Professional Documents
Culture Documents
3 Distributed Detection of Cyber Attacks and Faults For Power Systems
3 Distributed Detection of Cyber Attacks and Faults For Power Systems
Abstract: We consider distributed methods for detection of cyber attacks and faults in power
networks. The approach is based on grouping of buses in the system, and for each group,
we design filters for detection and isolation of faults applied to the buses within the group.
The scheme is distributed in the sense that it uses only locally available data such as the
generated power, loads, and power flows. Specifically, a fault detection method based on a
geometric approach is applied to two different settings. Depending on the availability of phasor
measurement units, we develop indirect and direct methods and compare their characteristics
in performance and computation. A numerical example is provided to illustrate the results.
Keywords: Power systems, Cyber security, Fault detection and isolation, Distributed systems
The paper is organized as follows. In Section 2, we intro- of generated power and load are 1200 [W] and 1000 [W],
duce the model of power systems subject to attacks/faults respectively. Then the true power input is ui = 1200 −
and state the problem of fault detection and isolation. In 1000 = 200. However, if due to manipulation in data, the
Section 3, the FDI filter technique employed in this paper measured value becomes −100 [W], then we have ui =
is reviewed. In Section 4, we provide an indirect detection −100. The difference between these values is represented
method for power system. The results are then extended by the fault signal fi = 200 − (−100) = 300.
in Section 5 to the case when PMU measurements are
available. In Section 6, we examine the proposed method It is noted that, in general power systems, some buses
through a numerical example. Concluding remarks are are not connected to generators or motors, resulting in
given in Section 7. algebraic constraints in the system. In the model above,
one way to include such load buses in an approximated
We list the notation employed in this paper: For a given sense is to set the inertia and damping coefficients small.
matrix X ∈ Rn×m , the matrix after removing the ith
column from X is denoted by X i ∈ Rn×(m−1) . Similarly, In this paper, we develop a detection and isolation method
let X i,j ∈ Rn×(m−2) be the matrix after the removal of the for the fault signals fi in the power system (1). In particu-
ith and jth columns from X. The identity matrix of size lar, the faults may be caused by highly coordinated attacks
n × n is given by In . Let 1n be the vector in Rn with all by malicious intruders. Therefore, we must explicitly con-
entries equal to 1. The standard basis of Rn is denoted by sider cases when multiple faults occur simultaneously.
{ein }ni=1 . The Kronecker product is expressed by ⊗. Moreover, the detection is to be done in a distributed
manner by using only local information of the system. We
N
2. PROBLEM FORMATION introduce a cover of the node set V, denoted by Ṽi i=1 ,
that is, Ṽi ⊂ V for i = 1, . . . , N and V = ∪i Ṽi . Each set
In this section, we present the modeling of the power net-
work and the grouping of buses for distributed detection. Ṽi ⊂ V in the cover is called a group, and the subgraph
The problem considered in the paper is then formulated. consisting of nodes in Ṽi is assumed to be connected.
Hence, the N groups may have overlaps so that nodes can
belong to multiple groups. The design procedure provided
2.1 Power System Model with Faults and Grouping
in the following is to be applied to each group Ṽi . Hence,
for the ease of notation, we omit the index i and consider
Consider a power system whose network structure is
represented by a graph, denoted by G := (V, E). Here, a group with g nodes denoted as Ṽ := {v1 , · · · , vg }.
the nodes correspond to the buses and the edges are For the detection of faults occurring in the group, locally
the transmission lines. The total number of buses is n. available data are used. This includes the power inputs ui
The node set and the edge set are respectively given by and the power flows pij from all buses in the group as well
V := {1, · · · , n} and E ⊂ V × V. We assume that all nodes as those from the immediate neighbors of the group. We
are connected to generators or motors. Then, the dynamics will explain more on this point in the next subsection.
