In a controlled cyber-physical network, such as a power grid, any malicious
data injection in the sensor measurements can lead to widespread impact due to
the actions of the closed-loop controllers. While fast identification of the
attack signatures is imperative for reliable operations, it is challenging to
do so in a large dynamical network with tightly coupled nodes. A particularly
challenging scenario arises when the cyberattacks are strategically launched
during a grid stress condition, caused by non-malicious physical disturbances.
In this work, we propose an algorithmic framework -- based on Koopman mode (KM)
decomposition -- for online identification and visualization of the cyberattack
signatures in streaming time-series measurements from a power network. The KMs
are capable of capturing the spatial embedding of both natural and anomalous
modes of oscillations in the sensor measurements and thus revealing the
specific influences of cyberattacks, even under existing non-malicious grid
stress events. Most importantly, it enables us to quantitatively compare the
outcomes of different potential cyberattacks injected by an attacker. The
performance of the proposed algorithmic framework is illustrated on the IEEE
68-bus test system using synthetic attack scenarios. Such knowledge regarding
the detection of various cyberattacks will enable us to devise appropriate
diagnostic schemes while considering varied constraints arising from different
attacks.

Comment: accepted as a work-in-progress paper at the 2024 Annual Conference of
the IEEE Industrial Electronics Society (IECON