Ting Yang,Rui Zhao,Weixin Zhang,Qiang Yang

DOI: https://doi.org/10.1109/tpwrd.2016.2573320

IF: 4.825

2016-01-01

IEEE Transactions on Power Delivery

Abstract:The underlying substation communication network (SCN) is of paramount importance in facilitating the advanced functionalities of substation automation. To design and maintain an efficient SCN to guarantee high transmission availability and information integrity, an accurate traffic model is required and the traffic characteristics need to be understood. This paper exploits the challenge of modeling and analyzing SCN data traffic from the data generating mechanism to the transmission and retransmission mechanisms, and reveals the symbiosis of short-range dependence and self-similarity. Recognizing that there is little research effort available, this paper proposes a viable approach in modeling the SCN traffic and mathematically analyzes the associated parameters aiming to accurately model the self-similarity behavior of SCN traffic, describes the symbiotic characteristics, and effectively predicts the traffic pattern. Further, the proposed modeling approach is validated and assessed through a case study by using a realistic 24-h dataset collected from a 110 kV substation's supervisory-control-and-data-acquisition system. The result clearly demonstrates that the model can accurately describe and forecast the SCN traffic with the autocorrelation function mean square error as small as $\mathrm{MSE}\left(\mathrm{m}\right)=2.077\times {10}^{-3}$. The insights obtained from this work can significantly promote the design and operation of SCNs.

Qiang Yang,Weijie Hao,Leijiao Ge,Wei Ruan,Fujian Chi

DOI: https://doi.org/10.1049/iet-cps.2018.5052

2018-01-01

Abstract:The technological advances of intelligent electric substations have significantly improved the operational performance of power utilities by incorporating advanced monitoring and control functionalities. The data traffic patterns in substation communication network (SCN) need to be better understood to improve the SCN performance against different forms of cyber-attacks. To this end, this study presents a fractional auto-regressive integrated moving average (FARIMA)-based threshold model to characterise the SCN traffic flow based on the IEC 61850 protocol and carry out anomaly detection. The performance of the proposed anomaly detection solution is assessed and validated through numerical analysis under the condition of the cyber storm based on the collected SCN data traffic from a real 110kV substation, and the numerical results clearly confirmed its effectiveness.

Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

HAO Weijie,YANG Qiang,LI Wei

DOI: https://doi.org/10.7500/AEPS20180705012

2019-01-01

Abstract:With the rapid development of power transmission and transformation equipment automation and smart substation construction, the hidden danger of grid information security is increasingly prominent.Accurate and reliable traffic modeling and anomaly detection method of substation communication network (SCN) have become very important to prevent network security problems and identify cyber attacks.Based on the analysis of behavior characteristics of network traffic on the control layer of substation station, this paper proposes the fractional autoregressive integrated moving average (FARIMA) model to construct the threshold model for network traffic.Aiming at the typical cyber-attack mode and traffic anomaly characteristics of substation, the traffic data on the control layer of an actual substation station is analyzed based on the operation state assessment algorithm.And the probability of typical network anomaly is calculated.Finally, the safety situation evaluation of the substation is realized under the cyber attacks.

Jiang Jiang,Yongxiang Xia,Sheng Xu,Hui-Liang Shen,Jiajing Wu

DOI: https://doi.org/10.1063/1.5139254

2020-01-01

Abstract:Cyber-physical systems (CPSs) are integrations of information technology and physical systems, which are more and more significant in society. As a typical example of CPSs, smart grids integrate many advanced devices and information technologies to form a safer and more efficient power system. However, interconnection with the cyber network makes the system more complex, so that the robustness assessment of CPSs becomes more difficult. This paper proposes a new CPS model from a complex network perspective. We try to consider the real dynamics of cyber and physical parts and the asymmetric interdependency between them. Simulation results show that coupling with the communication network makes better robustness of power system. But since the influences between the power and communication networks are asymmetric, the system parameters play an important role to determine the robustness of the whole system.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/jsyst.2022.3150576

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In this article, we study how to resist malware attacks in cyber-physical power systems (CPPSs) through cyber protection. A model that incorporates the power flow analysis, the cyber monitoring and control, and the factor of cyber protection is proposed to simulate malware attacks in CPPSs. Meanwhile, an evaluation method is also developed to estimate the effectiveness of different cyber protection strategies. Through simulations, we conduct case studies in a test CPPS generated by coupling the IEEE 118 Bus System with a scale-free communication network. The protection effects of three heuristic cyber protection strategies, namely, target protection, random protection, and acquaintance protection are compared and analyzed. Simulation results reveal that compared with the other two strategies, target protection can suppress malware propagation and resist malware attacks more effectively. Moreover, we also investigate the optimal cyber protection problem in CPPSs and formulate it as a zero-one integer programming problem. We solve the problem by genetic algorithm and find that some low-degree cyber nodes also play a significant role in resisting malware attacks in CPPSs, especially when the protection budget is tight.

