WO2020046286A1 - Integrated cybersecurity risk assessment and state monitoring for electrical power grid - Google Patents

Publication number: WO2020046286A1
Authority: WO, WIPO (PCT)
Prior art keywords: cybersecurity, power grid, monitoring, components, attack
Legal status: Ceased
Application number: PCT/US2018/048491
Other languages: English (en)
Inventors: Honggang Wang, Philip Hart, Yazhou JIANG, Chaitanya Ashok BAONE, Xing Wang
Current Assignee: General Electric Co
Original Assignee: General Electric Co
Application filed by: General Electric Co
Priority to: PCT/US2018/048491

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/18 Network protocols supporting networked applications, e.g. including control of end-device applications over a network
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • Industrial control systems that operate electrical power grids (e.g., associated with power turbines, generators, distribution lines, substations, etc.) are increasingly connected to the Internet. As a result, these control systems have become more vulnerable to threats, such as cyber-attacks (e.g., associated with a computer virus, malicious software, etc.) that could disrupt electric power generation and distribution, damage turbines, etc.
  • a plurality of monitoring nodes may each generate a time-series of current monitoring node values representing current operation of components of an electrical power grid.
  • a cybersecurity monitoring computer platform may receive the current monitoring node values and pre-process them to generate a risk prior knowledge result. At least some of the components may be ranked to create a set of critical components based on a constrained optimizer that has the risk prior knowledge as an input. The cybersecurity monitoring computer platform may then monitor the set of critical components to generate a cybersecurity result (e.g., representing normal operation, a cyber attack, or a fault in the electrical power grid) to be transmitted (e.g., via a recommendation for an electrical grid planner, an interactive user interface display, an automated online decision-making process, etc.).
  • Some embodiments comprise: means for receiving, by a cybersecurity monitoring computer platform from a plurality of monitoring nodes, a time-series of current monitoring node values that represent current operation of electrical power grid components; means for pre-processing the received current monitoring node values to generate a risk prior knowledge result; means for ranking at least some of the components to create a set of critical components based on a constrained optimizer that has the risk prior knowledge as an input; means for monitoring the set of critical components to generate a cybersecurity result; and means for transmitting an indication of the cybersecurity result.
  • abnormalities such as cyber-attacks and faults, in an automatic and accurate manner.
  • FIG. 1 is a high-level block diagram of a system using an optimization algorithm in accordance with some embodiments.
  • FIG. 2 is an electrical power grid protection method according to some embodiments.
  • FIG. 3 is a system diagram according to some embodiments.
  • FIG. 4 illustrates risk factors in accordance with some embodiments.
  • FIG. 5 illustrates a method to dynamically address a risk assessment process according to some embodiments.
  • FIG. 6 is a more detailed system diagram to capture changes and/or threat dynamics to inform risk management decisions in accordance with some embodiments.
  • FIG. 7 is an embodiment of controls associated with a single asset class according to some embodiments.
  • FIG. 8 is a human machine interface display in accordance with some embodiments.
  • FIG. 9 illustrates cyber-hardened state monitoring of a critical network subset of components according to some embodiments.
  • FIG. 10 is a high-level block diagram of a system that may be provided in accordance with some embodiments.
  • FIG. 11 is an electrical power grid protection platform according to some embodiments.
  • FIG. 12 is a portion of a tabular electrical power grid database in accordance with some embodiments.
  • FIG. 1 is a high-level block diagram of a system 100 using an optimization algorithm in accordance with some embodiments.
  • the system 100 includes a pre-processing unit 110 that may receive signals representing measurement data from one or more sensors associated with components of an electrical power grid.
  • the pre-processing unit 110 may generate risk prior knowledge (including a likelihood or vulnerability of cyber-attack and/or self-healing abilities of a component).
  • An optimizer 150 may then rank power grid components to generate a list of critical network components based on, for example, a constrained optimizer algorithm that takes previously pre-processed results as an input.
  • the list may be provided to a system planner 160 and/or be used by transmission state monitoring 170 in accordance with any of the embodiments described herein.
