Chuck McParland

Object lessons learned from a distributed system for remote building monitoring and operation

In this paper we describe our experiences with the design, the deployment, and the initial operation of a distributed system for the remote monitoring and operation of multiple heterogeneous commercial buildings across the Internet from a single control center. Such systems can significantly reduce building energy usage.Our system is distinguished by its ability to interface to multiple heterogeneous legacy building Energy Management Control Systems (EMCSs), its use of the Common Object Request Broker Architecture (CORBA) standard communication protocols for the former task, development of a standardized naming system for monitoring points in buildings, the use of a relational DBMS to store and process time series data, automatic time and unit conversion, and a scripted time series visualization system.We describe our design choices and our experiences in development and operation. We note requirements for future distributed systems software for interoperability of heterogeneous real-time data acquisition and control systems.

A hybrid network IDS for protective digital relays in the power transmission grid

In this paper, we propose a novel use of network intrusion detection systems (NIDSs) tailored to detect attacks against networks that support hybrid controllers that implement power grid protection schemes. In our approach, we implement specification-based intrusion detection signatures based on the execution of the hybrid automata that specify the communication rules and physical limits that the system should obey. To validate our idea, we developed an experimental framework consisting of a simulation of the physical system and an emulation of the master controller, which serves as the digital relay that implements the protection mechanism. Our Hybrid Control NIDS (HC-NIDS) continuously monitors and analyzes the network traffic exchanged within the physical system. It identifies traffic that deviates from the expected communication pattern or physical limitations, which could place the system in an unsafe mode of operation. Our experimental analysis demonstrates that our approach is able to detect a diverse range of attack scenarios aimed at compromising the physical process by leveraging information about the physical part of the power system.

Hybrid Control Network Intrusion Detection Systems for Automated Power Distribution Systems

In this paper, we describe our novel use of network intrusion detection systems (NIDS) for protecting automated distribution systems (ADS) against certain types of cyber attacks in a new way. The novelty consists of using the hybrid control environment rules and model as the baseline for what is normal and what is an anomaly, tailoring the security policies to the physical operation of the system. NIDS sensors in our architecture continuously analyze traffic in the communication medium that comes from embedded controllers, checking if the data and commands exchanged conform to the expected structure of the controllers interactions, and evolution of the systems physical state. Considering its importance in future ADSs, we chose the fault location, isolation and service restoration (FLISR) process as our distribution automation case study for the NIDS deployment. To test our scheme, we emulated the FLISR process using real programmable logic controllers (PLCs) that interact with a simulated physical infrastructure. We used this test bed to examine the capability of our NIDS approach in several attack scenarios. The experimental analysis reveals that our approach is capable of detecting various attacks scenarios including the attacks initiated within the trusted perimeter of the automation network by attackers that have complete knowledge about the communication information exchanged.

Micro Synchrophasor-Based Intrusion Detection in Automated Distribution Systems: Toward Critical Infrastructure Security

Because electric power distribution systems are undergoing many technological changes, concerns are emerging about additional vulnerabilities that might arise. Resilient cyber-physical systems (CPSs) must leverage state measures and operational models that interlink their physical and cyber assets, to assess their global state. Here, the authors describe a viable process of abstraction to obtain this holistic state exploration tool by analyzing data from micro-phasor measurement units (μPMUs) and monitoring distribution supervisory control and data acquisition (DSCADA) traffic. To interpret the data, they use semantics that express the specific physical and operational constraints of the system in both cyber and physical realms.

Monitoring Security of Networked Control Systems: It's the Physics

Physical device safety is typically implemented locally using embedded controllers, whereas operations safety is primarily performed in control centers. Safe operations can be enhanced by correctly designed device-level control algorithms as well as protocols, procedures, and operator training at the control-room level, but all of these can fail. Moreover, these elements exchange data and issue commands via vulnerable communication layers. To secure these gaps and enhance operational safety, the authors believe command sequence monitoring must be combined with an awareness of physical device limitations and automata models that capture safety mechanisms. One way of doing this is by leveraging specification-based intrusion detection to monitor for physical constraint violations. This method can also verify that the physical infrastructure state is consistent with information and commands exchanged by controllers. This additional security layer enhances protection from both outsider attacks and insider mistakes.

