Title: Stealth Attacks on State Estimation in Smart Grids and Their Protection
Counter Counter-Measures against Stealth Attacks on State Estimation in Smart Grids
Author: Han, Sung-Fu
Han, Sung-Fu
Su, Y.T.
Su, Y.T.
Institute of Communications Engineering
Keywords: smart grid;false data attack;state estimation;meter selection;smart grid security;false attack;state estimation;meter selection
Issue date: 2013
Abstract: After the traditional power grid (hereafter "the grid") was combined with advanced communication networks and evolved into the smart grid, information from the facilities within the grid is no longer conveyed over isolated grid circuits or by manual means but over public communication networks, so information security has become critically important. One of the most prominent security issues at present is the so-called false data injection attack (FDIA) against grid state estimation. As long as an attacker has knowledge of the grid structure and can tamper with the measurements of some meters in time, the attack can pass the bad data detection (BDD) mechanism and cause the utility's control center to estimate wrong states, so that the energy management system (EMS) makes incorrect power adjustment or control decisions based on those wrong states. An FDIA that passes the BDD test without being noticed by the EMS is called a stealth attack.
Such stealth attacks can be prevented by protecting a certain number of meters or measurements. However, the number of measurements that must be protected is usually very large, the cost is high, and the construction period is long. The focus of this thesis is the scenario in which the grid operator, for various reasons, cannot protect a sufficient number of meter measurements in time and can only protect a limited number of them; under that premise we design a strategy for selecting the meters to protect so as to maximize the attacker's cost (the number of measurements that must be tampered with) and thereby make such a malicious attack harder. In other words, for the game between attacking measurements (counter-measures, CM) and protecting measurements (counter counter-measures, CCM), we adopt a max-min strategy: we force the attacker to raise (maximize) the minimum price it has to pay, where the price is measured by the number of measurements (meters) that must be tampered with (attacked). From the defender's (grid operator's) point of view, however, the risk is inversely proportional to the attacker's cost: the fewer measurements the attacker has to tamper with, the higher the operator's risk. Seen this way, our strategy takes the min-max form, trying to reduce the largest possible risk as far as possible.
Because selecting a large number of protected measurements at once has very high complexity, our max-min solution is an incremental algorithm for selecting protected meters. The method is based on the security index (SI) of each meter; the SI is the number of meters that must be tampered with in conjunction, that is, the minimum number of additional meters an FDIA must tamper with in order to tamper with a given measurement and still pass the bad data detection mechanism. The SI can be computed by viewing the grid structure as a graph and considering the minimum cut associated with the meter in that graph. Protecting the meter with the lowest security index forces the attacker to look for other attack methods with a higher attack cost (i.e., a higher SI). Since there are often several meters whose security index is simultaneously the smallest, we further exploit the fact that each meter lies on multiple minimum cuts and develop an effective algorithm for deciding the priority in which meters are protected.
We first study the attacker's problem of optimally choosing attack targets (i.e., tampering with the fewest meters while still achieving its goal) and reduce it, for injection-free grids, from an NP-hard problem to an equivalent problem solvable in polynomial time. For general grids with injection meters, we first exclude the injection meters to determine the protection strategy and then take them into account to determine the additional meters that need protection. Even without protecting additional meters, however, we can prove that the protection strategy designed under the injection-free assumption still guarantees that the attacker will in fact pay a higher price. In other words, although the attack cost estimated by our protection strategy does not take injection meters into account, the number of meters an FDIA actually has to attack is certainly higher than our estimate, so our algorithm guarantees a lower bound on the grid's security index. Computer simulations on several IEEE standard grid models also show that our algorithm performs far better than other methods.
Security is of paramount importance in upgrading a power grid into a smart grid in which various wired and wireless communication links are used for control, monitoring and sensing applications. One of the key security concerns that has drawn much research attention is the so-called false data injection attack (FDIA) against state estimation. With knowledge of the grid topology and by injecting proper false data into selected meters, an FDIA can pass bad data detection (BDD) and become stealthy to the grid's Supervisory Control and Data Acquisition (SCADA) system. If the Energy Management System (EMS) uses state estimates computed from the polluted measurements reported by tampered meters to perform grid configuration, the result will be incorrect, unreliable operations and may even lead to disastrous consequences.

Such a counter-measure (CM) can be prevented if a sufficient number of meters (links) are protected. Unfortunately, protecting a large number of meters can be very expensive and time-consuming. We therefore focus on the scenario in which the grid can only protect a selected set of measurements smaller than that required by an FDIA-free system. A scheme that maximizes the attacker's cost (i.e., the number of tampered meters required to form a stealth meter data vector) is desired. Such a design goal is equivalent to countering the counter-measure carried out by an FDIA with a max-min approach. From the grid operator's viewpoint, however, its risk is inversely proportional to the cost to an attacker: the easier an attacker can launch an FDIA, the higher the risk to the grid. Hence our method is also min-max, trying to minimize the risk of being attacked. Our solution involves the notion of the security index (SI) of a meter, which specifies the minimum number of tampered meters, other than the meter of concern, needed to generate a legitimate attack vector that corrupts the state estimation. A meter's SI is evaluated by representing the grid as a graph and then finding the so-called minimum cuts associated with the branch (meter) of interest.

As the task of locating multiple measurements for protection is computationally expensive, we adopt an incremental approach which tries to find, in each iteration, the single candidate meter for protection that costs the attacker the least. Finding and protecting the most vulnerable meter (i.e., the one with the smallest SI) forces the attacker to tamper with meters of higher SI in order to generate a legitimate false measurement, thereby paying a higher cost. As oftentimes there are multiple meters with the same SI, and a meter is involved in many minimum cuts of the equivalent grid graph that link other meters, we develop further criteria to select the (most vulnerable) meter to protect.

Our approach transforms the NP-hard problem of optimizing a successful FDIA into one that can be solved in polynomial time for injection-free grids. We thus start with injection-free grids and then extend to full-measurement and other practical grids. We show that our injection-free solution gives a lower bound on the number of meters any FDIA has to tamper with. Computer simulations based on some IEEE standard grids are performed to examine the efficiency of our approaches and verify their numerical advantages with respect to other known methods.
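The security-index computation and the incremental protection loop sketched in the abstract, as an added Python illustration that is not the thesis's own code. It assumes a DC power-flow model of an injection-free grid with exactly one flow meter per branch, in which a stealth attack on the meter of branch (u, v) must also tamper with every other meter on some cut of the grid graph that separates u from v; the SI is then the size of the smallest such cut minus one, and protected meters are kept out of every cut. The tie-break used below (how many other meters' minimum cuts a candidate lies on) and the six-branch sample grid are constructed for this example, not taken from the thesis.

```python
"""Security index (SI) of branch meters via minimum cuts, plus a greedy
incremental protection loop.  Added illustration, not the thesis's code.
Assumptions (not stated on the page): DC power-flow model, injection-free grid,
one flow meter per branch; a stealth attack on branch (u, v) tampers with all
meters on some u-v cut, so SI = (smallest such cut) - 1.  Protected meters
cannot be tampered with, modelled as a very large cut capacity."""
from collections import deque

INF = float("inf")


def _edge_capacities(branches, protected, big):
    """Unit capacity per unprotected branch, 'big' for protected ones (both arc directions)."""
    cap = {}
    for u, v in branches:
        c = big if (u, v) in protected else 1
        cap[(u, v)] = c
        cap[(v, u)] = c
    return cap


def _max_flow(cap, s, t):
    """Edmonds-Karp over the arcs in 'cap'. Returns (flow value, source side of one min cut)."""
    adj = {}
    for u, v in cap:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, [])
    flow = {arc: 0 for arc in cap}
    total = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] - flow[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return total, set(parent)  # BFS exhausted: visited nodes are the source side
        bottleneck, v = INF, t        # residual capacity along the BFS path
        while parent[v] is not None:
            bottleneck = min(bottleneck, cap[(parent[v], v)] - flow[(parent[v], v)])
            v = parent[v]
        v = t
        while parent[v] is not None:  # augment, keeping reverse arcs consistent
            u = parent[v]
            flow[(u, v)] += bottleneck
            flow[(v, u)] -= bottleneck
            v = u
        total += bottleneck


def min_cut(branches, branch, protected):
    """SI of 'branch' and one minimum cut through it that avoids protected meters."""
    big = len(branches) + 1
    value, src_side = _max_flow(_edge_capacities(branches, protected, big), *branch)
    if value >= big:
        return INF, set()  # every cut through 'branch' crosses a protected meter
    cut = {b for b in branches if (b[0] in src_side) != (b[1] in src_side)}
    return value - 1, cut


def security_index(branches, branch, protected=frozenset()):
    return min_cut(branches, branch, protected)[0]


def grid_security_index(branches, protected):
    """Cost of the cheapest stealth attack on any unprotected meter (INF if none is attackable)."""
    return min((security_index(branches, b, protected) for b in branches if b not in protected),
               default=INF)


def incremental_protection(branches, budget):
    """Greedy max-min loop: each round protects a meter of minimum SI; ties go to the
    meter lying on the most other meters' minimum cuts (tie-break assumed for this example)."""
    protected, history = set(), []
    for _ in range(budget):
        si, cuts = {}, {}
        for b in branches:
            if b not in protected:
                si[b], cuts[b] = min_cut(branches, b, protected)
        lowest = min(si.values(), default=INF)
        if lowest == INF:
            break  # no remaining meter can be attacked stealthily
        candidates = [b for b in si if si[b] == lowest]
        chosen = max(candidates, key=lambda b: sum(1 for o, c in cuts.items() if o != b and b in c))
        protected.add(chosen)
        history.append((chosen, lowest))
    return protected, history


# Constructed sample grid: 4-bus ring 0-1-2-3-0, chord (0, 2), and a leaf bus 4 on branch (3, 4).
SAMPLE_BRANCHES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2), (3, 4)]

if __name__ == "__main__":
    for b in SAMPLE_BRANCHES:
        print("SI", b, security_index(SAMPLE_BRANCHES, b))
    prot, hist = incremental_protection(SAMPLE_BRANCHES, budget=3)
    print("protected in order (meter, SI at the time):", hist)
    print("grid SI after protection:", grid_security_index(SAMPLE_BRANCHES, prot))
```

On the sample grid the leaf branch (3, 4) has SI 0 (its meter alone can be faked), the ring branches have SI 1 and the chord SI 2; protecting three meters in the greedy order raises the grid's SI from 0 to 2, and a fourth makes every remaining meter unattackable under this model.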
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070060204
http://hdl.handle.net/11536/73004
Appears in collections: Thesis


Files in this item:

  1. 020401.pdf
