Biblio

With the ever-increasing reliance on data for data-driven applications in power grids, such as event cause analysis, the authenticity of data streams has become crucially important. The data can be prone to adversarial stealthy attacks aiming to manipulate the data such that residual-based bad data detectors cannot detect them, and the perception of system operators or event classifiers changes about the actual event. This paper investigates the impact of adversarial attacks on convolutional neural network-based event cause analysis frameworks. We have successfully verified the ability of adversaries to maliciously misclassify events through stealthy data manipulations. The vulnerability assessment is studied with respect to the number of compromised measurements. Furthermore, a defense mechanism to robustify the performance of the event cause analysis is proposed. The effectiveness of adversarial attacks on changing the output of the framework is studied using the data generated by real-time digital simulator (RTDS) under different scenarios such as type of attacks and level of access to data.

With the development of smart grid technologies and the fast adoption of household IoT devices in recent years, new threats, attacks, and security challenges arise. While a large number of vulnerabilities, threats, attacks and controls have been discussed in the literature, there lacks an abstract and generalizable framework that can be used to model the cyber-physical interactions of attacks and guide the design of defense mechanisms. In this paper, we propose a new modeling approach for security attacks in smart grids and IoT devices using a Cyber-Physical Systems (CPS) perspective. The model considers both the cyber and physical aspects of the core components of the smart grid system and the household IoT devices, as well as the interactions between the components. In particular, our model recognizes the two parallel attack channels via the cyber world and the physical world, and identifies the potential crossing routes between these two attack channels. We further discuss all possible attack surfaces, attack objectives, and attack paths in this newly proposed model. As case studies, we examine from the perspective of this new model three representative attacks proposed in the literature. The analysis demonstrates the applicability of the model, for instance, to assist the design of detection and defense mechanisms against smart grid cyber-attacks.

Power systems automation and communication standards are crucial for the transition of the conventional power system towards a smart grid. The IEC 61850 standard is widely used for substation automation and protection. It enables real-time communication and data exchange between critical substation automation devices. IEC 61850 serves as the foundation for open communication and data exchange for digital substations of the smart grid. However, IEC 61850 has cyber security vulnerabilities that can be exploited with a man-in-the-middle attack. Such coordinated cyber attacks against the protection system in digital substations can disconnect generation and transmission lines, causing cascading failures. In this paper, we demonstrate a cyber attack involving the Generic Object-Oriented Substation Event (GOOSE) protocol of IEC 61850. This is achieved by exploiting the cyber security vulnerabilities in the protocol and injecting spoofed GOOSE data frames into the substation communication network at the bay level. The cyber attack leads to tripping of multiple protective relays in the power grid, eventually resulting in a blackout. The attack model and impact on system dynamics are verified experimentally through hardware-in-the-loop simulations using commercial relays and Real-Time Digital Simulator (RTDS).

In a smart power grid, phasor measurement devices provide critical status updates in order to enable stabilization of the grid against fluctuations in power demands and component failures. Particularly the trend is to employ a large number of phasor measurement units (PMUs) that are inter-networked through wireless links. We tackle the vulnerability of such a wireless PMU network to message replay and false data injection (FDI) attacks. We propose a novel approach for avoiding explicit data transmission through PMU measurements prediction. Our methodology is based on applying advanced machine learning techniques to forecast what values will be reported and associate a level of confidence in such prediction. Instead of sending the actual measurements, the PMU sends the difference between actual and predicted values along with the confidence level. By applying the same technique at the grid control or data aggregation unit, our approach implicitly makes such a unit aware of the actual measurements and enables authentication of the source of the transmission. Our approach is data-driven and varies over time; thus it increases the PMU network resilience against message replay and FDI attempts since the adversary's messages will violate the data prediction protocol. The effectiveness of approach is validated using datasets for the IEEE 14 and IEEE 39 bus systems and through security analysis.

In recent years, there are more and more attacks and exploitation aiming at network security vulnerabilities. It is effective for us to prevent criminals from exploiting vulnerabilities for attacks and help security analysts maintain equipment security that knows vulnerabilities and threats on time. With the knowledge graph, we can organize, manage, and utilize the massive information effectively in cyberspace. In this paper we construct the vulnerability ontology after analyzing multi-source heterogeneous databases. And the vulnerability knowledge graph is established. Experimental results show that the accuracy of entity recognition for extracting vendor names reaches 89.76%. The more rules used in entity recognition, the higher the accuracy and the lower the error rate.

