A Cyber-Physical Security Analysis of Synchronous-Islanded ...

A Cyber-Physical Security Analysis of Synchronous-IslandedMicrogrid Operation

Friedberg, I., Laverty, D., McLaughlin, K., & Smith, P. (2015). A Cyber-Physical Security Analysis ofSynchronous-Islanded Microgrid Operation. In Proceedings of the 3rd International Symposium for ICS &SCADA Cyber Security Research 2015 (pp. 52-62). BCS Learning & Development Ltd.https://doi.org/10.14236/ewic/ICS2015.6

Published in:Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research 2015

Document Version:Peer reviewed version

Queen's University Belfast - Research Portal:Link to publication record in Queen's University Belfast Research Portal

Publisher rights© 2015 Friedberg et al. Published byBCS Learning & Development Ltd.

General rightsCopyright for the publications made accessible via the Queen's University Belfast Research Portal is retained by the author(s) and / or othercopyright owners and it is a condition of accessing these publications that users recognise and abide by the legal requirements associatedwith these rights.

Take down policyThe Research Portal is Queen's institutional repository that provides access to Queen's research output. Every effort has been made toensure that content in the Research Portal does not infringe any person's rights, or applicable UK laws. If you discover content in theResearch Portal that you believe breaches copyright or violates any law, please contact [email protected].

Download date:24. Oct. 2021

https://doi.org/10.14236/ewic/ICS2015.6

https://pure.qub.ac.uk/en/publications/a-cyberphysical-security-analysis-of-synchronousislanded-microgrid-operation(4bd37ca9-d6bb-4da2-a0f1-ef5b47ceb20a).html

A Cyber-Physical Security Analysis ofSynchronous-Islanded Microgrid Operation

Ivo FriedbergQueen’s University Belfast

AIT Austrian Institute of [email protected]

David Laverty, Kieran McLaughlinQueen’s University Belfast

{david.laverty, kieran.mclaughlin}@qub.ac.uk

Paul SmithAIT Austrian Institute of Technology

[email protected]

Cyber-security research in the field of smart grids is often performed with a focus on either thepower and control domain or the Information and Communications Technology (ICT) domain. Thecharacteristics of the power equipment or ICT domain are commonly not collectively considered.This work provides an analysis of the physical effects of cyber-attacks on microgrids – a smart gridconstruct that allows continued power supply when disconnected from a main grid. Different typesof microgrid operations are explained (connected, islanded and synchronous-islanding) and potentialcyber-attacks and their physical effects are analyzed. A testbed that is based on physical power andICT equipment is presented to validate the results in both the physical and ICT domain.

Testbed, Microgrid, Smart Grid, Cyber Security, Vulnerability, Synchronous Islanded Generation

1. INTRODUCTION

Supervisory Control and Data Acquisition (SCADA)systems are widely used in industrial control systemsto collect information on the system state and issuecontrol commands to remote actuators. Incidentslike the attack on a German steel mill (Lee et al.2014) show the ability of successful cyber-attacks tocause physical damage. A close relationship betweenInformation and Communication Technologies (ICT)and the physical domain needs to be established toeffectively counter these attacks. Models of IntrusionDetection Systems (IDS) can be enhanced with theconstraints of the physical system. The same holdsfor control loops in the physical domain which canbenefit from knowledge about the state of the ICTdomain. Current research on SCADA system securityis often based on an analysis of ICT protocols ornetwork layouts, and is therefore strongly biasedby cyber-security research in the ICT domain. Thebenefits that come from an understanding of thephysical system that is under control are oftenignored: Intrusion Detection Systems (IDS) as well asmitigation strategies for Industrial Control Systems(ICS) can leverage the laws of physics; they should bedeveloped based on concrete domains and use cases tobridge the gap between the ICT and physical domainsmore effectively.

The development of current power grids into asmart grid revolves around a change from acentralized, uni-directional communication and powertransmission layout, towards a meshed infrastructureas highlighted by Farhangi (2010). Considine et al.(2012) motivates a dynamic grid structure that isbased on interconnected microgrids. This allows foran effective integration of renewable energy sources,but introduces new requirements for the tighterintegration of ICT resources. Microgrids can beoperated in two ways: (i) connected to the maingrid, they can draw or supply power from it; and(ii) islanded – disconnected from the main grid –they supply local loads with local generation. Often,islanded operation is only possible for a limitedamount of time. This calls for the capability todynamically connect and disconnect power islandsfrom the main grid; a transitional state that is highlydependent on ICT infrastructure while the grid isvulnerable to physical equipment damage due topower dynamics.

