99 research outputs found

    On the Detection of Cyber-Attacks in the Communication Network of IEC 61850 Electrical Substations

    The availability of the data within the network communication remains one of the most critical requirements when compared to integrity and confidentiality. Several threats such as Denial of Service (DoS) or flooding attacks caused by Generic Object Oriented Substation Event (GOOSE) poisoning attacks, for instance, might hinder the availability of the communication within IEC 61850 substations. To tackle such threats, a novel method for the Early Detection of Attacks for the GOOSE Network Traffic (EDA4GNeT) is developed in the present work. Few of previously available intrusion detection systems take into account the specific features of IEC 61850 substations and offer a good trade-off between the detection performance and the detection time. Moreover, to the best of our knowledge, none of the existing works proposes an early anomaly detection method of GOOSE attacks in the network traffic of IEC 61850 substations that account for the specific characteristics of the network data in electrical substations. The EDA4GNeT method considers the dynamic behavior of network traffic in electrical substations. The mathematical modeling of the GOOSE network traffic first enables the development of the proposed method for anomaly detection. In addition, the developed model can also support the management of the network architecture in IEC 61850 substations based on appropriate performance studies. To test the novel anomaly detection method and compare the obtained results with available techniques, two use cases are used

    Detection of DoS Attacks Using ARFIMA Modeling of GOOSE Communication in IEC 61850 Substations

    Integration of Information and Communication Technology (ICT) in modern smart grids (SGs) offers many advantages including the use of renewables and an effective way to protect, control and monitor the energy transmission and distribution. To reach an optimal operation of future energy systems, availability, integrity and confidentiality of data should be guaranteed. Research on the cyber-physical security of electrical substations based on IEC 61850 is still at an early stage. In the present work, we first model the network traffic data in electrical substations, then, we present a statistical Anomaly Detection (AD) method to detect Denial of Service (DoS) attacks against the Generic Object Oriented Substation Event (GOOSE) network communication. According to interpretations on the self-similarity and the Long-Range Dependency (LRD) of the data, an Auto-Regressive Fractionally Integrated Moving Average (ARFIMA) model was shown to describe well the GOOSE communication in the substation process network. Based on this ARFIMA-model and in view of cyber-physical security, an effective model-based AD method is developed and analyzed. Two variants of the statistical AD considering statistical hypothesis testing based on the Generalized Likelihood Ratio Test (GLRT) and the cumulative sum (CUSUM) are presented to detect flooding attacks that might affect the availability of the data. Our work presents a novel AD method, with two different variants, tailored to the specific features of the GOOSE traffic in IEC 61850 substations. The statistical AD is capable of detecting anomalies at unknown change times under the realistic assumption of unknown model parameters. The performance of both variants of the AD method is validated and assessed using data collected from a simulation case study. We perform several Monte-Carlo simulations under different noise variances. 
The detection delay is provided for each detector and it represents the number of discrete time samples after which an anomaly is detected. In fact, our statistical AD method with both variants (CUSUM and GLRT) has around half the false positive rate and a smaller detection delay when compared with two of the closest works found in the literature. Our AD approach based on the GLRT detector has the smallest false positive rate among all considered approaches. Whereas, our AD approach based on the CUSUM test has the lowest false negative rate thus the best detection rate. Depending on the requirements as well as the costs of false alarms or missed anomalies, both variants of our statistical detection method can be used and are further analyzed using composite detection metrics

    Early Attack Detection for Securing GOOSE Network Traffic

    The requirements for the security of the network communication in critical infrastructures have been more focused on the availability of the data rather than the integrity and the confidentiality. The availability of communication in IEC 61850 substations can be hindered by Generic Object Oriented Substation Event (GOOSE) poisoning attacks that might result in threats such as Denial of Service (DoS) or flooding attacks. In order to accurately detect similar attacks, a novel method for the Early Detection of Attacks for GOOSE Network Traffic (EDA4GNeT) is developed in the present work. The EDA4GNeT method considers the dynamic behavior of network traffic in electrical substations. A mathematical modeling of GOOSE network traffic is adopted for the anomaly detection based on statistical hypothesis testing. The developed mathematical model of the communication traffic can also support the management of the network architecture in IEC 61850 substations based on appropriate performance studies. To test the novel anomaly detection method and compare the obtained results with related works found in the literature, a simulation of a DoS attack against a 66/11kV substation with several experiments is used as a case study

    Pandemic episodes, CO2 emissions and global temperatures.

    This paper deals with the relationship between the CO2 emissions and the global temperatures across the various pandemic episodes that have taken place in the last 100 years. To carry out the analysis, first we conducted unit root tests finding evidence of nonstationary I(1) behavior, that means that a shift in time causes a change in the shape of distribution. However, due to the low statistical power of unit root tests, we also used a methodology based on long memory and fractional integration. Our results indicate that the emissions display very heterogeneous behaviour in relation with the degree of persistence across pandemics. The temperatures are more homogeneous, finding values for the orders of integration of the series smaller than 1 in all cases, and thus showing mean reverting behaviour.