Power system automation and communication standards are spearheading the power system transition towards a smart grid. IEC 61850 is one such standard, which is widely used for substation automation and protection. It enables real-time communication and data exchange between critical substation automation and protection devices within digital substations. However, IEC 61850 is not cyber secure. In this paper, we demonstrate the dangerous implications of not securing IEC 61850 standard. Cyber attacks may exploit the vulnerabilities of the Sampled Values (SV) and Generic Object-Oriented Substation Event (GOOSE) protocols of IEC 61850. The cyber attacks may be realised by injecting spoofed SV and GOOSE data frames into the substation communication network at the bay level. We demonstrate that such cyber attacks may lead to obstruction or tripping of multiple protective relays. Coordinated cyber attacks against the protection system in digital substations may cause generation and line disconnections, triggering cascading failures in the power grid. This may eventually result in a partial or complete blackout. The attack model, impact on system dynamics and cascading failures are veri ed experimentally through a proposed cyber-physical experimental framework that closely resembles real-world conditions within a digital substation, including Intelligent Electronic Devices (IEDs) and protection schemes. It is implemented through Hardware-in-the-Loop (HIL) simulations of commercial relays with a Real-Time Digital Simulator (RTDS).

Due to the increasing number of heterogeneous devices connected to electric power grid, the attack surface increases the threat actors. Game theory and machine learning are being used to study the power system failures caused by external manipulation. Most of existing works in the literature focus on one-shot process of attacks and fail to show the dynamic evolution of the defense strategy. In this paper, we focus on an adversarial multistage sequential game between the adversaries of the smart electric power transmission and distribution system. We study the impact of exploration rate and convergence of the attack strategies (sequences of action that creates large scale blackout based on the system capacity) based on the reinforcement learning approach. We also illustrate how the learned attack actions disrupt the normal operation of the grid by creating transmission line outages, bus voltage violations, and generation loss. This simulation studies are conducted on IEEE 9 and 39 bus systems. The results show the improvement of the defense strategy through the learning process. The results also prove the feasibility of the learned attack actions by replicating the disturbances created in simulated power system.

Most of today's infrastructure systems can be efficiently operated thanks to the intelligent power supply of the smart grids. However, smart grids are highly vulnerable to malicious attacks, that is, because of the interplay between the components in the smart grids, the failure of some critical components may result in the cascading failure and breakdown of the whole system. Therefore, the question of how to identify the most critical components to protect the smart grid system is the first challenge to operators. To enable the system's robustness, there has been a lot of effort aimed at the system analysis, designing new architectures, and proposing new algorithms. However, these works mainly introduce different ranking methods for link (transmission line) or node (station) identification and directly select most the highest degree nodes or common links as the critical ones. These methods fail to address the problem of interdependencies between components nor consider the role of users that is one of critical factors impacting on the smart grid vulnerability assessment. This motivates us to study a more general and practical problem in terms of smart grid vulnerability assessment, namely the Maximum-Impact through Critical-Line with Limited Budget (MICLLB) problem. The objective of this research is to provide an efficient method to identify critical components in the system by considering a realistic attack scenario.

False data injection attack (FDIA) is a real threat to smart grids due to its wide range of vulnerabilities and impacts. Designing a proper detection scheme for FDIA is the 1stcritical step in defending the attack in smart grids. In this paper, we investigate two main statistical techniques-based approaches in this regard. The first is based on the principal component analysis (PCA), and the second is based on the canonical correlation analysis (CCA). The test cases illustrate a better characterization performance of FDIA using CCA compared to the PCA. Further, CCA provides a better differentiation of FDIA from normal grid contingencies. On the other hand, PCA provides a significantly reduced false alarm rate.

