Feasibility of Time-Synchronization Attacks Against PMU-Based State Estimation

The emerging measurement technology of phasor measurement units (PMUs) makes it possible to estimate the state of electrical grids in real time, thus opening the way to new protection and control applications. PMUs rely on precise time synchronization; therefore, they are vulnerable to time-synchronization attacks (TSAs), which alter the measured voltage and current phases. In particular, undetectable TSAs pose a significant threat as they lead to an incorrect but credible estimate of the system state. Prior work has shown that such attacks exist against pairs of PMUs, but they do not take into consideration the clock adjustment performed by the clock servo, which can modify the attack angles and make the attacks detectable. This cannot be easily addressed with the existing attacks, as the undetectable angle values form a discrete set and cannot be continuously adjusted as would be required to address the problems posed to the attacker by the clock servo. Going beyond prior work, this article first shows how to perform undetectable attacks against more than two PMUs, so that the set of undetectable attacks forms a continuum and supports small adjustments. Second, it shows how an attacker can anticipate the operation of the clock servo while achieving her attack goal and remaining undetectable. Third, this article shows how to identify vulnerable sets of PMUs. Numerical results on the 39-bus IEEE benchmark system illustrate the feasibility of the proposed attack strategies.