Electric power systems for high and medium voltages are widely used. The need to transmit power over longer distances, to perform voltage conversion in a transformer substation or to distribute power requires complex electric systems. In recent years, so-called automation systems have become increasingly popular which increase the degree of automation attained in an electric power system. For illustration, substations for power distribution in high and medium voltage power networks include primary or field devices such as electrical cables, lines, bus bars, switches, breakers, power transformers and instrument transformers arranged in switch yards and/or bays. These primary devices may be operated in an automated way via a Substation Automation (SA) system responsible for controlling, protecting and monitoring of substations. The SA system comprises programmable secondary devices, so-called Intelligent Electronic Devices (IED), interconnected in a SA communication network, and interacting with the primary devices via a process interface. Similarly, a wide variety of electric power systems may have an associated power utility automation system which includes IEDs that perform functions of controlling, protecting and monitoring operation of the respective electric power system. Communication between IEDs may be performed according to standardized protocols. For illustration, the IEC standard 61850 “Communication Networks and Systems in Substations” decouples the substation-specific application functionality from the substation communication-specific issues and to this end, defines an abstract object model for compliant substations, and a method how to access these objects over a network via an Abstract Communication Service Interface (ACSI).
With an increasing degree of automation and with increasing usage of IEDs, there is also an increasing need to reliably detect critical situations in the power automation system. Examples for such critical events include security intrusions, operator errors, timing issues, hardware faults or any critical or incorrect state of the electric power system and/or its power utility automation system.
US 2011/0196627 A1 describes methods and devices in which real-time data transmissions are detected and may be evaluated with regard to time-related information. Such an approach allows critical situations to be detected when, for example, communication protocols are used which require messages that are transmitted between IEDs to fulfil certain timing requirements.
In the field of computer networks, Intrusion Detection Systems (IDSs) are used to monitor the network or the activity of systems in order to detect intrusions or malicious activities of unauthorized third-parties. IDSs are designed to identify possible incidents, log information and report possible attempts. The primary function of IDSs is to alert the operator of the secured perimeter, so that he can take measures to prevent intrusion, to minimize the impacts of the attacks or to do post incident analysis. Signature-based IDSs use predefined signatures of known attacks (like virus scanner signatures) to detect intrusions. This can be seen as a blacklist approach, where the IDS alerts the operator if a behaviour is observed which is explicitly forbidden in the sense that it is included in the blacklist. Such signature-based approaches are widely used for IDSs in classical information technology (IT) systems. While the blacklist approach may be used to detect critical events in power utility automation systems, there may be problems associated with such an approach. The blacklist approach requires a signature for each critical event which is to be identified. New or unknown attacks cannot be detected. In the context of electric power systems, the number of attacks and vulnerabilities known for control and automation systems and their special protocols is very low. Therefore, blacklist based IDS applied to electric power systems would, to a great extent, only be able to detect attacks known from the IT domain. The usefulness of blacklist approaches is thus especially limited for IDS in electric power systems.