Junho Hong
  • Raleigh, NC, USA
Due to the high penetration of distributed energy resources (DER) and emerging DER interconnection and interoperability requirements, fast and standardized information exchange is essential for stable, resilient, and reliable operations in microgrids. This paper proposes fast fault detection, isolation, and restoration (F-FDIR) for microgrid applications using IEC 61850 Generic Object Oriented Substation Event (GOOSE) communication, taking communication/system failure into account. GOOSE provides a mechanism for lightweight, low-latency peer-to-peer data exchange between devices, which reduces the restoration time compared to the conventional client-server communication paradigm. The proposed mitigation method for communication/system failure can find an available restoration scenario and reduce the overall process time. A hardware-in-the-loop (HIL) testbed is designed and implemented with a real-time digital simulator, a microgrid control system, and protection and control intelligent electronic devices (IEDs) for validation. The experimental results show that the proposed F-FDIR and IEC 61850 models can enhance the reliability and interoperability of microgrid operation and enable self-healing microgrids.
IEC61850 is the mainstream in the development of substation automation. This paper presents practical considerations and analysis for implementing a secure sampled measured value (SeSV) message in a substation automation system. Due to the lack of security features in the standard, IEC Working Group 15 of Technical Committee 57 published IEC62351 on security for IEC61850 profiles. However, authentication methods for SV based on the IEC62351 standards are still not integrated, and their computational capabilities and performance have not been validated and tested with commercial-grade equipment. Hence, this paper shows the performance of security-feature-enabled SeSV packets transmitted between protection and control devices by appending a message authentication code (MAC) to the extended IEC61850 packets. A prototype implementation on a low-cost commodity embedded system has proved that the MAC-enabled SV message can fully secure the process bus communication in the digital substation with negligible time delay.
Information and Communications Technology (ICT) supports the development of novel control and communication functions for monitoring, operation, and control of power systems. However, the high-level deployment of ICT also increases the risk of cyber intrusions for Supervisory Control And Data Acquisition (SCADA) systems. Attackers can gain access to the protected infrastructures of the grid and launch attacks to manipulate measurements at the substations. The fabricated measurements can mislead the operators in the control center into taking undesirable actions. The Intrusion Detection System (IDS) proposed in this paper is deployed in IEC 61850 based substations. The proposed IDS identifies falsified measurements in Manufacturing Messaging Specification (MMS) messages. By cross-checking the consistency of electric circuit relationships at the substation level in a distributed manner, the falsified measurements can be detected and discarded before the malicious packets are sent out of the substations through DNP3 communication. A cyber-physical system testbed is used to validate the performance of the proposed IDS. Using the IEEE 39-bus test system, simulation results demonstrate high accuracy of the proposed substation-based intrusion detection system.
Index Terms: Cyber security of substation, measurement-based attack, MMS, IEC 61850, intrusion detection, SCADA.
As electric power became an essential part of daily life, resiliency and reliability of operation became important. A distribution management system (DMS) enables real-time monitoring and dynamic control of power distribution networks. As such, its controls should be designed to be resilient against distribution grid disturbances and cyber events. Due to the high penetration of Information and Communication Technology (ICT) in the DMS, the reliability of power distribution grids is highly dependent on the cyber system. However, most power distribution applications, communication protocols, and devices are vulnerable to cyber attacks since they were designed and implemented before cybersecurity became a critical issue. Recent reports and cyber attack incidents clearly indicate that cyber attacks are increasingly likely on power system infrastructures, e.g., control centers, nuclear power plants, and substations. These attacks may cause significant damage to the power grid. Cybersecurity research for the power distribution grid is a high-priority subject in the emerging smart grid environment. This article proposes a cybersecurity-enhanced distribution automation system (DAS) with a multi-agent system (MAS). The proposed multi-agent based cyber attack detection and mitigation algorithms can identify the anomalies, abnormal activities, and unusual system operations of the DAS. The proposed algorithms have been applied to the existing communication protocols, protection schemes, and restoration applications. The result is validated with a testbed, and a new integrated tool is proposed for the detection and mitigation of cyber intrusions at a power distribution grid with multiple feeders.
