Impact of Integrity Attacks on Real-Time Pricing in Smart Grids

# Impact of Integrity Attacks on Real-Time Pricing in Smart Grids

Rui Tan Varun Badrinath Krishna David K. Y. Yau Zbigniew Kalbarczyk
Advanced Digital Sciences Center, Illinois at Singapore
Singapore University of Technology and Design, Singapore
University of Illinois at Urbana-Champaign, Urbana, IL, USA
###### Abstract

Modern information and communication technologies used by smart grids are subject to cybersecurity threats. This paper studies the impact of integrity attacks on real-time pricing (RTP), a key feature of smart grids that uses such technologies to improve system efficiency. Recent studies have shown that RTP creates a closed loop formed by the mutually dependent real-time price signals and price-taking demand. Such a closed loop can be exploited by an adversary whose objective is to destabilize the pricing system. Specifically, small malicious modifications to the price signals can be iteratively amplified by the closed loop, causing inefficiency and even severe failures such as blackouts. This paper adopts a control-theoretic approach to deriving the fundamental conditions of RTP stability under two broad classes of integrity attacks, namely, the scaling and delay attacks. We show that the RTP system is at risk of being destabilized only if the adversary can compromise the price signals advertised to smart meters by reducing their values in the scaling attack, or by providing old prices to over half of all consumers in the delay attack. The results provide useful guidelines for system operators to analyze the impact of various attack parameters on system stability, so that they may take adequate measures to secure RTP systems.

