Developing correlation indices to identify coordinated cyber-attacks on power grids

Increasing reliance on Information and Communication Technology exposes the power grid to cyber-attacks. In particular, Coordinated Cyber-Attacks (CCAs) are considered highly threatening and difficult to defend against, because they (i) possess higher disruptiveness by integrating greater resources from multiple attack entities, and (ii) present heterogeneous traits in cyber-space and the physical grid by hitting multiple targets to achieve the attack goal. Thus, and as opposed to independent attacks, whose severity is limited by the power grid's redundancy, CCAs could inflict disastrous consequences, such as blackouts. In this study, the authors propose a method to develop Correlation Indices to defend against CCAs on static control applications. These proposed indices relate the targets of CCAs with attack goals on the power grid. Compared to related works, the proposed indices present the benefits of deployment simplicity and are capable of detecting more sophisticated attacks, such as measurement attacks. The method is demonstrated using measurement attacks against Security Constrained Economic Dispatch.


Introduction
The operation of today's power grid largely relies on automated control applications and Supervisory Control and Data Acquisition (SCADA) systems. While control applications compute the commands to operate the power grid, SCADA serves as the channel between control applications and field devices [1] by transmitting measurement and control signals. The desire to improve the efficiency and reliability of control applications and SCADA has led to the use of heterogeneous and non-proprietary information and communication technology (ICT) [2]. However, this heterogeneous and non-proprietary ICT increases the number of cyber-vulnerabilities, opening up a much wider scope of cybersecurity concerns among utilities.
By exploiting cyber-vulnerabilities, malicious adversaries can launch cyber-attacks against control applications and SCADA, among which Coordinated Cyber-Attacks (CCAs) are considered highly threatening and difficult to defend against. This is because CCAs (i) possess higher disruptiveness by integrating resources from multiple attack entities, and (ii) present heterogeneous traits in cyber-space and the physical power grid by hitting multiple targets to achieve the attack goal.
Thus, and as opposed to regular (or independent) cyber-attacks, whose severity is limited by the power grid's redundancy, CCAs could (i) inflict catastrophic consequences and (ii) be very challenging to detect in real time. CCAs could inflict catastrophic consequences, as exemplified by the cyber-attacks on the Ukrainian power grid (the 'BlackEnergy' malware attack in 2015 [3,4], and the 'Crash Override' attack in 2016 [5]). These CCAs disconnected multiple substations, which triggered power outages and left thousands of consumers and facilities without electricity. On the other hand, CCAs are challenging to detect in real time due to the invisibility of the attack goals, which are formed by, and thus concealed within, CCAs over space and time.
Intrusion Detection Systems (IDSs) are necessary tools to protect control applications and SCADA against cyber-attacks. IDSs record and analyse the cyber-traces left by adversaries who breach the grid's cyber-system to exploit vulnerabilities. If, after analysing the cyber-traces, the security of the grid appears to be compromised, then the IDSs generate alarms. In addition, some IDSs also take action to mitigate the attacks' effects. While IDSs can detect regular attacks or individual components of CCAs, they suffer from false alarms, fail to identify CCAs, and cannot estimate the attack consequences on the grid.
To identify CCAs and estimate attack consequences, recent works suggest integrating intrusion data from IDSs with attack templates, which model cyber-attacks against control applications. This integration results in a set of Correlation Indices (CIs) describing the temporal and/or spatial correlation of coordinated attacks.

Related works
Many CIs have been proposed in the literature; however, they differ in their principles, which we summarise below.

CIs based on adversaries' cyber traces:
Attack sequences of the same adversary have similar cyber-traces that can be identified as contributing to CCAs. IDSs use this detection principle to investigate the temporal correlation of intrusions in cyber-space. Anomaly matrices [6] and time failure propagation graphs [4] have been proposed to relate intrusion time with intrusion actions. While capable of detecting CCAs in cyber-space, CIs of this type fail to estimate the attack consequences on the grid.

CIs based on cyber-physical dependence:
Logic graphs describing the conditions (in sequence in cyber-space) for a physical consequence to take place can be used to derive CIs [7]. The logic graphs can take the form of attack trees [8], attack graphs [9], and Petri nets [10]. The temporal correlation of attacks is derived not only in cyber-space but also in the physical power grid (see Fig. 2 in [11] for an example). However, constructing these logic graphs requires great computational effort due to the large number of cyber and physical components.

CIs based on attack goals on the physical grid:
Adversaries' goals, described with reliability metrics or in terms of the criticality of a certain target, are used to derive CIs. For example, in [4], substations are the attack targets and their criticality is ranked first. In [12], the attack goal is modelled as causing an insufficient power transfer. That work takes a numerical approach by disconnecting a set of substations at one time and running a power flow; the substations in the set are identified as correlated if the power flow diverges. Given the great size of power grids, the combined deployment of CIs based on cyber-traces and attack goals promises better computational performance and higher accuracy than CIs based on cyber-physical dependence. The existing CIs based on attack goals, however, are limited to a few goals achieved by corrupting control commands. Other cyber-attacks, such as measurement attacks, present much higher threats in coordination (a rich body of literature has shown their impact on electricity markets and security constrained power flows [13][14][15]). This is because measurement attacks are (i) difficult to detect, since they hide in measurement signals and deceive through the control applications, and (ii) capable of inflicting disastrous consequences by coordinating attacks against multiple grid components.

Our work
This paper proposes a method to derive CIs based on attack goals for the following attack template: measurement attacks against Security Constrained Economic Dispatch (SCED). In particular, we make the following contributions: (i) An analytical method to derive CIs. We formulate the attack template as a bilevel mixed-integer optimisation program. This problem is challenging due to its non-convex and combinatorial nature. To address these challenges, we propose an algorithm that computes the CIs based on attack goals. (ii) A collection of set-theoretic properties of the CIs. These properties relate attack goals to the targets of CCAs. (iii) Defence strategies against CCAs, a metric of defence effectiveness, and the application of CIs to identify CCAs.
Though we present our method to derive CIs for SCED, we emphasise that our method can be extended to other static control applications.
The remainder of the paper is organised as follows. Section 2 reviews the concepts of static applications and attack templates. The mathematical models of SCED and the attack template in bilevel form are presented in Sections 3 and 4, respectively. The CIs are derived in Section 5. Section 6 describes the CIs' properties, defence strategies, the metric of defence effectiveness, and the application of CIs to identify CCAs. In Section 7, the CIs are demonstrated with numerical experiments. Finally, Section 8 concludes the paper.

Background
In this section, we review the concepts of static applications and attack templates.

Static control applications
Static applications are control loops designed to monitor, supervise, and control the grid's operating point, i.e. they ignore the dynamics and work with the grid at a quasi-steady state. These applications can be automated or executed by a human operator. Examples include SCED, Optimal Reactive Power Support, and dispatch in Electricity Markets.
Fig. 1 illustrates a schematic diagram of a static application. These applications compute control commands by solving optimisation problems or by allowing direct manipulation via a human-machine interface. In any case, the control commands are computed based on measurements collected at remote substations. To verify the integrity of these measurements, the most well-known applications implement state estimation and bad data detection.

Attack templates
Attack templates describe models of cyber-attacks on control applications. We consider two CCAs: control and measurement attacks. In control attacks [16], adversaries coordinately corrupt or hijack multiple control devices and directly modify control commands (Fig. 2a). This class of attack is essentially the same as physical attacks, in the sense that the grid's configuration is altered by control signals in a way similar to mechanical operation. In measurement attacks [16], adversaries coordinately contaminate or falsify measurements at multiple substations to manipulate decision-making processes (i.e. control applications) (Fig. 2b). Since remote substations collect the measurements and operate physical control devices (e.g. circuit breakers or capacitors), we assume that coordinated control and/or measurement attacks are executed by hacking into multiple remote substations.
Attack templates have been used in the literature to determine the consequences of cyber-attacks, identify critical components of the grid, derive defence strategies, and so on. For instance, by studying the attack template of measurement attacks on state estimation, several authors have proposed to stop the attacks by enhancing the screening methods of state estimation [17]. This defence strategy, however, fails if the static application does not have state estimation, which is often the case for real-time and contingency dispatch.
In this paper, we consider the following attack template: measurement attacks against SCED. This attack template describes an adversary with the following characteristics: (i) The adversary knows the models of the power grid and SCED. (ii) The adversary can hack into the substations' ICT and inject falsified measurements to manipulate SCED. (iii) The adversary can coordinate the attack against multiple substations over a large geographic area, i.e. launch CCAs.
We use the attack template to derive CIs. These CIs describe a relation between the target substations and the attack goal (Fig. 3).
Remark 1: The adversary's characteristics might be restrictive. However, they were selected for convenience of the CIs' development and can be relaxed at the expense of more involved computations. For example, to relax the first characteristic, existing studies [18,19] developed stochastic methods to launch attacks with limited information. Other studies [20,21] presented methods for estimating the power grid model with region-constrained information from multiple adversaries. The stochastic and estimation methods can easily be applied to extend the CIs' development method in future studies.

Mathematical models
In this section, we describe the models of the power grid and SCED.

Mathematical notation
Throughout this paper, we use the following notation. Let ℝ and ℝ≥0 (resp. ℝ>0) denote the set of real numbers and the non-negative (resp. positive) real numbers. For n > 1, I_n denotes the n-dimensional identity matrix. 1 and 0 denote, respectively, the vectors (or matrices) with all components equal to one and zero. Given a finite set V, we let |V| denote its cardinality, i.e. the number of elements of V, and 2^V the power set of V, i.e. the set of all subsets of V.
For a matrix A ∈ ℝ^{n×m}, [A]_i and [A]_{ij} denote its ith row and its (i, j)th element. Given a vector x ∈ ℝ^n, x_i denotes its ith element, (x) is the diagonal matrix of x, and ‖x‖_0 is the zero norm of x, i.e. the number of non-zero elements of x. We let ‖x‖_∞ denote the infinity norm, defined as ‖x‖_∞ := max_i |x_i|. For two vectors x, y ∈ ℝ^n, x ∘ y = z ∈ ℝ^n denotes the Hadamard or element-wise product, i.e. z_i = x_i y_i, and x ⪯ y denotes the element-wise inequality, i.e. x_i ≤ y_i.

Power grid modelling
We model the power grid as the graph G = (V, E), where V and E ⊂ V × V are the sets of n := |V| buses and m := |E| transmission lines. To each bus i ∈ V, we associate the generation P_{g,i} ∈ ℝ≥0 and the demand P_{d,i} ∈ ℝ≥0; to each transmission line e := (i, j) ∈ E, connecting buses i, j ∈ V, we associate the power flow P_{f,e} ∈ ℝ. In vector form, the generation, demand, and power flows are, respectively,
In addition, we assume the grid has a set of n_s substations, i.e. S = {s_1, s_2, …, s_{n_s}}. At the substation s_k, we represent the grid within its service area as the sub-graph G_{s_k} = (V_{s_k}, E_{s_k}) with the following properties: (i) Substation service areas compose the entire power grid, i.e.
(ii) Substation service areas may overlap, i.e. for some s_k, s_l ∈ S we may have G_{s_k} ∩ G_{s_l} ≠ ∅, but the overlapped areas do not have buses with generation. (iii) Each substation collects demand measurements, denoted as P̃_d ∈ ℝ^n, within its service area.

Security constrained economic dispatch
We consider a SCED problem that computes a new generation profile P_g* based on the demand measurements P̃_d. The SCED problem is formulated based on the power flow equations. The power flow equations are the mathematical model used to plan, operate, and analyse the power grid. They describe how generation and demand balance, and how active and reactive power flow through the grid.
For large-scale power grids, however, the coupled active and reactive power flow model might become computationally expensive and even infeasible. Thus, a decoupled (DC) power flow might be the only viable alternative for solving large-scale problems. DC power flow is simpler and more robust due to sparsity and linearity, but it is only accurate close to the operating point [22]. We refer the interested reader to [23,24] for more information on how utilities use DC power flow.
We formulate SCED (based on DC power flow) as a convex optimisation problem that minimises the total generation cost (1a) subject to the following security constraints: generation-demand balance (1b), operation limits of the generators (1c), and transmission limits on power flows (1d), i.e.
where c_2, c_1, c_0 ∈ ℝ^n≥0 are the cost coefficients of generation, C_2 = (c_2), P̄_g ∈ ℝ^n≥0 is the rated power of the generators, P̄_f ∈ ℝ^m≥0 is the thermal capacity of the transmission lines, and F is the generator shift matrix.

Attack template
In this section, we describe the attack template in bilevel form.The attack template models measurement attacks against SCED.We also describe the attack goal and constraints.

Measurement attacks
Let a ∈ ℝ^n denote the attack signal. The adversary fabricates a to corrupt the demand measurements as follows: We assume the adversary injects a by hacking into substations and altering measurements at the data concentrator (or at a communication link via a man-in-the-middle attack). Thus, in the rest of the paper, we refer to the target data concentrator and the ICT within the substation as the target substation.

Attack goal
Using the corrupted measurements (2), the adversary has the following attack goal: to manipulate SCED and increase the power flow on a single target line e ∈ E, which occurs under condition (3), where P_{f,e}(a) ∈ ℝ (resp. P_{f,e}(0) ∈ ℝ) denotes the power flow on e after (resp. before) the attack, P_g*(a) ∈ ℝ^n denotes the new (after the attack) generation profile, and τ ∈ (0, τ̄] ⊆ ℝ>0 quantifies the flow increase. We use the notation (e, τ̃) ∈ E × (0, τ̄] to describe attack goals satisfying (3). Since τ ∈ (0, τ̄], we can have (in theory) an infinite number of attack goals. In practice, however, we study a finite number of attack goals τ, for example the values of τ that cause congestion (relating to economic loss), overloading (increasing long-term capital cost by accelerating asset depreciation and increasing losses), and loss of transmission lines (under very stressful operating conditions). Thus, in the worst-case scenario, we assume the adversary maximises the flow increase τ.
In the SCED example, the target lines are selected differently depending on the attack goal. For example, a line connected to a critical generator can be selected if the adversary aims to destabilise the system under heavily loaded conditions. Similarly, one or more lines can be selected to cause congestion (surrounding a load area) and induce market power. As a result, adversaries can deprive generation assets outside or inside the load area of profit. (In the latter case, the electricity market has a power mitigation procedure [25].)

Attack constraints
The attack might be constrained due to the following: (i) State estimation and bad data detection. (ii) Corruptible measurements and defence at substations. (iii) Attack resources.
Since SCED has state estimation, the adversary must design the attack signal a to bypass bad data detection. Other applications, however, might not have state estimation, and hence the attack signal a can take any (realistic) value. In any case, we write this constraint as ‖a‖_∞ ≤ ā, where ā > 0. We can use ā as a design parameter to model different attack scenarios.
If the defender protects substation s_k ∈ S, then the adversary cannot corrupt measurements at s_k; otherwise, the adversary can corrupt all of its measurements. We write this constraint as follows, where δ_{s_k} = 1 if the adversary attacks s_k, and δ_{s_k} = 0 if not. The vector δ(e, τ) = [δ_{s_1}, δ_{s_2}, …, δ_{s_{n_s}}]^⊤ describes the safe and target substations during CCAs with an attack goal (e, τ).
If the adversary has limited resources, then (s)he must limit the number of target substations. We write this constraint as ‖δ(e, τ)‖_0 ≤ κ, (5) where κ ∈ {1, 2, …, n_s} denotes the maximum number of target substations. In the worst-case scenario, the adversary minimises κ. Remark 2: Note that in the worst-case scenario the adversary faces two conflicting objectives: maximise τ and minimise κ. The interaction between τ and κ generates a Pareto-like trade-off between the aimed flow increase (τ) and the number of target substations (κ).

Attack template in the bilevel form
We use bilevel optimisation to model the attack template, describing the worst-case scenario of measurement attacks against SCED. Since bilevel optimisation models decision making among agents [26] (e.g. adversary versus defender), researchers have used it to study cyber-attacks [27,28] and physical attacks [29] on power grids.
We write the attack template in bilevel form as follows: where P_g*(a) denotes the optimal solution of the SCED optimisation problem, parametrised by the attack signal a, i.e. P_g*(a) ∈ arg min with In the above, the upper-level problem (6) models the attack goal and constraints, while the lower-level problem (7) models the SCED manipulated through the corrupted measurements (a).
The optimal solution of the bilevel form (τ*, κ*, δ*, a*, P_g*), if it exists, describes an adversary that targets the least number of substations (κ* and δ*) and maximises the flow increase (τ*) on the single line e ∈ E.
The bilevel form (6) and (7) depends on several parameters, including the power grid parameters, the SCED parameters, and the maximum value of the attack signal ā. Thus, a defender, using the attack template, can select the parameters to study different scenarios.
Remark 3: By defining the corresponding attack goal, constraints, and control algorithm, we can model measurement attacks against other static applications using the attack template in bilevel form. In addition, we can model control attacks using the upper-level problem (6).

Deriving the CIs
In this section, we derive the key concepts, namely the CIs and the security index. We obtain the indices by transforming the attack template in bilevel form into a Mathematical Program with Equilibrium Constraints (MPEC) and addressing its mathematical challenges.

Mathematical challenges
The MPEC (8) is a challenging problem. Its properties are far more complex than those of traditional mathematical programming problems, making the standard non-linear programming approach inapplicable [31]. These challenges arise because the MPEC (8) is non-convex, is non-differentiable, and has two conflicting objectives. The complementary slackness constraint (8g) makes the MPEC (8) non-convex. To address this challenge, we linearise (8g) using the Big M method [31]. Let M > 0 be a sufficiently large constant; then (8g) is equivalent to a set of linear constraints, where ω ∈ {0, 1}^{2(n+m)} is a binary decision variable.
The attack goal constraint (3) makes the MPEC (8) non-differentiable. To address this challenge, we proceed as follows. Since the flow on e before the attack, P_{f,e}(0), can be computed using (1), the attack goal constraint (3) can be rewritten using binary variables, where M_∞ > 0 is a sufficiently large constant and ω_e^+, ω_e^- ∈ {0, 1} are binary decision variables.
The MPEC (8) has two conflicting objectives, i.e. max τ − κ. To address this challenge, we minimise κ (i.e. the number of target substations) and let τ ≥ τ̃, where τ̃ is a predefined flow increase. We can attach semantics to τ̃, e.g. the τ̃ that triggers the line's protection.

Algorithm: deriving the CIs
The optimal solutions κ* and δ*(e, τ̃) of (11) denote, respectively, the security index and the CI for the attack goal (e, τ̃). The security index κ* determines the least number of target substations needed to increase the flow by τ̃ on line e, while the CI δ*(e, τ̃) describes which substations are targeted. This CI represents a strongly correlated CCA, since it relates the least number of target substations with the attack goal (e, τ̃).
Though the security index κ* is unique, the CI might not be. Other CCAs attacking κ* substations might also increase the flow by τ̃ on line e, a consequence of the combinatorial nature of (11). All the CIs, however, are feasible solutions of (11) with κ = κ*, which we use to develop the following algorithm (see Fig. 4).
Given the attack goal (e, τ̃), Algorithm 1 (depicted in Fig. 4) computes the security index first, and then the CIs by exploring which of the (n_s choose κ*) combinations of target substations are feasible solutions of (11) with κ = κ*.
The mathematical procedure, i.e. deriving the CIs from the embedded optimisation problem (11), is applicable to other static control applications that are formulated as an optimisation problem. Examples are emergency voltage control, economic dispatch in electricity markets under various time frameworks, and so on.

Limitations
Our method has a limitation, namely the computation performance of Algorithm 1 (Fig. 4), which we discuss next.
Algorithm 1 (Fig. 4) only promises locally optimal solutions in finite time. This is because the mixed-integer linear problem (11) and the (n_s choose κ*) − 1 feasibility problems are in general NP-hard. Given that there are only a few substations in a power grid, the computation time of the proposed algorithm is unlikely to be a problem. However, in the case of abrupt changes occurring in the power grid, the CIs will need to be updated at run time, and an algorithm providing theoretical convergence bounds must be sought. These tasks are out of the scope of this paper, but they will be part of our future work.

Applying the CIs to protect against CCAs
In this section, we describe the properties of CIs using a set-theoretic approach. These properties allow us to derive defence strategies against CCAs. In particular, CIs defend against CCAs in the following ways: (i) CIs imply defence strategies (in terms of physical and cyber asset criticality) under limited resources, and (ii) CIs reveal the attack goals of CCAs, which can be used in IDSs to allow the run-time detection of CCAs.
The next proposition shows that if the CCA S_{α,j′} fails to increase the flow by τ̃ on line e, then all subordinated attacks S_{α,j} ⊂ S_{α,j′} also fail to increase the flow on e.
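Algorithm 1 (Section 5) and the subset property just stated, as an added Python example that is not the paper's code. The lower-level SCED is replaced by an assumed, constructed linear flow-sensitivity model per bus, so the feasibility check of (11) for a fixed target set reduces to a sum over the union of the targeted substations' service areas; the six-substation layout, its overlaps and the sensitivities are all constructed. The example also shows how protecting one substation changes the security index.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed toy grid (not the paper's New England case): n_s = 6 substations
# with the demand buses in their service areas. Areas may overlap (property ii),
# so the buses an attack can corrupt form the UNION of the targeted areas.
SUBSTATIONS: Dict[str, FrozenSet[int]] = {
    "s1": frozenset({1, 2, 3}),
    "s2": frozenset({3, 4}),       # overlaps with s1 at bus 3
    "s3": frozenset({5, 6}),
    "s4": frozenset({7, 8, 9}),
    "s5": frozenset({9, 10}),      # overlaps with s4 at bus 9
    "s6": frozenset({11, 12}),
}

# Assumed stand-in for the lower-level SCED (7): change of the flow on the target
# line e, in % of the pre-attack flow, per 1.0 p.u. of demand error injected at
# each bus. The paper obtains this relation by solving (11); here it is a
# constructed linear sensitivity so the example runs without an MILP solver.
FLOW_SENSITIVITY: Dict[int, float] = {
    1: 12.0, 2: 9.0, 3: 15.0, 4: 4.0, 5: 2.0, 6: 1.0,
    7: 20.0, 8: 6.0, 9: 3.0, 10: 1.5, 11: 0.5, 12: 0.5,
}
A_BAR = 0.1   # bound on the attack signal, ||a||_inf <= a_bar
EPS = 1e-9    # feasibility tolerance for floating-point sums


def max_flow_increase(targets: FrozenSet[str]) -> float:
    """Largest flow increase tau (in %) reachable by corrupting only `targets`:
    every bus in the union of their areas is pushed by a_bar in the sign that
    raises the flow on e; buses outside the targets keep a_i = 0."""
    buses: Set[int] = set()
    for s in targets:
        buses |= SUBSTATIONS[s]
    return sum(abs(FLOW_SENSITIVITY[b]) * A_BAR for b in buses)


def feasible(targets: FrozenSet[str], tau_tilde: float, protected=frozenset()) -> bool:
    """Feasibility of (11) with delta fixed to `targets`: a protected substation
    cannot be targeted, and the goal tau >= tau_tilde must be reached."""
    if targets & protected:
        return False
    return max_flow_increase(targets) + EPS >= tau_tilde


def security_index(tau_tilde: float, protected=frozenset()) -> int:
    """kappa*: least number of target substations reaching (e, tau_tilde);
    0 if the goal is unreachable even when every substation is targeted."""
    names = sorted(SUBSTATIONS)
    for kappa in range(1, len(names) + 1):
        if any(feasible(frozenset(c), tau_tilde, protected)
               for c in combinations(names, kappa)):
            return kappa
    return 0


def correlation_indices(tau_tilde: float, protected=frozenset()) -> List[FrozenSet[str]]:
    """Second phase of Algorithm 1: every kappa*-subset that is a feasible
    solution of (11) is a CI delta*(e, tau_tilde); a goal may have several."""
    kappa = security_index(tau_tilde, protected)
    if kappa == 0:
        return []
    return [frozenset(c) for c in combinations(sorted(SUBSTATIONS), kappa)
            if feasible(frozenset(c), tau_tilde, protected)]


def all_subordinates_fail(targets: FrozenSet[str], tau_tilde: float) -> bool:
    """Proposition check: if the CCA `targets` fails to reach tau_tilde, every
    subordinated attack (a proper subset of its substations) fails as well."""
    if feasible(targets, tau_tilde):
        return False            # premise does not hold: `targets` succeeds
    return all(not feasible(frozenset(c), tau_tilde)
               for k in range(1, len(targets))
               for c in combinations(sorted(targets), k))


if __name__ == "__main__":
    for tau in (2.5, 5.0, 7.0):
        cis = [sorted(ci) for ci in correlation_indices(tau)]
        print(f"tau~={tau}%  kappa*={security_index(tau)}  CIs={cis}")
    # Defence implication: protecting s2 raises kappa* for the 7% goal from 4 to 5.
    print("kappa* with s2 protected:", security_index(7.0, frozenset({"s2"})))
```

Note that {s1, s2} reaches only 4.0%, not the 5.5% a naive per-substation sum would give, because the overlapping bus 3 is counted once; this is why the CI for the 5% goal is {s1, s4}.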

Numerical experiments
In this section, we provide numerical simulations, using the reduced model of the New England power grid, to demonstrate (i) how our method deduces CIs (described in Section 5), and (ii) the CIs' properties, defence implications, and the metric of defence effectiveness (described in Section 6). We remark, however, that the deductive approach to construct CIs is not limited to the power system used in the experiments but is applicable to any power system configuration. Fig. 6 shows the New England 39-bus system used to model a power grid with n_s = 6 substations. We selected two target lines, e = (2, 25) and e′ = (16, 21), and the target flow increases τ ∈ {2.5%, 5%, 7.5%, 10%}. The line e ∈ E (resp. e′ ∈ E) connects substations s_1 and s_6 (resp. s_2 and s_4), which allows us to mimic attacks aiming to cause overloading, trip the protective relays on the lines, and disconnect the substations from each other. The parameters used in our experiments were M, M_∞ = 10³, ā = 0.1, and the SCED base-case data for the New England system taken from the MATPOWER software package [33].

Experiment 1: Deducing the CIs
In this experiment, we derived the CIs for the attack goals (e, τ̃) and (e′, τ̃) using Algorithm 1 (Fig. 4). We implemented Algorithm 1 (Fig. 4) using CVX (a package for solving convex and linear mixed-integer programs [34]). Tables 1 and 2 present the collection of CIs. We found that all attack goals have unique CIs except (e, 5%).

Experiment 2: CIs dependence on the parameter a
In this experiment, we studied the CIs' dependence on ā. Fig. 7 shows how the security index κ* changes as we increase the maximum value of the attack signal, ā. We found that the security index decreases as ā increases.
This result implies that if the defender increases a ¯ in the attack template, the defence implications become more conservative.

Experiment 3: Defence implications of CIs
We studied the mathematical properties of CIs and the defence implications from Theorem 2. Tables 1 and 2 show, respectively, the CIs for the attack goals (e, τ̃) and (e′, τ̃), before and after protecting substation s_{k*} = s_2. Before protecting substation s_{k*} = s_2, the CIs have the following defence implications: for the attack goal (e, 5%), subordinated attacks of the CI S_{α,j}

Conclusion
In this paper, we provided a method to derive CIs based on attack goals, which can be used to estimate attack consequences and identify critical substations during coordinated attacks. Compared to existing approaches, our method does not rely on the numerical simulation of a large number of attack events to conclude attack patterns for a specific victim power grid. In contrast, our method is deductive (by deriving CIs, we analytically reveal the cyber-physical causal chain of the attack for any power system configuration and attack goal) and is able to detect more sophisticated attacks, such as measurement attacks. We modelled the attack template as a bilevel optimisation program and derived Algorithm 1 (Fig. 4) to solve it. Algorithm 1 (Fig. 4) computes the CIs for any given attack goal. These CIs describe strongly correlated attacks, since the adversary reaches the goal by attacking the least number of target substations. We then used a set-theoretic approach to derive the CIs' properties. These properties suggest defence implications against coordinated attacks, including the best defence for a transmission line, the best defence against strongly correlated attacks, and the metric of defence effectiveness. Thus, our method to compute CIs and their properties presents the benefit of deployment simplicity but faces one limitation, namely the computational performance of Algorithm 1 (Fig. 4). However, given that there are only a few substations in the power grid, the computational performance is unlikely to be a problem. In our future work, we will use the CIs and their defence implications together with IDSs to protect the grid against coordinated attacks.

Fig. 1 Static control application. At the substation s_k, we illustrate its ICT, including IDSs

Fig. 3 Relation graphs between n_s targets (s_k) and m attack goals (θ_i). For example, the targets associated to θ_3 are {s_5, s_6, s_{n_s}}, and to θ_m are {s_2, s_4, s_5, s_6}

Fig. 4 Deriving the security index and CIs