A Method for Detecting Abnormal Sensor Data Using Multi · PDF file ·...
-
Upload
hoangquynh -
Category
Documents
-
view
218 -
download
1
Transcript of A Method for Detecting Abnormal Sensor Data Using Multi · PDF file ·...
CIGRE GRID OF THE FUTURE, SENSOR DATA AND FAULT LOCATION ANALYTICS SESSION 2017.10 .24
A Met hod fo r Det ect ing Ab norm al Sens or Dat a Us ing Mult i-t e rm ina l Diffe rent ia l Pro t ect ion Funct ions
David Coa t s , Reyna ld o Nuq ui USCRC
1. Collab ora t ive Defens e (CoDef) Pro ject Overview
2. Threa t Mod eling
3. Mult i-Term ina l Pro t ect ion
4. Ab norm al Da t a Det ect ion Met hod
5. Sum m ary, Conclus ions , and Fut ure Pro ject s
Oct ob er 31, 20 17 Slid e 2
Agenda
Collaborat ive and Dist ribut ed Cyber Defens e Funct ions , DoE Fund ed Res ea rch
Oct ob er 31, 20 17 Slid e 3
Domain Based Collaborat ive Defense (CoDef )
To ad vance t he s t a t e o f t he a rt in cyb er d efens e m et hod s fo r t rans m is s ion and d is t rib ut ion g rid p ro t ect ion and cont ro l d evices b y d evelop ing and d em ons t ra t ing a d is t rib ut ed s ecurit y d om ain layer t ha t enab les t rans m is s ion and p ro t ect ion d evices t o co llab ora t ive ly d efend ag a ins t cyb er a t t acks .
“Cyb er Securit y t hroug h ob s curit y” Securit y ag a ins t cyb er a t t acks on p ro t ect ion and cont ro l
d evices is p erfo rm ed a t t he IT layer. Cyb er s ecurit y is react ive and could no t b lock m alicious
op era t ion o f s ub s t a t ion s wit ching d evices
Int er-d evice level t echno log y fo r s m art d e t ect ion o f cyb er a t t acks us ing p ower s ys t em d om ain knowled g e, IEC 61850 and o t her s t and ard s ecurit y ext ens ions Real t im e, cyb er s ecure and OT erro r-p roof p ro t ect ion and
cont ro l s o lut ions fo r p ower g rid s
Ob ject ive
St a t e -o f-t he-a rt
Innova t ion
Cyber At t ack Scenarios and Securit y Dem ons t ra t ions
Oct ob er 31, 20 17 Fina l Rep ort - Award No. DE-OE0 0 0 0 674 Slid e 5
Cyber-Physical Securit y Funct ions
At t ack Goal of At t ack Cyber Securit y Funct ion Demonst rat ed
Implement at ion Level
Malicious d a t a inject ion Malicious t rip p ing o f circuit b reaker
1. Co-p ick – co llab ora t ive p ickup confirm at ion(p os s ib le w/ in Pro t ect ive Relays )
Eng ineering Too ls
2. Trans -p ick – t rans ient p ickup confirm at ion (new hard ware)
New Develop m ent
3. Mult i-pick – Mult i-t erminal dif f erent ialconf irmat ion (possible w/ in Prot ect ive Relays)
Eng ineering Too ls
Unaut horized cont ro l o f circuit b reaker
Malicious t rip p ing o f circuit b reaker
4. Cyb er s ecured d irect cont ro l o f b reaker –M2M com m unica t ions , s im ula t ion as s is t ed
Sim ula t ionAs s is t ed
Malicious chang e in p ro t ect ive re lays s e t t ing s
Mis -coord ina t ere lays
5. Cyb er s ecured IED config ura t ion chang e –GOOSE confirm at ion (p os s ib le w/ in Relays )
Sim ula t ionAs s is t ed , Com m .
