
    Machine Learning Based Detection of False Data Injection Attacks in Wide Area Monitoring Systems

    The Smart Grid (SG) is an upgraded, intelligent, and more reliable version of the traditional Power Grid due to the integration of information and communication technologies. The operation of the SG requires a dense communication network to link all its components, but such a network renders it prone to cyber attacks that jeopardize the integrity and security of the data communicated between the physical electric grid and the control centers. One of the most prominent components of the SG is the Wide Area Monitoring System (WAMS). WAMS are a modern platform for grid-wide information, communication, and coordination that play a major role in maintaining the stability of the grid against major disturbances. In this thesis, an anomaly detection framework is proposed to identify False Data Injection (FDI) attacks in WAMS using different Machine Learning (ML) and Deep Learning (DL) techniques, i.e., Deep Autoencoders (DAE), Long Short-Term Memory (LSTM), and One-Class Support Vector Machine (OC-SVM). These algorithms leverage diverse, complex, and high-volume power measurements coming from communications between different components of the grid to detect intelligent FDI attacks. The injected false data is assumed to target several major WAMS monitoring applications, such as Voltage Stability Monitoring (VSM) and Phase Angle Monitoring (PAM). The attack vector is considered to be smartly crafted based on the power system data, so that it can pass the conventional bad data detection schemes and remain stealthy. Due to the lack of realistic attack data, machine learning-based anomaly detection techniques are used to detect FDI attacks. To demonstrate the impact of attacks on realistic WAMS traffic and to show the effectiveness of the proposed detection framework, a Hardware-In-the-Loop (HIL) co-simulation testbed is developed. The performance of the implemented techniques is compared on the testbed data using different metrics: Accuracy, F1 score, False Positive Rate (FPR), and False Negative Rate (FNR). The IEEE 9-bus and IEEE 39-bus systems are used as benchmarks to investigate the framework's scalability. The experimental results prove the effectiveness of the proposed models in detecting FDI attacks in WAMS.

    Electric Power Synchrophasor Network Cyber Security Vulnerabilities

    Smart grid technologies such as synchrophasor devices (Phasor Measurement Units (PMUs)) make real-time monitoring, control, and analysis of the electric power grid possible. PMUs measure voltage and current phasors across the electrical power grid, add a GPS time stamp to measurements, and send reports to the Phasor Data Concentrators (PDCs) in the control centers. Reports are used to make decisions about the condition and state of the power grid. Since this approach relies on Internet Protocol (IP) network infrastructure, possible cybersecurity vulnerabilities have to be addressed to ensure that it is stable, secure, and reliable. Attacks relevant to PMUs are discussed in the literature. The system modeled is the benchmark IEEE 68-bus (New England/New York) power system. This document details vulnerability testing performed on a network implemented with a real-time grid simulator, the Real Time Digital Simulator (RTDS), with SEL PMU devices monitoring several buses. The first set of security vulnerabilities was found when running traffic analysis of the network. Using this approach, it was found that the system was susceptible to Address Resolution Protocol (ARP) poisoning. This allowed the switch to be tricked so that all network traffic was rerouted through the attack computer. This technique allowed for packet analysis, man-in-the-middle, and denial of service (DoS) attacks. Side channel analysis was used to distinguish PMU traffic across the virtual private network (VPN) established by the security gateways. After the traffic was collected, the inter-packet delays were used to construct a Hidden Markov Model. This model was used to distinguish measurement packets being transported across the VPN. Once the measurements are identified, a DoS attack can be performed on the network. While this document unveils certain security vulnerabilities within the PMU network, further testing is needed to provide a full security vulnerability analysis. A future security agenda is proposed.

    Security Analysis of Interdependent Critical Infrastructures: Power, Cyber and Gas