This paper presents a cyber-security analysis of theoperational modes of microgrids. Special focus isgiven to synchronous-islanded operation: a mode ofoperation that controls the critical transitional state.Required for this operation are Phasor MeasurementUnits (PMUs), which are devices that allow the

c© The Authors. Published by BISL. 1<Proceedings of 3rd International Symposium for ICS & SCADA Cyber Security Research>

A Cyber-Physical Security Analysis of Synchronous-Islanded Microgrid OperationFriedberg • Laverty • McLaughlin • Smith

measurement and communication of power dynamics.Currently, PMUs are primarily used as recordingdevices for post-fault analysis, but they havereceived increased attention for security and controlapplications. Our cyber-security analysis is based ona physical testbed that is designed to represent anislanded microgrid, which can be operated in anislanded, synchronous-islanded or connected (to themain grid) fashion. The main findings of this analysisare that attacks on the integrity of measurementand control communication can cause the mostsevere physical impact on microgrids. While attacksagainst communication availability require less attackcapabilities, they can only cause critical physicaleffects under specific conditions out of the attacker’scontrol. Attacks on confidentiality can cause nodirect physical impact but can be used during thereconnaissance phase of an attack. Synchronous-islanded operation is most vulnerable to physicaldamage – even direct equipment damage – caused bycyber-attacks.

2. PRELIMINARIES

Dynamic connection and disconnection of microgridsis important for future smart grid operation. Powerdynamics need to be controlled to prevent equipmentdamage and to ensure human safety. This sectiongives an overview of the challenges involved withsynchronous-islanded operation of microgrids andwhat it can be used for.

2.1. Synchronous-Islanded Operation

For most types of microgrids, independent operationis only possible for a limited amount of time.To prevent blackouts in the microgrid duringreconnection, it has to be possible for microgrids to bedynamically added and removed from the main gridduring operation. Synchronous-islanded operation ofmicrogrids is seen as one way to tackle this challenge.Even in islanding mode, the power metrics – voltagemagnitudes (Xm), frequency (ω) and phase angle(φ) – are kept synchronized with the main grid.When these power metrics are matched between theislanded microgrid and the main grid, circuit breakerre-closure (see Sect. 2.2) is safe.

Microgrid internal controls can also take overcompletely when the main grid experiences severestability problems. Military microgrids are anexample where unstable environments are commonand this feature is required. If synchronization is notguaranteed, re-closure of circuit breakers has to beprohibited.

Synchronous-islanded operation enforces strict trans-mission delay constraints on the underlying commu-nication network. Control logic is used to control the

difference in frequency between the systems takingthe current phase angle difference into account. Adetailed controller example is given in Sect. 3.

2.2. Circuit Breaker Re-closure

Connection of two independent and running powersystems involves a set of risks, including out-of-syncclosure. Two independent systems run potentiallywith different frequency and shifted phase angle.At the moment of connection three variables inthe two systems have to be matched as closely aspossible. These are the voltage magnitude (Xm), thefrequency (ω) and the phase angle (φ). Limitationson the acceptable difference between the systemsdepend on the equipment in use. At the moment ofconnection the two systems are forced to synchronize.Depending on the synchronization quality at the timeof connection, this might cause a strong immediatepower flow on the circuit breaker. During this processalso generator equipment is affected. The two phaseangles are immediately forced to align, causingcritical physical stress on equipment like generators.

2.3. The Phasor

A phasor – first described by Charles ProteusSteinmetz – is defined by the C37.118 standard (IEEEPower & Energy Society 2011) as a representation ofthe sinusoidal waveform defined in Eq. 1 with Xm

describing the amplitude of the wave, ω the angularfrequency and φ the phase angle of the waveform attime t = 0.

x(t) = Xm cos(ωt+ φ) (1)

Using the transformation shown in Eq. 2 the phasorcan use the representation of an imaginary numberwhere the subscripts r and i signify real andimaginary part respectively.

X = (Xm/√

2)ejφ

= (Xm/√

2)(cosφ+ j sinφ)= Xr + jXi

(2)

Phasors are commonly used in AC power analytics.The optimal assumption is a waveform with aconstant frequency of 50 Hz and a voltage amplitudeof 230 V for most of Europe and Asia. In this model,the waveform x(t) is sufficiently defined by one phasorat time t = 0 for any future time t. Real powersystems cannot fulfill this optimal model. Standardsdefine the acceptable ranges of power quality forfrequency and voltage. By allowing the frequency tochange, the phase angle φ measured at time t = 0is not sufficient to define the waveform at time t1

2


φ

ω x(

t)

Figure 1: Graphical description of phasor definition.

(given ω and Xm at time t1 are known). Successivemeasurements are needed to update the knowledgeabout the waveform.

Figure 1 shows a graphical interpretation of a phasoras a rotating vector. The magnitude Xm of the vectorequals the amplitude of the waveform. The frequencyω describes the speed the vector rotates in. The phaseangle φ is the angle between the vector and the baseline. It becomes immediately clear, that the onlyparameter really depending on the time t is φ. Weget the waveform by moving the source of the vectoralong the x-axis (in this case time) with constantspeed. The projection of the vector on the y-axis isthen the value of x(t).

