
A System And Method For Cyber Attack Recognition And Response In Power Plants

Abstract: The present invention relates to a system and method for cyber-attack recognition and response in power plants. It is a multi-layered detection and response mechanism that improves upon existing backup switching strategies by enabling a seamless transition to redundant controllers during a confirmed cyber event, which increases the reliability and resilience of the overall power generation control architecture. The invention interfaces with the existing communication infrastructure between power plants and control centres without significant hardware redesign, and it operates with the IEC protocols already in use, enabling integration with substations and control devices already deployed in the field. It improves upon current anomaly detection systems by specifically addressing conditions that are typically overlooked, such as the zero-product condition of frequency deviation and power mismatch (ΔF × ΔP = 0), and incorporates logic to evaluate such scenarios for latent threats, thereby filling a critical gap in existing methods. To be published with Figures 5 and 6.
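The abstract names the ΔF × ΔP = 0 condition and a failover to a redundant controller on a confirmed event, but Figures 5 and 6 are not reproduced on this page. The following is an added example, not the patent's own logic, of how such a check can be implemented on AGC telemetry. The product is zero whenever either factor is zero, so the checker distinguishes the cases rather than testing the product directly; the cause labels (a frequency channel that reads flat while power moves, a power channel that reads flat while frequency moves, a command in flight with no observable response), the zero tolerance, the confirmation window and the sample data are all assumptions of this example. Because ΔF legitimately crosses zero during a normal transient, a single hit is not acted on; only a run of consecutive hits triggers the switch.

```python
"""Added example (not from the patent): a window-based checker for the
zero-product condition dF * dP == 0 on AGC telemetry, with failover to a
redundant controller once the condition is confirmed.

Assumptions (the patent text on this page defines none of these): the zero
tolerance, the confirmation window, the cause labels and the telemetry values
are illustrative."""
from dataclasses import dataclass, field
from typing import List, Optional

ZERO_TOL = 1e-4      # assumed: |x| below this is treated as exactly zero
CONFIRM_SAMPLES = 3  # assumed: consecutive flagged samples before failover


@dataclass
class Sample:
    t: float             # seconds
    delta_f: float       # frequency deviation, Hz
    delta_p: float       # power mismatch (generation minus schedule), MW
    setpoint_cmd: float  # magnitude of the AGC raise/lower command in flight, MW


def classify_zero_product(s: Sample) -> Optional[str]:
    """Return a latent-threat label when dF * dP == 0 is suspicious, else None.
    A quiescent grid (both deviations and the command near zero) is benign."""
    f0 = abs(s.delta_f) < ZERO_TOL
    p0 = abs(s.delta_p) < ZERO_TOL
    if not (f0 or p0):
        return None                  # product non-zero: ordinary coupled deviation
    if f0 and not p0:
        return "frozen_frequency"    # power moves but frequency reads flat
    if p0 and not f0:
        return "frozen_power"        # frequency moves but power telemetry reads flat
    if abs(s.setpoint_cmd) >= ZERO_TOL:
        return "stale_feedback"      # command in flight, yet nothing responds
    return None


@dataclass
class Controller:
    name: str


@dataclass
class AgcGuard:
    primary: Controller
    standby: Controller
    active: Optional[Controller] = None
    streak: int = 0                  # consecutive flagged samples
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary

    def ingest(self, s: Sample) -> Optional[str]:
        """Feed one sample; switch to the standby controller on a confirmed run."""
        label = classify_zero_product(s)
        if label is None:
            self.streak = 0          # a clean sample breaks the run
            return None
        self.streak += 1
        if self.streak >= CONFIRM_SAMPLES and self.active is self.primary:
            self.events.append(
                f"t={s.t:.1f}s confirmed {label}; failover to {self.standby.name}")
            self.active = self.standby
        return label


def run_demo() -> AgcGuard:
    guard = AgcGuard(Controller("AGC-A"), Controller("AGC-B"))
    # constructed telemetry, 1 s apart: normal coupled deviation, one transient
    # zero crossing of dF, then a frequency channel that stays flat while the
    # power mismatch keeps growing
    telemetry = [
        Sample(0, -0.020, 18.0, 12.0),
        Sample(1, -0.015, 14.0, 12.0),
        Sample(2,  0.000,  6.0, 12.0),   # transient crossing: flagged, not confirmed
        Sample(3,  0.010, -4.0, 12.0),   # clean sample resets the run
        Sample(4,  0.000, 22.0, 12.0),   # frequency reads flat from here on
        Sample(5,  0.000, 25.0, 12.0),
        Sample(6,  0.000, 27.0, 12.0),   # third consecutive hit: failover
        Sample(7,  0.000, 29.0, 12.0),
    ]
    for s in telemetry:
        guard.ingest(s)
    return guard


if __name__ == "__main__":
    g = run_demo()
    print(g.events, "active:", g.active.name)
```

The confirmation window trades detection latency for immunity to the zero crossings every AGC transient produces; in a deployment the window and tolerance would be tuned against recorded normal operation, and the standby controller would itself need to be fed from an independent measurement path, otherwise the failover inherits the same spoofed signal.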


Patent Information

Filing Date: 19 September 2025
Publication Number: 43/2025
Publication Type: INA
Invention Field: COMMUNICATION

Applicants

DIVYASAMPARK IHUB ROORKEE FOR DEVICES MATERIALS AND TECHNOLOGY FOUNDATION
Indian Institute of Technology Roorkee, Roorkee, Uttarakhand

Inventors

1. PULAKRAJ ARYAN
Department of Water Resources Development and Management (WRD&M), and Center for Sustainable Energy (CFSE), Indian Institute of Technology Roorkee, Roorkee-247667, Uttarakhand
2. MOHAMMAD YASIR NAZIR
Department of Water Resources Development and Management (WRD&M), and Center for Sustainable Energy (CFSE), Indian Institute of Technology Roorkee, Roorkee-247667, Uttarakhand
3. THANGA RAJ CHELLIAH
Department of Water Resources Development and Management (WRD&M), and Center for Sustainable Energy (CFSE), Indian Institute of Technology Roorkee, Roorkee-247667, Uttarakhand

Specification

Description: FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
The Patent Rules, 2003
COMPLETE SPECIFICATION
(See section 10 and rule 13)
1. TITLE OF THE INVENTION
A SYSTEM AND METHOD FOR CYBER-ATTACK RECOGNITION AND RESPONSE IN POWER PLANTS
2. APPLICANT(S)
Name: DIVYASAMPARK IHUB ROORKEE FOR DEVICES MATERIALS AND TECHNOLOGY FOUNDATION
Nationality: IN
Address: Indian Institute of Technology Roorkee, Roorkee-247667, Uttarakhand, India.
3. PREAMBLE TO THE DESCRIPTION
COMPLETE SPECIFICATION

The following specification particularly describes the invention and the manner in which it is to be performed.

FIELD OF INVENTION:
[001] The present invention relates to the field of grid management technologies, and in particular to a system and method for cyber-attack recognition and response in power plants that takes the operational constraints of real-time automatic generation control (AGC) into account.
DESCRIPTION OF THE RELATED ART:
[002] The introduction of information and communication technologies such as digital systems and networks into industrial control systems, including those of nuclear power plants, has improved the reliability, operability and maintainability of power plants, but cyber threats to digital systems are increasing. Cyber threats to industrial control systems, like those in the IT field, used to target mainly information and communication systems such as networked servers. Recently, however, cases in which power plants are put into dangerous conditions by manipulating sensor signals or control logic in control systems such as PLCs (Programmable Logic Controllers) and DCSs (Distributed Control Systems), or by manipulating HMI (Human Machine Interface) information, have been increasing steadily. Nuclear power plants in particular can suffer serious harm to the environment and to human life through radioactive material leaks, as well as economic losses, in the event of an accident caused by a cyber threat, so a system that detects cyber attacks on the control system is indispensable. However, most cyber threat detection systems for nuclear power plants are designed to detect attacks on network-based information systems, and it is difficult for them to detect intelligent and complex attacks on control systems. Existing IT security technologies can detect abnormal packets by analysing network protocols and data characteristics, but they cannot determine whether the information in a packet is consistent with the plant's operating and control conditions.
[003] Reference may be made to the following:
[004] Publication No. KR20250083877 relates to a cyber-attack detection system for sensor signals of a nuclear power plant. The system includes a data collector that collects control signals, sensor signals and diagnostic signals from a control system of the nuclear power plant comprising a controller, an actuator, a plant and a sensor; a state estimator that estimates the current state value of the control system; and a threat determiner that accumulates the differences between the estimated value (the optimally estimated state value from the state estimator) and the predicted value (the state value predicted by a plant model), and determines that a cyber threat exists when the accumulated difference exceeds a critical range.
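The accumulate-and-threshold idea in [004] is easy to mis-implement: an instantaneous residual test misses a small, persistent sensor bias, while an unbounded accumulator eventually fires on honest noise. The block below is an added example, not the cited publication's code, of the accumulated-residual form: a plant model predicts the next state, an estimator corrects that prediction with the sensor reading, and the magnitude of the correction is summed until it leaves a critical range. The scalar first-order model, the estimator gain, the threshold and the injected sensor bias are assumptions chosen so the honest run produces an exactly zero residual and the attacked run crosses the threshold a few steps after the injection starts.

```python
"""Added example (not from KR20250083877 or the present patent): accumulate the
gap between the estimator's state and the plant model's prediction, and flag a
threat when the accumulated gap exceeds a critical range.

Assumptions: discrete scalar plant x[k+1] = A*x[k] + B*u[k], a fixed estimator
gain, a fixed threshold, and a constant control input with an additive sensor
bias injected from a chosen step. All values are illustrative."""
from typing import List, Optional, Tuple

A, B = 0.9, 0.5   # assumed plant model coefficients
GAIN = 0.6        # assumed estimator blend: how much of the sensor reading is trusted
THRESH = 2.0      # assumed critical range on the accumulated residual


def detect(controls: List[float], sensor: List[float]) -> Tuple[List[float], int]:
    """Return (accumulated residual after each step, index of the first step
    at which the accumulated residual exceeds THRESH, or -1 if never)."""
    x_est = 0.0
    acc = 0.0
    trace: List[float] = []
    flag_at = -1
    for k, (u, y) in enumerate(zip(controls, sensor)):
        x_pred = A * x_est + B * u              # plant-model prediction of this step
        x_est = x_pred + GAIN * (y - x_pred)    # estimate corrected by the sensor
        acc += abs(x_est - x_pred)              # accumulate |estimate - prediction|
        trace.append(acc)
        if acc > THRESH and flag_at < 0:
            flag_at = k
    return trace, flag_at


def make_telemetry(steps: int = 20, attack_from: Optional[int] = None,
                   bias: float = 1.5) -> Tuple[List[float], List[float]]:
    """Constructed telemetry: the same plant model driven by a constant input,
    with a sensor bias injected from step attack_from onward (None = honest)."""
    controls = [1.0] * steps
    sensor: List[float] = []
    x_true = 0.0
    for k, u in enumerate(controls):
        x_true = A * x_true + B * u
        spoof = bias if attack_from is not None and k >= attack_from else 0.0
        sensor.append(x_true + spoof)
    return controls, sensor


def run_demo() -> Tuple[List[float], int]:
    """Sensor bias of +1.5 from step 10; the accumulator crosses 2.0 at step 15."""
    return detect(*make_telemetry(attack_from=10))


if __name__ == "__main__":
    trace, flag = run_demo()
    print("flagged at step", flag, "accumulated residual", round(trace[flag], 3))
```

With a matching model the honest residual is zero, so here the accumulator is a pure sum; with real process and measurement noise it would need a forgetting factor or a finite window, and the threshold would be set from the residual distribution observed during known-good operation.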
[005] Publication No. JP2018190081 relates to a monitoring control device for a plant that can maintain the safety of the plant even if a cyber attack compromises the soundness of plant control by a control device. The monitoring control device includes: a first control device that receives the operating state of a nuclear power plant and outputs a drive control signal to plant equipment; a second control device, electrically independent of the first, that receives the operating state of the nuclear power plant and outputs a drive control signal to the plant equipment; and a switching device that outputs the drive control signal from the second control device to the plant equipment in preference to the drive control signal from the first control device.
[006] Publication No. KR20210111081 relates to a system and method for cyber security analysis in nuclear facilities. The system includes: a physical device that physically replicates a special system of a nuclear power plant; a simulator that simulates the entire operation of the nuclear power plant including the special system and synchronises the control signals applied to the special system with the physical device in real time; and a cyber security analysis device that executes a cyber attack on a control module (PLC) or local user interface (local HMI) of the physical device through the network connecting the physical device and the simulator, and collects the data transmitted by accessing that network.
[007] Publication No. KR20180097395 relates to a method and system for monitoring the cyber security of a digital system in a nuclear power plant, which collect the state information (log information) of the digital measurement control system (digital safety system and non-safety system) of a nuclear power plant subjected to a cyber attack, in order to identify abnormal signs in the digital measurement control system.
[008] Publication No. JP2017198836 relates to a cyber terrorism security simulator intended to improve cyber terrorism response techniques: identifying more precisely the facilities under attack, removing the causative factors, and restoring the facilities when nuclear power generation plant facilities are subjected to a cyber terrorism attack.
[009] Publication No. CN111431214 relates to a power grid automatic generation control method, system and medium that consider network loss. The method comprises the following steps: calculating the sensitivity of power variation and network loss variation for each grid-connected power plant; and calculating, from that sensitivity, a power-increase gain coefficient α_i and a power-decrease gain coefficient β_i for each grid-connected power plant that account for network loss.
[010] Publication No. JP2017129894 relates to a cyberattack detection system capable of detecting a latest cyberattack. A correlation control function integrally controls a security event including cyber security information, a facility state indicating a normal or abnormal state of a facility inside an atomic power plant, and a plant parameter indicating an operation state of a facility inside the plant, all of which are outputted from an atomic digital instrumentation control system, as well as defines a correlation of the security event, the facility state, and the plant parameter in a normal operation of the facilities.
[011] Publication No. IN202511042771 relates to a system for the continuous supply of electrical power to a utility grid, which includes one or more energy generation units that generate electric power for supply to the utility grid, and a wound-rotor induction generator. A first end of the shaft of the wound-rotor induction generator receives the electric power generated by the one or more energy generation units, jointly or from at least one energy unit, by continuously rotating the shaft of the wound-rotor induction generator, so that continuous power is supplied to the utility grid through the coupled stator and/or rotor of the wound-rotor induction generator; the quantum of power supplied depends upon the shaft speed of the wound-rotor induction generator.
[012] Publication No. KR101553891 relates to a cyber security monitoring method and system for a digital safety system in a nuclear power plant, which detect abnormality of the digital safety system and prepare a countermeasure by collecting the state information of the digital safety system in response to a cyber attack on the digital safety system in the nuclear power plant.
[013] Publication No. US2024129339 relates to systems, devices, and methods for improving cybersecurity in electric power systems. A local controller configured for use in an electric power system may include a measurement subsystem to receive a plurality of conditions related to electrical conditions in a microgrid. A communication subsystem may communicate a set of data related to conditions in the microgrid to a remote controller; and receive a plurality of requests for control actions from the remote controller.
[014] Patent No. US11960312 relates to a power supply for an industrial control system or any system that includes a distributed power supply network. In embodiments, the power supply comprises: a battery module including a battery cell and a battery monitor configured to monitor the battery cell; and a self-hosted server operatively coupled with the battery module, the self-hosted server being configured to receive diagnostic information from the battery monitor and provide network access to the diagnostic information.
[015] Publication No. KR101378057 relates to a device for analyzing cyber security requirements of a digital measurement control system, in a nuclear power plant, which is capable of protecting resources of the digital measurement control system in the nuclear power plant from cyber threat (attack) and a method thereof. The present invention predefines a model which corresponds to the digital measurement control system of the nuclear power plant, detects first security levels of resources which are included in the predefined model, detects second security levels of unique attributes of the resources, generates a security regulation guide which guides detected security level to satisfy a predefined security standard and outputs the generated security regulation guide to the corresponding resource when detecting the security level which is below the predefined security level between the first and second security levels.
[016] Publication No. US2022357729 relates to an industrial asset that may have monitoring nodes generating current monitoring node values representing the current operation of the asset. An abnormality detection computer may detect when a monitoring node is currently being attacked or experiencing a fault based on a current feature vector, calculated from the current monitoring node values, and a detection model that includes a decision boundary.
[017] Publication No. US2022329613 relates to a system, method, and non-transitory computer readable medium comprising a plurality of real-time monitoring nodes to receive streams of monitoring node signal values over time that represent a current operation of the cyber physical system; and a threat detection computer platform, coupled to the plurality of real-time monitoring nodes, to: receive the monitoring node signal values; compute an anomaly score; compare the anomaly score with an adaptive threshold; and detect that one of a particular monitoring node and a system is outside a decision boundary based on the comparison, and classify that particular monitoring node or system as anomalous.
[018] Patent No. US11388178 relates to the observation that the extensive deployment of interoperable distributed energy resources (DER) on power systems is increasing the power system cybersecurity attack surface. National and jurisdictional interconnection standards require DER to include a range of autonomous and commanded grid-support functions which can drastically influence power quality, voltage, and the generation-load balance. Investigations of the impact on the power system in scenarios where the communications and operations of DER are controlled by an adversary show that each grid-support function exposes the power system to distinct types and magnitudes of risk.
[019] Publication No. US2021382989 relates to a system and a method provide multilevel consistency check for a cyber attack detection in an automation and control system wherein the multilevel consistency check of sensor measurements, commands and settings on different automation devices on a plant floor is able to provide end-to-end intrusion detection on exchanged data. The multilevel consistency check includes a measurement consistency check and a commands and settings consistency check to enable a cyber security solution for industrial control systems (ICS).
[020] Publication No. US2022201014 relates to a method for detecting security vulnerabilities in at least one of cyber-physical systems (CPSs) and internet of things (IoT) devices. The method includes constructing an attack directed acyclic graph (DAG) from a plurality of regular expressions, where each regular expression corresponds to control-data flow for a known CPS/IoT attack. The method further includes performing a linear search on the attack DAG to determine unexploited CPS/IoT attack vectors, where a path in the attack DAG that does not represent a known CPS/IoT attack vector represents an unexploited CPS/IoT attack vector.
[021] Publication No. US2021334084 relates to Systems and methods for providing a secure and assured method for updating software of a cyber-physical system (CPS) device, maintaining a CPS device, diagnosing a CPS device, and transferring of CPS data.
[022] Publication No. US2021334370 relates to methods, systems, and non-transitory computer-readable medium for detecting data anomalies on a device. The method may include determining data patterns for data input to the device, data output from the device, and/or data stored in a memory of the device; monitoring the data input, data output, and the data stored in the memory at least based on the determined data patterns in parallel with processing of the data input, data output, and/or the data stored in the memory; and detecting whether an anomaly exists in the data input, data output, and/or the data stored in the memory of the device based on the monitoring.
[023] Publication No. US2017353484 relates to a method includes detecting a storage device. The method also includes performing a check-in process so that the storage device is recognizable by one or more protected nodes within a protected system and not recognizable by nodes outside of the protected system while the storage device is checked-in. The method further includes storing data associated with one or more cyber-security threats on the storage device.
[024] Publication No. US2025193211 relates to a system and method for detecting cyber threats during an interaction between a first device and a second device over Operation Technology (OT) protocols in an Industrial Control System (ICS) by implementing a state machine model.
[025] Patent No. US12309188 relates to a hybrid approach in which a mix of communication patterns and passive fingerprinting is used to identify unknown device types, manufacturers, and models of devices in digital control systems. The ANDVI implementation maps the identified devices to their known vulnerabilities.
[026] Patent No. US12231461 relates to a computer-implemented method for mitigating cyber security risk of an enterprise network, the method comprising: receiving an analytical attack graph (AAG) representing paths within the enterprise network with respect to at least one target asset, the AAG defining a digital twin of the enterprise network and comprising a set of rule nodes, each rule node representing an attack tactic that can be used to move along a path of the AAG; integrating the AAG with a knowledge graph comprising a set of asset nodes, each asset node representing a digital asset that can be affected by one or more of the attack tactics; determining, based on integrating the AAG with the knowledge graph, a plurality of security controls, each security control having an assigned priority value; and selectively implementing the security controls in the enterprise network based on the assigned priority values of the security controls.
[027] Publication No. US2024411957 relates to a system for building a high fidelity model of a cyber physical human system (CPHS) is disclosed. The CPHS modelling system may comprise a database containing database information and an interface configured to receive a schema and operational data from a user.
[028] Publication No. US2024388602 relates to a cybersecurity automated threat intelligence and attack mitigation system mitigate the effects of a mass data breach, a malware attack, and distributed denial of service (DDoS) attacks on a monitored system protected by a system administrator.
[029] Publication No. US2024106839 relates to various systems and methods to enable cyber-physical protections in edge computing platforms, including with countermeasures that mitigate and halt a variety of digital or real-world attacks. In an example, an attack detection and response engine is used to monitor processing circuitry, with operations that: identify operational data from processing circuitry that operates multiple layers (e.g., of an IP block) to perform compute operations, with trust of the processing circuitry established based on attestation of a hardware root of trust (RoT); evaluate the operational data to identify an attack condition at the processing circuitry, based on monitoring an operational layer of the multiple layers; and provide a digital attack response to the processing circuitry, in response to identifying the attack condition, to deploy the digital attack response and cause a countermeasure at the operational layer of the processing circuitry.
[030] Publication No. US2024089284 relates to a system comprises one or more networks including a digital twin and one or more cyber system components. The digital twin is configured to emulate at least a portion of a physical system of an operational technology (OT) system.
[031] Publication No. US2024314143 relates to systems and methods for detecting cyber-attacks of subsystems include an interface of the subsystem that provides power exchange. A processor may be configured to calculate an interaction variable from a function of one or more internal states of the subsystem.
[032] Publication No. US2024236148 relates to a cyber-security system for protecting a networked system, the cyber security system being implemented on a computer service comprised in or provided in communication with the networked system, the cyber security system being configured to deploy an interactive deception framework configured to interact with an unauthorized entity that has accessed the networked system; the interactive deception being configured to interact with the unauthorized entity by providing artificial components of the networked system; and wherein the security component is configured to dynamically adapt or select the artificial components based on the interaction with the unauthorized entity and/or a characterization of the unauthorized entity.
[033] Publication No. US2023315851 relates to a method for detecting false data injection attacks (FDIAs) on a condition-based predictive maintenance (CBPM) system includes: collecting sensor data from sensors monitoring components of a system maintained by the CBPM system to extract features for a cyberattack detection model and gathering historical data of the system to build a cyberattack knowledge base about the system; combining the sensor data and the historical data to train the cyberattack detection model; using a graphical Bayesian network model to capture domain knowledge and condition-symptom relationships between the sensor-monitored components and the sensors; and based on the cyberattack detection model and the Bayesian network model, detecting the FDIAs on the CBPM system.
[034] Patent No. US11178176 relates to a system for detecting MITM attacks on SCADA communication networks, which includes secure substation-to-substation communication links that provide secure and reliable paths for exchanging OT data between substations for an OT data consistency check; a SIB in each substation that samples CT and PT measurements to calculate voltage magnitude and phase angle; an S&C server in each substation, coupled to the SIB, that receives the voltage magnitude and phase angle from the SIB and obtains a packet carrying the active power flow in the transmission lines between two substations and a time stamp; and an IDS server placed in the SCADA centre that collects the packet sent by each substation's S&C server, analyses the packets received from every adjacent substation, inspects their payloads, and triggers an intrusion alarm to the SCADA operator when the power flow does not match the packet payload.
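The check in [034] works because the power claimed in a packet is tied to physics the attacker does not control: the flow on a line is fixed by the voltages and angles at its two ends, which the adjacent substations report independently. The block below is an added example, not the cited patent's code, of the SCADA-centre side of that check. It recomputes the active power on a lossless line from both end measurements and alarms when the packet payload disagrees by more than a tolerance; the line model, the packet layout, the time-skew bound, the tolerance and the sample values are assumptions of this example.

```python
"""Added example (not from US11178176 or the present patent): recompute the
active power flow on a line from the voltage magnitude and phase angle
reported by its two end substations and compare it with the value carried in
the substation packet payload.

Assumptions: lossless line model P = V1*V2*sin(theta1 - theta2)/X, a system
base for per-unit quantities, a tolerance and a time-skew bound, and the
constructed measurements and packets below. All are illustrative."""
import math
from dataclasses import dataclass
from typing import Dict, List

BASE_MVA = 100.0   # assumed system base for per-unit quantities
P_TOL_MW = 2.0     # assumed tolerance before a mismatch counts as an alarm
MAX_SKEW_S = 0.5   # assumed: end measurements must be within this many seconds


@dataclass
class BusMeasurement:
    substation: str
    v_pu: float        # voltage magnitude, per unit
    theta_deg: float   # phase angle, degrees
    ts: float          # timestamp, seconds


@dataclass
class FlowPacket:
    line: str
    from_sub: str
    to_sub: str
    p_mw: float        # active power claimed in the packet payload
    ts: float


def line_flow_mw(m_from: BusMeasurement, m_to: BusMeasurement, x_pu: float) -> float:
    """Active power from m_from to m_to on a lossless line of reactance x_pu, in MW."""
    delta = math.radians(m_from.theta_deg - m_to.theta_deg)
    return BASE_MVA * m_from.v_pu * m_to.v_pu * math.sin(delta) / x_pu


def check_packets(packets: List[FlowPacket],
                  measurements: Dict[str, BusMeasurement],
                  line_x: Dict[str, float]) -> List[str]:
    """Return one alarm string per packet whose payload contradicts the physics."""
    alarms: List[str] = []
    for pkt in packets:
        m_from, m_to = measurements[pkt.from_sub], measurements[pkt.to_sub]
        if abs(m_from.ts - m_to.ts) > MAX_SKEW_S:
            alarms.append(f"{pkt.line}: end measurements not time-aligned")
            continue                            # cannot judge stale data
        expected = line_flow_mw(m_from, m_to, line_x[pkt.line])
        if abs(expected - pkt.p_mw) > P_TOL_MW:
            alarms.append(f"{pkt.line}: payload {pkt.p_mw:.1f} MW "
                          f"vs computed {expected:.1f} MW")
    return alarms


def run_demo() -> List[str]:
    # constructed data: three substations, two lines; the L12 packet is honest,
    # the L23 packet has had its power value lowered in transit
    meas = {
        "S1": BusMeasurement("S1", 1.02, 5.0, 100.0),
        "S2": BusMeasurement("S2", 1.00, 0.0, 100.1),
        "S3": BusMeasurement("S3", 0.98, -3.0, 100.0),
    }
    line_x = {"L12": 0.10, "L23": 0.08}   # line reactances, per unit
    packets = [
        FlowPacket("L12", "S1", "S2", 88.9, 100.0),   # matches ~88.9 MW
        FlowPacket("L23", "S2", "S3", 20.0, 100.1),   # physics says ~64.1 MW
    ]
    return check_packets(packets, meas, line_x)


if __name__ == "__main__":
    for a in run_demo():
        print("ALARM", a)
```

The tolerance has to cover measurement error and the losses the lossless model ignores; an attacker who can also alter the end measurements defeats the check, which is why the cited patent routes them over separate substation-to-substation links.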
[035] Publication No. CN114185324 discloses an anomaly-point detection method, device and computer equipment for an automatic generation control (AGC) program. It relates to the automatic control of power systems and addresses the problem that, when execution of the AGC program is abnormal, the program's execution steps are difficult to analyse accurately and the anomaly point cannot be located quickly. If the AGC program is detected to be abnormal, its actual operating parameters are obtained; the operating mode of a strategy simulation system is determined, and it is judged whether the actual operating parameters meet the target operating requirements corresponding to that mode (the strategy simulation system performs analogue simulation of the AGC program, and the operating mode is either a constant-value mode or a curve mode). If they do, the corresponding program is run according to the operating mode, a single-step execution result is output, and first anomaly detection information for the AGC program is determined from that result; if they do not, second anomaly detection information is output indicating that the security policy is not met.
[036] Patent No. US11075932 relates to an appliance extension designed and constructed to be a secure extension of the threat visualizer user interface of a cyber security appliance installed in the system, with a limited set of functions including monitoring, investigating and taking actions to counter a detected cyber threat, all of which an operator can securely perform from the appliance extension rather than needing to log into the cyber security appliance and investigate potential cyber threats at the location where the appliance is installed.
[037] Publication No. CN103401247 discloses an optimization method for realizing AGC and AVC in a monitoring system of a boosting station of a power plant. The optimization method realizes AGC and AVC in a communication manager in an algorithm form, AGC/AVC is configured and monitored in an operator work station, and finally the communication manager directly sends a distributed value or instruction to control units of each set via AGC/AVC interface units.
[038] Publication No. CN103634296 provides an intelligent electricity network attack detection method based on physical system and information network abnormal data merging. The intelligent electricity network attack detection method comprises the following steps that at a physical layer, the abnormal degree of electric power data of each node is calculated on the basis of the electric power monitoring data in an intelligent electricity network; at an information layer, an invasion detection system is utilized for monitoring the communication flow rate, warning events aiming at the abnormal communication flow rate are generated, and the abnormal degree of network communication of each node of the system is calculated; the electric power data of each node is correlated with the abnormal degree of the network communication on the basis of an ID-IP (identity- internet protocol) mapping table of the node, and whether each node is attacked or not is judged.
[039] Publication No. WO2020255359 relates to a security training assistance device is used to generate a scenario for targeted attack by a virtual attacker that is composed of a plurality of steps along a time series, each of the plurality of steps having a process defined therein that is executed in the step.
[040] Patent No. US9374380 relates to non-harmful data mimicking computer network attacks may be inserted in a computer network. Anomalous real network connections may be generated between a plurality of computing systems in the network. Data mimicking an attack may also be generated. The generated data may be transmitted between the plurality of computing systems using the real network connections and measured to determine whether an attack is detected.
[041] Publication No. GB2520987 relates to a computer implemented method of profiling cyber threats detected in a target environment, comprising: receiving, from a Security Information and Event Manager (SIEM) monitoring the target environment, alerts triggered by a detected potential cyber threat 801, and, for each alert: retrieving captured packet data related to the alert 802; extracting data pertaining to a set of attributes from captured packet data triggering the alert 803; applying fuzzy logic 804 to data pertaining to one or more of the attributes to determine values 705 for one or more output variables indicative of a level of an aspect of risk attributable to the cyber threat. In this manner fuzzy logic is used to assign a risk level to a potential threat allowing threats to be displayed in priority order of risk level and potentially reducing the sheer number of alerts shown to an administrator and also reducing the number of false positive alerts. Levels of risk may be based on threat sophistication risk, capability risk, confidentiality risk, system integrity risk and system availability risk.
[042] Publication No. CN111275074 relates to an electric power CPS information attack identification method based on a stack type self-encoding network model, which is characterized by comprising the following steps: introducing a maximum information coefficient to select data characteristics according to properties such as CPS data non-function dependence and non-linear correlation, and determining an optimal attack characteristic set; constructing an information attack identification model based on a stack type self-encoding network, and setting an unsupervised pre-training encoder and a supervised fine tuning classifier to perform network parameter training updating; model initial parameter optimization based on the adaptive cuckoo algorithm is realized.
[043] Publication No. CN110659322 relates to a power distribution network operation parameter processing method, which comprises the steps of collecting a first operation parameter of a power distribution network, compressing the first operation parameter to obtain a compressed operation parameter, and uploading the compressed operation parameter to a data storage module; obtaining the compressed operation parameter in a storage module, and decompressing the compressed operation parameters to obtain second operation parameters; verifying the second operating parameter, and if the verification is not successful, judging whether the verification frequency reaches a preset verification frequency threshold value; if the verification frequency does not reach the preset verification frequency threshold, performing data restoration on the second operation parameter to obtain a third operation parameter; and verifying the third operating parameter, and sending the third operating parameter to the data analysis module for analysis when the verification is successful.
[044] Publication No. CN111131331 relates to a moving-target-defence deployment optimisation method oriented to network-vulnerability-guided information attacks, comprising the following steps: S1, acquiring power grid system data; S2, preprocessing the acquired data; S3, performing static data processing; S4, performing dynamic data processing; S5, generating a configuration strategy; S6, checking the strategy's weight coverage; S7, checking the strategy's economic cost configuration and line regulation capability; and S8, outputting an installation scheme. By analysing the power grid topology and node vulnerability, with line deployment capability and deployment cost as constraints, the optimal number of devices required for grid operation and security defence is determined, and the installation positions of the D-FACTS devices are chosen from the coupling relationship between nodes and lines so that the deployed devices cover all vulnerable nodes. The information security requirement is thus met while normal operation and power flow scheduling of the grid are preserved, solving the problem of D-FACTS device deployment when MTD is applied against FDI attacks.
[045] Publication No. CN113507460 relates to an abnormal message detection method and device, computer equipment and a storage medium. The method comprises the following steps: acquiring at least one substation sampling value SMV message; wherein the SMV messages are preprocessed, and SMV message pictures corresponding to the SMV messages are obtained; and inputting each SMV message picture into a preset neural network model for fault detection, and obtaining a fault detection result of each SMV message.
[046] Publication No. WO2016183644 relates to the field of parameter management and automatic control of banks of capacitors and voltage regulators in power grids, regulation of the power factor in power grids, protection and safety of grid protection devices during short-circuits and reconnection after scheduled or unexpected disconnections, monitoring and control via the cloud at various points of the power grids, and the creation of the necessary conditions for transforming usual power grids into smart grids.
[047] Publication No. CN112865085 relates to an attack simulation method and system for an electric power information physical system. The method comprises the following steps: S1, obtaining topological structure feature information of a target electric power system; S2, constructing an electric information physical network topology model according to the topological structure feature information; S3, calculating importance values of all lines in the electric information physical network topology model, and screening out a target line with concealment according to the calculated importance values; and S4, taking the screened target line as an attack object, and carrying out multiple times of cooperative attacks on the target line in the electric information physical network topology model to obtain an attack simulation result for carrying out optimal scheduling on a power grid.
[048] Publication No. EP2279465 relates to a method and system for cyber security management of supervisory control and data acquisition (SCADA) systems, provided to enhance situational awareness and cyber security management for industrial control systems.
[049] Publication No. CN111478970 relates to a power grid Web application mimicry defense system. A heterogeneous virtual Web server pool which is equivalent in function, diversified and dynamic is constructed, technologies such as redundancy voting, dynamic executor scheduling and database instruction isomerization are adopted, an attack chain is blocked, the utilization difficulty of vulnerabilities or backdoors is increased, and the availability and safety of Web services are guaranteed.
[050] Publication No. WO2020046286 relates to a plurality of monitoring nodes that may each generate a time series of current monitoring node values representing the current operation of components of an electrical power grid. A cybersecurity monitoring computer platform may receive the current monitoring node values and pre-process them to generate a risk prior-knowledge result. At least some of the components may be ranked to create a set of critical components, based on a constrained optimizer that takes the risk prior knowledge as an input.
[051] Publication No. JP2018139101 relates to feature and boundary tuning for threat detection in an industrial asset control system. A threat detection model creation computer receives a series of normal monitoring node values (representing normal operation of an industrial asset control system) and generates a set of normal feature vectors.
[052] Patent No. US10372569 relates to a system for detecting false data injection attacks in which one or more sensors each monitor a component and generate signals representing measurement data associated with the component. The system also includes a fault detection computer device configured to: receive the signals representing measurement data from the one or more sensors, receive a fault indication of a fault associated with the component, generate a profile for the component based on the measurement data, and determine the accuracy of the fault indication based upon the generated profile.
[053] The article entitled "Machine learning-based cyberattack detection and identification for automatic generation control systems considering nonlinearities" by Nour M. Shabar, Ahmad Mohammad Saber and Deepa Kundur (arXiv, 12 April 2025) describes a machine learning (ML)-based detection framework that identifies FDIAs and determines which measurements were compromised. The approach uses an ML model trained offline to detect attacks and classify the manipulated signals based on a comprehensive set of statistical and time-series features extracted from AGC measurements before and after disturbances. The authors compare the performance of several ML algorithms and report that the method detects FDIAs while maintaining a low false alarm rate, with an F1-score of up to 99.98%, outperforming existing approaches.
[054] In the basic AGC hack-detection scheme, system frequency, AGC setpoint, and Unit Load Set Point (ULSP) were used as the primary input parameters. From these inputs, key variables such as the frequency deviation (ΔF), the rate of change of the AGC setpoint (denoted as M), and the product of ΔF and ΔP (denoted as N) were derived. A simple rule-based logic was then implemented to monitor the signs and values of M, ΔF, and N (i.e., whether they are positive, negative, or zero). This logic was used to trigger an alarm in response to abnormal conditions, indicating potential cyber intrusions (fig 4).
[055] This foundational method played a significant role in understanding the ideal operational behavior of AGC. Any noticeable deviation from this expected behavior was treated as a potential attack scenario, prompting an alarm.
[056] However, several operational limitations are inherent in this idealized AGC mechanism. Given that AGC functionality is influenced by multiple interdependent and overlapping conditions, its complete characterization in real-time operation is notably complex. One such consideration is the presence of a dead band — a deliberate unresponsive range built into the AGC logic — which arises from factors such as actuator lag and the high integral gain in PI controllers.
[057] Another critical limitation of the earlier scheme was its inability to accommodate post-attack isolation protocols, which are essential for protecting system integrity following the detection of an anomaly.
[058] None of these systems detects an attack when the rate of change of the AGC signal is zero.
[059] Hence there is a need for an effective system which can detect a cyber-attack even when the rate of change of the AGC signal is zero.
[060] In order to overcome the limitations of the above-listed prior art, the present invention aims to provide a system and method for cyber-attack recognition and response in power plants that takes real-time automatic generation control operational constraints into account.
OBJECTS OF THE INVENTION:
[061] The principal object of the present invention is to provide a system and method for cyber-attack recognition and response in power plants considering real-time automatic generation control operational constraints.
[062] Another object of the present invention is to provide a system and method suitable for both hydro and thermal plants, enhancing automatic generation control (AGC) system resilience across diverse power generation environments.
[063] Yet another object of the present invention is to increase the reliability and resilience of the overall power generation control architecture.
[064] Still another object of the present invention is to provide a system and method for cyber-attack recognition and response in power plants which specifically addresses conditions typically overlooked by existing anomaly detection, such as the zero-product condition of frequency deviation and power mismatch (ΔF × ΔP = 0).
[065] Yet another object of the present invention is to provide an automatic generation control (AGC) system that maintains the system frequency very close to the nominal value of 50 Hz.
[066] Still another object of the present invention is to provide automatic generation control (AGC) system to maintain the tie-line interchange between control areas at the scheduled value.
[067] Yet another object of the present invention is to provide an automatic generation control (AGC) system that ensures economic dispatch of the generating units involved.
[068] Still another object of the present invention is to detect attacks even when the AGC signal rate of change is zero, a scenario where traditional systems typically fail.
SUMMARY OF THE INVENTION:
[069] The present invention relates to a system and method for the real-time monitoring and control of power plants. It extends their capabilities by embedding an advanced anomaly detection method within the automatic generation control (AGC) signal pathway. This is achieved without disrupting the underlying operational processes, by enhancing situational awareness and response accuracy in existing SCADA/EMS systems. The invention builds on existing fault detection and redundancy methods in the control systems of power generation units. It introduces a multi-layered detection and response mechanism that improves upon existing backup switching strategies by enabling seamless transition to redundant controllers during a confirmed cyber event. This increases the reliability and resilience of the overall power generation control architecture. The invention interfaces with existing communication infrastructures between power plants and control centers, without the need for significant hardware redesign. It operates in harmony with existing IEC protocols, enabling easy integration with substations and control devices already deployed in the field. The invention improves upon current anomaly detection systems by specifically addressing conditions typically overlooked, such as the zero-product condition of frequency deviation and power mismatch (ΔF × ΔP = 0). While existing systems might treat such conditions as stable, this invention incorporates logic to evaluate such scenarios for latent threats, thereby filling a critical gap in existing methods.
[070] The cyber-attack recognition and response mechanism is tailored specifically for power plants operating under real-time AGC constraints. The invention embeds practical system behaviors, such as the AGC dead band, frequency lag and controller dynamics, into the core of the detection logic. One of the key novel aspects lies in the algorithm's ability to detect attacks even when the rate of change of the AGC signal is zero, a condition under which conventional systems typically fail to trigger alarms. By monitoring the system frequency over a sustained interval (e.g., 20 seconds), the proposed method ensures robust detection of subtle attacks that manipulate setpoints without visible AGC signal changes.
[071] The present invention provides treatment of the condition where the product of frequency deviation (ΔF) and power mismatch (ΔP) equals zero. This edge case is often neglected in conventional schemes, which may classify it as benign. The invention includes logic that systematically examines such scenarios to avoid false negatives, ensuring comprehensive and accurate anomaly recognition. Furthermore, the system integrates a structured three-tier detection model (Theta 1, Theta 2, and Theta 3), culminating in an intelligent isolation mechanism. Upon detection of an anomaly, a seamless switch to a redundant local controller is initiated, guaranteeing uninterrupted plant operation. This proactive response element significantly strengthens the resilience of AGC systems in cyber-physical environments.
[072] This invention is adaptable to both hydro and thermal power stations engaged in AGC operations, making it widely applicable across generation assets in modern grid systems.
BRIEF DESCRIPTION OF THE DRAWINGS:
[073] It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered as limiting its scope, for the invention may admit other equally effective embodiments.
[074] Fig. 1 shows area control error calculation at NLDC.
[075] Fig. 2 shows AGC implementation.
[076] Fig. 3 shows AGC signal from NLDC to Plant.
[077] Fig. 4 shows elementary AGC hack-detection flowchart.
[078] Fig. 5 shows block diagram according to the present invention.
[079] Fig. 6 shows a block diagram comprising the hack detection unit, the isolation unit and the redundant control operation unit integrated with the plant.
DETAILED DESCRIPTION OF THE INVENTION:
[080] The present invention provides a system and method for the real-time monitoring and control of power plants. It embeds an advanced anomaly detection method within the automatic generation control (AGC) signal pathway. This is achieved without disrupting the underlying operational processes but by enhancing situational awareness and response accuracy in existing SCADA/EMS systems.
[081] The invention relates to existing fault detection and redundancy method in control systems of power generation units. It introduces a multi-layered detection and response mechanism that improves upon existing backup switching strategies by enabling seamless transition to redundant controllers during a confirmed cyber event. This increases the reliability and resilience of the overall power generation control architecture. The invention interfaces with existing communication infrastructures between power plants and control centers, without the need for significant hardware redesign. It operates in harmony with existing IEC protocols, enabling easy integration with substations and control devices already deployed in the field. The invention improves upon current anomaly detection systems by specifically addressing conditions typically overlooked, such as the zero-product condition of frequency deviation and power mismatch (ΔF × ΔP = 0). The system evaluates such scenarios for latent threats, thereby filling a critical gap in existing methods.
[082] To maintain the power system frequency at its nominal value of 50 Hz, it is essential to ensure a continuous balance between power generation and the aggregate of load demand and transmission losses. All generators are equipped with a primary frequency control (PFC) mechanism, which typically includes a flyball governor, a speed governor, and a valve control mechanism. During minor load fluctuations, the PFC responds immediately to restore power balance and stabilize system frequency. However, in the event of a sustained load change, a steady-state frequency deviation may occur. To eliminate this deviation, secondary frequency control is employed at selected Inter-State Generating Stations (ISGS). This control is implemented through AGC. In accordance with the Central Electricity Regulatory Commission (CERC), AGC is mandatory for all thermal ISGS units with an installed capacity of 200 MW and above, and for all hydroelectric stations with a capacity exceeding 25 MW, excluding run-of-river hydro projects.
[083] The AGC maintains the system frequency very close to the nominal value of 50 Hz, maintains the tie-line interchange between control areas at the scheduled value, and ensures economic dispatch of the generating units involved. These objectives are achieved by driving the area control error to zero. The Area Control Error (ACE) for each region is calculated automatically at the control center of the NLDC from the telemetered values of frequency and tie-line flow and the external inputs, as per the following formula:
ACE = (Ia - Is) - 10 * B * (fa - fs) + Offset (1)
where,
Ia = Actual value of net interchange in MW (positive value for export)
Is = Scheduled value of net interchange in MW (positive value for export)
fa = Actual system frequency in Hz
fs = Scheduled system frequency in Hz
B = Frequency bias coefficient in MW/0.1 Hz (negative value)
Offset = Provision for compensating for metering error
[084] For each control area, a dead band of ±10 MW in the ACE is considered. With the help of an exponential moving average filter, noise and random variations in the ACE are filtered out to obtain the smoothed ACE (SACE), as shown in Fig. 1.
[085] In an interconnected power system, each control area will have many generators whose outputs are set as per economic dispatch and the ACE signal, so that each individual unit generates its required share of the area's total generation. This allocation of power is achieved using base points and participation factors. Let the most economic generation of unit i be Pi,base. The participation factor (pfi) gives the share of unit i in the AGC system. The new desired output from unit i is determined as follows:
Pi,des = Pi,base + (pfi × ΔPtotal) (2)
where,
ΔPtotal = Pnew_total - ∑ Pi,base
ΔPtotal = change in total generation
Pnew_total = new total generation
[086] The sum of the participation factors is unity. These factors are time-dependent and must be determined dynamically based on costs, bid prices and availability.
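The following is an added example, not code from the specification: it evaluates equation (1) with the sign convention given above (B negative, in MW per 0.1 Hz), smooths the result with an exponential moving average and the ±10 MW dead band of paragraph [084], and applies the participation-factor allocation of equation (2). The filter weight, the interchange and frequency values, and the three-unit dispatch case are all constructed for illustration.

```python
"""Added example (not from the specification): ACE of equation (1), EMA
smoothing with the +/-10 MW dead band of [084], and the participation-factor
allocation of equation (2). All numeric inputs below are constructed."""
from typing import List, Optional

ACE_DEADBAND_MW = 10.0


def ace(ia: float, is_: float, fa: float, fs: float, b: float, offset: float = 0.0) -> float:
    """Equation (1): ACE = (Ia - Is) - 10*B*(fa - fs) + Offset.

    ia, is_ : actual / scheduled net interchange in MW (export positive)
    fa, fs  : actual / scheduled frequency in Hz
    b       : frequency bias in MW per 0.1 Hz, negative by the page's convention
    """
    return (ia - is_) - 10.0 * b * (fa - fs) + offset


class AceSmoother:
    """Exponential moving average of ACE; alpha is an assumed filter weight."""

    def __init__(self, alpha: float = 0.2):
        self.alpha = alpha
        self.sace: Optional[float] = None

    def update(self, raw_ace: float) -> float:
        if self.sace is None:
            self.sace = raw_ace          # seed the filter with the first sample
        else:
            self.sace = self.alpha * raw_ace + (1.0 - self.alpha) * self.sace
        return self.sace


def regulation_request(sace: float, deadband: float = ACE_DEADBAND_MW) -> float:
    """SACE the AGC acts on; zero inside the dead band so noise is not dispatched."""
    return 0.0 if abs(sace) <= deadband else sace


def allocate(p_base: List[float], pf: List[float], p_new_total: float) -> List[float]:
    """Equation (2): Pi,des = Pi,base + pfi * dPtotal with dPtotal = Pnew_total - sum(Pi,base)."""
    if len(p_base) != len(pf):
        raise ValueError("one participation factor per unit")
    if abs(sum(pf) - 1.0) > 1e-9:        # [086]: participation factors sum to unity
        raise ValueError("participation factors must sum to unity")
    dp_total = p_new_total - sum(p_base)
    return [pb + f * dp_total for pb, f in zip(p_base, pf)]


if __name__ == "__main__":
    # Constructed case: exporting 20 MW above schedule while frequency is 0.05 Hz low.
    a = ace(ia=500.0, is_=480.0, fa=49.95, fs=50.0, b=-50.0)
    sm = AceSmoother()
    print(f"ACE={a:.2f} MW  SACE={sm.update(a):.2f}  request={regulation_request(a):.2f}")
    print(allocate([300.0, 200.0, 100.0], [0.5, 0.3, 0.2], 630.0))
```

In the constructed case the 20 MW over-export is almost cancelled by the 25 MW frequency-support obligation, leaving an ACE of -5 MW that falls inside the dead band, so no regulation is dispatched; a raise of 30 MW total is split 15/9/6 MW across the three units by their participation factors.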
[087] As shown in Fig. 2, to implement the AGC at NLDC, information such as (i) system frequency, (ii) real power flow over each tie-line to neighboring areas, and (iii) real power output of each unit online is needed. Each power plant telemeters its real power output to NLDC over Optical Power Ground Wire (OPGW) cables provided by the Central Transmission Utility, using the IEC 60870-5-104 (IEC 104) protocol. Control signals for each unit are calculated by the digital computer at NLDC based on base points and participation factors and sent to the various plants via the same telemetry channel. IEC 104 itself provides no message authentication or encryption (those are added by the IEC 62351 series where deployed), so a setpoint altered on this channel is not rejected by the protocol. The successful functioning of the AGC scheme is essential for the satisfactory performance of the whole power system, as it maintains the grid frequency close to the nominal frequency, i.e., 50 Hz.
[088] The transmitted plant AGC signal may be hacked by malicious attackers to hamper system stability and hence operation of the system. The attacks considered are grouped into two categories: data integrity attack, timing attack and covert attack in the first, and bias injection attack, pulse attack and scaling attack in the second. The attack component is injected while the plant AGC signal is being transmitted through the OPGW cables. In the data integrity attack, the original AGC signal (ACE) is modified as:
ACEa = ACE + x (3)
[089] where x is the attack input injected into original signal by the hacker to create a false attacked AGC signal (ACEa). With timing attack, attacker introduces a time delay to the original AGC signal as follows:
ACEa = ACE (t-τ) (4)
[090] where τ is the delay involved. In the case of a pulse attack, the signal takes the shape of a train of pulses; the pulses may be square, rectangular, triangular and so on. In a scaling attack, the AGC signal is scaled as:
ACEa = αACE (5)
[091] where α is a constant real number.
[092] Such cyber-attacks may cause system black out, economic loss and system instability. Therefore, it is mandatory to protect the system against such attacks. In India, the AGC signal is sent from NLDC to various power plants equipped to provide frequency support to the grid and situated in remote locations.
[093] The AGC signal is sent through OPGW in a redundant manner and alternate path ensuring dual communication and diverse route as shown in Fig. 3. With the help of these two signals, it is possible to identify cyber-attack on AGC signal and to warn the plant operator to take corrective measures to protect the generating units of the power plant.
[094] Cyber-attacks on AGC systems at hydropower plants can have significant impacts on the stability and reliability of the power grid. AGC systems are responsible for controlling the output of power generators in real-time to maintain a balance between power supply and demand on the grid. If an AGC system is compromised by a cyber-attack, it can lead to disruptions in the power supply, potentially causing blackouts and other issues. There have been several high-profile instances of cyber-attacks on AGC systems at hydropower plants in recent years. The attackers were able to gain access to the plant's control systems and manipulate the output of the power generators, causing significant disruptions to the power grid.
[095] The potential impact of cyber-attacks on AGC systems at hydropower plants highlights the need for robust cybersecurity measures to protect these critical infrastructure systems. This can include measures such as regular security audits, the use of secure communication protocols, and the implementation of strong access controls to prevent unauthorized access to control systems. In addition, based on the nature of the plant AGC signal and its relation with plant parameters and grid attributes such as frequency, algorithms can be developed to detect the cyber-attack and then to alert the plant operator.
[096] Hack-Detection- A previously developed attack detection algorithm for Hydro AGC, addressing the fundamental relationship between ΔF variation and AGC dynamics, is outlined in Fig. 4. The upgraded method introduces additional features to address real-time operational constraints and incorporates mechanisms to support both detection and isolation in the presence of cyber-attacks. This makes the hack-detection system more robust, adaptive, and practical for deployment in real-world AGC environments.
[097] Improved method for Attack Detection and Isolation in AGC Systems- This method detects cyber-attacks on AGC systems by analyzing deviations between the primary and redundant AGC signals, frequency anomalies, and power mismatches. The decision-making process is structured into three hierarchical levels, Theta 1, Theta 2 and Theta 3, each addressing a progressively more detailed set of anomaly checks. Figure 5 shows the block diagram. The system comprises a control unit (1) with LEDs (1a) that glow to signal a warning (alarm) to the system operator when a hack is detected, a three-phase converter (2), a power analyzer (3), a display unit including a computer (4), an MSO (5), and a real-time simulator (6) used to generate four essential signals: AGC main, AGC protection, ULSP and frequency. These generated signals are fed into a microcontroller (1b) which runs the embedded hack detection method.
[098] The inventive step in this innovation lies in the development of a multi-layered hack detection and isolation algorithm for AGC systems that integrates both redundant signal analysis and practical operational constraints in a structured and hierarchical manner. This includes:
[099] Use of Redundant AGC Comparison (Theta-1): Incorporating a real-time discrepancy check between the primary and redundant AGC signals as the first-level screening mechanism is an inventive safeguard. While redundancy is a known concept, using it as a dynamic detection metric in AGC cybersecurity is novel and non-obvious in the context of real-time power control systems.
[100] Evaluation of Product of Frequency and Power Deviations (Theta-2): The method leverages the product of ΔF (frequency deviation) and ΔP (power mismatch) as a key indicator of abnormality. This consideration of the sign and magnitude of the product (especially when N = 0) as a condition to differentiate between operational noise and actual attack patterns is not standard practice and reflects a non-obvious refinement.
[101] Time-Based Frequency Stability Check under Static AGC Conditions (Theta-3): Introducing a 20-second time window to observe frequency changes when AGC rate of change is zero is a critical inventive step. This temporal correlation logic for attack validation is not intuitive and would not be apparent to someone skilled in conventional control systems or cybersecurity, making it a clear example of non-obviousness.
[102] The implementation of an automated isolation protocol triggered by anomaly detection, followed by a seamless switchover to a redundant plant controller, ensures operational continuity. Integrating this into a microcontroller-based prototype bridges algorithmic innovation with practical deployment—a step beyond typical academic implementations. To visually indicate the detection of a hack, a control unit equipped (1) with LEDs is used. If any hack is detected by the method running on the microcontroller, the corresponding LED will glow, signaling a warning (alarm) to the system operator.
[103] Upon detecting a compromised signal, the hack detection algorithm triggers an alarm and initiates a safe isolation protocol for the AGC signal. This protocol sends a command to the control board unit to open the switch, thereby disconnecting the compromised AGC signal. Immediately after this disconnection, a redundant plant controller takes over the operations, functioning in a local control mode to ensure the continuity and stability of plant operations.
[104] The block diagram (as shown in Fig. 6) illustrates the complete hack detection mechanism, isolation process, and the role of the redundant control system, which together enhance system robustness and reliability.
[105] The invention presents a specialized cyber-attack detection and response system for power plants operating under real-time AGC. It incorporates real-world AGC behaviors, such as dead bands, frequency delays and control dynamics, into its detection logic. The system detects attacks even when the rate of change of the AGC signal is zero, a scenario where traditional systems typically fail. By observing the system frequency over extended intervals, it identifies subtle manipulations.
[106] The system also addresses overlooked conditions where the product of frequency deviation (ΔF) and power mismatch (ΔP) equals zero, avoiding false negatives by including them in its anomaly logic. It uses a three-tier detection model (Theta 1, 2, and 3) and, upon detecting an anomaly, switches automatically to a backup local controller to maintain continuous plant operation.
[107] This hack detection and isolation algorithm of the AGC signal has four inputs:
• A1: AGC Main Signal (Primary AGC)
• A2: AGC Redundant Signal (Backup AGC)
• F: Actual system frequency at a given time
• U: Unit Load Set Point (ULSP)
[108] The Initial Step involves reading of F, A1, A2, U. Then ΔF = F - 50 (Frequency deviation from nominal 50 Hz) is calculated. The decision-making process is structured into three hierarchical levels—Theta 1, Theta 2, and Theta 3—each addressing a progressively detailed set of anomaly checks. Whenever the algorithm detects a potential attack, the following operations are initiated:
(1) Isolation of AGC signal and activation of the local mode of operation: The algorithm generates a command to cut off AGC operation of the plant and swiftly switch it to the local mode of operation, ensuring the continuity of the plant operation.
(2) Incident Communication and Fallback Control Verification Protocol: The developed system is equipped to send immediate alerts from the plant to the NLDC for verification. This ensures that central monitoring authorities are informed in real time, enabling faster and coordinated incident response. The plant remains in this safe fallback mode until NLDC verifies the integrity of the AGC signal, after which normal operation can resume. Figure 5 shows the flowchart.
[109] Theta 1- Theta 1 is the Primary AGC Discrepancy Check, i.e., computation of E, given by E = A1 - A2. If the magnitude of E is greater than zero (|E| > 0), the algorithm identifies a case of attack and initiates the isolation and fallback operations described above. Otherwise, the algorithm proceeds to Theta 2.
[110] Theta 2- Theta 2 begins with Power Change (ΔP) Check and its product with ΔF (N) which are given by
ΔP = A1 - U (Power mismatch)
N = ΔF × ΔP
[111] The first test condition in Theta 2 is a dead-band check on ΔF, namely -0.10 < ΔF < 0.05, as per the CERC report for the Indian grid. If this criterion is satisfied, the algorithm moves to Theta 3. Otherwise, it continues in Theta 2 with the next test condition, which is the value of N. According to the value of N, the algorithm decides as follows:
(1) For N>0, it is a clear case of an attack needing no further investigation
(2) For N<0, the algorithm needs further validation from Theta 3
(3) For N=0, ΔP is checked. If ΔP=0, then the algorithm needs further validation from Theta 3; otherwise, (ΔP≠0) is a case of an attack
[112] Theta 3- Theta 3 checks the rate of change of the AGC signal and of frequency by computing M, given by M = (A1(t2) - A1(t1)) / (t2 - t1). The following test conditions are governed by the value of M:
[113] If M = 0, a dead-band and RoCoF condition, -0.10 < (F2 - F1) < 0.10 and RoCoF < 1 Hz/s, is checked. If this condition is not met, the algorithm waits for 20 seconds. If the condition is still unsatisfied after 20 seconds, the algorithm flags an attack.
[114] For M > 20 MW/min or M < -20 MW/min, these are direct cases of attack, which need no further validation. If M lies between these threshold values, the algorithm evaluates ΔF together with M:
i) M > -20 MW/min and ΔF < 0
or
ii) M < 20 MW/min and ΔF > 0
[115] These are cases of an attack.
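The following is an added example, not code from the specification or the inventors' prototype: a streaming implementation of the Theta 1, Theta 2 and Theta 3 checks of paragraphs [107] to [115] using the thresholds printed there (dead band -0.10 < ΔF < 0.05 Hz, ±20 MW/min ramp limit, 0.10 Hz and 1 Hz/s frequency bounds, 20 s observation window). Two points are assumptions of the example rather than statements of the page: the Theta 1 comparison accepts an optional tolerance (the page alarms on any |E| > 0), and conditions (i) and (ii) of [114], which as printed are met by every ramp inside ±20 MW/min whenever ΔF is non-zero, are implemented as the sign check they appear to describe, i.e., an AGC ramp moving in the same direction as the frequency error is treated as an attack, consistent with the Theta 2 rule that N > 0 is an attack. The traces at the bottom are constructed (4 s AGC cycle, 200 MW unit) and are not plant data.

```python
"""Added example (not from the specification): streaming Theta 1/2/3 AGC
hack-detection logic with the thresholds of [111]-[114]. Conditions (i)/(ii)
of [114] are read as a sign check between ramp M and dF (assumption)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NOMINAL_HZ = 50.0
DF_DEADBAND = (-0.10, 0.05)   # Theta 2 dead band on dF, Hz ([111])
M_LIMIT = 20.0                # Theta 3 ramp limit, MW/min ([114])
DRIFT_LIMIT_HZ = 0.10         # Theta 3 |F2 - F1| bound while M = 0 ([113])
ROCOF_LIMIT = 1.0             # Theta 3 RoCoF bound, Hz/s ([113])
HOLD_S = 20.0                 # Theta 3 observation window while M = 0 ([113])


@dataclass
class Sample:
    t: float    # seconds
    a1: float   # A1: AGC main signal, MW
    a2: float   # A2: AGC redundant signal, MW
    f: float    # F: measured frequency, Hz
    u: float    # U: unit load set point, MW


@dataclass
class Verdict:
    attack: bool
    tier: str
    reason: str


class AgcHackDetector:
    def __init__(self, tolerance_mw: float = 0.0):
        self.tol = tolerance_mw                 # assumption: page uses |E| > 0
        self.prev: Optional[Sample] = None
        self.hold_since: Optional[float] = None  # start of the 20 s wait

    def step(self, s: Sample) -> Verdict:
        prev, self.prev = self.prev, s
        # Theta 1: primary vs redundant AGC path
        e = s.a1 - s.a2
        if abs(e) > self.tol:
            return Verdict(True, "theta1", f"main/redundant mismatch E={e:+.2f} MW")
        # Theta 2: power mismatch and its product with the frequency deviation
        df = s.f - NOMINAL_HZ
        dp = s.a1 - s.u
        n = df * dp
        if not (DF_DEADBAND[0] < df < DF_DEADBAND[1]):
            if n > 0:
                return Verdict(True, "theta2", f"N={n:+.3f} > 0: setpoint moves with the frequency error")
            if n == 0 and dp != 0:
                return Verdict(True, "theta2", "N=0 with non-zero power mismatch")
            # n < 0, or n == 0 with dp == 0: validate in Theta 3
        # Theta 3: AGC ramp rate over the last interval (needs two samples)
        if prev is None:
            return Verdict(False, "theta3", "awaiting a second sample")
        dt = s.t - prev.t
        m = (s.a1 - prev.a1) / dt * 60.0     # MW/min
        if m == 0:
            dfreq = s.f - prev.f
            stable = abs(dfreq) < DRIFT_LIMIT_HZ and abs(dfreq) / dt < ROCOF_LIMIT
            if stable:
                self.hold_since = None
                return Verdict(False, "theta3", "static AGC, frequency stable")
            if self.hold_since is None:
                self.hold_since = s.t        # start the 20 s observation window
            if s.t - self.hold_since >= HOLD_S:
                self.hold_since = None
                return Verdict(True, "theta3", f"frequency drifting for {HOLD_S:.0f} s with static AGC")
            return Verdict(False, "theta3", "frequency drifting, inside observation window")
        self.hold_since = None
        if abs(m) > M_LIMIT:
            return Verdict(True, "theta3", f"ramp {m:+.1f} MW/min exceeds +/-{M_LIMIT:.0f}")
        if (df < 0 and m < 0) or (df > 0 and m > 0):   # assumed reading of (i)/(ii)
            return Verdict(True, "theta3", f"ramp {m:+.1f} MW/min opposes dF={df:+.3f} Hz")
        return Verdict(False, "theta3", "ramp within limit and consistent with dF")


def first_alarm(trace: List[Sample]) -> Optional[Tuple[int, Verdict]]:
    """Run a trace and stop at the first attack verdict, as the isolation step of [108] would."""
    det = AgcHackDetector()
    for i, s in enumerate(trace):
        v = det.step(s)
        if v.attack:
            return i, v
    return None


# Constructed traces (not plant data): 4 s AGC cycle, unit load set point 200 MW.
NORMAL = [Sample(4 * k, 200 + k, 200 + k, 49.93, 200) for k in range(6)]       # 15 MW/min raise, dF in band
MISMATCH = [Sample(0, 200, 203, 50.00, 200)]                                   # redundant path disagrees
BIAS_HIGH_F = [Sample(0, 210, 210, 50.20, 200)]                                # +10 MW bias while f is high
FAST_RAMP = [Sample(0, 200, 200, 49.80, 200), Sample(4, 204, 204, 49.80, 200)]  # 60 MW/min
CREEP = [Sample(0, 200, 200, 50.15, 200), Sample(4, 201, 201, 50.15, 201)]      # slow raise while f is high
FROZEN = [Sample(4 * k, 200, 200, 49.96 - 0.12 * k, 200) for k in range(7)]    # setpoint held, f falling

if __name__ == "__main__":
    for name, tr in [("normal", NORMAL), ("mismatch", MISMATCH), ("bias", BIAS_HIGH_F),
                     ("fast_ramp", FAST_RAMP), ("creep", CREEP), ("frozen", FROZEN)]:
        print(name, first_alarm(tr))
```

The FROZEN trace is the case the specification singles out: A1 never changes, so a rate-of-change check alone stays silent, and only the sustained frequency drift over 20 s raises the Theta 3 alarm. Two caveats for deployment: with ΔF outside the dead band, N = 0 implies ΔP = 0, so the "N = 0 with ΔP ≠ 0" branch of [111] cannot fire in exact arithmetic; and a Theta 1 tolerance of zero will alarm on any timing skew between the two telemetry paths, so the value to use should be measured on the plant's own channels before the check is armed.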
[116] The method is suitable for both hydro and thermal plants, enhancing AGC system resilience across diverse power generation environments.
[117] Numerous modifications and adaptations of the system of the present invention will be apparent to those skilled in the art, and thus it is intended by the appended claims to cover all such modifications and adaptations which fall within the true spirit and scope of this invention.
WE CLAIM:
1. A system and method for cyber-attack recognition and response in power plants, comprising:
a) a control unit (1) with LEDs (1a) that glow to signal a warning (alarm) to the system operator when a hack is detected;
b) a three-phase converter (2) and a power analyzer (3);
c) a display unit including a computer (4);
d) an MSO (5); and
e) a real-time simulator (6) to generate four essential signals: AGC main, AGC protection, ULSP and frequency; these generated signals are fed into a microcontroller (1b) which runs the embedded hack detection method.
2. The method for cyber-attack recognition and response in power plants, as claimed in claim 1, wherein the method addresses real-time operational constraints and incorporates mechanisms to support both detection and isolation in the presence of cyber-attacks.
3. The system and method for cyber-attack recognition and response in power plants, as claimed in claim 1, wherein each control area of interconnected power system includes many generators whose outputs is set as per economic dispatch and ACE signal so that each individual unit will generate the required amount of power out of each area’s total generation which is achieved using base points and participation factors.

Documents

Application Documents

# Name Date
1 202511089591-STATEMENT OF UNDERTAKING (FORM 3) [19-09-2025(online)].pdf 2025-09-19
2 202511089591-FORM FOR SMALL ENTITY(FORM-28) [19-09-2025(online)].pdf 2025-09-19
3 202511089591-FORM 1 [19-09-2025(online)].pdf 2025-09-19
4 202511089591-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [19-09-2025(online)].pdf 2025-09-19
5 202511089591-EDUCATIONAL INSTITUTION(S) [19-09-2025(online)].pdf 2025-09-19
6 202511089591-DRAWINGS [19-09-2025(online)].pdf 2025-09-19
7 202511089591-DECLARATION OF INVENTORSHIP (FORM 5) [19-09-2025(online)].pdf 2025-09-19
8 202511089591-COMPLETE SPECIFICATION [19-09-2025(online)].pdf 2025-09-19
9 202511089591-FORM-9 [26-09-2025(online)].pdf 2025-09-26
10 202511089591-FORM-8 [26-09-2025(online)].pdf 2025-09-26
11 202511089591-FORM 18 [26-09-2025(online)].pdf 2025-09-26