Index Terms: Cybersecurity of distribution automation system, multi-agent based system, fault detection, isolation and detection.
This paper proposes new concepts for detecting and mitigating cyber attacks on substation automation systems by domain-based cyber-physical security solutions. The proposed methods form the basis of a distributed security domain layer that enables protection devices to collaboratively defend against cyber attacks at substations. The methods utilize protection coordination principles to cross-check protection setting changes and can run real-time power system analysis to evaluate the impact of the control commands. The transient fault signature (TFS)-based cross-correlation coefficient algorithm has been proposed to detect the false sampled values data injection attack. The proposed functions were verified in a hardware-in-the-loop (HIL) simulation using commercial relays and a real-time digital simulator (RTDS). Various types of cyber intrusions are tested using this test bed to evaluate the consequences and impacts of cyber attacks on the power grid as well as to validate the performance of the proposed research-grade cyber attack mitigation functions.
Index Terms: Collaborative cyber defense models, cyber-physical security test bed, digital substation, domain-based mitigation, smart grid cybersecurity, substation cybersecurity.
This paper presents the results of the demonstration of a research project on a collaborative defense system of transmission relays against cyber attacks in an electrical substation. The system is based on methods that monitor inconsistencies between the physical state of the substation, the power system around it, and the measurements as an indication of cyber intrusion. We assumed that the attacker has gained access to the substation communication network, either as an insider or a "virtual insider", and initiates actions to gain control of intelligent electronic devices (IEDs). A hardware-in-the-loop cyber-physical security test bed consisting of line protection and transformer protection relays, merging units, and a real time digital simulator (RTDS) was set up at BPA to simulate the cyber threats and to validate the effectiveness of the collaborative methods to block cyber attacks in real time. Cyber threats are continuously evolving and getting more sophisticated with time. The Ukraine cyber attack incident underlined the need for more distributed security in electrical infrastructures. This collaborative system of protective devices with distributed intelligence has demonstrated its capability, in a hardware-in-the-loop simulation inside the BPA lab, to block attempts to maliciously control circuit breakers remotely from the control center or locally from the substation network. The distributed intelligence also allows protection relays to collaboratively block attacks on settings that intentionally mis-coordinate relay operation. The simulated cyber attacks were focused on a 500 kV substation within a study area consisting of four interconnected substations representing a region at BPA. Several 500 kV and 230 kV transmission lines, some with series capacitors, interconnect the various substations.
Modeling the system in a real time simulated environment using RTDS allowed the generation of analog voltage and currents using amplifiers, fed to merging units which generated the sampled values, and then streamed to the protective relays. The hardware in the loop demonstration was used extensively to validate the timing performance of the security algorithms. A key requirement of the demonstration is that the security functions must not delay existing protection system's capability to detect and protect against faults in the system. It was confirmed in the lab set up that the distributed cyber security functions performed dependably in blocking simulated cyber attacks with timing performance that did not compromise the relays' protection times.
Energy cyber physical systems such as power systems are increasingly controlled by embedded microcontrollers that are connected to communication networks. Thus, modern power systems are under increased threat of cyber attacks, and tools are required to research the impact of these threats on the physical system. Cyber attacks can be carried out in an electrical power system for the purpose of controlling switching devices or circuit breakers. Such attacks could weaken the power system or result in a power outage. A cyber physical security test bed is a necessary tool for conducting research in cyber physical security. It provides a platform on which attacks are simulated and evaluated on cyber physical systems. Methods to mitigate these threats can be validated on the same platform. This paper presents a hardware-in-the-loop based cyber-physical security test bed for substations. It consists of commercial equipment, has capabilities to simulate potential cyber threats and attacks and to detect cyber intrusions, and could be used to validate cyber attack mitigation methods. A power system containing a detailed substation is modeled and simulated using a Real Time Digital Simulator (RTDS), which is connected to Intelligent Electronic Devices (IEDs) and a substation gateway to mimic power system protections and operations. Various types of cyber threats and intrusions are tested using this test bed to check the consequences and impacts of cyber attacks on power grids.