It has been possible to measure frequency andamplitude for a long time, but more recentlyPhasor Measurement Units (PMUs) have allowedoperators to measure the phase angle remotely. PMUsallow the comparison of phasors of synchronoussystems by assuming a reference waveform of nominalfrequency. Phase Angle measurements are onlycomparable when taken at the same time. Precisionrequirements on time synchronization for comparablephase angle measurements are given by the C37.118standard (IEEE Power & Energy Society 2011) with±3µs. These measurements enable a set of newcontrol capabilities but also open up new attackvectors as we will discuss in Sect. 4.

3. SYNCHONOUS-ISLANDING TESTBED

This section describes the current implementationof the synchronous islanding testbed at Queen’sUniversity Belfast. Section 3.1 gives an overview

of the current testbed architecture. It highlightsthe physical components and describes their rolein the testbed. Section 3.2 describes the controllerfunctionality in more detail followed by a descriptionof the used communication protocol in Sect. 3.3.

3.1. Architecture

Figure 2 gives an overview of the testbed’s currentimplementation. It is designed to operate a DCmachine synchronous with the main grid while inislanded mode.DC Machine. The DC machine is a DC Motor /Alternator set. The DC motor is supplied from a‘Eurotherm 590+’ digital DC drive; it offers analogueinputs to control the set points on the drive. Thealternator is a 1000 rpm, 6 pole construction ratedfor 5kVA with a 0.8 power factor. Socket terminalson the laboratory work bench offer connection to thethree phases, their neutrals and the alternator fieldwinding over 4mm ‘banana’ plugs.Phasor Measurement Units (PMUs). As PMUtechnology, equipment from the OpenPMU project(see Sect. 5) is used. PMUs are deployed at the maingrid and within the power island. The collected powermetrics are then transmitted to the controller.Load Bank. A 3-phase resistive load bank is de-ployed within the power island. It can be used toevaluate the behaviour of the controlled island undershifting loads.Controller. The controller collects the measure-ments from the PMUs and adapts the set pointsof the generator set. The controller in the testbedis implemented by a Python script running on aRaspberry Pi. The Serial Peripheral Interface (SPI)is used in combination with a transducer to transmitthe set points to the analogue input of the digital DCdrive. Figure 3 gives a schematic view on the modularsoftware architecture of the controller. Network pack-ets are received and then handled by separate workerthreads to increase throughput. The worker threadlogic decodes the network packet and is therefore pro-tocol dependent. The decoded measurement pointsare then synchronized between the worker threadsand measurements from the two PMUs are matchedin the time domain. Once two measurements withthe same timestamp are received, phase angle andfrequency are extracted and sent to the controller.The controller block implements the logic described inSect. 3.2. A generic Proportional-Integral-Derivative(PID) controller is used in combination with someadditional logic to calculate the error value. Thecalculated update value is then transferred to a gener-ator set specific communication module. It calculatesan adequate set of set points as feedback for theinternal controller of the generator set.

3


WANPMU Controller SPI Circuit Breaker

Load Bank

PMUCommunication

Power

Prime Mover Alternator

Prime Mover Controller

DC Machine

Figure 2: Overview on the testbed architecture. A DC Machine is operated synchronous with the main grid while in islandingmode. A PMU at a remote, secure location in the main grid communicates with a local controller. A second PMU measuresthe power metrics in the island. The controller compares the measurements from the two PMUs and controls the generator.

Controller

Genset Communication

PMU Communitacion Layer

Pac

ket

Wo

rker

Thread Synchronization

Pac

ket

Wo

rker

Pac

ket

Wo

rker

Pac

ket

Wo

rker

Pac

ket

Wo

rker

Pac

ket

Wo

rker

Timestamp Matching

Measurement Data Transcoding

Receive Measurement Value

Phase Angle Control

Frequency Control

Update Genset Setpoints

Co

ntr

olle

r P

aram

ete

r U

pd

ate

s

Receive Updated Setpoints

Transcode and Transmit to Genset

Figure 3: Schematic view on modular controller softwarearchitecture

3.2. Controller Strategy

A PID controller is a feedback-based control loopmechanism. It relies solely on the measured variables

Controlled Process+- deKI I )(

dt

tdeDKD

)(

)(teKP P

)( te

++

+ )(tu )(ty)( tr

Figure 4: Standard model of a PID controller.

of the process under control and not on knowledgeabout the underlying processes. This makes themechanism widely applicable without the need foradaptation. Figure 4 gives an overview of the generalfunctionality of a PID controller.

The controlled process continuously emits measuredprocess variables (y(t)). The PID controller triesto minimize the error (e(t)) between the processvariables and given reference set points (r(t)). Whiley(t) is measured on the running process that iscontrolled, r(t) is controlled by the operator; bothcan change over time. An update signal (u(t)) istransmitted by the controller to the process to updatethe operation with the goal to minimize e(t). Theupdate signal comprises three weighted terms – theproportional term P depends on the current error,the integral term I depends on past errors and thederivative term D predicts future errors. The weightsof each term (KP ,KI ,KD) are used to tune thecontroller to a specific process.

