Biblio

Cyber intrusions to substations of a power grid are a source of vulnerability since most substations are unmanned and with limited protection of the physical security. In the worst case, simultaneous intrusions into multiple substations can lead to severe cascading events, causing catastrophic power outages. In this paper, an integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations. Potential scenarios of simultaneous intrusions into the substations have been simulated using a substation automation testbed. The host-based anomaly detection considers temporal anomalies in the substation facilities, e.g., user-interfaces, Intelligent Electronic Devices (IEDs) and circuit breakers. The malicious behaviors of substation automation based on multicast messages, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Measured Value (SMV), are incorporated in the proposed network-based anomaly detection. The proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substations and their locations. The result is a new integrated tool for detection and mitigation of cyber intrusions at a single substation or multiple substations of a power grid.
 

This paper proposes a methodology to assess cyber-related risks and to identify critical assets both at power grid and substation levels. The methodology is based on a two-pass engine model. The first pass engine is developed to identify the most critical substation(s) in a power grid. A mixture of Analytical hierarchy process (AHP) and (N-1) contingent analysis is used to calculate risks. The second pass engine is developed to identify risky assets within a substation and improve the vulnerability of a substation against the intrusion and malicious acts of cyber hackers. The risk methodology uniquely combines asset reliability, vulnerability and costs of attack into a risk index. A methodology is also presented to improve the overall security of a substation by optimally placing security agent(s) on the automation system.
 

A system implementing real-time situational awareness through discovery, prevention, detection, response, audit, and management capabilities is seen as central to facilitating the protection of critical infrastructure systems. The effectiveness of providing such awareness technologies for electrical distribution companies is being evaluated in a series of field trials: (i) Substation Intrusion Detection / Prevention System (IDPS) and (ii) Security Information and Event Management (SIEM) System. These trials will help create a realistic case study on the effectiveness of such technologies with the view of forming a framework for critical infrastructure cyber security defense systems of the future.
 

One of the various features expected for a smart power distribution system - a smart grid in the power distribution level - is the possibility of the fully automated operation for certain control actions. Although this is very expected, it requires various logic, sensor and actuator technologies in a system which, historically, has a low level of automation. One of the most analyzed problems for the distribution system is the topology reconfiguration. The reconfiguration has been applied to various objectives: minimization of power losses, voltage regulation, load balancing, to name a few. The solution method in most cases is centralized and its application is not in real-time. From the new perspectives of advanced distribution systems, fast and adaptive response of the control actions are required, specially in the presence of alternative generation sources and electrical vehicles. In this context, the multi-agent system, which embeds the necessary control actions and decision making is proposed for the topology reconfiguration aiming the loss reduction. The concept of multi-agent system for distribution system is proposed and two case studies with 11-Bus and 16-Bus system are presented.
 

Distributed mesh sensor networks provide cost-effective communications for deployment in various smart grid domains, such as home area networks (HAN), neighborhood area networks (NAN), and substation/plant-generation local area networks. This paper introduces a dynamically updating key distribution strategy to enhance mesh network security against cyber attack. The scheme has been applied to two security protocols known as simultaneous authentication of equals (SAE) and efficient mesh security association (EMSA). Since both protocols utilize 4-way handshaking, we propose a Merkle-tree based handshaking scheme, which is capable of improving the resiliency of the network in a situation where an intruder carries a denial of service attack. Finally, by developing a denial of service attack model, we can then evaluate the security of the proposed schemes against cyber attack, as well as network performance in terms of delay and overhead.

The reliability theory used in the design of complex systems including electric grids assumes random component failures and is thus unsuited to analyzing security risks due to attackers that intentionally damage several components of the system. In this paper, a security risk analysis methodology is proposed consisting of vulnerability analysis and impact analysis. Vulnerability analysis is a method developed by security engineers to identify the attacks that are relevant for the system under study, and in this paper, the analysis is applied on the communications network topology of the electric grid automation system. Impact analysis is then performed through co-simulation of automation and the electric grid to assess the potential damage from the attacks. This paper makes an extensive review of vulnerability and impact analysis methods and relevant system modeling techniques from the fields of security and industrial automation engineering, with a focus on smart grid automation, and then applies and combines approaches to obtain a security risk analysis methodology. The methodology is demonstrated with a case study of fault location, isolation and supply restoration smart grid automation.