    abstract: Our daily life is becoming more and more reliant on services provided by infrastructures such as power, gas, and communication networks. Ensuring the security of these infrastructures is of utmost importance. This task becomes ever more challenging as the interdependence among these infrastructures grows and a security breach in one infrastructure can spill over to the others. The implication is that the security practices/analysis recommended for these infrastructures should be done in coordination. This thesis, focusing on the power grid, explores strategies to secure the system that look into the coupling of the power grid to the cyber infrastructure used to manage and control it, and to the gas grid, which supplies an increasing amount of reserves to overcome contingencies. The first part (Part I) of the thesis, including chapters 2 through 4, focuses on the coupling of the power and the cyber infrastructure that is used for its control and operations. The goal is to detect malicious attacks gaining information about the operation of the power grid to later attack the system. In chapter 2, we propose a hierarchical architecture that correlates the analysis of high resolution Micro-Phasor Measurement Unit (microPMU) data and traffic analysis on the Supervisory Control and Data Acquisition (SCADA) packets, to infer the security status of the grid and detect the presence of possible intruders. An essential part of this architecture is tied to the analysis of the microPMU data. In chapter 3 we establish a set of anomaly detection rules on microPMU data that flag "abnormal behavior". A placement strategy for microPMU sensors is also proposed to maximize the sensitivity in detecting anomalies. In chapter 4, we focus on developing rules that can localize the source of an event using microPMUs, to further check whether a cyber attack is causing the anomaly by correlating SCADA traffic with the microPMU data analysis results. The thread that unifies the data analysis in this chapter is the fact that decisions are made without fully estimating the state of the system; on the contrary, decisions are made using a set of physical measurements that falls short by orders of magnitude of meeting the needs for observability. More specifically, in the first part of this chapter (sections 4.1-4.2), using microPMU data in the substation, methodologies for online identification of the source Thevenin parameters are presented. This methodology is used to identify reconnaissance activity on the normally-open switches in the substation, initiated by attackers to gauge their controllability over the cyber network. The applications of this methodology in monitoring the voltage stability of the grid are also discussed. In the second part of this chapter (sections 4.3-4.5), we investigate the localization of faults. Since the number of PMU sensors available to carry out the inference is insufficient to ensure observability, the problem can be viewed as that of under-sampling a "graph signal"; the analysis leads to a PMU placement strategy that can achieve the highest resolution in localizing the fault for a given number of sensors. In both cases, the results of the analysis are leveraged in the detection of cyber-physical attacks, where microPMU data and relevant SCADA network traffic information are compared to determine if a network breach has affected the integrity of the system information and/or operations. In the second part of this thesis (Part II), the security analysis considers the adequacy and reliability of schedules for the gas and power network. Scheduling supply jointly in gas and power networks is motivated by the increasing reliance of power grids on natural gas generators (and, indirectly, on gas pipelines) as providers of critical reserves. Chapter 5 focuses on unveiling the challenges and providing solutions to this problem.
    Doctoral Dissertation, Electrical Engineering, 201

    Impact Assessment of Hypothesized Cyberattacks on Interconnected Bulk Power Systems

    The first-ever cyberattack on the Ukrainian power grid proved its devastating effect by hacking into critical cyber assets. With administrative privileges to access substation networks/local control centers, one intelligent way of conducting coordinated cyberattacks is to execute a series of disruptive switching operations on multiple substations using compromised supervisory control and data acquisition (SCADA) systems. These actions can cause significant impacts on an interconnected power grid. Unlike previous power blackouts, such high-impact initiating events can aggravate operating conditions, initiating instability that may lead to system-wide cascading failure. A systemic evaluation of "nightmare" scenarios is highly desirable for asset owners to manage and prioritize the maintenance and investment in protecting their cyberinfrastructure. This survey paper is a conceptual expansion of the real-time monitoring, anomaly detection, impact analyses, and mitigation (RAIM) framework that emphasizes the resulting impacts on both steady-state and dynamic aspects of power system stability. Hypothetically, we associate the combinatorial analyses of steady state on substation/component outages and the dynamics of the sequential switching orders as part of the permutation. The expanded framework includes (1) critical/noncritical combination verification, (2) cascade confirmation, and (3) combination re-evaluation. This paper ends with a discussion of the open issues for metrics and future design pertaining to the impact quantification of cyber-related contingencies.

    Real-time data operations and causal security analysis for edge-cloud-based Smart Grid infrastructure

    Electric power grids are one of the fundamental infrastructures of modern society and are among the most complex networks ever made. Recent developments in communications, sensing, and measurement techniques have completely changed the traditional electric power grid and have brought us the intelligent electric power grid known as the Smart Grid. As a critical cyber-physical system (CPS), the Smart Grid is an integration of physical components, sensors, actuators, control centers, and communication networks. The key to orchestrating a large-scale Smart Grid is to provide situational awareness of the system, and situational awareness is based on large-scale, real-time, accurate collection and analysis of the monitoring and measurement data of the system. However, it is challenging to guarantee situational awareness of the Smart Grid. On the one hand, connecting a growing number of heterogeneous programmable devices together introduces new security risks and increases the attack surface of the system. On the other hand, the tremendous amount of measurements from sensors spanning a large geographical area can result in a reduction of available bandwidth and increased network latency. Both the lack of security protection and the delayed sensor data impede the situational awareness of the system and thus limit the ability to efficiently control and protect large-scale Smart Grids in time-critical scenarios. To address the aforementioned challenges, in this thesis, I propose a series of frameworks to provide and guarantee situational awareness in the Smart Grid. Taking an integrated approach of edge-cloud design, real-time data operations, and causal security analysis, the proposed frameworks enhance security protection through anomaly detection, alert management, and causal reasoning over alerts, and reduce traffic volume through online data compression. Extensive experiments with real or synthetic traffic demonstrate that the proposed frameworks achieve satisfactory performance and bear great potential practical value.

