Developing Cyber-Immune Line Current Differential Relays Using the Relay Measurements, Machine Learning, and Physical Models

Abstract

The electric grid is one of the most critical complex systems on which people depend. To operate efficiently and autonomously, the electric grid employs a cyber layer comprised of information and communication technologies (ICTs) integrated with the physical layer. Today, many of the protection and control schemes, which are responsible for responding to abnormalities and stabilizing the system, respectively, are communication-dependent. This dependence opens doors to cyberattacks on smart grids. This thesis contributes to enhancing the cybersecurity of smart grids by proposing novel approaches to detect and mitigate cyberattacks on critical components, namely line current differential relays (LCDRs).

LCDRs are now widely used for protecting critical transmission lines, such as those carrying Gigawatts of power, thanks to industrial advancements in (ICTs). LCDRs are mainly used due to their fast, sensitive, selective, and secure performance. They are used in both AC and DC systems. In addition to transmission systems, LCDRs can be used to protect lines in inverter-based microgrids, which can have a high penetration of renewables and can be either AC, DC, or hybrid AC-DC microgrids.

Currently, the architecture of LCDRs is designed to respond to internal faults on the protected line by comparing the local and remotely communicated current measurements. Despite their advantages, LCDRs rely on vulnerable communication networks, i.e., to swap the needed current measurements, making them vulnerable to cyber-induced attacks. These attacks are different in mechanism and objective. From a mechanism standpoint, they include false-data-injection attacks, time-synchronization attacks, relay attacks, replay attacks, and man-in-the-middle attacks.

From a power systems’ standpoint, the first problem with LCDRs’ architecture is that it cannot distinguish between real faults and cyber-induced attacks whose goal is to cause false tripping of the line protected by the LCDR. When performed under normal operation of the power system, this type of attack is known as a direct false-tripping attack (DTA). Additionally, an LCDR’s remote measurements can be manipulated to fool the LCDR into tripping its line once a fault on an adjacent line occurs, referred to as a sympathetic-tripping attack (STA). Further, a cyberattack can stealthily manipulate the remote measurements of a certain LCDR to disguise faults on the protected line so they remain undetected by this LCDR, known as a fault-masking attack (FMA). The main contribution of this thesis is developing cyber-immune LCDRs. To achieve this objective, the thesis presents four novel frameworks for precisely detecting different cyberattacks targeting LCDRs in different operating modes and environments.

The first framework proposed for LCDRs comprises an anomaly-based scheme (ABS) for detecting direct false-tripping attacks against LCDRs, in the form of relay attacks, replay attacks, general false-data-injection attacks, and time-synchronization attacks. The proposed ABS uniquely relies only on the LCDR’s local measurements, which cannot be easily manipulated by cyberattacks. The ABS employs the Isolation Forest algorithm, which is trained on features determined from local current measurements to confirm real faults and differentiate them from false-tripping attacks. After employing the proposed ABS within an LCDR, no trip command will be issued unless the sensed fault is confirmed as a non-attack by the ABS. This approach allows the detection of DTAs on LCDRs regardless of the attack’s mechanism.

Continuing with LCDRs, the second framework is dedicated to detecting FMAs using a two-module framework. The first module is a Mismatch Index (MI) developed from the protected transmission line’s equivalent physical model. The MI is triggered only if there is a significant mismatch in the LCDR’s local and remote measurements while the LCDR itself is untriggered, which indicates an FMA. After the MI is triggered, the second module, a neural network-based classifier, promptly confirms that the triggering event is a physical fault that lies on the line protected by the LCDR before declaring the occurrence of an FMA.

The third framework is primarily designed to detect STAs on LCDRs, which are more stealthy than false-tripping attacks occurring on a healthy power system with no fault. Under STAs, the LCDR’s local measurements are disrupted due to an external fault, making the detection of STAs non-straightforward. To solve this problem, a generic scheme is developed to protect LCDRs from STAs, and also from DTAs and FMAs. The proposed scheme utilizes a deep neural network (DNN), trained offline on features extracted from the current and voltage measurements available for LCDRs. The trained DNN model can then be implemented within LCDRs. This scheme actively differentiates between authentic and manipulated LCDR measurements to detect and mitigate possible cyberattacks.

The fourth presented framework comprises a model-free intrusion detection system (IDS) for LCDRs in islanded hybrid inverter-based AC-DC microgrids (IHIMs), where the system inertia is negligible and fault-current levels are limited, which was not considered by any of the previous works. The proposed IDS employs a recurrent neural network to differentiate between faults and FDIAs and informs the LCDR of the legitimacy of fault conditions before the LCDR executes the trip. The novelty of the proposed IDS lies in how it leverages the time-series nature of local and remote measurements to enhance performance. Further, it relies solely on the LCDR’s current measurements without employing AC- or DC-specific features making it applicable to both AC and DC sides of IHIMs.

The above four developed solutions have been tested on multiple benchmark systems as applicable, including the IEEE 9-bus transmission system, the IEEE 39-bus benchmark for transmission systems, and an islanded inverter-based microgrid modified from the IEEE 33-bus distribution system. The results obtained throughout this thesis show that the four proposed frameworks can accurately detect different cyberattacks targeting LCDRs installed in different environments, with accuracies ranging from 100%–97.13% depending on the type of LCDR, type of attack, the type and size of the power system, and the level of encountered systems variations, dynamics, and measurement noise. The proposed frameworks do not deprive augmented LCDRs of their protective merits.

Date of Award	20 May 2024
Original language	American English
Supervisor	Ehab Fahmy El Sadaany (Supervisor)