Spoofing State Estimation
William Niemira

Overview
- State Estimation
- DC Estimator
- Bad Data
- Malicious Data
- Examples
- Mitigation Strategies

State Estimation
- Finite transmission capacity
- Economic and security aspects must be managed
  - Contingency analysis
  - Pricing
  - Congestion management
- Accurate state information needed

State Estimation
- Networks are large
  - Thousands or tens of thousands of buses
  - Large geographical area
- Many measurements to reconcile
  - Different types
  - Redundant
  - Subject to error

State Estimation
- State estimation uses measurement redundancy to improve accuracy
- Finds best fit for data
- Differences between measures and estimates can indicate errors

DC Estimator
- Overdetermined system of linear equations
- Solved as a weighted least-squares problem
- Assumes:
  - Lossless branches (neglects resistance and shunt impedances)
  - Flat voltage profile (same magnitude at each bus)
- Reduces computational burden

DC Estimator

$$z = Hx + e$$

- $x$ is the vector of $n$ states
- $z$ is the vector of $m$ measurements
- $H$ is the $m \times n$ Jacobian matrix
- $e$ is an $m$-vector of random errors

DC Estimator
- Residual vector $r = z - Hx$
- Estimated as $z - \hat{z}$, where $\hat{z} = H\hat{x}$
- Minimize:

$$J(x) = (z - Hx)'\, W\, (z - Hx)$$

- Where $W$ is a diagonal matrix of measurement weights

DC Estimator
- Differentiate $J(x)$ to obtain

$$G\hat{x} = H'Wz$$

- Where $\hat{x}$ is the state estimate and $G = H'WH$ is the state estimation gain matrix
- Bad data assumed if $\lVert z - H\hat{x} \rVert > \varepsilon$, where $\varepsilon$ is some tolerance

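1-Bus Example

- $P_G = P_G^{\text{meas}}$
- $P_{L1} = P_{L1}^{\text{meas}}$
- $-P_{L1} - P_G = P_{L2}^{\text{meas}}$

In matrix form, $Hx = z$:

$$\begin{bmatrix} 1 & 0 \\ 0 & 1 \\ -1 & -1 \end{bmatrix} \begin{bmatrix} P_G \\ P_{L1} \end{bmatrix} = \begin{bmatrix} P_G^{\text{meas}} \\ P_{L1}^{\text{meas}} \\ P_{L2}^{\text{meas}} \end{bmatrix}$$
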
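1-Bus Example

For variances of 0.004, 0.001, and 0.001 for $P_G^{\text{meas}}$, $P_{L1}^{\text{meas}}$, $P_{L2}^{\text{meas}}$ respectively:

$$W = \begin{bmatrix} 250 & 0 & 0 \\ 0 & 1000 & 0 \\ 0 & 0 & 1000 \end{bmatrix}, \qquad G = H'WH = \begin{bmatrix} 1250 & 1000 \\ 1000 & 2000 \end{bmatrix}$$
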
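1-Bus Example

$$z = \begin{bmatrix} P_G^{\text{meas}} \\ P_{L1}^{\text{meas}} \\ P_{L2}^{\text{meas}} \end{bmatrix} = \begin{bmatrix} 1.05 \\ -0.72 \\ -0.29 \end{bmatrix}$$

$$\hat{x} = G^{-1}H'Wz = \begin{bmatrix} 1.0233 \\ -0.7267 \end{bmatrix}$$

$$\hat{z} = H\hat{x} = \begin{bmatrix} 1.0233 \\ -0.7267 \\ -0.2967 \end{bmatrix}, \qquad \hat{r} = z - \hat{z} = \begin{bmatrix} 0.0267 \\ 0.0067 \\ 0.0067 \end{bmatrix}$$
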
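3-Bus Example

- $-50\,\theta_2 - 100\,\theta_3 = P_1^{\text{meas}}$
- $150\,\theta_2 - 100\,\theta_3 = P_2^{\text{meas}}$
- $-100\,\theta_2 + 200\,\theta_3 = P_3^{\text{meas}}$
- $-100\,\theta_3 = P_{13}^{\text{meas}}$

In matrix form:

$$\begin{bmatrix} -50 & -100 \\ 150 & -100 \\ -100 & 200 \\ 0 & -100 \end{bmatrix} \begin{bmatrix} \theta_2 \\ \theta_3 \end{bmatrix} = \begin{bmatrix} P_1^{\text{meas}} \\ P_2^{\text{meas}} \\ P_3^{\text{meas}} \\ P_{13}^{\text{meas}} \end{bmatrix}$$

$$H = \begin{bmatrix} -50 & -100 \\ 150 & -100 \\ -100 & 200 \\ 0 & -100 \end{bmatrix}, \quad x = \begin{bmatrix} \theta_2 \\ \theta_3 \end{bmatrix}, \quad z = \begin{bmatrix} P_1^{\text{meas}} \\ P_2^{\text{meas}} \\ P_3^{\text{meas}} \\ P_{13}^{\text{meas}} \end{bmatrix}$$
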
Bad Data
- Bad data usually consists of isolated, random errors
- These types of errors tend to increase the residual
- Measurements with large residuals can be omitted to check for better fit
- Works well for non-interacting bad measurements

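1-Bus Example

Good Data

$$z = \begin{bmatrix} P_G^{\text{meas}} \\ P_{L1}^{\text{meas}} \\ P_{L2}^{\text{meas}} \end{bmatrix} = \begin{bmatrix} 1.05 \\ -0.72 \\ -0.29 \end{bmatrix}, \qquad \hat{x} = G^{-1}H'Wz = \begin{bmatrix} 1.0233 \\ -0.7267 \end{bmatrix}$$

$$\hat{z} = H\hat{x} = \begin{bmatrix} 1.0233 \\ -0.7267 \\ -0.2967 \end{bmatrix}, \qquad \hat{r} = z - \hat{z} = \begin{bmatrix} 0.0267 \\ 0.0067 \\ 0.0067 \end{bmatrix}$$

Bad Data

$$z = \begin{bmatrix} P_G^{\text{meas}} \\ P_{L1}^{\text{meas}} \\ P_{L2}^{\text{meas}} \end{bmatrix} + \begin{bmatrix} 0.1 \\ 0 \\ 0 \end{bmatrix} = \begin{bmatrix} 1.15 \\ -0.72 \\ -0.29 \end{bmatrix}, \qquad \hat{x} = G^{-1}H'Wz = \begin{bmatrix} 1.0567 \\ -0.7433 \end{bmatrix}$$

$$\hat{z} = H\hat{x} = \begin{bmatrix} 1.0567 \\ -0.7433 \\ -0.3133 \end{bmatrix}, \qquad \hat{r} = z - \hat{z} = \begin{bmatrix} 0.0933 \\ 0.0233 \\ 0.0233 \end{bmatrix}$$
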
Malicious Data
- Malicious data (data manipulated by an adversary) need not be isolated or random
- Adversary may inject multiple coordinated measurement errors
- Errors could interact with each other or other measurements
- Could change $\hat{x}$ without increasing $\lVert z - H\hat{x} \rVert$

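Attack Formation
- Given: $\lVert z - H\hat{x} \rVert < \varepsilon$
- Attacked measurement vector $z_a = z + a$
- Attack vector $a$
- Estimated states due to attack $\hat{x}_a = \hat{x} + c$
- Clever adversary chooses $a = Hc$

$$\lVert z_a - H\hat{x}_a \rVert = \lVert z + a - H(\hat{x} + c) \rVert = \lVert z - H\hat{x} + (a - Hc) \rVert = \lVert z - H\hat{x} \rVert < \varepsilon$$
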
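1-Bus Example

- $P_G = P_G^{\text{meas}}$
- $P_{L1} = P_{L1}^{\text{meas}}$
- $-P_{L1} - P_G = P_{L2}^{\text{meas}}$

$$H = \begin{bmatrix} 1 & 0 \\ 0 & 1 \\ -1 & -1 \end{bmatrix}, \quad z = \begin{bmatrix} P_G^{\text{meas}} \\ P_{L1}^{\text{meas}} \\ P_{L2}^{\text{meas}} \end{bmatrix}, \quad x = \begin{bmatrix} P_G \\ P_{L1} \end{bmatrix}$$

Unobservable attack vectors: any linear combination of $a_1$ and $a_2$

$$a_1 = \begin{bmatrix} 1 \\ 0 \\ -1 \end{bmatrix}, \qquad a_2 = \begin{bmatrix} 0 \\ 1 \\ -1 \end{bmatrix}$$
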
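1-Bus Example

Unattacked

$$z = \begin{bmatrix} P_G^{\text{meas}} \\ P_{L1}^{\text{meas}} \\ P_{L2}^{\text{meas}} \end{bmatrix} = \begin{bmatrix} 1.05 \\ -0.72 \\ -0.29 \end{bmatrix}, \qquad \hat{x} = G^{-1}H'Wz = \begin{bmatrix} 1.0233 \\ -0.7267 \end{bmatrix}$$

$$\hat{z} = H\hat{x} = \begin{bmatrix} 1.0233 \\ -0.7267 \\ -0.2967 \end{bmatrix}, \qquad \hat{r} = z - \hat{z} = \begin{bmatrix} 0.0267 \\ 0.0067 \\ 0.0067 \end{bmatrix}$$

Attacked

$$z = \begin{bmatrix} P_G^{\text{meas}} \\ P_{L1}^{\text{meas}} \\ P_{L2}^{\text{meas}} \end{bmatrix} + \begin{bmatrix} 0.5 \\ 0.5 \\ -1 \end{bmatrix} = \begin{bmatrix} 1.55 \\ -0.22 \\ -1.29 \end{bmatrix}, \qquad \hat{x} = G^{-1}H'Wz = \begin{bmatrix} 1.5233 \\ -0.2267 \end{bmatrix}$$

$$\hat{z} = H\hat{x} = \begin{bmatrix} 1.5233 \\ -0.2267 \\ -1.2967 \end{bmatrix}, \qquad \hat{r} = z - \hat{z} = \begin{bmatrix} 0.0267 \\ 0.0067 \\ 0.0067 \end{bmatrix}$$
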
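The 1-bus comparison above, reproduced as an added example that is not part of the original slides: a two-state weighted least-squares estimator in plain Python that applies the residual test to the good, bad and attacked measurement vectors, and measures how much of an error vector the test can see. H, W and the measurement vectors are the slides' values; the tolerance EPS and all function names are assumptions made for the illustration.

```python
H = [[1, 0], [0, 1], [-1, -1]]      # rows: PG, PL1, PL2 measurements (from the slides)
W = [250.0, 1000.0, 1000.0]         # weights = 1/variance (from the slides)

def wls(z, H=H, W=W):
    """Solve G x = H'Wz for a two-state system; return (x_hat, residual vector)."""
    m = len(H)
    # Gain matrix G = H'WH (symmetric 2x2) and right-hand side b = H'Wz
    g11 = sum(W[i] * H[i][0] * H[i][0] for i in range(m))
    g12 = sum(W[i] * H[i][0] * H[i][1] for i in range(m))
    g22 = sum(W[i] * H[i][1] * H[i][1] for i in range(m))
    b1 = sum(W[i] * H[i][0] * z[i] for i in range(m))
    b2 = sum(W[i] * H[i][1] * z[i] for i in range(m))
    det = g11 * g22 - g12 * g12
    x = [(g22 * b1 - g12 * b2) / det, (g11 * b2 - g12 * b1) / det]
    r = [z[i] - (H[i][0] * x[0] + H[i][1] * x[1]) for i in range(m)]
    return x, r

def norm(v):
    return sum(e * e for e in v) ** 0.5

def flags_bad_data(z, eps):
    """Residual test from the slides: bad data assumed if ||z - H x_hat|| > eps."""
    return norm(wls(z)[1]) > eps

def residual_footprint(a):
    """Portion of an error vector a that the residual test can see.
    The estimator is linear, so adding a to z adds a - H*wls(a) to r;
    that term is zero exactly when a = Hc for some c."""
    return norm(wls(a)[1])

z_good = [1.05, -0.72, -0.29]       # slide values
z_bad = [1.15, -0.72, -0.29]        # +0.1 random error on PGmeas
z_att = [1.55, -0.22, -1.29]        # z_good + Hc with c = [0.5, 0.5]
EPS = 0.05                          # assumed tolerance, not from the slides

if __name__ == "__main__":
    for name, z in (("good", z_good), ("bad", z_bad), ("attacked", z_att)):
        x, r = wls(z)
        print(f"{name:9s} x_hat={[round(v, 4) for v in x]} "
              f"||r||={norm(r):.4f} flagged={flags_bad_data(z, EPS)}")
    print("footprint of [0.1, 0, 0]:   ", round(residual_footprint([0.1, 0, 0]), 4))
    print("footprint of [0.5, 0.5, -1]:", round(residual_footprint([0.5, 0.5, -1]), 4))
```

The footprint check is useful when reviewing sensor placement: any error pattern with zero footprint is invisible to the residual test regardless of the tolerance chosen.
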
For Real?
- In practice, state estimators are more complicated than previous examples
- Assumed strong adversary:
  - Has access to topology information
  - Has some means to change measurements
- Why would someone do this?
  - Simulate congestion—could affect markets
  - Reduce awareness of system operator

AC Estimator
- AC model accounts for some effects neglected in the DC model
- Attacks as generated earlier will affect residual
- Attack may not have effect intended by adversary

AC Estimator

$$z = h(x) + e$$

- $x$ is the vector of $n$ states
- $z$ is the vector of $m$ measurements
- $h(\cdot)$ is a nonlinear vector function relating measurements to states
- $e$ is an $m$-vector of random errors

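AC Estimator
- Solved using Gauss-Newton method
- Gain matrix:

$$G(x) = H'(x)\, R_z^{-1}\, H(x)$$

- $R_z$ is a diagonal matrix of variances
- Estimation procedure:

$$\Delta\hat{x}^{\nu} = G(\hat{x}^{\nu})^{-1}\, H'(\hat{x}^{\nu})\, R_z^{-1}\, \Delta z(\hat{x}^{\nu})$$

$$\hat{x}^{\nu+1} = \hat{x}^{\nu} + \Delta\hat{x}^{\nu}$$
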
AC Estimator
- DC approximation is pretty good
- Harder to detect attack than random error
- Relatively large attacks may escape detection
- Grid state affects quality of DC attack

Detection
- Focus on quantities neglected by DC model (VARs)
- VARs tend to be localized
- Attack → Losses change → VAR flow and generation changes

Detection
- Alternative approach is to estimate parameters simultaneously with states
- Augment state vector with known parameters
- Compare known values to parameter estimates to find bad data

Detection
- Choose something known to the control center but not an attacker
- Example: TCUL transformer tap position, D-FACTS setting
- Attacks will perturb parameter estimates

Conclusions
- State estimators, even nonlinear estimators, are vulnerable to malicious data
- Malicious data is different from conventional bad data
- Nonlinearity effects of the attack may be detectable
- Parameter estimation can verify data

Questions? Thank you!