Publications

Results 1–25 of 47

Noise-Immune Machine Learning and Autonomous Grid Control

IEEE Open Access Journal of Power and Energy

Obert, James O.; Trevizan, Rodrigo D.; Chavez, Adrian R.

Most recently, stochastic control methods such as deep reinforcement learning (DRL) have proven to be efficient and quick-converging methods in providing localized grid voltage control. Because of the random dynamical characteristics of grid reactive loads and bus voltages, such stochastic control methods are particularly useful in accurately predicting future voltage levels and in minimizing associated cost functions. Although DRL is capable of quickly inferring future voltage levels given specific voltage control actions, it is prone to high variance when the learning rate or discount factors are set for rapid convergence in the presence of bus noise. Evolutionary learning is also capable of minimizing cost functions and can be leveraged for localized grid control, but it does not infer future voltage levels given specific control inputs and instead simply selects those control actions that result in the best voltage control. For this reason, evolutionary learning is better suited than DRL for voltage control in noisy grid environments. To illustrate this, using a cyber adversary to inject random noise, we compare the use of evolutionary learning and DRL in autonomous voltage control (AVC) under noisy control conditions and show that it is possible to achieve a high mean voltage control using a genetic algorithm (GA). We show that the GA additionally can provide superior AVC to DRL with comparable computational efficiency. We illustrate that the superior noise immunity properties of evolutionary learning make it a good choice for implementing AVC in noisy environments or in the presence of random cyber-attacks.

Networked Microgrid Cybersecurity Architecture Design Guide: A New Jersey TRANSITGRID Use Case

Sangoleye, Fisayo; Johnson, Jay; Chavez, Adrian R.; Tsiropoulou, Eirini E.; Marton, Nicholas L.; Hentz, Charles R.; Yannarelli, Albert

Microgrids require reliable communication systems for equipment control, power delivery optimization, and operational visibility. To maintain secure communications, Microgrid Operational Technology (OT) networks must be defensible and cyber-resilient. The communication network must be carefully architected with appropriate cyber-hardening technologies to provide security defenders the data, analytics, and response capabilities to quickly mitigate malicious and accidental cyberattacks. In this work, we outline several best practices and technologies that can support microgrid operations (e.g., intrusion detection and monitoring systems, response tools, etc.). Then we apply these recommendations to the New Jersey TRANSITGRID use case to demonstrate how they would be deployed in practice.

Securing Inverter Communication: Proactive Intrusion Detection and Mitigation System to Tap, Analyze, and Act

Hossain-McKenzie, Shamina S.; Chavez, Adrian R.; Jacobs, Nicholas J.; Jones, Christian B.; Summers, Adam; Wright, Brian J.

The electric grid has undergone rapid, revolutionary changes in recent years, from the addition of advanced smart technologies to the growing penetration of distributed energy resources (DERs) to increased interconnectivity and communications. However, these added communications, access interfaces, and third-party software to enable autonomous control schemes and interconnectivity also expand the attack surface of the grid. To address the gap of DER cybersecurity and secure the grid-edge to motivate a holistic, defense-in-depth approach, a proactive intrusion detection and mitigation system (PIDMS) device was developed to secure PV smart inverter communications. The PIDMS was developed as a distributed, flexible bump-in-the-wire (BITW) solution for protecting PV smart inverter communications. Both cyber (network traffic) and physical (power system measurements) data are processed using network intrusion monitoring tools and custom machine learning algorithms for deep packet analysis and cyber-physical event correlation. The PIDMS not only detects abnormal events but also deploys mitigations to limit or eliminate system impact; the PIDMS communicates with peer PIDMSs at different locations using the MQTT protocol for increased situational awareness and alerting. The details of the PIDMS methodology and prototype development are detailed in this report as well as the evaluation results within a cyber-physical emulation environment and subsequent industry feedback.

