Data Analytics for Cyber Physical Security Analysis A. Srivastava, - - PowerPoint PPT Presentation



SLIDE 1

Data Analytics for Cyber Physical Security Analysis

  • A. Srivastava, A. Hahn, V. V. G. Krishnan, Y. Zhang, K. Kaur, Washington State University
  • P. Jiaxing, S. Sindhu, Siemens

SLIDE 2

Digitalization of the Electric Grid

Credit: GE, Schneider, EPRI

SLIDE 3

Power Systems Data: Example of fixed data

Fixed Data (Assets)

  • 7,500 generation plants
  • 75,000 substations
  • 300,000 miles transmission (100,000 lines and transformers)
  • 2.2 million miles distribution (1 million distribution feeders)
  • 300 million customers

Credit: Prof Anjan Bose, WSU, TAMU NSF SPOKE

SLIDE 4

Data Collection by PMUs: Example of Operational Data

  • PMU sampling rates: 30 per second
  • Assume 100 values per second

If we assume all 100 points in a sub are PMUs

  • Average data rate per sub is 10K/sec
  • Average data rate for the total of 100 subs in a BA is 1M/sec
  • Average data rate for the RC is then 10M/sec

Data Analytics Needed for Making Sense of this Streaming Operational Data for Cyber or Physical Events !!!!

Credit: Prof Anjan Bose, WSU

SLIDE 5

Connecting Data Analytics with Cyber Security ???

SLIDE 6

Biggest Challenge In System Anomalies

Data

  • Physical
    – PMU measurements
    – CT/PT measurements
    – Breaker status
    – Relay operations
  • Cyber
    – Network data
      • Pcaps, netflows, IDS alerts
    – Hosts
      • Event logs, IDS alerts

[Figure: decision diagram relating the data to an Anomaly and, through YES/NO branches on Physical Event and Cyber Event, to the outcomes Normal Operation Status, Physical Event, Cyber Event and Cyber-Physical Event]
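Added example (not from the original slides): one way to pair flagged physical and cyber records and assign the four outcomes named on this slide. The record layout, the 30-second window and the substation names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (time in seconds, substation, data source).
PHYSICAL = [(100.0, "SUB-A", "breaker_status"), (102.0, "SUB-A", "pmu"),
            (400.0, "SUB-B", "pmu"), (900.0, "SUB-A", "relay_operation")]
CYBER = [(95.0, "SUB-A", "ids_alert"), (700.0, "SUB-C", "host_event_log")]

def label(kinds):
    """Map the kinds of evidence present to one of the four outcomes."""
    physical, cyber = "physical" in kinds, "cyber" in kinds
    if physical and cyber:
        return "cyber-physical event"
    if physical:
        return "physical event"
    return "cyber event" if cyber else "normal operation"

def correlate(physical, cyber, window=30.0):
    """Cluster flagged records per substation and label each cluster.

    A record joins the current cluster when it is within `window` seconds
    of the previous record (assumed value; tune per site).
    """
    by_sub = defaultdict(list)
    for kind, records in (("physical", physical), ("cyber", cyber)):
        for t, sub, source in records:
            by_sub[sub].append((t, kind, source))
    events = []
    for sub, recs in sorted(by_sub.items()):
        recs.sort()
        cluster = [recs[0]]
        for rec in recs[1:] + [None]:  # None flushes the last cluster
            if rec is not None and rec[0] - cluster[-1][0] <= window:
                cluster.append(rec)
                continue
            kinds = {kind for _, kind, _ in cluster}
            sources = [source for _, _, source in cluster]
            events.append((sub, cluster[0][0], label(kinds), sources))
            cluster = [rec]
    return events

if __name__ == "__main__":
    for event in correlate(PHYSICAL, CYBER):
        print(event)
```

The IDS alert at SUB-A five seconds before the breaker change is what turns that cluster into a cyber-physical event; the later relay operation at the same substation, with no cyber record nearby, stays a physical event.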

SLIDE 7

Use Cases

  • Cyber Physical Security Analytics for Transactive Energy Systems
  • Data Analytics for Cyber-Physical Security of Transmission Protection System

SLIDE 8

Data Analytic Techniques for TES

  • The significant increase in distributed energy resources (PV, storage, electric vehicles)
  • Transition from “consumer” to “prosumers” that buy and sell electricity
  • Transactive Energy Systems employ economic and control mechanisms to dynamically balance the demand and supply
  • Depends on a large number of distributed edge-computing and consumer-controlled Internet of Things devices.
  • IoT systems and the electric grid cyber assets are increasingly vulnerable to attack.
  • New analytical methods are needed to monitor these systems’ operations and detect malicious activity.

SLIDE 9

TE Infrastructure Overview

[Figure: transactive energy infrastructure with the labels Distribution, Transmission, Bids/Demands, LMP Prices, Prosumer, Market, Communication and Agent]

SLIDE 10

Data Analytics for Transactive Energy Systems

[Figure: block diagram with the labels Physical/cyber system (Physical layer, Cyber layer, Market layer); Data acquisition; Simulated/measured data; Physical signals (V, I, P); Cyber signals (logs, data traffic, etc); Market signals (LMP, bids); Anomaly detector and classifier (Cyber, Physical); Metrics; Decision/control]

SLIDE 11

Data Collection for Analytics

Data Analytics

Data from TESP (Physical/Market)

  • Voltage
  • LMP
  • Bid Values, etc.

Network Stats (Cyber)

  • IP addresses, ports
  • No. of bytes, packets
  • Payload size, Protocol
  • Duration of comm.
SLIDE 12

Anomaly Detection via Deep Learning

  • Why deep learning?
    – Feature extraction (local patterns, such as spikes) from multi-channel time series data
    – Doesn’t need domain expert to define features
    – High accuracy with sufficient number of layers
    – High level generalized features can be used to detect unknown attacks

SLIDE 13

Convolutional Neural Network for Anomaly Detection

  • Supervised Learning: use normal and outliers to train
  • Able to create high level generalized features
  • Use generalized features to detect anomalies in the testing data
SLIDE 14

Cyber-Physical Analysis for Failure in Protection System

  • Protection systems are one of the most crucial components in the smart transmission system (NERC ranks failure in protection system as the #1 cause for power blackout)
  • These systems can be prone to vulnerabilities and attacks against them, which could massively disrupt the operation of the smart grid
  • New analytical methods are needed to monitor these systems’ operations, detect malicious activity and quantify the effects of cyber attacks on the operation of the transmission system

[Flowchart: Abnormal Event Occurs → ProNet Selection → Data Collection From PMUs → 5 digit message Calculation → Multiple Hypothesis Generation → Hypothesis Credit Calculation → Correct Hypothesis Selection]

SLIDE 15

Example for Failure in Protection System

Example

Fault at 12-13, Breaker 14-13 malfunctioned

Two possible explanations:

  • 1. Fault at 12-13, Breaker 14-13 malfunctioned
  • 2. Fault at 13-14, Breaker 13-14 failed, Breaker 13-12 malfunctioned

SLIDE 16

Decision Tree

[Figure: decision tree with the labels: Detected by Data Analytics using PMU data and Cyber System; Further analysis by relay settings, switch status; Further analysis using historical access, substation logs; Failure caused by cyber attack]

SLIDE 17

Summary

Data Analytics can help initialize the cyber-physical analysis to monitor power system’s operations and detect malicious activity.

  • Combination of supervised and unsupervised deep learning algorithms
  • Algorithms must incorporate cyber, physical, and market data

Transactive Energy Systems employ economic and control mechanisms to dynamically balance the demand and supply.

  • Significant increase in DER
  • Devices are increasingly vulnerable to cyberattack.

State of the art data analytic techniques are needed to identify protection system malfunctions. Supplementary analysis based on relay log files or other asset information may be needed to conclude.

SLIDE 18

Support from NSF, CREDC, DOE and Siemens Appreciated.