The generation, transmission, distribution, and storage of electric power is becoming increasingly decentralized. Advances in Distributed Energy Resources (DERs) are rapidly changing the nature of the power grid. Moreover, the accommodation of these new technologies by the legacy grid requires that an increasing number of devices be Internet connected so as to allow for sensor and actuator information to be collected, transmitted, and processed. With the wide adoption of the Internet of Things (IoT), the cybersecurity vulnerabilities of smart grid devices that can potentially affect the stability, reliability, and resilience of the power grid need to be carefully examined and addressed. This is especially true in situations in which smart grid devices are deployed with default configurations or without reasonable protections against malicious activities. While much work has been done to characterize the vulnerabilities associated with Supervisory Control and Data Acquisition (SCADA) and Industrial Control System (ICS) devices, this paper demonstrates that similar vulnerabilities associated with the newer class of IoT smart grid devices are becoming a concern. Specifically, this paper first performs an evaluation of such devices using the Shodan platform and text processing techniques to analyze a potential vulnerability involving the lack of password protection. This work further explores several Shodan search terms that can be used to identify additional smart grid components that can be evaluated in terms of cybersecurity vulnerabilities. Finally, this paper presents recommendations for the more secure deployment of such smart grid devices.

Security vulnerabilities in firmware/software pose an important threat ton power grid security, and thus electric utility companies should quickly decide how to remediate vulnerabilities after they are discovered. Making remediation decisions is a challenging task in the electric industry due to the many factors to consider, the balance to maintain between patching and service reliability, and the large amount of vulnerabilities to deal with. Unfortunately, remediation decisions are current manually made which take a long time. This increases security risks and incurs high cost of vulnerability management. In this paper, we propose a machine learning-based automation framework to automate remediation decision analysis for electric utilities. We apply it to an electric utility and conduct extensive experiments over two real operation datasets obtained from the utility. Results show the high effectiveness of the solution.

The intelligent power grid is composed of a large number of industrial control equipment, and most of the industrial control equipment has security holes, which are vulnerable to malicious attacks and affect the normal operation of the power grid. By analyzing the security vulnerability of the firmware of industrial control equipment, the vulnerability can be detected in advance and the power grid's ability to resist attack can be improved. In this paper, a kind of industrial control device firmware protocol vulnerabilities associated technology, through the technology of information extraction from the mass grid device firmware device attributes and extract the industrial control system, the characteristics of the construction of industrial control system device firmware and published vulnerability information correlation, faster in the industrial control equipment safety inspection found vulnerabilities.

A process of critical transmission lines identification in presented here. The criticality is based on network flow, which is essential for power grid connectivity monitoring as well as vulnerability assessment. The proposed method can be utilized as a supplement of traditional situational awareness tool in the energy management system of the power grid control center. At first, a flow network is obtained from topological as well as functional features of the power grid. Then from the duality property of a linear programming problem, the maximum flow problem is converted to a minimum cut problem. Critical transmission lines are identified as a solution of the dual problem. An overall set of transmission lines are identified from the solution of the network flow problem. Simulation of standard IEEE test cases validates the application of the method in finding critical transmission lines of the power grid.

Traditionally, power grid vulnerability assessment methods are separated to the study of nodes vulnerability and edges vulnerability, resulting in the evaluation results are not accurate. A framework for vulnerability assessment is still required for power grid. Thus, this paper proposes a universal method for vulnerability assessment of power grid by establishing a complex network model with uniform weight of nodes and edges. The concept of virtual edge is introduced into the distinct weighted complex network model of power system, and the selection function of edge weight and virtual edge weight are constructed based on electrical and physical parameters. In addition, in order to reflect the electrical characteristics of power grids more accurately, a weighted betweenness evaluation index with transmission efficiency is defined. Finally, the method has been demonstrated on the IEEE 39 buses system, and the results prove the effectiveness of the proposed method.

The normal operation of key measurement and control equipment in power grid (KMCEPG) is of great significance for safe and stable operation of power grid. Firstly, this paper gives a systematic overview of KMCEPG. Secondly, the cyber security risks of KMCEPG on the main station / sub-station side, channel side and terminal side are analyzed and the related vulnerabilities are discovered. Thirdly, according to the risk analysis results, the attack process construction technology of KMCEPG is proposed, which provides the test process and attack ideas for the subsequent KMCEPG-related attack penetration. Fourthly, the simulation penetration test environment is built, and a series of attack tests are carried out on the terminal key control equipment by using the attack flow construction technology proposed in this paper. The correctness of the risk analysis and the effectiveness of the attack process construction technology are verified. Finally, the attack test results are analyzed, and the attack test cases of terminal critical control devices are constructed, which provide the basis for the subsequent attack test. The attack flow construction technology and attack test cases proposed in this paper improve the network security defense capability of key equipment of power grid, ensure the safe and stable operation of power grid, and have strong engineering application value.

