Bad Data Injection in Smart Grid: Attack and Defense Mechanisms Zhu Han University of Houston

Bad Data Injection in Smart Grid: Attack and Defense Mechanisms

Zhu HanUniversity of Houston

OverviewOverview

Introduction to Smart Grid

Power System State Estimation Model

Bad Data Injection

Defender Mechanism – Quickest Detection

Attacker Learning Scheme– Independent Component Analysis

Future Work

A Few Topics in Smart Grid Communication

Conclusions

Quick View of Amigo Lab

““Smarter” Power GridSmarter” Power Grid Sensing, measurement, and control devices with two-way

communications between the suppliers and customers.

Benefits both utilities, consumers & environment:– Reduce supply while fitting demand

– Save money, optimal usage.

– Improve reliability and efficiency of grid

– Integration of green energy, reduction of CO2

More than 3.4 billion from US federal stimulus bill is targeted.– Obama stimulus plan

One of hottest topic in research community– But what are the problems from signal processing, communication

and networking points of view?

Smart GridSmart GridAre more easily integrated into power sys. Less

depend on fossil fuel

Are more easily integrated into power sys. Less

depend on fossil fuel

Connect grid to charge overnight when demand is

low

Connect grid to charge overnight when demand is

low

Realtime analysis, Manage, plan, and forecast the energy system to meets the

needs

Realtime analysis, Manage, plan, and forecast the energy system to meets the

needs

Can generate own and sellback excess

energy

Can generate own and sellback excess

energy

Gather, monitor the usage so the supply more efficiently and

anticipate challenging peaks

Gather, monitor the usage so the supply more efficiently and

anticipate challenging peaks

Use sophisticated comm. Technology to find/fix problems

faster, enhancing reliability

Use sophisticated comm. Technology to find/fix problems

faster, enhancing reliability

in-home management tool to track usage

in-home management tool to track usage

Supervisory Control and Data Acquisition CenterSupervisory Control and Data Acquisition Center

Real-time data acquisition– Noisy analog measurements

Voltage, current, power flow– Digital measurements

State estimation– Maintain system in normal

state

– Fault detection

– Power flow optimization

– Supply vs. demand

SCADA TX data from/to Remote Terminal Units (RTUs), the

substations in the grid

SCADA TX data from/to Remote Terminal Units (RTUs), the

substations in the grid

Privacy & Security Concern Privacy & Security Concern

More connections, more technology are linked to the obsolete infrastructure.

– Add-on network technology: sensors and controls estimation

– More substations are automated/unmanned

Vulnerable to manipulate by third party– Purposely blackout

– Financial gain

– Story of Enron

How to tackle this issue at this moment?Provide one example

next

Power System State Estimation ModelPower System State Estimation Model

Transmitted active power from bus i to bus j– High reactance over resistance ratio

– Linear approximation for small variance

– State vector , measure noise e with covariance Ʃe

– Actual power flow measurement for m active power-flow branches

– Define the Jacobian matrix

– We have the linear approximation

– H is known to the power system but not known to the attackers

Bad Data Injection and Detection Bad Data Injection and Detection

State estimation from z

Bad data detection– Residual vector

– Without attacker

where

– Bad data detection (with threshold )

without attacker:

with attacker: otherwise

Stealth (unobservable) attack: z=Hx+c+e, where c=Hx

– Hypothesis test would fail in detecting the attacker, since the control center believes that the true state is x + x.