The modern society increasingly relies on electrical service, which also brings risks of catastrophic consequences, e.g., large-scale blackouts. In the current literature, researchers reveal the vulnerability of power grids under the assumption that substations/transmission lines are removed or attacked synchronously. In reality, however, it is highly possible that such removals can be conducted sequentially. Motivated by this idea, we discover a new attack scenario, called the sequential attack, which assumes that substations/transmission lines can be removed sequentially, not synchronously. In particular, we find that the sequential attack can discover many combinations of substation whose failures can cause large blackout size. Previously, these combinations are ignored by the synchronous attack. In addition, we propose a new metric, called the sequential attack graph (SAG), and a practical attack strategy based on SAG. In simulations, we adopt three test benchmarks and five comparison schemes. Referring to simulation results and complexity analysis, we find that the proposed scheme has strong performance and low complexity.

Modern power systems heavily rely on the associated cyber network, and cyber attacks against the control network may cause undesired consequences such as load shedding, equipment damage, and so forth. The behaviors of the attackers can be random, thus it is crucial to develop novel methods to evaluate the adequacy of the power system under probabilistic cyber attacks. In this study, the external and internal cyber structures of the substation are introduced, and possible attack paths against the breakers are analyzed. The attack resources and vulnerability factors of the cyber network are discussed considering their impacts on the success probability of a cyber attack. A procedure integrating the reliability of physical components and the impact of cyber attacks against breakers are proposed considering the behaviors of the physical devices and attackers. Simulations are conducted based on the IEEE RTS79 system. The impact of the attack resources and attack attempt numbers are analyzed for attackers from different threats groups. It is concluded that implementing effective cyber security measures is crucial to the cyber-physical power grids.

The evolution of electrical grids, both in terms of enhanced ICT functionalities to improve efficiency, reliability and economics, as well as the increasing penetration of renewable redistributed energy resources, results in a more sophisticated electrical infrastructure which poses new challenges from several perspectives, including resilience and quality of service analysis. In addition, the presence of interdependencies, which more and more characterize critical infrastructures (including the power sector), exacerbates the need for advanced analysis approaches, to be possibly employed since the early phases of the system design, to identify vulnerabilities and appropriate countermeasures. In this paper, we outline an approach to model and analyze smart grids and discuss the major challenges to be addressed in stochastic model-based analysis to account for the peculiarities of the involved system elements. Representation of dynamic and flexible behavior of generators and loads, as well as representation of the complex ICT control functions required to preserve and/or re-establish electrical equilibrium in presence of changes need to be faced to assess suitable indicators of the resilience and quality of service of the smart grid.

This paper proposes a methodology to assess cyber-related risks and to identify critical assets both at power grid and substation levels. The methodology is based on a two-pass engine model. The first pass engine is developed to identify the most critical substation(s) in a power grid. A mixture of Analytical hierarchy process (AHP) and (N-1) contingent analysis is used to calculate risks. The second pass engine is developed to identify risky assets within a substation and improve the vulnerability of a substation against the intrusion and malicious acts of cyber hackers. The risk methodology uniquely combines asset reliability, vulnerability and costs of attack into a risk index. A methodology is also presented to improve the overall security of a substation by optimally placing security agent(s) on the automation system.

This paper proposes a methodology to assess cyber-related risks and to identify critical assets both at power grid and substation levels. The methodology is based on a two-pass engine model. The first pass engine is developed to identify the most critical substation(s) in a power grid. A mixture of Analytical hierarchy process (AHP) and (N-1) contingent analysis is used to calculate risks. The second pass engine is developed to identify risky assets within a substation and improve the vulnerability of a substation against the intrusion and malicious acts of cyber hackers. The risk methodology uniquely combines asset reliability, vulnerability and costs of attack into a risk index. A methodology is also presented to improve the overall security of a substation by optimally placing security agent(s) on the automation system.

