Академический Документы
Профессиональный Документы
Культура Документы
3, AUGUST 2018
Abstract—As electric sector stakeholders make the decision to given the integrated nature of modern cyber-physical systems,
upgrade traditional power grid architectures by incorporating cyber-induced failures of the power grid can cascade to other
smart grid technologies, the benefits of added connectivity must critical infrastructure sectors, such as transportation networks,
be weighed against the risk of increased exposure to cyber-attacks.
Therefore, decision makers must ask: How smart is smart enough? water treatment, or financial systems, causing extensive
This paper presents a probabilistic risk analysis framework to physical damage and economic disruption.
address this problem. The goal is to quantify the overall benefit While there is growing recognition across government,
and risk of adding connections to a network and hiring a number academia, and the private sector of the cyber vulnerability of
of cyber defense teams, with the objective to help decision makers the electric grid, the likelihood and consequences of a cyber-
formally assess tradeoffs and set priorities given limited resources.
Central to this approach is a new Bayes-adaptive network attack are difficult to quantify. Therefore, electric sector stake-
security model based on a reformulation of the “multiarmed holders have problems determining which investments to make
bandits” (MAB) problem. Here, instead of projects with uncertain beyond the minimum required for compliance with mandatory
probabilities of success as in the classic MAB problem, a network standards. As a result, current risk management approaches are
defender faces the possibility of attacks against network nodes at generally qualitative or heuristic in nature [3].
uncertain Poisson-distributed rates. This new technique, which by
similarity we call “multinode bandits,” takes a dynamic view of This paper presents a probabilistic risk analysis (PRA) ap-
cyber security investment, exploring how network defenders can proach to smart grid cyber security. In particular, this paper takes
optimally allocate cyber defense teams among nodes. In effect, this a dynamic and stochastic view of cyber security investment, ex-
approach entails employing proactively for defensive and informa- ploring how defenders of smart grid information networks can
tion gathering purposes teams that traditionally respond to cyber
optimally allocate cyber defense teams among nodes in their
breaches after they occur. We apply this model to the case study
of an electric utility considering the degree to which they should network. In short, this involves taking teams that traditionally
integrate demand response into their smart grid network, jointly respond to breaches after they occur, and instead employing
identifying both the optimal level of connectivity and the optimal them in a proactive manner for defensive and information gath-
strategy for the sequential allocation of cyber security resources. ering purposes. We then show how this model can be used to
Index Terms—Cyber-physical security, multiarmed bandit identify the optimal level of connectivity, where the benefits of
(MAB), smart grid. increased incorporation of smart grid technologies are weighed
against the cyber security risks that these new connections entail.
I. INTRODUCTION Given the sequential decision nature of this network de-
HE EMERGENCE of the smart grid promises to deliver fense formulation, we draw insights from multiarmed bandits
T many benefits to the overall operation of the North Amer-
ican electric grid, including increased efficiency, improved
(MABs), a class of problems where a decision maker must
sequentially allocate resources among competing projects, typ-
reliability, better incorporation of renewable energy sources, ically with uncertain probabilities of success [4]. In cyber se-
and more choice for electricity consumers [1]. However, the curity settings, network defenders are often concerned not just
same technologies that improve the performance of the smart with the probability of a compromise, but also the rate at which
grid also expose it to digital threats such as denial of service nodes in their network can be attacked. Inspired by this notion,
attacks, intellectual property theft, invasion of privacy, and we developed a new variant of the MAB model suited to cyber
sabotage of critical national infrastructure [2]. Furthermore, security settings. Instead of gaming machine “arms” or projects
with unknown probabilities of success, a decision maker faces
Manuscript received July 14, 2017; revised December 14, 2017; accepted unknown Poisson rates of attack against nodes in their network.
January 8, 2018. Date of publication February 26, 2018; date of current version The question at each step is how to employ cyber defense teams
July 17, 2018. Review of this manuscript was arranged by Department Editor
B. Jiang. (Corresponding author: Matthew David Smith.)
to defend against these attacks, protecting the network against
The authors are with the Department of Management Science and Engineer- known threats while also exploring the network to learn about
ing, Stanford University, Stanford, CA 94305 USA (e-mail: mdsmith44@gmail. new, unknown threats. We refer to this new formulation as a
com; mep@stanford.edu).
Color versions of one or more of the figures in this paper are available online
multinode bandit (MNB) model.
at http://ieeexplore.ieee.org. Using this MNB network security model, along with systems
Digital Object Identifier 10.1109/TEM.2018.2798408 and economic analysis of smart grid networks, we solve for
0018-9391 © 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications standards/publications/rights/index.html for more information.
SMITH AND PATÉ-CORNELL: CYBER RISK ANALYSIS FOR A SMART GRID: HOW SMART IS SMART ENOUGH? 435
technology on 40% of distribution feeders achieves 80% model and the overall PRA approach remain both reasonable
of the benefit of upgrading all feeders [10]. and tractable.