For synchronous-islanded operation, two processvalues need to be controlled: phase φ and frequencyω. The internal controller in the generator set onlyaccepts one feedback signal. Figure 5 shows theadaption of a general PID controller to the use case.The analogue set point at the generator is used tocontrol the frequency. The classical PID control loop

4


+-

++

PID Controller

+-

Uti

lity

Ref

ere

nce

x

ωr

φr Δφ

φg

Generator

ωg

Kφ

Δω

Frequency Control Loop

Phase Difference Control Loop

Figure 5: The control logic for synchronous islanded generation.

uses the current frequency of the power island (ωg) asa feedback parameter and calculates the error giventhe controller’s set point. The reference value for thefrequency (ωr) is received from the main grid. But itcannot be used as is. A Phase Difference Control Loopfirst calculates the error between the feedback phaseangle in the island and the phase angle reference (seeEq. 3).

∆φ = φr − φg (3)

The Phase Difference Control Loop introduces a newtuning parameter Kφ that weighs the phase angleerror. The weighted phase angle error is then addedto ωr to adapt the reference. As a result, the islandwill intentionally run with lower frequency than themain grid if its phase angle is ahead (the weightedphase angle error will be negative) and with higherfrequency if the phase angle is behind. The completecalculation of the set-point for the PID controller ∆ωis shown in Eq. 4.

∆ω = Kφ∆φ+ ωr − ωg (4)

A known problem with PID controllers is integralwindup. A large change in set-points can causethe integral part to accumulate a large error. Thiserror causes the feedback to overshoot; the updatefrom the controller further increases although theproportional error was already resolved and nowpoints in the opposite direction. To resolve the issue,the accumulation in the integral term is blocked,while the update value from the controller is at thelimits.

3.3. Protocol

The OpenPMU currently supports transmissionof measurement values using the User DatagramProtocol (UDP) over the Internet Protocol (IP).Packets are transmitted to a statically defined IPaddress with a sampling rate of 10 measurements per

second. UDP is a suitable transport layer protocol.Randomly dropped packets are obsolete by the timethey would have been detected and requested again.

The payload of the packets containstext-based comma-separated values inthe form of: $<PMU ID>,<Time inUTC>,<Voltage>,<Frequency>,<Phase>*. Thisprotocol is sufficient for the basic usage of PMUs andto operate a synchronous-islanded generator. Thisprotocol is sufficient for the basic usage of PMUsand to operate a synchronous-islanded generator.Even though traditional industrial protocols likeC37.118 do not offer more in terms of security, thelack of message integrity and message confidentialitylimits the suitability of the protocol for securityresearch. It has to be noted that a wide range ofstandardized protocols (like C37.118) do not offermore in terms of security. Only IEC 61850-90-5comes with specifications of signature-based messageintegrity specified as part of the standard. While itis possible that integrity protection features receivemore attention as PMUs are increasingly usedfor control tasks, standards leave vendors a lot offreedom when it comes to concrete implementations.Often security features are in place, but checks aredisabled for simplicity or usability reasons. Thus,the potential impact of cyber-attacks that cancircumvent integrity protection features remainsrelevant.

4. CYBER-SECURITY ANALYSIS

This section provides a detailed cyber-securityanalysis of different operation modes of microgridsusing PMUs for active control. Figure 6 shows anextended version of the testbed, including (i) a bump-in-the-wire solution for IEC61850-90-5 support and(ii) a virtual office and SCADA network to allowmulti-stage attacks.

5


WANPMU

IEC

61

85

0-9

0-5

Gat

eway

Corporate Network

Office Network

SCADA Network

Controller DC MachineSPICircuit

Breaker

Load Bank

PMU

Communication

Power IEC 61850-90-5Gateway

Figure 6: Planned testbed layout including (i) a bump-in-the-wire solution for IEC61850-90-5 support and (ii) a virtualoffice and SCADA network to allow multi-stage attacks in addition to the testbed presented in Fig. 2

The microgrid can be operated in three differentmodes. Connected to the main grid, Islanded fromthe main grid or In Transition between those two.Synchronous-islanded operation will be the use casefor the transitional state as described in Sect. 2.Attacks can aim to compromise one of three securityobjectives: Availability, Integrity or Confidentiality.In the following, we focus on attacks on thecommunication infrastructure. Possible cyber-attacksto devices and physical attacks to the system are outof scope of this work. We give a general overview ofthe limitations given by current power control setups,describe attack types grouped by the three securityobjectives and analyze possible physical effects ofeach attack type in each of the operation modes. Theanalysis is supported with related work in Sect. 5.

