WO2016176682A1 - Détection de cyber-attaques et de défaillances de capteur dans des sous-stations numériques - Google Patents

Détection de cyber-attaques et de défaillances de capteur dans des sous-stations numériques Download PDF

Info

Publication number
WO2016176682A1
WO2016176682A1 PCT/US2016/030407 US2016030407W WO2016176682A1 WO 2016176682 A1 WO2016176682 A1 WO 2016176682A1 US 2016030407 W US2016030407 W US 2016030407W WO 2016176682 A1 WO2016176682 A1 WO 2016176682A1
Authority
WO
WIPO (PCT)
Prior art keywords
moving
series
average
dissimilarity
dissimilarity metrics
Prior art date
Application number
PCT/US2016/030407
Other languages
English (en)
Inventor
Ravindra Singh
Dmitry ISHCHENKO
Reynaldo Nuqui
Zhenyuan Wang
Original Assignee
Abb Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Abb Inc. filed Critical Abb Inc.
Publication of WO2016176682A1 publication Critical patent/WO2016176682A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • GPHYSICS
    • G01MEASURING; TESTING
    • G01RMEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R19/00Arrangements for measuring currents or voltages or for indicating presence or sign thereof
    • G01R19/25Arrangements for measuring currents or voltages or for indicating presence or sign thereof using digital measurement techniques
    • G01R19/2513Arrangements for monitoring electric power systems, e.g. power lines or loads; Logging
    • HELECTRICITY
    • H02GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02HEMERGENCY PROTECTIVE CIRCUIT ARRANGEMENTS
    • H02H1/00Details of emergency protective circuit arrangements
    • H02H1/0092Details of emergency protective circuit arrangements concerning the data processing means, e.g. expert systems, neural networks
    • HELECTRICITY
    • H02GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02HEMERGENCY PROTECTIVE CIRCUIT ARRANGEMENTS
    • H02H3/00Emergency protective circuit arrangements for automatic disconnection directly responsive to an undesired change from normal electric working condition with or without subsequent reconnection ; integrated protection
    • H02H3/02Details
    • H02H3/05Details with means for increasing reliability, e.g. redundancy arrangements