Smart grid; real-time pricing; stability; cyber security
\permission

Disclaimer: This is the author’s version of the work. It is posted here for your personal use. Not for redistribution. The definitive version was published in the proceedings of the 2013 ACM SIGSAC conference on Computer & Communications Security (CCS 2013)
http://dl.acm.org/citation.cfm?id=2516705 \copyrightetcCopyright 2013 ACM \crdata978-1-4503-2477-9/13/11 …$15.00. \newdefproblemProblem \newdefremarkRemark \numberofauthors 1 \category B.8.2Performance and ReliabilityPerformance Analysis and Design Aids \categoryK.6.5Management of Computing and Information SystemsSecurity and Protection ## 1 Introduction A smart grid is an enhanced electrical grid that uses modern information and communication technologies to improve system reliability and efficiency. However, these computerized and networking technologies are subject to security threats that range from personal breaches [22] to sophisticated cyber attacks launched by hostile organizations to cause widespread outages [31]. As a sophisticated cyber-physical system, a smart grid features complex closed-loop feedback controls in various physical [18] and economic components [7], which maintain desirable system performance in the presence of dynamics and uncertainties. However, the impacts of cyber attacks against these closed loops on smart grids have received limited research attention. Without a systematic understanding of these impacts, system designers and operators will not be able to truly assess how these attacks may undermine the system’s ability to provide mission-critical services, and hence take appropriate defensive measures against the possible threats. This paper makes a step in this direction by quantifying, through both analysis and simulations, the impact of cyber attacks on real-time pricing (RTP) in smart grids, which involves closed-loop controls to stabilize the electricity market. Dynamic pricing [10] is a widely adopted means to balance electricity generation and consumption. The electricity price in the wholesale market is updated periodically (e.g., every hour) to match generation with dynamic demand. In contrast, many current retail markets adopt static pricing schemes such as fixed and time-of-use tariffs, under which the consumers have limited incentives to adapt their electricity consumption to market conditions. This lack of incentives results in high peak demands that strain infrastructure capacities and unnecessarily increase operational costs. By relaying the real-time wholesale prices to end users, RTP has been considered a key feature of smart grids, which can reduce over-provisioning and improve system efficiency. Unfortunately, as analyzed in [25], there exists a fundamental information asymmetry between the system operators and consumers under RTP. Specifically, a system operator needs to determine the price, which is supposed to clear the market, prior to the consumption decisions made by consumers. As the system operator typically has limited knowledge about the consumers, its best practice is to determine the price based on historical demand. As a result, RTP creates a closed loop formed by the mutually dependent real-time prices and price-taking demand [25]. Such a closed loop can increase the system’s sensitivity to dynamics and lower its robustness against situational uncertainties. As such, it can be exploited by an adversary whose objective is to destabilize the RTP system. Specifically, small modifications to the signals in the closed loop made by the adversary can be iteratively amplified by the feedback, causing inefficiency and significantly fluctuating demand, and possibly leading to severe failures such as blackouts. In smart grids, the real-time price signals are exposed to different security threats at the source, during network transmissions, and at the consumer-level smart meters. In particular, recent studies [22, 26] have shown that many smart meters lack basic security measures to ensure the integrity and authenticity of their input/output data. In light of these infrastructure vulnerabilities, imperative questions regarding RTP security include, “Can the malicious compromise of real-time price signals destabilize the system and cause severe failures such as outages? If so, to what extent do the price signals need to be compromised?” A main challenge in answering these questions stems from the complex coupling between the attacker actions and the closed-loop RTP system. For instance, an attack against a few smart meters can cause monetary losses to individual victims, but it will not be able to destabilize the whole system. But if the adversary is able to compromise a sufficiently large number of consumers, the real-time price control mechanisms, which are designed to stabilize the system, may fail to mitigate the attack’s impact. This impact may then pervade the whole system due to the iterative feedback. However, it is challenging to quantify these critical stability boundaries accurately, in order to characterize the impact of the attacks. In this paper, we adopt a control-theoretic approach, which captures the closed-loop nature of the RTP, to deriving fundamental stability conditions under credible integrity attacks. Based on the linearization of general abstract models of supply and demand, the RTP problem is formulated as a classical control problem for a linear time-invariant (LTI) system. We develop a basic pricing algorithm that sets the price adjustment proportional to the observed error between supply and demand. It ensures stability and captures the essence of stability-ensuring RTP systems. Therefore, the security analysis based on this algorithm provides a baseline understanding of the security of these systems. We adopt a control-theoretic metric, namely, the region of stability, to characterize the security of the closed-loop RTP system with respect to important and practical adversary models. Specifically, we consider two common and broad classes of integrity attacks, which we call the scaling and delay attacks, where the prices advertised to smart meters are compromised by a scaling factor (so that the meters will use the wrong prices) and by corrupted timing information (so that the meters will use old prices), respectively. In addition to directly tampering with traffic sent to the smart meters, these attacks can be accomplished by indirect techniques that are less effort intensive. For instance, the delay attack can be realized by compromising the time synchronization of deployed smart meters. Note that current commercial smart meters [28] synchronize their clocks by either built-in GPS receivers or a network time protocol (NTP) supported by time servers [28]. Both approaches have been shown to be vulnerable to realistic attack methods [4, 23]. As both attacks can be modeled as LTI transfer functions, the security analysis can be conducted under a LTI setting. Based on our analytical framework, we derive the region of stability for both the scaling and delay attacks. In particular, we show that the RTP system will remain stable if (i) the compromised prices are amplified versions of the true prices under the scaling attack (i.e., the scaling factor exceeds one), or (ii) less than half of the consumers in the pricing system are compromised in the delay attack. On the other hand, if the adversary can break either of these two conditions, the system may experience severely fluctuating demand arising from the system instability. We report GridLAB-D [2] simulation results for a distribution system consisting of 1405 consumers to verify our analysis and demonstrate possible system emergencies (e.g., line and transformer overload events) caused by the integrity attacks. Our results provide insights for securing RTP in smart grids. For instance, for the adversary to achieve the goal of compromising the price signals to at least half of the consumers, she may focus her efforts on shared support infrastructures such as the NTP time servers. This highlights the importance of securing these servers. The rest of this paper is organized as follows. Section 2 reviews related work. Section 3 presents the market model. Section 4 defines the RTP stability problem, and develops a control-theoretic formulation of the problem. Section 5 analyzes the impact of the scaling and delay attacks on the RTP system. Section 6 discusses extensions of the analysis framework to address a broader class of attacks that are combinations of multiple scaling and delay attacks. Section 7 presents simulation results. Section 8 concludes. ## 2 Related Work The security of smart grids is attracting increasing research attention. In particular, false data injection attacks against the state estimation of electrical grids have been extensively studied. In [21], Liu et al. systematically examine the conditions for bypassing a bad data detection mechanism of state estimation under various adversary capability models. Later studies [33, 20, 32, 16, 17] show that the false data injection attacks can lead to increased system operation costs due to inordinate generation dispatch [33] or energy routing [20], as well as economic losses due to misconduct of electricity markets [32, 16, 17]. In particular, the studies in [32, 16, 17] focus on false data injection attacks on real-time wholesale markets. They primarily emphasize attacks on critical measurements, which are often well protected by system operators. Moreover, they ignore demand response of end users to prices. In contrast, our work considers integrity attacks that target distributed smart meters that are much more vulnerable, and also accounts for demand response involving the end users. All these related studies [21, 33, 20, 32, 16, 17] analyze attacks on systems using constrained optimization formulations such as power flow dispatch. The closed loop characterizing the RTP system in our work imposes specific challenges in the security analysis due to its iterative nature. The security of a broader class of cyber-physical systems that feature complex closed loops has been studied recently. In [12], Cárdenas et al. identify challenges in the security analysis of these systems. In [11], the authors use simulations to study the impacts of integrity and denial-of-service attacks on a chemical reactor with multiple sensors and control loops. In [8], the authors perform security threat assessment of supervisory control and data acquisition systems for water supply. These studies focus on demonstrating the possibility of pushing the system to a certain state (e.g., unsafe pressure in a chemical reactor) by tampering with the sensor and/or control signals. They fall short of characterizing fully the fundamental critical stability conditions. ## 3 Preliminaries This section presents the market model adopted in this paper, which comprises an independent system operator (ISO) (Section 3.1), a set of consumers (Section 3.2), and a set of suppliers (Section 3.3). For both consumers and suppliers, we first describe general abstract models, and then discuss concrete empirical models commonly used in literature. The analytical results in this paper (i.e., Propositions 1 to 5) are based on the abstract models, while the empirical models (i.e., a constant elasticity of own-price demand model and a linear supply model) are used for the numerical examples and simulations. The notation used in this paper is summarized in Table 1. We also use the following mathematical notation: denotes the first derivative of function ; denotes the inverse of function ; / denotes the set of positive/negative real numbers; denotes the set of positive integers. ### 3.1 ISO Model and RTP Schemes The ISO is a profit-neutral agent, which aims to clear the market, i.e., match supply and demand. It determines a clearing price every hours and announces it to the suppliers and end consumers. Specifically, the price for the th pricing period , denoted by , is announced at time instant , where is a non-negative integer. Hence, this scheme corresponds to ex-ante pricing. We assume that the price must be within a range, i.e., , where . Note that in many electricity markets, suppliers sell electricity to utilities in wholesale markets, and utilities sell electricity to end consumers in retail markets. The market model adopted in this paper directly relays real-time wholesale prices to end consumers, which preserves the principles of RTP and simplifies the analysis. This model has been employed in previous studies (e.g., [25] and references therein) and is consistent with the essence of several experimental RTP programs [10] provided by utilities, which include Board of Public Utilities in New Jersey, Baltimore Gas and Electric Company in Maryland, and Duquesne Light in Pennsylvania. In these programs, the hourly wholesale prices published by PJM Interconnection LLC111PJM is a Regional Transmission Organization (RTO). This paper does not distinguish between ISO and RTO. are used directly as retail prices, where and . A few other experimental RTP programs give customers advance notice of hourly prices. For instance, for the RTP-HA-2 program of Georgia Power [6]. To simplify the discussion, we focus on RTP schemes without advance notice, i.e., . However, our analysis can be easily extended to encompass advance notice. In reality, locational prices can be applied to address location-dependent transmission costs. In many areas, as generation cost dominates transmission cost, variations of locational prices are often small. For instance, the relative standard deviation of the locational prices for 219 locations published by PJM is often around 5% only [5]. As this paper focuses on the impact of integrity attacks on RTP systems, we ignore the small variations in the locational prices. Thus, we assume that all the suppliers and consumers are subject to the same real-time price . ### 3.2 Consumers Abstract demand model: Let denote the set of consumers in the system. For consumer , let denote the baseline demand in the th pricing period, which is exogenous, bounded, dependent on time, but independent of . For instance, for a household, the baseline demand can characterize the minimum necessary power usage, such as cooking and a minimum level of illumination. Let denote the additional value (unit:$/hour) derived from consuming a total of units of power in the th pricing period, where . We assume that is a strictly increasing and strictly concave function. Let denote the demand of consumer in the th pricing period given price . We denote , where represents the inverse function of . The demand is given by

