impact analysis of data integrity attacks on power...
TRANSCRIPT
Impact Analysis of Data Integrity Attacks on PowerElectronics and Electric Drives
Bowen Yang, Lulu Guo, Fangyu Li, Jin Ye, Wenzhan SongCenter for Cyber-Physical Systems
University of GeorgiaAthens, Georgia USA
Email: {bowen.yang, lulu.guo, fangyu.li, jin.ye, wsong}@uga.edu
Abstract—In this paper, the impact of various data integrityattacks on power electronics and electric drives is analyzedbased on the predefined performance metrics. The cyber physicalsystem (CPS) models of power electronics and electric drives arefirstly proposed to investigate the interaction between physicalsystems and cyber systems. Then, a few predefined performancemetrics are introduced, which are needed to evaluate the impactof data integrity attacks on power electronics and electric drives.The simulation is conducted to quantitatively analyze the impactunder different attack scenarios for electric drive systems inelectric vehicles as a case study. Simulation results show that themetrics are greatly impacted by data integrity attacks and haveobvious features different from the ones under healthy conditions.For example, the total harmonic distortion could be increased byover 70% and the torque ripple could be increased up to 300%by maliciously reducing the current feedback signal to 10% ofthe original value.
Index Terms—data integrity attack, electric drive, power elec-tronics, impact analysis
I. INTRODUCTION
With the development of Internet of Things (IoT) enabledintelligent transportation, connected and automated electricvehicles (EVs) are becoming more vulnerable to cyber andphysical threats, due to the direct connection with batterycharging infrastructure and more centralized control architec-ture. While the number of EVs has grown significantly and theschedules of replacing traditional internal combustion enginevehicles with electric and hybrid electric vehicles has beenwidely discussed, the cyber-physical security challenge havenot yet been fully explored, which would lead to devastatingconsequences if not detected in the early stage. Recently, somepreliminary works on electric vehicle charging cyber securityhave been published, such as [1]–[5]. However, none of theminvestigates the impacts of cyber attacks on power electronicsand electric drive systems (EDSs).
Due to the increased cyber threats on physical systems [6],cyber physical systems (CPS) models have been developed toinvestigate the interaction between physical systems and cybersystems in smart grids [7]–[9], which can then be used toassess the operational reliability and vulnerability, the transientangle and voltage stability, and the frequency and electricitymarket operation due to cyber attacks [10]. The impact of cyberattacks on control systems of solar inverter and energy storage
Our research is partially sponsorred by NSF-ECCS-1725636.
are also analyzed in the Monte-Carlo simulation to evaluatemicrogrid cyber security risks [11]. Although crucial insightson the interaction between control system (cyber system) andphysical microgrid are emphasized in these works based onoperational cost analysis of microgrids, some other importantperformance metrics of power electronics (e.g., total harmonicdistortion, etc) are yet to be addressed. To our best knowledge,to date, no CPS model has been developed for power electronicsand electric drives in EVs, which are needed to explore theimpacts of cyber attacks on EDSs, as well as the overall vehicleperformance.
Fig. 1: Electric vehicle system.
In this paper, a CPS model of EDSs in an EV is introduced,based on which, the impacts of various data integrity attacks onthe predefined performance metrics are analyzed. The paper isorganized as follows. In section II, the CPS model of EDSs in anEV is presented. In section III, several potential cyber attacksare classified and analyzed. The simulation and evaluationresults of data integrity attacks are provided to verify theformer discussion in section IV, and finally, conclusion andfuture work are given in section V.
II. CYBER-PHYSICAL SYSTEM MODEL OF EDSS
As shown in Fig. 1, the EDS of an EV consists ofbatteries, power electronics, electric machines and controllers,
978-1-5386-9310-0/19/$31.00 ©2019 IEEE
Fig. 2: CPS model of an EDS.