This paper proposes a new network-based cyber intrusion detection system (NIDS) using multicast messages in substation automation systems (SASs). The proposed network-based intrusion detection system monitors anomalies and malicious activities of multicast messages based on IEC 61850, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Value (SV). The NIDS detects anomalies and intrusions that violate predefined security rules using a specification-based algorithm. The performance test has been conducted for different cyber intrusion scenarios (e.g., packet modification, replay and denial-of-service attacks) using a cyber security testbed. The IEEE 39-bus system model has been used for testing of the proposed intrusion detection method for simultaneous cyber attacks. The false negative ratio (FNR) is the number of misclassified abnormal packets divided by the total number of abnormal packets. The results demonstrate that the proposed NIDS achieves a low false negative rate.
Cyber intrusions to substations of a power grid are a source of vulnerability since most substations are unmanned and with limited protection of the physical security. In the worst case, simultaneous intrusions into multiple substations can lead to severe cascading events, causing catastrophic power outages. In this paper, an integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations. Potential scenarios of simultaneous intrusions into the substations have been simulated using a substation automation testbed. The host-based anomaly detection considers temporal anomalies in the substation facilities, e.g., user-interfaces, Intelligent Electronic Devices (IEDs) and circuit breakers. The malicious behaviors of substation automation based on multicast messages, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Measured Value (SMV), are incorporated in the proposed network-based anomaly detection. The proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substations and their locations. The result is a new integrated tool for detection and mitigation of cyber intrusions at a single substation or multiple substations of a power grid.
Cybersecurity of the substations in a power system is a major issue as the substations become increasingly dependent on computer and communication networks. This paper is concerned with anomaly detection in the computer network environment of a substation. An anomaly inference algorithm is proposed for early detection of cyber-intrusions at the substations. The potential scenario of simultaneous intrusions launched over multiple substations is considered. The proposed detection method considers temporal anomalies. Potential intrusion events are ranked based on the credibility impact on the power system. Snapshots of anomaly entities at substations are described. Simulation results using the modified IEEE 118-bus system have shown the effectiveness of the proposed method for systematic identification. The result of this research is a tool to detect cyber-intrusions that are likely to cause significant damages to the power grid.
A power grid is a critical infrastructure that relies on supervisory control and data acquisition (SCADA) systems for monitoring, control, and operation. On top of the power infrastructure reside layers of information and communications technology (ICT) that are interconnected with electric grids. The cyber and power infrastructures together constitute a large, complex cyberphysical system. ICTs on the power grids have evolved from isolated structures into open and networked environments based on TCP/IP and Ethernet. The technology is known to be vulnerable with respect to cyberintrusions. As ICTs of the power infrastructure have evolved into highly connected network environments, the use of firewalls has become a widely adopted access control method against intruders. Firewalls do not guarantee cybersecurity, however. The misconfiguration of company firewalls has been reported. Even if the configuration of a firewall is correct, it is still vulnerable because firewalls are not able to detect insider attacks and connections from the trusted side. Hence, solutions based solely on firewalls can be inadequate.
The proposed testbed of the cyber-power system consists of power system simulation, substation automation, and the SCADA system. Scenarios for substation cyber security intrusions and anomaly detection concepts have been proposed. An attack tree method can be used to identify vulnerable substations and intrusions through remote access points. Specific substation vulnerability scenarios have been tested. Temporal anomaly is determined by data and information acquired at different time points. This is a metric to determine the anomaly between two snapshots. In a distributed intrusion detection algorithm, distributed agents are trained with a large number of scenarios and intended for real-time applications. In a distributed environment, if an anomaly is detected by one agent, it is able to distribute critical information to other agents in the network.