1. Spoofing State Estimation
William Niemira

2. Overview State Estimation DC Estimator Bad Data Malicious Data
Examples
Mitigation Strategies

3. State Estimation Finite transmission capacity
Economic and security aspects must be managed
Contingency analysis
Pricing
Congestion management
Accurate state information needed

4. State Estimation Networks are large Many measurements to reconcile
Thousands or tens of thousands of buses
Large geographical area
Many measurements to reconcile
Different types
Redundant
Subject to error

5. State Estimation
State estimation uses measurement redundancy to improve accuracy
Finds best fit for data
Differences between measures and estimates can indicate errors

6. DC Estimator Overdetermined system of linear equations
Solved as weighted-least squares problem
Assumes:
Lossless branches (neglects resistance and shunt impedances)
Flat voltage profile (same magnitude at each bus)
Reduces computational burden

7. DC Estimator 𝑧=𝐻𝑥+𝑒 𝑥 is the vector of n states
𝑧 is the vector of m measurements
𝐻 is the m x n Jacobian matrix
𝑒 is an m vector of random errors

8. DC Estimator Residual vector 𝑟=𝑧−𝐻𝑥 Estimated as 𝑧− 𝑧 where 𝑧 =𝐻 𝑥
Minimize:
𝐽 𝑥 = 𝑧−𝐻𝑥 ′ 𝑊 (𝑧−𝐻𝑥)
Where 𝑊 is a diagonal matrix of measurement weights

9. DC Estimator Differentiate 𝐽(𝑥) to obtain 𝐺 𝑥 = 𝐻 ′ 𝑊𝑧
Where 𝑥 is the state estimate and 𝐺= 𝐻 ′ 𝑊𝐻 is the state estimation gain matrix
Bad data assumed if 𝑧−𝐻 𝑥 >ε where ε is some tolerance

10. 1-Bus Example 1 0 0 1 −1 −1 PG PL1 = PGmeas PL1meas PL2meas 𝐻 𝑥 = 𝑧
PG = PGmeas
PL1 = PL1meas
– PL1 – PG = PL2meas
−1 −1 PG PL1 = PGmeas PL1meas PL2meas
𝐻 𝑥 = 𝑧

11. 1-Bus Example
For variances of 0.004, 0.001, and for PGmeas , PL1meas , PL2meas respectively 𝑊= 𝐺= 𝐻 ′ 𝑊𝐻=

12. 1-Bus Example 𝑧= PGmeas PL1meas PL2meas = 1.05 −.72 −.29
𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.7267
𝑧 =𝐻 𝑥 = −.7267 −.2967
𝑟 =𝑧− 𝑧 =

13. 3-Bus Example
– 50 θ2 – 100 θ3 = P1meas 150 θ2 – 100 θ3 = P2meas – 100 θ θ3 = P3meas – 100 θ3 = P13meas

14. −50 −100 150 −100 −100 200 0 −100 θ2 θ3 = P1meas P2meas P3meas P13meas
3-Bus Example
−50 − −100 − − θ2 θ3 = P1meas P2meas P3meas P13meas

15. 3-Bus Example
H= −50 − −100 − −100 , 𝑥= θ2 θ3 , 𝑧= P1meas P2meas P3meas P13meas

16. Bad Data Bad data usually consists of isolated, random errors
These types of errors tend to increase the residual
Measurements with large residuals can be omitted to check for better fit
Works well for non-interacting bad measurements

17. 1-Bus Example Good Data Bad Data
𝑧= PGmeas PL1meas PL2meas = 1.05 −.72 −.29 𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.7267 𝑧 =𝐻 𝑥 = −.7267 −.2967 𝑟 =𝑧− 𝑧 =
𝑧= PGmeas PL1meas PL2meas = 1.15 −.72 −0.29 𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.7433 𝑧 =𝐻 𝑥 = −.7433 −.3133 𝑟 =𝑧− 𝑧 =

