By Topic

• Abstract

SECTION I

## INTRODUCTION

WE are witnessing the rapid technological evolution of numerous application fields including power systems, robotics and social networking. These systems will evolve into next-generation cyber-physical systems providing a spectrum of advantages over their predecessors. However, cyber-enablement of these systems naturally leads to issues of security requiring approaches to resilient system design. Tools for modeling cyber-physical systems are of paramount importance in enabling the judicious planning and vulnerability analysis.

A vulnerability in a system exists when there is a weakness in the system, access to the weakness and a capability by an opponent to exploit the weakness. We investigate a novel theoretical modeling framework based on variable structure system theory that enables the identification of a class of reconfiguration-based weaknesses in the power grid employing formal mathematical principles. Such an approach provides a prescriptive strategy to identify possible ways to trigger rotor angle instability in synchronous generators of power systems. Moreover, our model allows us to deduce steps for practical attack construction that are amenable to simulation demonstrating the potential capability of an opponent to exploit the flaw.

We assume that access to the flaw is facilitated through smart grid communication channels providing opponent(s) opportunities for remotely controlling physical power system components such as modern circuit breakers possibly via illicit security breaches and intrusion. Thus, our vulnerability is applicable to a smart grid system with remotely connected circuit breakers and one or more synchronous generators used as targets making it relevant to a broad class of modern and future power transmission systems.

We name the class of attacks that stems from our framework coordinated variable structure switching attacks whereby an opponent aims to destabilize the power grid by leveraging corrupted communication channels and/or control signaling to hijack relevant circuit breakers. Our work represents a novel departure from existing smart grid vulnerability analysis research in that it represents the first use of variable structure system theory for attack performance analysis. This enables a prescriptive approach to vulnerability identification in contrast to methods that make use of reverse-engineering or ad hoc “what-if” analysis [1]– [2] [3] [4] [5] [6] [7] [8] [9] [10] [11][12] leading to the identification of a new class of reconfiguration-based vulnerabilities. Moreover, we extend our recent work [13]– [14][15] by enhancing the theoretical foundation to better characterize the impact of attacks and perform necessarily robustness analysis of the attack construction under practical constraints of model error and partial information.

In Section II we focus on our attack development. Attack existence and characterization are presented in Section III. Attack construction and impact are studied in Sections IV and V. We then address issues involving limitations on attacker capability in Section VI followed by final remarks in Section VIII.

SECTION II

## COORDINATED SWITCHING ATTACKS

### A. Sliding Mode in Variable Structure Systems

Variable structure systems are nonlinear systems characterized by discontinuous dynamics [16]. Such systems are considered to exhibit both continuous and discrete forms of behavior much needed for the modeling cyber-physical systems while being conducive to software implementation. Consider the following elementary variable structure system described as: TeX Source$${\mathdot{x}}=\cases{f_{1}(x,t),&s(x)>0\cr f_{2}(x,t),&s(x)\leq0},\eqno{\hbox{(1)}}$$ where $x\in\BBR^{n\times 1}$ is the system state vector, $f_{i}(x,t)\in\BBR^{n\times 1}$ represents subsystem dynamics for $i=1$, 2, $s(x)\in\BBR$ is a state-dependent switching signal (sometimes denoted simply as $s$), and $s(x)=0$ is called the $n$-dimensional switching surface. The state is a time-dependent quantity and therefore could also be denoted $x(t)$. The evolution of $x$ in time through state space is called the state trajectory of the system.

Equation (1) represents a system which abruptly switches dynamics between $f_{1}(x,t)$ and $f_{2}(x,t)$ according to the sign of $s(x)$ and is effective in modeling the action of a circuit breaker in power systems. A block diagram linking a simple power system to (1) is provided in Fig. 1 to elucidate; here, the state vector $x$ represents the physical quantities of generator phase angle and frequency. When the power system switch changes positions between loads $Z_{1}$ (Position 1) and $Z_{2}$ (Position 2) it has the effect of changing between system dynamics denoted $f_{1}(x,t)$ and $f_{2}(x,t)$, respectively.

Fig. 1. Elementary variable structure system example. (a) Elementary power system. (b) Block diagram.

Analysis of the system in (1) leads to a number of interesting properties one of which is termed sliding mode behavior [16], [17]. In the sliding mode, the state trajectory of the system of (1) is attracted and subsequently confined to the switching surface $s(x)=0$, which in this case is also termed the sliding surface.

There are two crucial aspects to this phenomenon. The first necessary condition is that the switching surface is attractive meaning that within some subset of state space, trajectories converge to the switching surface making it a sliding surface. The second requirement is that the variable structure system behavior, confined to the sliding surface, exhibits certain desired properties such as asymptotic stability, exponential growth or oscillation. We assert that this collective behavior can be used to steer the state into a position of instability for attack.

Consider a specific case of (1) assuming linear dynamics, $n=2$ and $x={[x_{1}, x_{2}]}^{T}$: TeX Source$${\mathdot{x}}=\cases{A_{1}x,&s(x)>0,~where~A_{1}=\left[\matrix{-1 &-10\cr3 &-0.3}\right]\cr A_{2}x,&s(x)\leq 0,~where~A_{2}=\left[\matrix{-0.3 & 3\cr-10 &-1}\right]}\eqno{\hbox{(2)}}$$ for some $s(x)$. The state trajectory $x(t)$, as governed by its dynamics, can be viewed geometrically in a phase portrait. The phase portraits of the individual subsystems $A_{1}$ and $A_{2}$ (i.e., assuming static switch positions of 1 and 2, respectively) are shown in both Fig. 2(a) and (b) as dashed and dash-dot lines, respectively. As can be observed, both subsystem trajectories converge to the stable equilibrium point (0, 0) from the initial condition $(25,-25)$. Moreover, it can be shown that because the subsystems are linear they are each globally asymptotically stable meaning that the trajectories will always converge to (0, 0) from any initial condition in ${\BBR}^{2}$ [18]. Thus, in this example, we can deduce that the system of (2) is stable when the switch is static in either position. This is analogous to a well-designed power system which will be stable for either an open or closed static breaker condition.

