156 ieee transactions on power systems, vol. 30, no. …...156 ieee transactions on power systems,...

156 IEEE TRANSACTIONS ON POWER SYSTEMS, VOL. 30, NO. 1, JANUARY 2015

A Probabilistic Risk Mitigation Modelfor Cyber-Attacks to PMU Networks

Seyedamirabbas Mousavian, Jorge Valenzuela, and Jianhui Wang, Senior Member, IEEE

Abstract—The power grid is becoming more dependent on in-formation and communication technologies. Complex networks ofadvanced sensors such as phasor measurement units (PMUs) areused to collect real time data to improve the observability of thepower system. Recent studies have shown that the power grid hassignificant cyber vulnerabilities which could increase when PMUsare used extensively. Therefore, recognizing and responding to vul-nerabilities are critical to the security of the power grid. This paperproposes a risk mitigation model for optimal response to cyber-at-tacks to PMU networks. We model the optimal response action asa mixed integer linear programming (MILP) problem to preventpropagation of the cyber-attacks and maintain the observability ofthe power system.

Index Terms—Cyber-attack, cyber-security, networks, observ-ability, phasor measurement units.

NOMENCLATURE

Sets and Indices

Set of buses.

Set of buses equipped with PMUs.

Set of PMUs detected as compromised.

Set of buses with conventional devices.

Set of branches with conventional devices.

Indices of buses.

Constants

Number of detected compromised PMUs.

Connectivity between buses and .

Threshold threat level (between 0 and 1) of .

Nodal distance between and .

Time that a propagation attempt takes.

Number of that the system operator takes torespond to the cyber-attack.

Manuscript received July 08, 2013; revised November 11, 2013 and February07, 2014; accepted April 08, 2014. Date of publication May 16, 2014; date ofcurrent version December 18, 2014. This work was supported by UChicagoArgonne, LLC, Operator of Argonne National Laboratory (Argonne). Argonne,a U.S. Department of Energy Office of Science laboratory, is operated underContract No. DE-AC02-06CH11357. Paper no. TPWRS-00883-2013.S. Mousavian and J. Valenzuela are with the Department of Industrial and

Systems Engineering, Auburn University, Auburn, AL, 36849 USA (e-mail:[email protected]; [email protected]).J. Wang is with Argonne National Laboratory, Argonne, IL 60439 USA

(e-mail: [email protected]).Color versions of one or more of the figures in this paper are available online

at http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TPWRS.2014.2320230

Decision Variables

Binary decision variable which equals 1 ifis kept connected to the network, and 0 otherwise.Observability number, number of times that bus isobserved, which is if bus is observable.Binary variable which equals 1 if the measurementfrom the conventional device at bus is assignedto compute the unknown voltage phasor of bus ,and 0 otherwise.Binary variable which equals 1 if the measurementfrom the conventional device at transmission line

is assigned to compute the unknown voltagephasor of bus , and 0 otherwise.

Random Variables

Random variable which equals 1 if isattacked, and 0 otherwise.

Probabilities

Probability that is attacked through .

Probability that an attack propagates through arouter.Probability that an attack propagates to a PMUthrough a router.Threat level of at time .

I. INTRODUCTION

T HE power grid is increasingly dependent on informationand communication technologies due to the integration of

intelligent measurement devices such as phasor measurementunits (PMU). Smart grid investment grants and demonstrationproject investments have significantly accelerated the pace ofphasor technology deployment [1]. According to [2], PMUswillultimately replace conventional devices. PMUs can measure inreal time synchronized phasors of bus voltages and currents forbetter observability of the power grid [3]. Synchronization isachieved by timing signals from the Global Positioning System(GPS) satellite. A PMU takes about 30 to 120 measurementsper second and sends its measurements to a phasor data concen-trator (PDC) through a wireless communication network basedon the NASPInet architecture [4], [5]. In the NASPInet architec-ture, PMUs are connected to an IP-based communication net-work like an Intranet. Although the communication network isdedicated Intranet and isolated from public networks, it is notimmune to cyber-attacks [6]. Currently, PMUs transmit theirmeasurements to a pre-defined PDC in a hierarchical mannerby using the IP Unicast routing protocol. However, hierarchical