 dj(k,λk)=argmaxx(vj(x−bk,j)−λk⋅x)=bk,j+wj(λk).

In the above equation, is the additional utility beyond the baseline by consuming totally units of power. The is referred to as price-responsive demand. It is easy to verify that is a decreasing function of . By denoting and , the total demand, denoted by , is given by

 d(k,λk)=∑j∈Cdj(k,λk)=bk+w(λk). (1)

As there are a large number of consumers, we assume that and are unknown to the ISO. However, the ISO knows the historical total demand . The above derivations, which are based on the basic concept of utility in economics, explain the consumer’s demand response to price. Human-induced demand response has been observed in previous studies [29]. With the increasing adoption of smart appliances and home automation systems, this demand response will become more automated.

Empirical demand model: The constant elasticity of own-price (CEO) model [14] is a simple model that can be used to characterize the total price-responsive demand, which is defined by , where and are positive and negative constants, respectively. The is referred to as the price elasticity of demand, which is typically within  [13, 19].

### 3.3 Suppliers

Abstract supply model: Each supplier aims to maximize its profit. Let denote the set of suppliers in the system. For any supplier , let the function represent the cost (unit: \$/hour [15, p. 534]) of producing and transmitting units of power. We assume that is a strictly convex and non-negative function over the support . Moreover, we assume that is an asymptotically increasing function, i.e., , if . Let denote the quantity of power that supplier schedules to generate in the th pricing period given price , which is given by . Note that is the profit from generating units of power. It is easy to verify that is an increasing function of . We assume that the generation capacity of the supplier is at least . In this paper, we consider centralized bulk generation rather than distributed generation. Therefore, an ISO can estimate as there are typically a limited number of suppliers. Let denote the scheduled total supply in the th pricing period, i.e., . We note that, in current electricity wholesale markets, the supply and price are often determined through a bidding process [14], which is generally governed by the costs of generation and transmission. In a competitive bidding-based wholesale market, the resultant supply and price will well reflect the supply model derived from the cost model. We assume that the realized total generation in the th pricing period, denoted by , is always equal to the total demand . This is consistent with the current technologies in power grids. For instance, when the demand exceeds the scheduled generation, the system operators will observe a dropping voltage and frequency, and generation can be increased to meet demand and maintain the voltage and frequency at their nominal values.

