False Relay Operation Attacks in Power Systems with High Renewables
Mohamadsaleh Jafari, Md Hassan Shahriar, Mohammad Ashiqur Rahman, Sumit Paudyal
FFalse Relay Operation Attacks inPower Systems with High Renewables
Mohamadsaleh Jafari, Md Hassan Shahriar, Mohammad Ashiqur Rahman, and Sumit Paudyal
Department of Electrical and Computer Engineering, Florida International University, USAEmails: mjafari@fiu.edu, mshah068@fiu.edu, marahman@fiu.edu, spaudyal@fiu.edu
Abstract —Load-generation balance and system inertia areessential for maintaining frequency in power systems. Powergrids are equipped with Rate-of-Change-of-Frequency (
ROCOF )and Load Shedding ( LS ) relays in order to keep load-generationbalance. With the increasing penetration of renewables, theinertia of the power grids is declining, which results in a fasterdrop in system frequency in case of load-generation imbalance.In this context, we analyze the feasibility of launching FalseData Injection (FDI) in order to create False Relay Operations(FRO), which we refer to as FRO attack, in the power systemswith high renewables. We model the frequency dynamics of thepower systems and corresponding FDI attacks, including theimpact of parameters, such as synchronous generators’ inertia,and governors’ time constant and droop, on the success ofFRO attacks. We formalize the FRO attack as a ConstraintSatisfaction Problem (CSP) and solve using Satisfiability ModuloTheories (SMT). Our case studies show that power grids withrenewables are more susceptible to FRO attacks and the inertiaof synchronous generators plays a critical role in reducing thesuccess of FRO attacks in the power grids. Index Terms —False data injection, false relay operation, loadshedding relay, ROCOF relay, frequency response.
I. N omenclature ∆ f Change in frequency. ∆ P Total power imbalance. ∆ P gov Change in power due to governor’s action. ∆ P a Change in generator’s setpoint due to FDI attack. ∆ P sh Shed load due to Load Shedding ( LS ) relay. ∆ P tg Change of power generation due to
ROCOF . ∆ t Simulation time step. f Frequency. f Frequency threshold for load shedding.˙ f Rate-of-Change-of-Frequency (
ROCOF ).˙ f Threshold value of
ROCOF . H Inertia constant of multi-machine System. M Number of cycles in ˙ f calculation. n Discrete time step. P e Electrical power output of generators. P m Mechanical power input to generators. P sh Load shed by LS relays at each time step. P tg Power of tripped generators by
ROCOF relays. R Droop of the governors. T Time constant of governors. t Time. II. I ntroduction
A large part of power generation in bulk power systemsis supplied by synchronous generators. However, these days,Distributed Energy Resources (DERs) are becoming an inte-gral part of the power systems [1]. As the power grid evolveswith increasing penetrations of inverter-based DERs such assolar photovoltaics (PV) and wind turbines, the inertia of thegrid tends to decline [2], [3].Wind turbines and solar panels are equipped with severalsensor measurements such as wind velocity, wind direction,and solar irradiance. These measurements are connected tothe control center using wireless / wired technologies to facili-tate analyzing and adjusting the power output of generatorsto maintain the grid frequency. Protective devices, such asRate-of-Change-of-Frequency ( ROCOF ) and Load Shedding( LS ) relays are equipped in the power system to maintainload-generation balance when frequency changes [4], [5]. Inthe case of load-generation imbalance, the system frequencydeviates from the nominal value, and if the frequency / ROCOF goes beyond an acceptable range, these relays trip theircorresponding generators / loads to keep the frequency withinthe range. An attacker can exploit this relay functionality byperforming False Data Injection (FDI) attacks. The attackermay inject necessary false data into various DER sensor mea-surements causing a False Relay Operation (FRO) (i.e., falseoperation of an LS / ROCOF relay) in the grid. For example,the attacker can inject false data into the air density and windvelocity measurements of a wind turbine to mislead the controlcenter to perceive a power abundance in the network. Then,the operator of the control center adjusts the power output ofsynchronous generators. However, as the actual generation isless than the load, the frequency drops. If this attack continues,some generators may trip by
