Uttam Adhikari

Modeling Cyber-Physical Vulnerability of the Smart Grid With Incomplete Information

This paper addresses the attack modeling using vulnerability of information, communication and electric grid network. Vulnerability of electric grid with incomplete information has been analyzed using graph theory based approach. Vulnerability of information and communication (cyber) network has been modeled utilizing concepts of discovery, access, feasibility, communication speed and detection threat. Common attack vector based on vulnerability of cyber and physical system have been utilized to operate breakers associated with generating resources to model aurora-like event. Real time simulations for modified IEEE 14 bus test case system and graph theory analysis for IEEE 118 bus system have been presented. Test case results show the possible impact on smart grid caused by integrated cyber-physical attack.

Developing a Hybrid Intrusion Detection System Using Data Mining for Power Systems

Synchrophasor systems provide an immense volume of data for wide area monitoring and control of power systems to meet the increasing demand of reliable energy. The construction of traditional intrusion detection systems (IDSs) that use manually created rules based upon expert knowledge is knowledge-intensive and is not suitable in the context of this big data problem. This paper presents a systematic and automated approach to build a hybrid IDS that learns temporal state-based specifications for power system scenarios including disturbances, normal control operations, and cyber-attacks. A data mining technique called common path mining is used to automatically and accurately learn patterns for scenarios from a fusion of synchrophasor measurement data, and power system audit logs. As a proof of concept, an IDS prototype was implemented and validated. The IDS prototype accurately classifies disturbances, normal control operations, and cyber-attacks for the distance protection scheme for a two-line three-bus power transmission system.

Machine learning for power system disturbance and cyber-attack discrimination

Power system disturbances are inherently complex and can be attributed to a wide range of sources, including both natural and man-made events. Currently, the power system operators are heavily relied on to make decisions regarding the causes of experienced disturbances and the appropriate course of action as a response. In the case of cyber-attacks against a power system, human judgment is less certain since there is an overt attempt to disguise the attack and deceive the operators as to the true state of the system. To enable the human decision maker, we explore the viability of machine learning as a means for discriminating types of power system disturbances, and focus specifically on detecting cyber-attacks where deception is a core tenet of the event. We evaluate various machine learning methods as disturbance discriminators and discuss the practical implications for deploying machine learning systems as an enhancement to existing power system architectures.

Development of power system test bed for data mining of synchrophasors data, cyber-attack and relay testing in RTDS

This paper describes the development of a hardware-in-the-loop Real Time Digital Simulator (RTDS) enabled power system test bed used to support various types of research. Lack of access to actual utility synchrophasors data at the university level hinders studies on various subjects of interest including power system event detection, situational awareness, wide area monitoring and control, and cyber security. This paper explains a way to facilitate the researcher with reliable synchrophasor data and a power system test bed for different applications such as event detection, and cyber security resiliency studies. Various power system events and scenarios are modeled and simulation results are presented.

Classification of Disturbances and Cyber-Attacks in Power Systems Using Heterogeneous Time-Synchronized Data

Visualization and situational awareness are of vital importance for power systems, as the earlier a power-system event such as a transmission line fault or cyber-attack is identified, the quicker operators can react to avoid unnecessary loss. Accurate time-synchronized data, such as system measurements and device status, provide benefits for system state monitoring. However, the time-domain analysis of such heterogeneous data to extract patterns is difficult due to the existence of transient phenomena in the analyzed measurement waveforms. This paper proposes a sequential pattern mining approach to accurately extract patterns of power-system disturbances and cyber-attacks from heterogeneous time-synchronized data, including synchrophasor measurements, relay logs, and network event monitor logs. The term common path is introduced. A common path is a sequence of critical system states in temporal order that represent individual types of disturbances and cyber-attacks. Common paths are unique signatures for each observed event type. They can be compared to observed system states for classification. In this paper, the process of automatically discovering common paths from labeled data logs is introduced. An included case study uses the common path-mining algorithm to learn common paths from a fusion of heterogeneous synchrophasor data and system logs for three types of disturbances (in terms of faults) and three types of cyber-attacks, which are similar to or mimic faults. The case study demonstrates the algorithms effectiveness at identifying unique paths for each type of event and the accompanying classifiers ability to accurately discern each type of event.

Cyber security recommendations for wide area monitoring, protection, and control systems

Synchrophasor systems are being added to modern power systems to facilitate improved wide area monitoring and wide area protection schemes. As synchrophasor systems are installed utilities must decide if new cyber devices, phasor measurement units and phasor data concentrators, will be declared as The US National Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) cyber critical assets. This paper explores the potential impact of reconnaissance attacks, packet injection attacks, and denial of service attacks on wide area monitoring systems and wide area protection systems. This paper was written to accompany a panel presentation and discussion and was not intended to provide new research results.