2) The cyber security risk will increase. While the effects of Assumption 1: Smartness of a smart grid network is defined
the dependency are not immediately apparent, increased as the number of physical nodes that have been upgraded with a
connectivity causes an increase in both the probability of particular smart grid technology and connected to the informa-
cyber-attacks given an increased number of attack paths, tion network.
and their potential consequences given the tighter cou- The setting for our research model is an electric utility com-
pling between control components in the power network. pany faced with the following decision: starting from a baseline
When considered together, these two trends have crucial con- version of their power grid network, they have to decide on
sequences for utilities when evaluating the tradeoff between the degree to which they want to integrate some smart grid
the benefit and risks of increased connectivity. Beyond a certain technology into their network. As illustrated in Fig. 1, we repre-
level, added connectivity yields little additional benefit, and may sent the physical network by an undirected graph consisting of
be outweighed by the increase in cyber risks. nodes (electrically distinct points in the network, which include
2) How Much to Invest in Cyber Security?: Numerous cy- generators, substations, and consumers) and edges represent-
ber security countermeasures and network architectures have ing transmission lines. This representation of power networks
been proposed and developed in recent years to help protect is common in power systems analysis, and modern power net-
smart grid information networks. Broadly speaking, these in- works can consist of thousands of such nodes in the case of an
volve a combination of traditional IT countermeasures (e.g., entire regional interconnect, or dozens in the case of municipal
antivirus protection, or firewalls that separate control networks utilities [11].
from enterprise networks) as well as additional techniques that The utility’s decision amounts to choosing which subset of
are tailored to the unique security requirements of energy con- nodes to connect with the smart grid technology (and the added
trol systems (e.g., application whitelisting and host data loss connectivity that entails). In the information network, each
prevention, which require fewer computational resources and node thus represents an Internet-connected point, for example, a
less-frequent patching) [9]. In addition to these technical solu- router that transmits data, or a control center that aggregates in-
tions, there are also a range of management solutions available formation and makes control decision, and each edge is a direct
to utilities, such as employee training, increased intelligence communication link [12]. The size of the information network
gathering, or hiring a chief risk officer. therefore scales with the increased incorporation of a particular
Despite the range of cyber security tools available to network smart grid technology. As the grid becomes smarter, the infor-
defenders, there is significant uncertainty surrounding the risk- mation network grows to accommodate the increased demand
reduction value of the different techniques. For example, given for real-time monitoring and enhanced control with fast and ef-
a fixed security budget, should a network defender allocate the ficient algorithms, but the added connectivity also increases the
resources toward improved firewalls, training for employees, or number of pathways into utility systems. In effect, this network
an increased member of the organization’s cyber security team? model discretizes the utility’s decision regarding how smart to
These types of questions are difficult to address, especially due make their system. However, since electricity balancing author-
to the dynamic and uncertain nature of cyber threats. Further- ities and system operators commonly aggregate customers into
more, what if the budget is not fixed? Now defenders must ask large loads to realize savings, we argue that it makes sense to
how much to invest, in addition to where to invest it. We focus bundle the total system load into discrete customer nodes in this
here on the number and allocation of cyber defense teams, and fashion.
their task to protect against both known and new vulnerabilities. Assumption 2: The rate of successful cyber-attacks against
The MNB model, when used as part of an overall PRA frame- a connected node can be modeled as a Poisson process.
work, provides a way to address both research questions. When Empirical analysis of cyber security incident data has shown
considering a power system with a finite number of nodes, the that the arrival of successful cyber-attacks is well modeled by a
model allows system operators to solve for the optimal alloca- Poisson process. For example, an analysis of recently released
tion of a cyber defense team among nodes in the network. Based security logs of 1131 cyber intrusions against the U.S. Depart-
on that strategy, we quantify the cyber risk facing the network ment of Energy from 2010 to 2014 [13] shows that the dis-
for any number of connected nodes. Comparing this risk to the tribution of interarrival times is exponential, and thus arrivals
benefit curve of increased smartness permits system operators are Poisson, as shown in Fig. 2. Additional theoretical justifi-
to identify the optimal level of connectivity. If we allow for the cation comes from the Palm–Khintchine theorem, which states
number of response teams to be variable, we can also address that the aggregate arrivals from many (possibly non-Poisson)
the question of how much to invest in these teams. Hence, using sources approach a Poisson distribution in the limit.
the MNB model, system operators can address how smart to Assumption 3: The rates of attack to different nodes in the
make their network (how many nodes to connect) as well as network are independent.