ROCOF relay operation or someloads may get disconnected by LS relays. We name suchexploitations as FRO attacks.Various FDI attacks in power grids have been widely studiedin the literature. The authors in [6], [7] presented an FDIattack on contingency analysis of the power system, wherethe target was created to mislead the operational cost only.Chlela et al. [8] addressed the impacts of FDI cyber-attackson critical microgrid control functions as well as the lossof load resulting from under-frequency load shedding. Zhanget al. [9] discussed security issues of a dynamic microgridpartition process and investigated three di ff erent scenarios of a r X i v : . [ ee ss . S Y ] F e b DI attacks against it. In [10], the authors analyzed FDI attackswith incomplete information, where the attacker has limitedinformation about the network topology. The possible FDIvulnerabilities on an integrated Volt-VAr control is studiedin [11]. Teixeira et al. [12] studied the impact of FDI attackson the measurement data and reference signals received bythe voltage droop controllers in microgrids. Liu et al., [13]focus on the continuous injection of time-varying false dataand load redistribution in the system. A pre-overload vulner-ability graph approach is proposed in [14] to systematicallyassess, evaluate, and quantify the system vulnerability undera load redistribution FDI attack. Some researchers studied thedefense against the above-mentioned attacks. For example, areachability analysis-based mechanism is presented in [15] todetect FDI attacks. Saad et al. [16] presented an IoT-basedcyber-physical system at mitigating FDI attacks.However, to the best of our knowledge, the current literaturedoes not address the possibility of launching FDI attacksleading to FRO. In this context, this paper aims at studying thefeasibility of FRO attacks in power systems. We represent theoverall problem in a generic, formal manner by recognizingit as a Constraint Satisfaction Problem (CSP). We applySatisfiability Modulo Theories (SMT), a powerful constraintsatisfaction tool [17], to solve this CSP.The rest of the paper is organized as follows. In sectionIII, we model the frequency behavior of the power systemconsidering the change of the generator setpoints due to FDI,the generator’s governor reaction, LS , and ROCOF relayoperations. In section IV, we show case studies by consid-ering di ff erent combinations of power system parameters andanalyze their impacts on the success of FDI in launching FROattacks. We conclude the paper in section V.III. F ormal M odels In this section, we present the formal models of the powersystem frequency dynamics and the synthesis of potential FROattack vectors. An attack vector identifies a set of sensormeasurements and necessary FDIs that can lead to a FROattack. We also model the power grid relay operations andhow the attack can percolate into this system leading to falseactivation of the relays. We specifically focus on
ROCOF and LS relays. A. Power System Frequency Dynamics
The system frequency response in a power grid can be de-termined using swing equation, and load / generation changes.For multi-machine power systems, the swing equations can beequivalently represented in terms of center of inertia (COI) as, d f ( t ) dt = H ( P m − P e ) . (1)The above form of swing equation can be linearized for amulti-machine power system as follows [18], d ∆ f ( t ) dt = H ∆ P ( t ) . (2) B. FDI Attacks on Grid Frequency Control