4.1. Power Grid Operation

The physical prerequisites and the current state-of-the-art in power system control impose a set oflimitations on potential cyber-attackers. Inflictingphysical damage to power equipment by meansof cyber-attacks is difficult. Each input parameterfor power equipment is checked by an internalcontrol algorithm against a range of acceptablevalues. This range assures safe operation of thedevice to prevent physical damage. Protectivedevices throughout the grid continuously check forunacceptable conditions and automatically isolateelectrical faults. This does not prevent an attackerfrom achieving an unacceptable condition in the grid,but limits possibilities to propagate the fault. Further,protective relays are hard-wired to the power linesand, as such, cannot be attacked from the cyberdomain. Governments standardize the metrics forpower quality; namely the intended frequency and

voltage levels in the grid, including acceptable rangesof deviation (230V ± 10% for voltage at any timeand 50Hz ± 10mHz for the average frequency overa period of one day for Central Europe). Setpointsfor frequency and voltage can again be limited tothese acceptable ranges, in order to prevent accidentalor malicious power quality violations. Cyber-attacksin the power domain can require detailed knowledgeabout the system under attack and the possibilitiesto inflict physical damage to power equipment arelimited.

For microgrids three operational modes are identifiedthat have further implications on the possibilities ofcyber-attacks.Connected Mode. A microgrid is operated con-nected to the main grid. Manual synchronizationof phase and frequency are not needed. To managethe voltage on the distribution lines – to preventover- or undervoltage situations – the main grid cancontrol the active and reactive power that is fed intothe distribution system by the microgrid. This iscontrolled by changing the set-points for active andreactive power, which are the commands that can bemanipulated by an attacker in this stage.Islanded Mode. The microgrid operates discon-nected from the main grid. Local loads are suppliedby local generation. Synchronization with the maingrid is not needed. An internal controller has totake responsibility for the power quality within themicrogrid. It has to ensure that the voltage andfrequency levels in the microgrid fulfill the powerquality requirements. These are fixed standardizedreferences and as such not possible to attack from thecyber domain. Availability and integrity attacks arepossible on data from local measurement devices that

6


are sent to the controller. In case the local demand ina islanded microgrid exceeds the possible local gener-ation, three possibilities exist: (i) the microgrid cangracefully shut down, resulting in a local blackout;(ii) load can be shed to maintain stable operation; or(iii) the microgrid can attempt to reconnect to themain grid.Transitional State. Disconnection and reconnec-tion are the two most volatile states for a microgrid.Before disconnecting it has to be ensured that thelocal generation can supply the local demand toprevent a blackout in the microgrid. During recon-nection syncrhonous-islanded operation is one wayto align phasor and frequency in the main grid andin the island. In this state, both, the reference fromthe main grid as well as local measurements aresent over ICT networks and are, as such, open toattacks. In particular, reference measurements fromthe main grid have to potentially perform multiplehops to reach the local controller, each of which isa potential attack vector. Additional risk is imposedat this stage by measurement data from the phasor.For voltage and frequency, fixed power quality set-points are known. A high deviation from these set-points at the reference point in the main grid isvery unlikely and indicates faulty measurements or anattack. For phasor measurement data, every potentialvalue is valid at certain points in time. It is thedeviation between the reference point and the localmeasurements that has to be minimized.

4.2. Attack Types

The proposed use case contains two communicationlinks that can potentially be targeted by a cyberattack: the ICT network and the GPS communicationused by the PMUs for clock synchronization. Forboth, attacks on all three security requirements arepossible.

Availability. Communication in power systemsis often time critical. Control commands andmeasurements are only valid for a given time window.Therefore, Denial-of-Service (DoS) attacks can eitheraim to block traffic completely or delay a messagefor long enough to shift the arrival time out of theaccepted time window. DoS attacks can happen ondifferent levels of the communication stack. On thePhysical Layer, wireless communication technologiesare vulnerable to cyber-attacks. In the given usecase, this can include both the ICT network andthe GPS signals. First, the communication betweenthe PMUs and the controller can include wirelessconnections. This is especially true if the controlledisland is in a geographically isolated area. Second,the PMUs rely on GPS for time synchronization. TheData Link Layer is responsible for a reliable point-to-point communication. In the proposed testbed,communication between PMUs and the controller is

