A Cautionary Tale: On the Effectiveness of Inertia-Emulating Load as a Cyber-Physical Attack Path
Presenter
May 10, 2016
Keywords:
- cyber-physical security, emulated inertia, distributed control
Abstract
A long literature has illustrated the potentially severe consequences of subversion of feedback control within electric power grids, well before Stuxnet brought wide attention to the threat of industrial control system cyber-attacks. The electromechanical dynamics of the power system make it uniquely vulnerable. Power grids typically possess lightly damped, wide-area oscillatory modes, requiring relatively little control energy to destabilize, thereby allowing subverted control systems to induce wide-area instabilities. Recognizing these threats, the National Electric Reliability Corporation (NERC), with the Federal Energy Regulatory Commission, have adopted strong cyber-security standards to protect grid control against these and other threats.
Recent years have also seen growing recognition of potential for distributed, consumer-based equipment to contribute to the real-time grid control functions, to improve dynamic performance and efficiency. One attractive function is that of “emulated inertia.” As traditional synchronous generators are displaced by power-electronically coupled renewable resources, rotating inertia is lost. However, the beneficial effects of inertia previously provided by synchronous generators may be restored by feedback control that emulates the dynamics of this inertia, and such control may be implemented in distributed load resources.
The work here is intended as a cautionary case study to illustrate the “two-edged sword” inherent in such distributed control: the same emulated inertia feedback that can contribute to improving grid dynamic performance is also extremely well-suited to subversion by a cyber-attacker. In particular, local inertia-emulating feedback controllers, with only modest modification to their feedback parameters, can create “targeted” wide-area electromechanical instabilities in the power grid. A malicious control design can create a mode shape with the property that buses experiencing the largest magnitude frequency oscillations are selectable by the attacker, and can be remote from the points of intrusion. The magnitude of affected load can be modest, with the case study here illustrating subverted control varying the total system load by no more than 2% in a 179-bus test system. With reasonable assumptions on settings for rate-of-change-of-frequency protective relays on generators, the study here strongly suggests the unstable oscillations would cause generator trips. Finally, this case study shows a less than two-minute window between the triggering of the attack, and the instant at which generator tripping would occur. The authors believe this scenario is particularly troubling, because in present practice, distributed, load-based control systems appear unlikely to enjoy the stringent level of NERC cyber-security protection afforded systems inside major generating plants and utility control centers.