319 research outputs found
Detection of False Data Injection Attacks in Multi-Microgrid
In this thesis an Intrusion Detection System was developed to fight False Data Injection Attacks in Multi-Microgrids. Multi-Microgrids are a part of future power systems and they form the core part of critical infrastructure where resiliency and availability are exceedingly important. Severe consequences in the main power grid can happen if security is not taken into account. The Energy Management System has to be protected against cyber-attacks and one of the dire threats is a False Data Injection Attack. False Data Injections in Energy Management Systems are among the critical threats that need to be taken seriously as they can cause major harm.
In this thesis, the impact of a False Data Injection Attack on Multi-Microgrids and Energy Management Systems has been explored. It has also been researched how to detect these attacks by designing and developing a Multi-Microgrid model in MATLAB/Simulink for emulating the operation of a Multi-Microgrid. The MATLAB/Simulink model simulates a Multi-Microgrid environment over the course of 24 hours. To detect False Data Injection Attacks from the data created in this simulation a Kalman Filter based Intrusion Detection System was developed. The Kalman Filter based Intrusion Detection System analyzes simulation data for possible False Data Injection Attacks. Further analysis was done based on the results of the Kalman Filter based Intrusion Detection System implementation. The implementation was tested with a set of attack simulations. The results analysis revealed that the developed Kalman Filter based Intrusion Detection System is suitable for detecting simple attacks but it has low accuracy for complex intrusion attacks. Taking into account only the types of attacks the implementation was initially planned to detect, the detection rate averaged 87 %. The detection accuracy could be improved in future work by considering complex attack types early on in the implementation of the detection system.
Securing power systems against malicious actors from causing harm or gaining financial benefits is a far-reaching research topic with plenty of future paths to explore. Kalman Filter based methods are one of the potential methods for detecting False Data Injection Attacks in Energy Management Systems. More research on Kalman Filter based protections is part of the ongoing race in protecting ourselves from cyber-attacks against critical infrastructure.
Model Predictive Control for Mitigating Sensor Attacks on Multilevel Inverters
Nowadays, multilevel power inverters have become a hot research topic which are being widely used in smart grids. They are also driving devices for conveyors, compressors, motors, and can enable uninterruptible power supply for critical loads such as database centers or telecommunications base stations. In the future, smart grids will play an important role to achieve higher efficiency, smarter control and better performance. Such an ambitious goal can only be achieved by inverters with higher voltage and power levels.
Smart grids are typical cyber-physical systems that are composed of physical processes and computation units combined by sensors, actuators, and communication devices. Smart grids are prone to errors and vicious attacks on their physical construction leading to considerable damage, such as false data injection (FDI) and denial of service (DOS). The vicious data injection can effectively bypass the detection of the system and cause serious effects on the grid.
In recent years, some advanced control approaches have been proposed to perform inverter current control. Among them, model predictive control (MPC) is a promising one that makes use of explicit system models to predict its future response and optimize system performance. It has unique advantages that can accurately forecast the future response of the system and have fast response.
However, the effectiveness and the accuracy of the conventional MPC rely on whether the system model is accurate. Uncertainty and false data injection in the system model sometimes lead to unresponsive or even unstable control systems. Conventional MPC is hard to keep the system stable when the uncertainty and malicious attack happen. In existing studies, although various attacks have been investigated, the undetectable false data injection aiming at the inverter system was rarely studied.
In the thesis, the model of the cascaded H-bridge inverter is established and conventional MPC to achieve load current control is applied. It shows great performance to achieve load current control and has fast dynamic control. Then considering various attack signals such as step attack signals, pulse attack signals to the sensors in the system, the conventional MPC loses the ability to achieve a stable and effective current control.
According to simulation results, a Kalman Filter model is built which can filter some Gaussian noises from the sensors in the system. Then, from the perspective of an attacker, a special FDI attack is designed that can effectively bypass the Kalman Filter. For the system that is targeted by the FDI and DOS attack, a new controller is designed based on the K-Nearest Neighbor (KNN) algorithm and MPC strategy which can achieve the load current control with high output quality. Finally, the new control method based on KNN and MPC is compared with conventional MPC. The simulation results are analyzed and conclusions have been made. A modified MPC combined with the KNN algorithm proposed in this thesis can detect bad data that can enter the system without triggering alarms. The case studies show the modified MPC based on the KNN algorithm can achieve current control accurately when the system is injected by various attack signals, showing better performance of current control with low total harmonic distortion (THD).