Empirical supply model: Quadratic cost functions have been widely adopted in the analyses of power generation systems [15], i.e., , where . To make non-negative over , we have a few additional conditions: if , or if . Therefore, if , ; otherwise, . To simplify the evaluation based on this empirical supply model, we assume that and , such that the total supply can be simplified as , where and . We now empirically verify this linear supply model using the half-hourly total supply data of New South Wales (NSW), Australia, provided by the Australian Energy Market Operator (AEMO) [1]. Fig. 1 shows the histogram of total supply versus the wholesale price in January, 2012. We can see that the relationship between the average supply and price is nearly linear. A linear fitting of the total supply shown in Fig. 1 yields and . Such a linear relationship can also be seen in the investigation of the electricity market of California [29, p. 112], where the demand does not exceed the generation capacity.

## 4 The RTP Problem and Solutions

This section formally states the RTP problem, examines an existing solution, and proposes a new basic control-theoretic solution with provable bounded-input bounded-output stability (referred to as stability for short in this paper). Based on our solution, the security analysis in Section 5 lays the foundation for understanding the impact of attacks on feedback-based RTP systems.

### 4.1 The RTP Problem and Solution Stability

At time instant , the ISO aims to find the clearing price for the period , denoted by , such that the scheduled supply matches demand, i.e., . However, as is unknown, in practice, the ISO sets the price to match the scheduled supply and predicted demand (denoted by ). Formally, we define

RTP Problem: Find such that .

Straightforward solutions to this problem may lead to significantly fluctuating prices. For instance, a direct feedback approach [25], which uses as the predicted demand , can yield oscillating prices as shown in Fig. 2. The root cause of the oscillation is the unstable closed-loop system formed by the direct feedback. When the system is unstable, the price set by the ISO will oscillate or diverge, even if the initial price is very close to the true clearing price. The oscillations may lead to severe consequences. When the diverging prices reach low values, the increased demand may cause overload of the transmission and distribution networks. Moreover, as shown in Fig. 2, the unstable system may experience significant generation scheduling errors (i.e., ). Although reserve generating capacity can help compensate for the errors, their use may increase the cost of operating the system.

To study the impact of integrity attacks on the RTP systems, we should start with RTP schemes that are stable in the absence of attacks. In Section 4.2, we examine the stability of an existing RTP scheme [25] in the absence of attacks. Its poor stability properties motivate us to design a basic control-theoretic RTP scheme with provable stability in the absence of attacks. This is the subject of Section 4.3.

### 4.2 Direct Feedback Approach

A direct feedback approach to the RTP problem has been studied in [25]. The conditions for global stability222The system is globally stable if the price converges to the clearing price given any positive initial price. of the approach, i.e., the properties of and that ensure global stability, have also been analyzed in [25]. The approach is briefly reviewed as follows. It predicts by the most recent demands based on an autoregression model, and determines the price accordingly. For instance, the simplest autoregression model uses as and the closed-loop system is expressed as . It is also referred to as the persistence model. Thus, the price is determined as . If direct feedback based on the persistence model is not globally stable, it is difficult to stabilize those systems globally with an autoregression-based direct feedback approach [25]. Hence, global stability under the persistence model is particularly important. By applying Corollary 3 in [25], our analysis [30] shows that under the linear supply and CEO demand models, where and is a non-negative constant , the system is not globally stable.

As the direct feedback approach is not globally stable, its convergence highly depends on the system state. If is time-varying, it can push the system to a state that eventually leads to divergence. A few realistic constraints may affect the system stability. For instance, even if the system is not globally stable, the system may converge when the initial price is within the allowed range . Moreover, if a tentative price is out of the range , it will be rounded to or . Hence, we conduct numerical experiments that account for these realistic constraints for better understanding. The settings of the supply model are and , which are obtained in Fig. 1. Given a clearing price , the coefficient is set by solving , i.e., , where to ensure for any valid . Fig. 3(a) shows a map of the probability that the system is converging when . To calculate the probability, the initial price sweeps the range and the probability is calculated as the fraction of the initial prices that lead to system convergence. Fig. 3(a) shows that the probability is mostly either 0 or 1 and the transition region with the probability within is sharp. Fig. 3(b) plots the boundaries between the converging and diverging regions under various settings of , where its valid range is . For instance, when , the system can be diverging if and . For the data shown in Fig. 1, about 20% of the prices are lower than . Therefore, the direct feedback approach can be unstable with significant probabilities.

### 4.3 Control-Theoretic Price Stabilization

The results in Section 4.2 show the necessity of control laws for stabilizing the RTP systems. This section develops a basic control-theoretic price stabilization algorithm with provable stability. The main objective of this paper is to identify the fundamental impacts of integrity attacks against the vulnerable real-time price signals on the stability of the RTP systems with well designed control laws. More sophisticated price stabilization algorithms could be developed. However, our security analysis in Section 5, which is based on our basic control-theoretic algorithm, provides fundamental baselines for understanding the security properties of RTP systems running such sophisticated algorithms.

