Inference of Tampered Smart Meters with Validations from Feeder-Level Power Injections

04/28/2019
by   Yachen Tang, et al.
0

Tampering of metering infrastructure of an electrical distribution system can significantly cause customers' billing discrepancy. The large-scale deployment of smart meters may potentially be tampered by malware by propagating their agents to other IP-based meters. Such a possibility is to pivot through the physical perimeters of a smart meter. While this framework may help utilities to accurately energy consumption information on the regular basis, it is challenging to identify malicious meters when there is a large number of users that are exploited to vulnerability and kWh information being altered. This paper presents a reconfiguration switching scheme based on graph theory incorporating the concept of distributed generators to accelerate the anomaly localization process within an electrical distribution network. First, a data form transformation from a visualized grid topology to a graph with vertices and edges is presented. A conversion from the graph representation to machine recognized matrix representation is then performed. The connection of the grid topology is illustrated as an adjacency or incidence matrix for the following analysis. A switching procedure to change elements in the topological matrix is used to detect and localize the tampered node or cluster. The procedure has to meet the electrical and the temporary closed-loop operational constraints. The customer-level anomaly detection is then performed in accordance with probability derived from smart meter anomalies.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

12/30/2020

Dynamic Graph-Based Anomaly Detection in the Electrical Grid

Given sensor readings over time from a power grid, how can we accurately...
12/08/2021

Adaptive packet transmission in response to anomaly detection in software defined smart meter networks

In this paper, we examine a basic smart meter network topology in minine...
06/28/2021

Towards anomaly detection in smart grids by combining Complex Events Processing and SNMP objects

This paper describes the architecture and the fundamental methodology of...
04/13/2018

Detection of Compromised Smart Grid Devices with Machine Learning and Convolution Techniques

The smart grid concept has transformed the traditional power grid into a...
12/15/2020

Anomaly Detection and Localization based on Double Kernelized Scoring and Matrix Kernels

Anomaly detection is necessary for proper and safe operation of large-sc...
01/19/2015

On the impact of topological properties of smart grids in power losses optimization problems

Power losses reduction is one of the main targets for any electrical ene...
06/23/2021

Topology-preserving Scan-based Immersed Isogeometric Analysis

To exploit the advantageous properties of isogeometric analysis (IGA) in...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

ENERGY thieves have been known as the major pitfalls for developing countries as the illegal electricity users are not part of the payment to utilities [1]. Similarly, alteration of individual’s electronic energy usage on a smart meter is a covert, fraudulent behavior. Such motivation is to avoid full payment over the course of a long period of time. While smart meters provide the technology to conveniently obtain kWh information to utility billing center, poor physical perimeters may enable individuals to tamper the smart meters. Collectively, such an attack can get more creative that may be propagated through the Intranet of all associated smart meter devices to be enumerated by pivoting through a compromised smart meter [2, 3]. Massive tampering can occur within the home area network (HAN) and neighborhood area network (NAN). Although this may not affect overall reliability of a distribution network, it would implicate the collection of monthly payments from utility’s customers, leading to significant lower revenue as part of the financial losses [4, 5]. On the other extreme, the discrepancy may trigger complaints by other customers who do not use usage much but amplified by the malware agents to significantly higher usage.

The metering data has the risk of being tampered during the process of measurement, collection, storage, or transmission while the malware or the worm propagation is usually embedded in the data string of the plausible legitimate metering data. In time-critical communications, the data collection devices usually have access for security, the inquire of data is restricted. Therefore, it is hard to detect the existed malware in these devices. Mike Davis demonstrated the speed of the malware can break a smart meter’s safeguard and worms propagation through the loophole in 2009 at Blackhat [6] while the Stuxnet worm attacked the metering units in the power system in 2010 [7, 8]. Different than conventional malicious attacks, several smart meters might share the same identity number or a mechanical unit may generate one or more additional identity number to cause Distributed Denial-of-Service (DDoS) attack. DDoS only affects the unavailability of smart meters. However, this attack can be utilized to reduce the share of resources in the topology and give attackers more information to perform other attacks [9, 10]. A McAfee report warned that an attacker could exploit smart meters easily and takes control of the whole system [11]. Since the system specifications, diverse network protocols, and operational constraints in AMI, the existing defense methods against malicious attacks cannot be applied directly. The main motivation of this work is not to provide a defend method to improve the cybersecurity of the grid network. It proposed a switching operation scheme to detect and localize the occurred attacks or tampering behaviors within a distribution system.