Definitions

  • the present disclosure is related to electric power systems and is more particularly related to detecting attacks on digital equipment in such systems.
  • Intelligent Electronic Devices are microprocessor-based devices used by the electric power industry to control power system switching devices, such as circuit breakers, reclosers, etc.
  • IEC International Electrotechnical Commission
  • a merging unit is the device that samples the analog measurements (voltages and currents) of the primary high voltage power circuit, encodes the measurement values into Ethernet packets, and injects them onto the process bus.
  • the IED receives these SV packets from the process bus, processes and uses the SV as the inputs to its various fault detection and protection functions.
  • One function of the IED is to detect that a fault happens on the primary circuit and to issue a "trip" command to activate a switching device and thus disconnect the faulty parts of the circuit.
  • the analog inputs to the MUs and the resulting digitized SV packets are critical to the proper operation decision of the IEDs.
  • the techniques, apparatus, and systems described herein provide for the detection of cyber-attacks on sampled values from IEDs in a substation environment. Specific embodiments of the disclosed techniques are based on each of two statistical principles: a) the correlation between the two signals and b) the Mahalanobis distance between the two signals.
  • Example methods detailed herein are suitable for implementation in a monitoring device in a power system, such as in an IED in a digital substation.
  • the methods might also be implemented in another computer/device in or associated with the digital substation, where the computer/device has access to sample value data for two or more monitoring points.
  • An example method includes the collecting of a first series of sampled electrical characteristics, such as current and/or voltage data, for a first monitored point in the power system. The method further includes receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system. This second series of sampled current and/or voltage data corresponds in time to the first series.
  • a series of dissimilarity metrics are calculated for the first and second series, where the dissimilarity metrics are based on the covariance of the first and second series.
  • dissimilarity metrics may be based on correlations between the first and second series, or based on Mahalanobis distances between points in one series and points in the other series, for example.
  • the example method further includes comparing each of the dissimilarity metrics to a first threshold value. An alarm is triggered in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
  • the dissimilarity metric referred to here may correspond to any of several values utilized in detection algorithms like those described herein.
  • the metric may correspond to a correlation value, to a mean correlation value, or to a fraction of mean correlation values that exceed a threshold value, among a series of buffered mean correlation values.
  • the metric may correspond to a Mahalanobis distance value or a squared Mahalanobis distance value, to a mean Mahalanobis distance value or mean squared
  • Mahalanobis distance value or to a fraction of mean Mahalanobis distance values or mean squared Mahalanobis distance values that exceed a threshold value, among a series of buffered mean Mahalanobis distance values or mean squared Mahalanobis distance values.
  • calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In some others of these embodiments, the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • calculating the series of dissimilarity metrics comprises: calculating, for example computing with a processing device, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • Figure 1 is a block diagram illustrating a correlation-based sample-value-attack detection scheme.
  • Figure 2 illustrates inputs and outputs of a unit for correlation-based attack detection.
  • Figure 3 is a flow chart illustrating a correlation-based detection algorithm.
  • Figure 4 illustrates an attack-detection scheme based on Mahalanobis distances.
  • Figure 5 illustrates inputs and outputs of a unit for attack detection based on
  • Figure 6 is a flow chart illustrating an algorithm for attack detection based on
  • Figure 7 illustrates the combination of fault detection with correlation-based and Mahalanobis-distance-based attack detection.
  • Figure 8 shows a substation configuration with different IEDs/MUs and a single line to ground fault.
  • Figures 9-12 illustrate correlations between pairs of IEDs during a simulated fault transient.
  • Figures 13-20 illustrate simulation results for an example implementation of the attack detection schemes described herein.
  • Figure 21 is a process flow diagram illustrating an example method according to the techniques detailed herein.
  • Figure 22 is a block diagram illustrating components of an example monitoring device according to several embodiments of the apparatuses disclosed herein.
  • the IEDs now support voltage and current inputs in a digital format: the Sampled Value (SV) streams transmitted as Ethernet packets on the Process Bus.
  • the Merging Unit MU is the device that samples the analog measurements (voltages and currents) of the primary high voltage power circuit, encodes the measurement values into Ethernet packets and injects them onto the Process Bus.
  • the IED receives these SV packets from the Process Bus, processes and uses the SV as the inputs to its various fault detection, protection and control functions.
  • One function of the IED system is to detect that a fault happens on the primary circuit and to issue a trip command to disconnect the faulty parts of the circuit.
  • the analog inputs are critical to the proper operation decision of the IEDs.
  • the digitalized sample value streams using the Ethernet technology opens the doors to cyber-attacks on the analog input data: an adversary, once gaining access to the Process Bus or the Merging Unit, can then modify the SV packets, and hence can manipulate the protection system and cause serious consequences to the power grid. For example, a false trip on normally healthy circuits could cause the system to weaken that might lead to localized or regional grid collapse.
  • detecting cyber-attacks on sampled values on the Process Bus is an important goal. More generally, techniques are needed for detecting cyber-attacks on sampled current and/or voltage data collected by monitoring devices in electric power systems, whether or not the devices are IEDs compatible with the IEC 61850 Process Bus. Once an attack is detected, mitigation schemes can prevent the false trip.
  • the techniques, apparatus, and systems described herein provide for the detection of cyber-attacks on sampled values from IEDs in a substation environment. Specific embodiments of the disclosed techniques are based on each of two statistical principles: a) the correlation between signals at two different points in the electric power substation and b) the Mahalanobis distance between the two signals.
  • the techniques disclosed herein for detection of sample-value attacks are based on coordination of measurements from at least two IEDs or other monitoring devices. More particularly, some embodiments of the proposed sample-value threat detection algorithms utilize the current measurements from the two IEDs.