0885-8950 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

MOUSAVIAN et al.: A PROBABILISTIC RISK MITIGATION MODEL FOR CYBER-ATTACKS TO PMU NETWORKS 157

architectures suffer from drawbacks such as delays of messages.A technical report from CISCO proposes that PMUs shouldsend measurements using the IP Multicast routing protocol [7].Under this protocol, a PMU is directly connected to a router andsends out data packets to pre-configured destinations. The list ofthese predetermined destinations can be further manipulated bya cyber-attacker to propagate the cyber-attack to other PMUs.The propagation of the cyber-attacks in shared communicationnetworks has been also studied in [8]–[13]. Furthermore, it hasbeen reported that the communication network shows poor net-work security and insufficient software security [14]. Moreover,the authors in [15] studied the spoofing attack as an optimizationproblem to maximize the PMU's receiver clock offset beforeand after the attack. The authors in [16] mentioned that thereis no available defense against GPS spoofing which is a threatto critical infrastructure applications such as PMUs that relyon the publicly known civilian GPS signal. Under these con-ditions, cyber-attackers could gain access to the PMU commu-nication network, inject false measurement data and propagatetheir cyber-attack to the other PMUs to endanger the reliabilityof the power grid.Dealing with erroneous data has been a concern of state esti-

mation programs since their inception in the late 1960s [17].It is shown in [18] that sophisticated attacks may not be de-tected by conventional state estimation algorithms. Thus, thedetection problem is considered to be challenging and severalalgorithms have been proposed. The authors in [19] presenteda principal component analysis (PCA) based approach to detectcyber-attacks in the optimal power flow (OPF) module. The au-thors in [20] showed how data attacks can endanger the physicalstructure of the power grid and developed a detection algorithmusing the artificial neural networks. The authors in [21] haveproposed new points of view to enrich the detection solutionssuch as modeling the dynamics of attacker versus defender. Theauthors in [22] developed greedy algorithms to obtain perfectprotection and partial protection against stealth attacks given alimited budget for protection. In [23], the authors used the gener-alized likelihood ratio test to develop a computationally efficientdetection algorithm where the cyber-attacker uses a graph the-oretic approach to launch stealthy malicious data attacks. Afterthe detection, actions need to be taken to prevent the propaga-tion of the cyber-attack.The authors of [13] have formulated an optimization model

to avoid propagation of the cyber-attacks in open-science com-puter network where collaboration and communication existamong network sites. The optimization model is a mixed in-teger linear programming problem, which determines the sitesto be disconnected from the network to maximize the numberof users connected to the network resources. The decision isconstrained to keep the threat levels of the sites below a certainthreshold value. However, such a model cannot be directlyapplied to a PMU network as that model is focused more onmaximizing the available connections on the network, which isnot a priority for PMUs. Additionally, observability is not anissue in open-science computer networks.In this paper, we propose an optimal response model to cyber-

attacks to PMU networks where the state estimation principally

relies on PMUs. Our model minimizes the threat levels by dis-abling known compromised PMUs and PMUs that are likelyto be compromised due to the propagation of the cyber-attacks,while keeping the power system observable. Here, a threat levelrepresents the probability of a PMU being contaminated at a cer-tain time.We first use a probabilistic model to estimate the threatlevels for PMUs and then formulate the optimal response as amixed-integer linear programming problem. Here, a responsestands for disconnecting the contaminated PMU buses to ensurethe resultant PMU network is secure and the grid is observable.The rest of this paper is organized as follows: Section II de-

scribes threat level estimation. Section III explains our proposedoptimization model. Experimental results are provided inSection IV and the conclusions are reported in Section V.

II. ESTIMATING THE THREAT LEVELS

In this section, we calculate the threat levels of the uncompro-mised PMUs if an intruder were to attacked one or more PMUs.Propagation of the cyber-attack has been studied on the othernetworks. As a case in point, the authors in [24] and [25] consid-ered worm propagation in mobile ad-hoc networks and energymeters in a secondary distribution network, respectively. Simi-larly in a PMUnetwork, the intruder controls the attacked PMUswhich can be used to transmit false measurements. Moreover,the intruder can use the communication links between PMUs todisseminate the attack to the other PMUs via the compromisedPMUs. If the attack propagates to more PMUs, it could jeop-ardize the observability of the power system even further. Theattack could propagate via all routers between the compromisedand uncompromised PMUs to contaminate the uncompromisedPMUs.Let us assume at time PMUs are detected to be

compromised while the remaining PMUs are uncompromised.It takes time to disable the compromised PMUs from thecommunication network. Naturally, their measurements willno longer be used for the state estimation software. DisablingPMUs can be done automatically by the detection softwareor manually by the system operator. During this time, thereis a chance that the attack could have been propagated touncompromised PMUs and the detection software has notdetected them yet. The reason is that the detection softwarecannot detect at 100% efficiency [21]. The cyber-attack canpropagate to uncompromised PMUs through a path of intercon-nected routers. If the cyber-attack successfully breaks into allrouters between the compromised and uncompromised PMUs,it is likely to contaminate the uncompromised PMUs as well.Moreover, these new compromised PMUs can further infectother PMUs, and so forth. We represent by the probability,

