STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH [0001] This invention was made with Government support under Grant No. ECCS- 2002570 awarded by the National Science Foundation (NSF), and Grant No. DE- EE0009031 awarded by the Department of Energy (DOE). The Government has certain rights in the invention.

BACKGROUND

[0002] Modern power system and subsystems include not only grid-level power applications, but also more localized applications such as localized subsystems, microgrids, and the like. These subsystems may manage and provide power to a relatively localized area such as a town, a campus, a factory or group of factories, a home, etc.

[0003] Such subsystems may include power sources including, but not limited to traditional power plants (e.g., coal fire or nuclear power plants), solar farms and panels, wind farms and turbines, generators. Power subsystems may also include various types of loads such as residential domiciles, factories, electric vehicles, and the like. In addition, these power subsystems may also include power storage devices (also sometimes referred to herein as storage elements) such as batteries. Other elements and circuits may be present within the subsystem such as power switches, power converters, power buses, and the like. All these elements may interact within the subsystem to create a localized power ecosystem or “grid” that provides energy to energy consumer (i.e. loads) within the subsystem. [0004] Many subsystems include computerized management systems that monitor and/or control the power sources, loads, storage elements (e.g., batteries), and other elements. These management systems can be susceptible to cyber-attacks, i.e. attacks by “hackers” (i.e., an organization or person who utilizes processing or other devices (e.g., computers) to gain unauthorized access to systems, data, and/or operations of a system) or other parties intending to interrupt, disrupt or otherwise interfere with or change in some way operation of a management system or a subsystem. Detecting cyber-attacks can afford a person, system or organization under attack to defend against the cyber-attack.

[0005] For example, a cyber-attack may be directed toward information regarding a tie line exchange or frequency input to an automatic generation control (AGC). In an electric power system, an AGC is a system for adjusting the power output of multiple generators at different power plants, in response to changes in the load. One AGC function is to automatically control power generation in response to slow, hard-to-predict area control imbalances. Each control area may have its own AGC system, with the task of regulating local area frequency to nominal value (60 Hz in USA, for example), and the exchange of power with the neighboring areas. The net power imbalance between neighboring areas is represented as the Area Control Error (ACE).

SUMMARY

[0006] Some or all of the actions described below may be performed by a computer or processor executing software instructions, by hardware, or by a combination of a computer or processor executing software instructions and hardware.

[0007] In an embodiment, a system includes an interface that provides an output signal; a controller configured to calculate an interaction variable from a function of one or more internal states of the system; a comparator circuit coupled to receive the output signal and the interaction variable, to determine a difference between at least one characteristic of the power signal and at least one characteristic of the interaction variable; and a cyber-attack identification module configured to identify the presence of a cyber-attack targeting the system based on the difference between the at least one characteristic of the power signal and the at least one characteristic of the interaction variable.

[0008] Implementations may include one or more of the following features. The system may be a microgrid. The output signal is a power output signal of the microgrid. The microgrid is a hierarchical microgrid. The interaction variable is a function that includes a rate of change of reactive power of the output signal. The interaction variable is a function of internal states of the system. The internal states may include: an amount of power generated by the system, an amount of power provided as an output of the system, an amount of power received from other systems, a change in a power level of the system, or any combination thereof. The cyber attack identification module calculates a threshold of the difference, and compares the difference to the threshold. The system includes one or more power source elements and one or more load elements. The system may include at least one measurement circuit to measure a state of the one or more power source elements and/or the one or more load elements.

[0009] In another embodiment, a method of detecting a cyberattack of a system includes providing, by the system, an output signal; measuring one or more internal states of the system; calculating an interaction variable from a function of one or more internal states of the system; determining, by a comparator circuit coupled to receive the output signal and the interaction variable, a difference between at least one characteristic of the power signal and at least one characteristic of the interaction variable; and identifying, by a cyber-attack identification module, the presence of a cyber-attack targeting the system based on the difference between the at least one characteristic of the power signal and the at least one characteristic of the interaction variable.

