The increasing risk of cyber-physical attacks (CPAs) on power infrastructure has led to need for reliable detection technologies. As the landscape of cyber threats evolves, it becomes imperative to continually update and enhance attack detection techniques. This research investigates the formulation of detection algorithm, via combination of State Partition Particle Filter (SP-PF) theories for power system security. The proposed approach applies intelligent partitioning of the state space so as to be accurately represented with fewer particles. This reduction in computational demand enhances the algorithm’s efficiency, making it more practical for real-time applications. The detection algorithm based on SP-PF is tested against switching attacks (SAs) launched on the governor and excitation systems associated with the generator. The RTDS platform is utilized for conducting real-time simulations of IEEE 9-bus power network in order to demonstrate the efficacy of proposed SP-PF based detection SA in real-time.@en

This review paper explores the landscape of incipient fault detection methodologies within power distribution networks. It aims to provide insights into the current state-of-the-art techniques, their effectiveness, and potential avenues for future research. Incipient faults, often imperceptible and challenging to detect, pose significant risks to the stability and reliability of power distribution systems. Detecting these faults early ensures uninterrupted service and prevents catastrophic failures. The review begins by outlining the fundamental concepts of incipient faults and their implications on power distribution networks. It then surveys various detection methods, categorizing them into conventional and advanced techniques. Conventional methods include rule-based approaches, while advanced techniques encompass machine learning, artificial intelligence, and data-driven methodologies. Each category is examined in terms of its principles, advantages, and limitations. Furthermore, the review identifies key challenges and emerging trends in incipient fault detection, such as integrating smart grid technologies, utilizing big data analytics, and developing hybrid detection approaches. This thorough review enables stakeholders in the power distribution sector to enhance their comprehension of existing incipient fault detection techniques, thereby enabling informed decisions to enhance network reliability and resilience. Moreover, it offers invaluable insights for researchers and practitioners striving to drive advancements in the field through innovative methodologies and technologies.@en

Cyber-physical power systems are susceptible to cyber threats and attacks that can lead to cascading failures and widespread power outages. Therefore, mitigating the impact of such attacks requires the timely implementation of operational strategies to prevent cascading blackouts. One Such strategy is the controlled islanding of the affected power grid, serving as a last resort against the propagation of the cascading outages. In this context, this paper introduces a novel detection-informed operational mitigation strategy, i.e., controlled islanding, against cyberattack-induced cascading failures, addressing 'when' and 'where' to implement controlled islanding. The proposed strategy leverages dynamic cascading failure modeling to quantify the impact of ongoing cyberattacks on power grids, using quantitative metrics such as demand-not-served (DNS). For effective operational mitigation, the strategy initiates controlled islanding when any attack, including fabricated protection trip commands and measurements' replay attacks, are detected, and any operating limits, such as line loading, are violated. It then proceeds to the implementation of controlled islanding, where identified cyberattack-affected elements are effectively surrounded by stable and self-sufficient islanded areas, while minimizing the system DNS. Numerical results on the IEEE 39-bus system demonstrate the effectiveness of the proposed strategy, reducing the DNS value by up to 47% when the controlled islanding strategy is implemented.

@en

Power systems are undergoing rapid digitalization. This introduces new vulnerabilities and cyber threats in future Cyber-Physical Power Systems (CPPS). Some of the most notable incidents include the cyber attacks on the power grid in Ukraine in 2015, 2016, and 2022, which employed Advanced Persistent Threat (APT) strategies that took several months to reach their objectives and caused power outages. This highlights the urgent need for an in-depth analysis of APTs on CPPS. However, existing frameworks for analyzing cyber attacks, i.e., MITRE ATT&CK ICS and Cyber Kill Chain, have limitations in comprehensively analyzing APTs in CPPS environments. To address this gap, we propose a novel Advanced Cyber-Physical Power System (ACPPS) kill chain framework. The ACPPS kill chain identifies the APT characteristics that are unique to power systems. It defines and examines the cyber-physical APT stages spanning from the initial phases of infiltration to cascading failures and a power system blackout. The proposed ACPPS kill chain is validated with real-world APT attacks on the power grid in Ukraine in 2015 and 2016, and cyber-physical simulations.

@en

The virtual integration of geographically distributed Research Infrastructures (RIs) for joint experiments in the domain of power and energy systems poses numerous challenges, particularly in terms of tool compatibility and user-friendliness. To address some of these challenges, this work presents the development and implementation of a laboratory-based middleware and data exchange service as part of the H2020 ERIGrid 2.0 project. The middleware comprises a suite of shared software tools and services designed to seamlessly integrate RIs including transport protocols as well as interface semantics. Specifically, this work details the development of a simplified and standardised interface known as the Universal Application Programming Interface (UAPI). It eliminates the need for users to grapple with the diverse intricacies of each individual RI, offering instead a tool-agnostic and standardised interface for conducting joint experiments. The work also presents and discusses the results of a real-world case study of a geographically distributed, sector-coupling experiment conducted between laboratories in Denmark, Greece, Italy, Netherlands, and Norway utilising the developed middleware.

