Experimental Evaluation of Cyber Attacks on

Automatic Generation Control using a CPS Security

Testbed
Aditya Ashok, Pengyuan Wang, Matthew Brown, Manimaran Govindarasu
Department of Electrical and Computer Engineering
Iowa State University
Ames, IA 50011, USA.
Email: aashok, pywang, mrbrown, [email protected]

Abstract—Cyber-Physical Security Testbeds serve as valuable applications they provide through a layered defense approach
experimental platforms to implement and evaluate realistic, [3]. It is critical to develop attack-resilient algorithms for the
complex cyber attack-defense experiments. Testbeds, unlike tra- critical applications that look beyond traditional information
ditional simulation platforms, capture communication, control
and physical system characteristics and their interdependencies and infrastructure security by leveraging and correlating cyber
adequately in a unified environment. In this paper, we show how and physical system information to detect measurement or
the PowerCyber CPS testbed at Iowa State was used to implement control manipulations, which could otherwise go undetected.
and evaluate cyber attacks on one of the fundamental Wide-Area Wide-Area Monitoring, Protection and Control (WAMPAC)
Control applications, namely, the Automatic Generation Control applications like State Estimation (SE), Automatic Generation
(AGC). We provide a brief overview of the implementation of
the experimental setup on the testbed. We then present a case Control (AGC), and Remedial Action Schemes (RAS) are
study using the IEEE 9 bus system to evaluate the impacts of critical to the reliability and stability of the bulk power
cyber attacks on AGC. Specifically, we analyzed the impacts system. These applications rely on wide-area measurement
of measurement based attacks that manipulated the tie-line information from SCADA infrastructure to provide situational
and frequency measurements, and control based attacks that awareness (SE), generation/load balance (AGC), prevention
manipulated the ACE values sent to generators. We found that
these attacks could potentially create under frequency conditions of disturbance propagation (RAS). The critical nature of the
and could cause unnecessary load shedding. As part of future measurement and control data that is being exchanged in
work, we plan to extend this work and utilize the experimental these applications highlights the need to secure them against
setup to implement other sophisticated, stealthy attack vectors different types of cyber attacks [4]–[6].
and also develop attack-resilient algorithms to detect and mitigate Cyber-Physical Security Testbeds address the need of pro-
such attacks.
viding realistic test environments to perform complex cyber
I. I NTRODUCTION attack-defense experiments by providing a hybrid combination
of simulated, emulated and real cyber-physical components.
As the electric power grid evolves into a Smart Grid to pro- Testbeds, unlike traditional simulation platforms, capture com-
vide a reliable, secure and resilient electricity transmission and munication, control and physical system characteristics and
distribution system, the dependence on cutting edge automa- their interdependencies adequately in a unified environment.
tion and networking technologies has increased tremendously. Testbed based research spans a broad range of topics from
The advent of high accuracy, time synchronized, high data- vulnerability assessment, impact analysis to development of
rate synchrophasor measurements and other modern substation counter-measures, etc., [6].
automation systems over the grid, which are deployed to The main objective of this paper is to show a case study
monitor, control and protect the power grid, has resulted in of how cyber-physical security testbeds can be leveraged to
increased network connectivity and consequently, increased implement and evaluate various types of cyber attacks on
the potential attack surface. Several government reports in WAMPAC applications like the AGC. The remainder of the
the recent past acknowledge the fact that the Supervisory paper is organized as follows. Section 2 identifies relevant
Control and Data Acquisition (SCADA) systems that are used literature about similar CPS testbeds. Section 3 discusses about
to monitor and control the power grid are constant targets the different types of cyber attacks on AGC. Section 4 provides
of sophisticated cyber attacks every day [1], [2]. They also an overview of the implementation of the experimental setup
identify the need to develop intelligent countermeasures to that was used to evaluate cyber attacks on AGC. Section 5
secure SCADA infrastructure elements and the fundamental provides a detailed case study using the IEEE 9 bus system to
Acknowledgement: This research is funded by National Science Foundation show the impacts of different attack scenarios on AGC. Section
award #s: ECCS 1202542, CNS 1329915. 6 provides conclusions and directions for future work.

