CIGRE GRID OF THE FUTURE, SENSOR DATA AND FAULT LOCATION ANALYTICS SESSION 2017.10 .24

A Met hod fo r Det ect ing Ab norm al Sens or Dat a Us ing Mult i-t e rm ina l Diffe rent ia l Pro t ect ion Funct ions

David Coa t s , Reyna ld o Nuq ui USCRC

1. Collab ora t ive Defens e (CoDef) Pro ject Overview

2. Threa t Mod eling

3. Mult i-Term ina l Pro t ect ion

4. Ab norm al Da t a Det ect ion Met hod

5. Sum m ary, Conclus ions , and Fut ure Pro ject s

Oct ob er 31, 20 17 Slid e 2

Agenda

Collaborat ive and Dist ribut ed Cyber Defens e Funct ions , DoE Fund ed Res ea rch

Oct ob er 31, 20 17 Slid e 3

Domain Based Collaborat ive Defense (CoDef )

To ad vance t he s t a t e o f t he a rt in cyb er d efens e m et hod s fo r t rans m is s ion and d is t rib ut ion g rid p ro t ect ion and cont ro l d evices b y d evelop ing and d em ons t ra t ing a d is t rib ut ed s ecurit y d om ain layer t ha t enab les t rans m is s ion and p ro t ect ion d evices t o co llab ora t ive ly d efend ag a ins t cyb er a t t acks .

“Cyb er Securit y t hroug h ob s curit y” Securit y ag a ins t cyb er a t t acks on p ro t ect ion and cont ro l

d evices is p erfo rm ed a t t he IT layer. Cyb er s ecurit y is react ive and could no t b lock m alicious

op era t ion o f s ub s t a t ion s wit ching d evices

Int er-d evice level t echno log y fo r s m art d e t ect ion o f cyb er a t t acks us ing p ower s ys t em d om ain knowled g e, IEC 61850 and o t her s t and ard s ecurit y ext ens ions Real t im e, cyb er s ecure and OT erro r-p roof p ro t ect ion and

cont ro l s o lut ions fo r p ower g rid s

Ob ject ive

St a t e -o f-t he-a rt

Innova t ion

Oct ober 31, 2017 Slid e 4

Technology Object ives

Cyber At t ack Scenarios and Securit y Dem ons t ra t ions

Oct ob er 31, 20 17 Fina l Rep ort - Award No. DE-OE0 0 0 0 674 Slid e 5

Cyber-Physical Securit y Funct ions

At t ack Goal of At t ack Cyber Securit y Funct ion Demonst rat ed

Implement at ion Level

Malicious d a t a inject ion Malicious t rip p ing o f circuit b reaker

1. Co-p ick – co llab ora t ive p ickup confirm at ion(p os s ib le w/ in Pro t ect ive Relays )

Eng ineering Too ls

2. Trans -p ick – t rans ient p ickup confirm at ion (new hard ware)

New Develop m ent

3. Mult i-pick – Mult i-t erminal dif f erent ialconf irmat ion (possible w/ in Prot ect ive Relays)

Eng ineering Too ls

Unaut horized cont ro l o f circuit b reaker

Malicious t rip p ing o f circuit b reaker

4. Cyb er s ecured d irect cont ro l o f b reaker –M2M com m unica t ions , s im ula t ion as s is t ed

Sim ula t ionAs s is t ed

Malicious chang e in p ro t ect ive re lays s e t t ing s

Mis -coord ina t ere lays

5. Cyb er s ecured IED config ura t ion chang e –GOOSE confirm at ion (p os s ib le w/ in Relays )

Sim ula t ionAs s is t ed , Com m .

GOOSE a t t ack Malicious t rip p ing o f circuit b reaker

6. Cyb er s ecured GOOSE – Aut hent ica t ed GOOSE IEC62351 Im p lem ent a t ion (new hard ware)

New Develop m ent ,St and ard s Bas ed Com m unica t ion

Timing Plot Comparison

Oct ob er 31, 20 17 Slid e 6

Example Applicat ion Time-Scale Overview

REL_PTRC: Trip cond it ion log ic: act ua l t rip com m and a ft e r act ua l fault

REL_Dis :

Dis t ance t rip com m and from REL670

CoPick or Mult iPick

Confirm from p ick-up log ica l nod e from 3 t o 4 exis t ing re lays b y GOOSE m es s ag e , Fib er

Mult i-t e rm ina l p ro t ect ion from 3 t e rm ina ls p rop os ed confirm a t ion from GOOSE m ess ag e , Fib er