As a modern power transmission network, smart grid connects plenty of terminal devices. However, along with the growth of devices are the security threats. Different from the previous separated environment, an adversary nowadays can destroy the power system by attacking these devices. Therefore, it's critical to ensure the security and safety of terminal devices. To achieve this goal, detecting the pre-existing vulnerabilities of the device program and enhance the terminal security, are of great importance and necessity. In this paper, we propose a novel approach that detects existing buffer-overflow vulnerabilities of terminal devices via automatic static analysis (ASA). We utilize the static analysis to extract the device program information and build corresponding program models. By further matching the generated program model with pre-defined vulnerability patterns, we achieve vulnerability detection and error reporting. The evaluation results demonstrate that our method can effectively detect buffer-overflow vulnerabilities of smart terminals with a high accuracy and a low false positive rate.

In order to make up for the shortcomings of traditional evaluation methods neglecting node difference, a vulnerability assessment method considering node heterogeneity for cyber physical power system (CPPS) is proposed. Based on the entropy of the power flow and complex network theory, we establish heterogeneity evaluation index system for CPPS, which considers the survivability of island survivability and short-term operation of the communication network. For mustration, hierarchical CPPS model and distributed CPPS model are established respectively based on partitioning characteristic and different relationships of power grid and communication network. Simulation results show that distributed system is more robust than hierarchical system of different weighting factor whether under random attack or deliberate attack and a hierarchical system is more sensitive to the weighting factor. The proposed method has a better recognition effect on the equilibrium of the network structure and can assess the vulnerability of CPPS more accurately.

The risk of large-scale blackouts and cascading failures in power grids can be due to vulnerable transmission lines and lack of proper remediation techniques after recognizing the first failure. In this paper, we assess the vulnerability of a system using fault chain theory and a power flow-based method, and calculate the probability of large-scale blackout. Further, we consider a Remedial Action Scheme (RAS) to reduce the vulnerability of the system and to harden the critical components against intentional attacks. To identify the most critical lines more efficiently, a new vulnerability index is presented. The effectiveness of the new index and the impact of the applied RAS is illustrated on the IEEE 14-bus test system.

Deep packet inspection (DPI) is a critical component to prevent intrusion detection. This requires a detailed analysis of each network packet header and body. Although this is often done on dedicated high-power servers in most networked systems, mobile systems could potentially be vulnerable to attack if utilized on an unprotected network. In this case, having DPI hardware on the mobile system would be highly beneficial. Unfortunately, DPI hardware is generally area and power consuming, making its implementation difficult in mobile systems. We developed a memristor crossbar-based approach, inspired by memristor crossbar neuromorphic circuits, for a low-power, low-area, and high-throughput DPI system that examines both the header and body of a packet. Two key types of circuits are presented: static pattern matching and regular expression circuits. This system is able to reduce execution time and power consumption due to its high-density grid and massive parallelism. Independent searches are performed using low-power memristor crossbar arrays giving rise to a throughput of 160Gbps with no loss in the classification accuracy.

Electromagnetic (EM) analysis is to reveal the secret information by analyzing the EM emission from a cryptographic device. EM analysis (EMA) attack is emerging as a serious threat to hardware security. It has been noted that the on-chip power grid (PG) has a security implication on EMA attack by affecting the fluctuations of supply current. However, there is little study on exploiting this intrinsic property as an active countermeasure against EMA. In this paper, we investigate the effect of PG on EM emission and propose an active countermeasure against EMA, i.e. EM Equalizer (EME). By adjusting the PG impedance, the current waveform can be flattened, equalizing the EM profile. Therefore, the correlation between secret data and EM emission is significantly reduced. As a first attempt to the co-optimization for power and EM security, we extend the EME method by fixing the vulnerability of power analysis. To verify the EME method, several cryptographic designs are implemented. The measurement to disclose (MTD) is improved by 1138x with area and power overheads of 0.62% and 1.36%, respectively.

