Cyber-Power System Security in a Smart Grid Environment
Alexandru Stefanov, Student Member, IEEE, Chen-Ching Liu, Fellow, IEEE
978-1-4577-2159-5/12/$31.00 2011 IEEE

Abstract: Smart grid heavily relies on Information and
Communications Technology (ICT) to manage the energy usage.
The concept of smart grid implies the use of smart devices,
such as smart meters or Remote Terminal Units (RTUs), that
require extensive information to optimize the power grid. As the
communication network is based on TCP/IP and Ethernet
technology, new cyber vulnerabilities are introduced that can be
exploited by malicious attackers. Cyber security has become a
serious concern due to various intrusion incidents. Cyber attacks
can make a significant impact on the grid, which will involve not
only steady-state but also dynamic behaviors. A cyber-power
system approach has been established that explicitly models the
interaction between ICT and the power system. New technologies
are under development to enhance the ICT vulnerability
assessment and evaluate the impact of cyber attacks on system
operation. This paper presents the cyber security issues in a
smart grid environment and cyber attack/mitigation scenarios
using a testbed at University College Dublin (UCD).

Index Terms: Cyber security of SCADA systems, smart grid,
cyber-physical system.

I. CYBER-PHYSICAL POWER SYSTEM SECURITY
Smart grid is deployed at both distribution and transmission
levels. Smart meters allow the exchange of extensive
energy and pricing information between customers and energy
suppliers and enable remote controls. Distributed generation is
integrated in this environment with varying capabilities for
frequency and voltage control. A smart Supervisory Control
And Data Acquisition (SCADA) system incorporating
advanced Remote Terminal Units (RTUs) and Intelligent
Electronic Devices (IEDs) can enhance system operation and
control and improve its ability to recover from a major failure.
The power grid is combined with smart controllers,
communication protocols and open computer networks for
monitoring, control and operation. The ICT layer resides on top of
the electric grid and is a significant part of a large and
complex cyber-physical system. Smart grid can enable control
of smart appliances, integration of distributed generation,
intelligent and efficient transmission systems and energy
management over wide areas.
The power and cyber systems are becoming more and more
interdependent. Interactions are needed between Energy
Management Systems (EMSs) and electricity markets and
between energy suppliers and industrial/home customers.
Smart communication devices adopt TCP/IP and Ethernet
based technologies for higher speed at reduced costs; however,
it is known that they are susceptible to IP based attacks, e.g.,
routing attacks, IP spoofing or TCP SYN attacks. The security of
SCADA systems relies on firewalls to prevent cyber
intrusions, but firewalls generally do not detect intrusions
using a trusted party or insider connection. In the substation
communication network there are remote access points for
maintenance purposes, and they need to be highly secured to
prevent unauthorized access. Standard communication
protocols used in EMS/SCADA systems are not entirely
secure; data contents can be modified in case of a man-in-the-middle
attack. ICT networks can be attacked not only by
direct intrusions, but also by infecting the machines with
viruses, worms and Trojan horses and by launching Denial of
Service (DoS) attacks. The impact of unauthorized access,
configuration changes and control manipulation on system
operation can be severe and will involve steady state and
dynamic behaviors. New solutions must be developed and
implemented to enable the smart grid to assess sources of
vulnerabilities, detect cyber attacks, and disconnect the
intruders. Research is on-going in the areas of Intrusion
Detection Systems (IDS), smart firewalls, and vulnerability
assessment to enhance the security of cyber-power grids
[1]-[3].

This research is sponsored by Science Foundation Ireland (SFI) at
University College Dublin (UCD) through a Principal Investigator Award.
A. Stefanov is with University College Dublin, Ireland
(alexandru.stefanov@ucdconnect.ie). C. C. Liu is with Washington State
University, Pullman, and UCD, Ireland (liu@ucd.ie).

Cyber security of power grids, especially in the smart grid
framework, is emerging as a sensitive and critical issue, due to
intrusion incidents. In March 2007, the US Department of
Energy's Idaho National Laboratory produced real evidence
of a targeted cyber attack within the Aurora project. A
previously classified video was made and publicized in
September 2007 to demonstrate the vulnerabilities of the
cyber-power system. Coordinated simultaneous attacks on
multiple power plants with the objective of damaging a large
number of generators are serious threats to national security
[4]. Evidence of a DoS cyber attack is represented by the
Stuxnet worm, which targets the SCADA systems of
industrial facilities. It searches for a specific type of
Programmable Logic Controller (PLC), reprograms parts of its
code, waits for a certain condition and then takes control.
Even though Stuxnet initially targeted nuclear facilities, it can
be adapted to attack different types of power plants or control
centers [5]. Reports of coordinated and targeted cyber attacks
can be found in McAfee's white paper "Global Energy
Cyberattacks: Night Dragon", February 2011. Although there
is no report of physical damage, the Night Dragon attacks
penetrated the corporate network and showed that the energy
sector can be vulnerable [6].
II. CYBER SECURITY TESTBED ARCHITECTURE
As illustrated in Figure 1, the UCD cyber-power system
testbed comprises 2 control centers and 2 substations. At the
control center level there are two operator consoles and a
Dispatcher Training Simulator (DTS) for training purposes.
Control center A is able to exchange certain information
with control center B by using the Inter-Control Center
Communications Protocol (ICCP). Proper configuration of
bilateral tables is required in order to define which data each
control center is allowed to access.
At the substation level, there are 2 user interfaces, one for
each control room, that supervise 2 physical Intelligent
Electronic Devices (IEDs) in an on-line environment using
IEC 61850 protocols. The power grid is modeled using
industrial-grade simulation software that allows steady state
and dynamics analysis. It is able to exchange real-time data
with the user interface at substation A through Object Linking
and Embedding for Process Control (OPC) communication.
An OPC server maps the data points between the user
interface and the power system simulator, which act as two
clients. The Distributed Network Protocol (DNP) over TCP/IP
allows measurements and controls to be exchanged between
control centers and substations. By running on-line power
flow or time domain simulations, measurements and circuit
breaker status are sent to the control center operators. Each
substation has a remote access point. Attackers can also
intrude into substation networks through these access points.
The UCD testbed provides a realistic model of the cyber-power
grid and allows monitoring of interactions between ICT
and the power system. Multiple attacks can be translated into
wide area multiple contingencies that demonstrate severe
consequences for the system operating condition.
III. SIMULATION SCENARIO
A test power grid is shown in Figure 2. Three hydroelectric
power plants, with reduced capacity of 150 MW each and
equipped with governors and automatic voltage regulators,
supply 6 loads with their characteristics represented by a
polynomial model. The 6 transmission lines are rated at 110
kV. For each element of the grid, external measurement points
have been defined and data is sent during the simulation via
the SCADA system to control centers. System operators
monitor and control the grid in real-time and dynamics can be
analyzed as well.
This simulation (hypothetical) scenario is concerned with a
successful intrusion into the SCADA network. Attackers
exploit the vulnerabilities of the power company's extranet
web servers, used for maintenance purposes, to obtain remote
command execution capabilities. By uploading specific
hacking tools, they access the company's intranet. Usernames
and passwords can be exposed by manipulation of the
environment. Critical process control machines can be
targeted using the malware. The intruder gains access to the
substation 4 Local Area Network (LAN) and then to the Local
Operating Network (LON) to control the IEDs. The attack
triggers 2 circuit breakers to open, which disconnects 2
transmission lines. As a result, power plant 4 is disconnected
and is assumed to be unavailable for some time. The one-line
diagram of the grid shown on the operator's console of the
SCADA system (Figure 3) indicates that 3 system elements
have been lost simultaneously and the system faces an N-3
contingency that may lead to cascading events.

Fig. 1. Cyber security testbed at University College Dublin (UCD). (Block diagram: vendor personnel or site engineers, and attackers, reach the SCADA network through dial-up, VPN or wireless access; substations A and B each have a user interface and an IED; control centers A and B have user interfaces and a dispatcher training simulator and are linked by ICCP; DNP 3.0 carries data between control centers and substations; an OPC server and OPC client connect the power system simulation.)
SCADA : Supervisory Control and Data Acquisition
ICCP : Inter-Control Center Communications Protocol
DNP : Distributed Network Protocol
OPC : OLE for Process Control
VPN : Virtual Private Network
IED : Intelligent Electronic Device

Fig. 2. Four-bus demo power grid.

Fig. 3. Control center one-line display by SCADA after cyber attack. (One-line diagram of Gen 1, Gen 2 and Gen 4, Loads 1, 2, 3a, 3b, 3c and 4, Substations 1 to 4 and Lines 12a, 12b, 14a, 14b, 23 and 43, annotated with MW/MVAr flows and bus voltages between 104.80 kV and 108.63 kV.)

The impact of the attack is analyzed by computer
simulations of system dynamics. The results show that the attack
has a severe impact on the system condition. Since a
generator is disconnected, the remaining 2 power plants are
generating at full capacity to serve the load, but there is not
enough generation and the frequency falls below 48 Hz, as
shown in Figure 4.


Fig. 4. Frequency after cyber attack.

In order to implement a mitigation strategy, the cyber attack
must be stopped and the intruder disconnected. This is
achieved by collaboration between the IDS and the firewall, both
present in the substation 4 ICT network. The IDS finds the
anomalies and sends disconnect control commands to the
firewall, which blocks the intruder's connection. To
mitigate the effects of the attack, emergency control actions
must be taken to steer the system back to a normal operating
condition. In this scenario the mitigation actions are computed
with an Optimal Power Flow (OPF) whose objective function
minimizes load shedding.
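As an added example (not code from the paper or the UCD testbed), a toy IDS in Python that scans constructed substation control events for the kind of anomaly described above and hands block rules to a firewall hook; the event format, host addresses and thresholds are assumptions made for the illustration.

```python
# Added example, not code from the paper or the UCD testbed: a toy IDS that
# scans constructed substation control-event records and derives firewall
# block rules, mirroring the IDS-to-firewall disconnect described in the text.
from collections import defaultdict

# Assumed policy for the substation 4 network (example values only).
AUTHORIZED_CONTROL_HOSTS = {"10.4.0.10"}   # local operator HMI
REMOTE_ACCESS_PREFIX = "10.4.9."           # maintenance access point range
WINDOW_SECONDS = 10                        # two breaker opens this close is suspicious

def parse_line(line):
    """Parse 'T=<sec> SRC=<ip> IED=<name> ACT=<read|open|close>' (constructed format)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return int(f["T"]), f["SRC"], f["IED"], f["ACT"]

def detect(lines):
    """Return {source_ip: sorted reasons} for hosts whose control traffic is anomalous."""
    opens = defaultdict(list)       # src -> timestamps of breaker-open commands
    alerts = defaultdict(set)
    for line in lines:
        t, src, _ied, act = parse_line(line)
        if act not in ("open", "close"):
            continue                # reads are monitoring, not control
        if src not in AUTHORIZED_CONTROL_HOSTS:
            alerts[src].add("control from unauthorized host")
        if src.startswith(REMOTE_ACCESS_PREFIX):
            alerts[src].add("control via remote access point")
        if act == "open":
            opens[src] = [x for x in opens[src] if t - x <= WINDOW_SECONDS] + [t]
            if len(opens[src]) > 1:
                alerts[src].add("multiple breaker opens within window")
    return {src: sorted(r) for src, r in alerts.items()}

def firewall_rules(alerts):
    """Translate IDS alerts into the disconnect commands sent to the firewall."""
    return [f"BLOCK {src}" for src in sorted(alerts)]

# Constructed log: operator reads, then an intruder on the remote access range
# opens two breakers 3 s apart (lines 14b and 43 in the paper's scenario).
SAMPLE_LOG = [
    "T=0 SRC=10.4.0.10 IED=IED-14b ACT=read",
    "T=5 SRC=10.4.0.10 IED=IED-43 ACT=read",
    "T=40 SRC=10.4.9.77 IED=IED-14b ACT=open",
    "T=43 SRC=10.4.9.77 IED=IED-43 ACT=open",
]

if __name__ == "__main__":
    print(firewall_rules(detect(SAMPLE_LOG)))   # ['BLOCK 10.4.9.77']
```

A single authorized operator opening one breaker raises nothing, so only the remote-access host is blocked, which is the disconnect step the paragraph describes.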


Fig. 5. Frequency after mitigation.

The OPF results show that loads 1 and 4 must be shed by
80% and 70%, respectively. Figure 5 illustrates that the frequency
declines sharply when the generator is disconnected; by the
time it reaches 49.5 Hz the mitigation strategy is implemented,
loads are shed and transmission lines 14b and 43 are
reconnected. All bus voltages settle at acceptable values
(Figure 6) and the system returns to a stable operating point.


Fig. 6. Bus voltages after mitigation.

Simultaneous cyber events at multiple locations can be
translated into multiple contingencies that could trigger widespread
outages. The smart grid environment requires
intelligent reconfiguration strategies to support operators'
decisions.
IV. ACKNOWLEDGEMENT
This research is sponsored by Science Foundation Ireland
(SFI) through a Principal Investigator Award. We also
acknowledge the support for collaboration from US National
Science Foundation.
V. REFERENCES
[1] J. Yan, C. C. Liu, and M. Govindarasu, "Cyber Intrusion of Wind Farm
SCADA System and Its Impact Analysis," IEEE PES Power Systems
Conference and Exposition, Mar. 20-23, 2011, Phoenix, USA.
[2] S. S. Wu, C. C. Liu, A. Shosha, and P. Gladyshev, "Cyber Security and
Information Protection in a Smart Grid Environment," IFAC Congress,
Invited Session on Emerging EMS Features and Functions Needed for
the Future Control Center in the Smart Grid Environment, Milan, Aug.
28 - Sept. 2, 2011.
[3] A. F. Shosha, P. Gladyshev, S. S. Wu, and C. C. Liu, "Detecting Cyber
Intrusions in SCADA Networks Using Multi-Agent Collaboration," Int.
Symp. Intelligent System Application to Power Systems (ISAP), Crete,
2011.
[4] J. Bumgarner, "Computers as Weapons of War," IO Journal, vol. 2, no.
2, pp. 4-8, May 2010.
[5] T. M. Chen and S. Abu-Nimeh, "Lessons from Stuxnet," IEEE
Computer Society, vol. 44, no. 4, pp. 91-93, Apr. 2011.
[6] McAfee Labs, "Global Energy Cyberattacks: Night Dragon," Feb. 2011.
Available at: http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
VI. BIOGRAPHIES
Alexandru Stefanov received his BSEE and MSEE degrees from Politehnica
University of Bucharest, Romania, in 2009 and 2011, respectively. He is
currently pursuing his Ph.D. in School of Electrical, Electronic and
Mechanical Engineering at University College Dublin, Ireland. His research
interests include cyber security in EMS/SCADA systems, impact analysis and
power systems mitigation strategies.
Chen-Ching Liu (F'94) received his Ph.D. degree from the University of
California, Berkeley. He is presently Boeing Distinguished Professor at
Washington State University and Professor of Power Systems at the
University College Dublin, Ireland. He was Palmer Chair Professor of
Electrical Engineering at Iowa State University and a Professor of Electrical
Engineering at the University of Washington. Dr. Liu received an IEEE Third
Millennium Medal in 2000 and the IEEE Power and Energy Society
Outstanding Power Engineering Educator Award in 2004. Professor Liu is a
Fellow of the IEEE.