Trans Pick

Confirm from Trans ient cond it ions ap p roxim a t e ly q ua rt e r t o ha lf cycle p ro t ect ion (Com m od it y Hard ware)

Specif icat ions and Assumpt ions

Oct ob er 31, 20 17 Slid e 7

Threat Modeling

In a d ig it a l world , “ob scurit y” is g rowing increas ing ly ha rd t o m a int a in

Dom ain b ased , co llabora t ive , and ab norm a l da t a d e t ect ion cyb er s ecurit y ap p lica t ions a re no t t he firs t layer o f d efense b ut could he lp

There a re t wo t yp es o f s cena rios which fo rm t he b as is o f hig h leve l a t t ack m od els :

Scenario 1: In t his s cena rio , t he a t t acker e it her s t ea ls t he cred ent ia ls (log in/ pas sword ) and / or t here is a s ecurit y b reach in t he IT infra s t ruct ure . This lead s t o unaut horized acces s t o IEDs o r Pro t ect ive Relays and com m unica t ion ne t work.

Scenario 2: In t his s cena rio , t he a t t acker can b e a d isg runt led em p loyee , who has t he com p le t e knowledge o f t he sys t em and aut horized acces s t o IEDs and com m unica t ion ne t work.

A generic sample value attack model

Sample Value Securit y

Oct ob er 31, 20 17 Slid e 8

Abnormal Dat a Sources

IED gathers Ethernet traffic with NIC and filters SVValues of 3-phase values of V and I

IED firmware detects a fault in the electrical network

IED sends a 61850-8-1 GOOSE message to breaker control unit

MU Digitized Measurements

Merging Unit Gathers V, I and transducer status

MU merged digital values to standard SV packets and put time stamp

MU sends SV packets to Process Bus Network (61850-9-2)

MU gets time synch from a common timing source

Attacker injects an external malicious SV packet

Attacker eavesdrop SV traffic, get SV information

Attacker compose an SV packet

Driving Fact o rs :

Fas t e r p ro t ect ion req uires fa s t e r m easurem ent s

Dis t rib ut ion and t ransm is s ion aut om at ion p ush t oward d ig it a l m erg ing unit s fo r m easurem ent s

Increased d ep endence on t im ing sources

Hig h Leve l Threa t Scena rio1. The m erg ing unit (MU) g a t hers vo lt ag e, current and t ransd ucer s t a t us

info rm a t ion and d ig it izes t he m easurem ent s .2. MU g e t s t im e sync from com m on t im e source and d ig it ized

m easurem ent m erg ed in s am p le va lue (SV) p acke t s . The MU ensures t ha t t he num b er o f p acke t s fo llow IEC 61850-9-2, i.e . 80 s am p les / cycle

3. At t acker cont inuous ly m onit o rs t he SV t ra ffic, com p oses a m a licious SV p acke t s o r cop ies a fault s ig na t ure , and inject s it int o t he t ra ffic wit h t he correct p acke t s t ruct ure and s t and a rd fo rm a t Man in the Middle or Replay Attack

Scenario

KCL Condit ions

Oct ob er 31, 20 17 Slid e 9

Classical Dif f erent ial Prot ect ion

Typ ica l d iffe rent ia l o r m ult i-t e rm ina l p ro t ect ion m ay req uire d ed ica t ed com m unica t ion p a t hs

Mult ip le m as t e r config ura t ions : Mas t e r-s lave , m as t e r-m as t e r

Lim it s int rod uced in d ig it a l sys t em s b ased on la t ency and t hroug hp ut o f GOOSE, MMS , e t c

𝐼𝐼1 + 𝐼𝐼2 + 𝐼𝐼3 + ⋯𝐼𝐼𝑁𝑁 = 0

𝐼𝐼1 + 𝐼𝐼2 + 𝐼𝐼3 + ⋯𝐼𝐼𝑁𝑁 = 𝐼𝐼𝑑𝑑𝑑𝑑𝑑𝑑𝑑𝑑

1. When t he sum of a ll current is ze ro : No fault is d e t ect ed in t he Pro t ect ed Zone .2. When t he sum of a ll current yie ld s a current Id iff: A fault is d e t ect ed in t he

Pro t ect ed Zone , and t he fault current is Id iff.Current m easurem ent s a re a s sum ed t o b e accura t e , wit h ad d it iona l re lay s e t t ing s fo r a b ia s va lue b ased on d iffe rences in CT ca lib ra t ion

Collaborat ive and Dist ribut ed Cyber Defens e Funct ions fo r Trans m is s ion and Dis t rib ut ion