how much to invest (how many cyber defense teams to hire). While it is reasonable to think that these rates may be depen-
dent (for example, in the case where an attacker is launching a
coordinated attack using multiple attack vectors), we justify this
C. Assumptions and Justification assumption by noting that smart grid information networks are
This section discusses key assumptions that bound the scope highly distributed and highly heterogeneous. That is, the nodes
of our analysis and ensure that the MNB network security in the physical network are geographically dispersed, often
SMITH AND PATÉ-CORNELL: CYBER RISK ANALYSIS FOR A SMART GRID: HOW SMART IS SMART ENOUGH? 437
TABLE I
HEURISTIC-BASED EXPLORATION STRATEGIES FOR MULTINODE BANDIT
PROBLEMS Y i = λi ci
The variable Y i = λi c i represents the expected cost of attacks against node i, based on
current information state. Fig. 5. Use of value of perfect information to calibrate an approximate value
function, from which we can fit an approximate value function for use in a
one-step look-ahead algorithm.
consider two classes of methods: 1) heuristic-based exploration
strategies, where a node is selected at each step based on some
easily calculated property of the current system state, and 2) ap-
proximate dynamic programming, where we make simplifying
assumptions that enable us to solve a simplified optimization
problem as a proxy to the intractable multiperiod problem.
The first class of approximate solution methods is heuristic-
based exploration strategies. Based on a review of MAB liter-
ature as well as intuition on the unique characteristics of the
MNB variation, we evaluated the solution methods described in
Table I. The parameters of each method are tuned to ensure the
best match with the known optimal policy for the sample two-
node problem from Section III-C3 for which the exact solution
is known. The greedy strategy represents a pure-exploitation
strategy, while the other methods represent different ways to
incorporate exploration into the node-probing strategy.
While the heuristic methods attempt to circumvent the need Fig. 6. Comparison of approximate solution strategies for multinode bandits.
to address the dynamic programming problem, approximate
dynamic programming methods attempt to solve the original
dynamic programming problem by making simplifying as-
sumptions that make it more tractable. We explore here the increase toward VoPI. Indeed, the exact value of various states
use of one such method, a one-step look-ahead algorithm. of information shows this pattern, as presented in Fig. 5.
This means that at any time, rather than performing value A comparison of all the approximate methods considered here
iteration from the terminal horizon back to the current time, (the four heuristic-based strategies as well as the one-step look-
we only consider the expected cost of the next transition, and ahead) is shown in Fig. 6. We compare methods based on three
use an approximate value function to estimate the remaining factors: 1) accuracy (how often do we take the correct action);
value until the end of the time horizon. In order to find a good 2) value of implementing that strategy, as determined by the
approximate value function, we used the concept of Value of Monte Carlo simulation; and 3) computational speed.
Perfect Information, defined as follows. We observe that the one-step look-ahead strategy with a VoPI-
1) Value of Perfect Information (VoPI) = Value we would based approximate value function provides the best value and
get if we knew all uncertain rates of attacks. accuracy, although it is the slowest one to compute. The quantile-
2) Value of No Information (VoNI) = Value we would get if selection and variance bonus strategies perform well, which we
we could not update our beliefs as we got further infor- can attribute to the fact that they capture the “potential upside”
mation by probing each node. of probing a node better than the purely greedy, short-sighted
Intuitively, with one time unit remaining, the best value that strategies. In the rest of this paper, we use the VoPI method
we can achieve is VoNI, since it would be too late to adapt after to gain insights into more complex MNB problems, although
getting new information. With more time remaining, there is it should be noted that the variance bonus method would be
more opportunity to explore, and we expect the probing value to especially useful in settings where a solution is needed quickly.
SMITH AND PATÉ-CORNELL: CYBER RISK ANALYSIS FOR A SMART GRID: HOW SMART IS SMART ENOUGH? 441
Fig. 7. Overview of probabilistic risk analysis approach to smart grid cyber security.
IV. OPTIMAL CONNECTIVITY AND ALLOCATION OF CYBER erating costs are high (e.g., during peak demand) or when system
SECURITY RESOURCES reliability is in jeopardy (e.g., during an unexpected outage or
This section illustrates how smart grid system operators can other system contingency). Due to the communication overhead
utilize the MNB network security model as part of a PRA frame- needed to support and enable the technology, demand response
work to identify the optimal level of connectivity and the optimal is a quintessential example of a smart grid technology, where
network defense strategy for a smart grid network. the increased connectivity provides benefits to system operators
The overall PRA framework is illustrated in Fig. 7. In the first while simultaneously introducing new cyber risks [32]. There-
step, we perform systems analysis to identify plausible classes fore, demand response is an appealing case study for application
of failure scenarios that can be induced by exploiting cyber of our research model, which seeks to identify the optimal level
vulnerabilities in a smart grid network, as drawn from industry of connectivity.