In this study, the FDI attack on measurements from DERs(e.g., wind velocity, solar irradiance) will be perceived asgeneration change at the control center level. We assume thatthe attacker cannot directly change the generators’ setpoints.Therefore, the attacker tries to launch FDI attacks on the DERmeasurements. These compromised measurements are sent tothe control center to mislead the operator of the abundanceor shortage of power in the network. Then, the operatorsends new setpoints to the synchronous generators to addressthe issue, while unknowingly participating in the attacker’sgoal. We assume that the frequency regulation takes placemainly due to the primary frequency response and secondaryfrequency control actions.We model the power imbalance as [18], ∆ P n = ∆ P govn − ∆ P an + ∆ P shn − ∆ P gn . (3)Governor operation ( ∆ P govn (cid:44) ∆ P govn + = ∆ P govn + ∆ tT (cid:16) − ∆ f n R − ∆ P govn (cid:17) , (4)We model the frequency resulting from the actions ofgovernors, ROCOF , and LS relays using the following, ∆ f n + = ∆ t H (cid:20) ∆ P govn (2 − ∆ tT ) − ∆ P an − ∆ f n ( ∆ tRT − H ∆ t ) − ∆ P tgn + − ∆ P shn + (cid:21) , (5) f n = + ∆ f n , (6)If f n is less than f , the total amount of shed load at time n + ∆ P shn + = ∆ P shn + P sh , ∀ f n ≤ f (7)To model the activation of ROCOF relays, we compute ˙ f asfollows [19], ˙ f = M n (cid:88) n − M + ∆ f n ∆ t , (8)If ˙ f is greater than ˙ f , the ROCOF relay operates and discon-nects the generator from the grid. This generator disconnectionis modeled by, ∆ P tgn + = ∆ P tgn + P tg , ∀ ˙ f ≥ ˙ f (9)
11 + 𝑇𝑠 11 + 𝑇 𝑇 𝑠 1 𝑅 Δ𝑓 Δ Δ Δ
Fig. 1. Model of generators’ Equivalent Governor.
V. C ase S tudies In order to study the proposed method, we consider a 5-bus power system as shown in Fig. 2 with three generators,three wind farms, two solar parks, and four bulk loads. Thetotal amount of the load is 4.5 p.u., 3.0 p.u. of which issupplied by the generators (1.0 p.u. each), and 1.50 p.u. issupplied by the wind and solar generations. We consider anominal frequency of 60 Hz. All the loads are equipped with LS relays with f = ROCOF relays with ˙ f = / s at buses 4,5, and 1, respectively. The reason for considering di ff erent ˙ f values for the relays is that not all of the generators in case ofany ROCOF -type attack get disconnected simultaneously fromthe grid [20]. The acceptable maximum ˙ f is usually rangedbetween 0.5 and 1.2 Hz / s [21]. The value of M typically variesbetween 2 and 40 cycles [22]. In our study, we set M to6 cycles. Also, we assume that the FDI attack takes placeonly at a single time step (not a recurring attack attempt).We encode the formalization presented in the previous sectionand solve it using Z3, which is an e ffi cient SMT solver [17].During the execution of the FDI attack, the solution to themodel returns either a successful or unsuccessful status. If theresult is successful, it denotes that the SMT solver identifiedan attack vector that satisfies all the given constraints. On theother hand, unsuccessful status implies that there is no solutionto the given problem (with the given attack constraints). Inthis work, an attack vector represents an assignment variablevalue for which the framework identifies a satisfiable solution.We run our experiments on an Intel Core i7 processor with16 GB memory. In order to evaluate the impact of powersystem parameters on the feasibility of FDI on FRO, weconsider di ff erent combinations of H , R , and T for the examplepower grid and run the proposed framework. We also considerthe Threshold of Injection ( T oI ) and Attackable DERs ( AD )parameters in our studies. T oI is the maximum percentage ofthe change that the attacker can make in measurements as falsedata and AD is the percentage of attackable DERs (includingwind turbines and solar panels). By attackable, we mean thatthe measurements in DERs are not secured and the attacker Fig. 2. A 5-Bus Test Network for case studies. TABLE IP ower system parameters used for the case studies . Parameter Case Study C C C R ( pu ) 0.2 0.2 0.2, 0.4, 0.6, 0.8, 1.0 T ( s ) 0.2 0.2 0.2, 0.4, 0.6, 0.8, 1.0 AD % 20.0 20.0 20.0, 40.0, 60.0, 80.0, 100.0 H ( s ) 2.0 6.0 2.0, 4.0, 6.0, 8.0, 10 ToI % 2.0 6.0 2.0, 4.0, 6.0, 8.0, 10 can access them. Table I shows di ff erent values of the examplepower grid parameters used to evaluate the performance of theproposed framework in di ff erent case studies. To generate ageneric relationship among the parameters, we created 10,000di ff erent combinations of these values and observed the suc-cessful attacks at launching FRO. Among these combinations,we pick two to show the frequency and ROCOF behaviors ofthe power system. Then, we show a bigger picture of theseparameters impact on attack success. • Case 1 ( C ∆ P a = f sharply changes and reaches 0.510 Hz / s in 12cycles which is greater than the ˙ f of the generator at bus4. Therefore, ROCOF relay at bus 4 operates falsely anddisconnects its corresponding generator from the grid ( P tg = f changes are shown in Table IIfor n = • Case 2 ( C R , T ,and AD remains the same as C H increases. In orderto launch a successful attack, the attacker needs to be able toinject at least 6.0% of false data into the measurements i. e., T oI = ∆ P a = f reach 0.513 Hz / s in 12 cycles, which is greater thanthe ˙ f of the generator at bus 4. Hence, the ROCOF relayat bus 4 operates falsely and its generator gets disconnectedfrom the grid ( P tg = ROCOF are shown in Table II. • Case 3 ( C TABLE IIF requency and
ROCOF behavior of the example power system for casestudies C and C n ˙ f ( Hz / s ) f ( Hz ) C C C C
20 - - 60.000 60.0001 - - 59.991 59.9912 - - 59.983 59.9833 - - 59.976 59.9744 - - 59.968 59.9665 - - 59.960 59.9576 0.480 0.490 59.952 59.9517 0.470 0.500 59.944 59.9418 0.460 0.500 59.937 59.9339 0.460 0.500 59.930 59.92410 0.460 0.500 59.922 59.91611 0.450 0.490 59.915 59.90812 iscuss the impact of the power system parameters on FROattack success.Fig. 3 shows the impact of H on FRO success. As can beseen, there is almost a negative correlation between H and thenumber of successful FRO. In other words, When H increases,the number of successful FRO decreases. This is due to thefact that with a higher value of H , the frequency of the systembecomes more stable and has less fluctuation. Therefore, thepossibility of a larger ˙ f occurrence below f becomes less.Fig. 4 also shows that there is a negative correlationbetween R and the number of successful FRO attacks. This isbecause, with increasing values of the droop, the power grid’sgenerators show a slower reaction to the frequency changes inthe power grid. This slow reaction goes against the attacker’sgoal, which tries to cause a sharp ˙ f or a frequency dropbelow f . From Fig. 5, it can be observed that an increasein T leads to more successful FRO attacks. This positivecorrelation is due to the fact that larger T makes the governor’sresponse slower to any frequency abnormalities that actuallygives more chances to the frequency fluctuations. This createsmore possibilities for the attacker to achieve his goal.In Fig. 6, it is shown that the relationship between T oI andthe number of successful FRO attacks is almost a proportionalrelationship. This is in accordance with the fact that if theattacker is able to change each of the measurements with agreater absolute value, the possibility of convincing the controlcenter of sending a greater change to the generator setpointsis higher. The greater the changes in the setpoints, the greaterthe fluctuations in the frequency, and the greater the possibilityof having successful FRO attacks. Fig. 7 the result of Fig. 6.It shows