Title: Stealth Attacks on Smart-Grid State Estimation and Their Countermeasures
Counter Counter-Measures against Stealth Attacks on State Estimation in Smart Grids
Authors: 韩松俯 (Han, Sung-Fu); 苏育德 (Su, Y.T.)
Institute of Communications Engineering (电信工程研究所)
Keywords: smart grid; false data injection attack; state estimation; meter selection; smart grid security; false attack
Date: 2013
Abstract: As the traditional power grid (hereafter "grid") is combined with advanced communication networks and evolves into a smart grid, the information from the facilities in the grid is no longer carried over isolated, dedicated grid circuits or by hand but over public communication networks, so information security becomes very important. One of the security issues currently receiving the most attention is the so-called false data injection attack (FDIA) against grid state estimation. As long as an attacker knows the grid structure and can tamper with the measurements of some meters in time, the attack can pass bad data detection (BDD), causing the utility's control center to estimate wrong states, so that the energy management system (EMS) makes incorrect power adjustment or control decisions based on them. An FDIA that passes BDD without being noticed by the EMS is called a stealth attack.
Such stealth attacks can be prevented by protecting a certain number of meters or measurements. However, the number of measurements that must be protected is usually very large, so the cost is high and the installation time is long. This thesis focuses on the situation in which the grid operator, for various reasons, cannot protect a sufficient number of meter measurements in time and can only protect a limited number of them; under this premise we design a strategy for selecting the meters to protect so as to maximize the attacker's cost (the number of measurements that must be tampered with) and thus make the attack harder. In other words, in the game between attacking measurements (counter-measures, CM) and protecting measurements (counter counter-measures, CCM), we adopt a max-min strategy: we force the attacker to raise (maximize) the minimum cost it must pay, where the cost is measured by the number of measurements (meters) that must be tampered with (attacked). From the defender's (grid operator's) point of view, however, the risk is inversely proportional to the attacker's cost: the fewer measurements the attacker must tamper with, the higher the operator's risk. Seen this way, our strategy takes a min-max form, trying to minimize the largest possible risk.
Because selecting a large number of measurements to protect at once has very high complexity, our max-min solution is an incremental algorithm that selects meters to protect one at a time. The method is based on the security index (SI) of each meter: the SI is the number of meters that must be tampered with along with it, that is, the minimum number of additional meters an FDIA must tamper with in order to alter a given measurement and still pass bad data detection. The SI can be computed by treating the grid structure as a graph and considering the minimum cuts associated with the meter in that graph. Protecting the meter with the lowest security index forces the attacker to look for another attack with a higher cost (i.e. a higher SI). However, since several meters often share the same minimum security index, we further exploit the fact that a meter belongs to several minimum cuts to develop an effective algorithm for determining the order in which meters are protected.
We first study the attacker's problem of choosing the optimal attack target (tampering with the fewest meters while still achieving its goal) and show that, for injection-free grids (grids without injection meters), it reduces from an NP-hard problem to an equivalent problem solvable in polynomial time. For general grids with injection meters, we first exclude the injection meters to decide the protection strategy and then take them into account to decide which additional meters must be protected. Even without the additional protected meters, we can prove that the protection strategy designed under the injection-free assumption still guarantees that the attacker will in practice pay a higher cost. In other words, although the attack cost estimated by our protection strategy does not take injection meters into account, the number of meters an FDIA actually has to attack is always at least our estimate, so our algorithm guarantees a lower bound on the grid's security index. Computer simulations on several IEEE standard grid models also show that our algorithm performs far better than other methods.
Security is of paramount importance when upgrading a power grid into a smart grid, in which various wired and wireless communication links are used for control, monitoring and sensing applications. One of the key security concerns that has drawn much research attention is the so-called false data injection attack (FDIA) against state estimation. With knowledge of the grid topology, and by injecting suitable false data into selected meters, an FDIA can pass bad data detection (BDD) and remain stealthy to the grid's Supervisory Control and Data Acquisition (SCADA) system. The Energy Management System (EMS) then uses state estimates computed from the polluted measurements reported by the tampered meters to configure the grid, which results in incorrect, unreliable operation and may even lead to disastrous consequences.

Such an attack (the attacker's counter-measure, CM, against state estimation) can be prevented if a sufficient number of meters (links) is protected. Unfortunately, protecting a large number of meters can be very expensive and time-consuming. We therefore focus on the scenario in which the grid can only protect a selected set of measurements smaller than that required for an FDIA-free system. A scheme that maximizes the attacker's cost (i.e., the number of tampered meters required to form a stealthy meter data vector) is desired. This design goal amounts to countering the counter-measure carried out by an FDIA with a max-min approach. From the grid operator's viewpoint, however, its risk is inversely proportional to the attacker's cost, since the easier it is to launch an FDIA, the higher the risk to the grid. Hence our method is also min-max, trying to minimize the risk of being attacked. Our solution involves the notion of the security index (SI) of a meter, which is the minimum number of tampered meters, other than the meter of concern, needed to generate a legitimate attack vector that corrupts the state estimate. A meter's SI is evaluated by representing the grid as a graph and finding the minimum cuts associated with the branch (meter) of interest.

As locating multiple measurements for protection at once is computationally expensive, we adopt an incremental approach that, in each iteration, finds the single candidate meter for protection that costs the attacker the least. Finding and protecting the most vulnerable meter (the one with the smallest SI) forces the attacker to tamper with meters of higher SI in order to generate a legitimate false measurement vector, and thus to pay a higher cost. As there are often several meters with the same SI, and a meter is involved in many minimum cuts of the equivalent grid graph that link it to other meters, we develop further criteria for selecting the (most vulnerable) meter to protect.

Our approach transforms the NP-hard problem of optimizing a successful FDIA into one that can be solved in polynomial time for injection-free grids. We thus start with injection-free grids and then extend the method to full-measurement and other practical grids. We show that our injection-free solution gives a lower bound on the number of meters any FDIA has to tamper with. Computer simulations on several IEEE standard test grids examine the efficiency of our approach and verify its numerical advantages over other known methods.
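The security-index computation and the incremental protection step described above, as an added worked example that is not code from the thesis. It assumes the injection-free DC model with exactly one line-flow meter per branch, where a stealth attack vector a = H c is non-zero exactly on the branches whose end buses receive different state perturbations, so the sparsest stealth attack touching meter (u, v) is a minimum u-v edge cut and SI = (cut size - 1); it goes slightly beyond the text by also modelling already-protected meters as edges that can never be cut, so the same routine re-evaluates every SI after each protection. The tie-break (count how many of the tied meters' minimum cuts contain a candidate) is my assumption standing in for the thesis' own criterion, the class and method names are hypothetical, and the 4-bus fully connected core with a radial 2-bus chain is a constructed test grid, not an IEEE system.

```python
from collections import defaultdict, deque


class LineFlowGrid:
    """Injection-free DC grid: buses are vertices, each branch carries one
    line-flow meter and is an undirected edge.  The sparsest stealth attack
    touching meter (u, v) is a minimum u-v edge cut; the meter's security
    index (SI) is that cut size minus one, because its own branch is always
    in the cut.  Protected meters get "infinite" capacity: never cuttable."""

    def __init__(self, branches):
        # branches: iterable of (meter_id, bus_u, bus_v)
        self.branches = [(m, u, v) for m, u, v in branches]
        self.ends = {m: (u, v) for m, u, v in self.branches}
        self.protected = set()
        # A cut made only of unprotected meters costs at most len(branches),
        # so this capacity is effectively infinite for every comparison made.
        self.big = len(self.branches) + 1

    def protect(self, meter_id):
        self.protected.add(meter_id)

    def _capacities(self):
        cap = defaultdict(lambda: defaultdict(int))
        for m, u, v in self.branches:
            c = self.big if m in self.protected else 1
            cap[u][v] += c
            cap[v][u] += c
        return cap

    def min_cut(self, s, t):
        """Edmonds-Karp max flow; returns (cut value, meters crossing the cut)."""
        cap = self._capacities()
        flow = 0
        while True:
            parent = {s: None}
            queue = deque([s])
            while queue and t not in parent:
                x = queue.popleft()
                for y, c in cap[x].items():
                    if c > 0 and y not in parent:
                        parent[y] = x
                        queue.append(y)
            if t not in parent:
                break
            path, y = [], t
            while parent[y] is not None:
                path.append((parent[y], y))
                y = parent[y]
            bottleneck = min(cap[x][y] for x, y in path)
            for x, y in path:
                cap[x][y] -= bottleneck
                cap[y][x] += bottleneck
            flow += bottleneck
        reach = set(parent)  # s-side of a minimum cut in the final residual graph
        cut = {m for m, u, v in self.branches if (u in reach) != (v in reach)}
        return flow, cut

    def security_index(self, meter_id):
        """Minimum number of OTHER meters the attacker must tamper with to alter
        meter_id and still pass BDD; None if the meter is protected or if every
        cut through its branch contains a protected meter (no stealth attack)."""
        if meter_id in self.protected:
            return None
        value, _ = self.min_cut(*self.ends[meter_id])
        return None if value >= self.big else value - 1

    def grid_security_index(self):
        """Cost of the cheapest stealth attack against any unprotected meter."""
        values = [s for m, _, _ in self.branches
                  if (s := self.security_index(m)) is not None]
        return min(values) if values else None

    def choose_next_meter(self):
        """Greedy step: the unprotected meter with the smallest SI.  Ties go to
        the candidate contained in the most of the tied meters' minimum cuts
        (assumed rule, not the thesis' criterion), then to meter-id order."""
        si = {m: self.security_index(m) for m, _, _ in self.branches}
        finite = {m: s for m, s in si.items() if s is not None}
        if not finite:
            return None
        lowest = min(finite.values())
        tied = sorted(m for m, s in finite.items() if s == lowest)
        cuts = [self.min_cut(*self.ends[m])[1] for m in tied]
        return max(tied, key=lambda m: sum(m in c for c in cuts))

    def incremental_protection(self, budget):
        """Protect up to `budget` meters one at a time, always the currently
        most vulnerable one; returns the protection order."""
        order = []
        for _ in range(budget):
            m = self.choose_next_meter()
            if m is None:
                break
            self.protect(m)
            order.append(m)
        return order


# Constructed test grid (not an IEEE system): fully connected core A,B,C,D
# (3-edge-connected, so core meters start at SI 2) plus a radial chain A-E-F
# whose two meters can each be attacked alone (SI 0).
EXAMPLE_BRANCHES = [
    ("m1", "A", "B"), ("m2", "A", "C"), ("m3", "A", "D"),
    ("m4", "B", "C"), ("m5", "B", "D"), ("m6", "C", "D"),
    ("m7", "A", "E"), ("m8", "E", "F"),
]

if __name__ == "__main__":
    grid = LineFlowGrid(EXAMPLE_BRANCHES)
    print({m: grid.security_index(m) for m, _, _ in grid.branches})
    order = grid.incremental_protection(4)
    print("protected:", order, "grid SI:", grid.grid_security_index())
```

On the constructed grid the greedy run first spends two protections on the radial chain (both chain meters have SI 0, and protecting one does not raise the other), then protects a pair of opposite core branches, after which every remaining meter needs three accomplice meters: protecting one core branch alone would leave the grid SI at 2, which is why the cut-membership tie-break matters.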
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070060204
http://hdl.handle.net/11536/73004
Appears in Collections: Thesis


Files in this item:

  1. 020401.pdf