  • outputs from the system planner 160 and/or transmission state monitoring 170 may be continuously and/or automatically provided as feedback 180 to the pre-processing unit 110.
  • the term “automatically” may refer to, for example, actions that can be performed with little or no human intervention.
  • devices may exchange information via any communication network which may be one or more of a Local Area Network (“LAN”), a Metropolitan Area Network (“MAN”), a Wide Area Network (“WAN”), a proprietary network, a Public Switched Telephone Network (“PSTN”), a Wireless Application Protocol (“WAP”) network, a Bluetooth network, a wireless LAN network, and/or an Internet Protocol (“IP”) network such as the Internet, an intranet, or an extranet.
  • any devices described herein may communicate via one or more such communication networks.
  • the optimizer 150 may store information into and/or retrieve information from various data stores, which may be locally stored or reside remote from the optimizer 150. Although a single optimizer 150 is shown in FIG. 1, any number of such devices may be included. Moreover, various devices described herein might be combined according to embodiments of the present invention. For example, in some embodiments, pre-processing unit 110 and optimizer 150 might comprise a single apparatus. The system 100 functions may be performed by a constellation of networked apparatuses, such as in a distributed processing or cloud-based architecture.
  • a user may access the system 100 via a device (e.g., a Personal Computer (“PC”), tablet, or smartphone) to view information about and/or manage operational information in accordance with any of the embodiments described herein.
  • an interactive graphical user interface display may let an operator or administrator define and/or adjust certain parameters (e.g., when a new electrical power grid component is installed) and/or provide or receive automatically generated recommendations or results from the system 100.
  • FIG. 2 is an electrical power grid protection method that might be performed by some or all of the elements of the system 100 described with respect to FIG. 1.
  • the flow charts described herein do not imply a fixed order to the steps, and embodiments of the present invention may be practiced in any order that is practicable. Note that any of the methods described herein may be performed by hardware, software, or any combination of these approaches.
  • a computer-readable storage medium may store thereon instructions that when executed by a machine result in performance according to any of the embodiments described herein.
  • a cybersecurity monitoring computer platform may receive, from a plurality of monitoring nodes, a time-series of current monitoring node values that represent current operation of electrical power grid components.
  • component may refer to any item or process that facilitates the distribution of electrical energy, such as components associated with an electrical transmission system or an electrical distribution system.
  • components include a Phasor Measurement Unit (“PMU”), a Supervisory Control and Data Acquisition (“SCADA”)-based sensor, a smart meter, a generator, a substation, a Distributed Energy Resource (“DER”) cluster, an electrical bus, an electrical load, etc.
  • the system may pre-process the received current monitoring node values to generate a risk prior knowledge result.
  • the pre-processing might include, for example, a weighted factor associated with an attack likelihood for a component.
  • the pre-processing might be associated with a component’s capacity for self-healing, a likelihood of cyber-attack, a risk map, an attack map, etc.
  • a self-healing ability might be associated with an amount of time (e.g., how long it will take to fix a problem), an amount of resources (e.g., representing money or electrical power), a level of difficulty (e.g., what types of expertise will be required to fix the problem), etc.
  • the system may rank at least some of the components to create a list or set of critical components based on a constrained optimizer that has the risk prior knowledge as an input.
  • the constrained optimizer might be associated with, according to some embodiments, a bi-level optimization algorithm having one level with an attack objective and another level with a defend objective.
  • the system may monitor the set of critical components to generate a cybersecurity result.
  • the cybersecurity result might indicate, for example, normal operation, a cyber-attack, and/or a fault (e.g., a naturally occurring problem) in the electrical power grid.
  • the set of critical components is monitored using a
  • the system may transmit an indication of the cybersecurity result.
  • the cybersecurity result may be transmitted, for example, via a recommendation for an electrical grid planner, an interactive user interface display, an automated online decision making process, etc.
  • FIG. 3 is a system diagram 300 according to some embodiments.