  • the IEDs can either be on the same substation or on different substations. However, to avoid a communications bottleneck, measurements at the same substation may usually be considered.
  • the coordination scheme is based on the observability of a fault by the IEDs in coordination. For example, two IEDs that observe the same fault will carry the signature of the fault in their respective measurements. As a result, they can coordinate together in the detection of a sample-value attack.
  • dissimilarity metrics are functions of the covariances of the sampled-value series observed by the monitoring devices. By comparing the dissimilarity metrics to an appropriate threshold, an attack on the sampled values can be detected. Detailed examples of these techniques are described below, based on two schemes for detection of sample-value attacks: a correlation-based scheme and a scheme based on the computation of Mahalanobis distances.
  • a first group of techniques is based on the calculation of dissimilarity metrics that are in turn based on the correlation between the sample value streams for two (or more) monitored points in the electric power system.
  • the correlation between two random variables is defined as the ratio of covariance between the two and the product of their standard deviations. If x and y are the two random variables, then the correlation coefficient (p xy ) between the two is given by:
  • the correlation coefficients are based on the estimates of the covariance and standard deviation of the samples. In this case, the correlation coefficient is computed as follows:
  • r xy is the correlation coefficient
  • n is the number of samples
  • ⁇ ⁇ , ⁇ ⁇ are sample means of x and y, respectively.
  • FIG. 1 is a block diagram illustrating a correlation-based scheme for detecting attacks on sampled-value data.
  • SV1 and SV2 be the series of sampled values of signals from the merging units (MUs) of a first IED, IED1, and second IED, IED 2, under coordination.
  • the latest sample value for each series is appended into one of two buffer locations 110, while the oldest entry is discarded, so that buffer size remains fixed.
  • the buffer size can be configured for samples corresponding to half, full or any fraction of cycle.
  • a minimum buffer size of samples corresponding to a half-cycle of the monitored signals provides robustness to the algorithm, thus a moving window of samples corresponding to a half-cycle is considered.
  • the correlation coefficient is computed between the buffer sample of IED1 (x) and IED2 (y), in correlation computation block 120.
  • the correlation coefficients are stored in another buffer 130 of correlation coefficients, which has the same size as each of buffers 110.
  • a moving average filter followed by a detection method is applied on these coefficients to determine the attack, in detection block 140.
  • a value of zero in the output indicates no attack, whereas a value equal to one is indicative of an attack.
  • the coding of these values is arbitrary; the opposite coding (i.e., a value of zero indicates an attack) could be used.
  • FIG. 2 is a block diagram illustrating the inputs and outputs for a correlation-based attack detection unit, here designated a "CorrDet” unit 200.
  • this unit may be implemented as part of an IED, such as IED1 or IED2 of Figure 1, as part of another monitoring device, or as part of another computer/device that has access to the sample value streams for each of the monitored points.
  • Inputs to the CorrDet unit 200 include sample value streams for first and second monitored points in the electric power system.
  • the sample value streams designated I IEDl and I IED2
  • I IEDl and I IED2 are current sample values for first and second IEDs.
  • These inputs are designated as "analog" inputs in Figure 2, as they correspond to analog signal values. These values may be represented as floating point values, in some embodiments.
  • the output from CorrDet unit, CorrDet Out is a Boolean (binary) value indicating whether an attack on either of the sample value streams is detected.
  • Step 1 Initialize each buffer of n samples (minimum half cycle), for signal x and signal y, with zeroes. This is shown at block 310 of Figure 3.
  • Step 2 Once a new sample arrives for each monitored point, update the latest entry in the corresponding buffer with the new sample and drop the oldest buffer element. This is shown at block 320. Note that block 322 indicates that sample values of the current waveform from a first monitored point correspond to an attacked relay, which means that the sample values have been altered by an attacker. Block 324 indicates that sample values of the current waveform from a second monitored are also received; these sample values are assumed not to have been attacked in the illustrated process flow. [0042] Step 3 : Compute the correlation coefficient for the two buffers of n values, e.g., using Equation (2) above. The result is stored in a new buffer, also having a moving window of the n most recent values. This is shown at block 330.
  • Step 4 Compute the moving average
  • Step 5 Count the number k of elements in the buffer of for which the absolute value of ⁇ is less than a predetermined, e.g., where
  • An example threshold value might be 0.85. This is shown at block 350.
  • Step 6 If the number k is greater than a predetermined number or, equivalently, if the ratio of k to n is greater than a predetermined threshold (i.e., - > a), then an attack is detected, and an alarm is triggered, as shown at blocks 360 and 370. If no attack is detected, the process flow repeats for the next sample value.
  • a predetermined threshold i.e., - > a
  • Step 4 describes a moving average computation in which the n most recent values of the correlation coefficients are averaged, to obtain the moving average value .
  • This requires that the n most recent values of the correlation coefficients be stored, e.g., in a moving window buffer. It will be appreciated that this computation is but one example of a low- pass filtering of the correlation coefficients.
  • a new filtered average value might be computed according to is the new filtered average value, corresponding to received sample value / ' , r ⁇ 1-1 - 1 is the preceding filtered average value, and r xy ⁇ is the most recent correlation value, n is the memory length for the filter in this approach, which in this case corresponds to the length of the sample value buffers. Note that in this approach, it is not necessary to keep a buffer of values of the coefficient values r xy .
  • a second group of techniques is based on the calculation of dissimilarity metrics that are in turn based on the Mahalanobis distance between sample values for one monitored point in the electric power system and a corresponding series of sample values for another monitored point.
  • the Mahalanobis distance statistically measures the distance of data points from a common point.
  • the difference between Euclidian distance and Mahalanobis distance is that the correlation among the points is taken into the account by the latter.
  • the mean squared distance is given by:
