Implementing smart grid functionalities integrates information and communication technologies into substations, which creates a substantial risk of cyber attacks. To cope with these threats, the project will research a dedicated anomaly detection system for the automation network in substations and implement it as a proof of concept.
The first step of the project will be an analysis of the security requirements for the operation of primary and secondary substations. Next, a suitable formalism is chosen and used to develop a formal model of the network structure, including the typical protocols used in it. Based on this model, patterns of normal behavior are defined using, among other methods, machine learning techniques. An algorithm is then developed that continuously checks the current network traffic against these patterns. This algorithm detects deviations from normal behavior as anomalies, which lead to corresponding counter-actions. Another important aspect of the Substation Security project is that the detection system must operate in a decentralized manner, integrated within existing automation networks. Consequently, it must be capable of operating in an environment with restricted hardware resources.
Project goals and results
Primary and secondary substations are important components of electric energy distribution systems. Substation Security researches an intrusion detection system for the automation networks within primary and secondary substations. Designing the intrusion detection system as an anomaly detection system will enable it to cope with hitherto unknown, not yet observed attacks as well. Because network traffic shows rather regular behavior, anomaly-centered procedures are viable.
The content and results of the research project Substation Security will be:
- the design of an intrusion detection system for automation networks in substations and local transformer stations based on anomaly detection
- a formal definition of the normal behavior of such a network with the purpose of a continuous surveillance of network behavior
- a proof-of-concept implementation of the intrusion detection system, integrated into a near-real-world setting