OverviewOverview

Introduction to Smart Grid

Power System State Estimation Model

Bad Data Injection

Defender Mechanism – Quickest Detection

Attacker Learning Scheme– Independent Component Analysis

Future Work

A Few Topics in Smart Grid Communication

Conclusions

Quick View of Amigo Lab

Basics of Quickest Detection (QD)Basics of Quickest Detection (QD)

Detect distribution changes of a sequence of observations as quick as possible with the constraint of false alarm or detection probability.

min [processing time]

s.t. Prob(true ≠ estimated) < ŋ Classification

1. Bayesian framework: known prior information on probability SPRT (e.g. quality control, drug test, )

2. Non-Bayesian framework: unknown distribution and no prior CUSUM (e.g. spectrum sensing, abnormal detection )

QD System Model QD System Model

Assuming Bayesian framework with non-stealthy attack– the state variables are random with

The binary hypothesis test:

The distribution of measurement z under binary hyp: (differ only in mean)

We want a detector– False alarm and detection probabilities

Detection Model - NonBayesianDetection Model - NonBayesian Non-Bayesian approach

– unknown prior probability, attacker statistic model

The unknown parameter exists – in the post-change distribution and may changes over the

detection process.

– You do not know how attacker attacks.

Minimizing the worst-case effect via detection delay:

We want to detect the intruder as soon as possible while maintaining PD.

Actual time of active attack

Actual time of active attack

Detection time

Detection time

Detection delay

Detection delay

Multi-thread CUSUM AlgorithmMulti-thread CUSUM Algorithm

CUSUM Statistic:

where Likelihood ratio term of m measurements:

By recursion, CUSUM Statistic St at time t:

Average run length (ARL) for declaring attack with threshold h

How about the unknown?

How about the unknown?

Declare the attacker is existing!

Otherwise, continuous to the process.

Linear Solver for the UnknownLinear Solver for the Unknown

Rao test – asymptotically equivalent model of GLRT:

The linear unknown solver for m measurements:

Recursive CUSUM Statistic w/ linear unknown parameter solve:– Modified CUSUM statistics The unknown is no long

involvedThe unknown is no long

involved

Simulation: Adaptive CUSUM algorithmSimulation: Adaptive CUSUM algorithm

2 different detection tests: FAR: 1% and 0.1%

Active attack starts at time 5

Detection of attack at time 7 and 8, for different FARs

Markov Chain based Analytical ModelMarkov Chain based Analytical Model

Divide statistic space into discrete states between 0 and threshold– Obtain the transition probabilities

– Obtain expectation of detection delay, false alarm rate and missing probability

OverviewOverview

Introduction to Smart Grid

Power System State Estimation Model

Bad Data Injection

Defender Mechanism – Quickest Detection

Attacker Learning Scheme– Independent Component Analysis

Future Work

A Few Topics in Smart Grid Communication

Conclusions

Quick View of Amigo Lab

Independent Component Analysis (ICA)Independent Component Analysis (ICA)

Linear Independent Component Analysis– find a linear representation of the data so that components are

as statistically independent as possible.

– i.e., among the data, find how many independent sources.

Question for bad data injection:– Without knowing H, the attacker can be caught.

– Could attacker launch stealthy attack to the system even without knowledge about H?

– Using ICA, attacker could estimate H and consequently, lunch an undetectable attack.

ICA BasicsICA Basics

A special case of blind source separation

u = G v

u = [ui, i = 1, 2, … m]: observable vector

G = [gij, i = 1, 2, … m, j = 1, 2, … n]: mixing matrix

(unknown)

v = [vi, i = 1, 2, … n]: source vector (unknown)

Linear ICA implementation: FastICA from [Hyvärinen]

Stealth False Data Injection with ICAStealth False Data Injection with ICA

Supposing that the noise is small, then we what to do the

mapping:

u = G v z = H x

Problem: state vector x is highly correlated

Consider: x = A y, where– A: constant matrix that can be estimated

– y: independent random vectors

Then we can apply Linear ICA on z = HA y

– We cannot know H, but we can know HA

– Stealthy attack: Z=Hx+HAy+e

Numerical Simulation SettingNumerical Simulation Setting Simulation setup

– 4-Bus test system, IEEE 14-Bus and 30-bus

– Matpower

Numerical Results Numerical Results MSE of ICA inference (z-Gy) vs. the number of observations

(14-bus case).