  • D3 ⁇ 4 j will be a ⁇ 2 distribution with one degree of freedom and D3 ⁇ 4 will be a ⁇ 2 distribution with n degrees of freedom, divided by n.
  • D3 ⁇ 4 will be upper bounded by
  • One heretofore unmet challenge relating to the correlation-based attack detection scheme described above is that it can fail to detect the case where an attacker manipulates a sample value signal by simply amplifying its magnitude, without any change in the frequency or shape of the waveform.
  • a Mahalanobis-distance-based scheme can be efficiently applied to detect such attacks.
  • FIG. 4 A block diagram of this scheme is shown in Figure 4. As seen in the figure, the design of this scheme is similar to that of correlation based scheme of Figure 1, except that the correlation computation in block 120 in the previous scheme is replaced by a Mahalanobis distance computation block 420, and a detection block 440 is modified accordingly.
  • x be the buffer of samples for a first monitored point, e.g., from a reference IED referred to as IED1
  • y is the buffer of the samples from a second monitored point, e.g., as collected by IED2.
  • the mean and variance of x is computed, and then, for each sample in y, the squared Mahalanobis distance Dj ⁇ is computed.
  • the mean Z3 ⁇ 4 of this squared distance is computed for each sample, and the results stored over a moving window.
  • An example window length is one cycle of the monitored signal.
  • the sample value streams are valid. Otherwise there has been an attack on one of the streams.
  • Figure 5 illustrates the analog inputs and digital output for an attack detection unit based on Mahalanobis distances, here designated a "MahaDet" unit 500.
  • this unit may be implemented as part of an IED or other monitoring device, or in another computer/device that has access to the sample value streams for each of the monitored points.
  • Inputs to the MahaDet unit 500 include sample value streams for first and second monitored points in the electric power system.
  • the sample value streams designated I IEDl and I IED2
  • I IEDl and I IED2 are current sample values for first and second IEDs.
  • These inputs are designated as "analog" inputs in Figure 5, as they correspond to analog signal values. These values may be represented as floating point values, in some embodiments.
  • the output from MahaDet unit, MahaDet Out is a Boolean (binary) value indicating whether an attack on either of the sample value streams is detected.
  • FIG. 6 is a flowchart illustrating the details of an example algorithm for attack detection based on Mahalanobis distance computation.
  • this algorithm utilizes a buffer of n samples for each of two monitored points in the electric power system, each buffer comprising a moving window of sample values for the respective monitored point. For each new sample, a squared Mahalanobis distance is computed over the moving windows of n samples. The steps involved in the algorithm are described in detail as follows:
  • Step 1 Initialize each buffer of n samples (minimum half-cycle), for signal x and signal y, with zeroes. This is shown at block 610.
  • Step 2 Once a new sample arrives for each monitored point, update the latest entry in the corresponding buffer with the new sample and drop the oldest buffer element. This is shown at block 620. Note that block 622 indicates that sample values of the current waveform from a first monitored point correspond to an attacked relay, which means that the sample values have been altered by an attacker. Block 624 indicates that sample values of the current waveform from a second monitored are also received; these sample values are assumed not to have been attacked in the illustrated process flow.
  • Step 3 Compute the mean and variance of x, and compute the squared Mahalanobis distance (D3 ⁇ 4 j ) of each element in y, with respect to the values in x. This is shown at block 630.
  • Step 6 If the number k is greater than a predetermined number or, equivalently, if the ratio of k to n is greater than a predetermined threshold (i.e., - > ?), then an attack is detected, and an alarm is triggered, as shown at blocks 660 and 670. If no attack is detected, the process flow repeats for the next sample value.
  • a predetermined threshold i.e., - > ?
  • the Mahalanobis distance may be used.
  • the above algorithm calculates a one-point to vector squared Mahalanobis distance for each sample value in the buffer of y.
  • Other variations, utilizing computations and detection schemes that are mathematically equivalent to those described above and/or that refine the straightforward filtering and detection schemes described above, are also possible.
  • the two schemes described above may be combined, in some embodiments, e.g., by logically OR-ing the results of the respective schemes, to detect an attack on sampled values. Note that these schemes, together and/or separately, may also be used to detect sensor problems in an electric power system, such as sensor calibration issues. Either or both schemes may be combined with other fault verification schemes, including, for example, schemes based on the evaluation of fault transients.
  • FIG. 7 shows an example of two IEDs coordinating in order to detect a sample value attack in a substation.
  • all IEDs are at the same voltage level and breakers are configured according to one and half breaker scheme.
  • all IEDs are capable of receiving sampled values from their own merging unit (MU) and well as MUs associated with other IEDs. It is assumed that an attacker can manipulate the sampled values associated with any of the IEDs, but not simultaneously.
  • IED1 and IED2 are shown to be coordinated for CorrDet and MahaDet blocks.
  • the scheme is shown as implemented in IED1. However, in actual scenario, the same scheme may be implemented in both IEDs, as well as in other IEDs under coordination. The illustrated scheme works as follows:
  • the fault detection logic detects a fault.
  • a trip signal is transmitted to a protection device associated with IED1, causing the protective device to interrupt to flow of current in a portion of the power system.
  • IED associated with that bus coordinates with other IEDs.
  • the coordination of the corresponding IED is not taken into consideration for attack detection.
  • the status of breaker may be verified through a generic objected oriented substation event (GOOSE) message. If the status of the breaker is confirmed to be open, the output of detection scheme from all IEDs using zero currents is blocked.
  • GOOSE generic objected oriented substation event
  • Figure 8 is a schematic illustrating a portion of a substation with one and half breaker configuration.
  • the illustrated portion of the substation consists of three breaker IEDs,
  • IED CB 12 IED CB13, and IED CB23; two line IEDs, IED2 and IED3; and one transformer
  • IED IED1
  • IED1 IED1
  • a single line to ground fault is simulated and the directions of current flows through different IEDs are shown by arrows.
  • the samples of current waveform (phase A) at one end of transmission line are replaced by the samples from the following waveforms: a rectangular pulse, a triangular wave, random Gaussian noise, a copy of a fault, a square wave, and an amplification of magnitude.
  • Figure 13 shows the injected signals along with the fault. A coordinated signal from the other end of the transmission line is shown in figure 14.
