Time-Delay Switch Attack on Load Frequency Control in Smart Grid
Arman Sargolzaei1,a, Kang K. Yen1,b, MN. Abdelghani2,c
1Department of Electrical and Computer Engineering, Florida International University, Miami, USA
2Department of Mathematics and Statistical Sciences, University of Alberta, Edmonton, Canada
Keywords: Systems with delay, TDS attack, Smart grids, Load frequency control (LFC), Switched systems, Power systems component, Hybrid systems
Abstract. Current smart power grids have communication infrastructure to improve efficiency, reliability and sustainability of supply. However, their open communication architecture makes them vulnerable to cyber-attacks with potentially catastrophic consequences. In this paper, we propose a new model of time-delay switch (TDS) attack by introducing different time delays to each state in the dynamics of a power system. That is, the telemetered sensed state of a plant is delayed by a specific amount of time for some specified attack time. Such an attack will have devastating consequences or introduce hidden inefficiency in smart grids if no prevention measures are considered in the design of these power systems. Here we consider examples of the effects of the TDS attack on the dynamic performance of a power system. To do this, we first formulate a state space model of a smart power grid system under TDS attack using a hybrid systems approach. Then we prove by analysis and demonstrate by simulation how a TDS attack can be used to sabotage and destabilize a smart grid.
Power grids and water supply systems are constantly updated with new telecommunication technologies for control and monitoring, to improve the efficiency, reliability and sustainability of supply and distribution. However, this modernization effort relies on computers and multi-purpose networks, which makes power grids and water supply systems vulnerable to cyber-attacks that may have a major impact on people's lives and the economy. For example, the US power grid is operated with SCADA (supervisory control and data acquisition) systems. SCADA systems are industrial control systems for large-scale processes that include multiple sites and are operated over long distances. Despite the precautions, several cyber-attacks on SCADA systems have been reported [1, 2, 3, 4, 5, 6]. Furthermore, replacing proprietary communication networks with open communication standards exposes process control and SCADA systems to risks associated with open networks such as corrupted data, network delays and cyber-attacks [7].
Investigating methods of attack on the industrial control systems of sensitive infrastructures, and devising countermeasures and security control protocols, have attracted the attention of academia, industry, and governments. These efforts have culminated in a large number of studies and many hardware and software systems dedicated to security countermeasures that prevent possible attacks on industrial systems. We will review some of the most common attacks and expand on an attack known as the time-delay switch attack, or TDS attack for short.
Generally, an intruder enacts an attack on the IT infrastructure of an industrial control system by obtaining access to various sensors and control signals and/or manipulating them to disrupt and sabotage the system. For instance, an intruder can disrupt a power system by increasing the load on a particular power transformer, by shutting down one or more sections of a smart power grid, or by introducing inefficiencies in the power supply [8, 9, 10, 11].
2013 International Conference on Advanced in Communication Technology
Advances in Communication Technology, Vol.5
978-1-61275-063-7/10/$25.00 ©2013 IERI ICACT 2013
The delay attack has been studied for sensor networks [12], where it can occur on the communication lines. A class of false data injection (FDI) attacks that bypass the bad data detection in SCADA systems was proposed in [11]. In [13], adversaries launched FDI attacks against the state estimates of power systems knowing only a perturbed model of the power system. Y. Mo et al. [14] studied FDI attacks on a control system equipped with a Kalman filter. In [15], the smallest set of adversary-controlled meters needed to perform an unobservable attack was identified. Recently, Amin et al. [8] considered denial of service (DoS) attacks on the communication channels carrying the measurements telemetered by remote terminal units (RTUs) to the control center of a power system. They demonstrated that an adversary may make a power system unstable by properly designing DoS attack sequences. Liu et al. [10] considered how a switched DoS attack on a smart grid can affect the dynamic performance of its power systems. The Viking projects [16, 17] considered cyber-attacks on Load Frequency Control (LFC), one of the few automatic control loops in SCADA power systems. They analyzed the impact of cyber-attacks on the control centers of power systems using reachability methods. However, they only considered attacks on the control centers, which are usually harder to attack than the communication channels in the sensing loop of a power system.
In this paper, we focus on the impact of introducing time delays in the sensing loop (SL) or in the automatic generation control (AGC) signal, the only automatic closed loop between the IT layer and the power system in the control area. When an adversary chooses to introduce delays in a control system, he or she is performing a time-delay switch (TDS) attack. Our work shows how TDS attacks can make any control system, and in particular a power control system, unstable. Therefore, future smart grids will have to use advanced two-way communication and artificial intelligence technologies to provide better situational awareness of power grid states, keeping smart grids reliable and safe from FDI, DoS or TDS attacks. While smart grid technologies will facilitate the aggregation and communication of both system-wide information and local measurements, they will certainly introduce their own cyber security challenges.
This paper is organized as follows. The power system and TDS attacks are modeled using a hybrid systems approach in Section II. In Section III the damage and risk to power systems under TDS attacks are assessed using sabotage and instability analysis. In Section IV we evaluate the effects of TDS attacks on an example LTI approximation of a two-area LFC model.
Figure 1 Two-area power system with Load Frequency Control (LFC) under TDS attacks (labels: Control Signal, Tie line power flow, Power Area 1, Power Area 2)
2. Model of Power Systems with TDS Attacks
It is reasonable to model a power system under TDS attacks as a hybrid system, by formulating TDS
attacks as a switch action, “Off/Delay-by-$\tau$”, where $\tau$ is some random delay time, of the sensed
system states or control signals of a power system. Here we will consider the TDS attack on the power
Consider the two-area power system with automatic generation control in Fig. 1. The LFC sends control signals to the plant, and the controller is updated by feedback states through the communication channels from/to the turbine and from the telemeter measurements of the RTUs. The communication channels are wireless networks. Attacks can be launched by jamming the communication channels (i.e. a DoS attack), by distorting feedback signals (e.g. an FDI attack), or by injecting delays (i.e. a TDS attack) into the data coming from the telemeter measurements.
An LFC is usually designed as an optimal feedback controller. For the LFC to operate optimally it requires the power state estimates to be telemetered in real time. If an adversary introduces significant time delays in the telemetered control signals or measured states, the LFC will deviate from its optimality and in most cases the system will break down.
The two-area power system model and its extension to the multi-area interconnected power system have been proposed in [reference lost in extraction]. The dynamic model of the LFC for the $K$th area is given by
[equation (1) omitted in the extracted text]
where $X_K$ and $U_K$ are the state and the control vectors, respectively. This model also depends on the $K$th power area. The matrices $A_K$ and $B_K$ are constant matrices with appropriate dimensions, $\Delta P_{L,K}$ is the load deviation, and $X_K(0)$ is the initial value vector for the $K$th power area. The state vector is
$$X_K(t) = [\,\Delta f_K \;\; \Delta P_{g,K} \;\; \Delta P_{v,K} \;\; \Delta P_{tie,K} \;\; e_K\,]^T \qquad (2)$$
where $\Delta f_K$, $\Delta P_{g,K}$, $\Delta P_{v,K}$, $\Delta P_{tie,K}$ and $e_K$ are the frequency deviation, the power deviation of the generator, the valve position of the turbine, the tie-line power flow and the control error of the $K$th power area, respectively. The control error of the $K$th power area is expressed as
[equation (3) omitted in the extracted text]
where the coefficient of the frequency deviation is the frequency bias factor.
In the dynamic model of the LFC, $A_K$, $B_K$ and $f(X(t), \Delta P_{L,K})$ are represented by
[equations (4) to (8) omitted in the extracted text]
where $N$ is the total number of power areas, $J_K$ is the generator moment of inertia, the next two coefficients are the speed-droop coefficient and the generator damping coefficient, $T_{gK}$ and $T_{tuK}$ are the governor and turbine time constants in the $K$th power area, and $T_{KL}$ is the stiffness constant between the $K$th and $L$th power areas. Also we have
[equation omitted in the extracted text]
Equation (9) gives the extension of the dynamic model (1) to the multi-area power system with the attack model, using Equations (4), (5), (6), (7) and (8):
$$\dot{X}(t) = AX(t) + BU(t) + D\,\Delta P_L \qquad (9)$$
The optimal feedback controller is given by
$$U = -K\hat{X} \qquad (13)$$
and the new state after the attack can be modeled by
[equation (14) omitted in the extracted text]
In (14), $t_{d1}, t_{d2}, \ldots, t_{dN}$ are different time-delays and are positive integers. When $t_{d1}, t_{d2}, \ldots, t_{dN}$ are all zero, the system is in normal operation. An adversary can get access to the communication line and switch a delay attack on the line on or off to drive the system into abnormal operation. This paper analyzes TDS attacks in some detail and shows how they can be used to switch a system to unstable
The analysis starts with the design of an optimal controller for the LFC in normal operation (i.e., with no attack); then we analyze the behavior of the system under attack. Consider the system model described by (9) with the performance index described by
[equation (15) omitted in the extracted text]
where the matrix $Q \in \mathbb{R}^{n \times n}$ is positive semi-definite and $R \in \mathbb{R}^{m \times m}$ is positive definite. Then the optimal control problem is to obtain the optimal control $U^*(t)$ that minimizes the performance index (15), subject to the dynamics of the system with no time-delay in its states.
3. Sabotage and Destability Analysis
To show that TDS attacks can destabilize the system, we use the following proof for our hybrid system. Before commencing the proof of the destabilizing effect of the TDS attack, we assume that the LFC can be approximated by a linear time-invariant (LTI) system and that its optimal controller has the form $U(t) = -KX(t)$, where under a TDS attack the control can be described by
[equation (16) omitted in the extracted text]
where $\tau$ is a set of $t_{d1}, t_{d2}, \ldots, t_{dN}$, $t_a$ is the start time of the attack and $t_b$ is the end time of the attack. It is obvious that the system is stable for all $t < t_a$ and may be stable for $t > t_b$ by the definition of the optimal controller. However, for $t_a < t < t_b$ it is not obvious that the system would be stable.
Theorem 1: Without loss of generality we suppose $t_b$ [value lost in extraction]. Then we consider the system described in (9) with an attack described by (16). The system under attack is not stable if the hybrid dynamic model of the system has at least one positive eigenvalue or at least one pole in the right half plane.
Proof: Consider (9) with $\Delta P_L = 0$ (for simplicity). Applying (16) to (9) for $t < t_a$, we obtain
$$\dot{X}(t) = AX(t) - BKX(t) \qquad (17)$$
Its characteristic equation is
$$|sI - A + BK| = 0 \qquad (18)$$
Solving (18) for $s$ gives the eigenvalues of the system before the attack. For $t > t_a$ the system is described by
$$\dot{X}(t) = AX(t) - BKX(t - \tau) \qquad (19)$$
Taking the Laplace transform of the above equation, we obtain
$$sX(s) = AX(s) - BKe^{-s\tau}X(s) \qquad (20)$$
Let $X(t) = e^{st}$ be a proposed solution of (19); then we have
$$s e^{st} I = A e^{st} - BK e^{s(t-\tau)} \qquad (21)$$
so $s$ must satisfy the characteristic equation of the delay system (19), i.e.
[equation (22) omitted in the extracted text]
In order to keep the system in the same stable situation as before the attack, the new eigenvalues should be at the same place as the eigenvalues right before the attack. So from (18) and (22) we obtain
$$BK\left(I - e^{-s\tau} I\right) = 0 \qquad (23)$$
Equation (23) is satisfied if and only if $\tau = 0$. Then we can conclude that for $\tau \neq 0$, the system (9) will be disturbed for those subspaces (time-delays), where for larger time-delays the system will be
4. Demonstration of Instability by Simulation
Simulation studies have been conducted to evaluate the effects of TDS attacks on the dynamics of the system. Based on Pontryagin's minimum principle, the optimal control law can be found for the system in its normal operation. For simplicity of discussion, we set $N = 2$, which means a two-power-area system. Table 1 shows the parameter values used in this process. Since the simulation over a certain duration tracks a step load change, we also set the step load change to 1.
Table 1 Parameter values for two area power system optimal controller design [table body not recoverable from the extracted page]
Then the instability of the system can be studied by finding the eigenvalues of the system before and after the attack. The roots (zeros) of (22) determine the stability of the system. For simulation simplicity, the fifth-order Padé approximation has been used to approximate $e^{-s\tau}$.
Fig. 2 shows the eigenvalues of the system before and after different TDS attacks. As $\tau$ becomes larger than zero, the eigenvalues move from the LHP to the RHP. It clearly shows that the system becomes unstable for time-delays larger than 0.3 sec. In Fig. 2, crosses, points, circles and stars denote the eigenvalues of the system with no attack and with attacks of time delay 0.1 sec, 0.4 sec and 0.6 sec, respectively. Fig. 3 shows the maximum eigenvalue as a function of the time-delay. Figures 2 and 3 clearly show that the system becomes unstable when the delay value
Figure 2 Eigenvalues of the system for normal operation and attack by different time-delays
Figure 3 Maximum Eigenvalues for different time-delay attacks
The total simulation time is 40 seconds. We assume that the adversary has access to the switch SW in Figure 1 and starts the TDS attack with the delay vector $[t_{d1} \;\; t_{d2} \;\; \ldots \;\; t_{dn}]^T$. Consider that the attack occurs at time $t_a$. In the figures we only show the dynamics of the first area of the two-area system in normal operation and under different attack conditions. In Figure 4, graphs (a), (b), (c) and (d) show the simulation results for the frequency deviation, the power deviation of the generator, the valve position of the turbine and the tie-line power flow, respectively.
The adversary attacks all of the states at $t_a = 15$ s, with the same time-delay pattern. In Figures 4 (a), (b), (c) and (d), the black lines show normal operation. TDS attack 1 (blue dashes) and TDS attack 2 (red dot-dashes) denote time-delay attacks with $t_{d1} = t_{d2} = \ldots = t_{d10} = 0.4$ and $t_{d1} = t_{d2} = \ldots = t_{d10} = 0.6$, respectively. It is clear that the system moves into the unstable region with
The attack starts at time $t_a = 5$ s, and the hacker attacks only one state of the system. In Figure 5, graphs (a), (b), (c) and (d), TDS attacks 1 and 2 denote attacks with time-delays of [value lost in extraction] and 0.6 on that single state, respectively (that is, there is no time-delay attack on the other states). In the case of a TDS attack with a delay of 0.3, the system is disturbed but still stable.
The results of Case 1 and Case 2 show that the adversary can cause instability in the system even by attacking only one state of the system.
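As an added example (not the paper's own code or data), the following Python script simulates a single-area version of the LFC loop under the "Off/Delay-by-τ" switch of Section 2: from $t_a$ on, the controller acts on telemetered states delayed by τ, i.e. $u(t) = -Kx(t-\tau)$, and a growth ratio of the frequency deviation is used in place of the Padé eigenvalue computation to separate the disturbed-but-stable case from the destabilized one. The plant parameters and the gain K are assumed values chosen for illustration, not the paper's Table 1 values.

```python
"""Single-area LFC under a time-delay switch (TDS) attack, forward-Euler simulation.

Added example; assumed parameters (not the paper's). Plant: the usual third-order
inertia / turbine / governor model, state x = (df, dP_g, dP_v).
"""

# Assumed plant parameters (per unit): inertia, damping, droop, governor and
# turbine time constants.
M, D, R = 10.0, 0.05, 1.5
T_G, T_T = 0.2, 0.3
# Assumed state-feedback gain; only the frequency channel is used so the loop is
# easy to reason about (delay margin roughly 0.46 s for these values).
K = (20.0, 0.0, 0.0)


def plant_derivative(x, u, dp_load):
    """x = (df, dP_g, dP_v): frequency deviation, generator power deviation,
    governor valve position deviation; dp_load is the load step."""
    df, dpg, dpv = x
    return ((dpg - dp_load - D * df) / M,
            (dpv - dpg) / T_T,
            (u - dpv - df / R) / T_G)


def simulate(tau, t_attack, t_end=60.0, h=1e-3, dp_load=0.01):
    """Return the df trace, one sample per Euler step.
    Before t_attack the controller sees x(t); afterwards it sees x(t - tau)."""
    delay_steps = int(round(tau / h))
    x = (0.0, 0.0, 0.0)
    hist = [x]                       # state history; index i <-> time i*h
    for i in range(int(t_end / h)):
        attacked = i * h >= t_attack and delay_steps > 0
        xm = hist[max(i - delay_steps, 0)] if attacked else x   # telemetered state
        u = -sum(k * xi for k, xi in zip(K, xm))                # u = -K x_measured
        dx = plant_derivative(x, u, dp_load)
        x = tuple(xi + h * dxi for xi, dxi in zip(x, dx))
        hist.append(x)
    return [s[0] for s in hist]


def growth_ratio(tau, t_attack=5.0, window=5.0, h=1e-3):
    """Peak |df| in the last `window` seconds divided by the peak |df| in the
    first `window` seconds after the attack starts. About 1: the loop settles
    to the same operating point; large: the delayed loop is unstable."""
    df = simulate(tau, t_attack, h=h)
    a, b = int(t_attack / h), int((t_attack + window) / h)
    early = max(abs(v) for v in df[a:b])
    late = max(abs(v) for v in df[a - b:])
    return late / early


if __name__ == "__main__":
    for tau in (0.0, 0.2, 1.0):      # no attack, small delay, large delay
        print(f"tau = {tau:.1f} s  growth ratio = {growth_ratio(tau):.2f}")
```

A delay of 0.2 s only reduces the damping of the loop, while 1.0 s pushes the phase crossover inside the unit gain circle and the frequency deviation grows without bound, which is the behaviour Theorem 1 and Figures 2 and 3 describe.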
This paper considers TDS attacks, a new type of attack on the cyber layer of smart grids that can sabotage the dynamic performance of power systems. The LFC power system under TDS attacks is modeled using hybrid systems, and the TDS attacks are formulated as a switch action “Off/Delay-by-$\tau$” on sensing channels or control inputs. Then the destabilizing action of TDS attacks on power systems has been studied using methods from hybrid systems theory. A two-area LFC LTI model has been simulated to evaluate the effects of TDS attacks. The results show that TDS attacks affect the dynamic performance of the LFC system and in many cases could destroy the system stability; such attacks can be launched at any time during the operation of the power system. Our future work will focus on making controllers and communication protocols robust under this type of attack.
Figure 4-(a) Frequency deviation, $\Delta f_1$
Figure 4-(b) Power deviation of generator, $\Delta P_{g,1}$
Figure 4-(c) Valve position of the turbine, $\Delta P_{v,1}$
Figure 4-(d) Tie-line power flow, $\Delta P_{tie,1}$
Figure 5-(a) Frequency deviation, $\Delta f_1$
Figure 5-(b) Power deviation of generator, $\Delta P_{g,1}$
Figure 5-(c) Valve position of the turbine, $\Delta P_{v,1}$
Figure 5-(d) Tie-line power flow, $\Delta P_{tie,1}$
[1] Gorman, S. (2009, April 8). Electricity Grid in U.S. Penetrated By Spies. The Wall Street
[2] Greenberg, A. (2008, January 18). Hackers Cut Cities' Power. Forbes.
[3] Meserve, J. (2007, September 26). Sources: Staged cyber attack reveals vulnerability in power grid. CNN.
[4] BBC News (2000, January 18). Colombia rebels blast power pylons. Retrieved from
[5] Pidd, H. (2012, July 31). India blackouts leave 700 million without power. The Guardian.
[6] Vijayan, J. (2010, July 26). Stuxnet renews power grid security concerns. Computerworld.
[7] Byres, E., & Lowe, J. (2004). The Myths and Facts behind Cyber Security Risks for Industrial Control Systems. Paper presented at the VDE Kongress, Berlin, Germany.
[8] Amin, S., Cardenas, A. A., & Sastry, S. S. (2009). Safe and Secure Networked Control Systems under Denial-of-Service Attacks. Paper presented at the Proceedings of the 12th International Conference on Hybrid Systems: Computation and Control, San Francisco, CA.
[9] Cardenas, A. A., Amin, S., & Sastry, S. (2008). Research challenges for the security of control systems. Paper presented at the Proceedings of the 3rd conference on Hot topics in security, San
[10] Liu, S., Liu, X. P., & Saddik, A. E. (2013). Denial-of-Service (DoS) attacks on load frequency control in smart grids. Paper presented at the Innovative Smart Grid Technologies (ISGT), 2013.
[11] Liu, Y., Ning, P., & Reiter, M. K. (2009). False data injection attacks against state estimation in electric power grids. Paper presented at the 16th ACM Conference on Computer and Communications Security (CCS '09), New York, NY, USA.
[12] Song, H., Zhu, S., & Cao, G. (2007). Attack-resilient time synchronization for wireless sensor networks. Ad Hoc Networks, 5(1), 112-125. ISSN 1570-8705.
[13] Teixeira, A., Amin, S., Sandberg, H., Johansson, K. H., & Sastry, S. S. (2010, December 15-17). Cyber security analysis of state estimators in electric power systems. Paper presented at the 49th IEEE Conference on Decision and Control (CDC), 2010.
[14] Mo, Y., & Sinopoli, B. (2010, April). False data injection attacks in control systems. Paper presented at the 1st Workshop on Secure Control Systems, Stockholm, Sweden.
[15] Kosut, O., Liyan, J., Thomas, R. J., & Lang, T. (2011). Malicious Data Attacks on the Smart Grid. IEEE Transactions on Smart Grid, 2(4), 645-658. doi: 10.1109/tsg.2011.2163807
[16] Esfahani, P. M., Vrakopoulou, M., Margellos, K., Lygeros, J., & Andersson, G. (2010). A robust policy for automatic generation control cyber attack in two area power network. Paper presented at the 49th IEEE Conference on Decision and Control (CDC), 2010.
[17] Mohajerin Esfahani, P., Vrakopoulou, M., Margellos, K., Lygeros, J., & Andersson, G. (2010). Cyber attack in a two-area power system: Impact identification using reachability. Paper presented at the American Control Conference (ACC), 2010.
[18] Sargolzaei, A., Yen, K. K., Noei, S., & Ramezanpour, H. (2013). Assessment of He's homotopy perturbation method for optimal control of linear time-delay systems. Applied Mathematical Sciences, 7(8), 349-361.
[19] Golub, G. H., & Van Loan, C. F. (1989). Matrix Computations. Baltimore: Johns Hopkins University Press, pp. 557-558.