Substation Anomaly Detection System – A Substation & Distribution Network Cybersecurity Early Warning System

Eric Hawthorne, Moein Manbachi, Alif Gilani

semanticscholar (2019)

Abstract
Power grids are transitioning to a fully digital data-network-driven paradigm. While digitalization provides great benefit in terms of flexible, adaptive, and efficiency-optimized operation of the power grid, it introduces substantial new risks of cyberattack on the power grid, including the risk of disruptive and damaging mal-operation of control and protection. While IT security best practices and IT security technology such as firewalls, intrusion and malware detection systems, asset management software and Security Information and Event Management (SIEM) systems can help to detect and prevent such attacks, it is wise to assume that well-resourced mal-actors may still penetrate the control network, and either take manual actions or place persistent malware for later triggering. Therefore, an additional important aspect of critical infrastructure cybersecurity is real-time situational awareness of potential system mal-operation due to digital monitoring and control system misbehavior. A pathway to such situational awareness is to understand system vulnerabilities to different cyberattacks, and to note the characteristic effects of each category of attack. Hence, it is important for operators of an infrastructure system such as digital substations to investigate potential cyberattack scenarios, and to prioritize detection and mitigation efforts according to different cyberattack impact levels. This paper enumerates and describes attack types particular to the OT (control and monitoring system) of the substation and distribution segment of the grid, on the assumption that access to the OT networks has already been gained by mal-actors or their malware. With research still in progress, this paper examines specific cyberattack test case scenarios carried out on an IEC 61850 digital substation emulated by a designed test platform. The emulated substation and distribution grid has an advanced double bus-bar scheme and includes Distribution Energy Resource (DER) assets. Multi-vendor protection relays adopt typical protective schemes of a real substation environment, and power flow simulation is carried out over the process bus (IEC 61850-9). This paper first introduces the designed and developed real-time test platform for cybersecurity studies. Then, it briefly enumerates plausible cyberattack cases against an IEC 61850 substation and distribution grid. It then investigates two noteworthy and diverse IEC 61850-based cyberattack test cases, i.e., forged breaker failure and reverse polarity of DR/DER operation. For these two test cases, data collection, training of the Machine Learning (ML) algorithm, attack sequences, anomaly detection methods, and testing of the trained detection system on attack-contrasting normal-operation use cases are discussed.