Tao Yang,Weijie Hao,Qiang Yang,Wenhai Wang

DOI: https://doi.org/10.1016/j.eswa.2023.120668

IF: 8.5

2023-01-01

Expert Systems with Applications

Abstract:Industrial cyber-physical systems (ICPSs) are facing increasing cyber threats that can cause catastrophes in the physical systems. Efficient network traffic anomaly detection is essential for guaranteeing the system's security and reliability. However, existing research on network traffic anomaly detection for ICPS has several limitations. First, most traffic anomaly detection models focus on centralized detection. Thus, all traffic packets have to be uploaded to the control center for detection, which leads to a heavy traffic load. However, real-time and reliable communication is crucial to ICPSs. The heavy traffic load may cause communication delays or packets lost by corruption. Second, Seasonal AutoRegressive Integrated Moving Average (SARIMA) is popular in ICPS network traffic anomaly detection. However, most SARIMA-based detection models can only detect anomalous traffic once. Thus, they are unable to detect anomalies continuously and are not suitable for actual ICPS. Third, the features extracted from network traffic affect the classification performance. However, most existing feature extraction models cannot sufficiently extract traffic features, leading to poor detection performance. To address the limitations above, this paper proposes a cloud-edge coordinated network traffic anomaly detection approach. The proposed approach consists of a set of anomalous traffic alarm models deployed in the edge areas and an anomalous traffic analysis model deployed in the cloud. The former is implemented based on Improved Online SARIMA (IOSARIMA) algorithm that can detect anomalous traffic continuously and upload it to the cloud for further analysis, filtering massive normal traffic packets and making traffic load smaller. The anomalous traffic analysis model consists of a feature extraction algorithm and a Convolutional Neural Network (CNN) classifier, which can sufficiently extract traffic features and identify the attack types precisely. The proposed anomaly detection approach is extensively evaluated on a realistic ICPS testbed, including 3 edges (i.e., power generation, power transmission and power distribution) and a cloud consisting of an engineering workstation and a Supervisory Control And Data Acquisition (SCADA) workstation. The experimental results confirm the smaller traffic load and better detection performance, compared with the existing detection models.

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang

DOI: https://doi.org/10.1016/j.comnet.2020.107677

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>Supervisory Control and Data Acquisition (SCADA) systems are becoming increasingly susceptible to the sophisticated and targeted cyber attacks which are typically carried out by exploiting the vulnerabilities of industrial control devices or protocols. However, most of the existing network intrusion detection methods only focus on detecting and characterizing cyber attacks against the SCADA system, but cannot fully describe their real impact on the system. In this paper, we propose a cyber-physical model for the SCADA system to detect intrusions from the SCADA network and evaluate their risk levels against the industrial process. The model aims at characterizing the network structure and industrial process of the SCADA system through extracting and correlating the communication patterns and states of ICS devices. And any violation of the model is considered abnormal behavior, which can be caused by false operation or network attacks. Through associating network intrusions with the status of the SCADA system, a risk assessment method is proposed to estimate the potential damage degree of the attack on the system, which provides network administrators with richer information about network attacks. Moreover, the comprehensive performance evaluation conducted on public SCADA network data sets shows that the proposed method outperforms the existing methods in detecting and analyzing various cyber attacks against the SCADA system.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Caiming Yang,Jianmin Zhang,Kangyi Li,Jiayu Zhang,Naizheng Jin,Xijian Wang

DOI: https://doi.org/10.1109/ispec48194.2019.8975306

2019-11-01

Abstract:When abormalities, including equipment failure and/or cyber attacks, occur in the substation, it is essential to specify their difference in performance, e.g., process layer of digital substation will encounter stochastic messages and burst messages in normal operation, abnormal traffic caused by equipment fault, or denial-of-service (DoS) attacks by virus intrusion. In this reason, a novel cyber physical fusion based abnormal traffic detection approach has been proposed, a difference-sequence-variance based abnormal message traffic detection method and flowchart is proposed, including a new substation traffic anomaly membership function and its parameter estimation method. The simulation verification of the T1-1 type substation network is done by OPNET, which prove that the random and burst GOOSE messages as well as DoS attacks in the layer can be identified by proposed method.