based on UDP/IP over Ethernet. With MAC addressspoofing, an attacker can masquerade as anotherdevice. This is a potential threat to both availabilityand integrity. On the Network and Transport Layerresource exhaustion attacks can be especially effectiveon power equipment, as resources are very limited.These can also be performed on the ApplicationLayer, where computationally expensive requests canbe sent to devices.Integrity. There are two main types of integrityattacks: (i) existing messages can be interceptedand altered or (ii) additional valid messages can beinjected into a communication flow. The first typeis also a potential threat to availability. Successfulintegrity attacks are potentially more dangerous thanDoS attacks, because they can lead to unexpectedcontrol decisions. Two different aspects of the systemneed to be targeted. First, the integrity of a messageneeds to be compromised. Then the message needsto be manipulated in a way that results in theintended effect in the controlled physical domain.Integrity attacks are possible on GPS signals and onthe ICT network. On the ICT network, the followingmeasurements and control commands are at risk: inconnected mode the set-points for active and reactivepower, in islanded mode the local measurements offrequency and voltage and in synchronous-islandingmode all measurements at the reference point ofthe main grid as well as local measurements ofphase, frequency and voltage. The potential effectsof integrity attacks on this information are furtherdiscussed in Sect. 4.3.Confidentiality. Attacks on confidentiality are theleast critical for power grid operation. But a lackof message confidentiality can help attackers duringreconnaissance. The network layout, the type ofprotocols in use, network addresses of potentiallyvulnerable devices and the current status of thepower system are just a small sample of interestinginformation that can be gathered on the network.

Availab. Integrity Confident.Physical G# # #

Data Link G# G#Transport/

Network G# G# G#

Application G# Table 1: Overview of the attack capabilities required onthe different communication layers to target each securityobjective. Full circles indicate, that an attack capability onthe specific layer is required, half circles indicate that anattack on the layer is either sufficient but not required, orcan be used to extend the attack capabilities.

Table 1 shows the attack capabilities that are neededon each network in order to perform a specific type ofattack. It can be seen that attacks on availability canbe performed on each network layer independently.

7


They have a large attack surface. Integrity andconfidentiality attacks, on the other hand, have strictrequirements on the application layer. Especially onthe security features in place like signatures andencryption.

4.3. Physical Effects

We have identified five types of physical impacts thata cyber-attack can have in the described microgriduse case. These include: (i) a local blackout in themicrogrid with no imminent threat to the rest of thegrid; (ii) instabilities on the main grid (these includecases in which protective relays isolate electricalfaults); (iii) violations of the power quality in themicrogrid; (iv) physical damage to power equipment;and (v) danger for human safety. Table 2 gives anoverview of the potential physical effects of cyber-attacks in the different operation modes of themicrogrid. We differentiate three attack types: (i)attacks on the availability and integrity of the GPS-based clock synchronization of PMUs; (ii) attackson the availability of the ICT network; and (iii)integrity attacks on the messages in the ICT network.Attacks on availability and integrity of GPS arecategorized together because the physical effectsthat can be caused are very similar. Only theeffectiveness of the attack can be higher if an integrityattack is used to intelligently manipulate the timesynchronization, instead of introducing an arbitraryerror. Confidentiality attacks are not shown, as theycannot directly introduce physical effects.

It is assumed that the attacker can only gain controlof the ICT network in the microgrid. Therefore,attacks on all messages sent from and to the microgridby a central SCADA control center can be attacked.Messages to other devices or substations in the maingrid cannot be affected. In the following, we willdiscuss the table for each operation mode.Connected. In connected mode the attacker’scapabilities to cause physical damage are themost limited. Measurements from the PMUs arenot required for safe operation. Only messagescontrolling active and reactive power emission canbe affected. The potential impact of a manipulationof these set-points depends on the significance ofthe attacked microgrid’s size in comparison to themain grid or a certain section in the distributionnetwork. Depending on the significance, blockingor manipulating these set-points can cause localgrid instability and subsequently local blackouts.Additional redundancies in the distribution networkcan limit the possible damage. Further, protectivedevices are in place to isolate electrical faults andprevent propagation.Islanded. In islanded mode, cyber-attacks cannotinfluence the main grid. The microgrid, on the otherhand, is more vulnerable. One reason for this that is

specific to the proposed use case is that PMUs arethe only sensor in the proposed microgrid. Attackson the GPS signal have limited effect on the grid,because control over frequency and voltage does notrequire phasor orientation in islanded mode. The lackof ICT communication as well as intelligent integrityattacks on the other hand can cause serious physicaleffects. By manipulating the local measurements offrequency and voltage, control over power quality islost which can result in a violation of power qualitymetrics as well as a shutdown of the microgrid.Synchronous-Islanding. Synchronous-islanding isthe most volatile operation mode where the mostcritical physical damage can be achieved: damageto equipment and risk of human safety. The criticalmoment for equipment is the moment of circuitbreaker re-closure. Significant differences of phaseangle, frequency or voltage magnitude between themain grid and the island can damage the circuitbreaker as well as local synchronous generators.This situation can be achieved by manipulating thefeedback loop in charge of synchronization. DoSattacks on the ICT network can easily be detectedand re-closure can be prohibited. The effects oflimited precision in clock synchronization betweenthe PMUs is harder to detect and therefore morecritical. Most damage can be done using integrityattacks on the ICT network. Manipulation of the localmeasurements or measurements from the referencepoint trick the controller into making incorrectassumptions about the system state. This can be usedto maximize the phase angle difference. The localcontroller has no way of verifying the correctness ofthe data. It will assume synchronization is achievedwhile the control decisions potentially led to amaximization of the phase angle difference. Whilefrequency and voltage levels can be compared to thestatic set-points from the power quality metrics, thesame cannot be done for phase angle information.This leaves the controller vulnerable to integrityattacks without the ability to detect them.

