| Field | Value |
|---|---|
| Institution | Washington State University |
| Keywords | Electrical engineering; Anomaly Detection; Cyber security of Substations; GOOSE Anomaly Detection; Intrusion Detection; Network Security; SMV Anomaly Detection |
| Full text PDF | http://hdl.handle.net/2376/5164 |
Cyber intrusions into substations of a power grid are a source of vulnerability, since most substations are unmanned and have limited cyber and physical security protection. In the worst case, simultaneous cyber intrusions into multiple substations can lead to severe cascading events, causing catastrophic power outages. In addition, substation communication protocols did not include cyber security features in their original standards. Generic Object Oriented Substation Event (GOOSE) messages carry the circuit breaker trip command, whereas Sampled Measured Value (SMV) messages carry measured analog values such as currents and voltages. Because substation automation multicast messages are critical and require fast transmission, the IEC 62351 standards proposed an authentication method as the primary security measure for GOOSE and SMV. However, performance testing of authentication applied to GOOSE and SMV is at an early stage, and there is presently no solution for detecting GOOSE- and SMV-related errors, anomalies and intrusions. Cyber security technologies for anomaly detection at a substation are in an early stage of development, and technologies to detect anomalies in substation automation multicast protocols and applications are critically needed. This dissertation is concerned with anomaly detection in the computer network environment of a substation. The proposed integrated Anomaly Detection System (ADS) contains host- and network-based anomaly detection systems for substations, together with simultaneous anomaly detection across multiple substations. Potential scenarios of simultaneous intrusions into substations have been simulated using a substation automation testbed based on the IEEE 39-bus and a modified IEEE 118-bus system. The host-based anomaly detection considers temporal anomalies in the substation facilities.
Malicious behaviors of substation automation multicast messages are incorporated into the proposed network-based anomaly detection. The proposed impact evaluation method helps operators find the most critical substation among those where anomalies are detected. In addition, the proposed simultaneous intrusion detection method is able to identify the same type of attack at multiple substations and to locate them. The result is a new integrated tool for detection and mitigation of cyber intrusions at a single substation or at multiple substations of a power grid.
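As an added illustration of the kind of network-based GOOSE anomaly check the abstract refers to (example code written for this page, not the dissertation's method), the monitor below applies the IEC 61850-8-1 stNum/sqNum publishing rules to parsed messages and flags replayed states, counter gaps, silent publishers and dataset changes that arrive without a state-number increment. The `GooseMsg` fields, the `gocb_ref` strings and all message values are constructed assumptions; no network capture is parsed.

```python
"""Sequence-consistency checks over parsed GOOSE messages (added example).

Assumed IEC 61850-8-1 semantics: a publisher (identified by gocbRef) increments
stNum and resets sqNum to 0 whenever its dataset changes, and increments sqNum
on every retransmission of an unchanged dataset. timeAllowedToLive bounds the
gap until the next message. All records below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class GooseMsg:
    gocb_ref: str   # publisher control block reference (assumed field name)
    st_num: int     # state number
    sq_num: int     # sequence number within the current state
    t_ms: int       # receive timestamp, milliseconds
    tal_ms: int     # timeAllowedToLive advertised in this message
    data: tuple     # dataset values, e.g. (trip_bool,)


@dataclass
class GooseMonitor:
    last: dict = field(default_factory=dict)  # gocb_ref -> last seen message

    def check(self, m: GooseMsg) -> list[str]:
        """Return anomaly labels raised by message m (empty if consistent)."""
        prev = self.last.get(m.gocb_ref)
        findings: list[str] = []
        if prev is None:                       # first message: nothing to compare
            self.last[m.gocb_ref] = m
            return findings
        if m.t_ms - prev.t_ms > prev.tal_ms:
            findings.append("tal_expired")     # publisher silent beyond its TAL
        if m.st_num < prev.st_num:
            findings.append("stnum_rollback")  # older state replayed or forged
        elif m.st_num == prev.st_num:
            if m.sq_num != prev.sq_num + 1:
                findings.append("sqnum_gap")   # retransmission counter skipped
            if m.data != prev.data:
                findings.append("data_change_without_stnum")  # e.g. injected trip
        else:                                  # stNum increased: new state
            if m.sq_num != 0:
                findings.append("sqnum_not_reset")
            if m.st_num != prev.st_num + 1:
                findings.append("stnum_jump")  # missed state, possibly packet loss
        self.last[m.gocb_ref] = m
        return findings
```

A real deployment would feed this from a GOOSE decoder on the substation LAN and correlate findings with the host-based and multi-substation detectors the abstract describes.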