expert opinion and known incidents. We also specify the initial
threat estimates, which take the form of a set of gamma distri- A. Case Study Network
bution priors over the uncertain Poisson rates of attack against We illustrate the MNB network security model and the cas-
the system. Step 2 uses an economic dispatch model to compute cading effects of failures using a schematic 24-node intercon-
the financial impact of each failure scenario, as well as the ben- nected power network of the SMUD, as shown in Fig. 8. We then
efit of increased network smartness, based on the physics and consider the decision regarding the degree to which one should
economics of their effect on the power system. The outputs of integrate demand response into any subset of the ten highlighted
the economic analysis are numerical inputs to the MNB model, consumer nodes, with smartness ranging from 0 to 10.
which is used in step 3 to solve for the optimal strategy for the The reasons for choosing SMUD are threefold. The first ben-
sequential allocation of cyber defense teams among nodes in efit is the relative simplicity and isolation of the SMUD power
the network. Based on that strategy, we quantify the net cyber network, which facilitates illustration of the basic concepts of
risk to smart grid information networks that remains after em- the model. Second, as it is a publicly owned utility, more data
ploying the optimal cyber defense strategy. Finally, in step 4, a are available from resources like the Energy Information Ad-
decision-analytic framework combines the benefit of increased ministration [33] and California Energy Commission [34] than
smartness, the cost inflicted on the network by newly introduced for privately owned utilities. Third, SMUD is currently assess-
cyber vulnerabilities, and the value of optimal defensive probing ing the potential benefits of incorporating demand response into
strategies to identify the optimal level of connectivity and the their network, as evidenced by their recently completed pilot
optimal number of defense teams to hire. program [35]. Hence, they are a good candidate to study risks
We apply this framework to a case study of the incorporation and benefits of making their network smarter via the incorpora-
of demand response in the management of the SMUD power tion of demand response.
network. Demand response is an emerging smart grid tech- To model the behavior of the SMUD power network and
nology, which allows utilities to use price signals to influence the impact of demand response, we utilize the IEEE 24-Bus
customer behavior, inducing lower electricity demand when op- Reliability Test System, a simple, adaptable, and well-studied
442 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT, VOL. 65, NO. 3, AUGUST 2018
Fig. 9. Benefit curve of increased smartness for SMUD power network. The
curve specifically accounts for the order in which the nodes are connected, with
the most advantageous nodes selected first.
TABLE II
CYBER FAILURES SCENARIOS INTRODUCED BY INCORPORATION OF DEMAND RESPONSE TECHNOLOGY
FS1—Loss of Threat agent compromises demand response (DR) system with Insiders, Criminal Impact of transmission line outages
Situational Awareness custom malware, causing customer system to report false usage and Groups for that node are doubled.
status information to utility. Results in reduced situational awareness
and inhibits a utility’s ability to react proactively, and could increase
the number and duration of failures.
FS2—Local Outage Threat agent injects purpose-built malware into the demand response Terrorist Group, Cost of $3.76 per kWh of demand
Triggered Remotely automation server (DRAS), gaining remote command of the server, Nation States not met [49], taken as highest 4-hour
and blocking or issuing malicious control signals to cause a local or period for that node.
regional outage during peak demand hours.
FS3—Denial of Service Threat agent blocks communications between a demand response Hacktivist, Peak load increase by 2% over
Blocks DR Messages automation server (DRAS) and customer systems. This could be Terrorist Group normal profile (with no demand
accomplished by flooding the communications channel with other response).
messages, or by tampering with the communications channel. These
actions could prevent legitimate DR messages from being received
and transmitted, resulting in increased peak energy usage.
FS4—Price/Meter Threat agent obtains access to the communications channel between Customers, Effective customer prices reduced by
Manipulation the DRAS and the customer DR system, and delivers false Insiders, 1% from nominal values [33],
information to under-report electricity usage or to create artificially Competing Firms reducing revenue for utility.
high prices in the spot power market for financial gain.
FS5—Theft of Private Threat agent compromises DR systems, and then pivots to parts of Criminal Groups Fixed cost of $2.3 k for any node,
Information the information network containing sensitive customer data or based on per capita cost from data
valuable intellectual property, leading to possible fines or breach reports [28]
remediation costs.
TABLE III
COST OF EACH TYPE OF SUCCESSFUL CYBER-ATTACK FOR EACH CUSTOMER
NODE IN SMUD’S NETWORK, BASED ON RECOMPUTING THE DAILY
OPERATING COST SUBJECT TO ADDITIONAL CONSTRAINTS IMPOSED
BY EACH CYBER FAILURE SCENARIO (FS)
Customer FS1 Cost FS2 Cost FS3 Cost FS4 Cost FS5 Cost Net Cost per
Node ($k) ($k) ($k) ($k) ($k) Attack ($k)
Fig. 10. Net cyber risk facing the network, accounting for the value of the
optimal defensive probing strategy. The red (upper) curve represents the net
The costs of the failure scenarios for each node are computed cyber risk that remains after implementing an optimal defensive strategy.