Causal event graphs cyber-physical system intrusion detection system

This paper proposes to model the causal relationship between devices in a cyber-physical system using a Bayesian Networks and a new Bayesian Network expansion called causal event graphs. Unique paths through causal event graphs are used to model deterministic signatures which can be used by an intrusion detection system to classify events. A case study is provided to demonstrate the effectiveness of the method for classifying cyber and physical events in an electric transmission system. Bulk electric transmission systems are dynamic cyber-physical systems. Cyber monitoring and control systems are used to remotely operate the power system and to detect and react to physical disturbances. The communication layer associated with this monitoring and control functionality also enables cyber attacks against transmission systems. Existing regulations require utilities to use monitoring techniques such as intrusion detection systems to monitor cyber activity at electronic security perimeter boundaries. Recent attacks demonstrate that monitoring restricted to boundaries is insufficient to detect all attack threats. The methodology described in this paper provides a means to develop a model based defense in depth solution for electric transmission system intrusion detection.

A cyber-physical power system test bed for intrusion detection systems

The rapid advancement of technology used in operation, monitoring, and control introduces several threats against power system. Cyber-physical power system vulnerabilities are increasing and the consequences of attack can be catastrophic. Understanding power system phenomena and attacks is vital to identifying and detecting such events. Researchers require a suitable power system test bed that can provide a platform for simulation of power system events and attacks. An essential part of such a test bed is the ability to provide software and hardware interaction to mimic real world scenarios. This paper presents a test bed for the development of an intrusion detection system (IDS) for power systems. The test bed consists of a power system modeled on a real time digital simulator (RTDS), a data collection and processing engine, and a MATLAB/RSCAD parameter calculation engine. This test bed provides a platform for hardware in the loop (HIL) simulation, power system attacks, and generates data sets required by cyber security researchers. Coordinated distance protection and overcurrent protection schemes are implemented on the IEEE 9 bus system and a 3-generator 4 bus system [11]. Fault, contingency and cyber-attack scenarios have been developed for both power systems. Selected relevant simulation results are presented.

WAMS Cyber-Physical Test Bed for Power System, Cybersecurity Study, and Data Mining

Researchers from various cross disciplinary fields such as power systems, data science, and cybersecurity face two distinct challenges. First, the lack of a comprehensive test bed that integrates industry standard hardware, software, and wide area measurement system (WAMS) components and protocols impedes the study of cybersecurity issues including vulnerabilities associated with WAMS components and the consequences of exploitation of vulnerabilities. Second, a lack of comprehensive labeled Synchrophasor data along with other system related information imposes challenges to the development and evaluation of data mining algorithms that can classify power system cyber-power events. In this paper, a WAMS cyber-physical test bed was developed using a real time digital simulator with hardware-in-the-loop simulation. Commercial control and monitoring devices, hardware, software, and industry standard communication networks and protocols were combined with custom MATLAB, Python, and AutoIt scripts to model realistic power system contingencies and cyber-attacks. An automated simulation and control engine was developed to randomize modeled cyber-power events including power system faults, contingencies, control actions, and cyber-attacks. Scripts were added to capture heterogenous sensor data and create ground truth labeled datasets. The WAMS cyber-physical test bed is capable of simulating various sized power systems and creating datasets without altering the hardware configuration. A WAMS architecture is presented to document the integration of various components. Finally, test bed applications, simulated cyber-power scenarios, the dataset development process, and selected results are presented.

Applying Hoeffding Adaptive Trees for Real-Time Cyber-Power Event and Intrusion Classification

Electricity transmission systems are networked cyber physical systems that are subject to many well-known control, weather, and equipment failure related contingencies which can disrupt power delivery. Cyber-attacks against electric transmission systems are another class of contingency which can disrupt power delivery. Wide area monitoring systems (WAMSs) enhanced with phasor measurement units provide high volume and high velocity power system sensor data which can be combined with traditional power system data sources and cyber data sources to enable real time detection of both types of contingencies. This paper describes research toward a cyber-power event and intrusion detection system (EIDS) which can be used for multiclass or binary-class classification of traditional power system contingencies and cyber-attacks. The continuous streams of high speed data from WAMS pose significant challenges in data storage, management, and handling. Data stream mining addresses the continuous data problem and can deal with very large data sizes. Hoeffding adaptive trees (HAT) augmented with the drift detection method (DDM) and adaptive windowing (ADWIN) can effectively be used to classify traditional and cyber contingencies in real time. Experiments performed for this paper demonstrate HAT + DDM + ADWIN provides classification accuracy of greater than 94% for multiclass and greater than 98% for binary class classification for a dataset with artifacts from 45 classes of cyber-power contingencies. Results also show that HAT + DDM + ADWIN has a small memory foot print and a fast evaluation time which enables real time EIDS.