, the likelihood of a PMU being compromised (also calledthreat level) at time . Notice that the threat levels increaseover time as long as the network still contains compromisedPMUs. It takes a time period of for the system operatorto run the optimization model to obtain the optimal responseand confirm that the alarm is not a false alarm. Thus, certainPMUs, determined by the optimization model, are disabled attime .


At time , (1) and (2) hold:

(1)

(2)

By time , all compromised PMUs are disabled. However,due to the possible propagation of the cyber-attack, there is achance that the remaining PMUs could have been compromisedand undetected. Therefore at time , (3) and (4) hold:

(3)

(4)

where is the probability that the attack propagates from com-promised to an uncompromised during the time, and it is given by (5):

(5)

In (5), is the probability that an attack propagates through arouter, is the probability that an attack propagates to anotherPMU and , called nodal distance, is the minimum numberof routers that connect and on the communica-tion network. It is likely that there are multiple shortest pathsbetween two PMUs in a large communication network. In thiscase, the value of would increase and would be given by (6):

(6)

where is the number of shortest paths between and. There may be other paths in addition to the shortest

paths. Considering that it may not be simple to find all paths be-tween every two PMUs, and that the probability decreasesexponentially when the distance increases, we use (6) to esti-mate the probability that the attack propagates from one PMUto another. This function indicates that the propagation becomesless probable when the nodal distance between the two PMUsbecomes larger.We have stated that it takes time to disable the compro-

mised PMUs. If, during , the system operator concludesthat the alarm is false, the disabled PMUs would be enabledagain. Otherwise, the operator would begin disabling the PMUsas determined by the optimization model discussed in the nextsection at and all contaminated PMUs would be disabledby time . Thus, we need to calculate the threat levelsat time . Since the threat levels are calculated in aniterative process, we need to calculate the threat levels at time

. Equations (7) and (8) hold at time :

(7)

(8)

In (8), we have expressions for all terms except for, which can be obtained from

(9):

(9)

We denote by . Therefore, we can rewrite(8) as (10) in terms of threat levels:

(10)

It can be shown that (11) is true when and can be used tocalculate threat levels for time and further:

(11)

If another cyber-attack is detected by time , thefundamental change due to the new attack is the change on set, meaning that the set of the detected compromised PMUs isadjusted to include the new detected PMUs. In this case, thethreat levels after the new cyber-attack are re-calculated by set-ting the initial threat levels to the threat levels of the previousattack. This is, if the second detection occurs at timeand

(12)

In the next step, (11) will be used to update the threat levels aftertime .

III. RESPONSE MODEL

The response to cyber-attacks to a PMU network is modeledusingmixed integer linear programming. The objective functionof the model is the minimization of the maximum threat level ofall connected PMUs at time , which is one afterdisabling the PMUs determined by the model. The threat levelsfrom time to are summarized in (13)–(19):

(13)

(14)


(15)

(16)

(17)

(18)

(19)

Notice the presence of the binary decision variable in (19),which equals 1 if the is kept connected to the network,and 0 otherwise. It should be also noted that threat levels fromtime to are all assumed to be con-stants, and the system operators cannot decrease them due tothe physical constraints such as control and communication de-lays in disabling PMUs from the network. However, disablingof suspicious PMUs occurs at time , which decreasesthe threat levels of the remaining PMUs at time . Infact, the response optimization model determines which PMUsshould be disabled such that the threat levels at timeare minimized.To be able to solve the response model more efficiently, we

reformulate (19) by an equivalent linear equation (20):

(20)

In obtaining (20), we have used the following equality whereis a constant (notice again that is a binary variable):

(21)

The objective function of the response model is the mini-mization of the maximum threat of all connected PMUs at time

:

(22)

Since and consequently the objective functionare not linear, we used its equivalent function given in (23),which can be reformulated linearly in (24)–(29):

(23)

Equation (23) can be represented by the following set of(24)–(29):

(24)

(25)

(26)

(27)

(28)

(29)