978-1-4673-8040-9/15/$31.00 ©2015 IEEE

Authorized licensed use limited to: ULAKBIM UASL - Afyon Kocatepe Universitesi. Downloaded on December 04,2021 at 11:15:44 UTC from IEEE Xplore. Restrictions apply.
 II. R ELATED WORK balancing areas, and frequency measurements to compute
There has been a lot of recent work in the development of the Area Control Error (ACE) values, which are generator
security testbeds to perform a variety of research and experi- corrections to ensure generation-load balance and economic
mental validation pertaining to power grid cyber security. One operation. The AGC algorithm runs every 2-4 seconds typ-
of the foundational efforts was the National SCADA Testbed ically at each balancing area (BA), where ACE corrections
(NSTB), which is a collaborative project across multiple are computed for each area generators on AGC. The ACE is
national labs where actual power system and cyber system calculated based on two terms, one depending on the deviation
components were used to perform vulnerability assessments of actual tie-line power flows (Pact ) and scheduled tie-line
and impact analysis studies [7]. Sandia National Laboratory power flows (Psch ) between adjacent areas, the second one is
has the Virtual Control System Environment (VCSE) testbed based on the deviation of the overall system frequency from
that integrates a combination of simulated, emulated and the nominal frequency (60 Hz). β is the frequency bias factor
physical system components to realize a cyber-physical testbed (MW/Hz), which varies for each balancing area and represents
[8]. The University of Illinois hosts the Virtual Power System its obligation to support overall grid frequency.
Testbed (VPST) which also consists of a mix of simulated,
emulated and physical components to perform cyber secu-
rity research that includes vulnerability assessments, protocol
testing and research validation [9]. The University College,
Dublin also consists of a SCADA testbed which is used
to perform experiments on intrusion detection and anomaly
detection related to power grid cyber security [10]. Mississippi
State University consists of a SCADA security testbed, which
is used to perform intrusion detection and security testing of
phasor measurement units and data concentrators [11].
The PowerCyber testbed at Iowa State University is a
similar testbed compared to the other testbeds mentioned
above [6]. The testbed consists of a hybrid mix of industry
grade SCADA hardware and software, emulators for wide-
area network routing and real-time power system simulators,
thereby providing high-fidelity, hardware-in-the-loop, cyber-
physical testbed environment for cyber security research and Fig. 1. Overview of AGC algorithm
experimental validation studies.
The PowerCyber testbed has been leveraged to perform vul- Figure 1 shows how the AGC algorithm depends on wide-
nerability assessment of SCADA devices, and communication area network for receiving the measurements and also sending
protocols, impact analysis of coordinated attack scenarios and the control commands back to the generators. Therefore, it is
also to validate existing research that develops various ap- vulnerable to data manipulation either in the measurement or
plication specific countermeasures. Recently, the PowerCyber the control direction. ’T’ and ’F’ represent the tie-line flow and
testbed was linked with the DETER testbed at the University frequency measurements that are sent to the control center of
of Southern California to demonstrate a federated, coordinated each BA, where the AGC algorithm computes the ACE values
cyber attack/defense experiment at the Smart America Chal- for each generator taking part in AGC. It is to be noted that
lenge in Washington, D.C. [12]. In this paper, we describe in each area some generators may not take part in AGC and
how the PowerCyber testbed has been used to implement and may operate with a fixed loading depending on schedules.
evaluate various types of cyber attack scenarios on the AGC. Conceptually, the AGC algorithm can be impacted by at-
tacks on measurements or control data. Measurement based
III. C YBER ATTACKS ON AGC attacks involve a modification of the tie-line and frequency
The previous section briefly described the research efforts measurements causing an incorrect computation of the ACE
that have been carried out using other similar CPS security values for each area generators. Sridhar et al. show how such
testbeds. Also, the PowerCyber CPS security testbed was an attack can cause impacts on the power grid frequency and
introduced. In this section, we provide a quick overview of affect generation load balance in [5]. Further, the paper also
the AGC algorithm, and then discuss how different types of identifies how a stealthy attacker can manipulate the tie-line
cyber attacks impact the AGC, and consequently, the power measurements and frequency measurements consistently based
system frequency and load. on some knowledge about the underlying power system. In
The Automatic Generation Control (AGC) algorithm is the [13], the authors extend upon their earlier work to analyze the
only wide-area control application that is completely auto- impact of such attacks in more detail and developed a model-
mated, i.e. no operator in the loop to make control decisions. based anomaly detection algorithm along with attack-resilient
The AGC algorithm relies on wide-area measurement data, AGC algorithm.
namely, the tie-line power flow measurements between the Control attacks are attacks where the attacker manipulates