Li Zhang,Zhuo Lv,Xuesong Zhang,Cen Chen,Nuannuan Li,Yidong Li,Wei Wang

DOI: https://doi.org/10.1007/978-3-030-36938-5_24

2019-01-01

Abstract:Industrial Control Systems (ICS) are the critical infrastructures of power grids. It is very important to monitor and control industrial equipment through the networks. Most ICSs currently used in smart grid contain IT key equipment and communication technologies to implement the communication and logic control functions. However, unlike traditional IT network traffic, these power-related industrial control systems have variety of proprietary protocols. Obviously, in typical complex systems the manually intensive processing of data is costly and sub-optimal. In this paper, we propose an novel traffic anomaly detection model for power ICS based on Multi-Head attention (MHA) method, in which the collected raw traffic was converted into the form of matrix. The MHA and Convolutional Neural Network (CNN) model were used to classify traffic data. We replace the traditional feature extraction and rule making process with an acceptable computational cost. The effectiveness of our approach is demonstrated by experiments on two real world power ICS testbeds: a power generation simulation platform based on a distributed control system (DCS) and a substation slave station. Comparing with some classical machine learning algorithms and Convolutional Neural Networks, the experimental results show that our MHA model outperforms the CNN-based and classical machine learning detection models with an accuracy rate of 99.86%.

Yidong Li,Li Zhang,Zhuo Lv,Wei Wang

DOI: https://doi.org/10.1109/tits.2020.3018259

IF: 8.5

2021-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Safe and reliable intelligent charging stations are imperative in an intelligent transportation infrastructure. Over the past few years, a big number of smart charging stations have been deployed, and most of them are online and connected, resulting in potential risks of threats. Although there exists related work on securing intelligent vehicles, very little work focused on the security of charging devices. Unlike traditional network systems, these power-related Industrial Control Systems (ICSs) use many different proprietary protocols and diverse interactions. Traditional anomaly detection methods based on network traffic are thus not suitable for these systems. In this work, we propose an anomaly detection method in real vehicle power supply systems based on a deep architecture model. In particular, we propose a novel traffic anomaly detection model based on Multi-Head Attentions (MHA) that take into account the inherent correlations of traffic generated by ICSs. The MHA model is employed to substitute the traditional feature extraction and rule making process with an acceptable computational cost for classifying traffic data. It is an attention-based model that employs Google Transformer encoder architecture to extract recessive features of traffic for anomaly detection. The effectiveness of the model is demonstrated by experiments on two real-world power ICS testbeds including a substation with a slave charging station and a power generation simulation platform based on a distributed control system. Comprehensive experimental results indicate that the MHA model outperforms the Convolutional Neural Networks (CNN)-based and classical machine learning detection models with an accuracy rate of 99.86%.

engineering, electrical & electronic,transportation science & technology, civil

Weijie Hao,Tao Yang,Qiang Yang

DOI: https://doi.org/10.1109/tase.2021.3073396

IF: 6.636

2023-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Critical industrial infrastructures are currently facing increasing cyberspace threats in their underlying information and communication systems. The advanced monitoring, control, and management functionalities of the industrial systems firmly rely on the reliable and secure operations of the industrial control system (ICS) network. This article characterizes the ICS network traffic and presents a scalable and efficient solution for real-time ICS network traffic anomaly detection, considering various forms of ICS anomaly events. The events due to the cyberattacks, malicious operating behaviors, and network anomalies can be effectively detected without sophisticated computational requirements and retrieval of communication protocols. The proposed hybrid statistical-machine learning model integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the abnormal traffic patterns with low false omission rates. The proposed solution is extensively evaluated at a realistic ICS cyber–physical system (CPS) testbed, and the numerical results confirm its high detection accuracy and low computational complexity. Note to Practitioners—This article was motivated by the challenge of real-time anomaly detection in industrial cyber–physical systems (CPSs). The existing industrial control system (ICS) network anomaly detection solutions are generally carried out based on a single model based on the historian database and cannot dynamically classify the abnormal conditions in a real-time fashion. A novel hybrid statistical-machine learning model is developed that integrates a seasonal autoregressive integration moving average (SARIMA)-based dynamic threshold model and a long short-term memory (LSTM) model to jointly identify the anomalous events through traffic pattern analysis. The proposed anomaly detection solution can efficiently provide accurate detection for cyberattacks, malicious operating behaviors, and network anomalies while meeting the real-time requirements of ICS networks. The proposed solution can be deployed in the realistic ICS CPSs, e.g., the power generation system, gas pipeline systems, and urban railway transportation systems. The preliminary numerical results obtained from the ICS-CPS testbed suggested that it can provide high detection accuracy with low computational complexity and, hence, can be adopted with minimal deployment hurdles.