Fig. 2. Sliding mode system trajectories of (2) in the presence of variable structure switching. (a) For $s(x)=-{\rm x}_{1}+{\rm x}_{2}$. (b) For $s(x)=x_{1}+x_{2}$.

Variable structure system theory can be used to design a switching signal $s(x)$ to achieve certain desired system behaviors in (1). Traditionally, $s(x)$ has been designed to stabilize the variable structure system [16]. In this paper, we deviate from this philosophy and study how $s(x)$ may be selected by an attacker to steer the trajectory of (1) to instability thus enabling large-scale disruption in the associated power system. In Fig. 1(a) this would equate to destabilizing the generator angle and frequency resulting in transient instability of the smart grid system.

Consider the linear subsystem example of (2). We consider the following two selections for the switching signal $s(x)$, $s(x)=-x_{1}+x_{2}$ and $s(x)=x_{1}+x_{2}$, with associated phase portraits shown in Fig. 2(a) and (b), respectively. As is evident both selections instigate sliding mode behavior as convergence to the $s(x)=0$ line is clearly observed. The former however results in stable sliding mode behavior while the latter results in instability. Making a simple analogy to smart grid systems, we thus purport that it may be possible for an opponent who can control the state of a circuit breaker to determine an $s(x)$, and hence a switching sequence, that can destabilize the overall switched power system even though it is designed to exhibit stable behavior when the breaker is static.

### B. Attack Assumptions and Overview

To leverage variable structure system theory for cyber-physical attack development in a smart grid, an opponent would therefore need:

1. to first identify a (physical) target component to attack (i.e., destabilize);
2. electromechanical switching control over a corrupted circuit breaker (or equivalent) in the target's proximity;
3. a local model of the smart grid system in the vicinity of the target and breaker; and
4. knowledge of the target's state $x$.

Knowledge of a local model of the smart grid is a common assumption made in other attack literature [19], [20]. Conditions (A) and (C) collectively enable the identification of a variable structure system model of the smart grid to design a switching signal $s(x)$, if one exists, that instigates unstable sliding mode behavior; this establishes the first stage of attack construction. Conditions (B) and (D) allow implementation of the attack in the second stage of attack execution. In Section VI we relax Conditions (C) and (D).

The reader should note that to achieve Conditions (B) and (D), an opponent would have to remotely access communication systems related to the breaker and the synchrophasor sensor of the target generator, respectively. In protected information systems, this would require that the attacker illicitly infiltrate the corresponding data transmission systems. For Condition (B), the opponent would have to inject fabricated breaker control signals into the communication network. For Condition (D), the opponent would have to infiltrate the associated SCADA or synchrophasor network to intercept generator state information.

Cyber intrusion or corruption of distributed systems is a necessary assumption for vulnerability analysis especially when studying system resilience. Numerous practical examples of cyber weaknesses in smart grid communication networks have been documented [21] that range from exploiting holes in well known operating systems used by measurement and control devices to distribution-area attacks such as the hijacking of smart meters that can enable the effective shutting on/off of loads to provide the type of switching attack presented in this paper. The types of cyber intrusions necessary to be able to execute a coordinated variable structure switching attack are specific to the actual protocols, software and hardware architecture and is beyond the scope of this work.

SECTION III

## ATTACK EXISTENCE AND DYNAMICS

Assuming Conditions (A) to (D) of Section II-B hold, the existence of a coordinated variable-structure switching vulnerability for a given smart grid is directly related to the existence of a sliding mode for the associated breaker switched system. Sliding mode existence for the general class of systems in (1) is an open problem. Thus, in this section we provide existence conditions for incrementally linear subsystems to facilitate attack construction in Section IV. Moreover, we characterize the dynamics and stability properties of this class of systems during sliding mode behavior to better understand the impact of the attack. Our formulation conveniently represents the switching of a single corrupted circuit breaker or switch, but can be naturally scaled to multiple switches by increasing the number of subsystems.

The reasons for the incrementally linear assumption are three-fold. First, because many power system configurations can be approximated as linear about a local range of operating conditions, it allows for representation of a useful class; in Section V we demonstrate how one can successfully construct and execute attacks even on nonlinear power system models using this linearized model. Second, the linear approximation does not carry the same limitations for system destabilization as it would for stabilization. For stabilization, model linearization expands the region of convergence over the original nonlinear system making the system appear more stable than it really is. In contrast, we contend that such approximations for destabilization provide conservative impacts often demonstrating richer disruptions in the actual nonlinear systems. Finally, demonstrating the construction of an attack using linearized models provides intuition as to the practical feasibility of identifying such attacks with only approximate information.