With a growing demand of concurrent software to exploit multi-core hardware capability, concurrency vulnerabilities have become an inevitable threat to the security of today's IT industry. Existing concurrent program detection schemes focus mainly on detecting concurrency errors such as data races, atomicity violation, etc., with little attention paid to detect concurrency vulnerabilities that may be exploited to infringe security. In this paper, we propose a heuristic framework that combines both static analysis and fuzz testing to detect targeted concurrency vulnerabilities such as concurrency buffer overflow, double free, and use-after-free. The static analysis locates sensitive concurrent operations in a concurrent program, categorizes each finding into a potential type of concurrency vulnerability, and determines the execution order of the sensitive operations in each finding that would trigger the suspected concurrency vulnerability. The results are then plugged into the fuzzer with the execution order fixed by the static analysis in order to trigger the suspected concurrency vulnerabilities. In order to introduce more variance which increases possibility that the concurrency errors can be triggered, we also propose manipulation of thread scheduling priority to enable a fuzzer such as AFL to effectively explore thread interleavings in testing a concurrent program. To the best of our knowledge, this is the first fuzzer that is capable of effectively exploring concurrency errors. In evaluating the proposed heuristic framework with a benchmark suit of six real-world concurrent C programs, the framework detected two concurrency vulnerabilities for the proposed concurrency vulnerability detection, both being confirmed to be true positives, and produced three new crashes for the proposed interleaving exploring fuzzer that existing fuzzers could not produce. These results demonstrate the power and effectiveness of the proposed heuristic framework in detecting concurrency errors and vulnerabilities.

The blockchain technology has emerged as an attractive solution to address performance and security issues in distributed systems. Blockchain's public and distributed peer-to-peer ledger capability benefits cloud computing services which require functions such as, assured data provenance, auditing, management of digital assets, and distributed consensus. Blockchain's underlying consensus mechanism allows to build a tamper-proof environment, where transactions on any digital assets are verified by set of authentic participants or miners. With use of strong cryptographic methods, blocks of transactions are chained together to enable immutability on the records. However, achieving consensus demands computational power from the miners in exchange of handsome reward. Therefore, greedy miners always try to exploit the system by augmenting their mining power. In this paper, we first discuss blockchain's capability in providing assured data provenance in cloud and present vulnerabilities in blockchain cloud. We model the block withholding (BWH) attack in a blockchain cloud considering distinct pool reward mechanisms. BWH attack provides rogue miner ample resources in the blockchain cloud for disrupting honest miners' mining efforts, which was verified through simulations.

Recent years, the issue of cyber security has become ever more prevalent in the analysis and design of electrical cyber-physical systems (ECPSs). In this paper, we present the TrueTime Network Library for modeling the framework of ECPSs and focuses on the vulnerability analysis of ECPSs under DoS attacks. Model predictive control algorithm is used to control the ECPS under disturbance or attacks. The performance of decentralized and distributed control strategies are compared on the simulation platform. It has been proved that DoS attacks happen at dada collecting sensors or control instructions actuators will influence the system differently.

With the integration of computing, communication, and physical processes, the modern power grid is becoming a large and complex cyber physical power system (CPPS). This trend is intended to modernize and improve the efficiency of the power grid, yet it makes the CPPS vulnerable to potential cascading failures caused by cyber-attacks, e.g., the attacks that are originated by the cyber network of CPPS. To prevent these risks, it is essential to analyze how cyber-attacks can be conducted against the CPPS and how they can affect the power systems. In light of that General Packet Radio Service (GPRS) has been widely used in CPPS, this paper provides a case study by examining possible cyber-attacks against the cyber-physical power systems with GPRS-based SCADA system. We analyze the vulnerabilities of GPRS-based SCADA systems and focus on DoS attacks and message spoofing attacks. Furthermore, we show the consequence of these attacks against power systems by a simulation using the IEEE 9-node system, and the results show the validity of cascading failures propagated through the systems under our proposed attacks.

Power grid infrastructures have been exposed to several terrorists and cyber attacks from different perspectives and have resulted in critical system failures. Among different attack strategies, simultaneous attack is feasible for the attacker if enough resources are available at the moment. In this paper, vulnerability analysis for simultaneous attack is investigated, using a modified cascading failure simulator with reduced calculation time than the existing methods. A new damage measurement matrix is proposed with the loss of generation power and time to reach the steady-state condition. The combination of attacks that can result in a total blackout in the shortest time are considered as the strongest simultaneous attack for the system from attacker's viewpoint. The proposed approach can be used for general power system test cases. In this paper, we conducted the experiments on W&W 6 bus system and IEEE 30 bus system for demonstration of the result. The modified simulator can automatically find the strongest attack combinations for reaching maximum damage in terms of generation power loss and time to reach black-out.