The purpose of the proof of concept is to validate certain hypotheses about the effects of the reduced trustworthiness of measurements on the estimated state variables and their uncertainties. The hypotheses are the following: Hypothesis 1 The trustworthiness of measurements from a single bus influences the trustworthiness of state variables in most cases not noticeable. Hypothesis 2 The trustworthiness of measurements from multiple buses influences the trustworthiness of state variables in most cases noticeable. Hypothesis 3 The trustworthiness of measurements from a single bus influences the estimation of state variables in most cases not noticeable. Hypothesis 4 The trustworthiness of measurements from multiple buses influences the estimation of state variables in most cases noticeable.
The definition of the term “noticeable” depends on the state variable of investigation. Typically, the uncertainty of voltage magnitudes u(Vm) is negligible, i.e. u(Vm)≤0.001 p.u. The uncertainty of voltage angles u(Va) is typically higher if no measurements from phasor measurement units but only from RTUs are available. Therefore, we consider an uncertainty for a voltage angle as noticeable if u(Va)>0.03∘ holds. For voltage magnitude values, the standard deviation of the metering devices is used as a threshold for the term “noticeable”, i.e. the estimated voltage magnitudes should not vary more than the maximum standard deviation of the metering devices compared to a scenario with full trustworthiness. This approach is not feasible for voltage angles because we neither have metering devices nor standard deviations for them. We consider triple the maximum standard deviation of the metering devices compared to a scenario with full trustworthiness as the threshold for the term “noticeable”.
The reason for the hypotheses is that the state estimation should be able to use other measurements from buses in the neighborhood if only measurements from one bus are affected. If a complete neighborhood is affected, the deviations (errors) of the measurements are no longer independent as expected in the state estimation process (Abur and Exposito 2004). In the remainder of this section, information about the setup is provided. Afterward, the results of the proof of concept are presented and discussed.
Setup
The setup for the proof of concept is divided into the setup of the CPS and the setup of the trust assessment.
Cyber-Physical system
The physical part of the CPS of investigation is the IEEE 39-bus system (Pai et al. 1989). It consists of 29 PQ buses, i.e. buses for which active (P) and reactive (Q) power measurements are available, 9 PV buses, i.e. buses for which P and voltage magnitude (Vm) measurements are available, and a slack bus, i.e. a bus for which a Vm measurement is available and the voltage angle (Va) is defined as 0∘. We assume one RTU per bus transmitting the measurements of the respective bus. The ICT system is assumed to be structured as the power system, i.e. 39 routers, one per RTU, connected according to the branches of the power system. The router at bus 16 is assumed to be connected to the router of the control room. The configuration of the state estimator is the following. It stops the iterative process if the improvement compared to the last iteration is less or equal than ε=0.001 or if it needs 50 iterations.
Trust assessment
Figure 2 shows an instantiation of the trust pyramid (cf. Fig. 1) for the proof of concept. The object of investigation is the data acquisition process with three relevant types of components: metering devices, RTUs, and routers. Trust inputs are the standard deviations of the metering devices, CPU load information of the RTUs and routers, and network traffic information. Accordingly, three anomaly detectors (transformation functions) are used. The first is a static one that transforms the standard deviation of the metering devices into a trust value for the functional correctness facet: \(\phantom {\dot {i}\!}t_{stdDev}(y) = 1 - stdDev_{m_{y}}\). y is a measurement, my the device metering y, and \(\phantom {\dot {i}\!}stdDev_{m_{y}}\) the standard deviation of that metering device. The second anomaly detector is named “network security anomaly detector” and provides a trust value for the security facet. It is based on alerts from an IDS. The calculation of a trust value based on alerts for potentially several devices that are involved in the data acquisition of measurement is based on Liu et al. (2015).
$$ \Omega_{i} = \sqrt{1+\sum_{k \in a(i)} m^{p(k)}} $$
(1)
The so-called network impact factor (Liu et al. 2015) Ω of alerts for a specific device i is calculated as shown in Equation 1. a(i) is the set of alerts for i, p(k) the priority of an alert k, and m a weight coefficient for the threat priority (Liu et al. 2015). Ω increases with the amount and severity of alerts. It’s boundaries are 1 for |a(i)|=0 and \({\lim }_{|a(i)|\to \infty } \Omega _{i} = \infty \).
$$ t_{netSec}(y) = \frac{|I|}{\sum_{i \in I} \Omega_{i}} $$
(2)
Based on the network impact factor, we define the trustworthiness tnetSec(y) of a measurement y as in Equation 2. I is the set of devices involved in the data acquisition of y. The boundaries of tnetSec(y) are 1 for Ω=|I| and \({\lim }_{\Omega \to \infty } t_{netSec}(y) = 0\).
