False Data Injection Attacks against State Estimation in Electric Power Grids
Yao Liu, Peng Ning, and Michael K. Reiter
Presenter: Raghu Ranganathan, ECE / CMR, Tennessee Technological University
March 22nd, 2011
Smart grid seminar series


Paper overview
- A power grid is a complex system connecting electric generators to consumers through power transmission and distribution networks.
- System monitoring is necessary to ensure the reliable operation of power grids.
- State estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models.
- Various techniques have been developed to detect and identify bad measurements.
- In this paper, we present a new class of attacks, called false data injection attacks, against state estimation in electric power grids.
- We show that an attacker can take advantage of the power system configuration to launch such attacks.
- Attacker can successfully bypass the existing techniques for bad measurement detection.

Paper overview
- Two realistic attack scenarios. The attacker is either
  - constrained to some specific meters (due to the physical protection of the meters), or
  - limited in the resources required to compromise meters.
- Attacker can systematically and efficiently construct attack vectors in both scenarios, affecting state estimation.
- Demonstrate the success of these attacks through simulation using the IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems.
- Results indicate that security protection of the electric power grid must be revisited.

Power Grid

Introduction
- The security and reliability of power grids have a critical impact on society and people's daily lives.
- System monitoring is necessary to ensure the reliable operation of power grids.
  - It provides pertinent information on the condition of a power grid based on the readings of meters placed at important areas of the power grid.
  - Measurements may include bus voltages, bus real and reactive power injections, and branch reactive power flows.
  - Measurements are typically transmitted to a control center.
  - Measurements are stored in a telemetry system, which is also known as a Supervisory Control And Data Acquisition (SCADA) system.

State Estimation
- State estimation is the process of estimating unknown state variables in a power grid based on the meter measurements.
- The output of state estimation is typically used in contingency analysis to
  - control the power grid components (e.g. increase the yield of the power generator)
  - maintain the reliable operation even if some faults occur (e.g. a generator breakdown)
- An attacker can compromise meters to introduce malicious measurements, which
  - lead to incorrect state estimation
  - mislead the power grid control algorithms

Bad measurement detection techniques: Drawbacks
- Detect and remove bad measurements.
- Bad data detection can be bypassed if the attacker knows the configuration of the power system.
- Detection is based on the squares of differences between the observed and estimated measurements exceeding some threshold.
- The attacker can generate bad measurements with knowledge of the system, thereby bypassing the bad data detection.
- This new class of attacks is called false data injection attacks.
- They mislead the state estimation process.

Attack scenarios
- First attack scenario: attacker is constrained to accessing some specific meters due to, for example, different physical protection of the meters.
- Second attack scenario: attacker is limited in the resources required to compromise meters.

Two realistic attack goals
- Random false data injection attacks: attacker aims to find any attack vector as long as it can lead to a wrong estimation of state variables.
- Targeted false data injection attacks: attacker aims to find an attack vector that can inject a specific error into certain state variables.

State Estimation
- Monitoring the power flows and voltages in a power system is important in maintaining system reliability.
- Meters monitor the system components and report their readings to the control center, which then estimates the state of power system variables from these meter measurements.
- The state estimation problem is to estimate power system state variables based on the meter measurements: z = h(x) + e
- For DC model state estimation: z = Hx + e
- Commonly used state estimation methods:
  - Maximum Likelihood (ML)
  - Weighted Least Squares (WLS)
  - Minimum Variance criterion

Weighted Least Squares State Estimation
- When meter error is normally distributed with zero mean, the state estimate is given as follows

- W is a diagonal matrix whose elements are reciprocals of variances of the meter errors

Bad measurement detection
- Measurement residual used to determine bad data
- If presence of bad data is assumed
- If state variables are mutually independent, and meter errors have a normal distribution, follows a distribution with degrees of freedom
- If , indicates bad measurements, with probability of false alarm

Related Work
- Bad measurements lead to a large normalized measurement residual.
- Large normalized measurement residual method:
  - Works well for independent, non-interacting bad measurements
  - Does not work for correlated bad measurements, which are called interacting bad measurements


False Data Injection Attacks: Principle
- Attacker knows the H matrix
- Let , where is the attack vector
- Let , where c reflects the estimation error injected by the attacker
- If the attacker uses , then the norm of the measurement residual of equals that of , hence bypasses the bad data detection
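An added example, not taken from the paper or the presenter's slides, showing why a residual-norm test cannot distinguish clean readings from readings shifted by a linear combination of the columns of H. The form a = Hc is assumed here because the slide's formula did not survive extraction; the 4-meter model, weights, readings and threshold TAU are constructed.

```python
# Added illustration with constructed data; H, weights, readings and TAU are assumptions.
def wls_estimate(H, w, z):
    """WLS estimate x_hat solving (H^T W H) x = H^T W z, with W = diag(w)."""
    n = len(H[0])
    # Build the augmented normal-equation matrix [H^T W H | H^T W z].
    M = [[sum(w[k] * H[k][i] * H[k][j] for k in range(len(H))) for j in range(n)]
         + [sum(w[k] * H[k][i] * z[k] for k in range(len(H)))] for i in range(n)]
    for i in range(n):  # Gauss-Jordan elimination with partial pivoting
        p = max(range(i, n), key=lambda r: abs(M[r][i]))
        M[i], M[p] = M[p], M[i]
        for r in range(n):
            if r != i:
                f = M[r][i] / M[i][i]
                M[r] = [x - f * y for x, y in zip(M[r], M[i])]
    return [M[i][n] / M[i][i] for i in range(n)]

def residual_norm(H, w, z):
    """L2 norm of the measurement residual z - H x_hat."""
    x = wls_estimate(H, w, z)
    return sum((zk - sum(h * xi for h, xi in zip(row, x))) ** 2
               for row, zk in zip(H, z)) ** 0.5

def flagged(H, w, z, tau):
    """Residual test from the slides: report bad data when the norm exceeds tau."""
    return residual_norm(H, w, z) > tau

# Constructed 4-meter, 2-state DC model (not an IEEE test system).
H = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [1.0, -1.0]]
W = [2500.0] * 4                      # reciprocal variances, sigma = 0.02
Z = [1.01, 1.98, 3.015, -1.0]         # H times [1, 2] plus small meter noise
TAU = 0.1                             # constructed detection threshold

C = [0.5, -0.3]                       # error injected into the state estimate
A = [sum(h * c for h, c in zip(row, C)) for row in H]   # a = Hc
Z_STRUCTURED = [z + a for z, a in zip(Z, A)]
Z_GROSS = Z[:2] + [Z[2] + 5.0] + Z[3:]   # single faulty meter, not of the form Hc

if __name__ == "__main__":
    for name, z in [("clean", Z), ("gross error", Z_GROSS), ("a = Hc", Z_STRUCTURED)]:
        print(name, [round(v, 3) for v in wls_estimate(H, W, z)],
              round(residual_norm(H, W, z), 4), flagged(H, W, z, TAU))
```

The residual is the same for the clean and the a = Hc readings while the estimate moves by c, so an operator relying on this threshold alone sees nothing; the single gross error is flagged as expected.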


Scenario I: Limited Access to meters
- Assume attacker has access to k specific meters
- is the index of those meters
- Attacker can modify , where
- To launch false injection without being detected
  - Find a non-zero attack vector , such that for
  - is a linear combination of the column vectors of H ( )

1. Random False Data Injection attack
- Vector c can be any value
- Compute a which satisfies by eliminating c
- To simplify let and
- Vector a satisfies if and only if for
- Let the matrix , and the length k vector

1. Random False Data Injection attack: Rank of
- If the rank of is less than k, is a rank deficient matrix, and there exist an infinite number of non-zero solutions
- If the rank of is equal to k, is not a rank deficient matrix, and the relation has a unique solution
- Hence, no error can be injected into the state estimation


2. Targeted False Data Injection Attack
- Attacker intends to inject specific errors into certain chosen state estimation variables
- Mathematically, this is represented as follows
  - Let , where denote the set of indices of the r target state variables, i.e. are the target state variables
  - Attacker intends to construct a such that the result state estimate where and for is the specific error that is added to
- Two cases:
  - Constrained: attacks only the target variables without affecting other variables
  - Unconstrained: attacker has no concerns about the non-target variables

Constrained attack for
- Every element in is fixed, either the chosen value when or 0 when
- Attacker substitutes back into , and checks if for
- If yes, attack possible

Unconstrained attack

Scenario II: Limited resources to compromise meters
- Assume attacker has limited resources to compromise up to k meters
- Unlike Scenario I, no restriction on what meters the attacker can choose
- Attacker needs to find a k-sparse, nonzero attack vector a that satisfies

1. Random False Data Injection Attack
- Attacker may use a brute-force approach to construct a to compromise up to k meters
- Attacker may try all possible as containing k unknown non-zero elements
- For each candidate a, check if there is a non-zero solution to
- If yes, attack vector exists

2. Targeted False Data Injection Attack
- Constrained Case
  - Attacker substitutes c in the relation
  - If the resulting a is k-sparse, attacker is successful in finding the attack vector
- Unconstrained Case
  - Attacker needs to find a k-sparse vector a that satisfies
  - Minimum Weight Solution for Linear Equations problem
  - Can be heuristically solved using Matching Pursuit (MP) and Basis Pursuit (BP) methods


Experimental Results
- The false data injection attacks are validated through experiments using IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems.
- DC power flow model is used.
- MATPOWER, a MATLAB package, is used for solving the power flow problems.
- Experiments are based on the matrix H and meter measurements obtained from MATPOWER.
- State variables are voltage angles of all buses.
- Meter measurements are real power injections of all buses and real power flows of all branches.

Results of Scenario I
- For random false data injection attacks, k varied from 1 to the maximum number of meters in each test system.
- For each k, we randomly choose k specific meters to attempt an attack vector construction.
- We repeat this process 100 times for both IEEE 118-bus and 300-bus systems and 1,000 times for the other systems.
- Estimate the success probability (probability of successfully constructing an attack vector with k given meters).

- denotes the percentage of the specific meters under the attacker's control, i.e.


Targeted false data injection attack: Constrained Case
- Randomly pick 6 sets of meters for the IEEE 118-bus and 300-bus systems.
- In each set, there are 350 meters and 700 meters for the IEEE 118-bus and 300-bus systems, respectively.
- Check the number of individual target state variables that can be affected by each set of meters in the constrained case (i.e., without affecting the estimation of the remaining state variables).


Results of Scenario II
- Attacker has limited resources to compromise up to k meters.
- Compared with Scenario I, the restriction on the attacker is relaxed in the sense that any k meters can be used for the attack.
- Two evaluation metrics
  - number of meters to compromise in order to construct an attack vector
  - execution time required for constructing an attack vector
- Three cases examined
  - random false data injection attacks
  - targeted false data injection attacks in the constrained case
  - targeted false data injection attacks in the unconstrained case

- For all test systems, the attacker can construct an attack vector for random false data injection attacks by only compromising 4 meters.
- This is mainly due to the fact that the H matrices of all these IEEE test systems are sparse.
- For example, the H matrix of the IEEE 300-bus system is a 1,122 × 300 matrix, but most of the entries are 0s.
- In particular, the sparsest column in H only has 4 non-zero elements.
- In practice, components in a power system that are not physically adjacent to each other are usually not connected.
- As a result, the H matrices of the power systems are often sparse.

Targeted false data injection attack: Constrained Case
- In the experiments, we randomly choose target state variables and generate malicious data for each of them.
- The malicious values are set to be 100 times larger than the real estimates of the state variables.
- Examine how many meters need to be compromised in order to inject the malicious data (without changing the other non-target state variables).
- For each , perform the above experiment 1,000 times to examine the distribution of the number of meters that need to be compromised.


Targeted false data injection attack: Unconstrained Case
- In the unconstrained case, the attacker wants to inject malicious data into specific state variables.
- Matching Pursuit algorithm is used to find attack vectors.
- Two evaluation metrics
  - number of meters to compromise in order to construct an attack vector
  - execution time required for constructing an attack vector


Conclusions
- In this paper, a new class of attacks, called false data injection attacks, was presented against state estimation in electric power systems.
- It is shown that an attacker can take advantage of the configuration of a power system to launch such attacks and bypass the existing techniques for bad measurement detection.
- Two realistic attack scenarios: attacker is either constrained to some specific meters, or limited in the resources required to compromise meters.
- Simulations were performed on IEEE test systems to demonstrate the success of these attacks.
- Results in this paper indicate that the security protection of the electric power grid must be revisited.