The harmonized automatic relay mitigation of nefarious intentional events (HARMONIE) special protection scheme (SPS) was developed to provide adaptive, cyber-physical response to unpredictable disturbances in the electric grid. The HARMONIE-SPS methodology includes a machine learning classification framework that analyzes real time cyber-physical data and determines if the system is in normal conditions, cyber disturbance, physical disturbance, or cyber-physical disturbance. This classification then informs response, if needed and/or suitable, and included cyber-physical corrective actions. Beyond standard power system mitigations, a few novel approaches were developed that included a consensus algorithm-based relay voting scheme, an automated power system triggering condition and corrective action pairing algorithm, and a cyber traffic routing optimization algorithm. Both the classification and response techniques were tested within a newly integrated emulation environment composed of a real-time digital simulator (RTDS) and SCEPTRE™. This report details the HARMONIE-SPS methodology, highlighting both the classification and response techniques, and the subsequent testing results from the emulation environment.
The electric grid has undergone rapid, revolutionary changes in recent years; from the addition of advanced smart technologies to the growing penetration of distributed energy resources (DERs) to increased interconnectivity and communications. However, these added communications, access interfaces, and third-party software to enable autonomous control schemes and interconnectivity also expand the attack surface of the grid. To address the gap of DER cybersecurity and secure the grid-edge to motivate a holistic, defense-in-depth approach, a proactive intrusion detection and mitigation system (PIDMS) device was developed to secure PV smart inverter communications. The PIDMS was developed as a distributed, flexible bump-in-the-wire (BITW) solution for protecting PV smart inverter communications. Both cyber (network traffic) and physical (power system measurements) are processed using network intrusion monitoring tools and custom machinelearning algorithms for deep packet analysis and cyber-physical event correlation. The PIDMS not only detects abnormal events but also deploys mitigations to limit or eliminate system impact; the PIDMS communicates with peer PIDMSs at different locations using the MQTT protocol for increased situational awareness and alerting. The details of the PIDMS methodology and prototype development are detailed in this report as well as the evaluation results within a cyber-physical emulation environment and subsequent industry feedback.
Communication-assisted adaptive protection can improve the speed and selectivity of the protection system. However, in the event, that communication is disrupted to the relays from the centralized adaptive protection system, predicting the local relay protection settings is a viable alternative. This work evaluates the potential for machine learning to overcome these challenges by using the Prophet algorithm programmed into each relay to individually predict the time-dial (TDS) and pickup current (IPICKUP) settings. A modified IEEE 123 feeder was used to generate the data needed to train and test the Prophet algorithm to individually predict the TDS and IPICKUP settings. The models were evaluated using the mean average percentage error (MAPE) and the root mean squared error (RMSE) as metrics. The results show that the algorithms could accurately predict IPICKUP setting with an average MAPE accuracy of 99.961%, and the TDS setting with a average MAPE accuracy of 94.32% which is sufficient for protection parameter prediction.
Adaptive protection is defined as a real-time system that can modify the protective actions according to the changes in the system condition. An adaptive protection system (APS) is conventionally coordinated through a central management system located at the distribution system substation. An APS depends significantly on the communication infrastructure to monitor the latest status of the electric power grid and send appropriate settings to all of the protection relays existing in the grid. This makes an APS highly vulnerable to communication system failures (e.g., broken communication links due to natural disasters as well as wide-range cyber-attacks). To this end, this paper presents the addition of local adaptive modular protection (LAMP) units to the protection system to guarantee its reliable operation under extreme events when the operation of the APS is compromised. LAMP units operate in parallel with the conventional APS. As a backup, if APS fails to operate because of an issue in the communication system, LAMP units can accommodate a reliable fault detection and location on behalf of the protection relay. The performance of the proposed APS is verified using IEEE 123 node test system.
We present our research findings on the novel NDN protocol. In this work, we defined key attack scenarios for possible exploitation and detail software security testing procedures to evaluate the security of the NDN software. This work was done in the context of distributed energy resources (DER). The software security testing included an execution of unit tests and static code analyses to better understand the software rigor and the security that has been implemented. The results from the penetration testing are presented. Recommendations are discussed to provide additional defense for secure end-to-end NDN communications.
There are now over 2.5 million Distributed Energy Resource (DER) installations connected to the U.S. power system. These installations represent a major portion of American electricity critical infrastructure and a cyberattack on these assets in aggregate would significantly affect grid operations. Virtualized Operational Technology (OT) equipment has been shown to provide practitioners with situational awareness and better understanding of adversary tactics, techniques, and procedures (TTPs). Deploying synthetic DER devices as honeypots and canaries would open new avenues of operational defense, threat intelligence gathering, and empower DER owners and operators with new cyber-defense mechanisms against the growing intensity and sophistication of cyberattacks on OT systems. Well-designed DER canary field deployments would deceive adversaries and provide early-warning notifications of adversary presence and malicious activities on OT networks. In this report, we present progress to design a high-fidelity DER honeypot/canary prototype in a late-start Laboratory Directed Research and Development (LDRD) project.
As conventional generation sources continue to be replaced with inverter-based resources, the traditional fixed overcurrent protection schemes used at the distribution level will no longer be valid. Adaptive protection will provide the ability to update the protection scheme in near real-time to ensure reliability and increase the resilience of the grid. However, knowing and detecting when to update protection parameters that are calculated with an adaptive protection algorithm to prevent unnecessarily communicating with relays still needs to be understood. The proposed method provides a sensitivity analysis to understand when it is necessary to issue new parameters to the relays. The results show that settings do not need to be issued at each available time step. Instead, the proposed sensitivity analysis method can be used to ensure that only the imperative protection parameters are communicated to the relay, allowing for more optimal utilization of the communications. The results show that the sensitivity analysis reduces the settings communicated to the devices by 93% over the year.