GOOSE a t t ack Malicious t rip p ing o f circuit b reaker
6. Cyb er s ecured GOOSE – Aut hent ica t ed GOOSE IEC62351 Im p lem ent a t ion (new hard ware)
New Develop m ent ,St and ard s Bas ed Com m unica t ion
Timing Plot Comparison
Oct ob er 31, 20 17 Slid e 6
Example Applicat ion Time-Scale Overview
REL_PTRC: Trip cond it ion log ic: act ua l t rip com m and a ft e r act ua l fault
REL_Dis :
Dis t ance t rip com m and from REL670
CoPick or Mult iPick
Confirm from p ick-up log ica l nod e from 3 t o 4 exis t ing re lays b y GOOSE m es s ag e , Fib er
Mult i-t e rm ina l p ro t ect ion from 3 t e rm ina ls p rop os ed confirm a t ion from GOOSE m ess ag e , Fib er
Trans Pick
Confirm from Trans ient cond it ions ap p roxim a t e ly q ua rt e r t o ha lf cycle p ro t ect ion (Com m od it y Hard ware)
Specif icat ions and Assumpt ions
Oct ob er 31, 20 17 Slid e 7
Threat Modeling
In a d ig it a l world , “ob scurit y” is g rowing increas ing ly ha rd t o m a int a in
Dom ain b ased , co llabora t ive , and ab norm a l da t a d e t ect ion cyb er s ecurit y ap p lica t ions a re no t t he firs t layer o f d efense b ut could he lp
There a re t wo t yp es o f s cena rios which fo rm t he b as is o f hig h leve l a t t ack m od els :
Scenario 1: In t his s cena rio , t he a t t acker e it her s t ea ls t he cred ent ia ls (log in/ pas sword ) and / or t here is a s ecurit y b reach in t he IT infra s t ruct ure . This lead s t o unaut horized acces s t o IEDs o r Pro t ect ive Relays and com m unica t ion ne t work.
Scenario 2: In t his s cena rio , t he a t t acker can b e a d isg runt led em p loyee , who has t he com p le t e knowledge o f t he sys t em and aut horized acces s t o IEDs and com m unica t ion ne t work.
A generic sample value attack model
Sample Value Securit y
Oct ob er 31, 20 17 Slid e 8
Abnormal Dat a Sources
IED gathers Ethernet traffic with NIC and filters SVValues of 3-phase values of V and I
IED firmware detects a fault in the electrical network
IED sends a 61850-8-1 GOOSE message to breaker control unit
MU Digitized Measurements
Merging Unit Gathers V, I and transducer status
MU merged digital values to standard SV packets and put time stamp
MU sends SV packets to Process Bus Network (61850-9-2)
MU gets time synch from a common timing source
Attacker injects an external malicious SV packet
Attacker eavesdrop SV traffic, get SV information
Attacker compose an SV packet
Driving Fact o rs :
Fas t e r p ro t ect ion req uires fa s t e r m easurem ent s
Dis t rib ut ion and t ransm is s ion aut om at ion p ush t oward d ig it a l m erg ing unit s fo r m easurem ent s
Increased d ep endence on t im ing sources
Hig h Leve l Threa t Scena rio1. The m erg ing unit (MU) g a t hers vo lt ag e, current and t ransd ucer s t a t us
info rm a t ion and d ig it izes t he m easurem ent s .2. MU g e t s t im e sync from com m on t im e source and d ig it ized
m easurem ent m erg ed in s am p le va lue (SV) p acke t s . The MU ensures t ha t t he num b er o f p acke t s fo llow IEC 61850-9-2, i.e . 80 s am p les / cycle
3. At t acker cont inuous ly m onit o rs t he SV t ra ffic, com p oses a m a licious SV p acke t s o r cop ies a fault s ig na t ure , and inject s it int o t he t ra ffic wit h t he correct p acke t s t ruct ure and s t and a rd fo rm a t Man in the Middle or Replay Attack
Scenario
KCL Condit ions
Oct ob er 31, 20 17 Slid e 9
Classical Dif f erent ial Prot ect ion
Typ ica l d iffe rent ia l o r m ult i-t e rm ina l p ro t ect ion m ay req uire d ed ica t ed com m unica t ion p a t hs
Mult ip le m as t e r config ura t ions : Mas t e r-s lave , m as t e r-m as t e r
Lim it s int rod uced in d ig it a l sys t em s b ased on la t ency and t hroug hp ut o f GOOSE, MMS , e t c
𝐼𝐼1 + 𝐼𝐼2 + 𝐼𝐼3 + ⋯𝐼𝐼𝑁𝑁 = 0
𝐼𝐼1 + 𝐼𝐼2 + 𝐼𝐼3 + ⋯𝐼𝐼𝑁𝑁 = 𝐼𝐼𝑑𝑑𝑑𝑑𝑑𝑑𝑑𝑑
1. When t he sum of a ll current is ze ro : No fault is d e t ect ed in t he Pro t ect ed Zone .2. When t he sum of a ll current yie ld s a current Id iff: A fault is d e t ect ed in t he
