Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model
2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016, Vienna
Anna Magdalena Kosek and Oliver Gehrke


12 April 2016

Problem
• Increased number of distributed energy resources in the power system
• Increased influence of DER on the power system stability

[Figure: Global cumulative PV installation until 2014. Source: https://www.ise.fraunhofer.de]
[Image source: http://www.dw.com]


SALVAGE approach
• Investigate cyber-physical security in three power system scenarios including attacks on:
– Direct control in smart grid (Aggregator performing ancillary services)
– Protection devices in MV
– Advanced Metering Infrastructure (including energy theft)
• Vulnerability and risk assessment
– Power system stability
– Time to compromise the ICT infrastructure


SALVAGE approach
• Combine information from the DER behaviour, power system state and cyber vulnerability analysis to assess the cyber-physical state of the distribution grid
– Independent analysis in each component
– Map and harmonize the analysis results


Cyber-physical attack
• Target: power system stability (voltage)
• Means: injection of a modified control signal (control of PV active power production)
• Detection technique:
– Local monitoring and analysis
– Model-based anomaly detection
– DER behaviour evaluation
– Power system risk assessment
– Cyber vulnerability analysis


Anomaly detection

“Anomalies are patterns in data that do not conform to a well defined notion of normal behavior.” [Chandola2007]

• Types of anomaly detection:
– Supervised
– Semi-supervised
– Unsupervised
[Chandola2007]


Model-based anomaly detection
• (Semi-)supervised anomaly detection technique
• A model of normal DER behaviour is used to detect an anomaly
Q: What is considered to be normal?
A: Define the normal model to exclude anomalies we are interested in.
• Anomaly detection
– Residual analysis
• Results:
– Labels
– Scores
• Type of anomaly:
– Point
– Contextual
– Collective
[Chandola2007]
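
The residual analysis outlined above, as an added example that is not from the original slides: a least-squares line on irradiance stands in for the paper's neural network model, and all data, function names and the threshold of 3 are constructed assumptions. It shows why a curtailed PV reading that passes a context-free range check is still labelled anomalous once the irradiance context is taken into account.

```python
import statistics

def fit_normal_model(ghi, power):
    """Fit power ~ a*ghi + b on attack-free data; return (a, b, residual sigma)."""
    mg, mp = statistics.fmean(ghi), statistics.fmean(power)
    a = (sum((g - mg) * (p - mp) for g, p in zip(ghi, power))
         / sum((g - mg) ** 2 for g in ghi))
    b = mp - a * mg
    resid = [p - (a * g + b) for g, p in zip(ghi, power)]
    return a, b, statistics.pstdev(resid)

def residual_scores(model, ghi, power):
    """Score = |observed - expected| in units of the training residual sigma."""
    a, b, sigma = model
    return [abs(p - (a * g + b)) / sigma for g, p in zip(ghi, power)]

def contextual_labels(scores, threshold=3.0):
    """Label = True when the residual score exceeds the (assumed) threshold."""
    return [s > threshold for s in scores]

def point_labels(train_power, power):
    """Context-free baseline: flag only values outside the range seen in training."""
    lo, hi = min(train_power), max(train_power)
    return [not (lo <= p <= hi) for p in power]

# Constructed attack-free training data: GHI in W/m^2, PV active power in kW.
TRAIN_GHI = [100 * i for i in range(11)]
TRAIN_KW = [0.004 * g + (0.05 if i % 2 == 0 else -0.05)
            for i, g in enumerate(TRAIN_GHI)]

# Constructed observations: the third is curtailed production under full sun.
OBS_GHI = [900, 200, 900]
OBS_KW = [3.6, 0.8, 1.5]

def run_demo():
    model = fit_normal_model(TRAIN_GHI, TRAIN_KW)
    scores = residual_scores(model, OBS_GHI, OBS_KW)
    return scores, contextual_labels(scores), point_labels(TRAIN_KW, OBS_KW)

if __name__ == "__main__":
    scores, ctx, pt = run_demo()
    for g, p, s, c, q in zip(OBS_GHI, OBS_KW, scores, ctx, pt):
        print(f"GHI={g:4d} W/m^2  P={p:.2f} kW  score={s:6.2f}  "
              f"contextual={c}  point={q}")
```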


Intrusion Detection System
• IDS consists of:
– Model-based anomaly detection
– Power system stability analysis
– Harmonization of DER and power system analysis


Data
• PV production and house consumption:
– Pecan Street Smart Grid Demonstration Program project that started in 2010: open platform Energy Internet Demonstration with real residential consumers
– Mueller community in Austin, Texas
– Available on-line on Dataport (home electricity use, PV power, EV charging, and demand response data recorded while participating in the utility programs)
– The data used in this research is 1 minute active power production in kW from 1st January 2013 to 31st January 2014
• Meteorological data:
– National Solar Radiation Data Base (NSRDB) developed by NREL (National Renewable Energy Laboratory)
– Recorded at a meteorological station in Texas, Austin (latitude 30.29, longitude -97.7) from 1st January 2013 to 31st January 2014
– The data is recorded every 30 minutes
– Diffuse Horizontal Irradiance (DHI), Direct Normal Irradiance (DNI), Global Horizontal Radiation, clear sky DHI, DNI and GHI
– Cloud type (13 categories)
– Ambient temperature, wind direction and wind speed


PV modelling


• Scenario I
– 100% residential PV penetration.
– 40 houses and PVs, divided into two feeders: 12 sets of houses and PVs on feeder A and 28 sets of houses and PVs on feeder B
• Scenario II
– 50% of the houses are equipped with rooftop PVs.
– 40 houses and 20 PVs are divided into two feeders: 12 houses and 5 PVs on feeder A and 28 houses and 15 PVs on feeder B
• Case 1: Aggregator controls voltage in feeders A and B
• Case 2: Attacker controls PVs to destabilize voltage


Scenario I

• Case 1: Voltage problems are visible during a total of 45 minutes of operation (30 minutes of over-voltage and 15 minutes of under-voltage).

• Case 2: Increase to a total of 240 minutes (225 minutes of over-voltage and 15 minutes of under-voltage).


Scenario II

• Case 1: 15 minutes of over-voltage and 135 minutes of under-voltage

• Case 2: The total number of voltage problems increases to 420 minutes, all of which are under-voltage.


Results: control detection

[Figure panels: Control detection; Malicious control detection]


Thank you!
Anna Magdalena Kosek