Conference Paper

Preventing False Tripping Cyberattacks Against Distance Relays: A Deep Learning Approach

Yew Meng Khaw, Amir Abiri Jahromi, Mohammadreza F. M. Arani,
Deepa Kundur, and Scott Sanner
University of Toronto
Toronto, Canada
dkundur@ece.utoronto.ca, ssanner@mie.utoronto.ca
Marthe Kassouf
Hydro-Quebec Research Institute (IREQ)
Varennes, Canada
kassouf.marthe@ireq.ca
Abstract—The false tripping of circuit breakers initiated by
cyberattacks on protective relays is a growing concern in power
systems. This is of high importance because multiple false
equipment tripping initiated by coordinated cyberattacks on
protective relays can cause large scale disturbance in power
systems and potentially lead to cascading failures and blackouts.
In this paper, a deep learning based autoencoder is employed to
identify anomalous voltage and current data injection to distance
protection relays. The autoencoder is first trained with current
and voltage data sets representing three-phase faults in zone 1 of a
distance relay using a benchmark test system. The autoencoder
is then employed to identify anomalies in voltage and current
data to prevent false tripping commands by the distance relay.
The simulation results verify the capability of the autoencoder
model to extract signatures of three-phase faults in the intended
zone of a protective relay and detect three-phase fault current
and voltage data that do not contain these signatures with high
accuracy.
Index Terms—Cyberphysical systems, operational technology,
deep learning, distance relays cybersecurity, anomaly detection.
I. INTRODUCTION
DEPLOYMENT of IEC 61850 protocol in substations
is expected to revolutionize the substation automation
system by improving reliability, reducing costs, allowing inter-
operability between intelligent electronic devices (IEDs) and
facilitating remote access [1], [2]. Despite the unquestionable
benefits of IEC 61850 protocol in streamlining substation
automation, it opens up new cybersecurity vulnerabilities that
need to be addressed properly [3].
Protective relays form the most critical and fastest line of
defence against disturbances in power systems. The protective
relays detect abnormal conditions and faults in power systems
using different logics and initiate appropriate control actions
[4], [5]. As a result, their misoperation due to cyberattacks has
serious consequences for power system security and stability
[6]. For instance, multiple false equipment tripping initiated by
coordinated cyberattacks on protective relays can cause large
scale disturbance in power systems and potentially lead to
cascading failures and blackouts [7], [8]. Thus, it is imperative
to increase the cyber resiliency of protective relays as one
of the most vital protection and control ingredients of power
systems.

The authors wish to acknowledge the Natural Sciences and Engineering
Research Council (NSERC) Strategic Grants Program for Projects as well
as Fonds de Recherche du Québec-Nature et Technologies Postdoctoral
Fellowship (FRQNT) for providing funding for this work.

Different anomaly detection techniques have been proposed
in [9], [10] for substations. The proposed anomaly detection
methods work based on logs of intruders’ footprints. A rule-
based intrusion detection system has been presented in [11] for
IEC 61850 protocol. In [12]–[14] domain based cybersecurity
solutions have been proposed for digital substations. The
proposed methods utilize protection coordination principles
and transient fault cross correlation coefficient algorithms to
identify cyberattacks. A distributed and collaborative intrusion
detection system has been presented in [15] to detect generic
object oriented substation events (GOOSE) and sampled value
(SV) related intrusions, anomalies, and abnormal behaviors.
The application of security filters for IEC 61850 message
authentication has been presented in [16]. The aforemen-
tioned methods are capable of addressing cyberattacks against
IEC 61850 GOOSE and SV packets. Nevertheless, most of
these approaches are unable to identify the corrupt contents
of packets generated by a malicious agent which infiltrates
the communication network through a combined man-in-the-
middle and false data injection (FDI) attack without leaving
footprints on IEC 61850 packets that can be used to identify
the intrusion. Driven by the quest of their perpetrators for
financial or political rewards, cyber threats against critical
infrastructures including power grids are expected to grow in
frequency and complexity and, therefore, advanced cybersecu-
rity data analytics are increasingly required to provide efficient
intrusion detection and mitigation.
Machine learning approaches have received considerable
attention in recent years for identification and prevention of
cyberattacks against power systems [17]–[19]. Considering
the polymorphic and stealthy nature of cyberattacks in power
systems, anomaly-based techniques are more practical com-
pared to misuse-based techniques. The misuse-based detection
techniques utilize the signatures of cyberattacks. This is while
anomaly-based techniques use system behaviors to identify
anomalies that deviate from these behaviors beyond a certain
threshold. The main advantage of anomaly-based techniques
is their capability to detect zero-day attacks [20]. Moreover, it
is much more convenient to obtain training data for dynamic
behaviors of power systems than the evolving and clandestine
signatures of cyberattacks.
Different machine learning techniques such as neural net-
works, support vector machines, Bayesian networks and clus-
tering methods have been employed for identifying cyberat-
tacks against power systems. In [21], principal component
analysis and support vector machine have been used to de-
tect stealthy attacks against state estimation. An artificial
intelligence-based method using Kullback-Leibler divergence
has been employed in [22] to identify compromised meters.
In [23], conditional deep belief network is used to recognize
behavior patterns of FDI attacks using historical measurement
data. A deep learning-based method has been employed in
[24] to identify FDI attacks against phasor measurement units
(PMU) with wide area control applications. A semi-supervised
method has been employed in [25] for anomaly detection in an
IEC 61850-based smart distribution substation. A non-nested
generalized exemplar and state extraction method has been
used in [26] for intrusion detection.
In this paper, a deep learning based autoencoder is employed
for the first time to mitigate anomalous voltage and current
data injection attacks on protective relays. The autoencoder is
trained with current and voltage data sets representing three-
phase faults in zone 1 of a distance relay using a benchmark
test system. The autoencoder is then used to identify anomalies
in voltage and current data, and prevent false tripping com-
mands by the distance relay. The simulation results verify the
capability of the autoencoder model to extract signatures of
three-phase faults in the intended zone of the protective relay
and detect current and voltage data that do not contain these
signatures with high accuracy and in a timely fashion.
The main contributions of this paper are as follows.
- A deep learning-based anomaly detection system is presented
  for identifying false tripping cyberattacks against
  distance protection relays.
- The capability of the proposed anomaly detection system
  is examined for three cyberattacks including 1) false
  data injection attack, 2) replay attack and 3) attacks on
  instrument transformer tap settings.
The remainder of this paper is organized as follows. Sec-
tion II provides background on line distance protection and
presents the cyberattack model. Section III elaborates on the
autoencoder-based anomaly detection system (ADS). Section
IV describes the training process of the ADS. The numer-
ical results are provided in Section V. Section VI offers a
discussion about the areas that need further investigation and
highlights the directions for future research before concluding
in Section VII.
II. PRELIMINARIES
A. Step-Distance Relays
The basic principle of step-distance protection involves the
division of the measured voltage and current quantities at the
relaying point and its comparison with a predefined reach point
impedance. If the measured impedance by the step-distance
relay is less than a predefined reach point impedance, the
relay assumes the existence of a fault and operates. Unlike
phase and neutral overcurrent relays, the fault coverage of
the step-distance relays is virtually independent of source
impedance variations which makes them an ideal candidate
for transmission line protection [4], [5].
Fig. 1. Step-distance protection.
A typical distance relay incorporates several reach points
called zones. Typically, first zone of a distance relay oper-
ates instantaneously and covers approximately 80% of the
transmission line to ensure that the relay only trips when
a fault occurs on the protected line. This is while second
zone covers 120-150% of the line and operates with 15 to 30
cycles time delay. This time delay allows the adjacent relays
to trip first if the fault is not on the line protected by the
step-distance relay. Zone 1 and zone 2 protection overlap and
provide 100% protection of the transmission line as well as
backup protection for adjacent lines as illustrated in Fig. 1.
The distance relays typically have zone 3 protection looking
in the reverse direction which operates with 60 cycles time
delay [4], [5]. It is noteworthy that the ADS presented in this
paper is applied to zone 1 of distance relays.
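The zone logic described above, as an added example that is not part of the paper: a single-phase equivalent of a step-distance element that estimates phasors from one cycle of samples and compares the measured impedance with the zone reaches. The line impedance, the scenario values and all function names are assumptions made for illustration; the 80% and 120% reaches and the zone 2 delay follow the ranges given in the text.

```python
import cmath
import math

FS = 4800                  # samples per second (the SV rate used on this page)
F0 = 60                    # system frequency in Hz
N = FS // F0               # 80 samples per cycle

# Constructed line data (assumption, not from the paper): positive-sequence
# impedance of the protected line in primary ohms.
Z_LINE = cmath.rect(35.0, math.radians(85.0))
ZONE1_REACH = 0.80         # page: zone 1 covers approximately 80% of the line
ZONE2_REACH = 1.20         # page: zone 2 covers 120-150% of the line
ZONE2_DELAY_CYCLES = 20    # page: 15 to 30 cycles


def sample_wave(ph, cycles=2):
    """Sample the sinusoid with peak phasor `ph` at FS for whole cycles."""
    return [abs(ph) * math.cos(2 * math.pi * k / N + cmath.phase(ph))
            for k in range(cycles * N)]


def phasor(samples):
    """Fundamental-frequency phasor of the last full cycle (one-cycle DFT)."""
    last = samples[-N:]
    acc = sum(v * cmath.exp(-2j * math.pi * k / N) for k, v in enumerate(last))
    return 2 * acc / N


def zone_decision(v_samples, i_samples):
    """Return (zone, trip delay in cycles, apparent impedance)."""
    i_ph = phasor(i_samples)
    if abs(i_ph) < 1e-9:               # no current: impedance is undefined
        return ("no_trip", None, None)
    z = phasor(v_samples) / i_ph
    fraction = abs(z) / abs(Z_LINE)    # measured impedance as share of the line
    if fraction < ZONE1_REACH:
        return ("zone1", 0, z)         # instantaneous
    if fraction < ZONE2_REACH:
        return ("zone2", ZONE2_DELAY_CYCLES, z)
    return ("no_trip", None, z)


def scenario(z_seen, i_peak=4000.0, i_angle_deg=-80.0):
    """Constructed relay inputs for a given impedance seen from the relay."""
    i_ph = cmath.rect(i_peak, math.radians(i_angle_deg))
    return sample_wave(z_seen * i_ph), sample_wave(i_ph)


if __name__ == "__main__":
    cases = {
        "fault at 50% of line": 0.5 * Z_LINE,
        "fault at 100% of line": 1.0 * Z_LINE,
        "load": cmath.rect(300.0, math.radians(20.0)),
    }
    for name, z in cases.items():
        zone, delay, z_meas = zone_decision(*scenario(z))
        print(f"{name:22s} |Z|={abs(z_meas):7.2f} ohm -> {zone}, delay={delay}")
```

The decision depends only on the ratio of the voltage and current phasors, so the element by itself cannot tell a genuine fault from relay inputs that merely produce the same ratio; that is the gap the ADS is meant to close.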
B. Attack Model and Requirements
The primary objective of the attacker is to cause false
line tripping resulting in power outages. This is achieved by
corrupting the current transformer (CT) and/or voltage trans-
former (VT) measurements such that the impedance seen by
the relay falls within its zone setting, causing a trip command.
A single point attack of this nature may result in local power
outage with minimal impact. However, coordinated attacks on
multiple relays resulting in multiple line tripping can cause
cascading failures, resulting in widespread power outages.
In this paper, we consider an attacker that has access to the
substation automation system with the appropriate knowledge
to manipulate the protective relay’s inputs. More precisely,
we first consider an attack scenario where the attacker gains
remote access to the substation communication network and
its interconnected merging units using stolen legitimate op-
erator credentials, thus, successfully carrying out a man-in-
the-middle attack. This attack is a precursor to perpetrating
FDI and replay attacks with the intent of causing the protec-
tive relays to issue false tripping commands following false
measurements injection and measurements replay, respectively.
The second attack scenario considers an attacker that has
physical access to instrument transformers and that can alter
the tap settings such that the incorrectly scaled measurements
cause false tripping by the protective relays.
More sophisticated attacks are possible if the attacker pos-
sesses measurements from fault conditions that have previ-
ously occurred. These measurements can be injected to the
relay as a replay attack. Such attacks are difficult to detect,
and particularly so if the measurements are obtained during
actual faults that occurred on the targeted line.
III. ANOMALY DETECTION SYSTEM
Previous research has shown the potential of autoencoders in
anomaly detection [27], [28]. The autoencoder consists of two
parts; encoder and decoder. The encoder compresses the input
data to a latent variable, z, with dimensions typically smaller
than the input data. The decoder then reconstructs the input
data from the latent variable z [29]. The autoencoder is trained
with data sets representing the behavior of the system. As
such, the autoencoder learns the system behavior by keeping
the distinct signatures of system behavior in latent variable z.
As a result, the autoencoder reconstructs the input data that do
not contain these signatures with high error. Thus, a threshold
based on reconstruction error can be set to detect anomalous
data. The reconstruction error is calculated using the mean
squared error (MSE) between the reconstructed output and the
input to the autoencoder. It is noteworthy that different models
can be used in the autoencoder including fully-connected
networks, recurrent models and convolutional neural networks.
TABLE I
AUTOENCODER STRUCTURE
Encoder                            Decoder
1. Convolution, 64 filters         10. Convolution, 256 filters
2. Convolution, 64 filters         11. Convolution, 256 filters
3. Max Pooling, pool size 4        12. Upsampling, factor 6
4. Convolution, 128 filters        13. Convolution, 128 filters
5. Convolution, 128 filters        14. Convolution, 128 filters
6. Max Pooling, pool size 5        15. Upsampling, factor 5
7. Convolution, 256 filters        16. Convolution, 64 filters
8. Convolution, 256 filters        17. Convolution, 64 filters
9. Max Pooling, pool size 6        18. Upsampling, factor 4
In this paper, an ADS based on 1-dimensional convolutional
autoencoder is integrated into the distance relay, making zone
1 tripping decisions resilient to cyberattacks. This can be
achieved using a dedicated processor or directly in IEDs
with adequate processing power. The encoder consists of
convolutional layers and max pooling layers. The decoder
consists of convolutional layers and upsampling layers. The
autoencoder structure is provided in Table I. Kernel size of
10, stride of 1 and rectified linear unit (ReLU) are used in all
convolutional layers. The inputs to the ADS are exactly the
same as the inputs to distance protection relays i.e., three-phase
current and voltage measurements (Ia, Ib, Ic, Va, Vb, Vc). The
ADS is activated by the activation of zone 1 pick up element of
the distance relay. When zone 1 pick up element is inactive, the
ADS also remains inactive. The ADS is capable of detecting
anomalous measurements that deviate from expected behaviors
of faults in zone 1 of a distance relay. Thus, the ADS can be
employed to block tripping commands issued by the zone 1
element when anomalous measurements are detected.
Fig. 2. The IEEE PSRC D6 benchmark test system.
IV. TRAINING PROCESS OF THE ADS
A. Description of the Test System
Fig. 2 illustrates the IEEE power system relaying committee
(PSRC) D6 benchmark test system [6], [30]. The benchmark
test system represents a part of a 500kV transmission system
consisting of four transmission lines L1-L4. The transmission
lines connect a power plant with four generators G1-G4 to the
main grid S1. The main grid is modeled as an infinite bus. The
current and voltage measurements from current transformer
(CT1) and voltage transformer (VT1) are used to train the
ADS for the distance relay (R1) in Fig. 2.
B. Data Generation and Autoencoder Training
OPAL-RT HYPERSIM is employed to generate training
data sets. The simulations are performed for 1.5 seconds
with a permanent three-phase fault occurring at t=1 s. In
this paper, we only consider symmetrical three-phase faults.
Yet, the proposed model can be extended to consider other
types of faults such as phase to phase and phase to ground
faults. The generation levels and fault locations are changed in
each simulation to generate data sets under different operating
conditions and fault location scenarios. Moreover, the starting
time of the three-phase fault is changed between t=1 s to
t=1.05 s in simulations to ensure fault occurs at different
parts of the current and voltage waveforms (the period of one
cycle is approximately 0.0167 s in a 60 Hz power system). The
minimum and maximum capacity limits of the generating units
are considered to be 300 MW and 400 MW respectively. The
generator outputs are changed in 10 MW step size to produce
the training data set. Moreover, the fault location is changed
along the transmission line L1 with 10 km step size. In total,
2100 simulations are performed to generate training data sets.
The autoencoder is trained using Adam optimization for 100
epochs.
The current and voltage measurements at CT1 and VT1
are collected at a sampling rate of 4800 samples per second
(80 samples per cycle) to be consistent with SV packet
specifications in IEC 61850-9-2 standard [31]. The collected
data from CT1 and VT1 are exported in COMTRADE format.
Before feeding the data to the autoencoder for training, the
COMTRADE data is formatted by removing the mean and
scaling the data to unit variance.
Fig. 3. A sample of three-phase measurements by measuring instruments: (a)
current measurements by CT1, (b) voltage measurements by VT1.
An important parameter for autoencoder training is the
input data length, i.e., number of input samples fed to the
autoencoder. In this paper, a sliding window of 50 ms, i.e., 240
samples of current and voltage measurements for each phase,
is fed to the autoencoder as input. As such, each window
consists of 3 cycles of current and voltage measurements.
Thus, the 1.5 s simulation data is split into sliding windows
of 50 ms data. As the sliding window slides over the entire
training sample, the autoencoder is trained with both no-fault
and three-phase fault conditions. A sample of the current
and voltage measurements by CT1 and VT1 are shown in
Fig. 3. The autoencoder is tested and validated using test and
validation data sets with generation levels and fault locations
that are different from the training data set.
V. NUMERICAL RESULTS
Three cyberattack scenarios including 1) false data injec-
tion attack, 2) replay attack and 3) attacks on instrument
transformer tap settings are considered to investigate the
performance of the ADS. The threshold for anomaly detection
is set at 1.5 times of the maximum MSE observed using the
training data sets. This is to ensure that no three-phase fault
in zone 1 of the distance relay is classified as an anomaly, i.e.,
no blocking signal is sent for such cases. It is noteworthy that
the input and reconstructed data are only presented for phase
B current and voltage in the numerical results to improve the
clarity of figures. Two metrics are considered to measure the
performance of the ADS:
$$\text{precision} = \frac{\text{True Positive}}{\text{True Positive} + \text{False Positive}} \tag{1}$$
$$\text{recall} = \frac{\text{True Positive}}{\text{True Positive} + \text{False Negative}} \tag{2}$$
Definitions: True Positive represents cyberattacks that are
correctly identified by ADS. False Positive represents
three-phase faults in zone 1 of the distance relay that are incorrectly
classified as anomaly by ADS. False Negative represents
cyberattacks that are not identified by ADS. True Negative
represents three-phase faults in zone 1 of the distance relay
that are correctly classified as non-anomalous by ADS.
A. False Data Injection Attack
We first consider a simple attack where the attacker injects
random false data to cause the distance relay to trip. In this
case, the attacker injects false measurements with high current
magnitude such that the measured impedance by the
step-distance relay drops into its zone 1 reach point setting. As
illustrated in Fig. 4, the autoencoder reconstructs the injected
false data with high error. The ADS is examined for different
random FDI attacks and it was able to identify the attacks
with 100% precision and 100% recall. The MSE of random
FDI attack was on average 39 times greater than the threshold.
Fig. 4. Reconstruction of a random false data injection attack.
B. Replay Attack
Replay attacks are examined in this section. We assume
that the attacker possesses both CT1 and VT1 measurements
associated with a three-phase fault condition at transmission
line L1. The attacker replays these measurements to cause
false tripping by the distance relay. As illustrated in Fig. 5,
the autoencoder reconstructs the replay attack data with high
error. For comparison, Fig. 6 illustrates the reconstruction of an
actual three-phase fault. The main reason that ADS is able to
identify the replay attacks is that the injected measurements by
replay attacks are out-of-phase with the actual measurements
before the replay attacks.
The ADS is examined for different replay attack scenarios
and it was able to identify the replay attacks with 100%
precision and 92.8% recall. The MSE of replay attack was on
average 24 times greater than the threshold. The cases when
the ADS fails to identify the replay attacks are when the replay
attack measurements are in phase with the actual measurements
before the replay attack. These replay attacks can be
identified by cross checking the measurements from different
measuring instruments in the substation. Nevertheless, the
cross checking approach requires more time to identify replay
cyberattacks. Moreover, it can only identify the existence of
cyberattacks but it cannot determine which measurement is
actually tampered by the cyberattack.
Fig. 5. Reconstruction of replay attack measurements.
Fig. 6. Reconstruction of actual three-phase fault measurements.
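The threshold rule from Section III and the replay result above, as an added example that is not the authors' code: a two-coefficient 60 Hz projection stands in for the trained convolutional autoencoder, and every waveform is a constructed single-phase per-unit current, so the figures it produces are not the paper's. It shows how a threshold of 1.5 times the maximum training MSE keeps genuine faults unflagged while a replay spliced in nearly in phase with the live signal goes undetected; all function names are hypothetical.

```python
import math

FS, F0, WINDOW = 4800, 60.0, 240    # page: 4800 samples/s, 50 ms window
THRESHOLD_FACTOR = 1.5              # page: 1.5 x maximum training MSE
W = 2 * math.pi * F0 / FS           # radians per sample


def window(onset, amp_after, jump=0.0, phase=0.0):
    """Constructed phase current window (per unit): load current of amplitude 1
    until sample `onset`, amplitude `amp_after` afterwards. `jump` is the phase
    discontinuity in radians at the onset; a genuine fault has none."""
    return [(1.0 if k < onset else amp_after)
            * math.sin(W * k + phase + (0.0 if k < onset else jump))
            for k in range(WINDOW)]


def reconstruct(x):
    """Stand-in autoencoder (assumption): the latent is the pair of 60 Hz
    sine/cosine coefficients of the window, the decoder rebuilds from them."""
    a = 2 / WINDOW * sum(v * math.sin(W * k) for k, v in enumerate(x))
    b = 2 / WINDOW * sum(v * math.cos(W * k) for k, v in enumerate(x))
    return [a * math.sin(W * k) + b * math.cos(W * k) for k in range(WINDOW)]


def mse(x):
    """Reconstruction error between the input window and its reconstruction."""
    return sum((p - q) ** 2 for p, q in zip(x, reconstruct(x))) / WINDOW


def fit_threshold(training_windows):
    """Anomaly threshold: 1.5 times the largest MSE seen on training data."""
    return THRESHOLD_FACTOR * max(mse(w) for w in training_windows)


def ads_blocks_trip(x, threshold, zone1_pickup=True):
    """The ADS only runs while the zone 1 pickup element is active."""
    return zone1_pickup and mse(x) > threshold


def precision_recall(outcomes):
    """outcomes: (is_attack, flagged) pairs; equations (1) and (2)."""
    tp = sum(1 for attack, flagged in outcomes if attack and flagged)
    fp = sum(1 for attack, flagged in outcomes if not attack and flagged)
    fn = sum(1 for attack, flagged in outcomes if attack and not flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def evaluate():
    # Training: no-fault windows and genuine fault onsets (all constructed).
    training = [window(0, 1.0, phase=p) for p in (0.0, 0.7, 1.4)]
    training += [window(onset, amp)
                 for onset in (40, 80, 120, 160, 200) for amp in (3.0, 4.0, 5.0)]
    threshold = fit_threshold(training)
    # Test: genuine faults at operating points not seen in training ...
    faults = [window(onset, amp, phase=0.3)
              for onset in (80, 120, 160) for amp in (3.5, 4.5)]
    # ... and a replayed fault recording spliced in at eight phase offsets.
    offsets = list(range(0, 360, 45))
    replays = [window(120, 5.0, jump=math.radians(d)) for d in offsets]
    outcomes = [(False, ads_blocks_trip(w, threshold)) for w in faults]
    outcomes += [(True, ads_blocks_trip(w, threshold)) for w in replays]
    missed = [d for d, w in zip(offsets, replays)
              if not ads_blocks_trip(w, threshold)]
    return threshold, precision_recall(outcomes), missed


if __name__ == "__main__":
    threshold, (precision, recall), missed = evaluate()
    print(f"threshold={threshold:.3f} precision={precision:.3f} "
          f"recall={recall:.3f} missed replay offsets (deg)={missed}")
```

The stand-in is far less sensitive than a trained deep model, so it misses more offsets than the paper reports; the pattern it reproduces is only that the undetected replays are the ones closest to being in phase.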
C. Cyberattacks Against Measuring Instrument Tap Settings
This section considers an attacker that has physical access to
the measuring instruments i.e., CTs and VTs. We tested three
cases where the attacker has access to 1) current transformer
(CT1), 2) voltage transformer (VT1) and 3) both current
and voltage transformers. The ADS was able to identify the
cyberattacks in all three cases with 100% precision and 100%
recall. For the sake of conciseness, we only present the results
for the case where an attacker has access to the current
transformer. In this case, the attacker modifies the current
transformer tap setting and scales the current measurements
such that the relay sees an impedance within its zone 1 reach
setting. We considered current scaling ranging between 2X to
10X. An example of the reconstructed window for the case
with compromised current transformer is shown in Fig. 7.
Fig. 7. Reconstruction of measurements received from a compromised CT.
D. Comparison of Results
The results obtained using the deep autoencoder are compared
with a linear autoencoder consisting of single layer
fully-connected encoder and decoder. The deep autoencoder
outperforms the linear autoencoder as summarized in Table II.
In the replay attack which is the most sophisticated attack
considered here, the deep autoencoder outperforms the linear
autoencoder by approximately 14%.
TABLE II
COMPARISON OF RESULTS
Attack Scenario                  Deep Autoencoder        Linear Autoencoder
                                 Precision   Recall      Precision   Recall
Random FDI                       100%        100%        100%        100%
Replay                           100%        92.8%       100%        78.9%
Instrument Tap Setting Change    100%        100%        100%        97.7%
E. Remarks
Although the autoencoder receives 240 samples of current
and voltage measurements for each phase as input, it is capable
of identifying most of the anomalous measurements in all
three cyberattack scenarios in 10 ms after the starting point
of the cyberattack i.e., after receiving 48 samples of falsified
current/voltage measurements. Moreover, it takes the autoen-
coder an average of 4.9 ms to reconstruct the measurements
using i7-9700K CPU with RTX2080 GPU. This sums up to
a minimum real-time delay of 15 ms in processing the data,
slightly less than 1 cycle. The short duration required by the
ADS to identify cyberattacks is crucial since zone 1 of the
distance relay must operate almost instantaneously when a
three-phase fault occurs. It is noteworthy that the substation
IEDs do not have the computational capability of the Personal
Computer (PC) used in this paper so further investigations are
required in this regard.
VI. DISCUSSION AND FUTURE WORK
The application of deep learning based approaches for
identifying cyberattacks against operational technology (OT)
systems like measuring instruments is at its embryonic stage.
The promising results obtained in this paper demonstrate
the potential of these approaches. Nevertheless, more work
needs to be done to build confidence on these approaches
before passing through field acceptance tests for industrial
applications. For instance, one needs to investigate the im-
pact of scenarios such as current transformer saturation and
communication packet loss to see how these scenarios would
impact the accuracy of the proposed approach.
The ADS presented in this paper is applied to zone 1 of a
distance relay while considering three-phase faults. The next
step is to consider other types of faults like phase to phase
and phase to ground faults. Moreover, the extension of the
proposed approach to other protection zones of distance relays
is another direction for future research. It is noteworthy that
the application of deep learning based ADS to other protection
zones of distance relays may become challenging consider-
ing the numerous scenarios and practical considerations that
should be taken into account. Some of these considerations
include short lines, existence of in-feeds, out-feeds, and dif-
ferent topologies. The application of more advanced deep
learning based approaches for identifying cyberattacks against
OT systems is another direction for future research.
VII. CONCLUSION
This paper presented a deep learning based anomaly de-
tection system for cyberattack prevention. The proposed ADS
makes the zone 1 elements of distance relays resilient to false
tripping caused by cyberattacks. A 1-dimensional convolutional
based autoencoder is employed in the ADS. The autoencoder
is trained with sliding windows of 50 ms (240 samples)
composed of three-phase voltage and current measurements.
Different generator operating points under no fault and three-
phase fault conditions are simulated to generate training data
sets. The three-phase fault location is also changed along the
transmission line to generate training data sets for different
fault location scenarios. The input data to the autoencoder
are the same as the input data to the distance relays. Three
different cyberattacks including 1) false data injection attack,
2) replay attack and 3) tampering of instrument transformer
tap settings are considered to investigate the capability of the
autoencoder in identifying cyberattacks. The simulation results
verified the capability of the proposed ADS in identifying
cyberattacks accurately and in a timely fashion.
REFERENCES
[1] K. P. Brand, V. Lohmann, and W. Wimmer, Substation Automation
Handbook, Utility Automation Consulting Lohmann, 2003.
[2] IEC TR 61850–90–4:2013, Communication Networks and Systems for
Power Utility Automation - Part 90-4: Network Engineering Guidelines,
Technical Report, August 2013. Available: http://webstore.iec.ch/.
[3] Institute of Electrical and Electronics Engineers (IEEE) C37.240, Cy-
ber Security Requirements for Substation Automation, Protection and
Control Systems, 2014.
[4] T. D. J. Blackburn, Protective Relaying: Principles and Applications, 4th
ed. CRC Press, 2014.
[5] M. Kezunovic, J. Ren, and S. Lotfifard, Design, Modeling and Eval-
uation of Protective Relays for Power Systems, Springer International
Publishing, 2006.
[6] A. Abiri-Jahromi, A. Kemmeugne, D. Kundur and A. Haddadi, “Cyber-
physical attacks targeting communication-assisted protection schemes,”
IEEE Trans. Power Syst., early access 2019.
[7] X. Liu, M. Shahidehpour, Z. Li, X. Liu, Y. Cao, and Z. Li, “Power
system risk assessment in cyber attacks considering the role of protection
systems,” IEEE Trans. Smart Grid, vol. 8, no. 2, pp. 572–580 March
2017.
[8] A. Ameli, A. Hooshyar, and E. F. El-Saadany, “Development of a
cyber-resilient line current differential relay,” IEEE Trans. Indust. Inform., vol.
15, no. 1, pp. 305–318, Jan. 2019.
[9] C. W. Ten, J. Hong, and C. C. Liu, “Anomaly detection for cybersecurity
of the substations,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 865-873,
Dec. 2011.
[10] J. Hong, C. C. Liu, and M. Govindarasu, “Integrated anomaly detection
for cyber security of the substations,” IEEE Trans. Smart Grid, vol. 5,
no. 4, pp. 1643-1653, April 2014.
[11] U. K. Premaratne, J. Samarabandu, and T. S. Sidhu, “An intrusion
detection system for IEC61850 automated substations,” IEEE Trans.
Power Del., vol. 25, pp. 2376–2383, Oct. 2010.
[12] R. Macwan et al., “Collaborative defense against data injection attack
in IEC61850 based smart substations,” in Proc. 2016 IEEE Power and
Energy Society Gen. Meet., Boston, MA, 2016, pp. 1–5.
[13] R. Nuqui, J. Hong, A. Kondabathini, D. Ishchenko and D. Coats, “A
collaborative defense for securing protective relay settings in electrical
cyber physical systems,” in Proc. 2018 Resilience Week, Denver, CO,
2018, pp. 49–54.
[14] J. Hong et al., “Cyber attack resilient distance protection and circuit
breaker control for digital substations,” IEEE Trans. Indust. Inform.,
vol. 15, no. 7, pp. 4332–4341, July 2019.
[15] J. Hong and C. C. Liu, “Intelligent electronic devices with collaborative
intrusion detection systems,” IEEE Trans. Smart Grid, vol. 10, no. 1, pp.
271–281, Jan. 2019.
[16] T. Cui, D. Ishchenko, and R. Nuqui, “Security filter: secure communication
of protection and control devices in IEC 61850 substations,”
in Proc. Protection, Automation and Control (PAC) World Americas,
Raleigh, NC, USA, 2015.
[17] H. Karimipour, A. Dehghantanha, R. M. Parizi, K. R. Choo and H.
Leung, “A deep and scalable unsupervised machine learning system for
cyber-attack detection in large-scale smart grids,” IEEE Access, vol. 7,
pp. 80778–80788, 2019.
[18] S. Ahmed, Y. Lee, S. Hyun and I. Koo, “Feature selection-based detection
of covert cyber deception assaults in smart grid communications
networks using machine learning,” IEEE Access, vol. 6, pp. 27518–27529,
2018.
[19] Y. Wang, M. M. Amin, J. Fu and H. B. Moussa, “A novel data analytical
approach for false data injection cyber-physical attack mitigation in
smart grids,” IEEE Access, vol. 5, pp. 26022–26033, 2017.
[20] Y. Xin et al., “Machine learning and deep learning methods for
cybersecurity,” IEEE Access, vol. 6, pp. 35365–35381, 2018.
[21] M. Esmalifalak, L. Liu, N. Nguyen, R. Zheng and Z. Han, “Detecting
stealthy false data injection using machine learning in smart grid,” IEEE
Systems Journal, vol. 11, no. 3, pp. 1644–1652, Sept. 2017.
[22] K. Khanna, B. K. Panigrahi and A. Joshi, “AI-based approach to identify
compromised meters in data integrity attacks on smart grid,” IET Gen.,
Trans. & Dist., vol. 12, no. 5, pp. 1052–1066, 2018.
[23] Y. He, G. J. Mendis and J. Wei, “Real-time detection of false data injec-
tion attacks in smart grid: A deep learning-based intelligent mechanism,”
IEEE Trans. Smart Grid, vol. 8, no. 5, pp. 2505–2516, Sept. 2017.
[24] J. Wei and G. J. Mendis, “A deep learning-based cyber-physical strategy
to mitigate false data injection attack in smart grids,” in Proc. 2016 Joint
Workshop on Cyber- Physical Security and Resilience in Smart Grids
(CPSR-SG), Vienna, 2016, pp. 1–6.
[25] A. Valdes, R. Macwan and M. Backes, “Anomaly detection in electrical
substation circuits via unsupervised machine learning,” in Proc. 2016
IEEE 17th International Conference on Information Reuse and Integra-
tion (IRI), Pittsburgh, PA, 2016, pp. 500–505.
[26] U. Adhikari, T. H. Morris and S. Pan, “Applying non-nested generalized
exemplars classification for cyber-power event and intrusion detection,”
IEEE Trans. Smart Grid, vol. 9, no. 5, pp. 3928–3941, Sept. 2018.
[27] M. Sakurada and T. Yairis, “Anomaly detection using autoencoders
with nonlinear dimensionality reduction,” in Proceedings of the MLSDA
2014 2nd Workshop on Machine Learning for Sensory Data Analysis -
MLSDA’14, Gold Coast, Australia, 2014, pp. 4–11.
[28] P. Malhotra et al., “LSTM-based encoder-decoder for multi-sensor
anomaly detection,” in ICML 2016 Anomaly Detection Workshop, New
York, NY, 2016.
[29] I. Goodfellow, Y. Bengio and A. Courville, Deep learning, MIT Press,
2016.
[30] H. Gras, J. Mahseredjian, E. Rutovic, U. Karaagac, A. Haddadi, O. Saad,
I. Kocar, and A. El-Akoum, “A new hierarchical approach for modeling
protection systems in EMT-type software,” Intern. Conf. Power Syst.
Transients, Seoul, Republic of Korea, June 2017.
[31] UCA International Users Group, “Implementation Guideline for Digital
Interface to Instrument Transformers using IEC 61850-9-2,
... An instantaneous time response is set to isolate any detected fault inside this zone. While zone 2 covers a selected percent between 120% and 150% of the protected line length at coordination time delay of 1 second, zone 3 covers all the protected line length in addition to a percent of 120% to 180% of the next line length at coordination time delay of 3 seconds [13], [14]. Zone 2 overlaps zone 1, and zone 3 overlaps both zone 1 and 2. Zone 1 acts as the main protection for the protected line, while zone 2 is considered as a backup protection for zone 1 as well as for the next line distance relay RB as illustrated in Figure 2. The objective of Zone 2 coordination time delay is to avoid simultaneous relay operation with zone 1 in relay B that eventually increases the scheme selectivity. ...
... In order to rate the efficiency of the proposed method, the reliability metrics are evaluated using the confusion matrix. Accuracy, sensitivity, specificity, precision, F1-Score, and Matthews Correlation Coefficient (MCC) are some of these metrics [39], [40], which can be calculated using the equations from (9) to (14). The accuracy ACC is an indication of the proposed methodology's ability to differentiate between the classes: The sensitivity (Dependability) is the ability of the proposed system to detect and isolate the fault: ...
This paper presents a novel proposed method for the fault diagnosis in distance protection of transmission line, by which the real time voltage signal is the only required relay input. Unlike conventional protection schemes, the current signal is excepted without influencing the basic functions of the relay as a protecting and a monitoring device to detect and locate the fault. The new method is based on a pre-trained Convolutional Neural Network (CNN) with a combination of the higher order spectral estimations, which performs a deep learning classification with a very high accuracy. This research has succeeded in proposing an efficient 2D CNN model that takes the Short-Time Fourier Transform (STFT) of the signal for high accuracy fault detecting, locating, and classifying. The performance of the proposed models is tested using a new large dataset prepared using Simulink/Matlab. The results show a high numerical performance evaluation that validates the consistency of the proposed methods.
... A combination of signature-based and deep learning methods have been employed in [12] to monitor and detect cyberattacks in transmission protection. In [13,14], a deep learning-based cyberattack detection system has been proposed for transmission line protection. The performance of different learning algorithms including supervised, semi-supervised, and online learning algorithms have been analyzed in [15] for different attack scenarios. ...
... Since recent advancements of machine learning and deep learning have enriched the field of power system, there have been multiple attempts to investigate the properties of protective relaying with the help of artificial intelligence [20], [21]. The author in [22] studied deep learning-based abnormality detection system for distance relays for real-time identification of cyber-attacks to enhance power system cybersecurity. There has also been research on deep neural networks for real-time defect detection and classification from differential current data with excellent accuracy and dependability under a variety of operating situations [23]. ...
Abstract: Transformers play a crucial role in the electric power system, and it is essential to protect them adequately. To address the risk of transformer damage during faults, faster and more selective protection measures are required. In this study, the performance of a differential relay was successfully simulated on the MATLAB/Simulink platform. The data found from the proposed model were used to train an Artificial Neural Network (ANN) to predict the relay tripping. The main objective was to investigate the protection of power transformer from internal faults and prevent any interference with the power system. Several plausible fault scenarios were evaluated. It was thoroughly examined how the relays performed under different system characteristics and fault conditions. Additionally, the ANN model was successfully trained to predict the differential relay tripping under different fault scenarios and locations.
... The vulnerabilities of remote connectivity to protective relays are summarised in [15], categorised as software security vulnerabilities, network security vulnerabilities, such as denial-of-service (DoS) attacks, system vulnerabilities, and other miscellaneous malware. The cyberattack against the individual IED, for example, the false data injection attack, has already been rigorously discussed, mainly focussing on the unwanted or undesired IED operation [4,16]. However, subsequent IED operations that could result in large-scale power outages have been well investigated [6]. ...
Attackers are able to enumerate all devices and computers within a compromised substation network. Digital relays deployed in the substation are the devices with IP addresses that can be discovered in the process of trial-and-error search. This paper is concerned with studies of cyberattacks manipulating digital relays to disruptively disconnect the associated breakers. The plausible enumeration of such disruptive attack for each relay in a substation is verified with the dynamic simulation studies with the special protection system for frequency, voltage, and rotor angle stability. A pertinent approach with smaller scale contingency analysis results is proposed to reduce the enormous computation burden. The devised enumeration reduction method is evaluated using IEEE test cases. The proposed method provides an extensive enumeration strategy that can be used by utility engineers to identify the pivotal relays in the system and can be further strengthened with security protection.
... Despite the considerable potential of machine learning-based anomaly detection systems, they have received less attention in the literature compared to analytical approaches for cybersecurity enhancement of substations due to the lack of high fidelity data in traditional substations. A 1-dimensional convolutional based autoencoder has been employed in [24] to identify cyberattacks against distance protective relays. A fully connected autoencoder has been employed in [19] to enhance the cybersecurity of the transformer differential protection. ...
Electric power substations are experiencing an accelerated pace of digital transformation including the deployment of LAN-based IEC 61850 communication protocols that facilitate accessibility to substation data while also increasing remote access points and exposure to complex cyberattacks. In this environment, machine learning algorithms will play a vital role in cyberattack detection and mitigation and natural questions arise as to the most effective models in the context of smart grid substations. This paper compares the performance of three autoencoder-based anomaly detection systems including linear, fully connected, and convolutional autoencoders, as well as long short-term memory (LSTM) neural network for cybersecurity enhancement of transformer protection. The simulation results indicated that the LSTM model outperforms the other models for detecting cyberattacks targeting asymmetrical fault data. The linear autoencoder, fully connected autoencoder and 1D CNN further outperform the LSTM model for detecting cyberattacks targeting the symmetrical fault data.
The dependence of modern societies on electric energy is ever increasing by the emergence of smart cities and electric vehicles. This is while an unprecedented number of cyberphysical hazards are threatening the integrity and availability of the power grid on a daily basis. On one hand, physical integrity of power systems is under threat by more frequent natural disasters and intentional attacks. On the other hand, the cyber vulnerability of power grids is on the rise by the emergence of smart grid technologies. This underlines an imminent need for the modeling and examination of power grid vulnerabilities to cyber-physical attacks. This paper examines the vulnerability of the communication-assisted protection schemes like permissive overreaching transfer trip (POTT) to cyberattacks using a co-simulation platform. The simulation results show that the transient angle stability of power systems can be jeopardized by cyberattacks on the communication-assisted protection schemes. To address this vulnerability, two physical solutions including the deployment of communication channel redundancy, and a more advanced communication-assisted protection scheme, i.e. DCUB, are considered and tested. The proposed solutions address the vulnerability of the communication-assisted protection schemes to distributed denial of service attack to some extent. Yet, the simulation results show the vulnerability of the proposed solutions to sophisticated cyberattacks like false data injection attacks. This highlights the need for the development of cyber-based solutions for communication channel monitoring.
Smart grid technology increases reliability, security and efficiency of the electrical grids. However, its strong dependencies on digital communication technology bring up new vulnerabilities that need to be considered for efficient and reliable power distribution. In this paper an unsupervised anomaly detection based on statistical correlation between measurements is proposed. The goal is to design a scalable anomaly detection engine suitable for large-scale smart grids, which can differentiate an actual fault from a disturbance and an intelligent cyber-attack. Proposed method applies feature extraction utilizing Symbolic Dynamic Filtering (SDF) to reduce computational burden while discovering causal interactions between the subsystems. Simulation results on IEEE 39, 118 and 2848 bus systems verify the performance of the proposed method under different operation conditions. The results show an accuracy of 99%, true positive rate of 98% and false positive rate of less than 2%.
With the development of the Internet, cyber-attacks are changing rapidly and the cyber security situation is not optimistic. This survey report describes key literature surveys on machine learning (ML) and deep learning (DL) methods for network analysis of intrusion detection and provides a brief tutorial description of each ML / DL method. Papers representing each method were indexed, read, and summarized based on their temporal or thermal correlations. Because data are so important in ML / DL methods, we describe some of the commonly used network datasets used in ML / DL, discuss the challenges of using ML / DL for cybersecurity and provide suggestions for research directions.
The integration of computing and modern wireless communications techniques is enabling prolific intelligent monitoring and efficient control of electric power systems in the frameworks of smart grids. In parallel, an enhanced reliance on such technologies has increased the susceptibility of today’s smart grids to cyber-assaults. Recently, a new type of assault, termed covert cyber deception assault, has been introduced to infringe upon the integrity of smart grid data. Such assaults are designed and initiated by hackers who have considerably good knowledge of the power network topology and the security measures in place, and therefore, these assaults cannot be effectively detected by the bad-data detectors in traditional state estimators. In this paper, we propose a supervised machine learning–based scheme to detect a covert cyber deception assault in the state estimation–measurement feature data that are collected throughout a smart-grid communications network. The distinctive characteristic of the paper is that we use a genetic algorithm–based feature selection in our scheme to improve detection accuracy and reduce computational complexity. The proposed detection scheme is evaluated using standard IEEE 14-bus, 39-bus, 57-bus, and 118-bus test systems. Through performance analysis, it is shown that the proposed scheme provides a significant improvement in covert cyber deception assault detection accuracy, compared to existing machine learning–based schemes.
False data injection cyber-physical threat is a typical integrity attack in modern smart grids. Nowadays, data analytical methods have been employed to mitigate false data injection attacks (FDIAs), especially when large scale smart grids generate huge amounts of data. In this paper, a novel data analytical method is proposed to detect FDIAs based on data-centric paradigm employing the margin setting algorithm (MSA). The performance of the proposed method is demonstrated through simulation using the six-bus power network in a wide area measurement system (WAMS) environment, as well as experimental data sets. Two FDIA scenarios, playback attack and time attack, are investigated. Experimental results are compared with the support vector machine (SVM) and artificial neural network (ANN). The results indicate that MSA yields better results in terms of detection accuracy than both the SVM and ANN when applied to FDIA detection.
This paper proposes new concepts for detecting and mitigating cyber attacks on substation automation systems by domain based cyber-physical security solutions. The proposed methods form the basis of a distributed security domain layer that enables protection devices to collaboratively defend against cyber attacks at substations. The methods utilize protection coordination principles to cross check protection setting changes and can run real time power system analysis to evaluate the impact of the control commands. The Transient Fault Signature based cross correlation coefficient algorithm has been proposed to detect the false Sampled Values data injection attack. The proposed functions were verified in a hardware-in-the loop simulation using commercial relays and a Real Time Digital Simulator. Various types of cyber intrusions are tested using this test bed to evaluate the consequences and impacts of cyber attacks to power grid as well as to validate the performance of the proposed research-grade cyberattack mitigation functions.
The application of line current differential relays (LCDRs) to protect transmission lines has recently proliferated. However, the reliance of LCDRs on digital communication channels has raised growing cyber-security concerns. This paper investigates the impacts of false data injection attacks (FDIAs) on the performance of LCDRs. It also develops coordinated attacks that involve multiple components, including LCDRs, and can cause false line tripping. Additionally, this paper proposes a technique for detecting FDIAs against LCDRs and differentiating them from actual faults in two-terminal lines. In this method, when an LCDR detects a fault, instead of immediately tripping the line, it calculates and measures the superimposed voltage at its local terminal, using the proposed positive-sequence (PS) and negative-sequence (NS) submodules. To calculate this voltage, the LCDR models the protected line in detail and replaces the rest of the system with a Thevenin equivalent that produces accurate responses at the line terminals. Afterwards, remote current measurement is utilized by the PS and NS submodules to compute each sequence's superimposed voltage. A difference between the calculated and the measured superimposed voltages in any sequence reveals that the remote current measurements are not authentic. Thus, the LCDR's trip command is blocked. The effectiveness of the proposed method is corroborated using simulation results for the IEEE 39-bus test system. The performance of the proposed method is also tested using an OPAL real-time simulator (RTS).
False data injection attacks can pose serious threats to the operation and control of power grid. The smarter the power grid gets, the more vulnerable it becomes to cyber-attacks. Various detection methods of cyber-attacks have been proposed in the literature in recent past. However, to completely alleviate the possibility of cyber-threats, the compromised meters must be identified and secured. In this study, the authors are presenting an artificial intelligence (AI)-based identification method to correctly single out the malicious meters. The proposed AI-based method successfully identifies the compromised meters by anticipating the correct measurements in the event of the cyber-attack. New York Independent System Operator load data is mapped with the IEEE 14-bus system to validate the proposed method. The efficiency of the proposed method is compared for artificial neural network and extreme learning machine-based AI techniques. It is observed that both the techniques identify the corrupted meters with high accuracy.