Cyber Security of Smart Grid Systems Using Intrusion Detection Methods

Ata Arvani and Vittal S. Rao

Texas Tech University
Electrical and Computer Engineering Department
Box 43102, Lubbock, Texas 79409, USA
ata.arvani@ttu.edu, vittal.rao@ttu.edu

ABSTRACT remote terminal units (RTUs) and sent up to the

central control center [1]. In the future smart grid
The wide area monitoring of power systems is systems, the wide area monitoring will be
implemented at a central control center to coordinate
accomplished by collecting system level
the actions of local controllers. Phasor measurement
information in real time by using phasor
units (PMUs) are used for the collection of data in real
time for the smart grid energy systems. Intrusion
measurement units (PMUs) and phasor data
detection and cyber security of network are important concentrators (PDCs). The data obtained from
requirements for maintaining the integrity of wide area PMUs will be used for the state estimation and
monitoring systems. The intrusion detection methods implementation of control strategies for optimal
analyze the measurement data to detect any possible control of smart grid systems [2-4]. The PMUs
cyber attacks on the operation of smart grid systems. In which are also called synchrophasors provide
this paper, the model-based and signal-based intrusion accurate measurements of active power, reactive
detection methods are investigated to detect the power, voltage, current along with phasor angles
presence of malicious data. The chi-square test and in real-time. The data from various remote
discrete wavelet transform (DWT) have been used for
locations will be synchronized with a common
anomaly-based detection. An IEEE 14-bus system is
time source using global positioning systems
simulated using real time digital simulator (RTDS)
hardware platform for implementing attack and
(GPS). In a typical smart grid energy network
detection schemes. synchrophasors are used along with PDCs where
the data is collected. The synchrophasors can
KEYWORDS increase the reliability of power systems
embedded with renewable energy sources, like
Cyber security, wide area monitoring, smart grid, the solar and wind power by triggering the
anomaly-based detection methods, discrete wavelet
corrective actions for accounting the
transform.
unpredictable power generation. The
1 INTRODUCTION synchrophasors hold the key to the future power
systems by increasing the reliability, operational
The generation, transmission, and distribution of efficiency and quality of power distribution [5].
electric power systems embedded with real time Early power system networks used
measurements make the smart grid the most communication standards like DNP3 protocols.
dependable critical infrastructure in the world. The These protocols have limitations to handle real-
present monitoring systems depends on state time data and synchronization with the
estimation, which is based on the supervisory geographically dispersed synchrophasor devices.
control and data acquisition (SCADA) systems for The current PMUs use IEEE C37.118 protocols
the collection of data from field devices such as

ISBN: 978-0-9891305-4-7 ©2014 SDIWC 21

for communication, which defines the message These files are converted to RSCAD for
and communication standards for synchronized implementation on RTDS system. An
networks in real-time. In future electrical power experimental smart grid test bed with hardware-in-
systems, the wide use of PMUs is inevitable and the-loop (HIL) simulation capabilities is available
thus raises the importance of cyber security [6]. at Texas Tech University and a schematic is
There are different methods to detect the shown in Figure 2. These facilities were used to
malicious data. The main objective of this paper is implement attack and intrusion methods.
to investigate the model- and signal-based
intrusion detection methods to reveal any
anomalies in measurement data. The main feature
of model-based method lies in the development of
dynamic models of the power system and using
the chi-square test along with largest normalized
residual to detect and identify the malicious data.
The signal-based method exploits the statistical
properties of the signal and discrete wavelet
transform are used to detect and identify the
malicious data at different levels [7].

2 MODELLING OF IEEE 14-BUS SYSTEM

Figure 2. Schematic of smart grid test bed at Texas Tech
University
The benchmark IEEE 14-bus system has been
investigated by a number of researchers for the
analysis of dynamic system stability, power flow 3 MODEL-BASED INTRUSION DETECTION
analysis and state estimation problems [8]. The METHODS
power system simulator for engineering (PSS/E) is The operation of power system will be
a commercially available software package for compromised due to presence of malicious data in
simulating, analyzing, and optimizing of power the power system measurements. Hence we need
systems. This package has been used to build the an intrusion detection method for the detection of
PSSE files for the IEEE 14-bus system shown in malicious data in the measurements [10]. In this
Figure 1. section we present an intrusion detection method
using static state estimation algorithms. The chi-
square distribution test and largest normalized
residual tests are used to detect and identify the
malicious data [11].