@en

High Voltage Direct Current (HVDC) technology is one of the key enablers of the energy transition, especially for offshore wind energy systems. While extensive research on cyber security of High Voltage Alternating Current (HVAC) systems has been conducted, limited research exists on cyber security aspects of HVDC systems. These systems exhibit unique attributes, in comparison to HVAC systems, such as longer transmission line distances and increased volume of data samples for wide-area monitoring, control, and protection applications. These factors lead to a higher vulnerability of HVDC systems to cyber attacks. Existing state-of-the-art HVDC surveys, however, are primarily focused on HVDC physical components and exclude cyber security elements. Therefore, this paper presents the first detailed survey on the cyber security of HVDC Cyber-Physical Systems (CPS). We present a comprehensive review of the state-of-the-art HVDC systems, with a special focus on cyber threats and vulnerabilities, defense and mitigation strategies, and testbeds. Based on the review and analysis, insights and recommendations on future research directions to address the research gaps in this field of study are provided. Future research on cyber security for HVDC systems should prioritize the integration of cyber and physical system data and focus on early-stage detection to mitigate the potentially severe impacts of cyber attacks on HVDC grids.

@en

Today's critical infrastructure systems are more interconnected and dependent on the electric power grid. This interdependence means that disruptions in one system can have far-reaching consequences across many others. This is particularly evident when a cyberattack in the power grid leads to widespread outages and disrupts essential societal services. To prevent such disasters, it is crucial that proactive actions are taken to secure our power grid control centers and digital substations. This is where digital twins (DTs) play an important role: By creating virtual replicas of cyberphysical assets and processes, DTs allow system operators to anticipate and address potential vulnerabilities in our cybersecurity defenses before they can be exploited. As such, a DT can be considered as a key contributor to safeguard the power system against cyberattacks. This article examines the potential future benefits of DTs in enabling a cybersecure and resilient power grid, explores multiple use cases, and proposes a path forward.@en

Cascading failures in power systems are extremely rare occurrences caused by a combination of multiple, low probability events. The looming threat of cyberattacks on power grids, however, may result in unprecedented large-scale cascading failures, leading to a blackout. Therefore, new analysis methods are needed to study such cyber induced phenomena. In this article, we propose a data-driven method for dynamical analysis of power system cascading failures caused by cyberattacks. We provide experimental proof on how attacks may accelerate the cascading failure mechanism, in comparison to historically observed blackouts. Using a dynamic power grid model, consisting of multiple, coordinated protection schemes, we define and analyze the point of no return in a cascading failure sequence by applying the Hilbert-Huang transform for time-frequency analysis. Numerical results indicate, cyberattacks may accelerate cascading failures at least by a factor of 3x. This is due to the excitation and non-damping of multiple frequency modes greater than 1 Hz in a short time span. The proposed method is tested using time domain simulations conducted through a modified IEEE 39-bus test system, which can simulate cascading outages using coordinated protection schemes.

@en

Cyber actors can target the unsecured IEC 61850 protocols in digital substations to open circuit breakers and affect the power system operation. Thus, system operators must detect cyber-physical anomalies and differentiate in real-time between power system faults and cyber attacks on digital substations for effective incident response. In this work, we propose a novel image encoding method for event correlation using cyber-physical time-series data, i.e., Phasor Measurement Units (PMUs) and Operational Technology (OT) network traffic. More specifically, we propose a dynamic variation of the Gramian Angular Field method, which generates image streams capturing in real-time the spatial-temporal features in PMU measurements and IEC 61850 GOOSE traffic throughput. The proposed method for cyber-physical event correlation uses an image fusion technique. The method is tested using the benchmark IEEE 9-bus system. It successfully distinguishes between three-phase faults and GOOSE cyber attacks, demonstrating its usefulness for power system cyber security analytics.