An assumption is that the AMI and SCADA systems have been fully deployed in the test area, however,the SCADA was developed using a comprehensive security policy to protect the system from the cyber attacks or any other threatens, while the validation for smart meters remains in the early stage. The main contribution of this paper is to combine the tamper detection method with the topology reconstruction switching procedure to locate subfeeder or clusters with malicious meters in a distribution system. The distributed generators are considered in this study to reduce the switching combinations. The rest of this paper is structured as follows: Related works are presented in Section II. The switching strategies are formularized in Section III. A case study with a virtual distribution network is discussed in Section IV. The conclusion and the future work are presented in Section V.

Ii Related Work

Researchers to prevent anomalous electricity usages have done many existing methods. Artificial intelligence based machine learning and big data analysis [12] have been widely used for intelligent data analysis and data mining to identify normal consumption patterns, thus an obvious deviation between the normal pattern and the measuring data can be considered as an anomaly. Authors in [13]

using machine learning techniques on the past data to built models for detecting anomalous meter readings. A distributed intelligent framework using benford’s law and stackelberg game to detect electricity theft was proposed in

[14].

A technique can identify diverse forms and caused deviations from tampered activities by using artificial neural networks

[15]

and Kalman filter

[16]

. The abnormal reports from the load areas with high tampered probabilities can be trained in support vector machine (SVM)

[3] for classification.
Another main strategy of detecting malicious meters is based on the real-time comparison. In [17], the (feeder) remote terminal unit (RTU/FRTU) provides a strategy to narrow down the search area for energy theft in a smart community. Also, [2] compares the real values with the predicted results to infer the possible tampered activities. The methods to distinguish the legitimate data from metering devices and the malware-carrying data string and using a disassembler to assist mathematical analysis are described in [18]. Different than data based detection approaches, [19] provides the attack and intrusion detection mechanism for a smart grid neighborhood area network (NAN). In addition, some strategies based on graph theory have been developed. In [20], a novel inspection algorithm identifies each meter with a unique binary-coded number to locate the unique malicious meter is proposed. The conversion between the power grid and binary tree or spanning tree is adopted in [3]. Sensors can also be used to detect anomalies in customer levels and even in networks and communication levels. However, the deploy and maintenance fee of a complete sensor system could be expensive and false alarms may occur in the inspection process[21].

The reconfiguration switching scheme in the distribution system is mainly applied for the emergency operation and optimization process [22]. The main purpose to exploit this problem is to achieve optimization. In [23], the authors deal with the problem existed in the radial topology of the distribution network with minimum losses while [24, 25] demonstrated a strategy to optimize the cost for equipment and devices installation and maintenance via changing the states of switching devices. In [26] introduces methods to restore maximum load with minimum steps of switching procedures.

Fig. 1: Sparse visualization of the adjacency and incidence matrices for the provided virtual topology.

Iii Switching Strategies for Tampered Node Localization

The profile-based anomaly detection to detect the irregularity of potentially tampered data by comparing the summation of all smart meters results with the metering result shown in the FRTU at the feeder head [27]. If the offset is quite different (much larger or smaller) than the pre-defined threshold, the reconfiguration switching scheme is utilized to localize the subfeeder, microgrid [28], cluster, or the distribution node with tampered load(s) or malicious meter(s). Since the operational complexity and the cost during the topological reconfiguration, the proposed method is performed once the discrepancy is larger than 20% of the normal power consumption (which will cause massive tampering). All electrical utilities keep the power on during the switching procedures while meeting the closed-loop electrical and operational constraints in the distribution grid [29, 30].

