1

An Economic-based Cyber-security Framework for Identifying Critical Assets Jie Yan, Member, IEEE, Rui Bo, Senior Member, IEEE, Ming Ni, Senior Member, IEEE

Abstract—This research proposes a systematic approach to identify critical assets that support the efficiency of electricity markets. NERC standards CIP provides guidance on the identification and protection of critical cyber assets that support the reliability of power systems. Those assets don’t include properties that are critical to the efficiency of electricity markets. However, attacking such properties may cost electricity market customers millions of dollars. This systematic approach fills the gap, and identifies the assets that have significant impacts on the market efficiency. The methodology is to analyze congested flowgates in an electricity market. It starts from a full list of the congested flowgates, and rank the congested flowgates with Estimated Potential Benefit (EPB) calculation. Top congested flowgates are then obtained. Apply correlation calculation to the top congested flowgates. A final list of critical congested flowgates is generates as a result. The simulation is performed on an ISO market. It identifies a short list of critical congested flowgates in the ISO market. Attacking one of those critical congested flowgates may cost the ISO market averagely thousands of dollars per hour. Future study is to develop security mechanisms for the critical congested flowgates. It includes both cyber security measures and physical security measures. Index Terms—Electricity market, LMP, Congested flowgates, Shadow Price, Production cost, EPB, Correlation coefficient, ISO I.

INTRODUCTION

T

his paper presents a systematic approach to identify critical assets that support the efficiency of electricity markets. It will provide important security guidance for Regional Transmission Organizations (RTOs)/Independent System Operators (ISOs) to keep the safety of electricity markets. It will also fill a gap in NERC standards Critical Infrastructure Protection (CIP). NERC standards CIP specifically pertains to the identification and protection of critical cyber assets that

Ming Ni is with NARI Group Corporation, Nanjing, China ([email protected]). J. Yan and Rui Bo are with Mid-continent Independent Transmission System Operator (MISO), Eagan, MN 55122, USA ([email protected], [email protected]). This work is supported by the State Grid Corporation project: Key Technologies for Power System Security and Stability Defense Considering the Risk of Communication and Information Systems. Disclaimer: The views expressed in this paper are solely of the authors and do not necessarily represent those of NARI and MISO.

support the reliability of power systems [1]. However, those assets don’t include properties that are important to the efficiency of electricity markets. If such properties are under attack, it will cause a higher Locational Marginal Pricing (LMP) and cause millions of dollars loss. For example, if a transmission line is out of service due to cyber attacks, and it reduces the transfer capacity from coal units to loads, the coal units will generate less because of transmission congestion, and gas units will generate more to pick up the loads. As a result, the LMP at the load side will be higher, and the electricity production cost will increase. It is very beneficial to identify assets that are critical to the market efficiency. By doing so, RTOs/ISOs can enhance the cyber security of those assets to keep the efficiency of the markets which mean stable LMPs and optimal electricity production cost. Much effort has been made to maintain the reliability of power systems under cyber attacks. Reference [2] characterizes the fundamental limitations of static, dynamic, and active monitors on attack detection and identification. It shows graph theoretic conditions for the existence of undetectable and unidentifiable attacks. As an extension of [2], the authors present centralized and distributed monitors for attack detection and identification in [3]. False data injection attacks against state estimation are introduced in [4]. If designed carefully, those attacks can be undetectable. Reference [5] assesses quantitatively vulnerabilities of power control systems through an attack tree. The impact of a cyber attack on SCADA systems is studied systematically in [6]. A vulnerability analysis framework is proposed for coordinated variable structure switching attacks in [7]. Reference [8] develops a Bloom filter-based intrusion detection approach for resource constrained SCADA field devices. Reference [9] introduces a two-tier hierarchical cyber-physical framework to monitor transient stability against cyber-physical attacks. In [10], a PMU-based risk assessment framework is presented to enhance voltage stability against attacks. There are many ways to jeopardize the market efficiency through cyber attacks, such as attacking the data (both power system data from the state estimation and bid data from market participants), directly attacking the critical transmission assets (flowgate) to make it out of service. This paper will propose a method to identify critical transmission assets which have significant impacts on electricity markets. The proposed method will be tested on an ISO case.

2 II. IDENTIFICATION The systematic approach to identify critical transmission assets is shown in Fig. 1. It starts from identifying congested flowgates in an electricity market. Then an advanced ranking method, which is called Estimated Potential Benefit (EPB), is used to get top congested flowgates. Correlations of different top congested flowgates are calculated so as to identify critical congested flowgates.