The objective of price stabilization is to minimize the generation scheduling error and adapt to the time-varying baseline load. We reformulate the RTP problem as a classical discrete-time feedback control problem. Under this formulation, the ISO observes the generation scheduling error in the previous pricing period, and then uses it to guide the setting of the price in the next pricing period. Specifically, let denote the generation scheduling error, i.e., . The objective is to maintain the controlled variable close to its reference, which is zero. The manipulated variable is , and is the controlled system. The block diagram of the feedback control loop is shown in Fig. 4. We let , , and denote the transfer functions of the price stabilization algorithm, the controlled system, and the observation system, which are expressed in the -transform domain. The -transform [24] provides a compact representation for discrete-time functions, where represents a time shift operation. As is bounded and independent of , it can be modelled as a disturbance to the system [24].

We now derive the expressions of and . To preserve generality, our design is based on the abstract supply and demand models and , which can be non-linear as in the CEO model. In controller design, a common approach to dealing with non-linear systems is to adopt local linearization [24]. Specifically, and , where is a fixed operating point. By denoting , , , and , we have and . As and are independent of , as shown in Fig. 4, we can collect them with the price-independent . The transfer functions of the proportional models and are and , respectively. Therefore, . As the price stabilization algorithm uses the observed generation scheduling error in the previous pricing period to adjust the price for the current pricing period, , which represents the delay of one pricing period. Based on the above modeling, we have the following proposition, which can be proved by examining whether the poles of the system are located within a unit circle centered at the origin of the -plane. The details of the proof are omitted due to space constraints and can be found in [30].

###### Proposition 1

For the linearized system with fixed and the observation system , the following price stabilization algorithm ensures stability: , where .

The transfer function of the above algorithm is . From control theory, when is a constant, the system converges the fastest when , as the system’s pole is at the origin [24]. The convergence speed is particularly important for adapting to fast time-varying baseline load so that the convergence is achieved before a significant change of baseline load. However, our analysis in Section 5 shows that we generally need to set a smaller to reduce the impact of attacks. In other words, we have to sacrifice convergence speed for resilience to attacks.

As discussed in Section 3.2, is unknown to the ISO. In practice, the ISO can estimate based on the history of price-demand pairs. Our analysis in Section 6.1 shows that, if the relative error in estimating is less than , the algorithm given by Proposition 1 remains stable. For instance, if , the relative error bound is 50%, which is a tractable requirement for most estimation algorithms. Moreover, for a smaller that is set to increase resilience to attacks, the error bound will be larger. As the focus of this paper is to analyze the fundamental impact of integrity attacks on system stability under the control law in Proposition 1, we do not elaborate on the estimation algorithm, and the analysis in Section 5 assumes that the ISO can accurately estimate . Section 6.1 also discusses the impact of inaccurate on the security analysis.

The price stabilization algorithm in Proposition 1 assumes a fixed operating point . However, intuitively, if the operating point adapts to the current price, the linear approximations to and can be more accurate. Specifically, by setting , we have the following algorithm:

 λk=λk−1−2η˙s(λk−1)−˙w(λk−1)⋅ek−1. (2)

Although there is a lack of rigorous theory to support the technique of adapting to the current price, our numerical experiments show that the algorithm in Eq. (2) is always stable under all the settings shown in Fig. 3. The numerical examples and simulations conducted in the rest of this paper employ the algorithm in Eq. (2). Fig. 5(a) shows the evolution of price with fixed baseline load. When , converges to after two pricing periods. When , the system has a longer settling time. When , the price oscillates but converges. The oscillation is caused by a negative pole [24]. Fig. 5 will also be used as a running example in Section 5 to illustrate the impact of attacks.

## 5 Integrity Attacks to RTP

This section studies the impact of two integrity attacks on RTP systems under the RTP scheme given by Proposition 1.

### 5.1 Attack Models and Impact Metrics

We consider integrity attacks on the price signals received by a subset of consumers. If the price signal received by a consumer is subject to attack, the price signal applied for the current pricing period (denoted by ) is different from the true price . The integrity attacks on the price signals can be launched in different ways. For instance, once the adversary has compromised the intermediate nodes in the communication network of the smart grid (e.g., routers) and obtained the decryption/encryption keys held by the ISO and/or smart meters, the adversary can intercept and forge price data packets. Moreover, recent reverse engineering and penetration tests [22, 26] have shown that many smart meters lack basic security measures to ensure integrity and authenticity of the input/output data. These security vulnerabilities can be exploited to maliciously change the price signals. We would like to point out that the integrity attacks do pose strong requirements for the adversary. They require that the adversary is able to modify the price information, either at the source, during transmissions, or at the smart meters. However, these attacks in a cyber environment are certainly feasible and credible, and it would be wrongfully complacent to ignore their possibility. In this paper, as the price signals sent to the centralized suppliers are often well protected, we assume that they are not subject to attacks. However, our analysis framework can be easily extended to account for possible attacks on the suppliers.

