On the Efficiency-vs-Security Tradeoff in the Smart Grid
Abstract
The smart grid is envisioned to significantly enhance the efficiency of energy consumption, by utilizing two-way communication channels between consumers and operators. For example, operators can opportunistically leverage the delay tolerance of energy demands in order to balance the energy load over time, and hence, reduce the total operational cost. This opportunity, however, comes with security threats, as the grid becomes more vulnerable to cyberattacks. In this paper, we study the impact of such malicious cyberattacks on the energy efficiency of the grid in a simplified setup. More precisely, we consider a simple model where the energy demands of the smart grid consumers are intercepted and altered by an active attacker before they arrive at the operator, who is equipped with limited intrusion detection capabilities. We formulate the resulting optimization problems faced by the operator and the attacker and propose several scheduling and attack strategies for both parties. Interestingly, our results show that, as opposed to facilitating cost reduction in the smart grid, increasing the delay tolerance of the energy demands potentially allows the attacker to force increased costs on the system. This highlights the need for carefully constructed and robust intrusion detection mechanisms at the operator.
I Introduction
Over the past few years, the smart grid has received considerable momentum, exemplified in several regulatory and policy initiatives, and research efforts (see for example [1, 2] and the references therein). Such efforts have addressed a wide range of topics spanning energy generation, transportation and storage technologies, sensing, control and prediction, and cybersecurity [3].
Demand response/load balancing and energy storage are two promising directions for enhancing energy efficiency in the smart grid. Non-emergency demand response has the potential of lowering real-time electricity prices and reducing the need for additional energy sources. The basic idea is that, by utilizing two-way communication channels, the emergency level of each energy demand (at the end-users or central distribution stations) is sent to the grid operator that, in turn, schedules these demands in a way that flattens the load. This potential gain, however, comes at the expense of the security threat posed by the vulnerability of the communication channels to interception and impersonation.
This paper is, to the best of our knowledge, the first attempt to characterize the impact of cyberattacks on the smart grid, in terms of its energy efficiency. More specifically, we propose a novel model that captures the above scenario in the presence of a single attacker. Our model of the smart grid, similar to [4], includes a grid operator and consumers that are capable of energy storage, harnessing the potential cost savings in the smart grid. Each consumer has a single energy demand that includes the amount of energy the consumer requests, the service start time, and the deadline by which the requested energy should be delivered. The consumers send their demands, simultaneously, over separate communication channels to the operator. The grid operator attempts to schedule these demands so as to balance the load across a finite period of time, and hence minimize the total cost paid to serve these demands. In our model, we also assume the presence of a single attacker who is fully capable of intercepting and altering the consumer demands before they arrive at the operator, as shown in Figure 1. The end goal of the attacker, as opposed to the operator, is to maximize the operational cost paid by the system for these demands, hence reducing the energy efficiency of the system. We differentiate between two scenarios. The first corresponds to a naive operator who fully trusts the incoming energy demands, whereas in the second, a simple intrusion detection mechanism (that will be discussed later) is assumed to be deployed by the operator. The attacker’s desire to remain undetected imposes more limitations on its capabilities, and hence, reduces the potential harm. This desire can be justified, for example, by considering the long-term performance of the grid, i.e., successive instances of the problem considered in our model, where in each instance energy demands are issued and altered by an attack. From this perspective, one can envision scenarios where the total impact of successive attacks is more damaging when the attacker remains undetected.
Based on the aforementioned assumptions, we first formulate the optimization problems faced by the operator and the attacker. For the operator, when being oblivious to any attacks, a minimization problem needs to be solved. On the other hand, the attacker is aware of the optimal strategy employed by the operator, and hence, a maximin optimization problem needs to be solved. In our formulation, we limit the attack’s strength by the number of energy demands he is capable of altering, without being detected. For the case where the attacker is capable of altering all of the consumer’s energy demands (the attacks thus reach their full potential and force the system to operate at the maximum achievable total cost), we show that the attacker’s maximin problem is reduced to a maximization problem. Our main contribution can be summarized as follows.

For both the operator and an unlimited attacker, we propose optimal offline strategies (Section III). The gap between the two indicates the maximum damage that an attack possibly causes. We also provide efficient online strategies for both of them, which are more practical in terms of operability and indicate a lower bound on the possible damage due to an unlimited attack.

For more limited attacks (Section IV), we use a simple greedy algorithm to arrive at a lower bound on the resulting total cost in terms of the flexibility allowed to the stealthy attacker for altering the demands. Additionally, we provide a Dynamic Programming-based algorithm that computes an upper bound on the total cost achieved by such attacks.

We provide numerical results that support our theoretical claims under different scenarios (Section V). In these studies, we compare the average system performance in the presence/absence of attacks with the expected system performance when the delay tolerance of the jobs is not exploited by the operator (resembling the current electric grid where the communication infrastructure is absent). Moreover, we show the tradeoff between the strength of the intrusion detection at the operator and the reduction in the system’s efficiency due to stealthy attacks.

From our analysis and numerical results, we conclude that in the absence of security threats an increase in the delay tolerance of the energy demands increases the energy efficiency of the system, as expected, since the smart grid’s operator is offered more scheduling opportunities. On the other hand, with a limited defense mechanism at the operator, this increase offers a similar opportunity to the attacker to force costs even higher than those incurred by the regular grid, transposing the purpose of the communication capabilities provided to the consumers.
II Problem Formulation
In this paper, we consider the control and optimization framework first proposed in [4] for the demand side of the smart grid. This framework assumes a central controller and energy consumers that send their energy service demands to the controller using perfect channels. We consider a time-slotted system with this model and add to it a single active attacker that is capable of intercepting and altering the consumer demands. Let denote the set of energy demands. The energy demand is composed of the tuple , where denote the demand’s arrival time and deadline, respectively, denotes the requested total energy by the consumer, and . Each energy demand is sent to the controller over a perfect channel that is fully intercepted by the attacker. Hence the attacker can substitute each demand by , which are then received by the controller. For ease of notation, we define . are defined similarly.
Upon receiving the (altered) demands, an admissible schedule of these jobs is to be determined by the controller. A schedule is admissible if each job is served its requested energy upon or after its arrival and before or upon its deadline (job preemption is allowed). Letting , a schedule is given by , where denotes the amount of energy allocated to job in time slot . Let be the total energy consumed at time slot under the schedule , i.e., . Let denote the cost paid for the total energy consumed at time slot with schedule , where is assumed to be nondecreasing and convex. The convexity assumption implies that, as the demand increases, the differential cost at the operator increases, i.e., serving each additional unit of energy to increasing demand becomes more expensive [4]. Accordingly, the controller attempts to find an admissible schedule that balances the load over . The optimization problem at the controller side is then defined as follows:
s.t.  
(Pmin) 
On the other hand, the attacker attempts to find appropriate values of such that the cost achieved by the legitimate controller is maximized, without being detected (see Figure 1). The intrusion detection capability at the controller is modeled as the number of energy demands the attacker is capable of altering without being detected. This threshold is known a priori to all parties and the attacker solves:
s.t.  
(Pmaxmin) 
where and
(1) 
In the above formulation, denotes the set of jobs altered by the attacker, and denotes the fraction of jobs that can be altered without being detected. The remainder of the constraints imply that, if the energy requirement of a job is not satisfied or a job is served outside its legitimate service duration, the attacker can be easily detected, e.g., by the corresponding consumer. Under this formulation, the case is of special interest to us as Problem (Pmaxmin) can be transformed into a maximization problem. To see this, consider any undetectable strategy followed by the attacker such that , for some , for all jobs . All such strategies are always feasible to the attacker by our assumption of and, if employed by the attacker, leave no degrees of freedom to the controller. Moreover, due to the monotonicity and convexity of , it is easy to see that it suffices for the attacker to consider only this set of strategies. Therefore the Problem (Pmaxmin), under (), reduces to a cost maximization problem which looks for a strategy that serves each job in a single feasible time slot. The attacker hence solves the following problem:
s.t.  
(Pmax) 
We provide efficient offline and online solutions to Problems (Pmin) and (Pmax) in the next section, and upper and lower bounds for Problem (Pmaxmin) in Section IV. For comparison purposes, we will also consider an inelastic scheduling policy for the controller as a baseline, where each job is served its total energy immediately upon its arrival. This strategy represents the case when the delay tolerance of the jobs is not exploited. Therefore, the resulting cost resembles that paid in the current regular grid, where no communication channels are established, and accordingly, the system is not vulnerable to the cyberattacks discussed in this paper. The resulting baseline cost is defined as:
Finally, the following definitions are used throughout this paper. For each job , define its job allowance to be and let , , and . Denote the set of the endpoints of the job intervals by . For every pair , let be the set of all jobs whose intervals are entirely contained in , that is, .
III Optimal Strategies and Performance Bounds
In this section, we first find the optimal scheduling strategy for the controller (the solution to Problem (Pmin)). Second, we study Problem (Pmax) and propose both an optimal offline attack and a simple online attack and compare their performance. Finally, an explicit bound on the impact of an attack is presented.
III-A Optimal Scheduling for the Controller
The optimization problem at the controller (Problem Pmin) can be directly mapped to the “minimum-energy CPU scheduling problem” studied in [5]. Our discussion below is an adapted discrete-time version of that in [5]. Define the energy intensity on to be
(2) 
and let be the set of jobs that maximizes over all . It is shown in [5] that the optimal strategy schedules a total energy of in each time slot in . Hence a greedy algorithm that searches for , schedules the jobs in and then removes those jobs (and the corresponding interval) from the problem instance, can be used to solve Problem (Pmin):
Algorithm 1
Repeat the steps below until is empty.

Identify . Schedule the jobs in , such that , for all , according to the Earliest Deadline First (EDF) policy (which is always feasible).

Modify the problem to reflect the deletion of the jobs in : For all jobs , if , set ; modify similarly. Set .
III-B The Fully-compromised Controller
We now turn our attention to Problem (Pmax) and form a graph theoretic version of this problem. This is useful for describing the optimal full attack strategy, and for studying the impact of more limited attacks. Let be the interval graph induced by the jobs in , i.e., each vertex corresponds to a job interval, given by , while an edge is thrown between any two vertices iff the two corresponding job intervals intersect at one or more time slots [6]. We define the corresponding cost function over subsets of as , given by for any . In the induced interval graph, a clique is a subset of vertices , such that every two vertices in are connected by an edge. A maximal clique (inclusion-wise) is a clique that is not a subset of a larger clique. By these definitions, our problem corresponds to finding a clique partition of that maximizes the total cost taken over the cliques in this partition, i.e., find
(3) 
where is the set of all clique partitions of . By our assumptions on , the set function is nondecreasing, i.e., whenever . Moreover, for every such that , and , we have . By these two properties, the optimal clique partition, solving (3), includes a maximal clique . In fact, if we let be a subgraph of restricted only to the jobs in any , then is achieved by a partition that contains a maximal clique of the subgraph as well. Hence, for any such subgraph, each maximal clique contained in the subgraph separates the optimization problem into two subproblems and a Dynamic Programming algorithm (adapted from [7]) solves the problem accordingly.
Let be the maximum feasible cost that could be achieved by scheduling the jobs in . Given , let be the set of all the jobs whose intervals contain time slot , i.e., is a maximal clique contained in . By our discussion, the following recursion clearly holds.
(4) 
Our algorithm iterates over all intervals , with increasing interval length. In each iteration step, the algorithm computes , where the last two terms are obtained from previous iterations. A formal description of this Dynamic Program is now presented.
Algorithm 2
The optimal cost is and the optimal clique partition is , which are computed in the final step of the above program. From the obtained clique partition, one can easily compute a set of time slots, and set , solving Problem (Pmax). The obtained schedule leaves no degrees of freedom to the controller as, after the attacker’s modifications, all jobs become virtually urgent to the controller and must be scheduled immediately upon their arrival. It is also clear that, as the jobs’ allowance increases, the attacker is capable of forming larger cliques and hence imposing higher costs on the controller. Our goal in the remainder of this section is to formalize this observation. Towards this end, we first present a simple online attack where the jobs in are partitioned into cliques according to an EDF policy. That is, starting from the earliest deadline, all the jobs that arrive before or upon each deadline are grouped in a single clique and then removed from the problem instance:
Algorithm 3
Set . Repeat until is empty:

Set .

Set .

For all , set .

Update , .
Once the clique partition , has been established, the resulting cost is computed as
(6) 
Our next result shows that, despite its simplicity and online operation, Algorithm 3 could still achieve a significant loss in the system’s efficiency:
Proposition 1
For , Algorithm 3 has an approximation factor of .
Moreover, when is a power function of the form , the simple structure of the online solution also allows us to arrive at an explicit lower bound for :
Proposition 2
For ,
(7) 
The proofs for both propositions are provided in the Appendix. The above result can be used to estimate the growth of with . For instance, if we fix the average energy demand and the average inter-arrival time to arbitrary values, the bound obtained in Proposition 2 versus an increasing can be plotted. See Figure 2 for an example. As shown in the figure, grows at least linearly with , and the rate of growth increases as the sample size increases. More numerical results are reported in Section V.
Our numerical results in Section V provide more insights on the performance of the online attack.
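To make the gap discussed in this section concrete, the following added example (not code from the paper) computes, for one constructed demand set, the baseline cost of Section II, the minimum cost found by the critical-interval procedure of Algorithm 1, and the cost that results when every demand is altered according to the EDF grouping of Algorithm 3. It assumes a quadratic cost, integer time slots with inclusive intervals, and an energy intensity equal to the energy of the jobs contained in an interval divided by the number of slots in it (the form used in the scheduling model of [5]); all function names and the demand values are hypothetical.

```python
# Added illustration; demands are constructed sample data: (arrival, deadline, energy).
DEMANDS = [(0, 3, 4), (1, 2, 4), (2, 5, 2), (6, 7, 6)]


def quad(x):
    # Assumed cost per slot: convex and nondecreasing, C(x) = x^2.
    return x * x


def baseline_cost(jobs, cost=quad):
    """Inelastic policy: each job receives its whole energy in its arrival slot."""
    load = {}
    for a, _d, e in jobs:
        load[a] = load.get(a, 0) + e
    return sum(cost(x) for x in load.values())


def min_cost(jobs, cost=quad):
    """Algorithm 1: serve the interval of maximum energy intensity at a flat
    rate, delete its jobs and slots, and repeat on the compressed timeline."""
    jobs = [tuple(j) for j in jobs]
    total = 0.0
    while jobs:
        pts = sorted({t for a, d, _e in jobs for t in (a, d)})
        best = None  # (intensity, first slot, last slot)
        for z in pts:
            for z2 in pts:
                inside = [e for a, d, e in jobs if z <= a and d <= z2]
                if not inside:
                    continue
                g = sum(inside) / (z2 - z + 1)
                if best is None or g > best[0]:
                    best = (g, z, z2)
        g, z, z2 = best
        length = z2 - z + 1
        total += length * cost(g)  # every slot of the interval carries load g

        def remap(t, is_arrival):
            # Slots z..z2 are used up: later slots shift left, and endpoints
            # that fell inside the interval move to its boundary.
            if t > z2:
                return t - length
            if t >= z:
                return z if is_arrival else z - 1
            return t

        jobs = [(remap(a, True), remap(d, False), e)
                for a, d, e in jobs if not (z <= a and d <= z2)]
    return total


def edf_grouping(jobs):
    """Algorithm 3: from the earliest deadline on, group every remaining job
    that has arrived by that deadline into one clique."""
    remaining = sorted(jobs, key=lambda j: j[1])
    cliques = []
    while remaining:
        deadline = remaining[0][1]
        cliques.append([j for j in remaining if j[0] <= deadline])
        remaining = [j for j in remaining if j[0] > deadline]
    return cliques


def altered_cost(jobs, cost=quad):
    """Cost the controller pays when each clique is forced into a single slot."""
    return sum(cost(sum(e for _a, _d, e in c)) for c in edf_grouping(jobs))


def exposure(jobs, cost=quad):
    return {"baseline": baseline_cost(jobs, cost),
            "minimum": min_cost(jobs, cost),
            "all_altered": altered_cost(jobs, cost)}


if __name__ == "__main__":
    print(exposure(DEMANDS))
    # Same demands with no delay tolerance (deadline equals arrival).
    print(exposure([(a, a, e) for a, _d, e in DEMANDS]))
```

On this demand set the three costs are 72 (baseline), 36 (minimum) and 136 (all demands altered), while with every allowance set to zero all three equal 72: the delay tolerance that lets the controller halve the cost is the same slack that allows the altered demands to push it above the baseline.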
IV Performance Bounds under Limited Attacks
In this section, we study the case where the attacker is capable of changing the arrival times and the deadlines of only jobs. Similar to our argument in Section II, the attacker could only consider the following strategy: Choose a set of jobs such that , and set for all jobs and leave all other jobs unaltered. We propose two polynomial time algorithms that render a lower and an upper bound, respectively, on the performance due to the considered limited attack. For simplicity, we let and .
IV-A A lower bound
Inspired by the standard greedy algorithm for the fractional knapsack problem [8], we propose a simple variant that is tailored to our problem. In the classical fractional knapsack problem, items are given, each with a weight and a value . We need to specify which items to collect such that their total weight does not exceed a specified quantity () and their total value is maximized. A fraction of any item might be collected, and the corresponding value is scaled according to its chosen weight. The greedy algorithm below solves this problem.
Algorithm 4
Given and

Sort according to in a nonincreasing order.

Choose the first pairs, s.t.
(8)
The optimal set is the chosen items in step (2), and a fraction of the th item as the budget allows. Moreover, if we let the remaining weight budget after selecting the first pairs to be , by the greedy selection, we have
(9) 
The proposed attack strategy builds on this algorithm: first, the attacker finds the optimal clique partition using Algorithm 2, assuming a full budget. Then, it utilizes the above algorithm twice: once to choose a set of cliques to fully compress (i.e., to collapse the job allowances within each clique to one common time slot), and once to choose a set of jobs within a given clique to fully compress. The choice that results in a higher cost is adopted.
Algorithm 5

Find the optimal clique partition of the jobs, , using Algorithm 2 (assuming a full budget). For each clique , set and .

Apply Algorithm 4 to the pairs , and , and pick the resulting cliques (ignoring the fraction generated by the algorithm). Compute the cost resulting from fully compressing those cliques. That is, .

For the th clique, apply Algorithm 4 to the pairs and . Compute the cost resulting from fully compressing the chosen jobs. That is, .

If , fully compress the jobs in cliques . Otherwise, fully compress the chosen jobs from clique . Set .
To get insights on the performance of this attack, suppose that, under no budget constraints, the optimal clique partition (obtained from Algorithm 2) is composed of cliques of size one. In this case, our greedy attack will choose to fully compress the jobs of the highest energy demands. This guarantees that . Another extreme case is when the optimal clique partition is composed of one clique containing the jobs. Here, our greedy selection guarantees that . When is a power function of the form , we then get . For more general clique partitions, these two insights are used to arrive at the achievable bound below (the proof is found in the Appendix).
Proposition 3
For ,
(10) 
IV-B An upper bound
In order to compute an upper bound on the system’s performance, we find the optimal attack strategy under the assumption that the controller follows the baseline scheduling strategy given in Section II. We further assume that at most one job arrives at any given time slot . Our main observation is that, under these assumptions, Problem Pmaxmin can be solved by a Dynamic Programming algorithm similar to Algorithm 2. To illustrate, consider the solution to Problem Pmaxmin when the controller follows the baseline scheduling strategy. The jobs’ schedule under this solution is a clique partition of the induced graph , which we denote by . Let denote the set of all the cliques of size one in and . Since at most one job can arrive at any time slot, without loss of optimality, we can assume that each clique contains exactly a single job, say , that has an unaltered arrival time. The remainder of the jobs would have arrival times altered to match that of . For instance, we can choose as the job with latest arrival in clique . Hence, the budget used to form clique is exactly . This observation leads to the below proposition (the proof is found in the Appendix).
Proposition 4
Let be the clique containing the maximum total energy requirement in . If is not a maximal clique in , it can be made maximal by adding job(s) only from .
The above proposition can be directly applied to any subgraph , as defined in Section III. Similar to the case , for any such subgraph, each maximal clique contained in the subgraph separates the optimization problem into two subproblems. Hence, if we dedicate a budget of jobs to any interval , we can construct a recursion that computes by parsing for maximal cliques in each time slot , investigating all the possibilities of using only a budget of out of for each found clique. We would also exhaust all the possibilities of distributing the remaining budget on the resulting two subproblems of any chosen clique, and any chosen budget for that clique. By Proposition 4, the constructed recursion indeed holds. A Dynamic Program similar to Algorithm 2 is built and the results are reported in Section V.
V Numerical Results
In this section, the job arrivals are simulated as a Poisson arrival process with mean 5. All the job allowances are independently and identically distributed exponential random variables. We use a quadratic cost function in all of our simulations. Figure 3 reports our comparison between the maximum and the minimum cost caused by an optimal/online full attack and an optimal/online uncompromised controller, for . The results are obtained by varying the job allowance mean and are averaged over 20 trials. The amount of energy demands is uniformly distributed on . As shown, as the job allowance mean increases, more flexibility is offered to the uncompromised controller, hence enabling further cost reductions. This, however, offers a similar opportunity for the attacker to form larger cliques of jobs and increase the harm. For instance, a fully unprotected controller, on the average, ends up paying of the expected baseline cost ( of the expected minimum cost), under an optimal full attack and large-enough time-flexibility. Our proposed suboptimal algorithm for the attacker maintains significant gains over both the baseline and minimum costs, even with the increased job allowance variance. Figure 4 focuses on the performance of partial attacks that were launched using the proposed algorithms in Section IV. In our experiment, the simulation sample is composed of 50 jobs. The energy requirements were uniformly distributed on while the mean job allowance was set to 40. The results are averaged over 5 trials. As shown, with the increased allowance mean, the obtained clique partitions become denser and therefore the bounds become tighter. Also, observe that using a simple greedy algorithm, the attacker is immediately capable of achieving a cost arbitrarily close to for our sample, with a chance of altering only 5 jobs out of 50.
Finally, in a more controlled experiment, we have generated 50 identical demands, with each requiring 5 energy units and offering an allowance of 50. The inter-arrival times between jobs are all set to one value, denoted by in Figure 5. was set to various values between 1 and 10, and was computed with varying values of . This enables us to gain more insights on how the growth of , with respect to , and how this growth is affected by the clique densities. As shown in the figure, when , with our chosen parameters, a single clique of jobs could be formed to achieve the maximum cost, and hence, in accordance with our theoretical results, the attacker could achieve approximately of the maximum achievable cost. As increases, the growth of with approaches a linear trend. The reason is that as increases, the size of the optimal clique partition of jobs increases, having approximately equally sized cliques. Hence the maximum cost decreases, and so does the contribution of each clique to the maximum cost.
VI Conclusion
In this paper, we have studied the performance of the smart grid, in terms of energy efficiency, in the presence of active attacks on the system. When the grid operator is fully compromised, we have proposed optimal scheduling and undetectable attack strategies. We have derived bounds on both the minimum and maximum achievable cost by an attacker with low-complexity online algorithms. In addition, we gave bounds on the impact of attacks that are limited by intrusion detection at the operator. In these limited attacks, we have shown that a significant increase in cost could still be achieved by a simple greedy algorithm. Overall, our theoretical analysis and numerical results show that an inelastic utilization of the communication channels in the smart grid could result in costs significantly higher than those expected for both the smart grid and the current electric grid, motivating the need for stronger intrusion detection and defense strategies for grid operators.
References
 [1] K. Moslehi and R. Kumar, “A reliability perspective of the smart grid,” Smart Grid, IEEE Transactions on, vol. 1, no. 1, pp. 57–64, June 2010.
 [2] T. Lui, W. Stirling, and H. Marcy, “Get smart,” Power and Energy Magazine, IEEE, vol. 8, no. 3, pp. 66–78, May-June 2010.
 [3] P. McDaniel and S. McLaughlin, “Security and privacy challenges in the smart grid,” Security Privacy, IEEE, vol. 7, no. 3, pp. 75 –77, 2009.
 [4] I. Koutsopoulos and L. Tassiulas, “Control and optimization meet the smart power grid - scheduling of power demands for optimal energy management,” Arxiv preprint arXiv:1008.3614, 2010.
 [5] F. Yao, A. Demers, and S. Shenker, “A scheduling model for reduced cpu energy,” in Foundations of Computer Science, 1995. Proceedings., 36th Annual Symposium on. IEEE, 1995, pp. 374–382.
 [6] J. Gross and J. Yellen, Graph theory and its applications. CRC press, 2006.
 [7] D. Gijswijt, V. Jost, and M. Queyranne, “Clique partitioning of interval graphs with submodular costs on the cliques,” RAIRO-Operations Research, vol. 41, no. 03, pp. 275–287, 2007.
 [8] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein, Introduction to Algorithms. The MIT Press, 2009.
Appendix A Proofs
A-A Proof of Proposition 1
For a given problem instance, , , let the optimal partition of the jobs in be such that
(11) 
By our construction of , we have that, for all , all the jobs in have arrived strictly later than the earliest deadline of the jobs in . Consequently, each could have a nonempty intersection with at most consecutive sets in the partition . Letting , we have
where (a) is obtained by the power mean inequality.
A-B Proof of Proposition 2
From Eq. (6) and the power mean inequality, we have
(12) 
We will show that , where , and this completes the proof. If , we are done. Otherwise, it suffices to show that for .
In the solution of Algorithm 3, the maximum number of cliques of size 1 is , for otherwise, our assumption on is violated. We assume that the number of cliques of size 1 is . Hence the summation of the inter-arrival times of those jobs is ≥ , if they did not include the last arrival in , and is ≥ if they did. On the other hand, if the number of the remaining cliques is strictly larger than , then necessarily the summation of the inter-arrival times corresponding to those cliques is strictly larger than , if they include the last arrival, and strictly larger than otherwise. Combined with the argument above, we find that we can have at most remaining cliques, and accordingly .
A-C Proof of Proposition 3
Let denote the fraction of budget available to clique assuming the first cliques are fully compressed, and .
A-D Proof of Proposition 4
Assume that is not maximal. Then there exists a job such that is a clique in . If is in some clique and then we can schedule job in without affecting the attacker’s budget. Moreover, by the convexity of , the resulting cost cannot decrease by this change. If is in some clique , and , then we can schedule all the jobs in clique together with job , and schedule all the jobs in at the latest arrival time of the remaining jobs in . This leaves the budget unaffected and could only increase the total resulting cost.