1. Introduction
The heavy use of non-renewable fossil fuels is the primary contributor to the greenhouse effect through the release of carbon dioxide [1]. Zaidi et al. show that non-renewable energy is the main contributor to pollution by analyzing renewable and non-renewable energy consumption [2]. Awan et al. highlight that industrialization increases the demand for renewable energy resources and decreases the sustainability of greenhouse gas emissions [3]. With the emergence of environmental problems and the consumption of non-renewable energy, the application of renewable energy such as wind and solar energy is becoming increasingly important [4]. Shady et al. highlight in [5] that the establishment of smart grids (SGs) is very important for improving the efficiency and security of the energy supply. SGs help reduce energy consumption during peak load and reduce emissions of pollutants. However, a large number of network-connected instruments and devices for new energy sources are deployed in SGs. Owing to the lack of adequate protection measures, the risk of network attacks on SGs is greatly increased; access to distributed and renewable energy resources brings great uncertainty to the cyber security of SGs [6]. In 2003, a computer network at the Davis–Besse nuclear power plant was penetrated. In 2010, the nuclear power plant in Iran was penetrated by Stuxnet [7]. In December 2015, malicious software called “Black Energy” penetrated the national grid of Ukraine, causing serious damage to the supervisory control and data acquisition (SCADA) system [8]. In January 2016, Israel’s electricity authority suffered a serious cyber attack, in which ransomware was distributed by e-mail to trick its staff into executing malicious code, causing the associated computers to be shut down for two days. Cyber security of smart grids is becoming an increasingly important issue [9,10].
The typical attack process is as follows. First, adversaries implant malicious software by hacking into the target host. Then, the adversaries continuously steal data and construct an appropriate attack based on the acquired data. After that, the constructed attack is implanted in the available data and uploaded to the control station. Finally, the control station is misled by the attacked data and performs a series of wrong operations, which causes the system to crash. Moreover, because some transport protocols, such as IEC TR 61850-90-2, lack integrity protection, or provide it but allow it to be omitted when very low latency is required [11], potential adversaries can even modify measurements by altering the transmitted bits.
The SCADA system is the key data acquisition and monitoring component of the power grid [12]. It is responsible for collecting measurements from sensors and monitoring the operation of the grid. State estimation techniques are used to detect and weed out bad data in the SCADA system [13]. While few power companies disclose the details of their grid to the public, it is proposed in [14] that attackers can combine satellite images with an existing transmission system map to collect information about the target power system and identify the topology of the power grid. Moreover, attackers can determine the actual values of the network parameters from the characteristics of the transmission lines; in [15], the node admittance matrix was estimated to within a 1% margin of error. In particular, once the adversaries know the configuration of the grid, a false data injection attack (FDIA) can bypass the existing detection techniques. The fundamental reason is that existing bad data detection (BDD) techniques usually rely on the Chi-square detection mechanism, which is not reliable [16]. Specifically, it is shown in [16] that even if the result of the state estimator is changed by an FDIA, the BDD alarm is not triggered as long as the residual increment is within the threshold.
This paper primarily studies false data injection attacks against SG state estimation. The purpose is not to damage power grids, but to reveal the mechanism of the attack and uncover system vulnerabilities. In [17], Li et al. consider that the cyber attack problem is significant because one needs to understand the behavior of an attacker in order to devise effective defensive measures. Similar views are expressed in [18], which points out that studying potential attack mechanisms helps assess the vulnerability and security weaknesses of SGs. Therefore, research on the attack is significant for the protection of the system.
The FDIA exploits the vulnerabilities of the BDD scheme, resulting in major harm to power grids [19]. For the FDIA, there are two research topics: the construction of false data attack vectors [16,20,21] and attack detection and defense [22,23,24]. In particular, the construction of the FDIA attack vector can reveal the vulnerability of the state estimation, which helps the development of security defenses.
The false data injection attack was first proposed by Liu et al. in 2009 [16], where the attack vector was constructed by restricting it to a linear combination of the column vectors of the measurement matrix. Moreover, they showed that the attack vector can be constructed as long as the attackers can tamper with a certain number of sensors. This principle was adopted in [21,25,26]. In those methods, the residual under attack is unchanged compared with the attack-free case, so the attack easily passes the residual detection mechanism. Then, in [27], to reduce the cost of the attack, the sparseness of the attack vector was studied: by setting some specific elements of the attack vector to 1, the problem of designing an attack vector was transformed into a -norm optimization problem. Furthermore, Teixeira et al. [28] transformed the -norm optimization problem into a general p-norm problem based on the constraint, and a general construction method for FDIAs with specific target constraints was proposed. Next, the mathematical optimizers CPLEX and Gurobi were used to solve the attack vector construction problem [29]. In the above methods, because the attack is restricted to a linear combination of the column vectors of the measurement matrix, the sparseness of attacks is difficult to improve, and the risks and costs associated with attacks are greatly increased. Unlike the above models, in [30] the residual increment caused by the attack is only required to remain within the threshold, and a construction method for attack vectors based on ADMM is proposed, which relaxes the attack vector design.
While the above methods can find an attack vector, the sparseness and effectiveness of attack vectors are difficult to satisfy simultaneously. Moreover, the existing methods do not provide a feasible domain of the attack vector. In summary, there are three problems:
To pass the BDD, what is the range of the attack vector?
Under what conditions can an attack be called effective?
How can sparse attack vectors be designed within the feasible domain to achieve the desired attack effect?
To address these problems, this paper investigates the feasible region of the attack vector and presents a novel sparse attack vector construction method. The main contributions are:
According to the state estimation technique, the feasible region of the attack vector is obtained using linear algebra.
The constraint on the effectiveness of an attack is derived based on whether it can cause the operator to misbehave.
The domain of state estimation variations is proposed based on the feasible region of the attack vector.
In the authors' view, the greatest contribution of this paper is the discussion of the attack vector range.
The rest of the paper is organized as follows. Section 2 illustrates the BDD mechanism and the principle of FDIA based on the DC model. Section 3 presents the main results of the paper. The simulation results are presented in Section 4.
2. Problem Formulation
Power system state estimation is used to infer the operating state from the available measurements of the various meters in the power grid [16]. The available measurements include bus real and reactive power injections and branch real and reactive power flows. The measurement model of the AC power flow is described as
where
is denoted as measurement vector;
is the system state vector;
is the Gaussian measurement noise caused by environmental factors and measuring instrument, and
is the functional dependency between measurements and state variables.
When the weighted least squares (WLS) algorithm is used in the model, the system state can be inferred from the following optimization problem
Here, state estimation based on the DC model is used; the details of the DC power flow measurement model are as follows:
where
is the measurement vector, including active powers and reactive powers,
is the voltage phase angle of each node,
is the Gaussian measurement noise caused by environmental factors and measuring instrument,
H is the measurement matrix, which depends on the network topology and line parameters.
The system state can be inferred from the following optimization problem
where and is the variance of the measurement noise associated with the i-th meter [28]. If the matrix is invertible, the solution of Equation (4) can be written as
Let the vector be the measurement estimation residual. Since the noise vector follows a Gaussian distribution, follows the Chi-square distribution with degrees of freedom. The BDD is then established as a binary hypothesis test; this is the Chi-square detector. When the confidence level is , the binary hypothesis test can be expressed as
Hypothesis : , there is no bad data and is true.
Hypothesis : , there is bad data and is true.
However, even if the result of the state estimator is changed by an FDIA, the BDD alarm is not triggered as long as the residual increment is within the threshold. The FDIA on the state estimation exploits this vulnerability of the Chi-square detector.
Figure 1 illustrates the FDIA framework. If the target’s topology and line parameters are obtained by the attackers, they may capture the measurement z by compromising devices such as phasor measurement units (PMUs) or remote terminal units (RTUs). Then, the adversaries use z to construct an attack a. After that, a is injected into the measurement and makes z become . Next, is transmitted to the SCADA system via the communication network. In the SCADA system, the WLS state estimation algorithm is employed to estimate the system state and identify bad data. Once is not detected by the BDD, it is used for system power flow calculation and scheduling.
Remark 1. The SCADA system collects measurements from remote devices over the network, so packets may arrive out of order, be lost, or suffer other transmission faults. Since the construction of attack vectors is the main focus of this paper, network communication is assumed to be ideal.
The Chi-square detector is a residual detector centered on the measurement and the estimated residual. A successful FDIA requires that the attack vector passes the BDD and that the result of the attack is effective. The construction of the attack vector is therefore the key for attackers. Hence, this paper focuses on the feasible and effective domains of attack vectors and the state variation domains caused by attack vectors, using linear algebra.
Remark 2. The research on the feasible domain of attack vector can not only facilitate the attacker but also be significant to the defender. If the defenders know the feasible domain, they can reduce the feasible domain to improve the security. The discussion on effectiveness has the same effect.
3. Construction of Sparse Attack Vector
3.1. Feasible Domain of Attack Vector
Definition 1. When the attack vector , the alarm is not triggered. The range is defined as the feasible domain of attack vector a.
The feasible domain of the attack vector has not been explored in existing research. It will be proved that existing methods select the attack vector only from a subset of , which limits the sparseness of attack vectors. In this subsection, the study of serves as a guide to the design of the attack vector.
Definition 2 ([31]). In a finite-dimensional space, a square matrix P is called a projection matrix if it is equal to its square, i.e., .
Lemma 1 ([31]). Let be a finite-dimensional vector space and the matrix P be a projection on . If the subspaces L and M are the range and kernel of P, respectively, P has the following properties: every vector can be decomposed uniquely as with and , where , and .
Lemma 2. Let , then B is a projection matrix and is a projection matrix too.
The proof of Lemma 2 is as follows.
According to Definition 2, B is a projection matrix. Since
substituting Equation (6) into Equation (7), we have
Thus the square matrix is also a projection matrix.
Theorem 1. includes projection subspace and kernel subspace of projection transformation matrix .
Proof of Theorem 1. Let be the measurement containing the attack vector. can be written as
Let be the attacked estimate. When the attack exists, can be written as
where c is the perturbation of the state caused by a. When , according to Equation (5),
Let be the attacked measurement estimate. Because of , the attacked residual can be expressed as
From Equations (9)–(11), is rewritten as
When there is no attack, a normal measurement passes the detector because of . Hence, if is to pass the Chi-square detector, a must satisfy
Let ; using (5), Equation (14) can be rewritten as
Since B is an m-dimensional square matrix, Lemma 2 states that is a projection transformation matrix in the space, and , where the subspaces L and M are the range and kernel of , respectively. According to the properties of an idempotent matrix, can be expressed as
where and . Using Lemma 1, it follows that
The projection transformation projects the vector from the original space to the projection subspace L. Combining Equations (16) and (18), the feasible domain of the attack vector can be obtained as
in the subspace M,
Therefore, Equation (19) shows that is a sphere in the projection subspace L of the projection transformation. The feasible domain in the subspace M can be calculated from Equation (20), and is arbitrary. □
Remark 3. Because of the BDD mechanism, not every injected into the measurement z can pass the BDD. The feasible domain in the space consists of and :
- 1.
where is a sphere in the projection subspace L of the projection transformation matrix , the centre of the sphere is and the radius is τ.
- 2.
where is arbitrary in the kernel subspace M of the projection transformation matrix .
The proposed in this paper is a necessary and sufficient condition. Furthermore, it covers the feasible domains of both perfect and imperfect attack vectors.
Corollary 1. The sphere is a subset of .
Remark 4. When designing an attack vector, the attacker must ensure that it lies within the feasible domain. Therefore, an attacker prefers the feasible domain to be as large as possible. However, depends on the threshold τ. From the viewpoint of power system security, τ should be as small as possible, since a small τ limits the scope of the attack.
Next, it will be proved that the methods of select the attack vector only from the kernel space. Because this selection is so restricted, the sparseness of attack vectors is greatly limited.
Theorem 2. The column vectors of measurement matrix H belong to the kernel space of the projection transformation matrix .
Proof of Theorem 2. According to matrix theory, there is
and because , so
Combining Equations (21) and (22), is always true, so the column vectors of measurement matrix H belong to the kernel space of . □
Remark 5. Under the constraint , a is a linear combination of the columns of H, so a is a member of the column space of H. According to Theorem 2, the column space belongs to the kernel space of . Hence, the design scheme of is based on the kernel space, which is only a subset of the feasible domain proposed in this paper.
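As an added example that is not part of the paper, the following pure-Python script implements the DC-model WLS estimator and Chi-square BDD of Section 2 on a constructed 3-bus network and checks Lemma 2 and Theorem 2 numerically, so a reader can see what the detector flags (a single gross meter error) and what it cannot (an injection lying in the column space of H, as Remark 5 states). The network, the noise values and the threshold are assumptions.

```python
# Added example (not from the paper): pure-Python DC-model WLS state estimation
# with the Chi-square bad-data detector (BDD) of Section 2 on a constructed
# 3-bus network, plus numerical checks of Lemma 2 and Theorem 2. Assumed: unit
# line susceptances, equal meter noise sigma = 0.01, tau = 9.488 (95% chi-square
# critical value for m - n = 4 degrees of freedom).

def transpose(A):
    return [list(row) for row in zip(*A)]

def matmul(A, B):
    Bt = transpose(B)
    return [[sum(x * y for x, y in zip(row, col)) for col in Bt] for row in A]

def inv2x2(S):
    (a, b), (c, d) = S
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

# Constructed DC measurement matrix H (m = 6 meters, n = 2 states). States:
# phase angles of buses 2 and 3 (bus 1 is the reference). Rows: line flows
# P12, P13, P23 and bus injections P1, P2, P3, all with unit susceptance.
H = [[-1, 0], [0, -1], [1, -1], [-1, -1], [2, -1], [-1, 2]]
M = len(H)
SIGMA = 0.01                                      # meter noise std. dev.
W = [[1 / SIGMA ** 2 if i == j else 0.0 for j in range(M)] for i in range(M)]
TAU = 9.488                                       # BDD threshold, 4 dof, 95%

def gain_inverse():
    """(H^T W H)^-1; n = 2, so a closed-form 2x2 inverse suffices."""
    return inv2x2(matmul(matmul(transpose(H), W), H))

def projection():
    """B = H (H^T W H)^-1 H^T W; the residual is then r = (I - B) z."""
    return matmul(matmul(matmul(H, gain_inverse()), transpose(H)), W)

def identity_minus(B):
    return [[(1.0 if i == j else 0.0) - B[i][j] for j in range(M)] for i in range(M)]

def wls_estimate(z):
    """Return (x_hat, r, J): WLS state estimate, residual and J = r^T W r."""
    x_hat = matmul(matmul(matmul(gain_inverse(), transpose(H)), W), [[v] for v in z])
    r = [zi - hz[0] for zi, hz in zip(z, matmul(H, x_hat))]
    return [v[0] for v in x_hat], r, sum((ri / SIGMA) ** 2 for ri in r)

def bdd_alarm(z, tau=TAU):
    """Chi-square BDD: True when J exceeds the threshold (bad data flagged)."""
    return wls_estimate(z)[2] > tau

def is_projection(P, tol=1e-9):
    """Definition 2: P is a projection matrix iff P^2 == P."""
    P2 = matmul(P, P)
    return all(abs(P2[i][j] - P[i][j]) < tol for i in range(M) for j in range(M))

def columns_in_kernel(tol=1e-9):
    """Theorem 2: (I - B) H == 0, i.e. every column of H lies in ker(I - B)."""
    rows = matmul(identity_minus(projection()), H)
    return all(abs(v) < tol for row in rows for v in row)

def residual_shift(a):
    """Eq. (13): the residual change caused by injecting a is (I - B) a."""
    return [row[0] for row in matmul(identity_minus(projection()), [[v] for v in a])]

# Constructed measurements: true state x = [0.10, -0.05] plus fixed noise.
X_TRUE = [0.10, -0.05]
NOISE = [0.004, -0.003, 0.006, -0.005, 0.002, -0.004]
Z = [sum(h * x for h, x in zip(row, X_TRUE)) + e for row, e in zip(H, NOISE)]

if __name__ == "__main__":
    B = projection()
    print("B, I-B projections:", is_projection(B), is_projection(identity_minus(B)))
    print("columns of H in ker(I-B):", columns_in_kernel())
    print("clean measurements, alarm:", bdd_alarm(Z))
    gross = [v + (0.5 if i == 0 else 0.0) for i, v in enumerate(Z)]   # one meter off
    print("single gross error, alarm:", bdd_alarm(gross))
    a = [row[0] * 0.2 for row in H]       # a = H c, c = [0.2, 0]: lies in ker(I-B)
    print("a = Hc: max residual shift", max(abs(v) for v in residual_shift(a)),
          "alarm:", bdd_alarm([z + ai for z, ai in zip(Z, a)]))
```

The last check is exactly Remark 5: the detector statistic J does not move at all for an injection in the column space of H, while the state estimate shifts by c, which is why a Chi-square BDD alone gives no assurance against an adversary who knows H.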
3.2. Lower Bound of the Attack Vector
The previous section discussed the feasible domain of a and answered the question of the attack vector range. However, apart from the feasible domain, another main issue is the effectiveness of the constructed attack. In this subsection, the effectiveness of attacks is investigated. We propose that causing a wrong operator action be taken as the criterion of an effective attack, and the corresponding constraint on an effective attack is suggested.
When operators, unaware of the existence of an attack, find that the estimated state deviates from what they expect, they take actions such as adjusting the generator output or changing loads. These actions, based on incorrect state variables, may harm the normal operation of SGs. Thus, only attacks that can harm power grid operation are called effective attacks.
Definition 3. An effective attack can make the state estimated deviate from its given normal operating range for the power grid.
For example, a harmful attack is one that causes the voltage deviation to exceed 5% of the nominal value. Next, the constraints on the attack vector are derived for such an effective attack. Suppose that each state deviation is less than during normal operation. Therefore, by Definition 3, the potential attackers need to design the attack a so that the maximum state variation is more than . Equation (11) shows that the state variation caused by the attack is c. Combined with Definition 3,
where is the maximum. According to Equation (11), Equation (23) can be rewritten as
Noting , Equation (24) can be rewritten as
Combining this with Equation (25), it can be derived that
where is the induced norm, also known as the spectral norm, of the matrix A.
According to the definition of the spectral norm of a matrix, , where is the largest eigenvalue of the matrix . So Equation (26) can be rewritten as
Remark 6. To induce an operator mistake, the designed attack vector must meet certain conditions. The condition in Equation (27) distinguishes effective attack vectors and indicates the system’s tolerance to noise.
3.3. The Range of State Estimate Variable
When attackers mount an attack, they first need to specify an expected state variable . The attackers then construct a to realize such a state variable. Therefore, it is essential to understand the range of c and to select within that domain. An attacker can construct the desired attack vector by picking a suitable value within this domain. However, if an attack lies in the range of Corollary 1 in Section 3.1, what is the domain of the state variables in the state space? This subsection studies that topic, which is a map from the attack domain to the result domain. For an attacker, this is knowledge to have before constructing an attack.
Lemma 3 ([31]). Let D be a real m-by-n matrix and . Then the image set of the unit sphere surface in under the linear transformation has the following properties:
- 1. If , the image set in is an ellipsoid surface, which in the basis P can be expressed as
- 2. If , the image set in is an ellipsoid, which in the basis P can be expressed as
where P is the left singular matrix of D and is the singular value of the matrix D.
As seen in Section 3.1, the feasible domain of a is derived, which answers the question of the attack vector range. Corollary 1 determines a subset of a, which is a solid sphere with centre and radius .
Let . Combining this with Corollary 1, can be rewritten as
Equation (30) shows that the column vector y is constrained to a unit sphere, and the attack vector a is expressed as
Because , combining Equations (11) and (31), the state variation caused by an attack can be written as
Since , Equation (32) can be rewritten as
The singular value decomposition of the matrix A can be expressed as
Lemma 3 shows that in the image set of y is an ellipsoid. Using the columns of U as a basis, the ellipsoid can be written as
Equation (35) can be rewritten as
where is a diagonal matrix whose elements are the singular values of the matrix A.
Equation (36) shows the range of the state change under attack. An attacker can select a specific in this range to construct an attack vector when mounting an FDIA. However, since the state is represented in the natural basis E, it is necessary to convert the coordinate representation in U into the representation in the natural basis E. Since the matrix U is a unitary matrix, the basis transformation matrix converts coordinates under the basis U into coordinates under the basis E. The coordinates of the image set of y with E as the basis can be expressed as
Remark 7. If attack vector satisfies Corollary 1, its effect on state is limited.
3.4. Sparse Attack Vector Construction Based on Norm
In this subsection, c is selected subject to the restriction of Equation (37) derived in Section 3.3. Attackers also need to consider that it is unrealistic to tamper with measurements on a large scale; this would increase not only the cost but also the probability of being detected. Therefore, the sparseness of the attack vector is chosen as the objective function, and the design problem is transformed into a -norm optimization problem.
Since , once the desired state variable is determined by the attackers, if they have access to all the measuring instruments, they can construct an attack vector from the current measurements to meet their needs. To reduce the cost and risk of the attack, the attackers tend to modify as few measurements as possible, i.e., the attack vector should be as sparse as possible. Therefore, the attacker’s requirements can be described as
There are further constraints when the effectiveness (see Section 3.2) and the feasibility (see Section 3.1) of the attack vector are considered. The feasible domain is addressed in Section 3.1, and Equation (27) in Section 3.2 can be taken as the effectiveness constraint of the attack vector. The construction problem of sparse effective attack vectors can be expressed as Equation (38). Hence, when designing an attack vector a, the feasible domain (see Section 3.1) and the effectiveness (see Section 3.2) are taken into account, which changes Equation (38) to Equation (39) below:
Equation (39) represents a constrained -norm optimization problem, which is non-convex. Compared with the methods in [25,26,27], the constraints on the attack vector in this method are relaxed, which can improve the sparseness of attack vectors. Compared with [30], the effectiveness of the attack is explicitly specified in this method. Moreover, the domain of the state variation is proposed in this method, which gives the attacker a reference when carrying out an attack. Since the above model is a -norm optimization problem, a greedy algorithm can be used to solve it. In this paper, the orthogonal matching pursuit (OMP) algorithm is used. OMP is widely used in compressed sensing and is described in [32]. The OMP pseudo-code (Algorithm 1) is given below.
Algorithm 1 OMP algorithm for sparse constrained a
Require: Expected state variation , dictionary A, sparseness k.
Ensure: Sparse attack vector a.
1: Initial solution , initial residual , , initial .
2: repeat
3: (Sweep)
4: (Find new minimizer)
5: If , else break;
6: (Update provisional solution)
7: (Update provisional solution)
8: (Update residual)
9:
10: until
The attack procedure can be summarized as follows. First, adversaries implant malicious software by hacking into the target host. Then, the adversaries continuously steal the measurement z. After that, the adversaries construct an appropriate attack vector a with the proposed method based on the stolen measurements. Then, the constructed attack is implanted in the available measurements and uploaded to the control station. Finally, the control station is misled by the attacked data and performs a series of wrong operations, which causes the system to crash.