#### 5.1.1 Attack Models

As the number of consumers in a smart grid is often large, the number of compromised consumers is an important metric for the adversary’s capability and resource availability. Let denote the set of consumers whose price signals are compromised, where , and denote the total price-responsive demand in the presence of an attack. Thus, . We define

 ρ=∑j∈C′wj(λ′k)∑j∈Cwj(λ′k)=∑j∈C′wj(λ′k)w(λ′k), (3)

which characterizes the fraction of consumers receiving the compromised price signals. If the consumers are homogeneous (i.e., is same for all ), is a constant, i.e., . If they are heterogeneous, is a function of . The extensive numerical evaluation in [30] shows that, if the heterogeneous consumers follow the CEO model, with a variation of less than 0.003 and hence can be practically treated as a constant. Moreover, we make the following approximation:

 ∑j∈C∖C′wj(λk)≃(1−ρ)∑j∈Cwj(λk)=(1−ρ)w(λk). (4)

The numerical evaluation in [30] shows that relative approximation error of Eq. (4) is less than 1%. Therefore, in the presence of integrity attacks, we have

 w′(λk)≃ρw(λ′k)+(1−ρ)w(λk). (5)

If the price signals can be arbitrarily modified, the capability requirements of an adversary would be high. In this paper, we consider “constrained” integrity attacks, where the malicious modifications follow certain rules and can be realized with lower capability and resource requirements. Note that the adversary must be able to cause more severe damage to the system if she is assumed to be able to modify the price signals arbitrarily. An attack can be characterized by the parameters for the rule, which is denoted by . We consider two kinds of integrity attacks:

Scaling attack : The compromised price is a scaled version of the true price, i.e., , .

Delay attack : The compromised price is an old price, i.e., , .

These two attacks can be launched in various ways. The price values or time stamps in data packets sent to the smart meters can be maliciously modified during transmissions in vulnerable communication networks. Moreover, they can be launched in indirect ways. For instance, the delay attack can be launched by modifying the smart meters’ internal clocks. Smart meters typically assign a memory buffer to store received prices. If a smart meter’s clock has a lag, it will store newly received prices in the buffer and apply an old price for the present. Furthermore, attacks on the clocks can be realized by compromising vulnerable time synchronization protocols or the time servers that provide timing information to the smart meters. A few smart meter products [28] synchronize their clocks via a built-in GPS receiver, which is vulnerable and subject to remote attacks that are effective across large geographic areas [23].

In this paper, we assume that at most one kind of attack is in effect. Moreover, we assume that the attack parameters are the same for all the compromised consumers. For instance, if a delay attack with is launched, all the compromised consumers experience the same delay of two pricing periods. These simplifications allow us to better understand the impact of each attack on the RTP system, which is the basis for understanding more complex scenarios such as heterogeneous attack parameters and combinations of attack types. In Section 6.2, we will briefly discuss how to extend our analysis to address these more complex cases.

#### 5.1.2 Attack Impact Metrics

This section defines two metrics for the impact of the integrity attacks on system stability. We first define the marginal demand-supply ratio, which is a quantity that can significantly affect the system stability under attacks.

###### Definition 1

Marginal demand-supply ratio is .

From Definition 1, depends on the operating point . As discussed in Section 4.3, the gain coefficient of the price stabilization algorithm affects the system stability in a major way. Therefore, we define the following metric:

###### Definition 2

Given attack , the region of operating point stability under attack, denoted by , is

 ROSλo(A)={(h,η)|The system is stable % under attack A}.

The above metric depends on . We define a second metric that is independent of :

###### Definition 3

Given attack , the region of stability under attack, denoted by , is

 ROS(A)={η|The system is stable under attack A,∀h>0}.

The above two metrics are important for understanding the impact of integrity attacks on the stability of the RTP system under the price stabilization algorithm in Proposition 1. In particular, the specifies the range of that ensures system stability under attack . Hence, the ROS allows us to compare the impacts of different integrity attacks. For two attacks and , if , the ISO has more flexibility in setting under than , to achieve faster convergence. Thus, the system is more resilient to than . From the adversary’s perspective, is more effective than . Note that, when the RTP system with is stable under attack , the compromised consumers may still experience monetary losses and the system may run at low efficiency. However, this paper focuses on the impact of attacks on the system stability, which is a fundamental system requirement. In Sections 5.2 and 5.3, we will derive the and for the scaling and delay attacks.

### 5.2 Impact of Scaling Attack

The local linearization of Eq. (5) with is

 w′(λk)≃ ρ⋅(w(γλo)+˙w(γλo)⋅(γλk−γλo)) +(1−ρ)⋅(w(λo)+˙w(λo)⋅(λk−λo)).

By collecting the price-independent terms with , the transfer function of the price-dependent component is . To make the analysis tractable, for the scaling attack, we only focus on a class of price-responsive demand models that satisfy , where is the set of model parameters of and the function is independent of and always positive. Such a is said to be decomposable. For instance, under the CEO model, , and . For simplicity of exposition, we denote as in the rest of this paper. Therefore, , and . The closed-loop transfer function [24] under the attack is

 Tc(z)=Gc(z)Gp(z)1+Gc(z)Gp(z)H(z)=2η(1+ργμh+h−ρh)zP(z),

where the system characteristic function . Note that , , and have been obtained in Section 4.3.

