Supporting Security with Advanced Multimodal Grid Data Analytics

s
Activity Leads: 
Industry Collaborators: 

This research benefits from the close collaboration of the industry partners and utilities. The main collaborators are:

  • Riverside Public Utilities (RPU)
  • Electric Power Research Institute (EPRI)
  • OSIsoft

The work in thread 1 overlaps with the DOE-Lawrence Berkeley Laboratory grant DE-AC02-05CH11231 (2015-2017) ($200,000) “LBNL/CEDS - Supporting Cyber Security of Power Distribution Systems by Detecting Difference between Real-Time Micro-Synchrophasor Measurements and Cyber-Reported SCADA.” The work in thread 2 complements this and other activities in CREDC that make use of PMU readings, particularly for distribution grids.

Summary Statement: 

This activity contains two main threads that are filling gaps through advanced forms of network and grid analytics.

Cyber-Physical Intrusion Detection Incorporating μPMU Measurements in Automated Distribution Systems: Assuring the Automated Distribution System (ADS) communication security is of utmost importance, especially for those applications that are time- and function-critical, and usually relate to expensive infrastructures. Considering the fact that the protocols used in this network are not secure, our idea is to introduce a Grid Security System (GSS) that extends the established cyber security notion of Network Intrusion Detection Systems (NIDSs) to comprise physical reliability metrics and leverage new sensing modalities.

An important feature of our GSS architecture is that it leverages emerging low-cost, Micro-Synchrophasor (µPMU) technology. µPMUs are synchronized, fast-sampling devices, developed to do real-time measurements in the distribution grid. Our GSS architecture is hierarchical, and the NIDS processing correlates different data sources including the µPMU data, and the monitored Distribution SCADA communication packets, which contain the physical and cyber data that are used in the control of the ADS.

The security policies are translated into mechanisms using the BRO framework, and implemented hierarchically as shown in Fig. 1. This would be the first time that BRO rules comprehend full knowledge of the physics of the physical infrastructure. The stage-1 servers are placed next to each µPMU and network tap, and are responsible for finding the anomalies in the functions of voltage and current phasor. The higher stages correlate an increasing amount of sensor information and prior information about the system and inspect for the anomaly and source of the anomaly.

Addressing Data Quality Challenges and Forensic Analysis of Power Grid Measurements to Support Cyber-Physical Security: Having µPMU devices as a critical component in our other thread, we have observed that data quality issues arising due to noise or erroneous current and voltage transformers can lead to incorrect readings. We therefore decided to pursue a thread in this activity that deals with the data quality issues affecting the analytics that are developed to monitor the security status of the grid. However, this thread is not just limited to this issue. We also wish to extend the notion of “non-intrusive load monitoring (NILM)” algorithms for the forensic analysis of µPMU signals. The NILM algorithm disaggregates the signals in individual components that are traced back to the specific load activities in the grid. The objective of this analysis from a defender perspective, is to discriminate between normal and abnormal activities at the feeder by classifying the unique local features of the AC power signal associated to specific events and uses. We will test this idea using the current and voltage phasor measurements that are feeding into a computer server.

Energy Delivery System (EDS) Gap Analysis: 

We have identified gaps in lack of visibility to critical events in distribution automation systems, as well as data quality challenges to the use of grid measurements to support cyber security. This activity integrates high-resolution physical sensors, such as PMUs, into the reconnaissance of cyber-attacks into EDS, to enhance and complement the analysis of control area networks traffic. Rather than using model-free methods, our adaptive signal processing algorithms search for signatures by leveraging models based on system reliability principles and the law of physics so as to automate the detection, analysis and classification of the physical events and determine where and how cyber-assets may be compromised. Our sensor fusion architecture fully leverages distributed intelligence to be scalable to a large number of sensors and wide area collection deployment.

Reference the research activity fact sheet (PDF) for an extended gap analysis and bibliography. 

How does this research activity address the Roadmap to Achieve Energy Delivery Systems Cybersecurity?
This activity directly aims to create automated mechanisms to “assess and monitor risk” at the level of electric power distribution networks, by using high resolution sensors, knowledge of the interactions of the cyber and  physical realms, and a data management architecture designed to respond in real time and, thus help “manage  cyber-incidents” promptly.

Status of Activity: 
Active