by rerunning the economic dispatch model, subject to the addi-
tional constraints imposed by each failure scenario. The average
cost of all failure scenarios then becomes the average cost per prior probability distribution of gamma(λi ; αi = 2, βi = 2) for
successful cyber-attack to that node, which becomes the nodal the rate of attacks to each node. At each level of smartness of the
cost parameter ci for use in the MNB model. The net cost per SMUD power network, from 0 candidate nodes connected to all
attack for each node ranges from $1.49 k to $3.62 k, as shown 10, we use the MNB model to determine the value of the optimal
in Table III. probing strategy of a single cyber defense. Using this strategy,
we evaluate the residual cyber risk facing the network, defined
as the expected value of the cost inflicted by all incoming cyber-
C. INSIGHTS: HOW SMART AND HOW MUCH TO INVEST? attacks minus the value saved from thwarting attacks. This value
To identify the optimal level of connectivity, the outputs of is illustrated in Fig. 10.
the economic dispatch model—i.e., the benefit curve of Fig. 9 Combining this cyber risk curve with the benefit of in-
and the cyber-attack costs from Table III—are used as inputs creased smartness, we assess the tradeoffs as shown in Fig. 11.
to the MNB network security model. To complete the network These computations show an optimal smartness level where the
specification, we consider a time horizon of T = 60 days and a marginal benefit of increased connectivity equals the marginal
444 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT, VOL. 65, NO. 3, AUGUST 2018
TABLE IV
SUMMARY OF GENERATOR DATA BY GENERATOR TYPE FOR THE SYNTHETIC POWER NETWORK REPRESENTATION OF SMUD’S POWER SYSTEM
Generator Code Fuel Type Capacity (MW) Number in Network Cost coef. c0 ($/hr) Cost coef. c1 ($/MWh) Cost coef. c2 ($/MW-MWh)
The generator code identifies which generator in the original IEEE 24-bus network these new generators replace.
cyber-attacks. Solving the MNB problem yields a strategy by design, adaptable to different power system configurations,
for the sequential employment of cyber defense teams among allowing us to adjust generation cost and consumer demand
nodes in an organization’s information network, thus protecting parameters to match the characteristics of the SMUD power
the network against known threats while actively exploring it network in a manner suitable to studying the impact of demand
to detect and prevent new threats. For simple problems (two response.
or three nodes, short time horizon T < 15 days), we can solve Using generator cost functions and fuel cost data from pub-
for the truly optimal strategy using dynamic programming. licly available sources, we derive the generator mix for the
For more complex (and hence more realistic) settings, we need synthetic SMUD power network, as shown in Table IV. Specif-
to use approximate solution methods based on heuristics or ically, the operating cost of each generator is fit to a quadratic
approximate dynamic programming. cost function, based on actual operating points for comparable
We make two final notes on the MNB model. First, the model- generators used in California [43], current natural gas fuel prices
ing power of the MNB framework is not limited to the allocation [44], recent cost analysis reports for hydro power [45], and the
of cyber defense teams. In alternative formulations, rather than California Energy Commission’s Cost of Generation Toolkit for
a time step of 1 day we could have a time step of t ∼ 1 s (e.g., solar, wind, and geothermal generation [46]. Additionally, by
computerized decision support system allocating intrusion de- preserving the same nodal generation capacities as the original
tection resources), or even t ∼ 1 month (e.g., long-term planning IEEE test network, results for the SMUD network may still be
to shift organizational resources or plan system upgrades). Sec- compared with other benchmark studies.
ond, by taking a Bayes-adaptive approach to network security, In addition to generator cost functions, the other aspect of
the MNB model allows an organization to leverage the techni- SMUD’s network that we incorporate into the model is the
cal ingenuity and expertise of its cyber security professionals to hourly usage data for end-users. The value of demand response
defend against intelligent adversaries. largely relies on its ability to influence or force users to shift
Smart grid networks indeed pose unique cyber security chal- or reduce their electricity demand from peak to off-peak hours.
lenges. The Congress of the United States is currently con- Thus, the hourly load profiles play a key role in determining the
sidering requiring a decrease in the grid’s connectivity level, benefit of implementing demand response technology. Using
essentially unplugging parts of it from the Internet [42]. The actual hourly energy usage data for the SMUD service area
question is: Up to what point? A quantitative analysis such as during the 2012 calendar year from the National Renewable
that presented here shows that the optimal connectivity can in- Energy Lab [47], we obtain the typical aggregate load profile
deed be assessed through a risk analysis based on existing attack shown in Fig. 13.