18. Malicious Data
Malicious data (data manipulated by an adversary) need not be isolated or random
Adversary may inject multiple coordinated measurement errors
Errors could interact with each other or other measurements
Could change 𝑥 without increasing 𝑧−𝐻 𝑥

19. Attack Formation Given: 𝑧−𝐻 𝑥 <ε
Attacked measurement vector 𝑧 𝑎 =𝑧+𝑎
Attack vector 𝑎
Estimated states due to attack 𝑥 𝑎= 𝑥 +𝑐
Clever adversary chooses 𝑎=𝐻𝑐
𝑧 𝑎 −𝐻 𝑥 𝑎 = 𝑧+𝑎−𝐻( 𝑥 +𝑐)
= 𝑧−𝐻 𝑥 +(𝑎−𝐻𝑐)
= 𝑧−𝐻 𝑥 <ε

20. 1-Bus Example 1 0 0 1 −1 −1 PG PL1 = PGmeas PL1meas PL2meas
PG = PGmeas
PL1 = PL1meas
– PL1 – PG = PL2meas
−1 −1 PG PL1 = PGmeas PL1meas PL2meas

21. 1-Bus Example
𝐻= −1 −1 𝑧= PGmeas PL1meas PL2meas x= PG PL1 Unobservable attack vectors: Any linear combination of 𝑎 1 and 𝑎 2 𝑎 1 = 1 0 −1 , 𝑎 2 = 0 1 −1

22. 1-Bus Example Unattacked Attacked
𝑧= PGmeas PL1meas PL2meas = 1.05 −.72 −.29 𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.7267 𝑧 =𝐻 𝑥 = −.7267 −.2967 𝑟 =𝑧− 𝑧 =
𝑧= PGmeas PL1meas PL2meas −1 = 1.55 −.22 −1.29 𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.2267 𝑧 =𝐻 𝑥 = −.2267 − 𝑟 =𝑧− 𝑧 =

23. For Real?
In practice, state estimators are more complicated than previous examples
Assumed strong adversary:
Has access to topology information
Has some means to change measurements
Why would someone do this?
Simulate congestion—could affect markets
Reduce awareness of system operator

24. AC Estimator
AC model accounts for some effects neglected in the DC model
Attacks as generated earlier will affect residual
Attack may not have effect intended by adversary

25. AC Estimator 𝑧=ℎ(𝑥)+𝑒 𝑥 is the vector of n states
𝑧 is the vector of m measurements
ℎ(.) is nonlinear vector function relating measurements to states
𝑒 is an m vector of random errors

26. AC Estimator Solved using Gauss Newton method
Gain matrix: 𝐺 𝑥 = 𝐻 ′ 𝑥 𝑅𝑧 −1 𝐻 𝑥
𝑅𝑧 is diagonal matrix of variances
Estimation procedure:
Δ 𝑥 ν = 𝐺( 𝑥 ν ) −1 𝐻′( 𝑥 ν ) 𝑅𝑧 −1 Δ𝑧( 𝑥 ν )
𝑥 ν+1 = 𝑥 ν +Δ 𝑥 ν

27. AC Estimator DC approximation is pretty good
Harder to detect attack than random error
Relatively large attacks may escape detection
Grid state affects quality of DC attack

28. Detection Focus on quantities neglected by DC model (VARs)
VARs tend to be localized
AttackLosses changeVAR flow and generation changes

29. Detection
Alternative approach is to estimate parameters simultaneously with states
Augment state vector with known parameters
Compare known values to parameter estimates to find bad data

30. Detection
Choose something known to the control center but not an attacker
Example: TCUL xformer tap position, D-FACTS setting
Attacks will perturb parameter estimates

31. Conclusions
State estimators, even nonlinear estimators, are vulnerable to malicious data
Malicious data is different from conventional bad data
Nonlinearity effects of the attack may be detectable
Parameter estimation can verify data

32. Questions?
Thank you!