that if the attacker has access to a larger number ofDER measurements, i. e., greater AD , more successful FROattacks are possible to happen in the grid.Comparing Fig. 3, Fig. 4, and Fig. 5, it can be seen that theslop of number of successful FRO attacks vs. H is greaterthan the ones of R and T . This shows the importance ofconsidering the inertia of the power system while increasingthe penetration of DERs in the grid. Inertia can have significante ff ects on a power grid’s vulnerability against FDI attacks.With increasing the penetration of low-inertia DERs such Inertia, H (sec) N o . o f S u cc e ss f u l A tt a c k s Fig. 3. Number of successful FRO attacks vs. inertia ( H ). Droop, R (pu) N o . o f S u cc e ss f u l A tt a c k s Fig. 4. Number of successful FRO attacks vs. governor’s droop ( R ). Time Constant, T (sec) N o . o f S u cc e ss f u l A tt a c k s Fig. 5. Number of successful FRO attacks vs. governor’s time constant ( T ). as wind turbines and solar panels into power systems, thefrequency of the grid becomes less stable to any type ofdisturbances or attacks. This makes the power grids morepotent to FRO attacks.From Table III, it can be observed that inertia has an impacton the FRO attack type (i. e., ROCOF or LS attack), as well.When H is less than 4 (in the example power system), wehave both ROCOF and LS attacks in the power grid whilewith an increase in H , we observe only ROCOF attacks. Thisis because of the fact that for low H , the power grid showsa faster reaction to any load-generation imbalances. If these Threshold of Injection (ToI) (%) N o . o f S u cc e ss f u l A tt a c k s Fig. 6. Number of successful FRO attacks vs. threshold of injection (
ToI ). Attackable DERs (%) N o . o f S u cc e ss f u l A tt a c k s Fig. 7. The number of successful FRO attacks vs. attackable DERs ( AD ). imbalances are big enough the frequency might drop in lessthan 6 cycles (the number of cycles considered in this paper forcalculation of ˙ f ). This possibility of fast operation of LS relaysis eliminated with an increment of H . Moreover, according toFig. 4 and Fig. 5, it can be noticed that an increase in T ordecrease in R reduces the number of successful FRO attacks. TABLE IIII mpact of inertia (H) on the attack type .H (s)
ROCOF
Attack LS Attack < (cid:88) (cid:88) ≥ (cid:88) × V. C onclusion
In this work, we study the feasibility of FDI attacks onpower systems that falsely trigger protective relays (i.e., rate-of-change-of-frequency and load shedding relays). The pro-posed formal model considers the impact of di ff erent powersystem’s parameters, including generators’ inertia, equivalentgovernors’ droop and time constant, the threshold of false datainjection, and the number of attackable DERs and synthesizessuccessful FRO attacks, if exists. Our results show that, amongvarious parameters, inertia has the most impact on reducingthe success of the FRO attacks as higher inertia can reduce thepossibility of launching a successful FRO attack in the powersystem. Moreover, it is demonstrated that an increase in droopor decrease in the time constant of governors can lower thepossibility of launching a FRO attack in the power system.R eferences [1] M. Jafari, T. O. Olowu, A. I. Sarwat, and M. A. Rahman, “Study ofsmart grid protection challenges with high photovoltaic penetration,” in Proc. North American Power Symposium (NAPS) , 2019, pp. 1–6.[2] U. Tamrakar, D. Shrestha, M. Maharjan, B. P. Bhattarai, T. M. Hansen,and R. Tonkoski, “Virtual inertia: Current trends and future directions,”
Applied Sciences , vol. 7, no. 7, p. 654, 2017.[3] P. Denholm, T. Mai, R. W. Kenyon, B. Kroposki, and M. O’Malley,“Inertia and the power grid: A guide without the spin,” Technical Report:NREL / TP-6A20-73856, National Renewable Energy Laboratory, May2020.[4] M. Grebla, J. R. A. K. Yellajosula, and H. K. Høidalen, “Adaptivefrequency estimation method for ROCOF islanding detection relay,”