[0010] Implementations may include one or more of the following features. The system is a microgrid. The output signal is a power output signal of the microgrid. The microgrid is a hierarchical microgrid. The interaction variable is a function that includes a rate of change of reactive power of the output signal. The interaction variable is a function of internal states of the system. The internal states may include: an amount of power generated by the system, an amount of power provided as an output of the system, an amount of power received from other systems, a change in a power level of the system, or any combination thereof. The cyber attack identification module calculates a threshold of the difference, and compares the difference to the threshold. The system includes one or more power source elements and one or more load elements. The method may include measuring, by at least one measurement circuit, a state of the one or more power source elements and/or the one or more load elements.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] FIG. 1 is block diagram of an example power system comprising one or more subsystems.

[0012] FIG. 2 is block diagram of an example power system comprising an aggregator/controller coupled to one or more sources, loads and/or buses.

[0013] FIG. 3 is a block diagram representation of information processing in emerging microgrids showing their hierarchical control. [0014] FIG. 4 is a flow diagram of a process for detecting a cyber attack.

[0015] FIG. 5 is a block diagram of a system for detecting a cyber attack.

[0016] FIG. 6 is a model of subsystem.

[0017] FIG. 7 is a model of an element of a subsystem.

DETAILED DESCRIPTION

[0018] In general overview, described herein are systems and methods for detecting cyber-attacks. Also described are systems and methods for defending against cyber attacks. It should be appreciated that although references and examples are sometimes made herein to systems and methods for detecting cyber-attacks in the context of electrical power systems, such references the concepts, systems and methods described herein may also find use is in a variety of other applications such as computer systems and computer network applications.

[0019] Before describing the details of systems and methods for detecting and defending against cyber-attacks some introductory terminology is explained. The term “subsystems” is used herein to refer to electrical power subsystems. It should be appreciated that this term may include various types of subsystems such as power grids, power grid subsystems, microgrids, building-level power systems, or any other type of power system with power generating elements, power consuming elements, and/or power storage elements. In some instances, subsystems will include computerized monitoring or control of some or all the elements within the subsystem. For example, a computing system may monitor and control power sources within the subsystem by measuring voltage and current outputs of the power source and throttling the electrical output of the power source. The computing system may also monitor and control power consumer (a.k.a. loads) by measuring the current into and voltage across the load, and turning the loads on and off and/or throttling the amount of power the load consumes. The computing system may also monitor and control batteries within the subsystem by measuring the stored energy within the battery and controlling the charging and discharging of the battery.

[0020] Subsystems with emerging functionalities may require cyber-physical control for their lead services. These subsystems can participate in economic dispatch to predict usage and balance ancillary services. Cyber-attacks can compromise the subsystem and potentially cause significant operational problems.

[0021] Referring to FIG. 1, a subsystem 100 is coupled to a central power grid 102. The subsystem 100 may include various power sources 102 which may include any elements that generate power within the subsystem 100. Examples of sources 102 include, but are not limited to, power generators, power plants, solar farms, wind farms, storage devices and the like. The power sources 102 may also include one or more solar panels on buildings.

[0022] The subsystem 100 may also include various loads 104, which may include any element that consumes power such as buildings, factories, residential homes, and the like as well as any power consuming machines therein. For example, loads 104 may also include loads within buildings and structures such as heating systems, hot water heaters, air conditioning systems, and the like. Subsystem 100 may also include elements that can act as both electrical sources and loads, such as storage devices (e.g., batteries). One or more loads 104 may be critical loads, which may be loads where power must not be interrupted. Examples of critical loads include hospitals and other facilities where the loss of power can be dangerous. Subsystem 104 may also comprise one or more priority loads and/or one or more interruptible loads. Priority loads are loads where it is desirable to provide continuous power, and interruptible loads are loads where temporary loss of power may be acceptable.

[0023] The subsystem also includes infrastructure 106, which may comprise power lines, switches, buses, transformers, communication lines, and other electrical circuits and interconnections that allow the sources 102 and loads 104 to interact, provide/consume power, and communicate with each other. In some instances, the infrastructure 106 may include a computer network (wired or wireless) that allows communication between some or all of the elements within the subsystem 100.

