
Time-Delay Switch Attack on Load Frequency Control in Smart Grid

Arman Sargolzaei (1, a), Kang K. Yen (1, b), M. N. Abdelghani (2, c)

1 Department of Electrical and Computer Engineering, Florida International University, Miami, USA

2 Department of Mathematics and Statistical Sciences, University of Alberta, Edmonton, Canada

a asarg001@fiu.edu, b kang.yen@fiu.edu, c mnabdelghani@gmail.com

Keywords: Systems with delay, TDS attack, Smart grids, Load frequency control (LFC), Switched systems, Power systems component, Hybrid systems

Abstract. Current smart power grids have a communication infrastructure to improve the efficiency, reliability and sustainability of supply. However, their open communication architecture makes them vulnerable to cyber-attacks with potentially catastrophic consequences. In this paper, we propose a new model of the time-delay switch (TDS) attack by introducing a different time delay into each state in the dynamics of a power system. That is, we delay the telemetered sensed state of a plant by a specific amount of time for some specified attack time. Such an attack will have devastating consequences, or introduce hidden inefficiency, on smart grids if no prevention measures are considered in the design of these power systems. Here we consider examples of the effects of the TDS attack on the dynamic performance of a power system. To do this, we first formulate a state space model of a smart power grid system under TDS attack using a hybrid systems approach. Then we prove by analysis and demonstrate by simulations how a TDS attack can be used to sabotage and destabilize a smart grid.

1. Introduction

Power grids and water supply systems are constantly updated with new telecommunication technologies for control and monitoring to improve the efficiency, reliability and sustainability of supply and distribution. However, this modernization effort relies on computers and multi-purpose networks, which make power grids and water supply systems vulnerable to cyber-attacks that may have a major impact on people's lives and on the economy. For example, the US power grid is operated with SCADA, i.e. supervisory control and data acquisition, systems. SCADA systems are industrial control systems for large-scale processes that include multiple sites and are operated over long distances. Despite the precautions, several cyber-attacks on SCADA systems have been reported [1, 2, 3, 4, 5, 6]. Furthermore, replacing proprietary communication networks by open communication standards exposes process control and SCADA systems to risks associated with open networks such as corrupted data, network delays and cyber-attacks [7].

Investigating methods of attack on the industrial control systems of sensitive infrastructures and devising countermeasures and security control protocols have attracted the attention of academia, industry and governments. Their efforts have culminated in a large number of studies and in many hardware and software systems dedicated to security countermeasures that prevent possible attacks on industrial systems. We will review some of the most common attacks and expand on an attack known as the time-delay switch attack, or TDS for short.

Generally, an intruder enacts an attack on the IT infrastructure of industrial control systems by obtaining access to various sensors and control signals and/or manipulating them to disrupt and sabotage the systems. For instance, an intruder can disrupt a power system by increasing the load on a particular power transformer, by shutting down one or more sections of a smart power grid, or by introducing inefficiencies in the power supply [8, 9, 10, 11].

2013 International Conference on Advanced in Communication Technology

Advances in Communication Technology, Vol.5

978-1-61275-063-7/10/$25.00 ©2013 IERI ICACT 2013

The delay attack has been studied in [12] for sensor networks, where it can occur on communication lines. A class of false data injection (FDI) attacks bypassing the bad data detection in SCADA systems was proposed in [11]. In [13], adversaries launched FDI attacks against state estimates of power systems knowing only a perturbed model of the power system. Y. Mo et al. [14] studied FDI attacks on a control system equipped with a Kalman filter. In [15], the smallest set of adversary-controlled meters needed to perform an unobservable attack was identified. Recently, Amin et al. [8] considered denial of service (DoS) attacks on the communication channels carrying the measurements telemetered by remote terminal units (RTUs) to the control center of power systems. They demonstrated that an adversary may make power systems unstable by properly designing DoS attack sequences. Liu et al. [10] considered how a switched DoS attack on a smart grid can affect the dynamic performance of its power systems. The Viking projects [16, 17] considered cyber-attacks on Load Frequency Control (LFC), one of the few automatic control loops in SCADA power systems. They analyzed the impacts of cyber-attacks on the control centers of power systems using reachability methods. However, they only considered attacks on the control centers, which are usually harder to attack than the communication channels in the sensing loop of a power system.

In this paper, we will focus on the impact of introducing time delays in the sensing loop (SL) or in the automatic generation control (AGC) signal, the only automatic closed loop between the IT and the power system in the control area. When an adversary chooses to introduce delays in a control system, he or she is performing a time-delay-switch (TDS) attack. Our work will show how TDS attacks could make any control system, and in particular a power control system, unstable. Therefore, future smart grids will have to use advanced two-way communication and artificial intelligence technologies to provide better situational awareness of power grid states, keeping smart grids reliable and safe from FDI, DoS or TDS attacks. While smart grid technologies will facilitate the aggregation and communication of both system-wide information and local measurements, they will certainly introduce their own cyber security challenges.

This paper is organized as follows. The power system and TDS attacks are modeled using a hybrid systems approach in Section 2. In Section 3, the damage and risk to power systems under TDS attacks are assessed using sabotage and instability analysis. In Section 4 we evaluate the effects of TDS attacks on an LTI approximation of a two-area LFC model.

[Figure 1 (diagram): Power Area 1 and Power Area 2, each with Load Frequency Control, Sensors, Loads, Other Parts, Reference Inputs and a Control Signal, connected by the Tie line power flow; Communication channels carry the sensed states, and an Attacker controls the switch SW on each channel.]

Figure 1 Two-area power system with Load Frequency Control (LFC) under TDS attacks

2. Model of Power Systems with TDS Attacks

It is reasonable to model a power system under TDS attacks as a hybrid system, by formulating TDS attacks as a switch action, “Off/Delay-by-$\tau$”, where $\tau$ (the symbol used here for the delay) is some random delay time, applied to the sensed system states or control signals of a power system. Here we will consider the TDS attack on the power LFC system.

Consider the two-area power system with automatic generation control in Fig. 1 [10]. The LFC sends control signals to the plant, and the controller is updated with feedback states through the communication channels from/to the turbine and from the telemeter measurements of the RTUs. The communication channels are wireless networks. Attacks can be launched by jamming the communication channels (i.e. DoS attack), by distorting feedback signals (e.g. FDI attack), or by injecting delays (i.e. TDS attack) into the data coming from the telemeter measurements.

An LFC is usually designed as an optimal feedback controller. For the LFC to operate optimally, it requires the power state estimates to be telemetered in real time. If an adversary introduces significant time delays in the telemetered control signals or measured states, the LFC will deviate from its optimality and in most cases the system will break down.

The two-area power system model and its extension to the multi-area interlock power system have been proposed in [10]. The dynamic model of the LFC for the $K$th area is given by

$$\dot X_K(t)=A_{KK}X_K(t)+B_K U_K(t)+f\big(X_L(t),P_{l_K}\big),\qquad X_K(0)=X_{K0} \quad (1)$$

where $X_K\in\mathbb{R}^5$ and $U_K\in\mathbb{R}^5$ are the state and the control vectors, respectively. This model also depends on the $L$th power area. The matrices $A_{KK}$ and $B_K$ are constant matrices with appropriate dimensions, and $P_{l_K}$ is the load deviation. $X_{K0}$ is the initial value vector for the $K$th power area. The state vector is defined as

$$X_K(t)=\begin{bmatrix} f_K & P_{gK} & P_{tuK} & P_{pfK} & e_K\end{bmatrix}^T \quad (2)$$

where $f_K$, $P_{gK}$, $P_{tuK}$, $P_{pfK}$ and $e_K$ are the frequency deviation, the power deviation of the generator, the valve position of the turbine, the tie-line power flow and the control error of the $K$th power area, respectively. The control error of the $K$th power area is expressed as

$$e_K(t)=\int_0^t \beta_K\, f_K\, dt \quad (3)$$

where $\beta_K$ (symbol assumed here) denotes the frequency bias factor.

In the dynamic model of the LFC, $A_{KK}$, $B_K$ and $f(X_L(t),P_{l_K})$ are represented by

$$A_{KK}=\begin{bmatrix}
-\dfrac{\delta_K}{J_K} & \dfrac{1}{J_K} & 0 & -\dfrac{1}{J_K} & 0\\[4pt]
0 & -\dfrac{1}{T_{tuK}} & \dfrac{1}{T_{tuK}} & 0 & 0\\[4pt]
-\dfrac{1}{\alpha_K T_{gK}} & 0 & -\dfrac{1}{T_{gK}} & 0 & 0\\[4pt]
2\pi\displaystyle\sum_{L=1,\,L\neq K}^{N} T_{KL} & 0 & 0 & 0 & 0\\[4pt]
\beta_K & 0 & 0 & 0 & 0
\end{bmatrix} \quad (4)$$

$$B_K=\begin{bmatrix}0 & 0 & \dfrac{1}{T_{gK}} & 0 & 0\end{bmatrix}^T \quad (5)$$

$$f\big(X_L(t),P_{l_K}\big)=\sum_{L=1,\,L\neq K}^{N} A_{KL}X_L(t)+D_K P_{l_K} \quad (6)$$

where $N$ is the total number of power areas; $J_K$, $\alpha_K$, $\delta_K$, $T_{gK}$ and $T_{tuK}$ are the generator moment of inertia, the speed-droop coefficient, the generator damping coefficient, the governor time constant and the turbine time constant of the $K$th power area, respectively (the symbols $\alpha_K$ and $\delta_K$, like $\beta_K$ for the bias factor, are assumed here); and $T_{KL}$ is the stiffness constant between the $K$th and the $L$th power areas. Also we have

$$A_{KL}=\begin{bmatrix}
0 & 0 & 0 & 0 & 0\\
0 & 0 & 0 & 0 & 0\\
0 & 0 & 0 & 0 & 0\\
-2\pi T_{KL} & 0 & 0 & 0 & 0\\
0 & 0 & 0 & 0 & 0
\end{bmatrix} \quad (7)$$

and

$$D_K=\begin{bmatrix}-\dfrac{1}{J_K} & 0 & 0 & 0 & 0\end{bmatrix}^T \quad (8)$$

Equation (9) gives the extension of the dynamic model (1) to the multi-area power system with the attack model, using Equations (4), (5), (6), (7) and (8):

$$\dot X(t)=AX(t)+BU(t)+DP_l,\qquad X(0)=X_0 \quad (9)$$

where

$$A=\begin{bmatrix}
A_{11} & A_{12} & A_{13} & \cdots & A_{1N}\\
A_{21} & A_{22} & A_{23} & \cdots & A_{2N}\\
A_{31} & A_{32} & A_{33} & \cdots & A_{3N}\\
\vdots & \vdots & \vdots & \ddots & \vdots\\
A_{N1} & A_{N2} & A_{N3} & \cdots & A_{NN}
\end{bmatrix} \quad (10)$$

$$B=\operatorname{diag}\{B_1,\,B_2,\,B_3,\,\dots,\,B_N\} \quad (11)$$

$$D=\operatorname{diag}\{D_1,\,D_2,\,D_3,\,\dots,\,D_N\} \quad (12)$$
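As an added example (not code from the paper), the following assembles $A$, $B$ and $D$ of (9)–(12) for any number of areas from per-area parameters, using the state ordering $[f_K, P_{gK}, P_{tuK}, P_{pfK}, e_K]$ of (2), and evaluates the right-hand side of (9). The 5×5 block layout (swing equation, turbine, governor with speed droop, tie-line integration, control error) is this example's reading of (4)–(8), and the keys `droop`, `damping` and `bias` are names chosen here for the three per-area coefficients of Table 1; the numeric values are those of Table 1.

```python
"""Assemble the multi-area LFC model (9)-(12) from per-area parameters.
Added example (not code from the paper).  The 5x5 block layout used here
(swing equation, turbine, governor with speed droop, tie-line integration,
control error) is this example's reading of (4)-(8); the keys droop,
damping and bias name the three per-area coefficients of Table 1."""
import math

# Constructed input: the Table 1 values for the two-area case.
AREAS = [
    dict(J=10.0, droop=0.05, damping=1.5, T_g=0.12, T_tu=0.20, bias=21.5),
    dict(J=12.0, droop=0.05, damping=1.0, T_g=0.18, T_tu=0.45, bias=21.0),
]
# Tie-line stiffness T_KL in pu/rad, keyed by (K, L) with 0-based indices.
T_TIE = {(0, 1): 0.198, (1, 0): 0.198}


def area_matrix(k, areas, t_tie):
    """A_KK of (4); rows/columns ordered [f, P_g, P_tu, P_pf, e] as in (2)."""
    p = areas[k]
    tie_sum = sum(t for (i, _), t in t_tie.items() if i == k)
    return [
        [-p["damping"] / p["J"], 1 / p["J"], 0.0, -1 / p["J"], 0.0],  # swing equation
        [0.0, -1 / p["T_tu"], 1 / p["T_tu"], 0.0, 0.0],                 # turbine
        [-1 / (p["droop"] * p["T_g"]), 0.0, -1 / p["T_g"], 0.0, 0.0],  # governor
        [2 * math.pi * tie_sum, 0.0, 0.0, 0.0, 0.0],                    # tie line
        [p["bias"], 0.0, 0.0, 0.0, 0.0],                                # e = int(bias * f)
    ]


def coupling_matrix(k, m, t_tie):
    """A_KL of (7): only f_L enters, through the tie-line row of area K."""
    blk = [[0.0] * 5 for _ in range(5)]
    blk[3][0] = -2 * math.pi * t_tie.get((k, m), 0.0)
    return blk


def assemble(areas, t_tie):
    """Return (A, B, D) of (10)-(12) as nested lists: A is 5N x 5N,
    B and D are 5N x N block-diagonal stacks of (5) and (8)."""
    n = len(areas)
    A = [[0.0] * (5 * n) for _ in range(5 * n)]
    B = [[0.0] * n for _ in range(5 * n)]
    D = [[0.0] * n for _ in range(5 * n)]
    for k in range(n):
        for m in range(n):
            blk = area_matrix(k, areas, t_tie) if k == m else coupling_matrix(k, m, t_tie)
            for r in range(5):
                for c in range(5):
                    A[5 * k + r][5 * m + c] = blk[r][c]
        B[5 * k + 2][k] = 1 / areas[k]["T_g"]   # (5): control enters the governor
        D[5 * k][k] = -1 / areas[k]["J"]        # (8): load deviation enters f
    return A, B, D


def state_derivative(A, B, D, x, u, p_l):
    """Right-hand side of (9): A x + B u + D P_l, on plain lists."""
    def matvec(M, v):
        return [sum(row[j] * v[j] for j in range(len(v))) for row in M]
    ax, bu, dp = matvec(A, x), matvec(B, u), matvec(D, p_l)
    return [ax[i] + bu[i] + dp[i] for i in range(len(x))]


if __name__ == "__main__":
    A, B, D = assemble(AREAS, T_TIE)
    # Unit step load in area 1 only (as in Section 4), system at rest, no control.
    dx = state_derivative(A, B, D, [0.0] * 10, [0.0, 0.0], [1.0, 0.0])
    print("dx/dt at rest under P_l1 = 1:", [round(v, 4) for v in dx])
```

With the system at rest, a step load in area 1 enters only through the frequency row of that area ($-P_{l_1}/J_1$); every other derivative stays zero until the frequency deviation propagates through the governor, turbine and tie-line rows.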

The optimal feedback controller is given by

$$U=-K\hat X \quad (13)$$

and the new state after the attack can be modeled by

$$\hat X=\begin{bmatrix}\hat X_1\\ \hat X_2\\ \vdots\\ \hat X_N\end{bmatrix}=\begin{bmatrix}X_1(t-t_{d1})\\ X_2(t-t_{d2})\\ \vdots\\ X_N(t-t_{dN})\end{bmatrix} \quad (14)$$

In (14), $t_{d1}, t_{d2}, \dots, t_{dN}$ are different time-delays and are positive integers. When $t_{d1}, t_{d2}, \dots, t_{dN}$ are all zero, the system is in normal operation. An adversary can gain access to the communication line and switch a delay attack on the line on and off to drive the system into abnormal operation. This paper analyzes TDS attacks in some detail and shows how they can be used to switch a system into unstable states.

The analysis starts with the design of an optimal controller for the LFC in normal operation (i.e., with no attack); then we analyze the behavior of the system under attack. Consider the system model described by (9) with the performance index

$$J=\frac{1}{2}\int_0^{t_f}\left\{X^T(t)QX(t)+U^T(t)RU(t)\right\}dt \quad (15)$$

where the matrix $Q\in\mathbb{R}^{n\times n}$ is positive semi-definite and $R\in\mathbb{R}^{m\times m}$ is positive definite. Then the optimal control problem is to obtain the optimal control $U^*(t)$ that minimizes the performance index (15), subject to the dynamics of the system with no time-delay in its states.

3. Sabotage and Destabilization Analysis

To show that TDS attacks can destabilize the system, we use the following proof for our hybrid system. Before commencing the proof of the destabilizing effect of the TDS attack, we assume that the LFC can be approximated by a linear time-invariant (LTI) system and that its optimal controller has the form $U(t)=-KX(t)$.

Under a TDS attack, the control can be described by

$$U(t)=\begin{cases}-KX(t), & t<t_a\\ -KX(t-\tau), & t_a\le t\le t_b\\ -KX(t), & t>t_b\end{cases} \quad (16)$$

where $\tau$ is the set of delays $t_{d1}, t_{d2}, \dots, t_{dN}$, $t_a$ is the start time of the attack and $t_b$ is the end time of the attack. It is obvious that the system is stable for all $t<t_a$ and may be stable for $t>t_b$ by the definition of the optimal controller. However, for $t_a\le t\le t_b$ it is not obvious that the system would be stable.

Theorem 1: Without loss of generality we suppose $t_b=\infty$ (the attack does not end). Then we consider the system described in (9) with an attack described by (16). The system under attack is not stable if the hybrid dynamic model of the system has at least one positive eigenvalue, or at least one pole in the right half plane (RHP).

Proof: Consider (9) with $P_l=0$ (for simplicity). Applying (16) to (9) for $t<t_a$, we obtain

$$\dot X(t)=AX(t)-BKX(t) \quad (17)$$

Its characteristic equation is

$$\left|sI-A+BK\right|=0 \quad (18)$$

Solving (18) for $s$ gives the eigenvalues of the system before the attack.

For $t\ge t_a$ the system is described by

$$\dot X(t)=AX(t)-BKX(t-\tau) \quad (19)$$

Taking the Laplace transform of the above equation, we obtain

$$sX(s)=AX(s)-BKe^{-s\tau}X(s) \quad (20)$$

Let $X(t)=e^{st}$ be a proposed solution of (19); then we have

$$sIe^{st}=Ae^{st}-BKe^{-s\tau}e^{st} \quad (21)$$

Here $s$ must satisfy the characteristic equation of the delay system (19), i.e.

$$\left|sI-A+BKe^{-s\tau}\right|=0 \quad (22)$$

In order to keep the system in the same stable situation as before the attack, the new eigenvalues should be at the same place as the eigenvalues right before the attack. So from (18) and (22) we obtain

$$BK\left(I-e^{-s\tau}I\right)=0\;\Rightarrow\;e^{-s\tau}I=I \quad (23)$$

Equation (23) is satisfied if and only if $\tau=0$. Then we can conclude that for $\tau\neq 0$ the system (9) will be disturbed for those subspaces (time-delays), and for larger time-delays the system will be unstable.

4. Demonstration of Instability by Simulation

Simulation studies have been conducted to evaluate the effects of TDS attacks on the dynamics of the system. Based on Pontryagin's minimum principle [18], the optimal control law can be found for the system in its normal operation. For simplicity of discussion, we set $N=2$, which means a two-power-area system. Table 1 shows the parameter values used in this process. Since the simulation over a certain duration tracks a step load change, we also set $P_{l_1}=1$ and $P_{l_2}=0$.

Table 1 Parameter values for the two-area power system optimal controller design

Parameter              Value          Parameter              Value
J_1                    10             α_1 (speed droop)      0.05
δ_1 (damping)          1.5            T_g1                   0.12 s
T_tu1                  0.2 s          T_tu2                  0.45 s
T_12                   0.198 pu/rad   T_21                   0.198 pu/rad
J_2                    12             α_2 (speed droop)      0.05
δ_2 (damping)          1              T_g2                   0.18 s
R                      100            Q_f                    0
Q                      100            t_f                    (not given)
β_1 (frequency bias)   21.5           β_2 (frequency bias)   21

(The symbols α, δ and β for the speed-droop, damping and frequency-bias coefficients are assumed here.)

Then the instability of the system can be studied by finding the eigenvalues of the system before and after the attack. The roots (zeros) of (22) determine the stability of the system. For simulation simplicity, the fifth-order Padé approximation [19] has been used to approximate $e^{-s\tau}$:

$$\left|\,sI-A+BK\,\frac{30240-15120\,s\tau+3360\,s^2\tau^2-420\,s^3\tau^3+30\,s^4\tau^4-s^5\tau^5}{30240+15120\,s\tau+3360\,s^2\tau^2+420\,s^3\tau^3+30\,s^4\tau^4+s^5\tau^5}\,\right|=0 \quad (24)$$

Fig. 2 shows the eigenvalues of the system before and after different TDS attacks. As $\tau$ grows larger than zero, the eigenvalues move from the LHP to the RHP. It clearly shows that the system becomes unstable for a time-delay larger than 0.3 sec. In Fig. 2, crosses, points, circles and stars denote the eigenvalues of the system with no attack and with attacks of time delay 0.1 sec, 0.4 sec and 0.6 sec, respectively. Fig. 3 shows the maximum eigenvalue as a function of the time-delay. Figures 2 and 3 clearly show that the system becomes unstable as the delay value increases.
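The eigenvalue sweep behind Fig. 2 and Fig. 3 can be reproduced without any numerical library. The following added example (not code from the paper) applies the fifth-order Padé approximation of (24) to the delay characteristic equation (22) for a scalar LTI plant $\dot x = a x + b u$ whose optimal gain is replaced by a fixed gain $k$ (an assumption of this example), clears the Padé denominator to obtain a degree-6 polynomial, and finds its roots with the Durand–Kerner iteration; `rightmost_real_part` is the quantity plotted in Fig. 3. For $a=0$, $b=k=1$ the exact delayed loop $\dot x=-x(t-\tau)$ is stable precisely for $\tau<\pi/2$, so the sign change of the returned value between $\tau=1$ and $\tau=3$ is the Padé version of the crossing the paper observes.

```python
"""Delay characteristic equation (22) with the [5/5] Pade approximation (24)
on a scalar plant x' = a x + b u, u = -k x(t - tau).  Added example; the
plant, the fixed gain k and the Durand-Kerner root finder are assumptions
of this example, not the paper's code."""
import math

# [5/5] Pade coefficients of exp(-x): numerator terms alternate in sign,
# denominator terms are all positive, exactly as written in (24).
PADE = (30240.0, 15120.0, 3360.0, 420.0, 30.0, 1.0)


def pade_exp_neg(x):
    """Rational [5/5] Pade approximation of exp(-x)."""
    num = sum(((-1) ** i) * c * x ** i for i, c in enumerate(PADE))
    den = sum(c * x ** i for i, c in enumerate(PADE))
    return num / den


def delay_char_poly(a, b, k, tau):
    """Polynomial (coefficients low -> high in s) obtained by multiplying
    s - a + b k e^{-s tau} = 0 through by the Pade denominator D(s tau)."""
    coeffs = [0.0] * (len(PADE) + 1)
    for i, c in enumerate(PADE):
        d = c * tau ** i                      # coefficient of s^i in D(s tau)
        coeffs[i + 1] += d                    # s * D(s tau)
        coeffs[i] -= a * d                    # -a * D(s tau)
        coeffs[i] += b * k * ((-1) ** i) * d  # b k N(s tau)
    return coeffs


def poly_roots(coeffs):
    """All complex roots of a polynomial by the Durand-Kerner iteration."""
    while len(coeffs) > 1 and coeffs[-1] == 0.0:
        coeffs = coeffs[:-1]                  # drop a vanished leading term
    n = len(coeffs) - 1
    monic = [c / coeffs[-1] for c in coeffs]
    radius = max(1.0, abs(monic[0]) ** (1.0 / n))   # rough root-size scale
    z = [radius * (0.4 + 0.9j) ** i for i in range(n)]

    def p(s):
        return sum(c * s ** i for i, c in enumerate(monic))

    for _ in range(500):
        worst = 0.0
        for i in range(n):
            denom = 1.0
            for j in range(n):
                if j != i:
                    denom *= z[i] - z[j]
            delta = p(z[i]) / denom
            z[i] -= delta
            worst = max(worst, abs(delta))
        if worst < 1e-13:
            break
    return z


def rightmost_real_part(a, b, k, tau):
    """Largest real part of the roots of (22) under the Pade approximation.
    Positive means the delayed closed loop is unstable (Theorem 1)."""
    if tau == 0.0:
        return a - b * k                      # (18): the undelayed loop has one root
    return max(s.real for s in poly_roots(delay_char_poly(a, b, k, tau)))


if __name__ == "__main__":
    # Sweep the delay the way Fig. 3 does; a = 0, b = k = 1 crosses at pi/2.
    for tau in (0.0, 0.5, 1.0, 1.5, math.pi / 2, 2.0, 3.0):
        print(f"tau = {tau:5.3f}  max Re(s) = {rightmost_real_part(0.0, 1.0, 1.0, tau):+.4f}")
```

The degree-6 polynomial has one root pair tracking the dominant root of the true delay equation and four extra roots introduced by the Padé denominator; the latter sit far into the left half plane, so the maximum real part is decided by the tracked pair, which is why the approximation reproduces the crossing seen in Fig. 3.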

[Figure 2 (plot): eigenvalues in the complex plane, real axis from -12 to 4, imaginary axis from -20 to 20.]

Figure 2 Eigenvalues of the system for normal operation and attack by different time-delays

Figure 3 Maximum eigenvalue for different time-delay attacks

The total simulation time is 40 seconds. We assume that the adversary has access to the switch SW in Figure 1 and starts the TDS attack $\tau=[t_{d1}\;t_{d2}\;\cdots\;t_{dn}]^T$ at time $t_a$. In the figures we only show the dynamics of the first area of the two-area system in normal operation and under different attack conditions. In Figure 4, the graphs (a), (b), (c) and (d) show the simulation results of the frequency deviation, the power deviation of the generator, the valve position of the turbine and the tie-line power flow, respectively.

Case 1: The adversary attacks all of the states at $t_a=15$ s with the same time-delay pattern. In Figures 4 (a), (b), (c) and (d), the black lines show normal operation. TDS attack 1 (blue dashes) and TDS attack 2 (red dot-dashes) denote time-delay attacks with $t_{d1}=t_{d2}=\cdots=t_{d10}=0.4$ and $t_{d1}=t_{d2}=\cdots=t_{d10}=0.6$, respectively. It is clear that the system moves into the unstable region under these attacks.

Case 2: The attack starts at time $t_a=5$ s, and the hacker attacks only one state of the system. In Figure 5, graphs (a), (b), (c) and (d), TDS attacks 1 and 2 denote attacks with a time-delay of $t_{d1}=0.6$ and $t_{d1}=1$, respectively (there is no time-delay attack on the other states). In the case of a TDS attack with $t_{d1}=0.3$, the system is disturbed but still stable.

The results of Case 1 and Case 2 show that the adversary can cause instability in the system even by attacking only one state of the system.
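To see the switch behaviour of Cases 1 and 2 in the time domain, here is an added example (not the paper's simulation code) that integrates a scalar plant under the hybrid controller (16): the controller receives the true state until $t_a$, the $\tau$-delayed state while the attack switch is on, and the true state again after $t_b$. The plant $\dot x=ax+bu$, the fixed gain $k$, the delay values and the attack times are this example's own choices; the two-area LFC model is replaced by one state so that the run stays self-contained, and the `attack_verdict` threshold (late-time peak more than ten times the state at attack onset) is a heuristic chosen here.

```python
"""Time-domain view of the TDS switch (14)/(16): the controller acts on the
telemetered state, which is delayed by tau only while the attack switch is
on.  Added example; the scalar plant x' = a x + b u, the fixed gain k and
all times are assumptions of this example, not the paper's simulation."""


def simulate_tds(tau, a=0.0, b=1.0, k=1.0, t_a=5.0, t_b=float("inf"),
                 x0=1.0, t_end=40.0, dt=1e-3):
    """Forward-Euler run; returns a list of (t, x) samples."""
    steps = int(round(t_end / dt))
    lag = int(round(tau / dt))                 # delay expressed in samples
    hist = [x0]                                # full state history = delay line
    out = [(0.0, x0)]
    for n in range(steps):
        t = n * dt
        switch_on = (t_a <= t <= t_b) and lag > 0
        # (14): during the attack the controller sees x(t - tau), otherwise x(t).
        # If the delayed sample would predate t = 0, hold the initial state.
        x_hat = hist[max(0, n - lag)] if switch_on else hist[n]
        u = -k * x_hat                         # (16): same gain, delayed input
        x_next = hist[n] + dt * (a * hist[n] + b * u)
        hist.append(x_next)
        out.append(((n + 1) * dt, x_next))
    return out


def peak_after(samples, t_from):
    """Largest |x| at or after t_from; stays small if the loop is stable."""
    return max(abs(x) for t, x in samples if t >= t_from)


def attack_verdict(tau, **kw):
    """Compare the late-time excursion with the state at attack onset
    (heuristic threshold chosen for this example)."""
    run = simulate_tds(tau, **kw)
    t_a = kw.get("t_a", 5.0)
    at_onset = next(abs(x) for t, x in run if t >= t_a)
    late = peak_after(run, 0.75 * run[-1][0])
    return "unstable" if late > 10 * at_onset else "stable"


if __name__ == "__main__":
    # Delay switched on at t_a = 5 s and never switched off (t_b = infinity).
    for tau in (0.0, 0.3, 1.0, 1.5, 2.0, 3.0):
        print(f"tau = {tau:.1f} s -> {attack_verdict(tau)}")
```

With $a=0$ and $b=k=1$, the delayed loop is $\dot x=-x(t-\tau)$, whose dominant root has negative real part for $\tau<\pi/2$ and positive real part beyond it: after the switch at $t_a$ the state keeps decaying for $\tau=1$ but grows into an oscillation for $\tau=3$, the time-domain counterpart of the eigenvalue migration in Fig. 2.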

5. Conclusion

This paper considers TDS attacks, a new type of attack on the cyber layer of smart grids that can sabotage the dynamic performance of power systems. The LFC power system under TDS attacks is modeled using hybrid systems, and the TDS attacks are formulated as a switch action “Off/Delay-by-$\tau$” on the sensing channels or control inputs. The destabilizing action of TDS attacks on power systems has then been studied using methods from hybrid systems theory. A two-area LFC LTI model has been simulated to evaluate the effects of TDS attacks. The results show that TDS attacks, which can be launched at any time during the operation of the power system, affect the dynamic performance of the LFC system and in many cases could destroy its stability. Our future work will focus on making controllers and communication protocols robust under this type of attack.

[Figure 3 (plot): maximum eigenvalue versus time-delay, delay axis from 0 to 0.7 s; real part from -4 to 0, imaginary part from 0 to 0.8.]

Figure 4-(a) Frequency deviation, $f_K$

Figure 4-(b) Power deviation of generator, $P_{gK}$

Figure 4-(c) Valve position of the turbine, $P_{tuK}$

Figure 4-(d) Tie-line power flow, $P_{pf1}$

[Figure 4 panels: time axis 0 to 40 s; legend: Normal, TDS 1, TDS 2.]

Figure 5-(a) Frequency deviation, $f_K$

Figure 5-(b) Power deviation of generator, $P_{gK}$

Figure 5-(c) Valve position of the turbine, $P_{tuK}$

Figure 5-(d) Tie-line power flow, $P_{pf1}$

[Figure 5 panels: time axis 0 to 40 s; legend: Normal operation, TDS 1, TDS 2, TDS 3.]

References

[1] Gorman, S. (2009, April 8). Electricity Grid in U.S. Penetrated By Spies. The Wall Street Journal, A1.

[2] Greenberg, A. (2008, January 18). Hackers Cut Cities' Power. Forbes.

[3] Meserve, J. (2007, September 26). Sources: Staged cyber attack reveals vulnerability in power grid. CNN.

[4] BBC News (2000, January 18). Colombia rebels blast power pylons. Retrieved from http://news.bbc.co.uk/2/hi/americas/607782.stm

[5] Pidd, H. (2012, July 31). India blackouts leave 700 million without power. The Guardian.

[6] Vijayan, J. (2010, July 26). Stuxnet renews power grid security concerns. Computerworld.

[7] Byres, E., & Lowe, J. (2004). The Myths and Facts behind Cyber Security Risks for Industrial Control Systems. Paper presented at the VDE Kongress, Berlin, Germany.


[8] Amin, S., Cardenas, A. A., & Sastry, S. S. (2009). Safe and Secure Networked Control Systems under Denial-of-Service Attacks. Paper presented at the Proceedings of the 12th International Conference on Hybrid Systems: Computation and Control, San Francisco, CA.

[9] Cardenas, A. A., Amin, S., & Sastry, S. (2008). Research challenges for the security of control systems. Paper presented at the Proceedings of the 3rd conference on Hot topics in security, San Jose, CA.

[10] Liu, S., Liu, X. P., & Saddik, A. E. (2013). Denial-of-Service (DoS) attacks on load frequency control in smart grids. Paper presented at the Innovative Smart Grid Technologies (ISGT), 2013 IEEE PES.

[11] Liu, Y., Ning, P., & Reiter, M. K. (2009). False data injection attacks against state estimation in electric power grids. Paper presented at the 16th ACM Conference on Computer and Communications Security (CCS '09), New York, NY, USA.

[12] Song, H., Zhu, S., & Cao, G. (2007). Attack-resilient time synchronization for wireless sensor networks. Ad Hoc Networks, 5(1), 112-125. ISSN 1570-8705.

[13] Teixeira, A., Amin, S., Sandberg, H., Johansson, K. H., & Sastry, S. S. (2010, December 15-17). Cyber security analysis of state estimators in electric power systems. Paper presented at the 49th IEEE Conference on Decision and Control (CDC), 2010.

[14] Mo, Y., & Sinopoli, B. (2010, April). False data injection attacks in control systems. Paper presented at the 1st Workshop on Secure Control Systems, Stockholm, Sweden.

[15] Kosut, O., Liyan, J., Thomas, R. J., & Lang, T. (2011). Malicious Data Attacks on the Smart Grid. IEEE Transactions on Smart Grid, 2(4), 645-658. doi: 10.1109/tsg.2011.2163807

[16] Esfahani, P. M., Vrakopoulou, M., Margellos, K., Lygeros, J., & Andersson, G. (2010). A robust policy for automatic generation control cyber attack in two area power network. Paper presented at the 49th IEEE Conference on Decision and Control (CDC), 2010.

[17] Mohajerin Esfahani, P., Vrakopoulou, M., Margellos, K., Lygeros, J., & Andersson, G. (2010). Cyber attack in a two-area power system: Impact identification using reachability. Paper presented at the American Control Conference (ACC), 2010.

[18] Sargolzaei, A., Yen, K. K., Noei, S., & Ramezanpour, H. (2013). Assessment of He's homotopy perturbation method for optimal control of linear time-delay systems. Applied Mathematical Sciences, 7(8), 349-361.

[19] Golub, G. H., & Van Loan, C. F. (1989). Matrix Computations. Johns Hopkins University Press, Baltimore, pp. 557-558.