Weijie Hao,Qiang Yang

DOI: https://doi.org/10.1016/j.egypro.2018.04.068

2018-01-01

Energy Procedia

Abstract:The quick development of intelligent electric substations has significantly improved the operational performance of power utilities through incorporating advanced monitoring and control functionalities. The data traffic patterns in intelligent substation communication network (SCN) needs to be better understood and characterized, so as to improve the SCN performance and planning. This paper presents a FARIMA based solution for SCN data traffic characterization in intelligent substations based on real data measurements. The effectiveness of the proposed threshold model is evaluated and validated through numerical analysis.

Yirui Zhao,Yong Li,Yijia Cao,Mingyu Yan

DOI: https://doi.org/10.1016/j.apenergy.2023.121551

IF: 11.2

2023-07-22

Applied Energy

Abstract:Substation with various communication and control devices has become a major target of cyber-attacks. In general, two main types of cyber-attacks can be performed on substations through direct intelligent electronic device connections from remote accesses or via compromising local substation supervisory control center and data acquisition systems, thus respectively resulting in different damage to the power systems. In this paper, the combination of two types of cyber-attacks on the power systems are considered. The generalized stochastic Petri net is utilized to simulate dynamic intrusion processes of these two types of cyber-attacks. Furthermore, the successful attack probabilities of cyber-attacks are calculated based on simulation results. Then, a probabilistic bi-level optimization model is proposed to identify critical components with the maximum cyber risk and the types of cyber-attacks. The two types of cyber-attacks initiated from substation space to individual components are particularly modeled in the proposed model. Finally, a two-stage algorithm using the network flow is proposed to solve the proposed model more efficiently. Simulation results tested on the IEEE RTS 24-bus and the 118-bus systems validate the effectiveness of the proposed model. Results also show that the devised algorithm can improve the computation performance in dealing with larger-scale power systems.

energy & fuels,engineering, chemical

Prashanth Krishnamurthy,Ali Rasteh,Ramesh Karri,Farshad Khorrami

2024-06-18

Abstract:Increased connectivity and remote reprogrammability/reconfigurability features of embedded devices in current-day power systems (including interconnections between information technology -- IT -- and operational technology -- OT -- networks) enable greater agility, reduced operator workload, and enhanced power system performance and capabilities. However, these features also expose a wider cyber-attack surface, underscoring need for robust real-time monitoring and anomaly detection in power systems, and more generally in Cyber-Physical Systems (CPS). The increasingly complex, diverse, and potentially untrustworthy software and hardware supply chains also make need for robust security tools more stringent. We propose a novel framework for real-time monitoring and anomaly detection in CPS, specifically smart grid substations and SCADA systems. The proposed method enables real-time signal temporal logic condition-based anomaly monitoring by processing raw captured packets from the communication network through a hierarchical semantic extraction and tag processing pipeline into time series of semantic events and observations, that are then evaluated against expected temporal properties to detect and localize anomalies. We demonstrate efficacy of our methodology on a hardware in the loop testbed, including multiple physical power equipment (real-time automation controllers and relays) and simulated devices (Phasor Measurement Units -- PMUs, relays, Phasor Data Concentrators -- PDCs), interfaced to a dynamic power system simulator. The performance and accuracy of the proposed system is evaluated on multiple attack scenarios on our testbed.