  • the system 300 performs a cyber-attack component-level vulnerability assessment by receiving component information from multiple electrical power grid components 312 (e.g., components 1 through A as illustrated in FIG. 3).
  • a cyber-attack system-level assessment tool 350 may execute an optimization formulation process 354 (to detect cyber-attacks) and rank critical network subsets 356 (based on loss size).
  • the cyber-attack system-level assessment tool 350 may output lists of critical network components 360 to facilitate recommendations for grid planners and/or an on-line decision-making process.
  • the lists of critical network components 360 may also be provided to a targeted, cyber-hardened monitoring tool 370 for critical network subsets using network sensors.
  • the targeted, cyber-hardened monitoring tool 370 may then provide cyber-hardened sensor data and identified events to facilitate recommendations for grid planners and/or the online decision-making process.
  • embodiments described herein may provide for on-line cybersecurity risk assessment and continuous state monitoring for a power grid.
  • the system might include, for example, a data collection module, a component-level cybersecurity vulnerability scoring module, a system-level cybersecurity optimization-based risk assessment module, and/or an efficient state monitoring module.
  • Such an architecture may provide an on-line cybersecurity risk assessment and continuous state monitoring tool for grid operators with a substantial reduction in the cost of power grid cybersecurity investment (e.g., two to three orders of magnitude).
  • a system for continuously assessing and monitoring cybersecurity risk for a power grid includes one or more sensors configured to monitor a component and generate signals representing measurement data associated with the component.
  • a cybersecurity monitoring computer device may include a processor and a memory configured to iteratively implement the following steps:
  • sensors including a combination of PMUs, SCADA-based sensors, and/or smart meters within the transmission and distribution systems
  • FIG. 4 illustrates 400 electrical power grid cyber-resilience risk 450 factors in accordance with some embodiments.
  • an appropriately defined risk may include four pillars: (i) probability of the event, (ii) a consequence of the cyber-threat, (iii) system vulnerability, and (iv) a capacity to absorb the threat. Directly addressing risk instead of impact may lead to results that are more relevant.
  • embodiments described herein may take advantage of a newly-defined risk quantitatively by an optimization framework that provides for: (i) an efficient development of vulnerability taxonomies of power grid components (e.g., substations, generators, and microgrids), and (ii) a leveraging of domain expertise to incorporate the vulnerabilities and associated estimates of recovery time into a cost function and/or constraint.
  • Embodiments may also improve computational efficiency by
  • the risk assessment process may be addressed in a dynamic way to capture any system change or threat dynamics and to better inform the risk management decisions.
  • FIG. 5 illustrates a method to dynamically address a risk assessment process according to some embodiments.
  • an enterprise may represent both the system “capacity factor” (a capacity to absorb the threat) and a cyber threat consequence in the objective function of an optimization problem.
  • This capacity factor could be the restoration difficulty or restoration time after attack, which may better reflect economic loss due to time accumulation of service interruption. Note that using a restoration time after attack can lead to a different solution.
  • the enterprise may generate vulnerability taxonomies for common grid components.
  • Component-specific procedures may be developed to exploit domain knowledge and quantitative metrics such as attack surface or exposure for quantification of individual component vulnerabilities.
  • a system’s attack surface might be composed of, for example: (i) methods, (ii) channels, and (iii) data items relating to the interaction between a system and its environment.
  • the attack surface measurement may consist of a weighted sum of the elements in these three categories, where the sum is weighted according to potential impact of each element on the operation of the individual grid component.
  • the enterprise may integrate prior knowledge of individual grid component vulnerabilities into an optimization problem.
  • Some embodiments may use consistent weighting factors/ranking factors which are determined by the level of cyber hardening and/or cyber-attack surface area for each line, bus, substation and generator, etc.
  • Other embodiments may use model reduction technologies based on domain knowledge. Components with low risk or exposure to attacks, such as a line section in distribution networks, are simplified or not taken into consideration in the power flow model, which is one critical equality constraint in the optimization problem formulation.