In the response model, we used (20) in (26)–(27) to obtainequivalent linear equations. Hence, (26)–(27) can be repre-sented as (30)–(31), respectively:

(30)

(31)

We add (32) to keep PMUs with threat levels less than athreshold value connected to the network:

(32)

which can be represented by

(33)

We can reformulate the right-hand side to a linear equivalentequation as

(34)

Using (20), (34) can be represented linearly as (35):

(35)

Disabling PMUs may affect the observability of the system, sothere should be a set of constraints to ensure full observability.To have a full observable power system, the voltage phasors(state variables) of all buses need to be known. The values ofthe voltage phasors allow the calculation of all other variablessuch as current, real power, and reactive power. Hence, the ob-servability function is given in (36) [26]:

(36)

where shows the connectivity between buses and . Thefirst term of the right hand side, , provides observ-ability of the buses through the remaining connected PMUs;


the second term, , calculates the observabilityof the buses through conventional devices installed at buses,and the third term, , represents the observ-ability through conventional devices installed on branches. Toguarantee the full observability, the observability variable valueshould be greater than or equal to one as given in (37):

(37)

Conventional devices are used to observe a group of buseswhen they are not observable by PMUs direct measurements.In such cases, a system of equations is solved to obtain the un-known state variables. To guarantee the solvability of the systemof equations, we need to ensure that each conventional measure-ment is tied to one state variable [26]. Hence, (38)–(39) need tobe met. Equation (38) ensures that a conventional voltage mea-surement is tied to one state variable and (39) ensures that aconventional current measurement is tied to one state variable.When the system is under attack, measurements of the conven-tional devices may be more reliable because the attacker needsto have complete knowledge of system topology and consider-able resources in order to consistently manipulate conventionalmeasurements. Thus, we use (40) to force the measurements ofconventional devices to observe more buses:

(38)

(39)

(40)

where is a binary variable which equals 1 if the state variableof bus is computed by a conventional device at branch , and0 otherwise. Finally, (41) determines that the decision variablesare binary:

(41)

To summarize, the objective function given in (22) determinesthe PMUs to be disabled from the network such that the max-imum threat level of the PMUs still connected to the network isminimized. If the threat level of a PMU exceeds the thresholdvalue, the objective function would disable that PMU from thenetwork only if it does not affect the observability. If the threatlevel of a PMU is less than the threshold value, the PMU iskept connected to the network. This is guaranteed by (32). Fi-nally, (36) ensures that all buses are observable at least once byeither PMUs or conventional devices. The proposed responsemodel is given by the following mixed integer linear program-ming problem:

(42)

subject to the constraints given inEquations (13)–(18)Equation (25)Equations (28)–(29)Equations (30)–(31)Equation (35)Equations (36)–(41).

Fig. 1. The 6-bus test system.

Finally, it is important to notice that the cyber-attack couldinvolve blocking the communication to and from the PMUs,which may prevent the disabling of the compromised PMUsafter detection. This situation is less likely to occur because theintruders would want to be undetected and a fault in the com-munication network would alert the system operators immedi-ately. Nevertheless, if the communication is blocked, the PMUswould be isolated from the communication network, which hasthe same effect as disabling the compromised PMUs. The mea-surements would not be used by the state estimation software,and there would be no propagation of the cyber-attack to otherPMUs.

IV. EXPERIMENTAL RESULTS

We test the performance of our response optimization modelon the 6-bus and 24-bus test systems introduced in [27] and[28], respectively. We use the small power system to describethe cyber-attack propagation problem and our methodology.Weuse the middle size power system to test our approach. Thispower system includes conventional devices. We intentionallyconsider a few conventional devices because we want to showthe use of our optimization response model where PMUs are themain devices for power system state estimation.In our experiments, we assume that an attack to a PMU prop-

agates through a router with probability , and it effec-tively compromises another PMU with probability .For simplicity, we also assume that there is only one shortestpath between PMUs. We set . We set to 0.1 s,

(s), and the threshold values to 0.005, . Ina real case, experiments can be conducted to estimate the valuesof these parameters. Experimental network infrastructures suchas the Virtual Network Infrastructure (VINI), X-Bone, and Vi-olin can be used to run these experiments with real traffic androuting software [29].

A. 6-Bus Test System

The 6-bus test system includes six buses, three generators andeleven transmission lines. Fig. 1 shows the 6-bus test system.


TABLE INODAL DISTANCES BETWEEN PMUS IN THE 6-BUS TEST SYSTEM

Fig. 2. Threat levels in case of no response action.

