Smart grid seminar series
False Data Injection Attacks against State Estimation in Electric Power Grids
Yao Liu, Peng Ning, and Michael K. Reiter
Presenter: Raghu Ranganathan, ECE / CMR, Tennessee Technological University
March 22nd, 2011

Paper overview
- A power grid is a complex system connecting electric generators to consumers through power transmission and distribution networks.
- System monitoring is necessary to ensure the reliable operation of power grids.
- State estimation is used in system monitoring to best estimate the power grid state through analysis of meter measurements and power system models.
- Various techniques have been developed to detect and identify bad measurements.
- In this paper, we present a new class of attacks, called false data injection attacks, against state estimation in electric power grids.
- We show that an attacker can take advantage of the power system configuration to launch such attacks.
- The attacker can successfully bypass the existing techniques for bad measurement detection.

Paper overview (continued)
- Two realistic attack scenarios: the attacker is either
  - constrained to some specific meters (due to the physical protection of the meters), or
  - limited in the resources required to compromise meters.
- The attacker can systematically and efficiently construct attack vectors in both scenarios, affecting state estimation.
- The success of these attacks is demonstrated through simulation using the IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems.
- Results indicate that security protection of the electric power grid must be revisited.

[Figure: Power Grid]

Introduction
- The security and reliability of power grids have a critical impact on society and people's daily life.
- System monitoring is necessary to ensure the reliable operation of power grids.
  - It provides pertinent information on the condition of a power grid based on the readings of meters placed at important areas of the power grid.
  - Measurements may include bus voltages, bus real and reactive power injections, and branch reactive power flows.
  - Measurements are typically transmitted to a control center.
  - Measurements are stored in a telemetry system, which is also known as a Supervisory Control And Data Acquisition (SCADA) system.

State Estimation
- State estimation is the process of estimating unknown state variables in a power grid based on the meter measurements.
- The output of state estimation is typically used in contingency analysis, which is then used to
  - control the power grid components (e.g. increase the yield of a power generator), and
  - maintain reliable operation even if some faults (e.g. a generator breakdown) occur.
- An attacker can compromise meters to introduce malicious measurements, which
  - lead to incorrect state estimation, and
  - mislead the power grid control algorithms.

Bad measurement detection techniques: Drawbacks
- Existing techniques detect and remove bad measurements.
- Bad data detection can be bypassed if the attacker knows the configuration of the power system.
- Detection is based on the squares of differences between the observed and estimated measurements exceeding some threshold.
- The attacker can generate bad measurements with knowledge of the system, thereby bypassing the bad data detection.
- This new class of attacks is called false data injection attacks.
- These attacks mislead the state estimation process.

Attack scenarios
- First attack scenario: the attacker is constrained to accessing some specific meters due to, for example, different physical protection of the meters.
- Second attack scenario: the attacker is limited in the resources required to compromise meters.
- Two realistic attack goals:
  - Random false data injection attacks: the attacker aims to find any attack vector as long as it can lead to a wrong estimation of state variables.
  - Targeted false data injection attacks: the attacker aims to find an attack vector that can inject a specific error into certain state variables.

State Estimation
- Monitoring the power flows and voltages in a power system is important in maintaining system reliability.
- Meters monitor the system components and report their readings to the control center, which then estimates the state of power system variables from these meter measurements.
- The state estimation problem is to estimate power system state variables $x = (x_1, x_2, \ldots, x_n)^T$ based on the meter measurements $z = (z_1, z_2, \ldots, z_m)^T$:
  $z = h(x) + e$
- For DC model state estimation:
  $z = Hx + e$
- Commonly used state estimation methods:
  - Maximum Likelihood (ML)
  - Weighted Least Squares (WLS)
  - Minimum Variance criterion

Weighted Least Squares State Estimation
- When meter error is normally distributed with zero mean, the state estimate $\hat{x}$ is given as follows:
  $\hat{x} = (H^T W H)^{-1} H^T W z$
- $W$ is a diagonal matrix whose elements are reciprocals of the variances of the meter errors:
  $W = \mathrm{diag}(\sigma_1^{-2}, \sigma_2^{-2}, \ldots, \sigma_m^{-2})$

Bad measurement detection
- The measurement residual $z - H\hat{x}$ is used to determine bad data.
- If $\|z - H\hat{x}\| > \tau$, where $\tau$ is the detection threshold, the presence of bad data is assumed.
- If state variables are mutually independent and meter errors have a normal distribution, $L(x) = \|z - H\hat{x}\|^2$ follows a $\chi^2(v)$ distribution with $v = m - n$ degrees of freedom.
- If $P(L(x) \ge \tau^2) = \alpha$, then $L(x) \ge \tau^2$ indicates bad measurements, with probability of false alarm $\alpha$.

Related Work
- Bad measurements lead to a large normalized measurement residual.
- Large normalized measurement residual method: works well for independent, non-interacting bad measurements.
- It does not work for correlated bad measurements, which are called interacting bad measurements.

False Data Injection Attacks: Principle
- The attacker knows the $H$ matrix.
- Let $z_a = z + a$, where $a = (a_1, a_2, \ldots, a_m)^T$ is the attack vector.

- Let $\hat{x}_{bad} = \hat{x} + c$, where $c$ reflects the estimation error injected by the attacker.
- If the attacker uses $a = Hc$, then the $L_2$ norm of the measurement residual of $z_a$ equals that of $z$, hence bypasses the bad data detection:
  $\|z_a - H\hat{x}_{bad}\| = \|z + a - H(\hat{x} + c)\| = \|z - H\hat{x} + (a - Hc)\| = \|z - H\hat{x}\|$

Scenario I: Limited Access to meters
- Assume the attacker has access to $k$ specific meters.
- $I_m = \{i_1, i_2, \ldots, i_k\}$ is the set of indices of those meters.
- The attacker can modify $z_{i_j}$, where $i_j \in I_m$.
- To launch false data injection without being detected, find a non-zero attack vector $a = (a_1, a_2, \ldots, a_m)^T$ such that
  - $a_i = 0$ for $i \notin I_m$, and
  - $a$ is a linear combination of the column vectors of $H$ ($a = Hc$).
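The residual argument from the Principle slide, worked numerically as an added example (not code from the paper or the presentation): the 3-bus $H$ matrix, noise values, threshold and function names are constructed for illustration, and $W = I$ is assumed. It shows why the residual test cannot be the only integrity check on meter data: a single altered meter raises the alarm, while a perturbation of the form $a = Hc$ leaves the residual unchanged and shifts the estimate by $c$.

```python
# Constructed 3-bus DC example (bus 1 is the angle reference); not from the paper.
# Rows: flows 1-2, 1-3, 2-3, then injections at buses 2 and 3. W = I is assumed.
H = [[-1, 0], [0, -1], [1, -1], [2, -1], [-1, 2]]
TAU = 0.1  # constructed detection threshold

def matvec(M, v):
    return [sum(m * x for m, x in zip(row, v)) for row in M]

def solve(A, b):
    """Solve the small square system A x = b by Gauss-Jordan elimination."""
    n = len(A)
    M = [[float(x) for x in A[i]] + [float(b[i])] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

def estimate(z):
    """x_hat = (H^T H)^-1 H^T z, i.e. the WLS estimate with W = I."""
    Ht = list(zip(*H))
    return solve([matvec(Ht, col) for col in Ht], matvec(Ht, z))

def residual_norm(z):
    """L2 norm of the measurement residual z - H x_hat."""
    fitted = matvec(H, estimate(z))
    return sum((zi - fi) ** 2 for zi, fi in zip(z, fitted)) ** 0.5

def bad_data_alarm(z):
    return residual_norm(z) > TAU

# Constructed measurements: true state plus small meter noise.
NOISE = [0.01, -0.02, 0.015, -0.005, 0.01]
Z = [h + e for h, e in zip(matvec(H, [0.10, -0.05]), NOISE)]
C = [0.5, 0.0]                                           # estimation error c
Z_STRUCTURED = [z + a for z, a in zip(Z, matvec(H, C))]  # a = Hc
Z_UNSTRUCTURED = Z[:3] + [Z[3] + 1.0] + Z[4:]            # one meter altered, a != Hc

if __name__ == "__main__":
    cases = [("clean", Z), ("a = Hc", Z_STRUCTURED), ("a != Hc", Z_UNSTRUCTURED)]
    for name, z in cases:
        x_hat = [round(v, 3) for v in estimate(z)]
        print(f"{name:8s} residual={residual_norm(z):.4f} "
              f"alarm={bad_data_alarm(z)} x_hat={x_hat}")
```

Because the residual carries no trace of the structured change, detecting it needs information outside the estimator, such as protected meters or independent measurements of the affected state variables.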

1. Random False Data Injection attack
- Vector $c$ can be any value.
- Compute $a$ which satisfies $a = Hc$ by eliminating $c$.
- To simplify, let $P = H(H^T H)^{-1} H^T$ and $B = P - I$. Then $PH = H$, and
  $a = Hc \Leftrightarrow Pa = PHc \Leftrightarrow Pa = Hc \Leftrightarrow Pa = a \Leftrightarrow Pa - a = 0 \Leftrightarrow (P - I)a = 0 \Leftrightarrow Ba = 0$
- Vector $a$ satisfies $a = Hc$ if and only if $Ba = 0$.
- Conditions on the attack vector: $Ba = 0$ and $a_i = 0$ for $i \notin I_m$.
- Let the $m \times k$ matrix $B' = (b_{i_1}, b_{i_2}, \ldots, b_{i_k})$ and the length-$k$ vector $a' = (a_{i_1}, a_{i_2}, \ldots, a_{i_k})^T$. Then
  $Ba = 0 \Leftrightarrow B'a' = 0$

1. Random False Data Injection attack: Rank of $B'$
- If the rank of $B'$ is less than $k$, $B'$ is a rank-deficient matrix, and there exists an infinite number of non-zero solutions $a'$.
- If the rank of $B'$ is equal to $k$, $B'$ is not a rank-deficient matrix, and the relation $B'a' = 0$ has a unique solution $a' = 0$.

- Hence, no error can be injected into the state estimation.

2. Targeted False Data Injection Attack
- The attacker intends to inject specific errors into certain chosen state estimation variables.
- Mathematically, this is represented as follows:
  - Let $I_v = \{i_1, i_2, \ldots, i_r\}$, where $r < n$, denote the set of indices of the $r$ target state variables, i.e. $x_{i_1}, x_{i_2}, \ldots, x_{i_r}$ are the target state variables.
  - The attacker intends to construct $a$ such that the resulting state estimate is $\hat{x}_{bad} = \hat{x} + c$, where $c = (c_1, c_2, \ldots, c_n)^T$ and $c_i$ for $i \in I_v$ is the specific error that is added to $\hat{x}_i$.
- Two cases:
  - Constrained: the attacker attacks only the target variables without affecting other variables.
  - Unconstrained: the attacker has no concerns about the non-target variables.

Constrained attack
- $a_i = 0$ for $i \notin I_m$.
- Every element $c_i$ in $c$ is fixed: either the chosen value when $i \in I_v$, or 0 when $i \notin I_v$.
- The attacker substitutes $c$ back into $a = Hc$ and checks if $a_i = 0$ for $i \notin I_m$.
- If yes, the attack is possible.

[Slide: Unconstrained attack]

Scenario II: Limited resources to compromise meters

- Assume the attacker has limited resources to compromise up to $k$ meters.
- Unlike Scenario I, there is no restriction on which meters the attacker can choose.
- The attacker needs to find a $k$-sparse, non-zero attack vector $a$ that satisfies $a = Hc$.

1. Random False Data Injection Attack
- The attacker may use a brute-force approach to construct $a$ to compromise up to $k$ meters.
- The attacker may try all possible $a$'s containing $k$ unknown non-zero elements.
- For each candidate $a$, check if there is a non-zero solution to $Ba = 0$.
- If yes, an attack vector exists.

2. Targeted False Data Injection Attack
- Constrained case:
  - The attacker substitutes $c$ in the relation $a = Hc$.
  - If the resulting $a$ is $k$-sparse, the attacker is successful in finding the attack vector.
- Unconstrained case:
  - The attacker needs to find a $k$-sparse vector $a$ that satisfies $B_s a = y$.
  - This is the Minimum Weight Solution for Linear Equations problem.
  - It can be heuristically solved using the Matching Pursuit (MP) and Basis Pursuit (BP) methods.

Experimental Results
- The false data injection attacks are validated through experiments using the IEEE 9-bus, 14-bus, 30-bus, 118-bus, and 300-bus systems.
- The DC power flow model is used.
- MATPOWER, a MATLAB package, is used for solving the power flow problems.
- Experiments are based on the matrix $H$ and meter measurements obtained from MATPOWER.
- State variables are the voltage angles of all buses.
- Meter measurements are the real power injections of all buses and the real power flows of all branches.

Results of Scenario I
- For random false data injection attacks, $k$ is varied from 1 to the maximum number of meters in each test system.
- For each $k$, we randomly choose $k$ specific meters to attempt an attack vector construction.
- We repeat this process 100 times for both the IEEE 118-bus and 300-bus systems and 1,000 times for the other systems.
- Estimate the success probability $p_k$ (the probability of successfully constructing an attack vector with $k$ given meters):
  $p_k = \frac{\#\ \text{successful trials}}{\#\ \text{trials}}$
- $R_k$ denotes the percentage of the specific meters under the attacker's control, i.e. $R_k = \frac{k}{\text{total number of meters}}$.

Targeted false data injection attack: Constrained Case
- Randomly pick 6 sets of meters for the IEEE 118-bus and 300-bus systems.
- In each set, there are 350 meters and 700 meters for the IEEE 118-bus and 300-bus systems, respectively.
- Check the number of individual target state variables that can be affected by each set of meters in the constrained case (i.e., without affecting the estimation of the remaining state variables).

Results of Scenario II
- The attacker has limited resources to compromise up to $k$ meters.
- Compared with Scenario I, the restriction on the attacker is relaxed in the sense that any $k$ meters can be used for the attack.
- Two evaluation metrics:
  - number of meters to compromise in order to construct an attack vector
  - execution time required for constructing an attack vector
- Three cases examined:
  - random false data injection attacks
  - targeted false data injection attacks in the constrained case
  - targeted false data injection attacks in the unconstrained case

- For all test systems, the attacker can construct an attack vector for random false data injection attacks by only compromising 4 meters.
- This is mainly due to the fact that the $H$ matrices of all these IEEE test systems are sparse. For example, the $H$ matrix of the IEEE 300-bus system is a $1{,}122 \times 300$ matrix, but most of the entries are 0s. In particular, the sparsest column in $H$ only has 4 non-zero elements.
- In practice, components in a power system that are not physically adjacent to each other are usually not connected. As a result, the $H$ matrices of the power systems are often sparse.

Targeted false data injection attack: Constrained Case
- In the experiments, we randomly choose $l$ ($1 \le l \le 10$) target state variables and generate malicious data for each of them.
- The malicious values are set to be 100 times larger than the real estimates of the state variables.
- Examine how many meters need to be compromised in order to inject the malicious data (without changing the other non-target state variables).
- For each $l$, perform the above experiment 1,000 times to examine the distribution of the number of meters that need to be compromised.

Targeted false data injection attack: Unconstrained Case
- In the unconstrained case, the attacker wants to inject malicious data into specific state variables.
- The Matching Pursuit algorithm is used to find attack vectors.
- Two evaluation metrics:
  - number of meters to compromise in order to construct an attack vector
  - execution time required for constructing an attack vector

Conclusions
- In this paper, a new class of attacks against state estimation in electric power systems, called false data injection attacks, was presented.
- It is shown that an attacker can take advantage of the configuration of a power system to launch such attacks to bypass the existing techniques for bad measurement detection.
- Two realistic attack scenarios: the attacker is either constrained to some specific meters or limited in the resources required to compromise meters.
- Simulations were performed on IEEE test systems to demonstrate the success of these attacks.
- Results in this paper indicate that the security protection of the electric power grid must be revisited.