  • the correlation coefficient In the event of no attack, the correlation coefficient should remain close to unity, because the two coordinated signals evolve from the same process. However, if one of the signals is manipulated by an attacker, the correlation coefficient drops, indicating that the two signals are either uncorrected or weakly correlated. This is true because one of the signals does not follow the system process during the attack.
  • a confidence bound is set on the samples of a moving window. Typically, a 95% confidence is considered for statistical analysis, so the results illustrated in Figures 15-20 are based on a 95% confidence.
  • Figures 15-20 show the results of the detection algorithm for various sample value attacks. It is clear from Figures 15-19 that whenever there is an attack corresponding to these figures, the correlation goes down significantly, and the algorithm can easily identify the attack. However, in Figure 20, which corresponds to the case of an attack that comprises only signal magnitude amplification, the algorithm fails to detect the attack. In this case, the high amplitude of current may confuse the protective devices into detecting a fault. To detect an attack in this situation, the method based on Mahalanobis distance may be applied. The method is statistical in nature and very efficient in detecting an attack that is caused by change in amplitude.
  • Figure 21 is a process flow diagram illustrating a generalized method according to several of the example embodiments discussed above.
  • the illustrated method is suitable for implementation in a first monitoring device in a power system, such as in an IED in a digital substation.
  • the method might also be implemented in another computer/device in or associated with the digital substation, where the computer/device has access to sample value data for two or more monitoring points.
  • the illustrated method includes the collecting of a first series of sampled current and/or voltage data for a first monitored point in the power system.
  • the method further includes receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system. This is shown at block 2120. This second series of sampled current and/or voltage data corresponds in time to the first series.
  • a series of dissimilarity metrics are calculated for the first and second series, where the dissimilarity metrics are based on the covariance of the first and second series.
  • these dissimilarity metrics may be based on correlations between the first and second series, or based on Mahalanobis distances between points in one series and points in the other series, for example.
  • the "metric" referred to in the figure may correspond to any of several values utilized in a detection algorithm like those described above.
  • the metric may correspond to a correlation value, to a mean correlation value, or to a fraction of mean correlation values that exceed a threshold value, among a series of buffered mean correlation values.
  • the metric may correspond to a Mahalanobis distance value or a squared Mahalanobis distance value, to a mean Mahalanobis distance value or mean squared Mahalanobis distance value, or to a fraction of mean Mahalanobis distance values or mean squared Mahalanobis distance values that exceed a threshold value, among a series of buffered mean Mahalanobis distance values or mean squared Mahalanobis distance values.
  • the method further includes comparing each of the
  • dissimilarity metrics to a first threshold value.
  • An alarm is triggered, as shown at block 2150, in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value. Note that it is possible that an increasing degree of dissimilarity may be represented by a decreasing value of the dissimilarity metric, depending on exactly how the dissimilarity metric is calculated.
  • calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In some others of these embodiments, the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving- average correlation, that are below a second threshold value, where the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, where the counted numbers are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics comprises: calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving- average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving- average distance statistics are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, where the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, where the counted numbers are the dissimilarity metrics.
  • Mahalanobis statistics are computed from subsets of sample values, where each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • the method may further include detecting an apparent electric fault, based on the first series of sampled current and/or voltage data, but refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm.
  • Monitoring devices configured to carry out any one or more of the methods illustrated above may be similar to existing IEDs, with appropriate modifications made to the processing circuits and/or interface circuits in or associated with the IED.
  • An example monitoring device 2200 configured to carry out some of the disclosed methods is shown in Figure 22 and comprises a first interface circuit 2210 configured to receive sampled current and/or voltage data for a first monitored point in the power system.
  • the same interface circuit 2210 or a different interface circuit is configured to receive, from a second monitoring device, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series corresponding in time with the first series.
  • Monitoring device 2200 further includes a processing circuit 2220, which, in some embodiments, is configured to detect a fault, using the sampled current and/or voltage data.
  • the processing circuit 2200 is further configured to carry out one or more of the methods detailed above, in some embodiments.
  • the interface circuit 2210 in this example monitoring device comprises hardware and, when necessary, supporting software and/or firmware stored in a non-transitory a computer readable medium, such as memory, for receiving digital sampled value data from one or several merging units and/or from a common process bus, depending on the system configuration.
  • a computer readable medium such as memory
  • Interface circuit 2210 may be configured according to an industry standard, in some embodiments
  • the processing circuit 2220 in Figure 22 may comprise one or more microprocessors, microcontrollers, digital signal processors, or the like, designated as processor(s) 2224 in Figure 22, coupled with or including one or more memory devices 2228, where the memory device 2228 is a non-transitory computer readable medium structured to store program code for carrying out all or a portion of one or more of the methods detailed above.
  • the processing circuit 2220 may also comprise additional digital hardware 2226 for carrying out one or more of the operations in the above-described methods.
  • the monitoring device 2200 shown in Figure 22 may be configured to carry out one or several of the methods described in detail above, as well as variants thereof.
  • the processing circuit 2220 is configured, e.g., with appropriate program code, to calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; compare each of the dissimilarity metrics to a first threshold value; and trigger an alarm in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
