Ezzeldin Shereen

Ph.D. student

Division of Network and Systems Engineering
School of Electrical Engineering and Computer Science
KTH Royal Institute of Technology

Title of the doctoral thesis

Security of Time Synchronization for PMU-based Power System State Estimation: Vulnerability and Countermeasures

Abstract

Phasor Measurement Units (PMUs) constitute an emerging technology that is essential for various smart grid applications such as phase angle monitoring, power oscillation damping, fault localization, and linear state estimation. To obtain precise PMU measurements of voltage and current phasors, time synchronization on the order of 1 microsecond is typically required. Nevertheless, time synchronization sources for PMUs, such as GPS satellites and Precision Time Protocol (PTP), are vulnerable to Time Synchronization Attacks (TSAs). A TSA can disrupt time synchronization, resulting in malicious phase angle measurements, potentially leading to serious consequences for the stability of the power grid. Moreover, sophisticated attackers may be able to develop undetectable TSAs that would lead to incorrect but credible estimates of the system state, which will bypass traditional Bad Data Detection (BDD) algorithms employed in the grid. Therefore, the detection and mitigation of such undetectable TSAs is of utmost importance for power system operators.

The first part of this thesis explores the threat of undetectable TSAs by investigating the practical feasibility of launching such attacks. We provide necessary and sufficient conditions for a set of PMUs to be vulnerable to undetectable TSAs and provide an efficient algorithm to compute attacks against any number of vulnerable PMUs. Furthermore, we show that the set of undetectable TSAs forms a continuum if at least three vulnerable PMUs are targeted by the attack. This fact can be exploited by an attacker to develop low-rate attacks that would adapt to the clock servo that controls the PMU clock, and would bypass typical change detection-based security solutions. We demonstrated the practical feasibility of computing undetectable TSAs using realistic PMU data and a widely-used clock servo implementation.

The second part of this thesis considers the detection of TSAs against PMUs. We proposed three detection approaches focusing on various aspects of PMU and power grid operations. The first proposed approach is decentralized, and attempts to detect TSAs at every PMU individually by leveraging the dependence between the PMU clock state and the measured voltage phasor. The approach is based on the observation that a TSA changes the correlation between the PMU clock frequency adjustments and the change in the measured phase angle. We proposed model-based and data-driven machine learning-based TSA detectors exploiting the change in correlation. Using extensive simulations and realistic PMU clock models, the proposed detectors were shown to perform well even for relatively low-rate attacks. The second proposed approach is centralized and is based on performing state estimation using the complete three-phase model instead of the simpler and more widely-used direct-sequence equivalent model. Our analytical results and extensive simulations showed that three-phase state estimators are significantly more resilient to TSAs compared to single-phase state estimators in unbalanced three-phase systems. Even though not completely invulnerable, our work showed that three-phase state estimation is a simple, yet effective solution for decreasing the vulnerability of PMU time synchronization. The third proposed approach is based on the framework of Graph Signal Processing (GSP) in power systems. By regarding the system state as a graph signal, we are able to exploit the low-dimensional structure of the PMU measurements and the system state for TSA detection. Based on GSP, we proposed a high-pass graph filter as well as a machine learning classifier utilizing GSP features, both showing superior performance not only in detecting the presence of a TSA, but also in localizing the attacked PMUs.
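The idea behind the third approach can be sketched as follows; this is an added example, not code from the thesis or its papers. It assumes a constructed 6-bus graph, constructed phase angles, a 50 Hz nominal frequency and a first-order Laplacian filter standing in for the thesis's filter design, which the abstract does not specify.

```python
import math

# Constructed 6-bus grid: (bus_i, bus_j) -> edge weight (stand-in for line susceptance).
EDGES = {(0, 1): 10.0, (1, 2): 8.0, (2, 3): 12.0, (3, 4): 9.0,
         (4, 5): 11.0, (5, 0): 10.0, (1, 4): 6.0}
# Constructed clean phase angles (rad) at nominal load; neighbours differ only slightly.
BASE = [0.00, -0.01, -0.02, -0.03, -0.02, -0.01]
F_NOMINAL = 50.0  # Hz, assumed nominal grid frequency

def high_pass(theta):
    """First-order high-pass graph filter y = L*theta (L = weighted Laplacian)."""
    y = [0.0] * len(theta)
    for (i, j), w in EDGES.items():
        d = w * (theta[i] - theta[j])
        y[i] += d
        y[j] -= d
    return y

def calibrate(clean_snapshots, margin=3.0):
    """Learn the mean clean filter response and an alarm threshold from attack-free data."""
    ys = [high_pass(s) for s in clean_snapshots]
    ref = [sum(col) / len(ys) for col in zip(*ys)]
    worst = max(abs(v - r) for y in ys for v, r in zip(y, ref))
    return ref, margin * worst

def detect(theta, ref, tau):
    """Return (alarm, suspected_bus); suspected_bus is None when no alarm is raised."""
    resid = [abs(v - r) for v, r in zip(high_pass(theta), ref)]
    peak = max(resid)
    return (True, resid.index(peak)) if peak > tau else (False, None)

def apply_time_offset(theta, bus, offset_s):
    """Phase error that a clock offset adds at one PMU: delta = 2*pi*f*dt."""
    shifted = list(theta)
    shifted[bus] += 2 * math.pi * F_NOMINAL * offset_s
    return shifted

# Constructed calibration set: the same angle profile at three load levels.
CLEAN = [[k * a for a in BASE] for k in (0.9, 1.0, 1.1)]
REF, TAU = calibrate(CLEAN)

if __name__ == "__main__":
    print(detect(BASE, REF, TAU))                                 # clean snapshot
    print(detect(apply_time_offset(BASE, 2, 100e-6), REF, TAU))  # 100 us offset at bus 2
```

A 100 µs offset on a single PMU stands out because the filter amplifies it by that bus's weighted degree; the sketch does not cover coordinated offsets on several PMUs, which are the undetectable case the first part of the thesis studies.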

The third and final part of the thesis considers the mitigation of TSAs, with special focus on attack mitigation in PTP networks. In this regard, we investigated recently standardized authentication schemes in PTPv2.1 and their effect on both the synchronization accuracy and network latency in an experimental testbed. The results showed that the authentication schemes pose no significant overhead on the synchronization accuracy or the network latency. Moreover, the cost considerations of PTP authentication were investigated by considering the partial application of the authentication schemes to a PTP network only in the parts that are vulnerable to undetectable TSAs, thus combining TSA mitigation and detection. We showed that the problem of mitigating undetectable TSAs at minimum cost is NP-hard. We formulated the problem as an integer linear program and proposed two approximation algorithms based on linear relaxation and a greedy heuristic. Through extensive simulations on both synthetic graphs and realistic IEEE benchmark power system graphs, we showed that our proposed algorithms, combining both state estimation and PTP authentication, can dramatically reduce the cost of mitigating TSAs.

The TSA detection and mitigation approaches presented in this thesis constitute a step towards secure and reliable time synchronization for PMU applications and a more resilient smart grid infrastructure.

Included publications

Ezzeldin Shereen, Marguerite Delcourt, Sergio Barreto, György Dán, Jean-Yves Le Boudec, Mario Paolone, ''Feasibility of Time Synchronization Attacks against PMU-based State-Estimation,''
IEEE Trans. on Instrumentation and Measurement, vol. 69, no. 6, Jun. 2020, pp. 3412-3427

Ezzeldin Shereen, György Dán, ''Model-based and Data-driven Detectors for Time Synchronization Attacks against PMUs,''
IEEE Journal on Selected Areas in Communications (JSAC), vol. 38, no. 1, Jan. 2020, pp. 169-179

Marguerite Delcourt, Ezzeldin Shereen, György Dán, Jean-Yves Le Boudec, Mario Paolone, ''Time-Synchronization Attack Detection in Unbalanced Three-Phase Systems,''
IEEE Trans. on Smart Grids, accepted for publication

Ezzeldin Shereen, Florian Bitard, György Dán, Steffen Fries, Tolga Sel, ''Next Steps in Security for Time Synchronization: Experiences from implementing IEEE 1588 v2.1,''
in Proc. of IEEE Symposium on Precision Clock Synchronization for Measurement, Control and Communication (ISPCS), Sep. 2019

Ezzeldin Shereen, György Dán, ''Network Topology-aware Mitigation of Undetectable PMU Time Synchronization Attacks,''
under submission

Ezzeldin Shereen, Raksha Ramakrishna, György Dán, ''Detection and Localization of PMU Time Synchronization Attacks via High-pass Graph Filtering,''
under submission

Publications not included in the doctoral thesis

Sergio Barreto, Ezzeldin Shereen, Marco Pignati, György Dán, Jean-Yves Le Boudec, Mario Paolone, ''A Continuum of Undetectable Timing-Attacks on PMU-based Linear State-Estimation,''
in Proc. of IEEE SmartGridComm, Oct. 2017

Ezzeldin Shereen, György Dán, ''Correlation-based Detection of PMU Time Synchronization Attacks,''
in Proc. of IEEE SmartGridComm, Oct. 2018

Ezzeldin Shereen, György Dán, ''Network-aware Mitigation of Undetectable PMU Time Synchronization Attacks,''
in Proc. of IEEE SmartGridComm, Nov. 2020

Serkan Saritas, Ezzeldin Shereen, Henrik Sandberg, György Dán, ''Continuous Authentication Security Games,''
in Game Theory and Machine Learning for Cyber Security (eds. C. Kamhoua, C. Kiekintveld, F. Fang, Q. Zhu), Wiley-IEEE Press, 2021

Serkan Saritas, Ezzeldin Shereen, Henrik Sandberg, György Dán, ''Adversarial Attacks on Continuous Authentication Security: A Dynamic Game Approach,''
in Proc. of Intl. Conf. on Decision and Game Theory for Security (GameSec), Oct. 2019