Presentation is loading. Please wait.

# Spoofing State Estimation

## Presentation on theme: "Spoofing State Estimation"— Presentation transcript:

Spoofing State Estimation
William Niemira

Overview State Estimation DC Estimator Bad Data Malicious Data
Examples Mitigation Strategies

State Estimation Finite transmission capacity
Economic and security aspects must be managed Contingency analysis Pricing Congestion management Accurate state information needed

State Estimation Networks are large Many measurements to reconcile
Thousands or tens of thousands of buses Large geographical area Many measurements to reconcile Different types Redundant Subject to error

State Estimation State estimation uses measurement redundancy to improve accuracy Finds best fit for data Differences between measures and estimates can indicate errors

DC Estimator Overdetermined system of linear equations
Solved as weighted-least squares problem Assumes: Lossless branches (neglects resistance and shunt impedances) Flat voltage profile (same magnitude at each bus) Reduces computational burden

DC Estimator 𝑧=𝐻𝑥+𝑒 𝑥 is the vector of n states
𝑧 is the vector of m measurements 𝐻 is the m x n Jacobian matrix 𝑒 is an m vector of random errors

DC Estimator Residual vector 𝑟=𝑧−𝐻𝑥 Estimated as 𝑧− 𝑧 where 𝑧 =𝐻 𝑥
Minimize: 𝐽 𝑥 = 𝑧−𝐻𝑥 ′ 𝑊 (𝑧−𝐻𝑥) Where 𝑊 is a diagonal matrix of measurement weights

DC Estimator Differentiate 𝐽(𝑥) to obtain 𝐺 𝑥 = 𝐻 ′ 𝑊𝑧
Where 𝑥 is the state estimate and 𝐺= 𝐻 ′ 𝑊𝐻 is the state estimation gain matrix Bad data assumed if 𝑧−𝐻 𝑥 >ε where ε is some tolerance

1-Bus Example 1 0 0 1 −1 −1 PG PL1 = PGmeas PL1meas PL2meas 𝐻 𝑥 = 𝑧
PG = PGmeas PL1 = PL1meas – PL1 – PG = PL2meas −1 −1 PG PL1 = PGmeas PL1meas PL2meas 𝐻 𝑥 = 𝑧

1-Bus Example For variances of 0.004, 0.001, and for PGmeas , PL1meas , PL2meas respectively 𝑊= 𝐺= 𝐻 ′ 𝑊𝐻=

1-Bus Example 𝑧= PGmeas PL1meas PL2meas = 1.05 −.72 −.29
𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.7267 𝑧 =𝐻 𝑥 = −.7267 −.2967 𝑟 =𝑧− 𝑧 =

3-Bus Example – 50 θ2 – 100 θ3 = P1meas 150 θ2 – 100 θ3 = P2meas – 100 θ θ3 = P3meas – 100 θ3 = P13meas

−50 −100 150 −100 −100 200 0 −100 θ2 θ3 = P1meas P2meas P3meas P13meas
3-Bus Example −50 − −100 − − θ2 θ3 = P1meas P2meas P3meas P13meas

3-Bus Example H= −50 − −100 − −100 , 𝑥= θ2 θ3 , 𝑧= P1meas P2meas P3meas P13meas

Bad Data Bad data usually consists of isolated, random errors
These types of errors tend to increase the residual Measurements with large residuals can be omitted to check for better fit Works well for non-interacting bad measurements

1-Bus Example Good Data Bad Data
𝑧= PGmeas PL1meas PL2meas = 1.05 −.72 −.29 𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.7267 𝑧 =𝐻 𝑥 = −.7267 −.2967 𝑟 =𝑧− 𝑧 = 𝑧= PGmeas PL1meas PL2meas = 1.15 −.72 −0.29 𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.7433 𝑧 =𝐻 𝑥 = −.7433 −.3133 𝑟 =𝑧− 𝑧 =