The linear measurement equation is given by:

∆z = H∆x + e (1)

Where ∆z is the measurement vector, H is the

Jacobian coefficient matrix, and e is the error
Figure 1. Schematic diagram of IEEE 14-bus system vector with:

ISBN: 978-0-9891305-4-7 ©2014 SDIWC 22

E e = 0 and cov e = R. The weighted least S is multiplied by the error vector, e, to find the
square (WLS) estimator of the linear state vector measurement residuals, r. The measurement
can be obtained as follows: residual vector is divided by the square root of the
residual covariance matrix, Ω, which is defined as:
∆x = H R H H R ∆z (2)
Ω = SR (9)
And the estimated value of ∆z is:
Thus, normalized value of the residual can be
∆z = H∆x (3) obtained as follows:
121
r0 = (10)
34 56
The intrusion detection method consists of two
steps:
The largest normalized residual will be suspected
1) malicious data detection and 2) identification
as bad data.
of bad data.
We have simulated the IEEE 14-bus system and
The chi-squares test is used to detect the malicious
its measurement configuration for the
data and the largest normalized residual test is
demonstration of intrusion detection methods [8].
then used to identify the bad data.
The objective function can be obtained for The number of state variable, n, for this system is
corresponding measurements: 27, made up of 14 bus voltage magnitudes and 13
bus voltage phase angles, slack bus phase angle
being excluded from the state list. There are
J x = (4) altogether m = 41 measurents, i.e., 1 voltage
magnitude measurement, 8 pairs of real/reactive
Chi-square distribution table corresponding to a power injections, and 12 pairs of real/reactive
detection confidence with probability p and degree flows. The degrees of freedom for the approximate
of freedom can be obtained as follows: chi-square distribution of the objective function
J x will be:
p = Pr J x ≤ (
(5) m − n = 41 − 27 = 14
% ,'

( The real power injection at bus 2 is manipulated

If J x ≥ % ,'
the bad data will be suspected.
by the man-in-the-middle intentionally, to
The largest normalized residual test can be used to simulate bad data as shown in Table 1.
identify bad data.
Table 1. Real power manipulation at bus 2
A gain matrix is defined as:
Measurement No bad One bad
G=H R H (6) Type data data
P( 0.183 0.483
And the hat matrix is:
K = HG H R (7) Tables 2 and 3 illustrate the state estimation of
IEEE 14-bus system without malicious data and
The hat matrix, K, is used to find the residual with malicious data, respectively.
sensitivity matrix, S, where I is the identity matrix:
S= I−K (8)

