Chee-Wooi Ten

Vulnerability Assessment of Cybersecurity for SCADA Systems

Vulnerability assessment is a requirement of NERCs cybersecurity standards for electric power systems. The purpose is to study the impact of a cyber attack on supervisory control and data acquisition (SCADA) systems. Compliance of the requirement to meet the standard has become increasingly challenging as the system becomes more dispersed in wide areas. Interdependencies between computer communication system and the physical infrastructure also become more complex as information technologies are further integrated into devices and networks. This paper proposes a vulnerability assessment framework to systematically evaluate the vulnerabilities of SCADA systems at three levels: system, scenarios, and access points. The proposed method is based on cyber systems embedded with the firewall and password models, the primary mode of protection in the power industry today. The impact of a potential electronic intrusion is evaluated by its potential loss of load in the power system. This capability is enabled by integration of a logic-based simulation method and a module for the power flow computation. The IEEE 30-bus system is used to evaluate the impact of attacks launched from outside or from within the substation networks. Countermeasures are identified for improvement of the cybersecurity.

Anomaly Detection for Cybersecurity of the Substations

Cybersecurity of the substations in a power system is a major issue as the substations become increasingly dependent on computer and communication networks. This paper is concerned with anomaly detection in the computer network environment of a substation. An anomaly inference algorithm is proposed for early detection of cyber-intrusions at the substations. The potential scenario of simultaneous intrusions launched over multiple substations is considered. The proposed detection method considers temporal anomalies. Potential intrusion events are ranked based on the credibility impact on the power system. Snapshots of anomaly entities at substations are described. Simulation results using the modified IEEE 118-bus system have shown the effectiveness of the proposed method for systematic identification. The result of this research is a tool to detect cyber-intrusions that are likely to cause significant damages to the power grid.

Fault Location for Underground Power Cable Using Distributed Parameter Approach

This paper proposes an extensive fault location model for underground power cable in distribution system using voltage and current measurements at the sending-end. First, an equivalent circuit that models a faulted underground cable system is analyzed using distributed parameter approach. Then, the analysis of sequence networks in three-phase network is obtained by applying the boundary conditions. This analysis is used to calculate a fault distance in single section using voltage and current equations. The extension to multi-section is further analyzed based on Korean distribution systems. This method is an iterative process to determine a faulted section from the network. Finally, the case studies are evaluated with variations of fault distance and resistance, which also includes the evaluation of its robustness to load uncertainty.

Power System Reliability Evaluation With SCADA Cybersecurity Considerations

As information and communication networks are highly interconnected with the power grid, cyber security of the supervisory control and data acquisition (SCADA) system has become a critical issue in the electric power sector. By exploiting the vulnerabilities in cyber components and intruding into the local area networks of the control center, corporation, substations, or by injecting false information into communication links, the attackers are able to eavesdrop critical data, reconfigure devices, and send trip commands to the intelligent electronic devices that control the system breakers. Reliability of the power system can thus be impacted by various cyber attacks. In this paper, four attack scenarios for cyber components in networks of the SCADA system are considered, which may trip breakers of physical components. Two Bayesian attack graph models are built to illustrate the attack procedures and to evaluate the probabilities of successful cyber attacks. A mean time-to-compromise model is modified and adopted considering the known and zero-day vulnerabilities on the cyber components, and the frequencies of intrusions through various paths are estimated. With increased breaker trips resulting from the cyber attacks, the loss of load probabilities in the IEEE reliability test system 79 are estimated. The simulation results demonstrate that the power system becomes less reliable as the frequency of successful attacks on the cyber components increases and the skill levels of attackers increase.

Strategic FRTU Deployment Considering Cybersecurity in Secondary Distribution Network

This paper is concerned about strategic deployment of feeder remote terminal unit (FRTU) in primary network by considering cybersecurity of distribution secondary network. First, detection of historical anomaly load profile in secondary network is assumed to be observable. These irregularities of historical energy usages can be determined from consumer billing centers using proposed cybersecurity metrics. While it is constrained by budget on the number of FRTUs that can be deployed, the proposed algorithm identifies pivotal locations of a distribution feeder to install the FRTUs in different time horizons. The simulation results show that the infrastructure enhancement using proposed multistage method improves investment planning for distribution systems.