Authorized licensed use limited to: ULAKBIM UASL - Afyon Kocatepe Universitesi. Downloaded on December 04,2021 at 11:15:44 UTC from IEEE Xplore. Restrictions apply.
 the ACE corrections that are sent out to each generator in power system to analyze the impacts of both measurement
the BA. In this type of attack, the attacker tries to steer the and control attacks on the AGC algorithm.
system’s generation towards a certain operating condition, for
example, creating constant generation ramp down eventually
leading to an under frequency load shedding condition. The
impact of such an attack can be quantified as lost load or in
some cases as uneconomic generation dispatch, if the attacker
changes individual generator set-points to control how each
generator in a BA ramps up/down.
IV. E XPERIMENT I MPLEMENTATION ON THE
P OWER C YBER T ESTBED

Fig. 3. IEEE 9 bus power system with 3 Balancing Areas

Figure 3 shows the IEEE 9-bus model split into three BA’s
for the purpose of AGC implementation. Each area contains
one generator and one regional load. The scheduled tie-line
flows are set to the initial power flow distribution values.
Out of the three BA’s, we show all the attack scenarios
with AGC actions and load changes associated with only one
Fig. 2. Experiment Implementation on PowerCyber Testbed (Area 1). Similar to real-world implementations, if the AGC
fails to bring system frequency back to the normal level, we
Figure 2 shows how the experimental setup has been imple- have implemented Under Frequency Load Shedding (UFLS)
mented on the PowerCyber testbed. The power system model scheme and generator low frequency protection according
was configured to run on the RTDS, and the tie-line and to the frequency drop. When frequency goes below 59.8Hz,
frequency measurements were configured to be transmitted 20MW out of the total load will be shed as the first block in
from the RTDS to the control center through the DNP3 UFLS scheme. When it is below 59.6Hz, another 10MW will
protocol, similar to real-world implementations. At the control be shed as part of second block in UFLS scheme implemented.
center, the tie-line power flow and frequency measurements
are periodically polled from the outstations (RTDS) or the A. Attack scenarios
RTU’s and then the AGC algorithm is periodically triggered to
We have implemented two attack strategies to analyze the
compute the ACE values for the generators in the model. Once
performance of AGC under different attacks.
the values are computed, these are fed back to the outstations,
• Measurement attacks: This attack targets the tie-line flow
in our case the RTDS again through the same DNP3 protocol.
Based on the ACE values, the generators ramp up/down for and frequency measurements, i.e. measurements PL45,
the load changes in the power system model. PL69 and the system frequency being sent to the control
The attack vector that has been implemented is a classic center. In this paper, we show a scenario where the
man-in-the-middle (MITM) attack, where the attacker sits attacker modifies the measurements by adding a random
in between the control center and the substations, which is offset, though other complex attacks can also be easily
achieved through ARP poisoning. We implemented the MITM implemented.
• Control attacks: This attack targets the ACE value after
through the use of Scapy tool [14], which is a interactive
packet manipulation program written in python and has several it’s sent out from AGC algorithm and before it arrives at
libraries to perform forging or decoding of packets of several the substation, i.e. the ACE values to generator 1. In this
network protocols and retransmitting them. Using this tool, we paper, we show a scenario where the attacker modifies
implemented both the control attacks (orange lightning bolt) the sign of the ACE value leading to ramping up for load
and measurement attacks (red lightning bolt), where either the decrease and vice-versa.
ACE values or the tie-line and frequency measurements were
B. Experimental results
manipulated to demonstrate different types of attacks.
Figure 4 and Figure 5 show the load profile in BA 1, and
V. C ASE STUDY USING IEEE 9 BUS POWER SYSTEM the corresponding frequency profile with only the governor
In the previous section, we described how the experimental control (no AGC) and with the AGC algorithm respectively.
setup had been implemented to perform different attacks. In The top subplot shows the load profile and it keeps changing
this section, we present a case study using the IEEE 9 bus with time. We simulated the load profile in Area 1 with 4