Fig. 3. Effect of on threat level of .

Buses 1, 2, 3, 4, and 6 are equipped with PMUs whichmake the system fully observable. Phasor measurements suchas voltage magnitudes and voltage angles are transmitted tothe PDCs by the five PMUs through a digital communicationnetwork. The communication network is depicted in Fig. 1 andit consists of interconnected routers.Table I shows the nodal distances between the PMUs installed

in the 6-bus test system. Notice that the greater the nodal dis-tance between two PMUs, the less likely that the cyber-attackcan propagate from one PMU to another one.For this case study, we assume that at time the system

operator is informed that and have been attackedby a cyber-intruder. In Fig. 2, we show the threat levels of thethree uncompromised PMUs over time when the system oper-ator does not disable the compromised PMUs from the network.Notice that the threat levels increase nonlinearly until all PMUsbecome compromised with probability 1. is more at riskbecause it is closer to the compromised PMUs. The nodal dis-tance from to is 1 while to is 3. Fig. 3 il-lustrates the effect of the value of on the threat level of .To avoid propagation, the system operator should disable the

compromised and and other PMUs which maybe compromised because of the propagation. There are eightpossible choices which are shown in Table II. The smallestthreat levels can be obtained when all PMUs are disabled.

However, this solution is not feasible since the power systemwould no longer be observable. The second candidate is todisable and but the threat level of is lessthan the threshold value, , and therefore it shouldremain connected to the network. The third candidate is todisable . This action keeps the power network observ-able and minimizes the maximum threat level of all connectedPMUs. In Table III, we give the optimal solution, observabilitynumber of the buses obtained from (36), and the threat level ofeach connected PMU right after disabling .We show in Fig. 4 the maximum threat level of the connected

PMUs when just the compromised and are dis-abled and when is also disabled from the network. No-tice that the threat levels still increase after the response. How-ever, the reduction in threat levels is considerable if the optimalresponse action is taken.We have assumed that the optimization results are obtained

in 0.1 seconds. To see the effect of greater computational time,we consider that the optimal results are available at times 0.1,2, and 5 seconds. In all of these cases, the optimal solution is todisable . In Fig. 5, we show the threat level for each case.Certainly, a shorter processing time is desired.

B. 24-Bus Test System

The proposed response model is tested using the IEEE 24-bustest system which consists of 38 transmission lines, 24 busesand 33 generators. The 24-bus test system is shown in Fig. 6.We refer the readers to [28] and [30] for additional system data.We use the optimal placement of seven PMUs given in [31]

and add seven more PMUs and five conventional measuring de-vices to increase the observability of the power system. ThePMUs are located at buses 1, 2, 3, 4, 8, 10, 11, 15, 16, 17, 21,and 23 and the conventional units are located at buses 1, 19, 22and transmission lines 9 and 17. The initial observability of thebuses is given in Table IV. Table V gives PMUs' nodal distancesrandomly generated between 1 and 4.First, we assume that just one PMU is compromised at time

zero. We consider two cases to show the propagation effect ofthe cyber-attack. We assume: 1) is compromised and 2)

is compromised at time zero. In both cases, it is as-sumed that the compromised PMU stays connected to the net-work (no response action). Fig. 7 shows the threat levels of aselected group of PMUs, PMUs 4, 10, and 15, under case (a)while Fig. 8 shows the threat level for the same PMUs undercase (b). Notice that is less affected by a cyber-attackto but it is considerably affected if the attack occurs on

.Next, we study the effect of simultaneous cyber-attacks. We

assume that PMUs 1, 3, 7, and 10 are compromised at time zeroand they remain connected to the network (no response action).Fig. 9 illustrates the threat level of under a single attackto and the multiple attacks. Notice the increase on thethreat level of under a multiple attack.To show the effect of the computational time (time to

obtain the optimal response) on the threat levels, we use themul-tiple attacks case. We change the value of from 1 to 700,i.e., the time that the system operator takes to respond to the


TABLE IICANDIDATE RESPONSES FOR THE 6-BUS TEST SYSTEM

TABLE IIIOPTIMAL RESPONSE ACTION IN THE 6-BUS SYSTEM

Fig. 4. Comparison of two potential responses.

