Abstract
Supervisory control and data acquisition (SCADA) system has been widely used in traditional power systems for operation and control. As increasingly more ICT technologies are deployed to improve the smartness of the power grid, cyber security is becoming an important issue in the development of smart grids, for example, false data injection attack (FDIA) poses a serious threat. The paper analyzes the impact of false data injection attack on smart grid state estimation under random packet losses. First, a measurement model of power grids under random packet loss is established, and an attack vector range that can fool the attack detector is acquired. Then, a mean square error matrix of weighted least squares estimation is proposed, taking into account potential false data injection attacks. A IEEE-14 nodes system is used to evaluate the performance of the weighted least squares state estimation under three different scenarios, namely false data injection attack only, random packet loss only, and under both random packet loss and false data injection attack.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
1 Introduction
Modern power systems transmit electricity from generators to users via large-scale transmission and distribution networks. To ensure safe and reliable operation of the system, increasingly more ICT technologies are introduced into the power systems to improve the smartness [1]. However, the introduction of modern communication networks not only facilitates information interaction and wide-area system monitoring, protection and control of power grids but also makes it vulnerable to network invasion [2, 3]. In recent years, cyber-attacks on power grids around the world have been viewed as a principal threat, not just a conceptual one.
For example, Iran’s Blushehr nuclear power plant was attacked by the Stuxnet virus in 2010, which caused the delay of power generation and seriously damaged Iran’s industrial facilities [4]. The transmission lines in Ukraine were continuously tripped in 2015, while the information system was implanted with malicious software, which blocked the system restart [5]. In 2019, several cities in Venezuela including its capital city Caracas plunged into darkness, and power outages affected 21 of the country’s 23 states. According to the media reports, the direct cause of the power failure was a cyber-attack on the country’s largest hydropower station. Soon after, several transformer explosions occurred in the federal district of Caracas, causing another power failure [6].
The power system control center collects measurement data from different power devices and components through the supervisory control and provide instructions back to the system [7]. State estimation is a key functionality in real-time power system monitoring and supervisory control. By analyzing the data collected by the SCADA systems, the current operating state of the power grids can be estimated while bad data and anomalies in the collected measurements can be eliminated.
However, state estimation can be vulnerable to cyber-attack in the open network environment. The false data injection attack (FDIA) against the state estimator in the SCADA system was investigated by Liu et al. in 2009 [8], and it was found that existing bad data detection methods relying on Chi-square detector may not work in response to some false data injection attacks. An experienced attacker can deliberately design the attack vector such that these attacks can bypass the Chi-square detector. Once the sensor is successfully hacked, the tampered measurement will spread in the network, resulting in system performance degradation or even instability [9].
In the research area of false data injection attack, some researchers aim to identify the vulnerability of the system and build the attack models [10,11,12,13], and this helps to improve the understanding of the attack mechanism in order to design a better defense system. For example, a linear spoofing attack strategy and the corresponding feasibility constraints are demonstrated where fake data can be effectively designed to cause system failure [10]. In [11], the potential impact of unobservable attacks is investigated, and the least measurable attack strategy is proposed. Under the fully measurable model and partially measurable model, the existence conditions of unobservable subspace attacks are derived, based on which two attack strategies are proposed in [12]. The first strategy directly affects the system state by hiding attack vectors in the system subspace, and the second strategy misleads the bad data detection mechanism. Meanwhile, other researchers focus on the detection and defense of the system in the presence of attacks [14,15,16,17,18,19]. For example, both active detection and estimation-based detection are proposed in [14]. In the active detection method, a reasonable excitation signal is designed to be superimposed on the control signals, which improves the detectability of attacks on the actuator attack. The other method estimates the value of the attack by using the unknown input observer. In [15], a FDIA attack detection mechanism based on the increments of analytic measurements in the micro-grid environment was proposed.
Most existing researches are based on the analysis of the acquired measurements, but the impact of data communication is not considered. The FDIA in smart grid applications is an attack that reduces the integrity of data acquired by the system. In the existing communication technology, data transmitted through the network is often in the form of packets [20]. Most existing approaches construct the attack model and detect the attack using acquired measurements and the estimation of measurements [10,11,12,13,14,15,16,17,18]. However, in addition to potential FDIA, the data transmitted through the network may also be affected by network characteristics such as data losses during the transmission phase. This paper investigates the data injection attack on power system state estimation considering data losses in communication. The main contributions are as follows:
-
A DC (direct current) model of the system under data injection attack is deduced, taking into account the random packet losses.
