Integrity Data Attacks in Power Market Operations


Le Xie, Member, IEEE, Yilin Mo, Student Member, IEEE, Bruno Sinopoli, Member, IEEE

Abstract: We study the economic impact of a potential class of integrity cyber attacks, named false data injection attacks, on electric power market operations. In particular, we show that with the knowledge of the transmission system topology, attackers may circumvent the bad data detection algorithms equipped in today's state estimator. This, in turn, may be leveraged by attackers for consistent financial arbitrage such as virtual bidding at selected pairs of nodes. This paper is a first attempt to formalize the economic impact of malicious data attacks on real-time market operations. We show how an attack could systematically construct a profitable attacking strategy, in the meantime being undetected by the system operator. Such a result is also valuable for the system operators to examine the potential economic loss due to such cyber attack. The potential impact of the false data injection attacks is illustrated on real-time market operations of the IEEE 14-bus system.

Index Terms: cyber security, state estimation, false data injection attack, electricity markets, locational marginal price, economic dispatch

I. INTRODUCTION

The electric power industry is undergoing profound changes as our society increasingly emphasizes the importance of a smarter grid for sustainable energy utilization [1]. Technically, enabled by the advances in sensing, communication, and actuation, power system operations are likely to involve more real-time information gathering and processing devices such as Phasor Measurement Units (PMUs) [2]. Institutionally, the increasing presence of distributed generation resources and flexible demand programs may lead to more integrated SCADA and end-user networks [3]. Financially, the deregulation of electricity industry has unbundled the generation, transmission and distribution.
In most regions, the operation of the wholesale level electricity markets and the underlying physical power systems are organized in Regional Transmission Organizations (RTOs) such as Independent System Operators (ISO) New England, Pennsylvania-New Jersey-Maryland (PJM) and California Independent System Operator (CAISO). Market operations have become an important part of RTOs' responsibilities in addition to ensuring physically secure electricity transmission services. Given the stronger coupling among cyber components (sensors and communication networks, in particular), physical, and financial operations in electric power systems, smart grid of the future must cope with a variety of anomalies in this cyber-physical energy system. The primary goal of this paper is to establish an analytical framework to investigate the impact of cyber security violations on the physical and financial operations in electric power systems.

As more and more advanced cyber components become integrated in RTOs' software support systems, potential cyber-security threats also raise increasing concerns. The measurement sensors equipped in today's Supervisory Control and Data Acquisition (SCADA) systems are subject to local and remote attacks. Insider attacks to control centers' software systems are also likely to happen. Two major software systems, called Energy Management Systems (EMS) and Market Management Systems (MMS), are employed to support RTOs' physical and market operations respectively.

[Author footnote] This work was supported in part by Texas Engineering Experiment Station, and in part by CyLab at Carnegie Mellon under grant DAAD19-02-1-0389 from the Army Research Office. Le Xie is with the Departments of Electrical and Computer Engineering, Texas A&M University, College Station, TX 77843 USA (email: xe@ma.ece.tamu.edu). Yilin Mo and Bruno Sinopoli are with the Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA 15213 USA (e-mail: ymo@andrew.cmu.edu, brunos@ece.cmu.edu).
One of the key functions of EMS is to perform state estimation [4], which converts field sensor measurements and other available information into an estimate of the state of the electric power system [4]. The estimated physical states in the system are then processed by higher level tools in both EMS and MMS to make operational and pricing decisions respectively. Given the key role of state estimation in coupling the cyber layer (field sensor measurements and communication networks) with physical and market operations, the physical and financial risks associated with an attack on state estimation require utmost attention.

Recent literature has begun to assess the impact of cyber attacks on state estimation on power system operations. In [8] the possibility of false data injection attacks against power grid state estimation was first conceived. By leveraging the knowledge of the power system topology, it was shown that false data injection attack can circumvent the bad data detection routine equipped in today's SCADA systems, therefore resulting in a manipulated snapshot of system operating states. In [9] and [12] two possible indices are proposed for quantifying the required efforts to implement such a class of malicious data attack. The proposed indices can be represented as functions of the system topology, and they could reveal the least effort attack while avoiding bad data alarms in SCADA system. In [10] and [11] computationally efficient strategies have been developed to detect these malicious data attacks against state estimators. In [6] a four-layer conceptual framework is proposed to assess potential impact of cyber attacks in deregulated electricity markets. While most literature focuses on the physical impact of cyber attacks to the power system, the potential financial risks of such a class of cyber attack are not well understood yet [13].

In this paper, we present a novel integrated framework which analyzes the economic impact of malicious data attacks against state estimators. In particular, we demonstrate how malicious attackers could make profitable market transactions by compromising several line flow sensors using false data injection attacks while going undetected. Such a class of malicious attacks may lead to consistent financial losses to the social welfare. By revealing such potential risks, the central message of this paper is that besides the catastrophic physical consequences cyber attacks may provoke, it is equally important to prevent economic loss due to malicious attacks in future smart grid market operations. An interdisciplinary approach based on power engineering, control systems, and communication can lead to the development of effective techniques to prevent this grim scenario from becoming reality in the near future.

The main contributions of this paper can be summarized as threefold:
- We formulate the problem of malicious data injection attack against state estimation, which leads to financial misconducts in electric power market operations.
- We provide strategies for finding undetectable and profitable attacks, which can be formulated as a convex optimization problem.
- We quantify the economic impact of such malicious data attacks on electricity market operations using day-ahead and ex-post real-time pricing models in today's RTOs.

The rest of this paper is organized as follows. Section II provides the basic overview of how deregulated electric power markets are operated in major RTOs. The malicious data injection attacks against state estimation are then formulated in Section III. In Section IV we describe the attacker's strategy to leverage the malicious data attacks for virtual bidding transactions, leading to consistent financial arbitrage between day-ahead and ex-post real-time prices at selected pairs of nodes. In Section V we analyze the optimal attack strategy under the assumption that only a limited number of measurement sensors could be compromised. In Section VII numerical examples and an economic assessment of malicious data attacks on market operations are provided using the standard IEEE 14-bus system as a testbed.

II. PRELIMINARIES

In deregulated electricity markets, the nodal prices are determined at the Regional Transmission Organizations (RTOs).
The electric power market consists of several forward and real-time spot markets. In real-time spot markets, MMS calculates the ex-post locational marginal price (LMP) based on the actual state estimation from the SCADA system. The ex-post LMP is the settlement price for all the market participants. In this section we briefly introduce state estimation algorithm in power system operations and describe the effect of state estimation on ex-post pricing.

A. Notations

We first summarize the notations used throughout this paper in Table I. For consistency we use superscript to indicate the context of the used variables. For example $P_{g_i}^*$ denotes the optimal generation power at bus $i$ given by the Ex-Ante Solution. $P_{g_i}$ denotes the real time generation power and $\hat{P}_{g_i}$ is the estimated real time generation power.

TABLE I: NOTATIONS

Symbol | Meaning
$i$ | Index for generators
$j$ | Index for load buses
$l$ | Index for transmission line
$k$ | Time
$I$ | Total number of generators
$J$ | Total number of load buses
$L$ | Total number of transmission lines
$L_{d_j}$ | Load at bus $j$ during run time
$P_{g_i}$ | Generation at $i$ during run time
$x$ | A vector consists of all $P_{g_i}$ and $L_{d_j}$
$z$ | Collection of sensor measurements
$C_i(P_{g_i})$ | Generation cost of producing $P_{g_i}$
$P_{g_i}^{\min(\max)}$ | Minimum (maximum) available power from generator $i$
$\lambda_i$ | Electricity price at bus $i$
$F_l$ | Transmission flow at line $l$
$F_l^{\max}$ | Maximum allowed transmission flow at line $l$
$F_l^{\min}$ | Minimum allowed transmission flow at line $l$

B. Ex-ante Real-time Market

The ex-ante real-time market, which usually takes place every 10 to 15 minutes prior to real time, conducts security-constrained economic dispatch (SCED) to determine the optimal power generation $P_{g_i}^*$ given the expected load $L_{d_j}^*$. The optimal power flow solution needs to satisfy physical security constraints. Firstly, due to the inertia of generator, $P_{g_i}$ cannot deviate from the generation capacity limits

$$P_{g_i}^{\min} \le P_{g_i} \le P_{g_i}^{\max}, \quad i = 1, \dots, I.$$

Secondly, power flow on each transmission line cannot exceed the transmission capacity, which implies that

$$F_l^{\min} \le F_l \le F_l^{\max}, \quad l = 1, \dots, L.$$
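Based on the linearized DC-power flow model, the line flow vector is a linear function of the nodal injection vector:

$$F = H \begin{bmatrix} L_d \\ P_g \end{bmatrix}, \tag{1}$$

where $H$ is the distribution factor matrix of the nodal power injection vector [14]. For future analysis, we define the $j$th column of $H$ to be $H_j$. The SCED problem solved in ex-ante market can be therefore expressed as follows, the result of which will be the dispatch order given to each market participant (generator, load serving entities, etc).

Ex-ante Formulation:

$$\begin{aligned}
\underset{P_{g_i}}{\text{minimize}} \quad & \sum_{i=1}^{I} C_i(P_{g_i}) \\
\text{subject to} \quad & \sum_{i=1}^{I} P_{g_i} = \sum_{j=1}^{J} L_{d_j} \\
& P_{g_i}^{\min} \le P_{g_i} \le P_{g_i}^{\max}, \quad i = 1, \dots, I \\
& F_l^{\min} \le F_l \le F_l^{\max}, \quad l = 1, \dots, L
\end{aligned}$$

C. State Estimation in Real-time Operations

Due to the stochastic nature of demand $L_{d_j}$, the real time values of $P_{g_i}$, $L_{d_j}$, $F_l$ may differ from the optimal $P_{g_i}^*$, $L_{d_j}^*$, $F_l^*$ calculated in the ex-ante market clearing.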

Hence, measurements are necessary to estimate the real-time state variables. For DC linearized power flow models, the states are typically the bus voltage phase angle $\theta$. Given a fixed topology and choice of slack bus, there exists a bijective relationship between bus voltage phase angle $\theta$ and the vector of nodal power injection $x$ [14]. Since the LMPs are explicitly calculated from nodal power injections, we define the states in this paper as the vector of nodal power injection $x$. Because the real-time states are typically not exactly the same as the optimal value, we have the following equations

$$x = x^* + w, \qquad F = H(x^* + w),$$

where $w$ is the deviation of run time states from the scheduled optimal states. In this paper we will assume that $w$ is a Gaussian random variable with zero mean and covariance $Q$. We assume that $I + J + L$ sensors are deployed to measure $P_{g_i}$, $L_{d_j}$, $F_l$ respectively. As a result, the observation equation can be written in the matrix form as follows:

$$z = \begin{bmatrix} I \\ H \end{bmatrix} x + e = Cx + e, \tag{2}$$

where $e$ is the measurement error, also assumed to be Gaussian with zero mean and covariance $R$. Given $z$, a minimum mean square error estimator is used to estimate the state $x$ based on the following criterion:

$$\hat{x} = \arg\min_{\hat{x}} E\|x - \hat{x}\|_2^2. \tag{3}$$

Since we assume the observation equations and flow model to be linear, one can prove that the solution of the minimum mean square error estimator is given by

$$\hat{x} = (C^T R^{-1} C)^{-1} C^T R^{-1} z = Pz. \tag{4}$$

We also assume that a detector is used to detect abnormality in the measurements. Let us define the residue $r$ to be

$$r \triangleq z - C\hat{x}. \tag{5}$$

We will assume the detector triggers an alarm by comparing the norm of $r$ with certain threshold, i.e. an alarm is triggered if the following event happens:

$$\|r\|_2 = \|z - C\hat{x}\|_2 > \text{threshold}. \tag{6}$$

D. Ex-post Market

Since the run time state variables $P_{g_i}$, $L_{d_j}$, $F_l$ are different from the dispatch level in ex-ante market, RTOs will calculate another vector of LMPs based on the run-time data for settlement purposes. In this paper we use the ex-post pricing model described in detail in [5].
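Let us first define the positive congestion set to be

$$c^+ = \{l : \hat{F}_l \ge F_l^{\max}\},$$

the negative congestion set to be

$$c^- = \{l : \hat{F}_l \le F_l^{\min}\},$$

and the non congestion set to be

$$c^0 = \{l : l \notin c^+,\ l \notin c^-\}.$$

The ex-post market clearing solves the SCED in a small range around the actual system state in order to obtain the LMPs for settlement purposes:

Ex-post Formulation:

$$\begin{aligned}
\underset{\Delta P_{g_i}}{\text{minimize}} \quad & \sum_{i=1}^{I} C_i(\Delta P_{g_i} + \hat{P}_{g_i}) \\
\text{subject to} \quad & \sum_{i=1}^{I} \Delta P_{g_i} = 0 \\
& \Delta P_{g_i}^{\min} \le \Delta P_{g_i} \le \Delta P_{g_i}^{\max}, \quad i = 1, \dots, I \\
& \Delta F_l \le 0, \quad l \in c^+ \\
& \Delta F_l \ge 0, \quad l \in c^-,
\end{aligned}$$

where $\Delta P_{g_i}^{\max}$ and $\Delta P_{g_i}^{\min}$ are usually chosen to be 0.1 MWh and $-2$ MWh respectively. $\hat{P}_{g_i}$ is the estimated power generation by generator $i$. The Lagrangian of the above minimization problem is defined as

$$\begin{aligned}
\mathcal{L} = {} & \sum_{i=1}^{I} C_i(\Delta P_{g_i} + \hat{P}_{g_i}) - \lambda \sum_{i=1}^{I} \Delta P_{g_i} + \sum_{i=1}^{I} \mu_{i,\max}(\Delta P_{g_i} - \Delta P_{g_i}^{\max}) \\
& + \sum_{i=1}^{I} \mu_{i,\min}(\Delta P_{g_i}^{\min} - \Delta P_{g_i}) + \sum_{l \in c^+} \eta_l \Delta F_l + \sum_{l \in c^-} \zeta_l (-\Delta F_l).
\end{aligned}$$

It is well known that the optimal solution of the optimization problem must satisfy the KKT conditions. In particular, we know that the following holds:

$$\eta_l \ge 0, \qquad \zeta_l \ge 0. \tag{7}$$

To simplify the notation, we define $\eta_l = 0$ if $l \notin c^+$, $\zeta_l = 0$ if $l \notin c^-$. After solving the above optimization problem and computing the Lagrangian multipliers $\lambda$, $\mu_{i,\max}$, $\mu_{i,\min}$, $\eta_l$, $\zeta_l$, we can define the nodal price at each load bus of the network, given by

$$\lambda_j = \lambda + \sum_{l=1}^{L} (\eta_l - \zeta_l) \frac{\partial F_l}{\partial L_{d_j}}. \tag{8}$$

More details of the derivation of nodal price can be found in [4]. Now let us write (8) in a more compact matrix form. Let us define $\eta = [\eta_1, \dots, \eta_L] \in \mathbb{R}^L$ to be a vector of all $\eta_l$ and $\zeta = [\zeta_1, \dots, \zeta_L]$. By (1), we know that $\partial F_l / \partial L_{d_j} = H_{lj}$, where $H_{lj}$ is the element on the $l$th row and $j$th column of $H$. Hence, (8) can be simplified as

$$\lambda_j = \lambda + H_j^T(\eta - \zeta), \tag{9}$$

where $H_j$ is the $j$th column of $H$ matrix. The difference of price at two nodes $j_1$ and $j_2$ is given by

$$\lambda_{j_1} - \lambda_{j_2} = (H_{j_1} - H_{j_2})^T(\eta - \zeta). \tag{10}$$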

III. ATTACK MODEL

In this section we assume that a malicious third party wants to attack the system and make a profit from the market, by compromising a number of sensors and sending bogus measurements to the RTO. We assume the attacker has the following capabilities:

1) The attacker has full knowledge of the underlying system topology.
2) The attacker knows the optimal states $P_{g_i}^*$, $L_{d_j}^*$, $F_l^*$ published by the RTO from the Ex-Ante market.
3) The attacker compromised several sensors and can manipulate their readings arbitrarily. We consider two possible scenarios:
   a) The attacker has already compromised a fixed subset of sensors. Let us define matrix $\Gamma = \mathrm{diag}(\gamma_1, \dots, \gamma_{I+J+L})$, where $\gamma_i$ is a binary variable and $\gamma_i = 1$ if and only if sensor $i$ is compromised. Hence, the corrupted measurements received by the RTO can be written as $z' = z + z^a$, where $z^a$, which lies in the column space of $\Gamma$, is the bias introduced by the attacker.
   b) The attacker can choose which sensor to compromise, however due to limited resources, he can only compromise no more than $N$ sensors. In that case, we can still write the corrupted measurement as $z' = z + z^a$. However instead of requiring $z^a$ to lie in a certain subspace, we now require $z^a$ to have no more than $N$ non-zero elements.

Based on the above assumptions, the state estimation equations can be written as

$$\hat{x}' = Pz' = \hat{x} + Pz^a. \tag{11}$$

Thus, the new residue becomes

$$r' = r + (I - CP)z^a.$$

By triangular inequality,

$$\|r'\|_2 \le \|r\|_2 + \|(I - CP)z^a\|_2.$$

As a result, if $\|(I - CP)z^a\|_2$ is small, then with a large probability the detector cannot distinguish $r$ and $r'$. In the limit case, if $(I - CP)z^a = 0$, then $r'$ will pass the detector whenever $r$ passes the detector. Based on these arguments, we give the following definition:

Definition 1: The attacker's input $z^a$ is called $\varepsilon$-feasible if $\|(I - CP)z^a\|_2 \le \varepsilon$.

Remarks 1: $\varepsilon$ is a design parameter for the attacker depending on how subtle he wants the attack to be. An attack with smaller $\varepsilon$ will be more likely to be undetected by the RTO. However, the magnitude of attacker inputs, and hence the attacker's ability to manipulate the state estimation, will be limited.
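The estimator (4), the residue test (5)-(6) and the quantity in Definition 1, worked from the operator's side as an added example (not code from the paper): it measures how much of a measurement bias the residue test can actually see. The matrix H, the state and noise values, the choice R = I and the threshold are all constructed assumptions.

```python
import math

# Constructed 2-line x 3-injection distribution factor matrix (illustrative
# numbers only, not a real network). States x are nodal injections, as in (2).
H = [[0.5, -0.3, 0.1],
     [0.2, 0.4, -0.6]]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]

def vec_add(u, v):
    return [a + b for a, b in zip(u, v)]

def inverse(A):
    """Gauss-Jordan inverse with partial pivoting (small dense matrices)."""
    n = len(A)
    M = [[float(v) for v in row] + [float(i == j) for j in range(n)]
         for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            raise ValueError("matrix is singular: the states are not observable")
        M[col], M[piv] = M[piv], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]

def build_C(H):
    """C = [I; H]: one sensor per injection plus one per line flow, eq. (2)."""
    n = len(H[0])
    eye = [[float(i == j) for j in range(n)] for i in range(n)]
    return eye + [[float(v) for v in row] for row in H]

def estimator_matrix(C, r_var):
    """P = (C^T R^-1 C)^-1 C^T R^-1 for diagonal R with variances r_var, eq. (4)."""
    m, n = len(C), len(C[0])
    Ct_Rinv = [[C[k][i] / r_var[k] for k in range(m)] for i in range(n)]
    return matmul(inverse(matmul(Ct_Rinv, C)), Ct_Rinv)

def residual_norm(z, C, P):
    """||z - C x_hat||_2 with x_hat = P z, eqs. (5)-(6)."""
    z_fit = matvec(C, matvec(P, z))
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(z, z_fit)))

def alarm(z, C, P, threshold):
    return residual_norm(z, C, P) > threshold

def bias_report(z_a, C, P):
    """Return (visible, shift) for a measurement bias z_a.

    visible = ||(I - CP) z_a||_2, the part of the bias that reaches the residue
    (the quantity bounded by epsilon in Definition 1);
    shift   = P z_a, the resulting change in the state estimate, eq. (11).
    """
    return residual_norm(z_a, C, P), matvec(P, z_a)

C = build_C(H)
R_VAR = [1.0] * len(C)                    # assumption: R = I
P = estimator_matrix(C, R_VAR)
X_TRUE = [10.0, -4.0, -6.0]               # constructed run-time state
NOISE = [0.02, -0.01, 0.03, -0.02, 0.01]  # constructed measurement error e
Z_CLEAN = vec_add(matvec(C, X_TRUE), NOISE)
THRESHOLD = 0.5                           # constructed alarm threshold

# Bias that is consistent with the measurement model (lies in range(C)) ...
CONSISTENT_BIAS = matvec(C, [1.0, 0.0, 0.0])
# ... versus a gross error on a single line-flow sensor.
SINGLE_SENSOR_BIAS = [0.0, 0.0, 0.0, 5.0, 0.0]

if __name__ == "__main__":
    for name, bias in (("model-consistent", CONSISTENT_BIAS),
                       ("single sensor", SINGLE_SENSOR_BIAS)):
        visible, shift = bias_report(bias, C, P)
        fired = alarm(vec_add(Z_CLEAN, bias), C, P, THRESHOLD)
        print(f"{name:17s} visible={visible:.4f} "
              f"shift={[round(s, 3) for s in shift]} alarm={fired}")
```

The model-consistent bias moves the state estimate by a full unit while leaving the residue untouched, which is why a residue-norm test needs to be complemented by checks that do not depend on the same measurement model.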
In the rest of the paper we will assume $\varepsilon$ is predetermined by the attacker.

Besides being unnoticeable, the attack must also be profitable to the attacker. In this paper, we assume that the attacker will exploit the virtual bidding mechanism to make a profit. In many RTOs such as ISO-New England, virtual bidding activities are legitimate financial instruments in electricity markets. A market participant purchases/sells a certain amount of virtual power $P_o$ at a location in the day-ahead forward market, and will be obliged to sell/purchase the exact same amount in the subsequent real-time market. Therefore, the attacker's action can be summarized as

- In day-ahead forward market, buy and sell virtual power $P_o$ at locations $j_1$ and $j_2$ at price $\lambda_{j_1}^{DA}$, $\lambda_{j_2}^{DA}$, respectively.
- Inject $z^a$ to manipulate the nodal price of Ex-Post market.
- In Ex-Post market, sell and buy virtual power $P_o$ at locations $j_1$ and $j_2$ at price $\lambda_{j_1}$, $\lambda_{j_2}$, respectively.

The profit that the attacker could obtain from this combination of virtual trading is

$$\text{Profit} = (\lambda_{j_1} - \lambda_{j_1}^{DA})P_o + (\lambda_{j_2}^{DA} - \lambda_{j_2})P_o = (\lambda_{j_1} - \lambda_{j_2} + \lambda_{j_2}^{DA} - \lambda_{j_1}^{DA})P_o.$$

Let us define

$$p = \lambda_{j_1} - \lambda_{j_2} + \lambda_{j_2}^{DA} - \lambda_{j_1}^{DA}. \tag{12}$$

Combined with equation (10), equation (12) can be written as

$$p(z') = (H_{j_1} - H_{j_2})^T(\eta(z') - \zeta(z')) + \lambda_{j_2}^{DA} - \lambda_{j_1}^{DA}.$$

Ideally, the attacker would like to enforce that $p(z') > 0$. However, since the system is stochastic and the $z'$ vector is partially unknown to the attacker, it can only try to guarantee that $E\,p(z') > 0$, i.e., the attack is profitable in the expected sense. Such a problem is still quite hard since the relationship between $\eta$, $\zeta$ and $z'$ is given by the Lagrangian multiplier and hence implicit. As a result, Monte Carlo method may be used in order to compute $E\,p(z')$. In the next section, we will exploit the structure of the Ex-Post formulation and develop a heuristic for the attacker.

IV. SCENARIO I: PREDETERMINED SUBSET OF COMPROMISED SENSORS

In this section, we develop a heuristic for the attacker to find a profitable input $z^a$ when the subset of compromised sensors is fixed. We will show that such a problem can be effectively formulated as a convex optimization problem and solved efficiently.
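Let us define the set

$$L^+ = \{l : H_{l,j_1} > H_{l,j_2}\},$$

and

$$L^- = \{l : H_{l,j_1} < H_{l,j_2}\}.$$

As a result, $p(z')$ can be written as

$$p(z') = \sum_{l \in L^+} (H_{l,j_1} - H_{l,j_2})(\eta_l(z') - \zeta_l(z')) + \sum_{l \in L^-} (H_{l,j_2} - H_{l,j_1})(\zeta_l(z') - \eta_l(z')) + \lambda_{j_2}^{DA} - \lambda_{j_1}^{DA}. \tag{13}$$

By the fact that $\eta_l$ ($\zeta_l$) is non-negative and it is 0 if the line is not positive (or negative) congested, we can see that the following conditions are sufficient for $p(z') > 0$:

(A1) $\lambda_{j_2}^{DA} > \lambda_{j_1}^{DA}$.
(A2) $\hat{F}'_l < F_l^{\max}$ if $l \in L^-$, i.e. the line is not positive congested.
(A3) $\hat{F}'_l > F_l^{\min}$ if $l \in L^+$, i.e. the line is not negative congested.

(A1) can be easily satisfied in the day-ahead market. Hence, the attacker needs to manipulate the measurement $z$ to make sure that (A2) and (A3) hold or at least hold with a large probability. Following such intuition, we give the following definition:

Definition 2: An attack input $z^a$ is called $\delta$-profitable if the following inequalities hold

$$E\hat{F}'_l \le F_l^{\max} - \delta, \quad \forall l \in L^-, \qquad E\hat{F}'_l \ge F_l^{\min} + \delta, \quad \forall l \in L^+,$$

where $E\hat{F}' = F^* + HPz^a$.

Remarks 2: It is worth mentioning that $\delta$ does not directly relate to the profit (or expected profit). However, it is related to the probability that (A2) and (A3) hold. Recall that from the attacker's perspective, $\hat{F}'_l$ is a Gaussian random variable with mean $E\hat{F}'_l$. As a result, a large margin $\delta$ will guarantee that with large probability (A2) and (A3) are not violated.

Therefore, the attacker's strategy during the run time is to find an $\varepsilon$-feasible $z^a$ such that the margin $\delta$ is maximized. The problem can be formulated as

$$\begin{aligned}
\underset{z^a \in \mathrm{span}(\Gamma)}{\text{maximize}} \quad & \delta \\
\text{subject to} \quad & \|(I - CP)z^a\|_2 \le \varepsilon \\
& E\hat{F}'_l \le F_l^{\max} - \delta, \quad \forall l \in L^- \\
& E\hat{F}'_l \ge F_l^{\min} + \delta, \quad \forall l \in L^+ \\
& \delta > 0.
\end{aligned}$$

It is easy to verify that the objective function and all the constraints are convex. Therefore the problem itself is a convex programming problem and can be solved efficiently [16].

Remarks 3: It may happen that the above convex optimization problem is infeasible. In other words, the sensors compromised by the attacker are not sufficient to decongest all the lines in $L^-$ and $L^+$. In that case, we can relax the above optimization problem by adding a penalty on those lines that are congested in the undesirable directions. The new formulation is as follows:

$$\begin{aligned}
\underset{z^a \in \mathrm{span}(\Gamma)}{\text{maximize}} \quad & \delta - D \sum_{l} \beta_l \\
\text{subject to} \quad & \|(I - CP)z^a\|_2 \le \varepsilon \\
& E\hat{F}'_l \le F_l^{\max} - \delta + \beta_l, \quad \forall l \in L^- \\
& E\hat{F}'_l \ge F_l^{\min} + \delta - \beta_l, \quad \forall l \in L^+ \\
& \delta > 0 \\
& \beta_l > 0, \quad \forall l,
\end{aligned}$$

where $D > 0$ is the weight of the penalty and $\beta$ is the relaxation variable.

V. SCENARIO II: LIMITED RESOURCES TO COMPROMISE SENSORS

In this section, we consider a scenario in which the attacker can select the set of sensors to compromise. However, due to limited resources, the total number of compromised sensor cannot exceed certain threshold $N$.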
As a result, not only does the attacker need to design an optimal input to system, but also it needs to choose the optimal set of sensors to compromise. Following the previous argument, we can write the optimization problem as

$$\begin{aligned}
\underset{z^a}{\text{maximize}} \quad & \delta \\
\text{subject to} \quad & \|(I - CP)z^a\|_2 \le \varepsilon \\
& E\hat{F}'_l \le F_l^{\max} - \delta, \quad \forall l \in L^- \\
& E\hat{F}'_l \ge F_l^{\min} + \delta, \quad \forall l \in L^+ \\
& \delta > 0 \\
& \|z^a\|_0 \le N,
\end{aligned}$$

where $\|\cdot\|_0$ is the zero norm, which is defined as the number of non-zero elements in a vector. Note that in this formulation we do not require that $z^a$ lies in the span of $\Gamma$, but instead we require $z^a$ to have no more than $N$ non-zero elements. The non-zero elements of $z^a$ correspond to the sensors the attacker needs to compromise. However, the above formulation is a hard combinatorial problem, since it involves a constraint involving the zero norm of a vector, which is not convex. To render the problem solvable, we resort to a convex relaxation of the original optimization problem, using the method developed in [15]. According to this method, the $L_0$ norm is substituted with a weighted $L_1$ norm, where the weights are chosen to avoid the penalization, given by the $L_1$ norm, of the bigger coefficients. In that paper, the authors propose an iterative algorithm that alternates between an estimation phase and a redefinition of the weights, based on the empiric consideration that the weights should relate inversely to the true signal magnitudes. The resulting algorithm is composed of the following 4 steps:

1) Set the iteration count $c$ to zero and set the weights vector to $w_i^0 = 1$ for $i = 1, \dots, I + J + L$.
2) Solve the weighted $L_1$ minimization problem

$$\begin{aligned}
\underset{z^a}{\text{maximize}} \quad & \delta \\
\text{subject to} \quad & \|(I - CP)z^a\|_2 \le \varepsilon \\
& E\hat{F}'_l \le F_l^{\max} - \delta, \quad \forall l \in L^- \\
& E\hat{F}'_l \ge F_l^{\min} + \delta, \quad \forall l \in L^+ \\
& \delta > 0 \\
& \sum_{i=1}^{I+J+L} w_i^c |z_i^a| \le N.
\end{aligned}$$

   Let the solution be $z_1^{a,c}, \dots, z_{I+J+L}^{a,c}$.
3) Update the weights

$$w_i^{c+1} = \frac{1}{|z_i^{a,c}| + \zeta}, \quad i = 1, \dots, I + J + L,$$

   where $\zeta$ is a small positive constant.
4) Terminate on convergence or when $c$ reaches a specified maximum number of iterations $c_{\max}$. Otherwise, increment $c$ and go to step 2.

Remarks 4: Similarly to [15], here we introduce the parameter $\zeta > 0$ in step 3 in order to avoid inversion of zero-valued component in $z^a$.

The economic impact on power market operations due to such a class of false data injection attacks is illustrated in the next section.

VI. ILLUSTRATIVE EXAMPLES

In this section we consider the standard IEEE 14-bus system in Figure 1 to discuss the economic impact of malicious data attacks against state estimation. The system comprises a total of five generators. Three cases, summarized in Table II, are analyzed. In Case I, only one transmission line is congested and two line flow sensors are assumed to be compromised using false data injection attack. In Cases II and III, we assume there are multiple congested transmission lines. Compared with Case II, Case III only allows a limited number of sensors which can be compromised. As a result, the attacker needs to both pick a subset of sensors and its input.

In Cases I and II, an attacker follows the procedure described in the end of Section III with the purpose of gaining profit from virtual bidding. In Case III, the attacker follows the limited sensor attack algorithm described in Section V. At the pair of the nodes that are pre-specified in the third column of Table II, the attacker buys and sells the same amount of virtual power in day-ahead market at nodes $j_1$ and $j_2$, respectively. Based on historical trends, the attacker buys at the lower priced node and sells at the higher priced node (footnote 1). In real-time market operations, the attacker compromises the selected line flow sensors by injecting false data without being detected. By doing so, the congested transmission lines in day-ahead operations appear no longer congested from the system state estimation. This, in turn, will result in different real-time ex-post LMPs with controllable bias compared to the day-ahead LMPs (footnote 2).

In Case I, only one transmission line (from bus 1 to bus 2) is congested.
The attacker chooses to buy the same amount of virtual power at bus 4 (lower price) and sells virtual power at bus 2 (higher price) in day-ahead market. By compromising two line flow measurement sensors with false data injection, the transmission line congestion appears to be relieved in real-time EMS. This manipulated system state is then passed to real-time market clearing procedure, which computes a uniform ex-post LMP across the system. Figure 2 shows the LMPs with and without the cyber attacks. Based on equation (12), the profit of such transaction is about \$2/MWh.

In Case II, day-ahead market clearing shows that there are three congested lines, bus 1 and bus 2 have LMP difference of about \$8/MWh. By compromising three line flow sensors indicated in the third column of Table II, the designated pair of nodes (buses 1 and 2) has the same LMP in ex-post real-time market. The reason is that malicious data injection attacks to these three sensors lower the estimated line flow, thereby setting the shadow prices of the actual congested lines to be zero. The profit of such transaction is approximately \$8.2/MWh.

In Case III, we assume that an attacker can compromise at most two sensors. By applying the algorithm described in Section V, the attacker chooses to compromise line flow sensors between nodes 1-2, and nodes 2-3.

Footnote 1: The choice of pairs of nodes does not necessarily have to be between a congested transmission line [14]. As long as the pair of nodes exhibit consistent nodal price differences, this pair of nodes could be a candidate.

Footnote 2: To illustrate the effect of the attacks on ex-post market clearing prices, we assume that the load forecast at day-ahead is perfect. In other words, if there were no cyber attacks, the day-ahead LMP will be the same as the ex-post LMP.

Fig. 1. IEEE standard 14-bus system.

Fig. 2. LMP with and without cyber attacks (only one line congestion). [Plot "Ex post LMPs at Each Bus": Price (\$/MWh) against Location (Bus Number); series: Without Cyber Attack, With Cyber Attack; annotations: virtual buying at Bus 4, virtual selling at Bus 2.]
Compromising only these two sensors cannot make all the congested lines appear uncongested in real-time operations. However, as shown in Figure 3, compromising just two sensors can still generate $6.0/MWh of profit for the attacker.

In Table III we compare the attack efforts and the associated expected financial profits for all the three cases. We use the infinity norm of z_a normalized by the infinity norm of z as an indicator of the attacker's effort. As the system congestion becomes more complex, the potential of financial gain by maliciously placing false data attacks is also higher. One can observe from the comparison between Case II and Case III that if the attacker can only compromise a limited number of sensors, then the expected profits decrease. However, even compromising a very small number of sensors (e.g. two sensors in Case III) can lead to profits, showing how the economic losses due to even small false data injection attacks can be significant in the long run.

TABLE II. CASE DESCRIPTION

| Case | Congested lines in day-ahead (from bus-to bus) | Virtual bidding nodes | Compromised sensors |
|---|---|---|---|
| Case I | 1-2 | 2 and 4 | line flow sensors 1-2, 3-4 |
| Case II | 1-2, 2-4, 2-5 | 1 and 2 | line flow sensors 1-2, 2-3, 2-4 |
| Case III | 1-2, 2-4, 2-5 | 1 and 2 | line flow sensors 1-2, 2-3 |

Fig. 3. LMP with and without cyber attacks (three congested lines). [Plot "Ex post LMP at Each Bus (with three congested lines)": price ($/MWh) versus location (bus number); curves "Without Cyber Attack", "Compromising 3 Sensors" and "Compromising 2 Sensors"; annotations "Virtual selling at Bus 2" and "Virtual buying at Bus 1".]

TABLE III. ATTACK EFFORTS AND PROFITS (ε = 1 MWh)

| Case | Relative efforts (‖z_a‖∞ / ‖z‖∞) | Profits (% of transaction cost) |
|---|---|---|
| Case I | 1.23% | 2.40% |
| Case II | 1.41% | 9.46% |
| Case III | 1.31% | 7.54% |

VII. CONCLUSIONS AND FUTURE WORK

In this paper we examine the possible economic impact of false data injection attacks against state estimation in electric power market operations. We show how an attacker can manipulate the nodal price of the ex-post real-time market without being detected by the state estimators. In conjunction with virtual bidding, these integrity attacks can lead to consistent financial profit for the attacker. A heuristic is developed to compute the optimal injection of false data from the attacker's perspective. False data injection attacks with a limited number of sensors are formulated as a convex optimization problem and thus solved efficiently by the attacker. Illustrative examples in the IEEE 14-bus system show that the potential economic gain for the attackers is significant even with a small number of sensors being compromised by the attackers.
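The price pattern described in the Section VI cases (day-ahead congestion that disappears from the ex-post prices while an offsetting virtual position at the same node pair collects the spread) can be screened for from settlement data. The sketch below is an added example written from a market monitor's side, not code from the paper: the settlement rule (day-ahead virtual positions closed out at the ex-post LMP), the function names, the thresholds and the sample prices are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Interval:
    hour: int
    da_lmp: dict       # day-ahead LMP by bus, $/MWh
    expost_lmp: dict   # real-time ex-post LMP by bus, $/MWh

def virtual_pair_profit(iv, buy_bus, sell_bus):
    """$/MWh earned by a matched virtual buy/sell pair placed day-ahead.
    Assumed settlement: each day-ahead position is closed at the ex-post LMP."""
    sell_leg = iv.da_lmp[sell_bus] - iv.expost_lmp[sell_bus]
    buy_leg = iv.expost_lmp[buy_bus] - iv.da_lmp[buy_bus]
    return sell_leg + buy_leg

def congestion_vanished(iv, tol=0.05):
    """True when day-ahead prices differ across buses (congestion) but the
    ex-post prices are uniform within tol, i.e. congestion appears relieved."""
    da = list(iv.da_lmp.values())
    rt = list(iv.expost_lmp.values())
    return (max(da) - min(da)) > tol and (max(rt) - min(rt)) <= tol

def screen(intervals, buy_bus, sell_bus, min_profit=1.0):
    """Return (hour, profit) for intervals that warrant review: congestion
    vanished ex-post AND the virtual pair earned at least min_profit $/MWh."""
    flagged = []
    for iv in intervals:
        profit = virtual_pair_profit(iv, buy_bus, sell_bus)
        if congestion_vanished(iv) and profit >= min_profit:
            flagged.append((iv.hour, profit))
    return flagged

# Constructed sample prices (not the paper's data) for buses 2 and 4.
SAMPLE = [
    # hour 1: day-ahead spread of 2 $/MWh collapses to a uniform ex-post price
    Interval(1, {2: 40.0, 4: 38.0}, {2: 39.0, 4: 39.0}),
    # hour 2: ex-post equals day-ahead (the perfect-forecast baseline)
    Interval(2, {2: 40.0, 4: 38.0}, {2: 40.0, 4: 38.0}),
    # hour 3: spread narrows but congestion is still visible ex-post
    Interval(3, {2: 40.0, 4: 38.0}, {2: 39.5, 4: 38.5}),
]

if __name__ == "__main__":
    for hour, profit in screen(SAMPLE, buy_bus=4, sell_bus=2):
        print(f"hour {hour}: review, pair earned {profit:.2f} $/MWh")
```

A flag here is only a prompt for review: load forecast error can also remove congestion in real time, so the signal of interest is the same node pair being flagged repeatedly.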
In future work, the development of countermeasures to mitigate the financial risks of malicious data injection attacks will be investigated. We also plan to study the sensitivity of different ex-post LMP pricing models to such a class of malicious data injection attacks [17]. Another important future direction of research is to conduct more realistic case studies, and investigate the accumulated profit of such attacks. Finally, we believe that future robust state estimation algorithms which could detect these false/malicious data injections need to be developed.

ACKNOWLEDGMENTS

We thank Dr. Feng Zhao of ISO-New England for informative discussion on the electricity market pricing models. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either express or implied, of ARO, Texas A&M, Carnegie Mellon, or the U.S. Government or any of its agencies.

REFERENCES

[1] S. M. Amin and B. F. Wollenberg, "Toward a smart grid," IEEE Power & Energy Magazine, Vol. 3, Issue 5, pp. 34-41, Sep/Oct 2005.
[2] M. D. Ilić, L. Xie, U. A. Khan, and J. M. F. Moura, "Modeling of future cyber-physical energy systems for distributed sensing and control," IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems and Humans, Vol. 40, Issue 4, pp. 825-838, Jul 2010.
[3] F. F. Wu, K. Moslehi, and A. Bose, "Power system control centers: past, present, and future," Proceedings of the IEEE, Vol. 93, Issue 11, pp. 1890-1908, Nov 2005.
[4] F. C. Schweppe, J. Wildes, and D. B. Rom, "Power system static state estimation, Parts I, II and III," IEEE Transactions on Power Apparatus and Systems, Vol. 89, Issue 1, pp. 120-135, Jan 1970.
[5] F. Li, Y. Wei, and S. Adhikari, "Improving an unjustified common practice in ex post LMP calculation," IEEE Transactions on Power Systems, Vol. 25, Issue 2, pp. 1195-1197, May 2010.
[6] M. Negrete-Pincetic, F. Yoshida, and G. Gross, "Towards quantifying the impacts of cyber attacks in the competitive electricity market environment," Proceedings of IEEE PowerTech, Jul 2009.
[7] D. Salem-Natarajan, L. Zhao, W. Shao, M. Varghese, S. Ghosh, M. Subramanian, G. Lin, H. Chiang, and H. Li, "State estimator for CA ISO market and security applications-relevance and readiness," Proceedings of IEEE Power and Energy Society General Meeting, Jul 2008.
[8] Y. Liu, M. K. Reiter, and P. Ning, "False data injection attacks against state estimation in electric power grids," Proceedings of the 16th ACM Conference on Computer and Communications Security, 2009.
[9] H. Sandberg, A. Teixeira, and K. H. Johansson, "On security indices for state estimators in power networks," First Workshop on Secure Control Systems, CPSWEEK 2010, Apr 2010.
[10] O. Kosut, L. Jia, R. Thomas, and L. Tong, "Limiting false data attacks on power system state estimation," Proceedings of Conference on Information Sciences and Systems, Mar 2010.
[11] O. Kosut, L. Jia, R. Thomas, and L. Tong, "Malicious Data Attacks on Smart Grid State Estimation: Attack Strategies and Countermeasures," Proceedings of First IEEE Smart Grid Communication Conference, Oct 2010.

[12] G. Dan and H. Sandberg, "Stealth Attacks and Protection Schemes for State Estimators in Power Systems," Proceedings of First IEEE Smart Grid Communication Conference, Oct 2010.
[13] L. Xie, Y. Mo, and B. Sinopoli, "False Data Injection Attacks in Electricity Markets," Proceedings of First IEEE Smart Grid Communication Conference, Oct 2010.
[14] F. F. Wu, P. Varaiya, P. Spiller, and S. Oren, "Folk theorems on transmission access: proofs and counterexamples," Journal of Regulatory Economics, Vol. 10, Issue 1, pp. 5-23, Jul 1996.
[15] E. J. Candes, M. B. Wakin, and S. Boyd, "Enhancing sparsity by reweighted ℓ1 minimization," Journal of Fourier Analysis and Applications, vol. 14, no. 5, pp. 877-905, December 2008.
[16] S. Boyd and L. Vandenberghe, Convex Optimization. Cambridge University Press, 2004.
[17] T. Zheng and E. Litvinov, "On ex post pricing in the real-time electricity market," IEEE Transactions on Power Systems, Vol. 26, Issue 1, pp. 153-164, Feb 2011.

Le Xie (S'05-M'10) is an Assistant Professor in the Department of Electrical and Computer Engineering at Texas A&M University. He received his B.E. in Electrical Engineering in 2004 from Tsinghua University, Beijing, China. He received an M.Sc. in Engineering Sciences from Harvard University in 2005. He obtained his Ph.D. in the Department of Electrical and Computer Engineering at Carnegie Mellon University in 2009. His industry experience includes an internship at ISO-New England and an internship at Edison Mission Energy Marketing and Trading. His research interest is the modeling and control of large-scale power systems with renewable energy resources, smart grids, and electricity markets.

Yilin Mo received the Bachelor of Engineering degree from the Department of Automation, Tsinghua University, Beijing, China, in 2007. He is currently working toward the Ph.D. degree in electrical and computer engineering at Carnegie Mellon University. His research interests include secure control systems and networked control systems, with applications in sensor networks.

Bruno Sinopoli received the Dr. Eng. degree from the University of Padova in 1998 and his M.S. and Ph.D. in Electrical Engineering from the University of California at Berkeley, in 2003 and 2005 respectively. After a postdoctoral position at Stanford University, Dr. Sinopoli joined the faculty at Carnegie Mellon University where he is an assistant professor in the Department of Electrical and Computer Engineering with courtesy appointments in Mechanical Engineering and in the Robotics Institute. Dr. Sinopoli was awarded the 2006 Eli Jury Award for outstanding research achievement in the areas of systems, communications, control and signal processing at U.C. Berkeley and the NSF Career award in 2010. His research interests include networked embedded control systems, distributed estimation and control with applications to wireless sensor-actuator networks and system security.