Iii-a Convert the Distribution Network To a Graph

A distribution grid is a radial topology and constructed by different feeders and microgrids. The adjacent feeders are connected with each other through tie switches (normally open and can be closed under emergency situation). The distribution grid can be represented by a graph , which only contains nodes and edges. In , all distributed power resources and loads are denoted as nodes/vertices while all nodes are connected by feeder lines with openable tie switches, which are referred to as edges . The graph is stored in matrix form (adjacency and/or incidence matrix) to straightforward demonstrate the connection relationships between nodes and edges [31].

0:    
1:  Isolate all subfeeders or clusters with distributed generators.
2:  if  shows no tampered load(s) in this system. then
3:     .
4:     Restore the connection of each subfeeder or cluster sequentially and check .
5:  else
5:     
6:     ;
7:      keeps updating;
8:      Convert the topological incidence matrix to adjacency form and update the current states of all switches;
9:     .
10:     .
11:     Replace all diagonal elements in with 0.
12:      Initialization;
13:     .
14:     .
15:      Check if the status is same as the previous iteration.
16:     while  do
17:        .
18:        .
19:     end while
20:     Replace all nonzero elements in with 1.
21:     return  .
22:      Localize the tampered node.
23:     Find all 0 elements in .
24:     while More than one tampered nodes in one feeder, change to generate a new do
25:        Repeat .
26:     end while
27:  end if
Algorithm 1 Tampered Node Localization Algorithm

An example of a distribution network with two feeders and the corresponding adjacency and incidence matrices are shown in Fig. 1. The sparse visualization of the adjacency and incidence matrices for the provided virtual topology is also illustrated in Fig. 1. The is responsible to monitor the consumption states of all customers in the blue area while the metering the green area. The detailed structure of the secondary network (customer level) for each load is shown in the gray block. In other words, the metering results in FRTU should be equal or slightly different than the summation of all smart meters’ results under the supervised zone. It should be noted that the order of vertices and edges may change the form of matrices but can not change the topology of the graph. In this example, the order of vertices following the numbering sequence in this figure while the to represent edges 2 to 7. The and represent edge 1 and 7, respectively. Two vertices and and their connection (edge 2) is displayed on the visualized sparse matrices. The nonzero elements of these two matrices represent the number of edges in the graph. Since the graph is undirected, each edge is counted twice. This example is used for the case study in this paper.

Iii-B Tampered Node Localization with Switching Strategies

The Algorithm 1 illustrates the iterative process of how the node with tampered load(s) is localized based on the distribution switching procedure. The detailed descriptions of variables are shown as below:

[]

Topological incidence matrix to represent the connection states between nodes: is denoted as a node/vertex and denoted as an edge. If node is connected by edge to other node(s), = 1, otherwise, = 0.

Topological adjacent matrix to represent the connection states between nodes: both and are denoted as nodes/vertices. If node is connected with node , = 1, otherwise, = 0.

A defined row vector with length to indicate the connection states (open or close) of switches (edges) in the distribution topology. If switch is open = 0, otherwise, = 1.

A defined row vector with length to indicate the locations of all distributed power resources in the distribution topology. If node connected with a power source, = 1, otherwise, = 0.

Index of RTU/FRTU that indicates there exists tampered load(s).

A defined row vector with length to indicate the location of distributed generators. If vertex connected with a distributed generators, then = 1, otherwise, = 0.

The algorithm starts with balancing the benefits of detecting the fraud, only the detected power losses are more than 20%, the process is performed. The algorithm is summarized as follows:

  1. Isolate all subfeeders or clusters with distributed generators, if shows no tampered load(s), the tampered load(s) exists in the isolated subfeeders or clusters.

  2. Restore the connection of each microgrid sequentially and check to identify which microgrid has the tampered load(s).

  3. If the tampered load(s) is not in the isolated area, perform the iteration function to localize the tampered node.

  4. Convert the topological incidence matrix to adjacency form and update the current states of all switches for detecting the possible tampered node;

  5. Initialize with and set as the previous iteration result of and initialize with 0;

  6. Check the status of every node during each iteration by checking ;

  7. If values of all nodes in the row vector are unchanged in the following iterations, use 1 to replace all nonzero elements in ;

  8. If there are more than one tampered nodes within a single feeder, update to generate a new and then repeat ;

  9. Return ;

  10. 0 element(s) in to represent the location(s) of tampered node(s).