-
The mechanism of weighted least squares state estimation and bad data detection are analyzed and an undetected range of attack vectors is derived.
-
Based on the established DC measurement model, the mean square error matrix of state estimation under the FDIA is analyzed.
The remainder of the paper is organized as follows. The transmission model of sensor measurements in the power grids under random packet loss is discussed in Sect. 2. Section 3 analyses the effects of random packet loss and data injection attacks on weighted least squares estimation, and the range of attack vectors is also studied. Simulation results are presented in Sect. 4, and the weighted least squares state estimation results under three different cases are compared.
2 Problem Formulation
2.1 Data Transmission Model
The SCADA system in the power grids collects sampled measurements from sensors through the communication network. However, due to limitations of the communication technology, data may get lost during the transmission. Figure 1 illustrates the whole process from data sampling and transmission to state estimation.
As shown in Fig. 1, at time instant \({{t}_{k-\text {1}}}\), the measurement device samples and transmit the sensor measurements to the network in the form of packets. Due to network induced delays, after the transmission delay \({{d}_{k-1}}\), the SCADA system will receive the sampled measurements at time instant \({{t}_{k-\text {1}}}+{{d}_{k-1}}\). Further, some data may be lost during the transmission process, such as the data at time instant \({{t}_{k}}\) shown in Fig. 1. Once the SCADA system obtains the measurements, the estimator can receive the data after the computing time delay of \({{c}_{k-1}}\). Power grids are typical complex cyber-physical systems with numerous sensors, and all sensor data will go through the similar process as shown in Fig. 1 when they are transmitted to the SCADA system.
Define the measurements received by the SCADA system at sampling instant k as \({{z}_{k}}\), \({{z}_{k}}\in {{R}^{m}}\) , and if there exists data packet losses, two popular compensated methods are often adopted. One is to directly replace the lost data with 0 [21]. Another is to replace the lost data with the previous sampled data. This paper adopts the first method, i.e., the loss packet is set as 0. For random packet losses, the received measurements can be expressed by
where \({{\lambda }_{k}}\in {{R}^{m\times m}}\) is a diagonal matrix whose diagonal elements are either 1 or 0. When a measurement is lost, its corresponding value is set to 0.
2.2 Power Grid Measurement Model
When the system is subject to a false data injection attack, the measurement process of the grids is shown in Fig. 2. When a sensor device samples measurements, it may be invaded by an attacker by deception, and false data are injected. Next, the sensor transmits the corrupted data to the SCADA over the network. When random packet loss is not considered at the sampling instant k, the AC measurement model can be described as
where \({{z}_{k}}\) is denoted as the measurement vector, \({{x}_{k}}\) is the system state vector, \({{v}_{k}}\) is the Gaussian measurement noise, and \(h({{x}_{k}})\) is the functional dependency between measurements and state variables.
If the ground admittance and branch conductance are ignored and assume that the voltage phase difference between two nodes is negligible, the voltage amplitude of the nodes is close to unit quantity 1. The DC measurement model can be used to approximate AC measurement model. The DC measurement model can be expressed as
where H is the steady-state functional dependency between measurements and state variables.
When only random packet loss is considered, at the sampling instant k, the DC measurement model can be expressed as
When only a data injection attack is considered and assume that the injected value is \({{a}_{k}}\)and \({{a}_{k}}\in {{R}^{m}}\). If \({{a}_{k}}\) is nonzero, the corresponding measurement is tampered. Then the measurement contains the attack vector \({{a}_{k}}\), which can be expressed as
where \({{a}_{k}}\) is the attack vector injected to measurement.
When random packet loss is considered, the measurement function can be expressed as
Equation (6) is the measurement model under the false data injection attack which considers both the influence of random packet loss and data injection attack on the measurements of the grid.
