Biblio

With the rapid advancement of the electrical grid, substation automation systems (SASs) have been developing continuously. However, with the introduction of advanced features, such as remote control, potential cyber security threats in SASs are also increased. Additionally, crucial components in SASs, such as protection relays, usually come from third-party vendors and may not be fully trusted. Untrusted devices may stealthily perform harmful or unauthorised behaviours which could compromise or damage SASs, and therefore, bring adverse impacts to the primary plant. Thus, it is necessary to detect abnormal behaviours from an untrusted device before it brings about catastrophic impacts. Anomaly detection techniques are suitable to detect anomalies in SASs as they only bring minimal side-effects to normal system operations. Many researchers have developed various machine learning algorithms and mathematical models to improve the accuracy of anomaly detection. However, without prudent feature selection, it is difficult to achieve high accuracy when detecting attacks launched from internal trusted networks, especially for stealthy message modification attacks which only modify message payloads slightly and imitate patterns of benign behaviours. Therefore, this paper presents choices of features which improve the accuracy of anomaly detection within SASs, especially for detecting “stealthy” attacks. By including two additional features, Boolean control data from message payloads and physical values from sensors, our method improved the accuracy of anomaly detection by decreasing the false-negative rate from 25% to 5% approximately.

This paper proposes new concepts for detecting and mitigating cyber attacks on substation automation systems by domain-based cyber-physical security solutions. The proposed methods form the basis of a distributed security domain layer that enables protection devices to collaboratively defend against cyber attacks at substations. The methods utilize protection coordination principles to cross check protection setting changes and can run real-time power system analysis to evaluate the impact of the control commands. The transient fault signature (TFS)-based cross-correlation coefficient algorithm has been proposed to detect the false sampled values data injection attack. The proposed functions were verified in a hardware-in-the-loop (HIL) simulation using commercial relays and a real-time digital simulator (RTDS). Various types of cyber intrusions are tested using this test bed to evaluate the consequences and impacts of cyber attacks to power grid as well as to validate the performance of the proposed research-grade cyber attack mitigation functions.

IEC 61850 is an international standard that is widely used in substation automation systems (SAS) in smart grids. During its development, security was not considered thus leaving SAS vulnerable to attacks from adversaries. IEC 62351 was developed to provide security recommendations for SAS against (distributed) denial-of-service, replay, alteration, spoofing and detection of devices attacks. However, real-time communications, which require protocols such as Generic Object-Oriented Substation Event (GOOSE) to function efficiently, cannot implement these recommendations due to latency constraints. There has been researching that sought to improve the security of GOOSE messages, however, some cannot be practically implemented due to hardware requirements while others are theoretical, even though latency requirements were met. This research investigates the possibility of encrypting GOOSE messages with One- Time Pads (OTP), leveraging the fact that encryption/decryption processes require the random generation of OTPs and modulo addition (XOR), which could be a realistic approach to secure GOOSE while maintaining latency requirements. Results show that GOOSE messages can be encrypted with some future work required.

This paper proposes a new network-based cyber intrusion detection system (NIDS) using multicast messages in substation automation systems (SASs). The proposed network-based intrusion detection system monitors anomalies and malicious activities of multicast messages based on IEC 61850, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Value (SV). NIDS detects anomalies and intrusions that violate predefined security rules using a specification-based algorithm. The performance test has been conducted for different cyber intrusion scenarios (e.g., packet modification, replay and denial-of-service attacks) using a cyber security testbed. The IEEE 39-bus system model has been used for testing of the proposed intrusion detection method for simultaneous cyber attacks. The false negative ratio (FNR) is the number of misclassified abnormal packets divided by the total number of abnormal packets. The results demonstrate that the proposed NIDS achieves a low fault negative rate.