ISBN: 978-0-9891305-4-7 ©2014 SDIWC 23

 Table 2. IEEE 14-Bus system without malicious data
Bus Number Estimated State
(No Bad Data)
V θ?
1 1 0.00
2 1.0068 0.00
3 0.9899 -5.5265
4 0.9518 -14.2039
5 0.9579 -11.4146
6 0.9615 -9.7583
7 1.0185 -16.0798
Figure 3. Active power at bus No 2
8 0.9919 -14.7510
9 1.0287 -14.7500
The normalized residual tests are used to detect
10 0.9763 -16.5125
and eliminate the bad data for this measurement
11 0.9758 -16.7476
12 0.9932 -16.5397
set. The weighted least squares (WLS) state
13 1.0009 -17.0203
estimator results for the significant measurement
14 0.9940 -17.0583 residuals shows that the power injection at bus 2 is
detected as bad data and ignored from the
Table 3. IEEE 14-Bus system with malicious data measurement set. We verified the efficiency of the
model-based algorithm using chi-square test and
Bus Number Estimated State largest normalized residual for detecting the
(One Bad Data)
malicious data.
V θ?
1 1 0.00
2 0.9897 0.00 4 SIGNAL-BASED INTRUSION
3 0.9731 -5.5304 DETECTION METHODS
4 0.9329 -14.9925
5 0.9370 -12.3482 A brief review of discrete wavelet transform
6 0.9407 -10.6143 (DWT) is presented in this section [12]. DWT is a
7 0.9992 -17.2033 mathematical tool to decompose signals and is
8 0.9717 -15.8285
used to extract information in different resolution
9 1.0094 -15.8269
10 0.9559 -17.6649 levels. Wavelet transform breaks the signal into its
11 0.9554 -17.9071 wavelets, which are scaled and shifted versions of
12 0.9733 -17.6846 a signal waveform known as the mother wavelet.
13 0.9812 -18.1813
Wavelet analysis is suitable for revealing scaling
14 0.9742 -18.2210
properties of the temporal and frequency dynamics
The test threshold at 0.95% confidence level is simultaneously. The irregularity in shape and
obtained by MATLAB function: compactly supported nature of wavelets make
yE 2FG ?H4 = chi2inv 0.95, 14 = 23.68 wavelet analysis an ideal tool for analyzing signals
For the first case (No malicious data), J x = of a non-stationary nature. Their fractional nature
7.637 < 23.68, bad data will not be suspected. allows them to analyze signals with discontinuities
For the second case (with malicious data in real or sharp changes, while their compactly supported
power injection at bus 2), J x = 241.74 > nature enables temporal localization of a signal’s
23.68, bad data will be suspected. features. A one-dimensional discrete wavelet
Figure 3 shows the active power at bus number 2 transform is composed of decomposition
for the IEEE 14-bus system. (analysis) and reconstruction (synthesis). Discrete
wavelet transform produces two sets of constants

ISBN: 978-0-9891305-4-7 ©2014 SDIWC 24

 500
Corrupted Signal
450
Original Signal
term as approximation and detail coefficients. The

Current magnitude
400

350
approximation coefficients are the high scale, low 300

frequency components and the detail coefficients 250

200

are the low scale, high frequency components. The 150

100
signal is passed through a series of high pass and 50
0 100 200 300 400 500
Time stamp
low pass filters to analyze respective functions at Figure 6. Original and corrupted data of current signal
each level. Wavelet analysis starts by selecting
We employ Haar filter and compute the one-
basic wavelet function, called the mother wavelet.
dimensional discrete wavelet transform up to 5
The Haar wavelet is chosen as the mother wavelet,
levels. In order to obtain the thresholds for
the corresponding scaling function and wavelet
anomaly-based intrusion detection the
function are calculated. We can express these
distribution of the wavelet reconstructed signal
functions as a linear combination of low-pass filter
without anomaly should be analyzed. Then,
and high-pass filter. For a given signal,
normality is verified by Lilliefors test for
approximation and detail coefficients can be
goodness of fit to normal distribution [16-18].
obtained by convolving low-pass filter and high-
This has a normal distribution at 5%
pass filter followed by down sampler,
significance level. We can detect anomaly-
respectively. Anomaly detection of malicious data
based intrusion by choosing some of the levels
consists of three parts as shown in Figure 4. The
through selective reconstruction. Table 4 and
first part is the PMU signal from the power
Table 5 show some statistical properties of
system. The second part consists of discrete
original and corrupted data of voltage and
wavelet transformation to analyze the signal [13-
current signal. It should be noted that the
15]. In the third part, the threshold values are
original data could be considered as Gaussian
compared for the determination of the anomalies
white noise, and anomaly could be considered
in the signal.
as random signal. For any random variable,
choosing ±3 confidence interval yields to:

P μ − 3σ < S ≤ μ + 3σ ≈ 99.7% (11)

Figure 4. Anomaly-based intrusion detector

The benchmark and corrupted data of voltage This interval corresponds to 99.7% confidence
and current are shown in Figures 5 and 6, level, which means that we can detect
respectively. Discrete wavelet transform is used anomalies with 0.3% error rate.
to analyze the measured signal, by calculating
the statistical properties of the signal.
4
x 10
1.1
Corrupted Signal
Original Signal
1.09
Voltage magnitude