### A. Sliding Mode Existence

In general, the sliding mode existence condition is given by [16](note: ${\mathdot{s}}(x)$ is the time derivative of $s(x)$): TeX Source$$s(x){\mathdot{s}}(x)<0\qquad{\rm for~s(x)~\ne 0}.\eqno{\hbox{(3)}}$$

#### 1. Nonlinear Subsystems

Typically, sliding mode existence is local for nonlinear time-varying dynamics. Determining analytic existence conditions, in the form of parameter ranges for a structure of nonlinear dynamics, is often intractable. However, a visual approach employing overlapping phase portraits of the subsystems can be used based on the following interpretation. Equation (3) is equivalent to the following: TeX Source$$\lim_{s(x)\rightarrow 0^{+}}{{\mathdot{s}}(x)}<0~{\rm and}~\lim_{s(x)\rightarrow 0^{-}}{{\mathdot{s}}(x)}>0.\eqno{\hbox{(4)}}$$ The above equation implies that if we consider the state space to be partitioned into two regions corresponding to $s(x)>0$ and $s(x)<0$ then if the state is on, say, the $s(x)>0(s(x)<0)$ side, its trajectory will be attracted to the other side (and across $s(x)=0$) due to the requirement on the rate of change of $s(x)$ that ${\mathdot s}(x)<0~({\mathdot s}(x)>0)$. The overall effect is an attraction to the $s(x)=0$ surface whereby once the state crosses $s(x)=0$ from one side to the other, it crosses right back. Visually in state-space, (3) can be evaluated by employing overlapping phase portraits of the subsystems and analyzing whether the state trajectories of the appropriate subsystems on either side of the surface push the state back to the sliding surface. Of course, the visual approach is limited to situations in which dimensionality is small.

#### 2. (Incrementally) Linear Subsystems

Analytically, we present the following theorem regarding the existence of a sliding mode for incrementally linear subsystem dynamics.

#### Theorem 1 (Existence of a Sliding Mode)

Given the variable structure system: TeX Source$${\mathdot{x}}=\cases{A_{1}x+b_{1},&s(x)>0\cr A_{2}x+b_{2},&s(x)\leq0}\eqno{\hbox{(5)}}$$ where $x\in\BBR^{n\times 1}$, $A_{i}\in\BBR^{n\times n}$, $b_{1}\in\BBR^{n\times 1}$ and $s(x)=C x\in\BBR$ for constant row vector $C=[c_{1}~c_{2}\cdots c_{n}]\in\BBR^{1\times n}$ the necessary and sufficient conditions for existence of the sliding mode are: TeX Source$$\cases{C(A_{1}x+b_{1})<0, &s(x)>0\cr C(A_{2}x+b_{2})>0, &s(x)<0}.\eqno{\hbox{(6)}}$$

#### Proof

The overall system of (5) can be represented as (for simplicity we denote $s(x)$ as $s$): TeX Source$${\mathdot{x}}=\left[{{1+{\rm sgn}(s)}\over{2}}\right](A_{1}x+b_{1})+\left[{{1-{\rm sgn}(s)}\over{2}}\right](A_{2}x+b_{2})\eqno{\hbox{(7)}}$$ where ${\rm sgn}(s)=1$ for $s>0$ and ${\rm sgn}(s)=-1$ for $s\leq 0$. From (3) a sliding mode exists if and only if $s{\mathdot{s}}<0$; we determine the conditions to guarantee this inequality where we make use that $s~{\rm sgn}(s)=\vert s\vert$: TeX Source\eqalignno{s{\mathdot{s}}=&\, sC{\mathdot{x}}=sC\left\{\left[{{1+{\rm sgn}(s)}\over{2}}\right](A_{1}x+b_{1})\right.\cr&\quad\qquad\qquad+\left.\left[{{1-{\rm sgn}(s)}\over{2}}\right](A_{2}x+b_{2})\right\}\cr=&\,{{1}\over{2}}sC(A_{1}+A_{2})x+{{1}\over{2}}\vert s\vert C(A_{1}-A_{2})x\cr=&\,{{1}\over{2}}(s+\vert s\vert)C(A_{1}x+b_{1})+{{1}\over{2}}(s-\vert s\vert)C(A_{2}x+b_{2})} which is equivalent to (6) if we impose $s{\mathdot s}<0$ and where we make use of the fact that $s+\vert s\vert>0$ and $s-\vert s\vert=0$ for $s>0$, and $s+\vert s\vert=0$ and $s-\vert s\vert<0$ for $s<0$. $\blackboxfill$

Thus, Condition (6) is necessary and sufficient to guarantee that $s{\mathdot{s}}<0$ and represents a convenient test for the existence of a sliding mode. An opponent would have to determine a vector $C=[c_{1}~c_{2}\cdots c_{n}]$ (or an associated vector range) such that (6) holds for a region in state space.

The reader should note that (6) implies that the range of $C$ for which the inequalities exist is in general dependent on the values of the state $x$. This implies that the attraction condition exists for a given neighborhood of $x$ and hence is local. To employ this criterion, an opponent would consider the neighborhood about the current equilibrium point $x^{\ast}$, $x\in{\cal N}(x^{\ast})$, and select a $C$ such that $sC(A_{1}x+b_{1})<0$ for $s>0$ and $sC(A_{2}x+b_{2})>0$ for $s<0$ for $x\in{\cal N}(x^{\ast})$.

We emphasize that the conditions above only guarantee attraction to the $s=0$ surface and do not imply stability properties of the system. The next theorem characterizes the behavior of the state once attracted to the sliding surface thus providing insight on its stability properties.

### B. Sliding Mode Dynamics

A sliding mode provides a steering quality to an opponent to shift a grid to a more vulnerable state. If a sliding mode is unstable, the state will attract to $s=0$ and then continue on the surface to infinity. In the stable case, it will eventually converge to an equilibrium point on the $s=0$ surface. To characterize the sliding mode dynamics and stability properties, we present the following theorem.