of the phase of the complex voltage of the ith bus can be
described by the socalled swing equation as (Machowski
et al. (2008)) 2.2 Dynamics of Buses in a Group
mi δ̈i (t) + di δ̇i (t) = ui (t) + fi (t) − pij (t), Here, we rewrite the model of the power system in (1)
j∈Ni
for group Ṽ in the vector form. Let the state x be
i = 1, 2, . . . , n, (1) T
given by x(t) := xv1 (t)T · · · xvg (t)T where xi (t) :=
where mi is the inertia coefficient, di is the damping T
coefficient, δi is the phase angle, ui represent the power δi (t) δ̇i (t) , i ∈ Ṽ. And, let the input be u(t) :=
T
input (the mechanical input minus the load), Ni is the uv1 (t) · · · uvg (t) . Here,
we have introduced the modified
set of nodes connected to bus i directly (that is, the input ui (t) := ui (t)− j∈Ni ,j ∈/ Ṽ pij (t) by adding the power
neighborhood of bus i), pij is the active power flow from input and the power flowing from outside the group. Under
bus i to bus j. Under the condition δi − δj ≈ 0, this pij this modification, we can regard the dynamics of this group
can be approximated through linearization as to be a closed system and thus can reduce the order of this
pij (t) = |v̂i ||v̂j |b̂ij (δi (t) − δj (t)), system.
where |v̂i | and |v̂j | are respectively the magnitudes of the Besides, we define the fault vector f by
voltages at buses i and j, b̂ij is the susceptance of the T
f (t) := fv1 (t) · · · fvg (t) .
transmission line connecting buses i and j. For simplicity
of notation, let zij := |v̂i ||v̂j |b̂ij and let pij (t) = zij (δi (t) − Based on the setting above, the overall state-space equa-
δj (t)). tion of group Ṽ becomes as follows:
In this model, faults occurred at bus i are denoted by ẋ(t) = (A + L ⊗ D)x(t) + Bu(t) + Bf (t), (2)
the signal fi . This represents unexpected changes in the
where the matrices A, B, and D are given by
power generation or consumption. More precisely, fi is ⎡ ⎤ ⎡ ⎤
the difference between the true value of the input power Av1 O B v1 O
and its measured data obtained as ui . Hence, if any data ⎢ .. ⎥ ⎢ . ⎥ 00
A := ⎣ . ⎦ , B := ⎣ . . ⎦ , D := .
manipulation is made in the injection power, fi takes a 10
nonzero value. For example, suppose that the true values O Avg O B vg
11933
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
11934
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
When the condition in the proposition is satisfied, the cor- 4.2 Indirect Detection Approach
responding FDI filter can be designed through a modified
version of an algorithm given in (Wonham (1985)). It is Here, we propose an alternative indirect approach and
noted that the dimension di of the filter (6) is given by clarify conditions under which FDI filters can be designed.
d = n − dim(Si∗ ), (9) Specifically, we consider designing a filter which generates
∗ ∗
i a residual rij which takes nonzero value if and only if either
where Si := S j=i ImL j . In fact, the state w i of
the filter has the following property: Let Rn /Si∗ be the fi or fj or both becomes nonzero for i, j ∈ Ṽ with i
= j.
quotient space and let Pi be the corresponding canonical The distributed FDI filter for detecting the pair fi and fj
projection. Then, we focus on the error si between the is expressed by
state wi and the projection of x via Pi , that is, si (t) := ẇij (t) = Fij wij (t) − Eij y(t) + Gij u(t),
(10)
wi (t) − Pi x(t). The dynamics of the FDI filter can be rij (t) = Mij wij (t) − Hij y(t) + Kij u(t),
expressed by this error and the residual as where wij is the state, and rij is the residual signal.