Oct ob er 31, 20 17 Slid e 10

Mult i Terminal Logic Goals

1. Fas t Op era t ion• Fas t act ing p rot ect ion m et hod s chosen (overcurrent ,

d iffe rent ia l)• Take advant ag e of d ig it a l m erg ing unit s and hig h sp eed

com m unica t ion2. Securit y

• Mult ip le loca t ions• Mult ip le sensor s t ream s• Es t ab lished p hys ica l p rincip les (KCL)• Sup p lem ent a l t o IT and OT b es t p ract ices

3. Read ines s• Typ ica l Markov Decis ion Log ic ut ilized for p ro t ect ive re lays• Int e rop erab ilit y p rovid ed wit h in com m unica t ion s t and a rd s• Minim a l deve lopm ent required• Targ e t s exis t ing eng ineering and config ura t ion t oo ls

4. Com p a t ib ilit y• No d ed ica t ed ha rd ware• Can use exis t ing p ro t ect ion funct ions• Confirm a t ion and co llabora t ion funct ions ava ilab le t hroug h

IEC61850 log ica l nod es

Collaborat ive and Dist ribut ed Cyber Defens e Funct ions fo r Trans m is s ion and Dis t rib ut ion

Oct ob er 31, 20 17 Slid e 11

Abnormal Dat a Det ect ion Logic

1. Cont inuous ly ca lcula t e t he superim p osedcom ponent current s (I1F t hrough INF) from t hecurrent m easurem ent s (I1 t hroug h IN)

2. Ca lcula t e t he d iffe rent ia l current , Id iff

3. If Id iff and a m ajorit y of t he N superim p osedcom ponent current s (I1F t hrough INF) a reg rea t e r t han p redefined t hreshold s , confirmint e rna l fault

4. If Id iff and only one of t he N superim p osedcom ponent current s , fo r exam ple only I1F, a reg rea t e r t han p redefined t hresho lds , a sensorfa ilure was d e t ect ed and t he sensor t ha tm easures I1 was t he fa iled sensor.

Measurement and digit alizat ion of CT input s

Oct ober 31, 2017 Slid e 12

Simulat ion Set up and Test Cases

Example t apped line wit h mult i-t erminal prot ect ion and DER int egrat ion

Sim ula t ed Measurem ent Sys t em :1. Id ea l q uant iza t ion wit h rand om ized noise2. Modelled current t rans form er sa t ura t ion lim it s

and g a in se t t ing s3. Tim e synchroniza t ion

Sim ula t ed Pro t ect ion Sys t em s :1. Sim p lified d iffe rent ia l m ult i-t e rm ina l d e t ect ion2. Log ica l Markov decis ion p roces s verifying

d iffe rent ia l p ro t ect ion wit h t he superim p osedcurrent

Tes t Cond it ions :1. Int e rna l fault wit hin t he p ro t ect ion zone2. Ext erna l fault close t o t he g rid connect ion3. Measurem ent fault caused by a sudden,

unaut horized change in CT ra t io or fa ls ifiedcurrent m easurem ent

Result s - Fault caus ed b y unaut horized chang e in CT Ra t io

Oct ob er 31, 20 17 Slid e 13

Mult i-t erminal Collaborat ive Defense Conf irmat ion

Confirmed Trip

Unconfirmed Trip

A m ult i-t e rm ina l d iffe rent ia l p ro t ect ion s chem e a llows fo r d e t ect ion and id ent ifica t ion o f s ens or anom alies in m eas urem ent d evices

Enab led b y IEC61850 , log ica l variab les verify t ha t each t e rm ina l in t he p ro t ect ion zone s ees a g iven int e rna l fault and p rovid e norm al op era t ion o f d iffe rent ia l p ro t ect ion

The m et hod is fas t , int e rop erab le wit h exis t ing s ys t em s / p ro t ect ion, and p rovid es an ad d it iona l cyb er-p hys ica l d efence layer

As m ore d ig it a l m erg ing unit d evices em erg e , t hey s up p ort new com m unica t ion and confirm at ion m et hod s t ha t could op era t e wit hin p ro t ect ion t im ing req uirem ent s

Effo rt s in Co llab ora t ive Defence a t ABB have b een cont inued in t wo s ep ara t e p rog ram s t a rg e t ing Microg rid s and HVDC ap p lica t ions p art nering wit h UIUC, Duke Prog res s , and Bonneville Power Ad m inis t ra t ion

Oct ob er 31, 20 17 Slid e 14

Summary and Conclusions

Quest ions?