J. Mod. Power Syst. Clean Energy (2015) 3(3):321–331. DOI 10.1007/s40565-015-0145-8
Risk assessment framework for power control systems with PMU-based intrusion response system
Jie YAN, Manimaran GOVINDARASU, Chen-Ching LIU, Ming NI (corresponding author), Umesh VAIDYA

J. YAN, Market Engineering, MISO, Carmel, IN 46032, USA. M. GOVINDARASU and U. VAIDYA, Department of Electrical and Computer Engineering, Iowa State University, Ames, IA 50011, USA. C.-C. LIU, School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA 99165, USA. M. NI, NARI Technology Co. Ltd., Nanjing 211106, China.

CrossCheck date: 29 January 2015. Received: 17 April 2014 / Accepted: 29 January 2015 / Published online: 13 August 2015. © The Author(s) 2015. This article is published with open access at Springerlink.com.

Abstract: Cyber threats are serious concerns for power systems. For example, hackers may attack power control systems via interconnected enterprise networks. This paper proposes a risk assessment framework to enhance the resilience of power systems against cyber attacks. The duality element relative fuzzy evaluation method is employed to quantitatively evaluate identified security vulnerabilities within the cyber systems of power systems. An attack graph is used to identify possible intrusion scenarios that exploit multiple vulnerabilities. An intrusion response system (IRS) is developed to monitor the impact of intrusion scenarios on power system dynamics in real time. IRS calculates conditional Lyapunov exponents (CLEs) online from phasor measurement unit data. Power system stability is predicted from the values of the CLEs, and control actions based on the CLEs are suggested if power system instability is likely to happen. A generic wind farm control system is used for the case study. The effectiveness of IRS is illustrated with the IEEE 39 bus system model.

Keywords: Cyber security, Supervisory control and data acquisition (SCADA), Risk assessment, Intrusion response system (IRS), Conditional Lyapunov exponents (CLEs), Phasor measurement unit (PMU), Voltage instability

1 Introduction

Power systems are vulnerable to cyber attacks. Modern IT technologies are heavily used in today's supervisory control and data acquisition (SCADA) systems of industrial control systems, including power systems. While IT technologies bring many benefits, they introduce many security risks as well. For example, the connectivity of SCADA systems and enterprise networks improves business visibility and efficiency, but it makes SCADA systems more vulnerable to cyber attacks. According to 2003–2006 data from Eric Byres, BCIT, 49 % of cyber attacks on industrial control systems were launched via connected enterprise networks. One highly publicized example is Stuxnet, which attacked an industrial control system by infecting the organization networks that interact with the target [1].

In 2006, the US Department of Energy (DOE) published the Roadmap to secure control systems in the energy sector (updated in 2011) [2]. It envisions that in 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of any critical function. Much effort has been made to secure power facilities. The DOE National SCADA Test Bed (NSTB) Program, established in 2003, supports industry and government efforts to enhance the cyber security of control systems in the energy sector. The NERC standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of the bulk electric system [3]. IEC Technical Committee 57 (IEC TC57), power system management and associated information exchange, has advanced standard communication protocol security in IEC 62351 with stronger encryption and authentication mechanisms [4]. The Hallmark Project by Schweitzer Engineering Laboratories, Inc. presents the secure SCADA communications protocol (SSCP) technology, which provides integrity for SCADA messages. The United States Computer Emergency Readiness Team (US-CERT) has set up awareness programs about system vulnerabilities to improve control system security [5]. The cyber security audit and attack detection toolkit by Digital Bond, Inc. is developed to identify vulnerable configurations in control system devices and applications. Reference [6] presents a risk assessment methodology that accounts for both physical and cyber security of critical infrastructures. In [7], a SCADA security framework is proposed in which system vulnerabilities are assessed quantitatively through an attack tree. The impact of a cyber attack on SCADA systems is studied systematically in [8], where it is evaluated by the resultant loss of load through a power flow computation.
This paper presents a new risk assessment framework for SCADA systems of power grids. Individual vulnerabilities within control systems are evaluated based on the duality element relative fuzzy evaluation method (DERFEM). An attack graph is developed to identify possible intrusion scenarios that exploit multiple security vulnerabilities. An intrusion response system (IRS) based on the phasor measurement unit (PMU) data is proposed to assess the impact of intrusion scenarios on power system dynamics.
The main contribution is IRS, which is an on-line monitoring and control scheme based on PMUs. It monitors the impact of cyber intrusions on power system dynamics in real time. If power system instability, such as voltage instability, is judged to be likely after a cyber attack, IRS will act as a mitigation mechanism to prevent power system instability. Unlike traditional security mechanisms, such as encryption and authentication, which increase the complexity of power systems, and may cost additional time in power system operations, IRS uses a control strategy based on the conditional Lyapunov exponents (CLEs) to enhance the resilience of power systems against cyber attacks.
2 Risk assessment framework
The risk assessment framework is shown in Fig. 1. For the SCADA systems of a power system, the procedure starts with identification of the configuration of its cyber system. Vulnerabilities within the cyber system are then identified. Each vulnerability is evaluated quantitatively by DERFEM. An attack graph is built to identify possible intrusion scenarios that exploit multiple vulnerabilities. The probability of occurrence of every intrusion scenario is calculated. Once an intrusion scenario is successfully executed, IRS monitors its impact on power system dynamics in real time. The impact is characterized by CLEs computed from PMU data. If the values of the CLEs are high, voltage instability is likely to happen, and control actions based on the CLEs are taken to prevent it.
2.1 DERFEM
Assume that a cyber system has $l$ identified vulnerabilities $r_1, r_2, \ldots, r_l$. DERFEM is employed to assign each vulnerability a scaled value within $[0, 1]$ that quantitatively characterizes its vulnerable level; the larger the scaled value, the higher the vulnerable level.

DERFEM proceeds as follows.

1) Compare a pair of different vulnerabilities $(r_i, r_j)$ so as to obtain the scaled values $s_{r_j r_i}$ and $s_{r_i r_j}$. $s_{r_j r_i}$ represents the vulnerable level of $r_i$ compared to $r_j$; likewise, $s_{r_i r_j}$ represents the vulnerable level of $r_j$ compared to $r_i$, with $0 \le s_{r_j r_i} \le 1$ and $0 \le s_{r_i r_j} \le 1$. If $s_{r_j r_i} > s_{r_i r_j}$, vulnerability $r_i$ has a higher vulnerable level than $r_j$. $s_{r_j r_i}$ and $s_{r_i r_j}$ come from engineering judgments. This is valid because engineering judgments from different sources are statistically close when two vulnerabilities are compared.

2) Continue comparing pairs of vulnerabilities until a matrix like Table 1 is generated ($s_{r_i r_i}$ is set to 1 for convenience of calculation).

3) In each row of Table 1, substitute $s_{r_j r_i}$ with $s_{r_i/r_j}$, where
$$s_{r_i/r_j} = \frac{s_{r_j r_i}}{\max\left(s_{r_j r_i},\, s_{r_i r_j}\right)}$$

4) Finally, the vulnerable level of $r_i$ is quantitatively characterized by
$$r(r_i) = \min\left(s_{r_i/r_1},\, s_{r_i/r_2},\, \ldots,\, s_{r_i/r_l}\right)$$

DERFEM does not measure the vulnerable level of a vulnerability directly, which could be difficult. It reveals the relative vulnerable level of the vulnerability compared to the others.

Fig. 1 Proposed risk assessment framework (flowchart: identify the configuration of a cyber system; identify security vulnerabilities; evaluate each vulnerability by DERFEM; formulate an attack graph to identify intrusion scenarios; compute the probability of occurrence of every intrusion scenario; monitor the impact of intrusion scenarios on power system dynamics through IRS; are CLEs high? Y: control actions, N: end)
2.2 Attack graph
In practice, a hacker may have to compromise several interconnected hosts within a cyber system before gaining access to the control systems. For example, an outside intruder has to compromise an enterprise network first, and then attacks the connected industrial control systems via the enterprise network. This procedure is modeled as an intrusion scenario in this research. An intrusion scenario is comprised of several intrusion actions, and each action involves exploiting one security vulnerability.
An attack graph is employed to capture possible intrusion scenarios within a cyber system. The attack graph depicts the ways in which a hacker compromises interconnected hosts sequentially by exploiting the corresponding vulnerabilities so as to achieve a specific goal. The benefit of the attack graph is that it takes into account the effects of interactions of local vulnerabilities and finds global security holes introduced by the interconnections [9].
Basic concepts of the attack graph are defined as follows.

Definition 1: subject (ST). A subject is the initiator of actions. $st \in ST$ can be an attacker or a compromised device.

Definition 2: node (ND). An electronic device in a cyber system is a node, denoted $nd(id)$, $nd \in ND$, where $id$ is the identifier of the node and can be set to an equipment name. If a node is compromised by a subject, the node itself becomes a subject.

Definition 3: privilege (PG). It describes the operating privilege of a subject in a node. For $st \in ST$ and $nd \in ND$, the function $PG(st, nd) \to \{0, 1, 2, 3, 4, 5\}$ expresses the privilege level of $st$ in $nd$: $PG(st_i, nd_j) = 0$ means that subject $st_i$ has no access to node $nd_j$; $PG(st_i, nd_j) = 1$ means that $st_i$ is able to read the inbound and outbound messages of $nd_j$; $PG(st_i, nd_j) = 2$ means that $st_i$ is able to block the inbound and outbound messages of $nd_j$; $PG(st_i, nd_j) = 3$ means that $st_i$ can read and block the inbound and outbound messages of $nd_j$; $PG(st_i, nd_j) = 4$ means that $st_i$ can send messages to $nd_j$; $PG(st_i, nd_j) = 5$ means that $st_i$ has full control of $nd_j$.

Definition 4: state (Z). A state is a triple $z = (st, nd, PG(st, nd))$. A state is the prerequisite of the next attack action to be implemented.

Definition 5: interconnection (IC). An interconnection is a connection between nodes, denoted by a quadruplet $ic = (nd_i, nd_j, C_{ij}, M_{ij})$, $ic \in IC$, $nd_i, nd_j \in ND$. $C_{ij}$ represents the communication channel between $nd_i$ and $nd_j$; it could be copper wires, optical fibers, wireless, dial-up, virtual private network (VPN), or digital microwave. $M_{ij}$ is the type of messages from $nd_i$ to $nd_j$; it could be measurements or control signals. $M_{ij}$ does not necessarily equal $M_{ji}$.

Definition 6: action (A). A represents the set of possible actions of the subjects in a cyber system. An action is a quadruplet $a = (nname, z_s, z_d, c)$, $a \in A$, $z_s, z_d \in Z$. $nname$ is the name of an attack action such as a denial-of-service (DOS) attack or a man-in-the-middle attack; $z_s$ and $z_d$ represent the initial and final states of the action; $c$ is the vulnerability exploited in the action, and it denotes the difficulty level of action $a$.

Table 1 Comparison results of the vulnerabilities

| Vulnerability | $r_1$ | $r_2$ | $r_3$ | $\cdots$ | $r_l$ |
|---|---|---|---|---|---|
| $r_1$ | 1 | $s_{r_2 r_1}$ | $s_{r_3 r_1}$ | $\cdots$ | $s_{r_l r_1}$ |
| $r_2$ | $s_{r_1 r_2}$ | 1 | $s_{r_3 r_2}$ | $\cdots$ | $s_{r_l r_2}$ |
| $r_3$ | $s_{r_1 r_3}$ | $s_{r_2 r_3}$ | 1 | $\cdots$ | $s_{r_l r_3}$ |
| $\vdots$ | $\vdots$ | $\vdots$ | $\vdots$ | $\ddots$ | $\vdots$ |
| $r_l$ | $s_{r_1 r_l}$ | $s_{r_2 r_l}$ | $s_{r_3 r_l}$ | $\cdots$ | 1 |

The algorithm to construct an attack graph proceeds as follows.

1) Identify ND and IC. Develop a directed graph (ND, IC) whose vertices are $nd \in ND$ and whose edges are $ic \in IC$.

2) Identify the node $nd_k$ that will be the target of attacks. $nd_k$ could be a SCADA server or a programmable logic controller (PLC).

3) Determine the goal of the attack, i.e., the state of $nd_k$ after being attacked, formulated as $z_d = (st_i, nd_k, PG(st_i, nd_k) > 0)$, in which $st_i$ represents the initial intruding subject (the hacker).
4) Traverse the directed graph (ND, IC). Identify the node $nd_{k'}$ that is connected to $nd_k$ directly. Assume that node $nd_{k'}$ has been compromised by $st_i$ and has become an intruding subject, say $st_{i'}$.

5) Extract an attack action aimed at $nd_k$ from $st_{i'}$, $a = (nname, z_s, z_d, c_a)$, with $z_d = (st_{i'}, nd_k, PG(st_{i'}, nd_k) = PG(st_i, nd_k))$. $c_a$ is the vulnerability of node $nd_k$ exploited in action $a$.

6) Establish the prerequisite of action $a$, namely $z_s = (st_i, nd_{k'}, PG(st_i, nd_{k'}) > 0)$.

7) Set $nd_{k'}$ as the new target node; $z_s$ becomes a new $z_d$. Repeat steps 4, 5 and 6 until $st_{i'} = st_i$.

Fig. 2 Concept of IRS (PMUs in substations, synchronized by GPS satellite, send data over communication links to a data concentrator; in the control center, the proposed algorithm exchanges data over Ethernet with the real-time data server, the state estimator and the EMS)

After the attack graph is built, it gives a bird's-eye view of possible intrusion scenarios. For each scenario, the probability of occurrence $P_b$ is calculated as follows.

a) If the intrusion scenario is comprised of two serial intrusion actions $a_i$ and $a_j$, then
$$P_b = r(c_{a_i})\, r(c_{a_j}) \qquad (1)$$
where $c_{a_i}$ and $c_{a_j}$ are the local vulnerabilities exploited in the attack actions $a_i$ and $a_j$. Note that $P_b$ is relative, as $r(c_{a_i})$ and $r(c_{a_j})$ are relative: $P_b$ tells how possible an intrusion scenario is compared to the others.

b) If the intrusion scenario consists of two parallel intrusion actions $a_i$ and $a_j$, then
$$P_b = r(c_{a_i}) + r(c_{a_j}) - r(c_{a_i})\, r(c_{a_j}) \qquad (2)$$

c) If the intrusion scenario is more complicated, its $P_b$ is the synthesis of (1) and (2).
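DERFEM (Section 2.1) and the series/parallel rules (1) and (2), applied to the case-study data, as an added example that is not code from the paper. The comparison matrix is Table 2, the action-to-vulnerability map is the action list of Section 4.1, and the nested scenario expressions are my reading of Fig. 5 and Table 3. Two points the code makes explicit: (2) is applied where the graph forks, before the shared downstream actions are multiplied in (summing whole-path probabilities would count a7 and a6 twice in the a8/a9 scenario), and Table 3's last two entries (0.0176, 0.0117) are the values obtained when the two alternative first actions, both exploiting r12, are counted once; combining them with (2) instead gives 0.0286 and 0.0190. The parallel rule is written as 1 minus the product of (1 - p), which reduces to (2) for two branches and extends to more.

```python
"""DERFEM scoring (Section 2.1) and series/parallel scenario probability
(Section 2.2), run on the vulnerability matrix of Table 2 and the intrusion
scenarios of Table 3."""
import math

VULNS = ["r1", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12"]

# Table 2 of the paper: row r_i, column r_j holds s_{r_j r_i}, the vulnerable
# level of r_i when compared with r_j; the diagonal is fixed at 1.
TABLE2 = [
    [1.0, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8],
    [0.6, 1.0, 0.9, 0.7, 0.5, 0.8, 0.8, 0.6, 0.6, 0.5, 0.6, 0.4],
    [0.4, 0.6, 1.0, 0.5, 0.4, 0.7, 0.8, 0.3, 0.2, 0.3, 0.2, 0.5],
    [0.5, 0.4, 0.6, 1.0, 0.7, 0.7, 0.7, 0.6, 0.5, 0.4, 0.6, 0.5],
    [0.4, 0.3, 0.3, 0.4, 1.0, 0.3, 0.3, 0.5, 0.5, 0.6, 0.5, 0.6],
    [0.2, 0.2, 0.3, 0.2, 0.2, 1.0, 0.3, 0.2, 0.2, 0.3, 0.2, 0.2],
    [0.1, 0.1, 0.2, 0.1, 0.1, 0.1, 1.0, 0.1, 0.1, 0.2, 0.1, 0.1],
    [0.5, 0.5, 0.5, 0.5, 0.4, 0.6, 0.3, 1.0, 0.4, 0.5, 0.4, 0.4],
    [0.2, 0.3, 0.1, 0.3, 0.2, 0.2, 0.2, 0.2, 1.0, 0.2, 0.2, 0.1],
    [0.7, 0.4, 0.6, 0.5, 0.4, 0.6, 0.5, 0.6, 0.6, 1.0, 0.6, 0.4],
    [0.4, 0.5, 0.4, 0.5, 0.4, 0.5, 0.3, 0.5, 0.5, 0.5, 1.0, 0.5],
    [0.3, 0.3, 0.4, 0.3, 0.3, 0.2, 0.2, 0.3, 0.3, 0.3, 0.2, 1.0],
]

# Vulnerability c_a exploited by each attack action of the case study (Section 4.1).
ACTION_VULN = {
    "a1": "r1", "a2": "r4", "a3": "r5", "a4": "r2", "a5": "r5", "a6": "r2",
    "a7": "r3", "a8": "r6", "a9": "r7", "a10": "r2", "a11": "r12", "a12": "r8",
    "a13": "r12", "a14": "r3", "a15": "r9", "a16": "r12", "a17": "r11",
    "a18": "r12", "a19": "r12", "a20": "r10", "a21": "r12", "a22": "r12",
}


def derfem(matrix, names):
    """Steps 3 and 4 of DERFEM: normalise each pairwise judgement by the larger
    of its two directions, then take the row minimum as the vulnerable level."""
    n = len(matrix)
    scores = {}
    for i in range(n):
        ratios = [matrix[i][j] / max(matrix[i][j], matrix[j][i])
                  for j in range(n) if j != i]
        scores[names[i]] = min(ratios)
    return scores


def serial(probs):
    """Eq. (1): actions that must all succeed, one after another."""
    return math.prod(probs)


def parallel(probs):
    """Eq. (2): alternative actions, any one of which suffices;
    p1 + p2 - p1*p2 written as 1 - prod(1 - p) so it extends past two branches."""
    return 1.0 - math.prod(1.0 - p for p in probs)


def scenario_probability(scenario, vuln_level):
    """Evaluate a nested ('serial', [...]) / ('parallel', [...]) expression whose
    leaves are action names: the 'synthesis of (1) and (2)' of Section 2.2.
    Parallel branches are combined where the graph forks, before the shared
    downstream actions are multiplied in, so shared actions are not double counted."""
    if isinstance(scenario, str):
        return vuln_level[ACTION_VULN[scenario]]
    kind, parts = scenario
    probs = [scenario_probability(p, vuln_level) for p in parts]
    return serial(probs) if kind == "serial" else parallel(probs)


# The nine scenarios of Table 3 as read off Fig. 5. The last two follow the
# paper's table, which counts a18/a19 and a21/a22 (both r12) as one action.
SCENARIOS = {
    "a1": "a1",
    "a2": "a2",
    "a3": "a3",
    "a5>a4 | a11>a10": ("parallel", [("serial", ["a5", "a4"]), ("serial", ["a11", "a10"])]),
    "(a8|a9)>a7>a6": ("serial", [("parallel", ["a8", "a9"]), "a7", "a6"]),
    "a13>a12>a10": ("serial", ["a13", "a12", "a10"]),
    "a16>a15>a14>a10": ("serial", ["a16", "a15", "a14", "a10"]),
    "a18>a17>a15>a14>a10": ("serial", ["a18", "a17", "a15", "a14", "a10"]),
    "a21>a20>a17>a15>a14>a10": ("serial", ["a21", "a20", "a17", "a15", "a14", "a10"]),
}


def table3(matrix=TABLE2, names=VULNS, scenarios=SCENARIOS):
    """Vulnerable levels r(r_i) and scenario probabilities P_b, rounded to four
    decimals as in Tables 2 and 3."""
    r = derfem(matrix, names)
    levels = {k: round(v, 4) for k, v in r.items()}
    probs = {k: round(scenario_probability(s, r), 4) for k, s in scenarios.items()}
    return levels, probs


if __name__ == "__main__":
    levels, probs = table3()
    for name, level in levels.items():
        print(f"{name:>4}  r = {level}")
    for name, pb in sorted(probs.items(), key=lambda kv: -kv[1]):
        print(f"{pb:.4f}  {name}")
```

Because every $r(r_i)$ is a ratio of judgments, the scenario values only rank scenarios against each other; the code keeps the unrounded levels for the products and rounds once at the end, which is what reproduces the table to four decimals.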
2.3 Intrusion response system
The concept of IRS is illustrated in Fig. 2. It is intended to be an application in the control center of a power system. The proposed algorithm, discussed in detail in Section 3, obtains updated power network configurations from the state estimator (SE), say every 5 minutes. If an intrusion scenario is executed successfully and results in disruptions of power system operations such as breaker opening or loss of generation, such sudden changes of the power network configuration are reported to the proposed algorithm through the SCADA system in real time. The post-attack dynamical model of the power system is then built. After that, the algorithm extracts synchronized phasor measurements from the PMU data concentrator, which obtains real-time PMU data from substations equipped with PMUs. A number of the state variables of the dynamical model are observed from the PMU data. Based on the dynamical model and the PMU measurements, CLEs are calculated to monitor the impact of the intrusion on power system dynamics.
If CLEs have only low values, the prediction is that voltage instability will not happen; otherwise, voltage instability is likely to occur, and the proposed algorithm will send proper control signals to the energy management system (EMS) to prevent voltage instability.
3 Proposed algorithm
3.1 Dynamical model
In this algorithm, generators are represented by classical models, and loads are represented by ZIP models. After a cyber intrusion, the dynamical model of the power system is established as follows:

$$Y_{bus}\,\dot{V} = \dot{I}, \qquad \dot{I}_i = -\frac{P_{D,i} - jQ_{D,i}}{\dot{V}_i^{*}}, \qquad \dot{I}_j = \frac{X_j\angle\delta_j - \dot{V}_j}{Z_j} \qquad (3)$$

$$\frac{d\delta_j}{dt} = \omega_j - \omega_{Re}, \qquad \frac{2H_j}{\omega_{Re}}\,\frac{d\omega_j}{dt} = P_{m,j} - \mathrm{Re}\!\left(X_j\angle\delta_j \cdot \dot{I}_j^{*}\right) - O_j\left(\omega_j - \omega_{Re}\right) \qquad (4)$$

where $i = 1, 2, \ldots, n-m$; $j = n-m+1, n-m+2, \ldots, n$; $n$ is the total number of buses; $m$ is the total number of generators; $P_{D,i} + jQ_{D,i}$ is the power consumption at load bus $i$,

$$P_{D,i} = P_{0,i}\left[A_i + B_i\frac{|V_i|}{|V_{0,i}|} + C_i\left(\frac{|V_i|}{|V_{0,i}|}\right)^{2}\right]\left(1 + L_{P,i}\,\Delta f\right), \qquad Q_{D,i} = Q_{0,i}\left[D_i + E_i\frac{|V_i|}{|V_{0,i}|} + F_i\left(\frac{|V_i|}{|V_{0,i}|}\right)^{2}\right]\left(1 + L_{Q,i}\,\Delta f\right);$$

$A_i$, $B_i$, $C_i$, $D_i$, $E_i$, $F_i$, $L_{P,i}$ and $L_{Q,i}$ are load parameters; $P_{0,i} + jQ_{0,i}$ is the steady-state power consumption; $V_{0,i}$ is the steady-state voltage; $\Delta f$ is the frequency deviation in p.u.; $H_j$ and $O_j$ are the inertia and damping constants of generator $j$; $\delta_j$ is the rotor angle of generator $j$; $\omega_j$ is the angular speed of generator $j$; $\omega_{Re}$ is the reference speed; $X_j$ is the internal voltage magnitude of generator $j$; $Z_j$ is the impedance between generator $j$ and its generator bus; $P_{m,j}$ is the mechanical power input to generator $j$.

The excitation systems of the generators are assumed to function so as to keep the internal voltage magnitudes at their reference values during the transient period. The time constant of modern excitation systems is less than 0.5 s. If a new reference value is issued to an excitation system, the corresponding voltage magnitude changes rapidly because of the fast response of the excitation system. CLEs are then computed on the updated dynamical model to reassess system stability.

Let $x$ denote $\left(|V_1|, \angle V_1, |V_2|, \angle V_2, \ldots, |V_n|, \angle V_n\right)^{T}$ and $y$ denote $\left(\delta_1, \omega_1, \ldots, \delta_m, \omega_m\right)^{T}$. Equations (3) and (4) are represented by

$$G(x, y) = 0 \qquad (5)$$

$$\frac{dy}{dt} = F(x, y) \qquad (6)$$

Since

$$\frac{dG(x, y)}{dt} = 0 = G_x\frac{dx}{dt} + G_y\frac{dy}{dt} \qquad (7)$$

it is obtained that

$$\frac{dx}{dt} = -G_x^{-1}G_y\frac{dy}{dt} = -G_x^{-1}G_y\,F(x, y) \qquad (8)$$

where $G_x$ and $G_y$ are the Jacobian matrices of $G$ with respect to $x$ and $y$. When $\det(G_x)$ approaches 0 and $G_y\,dy/dt \neq 0$, $dx/dt$ takes very large values. Correspondingly, $x$ changes dramatically, and voltage instability is likely to happen.

3.2 Methodology: CLEs

The notion of CLEs (originally called sub-Lyapunov exponents) was introduced by Pecora and Carroll in their study of synchronization of chaotic systems [10], [11]. Like the full Lyapunov exponents, CLEs are well defined ergodic invariants.

Consider an $N$-dimensional continuous-time dynamical system $dz/dt = H(z)$. Splitting the state vector $z$ into two vectors $z_1 \in \mathbb{R}^{K}$ and $z_2 \in \mathbb{R}^{N-K}$ ($0 < K < N$) gives two sub systems, $dz_1/dt = H_1(z_1, z_2)$ and $dz_2/dt = H_2(z_1, z_2)$. Let $z_1(t) = \varphi(t, v_1, v_2)$ be the solution of the first sub system at time $t$ starting from the initial conditions $z_1^0 = v_1$, $z_2^0 = v_2$. The CLEs $C_i$ of the sub system $dz_1/dt = H_1(z_1, z_2)$ are defined from the eigenvalues of the limiting matrix

$$\Lambda(v_1) = \lim_{t\to\infty}\left[K^{T}(t, v_1, v_2)\,K(t, v_1, v_2)\right]^{\frac{1}{2t}} \qquad (9)$$

$$C_i(v_1) = \ln \lambda_i(v_1) \qquad (10)$$

where $i = 1, 2, \ldots, K$; $K(t, v_1, v_2)$ is the Jacobian matrix of $\varphi(t, v_1, v_2)$ with respect to $v_1$; and $\lambda_i(v_1)$ is the $i$th eigenvalue of $\Lambda(v_1)$. The existence of CLEs is guaranteed under the same conditions that establish the existence of the Lyapunov exponents [12].

The relationship between CLEs and system stability is as follows. In the ergodic theory of dynamical systems, the Lyapunov exponents characterize the exponential divergence or convergence of nearby trajectories, as shown in Fig. 3. For the sub system $dz_1/dt = H_1(z_1, z_2)$, its maximal conditional Lyapunov exponent (MCLE) $M_{MCLE}$ determines the exponential convergence of nearby system trajectories, through the approximation

$$\left\|\Delta z_1(t)\right\| \approx e^{M_{MCLE}\,t}\,\left\|\Delta z_1^0\right\| \qquad (11)$$

If $dz_1/dt$ takes very large values, nearby system trajectories diverge and, correspondingly, $M_{MCLE} \gg 0$. Otherwise, the nearby trajectories converge, and the MCLE has a low or even negative value. Therefore, the value of the MCLE reveals the magnitude of the time derivatives of the related state variables. When the state variables are voltages of a power system, the MCLE can be used to monitor the magnitude of the time derivatives of the voltages, and hence voltage stability.

Fig. 3 Nearby trajectories in the state space (two trajectories $z_1(t)$ started from nearby initial points $z_1^0$)
In this work, the dynamical system in (8) is split into $n$ sub systems. The $i$th sub system has the state variables $\left(|V_i|, \angle V_i\right)^{T}$, where $i = 1, 2, \ldots, n$. The MCLE is computed for each sub system to monitor voltage stability within it. Let $G_y\,dy/dt = U \in \mathbb{R}^{2n}$; one obtains

$$U_{2i-1} = \frac{|V_i|\,X_i}{|Z_i|}\cos\left(\angle V_i - \angle Z_i - \delta_i\right)\frac{d\delta_i}{dt} - Q_{0,i}\left[D_i + E_i\frac{|V_i|}{|V_{0,i}|} + F_i\left(\frac{|V_i|}{|V_{0,i}|}\right)^{2}\right]L_{Q,i}\frac{d\Delta f}{dt}$$

$$U_{2i} = \frac{|V_i|\,X_i}{|Z_i|}\sin\left(\angle V_i - \angle Z_i - \delta_i\right)\frac{d\delta_i}{dt} - P_{0,i}\left[A_i + B_i\frac{|V_i|}{|V_{0,i}|} + C_i\left(\frac{|V_i|}{|V_{0,i}|}\right)^{2}\right]L_{P,i}\frac{d\Delta f}{dt} \qquad (12)$$

where $i = 1, 2, \ldots, n$; $X_i = 0$, $|Z_i| = \infty$ and $\delta_i = 0$ if there is no generator at bus $i$.

As $d\Delta f/dt$ is small,

$$U_{2i-1} \approx \frac{|V_i|\,X_i}{|Z_i|}\cos\left(\angle V_i - \angle Z_i - \delta_i\right)\left(\omega_i - \omega_{Re}\right), \qquad U_{2i} \approx \frac{|V_i|\,X_i}{|Z_i|}\sin\left(\angle V_i - \angle Z_i - \delta_i\right)\left(\omega_i - \omega_{Re}\right) \qquad (13)$$

One can assume that $G_x$ is diagonal in the computation without compromising accuracy, and then the $i$th sub system of (8) is represented by

$$\frac{d|V_i|}{dt} = -\frac{U_{2i-1}}{G_x(2i-1, 2i-1)}, \qquad \frac{d\angle V_i}{dt} = -\frac{U_{2i}}{G_x(2i, 2i)} \qquad (14)$$

where $i = 1, 2, \ldots, n$, and $G_x(2i-1, 2i-1)$ is the element at row $2i-1$ and column $2i-1$ of $G_x$. Note that $d|V_i|/dt = d\angle V_i/dt = 0$ if there is no generator at bus $i$, which is reasonable since the change of the voltages at load buses is driven by the voltages at generator buses. Consequently, $d|V_i|/dt$ and $d\angle V_i/dt$ do not depend on $|V_i|$ and $\angle V_i$.
The proposed algorithm calculates MCLEs of the sub systems that have generators at the corresponding buses. The computation method is introduced in the following.
3.3 Computation method
MCLEs are calculated over a limited time window. PMU measurements are extracted to observe the time-varying values of the state variables of the sub systems. The unobservable part of the state variables is approximated through the implicit integration method with the trapezoidal rule [13]. At the same time, the observable part is estimated by the same method as a backup of the PMU data. If a PMU is compromised, this is detected by comparing the PMU data with the corresponding estimation results, and the estimation results are used in the MCLE calculation instead. The algorithm in [13], the standard method with Gram-Schmidt reorthonormalization (GSR), is then used to compute the MCLEs. If the values of the MCLEs exceed a predefined limit, voltage instability is predicted, and control signals are sent to EMS to prevent it.
The selection of the length of the time interval could be arbitrary. Studies show that MCLEs are robust to the length of the time interval: MCLEs computed over time intervals of different lengths all have very high values if voltage instability is going to happen. In this research, the time interval length is set to 0.2 s, which is short while still containing enough PMU measurements.
3.4 Control actions
When the value of the MCLE of a sub system exceeds a predefined limit, the proposed algorithm sends a control signal through EMS to the excitation system of the generator related to that sub system. The reference value of the generator internal voltage magnitude is modified as follows:

$$X^{Gen}_{ref,new} = \left(1 + \frac{M_{MCLE}}{C_{const}}\right)X^{Gen}_{ref,old} \qquad (15)$$

where $C_{const}$ is a predefined constant. Voltage instability can be prevented by the fast response of the excitation system.
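The decision chain of Sections 3.2 to 3.4 in one place, as an added example that is not code from the paper: a two-trajectory estimate of the MCLE over one window with per-step renormalization (the single-vector case of the GSR method the paper takes from [13]), the PMU-versus-estimate check of Section 3.3, the limit test, and the reference update of eq. (15). The Table 4 series for Attack 2 and Attack 10 are the paper's numbers; the 60 Hz PMU rate, the toy linear sub system, the tolerance and the value of $C_{const}$ are assumptions made for the demonstration. The estimator is exercised on a linear sub system whose largest exponent (0.5 per second) is known, which is how to check it before pointing it at the sub systems of eq. (14). The driving variables $z_2$ enter through the explicit time dependence of the right-hand side, which is what makes the exponent conditional.

```python
"""IRS decision chain of Sections 3.2-3.4: finite-window estimate of the
maximal conditional Lyapunov exponent (MCLE) of a sub system, the PMU
integrity check, the limit test, and the excitation reference update of
eq. (15). Pure Python, no third-party packages."""
import math

MCLE_LIMIT = 800.0      # limit set from the case study (Section 4)
WINDOW_S = 0.2          # window length used in the paper
PMU_RATE_HZ = 60.0      # assumed PMU reporting rate: 12 samples per window

# MCLE of bus G3 from Table 4, 0.2 s windows starting at t = 0 (attack at t = 0.4 s).
ATTACK2_MCLE = [-2.77e-3, -2.62e-2, 7.25, 28.1, 62.3, 114.0, 190.0, 183.0, 69.8]
ATTACK10_MCLE = [-2.77e-3, -2.62e-2, 71.2, 245.0, 527.0, 1030.0, 2050.0]


def rk4_step(f, t, z, h):
    """One classical Runge-Kutta step for dz/dt = f(t, z), z a list of floats."""
    k1 = f(t, z)
    k2 = f(t + h / 2, [zi + h / 2 * ki for zi, ki in zip(z, k1)])
    k3 = f(t + h / 2, [zi + h / 2 * ki for zi, ki in zip(z, k2)])
    k4 = f(t + h, [zi + h * ki for zi, ki in zip(z, k3)])
    return [zi + h / 6 * (a + 2 * b + 2 * c + d)
            for zi, a, b, c, d in zip(z, k1, k2, k3, k4)]


def mcle_over_window(f, z1_0, t0, window=WINDOW_S, h=1.0 / PMU_RATE_HZ,
                     eps=1e-6, direction=None):
    """Finite-window estimate of the maximal CLE of dz1/dt = f(t, z1).

    The driving variables z2 (the rest of the grid) are folded into the explicit
    time dependence of f. A reference trajectory and a trajectory displaced by
    eps are integrated side by side; after every step the displacement is
    rescaled back to eps (Gram-Schmidt reorthonormalisation for one vector) and
    log(growth) is accumulated. The result is the mean exponential growth rate
    over the window, i.e. the exponent in eq. (11) for this window.
    """
    n = len(z1_0)
    d = direction or [1.0] + [0.0] * (n - 1)
    norm = math.sqrt(sum(c * c for c in d))
    ref = list(z1_0)
    per = [r + eps * c / norm for r, c in zip(ref, d)]
    log_growth, t = 0.0, t0
    steps = int(round(window / h))
    for _ in range(steps):
        ref = rk4_step(f, t, ref, h)
        per = rk4_step(f, t, per, h)
        t += h
        diff = [p - r for p, r in zip(per, ref)]
        size = math.sqrt(sum(c * c for c in diff))
        log_growth += math.log(size / eps)
        per = [r + eps * c / size for r, c in zip(ref, diff)]   # renormalise
    return log_growth / (steps * h)


def select_voltage(pmu_value, estimated_value, tol):
    """Section 3.3 integrity check: a PMU value that disagrees with the
    trapezoidal-rule estimate by more than tol is treated as compromised and
    the estimate is used in the MCLE calculation instead."""
    return pmu_value if abs(pmu_value - estimated_value) <= tol else estimated_value


def first_window_over_limit(mcle_series, t_start=0.0, window=WINDOW_S,
                            limit=MCLE_LIMIT):
    """Index and start time of the first window whose MCLE exceeds the limit,
    or None when no window does (no instability predicted)."""
    for k, m in enumerate(mcle_series):
        if m > limit:
            return k, t_start + k * window
    return None


def new_excitation_reference(x_ref_old, m_mcle, c_const):
    """Eq. (15): raise the internal voltage reference in proportion to the MCLE."""
    return (1.0 + m_mcle / c_const) * x_ref_old


if __name__ == "__main__":
    def toy(t, z):
        # Linear sub system with a known maximal exponent of 0.5 (assumed test case).
        return [0.5 * z[0], -2.0 * z[1]]
    print("MCLE over one 0.2 s window:", mcle_over_window(toy, [1.0, 1.0], 0.0))
    print("Attack 10, first window over the limit:", first_window_over_limit(ATTACK10_MCLE))
    print("Attack 2, first window over the limit:", first_window_over_limit(ATTACK2_MCLE))
    print("X_ref,new for M_MCLE = 1030, C_const = 10000:",
          new_excitation_reference(1.05, 1030.0, 10000.0))
```

A short window only returns the limit in (9) when the initial displacement is aligned with the dominant direction; a generic direction gives a lower number over 0.2 s, which is one reason to read the series of window values (as Table 4 does) rather than a single one. On the Attack 10 series the limit of 800 is first crossed in the window starting at t = 1.0 s, before the instability the paper reports at t = 1.42 s; on the Attack 2 series it is never crossed.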
4 Case study
Wind farm SCADA systems are selected for the case study because wind power is a fast-emerging renewable resource on power grids and has the potential to affect the dynamical performance of power systems.
4.1 Wind farm SCADA systems
The generic network configuration of wind farm SCADA systems is identified and shown in Fig. 4. Every wind turbine is equipped with a wind turbine control panel (WTCP), which monitors and controls the wind turbine. The WTCP is normally mounted in the tower base and is easily accessible. Through the WTCPs, servers in a control room support monitoring and control of the wind turbines within a wind farm. However, the control room is normally not staffed and is used only on maintenance occasions. Wind farms in separate locations are integrated into a single EMS in a main control center through a control wide area network (WAN). In the control center, system analysts oversee every turbine at the wind farms. The control center interfaces restrictively with corporate networks for business and operational reasons.

Fig. 4 Generic network configuration of wind farm SCADA systems (wind turbines WT1, WT2, ..., WTx, each with a WTCP, on an Ethernet to the control room's SCADA server, application server, workstation and data storage; a router and firewall to the control WAN and a firewall-protected remote access path; the main control center with a redundant LAN, SCADA server, application server, engineering workstation, view node and data storage, separated by a firewall from the corporate LAN)

Vulnerabilities are identified in [14], including configuration management of WTCPs (r1), implicit trust between WTCPs and a control room (r2), implicit trust between control rooms and a control center (r3), wireless network (r4), optical fibers (r5), virtual private network (r6), digital microwave (r7), poor access control within a control room (r8), poor access control within a control center (r9), bad configuration of remote access (r10), weak firewall policy (r11), and human errors (r12).

The vulnerabilities are evaluated through DERFEM; the results are shown in Table 2. An attack graph is built as shown in Fig. 5. Nine possible intrusion scenarios are identified, and the probability of occurrence of every scenario is calculated, as shown in Table 3.

The intrusion scenarios show that, if successfully executed, a hacker gains some level of control access to several or even hundreds of WTCPs. The output of the compromised wind farms can then be maliciously manipulated. The impact on power system dynamics is studied next.

In Fig. 5, the states are: z1 = (hacker, WTCP, 5); z2 = (hacker, WTCP, 0); z3 = (hacker, WTCPs in a wind farm, 2); z4 = (hacker, WTCPs in a wind farm, 0); z5 = (hacker, WTCPs in a wind farm, 1); z6 = (hacker, WTCPs in a wind farm, 4); z7 = (hacker, SCADA server in the control room, 3); z8 = (hacker, SCADA server in the control room, 0); z9 = (hacker, SCADA server in the control room, 4); z10 = (hacker, SCADA server in the control center, 2); z11 = (hacker, SCADA server in the control center, 0); z12 = (hacker, SCADA server in the control room, 5); z13 = (hacker, workstation in the control room, 5); z14 = (hacker, workstation in the control room, 0); z15 = (hacker, SCADA server in the control center, 5); z16 = (hacker, workstation in the control center, 5); z17 = (hacker, workstation in the control center, 0); z18 = (hacker, workstation in the corporate LAN, 5); z19 = (hacker, workstation in the corporate LAN, 0); z20 = (hacker, remote access point, 5); z21 = (hacker, remote access point, 0).

The actions are: a1 = (password cracking, z2, z1, r1); a2 = (jamming, z4, z3, r4); a3 = (passive tapping, z4, z5, r5); a4 = (man-in-the-middle attack, z7, z6, r2); a5 = (active tapping, z8, z7, r5); a6 = (spoof, z9, z6, r2); a7 = (spoof, z10, z9, r3); a8 = (DOS attack, z11, z10, r6); a9 = (jamming, z11, z10, r7); a10 = (spoof, z12, z6, r2); a11 = (internal attack, z8, z12, r12); a12 = (malware infection, z13, z12, r8); a13 = (infected portable storage device attack, z14, z13, r12); a14 = (malware infection, z15, z12, r3); a15 = (malware infection, z16, z15, r9); a16 = (infected portable storage device attack, z17, z16, r12); a17 = (malware infection, z18, z16, r11); a18 = (infected portable storage device attack, z19, z18, r12); a19 = (phishing, z19, z18, r12); a20 = (malware infection, z20, z18, r10); a21 = (infected portable storage device attack, z21, z20, r12); a22 = (phishing, z21, z20, r12).

4.2 Simulation results

The IEEE 39 bus system [15] shown in Fig. 6 is used for simulations. Generators G5 and G9 (marked with two rectangles) are replaced by two wind farms comprised of hundreds of variable speed wind turbines utilizing doubly-fed induction generators (DFIGs). The rating of each wind turbine is 2.0 MW. From the system point of view, the wind farms are considered constant negative loads during the transient period, due to the fast control capability of the power electronics within the wind turbines. The other generators are classically modeled and the loads are represented by ZIP models.

MCLEs are calculated for the generator buses (except G5 and G9) by the proposed algorithm every 0.2 s to monitor power system stability. Assume that at t = 0.4 s, a hacker maliciously manipulates the power output of G5 (or G9) to some extent. Part of the simulation results is shown in Table 4. The attacks in Table 4 are defined as follows.
Table 2 Results of DERFEM (row $r_i$, column $r_j$ holds $s_{r_j r_i}$; the last column is the vulnerable level $r(r_i)$)

| Vulnerability | r1 | r2 | r3 | r4 | r5 | r6 | r7 | r8 | r9 | r10 | r11 | r12 | r(r_i) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| r1 | 1 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 1.0 |
| r2 | 0.6 | 1 | 0.9 | 0.7 | 0.5 | 0.8 | 0.8 | 0.6 | 0.6 | 0.5 | 0.6 | 0.4 | 0.75 |
| r3 | 0.4 | 0.6 | 1 | 0.5 | 0.4 | 0.7 | 0.8 | 0.3 | 0.2 | 0.3 | 0.2 | 0.5 | 0.50 |
| r4 | 0.5 | 0.4 | 0.6 | 1 | 0.7 | 0.7 | 0.7 | 0.6 | 0.5 | 0.4 | 0.6 | 0.5 | 0.5714 |
| r5 | 0.4 | 0.3 | 0.3 | 0.4 | 1.0 | 0.3 | 0.3 | 0.5 | 0.5 | 0.6 | 0.5 | 0.6 | 0.50 |
| r6 | 0.2 | 0.2 | 0.3 | 0.2 | 0.2 | 1.0 | 0.3 | 0.2 | 0.2 | 0.3 | 0.2 | 0.2 | 0.25 |
| r7 | 0.1 | 0.1 | 0.2 | 0.1 | 0.1 | 0.1 | 1.0 | 0.1 | 0.1 | 0.2 | 0.1 | 0.1 | 0.125 |
| r8 | 0.5 | 0.5 | 0.5 | 0.5 | 0.4 | 0.6 | 0.3 | 1.0 | 0.4 | 0.5 | 0.4 | 0.4 | 0.625 |
| r9 | 0.2 | 0.3 | 0.1 | 0.3 | 0.2 | 0.2 | 0.2 | 0.2 | 1.0 | 0.2 | 0.2 | 0.1 | 0.25 |
| r10 | 0.7 | 0.4 | 0.6 | 0.5 | 0.4 | 0.6 | 0.5 | 0.6 | 0.6 | 1.0 | 0.6 | 0.4 | 0.6667 |
| r11 | 0.4 | 0.5 | 0.4 | 0.5 | 0.4 | 0.5 | 0.3 | 0.5 | 0.5 | 0.5 | 1.0 | 0.5 | 0.5 |
| r12 | 0.3 | 0.3 | 0.4 | 0.3 | 0.3 | 0.2 | 0.2 | 0.3 | 0.3 | 0.3 | 0.2 | 1.0 | 0.375 |
Table 3 Intrusion scenarios and probabilities

| Intrusion scenario | Pb |
|---|---|
| a1 | 1 |
| a2 | 0.5714 |
| a3 | 0.5 |
| a5 → a4 or a11 → a10 | 0.5508 |
| a8 (or a9) → a7 → a6 | 0.1289 |
| a13 → a12 → a10 | 0.1758 |
| a16 → a15 → a14 → a10 | 0.0352 |
| a18 (or a19) → a17 → a15 → a14 → a10 | 0.0176 |
| a21 (or a22) → a20 → a17 → a15 → a14 → a10 | 0.0117 |

Fig. 5 Constructed attack graph (states z1 to z21 as vertices; each action a1 to a22 is a directed edge from its initial state $z_s$ to its final state $z_d$)

Attack 1: PGen of G5 is reduced by 10 MW. Attack 2: QGen of G5 is reduced by 10 Mvar. Attack 3: PGen of G5 is reduced by 100 MW. Attack 4: QGen of G5 is reduced by 100 Mvar. Attack 5: PGen of G9 is reduced by 10 MW. Attack 6: QGen of G9 is reduced by 7.5 Mvar. Attack 7: PGen of G9 is reduced by 100 MW. Attack 8: QGen of G9 is reduced by 75 Mvar. Attack 9: PGen of G5 is reduced by half. Attack 10: QGen of G5 is reduced by half. Attack 11: QGen of G5 is reduced to -QGen. Attack 12: PGen of G9 is reduced by half. Attack 13: PGen of G5 is reduced by half, QGen of G5 is reduced by half, and PGen of G9 is reduced by half. Attack 14: PGen of G5 is reduced by 30 MW, QGen of G5 is reduced by 15 Mvar, PGen of G9 is reduced by 50 MW, and QGen of G9 is reduced by 10 Mvar.

The simulation results lead to the following conclusions.

1) The values of the MCLEs are close to 0 when the power system is in the steady state.

2) Upon an attack, the values of the MCLEs oscillate as time evolves, but remain limited if voltage instability is not likely to happen. During Attack 2, the reactive power output of G5 is reduced by 10 Mvar at t = 0.4 s. The MCLEs increase for a while and then decrease, as shown in Fig. 7a. The values stay below 200.

3) The values of the MCLEs increase constantly as time evolves if voltage instability is likely to happen within the power system. During Attack 10, the reactive power output of G5 is reduced by half at t = 0.4 s. Voltage instability happens at t = 1.42 s, as shown in Fig. 7b. The values of the MCLEs keep increasing after the attack, as shown in Fig. 7c.
Fig. 6 IEEE 10 generator 39 bus system
Table 4 MCLE of bus G3
Attack  0-0.2 s      0.2-0.4 s    0.4-0.6 s    0.6-0.8 s    0.8-1 s      1-1.2 s      1.2-1.4 s    1.4-1.6 s    1.6-1.8 s    Voltage instability
1       -2.77×10^-3  -2.62×10^-2  9.88×10^-1   2.77         3.84         3.69         2.96         3.55         7.29         N/A
2       -2.77×10^-3  -2.62×10^-2  7.25         2.81×10      6.23×10      1.14×10^2    1.90×10^2    1.83×10^2    6.98×10      N/A
3       -2.77×10^-3  -2.62×10^-2  6.90×10      2.11×10^2    3.94×10^2    6.83×10^2    1.22×10^3                              t = 1.57 s
4       -2.77×10^-3  -2.62×10^-2  1.17×10^2    4.08×10^2    9.12×10^2    1.98×10^3                                           t = 1.20 s
5       -2.77×10^-3  -2.62×10^-2  -1.01        -2.27        -3.16        -4.08        -4.58        -4.23        -2.78        N/A
6       -2.77×10^-3  -2.62×10^-2  6.04         2.21×10      4.65×10      8.18×10      1.32×10^2    1.09×10^2    4.81         N/A
7       -2.77×10^-3  -2.62×10^-2  3.45×10      1.05×10^2    2.00×10^2    3.51×10^2    6.12×10^2    1.10×10^3    2.17×10^3    t = 1.86 s
8       -2.77×10^-3  -2.62×10^-2  1.05×10^2    3.48×10^2    7.27×10^2    1.43×10^3                                           t = 1.24 s
9       -2.77×10^-3  -2.62×10^-2  2.31×10^2    7.65×10^2    1.72×10^3                                                        t = 1.03 s
10      -2.77×10^-3  -2.62×10^-2  7.12×10      2.45×10^2    5.27×10^2    1.03×10^3    2.05×10^3                              t = 1.42 s
11      -2.77×10^-3  -2.62×10^-2  3.55×10^2    1.37×10^3                                                                     t = 0.8 s
12      -2.77×10^-3  -2.62×10^-2  2.91×10^2    1.03×10^3    2.72×10^3                                                        t = 1.06 s
13      -2.77×10^-3  -2.62×10^-2  8.33×10^2                                                                                  t = 0.76 s
14      -2.77×10^-3  -2.62×10^-2  6.43×10      2.07×10^2    4.10×10^2    7.47×10^2    1.38×10^3                              t = 1.56 s
(One MCLE value per 0.2 s window. A row ends at the window in which the simulation reaches the voltage-instability time given in the last column.)
4) Voltage instability is likely to occur around the generator buses where MCLEs have high values. Taking Attack 10 as an example, the MCLEs of G2, G3, G4, G6 and G7 (circled in Fig. 6) are over 1000 at t = 1.4 s. Time-domain simulation results show that voltage instability happens around those generator buses. This is reasonable, as G2, G3, G4, G6 and G7 are close to G5.
Based on the simulation results, a predefined limit for the values of MCLEs is set to 800. If the MCLE of a generator bus exceeds the limit, voltage instability is predicted to happen around that generator bus, and the control signal

$$X_{\mathrm{ref,new}}^{\mathrm{Gen}} = \left(1 + \frac{M_{\mathrm{MCLE}}}{10000}\right) X_{\mathrm{ref,old}}^{\mathrm{Gen}} \qquad (15)$$

is sent to the excitation system of the related generator. Simulation results show that voltage instability can then be avoided. For example, during Attack 10, the MCLEs of G3, G4, G6 and G7 exceed 800 at t = 1.2 s. The corresponding control signals are sent to G3, G4, G6 and G7, and voltage instability is prevented, as shown in Fig. 7d.
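The monitoring rule and control signal above, replayed over the bus G3 trajectories of Table 4, as an added example that is not code from the paper. It applies the 800 limit to each 0.2 s window of Attacks 2, 5, 10 and 13, computes the excitation reference from (15) at the first crossing, and labels each trajectory as steady, bounded or rising in the sense of simulation conclusions 1) to 3). The three-way trend classifier, the window layout and the base reference X_ref,old = 1.0 p.u. are assumptions of this example; the MCLE values are those of Table 4.

```python
"""IRS decision logic over windowed MCLE values.

Added example, not the paper's code: it replays the MCLE trajectories of bus G3
reported in Table 4 through the monitoring rule of Section 4 (limit 800) and the
excitation-reference control signal (15). The trajectory classifier, the window
layout and the base reference X_ref,old = 1.0 p.u. are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MCLE_LIMIT = 800.0      # predefined limit for MCLE values (Section 4)
GAIN_DIVISOR = 10000.0  # denominator of the control signal (15)
ATTACK_WINDOW = 2       # attacks are applied at t = 0.4 s, i.e. from window index 2 on

# One value per 0.2 s window: 0-0.2 s, 0.2-0.4 s, ..., 1.6-1.8 s (Table 4, bus G3).
# A row ends where the paper reports voltage instability for that attack.
WINDOWS: List[Tuple[float, float]] = [
    (round(0.2 * i, 1), round(0.2 * (i + 1), 1)) for i in range(9)
]
TABLE4_G3 = {
    2:  [-2.77e-3, -2.62e-2, 7.25, 2.81e1, 6.23e1, 1.14e2, 1.90e2, 1.83e2, 6.98e1],
    5:  [-2.77e-3, -2.62e-2, -1.01, -2.27, -3.16, -4.08, -4.58, -4.23, -2.78],
    10: [-2.77e-3, -2.62e-2, 7.12e1, 2.45e2, 5.27e2, 1.03e3, 2.05e3],
    13: [-2.77e-3, -2.62e-2, 8.33e2],
}


@dataclass
class IrsDecision:
    trend: str                     # "steady", "bounded" or "rising" (classifier is an assumption)
    alarm: bool                    # True once an MCLE value exceeds MCLE_LIMIT
    alarm_time_s: Optional[float]  # end of the first window that exceeded the limit
    mcle: Optional[float]          # the MCLE value that raised the alarm
    xref_new: Optional[float]      # excitation reference to send, per (15)


def new_excitation_reference(mcle: float, xref_old: float) -> float:
    """Control signal (15): X_ref,new = (1 + M_MCLE / 10000) * X_ref,old."""
    return (1.0 + mcle / GAIN_DIVISOR) * xref_old


def classify_trend(mcle_windows: List[float], limit: float = MCLE_LIMIT) -> str:
    """Map a trajectory to the three behaviours of the simulation conclusions.

    "steady":  no post-attack windows, or every value close to zero (conclusion 1).
    "rising":  values keep increasing after the attack and reach the limit (conclusion 3).
    "bounded": anything else, e.g. rise-then-fall below the limit (conclusion 2).
    """
    post = mcle_windows[ATTACK_WINDOW:]
    if not post or max(abs(v) for v in mcle_windows) < 1.0:
        return "steady"
    rising = all(b > a for a, b in zip(post, post[1:]))
    if rising and post[-1] > limit:
        return "rising"
    return "bounded"


def evaluate(mcle_windows: List[float], xref_old: float = 1.0) -> IrsDecision:
    """Apply the IRS rule: alarm and compute the control signal at the first limit crossing."""
    trend = classify_trend(mcle_windows)
    for idx, value in enumerate(mcle_windows):
        if value > MCLE_LIMIT:
            return IrsDecision(trend, True, WINDOWS[idx][1], value,
                               new_excitation_reference(value, xref_old))
    return IrsDecision(trend, False, None, None, None)


def run_all(table=TABLE4_G3):
    """Evaluate every stored attack trajectory; returns {attack number: IrsDecision}."""
    return {attack: evaluate(row) for attack, row in table.items()}


if __name__ == "__main__":
    for attack, d in run_all().items():
        print(f"Attack {attack:2d}: trend={d.trend:8s} alarm={d.alarm} "
              f"t={d.alarm_time_s} MCLE={d.mcle} X_ref,new={d.xref_new}")
```

Running the script prints one line per attack. For Attack 10 the alarm fires at the end of the 1-1.2 s window, where the Table 4 value 1.03×10^3 first exceeds the limit, matching the t = 1.2 s cited in the text, and the new reference is 1.103 times the old one; Attack 2 is classified as bounded and never raises an alarm, and Attack 5, whose MCLEs go negative, is bounded as well.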
5 Conclusion
A risk assessment framework with a PMU-based IRS is proposed for power control systems. The main idea of IRS is to calculate MCLEs for generator buses in order to monitor voltage stability. The higher the values of the MCLEs, the more likely voltage instability is to occur around the corresponding generator buses. The MCLE method rests on a solid analytical foundation and is validated by simulation results.
This research contributes significantly to the development of a more reliable and secure power grid. Future research includes the following aspects.
1) For a large cyber system with numerous security vulnerabilities, DERFEM may not be sufficient. Statistical analysis techniques may be coupled with DERFEM to improve the evaluation results.
2) A dedicated control strategy will be developed in IRS for control actions to prevent voltage instability. The voltages exceed 1.2 after 1.8 s in Fig. 7d because IRS employs a control action on a simplified excitation system. The dedicated control strategy will be studied with full-scale excitation systems.
use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
References
[1] Falliere N, Murchu LO, Chien E (2011) W32.stuxnet dossier. Symantec, Cupertino
[2] Roadmap to secure control systems in the energy sector. http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/roadmap.pdf%23search%3d%e2%80%98Roadmap%2bto%2bSecure%2bControl%2bSystems%2bin%2bthe%2bEnergy%2bSector
[3] Standards. http://www.nerc.com/pa/stand/Pages/default.aspx
[4] Cleveland F (2006) IEC TC57 security standards for the power systems information infrastructure - beyond simple encryption. In: Proceedings of the 2005/2006 IEEE PES transmission and distribution conference and exhibition, Dallas, 21-24 May 2006, pp 1079-1087
[5] Sheldon F, Batsell S, Prowell S et al (2005) Control systems cybersecurity awareness. United States Computer Emergency Readiness Team (US-CERT), Washington, DC
[6] Depoy J, Phelan J, Sholander P et al (2005) Risk assessment for physical and cyber-attacks on critical infrastructures. In: Proceedings of the IEEE military communications conference (MILCOM05), vol 3, Atlantic City, 17-20 Oct 2005, pp 1961-1969
[7] Ten CW, Manimaran G, Liu CC (2010) Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybern A 40(4):853-865
[8] Ten CW, Liu CC, Manimaran G (2008) Vulnerability assessment of cybersecurity for SCADA systems. IEEE Trans Power Syst 23(4):1836-1846
[9] Sheyner OM (2004) Scenario graphs and attack graphs. Ph D Thesis, Carnegie Mellon University, Pittsburgh
[10] Pecora LM, Carroll TL (1990) Synchronization in chaotic systems. Phys Rev Lett 64:821-824
[11] Pecora LM, Carroll TL (1991) Driving systems with chaotic signals. Phys Rev A 44(4):2374-2385
[12] Vilela-Mendes R (1998) Conditional exponents, entropies and a measure of dynamical self-organization. Phys Rev A 248(2/3/4):167-171
[13] Yan J, Liu CC, Vaidya U (2011) PMU-based monitoring of rotor angle dynamics. IEEE Trans Power Syst 26(4):2125-2133
[14] Yan J, Liu CC, Govindarasu M (2011) Cyber intrusion of wind farm SCADA system and its impact analysis. In: Proceedings of the 2011 IEEE PES power systems conference and exposition, Phoenix, 20-23 Mar 2011, 6 pp
[15] IEEE 10 generator 39 bus system. http://sys.elec.kitami-it.ac.jp/ueda/demo/WebPF/39-New-England.pdf
Jie YAN received his Ph.D. degree from Iowa State University. He is currently a market engineer in MISO.
Manimaran GOVINDARASU received the Ph.D. degree in computer science and engineering from the Indian Institute of Technology, Madras, India, in 1998. He is currently an associate professor with the Department of Electrical and Computer Engineering, Iowa State University (ISU). His research expertise is in the areas of resource management in real-time systems and networks, overlay networks, network security, and their applications to critical infrastructures such as the electric grid. He has published over 100 peer-reviewed research publications. He is the coauthor of the book
Fig. 7 Simulation results
3) IRS is not only able to monitor voltage stability under cyber intrusions, but can also be used to monitor voltage stability after disturbances. It is promising to integrate IRS with the on-line monitoring scheme in [13], so that a control center can monitor both voltage dynamics and rotor angle dynamics.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted
entitled Resource Management in Real-Time Systems and Networks (MIT Press, 2001). He received the Young Engineering Research Faculty Award at ISU in 2003. He has given tutorials on Internet infrastructure security in conferences, such as the IEEE Infocom 2004 and IEEE ComSoc Tutorials Now (2004), and served as Workshop Cochair, Symposium Cochair, and Session Chair on many occasions.
Chen-Ching LIU received his Ph.D. degree from the University of California, Berkeley. He is currently the Boeing Distinguished Professor of the School of Electrical Engineering and Computer Science at Washington State University, and also a professor of power systems at University College Dublin, Ireland. From 2006 to 2008, he was Palmer Chair Professor of electrical and computer engineering at Iowa State University. Prior to joining ISU, he was a professor of electrical engineering at the University of Washington, Seattle. He received the IEEE PES Outstanding Power Engineering Educator Award in 2004. He served as Chair of the Technical Committee on Power System Analysis, Computing, and Economics, IEEE Power and Energy Society, from 2005 to 2006.
Ming NI received his B.S. and Ph.D. degrees in electrical engineering in 1991 and 1996, respectively, from Southeast University of China. He is now the special expert in NARI Technology Co. Ltd. His main research interests include the mutual impact between ICT and power systems. Before joining NARI Technology Co. Ltd. in 2012, he was the manager of economic studies in MISO, Minnesota, USA.
Umesh VAIDYA received the Ph.D. degree in mechanical engineering from the University of California at Santa Barbara, Santa Barbara, in 2004. He was a research engineer at the United Technologies Research Center (UTRC), East Hartford, CT. He is currently an assistant professor in the Department of Electrical and Computer Engineering, Iowa State University. His research interests include dynamical systems and control theory, in particular analysis and control of nonequilibrium behavior in nonlinear systems and application of ergodic theory methods to control problems.
The Author(s) 2015