H. Goyel
Digital substations, which replace traditional analog infrastructure, are essential to power grid operation but are increasingly vulnerable to cyber attacks. Existing anomaly detection in substation communication requires labeled datasets for supervised training and fails to incorporate temporal characteristics, so it cannot detect unknown persistent attacks. Setting arbitrary thresholds for outlier detection leads to high false positives and low detection rates. This paper addresses cyber security challenges related to the IEC 61850 Generic Object Oriented Substation Event (GOOSE) protocol within digital substations. We propose a novel unsupervised Transformer-based Distribution Fitting Anomaly Detection (TF-DiFAD) method for time series GOOSE frames with a robust thresholding technique. Deep packet inspection is used to extract features from GOOSE frames, which are processed through the proposed TF-DiFAD model. TF-DiFAD combines the deep learning transformer model with statistical distribution fitting techniques to accurately detect anomalous GOOSE frames. Specifically, reconstruction errors are generated using a state-of-the-art transformer model. A novel model-agnostic solution is applied for setting anomaly thresholds and calculating anomaly probabilities. The Kolmogorov-Smirnov test is employed to select the best-fitting distribution for these errors. TF-DiFAD is benchmarked against other state-of-the-art models using two distinct test datasets, demonstrating superior performance. The results indicate that TF-DiFAD detects anomalies with Receiver Operating Characteristic Area Under Curve (ROC AUC) scores of 96.84% and 95.73% on the two datasets, respectively.
Cyber Security of HVDC Systems
A Review of Cyber Threats, Defense, and Testbeds
High Voltage Direct Current (HVDC) technology is one of the key enablers of the energy transition, especially for offshore wind energy systems. While extensive research on cyber security of High Voltage Alternating Current (HVAC) systems has been conducted, limited research exists on cyber security aspects of HVDC systems. These systems exhibit unique attributes, in comparison to HVAC systems, such as longer transmission line distances and increased volume of data samples for wide-area monitoring, control, and protection applications. These factors lead to a higher vulnerability of HVDC systems to cyber attacks. Existing state-of-the-art HVDC surveys, however, are primarily focused on HVDC physical components and exclude cyber security elements. Therefore, this paper presents the first detailed survey on the cyber security of HVDC Cyber-Physical Systems (CPS). We present a comprehensive review of the state-of-the-art HVDC systems, with a special focus on cyber threats and vulnerabilities, defense and mitigation strategies, and testbeds. Based on the review and analysis, insights and recommendations on future research directions to address the research gaps in this field of study are provided. Future research on cyber security for HVDC systems should prioritize the integration of cyber and physical system data and focus on early-stage detection to mitigate the potentially severe impacts of cyber attacks on HVDC grids.
Cyber actors can target the unsecured IEC 61850 protocols in digital substations to open circuit breakers and affect power system operation. Thus, system operators must detect cyber-physical anomalies and differentiate in real time between power system faults and cyber attacks on digital substations for effective incident response. In this work, we propose a novel image encoding method for event correlation using cyber-physical time-series data, i.e., Phasor Measurement Unit (PMU) measurements and Operational Technology (OT) network traffic. More specifically, we propose a dynamic variation of the Gramian Angular Field method, which generates image streams capturing in real time the spatial-temporal features in PMU measurements and IEC 61850 GOOSE traffic throughput. The proposed method for cyber-physical event correlation uses an image fusion technique. The method is tested using the benchmark IEEE 9-bus system. It successfully distinguishes between three-phase faults and GOOSE cyber attacks, demonstrating its usefulness for power system cyber security analytics.