ṡi (t) = Fi si (t) − Pi Li fi (t),
Though this filter alone is not able to detect attacks on
ri (t) = Mi si (t).
one bus, we propose a method that identifies the attacked
Hence, the filter is driven only by the ith fault signal and buses by (i) designing the above filter for all pairs i, j ∈ Ṽ,
is completely decoupled from other faults. Note that Fi is i
= j), and then (ii) checking the combination of nonzero
a stable matrix by design, and thus the error will converge residuals rij . Notice that, for example, if all residuals
to zero as long as fi is zero even if initially si (0)
= 0.
which have the index i ∈ Ṽ take nonzero values, then
4. FAULT DETECTION FOR POWER SYSTEMS we can conclude that bus i is being attacked. If the level
of maliciousness is high, multiple buses may be attacked
In this section, we develop the distributed detection filters simultaneously. We show that such attacks can also be
for attack detection in power systems based on the method identified to a certain extent, depending on the number of
introduced in the previous section. Here, we focus on buses being attacked.
the case of (3) where the output does not contain PMU We are now ready to state the main result of the paper,
measurements. showing a sufficient condition to apply this method.
4.1 Limitation on Direct Detection Theorem 4.1. For the power system (2) and (3) without
PMUs, the distributed indirect fault detection filter (10)
A natural way to approach the problem is to find an FDI can be designed if for the pair vi , vj ∈ Ṽ, i
= j, it holds
filter of the form in (6) to detect the fault signal fi based that
on the input u and the output y of the power system (2) dv i dv
= j . (11)
and (3). However, in (Hashimoto and Hayakawa (2011)), mv i mv j
it is shown that such an FDI filter does not exist. This fact
is stated in the next proposition.
This result shows that for malicious attack detection in a
Proposition 2. For the power system (2) and (3) without group without PMUs, the indirect approach can be useful.
PMUs, it is not possible to design an FDI filter to directly In particular, we can verify the possibility of designing the
detect the fault signal fi for each i. FDI filter through the sufficient condition in the theorem,
which requires only all ratios of inertia to damping co-
This result presents a limitation in the FDI design in
efficients to be different. This is a mild condition, which
the context of power systems. In particular, it shows that
should hold in general, because of individual differences
regardless of the way groups are formed, detection of faults
in the parameters of generators and motors. Thus, we do
that occurred within a group cannot be detected from the
not need to check the condition given in Proposition 1,
local information collected within the group. This result is
involving the computation of the (C, A)-unobservability
based on Proposition 1 and can be shown by establishing
subspace.
that
S∗ Im Bj Im Bi
= 0, 4.3 Issues Related to Performance and Computation
j=i
where Bi is the ith column of the B-matrix in (2). Before finishing this section, we examine the tradeoff
Intuitively, the reason for this impossibility result can be between the performance in the attack detections and the
explained by the fact that all measurements related to the amount of computation with respect to the group sizes.
phases δj are obtained through the power flows in (3).
In the indirect approach for fault detection discussed so
In (Hashimoto and Hayakawa (2011)), an indirect ap- far, an FDI filter is designed for each pair of buses in
proach is proposed where an FDI filter is designed for the group. Hence, in a group consisting of g buses, the
detecting the difference fi −fj for each pair fi and fj . Such total number of FDI filters to be constructed becomes
a filter however has the problem of not being sensitive to g C2 = g(g − 1)/2. As mentioned earlier, the fault in bus
the case when two fault signals are the same, i.e., fi = fj . i can be identified when all residuals rjk whose indices
This can potentially become a weakness in the system from contain i take nonzero values. This holds true even in
the viewpoint of cyber security, where malicious attacks the case when multiple buses experience faults. However,
may be expected in a highly coordinated manner. The note that the maximum number of simultaneous attacks
situation is quite different from multiple faults occurring that can be identified is g − 2 (Meskin and Khorasani
simultaneously by chance. (2009)); see also the example in Section 6. If the number of
11935
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
11936
19th IFAC World Congress
Cape Town, South Africa. August 24-29, 2014
r15
0 0 FDI methods to enhance performance and robustness.
−200 −100
0 5 10 15 0 5 10 15 REFERENCES
time [s] time [s]
r25
0 0
−200 −100 Dekker, New York.
0 5 10 15 0 5 10 15 Dibagi, S. and Ishii, H. (2014). Resilient consensus of
time [s] time [s] double-integrator multi-agent systems. In Proc. Ameri-
400 200 can Control Conf., to appear.
200
Ding, S. (2008). Model-based Fault Diagnosis Techniques:
r26
r56
0 0
−200 Design Schemes, Algorithms, and Tools. Springer, Lon-
−400 −200 don.
