Network attack risk assessment of power grid CPS System based on attacker’s perspective

Network attacks are one of the hidden dangers affecting the safe and stable operation of the power system. In this paper, potential attack paths are established through an association algorithm, the selection probability of each attack path is analysed by comprehensively considering the attacker's ability, the characteristics of the attack behaviour and the characteristics of the target network, and an improved directed acyclic probabilistic attack graph is established on that basis. At the same time, impact factors for the attack action layer and the attack target layer are established from the information side and the physical side, and the impact of the attack on the whole CPS system is analysed quantitatively, which improves the comprehensiveness and accuracy of the consequence analysis of network attacks. Through the above steps, the potential attack paths and the risk value of the system are obtained, and the risk level of the CPS system under the current attack is determined by the fuzzy evaluation method.


Introduction
With the construction of power grid automation systems and reliable sensor networks, and their deep integration with the ubiquitous information network and the energy network, the traditional power grid is gradually transforming into a power cyber-physical system (CPS) with wide collaboration and autonomic capacity between the information system and the physical system [1][2][3][4]. The development of CPS is bound to be accompanied by a gradual increase in the degree of dependency between the interdependent networks, so that a fault in the system on one side may propagate through the coupling between the systems and enlarge its damage consequences.
At present, in the risk assessment of power grid CPS, most research still analyses the risk of the information system and the risk of the physical power grid separately, as independent fragments.
Literature [5] analyses the security risks of the SCADA system in an actual business scenario, argues that it is difficult to guarantee the security of a SCADA system in a networked environment by physical isolation alone, since its remote terminal units (RTUs) may be attacked from the Internet, and briefly puts forward measures to improve system security from the perspective of network security. Literature [6] establishes a mathematical model for the firewall and the security password, the two most commonly used security protection measures, and evaluates the potential impact of network attacks on the power system in terms of load loss. However, that paper does not consider the effect of security vulnerabilities, the internal cause of network risk, on the CPS system risk caused by network attacks and on their propagation process. Literature [7] carries out a quantitative risk assessment of the information security of a substation automation system when its communication and information system suffers malicious attacks. Literature [8] specifically addresses the information security risk assessment of a power automatic meter reading system. Literature [9] presents a security risk calculation method for an intelligent substation system considering the failure effects of application-layer device software and power grid management service system software.
EEEP 2020 IOP Conf. Series: Earth and Environmental Science 675 (2021) 012161 IOP Publishing doi:10.1088/1755-1315/675/1/012161
Most of the above assessments address only the risk impact on the physical side under network attack and do not comprehensively consider the risk impact on the information side of the cyber-physical fusion system, so the assessment results are incomplete and have certain limitations.
To address these problems, various types of potential attack paths are constructed by an association algorithm, and the selection probability of each attack path is analysed based on the characteristics of different attack behaviours. Impact factors of the attack are constructed from the perspective of the attack's purpose, and the risk of each potential attack path of the power grid is obtained. Analysing the risk level caused by an attack on the power grid CPS system can provide a new perspective for research on security analysis and protection methods, and an accurate basis for grid operators to formulate defensive measures.

Improved basic structure of the network attack graph
The basic structure of the improved network attack graph is shown in Figure 1. Firstly, an improved directed acyclic probabilistic attack graph $PAG=(N,E,P,C)$ is established, where $N$ is the set of nodes in the attack graph; $E$ is the set of directed edges, whose physical significance is the rule applied between nodes, namely their causal relationship; $P$ is a probability table attached to each directed edge, whose physical significance is the probability that the attacker chooses this attack path; and $C$ is the impact factor of each node, representing the influence of that node on the CPS system after it fails.
Based on graph theory, the attack graph model is designed as a three-layer structure with node set $N = A \cup I \cup G$, whose layers correspond to the attacker's perspective (attack actions), the information side and the physical side, so that the relations between the weak links seen from these three angles are captured.

Improved network attack graph path creation
The reverse search method can be used to build the attack graph from the attacker's perspective, deducing the potential attack paths backwards from the final attack target. Taking an attack target layer node and an attack action layer node as an example, the steps for establishing the association relationship between nodes are as follows:
(1) Obtain the primary-side and secondary-side abnormal data indicators and the network attack actions from the CPS historical operation database. Mark the primary-side abnormal operation indicators as $I_1, I_2, \ldots$, the secondary-side abnormal operation indicators as $F_1, F_2, \ldots$ and the network attack actions as $A_1, A_2, \ldots, A_k$, and establish the item collection $I$ from them.
(2) According to the historical operation data, list the transaction set $T = \{t_1, t_2, \ldots\}$ of abnormal operating indicators, where each transaction $t_i$ is an event that has occurred historically and contains an item collection that is a subset of $I$.
(3) Scan the abnormal operation indicators of the transaction set $T$, set the support degree according to the specific spatial and temporal scene, and iteratively mine the frequent item sets $F$.
(4) Generate association rules from the frequent item sets and keep the strong association rules that satisfy the minimum confidence.

Probabilistic prediction model of network attack
(1) The difficulty level for the attacker of utilizing the weak links in the CPS system. Referring to the construction of CVSS (Common Vulnerability Scoring System), the vulnerability rating system for communication networks, a scoring system for the difficulty of utilizing a weak link in the CPS environment is established from three points: the attacker's utilization method, the utilization complexity $comp$ and the degree of defense resource allocation $K_i$ of the node:
Here the coefficient in the formula is the Pareto distribution coefficient. The greater the value of $E_i$, the more difficult it is to utilize the weak link of the equipment. The defense intensity $K_i$ is based on the attacks launched historically by the attacker; the feedback obtained from those attack data can be used to determine the defense rating $D_i$ of the current target equipment.
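The association-rule mining of steps (1) to (4) in the previous section (scan the transaction set, mine frequent item sets with a support threshold, keep rules that reach the minimum confidence) is shown below as an added worked example; it is not code from the paper. The transaction set, the item names (A* for attack actions, I* for primary-side and F* for secondary-side abnormal indicators), the thresholds and the final filter that keeps only rules of the form "attack action -> abnormal indicators" as candidate attack-graph edges are all assumptions made for the example.

```python
from itertools import combinations

# Constructed sample transaction set T (not taken from the paper). Each
# transaction is the set of items recorded together for one historical event:
# A* = network attack actions, I* = primary-side abnormal indicators,
# F* = secondary-side abnormal indicators.
TRANSACTIONS = [
    {"A1", "F1", "I1"}, {"A1", "F1", "I1"}, {"A1", "F1"},
    {"A2", "F2", "I2"}, {"A2", "F2", "I2"}, {"A2", "F2"},
    {"A1", "F2", "I1"}, {"A3", "I2"}, {"A3", "F2", "I2"},
    {"A1", "A3", "F1", "I1"},
]


def count(itemset, transactions):
    """Number of transactions that contain every item of `itemset`."""
    return sum(1 for t in transactions if itemset <= t)


def apriori(transactions, min_support):
    """Step (3): level-wise mining of the frequent item sets F.
    Returns {frozenset(items): support} for every item set whose support
    (fraction of transactions containing it) is at least `min_support`."""
    n = len(transactions)
    level = [frozenset([i]) for i in sorted({i for t in transactions for i in t})]
    frequent = {}
    k = 1
    while level:
        kept = {}
        for cand in level:
            sup = count(cand, transactions) / n
            if sup >= min_support:
                kept[cand] = sup
        frequent.update(kept)
        # Join frequent k-sets into (k+1)-candidates and prune any candidate
        # that has an infrequent k-subset (the Apriori property).
        cands = set()
        for a, b in combinations(sorted(kept, key=sorted), 2):
            u = a | b
            if len(u) == k + 1 and all(frozenset(s) in kept for s in combinations(u, k)):
                cands.add(u)
        level = sorted(cands, key=sorted)
        k += 1
    return frequent


def strong_rules(frequent, min_confidence):
    """Step (4): rules X -> Y (X, Y disjoint, X | Y frequent) whose confidence
    support(X | Y) / support(X) reaches `min_confidence`."""
    out = []
    for itemset, sup in frequent.items():
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                conf = sup / frequent[ante]
                if conf >= min_confidence:
                    out.append((ante, itemset - ante, sup, conf))
    return out


def attack_edges(transactions, min_support=0.2, min_confidence=0.6):
    """Candidate attack-graph edges (assumed filter): strong rules whose
    antecedent is a single attack action and whose consequent contains only
    abnormal indicators. Entries are (action, sorted consequent, support, confidence)."""
    edges = []
    for ante, cons, sup, conf in strong_rules(apriori(transactions, min_support), min_confidence):
        if len(ante) != 1:
            continue
        action = next(iter(ante))
        if action.startswith("A") and not any(c.startswith("A") for c in cons):
            edges.append((action, tuple(sorted(cons)), round(sup, 2), round(conf, 2)))
    return sorted(edges)


if __name__ == "__main__":
    for edge in attack_edges(TRANSACTIONS):
        print(edge)
```

With the constructed data, `attack_edges(TRANSACTIONS)` yields seven candidate edges, for instance `("A1", ("F1",), 0.4, 0.8)` and `("A2", ("F2", "I2"), 0.2, 0.67)`; the confidence of each rule is what the paper's later step uses as the attacker's evidence for a causal edge between an attack action and the indicators it produces. The support and confidence thresholds must be chosen per scene, as step (3) says: too low a support admits one-off coincidences as edges, too high a confidence discards multi-cause indicators.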
The attacker obtains the general defense level $D$, the current time scene $T$ and the space scene $S$ of the target network through prior data collection. Since there is a certain correlation between the three factors, the logarithmic synthesis method is used to calculate the defense resource allocation degree of equipment $i$ at location $S$ within time period $T$ as follows:
(2) Failure probability of CPS system equipment after attack. The influence of the repair degree of the weak links of the power grid CPS on the failure probability of equipment after an attack is considered: the longer a weak link has existed in the current target CPS system, the higher the probability that it has been found and repaired, and the lower the probability that it fails after being attacked. Therefore, the average repair degree of the weak links in the power grid CPS is given by the following formula, in which $t_i$ is the existence time of the weak link and the remaining parameter is the Weibull distribution parameter. The higher the value of the average repair degree $R_i^{av}$, the higher the repair degree of the target network and the lower the probability of failure after being attacked.
At the same time, the recovery probability of an infected equipment node can also be expressed by this formula.
(3) The degree of penetration of the current node's equipment information by the attacker. Given the attacker's understanding of each information node, the probability that a node is destroyed under the attacker's current information accuracy is given by the following formula. Synthesizing the utilization difficulty $E_i$ of the target weak link, the average repair degree $R_i^{av}$ and the information factor describing what the attacker knows about the weak link, the probability model attached to the $i$-th directed edge, indicating that the attacker chooses to attack this path, is established as follows:

Network attack impact factor
(1) Attack action layer impact factor
The variable weight coefficient method is used to characterize the influence of different types of network attacks on the availability, integrity and confidentiality of information, which provides a basis for subsequent attack behaviour discovery and defence strategy formulation. Firstly, the constant weight $W_i$ of each of the above three elements is set to 1/3. Secondly, the security indexes of the information equipment are classified and sorted, and the single state indexes $x_{i,j}$ under each of the three comprehensive state elements are scored, giving the rating $x_i$ of each comprehensive state index; the variable weight coefficient of the security index of the information equipment function is then given by the following formula, in which $n$ is the number of single state indexes included in the comprehensive state index, $x_j$ is the score of a single state index and $W_j$ is the weight of a single state index, here set to $1/n$. In the formula, $i \in \{1,2,3\}$ corresponds respectively to the confidentiality, integrity and availability of the information equipment functions. Each comprehensive state indicator is mapped to the single state indicators used for the information-function impact.
The variable weight coefficients of the three comprehensive indicators are obtained by the above formula, and the functional impact factor of the network attack on the $i$-th cyber equipment in the CPS system is obtained by substituting them into the following formula:
(2) Attack target layer impact factor
The impact factor of the attack target layer considers the degree of impact on the CPS system after the final removal or failure of physical-side elements when a network attack aimed at destroying grid stability succeeds. In this paper, the impact factors of the attack target layer are established by combining the structural and functional impact factors of the physical-side abnormalities caused by the network attack.
The electrical topology importance index and the connectivity-rate impact index are established from the structural perspective.
1) Electrical topology importance factor. Suppose there are $S$ branches between node $i$ and node $j$ on the physical side of the power grid, and the impedance of each branch is 1. For a physical-side network with $M$ nodes and $N$ branches, the sum of the equivalent impedances of all node pairs is defined as the electrical topological quantity of the network. When a line is mis-cut because of a network attack, the electrical topology importance factor of that line in the system is given by the following formula, in which $Z_k$ is the equivalent impedance of the mis-cut circuit; the larger $C_T$ is, the greater the impact of breaking the branch on the system.
2) Connectivity impact factor. Assume that, before the network attack occurs, the number of branches contained in the largest connected domain of the target network is $N_0$. When a network attack risk event occurs, the number of branches contained in the remaining connected area of the network is $N_K$. The connectivity impact factor of the line is then given by the following formula.
The impact factors of voltage and loss of electric quantity are established from the functional perspective.
3) Voltage impact factor. Assume that the upper and lower voltage limits of physical-side node $i$ of the system before the network attack are known. After the network attack risk event occurs, the node voltage quality is affected, causing a system node voltage drop $u_k$; the node voltage impact factor is:
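The two structural factors above, the electrical topological quantity of item 1) (sum of the equivalent impedance over all node pairs, each branch of unit impedance) and the branch counts $N_0$ and $N_K$ of item 2), are computed below for a small constructed network as an added example; it is not code from the paper. The equivalent impedance is obtained by grounding one node of the pair, injecting a unit current at the other and solving the reduced Laplacian. The paper's formulas for $C_T$ and for the connectivity factor are not reproduced on the page, so the combinations returned here (relative increase of the topological quantity after the cut, and the ratio $N_K/N_0$) are assumptions made for the example, as are the network and the cut lines.

```python
from itertools import combinations

# Constructed physical-side network (not from the paper): nodes 0..3 joined by
# unit-impedance branches. Node 3 hangs off node 2 of the triangle 0-1-2.
N_NODES = 4
BRANCHES = [(0, 1), (1, 2), (0, 2), (2, 3)]


def components(n_nodes, branches):
    """Connected components of the network as a list of node sets (union-find)."""
    parent = list(range(n_nodes))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in branches:
        parent[find(a)] = find(b)
    groups = {}
    for v in range(n_nodes):
        groups.setdefault(find(v), set()).add(v)
    return list(groups.values())


def largest_component_branches(n_nodes, branches):
    """Branch count of the largest connected domain (N_0 before, N_K after a cut)."""
    return max(sum(1 for a, b in branches if a in comp and b in comp)
               for comp in components(n_nodes, branches))


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                for k in range(c, n + 1):
                    M[r][k] -= f * M[c][k]
    return [M[i][n] / M[i][i] for i in range(n)]


def equivalent_impedance(n_nodes, branches, i, j, z=1.0):
    """Equivalent impedance between nodes i and j: ground node j, inject 1 A at
    node i and read the potential of i from the reduced Laplacian (branches z ohm)."""
    L = [[0.0] * n_nodes for _ in range(n_nodes)]
    for a, b in branches:
        L[a][a] += 1 / z
        L[b][b] += 1 / z
        L[a][b] -= 1 / z
        L[b][a] -= 1 / z
    keep = [v for v in range(n_nodes) if v != j]
    A = [[L[r][c] for c in keep] for r in keep]
    rhs = [1.0 if v == i else 0.0 for v in keep]
    return solve(A, rhs)[keep.index(i)]


def topology_quantity(n_nodes, branches):
    """Electrical topological quantity: sum of equivalent impedance over all node
    pairs. None when the network is no longer connected (impedance is infinite)."""
    if len(components(n_nodes, branches)) > 1:
        return None
    return sum(equivalent_impedance(n_nodes, branches, i, j)
               for i, j in combinations(range(n_nodes), 2))


def line_cut_factors(n_nodes, branches, cut):
    """Structural factors for mis-cutting branch `cut`. ASSUMED combinations:
    C_T = relative increase of the topological quantity, connectivity = N_K / N_0."""
    before = topology_quantity(n_nodes, branches)
    remaining = [b for b in branches if b != cut]
    after = topology_quantity(n_nodes, remaining)
    n0 = largest_component_branches(n_nodes, branches)
    nk = largest_component_branches(n_nodes, remaining)
    return {
        "C_T": None if after is None else (after - before) / before,
        "N_0": n0,
        "N_K": nk,
        "connectivity": nk / n0,
    }


if __name__ == "__main__":
    for line in BRANCHES:
        print(line, line_cut_factors(N_NODES, BRANCHES, line))
```

On this network the topological quantity before any cut is 19/3. Cutting branch (0, 1) raises it to 9 (relative increase 8/19), cutting (1, 2) raises it to 10 (11/19), so the branch whose loss forces more current through the pendant-carrying node ranks as more important, which is the ordering the paper's $C_T$ is meant to express. Cutting (2, 3) islands node 3: the topological quantity is no longer finite and the connectivity factor, with $N_K = 3$ of $N_0 = 4$ branches remaining, is what captures the damage.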

Network attack risk rating
Based on the classical principle of risk assessment, target risk = probability of occurrence × consequence of the event, together with the above analysis results, the risk of the CPS system when an attacker chooses to attack a certain path is given by the following formula, in which the impact factor is that of the occurrence of the node event. In the attack graph, realization of the attack target is the joint result of multi-step node attacks, so the risk of an attacker choosing an attack path is the path risk $R^i_{path}$. Firstly, the number of network attack risk levels is set to 5, and the fuzzy comprehensive evaluation method is used to classify the risk level caused by the current network attack. The alternative set in fuzzy space is divided into 5 levels: {very low, low, medium, high, very high}.
Isosceles triangle membership functions are used to construct the membership functions for grading the operation state.
The risk impact index evaluation matrix $R_i$ is composed with its weight matrix through the adopted fuzzy operator, for which the $M$ composition model is used.
Finally, the comprehensive fuzzy subset of the system under the current attack, with one membership degree for each of the five levels, is obtained, and the maximum membership degree method is used to describe the risk level of the system under the current attack.
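The grading procedure of this section (isosceles triangle membership functions over the five levels, an evaluation matrix composed with a weight vector, and the maximum membership degree rule) is shown below as an added example; it is not code from the paper. The paper does not fix the level centres, the triangle width, the weight vector or the operator symbols, so the centres 0.1 to 0.9 on a normalised risk scale, the half-width 0.2, the equal weights and the $M(\cdot,+)$ weighted-sum composition are assumptions made for the example, as are the input risk index values.

```python
LEVELS = ["very low", "low", "medium", "high", "very high"]
# ASSUMED: level centres on a normalised [0, 1] risk scale and the half-base of
# the isosceles triangles (neighbouring triangles overlap, so a value always
# has non-zero membership somewhere).
CENTRES = [0.1, 0.3, 0.5, 0.7, 0.9]
HALF_WIDTH = 0.2


def triangle_membership(x):
    """Membership of risk value x in each of the 5 levels, using isosceles
    triangular membership functions. The outer levels are clamped so that a
    value beyond the outermost centres still belongs fully to that level."""
    mu = []
    last = len(CENTRES) - 1
    for k, c in enumerate(CENTRES):
        if (k == 0 and x <= c) or (k == last and x >= c):
            mu.append(1.0)
        else:
            mu.append(max(0.0, 1 - abs(x - c) / HALF_WIDTH))
    return mu


def evaluate(risk_values, weights):
    """Fuzzy comprehensive evaluation of one attack path.
    risk_values: normalised value of each risk impact index (rows of R_i);
    weights: weight of each index, summing to 1.
    Composition uses the ASSUMED M(., +) operator, i.e. B = W . R.
    Returns (B, level) where level is chosen by maximum membership degree."""
    if abs(sum(weights) - 1) > 1e-9:
        raise ValueError("weights must sum to 1")
    R = [triangle_membership(x) for x in risk_values]
    B = [sum(w * row[k] for w, row in zip(weights, R)) for k in range(len(LEVELS))]
    best = max(range(len(B)), key=B.__getitem__)
    return B, LEVELS[best]


if __name__ == "__main__":
    # Constructed example: four impact indexes of one path with equal weights.
    B, level = evaluate([0.35, 0.62, 0.5, 0.74], [0.25] * 4)
    print([round(b, 4) for b in B], level)
```

For the constructed input the comprehensive fuzzy subset is approximately (0, 0.1875, 0.4125, 0.35, 0.05), so the path is graded "medium" even though two of its four indexes lean "high"; with the $M(\cdot,+)$ operator every index contributes in proportion to its weight, whereas the $M(\wedge,\vee)$ operator would let a single dominant index decide the grade, which is the choice a defender should make deliberately before trusting the resulting level.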

The example analysis
The cyber-physical interaction node is located in the IEEE-57 system, with its upper layer connected to information-side node C14 of the IEEE-57 system and its lower layer connected to physical-side bus 8; a mobile attack-and-defence platform simulates a network attack launched by a network attacker. The impact factors of the attack in the attack action layer are obtained as shown in Table 1. Since the above three typical attack types ultimately cause the circuit breaker of this workstation to lose control, the evaluation results of the impact indexes after the failure of the physical side are shown in Table 2.

Conclusions
Starting from the concept of security assessment, this paper establishes the potential attack paths through an association algorithm. Considering the attacker's ability, the characteristics of the attack behaviour and the characteristics of the target network, the selection probability of each attack path is analysed. According to the two-layer coupled topology model of the target network, the impact factors of the attack action layer and the attack target layer are established from the information side and the physical side, and the degree of impact of the attack on the CPS system is analysed quantitatively, which improves the comprehensiveness and accuracy of the consequence analysis of the network attack. Based on the above steps, the risk of each potential attack path is obtained, and from it the risk level caused by the attack on the power grid CPS system; the current network attack risk level is then graded by the fuzzy comprehensive evaluation method. Finally, an example is given to analyse the application.