  • processing circuit 2220 may be configured to carry out a correlation-based technique, or a technique based on Mahalanobis statistics, or a combination thereof, according to any of the various methods described above.
  • Embodiments of the techniques, apparatuses, and systems described above may be used to address emerging problems in power systems automation and control, and may provide several advantages over existing technology. More particularly, the disclosed techniques efficiently detect anomalies in sampled values, indicative of an attack on the sampled values. Once an attack is detected, an alarm may be triggered. For example, a trip blocking signal may be sent to a protective device, such as a circuit breaker, in order to prevent a wrongfully-induced tripping under normal operating conditions, or message can also be sent to the system operator, through SCADA. These techniques thus improve the resiliency of the power grid against a cyber-attack.
  • a protective device such as a circuit breaker
  • One embodiment is a method for detecting a false fault detection in a power system including a first monitoring device and a second monitoring device, the method comprising collecting a first series of power system electrical characteristic samples of the first monitoring device; detecting an apparent fault with a first monitoring device; receiving, from the second monitoring device, a second series of power system electrical characteristic samples, the second series of electrical characteristic samples corresponding in time to the first series; calculating a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; and triggering an alarm in response to determining the apparent fault is a false fault detection using the calculated dissimilarity metrics.
  • calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the dissimilarity metrics are the calculated moving-average correlations, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that a predefined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below a first threshold value. In certain forms, the dissimilarity metrics are the calculated moving-average correlations, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving- average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics comprises calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving- average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the dissimilarity metrics are the calculated moving-average distance statistics, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the dissimilarity metrics are the calculated moving-average distance statistics, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • triggering an alarm comprises refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault is a false fault detection.
  • Another exemplary embodiment is a power system comprising a first monitoring device including one or more interface circuits configured to collect a first series of power system electrical characteristic samples corresponding to a first monitored point in the power system, and to receive a second series of power system electrical characteristic samples corresponding to a second monitored point in the power system, the second series corresponding in time with the first series; and a signal processing circuit configured to detect an apparent fault using the first series; calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; and trigger an alarm in response to determining the apparent fault is a false fault detection using the calculated dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the dissimilarity metrics are the calculated moving-average correlations, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • the dissimilarity metrics are the calculated moving-average correlations, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving- average correlations are below the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving- average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the dissimilarity metrics are the calculated moving-average distance statistics, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the dissimilarity metrics are the calculated moving-average distance statistics, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving- average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • the signal processing circuit is configured to refrain from tripping a protection device associated with the first monitoring device upon determining that the detecting of the apparent fault is a false fault detection.
  • a further exemplary embodiment is a method, in a first monitoring device in a power system, the method comprising collecting a first series of sampled current and/or voltage data for a first monitored point in the power system; receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series of sampled current and/or voltage data
  • calculating the series of dissimilarity metrics comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the calculated moving- average correlations are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In certain forms, the calculated moving-average correlations are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving- average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving- average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics comprises computing, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the calculated moving-average distance statistics are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving- average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • the method further comprises detecting an apparent electric fault, based on the first series of sampled current and/or voltage data, but refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm.
  • a further exemplary embodiment is a first monitoring device for use in a power system, the monitoring device comprising one or more interface circuits configured to collect a first series of sampled current and/or voltage data for a first monitored point in the power system and to receive, from a second monitoring device, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series corresponding in time with the first series; and a signal processing circuit configured to calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; compare each of the dissimilarity metrics to a first threshold value; and trigger an alarm in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the calculated moving-average correlations are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • the calculated moving-average correlations are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving- average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average correlations, a number of moving- average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises computing, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving- average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • the signal processing circuit is configured to detect an apparent electric fault, based on the a first series of sampled current and/or voltage data, but is further configured to refrain from tripping a protection device associated with the first monitoring device upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)