Iii-C Customer-Level Anomaly Detection

In this study, we assume all customers have smart meters. Continue the profile-based tampering detection process in consumers’ level by comparing the historical consumption records with the current period report after the localization of tampered node in the load (or lumped load) level. The anomaly score and the attacking probability of smart meters will be considered at the beginning of the customer-level anomaly detection to improve the searching efficiency. The searching process will start from the distribution node covers the smart meters with the highest anomaly index.

The anomaly score of the smart meter can be estimated by a statistical approach. The ratio between the recorded number of anomalous readings and the total number of readings over a test period represents the score.

The anomaly score can be represented as (1):

(1)

where is number of anomalous readings of a smart meter in a time duration and represents the total number of metering results.

Assume the alarm system in each smart meter is sensitive, the attacking probability indicates the probability that an alarm occurs during a time duration of , which can be estimated as (2):

(2)

where represents the occurrence probability of type alarm, which can be estimated from the statistics and observations of archived data. There might be more than one tampering on one node.

Iv A Case Study

A test case is utilized to validate the proposed strategy for detecting tampered meters based on the switching procedure. The schemes of changing connection status of switches in the distribution topology have to keep the whole system power on and meet the electrical and operational constraints.

Fig. 2: Switching procedures to localize the tampered load node in the example topology.

Iv-a Test Case Description

Fig. 2 is the topology of the distribution test network. There are two feeders and six load nodes. The two remote-controlled switches at each feeder head are deployed with a FRTU. An alarm system based on the profile-based tampering detection is also installed in FRTU. The load node with the distributed generator can generate the microgrids. A random generated massive tampering alarm is sent from .

The corresponding input incidence matrix can be gathered from the previous section. The input row vectors of the first scenario in Fig. 2 are as since and are two power sources; due to the normally open tie switch ; for the random fraud alarm and because of the distributed generator. In the second scenario, the , , and remain unchanged while since the switching procedure.

Iv-B Switching Procedures

Since the topology of the test system keeps unchanged, the input incidence matrix has no changes. The difference between each iteration is the updated connecting status .

Iv-B1 Step 1

Under the operational constraints, connect the tie switch between these two feeders in order to keep the test system power on during this procedure.

Iv-B2 Step 2

Isolate the load node since it connected with a distributed generator which can supply the power for this microgrid.

Iv-B3 Step 3

Perform the profile-based tampering detection at , if shows normally, the tampered loads are not in .

Iv-B4 Step 4

Perform the profile-based tampering detection at , if shows normally, the tampered loads are in ; If not, the tampered loads are in .

In this work, a simple virtual distribution network is applied, since the key point of the proposed method is to find out the best sequence of the switching procedure and change the states of openable edges, the different sequence will cause different searching time: the time could be exponential or only spend a linear time in a real distribution network. This is the preliminary work that intends to prove the feasibility of the proposed idea.

V Conclusion and Future Work

In this paper, a new application is presented to infer tampered node within distribution AMI network using graph-theoretic framework. The data-based tampering detection method is utilized to help indicate the existing of attacks or tampered activities in the system. The consideration of subfeeders, clusters, or microgrids with distributed generators will reduce the number of combinations during the switching procedures that can accelerate the localization of the spot with energy theft. In the process of localizing the tampered load node, the distribution network is converted to a graph only contains vertices and edges. The graph is demonstrated as incidence or adjacency matrix for the analysis. A localization of tampered nodes within a network is introduced.

Validations can be further extended in the future to study a large-scale distribution framework using the proposed algorithm. The consideration of electrical and operational constraints, corresponding combination strategy, as well as a heuristic search algorithm will be incorporated as part of the future work.

The real topology of a distribution system can be drawn based on a real map in the geographic information system (GIS). An agent-based model which can be integrated with multiple modules into a single simulation environment such as the GridLAB-D [32] to generate random tampered nodes and perform the power flow to meet the constraint requirements in the provided network will be conducted.

