False Data Injection Attack Against Power System Small-Signal Stability
Mohamadsaleh Jafari, Mohammad A. Rahman, and Sumit Paudyal
Department of Electrical and Computer Engineering, Florida International University, USA
Emails: mjafari@fiu.edu, marahman@fiu.edu, spaudyal@fiu.edu
Abstract—Small-Signal Stability (SSS) is crucial for the control of power grids. However, False Data Injection (FDI) attacks against SSS can impact the grid's stability; hence, the security of SSS needs to be studied. This paper proposes a formal method of synthesizing FDI attack vectors (i.e., a set of measurements to be altered) that can destabilize power systems. We formulate an FDI attack as an optimization problem using AC power flow, the SSS model, and stability constraints. The attacker's capability is modeled as the accessibility to a limited set of measurements. The solution of the proposed FDI attack model provides a destabilizing attack vector if one exists. We implement the proposed mechanism and evaluate its performance by conducting several case studies using the WSCC 3-machine 9-bus system. The case study results showed that the possibility of random FDIs (i.e., with no knowledge of the power system) in launching a destabilizing attack is too low to be successful. However, an intelligent attacker can leverage the grid's knowledge to make the system unstable, even with limited access to the measurements.
Index Terms—Small-signal stability, power flow, false data injection, attack analysis, formal modeling.
I. INTRODUCTION
Due to the fast-growing cyber world of complex adaptive systems and the internet, False Data Injection (FDI) attacks are becoming one of the most challenging issues [1]. In 2015, there was an FDI attack on the breakers of Ukrainian power grids that caused a power outage for more than 200 thousand customers for several hours [2]. FDI attacks can be detrimental to equipment as well. For example, a test carried out by manipulating a diesel generator's circuit breaker demonstrated damage to physical components of the electric power grids [3], [4]. FDI attacks can also lead the system operators to take control actions that may jeopardize the operation of the power grids. The FDI attack was first brought up by Liu et al. in the smart grid domain [5]. Although it may sound common, it particularly means that an attacker stealthily infuses some wrong data into the meter measurements to make the state estimation outputs in the smart grid wrong [6]. This attack is launched in such a way that the bad data detection module of the power grid control center may not detect it.
Stability analysis of power grids is of great importance due to the severe outage problem resulting from losing the stable working region. Small-Signal Stability (SSS) analysis is used to determine the power system's capacity to stay in synchronism when a small disturbance occurs in the system. Small-signal oscillations in a synchronous generator have been a matter of concern, as discussed in several studies [7]. In large interconnected power systems, especially the ones connected through long transmission lines, the SSS issue might threaten the security of the system due to the oscillation among the synchronous generators [8]. Eigenvalue analysis methods are widely used for the small-signal analysis of power grids [9].
Instability occurs when a pair of complex conjugate eigenvalues or a real eigenvalue falls in the right half of the S-plane.
We identify and review relevant existing work from the literature in two categories: the first focuses on SSS and power flow/Optimal Power Flow (OPF), while the other focuses on FDI attacks in power grids. In [10], an approach for rescheduling generating units in OPF is proposed which considers SSS constraints of the power system. Generating units are rescheduled if there are any unstable modes in the rotor angles of the generators. In [11], a stochastic OPF is proposed with voltage stability and SSS constraints. In [12], an eigenvalue optimization-based semi-definite programming model is proposed for SSS constrained OPF. A sequential quadratic programming approach combined with gradient sampling for SSS constrained OPF is proposed in [13]. A redispatching method is presented in [14], which gives the optimal preventive control actions ensuring a given security level of SSS. However, this work does not consider the possibility of launching a stealthy FDI attack.
In [15], the authors analyze specific closed-loop, dynamic load altering attacks against power system stability. The analysis follows a mathematical model considering that the attacker controls the changes in the attacked loads based on the feedback from the power system's frequency. This study considers the DC power flow, which often cannot provide accurate results. In [16], the authors consider the distributed load sharing of autonomous microgrids under FDI attacks, defining the stable region for operating microgrids. However, such analysis at the bulk power level with consideration of synchronous generators is lacking in the literature. The authors in [17] propose a resilient control strategy for load frequency control, where they introduce a defense layer capable of detecting and mitigating FDI attacks on power grids. Brown et al. in [18] study the possibility of cyber-physical attacks in creating instability in the power grid; however, the adopted method does not yield an optimal attack vector. In [19], the impacts of FDI attacks on local/master controllers by compromising communication links are analyzed, and subsequently, a cyber-attack resilient distributed control strategy is proposed in which all the participants can jointly detect and isolate corrupted links.
To the best of our knowledge, there is no work reported in the literature considering FDI attacks on load measurements and SSS analysis of power systems using an AC OPF framework. In this context, this paper aims at studying the feasibility of launching FDI attacks on the power system against small-signal stability. More importantly, unlike existing works, our formal model can be solved to automatically synthesize potential FDI attack vectors that lead to the system's instability.
The rest of the paper is organized as follows. In Section II, we formulate the SSS model of the power system. In Section III, we provide the FDI attack as an AC OPF problem with SSS as the constraints. In Section IV, we provide case studies to assess an FDI attack's success considering different levels of the attacker's access to the measurements as well as knowledge of the power system. We conclude the paper in Section V.
II. SMALL-SIGNAL STABILITY MODEL
In this section, we present the formal model of SSS.
A. Small-Signal Stability of a Dynamic System
Dynamics of a power system can be represented by the following generic Differential-Algebraic Equation (DAE),

$$\dot{x} = F_D(x, y), \tag{1}$$
$$0 = F_A(x, y), \tag{2}$$

where $x$ is the state variable vector, and $y$ is the vector of non-state variables. For the small-signal model, the linearized form of (1) is used, which can be written as,

$$\begin{bmatrix} \Delta\dot{x} \\ 0 \end{bmatrix} = \begin{bmatrix} \tilde{A} & \tilde{B} \\ \tilde{C} & \tilde{D} \end{bmatrix} \begin{bmatrix} \Delta x \\ \Delta y \end{bmatrix}. \tag{3}$$

Eliminating $\Delta y$ from (3), we obtain,

$$\Delta\dot{x} = A\,\Delta x, \tag{4}$$
$$A = \tilde{A} - \tilde{B}\tilde{D}^{-1}\tilde{C}, \tag{5}$$

where $A$ is the state matrix. For SSS analysis, eigenvalues of $A$ are computed as,

$$A\phi = \lambda\phi, \tag{6}$$

where $\phi$ is the normalized right eigenvector and $\lambda$ is the set of eigenvalues corresponding to $\phi$. For a dynamic system to be small-signal unstable, at least one eigenvalue must lie in the positive half-plane, i.e.,

$$\mathrm{Real}(\lambda) > 0. \tag{7}$$

B. Power System Small-Signal Model
Consider $g$ is the set of generator buses including the slack bus, and $l$ is the set of load buses including zero-injection buses. Assume $n\ (= g \cup l)$ is the set of all buses, and $g'$ represents the set of generator buses except the slack bus on the power network. Assume $m$ is an alias of $n$, and $n_g$ is the number of generators. Let $j = \sqrt{-1}$. Define the complex net power injection, net current injection, and bus voltage vectors as $\vec{S}_n = P_n + jQ_n$, $\vec{I}_n = I^r_n + jI^i_n$, and $\vec{V}_n = V^r_n + jV^i_n$. For small-signal analysis, a linearized power grid model around an operating point $(\vec{I}_g, \vec{V}_g, \vec{V}_l)$ is used, which can be written as,

$$\begin{bmatrix} \Delta I_g \\ 0 \end{bmatrix} = \begin{bmatrix} Y & Y \\ Y & Y' \end{bmatrix} \begin{bmatrix} \Delta V_g \\ \Delta V_l \end{bmatrix}, \tag{8}$$

where $\Delta I_g = [\Delta I^r_1, \Delta I^i_1, \ldots, \Delta I^r_g, \Delta I^i_g]^T$ is the vector of real and imaginary components of incremental injection currents $\overrightarrow{\Delta I_g}$ at generator buses, $\Delta V_g$ is the vector of real and imaginary components of incremental voltage $\overrightarrow{\Delta V_g}$ at generator buses, and $\Delta V_l$ is the vector of real and imaginary components of incremental voltage $\overrightarrow{\Delta V_l}$ at load buses. The sub-matrices $Y$ , $Y$ , and $Y$ are extracted from the bus admittance matrix $Y$ written as,

$$Y = \begin{bmatrix} Y_{11} & \cdots & Y_{1n} \\ \vdots & \ddots & \vdots \\ Y_{n1} & \cdots & Y_{nn} \end{bmatrix} \tag{9}$$

where $Y_{nm} = \begin{bmatrix} G_{nm} & -B_{nm} \\ B_{nm} & G_{nm} \end{bmatrix}$, in which $G_{nm}$ and $B_{nm}$ are the real and imaginary components of the line admittance between buses $n$ and $m$, respectively. $Y'$ is obtained by adding load admittance on the diagonal of matrix $Y$ , and $Y$ is also extracted from $Y$,

$$Y'_{nn} = \begin{bmatrix} G_{nn} + G_{L_n} & -B_{nn} + B_{L_n} \\ B_{nn} - B_{L_n} & G_{nn} + G_{L_n} \end{bmatrix} \tag{10}$$

where $G_{L_n}$ and $B_{L_n}$ are the real and imaginary components of the load impedance at the bus $n$.
Synchronous generators are modeled using classical representation [20].
The DAEs that describe the generators are linearized as follows,

$$\Delta\dot{x} = A_g \Delta x + B_g \Delta V_g, \tag{11}$$
$$\Delta I_g = C_g \Delta x + D_g \Delta V_g, \tag{12}$$

where $\Delta x = [\Delta\delta_1\ \Delta\omega_1, \cdots, \Delta\delta_{n_g}\ \Delta\omega_{n_g}]^T$ is the vector of the state variables of the power system. The details of matrices $A_g$, $B_g$, $C_g$, and $D_g$ are provided in the Appendix, with further details in [21]. We can obtain the following constituting matrices of the state matrix $A$ [21],

$$\tilde{A} = A_G, \quad \tilde{B} = \begin{bmatrix} B_G & 0 \end{bmatrix}, \quad \tilde{C} = \begin{bmatrix} -C_G \\ 0 \end{bmatrix}, \quad \tilde{D} = \begin{bmatrix} Y - D_G & Y \\ Y & Y' \end{bmatrix}. \tag{13}$$

III. FALSE DATA INJECTION ATTACK MODEL
We model the FDI attack as an AC OPF problem with the SSS model as the constraints. In this paper we assume that the attacker is able to inject false data into load measurements only. Let us define an attack vector as $\vec{S}^a_l$, which is the compromise (change) made by the attacker on load information (measurement or forecast). Consider that an attack of $\vec{S}^a_l$ changes the generator setpoints as $\vec{A}_v$, where $\vec{A}_v = [\vec{P}^a_g\ \ \vec{V}^a_g]^T$. The FDI attack can be modelled as,
$$\text{Min: } f(\vec{A}_v) \tag{14}$$

subject to:

$$\vec{I}_n = Y \vec{V}_n, \tag{15}$$
$$\mathrm{diag}\left(\vec{S}_g + \vec{S}^a_g\right) = \mathrm{diag}\left(\vec{V}_g + \vec{V}^a_g\right) \mathrm{diag}\left(\vec{I}_g^{\,*}\right), \tag{16}$$
$$\mathrm{diag}\left(\vec{S}_l + \vec{S}^a_l\right) = \mathrm{diag}\left(\vec{V}_l\right) \mathrm{diag}\left(\vec{I}_l^{\,*}\right), \tag{17}$$
$$\underline{V}_n \le |\vec{V}_n| \le \overline{V}_n, \tag{18}$$

constraints (5)-(8), (10)-(13)

$$\vec{I}_g = \vec{I}_g, \tag{19}$$
$$\vec{V}_g = \vec{V}_g, \tag{20}$$
$$\vec{V}_l = \vec{V}_l, \tag{21}$$

where $\underline{V}_n$ and $\overline{V}_n$ are the minimum/maximum acceptable nodal voltage magnitudes, and diag( ) results in a diagonal matrix. Equation (15) represents the load flow equations in terms of current injection; Equations (16) and (17) represent the modeling of generation and load powers, respectively. Equation (18) ensures voltage bounds. Constraints (5)-(8), (10)-(13) are the SSS constraints. Constraints (19)-(21) provide an operating point for the small-signal model.
IV. CASE STUDIES
The proposed method is applied to the WSCC 3-machine 9-bus system, which is a test system usually used for small-signal stability analysis. The WSCC system has three loads and three generators, as shown in Fig. 1 and Table I. The nonlinear equations of this study are implemented in Julia for Mathematical Programming (JuMP), which is a domain-specific modeling language for mathematical optimization embedded in Julia [22]. Also, Interior Point Optimizer (Ipopt) is used as the Nonlinear Programming (NLP) solver in these case studies [23]. We consider the following case studies:
Initial Stability Analysis (C1):
The evaluation of the proposed mechanism starts with implementing a case study (C1) to ensure that the power system is stable with the scheduled generation setpoints and loads. As shown in Table II, eigenvalues are either zero or negative; thus, the system is initially stable. A destabilizing attack vector will be considered as successful if the system becomes unstable after the attack.

TABLE I
LOAD DATA AND GENERATOR SETPOINTS FOR WSCC 3-MACHINE 9-BUS SYSTEM [20].

Load                               Generator
Label   P_L (MW)   Q_L (MVAr)      Label   P_sp (MW)   V_sp (pu)
L       125        50              G       -           1.040
L       90         30              G       163         1.025
L       100        350             G       85          1.025

Success Probability of Fully Random Attacks on Load Measurements (C2):
In this case study, we assess the possibility of launching a successful attack if the attacker doesn't have any knowledge about the power system and only has access to load measurements to launch the attack. In order to implement this scenario, we launch 7,500 uniform random attack vectors of $\vec{S}^a_l$, and observe the impacts on SSS of the system. The distribution of $\vec{S}^a_l$ is shown in Fig. 2. Among 7,500 uniform random attacks, we obtain only a single successful attack that makes the system unstable. This clearly shows that the success rate of launching a destabilizing attack on the power system is very low ( ≈ $\vec{S}^a_l$ for a successful attack, which shows for a random successful attack large changes on the load measurements are needed.
Attack with Full Knowledge and Full Access to Load Measurements (C3):
In this case study, we assume that the attacker has full knowledge of the power system (network topology, transmission line impedances, and generator parameters) as well as access to all the load measurements to launch an attack.
Attack with Full Knowledge but Limited Access to Load Measurements (C4):
In this case, we implement the attack assuming that the attacker has limited access to load measurements. We study three distinct scenarios:
• C . : The attacker can compromise only two of the load measurements ( L and L ).
• C . : The attacker can access only one of the load measurements ( L ).
• C . : The attacker can inject false data into the active power measurements only.

Fig. 1. WSCC 9-bus system used for case studies [20].
Fig. 2. Distribution of random attacks on active and reactive load measurements in C2.

Comparing results of C and C in Fig. 3(a), it is interesting to note that knowledge of the power system can substantially reduce the attack vector needed to make the system unstable. This is crucial, as the change in the load measurements may not be noticeable to the system operators in many cases, which makes it easier for the attacker to successfully execute the attack. Comparing the results, it can also be seen that the attacker may launch a smaller attack on active power loads compared to reactive power; thus, system operators may need to pay attention to expected reactive power loads on the network as well, otherwise, the attack goes stealthy. Based on C , we can observe that attacking only a few load measurements is sufficient for the attacker to make the system unstable if the attacker is knowledgeable about network parameters and power system operation practices.
Additionally, as the results of case studies C and C show, a successful attack vector is larger when a larger number of measurements are compromised. This is because of the problem's NLP nature and because the solutions obtained are trapped at a local minimum. If the proposed models can be convexified, then we expect to see the trivial result that a smaller attack would make the system unstable if a larger number of measurements are attacked. Another possible reason is that, since we do not include the load attack term $\vec{S}^a_l$ in the objective function but rather minimize a function based on the change in generators' setpoints $\vec{A}_v$ due to a load attack, the AC OPF finds minimal values in terms of generators' setpoint changes. It can be confirmed from Fig. 4(b), Fig. 4(a), and Fig. 5 that the optimizer achieves the same values of $\vec{A}_v$ and objective functions for cases C and C . As we mentioned before, these solutions correspond to a local minimum, given the NLP nature of the problem.
Fig. 6 shows that the eigenvalues for case studies C and C are the same. This is also due to the same solution obtained in terms of $\vec{A}_v$, although the other variables at load buses are different.

TABLE II
EIGENVALUES OF CASE STUDIES C AND C .

      Case- C              Case- C
λ     -0.077 + j0.000      -3.404 + j0.000
      -0.074 ± j5.826      -0.076 ± j7.546
      -0.020 ± j4.247      -0.005 + j0.000
       0.000 + j0.000       0.000 + j0.000

Fig. 3. Attack values (a) $P^a_L$ and (b) $Q^a_L$ for different case studies.
Fig. 4. Changes of generator setpoint values (a) $V^a_G$ and (b) $P^a_G$ due to FDI attacks on load measurements for different case studies.
Fig. 5. Objective function (OF) values for case studies.
Fig. 6. Eigenvalue placement for case studies C and C .

V. CONCLUSION AND FUTURE WORK
In this paper, we studied the feasibility of launching a destabilizing FDI attack on the power system in terms of small-signal stability. We used the AC power flow in our study and considered the classical model to implement synchronous generator behaviors in the system. Due to the nonlinearity of the study, we used a Nonlinear Programming (NLP) and optimization solver and proposed a mechanism to find the destabilizing attack vector. We conducted several experiments with different levels of the attacker's knowledge about the power system on a 9-bus system, and the results showed the proposed mechanism's effectiveness. For example, while the success rate of a random attack is very low ( ≈

REFERENCES
[1] Y. Song, X. Liu, Z. Li, M. Shahidehpour, and Z. Li, “Intelligent data attacks against power systems using incomplete network information: a review,” Journal of Modern Power Systems and Clean Energy, vol. 6, no. 4, pp. 630–641, 2018.
[2] G. Liang, S. R. Weller, J. Zhao, F. Luo, and Z. Y. Dong, “The 2015 Ukraine blackout: Implications for false data injection attacks,” IEEE Transactions on Power Systems, 2009.
[5] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against state estimation in electric power grids,” ACM Transactions on Information and System Security (TISSEC), vol. 14, no. 1, p. 13, 2011.
[6] M. Ahmed and A.-S. K. Pathan, “False data injection attack (FDIA): an overview and new metrics for fair evaluation of its countermeasure,” Complex Adaptive Systems Modeling, vol. 8, pp. 1–14, 2020.
[7] D. Mondal, A. Chakrabarti, and A. Sengupta, Power system small signal stability analysis and control. Academic Press, 2020.
[8] G. Rogers, Power system oscillations. Springer Science & Business Media, 2012.
[9] M. Pai, D. S. Gupta, and K. Padiyar, Small signal analysis of power systems. Alpha Science Int'l Ltd., 2004.
[10] S. H. Adeli, A. Rabiee, and S. T. Boroujeni, “Optimal re-dispatch of generating units ensuring small signal stability,” IET Generation, Transmission & Distribution, vol. 14, no. 18, pp. 3692–3701, 2020.
[11] C. Hamon, M. Perninge, and L. Söder, “A stochastic optimal power flow problem with stability constraints—Part I: Approximating the stability boundary,” IEEE Transactions on Power Systems, vol. 28, no. 2, pp. 1839–1848, 2012.
[12] P. Li, H. Wei, B. Li, and Y. Yang, “Eigenvalue-optimisation-based optimal power flow with small-signal stability constraints,” IET Generation, Transmission & Distribution, vol. 7, no. 5, pp. 440–450, 2013.
[13] P. Li, J. Qi, J. Wang, H. Wei, X. Bai, and F. Qiu, “An SQP method combined with gradient sampling for small-signal stability constrained OPF,” IEEE Transactions on Power Systems, vol. 32, no. 3, pp. 2372–2381, 2017.
[14] R. Zarate-Minano, F. Milano, and A. J. Conejo, “An OPF methodology to ensure small-signal stability,” IEEE Transactions on Power Systems, vol. 26, no. 3, pp. 1050–1061, 2011.
[15] S. Amini, F. Pasqualetti, and H. Mohsenian-Rad, “Dynamic load altering attacks against power system stability: Attack models and protection schemes,” IEEE Transactions on Smart Grid, vol. 9, no. 4, pp. 2862–2872, 2016.
[16] H. Zhang, W. Meng, J. Qi, X. Wang, and W. X. Zheng, “Distributed load sharing under false data injection attack in an inverter-based microgrid,” IEEE Transactions on Industrial Electronics, vol. 66, no. 2, pp. 1543–1551, 2018.
[17] A. Abbaspour, A. Sargolzaei, P. Forouzannezhad, K. K. Yen, and A. I. Sarwat, “Resilient control design for load frequency control system under false data injection attacks,” IEEE Transactions on Industrial Electronics, vol. 67, no. 9, pp. 7951–7962, 2019.
[18] H. E. Brown and C. L. Demarco, “Risk of cyber-physical attack via load with emulated inertia control,” IEEE Transactions on Smart Grid, vol. 9, no. 6, pp. 5854–5866, 2018.
[19] Q. Zhou, M. Shahidehpour, A. Alabdulwahab, and A. Abusorrah, “A cyber-attack resilient distributed control strategy in islanded microgrids,” IEEE Transactions on Smart Grid, 2020.
[20] P. Kundur, N. J. Balu, and M. G. Lauby, Power system stability and control. McGraw-Hill New York, 1994, vol. 7.
[21] X.-F. Wang, Y. Song, and M. Irving, Modern power systems analysis. Springer Science & Business Media, 2010.
[22] I. Dunning, J. Huchette, and M. Lubin, “JuMP: A modeling language for mathematical optimization,” SIAM Review, vol. 59, no. 2, pp. 295–320, 2017.
[23] “Ipopt,” https://github.com/coin-or/Ipopt.
APPENDIX

$$A_{g_i} = \left[\; \omega_s \quad -D_i \;\; H_i \;\right]$$

$$B_{g_i} = \left[\; -E'_i \;\; H_i \;\right] \begin{bmatrix} -R_{a_i} & X_{q_i} \\ -X_{q_i} & -R_{a_i} \end{bmatrix}^{-1} \begin{bmatrix} \sin\delta_i & -\cos\delta_i \\ \cos\delta_i & \sin\delta_i \end{bmatrix}$$

$$C_{g_i} = \begin{bmatrix} \sin\delta_i & -\cos\delta_i \\ \cos\delta_i & \sin\delta_i \end{bmatrix}^{T} \left( \begin{bmatrix} -R_{a_i} & X_{q_i} \\ -X_{q_i} & -R_{a_i} \end{bmatrix}^{-1} \left[\; V_{q_i} \quad -V_{d_i} \;\right] - \left[\; I_{q_i} \quad -I_{d_i} \;\right] \right)$$

$$D_{g_i} = \begin{bmatrix} \sin\delta_i & -\cos\delta_i \\ \cos\delta_i & \sin\delta_i \end{bmatrix}^{T} \begin{bmatrix} -R_{a_i} & X_{q_i} \\ -X_{q_i} & -R_{a_i} \end{bmatrix}^{-1} \begin{bmatrix} \sin\delta_i & -\cos\delta_i \\ \cos\delta_i & \sin\delta_i \end{bmatrix}$$

$$A_G = \mathrm{diag}\left(A_{g_1}, \cdots, A_{g_{n_g}}\right), \quad B_G = \mathrm{diag}\left(B_{g_1}, \cdots, B_{g_{n_g}}\right), \quad C_G = \mathrm{diag}\left(C_{g_1}, \cdots, C_{g_{n_g}}\right), \quad D_G = \mathrm{diag}\left(D_{g_1}, \cdots, D_{g_{n_g}}\right)$$
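The elimination in Eqs. (3)-(5) and the eigenvalue test in Eqs. (6)-(7) of Section II-A, carried through numerically as an added example; it is not code from the paper, whose implementation is in JuMP. It assumes a constructed single-machine classical model with one algebraic variable, $\Delta P_e = K_s \Delta\delta$ with $K_s = P_{max}\cos\delta_0$; the parameter values and all function names (`smib_blocks`, `screen`, and the rest) are hypothetical.

```python
# Added example (constructed model and values): stability screen per Eqs. (3)-(7).
import math

def matmul(P, Q):
    return [[sum(p * q for p, q in zip(row, col)) for col in zip(*Q)] for row in P]

def solve(D, C):
    """Return D^{-1} C by Gauss-Jordan elimination with partial pivoting."""
    n = len(D)
    aug = [[float(v) for v in D[i]] + [float(v) for v in C[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("D-tilde is singular; Delta-y cannot be eliminated")
        aug[col], aug[piv] = aug[piv], aug[col]
        aug[col] = [v / aug[col][col] for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def state_matrix(At, Bt, Ct, Dt):
    """Eq. (5): A = A~ - B~ D~^{-1} C~, eliminating the algebraic variables."""
    BX = matmul(Bt, solve(Dt, Ct))
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(At, BX)]

def eigenvalues(A, iters=500):
    """Eq. (6) in pure Python: Faddeev-LeVerrier characteristic polynomial,
    then Durand-Kerner iteration for its roots."""
    n = len(A)
    coeffs = [1.0]  # monic polynomial, highest degree first
    M = [[0.0] * n for _ in range(n)]
    for k in range(1, n + 1):
        AM = matmul(A, M)
        M = [[AM[i][j] + (coeffs[-1] if i == j else 0.0) for j in range(n)] for i in range(n)]
        T = matmul(A, M)
        coeffs.append(-sum(T[i][i] for i in range(n)) / k)
    roots = [(0.4 + 0.9j) ** i for i in range(n)]
    for _ in range(iters):
        for i in range(n):
            p, q = 0j, 1 + 0j
            for c in coeffs:
                p = p * roots[i] + c
            for j in range(n):
                if j != i:
                    q *= roots[i] - roots[j]
            roots[i] -= p / q
    return roots

def is_unstable(eigs, tol=1e-9):
    """Eq. (7): unstable when any eigenvalue has a positive real part."""
    return max(e.real for e in eigs) > tol

def smib_blocks(delta0_deg, p_max=2.0, H=3.77, D=0.754, ws=377.0):
    """Constructed classical one-machine model: x = [d_delta, d_omega],
    y = [d_Pe], with 0 = -Ks*d_delta + d_Pe and Ks = p_max*cos(delta0)."""
    Ks = p_max * math.cos(math.radians(delta0_deg))
    return ([[0.0, ws], [0.0, -D / (2 * H)]], [[0.0], [-1.0 / (2 * H)]],
            [[-Ks, 0.0]], [[1.0]])

def screen(delta0_deg):
    eigs = eigenvalues(state_matrix(*smib_blocks(delta0_deg)))
    return max(e.real for e in eigs), is_unstable(eigs)
```

`screen(60.0)` reports a lightly damped but stable oscillatory pair, while `screen(120.0)` reports a positive real eigenvalue; the only thing that changed is the operating point about which the model is linearized. Durand-Kerner converges slowly when eigenvalues are repeated, so larger systems are better served by a library eigenvalue solver.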