Systems and Control

Yinfei Lv,Huorong Ren,Xuefeng Gao,Tong Sun,Haopeng Zhang,Xinyu Guo

DOI: https://doi.org/10.1007/978-3-030-65955-4_19

2020-01-01

Abstract:As the problem of network security becomes more and more serious, how to accurately perceive the current network security situation and discover the attack behavior in time has become the focus of research in the field of network security. This paper proposes a multi-scale risk assessment model for network security based on Long Short Term Memory neural network (LSTM). The model utilizes the wavelet transform to decompose network traffic time series into sub-sequences of various scales. The LSTM network is used to predict the sub-sequence of wavelet decomposition. By comparing the difference between the actual sub-sequence and the predicted sub-sequence, the model determines whether there is “anomaly” in the network traffic time series. The anomaly detection results of each sub-sequence are summarized into a network security risk value to assess the risk of network security. The introduction of the multi-scale technology improves the detection accuracy of network traffic time series anomaly detection and effectively enhances the reliability of the risk value.

Tianyi Pan,Subhankar Mishra,Lan N. Nguyen,Gunhee Lee,Jungmin Kang,Jungtaek Seo,My T. Thai

DOI: https://doi.org/10.1109/ACCESS.2017.2738565

2020-05-16

Abstract:Social Networks (SNs) have been gradually applied by utility companies as an addition to smart grid and are proved to be helpful in smoothing load curves and reducing energy usage. However, SNs also bring in new threats to smart grid: misinformation in SNs may cause smart grid users to alter their demand, resulting in transmission line overloading and in turn leading to catastrophic impact to the grid. In this paper, we discuss the interdependency in the social network coupled smart grid and focus on its vulnerability. That is, how much can the smart grid be damaged when misinformation related to it diffuses in SNs? To analytically study the problem, we propose the Misinformation Attack Problem in Social-Smart Grid (MAPSS) that identifies the top critical nodes in the SN, such that the smart grid can be greatly damaged when misinformation propagates from those nodes. This problem is challenging as we have to incorporate the complexity of the two networks concurrently. Nevertheless, we propose a technique that can explicitly take into account information diffusion in SN, power flow balance and cascading failure in smart grid integratedly when evaluating node criticality, based on which we propose various strategies in selecting the most critical nodes. Also, we introduce controlled load shedding as a protection strategy to reduce the impact of cascading failure. The effectiveness of our algorithms are demonstrated by experiments on IEEE bus test cases as well as the Pegase data set.

Systems and Control,Social and Information Networks

Lianquan Hou,Jianmin Zhang,Naizheng Jin,Ma Zhu,Yong Li

DOI: https://doi.org/10.1109/ccdc.2016.7531789

2016-01-01

Abstract:Cyber security is a major issue and a hard work for digital substation who uses Ethernet communication network and open IEC 61850 communication protocol. Based on message type and data stream analysis of digital substation communication, the cyber security threats faced by digital substation have been classified and analyzed at first; knowing the performance of a cyber-attack is the first step for latter attack detection and defense, for which simulation is a better choice; in this paper, the most malicious and harmful SYN-Flood attack has been taken as a simulation case by OPNET platform, and from which the performance of SYN-Flood attack has been observed and analyzed for further attack detection and defense.

Jing Bai,Jianlin Jiao,Meng Han,Xianfei Zhou,Chao Liu

DOI: https://doi.org/10.2478/amns-2024-0714

2024-01-01

Applied Mathematics and Nonlinear Sciences

Abstract:Abstract Substation network security is the key to maintaining the stable operation of power systems. In the face of growing threats of network attacks, traditional security protection measures have been brutal to meet the needs of modern power systems. Research on substation network security, situational awareness strategies, and remote operation and maintenance of equipment is essential to improve network defense capability and ensure the continuity and reliability of power supply. This study explores effective security situational awareness methods and remote operation and maintenance techniques to provide new solutions for substation network security. This paper builds an efficient network attack detection model by introducing linear discriminant analysis (LDA) and radial basis function (RBF) neural networks. The experiment uses the KDD Cup99 dataset, which is preprocessed to provide the model training and testing data. The LDA-RBF model in this paper outperforms the traditional RNF neural and BP neural networks regarding recognition rate. Specifically, the recognition rate reaches 90.2% for the Smurf attack and 100% for the Ipsweep attack. The proposed model of the study also performs well in terms of leakage and false alarm rates, with an overall recognition rate of 97.00%. This study proposes a network security situational awareness strategy and equipment remote operation and maintenance method that can effectively enhance substation networks’ security and operation and maintenance efficiency.