#### Theorem 2 (Sliding Mode Dynamics)

For the variable structure system: TeX Source$${\mathdot{x}}=\cases{A_{1}x+b_{1},&s(x)>0\cr A_{2}x+b_{2},&s(x)\leq 0}$$ where $x\in\BBR^{n\times 1}$, $A_{i}\in\BBR^{n\times n}$ and $b_{i}\in\BBR^{n\times 1}$, assume that a sliding mode for $s=Cx$, $C\in\BBR^{1\times n}$, exists. Then, the sliding mode dynamics can be characterized by $G(x)$ as follows: TeX Source$${\mathdot{x}}=G(x)\eqno{\hbox{(8)}}$$ where TeX Source\eqalignno{& G(x)={{1}\over{2}}\left[(A_{1}+A_{2}) x+(b_{1}+b_{2})\right]-{{1}\over{2}}[(A_{1}-A_{2}) x\cr&\qquad\qquad~~\qquad\quad+(b_{1}-b_{2})]\cdot{{C\left[(A_{1}+A_{2}) x+(b_{1}+b_{2})\right]}\over{C\left[(A_{1}-A_{2}) x+(b_{1}-b_{2})\right]}}} Moreover, the local stability properties of the system about a neighborhood of the equilibrium point $x^{\ast}\in\BBR^{n\times 1}$ can be determined stable if all non-trivial eigenvalues of $G(x^{\ast})$ are on the left half plane and unstable otherwise.

#### Proof

We assign: $G_{a}(x)={{1}\over{2}}[(A_{1}+A_{2})x+(b_{1}+b_{2})]$ and $G_{d}(x)={{1}\over{2}}[(A_{1}-A_{2})x+(b_{1}-b_{2})]$. Then, the variable structure system can be represented in the form of a control system: TeX Source$$\cases{{\mathdot{x}}=G_{a}(x)+G_{d}(x)u\cr s=Cx\cr u={\rm sgn}(s).}\eqno{\hbox{(9)}}$$ where $u\in\BBR$ is defined for a given $s=C x$. Given sliding mode existence, we can characterize its traversal along $s(x)=0$ using the method of equivalent control [17]. Here, we have:TeX Source$${\mathdot{s}}=C{\mathdot{x}}=C G_{a}(x)+CG_{d}(x)u.\eqno{\hbox{(10)}}$$ For the state confined on the sliding surface, $s={\mathdot{s}}=0$. We solve for the equivalent control $u_{eq}$ by setting (10) to zero and solving for $u$. This gives $u_{eq}=-{[CG_{d}(x)]}^{-1}CG_{a}(x)$ where the reader should note that $CG_{a}(x)$, $CG_{d}(x)\in\BBR$. The effective system dynamics on the sliding mode is therefore: TeX Source\eqalignno{{\mathdot{x}}=&\, G_{a}(x)+G_{d}(x)u_{eq}\cr=&\,{{1}\over{2}}\left[(A_{1}+A_{2}) x+(b_{1}+b_{2})\right]\cr&-{{1}\over{2}}[(A_{1}-A_{2}) x+(b_{1}-b_{2})]\cr&\cdot{{C\left[(A_{1}+A_{2}) x+(b_{1}+b_{2})\right]}\over{C\left[(A_{1}-A_{2}) x+(b_{1}-b_{2})\right]}}\cr=&\, G(x).} The local stability properties easily follow by applying linearization and Theorems 15 and 27 of [18]. $\hfill\square$

Equation (8) and (9) of Theorem III-B describe the sliding mode dynamics as a combination of the average (i.e., ${{1}\over{2}}\left[(A_{1}+A_{2}) x+(b_{1}+b_{2})\right]$) and difference (i.e, ${{1}\over{2}}\left[(A_{1}-A_{2}) x+(b_{1}-b_{2})\right]$) of the individual subsystem dynamics. The state-and sliding surface-dependent weight ${{C\left[(A_{1}+A_{2}) x+(b_{1}+b_{2})\right]}\over{C\left[(A_{1}-A_{2}) x+(b_{1}-b_{2})\right]}}\in{\BBR}$ scales the difference dynamics relative to the average dynamics to maintain the system on the sliding surface. Selection of $C$ and hence the particular sliding mode to use for switching will have an effect on the behavior of the state. If $C$ is more aligned (via the dot product measure) to the average dynamics, then the difference dynamics have greater influence than the average and vice versa.

For an attack, an opponent is concerned with power flow disruption and may be most interested in the stability properties of the sliding mode. Thus, unstable sliding modes can be leveraged through persistent switching until significant disruption results. Although perhaps not immediately obvious, stable sliding modes can also be leveraged as we demonstrate in Section V to steer the system across the stability boundary of one of the subsystems and then terminate switching to enable passive disruption.

SECTION IV

## ATTACK CONSTRUCTION

Employing our framework, we provide the steps necessary for attack construction and apply it to a case study involving the Western Electricity Coordinating Council (WECC) 3-machine system, 9-bus system. The reader should note that, from our experience, existence of a sliding mode and hence ability to construct the attack for a target generator in the proximity of a corrupted breaker is typically high for most test systems considered.

### A. Stages of Attack Construction

The stages of an attack construction are as follows.

1. Mathematically represent the system under the switching attack as a variable structure system whereby the switching rule $s(x)$ remains general.
2. For general nonlinear systems, identify the equilibrium points and linearize the system about the equilibrium points.
3. Determine the existence of and identify a class of sliding modes using Theorem III-A.2.
4. Characterize the dynamical and stability properties of the sliding modes using Theorem III-B.
5. Select and assign an identified sliding surface to $s(x)$ for attack implementation.

We contend that the steps above apply to general nonlinear models of power system dynamics; the linearization stage is critical to make use of Theorems III-A.2 and III-B. However, for general nonlinear systems, pictorial approaches for identification of sliding modes are also possible as mentioned in Section III-A. A phase portrait of each nonlinear subsystem must be determined identifying stable foci and saddle points. These phase portraits must then be overlapped. A sliding surface $s(x)=0$ may be identified visually if in the vicinity of $s(x)=0$, the trajectory vectors of the subsystems point toward the switching surface in opposite directions; this ensures that the state trajectory of the switched system will be driven to the switching surface and will stay within a neighborhood of it. The interested reader is referred to [17]. We employ the visual approach to sliding mode identification as a brief check to verify our linearized model results, but would not typically be used by an opponent for attack construction.

