GB2558534A - Detecting a bad data injection event within an industrial control system - Google Patents
- Publication number
- GB2558534A
- Authority
- GB
- United Kingdom
- Prior art keywords
- state
- stealthy
- determining
- attack
- change
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B23/00—Testing or monitoring of control systems or parts thereof
- G05B23/02—Electric testing or monitoring
- G05B23/0205—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
- G05B23/0218—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
- G05B23/0224—Process history based detection method, e.g. whereby history implies the availability of large amounts of data
- G05B23/0227—Qualitative history assessment, whereby the type of data acted upon, e.g. waveforms, images or patterns, is not relevant, e.g. rule based assessment; if-then decisions
- G05B23/0232—Qualitative history assessment, whereby the type of data acted upon, e.g. waveforms, images or patterns, is not relevant, e.g. rule based assessment; if-then decisions based on qualitative trend analysis, e.g. system evolution
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B23/00—Testing or monitoring of control systems or parts thereof
- G05B23/02—Electric testing or monitoring
- G05B23/0205—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
- G05B23/0259—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
- G05B23/0275—Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/30—Nc systems
- G05B2219/33—Director till display
- G05B2219/33234—Detect bad data transfer
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P80/00—Climate change mitigation technologies for sector-wide applications
- Y02P80/10—Efficient use of energy, e.g. using compressed air or pressurized fluid as energy carrier
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Automation & Control Theory (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A method of detecting a bad data injection event within an industrial control system (ICS) used to monitor a physical system, for example a smart grid. The ICS comprises a supervisory processor and a remote sensing system to provide state measurement data to the processor via a telemetry system. The method comprises: determining a first estimate of the state of the system at a first time instance using the measurement data; determining a second estimate of the state of the system at a second, later, time instance using the measurement data; comparing the first and second estimates of the system state and determining a change; and determining that a bad data injection event has occurred if the determined change is greater than a predetermined threshold. The step of comparing the first and second state estimates may comprise determining a measurement change and performing a residual test, which can be used to detect a non-stealthy attack. Furthermore, the step of comparing the first and second state estimates may comprise determining a state change, which can be used to detect a stealthy attack.
Description
(71) Applicant(s): University of Durham (Incorporated in the United Kingdom), The Palatine Centre, Stockton Road, Durham, DH1 3LE, United Kingdom
(72) Inventor(s): Jing Jiang, Hongjian Sun
(74) Agent and/or Address for Service: Scintilla Intellectual Property Ltd, The Centrum Building, 38 Queen Street, Glasgow, G1 3DX, United Kingdom
(51) INT CL: G05B 23/02 (2006.01)
(56) Documents Cited:
CN 105406471 A; CN 102761122 A; US 9205560 B1
Y. Lin et al., "Research on Efficient Detection Methods for False Data Injection in Smart Grid", 2014 International Conference on Wireless Communication and Sensor Network, IEEE, 2014
Yi Huang et al., "Bad Data Injection in Smart Grid: Attack and Defense Mechanisms", IEEE Communications Magazine, Vol. 51, Issue 1, January 2013, pp. 27-33
Gu Chaojun et al., "Detecting False Data Injection Attacks in AC State Estimation", IEEE Transactions on Smart Grid, Vol. 6, No. 5, September 2015, pp. 2476-2483
(58) Field of Search: INT CL G05B; Other: INTERNET, EPODOC, WPI, XPI3E, XPIEE, XPESP, XSPRNG
(54) Title of the Invention: Detecting a bad data injection event within an industrial control system
Abstract Title: Detecting a bad data injection within an industrial control system
Fig. 1, Fig. 2 and Fig. 3: drawings (block diagrams and flow chart; see the description of the drawings below). At least one drawing originally filed was informal and the print reproduced here is taken from a later filed formal copy.
Fig. 4: Performance of conventional detection method, IEEE 9-bus test system; probability of detection against probability of false alarm for a non-stealthy and a stealthy attack.
Fig. 5: Performance of the proposed detection scheme, IEEE 9-bus test system; probability of detection against probability of false alarm for non-stealthy and stealthy attacks at ANR = 6 dB, 10 dB and 12 dB.
Fig. 6: Performance of the proposed detection scheme, IEEE 14-bus test system; probability of detection against probability of false alarm for non-stealthy attacks at ANR = 8, 10 and 12 dB and stealthy attacks at ANR = 8, 10, 12 and 15 dB, with a random guess line for reference.
Fig. 7: Performance of the proposed detection scheme, IEEE 57-bus test system; probability of detection against probability of false alarm for non-stealthy and stealthy attacks at ANR = 10, 13 and 16 dB, with a random guess line for reference.
DETECTING A BAD DATA INJECTION EVENT WITHIN AN INDUSTRIAL CONTROL SYSTEM
The present invention relates to detecting a bad data injection event within an industrial control system. In particular, the present invention relates to detecting a cyber-attack on a smart grid.
A smart grid is an electrical power grid that uses information and communications technology (ICT) to gather and act on information for improving the efficiency, robustness, economics and sustainability of energy distribution and management. The bi-directional information exchange among customers, operators and control devices offers a more efficient way of supplying and consuming energy. On the operator side, equipment can be managed intelligently and supply flexibility significantly improved. On the consumer side, both the user experience and the billing system can be enhanced.
However, by integrating a physical system (the power grid) with a cyber system (ICT), a smart grid presents significant cyber security challenges and makes the overall system more vulnerable to cyber-attacks. For instance, in December 2015 a cyber-attack was reported in western Ukraine which caused a power cut lasting several hours and affecting 80,000 customers. According to data provided by the United States Computer Emergency Readiness Team, there were 79 cyber hacking incidents targeting the energy sector in that year, compared with 145 in the previous year. Such attacks could maliciously manipulate the electricity price in the power market, or even cause a regional blackout (as in Ukraine), and thus result in serious social and economic consequences. A smart grid must therefore incorporate appropriate cyber protection mechanisms for detecting and identifying such malicious data attacks.
To maintain normal operations of the smart grid, the power systems are continuously monitored and controlled by Supervisory Control and Data Acquisition (SCADA) systems and Energy Management Systems (EMS). In particular, the SCADA host receives real-time measurements of system states (typically transmission line power flows, bus line voltages and phase angles) from remote meters or sensors. These measurements are then processed at the state estimator for estimating the system states and building real-time electricity network models. These state estimates are crucial, and must be passed to EMS application functions, such as automatic generation control and optimal power flow, to control the physical aspects of the power grids.
Figure 1 shows a block architecture diagram of a smart grid comprising the power system, communication network, and control center. An attacker may launch attacks by hacking a few meters or sensors to distort the measurements. Moreover, the communication links are also vulnerable to data injection attacks where measurements may be altered during data transmission. Bad data injection attacks can result in the state estimator producing incorrect system state estimates, leading to poor control decisions or a major malfunction or even blackout.
Other, non-malicious, events can also result in a bad data injection. For example, an accident such as a tree falling on a power line will cause a sudden and large change in some measurements of system states. Within this specification, such an event is also referred to as a type of bad data injection and is specifically referred to as an accident.
It is desirable to detect bad data injections prior to or during the state estimation process.
There are two kinds of approaches to defending against bad data injection attacks. A common approach is to deploy advanced measurement units, such as phasor measurement units (PMUs), at various locations to prevent injections. Due to its high cost, it is not feasible in practice to secure all measurement units and, recently, other methods on how to locate PMUs for protecting a subset of measurements have been proposed. For instance, a graphical characterization can be used to study defense mechanisms with a minimum number of secure measurements; or a fast greedy algorithm can be used to select a subset of measurements to be protected; or a minimum mean square error-based optimal PMU layout method can be used. The approach of deploying advanced measurement units to defend against data injections will be more suitable to power systems that have great social and economic impacts, but for a general power system it will be restricted by limited budget.
An alternative approach for defending against bad data injection attacks is to use advanced signal processing techniques in the control center to detect the injected bad data and exclude this data from the measurements used in state estimates. Conventional detection algorithms are based on performing residual tests. However, it has been demonstrated that, if attackers have knowledge of the power grid topology, they can launch specially configured attacks that easily evade these conventional detection approaches. Such attacks are known as stealthy data attacks.
A machine-learning (ML) technique has been proposed for detecting stealthy attacks. This ML technique relies on a set of historical data used for learning and validation in order to detect attacks in new measurements, but its learning efficiency is limited. A cumulative-sum-based (CS) approach can also be used, which aims to minimize the detection time subject to certain detection error constraints, but this CS approach only applies to non-stealthy attacks. Defense mechanisms exist which exploit the low-rank structure of error-free temporal measurements and the sparsity of malicious attacks. However, these mechanisms rely strongly on the assumption that the attack matrix is sparse, which does not hold for attackers with a strong capability for launching cyber-attacks.
Instead of considering PMUs, the present invention relates to signal processing techniques for detecting and identifying bad data injection attacks at the control center. Embodiments of the invention can adaptively detect both non-stealthy and stealthy data attacks. Bad data injection attacks can be detected during the state estimation process, which is an essential part of many smart grid applications such as demand side management and virtual power plant. Embodiments of the invention allow the detection and classification of bad data injection attacks as non-stealthy attacks or stealthy attacks on smart grid networks.
According to the present invention, there is provided a method of detecting a bad data injection event within an industrial control system (ICS) used to monitor a physical system, the ICS comprising a supervisory processor and a remote sensing system which provides state measurement data to the supervisory processor via a telemetry system, the method comprising:
determining a first estimate of the state of the monitored system at a first time instance using the state measurement data provided by the remote sensing system;
determining a second estimate of the state of the monitored system at a second, later, time instance using the state measurement data provided by the remote sensing system;
comparing the first and second estimates of the system state and determining a change;
and determining that a bad data injection event has occurred if the determined change is greater than a predetermined threshold.
Optionally, the step of comparing the first and second estimates of the system state comprises determining a measurement change and performing a residual test, and wherein the method includes determining that the bad data injection event is a non-stealthy attack if the determined residual is greater than a first predetermined threshold.
Optionally, the step of comparing the first and second estimates of the system state comprises determining a state change, and wherein the method includes determining that the bad data injection event is a stealthy attack if the determined state change is greater than a second predetermined threshold.
Optionally, the second time instance is less than 20 minutes after the first time instance. Optionally, the second time instance is about 15 minutes after the first time instance.
Optionally, the ICS is a SCADA system or a wide area measurement system for a power grid or a smart grid.
Optionally, the remote sensing system comprises at least one remote sensor or meter or a remote terminal unit (RTU) or a programmable logic controller (PLC).
Optionally, the state measurement data comprises one or more of transmission line power flows, bus voltages and phase angles.
Optionally, the method includes determining the first and second estimates of the system state using a power flow analysis. Optionally, the power flow analysis is a DC power flow analysis.
Optionally, the method is implemented using a computer program product. Optionally, the computer program product is stored on or transmitted as one or more instructions or code on a computer-readable medium. Optionally, the computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. By way of example such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
The invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Fig. 1 is a block diagram of power system, communication network, and control center of a smart grid;
Fig. 2 is a block diagram of power system, communication network, and control center of a smart grid which includes an IEEE 9 bus power system;
Fig. 3 is a flow chart of an embodiment of a method of detecting a bad data injection in accordance with the present invention;
Fig. 4 is a graph of the performance of a conventional detection method;
Fig. 5 is a graph of the performance of the detection method of Fig. 3 for an IEEE 9 bus system;
Fig. 6 is a graph of the performance of the detection method of Fig. 3 for an IEEE 14 bus system; and
Fig. 7 is a graph of the performance of the detection method of Fig. 3 for an IEEE 57 bus system;
Figure 2 shows a block architecture diagram of a smart grid that consists of a 9-bus power system, communication network, and control center. An IEEE 9-bus system is chosen to illustrate the power system. The power system includes a plurality of remote sensors or meters. The remote sensors come in two varieties: transmission line flow sensors, which measure the power flow through a single transmission line, and bus injection sensors, which measure the power injection flow from all transmission lines connected to a single bus.
In the control center of the smart grid, a supervisory processor in the form of a SCADA host receives state measurement data, which are real-time measurements from the remote sensors. The measurements are then processed at the state estimator to estimate the system states and build real-time electricity network models.
An attacker may launch an attack by hacking a few meters or sensors to distort the measurements. The communication links are also vulnerable to data injection attacks where measurements may be altered during data transmission.
A direct current (DC) power flow model will be considered, which is widely used for real-time analysis of state estimation in power system operation. The power system comprises $n+1$ buses and $l$ transmission lines. The network connectivity of this power grid is described by an oriented incidence matrix $M \in \mathbb{R}^{(n+1)\times l}$; each column of $M$ corresponds to a power line $(p, q)$ and consists of all zeros except the $p$-th and $q$-th elements, which have the values $1$ and $-1$, respectively. The physical properties of the transmission grid are described by the nonsingular diagonal matrix $N \in \mathbb{R}^{l\times l}$, whose diagonal entries are equal to the admittances of the transmission lines.
The received measurements at the SCADA host can be represented in vector-matrix form as
$$z = Hx + u \quad (1)$$
where $z = [z_1, z_2, \ldots, z_m]^T$ denotes the measurement vector, which includes power flow measurements on the $l$ transmission lines and power injection measurements at $n$ buses. The system state vector is $x = [x_1, x_2, \ldots, x_n]^T$. The vector $u = [u_1, u_2, \ldots, u_m]^T$ represents Gaussian noise with zero mean and covariance matrix $U$. The matrix $H \in \mathbb{R}^{m\times n}$ is the measurement Jacobian matrix:
$$H = \begin{bmatrix} N M^T \\ M N M^T \end{bmatrix} \quad (2)$$
That is, power flow measurements on the transmission lines are obtained from $N M^T x$, and power injection measurements at the buses are computed from $M N M^T x$ (one bus serves as the angle reference, so its row of $M$ is dropped and $H$ has $n$ columns).
The state estimator uses the received power measurements $z$ to estimate the power system states $x$ in a timely manner. The vector $x$ can be estimated using the weighted least-squares method:
$$\hat{x} = (H^T U H)^{-1} H^T U z = K z, \qquad \text{with } K = (H^T U H)^{-1} H^T U \quad (3)$$
Here the weighting matrix $U$ has diagonal entries equal to the inverse of the variances of the Gaussian noise, i.e. it is the inverse of the noise covariance in (1) (the description uses the symbol $U$ for both). Note that $KH = I$.
If a bad data injection attack occurs, the measurement model becomes
$$z = Hx + a + u \quad (4)$$
where $a = [a_1, a_2, \ldots, a_m]^T$ denotes the bad data vector injected by the attacker. $\mathcal{H}_0$ represents the no-attack hypothesis, i.e. $\mathcal{H}_0 : a = 0$, and $\mathcal{H}_1$ represents the attack hypothesis, i.e. $\mathcal{H}_1 : a \neq 0$. The true hypothesis is denoted by $R \in \{\mathcal{H}_0, \mathcal{H}_1\}$ and the detector decision by $D \in \{\mathcal{H}_0, \mathcal{H}_1\}$. The probabilities of detection and of false alarm are thus given by
$$P_{\mathrm{det}} = P(D = \mathcal{H}_1 \mid R = \mathcal{H}_1), \qquad P_{\mathrm{fa}} = P(D = \mathcal{H}_1 \mid R = \mathcal{H}_0).$$
Non-stealthy data injection attacks are defined as attacks detectable by conventional bad data detection methods. In this case the measurement matrix $H$ is not known to the attackers, who simply generate random attack vectors and manipulate the meter readings.
Stealthy data injection attacks are defined as attacks not detectable by conventional bad data detection methods. In this case the attackers are assumed to be familiar with the power grid topology or to know the measurement matrix $H$. They can carefully design the malicious data so that the attack vector lies in the range of $H$, i.e. $a = Hc$, where $c \in \mathbb{R}^n$ can be any arbitrary vector.
Conventional methods to detect bad data are mostly based on residual tests. The residual is the difference between the measurement vector $z$ and the value computed from the estimated state, i.e. $z - H\hat{x}$. The largest normalized residual test reports bad data if the largest absolute value of the elements of $z - H\hat{x}$ is larger than a pre-defined threshold; other methods, such as the norm method, can also be used to perform the residual test. However, a stealthy data injection attack (with $a = Hc$) bypasses conventional bad data detection. When such an attack occurs, the measurement vector can be written as
$$z = Hx + a + u = H(x + c) + u \quad (5)$$
Because $KH = I$, the residual is $z - H\hat{x} = (I - HK)z = (I - HK)u$, exactly as in the no-attack case. The residual test therefore does not differ from the no-attack case, and the system accepts the state $(x + c)$ without reporting any abnormal state hypothesis.
The present invention can detect bad data injection attacks and classify them as non-stealthy or stealthy attacks. The measurements of two sequential data collection slots are considered, and equation (1) is re-written as state-space equations with discrete time index $i$ as
$$z_i = Hx_i + u_i, \qquad x_i = x_{i-1} + \Delta x_i \quad (6)$$
where $\Delta x_i$ is the state change vector representing the change in system state from the last data collection slot $i-1$ to the current slot $i$. Current smart meters support a 15 minute data collection interval, and the collection frequency is likely to increase further to support advanced smart grid functionality. Compared with the values of the system state $x_i$, the values of $\Delta x_i$ are relatively small; that is, the system state generally varies within a small dynamic range.
The state change vector $\Delta x_i$ follows a certain distribution and is here taken to be normally distributed with zero mean and covariance matrix $\Lambda_i$. In addition, a stable power system is considered, that is, the measurement matrix $H$ remains the same for the two sequential data collection slots. Any change to the measurement matrix is reported to the control center, and the updated $H$ is used for state estimation and attack detection.
Let $w_i$ represent the measurement change vector, which is the difference between the current power flow measurement vector and the value computed from the last estimated state:
$$w_i = z_i - H\hat{x}_{i-1} \quad (7)$$
According to equation (3), $\hat{x}_{i-1} = K z_{i-1}$, and therefore
$$w_i = z_i - HKz_{i-1} = (Hx_i + u_i) - Hx_{i-1} - HKu_{i-1} = H\Delta x_i + (u_i - u_{i-1}) \quad (8)$$
(the second step uses $KH = I$; the last step treats the projected noise $HKu_{i-1}$ as $u_{i-1}$, which is the noise model adopted below).
The state change vector is estimated from the measurement change vector $w_i$ using the weighted least-squares method. As $u_i - u_{i-1}$ is also Gaussian distributed with zero mean and covariance matrix $2U$, the estimated state change vector is
$$\Delta\hat{x}_i = (H^T U H)^{-1} H^T U w_i = K w_i \quad (9)$$
where the matrix $K$ is defined in equation (3); the factor of 2 in the covariance cancels in the weighted least-squares solution, so the same gain matrix applies.
The state change between two data collection slots is monitored to detect both non-stealthy and stealthy data injection attacks. Specifically, the measurement change residual vector $w_i - H\Delta\hat{x}_i$ is computed, and its Euclidean norm is used to detect the presence of a non-stealthy data injection attack: $\|w_i - H\Delta\hat{x}_i\|$ is compared with a threshold $\tau_1$, and a non-stealthy data injection is inferred if $\|w_i - H\Delta\hat{x}_i\| > \tau_1$. The Euclidean norm is also called the $L_2$ distance, $\ell_2$ distance, $L_2$ norm or $\ell_2$ norm. Apart from the Euclidean norm test, the largest normalized residual test can also be used to detect a non-stealthy data injection. The threshold $\tau_1$ is selected from history and from a trade-off between probability of detection and probability of false alarm. If no data injection is inferred, i.e. $\|w_i - H\Delta\hat{x}_i\| \le \tau_1$, the Euclidean norm of the estimated state change $\Delta\hat{x}_i$ is used to detect the presence of a stealthy data injection attack: $\|\Delta\hat{x}_i\|$ is compared with a threshold $\tau_2$, and a stealthy data injection is inferred if $\|\Delta\hat{x}_i\| > \tau_2$. When attackers launch a stealthy data injection, the state change vector is $\Delta x_i + c_i$, compared with $\Delta x_i$ in the no-attack case. Because the vector $\Delta x_i + c_i$ does not exhibit the same distribution as $\Delta x_i$, and because the elements of $c_i$ are normally larger than those of $\Delta x_i$, the presence of $c_i$ can be detected with relatively high probability. The probability of detection of the proposed scheme increases with the magnitude of $c_i$; a larger $c_i$ means that the stealthy attack causes a larger system state change and is thus more dangerous to power system operation.
Finally, if both the test for a non-stealthy data injection attack and that of a stealthy data attack are passed, the decision of no attack is made, and the state estimation process will continue.
Referring to Figure 3, the steps of a method according to an embodiment of the invention are as follows:
I. Initialization: time index $i = 0$; collect the historical estimated state vector $\hat{x}_0$.
II. Repeat the proposed adaptive detection mechanism for detecting state change due to bad data injection or electrical accidents (such as falling branches or trees):
II-i) Update the time index: $i = i + 1$;
II-ii) Obtain the current measurement vector $z_i$, measuring power flow and/or voltage;
II-iii) Calculate the measurement change vector $w_i$, which is the difference between the current measurement vector $z_i$ and the value computed from the last estimated state, $H\hat{x}_{i-1}$, that is, $w_i = z_i - H\hat{x}_{i-1}$;
II-iv) Estimate the state change vector $\Delta\hat{x}_i$ from the measurement change vector $w_i$ using the weighted least-squares method, that is, $\Delta\hat{x}_i = K w_i$, where the matrix $K$ is defined in equation (3);
II-v) Calculate the measurement change residual vector $\eta_i$, which is the difference between the measurement change vector $w_i$ and the value computed from the estimated state change vector, $H\Delta\hat{x}_i$, that is, $\eta_i = w_i - H\Delta\hat{x}_i$;
II-vi) Identify and classify data attacks based on the state change vector $\Delta\hat{x}_i$ and the measurement change residual vector $\eta_i$:
if the Euclidean norm of the measurement change residual is greater than the threshold $\tau_1$, i.e. $\|\eta_i\| > \tau_1$, then report a non-stealthy data injection attack and exit;
else if the Euclidean norm of the state change is greater than the threshold $\tau_2$, i.e. $\|\Delta\hat{x}_i\| > \tau_2$, then report a stealthy data injection attack (or electrical accident) and exit;
else make the decision of no attack, obtain the estimated state vector $\hat{x}_i = K z_i$, update the last-slot estimated state vector $\hat{x}_{i-1} = \hat{x}_i$, and continue the state estimation process.
III. Until a non-stealthy or stealthy data injection attack (or electrical accident) is determined;
IV. Terminate the attack detection process and report the detected data injection attack to the system operators.
V. To distinguish between a stealthy data injection attack and an electrical accident, system operators can either send staff to verify or wait for reports from secure devices (such as Phasor Measurement Units or Intelligent Electronic Devices).
Apart from the Euclidean norm method, the largest normalized method (which compares the largest absolute value of the elements of a vector with a threshold) can also be used in step II-vi) to identify and classify data attacks.
The MATLAB package MATPOWER was used to simulate the operation of the power system. The signal-to-noise ratio (SNR) considered in the simulations is the ratio of the power level of the true measurements to the power level of the noise. The noise comes from measurement noise or communication link noise and is modelled as a Gaussian-distributed variable with zero mean. For bad data injection attacks, both non-stealthy and stealthy attacks of various severity levels were considered. The attack-to-noise ratio (ANR), defined as the ratio of the attack power level to the noise power level, indicates the attack severity. The detection performance of the proposed scheme was assessed using receiver operating characteristic (ROC) curves, which illustrate the performance of a detector as the discrimination threshold is varied: the curve plots the probability of detection against the probability of false alarm at various threshold settings. The probability of detection is the probability of declaring an 'attack' given that an attack actually occurred; the probability of false alarm is the probability of declaring an 'attack' given that no attack occurred.
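As an added illustration, not code from the patent or its applicants, the following Python (numpy) script implements the DC-model estimator of equations (1) to (3), the measurement-change detector of steps II-i to II-vi above, and the Monte Carlo estimate of $(P_{\mathrm{fa}}, P_{\mathrm{det}})$ that underlies one point of an ROC curve. The 4-bus network, line admittances, meter noise level, state drift covariance, attack vectors $c$ and $a$, and thresholds $\tau_1$, $\tau_2$ are constructed assumptions chosen so that the three cases separate cleanly; MATPOWER and the IEEE test systems are not used.

```python
"""Adaptive bad-data-injection detector for a DC power-flow state estimator.

Added example, not code from the patent.  The 4-bus network, admittances,
noise level, drift, attack vectors and thresholds are constructed for
illustration; the equations follow the description: z = Hx + u (1),
K = (H^T U H)^-1 H^T U (3), w_i = z_i - H x_hat_{i-1} (7),
dx_hat_i = K w_i, residual w_i - H dx_hat_i, then the two norm tests of II-vi.
"""
import numpy as np

# Constructed 4-bus network: bus 0 is the angle reference, 5 lines (p, q).
LINES = [(0, 1), (1, 2), (2, 3), (0, 3), (1, 3)]
ADMITTANCE = np.array([5.0, 10.0, 8.0, 4.0, 6.0])  # diag(N), per unit
N_BUS = 4                                          # n + 1 buses, so n = 3 states
C_ATTACK = np.array([0.10, -0.08, 0.12])           # attacker's chosen state shift c


def build_h(lines, admittance, n_bus, ref_bus=0):
    """H = [N M^T ; M N M^T] (equation (2)) with the reference-bus row removed."""
    m_inc = np.zeros((n_bus, len(lines)))
    for col, (p, q) in enumerate(lines):
        m_inc[p, col], m_inc[q, col] = 1.0, -1.0   # oriented incidence matrix M
    m_inc = np.delete(m_inc, ref_bus, axis=0)     # reference angle fixed at zero
    n_diag = np.diag(admittance)
    line_flows = n_diag @ m_inc.T                 # l x n: flow on each line
    bus_injections = m_inc @ n_diag @ m_inc.T     # n x n: injection at each bus
    return np.vstack([line_flows, bus_injections])  # m x n with m = l + n


def wls_gain(h, inv_variances):
    """K = (H^T U H)^-1 H^T U with U = diag(1/sigma^2) (equation (3)); K H = I."""
    u = np.diag(inv_variances)
    return np.linalg.solve(h.T @ u @ h, h.T @ u)


def detect(w, h, k, tau1, tau2):
    """Classify one measurement-change vector w_i (steps II-iv to II-vi).

    Returns (verdict, residual_norm, state_change_norm); verdict is
    'non-stealthy', 'stealthy' or 'none'.
    """
    dx_hat = k @ w                                # estimated state change K w_i
    residual = w - h @ dx_hat                     # measurement change residual
    r_norm = float(np.linalg.norm(residual))
    dx_norm = float(np.linalg.norm(dx_hat))
    if r_norm > tau1:                             # conventional residual test
        return "non-stealthy", r_norm, dx_norm
    if dx_norm > tau2:                            # state-change test
        return "stealthy", r_norm, dx_norm
    return "none", r_norm, dx_norm


H = build_h(LINES, ADMITTANCE, N_BUS)
M_MEAS, N_STATE = H.shape
SIGMA = 0.01                                      # meter noise std, constructed
K = wls_gain(H, np.full(M_MEAS, 1.0 / SIGMA**2))
TAU1, TAU2 = 0.08, 0.05                           # thresholds, constructed


def simulate_slot(rng, x_prev_hat, x_prev, attack=None, drift_std=0.005):
    """One collection slot: state drifts by dx_i ~ N(0, L_i), meters report z_i."""
    x_true = x_prev + rng.normal(0.0, drift_std, N_STATE)
    z = H @ x_true + rng.normal(0.0, SIGMA, M_MEAS)   # z_i = H x_i + u_i
    if attack is not None:
        z = z + attack                                # z_i = H x_i + a_i + u_i
    return z - H @ x_prev_hat, x_true                 # w_i = z_i - H x_hat_{i-1}


def run_demo(seed=1):
    """Three slots from the same history: clean, one tampered meter, a = Hc."""
    rng = np.random.default_rng(seed)
    x_true = rng.normal(0.0, 0.1, N_STATE)
    x_hat = K @ (H @ x_true + rng.normal(0.0, SIGMA, M_MEAS))  # historical x_hat_0
    cases = {
        "no attack": None,
        "non-stealthy": np.eye(M_MEAS)[2] * 0.5,     # meter 2 reading shifted
        "stealthy": H @ C_ATTACK,                    # lies in the range of H
    }
    return {name: detect(simulate_slot(rng, x_hat, x_true, a)[0], H, K, TAU1, TAU2)
            for name, a in cases.items()}


def roc_point(tau1, tau2, attack_fn, trials=300, seed=0):
    """Monte Carlo (P_fa, P_det) for one threshold pair: one point of an ROC curve."""
    rng = np.random.default_rng(seed)
    x0 = np.zeros(N_STATE)
    fa = det = 0
    for _ in range(trials):
        w_clean, _ = simulate_slot(rng, x0, x0)
        fa += detect(w_clean, H, K, tau1, tau2)[0] != "none"
        w_attack, _ = simulate_slot(rng, x0, x0, attack=attack_fn(rng))
        det += detect(w_attack, H, K, tau1, tau2)[0] != "none"
    return fa / trials, det / trials


if __name__ == "__main__":
    for name, (verdict, r_norm, dx_norm) in run_demo().items():
        print(f"{name:13s} residual={r_norm:.3f} |dx_hat|={dx_norm:.3f} -> {verdict}")
    print("stealthy ROC point:", roc_point(TAU1, TAU2, lambda rng: H @ C_ATTACK))
```

Running the script prints the verdict and both norms for the three constructed cases: the stealthy slot has a residual at the noise floor, identical in distribution to the clean slot, but a state-change norm close to $\|c\|$, so only the second test fires. The thresholds here are hand-set; with equal meter variances $\|\eta_i\|^2/\sigma^2$ is $\chi^2$ with $m - n$ degrees of freedom under $\mathcal{H}_0$, which gives $\tau_1$ for a chosen false-alarm rate, and $\tau_2$ follows from the historical spread of $\Delta\hat{x}_i$; sweeping either threshold through `roc_point` traces the trade-off the ROC curves show.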
Referring again to the IEEE 9-bus test system and power system shown in Figure 2, there are 9 transmission lines and thus 18 measurement elements in total for one data collection slot. Figure 4 shows the detection performance of a conventional residual-test method in detecting both non-stealthy and stealthy attacks, where SNR=20dB and ANR=10dB for both non-stealthy and stealthy attacks. It can be seen that the conventional method can detect non-stealthy attacks at a success ratio of around 85% given a 10% probability of false alarm. However, for stealthy attacks a completely random-guess line (the same as coin tossing, i.e. the diagonal line from the bottom left to the top right corner) is obtained, which means that the conventional residual-test method cannot detect stealthy attacks and simply makes a random guess.
For comparison, based on the same IEEE 9-bus test system, the performance of the method according to the invention in adaptively detecting both non-stealthy and stealthy attacks is demonstrated in Figure 5. The same value of SNR=20dB and various values of ANR were used. When ANR=10dB, as used for the conventional approach, the method achieves the same detection probability for non-stealthy attacks and significantly improves the detection probability for stealthy attacks. For example, given a 10% probability of false alarm, the method successfully detects non-stealthy attacks at a ratio of around 86%. Different attack levels, with ANR equal to 12dB and 6dB, are also considered in Figure 5. With a higher attack level, regardless of whether the bad data injection is a non-stealthy or a stealthy attack, better detection performance is achieved using the method of the invention. The method of the invention is therefore of great value in practical power systems for detecting higher levels of attack.
In an IEEE 14-bus test system, there are 20 transmission lines, and thus 34 measurement elements. Figure 6 shows the detection performance of the method of the invention for this test system, with SNR=20dB and various values of ANR being considered. A random-guess line is also shown to represent the ROC curve achieved using the conventional method when detecting stealthy attacks. The ROC curves obtained using the method of the invention are all above the diagonal line, which means that the method achieves very good results for classifying and detecting attacks (significantly better than random guessing). For the stealthy bad data attacks (which have proved hard to detect using conventional methods), four different levels of ANR (8dB, 10dB, 12dB and 15dB) were considered. As the attack power level increased, the detection performance of the method of the invention improved, with the successful detection ratio increasing from 30% to 100% given a 10% probability of false alarm. The proposed scheme also shows very good performance when detecting non-stealthy attacks.
As well as the 9-bus and 14-bus test systems, an IEEE 57-bus test system was considered. An IEEE 57-bus test system has 80 transmission lines and thus 137 measurement elements. Using the same setting of SNR = 20 dB as used for the IEEE 9-bus and 14-bus systems, the detection performance of the method of the invention is shown in Figure 7 (various values of ANR were considered). As for the IEEE 9-bus and 14-bus systems, the method of the invention can classify and self-adaptively detect both non-stealthy and stealthy attacks for the IEEE 57-bus system. Because the number of buses is higher than in the IEEE 9-bus and 14-bus systems, a larger value of ANR is needed to assure a high detection probability for the IEEE 57-bus system.
As demonstrated for IEEE 9-bus, 14-bus and 57-bus test systems, the method of the invention is able to achieve a high level of smart grid security in terms of data attack identification and accurate detection.
Embodiments of the method of the invention offer a number of advantages. Unlike conventional methods that only consider the measurements at one single time slot, the measurements of two sequential data collection slots are taken into account, and a bad data injection attack is detected by monitoring the state change between these two data collection slots.
The method can self-adaptively detect both non-stealthy and stealthy data injection attacks. Traditionally, stealthy attacks have been impossible to detect using conventional residual-based approaches. Furthermore, the method can classify the types of data attacks into non-stealthy attacks and stealthy attacks. Once the attack type is known, the power system operators can prioritize their actions or resources to better protect their systems, e.g. by switching off some devices or controlling breakers to change the system topology, which reduces the risk of attackers launching future stealthy attacks. If a stealthy data injection attack and an electrical accident need to be distinguished, system operators can either send staff to verify or wait for reports from secure devices (such as Phasor Measurement Units or Intelligent Electronic Devices).
The analytical and simulation results have shown that the method of the invention is highly efficient in terms of data attack classification and detection accuracy.
It should be understood that the logic code, programs, modules, processes, methods, and the order in which the respective elements of each method are performed are purely exemplary. Depending on the implementation, they may be performed in any order or in parallel, unless indicated otherwise in the present disclosure. Further, the logic code is not related, or limited to any particular programming language, and may comprise one or more modules that execute on one or more processors in a distributed, non-distributed, or multiprocessing environment.
While aspects of the invention have been described with reference to at least one exemplary embodiment, it is to be clearly understood by those skilled in the art that the invention is not limited thereto. Rather, the scope of the invention is to be interpreted only in conjunction with the appended claims and it is made clear, here, that the inventor(s) believe that the claimed subject matter is the invention.
Claims (12)
1. A method of detecting a bad data injection event within an industrial control system (ICS) used to monitor a physical system, the ICS comprising a supervisory processor and a remote sensing system which provides state measurement data to the supervisory processor via a telemetry system, the method comprising:
determining a first estimate of the state of the monitored system at a first time instance using the state measurement data provided by the remote sensing system;
determining a second estimate of the state of the monitored system at a second, later, time instance using the state measurement data provided by the remote sensing system;
comparing the first and second estimates of the system state and determining a change; and determining that a bad data injection event has occurred if the determined change is greater than a predetermined threshold.
2. A method as claimed in Claim 1, wherein the step of comparing the first and second estimates of the system state comprises determining a measurement change and performing a residual test, and wherein the method includes determining that the bad data injection event is a non-stealthy attack if the determined residual is greater than a first predetermined threshold.
3. A method as claimed in Claim 2, wherein the step of comparing the first and second estimates of the system state comprises determining a state change, and wherein the method includes determining that the bad data injection event is a stealthy attack if the determined state change is greater than a second predetermined threshold.
4. A method as claimed in any preceding claim, wherein the second time instance is less than 20 minutes after the first time instance.
5. A method as claimed in Claim 4, wherein the second time instance is about 15 minutes after the first time instance.
6. A method as claimed in any preceding claim, wherein the remote sensing system comprises at least one remote sensor or meter or a remote terminal unit (RTU) or a programmable logic controller (PLC).
7. A method as claimed in any preceding claim, wherein the ICS is a SCADA system or a wide area measurement system for a power grid or a smart grid.
8. A method as claimed in Claim 7, wherein the state measurement data comprises one or more of transmission line power flows, bus voltages and phase angles.
9. A method as claimed in Claim 7 or 8, including determining the first and second estimates of the system state using a power flow analysis.
10. A method as claimed in Claim 9, wherein the power flow analysis is a DC power flow analysis.
11. A method as claimed in any preceding claim, wherein the method is implemented using a computer program product stored on or transmitted as one or more instructions or code on a computer-readable medium.
12. A method as claimed in Claim 11, wherein the computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
Intellectual Property Office
Application No: GB1618862.5 Examiner: Adrian French
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB1618862.5A GB2558534B (en) | 2016-11-08 | 2016-11-08 | Detecting a bad data injection event within an industrial control system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB1618862.5A GB2558534B (en) | 2016-11-08 | 2016-11-08 | Detecting a bad data injection event within an industrial control system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| GB2558534A true GB2558534A (en) | 2018-07-18 |
| GB2558534B GB2558534B (en) | 2022-04-13 |
Family
ID=62623025
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB1618862.5A Active GB2558534B (en) | 2016-11-08 | 2016-11-08 | Detecting a bad data injection event within an industrial control system |
Country Status (1)
| Country | Link |
|---|---|
| GB (1) | GB2558534B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102761122A (en) * | 2012-07-06 | 2012-10-31 | 华北电力大学 | Defense method of false data injection attack of power state estimation system |
| US9205560B1 (en) * | 2013-06-24 | 2015-12-08 | Redwood Robotics, Inc. | System and method for failure detection of a robot actuator |
| CN105406471A (en) * | 2015-12-23 | 2016-03-16 | 云南电力调度控制中心 | Bad data identification and estimation method for power grid |
2016
- 2016-11-08 GB GB1618862.5A patent/GB2558534B/en active Active
Non-Patent Citations (3)
| Title |
|---|
| Yi Huang et al, "Bad Data Injection in Smart Grid: Attack and Defense Mechanisms", IEEE Communications Magazine, Vol. 51, Issue 1, January 2013, pages 27-33 * |
| Gu Chaojun et al, "Detecting False Data Injection Attacks in AC State Estimation", IEEE Transactions on Smart Grid, Vol. 6, No. 5, September 2015, pages 2476-2483 * |
| Y Lin et al, "Research on Efficient Detection Methods for False Data Injection in Smart Grid", 2014 International Conference on Wireless Communication and Sensor Network, IEEE, 2014 * |
Cited By (22)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109344610A (en) * | 2018-08-31 | 2019-02-15 | 中国科学院信息工程研究所 | Sequence attack detection method and device |
| CN109344610B (en) * | 2018-08-31 | 2020-09-11 | 中国科学院信息工程研究所 | Method and device for detecting sequence attack |
| US11586190B2 (en) | 2019-07-25 | 2023-02-21 | Siemens Aktiengesellschaft | Method for operating a technical or non-technical system, and facility for such systems |
| EP3770785A1 (en) * | 2019-07-25 | 2021-01-27 | Siemens Aktiengesellschaft | Method for detecting bad data injections attacks in an industial control system |
| CN111917569B (en) * | 2020-05-25 | 2022-07-08 | 杭州电子科技大学 | A method for evaluating the stability of power systems against network attacks using a false negative attack model |
| CN111917569A (en) * | 2020-05-25 | 2020-11-10 | 杭州电子科技大学 | Method for evaluating network attack resistance stability of power system by using missed report attack model |
| WO2022086176A1 (en) * | 2020-10-21 | 2022-04-28 | 포항공과대학교 산학협력단 | Method for distribution of phasor-aided state estimation to monitor operating state of large scale power system and method for processing defect data in mixed distributed state estimation by using same |
| CN112541679A (en) * | 2020-12-14 | 2021-03-23 | 国网辽宁省电力有限公司经济技术研究院 | Protection method for power grid under heavy load distribution attack |
| US12184669B2 (en) | 2021-08-04 | 2024-12-31 | Abb Schweiz Ag | Systems and methods for malicious attack detection in phasor measurement unit data |
| EP4131042A1 (en) * | 2021-08-04 | 2023-02-08 | Abb Schweiz Ag | Systems and methods for malicious attack detection in phasor measurement unit data |
| CN113886765A (en) * | 2021-09-30 | 2022-01-04 | 广东电网有限责任公司 | Method and device for detecting error data injection attack |
| CN113886765B (en) * | 2021-09-30 | 2023-09-29 | 广东电网有限责任公司 | Detection method and device for wrong data injection attack |
| CN113946787A (en) * | 2021-10-18 | 2022-01-18 | 西安交通大学 | Power distribution network load redistribution attack detection method, device, equipment and medium |
| CN114527651A (en) * | 2022-01-21 | 2022-05-24 | 深圳市三旺通信股份有限公司 | Attack detection method, system, device and storage medium for control system |
| CN115134162A (en) * | 2022-07-15 | 2022-09-30 | 西南民族大学 | Detection and compensation method for malicious threat of industrial control system and electronic equipment |
| CN115348094A (en) * | 2022-08-18 | 2022-11-15 | 香港中文大学(深圳) | Universal method for recovering smart grid attack, computer equipment and storage medium |
| CN116319020A (en) * | 2023-03-23 | 2023-06-23 | 上海电机学院 | Safety control method for multi-region interconnection power system under hybrid attack |
| CN116545716A (en) * | 2023-05-17 | 2023-08-04 | 华东理工大学 | Method, system and storage medium for mobile target defense with measurement code enhancement |
| CN116781407A (en) * | 2023-07-31 | 2023-09-19 | 浙江大学 | AC power grid covert attack detection method based on typical variable difference analysis |
| CN116781407B (en) * | 2023-07-31 | 2023-12-01 | 浙江大学 | Alternating current power grid hidden attack detection method based on typical variable difference analysis |
| CN118432932A (en) * | 2024-05-29 | 2024-08-02 | 华北电力大学 | A LN-FDIA method considering residual contamination under incomplete information |
| CN118432932B (en) * | 2024-05-29 | 2025-01-28 | 华北电力大学 | A maximum FDIA method considering residual contamination under incomplete information |
Also Published As
| Publication number | Publication date |
|---|---|
| GB2558534B (en) | 2022-04-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| GB2558534A (en) | | Detecting a bad data injection event within an industrial control system |
| Jiang et al. | | Defense mechanisms against data injection attacks in smart grid networks |
| Xiang et al. | | A game-theoretic study of load redistribution attack and defense in power systems |
| Chen et al. | | Novel detection scheme design considering cyber attacks on load frequency control |
| Zhou et al. | | Real-time detection of cyber-physical false data injection attacks on power systems |
| Liu et al. | | False data injection attacks against state estimation in electric power grids |
| Liang et al. | | Cyber attacks on AC state estimation: Unobservability and physical consequences |
| US10362056B1 (en) | | Content-aware spoofed sensor measurement data detection in microgrids |
| Wang et al. | | An accurate false data detection in smart grid based on residual recurrent neural network and adaptive threshold |
| CN110633761A (en) | | A Method of False Data Detection in Power System Based on Improved Kalman Filter |
| CN113094702B (en) | | False data injection attack detection method and device based on LSTM network |
| Shi et al. | | PDL: An efficient prediction-based false data injection attack detection and location in smart grid |
| Alhalali et al. | | Mitigation of cyber-physical attacks in multi-area automatic generation control |
| He et al. | | Detection of false data injection attacks leading to line congestions using Neural networks |
| Singh et al. | | Statistical machine learning defensive mechanism against cyber intrusion in smart grid cyber-physical network |
| Youssef et al. | | False data injection attacks against state estimation in smart grids: Challenges and opportunities |
| Pan et al. | | Data attacks on power system state estimation: Limited adversarial knowledge vs. limited attack resources |
| Verma et al. | | Load redistribution attacks against smart Grids–Models, impacts, and defense: A review |
| Xu et al. | | Admm-based OPF problem against cyber attacks in smart grid |
| Akbarian et al. | | Intrusion detection on critical smart grid infrastructure |
| CN110704838A (en) | | A detection method for malicious data injection attacks based on cyber-physical fusion |
| CN109587145B (en) | | A method, device and device for false data intrusion detection in power network |
| CN109932585B (en) | | Adaptive Binary Search Algorithm for Malicious User Location in Smart Grid Neighborhood Area Network |
| CN119544352A (en) | | Virtual power plant data attack detection method and system based on improved binary tree group |
| CN116915477B (en) | | Error data injection attack detection method and device based on typical variable analysis, electronic equipment and computer readable storage medium |