Efficient DER Voltage Control Using Ensemble Deep Reinforcement Learning

Proceedings - 2022 5th International Conference on Artificial Intelligence for Industries, AI4I 2022

Obert, James O.; Trevizan, Rodrigo D.; Chavez, Adrian R.

To meet the challenges of low-carbon power generation, distributed energy resources (DERs) such as solar and wind power generators are now widely integrated into the power grid. Because of the autonomous nature of DERs, ensuring properly regulated output voltages of the individual sources to the grid distribution system poses a technical challenge to grid operators. Stochastic, model-free voltage regulation methods such as deep reinforcement learning (DRL) have proven effective in the regulation of DER output voltages; however, deriving an optimal voltage control policy using DRL over a large state space has a large computational time complexity. In this paper we illustrate a computationally efficient method for deriving an optimal voltage control policy using a parallelized DRL ensemble. Additionally, we illustrate the resiliency of the control ensemble when random noise is introduced by a cyber adversary.

Named Data Networking for DER Cybersecurity

Chavez, Adrian R.; Cordeiro, Patricia G.; Huang, Gary H.; Kitsos, Panayioti C.; La Pay, Trevor L.; Short, Austin S.; Summers, Adam

We present our research findings on the novel NDN protocol. In this work, we defined key attack scenarios for possible exploitation and detail software security testing procedures to evaluate the security of the NDN software. This work was done in the context of distributed energy resources (DER). The software security testing included an execution of unit tests and static code analyses to better understand the software rigor and the security that has been implemented. The results from the penetration testing are presented. Recommendations are discussed to provide additional defense for secure end-to-end NDN communications.

Design Considerations for Distributed Energy Resource Honeypots and Canaries

Johnson, Jay; Jencka, Louis A.; Ortiz, Timothy O.; Jones, Christian B.; Chavez, Adrian R.; Wright, Brian J.; Summers, Adam

There are now over 2.5 million Distributed Energy Resource (DER) installations connected to the U.S. power system. These installations represent a major portion of American electricity critical infrastructure and a cyberattack on these assets in aggregate would significantly affect grid operations. Virtualized Operational Technology (OT) equipment has been shown to provide practitioners with situational awareness and better understanding of adversary tactics, techniques, and procedures (TTPs). Deploying synthetic DER devices as honeypots and canaries would open new avenues of operational defense, threat intelligence gathering, and empower DER owners and operators with new cyber-defense mechanisms against the growing intensity and sophistication of cyberattacks on OT systems. Well-designed DER canary field deployments would deceive adversaries and provide early-warning notifications of adversary presence and malicious activities on OT networks. In this report, we present progress to design a high-fidelity DER honeypot/canary prototype in a late-start Laboratory Directed Research and Development (LDRD) project.

Proactive Intrusion Detection and Mitigation System: Case Study on Packet Replay Attacks in Distributed Energy Resource Systems

2021 IEEE Power and Energy Conference at Illinois, PECI 2021

Hossain-McKenzie, Shamina S.; Chavez, Adrian R.; Jacobs, Nicholas J.; Jones, Christian B.; Summers, Adam; Wright, Brian J.

The electric grid is rapidly being modernized with novel technologies, adaptive and automated grid-support functions, and added connectivity with internet-based communications and remote interfaces. These advancements render the grid increasingly 'smart' and cyber-physical, but also broaden the vulnerability landscape and potential for malicious, cascading disturbances. The grid must be properly defended with security mechanisms such as intrusion detection systems (IDSs), but these tools must account for power system behavior as well as network traffic to be effective. In this paper, we present a cyber-physical IDS, the proactive intrusion detection and mitigation system (PIDMS), that analyzes both cyber and physical data streams in parallel, detects intrusion, and deploys proactive response. We demonstrate the PIDMS with an exemplar case study exploring a packet replay attack scenario focused on photovoltaic inverter communications; the scenario is tested with an emulated, cyber-physical grid environment with hardware-in-the-loop inverters.

