Integrated Anomaly Detection for Cyber Security of the Substations
Title | Integrated Anomaly Detection for Cyber Security of the Substations |
Publication Type | Journal Article |
Year of Publication | 2014 |
Authors | Junho Hong, Chen-Ching Liu, Govindarasu, M. |
Journal | Smart Grid, IEEE Transactions on |
Volume | 5 |
Pagination | 1643-1653 |
Date Published | July |
ISSN | 1949-3053 |
Keywords | ADS, anomaly detection, catastrophic power outages, circuit breakers, computer network security, computer security, cyber intrusions, cyber security of substations, generic object oriented substation event, GOOSE, GOOSE anomaly detection, host-based anomaly detection systems, IED, integrated anomaly detection system, intelligent electronic devices, Intrusion detection, malicious behaviors, multicast messages, network-based anomaly detection systems, physical security, power engineering computing, power grid, power grids, power system reliability, sampled measured value, severe cascading events, simultaneous anomaly detection, simultaneous intrusion detection method, SMV, SMV anomaly detection and intrusion detection, substation automation, substation automation testbed, substation facilities, Substations, temporal anomalies, user-interfaces |
Abstract | Cyber intrusions to substations of a power grid are a source of vulnerability since most substations are unmanned and with limited protection of the physical security. In the worst case, simultaneous intrusions into multiple substations can lead to severe cascading events, causing catastrophic power outages. In this paper, an integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations. Potential scenarios of simultaneous intrusions into the substations have been simulated using a substation automation testbed. The host-based anomaly detection considers temporal anomalies in the substation facilities, e.g., user-interfaces, Intelligent Electronic Devices (IEDs) and circuit breakers. The malicious behaviors of substation automation based on multicast messages, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Measured Value (SMV), are incorporated in the proposed network-based anomaly detection. The proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substations and their locations. The result is a new integrated tool for detection and mitigation of cyber intrusions at a single substation or multiple substations of a power grid. |
DOI | 10.1109/TSG.2013.2294473 |
Citation Key | 6786500 |