[0024] The infrastructure 106 may include a controller 108 coupled to one, some, or all the sources 102, loads 104, infrastructure 106 elements, or any other element within subsystem 100. In embodiments, controller 108 may be a computing device that includes a processor and a memory. The processor may execute software instructions stored on the memory, which may cause the processor to perform various functions. These functions may include operational functions of the subsystem such as controlling any or all the loads 104, sources 102, infrastructure elements, or storage devices. The functions may also include any or all the functions described below relating to detection of a cyber attack including, but not limited to, measuring or computing interaction variables (IntVars), comparing IntVars to detect a cyber attack, and the like. [0025] Controller 108 may be a single computing device 108 or a plurality of computing devices. Controller 108 may be collocated with subsystem 100, or may be located at a remote location as long as controller 108 can communicate with one or more of the element(s) within subsystem 100.

[0026] Subsystem 100 may be coupled to a central grid 110, such as a national or regional power grid. Similarly, subsystem 100 may be coupled to one or more other subsystems 112. In some instances, there may be power exchange between subsystem 100 and central grid 110. However, in other instances, subsystem 100 may operate independently, supplying and consuming its own power without the need for power exchange with other grids.

[0027] Referring to FIG. 2, subsystem 200 may be the same as or similar to subsystem 100. In this example, additional examples of subsystem infrastructure are shown. Subsystem 200 is shown with various points of contact 202, 204, 206, 208. These points of contact 202-208 may act as electrical buses that can function as interconnects for various loads and sources within or external to subsystem 200. For example, point of contact 206 may be coupled to loads 210 and 212, and coupled to source 214 which may provide power to loads 21 and 212. Point of contact 206 may also provide an external interface point to subsystem 200, which may be coupled to a central grid, another subsystem 218, or the like. In embodiments, subsystem 200 may have multiple external interfaces that exchange power with multiple other subsystems.

[0028] A controller 216 may be coupled to one, some, or all the elements within subsystem 200. Controller 216 may monitor and/or control the infrastructure elements, providing power to critical loads, priority loads, and interruptible loads as needed. Controller 216 may also measure or otherwise determine or receive the state of each element within subsystem 200 and use one, some or all of the element states to generate an aggregated IntVar calculation, which will be discussed below.

[0029] An IntVar of subsystem 200 may be represented as the power exerted by subsystem 200 on its environment. One way to measure the IntVar is to measure an area control error (ACE), which can be represented as power and the rate of change of the power at the external interfaces (e.g. interface 220) of subsystem 200. If the subsystem has more than one external interface (i.e. more than one point of contact that exchanges power external to subsystem 200), then the IntVar for subsystem 200 can be measured by measuring the power exchange (e.g. the power input or output, and/or the rate of change of the power input or output) at each interface and summing them.

[0030] Another way to measure the IntVar of subsystem 200 is to calculate, computer, receive or otherwise determine the internal states of subsystem 200. This may be accomplished, for example, by measuring the power and the rate of change of power of every element (i.e., loads, sources, power storage elements, etc.) within subsystem 200 and aggregating them. Thus, the IntVar can be calculated or otherwise determined as a function of the internal states of the subsystem, and can be represented as, where x is an internal state of subsystem 200:

[0031] Since the internal state x and the rate of change of the internal state are measured, the IntVar of the subsystem can be viewed as a function of the internal states x and the rate of change of the internal states x of the subsystem /(x, x). In view of equations (1) and (2), in a normally operating subsystem:

[0032] The left side of equation (3) represents the IntVar measured at the subsystem’s external interfaces. The right side of equation (3) represents the IntVar calculated aggregating the states of the elements within the subsystem. If there is a discrepancy, for example if the two sides of equation (3) do not match, it can indicate the presence of a cyber-attack that is affecting the power generated and/or consumed by the subsystem.

[0033] To detect the presence of a cyber-attack, a threshold value T (e.g., a determined value, or an arbitrarily selected threshold value T) may be established, such that if: then a cyber-attack is detected.

[0034] In embodiments, a threshold value may be determined based upon historical data associated with one or more systems and/or subsystems.