  • the benefit of integrating cyber vulnerabilities for specific power grid components into the optimization framework is twofold. First, it may reduce the search space substantially by penalizing the low likelihood scenarios, which in turn tends to improve the computational efficiency for the large-scale utility level network. Second, this cyber-attack probability may better reflect real-world constraints for an attacker (which can help make an optimized result closer to reality).
  • an execution time interval for optimization may be pre-defined or event-triggered.
  • an optimization might be triggered by a system structure/parameter change, such as a substation revamp, a control system upgrade, a transmission network structure change identified using linear state estimation, or a security-related system parameter change.
  • a cybersecurity risk assessment and state monitoring system architecture that includes monitoring nodes, a pre-processing unit, an optimization unit, a state monitoring unit and a user interface unit implemented in an on-line iterative manner.
  • Embodiments may also be associated with a relationship between an optimization unit and a state monitoring unit. For example, a state monitoring module may dynamically change the monitoring nodes based on the result of optimization based cyberattack risk assessment as described with respect to FIG. 12.
  • the enterprise may develop solution algorithms to improve computational efficiency. For example, a tool might be developed based on a bi-level optimization problem. According to some embodiments, only a DC power flow model is considered.
  • the enterprise may incorporate a heuristic-based decomposition method (such as Benders decomposition). As part of this effort, other algorithms such as strong duality-based reformulation and/or Karush-Kuhn-Tucker (“KKT”)-based reformulation methods might be utilized.
  • FIG. 6 is a more detailed system diagram 600 to capture changes and/or threat dynamics to inform risk management decisions in accordance with some embodiments.
  • the system 600 performs a cyber-attack component-level vulnerability assessment by receiving component information from multiple electrical power grid components 612 (e.g., components including substations and DER clusters as illustrated in FIG. 6).
  • a cyber-attack system-level assessment tool 650 includes a grid map 652 and may execute an optimization formulation process 654 (to maximize load shed subject to various constraints) and rank critical network subsets 656 based on loss size (e.g., creating subsets of components associated with various impact levels).
  • the cyber-attack system-level assessment tool 650 may output lists of critical network components 660 to facilitate recommendations for grid planners and/or an on-line decision-making process.
  • the lists of critical network components 660 may also be provided to a targeted, cyber-hardened monitoring tool 670 for critical network subsets using network sensors.
  • the tool 670 might utilize a PCA-based sensor cyber attack detection and mitigation tool 672 and/or a fast-timescale network event classifier 674.
  • the targeted, cyber-hardened monitoring tool 670 may then provide cyber-hardened sensor data and identified events to facilitate recommendations for grid planners and/or the online decision-making process.
  • embodiments may improve efficiency by leveraging or re-using any intermediate result in between each optimization execution.
  • embodiments may leverage the on-line and repeating optimization execution feature and re-use some calculated intermediate result (such as a Jacobian or Hessian matrix) and/or a final result (the decision variable or the risk value of top-rated attack scenarios) in between adjacent executions.
  • FIG. 7 is an embodiment of controls 700 associated with a single asset class according to some embodiments.
  • the controls 700 may be associated with a cyber-attack risk assessment tool having a closed-loop optimization process.
  • the system 700 includes a pre-processing unit 710 that may receive signals representing measurement data from one or more sensors associated with components of an electrical power grid.
  • the pre-processing unit 710 may generate risk prior knowledge (including a likelihood or
  • An optimizer 750 may then rank power grid components to generate a list of critical network components based on, for example, a constrained optimizer algorithm that takes previously pre-processed results as an input.
  • the optimizer 750 might be implemented as, for example, a bi-level
  • the attack portion 752 might, for example, try to maximize cyber-attack risk (e.g., capacity) subject to attack resource constraints, grid operator reaction, etc.
  • the defend portion 754 might try to minimize damage (e.g., load shedding) subject to DC power balance constraints, generation constraints, etc.
  • the list may be provided to a system planner 760 (e.g., in the form of assessed high-risk subsystems) and/or be used by transmission state monitoring 770 (e.g., as a risk map, attack map, etc.) in accordance with any of the embodiments described herein.