wherein, the controllers (including sensors and actuators) arethe main source of gathering information, computing andgenerating the control signals. Meanwhile, it also takes chargeof communicating with other devices, facilities and higherlevel control centers. Therefore, the controllers are consideredvulnerable to cyber attacks. Once the controllers in the diagramare compromised, many critical systems like batteries and driveswill be impacted and are most likely to be damaged if notdetected in the early stage. More details are shown in Fig. 2,which presents the cyber-physical system model of the electricdrive systems. In order to quantitatively analyze the impact onEDS, detailed mathematical models of the electric machine(physical system) and controller (cyber system) are discussedas follows.A. Electric machine
As interior permanent magnet synchronous machines (IPMs)are widely used in applications of electric vehicles for itssmooth torque production, high efficiency and high power
density, it is adopted in this paper as a case study [12]. Underthe traditional three-phase stationary reference frame, voltageequation of IPMs is described as
Λa
Λb
Λc
Λf
=
Laa Lab Lac Laf
Lba Lbb Lbc Lbf
Lca Lcb Lcc Lcf
Lfa Lfb Lfc Lff
iaibicif
, (1)
vavbvcvf
=
Ra 0 0 00 Rb 0 00 0 Rc 00 0 0 Rf
iaibicif
+d
dt
Λa
Λb
Λc
Λf
.(2)
where Λx, ix, vx, and Rx (x = a, b, c) are the flux linkage,phase current, phase voltage and winding resistance of eachphase; Lxy (x, y = a, b, c) is the inductance of and betweeneach phase. As the rotor of IPM is mounted with permanent
magnet instead of windings, Λf = Λpm is the flux linkageproduced by the magnet, and vf , if , Rf are the equivalentexcitation voltage, current and resistance, respectively; Lfx
and Lxf (x = a, b, c) reflect the flux linkage in each phaseprovided by the rotor magnet.
To simplify the analyzing process, Direct-Quadrant-Zero(DQZ) Transformation is adopted to transfer the AC variablesin the stator stationary reference frame to the DC variablesin the rotating d-q axis reference frame. The transformationis achieved by multiplying the original vectors with the ParkMatrix, expressed as
Sdq0 = P · Sabc, (3)
where Sdq0 = [Sd, Sq, S0]T is the transformed variables inthe d-q axis reference frame, Sabc = [Sa, Sb, Sc]
T is theoriginal variables in the stator reference frame, and the Parktransformation matrix is defined as
P =2
3
cos(θr) cos(θr − ν) cos(θr + ν)− sin(θr) − sin(θr − ν) − sin(θr + ν)
1/2 1/2 1/2
,where ν = 120°. Then, the electric machine model can bedescribed as follows:
1) Flux Linkage: {Λd = Ldid + Λpm,Λq = Lqiq.
(4)
2) Voltage:{vd = Rsid + Ld
diddt − ωeLqiq.
vq = Rsiq + Lqdiqdt + ωeLdid + ωeΛpm.
(5)
3) Torque:
Te =3
2p[Λpmiq + (Ld − Lq)idiq]. (6)
where Ld and Lq are the inductance of d-axis and q-axis,respectively; ωe is the electrical angular speed; p is number ofpole pairs; Rs is the equivalent winding resistance in the d-qaxis reference frame. It should be pointed out that when thestator winding is connected in ’Y’ model, the zero componentwill always be 0, as suggested by Kirchhoffs Law. Thus, thezero component is not included in the DQZ model.
Fig. 3: Control diagram of the three PI controllers.
B. Controllers Design
The proportional-Integral (PI) controller are used in studiedEDS for both torque control and current control. The model
is shown in Fig. 3, wherein, the transfer functions of each PIcontrollers are
iqref = (Tref − Te)(λTp +λTis
), (7)
vdref = (idref − id)(λidp +λidis
), (8)
vqref = (iqref − iq)(λiqp +λiqis
). (9)
where λTp , λTi , λidp , λidi , λiqp , and λiqi are the PI parameters.
Fig. 4: Diagram of the reference current vector optimization.
C. Maximum Torque Per Ampere (MTPA) Control
MTPA control is widely adopted in the industrial applicationfor copper loss minimization purpose. To minimize the copperloss, the minimum current should be achieved to generatemaximum torque. The optimal current reference is chosen by
idref =Λpm
2(Lq − Ld)−
√Λ2pm
4(Lq − Ld)2+ i2qref . (10)
Meanwhile, it should be noted that the IPM has current andvoltage limitation, derived by
Is =√i2d + i2q 6 Ismax, Vs =
√v2d + v2q 6 Vsmax. (11)
When the optimal current vector is out of the boundary, fluxweakening control should be adopted, as
idref = −Λpm
Ld+
1
Ld
√(Vsmax
ωe)2 − (Lqiqref )2. (12)
The optimal current vector should be chosen in the area OABdepicted in Fig. 4 to achieve the copper loss minimization.
III. CLASSIFICATION OF POTENTIAL CYBER ATTACKS
As shown in Fig. 2, the virus icons denote the signalsbetween cyber and physical systems, which is most likelyto be attacked. According to the confidentiality, integrityand availability (CIA) triad, one of the core principles ofinformation security, cyber attacks could be classified asfollows [7], [13]:
Fig. 5: y = 0.1y, t ∈ TATK, targeting phase A. *(S1 − S4) are normalized.
