Implications of Cyber Attacks on Distributed Power System Operations

The electric grid is a complex physically distributed and inter-connected network managed by a large number of entities (e.g., systems operators, utilities) to ensure reliable transmission, generation, and distribution of power. Sustained and reliable operation with dynamic situational awareness in the grid requires continued data sharing amongst the grid entities. Lack of automated communications and coordination between distributed operators in the grid contributes significantly to the lack of global situational awareness occasionally with serious consequences of runaway cascading failures. While wide-area monitoring and information sharing has been proposed by the Federal Energy Regulatory Commission, real-time data sharing in the grid is still done in an ad hoc manner between connected areas. Furthermore, the mode, amount, and granularity of data shared are not standardized. A smart adversary can design man-in-the middle attacks that limit the information shared between adjacent areas, thereby threatening the reliable operation of the system. In this paper, we focus on a class of topology-targeted man-in-the-middle (MitM) communication attacks aimed at limiting information sharing between adjacent areas, particularly when one or both areas experience topology changes (e.g., line outages). To understand the broader consequences of such attacks on actual power systems operation, we develop a tractable temporal model for energy management system (EMS) operations that allows studying the time progression of the cyber-attack introduced in one area and its effect on both areas. The aim of this work is two-fold: (i) understanding the physical consequences of a class of cyber-attacks; and (ii) mimicking data sharing conditions that in practice led to blackouts when local outages were not shared in real-time between connected areas (e.g., Northeast black 2003). Our results demonstrate that such an MitM communication attack in a distributed power network leads to a range of consequences, some more severe than others: these include relatively benign oscillations in the power flow solutions between the two areas that eventually fix themselves (infrequent) to more complex situations (more likely) over time including power flow overload violations caused by thermal limit relaxations, progressively severe lack of convergence of OPF in both areas, as well as actual physical line overflows that are not observable from the cyber solution but can eventually cause line overheating and cascading outages. Based on these observations, in addition to the traditional countermeasure of human operator-based data sharing (which have been shown to be error-prone and delayed too), it is essential to have more resiliency via automated data sharing mechanisms. To this end, we propose an interactive distributed data processing platform. This could help both areas become aware of inconsistencies over faster time-scales including: (a) enable local topology processing to include interactive updating; (b) enable real-time coordination of dispatch between the two areas; and (c) create and share a list of external contingencies caused to other areas by an internal component outage.