  • outputs from the system planner 760 and/or transmission state monitoring 770 may be continuously and/or automatically provided as feedback 780 (including, for example, information about the transmission system, PMU, substations, control centers, etc.) to the pre-processing unit 710.
  • substantial quantities of disparate data from a variety of sources and different levels of granularity in the transmission system may be sampled and fed into the pre-processing unit 710.
  • two risk factors including vulnerability and capacity may be derived from prior knowledge and specialized assessment tools.
  • the obtained risk-related information may then be fed into the optimizer 750.
  • a computationally-efficient solver may generate a solution in a reasonably fast time.
  • the solution of the optimizer 750 may consist of prioritized risk scenarios and corresponding subsystems and components, which can be sent to the system planning tool 760 and transmission/distribution monitoring 770.
  • a software-based monitoring tool may leverage output from the risk assessment algorithm to reduce and partition the sensor measurement dataset before it is subject to PCA-based event classification (which may allow for convenient application of parallel computing and faster event classification).
  • PCA-based power grid event classification algorithms which are applied to measurement datasets derived exclusively from PMUs in the transmission system
  • the algorithm in this monitoring tool may be able to classify events using datasets derived from a broader range of sensor technologies, including a combination of PMUs, SCADA-based sensors, and/or smart meters within the transmission and distribution systems.
  • a combination of PCA-based event classification and linear state estimation methods may be employed in order to achieve both depth and breadth in situational awareness for power systems of arbitrary sizes and complexities.
  • the combined application of both methods may allow for cross-validation of sensor anomaly detection, providing higher confidence in the event classification results as compared to what could be obtained from individual application of either method.
  • FIG. 8 is a human machine interface display 800 in accordance with some embodiments.
  • the display 800 includes a graphical depiction 810 of a power grid along with a symbolic structure 820 of the components.
  • Various components of an optimization platform 830 may also be provided. Selection of a component (e.g., via touchscreen or computer mouse pointer 840) may result in the display of more detailed information about that component and/or let an operator or administrator adjust parameters associated with the component (e.g., to change an optimization constraint).
  • large-scale electric power systems may contain hundreds of thousands of interconnected components including generators, substations, transmission and distribution lines, DER clusters, and sensors.
  • This high degree of system complexity poses a challenge to power grid operators and planners who seek to enhance the resilience of the power grid in the face of cyber-attacks.
  • cost-effective attainment of cybersecurity may require the identification of the highest-priority cyber-attack scenarios as well as careful allocation of the finite resources available to address those scenarios.
  • Embodiments described herein may provide a computationally-efficient, software-based cybersecurity tool that can accommodate large-scale system complexity by selectively focusing on the cyber-attack scenarios with the highest system-level impact.
  • FIG. 9 illustrates 900 cyber-hardened state monitoring of a critical network subset of components according to some embodiments.
  • Sensor data fusion 910 may receive PMU and SCADA data along with smart meter data and provide information to rapid, PCA-based feature extraction for network sensor data 920 (e.g., as described in more detail with respect to FIG. 10).
  • the extracted network sensor data features may then be provided to a fast-timescale network event classifier 930 that determines if a fault, cyber-attack, or normal operation is occurring.
  • Identified events may be provided from the classifier 930 to a grid operator (e.g., for mitigation).
  • the classifier 930 may also provide identified “bad” or spoofed sensors along with features to a PCA-based data substitution 940.
  • the data substitution 940 may automatically replace a bad sensor value (illustrated with cross-hatching in FIG. 9) with information determined from other sensors.
  • the comprehensive software framework may enable grid operators and planners to prioritize the application of financial and computational resources, facilitating cost-effective, continuous cybersecurity monitoring and improved incident management for the entire transmission and distribution system.
  • the tools may be particularly instrumental in the prevention and mitigation of cyber-attacks that result in severe events, such as large-scale blackouts.
  • Some embodiments described herein are associated with time series data from one or more monitoring nodes from a physical (i.e., industrial or enterprise) asset that may be analyzed to provide reliable cyber-threat detection.
