The growth in adoption of communication technologies in the power system results in an increase in its vulnerability towards cyberattacks. This paper presents a novel state partition-particle filter (SP-PF) based detection algorithm that dynamically adapts to varying operating conditions. The algorithm partitions state variables into size-restricted blocks, effectively grouping highly correlated variables to enhance computational efficiency and detection accuracy. Our approach consists of two main steps: (i) state-partition estimation of variables and (ii) detection based on likelihood conditions. The proposed detection algorithm was tested in a real-time cyber-physical environment using a real-time digital simulator (RTDS) in hardware-in-loop configuration with PMUs and a synchronization clock, all connected via standard TCP/UDP protocols. Experimental results demonstrate successful detection of false data injection attacks, replay attacks, and hybrid attacks under various operating conditions. Comparative analysis with extended Kalman filter shows that our approach achieves significantly improved accuracy in state estimation with reduced mean square error, enhancing the overall robustness of the detection mechanism.

Cyber attacks targeting Intelligent Electronic Devices (IEDs) in digital substations can disrupt power system operation, causing equipment damage, instability, cascading failures, and even a blackout. Cyber–Physical Power System (CPPS) datasets are critically needed to develop novel methods for the detection and prevention of cyber attacks on digital substations. In this paper, a novel CPPS dataset is proposed for cyber security of digital substations, including real-time power system measurements, i.e., electromagnetic transient three-phase voltages and currents, communication network traffic, and virtual IED resource metrics. Various scenarios are simulated on an IEC 61850-compliant testbed consisting of Real-Time Digital Simulator (RTDS) and physical and virtual IEDs in hardware-in-the-loop configuration. The dataset contains different operating conditions and cyber attack scenarios, i.e., normal operation, single-phase-to-ground fault, network reconnaissance, resource exhaustion, and IEC 61850 Generic Object-Oriented Substation Event (GOOSE) and Sampled Values (SV) injection attacks. This work aims to provide the research community with a comprehensive and high-fidelity dataset to be used for the design and testing of novel methodologies to increase the cyber security of power grids.

The increasing digitalization of power grids has introduced cyber security vulnerabilities. One of the vulnerabilities is related to the IEC 61850 Generic Object Oriented Substation Event (GOOSE) protocol for time-critical communication between Intelligent Electronic Devices (IEDs). This protocol lacks built-in message integrity and authentication mechanisms, making it susceptible to cyber attacks, e.g., spoofing. To address these vulnerabilities, IEC 62351-6:2020 recommends the usage of a Hash-based Message Authentication Code (HMAC). However, implementing this security measure in existing brownfield digital substations is challenging due to the lack of compatible commercial devices and is economically expensive. Therefore, this research proposes and evaluates a cost-effective cyber security enhancement using commodity hardware, e.g., Raspberry Pi, to implement HMAC-based message authentication for ensuring GOOSE message integrity and authentication in brownfield digital substations with respect to stringent time requirements for the operation of protective relays. The proposed solution ensures message integrity and authentication while maintaining compliance with standard requirements. Validation is performed using real commercial IEDs in a real-time Hardware-in-the-Loop (HIL) architecture, demonstrating that the solution meets substation time requirements. This approach provides a feasible and immediate cyber security enhancement for brownfield digital substations without requiring significant infrastructure changes.

Power grids are undergoing a fast-paced process of digitalization for enhanced monitoring and control capabilities and grid intelligence. However, the increased integration of digital technologies, such as the next generation of operational technologies (OTs) and digital substations, implies a new risk as information technology (IT)-OT systems are vulnerable to cyberattacks. Furthermore, the combination of heterogeneous, co-existing smart and legacy technologies generates significant vulnerabilities and security challenges. Examples of cybersecurity incidents related to power grids already exist around the world. On December 23, 2015, cyberattacks were conducted on the power grid in Ukraine that resulted in power outages, which affected 225,000 customers. More sophisticated cyberattacks on the Ukrainian power grid followed on December 17, 2016, resulting in a power outage in the distribution network where 200 MW of load was unsupplied. The complexity of cyberattacks on power systems is likely to increase. This chapter provides the state-of-the-art and essential knowledge of threats and cyberattacks on power systems. This chapter reviews major cyberattacks on power grids and industrial control systems. A detailed taxonomy of cyberattacks is provided. Power grid vulnerability to six main types of cyberattacks is discussed, that is, phishing, malware, network-based attacks, man-in-the-middle attacks, host-based attacks, and denial of service. The impact of cyberattacks on grid operation is analyzed in terms of loss of load, cascading effects, and equipment damage. A case study of a cyberattack scenario and simulation results are provided.