3 Analysis of Weighted Least Squares Estimation
State estimation is used for monitoring the operating state of the grid and remove bad data, and the weighted least square method is a popular state estimation method. The false data injection attack aims to mislead the state estimation, and it is necessary to have a detailed analysis of the state estimator. According to the weighted least squares estimation, the objective function can be expressed as
where W is the weighted matrix. The estimation of the system state can be expressed as
Define \({{\hat{z}}_{k}}=H{{\hat{x}}_{k}}\) as the state estimation of the system, and the residual between the real and the measurement estimation is defined as \({{r}_{k}}\), and \({{r}_{k}}\) can be expressed as
According to the Chi-square detector, 2-norm of the residual must be less than the threshold to consider that there is no bad data, i.e.,
where \(\tau \) is the threshold of the Chi-square detector, which can be obtained by checking the Chi-square distribution table. When there is only a false data injection attack, the injected increment must meet certain conditions in order not to be detected. According to (8), for a given \({{a}_{k}}\), the state estimation can be expressed as
where \({{\hat{x}}_{ak}}\) the corrupted estimation due to FDIA. The estimate of the measurement is \({{\hat{z}}_{ak}}=H{{\hat{x}}_{ak}}\), and the residuals can be expressed as
To evade the detector, Eq. (13) must be satisfied, that is
Let \(B=(I-H{{\left( {{H}^{T}}WH \right) }^{-1}}{{H}^{T}}W)\), Eq. (13) can be re-written as
According to the compatibility
when \({{\left\| B \right\| }_{2}}{{\left\| ({{z}_{k}}+{{a}_{k}}) \right\| }_{2}}\le \tau \) hold, the Eq. (14) will be hold, where \({{\left\| B \right\| }_{2}}=\sqrt{{{\eta }_{\max }}({{B}^{T}}B)}\) is the induced norm and \({{\eta }_{\max }}({{B}^{T}}B)\) is the maximum eigenvalue of the matrix \({{B}^{T}}B\).
Therefore,
Remark 1
Inequality (16) represents a subset of the attack vector which will not trigger an alarm from the bad data detector.
Corollary 1
Equation (17) is the non-detectable spoofing range of the attack vector.
According to the triangle inequality, it’s easy to prove Corollary 1 is true. The specific derivation is given as follows.
According to the triangle inequality of vector 2-norm,
when \({{\left\| {{z}_{k}} \right\| }_{2}}\text {+}{{\left\| {{a}_{k}} \right\| }_{2}}\le \frac{\tau }{{{\left\| B \right\| }_{2}}}\) hold, the Eq. (16) will be hold. So Eq. (17) is a safe range of the attack vector.
When packets are randomly lost, the integrity of the collected data by SCADA is destroyed. However, due to the redundancy of data in data acquisition of the power grids, the effect of the loss of a small number of measurements may small. To study the effect of data injection attack on the performance of state estimation under random packet losses, the mean square error (MSE) of weighted least squares state estimation under random packet losses is derived.
Suppose that the state vector \({{x}_{k}}\), the attack vector \({{a}_{k}}\), and the noise \({{v}_{k}}\) obey the Gaussian distribution where the mean value is \({{\mu }_{{{x}_{k}}}}=0\), and the variance is \({{R}_{{{x}_{k}}}}\), \({{R}_{{{a}_{k}}}}\), \({{R}_{v}}\). When there is random packet loss, the measurement model of the system is shown by Eq. (6). Combined Eq. (11) with Eq. (6), the state estimation of the system can be expressed as
When the system state estimation residual is defined as \({{\varepsilon }_{{{x}_{k}}}}={{\hat{x}}_{lak}}-{{x}_{k}}\), \({{\varepsilon }_{{{x}_{k}}}}\) can be expressed as
When there is random packet losses and data injection attack, the mean square error matrix of system state estimation is
Let \({{B}_{k}}=({{H}^{T}}{{\lambda }_{k}}WH)\), \({{R}_{{{\varepsilon }_{{{x}_{k}}}}}}\) can be expressed as
Ideally, when there is no packet losses and data injection attacks, \({{\lambda }_{k}}=I\), \({{a}_{k}}=0\). Then the mean square error matrix of the weighted least squares state estimation is
Comparing Eq. (22) and (23), it can be found that the existence of random packet losses will not only affect the state estimation, but also affect the effect of data injection attack.
4 Simulation Study
To assess the impact of data injection attack under random packet losses on smart grid state estimation, IEEE-14 node system is used in the simulation experiments, as shown in Fig. 3. IEEE-14 node system has 54 measurements, where 1–14 are the measurements of the active power of the bus, 15–34 are the measurements of branch power of the incoming node, and 35–54 are the measurements of branch power of the outgoing node. Assuming that the noise of each measurement obeys the Gaussian distribution, i.e., \({{v}_{i}}\tilde{\ }N(0,{{0.02}^{2}})\), where \(i=1,2,\cdots ,54\). Considering the phase angle of the reference bus \({{\delta }_{1}}=0\), it is only necessary to estimate the state quantity of the other 13 nodes, and \(H\in {{R}^{54\times 13}}\).