    Cyber Physical System Security — DoS Attacks on Synchrophasor Networks in the Smart Grid

    With the rapid increase of network-enabled sensors, switches, and relays, cyber-physical system security in the smart grid has become important. Smart grid operation demands reliable communication. Existing encryption technologies ensure the authenticity of delivered messages. However, commonly applied technologies are not able to prevent the delay or drop of smart grid communication messages. In this dissertation, the author focuses on the network security vulnerabilities in synchrophasor networks and their mitigation methods. Side-channel vulnerabilities of the synchrophasor network are identified. The synchrophasor network is one of the most important technologies in the smart grid transmission system. Experiments presented in this dissertation show that a DoS attack that exploits the side-channel vulnerability against the synchrophasor network can lead to power system instability. Side-channel analysis extracts information by observing implementation artifacts without knowing the actual meaning of the information. A synchrophasor network consists of Phasor Measurement Units (PMUs) that use the synchrophasor protocol to transmit measurement data. Two side-channels are discovered in the synchrophasor protocol. Side-channel analysis based Denial of Service (DoS) attacks differentiate the source of multiple PMU data streams within an encrypted tunnel and drop only selected PMU data streams. Simulations on a power system show that, without any countermeasure, a power system can be subverted after an attack. Then, mitigation methods from both the network and power grid perspectives are carried out. From the network security perspective, side-channel analysis and protocol transformation have the potential to help PMU communication evade attacks that begin with protocol identification. From the power grid control perspective, to mitigate PMU DoS attacks, Cellular Computational Network (CCN) prediction of PMU data is studied and used to implement a Virtual Synchrophasor Network (VSN), which learns and mimics the behaviors of an objective power grid. The data from the VSN is used by the Automatic Generation Controllers (AGCs) when the PMU packets are disrupted by DoS attacks. Real-time experimental results show that the CCN-based VSN effectively inferred the missing data and mitigated the negative impacts of DoS attacks. In this study, industry-standard hardware PMUs and a Real-Time Digital Power System Simulator (RTDS) are used to build experimental environments that are as close to actual production as possible for this research. The above-mentioned attack and mitigation methods are also tested on the Internet. A Man-In-The-Middle (MITM) attack on PMU traffic is performed with Border Gateway Protocol (BGP) hijacking. A side-channel analysis based MITM attack detection method is also investigated. A game theory analysis is performed to give a broade

    A Data Analytics Framework for Smart Grids: Spatio-temporal Wind Power Analysis and Synchrophasor Data Mining

    abstract: Under the framework of intelligent management of power grids by leveraging advanced information, communication, and control technologies, a primary objective of this study is to develop novel data mining and data processing schemes for several critical applications that can enhance the reliability of power systems. Specifically, this study is broadly organized into the following two parts: I) spatio-temporal wind power analysis for wind generation forecast and integration, and II) data mining and information fusion of synchrophasor measurements toward secure power grids. Part I is centered around wind power generation forecast and integration. First, a spatio-temporal analysis approach for short-term wind farm generation forecasting is proposed. Specifically, using extensive measurement data from an actual wind farm, the probability distribution and the level crossing rate of wind farm generation are characterized using tools from graphical learning and time-series analysis. Built on these spatial and temporal characterizations, finite state Markov chain models are developed, and a point forecast of wind farm generation is derived using the Markov chains. Then, multi-timescale scheduling and dispatch with stochastic wind generation and opportunistic demand response is investigated. Part II focuses on incorporating the emerging synchrophasor technology into the security assessment and the post-disturbance fault diagnosis of power systems. First, a data-mining framework is developed for on-line dynamic security assessment (DSA) using adaptive ensemble decision tree learning of real-time synchrophasor measurements. Under this framework, novel on-line dynamic security assessment schemes are devised, aiming to handle various factors (including variations of operating conditions, forced system topology change, and loss of critical synchrophasor measurements) that can have a significant impact on the performance of conventional data-mining based on-line DSA schemes. Then, in the context of post-disturbance analysis, fault detection and localization of line outages is investigated using a dependency graph approach. It is shown that a dependency graph for voltage phase angles can be built according to the interconnection structure of the power system, and line outage events can be detected and localized through networked data fusion of the synchrophasor measurements collected from multiple locations of the power grid. Along a more practical avenue, a decentralized networked data fusion scheme is proposed for efficient fault detection and localization.
    Ph.D., Electrical Engineering, 201