Digitalization is paving the way toward enhanced power grid operational capabilities and intelligence. The increased digitalization, however, also implies a greater risk of cyber vulnerabilities and threats. Therefore, various power systems facets such as transmission and distribution systems, digital substations, control centers, and wide-area communication networks are vulnerable to cyber-attacks. The most notable cyber-attacks on power grids are the twin attacks on the Ukrainian power grid in 2015 and 2016. These incidents clearly highlighted that cyber-attacks on power grids are an imminent threat that needs to be addressed. Keeping this in mind, this chapter provides essential knowledge of cyber-attack mitigation for cyber-physical power systems, i.e., secure communication protocols for operational technologies, penetration testing using cyber ranges and cyber-physical co-simulation, security controls, and intrusion detection and prevention systems. Among the wide-scope mitigation, artificial intelligence is highlighted as an emerging solution. This chapter presents how hybrid deep learning based on graph convolutional long short-term memory is used for anomaly detection in power system operational technology (OT) networks. Unlike traditional signature and supervised learning-based intrusion detection, the hybrid deep learning anomaly detection utilizes the OT traffic throughput. It takes advantage of the OT traffic’s deterministic and homogenous characteristics to provide a robust and flexible anomaly detection for a wide scope of cyber-attacks. The traffic anomalies are incorporated into an attack graph that aids power system operators identify and localize anomalies of active attacks on power systems in near real time. Cyber-attack case studies and cyber-physical co-simulation results are provided to demonstrate the efficiency of hybrid deep learning for anomaly detection.

The increased digitalization of the power grid and transition to cyber-physical power systems raise serious concerns about cyber security and secure operation of the power system. It is now well recognized that information and communication technologies are vulnerable to cyber attacks. Thereby, electrical power grids as critical infrastructures are susceptible to cyber attacks as well. Malicious cyber attacks on power grid infrastructure can detrimentally affect power system operation and stability. In the worst-case, it can trigger cascading failures across the system, leading to a blackout. A coordinated cyber attack across multiple locations can collapse the entire interconnected power grids of nations, or even continents. This is a real modern-day threat, as seen during the cyber attacks on the Ukrainian power grid in 2015, 2016, and 2022. Therefore, power grid resilience and cyber security are now recognized challenges for power system operation and security of electricity supply. The gist of this entire thesis can be summarized as follows.

“Analyze and demonstrate how cyber attacks on power grids may cause and accelerate cascading failures. Based on this analysis, develop suitable proactive defense measures to contain the spread of cascading failures.” Consequently, the core research focus of the thesis with a threefold objective is as follows:

Cyber security of digital substations 

This thesis investigated the impact of cyber threats targeting digital substations. Experiments demonstrate the catastrophic impact of spoofing and replay attacks targeting OT protocols and standards used in digital substations, leading to relay denial-of-service and malfunction. Subsequently, it is experimentally shown how these events may snowball resulting in cascading failures and blackouts. Based on this analysis, this thesis developed mitigation measures based on IEC 62351-6 using HMAC to secure critical control communications in digital substations, adherent to latency requirements of 4ms. The aforementioned studies are conducted using a hardware-in-the-loop cyber-physical experimental framework that closely resembles real-world conditions within a digital substation, including intelligent electronic devices and protection schemes. Thus, the outcomes of this research are of particular importance to both, vendors and utilities.

