Data Analytics for Cyber Physical Security Analysis A. Srivastava, A. Hahn, V. V. G. Krishnan, Y.Zhang, K. Kaur, Washington State University P. Jiaxing, S.Sindhu Siemens 1
Digitalization of the Electric Grid Credit: GE, Schneider, EPRI 2
Power Systems Data: Example of fixed data Fixed Data (Assets) • 7,500 generation plants • 75,000 substations • 300,000 miles transmission (100,000 lines and transformers) • 2.2 million miles distribution (1 million distribution feeders) • 300 million customers Credit: Prof Anjan Bose, WSU, TAMU NSF SPOKE
Data Collection by PMUs: Example of Operational Data • PMU sampling rates: 30 per second • Assume 100 values per second If we assume all 100 points in a sub are PMUs • Average data rate per sub is 10K/sec • Average data rate for the total of 100 subs in a BA is 1M/sec • Average data rate for the RC is then 10M/sec Data Analytics Needed for Making Sense of this Streaming Operational Data for Cyber or Physical Events !!!! Credit: Prof Anjan Bose, WSU
Connecting Data Analytics with Cyber Security ??? 5
Biggest Challenge In System Anomalies Data • Physical – PMU measurements NO Anomaly aly – CT/PT measurements ??? YES – Breaker status – Relay operations NO NO • Cyber Cyber E Eve vent Physica ical E l Even ent – Network data YES YES • Pcaps, netflows, Ids alerts – Hosts NO YES YES YES NO YES NO NO • Event logs, Ids Nor ormal O Operation on Physical Event Cyber-Physical Ev Event Cyber E Event Status alerts 6
Use Cases • Cyber Physical Security Analytics for Transactive Energy Systems • Data Analytics for Cyber-Physical Security of Transmission Protection System 7
Data Analytic Techniques for TES • The significant increase in distributed energy resources (PV, storage, electric vehicles) • Transition from “consumer” to “prosumers” that buy and sell electricity • Transactive Energy Systems employ economic and control mechanisms to dynamically balance the demand and supply • Depends on a large number of distributed edge-computing and consumer controlled Internet of Things. • IoT systems and the electric grid cyber assets are increasingly vulnerable to attack. • New analytical methods are needed to monitor these system’s operations and detect malicious activity. 8
TE Infrastructure Overview Communication Transmission Prosumer Agent Prices Bids/ LMP Market Demands Agent Bids/Demands Distribution 9
Data Analytics for Transactive Energy Systems Physical/cyber system Data acquisition Physical signals Physical layer (V, I, P) Simulated/ measured data Cyber signals Cyber layer (logs, data traffic, etc) Market signals Market layer (LMP, bids) Anomaly detector Decision/ and classifier Metrics control (Cyber, Physical) 10
Data Collection for Analytics Network Stats Data from TESP (Cyber) (Physical/Market) - IP addresses, ports - Voltage - No. of bytes, packets - LMP - Payload size, Protocol - Bid Values, etc. - Duration of comm. Data Analytics 11
Anomaly Detection via Deep Learning • Why deep learning? – Feature extraction (local patterns, such as spikes) from multi-channel time series data – Doesn’t need domain expert to define features – High accuracy with sufficient number of layers – High level generalized features can be used to detect unknown attacks
Convolutional Neural Network for Anomaly Detection • Supervised Learning: use normal and outliers to train • Able to create high level generalized features • Use generalized features to detect anomalies in the testing data
Cyber-Physical Analysis for Failure in Protection System • Protection systems are one of the most important crucial components in the smart transmission system ( NERC rank failure in protection system #1 cause for power blackout) • These systems can be prone to vulnerabilities and attacks against them, which could massively disrupt the operation of the smart grid • New analytical methods are needed to monitor these system’s operations and detect malicious activity and quantify the effects of cyber attacks on the operation of the transmission system operation Data Abnormal 5 digit Multiple Hypothesis Correct ProNet Collection Event message Hypothesis Credit Hypothesis Selection Occurs Calculation Generation Calculation Selection From PMUs
Example for Failure in Protection System Fault at 12-13, Breaker 14-13 malfunctioned Example Two possible explanations: 1. Fault at 12-13, Breaker 14-13 malfunctioned 2. Fault at 13-14, Breaker 13-14 failed Breaker 13-12 malfunctioned
Decision Tree Detected by Data Analytics using PMU data and Cyber System Further analysis by Further analysis relay settings, switch using historical status access, substation logs Failure caused by cyber attack
Summary Data Analytics can help initializing the cyber-physical analysis to monitor power system’s operations and detect malicious activity. • Combination of supervised and unsupervised deep learning algorithms • Algorithms must incorporate cyber, physical, and market data Transactive Energy Systems employ economic and control mechanisms to dynamically balance the demand and supply. • Significant increase in DER • Devices are increasingly vulnerable to cyberattack. State of the art data analytic techniques are needed to identify protection system malfunctions. Supplementary analysis based on relay log files or other asset information may be needed to conclude. 17
Support from NSF, CREDC, DOE and Siemens Appreciated. 18
Recommend
More recommend