A natural approach to attacking a power grid would be to exploit the unstable sliding mode of a system whereby the state is steered to an arbitrarily large value. However, the reader should note that it is possible to exploit both unstable and stable sliding modes for effective power system disruption.

To illustrate the use of our variable structure theory approach, we demonstrate the construction of an attack for the well known single machine infinite bus (SMIB) power system model presented in Fig. 3.

Fig. 3. Single machine infinite bus system model. The opponent coordinates switching of the load $P_{L}$ based on the values of Generator $G_{1}$'s state $x=[\delta_{1}\omega_{1}]^{T}$.

### B. Variable Structure Representation

A typical power system is piecewise time-invariant; that is, within a short window of time representing the attack duration before disruption, the system parameters can be considered to be constant. Thus, for the purposes of our modeling for attack construction, we make use of time-invariant parameters in a swing equation-based model of the power system. Thus, the SMIB model can be expressed as [22]: TeX Source$$\cases{\quad\;\;{\mathdot{\delta}}_{1}=\omega_{1}\cr M_{1}{\mathdot{\omega}}_{1}=P_{M1}-E_{1}^{2}G_{11}\cr\qquad\qquad-s_{L}P_{L}-E_{1}E_{\infty}B_{1\infty}\sin\delta_{1}-D_{1}\omega_{1}\cr\qquad\!\!\quad=P_{1}-C_{1\infty}\sin\delta_{1}-D_{1}\omega_{1}}\eqno{\hbox{(11)}}$$ where $\delta_{1}$ and $\omega_{1}$ are the rotor angle and rotor speed deviation of Generator $G_{1}$, respectively, and collectively form the state $x=[\delta_{1}~\omega_{1}]^{T}$, $M_{1}$, $D_{1}$, $E_{1}$, $P_{M1}$ are the moment of inertia, damping coefficient, internal voltage and mechanical power of $G_{1}$, respectively, $E_{\infty}$ is the voltage at the infinite bus, $P_{L}$ is the local load at Bus 1, $s_{L}$ is the load switch status ($s_{L}=1$, if the load is connected; $s_{L}=0$, otherwise), and $B_{1\infty}$ is the transfer susceptance of the line between Bus 1 and the infinite bus. We assign $P_{1}=P_{M1}-E_{1}^{2}G_{11}-s_{L}P_{L}$ and $C_{1\infty}=E_{1}E_{\infty}B_{1\infty}$.

Assuming that $C_{1\infty}=1$, $D_{1}=0.1$, $M_{1}=0.1$, $P_{M1}-E_{1}^{2}G_{11}-P_{L}=0$, $P_{M1}-E_{1}^{2}G_{11}=0.9$, the overall variable structure system can be represented as: TeX Source\eqalignno{& A_{1}:\cases{{\mathdot{\delta}}_{1}=\omega_{1}\cr{\mathdot{\omega}}_{1}=-10\sin\delta_{1}-\omega_{1}}\quad{\rm if}~s_{L}=1\cr& A_{2}:\cases{{\mathdot{\delta}}_{1}=\omega_{1}\cr{\mathdot{\omega}}_{1}=9-10\sin\delta_{1}-\omega_{1}}{\rm if}~s_{L}=0.&{\hbox{(12)}}}

It is straightforward to determine from (12) that system $A_{1}$'s stable foci are at $(2n\pi, 0)$ and the saddle points are at $(2n\pi+\pi, 0)$ where $n\in{\BBZ}$ as shown in the phase portrait of Fig. 4(a). Any point within a stability boundary will converge to the corresponding stable focus. Similarly, for system $A_{2}$, the stable foci are at $(2n\pi+1.1198, 0)$ and $(2n\pi+2.0218, 0)$, and the saddle points are at $(2n\pi+2.0218, 0)$ as shown in the phase portrait of Fig. 4(b).

Fig. 4. Individual and overlapping phase portraits of subsystems of (12). (a) Phase portrait of system $A_{1}$. (b) Phase portrait of system $A_{2}$. (c) Close-up of overlapping phase portraits.

As discussed in Section IV-A, for a general nonlinear system the existence of a sliding mode can be determined pictorially from the overlapping phase portraits. Here, one interprets (3) visually in state space whereby a sliding surface $s(x)=0$ must be found such that in the neighborhood of this surface the trajectory vectors of each subsystem point toward the switching surface but in opposite directions. The switching between subsystems would be assigned such that when on one side of the sliding surface $s(x)=0$, the system would switch to the subsystem with trajectories pointing toward that surface. This ensures that the state trajectory of the variable structure system will be driven to the switching surface and will stay within a region of it [17].

To determine the possibility of a sliding mode in this way, the overlapping phase portraits are shown in Fig. 4(c). Visual inspection suggests there are multiple possibilities for linear sliding surfaces such as $s=6\delta_{1}+\omega_{1}$. However, in Section V we demonstrate the utilization of Theorems III-A.2 and III-B on the linearized system to determine the range of possible sliding surfaces for attack. In this way, we demonstrate the mathematical and numerical ease in determining such a vulnerability.

