
Replay attack on wind farms: using simulation to analyze solutions

Michael Rook

Master’s Thesis

MSc Technology and Operations Management

Supervisors: Dr. I. Bakir, Dr. E. Ursavas, Dr. M. Yildirim

S3476170

Faculty of Economics and Business University of Groningen


Abstract.


1 INTRODUCTION ... 1

2 LITERATURE REVIEW ... 3

2.1 WIND FARM CYBER THREAT ... 3

2.2 REPLAY ATTACK ON WIND FARMS ... 4

2.3 CYBERSECURITY AND REPLAY ATTACK DETECTION... 6

3 METHODOLOGY... 7

3.1 NOTATIONS ... 7

3.2 GENERAL SIMULATION MODEL ... 8

3.3 WIND TURBINE ... 9

3.4 REPLAY ATTACK ... 9

3.5 DETECTION ... 10

3.6 OUTPUT CALCULATION MODEL ... 12

4 EXPERIMENTAL DESIGN... 14

5 RESULTS AND DISCUSSION ... 15

5.1 BASELINE SITUATION... 15

5.2 SUCCESSIVE DETECTIONS ... 16

5.3 ATTACK LENGTH ... 18

5.4 WEATHER NOISE ... 19

5.5 STANDARD DEVIATION: CHART, χ2 AND T-TEST ... 20

6 CONCLUSION ... 21


1 Introduction

Looking at the list of European Union countries and their share of energy from renewable sources, The Netherlands is near the bottom of the list (Eurostat, 2017). However, the Dutch government has not been idle and has committed to improving its performance. Accordingly, the “energy agenda” (Rijksoverheid stimuleert duurzame energie, 2019) was created. Wind energy is a crucial part of this agenda, and offshore wind farms specifically have an increasingly important role. This is because the North Sea is a favorable place for wind turbines, due to its water depth, wind climate, and the good ports and (industrial) energy consumers in the area (Rijksoverheid, 2019). Wind energy in general is increasingly important. For instance, the United States is investing heavily in wind farms, aiming to obtain 20% of its electricity from wind energy by 2030 (20% Wind Energy by 2030: Increasing Wind Energy’s Contribution to U.S. Electricity Supply, 2008).

External parties try to damage the assets or disturb the production of wind energy with so-called “cyberattacks”. For instance, competitors in the energy market might disturb production in order to sell their own product, hackers might use ransomware to collect payments, or governments might disturb the power grid of a country for political reasons. Cyberattacks on modern power systems are not a new phenomenon, with notable examples like Stuxnet or CrashOverride (Krishna et al., 2018). Stuxnet is infamous for the attack on a uranium enrichment plant in Natanz (Zetter, 2014). The computer worm caused multiple centrifuges (used to enrich uranium gas) to fail at unprecedented rates, drastically decreasing the total production of the plant. Furthermore, Stuxnet caused computers at the plant to crash and reboot repeatedly. CrashOverride, on the other hand, is infamous for the attack on the power grid of Kiev, blacking out a fifth of the power capacity of Kiev (for about an hour). Greenberg (2017) mentions that this malware can automate mass power outages. The adaptability of the malware is also a threat to other power grids all over the world. The threat to wind farms, however, largely concerns attacks on control systems (Zhang, Xiang and Wang, 2017). Due to physical constraints or technological limitations of said control systems, the data traveling through the system is often poorly protected and susceptible to cyberattacks (Wang et al., 2016). This enables attackers to shut down turbines or to decrease production. As wind energy control systems develop, so do the system vulnerabilities and the potential for cyberattacks (Zhu and Martinez, 2014; Boyd, 2019).


The security types are prevention and detection, where the former includes tools like encryption and timestamps (Bou-Harb et al., 2013; Kaspersky, 2019), and the latter includes tools like deviation controllers (Hao et al., 2015). The literature mostly focuses on prevention rather than detection. The attack types are command attacks and data attacks, where the former is focused on sending direct commands to entities (e.g. turn off), and the latter is focused on falsifying the data used in control systems. Researchers have extensively studied and simulated command attacks on wind farms (Yang et al., 2011; Staggs, Ferlemann and Shenoi, 2017; Zabetian-Hosseini, Mehrizi-Sani and Liu, 2018). The research on data attacks, which is scarce and shallow, generally discusses Denial of Service (DoS), false data injection, and replay attacks (Zhu and Martinez, 2014; Wang et al., 2016; Ding et al., 2018). Especially the latter is inadequately addressed (Mo, Chabukswar and Sinopoli, 2014). This is notable, as a replay attack is considered the easiest to carry out, yet the hardest to detect. With a replay attack, an attacker injects previously recorded data into a system to trip its control. The literature on replay attacks assumes a simple and predictable system (Mo, Chabukswar and Sinopoli, 2014; Zhu and Martinez, 2014; Zhao, Wang and Yin, 2016). However, wind farm performance (e.g. power output) is reliant on weather data (e.g. wind speed), which has much variance and uncertainty. The studies done are on stable systems, and their approach is therefore questionable.


section of this thesis contains the Conclusion, which refers back to the research question at hand, using the results to give an answer.

2 Literature review

This section reviews current literature relevant to this thesis and discusses the focus of this thesis. The first paragraph reviews cyberthreat and attack surfaces in general, vulnerabilities of wind farm control, categorization of cyberattacks, and current studies on specific attacks. The focus on replay attacks will be discussed, after which the second paragraph will discuss replay attacks in the context of wind farms. Finally, the third paragraph will discuss cybersecurity in general and for replay attacks specifically.

2.1 Wind farm cyber threat

A wind farm focuses on optimizing power production by configuring its wind turbines (e.g. yawing or pitching). Cyberattacks directly (command attack) or indirectly (data attack) try to misconfigure turbines, which leads to production losses (Knudsen, Bak and Svenstrup, 2015). Furthermore, the attacks cause events harmful to humans, system reliability degradation, and data integrity violation (Yang et al., 2011; Morris and Gao, 2013; Kang, Kim and Choi, 2019). Also, the digitalization of equipment leads to more cyber risks. Hence, secure control systems are necessary, where the goal is to prevent attacks or to detect them in time, so that the damage remains within a tolerable limit (Shi, Elliott and Chen, 2017). To design such systems, knowledge is needed on specific attacks and specific contexts, where the replay attack on wind farms is the focus of this thesis.


the vendor is infected, the attacker has full access as well. Digitizing sensors and actuators, which falls under the electronics category, enables attackers to access/target such components. Hence, attackers focus on humans, networks, and electronics to gain access to wind farm systems.

Cyberattacks can be divided into multiple categories (Morris and Gao, 2013; Kang, Kim and Choi, 2019). Generally speaking, however, there are command attacks and data attacks. In order to design secure control, this thesis argues that each attack should be studied separately. Command attacks on wind farms have been studied and simulated extensively (Yang et al., 2011; Staggs, Ferlemann and Shenoi, 2017; Zabetian-Hosseini, Mehrizi-Sani and Liu, 2018). Data attacks (replay attacks specifically) have been studied for generic control systems (Mo and Sinopoli, 2009; Mo, Chabukswar and Sinopoli, 2014; Zhu and Martinez, 2014), but not for a wind farm context. Hence, the literature on replay attacks is not specific.

A current concern is that the replay attack is inadequately addressed (Mo and Sinopoli, 2009), and that there is little literature on secure control under a replay attack (Wang et al., 2016). Obviously, the former causes the latter, but the lack of secure control literature can also be attributed to the absence of wind farm specific replay attack literature. The concern is remarkable, as it is often the goal of an attacker to make injected (fake) data look like real data, for which the replay attack is the easiest and best way to achieve this goal (Mo, Chabukswar and Sinopoli, 2014). A replay attack is very difficult to detect and passes examination of cryptographic keys (Mo and Sinopoli, 2009; Ding et al., 2018). Furthermore, this type of attack is common for attackers who have little system knowledge (Mo and Sinopoli, 2009; Mo, Chabukswar and Sinopoli, 2014; Wang et al., 2016). Hence, literature on wind farm control under replay attacks is inadequately addressed, but highly relevant. Therefore, this thesis will discuss the replay attack in the context of wind farms and provide specific attack scenarios.

2.2 Replay attack on wind farms


Thereafter, the collected data can be injected via several methods, such as resending, delaying, or modifying (Zhao, Wang and Yin, 2016; Zhang, Xiang and Wang, 2017; Ding et al., 2018).


Figure 1. Power vs. rotational speed of turbine at different wind velocities.

2.3 Cybersecurity and replay attack detection


3 Methodology

This section provides the simulation model. It starts with a general model (Figure 2), describing how all sub-models are connected, and how information flows through them. Thereafter, each sub-model is discussed in-depth.

3.1 Notations

T        Simulation run length
t ∈ T    Simulation period index
Q        Amount of simulations per experiment
et       Expected output at t
ot       Actual output at t
at       Attacked output at t
dt       Difference between e and a at t
L        Attack length
l ∈ L    Attack period index
v        Attack delay
rs       Data recording start period
re       Data recording end period
Rs       Attack start period
Re       Attack end period
c        Chart period; number of data points included
p        Successive detections
it       Attack indication at t
gt       Suspicious indicator at t
ht       Physical test result at t
yt       False alarm indication at t
m        Attack noise percentage
w        Weather noise percentage
cσ       Chart strategy standard deviation
µ        Mean
σ        Standard deviation


3.2 General simulation model

This paragraph presents the general simulation model, which simulates a wind turbine, a replay attack, and multiple detection strategies. The goal of the model is to measure how multiple detection strategies perform in the context of ‘detecting a replay attack on a wind turbine’. In order to achieve this goal, four sub-models and a simulation manager were programmed (Figure 2). The sub-models are discussed individually in the next paragraphs.

The core of the simulation model is the Simulation Manager, which collects the inputs and saves the outputs. Regarding the inputs, the manager reads the necessary parameter values from a row in the ‘input’ file. If multiple rows are filled, multiple simulations are run (and saved). Regarding the outputs, the manager writes the outputs, provided by the output calculation sub-model, to an ‘output’ file. To obtain outputs, firstly, the wind turbine sub-model generates expected (et) and actual power output (ot). Secondly, the replay attack sub-model generates the attacked power output (at). Thirdly, the detection sub-model attempts to detect the attack in the attacked power output data. Lastly, the calculation sub-model uses the data of the preceding sub-models to gather or calculate the simulation outputs.


3.3 Wind turbine

This sub-model mainly uses the ‘windpowerlib’, which is a Python library that provides a set of functions and classes to calculate the power output of wind turbines (Haas et al., 2019). Furthermore, this library provides weather data for every hour for a whole year. This thesis uses default options, one turbine, and the first month of the weather data. Firstly, the power output calculated via this library is considered as expected output (et), where every hour of output is considered a data point. In reality, one can forecast output with weather predictions, or use live data of surrounding wind turbines to get a mean output. Secondly, for every data point, the actual output (ot) is calculated by adding or subtracting weather noise (w), i.e. normal noise caused by weather uncertainty.

$$o_t = e_t + e_t \cdot N(0, w)$$

3.4 Replay attack

This sub-model contains multiple steps in order to obtain the recording period, recorded data, attack period, and attacked output. Firstly, the start of recording (rs) is randomly determined, considering the attack length (L) and delay (v). Randomization is done to improve accuracy in measuring detection performance. The behavior of weather data is very unpredictable and unstable (i.e. high variance). Therefore, two different attack times might yield two different results. By randomizing the start of the attack, and then by repeating the simulation model, the result becomes more accurate. Once the start of recording is determined, the end of recording, start of attack, and end of attack can be determined.

$$r_s = U(0,\ T - L \cdot 2 - v)$$

$$r_e = r_s + L$$

$$R_s = r_e + v$$

$$R_e = R_s + L$$

After determining the above, the model will generate the attacked power output (at) data. To do this, a range (from t = Rs till t = Re) of data from the actual power output (ot) is saved as attack values (Sl), where the first attack value is linked to the first hour of the attack period (l). Attack noise (m) is put on Sl. This noise is to prevent detection through analyzing historical data for similarities, as this could easily be avoided by the attacker in real-life scenarios. After the attack values are obtained, an attack indication (it) is generated, which indicates per hour if there is an attack happening.

$$i_t = \begin{cases} 1, & \text{if } R_s < t < R_e \\ 0, & \text{otherwise} \end{cases}$$

(14)

To generate at, a rule is used to iterate over every hour of ot and it, where, if it = 1, ot is replaced by an attack value (Sl). The model knows which attack value to use as it knows which attack period (l) it is in. The result is saved as attacked power output at.

$$a_t = \begin{cases} S_l + S_l \cdot N(0, m), & \text{if } i_t = 1\ (\text{then } l + 1) \\ o_t, & \text{otherwise} \end{cases}$$
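The wind turbine and replay attack sub-models of 3.3 and 3.4 in code, as an added example that is not the thesis's own program: the windpowerlib output et is replaced by a constructed power curve over a synthetic wind-speed series (an assumption, not the library's curve), the attack window is taken as Rs ≤ t < Re so that exactly L hours are attacked, and all function and class names are mine.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Tuple

# Simplified power curve standing in for windpowerlib's turbine model (assumption,
# not the library's own curve): cubic rise between cut-in and rated wind speed.
CUT_IN, RATED_SPEED, CUT_OUT, RATED_POWER = 3.0, 12.0, 25.0, 3000.0  # m/s, m/s, m/s, kW


def power_curve(wind_speed: float) -> float:
    """Hourly power (kW) for a given wind speed under the constructed curve."""
    if wind_speed < CUT_IN or wind_speed > CUT_OUT:
        return 0.0
    if wind_speed >= RATED_SPEED:
        return RATED_POWER
    return RATED_POWER * ((wind_speed - CUT_IN) / (RATED_SPEED - CUT_IN)) ** 3


def expected_output(T: int) -> List[float]:
    """e_t for t = 0..T-1: a constructed hourly wind-speed series (daily and
    multi-day cycles) pushed through the power curve. In the thesis e_t comes
    from windpowerlib and its weather file."""
    wind = [8.0 + 3.0 * math.sin(2 * math.pi * t / 24) + 2.0 * math.sin(2 * math.pi * t / 155)
            for t in range(T)]
    return [power_curve(v) for v in wind]


def actual_output(e: List[float], w: float, rng: random.Random) -> List[float]:
    """o_t = e_t + e_t * N(0, w): expected output plus proportional weather noise."""
    return [e_t + e_t * rng.gauss(0.0, w) for e_t in e]


@dataclass
class ReplayScenario:
    r_s: int            # recording start
    r_e: int            # recording end (exclusive)
    R_s: int            # attack start
    R_e: int            # attack end (exclusive)
    i: List[int]        # attack indication i_t
    a: List[float]      # attacked output a_t


def replay_attack(o: List[float], L: int, v: int, m: float, rng: random.Random) -> ReplayScenario:
    """Replay attack sub-model: L hours of o_t are recorded, v hours pass, then the
    recorded values (with proportional attack noise m) stand in for o_t."""
    T = len(o)
    r_s = rng.randint(0, T - L * 2 - v)   # r_s = U(0, T - L*2 - v), so that R_e <= T
    r_e = r_s + L
    R_s = r_e + v
    R_e = R_s + L
    S = o[r_s:r_e]                        # recorded values S_l, l = 0..L-1
    # Attack window taken as R_s <= t < R_e so that exactly L hours are attacked.
    i = [1 if R_s <= t < R_e else 0 for t in range(T)]
    a = list(o)
    l = 0
    for t in range(T):
        if i[t] == 1:
            a[t] = S[l] + S[l] * rng.gauss(0.0, m)   # a_t = S_l + S_l * N(0, m)
            l += 1                                    # next recorded value next hour
    return ReplayScenario(r_s, r_e, R_s, R_e, i, a)


def simulate(T: int, w: float, L: int, v: int, m: float, seed: int
             ) -> Tuple[List[float], List[float], ReplayScenario]:
    """One run of the turbine and attack sub-models with a seeded generator."""
    rng = random.Random(seed)
    e = expected_output(T)
    o = actual_output(e, w, rng)
    return e, o, replay_attack(o, L, v, m, rng)


if __name__ == "__main__":
    # Thesis defaults: T = 744 h, w = 0.1, L = 24 h, v = 24 h, m = 0.1.
    e, o, sc = simulate(744, 0.1, 24, 24, 0.1, seed=2021)
    print(f"recorded hours {sc.r_s}-{sc.r_e - 1}, attacked hours {sc.R_s}-{sc.R_e - 1}")
    print("t, e_t, o_t, a_t, i_t around the attack start:")
    for t in range(sc.R_s - 2, sc.R_s + 3):
        print(t, round(e[t], 1), round(o[t], 1), round(sc.a[t], 1), sc.i[t])
```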

3.5 Detection

This sub-model consists of three steps: (1) calculating the difference between expected output and attacked output (dt), (2) providing a suspicious indicator (gt) for six different detection strategies, and (3) doing a ‘physical test’ to check if there is actually an attack. The six detection strategies are: Chart, χ2, t-test, Individual and Moving Range (I-MR) chart, Cumulative Sum (CuSum) chart, and Exponentially Weighted Moving Average (EWMA) chart. The physical test represents a physical change made to the turbine, in which the turbine is configured to have lower power output generation. Presumably, if a turbine is under attack, the power output readings will be unaffected by the physical change. Hence, if a physical test is done and the readings do not drop to the expected level, an attack is caught. On the other hand, if a physical test is done and the readings do drop to the expected level, there was no attack (i.e. a false alarm). The degree to which the turbine should be physically changed depends on the accuracy of information. This thesis assumes that sensors are very accurate, meaning that the measured wind speed is very close to the actual wind speed. Additionally, this thesis assumes that power output is determined by the combination of wind speed (and direction) and turbine configuration. For instance, if there is a certain wind speed and turbine configuration for a specific time period, one can look back at the data and observe that the obtained power output is in line with expectations. If, however, the accuracy of information is lower, the expected power output can have a margin of error. This margin should then be considered and surpassed by the physical test. The first step of the sub-model is to calculate the difference between expected output and attacked output, where $d_t = e_t - a_t$. This data is required for detection strategies 1 and 4-6.

3.5.1 Detection strategies

The second step of the sub-model is to use the detection strategies to try to detect the attack. Strategies 4-6 use ‘pyspc’, which is a Python library that provides a set of functions and classes to apply control charts. All strategies use a similar approach, namely that of control charts based on statistical process control. For every data point in the data, the current point and the preceding c points are selected as temporary data. Thereafter, calculations are done on this temporary data, and results are used to plot the respective control chart(s). Hence, control charts and limits are updated per data point. The suspicious indicator (gt) is 1 if a


$$g_t = \begin{cases} 1, & \text{if } (\mathrm{UCL} < F \text{ or } F < \mathrm{LCL}) \\ 0, & \text{otherwise} \end{cases}$$

The Chart strategy is an Individual (I) chart. For each data point in dt, the mean of the temporary data is the centerline, and the control limits are the centerline plus/minus cσ standard deviations of the temporary data. An X-bar chart in conjunction with an R- or S-chart has also been considered. However, this approach requires multiple samples per data point, whereas the weather file only has one sample per data point. The goal of this strategy is to monitor the data point value and its centerline, looking for abnormal gaps (i.e. attacks). The χ2 strategy combines Pearson’s chi-squared test with the Chart strategy. Pearson’s chi-squared test is the most commonly used chi-squared test; it tests the difference between observed and expected values of multiple events in a sample. Firstly, an observed contingency table is created with two categories: (1) output type and (2) time. Regarding the former, the two output types are expected and attacked power output. Regarding the latter, the time includes the c points from the temporary data. Secondly, an expected contingency table is created via the test. The differences between the two contingency tables are used to create a test statistic ($\chi^2_t$), which indicates whether there is a significant difference between the two output types. If there is no attack, the test statistic will be very small. On the other hand, if there is an attack, the test statistic will increase. Furthermore, the more attacked points in the temporary data, the more large differences there are, and the higher the test statistic. This is what distinguishes it from the Chart strategy, for which successive attacked values will be high, but stable. Therefore, the χ2 strategy is of interest. The test statistic $\chi^2_t$ is created for every hour of expected output (et) and attacked output (at). The data ($\chi^2_t$) is then used as input for the Chart strategy, which will detect out-of-control $\chi^2_t$ values as an attack. Hence, this strategy considers the variance between expected and attacked output for every hour in the temporary data.

The t-test strategy combines the Student’s t-test (unpaired) with the first strategy. Unpaired is preferred for this thesis as weather characteristics differ a lot over time, meaning that samples of different time frames are not similar. The test statistic ($tt_t$) is calculated for every hour, by comparing the means of et and at. The $tt_t$ will be the input for the control chart discussed in strategy 1. What differentiates this strategy from the first is that the mean of the temporary data is the test value, rather than the data point value itself. This can be viewed as a smoothing technique.

The I-MR strategy is a combination of the I-chart and MR-chart. The I-chart, similar to strategy 1, displays data point value and looks if these are out of control. The MR-chart monitors process variation, looking if the change in values (i.e. variance) is out of control. For this strategy, gt = 1 if both I- and MR-chart are out


The CuSum and EWMA strategies are similar in that both charts weigh the values in the temporary data (Hunter, 1986; de Vargas, Lopes and Souza, 2004). De Vargas et al. (2004) explain that the CuSum attributes equal weight to every data point, whereas the EWMA gives higher weight to more frequent information. Both strategies iterate over dt to make the corresponding charts.

3.5.2 Physical test

The third step of the sub-model is the ‘physical test’. In the default scenario, the model will do a physical test if an attack was detected in the preceding hour, i.e. the number of successive detections (p) is 1. This parameter can be adjusted. To determine if a physical test should be done, the following rule iterates over the suspicious indicator $g_t$:

$$\sum_{\tau = t - p}^{t - 1} g_\tau = p \quad \forall\, t \in T$$

If this rule is true for a t, a physical test is carried out and the attack is caught. There are four plausible outcomes (Table 1), which are stored as ht for all t.

Table 1. Physical test outcomes

Result             Suspicious  Attack  Caught
1 (normal)         No          No      No
2 (attack missed)  No          Yes     No
3 (false alarm)    Yes         No      No
4 (attack caught)  Yes         Yes     Yes

3.6 Output calculation model


The outputs per simulation are calculated as:

$$\text{attacks caught} = \sum_{t=1}^{T} x_t, \qquad x_t = \begin{cases} 1, & \text{if } h_t = 4 \\ 0, & \text{otherwise} \end{cases}$$

$$\text{false alarms} = \sum_{t=1}^{T} y_t, \qquad y_t = \begin{cases} 1, & \text{if } h_t = 3 \\ 0, & \text{otherwise} \end{cases}$$

$$\text{catch time} = \min\{t : h_t = 1\} - R_s$$
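The detection sub-model of 3.5 (the Chart strategy on dt, the successive-detection rule for the physical test, and the Table 1 outcomes ht) together with the output calculation of 3.6, as an added example that is not the thesis's own program and does not use pyspc. It runs on a constructed 240-hour series with one replayed window and one non-attack sensor glitch; catch time is taken from the first hour with physical test result 4 (attack caught) in Table 1; the sample values and function names are assumptions.

```python
import statistics
from typing import List, Optional, Tuple

# Constructed input (all values made up): T = 240 hours of expected output as a
# rising ramp in kW, an attacked series that replays hours 48-71 at hours 96-119
# (L = 24, v = 24, so R_s = 96), and a one-hour sensor glitch at hour 10 that is
# not an attack. Chart period c = 72, c_sigma = 3, p = 1 as in the thesis defaults.
T, C, C_SIGMA, P = 240, 72, 3.0, 1
R_S, L, V = 96, 24, 24
E = [200.0 + 5.0 * t for t in range(T)]                    # expected output e_t
A = list(E)                                                # attacked output a_t
for t in range(R_S, R_S + L):
    A[t] = E[t - L - V]            # replayed recorded value: hour t reads as hour t-48
A[10] = E[10] - 300.0               # constructed glitch, no attack at hour 10
I = [1 if R_S <= t < R_S + L else 0 for t in range(T)]   # attack indication i_t


def difference(e: List[float], a: List[float]) -> List[float]:
    """Step 1: d_t = e_t - a_t."""
    return [e_t - a_t for e_t, a_t in zip(e, a)]


def chart_indicator(d: List[float], c: int, c_sigma: float) -> List[int]:
    """Step 2, Chart strategy (I chart): the temporary data for each point is the
    point itself plus the preceding c points; centreline = mean, control limits =
    mean +/- c_sigma standard deviations. g_t = 1 when d_t lies outside the limits."""
    g = []
    for t, value in enumerate(d):
        window = d[max(0, t - c): t + 1]
        centre = statistics.fmean(window)
        sigma = statistics.pstdev(window)
        ucl, lcl = centre + c_sigma * sigma, centre - c_sigma * sigma
        g.append(1 if (value > ucl or value < lcl) else 0)
    return g


def physical_test(g: List[int], i: List[int], p: int) -> List[int]:
    """Step 3: a physical test is done at hour t when the p preceding hours were
    all suspicious (sum of g over t-p..t-1 equals p). h_t follows Table 1:
    1 normal, 2 attack missed, 3 false alarm, 4 attack caught."""
    h = []
    for t in range(len(g)):
        tested = t >= p and sum(g[t - p:t]) == p
        attacked = i[t] == 1
        if tested and attacked:
            h.append(4)
        elif tested:
            h.append(3)
        elif attacked:
            h.append(2)
        else:
            h.append(1)
    return h


def outputs(h: List[int], attack_start: int) -> Tuple[int, int, Optional[int]]:
    """Per-simulation outputs: hours in which a physical test confirmed the attack
    (h_t = 4), false alarms (h_t = 3), and catch time = first confirmed hour - R_s."""
    attacks_caught = sum(1 for x in h if x == 4)
    false_alarms = sum(1 for x in h if x == 3)
    caught_at = [t for t, x in enumerate(h) if x == 4]
    catch_time = caught_at[0] - attack_start if caught_at else None
    return attacks_caught, false_alarms, catch_time


def run_example() -> Tuple[List[int], List[int], Tuple[int, int, Optional[int]]]:
    """Detection pipeline over the constructed series: g_t, h_t and the outputs."""
    d = difference(E, A)
    g = chart_indicator(d, C, C_SIGMA)
    h = physical_test(g, I, P)
    return g, h, outputs(h, R_S)


if __name__ == "__main__":
    g, h, (caught, alarms, catch_time) = run_example()
    print("suspicious hours (g_t = 1):", [t for t, x in enumerate(g) if x == 1])
    print("false alarm hours (h_t = 3):", [t for t, x in enumerate(h) if x == 3])
    print(f"attack hours confirmed: {caught}, false alarms: {alarms}, catch time: {catch_time} h")
```

Once the replayed points make up more than about a tenth of the 73-point window they inflate its standard deviation enough that the constant offset falls back inside the limits, which is the "high but stable" behaviour of the Chart strategy described in 3.5.1.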


4 Experimental Design

This section provides the simulation parameters, default setting, and experiments.

This thesis uses nine parameters for the simulation model. The simulation run length (T) is 744 hours. The attack noise (m) is set to 0.1 (=10%). The attack delay (v) is set to 24 hours. The expected output (et) is fixed, as it is calculated with fixed values from the weather file. The chart period (c) is set to 72 hours, i.e. 72 data points will be used for the detection strategies. The number of repetitions per simulation (Q) is 100. In order to get a valid representation of the output values, it is necessary to repeat simulations. Both 50 and 100 iterations were carried out and compared, with a minor difference between the results. Hence, the data with 100 iterations is used as this is representative. The number of required successive detections (p) for a physical test is set to 1. The attack length (l) is set to 24 hours. The weather noise (w) is set to 0.1, meaning that N(0, 0.1) will be applied to et. The number of standard deviations (cσ) used for the control chart in detection strategies 1-3 is set to 3.

Table 2. Default model parameters and numerical values

Parameter  Numerical value
T          744
m          0.1
v          24
et         weather file
c          72
Q          100
p          1
l          24
w          0.1
cσ         3


5 Results and Discussion

In this section, the default run and the experiments are presented in order to provide insights into the effects of the (experimental) parameters on the detection performance measures. The default run is presented first, so that a baseline situation is set for reference material. Thereafter, the experiments will be presented, exposing the differences between the results of the baseline situation and the experiment. Accordingly, these differences are discussed in order to grasp what happened.

5.1 Baseline situation

Table 3 presents the performance measures per detection strategy for the default run (p = 1, l = 24, w = 0.1, and cσ = 3). The results show that the strategies perform differently.

Table 3. Default run results per detection strategy

Performance measure  Chart (1)  χ2 (2)  t-test (3)  I-MR (4)  CuSum (5)  EWMA (6)
Attacks caught       0.96       1       0.46        0.99      1          1
False alarms         20.9       23.6    10.7        19.9      82.4       26.1
Catch time           1.1        1.7     2.6         2.6       2.3        2.6


attacked points are required causes the χ2 to be slower than the Chart. However, the test statistic will keep increasing with more attacked points, so that the attack is eventually caught. Regarding the t-test, the catch time can be explained by the fact that multiple abnormal data points are required in order to get the mean to a state in which it is out of control. The longer catch times for CuSum and EWMA are due to the build-up period, i.e. for every data point, they consider all c data points. Similar to the t-test, it takes longer to build up an out-of-control value (abnormality). The CuSum chart is slightly faster as it is more sensitive toward abnormalities, which links to its significantly higher number of false alarms.

Considering all observations, there is no ‘optimal’ detection strategy for the default setting, i.e. there is no strategy which scores best on all performance measures. For instance, when comparing the Chart and the I-MR chart, there are minor differences in ‘attacks caught’ and ‘false alarms’, for which it is up to the user’s preferences and priorities as to what is more important.

5.2 Successive detections

This paragraph presents the impact of the number of successive detections required to flag detection (p) on the different performance measures. Figures 2-4 illustrate the results for ‘attacks caught’, ‘false alarms’, and ‘catch time’ respectively.


Figure 3. Attacks caught performance for differing required number of successive detections (p)

Figure 4 illustrates that changing p has an impact on the number of false alarms, for all strategies. If the number of successive detections required to flag an attack increases, the number of false alarms decreases. Figure 5 illustrates that changing p has an impact on the average time needed to catch an attack.

Figure 4. False alarms performance for differing successive detections (p)

Figure 5. Catch time performance for differing number of successive detections (p)


run. However, by increasing p, the EWMA strategy becomes more appealing, as the percentage of attacks caught remains above 98%, whereas the number of false alarms drops from 26.1 to 0.8. This example assumes that false alarms are more important than catch time.

5.3 Attack length

This paragraph presents the impact of the attack length (l) on the different performance measures. Figures 5-7 illustrate the results for ‘attacks caught’, ‘false alarms’, and ‘catch time’ respectively.

Figure 6 illustrates that an increase in l leads to an increase in the percentage of attacks caught. This is most noticeable in the lower spectrum (l = [2, 3]). Looking at I-MR, CuSum, and EWMA, we observe a significant performance gap between l = 2 and l = 3. Regarding CuSum and EWMA, this is due to their smoothing/weighing, i.e. they use cumulative information, for which the abnormality needs to build up. Therefore, the more time to build up, the higher the chance to catch the attack.

Figure 6. Attacks caught performance for differing attack length (l)

Figure 7 illustrates that l has a significant effect on the CuSum and the EWMA strategies, where an increase in l leads to a decrease in the number of false alarms. The reasoning for the impact is related to the impact on the percentage of attacks caught. For example, if an attack is not caught, the attacked data remains in the system to be used for future detection, triggering false alarms shortly after the attack has finished. From the former results, we observed that shorter attacks lead to lower detection chances, i.e. that they will be missed more frequently. This causes the example to occur more often.


Figure 8 illustrates that l has an impact on the average time needed to catch an attack, where an increase in l leads to an increase in catch time. This is due to the fact that with 24-hour attacks, more attacks are caught, because more time is available to detect them. The additional caught attacks with longer catch times are now included in the calculation of the averages, therefore the average will increase. Additionally, looking at the I-MR, CuSum, and EWMA, the attack with l = 2 and p = 1 took less than an hour to detect. This is strange, as the strategies should analyze attacked data for at least an hour. An explanation is that, for some simulations, the data point before the attack is a false alarm, i.e. the attack is detected immediately.

Figure 8. Catch time performance for differing attack length (l)

Overall, it seems that the Chart and χ2 perform better than the other strategies, when it comes to the ability to deal with different attack lengths. The other strategies struggle especially with l = 2, though the percentage of attacks caught improves significantly when the attack length is more than two hours.

5.4 Weather noise


Figure 9. Catch time performance for differing weather noise (w)

5.5 Standard deviation: chart, χ2 and t-test

This paragraph presents the last experiment, which introduces a further modification of the Chart strategy, thereby affecting the χ2 and t-test strategies as well. The modification was made to the control limits, for which the default of 3 standard deviations was changed to 4 and 5. Figure 10 illustrates that modifying the Chart impacts the performance of all three strategies. This makes sense, as χ2 and t-test use the Chart to check whether their respective test values are out of control. In other words, modification of strategies can lead to further improvement. Part (a) shows that the percentage of attacks caught remains arguably unaffected. On the other hand, from part (b) we can observe that there are significantly fewer false alarms. Additionally, part (c) shows that there is a minor increase in the average time needed to catch an attack. Hence, this thesis argues that the modification improved the detection strategies, as the performance gain for ‘false alarms’ heavily outweighs the performance loss for ‘catch time’. This is based on the assumption that both performance measures are of equal importance.

Figure 10. Detection performance measures for differing standard deviation (cσ)


6 Conclusion

This thesis provides new insights into replay attacks on wind turbines and presents a simulation model which includes a replay attack on a turbine and six detection strategies. The new insights are obtained by studying literature on cyberattack mechanisms and wind farm control system vulnerabilities, and thereafter discussing which mechanisms can exploit which vulnerabilities. The presented simulation model simulates the effect of a replay attack on a wind turbine. Six different detection strategies are introduced, which try in parallel to detect the replay attack, so that detection performance can be fairly compared. This performance is measured in the percentage of attacks caught, the average number of false alarms, and the average time needed to catch the attack. A default setting is proposed, allowing for a baseline situation. Experiments on different parameters are proposed, for which the effect on detection performance is discussed per experiment.


which arguably favors the drop in false alarms. In conclusion, it seems that the modified Chart strategy is far superior to the other strategies and should therefore be used in detecting the replay attack.


References

20% Wind Energy by 2030: Increasing Wind Energy’s Contribution to U.S. Electricity Supply (2008). Washington, DC. Available at: www.nrel.gov/docs/fy08osti/41869.pdf (Accessed: 9 October 2019).

Ahmad, R. T. and Abdul-Hussain (2017) ‘Modeling and Simulation of Wind Turbine Generator Using Matlab-Simulink’, Journal of Al Rafidain University College, (40), pp. 282–300.

Benyachou, B. et al. (2017) Modelling with Matlab/Simulink of a wind turbine connected to a generator asynchronous dual power (GADP), Journal of Materials and Environmental Science. Available at: https://www.researchgate.net/publication/327594505_Modelling_with_MatlabSimulink_of_a_wind_turbine_connected_to_a_generator_asynchronous_dual_power_GADP (Accessed: 7 October 2019).

Bisenieks, L., Vinnikov, D. and Galkin, I. (2011) ‘New converter for interfacing PMSG based small-scale wind turbine with residential power network’, in 2011 7th International Conference-Workshop Compatibility and Power Electronics, CPE 2011 - Conference Proceedings, pp. 354–359. doi: 10.1109/CPE.2011.5942260.

Bou-Harb, E. et al. (2013) ‘Communication security for smart grid distribution networks’, IEEE Communications Magazine, 51(1), pp. 42–49. doi: 10.1109/MCOM.2013.6400437.

Boyd, J. (2019) New Security Technology Detects Malicious Cyberattacks On Drones, Cars, And Robots. Available at: https://spectrum.ieee.org/tech-talk/computing/embedded-systems/new-security-technology-detects-attacks-on-sensors-controlling-numerous-applications-including-drones-cars-and-robots

(Accessed: 11 September 2019).

Cam-Winget, N., Sadeghi, A. R. and Jin, Y. (2016) ‘Invited: Can IoT be secured: Emerging challenges in connecting the unconnected’, in Proceedings - Design Automation Conference. Institute of Electrical and Electronics Engineers Inc. doi: 10.1145/2897937.2905004.

Ding, D. et al. (2018) ‘A survey on security control and attack detection for industrial cyber-physical systems’, Neurocomputing. Elsevier B.V., 275, pp. 1674–1683. doi: 10.1016/j.neucom.2017.10.009. Eurostat (2017) Share of energy from renewable sources. Available at: https://appsso-eurostat-ec-europa-eu.proxy-ub.rug.nl/nui/show.do?dataset=nrg_ind_ren&lang=en (Accessed: 10 September 2019).

Gao, W. and Morris, T. (2014) ‘On Cyber Attacks and Signature Based Intrusion Detection for Modbus Based Industrial Control Systems’, Journal of Digital Forensics, Security and Law. Embry-Riddle Aeronautical University/Hunt Library, 9(1), pp. 36–56. doi: 10.15394/jdfsl.2014.1162.

Greenberg, A. (2017) Crash Override Malware Took Down Ukraine’s Power Grid Last December, WIRED. Available at: https://www.wired.com/story/crash-override-malware/ (Accessed: 28 October 2019).

Haas, S. et al. (2019) ‘wind-python/windpowerlib: Revision release’. doi: 10.5281/ZENODO.3403360. Hao, J. et al. (2015) ‘Sparse Malicious False Data Injection Attacks and Defense Mechanisms in Smart Grids’, IEEE Transactions on Industrial Informatics. IEEE Computer Society, 11(5), pp. 1198–1209. doi: 10.1109/TII.2015.2475695.

Huang, Y. L. et al. (2009) ‘Understanding the physical and economic consequences of attacks on control systems’, International Journal of Critical Infrastructure Protection, 2(3), pp. 73–83. doi: 10.1016/j.ijcip.2009.06.001.

(28)

Johnson, A. (2017) Microsoft’s perspective on cyber resilience - Microsoft Security. Available at: https://www.microsoft.com/security/blog/2017/08/23/microsoft-perspective-on-cyber-resilience/

(Accessed: 1 November 2019).

Kang, D. J., Kim, H. T. and Choi, S. (2019) ‘Methodology for quantifying the economic impact of cyberattacks on bulk electric systems’, in Conference Record - Industrial and Commercial Power Systems Technical Conference. Institute of Electrical and Electronics Engineers Inc. doi: 10.1109/ICPS.2019.8733322.

Kaspersky (2019) What is a Replay Attack and How to Prevent it. Available at: https://www.kaspersky.com/resource-center/definitions/replay-attack (Accessed: 25 September 2019). Kinnunen, T. et al. (2017) ‘RedDots replayed: A new replay spoofing attack corpus for text-dependent speaker verification research’, in ICASSP, IEEE International Conference on Acoustics, Speech and Signal Processing - Proceedings. Institute of Electrical and Electronics Engineers Inc., pp. 5395–5399. doi: 10.1109/ICASSP.2017.7953187.

Knudsen, T., Bak, T. and Svenstrup, M. (2015) ‘Survey of wind farm control - Power and fatigue optimization’, Wind Energy. John Wiley and Sons Ltd, 18(8), pp. 1333–1351. doi: 10.1002/we.1760. Krishna, V. B. et al. (2018) ‘Cyberattacks on primary frequency response mechanisms in power grids’, Computer. IEEE Computer Society, pp. 37–45. doi: 10.1109/MC.2018.2876053.

Mo, Y., Chabukswar, R. and Sinopoli, B. (2014) ‘Detecting integrity attacks on SCADA systems’, IEEE Transactions on Control Systems Technology. Institute of Electrical and Electronics Engineers Inc., 22(4), pp. 1396–1407. doi: 10.1109/TCST.2013.2280899.

Mo, Y. and Sinopoli, B. (2009) ‘Secure control against replay attacks’, in 2009 47th Annual Allerton Conference on Communication, Control, and Computing, Allerton 2009, pp. 911–918. doi: 10.1109/ALLERTON.2009.5394956.

Morris, T. and Gao, W. (2013) ‘Industrial Control System Cyber Attacks’, Proceedings of the 1st International Symposium on ICS & SCADA Cyber Security Research, pp. 22–29. Available at: http://ewic.bcs.org/content/ConMediaFile/22618 (Accessed: 11 September 2019).

Rijksoverheid stimuleert duurzame energie (2019). Available at:

https://www.rijksoverheid.nl/onderwerpen/duurzame-energie/meer-duurzame-energie-in-de-toekomst (Accessed: 10 September 2019).

Rijskoverheid (2019) Windenergie op zee. Available at:

https://www.rijksoverheid.nl/onderwerpen/duurzame-energie/windenergie-op-zee (Accessed: 10

September 2019).

Shi, D., Elliott, R. J. and Chen, T. (2017) ‘On Finite-State Stochastic Modeling and Secure Estimation of Cyber-Physical Systems’, IEEE Transactions on Automatic Control. Institute of Electrical and Electronics Engineers Inc., 62(1), pp. 65–80. doi: 10.1109/TAC.2016.2541919.

Sridhar, S. and Manimaran, G. (2010) ‘Data integrity attacks and their impacts on SCADA control system’, in IEEE PES General Meeting, PES 2010. doi: 10.1109/PES.2010.5590115.

Staggs, J., Ferlemann, D. and Shenoi, S. (2017) ‘Wind farm security: attack surface, targets, scenarios and mitigation’, International Journal of Critical Infrastructure Protection. Elsevier B.V., 17, pp. 3–14. doi: 10.1016/j.ijcip.2017.03.001.

(29)

Wang, D. et al. (2016) ‘Recent advances on filtering and control for cyber-physical systems under security and resource constraints’, Journal of the Franklin Institute. Elsevier Ltd, 353(11), pp. 2451–2466. doi: 10.1016/j.jfranklin.2016.04.011.

Yan, J., Liu, C. C. and Govindarasu, M. (2011) ‘Cyber intrusion of wind farm SCADA system and its impact analysis’, in 2011 IEEE/PES Power Systems Conference and Exposition, PSCE 2011. doi: 10.1109/PSCE.2011.5772593.

Yang, Y. et al. (2011) ‘Impact of cyber-security issues on Smart Grid’, in IEEE PES Innovative Smart Grid Technologies Conference Europe. doi: 10.1109/ISGTEurope.2011.6162722.

Zabetian-Hosseini, A., Mehrizi-Sani, A. and Liu, C. C. (2018) ‘Cyberattack to cyber-physical model of wind farm SCADA’, in Proceedings: IECON 2018 - 44th Annual Conference of the IEEE Industrial Electronics Society. Institute of Electrical and Electronics Engineers Inc., pp. 4929–4934. doi: 10.1109/IECON.2018.8591200.

Zetter, K. (2014) An Unprecedented Look at Stuxnet, the World’s First Digital Weapon, WIRED. Available at: https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ (Accessed: 28 October 2019). Zhang, Y., Xiang, Y. and Wang, L. (2017) ‘Power System Reliability Assessment Incorporating Cyber Attacks Against Wind Farm Energy Management Systems’, IEEE Transactions on Smart Grid. Institute of Electrical and Electronics Engineers Inc., 8(5), pp. 2343–2357. doi: 10.1109/TSG.2016.2523515.

Zhao, J., Wang, J. and Yin, L. (2016) ‘Detection and Control against Replay Attacks in Smart Grid’, in 2016 12th International Conference on Computational Intelligence and Security (CIS). IEEE, pp. 624–627. doi: 10.1109/CIS.2016.0151.