Pro t ect ed Zone , and t he fault current is Id iff.Current m easurem ent s a re a s sum ed t o b e accura t e , wit h ad d it iona l re lay s e t t ing s fo r a b ia s va lue b ased on d iffe rences in CT ca lib ra t ion
Collaborat ive and Dist ribut ed Cyber Defens e Funct ions fo r Trans m is s ion and Dis t rib ut ion
Oct ob er 31, 20 17 Slid e 10
Mult i Terminal Logic Goals
1. Fas t Op era t ion• Fas t act ing p rot ect ion m et hod s chosen (overcurrent ,
d iffe rent ia l)• Take advant ag e of d ig it a l m erg ing unit s and hig h sp eed
com m unica t ion2. Securit y
• Mult ip le loca t ions• Mult ip le sensor s t ream s• Es t ab lished p hys ica l p rincip les (KCL)• Sup p lem ent a l t o IT and OT b es t p ract ices
3. Read ines s• Typ ica l Markov Decis ion Log ic ut ilized for p ro t ect ive re lays• Int e rop erab ilit y p rovid ed wit h in com m unica t ion s t and a rd s• Minim a l deve lopm ent required• Targ e t s exis t ing eng ineering and config ura t ion t oo ls
4. Com p a t ib ilit y• No d ed ica t ed ha rd ware• Can use exis t ing p ro t ect ion funct ions• Confirm a t ion and co llabora t ion funct ions ava ilab le t hroug h
IEC61850 log ica l nod es
Collaborat ive and Dist ribut ed Cyber Defens e Funct ions fo r Trans m is s ion and Dis t rib ut ion
Oct ob er 31, 20 17 Slid e 11
Abnormal Dat a Det ect ion Logic
1. Cont inuous ly ca lcula t e t he superim p osedcom ponent current s (I1F t hrough INF) from t hecurrent m easurem ent s (I1 t hroug h IN)
2. Ca lcula t e t he d iffe rent ia l current , Id iff
3. If Id iff and a m ajorit y of t he N superim p osedcom ponent current s (I1F t hrough INF) a reg rea t e r t han p redefined t hreshold s , confirmint e rna l fault
4. If Id iff and only one of t he N superim p osedcom ponent current s , fo r exam ple only I1F, a reg rea t e r t han p redefined t hresho lds , a sensorfa ilure was d e t ect ed and t he sensor t ha tm easures I1 was t he fa iled sensor.
Measurement and digit alizat ion of CT input s
Oct ober 31, 2017 Slid e 12
Simulat ion Set up and Test Cases
Example t apped line wit h mult i-t erminal prot ect ion and DER int egrat ion
Sim ula t ed Measurem ent Sys t em :1. Id ea l q uant iza t ion wit h rand om ized noise2. Modelled current t rans form er sa t ura t ion lim it s
and g a in se t t ing s3. Tim e synchroniza t ion
Sim ula t ed Pro t ect ion Sys t em s :1. Sim p lified d iffe rent ia l m ult i-t e rm ina l d e t ect ion2. Log ica l Markov decis ion p roces s verifying
d iffe rent ia l p ro t ect ion wit h t he superim p osedcurrent
Tes t Cond it ions :1. Int e rna l fault wit hin t he p ro t ect ion zone2. Ext erna l fault close t o t he g rid connect ion3. Measurem ent fault caused by a sudden,
unaut horized change in CT ra t io or fa ls ifiedcurrent m easurem ent
Result s - Fault caus ed b y unaut horized chang e in CT Ra t io
Oct ob er 31, 20 17 Slid e 13
Mult i-t erminal Collaborat ive Defense Conf irmat ion
Confirmed Trip
Unconfirmed Trip
A m ult i-t e rm ina l d iffe rent ia l p ro t ect ion s chem e a llows fo r d e t ect ion and id ent ifica t ion o f s ens or anom alies in m eas urem ent d evices
Enab led b y IEC61850 , log ica l variab les verify t ha t each t e rm ina l in t he p ro t ect ion zone s ees a g iven int e rna l fault and p rovid e norm al op era t ion o f d iffe rent ia l p ro t ect ion
The m et hod is fas t , int e rop erab le wit h exis t ing s ys t em s / p ro t ect ion, and p rovid es an ad d it iona l cyb er-p hys ica l d efence layer
As m ore d ig it a l m erg ing unit d evices em erg e , t hey s up p ort new com m unica t ion and confirm at ion m et hod s t ha t could op era t e wit hin p ro t ect ion t im ing req uirem ent s
Effo rt s in Co llab ora t ive Defence a t ABB have b een cont inued in t wo s ep ara t e p rog ram s t a rg e t ing Microg rid s and HVDC ap p lica t ions p art nering wit h UIUC, Duke Prog res s , and Bonneville Power Ad m inis t ra t ion
Oct ob er 31, 20 17 Slid e 14
Summary and Conclusions