
12/15/2014 Security of State Estimation in the Smart Grid

Security of State Estimation in the Smart Grid

Wei Fan, weifan (at) wustl.edu (A paper written under the guidance of Prof. Raj Jain)

Abstract:
The power system is one of the most critical national infrastructures, the security and stability of which is the foundation of social stability and plays a key role in the fast and healthy development of the national economy. As a core module of the online security analysis system, power system state estimation is a major part of the modern energy management system.

This paper describes the security risks, security objectives and security research trends in smart grid technology. We introduce the fault detection and bad values of traditional power system state estimation methods, and then further describe false data injection attacks.

Keywords: Smart Grid, State Estimation, SCADA, False Data Injection Attack, Power System, Security

Table of Contents:
1 Introduction
2 Introduction of smart grid security issues
2.1 Security risk of the smart grid
2.2 Security goals of the smart grid
3 Power system state estimation
3.1 Power system operating state
3.2 Power system security analysis
3.3 Power system state estimation
3.4 State estimation bad value detection defects
4 False data injection attacks
4.1 DC state estimation and bad value detection
4.2 The principle of false data injection attacks
4.3 Requirements and the actual meaning of the attack
4.4 Attack scenario
5 Summary
6 Reference
7 Acronyms

1 Introduction
A traditional electric power system includes generation, transmission, transformation, distribution and utilization. With the rapid development of society, people's demand on the systems has increased, which means the traditional power system will be unable to meet the growing demand for electricity. In this case, the smart grid emerges at the right moment.

The smart grid, as the next-generation power grid system, needs to integrate a variety of renewable energy resources, and also needs to integrate high-speed, reliable and secure data communication networks and intelligent data processing centers to deal with an increasingly complex grid system and provide efficient and intelligent management. More precisely, the smart grid is a new type of electric power system. It integrates two-way, secure information and communication technologies and computational intelligence with the generation, transmission, transformation, distribution, utilization and all aspects of electricity, in order to build a clean, reliable, flexible, efficient, sustainable and safe power system. [1]

A traditional electric power system transfers the power that is generated by central power generators to many users and consumers. In contrast, the smart grid uses a two-way flow of information to create a high level of automation and a distributed energy delivery network. Table 1 gives a simple comparison of the existing grid and smart grid.

Table 1: A simple comparison of traditional grid and smart grid

The smart grid is an important step for the electric power system in order to meet the new needs of today's users and of possible users in the future. The development of the smart grid power system brings many fine new features. At the same time, it introduces some new security issues to the power grid, which make it vulnerable to potential network attacks.

To ensure the safety and the reliability of the power system, the control center of the electric power system uses an industrial data acquisition and control system, named the Supervisory Control And Data Acquisition (SCADA) system, for monitoring and control of each interconnected component in the electric power system. The SCADA system obtains the information on the power system's status every 24 seconds [2] by reading the power measuring instruments erected on the key components. What the measuring instruments measure includes busbar voltage, busbar active and reactive power injection, and reactive flow for each subsystem. These measurements are transmitted to the control center, and the staff in the control center collect important system data and provide centralized monitoring and control capabilities for the power system with the aid of computers.

State estimation of the electric power system is an essential function for system monitoring, and is an important part of the modern energy management system (EMS). It uses the redundancy of measurement data provided by SCADA to improve the accuracy of data, automatically exclude error messages caused by random interference, and estimate or forecast the running state of the system. It makes the optimal power system state estimate through the measurements of instruments and analysis of power system models. Staff in the control center use the outputs of the state estimation process as the base for accident analysis. In the accident analysis, they judge potential operational problems, and give out operational guidance to avoid these problems, as well as possible side effects caused by these actions.

Because SCADA plays a crucial role in the state estimation of the electric power system by providing the source of data, it becomes one of the most vulnerable targets for attack. Theoretically, Liu Y. [3] proposed false data injection attacks from an attacker's perspective, which aim at the state estimation of the electric power system. This method consists of systematically tampering with the measurement data of meters, bypassing the traditional error data monitoring, and then successfully influencing the state estimation. Also, the literature [4][5] studied the impact of false data injection attacks on the real-time electricity market. This kind of attack can achieve improper financial profit by influencing the marginal price of nodes in the electricity market, which provides sufficient motivation for attackers.


2 Introduction of smart grid security issues
With the introduction of excellent new features and diverse functions into the smart grid system, and more cooperation over the network, the security issues of smart power systems deserve further attention.

2.1 Security risk of the smart grid

Smart grid technology will allow the current electricity system to add new functions and features. However, it will also bring new security risks to the electric power system. We rely on the power supply system, and this strong dependence also makes the power system a crucial property and an indispensable critical infrastructure to support social functioning. Interruption of the electrical energy supply would bring enormous social impact. The security of the power system is an important issue. The security risks introduced by the smart grid are related to its communication needs, system automation, new technology and data collection [6].

The smart grid's backbone is its computer network, which connects different components to a smart grid and provides it with two-way communications. Networked components would bring more security risks to the system. However, this is required for the smart grid to achieve many of its major functions. Meanwhile, the networked components also increase the complexity of the power system, which brings more opportunities for security vulnerabilities. In addition, the networked components also allow more entities to access the electric power system.

The smart grid uses a computer network to transmit data, and uses software to automate the maintenance of electrical systems. Data transmission systems that rely on computer networks can introduce security risks. Some components require real-time data, and communication delay or loss of data may endanger the electric power system. Related management software of the power system will also face the risk of malicious code. Interruptions of communication or of system status management software may cause energy loss, and in extreme cases may also cause casualties. Different networked components in the power system require interoperability between different technologies, and this process will also introduce security risks. Taking the size and cost of electric power systems into account, the legacy systems cannot be replaced in a short period. In this case, the new smart grid systems must be compatible with legacy systems. However, the legacy systems did not implement the new security features that modern systems have, and the legacy grid systems will be the weakness of smart grid safety. In addition, the new technology used in the smart grid may also have some hidden security vulnerabilities yet to be explored.

It is estimated that the amount of data in the smart grid will increase by an order of magnitude. A substantial increase in the amount of data will bring problems of privacy and security. The smart grid will also collect some new types of data, which may also lead to privacy problems.

2.2 Security goals of the smart grid

The security objectives of the smart grid are different from those of other industrial products. One of the most important things is that the implementation of any security measure should not impede the availability and safety of power use. For example, locking the system after several failed passcode attempts cannot be used in a smart grid system, because locking the power system may lead to security personnel problems in emergency situations. Typically, the importance of security objectives is in the order of confidentiality, integrity and availability. For most industrial products, confidentiality and integrity are more important than availability. But in the electric power system, we must keep the power always available, which means availability comes first, then integrity, and then confidentiality.

Availability is the most important security goal in the electric power system. It is estimated that the maximum delay that the critical real-time smart grid system can tolerate is 4 milliseconds. Any interruption of monitoring or communication in the smart grid system can result in energy losses. Table 2 lists the approximate maximum communication delay requirements [6]. Availability is not only the most important goal for the power system, but also a crucial objective for the majority of components in the power system.


Table 2: Maximum communication delay requirements

In the smart grid, integrity ranks just behind availability. The smart grid gathers data from agencies or by using various sensors. Then it uses the original data, together with power system state estimation, to monitor the current state of the electric power system. The integrity of this data is very important. Unauthorized data modification, or inserting data from an unknown source, will result in errors or even the destruction of the electric power system. Power supply systems not only need to be available at any time, but also require high quality. Power quality assurance is also dependent on the state estimation of the power system. The quality of estimation depends on many factors, and data integrity is one of the most important.

The third objective of electric power system security is confidentiality. For a smart grid, the cost of a loss of confidentiality is smaller than that of a loss of availability or integrity. Of course, in some domains of smart grid application the requirements for confidentiality will be higher, such as personal user information, company information and electric power market information.

3 Power system state estimation
Power system state estimation is one of the most important parts of the EMS in a modern power system. It forms the core module of online security analysis for the electric power system. It is like a filter set up between the original data and all applications that need to use the data of the current system state.

Power system state estimation uses the measurement data redundancy provided by a SCADA system to improve data accuracy, automatically exclude error messages caused by random interference, and estimate or forecast the running state of systems.

3.1 Power system operating state

At a given point in time, if the network model of the power system and each busbar voltage vector are known, then the operating state of the power system can be determined. Since the set of voltage vectors describes the system completely, it is called the static state of the electric power system. According to the literature [7], with changes in the operating state, the system might enter the following three states: the normal state, the emergency state, and the restorative state.

If all loads in the system obtain electric power supply without violating any operating restrictions, then we say the electric power system is in a normal state. Operating restrictions include the limit on transfer current and the minimum and maximum busbar voltage limits. If a system in the normal state can still maintain a normal state after any accident listed in the event prevention table, then we say that this normal state is safe. General accidents include equipment failures and transmission line failure caused by bad weather. On the other hand, if all operations of the system stay within their restrictions, but the system is still sensitive to some accident within the scope of consideration, then we say that such a status is not safe. If the status of a system is normal but not safe, then some actions should be taken immediately to prevent the system from moving into the emergency state. Such preventive control can be determined with the help of optimal security restrictions programs.

Due to an unexpected event, the operating state may change drastically, which can lead to a violation of operating restrictions while electric power supply continues. In such a case, we say that the electric power system is in the emergency state, which requires the operator to take corrective action urgently to bring the system back to the normal state.

When the system is in a state of emergency, corrective control operations can reduce various loads, lines, transformers and other equipment in order to avoid a system crash. In that case, the violation of operating restrictions is eliminated. The system will recover stability by cutting down loads and reconfiguring the topology. Besides, in order to supply power to all loads, those loads that break the balance of power loads will also be recovered. This state of operation is called the restorative state. The operation that returns the system to the normal state is called control recovery. Figure 1 illustrates the possible conversion process between the states defined above.

Figure 1 Power system operating state transformation diagram

3.2 Power system security analysis

The operators in the control center control the electric power systems. The main task of these operators is maintaining the normal and safe state under different daily operations.

To achieve this goal, continuous monitoring of system status and state of operation is required. Necessary protective measures must also be determined for when the system is in a not-safe state. This sequence of operations is called a security analysis of the system.

The first step of security analysis is monitoring the current state of the system. This process uses measurement values from throughout the whole system, and processes this data to determine the state of the system. The measured values can be either analog or digital. Substations are equipped with remote terminal units (RTU). An RTU is responsible for collecting various types of measurements and transferring these data back to the control center. However, at present, intelligent electronic devices (IED) are gradually complementing and replacing the RTU devices. It is possible to form a LAN by connecting SCADA systems and other equipment. The SCADA system helps transmit the collected data to the SCADA host placed in the control center. The host in the control center collects data through all possible communication links, such as optical fiber, satellite, microwave and so on. Figure 2 shows a typical system configuration of an EMS/SCADA system.


Figure 2 EMS/SCADA system configuration

The measured values received by the control center include line flow, busbar voltage, generator output, load, and line switch status. These original data and measurement values are processed by the state estimator to filter out measurement noise and detect serious errors. Given the available measurements and system modeling assumptions, the state estimator will give the optimal solution of power system state estimation. Then, the optimal estimate will be delivered to all EMS applications, such as fault analysis, automatic generation control, and load forecasting and flow optimization. Also, the same information can be made available to the corporate office through LAN access. In the office, other analysis functions can be done offline.

Initially, the electric power system was only monitored and controlled by remote systems. Those systems essentially monitored and controlled the circuits in substations. In order to cooperate with applications such as Automatic Generation Control (AGC) and Economic Dispatch (ED), measurements of generator output power and system frequency were also required. Gradually, those remote control systems were strengthened with real-time data acquisition capabilities, so that the control center can collect a variety of measurement data and circuit switch status from the power system. However, the data provided by the SCADA system is not always reliable, owing to the presence of measurement noise, communication error, and telemetry noise. Besides, the measured values that are collected cannot directly provide the operating state.

3.3 Power system state estimation

The above problems were first raised by Fred Schweppe, who also first proposed power system state estimation [8,9,10]. The introduction of the state estimation function broadened the ability of the SCADA system, and also made it possible to construct the EMS. The EMS will be equipped with an online state estimator.

In order to identify the current operating state of the electric power system, the state estimator monitors the operational restrictions in an accurate and efficient way with the help of the load on transmission lines and the voltage of busbars. It provides a reliable, real-time database for the power system, including safety assessment modules and data for analysis.

A state estimator typically includes the following functions:

- Topology processing: collect the status of circuit breakers and switches, and configure the system's online diagram form.
- Observability analysis: determine whether the existing measurement values are adequate to estimate the entire power system's state and solution. Also, recognize unobserved branches and observable islands in the system.
- Estimate solution: based on the network model and the system measurements collected, determine the optimal estimate of the entire system. It also provides optimal estimates of all line flows, loads, generator outputs and transformer taps.
- Bad value processing: detect the presence of significant errors in measurement values. Identify and remove bad measurement values when there is sufficient redundancy.
- Number errors and structure errors processing: estimate the various network parameters, such as transmission line model parameters.
- Network parameters estimation: estimate various network parameters, such as transmission line model parameters, tap-changing transformer parameters, and bypass capacitor and reactor parameters. Detect errors in network configuration results, and identify errors in the measured values when there is sufficient redundancy.

Therefore, the power system state estimator forms the core module of online security analysis. It is set up like a filter between the original data and the applications that need to use reliable data. Figure 3 describes the state estimator data and the online static security assessment process, which involves a variety of applications and functional interfaces.

Figure 3 Line static security assessment capabilities schematic

3.4 State estimation bad value detection defects

In the power system state estimation process, it is conceivable that attackers could achieve a certain goal by injecting malicious measurements. For example, an attacker can directly invade substation meters or stored meter measurements to inject malicious data. If these bad measurements affect the estimated state output, then the erroneous information generated will mislead the control center, helping the attacker to further achieve their goals.

Researchers have realized the threat of bad measurements in power systems and studied the relevant processing methods [1,2,11,12]. These methods first check whether the data is bad, and then try to identify and remove the bad data.

However, Liu [3] pointed out that all existing bad value detection algorithms based on direct current (DC) models have similar defects, and that an attacker who knows the current configuration of the power system can bypass their protection. The basic reason is that all the available DC-model-based algorithms for detecting and identifying bad measurement values rest on the assumption that "when bad measurements occur, the square of the difference between the observed values and their corresponding estimates is great." The literature [3] gives proof that this assumption is not always true. From the attacker's point of view, false data injection attacks can be made which bypass traditional bad value detection algorithms.

4 False data injection attacks
False data injection attacks are one of the most common forms of attack on smart grid systems. In this chapter we will discuss the principle, requirements and scenarios of false data injection attacks.

4.1 DC state estimation and bad value detection

In order to ensure the continued operation of the power system even if some components fail, electrical engineers use meters to monitor system components. These meters measure the active power flow of branches in the power system and the active power injection of each busbar, and the measured values are submitted to the control center, which uses the measurement values to estimate the state variables. State variables include busbar voltage phase angle and amplitude (in the DC load flow model, the voltage amplitude and reactive power flow usually need not be considered, so the state variables are usually only voltage phase angles). After obtaining the estimated values of the state variables, the control center determines whether the entire system is in a normal state. In a word, the problem of state estimation is to use the measurement values to estimate the state variables of the electric power system.

A more precise definition is as follows. Use $x = (x_1, x_2, \ldots, x_n)^T$ and $z = (z_1, z_2, \ldots, z_m)^T$ to denote the state variables and measured values, where $n$ is the number of state variables, $m$ is the number of measured values, and mn. Use $e = (e_1, e_2, \ldots, e_m)^T$ to denote the measurement error. The state variables and the measured values are linked via $z = h(x) + e$ [13]. Typically, the number of meters is far greater than the number of state variables. Thus, an overdetermined system of linear equations with $m$ equations and $n$ unknowns results. Taking into account the existence of the error, the overdetermined linear equations cannot be solved exactly. The following three methods are usually used in state estimation: maximum likelihood estimation, weighted least squares estimation, and minimum variance estimation [14]. When the measurement errors obey a normal distribution with mean zero, the above three criteria yield the same optimal estimation results.

Bad measurement values may be introduced for various reasons, such as meter error and malicious attacks. There have been many studies on bad value detection technology to protect state estimation [14,15]. Intuitively, a normal measurement meter typically generates a value close to the actual state variable. If the state estimator thinks there might be a bad measurement value, it will issue an alert.

4.2 The principle of false data injection attacks

Suppose there are $m$ meters providing $m$ measurement values $z_1, z_2, \ldots, z_m$, and an electric power system with $n$ state variables $x_1, x_2, \ldots, x_n$. The relationship between the $m$ measurement values and the $n$ state variables is represented by an $m \times n$ matrix $H$. In general, the matrix $H$ is determined by the topology and line impedances of the power system. How to build the matrix $H$ is explained in the literature [15]. Assume an attacker can access the matrix $H$ of the target power system and can manipulate the measurement values of a certain number of meters. Then the attacker can modify the measurement values systematically, bypass the bad value detection algorithm, and affect the optimal estimate of the electric power system state by injecting bad data.

$Z_a$ denotes the measurement vector containing malicious data, which can be expressed as $Z_a = z + a$, in which $z = (z_1, z_2, \ldots, z_m)^T$ denotes the original measurement vector and $a = (a_1, a_2, \ldots, a_m)^T$ is the malicious data added to the original measurement values, also known as the attack vector. An attacker can choose any nonzero vector as the attack vector $a$, and then construct the malicious measurement values as $Z_a = z + a$. If the attack vector is a linear combination of the column vectors of matrix $H$, then it can pass the traditional bad value detection. This kind of attack is called an unobservable attack, or false data injection attack.
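
The following added Python example (not part of the original paper) works through Sections 4.1 and 4.2 on a constructed 3-bus DC model: least-squares state estimation, the residual test, and why an offset of the form a = Hc leaves the residual unchanged while a single altered meter raises an alarm. It goes beyond the text by also checking whether a set of trusted meters determines the state on its own, in which case no such offset can avoid them. The matrix H, the noise values, the threshold TAU, the equal weighting of meters and all function names are assumptions made for illustration.

```python
"""Added example: DC state estimation, the residual test, and a = Hc.

H, the noise values, the threshold TAU and every function name are
constructed for illustration; none of them come from the paper.
"""

def transpose(A):
    return [list(col) for col in zip(*A)]

def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]

def solve(A, b):
    """Solve the square system A x = b (Gaussian elimination, partial pivoting)."""
    n = len(A)
    M = [list(row) + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            M[r] = [mr - f * mc for mr, mc in zip(M[r], M[col])]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][k] * x[k] for k in range(i + 1, n))) / M[i][i]
    return x

def rank(A, eps=1e-9):
    """Rank by row reduction."""
    M, rk = [list(row) for row in A], 0
    for col in range(len(M[0])):
        if rk == len(M):
            break
        piv = max(range(rk, len(M)), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < eps:
            continue
        M[rk], M[piv] = M[piv], M[rk]
        for r in range(rk + 1, len(M)):
            f = M[r][col] / M[rk][col]
            M[r] = [mr - f * mk for mr, mk in zip(M[r], M[rk])]
        rk += 1
    return rk

def estimate(H, z):
    """Least-squares estimate x_hat = (H^T H)^-1 H^T z, all meters weighted equally."""
    Ht = transpose(H)
    G = [matvec(Ht, row) for row in Ht]          # G = H^T H
    return solve(G, matvec(Ht, z))

def residual_sq(H, z):
    """Squared 2-norm of z - H x_hat, the quantity bad value detection thresholds."""
    fitted = matvec(H, estimate(H, z))
    return sum((zi - fi) ** 2 for zi, fi in zip(z, fitted))

def meters_touched(a, eps=1e-12):
    """Indices of the meters whose readings an offset vector a changes."""
    return [i for i, ai in enumerate(a) if abs(ai) > eps]

def protection_blocks_fdi(H, protected):
    """True if the trusted meters alone determine the state (rank n): then any
    a = Hc that leaves those meters untouched forces c = 0."""
    return rank([H[i] for i in protected]) == len(H[0])

# Constructed 3-bus DC model, bus 1 as reference, all line reactances 1 p.u.
# State x = (theta2, theta3). Rows: flows P12, P13, P23, then injections P2, P3.
H = [[-1, 0], [0, -1], [1, -1], [2, -1], [-1, 2]]
X_TRUE = [-0.10, -0.20]
NOISE = [0.002, -0.001, 0.001, -0.002, 0.001]
Z_CLEAN = [h + e for h, e in zip(matvec(H, X_TRUE), NOISE)]
TAU = 1e-3                                       # constructed alarm threshold

# Uncoordinated change: one meter shifted on its own.
Z_NAIVE = Z_CLEAN[:]
Z_NAIVE[0] += 0.2

# Coordinated offset a = Hc: consistent with the model, so the residual is unchanged.
C = [0.05, 0.0]
A_VEC = matvec(H, C)
Z_COORD = [z + a for z, a in zip(Z_CLEAN, A_VEC)]

if __name__ == "__main__":
    for name, z in [("clean", Z_CLEAN), ("naive", Z_NAIVE), ("a=Hc", Z_COORD)]:
        r = residual_sq(H, z)
        print(f"{name:6s} x_hat={estimate(H, z)} residual^2={r:.2e} alarm={r > TAU}")
    print("meters a = Hc must change:", meters_touched(A_VEC))
    print("trusting meter 0 alone blocks it:", protection_blocks_fdi(H, [0]))
    print("trusting meters 0 and 1 blocks it:", protection_blocks_fdi(H, [0, 1]))
```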

4.3 Requirements and the actual meaning of the attack

To achieve a false data injection attack, there are a lot of things that attackers need to do.

First, the attacker must know the current configuration of the target electric power system, in particular the topology of the system. The power system's configuration changes frequently because of planned and unexpected maintenance. Typically, this information is only accessible to the control center. Taking the sensitivity of the control center into account, physical access to the control center is highly regulated and protected. Therefore, it is very difficult for an attacker to obtain the configuration information needed to launch the attack.

Second, the attacker must be able to manipulate a certain number of measurement values. An attacker would need to physically tamper with the meters or modify the measurement values before they are transmitted to the control center. However, in most cases, meters are in a place with protection against unauthorized access, such as substations. Therefore, it is not easy to manipulate these meters.

The key benefit of studying false data injection attacks is to expose the weakness of the existing state estimation techniques. The exact impact of the attack depends not only on the errors introduced, but also on how the measurement values are used. In a particular application in today's power system, staff in control centers usually need to join the decision-making process. Experienced operators may be able to identify anomalies caused by this attack. In order to clarify what these attacks mean in different scenarios, more research will be necessary.

4.4 Attack scenario

The literature [16] considered two possible goals: random false data injection attacks and purposeful false data injection attacks. In a random false data injection attack, the purpose of the attacker is to find any attack vector that can cause miscalculation in the state estimation. In a purposeful false data injection attack, the attacker tries to inject specific errors into a particular state variable. The former attack is easier to achieve, while the latter may cause a greater hazard.

Besides, the literature [3] also mentions the following two possible attack scenarios, and discusses how attackers find the attack vectors and launch unobservable attacks. Scenario 1 is limited access to meters. In this scenario, the attacker can only access some limited and specific meters. The cause may be differences in the physical protection of meters: some meters are inside substations and under close monitoring, while others are outside and only protected by an iron box. Scenario 2 is limited resources. In this case, the attacker's resources are only enough to access a limited number of meters, so attackers will try to find the attack vector with minimum cost.

5 Summary
The power system is one of the most critical national infrastructures, the security and stability of which is the foundation of social stability and plays a key role in the fast and healthy development of the national economy. As a core module of the online security analysis system, power system state estimation is a major part of a modern energy management system. This paper describes the security risks, security objectives and security research trends in the smart grid. We introduce the fault detection and bad values of traditional power system state estimation methods, and then further describe false data injection attacks.

As described above, erroneous data injection attacks can be achieved by taking advantage of the shortcomings of traditional bad value detection algorithms. This paper analyzes the basic principle of this attack, the attack conditions and scenarios. However, we did not discuss how to prevent this kind of attack, although some research indicates that this problem might be solved by the deployment of phasor measurement units (PMU) [17]. Thus, what we can do in the future is to find some appropriate way to prevent false data injection attacks, as well as more advanced attack methods.

6 Reference
1. Fang X, Misra S, Xue G, et al. Smart grid - The new and improved power grid: A survey [J]. Communications Surveys & Tutorials, IEEE, 2012, 14(4): 944-980.
2. Bobba R B, Rogers K M, Wang Q, et al. Detecting false data injection attacks on DC state estimation [C]// Preprints of the First Workshop on Secure Control Systems, CPSWEEK. 2010, 2010.
3. Liu Y, Ning P, Reiter M K. False data injection attacks against state estimation in electric power grids [J]. ACM Transactions on Information and System Security (TISSEC), 2011, 14(1): 13.
4. Xie L, Mo Y, Sinopoli B. False data injection attacks in electricity markets [C]// Smart Grid Communications (SmartGridComm), 2010 First IEEE International Conference on. IEEE, 2010: 226-231.
5. Jia L, Thomas R J, Tong L. Malicious data attack on real-time electricity market [C]// Acoustics, Speech and Signal Processing (ICASSP), 2011 IEEE International Conference on. IEEE, 2011: 5952-5955.
6. Metke A R, Ekl R L. Security technology for smart grid networks [J]. Smart Grid, IEEE Transactions on, 2010, 1(1): 99-107.
7. Liacco T E D. Real-time computer control of power systems [J]. Proceedings of the IEEE, 1974, 62(7): 884-891.
8. Schweppe F C, Rom D B. Power system static-state estimation, Part II: Approximate model [J]. Power Apparatus and Systems, IEEE Transactions on, 1970(1): 125-130.
9. Schweppe F C, Rom D B. Power system static-state estimation, Part I: Exact model [J]. Power Apparatus and Systems, IEEE Transactions on, 1970(1): 120-125.
10. Schweppe F C. Power system static-state estimation, Part III: Implementation [J]. Power Apparatus and Systems, IEEE Transactions on, 1970(1): 130-135.
11. Morrow K L, Heine E, Rogers K M, et al. Topology perturbation for detecting malicious data injection [C]// System Science (HICSS), 2012 45th Hawaii International Conference on. IEEE, 2012: 2104-2113.
12. Abur A, Exposito A G. Power system state estimation: theory and implementation [M]. CRC Press, 2004.
13. Gomez-Exposito A, Abur A, Rousseaux P, et al. On the use of PMUs in power system state estimation [C]// Proc. 17th Power Systems Computation Conference. 2011: 22-26.
14. Wood A J, Wollenberg B F. Power generation, operation, and control [M]. John Wiley & Sons, 2012.
15. Monticelli A. State estimation in electric power systems: a generalized approach [M]. Springer, 1999.
16. Hu X H. Interpretation of the latest developments in the international network warfare [J]. Information Security and Communications Privacy, 2009(9): 7-9.
17. Chen J, Abur A. Placement of PMUs to enable bad data detection in state estimation [J]. Power Systems, IEEE Transactions on, 2006, 21(4): 1608-1615.

7 Acronyms
AGC: Automatic Generation Control
DC: Direct Current
ED: Economic Dispatch
EMS: Energy Management System
IED: Intelligent Electronic Devices
PMU: Phasor Measurement Unit
RTU: Remote Terminal Units
SCADA: Supervisory Control And Data Acquisition

Last Modified: December 1, 2014
This and other papers on current issues in network security are available online at http://www.cse.wustl.edu/~jain/cse571-14/index.html

http://www.cse.wustl.edu/~jain/cse571-14/ftp/smart_grid_security/index.html
