An Intrusion Detection Method for Line Current Differential Relays in Medium-Voltage DC Microgrids

Amir Ameli, Khaled A. Saleh, Aram Kirakosyan, Ehab F. El-Saadany, Magdy M.A. Salama

Research output: Contribution to journalArticlepeer-review

17 Scopus citations


Line current differential relays (LCDRs) detect faults accurately and promptly, by comparing all currents flowing into the line. This type of relay has been identified in the literature as a reliable protection for lines in DC microgrids (MGs). LCDRs, however, lack the required resiliency against cyber intrusions, such as false data injection attacks (FDIAs) and time synchronization attacks (TSAs), due to their high dependence on communication infrastructure and/or the Global Positioning System (GPS). This paper first introduces coordinated attacks - i.e., several almost-simultaneous FDIAs or TSAs that are carried out independently to achieve a specific objective - as potential threats for MGs. Then, through a case study, it shows how coordinated FDIAs and TSAs can initiate a sequence of events that result in instability of an entire MG. Afterwards, an approach is presented to detect FDIAs and TSAs, and to distinguish them from real faults. The proposed method is comprised of passive oscillator circuits (POCs) installed in series with each converter. During faults, the resultant RLC circuit causes the POCs to resonate and generate a damped sinusoidal component with a specific frequency, i.e., f_{d}. However, f_{d} is not generated during FDIAs and TSAs, since unlike faults, which are physical events that trigger the natural frequencies of a system, cyber-attacks happen in the cyber layer without provoking natural frequencies of the physical layer. Thus, an LCDR pickup without detecting f_{d} denotes an FDIA or a TSA. Since f_{d} is locally measured and analyzed by each LCDR, the proposed detection approach cannot be targeted by cyber-attacks. The proposed method is evaluated on a simulated ±2.5 kV DC MG. Numerical analysis confirms that the proposed method (i) is system-independent; (ii) detects FDIAs and TSAs in less than 1 ms; (iii) is sensitive to high-resistance faults; (iv) can determine fault types, and (v) reduces faults' peak currents.

Original languageBritish English
Article number9083955
Pages (from-to)3580-3594
Number of pages15
JournalIEEE Transactions on Information Forensics and Security
StatePublished - 2020


  • Cyber-physical systems
  • cyber-security
  • DC microgrid
  • line current differential relay
  • passive circuit
  • protection


Dive into the research topics of 'An Intrusion Detection Method for Line Current Differential Relays in Medium-Voltage DC Microgrids'. Together they form a unique fingerprint.

Cite this