Firstly, node 1 is selected as the reference node, and the state truth value and the measurement truth value are obtained by 100 power flow calculations. It is assumed that the white noise obeys the Gaussian distribution \((0,{{0.02}^{2}})\) and the measurement error covariance matrix is constant.
Performance Index: From Eq. (23) under ideal conditions, when there is no data injection attack and transmission packet losses, the mean square error matrix of system state estimation is \({{R}_{{{\varepsilon }_{{{x}_{k}}}}}}={{({{H}^{T}}WH)}^{-1}}\). In order to measure the state estimation performance, Eq. (24) is used as the performance index.
where xreal is system status truth value, \(\hat{x}\) is the estimation, and \({{\left\| {} \right\| }_{F}}\) is frobenius norm of matrix.
When there only exist data injection attacks, while Eq. (17) is satisfied, three different attacks are randomly selected, where one measurement is tampered in \({{a}_{88}}\), five measurements are tampered in \({{a}_{41}}\), and ten measurements tampered in \({{a}_{55}}\). The dimension of each non-zero in the attack vector was randomly selected in \([-(\frac{\tau }{{{\left\| B \right\| }_{2}}}-{{\left\| {{z}_{k}} \right\| }_{2}})/p,(\frac{\tau }{{{\left\| B \right\| }_{2}}}-{{\left\| {{z}_{k}} \right\| }_{2}})/p]\), where p is the number of the tampered devices. The details of the attack vector are shown in Table 1. The estimated results are also illustrated in Fig. 4.
According to Fig. 4, the data injection attack has a great impact on the survivability of system state estimation. However, with the increase of attack dimensions, the impact of the attack on the estimation decreases gradually if the attack vector remains non-detectable by satisfying Eq. (16).
The performance index is also illustrated in Fig. 5. This is a result from the attack vector limited by Eq. (17). The more dimensions of the attack, the lower the amplitude of each dimension in the attack vector will become.
In the packet loss only scenario, three packet loss rates are randomly selected, which are 2%, 5% and 10% respectively. The specific information of random packet losses is shown in Table 2, and the estimation results are illustrated in Fig. 6.
As show in Figs. 6 and 7, a small amount of random data packet loss in the data transmission of the sensor does not have significant impact on the system state estimation. This is due to the existence of the measurement redundancy of the power system, which guarantees the safety and reliability of power system state estimation.
Furthermore, comparing Fig. 4 with Fig. 6, it is clear that the data injection attack has a greater impact on the system state estimation. Again, the performance indexes as shown in Figs. 5 and 7 are not in the same order of magnitude.
When both packet losses and data injection attacks are presented, 5% packet loss rate and 5 dimensions attacked are simulated.
Three scenarios, including random packet losses and data injection attack are not coincidences, some coincident, and all occurred coincidently are analyzed. The specific information of random packet loss and attack vectors are listed in Table 3, and the estimation results are illustrated in Fig. 8. It can be seen that notification of data injection attack and random packet loss will have a great impact on system state estimation results.
As shown in Fig. 9, when the random packet losses occur coincidently with the attack, and the estimation performance is better than the non-overlap, but the impact of the attack vector itself is greater.
5 Conclusions
This paper has analyzed the impact of false data injection attacks on smart grid state estimation under random packet losses. Firstly, the measurement model of power grid under random packet losses is established, and an attack vector range that can escape the detector is derived. Then, the weighted least squares estimation is analyzed, and a non-detectable range of attack vectors in the data injection attack is derived. It is proved that as long as the attack vectors are selected in the derived range, the existing “bad data” detection device will not respond. Further, considering the false data injection attack, the mean square error matrix of the weighted least squares estimation is provided. Finally, simulation experiments on a IEEE-14 node system is used to compare the effects of data injection attack, random packet loss, and simultaneous random packet loss and data injection attack on the system state estimation.