5. RELATED WORK

One approach for safe circuit-breaker re-closure issynchronous-islanded operation of power islands;a universally applicable method is presented byBest et al. (2008). The authors describe generalrequirements and possible limitations caused by time-delay introduced when transmitting the referencesignal. Challenges like islanding detection and controlinitiation are covered as well as issues with powerquality and security mechanisms in the case of acommunication loss. Laverty et al. (2008) performsa detailed analysis on the effect of the timedelay introduced by wide-area telecommunications.In their work, the authors show the response ofan alternator operated by an Internet-based phase

8


LocalBlackout

MainsInstability

Violation ofPower Quality

EquipmentDamage

HumanDanger

Connected

Avail. or Int. GPS # # # # #Availability ICT # G# # # #

Integrity ICT G# G# # # #

Islanded

Avail. or Int. GPS G# # # # #Availability ICT # # # #

Integrity ICT # # #

Sync-Islanded

Avail. or Int. GPS # # G# G#Availability ICT G# # G# # #

Integrity ICT # Table 2: Overview on physical effects of different types of cyber attacks in the three operation modes of a microgrid. Halfcircles indicate that control algorithms without knowledge of the ICT system can potentially mitigate the physical effect.Full circles indicate that additional control algorithms will be needed that bridge the gap between the physical and the cyberdomain to detect and mitigate the threat.

difference controller to local load acceptances. Theywere able to show that control is effective when it isoperated on a telecommunication link with variabletime delay such as the Internet. Caldon et al. (2004)evaluates the effects of synchronous and inverter-interfaced generators on the stability of power islands.The authors show, that inverter-interfaced generatorsincrease the stability of frequency and phase angledifference. Synchronous-islanded operation highlydepends on Phasor Measurement Units (PMUs).

Research on the potential effects of cyber-attackson physical infrastructures in cyber-physical systemsis often performed from either an ICT or aphysical and control engineering perspective. Inthe ICT domain, Dondossola et al. (2008) analyzepotential cyber-attacks on power substation controlsystems. Their research focus lies on the potentialthreats of cyber-attacks to the ICT communicationcapabilities. Potential physical effects are highlightedbut no critical physical effects are achieved inthe experiments. Wang and Lu (2013) highlightpotential cyber-attacks on availability, integrity andconfidentiality, and their potential effects on differentuse cases. They also present potential mitigationstrategies. Signatures and encryption are presentedas cryptographic countermeasures, and the difficultiesthat arise from limited computing power andstrict time constraints are explained. Network-basedcountermeasures are presented and grouped by thetargeted communication layers. Availability attackson GPS signals by GPS jamming are presented byHu and Wei (2009). The authors also elaborate oncountermeasures against GPS jamming in modernGPS receivers. Zhang et al. (2013) presents anintegrity attack on GPS signals with respect totime synchronization. The authors show how theinjection of targeted GPS signals increases the effectof the attack in comparison to the arbitrary errorintroduced by availability attacks. In the controldomain, work by Sandberg et al. (2010) and Dán

and Sandberg (2010) focuses on risks associatedwith bad data injection – an attack against stateestimation where the monitored system state ismanipulated in order to remain undetected. Theauthors develop security indices for nodes in thegrid that produce measurement data. These indicesare used to define how critical measurements froma certain node are to the overall state estimation.This knowledge can be used to introduce securityfeatures step-by-step, starting with the most criticalnodes in the system. Kundur et al. (2011) presentsa first step towards a graph-based framework formodeling the physical impact of cyber-attacks onsmart grids. Two case studies show the applicationof the framework in a Matlab environment basedon two modified models of the IEEE 13 nodedistribution system. One case study shows that asuccessful cyber-attack can cause a severe under-frequency situation that ultimately results in a localblackout. Iowa State University (ISU) have developedthe PowerCyber testbed in 2013 (Hahn et al. 2013).Real physical components are used to implementsubstations. Substation communication is performedusing IEC 61850 GOOSE messages. The Internet-Scale Event and Attack Generation Environment(ISEAGE) project – also developed by ISU – isused to emulate wide-area networks. SCADA-specifichardware is used to emulate a control centre. Thephysical setup is integrated with a real-time digitalsimulator and a PowerFactory based offline simulatorfor bigger power grid instances. Of special interestis the use of IEC 61850 as well as the scalableapproach of combining physical devices with powergrid simulation. The authors further perform ananalysis of the cyber and physical impact of cyber-attacks on three use cases of the system. The first usecase shows the effect of a malicious breaker trip in athree generator set. It is shown that isolation of onegenerator can cause the remaining two synchronousgenerators to become unsynchronized. The second usecase highlights the effects of DoS attacks on state

9


estimation algorithms. The third use case presents acoordinated multi-stage attack on a Remedial ActionScheme (RAS) that could cause load-shedding, as wellas frequency instability.