### C. SMIB Attack Construction

To apply Theorems III-A.2 and III-B to our SMIB power system model of (12), we must linearize its representation. Approximating $\sin\delta_{1}\approx\delta_{1}$ for $\delta_{1}$ small and assuming $s>0~(s\leq 0)$ corresponds to the load switch being closed to give $A_{1}$ (open to give $A_{2}$), we obtain:TeX Source\eqalignno{&{\mathdot{\delta}}_{1}=\omega_{1}\cr&{\mathdot{\omega}}_{1}=\cases{-10\delta_{1}-\omega_{1}, &s>0\cr 9-10\delta_{1}-\omega_{1},&s\leq0}&{\hbox{(13)}}} corresponding to $A_{1}=A_{2}=\left[\matrix{0 & 1\cr-10 &-1}\right]$, $b_{1}=\left[\matrix{0 & 0}\right]^{T}$ and $b_{2}=\left[\matrix{0 & 9}\right]^{T}$ in (5). Theorem III-A.2 provides the following sliding mode existence conditions for $s=c_{1}\delta_{1}+c_{2}\omega_{1}$: TeX Source$$\cases{\hfill c_{1}\omega_{1}-10c_{2}\delta_{1}-c_{2}\omega_{1}<0 & for~c_{1}\delta_{1}+c_{2}\omega_{1}>0\cr c_{1}\omega_{1}-10c_{2}\delta_{1}-c_{2}\omega_{1}+9c_{2}>0 & for~c_{1}\delta_{1}+c_{2}\omega_{1}<0}.\eqno{\hbox{(14)}}$$ Fig. 5 illustrates this overall region; the regions delineated $s<0$ and $s>0$ denote the values of $(c_{1},c_{2})$ for which $c_{1}\omega_{1}-10c_{2}\delta_{1}-c_{2}\omega_{1}<0$ and $c_{1}\omega_{1}-10c_{2}\delta_{1}-c_{2}\omega_{1}+9c_{2}>0$ about $x^{\ast}=[1.1198~~0]^{T}$, respectively. We can construct an attack by selecting $C=[6~1]$ corresponding to $s=6\delta_{1}+\omega_{1}$. Applying Theorem III-B, we find that it is a stable sliding mode.

Fig. 5. Valid sliding mode parameter region about neighborhood of $x^{\ast}=[1:1198~0]^{T}$.
SECTION V

## ATTACK EXECUTION AND IMPACT

In this section we execute a coordinated variable structure switching attack using our sliding mode selection of $s=6\delta_{1}+\omega_{1}$ on the nonlinear SMIB and a more realistic test system to demonstrate the value of Theorems III-A.2 and III-B for attack construction on linearized models. Our target in both cases is Generator $G_{1}$ and the corrupted breaker is that associated with load switching.

### A. Nonlinear SMIB Case Study

Consider application of a switching attack on the nonlinear SMIB model of (12). We assume that the load is initially disconnected (i.e., is at $A_{2}$) and apply the attack from 0 to 2.5 seconds, which drives the system trajectory across the stability boundary of subsystem $A_{2}$ at which time the attack finally switches the system dynamics to $A_{2}$ permanently as observed in Fig. 6(a). Thus, $G_{1}$ is destabilized within seconds by steering its state over the stability boundary via the switching attack. The reader should note that as discussed $s=6\delta_{1}+\omega_{1}$ is a stable sliding mode. Thus, persistent switching (opposed to that limited to 2.5 s) will result in steering the power system from the initial stable focus of (1.1198, 0) to the stable focus of (0, 0) as presented in Fig. 6(b).

Fig. 6. Switching attack on System (12) for $s=6\delta_{1}+\omega_{1}$. (a) Stop time of 2.5 seconds. (b) No stop time.

### B. WECC 3-Generator, 9-Bus Case Study

To further demonstrate the utility of the attack, we consider a variant of the well-known Western Electricity Coordinating Council (WECC) 3-machine, 9-bus system [23] presented in Fig. 7. This system can be approximated with the second order nonlinear SMIB model of (12). Thus, we apply the same sliding surface $s=6\delta_{1}+\omega_{1}$ for attack.

Fig. 7. One-line diagram of revised WECC system.

The test system in question is simulated in PSCAD (Power System Computer Aided Design, https://hvdc.ca/pscad/) software, one of the most popular power system simulation tools. PSCAD enables the modeling of generator controls including governors and exciters as well as protective relays to demonstrate the potential of our approach to disrupt real power system operation. The test system is based on the WECC system, with the addition of a transmission line, a local load, and a gas turbine generator. Here, the base MVA is 100, the system normal frequency is 60 Hz and the generator parameters are shown in Table I. The transmission line connecting Generator $G_{1}$ and the infinite bus are modeled using an inductor of 0.014 H. The local load $P_{L}$ is chosen to be 32.4 MW modeled using a constant resistor. The PSCAD step size was chosen to be 50 $\mu{\rm s}$.

TABLE I Generator Parameters for Fig. 7 System

For consistent comparison, simulations of the WECC system are presented for the same system initial conditions and stop time as employed for the second order nonlinear SMIB model of the previous section. Specifically, the initial state of the WECC system is set to to the stable focus of (1.1198, 0). If $s>0$, the system dynamics switch to system $A_{1}$ and if $s\leq 0$, they switch to $A_{2}$. The switching attack is applied from 0.2248 to 2.7248 seconds (the non-zero start time is necessary for PSCAD implementation of the attacked system), which once again drives the system trajectory across the stability boundary of $A_{2}$ at which point the switch is permanently set to $A_{2}$ making the system unstable. The frequency relays of all generators including $G_{1}$ are set to trip for a deviation more than ${\pm}{5\%}$ of the nominal frequency (of $2\pi\times 60=377~{\rm rad}/{\rm s}$), which corresponds to 18.8 rad/sec; in this way we also take into account the response of the non-corrupted breakers to the switching attack. PSCAD simulations demonstrate in Fig. 8(a) how at time 2.7248 seconds (which corresponds to 2.5 seconds in the SMIB simulation due to the delayed start time), the system state diverges. The deviation from nominal frequency, phase angle and output voltage of Generator $G_{1}$ during the attack is shown in Fig. 8(b)–(d), respectively. As observed, the frequency and voltage of $G_{1}$ become unstable right after application of the attack.