Authorized licensed use limited to: ULAKBIM UASL - Afyon Kocatepe Universitesi. Downloaded on December 04,2021 at 11:15:44 UTC from IEEE Xplore. Restrictions apply.
 different levels which are 40, 60, 90 and 110 MW. In our case Control attacks: Figure 6 shows the scenario where control
study, we executed the AGC algorithm once every 4 seconds. commands are attacked, i.e. the ACE value going to the
From Figure 4, we can see clearly that following a load generator is manipulated by the attacker. In this case, the attack
change the system frequency either increases or decreases and sends ramping commands to the generator in the opposite
does not return to the nominal frequency (60 Hz). It can be direction when compared to actual ACE values, i.e. ramp down
seen clearly that when the load level in Area 1 is at 90 MW, for ramp up and vice versa. The top subplot shows the total
the frequency is at 60 Hz, as this is the base point operating load in Area 1, the middle subplot shows the frequency and the
condition and for any other load level the frequency is either bottom subplot shows the generator output in BA1. We have
above (load <90 MW) or below (load > 90 MW). shown the important events in the plots through the numbered
The bottom subplot in Figure 5 shows the system frequency red dots. Dot 0 indicates the normal load change from 90 MW
response to the load changes with the AGC algorithm imple- to 110 MW, which is picked up by Area 1 generator.
mented in Area 1. In this subplot, we can see that the system As the AGC algorithm computes the ACE values for this
frequency tries to get back to the nominal value after load load change, the normal control action would have been to
change. If there is no load change for a sufficiently long time, ramp up the generation and improve the frequency. Dot 1
we can clearly see that the system frequency is at nominal indicates the start of the attack, where in we can see the change
frequency due to AGC. in generator power and system frequency immediately. With
the control attack described above (flipping the ACE signal),
the frequency continues to decrease. When it goes below
59.8Hz, 20MW load is shed (Dot 2). As time progresses, the
frequency worsens and another 10MW load will be dropped
when frequency goes to 59.6Hz (Dot 3). The system frequency
stays slightly above 59.6 Hz after the load drop and stays there
as the attacker then sends zero ACE values to the generators
until the end of the attack (Dot 4). After the attack ends, the
real ACE values steer the frequency and tie-line flow back to
nominal values immediately.

Fig. 4. Load change and frequency - Without AGC

Fig. 6. Generation, Load, Frequency during control attacks

Fig. 5. Load change and frequency - With AGC Measurement attacks: Figure 7 shows the scenario where
the tie-line flow and frequency measurements are manipulated