References

  • [1] J. Nagi, K. S. Yap, S. K. Tiong, S. K. Ahmed, and M. Mohamad, “Nontechnical loss detection for metered customers in power utility using support vector machines,” IEEE Trans. Power Del., vol. 25, no. 2, pp. 1162–1171, Apr. 2010.
  • [2]

    C. Cody, V. Ford, and A. Siraj, “Decision tree learning for fraud detection in consumer energy consumption,” in

    Proc. IEEE 14th Intl. Conf. on Machine Learning and Applications, Dec. 2015, pp. 1175–1179.
  • [3] P. Jokar, N. Arianpoo, and V. C. M. Leung, “Electricity Theft Detection in AMI Using Customers’ Consumption Patterns,” IEEE Trans. Smart Grid, vol. 7, no. 1, pp. 216–226, Jan. 2016.
  • [4] P. McDaniel and S. McLaughlin, “Security and privacy challenges in the smart grid,” IEEE Security Privacy, vol. 7, no. 3, pp. 75–77, Jun. 2009.
  • [5] J. Smith. (2015) Smart meters take bite out of electricity theft. National Geographic. [Online]. Available: http://news.nationalgeographic.com/news/energy/2011/09/110913-smart-meters-for-electricity-theft/.
  • [6] M. Davis. (2009) SmartGrid Device Security: Adventures in a new medium. Black Hat. [Online]. Available: {http://www.blackhat.com/presentations/bh-usa-09/MDAVIS/BHUSA09-Davis-AMI-SLIDES.pdf.}
  • [7] E. Byres, A. Ginter, and J. Langill. (2010) White Paper: How stuxnet spreads-a study of infection paths in best practice systems. Tofino Security. [Online]. Available: {https://www.slideshare.net/YuryChemerkin/how-stuxnet-spreads-a-study-of-infection-paths-in-best-practice-systems.}
  • [8] D. M. Nicol, “Hacking the lights out: The computer virus threat to the electrical grid,” Scientific American, vol. 305, no. 1, pp. 70–75, Jul. 2011.
  • [9] K. Cho, M. Jo, T. Kwon, H. Chen, and D. Lee, “Classification and experimental analysis for clone detection approaches in wireless sensor networks,” IEEE Systems Journal, vol. 7, no. 1, pp. 26–35, 2013.
  • [10] M. Demirbas and Y. Song, “An rssi-based scheme for sybil attack detection in wireless sensor networks,” in Proc. WoWMoM 2006, 2006, pp. 566–570.
  • [11] (2012) smarter protection for the smart grid. McAfee. [Online]. Available: {https://www.ccn-cert.cni.es/publico/InfraestructurasCriticaspublico/rp-smarter-protection-smart-grid.pdf.}
  • [12] J. E. Cabral, J. O. P. Pinto, and A. M. A. C. Pinto, “Fraud detection system for high and low voltage electricity consumers based on data mining,” in IEEE Power Energy Society General Meeting, Jul. 2009, pp. 1–5.
  • [13] B. Coma-Puig, J. Carmona, R. Gavaldà, S. Alcoverro, and V. Martin, “Fraud detection in energy consumption: A supervised approach,” in IEEE Intl. Conf. on DSAA, Oct. 2016, pp. 120–129.
  • [14] L. Wei, A. Sundararajan, A. I. Sarwat, S. Biswas, and E. Ibrahim, “A distributed intelligent framework for electricity theft detection using benford’s law and stackelberg game,” in Resilience Week (RWS), Sep. 2017, pp. 5–11.
  • [15] V. Ford, A. Siraj, and W. Eberle, “Smart grid energy fraud detection using artificial neural networks,” in Proc. IEEE 8th International Symposium on Service Oriented System Engineering, Dec. 2014, pp. 1–6.
  • [16] S. A. Salinas and P. Li, “Privacy-preserving energy theft detection in microgrids: A state estimation approach,” IEEE Trans. Power Syst., vol. 31, no. 2, pp. 883–894, Mar. 2016.