Fig. 5. Effect of computational time on threat level of .

cyber-attack varies from 0.1 to 70 s. We obtain the optimal re-sponse for each value of . The results are given in Table VI.In Fig. 10, we show the maximum threat level of the system

(objective function of the optimization problem) when only thecompromised PMUs are disabled from the network and whenthe optimal response is implemented. The figure shows the re-sults under different response times. Notice that when the pro-posed model is used the maximum threat level is reduced for all

Fig. 6. IEEE 24-bus test system.

TABLE IVINITIAL OBSERVABILITES OF THE 24-BUS SYSTEM

TABLE VNODAL DISTANCES BETWEEN PMUS IN THE 24-BUS TEST SYSTEM


Fig. 7. Threat levels for no response to compromised .

Fig. 8. Threat levels for no response to compromised .

Fig. 9. Effect of single and multiple attacks on threat levels.

TABLE VIEFFECT OF RESPONSE TIME ON THE OPTIMAL SOLUTION

IN CASE OF MULTIPLE ATTACKS

response times considered. The reduction increases as the re-sponse time increases.

C. Dealing With Large Power Systems

Since the main contribution of the paper is the formulation ofthe MILP and the modeling of the probabilistic threat levels,we demonstrated our approach using a small and a mediumsize power system. All experiments were performed on a 64-bitlaptop with an Intel Core i5 2.4-GHz processor and 4 GB of

Fig. 10. Maximum threat levels for two potential responses.

TABLE VIIOPTIMAL RESPONSE FOR SINGLE CYBER-ATTACKS

TO THE 24-BUS TEST SYSTEM

RAM. The computation time consists of two components, thethreat level calculation and the optimization time. For the exper-iment on the IEEE 24-bus test system, the threat level calcula-tions using MATLAB R2012a took 6.95 s and the optimizationusing the optimization software LINGO 11.0 took 1 s.It is known that MILP solvers suffer from the curse of di-

mensionality and therefore waiting to obtain the optimal solu-tion for a larger power system can threaten the security of thepower systemmore severely. However, considering that a singlecyber-attack is more likely to occur, the proposed model canbe run offline for all possible single attacks. The system oper-ator would already know the optimal response when a singleattack occurs in the network. In Table VII, we show the optimalresponses within 20 s for all single attacks to a PMU on the24-bus test system. This approach, however, would not workfor multiple attacks due to the numerous possible combinationsof cyber-attacks to PMUs. In this case, the optimization soft-ware can be stopped at a predetermined time. A trade-off has tobe made between the closeness of the obtained solution at thepredetermined time to the optimal solution and the increase ofthe threat levels over that time.

D. Discussion

We have developed a response optimization model to a cyber-attack to power systems that rely heavily on PMUs for the stateestimation. Thus, the proposed model becomes more beneficialas the ratio of PMUs to conventional devices increases. It isexpected that in the near future, as PMUs become widespread,the state estimation process will be more influenced by PMUmeasurements.The proposed model disables PMUs restricted to secure

system observability. However, pseudo measurements that areused to handle measurement unavailability in conventionalstate estimation could be also used to remove additional PMUs


at the cost of loss of observability. This feature can be incorpo-rated to our model by adding a set of new constraints.Furthermore, if information from a detection scheme is avail-

able it can serve as an input to our model. For example, giventhe estimation on the likelihood of infection of all uncompro-mised PMUs at the time of the detection of the cyber-attack, theinitial threat level of uncompromised PMUs, , can be setto this value. For the sake of simplicity, in our experiments weassume that no information comes from the detection softwareand therefore all initial threat levels are set to zero.

V. CONCLUSION

Observability of the power system is important for grid op-eration and control. An attacker could design a cyber-attack toPMUs that endangers the observability of the power system.Weshowed that in addition to disabling the compromised PMUs,other PMUs should also be disabled to reduce the probability ofpropagation of the cyber-attack. We developed a mixed integerlinear programming model to determine the PMUs that shouldbe disabled under the restriction that the remaining PMUs con-tinue to maintain the observability of the power system. Themodel minimizes the maximum threat level of the PMUs thatremain connected to the network. We have shown experimentalresults for two power systems. The results in both cases demon-strated a significant reduction in the propagation of the cyber-at-tacks when the solution obtained by the optimization model isimplemented.

REFERENCES

[1] “Real-time application of synchrophasors for improving reliability,”North American Electric Reliability Corporation (NERC), Oct. 2010.

[2] H. Lin, Y. Deng, S. Shukla, J. Thorp, and L. Mili, “Cyber securityimpacts on all-PMU state estimator—A case study on co-simulationplatform GECO,” in Proc. IEEE SmartGridComm Symp.—Wide AreaProtection and Control (WAMPAC), 2012.