data, engineering models, economic analysis, and expert opin- The hourly load profile from Fig. 13, which represents the
ion. While it is infeasible to protect against every cyber-attack aggregate load of the entire power network, is translated to
vector in systems as complex as the smart grid, this approach the individual customer nodes as follows. First, each customer
can help enable smart grid stakeholders to prioritize protection node is characterized either as a commercial node (where load is
efforts given limited security resources. 70% commercial, and 30% residential), residential node (30%
commercial, 70% residential), or a mixed node (50% commer-
cial and residential). Introducing three types of customer nodes
APPENDIX allows us to explore how the impact of demand response varies
To model the behavior of the SMUD power network, we by end-use sector. Second, the peak load of each customer node
utilize the IEEE 24-bus reliability test system, a simple and is scaled so that the node’s fractional contribution to the total
well-studied benchmark of a “typical” utility published by IEEE system load is the same as in the original IEEE 24-bus network
in 1996 [36]. The original 24-bus test system contains useful (as specified in [36, Table V]). The resulting customer load
data on generation capacity, power flow limits, transmission profiles are summarized in Table V.
line failure rates, and customer demand data for each of ten To compute the benefit, when customer node Ci in the 24-
customer nodes. Importantly for our purposes, the test system is, node SMUD network is upgraded to a smart node capable of
446 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT, VOL. 65, NO. 3, AUGUST 2018
REFERENCES
[1] S. Blumsack and A. Fernandez, “Ready or not, here comes the smart
grid!,” Energy, vol. 37, no. 1, pp. 61–68, 2012.
[2] A. Narayanan, “The emerging smart grid: Opportunities for increased
system reliability and potential security risks,” Ph.D. dissertation, Dept.
Eng. Public Policy, Carnegie Mellon Univ., Pittsburgh, PA, USA, 2012.
Fig. 13. Representative daily load profile of the SMUD service area used for [3] M. Hayden, C. Hébert, and S. Tierney, “Cybersecurity and the North
analysis purposes American electric grid: New policy approaches to address an evolv-
ing threat,” Bipartisan Policy Center, Washington, DC, USA, 2014,
TABLE V pp. 33–38.
SUMMARY OF THE TEN CUSTOMER LOADS IN THE SMUD POWER NETWORK [4] M. O. Duff, “Optimal learning: Computational procedures for Bayes-
MODEL adaptive Markov decision processes,” Ph.D. dissertation, Dept. Comp.
Sci., Univ. Amherst, Amherst, MA, USA, 2002.
Customer Node in IEEE Fraction Fraction Peak % of [5] A. Lee, “Cyber security strategy guidance for the electric sector,” Electric
Node 24-Bus Test Commercial Residential Load System Power Research Institute, Palo Alto, CA, 2012.
System (MW) Load [6] Z. Yan, P. Zhang, and A. V. Vasilakos, “A survey on trust management for
Internet of Things,” J. Netw. Comput. Appl., vol. 42, pp. 120–134, 2014.
C1 3 0.5 0.5 362.9 11.4% [7] Q. Jing, A. V. Vasilakos, J. Wan, J. Lu, and D. Qiu, “Security of the Internet
C2 4 0.3 0.7 149.2 4.7% of Things: Perspectives and challenges,” Wireless Netw., vol. 20, no. 8,
C3 5 0.3 0.7 143.2 4.5% pp. 2481–2501, 2014.
C4 6 0.5 0.5 274.2 8.6% [8] J. Hu and A. V Vasilakos, “Energy big data analytics and security:
C5 8 0.7 0.3 344.8 10.9% Challenges and opportunities,” IEEE Trans Smart Grid, vol. 7, no. 5,
C6 9 0.7 0.3 352.8 11.1% pp. 2423–2436, Sep. 2016.
C7 10 0.7 0.3 393.2 12.4% [9] R. S. E. Knapp, Applied Cyber Security and the Smart Grid. Waltham,
C8 13 0.5 0.5 534.3 16.8% MA, USA: Syngress, 2013.
C9 19 0.5 0.5 364.9 11.5% [10] K. P. Schneider, J. C. Fuller, F. K. Tuffner, and R. Singh, “Evaluation
C10 20 0.3 0.7 258.1 8.1% of conservation voltage reduction (CVR) on a national level,” Pacific
Northwest Nat. Lab., Richland, WA, USA, 2010, p. 114.
[11] R. D. Zimmerman, C. E. Murillo-Sanchez, and R. J. Thomas, “MAT-
POWER: Steady-state operations, planning, and analysis tools for power
systems research and education,” IEEE Trans. Power Syst., vol. 26, no. 1,
implementing demand response, the residential and commercial pp. 12–19, Feb. 2011.
loads are shifted by a flexibility factor, representing the fraction [12] M. Parandehgheibi, E. Modiano, and D. Hay, “Mitigating cascading fail-
ures in interdependent power grids and communication networks,” in Proc.
of customers willing and able to shift their energy usage. Based 2014 IEEE Int. Conf. Smart Grid Commun., 2015, pp. 242–247.
on recent analysis of the potential impact of demand response [13] U.S. Department of Energy, Washington, DC, USA, “Freedom of infor-
in the California electricity market [48], we derive flexibility mation request #: HQ-2015-00126-F,” 2015.