Congested Flowgates EPB Calculation

C. Correlation Calculation [12] Correlation calculation reveals the mutual impact between different top congested flowgates. The information is very important for identifying the critical flowgates for cyber attacks. If a top congested flowgate is closely correlated to many other top congested flowgates, then its out-of-service after a cyber attack will result in a large-scale congestion boost and a big LMP change in congested areas. On the other hand, if a top congested flowgate is not correlated closely with other top congested flowgates, attacking it will not cause a large-scale congestion boost or a big LMP change. The method used is to compute the correlation coefficient between the hourly flows on every two top congested flowgates [12]. The formula is as follows: n

∑ (x

i

rxy =

Top Congested Flowgates

− x)( yi − y) (1)

i =1 n

n

∑ (x

i

− x)

i =1

Correlation Calculation

where

Fig. 1. The proposed systematic approach A. Congested Flowgates The systematic approach starts from identifying the congested flowgates because they affect the LMP directly. The LMP is the sum of three components: Marginal Energy Charge (MEC), Marginal Congestion Charge (MCC), and Marginal Loss Charge (MLC). The Shadow Prices of congested flowgates determine MCC. Therefore, congested flowgates have importance impacts on the efficiency of electricity markets. The impacts of congested flowgates are quantified by Shadow Prices. The Shadow Price of a congested flowgate is the system production cost reduction if the congestion is relieved by 1 MW. B. EPB Calculation EPB calculation is to generate a list of top congested flowgates. There are thousands of congested flowgates in an electricity market. It is neither practical nor efficient to employ security measures on every one of them. It is better to direct such efforts to congested flowgates that have the most significant impacts on the market efficiency. EPB calculation is used to identify such flowgates. The computation method in introduced in [11]. The congested flowgates are ranked by their EPBs. Flowgates with large EPBs are ranked high; flowgates with small EPBs are ranked low. Flowgates with the EPB larger than a certain threshold are selected as top congested flowgates.

∑(y

i

− y)

2

i =1

xi and yi are the flows at hour i on the top congested

flowgates X and Y respectively; x and y are the sample mean of

Critical Congested Flowgates

2

xi and yi respectively; n is the number of hours.

The correlation coefficient measures the linear dependence between X and Y. It realized values between -1 to 1. The closer the correlation coefficient is to -1 or 1, the stronger correlation X and Y have. If the top congested flowgates X and Y have high mutual impact,

xi and yi will have a big correlation coefficient. For

example,

when

X

and

Y

are

in

parallel,

then

xi / yi = R y / R x , and rxy = 1, where Rx and Ry are the impedance of X and Y respectively. When X and Y are in consecutive, then

xi = yi , and rxy = 1. Therefore, the

correlation coefficient measures the mutual impact between two top congested flowgates. When

xi and yi have a big correlation coefficient, the top

congested flowgates X and Y do not necessarily have high mutual impact. Therefore, this method uses the geographical distance between the flowgates X and Y as well. If

xi and yi

have a big correlation coefficient, and the flowgates X and Y are physically close, it will be judged that X and Y have high mutual impact. Critical congested flowgates are selected after correlation calculation. The correlation coefficient of the hourly flows on every two top congested flowgates is calculated. If a top congested flowgates has strong correlations with multiple other top congested flowgates, and those flowgates are close, it will be selected as a critical congested flowgate. III. CASE STUDY A. Case Introduction The electricity market of an ISO is used for case study. A

3 production cost model is built to represent the ISO market in details which has more than 80,000 transmission branches, 60,000 buses, and 5,000 generators. A very powerful simulation tool, called PROMOD, is used for case study. PROMOD simulates the Day-ahead market of the ISO market. It performs hourly chronological Security Constrained Unit Commitment (SCUC) and Security Constrained Economic Dispatch (SCED) on the ISO market model. As a result, it generates the hourly Shadow Prices of individual transmission flowgates, the hourly LMPs of individual buses and the hourly production costs of individual generators. B. Simulation Results The simulation follows the process shown in Fig. 1. It starts from a combined list of historical congested flowgates and future congested flowgates in an ISO. After EPB calculation of each congested flowgates, top congested flowgates are selected. Then the correlations between each pair of top congested flowgates are computed. As a result, critical congested flowgates are identified based on the correlations. The historical congested flowgates are obtained from ISO market records; the future congested flowgates are generated from future year’s production cost model. The future congested flowgates are forecasted to have congestions in the future based on forward looking of the ISO market. Combined with the historical congested flowgates, they provide a complete list of congested flowgates. Different future scenarios are considered when the future congested flowgates are generated. Future uncertainties such as load levels and fuel prices have a big influence on SCUC and SCED. Therefore, different load levels or different fuel prices will result in different congestion patterns in the transmission system. This case study uses different future scenarios. They are different with regard to future uncertainties including load levels and fuel prices. The major differences are shown in Table I. Gas Price is shown here because gas units are usually marginal units in electricity markets. Future congested flowgates are then identified under the various future scenarios. Future Scenario Scenario #1 Scenario #2 Scenario #3 Scenario #4