@en

This paper presents a methodology to distinguish between three-phase faults and GOOSE cyber attacks, aimed at opening the circuit breakers in the power grid. We propose a scheme that utilizes Phasor Measurement Unit (PMU)-enabled monitoring of power grid states, and communication network packet logs in the substation. In this scheme, by leveraging both cyber and physical data correlations and applying a Seasonal Autoregressive Moving Average (SARMA) model, we successfully distinguish between 3-phase faults and cyber attacks. The proposed scheme is tested using the benchmark IEEE 9-bus system, and can distinguish cyber attacks from faults in less than 0.2s. This demonstrates the usefulness of the proposed scheme for power system cyber security analytics.@en

Cascading effects in the power grid involve an uncontrolled, successive failure of elements. The root cause of such failures is the combined occurrence of multiple, statistically rare events that may result in a blackout. With increasing digitalisation, power systems are vulnerable to emergent cyber threats. Furthermore, such threats are not statistically limited and can simultaneously occur at multiple locations. In the absence of real-world attack information, however, it is imperative to investigate if and how cyber attacks can cause power system cascading failures. Hence, in this work we present a fundamental analysis of the connection between the cascading failure mechanism and cyber security. We hypothesise and demonstrate how cyber attacks on power grids may cause cascading failures and a blackout. To do so, we perform a systematic survey of major historic blackouts caused by physical disturbances, and examine the cascading failure mechanism. Subsequently, we identify critical cyber-physical factors that can activate and influence it. We then infer and discuss how cyber attack vectors can enable these factors to cause and accelerate cascading failures. A synthetic case-study and software-based simulation results prove our hypothesis. This analysis enables future research into cyber resilience of power grids.

@en

Monitoring, protection, and control processes are becoming more complex as distributed energy resources (DERs) penetrate distribution networks (DNs). This is due to the inherent nature of power DNs and the bi-directional flow of current from various sources to the loads. To improve the system’s situational awareness, the grid dynamics of the entire DER integration processes must be carefully monitored using synchronized high-resolution real-time measurement data from physical devices installed in the DN. μPMUs have been introduced into the DN to help with this. In comparison to traditional measurement devices, μPMUs can measure voltage, current, and their phasors, in addition to frequency and rate of frequency change (ROCOF). In this study, an approach to generating realistic event data for a real utility DN utilizing strategically installed μPMUs is proposed. The method employs an IEEE 34 test feeder with 12 μPMUs installed in strategic locations to generate real-time events-based realistic μPMU data for various situational awareness applications in an unbalanced DN. The node voltages and line currents were used to analyze the various no-fault and fault events. The author generated the data as part of his PhD research project, utilizing his real-time utility grid operation experience to be used for various situational awareness and fault location studies in a real unbalanced DN. The DN was modeled in DIgSILENT PowerFactory (DP) software. The generated realistic μPMU data can be utilized for developing data-driven algorithms for different event-detection, classification and section-identification research works.@en

The complexity and dynamic nature of laboratory configurations pose a challenge when undertaking joint experiments, involving multiple Research Infrastructures (RIs). In this context, this paper presents an approach towards the automation of Configuration Management (CM) for joint experiments between multiple labs. The objective is to develop a CM workflow, based on the automated generation of individual local signal configurations from a single global experiment configuration. For this reason, a global experiment configuration file which defines signals, their exchange patterns between RIs, and the data transport packages used for the actual exchange is created. Furthermore, typical use cases based on static and dynamic lab configuration are defined and demonstrated using the proposed approach.@en

The cyber attacks in Ukraine in 2015 and 2016 demonstrated the vulnerability of electrical power grids to cyber threats. They highlighted the significance of Operational Technology (OT) communication-based anomaly detection. Many anomaly detection methods are based on real-time traffic monitoring, i.e., Intrusion Detection Systems (IDS) that may produce false positives and degrade the OT communication performance. Security Operations Center (SOC) needs intelligent tools to conduct forensic analysis on generated IDS alarms and identify the attack locations. Therefore, in this paper, we propose a novel, graph-based forensic analysis method for anomaly detection in power systems using OT communication network traffic throughput. It employs a hybrid deep learning model involving Graph Convolutional Long Short-Term Memory and a Convolutional Neural Network. The proposed method aids SOC with continuous OT security monitoring and post-mortem investigations. Results indicate that the proposed method is able to pinpoint the locations of cyber attacks on power grid OT networks with an AUC score above 75%.@en

This paper presents a rules-based integrated fault detection, classification and section identification (I-FDCSI) method for real distribution networks (DN) using micro-phasor measurement units ((Formula presented.) PMUs). The proposed method utilizes the high-resolution synchronized realistic measurements from the strategically installed (Formula presented.) PMUs to detect and classify different types of faults and identify the faulty section of the distribution network. The I-FDCSI method is based on a set of rules developed using expert knowledge and statistical analysis of the generated realistic measurements. The algorithms mainly use line currents per phase reported by the different (Formula presented.) PMUs to calculate the minimum and maximum short circuit current ratios. The algorithms were then fine-tuned with all the possible types and classes of fault simulations at all possible sections of the network with different fault parameter values. The proposed I-FDCSI method addresses the inherent challenges of DN by leveraging the high-precision measurements provided by (Formula presented.) PMUs to accurately detect, classify, and sectionalise faults. To ensure the applicability of the developed IFDCSI method, it is further tested and validated with all the possible real-time events on a real distribution network and its performance has been compared with the conventional fault detection, classification and section identification methods. The results demonstrate that the I-FDCSI method has a higher accuracy and faster response time compared to the conventional methods and facilitates faster service restoration, thus improving the reliability and resiliency indices of DN.