[0035] In embodiments, controller 216 may be coupled to each element within subsystem 200 and can measure the power input and output of each element. Additionally or alternatively, controller 200 may receive communications about the state of each element within subsystem 200. For example, controller 216 may receive a network communication from an element such as a smart water heater within subsystem 200 providing information about the power consumption of the smart water heater. Controller 216 may then be able to calculate and aggregate the IntVar of the subsystem by aggregating the power input and output of each element within the subsystem, per equation (2) above.

[0036] Referring to FIG. 3, some subsystems may operate according to a hierarchical control structure 300 having a plurality of levels with here three levels being shown (i.e., primary, secondary and tertiary levels being shown in the example embodiment of Fig. 3). Each of the levels may comprise one or more controllers and/or one or more components. At each level, decisions are made and scales of complexity differ at the primary, secondary and tertiary levels. The one or more controllers in the bottom level (identified as Row C in Fig. 3) may represent one or more controllers coupled to one or more individual elements within a subsystem, such as a controller coupled to one or more of: an individual load such as a smart water heater or electric car; to an individual source such as generator; and/or to an individual storage device, or the like. The one or more controllers in Row B may represent controllers that operate a subsystem, such as controller 216 in FIG. 2. The controllers in rows B and C may communicate with each other, providing and/or exchanging information (for example over a communication network) about the state of the subsystem and/or the state of the elements within the subsystem.

[0037] A tertiary level controller in row A may communicate with multiple subsystem- level controllers in row B. In embodiments, the tertiary controller in row B may provide and/or exchange information about the amount of power that is being exchanged between subsystems. For example, referring again to FIG. 2, the tertiary controller can provide information to controller 216 and/or subsystem 218 about the ACE between subsystems 200 and 218. In FIG. 3, the boxes labeled component 1 through N may represent energy generating sources including but not limited to entire power plants such as solar plants, nuclear power plants, fusion power plants, storage devices, generators, and the like. [0038] FIG. 4 is a flow diagram showing illustrative processing for detecting a cyber attack in a subsystem that can be implemented within any of systems 100 (FIG. 1), 200 (FIG. 2), 300 (FIG. 3) describe above. Some or all of the functions in the flowchart may be performed by a computing device, such as controller 216 (Fig. 2).

[0039] Rectangular elements (typified by element 402 in FIG. 4), denoted as “processing blocks,” represent processing or computer software instructions or groups of instructions. Diamond shaped elements (typified by element 410 in FIG. 4), denoted as “decision blocks,” represent processing or computer software instructions, or groups of instructions, which affect the execution of the processing or computer software instructions represented by the processing blocks. Alternatively, the processing and decision blocks may represent functions performed by functionally equivalent circuits such as a digital signal processor circuit or an application specific integrated circuit (ASIC). The flow diagrams do not depict the syntax of any particular programming language. Rather, the flow diagrams illustrate the functional information one of ordinary skill in the art requires to fabricate circuits or to generate computer software to perform the processing required of the particular system or device. It should be noted that many routine program elements, such as initialization of loops and variables and the use of temporary variables are not shown. It will be appreciated by those of ordinary skill in the art that unless otherwise indicated, the particular sequence of blocks described is illustrative only and can be varied without departing from the spirit of the concepts, structures, and techniques described. Thus, unless otherwise stated the blocks described below are unordered meaning that, when possible, the functions represented by the blocks can be performed in any convenient or desirable order. [0040] Turning now to FIG. 4, processing begins in processing block 402, internal characteristics (e.g., internal states) of a subsystem are measured or otherwise determined. As described above, in embodiments, the internal states of elements within a subsystem can be measured otherwise determined by or communicated to a controller. In processing block 404, an IntVar for the subsystem is calculated or otherwise determined from the characteristics that were measured in processing block 402. The measured or determined characteristics can be aggregated. In embodiments, the measured or determined characteristics can be aggregated according to equation (2) above. In processing block 406, the IntVar of the subsystem can be measured or otherwise determined by measuring or determining the power exchange at the interface(s) of the subsystem. This may be accomplished, for example, according to equation (1) above.