TABLE I DIFFERENT FUTURE SCENARIOS Load Growth Rate Gas Price Escalation Rate 1.06% 2.5% 1.59% 4.0% 0.53% 1.5% 1.06% 4.0%

The EPB calculation ranks the congested flowgates, and the picked top congested flowgates are shown in Fig. 2. There are 27 top congested flowgates in this case. They are represented by Letter A to AD. Fig. 2 shows the geographical locations of the top congested flowgates. The correlation calculation shows that the top congested flowgates A, K, N, R, V have strong correlations with other top congested flowgates that are geographically close. The correlation coefficients are shown in Table II. For example, Flowgate A has strong correlations with the flowgates N, R,

W, and V. The correlation coefficient ranges from 0.90 to 0.97. The total Shadow Price on the flowgates N, R, W, V is 122,233$/MWh. Attacking Flowgate A may result in additional congestions on the flowgates N, R, W, and V. Therefore, Flowgate A is selected as a critical congested flowgate. The flowgates K, N, R, V are selected as critical congested flowgates as well for the same reasons.

Fig. 2. Top Congested Flowgates in an ISO Market TABLE II CORRELATION COEFFICIENTS BETWEEN FLOWGATES Total Shadow Hourly Flow Price on Flowgate 1 Flowgate 2 Correlation Flowgate 2 Coefficient ($/MWh) N 0.97 R 0.96 A 122,233 W 0.90 V 0.90 C 0.99 K D 0.97 535,843 E 0.92 A 0.97 N R 0.91 122,789 V 0.85 A 0.96 R V 0.95 122,912 N 0.91 R 0.95 V A 0.90 118,723 N 0.85

C. Verification Cyber attacks are simulated to verify the impact of these critical congested flowgates on the market efficiency. For each critical congested flowgate, assume that it is attacked by hackers, so the flowgate is out of service. The market model with this flowgate out of service is simulated by PROMOD, and the results from this run are compared with the results from the base case (no flowgate out of service). The final results are shown in the following tables. Apparently, the critical congested flowgates have very significant impacts on the market efficiency. Attacking one of them will cost the ISO market millions of dollars. Table III shows the increase of the electricity production

4 cost after attacks. It ranges from 10.5 to 37.9 million dollars. For example, when Flowgate K is out of service due to attacks, it reduces the transfer capability from cheap generation to loads. Cheap units such as coal units have to reduce their generation outputs. In the meantime, expensive units such as gas units generate more to pick up the difference. Therefore, the total production cost to provide electricity in the ISO market increases. In the case of Flowgate K, the production cost increases as much as $37.9 million dollars. Table IV shows the increase of congestions after attacks. It is quantified by Shadow Prices. For example, when Flowgate K is out of service due to attacks, it results in a large-scale congestion boost. The total Shadow Price on other flowgates increases as much as 869,126$/MWh among which Flowgate E has the largest increase of 430,419$/MWh. This is consistent with the results of the correlation calculation. Flowgate E is highly correlated with Flowgate K. The correlation coefficient is as high as 0.92. In the case of Flowgate V, Flowgate B has the largest increase on the Shadow Price. Flowgate B is not highly correlated with Flowgate V; the flowgates R, A, N are highly correlated. The Shadow Prices on R, A, N actually decrease after Flowgate V is attacked. The reason is that Flowgate V is a critical path. Power flow goes from the flowgates R, A, N, and then through Flowgate V. When Flowgate V is out of service due to attacks, the power flow pattern changes. Less power flow goes through R, A, N. The Shadow Prices on these flowgates decrease. More power flow goes through other flowgates such as Flowgate B. The Shadow Prices increase on those flowgates. Table V shows the increase of the LMP after attacks. It ranges from 0.6 to 3.8$/MWh. For example, when Flowgate K is out of service due to attacks, the average LMP in its surrounding area increases by 3.8$/MWh. This is a significant impact on the ISO market, considering the large amount of electricity consumed hourly. TABLE III PRODUCTION COST INCREASE Out-of-service Flowgate due to attacks A K N R V

Out-ofservice Flowgate due to attacks A K N R V

Annual production cost increase $19,599,713 $37,879,208 $10,501,147 $21,380,076 $16,021,678

Average production cost increase per hour $2,237.41 $4,324.11 $1,198.76 $2,440.65 $1,828.96