The vulnerability analysis is vital for safely running power grids. The simultaneous attack, which applies multiple failures simultaneously, does not consider the time domain in applying failures, and is limited to find unknown vulnerabilities of power grid networks. In this paper, we discover a new attack scenario, called the sequential attack, in which the failures of multiple network components (i.e., links/nodes) occur at different time. The sequence of such failures can be carefully arranged by attackers in order to maximize attack performances. This attack scenario leads to a new angle to analyze and discover vulnerabilities of grid networks. The IEEE 39 bus system is adopted as test benchmark to compare the proposed attack scenario with the existing simultaneous attack scenario. New vulnerabilities are found. For example, the sequential failure of two links, e.g., links 26 and 39 in the test benchmark, can cause 80% power loss, whereas the simultaneous failure of them causes less than 10% power loss. In addition, the sequential attack is demonstrated to be statistically stronger than the simultaneous attack. Finally, several metrics are compared and discussed in terms of whether they can be used to sharply reduce the search space for identifying strong sequential attacks.

As information and communication networks are highly interconnected with the power grid, cyber security of the supervisory control and data acquisition (SCADA) system has become a critical issue in the power system. By intruding into the SCADA system via the remote access points, the attackers are able to eavesdrop critical data and reconfigure devices to trip the system breakers. The cyber attacks are able to impact the reliability of the power system through the SCADA system. In this paper, six cyber attack scenarios in the SCADA system are considered. A Bayesian attack graph model is used to evaluate the probabilities of successful cyber attacks on the SCADA system, which will result in breaker trips. A forced outage rate (FOR) model is proposed considering the frequencies of successful attacks on the generators and transmission lines. With increased FOR values resulted from the cyber attacks, the loss of load probabilities (LOLP) in reliability test system 79 (RTS79) are estimated. The results of the simulations demonstrate that the power system becomes less reliable as the frequency of successful attacks increases.

Cyber intrusions to substations of a power grid are a source of vulnerability since most substations are unmanned and with limited protection of the physical security. In the worst case, simultaneous intrusions into multiple substations can lead to severe cascading events, causing catastrophic power outages. In this paper, an integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations. Potential scenarios of simultaneous intrusions into the substations have been simulated using a substation automation testbed. The host-based anomaly detection considers temporal anomalies in the substation facilities, e.g., user-interfaces, Intelligent Electronic Devices (IEDs) and circuit breakers. The malicious behaviors of substation automation based on multicast messages, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Measured Value (SMV), are incorporated in the proposed network-based anomaly detection. The proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substations and their locations. The result is a new integrated tool for detection and mitigation of cyber intrusions at a single substation or multiple substations of a power grid.

Wireless sensor and actuator networks (WSAN) constitute an emerging technology with multiple applications in many different fields. Due to the features of WSAN (dynamism, redundancy, fault tolerance, and self-organization), this technology can be used as a supporting technology for the monitoring of critical infrastructures (CIs). For decades, the monitoring of CIs has centered on supervisory control and data acquisition (SCADA) systems, where operators can monitor and control the behavior of the system. The reach of the SCADA system has been hampered by the lack of deployment flexibility of the sensors that feed it with monitoring data. The integration of a multihop WSAN with SCADA for CI monitoring constitutes a novel approach to extend the SCADA reach in a cost-effective way, eliminating this handicap. However, the integration of WSAN and SCADA presents some challenges which have to be addressed in order to comprehensively take advantage of the WSAN features. This paper presents a solution for this joint integration. The solution uses a gateway and a Web services approach together with a Web-based SCADA, which provides an integrated platform accessible from the Internet. A real scenario where this solution has been successfully applied to monitor an electrical power grid is presented.