References
Yan, J., Guo, F., Wen, C.: False data injection against state estimation in power systems with multiple cooperative attackers. ISA Trans. 101(10), 225–233 (2020)
Sahoo, S., Dragicevic, T., Blaabjerg, F.: Cyber security in control of grid-tied power electronic converterschallenges and vulnerabilities. IEEE J. Emer. Sel. Top. Power Electr. 15, 1–15 (2019)
Shu, J., Guo, Z., Han, B.: A bilevel optimization model for power network spurious data injection attack. Autom. Electr. Power Syst. 43(10), 95–101 (2019)
Liang, G., Zhao, J., Luo, F., Weller, S.R., Dong, Z.Y.: A review of false data injection attacks against modern power systems. IEEE Trans. Smart Grid 8(4), 1630–1638 (2017)
Liang, G., Weller, S.R., Zhao, J., Luo, F., Dong, Z.Y.: The 2015 Ukraine blackout: implications for false data injection attacks. IEEE Trans. Power Syst. 32(4), 3317–3318 (2017)
Gong, X.: Analysis of the situation of the power outage in Venezuela and recommendations for the safety of critical infrastructure. J. Inf. Technol. Network Secur. 38(04), 1–2+14 (2019)
Gong, X.: Upadhyay, D., Sampalli, S.: Scada (supervisory control and data acquisition) systems: Vulnerability assessment and security recommendations. Comput. Secur. 89, 101666 (2020)
Liu, Y., Ning, P., Reiter, M.K.: False data injection attacks against state estimation in electric power grids. ACM Trans. Inf. Syst. Secur. 14(1), 1–33 (2011)
Li, L., Yang, H., Xia, Y., Yang, H.: Event-based distributed state estimation for linear systems under unknown input and false data injection attack. Signal Process. 170, 107423 (2020)
Guo, Z., Shi, D., Johansson, K., Shi, L.: Optimal linear cyber-attack on remote state estimation. IEEE Trans. Control Network Syst. 4, 4–13 (2016)
Zhao, Y., Goldsmith, A., Vincent Poor, H.: Minimum sparsity of unobservable power network attacks. IEEE Trans. Autom. Control 62(7), 3354–3368 (2017)
Kim, J., Lang, T., Thomas, R.J.: Subspace methods for data attack on state estimation: a data driven approach. IEEE Trans. Signal Process. 63(5), 1102–1114 (2015)
Zhong, H., Du, D., Li, C., Li, X.: A novel sparse false data injection attack method in smart grids with incomplete power network information. Complexity 1–16 (2018)
Muniraj, D., Farhood, M.: Detection and mitigation of actuator attacks on small unmanned aircraft systems. Control Eng. Pract. 83, 188–202 (2019)
Huaye, P., Chen, P., Hongtao, S., Mingjin, Y.: Incremental detection mechanism of microgrid under false data injection attack. Inf. Control 48(5), 522–527 (2019)
Chen, R., Li, X., Zhong, H., Fei, M.: A novel online detection method of data injection attack against dynamic state estimation in smart grid. Neurocomputing 344, 73–81 (2019)
Du, D., Chen, R., Li, X., Wu, L., Zhou, P., Fei, M.: Malicious data deception attacks against power systems: a new case and its detection method. Trans. Inst. Measur. Control 41(6), 1590–1599 (2019)
Du, D., Li, X., Li, W., Chen, R., Fei, M., Wu, L.: ADMM-based distributed state estimation of smart grid under data deception and denial of service attacks. IEEE Trans. Syst. Man Cybernet.-Syst. 49(8), 1698–1711 (2019)
Xia, M., Du, D., Fei, M., Li, X., Yang, T.: A novel sparse attack vector construction method for false data injection in smart grids. Energies 13(11) (2020)
Aghanoori, N., Masoum, M.A., Abu-Siada, A., Islam, S.: Enhancement of microgrid operation by considering the cascaded impact of communication delay on system stability and power management. Int. J. Electr. Power Energy Syst. 120, 105964 (2020)
Ding, D., Han, Q.L., Xiang, Y., Ge, X., Zhang, X.M.: A survey on security control and attack detection for industrial cyber-physical systems. Neurocomputing 275, 1674–1683 (2018)
Acknowledgement
Supported by Natural Science Foundation of China (No. 61633016, 61533010), Key Project of Science and Technology Commission of Shanghai Municipality (No. 19510750300, 19500712300, 16010500300), Industrial Internet Innovation and Development Project (TC190H3WL).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Xia, M., Du, D., Fei, M., Li, K. (2020). Impact Analysis of False Data Injection Attack on Smart Grid State Estimation Under Random Packet Losses. In: Fei, M., Li, K., Yang, Z., Niu, Q., Li, X. (eds) Recent Featured Applications of Artificial Intelligence Methods. LSMS 2020 and ICSEE 2020 Workshops. LSMS ICSEE 2020 2020. Communications in Computer and Information Science, vol 1303. Springer, Singapore. https://doi.org/10.1007/978-981-33-6378-6_5
Download citation
DOI: https://doi.org/10.1007/978-981-33-6378-6_5
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-33-6377-9
Online ISBN: 978-981-33-6378-6
eBook Packages: Computer ScienceComputer Science (R0)