Performance of the AttackPerformance of the Attack

The PDF is the same w or w/o attacking. So log likelihood is equal to 1– unable to detect

OverviewOverview

Introduction to Smart Grid

Power System State Estimation Model

Bad Data Injection

Defender Mechanism – Quickest Detection

Attacker Learning Scheme– Independent Component Analysis

Future Work

A Few Topics in Smart Grid Communication

Conclusions

Quick View of Amigo Lab

1. Distributed Smart Grid State Estimation 1. Distributed Smart Grid State Estimation

The deregulation has led to the creation of many regional transmission organizations within a large interconnected power system.

A distributed estimation and control is need .– Distributed observability analysis

– Bad data detection

Challenges:– Bottleneck and reliability problems with one coordination center.

– Need for wide area monitoring and control

– Convergence and optimality

Fully-Distributed State EstimationFully-Distributed State Estimation

With N substations/nodes

– By iteratively exchanging information with neighbors

– All local control center can achieve an unbiased consensus of system-wide state estimation.

Local observation matrix

Unknown State

Local Jacobian matrix

Useful information to be detected

2. Optimality of Fault Detection Algorithm 2. Optimality of Fault Detection Algorithm

Detecting the attack as an intermediate step towards obtaining a reliable estimate about the injected false data– Facilitates eliminating the disruptive effects of the false data

Joint estimation and detection problem– Define an estimation performance measure

– Seek to the optimize it while ensuring satisfactory of the detection performance

Performance measurement

3. Manipulate Electricity Market 3. Manipulate Electricity Market

Example: Ex Post MarketMarket that recalculate optimal points for generation and

consumption based on real-time data

Min :

St:

I

iiii PgPgC

1

* )(

LlFFF

IiPgPgPg

PPg

lll

iii

I

iL

I

ii

,...,1

,...,1max*min

maxmin

11

[28]

Generation Cost

Power Balance

Generation & Transmission limits

4. PMU4. PMU

PMU can measure voltage angle directly– Defender: placement problem, no need to place nearby

– Attackers’ new strategy with existence of PMU

1

6

2

5

7

3

4

PMU PMUPMU

PMU

PMUPMU

PMU

[29]

5. Game Theory Analysis5. Game Theory Analysis

(attacker,defender)

N A

N (0,0) (b,-b)

D (c,-c) (-a,a)

a, b, c

t

How to formulate the game?

A Few Topics in Smart Grid CommunicationsA Few Topics in Smart Grid Communications

Bad data injection

Demand side management– Peak to average ratio

– Scheduling problem

Renewable energy– The renewable energy is unreliable.

– Have to use diesel generators during shortage

– Not cheap and not green

PHEV – routing, scheduling and resource allocation

Communication link effect on the smart grid

ConclusionsConclusions

Bad data injection problem formulation From defender point of view

– detect malicious bad data injection attack as quick as possible – Adaptive CUSUM algorithm

From attacker point of view– can estimate both the system topology and power states just by

observing the power flow measurements– Independent component analysis algorithm to obtain information– Once the information is at hand, malicious attacks can be launched

without triggering the detection system Many possible future work Edited book 2012 by Cambridge with E. Hossain and V. Poor. Possible future collaboration

Overview of Wireless Amigo LabOverview of Wireless Amigo Lab Lab Overview

– 7 Ph.D. students, 2 joint postdocs (with Rice and Princeton)

– supported by 5 NSF,1 DoD, and 1 Qatar grants

Current Concentration– Game theoretical approach for wireless networking

– Compressive sensing and its application

– Smartgrid communication

– Bayesian nonparametric learning

– Security: trust management, belief network, gossip based Kalman

– Physical layer security

– Quickest detection

– Cognitive radio routing/security

– Sniffing: femto cell and cloud computing

USRP2 Implementation Testbed

QuestionsQuestions

Thank you for listening and supporting!