#### 5.2.1 Region of Operating Point Stability

###### Proposition 2

For the linearized system based on a fixed operating point and a decomposable , , where

 ¯η=h+1h+1+ρh(γμ−1). (6)
{proof}

If all the poles of (i.e., roots of ) are within the unit circle centered at the origin of -plane, the system is stable [24]. If , the pole is within the circle. As , takes the minimum of 1 and .

{remark}

Under the CEO demand model, by replacing in Eq. (6), we have . Fig. 6 plots the stability boundaries when , where the are the regions below the boundaries. We can see that the shrinks with increased and decreased . This can be easily proved by the monotonicity of . Moreover, it is consistent with the intuitions that (i) the system becomes more unstable when more consumers are compromised, and (ii) the increased demand due to a decreased poses more challenges to the system.

We now use the numerical example in Fig. 5(b) to verify our analysis. Fig. 5(b) shows the price signals received by the suppliers and consumers, respectively, when . We can see that the price does not converge. The average value of is , which falls in the unstable region () according to the analytical . Note that when , the price converges and the average value of is , which falls in the stable region () according to the analytical . Therefore, Proposition 2 successfully characterizes the critical stability boundary. Note that, as the settings for Fig. 5(b) are close to the stability boundary, the price oscillates in a small range. For smaller , the price can severely oscillate, as shown in Section 7.

#### 5.2.2 Region of Stability

###### Proposition 3

For the linearized system based on a decomposable , when , ; when , , where .

{proof}

When , . From Proposition 2, if , the system is stable regardless of . When , is a bounded decreasing function of . Its infimum . Therefore, if , the system is stable regardless of .

{remark}

Under the CEO demand model, replacing in Proposition 3 yields the following result. When , ; when , , where . Therefore, under the CEO model, if the adversary amplifies the price, the system remains stable. This result is consistent with the intuition that decreased demand due to the amplified price poses no challenges to the system. Fig. 8(a) plots when . We can see that shrinks with increased and decreased . This can be easily proved by the monotonicity of .

### 5.3 Impact of Delay Attack

The local linearization of Eq. (5) with is

 w′(λk)≃ ρ⋅(w(λo)+˙w(λo)⋅(λk−τ−λo)) +(1−ρ)⋅(w(λo)+˙w(λo)⋅(λk−λo)).

By collecting the price-independent terms with , the transfer function of the price-dependent component is , where represent a delay of pricing periods. Therefore, . The closed-loop transfer function under the attack is

 Tc(z)=Gc(z)Gp(z)1+Gc(z)Gp(z)H(z)=2η(1+(1−ρ)h)zτ+1+2ρηhzP(z),

where the system characteristic function is

 P(z)=(h+1)zτ+1+(2η+2η(1−ρ)h−h−1)zτ+2ηρh.

#### 5.3.1 Region of Operating Point Stability

As is a -order polynomial, it is extremely difficult to derive the closed-form formulas for the poles of . Various methods have been developed to test the stability without explicitly solving for the poles [24]. Among them, the Jury test [24, p. 185] is preferred because the coefficients of are real numbers. The Jury test constructs a table based on the coefficients of and derives the stability conditions from the table. Given , we can derive the closed-form for different from the Jury test. However, the expressions become more complicated for larger . We numerically compute the based on the Jury test for various settings of and . Fig. 7 plots the stability boundaries, where the are the regions below the boundaries. From Fig. 7, the shrinks with and , which is consistent with intuition. We have the following proposition. The proof is based on the Jury test, which is omitted due to space constraints and can be found in [30].

###### Proposition 4

For the linearized system with a fixed operating point , .

We now use the numerical example in Fig. 5 to verify our analysis. Fig. 5(c) shows the price signals received by the suppliers and consumers, respectively, when , , . We can see that the price diverges. The average value of is , which falls in the unstable region () according to the Jury test. Note that when , the price does converge and the average value of is , which falls in the stable region () according to the Jury test. Therefore, the Jury test successfully characterizes the critical stability boundary. As the settings for Fig. 5(c) are close to the stability boundary, the price diverges slowly. For larger , the price can diverge quickly.

#### 5.3.2 Region of Stability

We observe from Fig. 7(b) that, when , the system is stable for . We have the following proposition.

###### Proposition 5

For the linearized system, if , , .

The proof can be found in the appendix, where we prove that if , all roots of are within the unit circle centered at the origin in the -plane and hence the system is stable [24]. From Proposition 5, to launch a successful delay attack that destabilizes the system, the adversary has to compromise no less than a half of the consumers. The intuition behind this result is that the compromised price-responsive load must predominate to affect the operation of the system. This result poses strong requirements for the adversary. However, she could accomplish the goal by targeting shared infrastructures such as the time servers that provide timing information to all the smart meters. On the other hand, the need for the adversary to compromise a large fraction of the meters in order to be effective is indicative of the resilience of the price stabilization algorithm given by Proposition 1 to delay attacks.