[3] D. Dua, S. Dambhare, R. K. Gajbhiye, and S. A. Soman, “Optimalmultistage scheduling of PMU placement: An ILP approach,” IEEETrans. Power Del., vol. 23, pp. 1812–1820, 2008.

[4] W. Wang and Z. Lu, “Cyber security in the smart grid: Survey andchallenges,” Comput. Netw., 2013.

[5] “Data bus technical specifications for North American Syncro-PhasorInitiative Network (NASPInet),” North American Syncro-Phasor Ini-tiative Network, May 2009.

[6] H. Lin, Y. Deng, S. Shukla, J. Thorp, and L. Mili, “Cyber security im-pacts on all-PMU state estimator-a case study on co-simulation plat-form GECO,” in Proc. IEEE 3rd Int. Conf. Smart Grid Communica-tions (SmartGridComm), Nov. 2012, pp. 587–592.

[7] “PMU networking with IP multicast,” CISCO Public, 2012.[8] T. Liu, X. Guan, Q. Zheng, and Y. Qu, “A new worm exploiting IPv6

and IPv4–IPv6 dual-stack networks: Experiment, modeling, simula-tion, and defense,” IEEE Netw., vol. 23, pp. 22–29, 2009.

[9] B. Sun, G. Yan, Y. Xiao, and T. A. Yang, “Self-propagatingmal-packets in wireless sensor networks: Dynamics and defenseimplications,” Ad Hoc Netw., vol. 7, pp. 1489–1500, 2009.

[10] W. Xiaoming and L. Yingshu, “An improved SIR model for analyzingthe dynamics of worm propagation in wireless sensor networks,” Chi-nese J. Electron., vol. 18, pp. 8–12, 2009.

[11] C. C. Zou, D. Towsley, and W. Gong, “Modeling and simulation studyof the propagation and defense of internet e-mail worms,” IEEE Trans.Depend. Secure Comput., vol. 4, pp. 105–118, 2007.

[12] B. Stephenson and B. Sikdar, “A quasi-species model for the propaga-tion and containment of polymorphic worms,” IEEE Trans. Comput.,vol. 58, pp. 1289–1296, 2009.

[13] M. Altunay, S. Leyffer, J. T. Linderoth, and Z. Xie, “Optimal responseto attacks on the open science grid,” Comput. Netw.: Int. J. Comput.Telecommun. Netw., vol. 55, pp. 61–73, Jan. 2011.

[14] NSTB Assessments Summary Report: Common Industrial ControlSystem Cyber Security Weaknesses, Idaho National Laboratory (INL),Tech. Rep., 2010.

[15] J. Xichen, Z. Jiangmeng, B. J. Harding, J. J. Makela, and A. D.Dominguez-Garcia, “Spoofing GPS receiver clock offset of phasormeasurement units,” IEEE Trans. Power Syst., vol. 28, pp. 3253–3262,2013.

[16] D. P. Shepard, T. E. Humphreys, and A. A. Fansler, “Evaluation of thevulnerability of phasor measurement units to GPS spoofing attacks,”Int. J. Critic. Infrastruct. Protect., vol. 5, pp. 146–153, 2012.

[17] F. C. Schweppe, J. Wildes, and D. B. Rom, “Power system static stateestimation, parts I, II, and III,” IEEE Trans. Power App. Syst., vol.PAS-89, pp. 120–135, 1970.

[18] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks againststate estimation in electric power grids,” inProc. 16th ACMConf. Com-puter and Communications Security, 2009, pp. 21–32.

[19] J. Valenzuela, J. Wang, and N. Bissinger, “Real-time intrusion detec-tion in power system operations,” IEEE Trans. Power Syst., to be pub-lished.

[20] S. Mousavian, J. Valenzuela, and J. Wang, “Real-time data reassurancein electrical power systems based on artificial neural networks,” Elect.Power Syst. Res., vol. 96, pp. 285–295, Mar. 2013.

[21] C. Shuguang, H. Zhu, S. Kar, T. T. Kim, H. V. Poor, and A. Tajer,“Coordinated data-injection attack and detection in the smart grid: Adetailed look at enriching detection solutions,” IEEE Signal Process.Mag., vol. 29, pp. 106–115, Sep. 2012.

[22] G. Dan and H. Sanberg, “Stealth attacks and protection schemes forstate estimators in power systems,” in Proc. IEEE Int. Conf. Smart GridCommunications, Gaithersburg, MD, USA, Oct. 2010.

