Enhancement of Transformer Differential Protection Using Machine Learning

Uploaded by

Ikshore Singh

Cybersecurity Enhancement of Transformer Differential Protection Using Machine Learning

Martiya Zare Jahromi, Amir Abiri Jahromi, Scott Sanner, and Deepa Kundur
University of Toronto, Toronto, Canada
ssanner@mie.utoronto.ca, dkundur@ece.utoronto.ca

Marthe Kassouf
Hydro-Quebec Research Institute (IREQ), Varennes, Canada
kassouf.marthe@ireq.ca

Abstract—The growing use of information and communication technologies (ICT) in power grid operational environments has been essential for operators to improve the monitoring, maintenance and control of power generation, transmission and distribution, however, at the expense of an increased grid exposure to cyber threats. This paper considers cyberattack scenarios targeting substation protective relays that can form the most critical ingredient for the protection of power systems against abnormal conditions. Disrupting the relays' operations may yield major consequences on the overall power grid performance, possibly leading to widespread blackouts. We investigate methods for the enhancement of substation cybersecurity by leveraging the potential of machine learning for the detection of anomalous behavior of transformer differential protective relays. The proposed method analyses operational technology (OT) data obtained from the substation current transformers (CTs) in order to detect cyberattacks. Power systems simulation using OPAL-RT HYPERSIM is used to generate training data sets, to simulate the cyberattacks and to assess the cybersecurity enhancement capability of the proposed machine learning algorithms.

Index Terms—Cyberphysical systems, operational technology, machine learning, differential protective relays, transformers.

978-1-7281-5508-1/20/$31.00 ©2020 IEEE

Authorized licensed use limited to: UNIVERSITY OF CONNECTICUT. Downloaded on May 18,2021 at 12:09:52 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

RAPID deployment of standard and interoperable ICT in power systems has raised serious cybersecurity concerns in regulatory agencies and power utilities over the past decade [1]. This is mainly because the security-by-obscurity philosophy used as a defensive strategy for proprietary ICT in power systems has become obsolete in the emerging standard and interoperable ICT paradigm of smart grids [2].

In order to address the growing cybersecurity concerns, the North American Electric Reliability Corporation has established and enforced Critical Infrastructure Protection (CIP) standards. The CIP standards demand utilities to identify, categorize and protect cyber assets that are essential to the reliable operation of the bulk electric system [3]. Nevertheless, CIP standards do not provide any guideline about the cybersecurity measures/tools that should be developed to improve the cyber-resiliency of the assets. As such, different standards and initiatives have been launched by National Standard Institutes like ISA [4]–[6], research institutes like Electric Power Research Institute (EPRI) [7] and government agencies like Department of Energy (DOE) [8], [9] to develop cybersecurity measures/tools for cyber assets in power systems.

The digitalization of power grids over the past decade has increased the cyberattack surfaces across several grid components and promoted the cybersecurity enhancement of its assets like substation protective relays to a top priority for regulatory agencies and utilities, in particular following the successful cyberattacks against Ukrainian power infrastructures [10], [11]. In a substation, protective relays form the most critical defensive ingredient of the power system against abnormal conditions [12], [13]. Thus, their maloperations initiated by cyberattacks may cause major consequences for power systems such as widespread blackouts.

Cybersecurity of protective relays has been analyzed in the literature from different perspectives. In [14], the impact of cyberattacks against protective relays has been examined from an operational point of view. An analytical reliability assessment framework has been proposed in [15] for quantifying the impacts of cyberattacks against intelligent electronic devices (IEDs) and protection systems. The impact of cyber-physical attacks against communication-assisted protection schemes has been studied in [16]. A rule-based intrusion detection system has been presented in [17] for the IEC 61850 protocol. Cyber-resilient designs have been proposed in [18] and [19] respectively for distance protection and line differential protection relays. Various anomaly detection systems (ADS) have been presented in [20], [21] for substations. A collaborative intrusion detection system (IDS) has been presented in [22] for generic object oriented substation event (GOOSE) and sampled value (SV) packets in the IEC 61850 protocol. A machine learning based method has been used in [24] to identify cyberattacks against phasor measurement units (PMUs).

In this paper, a fully connected autoencoder is employed for detection and mitigation of cyberattacks against transformer differential protective relays. The fully connected autoencoder is trained with three-phase current measurements from current transformers (CTs) at both sides of a transformer. The fully connected autoencoder is then used to detect anomalies in three-phase currents. The simulation results demonstrate the capability of the fully connected autoencoder to detect cyberattacks against transformer differential protective relays.

The main contributions of this paper are as follows.
• A method is presented for cybersecurity enhancement of transformer differential protective relays using machine learning.
• The performance of the proposed machine learning method is investigated for two different cyberattack scenarios.

The remainder of this paper is organized as follows. Section II presents the basics of transformer differential protective relays and the potential cyberattack scenarios. The proposed machine learning method for cybersecurity enhancement of transformer differential protective relays is presented in Section III. Section IV provides the test system, training data sets and simulation results. The conclusions of the paper are given in Section V.

II. TRANSFORMER DIFFERENTIAL PROTECTIVE RELAYS AND CYBERATTACK SCENARIOS

A. Transformer Differential Protective Relays

The primary objective of transformer protective relays is to detect internal transformer faults with high sensitivity and isolate the transformer as quickly as possible. Fast detection and de-energization of transformer faults minimizes the damage to the transformer as well as the need for subsequent repairs [12]. This task is normally performed by the transformer differential protection.

Differential relaying is a powerful relaying principle that can be used for any asset like transformers, lines, buses, and so forth. Differential protective relays are designed to measure the geometrical difference between electrical quantities, in particular current measurements, and operate when the difference goes beyond a certain threshold.

Fig. 1. Transformer differential protective relay. (CB: Circuit Breaker, MU: Merging Unit, CT: Current Transformer)

B. Cyberattack Scenarios

We consider a substation automation scheme that employs the IEC 61850 protocols GOOSE and SV for communication between protective relays and merging units. The analog measurements generated by the current transformers CT1 and CT2 in Fig. 1 are respectively converted by merging units MU1 and MU2 to SV packets. The GOOSE commands generated by the differential protective relay in Fig. 1 are conveyed to the merging units MU1 and MU2 in order to trigger actions respectively on the circuit breakers CB1 and CB2.

We consider two cyberattack scenarios against the transformer differential protective relay. In the first scenario (referred to as Scenario 1), we assume the implementation of a compromised electronic component inside the merging unit MU1, thus corresponding to a supply chain attack such as in [25]. The embedded malicious electronic component is able to tamper with the data received from CT1, for example, by changing the magnitude of current measurements.

In the second scenario (referred to as Scenario 2), an attacker gains remote access to the substation process bus through the use of stolen legitimate operator credentials and a remote connection to the substation communication network. The attacker then performs a false data injection attack by injecting falsified SV packets on the process bus, forcing the differential protective relay to misoperate.

In both scenarios, falsified current measurements trigger the differential protective relay and de-energize the transformer in the absence of physical faults. Although substation and control center operators observe the transformer tripping, they would not be able to re-energize the transformer before performing a comprehensive investigation about the reason behind transformer tripping based on utility guidelines. Having machine learning algorithms for anomaly detection would provide a mitigation strategy to prevent differential protective relay misoperation caused by cyberattacks.

III. PROPOSED MACHINE LEARNING METHOD

In this paper, we leverage a fully connected autoencoder for cybersecurity enhancement of differential protective relays by using it to detect anomalies.

From a technical perspective, a fully connected autoencoder consists of two parts: an encoder and a decoder as illustrated in Fig. 2. An encoder consists of an input layer, a variable number of hidden layers and a code (embedding) layer. The code layer connects the encoder and decoder. The decoder consists of the same number of hidden layers as the encoder and an output layer. An autoencoder is trained with inputs as output target labels. When provided with a new input post-training, it will nonlinearly embed the input into a code and then nonlinearly decompress this code to approximately reconstruct the input at the output [26].

Fig. 2. Autoencoder structure

In this work, we train the autoencoder on current measurements that are free of cyberattacks with the aim that it will be able to accurately compress and reconstruct such attack-free measurements. It is noteworthy that the attack-free measurements are easy to collect from power systems since power systems are not under attack normally and cyberattacks are very rare incidents in power systems. This is in line with the assumption made in anomaly detection systems in the literature [27]. Since the autoencoder has not been trained on data containing cyberattacks, we hypothesize that anomalous measurements occurring during attacks may not be reconstructed well [27], [28]. Thus, we aim to use a threshold of the autoencoder reconstruction error as a means of detecting anomalous measurements that may indicate cyberattacks.

IV. SIMULATION RESULTS

A. Test System

Fig. 3 illustrates the IEEE power system relaying committee (PSRC) D6 benchmark test system [29], [30]. The benchmark test system represents a power plant with four generators G1-G4 that are connected to the main grid through a 500kV transmission system. The 500kV transmission system consists of four transmission lines L1-L4 and the main grid is modeled as an infinite bus S1. The power plant transformers Tr1-Tr4 are protected by differential protective relays.

Fig. 3. The IEEE PSRC D6 benchmark test system.

B. Training Data Set

We employed OPAL-RT HYPERSIM to implement and simulate the PSRC D6 test system and generate the data set for machine learning. The operating points of the generators G1-G4 are changed between 200 MW and 400 MW in 50 MW step size. The three-phase internal fault of the transformer Tr1 is simulated for 16 randomly selected starting times to ensure faults occur at different parts of the current waveforms. This amounts to 10000 simulations. In order to be consistent with SV packet specifications in the IEC 61850 standard, we capture 4800 samples per second for current measurements per phase. The 10000 simulations are performed for 1.5 seconds and the transformer faults are initiated randomly between t=1 s and t=1.02 s. It is noteworthy that the period of one cycle is approximately 0.0167 s in a 60Hz power system.

An important parameter for generating the training data set is the input data length, i.e., the number of samples in each training data. In this paper, a sliding window of 10-ms, i.e., 48 samples of current for each phase, is considered. Thus, each training data contains 288 current samples, i.e., 144 three-phase current samples from each side of the transformer. In order to generate a 10-ms sliding window, we first extract a 20-ms window from the 1.5 s simulation results containing 48 samples before the starting point of the fault and 47 samples after the starting point of the fault. Next, a sliding window of 10-ms slides sample by sample till it covers the 20-ms window. This amounts to 48 10-ms windows per simulation. Considering 10000 simulations, 2000 simulations data are used for testing. Hence, the training data set contains 48*8000=384000 10-ms current measurement data.
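The window construction of Section IV-B written out, as an added example rather than the authors' code: it cuts the 95-sample span around a fault into 48 sliding windows of 288 values and holds out whole simulations for testing. The time-major flattening order, the reading of "47 samples after" as starting at the fault sample, and the `constructed_simulation` stand-in for HYPERSIM output are assumptions.

```python
import numpy as np

FS = 4800            # samples per second per phase (SV rate used in the paper)
WIN = 48             # 10 ms sliding window
PRE, POST = 48, 47   # samples taken before / from the fault starting point (assumed reading)
N_CH = 6             # CT1 phases a, b, c followed by CT2 phases a, b, c


def fault_windows(sim, fault_idx):
    """Cut the ~20 ms span around a fault into 48 flattened 10 ms windows."""
    sim = np.asarray(sim, dtype=float)
    if sim.ndim != 2 or sim.shape[1] != N_CH:
        raise ValueError("expected an array of shape (n_samples, 6)")
    start, stop = fault_idx - PRE, fault_idx + POST        # 95 samples
    if start < 0 or stop > len(sim):
        raise ValueError("fault starts too close to the edge of the record")
    span = sim[start:stop]
    # Slide sample by sample; each window is flattened time-major to 48 * 6 = 288
    return np.stack([span[i:i + WIN].reshape(-1)
                     for i in range(len(span) - WIN + 1)])


def split_by_simulation(n_sims, n_test, seed=0):
    """Hold out whole simulations: windows of one run overlap by up to 47
    samples, so a per-window split would put near-duplicates on both sides."""
    order = np.random.default_rng(seed).permutation(n_sims)
    return order[n_test:], order[:n_test]


def build_dataset(sims, ids):
    """Stack the windows of the selected simulations into an (n * 48, 288) matrix."""
    return np.vstack([fault_windows(*sims[i]) for i in ids])


def constructed_simulation(fault_time, fault_gain=6.0):
    """Constructed stand-in for one 1.5 s run (not HYPERSIM output): balanced
    60 Hz currents with a crude amplitude step on the CT1 side at the fault."""
    t = np.arange(int(1.5 * FS)) / FS
    fault_idx = int(round(fault_time * FS))
    angle = 2 * np.pi * 60 * t[:, None] - np.array([0, 2, 4]) * np.pi / 3
    ct1, ct2 = np.sin(angle), np.sin(angle)
    ct1[fault_idx:] *= fault_gain
    return np.hstack([ct1, ct2]), fault_idx


if __name__ == "__main__":
    # Fault starting times drawn between t = 1 s and t = 1.02 s, as in the paper
    times = np.random.default_rng(1).uniform(1.0, 1.02, 10)
    sims = [constructed_simulation(ft) for ft in times]
    train_ids, test_ids = split_by_simulation(len(sims), n_test=2)
    print(build_dataset(sims, train_ids).shape, build_dataset(sims, test_ids).shape)
```
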
C. Cyberattack Test Sets

In the real world, anomaly detection data is heavily imbalanced and attacks are rare events. As we mentioned, we have 2000 simulation data sequences for testing. To make an imbalanced data set, for each scenario, we replace 100 of the sequences with malicious data sequences. As discussed in Section II.B, we consider two cyberattack scenarios against the transformer differential protective relay. Malicious data sequences are generated based on the aforementioned cyberattack scenarios. In Scenario 1, the current measurements from the current transformer CT1 are scaled to trigger the transformer differential protective relay. In Scenario 2, the current measurements from current transformer CT1 are replaced by false data.

Fig. 4. Proposed Fully Connected Autoencoder Structure (input layer of size 48*6 = 288; hidden layers of 64 and 32 neurons; code layer of 16 neurons; hidden layers of 32 and 64 neurons; output layer of size 48*6 = 288)

D. Metrics for Measuring the Cyberattack Detection Performance of Fully Connected Autoencoder

Two metrics, precision and recall, are considered to measure the performance of the fully connected autoencoder as follows.

$$\text{Precision} = \frac{\text{True Positive}}{\text{True Positive} + \text{False Positive}} \tag{1}$$

$$\text{Recall} = \frac{\text{True Positive}}{\text{True Positive} + \text{False Negative}} \tag{2}$$

In (1)-(2), True Positive represents anomalous data that are correctly identified by the fully connected autoencoder. False Positive represents three-phase transformer fault data that are incorrectly identified as anomalous data. False Negative represents anomalous data that are identified as transformer three-phase fault. True Negative represents transformer three-phase faults that are correctly identified as transformer three-phase fault.

E. Fully Connected Autoencoder Architecture

As illustrated in Fig. 4 for the input layer, data has been flattened to a vector of size (window size) * (count of features) = 48 * 6. Hence, we have an input layer of size 288, and an output layer with the same size. The code size has been set to 16. The autoencoder has two hidden layers for encoder/decoder. The hidden layers in the encoder have 64 and 32 neurons respectively, and the hidden layers in the decoder have 32 and 64 neurons.

We examined different values for each parameter in order to tune the hyper-parameters of the autoencoder as summarized in Table I. The parameters that produced the lowest validation errors are selected. It is noteworthy that the validation errors are not reported here for the sake of conciseness. The ReLU activation function is used for all layers except the last layer, which uses a linear activation function. The Adam optimizer is further used for optimization. The learning rate is set to 0.01. It is noteworthy that we used the TensorFlow and Keras libraries for the implementation of the autoencoder.

TABLE I
PARAMETER VALUES EXAMINED FOR HYPER-PARAMETER SELECTION

Parameter                           Values
Learning rate                       {0.01, 0.001}
Hidden layers in encoder/decoder    {1, 2, 3, 4, 5}
Neurons in first hidden layer       {32, 64, 128}

Fig. 5 illustrates the capability of the fully connected autoencoder to reconstruct phase A current measurements from CT1 and CT2 during transformer physical fault.

Fig. 5. Reconstruction of phase A current measurements from CT1 and CT2 during transformer physical fault. (Panels: CT measurements and reconstruction of CT measurements; axes: sample index, phase A current value.)

F. Case Studies

The fully connected autoencoder has been tested for the two cyberattack scenarios defined in Section II.B.

1) Scenario 1: The autoencoder performance is examined for different changes in current measurement magnitudes. Scalings of the current measurements ranging between 1.1 and 5 are considered and tested. The fully connected autoencoder was able to identify the attacks with 100% precision and 100% recall. It is noteworthy that the autoencoder becomes active when the pickup element of the differential protective relay detects a physical fault on the transformer and becomes active. Thus, the autoencoder is capable of detecting and blocking the anomalous current measurements. This mitigation strategy detects and prevents cyberattacks before they cause differential protective relay misoperation and transformer false tripping, but would not be able to identify the source of the cyberattack.

Fig. 6 illustrates an example of phase A current measurements reconstruction for CT1 and CT2 during cyberattacks on MU1 using a supply chain attack. As can be seen from Fig. 6, the autoencoder reconstructs the phase A current measurements from CT1 and CT2 with high error.

Fig. 6. Reconstruction of phase A current measurements from CT1 and CT2 after a supply chain cyberattack. (Panels: CT measurements and reconstruction of CT measurements; axes: sample index, phase A current value.)
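Reconstruction-error thresholding scored with the precision and recall of (1)-(2), as an added example that is not the authors' code. A linear autoencoder fitted by SVD with a 16-value code stands in for the paper's Keras network so the block runs with NumPy alone; the windows are constructed sinusoids, and the threshold rule (a multiple of the largest training error) is an assumption, since the paper does not state how its threshold was chosen.

```python
import numpy as np

FS, WIN, CODE = 4800, 48, 16              # SV rate, 10 ms window, code size (from the paper)
T = np.arange(WIN) / FS
SHIFT = np.array([0, 2, 4]) * np.pi / 3   # three-phase displacement


def three_phase(amp, phi):
    """(n, 48, 3) balanced 60 Hz currents for per-window amplitude and phase."""
    return amp[:, None, None] * np.sin(
        2 * np.pi * 60 * T[None, :, None] + phi[:, None, None] - SHIFT)


def attack_free(n, rng):
    """Constructed attack-free windows: CT2 follows CT1 through a fixed ratio."""
    ct1 = three_phase(rng.uniform(0.8, 2.0, n), rng.uniform(0, 2 * np.pi, n))
    x = np.concatenate([ct1, 0.6 * ct1], axis=2)           # (n, 48, 6)
    return x + rng.normal(0, 0.002, x.shape)               # measurement noise


def scenario1(x, rng):
    """Scenario 1: CT1 channels scaled by a factor in the paper's 1.1 to 5 range."""
    x = x.copy()
    x[:, :, :3] *= rng.uniform(1.1, 5.0, (len(x), 1, 1))
    return x


def scenario2(x, rng):
    """Scenario 2: CT1 channels replaced by false data (constructed waveform)."""
    x = x.copy()
    n = len(x)
    x[:, :, :3] = three_phase(rng.uniform(4.0, 6.0, n), rng.uniform(0, 2 * np.pi, n))
    return x


class LinearAutoencoder:
    """SVD-fitted linear encoder/decoder with a 16-value code (stand-in model)."""

    def fit(self, x, margin=3.0):
        flat = x.reshape(len(x), -1)                       # 48 * 6 = 288 inputs
        _, _, vt = np.linalg.svd(flat, full_matrices=False)
        self.w = vt[:CODE]                                 # (16, 288)
        # Assumed rule: margin times the worst error seen on attack-free data
        self.threshold = margin * self.error(x).max()
        return self

    def error(self, x):
        f = x.reshape(len(x), -1)
        recon = (f @ self.w.T) @ self.w                    # encode, then decode
        return np.mean((f - recon) ** 2, axis=1)

    def is_anomalous(self, x):
        return self.error(x) > self.threshold


def precision_recall(flagged, is_attack):
    """Eq. (1)-(2): positives are the anomalous (attack) windows."""
    tp = np.sum(flagged & is_attack)
    fp = np.sum(flagged & ~is_attack)
    fn = np.sum(~flagged & is_attack)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return float(precision), float(recall)


def evaluate(attack, seed=0, n_train=2000, n_test=2000, n_attack=100):
    """Imbalanced test set in the spirit of Section IV-C: 100 of 2000 are malicious."""
    rng = np.random.default_rng(seed)
    model = LinearAutoencoder().fit(attack_free(n_train, rng))
    x = attack_free(n_test, rng)
    is_attack = np.zeros(n_test, dtype=bool)
    is_attack[rng.choice(n_test, n_attack, replace=False)] = True
    x[is_attack] = attack(x[is_attack], rng)
    return precision_recall(model.is_anomalous(x), is_attack)


if __name__ == "__main__":
    print("Scenario 1:", evaluate(scenario1))
    print("Scenario 2:", evaluate(scenario2))
```

The linear code only captures the fixed CT1-to-CT2 relationship built into the constructed windows; with real fault windows, the ReLU network of Section IV-E would take the place of `LinearAutoencoder` while the thresholding and scoring stay the same.
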

2) Scenario 2: The autoencoder was able to identify the false data injection attacks with 100% precision and 100% recall. A similar mitigation strategy to what has been considered for Scenario 1 is applied here.

Fig. 7 illustrates an example of phase A current measurements reconstruction for CT1 and CT2 during false data injection cyberattacks. As can be seen from Fig. 7, the autoencoder reconstructs the phase A current measurements from CT1 and CT2 with high error.

Fig. 7. Reconstruction of phase A current measurements from CT1 and CT2 after FDI cyberattacks. (Panels: CT measurements and reconstruction of CT measurements; axes: sample index, phase A current value.)

V. CONCLUSION

This paper presented a method for cybersecurity enhancement of transformer differential protective relays using machine learning. A fully connected autoencoder is trained using sliding windows of 10-ms composed of the current measurements at each side of the transformer. The sliding windows contain 48 SV single-phase current measurements, i.e., 144 SV three-phase current measurements at each side of the transformer. The data sets used for the autoencoder training are generated and archived using OPAL-RT HYPERSIM for different operating points of the test system under study. Afterwards, the proposed autoencoder is employed for detection and mitigation of two different cyberattack scenarios. The simulation results demonstrate the capability and high performance of the proposed machine learning algorithm for detection and mitigation of cyberattacks against transformer differential protective relays. While these results are very encouraging, further research should investigate a larger range of scenarios to better understand the range of conditions where autoencoders perform well.

REFERENCES

[1] G. N. Ericsson, “Cyber security and power system communication: Essential parts of a smart grid infrastructure,” IEEE Trans. Power Del., vol. 25, no. 3, pp. 1501–1507, Jul. 2010.
[2] S. Ward et al., “Cyber security issues for protective relays; c1 working group members of power system relaying committee,” in Proc. IEEE Power Eng. Soc. Gen. Meet., June 2007, pp. 1–8.
[3] North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards, http://www.nerc.com
[4] K. Stouffer, J. Falco, and K. Scarfone, “Guide to Industrial Control Systems (ICS) Security,” NIST SP 800-82, 2015.
[5] E. Smith, S. Corzine, D. Racey, D. Patrick, H. Colin, and J. Weiss, “Going beyond cybersecurity compliance,” IEEE Power Energy Mag., vol. 14, no. 5, pp. 48–56, Sep. 2016.
[6] ISA99, Industrial Automation and Control Systems Security. Accessed on Aug. 2016.
[7] Electric Power Research Institute, “Creating Security Metrics for the Electric Sector,” Dec. 2015.
[8] Department of Energy, Roadmap to Achieve Energy Delivery Systems Cybersecurity, 2011.
[9] Department of Energy, Multiyear Plan for Energy Sector Cybersecurity, 2018.
[10] R. M. Lee, M. J. Assante, and T. Conway, “Analysis of the Cyber Attack on the Ukrainian Power Grid Defense Use Case,” Electricity-Information Sharing and Analysis Center (E–ISAC), March 2016.
[11] J. Slowik, Anatomy of an attack: Detecting and Defeating CRASHOVERRIDE, Dragos Inc. White Paper, Oct. 2018.
[12] T. D. J. Blackburn, Protective Relaying: Principles and Applications, 4th ed. CRC Press, 2014.
[13] M. Kezunovic, J. Ren, and S. Lotfifard, Design, Modeling and Evaluation of Protective Relays for Power Systems, Springer International Publishing, 2006.
[14] X. Liu, M. Shahidehpour, Z. Li, X. Liu, Y. Cao, and Z. Li, “Power system risk assessment in cyber attacks considering the role of protection systems,” IEEE Trans. Smart Grid, vol. 8, no. 2, pp. 572–580, March 2017.
[15] M. Bahrami, M. Fotuhi-Firuzabad and H. Farzin, “Reliability evaluation of power grids considering integrity attacks against substation protective IEDs,” IEEE Transactions on Industrial Informatics, early access.
[16] A. Abiri-Jahromi, A. Kemmeugne, D. Kundur and A. Haddadi, “Cyber-physical attacks targeting communication-assisted protection schemes,” IEEE Trans. Power Syst., early access 2019.
[17] U. K. Premaratne, J. Samarabandu, and T. S. Sidhu, “An intrusion detection system for IEC61850 automated substations,” IEEE Trans. Power Del., vol. 25, pp. 2376–2383, Oct. 2010.
[18] J. Hong et al., “Cyber attack resilient distance protection and circuit breaker control for digital substations,” IEEE Trans. Indust. Inform., vol. 15, no. 7, pp. 4332–4341, July 2019.
[19] A. Ameli, A. Hooshyar, and E. F. El-Saadany, “Development of a cyber-resilient line current differential relay,” IEEE Trans. Indust. Inform., vol. 15, no. 1, pp. 305–318, Jan. 2019.
[20] C. W. Ten, J. Hong, and C. C. Liu, “Anomaly detection for cybersecurity of the substations,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 865–873, Dec. 2011.
[21] J. Hong, C. C. Liu, and M. Govindarasu, “Integrated anomaly detection for cyber security of the substations,” IEEE Trans. Smart Grid, vol. 5, no. 4, pp. 1643–1653, April 2014.
[22] J. Hong and C. C. Liu, “Intelligent electronic devices with collaborative intrusion detection systems,” IEEE Trans. Smart Grid, vol. 10, no. 1, pp. 271–281, Jan. 2019.
[23] Y. Xin, L. Kong, Z. Liu, Y. Chen, Y. Li, H. Zhu, M. Gao, H. Hou, and C. Wang, “Machine learning and deep learning methods for cybersecurity,” IEEE Access, vol. 6, pp. 35365–35381, 2018.
[24] A. Ahmed et al., “Cyber Physical Security Analytics for Anomalies in Transmission Protection Systems,” IEEE Trans. Indust. App., early access.
[25] Z. Basnight, J. Butts, Jr. J. Lopez and T. Dube, Firmware modification attacks on programmable logic controllers, International Journal of Critical Infrastructure Protection, vol. 6, pp. 76–84, 2013.
[26] I. Goodfellow, Y. Bengio, and A. Courville, Deep learning. MIT press, 2016.
[27] V. Chandola, A. Banerjee, V. Kumar, “Anomaly detection: A survey,” ACM computing surveys (CSUR), 41.3, 2009.
[28] M. Sakurada and T. Yairi, “Anomaly detection using autoencoders with nonlinear dimensionality reduction,” Proceedings of the MLSDA 2014 2nd Workshop on Machine Learning for Sensory Data Analysis, ACM, 2014.
[29] IEEE PSRC WG D6, “Power swing and out-of-step considerations on transmission lines,” Jul. 2005.
[30] H. Gras, J. Mahseredjian, E. Rutovic, U. Karaagac, A. Haddadi, O. Saad, I. Kocar, and A. El-Akoum, “A new hierarchical approach for modeling protection systems in EMT–type software,” Intern. Conf. Power Syst. Transients, Seoul, Republic of Korea, June 2017.