Fig. 8. PSCAD simulation results of WECC system for $s=6\delta_{1}+\omega_{1}$ switching from 0 to 2:5 seconds. (a) System state trajectory. (b) $G_{1}$ deviation from nominal frequency. (c) $G_{1}$ phase angle. (d) $G_{1}$ output voltage.

To illustrate how the sliding mode exploited for the attack is in fact stable, the same coordinated switching is applied indefinitely with results presented in Fig. 9.

Fig. 9. PSCAD simulation results of WECC system in the presence of persistent variable structure switching for $s=6\delta_{1}+\omega_{1}$ from 0 seconds. (a) System state trajectory. (b) $G_{1}$ deviation from nominal frequency. (c) $G_{1}$ phase angle. (d) $G_{1}$ output voltage.

### C. Efficacy of Linearized Results

We assert that the attack theory and analysis presented in this paper has the potential to be employed, in part, as a tool to understand possibility vulnerabilities in future smart grid systems as well as the worst-case impact of switching attacks. One measure of the degree of weakness exhibited by a system could relate to the range of possible sliding modes available for an opponent to exploit.

For this reason, Theorem III-A.2 can be a useful tool when applied to a linearized smart grid system. To demonstrate the value of the linearized results, we present in Table II the ranges of $c_{1}$ corresponding to the existence or lack of sliding mode for the three systems: linearized SMIB, nonlinear SMIB and high-order WECC. It is clear that there is a large overlap in the existence of a sliding mode in both the nonlinear and linearized versions demonstrating how our approximation does not significantly affect the degree of vulnerability present in the system.

TABLE II Empirical Existence of Sliding Surface $s=c_{1}\delta_{1}+\omega_{1}$ for Linearized SMIB, Nonlinear SMIB, Nonlinear SMIB With Parameter Errors and WECC Test System. Simulation Tests Were Conducted for $c_{1}\in{Z}$ and ${-}20\leq c_{1}\leq 20$
SECTION VI

## LIMITATIONS ON ATTACKER KNOWLEDGE

To construct and apply a successful coordinated variable structure switching attack, an opponent would need to leverage cyber intrusion to enable Conditions (B) and (D) of Section II-B as well as have a local model of the smart grid in the proximity of the target and corrupt breaker.

Given the need for timed coordination in the attack, switching control is imperative for success. However, in this section, we assess the effect of limitations on opponent knowledge to the ability to construct and execute an attack. We focus on model error, which affects the ability to construct a feasible attack and strategies to contend with only partial state information, which affects attack execution.

### A. Model Parameter Error

Questions naturally arise as to the effects of model error on attack construction. Consider the system of (12) with parameter error: TeX Source\eqalignno{&A_{1}:\cases{{\mathdot{\delta}}_{1}=0(1+\varepsilon_{11})+(1+\varepsilon_{12})\omega_{1}\cr{\mathdot{\omega}}_{1}=(-10+\varepsilon_{13})\sin\delta_{1}+(-1+\varepsilon_{14})\omega_{1}}\cr& A_{2}:\cases{{\mathdot{\delta}}_{1}=0(1+\varepsilon_{21})+(1+\varepsilon_{22})\omega_{1}\cr{\mathdot{\omega}}_{1}=9+(-10+\varepsilon_{23})\sin\delta_{1}+(-1+\varepsilon_{24})\omega_{1}.}&{\hbox{(15)}}} where $\{\varepsilon_{ij}\}$ are specific parameter error values. The existence conditions of Theorem III-A.2 become: TeX Source\eqalignno{& c_{1}(1+\varepsilon_{12})\omega_{1}-10c_{2}(1+\varepsilon_{13})\delta_{1}-c_{2}(1+\varepsilon_{14})\omega_{1}<0\cr&\hskip 14em{\rm for}~c_{1}\delta_{1}+c_{2}\omega_{1}>0\cr&c_{1}(1+\varepsilon_{22})\omega_{1}-10c_{2}(1+\varepsilon_{23})\delta_{1}-c_{2}(1+\varepsilon_{24})\omega_{1}\cr&\hskip 18em+9c_{2}>0\cr&\hskip 14em{\rm for}~c_{1}\delta_{1}+c_{2}\omega_{1}<0} Fig. 10 illustrates the effects of errors; the associated change in slope of the region boundaries due to parameter errors result in both false positives and false negatives for the determination of $C$. Study of Fig. 10 reveals that a robust strategy for the selection of $C$ would be to select a value internal to the region boundaries. If bounds on $\varepsilon_{ij}$ are available, then it is possible guarantee a robust selection of $C$ that is far enough from the boundaries.

Fig. 10. Effect of model error on sliding mode identification. Selection of $C=[6~1]$ is internal to the boundaries and guarantees robustness against a degree of model error.

### B. Partial State Information

The opponent may gain target state information through cyber intrusion and eavesdropping. The feasibility of this depends on the communication media and protocols used; further discussion is beyond the scope of this paper.

In this section, we investigate the efficacy of our attack approach when only partial state information is available. Here, we assume that the opponent aims to estimate the missing state information, from say other available information, resulting in an increase in attack complexity.

We consider the case in which an attack is applied to the revised WECC test system of Fig. 7. We assume that the Generator $G_{1}$ frequency $\omega_{1}$ is known to the opponent, but the rotor angle $\delta_{1}$ must be estimated in some way. Specifically, we assume as an example the terminal voltage and current of an associated transmission line is known and must be used in the estimation of $\delta_{1}$.

