators and design an input not affecting K \ K while maximizing damage at non-colluding generators additionally here: design such that impact on K is minimal C. L. DeMarco and J. V. Sariashkar and F. Alvarado The potential for malicious control in a competitive power systems environment IEEE International Conference on Control Applications, 996 F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 2 / 4

24 eometric & optimal attack design malicious coalition: K = {, 9} (PacNW) with sacrificial machine K = {9} Canada 2 PacNW North 5 7 Montana control minimizes ω 9 (t) L subject to ω 6 (t) L (Utah) 9 NoCal non-colluding generators will be damaged 3 5 Utah.5.5 ω 5 ω5.5.5 ω2 ω3 ω ω6 ω7 ω South Arizona SoCal Reduced WECC grid ω ω ω ω ω ω4 ω5 ω governor control input F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 2 / 4

25 Conclusion We have presented: a modeling framework for cyber-physical attacks in power networks 2 fundamental system- and graph-theoretic detection conditions 3 centralized & distributed detection procedures 4 geometric & optimal attack design We have analogous results for the identification problem. Ongoing and future work: more detailed and realistic models, noise, & uncertainties 2 quantitative analysis of cost and effect of attacks F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 3 / 4

26 References F. Pasqualetti, F. Dörfler, and F. Bullo. Attack Detection and Identification in Cyber-Physical Systems - Part I: Models and Fundamental Limitations, in IEEE Transactions on Automatic Control, Feb. 22, Submitted. F. Pasqualetti, F. Dörfler, and F. Bullo. Attack Detection and Identification in Cyber-Physical Systems - Part II: Centralized and Distributed Monitor Design, in IEEE Transactions on Automatic Control, Feb. 22, Submitted. F. Pasqualetti, A. Bicchi, and F. Bullo. Consensus computation in unreliable networks: A system theoretic approach. IEEE Transactions on Automatic Control,, 57():9-4, 22. F. Pasqualetti, R. Carli, and F. Bullo. Distributed estimation and false data detection with application to power networks. Automatica, 48(5): , 22. F. Pasqualetti, A. Bicchi, and F. Bullo. A graph-theoretical characterization of power network vulnerabilities. In American Control Conference, San Francisco, CA, USA, June 2. F. Pasqualetti, F. Dörfler, and F. Bullo. Cyber-physical attacks in power networks: Models, fundamental limitations and monitor design. In IEEE Conf. on Decision and Control, Orlando, FL, USA, December 2. F. Dörfler, F. Pasqualetti, and F. Bullo. Distributed detection of cyber-physical attacks in power networks: A waveform relaxation approach, in Allerton Conf. on Communications, Control and Computing, Sep. 2. F. Pasqualetti, F. Dörfler, and F. Bullo. Cyber-physical security via geometric control: Distributed monitoring and malicious attacks. submitted IEEE Conf. on Decision and Control, Maui, HI, USA, December 22. F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 4 / 4

27 Cyber-Physical Security in Power Networks Fabio Pasqualetti Florian Dörfler Francesco Bullo Center for Control, Dynamical Systems & Computation University of California at Santa Barbara Optimization and Control for Smart rids 32nd CNLS Annual Conference, Santa Fe, NM F. Dörfler, F. Pasqualetti, F. Bullo UCSB Cyber-Physical Security in Power Networks Smart rid Opt. & Control 4 / 4