Dynamical analysis of power system cascading failures caused by cyber attacks

This thesis proposed a data-driven method for dynamical analysis of power system cascading failures caused by cyberattacks. It provides experimental proof on how cyber attacks may accelerate the cascading failure mechanism, in comparison to historically observed blackouts. Using a dynamic power grid model, consisting of multiple, coordinated protection schemes,  the point of no return is defined and analysed in a cascading failure sequence by applying the Hilbert–Huang transform for time-frequency analysis. Numerical results indicate, cyber attacks may accelerate cascading failures at least by a factor of 3x. This is due to the excitation and non-damping of multiple frequency modes greater than 1 Hz in a short time span. This thesis demonstrates semi-analytically how cyber attacks can cause and accelerate power system cascading failures, thereby leading to a quicker point of no return.

Defense against cyber attack induced cascading failures

Cyber-physical power systems are vulnerable to cyber attacks that may lead to cascading failures and power outages. A promising solution to tackle this emerging issue is the concept of preventive/proactive controlled islanding before the cyber event occurs based on early detection of cyber attacks. Hence, this thesis developed a novel physics-informed graph convolution network to perform preventive controlled islanding. By incorporating power system physics into the neural network loss function formulations, the resulting islands were made self-sufficient and voltage and frequency stable. Experimental simulations using a modified version of the IEEE 39-bus test system with coordinated protection schemes prove that the islands formed using the proposed method can contain the spread of cascading failures. This results in minimization of loss of load by up to 90\% and 62% when single and multiple substations are compromised, respectively. Hence, this work paves the way towards automated cyber-resilience for power systems and provides system operators with decision making recommendations to curtail the spread of cascading failures. 

This thesis addressed the increasingly crucial topic of cyber security for power systems. It provides a comprehensive analysis of how cyber attacks may trigger and accelerate cascading failures in power grids, potentially leading to large-scale power outages. Furthermore, this research enhances our understanding of power grid cyber resilience by experimentally demonstrating the vulnerabilities of digital substations, proposing a novel data-driven method for analysing cyber-induced cascading failures, and developing an advanced physics-informed graph convolutional network for preventive controlled islanding. The findings of this thesis are highly relevant to utilities and vendors, as they offer practical insights into the pitfalls associated with power system digitalization and possible adverse consequences. Thereby, the proposed cascading failure analysis technique and preventive islanding defense strategy directly contribute towards enhancing the cyber security of power systems and ensuring better preparedness in the face of the ever-growing cyber threat landscape. Ultimately, this research contributes   to a more cyber secure and resilient power system.

The Digital Twins (DT) have emerged as the technology that provides capabilities to simulate and analyze cyber-physical systems’ behaviors using digital replicas. This is achieved through high-fidelity digital models, bi-directional communication and (near) real-time data exchange between physical real-world systems and DTs. Despite its capabilities of facilitating real-time monitoring, optimization, and predicting system performance, effectively leveraging DT for power system applications requires integrating data from heterogeneous sources and addressing various data related aspects. These include data modeling, exchange and interoperability. One promising concept to address these aspects is that of data federation which promotes interoperability, allowing DTs to operate autonomously, yet interact seamlessly. While various studies in literature have addressed DT applications, technologies, and challenges, a comprehensive review on the data federation aspects within power systems still needs to be investigated. This research seeks to bridge this gap by providing an in-depth review of DT practices in academia and industry, functional and non-functional requirements, and enabling technologies, with emphasis on data federation. Its role in enhancing system-wide interoperability in the power system, along with associated challenges are summarized and discussed.

