
A System And Method For The Detection Of Cyber Attack On Automatic Generation Control (Agc) Signal Of Electric Power Plant

Abstract: The present invention relates to a system and method to identify the hacking of AGC signal sent from the control center to the network panel of an Inter State Generating Station electric power plant. To improve the reliability, two AGC signals namely main and protection are sent from control center to plants through different routes. In this invention, the availability of two identical AGC signals is used to detect the cyber-attack in the AGC signal. If an attack is inferred, an alarm signal is generated to alert the plant operator to initiate corrective measures in order to protect the system against cyber-attack.


Patent Information

Application #:
Filing Date: 13 September 2022
Publication Number: 42/2022
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Email: srmsvsrr@gmail.com
Parent Application:

Applicants

DIVYASAMPARK IHUB ROORKEE FOR DEVICES MATERIALS AND TECHNOLOGY FOUNDATION
Indian Institute of Technology Roorkee, Roorkee

Inventors

1. DR. CHANDRASEKARAN SUBRAMANIAN
Department of Water Resource Development & Management, Indian Institute of Technology Roorkee, Roorkee – 247667
2. MR. MAYUR
Department of Water Resource Development & Management, Indian Institute of Technology Roorkee, Roorkee – 247667
3. DR. THANGA RAJ CHELLIAH
Department of Water Resource Development & Management, Indian Institute of Technology Roorkee, Roorkee – 247667

Specification

FIELD OF INVENTION:
[001] The present invention relates to the field of electric power plant control systems. The present invention in particular relates to a system and method for the detection of cyber attack on automatic generation control (AGC) signal of an electric power plant.
DESCRIPTION OF THE RELATED ART:
[002] In a power system, the total generation must at every instant match the total demand plus the losses incurred; this power balance keeps the system frequency at its nominal value, i.e., 50 Hz. Whenever there is an increase in the demand, the kinetic energy stored in the rotating masses is released to generate the additional power required. This is known as the inertial response, and it reduces the speed of the generator and hence the frequency. With the help of a flyball arrangement, the speed governors of the generators sense this speed reduction and open the steam/water valve to increase the generation and to reduce the frequency drop from its nominal value; this control is known as primary frequency control. However, there will be a frequency deviation in the steady state. In order to nullify this deviation, secondary frequency control is provided with selected Inter State Generating Stations (ISGS). Secondary frequency control is achieved through Automatic Generation Control (AGC). AGC means a mechanism through which the generation of the Secondary Reserve Ancillary Service (SRAS) provider in a control area is automatically adjusted in response to the Secondary Control Signal. In India, there are five control regions, namely South, West, North, East and North East. At present, the secondary controls of all five regions are embedded in the AGC software at the National Load Dispatch Centre (NLDC) along with the Energy Management Systems (EMS) at NLDC, New Delhi. The major objectives of AGC are (i) to maintain the system frequency very close to the nominal value of 50 Hz, (ii) to maintain the tie-line interchange between control areas at the scheduled value, and (iii) to ensure economic dispatch of the generating units involved. These objectives are achieved by driving the area control error to zero.
The Area Control Error (ACE) for each region would be auto-calculated at the control center of the NLDC based on the telemetered values of frequency and tie-line flow, and the external inputs as per the following formula:
ACE = (Ia - Is) - 10 * Bf * (fa - fs) + Offset
[003] Where,
Ia = Actual value of net interchange in MW (positive value for export)
Is = Scheduled value of net interchange in MW (positive value for export)
Bf = Frequency Bias Coefficient in MW/0.1 Hz (negative value)
fa = Actual system frequency in Hz
fs = Scheduled system frequency in Hz
Offset = Provision for compensating for metering error
[004] For each control area, a dead band of 10 MW in the ACE is considered. With the help of an exponential moving average filter, noise and random variations in the ACE are filtered out to obtain the smoothed ACE (SACE).
[005] In an interconnected power system, each control area has many generators whose outputs are set as per economic dispatch and the ACE signal, so that each individual unit generates the required amount of power out of each area's total generation. This allocation of power is achieved using base points and participation factors. Let the most economic generation of each unit be $P_{i,\mathrm{base}}$. The participation factor ($pf_i$) gives the share of each unit in the AGC system. The new desired output from unit $i$ is determined as follows:
$$P_{i,\mathrm{des}} = P_{i,\mathrm{base}} + \left(pf_i \times \Delta P_{\mathrm{total}}\right)$$
where
$$\Delta P_{\mathrm{total}} = P_{\mathrm{new\,total}} - \sum_i P_{i,\mathrm{base}}$$
$\Delta P_{\mathrm{total}}$ = change in total generation and
$P_{\mathrm{new\,total}}$ = new total generation
[006] The sum of participation factors is unity. These factors are time-dependent and must be determined dynamically based on costs, bid prices and availability.
[007] As shown in Fig. 2, to implement the AGC at NLDC, information such as (i) system frequency, (ii) real power flow over each tie-line to other neighboring areas, and (iii) real power output of each unit online is needed. Each power plant telemeters its real power output information to NLDC in the IEC 60870-5-104 (IEC 104) protocol through Optical Power Ground Wire (OPGW) cables provided by the Central Transmission Unit. Control signals for each unit are calculated by the digital computer at the NLDC based on base points and participation factors and sent to the various plants via the same telemetry channel. The successful functioning of the AGC scheme is essential for the satisfactory performance of the whole power system, as it is involved in maintaining the grid frequency close to the nominal frequency, i.e., 50 Hz.
[008] The transmitted plant AGC signal may be hacked by malicious attackers to hamper the system stability and hence the operation of the system. Many cyber-attacks, such as the Ukraine attack, have already been reported in the technical literature. These cyber-attack strategies are broadly classified into strategic attack, template attack and location attack. Data integrity attack, timing attack, and covert attack fall under the first category, and bias injection attack, pulse attack and scaling attack come under the second category. The attack component is injected while the plant AGC signal is being transmitted through OPGW cables. In the data integrity attack, the original AGC signal (ACE) is modified as,
$$\mathrm{ACE}_a = \mathrm{ACE} + x$$
[009] where $x$ is the attack input injected into the original signal by the hacker to create a false attacked AGC signal ($\mathrm{ACE}_a$). With a timing attack, the attacker introduces a time delay to the original AGC signal as follows:
$$\mathrm{ACE}_a = \mathrm{ACE}(t - \tau)$$
[010] where $\tau$ is the delay involved. In the case of a pulse attack, the signal takes the shape of a train of pulses. The shape of the pulses can be square, rectangular, triangular and so on. In a scaling attack, the AGC signal is scaled as,
$$\mathrm{ACE}_a = a \cdot \mathrm{ACE}$$
where $a$ is a constant real number.
[011] The above-said cyber-attacks may cause system blackout, economic loss and system instability. Therefore, it is mandatory to protect the system against such attacks. In India, the AGC signal is sent from NLDC to various power plants that are equipped to provide frequency support to the grid and are situated in remote locations. The AGC signal is sent through OPGW in a redundant manner over an alternate path, ensuring dual communication and a diverse route. With the help of these two signals, it is possible to identify a cyber-attack on the AGC signal and to warn the plant operator to take corrective measures to protect the generating units of the power plant.
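The dual-route comparison of [011], run against the attack models of [008] to [010], as an added example that is not taken from the specification or its Fig. 7 control logic. The tolerance, persistence count, sample trace, route jitter and attack sizes are assumptions made for illustration; only the scaling factors 0.5, 2 and -1 come from the figure captions.

```python
import math

START = 30           # sample at which the constructed tampering begins
TOLERANCE_MW = 1.0   # assumed largest benign mismatch between the two routes
PERSIST = 3          # assumed consecutive mismatching samples before alarming


def agc_trace(n=120):
    """Constructed AGC signal in MW, one value per sample (not plant data)."""
    return [50.0 + 20.0 * math.sin(2 * math.pi * k / 40) for k in range(n)]


def tamper(signal, attack, start=START):
    """Copy of signal with attack(k, signal) applied to every sample k >= start."""
    return [attack(k, signal) if k >= start else v for k, v in enumerate(signal)]


def route_jitter(signal, amp=0.2):
    """Small benign difference between the two routes (constructed, deterministic)."""
    return [v + amp * (-1) ** k for k, v in enumerate(signal)]


# Attack models from the text, applied here to the protection channel only.
ATTACKS = {
    "no attack": lambda k, s: s[k],
    "bias x=+5 MW": lambda k, s: s[k] + 5.0,                # ACEa = ACE + x
    "delay tau=4 samples": lambda k, s: s[max(k - 4, 0)],   # ACEa = ACE(t - tau)
    "scaling 0.5": lambda k, s: 0.5 * s[k],                 # ACEa = a * ACE
    "scaling 2": lambda k, s: 2.0 * s[k],
    "scaling -1": lambda k, s: -1.0 * s[k],
    "rect pulse 8 MW": lambda k, s: s[k] + (8.0 if (k - START) % 10 < 5 else 0.0),
}


def first_alarm(main, protection, tol=TOLERANCE_MW, persist=PERSIST):
    """Index of the sample at which the alarm is raised, or None.

    The alarm needs `persist` consecutive samples whose channel mismatch
    exceeds `tol`; a larger `persist` rejects more noise but alarms later.
    """
    run = 0
    for k, (m, p) in enumerate(zip(main, protection)):
        run = run + 1 if abs(m - p) > tol else 0
        if run >= persist:
            return k
    return None


def run_scenarios():
    """Alarm index per attack model, with the main channel left untouched."""
    main = agc_trace()
    return {
        name: first_alarm(main, route_jitter(tamper(main, attack)))
        for name, attack in ATTACKS.items()
    }


def flat_delay_alarm():
    """A delayed copy of a constant signal equals the original, so the
    comparison sees nothing and the plant receives an unchanged value."""
    flat = [50.0] * 60
    delayed = tamper(flat, ATTACKS["delay tau=4 samples"])
    return first_alarm(flat, route_jitter(delayed))


if __name__ == "__main__":
    for name, idx in run_scenarios().items():
        print(f"{name:22s} alarm at sample {idx}")
    print("flat signal, delayed   alarm at sample", flat_delay_alarm())
```

The delay case alarms a few samples later than the others because the delayed and original traces briefly coincide, which resets the persistence counter.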
[012] Reference may be made to the following:
[013] IN Publication No. 202221022660 relates to a cloud computing infrastructure in which, as with various other cloud providers in the world, a cloud is created that is virtual and private for all the users who are using it. The infrastructure presented offers a cloud where the clients can have full access to everything without internet. This infrastructure can be used by a single organization or a group of different organizations. In either case, the cloud is able to provide isolation between the users. The security of users' data is provided by a firewall on the cloud, access to which is given only to the administrator. The administrator can be dynamic: it can be changed, and it is connected to the cloud through a wireless medium. The concept of cloud computing is now well known, but the measures taken to provide security within the cloud environment are more important. Our invention "Virtual private cloud" (VPC) is a configurable pool of shared resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations using the resources. It offers users a private, isolated section of cloud infrastructure where the user can launch resources on demand in a virtual network that they define. The Raspberry Pi (Version 4) can be used as a web server on the main local network or the internet at large. VirtualBox acts as a hypervisor, creating a virtual machine in which the user can run various operating systems. The Graphical Network Simulator 3 (GNS3) is used to simulate, configure and troubleshoot virtual and real networks. It allows the combination of virtual and real devices, used to simulate complex networks. PHP (Personal Home Page, also called Hypertext Preprocessor) can be downloaded anywhere and is readily available to use for web applications. It is platform independent, and PHP-based applications can run on any OS such as UNIX, Linux and Windows. MySQL is an open source relational database management system. It allows relational databases to be managed. Data security is also managed through MySQL.
[014] IN Publication No. 202237018702 relates to a plant management method comprising: a step (S12) in which correlation information is obtained that indicates the correlation between configuration element that had a cyberattack and a configuration element that could be impacted thereby, if a plant comprising a plurality of configuration elements has a cyberattack; and a step (S14) in which the plurality of configuration elements is zoned on the basis of the correlation information. This is industrial Control System. It detects the cyber attack based on correlation.
[015] IN Publication No. 202211008050 relates to a process for predicting grid demand and anomaly detection of a smart grid with integration of IoT and AI technology, said process comprising: receiving an input data of consumer load by a model for predicting future demand, wherein said input data comprises each of a historical data of consumer load and a real time data of consumer load; predicting, by an LSTM module, a change in load based on comparison of historical data of consumer load and real time data of consumer load; detecting anomaly of load based on said change in load in said input data, wherein said anomaly is detected in presence of renewable energy resources for the smart grid; and training said model through changing pattern of load between historical data of consumer load and a real time data of consumer load.
[016] IN Publication No. 202124026580 relates to a system and method for controlling a power generating system having at least one power generating subsystem connected to a point of interconnection (POI). Accordingly, the subsystem controller of the power generating subsystem obtains a first data signal indicative of an electrical parameter at the POI and a second data signal indicative of the electrical parameter at the generating subsystem. The second data signal has a higher fidelity than the first data signal. The second data signal is utilized by the subsystem controller to generate a first modeled value for the electrical parameter at the POI which compensates for the lower-fidelity first data signal. The subsystem controller generates a setpoint command for the power generating subsystem based, at least in part, on the first modeled value for the electrical parameter. Thus, it controls power generating system and does not involve cyber attack.
[017] IN Publication No. 202014055795 relates to a network of safety PLCs that employs multi-PLC verification of a programming application before allowing the application to reprogram any PLC on the safety network. Each PLC on the safety network is equipped with authentication capability that detects attempts to reprogram the PLC and issues an authentication challenge requiring the programming application to process a proof-of-work. The authentication challenge is also sent to other PLCs on the safety network along with the response from the programming application for verification purposes. The other PLCs process the authentication challenge and check the response from the programming application for acceptability. If a majority of the PLCs on the safety network determines the response from the programming application is correct, then the programming application is verified and may proceed with the reprogramming. Such group authentication requires a malicious application to hijack multiple PLCs concurrently on the safety network, a highly unlikely outcome, before reprogramming any PLC. This implements a secure network of safety PLCs for an industrial plant.
[018] IN Publication No. 202037006072 relates to a method for protecting a flow-guiding device of a system against cavitation initiated by cyber attacks. In the method, at least one signal relating to an operating state of the system is first detected. This signal is then evaluated by means of a unit in order to detect a cyber attack, in which case the signal is compared with at least one reference value. If, on the basis of the evaluation of the signal, the unit detects a willfully caused irregular operation of the system, the unit forwards signals to components of the system, in order to ensure that the system operates in accordance with the rules, in which cavitation is avoided will bring about and on the other creates a state. Thus this is a method for protecting a flow-conducting device of an installation against cavitation initiated by a cyber-attack.
[019] IN Publication No. 201927042516 relates to a mission-based cyber training platform allows both offensive and defensive oriented participants to test their skills in a game-based virtual environment against a live or virtual opponent. The system builds realistic virtual environments to perform the training in an isolated and controlled setting. Dynamic configuration supports unique missions using a combination of real and/or virtual machines software resources tools and network components. Game engine behaves in a manner that will vary if participant attempts to replay a scenario based upon alternate options available to the engine. Scoring and leader boards are used to identify skill gaps/strengths and measure performance for each training participant. A detailed assessment of a player’s performance is provided at the end of the mission and is stored in a user profile/training record. This is game engine-based security training methods.
[020] Publication No. KR20190127346 relates to a cyber security development support system comprises: a display unit to generate an entity to display the entity on a diagram work area when the entity of a controller equipment type is selected from a user; a question sentence providing unit to extract a question sentence corresponding to the entity from a plurality of previously stored question sentences, and provide the question sentence in accordance with a preset question algorithm; a control unit to analyze a user response received in response to the question sentence to determine a type of the entity, and map a preset security requirement corresponding to the user response to match a realization method capable of executing the mapped security requirement to the security requirement; an examination guide generation unit to generate a guide for examination by a selected realization method when the realization method for each security requirement is selected from the user; a communication unit to supply the guide for examination to a linked nuclear power plant server to request examination verification, and receive an approval status from the nuclear power plant server; and a guide providing unit to generate a development requirement guide connecting a test or a verification process in a one-to-one manner in response to the realization method to supply the development requirement guide to the user when examination verification approval is received from the nuclear power plant server. This is cyber security development support system for a nuclear power plant.
[021] Publication No. KR20200075407 relates to a virtual physical system for cyber vulnerability testing and a method thereof. According to the present invention, the virtual physical system comprises: a security server which stores the security simulation of the entire nuclear power plant, and creates and stores an expansion system simulation in which the simulation is expanded for each system in the facilities of the nuclear power plant based on the purpose of cyber vulnerability while focusing on the security simulation; and at least one virtual physical device including a controller which controls the expansion system simulation to be driven by the physical device by interlocking with the physical device simulating one system among the facilities of the nuclear power plant and the expansion system simulation. This is virtual physical system for cyber vulnerability testing of a nuclear power plant.
[022] Publication No. KR20180097395 relates to a method and a system for monitoring cyber security of a digital system in a nuclear power plant which collect state information (log information) of a digital measurement control system (digital safety system and non-safety system) of a nuclear power plant by a cyber attack on the digital measurement control system to identify an abnormal sign of the digital measurement control system. This determines the cyber attack on the digital measurement control system of a nuclear power plant using state information.
[023] Publication No. KR20170142759 relates to a cyber security management apparatus comprising a communication part, an evaluation part, a diagnosis part and a management part. The communication part is connected to an external device via a web or an internet network and receives an update check list regarding a cyber security threat element. The evaluation part performs various analyses associated with a digital measurement control system of a nuclear power plant and evaluates the security level of the digital measurement control system of the nuclear power plant in accordance with the analyses. It comprises a communication part, an evaluation part and a management part for the cyber security management of a nuclear power plant.
[024] Publication No. KR102348786 relates to a cyber security analysis system and method for nuclear power plants, and based on the special system of the nuclear power plant, the entire operation simulation of the nuclear power plant including the actual simulated physical device and special system is generated, and applied to the special system in real time A simulator that synchronizes the control signal with the physical device, and executes a cyber attack on the control module (PLC) or local user interface (Local HMI) of the physical device through the network of the physical device and the simulator, and connects to the network and is transmitted includes cyber security analytics devices that collect data. It involves an operation simulator of a nuclear power plant to carry out cyber security analysis.
[025] Publication No. JP2017198836 relates to a cyber terrorism security simulator capable of improving a technique of cyber terrorism corresponding treatment for more perfectly specifying facilities to be attacked, removing factors, and restoring facilities when nuclear power generation plant facilities are subjected to a cyber terrorism attack. The cyber terrorism security simulator of a nuclear power plant includes a monitoring control system and a server connected by an in-house network.
[026] Publication No. KR101553891 relates to a cyber security monitoring method and system of a digital safety system in a nuclear power plant in order to detect the abnormality of the digital safety system and prepares a countermeasure by collecting the state information of the digital safety system according to a cyber attack on the digital safety system in the nuclear power plant. This detects the abnormality of the digital safety system and prepares a countermeasure by collecting the state information of the digital safety system according to a cyber-attack on the digital safety system in a nuclear power plant.
[027] Publication No. US2014304772 relates to systems and methods that implement a coordinated cyber security program for a power generation plant to establish and/or maintain cyber security controls for the power generation plant through a comprehensive life cycle approach.
[028] Publication No. KR101378057 relates to a device for analyzing cyber security requirements of a digital measurement control system, in a nuclear power plant, which is capable of protecting resources of the digital measurement control system in the nuclear power plant from cyber threat (attack) and a method thereof. The present invention predefines a model which corresponds to the digital measurement control system of the nuclear power plant, detects first security levels of resources which are included in the predefined model, detects second security levels of unique attributes of the resources, generates a security regulation guide which guides detected security level to satisfy a predefined security standard and outputs the generated security regulation guide to the corresponding resource when detecting the security level which is below the predefined security level between the first and second security levels. The device is for analyzing cyber security requirements of a digital measurement control system in a nuclear power plant.
[029] Publication No. KR20130024660 relates to a network security system of an integrated power generation plant control system to detect harmful traffic which tries to trespass on a network of the integrated power generation plant control system by constructing a cyber-security solution. A Distributed Control System (DCS) network is connected to distribution control systems which control power generation facilities. An external network exclusive router connects a company network and an internet network. A one-way gateway connects the DCS network and a router for an external network. A network monitoring server detects harmful traffic which tries to trespass on the DCS network.
[030] Publication No. KR101210027 relates to a method and apparatus for managing the cyber security of a digital measurement control system in a nuclear power plant to protect digital assets against cyber risk according to a system design process, a detail design process, and an operation evaluating process of the digital measurement control system. An apparatus for managing cyber security includes an evaluating unit, a diagnosing unit, and a managing unit. The evaluating unit analyzes a cyber security requirement, a cyber security target/asset, a cyber security risk and a cyber security weakness, and evaluates a cyber security level. The diagnosing unit models a detail design weakness and analyzes a development environment. The diagnosing unit diagnoses a source, a network scan, a system weakness, or a maintenance and repair policy. The managing unit manages a development process and security data.
[031] Publication No. KR20110123413 relates to a communication network system and a configuring method corresponding to a cyber security to configure a communication network between a barrier layer by corresponding to the cyber security.
[032] Publication No. KR20100044544 relates to a system and a method for protecting various protective logics to remove weakness of a cyber security and a common failure due to software using an FPGA (Field Programmable Gate Array) and hardware. A power plant protection system has four channels. Each channel comprises a comparison logic unit, a simultaneous logic unit and a start circuit unit. The comparison logic unit generates a comparison logic information by comparing a process valuable and a set value.
[033] Patent No. US11178176 relates to a system for detecting MITM for SCADA communication networks includes secure substation-substation communication links for providing secure and reliable paths to exchange OT data between substations for OT data consistency check; a SIB in each substation for sampling CT and PT measurements to calculate voltage magnitude and phase angle thereof; a S&C server in each substation coupled to the SIB for receiving the voltage magnitude and phase angle from the SIB and obtaining a packet carrying active power flow in transmission lines between two substations and a time stamp; an IDS server placed in a SCADA center for collecting the packet of each substation sent by the S&C server; analyzing the received packet from every adjacent substation; inspecting the payload of the received packet; and triggering an intrusion alarm to a SCADA operator when the power flow is not the same as the payload of the packets.
[034] Publication No. CN114185324 relates to an abnormal point detection method and device for an automatic power generation control program and computer equipment, relates to the field of automatic control of a power system, and can solve the problems that when execution of the automatic power generation control program is abnormal, program execution steps are difficult to accurately analyze, and abnormal points cannot be quickly positioned.
[035] Patent No. US11075932 relates to the appliance extension is designed and constructed to be a secure extension of the threat visualizer user interface of the cyber security appliance installed in the system with a limited set of functions including monitoring, investigating, and taking actions to counter the detected cyber threat, all of which an operator can securely take from the appliance extension; rather than, needing to log into the cyber security appliance and investigate potential cyber threats at a location where the cyber security appliance is installed in the system.
[036] Publication No. CN103401247 relates to an optimization method for realizing AGC and AVC in a monitoring system of a boosting station of a power plant. The optimization method realizes AGC and AVC in a communication manager in an algorithm form, AGC/AVC is configured and monitored in an operator work station, and finally the communication manager directly sends a distributed value or instruction to control units of each set via AGC/AVC interface units.
[037] In order to overcome the limitations of above listed prior art, the present invention aims to provide a system and method for detection of cyber attack on automatic generation control signal of an electric power plant.
OBJECTS OF THE INVENTION:
[038] The principal object of the present invention is to provide a system and method for detection of cyber attack on automatic generation control signal of electric power plant.
[039] Another object of the present invention is to provide an alert/alarm to the plant operator to operate the plant in local mode if it is found that the AGC signal received by the plant has been hacked.
[040] Yet another object of the present invention is to develop a simple and fast system and method to protect the plant and the system from the effects of hacking.
[041] Still another object of the present invention is to provide a system and method for the detection of cyber attack on automatic generation control signal of electric power plant without disturbing the existing control system while taking corrective action if hacking is identified.
SUMMARY OF THE INVENTION:
[042] The present invention relates to a system and method for the detection of cyber attack on automatic generation control signal of electric power plant. The system isolates the hacked AGC signal from entering the power plant and jeopardizing the system. The developed algorithm is simple and elegant. At the same time, it is very fast so that the unwanted effects are heavily limited. Its response time is very small and it gives ample time to the plant operator to react and to take corrective action.
BRIEF DESCRIPTION OF THE INVENTION:
[043] It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered for limiting of its scope, for the invention may admit to other equally effective embodiments.
[044] Fig. 1 illustrates the calculation of area control error (ACE);
[045] Fig. 2 depicts the block diagram of automatic generation control;
[046] Fig. 3 shows the AGC implementation;
[047] Fig. 4 shows the schematic of an interconnected power system and its control center;
[048] Fig. 5 shows the block diagram of a regional grid and its control center;
[049] Fig. 6 depicts the structural diagram of state power system and its control center;
[050] Fig. 7 illustrates a schematic diagram of one embodiment of control logic of a system for detecting the hacking according to the present invention;
[051] Fig. 8 shows the main signal, hacked protection signal and alarm signal for DC bias attack;
[052] Fig. 9 shows the main signal, protection signal (hacked) and alarm signal for time delay attack;
[053] Fig. 10 shows the main signal, hacked protection signal and alarm signal for scaling attack (m = 0.5);
[054] Fig. 11 shows the main signal, protection signal (hacked) and alarm signal for scaling attack (m = 2);
[055] Fig. 12 shows the main signal, protection signal (hacked) and alarm signal for scaling attack (m = -1);
[056] Fig. 13 shows the main signal, protection signal (hacked) and alarm signal for rectangular pulse;
[057] Fig. 14 shows the main signal, protection signal (hacked) and alarm signal for triangular pulse attack;
[058] Fig. 15 shows the main signal, protection signal (hacked) and alarm signal for sinusoidal attack;
[059] Fig. 16 shows the main signal, protection signal (hacked) and alarm sinusoidal signal injection in ramp variation attack;
[060] Fig. 17 shows the main signal, protection signal (hacked) and alarm sinusoidal signal injection in ramp variation attack with sine signal injection;
[061] Fig. 18 shows the main signal, protection signal (hacked) and alarm signal for combined attack involving DC bias, pulse, sinusoidal with ramp.
DETAILED DESCRIPTION OF THE INVENTION:
[062] The present invention provides a system and method to identify the hacking of AGC signal sent from the control center to the controller of an electric power plant through optical ground wire as shown in Fig. 3.
[063] The present invention is a fast and efficient method to identify any cyber-attack and to trigger an alarm signal to alert the operator to initiate corrective action in the form of moving the plant operation from remote automatic mode to local mode so that the plant can be safeguarded against the ill-effects of such attacks.
[064] Fig. 4 depicts the interconnected Indian power system 100 controlled by centralized computer control center, i.e. National Load Dispatch Centre (NLDC) 101. As depicted in Fig. 4, the interconnected power system 100 includes five electrical regions 200 namely Southern, Western, Northern, Eastern and North Eastern grids. Each regional grid 200 can be considered as a loose power pool with decentralized scheduling and dispatch. Through inter-regional tie-lines 103, power transfer between various regions takes place according to bi-lateral exchange schedule agreed upon. There are communication lines 102 through which control signal is transmitted from NLDC to all regional load dispatch centers (RLDC) for control and operation of the regional grids. These communication lines are dedicated optical fiber ground wires running above the power lines of transmission towers. Through the same lines 102, power plants send their operational data to NLDC 101.
[065] The regional grid 200 is depicted in Fig. 5. Each electrical region 200 will have an RLDC 201 and it contains several state power systems 300. State power systems 300 are operated as notional control areas and they are connected through inter-state transmission systems 203. Further, through communication lines 202, control signals are sent from RLDC 201 to each state power system 300.
[066] Referring to Fig. 6, each state power system grid 300 will have its own State Load Dispatch Center (SLDC) 301. The SLDCs are the apex body to ensure integrated operation of the state power system complying with the directions of RLDC 101. The RLDC 101 will interact and coordinate only with SLDCs 301 corresponding to that particular region. State power systems 300 consist of loads 303, inter-state transmission lines 304, generators 305 and a few special types of generators, namely ISGS 400. These ISGS units 400 are equipped to provide secondary frequency control through the AGC signal received from NLDC 101 through OPGW 102. Through communication lines 302, the SLDC 301 issues control signals to various loads 303 and generators 305 for reliable, secure and economic operation.
[067] Thus, as shown in Fig. 7, through communication lines 102, NLDC 101 controls the operation of the various regional grids 200, which in turn control the state power systems 300. In addition, with the help of OPGW 102, the AGC signal is sent from NLDC 101 to ISGS plants 400 for secondary frequency control.
[068] The ISGS plant control system is illustrated in Fig. 7. The AGC signal sent from NLDC, for secondary frequency control, is received by the network panel 401 in the plant 400. In this panel, the optical signal is converted into an electrical signal and is sent to the AGC panel 403 via ethernet cable 402, and the same signal is sent to the hacking detection block 500. In the AGC panel 403, the signal is converted to an optical signal and then it is sent to the plant master control system 405 (process computer) through fiber optical cable 404. Subsequently, through field bus cables 406, control signals are sent to RTUs 407 of various components such as turbine, generator, excitation, transformer, etc.
[069] The schematic block diagram of the present invention, i.e., hacking detection processor 500, is presented in Fig. 7. To improve the reliability, instead of one AGC signal, two signals, namely main 501 and protection 502, are sent from NLDC 101 to ISGS plants 400 through two cores 102A and 102B of 102 respectively via different routes. The ISGS plants are spread throughout the country. At the plants, these signals are received. Though there are two signals available, only one signal is sent to the plant controller. In this invention, the availability of two identical AGC signals is used to identify the cyber-attack in any of the AGC signals.
[070] As used herein, the term “processor” 500 refers to a microcomputer, a microcontroller, a programmable logic controller (PLC), an application specific integrated circuit, a field programmable gate array and any other programmable circuits. With this processor, the difference between the plant AGC protection signal and the AGC main signal is determined in the block 503. Subsequently, with another block 504, it is checked whether the difference value is a non-zero value. If the value is not equal to zero, then it is inferred that there is a cyber-attack. Subsequently, using alarm generating block 505, an alarm signal is triggered to alert the operator to take corrective measures to protect the plant from the attack. On the other hand, if there is no cyber-attack on any of the AGC signals, the difference between these signals will be zero and the alarm will not be triggered. Thus, any cyber-attack on any of the AGC signals at any instant can be identified very quickly.
[071] Referring to Fig. 7, in an embodiment, the system includes only one unit or a plant 400 comprising of several units of same kind i.e., thermal/hydro/wind/PV systems or their combination.
[072] In the present invention, hacking detection system and method is emulated using a Personal Computer, real-time controller board and 4-channel digital storage oscilloscope. Both AGC signals are generated and sent out through DAC blocks of board as well as to two channels of a digital storage oscilloscope. These signals were given as input to the controller board through ADC blocks of the same board to be processed by the system. If any hacking is detected by the system, an alarm signal is generated and sent out through the DAC block to third channel of the same digital storage oscilloscope. In the next part, the results for various test cases involving hacking signals are presented.
[073] (a) DC Bias
[074] Initially, both AGC main and protection signals are at 0.2 p.u. till t = 1.2 s as shown in the first and second traces of Fig. 8. After that both signals start to increase with a slope of 0.2 p.u./0.6 s. The main signal reaches 0.4 p.u. at t = 1.8 s. However, the hacker attacks the protection signal and increases it to reach 0.44 p.u., and they remain at those values for some time. Then, they start to decrease with the same slope of 0.2 p.u./0.6 s, reach 0.2 p.u. and remain at that value till t = 6 s. Both signals are processed by the presented detection system, which finds the difference between them; this difference is zero (shown in the third trace of Fig. 8), and its absolute value is also zero, till t = 1.8 s. After that, due to the attack, the main and protection signals are different from t = 1.8 to 4.8 s. As detected by the algorithm, the absolute value of this difference is a non-zero value and an alarm signal is triggered immediately to alert the plant operator to take corrective action. Thus, with the system, it is possible to identify the dc bias attack correctly.
[075] (b) Time Delay Attack
[076] In this test case, initially, the main signal is at 0.2 p.u. Subsequently, at t = 1.2 s, it starts to increase at a rate of 0.2 p.u./0.6 s, reaches 0.4 at 1.8 s and remains at the same value till t = 4.2 s. After this time, it starts to decrease at the same rate and attains 0.2 p.u. at t = 4.8 s. There is no attack on the protection signal till t = 4.2 s. The waveforms pertaining to this case are presented in Fig. 9. However, the attacker introduces a delay of 0.6 s and as a result the protection signal starts to decrease like the main signal only at t = 4.8 s and reaches the value of 0.2 p.u. only at t = 5.4 s. Thus, from t = 4.2 to 5.4 s, there is a delay attack and this is correctly identified by the system as shown in the third trace of Fig. 9. Therefore, with this test case, it is proven that the system is capable of detecting the time delay attack.
[077] (c) Scaling attack
[078] Another possible attack on the AGC signal is the scaling attack. In this case, the plant AGC signal is multiplied by a scalar (a). The actual AGC signal is the main signal and its variations are shown in the first trace of Fig. 10. As a first case, a = 0.8 is considered. At t = 0.6 s, the attacker multiplies the AGC signal of the protection channel by a = 0.8. As a result, the main signal differs from the protection signal from 0.6 to 5.4 s. The system rightly identifies the hacking and gives a warning signal as shown in Fig. 10. Once the hacking is taken away by the attacker, the alarm is stopped at t = 5.4 s. With this test case, it is shown that the proposed system can identify the scaling attack.
[079] In the next test case, the attacker is considering a scalar of a = 1.5 at t = 0.6 s. As a consequence, the protection signal is more than the AGC main signal and there is a difference between them. Waveforms pertaining to this test case are shown in Fig. 11. As seen from this figure, whenever there is a difference between the two signals, the system gives the alarm signal. It shows that the system identifies hacking of the AGC signal correctly.
[080] As the last scaling attack, at t = 0.6 s, the actual protection AGC signal is inverted by the attacker, i.e. a = -1. As a result, the signal becomes negative. The proposed system finds this attack and gives warning immediately. The waveforms corresponding to this test case are presented in Fig. 12.
[081] (d) Pulse Attack
[082] Test cases involving pulses such as rectangular, sinusoidal and triangular are considered subsequently. The waveforms for the test case involving the rectangular pulse attack are shown in Fig. 11. The changes in the actual signal are shown in the first trace of Fig. 13. Till t = 1.8 s, the hacker did not attack the signal. After that, rectangular pulses are injected by the attacker into the protection signal till t = 4.2 s. This attack results in a difference between the two input signals of the system. As a consequence, an alarm signal is generated from 1.8 to 4.2 s.
[083] Thus, the rectangular pulse attack can also be detected by the system. In another test case, it is assumed that the attacker injects a sinusoidal signal into the protection signal from t = 1.8 s to 4.2 s and the waveforms are shown in Fig. 14. Like the previous test case, the system detects the attack and an alarm signal is produced for this period. As a final pulse test case, a triangular pulse is considered to be injected by the attacker for the same period as shown in Fig. 15. From this figure, it is understood that the hacking is found by the scheme correctly and an alarm signal is generated. From these test cases, it is clear that the proposed scheme is capable of identifying pulse attacks irrespective of their shape.
[084] (e) Ramp Attack
[085] Ramp attack is another kind of cyber-attack considered to test the effectiveness of the proposed algorithm. As the attacker did not inject any signal, both AGC main and protection signals are the same till t = 4.2 s, as shown in Fig. 14. At t = 4.2 s, the main signal starts to decrease at a slope of 0.2 p.u./0.6 s whereas the protection signal is made to decrease at a rate of 0.2 p.u./1.2 s by the attacker. This attack was correctly detected by the system, as shown in the third trace of Fig. 16, and an alarm signal is generated.
[086] (f) Ramp with sinusoidal Attack
[087] This attack is similar to the previous test case except that at t = 4.2 s, the attacker not only changes the slope of the AGC protection signal to 0.2 p.u/1.2 s but also injects sinusoid signal till t = 5.4 s. The waveforms are presented in the Fig. 17. Thus, the hacker attacks the protection signal from 4.2 to 5.4 s and the alarm is also produced correctly for this period.
[088] (g) Combined Signal Attack
[089] A versatile test case combining all possible attacks as shown in Fig. 18 is considered as the last test case. In this case, at t = 1.2 s, the slope of the protection signal is changed to 0.16 p.u./0.6 s by the attacker. Further, at t = 1.8 s, a dc bias of -0.04 p.u., at t = 2.4 s, a sinusoid signal, and at t = 4.2 s, a ramp (0.2 p.u./0.6 s) with sinusoid are injected by the attacker. Effectively, the cyber-attack is present from t = 1.2 to 4.8 s. As seen from the third trace of Fig. 16, the alarm signal is also generated by the system for the same period.
[090] TABLE – I Performance of the presented method under various cyber-attacks

| Sl. No. | Type of Cyber Attack | Hacking Time Start (s) | Hacking Time End (s) | Alarm Signal Duration (s) |
|---|---|---|---|---|
| 1 | DC Bias | 1.8 | 4.8 | 1.8 to 4.8 |
| 2 | Timing (Delay) | 4.2 | 5.4 | 4.2 to 5.4 |
| 3 | Scaling (a = 0.8) | 0.6 | 5.4 | 0.6 to 5.4 |
| 4 | Scaling (a = 1.5) | 0.6 | 5.4 | 0.6 to 5.4 |
| 5 | Scaling (a = -1) | 0.6 | 5.4 | 0.6 to 5.4 |
| 6 | Rectangular Pulse | 1.8 | 4.2 | 1.8 to 4.2 |
| 7 | Sinusoidal | 1.8 | 4.2 | 1.8 to 4.2 |
| 8 | Triangular Pulse | 1.8 | 4.2 | 1.8 to 4.2 |
| 9 | Ramp | 4.2 | 5.4 | 4.2 to 5.4 |
| 10 | Sine Ramp | 4.2 | 5.4 | 4.2 to 5.4 |
| 11 | Combined | 1.2 | 4.8 | 1.2 to 4.8 |

[091] The performance of the proposed system for various cyber-attack test cases is presented in Table I. From this Table, it can be observed that the alarm signal is triggered exactly for the period during which there is a cyber-attack. Thus, the proposed cyber-attack detection system is robust against various attacks and it can detect the attack and alert the operator with the alarm signal produced.
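The comparison performed by blocks 503, 504 and 505 can be replayed on sampled signals. The following is an added example, not part of the specification: it rebuilds the main signal of test case (b) from the values given above, applies the 0.6 s delay and the scaling attacks to the protection channel, and reports the alarm intervals. The 10 ms sample period, the reuse of the test case (b) waveform for the scaling cases, the constructed measurement noise and the `tol` deadband are assumptions introduced here; `tol=0.0` is the non-zero check as the specification states it.

```python
# Added example: dual-channel AGC comparison (blocks 503-505) on constructed signals.
DT = 0.01   # assumed sample period in seconds; the page gives no sampling rate
N = 601     # samples covering t = 0 .. 6 s

def main_signal(k):
    """Main AGC value (p.u.) at sample k, following test case (b):
    0.2 until 1.2 s, ramp to 0.4 at 1.8 s, hold to 4.2 s, ramp to 0.2 at 4.8 s."""
    if k <= 120:
        return 0.2
    if k < 180:
        return 0.2 + 0.2 * (k - 120) / 60
    if k <= 420:
        return 0.4
    if k < 480:
        return 0.4 - 0.2 * (k - 420) / 60
    return 0.2

def delayed(k):
    """Protection channel with the 0.6 s delay applied after t = 4.2 s."""
    return main_signal(k - 60) if k > 420 else main_signal(k)

def scaled(a, start=60, end=540):
    """Protection channel multiplied by scalar a between 0.6 s and 5.4 s."""
    return lambda k: a * main_signal(k) if start <= k < end else main_signal(k)

def with_noise(channel, amp=0.0005):
    """Add constructed +/-amp measurement noise (stand-in for ADC error)."""
    return lambda k: channel(k) + (amp if k % 2 == 0 else -amp)

def alarm_intervals(protection, tol=0.0):
    """Difference (503), non-zero check (504), alarm (505).
    Returns [(first_alarm_sample, first_clear_sample), ...].
    tol=0.0 is the literal non-zero rule; tol>0 is an added deadband."""
    intervals, start = [], None
    for k in range(N):
        alarm = abs(protection(k) - main_signal(k)) > tol
        if alarm and start is None:
            start = k
        elif not alarm and start is not None:
            intervals.append((start, k))
            start = None
    if start is not None:
        intervals.append((start, N))
    return intervals

def seconds(intervals):
    """Convert sample indices to seconds for comparison with Table I."""
    return [(round(s * DT, 2), round(e * DT, 2)) for s, e in intervals]

if __name__ == "__main__":
    print("delay        ", seconds(alarm_intervals(delayed)))
    print("scaling 0.8  ", seconds(alarm_intervals(scaled(0.8))))
    print("noise, tol=0 ", seconds(alarm_intervals(with_noise(main_signal))))
    print("noise, tol>0 ", seconds(alarm_intervals(with_noise(delayed), tol=0.001)))
```

On ideal signals the literal non-zero check reproduces the delay and scaling rows of Table I to within one sample. With the constructed noise it alarms continuously even when no attack is present, which is why a deadband sized above the channel mismatch is worth adding when the inputs come through ADCs.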
[092] Numerous modifications and adaptations of the system of the present invention will be apparent to those skilled in the art, and thus it is intended by the appended claims to cover all such modifications and adaptations which fall within the true spirit and scope of this invention.

WE CLAIM:

1. A method for the detection of cyber attack on automatic generation control signal, the system comprises at least one inter-state generating unit 400, of a state power system 300 of a regional grid 200, connected to the power system grid 100 and to the national load dispatch center 101 via two optical ground wire 102A and 102B received at network panel 401, and detection block 500, the method comprising:
- Obtaining the two AGC optical signals namely AGC main 501 and AGC protection 502 at the network panel 401 which converts them into electrical signals and feeding them to the detection controller 500;
- determining the difference value 503 between AGC main signal 501 and AGC protection signal 502;
- checking whether the difference value 503 is greater than zero using the block 504;
- generating an alarm signal with the help of the block 505 to alert the operator if the difference value 503 is greater than zero.
2. The system and method for the detection of cyber attack on automatic generation control (AGC) signal of electric power plant, as claimed in claim 1, wherein the time taken to detect the intrusion is only very small and such a fast response helps in reducing the impact of attack on the power plant.
3. The system and method for the detection of cyber attack on automatic generation control (AGC) signal of electric power plant, as claimed in claim 1, wherein the present invention does not affect the existing control systems of the power plants.
4. The system of claim 1 includes only one unit or a plant comprising of several units of same kind i.e., thermal/hydro/pumped storage schemes/wind/PV systems or their combination.
5. The system and method for the detection of cyber-attack on automatic generation control (AGC) signal of power plant, as claimed in claim 1 enhances electric network stability, reliability and performance of the power system.

Documents

Application Documents

# Name Date
1 202211052352-CLAIMS [02-12-2023(online)].pdf 2023-12-02
1 202211052352-STATEMENT OF UNDERTAKING (FORM 3) [13-09-2022(online)].pdf 2022-09-13
2 202211052352-FORM FOR SMALL ENTITY(FORM-28) [13-09-2022(online)].pdf 2022-09-13
2 202211052352-CORRESPONDENCE [02-12-2023(online)].pdf 2023-12-02
3 202211052352-FORM 1 [13-09-2022(online)].pdf 2022-09-13
3 202211052352-FER_SER_REPLY [02-12-2023(online)].pdf 2023-12-02
4 202211052352-FIGURE OF ABSTRACT [13-09-2022(online)].pdf 2022-09-13
4 202211052352-FER.pdf 2023-08-03
5 202211052352-FORM 18 [03-04-2023(online)].pdf 2023-04-03
5 202211052352-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [13-09-2022(online)].pdf 2022-09-13
6 202211052352-FORM-8 [14-10-2022(online)].pdf 2022-10-14
6 202211052352-EDUCATIONAL INSTITUTION(S) [13-09-2022(online)].pdf 2022-09-13
7 202211052352-FORM-9 [14-10-2022(online)].pdf 2022-10-14
7 202211052352-DRAWINGS [13-09-2022(online)].pdf 2022-09-13
8 202211052352-DECLARATION OF INVENTORSHIP (FORM 5) [13-09-2022(online)].pdf 2022-09-13
8 202211052352-COMPLETE SPECIFICATION [13-09-2022(online)].pdf 2022-09-13

Search Strategy

1 SearchHistoryE_02-08-2023.pdf