Learning-based Fault Detection and Mitigation Model in Industrial Control Systems Based on Measurement Data
Industrial control systems (ICSs) play a significant role in supervising, controlling, and automating critical infrastructures, such as power plants, water treatment, and civil transportation. In the past years, ICSs have employed open technologies to communicate data over other ICS or non-ICS networks. Although wireless communication has the privilege of having access to the system from far distances, it opens new points of intrusion for adversaries. Fault detection problems in ICSs are commonly known as a network traffic monitoring scheme for detecting abnormal activities. However, a network-based intrusion detection system (NIDS) can be deceived by attackers that imitate the system's normal activity. This research is devoted to developing model-based and learning-based fault detection and mitigation designs, by focusing on the data-driven methods. The main contribution of this study is twofold. First, it proposes a novel machine learning-based approach for fault detection and mitigation in ICSs based on measurement data in the supervisory control and data acquisition (SCADA) system. The proposed fault detection, isolation, and identification (FDI) approach is called measurement intrusion detection system (MIDS), which enables the system to detect, locate, and identify the type of any abnormal activity in the system even if the attacker tries to conceal it in the system's control layer. Second, a learning-based control design would compensate for the detected fault to converge the system's deviation to zero. The proposed controller consists of a set of deep learning algorithms that learns the normal behavior of the ICS by monitoring the input and output data. This design allows ICSs to be fault-tolerant even if the mathematical model is unavailable. Also, it can be a complementary protection system along with the conventional NIDS to improve the security and reliability of ICSs remarkably.
The proposed mechanism is implemented and tested on two test-beds. First, employing experimental data, the MIDS is implemented on a dataset exploited from a test-bed consisting of a boiler, turbine, water-treatment, and a hardware-in-the-loop (HIL) simulator. Second, the performance of the MIDS and the learning-based controller is evaluated on a two-area interconnected power system with a load frequency control section. The results show a very successful and reliable performance for the proposed mechanism to protect ICSs against faults and attacks.
On the Detection of Cyber-Attacks in the Communication Network of IEC 61850 Electrical Substations
The availability of the data within the network communication remains one of the most critical requirement when compared to integrity and confidentiality. Several threats such as Denial of Service (DoS) or flooding attacks caused by Generic Object Oriented Substation Event (GOOSE) poisoning attacks, for instance, might hinder the availability of the communication within IEC 61850 substations.
To tackle such threats, a novel method for the Early Detection of Attacks for the GOOSE Network Traffic (EDA4GNeT) is developed in the present work.
Few of previously available intrusion detection systems take into account the specific features of IEC 61850 substations and offer a good trade-off between the detection performance and the detection time. Moreover, to the best of our knowledge, none of the existing works proposes an early anomaly detection method of GOOSE attacks in the network traffic of IEC 61850 substations that account for the specific characteristics of the network data in electrical substations.
The EDA4GNeT method considers the dynamic behavior of network traffic in electrical substations. The mathematical modeling of the GOOSE network traffic first enables the development of the proposed method for anomaly detection. In addition, the developed model can also support the management of the network architecture in IEC 61850 substations based on appropriate performance studies. To test the novel anomaly detection method and compare the obtained results with available techniques, two use cases are used
Information fusion architectures for security and resource management in cyber physical systems
Data acquisition through sensors is very crucial in determining the operability of the observed physical entity. Cyber Physical Systems (CPSs) are an example of distributed systems where sensors embedded into the physical system are used in sensing and data acquisition. CPSs are a collaboration between the physical and the computational cyber components. The control decisions sent back to the actuators on the physical components from the computational cyber components closes the feedback loop of the CPS. Since, this feedback is solely based on the data collected through the embedded sensors, information acquisition from the data plays an extremely vital role in determining the operational stability of the CPS. Data collection process may be hindered by disturbances such as system faults, noise and security attacks. Hence, simple data acquisition techniques will not suffice as accurate system representation cannot be obtained. Therefore, more powerful methods of inferring information from collected data such as Information Fusion have to be used.