Mitigation strategies to absorb impacts from extreme events that may trigger cascading outages are crucial for modern power systems, particularly given the increasing penetration of power electronics, thereby enhancing system resilience. This paper presents a comprehensive resilience-centered framework that integrates cyber-physical cascading mitigation through network topology reinforcement and operational strategies, specifically DC segmentation and controlled islanding, respectively. The methodology first identifies AC lines at segmentation boundaries (i.e., those that most frequently contribute to system partitioning) and evaluates the benefits of replacing them with VSC-HVDC links through dynamic cascading analysis and quantification, thereby enabling the asynchronous interconnection of segments. This approach helps confine cascading impacts within segments, significantly reducing the risk of widespread blackouts, especially in renewable-rich power grids with a heightened risk of instability. Next, to enhance operational resilience against cascading failures, controlled islanding is implemented within the DC-segmented system undergoing cascade initiation, effectively further confining cascading stress to a limited area around the origin of the initiating events. Tailored to enhance resilience in hybrid AC/DC power grids against cyber and physical cascade triggering events, the method leverages a cyber-anomaly detection technique to identify elements affected by fabricated protection trip commands and measurement replay attacks, distinguishing cyberattacks from physical disturbances. Implemented in the IEEE 39-bus and 118-bus test systems with dynamic cascading failure modeling that fully captures voltage and frequency transients in system response, the method demonstrates improvements of up to 88 % and 97 % in served demand, respectively, highlighting its effectiveness in mitigating cascading impacts and enhancing system resilience.

Power systems are undergoing rapid digitalization. This introduces new vulnerabilities and cyber threats in future Cyber-Physical Power Systems (CPPS). Some of the most notable incidents include the cyber attacks on the power grid in Ukraine in 2015, 2016, and 2022, which employed Advanced Persistent Threat (APT) strategies that took several months to reach their objectives and caused power outages. This highlights the urgent need for an in-depth analysis of APTs on CPPS. However, existing frameworks for analyzing cyber attacks, i.e., MITRE ATT&CK ICS and Cyber Kill Chain, have limitations in comprehensively analyzing APTs in CPPS environments. To address this gap, we propose a novel Advanced Cyber-Physical Power System (ACPPS) kill chain framework. The ACPPS kill chain identifies the APT characteristics that are unique to power systems. It defines and examines the cyber-physical APT stages spanning from the initial phases of infiltration to cascading failures and a power system blackout. The proposed ACPPS kill chain is validated with real-world APT attacks on the power grid in Ukraine in 2015 and 2016, and cyber-physical simulations.

Cyber actors can target the unsecured IEC 61850 protocols in digital substations to open circuit breakers and affect the power system operation. Thus, system operators must detect cyber-physical anomalies and differentiate in real-time between power system faults and cyber attacks on digital substations for effective incident response. In this work, we propose a novel image encoding method for event correlation using cyber-physical time-series data, i.e., Phasor Measurement Units (PMUs) and Operational Technology (OT) network traffic. More specifically, we propose a dynamic variation of the Gramian Angular Field method, which generates image streams capturing in real-time the spatial-temporal features in PMU measurements and IEC 61850 GOOSE traffic throughput. The proposed method for cyber-physical event correlation uses an image fusion technique. The method is tested using the benchmark IEEE 9-bus system. It successfully distinguishes between three-phase faults and GOOSE cyber attacks, demonstrating its usefulness for power system cyber security analytics.

The virtual integration of geographically distributed Research Infrastructures (RIs) for joint experiments in the domain of power and energy systems poses numerous challenges, particularly in terms of tool compatibility and user-friendliness. To address some of these challenges, this work presents the development and implementation of a laboratory-based middleware and data exchange service as part of the H2020 ERIGrid 2.0 project. The middleware comprises a suite of shared software tools and services designed to seamlessly integrate RIs including transport protocols as well as interface semantics. Specifically, this work details the development of a simplified and standardised interface known as the Universal Application Programming Interface (UAPI). It eliminates the need for users to grapple with the diverse intricacies of each individual RI, offering instead a tool-agnostic and standardised interface for conducting joint experiments. The work also presents and discusses the results of a real-world case study of a geographically distributed, sector-coupling experiment conducted between laboratories in Denmark, Greece, Italy, Netherlands, and Norway utilising the developed middleware.

