
Page 1: A Cyber-Physical Security Analysis of Synchronous … · A Cyber-Physical Security Analysis of Synchronous-Islanded Microgrid Operation Friedberg• Laverty• McLaughlin• Smith

DOI: http://dx.doi.org/10.14236/ewic/ICS2015.6

A Cyber-Physical Security Analysis of Synchronous-Islanded Microgrid Operation

Ivo Friedberg, Queen’s University Belfast / AIT Austrian Institute of Technology, [email protected]

David Laverty, Kieran McLaughlin, Queen’s University Belfast, david.laverty, [email protected]

Paul Smith, AIT Austrian Institute of Technology, [email protected]

Cyber-security research in the field of smart grids is often performed with a focus on either the power and control domain or the Information and Communications Technology (ICT) domain. The characteristics of the power equipment or ICT domain are commonly not collectively considered. This work provides an analysis of the physical effects of cyber-attacks on microgrids – a smart grid construct that allows continued power supply when disconnected from a main grid. Different types of microgrid operations are explained (connected, islanded and synchronous-islanding) and potential cyber-attacks and their physical effects are analyzed. A testbed that is based on physical power and ICT equipment is presented to validate the results in both the physical and ICT domain.

Keywords: testbed, microgrid, smart grid, cyber security, vulnerability, synchronous islanded generation

1. INTRODUCTION

Supervisory Control and Data Acquisition (SCADA) systems are widely used in industrial control systems to collect information on the system state and issue control commands to remote actuators. Incidents like the attack on a German steel mill (Lee et al. 2014) show the ability of successful cyber-attacks to cause physical damage. A close relationship between Information and Communication Technologies (ICT) and the physical domain needs to be established to effectively counter these attacks. Models of Intrusion Detection Systems (IDS) can be enhanced with the constraints of the physical system. The same holds for control loops in the physical domain which can benefit from knowledge about the state of the ICT domain. Current research on SCADA system security is often based on an analysis of ICT protocols or network layouts, and is therefore strongly biased by cyber-security research in the ICT domain. The benefits that come from an understanding of the physical system that is under control are often ignored: Intrusion Detection Systems (IDS) as well as mitigation strategies for Industrial Control Systems (ICS) can leverage the laws of physics; they should be developed based on concrete domains and use cases to bridge the gap between the ICT and physical domains more effectively.

The development of current power grids into a smart grid revolves around a change from a centralized, uni-directional communication and power transmission layout, towards a meshed infrastructure as highlighted by Farhangi (2010). Considine et al. (2012) motivate a dynamic grid structure that is based on interconnected microgrids. This allows for an effective integration of renewable energy sources, but introduces new requirements for the tighter integration of ICT resources. Microgrids can be operated in two ways: (i) connected to the main grid, they can draw or supply power from it; and (ii) islanded – disconnected from the main grid – they supply local loads with local generation. Often, islanded operation is only possible for a limited amount of time. This calls for the capability to dynamically connect and disconnect power islands from the main grid; a transitional state that is highly dependent on ICT infrastructure while the grid is vulnerable to physical equipment damage due to power dynamics.

This paper presents a cyber-security analysis of the operational modes of microgrids. Special focus is given to synchronous-islanded operation: a mode of operation that controls the critical transitional state. Required for this operation are Phasor Measurement Units (PMUs), which are devices that allow the measurement and communication of power dynamics. Currently, PMUs are primarily used as recording devices for post-fault analysis, but they have received increased attention for security and control applications. Our cyber-security analysis is based on a physical testbed that is designed to represent an islanded microgrid, which can be operated in an islanded, synchronous-islanded or connected (to the main grid) fashion. The main findings of this analysis are that attacks on the integrity of measurement and control communication can cause the most severe physical impact on microgrids. While attacks against communication availability require fewer attack capabilities, they can only cause critical physical effects under specific conditions out of the attacker’s control. Attacks on confidentiality can cause no direct physical impact but can be used during the reconnaissance phase of an attack. Synchronous-islanded operation is most vulnerable to physical damage – even direct equipment damage – caused by cyber-attacks.

© Friedberg et al. Published by BCS Learning & Development Ltd. Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research 2015

2. PRELIMINARIES

Dynamic connection and disconnection of microgrids is important for future smart grid operation. Power dynamics need to be controlled to prevent equipment damage and to ensure human safety. This section gives an overview of the challenges involved with synchronous-islanded operation of microgrids and what it can be used for.

2.1. Synchronous-Islanded Operation

For most types of microgrids, independent operation is only possible for a limited amount of time. To prevent blackouts in the microgrid during reconnection, it has to be possible for microgrids to be dynamically added to and removed from the main grid during operation. Synchronous-islanded operation of microgrids is seen as one way to tackle this challenge. Even in islanding mode, the power metrics – voltage magnitude (Xm), frequency (ω) and phase angle (φ) – are kept synchronized with the main grid. When these power metrics are matched between the islanded microgrid and the main grid, circuit breaker re-closure (see Sect. 2.2) is safe.

Microgrid internal controls can also take over completely when the main grid experiences severe stability problems. Military microgrids are an example where unstable environments are common and this feature is required. If synchronization is not guaranteed, re-closure of circuit breakers has to be prohibited.

Synchronous-islanded operation enforces strict transmission delay constraints on the underlying communication network. Control logic is used to control the difference in frequency between the systems, taking the current phase angle difference into account. A detailed controller example is given in Sect. 3.

2.2. Circuit Breaker Re-closure

Connection of two independent and running power systems involves a set of risks, including out-of-sync closure. Two independent systems potentially run with different frequency and shifted phase angle. At the moment of connection three variables in the two systems have to be matched as closely as possible. These are the voltage magnitude (Xm), the frequency (ω) and the phase angle (φ). Limitations on the acceptable difference between the systems depend on the equipment in use. At the moment of connection the two systems are forced to synchronize. Depending on the synchronization quality at the time of connection, this might cause a strong immediate power flow on the circuit breaker. During this process generator equipment is also affected. The two phase angles are immediately forced to align, causing critical physical stress on equipment like generators.

2.3. The Phasor

A phasor – first described by Charles Proteus Steinmetz – is defined by the C37.118 standard (IEEE Power & Energy Society 2011) as a representation of the sinusoidal waveform defined in Eq. 1, with Xm describing the amplitude of the wave, ω the angular frequency and φ the phase angle of the waveform at time t = 0.

$x(t) = X_m \cos(\omega t + \phi)$ (1)

Using the transformation shown in Eq. 2, the phasor can be represented as a complex number, where the subscripts r and i signify the real and imaginary part respectively.

$X = (X_m/\sqrt{2})\, e^{j\phi} = (X_m/\sqrt{2})(\cos\phi + j\sin\phi) = X_r + jX_i$ (2)

Phasors are commonly used in AC power analytics. The optimal assumption is a waveform with a constant frequency of 50 Hz and a voltage amplitude of 230 V for most of Europe and Asia. In this model, the waveform x(t) is sufficiently defined by one phasor at time t = 0 for any future time t. Real power systems cannot fulfill this optimal model. Standards define the acceptable ranges of power quality for frequency and voltage. By allowing the frequency to change, the phase angle φ measured at time t = 0 is not sufficient to define the waveform at time t1 (given ω and Xm at time t1 are known). Successive measurements are needed to update the knowledge about the waveform.

Figure 1: Graphical description of phasor definition.

Figure 1 shows a graphical interpretation of a phasor as a rotating vector. The magnitude Xm of the vector equals the amplitude of the waveform. The frequency ω describes the speed at which the vector rotates. The phase angle φ is the angle between the vector and the base line. It becomes immediately clear that the only parameter really depending on the time t is φ. We get the waveform by moving the source of the vector along the x-axis (in this case time) with constant speed. The projection of the vector on the y-axis is then the value of x(t).

It has been possible to measure frequency and amplitude for a long time, but more recently Phasor Measurement Units (PMUs) have allowed operators to measure the phase angle remotely. PMUs allow the comparison of phasors of synchronous systems by assuming a reference waveform of nominal frequency. Phase angle measurements are only comparable when taken at the same time. Precision requirements on time synchronization for comparable phase angle measurements are given by the C37.118 standard (IEEE Power & Energy Society 2011) as ±3 μs. These measurements enable a set of new control capabilities but also open up new attack vectors, as we will discuss in Sect. 4.
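As an added illustration (not code from the paper or from the OpenPMU project), the following Python converts a phasor between the polar form of Eq. 1 and the rectangular form of Eq. 2, and shows why the timing requirement above matters for defenders: a clock offset between two PMUs is indistinguishable from a phase-angle error of 360 · f · Δt degrees, so at 50 Hz the ±3 μs bound corresponds to 0.054°, while a 1 ms offset already reads as 18°. It also computes the drift of the phase angle against the nominal-frequency reference when the real frequency deviates, which is the reason successive measurements are needed. The nominal-frequency constant and the helper names are assumptions of this example.

```python
import cmath
import math

NOMINAL_FREQ_HZ = 50.0  # assumption: European nominal frequency used as the PMU reference waveform


def waveform(xm: float, omega: float, phi_rad: float, t: float) -> float:
    """Eq. 1: x(t) = Xm cos(omega t + phi)."""
    return xm * math.cos(omega * t + phi_rad)


def phasor(xm: float, phi_rad: float) -> complex:
    """Eq. 2: X = (Xm / sqrt 2) e^{j phi} = Xr + j Xi (RMS-scaled rectangular form)."""
    return (xm / math.sqrt(2)) * cmath.exp(1j * phi_rad)


def polar(x: complex) -> tuple:
    """Inverse of phasor(): recover (Xm, phi) from the rectangular form."""
    magnitude, phi_rad = cmath.polar(x)
    return magnitude * math.sqrt(2), phi_rad


def wrap_deg(angle: float) -> float:
    """Wrap an angle to [-180, 180) so differences across the 360 boundary compare correctly."""
    return (angle + 180.0) % 360.0 - 180.0


def phase_drift_deg(freq_hz: float, seconds: float) -> float:
    """Phase accumulated against the nominal-frequency reference when the actual frequency
    is freq_hz: 360 * (f - f_nom) * t degrees. This is why one phasor at t = 0 is not enough."""
    return wrap_deg(360.0 * (freq_hz - NOMINAL_FREQ_HZ) * seconds)


def timing_error_to_phase_deg(dt_seconds: float, freq_hz: float = NOMINAL_FREQ_HZ) -> float:
    """A clock offset dt between two PMUs appears as a phase error of 360 * f * dt degrees."""
    return wrap_deg(360.0 * freq_hz * dt_seconds)


if __name__ == "__main__":
    x = phasor(230.0 * math.sqrt(2), math.radians(30.0))
    print(f"rectangular form: {x.real:.2f} + j{x.imag:.2f}")
    print(f"3 us clock offset -> {timing_error_to_phase_deg(3e-6):.3f} deg")
    print(f"1 ms clock offset -> {timing_error_to_phase_deg(1e-3):.1f} deg")
    print(f"50.1 Hz for 1 s   -> {phase_drift_deg(50.1, 1.0):.1f} deg drift")
```

The wrap step matters in practice: a difference computed between raw angles near the ±180° boundary would otherwise look like a near-360° jump rather than a small error.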

3. SYNCHRONOUS-ISLANDING TESTBED

This section describes the current implementation of the synchronous islanding testbed at Queen’s University Belfast. Section 3.1 gives an overview of the current testbed architecture. It highlights the physical components and describes their role in the testbed. Section 3.2 describes the controller functionality in more detail, followed by a description of the communication protocol used in Sect. 3.3.

3.1. Architecture

Figure 2 gives an overview of the testbed’s current implementation. It is designed to operate a DC machine synchronous with the main grid while in islanded mode.

DC Machine. The DC machine is a DC Motor / Alternator set. The DC motor is supplied from a ‘Eurotherm 590+’ digital DC drive; it offers analogue inputs to control the set points on the drive. The alternator is a 1000 rpm, 6 pole construction rated for 5 kVA with a 0.8 power factor. Socket terminals on the laboratory work bench offer connection to the three phases, their neutrals and the alternator field winding over 4 mm ‘banana’ plugs.

Phasor Measurement Units (PMUs). As PMU technology, equipment from the OpenPMU project (see Sect. 5) is used. PMUs are deployed at the main grid and within the power island. The collected power metrics are then transmitted to the controller.

Load Bank. A 3-phase resistive load bank is deployed within the power island. It can be used to evaluate the behaviour of the controlled island under shifting loads.

Controller. The controller collects the measurements from the PMUs and adapts the set points of the generator set. The controller in the testbed is implemented by a Python script running on a Raspberry Pi. The Serial Peripheral Interface (SPI) is used in combination with a transducer to transmit the set points to the analogue input of the digital DC drive. Figure 3 gives a schematic view of the modular software architecture of the controller. Network packets are received and then handled by separate worker threads to increase throughput. The worker thread logic decodes the network packet and is therefore protocol dependent. The decoded measurement points are then synchronized between the worker threads and measurements from the two PMUs are matched in the time domain. Once two measurements with the same timestamp are received, phase angle and frequency are extracted and sent to the controller. The controller block implements the logic described in Sect. 3.2. A generic Proportional-Integral-Derivative (PID) controller is used in combination with some additional logic to calculate the error value. The calculated update value is then transferred to a generator set specific communication module. It calculates an adequate set of set points as feedback for the internal controller of the generator set.

Figure 2: Overview of the testbed architecture. A DC Machine is operated synchronous with the main grid while in islanding mode. A PMU at a remote, secure location in the main grid communicates with a local controller. A second PMU measures the power metrics in the island. The controller compares the measurements from the two PMUs and controls the generator.

Figure 3: Schematic view of the modular controller software architecture.

Figure 4: Standard model of a PID controller.

3.2. Controller Strategy

A PID controller is a feedback-based control loop mechanism. It relies solely on the measured variables of the process under control and not on knowledge about the underlying processes. This makes the mechanism widely applicable without the need for adaptation. Figure 4 gives an overview of the general functionality of a PID controller.

The controlled process continuously emits measured process variables (y(t)). The PID controller tries to minimize the error (e(t)) between the process variables and given reference set points (r(t)). While y(t) is measured on the running process that is controlled, r(t) is controlled by the operator; both can change over time. An update signal (u(t)) is transmitted by the controller to the process to update the operation with the goal of minimizing e(t). The update signal comprises three weighted terms – the proportional term P depends on the current error, the integral term I depends on past errors and the derivative term D predicts future errors. The weights of each term (KP, KI, KD) are used to tune the controller to a specific process.

For synchronous-islanded operation, two process values need to be controlled: phase φ and frequency ω. The internal controller in the generator set only accepts one feedback signal. Figure 5 shows the adaptation of a general PID controller to the use case. The analogue set point at the generator is used to control the frequency. The classical PID control loop uses the current frequency of the power island (ωg) as a feedback parameter and calculates the error given the controller’s set point. The reference value for the frequency (ωr) is received from the main grid. But it cannot be used as is. A Phase Difference Control Loop first calculates the error between the feedback phase angle in the island and the phase angle reference (see Eq. 3).

Figure 5: The control logic for synchronous islanded generation.

$\Delta\phi = \phi_r - \phi_g$ (3)

The Phase Difference Control Loop introduces a new tuning parameter Kφ that weighs the phase angle error. The weighted phase angle error is then added to ωr to adapt the reference. As a result, the island will intentionally run with lower frequency than the main grid if its phase angle is ahead (the weighted phase angle error will be negative) and with higher frequency if the phase angle is behind. The complete calculation of the set-point for the PID controller Δω is shown in Eq. 4.

$\Delta\omega = K_\phi \Delta\phi + \omega_r - \omega_g$ (4)

A known problem with PID controllers is integral windup. A large change in set-points can cause the integral part to accumulate a large error. This error causes the feedback to overshoot; the update from the controller further increases although the proportional error was already resolved and now points in the opposite direction. To resolve the issue, the accumulation in the integral term is blocked while the update value from the controller is at the limits.
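To make the controller strategy concrete, here is an added Python simulation (not the testbed’s own controller script) that implements Eq. 3 and Eq. 4 around a PID with the integral-blocking anti-windup just described, and drives a toy island whose generator follows its frequency set point with a first-order lag. The island starts 150° behind a main grid running at 50.05 Hz, so the output saturates briefly before the loop pulls the phase difference to zero. The lag time constant, gains, saturation limits and the 10 Hz control step are assumptions chosen for illustration; the phase difference is wrapped to [−π, π) so that a 350° lag is treated as a 10° lead.

```python
import math

NOMINAL_OMEGA = 2 * math.pi * 50.0   # rad/s; 50 Hz nominal frequency
DT = 0.1                             # s; one control step per PMU measurement (10 per second)


def wrap_rad(angle: float) -> float:
    """Wrap an angle to [-pi, pi) so the shortest electrical distance is used."""
    return (angle + math.pi) % (2 * math.pi) - math.pi


def phase_difference(phi_r: float, phi_g: float) -> float:
    """Eq. 3: delta_phi = phi_r - phi_g (reference minus island), wrapped."""
    return wrap_rad(phi_r - phi_g)


def pid_setpoint(k_phi: float, phi_r: float, phi_g: float, omega_r: float, omega_g: float) -> float:
    """Eq. 4: delta_omega = K_phi * delta_phi + omega_r - omega_g, the error handed to the PID.
    Island ahead of the grid -> negative phase term -> lower frequency set point."""
    return k_phi * phase_difference(phi_r, phi_g) + omega_r - omega_g


class AntiWindupPID:
    """PID whose integral stops accumulating while the output sits at a limit (Sect. 3.2)."""

    def __init__(self, kp, ki, kd, u_min, u_max, dt=DT):
        self.kp, self.ki, self.kd = kp, ki, kd
        self.u_min, self.u_max, self.dt = u_min, u_max, dt
        self.integral = 0.0
        self.prev_error = None
        self.saturated = False

    def update(self, error: float) -> float:
        derivative = 0.0 if self.prev_error is None else (error - self.prev_error) / self.dt
        self.prev_error = error
        candidate = self.integral + error * self.dt          # what the I term would become
        unclamped = self.kp * error + self.ki * candidate + self.kd * derivative
        u = min(max(unclamped, self.u_min), self.u_max)
        self.saturated = u != unclamped
        if not self.saturated:                               # block accumulation at the limits
            self.integral = candidate
        return u


def simulate(phi_lag_deg=150.0, grid_hz=50.05, seconds=120.0, k_phi=0.5, tau=0.5):
    """Toy island (assumption): generator frequency follows nominal + set point with lag tau.
    Returns the remaining phase and frequency error and how often the output was clamped."""
    omega_r = 2 * math.pi * grid_hz
    omega_g = NOMINAL_OMEGA
    phi_r, phi_g = 0.0, -math.radians(phi_lag_deg)       # island starts phi_lag_deg behind the grid
    pid = AntiWindupPID(kp=2.0, ki=0.5, kd=0.0, u_min=-math.pi, u_max=math.pi)  # +/- 0.5 Hz
    saturated_steps = 0
    for _ in range(int(seconds / DT)):
        u = pid.update(pid_setpoint(k_phi, phi_r, phi_g, omega_r, omega_g))
        saturated_steps += pid.saturated
        omega_g += (NOMINAL_OMEGA + u - omega_g) * DT / tau   # generator follows set point with lag
        phi_r += (omega_r - NOMINAL_OMEGA) * DT                # both phases are measured against the
        phi_g += (omega_g - NOMINAL_OMEGA) * DT                # nominal-frequency reference waveform
    return {
        "phase_error_deg": math.degrees(phase_difference(phi_r, phi_g)),
        "freq_error_hz": (omega_r - omega_g) / (2 * math.pi),
        "saturated_steps": saturated_steps,
    }


if __name__ == "__main__":
    print(simulate())
```

The integral term is what lets the island hold the 0.05 Hz offset of the main grid with zero steady-state phase error; without the conditional accumulation, the error gathered while the output is clamped at the start would drive the familiar overshoot.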

3.3. Protocol

The OpenPMU currently supports transmission of measurement values using the User Datagram Protocol (UDP) over the Internet Protocol (IP). Packets are transmitted to a statically defined IP address with a sampling rate of 10 measurements per second. UDP is a suitable transport layer protocol: randomly dropped packets would be obsolete by the time they had been detected and requested again.

The payload of the packets contains text-based comma-separated values in the form of: $ <PMUID>, <Time in UTC>, <Voltage>, <Frequency>, <Phase>*. This protocol is sufficient for the basic usage of PMUs and to operate a synchronous-islanded generator. However, the lack of message integrity and message confidentiality limits the suitability of the protocol for security research. It has to be noted that a wide range of standardized protocols (like C37.118) do not offer more in terms of security. Only IEC 61850-90-5 comes with signature-based message integrity specified as part of the standard. While it is possible that integrity protection features receive more attention as PMUs are increasingly used for control tasks, standards leave vendors a lot of freedom when it comes to concrete implementations. Often security features are in place, but checks are disabled for simplicity or usability reasons. Thus, the potential impact of cyber-attacks that can circumvent integrity protection features remains relevant.
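The following Python is an added example (not the OpenPMU project’s code or the testbed controller) of the receive path described in Sect. 3.1 and above: it parses the `$ <PMUID>, <Time in UTC>, <Voltage>, <Frequency>, <Phase>*` payload, rejects malformed frames, pairs grid and island measurements that carry the same timestamp, and discards frames that arrive later than a freshness window, which is how a UDP receiver treats a delayed or replayed sample as obsolete instead of waiting for it. The ISO 8601 timestamp format, the PMU identifiers, the freshness window and the sample frames are assumptions constructed for the example; the page does not specify the time format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Measurement:
    pmu_id: str
    time: datetime       # UTC
    voltage: float
    frequency: float
    phase: float         # degrees


def parse_payload(payload: str) -> Measurement:
    """Parse one '$ <PMUID>, <Time in UTC>, <Voltage>, <Frequency>, <Phase>*' frame.
    Assumes an ISO 8601 timestamp with explicit UTC designator (format not given on the page)."""
    frame = payload.strip()
    if not (frame.startswith("$") and frame.endswith("*")):
        raise ValueError("frame must be delimited by '$' and '*'")
    fields = [f.strip() for f in frame[1:-1].split(",")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    pmu_id, stamp, voltage, frequency, phase = fields
    t = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if t.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return Measurement(pmu_id, t.astimezone(timezone.utc), float(voltage), float(frequency), float(phase))


class TimestampMatcher:
    """Pairs grid and island measurements with identical timestamps; drops stale and foreign frames."""

    def __init__(self, grid_id: str, island_id: str, max_age_s: float = 0.3):
        self.ids = (grid_id, island_id)
        self.max_age = timedelta(seconds=max_age_s)   # assumption: a few sample periods
        self.pending: Dict[datetime, Dict[str, Measurement]] = {}
        self.newest: Optional[datetime] = None
        self.stats = {"paired": 0, "stale": 0, "unknown_id": 0}

    def push(self, m: Measurement) -> Optional[Tuple[Measurement, Measurement]]:
        if m.pmu_id not in self.ids:
            self.stats["unknown_id"] += 1               # not one of the two configured PMUs
            return None
        if self.newest is None or m.time > self.newest:
            self.newest = m.time
        if self.newest - m.time > self.max_age:
            self.stats["stale"] += 1                    # obsolete by now; never wait for it
            return None
        # forget half-pairs whose partner can no longer arrive in time
        self.pending = {t: s for t, s in self.pending.items() if self.newest - t <= self.max_age}
        slot = self.pending.setdefault(m.time, {})
        slot[m.pmu_id] = m
        if len(slot) < 2:
            return None
        del self.pending[m.time]
        self.stats["paired"] += 1
        return slot[self.ids[0]], slot[self.ids[1]]


def process(lines: List[str], grid_id: str = "GRID01", island_id: str = "ISL01"):
    """Feed raw frames through parser and matcher; returns (pairs, stats)."""
    matcher = TimestampMatcher(grid_id, island_id)
    pairs = []
    for line in lines:
        pair = matcher.push(parse_payload(line))
        if pair:
            pairs.append(pair)
    return pairs, matcher.stats


# Constructed sample traffic: 10 frames per second, one island frame lost, one late copy, one rogue id.
SAMPLE_FRAMES = [
    "$GRID01, 2015-06-01T12:00:00.000Z, 230.4, 50.020, 12.5*",
    "$ISL01, 2015-06-01T12:00:00.000Z, 229.1, 49.980, -31.0*",
    "$GRID01, 2015-06-01T12:00:00.100Z, 230.3, 50.019, 13.2*",   # the island's 0.100 frame is lost
    "$GRID01, 2015-06-01T12:00:00.200Z, 230.3, 50.018, 13.9*",
    "$ISL01, 2015-06-01T12:00:00.200Z, 229.0, 49.981, -32.0*",
    "$GRID01, 2015-06-01T12:00:00.300Z, 230.2, 50.018, 14.6*",
    "$GRID01, 2015-06-01T12:00:00.400Z, 230.2, 50.017, 15.3*",
    "$GRID01, 2015-06-01T12:00:00.500Z, 230.2, 50.017, 16.0*",
    "$ISL01, 2015-06-01T12:00:00.100Z, 229.1, 49.980, -31.5*",   # late copy of 0.100: stale
    "$ROGUE, 2015-06-01T12:00:00.500Z, 230.0, 50.000, 0.0*",     # unknown PMU id
]

if __name__ == "__main__":
    pairs, stats = process(SAMPLE_FRAMES)
    print(len(pairs), "pairs", stats)
```

Because the protocol carries no integrity protection, the identifier and timestamp checks here are only plausibility filters; they bound what a stray or delayed frame can do to the control loop but cannot distinguish a forged frame with a fresh timestamp from a genuine one.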

4. CYBER-SECURITY ANALYSIS

This section provides a detailed cyber-security analysis of different operation modes of microgrids using PMUs for active control. Figure 6 shows an extended version of the testbed, including (i) a bump-in-the-wire solution for IEC 61850-90-5 support and (ii) a virtual office and SCADA network to allow multi-stage attacks.

Figure 6: Planned testbed layout including (i) a bump-in-the-wire solution for IEC 61850-90-5 support and (ii) a virtual office and SCADA network to allow multi-stage attacks, in addition to the testbed presented in Fig. 2.

The microgrid can be operated in three different modes: connected to the main grid, islanded from the main grid, or in transition between those two. Synchronous-islanded operation will be the use case for the transitional state as described in Sect. 2. Attacks can aim to compromise one of three security objectives: availability, integrity or confidentiality. In the following, we focus on attacks on the communication infrastructure. Possible cyber-attacks on devices and physical attacks on the system are out of scope of this work. We give a general overview of the limitations given by current power control setups, describe attack types grouped by the three security objectives and analyze possible physical effects of each attack type in each of the operation modes. The analysis is supported with related work in Sect. 5.

4.1. Power Grid Operation

The physical prerequisites and the current state-of-the-art in power system control impose a set of limitations on potential cyber-attackers. Inflicting physical damage to power equipment by means of cyber-attacks is difficult. Each input parameter for power equipment is checked by an internal control algorithm against a range of acceptable values. This range assures safe operation of the device to prevent physical damage. Protective devices throughout the grid continuously check for unacceptable conditions and automatically isolate electrical faults. This does not prevent an attacker from achieving an unacceptable condition in the grid, but limits possibilities to propagate the fault. Further, protective relays are hard-wired to the power lines and, as such, cannot be attacked from the cyber domain. Governments standardize the metrics for power quality; namely the intended frequency and voltage levels in the grid, including acceptable ranges of deviation (230 V ± 10% for voltage at any time and 50 Hz ± 10 mHz for the average frequency over a period of one day for Central Europe). Set-points for frequency and voltage can again be limited to these acceptable ranges, in order to prevent accidental or malicious power quality violations. Cyber-attacks in the power domain can require detailed knowledge about the system under attack, and the possibilities to inflict physical damage to power equipment are limited.

For microgrids three operational modes are identified that have further implications on the possibilities of cyber-attacks.

Connected Mode. A microgrid is operated connected to the main grid. Manual synchronization of phase and frequency is not needed. To manage the voltage on the distribution lines – to prevent over- or undervoltage situations – the main grid can control the active and reactive power that is fed into the distribution system by the microgrid. This is controlled by changing the set-points for active and reactive power, which are the commands that can be manipulated by an attacker in this stage.

Islanded Mode. The microgrid operates disconnected from the main grid. Local loads are supplied by local generation. Synchronization with the main grid is not needed. An internal controller has to take responsibility for the power quality within the microgrid. It has to ensure that the voltage and frequency levels in the microgrid fulfill the power quality requirements. These are fixed standardized references and as such not possible to attack from the cyber domain. Availability and integrity attacks are possible on data from local measurement devices that are sent to the controller. In case the local demand in an islanded microgrid exceeds the possible local generation, three possibilities exist: (i) the microgrid can gracefully shut down, resulting in a local blackout; (ii) load can be shed to maintain stable operation; or (iii) the microgrid can attempt to reconnect to the main grid.

Transitional State. Disconnection and reconnection are the two most volatile states for a microgrid. Before disconnecting it has to be ensured that the local generation can supply the local demand to prevent a blackout in the microgrid. During reconnection, synchronous-islanded operation is one way to align phasor and frequency in the main grid and in the island. In this state, both the reference from the main grid and the local measurements are sent over ICT networks and are, as such, open to attacks. In particular, reference measurements from the main grid potentially have to perform multiple hops to reach the local controller, each of which is a potential attack vector. Additional risk is imposed at this stage by measurement data from the phasor. For voltage and frequency, fixed power quality set-points are known. A high deviation from these set-points at the reference point in the main grid is very unlikely and indicates faulty measurements or an attack. For phasor measurement data, every potential value is valid at certain points in time. It is the deviation between the reference point and the local measurements that has to be minimized.
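As an added example of the plausibility checks this passage implies (not code from the paper), the Python below applies two physics-based rules to paired grid/island samples. Voltage and frequency at the reference point are compared against the fixed power-quality set-points, as the passage suggests. For the phase angle no absolute value can be rejected, so only the grid-island difference is checked, and only for consistency over time: between two samples 0.1 s apart the difference can move by no more than 360 · |f_r − f_g| · 0.1 degrees plus a small margin, since the phases of both PMUs drift against the same nominal-frequency reference. The instantaneous frequency tolerance, the margin and the sample data are assumptions constructed for the example; the page gives only the 230 V ± 10% band and a daily-average frequency bound.

```python
from dataclasses import dataclass
from typing import List, Tuple

NOMINAL_V, V_TOL = 230.0, 0.10      # 230 V +/- 10 % (power-quality band stated in Sect. 4.1)
NOMINAL_F_HZ = 50.0
F_TOL_HZ = 0.2                      # assumption: instantaneous band; page gives only +/- 10 mHz daily average
PHASE_MARGIN_DEG = 2.0              # assumption: allowance for measurement noise
DT = 0.1                            # s between PMU samples (10 per second)


@dataclass(frozen=True)
class Sample:
    voltage: float
    frequency: float
    phase_deg: float


def wrap_deg(angle: float) -> float:
    """Wrap to [-180, 180)."""
    return (angle + 180.0) % 360.0 - 180.0


def check_reference_setpoints(ref: Sample) -> List[str]:
    """Voltage and frequency at the main-grid reference should sit inside the fixed band."""
    flags = []
    if abs(ref.voltage - NOMINAL_V) > V_TOL * NOMINAL_V:
        flags.append(f"voltage {ref.voltage:.1f} V outside {NOMINAL_V} V +/- {V_TOL:.0%}")
    if abs(ref.frequency - NOMINAL_F_HZ) > F_TOL_HZ:
        flags.append(f"frequency {ref.frequency:.3f} Hz outside {NOMINAL_F_HZ} Hz +/- {F_TOL_HZ} Hz")
    return flags


def check_phase_step(prev: Tuple[Sample, Sample], cur: Tuple[Sample, Sample], dt: float = DT) -> List[str]:
    """The grid-island phase difference can only move as fast as the frequency difference lets it."""
    d_prev = wrap_deg(prev[0].phase_deg - prev[1].phase_deg)
    d_cur = wrap_deg(cur[0].phase_deg - cur[1].phase_deg)
    observed = abs(wrap_deg(d_cur - d_prev))
    df = max(abs(prev[0].frequency - prev[1].frequency), abs(cur[0].frequency - cur[1].frequency))
    explainable = 360.0 * df * dt + PHASE_MARGIN_DEG
    if observed > explainable:
        return [f"phase difference jumped {observed:.1f} deg, at most {explainable:.1f} deg explainable"]
    return []


def scan(pairs: List[Tuple[Sample, Sample]]) -> List[Tuple[int, str]]:
    """Run both checks over a sequence of (reference, island) pairs; returns (index, reason) alerts."""
    alerts = []
    for i, pair in enumerate(pairs):
        reasons = check_reference_setpoints(pair[0])
        if i > 0:
            reasons += check_phase_step(pairs[i - 1], pair)
        alerts += [(i, r) for r in reasons]
    return alerts


# Constructed sequence: grid runs 0.04 Hz above the island, so the difference drifts 1.44 deg per sample.
SAMPLE_PAIRS = [
    (Sample(230.2, 50.02, 10.00), Sample(229.5, 49.98, -20.00)),
    (Sample(230.1, 50.02, 10.72), Sample(229.5, 49.98, -20.72)),
    (Sample(230.1, 50.02, 11.44), Sample(229.5, 49.98, -21.44)),
    (Sample(230.1, 50.02, 52.00), Sample(229.4, 49.98, -22.16)),   # reference phase jumps by 40 deg
    (Sample(200.0, 50.02, 52.72), Sample(229.4, 49.98, -22.88)),   # reference voltage implausible
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_PAIRS):
        print(f"pair {index}: {reason}")
```

Such checks are a first line of defence for the transitional state only: a manipulated reference that stays within the band and moves the phase difference slowly remains indistinguishable from genuine grid behaviour without message integrity protection.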

4.2. Attack Types

The proposed use case contains two communication links that can potentially be targeted by a cyber-attack: the ICT network and the GPS communication used by the PMUs for clock synchronization. For both, attacks on all three security requirements are possible.

Availability. Communication in power systems is often time critical. Control commands and measurements are only valid for a given time window. Therefore, Denial-of-Service (DoS) attacks can either aim to block traffic completely or delay a message for long enough to shift the arrival time out of the accepted time window. DoS attacks can happen on different levels of the communication stack. On the Physical Layer, wireless communication technologies are vulnerable to cyber-attacks. In the given use case, this can include both the ICT network and the GPS signals. First, the communication between the PMUs and the controller can include wireless connections. This is especially true if the controlled island is in a geographically isolated area. Second, the PMUs rely on GPS for time synchronization. The Data Link Layer is responsible for a reliable point-to-point communication. In the proposed testbed, communication between PMUs and the controller is based on UDP/IP over Ethernet. With MAC address spoofing, an attacker can masquerade as another device. This is a potential threat to both availability and integrity. On the Network and Transport Layer, resource exhaustion attacks can be especially effective on power equipment, as resources are very limited. These can also be performed on the Application Layer, where computationally expensive requests can be sent to devices.

Integrity. There are two main types of integrity attacks: (i) existing messages can be intercepted and altered or (ii) additional valid messages can be injected into a communication flow. The first type is also a potential threat to availability. Successful integrity attacks are potentially more dangerous than DoS attacks, because they can lead to unexpected control decisions. Two different aspects of the system need to be targeted. First, the integrity of a message needs to be compromised. Then the message needs to be manipulated in a way that results in the intended effect in the controlled physical domain. Integrity attacks are possible on GPS signals and on the ICT network. On the ICT network, the following measurements and control commands are at risk: in connected mode the set-points for active and reactive power, in islanded mode the local measurements of frequency and voltage, and in synchronous-islanding mode all measurements at the reference point of the main grid as well as local measurements of phase, frequency and voltage. The potential effects of integrity attacks on this information are further discussed in Sect. 4.3.

Confidentiality. Attacks on confidentiality are the least critical for power grid operation. But a lack of message confidentiality can help attackers during reconnaissance. The network layout, the type of protocols in use, network addresses of potentially vulnerable devices and the current status of the power system are just a small sample of interesting information that can be gathered on the network.

Table 1 shows the attack capabilities that are needed on each network layer in order to perform a specific type of attack. It can be seen that attacks on availability can be performed on each network layer independently. They have a large attack surface. Integrity and confidentiality attacks, on the other hand, have strict requirements on the application layer, especially given the security features in place like signatures and encryption.

Table 1: Overview of the attack capabilities required on the different communication layers to target each security objective. Full circles indicate that an attack capability on the specific layer is required; half circles indicate that an attack on the layer is either sufficient but not required, or can be used to extend the attack capabilities.

4.3. Physical Effects

We have identified five types of physical impacts that a cyber-attack can have in the described microgrid use case. These include: (i) a local blackout in the microgrid with no imminent threat to the rest of the grid; (ii) instabilities on the main grid (these include cases in which protective relays isolate electrical faults); (iii) violations of the power quality in the microgrid; (iv) physical damage to power equipment; and (v) danger to human safety. Table 2 gives an overview of the potential physical effects of cyber-attacks in the different operation modes of the microgrid. We differentiate three attack types: (i) attacks on the availability and integrity of the GPS-based clock synchronization of PMUs; (ii) attacks on the availability of the ICT network; and (iii) integrity attacks on the messages in the ICT network. Attacks on availability and integrity of GPS are categorized together because the physical effects that can be caused are very similar. Only the effectiveness of the attack can be higher if an integrity attack is used to intelligently manipulate the time synchronization, instead of introducing an arbitrary error. Confidentiality attacks are not shown, as they cannot directly introduce physical effects.

It is assumed that the attacker can only gain control of the ICT network in the microgrid. Therefore, all messages sent from and to the microgrid by a central SCADA control center can be attacked. Messages to other devices or substations in the main grid cannot be affected. In the following, we discuss the table for each operation mode.

Connected. In connected mode the attacker's capabilities to cause physical damage are the most limited. Measurements from the PMUs are not required for safe operation. Only messages controlling active and reactive power emission can be affected. The potential impact of a manipulation of these set-points depends on the size of the attacked microgrid in comparison to the main grid or a certain section of the distribution network. Depending on this significance, blocking or manipulating these set-points can cause local grid instability and subsequently local blackouts. Additional redundancies in the distribution network can limit the possible damage. Further, protective devices are in place to isolate electrical faults and prevent propagation.

Islanded. In islanded mode, cyber-attacks cannot influence the main grid. The microgrid, on the other hand, is more vulnerable. One reason specific to the proposed use case is that PMUs are the only sensors in the proposed microgrid. Attacks on the GPS signal have limited effect on the grid, because control over frequency and voltage does not require phasor orientation in islanded mode. The lack of ICT communication as well as intelligent integrity attacks, on the other hand, can cause serious physical effects. By manipulating the local measurements of frequency and voltage, control over power quality is lost, which can result in a violation of power quality metrics as well as a shutdown of the microgrid.

Synchronous-Islanding. Synchronous-islanding is the most volatile operation mode, where the most critical physical damage can be achieved: damage to equipment and risk to human safety. The critical moment for equipment is the moment of circuit breaker re-closure. Significant differences of phase angle, frequency or voltage magnitude between the main grid and the island can damage the circuit breaker as well as local synchronous generators. This situation can be achieved by manipulating the feedback loop in charge of synchronization. DoS attacks on the ICT network can easily be detected and re-closure can be prohibited. The effects of limited precision in clock synchronization between the PMUs are harder to detect and therefore more critical. Most damage can be done using integrity attacks on the ICT network. Manipulation of the local measurements or of measurements from the reference point tricks the controller into making incorrect assumptions about the system state. This can be used to maximize the phase angle difference. The local controller has no way of verifying the correctness of the data. It will assume synchronization is achieved while the control decisions potentially led to a maximization of the phase angle difference. While frequency and voltage levels can be compared to the static set-points from the power quality metrics, the same cannot be done for phase angle information. This leaves the controller vulnerable to integrity attacks without the ability to detect them.
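The re-closure decision described above, as an added example that is not the paper's controller: a gate that rejects stale measurements (the DoS case), checks frequency and voltage against static set-points, and, going one step beyond the paper, cross-checks the reported phase angle difference against what the reported frequencies physically allow. The `Phasor` type, all limit values and the PMU sampling assumptions are constructed for this example.

```python
from dataclasses import dataclass
from math import pi

# Added example, not the paper's controller: a re-closure gate for a
# synchronous-islanding controller that receives synchrophasors from the
# local PMU and the reference PMU at the main grid. All limits are assumed.
MAX_AGE_S = 0.1            # accepted arrival window for a measurement, s
FREQ_LIMIT = (49.5, 50.5)  # Hz, assumed power-quality band
VOLT_LIMIT = (0.94, 1.06)  # per unit, assumed power-quality band
MAX_CLOSE_ANGLE = 0.175    # rad (about 10 deg), assumed synch-check limit
ANGLE_TOL = 0.05           # rad, tolerated deviation from physical prediction

@dataclass
class Phasor:
    t: float      # GPS-referenced timestamp, s
    angle: float  # phase angle, rad
    freq: float   # frequency, Hz
    volt: float   # voltage magnitude, per unit

def wrap(a: float) -> float:
    """Wrap an angle into [-pi, pi)."""
    return (a + pi) % (2 * pi) - pi

def reclosure_allowed(now, ref_prev, ref_now, loc_prev, loc_now):
    """Decide whether the breaker may close; returns (allowed, reason).
    Both PMUs are assumed to report at the same GPS-aligned instants."""
    # 1. Availability: a blocked or delayed message is outside its validity
    #    window; the gate fails closed instead of reusing old data.
    if max(now - ref_now.t, now - loc_now.t) > MAX_AGE_S:
        return False, "stale measurement"
    # 2. Static limits: frequency and voltage are compared against the
    #    power-quality set-points, the check the paper notes is possible.
    for p in (ref_now, loc_now):
        if not FREQ_LIMIT[0] <= p.freq <= FREQ_LIMIT[1]:
            return False, "frequency outside limits"
        if not VOLT_LIMIT[0] <= p.volt <= VOLT_LIMIT[1]:
            return False, "voltage outside limits"
    # 3. Physical consistency (added check): phase has no static set-point,
    #    but between two samples the island-to-grid angle difference can only
    #    advance by 2*pi*(f_loc - f_ref)*dt. A reported angle that contradicts
    #    the reported frequencies cannot describe one physical system.
    dt = loc_now.t - loc_prev.t
    slip = 2 * pi * (loc_prev.freq - ref_prev.freq) * dt
    predicted = wrap(loc_prev.angle - ref_prev.angle + slip)
    observed = wrap(loc_now.angle - ref_now.angle)
    if abs(wrap(observed - predicted)) > ANGLE_TOL:
        return False, "phase angle inconsistent with frequency"
    # 4. Synchronism check on the now-plausible angle difference.
    if abs(observed) > MAX_CLOSE_ANGLE:
        return False, "phase angle difference too large"
    return True, "ok"
```

The consistency check only catches phase data that disagrees with the frequency channel; an attacker who forges all channels of one PMU consistently still passes it, which is why the paper argues for detection that spans the cyber and physical domains rather than the controller's local view alone.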


Table 2: Overview of the physical effects of different types of cyber-attacks in the three operation modes of a microgrid. Half circles indicate that control algorithms without knowledge of the ICT system can potentially mitigate the physical effect. Full circles indicate that additional control algorithms will be needed that bridge the gap between the physical and the cyber domain to detect and mitigate the threat.

5. RELATED WORK

One approach for safe circuit-breaker re-closure is synchronous-islanded operation of power islands; a universally applicable method is presented by Best et al. (2008). The authors describe general requirements and possible limitations caused by the time delay introduced when transmitting the reference signal. Challenges like islanding detection and control initiation are covered, as well as issues with power quality and security mechanisms in the case of a communication loss. Laverty et al. (2008) perform a detailed analysis of the effect of the time delay introduced by wide-area telecommunications. In their work, the authors show the response of an alternator operated by an Internet-based phase difference controller to local load acceptances. They were able to show that control is effective when it is operated on a telecommunication link with variable time delay such as the Internet. Caldon et al. (2004) evaluate the effects of synchronous and inverter-interfaced generators on the stability of power islands. The authors show that inverter-interfaced generators increase the stability of frequency and phase angle difference. Synchronous-islanded operation highly depends on Phasor Measurement Units (PMUs).

Research on the potential effects of cyber-attacks on physical infrastructures in cyber-physical systems is often performed from either an ICT or a physical and control engineering perspective. In the ICT domain, Dondossola et al. (2008) analyze potential cyber-attacks on power substation control systems. Their research focus lies on the potential threats of cyber-attacks to the ICT communication capabilities. Potential physical effects are highlighted, but no critical physical effects are achieved in the experiments. Wang and Lu (2013) highlight potential cyber-attacks on availability, integrity and confidentiality, and their potential effects on different use cases. They also present potential mitigation strategies. Signatures and encryption are presented as cryptographic countermeasures, and the difficulties that arise from limited computing power and strict time constraints are explained. Network-based countermeasures are presented and grouped by the targeted communication layers. Availability attacks on GPS signals by GPS jamming are presented by Hu and Wei (2009). The authors also elaborate on countermeasures against GPS jamming in modern GPS receivers. Zhang et al. (2013) present an integrity attack on GPS signals with respect to time synchronization. The authors show how the injection of targeted GPS signals increases the effect of the attack in comparison to the arbitrary error introduced by availability attacks. In the control domain, work by Sandberg et al. (2010) and Dan and Sandberg (2010) focuses on risks associated with bad data injection – an attack against state estimation where the monitored system state is manipulated in order to remain undetected. The authors develop security indices for nodes in the grid that produce measurement data. These indices are used to define how critical measurements from a certain node are to the overall state estimation. This knowledge can be used to introduce security features step-by-step, starting with the most critical nodes in the system. Kundur et al. (2011) present a first step towards a graph-based framework for modeling the physical impact of cyber-attacks on smart grids. Two case studies show the application of the framework in a Matlab environment based on two modified models of the IEEE 13-node distribution system. One case study shows that a successful cyber-attack can cause a severe under-frequency situation that ultimately results in a local blackout. Iowa State University (ISU) developed the PowerCyber testbed in 2013 (Hahn et al. 2013). Real physical components are used to implement substations. Substation communication is performed using IEC 61850 GOOSE messages. The Internet-Scale Event and Attack Generation Environment (ISEAGE) project – also developed by ISU – is used to emulate wide-area networks. SCADA-specific hardware is used to emulate a control centre. The physical setup is integrated with a real-time digital simulator and a PowerFactory-based offline simulator for bigger power grid instances. Of special interest is the use of IEC 61850 as well as the scalable approach of combining physical devices with power grid simulation. The authors further perform an analysis of the cyber and physical impact of cyber-attacks on three use cases of the system. The first use case shows the effect of a malicious breaker trip in a three-generator set. It is shown that isolation of one generator can cause the remaining two synchronous generators to become unsynchronized. The second use case highlights the effects of DoS attacks on state estimation algorithms. The third use case presents a coordinated multi-stage attack on a Remedial Action Scheme (RAS) that could cause load-shedding as well as frequency instability.

6. CONCLUSION AND FUTURE WORK

In this paper, we have performed a cyber-security analysis of different operational states of microgrids, with a particular focus on synchronous-islanded operation. To control these operational states, an increased integration of power systems with ICT communication is needed. Our analysis, which is based on a testbed that includes both power equipment and ICT components, has considered the physical limitations imposed by real power equipment and the potential capabilities of an attacker in the cyber domain. We have indicated that a cyber-attack can cause physical damage to power equipment and endanger human safety. These findings motivate the need for new solutions for cyber-physical resilience in microgrids. These solutions need to tightly integrate efforts from the ICT and power domains to detect and mitigate cyber-attacks accurately and ensure safe operation. Future work will include further development of the presented testbed. The described attacks will be implemented and evaluated in this cyber-physical environment. A more formal security analysis will be conducted using the Systems Theoretic Process Analysis (STPA) method, as proposed by Leveson (2011). Our goal is the realisation of a resilience framework that ensures the safe operation of microgrids during cyber-attacks.

Acknowledgements. This work was partly funded by the EU FP7 SPARKS project (Contract No. 608224) and the EPSRC CAPRICA project (Contract No. EP/M002837/1).

REFERENCES

Best, R. et al. (2008) Universal application of synchronous islanded operation. In: IET-CIRED Seminar SmartGrids for Distribution.

Caldon, R., Rossetto, F., and Turri, R. (2004) Temporary islanded operation of dispersed generation on distribution networks. In: 39th International Universities Power Engineering Conference, 3, 987–991.

Considine, T., Cox, W., and Cazalet, E. G. (2012) Understanding microgrids as the essential architecture of smart energy. In: Grid-Interop Forum, Texas.

Dan, G. and Sandberg, H. (2010) Stealth attacks and protection schemes for state estimators in power systems. In: First IEEE International Conference on Smart Grid Communications (SmartGridComm), 214–219.

Dondossola, G., Szanto, J., Masera, M., and Fovino, I. N. (2008) Effects of intentional threats to power substation control systems. Int. J. Critical Infrastruct., 4 (1), 129–143.

Farhangi, H. (2010) The path of the smart grid. IEEE Power and Energy Mag., 8 (1), 18–28.

Hahn, A. et al. (2013) Cyber-physical security testbeds: Architecture, application, and evaluation for smart grid. IEEE Trans. Smart Grid, 4 (2), 847–855.

Hu, H. and Wei, N. (2009) A study of GPS jamming and anti-jamming. In: 2nd International Conference on Power Electronics and Intelligent Transportation System (PEITS), 1, 388–391.

IEEE Power & Energy Society (2011) IEEE Std C37.118.1-2011 (Revision of IEEE Std C37.118-2005). IEEE standard for synchrophasors for power systems.

Kundur, D. et al. (2011) Towards modelling the impact of cyber attacks on a smart grid. Int. J. Security and Netw., 6 (1), 2–13.

Laverty, D. M. et al. (2008) Internet based phasor measurement system for phase control of synchronous islands. In: IEEE Power and Energy Society General Meeting - Conversion and Delivery of Electrical Energy in the 21st Century, 1–6.

Lee, R., Assante, M., and Conway, T. (2014) ICS CP/PE (cyber-to-physical or process effects) case study paper – German steel mill cyber attack. SANS ICS, Tech. Rep.

Leveson, N. G. (2011) Engineering a Safer World: Systems Thinking Applied to Safety. Cambridge, MA, USA: The MIT Press.

Sandberg, H., Teixeira, A., and Johansson, K. H. (2010) On security indices for state estimators in power networks. In: Preprints of the First Workshop on Secure Control Systems, CPSWEEK, Stockholm, Sweden.

Wang, W. and Lu, Z. (2013) Cyber security in the smart grid: Survey and challenges. Comput. Netw., 57 (5), 1344–1371.

Zhang, Z., Gong, S., Dimitrovski, A. D., and Li, H. (2013) Time synchronization attack in smart grid: Impact and analysis. IEEE Trans. Smart Grid, 4 (1), 87–98.