1.08

1.07

1.06

1.05

1.04
0 100 200 300
Time stamp
400 500
Figure 7. Wavelet decomposition of original voltage
Figure 5. Original and corrupted data of voltage signal signal

ISBN: 978-0-9891305-4-7 ©2014 SDIWC 25

 Figure 8. Wavelet decomposition of corrupted voltage Figure 9. Thresholds values and detail coefficients at
signal different levels of voltage signal
The PMU signals are analyzed at different We can set the thresholds for each level, which
resolution levels. Figures 7 and 8 show the are equivalent to ±3 confidence level to detect
approximation and detail coefficients of the anomalies. DWT provides good detection of
original and corrupted signal of voltage up to anomalies at different levels.
level 5. By comparing the analyzed information We have repeated the procedure for current
with thresholds it is possible to detect the signals. The detail and approximation
anomalies and alert the operator regarding the coefficients of original current signal and
presence of anomalies in the data. In order to corrupted current signals are shown in Figures
detect shorter anomalies we have analyzed the 10 and 11, respectively.
signal at higher level such as 1 and 2. For
example, by selecting the thresholds at level 1
to -0.2832 and 0.2832 respectively, which is
equivalent to ±3 we can detect the anomalies
with error rate of 0.3%. Table 4 shows the
statistical parameters of voltage signal like
standard deviation for original and corrupted
data.
Figure 10. Wavelet decomposition of original current
Table 4. Statistical properties of voltage signal
signal
Original data of voltage Corrupted data of
magnitude voltage magnitude

Standard Standard
Level Threshold Level
deviation
deviation

1 0.0944 0.2832 1 5.121

2 0.1265 0.3795 2 4.854

3 20.67 62.01 3 21.64 Figure 11. Wavelet decomposition of corrupted current

signal
4 47.13 141.39 4 48.11
Table 5 shows the statistical parameters of
5 102.2 306.60 5 101.4 current signal like standard deviation for
original and corrupted data.

ISBN: 978-0-9891305-4-7 ©2014 SDIWC 26

 Table 5. Statistical properties of current signal 5 CONCLUSIONS

Original data of current Corrupted data of Wide-area monitoring and control that coordinates
magnitude current magnitude the various devices of the power system to
improve system-wide dynamic performance and
Standard stability is being implemented in the smart grids.
Standard
Level Threshold Level
deviation These critical devices usually have the most
deviation
significant impacts on power system oscillation,
1 5.122 15.36 1 13.57 damping, performance and stability. The cyber
security and the data integrity are very important
2 4.84 14.52 2 14.94
for successful integration of phasor measurement
3 17.86 53.58 3 19.47 units for automatic control of electric power
4 42.86 128.58 4 43.44 systems. In this paper a cyber security tool is
developed and presented for intrusion detection.
5 111.4 334.2 5 110
We have simulated an IEEE benchmark 14-bus
system using RTDS system. The bench mark and
malicious data has been generated in our
laboratory. The proposed cyber security tool for
the detection of intrusion detection has been
successfully employed on this data. The results are
very satisfactory. The detection method depends
on the selection of threshold values. In the future
we will be comparing this method with the
methods based on measurement residual detection
methods.

Figure 12. Thresholds values and detail coefficients at 6 ACKNOWLEDGMENTS

different levels of current signal
The authors gratefully acknowledge support of the
Figures 9 and 12 show the detail coefficients and
National Science Foundation through a grant
corresponding thresholds for original and
ECCS- 1040161 for acquiring the research
corrupted signal at different levels up to 5. The
instrumentation used in this research work.
values located on the top and bottom of the
thresholds indicate that intrusion has been 7 REFERENCES
occurred in the network. For the corrupted voltage
and current signals, Figures 9 and 12, the detail
[1] Leirbukt, A.; Breidablik, O.; Gjerde, J.O.; Korba, P.;
coefficients at levels 1 and 2 are greater than the Uhlen, K.; Vormedal, L.K., “Deployment of a SCADA
integrated wide area monitoring system”, Transmission
corresponding thresholds and the malicious data and Distribution Conference and Exposition: Latin
has been detected. The results show that the use of America, 2008 IEEE/PES, pp. 1 – 6., Aug 2008.
signal-based method successfully detected the [2] Hong Li; Weiguo Li, "A new method of power system
anomalies in the data. state estimation based on wide-area measurement
system," Industrial Electronics and Applications, 2009.
ICIEA 2009. 4th IEEE Conference, pp.2065-2069, 25-
27 May 2009.