TABLE IV CONGESTION INCREASE Shadow Price Flowgate with increase on the most other flowgates increase ($/MWh) ($/MWh) 254,346 869,126 81,730 157,715 57,696

R E A A B

Shadow Price increase on that flowgate ($/MWh) 136,626 430,419 43,831 91,286 13,556

Out-ofservice Flowgate due to attacks A K N R V

TABLE V LMP INCREASE Average LMP Average LMP before after ($/MWh) ($/MWh) 44.4 46.6 44.4 44.4 48.7

46.7 50.4 46.0 46.3 49.3

LMP increase ($/MWh)

2.3 3.8 1.6 1.9 0.6

The electricity production costs are from PROMOD simulation results. First, PROMOD simulates the ISO market as it is now. It performs hourly chronological SCUC and SCED for a certain time period, and generates the production cost of generators. Second, assuming one of the critical congested flowgates is out of service due to attacks, PROMOD simulates the ISO market again with the degraded transmission network. The results of SCUC and SCED are then different because the transmission network is different. PROMOD generates a new value of the production cost of generators. The difference between the old and new values of the production cost is the electricity production cost increase. It is employed to quantify the impact of the critical congested flowgate on the market efficiency. The Shadow Prices and LMPs differences are obtained in the same way from PROMOD simulations. IV. CONCLUSIONS This research proposes a systematic approach to identify transmission assets that are critical to the efficiency of electricity markets. It starts from a list of congested flowgates which is the combination of historical and future congested flowgates. These flowgates are ranked based on the EPB method, and the top congested flowgates are picked. Then the correlations of pairs of top congested flowgates are calculated to find out the top congested flowgates with strong mutual impact. If a top congested flowgates has strong correlations with multiple neighboring top congested flowgates, it will be selected as a critical congested flowgate. The simulation results show that on average thousands of dollars will be lost for every hour if those critical flowgates are attacked by hackers. Future research will focus on protection mechanisms for the critical congested flowgates. They will include both cyber security measures and physical security measures. REFERENCES [1] [2]

[3]

http://www.nerc.com/pa/CI/Comp/Pages/default.aspx F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identification in cyber-physical systems – Part I: models and fundamental limitations,” IEEE Transactions on Automatic Control, Feb. 2012, Preprint. Available at http://arxiv.org/pdf/1202.6144v1. F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identification in cyber-physical systems – Part II: centralized and distributed monitor design,” IEEE Transactions on Automatic Control, Feb. 2012, Preprint. Available at http://arxiv.org/pdf/1202.6049.

5 [4]

Y. Liu, M. K. Reiter, and P. Ning, “False data injection attacks against state estimation in electric power grids,” Proc. ACM Conference on Computer and Communications Security, Chicago, IL, Nov. 2009. [5] C. W. Ten, G. Maninaran, and C. C. Liu, “Cybersecurity for critical infrastructures: attack and defense modeling,” IEEE Trans. Power Syst., vol. 40, no. 4, pp. 853-865, July 2010. [6] C. W. Ten, C. C. Liu, and G. Maninaran, “Vulnerability assessment of cybersecurity for SCADA systems,” IEEE Trans. Power Syst., vol. 23, no. 4, pp. 1836-1846, November 2008. [7] S. Liu, S. Mashayekh, D. Kundur, T. Zourntos, and K.L. Butler-Purry, “A smart grid vulnerability analysis framework for coordinated variable structure switching attacks,” Proc. Power Eng. Soc. General Meeting, San Diego, CA, 2012. [8] S. Parthasarathy, D. Kundur, “Bloom filter based intrusion detection for smart grid SCADA,” Proc. IEEE Canadian Conference on Electrical and Computer Engineering, Montreal, Canada, 2012. [9] J. Wei, D. Kundur, “Two-tier hierarchical cyber-physical security analysis framework for smart grid,” Proc. Power Eng. Soc. General Meeting, San Diego, CA, 2012. [10] J. Yan, M. Govindarasu, C. C. Liu, and U. Vaidya, “A PMU-based Risk Assessment Framework for Power Control Systems,” Proc. Power Eng. Soc. General Meeting, Vancouver, Canada, 2013. [11] Rui Bo, Liangying Hecker, Yang Gu, James Okullo, Jordan Bakke, Ming Ni, "A New Congested Flowgate Ranking Strategy In MISO Market Efficiency Planning Study", Proc. Power Eng. Soc. General Meeting, Vancouver, Canada, 2013. [12] Rui Bo, Jie Yan, Charles Wu, Liangying Hecker, Matthew Tackett, and Ming Ni, " Novel Congested Flowgate Grouping Methods In Economic Transmission Planning," submitted to 2014 IEEE PES General Meeting