@en

Electromagnetic transients (EMT) is the most accurate, but computationally expensive method of analyzing power system phenomena. Thereby, interconnecting several real-time simulators can unlock scalability and system coverage, but leads to a number of new challenges, mainly in time synchronization, numerical stability, and accuracy quantification. This study presents such a cosimulation, based on digital real-time simulators (DRTS), connected via Aurora 8B/10B protocol. Such a setup allows to analyze complex and hybrid system-of-systems whose resulting numerical phenomena and artifacts have been poorly investigated and understood so far. We experimentally investigate the impact of IEEE 1588 precision time protocol synchronization assessing both time and frequency domains. The analysis of the experimental results is encouraging and show that numerical stability can be maintained even with complex system setups. Growing shares of inverter-based renewable power generation require larger and interconnected EMT system studies. This work helps to understand the phenomena connected to such DRTS advanced cosimulation setups.@en

Electrical power grids are vulnerable to cyber attacks, as seen in Ukraine in 2015 and 2016. However, existing attack detection methods are limited. Most of them are based on power system measurement anomalies that occur when an attack is successfully executed at the later stages of the cyber kill chain. In contrast, the attacks on the Ukrainian power grid show the importance of system-wide, early-stage attack detection through communication-based anomalies. Therefore, in this paper, we propose a novel method for online cyber attack situational awareness that enhances the power grid resilience. It supports power system operators in the identification and localization of active attack locations in Operational Technology (OT) networks in near real-time. The proposed method employs a hybrid deep learning model of Graph Convolutional Long Short-Term Memory (GC-LSTM) and a deep convolutional network for time series classification-based anomaly detection. It is implemented as a combination of software defined networking, anomaly detection in communication throughput, and a novel attack graph model. Results indicate that the proposed method can identify active attack locations, e.g., within substations, control center, and wide area network, with an accuracy above 96%. Hence, it outperforms existing state-of-the-art deep learning-based time series classification methods.@en

Paper ID – 0348@en

Over the past decade, the number of cyber attack incidents targeting critical infrastructures such as the electrical power system has increased. To assess the risk of cyber attacks on the cyber-physical system, a holistic approach is needed that considers both system layers. However, the existing risk assessment methods are either qualitative in nature or employ probabilistic models to study the impact on only one system layer. Hence, in this work, we propose a quantitative risk assessment method for cyber-physical systems based on probabilistic and deterministic techniques. The former uses attack graphs to evaluate the attack likelihood, while the latter analyzes the potential cyber-physical impact. This is achieved through a dynamic cyber-physical power system model, i.e., digital twin, able to simulate power system cascading failures caused by cyber attacks. Additionally, we propose a domain-specific language to describe the assets of digital substations and thereby model the attack graphs. Using the proposed method, combined risk metrics are calculated that consider the likelihood and impact of cyber threat scenarios. The risk assessment is conducted using the IEEE 39-bus system, consisting of 27 user-defined digital substations. These substations serve as the backbone of the examined cyber system layer and as entry-points for the attackers. Results indicate that cyber attacks on specific substations can cause major cascading failures or even a blackout. Thereby, the proposed method identifies the most critical substations and assets that must be cyber secured.@en

Cosimulation techniques are gaining popularity amongst the power system research community to analyze future scalable smart grid solutions. However, complications such as multiple communication protocols, uncertainty in latencies are holding up the widespread usage of these techniques for the power system analysis. These issues are even further exacerbated when applied to digital real-time simulators (DRTSs) with strict real-time constraints for power hardware-in-the-loop (PHIL) tests. In this article, we present an innovative digital real-time cosimulation infrastructure that allows interconnecting different DRTS through the Aurora 8B/10B protocol to reduce the effects of communication latency and respect real-time constraints. The proposed solution synchronizes the DRTS interconnection by means of the IEEE 1588 precision time protocol (PTP) standard to align executions and results obtained by the cosimulated scenario. The ideal transformer method interface algorithm, commonly used in PHIL applications, is used to interface the DRTS. Finally, we present time-domain and frequency-domain accuracy analyzes on the obtained experimental results to demonstrate the potential of the proposed infrastructure. With the presented setup, a time step duration down to 50 μs is shown to be stable and accurate in running an electromagnetic transients cosimulated power grid scenario by interconnecting two commercial DRTS (i.e., RTDS NovaCor), extending the scalability of future smart grid real-time simulations.

@en