[14] Z. Yan, P. Zhang, and A. V. Vasilakos, “A security and trust framework
factors of νC = 3.20% for commercial loads, and νR = 1.35% for virtualized networks and software-defined networking,” Sec. Commun.
for residential. In general, commercial loads are more “flexi- Netw., vol. 9, no. 16, pp. 3059–3069, 2016.
ble” than residential loads, due to their increased diligence to [15] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, “Security
in software-defined networking: Threats and countermeasures,” Mobile
electricity expenditures and their ability to have on-site tech- Netw. Appl., vol. 21, no. 5, pp. 764–776, 2016.
nologies supporting demand response (e.g., storage devices or [16] F. Hu et al., “Robust cyber-physical systems: Concept, models, and im-
on-site generators that kick in when prices are high). The re- plementation,” Future Gener. Comput. Syst., vol. 56, pp. 449–475, 2016.
[17] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False
spective loads of any demand response nodes are then shifted data injection on state estimation in power systems—Attacks, impacts,
by a fraction νC or νR from the current to the average value. and defense: A survey,” IEEE Trans. Ind. Informat., vol. 13, no. 2,
The effect is to “flatten” the daily load profile. Recomputing pp. 411–423, Apr. 2017.
[18] N. Liu, J. Zhang, H. Zhang, and W. Liu, “Security assessment for
the economic dispatch algorithm with the new, flatter demand communication networks of power control systems using attack graph
curves will thus result in a cost saving for the utility. and MCDM,” IEEE Trans. Power Del., vol. 25, no. 3, pp. 1492–1500,
To capture the ability of a demand response strategy to mit- Jul. 2010.
[19] T. Sommestad, M. Ekstedt, and L. Nordström, “Modeling security of
igate the impact of unexpected component failures, we intro- power communication systems using defense graphs and influence di-
duce random transmission line failures into the model, with agrams,” IEEE Trans. Power Del., vol. 24, no. 4, pp. 1801–1808,
daily probabilities of failure ranging from 8.22 × 10−4 to Oct. 2009.
[20] A. Hahn and G. Manimaran, “Cyber attack exposure evaluation framework
7.94 × 10−3 , as specified in the original IEEE 24-bus test for the smart grid,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 835–843,
system (drawn from transient outage rates in [36, Table 12]). Dec. 2011.
SMITH AND PATÉ-CORNELL: CYBER RISK ANALYSIS FOR A SMART GRID: HOW SMART IS SMART ENOUGH? 447
[21] N. S. V. Rao, S. W. Poole, C. Y. T. Ma, F. He, J. Zhuang, and D. K. [44] U.S. Energy Information Administration, Washington, DC, USA, “Natural
Y. Yau, “Defense of cyber infrastructures against cyber-physical attacks gas spot and futures prices (NYMEX),” 2016.
using game-theoretic models,” Risk Anal., vol. 36, no. 4, pp. 694–710, [45] International Renewable Energy Agency, Abu Dhabi, UAE, “Hy-
2016. dropower,” 2012.
[22] N. S. V Rao, C. Y. T. Ma, U. Shah, J. Zhuang, F. He, and D. K. Y. Yau, “On [46] California Energy Commission, Energy Almanac, Sacramento, CA, USA,
resilience of cyber-physical infrastructures using discrete product-form “Cost of generation report,” 2016.
games,” in Proc. 2015 18th Int. Conf. Inf. Fusion, 2015, pp. 1451–1458. [47] National Renewable Energy Laboratory, Golden, CO, USA, “Commercial
[23] Z. M. Fadlullah, Y. Nozaki, A. Takeuchi, and N. Kate, “A survey of game and residential hourly load profiles for all TMY3 Locations in the United
theoretic approaches in smart grid,” in Proc. 2011 Int. Conf. Wireless States,” 2013.
Commun. Signal Process., 2011, pp. 1–4. [48] D. J. Olsen et al., “Grid integration of aggregated demand response, Part 1:
[24] Y. Zhu, J. Yan, Y. Sun, and H. He, “Revealing cascading failure vulnera- Load availability profiles and constraints for the western interconnection,”
bility in power grids using risk-graph,” IEEE Trans. Parallel Distrib. Syst., Lawrence Berkeley Nat. Lab., Berkeley, CA, USA, LBNL - 6417E, 2013,
vol. 25, no. 12, pp. 3274–3284, Dec. 2014. p. 101.
[25] M. Ouyang, L. Duenas-Osorio, and X. Min, “A three-stage resilience [49] K. T. P. Centolella , M. Farber-DeAnda, and L. A. Greening, “Estimates
analysis framework for urban infrastructure systems,” Struct. Saf., of the value of uninterrupted service for the mid-west independent sys-
vol. 36–37, pp. 23–31, 2012. tem operator,” Harvard Elect. Policy Group, Harvard Kennedy School
[26] K. Liu and Q. Zhao, “Dynamic intrusion detection in resource-constrained Government, Cambridge, MA, USA, 2010, pp. 1–49.
cyber networks,” in Proc. IEEE Int. Symp. Inf. Theory Proc., 2011,
pp. 970–974.