Abstract

L'invention concerne la détection de cyber-attaques sur des valeurs échantillonnées dans un environnement de sous-station, qui est basé sur les corrélations et/ou les distances de Mahalanobis entre les valeurs échantillonnées pour deux points surveillés dans la sous-station. Un procédé à titre d'exemple comprend la collecte d'une première série de données de tension et/ou de courant échantillonnées pour un premier point surveillé. Le procédé comprend en outre la réception, à partir d'un second dispositif de surveillance dans le système d'alimentation, d'une seconde série de données de tension et/ou de courant échantillonnées pour un second point surveillé. Cette seconde série de données de tension et/ou de courant échantillonnées correspond temporellement à la première série. Des mesures de dissimilarité sont calculées pour la première et la seconde série, les mesures de dissimilarité étant basées sur les covariances de la première et de la seconde série. Les mesures de dissimilarité sont comparées à une première valeur seuil, et une alarme est déclenchée en réponse à la détermination que ladite comparaison indique une dissimilarité qui excède une dissimilarité cible.
PCT/US2016/030407 2015-04-30 2016-05-02 Détection de cyber-attaques et de défaillances de capteur dans des sous-stations numériques WO2016176682A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562154831P 2015-04-30 2015-04-30
US62/154,831 2015-04-30

Publications (1)

Publication Number Publication Date
WO2016176682A1 true WO2016176682A1 (fr) 2016-11-03

Family

ID=57198863

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/030407 WO2016176682A1 (fr) 2015-04-30 2016-05-02 Détection de cyber-attaques et de défaillances de capteur dans des sous-stations numériques

Country Status (1)

Country Link
WO (1) WO2016176682A1 (fr)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656610A (zh) * 2016-12-27 2017-05-10 上海科梁信息工程股份有限公司 电力信息系统安全性测试系统及方法
CN108921424A (zh) * 2018-06-28 2018-11-30 广东电网有限责任公司 一种电力数据异常检测方法、装置、设备及可读存储介质
CN109805932A (zh) * 2017-11-21 2019-05-28 西门子保健有限责任公司 Mr装置中的自动故障检测
US10417415B2 (en) 2016-12-06 2019-09-17 General Electric Company Automated attack localization and detection
WO2020072477A1 (fr) * 2018-10-01 2020-04-09 Abb Schweiz Ag Atténuation décentralisée de fausses données pour miniréseaux imbriqués
CN112146904A (zh) * 2019-06-28 2020-12-29 三菱重工业株式会社 异常检测装置、异常检测方法、以及存储介质
US11475124B2 (en) 2017-05-15 2022-10-18 General Electric Company Anomaly forecasting and early warning generation
EP3894872A4 (fr) * 2018-12-14 2023-01-04 University of Georgia Research Foundation, Inc. Surveillance d'état par l'intermédiaire d'un audit de consommation d'énergie dans des dispositifs électriques et audit de forme d'onde électrique dans des réseaux d'alimentation
US11790081B2 (en) 2021-04-14 2023-10-17 General Electric Company Systems and methods for controlling an industrial asset in the presence of a cyber-attack
US12034741B2 (en) 2021-04-21 2024-07-09 Ge Infrastructure Technology Llc System and method for cyberattack detection in a wind turbine control system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7110231B1 (en) * 2002-08-30 2006-09-19 Abb Inc. Adaptive protection system for a power-distribution network
US20090147412A1 (en) * 2007-12-07 2009-06-11 Cooper Technologies Company Transformer inrush current detector
US20100306151A1 (en) * 2007-11-05 2010-12-02 Schneider Electric USA, Inc. in hierarchy determination for power monitoring systems
US20120284790A1 (en) * 2006-09-11 2012-11-08 Decision-Zone Inc. Live service anomaly detection system for providing cyber protection for the electric grid
US20130138651A1 (en) * 2011-11-28 2013-05-30 Bin Lu System and method employing a self-organizing map load feature database to identify electric load types of different electric loads
US20130188796A1 (en) * 2012-01-03 2013-07-25 Oticon A/S Method of improving a long term feedback path estimate in a listening device
US20140312893A1 (en) * 2013-03-14 2014-10-23 Don Burkart Intelligent electronic sensors for monitoring electrical circuits
US20140371941A1 (en) * 2013-06-18 2014-12-18 The Regents Of The University Of Colorado, A Body Corporate Software-defined energy communication networks

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7110231B1 (en) * 2002-08-30 2006-09-19 Abb Inc. Adaptive protection system for a power-distribution network
US20120284790A1 (en) * 2006-09-11 2012-11-08 Decision-Zone Inc. Live service anomaly detection system for providing cyber protection for the electric grid
US20100306151A1 (en) * 2007-11-05 2010-12-02 Schneider Electric USA, Inc. in hierarchy determination for power monitoring systems
US20090147412A1 (en) * 2007-12-07 2009-06-11 Cooper Technologies Company Transformer inrush current detector
US20130138651A1 (en) * 2011-11-28 2013-05-30 Bin Lu System and method employing a self-organizing map load feature database to identify electric load types of different electric loads
US20130188796A1 (en) * 2012-01-03 2013-07-25 Oticon A/S Method of improving a long term feedback path estimate in a listening device
US20140312893A1 (en) * 2013-03-14 2014-10-23 Don Burkart Intelligent electronic sensors for monitoring electrical circuits
US20140371941A1 (en) * 2013-06-18 2014-12-18 The Regents Of The University Of Colorado, A Body Corporate Software-defined energy communication networks

