ENERGY CONTROL SYSTEMS SECURITY
Control Systems for the Power Grid and
Their Resiliency to Attacks
Carlos Barreto | University of Texas at Dallas
Jairo Giraldo | Universidad de los Andes, Colombia
Álvaro A. Cárdenas | University of Texas at Dallas
Eduardo Mojica-Nava | Universidad Nacional, Colombia
Nicanor Quijano | Universidad de los Andes, Colombia
Most government, industry, and academic efforts to protect the power grid have focused on information
security mechanisms for preventing and detecting attacks. In addition to these mechanisms, control
engineering can help improve power grid security.
A large body of work focuses on power grid system device vulnerability assessment1; however, successfully compromising a power grid’s computers and embedded systems is only the first step in a successful attack. To predictably modify the physical components of a power grid (for instance, strategically manipulating voltages or loads), attackers must understand how control systems operate.
Defenders who leverage only information security
mechanisms to protect their power grid will have limited success against sophisticated attackers. To develop
a defense-in-depth security strategy, defenders must
incorporate power grid control models to understand
the vulnerabilities and fragility of the system they’re
trying to protect (for example, not all compromised
devices can drive a system to an unsafe state) as well as
design attack-resilient control algorithms that can survive a partial system compromise.
To facilitate the integration of control engineering
with security, we introduce the role of control systems
for the power grid, show how to model control system
1540-7993/14/$31.00 © 2014 IEEE
vulnerability by looking at the affected physical states,
and offer design suggestions for attack-resilient control systems.
There’s a significant amount of IT security and privacy work for the power grid: Álvaro Cárdenas and
Reihaneh Safavi-Naini conducted a general survey
including government and industry efforts,2 and Igor
Fovino discussed the role of IT security in industrial
control systems.3 However, in this article, we focus on
control systems’ (and attacks’) effects on physical variables, including voltages, frequencies, and currents.
Power Grid Control Systems
The power grid’s objective is to generate and then deliver
enough electric power to match consumer demand. In
general, we can divide the power grid into three major
parts: generation, transmission, and distribution.
Generation consists of power plants producing electric power from natural resources, such as coal, water, or nuclear energy. Power is then transferred from generating power plants to electrical substations through transmission lines, which are designed to support voltages between 100 and 800 kV. Step-down transformers at substations then change high-voltage transmission lines into medium- and low-voltage distribution lines that serve electricity consumers; these lines are designed for voltages of 1 to 50 kV. These substations, which are generally unsupervised, consist of equipment used to monitor and control parts of the distribution network to preserve service quality in the grid.
Copublished by the IEEE Computer and Reliability Societies
November/December 2014
[Figure 1: layered diagram. Physical layer: synchronous generators, transmission lines, and distribution and loads, exchanging voltage (V), current (I), real power (P), and reactive power (Q), with frequency and voltage set points and voltage compensator actions sent down to them. Cyber layer: SCADA for high voltage (phasor measurement units, pilot bus measurements) and for medium and low voltage (recloser and substation transformer states, alarms, states of the distributed network); an EMS (automatic generator control, state estimation, load management, contingency analysis, voltage regulation) that receives V, I (P, Q), tie-line powers, and the frequency/area control error and issues contingency actions and voltage regulation actions; and a BMS and market layer exchanging long-term contracts, schedules, real-time dispatches, and operating constraints.]
Figure 1. Energy management systems (EMSs) coordinate the power grid’s operational requirements in conjunction with business management systems (BMSs), which focus on market operations. EMSs send control signals to generators to control their frequency and voltage as well as to substations and intelligent devices in transmission and distribution networks to control voltage and reconfigure network topology.
Because of the power grid’s large scale and complexity, no single entity can simultaneously monitor and
control all parts of the network; thus, the power grid
uses a hierarchical architecture with multiple distributed control systems.
Devices
Power grid control is achieved with the help of several field devices, including remote terminal units (RTUs); intelligent electronic devices (IEDs) such as breakers, regulators, meters, and load tap changers in transformers; and programmable logic controllers (PLCs).
Although advances in modern control equipment have
blurred the lines between RTUs and PLCs, RTUs are
used primarily for telemetry in large geographical areas,
whereas PLCs tend to be used for localized fast control.
As such, RTUs are generally found in transmission and
IEEE Security & Privacy
distribution automation, controlling remote unmanned
locations (such as grid substations) and interfacing with
Supervisory Control and Data Acquisition (SCADA).
On the other hand, PLCs tend to be used for primary
and secondary control of electric power generation.
Control Objectives
The power grid has multiple control objectives; the most relevant are safety (accident prevention and equipment protection), reliability of the electric service to customers, and electricity market optimization.
Safety and protection are ensured by relays and circuit breakers that react to local faults. For example, in transmission and distribution lines, a fault occurs when one of the lines makes contact with another line or with “ground” (for instance, a tree). This contact generates a current so large that it can cause fire or electrocution, damage equipment, or lower the line’s voltage, affecting the quality of delivered electricity. Circuit breakers are common protection mechanisms that activate whenever the current flowing through them exceeds a certain limit. Similarly, generators have protective relays that prevent them from connecting to the power grid if they’re out of phase.
Whereas safety mechanisms focus on local control actions, control systems for reliability and
market optimization orchestrate large-scale control of the power grid. Their main control objective is to supply enough electric power to match demand. Figure 1 illustrates the power system’s general control architecture. The power grid’s control centers use energy management systems (EMSs) for most of their operational needs. EMSs are responsible for state estimation,
managing the network topology processor, performing
contingency analysis, and, in particular, controlling
voltage—for example, by sending control commands
to substations—and frequency through automatic
generator control (AGC). Control centers usually host
a business management system, which is in charge of
market operations and can control parts of the power
grid to optimize the market while maintaining the
EMS’s reliability constraints.4
In this article, we focus on the large-scale real-time
control used to maintain reliability. In this context,
power systems want to supply enough real power to satisfy consumer demand via frequency control and supply enough reactive power to satisfy consumer demand
via voltage control.
As in most industrial control systems, these objectives are achieved using a hierarchical architecture. In particular, for the power grid, we generally define primary, secondary, and tertiary controls. At the lowest level, the primary control is a local control in charge of ensuring the stability of the local device (for example, the generator). At the highest level, tertiary control is performed at the system’s control center and is responsible for orchestrating the schedule and optimization of a system of generators and loads. In between, the secondary control interfaces with the tertiary control’s long-term efficiency goals and ensures that each device under control achieves its set points.
Frequency Control
Changes in electric power demand influence the generator’s rotation speed, which in turn influences the frequency of electricity oscillations in the grid (for example, 50 or 60 Hz).
If the power supply is greater than the demand, the generator stores excess power as kinetic energy, which accelerates the generator, resulting in higher rotation frequency. On the other hand, if the power supply isn’t enough to match the demand, generators must provide more current to the system, and the magnetic field associated with this increased current slows the generator, resulting in lower rotation frequency.
By increasing or decreasing the mechanical power
(for instance, water or steam) at the generator turbines,
we can control the generator’s frequency to keep it stable at, for instance, 60 Hz.
Primary control is done by speed governors located at the generation plant, which are in charge of stabilizing a system by sensing frequency changes and adjusting the mechanical energy at the turbines to correct frequency deviations. Primary control ensures frequency stability; however, it produces a steady state error—that is, the frequency is stable but at an undesired value—which a secondary control must correct.
www.computer.org/security
[Figure 2: state diagram with states S0 Normal, S1 Alert, S3 Emergency, and Collapse, a Contingency transition S2, a “change in the system” transition out of the normal state, and a “normal recovery” transition back to it. Operator tasks listed per state: detection of dangerous conditions, evaluation of disturbances, and determination of the remaining availability (alert); detection of fault, selective fault tripping, autoreclosing, reliable isolation, and bypassing the faulted section (emergency); restoration of power supply (collapse). Objectives: economic and reliable power supply, high availability of network.]
Figure 2. States of the power system and protective actions. Current security assessment models treat failure states as the result of natural causes and aren’t prepared to react to intentional attacks, which aren’t random and might involve the simultaneous failure of several tactically important components.
To meet the required total aggregated power, secondary control coordinates power generation at different plants and among several generators. The goal of the secondary control is to keep the real-time difference between incoming and outgoing power in a large area—that is, the area control error (ACE)—close to zero.
Tertiary control handles economic dispatch with security assessment. (Power engineers use the term security to refer to the reliability of the system subject to potential contingencies, accidents, or faults.) This control determines the amount of power that generators must produce according to economic optimization and contingency constraints as well as whether a generator is initialized or turned off.
Voltage Control
Power systems use alternating current (AC) instead of
direct current; this means their voltage and current can
be described by sine waves in time.
Because power systems use AC power, control systems must take into account that most power grid loads, such as electric motors, are inductive—that is, they resist changes in current flow—and therefore, they introduce a phase shift between voltage and current. Thus, electric power systems must consider reactive power, which isn’t consumed by the load (although it generates transmission losses) but circulates in the network.
[Figure 3: (a) diagram of the four-bus system showing the injected powers u1 and u4 and the frequencies f1 to f4; (b) plot of time delay (sec., 0 to 2) against sampling period (sec., 0 to 2), divided into a stability region and an instability region.]
Figure 3. The four-bus system with two generators and four loads. (a) ui is the injected power at generator i, and fi is the frequency observed at bus i. The typical centralized secondary frequency control system used to determine the amount of power ui to inject to generators is based on the frequency measurements fi at the different buses. (b) This centralized control becomes unstable if there are delays and packet drops for frequency measurements longer than two seconds.
Controlling the voltage indirectly affects reactive power. At the generators, voltage is controlled by the automatic voltage regulator (AVR)—which manipulates the generator’s excitation winding.
In contrast to frequency control, voltage is regulated at different points in the electricity transmission and distribution networks. Owing to the losses in transmission lines, regulating voltage closer to where it’s consumed is convenient. We can achieve voltage control in transmission and distribution systems by changing the tap on transformers—at substations or in long transmission lines—or injecting reactive power with capacitor banks, static compensators, static synchronous compensators, and other flexible AC transmission systems (FACTS) devices. Laurence Phillips and his colleagues present a comprehensive security analysis of FACTS devices.5
Voltage control is also a hierarchical distributed system. In addition to the primary voltage control elements we described (FACTS, AVR, and so forth), a supervisory control layer defines the voltage for all regions in the system based on reactive optimal power flow (OPF) calculations. The goal of this supervisory control element is to minimize the losses and voltage deviations and maximize reactive power reserves. Some OPF implementations include N-1 contingencies, which verify that power delivery stays reliable even when a fault occurs in any single component.
Stability and Protection Mechanisms
Protective relays and primary controls are responsible for maintaining system stability and preventing
damages and other accidents at short time scales. When
these systems fail to prevent damages, a series of control
center emergency response procedures, usually mediated by a human operator, take place.
In control systems, stability is defined as the system’s capacity to achieve or maintain a desired value (for example, 60 Hz) under disturbances. Thus, power system stability is an electric power system’s ability to regain operating equilibrium after a physical disturbance.6 Definitions of stability differ depending on the type of disturbance and the variables to analyze, such as small signal stability, transient stability, and voltage collapse.
In addition to stability analysis, power engineering
security refers to a system’s ability to withstand sudden
disturbances or system component failure. It’s related
to the ability to prevent cascading failures and noncontrolled loss of load.
Contingency analysis studies the consequences of
possible failures, such as an electric line touching a tree,
two electric lines touching each other, generation failures, and disconnection of any element without a fault.
In particular, the N-1 criterion for contingency analysis
considers events resulting in the loss of a single element
of the grid.
A system’s operating states can be classified as normal, alert, emergency, and collapse (see Figure 2). In the normal state, all system parameters are within acceptable ranges. Significant changes in the system, such as a large load increase and extreme weather, might make the system vulnerable, entering an alert state.
In an alert state, the system is stable, but certain
events might push it to a state of instability. With immediate corrective actions, the system can be restored to
normal operation; however, additional contingencies
might lead to an emergency state. In emergency states,
the system violates some operational restrictions but
can be restored; however, severe contingencies might
lead to unstable states that lead to collapse. Finally, in a
collapse state, the system is unstable, and loss of generation, load shedding, or system isolation is necessary to
prevent cascading failures.
The Smart Grid: New Control Challenges
The smart grid refers to multiple efforts around the globe to modernize aging power grid infrastructures with new technologies, enabling a more intelligently networked automated system. A smart grid’s goal is to deliver energy with greater efficiency, reliability, and security and provide more transparency and choice to electricity consumers.
The major initiatives associated with the smart grid are the advanced metering infrastructure (AMI), demand response, microgrids, distribution automation, distributed energy resources, and the integration
of plug-in hybrid electric vehicles. Each of these initiatives has new challenging control system requirements.
AMI systems use smart meters that provide two-way communication between the utility and the consumer, reducing the need to read the meters on site and providing a range of new capabilities to the utilities, including fine-grained electricity consumption monitoring, automatic outage detection, remote disconnection, and automated power restoration.
Demand response programs are an attempt to control electricity consumers by asking them to reduce electricity consumption in exchange for a reward (for instance, lower prices). These programs are currently in place for large commercial consumers. They’re useful for critical conditions when there isn’t enough power to satisfy demand or when generating more power would be economically impractical.
A microgrid is a subsystem of the entire network that can operate autonomously, for instance, a military base that can provide its own electricity generation and distribution and connects to the main power grid only when necessary. As we explained, the conventional method for decentralized control is frequency and voltage droop control. One challenge of controlling power in a low-voltage microgrid is that the different distributed generator output impedances and the high line impedance ratio lead to real and reactive power control coupling (something that can be ignored in traditional power systems), and therefore traditional droop control might be ineffective.7
Distribution automation refers to the deployment of IEDs and SCADA systems to monitor and control automatic electric distribution—a capability generally available only to transmission systems. Distribution automation includes fault isolation, service restoration, voltage management, contingency analysis, and switching management.
Integrating distributed energy resources, including renewable energy (sun and wind) and energy storage (batteries), also introduces new control challenges. First, renewable energy can’t be controlled and is hard to forecast. Second, unlike large generators currently used to provide power to the grid, distributed energy resources will have low inertia and fast changes, which means that any perturbation or control error will introduce oscillations and harmonics to the system, affecting reliability. Finally, because electric vehicles consume approximately one to six times the load of a general US household, we need new control algorithms to orchestrate efficient charging of electric vehicles and minimize the strain to the power grid.
[Figure 4: two plots of frequency (Hz) against time (sec., 0 to 40); (a) the centralized controller, whose frequency axis is scaled by a power of ten as the frequencies diverge, and (b) the consensus controller, with the frequency axis spanning 55.8 to 58.2 Hz.]
Figure 4. Frequency of the four-bus system with four distributed generators: (a) frequencies of all buses with the centralized control algorithm and (b) a decentralized consensus-based control strategy. Information is sampled every two seconds and delayed one second. A centralized control algorithm can’t maintain stability; however, the decentralized control method preserves frequency synchronization.
Toward Resilient Control
As we described, power grids have several protection mechanisms to prevent accidents, damage, and blackouts, and as a first line of defense, they can make attacks harder to launch. However, these protection mechanisms were designed for accidental failures and aren’t guaranteed to prevent actions by strategic attackers. For example, the Aurora attack shows how adversaries can bypass protective relays to connect a generator out of sync with an energized system by exploiting filtering algorithms’ benign fault assumptions.8,9 In addition, state estimation algorithms’ false data injections show how attackers can bypass traditional anomaly detection tests focusing on identifying sensor measurement errors.10 Protections against these attacks require research into how to extend traditional safety and fault-tolerant control systems to attack-resilient control systems.
We give two examples of using control theory to analyze control system vulnerability and design resilient control algorithms.
[Figure 5: (a) magnitude of |S_ε(e^{jω})| against ω (radians/h, 0 to 12) for η = 0.01, 0.2, 0.4, 0.6, 0.7, and 0.8; (b) megawatts (−200 to 400) against time (h, 25 to 40) for an additive attack (ω = π), a delay attack (τ = 8), and a scaling attack (γ = 0.95).]
Figure 5. Attack sensitivity and supply–demand mismatch. (a) Sensitivity to attacks as a function of the attack signal frequency for different control settings η, and (b) the comparison of different attacks and their effects on the supply–demand error. The parameters τ and γ correspond to the time delay and scaling factor, respectively, and ω is the angular frequency (ω = 2πf).
Resilient Frequency Control
An electric network’s stability and performance can be affected if a sensor or control signal’s communication channel is delayed or blocked with a denial of service (DoS) attack.
Consider a secondary frequency control algorithm
applied to John Grainger and William Stevenson’s
four-bus system,11 with two generators and two loads
(see Figure 3). In this scenario, a central controller
receives the frequency measurements (f) from all buses
and computes the necessary power (u) that needs to
be injected at each generator such that the system is
stable and the ACE is zero. Typically, the secondary
control computed by the control center consists of a
proportional-integral controller
$$u_i = -\left(K_p\, e_i + \int_0^{t} K_s\, e_i(r)\,dr\right),$$
where $e_i$ is the ACE for area $i$, $r$ represents integration over time, $dr$ is the time differential, and $K_p$ and $K_s$ are control parameters selected to change the frequency back to 60 Hz.
Looking at the system dynamics, we determine that
any control signal delay of more than two seconds produces unstable frequency control.
Sampling and delays between central control and generators increase the system’s settling time (the time it takes for a system to return to its stable point) up to a point where the system is no longer stable.
Faced with this potential vulnerability, operators
must consider cases in which attackers can cause delays
or packet drops. One of the biggest problems in security is that the attack time might be unbounded; thus,
control systems must survive even the worst possible
attacks that can send arbitrary delays or DoS attacks.
To achieve resilient frequency control algorithms,
we have proposed a decentralized secondary control
algorithm that allows a group of generators and loads
to achieve frequency synchronization with arbitrary
delays and packet losses.12 Long delays or DoS attacks
still significantly impact the system, causing oscillations
and tripping circuit breakers; however, our results guarantee that all network nodes will converge to the same
frequency eventually. Therefore, the system is stable.
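To make the two behaviours concrete, the following simulation is an added example (not code from the paper or its authors) on a constructed toy of four electrically decoupled generators rather than Grainger and Stevenson’s four-bus system: it runs the centralized proportional-integral law and the per-generator consensus law of this section with frequency measurements sampled every two seconds, delayed one second, and randomly dropped, and reports whether each loop stays within a protection bound and how far apart the bus frequencies end up. The inertia, damping, gains, load step, and bound are assumptions.

```python
import random

# Constructed toy model (not the paper's four-bus system): N generators whose
# frequency deviations w_i (Hz from nominal) each follow a first-order swing model
#     M * dw_i/dt = -D * w_i + u_i - dP_i
# with u_i the secondary control power and dP_i a load step.  The generators are
# not electrically coupled; only the controllers couple them.  All values assumed.
N, M, D = 4, 5.0, 1.0
DT = 0.01                                  # integration step (s)
T_END = 200.0                              # simulated horizon (s)
STEP_T, STEP_BUS, STEP_P = 20.0, 0, 0.5    # +0.5 p.u. load at bus 0 from t = 20 s
BOUND = 10.0                               # |w| beyond this: protection would trip

KP, KS = 10.0, 2.0   # centralized PI gains (assumed; stable with fast, undelayed data)
K = 0.02             # consensus gain K_i, the same for every generator (assumed)


def centralized_pi(w, u, inbox, integral):
    """Control center: u_i = -(Kp*e_i + Ks*integral(e_i)) from the measurements that
    reached it.  In this decoupled toy the area control error e_i is just w_i."""
    for i in range(N):
        e = inbox.get(i, 0.0)          # latest (possibly stale) measurement of bus i
        integral[i] += DT * e          # integral of the held error
        u[i] = -(KP * e + KS * integral[i])


def consensus(w, u, inbox, integral):
    """Per-generator rule du_i/dt = -K * sum_j (f_i - f_j): own local frequency
    against the last frequency heard from each neighbour (stale if delayed or lost)."""
    for i in range(N):
        s = sum(w[i] - inbox.get(j, w[i]) for j in range(N) if j != i)
        u[i] += DT * (-K * s)


def simulate(controller, period, delay, p_drop=0.0, seed=1):
    """Run the plant with a controller fed through a delayed, lossy channel.

    Every `period` seconds each bus broadcasts its frequency; the message arrives
    `delay` seconds later, or is lost for every receiver with probability `p_drop`
    (a DoS-style packet drop).  Returns (stable, w_final, spread): stable is False
    if some |w_i| exceeded BOUND; spread is max(w) - min(w) at the end of the run.
    """
    rng = random.Random(seed)
    w, u, integral = [0.0] * N, [0.0] * N, [0.0] * N
    inbox, pending = {}, []            # pending: (arrival_step, bus, value)
    steps = int(round(T_END / DT))
    sample_every = int(round(period / DT))
    delay_steps = int(round(delay / DT))
    for k in range(steps):
        t = k * DT
        if k % sample_every == 0:
            for j in range(N):
                if rng.random() >= p_drop:
                    pending.append((k + delay_steps, j, w[j]))
        still = []
        for arrival, j, val in pending:
            if arrival <= k:
                inbox[j] = val         # message delivered: receivers now hold this value
            else:
                still.append((arrival, j, val))
        pending = still
        controller(w, u, inbox, integral)
        for i in range(N):
            dP = STEP_P if (i == STEP_BUS and t >= STEP_T) else 0.0
            w[i] += DT * (-D * w[i] + u[i] - dP) / M
            if abs(w[i]) > BOUND:
                return False, w, max(w) - min(w)
    return True, w, max(w) - min(w)


def run_centralized(period, delay):
    return simulate(centralized_pi, period, delay)


def run_consensus(period, delay, p_drop):
    return simulate(consensus, period, delay, p_drop)


if __name__ == "__main__":
    cases = [("centralized PI, 0.1 s sampling, no delay", run_centralized(0.1, 0.0)),
             ("centralized PI, 2 s sampling, 1 s delay", run_centralized(2.0, 1.0)),
             ("consensus, 2 s sampling, 1 s delay, 20% loss", run_consensus(2.0, 1.0, 0.2))]
    for label, (stable, w, spread) in cases:
        print(f"{label}: stable={stable}, spread={spread:.4f}, w={[round(x, 3) for x in w]}")
```

Under these assumptions the centralized loop is stable with fast, undelayed data but runs past the bound once sampling and delay are added, while the consensus loop keeps all four frequencies together at a common offset (nothing in this toy restores the nominal value, matching the eventual-synchronization guarantee above).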
In our design, the ith generator’s controller is
described by a consensus algorithm
$$\frac{du_i}{dt} = -K_i \sum_{j=1}^{N} \left(f_i - f_j\right),$$
where $u_i$ is the extra amount of power that a generator (or storage device) must inject or absorb, $K_i \geq 0$ is a controller design parameter, $f_i$ is the frequency at the generator, $f_j$ is the frequency measurement received from neighboring generators, and $N$ is the number of
measurements. Figure 4a shows the frequencies of all
buses with the centralized control algorithm, and Figure
4b shows the decentralized consensus algorithm under
the assumptions of a one-second delay for all messages
and measurement exchange every two seconds. After 20
seconds, a change in load causes a frequency deviation
in the network. Figure 4 shows that under these conditions, a centralized control algorithm can’t maintain stability. However, our decentralized control method preserves frequency synchronization.
The extra costs to implement this resilient algorithm (compared to the centralized solution) include the need for a communication infrastructure where all buses can share their frequency with all generators in the system (and not only to a centralized controller) and for storage devices that can absorb energy.
In future work, we plan to study the amount of time a system needs for convergence, which is a more practical quantity for system operators than a promise that the system will eventually converge, no matter how long it takes. After all, we can achieve stability theoretically, but a large deviation or current will trip protective circuit breakers and might cause other undesirable effects. Modeling the protection mechanisms’ interaction with the system’s physics is one of the main challenges in creating a foundation of resilient control in the power grid.
Resilient Demand Response with Real-Time Pricing
At the moment, frequency control in the power grid is a load-following approach in which control centers adjust the generator power in response to changes in the load caused by consumers. To increase efficiency, multiple ongoing efforts are trying to control the power consumed by power grid customers as well as the power injected to the grid. In their basic form, demand response programs are a control problem in which the control signal is either an incentive (for instance, real-time pricing) or direct-load control (for instance, the utility directly controls consumers’ air conditioning set points) that reduces consumers’ electricity consumption during peak hours, shifting it to off-peak hours.
Rui Tan and his colleagues recently explored the security of demand response algorithms with real-time electricity pricing.13 They considered an attacker who compromised a portion of the communication channels used to send price information to consumers, and then studied the effects of delaying price changes and scaling the electricity prices.
These parametric adversary models—delaying or scaling the real signal instead of giving attackers arbitrary control of it—are beneficial in that they allow us to keep mathematical analysis tractable; however, constraining adversaries this way limits realistic modeling. To study attackers that aren’t subject to these parametric constraints, we allow arbitrary changes to the pricing signal. We model this generic attack as a disturbance d_k that can arbitrarily modify the price information for a portion of the consumers and show how to design resilient control algorithms for this problem.14,15
Sensitivity functions have been widely used to analyze the impact of external disturbances or parameter changes on a feedback system’s output. In systems and control theory, it’s well-known that feedback can attenuate or amplify disturbances; therefore, by using a system’s frequency representation (called a transfer function), we can obtain the sensitivity function and observe the system’s response to a perturbation of a specific frequency ω.
[Figure 6: plot of megawatts (0 to 15) against ω (radians/sec., 0 to 2) for two settings, “No compensation, η = 0.1” and “Robust control, η = 0.7”.]
Figure 6. Maximum supply−demand mismatch. By designing an “observer” to identify an attack, we can reconfigure the system using a robust control algorithm that minimizes the discrepancy between supplied and consumed power during attacks.
According to the sensitivity function in Figure 5, the effects of d over ε (the difference between supplied and consumed power) are amplified at almost all frequencies ω (except very low frequencies) and all control parameters η.13 On the other hand, Tan and his colleagues’ proposed attacks have frequencies close to zero (or to the baseline consumption) and therefore won’t be amplified. For example, if the attack frequency is zero, there will be no change to the supply–demand error. Figure 5 shows how attacks designed to identify the frequencies amplified from the sensitivity function will have a larger impact on the system than delay or scaling attacks with the same amount of maximum deviation from the reference signal.
In addition to characterizing the effects of more general attacks, control theory can help us define more resilient algorithms. The area of robust control offers a large body of work on designing controllers that identify problems and reconfigure themselves to minimize the impacts of these perturbations. In particular, because we know the system’s physical models, we can identify when the control commands aren’t having the expected result, and then estimate the error by designing an “observer” (state estimator) for the system. Once we estimate the attacker’s pricing signal modification,
we can compensate the control action based on this estimate and, in addition, change the control command and the parameter η (based on the sensitivity function) to minimize the attack’s effects (see Figure 6).14 This would be a potential temporary solution while security analysts identify the compromised communication channels and revoke any credentials or devices used in the attack.
Although applying robust control theory to this problem can minimize the impact of attacks, it can’t eliminate them. The main difference between robust and secure control is that, in the latter, a strategic attacker can learn about our detection and response strategy and design an attack that either avoids detection or triggers the automated response in a manner that the designer didn’t anticipate.
To improve the analysis of attack detection mechanisms, we focused on attackers that can evade detection, and then studied the worst possible attack that our system doesn’t detect. This type of analysis is one step toward differentiating between robust control and secure control,16 but we need further research that accounts for the differences between random failures and strategic attacks against control systems.
Understanding control theory and security can lead to better risk assessment for attack consequences, design of attack detection algorithms by monitoring the behavior of a physical system under control, and better design of attack-resilient algorithms and architectures to survive cyberattacks while maintaining critical functions.
To achieve this vision, we need to educate a new generation of computer scientists and engineers in control engineering and information security, so they can understand which security mechanisms are most appropriate for a physical system’s control vulnerabilities and, at the same time, design and evaluate new attack-resilient control algorithms.
The path to achieving resilient control systems isn’t straightforward; it will require significant new developments in modeling corner cases in control theory. Two of these challenges were showcased by our examples. In the first example, we showed that the system was stable for any type of DoS attack; however, this doesn’t model the effects of large system oscillations and how they interact with traditional power grid safety and protection mechanisms. The interaction of safety and security and differentiating between random failures and malicious attacks are important research challenges for creating a resilient control systems theory.
In our second example, we showed the ability to model generic and powerful attackers. Again, to keep
systems mathematically tractable, researchers have limited adversaries to parametric models such as delay or scaling attacks; however, in practice, attackers will be able to generate arbitrary control signals not constrained by modeling artifacts. Modeling powerful adversaries is another challenge for obtaining results that encompass a large class of possible attacks.
Finally, IT security will still provide the foundation to prevent the most devastating attacks. At the end of the day, if all system control and sensor signals are compromised, there's little a control system can do to mitigate attacks; it's effectively in the attacker's hands. Diversity and redundancy can build a foundation to validate work for resilient control algorithms, where we can safely assume that only a fraction of sensor or control signals are compromised.
References
1. J. Searle et al., NESCOR Guide to Penetration Testing for Electric Utilities, version 3, white paper, EPRI, 2013.
2. Á. Cardenas and R. Safavi-Naini, "Security and Privacy in the Smart Grid," Handbook on Securing Cyber-Physical Critical Infrastructure: Foundations and Challenges, S.K. Das et al., eds., Morgan Kaufmann, 2012, pp. 637–654.
3. I.N. Fovino, "SCADA System Cyber Security," Secure Smart Embedded Devices, Platforms and Applications, Springer, 2014, pp. 451–471.
4. F. Wu, K. Moslehi, and A. Bose, "Power System Control Centers: Past, Present, and Future," Proc. IEEE, vol. 93, no. 11, 2005, pp. 1890–1908.
5. L.R. Phillips et al., "Analysis of Operations and Cyber Security Policies for a System of Cooperating Flexible Alternating Current Transmission System (FACTS) Devices," Sandia, Dec. 2005.
6. P. Kundur et al., "Definition and Classification of Power System Stability IEEE/CIGRE Joint Task Force on Stability Terms and Definitions," IEEE Trans. Power Systems, vol. 19, no. 3, 2004, pp. 1387–1401.
7. Y. Li and Y. Li, "Power Management of Inverter Interfaced Autonomous Microgrid Based on Virtual Frequency-Voltage Frame," IEEE Trans. Smart Grid, vol. 2, no. 1, 2001, pp. 30–40.
8. M. Zeller, "Myth or Reality—Does the Aurora Vulnerability Pose a Risk to My Generator?," 64th IEEE Ann. Conf. Protective Relay Engineers, 2011, pp. 130–136.
9. E.O. Schweitzer III and D. Hou, "Filtering for Protective Relays," Proc. IEEE Comm. Computers and Power in the Modern Environment Conf., 1993, pp. 15–23.
10. Y. Liu, P. Ning, and M.K. Reiter, "False Data Injection Attacks against State Estimation in Electric Power Grids," ACM Trans. Information and System Security (TISSEC), vol. 14, no. 1, 2011, p. 13.
11. J.J. Grainger and W.D. Stevenson, Power System Analysis, McGraw-Hill, 1994.
12. J. Giraldo et al., "Delay and Sampling Independence of a Consensus Algorithm and Its Application to Smart Grid Privacy," Proc. IEEE Control and Decision Conf., 2014.
13. R. Tan et al., "Impact of Integrity Attacks on Real-Time Pricing in Smart Grids," Proc. ACM SIGSAC Conf. Computer and Comm. Security, 2013, pp. 439–450.
14. J. Giraldo, Á. Cardenas, and N. Quijano, "Attenuating the Impact of Integrity Attacks on Real-Time Pricing in Smart Grids," ArXiv preprint, arXiv:1410.5111 [cs.SY], 2014.
15. C. Barreto et al., "CPS: Market Analysis of Attacks against Demand Response in the Smart Grid," Proc. Computer Security Applications Conf. (ACSAC 14), 2014.
16. Á. Cardenas et al., "Attacks against Process Control Systems: Risk Assessment, Detection, and Response," Proc. 6th ACM Symp. Information, Computer and Comm. Security, 2011, pp. 355–366.
Carlos Barreto is a PhD student in the Department of Computer Science at the University of Texas at Dallas. His research interests include cyber-physical systems security, distributed resource allocation, and game-theoretic methods with applications to smart grids. He's a member of the IEEE Control Systems Society. Contact him at [email protected].

Jairo Giraldo is a PhD student in the Department of Electrical Engineering at Universidad de los Andes, Colombia. His research interests include control algorithms for the power grid and their security and privacy. He's a member of the IEEE Control Systems Society. Contact him at ja.giraldo908@uniandes.edu.co.

Álvaro A. Cárdenas is an assistant professor of computer science at the University of Texas at Dallas. His research interests include cyber-physical systems security and network security. Cárdenas received a PhD in electrical engineering from the University of Maryland at College Park. He's a member of IEEE and the ACM. Contact him at [email protected].

Eduardo Mojica-Nava is an associate professor with the Department of Electrical and Electronics Engineering at Universidad Nacional, Colombia. His research interests include optimization and control of complex networked systems, switched and hybrid systems, and control in smart grid applications. Mojica-Nava received a PhD in electrical engineering from Universidad de los Andes. Contact him at [email protected].

Nicanor Quijano is an associate professor and the director of the research group in control and automation systems in the Department of Electrical and Electronics Engineering at Universidad de los Andes, Colombia. His current research interests include hierarchical and distributed optimization methods, using bio-inspired and game-theoretical techniques for dynamic resource allocation, applied to problems in energy, water, and transportation. Quijano received a PhD in electrical engineering from Ohio State University. Contact him at nquijano@uniandes.edu.co.