Authorized licensed use limited to: ULAKBIM UASL - Afyon Kocatepe Universitesi. Downloaded on December 04,2021 at 11:15:44 UTC from IEEE Xplore. Restrictions apply.
 by the attacker. In this case, the ACE values are determined work done by other similar testbeds, and briefly introduced
by the based on the incorrect measurements which contain a the PowerCyber testbed. We described two attack vectors
constant offset. Similar to the previous case, the key events and how these cyber attacks impact the AGC algorithm and
are indicated by the red dots. In this scenario, the load level consequently, the power system frequency and load. We also
increases from 90 MW to 110 MW (Dot 0). After the attack explained the implementation of the experimental setup on the
starts (Dot 1), instead of forwarding the real measurements PowerCyber testbed. We performed a case study of two types
corresponding to 110 MW load level, the fake measurements of cyber attacks, namely, measurement and control attacks and
are sent to AGC which are actually replayed measurements showed their impacts on system frequency and load.
when load level is 40 MW. Though the attack scenarios described in this paper are rel-
After AGC algorithm is run, a positive ACE value will be atively simplistic, the main intent of this paper was to describe
sent to ramp down the generator so that the frequency goes the implementation architecture of the experimental setup and
even lower. This can be clearly seen in the bottom subplot, show proof-of-concept attack scenarios as an evaluation. We
where the output of generator 1 falls steeply due to the ACE plan to extend the basic attack scenarios described in this paper
values computed for tie-line flow and frequency measurements to develop more complex attack scenarios. We would also
corresponding to a load level of 40 MW. Therefore, abruptly work on implementing and evaluating attack-resilient control
the frequency drops and eventually 20MW load will be shed algorithms on the testbed that can detect and mitigate complex,
after frequency is below 59.8 Hz (Dot 2). After the load stealthy attack vectors such as the ones described in [13].
shedding, the attacker denies the measurements from reaching
R EFERENCES
the control center. Consequently, the frequency stays slightly
above 59.8 Hz following the load drop until the attack ends [1] High-Impact, Low-Frequency Event Risk to the North American Bulk
Power System, Jointly-Commissioned Summary Report of the North
(Dot 3). Once the attack is over the system frequency will American Electric Reliability Corporation and the U.S. Department of
recover after next cycle of AGC control. Energy, Nov. 2009.
[2] NERC Critical Infrastructure Protection Committee (CIPC) Cyber At-
tack Task Force (CATF) Update, North American Electric Reliability
Corporation (NERC), Dec. 2011.
[3] U.S Department Of Homeland Security - Control Systems Security
Program), “Recommended Practice: Improving Industrial Control
Systems Cybersecurity with Defense-In-Depth Strategies,” October
2009. [Online]. Available: https://ics-cert.us-cert.gov/sites/default/files/
recommended practices/Defense in Depth Oct09.pdf
[4] A. Ashok and M. Govindarasu, “Cyber attacks on power system state
estimation through topology errors,” in Power and Energy Society
General Meeting, 2012 IEEE, july 2012, pp. 1 –8.
[5] Sridhar, S. and Govindarasu, M., “Data integrity attacks and their
impacts on SCADA control system,” in Power and Energy Society
General Meeting, 2010 IEEE, july 2010, pp. 1 –6.
[6] A. Hahn, A. Ashok, S. Sridhar, and M. Govindarasu, “Cyber-physical
security testbeds: Architecture, application, and evaluation for smart
grid,” Smart Grid, IEEE Transactions on, vol. 4, no. 2, pp. 847–855,
2013.
[7] National SCADA Test Bed: Fact Sheet, Idaho National Laboratory (INL),
2007.
[8] Michael J. McDonald, Gregory N. Conrad, Travis C. Service, Regis
H. Cassidy, SAND2008-5954: Cyber Effects Analysis Using VCSE,
Promoting Control System Reliability, Sandia National Laboratories,
September 2008.
[9] David C. Bergman, Dong Jin, David M. Nicol, Tim Yardley, “The Virtual
Power System Testbed and Inter-Testbed Integration,” 2nd Workshop on
Cyber Security Experimentation and Test, August 2009.
[10] J. Hong, S.-S. Wu, A. Stefano, A. Fshosha, C.-C. Liu, P. Gladyshev, and
M. Govindarasu, “An intrusion and defense testbed in a cyber-power
system environment,” in Power and Energy Society General Meeting,
2011 IEEE, Jul. 2011.
[11] B. Reaves and T. Morris, “An open virtual testbed for industrial
control system security research,” International Journal of Information
Security, vol. 11, no. 4, pp. 215–229, 2012. [Online]. Available:
http://dx.doi.org/10.1007/s10207-012-0164-7
Fig. 7. Generation, Load, Frequency during measurement attacks [12] Govindarasu, M. and Benzel, T. and Hahn, A., “Smart Energy CPS -
CPS Security Testbed Federation for Coordinated Cyber Attack/Defense
Experimentation,” June 2014. URL: http://smartamerica.org/news/iowa-
state-researchers-to-demonstrate-cyber-physical-security-testbed-for-
VI. C ONCLUSION AND F UTURE D IRECTIONS power-grid-at-smartamerica-challenge-expo/.
In this paper, we showed how cyber-physical security [13] S. Sridhar and M. Govindarasu, “Model-based attack detection and miti-
gation for automatic generation control,” Smart Grid, IEEE Transactions
testbeds can be leveraged to implement realistic cyber attacks on, vol. 5, no. 2, pp. 580–591, March 2014.
on critical WAMPAC applications like the AGC and analyze [14] , “Scapy - An interactive packet manipulation program,” 2014. [Online].
the impacts of such attacks. Specifically, we looked at related Available: http://www.secdev.org/projects/scapy/

Authorized licensed use limited to: ULAKBIM UASL - Afyon Kocatepe Universitesi. Downloaded on December 04,2021 at 11:15:44 UTC from IEEE Xplore. Restrictions apply.