Cyber-physical power systems are susceptible to cyber threats and attacks that can lead to cascading failures and widespread power outages. Therefore, mitigating the impact of such attacks requires the timely implementation of operational strategies to prevent cascading blackouts. One Such strategy is the controlled islanding of the affected power grid, serving as a last resort against the propagation of the cascading outages. In this context, this paper introduces a novel detection-informed operational mitigation strategy, i.e., controlled islanding, against cyberattack-induced cascading failures, addressing 'when' and 'where' to implement controlled islanding. The proposed strategy leverages dynamic cascading failure modeling to quantify the impact of ongoing cyberattacks on power grids, using quantitative metrics such as demand-not-served (DNS). For effective operational mitigation, the strategy initiates controlled islanding when any attack, including fabricated protection trip commands and measurements' replay attacks, are detected, and any operating limits, such as line loading, are violated. It then proceeds to the implementation of controlled islanding, where identified cyberattack-affected elements are effectively surrounded by stable and self-sufficient islanded areas, while minimizing the system DNS. Numerical results on the IEEE 39-bus system demonstrate the effectiveness of the proposed strategy, reducing the DNS value by up to 47% when the controlled islanding strategy is implemented.

This review paper explores the landscape of incipient fault detection methodologies within power distribution networks. It aims to provide insights into the current state-of-the-art techniques, their effectiveness, and potential avenues for future research. Incipient faults, often imperceptible and challenging to detect, pose significant risks to the stability and reliability of power distribution systems. Detecting these faults early ensures uninterrupted service and prevents catastrophic failures. The review begins by outlining the fundamental concepts of incipient faults and their implications on power distribution networks. It then surveys various detection methods, categorizing them into conventional and advanced techniques. Conventional methods include rule-based approaches, while advanced techniques encompass machine learning, artificial intelligence, and data-driven methodologies. Each category is examined in terms of its principles, advantages, and limitations. Furthermore, the review identifies key challenges and emerging trends in incipient fault detection, such as integrating smart grid technologies, utilizing big data analytics, and developing hybrid detection approaches. This thorough review enables stakeholders in the power distribution sector to enhance their comprehension of existing incipient fault detection techniques, thereby enabling informed decisions to enhance network reliability and resilience. Moreover, it offers invaluable insights for researchers and practitioners striving to drive advancements in the field through innovative methodologies and technologies.

The increasing risk of cyber-physical attacks (CPAs) on power infrastructure has led to need for reliable detection technologies. As the landscape of cyber threats evolves, it becomes imperative to continually update and enhance attack detection techniques. This research investigates the formulation of detection algorithm, via combination of State Partition Particle Filter (SP-PF) theories for power system security. The proposed approach applies intelligent partitioning of the state space so as to be accurately represented with fewer particles. This reduction in computational demand enhances the algorithm’s efficiency, making it more practical for real-time applications. The detection algorithm based on SP-PF is tested against switching attacks (SAs) launched on the governor and excitation systems associated with the generator. The RTDS platform is utilized for conducting real-time simulations of IEEE 9-bus power network in order to demonstrate the efficacy of proposed SP-PF based detection SA in real-time.

Today's critical infrastructure systems are more interconnected and dependent on the electric power grid. This interdependence means that disruptions in one system can have far-reaching consequences across many others. This is particularly evident when a cyberattack in the power grid leads to widespread outages and disrupts essential societal services. To prevent such disasters, it is crucial that proactive actions are taken to secure our power grid control centers and digital substations. This is where digital twins (DTs) play an important role: By creating virtual replicas of cyberphysical assets and processes, DTs allow system operators to anticipate and address potential vulnerabilities in our cybersecurity defenses before they can be exploited. As such, a DT can be considered as a key contributor to safeguard the power system against cyberattacks. This article examines the potential future benefits of DTs in enabling a cybersecure and resilient power grid, explores multiple use cases, and proposes a path forward.

Cascading failures in power systems are extremely rare occurrences caused by a combination of multiple, low probability events. The looming threat of cyberattacks on power grids, however, may result in unprecedented large-scale cascading failures, leading to a blackout. Therefore, new analysis methods are needed to study such cyber induced phenomena. In this article, we propose a data-driven method for dynamical analysis of power system cascading failures caused by cyberattacks. We provide experimental proof on how attacks may accelerate the cascading failure mechanism, in comparison to historically observed blackouts. Using a dynamic power grid model, consisting of multiple, coordinated protection schemes, we define and analyze the point of no return in a cascading failure sequence by applying the Hilbert-Huang transform for time-frequency analysis. Numerical results indicate, cyberattacks may accelerate cascading failures at least by a factor of 3x. This is due to the excitation and non-damping of multiple frequency modes greater than 1 Hz in a short time span. The proposed method is tested using time domain simulations conducted through a modified IEEE 39-bus test system, which can simulate cascading outages using coordinated protection schemes.