Modeling the standard WECC system in relation to $G_{1}$ as a SMIB system, we obtain the system in Fig. 11. Applying Kirchoff's law gives: TeX Source\eqalignno{E_{1}\angle\delta_{1}=&\, jX^{\prime}_{d}I\angle\alpha+E\angle\theta\cr=&\, (E\cos\theta-X^{\prime}_{d}I\cdot\sin\alpha)+j(E\sin\theta-X^{\prime}_{d}I\cos\alpha)} where $E_{1}\angle\delta_{1}$ is the generator internal voltage, $jX^{\prime}_{d}$ is the impedance of transmission line, $I\angle\alpha$ is the current of transmission line and $E\angle\theta$ is the terminal voltage. Thus, the generator internal voltage $E_{1}$ and phase angle $\delta_{1}$ can be estimated using the following equations: TeX Source$$E_{1}=\sqrt{{(E\cos\theta-X^{\prime}_{d}I\cdot\sin\alpha)}^{2}+{(E\sin\theta-X^{\prime}_{d}I\cos\alpha)}^{2}}\eqno{\hbox{(16)}}$$ and $\tan\delta_{1}={{E\sin\theta+X^{\prime}_{d}I\cos\alpha}\over{E\cos\theta-X^{\prime}_{d}I\sin\alpha}}$.

Fig. 11. SMIB system approximation for partial state estimation.

Given the approximation that $\tan\delta_{1}\approx\delta_{1}$ when $\delta_{1}$ is small, we have TeX Source$$\delta_{1}\approx\tan\delta_{1}={{E\sin\theta+X^{\prime}_{d}I\cos\alpha}\over{E\cos\theta-X^{\prime}_{d}I\sin\alpha}}.\eqno{\hbox{(17)}}$$ Therefore, $\delta_{1}$ can be estimated via the terminal voltage $E\angle\theta$ and current $I\angle\alpha$ of transmission line as follows: TeX Source$$\left[\matrix{{\mathhat\delta}_{1}\cr\omega_{1}}\right]=\left[\matrix{{{E\sin\theta+X^{\prime}_{d}I\cos\alpha}\over{E\cos\theta-X^{\prime}_{d}I\sin\alpha}}\cr\omega_{1}}\right].\eqno{\hbox{(18)}}$$

Using this estimation approach, we apply the attack from 0 to 2.5 seconds on a PSCAD simulation of the test system of Fig. 7; as shown in Fig. 12, the system dynamics follow the sliding mode to subsequently produce instability and disruption.

Fig. 12. Coordinated switching attack with partial state knowledge on test system of Fig. 7. (a) G1 phase angle. (b) G1 deviation from nominal frequency. (c) Switch Status.
SECTION VII

## RELATED WORK

Our work builds on the body of recent research that has focused on the interaction between the cyber and physical aspects of a smart grid to aid in vulnerability analysis takes on a variety of flavors. These techniques can be classified into a number of categories. Static approaches [1] consider the topological information about the smart grid in order to study vulnerabilities often using graph-theoretic means. Compact relationships between system components that can lead to cascading corruption and failure are identified. Empirical approaches [12] [13]– [14][15] harness research and development of realistic communications and power systems simulators. These two forms of simulators are combined such that an attack is applied in the communication simulator that transfers data to the power systems simulator which makes decisions based on this possibly corrupt information. Typical traditional power system reliability metrics are used to assess impact of the cyber attacks. Such approaches are valuable in providing indications of attack impacts, but often require exhaustive ‘what-if’ forms of attack case analysis that are limited from providing general principles for grid design. In cyber-physical leakage approaches [24], [25] confidentiality of the cyber network is studied by identifying how voltage and current measurements of the physical power system can be successfully analyzed for any clues about cyber protocol activity. Testbed research addresses the exploration of practical vulnerabilities through SCADA testbed development and construction [11], [12]. Although some insights on how to protection industrial control systems for SCADA are provided. There exists room to develop more prescriptive approaches to provide more general design guidelines for future smart grid systems.

SECTION VIII

## FINAL REMARKS

A grand challenge in cyber-physical systems research is the development of models that elegantly interface the discrete-time characteristics of the cyber infrastructure with the analog nature of the physical system. We believe that our use of variable structure system theory conveniently interfaces the switching cyber-control within power systems to provide a novel way to understand the cyber-physical interaction and in the case of this paper gain insight into new forms of vulnerability. In addition, it lends itself to a natural mathematical framework and formalism useful for automatic identification of vulnerabilities. The use of dynamical systems allows for flexible granularity and can conveniently be implemented for simulation.

Our work demonstrates the efficacy of coordinated variable structure switching attacks by demonstrating how attack construction on a linearized version of the system still executes on nonlinear and realistic models of the system. Moreover, the attack can be successful even under conditions of model error and partial state knowledge. Future work will aim to apply variable structure system theory to model robotics systems as discussed in [26] and [27] and generalized social networking contexts when switched dynamics may be appropriate for representing simple cyber-assisted human decision-making amongst finite choices such as those made when gambling or in elections.

## Footnotes

This work was supported by the National Science Foundation under NSF Grant EECS-1028246 and the Norman Hackerman Advanced Research Program under Project 000512-0111-2009.

## References

No Data Available

## Cited By

No Data Available

None

## Multimedia

No Data Available
This paper appears in:
No Data Available
Issue Date:
No Data Available
On page(s):
No Data Available
ISSN:
None
INSPEC Accession Number:
None
Digital Object Identifier:
None
Date of Current Version:
No Data Available
Date of Original Publication:
No Data Available