
SHARP-Net: Platform for Self-Healing and Attack Resilient PMU Networks

Authors:
Vivek Kumar Singh, Evan Vaughan, Joshua Rivera
Energy Security and Resilience Center, National Renewable Energy Laboratory
Email: vivekkumar.singh@nrel.gov, evan.vaughan@nrel.gov, joshua.rivera@nrel.gov
Abstract—Synchrophasor technology plays a pivotal role in developing
the next generation of wide-area monitoring, protection, and control
in the smart grid environment. As technology and communications
infrastructures evolve, however, so do the attack surfaces in the
synchrophasor network that can be exploited by advanced persistent
threat (APT) actors to affect power system stability and reliability.
In this paper, we propose a novel platform for developing a
self-healing and attack-resilient PMU network (SHARP-Net) by
instituting a state-of-the-art intrusion detection system (IDS) with
an intrusion mitigation system (IMS) and an alert management system
(AMS). In particular, the proposed platform detects anomalies during
cyberattacks on phasor data concentrators (PDCs) based on the rules
defined in the IDS, then the generated alerts are published to the IMS
through the AMS. The proposed IMS proceeds to take automated
corrective responses to mitigate cyberattacks by reconfiguring the
synchrophasor network to isolate the compromised PDCs, and it
orchestrates new PDCs to prevent the future propagation of attacks.
Further, the IMS restores the system’s observability by reconnecting
the new PDCs to make the grid attack-resilient. In this work, the
SHARP-Net platform is developed by using Python-based libraries,
minimega’s software-defined network, and virtual machine
orchestration. We implement and validate the proposed SHARP-Net
architecture by testing a PMU network in the smart grid environment.
SHARP-Net showed promising performance in detecting cyberattacks and
mitigating them through the network reconfiguration.
I. INTRODUCTION
Synchrophasor technology is transforming today’s electric power grids
by providing real-time monitoring to protect the grid’s health on
spatial and temporal levels. Synchrophasors provide dynamic stability
assessments and assist in developing mission-critical applications as
necessary to maintain the stability and reliability of power systems.
Traditional supervisory control and data acquisition (SCADA) systems
fail to provide faster measurements, which are necessary to provide
wide-area dynamic monitoring of the grid and perform corrective
actions to maintain the transient stability. These limitations can be
overcome by deploying synchrophasor technology-based phasor
measurement units (PMUs), which can provide high-resolution
measurement at a rate of more than 30 samples per second to detect
disturbances and develop efficient wide-area controllers [1]. As
synchrophasor technology evolves with increasing field deployments and
mission-critical applications, synchrophasors become more vulnerable
to cyberattacks. As emphasized in the NERC document [2], there is a
need to incorporate cyber- and physical security policies into the
synchrophasor network. Because synchrophasor devices lack
authentication, and communicate using unencrypted and insecure
protocols, attackers can perform different types of attacks, such as
denial-of-service (DoS), man-in-the-middle (MITM), and global
positioning system (GPS) spoofing attacks. Further, phasor
measurements sent over a wide-area network contain valuable
information about the power system topology and grid condition. Any
compromises and significant delays caused by cyberattacks can affect
the observability of a power system and its related applications.
Therefore, there is a strong desire to develop a self-healing and
attack-resilient synchrophasor architecture against cyberattacks. In
this paper, we propose a novel platform, SHARP-Net, to develop a
self-healing PMU architecture that is resilient to cyberattacks with
the objectives of bridging the gap between theoretical/simulated
research and applied field deployment, and addressing the challenges
related to architecture implementation. The proposed self-healing
architecture has three main components: an intrusion detection system
(IDS), an intrusion mitigation system (IMS), and an alert management
system (AMS). The proposed IDS relies on PMU network logs and phasor
measurements to detect different classes of anomalies. Once an anomaly
is detected, the generated alert is delivered to the IMS through the
AMS-based publisher-subscriber interfaces to take corrective actions.
The corrective actions include reconfiguring the synchrophasor network
to isolate the compromised phasor data concentrators (PDCs),
orchestrating new PDCs to prevent the propagation of attacks, and
reconnecting the disconnected PMUs to restore the system’s
observability. For the proof of concept, resources available at the
National Renewable Energy Laboratory’s Energy Systems Integration
Facility were leveraged to develop the SHARP-Net platform to validate
the proposed architecture. Further, we evaluate the performance of the
proposed SHARP-Net architecture through experimental studies and
multiple use cases for different cyberattacks.
Acknowledgement: This work was authored by the National Renewable
Energy Laboratory, operated by Alliance for Sustainable Energy, LLC,
for the U.S. Department of Energy (DOE) under Contract No.
DE-AC36-08GO28308. Funding provided by U.S. Department of Energy
Office of Energy Efficiency and Renewable Energy Facilities and
Infrastructure Budget. The views expressed in the article do not
necessarily represent the views of the DOE or the U.S. Government. The
U.S. Government retains and the publisher, by accepting the article
for publication, acknowledges that the U.S. Government retains a
nonexclusive, paid-up, irrevocable, worldwide license to publish or
reproduce the published form of this work, or allow others to do so,
for U.S. Government purposes.
,(((
Authorized licensed use limited to: Iowa State University. Downloaded on May 17,2020 at 03:38:30 UTC from IEEE Xplore. Restrictions apply.
II. OVERVIEW AND RELATED WORKS
During the past 10 years, there has been a remarkable increase in PMU
deployment across the North American electric grid, from approximately
200 PMU devices in 2007 to 2500 networked PMU devices in 2017 [3];
however, several researchers have raised serious concerns related to
the cybersecurity challenges of a synchrophasor network. References
[4]-[6] highlighted the existing cybersecurity vulnerabilities in
synchrophasor networks and demonstrated different classes of attacks,
such as data integrity attacks, DoS, and GPS spoofing attacks. Few
researchers have proposed intrusion detection methods against
cyberattacks in the context of synchrophasor networks [7]-[11].
Reference [9] discussed white-listing and behavior-based IDS for
synchrophasor networks that are resilient to attack reconnaissance
(Zenmap scanning), DoS, and MITM attacks. In a similar context, a
model-based IDS that detects known and unknown attacks is presented in
[10]. These works presented extensive research regarding the attack
surface between the PMU and PDC network; however, there is very little
insight that addresses the attack surface between the substation-based
local PDC and control center-based central PDC wide-area network.
Because a local PDC receives phasor measurements from multiple PMUs,
any compromise or communications delay of the local PDC can cause more
severe consequences than a single affected PMU. As outlined in [11],
researchers presented an integer linear-programming-based self-healing
mechanism for the PMU network while assuming that the cyberattacks had
already been detected; however, the paper lacked architecture design
and pilot experiments based on performance evaluations. To the best of
our knowledge, this is the first work that presents a self-healing
platform, SHARP-Net, designed on minimega and Python-based software
platforms, to address the challenges of real-world implementation, and
bridge the gap between the theoretical/simulation research and actual
field deployment. It allows users to develop and implement their own
custom rules for IDS, set up their own synchrophasor network based on
the given system topology, reconfigure the network to isolate the
compromised local PDCs, and orchestrate new PDCs to restore system
observability.
III. PROPOSED SELF-HEALING ARCHITECTURE
A. Proposed Architecture
In this paper, we propose a novel architecture for developing an
attack-resilient and self-healing PMU network by integrating a
state-of-the-art IDS with a network virtualization and centralized
network controller, such as the emerging software-defined networking
(SDN) technology, as part of the IMS. The proposed architecture
operates in two stages. In the first stage, the proposed IDS detects
cyberattacks targeting the synchrophasor network, specifically local
PDCs, by leveraging phasor measurements and synchrophasor network
packets. In the second stage, the IMS uses the namespace orchestrator
to effectively manage virtual image snapshots and create an
encapsulated SDN environment. The AMS is responsible for sending alert
messages from the IDS to the IMS through the alert manager
publisher-subscriber interfaces. The AMS also sends alert messages to
the central PDC to provide situational awareness about the
reconfigured network addresses of local PDCs. In this work, we assume
that the attacker has access to the wide-area network between the
substation and control center network, and can perform different
cyberattacks, such as DoS and MITM attacks, targeting local
substation-based PDCs. The local PDCs are deployed in several
substations, which receive phasor measurements from multiple PMUs. The
deployed local PDCs forward these measurements to the central PDC,
located at the control center. The generic synchrophasor architecture
is represented in the highlighted area of Fig. 1. The proposed
architecture consists of three major components:
1) IDS: This component analyzes the synchrophasor network traffic and
detects malicious cyberattacks based on the defined rules. It sniffs
synchrophasor network traffic to obtain cyber logs as well as phasor
measurements to detect cyberattacks. We can define several rules to
detect different classes of cyberattacks in real time.
2) IMS: This component performs the substation-based local PDC
namespace orchestration as needed to configure several virtual PDCs
based on the system topology. The configured virtual local PDCs
receive PMU measurements and forward them to the central PDC.
Initially, the proposed IMS operates in the armed mode, and it
activates the namespace orchestrator, once an anomaly is detected, to
remove the compromised substation PDCs and replace them with new
substation PDCs. The central PDC also receives alert messages and new
network addresses to initiate the connection with the new substation
PDCs to restore the connection.
3) AMS: This component interacts with the two other components, the
IMS and the IDS, to transfer the alert messages from the IDS to the
IMS. It consists of three main subcomponents: the alert manager
publisher, alert manager subscriber 1, and alert manager subscriber 2.
The alert manager publisher collects alert logs from anomaly detectors
and forwards them to the IMS. The alert manager subscriber 1 sends the
received alert messages to the namespace orchestrator, which initiates
the re-orchestration process on a given substation namespace. The
alert manager subscriber 2 sends the received alert messages to the
PDC management application programming interface (API) of the central
PDC.
B. Software Overview, Architecture, and Functionality
In this subsection, we discuss several software tools that provided
the foundation of the SHARP-Net platform. To develop the self-healing
platform, we used many open-source tools that are publicly available,
including minimega [12] for orchestrating the virtual environment;
iPDC [13], a Linux-based PDC for emulating PDCs at the substation and
control center networks; Pyshark, a Python wrapper for TShark, for
parsing and dissecting synchrophasor packets; and PyZMQ, the Python
bindings for ZeroMQ, which allows asynchronous and multicast messaging
between the alert manager publisher and multiple alert manager
subscribers in real time. Minimega is deployed as a namespace
orchestrator, which provides a virtualization environment that can
orchestrate virtual machine snapshots inside of an SDN. It is capable
of deploying virtual machines through a scripting engine based on the
commands received from the centralized node. The orchestration can be
divided into several namespaces, as shown in Fig. 1, which are
separate instances of contained virtual machines. This separation
allows for a quick teardown and redeployment of virtual instances
without affecting other virtual systems. Further, the scripting engine
can be created and modified by Python, which enables re-orchestration
of compromised virtual machines in real time, as required during the
attack mitigation process. Note that the iPDC software is used to
emulate substation-based PDCs, and openPDC software is used for the
control center-based PDCs. They are installed in virtual machines that
are orchestrated in minimega’s virtual environment. As part of the
IDS, we used Pyshark to create a proprietary Python script that
detects and decodes IEEE C37.118 synchrophasor packets by using
TShark’s decoding capabilities. Further, the ZeroMQ protocol is used
to communicate between the alert manager publisher and subscribers.
One ZeroMQ publisher can have more than one subscriber binding to the
same port and vice versa.
Fig. 1: Proposed architecture of the SHARP-Net platform
Fig. 2 shows the software flowchart of the SHARP-Net platform, which
revolves around a given number of substation-based local PDCs
virtually modeled by namespaces. These namespaces can be individually
orchestrated depending on the situational demand; in this case, we are
dismantling compromised local PDCs during cyberattacks, assigning
internet protocol (IP) credentials to offline virtual iPDC
substations, configured in standby mode, and spawning new replica
substations as standby snapshots by using the minimega orchestrator.
To develop the synchrophasor-specific IDS, we captured the
synchrophasor packets via a Pyshark network sniffer. We defined rules
for detecting DoS and ARP spoofing attacks, as shown in Table 1. Once
the packets are identified by the alert manager, they are passed
through the IDS, where PMU synchrophasor values and logged packet
attributes can be analyzed to detect cyberattacks. Table 1 provides
the evaluation scripts that we have developed to perform the functions
previously mentioned. Rule 1 accounts for DoS-related attacks where
packet size and latency surpass an acceptable threshold; Rule 2
identifies ARP spoofing (MITM) attacks based on whitelisting MAC
addresses, IP addresses, and port numbers in the Ethernet, network,
and transport layers.
Fig. 2: Software flowchart of the SHARP-Net platform
TABLE I. Rules for Network-Based IDS
Signature-Based Rules: Rule 1
Attack Type: Denial of Service (Timing and Size-Based)
IDS Rules:
    if packet_timestamp < float(0.001) or packet_size > 65535:
        Alert['Type'], Alert['Surface'], Alert['IP'] = 'DOS', 'iPDC[ID]', "{}".format(random_IP)
        socket.send_string(topic, str(Alert))
Signature-Based Rules: Rule 2
Attack Type: ARP Spoofing (Man in the Middle)
IDS Rules:
    if (IP not in whitelist):
        Alert['Type'], Alert['Surface'], Alert['IP'] = 'MITM', 'iPDC[ID]', "{}".format(random_IP)
        socket.send_string(topic, str(Alert))
Given that an alert has been triggered by the Alert Manager, a ZeroMQ
object enclosing a newly generated IP address, attack type, and attack
location is published to the ZeroMQ data subscribers 1 and 2. The
ZeroMQ data subscriber 1 sends an alert to the IMS, which performs the
necessary orchestrations to tear down the compromised substation
namespace for the local PDC, assign new networking credentials to the
standby substation namespace, and initiate another standby substation
namespace to enable a new PDC and replace the compromised PDC.
Meanwhile, the ZeroMQ data subscriber 2 communicates with the central
PDC, which utilizes the newly generated IP address and attack location
information to identify the newly instantiated substation-based local
PDC and establish a client-server connection.
The initial orchestration is governed by an automation script that
deploys two PDC virtual machines per substation namespace: one active
system and one standby system. Upon creation, the active iPDC is
assigned an IP address and PMU server connection information, such as
IP addresses and port numbers; whereas the standby system is only
assigned the PMU server connection information without the ability to
communicate over the network. Once an attack on the active iPDC system
is recognized by the Alert Manager, a new orchestration process
automates the removal of the compromised iPDC, creates a new standby
iPDC system, and assigns a random IP address to the standby system,
which is different from the compromised iPDC. This is done by
utilizing minimega’s orchestration API that allows for the command
line interface (CLI) to deploy mass-virtualization environments. Table
2 provides minimega initialization scripts used to structure qcow2
disk snapshots across an SDN. These structures can be
compartmentalized into namespaces, allowing for seamless
re-orchestration upon recognition of malicious attack vectors.
TABLE II. Re-Orchestration Script
Signature-Based Rules: iPDC Alert Orchestration
Execute Command: mm Read [/path/to/script]
minimega Script:
    namespace iPDC_Sandbox;
    nvm kill VM[killID];
    clear vm config;
    vm config disk ubuntu_server.qc2;
    vm config mem 1024;
    vm config net 101;
    vm launch kvm VM[standbyID];
    vm start all;
    cc filter name=VM[activeID];
    cc exec ip link set ens1 up;
    cc exec ip addr add [new-IP]/24 dev ens1;
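The detect, alert and re-orchestrate loop of Sections III-A and III-B, as an added Python example that is not the authors' script: the two Table I rules run over constructed packet records, and plain callbacks stand in for the ZeroMQ publisher and its two subscribers. The addresses, MACs, port, class and function names, the reading of Rule 1's timestamp as an inter-arrival gap, and the alert holdoff are assumptions of this example.

```python
import ipaddress
import secrets
from dataclasses import dataclass

MIN_GAP_S = 0.001   # Rule 1 timing threshold from Table I
MAX_SIZE = 65535    # Rule 1 size threshold from Table I

@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the fields a Pyshark capture would supply."""
    ts: float   # capture time, seconds
    size: int   # frame length, bytes
    mac: str
    ip: str
    port: int

def classify(pkt, prev_ts, whitelist):
    """Apply the Table I rules to one packet; return 'DOS', 'MITM' or None.

    Assumption: Rule 1's "packet timestamp" is read as the gap to the previous
    packet. Rule 2 matches the whole (MAC, IP, port) tuple, so a whitelisted
    IP that shows up with an unknown MAC (ARP spoofing) fails the check.
    """
    gap = None if prev_ts is None else pkt.ts - prev_ts
    if (gap is not None and gap < MIN_GAP_S) or pkt.size > MAX_SIZE:
        return "DOS"
    if (pkt.mac, pkt.ip, pkt.port) not in whitelist:
        return "MITM"
    return None

class Substation:
    """One namespace: an active PDC with an address, a standby PDC without."""

    def __init__(self, surface, subnet, active_ip):
        self.surface = surface
        self.subnet = ipaddress.ip_network(subnet)
        self.active = {"vm": 1, "ip": active_ip}
        self.standby = {"vm": 2, "ip": None}   # offline until promoted
        self.used_ips = {active_ip}

    def fresh_ip(self):
        """Pick a random host address no PDC of this substation has held."""
        pool = [str(h) for h in self.subnet.hosts() if str(h) not in self.used_ips]
        return secrets.choice(pool)

    def reorchestrate(self, new_ip):
        """Remove the active PDC, promote the standby, create a new standby."""
        self.used_ips.add(new_ip)
        self.active = {"vm": self.standby["vm"], "ip": new_ip}
        self.standby = {"vm": self.active["vm"] + 1, "ip": None}

class AlertManager:
    """In-process stand-in for the ZeroMQ publisher and its subscribers."""

    def __init__(self, holdoff_s=5.0):
        self.subscribers = []
        self.holdoff_s = holdoff_s   # assumption: the paper gives no such setting
        self.last_sent = {}          # surface -> time of last published alert

    def publish(self, alert, now):
        """Fan the alert out unless this surface alerted within the holdoff."""
        last = self.last_sent.get(alert["Surface"])
        if last is not None and now - last < self.holdoff_s:
            return False             # same attack: do not re-orchestrate again
        self.last_sent[alert["Surface"]] = now
        for deliver in self.subscribers:
            deliver(dict(alert))     # each subscriber gets its own copy
        return True

def run_ids(packets, whitelist, substation, ams):
    """Run packets through the rules; return the alerts that were published."""
    published, prev_ts = [], None
    for pkt in packets:
        kind = classify(pkt, prev_ts, whitelist)
        prev_ts = pkt.ts
        if kind is None:
            continue
        alert = {"Type": kind, "Surface": substation.surface,
                 "IP": substation.fresh_ip()}
        if ams.publish(alert, now=pkt.ts):
            published.append(alert)
    return published

def demo():
    """Constructed scenario: normal 60 frames/s traffic, then a spoofed MAC."""
    ip, port = "10.0.101.10", 4712   # constructed sample values
    good_mac, bad_mac = "52:54:00:00:00:10", "52:54:00:00:00:66"
    sub = Substation("iPDC[1]", "10.0.101.0/24", ip)
    central_view = {}   # central PDC's record: surface -> local PDC address
    ams = AlertManager()
    # Subscriber 1 drives the orchestrator; subscriber 2 informs the central PDC.
    ams.subscribers.append(lambda a: sub.reorchestrate(a["IP"]))
    ams.subscribers.append(lambda a: central_view.update({a["Surface"]: a["IP"]}))
    pkts = [Packet(i / 60, 120, good_mac, ip, port) for i in range(5)]
    pkts += [Packet(0.1 + i / 60, 120, bad_mac, ip, port) for i in range(3)]
    alerts = run_ids(pkts, {(good_mac, ip, port)}, sub, ams)
    return sub, central_view, alerts
```

In a live deployment the whitelist would also need the promoted PDC's address after each swap, or Rule 2 would flag its traffic; the example stops before that point.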
IV. CASE STUDY AND EXPERIMENTAL SETUP
Fig. 3: Experimental setup for using SHARP-Net
Fig. 3 shows the experimental setup for testing the SHARP-Net
architecture. To enable synchrophasor communications, virtual PMUs are
modeled in the real-time digital simulator (RTDS), which generates
synthetic phasors at a sampling rate of 60 samples per second. The
Linux-based PDC software, iPDC, is operating as a local PDC for the
substation that receives the PMU data from the simulator using the
IEEE C37.118 protocol, and forwards it to the software-based PDC,
openPDC, operating in the control center environment. As a case study,
we implemented an ARP spoofing attack on the local active PDC to
disable the communication between the local active PDC and the super
PDC. The IDS, IMS, and AMS are operated over the wide-area network to
coordinate the re-orchestration process in the event of an attack.
Initially, the local standby PDC is offline and unreachable via the
network. Once the IDS detects the man-in-the-middle (MITM) attack,
based on the rule defined in Table 1, the IMS removes the compromised
PDC, assigns internet protocol (IP) credentials to the new active PDC,
and orchestrates a new standby PDC. The AMS generates the alert
message and network address information of local PDC 2 and transmits
it to the super PDC, located in the control center, for
re-configuration.
V. RESULTS AND DISCUSSIONS
Fig. 4 shows the PMU packets during DoS and ARP spoofing attacks in
terms of frames/second. Initially, the central PDC receives PMU
packets at around 60 frames/second. During the DoS attack, the frame
rate falls below 20 frames/second at 10 seconds. The ARP spoofing
attack disables the communication, and the frame rate drops from 60 to
0 frames/second within a short time interval. Fig. 5 shows the
performance of SHARP-Net during the attack detection and mitigation
processes. It can be observed that the ARP spoofing attack is
performed at 8.5 seconds, which compromises the local active PDC, and
disables the PMU communication to the central PDC. Once the local
active PDC is compromised, the PMU voltage drops from 0.933 (per unit)
to 0 (per unit). The IDS raises alerts based on the defined rules, and
the IMS enables PMU communications to pass through the local standby
PDC. The local standby PDC connects to the central PDC at 16 seconds
and PMU voltage is finally recovered to 0.933, restoring the system’s
observability.
Fig. 4: PMU frames/second during DoS and ARP spoofing attacks
Fig. 5: Attack detection and mitigation during ARP spoofing attack using SHARP-Net
VI. CONCLUSION
In this paper, we proposed a novel platform, SHARP-Net, to develop a
self-healing and attack-resilient architecture of the PMU network. We
described three main components of the proposed architecture: IDS,
IMS, and AMS. We showcased how the proposed IDS can sniff network
traffic to obtain attack signatures to detect possible cyberattacks,
such as DoS and MITM attacks, in the context of synchrophasor
cyber-physical security. Further, we integrated the proposed IDS with
IMS through the AMS to provide automated corrective responses, once an
initial attack was detected, to prevent further propagation of
attacks. We also provided key insights about several open-source
software tools that were integrated seamlessly to build this platform.
It can be inferred from the experimental results that the proposed
architecture can recover the synchrophasor network from cyberattacks
in a short time frame. Further, the proposed SHARP-Net platform allows
users to develop their own custom rules for IDS, modify and customize
the architecture implementation based on their requirements, and add
more scripting-based corrective actions to secure the substation-based
PDC. These capabilities have not been possible using the commercially
available hardware-based substation PDC. The potential avenues for
future work include developing a library of several
synchrophasor-specific IDS rules, introducing network redundancy using
the SDN local and wide-area network, and deploying in the field.
REFERENCES
[1] U.S. Department of Energy (DoE), Advancement of Synchrophasor
Technology, March 2016.
[2] NERC (Oct. 2010), Real-Time Application of Synchrophasors for
Improving Reliability.
[3] NARUC Summer Meeting, North American SynchroPhasor Initiative
(NASPI), 2017.
[4] C. Beasley et al., "Cyber security evaluation of synchrophasors in
a power system," 2014 Clemson University Power Systems Conference,
Clemson, SC, 2014, pp. 1-5.
[5] T. Morris et al., "Cybersecurity Testing of Substation Phasor
Measurement Units and Phasor Data Concentrators," in ACM Annual
Workshop on Cyber Security and Information Intelligence Research,
2011.
[6] D. Shepard et al., "Evaluation of the Vulnerability of Phasor
Measurement Units to GPS Spoofing Attacks," in International Journal
of Critical Infrastructure Protection, 2012.
[7] V. K. Singh and M. Govindarasu, "Decision Tree Based Anomaly
Detection for Remedial Action Scheme in Smart Grid using PMU Data,"
2018 IEEE Power Energy Society General Meeting (PESGM), Portland, OR,
2018, pp. 1-5.
[8] V. K. Singh et al., "Evaluation of Anomaly Detection for Wide-Area
Protection Using Cyber Federation Testbed," 2019 IEEE Power Energy
Society General Meeting (PESGM), Atlanta, GA, 2019, pp. 1-5.
[9] Y. Yang et al., "Intrusion Detection System for network security
in synchrophasor systems," IETICT 2013, Beijing, China, 2013, pp.
246-252.
[10] R. Khan, A. Albalushi, K. McLaughlin, D. Laverty and S. Sezer,
"Model based intrusion detection system for synchrophasor applications
in smart grid," 2017 IEEE Power Energy Society General Meeting,
Chicago, IL, 2017, pp. 1-5.
[11] H. Lin et al., "Self-Healing Attack-Resilient PMU Network for
Power System Operation," in IEEE Transactions on Smart Grid, vol. 9,
no. 3, pp. 1551-1565, May 2018.
[12] minimega, a distributed VM management tool, https://minimega.org/
[13] iPDC-Free Phasor Data Concentrator, Tool for Wide-Area
Measurement System, https://sourceforge.net/projects/iitbpdc/
Authorized licensed use limited to: Iowa State University. Downloaded on May 17,2020 at 03:38:30 UTC from IEEE Xplore. Restrictions apply.
... I Cai et al. [11] I Degeler et al. [13] I Samir et al. [14] I Wyers et al. [15] I Gill et al. [12] I Mehmet [16] 2. Self-Healing Approaches and Techniques I Chen and Bahsoon [17] I Singh et al. [18] I Stojanovic and Stojanovic [19] I Berry and Chollot [20] I Schneider et al. [10] I Khalil et al. [21] I Hsieh [14] I El Fallah Seghrouchni et al. [2] 3. Intrusion Detection and Security I Degeler et al. [13] I Joseph and Mukesh [9] I Ahmad et al. [22] I Berry and Chollot [20] I Zhang et al. [6] I Subashini and Kavitha [4] I Colabianchi et al. [23] I Mohammadi et al. [24] ...
... PMUs measure electrical quantities' magnitude and phase angle, such as voltage and current, at high speed and accuracy. PMUs can be used to implement self-healing mechanisms in several ways, such as: PMU for a self-healing feature on the power grid was implemented by [18] and created real-time monitoring and load balancing using three components that facilitate the selfadaptation and self-healing functionality of the network. The following list describes the three components of the PMU: ...
... The subscriber2 sends the received alert messages to the namespace orchestrator, which triggers the orchestration process on a given substation namespace. The alert manager subscriber3 sends the received alert messages to the application programming interface (API) of the central management application [18]. ...
Article
Full-text available
The rapid advancement of networking, computing, sensing, and control systems has introduced a wide range of cyber threats, including those from new devices deployed during the development of scenarios. With recent advancements in automobiles, medical devices, smart industrial systems, and other technologies, system failures resulting from external attacks or internal process malfunctions are increasingly common. Restoring the system’s stable state requires autonomous intervention through the self-healing process to maintain service quality. This paper, therefore, aims to analyse state of the art and identify where self-healing using machine learning can be applied to cyber–physical systems to enhance security and prevent failures within the system. The paper describes three key components of self-healing functionality in computer systems: anomaly detection, fault alert, and fault auto-remediation. The significance of these components is that self-healing functionality cannot be practical without considering all three. Understanding the self-healing theories that form the guiding principles for implementing these functionalities with real-life implications is crucial. There are strong indications that self-healing functionality in the cyber–physical system is an emerging area of research that holds great promise for the future of computing technology. It has the potential to provide seamless self-organising and self-restoration functionality to cyber–physical systems, leading to increased security of systems and improved user experience. For instance, a functional self-healing system implemented on a power grid will react autonomously when a threat or fault occurs, without requiring human intervention to restore power to communities and preserve critical services after power outages or defects. 
This paper presents the existing vulnerabilities, threats, and challenges and critically analyses the current self-healing theories and methods that use machine learning for cyber–physical systems.
... A deep-learning based model is proposed by Khediri et al.in [32] to enhance resiliency of the SG. Singh et al. in [33] proposed a resiliency framework for a PMU network capable of detecting an intrusion in order to develop a potential mitigation strategy. ...
Article
Full-text available
The advent of synchrophasor technology has completely revolutionized the modern smart grid, enabling futuristic wide-area monitoring protection and control. The Synchrophasor Communication Network (SCN) is a backbone that supports communication of synchrophasor data among Phasor Measurement Units (PMUs) and Phasor Data Concentrators (PDCs). The operator at the control center can visualize the health of the smart grid using synchrophasor data aggregated at PDCs from several PMUs. Since the core of the SCN is the existing IP network as an underlying communication infrastructure, the synchrophasor data is subjected to attacks that can compromise its security. The attacks, such as denial-of-service (DoS), can result in degradation of performance and even can disrupt the entire operation of the smart grid, if not controlled. Thus, a resilient SCN is a pertinent requirement in which the system continues to operate with accepted levels of performance even in response to the DoS. This article endeavors to propose a comprehensive resiliency framework for the SCN with enhanced resiliency metrics based on hardware reliability and data reliability. The proposed framework is deployed for a SCN pertaining to a practical power grid in India for its resiliency analysis. The proposed work can be regarded as a significant contribution to smart grid technology, as it provides a framework for resiliency analysis covering different aspects such as hardware reliability, data reliability, and parameters validation using the QualNet network simulator. Nevertheless, an analytical design of the hybrid SCN proposed in this work can even be extended to other topological designs of SCN.
... Traditional health assessment, which is based on voltage security and/or frequency stability, provides a deeper insight into the operational health of a system and provides indications of anomalous activity [10]. Voltage security is defined as the system's capability to maintain system's voltage within acceptable limits during system stress, physical disturbances, and cyber-attacks [11]- [15]. Similarly, frequency stability is defined as a system's ability to maintain a stable and synchronous frequency environment between generators amid environmental and external disturbances [16], [17]. ...
Chapter
Reliability, resilience and Quality of Service are essential features of modern electric power-system operations that reflect the transition of electric energy infrastructure towards the smart grid deployment. Leveraging the Software Defined Networking technology and other cybersecurity cutting-edge technologies and algorithms, this work aims to bring a innovation in the modern Electrical Power and Energy System environment. To this end, we propose a cyber-resilience enhancement framework with the aim to modernize the traditional electrical grid and provide solutions in the domains of voltage and frequency restoration, cybersecurity and network Quality of Service. Based on the results, the framework is able to detect accurately cyberattacks and perform network path re-allocation by maximizing the Quality of Service in a more accurate way than other state of art algorithms.
Article
The smart grid cyber–physical system (SGCPS) is the latest evolution of the traditional power system. Synchrophasor application in the SGCPS is responsible for wide area monitoring and control of the grid. Its communication network referred to as the synchrophasor communication network (SCN) has to be resilient. The resiliency measures the system’s ability to bounce back to the operational state from the failed state. Despite the maturity of the research on resiliency, it is still sparsely explored for the SCNs in a SGCPS. There is no comprehensive resiliency metric for the resiliency analysis of the SCN. Thus, a comprehensive resiliency metric in the context of the SCNs is presented in this paper. Further, a methodology is also presented for evaluating the resiliency of the SCN. The SCNs are designed for the practical power grid of West Bengal State, India, which have been analyzed for their resiliency using the proposed methodology.
Chapter
With the advent of 5th Generation (5G) of mobile networks, a diverse range of new computer networking technologies are being devised to meet the stringent demands of applications that require ultra-low latency, high bandwidth and geolocation-based services. Mobile Edge Computing (MEC) is a prominent example of such an emerging technology, which provides cloud computing services at the edge of the network using mobile base stations. This architectural shift of services from centralised cloud data centers to the network edge, helps reduce bandwidth usage and improve response time, meeting the ultra-low latency requirements laid out for 5G. However, MEC also inherits some of the vulnerabilities affecting traditional networks and cloud computing, such as coordinated attacks. Previous works have proposed the use of Intrusion Detection Systems (IDS), specifically Collaborative Intrusion Detection Systems (CIDS), which have proven to be effective in identifying distributed attacks. However, identifying the right CIDS model is not straightforward due to the tradeoff between different factors such as detection accuracy, network overhead, computation and memory overhead. In this chapter, we outline some of the characteristics relevant for evaluating CIDS deployment models and survey existing CIDS architectures in the context of MEC, while presenting novel strategies and architectures of our own.
Conference Paper
Cyber physical security research for smart grid is currently one of the nation's top R&D priorities. The existing vulnerabilities in the legacy grid infrastructure make it particularly susceptible to countless cyber-attacks. There is a growing emphasis towards building interconnected, sophisticated federated testbeds to perform realistic experiments by allowing the integration of geographically-dispersed resources in the dynamic cyber-physical environment. In this paper, we present a cyber (network) based federation testbed to validate the performance of an anomaly detector in context of a Wide Area Protection (WAP) security. Specifically, we have utilized the resources available at the Iowa State University Power Cyber (ISU PCL) Laboratory to emulate the substation and local center networks; and the US Army Research Laboratory (ARL) to emulate the regional control center network. Initially, we describe a hardware-in-the-loop based experimental setup for implementing data integrity attacks on an IEEE 39 bus system. We then perform network packet analysis focusing on latency and bandwidth as well as evaluate the performance of a decision tree based anomaly detector in measuring its ability to identify different attacks. Our experimental results reveal the computed wide area network latency; bandwidth requirement for minimum packet loss; and successful performance of the anomaly detector. Our studies also highlight the conceptual architecture necessary for developing the federated testbed, inspired by the NASPI network.
Conference Paper
The advanced and persistent cyber threats facing the critical infrastructure such as the smart grid are exponentially rising which require sophisticated defense strategy. Remedial Action Scheme (RAS), also known as Special Protection Scheme (SPS), relies on the interconnected cyber physical system for automated protection which is exposed to the multitude of vulnerabilities. In this paper, we propose an innovative approach to develop an Intelligent Remedial Action Scheme (IRAS) which can detect and distinguish cyber attacks from the physical disturbances in smart grid and later take smart corrective actions as required to minimize the impact on system reliability and economy. Specifically, we have proposed the decision tree based anomaly detection methodology which can distinguish between the normal tripping during power line faults and malicious tripping attack on the physical relays in the context of RAS. The classification model is developed using differential features of voltage and current phasors. Next, as a proof of concept, we have implemented and validated the proposed methodology in cyber physical environment at Iowa State's PowerCyber testbed. Finally, the proposed methodology is tested on modified IEEE 39 bus system in offline and real-time mode. Our experimental results show that the proposed method is efficient in detecting attacks and performing corrective actions within an acceptable time frame. Index Terms-remedial action scheme, cyber attack, phasor measurement units, decision tree.
Conference Paper
Synchrophasor technology is used for real-time control and monitoring in modern power systems. IEEE C37.118 communication framework is most widely used by synchrophasor devices such as Phasor Measurement Units (PMUs) and Phasor Data Concentrators (PDCs). The size, format and structure of IEEE C37.118 payloads vary significantly from one PMU/PDC to the other which make traditional signature based IDS tools (i.e., SNORT, Suricata, etc) inefficient for synchrophasor-based systems. Thus, this paper presents the design of a comprehensive model-based Synchrophasor Specific Intrusion Detection System (SS-IDS) and analyzes its features and capabilities. The proposed SS-IDS is implemented as a light-weight efficient multi-threaded tool using optimized PCAP filters. The defined model-based rules enable it to detect known as well as unknown attacks (including unintentional misuse). The functionalities of the proposed SS-IDS are validated in the lab using a testbed consisting of real PMU data and NRL CORE based emulated network.
Article
In this paper, we propose a self-healing PMU network that exploits the features of dynamic and programmable configuration in a software-defined networking (SDN) infrastructure to achieve resiliency against cyber-attacks. After a cyberattack, the configuration of network switches is changed to isolate the compromised PMUs/PDCs to prevent further propagation of the attack; meanwhile, the disconnected yet uncompromised PMUs will be reconnected to the network to “self-heal” and thus restore the observability of the power system. Specifically, we formulate an integer linear programming (ILP) model to minimize the overhead of the self-healing process (e.g., the recovery latency), while considering the constraints of power system observability, hardware resources, and network topology. We also propose a heuristic algorithm to decrease the computational complexity. Case studies of a PMU network based on the IEEE 30-bus and 118-bus systems are used to validate the effectiveness of the self-healing mechanism.
Conference Paper
Future bulk electric transmission systems will include substation automation, synchrophasor measurement systems, and automated control algorithms which leverage wide area monitoring system to better control the grid. Prior to installation of new networked devices, utilities should perform cybersecurity testing and develop corrective actions for identified vulnerabilities. This paper outlines testing performed prior to the installation of a synchrophasor wide area monitoring system. Phasor measurement unit and phasor data concentrator devices from multiple vendors were subjected to laboratory testing including; device security feature identification, port scans, network congestion testing, denial of service testing, protocol mutation testing, and network traffic disclosure testing. This paper outlines the procedures used to perform the testing and discusses the types of results expected from testing.
Article
Results of Global Positioning System (GPS) spoofing tests against phasor measurement units (PMUs) are presented, which demonstrate that PMUs are vulnerable to spoofing attacks. A GPS spoofer can manipulate PMU time stamps by injecting a counterfeit ensemble of GPS signals into the antenna of the PMU's time reference receiver. A spoofer-induced timing error of only a few tens of microseconds causes a PMU to violate the maximum phase error allowed by the applicable standard. These and other larger errors can give automated or human power grid controllers a false perception of the state of the grid, leading to unnecessary, and possibly destabilizing, remedial control actions. To emphasize this threat, this paper shows that a particular PMU-based automatic control scheme currently implemented in Mexico whose control architecture and setpoints have been published in the open literature could be induced by a GPS spoofing attack to trip a primary generator.
Conference Paper
The addition of synchrophasors such as phasor measurement units (PMUs) to the existing power grid will enhance real-time monitoring and analysis of the grid. The PMU collects bus voltage, line current, and frequency measurements and uses the communication network to send the measurements to the respective substation(s)/control center(s). Since this approach relies on network infrastructure, possible cyber security vulnerabilities have to be addressed to ensure that is stable, secure, and reliable. In this paper, security vulnerabilities associated with a synchrophasor network in a benchmark IEEE 68 bus (New England/New York) power system model are examined. Currently known feasible attacks are demonstrated. Recommended testing and verification methods are also presented.
Conference Paper
Synchrophasor systems will play a significant role in next generation Smart Grid monitoring, protection and control. However, these systems also introduce a multitude of potential vulnerabilities and cyber threats from malicious attackers or disgruntled employees, which may cause erroneous situational awareness or severe damage. This paper proposes a Synchrophasor Specific Intrusion Detection System (SSIDS) for malicious cyber attacks and unintended misuse. The SSIDS involves a heterogeneous whitelist and behaviour-based approach to detect known and unknown attacks. The paper investigates and simulates reconnaissance, Man-in-the-Middle (MITM) and Denial-of-Service (DoS) attacks against a practical synchrophasor system that is used to validate the effectiveness of the proposed SSIDS detection tool. In contrast to previous research in this area that generally has investigated known attacks, this research actively considers the operational features of the IEEE C37.118 protocol and presents a more comprehensive and general solution to deal with not only known attacks but also unknown attacks.
iPDC-Free Phasor Data Concentrator, Tool for Wide-Area Measurement System
V. K. Singh et al., "Evaluation of Anomaly Detection for Wide-Area Protection Using Cyber Federation Testbed," 2019 IEEE Power Energy Society General Meeting (PESGM), Atlanta, GA, 2019, pp. 1-5.