2023 | Book

Power Systems Cybersecurity

Methods, Concepts, and Best Practices

Edited by: Hassan Haes Alhelou, Nikos Hatziargyriou, Zhao Yang Dong

Publisher: Springer International Publishing

Book series: Power Systems

About this book

This book covers power systems cybersecurity.

In order to enhance overall stability and security in wide-area cyber-physical power systems and defend against cyberattacks, new resilient operation, control, and protection methods are required. Cyberattack-resilient control methods improve overall cybersecurity and stability in normal and abnormal operating conditions, while cyberattack-resilient protection schemes maintain secure operation of a system under the most severe contingencies and cyberattacks. The main subjects covered in the book are: 1) new tolerant and cyberattack-resilient control and protection methods for future power systems, 2) new methods for cyberattack detection and cybersecurity assessment, and 3) practical issues in modern power systems.

Table of contents

Frontmatter
A Comprehensive Review on Cyber-Attack Detection and Control of Microgrid Systems
Abstract
With the rapid growth of Microgrid (MG) systems and the development of advanced computing technologies and communication networks, all of which improve the efficiency and reliability of power networks, MGs are exposed to a variety of cyber-attacks that can eventually cause malfunctions in the power distribution network. There are many kinds of cyber-attacks, among them the False Data Injection Attack, Denial of Service, Stealth Attack, and Covert Attack. Their common goals are to cause power outages, economic loss, and even system instability. Cyber-attacks can enter MGs through communication links, local controllers, or master control channels. This chapter presents a thorough review of the types of cyber-attacks and the problems they cause in MGs, and discusses methods of cyber-attack detection, resilient control system design, and countermeasures against such attacks. Numerous research works have investigated cyber-attacks on both Direct-Current (DC) and Alternating-Current (AC) MG systems. These studies can be divided into two main categories: (a) detection and mitigation approaches, and (b) resilient control system designs. Several subclasses of each category, along with their advantages and disadvantages, are investigated in this chapter. In the first category, after a compromised agent is detected, an active or passive mitigation mechanism is activated to prevent the agent's destructive effects from spreading to the whole system; this may impose strict limitations on the MG. In the second category, distributed attack-resilient control protocols raise the resilience of the MG against potential attacks, faults, and noise to the point where no detection and mitigation action is required.
Hamidreza Shafei, Li Li, Ricardo P. Aguilera
Cyber Vulnerabilities of Modern Power Systems
Abstract
Modern power systems rely heavily on Internet-of-Things (IoT) devices and emerging wide-area sensor networks, which expose them to cyber vulnerabilities such as network failures and cyber-attacks. Practical network failure examples include North America (2003), due to state estimator and alarm system failure; Austria (2013), due to network congestion caused by a software bug; and Switzerland (2005), due to information overload. Ukraine's power system went down in December 2015, leaving roughly 230,000 customers without power, due to a cyber-attack that used the BlackEnergy malware on control center computers. Such failures and cyber-attacks can leave the majority of customers without supply and may cause significant damage to highly sensitive, mission-critical equipment. In power electronics-intensive microgrids, the after-effects of cyber-attacks are even more detrimental because of the comparatively weak and fragile distribution grid, highly dynamic source and load profiles, and low generation inertia. Cyber vulnerabilities are divided into two main categories, cyber-attacks and network failures. This chapter presents an overview of these cyber vulnerabilities, the practical limitations of modern power systems, relevant prevention measures, and a case study.
Asad Ali Khan, Omar A. Beg
Cyber-Physical Security in Smart Power Systems from a Resilience Perspective: Concepts and Possible Solutions
Abstract
Vital energy infrastructures in today's evolving society are increasingly built from distributed networks of cyber-physical systems (CPS). Although CPS provide a great deal of flexibility in the operation of critical infrastructure, they also create new security threats that should be addressed at the design and development stage. Power systems should therefore be resistant to adverse events so that their operation is not easily impacted by severe conditions. At the same time, energy systems should be flexible enough to adapt to severe disruptions without breaking down completely, and they should recover in the shortest possible time once the problem is resolved. This property of power systems is generally called resilience. This chapter provides an overview of resilience methods from the CPS perspective in smart power systems and microgrids. Cyber-physical structures, threats, and security issues in smart power systems are introduced; vulnerabilities of control systems and important methods for detecting and countering cyber-attacks, together with defense mechanisms in smart power systems, are presented. Possible solutions for improving the cyber-physical resilience of smart power systems, and some important optimization techniques used in smart power systems and microgrids, are provided for researchers in this field to use and develop further.
Mohammad Ghiasi, Zhanle Wang, Taher Niknam, Moslem Dehghani, Hamid Reza Ansari
Cybersecurity Challenges in Microgrids: Inverter-Based Resources and Electric Vehicles
Abstract
Power systems are shifting into a new paradigm of connectivity. This paradigm facilitates massive integration of different energy resources and loads, e.g., renewable energy and electric vehicle (EV) charging stations, throughout a microgrid with cyber interfaces. Integrating these resources and EVs can significantly enhance microgrid efficiency, reliability, and resiliency, and address environmental concerns. Several emerging technologies are required to prepare the cyber-physical infrastructure for this highly integrated grid. The new grid model depends heavily on cyber interfaces and communication infrastructure, which makes the system vulnerable to cyber disruptions and threats. Given the interconnected nature of these microgrids, cyber disruptions may lead to disastrous consequences; it is therefore essential to know the vulnerabilities of the grid and to design tools that identify and mitigate these threats. This chapter focuses on the cybersecurity issues of microgrids with inverter-based resources (IBRs) and EV charging stations. Because of the complexity and poorly understood behavior of grids with IBRs and EV charging stations, a variety of cyber risks can impact the grid. The chapter therefore demonstrates the vulnerabilities of this new grid architecture, including IBRs and EV charging stations, and discusses effective model-based and Artificial Intelligence (AI)-based techniques, as well as other technologies, to detect and mitigate these cyber threats.
Tambiara Tabassum, Mohammad Reza Khalghani
Improving Cybersecurity Situational Awareness in Smart Grid Environments
Abstract
Demand response (DR) and peer-to-peer (P2P) energy trading in smart grids use distributed architectures and multiple data sources to enable greater consumer involvement. Given the reliance on behind-the-meter data and the distributed and heterogeneous setups, these data and processes are prone to various cybersecurity attacks. Identification of security risks and continuous situational awareness are therefore essential to establish system trust and resilience. In such a multi-layered, distributed system, the origin of data and the steps for processing, modifying, and aggregating it are highly significant. Data provenance denotes metadata describing data derivation throughout the different layers of the system, and tracking it provides valuable information on data history and lineage. However, while provenance generates metadata about data history, the security-relevant information needed to estimate risks is not addressed. This chapter emphasises the need for security-aware data provenance in residential DR and P2P energy trading. Based on the existing Prov-IoT model for security-aware provenance in Internet of Things applications, we present a refined model with entities and metadata specific to smart grids and microgrids. This instantiation, named Prov-IoT-MG, demonstrates the importance and necessity of security-aware provenance graphs for continuously estimating risks from man-in-the-middle, false data injection, and load altering attacks. We illustrate how Prov-IoT-MG graphs can be generated and evaluated at run-time and how they provide up-to-date information on active security controls and other security-relevant information. Finally, we discuss how these graphs help to improve the resilience of grid processes through higher situational awareness.
Thusitha Thilina Dayaratne, Fariha Tasmin Jaigirdar, Rumpa Dasgupta, Amin Sakzad, Carsten Rudolph
Hybrid Physics-Based and Data-Driven Mitigation Strategy for Automatic Generation Control Under Cyber Attack
Abstract
The fusion of information, data, control, and electric power gives rise to the electric cyber-physical system (ECPS). In the ECPS, although the high level of cyber-physical interaction and integration increases the flexibility and efficiency of power system operation, the accompanying cyber perils gradually endanger system security. Several energy sector-targeted attacks, including the infamous Ukraine power grid hack, have shown the vulnerability of power systems to cybersecurity incidents. Automatic generation control (AGC), the critical power-balancing operation in real-time control systems, is a typical ECPS application. Measurements from remote sensors may be manipulated by attackers while being telemetered to the AGC center, thereby disrupting the power balance and frequency stability. Cyber-attack-tolerant AGC therefore plays an important role in the face of cybersecurity threats. To achieve it, strategies including physics-based and data-driven attack mitigation schemes have been employed. In this chapter, inspired by the fault detection, diagnosis, and reconfiguration of fault-tolerant control theory, a hybrid physics-based and data-driven mitigation model is developed for AGC under false data injection attacks (FDIAs). A mathematical model is derived to reveal the causal relation between the FDIA signal and the compromised AGC measurement data. Data-driven approaches are then employed to establish the mapping between the compromised measurement data and the required power compensation. Finally, the compensation-based mitigation model is developed.
Chunyu Chen, Junbo Zhao, Kaifeng Zhang, Yilong Liu, Yang Chen
Data-Driven Cyber-Resilient Control of Wide Area Power Systems
Abstract
With the uptake of advanced communication technologies, the monitoring and operation of power systems have been undergoing a paradigm shift. Many centralized algorithms can now be implemented in a distributed scheme; for example, local decisions can be taken faster, resulting in a more resilient power grid. Despite these advantages, the same communication networks have made power networks vulnerable to cyber-attacks, so only attack-resilient algorithms can be reliably implemented on top of them. In this chapter, a Data-Driven Cyber-Resilient Control (DDCRC) method is proposed for the frequency stability of wide-area power grids. In the proposed method, the automatic generation control signals are generated without a predefined model, such that the frequency stability of the power system in the presence of Deception Attacks (DA) is guaranteed. Simulation results on a three-area power grid show the efficiency and superiority of the proposed method.
Yasin Asadi, Malihe Maghfoori Farsangi, Ali Moradi Amani, Hassan Haes Alhelou, Seyed Mehran Dibaji, Ehsan Bijami
Cyberattack-Resilient Control in Multi-area Power Generation
Abstract
While automatic generation control of multi-area power systems offers better dynamic performance, it intrinsically relies on distributed control and communication frameworks and is therefore inevitably vulnerable to cyber attacks. To exploit the merits of multi-area power systems while guaranteeing the security of the power infrastructure and the safety of operators, countermeasures to cyber attacks must be taken. This chapter systematically presents a new cyberattack-resilient control method suitable for automatic power generation. Different from existing techniques, it introduces a previously unexplored resilient control framework for power generation systems under cyber attacks, equipped with two security layers. The first layer is off-line tolerant control gain seeking; the second is on-line cyberattack detection. In the first layer, different categories of cyber attack models can be assumed according to specific concerns, from which the composite power system model is derived, and the Lyapunov method is used to find tolerant control gains with the expected performance indexes. In the second layer, the signals received from neighboring areas are examined by a real-time cyberattack detection procedure before control actions are executed, to protect the communication network from cyber attacks. With the proposed cyberattack-resilient control method embedded in each control unit, the secure operation of multi-area power systems is substantially improved.
Zhijian Hu, Rong Su, Shichao Liu, Zeyuan Xu, Kai Zhang
Cyber-Security of Protection System in Power Grids—Part 1: Vulnerabilities and Counter-Measures
Abstract
The recent trend to expand the use of Information Technology (IT) in power networks has made the electric grid potentially vulnerable to cyber-attacks. Protection systems are among the most critical cyber-vulnerable components, as they directly affect the integrity and stability of power systems. On this basis, this chapter reviews and investigates the cyber-vulnerabilities of protection systems in power networks. These vulnerabilities can be categorized into three main groups: (i) vulnerabilities of substations, (ii) vulnerabilities of Communication-Assisted Protection (CAP) schemes, and (iii) vulnerabilities of Wide-Area Protection (WAP) schemes. This chapter also discusses the techniques that can be used to detect cyber-attacks against protection schemes and differentiate them from faults.
Shahin Riahinia, Amir Ameli, Mohsen Ghafouri, Abdulsalam Yassine
Cyber-Security of Protection System in Power Grids—Part 2: Case Studies on Securing Line Current Differential Relays
Abstract
This chapter is the second part of a two-part chapter that discusses the cyber-vulnerabilities of protection systems in power networks. Part 1 explained the different cyber-attacks and the taxonomy of attack detection for power system protection applications. In this part, as an example, the working principle and cyber-security of Line Current Differential Relays (LCDRs) are studied, and False Data Injection Attacks (FDIAs) and Time Synchronization Attacks (TSAs) against LCDRs are formulated. The reasons for focusing on LCDRs are that (i) this type of relay is highly vulnerable to cyber-attacks because it depends on communication media and the Global Positioning System (GPS) for collecting time-synchronized remote measurements from all terminals of the line in its protection zone, and (ii) LCDRs are widely used to protect major transmission lines carrying gigawatts of power. Finally, the chapter elaborates on two types of method, one Machine Learning (ML)-based and one model-based, for addressing the cyber-security of this family of Communication-Assisted Protection (CAP) schemes.
Shahin Riahinia, Amir Ameli, Mohsen Ghafouri, Abdulsalam Yassine
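The following is an added example, not code from the chapter above, showing why LCDRs are exposed to the two attack classes the abstract formulates. A percentage-differential element compares the vector sum of the currents measured at both line ends (operate quantity) against their average magnitude (restraint quantity). An FDIA rewrites the remote magnitude in the channel message; a TSA shifts the remote time tags, which the relay turns into a phase rotation of 2*pi*f*delay when it aligns the two data sets. The relay settings (0.2 pu pickup, 30% slope, 60 Hz) and all currents are constructed assumptions, and the `max_tolerable_delay` helper is an illustration of how much time error the chosen settings tolerate for a 1 pu through current, not a formula from the chapter.

```python
"""Percentage-differential element of a two-terminal LCDR under constructed FDIA and TSA cases."""
import cmath
import math

F_NOMINAL = 60.0   # Hz (assumption)
PICKUP = 0.2       # minimum operate current in per unit (assumed relay setting)
SLOPE = 0.3        # restraint slope (assumed relay setting)


def phasor(mag, deg):
    """Build a phasor from magnitude and angle in degrees."""
    return cmath.rect(mag, math.radians(deg))


def differential_element(i_local, i_remote, pickup=PICKUP, slope=SLOPE):
    """Return (trip, i_diff, i_restraint). Both currents are measured positive into the line,
    so a healthy through current gives i_local + i_remote close to zero."""
    i_diff = abs(i_local + i_remote)
    i_restraint = (abs(i_local) + abs(i_remote)) / 2.0
    trip = i_diff > max(pickup, slope * i_restraint)
    return trip, i_diff, i_restraint


def tsa_phase_shift_deg(delay_s, f=F_NOMINAL):
    """Phase error the relay introduces when the remote time tags are off by delay_s seconds."""
    return 360.0 * f * delay_s


def delay_remote(i_remote, delay_s, f=F_NOMINAL):
    """TSA model: the remote data set is aligned with a time error, seen as a phase rotation."""
    return i_remote * cmath.exp(-1j * math.radians(tsa_phase_shift_deg(delay_s, f)))


def scale_remote(i_remote, factor):
    """FDIA model: the attacker rewrites the remote current magnitude in transit."""
    return i_remote * factor


def max_tolerable_delay(i_through=1.0, pickup=PICKUP, slope=SLOPE, f=F_NOMINAL):
    """Largest time error (s) that keeps a pure through current of i_through below the
    operate threshold: 2*I*sin(theta/2) = threshold, with theta = 2*pi*f*delay."""
    threshold = max(pickup, slope * i_through)
    if threshold >= 2.0 * i_through:
        return math.inf
    theta = 2.0 * math.asin(threshold / (2.0 * i_through))
    return theta / (2.0 * math.pi * f)


def scenarios():
    """Constructed cases: healthy load, a real internal fault, an FDIA and two TSAs."""
    i_l = phasor(1.0, 0.0)       # 1 pu entering the local end
    i_r = phasor(1.0, 180.0)     # the same 1 pu leaving the remote end
    return {
        "through_load": differential_element(i_l, i_r),
        "internal_fault": differential_element(i_l, phasor(0.8, -10.0)),   # both ends feed the fault
        "fdia_half_remote": differential_element(i_l, scale_remote(i_r, 0.5)),
        "tsa_2ms": differential_element(i_l, delay_remote(i_r, 2e-3)),
        "tsa_0p2ms": differential_element(i_l, delay_remote(i_r, 0.2e-3)),
    }


if __name__ == "__main__":
    for name, (trip, i_diff, i_res) in scenarios().items():
        print(f"{name:18s} trip={trip!s:5s} Idiff={i_diff:.3f} pu Irestraint={i_res:.3f} pu")
    print(f"time error tolerated at 1 pu through current: {max_tolerable_delay() * 1e3:.2f} ms")
```

With these settings a 2 ms time-tag error on a 1 pu through current produces 0.74 pu of spurious differential current and a trip that is indistinguishable, at the element level, from the internal fault case; an error of 0.2 ms stays below the slope and is ignored. The tolerated error of roughly 0.8 ms is of the same order as the timing accuracy a GPS-disciplined clock provides, which is why the abstract treats the GPS dependency as an attack surface.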
Semi-supervised Deep Learning-Driven Anomaly Detection Schemes for Cyber-Attack Detection in Smart Grids
Abstract
Modern power systems are continuously exposed to malicious cyber-attacks. Analyzing industrial control system (ICS) traffic data plays a central role in detecting and defending against them. Detection approaches based on system modeling require an effective model of the complex behavior of the critical infrastructure, which remains a challenge, especially for large-scale systems. Alternatively, data-driven approaches that rely on data collected from the inspected system have become appealing because of the availability of large data sets, which allow machine learning methods to achieve outstanding performance. This chapter presents an enhanced cyber-attack detection strategy that uses unlabeled data for ICS traffic monitoring and for detecting suspicious data transmissions. We designed two semi-supervised hybrid deep learning-based anomaly detection methods for intrusion detection in the ICS traffic of a smart grid. The first is a Gated Recurrent Unit (GRU)-based stacked autoencoder (AE-GRU), and the second is built from a generative adversarial network (GAN) with a recurrent neural network (RNN) as both generator and discriminator, which we call GAN-RNN. Using GRU and RNN layers in the AE and GAN models is expected to improve their ability to learn the temporal dependencies of multivariate data. These models are used for feature extraction, followed by anomaly detection methods (Isolation Forest, Local Outlier Factor, One-Class SVM, and Elliptic Envelope) to detect cyber-attacks in power systems. The approaches are trained only on normal event data, without labeled attack types, which makes them attractive for detecting cyber-attacks in practice. Their detection performance is demonstrated on IEC 60870-5-104 (IEC 104) control communication, which is often used for substation control in smart grids. Results showed that the GAN-GRU and AE-GRU-based LOF methods achieved enhanced detection, with an average F1-score of 0.98, among others.
Abdelkader Dairi, Fouzi Harrou, Benamar Bouyeddou, Sidi-Mohammed Senouci, Ying Sun
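Since the chapter above evaluates on IEC 104 traffic, the following added example (not code from the chapter) decodes the IEC 60870-5-104 APDU fields that any traffic monitor, learned or rule-based, has to extract first: the APCI control fields (I/S/U frame, sequence numbers) and the ASDU header (type identifier, variable structure qualifier, cause of transmission, common address, information object address). On top of the decoder it applies one deterministic rule a practitioner would deploy alongside a learned detector: a control-direction ASDU from a host that is not an allowlisted SCADA master, or with a cause of transmission that a master would never send, is flagged. The session bytes, the master allowlist `TRUSTED_MASTERS` and the host addresses are constructed for this example.

```python
"""Minimal IEC 60870-5-104 APDU decoder with an allowlist rule for control-direction ASDUs."""
import struct

# ASDU type identifiers referenced below (IEC 60870-5-101/104).
M_SP_NA_1 = 1       # single-point information, monitor direction
C_SC_NA_1 = 45      # single command, control direction
C_IC_NA_1 = 100     # interrogation command, control direction
# Control-direction types: process commands 45-51 and 58-64, system/parameter commands 100-113.
CONTROL_DIRECTION = set(range(45, 52)) | set(range(58, 65)) | set(range(100, 114))
COT_ACTIVATION, COT_DEACTIVATION = 6, 8
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

# Hypothetical allowlist of SCADA masters permitted to send commands (assumption).
TRUSTED_MASTERS = {"10.0.0.10"}


def parse_apdu(data: bytes) -> dict:
    """Decode one APDU: start byte 0x68, length, four control octets, optional ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    length = data[1]
    if length < 4 or length != len(data) - 2:
        raise ValueError("APDU length field mismatch")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01 == 0:                       # I-format: numbered information transfer
        frame = {"format": "I", "send_seq": (c1 | c2 << 8) >> 1, "recv_seq": (c3 | c4 << 8) >> 1}
    elif c1 & 0x03 == 0x01:                  # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": (c3 | c4 << 8) >> 1}
    else:                                    # U-format: unnumbered control function
        return {"format": "U", "function": U_FUNCTIONS.get(c1, f"unknown 0x{c1:02x}")}
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    # Data unit identifier: type ID, VSQ, COT (2 octets in 104), common address (2 octets LE).
    type_id, vsq, cot, originator, common_address = struct.unpack("<BBBBH", asdu[:6])
    frame.update({
        "type_id": type_id,
        "sq": bool(vsq & 0x80), "num_objects": vsq & 0x7F,
        "cot": cot & 0x3F, "negative": bool(cot & 0x40), "test": bool(cot & 0x80),
        "originator": originator, "common_address": common_address,
    })
    if len(asdu) >= 9:                       # first information object: 3-octet IOA, then element(s)
        frame["ioa"] = asdu[6] | asdu[7] << 8 | asdu[8] << 16
        frame["element"] = asdu[9:]
    return frame


def assess(src_ip: str, apdu: dict) -> list:
    """Rule: commands must come from an allowlisted master with an activation/deactivation COT."""
    findings = []
    if apdu.get("format") != "I" or apdu["type_id"] not in CONTROL_DIRECTION:
        return findings
    tid = apdu["type_id"]
    if src_ip not in TRUSTED_MASTERS:
        findings.append(f"control-direction type {tid} from untrusted host {src_ip}")
    if apdu["cot"] not in (COT_ACTIVATION, COT_DEACTIVATION):
        findings.append(f"command type {tid} with unexpected cause of transmission {apdu['cot']}")
    return findings


def scan(session) -> list:
    """Run the rule over (source_ip, apdu_bytes) pairs and return all findings."""
    return [f for src, raw in session for f in assess(src, parse_apdu(raw))]


# Constructed session (not a capture): C_SC_NA_1 ON to IOA 1000, a TESTFR keepalive,
# a spontaneous M_SP_NA_1 from the outstation, and a command with a bogus COT of 3.
SINGLE_COMMAND = bytes.fromhex("680e000000002d0106000100e8030001")
TESTFR_ACT = bytes.fromhex("680443000000")
MEASUREMENT = bytes.fromhex("680e0200000001010300010001000001")
BAD_COT_COMMAND = bytes.fromhex("680e000000002d0103000100e8030001")
SESSION = [
    ("10.0.0.10", SINGLE_COMMAND),    # allowlisted master, activation: clean
    ("10.0.0.77", SINGLE_COMMAND),    # same command from an unknown host: flagged
    ("10.0.0.77", TESTFR_ACT),        # U-frame keepalive: nothing to assess
    ("192.168.1.5", MEASUREMENT),     # monitor direction from the outstation: clean
    ("10.0.0.10", BAD_COT_COMMAND),   # trusted host but COT=3 on a command: flagged
]

if __name__ == "__main__":
    for finding in scan(SESSION):
        print("ALERT:", finding)
```

The decoder deliberately rejects length mismatches instead of tolerating them, because a packet whose APDU length disagrees with the bytes on the wire is itself a signal worth alerting on in a protocol as rigid as IEC 104.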
Vertical Approach Anomaly Detection Using Local Outlier Factor
Abstract
Detection of anomalies in smart meter data is crucial for identifying potential risks and unusual events at an early stage. Anomaly detection can also be used to detect unwanted outliers caused by operational failures and technical faults, to pre-process data for machine learning, to detect concept drift, and to enhance cyber-security in smart electrical grid operations. Anomalies are defined through their contextual appearance and are commonly divided into point, contextual, and collective anomalies. This work examines contextual anomaly detection through a novel type of load forecasting known as the vertical approach. The chapter explores the use of anomaly detection in the relevant learning systems for machine learning in smart electrical grid operation and management, using data from the New South Wales region of Australia. The presented vertical time approach uses seasonal data for training and inference, as opposed to the continuous time approach, which uses all data in a continuum from the start of the dataset until the time of inference. It is observed that the Local Outlier Factor identifies different local outliers under different vertical approaches, and that the local outlier factor score varies vertically. An anomaly is defined as a deviation from an established normal pattern, so spotting one depends on the ability to define what is normal. Anomaly detection systems aim to find these anomalies and are in high demand, despite the lack of a clear validation approach; they rely on deep domain expertise.
Nils Jakob Johannesen, Mohan Lal Kolhe, Morten Goodwin
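As an added example (not the chapter's code or data), the block below implements the Local Outlier Factor from its definition (k-distance, reachability distance, local reachability density, LOF) and scores one new daily peak reading against two reference windows: a vertical window made of the same calendar week in prior summers, and a continuous window made of the immediately preceding spring days. The load values are constructed and are not NSW data; `k=3` and the window sizes are assumptions. The second query shows the cyber-security use the abstract mentions: a meter reading that is far below anything seen in the same season scores as a strong local outlier regardless of window.

```python
"""Local Outlier Factor (Breunig et al. 2000) scored against vertical vs continuous windows."""


def lof_scores(values, k):
    """LOF for every sample in `values` (one-dimensional), using k nearest neighbours."""
    n = len(values)
    if k >= n:
        raise ValueError("k must be smaller than the number of samples")
    dist = [[abs(a - b) for b in values] for a in values]
    kdist, neigh = [], []
    for i in range(n):
        ranked = sorted((dist[i][j], j) for j in range(n) if j != i)
        kd = ranked[k - 1][0]                 # k-distance of sample i
        kdist.append(kd)
        neigh.append([j for d, j in ranked if d <= kd])   # k-neighbourhood, ties included
    lrd = []
    for i in range(n):
        # reachability distance of i from j is max(d(i, j), k-distance(j))
        reach = sum(max(dist[i][j], kdist[j]) for j in neigh[i])
        lrd.append(len(neigh[i]) / max(reach, 1e-12))     # local reachability density
    # LOF: mean lrd of the neighbours relative to the sample's own lrd (about 1 for inliers)
    return [sum(lrd[j] for j in neigh[i]) / len(neigh[i]) / lrd[i] for i in range(n)]


def score_query(window, query, k=3):
    """LOF of `query` when it is scored against the reference samples in `window`."""
    return lof_scores(list(window) + [query], k)[-1]


# Constructed daily peak loads in MW (not real smart-grid data).
SAME_WEEK_PRIOR_SUMMERS = [9000, 9100, 9050, 9150, 8950, 9250, 9120]   # vertical window
PRECEDING_SPRING_DAYS = [7000, 7050, 6980, 7100, 7020, 7080, 6950]     # continuous window
QUERY = 9200          # a hot summer day
UNDER_REPORT = 4600   # the same day if the meter stream were tampered with


def compare_windows(query=QUERY):
    """Return the LOF of one reading under the vertical and the continuous context."""
    return {
        "vertical": score_query(SAME_WEEK_PRIOR_SUMMERS, query),
        "continuous": score_query(PRECEDING_SPRING_DAYS, query),
    }


if __name__ == "__main__":
    for name, score in compare_windows().items():
        print(f"{name:10s} LOF({QUERY} MW) = {score:.2f}")
    print(f"vertical   LOF({UNDER_REPORT} MW) = {score_query(SAME_WEEK_PRIOR_SUMMERS, UNDER_REPORT):.2f}")
```

The same 9200 MW reading is an inlier (LOF close to 1) against the vertical window and a gross outlier against the continuous one, which is the context dependence the abstract describes: the detector's verdict is a property of the reference window as much as of the reading. A practitioner tuning alert thresholds on smart-meter feeds should therefore fix the windowing scheme before fixing the LOF cut-off.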
A Modular Infrastructure for the Validation of Cyberattack Detection Systems
Abstract
We propose a framework for evaluating cyberattack detection systems in which theoretical results can be tested in a realistic setup. We emulate a power control infrastructure, an attacker, and a monitoring system. In this controlled environment, through a modular approach, a variety of detection models can be evaluated: we inject adversarial activity, collect logs from the systems, analyze those logs, and produce evidence that is then processed by artificial intelligence models which raise alerts and provide diagnostic or predictive information. In particular, we test the framework with detection models based on Dynamic Bayesian Networks, which take into account the evolution of adversarial activity over time. The testbed allows us to test the adequacy of the detection mechanisms for early warning of suspicious events; it currently includes man-in-the-middle attacks and false data injection.
Davide Cerotti, Daniele Codetta Raiteri, Giovanna Dondossola, Lavinia Egidi, Giuliana Franceschinis, Luigi Portinale, Roberta Terruggia
A Novel Self-learning Cybersecurity System for Smart Grids
Abstract
The dynamic nature of cyberattacks, together with the incorrect predictions of Artificial Intelligence (AI)-based intrusion detection systems, is a major impediment to the efficient protection of critical infrastructures' Information Technology (IT) and Operational Technology (OT) systems, including Electrical Power and Energy Systems (EPES). The cause is that cyberattack detection models lose their effectiveness over time: the variability of cybersecurity threats makes it difficult to establish a single model that detects all types of attack accurately. The key to system protection is a cybersecurity framework that simultaneously addresses new potential threats, corrects misclassified predictions, and uses the best performing model according to the most recent data. This work proposes a self-learning engine based on the SPARK data analytics framework, integrated into a cybersecurity platform. The self-learning module allows data to be annotated in order to correct misclassifications or to add intelligence about previously unknown attacks. Initially, domain experts submit annotated data through a Visual Analytics (VA) and monitoring system to start the retraining process. Three machine-learning (ML) methods (Random Forest (RF), Logistic Regression (LR), and K-nearest neighbors (KNN)) and one Deep Learning (DL) method (SDAE) are dynamically compared in terms of F1 score and accuracy. After retraining, the best performing model replaces the existing one and labels the incoming data. The dynamic nature of the self-learning module means that it accepts annotations from users at any time, compares the methods during retraining, and assigns data labelling to the most accurate model.
Michalis Skoumperdis, Nikolaos Vakakis, Maria Diamantaki, Charalampos-Rafail Medentzidis, Dimitrios Karanassos, Dimosthenis Ioannidis, Dimitrios Tzovaras
Cyber-Resilience Enhancement Framework in Smart Grids
Abstract
Reliability, resilience, and Quality of Service are essential features of modern electric power system operation and reflect the transition of the electric energy infrastructure towards smart grid deployment. Leveraging Software Defined Networking and other cutting-edge cybersecurity technologies and algorithms, this work aims to bring innovation to the modern Electrical Power and Energy System environment. To this end, we propose a cyber-resilience enhancement framework intended to modernize the traditional electrical grid and provide solutions in the domains of voltage and frequency restoration, cybersecurity, and network Quality of Service. Based on the results, the framework detects cyberattacks accurately and performs network path re-allocation that maximizes Quality of Service more accurately than other state-of-the-art algorithms.
Achilleas Pasias, Thanasis Kotsiopoulos, George Lazaridis, Anastasis Drosou, Dimitrios Tzovaras, Panagiotis Sarigiannidis
SOAR4DER: Security Orchestration, Automation, and Response for Distributed Energy Resources
Abstract
Monitoring data and control functionality exposed by interoperable photovoltaic (PV) inverters and other Distributed Energy Resources (DER) can be used to improve site maintenance, prognostics, and grid operations. Unfortunately, DER communications present attack vectors that could lead to power system impacts. Since adversary capabilities continually improve, avoiding catastrophic consequences requires intelligent intrusion detection and remediation systems that consider both physical and cyber features. New Security Orchestration, Automation, and Response (SOAR) technologies equip cyber-defenders with the capability to respond autonomously to network and host-based system alerts, threat hunting results, and cyber intelligence data streams. In this chapter, we present a novel SOAR approach for DER systems, called SOAR4DER, that ingests data from multiple Intrusion Detection Systems (IDSs) to block attacks quickly and revert DER systems to known good states. Our implementation used a collection of IDS technologies on a Bump-in-the-Wire (BITW) device that combined physical and cyber data to detect abnormal and potentially malicious behavior. Multiple SOAR playbooks then used the IDS data streams to defend the system automatically. Laboratory testing of SOAR4DER showed detection and response times under 30 s for all adversary reconnaissance operations, denial-of-service attacks, malicious Modbus commands, brute-force logins, and machine-in-the-middle attacks.
Jay Johnson, C. Birk Jones, Adrian Chavez, Shamina Hossain-McKenzie
A Study on Cyber-Physical System Architecture for Smart Grids and Its Cyber Vulnerability
Abstract
Technological advances have led to overwhelming use of electronic devices across the world, which in turn has increased load demand. The obvious consequences are blackouts, overloads, and voltage sags. One possible and trusted solution to these problems is the Smart grid: a power network supported by digital communication technology. This solution is not as simple as it seems, however, because it brings challenges such as cyber vulnerabilities and cyber-attacks. This chapter therefore comprehensively reviews the research carried out to date, covering different heuristic detection and estimation techniques. It is helpful that Smart grid issues such as relay protection, power flow control, grid security, and reliability can be modelled effectively and analyzed efficiently. An effort is made to identify the dependencies among Cyber Physical System controls. There is an immediate need to protect the communications and computations carried out by the digital communication equipment in Smart grids from cyber-attack. An overview of current research efforts in expanding Smart grid applications and securing their infrastructure is presented, and the conclusions outline further scope for research.
N. Rajeswaran, M. Lakshmi Swarupa, Rekharani Maddula, Hassan Haes Alhelou, Vajjala Kesava Vamsi Krishna
A Study on Cybersecurity Standards for Power Systems
Abstract
In order to establish explicit cybersecurity measures and best practices in power systems, a number of cybersecurity standards containing generic sets of rules and guidelines for maintaining proper cybersecurity hygiene are being designed and developed. However, the scope, applicability, and implementation guidelines of these standards for power systems have not been adequately studied and presented to date. This chapter presents a study of the scope and applicability of cybersecurity standards and derives implementation guidelines for power systems. The relevant standards are discussed and analyzed with respect to scope, applicability, and cybersecurity process improvement, both for individual systems and devices deployed in present-day power systems and for whole system setups such as a substation or plant, the communication setup, and local or central control centers.
Sajal Sarkar
Metadata
Title
Power Systems Cybersecurity
Edited by
Hassan Haes Alhelou
Nikos Hatziargyriou
Zhao Yang Dong
Copyright year
2023
Electronic ISBN
978-3-031-20360-2
Print ISBN
978-3-031-20359-6
DOI
https://doi.org/10.1007/978-3-031-20360-2