1) Interception refers to attacks targeting the informationconfidentiality, which means an unauthorized party gainsaccess to a cyber asset. Losing such information maymake the vehicle systems even more vulnerable todangers such as crashes and lane deviations. Typical in-terception attacks are eavesdropping, wiretapping, fibber-tapping, packet-sniffing, keystroke logging and trafficmonitoring.
2) Modification refers to attacks targeting the informationintegrity, which means an unauthorized party gains accessto and tampers with a cyber asset. It could also becalled as data integrity attack. For example, the attackermay try to change the parameter of the controllers andsensors, which cause the system performance damagedand even unstable. Some typical integrity attacks aresensor feedback signal modification and controller outputcontrol signal modification.
3) Interruption refers to attacks targeting the informationavailability, which means an unauthorized party destroysa cyber asset or makes it unavailable, for example,the attacker blocks the control signals of a controllerto damage the stability of the system. It is mainlycaused by denial-of-service (DoS) attacks, which includescommunication link jamming, software modification toprevent accurate execution and data erasure.
In this paper, only data integrity attacks targeting on phasecurrent sensors are considered, but notice that the methodologyand models we proposed can be used to analyze other typesof cyber attacks.
IV. SIMULATION AND IMPACT ANALYSIS
To quantitatively evaluate the impact on the electric system,a model based on a 50kW IPM is constructed in MATLABSimulink. Five metrics are defined for the evaluation, as
S1 =Tmax(t)− Tmin(t)
Tave(t), S2 =
nmax(t)− nmin(t)
nave(t),
S3 =
√√√√∫ fl−∞ I(f)2df +
∫ +∞fu
I(f)2df∫ fuflI(f)2df
,
S4 =
√∫ t0+Tw
t0(Tref (t)− Te(t))2dt/Tw
Tref.
(13)
where S1 and S2 are the torque and speed ripple, respectively;S3 denotes the current distortion, which is calculated by FourierTransformation; S4 reflects the torque tracking error. Anothermetrics S5 is calculated from the asymmetry component methodto show the current unbalance component [14].
Meanwhile, we introduce four kinds of attacks to the system.For clear description, the attacked signal is marked as y; theoriginal signal is y; the attack duration is defined as a timeperiod TATK; and all the values are calculated within a slidingwindow with a window size of Tw.
A. Case A: Decreasing Attack
When the sensor signal is modified, decreasing the originalvalue by some coefficients is a common manipulating method.In case A, an attack is introduced to phase A current sensor,expressed by Eq.(14) Here the current feedback signal of phaseA is decreased to 10% of the original value. The results are
Fig. 6: y = y + white noise, t ∈ TATK, targeting phase A. *(S1 − S4) are normalized.
shown in Fig. 5. As the feedback signal is reduced, the actualcurrent flowing in phase A will increase to trace the currentreference. Once the current of phase A increases, the current ofphase B and phase C will drop to fulfill the Kirchhoff currenttheorem. The consequence is that the three phases becomeunbalanced, which is reflected by S5 profile. Meanwhile, dueto the inaccuracy of the current value, torque ripples will beincreased and the current distortion will be worsened. Besides,when the attack is eliminated, the system could be restored,but transient period is required.
y =
{y (t /∈ TATK)0.1y (t ∈ TATK).
(14)
B. Case B: White Noise AttackNoise attacks are also one of the most common attacks on
the sensor signals. In such attacks, a white noise with certainamount of energy is injected into phase A current feedbacksignal, as
y =
{y (t /∈ TATK)y + white noise (t ∈ TATK).
(15)
where the white noise has a frequency of 1000Hz. As shownin Fig. 6, because the low-power attack noise is mixed withthe original noise, it is hard to observe the attack from thecurrent distortion. However, as the noise introduced randomvariation of the signals, the current unbalance component hasan obvious change, so does the torque ripple and trackingerror. In addition, the power of the noise in this simulation isconsidered relatively low, once raising the noise power, thiskind of attack could easily damage the system’s stability.
C. Case C: Mixed AttackEq.(16) models an attack combining the attacks described
in case A and case B. And the results are shown in Fig. 8.And Fig. 7 shows the raw waveform of three phase current toprovide a more direct observation.
y =
{y (t /∈ TATK)0.1y + white noise (t ∈ TATK).
(16)
As shown in these figures, when the attacks are addedtogether, it is more likely to generate more ripples and distortion.As the attack targets on single phase, the unbalance componentS5 will increase.
Fig. 7: Raw current waveform of Case C.