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JAAFARI MOUSAVI.: "Underground distribution cable incipient fault diagnosis system.", DISS. TEXAS A&M UNIVERSITY., 25 April 2007 (2007-04-25), pages 72, 123, 133, XP055326357, Retrieved from the Internet <URL:https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjr1b3qt8jNAhXIMSYKHVzhAzYQFggeMAA&url=http%3A%2F%2Foaktrust.library.tamu.edu%2Fbitstream%2Fhandle%2Fl969.l%2F4675%2Fetd-tamu-2005C-ELEN-Jaafari.pdf%3Fsequence%3D1&usg=AFQjCNGxDN8EKKOernlaM3DlzuzS13eUvw&si> *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10417415B2 (en) 2016-12-06 2019-09-17 General Electric Company Automated attack localization and detection
CN106656610A (zh) * 2016-12-27 2017-05-10 上海科梁信息工程股份有限公司 电力信息系统安全性测试系统及方法
US11475124B2 (en) 2017-05-15 2022-10-18 General Electric Company Anomaly forecasting and early warning generation
CN109805932A (zh) * 2017-11-21 2019-05-28 西门子保健有限责任公司 Mr装置中的自动故障检测
CN109805932B (zh) * 2017-11-21 2023-04-14 西门子保健有限责任公司 Mr装置中的自动故障检测
CN108921424A (zh) * 2018-06-28 2018-11-30 广东电网有限责任公司 一种电力数据异常检测方法、装置、设备及可读存储介质
CN108921424B (zh) * 2018-06-28 2020-11-17 广东电网有限责任公司 一种电力数据异常检测方法、装置、设备及可读存储介质
WO2020072477A1 (fr) * 2018-10-01 2020-04-09 Abb Schweiz Ag Atténuation décentralisée de fausses données pour miniréseaux imbriqués
CN113169558A (zh) * 2018-10-01 2021-07-23 Abb瑞士股份有限公司 用于嵌套式微电网的分散式错误数据减轻
EP3894872A4 (fr) * 2018-12-14 2023-01-04 University of Georgia Research Foundation, Inc. Surveillance d'état par l'intermédiaire d'un audit de consommation d'énergie dans des dispositifs électriques et audit de forme d'onde électrique dans des réseaux d'alimentation
CN112146904A (zh) * 2019-06-28 2020-12-29 三菱重工业株式会社 异常检测装置、异常检测方法、以及存储介质
US11500965B2 (en) 2019-06-28 2022-11-15 Mitsubishi Heavy Industries, Ltd. Abnormality detection device, abnormality detection method, and non-transitory computer-readable medium
US11790081B2 (en) 2021-04-14 2023-10-17 General Electric Company Systems and methods for controlling an industrial asset in the presence of a cyber-attack
US12034741B2 (en) 2021-04-21 2024-07-09 Ge Infrastructure Technology Llc System and method for cyberattack detection in a wind turbine control system

Similar Documents

Publication Publication Date Title
WO2016176682A1 (fr) Détection de cyber-attaques et de défaillances de capteur dans des sous-stations numériques
US11728640B2 (en) Secured fault detection in a power substation
Lotfifard et al. Detection of symmetrical faults by distance relays during power swings
Hong et al. Detection of cyber intrusions using network-based multicast messages for substation automation
CN106415286B (zh) 用于脉冲接地故障检测和定位的系统和方法
Jafarian et al. High-speed superimposed-based protection of series-compensated transmission lines
CN106597188B (zh) 电缆、架空及混联线路下单相接地故障判别方法
CN104569683B (zh) 一种故障电弧的检测方法
CN110933031A (zh) 一种基于lstm的智能电网配电终端单元入侵检测方法
Dubey et al. Wavelet based energy function for symmetrical fault detection during power swing
Lin et al. A novel adaptive single-phase reclosure scheme using dual-window transient energy ratio and mathematical morphology
Ray et al. Detection of faults in a power system using wavelet transform and independent component analysis
Aguilera et al. Directional traveling-wave protection based on slope change analysis
CN102135555A (zh) 低压系统串联电弧故障识别方法
Adhikari et al. A cyber-physical power system test bed for intrusion detection systems
CN104485646B (zh) 一种用于快速相量保护的采样值异常闭锁方法及快速相量保护装置
Mishra et al. Resilience-oriented protection scheme for TCSC-compensated line
Gilbert et al. A statistical method for the detection of power system faults
Noori et al. Security assessment for a cumulative sum-based fault detector in transmission lines
CN107483492B (zh) 电力系统继电保护网络安全防护方法
NengLing et al. Wavelet‐based approach for high impedance fault detection of high voltage transmission line
US10474142B2 (en) Detection of cross-country faults
Wijekoon et al. Transient based faulted conductor selection method for double circuit lines
WO2008069988A2 (fr) Procédé et appareil pour améliorer la sécurité et la sûreté de fonctionnement de la détection d&#39;un défaut de haute impédance
CN108242797A (zh) 一种应用于10kV配电网小电阻接地系统故障保护的集中式保护装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16787306

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16787306

Country of ref document: EP

Kind code of ref document: A1