Cyber-physical systems have behaviour that crosses domain boundaries during events such as planned operational changes and malicious disturbances. Traditionally, the cyber and physical systems are monitored separately and use very different toolsets and analysis paradigms. The security and privacy of these cyber-physical systems requires improved understanding of the combined cyber-physical system behaviour and methods for holistic analysis. Therefore, the authors propose leveraging clustering techniques on cyber-physical data from smart grid systems to analyse differences and similarities in behaviour during cyber-, physical-, and cyber-physical disturbances. Since clustering methods are commonly used in data science to examine statistical similarities in order to sort large datasets, these algorithms can assist in identifying useful relationships in cyber-physical systems. Through this analysis, deeper insights can be shared with decision-makers on what cyber and physical components are strongly or weakly linked, what cyber-physical pathways are most traversed, and the criticality of certain cyber-physical nodes or edges. This paper presents several types of clustering methods for cyber-physical graphs of smart grid systems and their application in assessing different types of disturbances for informing cyber-physical situational awareness. The collection of these clustering techniques provide a foundational basis for cyber-physical graph interdependency analysis.
The report summarizes the work and accomplishments of DOE SETO funded project 36533 “Adaptive Protection and Control for High Penetration PV and Grid Resilience”. In order to increase the amount of distributed solar power that can be integrated into the distribution system, new methods for optimal adaptive protection, artificial intelligence or machine learning based protection, and time domain traveling wave protection are developed and demonstrated in hardware-in-the-loop and a field demonstration.
The power grid, traditionally perceived as an independent physical network has undergone a significant transformation in recent years due to its integration with cyber communication networks and modern digital components. Cyber situations, including cyber-attacks and network anomalies, can directly affect the physical operation of the grid; therefore, studying this intricate relationship between the physical and cyber systems is pivotal for enhancing the resilience and security of modern power systems. In this digest, a novel Long Short-Term Memory (LSTM)-based Autoencoder (AE) model for cyber-physical data fusion and threat detection is proposed. The scenario under consideration includes the effective detection of a physical disturbance and a Denial-of-Service (DoS) attack, which obstructs control commands during the physical disturbance in the power grid. Detailed analysis and quantitative results regarding the LSTM-based AE model's training and evaluation phases is provided, which highlight its key operation features and benefits for guaranteeing security and resilience in the power grid.
This paper presents a methodology for simultaneous fault detection, classification, and topology estimation for adaptive protection of distribution systems. The methodology estimates the probability of the occurrence of each one of these events by using a hybrid structure that combines three sub-systems, a convolutional neural network for topology estimation, a fault detection based on predictive residual analysis, and a standard support vector machine with probabilistic output for fault classification. The input to all these sub-systems is the local voltage and current measurements. A convolutional neural network uses these local measurements in the form of sequential data to extract features and estimate the topology conditions. The fault detector is constructed with a Bayesian stage (a multitask Gaussian process) that computes a predictive distribution (assumed to be Gaussian) of the residuals using the input. Since the distribution is known, these residuals can be transformed into a Standard distribution, whose values are then introduced into a one-class support vector machine. The structure allows using a one-class support vector machine without parameter cross-validation, so the fault detector is fully unsupervised. Finally, a support vector machine uses the input to perform the classification of the fault types. All three sub-systems can work in a parallel setup for both performance and computation efficiency. We test all three sub-systems included in the structure on a modified IEEE123 bus system, and we compare and evaluate the results with standard approaches.
As the electric grid becomes increasingly cyber-physical, it is important to characterize its inherent cyber-physical interdepedencies and explore how that characterization can be leveraged to improve grid operation. It is crucial to investigate what data features are transferred at the system boundaries, how disturbances cascade between the systems, and how planning and/or mitigation measures can leverage that information to increase grid resilience. In this paper, we explore several numerical analysis and graph decomposition techniques that may be suitable for modeling these cyber-physical system interdependencies and for understanding their significance. An augmented WSCC 9-bus cyber-physical system model is used as a small use-case to assess these techniques and their ability in characterizing different events within the cyber-physical system. These initial results are then analyzed to formulate a high-level approach for characterizing cyber-physical interdependencies.
