spoofing state estimation william niemira. overview state estimation dc estimator bad data malicious...
TRANSCRIPT
Spoofing State Estimation
William Niemira
Overview
• State Estimation• DC Estimator• Bad Data• Malicious Data• Examples• Mitigation Strategies
2
State Estimation
• Finite transmission capacity
• Economic and security aspects must be managed– Contingency analysis– Pricing– Congestion
management
• Accurate state information needed
3
State Estimation
• Networks are large– Thousands or tens of thousands of buses– Large geographical area
• Many measurements to reconcile– Different types– Redundant– Subject to error
4
State Estimation
• State estimation uses measurement redundancy to improve accuracy
• Finds best fit for data
• Differences between measures and estimates can indicate errors
5
DC Estimator
• Overdetermined system of linear equations
• Solved as weighted-least squares problem
• Assumes:– Lossless branches (neglects resistance
and shunt impedances)– Flat voltage profile (same magnitude at
each bus)• Reduces computational burden
6
DC Estimator
• is the vector of n states• is the vector of m measurements• is the m x n Jacobian matrix• is an m vector of random errors
7
DC Estimator
• Residual vector
• Estimated as where • Minimize:
• Where is a diagonal matrix of measurement weights
8
DC Estimator
• Differentiate to obtain
• Where is the state estimate and is the state estimation gain matrix
• Bad data assumed if where is some tolerance
9
1-Bus Example
PG = PGmeas
PL1 = PL1meas
– PL1 – PG = PL2meas
10
1-Bus Example
For variances of 0.004, 0.001, and 0.001 for PG
meas , PL1meas ,
PL2meas respectively
11
1-Bus Example
12
3-Bus Example
– 50 θ2 – 100 θ3 = P1meas
150 θ2 – 100 θ3 = P2meas
– 100 θ2 + 200 θ3 = P3meas
– 100 θ3 = P13meas
13
3-Bus Example
(−50 −100150 −100−100 2000 −100
)(θ 2θ 3)=(P1meas P2meas P3meas P13meas
)14
3-Bus Example
H=(−50 −100150 −100−100 2000 −100
) ,𝑥=(θ2θ3) , 𝑧=(P1meas P2meas P3meas P13meas
)15
Bad Data
• Bad data usually consists of isolated, random errors
• These types of errors tend to increase the residual
• Measurements with large residuals can be omitted to check for better fit
• Works well for non-interacting bad measurements
16
1-Bus Example
Good Data Bad Data
17
Malicious Data
• Malicious data (data manipulated by an adversary) need not be isolated or random
• Adversary may inject multiple coordinated measurement errors
• Errors could interact with each other or other measurements
• Could change without increasing 18
Attack Formation
• Given: • Attacked measurement vector • Attack vector • Estimated states due to attack • Clever adversary chooses
19
1-Bus Example
PG = PGmeas
PL1 = PL1meas
– PL1 – PG = PL2meas
20
1-Bus Example
Unobservable attack vectors:
Any linear combination of
21
1-Bus Example
Unattacked Attacked
22
For Real?
• In practice, state estimators are more complicated than previous examples
• Assumed strong adversary:– Has access to topology information– Has some means to change
measurements• Why would someone do this?
– Simulate congestion—could affect markets
– Reduce awareness of system operator
23
AC Estimator
• AC model accounts for some effects neglected in the DC model
• Attacks as generated earlier will affect residual
• Attack may not have effect intended by adversary
24
AC Estimator
• is the vector of n states• is the vector of m measurements• is nonlinear vector function relating
measurements to states• is an m vector of random errors
25
AC Estimator
• Solved using Gauss Newton method• Gain matrix: • is diagonal matrix of variances• Estimation procedure:
26
AC Estimator
• DC approximation is pretty good
• Harder to detect attack than random error
• Relatively large attacks may escape detection
• Grid state affects quality of DC attack27
Detection
• Focus on quantities neglected by DC model (VARs)
• VARs tend to be localized
• AttackLosses changeVAR flow and generation changes
28
Detection
• Alternative approach is to estimate parameters simultaneously with states
• Augment state vector with known parameters
• Compare known values to parameter estimates to find bad data 29
Detection
• Choose something known to the control center but not an attacker
• Example: TCUL xformer tap position, D-FACTS setting
• Attacks will perturb parameter estimates
30
Conclusions
• State estimators, even nonlinear estimators, are vulnerable to malicious data
• Malicious data is different from conventional bad data
• Nonlinearity effects of the attack may be detectable
• Parameter estimation can verify data31
Questions?
Thank you!
32