Automated Anomaly Detection in Distribution Grids Using uPMU Measurements

Automated Anomaly Detection in Distribution Grids Using µ PMU Measurements Mahdi Jamei ∗ , Anna Scaglione ∗ , Ciaran Roberts † , Emma Stewart † , Sean Peisert † , Chuck McParland † , Alex McEachern ‡ , ∗ School of Electrical, Computer, and Energy Engineering, Arizona State University, Tempe, AZ, USA † Lawrence Berkeley National Laboratory, Berkeley, CA, USA ‡ Power Standards Laboratory, Alameda, CA, USA Abstract—The impact of Phasor Measurement Units (PMUs) for providing situational awareness to transmission system op- erators has been widely documented. Micro-PMUs (µPMUs) are an emerging sensing technology that can provide similar benefits to Distribution System Operators (DSOs), enabling a level of visibility into the distribution grid that was previously unattainable. In order to support the deployment of these high resolution sensors, the automation of data analysis and prioritizing communication to the DSO becomes crucial. In this paper, we explore the use of µPMUs to detect anomalies on the distribution grid. Our methodology is motivated by growing concern about failures and attacks to distribution automation equipment. The effectiveness of our approach is demonstrated through both real and simulated data. Index Terms—Intrusion Detection, Anomaly Detection, Micro- Phasor Measurement Unit, Distribution Grid I. I NTRODUCTION The state vectors of the transmission grid are closely monitored and their physical behavior is well-understood [1]. In contrast, Distribution System Operators (DSOs) have historically lacked detailed real-time actionable information about their system. This, however, is set to change. As the distribution grid shifts from a demand serving network towards an interactive grid, there is a growing interest in gaining situational awareness via advanced sensors such as Micro- Phasor Measurement Units (µPMUs) [2]. The deployment of the µPMUs in isolation without addi- tional data driven applications and analytics is insufficient. It is critical to equip DSOs with complimentary software tools that are capable of automatically mining these large data sets in search of useful, actionable information. There has been a lot of work focused on using PMU data at the transmission level to improve Wide-Area Monitoring, Protection and Control (WAMPC) [3], [4]. The distribution grid, however, is lagging in this respect. Due to inherent differences between operational behavior, such as imbalances and increased variability on the distribution and transmission grid, the algorithms derived for WAMPC at the transmission level are generally not directly applicable at the distribution level. Our work is aimed at addressing this issue. We focus on an important application of µPMU data in the distribution system: anomaly detection, i.e., behavior that differs significantly from normal operation of the grid during (quasi) steady-state. An anomaly can take a number of forms, including faults, misoperations of devices or switching transients, among others, and its root cause can be either a natural occurrence, error or attack. The risk of cyber-physical attacks via an IP network has recently gained significant interest due to the increase in automation of our power gird via two-way communication. This communication is typically carried out on breachable networks that can be manipulated by attackers [5]. Even if an anomaly naturally occurs, it is important to notify the DSO to ensure proper remedial action is taken. A. Related Work The majority of published work in anomaly detection using sensor data, primarily SCADA and PMU data, has focused on the transmission grid. The proposed methods are typically data-driven approaches, whereby the measurements are in- spected for abnormality irrespective of the underlying physical model. One such example, the common path data mining approach implemented on PMU data and audit logs at a central server, is proposed in [6] to classify between a disturbance, an attack via IP computer networks and normal operation. Chen et al., [7] derive a linear basis expansion for the PMU data to reduce the dimensionality of the measurements. Through this linear basis expansion, it is shown how an anomaly, which changes the grid operating point, can be spotted by comparing the error of the projected data onto the subspace spanned by the basis and the actual values. Valenzuela et al., [8] used Principal Component Analysis (PCA) to classify the power flow results into regular and irregular subspaces. Through analyzing the data residing in the irregular subspace, their method determines whether the irregularity is caused by a network attack or not. Jamei et al., [9] propose an intrusion detection architecture that leverages µPMU data and SCADA communication over IP networks to detect potentially damag- ing activities in the grid. These aforementioned algorithms are all part of the suite of machine learning techniques that the security monitoring architecture will rely on. B. Our Contribution µPMUs, due to their high sampling frequency, are a much richer data source in comparison to traditional Distribution Supervisory Control and Data Acquisition (DSCADA). In this