Meanwhile, it could be observed that the feature of thereducing attack demonstrated in case A is dominant in Fig.
Fig. 8: y = 0.1y + white noise, t ∈ TATK, targeting phase A. *(S1 − S4) are normalized.
8. This is because the white noise power is relatively small.However, as it is discussed in case B, once the white noisepower is large enough, its feature will be more obvious.
V. CONCLUSION AND FUTURE WORK
In this paper, the impact of various data integrity attackson EDSs has been analyzed and compared in various casesbased on redefined performance metrics. The simulation resultsshow that cyber attacks could have malicious impacts on theoverall performance of EDSs and could be a big threat tonext generation EVs. Meanwhile, the evaluation results alsoindicate that the predefined metrics are useful tools for detectingand diagnosing the cyber attacks, as good designed metricscould reflect the features of the attacks. In our future work,in order to assure the security of the EDSs, we will focuson more advanced models and more sophisticated metrics toreflect accurate relationship between cyber attacks and physicalresponse, and provide general guidelines for further detectionand diagnosis of EDSs.
REFERENCES
[1] I. Sajjad, D. D. Dunn, R. Sharma, and R. Gerdes, “Attack mitigationin adversarial platooning using detection-based sliding mode control,”in Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy. ACM, 2015, pp. 43–53.
[2] R. M. Gerdes, C. Winstead, and K. Heaslip, “Cps: an efficiency-motivatedattack against autonomous vehicular transportation,” in Proceedings ofthe 29th Annual Computer Security Applications Conference. ACM,2013, pp. 99–108.
[3] Y. Fraiji, L. B. Azzouz, W. Trojet, and L. A. Saidane, “Cyber securityissues of internet of electric vehicles,” in Wireless Communications andNetworking Conference (WCNC), 2018 IEEE. IEEE, 2018, pp. 1–6.
[4] K. Harnett, B. Harris, D. Chin, G. Watson et al., “Doe/dhs/dot volpetechnical meeting on electric vehicle and charging station cybersecurityreport,” John A. Volpe National Transportation Systems Center (US),Tech. Rep., 2018.
[5] S. Sripad, S. Kulandaivel, V. Pande, V. Sekar, and V. Viswanathan,“Vulnerabilities of electric vehicle battery packs to cyberattacks,” arXivpreprint arXiv:1711.04822, 2017.
[6] F. Li, Y. Shi, A. Shinde, J. Ye, and W. Song, “Enhanced Cyber-physicalSecurity in Internet of Things through Energy Auditing,” IEEE Internetof Things Journal, accepted.
[7] B. Chen, S. Mashayekh, K. L. Butler-Purry, and D. Kundur, “Impact ofcyber attacks on transient stability of smart grids with voltage supportdevices,” in Power and Energy Society General Meeting (PES), 2013IEEE. IEEE, 2013, pp. 1–5.
[8] D. Kundur, X. Feng, S. Liu, T. Zourntos, and K. L. Butler-Purry, “Towardsa framework for cyber attack impact analysis of the electric smart grid,”in Smart Grid Communications (SmartGridComm), 2010 First IEEEInternational Conference on. IEEE, 2010, pp. 244–249.
[9] S. Xin, Q. Guo, H. Sun, B. Zhang, J. Wang, and C. Chen, “Cyber-physical modeling and cyber-contingency assessment of hierarchicalcontrol systems,” IEEE Transactions on Smart Grid, vol. 6, no. 5, pp.2375–2385, 2015.
[10] S. Liu, S. Mashayekh, D. Kundur, T. Zourntos, and K. Butler-Purry, “Aframework for modeling cyber-physical switching attacks in smart grid,”IEEE Transactions on Emerging Topics in Computing, vol. 1, no. 2, pp.273–285, 2013.
[11] P. Zhang, W. Li, S. Li, Y. Wang, and W. Xiao, “Reliability assessmentof photovoltaic power systems: Review of current status and futureperspectives,” Applied energy, vol. 104, pp. 822–833, 2013.
[12] Y. Miao, H. Ge, M. Preindl, J. Ye, B. Cheng, and A. Emadi, “Mtpa fittingand torque estimation technique based on a new flux-linkage model forinterior-permanent-magnet synchronous machines,” IEEE Transactionson Industry Applications, vol. 53, no. 6, pp. 5451–5460, Nov 2017.
[13] T. Flick and J. Morehouse, Securing the smart grid: next generationpower grid security. Elsevier, 2010.
[14] A. Von Jouanne and B. Banerjee, “Assessment of voltage unbalance,”IEEE transactions on power delivery, vol. 16, no. 4, pp. 782–790, 2001.