[27] M. Zhu, Z. Hu, and P. Liu, “Reinforcement learning algorithms for adap-
tive cyber defense against heartbleed,” in Proc. 1st ACM Workshop Moving
Target Defense, 2014, pp. 51–58.
[28] Ponemon Institute, “2016 cost of data breach study: Global analysis,”
Ponemon Inst. Res. Rep., Traverse City, MI, 2016. Matthew David Smith received the B.S. degree in
[29] P. Henry, J. Williams, and B. Wright, “The SANS survey of digital foren- physics from the Massachusetts Institute of Tech-
sics and incident response,” SANS Whitepaper, 2013. nology, Cambridge, MA, USA, in 2006, the M.S.
[30] U.S. Department of Defense, Arlington, VA, USA, “The DoD cyber strat- degree in electrical engineering from the University
egy,” 2015, p. 42. of Southern California, Los Angeles, CA, USA, in
[31] “Second cyberspace weapon system reaches full operational capabil- 2010, and the Ph.D. degree in management science
ity status,” 24th Air Force, Air Force Space Command Public Affairs, and engineering from Stanford University, Stanford,
Colorado Springs, CO, USA, 2016. CA, in 2017.
[32] R. Deng, Z. Yang, M. Y. Chow, and J. Chen, “A survey on demand response He is currently serving as an Operations Research
in smart grids: Mathematical models and approaches,” IEEE Trans. Ind. Officer with the U.S. Army, and since 2006 has been
Informat., vol. 11, no. 3, pp. 570–582, Jun. 2015. serving in a variety of assignments in the Army’s in-
[33] U.S. Energy Information Administration, Washington, DC, USA, “Elec- telligence and research and development communities. His research interests
tricity detailed survey data files,” 2015. include the application of mathematical tools and engineering models to en-
[34] California Energy Commission, Energy Almanac, Sacramento, CA, USA, hance the resilience of cyber-physical systems against cyber threats.
“2015 energy supply plans,” 2015.
[35] L. Jimenez, J. Potter, and S. George, “SmartPricing options interim eval-
uation,” SMUD, Sacramento, CA, USA, 2013.
[36] C. Grigg and P. Wong, “The IEEE reliability test system -1996 a report
prepared by the reliability test system task force of the application of
probability methods subcommittee,” IEEE Trans. Power Syst., vol. 14, M. Elisabeth Paté-Cornell received the B.S. degree
no. 3, pp. 1010–1020, Aug. 1999. in mathematics and physics from the University of
[37] D. S. Kirschen, Fundamentals of Power System Economics. Chichester, Marseille, Marseille, France, in 1968, the M.S. de-
U.K.: Wiley, 2004. gree in computer science and applied mathematics
[38] M. Hummon et al., “Grid integration of aggregated demand response, from the University of Grenoble, Grenoble, France,
Part 2: Modeling demand response in a production cost model,” National in 1970, and the M.S. degree in operations research
Renewable Energy Laboratory, Golden, CO, USA, Tech. Rep. DE-AC36- and the Ph.D. degree in engineering-economic sys-
08GO28308, 2013. tems from Stanford University, Stanford, CA, in 1972
[39] H. G. Kwag and J. O. Kim, “Optimal combined scheduling of generation and 1978, respectively.
and demand response with demand resource constraints,” Appl. Energy, She is the Burt and Deedee McMurtry Professor
vol. 96, pp. 161–170, 2012. with the School of Engineering and a Professor and
[40] A. Lee, “Electric sector failure scenarios and impact analyses,” NESCOR Founding Chair (2000–2011) with the Department of Management Science and
Technical Working Group 1, Elect. Power Res. Inst., Palo Alto, CA, USA, Engineering, Stanford University. Her specialty is engineering risk analysis with
2013. application to complex systems (space, medical, offshore oil platforms, etc.).
[41] K. J. Soo Hoo, “How much is enough: A risk management approach to She has authored more than 100 publications, and is the co-editor of Perspec-
computer security,” Stanford Univ., Stanford, CA, USA, Working paper, tives on Complex Global Problems (Wiley, 2016).
2000, pp. 104–104. Dr. Paté-Cornell is a member of the National Academy of Engineering and
[42] “Lawmakers look to ‘dumb down’ smart grid,” The Hill, 2015. the French Académie des Technologies. She was a member of the President’s
[43] J. B. Klein, “The use of heat rates in production cost modeling and Foreign Intelligence Advisory Board from December 2001 to 2008, and of the
market modeling,” Elect. Anal. Office, California Energy Commission, board of the Aerospace Corporation (2004–2013) of Draper Laboratory (2009–
Sacramento, CA, USA, 1998, pp. 1–124. 2016), and of InQtel (2006–2017).