  • [17] Y. Zhou, X. Chen, A. Y. Zomaya, L. Wang, and S. Hu, “A dynamic programming algorithm for leveraging probabilistic detection of energy theft in smart home,” IEEE Trans. Emerging Topics in Computing, vol. 3, no. 4, pp. 502–513, Dec. 2015.
  • [18] Y. Park, D. M. Nicol, H. Zhu, and C. W. Lee, “Prevention of malware propagation in AMI,” in Proc. IEEE International Conference on Smart Grid Communications (SmartGridComm), Oct. 2013, pp. 474–479.
  • [19] H. Sedjelmaci and S. M. Senouci, “Smart grid security: A new approach to detect intruders in a smart grid neighborhood area network,” in Proc. International Conference on Wireless Networks and Mobile Communications (WINCOM), Oct. 2016, pp. 6–11.
  • [20] X. Xia, W. Liang, Y. Xiao, and M. Zheng, “BCGI: A fast approach to detect malicious meters in neighborhood area smart grid,” in Proc. IEEE International Conference on Communications (ICC), Jun. 2015, pp. 7228–7233.
  • [21] R. Czechowski and A. M. Kosek, “The most frequent energy theft techniques and hazards in present power energy consumption,” in Joint Workshop on CPSR-SG, Apr. 2016, pp. 1–7.
  • [22] J. Duan, K. Zhang, and L. Cheng, “A novel method of fault location for single-phase microgrids,” IEEE Trans. Smart Grid, vol. 7, no. 2, pp. 915–925, Mar. 2016.
  • [23] A. Augugliaro, L. Dusonchet, M. G. Ippolito, and E. R. Sanseverino, “Minimum losses reconfiguration of mv distribution networks through local control of tie-switches,” IEEE Trans. Power Del., vol. 18, no. 3, pp. 762–771, Jul. 2003.
  • [24] A. Abiri-Jahromi, M. Fotuhi-Firuzabad, M. Parvania, and M. Mosleh, “Optimized sectionalizing switch placement strategy in distribution systems,” IEEE Trans. Power Del., vol. 27, no. 1, pp. 362–369, Jul. 2012.
  • [25] A. Heidari, V. G. Agelidis, M. Kia, J. Pou, J. Aghaei, M. Shafie-Khah, and J. P. S. Catalão, “Reliability optimization of automated distribution networks with probability customer interruption cost model in the presence of dg units,” IEEE Trans. Smart Grid, vol. 8, no. 1, pp. 305–315, Jan. 2017.
  • [26] J. Li, X. Y. Ma, C. C. Liu, and K. P. Schneider, “Distribution system restoration with microgrids using spanning tree search,” IEEE Trans. Power Syst., vol. 29, no. 6, pp. 3021–3029, Nov. 2014.
  • [27] Y. Tang, C. Ten, and L. E. Brown, “Switching reconfiguration of fraud detection within an electrical distribution network,” in Resilience Week (RWS), Sept. 2017, pp. 206–212.
  • [28] L. Wang, C. Cao, and B. Chen, “Model-based micro-grid modeling and optimal pev charging control,” in 12th IEEE/ASME International Conf. on Mechatronic and Embedded Systems and Applications (MESA), Aug. 2016, pp. 1–6.
  • [29] L. Wang, S. Feng, and F. Shi, “Risk analysis of closing loop operation based on the main and distribution network integration,” in China Intl. Conf. on Electricity Distribution, Sept 2012, pp. 1–4.
  • [30] D. Mao, D. Meyer, and J. Wang, “Evaluating pev’s impact on long-term cost of grid assets,” in IEEE Power Energy Society Innovative Smart Grid Technologies Conference (ISGT), Apr. 2017, pp. 1–5.
  • [31] C.-W. Ten and Y. Tang, Electric Power Distribution Emergency Operation.   Taylor & Francis Group, 2018.
  • [32] (2012, Dec.) GridLAB-D. U.S. Department of Energy (DOE) at Pacific Northwest National Laboratory (PNNL). [Online]. Available: http://www.gridlabd.org.