We now discuss the ROS when . From Fig. 7, the stability boundary curves are non-increasing and converge to limits when . Let denote the stability boundary curve for particular and . Therefore,

 ROS(ρ,τ)={η|0<η

When , the limit is simply . However, for larger , it is extremely difficult to derive the closed-form formula for the limit, primarily because of the iterative nature of the Jury test. Instead, we use an algorithm to define , which is shown in Algorithm 1. This algorithm is developed based on key observations from the Jury test procedure. Fig. 8(b) plots , which is computed by Algorithm 1, versus under various settings of . We also use the Jury test to compute with a large setting for (specifically, ). The results are the same as in Fig. 8(b). From the figure, we can see that the ROS shrinks with and , which is consistent with intuition.

## 6 Discussions

In this section, we discuss the impact of inaccuracy in estimating on the analysis in the previous sections. We also discuss how to extend our analysis to address more complicated attack models.

### 6.1 Impact of Inaccuracy in Estimating ˙w(λo)

As the price-dependent demand model is unknown to the ISO, we derive an upper bound for the error in estimating , to ensure the stability of the algorithm in Proposition 1. Let denote the estimated , and denote the relative estimation error. The stability condition can be rewritten as . As long as , the system is stable. This condition can be derived as . As , is a sufficient condition for stability.

We now discuss the impact of inaccurate on the security analysis results in Section 5. From the definition of , we have . Note that since . By replacing with in Proposition 2, we have a new result in the presence of the estimation error . From the proofs of Propositions 3, 4, and 5, they are independent of . Therefore, these propositions still hold in the presence of estimation errors.

### 6.2 Superimposed and Heterogeneous Attacks

In this section, we discuss how to extend our analysis framework to address a class of integrity attacks that are the superimposition of scaling and delay attacks. We also discuss how to adapt our analysis to scenarios in which the attack models/parameters are different for different compromised consumers.

From discrete-time control theory [24], our analysis framework can be applied to derive the and under any integrity attack that can be modeled as a linear time-invariant (LTI) system with the transfer function , where the and are the -transforms of and . In the time domain, is given by the linear combination of and , where and . The scaling and delay attacks studied in Section 5 are special cases of this general attack model. For instance, under the delay attack, , for , , for . This general attack model can also be regarded as the superimposition of scaling and delay attacks. We now illustrate the enhanced impact of attack superimposition using a simple example: . Under this attack superimposition, the closed-loop system characteristic function of Eq. (5) is

 P(z)=(h+1)zτ+1+(2η+2η(1−ρ)h−h−1)zτ+2ηρhγμ,

where is defined in Section 5.2. We can still apply the Jury test to derive the and . Fig. 7(a) shows the stability boundary for this attack superimposition with , , and . The of this attack superimposition is smaller than the delay attack with and , which means stronger attack impact.

If two subsets of consumers are subject to two different attacks that happen simultaneously in the grid, Eq. (5) can be rewritten as , where and are the fractions of consumers subject to the two attacks, and and are the corresponding compromised prices. Our analysis framework still applies once the models of and are specified. The attack with different parameters (e.g., consumers are subject to different delays) can be treated as simultaneous attacks.

## 7 Trace-Driven Simulations

We use GridLAB-D [2], an electric power distribution system simulator, to evaluate the impact of integrity attacks. GridLAB-D captures many physical characteristics such as power line capacities and impedances. Hence, we can validate our analysis under the realism provided by GridLAB-D. Moreover, it can record emergency events that occur when the current ratings of lines and power ratings of transformers are exceeded. Such events could cause sustained service interruptions to consumers. These events are of particular interest to us, because they help us understand the physical consequences caused by the integrity attacks.

### 7.1 Simulation Methodology and Settings

We use a distribution feeder specification [27], which covers a moderately populated urban area and comprises 1405 houses, 2134 buses, 3314 triplex buses, 1944 transformers, 1543 overhead lines, 335 underground lines, and 1631 triplex lines. For this small-scale distribution feeder, locational prices are usually not applicable and hence all the houses are subject to the same price as discussed in Section 3.1. By leveraging the extensibility of GridLAB-D, we develop new modules that implement the CEO model for each single house, the price stabilization algorithm in Eq. (2), and the attack strategies. We measure the instantaneous power of the entire feeder at the root node. Its peak value over the previous pricing period is used as in Eq. (2). As we focus on evaluating the physical consequences of attacks, we do not simulate the logistics of the attacks and assume that the adversary can gain access to the meters of his choosing. Specifically, if a house is not subject to attacks, it directly reads the real-time price from the ISO module; otherwise, it reads the price from an adversary module that modifies the price according to the attack models. All the attacks are launched after the system has converged.

We adopt the CEO demand model for each single house, where the parameters are drawn from normal distributions: (unit: kW) and