ISBN: 978-0-9891305-4-7 ©2014 SDIWC 27

[3] Monticelli, “Electric Power System State Estimation”,
Proceedings of the IEEE, Vol. 88, No. 2, Feb. 2000 pp. [17] A. Monticelli, F. F. Wu, and M. Y. Multiple. Bad data
262-282. identification for state estimation by combinatorial
optimization. IEEE Transactions on Power Delivery,
[4] L. Zhao, A. Abur, “Multi Area State Estimation Using 1(3):361–369, July 1986.
Synchronized Phasor Measurements,” IEEE
Transactions on Power Systems, Vol. 20, No. 2, pp. [18] Y. Liu and P. Ning and M. K. Reiter, “False Data
611-617, May 2005. Injection Attacks against State Estimation in Electric
Power Grids”, Proc. of the 16th ACM conference on
[5] XiaoYun Chen; DongMei Zhao; Xu Zhang, "A Novel Computer and communications security, Nov. 2009.
Voltage Stability Prediction Index Based On Wide Area
Measurement," Power and Energy Engineering
Conference (APPEEC), 2010 Asia-Pacific ,Vol., No.,
pp.1-4, 28-31 March 2010.

[6] Luitel, B.; Venayagamoorthy, G.K.; Johnson, C.E.,

“Enhanced wide area monitoring systems”, Innovative
Smart Grid Technologies, pp. 1-7, Jan. 2010.

[7] Seong Soo Kim; Reddy, A.L.N., "Statistical Techniques

for Detecting Traffic Anomalies Through Packet Header
Data," Networking, IEEE/ACM Transactions on,
Vol.16, No.3, pp.562-575, June 2008.

[8] L.L. Freris, A.M. Sasson, “Investigation of the Load-

Flow Problem,” Proceedings of IEE, Vol. 115, No. 10,
pp. 1459-1470, 1968.

[9] Meikang Qiu; Wenzhong Gao; Min Chen; Jian-Wei

Niu; Lei Zhang , “Energy Efficient Security Algorithm
for Power Grid Wide Area Monitoring System”, IEEE
Transactions on Smart Grid , Vol. 2, No. 4, pp. 715 –
723, Dec. 2011.

[10] Denning, D.E., "An Intrusion-Detection Model,"

Software Engineering, IEEE Transactions on, Vol.SE-
13, No.2, pp. 222- 232, Feb. 1987.

[11] A. Abur and A. G. Expósito, "Power System State

Estimation: Theory and Implementation." Boca Raton,
FL: CRC, 2004.

[12] Mallat, A wavelet tour of signal processing. Academic

Press, 1998.

[13] C. T. Huang, S. Thareja, and Y. J. Shin, “Wavelet based

real time detection of network traffic anomalies,” in
Securecomm and Workshops, 2006, pp. 1–7, 2006.

[14] J.Gao, G. Hu,X. Yao, and R. K. C. Chang, “Anomaly

detection of network traffic based on wavelet packet,”
in Proceedings of the Asia- Pacific Conference on
Communications (APCC ’06), pp. 1–5, Busan, Korea,
August 2006.

[15] Seong Soo Kim , A. L. Narasimha Reddy , Marina

Vannucci, “Detecting traffic anomalies using discrete
wavelet transforms“, Proceedings of International
Conference on Information Networking (ICOIN),
Busan, Korea.

[16] Kosut, O.; Liyan Jia; Thomas, R.J.; Lang Tong; ,

"Malicious Data Attacks on Smart Grid State
Estimation: Attack Strategies and Countermeasures,"
Smart Grid Communications (SmartGridComm), 2010
First IEEE International Conference on , Vol., No.,
pp.220-225, 4-6 Oct. 2010.

ISBN: 978-0-9891305-4-7 ©2014 SDIWC 28