One Breaker is Enough: Hidden Topology Attacks on Power Grids

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

A coordinated cyber-attack on grid meter readings and breaker statuses can lead to incorrect state estimation that can subsequently destabilize the grid. This paper studies cyber-attacks by an adversary that changes breaker statuses on transmission lines to affect the estimation of the grid topology. The adversary, however, is incapable of changing the value of any meter data and can only block recorded measurements on certain lines from being transmitted to the control center. The proposed framework, with limited resource requirements as compared to standard data attacks, thus extends the scope of cyber-attacks to grids secure from meter corruption. We discuss necessary and sufficient conditions for feasible attacks using a novel graph-coloring based analysis and show that an optimal attack requires breaker status change at only ONE transmission line. The potency of our attack regime is demonstrated through simulations on IEEE test cases.


💡 Research Summary

The paper introduces a novel class of cyber‑physical attacks on power‑grid state estimation that rely solely on manipulating breaker (circuit‑breaker) statuses and on jamming the communication of line‑flow measurements. Unlike traditional false‑data injection attacks, which require an adversary to alter the numerical values reported by meters in real time, the proposed “breaker‑jammer” attack changes only binary breaker states (from closed to open) and blocks the transmission of flow measurements on selected lines. Because breaker statuses change less frequently and are easier to tamper with, and because loss of flow data can be mistaken for ordinary communication drops, this attack model is both low‑cost and stealthy.

The authors model the power system as a graph G = (V,E) with buses as vertices and transmission lines as edges. The DC power‑flow model is used for state estimation, where the state vector x consists of bus voltage angles. The measurement vector z contains line‑flow measurements (z_f) and bus‑injection measurements (z_inj). The generalized state estimator (GSE) first determines the network topology from the breaker status matrix D, then estimates x from the measurements using the linear model z = Hx + e.

In the attack, the adversary selects a set of breakers to open, represented by a diagonal matrix D_a, and simultaneously jams a set of flow measurements, represented by T_a. The post‑attack topology is D – D_a and the set of available flow measurements is (T – T_a). The estimated state becomes x + c, where c is the hidden deviation the attacker wishes to introduce without triggering bad‑data detection.

From the DC equations the authors derive the following essential conditions for an undetectable attack:

  1. Flow‑measurement consistency – For any line whose breaker is opened, its flow measurement must be jammed; otherwise the residual (T – T_a) B M c would be non‑zero and the estimator would flag an error. This yields the constraint D_a · (T – T_a) = 0.

  2. Injection balance – Equation (6) shows that the sum of actual flows on attacked lines incident to a bus must be exactly compensated by changes in estimated flows on the remaining (unjammed) lines attached to that bus. This condition only involves buses that have injection meters.

  3. Uniqueness of the solution – The rank condition (7) ensures that after the attack the estimator still produces a unique solution for the state vector (up to the reference angle).

To interpret these algebraic constraints graphically, the authors introduce a graph‑coloring framework. They assign the same color to any two neighboring buses whose estimated angle deviation c is identical. Because unjammed flow measurements force c(a) = c(b), all buses connected by unjammed lines share a color. Consequently, the network is partitioned into colored groups separated by either jammed lines or lines whose breakers have been opened.

The colored groups are then collapsed into “super‑nodes”. A reduced graph $\hat G$ is constructed:

  • Each colored group becomes a super‑node (boundary buses with injection meters are kept separate).
  • Edges between super‑nodes correspond to original lines whose breakers remain closed but whose flow measurements are jammed (or are absent).
  • The injection at each super‑node equals the net actual flow on attacked lines incident to that super‑node (positive for inflow, negative for outflow).

In $\hat G$ the injection constraints take the form of a weighted Laplacian equation (8): $\sum_{b\in\hat N(a)} \hat B_{ab}(\hat c_a-\hat c_b)=\hat z^{inj}_a$. The number of independent color values is k – 1 (one color is fixed as the reference). Theorem 1 proves that for a feasible hidden attack the number of injection measurements at the boundary buses must be exactly k – 1. In other words, each distinct color (except the reference) must be anchored by at least one injection measurement.

A striking consequence of the analysis is that any feasible attack that changes multiple breakers can be reduced to an attack that changes only a single breaker. The authors show that if a set of breaker changes yields a feasible coloring, then selecting any one of those breakers and keeping the same jammed flows still satisfies all the coloring constraints, because the remaining colors can be merged without violating the injection equations. Thus the optimal (minimum‑resource) attack consists of:

  • Opening one breaker on a line that originally has a flow measurement.
  • Jamming the two flow measurements on that line (the line’s own flow measurement and the reciprocal measurement, if present).

No knowledge of the current state x or line susceptances B is required; the attacker only needs to know the meter placement (which lines have flow meters and which buses have injection meters).
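As an added illustration (this is not the paper's code), the screen below runs the coloring argument on a small constructed grid: for a chosen flow‑metered line it applies the one‑breaker attack shape just described (breaker opened, the line's own flow reading withheld), derives the colored groups from the flow readings that are still delivered, assembles the injection equations of the reduced graph, and checks the k − 1 count together with the rank condition. It assumes unit susceptances, takes boundary buses to be the endpoints of the opened line and of reduced‑graph edges, and requires k ≥ 2, since a single color leaves no hidden deviation to introduce.

```python
from fractions import Fraction

# Constructed 5-bus example grid (not from the paper). Lines are (bus_a, bus_b).
LINES = [(1, 2), (2, 3), (3, 4), (1, 4), (4, 5), (2, 5)]
FLOW_METERED = {(1, 2), (2, 3), (3, 4), (4, 5)}  # lines carrying a flow meter
INJ_METERED = {1, 5}                               # buses carrying an injection meter

def color_groups(lines, constraining):
    # Buses joined by a closed line whose flow reading still arrives share a color
    # (unjammed flow data forces c(a) == c(b)); any other line may separate groups.
    parent = {b: b for l in lines for b in l}
    find = lambda b: b if parent[b] == b else find(parent[b])
    for a, b in constraining:
        parent[find(a)] = find(b)
    return {b: find(b) for b in parent}

def rank(rows):  # exact rank of a small rational matrix (Gaussian elimination)
    m, r = [list(x) for x in rows], 0
    for c in range(len(m[0]) if m else 0):
        piv = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        m = [row if i == r else [x - row[c] / m[r][c] * y for x, y in zip(row, m[r])]
             for i, row in enumerate(m)]
        r += 1
    return r

def single_breaker_screen(lines, flow_metered, inj_metered, target):
    # Open `target` and withhold its flow reading (condition 1), then apply the summary's
    # count and rank conditions with unit susceptances (assumed). Returns (k, rows, passes).
    color = color_groups(lines, [l for l in flow_metered if l != target])
    colors = sorted(set(color.values()))
    col = {c: i - 1 for i, c in enumerate(colors)}  # colors[0] is the reference
    # Reduced-graph edges: closed lines with no delivered flow reading that join two
    # color groups.  Boundary buses touch such an edge or the opened line.
    crossing = [l for l in lines if l != target and l not in flow_metered
                and color[l[0]] != color[l[1]]]
    boundary = {b for l in crossing + [target] for b in l}
    rows = []
    for bus in sorted(boundary & inj_metered):  # one injection equation per bus
        row = [Fraction(0)] * (len(colors) - 1)
        for a, b in crossing:
            if bus in (a, b):  # B_ab (c_bus - c_other), reference column dropped
                for node, sign in ((bus, 1), (a + b - bus, -1)):
                    if col[color[node]] >= 0:
                        row[col[color[node]]] += sign
        rows.append(row)
    k = len(colors)
    return k, len(rows), k >= 2 and len(rows) == k - 1 and rank(rows) == k - 1
```

Running the screen over every metered line of the constructed grid shows lines (1,2) and (4,5) satisfying the conditions while (2,3) and (3,4) fail them; a planner can use the same loop to decide which breaker‑status and flow channels to protect first.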

The authors validate the theory with simulations on IEEE 14‑bus, 30‑bus, and 57‑bus test systems. In each case, a single breaker‑open plus the necessary flow‑jams produce a hidden deviation c that leaves the residual below the bad‑data detection threshold, so the estimator accepts an erroneous state. The resulting state error can cause line overloads, voltage violations, and abnormal locational marginal prices, demonstrating the practical impact of the attack.

Implications:

  • Existing detection schemes that focus on bad‑data in measurement values are insufficient because the attacker never alters numeric data.
  • Protection of breaker status telemetry (e.g., cryptographic authentication, redundant status verification) becomes critical.
  • Monitoring of communication loss patterns for flow measurements should be enhanced to distinguish intentional jamming from normal packet loss.
  • The graph‑coloring perspective provides a systematic way to assess vulnerability: networks with many colored groups and insufficient boundary injections are more susceptible.
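To make the second and third implications concrete, here is an added detection check (not from the paper) over two constructed SCADA scans: it pairs each closed‑to‑open breaker transition with the fate of that line's flow reading in the same scan, and separates those cases from missing readings on lines whose status did not change. It assumes that a genuinely opened line keeps delivering a near‑zero flow reading, so a status flip whose reading vanishes matches the pairing condition 1 requires of a hidden attack, while a status flip whose reading stays clearly non‑zero points to inconsistent status telemetry.

```python
# Constructed SCADA scans (not from the paper): line -> (breaker_closed, flow_MW or None).
# None means the flow reading did not reach the control center in that scan.
SCAN_PREV = {"L12": (True, 41.3), "L23": (True, -12.8), "L24": (True, 30.1),
             "L34": (True, 17.4), "L45": (True, 25.0)}
SCAN_CURR = {"L12": (True, 40.9), "L23": (False, -13.1), "L24": (False, None),
             "L34": (False, 0.2), "L45": (True, None)}

def breaker_flow_alerts(prev, curr, zero_tol=1.0):
    """Flag closed->open breaker transitions whose flow reading is withheld in the
    same scan (condition 1: an opened line stays hidden only if its flow measurement
    is missing) or is still clearly non-zero (status telemetry contradicted by the
    physics).  Assumption of this example: a genuinely opened line keeps reporting a
    near-zero flow, so L34 above is the benign case and raises nothing."""
    alerts = []
    for line, (closed_now, flow_now) in curr.items():
        closed_before = prev.get(line, (None, None))[0]
        if not (closed_before and not closed_now):
            continue  # no closed -> open transition on this line
        if flow_now is None:
            alerts.append((line, "opened with flow reading withheld"))
        elif abs(flow_now) > zero_tol:
            alerts.append((line, "opened but flow reading is non-zero"))
    return alerts

def ordinary_drops(curr, alerts):
    """Missing readings on lines with no status change: the baseline loss pattern
    against which the alert rate should be compared."""
    flagged = {line for line, _ in alerts}
    return sorted(line for line, (_, f) in curr.items() if f is None and line not in flagged)
```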

Future work suggested includes extending the analysis to AC state estimation, incorporating dynamic breaker status verification, designing robust detection algorithms that exploit temporal consistency of breaker states, and exploring coordinated multi‑breaker attacks that could bypass the single‑breaker optimality under more restrictive measurement configurations.

In summary, the paper establishes that a power‑grid attacker with modest capabilities—changing just one breaker and jamming two flow measurements—can stealthily corrupt the state estimation process, and it provides a rigorous graph‑theoretic framework to characterize and mitigate this previously under‑appreciated threat.