The third anomaly detector is named “device load anomaly detector” and provides a trust value for the functional correctness facet. It is based on CPU load information (Lewis 2019) for devices from an IT monitoring system.
$$ t_{devLoad}(i) = \left\{\begin{array}{ll} 0 & {l_{CPU,5} > 5 \cdot c}\\ 0.25& {c < l_{CPU,5} \leq 5 \cdot c}\\ 0.5 & {0.7 \cdot c < l_{CPU,5} \leq c}\\ 1 & {{else}}\\ \end{array}\right. $$
(3)
The trustworthiness of a single device y based on the average CPU load of the last five minutes (lCPU,5) is calculated as shown in Equation 3. c is the number of available cores. The calculation of a trust value based on average load information is based on Lewis (2019). We chose the average of the last five minutes because the average of the last minute is too volatile and the average of the last fifteen minutes is too long-running in our scenario, where we get measurements every fifty milliseconds. The thresholds of 5·c, c, and 0.7·c are based on the rules described in Lewis (2019). They are configurable and, in general, all anomaly detectors and the choice of the anomaly detectors are configurable.
$$ t_{devLoad}(y) = \frac{1}{|I|} \sum_{i \in I} t_{devLoad}(i) $$
(4)
Based on the device load metric for single devices, we define the trustworthiness tdevLoad(y) of a measurement y as in Equation 4. I is the set of devices involved in the data acquisition of y. The boundaries of tdevLoad(y) are 1 for tdevLoad(i)=1 ∀i∈I and 0 for tdevLoad(i)=0 ∀i∈I.
Scenarios
In our proof of concept, we want to investigate seven scenarios. In the scenarios, we investigate the influence of a high priority IDS alert, of a high average device load, or both. Furthermore, we investigate the behavior if the reduced trustworthiness is for an RTU, concrete at bus 26, or for a router that is involved in the data acquisition of measurements from several RTUs, concrete the router at bus 26. The scenarios are the following: Scenario 1 no anomaly detectors except the static standard deviation of the metering devices (baseline), Scenario 2 an IDS alert for RTU 26, Scenario 3 a high device load average for RTU 26, Scenario 4 a combination of Scenario 2 and 3, Scenario 5 an IDS alert for router 26, Scenario 6 a high device load average for router 26, and Scenario 7 a combination of Scenario 5 and 6.
tnetSec(y) is calculated based on Equation 1 and 2 with m=2, p(k)=3 for a single alert, and five routers involved. The trust value is \(t_{netSec}(y) = \frac {6}{5 + \sqrt {9}} = 0.75\) for all y provided by RTU 26 in Scenario 2. In Scenario 5, |I| is 6, 7, 8, and 9 for measurements provided by RTU 26, 28, 29, and 38, respectively. tdevLoad(y) is calculated based on Equation 3 and 4 with c=1 and an average load of the last five minutes of c<lCPU,5≤5·c. The trust value is \(t_{devLoad}(y) = \frac {5 + 0.25}{6} = 0.875\) for all y provided by RTU 26 in Scenario 3. In Scenario 6, |I| is on the lines of Scenario 5. For Scenario 4 and Scenario 7, the multiplication of all single trust values (tstdDev(y)·tnetSec(y)·tdevLoad(y)) is used to aggregate the complex trust values to a single one.
Results
Table 1 gives an overview of the key findings on a grid-wide scale. The number of used iterations in the state estimation process and even whether it converges or not differs for the particular scenarios. In Scenario 1, six iterations are needed. For a decreased trustworthiness of measurements of a single bus (Scenario 2–Scenario 4), the state estimator converges and the used iterations increase with a decrease of the trustworthiness of the measurements. The state estimator does not converge when the trustworthiness of measurements from several buses is decreased (Scenario 5–Scenario 7). This shows the influence of changing the trustworthiness in terms of standard deviations of the input measurements on the state estimation behavior.
Table 1 Overview of the results for the respective scenarios compared to the baseline Scenario 1 The Vm and Va values are always compared to the baseline while the u(Vm) and u(Va) values are absolute. The amounts of buses with noticeable deviations or uncertainties are calculated based on our assumptions of noticeable values (cf. Proof of concept). The results do not comply with Hypothesis 1 (no noticeable uncertainties in Scenario 2–Scenario 4). There are noticeable values for up to four Vm and thirty-eight Va values. The uncertainties for Vm values are low (max. 0.004 p.u.) but can be high for Va values (max. 0.82∘). For Hypothesis 2 (noticeable uncertainties in Scenario 5–Scenario 7), the results are as expected. There are noticeable uncertainties for up to thirty-one Vm and thirty-eight Va values. The uncertainties for Vm and Va values can be high (max. 0.146 p.u. and 4.011∘, respectively). The results do also comply with Hypothesis 3 and Hypothesis 4 (no noticeable value changes).
The content of Table 2 is focused on the buses with measurements for which the trustworthiness has been reduced in the different scenarios. It can be seen that the value differences and uncertainties match the maximum values in Table 1. In other words, the state variables, related to buses to which also the measurements with reduced trustworthiness are related to, and their uncertainties are affected most.
Table 2 Results for specific buses and the respective scenarios compared to the baseline Scenario 1 Discussion
The results comply with three of four hypotheses. The fact that the data does not comply with Hypothesis 1 is not a bad result either. It shows that, at least in this setup, also the reduced trustworthiness of measurements from a single bus influences the uncertainty of the related state variables.
Another key finding is that the state estimator does not converge when the trustworthiness of several data sources is reduced. This is an unintended issue. The reason is most probably that, in a typical state estimation, the measurement errors are assumed to be independent. Our results show that for dependent measurement errors, expressed by reduced trustworthiness, the convergence of the state estimation is not given any more in all scenarios. Therefore, we are convinced that it is not an optimal solution to convert complex trust values to standard deviations of measurements. We should rather investigate on a solution that reflects the trustworthiness of the measurements but does not affect the convergence of the state estimation.