Review of Intrusion Detection Methods and Tools for Distributed Energy Resources

Lai, Christine; Chavez, Adrian R.; Jones, Christian B.; Jacobs, Nicholas J.; Hossain-McKenzie, Shamina S.; Johnson, Jay B.; Summers, Adam

Recent trends in the growth of distributed energy resources (DER) in the electric grid and newfound malware frameworks that target internet of things (IoT) devices are driving an urgent need for more reliable and effective methods for intrusion detection and prevention. Cybersecurity intrusion detection systems (IDSs) are responsible for detecting threats by monitoring and analyzing network data, which can originate either from networking equipment or end-devices. Creating intrusion detection systems for PV/DER networks is a challenging undertaking because of the diversity of the attack types and intermittency and variability in the data. Distinguishing malicious events from other sources of anomalies or system faults is particularly difficult. New approaches are needed that not only sense anomalies in the power system but also determine causational factors for the detected events. In this report, a range of IDS approaches were summarized along with their pros and cons. Using the review of IDS approaches and subsequent gap analysis for application to DER systems, a preliminary hybrid IDS approach to protect PV/DER communications is formed in the conclusion of this report to inform ongoing and future research regarding the cybersecurity and resilience enhancement of DER systems.

Cybersecurity of Networked Microgrids: Challenges, Potential Solutions, and Future Directions

Hossain-McKenzie, Shamina S.; Reno, Matthew J.; Bent, Russell; Chavez, Adrian R.

Networked microgrids are clusters of geographically-close, islanded microgrids that can function as a single, aggregate island. This flexibility enables customer-level resilience and reliability improvements during extreme event outages and also reduces utility costs during normal grid operations. To achieve this cohesive operation, microgrid controllers and external connections (including advanced communication protocols, protocol translators, and/or internet connection) are needed. However, these advancements also increase the vulnerability landscape of networked microgrids, and significant consequences could arise during networked operation, increasing cascading impact. To address these issues, this report seeks to understand the unique components, functions, and communications within networked microgrids and what cybersecurity solutions can be implemented and what solutions need to be developed. A literature review of microgrid cybersecurity research is provided and a gap analysis of what is additionally needed for securing networked microgrids is performed. Relevant cyber hygiene and best practices to implement are provided, as well as ideas on how cybersecurity can be integrated into networked microgrid design. Lastly, future directions of networked microgrid cybersecurity R&D are provided to inform next steps.

Cyber-physical observability for the electric grid

2020 IEEE Texas Power and Energy Conference, TPEC 2020

Jacobs, Nicholas J.; Hossain-McKenzie, Shamina S.; Summers, Adam; Jones, Christian B.; Wright, Brian J.; Chavez, Adrian R.

The penetration of Internet-of-Things (IoT) devices in the electric grid is growing at a rapid pace; from smart meters at residential homes to distributed energy resource (DER) system technologies such as smart inverters, various devices are being integrated into the grid with added connectivity and communications. Furthermore, with these increased capabilities, automated grid-support functions, demand response, and advanced communication-assisted control schemes are being implemented to improve the operation of the grid. These advancements render our power systems increasingly cyber-physical. It is no longer sufficient to only focus on the physical interactions, especially when implementing cybersecurity mechanisms such as intrusion detection systems (IDSs) and mitigation schemes that need to access both cyber and physical data. This new landscape necessitates novel methods and technologies to successfully interact and understand the overall cyber-physical system. Specifically, this paper will investigate the need and definition of cyber-physical observability for the grid.

Implementation of intrusion detection methods for distributed photovoltaic inverters at the grid-edge

2020 IEEE Power and Energy Society Innovative Smart Grid Technologies Conference, ISGT 2020

Jones, Christian B.; Chavez, Adrian R.; Darbali-Zamora, Rachid; Hossain-McKenzie, Shamina S.