The harmonized automatic relay mitigation of nefarious intentional events (HARMONIE) special protection scheme (SPS) was developed to provide adaptive, cyber-physical response to unpredictable disturbances in the electric grid. The HARMONIE-SPS methodology includes a machine learning classification framework that analyzes real time cyber-physical data and determines if the system is in normal conditions, cyber disturbance, physical disturbance, or cyber-physical disturbance. This classification then informs response, if needed and/or suitable, and included cyber-physical corrective actions. Beyond standard power system mitigations, a few novel approaches were developed that included a consensus algorithm-based relay voting scheme, an automated power system triggering condition and corrective action pairing algorithm, and a cyber traffic routing optimization algorithm. Both the classification and response techniques were tested within a newly integrated emulation environment composed of a real-time digital simulator (RTDS) and SCEPTRE™. This report details the HARMONIE-SPS methodology, highlighting both the classification and response techniques, and the subsequent testing results from the emulation environment.
The electric grid has undergone rapid, revolutionary changes in recent years; from the addition of advanced smart technologies to the growing penetration of distributed energy resources (DERs) to increased interconnectivity and communications. However, these added communications, access interfaces, and third-party software to enable autonomous control schemes and interconnectivity also expand the attack surface of the grid. To address the gap of DER cybersecurity and secure the grid-edge to motivate a holistic, defense-in-depth approach, a proactive intrusion detection and mitigation system (PIDMS) device was developed to secure PV smart inverter communications. The PIDMS was developed as a distributed, flexible bump-in-the-wire (BITW) solution for protecting PV smart inverter communications. Both cyber (network traffic) and physical (power system measurements) are processed using network intrusion monitoring tools and custom machinelearning algorithms for deep packet analysis and cyber-physical event correlation. The PIDMS not only detects abnormal events but also deploys mitigations to limit or eliminate system impact; the PIDMS communicates with peer PIDMSs at different locations using the MQTT protocol for increased situational awareness and alerting. The details of the PIDMS methodology and prototype development are detailed in this report as well as the evaluation results within a cyber-physical emulation environment and subsequent industry feedback.
Communication-assisted adaptive protection can improve the speed and selectivity of the protection system. However, in the event, that communication is disrupted to the relays from the centralized adaptive protection system, predicting the local relay protection settings is a viable alternative. This work evaluates the potential for machine learning to overcome these challenges by using the Prophet algorithm programmed into each relay to individually predict the time-dial (TDS) and pickup current (IPICKUP) settings. A modified IEEE 123 feeder was used to generate the data needed to train and test the Prophet algorithm to individually predict the TDS and IPICKUP settings. The models were evaluated using the mean average percentage error (MAPE) and the root mean squared error (RMSE) as metrics. The results show that the algorithms could accurately predict IPICKUP setting with an average MAPE accuracy of 99.961%, and the TDS setting with a average MAPE accuracy of 94.32% which is sufficient for protection parameter prediction.
Unpredictable disturbances with dynamic trajectories such as extreme weather events and cyber attacks require adaptive, cyber-physical special protection schemes to mitigate cascading impact in the electric grid. A harmonized automatic relay mitigation of nefarious intentional events (HARMONIE) special protection scheme (SPS) is being developed to address that need. However, for evaluating the HARMONIE-SPS performance in classifying system disturbances and mitigating consequences, a cyber-physical testbed is required to further development and validate the methodology. In this paper, we present a design for a co-simulation testbed leveraging the SCEPTRE™ platform and the real-time digital simulator (RTDS). The integration of these two platforms is detailed, as well as the unique, specific needs for testing HARMONIE-SPS within the environment. Results are presented from tests involving a WSCC 9-bus system with different load shedding scenarios with varying cyber-physical impact.
Adaptive protection is defined as a real-time system that can modify the protective actions according to the changes in the system condition. An adaptive protection system (APS) is conventionally coordinated through a central management system located at the distribution system substation. An APS depends significantly on the communication infrastructure to monitor the latest status of the electric power grid and send appropriate settings to all of the protection relays existing in the grid. This makes an APS highly vulnerable to communication system failures (e.g., broken communication links due to natural disasters as well as wide-range cyber-attacks). To this end, this paper presents the addition of local adaptive modular protection (LAMP) units to the protection system to guarantee its reliable operation under extreme events when the operation of the APS is compromised. LAMP units operate in parallel with the conventional APS. As a backup, if APS fails to operate because of an issue in the communication system, LAMP units can accommodate a reliable fault detection and location on behalf of the protection relay. The performance of the proposed APS is verified using IEEE 123 node test system.
