Stealth Attacks and Protection Schemes for State Estimators in Power Systems

György Dán and Henrik Sandberg
ACCESS Linnaeus Centre, School of Electrical Engineering
KTH, Royal Institute of Technology
Stockholm, Sweden
{gyuri,hsan}@ee.kth.se

Abstract—State estimators in power systems are currently used to, for example, detect faulty equipment and to route power flows. It is believed that state estimators will also play an increasingly important role in future smart power grids, as a tool to optimally and more dynamically route power flows. Therefore security of the estimator becomes an important issue. The estimators are currently located in control centers, and large numbers of measurements are sent over unencrypted communication channels to the centers. We here study stealthy false-data attacks against these estimators. We define a security measure tailored to quantify how hard attacks are to perform, and describe an efficient algorithm to compute it. Since there are so many measurement devices in these systems, it is not reasonable to assume that all devices can be made encrypted overnight in the future. Therefore we propose two algorithms to place encrypted devices in the system so as to maximize their utility in terms of increased system security. We illustrate the effectiveness of our algorithms on two IEEE benchmark power networks under two attack and protection cost models.

I. INTRODUCTION

SCADA (Supervisory Control and Data Acquisition) systems are widely used to monitor and control the behavior of large-scale power systems. SCADA systems transmit measurement data, status information, and control signals to and from Remote Terminal Units (RTUs), which are located in substations in the grid, see for example [1], [2]. For such large-scale systems, lost data and failing sensors are common.
The incoming data is therefore often fed to a so-called state estimator, which provides Energy Management Systems (EMS) and the human operator in the control center with hopefully accurate information at all times.

The technology and the use of SCADA systems have evolved considerably since the 1970s, when they were introduced. The early systems were mainly used for logging data from the power network. Today a modern system is supported by EMS functions such as automatic generation control (AGC), optimal power flow analysis, and contingency analysis (CA), see for example [1]. With the advent of new sensors such as PMUs (Phasor Measurement Units), so-called Wide-Area Monitoring and Control Systems (WAMS/WAMC) will also be introduced. This provides yet another layer of control in modern power network control systems.

One motivation for this paper is that SCADA/EMS systems are increasingly connected to office LANs in the control center. Thus these critical infrastructure systems are potentially accessible from the Internet. The SCADA communication network is also heterogeneous and consists of fiber optics, satellite, and microwave connections. Data is often sent without encryption. Therefore many potential cyber security threats exist for modern power control systems, as has been pointed out in for example [3], [4]. Another motivation for this work is that future smart power grids are believed to be more dependent on accurate state estimators to fulfill their task of optimally and dynamically routing power flows. Resilience and security of smart power grids are addressed in for example [5].

In this paper, the focus is on stealth attacks (also called false-data injection attacks) against state estimators. This type of attack was first studied in [4], to the authors' best knowledge.

(This work is supported in part by the European Commission through the FP7 project VIKING, and by the ACCESS Linnaeus Centre at KTH.)
In [4], it was shown that an attacker can manipulate the state estimate while avoiding bad-data alarms in the control center. It was also shown that rather simple false-data attacks can often be constructed by an attacker with access to the power network model. More recently, in [6], [7], further aspects of these attacks were studied. In [7], two security indices were defined that quantify how difficult it is to perform a successful stealth attack against particular measurements. In [6], it was shown how one can completely protect a state estimator from these unobservable attacks by encrypting a sufficient number of measurement devices.

Here we extend the work in [6], [7]. First of all, we propose an efficient method for computing the security index α_k introduced in [7] for sparse stealth attacks. This index is relevant to the problem because it quantifies the minimum number of measurements that need to be corrupted to perform a stealth attack with a specific goal. We also propose an extension where clusters of measurements are available at the same cost for the attacker. This is a realistic scenario if an attack is taking place from a substation, and potentially all measurements originating from the substation can be corrupted at once. Finally, we propose a protection scheme for how to allocate encryption devices to strengthen security. In [6], it is shown exactly how many measurements need to be encrypted to ensure security. It is shown that the number is equal to the number of state variables in the system. In this paper, we use the introduced security index to quantify the security when the number of encrypted measurements is insufficient to provide complete security, but one would like to maximize the
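As an added example that is not part of the paper, the following Python code makes the two quantities discussed above concrete on a constructed 4-bus network: the security index α_k, found here by brute-force enumeration rather than by the efficient method the paper proposes, and the check from [6] that a set of encrypted measurements gives complete protection. It assumes the linearized DC measurement model z = Hx + e used in [4], [7], in which an attack vector of the form a = Hc leaves the estimator's residual unchanged and so raises no bad-data alarm; the network, its matrix H and the protected sets are constructed for illustration and are not taken from the paper.

```python
import itertools
import math
import numpy as np

# Constructed 4-bus DC example (not from the paper). Bus 1 is the angle
# reference, so the state is x = (theta_2, theta_3, theta_4), n = 3. Rows of
# H: flows on lines 1-2, 2-3, 3-4, 1-4 and net injections at buses 2, 3, 4.
H = np.array([[-1, 0, 0],    # P_12 = theta_1 - theta_2 (unit reactance)
              [1, -1, 0],    # P_23
              [0, 1, -1],    # P_34
              [0, 0, -1],    # P_14
              [2, -1, 0],    # injection at bus 2
              [-1, 2, -1],   # injection at bus 3
              [0, -1, 2]],   # injection at bus 4
             dtype=float)

def null_space(A):
    """Orthonormal basis of {c : A c = 0} (whole space if A has no rows)."""
    if A.shape[0] == 0:
        return np.eye(A.shape[1])
    _, s, vt = np.linalg.svd(A)
    rank = int(np.sum(s > 1e-9))
    return vt[rank:].T

def stealthy_on(H, k, zero_rows):
    """Does some a = H c have a_i = 0 on zero_rows and a_k != 0? Any a = H c
    leaves the residual z - H x_hat unchanged, so no bad-data alarm fires."""
    N = null_space(H[list(zero_rows), :])
    return N.shape[1] > 0 and bool(np.any(np.abs(H[k] @ N) > 1e-9))

def security_index(H, k, protected=()):
    """alpha_k: fewest measurements that must be corrupted for a stealthy
    attack touching measurement k. Encrypted (protected) measurements cannot
    be corrupted, so their entries of a are forced to zero; inf if impossible."""
    protected = set(protected)
    if k in protected:
        return math.inf
    m = H.shape[0]
    free = [i for i in range(m) if i != k and i not in protected]
    for size in range(1, len(free) + 2):           # support size, including k
        for rest in itertools.combinations(free, size - 1):
            support = set(rest) | {k}
            if stealthy_on(H, k, [i for i in range(m) if i not in support]):
                return size
    return math.inf

def fully_protected(H, protected):
    """Complete protection as in [6]: encrypted rows span all n states."""
    return int(np.linalg.matrix_rank(H[list(protected), :])) == H.shape[1]
```

With no encryption, every measurement here has α_k = 4; encrypting the two line flows at bus 1 raises the index on the remaining measurements but does not make attacks impossible, whereas encrypting n = 3 suitably chosen measurements does.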