Reducing the risk of cyber-attacks that affect the confidentiality, integrity, and availability of distributed Photovoltaic (PV) inverters requires the implementation of an Intrusion Detection System (IDS) at the grid-edge. Often, IDSs use signature or behavior-based analytics to identify potentially harmful anomalies. In this work, the two approaches are deployed and tested on a small, single-board computer; the computer is set up to monitor and detect malevolent traffic between an aggregator and a single PV inverter. The Snort, signature-based, analysis tool detected three of the five attack scenarios. The behavior-based analysis, which used an Adaptive Resonance Theory Artificial Neural Network, successfully identified four out of the five attacks. Each of the approaches ran on the single-board computer and decreased the chances of an undetected breach in the PV inverter's control system.

Distributed renewable energy resource trust metrics and secure routing

Computers & Security

Obert, James O.; Chavez, Adrian R.; Johnson, Jay

To ensure reliable and predictable service in the electrical grid between renewable distributed energy resources (DERs), it is important to gauge the level of trust present within critical components and DER aggregators (DERAs). Although trust throughout a smart grid is temporal and dynamically varies according to measured states, it is possible to accurately formulate communications and service level strategies based on such trust measurements. Utilizing an effective set of machine learning and statistical methods, it is shown that establishment of trust levels between DERAs using behavioral pattern analysis is possible. Further, it is also shown that the establishment of such trust can facilitate simple secure communications routing between DERAs. Providing secure routing between DERAs enables a grid operator to maintain service level agreements to its customers, reduce the attack surface and increase operational resiliency.

Graph-based event classification in grid security gateways

Proceedings - 2019 2nd International Conference on Artificial Intelligence for Industries, AI4I 2019

Obert, James O.; Chavez, Adrian R.

In recent years the use of security gateways (SG) located within the electrical grid distribution network has become pervasive. SGs in substations and renewable distributed energy resource aggregators (DERAs) protect power distribution control devices from cyber and cyber-physical attacks. When encrypted communications within a DER network are used, TCP/IP packet inspection is restricted to packet header behavioral analysis, which in most cases only allows the SG to perform anomaly detection of blocks of time-series data (event windows). Packet header anomaly detection calculates the probability of the presence of a threat within an event window, but fails in such cases where the unreadable encrypted payload contains the attack content. The SG system log (syslog) is a time-series record of behavioral patterns of network users and processes accessing and transferring data through the SG network interfaces. Threatening behavioral patterns in the syslog are measurable using both anomaly detection and graph theory. In this paper it will be shown that it is possible to efficiently detect the presence of and classify a potential threat within an SG syslog using light-weight anomaly detection and graph theory.

Hybrid Intrusion Detection System Design for Distributed Energy Resource Systems

2019 IEEE CyberPELS, CyberPELS 2019

Chavez, Adrian R.; Lai, Christine F.; Jacobs, Nicholas J.; Hossain-McKenzie, Shamina S.; Jones, Christian B.; Johnson, Jay B.; Summers, Adam

The integration of communication-enabled grid-support functions in distributed energy resources (DER) and other smart grid features will increase the U.S. power grid's exposure to cyber-physical attacks. Unwanted changes in DER system data and control signals can damage electrical infrastructure and lead to outages. To protect against these threats, intrusion detection systems (IDSs) can be deployed, but their implementation presents a unique set of challenges in industrial control systems (ICSs). New approaches need to be developed that not only sense cyber anomalies, but also detect undesired physical system behaviors. For DER systems, a combination of cyber security data and power system and control information should be collected by the IDS to provide insight into the nature of an anomalous event. This allows joint forensic analysis to be conducted to reveal any relationships between the observed cyber and physical events. In this paper, we propose a hybrid IDS approach that monitors and evaluates both physical and cyber network data in DER systems, and present a series of scenarios to demonstrate how our approach enables the cyber-physical IDS to achieve more robust identification and mitigation of malicious events on the DER system.
