Time-Delay Switch Attack on Load Frequency Control in Smart Grid


Arman Sargolzaei (1,a), Kang K. Yen (1,b), M. N. Abdelghani (2,c)

(1) Department of Electrical and Computer Engineering, Florida International University, Miami, USA
(2) Department of Mathematics and Statistical Sciences, University of Alberta, Edmonton, Canada

[email protected], [email protected], [email protected]

Keywords: Systems with delay, TDS attack, Smart grids, Load frequency control (LFC), Switched systems, Power systems component, Hybrid systems

Abstract. Current smart power grids have a communication infrastructure intended to improve the efficiency, reliability and sustainability of supply. However, their open communication architecture makes them vulnerable to cyber-attacks with potentially catastrophic consequences. In this paper, we propose a new model of the time-delay switch (TDS) attack by introducing a different time delay into each state in the dynamics of a power system. That is, we delay the telemetered sensed state of a plant by a specific amount of time for some specified attack duration. Such an attack will have devastating consequences, or introduce hidden inefficiency, on smart grids if no preventive measures are considered in the design of these power systems. Here we consider examples of the effects of the TDS attack on the dynamic performance of a power system. To do this, we first formulate a state space model of a smart power grid system under TDS attack using a hybrid systems approach. Then we prove by analysis and demonstrate by simulation how a TDS attack can be used to sabotage and destabilize a smart grid.

1. Introduction

Power grids and water supply systems are constantly updated with new telecommunication technologies for control and monitoring to improve the efficiency, reliability and sustainability of supply and distribution. However, this modernization effort relies on computers and multi-purpose networks, which make power grids and water supply systems vulnerable to cyber-attacks that may have a major impact on people's lives and the economy. For example, the US power grid is operated with SCADA, i.e. supervisory control and data acquisition systems. SCADA systems are industrial control systems for large-scale processes that include multiple sites and are operated over long distances. Despite the precautions, several cyber-attacks on SCADA systems have been reported [1, 2, 3, 4, 5, 6]. Furthermore, replacing proprietary communication networks by open communication standards exposes process control and SCADA systems to the risks associated with open networks, such as corrupted data, network delays and cyber-attacks [7].

Investigating methods of attack on the industrial control systems of sensitive infrastructures, and devising countermeasures and security control protocols, has attracted the attention of academia, industry and governments. Their efforts have culminated in a large number of studies and in many hardware and software systems dedicated to security countermeasures that prevent possible attacks on industrial systems. We will review some of the most common attacks and expand on an attack known as the time-delay switch attack, or TDS for short.

Generally, an intruder mounts an attack on the IT infrastructure of industrial control systems by obtaining access to various sensors and control signals and/or manipulating them to disrupt and sabotage the systems. For instance, an intruder can disrupt a power system by increasing the load on a particular power transformer, by shutting down one or more sections of a smart power grid, or by introducing inefficiencies in the power supply [8, 9, 10, 11].

2013 International Conference on Advances in Communication Technology; Advances in Communication Technology, Vol. 5. 978-1-61275-063-7/10/$25.00 ©2013 IERI ICACT 2013

Delay attacks that can occur on communication lines have been studied in [12] for sensor networks. A class of false data injection (FDI) attacks bypassing the bad data detection in SCADA systems was proposed in [11]. In [13], adversaries launched FDI attacks against the state estimates of power systems knowing only a perturbed model of the power system. Y. Mo et al. [14] studied FDI attacks on a control system equipped with a Kalman filter. In [15], the smallest set of adversary-controlled meters needed to perform an unobservable attack was identified. Recently, Amin et al. [8] considered denial of service (DoS) attacks on the communication channels carrying the measurements telemetered by remote terminal units (RTUs) to the control center of a power system. They demonstrated that an adversary may make power systems unstable by properly designing DoS attack sequences. Liu et al. [10] considered how a switched-DoS attack on a smart grid can affect the dynamic performance of its power systems. The Viking projects [16, 17] considered cyber-attacks on Load Frequency Control (LFC), one of the few automatic control loops in SCADA power systems. They analyzed the impacts of cyber-attacks on the control centers of power systems using reachability methods. However, they only considered attacks on the control centers, which are usually harder to attack than the communication channels in the sensing loop of a power system.

In this paper, we will focus on the impact of introducing time delays in the sensing loop (SL) or in the automatic generation control (AGC) signal--the only automatic closed loop between the IT and the power system in the controller area. When an adversary chooses to introduce delays in a control system, he or she is performing a time-delay-switch (TDS) attack. Our work will show how TDS attacks could make any control system, in particular a power control system, unstable. Therefore, future smart grids will have to use advanced two-way communication and artificial intelligence technologies to provide better situational awareness of power grid states, keeping smart grids reliable and safe from FDI, DoS or TDS attacks. While smart grid technologies will facilitate the aggregation and communication of both system-wide information and local measurements, they will certainly introduce their own cyber security challenges.

This paper is organized as follows. The power system and TDS attacks are modeled using a hybrid systems approach in Section 2. In Section 3, damage and risk assessment of power systems under TDS attacks are analyzed using sabotage and instability analysis. In Section 4 we evaluate the effects of TDS attacks on an LTI approximation of a two-area LFC model.

[Figure 1: block diagram of a two-area power system (Power Area 1, Power Area 2). Each area contains Load Frequency Control, Sensors, Loads and Other parts; Reference Inputs and Control Signals travel over Communication channels through switches SW, where the Attacker sits; the two areas are coupled by the Tie line power flow.]

Figure 1 Two-area power system with Load Frequency Control (LFC) under TDS attacks

2. Model of Power Systems with TDS Attacks

It is reasonable to model a power system under TDS attacks as a hybrid system, by formulating TDS attacks as a switch action, “Off/Delay-by-τ”, applied to the sensed system states or control signals of a power system, where τ (the symbol used here for the delay) is some random delay time. Here we will consider the TDS attack on the LFC system.

Consider the two-area power system with automatic generation control in Fig. 1 [10]. The LFC sends control signals to the plant, and the controller is updated with feedback states through the communication channels from/to the turbine and from the telemetered measurements of the RTUs. The communication channels are wireless networks. Attacks can be launched by jamming the communication channels (i.e. DoS attack), by distorting feedback signals (e.g. FDI attack) or by injecting delays (i.e. TDS attack) into the data coming from the telemetered measurements.

An LFC is usually designed as an optimal feedback controller. For the LFC to operate optimally, it requires the power state estimates to be telemetered in real time. If an adversary introduces significant time delays into the telemetered control signals or measured states, the LFC will deviate from its optimality and in most cases the system will break down.

The two-area power system model and its extension to the multi-area interconnected power system have been proposed in [10]. The dynamic model of the LFC for the K-th area is given by

$$\dot X_K(t) = A_{KK} X_K(t) + B_K U_K(t) + f_L\big(X(t), \Delta P_l^K\big), \qquad X_K(0) = X_{K0} \tag{1}$$

where $X_K \in \mathbb{R}^5$ and $U_K \in \mathbb{R}^5$ are the state and control vectors, respectively (deviations from the nominal operating point are written with $\Delta$ here). This model also depends on the L-th power area. The matrices $A_{KK}$ and $B_K$ are constant matrices of appropriate dimensions, $\Delta P_l^K$ is the load deviation, and $X_{K0}$ is the initial value vector of the K-th power area. The state vector is defined as

$$X_K(t) = \big[\,\Delta f_K \;\; \Delta P_{gK} \;\; \Delta P_{tuK} \;\; \Delta P_{pfK} \;\; e_K\,\big]^T \tag{2}$$

where $\Delta f_K$, $\Delta P_{gK}$, $\Delta P_{tuK}$, $\Delta P_{pfK}$ and $e_K$ are the frequency deviation, the power deviation of the generator, the valve position of the turbine, the tie-line power flow and the control error of the K-th power area, respectively. The control error of the K-th power area is expressed as

$$e_K(t) = \int_0^t \beta_K\, \Delta f_K\, dt \tag{3}$$

where $\beta_K$ (the symbol used here for it) denotes the frequency bias factor. In the dynamic model of the LFC, $A_{KK}$, $B_K$ and $f_L(X(t), \Delta P_l^K)$ are represented by

$A_{KK}$ (equation (4)) is the $5 \times 5$ system matrix of the K-th area; its nonzero entries are formed from $1/J_K$, the speed-droop and damping coefficients, $1/T_{gK}$, $1/T_{tuK}$, the frequency bias factor and the tie-line terms $\sum_{L=1,\,L\neq K}^{N} T_{KL}$.

$$B_K = \big[\,0 \;\; 0 \;\; 1/T_{gK} \;\; 0 \;\; 0\,\big]^T \tag{5}$$

$$f_L\big(X(t), \Delta P_l^K\big) = \sum_{L=1,\,L\neq K}^{N} A_{KL}\, X_L(t) + D_K\, \Delta P_l^K \tag{6}$$

where N is the total number of power areas; $J_K$, $T_{gK}$ and $T_{tuK}$ are the generator moment of inertia, the governor time constant and the turbine time constant of the K-th power area, the two remaining area parameters are its speed-droop coefficient and generator damping coefficient, and $T_{KL}$ is the stiffness constant between the K-th and the L-th power areas. Also we have

$A_{KL}$ (equation (7)) is a $5 \times 5$ coupling matrix whose only nonzero element is the tie-line term in $T_{KL}$, and $D_K$ (equation (8)) is the $5 \times 1$ load-disturbance input vector whose only nonzero element, $1/J_K$ up to the sign convention chosen for the load deviation, sits in the frequency component.

Equation (9) gives the extension of the dynamic model (1) to the multi-area power system with the attack model, using Equations (4), (5), (6), (7) and (8):

$$\dot X(t) = A X(t) + B U(t) + D\, \Delta P_l, \qquad X(0) = X_0 \tag{9}$$

where

$$A = \begin{bmatrix} A_{11} & A_{12} & A_{13} & \cdots & A_{1N} \\ A_{21} & A_{22} & A_{23} & \cdots & A_{2N} \\ A_{31} & A_{32} & A_{33} & \cdots & A_{3N} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ A_{N1} & A_{N2} & A_{N3} & \cdots & A_{NN} \end{bmatrix} \tag{10}$$

$$B = \mathrm{diag}\{B_1, B_2, B_3, \ldots, B_N\}^T \tag{11}$$

$$D = \mathrm{diag}\{D_1, D_2, D_3, \ldots, D_N\}^T \tag{12}$$

The optimal feedback controller is given by

$$U = K \hat X \tag{13}$$

and the new state after the attack can be modeled by

$$\hat X = \begin{bmatrix} \hat X_1 \\ \hat X_2 \\ \vdots \\ \hat X_N \end{bmatrix} = \begin{bmatrix} X_1(t - t_{d1}) \\ X_2(t - t_{d2}) \\ \vdots \\ X_N(t - t_{dN}) \end{bmatrix} \tag{14}$$

In (14), $t_{d1}, t_{d2}, \ldots, t_{dN}$ are different time-delays and are positive integers. When $t_{d1}, t_{d2}, \ldots, t_{dN}$ are all zero, the system is in normal operation. An adversary who gains access to the communication line can switch a delay attack on the line on and off to drive the system into abnormal operation. This paper analyzes TDS attacks in some detail and shows how they can be used to switch a system into unstable states.

The analysis starts with the design of an optimal controller for the LFC in normal operation (i.e., with no attack); then we analyze the behavior of the system under attack. Consider the system model described by (9) with the performance index

$$J = \frac{1}{2}\int_0^{t_f} \big\{X^T(t)\, Q\, X(t) + U^T(t)\, R\, U(t)\big\}\, dt \tag{15}$$

where the matrix $Q \in \mathbb{R}^{n \times n}$ is positive semi-definite and $R \in \mathbb{R}^{m \times m}$ is positive definite. The optimal control problem is then to obtain the optimal control $U^*(t)$ that minimizes the performance index (15), subject to the dynamics of the system with no time-delay in its states.

3. Sabotage and Instability Analysis

To show that TDS attacks can destabilize the system, we use the following proof for our hybrid system. Before commencing the proof of the destabilizing effect of the TDS attack, we assume that the LFC can be approximated by a linear time-invariant (LTI) system and that its optimal controller has the form $U(t) = K X(t)$. Under a TDS attack, the control can be described by

$$U(t) = \begin{cases} K X(t) & t < t_a \\ K X(t - \tau) & t_a \le t \le t_b \\ K X(t) & t > t_b \end{cases} \tag{16}$$

where $\tau$ (the symbol used here for the delay) is the set $\{t_{d1}, t_{d2}, \ldots, t_{dN}\}$, $t_a$ is the start time of the attack and $t_b$ is its end time. The system is obviously stable for all $t < t_a$, and may be stable for $t > t_b$, by the definition of the optimal controller. However, for $t_a \le t \le t_b$ it is not obvious that the system would be stable.

Theorem 1: Without loss of generality we suppose $t_b = \infty$. Then we consider the system described in (9) with an attack described by (16). The system under attack is not stable if the hybrid dynamic model of the system has at least one positive eigenvalue or at least one pole in the right half plane (RHP).

Proof: Consider (9) with $\Delta P_l = 0$ (for simplicity). Applying (16) to (9) for $t < t_a$, we obtain

$$\dot X(t) = A X(t) + B K X(t) \tag{17}$$

Its characteristic equation is

$$\big| sI - (A + BK) \big| = 0 \tag{18}$$

Solving (18) for $s$ gives the eigenvalues of the system before the attack. For $t \ge t_a$ the system is described by

$$\dot X(t) = A X(t) + B K X(t - \tau) \tag{19}$$

Taking the Laplace transform of the above equation, we obtain

$$s X = A X + B K e^{-\tau s} X \tag{20}$$

Let $X(t) = e^{st}$ be a proposed solution of (19); then we have

$$s e^{st} I = A e^{st} + B K e^{-\tau s} e^{st} \tag{21}$$

Here $s$ must satisfy the characteristic equation of the delay system (19), i.e.

$$\big| sI - A - B K e^{-\tau s} \big| = 0 \tag{22}$$

In order to keep the system in the same stable situation as before the attack, the new eigenvalues should be at the same places as the eigenvalues right before the attack. So from (18) and (22) we obtain

$$B K \big(I - e^{-\tau s} I\big) = 0 \;\Rightarrow\; e^{-\tau s} I = I \tag{23}$$

Equation (23) is satisfied if and only if $\tau = 0$. We can therefore conclude that for $\tau \neq 0$ the system (9) will be disturbed in those subspaces (time-delays), and for larger time-delays the system will be unstable.

4. Demonstration of Instability by Simulation

Simulation studies have been conducted to evaluate the effects of TDS attacks on the dynamics of the system. Based on Pontryagin's minimum principle [18], the optimal control law can be found for the system in its normal operation. For simplicity of discussion, we set $N = 2$, i.e. a two-power-area system. Table 1 shows the parameter values used in this process. Since the simulation over a certain duration tracks a step load change, we also apply the step load change to $\Delta P_l^1$ and set $\Delta P_l^2 = 0$.

Table 1 Parameter values for two-area power system optimal controller design

Parameter                             Value          | Parameter                             Value
J_1 (inertia, area 1)                 10             | speed-droop coefficient, area 1       0.05
damping coefficient, area 1           1.5            | T_g1                                  0.12 s
T_tu1                                 0.2 s          | T_tu2                                 0.45 s
T_12                                  0.198 pu/rad   | T_21                                  0.198 pu/rad
J_2 (inertia, area 2)                 12             | speed-droop coefficient, area 2       0.05
damping coefficient, area 2           1              | T_g2                                  0.18 s
R                                     100            | Q_f                                   0
Q                                     100            | t_f
β_1 (frequency bias, area 1)          21.5           | β_2 (frequency bias, area 2)          21

Then the instability of the system can be studied by finding the eigenvalues of the system before and after the attack. The roots (zeros) of (22) determine the stability of the system. For simulation simplicity, the fifth-order Padé approximation [19] has been used to approximate $e^{-\tau s}$:

$$\left| sI - A - B K\, \frac{30240 - 15120\tau s + 3360\tau^2 s^2 - 420\tau^3 s^3 + 30\tau^4 s^4 - \tau^5 s^5}{30240 + 15120\tau s + 3360\tau^2 s^2 + 420\tau^3 s^3 + 30\tau^4 s^4 + \tau^5 s^5} \right| = 0 \tag{24}$$

Fig. 2 shows the eigenvalues of the system before and after different TDS attacks. As $\tau$ grows beyond zero, the eigenvalues move from the LHP to the RHP. It clearly shows that the system becomes unstable for time-delays larger than 0.3 sec. In Fig. 2, crosses, points, circles and stars denote the eigenvalues of the system with no attack and under attacks with time delays of 0.1 sec, 0.4 sec and 0.6 sec, respectively. Fig. 3 shows the maximum eigenvalue as a function of the time-delay. Figures 2 and 3 clearly show that the system becomes unstable as the delay value increases.
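The characteristic equation (22) and its Padé form (24) also give a defender a design check: the delay margin, i.e. the largest telemetry delay the loop tolerates before an eigenvalue crosses into the RHP (the quantity Fig. 3 tracks). The Python below is an added example, not code from the paper: it applies the same fifth-order Padé approximation to a scalar loop $\dot x = a x + b k x(t-\tau)$ standing in for one telemetered state, with constructed values of a, b, k (not the Table 1 two-area model), decides stability with the Routh-Hurwitz test instead of locating roots, and bisects on τ to find the margin.

```python
"""Delay-margin check for a delayed feedback loop (added example, not from the paper).

The paper replaces e^{-tau s} in det(sI - A - BK e^{-tau s}) = 0 by its [5/5] Pade
approximant (eq. (24)).  Here the same is done for a scalar loop x' = a x + b k x(t - tau)
(one telemetered state; a, b, k are constructed, not the Table 1 LFC values), and the
Routh-Hurwitz test decides whether all roots lie in the LHP.  Bisection on tau then gives
the delay margin: the largest delay tolerated before a root enters the RHP (cf. Fig. 3).
"""

# Q(x) = x^5 + 30x^4 + 420x^3 + 3360x^2 + 15120x + 30240 (highest power first);
# e^{-x} ~ Q(-x)/Q(x), the coefficients that appear in eq. (24).
PADE5_Q = [1.0, 30.0, 420.0, 3360.0, 15120.0, 30240.0]


def poly_mul(p, q):
    """Product of two real polynomials, highest power first."""
    out = [0.0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] += pi * qj
    return out


def poly_add(p, q):
    """Sum of two polynomials, highest power first; the shorter one is zero-padded."""
    n = max(len(p), len(q))
    return [x + y for x, y in zip([0.0] * (n - len(p)) + p, [0.0] * (n - len(q)) + q)]


def delayed_char_poly(a, b, k, tau):
    """Monic degree-6 polynomial in z = tau*s:  (z - a tau) Q(z) - b k tau Q(-z),
    the Pade form of  s - a - b k e^{-tau s} = 0.  Half-planes agree since tau > 0."""
    q_neg = [c * (-1.0) ** (5 - i) for i, c in enumerate(PADE5_Q)]   # Q(-z)
    return poly_add(poly_mul([1.0, -a * tau], PADE5_Q), [-b * k * tau * c for c in q_neg])


def routh_hurwitz_stable(coeffs, eps=1e-12):
    """True iff every root of the real polynomial (highest power first) is strictly in the LHP."""
    c = [float(x) for x in coeffs]
    if c[0] < 0:
        c = [-x for x in c]
    width = (len(c) + 1) // 2
    rows = [c[0::2] + [0.0] * (width - len(c[0::2])), c[1::2] + [0.0] * (width - len(c[1::2]))]
    for _ in range(len(c) - 2):
        above, pivot = rows[-2], rows[-1]
        if abs(pivot[0]) < eps:            # zero pivot: marginal or unstable, not strictly stable
            return False
        rows.append([(pivot[0] * above[j + 1] - above[0] * pivot[j + 1]) / pivot[0]
                     for j in range(width - 1)] + [0.0])
    return all(r[0] > eps for r in rows)   # no sign change in the first column


def stable_with_delay(a, b, k, tau):
    """Closed-loop stability for a sensor delay tau >= 0 (Pade + Routh-Hurwitz)."""
    if tau <= 0.0:
        return a + b * k < 0               # delay-free loop: single pole at a + b k
    return routh_hurwitz_stable(delayed_char_poly(a, b, k, tau))


def delay_margin(a, b, k, tau_hi=2.0, tol=1e-6):
    """Largest tolerated delay by bisection on [0, tau_hi]; 0.0 if the loop is unstable
    even without delay, tau_hi if no instability is found below tau_hi."""
    if not stable_with_delay(a, b, k, 0.0):
        return 0.0
    lo, hi = 0.0, tau_hi
    if stable_with_delay(a, b, k, hi):
        return hi
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        lo, hi = (mid, hi) if stable_with_delay(a, b, k, mid) else (lo, mid)
    return lo


if __name__ == "__main__":
    # Constructed loops: x' = -x(t - tau) (exact margin pi/2) and an open-loop unstable
    # plant a = 0.5 held by k = -2 (exact margin atan2(sqrt(3.75), 0.5)/sqrt(3.75) = 0.6807).
    for a, b, k in [(0.0, 1.0, -1.0), (0.5, 1.0, -2.0)]:
        print(f"a={a:+.2f} k={k:+.2f}: Pade/Routh delay margin {delay_margin(a, b, k):.4f} s")
```

For the second constructed loop the closed-form crossing is at $\omega = \sqrt{(bk)^2 - a^2}$, $\tau^* = \operatorname{atan2}(\omega, a)/\omega \approx 0.6807$ s, which the Padé/Routh margin reproduces to within the bisection tolerance.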

Figure 2 Eigenvalues of the system for normal operation and attack by different time-delays (real part from -12 to 4, imaginary part from -20 to 20)

Figure 3 Maximum eigenvalues for different time-delay attacks

The total simulation time is 40 seconds. We assume that the adversary has access to switch SW in Figure 1 and starts the TDS attack with the delay vector $\tau = [\,t_{d1}\;\; t_{d2}\;\; \cdots\;\; t_{dn}\,]^T$. Consider that the attack occurs at time $t_a$. In the figures we only show the dynamics of the first area of the two-area system in normal operation and under different attack conditions. In Figure 4, graphs (a), (b), (c) and (d) show the simulation results for the frequency deviation, the power deviation of the generator, the valve position of the turbine and the tie-line power flow, respectively.

Case 1: The adversary attacks all of the states at $t_a = 15$ s with the same time-delay pattern. In Figures 4 (a), (b), (c) and (d), the black lines show normal operation. TDS attack 1 (blue dashes) and 2 (red dot-dashes) denote time-delay attacks with $t_{d1} = t_{d2} = \cdots = t_{d10} = 0.4$ and $t_{d1} = t_{d2} = \cdots = t_{d10} = 0.6$, respectively. It is clear that the system moves into the unstable region under the attacks.

Case 2: The attack starts at time $t_a = 5$ s, and the hacker attacks only one state of the system. In Figure 5, graphs (a), (b), (c) and (d), TDS attacks 1 and 2 denote attacks with time-delays of $t_{d1} = 0.6$ and $t_{d1} = 1$, respectively (there is no time-delay attack on the other states). In the case of a TDS attack with $t_{d1} = 0.3$, the system is disturbed but still stable. The results of Cases 1 and 2 show that the adversary can cause instability in the system even by attacking one state of the system.

5. Conclusion

This paper considers TDS attacks, a new type of attack on the cyber layer of smart grids that can sabotage the dynamic performance of power systems. The LFC power system under TDS attacks is modeled using hybrid systems, and the TDS attacks are formulated as a switch action, “Off/Delay-by-τ”, on sensing channels or control inputs. The destabilizing action of TDS attacks on power systems has then been studied using methods from hybrid systems theory. A two-area LFC LTI model has been simulated to evaluate the effects of TDS attacks. The results show that TDS attacks, which can be launched at any time during the operation of the power system, affect the dynamic performance of the LFC system and in many cases could destroy the system's stability. Our future work will focus on making controllers and communication protocols robust under this type of attack.

Figure 4-(a) Frequency deviation, $\Delta f_K$
Figure 4-(b) Power deviation of generator, $\Delta P_{gK}$
Figure 4-(c) Valve position of the turbine, $\Delta P_{tuK}$
Figure 4-(d) Tie-line power flow, $\Delta P_{pf1}$

Figure 5-(a) Frequency deviation, $\Delta f_K$
Figure 5-(b) Power deviation of generator, $\Delta P_{gK}$
Figure 5-(c) Valve position of the turbine, $\Delta P_{tuK}$
Figure 5-(d) Tie-line power flow, $\Delta P_{pf1}$

References

[1] Gorman, S. (2009, April 8, 2009). Electricity Grid in U.S. Penetrated By Spies. The Wall Street Journal, A1.

[2] Greenberg, A. (2008, January 18 2008). Hackers Cut Cities' Power, Forbes.

[3] Meserve, J. (2007, September 26 2007). Sources: Staged cyber attack reveals vulnerability in power grid. CNN.

[4] News, B. (2000, January 18 2000). Colombia rebels blast power pylons. Retrieved from http://news.bbc.co.uk/2/hi/americas/607782.stm

[5] Pidd, H. (2012, 31 July 2012 ). India blackouts leave 700 million without power. The Guardian.

[6] Vijayan, J. (2010, July 26, 2010). Stuxnet renews power grid security concerns. Computer world.

[7] Byres, E., & Lowe, J. (2004). The Myths and Facts behind Cyber Security Risks for Industrial Control Systems. Paper presented at the VDE Kongress, Berlin, Germany.


[8] Amin, S., Cardenas, A. A., & Sastry, S. S. (2009). Safe and Secure Networked Control Systems under Denial-of-Service Attacks. Paper presented at the Proceedings of the 12th International Conference on Hybrid Systems: Computation and Control, San Francisco, CA.

[9] Cardenas, A. A., Amin, S., & Sastry, S. (2008). Research challenges for the security of control systems. Paper presented at the Proceedings of the 3rd conference on Hot topics in security, San Jose, CA.

[10] Liu, S., Liu, X. P., & Saddik, A. E. (2013). Denial-of-Service (DoS) attacks on load frequency control in smart grids. Paper presented at the Innovative Smart Grid Technologies (ISGT), 2013 IEEE PES.

[11] Liu, Y., Ning, P., & Reiter, M. K. (2009). False data injection attacks against state estimation in electric power grids. Paper presented at the 16th ACM conference on Computer and communications security, ser. CCS 09, New York, NY, USA.

[12] Hui Song, Sencun Zhu, Guohong Cao, Attack-resilient time synchronization for wireless sensor networks, Ad Hoc Networks, Volume 5, Issue 1, January 2007, Pages 112-125, ISSN 1570-8705.

[13] Teixeira, A., Amin, S., Sandberg, H., Johansson, K. H., & Sastry, S. S. (2010, 15-17 Dec. 2010). Cyber security analysis of state estimators in electric power systems. Paper presented at the Decision and Control (CDC), 2010 49th IEEE Conference on.

[14] Mo, Y., & Sinopoli, B. (2010, April 2010). False data injection attacks in control systems. Paper presented at the 1st Workshop on Secure Control Systems, Stockholm, Sweden.

[15] Kosut, O., Liyan, J., Thomas, R. J., & Lang, T. (2011). Malicious Data Attacks on the Smart Grid. Smart Grid, IEEE Transactions on, 2(4), 645-658. doi: 10.1109/tsg.2011.2163807

[16] Esfahani, P. M., Vrakopoulou, M., Margellos, K., Lygeros, J., & Andersson, G. (2010). A robust policy for automatic generation control cyber attack in two area power network. Paper presented at the Decision and Control (CDC), 2010 49th IEEE Conference on.

[17] Mohajerin Esfahani, P., Vrakopoulou, M., Margellos, K., Lygeros, J., & Andersson, G. (2010). Cyber attack in a two-area power system: Impact identification using reachability. Paper presented at the American Control Conference (ACC), 2010.

[18] Sargolzaei, A., Yen, K. K., Noei, S., & Ramezanpour, H. (2013). Assessment of He's homotopy perturbation method for optimal control of linear time-delay systems. Applied Mathematical Sciences, 7(8), 349-361.

[19] Golub, G. H. and C. F. Van Loan, Matrix Computations, Johns Hopkins University Press, Baltimore, 1989, pp. 557-558.