0 5 10 15 0 5 10 15
time [s] time [s] Giani, A., Bitar, E., Garcia, M., McQueen, M., Khar-
gonekar, P., and Poolla, K. (2011). Smart grid data in-
Fig. 2. Time responses of the residue signals rij of the tegrity attacks: Characterizations and countermeasures.
indirect detection filters (with no PMU) In Proc. IEEE Smart Grid Comm., 232–237.
Hashimoto, H. and Hayakawa, T. (2011). Distributed
cyber attack detection for power network systems. In
1000 1000 Proc. 50th IEEE Conf. on Decision and Control, 5820–
5824.
Liu, Y., Ning, P., and Reiter, M. (2011). False data
r2
r1
0 0
injection attacks against state estimation in electric
−1000 −1000 power grids. ACM Trans. Information and System
0 5 10 15 0 5 10 15 Security, 14, 13: 1–33.
time [s] time [s]
1000 1000
Machowski, J., Bialek, J., and Bumby, J. (2008). Power
System Dynamics: Stability and Control, 2nd edition.
Wiley.
r5
r6
0 0
Massoumnia, M., Verghese, G., and Willsky, A. (1989).
Fault detection and identification. IEEE Trans. Autom.
−1000 −1000 Control, 34, 316–321.
0 5 10 15 0 5 10 15
time [s] time [s] Meskin, N. and Khorasani, K. (2009). Actuator fault
detection and isolation for a network of unmanned
Fig. 3. Time responses of the residue signals ri of the direct vehicles. IEEE Trans. Autom. Control, 54, 835–840.
detection filters (with a PMU) Mo, Y. and Sinopoli, B. (2010). False data injection
attacks in control systems. In Proc. 1st Workshop on
is being manipulated, and (iii) during t ≥ 8, both buses 5 Secure Control Systems.
and 6 are attacked. Pasqualetti, F., Bicchi, A., and Bullo, F. (2011). A graph-
theoretical characterization of power network vulnera-
(2) Direct detection with PMU data: Here, bus 1 is bilities. In Proc. American Control Conf. 3918–3923.
equipped with a PMU so that in addition to the measure- Shames, I., Teixeira, A., Sandberg, H., and Johansson, K.
ments in case (1) above, the phase δ1 is available to the FDI (2011). Distributed fault detection for interconnected
filters. After designing the filters, we ran the simulation second-order systems. Automatica, 47, 2757–2764.
under the same attack scenario as above. The behaviors Sou, K., Sandberg, H., and Johansson, K. (2011). Elec-
of the four residuals r1 , r2 , r5 , and r6 are shown in Fig. 3. tric power network security analysis via minimum cut
From the plots, we can easily verify that the attacks could relaxation. In Proc. 50th IEEE Conf. on Decision and
be detected and isolated. Clearly, r5 responds to f5 at time Control, 4054–4059.
t = 4, and then r6 becomes nonzero after time t = 8. The Wonham, W. (1985). Linear Multivariable Control: A
other two residuals r1 and r2 remained almost constant at Geometric Approach, Third Edition. Springer, New
zero as expected. York.
Zhang, H. and Sundaram, S. (2012). Robustness of
7. CONCLUSION complex networks with implications for consensus and
contagion. In Proc. 51st IEEE Conf. on Decision and
In this paper, we have proposed a distributed attack Control, 3426–3432.
detection method by using the scheme of grouping of buses Zhang, Q., Chakhchoukh, Y., Vittal, V., Heydt, G., Logic,
and modeling of a power system by the swing equation. We N., and Sturgill, S. (2013). Impact of PMU measurement
have considered two problem settings depending on the buffer length on state estimation and its optimization.
presence of PMUs. When such sensors are not available, IEEE Trans. Power Systems, 28, 1657–1665.
a sufficient condition has been developed for realizing
indirect detection of faults. It has then been shown that
even if PMUs are placed only at a limited number of buses,
direct detection is possible; this is a more advantageous
11937