
Grid Parameter Based System And Method For Detecting Cyber Hacking Of Automatic Generation Control In Electric Power Plants

Abstract: The present invention relates to a system and method to identify cyber hacking of the unit AGC signal sent from the energy control center to the controller of an electric power plant eligible to participate in secondary frequency control. The invention makes use of the nature of the AGC signal and the grid parameter to identify an attack on the AGC signal by a hacker. When the present method detects an attack by a cyber-hacker, it generates an alarm signal to alert the plant operator to initiate protective measures to safeguard the system. Figure 4


Patent Information

Application #
Filing Date: 18 May 2023
Publication Number: 28/2023
Publication Type: INA
Invention Field: ELECTRICAL
Status
Email
Parent Application

Applicants

DIVYASAMPARK IHUB ROORKEE FOR DEVICES MATERIALS AND TECHNOLOGY FOUNDATION
Indian Institute of Technology Roorkee, Roorkee

Inventors

1. DR. THANGA RAJ CHELLIAH
Department of Water Resource Development & Management, Indian Institute of Technology Roorkee, Roorkee- 247667
2. MR. MAYUR
Department of Water Resource Development & Management, Indian Institute of Technology Roorkee, Roorkee- 247667
3. DR. CHANDRASEKARAN SUBRAMANIAN
Department of Water Resource Development & Management, Indian Institute of Technology Roorkee, Roorkee- 247667

Specification

Description:
FIELD OF INVENTION:
[001] The present invention relates to the field of electric power plant control systems. More particularly the present invention relates to a system and method for the detection of cyber hacking on secondary frequency control (SFC) signal of an electric power plant.
DESCRIPTION OF THE RELATED ART:
[002] Considering its large size and operation as a single grid, the Indian power system is one of the complex systems in the world. Though, as per the Indian Electricity Grid Code, the national reference frequency of the Indian power grid is 50 Hz, the specified acceptable power system frequency range is 49.95 to 50.05 Hz. Such a narrow frequency range is essential for the long life of the dominant electrical motor loads and the better power quality needed by sophisticated loads such as process industries and traction locomotives. Further, as there is a direct relation between grid frequency and grid voltage, maintaining grid frequency closer to its nominal value results in reduced transmission losses and improved efficiency. Therefore, it is vital to tightly maintain the frequency within the specified range. To attain this goal, the power balance between the total generation and net load plus losses must be maintained. For this purpose, the power system is equipped with a few frequency control schemes, namely inertial response, primary frequency control, secondary frequency control (SFC) and tertiary control. These schemes possess different quantum and operate in different time frames. Inertial and primary frequency control schemes are automatic and decentralized whereas secondary frequency control is centralized, i.e., the control signal is sent from the Energy Control Centre. The secondary frequency control has been introduced through automatic generation control (AGC). In India, the majority of inter-state generating station (ISGS) generators are equipped with secondary frequency control. In India, secondary frequency control is achieved by considering each of the five regional grids, namely South, West, North, East and North East, as an individual balancing area. Thus, five AGCs are located at National Load Dispatch Centre, New Delhi.
[003] Three major objectives of AGC are as follows:
(i) to maintain the power system frequency very close to national reference frequency value i.e., 50 Hz,
(ii) to maintain the tie-line real power interchange between control areas at the scheduled value, and
(iii) to ensure economic dispatch of the generating stations involved.
[004] The above-mentioned objectives are achievable by driving the area control error (ACE) to zero. The ACE for each region would be auto-calculated at the control center based on the telemetered values of tie-line flow, frequency, and the external inputs as per the following formula:
ACE = (Pa - Ps) - 10 * Bf * (fa - fs) + Offset
[005] where,
[006] Pa = Actual value of net real power interchange in MW (positive value for export)
[007] Ps = Scheduled value of real power interchange in MW (positive value for export)
[008] Bf = Frequency bias coefficient in MW/0.1 Hz (negative value)
[009] fa = Actual system frequency in Hz
[010] fs = Reference system frequency in Hz
[011] Offset = Provision for compensating metering error
[012] For each control area, a dead band of ±10 MW in the ACE is considered. The noises and random variations in the ACE are eliminated with the aid of an exponential moving average filter, and the smoothed ACE (SACE) is obtained. In an interconnected power system, each control area will have many ISGS generators to provide frequency support to the grid and to maintain the tie-line MW interchange at its scheduled value. Control signals for each ISGS plant are calculated by the digital computer at the NLDC and transmitted to various plants via a telemetry channel. The transmitted plant AGC signal may be hacked by malicious attackers to hamper the stability and operation of the system. These cyber-hacking strategies are broadly classified into strategic attack, template attack and location attack. Data integrity attack, timing attack, and covert attack fall under the first category and bias injection attack, pulse attack and scaling attack come under the second category. The attack component is injected while the plant AGC signal is being transmitted through the telemetry channel.
[013] As it is known, grid frequency is an indicator of power balance between total system generation and total system load plus losses. Load increase or decrease in power generation may cause power unbalance. However, such unbalance will show up as grid frequency deviation from its nominal value (50 Hz). When the net generation is more than the net load plus losses, the actual system frequency is greater than the nominal frequency (50 Hz). As a result, frequency deviation which is the difference between actual frequency, f, and nominal frequency fn, i.e. (Δf = f - fn) is positive and it can be brought to zero by reducing the generation. On the other hand, if the total generation is less than the total load plus losses, then it will result in negative frequency deviation. This deviation, Δf could be nullified by increasing the real power generation which is achieved by driving the ACE to zero by AGC.
[014] The plant AGC signal may be altered by cyber hackers. Assume that the NLDC sent a plant control signal to increase the generation of a plant as the total generation is less than the total load plus losses, due to which the frequency deviation is negative. But the hacker can attack the signal and make it decrease instead of increase. As a result, the grid frequency will go further down and cause stability issues. In another scenario, assume that the frequency deviation, Δf, is positive as the total generation is more than the total load plus losses. To bring the frequency to its normal value, NLDC sends a control signal to a plant to decrease the generation. This signal could be modified into an increase command by the hacker to disturb the system operation. Thus, by observing the nature of the plant AGC signal and the grid frequency deviation, it is possible to identify the cyber hacking.
[015] Generation of any generator unit can be ramped up or down only at a certain rate due to its limitation. For example, it may be 20 MW/minute for hydro units. The attacker can change the rate at which the plant AGC signal varies. By this attack, the hacker tries to increase/decrease the generation at a rate more/less than the fixed limit of the plant to cause damage to the units and create havoc in the power system operation. Such an attack can be identified by determining the rate at which the plant AGC set point signal is increasing or decreasing. Thus, with the help of the above-mentioned two methods involving frequency deviation, the nature (positive or negative) of the plant AGC signal and its rate of change, it is possible to identify a cyber-attack on the plant AGC signal and to alert the plant operator with an alarm to initiate corrective actions to protect the ISGS generating units of any power plant.
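The two checks described in [014] and [015], sketched as an added example (not code from the patent or its applicants): a plant-side monitor compares the direction of each AGC setpoint change with the sign of the locally measured Δf and tests the setpoint's rate of change against the plant ramp limit. The class and field names, the 4 s sample interval, the noise tolerances and the trace are constructed for illustration; the 20 MW/min limit is the hydro figure from [015], and only the upper ramp limit is modelled.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

NOMINAL_HZ = 50.0  # national reference frequency given on the page


@dataclass(frozen=True)
class Sample:
    t_s: float      # sample time, seconds
    freq_hz: float  # grid frequency measured locally at the plant
    agc_mw: float   # plant AGC setpoint received over the telemetry channel


@dataclass(frozen=True)
class Alarm:
    t_s: float
    reason: str     # "DIRECTION" or "RAMP_RATE"
    detail: str


class AgcPlausibilityMonitor:
    """Flags AGC setpoints that contradict local frequency or the ramp limit."""

    def __init__(self, max_ramp_mw_per_min: float = 20.0,
                 freq_tol_hz: float = 0.01, step_tol_mw: float = 0.5):
        # 20 MW/min is the page's hydro example. Both tolerances are assumed
        # values that keep measurement noise from being read as a direction.
        self.max_ramp = max_ramp_mw_per_min
        self.freq_tol = freq_tol_hz
        self.step_tol = step_tol_mw
        self._prev: Optional[Sample] = None

    def check(self, s: Sample) -> List[Alarm]:
        prev = self._prev
        if prev is None:            # first sample: nothing to compare against
            self._prev = s
            return []
        dt = s.t_s - prev.t_s
        if dt <= 0:
            raise ValueError("samples must have strictly increasing timestamps")
        self._prev = s

        alarms: List[Alarm] = []
        delta_f = s.freq_hz - NOMINAL_HZ   # delta f = f - fn, as in [013]
        step = s.agc_mw - prev.agc_mw      # setpoint change since last sample

        # Check 1 ([014]): positive delta f means surplus generation, so a
        # genuine command lowers the setpoint; negative delta f means a
        # deficit, so a genuine command raises it.
        if delta_f > self.freq_tol and step > self.step_tol:
            alarms.append(Alarm(s.t_s, "DIRECTION",
                                f"raise of {step:.1f} MW at delta f {delta_f:+.3f} Hz"))
        elif delta_f < -self.freq_tol and step < -self.step_tol:
            alarms.append(Alarm(s.t_s, "DIRECTION",
                                f"lower of {step:.1f} MW at delta f {delta_f:+.3f} Hz"))

        # Check 2 ([015]): the setpoint may not move faster than the unit can ramp.
        rate = step / dt * 60.0            # MW per minute
        if abs(rate) > self.max_ramp:
            alarms.append(Alarm(s.t_s, "RAMP_RATE",
                                f"{rate:+.1f} MW/min exceeds {self.max_ramp:.1f}"))
        return alarms


def run_trace(samples: Iterable[Sample]) -> List[Tuple[float, str]]:
    """Feed a trace through a fresh monitor; return (time, reason) per alarm."""
    monitor = AgcPlausibilityMonitor()
    return [(a.t_s, a.reason) for s in samples for a in monitor.check(s)]


# Constructed trace, one sample every 4 s (not data from the patent figures).
TRACE = [
    Sample(0.0, 49.96, 100.0),   # baseline
    Sample(4.0, 49.96, 101.0),   # deficit, raise at 15 MW/min: plausible
    Sample(8.0, 49.97, 100.0),   # deficit, but setpoint lowered: DIRECTION
    Sample(12.0, 49.97, 103.0),  # right direction, 45 MW/min: RAMP_RATE
    Sample(16.0, 50.00, 103.2),  # no deviation, change within noise tolerance
    Sample(20.0, 50.04, 105.2),  # surplus, raise at 30 MW/min: both alarms
]

if __name__ == "__main__":
    for t, reason in run_trace(TRACE):
        print(f"t={t:5.1f}s  ALARM {reason}")
```

The frequency input must come from a measurement taken at the plant, not from the same telemetry channel that carries the setpoint, otherwise both inputs to the check share one point of tampering.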
[016] Reference may be made to the following:
[017] IN Publication No. 202241057079 relates to a threat detection system for protecting a device against a cyber-attack and method thereof. The system includes, but not limited to, a computer network intrusion detector that detects external attacks, an analyzing unit connected to the intrusion detector to analyse each attack found and identify a characteristic indicative of that attack and a data filter unit connected to the analyzer to produce an alert based on the characteristics of several attacks. Further, a processing unit is configured to receive a first set of measures from a control system's initial operation, the first set of measurements being obtained by each of the control system's numerous sensing and actuating devices.
[018] IN Publication No. 202241050353 relates to an artificial intelligence based IoT security system for smart grid networks. We presented the use of IoT as a technology that makes the smart grid possible. Then, we provided a thorough analysis of the major security problems and obstacles facing IoT-based. Additionally, we summarized the main problems with IoT-based smart grids and suggested remedies. Artificial intelligence and machine learning are contributing factors to the advancement of traditional security. The efficiency of our daily life is also improved by IoT technology, such as smarter homes, smarter cars, etc. Health professionals frequently advise organizations to strike a tight line when deciding whether to adopt an unattended or regulated strategy.
[019] Publication No. EP2897243 relates to a frequency-conversion differential protection method for an output transformer of a static frequency converter (SFC) system, a protection device measures the three-phase current on each side of the output transformer of the SFC system; according to the connection manner of the output transformer, triangle side is used as a reference to perform phase correction on the star side; at the same time, in consideration of the secondary rated current on each side of the transformer are different, a balance coefficient on each side is adjusted, to calculate sampling values of correcting current on each side and the differential current; a generator start-up and shutdown protection algorithm which unaffected by frequency is used to calculate amplitude values of the correcting current, the differential current, and the restraint current; and frequency-conversion differential protection for the output transformer is implemented by using biased differential characteristic and according to magnitudes of the differential current and the restraint current. The protection method adapts to a large-scale frequency change, and compared with instantaneous overcurrent protection, greatly improves the sensitivity of detection on an internal fault of the output transformer.
[020] Patent No. US9621569 relates to a method and apparatus for detecting cyber-attacks on remotely-operable elements of an alternating current distribution grid. Two state estimates of the distribution grid are prepared, one of which uses micro-synchro phasors. A difference between the two state estimates indicates a possible cyber-attack.
[021] Patent No. US9059842 relates to a method and system for a secure communication network using an electrical distribution grid.
[022] Publication No. CN103634296 relates to an intelligent electricity network attack detection method based on physical system and information network abnormal data merging. The intelligent electricity network attack detection method comprises the following steps that at a physical layer, the abnormal degree of electric power data of each node is calculated on the basis of the electric power monitoring data in an intelligent electricity network; at an information layer, an invasion detection system is utilized for monitoring the communication flow rate, warning events aiming at the abnormal communication flow rate are generated, and the abnormal degree of network communication of each node of the system is calculated; the electric power data of each node is correlated with the abnormal degree of the network communication on the basis of an ID-IP (identity- internet protocol) mapping table of the node, and whether each node is attacked or not is judged.
[023] Publication No. CN112865085 relates to an attack simulation method and system for an electric power information physical system. The method comprises the following steps: S1, obtaining topological structure feature information of a target electric power system; S2, constructing an electric information physical network topology model according to the topological structure feature information; S3, calculating importance values of all lines in the electric information physical network topology model, and screening out a target line with concealment according to the calculated importance values; and S4, taking the screened target line as an attack object, and carrying out multiple times of cooperative attacks on the target line in the electric information physical network topology model to obtain an attack simulation result for carrying out optimal scheduling on a power grid. According to the invention, attack simulation of a high-concealment line can be realized, and the attack resistance of an electric power information physical system is improved.
[024] Publication No. WO2016183644 relates to parameter management and automatic control of banks of capacitors and voltage regulators in power grids, regulation of the power factor in power grids, protection and safety of grid protection devices during short-circuits and reconnection after scheduled or unexpected disconnections, monitoring and control via the cloud at various points of the power grids, and the creation of the necessary conditions for transforming usual power grids into smart grids. The object of the present invention is the optimisation of the power factor in a more balanced manner throughout the grid, lengthening the service life of capacitors and devices for protecting the grid against short-circuits, shortening grid unavailability times and reducing the need for and the frequency of maintenance of grid reconnecting devices, using information on the voltage measured at various points of the grid, with pre-programmed parameters and smart grid or intelligent grid intelligence level, with signal inputs that allow monitoring both voltage and current in all three phases of the grid, having its own "no break" and operating the banks of capacitors in fine syntony with the local and momentary needs of the grid, connecting or disconnecting the grid in stages. It comprises communication ports for simultaneously receiving and sending information to the voltage regulator, acting through a single voltage controller for all three phases of the power grid, and capable of communicating via wires or preferably, wirelessly over the internet, the cloud or radiofrequency in dedicated channels.
[025] Publication No. CN113507460 relates to an abnormal message detection method and device, computer equipment and a storage medium. The method comprises the following steps: acquiring at least one substation sampling value SMV message; wherein the SMV messages are preprocessed, and SMV message pictures corresponding to the SMV messages are obtained; and inputting each SMV message picture into a preset neural network model for fault detection, and obtaining a fault detection result of each SMV message. By adopting the method, fault detection can be carried out on the sampling value SMV message of the transformer substation, whether abnormal conditions such as packet loss and false injection exist in the SMV message or not is judged, and abnormal operation of a transformer substation system caused by the abnormal conditions is avoided.
[026] Publication No. CN111131331 relates to a network vulnerability guided information attack oriented moving target defense deployment optimization method, which is characterized by comprising the following steps: S1, acquiring power grid system data; S2, preprocessing the acquired data; S3, performing static data processing; S4, performing dynamic data processing; S5, performing configuration strategy generation; S6, configuring strategy weight coverage detection; S7, performing strategy economic cost configuration and line regulation capability detection; and S8, outputting an installation scheme. By analyzing the power grid topology and the node vulnerability and taking the line deployment capability and the deployment cost as constraints, the optimal equipment number required by power grid operation and security defense is determined, and the installation position of the D-FACTS equipment is determined according to the coupling relationship between the nodes and the line, so that the deployed equipment can cover all vulnerable nodes. On the premise of ensuring normal operation and power flow scheduling of a power grid, the requirement of information security is met, and the problem of D-FACTS equipment deployment when an MTD technology is applied to deal with FDI attacks is solved.
[027] Publication No. CN110659322 relates to a power distribution network operation parameter processing method, which comprises the steps of collecting a first operation parameter of a power distribution network, compressing the first operation parameter to obtain a compressed operation parameter, and uploading the compressed operation parameter to a data storage module; obtaining the compressed operation parameter in a storage module, and decompressing the compressed operation parameters to obtain second operation parameters; verifying the second operating parameter, and if the verification is not successful, judging whether the verification frequency reaches a preset verification frequency threshold value; if the verification frequency does not reach the preset verification frequency threshold, performing data restoration on the second operation parameter to obtain a third operation parameter; and verifying the third operating parameter, and sending the third operating parameter to the data analysis module for analysis when the verification is successful. According to the method, data compression, decompression, verification and data restoration are added in the processing process of the first operating parameter, so that the integrity and security of transmission are ensured.
[028] Publication No. CN111275074 relates to an electric power CPS information attack identification method based on a stack type self-encoding network model, which is characterized by comprising the following steps: introducing a maximum information coefficient to select data characteristics according to properties such as CPS data non-function dependence and non-linear correlation, and determining an optimal attack characteristic set; constructing an information attack identification model based on a stack type self-encoding network, and setting an unsupervised pre-training encoder and a supervised fine tuning classifier to perform network parameter training updating; model initial parameter optimization based on the adaptive cuckoo algorithm is realized. The problems of complex data characteristics, relatively low identification precision and the like in the power CPS information attack identification process are solved, and the method has the advantages of being scientific, reasonable, high in applicability, good in effect and the like.
[029] Publication No. GB2520987 relates to a computer implemented method of profiling cyber threats detected in a target environment, comprising: receiving, from a Security Information and Event Manager (SIEM) monitoring the target environment, alerts triggered by a detected potential cyber threat 801, and, for each alert: retrieving captured packet data related to the alert 802; extracting data pertaining to a set of attributes from captured packet data triggering the alert 803; applying fuzzy logic 804 to data pertaining to one or more of the attributes to determine values 705 for one or more output variables indicative of a level of an aspect of risk attributable to the cyber threat. In this manner fuzzy logic is used to assign a risk level to a potential threat allowing threats to be displayed in priority order of risk level and potentially reducing the sheer number of alerts shown to an administrator and also reducing the number of false positive alerts. Levels of risk may be based on threat sophistication risk, capability risk, confidentiality risk, system integrity risk and system availability risk. Training data may be used to provide the automatic generation of each rule base used in the fuzzy logic using a machine learning approach. Cyber threats such as SQL injection attacks, OS command injection attacks, buffer overflow attacks, XSS attacks, phishing attacks or other malicious attacks may be profiled.
[030] Patent No. US10530799 relates to a method in which non-harmful data mimicking computer network attacks may be inserted in a computer network. Anomalous real network connections may be generated between a plurality of computing systems in the network. Data mimicking an attack may also be generated. The generated data may be transmitted between the plurality of computing systems using the real network connections and measured to determine whether an attack is detected.
[031] Patent No. US9374380 relates to a method in which non-harmful data mimicking computer network attacks may be inserted in a computer network. Anomalous real network connections may be generated between a plurality of computing systems in the network. Data mimicking an attack may also be generated. The generated data may be transmitted between the plurality of computing systems using the real network connections and measured to determine whether an attack is detected.
[032] Publication No. WO2020255359 relates to a security training assistance device used to generate a scenario for targeted attack by a virtual attacker that is composed of a plurality of steps along a time series, each of the plurality of steps having a process defined therein that is executed in the step. The security training assistance device comprises an information acquisition unit for acquiring at least information that specifies the number of a plurality of steps that are set, and a scenario-generation unit for selecting, for each of the plurality of steps, a process that is executed in the step from a database in which the elements of a process executable in the step are registered and generating a scenario for targeted attack until the set number is satisfied.
[033] Publication No. EP2279465 relates to a method and system for cyber security management of supervisory control and data acquisition (SCADA) systems to enhance situational awareness and cyber security management for industrial control systems. A centralized system security manager (SSM) is integrated into a SCADA to collect security related data for the industrial control system and an integrated command and control user interface displays security related data, a system security level, and interfaces with a user to allow for changing of system security settings for the industrial control system based on the security related data collected and manages changes in operational state of the SCADA based on the security level to restrict use of system interfaces and system accesses.
[034] Publication No. CN111478970 relates to a power grid Web application mimicry defense system. A heterogeneous virtual Web server pool which is equivalent in function, diversified and dynamic is constructed, technologies such as redundancy voting, dynamic executor scheduling and database instruction isomerization are adopted, an attack chain is blocked, the utilization difficulty of vulnerabilities or backdoors is increased, and the availability and safety of Web services are guaranteed. A dynamic environment is realized through active change of software and hardware elements of different layers such as a network, a platform, a system, software and an application, and therefore, the dependency condition of the network attack on the determinacy and continuity of the operating environment is destroyed, controllable active defense is realized in the toxic bacteria-carrying software and hardware element environment with the vulnerability and the backdoor, the unknown attack defense problem by using the unknown vulnerability and the unknown backdoor is solved, and the network security of the key Web application system in the power industry is effectively enhanced.
[035] Publication No. WO2020046286 relates to a system in which a plurality of monitoring nodes may each generate a time-series of current monitoring node values representing current operation of components of an electrical power grid. A cybersecurity monitoring computer platform may receive the current monitoring node values and pre-process them to generate a risk prior knowledge result. At least some of the components may be ranked to create a set of critical components based on a constrained optimizer that has the risk prior knowledge as an input. The cybersecurity monitoring computer platform may then monitor the set of critical components to generate a cybersecurity result (e.g., representing normal operation, a cyber-attack, or a fault in the electrical power grid) to be transmitted (e.g., via a recommendation for an electrical grid planner, an interactive user interface display, an automated online decision-making process, etc.).
[036] Publication No. JP2018139101 relates to a feature and boundary tuning for threat detection in an industrial asset control system. A threat detection model creation computer receives a series of normal monitoring node values (representing normal operation of an industrial asset control system), and generates a set of normal feature vectors. The threat detection model creation computer receives a series of threatened monitoring node values (representing a threatened operation of the industrial asset control system), and generates a set of threatened feature vectors. At least one potential determination boundary for a threat detection model is calculated based on the set of normal feature vectors, the set of threatened feature vectors, and an initial algorithm parameter. A performance of the at least one potential determination boundary is evaluated based on a performance metric. Next, the initial algorithm parameter is tuned based on a result of the evaluation, and the at least one potential determination boundary is re-calculated.
[037] Patent No. US10372569 relates to a system for detecting false data injection attacks that includes one or more sensors configured to each monitor a component and generate signals representing measurement data associated with the component. The system also includes a fault detection computer device configured to: receive the signals representing measurement data from the one or more sensors, receive a fault indication of a fault associated with the component, generate a profile for the component based on the measurement data, and determine an accuracy of the fault indication based upon the generated profile.
[038] In order to overcome the limitations of above listed prior art, the present invention aims to provide a system and method for detection of cyber attack on automatic generation control signal of an electric power plant.
OBJECTS OF THE INVENTION:
[039] The major object of the present invention is to provide a system and method for identification of cyber hacking on plant control signal pertaining to secondary frequency control of an electric power plant.
[040] Another object of the present invention is to provide a robust and fast system and method, based on grid parameters and local plant parameters for safeguarding the plant as well as the system from the effects of hacking.
[041] Still another object of the present invention is to alert the plant operator, during hacking detection, to take/initiate corrective action by way of switching the plant operation to local mode.
[042] Yet another object of the present invention is to provide a system and method for the detection of cyber hacking on secondary load frequency control signal of an electric power plant without disturbing the operation of the power plant while taking corrective action if attack is detected.
[043] Still another object of the present invention is to provide a quick and effective system and method to detect any cyber-attack and send out an alarm signal to alert the operator to take the necessary corrective actions.
SUMMARY OF THE INVENTION:
[044] The present invention pertains to a system and method for the identification of cyber hacking on automatic generation control signal of an electric power plant. The present method is based on grid parameters and local plant signals. The system and method are simple and fast. With the present method and system, it is possible to isolate the hacked signal and to enable the operator to initiate corrective action.
BRIEF DESCRIPTION OF THE INVENTION:
[045] It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered for limiting of its scope, for the invention may admit to other equally effective embodiments.
[046] Fig. 1 illustrates the interconnection between NLDC, RLDCs and ISGS plant;
[047] Fig. 2 depicts the communication links between NLDC, RLDCs and ISGS plant;
[048] Fig. 3 shows the plant level control system and the present invention;
[049] Fig. 4 shows the schematic of one embodiment of control logic of a system for detecting the hacking according to the present invention;
[050] Fig. 5 shows the frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for positive Δf and AGC ramp rate within the specified limits;
[051] Fig. 6 shows the frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for positive Δf and AGC ramp rate more than specified upper limit;
[052] Fig. 7 shows frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for positive Δf and less than acceptable AGC ramp rate;
[053] Fig. 8 shows frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for negative Δf and acceptable AGC ramp rate;
[054] Fig. 9 shows the frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for negative Δf and AGC ramp rate more than specified upper limit;
[055] Fig. 10 shows the frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for negative Δf and less than acceptable AGC ramp rate;
[056] Fig. 11 shows the frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for zero Δf and acceptable AGC ramp rate;
[057] Fig. 12 shows the frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for zero Δf and AGC ramp rate beyond specified limits;
[058] Fig. 13 shows the frequency deviation (Δf), unit AGC setpoint, rate of change of AGC and alarm signal for zero Δf and ramp rate is less than the acceptable limit.
DETAILED DESCRIPTION OF THE INVENTION:
[059] The present invention provides a system and method to identify the cyber hacking of automatic generation control signal sent from the energy control center to the controller of an electric power plant. The invention presents a quick and effective system and method to detect any cyber-attack and send out an alarm signal to alert the operator to take the necessary corrective actions such as switching the mode of operation of the plant from remote automatic mode to local mode to protect it from the adverse effects of such attacks.
[060] In power system 100, as shown in Fig. 1, the secondary frequency control is achieved through automatic generation control (AGC) scheme which is implemented by National Load Dispatch Centre (NLDC) 101. Considering generation constraints, through telemetry 104B, Inter-State Generating Station (ISGS) 300 sends information on possible generation for each block of a day to regional load dispatch centre (RLDC) 103 one day in advance. Based on this information, RLDC 103 prepares the block generation schedule known as Ex-bus schedule 104A for ISGS 300. This information is shared with the ISGS plants 300. At the plants, auxiliary power consumption of the plants is added to Ex-bus schedule 104A to decide the unit load set point (ULSP) 105A which is sent to the NLDC 101. Contribution of plant for secondary frequency control, delta P, is added to ULSP 105A to determine the plant AGC setpoint 105B and sent to ISGS 300. In response, ISGS sends the delta P feedback after applying maximum and minimum generation limits.
[061] Fig. 2 depicts the interconnection of NLDC 101 with five RLDCs 103 i.e. Southern, Western, Northern, Eastern and North Eastern grids, and ISGS 300 for data exchange. The bidirectional communication path 104 provided by the optical fibre ground wire (OPGW) cables is used to transmit data between RLDC 103 and ISGS 300. The regional telemetry data and the control signals are communicated between NLDC 101 and RLDC 103 through bidirectional communication lines 102 which forms a communication network 200. NLDC’s SCADA system 201 collects telemetry data from RLDCs 103. Based on these data, it calculates area control error (ACE), delta P and then AGC setpoint which is sent to AGC software 203 through communication line 202. Subsequently, this AGC setpoint 105B in optical form is sent to the power plant with the help of AGC software 203. This signal along with other signals such as AGC suspend status 105 are sent to the plant by communication line 204 provided by OPGW cable forming a communication network 205.
[062] The control system of an ISGS plant 300 is illustrated in Fig. 3. The plant signal 105 received from NLDC’s AGC method through OPGW cable terminates at plant network panel 301. The telemetry signal 104B is received from RLDC 103. In network panel 301, the AGC setpoint signal is separated from the plant signal 105, converted into electrical form 307 and then sent to AGC panel 304 after passing through firewall 303. The firewall 303 is installed in the plant to prevent alien signals from entering AGC panel 304. Finally, the control signal 105B reaches the plant’s main controller 306 through communication line 305. Through the SCADA controller 306, many plant-level signals 308, including grid frequency information 308A, are collected and fed to the hacking detection system 309 of the present invention, as shown in Fig. 3. The plant AGC setpoint signal 307 and the grid frequency signal 308A are the two input signals required for the present invention. The reading blocks 310 and 311 collect the AGC setpoint 307 and frequency 308A signals respectively. These signals are then fed through channels 312 and 313 to the block 500, which is the signal processor. The method of this invention is implemented in this processor 500, and a signal 314 is generated, if there is any cyber hacking, and sent to the alarm block 315.
[063] The system and method of the present invention is shown in Fig. 4. The five regional power grids 103 communicate with NLDC SCADA system 201 with the help of communication lines 102. This communication uses the Inter-control Center Communications Protocol to transfer data. The SCADA system 201 collects the information from the various RLDCs 103 and sends it to the AGC software 203 in NLDC through the communication line 202. The plant AGC control signal generated by the AGC software 203 is sent to the ISGS plant with the help of the bidirectional fiber optical cable communication link 204 provided by OPGW cable. In the plant, this optical cable terminates in the network panel 301, where the optical signal is converted into an electrical signal. Subsequently, the control signal 307 comes to AGC panel 304 with the help of ethernet cable 302. The function of firewall 303 is to reject the alien signal. The main plant controller unit 306 gets the command signal 307 for secondary frequency control with the help of communication line 305. The critical components and equipment of the power plant are controlled in a distributed fashion, in which a dedicated master Distributed Control System (DCS) 401 is placed wherever remote control of equipment (such as powerhouse, station service, switchgear etc.) is needed. These DCS communicate with the master control using communication link 400. Furthermore, each essential piece of equipment, like temperature monitoring system 405, transformer 406, excitation system 407, generator 408, and turbine 409, has an individual controller unit 403 which collects/sends the data from/to the equipment through link 404 and transfers them to the DCS with the help of communication line 402.
[064] Furthermore, a cyber intelligent unit 410 is depicted in Fig. 4. For control and monitoring of the power system, power plants send many vital signals to the NLDC as well as to the RLDC. The cyber intelligent unit 410 uses some of these signals i.e., 308 along with signals coming from NLDC i.e., 307 as shown in Fig. 4 to identify the cyber intrusion. The present invention 309 is implemented in this cyber intelligent unit 410. The proposed hack-detecting method is shown in 500, where 307 and 308A are AGC setpoint and frequency signals respectively. These two signals are read by the block 501. In the block 501A, Δf, the difference between the system frequency 308A and nominal frequency (50 Hz) is calculated.
[065] Further, in the same block 501A, the rate of change of AGC setpoint (M) is also determined. Next, in the block 502, the system checks whether the rate of change of AGC setpoint is positive or negative. If the rate of change of AGC setpoint is positive, then the system will verify whether the rate of change is less than 20 MW per minute, which is the limitation of the plant, as shown by block 504. If the rate is greater than 20 MW per minute, the method decides that the AGC setpoint has been tampered with by a hacker and will give an alarm signal. But, if the rate is within the limit of 20 MW per minute, then the block 506 of the present system will check whether the frequency deviation (Δf) is greater than or equal to zero. If the decision is affirmative, then it indicates hacking because if Δf is positive or zero then the AGC setpoint, i.e., the generation control signal, should decrease or remain as it is, respectively, to maintain grid frequency. As a result, a signal will be generated and sent to the block 315 to raise a warning through an alarm. The present method will take a similar sequence of actions when the rate of change of the AGC setpoint signal is negative, i.e., it will check whether the rate is less than -20 MW per minute or not, as shown by block 503. If the rate is less than -20 MW per minute, then the hack-detecting system will give an alarm signal. But if the rate is within control, i.e., above -20 MW per minute, then the block 505 will check whether Δf is less than or equal to zero. If Δf is less than or equal to zero, then the system deduces that the signal is hacked and generates an alarm signal, because, for negative Δf, generation should be increased and for zero Δf, generation should remain the same.
[066] In another intelligent unit 309A, cyber hacking is identified based on Δf and the ΔP which is the difference between AGC setpoint 307 and ULSP 105A whose electrical form is 308B. If Δf is positive, i.e., actual grid frequency is more than the nominal grid frequency, then ΔP must be negative, i.e., “down”. On the other hand, ΔP must be positive when Δf is negative. Therefore, the product of these two signals can’t be greater than zero. Thus, it can be detected as hacking if the product is greater than zero. In the block 601 of the intelligent unit 309A, the AGC setpoint 307, the frequency 308A and the ULSP in electrical form 308B are received. At block 601A, Δf, ΔP and their product (N) are determined. Subsequently, whether the product (N) is greater than zero or not is checked at the block 602. If the condition is true, then present method deduces that there is a cyber-attack and sends a signal to 315 to generate alarm signal for alerting the operator.
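The checks of paragraphs [065] and [066], written out as an added Python example that is not code from the patent. The function names, the finite-difference estimate of the rate M, the treatment of a flat setpoint as "no alarm", the ULSP value of 51 MW and the sample trace are assumptions made for illustration.

```python
from typing import List, Optional, Tuple

NOMINAL_HZ = 50.0              # nominal grid frequency stated in the text
RAMP_LIMIT_MW_PER_MIN = 20.0   # plant ramp-rate limit stated in the text


def check_unit_309(delta_f: float, rate: float) -> Optional[str]:
    """Blocks 502-506: return an alarm reason, or None when the change is plausible."""
    if rate > 0:                                   # block 502: setpoint rising
        if rate > RAMP_LIMIT_MW_PER_MIN:           # block 504
            return "ramp-up above limit"
        if delta_f >= 0:                           # block 506
            return "raise while delta_f >= 0"
    elif rate < 0:                                 # block 502: setpoint falling
        if rate < -RAMP_LIMIT_MW_PER_MIN:          # block 503
            return "ramp-down above limit"
        if delta_f <= 0:                           # block 505
            return "lower while delta_f <= 0"
    return None    # assumption: a flat setpoint (rate == 0) raises no alarm


def check_unit_309a(delta_f: float, agc_mw: float, ulsp_mw: float) -> bool:
    """Blocks 601A-602: alarm when N = delta_f * delta_P is greater than zero."""
    delta_p = agc_mw - ulsp_mw
    return delta_f * delta_p > 0


# (time in minutes, grid frequency in Hz, AGC setpoint in MW)
Sample = Tuple[float, float, float]


def scan(samples: List[Sample], ulsp_mw: float) -> List[Tuple[float, Optional[str], bool]]:
    """Run both checks on every sample after the first one."""
    results = []
    for (t0, _, agc0), (t1, freq, agc1) in zip(samples, samples[1:]):
        delta_f = freq - NOMINAL_HZ
        rate = (agc1 - agc0) / (t1 - t0)           # M in MW per minute (finite difference)
        results.append((t1, check_unit_309(delta_f, rate),
                        check_unit_309a(delta_f, agc1, ulsp_mw)))
    return results


def fig5_like_trace() -> List[Sample]:
    """Constructed trace: 51 -> 70 -> 51 MW at 19 MW/min while the grid is at 50.01 Hz."""
    agc = [51.0, 51.0, 60.5, 70.0, 70.0, 70.0, 70.0, 70.0, 60.5, 51.0, 51.0]
    return [(0.5 * i, 50.01, mw) for i, mw in enumerate(agc)]


if __name__ == "__main__":
    for t, reason, product_alarm in scan(fig5_like_trace(), ulsp_mw=51.0):
        print(f"t={t:3.1f} min  unit309={reason or '-':26s}  unit309A={product_alarm}")
```

On this constructed trace the rate-based check of unit 309 flags only the samples where the setpoint is rising, while the product check of unit 309A stays set for as long as the setpoint sits above the assumed ULSP with positive Δf.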
[067] In an embodiment, the “processor” 500 is such as but not limited to the microcomputer, a microcontroller, a programmable logic controller (PLC), an application specific integrated circuit, a field programmable gate array and any other programmable circuits.
[068] The system is tested to ensure the practical usefulness of the present invention. In this approach, the hacking detection system and method are emulated with the help of a real-time controller board, a four-channel digital storage oscilloscope (DSO), and a personal computer. The grid frequency deviation signal, the AGC setpoint signal and its slope of variation were generated in simulation and sent out through the DAC blocks of the controller board to the channels of the DSO. Subsequently, these signals were sent as input to the controller board through the ADC blocks of the same board for processing. If hacking is detected by the system, an alarm signal is generated and sent out through the DAC block to the fourth channel of the same DSO. The results of the various test scenarios considered are presented in the next part. In all waveforms, the first trace pertains to grid frequency deviation, the second trace corresponds to the unit AGC set-point, the third trace corresponds to the rate of change of the unit AGC set-point signal and the last trace pertains to the alarm signal generated.
[069] The invention will be more fully understood from the following examples. These examples are to be construed as illustrative of the invention and not limitative thereof:
[070] Example 1
[071] (a) Positive Δf = 0.01 Hz
[072] As shown in Fig. 5, initially, the unit AGC set-point is 51 MW, grid frequency is at 50.01 Hz and hence the grid frequency deviation is 0.01 Hz. At t = 500 s (0.5 minute), the hacker attacks this signal and increases it from 51 MW to 70 MW at a rate of 19 MW/minute, which is within the rate limit of the generator unit. As seen from the trace 3, it reaches 70 MW at t = 1.5 min. The system frequency is already more than its nominal value, but the hacker increases the generation to create problems in the stability and operation of the system. This attack was correctly identified by the detection system and an alarm is generated to alert the plant operator, as shown in the trace 4. At t = 3.5 min, the AGC signal is reduced at the rate of 19 MW/min and it reaches 51 MW again at t = 4.5 min. For this change, there is no alarm, as Δf is positive and generation is reduced at a rate within the limit.
[073] In the second test case with positive Δf, the AGC signal is increased by the hacker from 51 MW to 70 MW but at a rate larger than the ramp rate limit of 20 MW/min, as shown in Fig. 6. This abnormal condition is detected by the system and an alarm is set. Later, at t = 3.5 min, the AGC signal is reduced to 51 MW at a rate of 19 MW/min. This reduction is necessary to bring down the frequency to its nominal value and the rate of reduction is also within the limit, and hence no alarm signal is generated, as seen from trace 4.
[074] The last test scenario with positive Δf is similar to the second test case, in which the attacker is increasing the AGC signal at a rate greater than the permitted ramp rate limit of the plant. The present method correctly identifies this abnormal condition and generates an alarm signal. At t = 3.5 min, the AGC signal is decreased at a rate greater than the ramp rate limit. This situation is identified by the present method and an alarm signal is produced to alert the plant operator. This can be seen from trace 4 of Fig. 7.
[075] Example 2
[076] (b) Negative Δf
[077] The grid frequency is at 49.99 and hence the frequency deviation is a negative value of -0.01 Hz. Initially, the AGC set-point is at 51 MW. At t = 0.5 min, the set-point is increased to 70 MW at a rate of 19 MW, which is within the ramp rate limit. The waveforms corresponding to this test are presented in Fig. 8. There is no contradiction between the AGC set-point and Δf. Further, there is also no violation in the rate of increase of the set-point, and hence the present method correctly observes that there is no attack. Hence an alarm signal is not generated. However, at t = 3.5 min, the AGC set-point starts to decrease and it reaches 51 MW at t = 4.5 min. The frequency is already less than its nominal value and the set-point is decreased. This abnormal situation is correctly identified as a cyber attack by the present method and an alarm signal is produced, as shown in the trace 4.
[078] In the second test case, initial AGC set-point is at 51 MW. As the frequency deviation is negative, set-point has to be increased. At t = 0.5 min, it is increased but at a larger rate than the limit. The present method correctly detects this condition as an attack and sets an alarm as shown in Fig. 9. At t = 3.5 min, the set-point is decreased at a rate larger than the limit by the hacker. When the frequency is less than the reference value, decreasing the set-point will lead to further reduction in grid frequency which is not acceptable. Further, decreasing at a larger rate will disturb the operation of the unit. Thus, this must be an attack by the hacker. The present method detects this attack and an alarm signal is produced.
[079] In the last test scenario, the initial grid frequency deviation is -0.01 Hz and the AGC set-point is 51 MW. To bring the frequency deviation to zero, the AGC set-point must be increased, but at a rate within the limit. This is what happens at t = 0.5 min. Therefore, there is no attack and this is a normal and acceptable change. The present method identifies this and does not produce an alarm signal. However, at t = 3.5 min, the attacker reduces the set-point. When the frequency deviation is negative, this is not the accepted change. Further, the attacker reduces the set-point at a rate more than the acceptable limit. Therefore, this must be an attack on the system by the hacker. The present method and system correctly sense this attack and generate an alarm signal, as shown in Fig. 10.
[080] Example 3
[081] (c) Zero grid frequency deviation
[082] In this case, power system is at equilibrium condition, i.e., grid frequency at its ideal reference value of 50 Hz and the grid frequency deviation is zero. The initial AGC set-point is 51 MW. However, attacker disturbs the system at t = 0.5 min by increasing the set-point at a rate of 19 MW/min. The corresponding waveforms are shown in Fig. 11. The present method discovers the attack and alerts the operator by raising an alarm signal. Another attack takes place at t = 3.5 min. In this attack, the set-point is decreased. When the system is at equilibrium condition, such change must be an attack. From the trace 4, it is clear that an alarm is signaled by the present method by correctly identifying the attack on the set-point by the hacker. In another test case, attacker increases the AGC signal at a larger rate than the limit and later reduces it at an acceptable rate. Both attacks are identified as hacking and alarm signal is generated by the present method as shown in Fig. 12. In the last test case, hacker attacks the AGC signal and increases it at an acceptable ramp rate. Subsequently, as shown in Fig. 13, at t = 3.5 min, it decreases at a rate more than 20 MW/min. The present method correctly detects these scenarios as attack and the plant operator is alerted with an alarm signal.
[083] The performance of the proposed method and system for various cyber-attack test cases is tested. From the obtained results presented here, it can be observed that alarm signal is triggered exactly for the period during which there is a cyber-attack. Thus, the present cyber-attack detection method and system is robust against various attacks and it can detect the attack and alert the operator with an alarm signal.
[084] Numerous modifications and adaptations of the system of the present invention will be apparent to those skilled in the art, and thus it is intended by the appended claims to cover all such modifications and adaptations which fall within the true spirit and scope of this invention.
Claims: WE CLAIM:
1. A system and method for detecting of cyber-hacking on secondary frequency control signal, the system comprises
• at least one inter-state generating station 300, sends information on possible generation for each block of a day to regional load dispatch centre (RLDC) 103 one day in advance wherein five RLDC 103 prepares the block generation schedule known as Ex-bus schedule 104A for ISGS 300.
• national load dispatch centre (NLDC) 101 considering generation constraints, through telemetry 104B, based on this information.
• Ex-bus schedule 104A to decide the unit load set point (ULSP) 105A which is sent to the NLDC 101.
• bidirectional communication path 104 provided by the optical fiber ground wire (OPGW) cables is used to transmit data between RLDC 103 and ISGS 300.
2. The system for detecting of cyber-hacking on secondary frequency control signal, as claimed in claim 1, wherein the system generates an alarm signal if the product of Δf and ΔP is greater than zero.
3. The system for detecting of cyber-hacking on secondary frequency control signal, as claimed in claim 1, wherein the system detects the hacking from the plant signals, sent from the plant to control center, which are not limited to unit load set point, actual MW generation, unit capability MW (max and min), delta P feedback, actual reactive power, automatic voltage regulator setpoint, generator transformer tap position.
4. The method for detecting of cyber-hacking on secondary frequency control signal includes following steps:
• Obtaining the plant AGC control signal 105B from NLDC 101 as well as frequency deviation with respect to grid from power plant and feeding them to hack detection system 309 which is accommodated inside a cyber intelligent unit 410.
• Checking whether the rate of change of AGC control signal 105B is positive or negative.
• Checking whether the rate of change of control signal 105B is within the specified limit.
• Checking whether the Δf is positive, negative or zero. Here, Δf = actual frequency – nominal frequency.
• Checking whether the product (N) of Δf and ΔP (which is the difference between the AGC setpoint 307 and ULSP 308B) is greater than zero.
• Generating an alarm signal 314 with the help of the above information.
5. The method for detecting of cyber-hacking on secondary frequency control signal, as claimed in claim 4, wherein the AGC setpoint 105B signal in optical form is sent from NLDC 101 to ISGS 300 and it is converted into electrical signal 307 in plant.
6. The method for detecting of cyber-hacking on secondary frequency control signal, as claimed in claim 4, wherein the cyber intelligent unit 410 consist of present hack-detecting system 309 along with other hack-detecting units (i.e., 309A, 309B, 309C), that are using telemetry data signals 308 from ISGS 300 plant and NLDC 101.
7. The method for detecting of cyber-hacking on secondary frequency control signal, as claimed in claim 4, wherein if the rate of change of control signal 105B is positive and within the specified limit but Δf is also positive or zero then alarm signal 314 is generated and if the rate of change of control signal 105B is negative and within the specified limit but Δf is also negative or zero then alarm signal 314 is generated.

Documents

Application Documents

# Name Date
1 202311035002-STATEMENT OF UNDERTAKING (FORM 3) [18-05-2023(online)].pdf 2023-05-18
2 202311035002-FORM FOR SMALL ENTITY(FORM-28) [18-05-2023(online)].pdf 2023-05-18
3 202311035002-FORM 1 [18-05-2023(online)].pdf 2023-05-18
4 202311035002-FIGURE OF ABSTRACT [18-05-2023(online)].pdf 2023-05-18
5 202311035002-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [18-05-2023(online)].pdf 2023-05-18
6 202311035002-EDUCATIONAL INSTITUTION(S) [18-05-2023(online)].pdf 2023-05-18
7 202311035002-DRAWINGS [18-05-2023(online)].pdf 2023-05-18
8 202311035002-DECLARATION OF INVENTORSHIP (FORM 5) [18-05-2023(online)].pdf 2023-05-18
9 202311035002-COMPLETE SPECIFICATION [18-05-2023(online)].pdf 2023-05-18
10 202311035002-FORM-9 [14-06-2023(online)].pdf 2023-06-14
11 202311035002-FORM-8 [14-06-2023(online)].pdf 2023-06-14
12 202311035002-FORM 18 [14-06-2023(online)].pdf 2023-06-14
13 202311035002-FER.pdf 2024-07-18
14 202311035002-FER_SER_REPLY [11-01-2025(online)].pdf 2025-01-11
15 202311035002-DRAWING [11-01-2025(online)].pdf 2025-01-11
16 202311035002-CORRESPONDENCE [11-01-2025(online)].pdf 2025-01-11
17 202311035002-COMPLETE SPECIFICATION [11-01-2025(online)].pdf 2025-01-11
18 202311035002-CLAIMS [11-01-2025(online)].pdf 2025-01-11
19 202311035002-Annexure [15-01-2025(online)].pdf 2025-01-15
20 202311035002-US(14)-HearingNotice-(HearingDate-30-06-2025).pdf 2025-06-12
21 202311035002-RELEVANT DOCUMENTS [28-06-2025(online)].pdf 2025-06-28
22 202311035002-POA [28-06-2025(online)].pdf 2025-06-28
23 202311035002-FORM 13 [28-06-2025(online)].pdf 2025-06-28
24 202311035002-Correspondence to notify the Controller [28-06-2025(online)].pdf 2025-06-28
25 202311035002-Written submissions and relevant documents [15-07-2025(online)].pdf 2025-07-15
26 202311035002-PETITION UNDER RULE 137 [15-07-2025(online)].pdf 2025-07-15
27 202311035002-Annexure [15-07-2025(online)].pdf 2025-07-15

Search Strategy

1 Searchstrategy202311035002E_28-05-2024.pdf