Local Cyber-Physical Attack with Leveraging Detection in Smart Grid
Abstract
A well-designed attack on the power system can cause an initial failure that then results in a large-scale cascading failure. Several works have discussed power system attacks through false data injection, line-maintaining attacks, and line-removing attacks. However, the existing methods need to attack the system continuously for a long time, and, unfortunately, their performance cannot be guaranteed if the system states vary. To overcome this issue, we consider a new type of attack strategy, called a combinational attack, which masks a line outage at one position while misleading the control center into seeing a line outage at another position. The topology information held by the control center is therefore corrupted by our attack. We also offer a procedure for selecting the lines vulnerable to this kind of attack. The proposed method can effectively and continuously deceive the control center about the actual position of the line outage. The system under attack is exposed to increasing risk the longer the attack continues. Simulation results validate the efficiency of the proposed attack strategy.
Index Terms: Cyber-physical system, combinational attacks, smart grid, power line outages, power flow.
I. Introduction
The power system plays an important role in supporting the modern economy. Initial failures in the power system, if not promptly detected, may lead to large-scale cascading failure and have adverse effects on a nation’s economy and security [1]. Therefore, in the operation control center, various data processing modules such as state estimation (SE) and bad data detection are built to protect system operation from failures and malicious attacks. Although many protection and detection methods are used in system operation, these mechanisms can be defeated by injecting carefully pre-designed data into the measurements sent by Supervisory Control and Data Acquisition (SCADA). The topic has attracted much attention in the past few years [2, 3, 4, 5, 6, 7, 8, 9, 10].
In [2], the authors proposed the classic false data injection (FDI) attack, which can avoid detection by existing bad data detection techniques if the attacker is able to alter the sensor measurements and has sufficient knowledge of the power system. Such FDI attacks are also known as cyber attacks. The designed attacks must obey the physical laws of the network (Kirchhoff’s Current Law, KCL, and Kirchhoff’s Voltage Law, KVL). The authors of [3] and [4] studied classic FDI attacks with incomplete information about the system and showed that the attacks can pass SE and bad data detection with only reduced network information.
Another type of attack, the cyber-physical attack, involves both the cyber and the physical level and can interfere with system operation more efficiently than a classic FDI attack, which is purely cyber. Two types of cyber-physical attack, the line-removing attack and the line-maintaining attack, are described in [5]. In a line-maintaining attack, the attacker physically disconnects the target line and simultaneously masks this outage event with altered sensor measurements. More advanced line-maintaining attacks have been studied in [6, 7, 8]. Specifically, the authors masked the outage event with a local redistribution attack and extended it to attacks with incomplete topology information [6, 7]. The attack model was further derived with the power flow method [8].
In a line-removing attack, the attacker fabricates a fake outage event so as to disturb regular system operation. The attack has to avoid the trivial solution; otherwise, it can be easily detected by the control center. With this approach, the attacker can mislead the control center with an incorrect network topology and then drive the system into an unstable state through wrong dispatches. Line-removing attacks have been studied with both partial and complete information about the system, together with a countermeasure that mitigates the proposed attack [9]. The authors of [10] focused on the line-removing attack in a local area and proposed a method for finding the attack region. When implementing this attack, one must note that not all transmission lines in the power system can be selected as attack targets, because some lines are strictly protected by the control center. Only a few studies, such as [5], have considered rules for selecting target lines.
Based on the discussion above, the previous approaches have obtained promising results and demonstrated the potential of cyber-physical attacks. However, there is no guarantee that line-maintaining attacks are always unobservable. To this end, the concept of the line-removing attack may be applied simultaneously to fake an obvious outage that attracts the attention of the control center, so that the truly disconnected line has a lower chance of being identified. Additionally, with this approach, the longer the control center spends investigating the fake outage position, the more risk the system is exposed to.
Inspired by the above observations, we develop a novel attack strategy that combines the line-removing and line-maintaining attack strategies. The attack is implemented in a local area and cannot be detected easily because our design ensures that the physical laws of the power system are satisfied. In addition, unlike previous studies, which randomly select the target lines, a rule for deciding the target lines is proposed in this work. To this end, we employ line outage distribution factors (LODFs) to quantify the impact of each candidate attack line. The contributions of this study are as follows:
- We propose a novel attack strategy, called a combinational attack, whose goal is to attack a transmission line and simultaneously mask the real outage event by misleading the control center toward another, fake outage line.
- We design a selection rule based on LODFs for selecting the target lines instead of random selection.
- To mislead the control center, the corresponding power flow must be dispatched according to the pattern of the target line and the misleading line. Hence, we propose an algorithm based on breadth-first search (BFS) [11], which is generally used for searching graph structures.
- To test the effectiveness of the proposed attack strategy, conventional SE and bad data detection are applied. The simulation results reveal that the misleading line is indeed detected by the control center while the real outage event is successfully hidden at the same time.
II. System Model
The system considered in this study is shown in Fig. 1; it is divided into two parts, the state estimator and the cyber-physical attack model. In this section, we briefly illustrate the state estimator based on the DC model; the proposed attack strategy is introduced in the next section.
II-A. DC Power Flow Model
We consider a power transmission network with buses and lines, and let and respectively be the sets of buses and lines. The power network can then be represented as a graph denoted as . For a line that connects bus and , the power of line flowing from bus to , denoted as , can be represented as
(1) 
where is the reactance of line , and and are the phases of bus and , respectively. With (1), the vector of all power flows and the phase angles of the buses should satisfy
(2) 
where is a matrix whose rows correspond to the lines and whose columns indicate the direction of each line’s flow. Therefore, the th row of , which represents line flowing from bus to bus , can be formulated as
(3) 
II-B. Linear State Estimation
Based on the DC power flow model, the system states are the phase angles, , and therefore the measurements received by the SCADA system without attack can be expressed as
(4) 
Here, commonly comprises the measurements of bus injection power and line power flow, and is the Jacobian matrix, which depends on the network topology and on the network parameter vector representing the parameter errors. is the measurement error vector. We further denote the measurements modified by the attacker by .
Given this measurement expression, we adopt weighted least-squares (WLS) SE to estimate the system state . The objective of the SE problem is to minimize the sum of the squares of the weighted deviations of the estimated measurements from . The SE problem is then solved by the following optimization problem under the assumption of zero parameter errors:
(5a)  
(5b) 
where is the estimated system state, is the parameter error vector, and is the measurement error covariance matrix.
II-C. Bad Data and Parameter Error Detection
After SE, the measurements must pass bad data and parameter error detection to ensure that there are no bad data or parameter errors within the measurements. In this context, the normalized residual and normalized parameter error method is employed for detection.
The measurement residual vector can be represented as
(6) 
If the Lagrangian multiplier method is applied to (5), is the Lagrangian multiplier related to the parameter errors. Given and , the normalized residuals and normalized parameter errors can be calculated. The normalized residuals are linked to the corresponding measurements, and the normalized parameter errors are related to the corresponding line’s parameters. References [12, 13, 14] provide further details. The errors in and are assumed to be Gaussian-distributed, and we take the largest value among these two quantities. If the chosen value is below the identification threshold, then neither bad data nor a parameter error exists. Otherwise, the measurement or parameter corresponding to the chosen largest value is identified as the error. The part corresponding to the error is removed, and SE and bad data detection are carried out again. This procedure is repeated until no error remains.
III. Attack Model
In this section, the attacker block in Fig. 1 is illustrated. In particular, the capabilities of the attacker and the restrictions on selecting the target line are first explained. Then, the procedure for launching the proposed attack is separated into three parts for illustration: selection of the lines for the attack target and the decoy, determination of the cyber attack region, and alteration of the measurements.
III-A. Introduction of the Attack
We assume that the attacker has the following capabilities:
- the attacker knows the topology of the entire system;
- the attacker can observe the subnetwork of and perform the power flow calculation for the subnetwork; and
- the attacker can change the states of the measurements in the subnetwork rather than in the whole network.
To launch an attack, the attacker is limited to a finite set of target lines for the following reasons:
- a line that connects to a transformer, or lies between two generators, cannot be physically attacked;
- the real and fake outage events cannot take place next to each other; otherwise, the true outage position can be easily observed when the operator goes to repair the misleading line;
- the generator output cannot be modified;
- the load of the buses in the attack region cannot be modified to be negative; moreover, the difference between the states and measurements before and after the attack must be kept within a specified range; and
- if the system would be separated into two parts when a line is attacked, then this line cannot be selected.
III-B. Mathematical Formulation of Selecting the Attack Target Line
To determine the lines for the attack target and the decoy, we employ the Line Outage Distribution Factor (LODF) matrix, denoted as , whose definition and calculation can be found in [15]. The entry in the th row and th column of , , represents the fraction of the th line’s power flow that is transferred onto the th line when the th line is in outage. With the LODF matrix, we can define an influence factor, denoted as , whose th element can be represented as
(7) 
where denotes the th column of . The parameter indicates the amount by which power flow increases across the whole system when the th line is disconnected. Therefore, we determine the target line to be put in outage as
(8) 
After determining the line to be disconnected, we have to choose which line is used to mislead the control center. The idea behind misleading is to let the control center find a fake outage event in the system instead of the real one, so that detection of the real outage event is delayed and the control center may even take a wrong operation or decision. The more time the control center spends identifying the location of the real outage line, the more risk the system suffers. Therefore, for the choice of the misleading line, the remaining lines should be brought as close as possible to their thermal limits after the misleading line is disconnected. In this context, the optimization problem for selecting the line is given as
(9a)  
s.t.  (9b)  
(9c)  
(9d) 
Here, and denote the thermal limit and the modified real power of the th line, respectively. Equation (9a) is the objective function, which sums the ratio of the post-outage flow to the thermal limit over all lines. Constraints (9b) and (9c) relate to the selection vector, . The calculation of the post-outage power flow based on the LODF matrix is shown in Equation (9d). Therefore, the misleading line is determined as .
The selected outage line, , and the buses connected by it are assigned to the set . Meanwhile, the buses linked by the misleading line, , are assigned to the set .
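As an added example (not code from the paper), the following Python script builds a small constructed DC network and implements the operator-side pieces of Section II (the DC model of (1)-(4), WLS estimation (5)-(6) and the largest normalized residual test) together with the LODF computation and influence factor of (7)-(8) from this section. The 4-bus network, the noise level, the threshold and the column-sum reading of (7) are assumptions of this example; the LODF result is cross-checked against a full re-solve of the network with the line removed.

```python
import numpy as np

# Constructed 4-bus, 5-line DC test network for this example (not the paper's IEEE
# 14-bus case). Each entry is (from_bus, to_bus, reactance); bus 0 is the slack (angle 0).
LINES = [(0, 1, 0.1), (0, 2, 0.2), (1, 2, 0.1), (1, 3, 0.2), (2, 3, 0.1)]
N_BUS = 4
SIGMA = 0.01       # assumed measurement noise standard deviation, so R = SIGMA^2 I
THRESHOLD = 3.0    # assumed normalized-residual identification threshold

def incidence(lines=LINES):
    """Line-bus incidence matrix of (2)-(3): +1 at the from-bus, -1 at the to-bus."""
    A = np.zeros((len(lines), N_BUS))
    for k, (i, j, _) in enumerate(lines):
        A[k, i], A[k, j] = 1.0, -1.0
    return A

def jacobian(lines=LINES):
    """H of (4): line flows of (1) then bus injections (KCL); columns = non-slack angles."""
    A = incidence(lines)
    F = np.diag([1.0 / x for _, _, x in lines]) @ A   # line flows = F @ theta
    return np.vstack([F, A.T @ F])[:, 1:]             # injections = A^T @ F @ theta

def dc_angles(injections, lines=LINES):
    """DC power flow: solve the reduced bus equations for the non-slack angles."""
    H, m = jacobian(lines), len(lines)
    theta = np.zeros(N_BUS)
    theta[1:] = np.linalg.solve(H[m:][1:, :], np.asarray(injections, float)[1:])
    return theta

def dc_flows(injections, lines=LINES):
    """Line flows of (1) for the given bus injections (generation positive, load negative)."""
    return jacobian(lines)[:len(lines)] @ dc_angles(injections, lines)[1:]

def clean_measurements(injections):
    """Noise-free SCADA measurement vector z = H @ theta (line flows, then bus injections)."""
    return jacobian() @ dc_angles(injections)[1:]

def wls_estimate(z, sigma=SIGMA):
    """WLS state estimation (5) with R = sigma^2 I; returns the state estimate and the
    normalized residuals derived from the residual vector (6)."""
    H = jacobian()
    G = H.T @ H / sigma**2                            # gain matrix H^T R^-1 H
    x_hat = np.linalg.solve(G, H.T @ z / sigma**2)
    r = z - H @ x_hat
    omega = sigma**2 * np.eye(len(z)) - H @ np.linalg.solve(G, H.T)  # residual covariance
    return x_hat, np.abs(r) / np.sqrt(np.maximum(np.diag(omega), 1e-15))

def largest_normalized_residual(z, threshold=THRESHOLD):
    """Bad data test of Section II-C: the measurement with the largest normalized residual
    is the suspect, and it is flagged only when that value exceeds the threshold."""
    _, r_norm = wls_estimate(z)
    k = int(np.argmax(r_norm))
    return k, float(r_norm[k]), bool(r_norm[k] > threshold)

def lodf(lines=LINES):
    """LODF matrix: L[l, k] is the share of line k's pre-outage flow moved onto line l (L[k, k] = -1)."""
    H, m = jacobian(lines), len(lines)
    ptdf = np.zeros((m, N_BUS))
    ptdf[:, 1:] = H[:m] @ np.linalg.inv(H[m:][1:, :])  # flow per unit injection at a bus
    L = np.zeros((m, m))
    for k, (i, j, _) in enumerate(lines):
        phi = ptdf[:, i] - ptdf[:, j]                   # flows caused by a unit transfer i -> j
        L[:, k] = phi / (1.0 - phi[k])
        L[k, k] = -1.0
    return L

def influence_factor(lines=LINES):
    """Eq. (7), read as the total absolute flow each single outage pushes onto other lines (assumed reading)."""
    return np.sum(np.abs(lodf(lines)), axis=0) - 1.0   # remove each line's own -1 entry

def post_outage_flows(injections, k, lines=LINES):
    """Flows after line k opens, by the LODF shortcut and by re-solving the reduced network."""
    f = dc_flows(injections, lines)
    reduced = [ln for i, ln in enumerate(lines) if i != k]
    return f + lodf(lines)[:, k] * f[k], np.insert(dc_flows(injections, reduced), k, 0.0)

if __name__ == "__main__":
    inj = [1.0, -0.3, -0.3, -0.4]             # constructed: the slack supplies three loads
    z = clean_measurements(inj)
    z_bad = z.copy()
    z_bad[2] += 0.5                           # gross error on the line-2 flow reading
    print("clean:", largest_normalized_residual(z))
    print("bad  :", largest_normalized_residual(z_bad))
    print("line ranked first by (8):", int(np.argmax(influence_factor())))
```

The LODF ranking computed here is the same quantity an operator's N-1 contingency screening produces, so the lines scoring highest are the ones that merit the strictest monitoring.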
III-C. Attack Region
After selecting the target lines for the physical outage and the misleading, we then need to determine the attack region. This is because the attacker should not be assumed to be able to alter the measurements of all sensors. Therefore, we assume that the attacker has only the limited capability to observe and alter a subnetwork of . To launch the combinational attack, the attacker aims to maliciously change the measurements in a subnetwork of denoted as . The buses and lines in the attack region are assigned to the sets and , respectively. We further separate into two sets, and : the boundary buses of are assigned to the set , and the others are placed in .
The key idea in finding the attack region is that we have to find a new path to redispatch the flow that supplies the load of the buses in , and obtain a good estimate of the power flow of and of the states of the buses in . The subnetwork is obtained through the BFS algorithm detailed later.
III-D. Measurement Modification
For the measurement modification, we formulate an optimization problem that takes two objectives into account. The first is to minimize the difference between the measurements before and after modification, since the attacker’s ability is limited. These measurements may include the angles, the loads of the buses, and the power flows of the lines. However, the power flows of the lines are closely related to the angles and loads of the buses, and hence the first objective can be defined as
(10) 
where is the power flow after modification in the attack region. The second objective is to maximize the modified measurement corresponding to the power flow at line , which flows from bus to bus , and can be defined as
(11) 
That is, we try to prevent the flow at line from becoming , which would make the attack ineffective.
We then formulate the optimization problem by considering and as follows:
(12a)  
s.t.  (12b)  
(12c)  
(12d)  
(12e)  
(12f)  
(12g) 
where and are the angles of bus before and after modification, and indicates the modification range. Equation (12b) states that the angles of the boundary buses should remain the same, and Equation (12c) shows that the changes of the bus angles in should be kept within a range. The load difference of a bus inside the region before modification, , and after modification, , should be kept within the range shown in Equation (12d). Then, the power injected into a bus should meet its load, as listed in Equation (12e). The modified power flow in the attack region, , is calculated by Equation (12f). Finally, Equation (12g) shows that the flow of the th line has to be kept under its thermal limit.
IV. Implementation Strategy
With the description in Section III, we now explain the implementation strategy of the proposed combinational attack. The section is divided into two phases, as shown in Fig. 2. The first phase focuses on finding the lines for the line outage and for misleading. Then, with the determined lines, the attack region and the modification are described in the second phase.
For the first phase, we use Equation (7) to determine the line-outage position, and then the misleading line is selected with Equation (9). After determining the target lines, we must check whether the selection fulfills the rules described in Section III-A. The detailed steps are as follows:
Step 1: We wish to select the line whose disconnection has the greatest influence on the system. Therefore, is selected as described in (8), and the buses linked by are assigned to . The LODF is used to calculate the power flow after is disconnected.
Step 2: For the selection of the misleading line, we apply the misleading line selection algorithm (MSLA) listed in Algorithm 1. At the beginning of the algorithm, we construct a vector . Then, an exhaustive search is applied to calculate the objective function of (9), which is assigned to . At the same time, we have to avoid selecting the line . Finally, the line with the largest value is selected as .
Step 3: Once we obtain the lines, we have to check whether they are reasonable, i.e., whether they follow the rules described in Section III-A. If not, we eliminate from or from , whichever corresponds to the unreasonable line, and start from Step 1 again. Otherwise, we enter the second phase.
In the second phase, the attack region and the modification have to be determined based on the selected lines. The region of the subnetwork is obtained by using the BFS algorithm to find the shortest path for redispatching the power flow, and the modification is based on the solution of Problem . The detailed steps are as follows:
Step 4: Assume that the flow of is from bus to bus . The trivial solution is simply to add and subtract the flow amount at bus and bus , respectively. However, this can be easily recognized by the control center. To avoid the trivial solution, we add the flow amount only to the load of bus , and try to find another path to supply the load at bus .
Step 5: First set and in to empty sets. To find a path to supply bus , we then use the BFS algorithm described in Algorithm 2 to find the shortest path for redispatching the flow. The path obtained from Algorithm 2 is regarded as the subnetwork . We further include in and the buses in in as the attack region.
Step 6: With the attack region, we now solve optimization Problem . The formulation in (12) is a convex optimization problem with linear constraints. There are many existing algorithms and toolboxes for convex optimization problems, and one of them is applied. If Problem has no solution, the current attack region cannot satisfy the constraints; Algorithm 2 is then applied again and Problem is solved once more. With the solution, set and replace the measurements of in with the solution of Problem .
V. Case Study
In this section, we adopt the IEEE 14-bus system [16] to illustrate the proposed attack mechanism in detail. The system topology is shown in Fig. 3, and the thermal limit of each line is listed in Table I. Unless otherwise specified, the modification range, , for all measurements is set to . The errors of all measurements are assumed to be . The identification threshold for bad data and parameter error detection is set to , which is outside the confidence interval. The software toolbox MATPOWER [17] is used to run the power flow that provides the initial information about the system. To solve Problem , we use CVX [18], a package intended for solving convex programs.
Table I: Thermal limit (MW) of each line of the IEEE 14-bus system, listed by line number.
In the beginning, we select the target line based on Step 1 to Step 3 in Section IV. Line is first selected for the line outage and line is selected for misleading. However, line connects two generators, and there is a transformer on line ; hence, we have to choose the target lines again. Following the proposed recursive procedure, lines and are finally selected as the lines for outage and misleading, respectively.
The direction of the misleading line is from bus to bus , so we have to find a path to supply the load of bus . Moreover, the nearest generator is at bus . Therefore, we now use Algorithm 2 to find the shortest path from the starting bus, bus , to the destination bus, bus . Table II summarizes the attack region based on the results of Algorithm 2. Then, the measurements before and after modification based on the results of Problem are listed in Tables III and IV.
Table II: Attack region obtained from Algorithm 2 (set, bus or line numbers, description):
- the buses in the attack region;
- the boundary bus of the attack region;
- the buses connecting the line-outage line;
- the buses connecting the misleading line;
- the lines in the attack region.
Table III: Bus number, phase angle, and load (MW) before and after modification.
With the modified measurements, we perform SE and then bad data and parameter error detection. Since the power flow equation is linear, the SE solution can be obtained directly as
(13) 
Hence, we apply the detection by calculating the normalized residuals and normalized parameter errors, and sort the results in descending order, as shown in Table V(a). From the table, the two largest parameter errors are related to and , and both are larger than the identification threshold. We then eliminate the measurements related to and , and apply the bad data detection again. Table V(b) shows the results of the second-round detection. The largest value in Table V(b) is much lower than the threshold. Therefore, according to the results, we successfully lead the control center to find an error in the misleading line.
Since the bad data and parameter error detection can be influenced by noise, we further collect the results over Monte Carlo simulations. If the parameter of the misleading line is recognized as the error and the corresponding parameter error is larger than the threshold, the attack is regarded as successful. Furthermore, a false alarm is defined as any other parameter or measurement being regarded as the error. According to the results, the success rate, calculated as the ratio of the number of successful attacks to , is , and the false alarm rate is . That is, the error of the parameter at the misleading line shows up in every simulation. However, under the influence of noise the normalized parameter errors are sometimes not larger than the threshold. Therefore, we can confirm the efficiency of the proposed attack strategy.
Table IV: Line number and power flow (MW) before and after modification.
Table V: Normalized parameter errors and normalized measurement residuals, sorted in descending order: (a) first round, (b) second round.
VI. Conclusions
In this paper, we present the combinational attack, which maliciously injects false data in the cyber layer to cover a physical event in the power system. For launching the attack, a method of finding the target lines based on the LODF matrix is introduced. Moreover, an algorithm based on BFS was proposed to find the attack region, and the modification results are obtained from the power flow equations. The simulation results also reveal that the proposed scheme can successfully mislead the control center and mask the line-outage event. As future work, we will extend this study in two directions, by proposing an attack based on AC power flow and by investigating a protection strategy for the cyber-physical system. Moreover, the assessment of the power system under the proposed attack method should also be discussed.
VII. Acknowledgements
This work was supported by the Ministry of Science and Technology under grant numbers MOST 1052221E001009MY3 and 1042221E001008MY3, and by Academia Sinica Thematic Project AS104TPA05.
References
[1] V. Rampurkar, P. Pentayya, H. A. Mangalvedekar, and F. Kazi, “Cascading Failure Analysis for Indian Power Grid,” IEEE Trans. Smart Grid, vol. 7, no. 4, pp. 1951–1960, Jul. 2016.
[2] Y. Liu, P. Ning, and M. K. Reiter, “False Data Injection Attacks Against State Estimation in Electric Power Grids,” in Proc. 16th ACM Conf. on Computer and Communications Security (CCS ’09), pp. 21–32, Nov. 2014.
[3] Md. A. Rahman and H. M. Rad, “False Data Injection Attacks with Incomplete Information Against Smart Power Grids,” in Proc. IEEE Global Communications Conference (GLOBECOM), pp. 3153–3158, Dec. 2012.
[4] X. Liu, Z. Bao, D. Lu, and Z. Li, “Modeling of Local False Data Injection Attacks With Reduced Network Information,” IEEE Trans. Smart Grid, vol. 6, no. 4, pp. 1686–1696, Jul. 2015.
[5] J. Zhang and L. Sankar, “Implementation of Unobservable State-preserving Topology Attacks,” in Proc. North American Power Symposium (NAPS), Oct. 2015.
[6] X. Liu and Z. Li, “Local Load Redistribution Attacks in Power Systems With Incomplete Network Information,” IEEE Trans. Smart Grid, vol. 5, no. 4, pp. 1665–1676, Jul. 2014.
[7] Z. Li, M. Shahidehpour, A. Alabdulwahab, and A. Abusorrah, “Analyzing Locally Coordinated Cyber-Physical Attacks for Undetectable Line Outages,” IEEE Trans. Smart Grid, to be published.
[8] J. Zhang and L. Sankar, “Physical System Consequences of Unobservable State-and-Topology Cyber-Physical Attacks,” IEEE Trans. Smart Grid, vol. 7, no. 4, pp. 2016–2025, Jul. 2016.
[9] J. Kim and L. Tong, “On Topology Attack of a Smart Grid: Undetectable Attacks and Countermeasures,” IEEE J. Sel. Areas Commun., vol. 31, no. 7, pp. 1294–1305, Jul. 2013.
[10] X. Liu and Z. Li, “Local Topology Attacks in Smart Grids,” IEEE Trans. Smart Grid, to be published.
[11] C. Y. Lee, “An Algorithm for Path Connections and Its Applications,” IRE Trans. Electron. Comput., vol. EC-10, no. 3, pp. 346–365, Sep. 1961.
[12] J. Zhu and A. Abur, “Identification of Network Parameter Errors,” IEEE Trans. Power Syst., vol. 21, no. 2, pp. 586–592, May 2006.
[13] Y. Lin and A. Abur, “A New Framework for Detection and Identification of Network Parameter Errors,” IEEE Trans. Smart Grid, to be published.
[14] A. Abur and A. Gómez-Expósito, Power System State Estimation: Theory and Implementation. New York: Marcel Dekker, 2004.
[15] J. Guo, Y. Fu, Z. Li, and M. Shahidehpour, “Direct Calculation of Line Outage Distribution Factors,” IEEE Trans. Power Syst., vol. 24, no. 3, pp. 1633–1634, Aug. 2009.
[16] R. D. Christie, “Power Systems Test Case Archive,” IEEE Trans. Power Syst., University of Washington, Aug. 1993. [Online]. Available: https://www2.ee.washington.edu/research/pstca/pf14/pg_tca14bus.htm
[17] R. D. Zimmerman, C. E. Murillo-Sánchez, and R. J. Thomas, “MATPOWER: Steady-state Operations, Planning and Analysis Tools for Power Systems Research and Education,” IEEE Trans. Power Syst., vol. 26, no. 1, pp. 12–19, Feb. 2011.
[18] M. Grant and S. Boyd, “CVX: Matlab software for disciplined convex programming,” http://cvxr.com/cvx/, Mar. 2014.