[0041] In box 408, the controller may calculate or otherwise determine a difference between the value of the IntVar that was determined in box 406 and the value of the IntVar that was determined in processing block 404. If that difference exceeds a threshold in box 410, then the controller may indicate that a potential cyber attack was detected in processing block 412. In processing block 414, measures/processes/actions to counter the cyber-attack can be taken. These measures can include any known cyber-attack counter measures such as shutting off external network communications, closing firewalls, and the like.

[0042] If, in decision block 410, the difference did not exceed the threshold value, the controller may restart the process at processing block 402. In embodiments, the process 400 may take a few seconds or less to execute. Thus, the concepts, systems and techniques described herein may rapidly determine a potential cyber attack. [0043] Referring to FIG. 5, a system 500 for detecting or otherwise determining a cyber attack includes a controller 502 that may be associated with a subsystem. Controller 502 may be the same as or similar to controller 216. The system may include one or more distributed system state measurements circuits 516a-n. These circuits 516a-n may function or otherwise act to measure or determine the internal state of the subsystem by, for example, measuring the state of the elements of the subsystem. For example, the circuit 516a-n may comprise a power measurement device capable of measuring how much power is being consumed by an individual load within the subsystem, or how much power is being produced by an individual source within the subsystem.

[0044] The system may also include one or more interface IntVar measurement circuits 518. The circuit 518 may be configured to measure power at the interface of the subsystem to determine a value of the IntVar for the subsystem. For example, circuit 518 may determine (e.g., measure) an ACE between subsystems, the net power exchange of the subsystem at all external interfaces, and/or similar measurements.

[0045] The circuits 516a-n and 518 may communicate with the controller 512 through a communication interface 514, which may be a wireless or wired network. An IntVar processor module 520 may receive the measurements of the internal states of the subsystem from the circuits 516a-n and compute a first value of the IntVar of the system from the internal states. The IntVar processor module 520 may also receive the measurements of power at the external interfaces of the subsystem from circuit 518 and use them to compute a second value of the IntVar of the system. A comparator module 522 may compare the first value of the IntVar with the second value of the IntVar. Under normal operating conditions, the two values should be substantially the same. Thus, if the difference between the two values is above a threshold, controller 512 may provide an indication of the presence of a cyber attack.

[0046] Referring to FIG. 6, an example model 600 of an example subsystem is shown. Box 602 represents the aggregate of the measurements at the external interfaces of the subsystem. These are represented as the power exchange at the external interface £ and dE the rate of change of the power exchange at the external interface — . Box 604 represents dx the internal states x and the rate of change of the internal states — of the elements of the subsystem. Under normal operating conditions, the values boxes 602 and 604 should be substantially the same. Also, the rate of change of the value of these boxes should be substantially the same.

[0047] From these measurements, the IntVar and the rate of change of the IntVar dlntVar

( — — — ) can be calculated. As shown in box 606, the rate of change of the IntVar and/or the rate of change of the IntVar are a function of the state variables x and the rate of change of the state variables

[0048] Referring to FIG. 7, a model of an element 702 is shown to illustrate example measurements of state variables and IntVar calculations for the element. The element 702 is a generalized element that can represent a subsystem or an element within a subsystem. The element 702 has a terminal 704. Power can be measured at the terminal, for example, by measuring the current i and voltage V. The state variables may be the power P at the terminal (where P = I*V) and the rate of change of the power at the terminal where:

[0049] Various embodiments of the concepts, systems, devices, structures, and techniques sought to be protected are described above with reference to the related drawings. Alternative embodiments can be devised without departing from the scope of the concepts, systems, devices, structures, and techniques described. It is noted that various connections and positional relationships (e.g., over, below, adjacent, etc.) may be used to describe elements in the description and drawing. These connections and/or positional relationships, unless specified otherwise, can be direct or indirect, and the described concepts, systems, devices, structures, and techniques are not intended to be limiting in this respect. Accordingly, a coupling of entities can refer to either a direct or an indirect coupling, and a positional relationship between entities can be a direct or indirect positional relationship.

[0050] As an example of an indirect positional relationship, positioning element "A" over element "B" can include situations in which one or more intermediate elements (e.g., element "C") is between elements "A" and elements "B" as long as the relevant characteristics and functionalities of elements "A" and "B" are not substantially changed by the intermediate element(s).