IEEE Transactions on Power Delivery , vol. 35, no. 4, pp. 1867–1875,2020. [5] Y. Tofis, S. Timotheou, and E. Kyriakides, “Minimal load shedding usingthe swing equation,”
IEEE Transactions on Power Systems , vol. 32,no. 3, pp. 2466–2467, 2017.[6] M. Ashiqur Rahman, M. Hasan Shahriar, M. Jafari, and R. Masum,“Novel Attacks against Contingency Analysis in Power Grids,” arXive-prints , p. arXiv:1911.00928, Nov. 2019.[7] J.-W. Kang, I.-Y. Joo, and D.-H. Choi, “False data injection attacks oncontingency analysis: Attack strategies and impact assessment,”
IEEEAccess , vol. 6, pp. 8841–8851, 2018.[8] M. Chlela, G. Joos, M. Kassouf, and Y. Brissette, “Real-time testingplatform for microgrid controllers against false data injection cybersecu-rity attacks,” in
Proc. IEEE Power and Energy Society General Meeting(PESGM) , July 2016, pp. 1–5.[9] X. Zhang, X. Yang, J. Lin, and W. Yu, “On false data injection attacksagainst the dynamic microgrid partition in the smart grid,” in
Proc.IEEE International Conference on Communications (ICC) , 2015, pp.7222–7227.[10] M. A. Rahman and H. Mohsenian-Rad, “False data injection attackswith incomplete information against smart power grids,” in
Proc. IEEEGlobal Communications Conference (GLOBECOM) , Dec 2012, pp.3153–3158.[11] A. Teixeira, G. Dán, H. Sandberg, R. Berthier, R. B. Bobba, andA. Valdes, “Security of smart distribution grids: Data integrity attackson integrated volt / var control and countermeasures,” in Proc. AmericanControl Conference , June 2014, pp. 4372–4378.[12] A. Teixeira, K. Paridari, H. Sandberg, and K. H. Johansson, “Voltagecontrol for interconnected microgrids under adversarial actions,” in
Proc.IEEE 20th Conference on Emerging Technologies Factory Automation(ETFA) , Sep. 2015, pp. 1–8.[13] Y. Liu, S. Gao, J. Shi, X. Wei, and Z. Han, “Sequential-mining-basedvulnerable branches identification for the transmission network undercontinuous load redistribution attacks,”
IEEE Transactions on SmartGrid , vol. 11, no. 6, pp. 5151–5160, 2020.[14] Y. Liu, S. Gao, J. Shi, X. Wei, Z. Han, and T. Huang, “Pre-overload-graph-based vulnerable correlation identification under load redistribu-tion attacks,”
IEEE Transactions on Smart Grid , vol. 11, no. 6, pp.5216–5226, 2020.[15] O. A. Beg, T. T. Johnson, and A. Davoudi, “Detection of false-datainjection attacks in cyber-physical DC microgrids,”
IEEE Transactionson industrial informatics , vol. 13, no. 5, pp. 2693–2703, 2017.[16] A. Saad, S. Faddel, T. Youssef, and O. A. Mohammed, “On theimplementation of IoT-based digital twin for networked microgridsresiliency against cyber attacks,”
IEEE Transactions on Smart Grid ,vol. 11, no. 6, pp. 5138–5150, 2020.[17] L. De Moura and N. Bjørner, “Satisfiability modulo theories: Anappetizer,” in
Brazilian Symposium on Formal Methods . Springer, 2009,pp. 23–36.[18] T. Amraee, M. G. Darebaghi, A. Soroudi, and A. Keane, “Probabilisticunder frequency load shedding considering rocof relays of distributedgenerators,”
IEEE Transactions on Power Systems , vol. 33, no. 4, pp.3587–3598, 2018.[19] M. R. Alam, M. T. A. Begum, and K. M. Muttaqi, “Assessing theperformance of ROCOF relay for anti-islanding protection of distributedgeneration under subcritical region of power imbalance,”
IEEE Trans-actions on Industry Applications , vol. 55, no. 5, pp. 5395–5405, 2019.[20] J. C. M. Vieira, W. Freitas, W. Xu, and A. Morelato, “Performance offrequency relays for distributed generation protection,”
IEEE Transac-tions on Power Delivery , vol. 21, no. 3, pp. 1120–1127, July 2006.[21] “IEEE standard for interconnection and interoperability of distributedenergy resources with associated electric power systems interfaces,”
IEEE Std 1547-2018 , pp. 1–138, April 2018.[22] C. F. Ten and P. A. Crossley, “Evaluation of Rocof relay performanceson networks with distributed generation,” in