Impact of Cyber Attacks on High Voltage DC Transmission Damping Control

Hybrid AC/HVDC (AC-HVDC) grids have evolved to become huge cyber-physical systems that are vulnerable to cyber attacks because of the wide attack surface and increasing dependence on intelligent electronic devices, computing resources and communication networks. This paper, for the first time, studies the impact of cyber attacks on HVDC transmission oscillation damping control. Three kinds of cyber attack models are considered: timing attack, replay attack and false data injection attack. Followed by a brief introduction of the HVDC model and conventional oscillation damping control method, the design of three attack models is described in the paper. These attacks are tested on a modified IEEE New England 39-Bus AC-HVDC system. Simulation results have shown that all three kinds of attacks are capable of driving the AC-HVDC system into large oscillations or even unstable conditions.


Motivation
High voltage direct-current (HVDC) power transmission systems are becoming popular in modern electric grids, which are faced with increasing power demands and already strained AC transmission lines [1]. HVDC is able to deliver renewable generation to the main grid more efficiently and transfer bulk power between unsynchronized AC transmission systems. It also can be used for additional services other than bulk power transfers, such as damping power system inter-area oscillation [2]. At the same time, AC-HVDC grids have evolved to become huge cyber-physical systems (CPSs) that are vulnerable to cyber attacks because of the wide attack surface and increasing dependence on intelligent electronic devices, computing resources and communication networks [3,4]. The security and stability of AC-HVDC transmissions against cyber-attacks are essential to modern electric power systems.

Literature Survey
The application of a DC line to provide power system stabilization was being considered almost as soon as HVDC became practical. The intrinsic reason for power system inter-area oscillation is the real power unbalance, which could be mitigated by modulating the transferred power on the HVDC lines. In the early stage of HVDC, it was used to damp inter-area oscillations by modulating the DC power flow in proportion to the frequency difference between the two ends of the line [5]. Some real-world tests were performed on actual power systems to validate the system model with the design of a modulation function for HVDC transmissions [6,7].
The last several decades have witnessed rapid advances in AC-HVDC power systems because of the pervasive use of information and communication technologies. With the development of attack and false data injection attack (FDIA). The three major cyber attack models were introduced and designed to jeopardize the performance of the HVDC oscillation damping controller. Well-constructed attacks are implemented and tested on the HVDC link in a modified IEEE New England 39-Bus AC-HVDC system. The contribution of this paper comes from two aspects: (1) it is the first time the cyber-security issue has been studied for HVDC damping controls; (2) we have proven that all three major cyber attack models are capable of driving an AC-HVDC system into unstable conditions if attackers have careful attack plans and necessary knowledge of the power system.

Organization of Paper
The remaining parts of this paper are organized as follows. Section 2 briefly introduces the HVDC system model and power oscillation damping controls. In Section 3, the three cyber attacks and model constructions are discussed. Section 4 describes the simulation overview and the test system. Section 5 presents the simulation results. Finally, conclusions are reported in Section 6.

HVDC Models
A diagram of a two-terminal LCC-HVDC system is shown in Figure 1. It consists of a controlled rectifier and inverter at the respective terminals, both of which are fed from tap-changing transformers. The DC line models are represented by a T-equivalent as [32]: where $R_{dc}$, $C_{dc}$, $L_{dc}$ and $V_c$ are the equivalent DC line resistance, capacitance, inductance and DC voltage, $V_{dc,rec}$ and $V_{dc,inv}$ are the voltage at the rectifier and inverter and $I_{dc,rec}$ and $I_{dc,inv}$ are the DC currents. The active and reactive power of the HVDC converter can be obtained as follows:

$$Q_{ac} = P_{ac} \times \tan\left[\arccos\left(\frac{\cos(\alpha) + \cos(\pi - \gamma)}{2}\right)\right] \qquad (5)$$

where $\alpha$ and $\gamma$ are the firing and extinction angles of the converters.

Conventional HVDC Oscillation Damping Control
The inter-area oscillations, which occur as groups of generators can move together against other groups of generators, are detrimental to the system stability and prevent the maximum power transfer on the tie-lines. Severe oscillations may even trip the generators and cause cascade failures in the system. Because the power flow over HVDC links can be controlled independently of the phase angle between the source and load, HVDC has been recognized as an effective way for the mitigation of inter-area oscillations of interconnected power systems, which in turn would improve system reliability.
There are many HVDC damping control schemes that have been proposed in the literature, and some of them have been implemented in the real world [6,33]. In this work, the implemented HVDC damping controller is based on a prototype using the real-time PMU measurements in [33]. This controller represents the most conventional method in the real world, and it has been installed on the west-coast Pacific DC Intertie (PDCI) to modulate real power. The control logic is based on the frequency difference at the PDCI terminals. The frequency difference is obtained by passing signals of the electrical angle difference from PMUs through a derivative filter. Figure 2 represents the typical damping controller for HVDC transmission. When the HVDC is operating at steady state and there is no oscillation, the frequencies at the terminals are the same. The change to transmitted power is zero, and the HVDC is working at the nominal states. When an inter-area oscillation occurs, the frequency difference at the HVDC terminals is non-zero and is amplified through a proportional gain [34]. The amplified signal is used as a feedback to modulate HVDC transmitted power and damp the oscillation. The feedback signal is calculated as follows: where $f_{rec}$ and $f_{inv}$ are the frequencies at the rectifier and inverter terminals of HVDC transmission, $K$ is the proportional gain and $P_{mod}$ is the modulation power.

Timing Attack
A timing attack is a kind of DoS attack that blocks the communication between data senders and receivers with an induced false time stamp [35]. In the wide-area monitoring system of electric grids, coordinated universal time among PMUs uses a common time reference from a global positioning system that has time-synchronization protocols, which could be attacked by either changing the time stamp or adding an intended delay for malicious purposes. Because the timing attack could only involve delaying messages, it would still be able to jeopardize the controllers even if synchronization messages are encrypted and/or authenticated [36]. In this study, it was assumed that attackers would intentionally delay the measurements received by the damping controller in Equation (6). Specifically, the attacker would change the time stamp and introduce an intended delay for the measurements from the remote terminal of the HVDC transmission.
The principle of timing attacks on the HVDC damping controller is shown in Figure 3. When the timing attack occurs, the two frequency signals are no longer synchronized. Apparently, the timing attacks would not work during normal operations since the frequencies at two terminals are both at nominal values. The changes to transmitted power are always zero regardless of the time delays. However, the time delay could generate large errors during system transients when the terminal frequencies are different. To study the impact of a timing attack on HVDC damping controls, transient events were simulated such that the inter-area oscillation modes were triggered and the damping controller started to modulate the transmitted power based on the frequencies at the two terminals. Different levels of timing attacks were constructed in the study.

Replay Attack
A replay attack is a special attack that maliciously repeats a valid data transmission to the signal receiver. A replay attack is realized in two steps. In the first step, a valid data transmission is monitored and recorded by the attacker. Then, the attacker maliciously replaces the transmitted data with pre-recorded data, which are sent repeatedly to the receiver [21]. Because the replayed data are valid messages that match the CPS, there is a high possibility that they could bypass the detection algorithms and successfully fool the receiver without being detected. To illustrate, denote the valid data $D_T(t)$ received by the HVDC controller during time $[t_1, t_2]$ as: where $T = t_2 - t_1$, $d(t)$ represents the instantaneous transferred data and $M$ is an indicator function with: The corrupted signals $d(t)$ that are repeatedly sent to the receiver are:

The principle of replay attacks on the HVDC damping controller is shown in Figure 4. To construct the replay attack model, the attacker should first get access to the valid signal that is sent to the HVDC controller. Then, a part of the valid signal is recorded by the attacker maliciously. Finally, the attacker will intercept the real-time valid signals that are being sent to the HVDC controller and replace them with the recorded signals. The recorded signals will be played repeatedly to fool the receiver of the HVDC controller. There are two options to apply the replay attack. The first option is to record the valid data during transient events and then replay the records during steady state operations; thus, the normal operation will be disturbed, and transient events are generated. The second option is to record the valid signals during steady state operations and then replay the records during transient events. In contrast to a timing attack, which can only work during transient events, the replay attack is suitable for any system status.
In this study, the above two options are studied with two simulation scenarios. In the first scenario, the frequency measurements at the HVDC remote terminal are recorded during a severe transient event and replayed during normal operations to the damping controller. The frequency differences between the rectifier and inverter change the transmitted power according to Equation (6), which could trigger the inter-area oscillation of the system and further disturb the operation of the damping controller. In the second scenario, the frequency measurements at the HVDC terminals are recorded when no system disturbances exist. Therefore, the recorded frequency difference at the two terminals is zero. The recorded data are sent to the HVDC controller during large system transient events, and therefore, the capability of using HVDC to damp inter-area oscillation is disabled.
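The timing and replay cases described in the two sections above, as an added open-loop example that is not from the paper. It assumes the proportional law P_mod = K (f_rec − f_inv) described in the text, a 60 Hz nominal frequency, the inverter as the remote terminal, and constructed values for the gain, swing frequency, amplitude and record lengths.

```python
"""Added example: effect of delayed or replayed inputs on the modulation signal."""
import math

F_NOM = 60.0   # nominal frequency in Hz (assumption)
K = 100.0      # proportional gain in MW per Hz (constructed value)
DT = 0.01      # sample period in s (constructed value)
N = 1000       # 10 s of samples


def transient(sign, f_mode=0.6, amp=0.05, decay=0.1):
    """Constructed terminal frequency during an inter-area swing."""
    return [F_NOM + sign * amp * math.exp(-decay * i * DT)
            * math.sin(2 * math.pi * f_mode * i * DT) for i in range(N)]


def steady():
    """Terminal frequency with no disturbance."""
    return [F_NOM] * N


def p_mod(f_rec, f_inv):
    """Proportional law described in the text: P_mod = K * (f_rec - f_inv)."""
    return [K * (a - b) for a, b in zip(f_rec, f_inv)]


def delayed(signal, delay_s):
    """Signal as the controller sees it when it arrives delay_s late."""
    n = round(delay_s / DT)
    return [signal[0]] * n + signal[:len(signal) - n]


def replayed(live, record, start_s):
    """Live signal with everything from start_s on replaced by a tiled record."""
    s = round(start_s / DT)
    return live[:s] + [record[(i - s) % len(record)] for i in range(s, len(live))]


def peak(signal):
    return max(abs(v) for v in signal)


def timing_error(f_rec, f_inv, delay_s):
    """RMS deviation of P_mod caused by delaying the remote (inverter) signal."""
    honest = p_mod(f_rec, f_inv)
    late = p_mod(f_rec, delayed(f_inv, delay_s))
    return math.sqrt(sum((a - h) ** 2 for a, h in zip(late, honest)) / N)


def replay_during_steady_state():
    """Scenario 1: a transient record of the remote terminal fed to a quiet system."""
    record = transient(-1)[:500]           # constructed 5 s record
    return p_mod(steady(), replayed(steady(), record, 1.0))


def replay_during_transient():
    """Scenario 2: steady-state records of both terminals fed in during a swing."""
    record = steady()[:100]                # constructed 1 s record
    return p_mod(replayed(transient(+1), record, 0.0),
                 replayed(transient(-1), record, 0.0))


if __name__ == "__main__":
    print("steady state, 350 ms delay :", timing_error(steady(), steady(), 0.35))
    for d in (0.10, 0.35):
        err = timing_error(transient(+1), transient(-1), d)
        print(f"transient, {int(d * 1000)} ms delay   : {err:.2f} MW rms error")
    print("scenario 1 peak P_mod      :", round(peak(replay_during_steady_state()), 2))
    print("honest transient peak P_mod:",
          round(peak(p_mod(transient(+1), transient(-1))), 2))
    print("scenario 2 peak P_mod      :", peak(replay_during_transient()))
```

The delay produces no error at steady state and a growing error during the swing, while the two replay scenarios produce a spurious modulation signal and a zero modulation signal, respectively.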

False Data Injection Attack
An FDIA compromises measurements from the sensor network and adversely injects false data with errors to deceive the operators or controllers. Unlike the timing attack or replay attack that feeds the valid signal (although the timing is wrong or the signal is repeatedly played) to the HVDC damping controller, an FDIA assaults the integrity of measurements by replacing the true values with false ones, without being detected. Recent studies have shown that traditional authentication mechanisms cannot prevent an FDIA if a certain number of sensor nodes are compromised [22]. In the power system, FDIA is an important type of cyber-attack that stealthily circumvents the regular bad data detection (BDD) process. A successful FDIA would cause the state estimator to send erroneous estimates of the measurements and operational states to the operators or controllers, thereby jeopardizing the normal operation of the power system.

The state estimation process in the power system is often simplified through DC power flow approximation. A general DC state estimation model is given as [37]:

$$z = Hx + e$$

where $z$ is the measurement from sensors, $x$ represents the system states, $e$ represents the measurement errors and $H$ is the Jacobian matrix of the system model. $Hx$ denotes the functional dependency between measurements and state variables. The state estimation process in the power system is intended to find the best estimates $\hat{x}$ of system states given all the measurements, which most of the time are redundant, from the sensor networks. $\hat{x}$ is usually computed using the weighted least square (WLS) method that finds the best solution for minimizing WLS errors by solving the optimization problem [38], where $W$ is the diagonal weight matrix $W = \mathrm{diag}\left(\frac{1}{\sigma_1^2}, \cdots, \frac{1}{\sigma_i^2}, \cdots\right)$ and $\sigma_i$ is the variance of the measurement errors associated with the $i$-th meter.
The solution of the optimization problem is: Raw measurements $z$ may contain some inaccurate or bad data because of sensor errors or large noise signals, which should be excluded from the state estimation process to assure the confidence level in the best state estimates $\hat{x}$. In power systems, the BDD process is used to eliminate the possible measurement errors. A common approach to detecting bad measurements is to test the largest normalized residual (LNR) and compare it with a preset threshold $\varepsilon$. If there are no bad data in the measurements, the LNR should be smaller than $\varepsilon$: Otherwise, the bad measurement will be detected if the LNR is larger than $\varepsilon$.

However, an FDIA could circumvent the BDD process if the attacker compromises a few sensors with careful planning and enough knowledge of the power system. In other words, an FDIA would inject false data into the state estimation process with LNRs smaller than $\varepsilon$. To construct an FDIA, the attacker needs to compromise the measurements with $z_{bad}$ so that the output of the state estimation process could be the expected false system states $\hat{x}_{bad}$: $\hat{x}_{bad} = \hat{x} + \beta$ where $\varphi$ and $\beta$ are the difference between the false values and the original correct values. If the attacker can compromise the measurements according to the relationship $\varphi = H\beta$, the BDD process could be successfully circumvented.

Proof: Assume Equation (12) is satisfied and there are no bad measurements in the system before the cyber attack. After the FDIA is applied, the solution of state estimation is as follows: Therefore, if the relationship $\varphi = H\beta$ is guaranteed, the new false values satisfy the state estimation process. Regarding the BDD process, the new LNR is as follows: The new LNR is still smaller than the threshold of the BDD process, thus an FDIA would successfully circumvent the BDD process if the attacker can compromise the sensor with the relationship $\varphi = H\beta$.
In this study, the FDIA was constructed to generate false data that circumvent the BDD process and inject false frequency data to the HVDC damping control.
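The residual argument above, worked numerically as an added example that is not code from the paper. The 4-meter, 2-state matrix H, the error scales, the threshold ε and all sample values are constructed, and normalizing each residual by σ_i is an assumption because the paper's LNR expression is not reproduced on this page.

```python
"""Added example: WLS state estimation with a residual-based bad data check."""

# Constructed DC model: 2 states, 4 meters. H, SIGMA, EPS and all sample
# values below are assumptions made for this example, not data from the paper.
H = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0], [1.0, 1.0]]
SIGMA = [0.01, 0.01, 0.02, 0.02]        # per-meter error scale
EPS = 3.0                               # BDD threshold on the LNR
Z_CLEAN = [1.004, 0.497, 0.506, 1.495]  # H x for x = [1.0, 0.5], plus small e
BETA = [0.2, -0.1]                      # state offset beta


def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def h_times(x):
    """Return the measurement vector H x."""
    return [sum(hij * xj for hij, xj in zip(row, x)) for row in H]


def wls_estimate(z):
    """x_hat = (H^T W H)^-1 H^T W z with W = diag(1 / sigma_i^2)."""
    w = [1.0 / s ** 2 for s in SIGMA]
    n, rows = len(H[0]), range(len(H))
    gain = [[sum(H[i][a] * w[i] * H[i][b] for i in rows) for b in range(n)]
            for a in range(n)]
    rhs = [sum(H[i][a] * w[i] * z[i] for i in rows) for a in range(n)]
    return solve(gain, rhs)


def largest_normalized_residual(z):
    """max_i |z_i - (H x_hat)_i| / sigma_i (this normalization is assumed)."""
    fitted = h_times(wls_estimate(z))
    return max(abs(zi - fi) / s for zi, fi, s in zip(z, fitted, SIGMA))


def bdd_passes(z):
    """Residual test: accept the measurement set when LNR < EPS."""
    return largest_normalized_residual(z) < EPS


def add(z, delta):
    return [zi + di for zi, di in zip(z, delta)]


if __name__ == "__main__":
    cases = {
        "clean z": Z_CLEAN,
        "z + phi with phi = H beta": add(Z_CLEAN, h_times(BETA)),
        "z + change on meter 1 only": add(Z_CLEAN, [0.2, 0.0, 0.0, 0.0]),
    }
    for name, z in cases.items():
        x_hat = [round(v, 4) for v in wls_estimate(z)]
        lnr = largest_normalized_residual(z)
        print(f"{name:28s} x_hat={x_hat} LNR={lnr:.3f} pass={bdd_passes(z)}")
```

The first two cases give the same LNR while the estimate shifts by β; the change confined to one meter pushes the LNR above ε.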

Test System and Simulation Overview
A modified IEEE New England 39-Bus system has been built to serve as the AC-HVDC test system, as shown in Figure 5. A 500-kV, 700-MW rated HVDC line was added between Buses 16 and 19, connecting the northeastern area with the southeastern area. The power flow direction is from south to north. To figure out the oscillation modes in this test system, a small-signal stability study is performed as follows [39].
The linearized model for the test system is expressed as: where $x_d$ are the perturbed system states, $v$ is the vector of the network bus voltages, $i_d$ is the current injection into the network, $\Delta$ is a prefix representing the perturbed value and $A_d$, $B_d$, $C_d$, $D_d$ are the system coefficient matrices. The interconnecting network is represented by the node equation: where $Y_N$ is the admittance matrix of the system. Therefore, the overall system state equation is formed by eliminating $\Delta v$ and $\Delta i_d$: $\dot{x}$ where $A_s$ is the complete system state matrix. The eigenvalues (with frequency between 0.1 and 1 Hz and a damping ratio less than 5%) of $A_s$ directly give the information about the oscillation modes. It is found that there are three low-frequency inter-area oscillation modes in the modified system, as summarized in Table 1. Apparently, Oscillation Mode 2 is the most severe one because the corresponding damping ratio is the smallest. Mode 2 represents the generator oscillation of the northern part of the system against the generators of the southern part. The added HVDC line is supposed to provide damping controls for Mode 2 to increase the overall stability of the system.

A schematic overview of the application of the timing attack, replay attack and FDIA on the HVDC damping controller is shown in Figure 6. The three cyber attacks are applied sequentially to the test system, and they are supposed to jeopardize the normal operation of the damping controller as discussed in Section 3. The simulation results are shown as follows.

Timing Attack Results
In this simulation case, the AC-HVDC system is operating normally at the beginning. At time 1.0 s, a temporary three-phase fault happens on Lines 23-36, and it is tripped 1.5 cycles later. The fault is cleared another two cycles later, and the line is reconnected. This event generates large transients and triggers inter-area oscillations in the system. The HVDC damping controller is working to damp the inter-area oscillation by changing the power transfer on the DC line. The timing attack starts to add intended delays to the input signals that are fed to the HVDC damping controllers. Figures 7 and 8 show the Bus 23 voltage magnitudes and machine 5-10 angle differences with respect to different levels of timing attacks (delays). When the delay is zero (no timing attack), the oscillation is damped very quickly. That means the HVDC damping controller is very effective at reducing the transients of inter-area oscillation and increases the overall system stability. When the timing attack starts and the intended delay is small (100 ms), the HVDC damping controller is still able to damp the oscillations, but it takes a longer period of time to drive the system back to the steady state. This means the HVDC damping controller can withstand a certain level of timing attacks. However, when the delay is very large (350 ms), the bus voltage drops greatly, while the machine angle difference increases greatly, and the system gradually loses stability until the simulation blows out. Therefore, the timing attack is able to drive the system into an unstable situation with a severe attack level.

Attack Occurs During Normal Operation
In this simulation case, the system is operating normally, and there is no fault event. To generate a replay attack, the frequency measurements at the HVDC remote terminal were recorded in advance during a severe transient event and replayed during normal operations to the damping controller. The recorded and replayed signals are shown in Figure 9. The black dashed curve represents some valid data of the HVDC remote side frequency during a historical transient event. The most severe transient information is recorded and played repeatedly by the attacker at time 1.0 s as the red solid curve. Note that the frequency values at the start and end points are identical, which helps reduce the chance of being detected when the same segment of the signal is repeatedly sent to the HVDC damping controller. The result of the machine 5-10 angle differences under this replay attack is shown in Figure 10. Although there is no fault event in the system, the replayed data cause large frequency differences between the rectifier and inverter terminals, which changes the transmitted power, triggers forced oscillations in the system and further disturbs the operation of the damping controller. As shown in Figure 10, several oscillation modes are triggered. The replay attack continuously impacts the HVDC damping controller adversely until the simulation blows out. Therefore, the replay attack is able to drive a steady state AC-HVDC system into transient and even adverse power system conditions with recorded data.

Attack Occurs During Transient Events
In this simulation case, the replay attack occurred when large transient events were generated in the AC-HVDC system. Before the simulation of the replay attack, the frequency measurements at the HVDC terminals were recorded in advance when no disturbances existed. Therefore, the frequency difference was zero, and the power modulation on the DC line was also zero. Then, at time 1.0 s, a temporary three-phase fault happens on Lines 21-16, and it is tripped 1.5 cycles later. The fault is cleared another two cycles later, and the line is reconnected. The HVDC terminal frequency during this large transient event should be deviating from the nominal value, which further generates modulation signals that drive the HVDC to damp the oscillations. However, the replay attack is applied when the fault occurs and the recorded steady-state frequency data are sent to the HVDC controller, disabling the oscillation damping capability.
The result of the machine 5-8 angle differences under this replay attack is shown in Figure 11. The black curve shows the expected angle difference if the replay attack is not applied and the HVDC damping controller is operating normally. It is found that the HVDC controller could effectively damp the oscillations and drive the system back to the steady state quickly. However, when the replay attack is applied and the HVDC damping controller is disabled, the large oscillations cannot be damped effectively. Therefore, the replay attack is able to disable the HVDC damping capability and adversely impact the system stability with the recorded steady state data.

FDIA Attack Results
In this simulation case, the AC-HVDC system is operating normally, and there is no fault event. At time 0.8 s, an FDIA is applied to the HVDC damping controller with injected false data. The injected false data fool the controller and make it think the frequency difference between the rectifier and inverter is very large. The damping controller reacts to the false input and changes the transmitted power, which triggers the inter-area oscillation in the system.
The results of the FDIA depend on the attack plan, the attacker's knowledge of the power system and the number of sensors that can be compromised. Figure 12 shows the machine 5-10 angle differences for a moderate FDIA situation, where only limited sensors were compromised. A large oscillation is generated by the FDIA, and several oscillation modes are triggered. However, the HVDC damping controller is able to gradually stabilize the system with the trends shown in Figure 12. This means the HVDC damping controller can withstand a certain level of FDIA attacks. The result of a more severe FDIA is shown in Figure 13, in which more sensors were compromised. As a consequence, severe oscillations are generated, and the system loses its stability. Therefore, the FDIA is able to affect the stability of the AC-HVDC system adversely and drive a steady state system into a large oscillation or an unstable situation.

Conclusions
This paper has described three kinds of cyber attacks: timing attack, replay attack and FDIA. The impact of cyber attacks on the HVDC oscillation damping control has been studied through simulations conducted on a modified IEEE 39-Bus AC-HVDC system. Results have shown that a timing attack would affect the system only during transient events, while the replay attack and FDIA are both able to adversely affect the system regardless of its operating status. The HVDC damping controller has been proven to be able to withstand low level cyber-attacks with certain robustness. However, with the necessary knowledge of the power system and careful attack plans, the malicious party could hack the power system and drive it into a large oscillation or unstable situations.
Future work includes the development of mitigation methods against cyber attacks on the AC-HVDC system, such as attack-detection algorithms and robust control schemes. More research will be performed regarding the application of cyber attacks to more HVDC lines and larger systems, as well as the design of benchmark test systems.
Author Contributions: R.F. and J.L. performed the simulations and prepared the manuscript. K.K. designed the attack models and provided the analysis of the results. M.E. reviewed conventional HVDC damping controllers and corrected the paper. All authors read and approved the submission.