# Risk assessment framework for power control systems with PMU-based intrusion response system


## Abstract

Cyber threats are serious concerns for power systems. For example, hackers may attack power control systems via interconnected enterprise networks. This paper proposes a risk assessment framework to enhance the resilience of power systems against cyber attacks. The duality element relative fuzzy evaluation method is employed to evaluate identified security vulnerabilities within cyber systems of power systems quantitatively. The attack graph is used to identify possible intrusion scenarios that exploit multiple vulnerabilities. An intrusion response system (IRS) is developed to monitor the impact of intrusion scenarios on power system dynamics in real time. IRS calculates the conditional Lyapunov exponents (CLEs) on line based on the phasor measurement unit data. Power system stability is predicted through the values of CLEs. Control actions based on CLEs will be suggested if power system instability is likely to happen. A generic wind farm control system is used for case study. The effectiveness of IRS is illustrated with the IEEE 39 bus system model.

## Keywords

Cyber security; supervisory control and data acquisition (SCADA); risk assessment; intrusion response system (IRS); conditional Lyapunov exponents (CLEs); phasor measurement unit (PMU); voltage instability

## 1 Introduction

Power systems are vulnerable to cyber attacks. Modern IT technologies are heavily used in today's supervisory control and data acquisition (SCADA) systems of industrial control systems, including power systems. While IT technologies bring many benefits, they introduce many security risks as well. For example, the connectivity between SCADA systems and enterprise networks improves business visibility and efficiency, but it makes SCADA systems more vulnerable to cyber attacks. According to 2003 to 2006 data from Eric Byres, BCIT, 49% of cyber attacks on industrial control systems are launched via connected enterprise networks. One highly publicized example is Stuxnet, which attacked an industrial control system by infecting the organization networks that interact with the target [1].

In 2006, the US Department of Energy (DOE) published the "Roadmap to secure control systems in the energy sector" (updated in 2011) [2]. It envisions that, in 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of any critical function. Much effort has been made to secure power facilities. The DOE National SCADA Test Bed (NSTB) Program, established in 2003, supports industry and government efforts to enhance the cyber security of control systems in the energy sector. The NERC standards CIP-002-4 through CIP-009-4 provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operations of the bulk electric system [3]. The International Electrotechnical Commission Technical Council (IEC TC 57), i.e., power system management and associated information exchange, has advanced standard communication protocol security in IEC 62351 with stronger encryption and authentication mechanisms [4]. The Hallmark Project by Schweitzer Engineering Laboratories, Inc. presents the secure SCADA communications protocol (SSCP) technology, which provides integrity for SCADA messages. The United States Computer Emergency Readiness Team (US-CERT) has set up awareness programs about system vulnerabilities to improve control system security [5]. The cyber security audit and attack detection toolkit by Digital Bond, Inc. is developed to identify vulnerable configurations in control system devices and applications. Reference [6] presents a risk assessment methodology that accounts for both physical and cyber security of critical infrastructures. In [7], a SCADA security framework is proposed, in which system vulnerabilities are assessed quantitatively through an attack tree. The impact of a cyber attack on SCADA systems is studied systematically in [8], where it is evaluated by the resultant loss of load through a power flow computation.

This paper presents a new risk assessment framework for SCADA systems of power grids. Individual vulnerabilities within control systems are evaluated based on the duality element relative fuzzy evaluation method (DERFEM). An attack graph is developed to identify possible intrusion scenarios that exploit multiple security vulnerabilities. An intrusion response system (IRS) based on the phasor measurement unit (PMU) data is proposed to assess the impact of intrusion scenarios on power system dynamics.

The main contribution is IRS, which is an on-line monitoring and control scheme based on PMUs. It monitors the impact of cyber intrusions on power system dynamics in real time. If power system instability, such as voltage instability, is judged to be likely after a cyber attack, IRS will act as a mitigation mechanism to prevent power system instability. Unlike traditional security mechanisms, such as encryption and authentication, which increase the complexity of power systems, and may cost additional time in power system operations, IRS uses a control strategy based on the conditional Lyapunov exponents (CLEs) to enhance the resilience of power systems against cyber attacks.

## 2 Risk assessment framework

### 2.1 DERFEM

Assume that a cyber system has *l* identified vulnerabilities: *r*_{1}, *r*_{2}, ···, *r*_{l}. DERFEM is employed to assign each vulnerability a scaled value within [0, 1] which quantitatively characterizes its vulnerable level. The larger the scaled value, the higher the vulnerable level.

DERFEM proceeds as follows.

1) Compare a pair of different vulnerabilities (*r*_{i}, *r*_{j}) so as to obtain the scaled values \(\tau_{{r_{j} }} (r_{i} )\) and \(\tau_{{r_{i} }} (r_{j} )\). \(\tau_{{r_{j} }} (r_{i} )\) represents the vulnerable level of *r*_{i} compared to *r*_{j}. Likewise, \(\tau_{{r_{i} }} (r_{j} )\) represents the vulnerable level of *r*_{j} compared to *r*_{i}. \(0 \leqslant \tau_{{r_{j} }} (r_{i} ) \leqslant 1\); \(0 \leqslant \tau_{{r_{i} }} (r_{j} ) \leqslant 1\). If \(\tau_{{r_{j} }} (r_{i} ) > \tau_{{r_{i} }} (r_{j} )\), the vulnerability *r*_{i} has a higher vulnerable level than *r*_{j} does. \(\tau_{{r_{j} }} (r_{i} )\) and \(\tau_{{r_{i} }} (r_{j} )\) come from engineering judgments. This is valid because engineering judgments from different sources are statistically close when the task is to compare two vulnerabilities.

Table 1 Comparison results of the vulnerabilities (scaled values \(\tau_{r_{j}}(r_{i})\))

Vulnerability | *r*_{1} | *r*_{2} | *r*_{3} | ··· | *r*_{l}
---|---|---|---|---|---
*r*_{1} | 1 | \(\tau_{r_{2}}(r_{1})\) | \(\tau_{r_{3}}(r_{1})\) | ··· | \(\tau_{r_{l}}(r_{1})\)
*r*_{2} | \(\tau_{r_{1}}(r_{2})\) | 1 | \(\tau_{r_{3}}(r_{2})\) | ··· | \(\tau_{r_{l}}(r_{2})\)
*r*_{3} | \(\tau_{r_{1}}(r_{3})\) | \(\tau_{r_{2}}(r_{3})\) | 1 | ··· | \(\tau_{r_{l}}(r_{3})\)
⋮ | ⋮ | ⋮ | ⋮ | ⋱ | ⋮
*r*_{l} | \(\tau_{r_{1}}(r_{l})\) | \(\tau_{r_{2}}(r_{l})\) | \(\tau_{r_{3}}(r_{l})\) | ··· | 1

3) In each row of Table 1, substitute \(\tau_{{r_{j} }} (r_{i} )\) with \(\tau (r_{i} /r_{j} )\), where \(\tau (r_{i} /r_{j} ) = \tau_{{r_{j} }} (r_{i} )/\hbox{max} (\tau_{{r_{j} }} (r_{i} ),\tau_{{r_{i} }} (r_{j} ))\).

4) Finally, the vulnerable level of *r*_{i} is quantitatively characterized by \(\sigma (r_{i} ) = \min \left( \tau (r_{i} /r_{1} ), \tau (r_{i} /r_{2} ), \cdots ,\tau (r_{i} /r_{n} ) \right)\).

DERFEM does not measure the vulnerable level of a given vulnerability directly, which could be difficult. It reveals the vulnerable level of each vulnerability relative to the others.

### 2.2 Attack graph

In practice, a hacker may have to compromise several interconnected hosts within a cyber system before gaining access to the control systems. For example, an outside intruder has to compromise an enterprise network first, and then attack its connected industrial control systems via the enterprise network. This procedure is modeled as an intrusion scenario in this research. An intrusion scenario is comprised of several intrusion actions, and each action involves exploiting one security vulnerability.

An attack graph is employed to capture possible intrusion scenarios within a cyber system. The attack graph depicts the ways in which a hacker compromises interconnected hosts sequentially by exploiting the corresponding vulnerabilities so as to achieve a specific goal. The benefit of the attack graph is that it takes into account the effects of interactions between local vulnerabilities and finds global security holes introduced by the interconnections [9].

Basic concepts of the attack graph are defined as follows.

Definition 1: subject (*S*^{T}). A subject is the initiator of actions. *s*^{t} ∈ *S*^{T} can be an attacker or a compromised device.

Definition 2: node (*N*^{D}). An electronic device in a cyber system is a node, denoted \(n^{\text{d}} = (i^{\text{d}} )\), \(n^{\text{d}} \in N^{\text{D}}\). *i*^{d} is the identifier of the node, and it could be set to an equipment name. If a node is compromised by a subject, the node itself becomes a subject.

Definition 3: privilege (*P*^{G}). It describes the operating privilege of a subject in a node. For *s*^{t} ∈ *S*^{T} and *n*^{d} ∈ *N*^{D}, the function \(P^{\text{G}} \left( {s^{\text{t}} ,n^{\text{d}} } \right) \to \{ 0,1,2,3,4,5\}\) gives the privilege level of *s*^{t} in *n*^{d}. \(P^{\text{G}} (s_{i}^{t} ,n_{j}^{\text{d}} ) = 0\) implies that subject \(s_{i}^{t}\) has no access to node \(n_{j}^{\text{d}}\); \(P^{\text{G}} (s_{i}^{t} ,n_{j}^{\text{d}} ) = 1\) indicates that subject \(s_{i}^{t}\) is able to read the inbound and outbound messages of node \(n_{j}^{\text{d}}\); \(P^{\text{G}} (s_{i}^{t} ,n_{j}^{\text{d}} ) = 2\) means that subject \(s_{i}^{t}\) is able to block the inbound and outbound messages of node \(n_{j}^{\text{d}}\); \(P^{\text{G}} (s_{i}^{t} ,n_{j}^{\text{d}} ) = 3\) represents that subject \(s_{i}^{t}\) can read and block the inbound and outbound messages of node \(n_{j}^{\text{d}}\); \(P^{\text{G}} (s_{i}^{t} ,n_{j}^{\text{d}} ) = 4\) denotes that subject \(s_{i}^{t}\) can send messages to node \(n_{j}^{\text{d}}\); \(P^{\text{G}} (s_{i}^{t} ,n_{j}^{\text{d}} ) = 5\) signifies that subject \(s_{i}^{t}\) has full control access to node \(n_{j}^{\text{d}}\).

Definition 4: state (*Z*). A state is a triple \(z = (s^{t} ,n^{\text{d}} ,P^{\text{G}} (s^{t} ,n^{\text{d}} ))\). The state is the prerequisite of the next attack action to be implemented.

Definition 5: interconnection (*I*^{C}). Interconnection refers to connections between nodes, denoted by a quadruplet \(i^{\text{c}} = (n_{i}^{\text{d}} ,n_{j}^{\text{d}} ,C_{ij} ,M_{ij} )\), \(i^{\text{c}} \in I^{\text{C}}\), \(n_{i}^{\text{d}} ,n_{j}^{\text{d}} \in N^{\text{D}}\). *C*_{ij} represents the communication channel between \(n_{i}^{\text{d}}\) and \(n_{j}^{\text{d}}\). *C*_{ij} could be copper wires, optical fibers, wireless, dial-up, virtual private network (VPN), or digital microwave. *M*_{ij} is the type of messages from \(n_{i}^{\text{d}}\) to \(n_{j}^{\text{d}}\). *M*_{ij} could be measurements or control signals. *M*_{ij} does not necessarily equal *M*_{ji}.

Definition 6: action (*A*). *A* is the set of possible actions of the subjects in a cyber system. An action is a quadruplet \(a = (n_{\text{name}} ,z_{\text{s}} ,z_{\text{d}} ,\gamma )\), \(a \in A\), \(z_{\text{s}} ,z_{\text{d}} \in Z\). *n*_{name} is the name of an attack action, such as a denial-of-service (DOS) attack or a man-in-the-middle attack; *z*_{s} and *z*_{d} represent the initial and final states of the action; *γ* is the vulnerability exploited in the action, and it also denotes the difficulty level of action *a*.

The algorithm to construct an attack graph proceeds as follows.

1) Identify *N* ^{D} and *I* ^{C}. Develop a directed graph (*N* ^{D}, *I* ^{C}). The vertex is \(n^{\text{d}} \in N^{\text{D}}\), and the edge is \(i^{\text{c}} \in I^{\text{C}}\).

2) Identify the node \(n_{k}^{\text{d}}\) which will be the target of attacks. \(n_{k}^{\text{d}}\) could be a SCADA server or a programmable logic controller (PLC).

3) Determine the goals of attacks—the state of \(n_{k}^{\text{d}}\) after being attacked, formulated as follows: \(z_{\text{d}} = (s_{i}^{\text{t}} ,n_{k}^{\text{d}} ,P^{\text{G}} (s_{i}^{\text{t}} ,n_{k}^{\text{d}} ) > 0\)), in which \(s_{i}^{\text{t}}\) represents the initial intruding subject (hackers).

4) Traverse the directed graph (*N* ^{D}, *I* ^{C}). Identify the node \(n_{{k^{\prime}}}^{\text{d}}\) that is connected to \(n_{k}^{\text{d}}\) directly. Assume that node \(n_{{k^{\prime}}}^{\text{d}}\) has been compromised by \(s_{i}^{\text{t}}\), and it becomes an intruding subject, say \(s_{{i^{\prime}}}^{\text{t}}\).

5) Extract an attack action aimed at \(n_{{k}}^{\text{d}}\) from \(s_{{i^{\prime}}}^{\text{t}}\), such that \(a = (n_{\text{name}} ,z_{\text{s}} ,z_{\text{d}} ,\gamma_{\text{a}} )\), \(z_{\text{d}} = (s_{i'}^{\text{t}} ,n_{k}^{\text{d}} ,P^{\text{G}} (s_{i'}^{\text{t}} ,n_{k}^{\text{d}} ) = P^{\text{G}} (s_{i}^{\text{t}} ,n_{k}^{\text{d}} ))\). \(\gamma_{\text{a}}\) is the vulnerability of node \(n_{k}^{\text{d}}\) exploited in action *a*.

6) Establish the prerequisite of action *a*: *z* _{s}, formulated as follows: \(z_{\text{s}} = (s_{i}^{\text{t}} ,n_{{k^{\prime}}}^{\text{d}} ,P^{\text{G}} (s_{{i}}^{\text{t}} ,n_{{k^{\prime}}}^{\text{d}} ) > 0)\).

7) Set \(n_{{k^{\prime}}}^{\text{d}}\) as the new target node, so that *z*_{s} becomes another *z*_{d}. Repeat steps 4, 5 and 6 until \(s_{{i^{\prime}}}^{\text{t}} = s_{i}^{\text{t}}\).

After the attack graph is built, it gives a bird’s-eye view of possible intrusion scenarios. For each scenario, the probability of occurrence *P* ^{b} is calculated as follows.

*a*_{i} and *a*_{j}, then

*a*_{i} and *a*_{j}. Note that *P*^{b} is relative, as \(\sigma (\gamma_{{a_{i} }} )\) and \(\sigma (\gamma_{{a_{j} }} )\) are relative. *P*^{b} tells how possible an intrusion scenario is compared to the others.

*a*_{i} and *a*_{j}, then

c) If the intrusion scenario is more complicated, the calculation of its *P* ^{b} will be the synthesis of (1) and (2).

### 2.3 Intrusion response system

If CLEs have only low values, the prediction is that voltage instability will not happen; otherwise, voltage instability is likely to occur, and the proposed algorithm will send proper control signals to the energy management system (EMS) to prevent voltage instability.

## 3 Proposed algorithm

### 3.1 Dynamical model

*i* = 1, 2, ···, *n* − *m*; *j* = *n* − *m* + 1, *n* − *m* + 2, ···, *n*; *n* is the total number of buses; *m* is the total number of generators; *P*_{D,i} + j*Q*_{D,i} is the power consumption at load bus *i*, with

\(P_{\text{D},i} = P_{0,i} \left[ A_{i} + B_{i} \left( \frac{\left| V_{i} \right|}{\left| V_{0,i} \right|} \right) + C_{i} \left( \frac{\left| V_{i} \right|}{\left| V_{0,i} \right|} \right)^{2} \right] \left( 1 + L_{P,i} \Delta f \right)\)

\(Q_{\text{D},i} = Q_{0,i} \left[ D_{i} + E_{i} \left( \frac{\left| V_{i} \right|}{\left| V_{0,i} \right|} \right) + F_{i} \left( \frac{\left| V_{i} \right|}{\left| V_{0,i} \right|} \right)^{2} \right] \left( 1 + L_{Q,i} \Delta f \right)\)

*A*_{i}, *B*_{i}, *C*_{i}, *D*_{i}, *E*_{i}, *F*_{i}, *L*_{P,i}, and *L*_{Q,i} are load parameters; *P*_{0,i} + j*Q*_{0,i} is the steady-state power consumption; *V*_{0,i} is the steady-state voltage; \(\Delta f\) is the frequency deviation in p.u.; *H*_{j} and *O*_{j} are generator inertias; *δ*_{j} is the rotor angle of generator *j*; *ω*_{j} is the angular speed of generator *j*; *ω*_{Re} is the reference speed; *Ω*_{j} is the internal voltage magnitude at generator *j*; *Z*_{j} is the impedance between generator *j* and its generator bus; *P*_{m,j} is the mechanical power input to generator *j*.

Excitation systems of the generators are assumed to function in some way to keep internal voltage magnitudes at reference values during the transient period. The time constant of modern excitation systems is less than 0.5 s. If a new reference value is issued to an excitation system, the corresponding voltage magnitude will change rapidly due to the fast response of the excitation system. CLEs will be computed based on an updated dynamical model to reassess system stability.

Let **x** denote \(\left[ \left| V_{1} \right|, \angle V_{1}, \left| V_{2} \right|, \angle V_{2}, \cdots, \left| V_{n} \right|, \angle V_{n} \right]^{\text{T}}\), and **y** denote \(\left[ \delta_{1}, \omega_{1}, \cdots, \delta_{m}, \omega_{m} \right]^{\text{T}}\). Equations (3) and (4) are represented by:

**G**_{x} and **G**_{y} are the Jacobian matrices of **G** with respect to **x** and **y**. When det(**G**_{x}) = 0 and \(\boldsymbol{G}_{y} \frac{\text{d}\boldsymbol{y}}{\text{d}t} \ne 0\), \(\frac{\text{d}\boldsymbol{x}}{\text{d}t}\) has very large values. Correspondingly, **x** will change dramatically, and voltage instability is likely to happen.

### 3.2 Methodology: CLEs

The notion of CLEs (originally called sub-Lyapunov exponents) was introduced by Pecora and Carroll in their study of the synchronization of chaotic systems [10, 11]. Like the full Lyapunov exponents, CLEs are well-defined ergodic invariants.

Consider an *N*-dimensional continuous-time dynamical system \(\frac{\text{d}\boldsymbol{z}}{\text{d}t} = \boldsymbol{H}(\boldsymbol{z})\). Splitting the state vector **z** into two vectors, \(\boldsymbol{z}_{1} \in \mathbf{R}^{K}\) and \(\boldsymbol{z}_{2} \in \mathbf{R}^{N - K}\) (0 < *K* < *N*), one obtains two sub-systems: \(\frac{\text{d}\boldsymbol{z}_{1}}{\text{d}t} = \boldsymbol{H}_{1} (\boldsymbol{z}_{1} ,\boldsymbol{z}_{2} )\) and \(\frac{\text{d}\boldsymbol{z}_{2}}{\text{d}t} = \boldsymbol{H}_{2} (\boldsymbol{z}_{1} ,\boldsymbol{z}_{2} )\). Let \(\boldsymbol{z}_{1} \left( t \right) = \boldsymbol{\varphi }(t,\boldsymbol{v}_{1} ,\boldsymbol{v}_{2} )\) be the solution of the first sub-system at time *t* starting from the initial conditions \(\boldsymbol{z}_{1}^{0} = \boldsymbol{v}_{1}\), \(\boldsymbol{z}_{2}^{0} = \boldsymbol{v}_{2}\). The CLEs *C*_{i} for the sub-system \(\frac{\text{d}\boldsymbol{z}_{1}}{\text{d}t} = \boldsymbol{H}_{1} (\boldsymbol{z}_{1} ,\boldsymbol{z}_{2} )\) are defined as the eigenvalues of the following limiting matrix \(\boldsymbol{\varLambda}(\boldsymbol{v}_{1})\).

*i* = 1, 2, ···, *K*; **K**(*t*, **v**_{1}, **v**_{2}) is the Jacobian matrix of **φ**(*t*, **v**_{1}, **v**_{2}) with respect to **v**_{1}; \(\bar{\lambda }_{i} (\boldsymbol{v}_{1} )\) is the *i*th eigenvalue of \(\boldsymbol{\varLambda}(\boldsymbol{v}_{1} )\). The existence of CLEs is guaranteed under the same conditions that establish the existence of the Lyapunov exponents [12].

*M*_{MCLE} determines the exponential convergence of nearby system trajectories. This is true due to the approximation of

If \(\frac{{{\text{d}}\varvec{z}_{1} }}{{{\text{d}}t}}\) has very large values, the nearby system trajectories will diverge. Correspondingly, \(M_{\text{MCLE}} \gg 0\). Otherwise, the nearby trajectories will converge, and MCLE has a low or even negative value. Therefore, the value of MCLE reveals the magnitude of time derivatives of related state variables. When the state variables are voltages of a power system, MCLE can be used to monitor the magnitude of time derivatives of the voltages, and hence voltage stability.

In this work, the dynamical system in (8) is split into *n* sub systems. The *i*th sub system has the state variables \(\left[ {\left| {V_{i} } \right|,\angle V_{i} } \right]^{\text{T}}\), where *i* = 1, 2,···, *n*. MCLE is computed for each sub system to monitor voltage stability within it.

*i* = 1, 2, …, *n*. *Ω*_{i} = 0, |*Z*_{i}| = ∞, and *δ*_{i} = 0 if there is no generator at bus *i*.

**G**_{x} is diagonal in computation without compromising the accuracy, and then the *i*th sub-system of (8) is represented by:

*i* = 1, 2, …, *n*; **G**_{x}(2*i* − 1, 2*i* − 1) is the element at row 2*i* − 1 and column 2*i* − 1 of **G**_{x}. It is noted that \(\frac{\text{d}\left| V_{i} \right|}{\text{d}t} = \frac{\text{d}\angle V_{i}}{\text{d}t} = 0\) if there is no generator at bus *i*, which is reasonable since the change of the voltages at load buses is driven by the voltages at generator buses. Consequently, \(\frac{\text{d}\left| V_{i} \right|}{\text{d}t}\) and \(\frac{\text{d}\angle V_{i}}{\text{d}t}\) do not depend on |*V*_{i}| and \(\angle V_{i}\).

The proposed algorithm calculates MCLEs of the sub systems that have generators at the corresponding buses. The computation method is introduced in the following.

### 3.3 Computation method

MCLEs are calculated over a limited time window. PMU measurements are extracted to observe the time-varying values of the state variables of the sub-systems. The unobservable part of the state variables is approximated through the implicit integration method with the trapezoidal rule [13]. At the same time, the observable part is estimated by the same method as a backup for the PMU data. If a PMU is compromised, this is detected by comparing the PMU data with the corresponding estimation results, and the estimation results are then used in the MCLE calculation. The algorithm in [13], the standard method with Gram-Schmidt reorthonormalization (GSR), is then used to compute MCLEs. If the values of MCLEs are over a predefined limit, it is predicted that voltage instability will happen, and control signals are sent to EMS to prevent it.

The length of the time interval can be chosen arbitrarily. Study shows that MCLEs are robust to the length of the time interval: MCLEs computed over time intervals of different lengths all have very high values if voltage instability is going to happen. In this research, the time interval length is set to 0.2 s, so that it is short while still containing enough PMU measurements.
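The CLE definition of Section 3.2 and the windowed GSR computation of Section 3.3 can be exercised on a small drive/response system. The block below is an added example, not code from the paper: because equations (5) to (8) are not reproduced on this page, it uses the Lorenz split from Pecora and Carroll [10] (drive *x*, response (*y*, *z*)) in place of the power-system sub-systems, and, going beyond the paper, adds the Rössler *x*-drive split as a case whose largest CLE is positive. The system parameters are the standard textbook values; the 0.01 s step, the 0.2 s window (from Section 3.3), the transient length and the initial condition are assumptions of the example.

```python
"""Conditional Lyapunov exponents (CLEs) of a drive/response split, computed with the
Gram-Schmidt reorthonormalization (GSR) scheme and reported over sliding time windows.
Added example: Lorenz and Roessler systems, not the paper's power-system model."""
import math


def rk4_step(f, y, dt):
    """One classical Runge-Kutta step for dy/dt = f(y)."""
    k1 = f(y)
    k2 = f([a + 0.5 * dt * b for a, b in zip(y, k1)])
    k3 = f([a + 0.5 * dt * b for a, b in zip(y, k2)])
    k4 = f([a + dt * b for a, b in zip(y, k3)])
    return [a + dt / 6.0 * (b + 2 * c + 2 * d + e) for a, b, c, d, e in zip(y, k1, k2, k3, k4)]


def conditional_lyapunov(field, jac_response, z0, dt, steps, transient=0):
    """field(z): full system dz/dt = H(z).  jac_response(z): K x K Jacobian of the response
    sub-system H1 with respect to its own state z1, evaluated along the full trajectory.
    K perturbation vectors of the response are integrated with the full state, re-
    orthonormalised after every step (GSR), and the log stretch of each direction is
    accumulated.  Returns (cles, per_step_logs); `transient` steps are integrated but not counted."""
    N, K = len(z0), len(jac_response(z0))

    def f(y):
        z, J = y[:N], jac_response(y[:N])
        dy = list(field(z))
        for k in range(K):                            # variational equation du/dt = J u
            u = y[N + k * K:N + (k + 1) * K]
            dy.extend(sum(J[r][c] * u[c] for c in range(K)) for r in range(K))
        return dy

    y = list(z0) + [1.0 if r == k else 0.0 for k in range(K) for r in range(K)]  # identity
    logs = []
    for step in range(transient + steps):
        y = rk4_step(f, y, dt)
        cols = [y[N + k * K:N + (k + 1) * K] for k in range(K)]
        norms = []
        for k in range(K):                            # modified Gram-Schmidt
            v = cols[k]
            for j in range(k):
                p = sum(a * b for a, b in zip(v, cols[j]))
                v = [a - p * b for a, b in zip(v, cols[j])]
            n = math.sqrt(sum(a * a for a in v))
            cols[k] = [a / n for a in v]
            norms.append(n)
        y = y[:N] + [a for c in cols for a in c]
        if step >= transient:
            logs.append([math.log(n) for n in norms])
    cles = [sum(row[k] for row in logs) / (steps * dt) for k in range(K)]
    return cles, logs


def windowed_mcle(logs, dt, window):
    """Maximum CLE over consecutive windows of `window` seconds (Section 3.3 uses 0.2 s)."""
    n = max(1, round(window / dt))
    out = []
    for i in range(0, len(logs) - n + 1, n):
        block = logs[i:i + n]
        out.append(max(sum(row[k] for row in block) / (n * dt) for k in range(len(block[0]))))
    return out


# Lorenz system with standard parameters; response (y, z) driven by x, as in [10].
SIGMA, RHO, BETA = 10.0, 28.0, 8.0 / 3.0

def lorenz(z):
    x, y, w = z
    return [SIGMA * (y - x), x * (RHO - w) - y, x * y - BETA * w]

def lorenz_yz_jac(z):
    x = z[0]
    return [[-1.0, -x], [x, -BETA]]       # d(H1)/d(y, z) for the x-driven sub-system

# Roessler system with standard parameters; response (y, z) driven by x.
A, B, C = 0.2, 0.2, 5.7

def rossler(z):
    x, y, w = z
    return [-y - w, x + A * y, B + w * (x - C)]

def rossler_yz_jac(z):
    return [[A, 0.0], [0.0, z[0] - C]]    # diagonal: the y-direction stretches at rate A


def run_case_studies(dt=0.01, steps=10000, transient=1000):
    """Returns (lorenz_cles, rossler_cles, lorenz_windowed_mcle) for assumed settings."""
    lo, lo_logs = conditional_lyapunov(lorenz, lorenz_yz_jac, [1.0, 1.0, 1.0], dt, steps, transient)
    ro, _ = conditional_lyapunov(rossler, rossler_yz_jac, [1.0, 1.0, 1.0], dt, steps, transient)
    return lo, ro, windowed_mcle(lo_logs, dt, 0.2)


if __name__ == "__main__":
    lo, ro, win = run_case_studies()
    print("Lorenz x-drive CLEs:", lo, "(all negative: response converges)")
    print("Roessler x-drive CLEs:", ro, "(largest positive: response diverges)")
    print("first 0.2 s-window MCLEs for Lorenz:", win[:5])
```

Two checks make the numbers trustworthy without knowing them in advance: the CLEs of a sub-system sum to the time average of the trace of its Jacobian, which for the Lorenz (*y*, *z*) response is the constant −1 − 8/3, and because the symmetric part of that Jacobian is negative definite every windowed MCLE must lie below −1. The Rössler response has a diagonal Jacobian whose *y* entry is the constant *a*, so its largest CLE equals 0.2 exactly, the kind of value that, under the rule of Section 3.3, would exceed any limit set just above zero.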

### 3.4 Control actions

*C*_{const} is a predefined constant value. Voltage instability can be prevented with the fast response of the excitation system.

## 4 Case study

Wind farm SCADA systems are selected for case study due to the fact that wind power is a fast-emerging renewable resource on power grids, and it has the potential to affect the dynamical performance of power systems.

### 4.1 Wind farm SCADA systems

Vulnerabilities are identified in [14], including configuration management of WTCPs (*r*_{1}), implicit trust between WTCPs and a control room (*r*_{2}), implicit trust between control rooms and a control center (*r*_{3}), wireless network (*r*_{4}), optical fibers (*r*_{5}), virtual private network (*r*_{6}), digital microwave (*r*_{7}), poor access control within a control room (*r*_{8}), poor access control within a control center (*r*_{9}), bad configuration of remote access (*r*_{10}), weak firewall policy (*r*_{11}), and human errors (*r*_{12}).

Table 2 Results of DERFEM (row *r*_{i}, column *r*_{j} holds \(\tau_{r_{j}}(r_{i})\))

Vulnerability | *r*_{1} | *r*_{2} | *r*_{3} | *r*_{4} | *r*_{5} | *r*_{6} | *r*_{7} | *r*_{8} | *r*_{9} | *r*_{10} | *r*_{11} | *r*_{12} | \(\sigma(r_{i})\)
---|---|---|---|---|---|---|---|---|---|---|---|---|---
*r*_{1} | 1 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 0.8 | 1.0
*r*_{2} | 0.6 | 1 | 0.9 | 0.7 | 0.5 | 0.8 | 0.8 | 0.6 | 0.6 | 0.5 | 0.6 | 0.4 | 0.75
*r*_{3} | 0.4 | 0.6 | 1 | 0.5 | 0.4 | 0.7 | 0.8 | 0.3 | 0.2 | 0.3 | 0.2 | 0.5 | 0.50
*r*_{4} | 0.5 | 0.4 | 0.6 | 1 | 0.7 | 0.7 | 0.7 | 0.6 | 0.5 | 0.4 | 0.6 | 0.5 | 0.5714
*r*_{5} | 0.4 | 0.3 | 0.3 | 0.4 | 1.0 | 0.3 | 0.3 | 0.5 | 0.5 | 0.6 | 0.5 | 0.6 | 0.50
*r*_{6} | 0.2 | 0.2 | 0.3 | 0.2 | 0.2 | 1.0 | 0.3 | 0.2 | 0.2 | 0.3 | 0.2 | 0.2 | 0.25
*r*_{7} | 0.1 | 0.1 | 0.2 | 0.1 | 0.1 | 0.1 | 1.0 | 0.1 | 0.1 | 0.2 | 0.1 | 0.1 | 0.125
*r*_{8} | 0.5 | 0.5 | 0.5 | 0.5 | 0.4 | 0.6 | 0.3 | 1.0 | 0.4 | 0.5 | 0.4 | 0.4 | 0.625
*r*_{9} | 0.2 | 0.3 | 0.1 | 0.3 | 0.2 | 0.2 | 0.2 | 0.2 | 1.0 | 0.2 | 0.2 | 0.1 | 0.25
*r*_{10} | 0.7 | 0.4 | 0.6 | 0.5 | 0.4 | 0.6 | 0.5 | 0.6 | 0.6 | 1.0 | 0.6 | 0.4 | 0.6667
*r*_{11} | 0.4 | 0.5 | 0.4 | 0.5 | 0.4 | 0.5 | 0.3 | 0.5 | 0.5 | 0.5 | 1.0 | 0.5 | 0.5
*r*_{12} | 0.3 | 0.3 | 0.4 | 0.3 | 0.3 | 0.2 | 0.2 | 0.3 | 0.3 | 0.3 | 0.2 | 1.0 | 0.375
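As an added example (not code from the paper), the block below runs the DERFEM steps of Section 2.1 over the pairwise scaled values of Table 2: the matrix is entered row by row as printed, step 3 forms \(\tau(r_{i}/r_{j})\), and step 4 takes the row minimum, which reproduces the \(\sigma(r_{i})\) column. The names *r*_{1} to *r*_{12} follow Section 4.1; the input validation and the ranking helper are additions of the example.

```python
"""DERFEM (Section 2.1) over the comparison matrix of Table 2.  Added example, not the
paper's code.  TAU[i][j] holds tau_{r_j}(r_i), the vulnerable level of r_i compared with
r_j from engineering judgement; the diagonal is 1."""

NAMES = [f"r{k}" for k in range(1, 13)]        # r1 .. r12 as listed in Section 4.1

# Table 2, transcribed row by row (rows r1..r12, columns r1..r12).
TAU = [
    [1.0, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8, 0.8],
    [0.6, 1.0, 0.9, 0.7, 0.5, 0.8, 0.8, 0.6, 0.6, 0.5, 0.6, 0.4],
    [0.4, 0.6, 1.0, 0.5, 0.4, 0.7, 0.8, 0.3, 0.2, 0.3, 0.2, 0.5],
    [0.5, 0.4, 0.6, 1.0, 0.7, 0.7, 0.7, 0.6, 0.5, 0.4, 0.6, 0.5],
    [0.4, 0.3, 0.3, 0.4, 1.0, 0.3, 0.3, 0.5, 0.5, 0.6, 0.5, 0.6],
    [0.2, 0.2, 0.3, 0.2, 0.2, 1.0, 0.3, 0.2, 0.2, 0.3, 0.2, 0.2],
    [0.1, 0.1, 0.2, 0.1, 0.1, 0.1, 1.0, 0.1, 0.1, 0.2, 0.1, 0.1],
    [0.5, 0.5, 0.5, 0.5, 0.4, 0.6, 0.3, 1.0, 0.4, 0.5, 0.4, 0.4],
    [0.2, 0.3, 0.1, 0.3, 0.2, 0.2, 0.2, 0.2, 1.0, 0.2, 0.2, 0.1],
    [0.7, 0.4, 0.6, 0.5, 0.4, 0.6, 0.5, 0.6, 0.6, 1.0, 0.6, 0.4],
    [0.4, 0.5, 0.4, 0.5, 0.4, 0.5, 0.3, 0.5, 0.5, 0.5, 1.0, 0.5],
    [0.3, 0.3, 0.4, 0.3, 0.3, 0.2, 0.2, 0.3, 0.3, 0.3, 0.2, 1.0],
]


def validate(tau):
    """Checks of the example: square matrix, every entry in [0, 1], unit diagonal, and no
    pair judged 0 in both directions (the step-3 ratio would be undefined for it)."""
    n = len(tau)
    for i, row in enumerate(tau):
        if len(row) != n:
            raise ValueError(f"row {i} has {len(row)} entries, expected {n}")
        if row[i] != 1:
            raise ValueError(f"diagonal entry ({i},{i}) must be 1")
        for j, v in enumerate(row):
            if not 0 <= v <= 1:
                raise ValueError(f"entry ({i},{j}) = {v} is outside [0, 1]")
            if v == 0 and tau[j][i] == 0:
                raise ValueError(f"pair ({i},{j}) is 0 in both directions")


def relative_levels(tau):
    """Step 3: tau(r_i/r_j) = tau_{r_j}(r_i) / max(tau_{r_j}(r_i), tau_{r_i}(r_j))."""
    n = len(tau)
    return [[tau[i][j] / max(tau[i][j], tau[j][i]) for j in range(n)] for i in range(n)]


def derfem(tau):
    """Step 4: sigma(r_i) = min_j tau(r_i/r_j).  One scaled value per vulnerability."""
    validate(tau)
    return [min(row) for row in relative_levels(tau)]


def rank(tau, names):
    """Vulnerabilities from most to least vulnerable; ties keep their input order."""
    sigma = derfem(tau)
    order = sorted(range(len(tau)), key=lambda i: (-sigma[i], i))
    return [(names[i], sigma[i]) for i in order]


if __name__ == "__main__":
    for name, s in rank(TAU, NAMES):
        print(f"{name:>4}  sigma = {s:.4f}")
```

The ranking makes the framework's output concrete: *r*_{1} (configuration management of WTCPs) dominates every pairwise comparison and scores 1.0, while *r*_{7} (digital microwave) is judged the least vulnerable at 0.125. Because each \(\sigma(r_{i})\) is a minimum over ratios, a single unfavourable comparison pins a vulnerability's value; that is the "relative, not absolute" property noted at the end of Section 2.1.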

Table 3 Intrusion scenarios and probabilities

Intrusion scenario | *P*^{b}
---|---
 | 1
 | 0.5714
 | 0.5
 | 0.5508
 | 0.1289
 | 0.1758
 | 0.0352
 | 0.0176
 | 0.0117

The intrusion scenarios show that, if successfully executed, a hacker will gain some levels of control access to several or even hundreds of WTCPs. The output of compromised wind farms will be maliciously manipulated. The impact on power system dynamics is studied next.

In Fig. 5, *z* _{1} = (hacker, WTCP, 5); *z* _{2} = (hacker, WTCP, 0); *z* _{3} = (hacker, WTCPs in a wind farm, 2); *z* _{4} = (hacker, WTCPs in a wind farm, 0); *z* _{5} = (hacker, WTCPs in a wind farm, 1); *z* _{6} = (hacker, WTCPs in a wind farm, 4); *z* _{7} = (hacker, SCADA server in the control room, 3); *z* _{8} = (hacker, SCADA server in the control room, 0); *z* _{9} = (hacker, SCADA server in the control room, 4); *z* _{10} = (hacker, SCADA server in the control center, 2); *z* _{11} = (hacker, SCADA server in the control center, 0); *z* _{12} = (hacker, SCADA server in the control room, 5); *z* _{13} = (hacker, workstation in the control room, 5); *z* _{14} = (hacker, workstation in the control room, 0); *z* _{15} = (hacker, SCADA server in the control center, 5); *z* _{16} = (hacker, workstation in the control center, 5); *z* _{17} = (hacker, workstation in the control center, 0); *z* _{18} = (hacker, workstation in the corporate LAN, 5); *z* _{19} = (hacker, workstation in the corporate LAN, 0); *z* _{20} = (hacker, remote access point, 5); *z* _{21} = (hacker, remote access point, 0); *a* _{1} = (password cracking, *z* _{2}, *z* _{1}, *r* _{1}); *a* _{2} = (jamming, *z* _{4}, *z* _{3}, *r* _{4}); *a* _{3} = (passive tapping, *z* _{4}, *z* _{5}, *r* _{ 5 }); *a* _{4} = (man-in-the-middle attack, *z* _{7}, *z* _{6}, *r* _{2}); *a* _{5} = (active tapping, *z* _{8}, *z* _{7}, *r* _{5}); *a* _{6} = (spoof, *z* _{9}, *z* _{6}, *r* _{2}); *a* _{7} = (spoof, *z* _{10}, *z* _{9}, *r* _{3}); *a* _{8} = (DOS attack, *z* _{11}, *z* _{10}, *r* _{6}); *a* _{9} = (jamming, *z* _{11}, *z* _{10}, *r* _{7}); *a* _{10} = (spoof, *z* _{12}, *z* _{6}, *r* _{2}); *a* _{11} = (internal attack, *z* _{8}, *z* _{12}, *r* _{12}); *a* _{12} = (malware infection, *z* _{13}, *z* _{12}, *r* _{8}); *a* _{13} = (infected portable storage device attack, *z* _{14}, *z* _{13}, *r* _{12}); *a* _{14} = (malware infection, *z* _{15}, *z* _{12}, *r* _{3}); *a* _{15} = (malware infection, 
*z* _{16}, *z* _{15}, *r* _{9}); *a* _{16} = (infected portable storage device attack, *z* _{17}, *z* _{16}, *r* _{12}); *a* _{17} = (malware infection, *z* _{18}, *z* _{16}, *r* _{11}); *a* _{18} = (infected portable storage device attack, *z* _{19}, *z* _{18}, *r* _{12}); *a* _{19} = (phishing, *z* _{19}, *z* _{18}, *r* _{12}); *a* _{20} = (malware infection, *z* _{20}, *z* _{18}, *r* _{10}); *a* _{21} = (infected portable storage device attack, *z* _{21}, *z* _{20}, *r* _{12}); *a* _{22} = (phishing, *z* _{21}, *z* _{20}, *r* _{12}).
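The state and action list above is enough to rebuild the attack graph and enumerate its intrusion scenarios mechanically. The block below is an added example, not the paper's code: it encodes Definitions 3, 4 and 6 of Section 2.2 as small records, loads the 21 states and 22 actions exactly as listed for Fig. 5, and runs steps 4 to 7 of the construction algorithm backwards from a goal state until it reaches a state in which the hacker holds privilege 0. The action labels *a*_{1} to *a*_{22} and the short node names are the example's own; the vulnerability labels follow Section 4.1.

```python
"""Attack-graph scenario enumeration (Section 2.2) over the wind farm case study
(Section 4.1).  Added example; not code from the paper."""
from collections import defaultdict
from typing import NamedTuple


class State(NamedTuple):          # Definition 4: z = (subject, node, privilege)
    subject: str
    node: str
    privilege: int                # Definition 3: 0 (no access) .. 5 (full control)


class Action(NamedTuple):         # Definition 6: a = (name, z_s, z_d, gamma), plus a label
    label: str
    name: str
    z_s: State                    # initial state (prerequisite)
    z_d: State                    # final state reached by the action
    vuln: str                     # gamma: the vulnerability r_k exploited


def H(node, priv):
    return State("hacker", node, priv)


WTCP, FARM = "WTCP", "WTCPs in a wind farm"
ROOM_SRV, CTR_SRV = "SCADA server in the control room", "SCADA server in the control center"
ROOM_WS, CTR_WS = "workstation in the control room", "workstation in the control center"
LAN_WS, RAP = "workstation in the corporate LAN", "remote access point"

# States z1..z21 as listed for Fig. 5.
Z = {1: H(WTCP, 5), 2: H(WTCP, 0), 3: H(FARM, 2), 4: H(FARM, 0), 5: H(FARM, 1),
     6: H(FARM, 4), 7: H(ROOM_SRV, 3), 8: H(ROOM_SRV, 0), 9: H(ROOM_SRV, 4),
     10: H(CTR_SRV, 2), 11: H(CTR_SRV, 0), 12: H(ROOM_SRV, 5), 13: H(ROOM_WS, 5),
     14: H(ROOM_WS, 0), 15: H(CTR_SRV, 5), 16: H(CTR_WS, 5), 17: H(CTR_WS, 0),
     18: H(LAN_WS, 5), 19: H(LAN_WS, 0), 20: H(RAP, 5), 21: H(RAP, 0)}

# Actions a1..a22 as listed for Fig. 5: (label, name, z_s, z_d, vulnerability).
_A = [("a1", "password cracking", 2, 1, "r1"), ("a2", "jamming", 4, 3, "r4"),
      ("a3", "passive tapping", 4, 5, "r5"), ("a4", "man-in-the-middle attack", 7, 6, "r2"),
      ("a5", "active tapping", 8, 7, "r5"), ("a6", "spoof", 9, 6, "r2"),
      ("a7", "spoof", 10, 9, "r3"), ("a8", "DOS attack", 11, 10, "r6"),
      ("a9", "jamming", 11, 10, "r7"), ("a10", "spoof", 12, 6, "r2"),
      ("a11", "internal attack", 8, 12, "r12"), ("a12", "malware infection", 13, 12, "r8"),
      ("a13", "infected portable storage device attack", 14, 13, "r12"),
      ("a14", "malware infection", 15, 12, "r3"), ("a15", "malware infection", 16, 15, "r9"),
      ("a16", "infected portable storage device attack", 17, 16, "r12"),
      ("a17", "malware infection", 18, 16, "r11"),
      ("a18", "infected portable storage device attack", 19, 18, "r12"),
      ("a19", "phishing", 19, 18, "r12"), ("a20", "malware infection", 20, 18, "r10"),
      ("a21", "infected portable storage device attack", 21, 20, "r12"),
      ("a22", "phishing", 21, 20, "r12")]
ACTIONS = [Action(l, n, Z[s], Z[d], v) for l, n, s, d, v in _A]


def intrusion_scenarios(actions, goal):
    """Steps 4-7 of Section 2.2 run backwards: every action whose final state is the
    current target is a candidate last step, and its initial state z_s becomes the next
    target, until a state with privilege 0 is reached (nothing compromised yet).  Each
    scenario is returned as the tuple of action labels in execution order."""
    by_dest = defaultdict(list)
    for a in actions:
        by_dest[a.z_d].append(a)
    found = []

    def walk(state, chain, seen):
        if state.privilege == 0:
            found.append(tuple(a.label for a in reversed(chain)))
            return
        for a in by_dest[state]:
            if a.z_s not in seen:                 # guard against cycles in the graph
                walk(a.z_s, chain + [a], seen | {a.z_s})

    walk(goal, [], {goal})
    return found


def exploited(actions, scenario):
    """Vulnerabilities exploited along one scenario, in order: the gamma values whose
    sigma(.) feed the P^b calculation of Section 2.2."""
    by_label = {a.label: a for a in actions}
    return tuple(by_label[label].vuln for label in scenario)


if __name__ == "__main__":
    for s in intrusion_scenarios(ACTIONS, Z[6]):      # goal: send messages to the farm's WTCPs
        print(" -> ".join(s), exploited(ACTIONS, s))
```

Run against the goal *z*_{6} (privilege 4 on the WTCPs of a wind farm) the search yields ten action chains, from the two-step path through the control room server to the six-step paths that begin at the remote access point; every chain ends, read forwards, with one of the three *r*_{2} exploits that abuse the implicit trust between WTCPs and the control room, which is the single vulnerability whose mitigation would cut all of them.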

### 4.2 Simulation results

At *t* = 0.4 s, a hacker maliciously manipulates the power output of G5 (or G9) to some extent. Part of the simulation results is shown in Table 4.

Table 4 MCLE of bus G3

Attack | 0~0.2 s | 0.2~0.4 s | 0.4~0.6 s | 0.6~0.8 s | 0.8~1 s | 1~1.2 s | 1.2~1.4 s | 1.4~1.6 s | 1.6~1.8 s | Voltage instability
---|---|---|---|---|---|---|---|---|---|---
1 | −2.77 × 10 | −2.62 × 10 | 9.88 × 10 | 2.77 | 3.84 | 3.69 | 2.96 | 3.55 | 7.29 | N/A
2 | −2.77 × 10 | −2.62 × 10 | 7.25 | 2.81 × 10 | 6.23 × 10 | 1.14 × 10 | 1.90 × 10 | 1.83 × 10 | 6.98 × 10 | N/A
3 | −2.77 × 10 | −2.62 × 10 | 6.90 × 10 | 2.11 × 10 | 3.94 × 10 | 6.83 × 10 | 1.22 × 10 | | |
4 | −2.77 × 10 | −2.62 × 10 | 1.17 × 10 | 4.08 × 10 | 9.12 × 10 | 1.98 × 10 | | | |
5 | −2.77 × 10 | −2.62 × 10 | −1.01 | −2.27 | −3.16 | −4.08 | −4.58 | −4.23 | −2.78 | N/A
6 | −2.77 × 10 | −2.62 × 10 | 6.04 | 2.21 × 10 | 4.65 × 10 | 8.18 × 10 | 1.32 × 10 | 1.09 × 10 | 4.81 | N/A
7 | −2.77 × 10 | −2.62 × 10 | 3.45 × 10 | 1.05 × 10 | 2.00 × 10 | 3.51 × 10 | 6.12 × 10 | 1.10 × 10 | 2.17 × 10 |
8 | −2.77 × 10 | −2.62 × 10 | 1.05 × 10 | 3.48 × 10 | 7.27 × 10 | 1.43 × 10 | | | |
9 | −2.77 × 10 | −2.62 × 10 | 2.31 × 10 | 7.65 × 10 | 1.72 × 10 | | | | |
10 | −2.77 × 10 | −2.62 × 10 | 7.12 × 10 | 2.45 × 10 | 5.27 × 10 | 1.03 × 10 | 2.05 × 10 | | |
11 | −2.77 × 10 | −2.62 × 10 | 3.55 × 10 | 1.37 × 10 | | | | | |
12 | −2.77 × 10 | −2.62 × 10 | 2.91 × 10 | 1.03 × 10 | 2.72 × 10 | | | | |
13 | −2.77 × 10 | −2.62 × 10 | 8.33 × 10 | | | | | | |
14 | −2.77 × 10 | −2.62 × 10 | 6.43 × 10 | 2.07 × 10 | 4.10 × 10 | 7.47 × 10 | 1.38 × 10 | | |

The attacks in Table 4 are as follows.

Attack 1: *P*_{Gen} of G5 is reduced by 10 MW. Attack 2: *Q*_{Gen} of G5 is reduced by 10 Mvar. Attack 3: *P*_{Gen} of G5 is reduced by 100 MW. Attack 4: *Q*_{Gen} of G5 is reduced by 100 Mvar. Attack 5: *P*_{Gen} of G9 is reduced by 10 MW. Attack 6: *Q*_{Gen} of G9 is reduced by 7.5 Mvar. Attack 7: *P*_{Gen} of G9 is reduced by 100 MW. Attack 8: *Q*_{Gen} of G9 is reduced by 75 Mvar. Attack 9: *P*_{Gen} of G5 is reduced by half. Attack 10: *Q*_{Gen} of G5 is reduced by half. Attack 11: *Q*_{Gen} of G5 is reduced to −*Q*_{Gen}. Attack 12: *P*_{Gen} of G9 is reduced by half. Attack 13: *P*_{Gen} of G5 is reduced by half, *Q*_{Gen} of G5 is reduced by half, and *P*_{Gen} of G9 is reduced by half. Attack 14: *P*_{Gen} of G5 is reduced by 30 MW, *Q*_{Gen} of G5 is reduced by 15 Mvar, *P*_{Gen} of G9 is reduced by 50 MW, and *Q*_{Gen} of G9 is reduced by 10 Mvar.

The simulation results lead to the following conclusions.

1) The values of MCLEs are close to 0, when the power system is in the steady state.

*t* = 0.4 s. MCLEs increase for a while, and then decrease, as shown in Fig. 7a. The values are below 200.

3) The values of MCLEs constantly increase as time evolves, if voltage instability is likely to happen within the power system. During Attack 10, the reactive power output of G5 is reduced by half at *t* = 0.4 s. Voltage instability happens at *t* = 1.42 s, as shown in Fig. 7b. The values of MCLEs keep increasing after the attack, as shown in Fig. 7c.

4) Voltage instability is likely to occur around the generator buses where MCLEs have high values. Take Attack 10 as an example: the MCLEs of G2, G3, G4, G6 and G7 (circled in Fig. 6) are over 1000 at *t* = 1.4 s. Time-domain simulation results show that voltage instability happens around those generator buses. This is reasonable, as G2, G3, G4, G6 and G7 are close to G5.

*t* = 1.2 s. The corresponding control signals are then sent to G3, G4, G6 and G7. Voltage instability is prevented, as shown in Fig. 7d.

## 5 Conclusion

A risk assessment framework with a PMU-based IRS is proposed for power control systems. The main idea of IRS is to calculate MCLEs for generator buses in order to monitor voltage stability. The higher the values of the MCLEs, the more likely voltage instability is to occur around the corresponding generator buses. The MCLE method rests on a solid analytical foundation and is validated by simulation results.

This research leads to significant contributions to the development of a more reliable and secure power grid. Future research includes the following aspects.

1) For a large cyber system with numerous security vulnerabilities, DERFEM may not be sufficient. Some statistical analysis techniques may be coupled with DERFEM to improve evaluation results.

2) A dedicated control strategy will be developed in IRS for control actions to prevent voltage instability. The voltages are over 1.2 after 1.8 s in Fig. 7d. This is because IRS employs a control action on a simplified excitation system. The dedicated control strategy will be studied with full-scale excitation systems.

3) IRS is not only able to monitor voltage stability under cyber intrusions, but can also be used to monitor voltage stability after disturbances. It is promising to integrate IRS with the on-line monitoring scheme in [13], so that a control center can monitor both voltage dynamics and rotor angle dynamics.

## References

- [1] Falliere N, Murchu LO, Chien E (2011) W32.Stuxnet dossier. Symantec, Cupertino
- [2] Roadmap to secure control systems in the energy sector. http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/roadmap.pdf#search=‘Roadmap+to+Secure+Control+Systems+in+the+Energy+Sector‘
- [3]
- [4] Cleveland F (2006) IEC TC57 security standards for the power system's information infrastructure: beyond simple encryption. In: Proceedings of the 2005/2006 IEEE PES transmission and distribution conference and exhibition, Dallas, 21–24 May 2006, pp 1079–1087
- [5] Sheldon F, Batsell S, Prowell S et al (2005) Control systems cybersecurity awareness. United States Computer Emergency Readiness Team (US-CERT), Washington, DC
- [6] Depoy J, Phelan J, Sholander P et al (2005) Risk assessment for physical and cyber-attacks on critical infrastructures. In: Proceedings of the IEEE military communications conference (MILCOM'05), vol 3, Atlantic City, 17–20 Oct 2005, pp 1961–1969
- [7] Ten CW, Manimaran G, Liu CC (2010) Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybern A 40(4):853–865
- [8] Ten CW, Liu CC, Manimaran G (2008) Vulnerability assessment of cybersecurity for SCADA systems. IEEE Trans Power Syst 23(4):1836–1846
- [9] Sheyner OM (2004) Scenario graphs and attack graphs. PhD Thesis, Carnegie Mellon University, Pittsburgh
- [10] Pecora LM, Carroll TL (1990) Synchronization in chaotic systems. Phys Rev Lett 64:821–824
- [11] Pecora LM, Carroll TL (1991) Driving systems with chaotic signals. Phys Rev A 44(4):2374–2385
- [12] Vilela-Mendes R (1998) Conditional exponents, entropies and a measure of dynamical self-organization. Phys Rev A 248(2/3/4):167–171
- [13] Yan J, Liu CC, Vaidya U (2011) PMU-based monitoring of rotor angle dynamics. IEEE Trans Power Syst 26(4):2125–2133
- [14] Yan J, Liu CC, Govindarasu M (2011) Cyber intrusion of wind farm SCADA system and its impact analysis. In: Proceedings of the 2011 IEEE PES power systems conference and exposition, Phoenix, 20–23 Mar 2011, 6 pp
- [15] IEEE 10 generator 39 bus system. http://sys.elec.kitami-it.ac.jp/ueda/demo/WebPF/39-New-England.pdf

## Copyright information

**Open Access** This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.