Malicious Data Malicious data (data manipulated by an adversary) need not be isolated or random Adversary may inject multiple coordinated measurement errors Errors could interact with each other or other measurements Could change 𝑥 without increasing 𝑧−𝐻 𝑥

Attack Formation Given: 𝑧−𝐻 𝑥 <ε
Attacked measurement vector 𝑧 𝑎 =𝑧+𝑎 Attack vector 𝑎 Estimated states due to attack 𝑥 𝑎= 𝑥 +𝑐 Clever adversary chooses 𝑎=𝐻𝑐 𝑧 𝑎 −𝐻 𝑥 𝑎 = 𝑧+𝑎−𝐻( 𝑥 +𝑐) = 𝑧−𝐻 𝑥 +(𝑎−𝐻𝑐) = 𝑧−𝐻 𝑥 <ε

1-Bus Example 1 0 0 1 −1 −1 PG PL1 = PGmeas PL1meas PL2meas
PG = PGmeas PL1 = PL1meas – PL1 – PG = PL2meas −1 −1 PG PL1 = PGmeas PL1meas PL2meas

1-Bus Example 𝐻= −1 −1 𝑧= PGmeas PL1meas PL2meas x= PG PL1 Unobservable attack vectors: Any linear combination of 𝑎 1 and 𝑎 2 𝑎 1 = 1 0 −1 , 𝑎 2 = 0 1 −1

1-Bus Example Unattacked Attacked
𝑧= PGmeas PL1meas PL2meas = 1.05 −.72 −.29 𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.7267 𝑧 =𝐻 𝑥 = −.7267 −.2967 𝑟 =𝑧− 𝑧 = 𝑧= PGmeas PL1meas PL2meas −1 = 1.55 −.22 −1.29 𝑥 = 𝐺 −1 𝐻 ′ 𝑊 𝑧= −.2267 𝑧 =𝐻 𝑥 = −.2267 − 𝑟 =𝑧− 𝑧 =

For Real? In practice, state estimators are more complicated than previous examples Assumed strong adversary: Has access to topology information Has some means to change measurements Why would someone do this? Simulate congestion—could affect markets Reduce awareness of system operator

AC Estimator AC model accounts for some effects neglected in the DC model Attacks as generated earlier will affect residual Attack may not have effect intended by adversary

AC Estimator 𝑧=ℎ(𝑥)+𝑒 𝑥 is the vector of n states
𝑧 is the vector of m measurements ℎ(.) is nonlinear vector function relating measurements to states 𝑒 is an m vector of random errors

AC Estimator Solved using Gauss Newton method
Gain matrix: 𝐺 𝑥 = 𝐻 ′ 𝑥 𝑅𝑧 −1 𝐻 𝑥 𝑅𝑧 is diagonal matrix of variances Estimation procedure: Δ 𝑥 ν = 𝐺( 𝑥 ν ) −1 𝐻′( 𝑥 ν ) 𝑅𝑧 −1 Δ𝑧( 𝑥 ν ) 𝑥 ν+1 = 𝑥 ν +Δ 𝑥 ν

AC Estimator DC approximation is pretty good
Harder to detect attack than random error Relatively large attacks may escape detection Grid state affects quality of DC attack

Detection Focus on quantities neglected by DC model (VARs)
VARs tend to be localized AttackLosses changeVAR flow and generation changes

Detection Alternative approach is to estimate parameters simultaneously with states Augment state vector with known parameters Compare known values to parameter estimates to find bad data

Detection Choose something known to the control center but not an attacker Example: TCUL xformer tap position, D-FACTS setting Attacks will perturb parameter estimates

Conclusions State estimators, even nonlinear estimators, are vulnerable to malicious data Malicious data is different from conventional bad data Nonlinearity effects of the attack may be detectable Parameter estimation can verify data

Questions? Thank you!

Download ppt "Spoofing State Estimation"

Similar presentations

Ads by Google