    Integrity and Privacy Protection for Cyber-physical Systems (CPS)

    The present-day interoperable and interconnected cyber-physical systems (CPS) provide significant value in our daily lives with the incorporation of advanced technologies. Still, they also increase the exposure to many security and privacy risks, such as (1) maliciously manipulating the CPS data and sensors to compromise the integrity of the system, (2) launching internal/external cyber-physical attacks on central-controller-dependent CPS to cause single-point-of-failure issues, and (3) running malicious data and query analytics on the CPS data to identify internal insights and use them for financial gain. Moreover, CPS data privacy protection during sharing, aggregating, and publishing has also become challenging nowadays because most of the existing CPS security and privacy solutions have drawbacks, like (a) lack of a proper vulnerability characterization model to accurately identify where privacy is needed, (b) ignoring data providers' privacy preferences, and (c) using uniform privacy protection, which may create inadequate privacy for some providers while overprotecting others. Therefore, to address these issues, the primary purpose of this thesis is to orchestrate the development of a decentralized, P2P-connected data privacy preservation model to improve the CPS system's integrity against malicious attacks. In that regard, we adopt blockchain to facilitate a decentralized and highly secure system model for CPS with self-defensive capabilities. This proposed model will mitigate data manipulation attacks from malicious entities by introducing Bloom filter-based fast CPS device identity validation and Merkle tree-based fast data verification. Finally, the blockchain consensus will help to keep consistency and eliminate malicious entities from the protection framework. Furthermore, to address the data privacy issues in CPS, we propose a personalized data privacy model by introducing a standard vulnerability profiling library (SVPL) to characterize and quantify the CPS vulnerabilities and identify the necessary privacy requirements. Based on this model, we present our personalized privacy framework (PDP), in which Laplace noise is added based on the individual node's selected privacy preferences. Finally, combining these two proposed methods, we demonstrate that the blockchain-based system model is scalable and fast enough for CPS data integrity verification. Also, the proposed PDP model can attain better data privacy by eliminating the trade-off between privacy, utility, and the risk of losing information.

    Methods to Attack and Secure the Power Grids and Energy Markets

    The power grid is a highly complex control system and one of the most impressive engineering feats of the modern era. Nearly every facet of modern society critically relies on the proper operation of the power grid, such that long or even short interruptions can impose significant economic and social hardship on society. The current power grid is undergoing a transformation to a Smart Grid that seeks to monitor and track diagnostic and operational information so as to enable a more efficient and resilient system. This significant transformation, however, has made the grid more susceptible to attacks by cybercriminals, as highlighted by several recent attacks on power grids that have exposed the vulnerabilities in modern power systems. Motivated by this, this thesis aims at analyzing the effect of three classes of emerging cyberattacks on smart grids and a set of possible defense mechanisms to prevent them or at least reduce their damaging consequences in the grid. In the first part of the thesis, we analyze the security of the power grid against attacks targeting the supervisory control and data acquisition (SCADA) network. We show that the existing techniques require some level of trust from components of the SCADA system, rendering them vulnerable to sophisticated attacks that could compromise the entire SCADA system. As a viable solution to this issue, we present a radio frequency-based distributed intrusion detection system (RFDIDS) that remains reliable even when the entire SCADA system is considered untrusted. In the second part of the thesis, we analyze the performance of the existing high-wattage IoT botnet attacks (Manipulation of Demand via IoT (MaDIoT)) on power grids and show that they are ineffective in most cases because of the existence of legacy protection schemes and the randomness of the attacks. We discuss how an attacker can launch more sophisticated attacks in this category which can cause a total collapse of the power system. We illustrate that by computing voltage instability indices, an attacker can find the appropriate time and locations to activate the high-wattage bots, causing (with very high probability) a complete voltage collapse and blackout in the bulk power system; we call these new attacks MaDIoT 2.0. We also propose novel, effective defenses against MaDIoT 2.0 attacks by modifying the way classical protection algorithms work in power networks. In the third part of the thesis, we discuss how a smart attacker with access to a high-wattage IoT botnet can indirectly manipulate energy prices in the electricity markets. We name this attack Manipulation of Market via IoT (MaMIoT). MaMIoT is the first energy market manipulation cyberattack that leverages high-wattage IoT botnets to slightly change the total demand of the power grid with the aim of affecting electricity prices in favor of specific market players. Using real-world data obtained from two major energy markets, we show that MaMIoT can significantly increase the profit of particular market players or financially damage a group of players depending on the motivation of the attacker. We discuss a set of effective countermeasures to reduce the possibility and effect of such attacks.
    Ph.D.