Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016) CPSWeek 2016 Vienna Anna Magdalena Kosek and Oliver Gehrke
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Problem • Increased number of distributed energy resources in the power system
2
Global cumulative PV installation until 2014
https://www.ise.fraunhofer.de
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Problem • Increased number of distributed energy resources in the power system • Increased influence of DER on the power system stability
3
http://www.dw.com
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
SALVAGE approach • Investigate cyber-physical security in three
power system scenarios including attacks on:
– Direct control in smart grid (Aggregator performing ancillary services)
– Protection devices in MV – Advanced Metering Infrastructure
(including energy theft) • Vulnerability and risk assessment
– Power system stability – Time to compromise the ICT
infrastructure
4
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
SALVAGE approach • Combine information form the DER
behaviour, power system state and cyber vulnerability analysis to asses the cyber-physical state of distribution grid
– Independent analysis in each component – Map and harmonize the analysis results
5
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Cyber-physical attack • Target: power system stability (voltage) • Means: injection of a modified control signal
(control of PV active power production) • Detection technique:
– Local monitoring and analysis – Model-based anomaly detection – DER behaviour evaluation – Power system risk assessment – Cyber vulnerability analysis
6
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Cyber-physical attack • Target: power system stability (voltage) • Means: injection of a modified control signal
(control of PV active power production) • Detection technique:
– Local monitoring and analysis – Model-based anomaly detection – DER behaviour evaluation – Power system risk assessment – Cyber vulnerability analysis
7
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Anomaly detection
“Anomalies are patterns in data that do not conform to a well defined notion of normal behavior.” [Chandola 2007]
8
[Chandola2007] • Types of anomaly detection:
– Supervised – Semi-supervised – Unsupervised
[Chandola2007]
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Model-based anomaly detection • (Semi-)supervised anomaly detection technique • A model of normal DER behaviour is used to
detect an anomaly Q: What is considered to be normal? A: Define the normal model to exclude anomalies we are interested in.
• Anomaly detection – Residual analysis
• Results: – Labels – Scores
• Type of anomaly: – Point – Contextual – Collective
9
[Chandola2007]
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Intrusion Detection System
• IDS consists of: – Model based anomaly detection – Power system stability analysis – Harmonization of DER and power system analysis
10
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Data • PV production and house consumption:
– Pecan Street Smart Grid Demonstration Program project that started in 2010 : open platform Energy Internet Demonstration with real residential consumers
– Mueller community in Austin, Texas. – Available on-line on Dataport (home
electricity use, PV power, EV charging, and demand response data recorded while participating in the utility programs)
– The data used in this research is 1 minute active power production in kW from 1st January 2013 to 31st January 2014.
• Meteorological data – National Solar Radiation Data Base
(NSRDB) developed by NREL (National Renewable Energy Laboratory).
– Recorded at a meteorological station in Texas, Austin (latitude 30.29, longitude -97.7) from 1st January 2013 to 31st January 2014.
– The data is recorded every 30 minutes, – Diffuse Horizontal Irradiance (DHI),
Direct Normal Irradiance (DNI), Global Horizontal Radiation , clear sky DHI, DNI and GHI
– Cloud type (13 categories) – Ambient temperature , wind direction
and wind speed
11
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
PV modelling
12
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
• Scenario II – 50% of the houses
are equipped with rooftop PVs.
– 40 houses and 20 PVs are divided into two feeders 12 houses and 5 PVs on feeder A and 28 houses and 15 PVs on feeder B
13
• Scenario I – 100% residential PV
penetration. – 40houses and PVs,
divided into two feeders 12 sets of houses and PVs on feeder A and 28 sets of houses and PVs on feeder B
• Case 1: Aggregator controls voltage in feeders A and B • Case 2: Attacker controls PVs to destabilize voltage
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Scenario I
• Case 1: In total 45 minutes of the operation voltage problems are visible (30 minutes over-voltage and 15 minutes under-voltage).
• Case 2: Increase to total of 240 minutes (where 225 minutes of over-voltage and 15 minutes of under-voltage).
14
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Scenario II
15
• Case 1: 15 minutes of over-voltage and 135 minutes of under-voltage
• Case 2: The total number of voltage problems is increased to 420 which all minutes are under-voltage.
A.M. Kosek, O Gehrke, Contextual anomaly detection for cyber-physical security in Smart Grids based on an artificial neural network model 2016 Joint Workshop on Cyber-Physical Security and Resilience in Smart Grids (CPSR-SG2016), CPSWeek 2016 Vienna
12 April 2016
Results: control detection Control detection Malicious control detection
16
Thank you! Anna Magdalena Kosek [email protected]