[23] O. Kosut, L. Jia, R. J. Thomas, and L. Tong, “Malicious data attacks onsmart grid state estimation: Attack strategies and countermeasures,” inProc. IEEE Int. Conf. Smart Grid Communications, Gaithersburg, MD,USA, Oct. 2010.

[24] R. G. Cole, N. Phamdo, M. A. Rajab, and A. Terzis, “Requirements onworm mitigation technologies in MANETS,” in Proc. Workshop Prin-ciples of Advanced and Distributed Simulation, 2005, pp. 207–214.

[25] Y. H. Chang, P. Jirutitijaroen, and C.-W. Ten, “A simulation model ofcyber threats for energy metering devices in a secondary distributionnetwork,” in Proc. 5th Int. Conf. Critical Infrastructure (CRIS), Bei-jing, China, 2010, pp. 1–7.

[26] S. Azizi, B. G. Gharehpetian, G. Hug-Glanzmann, and A. Dobakhshari,“Optimal integration of phasor measurement units in power systemsconsidering conventional measurements,” IEEE Trans. Smart Grid,vol. 4, pp. 1113–1121, 2012.

[27] A. J. Wood and B. F. Wollenberg, Power Generation, Operation andControl. New York, NY, USA: Wiley, 1996.

[28] Subcommittee, “IEEE reliability test system,” IEEE Trans. Power App.Syst., vol. PAS-98, pp. 2047–2054, 1979.

[29] A. Bavier, N. Feamster, M. Huang, L. Peterson, and J. Rexford, “InVINI veritas: Realistic and controlled network experimentation,” inProc. 2006 Conf. Applications, Technologies, Architectures, and Pro-tocols for Computer Communications (SIGCOMM '06), Oct. 2006, vol.36, pp. 3–14.

[30] R. D. Zimmerman, C. E. Murillo-Sanchez, and R. J. Thomas, “MAT-POWER: Steady-state operations, planning, and analysis tools forpower systems research and education,” IEEE Trans. Power Syst., vol.26, pp. 12–19, 2011.

[31] B. K. S. Roy, A. K. Sinha, and A. K. Pradhan, “An optimal PMU place-ment technique for power system observability,” Int. J. Elect. PowerEnergy Syst., vol. 42, pp. 71–77, 2012.

Seyedamirabbas Mousavian received the B.S.degree in industrial engineering from Sharif Uni-versity of Technology, Tehran, Iran, in 2007. Afterthe M.B.A. degree in 2010, he received an M.S.degree in industrial and systems engineering in2012 from Auburn University, Auburn, AL, USA.He is currently pursuing the Ph.D. degree in theDepartment of Industrial and Systems Engineeringat Auburn University.He will join the School of Business at Clarkson

University, Potsdam, NY, USA, in August 2014 as anAssistant Professor of the Engineering & Management program. His researchinterests include smart grid, cyber-security and operations research.Mr. Mousavian is a member of INFORMS and IIE.


Jorge Valenzuela received the Ph.D. degree in in-dustrial engineering at the University of Pittsburgh,Pittsburgh, PA, USA, in 2000.He is the Chair of the industrial and systems en-

gineering department at Auburn University, Auburn,AL, USA. His research interests are applied andtheoretical stochastic modeling and optimization.Recent research involves stochastic models for theevaluation of production costs and optimizationof electric power generation. Currently he teachescourses on Engineering Economy, Stochastic Opera-

tions Research, and Information Technology at Auburn University.Dr. Valenzuela is a member of INFORMS and IIE.

Jianhui Wang (M'07–SM'12) received the Ph.D. de-gree in electrical engineering from Illinois Instituteof Technology, Chicago, IL, USA, in 2007.Presently, he is a Computational Engineer with the

Decision and Information Sciences Division at Ar-gonne National Laboratory, Argonne, IL, USA. He isalso an affiliate professor at Auburn University andan adjunct professor at University of Notre Dame.Dr. Wang is the chair of the IEEE Power &

Energy Society (PES) power system operationmethods subcommittee. He is an editor of the IEEE

TRANSACTIONS ON POWER SYSTEMS, the IEEE TRANSACTIONS ON SMARTGRID, an associate editor of Journal of Energy Engineering, an editor of theIEEE PES Letters, and an associate editor of Applied Energy.

156 ieee transactions on power systems, vol. 30, no. …...156 ieee transactions on power systems,...

Documents