SECTION I

INTRODUCTION

We are witnessing the rapid technological evolution of numerous application fields including power systems, robotics and social networking. These systems will evolve into next-generation cyber-physical systems providing a spectrum of advantages over their predecessors. However, cyber-enablement of these systems naturally leads to issues of security requiring approaches to resilient system design. Tools for modeling cyber-physical systems are of paramount importance in enabling judicious planning and vulnerability analysis.

A vulnerability in a system exists when there is a weakness in the system, access to the weakness and a capability by an opponent to exploit the weakness. We investigate a novel theoretical modeling framework based on variable structure system theory that enables the identification of a class of reconfiguration-based weaknesses in the power grid employing formal mathematical principles. Such an approach provides a prescriptive strategy to identify possible ways to trigger rotor angle instability in synchronous generators of power systems. Moreover, our model allows us to deduce steps for practical attack construction that are amenable to simulation demonstrating the potential capability of an opponent to exploit the flaw.

We assume that access to the flaw is facilitated through smart grid communication channels providing opponent(s) opportunities for remotely controlling physical power system components such as modern circuit breakers possibly via illicit security breaches and intrusion. Thus, our vulnerability is applicable to a smart grid system with remotely connected circuit breakers and one or more synchronous generators used as targets making it relevant to a broad class of modern and future power transmission systems.

We name the class of attacks that stems from our framework coordinated variable structure switching attacks whereby an opponent aims to destabilize the power grid by leveraging corrupted communication channels and/or control signaling to hijack relevant circuit breakers. Our work represents a novel departure from existing smart grid vulnerability analysis research in that it represents the first use of variable structure system theory for attack performance analysis. This enables a prescriptive approach to vulnerability identification in contrast to methods that make use of reverse-engineering or ad hoc “what-if” analysis [1]–[12], leading to the identification of a new class of reconfiguration-based vulnerabilities. Moreover, we extend our recent work [13]–[15] by enhancing the theoretical foundation to better characterize the impact of attacks and perform necessary robustness analysis of the attack construction under practical constraints of model error and partial information.

In Section II we focus on our attack development. Attack existence and characterization are presented in Section III. Attack construction and impact are studied in Sections IV and V. We then address issues involving limitations on attacker capability in Section VI followed by final remarks in Section VIII.

SECTION II

COORDINATED SWITCHING ATTACKS

A. Sliding Mode in Variable Structure Systems

Variable structure systems are nonlinear systems characterized by discontinuous dynamics [16]. Such systems are considered to exhibit both continuous and discrete forms of behavior much needed for modeling cyber-physical systems while being conducive to software implementation. Consider the following elementary variable structure system described as:

$$\dot{x}=\begin{cases}f_{1}(x,t), & s(x)>0\\ f_{2}(x,t), & s(x)\leq 0\end{cases}\tag{1}$$

where $x\in\mathbb{R}^{n\times 1}$ is the system state vector, $f_{i}(x,t)\in\mathbb{R}^{n\times 1}$ represents subsystem dynamics for $i=1, 2$, $s(x)\in\mathbb{R}$ is a state-dependent switching signal (sometimes denoted simply as $s$), and $s(x)=0$ is called the $n$-dimensional switching surface. The state is a time-dependent quantity and therefore could also be denoted $x(t)$. The evolution of $x$ in time through state space is called the state trajectory of the system.

Equation (1) represents a system which abruptly switches dynamics between $f_{1}(x,t)$ and $f_{2}(x,t)$ according to the sign of $s(x)$ and is effective in modeling the action of a circuit breaker in power systems. A block diagram linking a simple power system to (1) is provided in Fig. 1 to elucidate; here, the state vector $x$ represents the physical quantities of generator phase angle and frequency. When the power system switch changes positions between loads $Z_{1}$ (Position 1) and $Z_{2}$ (Position 2) it has the effect of changing between system dynamics denoted $f_{1}(x,t)$ and $f_{2}(x,t)$, respectively.

Fig. 1. Elementary variable structure system example. (a) Elementary power system. (b) Block diagram.

Analysis of the system in (1) leads to a number of interesting properties one of which is termed sliding mode behavior [16], [17]. In the sliding mode, the state trajectory of the system of (1) is attracted and subsequently confined to the switching surface $s(x)=0$, which in this case is also termed the sliding surface.

There are two crucial aspects to this phenomenon. The first necessary condition is that the switching surface is attractive meaning that within some subset of state space, trajectories converge to the switching surface making it a sliding surface. The second requirement is that the variable structure system behavior, confined to the sliding surface, exhibits certain desired properties such as asymptotic stability, exponential growth or oscillation. We assert that this collective behavior can be used to steer the state into a position of instability for attack.

Consider a specific case of (1) assuming linear dynamics, $n=2$ and $x=[x_{1}, x_{2}]^{T}$:

$$\dot{x}=\begin{cases}A_{1}x, & s(x)>0, \text{ where } A_{1}=\begin{bmatrix}-1 & -10\\ 3 & -0.3\end{bmatrix}\\[4pt] A_{2}x, & s(x)\leq 0, \text{ where } A_{2}=\begin{bmatrix}-0.3 & 3\\ -10 & -1\end{bmatrix}\end{cases}\tag{2}$$

for some $s(x)$. The state trajectory $x(t)$, as governed by its dynamics, can be viewed geometrically in a phase portrait. The phase portraits of the individual subsystems $A_{1}$ and $A_{2}$ (i.e., assuming static switch positions of 1 and 2, respectively) are shown in both Fig. 2(a) and (b) as dashed and dash-dot lines, respectively. As can be observed, both subsystem trajectories converge to the stable equilibrium point (0, 0) from the initial condition $(25,-25)$. Moreover, it can be shown that because the subsystems are linear they are each globally asymptotically stable meaning that the trajectories will always converge to (0, 0) from any initial condition in $\mathbb{R}^{2}$ [18]. Thus, in this example, we can deduce that the system of (2) is stable when the switch is static in either position. This is analogous to a well-designed power system which will be stable for either an open or closed static breaker condition.

Fig. 2. Sliding mode system trajectories of (2) in the presence of variable structure switching. (a) For $s(x)=-x_{1}+x_{2}$. (b) For $s(x)=x_{1}+x_{2}$.

Variable structure system theory can be used to design a switching signal $s(x)$ to achieve certain desired system behaviors in (1). Traditionally, $s(x)$ has been designed to stabilize the variable structure system [16]. In this paper, we deviate from this philosophy and study how $s(x)$ may be selected by an attacker to steer the trajectory of (1) to instability thus enabling large-scale disruption in the associated power system. In Fig. 1(a) this would equate to destabilizing the generator angle and frequency resulting in transient instability of the smart grid system.

Consider the linear subsystem example of (2). We consider the following two selections for the switching signal $s(x)$, $s(x)=-x_{1}+x_{2}$ and $s(x)=x_{1}+x_{2}$, with associated phase portraits shown in Fig. 2(a) and (b), respectively. As is evident both selections instigate sliding mode behavior as convergence to the $s(x)=0$ line is clearly observed. The former however results in stable sliding mode behavior while the latter results in instability. Making a simple analogy to smart grid systems, we thus purport that it may be possible for an opponent who can control the state of a circuit breaker to determine an $s(x)$, and hence a switching sequence, that can destabilize the overall switched power system even though it is designed to exhibit stable behavior when the breaker is static.
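The behavior of the toy system (2) under the two switching signals can be reproduced numerically. The Python below is an added illustration, not code from the paper: it integrates (2) with forward Euler from $(25,-25)$ and measures the exponential rate of $\vert x\vert$ once the state is confined to $s(x)=0$. The step size, time horizon and function names are assumptions made for this example.

```python
import math

# Subsystem matrices of (2): s(x) > 0 selects A1, s(x) <= 0 selects A2.
A1 = ((-1.0, -10.0), (3.0, -0.3))
A2 = ((-0.3, 3.0), (-10.0, -1.0))


def is_hurwitz(A):
    """A real 2x2 matrix is asymptotically stable iff trace < 0 and det > 0."""
    trace = A[0][0] + A[1][1]
    det = A[0][0] * A[1][1] - A[0][1] * A[1][0]
    return trace < 0 and det > 0


def euler_step(A, x, dt):
    """One forward-Euler step of x' = A x."""
    return (x[0] + dt * (A[0][0] * x[0] + A[0][1] * x[1]),
            x[1] + dt * (A[1][0] * x[0] + A[1][1] * x[1]))


def simulate(C, x0=(25.0, -25.0), t_end=3.0, dt=1e-4, keep_every=100):
    """Integrate (2) under s(x) = C x; dt and t_end are assumed values.

    Returns (samples, toggles): samples are (t, x1, x2) tuples and toggles
    counts how often the active subsystem changed (switch operations).
    """
    x, position, toggles, samples = x0, None, 0, []
    for k in range(int(round(t_end / dt)) + 1):
        s = C[0] * x[0] + C[1] * x[1]
        new_position = 1 if s > 0 else 2
        if position is not None and new_position != position:
            toggles += 1
        position = new_position
        if k % keep_every == 0:
            samples.append((k * dt, x[0], x[1]))
        x = euler_step(A1 if position == 1 else A2, x, dt)
    return samples, toggles


def exponential_rate(samples, t_from=1.5):
    """Average growth rate of |x| between t_from and the final sample."""
    tail = [p for p in samples if p[0] >= t_from - 1e-9]
    (t0, a0, b0), (t1, a1, b1) = tail[0], tail[-1]
    return (math.log(math.hypot(a1, b1)) - math.log(math.hypot(a0, b0))) / (t1 - t0)


def summarize(C):
    """Run one simulation and report rate, toggles, final |x| and final s(x)."""
    samples, toggles = simulate(C)
    _, x1, x2 = samples[-1]
    return {"rate": exponential_rate(samples),
            "toggles": toggles,
            "final_norm": math.hypot(x1, x2),
            "final_s": C[0] * x1 + C[1] * x2}


if __name__ == "__main__":
    print("A1 stable alone:", is_hurwitz(A1), "| A2 stable alone:", is_hurwitz(A2))
    for label, C in (("s = -x1 + x2", (-1.0, 1.0)), ("s =  x1 + x2", (1.0, 1.0))):
        r = summarize(C)
        print(f"{label}: rate {r['rate']:+.2f}/s, toggles {r['toggles']}, "
              f"|x(3)| = {r['final_norm']:.3g}")
```

Both subsystems are stable on their own, yet the measured rates differ in sign: the average of the two vector fields along $x_{2}=x_{1}$ contracts, while along $x_{2}=-x_{1}$ it expands. The toggle count shows that the confinement to $s(x)=0$ is sustained by rapid switching between the two subsystems.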

B. Attack Assumptions and Overview

To leverage variable structure system theory for cyber-physical attack development in a smart grid, an opponent would therefore need:

  (A) to first identify a (physical) target component to attack (i.e., destabilize);
  (B) electromechanical switching control over a corrupted circuit breaker (or equivalent) in the target's proximity;
  (C) a local model of the smart grid system in the vicinity of the target and breaker; and
  (D) knowledge of the target's state $x$.

Knowledge of a local model of the smart grid is a common assumption made in other attack literature [19], [20]. Conditions (A) and (C) collectively enable the identification of a variable structure system model of the smart grid to design a switching signal $s(x)$, if one exists, that instigates unstable sliding mode behavior; this establishes the first stage of attack construction. Conditions (B) and (D) allow implementation of the attack in the second stage of attack execution. In Section VI we relax Conditions (C) and (D).

The reader should note that to achieve Conditions (B) and (D), an opponent would have to remotely access communication systems related to the breaker and the synchrophasor sensor of the target generator, respectively. In protected information systems, this would require that the attacker illicitly infiltrate the corresponding data transmission systems. For Condition (B), the opponent would have to inject fabricated breaker control signals into the communication network. For Condition (D), the opponent would have to infiltrate the associated SCADA or synchrophasor network to intercept generator state information.

Cyber intrusion or corruption of distributed systems is a necessary assumption for vulnerability analysis especially when studying system resilience. Numerous practical examples of cyber weaknesses in smart grid communication networks have been documented [21] that range from exploiting holes in well known operating systems used by measurement and control devices to distribution-area attacks such as the hijacking of smart meters that can enable the effective shutting on/off of loads to provide the type of switching attack presented in this paper. The types of cyber intrusions necessary to be able to execute a coordinated variable structure switching attack are specific to the actual protocols, software and hardware architecture and are beyond the scope of this work.

SECTION III

ATTACK EXISTENCE AND DYNAMICS

Assuming Conditions (A) to (D) of Section II-B hold, the existence of a coordinated variable-structure switching vulnerability for a given smart grid is directly related to the existence of a sliding mode for the associated breaker switched system. Sliding mode existence for the general class of systems in (1) is an open problem. Thus, in this section we provide existence conditions for incrementally linear subsystems to facilitate attack construction in Section IV. Moreover, we characterize the dynamics and stability properties of this class of systems during sliding mode behavior to better understand the impact of the attack. Our formulation conveniently represents the switching of a single corrupted circuit breaker or switch, but can be naturally scaled to multiple switches by increasing the number of subsystems.

The reasons for the incrementally linear assumption are three-fold. First, because many power system configurations can be approximated as linear about a local range of operating conditions, it allows for representation of a useful class; in Section V we demonstrate how one can successfully construct and execute attacks even on nonlinear power system models using this linearized model. Second, the linear approximation does not carry the same limitations for system destabilization as it would for stabilization. For stabilization, model linearization expands the region of convergence over the original nonlinear system making the system appear more stable than it really is. In contrast, we contend that such approximations for destabilization provide conservative impacts often demonstrating richer disruptions in the actual nonlinear systems. Finally, demonstrating the construction of an attack using linearized models provides intuition as to the practical feasibility of identifying such attacks with only approximate information.

A. Sliding Mode Existence

In general, the sliding mode existence condition is given by [16] (note: $\dot{s}(x)$ is the time derivative of $s(x)$):

$$s(x)\dot{s}(x)<0\qquad\text{for } s(x)\neq 0.\tag{3}$$

1. Nonlinear Subsystems

Typically, sliding mode existence is local for nonlinear time-varying dynamics. Determining analytic existence conditions, in the form of parameter ranges for a structure of nonlinear dynamics, is often intractable. However, a visual approach employing overlapping phase portraits of the subsystems can be used based on the following interpretation. Equation (3) is equivalent to the following:

$$\lim_{s(x)\rightarrow 0^{+}}\dot{s}(x)<0\quad\text{and}\quad\lim_{s(x)\rightarrow 0^{-}}\dot{s}(x)>0.\tag{4}$$

The above equation implies that if we consider the state space to be partitioned into two regions corresponding to $s(x)>0$ and $s(x)<0$ then if the state is on, say, the $s(x)>0$ ($s(x)<0$) side, its trajectory will be attracted to the other side (and across $s(x)=0$) due to the requirement on the rate of change of $s(x)$ that $\dot{s}(x)<0$ ($\dot{s}(x)>0$). The overall effect is an attraction to the $s(x)=0$ surface whereby once the state crosses $s(x)=0$ from one side to the other, it crosses right back. Visually in state-space, (3) can be evaluated by employing overlapping phase portraits of the subsystems and analyzing whether the state trajectories of the appropriate subsystems on either side of the surface push the state back to the sliding surface. Of course, the visual approach is limited to situations in which dimensionality is small.

2. (Incrementally) Linear Subsystems

Analytically, we present the following theorem regarding the existence of a sliding mode for incrementally linear subsystem dynamics.

Theorem 1 (Existence of a Sliding Mode)

Given the variable structure system:

$$\dot{x}=\begin{cases}A_{1}x+b_{1}, & s(x)>0\\ A_{2}x+b_{2}, & s(x)\leq 0\end{cases}\tag{5}$$

where $x\in\mathbb{R}^{n\times 1}$, $A_{i}\in\mathbb{R}^{n\times n}$, $b_{i}\in\mathbb{R}^{n\times 1}$ and $s(x)=Cx\in\mathbb{R}$ for constant row vector $C=[c_{1}~c_{2}\cdots c_{n}]\in\mathbb{R}^{1\times n}$, the necessary and sufficient conditions for existence of the sliding mode are:

$$\begin{cases}C(A_{1}x+b_{1})<0, & s(x)>0\\ C(A_{2}x+b_{2})>0, & s(x)<0\end{cases}.\tag{6}$$

Proof

The overall system of (5) can be represented as (for simplicity we denote $s(x)$ as $s$):

$$\dot{x}=\left[\frac{1+\operatorname{sgn}(s)}{2}\right](A_{1}x+b_{1})+\left[\frac{1-\operatorname{sgn}(s)}{2}\right](A_{2}x+b_{2})\tag{7}$$

where $\operatorname{sgn}(s)=1$ for $s>0$ and $\operatorname{sgn}(s)=-1$ for $s\leq 0$. From (3) a sliding mode exists if and only if $s\dot{s}<0$; we determine the conditions to guarantee this inequality where we make use that $s\,\operatorname{sgn}(s)=\vert s\vert$:

$$\begin{aligned}s\dot{s}&=sC\dot{x}=sC\left\{\left[\frac{1+\operatorname{sgn}(s)}{2}\right](A_{1}x+b_{1})+\left[\frac{1-\operatorname{sgn}(s)}{2}\right](A_{2}x+b_{2})\right\}\\&=\frac{1}{2}sC(A_{1}+A_{2})x+\frac{1}{2}\vert s\vert C(A_{1}-A_{2})x\\&=\frac{1}{2}(s+\vert s\vert)C(A_{1}x+b_{1})+\frac{1}{2}(s-\vert s\vert)C(A_{2}x+b_{2})\end{aligned}$$

which is equivalent to (6) if we impose $s\dot{s}<0$ and where we make use of the fact that $s+\vert s\vert>0$ and $s-\vert s\vert=0$ for $s>0$, and $s+\vert s\vert=0$ and $s-\vert s\vert<0$ for $s<0$. $\blacksquare$

Thus, Condition (6) is necessary and sufficient to guarantee that $s\dot{s}<0$ and represents a convenient test for the existence of a sliding mode. An opponent would have to determine a vector $C=[c_{1}~c_{2}\cdots c_{n}]$ (or an associated vector range) such that (6) holds for a region in state space.

The reader should note that (6) implies that the range of $C$ for which the inequalities exist is in general dependent on the values of the state $x$. This implies that the attraction condition exists for a given neighborhood of $x$ and hence is local. To employ this criterion, an opponent would consider the neighborhood about the current equilibrium point $x^{\ast}$, $x\in\mathcal{N}(x^{\ast})$, and select a $C$ such that $sC(A_{1}x+b_{1})<0$ for $s>0$ and $sC(A_{2}x+b_{2})>0$ for $s<0$ for $x\in\mathcal{N}(x^{\ast})$.

We emphasize that the conditions above only guarantee attraction to the $s=0$ surface and do not imply stability properties of the system. The next theorem characterizes the behavior of the state once attracted to the sliding surface thus providing insight on its stability properties.

B. Sliding Mode Dynamics

A sliding mode provides a steering quality to an opponent to shift a grid to a more vulnerable state. If a sliding mode is unstable, the state will attract to $s=0$ and then continue on the surface to infinity. In the stable case, it will eventually converge to an equilibrium point on the $s=0$ surface. To characterize the sliding mode dynamics and stability properties, we present the following theorem.

Theorem 2 (Sliding Mode Dynamics)

For the variable structure system:

$$\dot{x}=\begin{cases}A_{1}x+b_{1}, & s(x)>0\\ A_{2}x+b_{2}, & s(x)\leq 0\end{cases}$$

where $x\in\mathbb{R}^{n\times 1}$, $A_{i}\in\mathbb{R}^{n\times n}$ and $b_{i}\in\mathbb{R}^{n\times 1}$, assume that a sliding mode for $s=Cx$, $C\in\mathbb{R}^{1\times n}$, exists. Then, the sliding mode dynamics can be characterized by $G(x)$ as follows:

$$\dot{x}=G(x)\tag{8}$$

where

$$G(x)=\frac{1}{2}\left[(A_{1}+A_{2})x+(b_{1}+b_{2})\right]-\frac{1}{2}\left[(A_{1}-A_{2})x+(b_{1}-b_{2})\right]\cdot\frac{C\left[(A_{1}+A_{2})x+(b_{1}+b_{2})\right]}{C\left[(A_{1}-A_{2})x+(b_{1}-b_{2})\right]}$$

Moreover, the local stability properties of the system about a neighborhood of the equilibrium point $x^{\ast}\in\mathbb{R}^{n\times 1}$ can be determined stable if all non-trivial eigenvalues of $G(x^{\ast})$ are in the left half plane and unstable otherwise.

Proof

We assign: $G_{a}(x)=\frac{1}{2}[(A_{1}+A_{2})x+(b_{1}+b_{2})]$ and $G_{d}(x)=\frac{1}{2}[(A_{1}-A_{2})x+(b_{1}-b_{2})]$. Then, the variable structure system can be represented in the form of a control system:

$$\begin{cases}\dot{x}=G_{a}(x)+G_{d}(x)u\\ s=Cx\\ u=\operatorname{sgn}(s)\end{cases}\tag{9}$$

where $u\in\mathbb{R}$ is defined for a given $s=Cx$. Given sliding mode existence, we can characterize its traversal along $s(x)=0$ using the method of equivalent control [17]. Here, we have:

$$\dot{s}=C\dot{x}=CG_{a}(x)+CG_{d}(x)u.\tag{10}$$

For the state confined on the sliding surface, $s=\dot{s}=0$. We solve for the equivalent control $u_{eq}$ by setting (10) to zero and solving for $u$. This gives $u_{eq}=-[CG_{d}(x)]^{-1}CG_{a}(x)$ where the reader should note that $CG_{a}(x)$, $CG_{d}(x)\in\mathbb{R}$. The effective system dynamics on the sliding mode is therefore:

$$\begin{aligned}\dot{x}&=G_{a}(x)+G_{d}(x)u_{eq}\\&=\frac{1}{2}\left[(A_{1}+A_{2})x+(b_{1}+b_{2})\right]-\frac{1}{2}\left[(A_{1}-A_{2})x+(b_{1}-b_{2})\right]\cdot\frac{C\left[(A_{1}+A_{2})x+(b_{1}+b_{2})\right]}{C\left[(A_{1}-A_{2})x+(b_{1}-b_{2})\right]}\\&=G(x).\end{aligned}$$

The local stability properties easily follow by applying linearization and Theorems 15 and 27 of [18]. $\square$

Equations (8) and (9) of Theorem III-B describe the sliding mode dynamics as a combination of the average (i.e., $\frac{1}{2}\left[(A_{1}+A_{2})x+(b_{1}+b_{2})\right]$) and difference (i.e., $\frac{1}{2}\left[(A_{1}-A_{2})x+(b_{1}-b_{2})\right]$) of the individual subsystem dynamics. The state- and sliding-surface-dependent weight $\frac{C\left[(A_{1}+A_{2})x+(b_{1}+b_{2})\right]}{C\left[(A_{1}-A_{2})x+(b_{1}-b_{2})\right]}\in\mathbb{R}$ scales the difference dynamics relative to the average dynamics to maintain the system on the sliding surface. Selection of $C$ and hence the particular sliding mode to use for switching will have an effect on the behavior of the state. If $C$ is more aligned (via the dot product measure) to the average dynamics, then the difference dynamics have greater influence than the average and vice versa.

For an attack, an opponent is concerned with power flow disruption and may be most interested in the stability properties of the sliding mode. Thus, unstable sliding modes can be leveraged through persistent switching until significant disruption results. Although perhaps not immediately obvious, stable sliding modes can also be leveraged as we demonstrate in Section V to steer the system across the stability boundary of one of the subsystems and then terminate switching to enable passive disruption.

SECTION IV

ATTACK CONSTRUCTION

Employing our framework, we provide the steps necessary for attack construction and apply it to a case study involving the Western Electricity Coordinating Council (WECC) 3-machine, 9-bus system. The reader should note that, from our experience, existence of a sliding mode and hence ability to construct the attack for a target generator in the proximity of a corrupted breaker is typically high for most test systems considered.

A. Stages of Attack Construction

The stages of an attack construction are as follows.

  1. Mathematically represent the system under the switching attack as a variable structure system whereby the switching rule $s(x)$ remains general.
  2. For general nonlinear systems, identify the equilibrium points and linearize the system about the equilibrium points.
  3. Determine the existence of and identify a class of sliding modes using Theorem III-A.2.
  4. Characterize the dynamical and stability properties of the sliding modes using Theorem III-B.
  5. Select and assign an identified sliding surface to $s(x)$ for attack implementation.

We contend that the steps above apply to general nonlinear models of power system dynamics; the linearization stage is critical to make use of Theorems III-A.2 and III-B. However, for general nonlinear systems, pictorial approaches for identification of sliding modes are also possible as mentioned in Section III-A. A phase portrait of each nonlinear subsystem must be determined identifying stable foci and saddle points. These phase portraits must then be overlapped. A sliding surface $s(x)=0$ may be identified visually if in the vicinity of $s(x)=0$, the trajectory vectors of the subsystems point toward the switching surface in opposite directions; this ensures that the state trajectory of the switched system will be driven to the switching surface and will stay within a neighborhood of it. The interested reader is referred to [17]. We employ the visual approach to sliding mode identification as a brief check to verify our linearized model results, but it would not typically be used by an opponent for attack construction.

A natural approach to attacking a power grid would be to exploit the unstable sliding mode of a system whereby the state is steered to an arbitrarily large value. However, the reader should note that it is possible to exploit both unstable and stable sliding modes for effective power system disruption.

To illustrate the use of our variable structure theory approach, we demonstrate the construction of an attack for the well known single machine infinite bus (SMIB) power system model presented in Fig. 3.

Fig. 3. Single machine infinite bus system model. The opponent coordinates switching of the load $P_{L}$ based on the values of Generator $G_{1}$'s state $x=[\delta_{1}~\omega_{1}]^{T}$.

B. Variable Structure Representation

A typical power system is piecewise time-invariant; that is, within a short window of time representing the attack duration before disruption, the system parameters can be considered to be constant. Thus, for the purposes of our modeling for attack construction, we make use of time-invariant parameters in a swing equation-based model of the power system. Thus, the SMIB model can be expressed as [22]:

$$\begin{cases}\dot{\delta}_{1}=\omega_{1}\\ M_{1}\dot{\omega}_{1}=P_{M1}-E_{1}^{2}G_{11}-s_{L}P_{L}-E_{1}E_{\infty}B_{1\infty}\sin\delta_{1}-D_{1}\omega_{1}\\ \phantom{M_{1}\dot{\omega}_{1}}=P_{1}-C_{1\infty}\sin\delta_{1}-D_{1}\omega_{1}\end{cases}\tag{11}$$

where $\delta_{1}$ and $\omega_{1}$ are the rotor angle and rotor speed deviation of Generator $G_{1}$, respectively, and collectively form the state $x=[\delta_{1}~\omega_{1}]^{T}$, $M_{1}$, $D_{1}$, $E_{1}$, $P_{M1}$ are the moment of inertia, damping coefficient, internal voltage and mechanical power of $G_{1}$, respectively, $E_{\infty}$ is the voltage at the infinite bus, $P_{L}$ is the local load at Bus 1, $s_{L}$ is the load switch status ($s_{L}=1$, if the load is connected; $s_{L}=0$, otherwise), and $B_{1\infty}$ is the transfer susceptance of the line between Bus 1 and the infinite bus. We assign $P_{1}=P_{M1}-E_{1}^{2}G_{11}-s_{L}P_{L}$ and $C_{1\infty}=E_{1}E_{\infty}B_{1\infty}$.

Assuming that $C_{1\infty}=1$, $D_{1}=0.1$, $M_{1}=0.1$, $P_{M1}-E_{1}^{2}G_{11}-P_{L}=0$, $P_{M1}-E_{1}^{2}G_{11}=0.9$, the overall variable structure system can be represented as:

$$\begin{aligned}A_{1}:&\ \begin{cases}\dot{\delta}_{1}=\omega_{1}\\ \dot{\omega}_{1}=-10\sin\delta_{1}-\omega_{1}\end{cases}\quad\text{if } s_{L}=1\\ A_{2}:&\ \begin{cases}\dot{\delta}_{1}=\omega_{1}\\ \dot{\omega}_{1}=9-10\sin\delta_{1}-\omega_{1}\end{cases}\quad\text{if } s_{L}=0.\end{aligned}\tag{12}$$

It is straightforward to determine from (12) that system $A_{1}$'s stable foci are at $(2n\pi, 0)$ and the saddle points are at $(2n\pi+\pi, 0)$ where $n\in\mathbb{Z}$ as shown in the phase portrait of Fig. 4(a). Any point within a stability boundary will converge to the corresponding stable focus. Similarly, for system $A_{2}$, the stable foci are at $(2n\pi+1.1198, 0)$ and $(2n\pi+2.0218, 0)$, and the saddle points are at $(2n\pi+2.0218, 0)$ as shown in the phase portrait of Fig. 4(b).

Fig. 4. Individual and overlapping phase portraits of subsystems of (12). (a) Phase portrait of system $A_{1}$. (b) Phase portrait of system $A_{2}$. (c) Close-up of overlapping phase portraits.

As discussed in Section IV-A, for a general nonlinear system the existence of a sliding mode can be determined pictorially from the overlapping phase portraits. Here, one interprets (3) visually in state space whereby a sliding surface $s(x)=0$ must be found such that in the neighborhood of this surface the trajectory vectors of each subsystem point toward the switching surface but in opposite directions. The switching between subsystems would be assigned such that when on one side of the sliding surface $s(x)=0$, the system would switch to the subsystem with trajectories pointing toward that surface. This ensures that the state trajectory of the variable structure system will be driven to the switching surface and will stay within a region of it [17].

To determine the possibility of a sliding mode in this way, the overlapping phase portraits are shown in Fig. 4(c). Visual inspection suggests there are multiple possibilities for linear sliding surfaces such as $s=6\delta_{1}+\omega_{1}$. However, in Section V we demonstrate the utilization of Theorems III-A.2 and III-B on the linearized system to determine the range of possible sliding surfaces for attack. In this way, we demonstrate the mathematical and numerical ease in determining such a vulnerability.

C. SMIB Attack Construction

To apply Theorems III-A.2 and III-B to our SMIB power system model of (12), we must linearize its representation. Approximating $\sin\delta_{1}\approx\delta_{1}$ for $\delta_{1}$ small and assuming $s>0$ ($s\leq 0$) corresponds to the load switch being closed to give $A_{1}$ (open to give $A_{2}$), we obtain:

$$\begin{aligned}\dot{\delta}_{1}&=\omega_{1}\\ \dot{\omega}_{1}&=\begin{cases}-10\delta_{1}-\omega_{1}, & s>0\\ 9-10\delta_{1}-\omega_{1}, & s\leq 0\end{cases}\end{aligned}\tag{13}$$

corresponding to $A_{1}=A_{2}=\begin{bmatrix}0 & 1\\ -10 & -1\end{bmatrix}$, $b_{1}=[0~~0]^{T}$ and $b_{2}=[0~~9]^{T}$ in (5). Theorem III-A.2 provides the following sliding mode existence conditions for $s=c_{1}\delta_{1}+c_{2}\omega_{1}$:

$$\begin{cases}c_{1}\omega_{1}-10c_{2}\delta_{1}-c_{2}\omega_{1}<0 & \text{for } c_{1}\delta_{1}+c_{2}\omega_{1}>0\\ c_{1}\omega_{1}-10c_{2}\delta_{1}-c_{2}\omega_{1}+9c_{2}>0 & \text{for } c_{1}\delta_{1}+c_{2}\omega_{1}<0\end{cases}.\tag{14}$$

Fig. 5 illustrates this overall region; the regions delineated $s<0$ and $s>0$ denote the values of $(c_{1},c_{2})$ for which $c_{1}\omega_{1}-10c_{2}\delta_{1}-c_{2}\omega_{1}<0$ and $c_{1}\omega_{1}-10c_{2}\delta_{1}-c_{2}\omega_{1}+9c_{2}>0$ about $x^{\ast}=[1.1198~~0]^{T}$, respectively. We can construct an attack by selecting $C=[6~1]$ corresponding to $s=6\delta_{1}+\omega_{1}$. Applying Theorem III-B, we find that it is a stable sliding mode.

Fig. 5. Valid sliding mode parameter region about neighborhood of $x^{\ast}=[1.1198~0]^{T}$.

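
The stability claim for $s=6\delta_{1}+\omega_{1}$ can be checked numerically from the linearized model. The Python below is an added example, not code from the paper: it evaluates condition (6) and the equivalent-control field (8) for the matrices of (13) with $C=[6~1]$. The function names, the search grid on the surface and the finite-difference step are assumptions.

```python
# Linearized SMIB model (13) in the form of (5); state x = (delta, omega).
A1 = A2 = ((0.0, 1.0), (-10.0, -1.0))
B1, B2 = (0.0, 0.0), (0.0, 9.0)
C = (6.0, 1.0)            # the paper's choice s = 6*delta + omega
X_STAR = (1.1198, 0.0)    # equilibrium quoted in the text


def dot(c, v):
    return c[0] * v[0] + c[1] * v[1]


def field(A, b, x):
    """Affine subsystem dynamics A x + b."""
    return (A[0][0] * x[0] + A[0][1] * x[1] + b[0],
            A[1][0] * x[0] + A[1][1] * x[1] + b[1])


def attracts(c, x):
    """Condition (6) at state x: True if the active subsystem drives s toward 0."""
    s = dot(c, x)
    if s > 0:
        return dot(c, field(A1, B1, x)) < 0
    if s < 0:
        return dot(c, field(A2, B2, x)) > 0
    return None  # x lies on the surface; (6) is stated for s != 0


def sliding_interval(c, lo=-2.0, hi=2.0, n=4001):
    """Range of delta on s = 0 where both one-sided inequalities of (6) hold.

    Assumes c[1] != 0 so the surface can be written omega = -c1*delta/c2;
    the grid bounds and resolution are assumed values.
    """
    inside = []
    for i in range(n):
        delta = lo + i * (hi - lo) / (n - 1)
        x = (delta, -c[0] * delta / c[1])
        if dot(c, field(A1, B1, x)) < 0 and dot(c, field(A2, B2, x)) > 0:
            inside.append(delta)
    return (min(inside), max(inside)) if inside else None


def G(c, x):
    """Sliding-mode dynamics (8): G_a(x) + G_d(x) * u_eq."""
    f1, f2 = field(A1, B1, x), field(A2, B2, x)
    ga = ((f1[0] + f2[0]) / 2, (f1[1] + f2[1]) / 2)
    gd = ((f1[0] - f2[0]) / 2, (f1[1] - f2[1]) / 2)
    u_eq = -dot(c, ga) / dot(c, gd)   # equivalent control from (10)
    return (ga[0] + gd[0] * u_eq, ga[1] + gd[1] * u_eq)


def nontrivial_eigenvalue(c, x, h=1e-6):
    """Non-trivial eigenvalue of the Jacobian of G at x (case n = 2).

    C*G(x) = 0 for every x, so the Jacobian always has one zero eigenvalue;
    in two dimensions the remaining eigenvalue equals the trace.
    """
    trace = 0.0
    for j in range(2):
        xp, xm = list(x), list(x)
        xp[j] += h
        xm[j] -= h
        trace += (G(c, xp)[j] - G(c, xm)[j]) / (2 * h)
    return trace


if __name__ == "__main__":
    on_surface = (0.1, -0.6)   # constructed sample point with s = 0
    print("attraction toward s = 0 at x*:", attracts(C, X_STAR))
    print("sliding segment in delta:", sliding_interval(C))
    print("non-trivial eigenvalue:", round(nontrivial_eigenvalue(C, on_surface), 4))
```

For this model the field (8) reduces to $\dot{\delta}_{1}=\omega_{1}$, $\dot{\omega}_{1}=-6\omega_{1}$, so the non-trivial eigenvalue is $-6$ and motion along the surface decays toward $(0,0)$, consistent with the stable sliding mode stated above.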
SECTION V

ATTACK EXECUTION AND IMPACT

In this section we execute a coordinated variable structure switching attack using our sliding mode selection of $s=6\delta_{1}+\omega_{1}$ on the nonlinear SMIB and a more realistic test system to demonstrate the value of Theorems III-A.2 and III-B for attack construction on linearized models. Our target in both cases is Generator $G_{1}$ and the corrupted breaker is that associated with load switching.

A. Nonlinear SMIB Case Study

Consider application of a switching attack on the nonlinear SMIB model of (12). We assume that the load is initially disconnected (i.e., is at $A_{2}$) and apply the attack from 0 to 2.5 seconds, which drives the system trajectory across the stability boundary of subsystem $A_{2}$ at which time the attack finally switches the system dynamics to $A_{2}$ permanently as observed in Fig. 6(a). Thus, $G_{1}$ is destabilized within seconds by steering its state over the stability boundary via the switching attack. The reader should note that as discussed $s=6\delta_{1}+\omega_{1}$ is a stable sliding mode. Thus, persistent switching (opposed to that limited to 2.5 s) will result in steering the power system from the initial stable focus of (1.1198, 0) to the stable focus of (0, 0) as presented in Fig. 6(b).

Fig. 6. Switching attack on System (12) for $s=6\delta_{1}+\omega_{1}$. (a) Stop time of 2.5 seconds. (b) No stop time.

B. WECC 3-Generator, 9-Bus Case Study

To further demonstrate the utility of the attack, we consider a variant of the well-known Western Electricity Coordinating Council (WECC) 3-machine, 9-bus system [23] presented in Fig. 7. This system can be approximated with the second order nonlinear SMIB model of (12). Thus, we apply the same sliding surface $s=6\delta_{1}+\omega_{1}$ for attack.

Fig. 7. One-line diagram of revised WECC system.

The test system in question is simulated in PSCAD (Power System Computer Aided Design, https://hvdc.ca/pscad/) software, one of the most popular power system simulation tools. PSCAD enables the modeling of generator controls including governors and exciters as well as protective relays to demonstrate the potential of our approach to disrupt real power system operation. The test system is based on the WECC system, with the addition of a transmission line, a local load, and a gas turbine generator. Here, the base MVA is 100, the system normal frequency is 60 Hz and the generator parameters are shown in Table I. The transmission line connecting Generator $G_{1}$ and the infinite bus is modeled using an inductor of 0.014 H. The local load $P_{L}$ is chosen to be 32.4 MW modeled using a constant resistor. The PSCAD step size was chosen to be 50 $\mu\mathrm{s}$.

TABLE I Generator Parameters for Fig. 7 System

For consistent comparison, simulations of the WECC system are presented for the same system initial conditions and stop time as employed for the second order nonlinear SMIB model of the previous section. Specifically, the initial state of the WECC system is set to the stable focus of (1.1198, 0). If $s>0$, the system dynamics switch to system $A_{1}$ and if $s\leq 0$, they switch to $A_{2}$. The switching attack is applied from 0.2248 to 2.7248 seconds (the non-zero start time is necessary for PSCAD implementation of the attacked system), which once again drives the system trajectory across the stability boundary of $A_{2}$, at which point the switch is permanently set to $A_{2}$, making the system unstable. The frequency relays of all generators including $G_{1}$ are set to trip for a deviation of more than $\pm 5\%$ of the nominal frequency (of $2\pi\times 60=377~\mathrm{rad/s}$), which corresponds to 18.8 rad/s; in this way we also take into account the response of the non-corrupted breakers to the switching attack. PSCAD simulations demonstrate in Fig. 8(a) how at time 2.7248 seconds (which corresponds to 2.5 seconds in the SMIB simulation due to the delayed start time), the system state diverges. The deviation from nominal frequency, phase angle and output voltage of Generator $G_{1}$ during the attack are shown in Fig. 8(b)–(d), respectively. As observed, the frequency and voltage of $G_{1}$ become unstable right after application of the attack.

Fig. 8. PSCAD simulation results of WECC system for $s=6\delta_{1}+\omega_{1}$ switching from 0 to 2.5 seconds. (a) System state trajectory. (b) $G_{1}$ deviation from nominal frequency. (c) $G_{1}$ phase angle. (d) $G_{1}$ output voltage.

To illustrate how the sliding mode exploited for the attack is in fact stable, the same coordinated switching is applied indefinitely with results presented in Fig. 9.

Fig. 9. PSCAD simulation results of WECC system in the presence of persistent variable structure switching for $s=6\delta_{1}+\omega_{1}$ from 0 seconds. (a) System state trajectory. (b) $G_{1}$ deviation from nominal frequency. (c) $G_{1}$ phase angle. (d) $G_{1}$ output voltage.

C. Efficacy of Linearized Results

We assert that the attack theory and analysis presented in this paper have the potential to be employed, in part, as a tool to understand possible vulnerabilities in future smart grid systems as well as the worst-case impact of switching attacks. One measure of the degree of weakness exhibited by a system could relate to the range of possible sliding modes available for an opponent to exploit.

For this reason, Theorem III-A.2 can be a useful tool when applied to a linearized smart grid system. To demonstrate the value of the linearized results, we present in Table II the ranges of $c_{1}$ corresponding to the existence or lack of sliding mode for the three systems: linearized SMIB, nonlinear SMIB and high-order WECC. It is clear that there is a large overlap in the existence of a sliding mode in both the nonlinear and linearized versions, demonstrating how our approximation does not significantly affect the degree of vulnerability present in the system.

TABLE II Empirical Existence of Sliding Surface $s=c_{1}\delta_{1}+\omega_{1}$ for Linearized SMIB, Nonlinear SMIB, Nonlinear SMIB With Parameter Errors and WECC Test System. Simulation Tests Were Conducted for $c_{1}\in\mathbb{Z}$ and $-20\leq c_{1}\leq 20$
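
A planning-side reading of the "range of possible sliding modes" measure, added here as an illustration and not code from the paper: for each integer $c_{1}$ in the range scanned for Table II, it computes the stretch of the line $s=c_{1}\delta_{1}+\omega_{1}=0$ on which both inequalities of (14) hold for the linearized model (13). Evaluating the inequalities on the surface itself (the limit from either side), the function names, and the `decays` flag (from $\dot{\delta}_{1}=\omega_{1}=-c_{1}\delta_{1}$ on the surface) are assumptions of this sketch.

```python
import math

# Linearized SMIB of (13): x = [delta1, omega1], dx/dt = A x + b_i.
A = [[0.0, 1.0], [-10.0, -1.0]]
B1 = [0.0, 0.0]   # s > 0: load switch closed
B2 = [0.0, 9.0]   # s <= 0: load switch open

def sdot_on_surface(A_i, b_i, c1):
    """Return (g, k) such that ds/dt = g*delta + k at points of s = c1*delta + omega = 0."""
    C = (c1, 1.0)
    d = (1.0, -c1)                      # x = delta * d lies on s = 0
    Ad = (A_i[0][0] * d[0] + A_i[0][1] * d[1],
          A_i[1][0] * d[0] + A_i[1][1] * d[1])
    g = C[0] * Ad[0] + C[1] * Ad[1]     # C A_i d
    k = C[0] * b_i[0] + C[1] * b_i[1]   # C b_i
    return g, k

def half_line(g, k, want_positive):
    """Open interval of delta on which g*delta + k > 0 (or < 0); None if empty."""
    if not want_positive:
        g, k = -g, -k
    if g == 0:
        return (-math.inf, math.inf) if k > 0 else None
    root = -k / g
    return (root, math.inf) if g > 0 else (-math.inf, root)

def sliding_segment(c1, A1=A, b1=B1, A2=A, b2=B2):
    """Interval of delta on s = 0 where both conditions of (14) hold, or None."""
    i1 = half_line(*sdot_on_surface(A1, b1, c1), want_positive=False)  # ds/dt < 0 from s > 0
    i2 = half_line(*sdot_on_surface(A2, b2, c1), want_positive=True)   # ds/dt > 0 from s < 0
    if i1 is None or i2 is None:
        return None
    lo, hi = max(i1[0], i2[0]), min(i1[1], i2[1])
    return (lo, hi) if lo < hi else None

def exposure_scan(c_values):
    """One row per c1: sliding stretch, its length, and whether motion on it decays."""
    rows = []
    for c1 in c_values:
        seg = sliding_segment(float(c1))
        length = 0.0 if seg is None else seg[1] - seg[0]
        rows.append({"c1": c1, "segment": seg, "length": length, "decays": c1 > 0})
    return rows

if __name__ == "__main__":
    for row in exposure_scan(range(-20, 21)):
        print(row)
```

This is a local condition on the linearized model only; whether a trajectory from a given operating point actually reaches that stretch is the separate question the simulations behind Table II address.
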
SECTION VI

LIMITATIONS ON ATTACKER KNOWLEDGE

To construct and apply a successful coordinated variable structure switching attack, an opponent would need to leverage cyber intrusion to enable Conditions (B) and (D) of Section II-B as well as have a local model of the smart grid in the proximity of the target and corrupt breaker.

Given the need for timed coordination in the attack, switching control is imperative for success. However, in this section, we assess the effect of limitations in opponent knowledge on the ability to construct and execute an attack. We focus on model error, which affects the ability to construct a feasible attack, and on strategies to contend with only partial state information, which affects attack execution.

A. Model Parameter Error

Questions naturally arise as to the effects of model error on attack construction. Consider the system of (12) with parameter error:

$$\begin{aligned}A_{1}&:\begin{cases}\dot{\delta}_{1}=0(1+\varepsilon_{11})+(1+\varepsilon_{12})\omega_{1}\\ \dot{\omega}_{1}=(-10+\varepsilon_{13})\sin\delta_{1}+(-1+\varepsilon_{14})\omega_{1}\end{cases}\\ A_{2}&:\begin{cases}\dot{\delta}_{1}=0(1+\varepsilon_{21})+(1+\varepsilon_{22})\omega_{1}\\ \dot{\omega}_{1}=9+(-10+\varepsilon_{23})\sin\delta_{1}+(-1+\varepsilon_{24})\omega_{1}\end{cases}\end{aligned}\tag{15}$$

where $\{\varepsilon_{ij}\}$ are specific parameter error values. The existence conditions of Theorem III-A.2 become:

$$\begin{aligned}&c_{1}(1+\varepsilon_{12})\omega_{1}-10c_{2}(1+\varepsilon_{13})\delta_{1}-c_{2}(1+\varepsilon_{14})\omega_{1}<0 &&\text{for } c_{1}\delta_{1}+c_{2}\omega_{1}>0\\ &c_{1}(1+\varepsilon_{22})\omega_{1}-10c_{2}(1+\varepsilon_{23})\delta_{1}-c_{2}(1+\varepsilon_{24})\omega_{1}+9c_{2}>0 &&\text{for } c_{1}\delta_{1}+c_{2}\omega_{1}<0\end{aligned}$$

Fig. 10 illustrates the effects of errors; the associated change in slope of the region boundaries due to parameter errors results in both false positives and false negatives for the determination of $C$. Study of Fig. 10 reveals that a robust strategy for the selection of $C$ would be to select a value internal to the region boundaries. If bounds on $\varepsilon_{ij}$ are available, then it is possible to guarantee a robust selection of $C$ that is far enough from the boundaries.

Fig. 10. Effect of model error on sliding mode identification. Selection of $C=[6~1]$ is internal to the boundaries and guarantees robustness against a degree of model error.

B. Partial State Information

The opponent may gain target state information through cyber intrusion and eavesdropping. The feasibility of this depends on the communication media and protocols used; further discussion is beyond the scope of this paper.

In this section, we investigate the efficacy of our attack approach when only partial state information is available. Here, we assume that the opponent aims to estimate the missing state information, from say other available information, resulting in an increase in attack complexity.

We consider the case in which an attack is applied to the revised WECC test system of Fig. 7. We assume that the Generator $G_{1}$ frequency $\omega_{1}$ is known to the opponent, but the rotor angle $\delta_{1}$ must be estimated in some way. Specifically, we assume as an example that the terminal voltage and current of an associated transmission line are known and must be used in the estimation of $\delta_{1}$.

Modeling the standard WECC system in relation to $G_{1}$ as a SMIB system, we obtain the system in Fig. 11. Applying Kirchhoff's law gives:

$$\begin{aligned}E_{1}\angle\delta_{1}&=jX^{\prime}_{d}I\angle\alpha+E\angle\theta\\ &=(E\cos\theta-X^{\prime}_{d}I\sin\alpha)+j(E\sin\theta+X^{\prime}_{d}I\cos\alpha)\end{aligned}$$

where $E_{1}\angle\delta_{1}$ is the generator internal voltage, $jX^{\prime}_{d}$ is the impedance of the transmission line, $I\angle\alpha$ is the current of the transmission line and $E\angle\theta$ is the terminal voltage. Thus, the generator internal voltage $E_{1}$ and phase angle $\delta_{1}$ can be estimated using the following equations:

$$E_{1}=\sqrt{(E\cos\theta-X^{\prime}_{d}I\sin\alpha)^{2}+(E\sin\theta+X^{\prime}_{d}I\cos\alpha)^{2}}\tag{16}$$

and $\tan\delta_{1}=\dfrac{E\sin\theta+X^{\prime}_{d}I\cos\alpha}{E\cos\theta-X^{\prime}_{d}I\sin\alpha}$.

Fig. 11. SMIB system approximation for partial state estimation.

Given the approximation that $\tan\delta_{1}\approx\delta_{1}$ when $\delta_{1}$ is small, we have

$$\delta_{1}\approx\tan\delta_{1}=\frac{E\sin\theta+X^{\prime}_{d}I\cos\alpha}{E\cos\theta-X^{\prime}_{d}I\sin\alpha}.\tag{17}$$

Therefore, $\delta_{1}$ can be estimated via the terminal voltage $E\angle\theta$ and current $I\angle\alpha$ of the transmission line as follows:

$$\begin{bmatrix}\hat{\delta}_{1}\\ \omega_{1}\end{bmatrix}=\begin{bmatrix}\dfrac{E\sin\theta+X^{\prime}_{d}I\cos\alpha}{E\cos\theta-X^{\prime}_{d}I\sin\alpha}\\ \omega_{1}\end{bmatrix}.\tag{18}$$

Using this estimation approach, we apply the attack from 0 to 2.5 seconds on a PSCAD simulation of the test system of Fig. 7; as shown in Fig. 12, the system dynamics follow the sliding mode to subsequently produce instability and disruption.

Fig. 12. Coordinated switching attack with partial state knowledge on test system of Fig. 7. (a) $G_{1}$ phase angle. (b) $G_{1}$ deviation from nominal frequency. (c) Switch status.

SECTION VII

RELATED WORK

Our work builds on the body of recent research on the interaction between the cyber and physical aspects of a smart grid; this research, which aims to aid vulnerability analysis, takes on a variety of flavors. These techniques can be classified into a number of categories. Static approaches [1] consider the topological information about the smart grid in order to study vulnerabilities, often using graph-theoretic means. Compact relationships between system components that can lead to cascading corruption and failure are identified. Empirical approaches [12], [13]–[15] harness research and development of realistic communications and power systems simulators. These two forms of simulators are combined such that an attack is applied in the communication simulator, which transfers data to the power systems simulator, which in turn makes decisions based on this possibly corrupt information. Typical traditional power system reliability metrics are used to assess the impact of the cyber attacks. Such approaches are valuable in providing indications of attack impacts, but often require exhaustive ‘what-if’ forms of attack case analysis that are limited in providing general principles for grid design. In cyber-physical leakage approaches [24], [25], confidentiality of the cyber network is studied by identifying how voltage and current measurements of the physical power system can be successfully analyzed for any clues about cyber protocol activity. Testbed research addresses the exploration of practical vulnerabilities through SCADA testbed development and construction [11], [12]. Although some insights on how to protect industrial control systems for SCADA are provided, there exists room to develop more prescriptive approaches to provide more general design guidelines for future smart grid systems.

SECTION VIII

FINAL REMARKS

A grand challenge in cyber-physical systems research is the development of models that elegantly interface the discrete-time characteristics of the cyber infrastructure with the analog nature of the physical system. We believe that our use of variable structure system theory conveniently interfaces the switching cyber-control within power systems to provide a novel way to understand the cyber-physical interaction and in the case of this paper gain insight into new forms of vulnerability. In addition, it lends itself to a natural mathematical framework and formalism useful for automatic identification of vulnerabilities. The use of dynamical systems allows for flexible granularity and can conveniently be implemented for simulation.

Our work demonstrates the efficacy of coordinated variable structure switching attacks by showing how attack construction on a linearized version of the system still executes on nonlinear and realistic models of the system. Moreover, the attack can be successful even under conditions of model error and partial state knowledge. Future work will aim to apply variable structure system theory to model robotics systems as discussed in [26] and [27] and generalized social networking contexts where switched dynamics may be appropriate for representing simple cyber-assisted human decision-making amongst finite choices such as those made when gambling or in elections.

Footnotes

This work was supported by the National Science Foundation under NSF Grant EECS-1028246 and the Norman Hackerman Advanced Research Program under Project 000512-0111-2009.


Authors

Shan Liu

Shan Liu received her Ph.D. degree in electrical and computer engineering from Texas A&M University, in 2013. Her research interests focus on the cyber security of the electric smart grid and cyber-physical system theory. She has received the ACM CSIIRW'11 Best Paper and multiple travel grant awards. She is currently an Assistant Professor at the Communication University of China.

Salman Mashayekh

Salman Mashayekh is currently pursuing the Ph.D. degree in electrical and computer engineering with Texas A&M University. His research interests include power management systems, and physical security and cyber security of power systems.

Deepa Kundur

Deepa Kundur is a Professor of electrical and computer engineering with the University of Toronto. She is an Appointed Member of the NERC Smart Grid Task Force, was an Elected Member of the IEEE Information Forensics and Security Technical Committee, and was the Inaugural Vice-Chair of the Security Interest Group of the IEEE Multimedia Communications Technical Committee. She was a Chair of the Trustworthy Cyber-Physical Systems and Infrastructures Track of the NSF and PNNL-sponsored 2011 Workshop on Cooperative Autonomous Resilient Defenses in Cyberspace and was an invited speaker to the NSF-sponsored 2011 Workshop on Cyber-Physical Applications in Smart Grids. She is the author of several widespread tutorial papers, including two articles in the IEEE Signal Processing Magazine in 1996 and 2004 and three articles in the Proceedings of the IEEE in 1999, 2004, and 2008.

Takis Zourntos

Takis Zourntos is with Texas A&M University and OCAD University. He received the B.A.Sc., M.A.Sc., and Ph.D. degrees in electrical and computer engineering from the University of Toronto in 1993, 1996, and 2003, respectively. He has over 15 years of experience at the interface of microelectronics and control theory, which he currently applies to cyber-physical systems applications, such as power systems and robotics. His recent cyber-physical systems robotics research has been featured in Popular Science Magazine's 2009 Best of What's New: Security Innovation and wired.com.

Karen Butler-Purry

Karen Butler-Purry is a Professor of electrical and computer engineering and an Associate Provost Graduate Studies with Texas A&M University. She is a well-known authority in the areas of computer and intelligent systems application to power distribution systems, distribution automation and management, fault diagnosis, estimation of remaining life of transformers, intelligent reconfiguration, and modeling and simulation for hybrid vehicles.