Extraction of Geospatial Topology and Graphics for Distribution Automation Framework

Maintaining the integrity of an electrical distribution network for the supervisory control and data acquisition (SCADA) database is a challenging task due to the increasingly changing network topology. Despite the labor-intensive database maintenance that is prone to human error, the use of inaccurate data can lead to erroneous computational results. This paper proposes an automated framework to extract geospatial datasets for SCADA of distribution systems using two standardized exchange formats: (1) Common information model (CIM/XML) which describes the topology, and (2) CIM graphics in scalable vector graphics (SVG) format from the World Wide Web consortium (W3C), which illustrates the dynamic and static geographical schematics. A comparator which determines the changes between different datasets is proposed to avoid importing all data. The proposed framework is evaluated using case studies consisting of thousands of CIM-based elements.

Inclusion of SCADA Cyber Vulnerability in Power System Reliability Assessment Considering Optimal Resources Allocation

With sufficient resources, attackers might be able to intrude into multiple substation-level networks of the supervisory control and data acquisition (SCADA) system and send fabricated commands to the local field devices. In this paper, cyberattacks against the SCADA system in the substations of the power system are modeled by a modified semi-Markov process (SMP). The optimal allocation of offensive and defensive resources is modeled as a Colonel Blotto game, and the probabilities of successful cyberattacks on 24 substations are calculated. With the optimal allocated resources, the mean time-to-compromise (MTTCs) of cyberattacks on each substation are calculated, and the loss of load probabilities (LOLP) and expected energy not supplied (EENS) are estimated with the IEEE reliability test system 79 (RTS79). When more offensive or less defensive resources are allocated to the targets, the probabilities of breaker trips resulted by the cyber attacks are increased, less MTTCs are needed on each substation and the power system becomes less reliable.

Cyber-Based Contingency Analysis

Microprocessor-based relays protecting against fault current have revolutionized power automation industry. The leverage using commercially available information communication technologies has been the currency for future cyberinfrastructure deployment, which enables plausible electronic manipulation that can affect system operation. The bus differential protection has been recognized as one of the most critical protection schemes, if compromised, that would disconnect a large number of components within a substation. A hypothesized substation outage is the worst case scenario of intrusion attack events. This paper proposes an impact analysis of critical cyber assets in substations that capture historical load and topology conditions. This is to identify critical substations and other “nightmare” hypothesized combinations for security protection planning. The proposed metrics of attack scenarios incorporate electronic instrumentation in relation to the physical system for impact and dependency evaluation. Combinatorial verification of these hypothesized events based on the proposed reverse pyramid model (RPM) is validated using IEEE 30- and 118-bus systems.

A simulation model of cyber threats for energy metering devices in a secondary distribution network

This paper proposes a simulation model of cyber threats for energy meters in a secondary distribution network. The wireless communication network of the energy meters is derived from a cellular automation framework where each meter is modeled as an agent. An adversary objective of attack tree based on the device vulnerabilities is enumerated with the possible vulnerabilities of energy metering devices and communication framework. The cyber threats considered in this preliminary analysis is worm propagation. Transmission of a legitimate firmware update is then followed with simulation and analysis based on anomaly patterns, i.e., the traffic statistics of the malicious activities within the network. The mean absolute percentage error (MAPE) is employed to measure the variation of network trend based on historical patterns, where a new anomaly pattern can be determined based on erroneous discrepancies. A simulation model based on an example Singapore housing block has been made to demonstrate the impact of worm propagation and feasibility.

Preventive Maintenance for Advanced Metering Infrastructure Against Malware Propagation

Advanced metering infrastructure (AMI) deployment has been widely promoted in recent years to improve the accuracy of billing information as well as to facilitate implementation of demand response. Information integrity and availability of the devices is crucial to the billing information that should reflect accurately on how much the household energy is consumed. The IP-based smart metering devices may exist with unknown vulnerabilities that can introduce backdoors to enable worm propagation across AMI network. The infected devices can be attack agents that would largely disable the metering functionalities or manipulate control variables of each meter. This paper proposes an optimal frequency of on-site investigation and the number of monitoring verification to investigate potential anomalies of malware footprinting by applying the decision process framework of Markovian. The proposed method determines the best inspection strategies based on the observation from the existing anomaly detectors deployed in the network. The considerations include malware propagation characteristics, accuracy of anomaly detectors, and investigation and diagnosis costs. Four scenarios are simulated using the proposed method, demonstrating the effectiveness of investigation on potentially infected electronic meters within an AMI network.