High Voltage Direct Current (HVDC) technology is one of the key enablers of the energy transition, especially for offshore wind energy systems. While extensive research on cyber security of High Voltage Alternating Current (HVAC) systems has been conducted, limited research exists on cyber security aspects of HVDC systems. These systems exhibit unique attributes, in comparison to HVAC systems, such as longer transmission line distances and increased volume of data samples for wide-area monitoring, control, and protection applications. These factors lead to a higher vulnerability of HVDC systems to cyber attacks. Existing state-of-the-art HVDC surveys, however, are primarily focused on HVDC physical components and exclude cyber security elements. Therefore, this paper presents the first detailed survey on the cyber security of HVDC Cyber-Physical Systems (CPS). We present a comprehensive review of the state-of-the-art HVDC systems, with a special focus on cyber threats and vulnerabilities, defense and mitigation strategies, and testbeds. Based on the review and analysis, insights and recommendations on future research directions to address the research gaps in this field of study are provided. Future research on cyber security for HVDC systems should prioritize the integration of cyber and physical system data and focus on early-stage detection to mitigate the potentially severe impacts of cyber attacks on HVDC grids.

This paper presents a methodology to distinguish between three-phase faults and GOOSE cyber attacks, aimed at opening the circuit breakers in the power grid. We propose a scheme that utilizes Phasor Measurement Unit (PMU)-enabled monitoring of power grid states, and communication network packet logs in the substation. In this scheme, by leveraging both cyber and physical data correlations and applying a Seasonal Autoregressive Moving Average (SARMA) model, we successfully distinguish between 3-phase faults and cyber attacks. The proposed scheme is tested using the benchmark IEEE 9-bus system, and can distinguish cyber attacks from faults in less than 0.2s. This demonstrates the usefulness of the proposed scheme for power system cyber security analytics.

This paper presents a rules-based integrated fault detection, classification and section identification (I-FDCSI) method for real distribution networks (DN) using micro-phasor measurement units ((Formula presented.) PMUs). The proposed method utilizes the high-resolution synchronized realistic measurements from the strategically installed (Formula presented.) PMUs to detect and classify different types of faults and identify the faulty section of the distribution network. The I-FDCSI method is based on a set of rules developed using expert knowledge and statistical analysis of the generated realistic measurements. The algorithms mainly use line currents per phase reported by the different (Formula presented.) PMUs to calculate the minimum and maximum short circuit current ratios. The algorithms were then fine-tuned with all the possible types and classes of fault simulations at all possible sections of the network with different fault parameter values. The proposed I-FDCSI method addresses the inherent challenges of DN by leveraging the high-precision measurements provided by (Formula presented.) PMUs to accurately detect, classify, and sectionalise faults. To ensure the applicability of the developed IFDCSI method, it is further tested and validated with all the possible real-time events on a real distribution network and its performance has been compared with the conventional fault detection, classification and section identification methods. The results demonstrate that the I-FDCSI method has a higher accuracy and faster response time compared to the conventional methods and facilitates faster service restoration, thus improving the reliability and resiliency indices of DN.

The complexity and dynamic nature of laboratory configurations pose a challenge when undertaking joint experiments, involving multiple Research Infrastructures (RIs). In this context, this paper presents an approach towards the automation of Configuration Management (CM) for joint experiments between multiple labs. The objective is to develop a CM workflow, based on the automated generation of individual local signal configurations from a single global experiment configuration. For this reason, a global experiment configuration file which defines signals, their exchange patterns between RIs, and the data transport packages used for the actual exchange is created. Furthermore, typical use cases based on static and dynamic lab configuration are defined and demonstrated using the proposed approach.