6. CONCLUSION AND FUTURE WORK

In this paper, we have performed a cyber-securityanalysis of different operational states of microgrids,with a particular focus on synchronous-islandedoperation. To control these operational states, anincreased integration of power systems with ICTcommunication is needed. Our analysis, which isbased on a testbed that includes both powerequipment and ICT components, has considered thephysical limitations imposed by real power equipmentand the potential capabilities of an attacker in thecyber domain. We have indicated that a cyber-attackcan cause physical damage to power equipment andendanger human safety. These findings motivate theneed for new solutions for cyber-physical resiliencein microgrids. These solutions need to tightlyintegrate efforts from ICT and power domain todetect and mitigate cyber-attacks accurately andensure safe operation. Future work will includefurther development of the presented testbed. Thedescribed attacks will be implemented and evaluatedin this cyber-physical environment. A more formalsecurity analysis will be conducted using the SystemsTheoretic Process Analysis (STPA) method, asproposed by Levenson (2011). Our goal is therealisation of a resilience framework that ensures thesafe operation of microgrids during cyber-attacks.

Acknowledgements. This work was partly fundedby the EU FP7 SPARKS project (Contract No.608224) and the EPSRC CAPRICA (Contract No.EP/M002837/1) project.

REFERENCES

Best, R., Morrow, D., Laverty, D., and Crossley,P. (2008). Universal application of synchronousislanded operation.

Caldon, R., Rossetto, F., and Turri, R. (2004). Tem-porary islanded operation of dispersed generationon distribution networks. In 39th InternationalUniversities Power Engineering Conference, 2004.UPEC 2004, volume 3, pages 987–991 vol. 2.

Considine, T., Cox, W., and Cazalet, E. G.(2012). Understanding microgrids as the essentialarchitecture of smart energy. In Grid IneropForum, Texas.

Dán, G. and Sandberg, H. (2010). Stealth Attacksand Protection Schemes for State Estimators inPower Systems. In Smart Grid Communications

(SmartGridComm), 2010 First IEEE InternationalConference on, pages 214–219.

Dondossola, G., Szanto, J., Masera, M., and NaiFovino, I. (2008). Effects of intentional threatsto power substation control systems. Internationaljournal of critical infrastructures, 4(1):129–143.

Farhangi, H. (2010). The Path of the Smart Grid.Power and Energy Magazine, IEEE, 8(1):18–28.

Hahn, A., Ashok, A., Sridhar, S., and Govindarasu,M. (2013). Cyber-Physical Security Testbeds:Architecture, Application, and Evaluation forSmart Grid. IEEE Transactions on Smart Grid,4(2):847–855.

Hu, H. and Wei, N. (2009). A study of GPSjamming and anti-jamming. In Power Electronicsand Intelligent Transportation System (PEITS),2009 2nd International Conference on, volume 1,pages 388–391.

IEEE Power & Energy Society (2011). IEEEStandard for Synchrophasors for Power Systems. InIEEE Std C37.118.1-2011 (Revision of IEEE StdC37.118-2005).

Kundur, D., Feng, X., Mashayekh, S., Liu, S.,Zourntos, T., and Butler-Purry, K. L. (2011).Towards modelling the impact of cyber attacks ona smart grid. International Journal of Security andNetworks, 6(1):2–13.

Laverty, D. M., Morrow, D. J., Best, R., and Crossley,P. A. (2008). Internet based phasor measurementsystem for phase control of synchronous islands.In 2008 IEEE Power and Energy Society GeneralMeeting - Conversion and Delivery of ElectricalEnergy in the 21st Century, pages 1–6. IEEE.

Lee, R., Assante, M., and Connway, T. (2014). ICSCP/PE (Cyber-to-Physical or Process Effects) casestudy paper – German Steel Mill Cyber Attack.Technical report, SANS ICS.

Levenson, N. G. (2011). Engineering a safer world.Systems Thinking Applied to Safety, The MITPress, Cambridge, MA, USA.

Sandberg, H., Teixeira, A., and Johansson, K. H.(2010). On security indices for state estimatorsin power networks. In Preprints of the FirstWorkshop on Secure Control Systems, CPSWEEK2010, Stockholm, Sweden.

Wang, W. and Lu, Z. (2013). Cyber security inthe Smart Grid: Survey and challenges. ComputerNetworks, 57(5):1344–1371.

Zhang, Z., Gong, S., Dimitrovski, A. D., and Li, H.(2013). Time Synchronization Attack in SmartGrid: Impact and Analysis. Smart Grid, IEEETransactions on, 4(1):87–98.

10

A Cyber-Physical Security Analysis of Synchronous-Islanded ...

Documents

Transcript of A Cyber-Physical Security Analysis of Synchronous-Islanded ...