The electric grid is becoming increasingly cyber-physical with the addition of smart technologies, new communication interfaces, and automated grid-support functions. Because of this, it is no longer sufficient to only study the physical system dynamics, but the cyber system must also be monitored as well to examine cyber-physical interactions and effects on the overall system. To address this gap for both operational and security needs, cyber-physical situational awareness is needed to monitor the system to detect any faults or malicious activity. Techniques and models to understand the physical system (the power system operation) exist, but methods to study the cyber system are needed, which can assist in understanding how the network traffic and changes to network conditions affect applications such as data analysis, intrusion detection systems (IDS), and anomaly detection. In this paper, we examine and develop models of data flows in communication networks of cyber-physical systems (CPSs) and explore how network calculus can be utilized to develop those models for CPSs, with a focus on anomaly and intrusion detection. This provides a foundation for methods to examine how changes to behavior in the CPS can be modeled and for investigating cyber effects in CPSs in anomaly detection applications.
The goal of this paper is to utilize machine learning (ML) techniques for estimating the distribution circuit topology in an adaptive protection system. In a reconfigurable distribution system with multiple tie lines, the adaptive protection system requires knowledge of the existing circuit topology to adapt the correct settings for the relay. Relays rely on the communication system to identify the latest status of remote breakers and tie lines. However, in the case of communication system failure, the performance of adaptive protection system can be significantly impacted. To tackle this challenge, the remote circuit breakers and tie lines' status are estimated locally at a relay to identify the circuit topology in a reconfigurable distribution system. This paper utilizes Support Vector Machine (SVM) to forecast the status of remote circuit breakers and identify the circuit topology. The effectiveness of proposed approach is verified on two sample test systems.
Traditional protective relay voting schemes utilize simple logic to achieve confidence in relay trip actions. However, the smart grid is rapidly evolving and there are new needs for a next-generation relay voting scheme. In such new schemes, aspects such as inter-relay relationships and out-of-band data can be included. In this work, we explore the use of consensus algorithms and how they can be utilized for groups of relays to vote on system protection actions and also reach consensus on the values of variables in the system. A proposed design is explored with a simple case study with two different scenarios, including simulation in PowerWorld Simulator, to demonstrate the consensus algorithm benefits and future directions are discussed.
The electric grid is rapidly being modernized with novel technologies, adaptive and automated grid-support functions, and added connectivity with internet-based communications and remote interfaces. These advancements render the grid increasingly 'smart' and cyber-physical, but also broaden the vulnerability landscape and potential for malicious, cascading disturbances. The grid must be properly defended with security mechanisms such as intrusion detection systems (IDSs), but these tools must account for power system behavior as well as network traffic to be effective. In this paper, we present a cyber-physical IDS, the proactive intrusion detection and mitigation system (PIDMS), that analyzes both cyber and physical data streams in parallel, detects intrusion, and deploys proactive response. We demonstrate the PIDMS with an exemplar case study exploring a packet replay attack scenario focused on photovoltaic inverter communications; the scenario is tested with an emulated, cyber-physical grid environment with hardware-in-the-loop inverters.
Recent trends in the growth of distributed energy resources (DER) in the electric grid and newfound malware frameworks that target internet of things (IoT) devices is driving an urgent need for more reliable and effective methods for intrusion detection and prevention. Cybersecurity intrusion detection systems (IDSs) are responsible for detecting threats by monitoring and analyzing network data, which can originate either from networking equipment or end-devices. Creating intrusion detection systems for PV/DER networks is a challenging undertaking because of the diversity of the attack types and intermittency and variability in the data. Distinguishing malicious events from other sources of anomalies or system faults is particularly difficult. New approaches are needed that not only sense anomalies in the power system but also determine causational factors for the detected events. In this report, a range of IDS approaches were summarized along with their pros and cons. Using the review of IDS approaches and subsequent gap analysis for application to DER systems, a preliminary hybrid IDS approach to protect PV/DER communications is formed in the conclusion of this report to inform ongoing and future research regarding the cybersecurity and resilience enhancement of DER systems.
Grid operators are now considering using distributed energy resources (DERs) to provide distribution voltage regulation rather than installing costly voltage regulation hardware. DER devices include multiple adjustable reactive power control functions, so grid operators have the difficult decision of selecting the best operating mode and settings for the DER. In this work, we develop a novel state estimation-based particle swarm optimization (PSO) for distribution voltage regulation using DER-reactive power setpoints and establish a methodology to validate and compare it against alternative DER control technologies (volt-VAR (VV), extremum seeking control (ESC)) in increasingly higher fidelity environments. Distribution system real-time simulations with virtualized and power hardware-in-the-loop (PHIL)-interfaced DER equipment were run to evaluate the implementations and select the best voltage regulation technique. Each method improved the distribution system voltage profile; VV did not reach the global optimum but the PSO and ESC methods optimized the reactive power contributions of multiple DER devices to approach the optimal solution.
The penetration of Internet-of-Things (IoT) devices in the electric grid is growing at a rapid pace; from smart meters at residential homes to distributed energy resource (DER) system technologies such as smart inverters, various devices are being integrated into the grid with added connectivity and communications. Furthermore, with these increased capabilities, automated grid-support functions, demand response, and advanced communication-assisted control schemes are being implemented to improve the operation of the grid. These advancements render our power systems increasingly cyber-physical. It is no longer sufficient to only focus on the physical interactions, especially when implementing cybersecurity mechanisms such as intrusion detection systems (IDSs) and mitigation schemes that need to access both cyber and physical data. This new landscape necessitates novel methods and technologies to successfully interact and understand the overall cyber-physical system. Specifically, this paper will investigate the need and definition of cyber-physical observability for the grid.