Topology Attacks on Power System Operation and Consequences Analysis by Jiazi Zhang A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Science Approved June 2015 by the Graduate Supervisory Committee: Lalitha Sankar, Chair

The large distributed electric power system is a hierarchical network involving the transportation of power from the sources of power generation via an intermediate densely connected transmission network to a large distribution network of end-users at the lowest level of the hierarchy. At each level of the hierarchy (generation/ transmission/ distribution), the system is managed and monitored with a combination of (a) supervisory control and data acquisition (SCADA); and (b) energy management systems (EMSs) that process the collected data and make control and actuation decisions using the collected data. However, at all levels of the hierarchy, both SCADA and EMSs are vulnerable to cyber attacks. Furthermore, given the criticality of the electric power infrastructure, cyber attacks can have severe economic and social consequences. This thesis focuses on cyber attacks on SCADA and EMS at the transmission level of the electric power system. The goal is to study the consequences of three classes of cyber attacks that can change topology data. These classes include: (i) unobservable state-preserving cyber attacks that only change the topology data; (ii) unobservable state-and-topology cyber-physical attacks that change both states and topology data to enable a coordinated physical and cyber attack; and (iii) topologytargeted man-in-the-middle (MitM) communication attacks that alter topology data shared during inter-EMS communication. Specifically, attack class (i) and (ii) focus on the unobservable attacks on single regional EMS while class (iii) focuses on the MitM attacks on communication links between regional EMSs. For each class of attacks, the theoretical attack model and the implementation of attacks are provided, and the worst-case attack and its consequences are exhaustively studied. In particularly, for class (ii), a two-stage optimization problem is introduced to study worst-case attacks that can cause a physical line overflow that is unobservable in the cyber layer. The