Electric power substations are critical elements of the power grid, installed with power system components such as transformers, busbars, and circuit breakers arranged to ensure reliable and adequate transmission and distribution of electric power. Measurements from substations, such as from Intelligent Electronic Devices (IEDs), are used as input to Energy Management System (EMS) software applications, including state estimation and optimal power flow for monitoring and control of the electric system. Both “cyber devices” and “physical devices” can be physically and/or electrically connected in the substation. For example, a protection and control unit of a transformer (a physical device) is connected to a user interface (a cyber device), for control purposes, via the substation local area network.
In digital substations, microprocessor-based Intelligent Electronic Devices (IEDs) are used to control power system switching devices such as circuit breakers, reclosers, etc. With the standardization by the International Electrotechnical Commission (IEC) of the IEC 61850 process bus, most modern IEDs now support voltage and current inputs in a digital format, as Sampled Value (SV) streams transmitted as Ethernet packets on the process bus. In implementations according to the IEC61850-9-2 specifications, a merging unit (MU) is the device that samples the analog measurements (voltages and currents) of the primary high voltage power circuit, encodes the measurement values into Ethernet packets, and injects them onto the process bus. The IED receives these SV packets from the process bus, processes them, and uses the SV as the inputs to its various fault detection and protection functions.
More particularly, the IED processes the SV values with an internal Discrete Fourier Transform function to convert the SV streams into phasor values. The phasors are time-synchronized within an electrical power substation and can be published on the station bus, through Manufacturing Message Specification (MMS) reporting or according to the IEEE Standard for Synchrophasor Measurements for Power Systems (IEEE C37.1118-2011), for example. Phasor information can also be made available on the station bus through GOOSE (Generic Object Oriented Substation Events) messaging.
The IED thus operates on the basis of measured signals (e.g., voltages and currents, etc.) from attached sensors, signals from other IEDs indicating the state of their controlled elements, and signals from a supervisory system. The IED can also generate signals to act on its switching elements, to communicate its state to other IEDs or to inform the supervisory system. These signals are either hardwired or transmitted as network messages, for instance according to IEC 61850.
One key function of the IED is to detect that a fault happens on the primary circuit and to issue a “trip” command to activate a switching device and thus disconnect the faulty parts of the circuit. During this process, the analog inputs to the MUs and the resulting digitized SV packets are critical to the proper operation decision of the IEDs. Compared to earlier protection systems that relied on hardwired analog inputs, the use of digitized sample value streams and Ethernet technology opens the doors to cyber-attacks on the digitized sample value data. An attacker, once gaining access to the process bus or to a merging unit, can modify the SV packets received by the corresponding IED, and thus can manipulate the protection system and, potentially, cause serious consequences to the power grid. For example, a false trip on normally healthy circuits could cause the system to weaken in such a way that might lead to localized or regional grid collapse.
In addition to its primary protection function, an IED can include a control function for direct operation, whereby the IED executes commands from the operator, in particular to open and close assigned switching elements. An operator can initiate a control command from the Control Center (CC), the Station Human-Machine Interface (HMI), or the Local HMI on the front of the IED. Alternatively, the command can also be executed by directly manipulating a protection device control data object in the IEC 61850 hierarchy, by gaining access to the station bus.
Remote access to substation networks is a common way for control and maintenance of substation facilities. However, there is a potential cyber-security issue in remote access operation. An unauthorized direct control attack to important substations may be used to open multiple circuit breakers, for example, which could trigger multiple, cascaded sequences of events, leading to a blackout. As a result, it is crucial to enhance the cyber security of substations and analyze cyber security and physical security as one integrated structure, to enhance the resilience of power grids.
An appropriate mitigation strategy for dealing with attacks on substations is vital. Mitigation techniques can be applied on the cyber side of the system (i.e., in the Information and Communication Technology components of the electric power system), as well as to the physical system components. A key to cyber mitigation is to find anomalous activities or malicious behaviors, and disconnect or stop the intrusion. However, pure cyber mitigation still has vulnerabilities, since it can be compromised by well-trained intruders or may have unacceptable intrusion-detection performance. Unacceptable performance may include, for example, either an excessive false-positive ratio or an excessive false-negative ratio, where the false-positive ratio is defined as the number of misclassified normal activities divided by the total number of normal activities and the-false negative ratio is defined as the number of undetected abnormal activities divided by the total number of abnormal activities.
Accordingly, improved techniques and devices are needed for securing substations against malicious control operations.