    Anomaly Detection and Failure Prediction in Gas Turbines

    This study is based on time-series data taken from the combined cycle heavy-duty utility gas turbines. For analysis, first, a multi-stage vector autoregressive model is constructed for the nominal operation of powerplant assuming sparsity in the association among variables, and this model is used as a basis for anomaly detection and prediction. This prediction is compared with the time-series data of the powerplant test data containing anomalies. Granger causality networks, which are based on the associations between the time series streams, can be learned as an important implication from the vector autoregressive modelling. This method suffers from the disadvantage that some of the variables are not stationary even after segmenting the working mode based on the RPM. To improve the efficacy of the algorithm, the observations are further clustered into different working modes, because of the heterogeneous behavior of the gas turbine parameters under various modes. Then predicting the operational parameters is considered under each mode respectively, via algorithms including random forest, generalized additive model, and neural networks. The comparative advantage based on prediction accuracy and applicability of the algorithms is discussed for real-time use and post processing. The advantage of this segmentation method is that it achieves high predictive power and provides insight into the behavior of specific gas turbine variables. Next, the long-memory behavior of residuals is modeled, and heterogeneous variances are observed from the residuals of the generalized additive model. Autoregressive Fractionally Integrated Moving Average (ARFIMA) and Generalized Autoregressive Conditional Heteroskedasticity (GARCH) models are employed to fit the residual process, which significantly improve the prediction. Rolling one-step-ahead forecast is studied. 
Numerical experiments of abrupt changes and trend in the blade-path temperature are performed to evaluate the specificity and sensitivity of the prediction. The prediction is sensitive given reasonable signal-to-noise ratio and has lower false-positive rate

    Temperature and precipitation in the US states: long memory, persistence, and time trend.


    Spurious Long Memory in Commodity Futures: Implications for Agribusiness Option Pricing

    Long memory, and more precisely fractional integration, has been put forward as an explanation for the persistence of shocks in a number of economic time series data as well as to reconcile misleading findings of unit roots in data that should be stationary. Recent evidence suggests that long memory characterizes not commodity futures prices but rather price volatility (generally defined as L_p norms of price logreturns). One implication of long memory in volatility is the mispricing of options written on commodity futures, the consequence of which is that fractional Brownian motion should replace geometric Brownian motion as the building block for option pricing solutions. This paper asks whether findings of long memory in volatility might be spurious and caused either by fragile and inaccurate estimation methods and standard errors, by correlated short memory dynamics, or by alternative data generating processes proven to generate the illusion of long memory. We find that for nine out of eleven agricultural commodities for which futures contracts are traded, long memory is spurious but is not caused by the effect of short memory. Alternative explanations are addressed and implications for option pricing are highlighted. Q13, Q14, Marketing, C52, C53, G12, G13

    Security, trust and cooperation in wireless sensor networks

    Wireless sensor networks are a promising technology for many real-world applications such as critical infrastructure monitoring, scientific data gathering, smart buildings, etc. However, given the typically unattended and potentially unsecured operation environment, there has been an increased number of security threats to sensor networks. In addition, sensor networks have very constrained resources, such as limited energy, memory, computational power, and communication bandwidth. These unique challenges call for new security mechanisms and algorithms. In this dissertation, we propose novel algorithms and models to address some important and challenging security problems in wireless sensor networks. The first part of the dissertation focuses on data trust in sensor networks. Since sensor networks are mainly deployed to monitor events and report data, the quality of received data must be ensured in order to make meaningful inferences from sensor data. We first study a false data injection attack in the distributed state estimation problem and propose a distributed Bayesian detection algorithm, which could maintain correct estimation results when less than one half of the sensors are compromised. To deal with the situation where more than one half of the sensors may be compromised, we introduce a special class of sensor nodes called trusted cores. We then design a secure distributed trust aggregation algorithm that can utilize the trusted cores to improve network robustness. We show that as long as there exist some paths that can connect each regular node to one of these trusted cores, the network cannot be subverted by attackers. The second part of the dissertation focuses on sensor network monitoring and anomaly detection. A sensor network may suffer from system failures due to loss of links and nodes, or malicious intrusions. Therefore, it is critical to continuously monitor the overall state of the network and locate performance anomalies. 
The network monitoring and probe selection problem is formulated as a budgeted coverage problem and a Markov decision process. Efficient probing strategies are designed to achieve a flexible tradeoff between inference accuracy and probing overhead. Based on the probing results on traffic measurements, anomaly detection can be conducted. To capture the highly dynamic network traffic, we develop a detection scheme based on multi-scale analysis of the traffic using wavelet transforms and hidden Markov models. The performance of the probing strategy and of the detection scheme are extensively evaluated in malicious scenarios using the NS-2 network simulator. Lastly, to better understand the role of trust in sensor networks, a game theoretic model is formulated to mathematically analyze the relation between trust and cooperation. Given the trust relations, the interactions among nodes are modeled as a network game on a trust-weighted graph. We then propose an efficient heuristic method that explores network heterogeneity to improve Nash equilibrium efficiency

    Synthesis of Satellite Microwave Observations for Monitoring Global Land-Atmosphere CO2 Exchange

    This dissertation describes the estimation, error quantification, and incorporation of land surface information from microwave satellite remote sensing for modeling global ecosystem land-atmosphere net CO2 exchange. Retrieval algorithms were developed for estimating soil moisture, surface water, surface temperature, and vegetation phenology from microwave imagery timeseries. Soil moisture retrievals were merged with model-based soil moisture estimates and incorporated into a light-use efficiency model for vegetation productivity coupled to a soil decomposition model. Results, including state and uncertainty estimates, were evaluated with a global eddy covariance flux tower network and other independent global model- and remote-sensing based products