For the protection engineer, it is often the case, that full coverage and thus perfect selectivity of the system is not an option for protection devices. This is because perfect selectivity requires protection devices on every line section of the network. Due to cost limitation, relays may not be placed on each branch of a network. Therefore, a method is needed to allow for optimal coordination of relays with sparse relay placement. In this paper, methods for optimal coordination of networks with sparse relay placement introduced in prior work are applied to a system where both overcurrent and distance relays are present. Additionally, a method for defining primary (Zone 1) and secondary (Zone 2) protection zones for the distance relays in such a sparse system is proposed. The proposed method is applied to the IEEE 123-bus test case. The proposed method is found to successfully coordinate the system while also limiting the maximum relay operating time to 1.78s which approaches the theoretical lower bound of 1.75s.
Penetration of the power grid by renewable energy sources, distributed storage, and distributed generators is becoming more widespread. Increased utilization of these distributed energy resources (DERs) has given rise to additional protection concerns. With radial feeders terminating in DERs or in microgrids containing DERs, standard non-directional radial protection may be rendered useless. Moreover, coordination will first require the protection engineer to determine what combination of directional and nondirectional elements is required to properly protect the system at a reasonable cost. In this paper, a method is proposed to determine the type of protection that should be placed on each line. Further, an extreme cost constraint is assumed so that an attempt is made to protect a meshed network using only overcurrent protection devices. A method is proposed where instantaneous reclosers are placed in locations that cause the system to temporarily become radial when a fault occurs. Directional and nondirectional overcurrent (OC) relays are placed in locations that allow for standard radial coordination techniques to be utilized while the reclosers are open to clear any sustained faults. The proposed algorithm is found to effectively determine the placement of protection devices while utilizing a minimal number of directional devices. Additionally, it was shown for the IEEE 14-bus case that the proposed relay placement algorithm results in a system where relay coordination remains feasible.
There are now over 2.5 million Distributed Energy Resource (DER) installations connected to the U.S. power system. These installations represent a major portion of American electricity critical infrastructure and a cyberattack on these assets in aggregate would significantly affect grid operations. Virtualized Operational Technology (OT) equipment has been shown to provide practitioners with situational awareness and better understanding of adversary tactics, techniques, and procedures (TTPs). Deploying synthetic DER devices as honeypots and canaries would open new avenues of operational defense, threat intelligence gathering, and empower DER owners and operators with new cyber-defense mechanisms against the growing intensity and sophistication of cyberattacks on OT systems. Well-designed DER canary field deployments would deceive adversaries and provide early-warning notifications of adversary presence and malicious activities on OT networks. In this report, we present progress to design a high-fidelity DER honeypot/canary prototype in a late-start Laboratory Directed Research and Development (LDRD) project.
We present our research findings on the novel NDN protocol. In this work, we defined key attack scenarios for possible exploitation and detail software security testing procedures to evaluate the security of the NDN software. This work was done in the context of distributed energy resources (DER). The software security testing included an execution of unit tests and static code analyses to better understand the software rigor and the security that has been implemented. The results from the penetration testing are presented. Recommendations are discussed to provide additional defense for secure end-to-end NDN communications.
The electric grid is becoming increasingly cyber-physical with the addition of smart technologies, new communication interfaces, and automated grid-support functions. Because of this, it is no longer sufficient to only study the physical system dynamics, but the cyber system must also be monitored as well to examine cyber-physical interactions and effects on the overall system. To address this gap for both operational and security needs, cyber-physical situational awareness is needed to monitor the system to detect any faults or malicious activity. Techniques and models to understand the physical system (the power system operation) exist, but methods to study the cyber system are needed, which can assist in understanding how the network traffic and changes to network conditions affect applications such as data analysis, intrusion detection systems (IDS), and anomaly detection. In this paper, we examine and develop models of data flows in communication networks of cyber-physical systems (CPSs) and explore how network calculus can be utilized to develop those models for CPSs, with a focus on anomaly and intrusion detection. This provides a foundation for methods to examine how changes to behavior in the CPS can be modeled and for investigating cyber effects in CPSs in anomaly detection applications.