[0051] Also, the following definitions and abbreviations are to be used for the interpretation of the claims and the specification. The terms "comprise," "comprises," "comprising, "include," "includes," "including," "has," "having," "contains" or "containing," or any other variation are intended to cover a non-exclusive inclusion. For example, an apparatus, a method, a composition, a mixture or an article, that comprises a list of elements is not necessarily limited to only those elements but can include other elements not expressly listed or inherent to such apparatus, method, composition, mixture, or article.

[0052] Additionally, the term "exemplary" is means "serving as an example, instance, or illustration. Any embodiment or design described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. The terms "one or more" and "at least one" indicate any integer number greater than or equal to one, i.e. one, two, three, four, etc. The term "plurality" indicates any integer number greater than one. The term "connection" can include an indirect "connection" and a direct "connection".

[0053] References in the specification to “embodiments,” "one embodiment, "an embodiment," "an example embodiment," “an example,” “an instance,” “an aspect,” etc., indicate that the embodiment described can include a particular feature, structure, or characteristic, but every embodiment may or may not include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it may affect such feature, structure, or characteristic in other embodiments whether or not explicitly described.

[0054] Relative or positional terms including, but not limited to, the terms "upper," "lower," "right," "left," "vertical," "horizontal, "top," "bottom," and derivatives of those terms relate to the described structures and methods as oriented in the drawing figures. The terms "overlying," "atop," "on top, "positioned on" or "positioned atop" mean that a first element, such as a first structure, is present on a second element, such as a second structure, where intervening elements such as an interface structure can be present between the first element and the second element. The term "direct contact" means that a first element, such as a first structure, and a second element, such as a second structure, are connected without any intermediary elements.

[0055] Use of ordinal terms such as “first,” “second,” “third,” etc., in the claims to modify a claim element does not by itself connote any priority, precedence, or order of one claim element over another, or a temporal order in which acts of a method are performed, but are used merely as labels to distinguish one claim element having a certain name from another element having a same name (but for use of the ordinal term) to distinguish the claim elements.

[0056] The terms “approximately” and “about” may be used to mean within ±20% of a target value in some embodiments, within ±10% of a target value in some embodiments, within ±5% of a target value in some embodiments, and yet within ±2% of a target value in some embodiments. The terms “approximately” and “about” may include the target value. The term “substantially equal” may be used to refer to values that are within ±20% of one another in some embodiments, within ±10% of one another in some embodiments, within ±5% of one another in some embodiments, and yet within ±2% of one another in some embodiments.

[0057] The term “substantially” may be used to refer to values that are within ±20% of a comparative measure in some embodiments, within ±10% in some embodiments, within ±5% in some embodiments, and yet within ±2% in some embodiments. For example, a first direction that is “substantially” perpendicular to a second direction may refer to a first direction that is within ±20% of making a 90° angle with the second direction in some embodiments, within ±10% of making a 90° angle with the second direction in some embodiments, within ±5% of making a 90° angle with the second direction in some embodiments, and yet within ±2% of making a 90° angle with the second direction in some embodiments.

[0058] The disclosed subject matter is not limited in its application to the details of construction and to the arrangements of the components set forth in the following description or illustrated in the drawings. The disclosed subject matter is capable of other embodiments and of being practiced and carried out in various ways.

[0059] Also, the phraseology and terminology used in this patent are for the purpose of description and should not be regarded as limiting. As such, the conception upon which this disclosure is based may readily be utilized as a basis for the designing of other structures, methods, and systems for carrying out the several purposes of the disclosed subject matter. Therefore, the claims should be regarded as including such equivalent constructions insofar as they do not depart from the spirit and scope of the disclosed subject matter.

[0060] Although the disclosed subject matter has been described and illustrated in the foregoing exemplary embodiments, the present disclosure has been made only by way of example. Thus, numerous changes in the details of implementation of the disclosed subject matter may be made without departing from the spirit and scope of the disclosed subject matter. [0061] Accordingly, the scope of this patent should not be limited to the described implementations but rather should be limited only by the spirit and scope of the following claims.

[0062] All publications and references cited in this patent are expressly incorporated by reference in their entirety.