Information fusion is analogous to the cognitive process used by humans to integrate data continuously from their senses to make inferences about their environment. Data from the sensors is combined using techniques drawn from several disciplines such as Adaptive Filtering, Machine Learning and Pattern Recognition. Decisions made from such combination of data form the crux of information fusion and differentiates it from a flat structured data aggregation. In this dissertation, multi-layered information fusion models are used to develop automated decision making architectures to service security and resource management requirements in Cyber Physical Systems --Abstract, page iv
Online disturbance prediction for enhanced availability in smart grids
A gradual move in the electric power industry towards Smart Grids brings new challenges to the system's efficiency and dependability. With a growing complexity and massive introduction of renewable generation, particularly at the distribution level, the number of faults and, consequently, disturbances (errors and failures) is expected to increase significantly. This threatens to compromise grid's availability as traditional, reactive management approaches may soon become insufficient. On the other hand, with grids' digitalization, real-time status data are becoming available. These data may be used to develop advanced management and control methods for a sustainable, more efficient and more dependable grid. A proactive management approach, based on the use of real-time data for predicting near-future disturbances and acting in their anticipation, has already been identified by the Smart Grid community as one of the main pillars of dependability of the future grid. The work presented in this dissertation focuses on predicting disturbances in Active Distributions Networks (ADNs) that are a part of the Smart Grid that evolves the most. These are distribution networks with high share of (renewable) distributed generation and with systems in place for real-time monitoring and control. Our main goal is to develop a methodology for proactive network management, in a sense of proactive mitigation of disturbances, and to design and implement a method for their prediction. We focus on predicting voltage sags as they are identified as one of the most frequent and severe disturbances in distribution networks. We address Smart Grid dependability in a holistic manner by considering its cyber and physical aspects. As a result, we identify Smart Grid dependability properties and develop a taxonomy of faults that contribute to better understanding of the overall dependability of the future grid. 
As the process of grid's digitization is still ongoing there is a general problem of a lack of data on the grid's status and especially disturbance-related data. These data are necessary to design an accurate disturbance predictor. To overcome this obstacle we introduce a concept of fault injection to simulation of power systems. We develop a framework to simulate a behavior of distribution networks in the presence of faults, and fluctuating generation and load that, alone or combined, may cause disturbances. With the framework we generate a large set of data that we use to develop and evaluate a voltage-sag disturbance predictor. To quantify how prediction and proactive mitigation of disturbances enhance availability we create an availability model of a proactive management. The model is generic and may be applied to evaluate the effect of proactive management on availability in other types of systems, and adapted for quantifying other types of properties as well. Also, we design a metric and a method for optimizing failure prediction to maximize availability with proactive approach. In our conclusion, the level of availability improvement with proactive approach is comparable to the one when using high-reliability and costly components. Following the results of the case study conducted for a 14-bus ADN, grid's availability may be improved by up to an order of magnitude if disturbances are managed proactively instead of reactively. 
The main results and contributions may be summarized as follows: (i) Taxonomy of faults in Smart Grid has been developed; (ii) Methodology and methods for proactive management of disturbances have been proposed; (iii) Model to quantify availability with proactive management has been developed; (iv) Simulation and fault-injection framework has been designed and implemented to generate disturbance-related data; (v) In the scope of a case study, a voltage-sag predictor, based on machine-learning classification algorithms, has been designed and the effect of proactive disturbance management on downtime and availability has been quantified.
Prediction of cyber-attacks in industrial SCADA systems through the implementation of the Kalman filter
In industrial SCADA (Supervisory Control and Data Acquisition) systems, knowing the status of each device allows information to be collected on its behavior. In this way, actions can be deduced, and different strategies can be formed to help reduce cyber risk. In this article of applied research, a model of prediction of possible cyber-attacks in a SCADA system is presented. This prediction is made with a Kalman filter. A Kalman filter processes cyber security events captured through an intrusion detection system (applied in a SCADA simulation system) and generates a future projection of the probability of an attack being carried out. With this information, system administrators will be able to make some decisions about how to act against imminent cyber-attacks. An installation of different technological components was carried out and 3 cyberattacks on the SCADA were executed: (i) possible scans, (ii) theft of information and (iii) command and data overwriting generating Denial of Service or DoS. The security events were detected by an intrusion detection system and sent to software set up with Kalman filter features to deliver as output the possible predictions of attacks. As a result, the probability of a successful computer attack can be seen from the entries based on the historical events and the applied filter formulas.