  • Monitoring nodes may include, for example, sensors, actuators, and/or controller nodes.
  • The system may extract features from the time series data for each monitoring node.
  • The term “feature” may refer to, for example, mathematical characterizations of data. Examples of features as applied to data might include the maximum and minimum, mean, standard deviation, variance, settling time, Fast Fourier Transform (“FFT”) spectral components, linear and non-linear principal components, independent components, sparse coding, deep learning, etc.
  • The type and number of features for each monitoring node might be optimized using domain knowledge and/or a feature discovery process.
  • The features may be, for example, calculated over a sliding window with consecutive samples of specified duration from time series data. The length of the window and the duration of overlap for each batch may be determined from domain knowledge and an inspection of the data or using batch processing.
  • The features may be computed at the local level (associated with each monitoring node) and/or the global level (associated with all the monitoring nodes, i.e., the whole asset).
  • The time-domain values of the nodes or their extracted features may be, according to some embodiments, normalized for better numerical conditioning.
  • FIG. 10 is a high-level architecture of a system 1000 in accordance with some embodiments.
  • The system 1000 may include monitoring node sensors 1010 MN_1 through MN_N, a “normal space” data source 1020, and an “anomaly space” data source 1030.
  • The normal space data source 1020 might store, for each of the plurality of monitoring nodes 1010, a series of normal values over time that represent normal operation of an electrical power grid (e.g., generated by a model or collected from actual sensor data as illustrated by the dashed line in FIG. 10).
  • The anomaly space data source 1030 might store, for each of the monitoring nodes 1010, a series of anomaly values that represent an anomaly operation of the industrial asset (e.g., when the system is experiencing a cyber-attack or a naturally occurring failure).
  • Information from the normal space data source 1010 and the anomaly space data source 1020 may be provided to an anomaly detection model creation computer 1060 that uses this data to create a decision boundary (that is, a boundary that separates normal behavior from anomaly behavior).
  • The decision boundary may then be used by an anomaly detection computer 1050 executing an anomaly detection model 1055.
  • The anomaly detection model 1055 may, for example, monitor streams of data from the monitoring nodes 1010 comprising data from sensor nodes, actuator nodes, and/or any other critical monitoring nodes (e.g., sensor nodes MN_1 through MN_N) and automatically output an anomaly alert signal to one or more remote monitoring devices 1070 when appropriate (e.g., for display to an operator or use by a mitigation process).
  • Information about detected anomalies may be transmitted back to an industrial asset control system.
  • Devices may exchange information via any communication network which may be one or more of a LAN, a MAN, a WAN, a proprietary network, a PSTN, a WAP network, a Bluetooth network, a wireless LAN network, and/or an IP network such as the Internet, an intranet, or an extranet.
  • Any devices described herein may communicate via one or more such communication networks.
  • The anomaly detection model creation computer 1060 may store information into and/or retrieve information from various data stores, such as the normal space data source 1020 and/or the anomaly space data source 1030.
  • The various data sources may be locally stored or reside remote from the anomaly detection model creation computer 1060.
  • Although a single anomaly detection model creation computer 1060 is shown in FIG. 10, any number of such devices may be included.
  • Various devices described herein might be combined according to embodiments of the present invention.
  • The anomaly detection model creation computer 1060 and one or more data sources 1020, 1030 might comprise a single apparatus.
  • The anomaly detection model creation computer 1060 functions may be performed by a constellation of networked apparatuses, in a distributed processing or cloud-based architecture.
  • A user may access the system 1000 via one of the monitoring devices 1070 (e.g., a PC, tablet, or smartphone) to view information about and/or manage anomaly operation information in accordance with any of the embodiments described herein.
  • An interactive graphical display interface may let a user define and/or adjust certain parameters (e.g., anomaly detection trigger levels) and/or provide or receive automatically generated recommendations or results from the anomaly detection model creation computer 1060 and/or anomaly detection computer 1050.
  • FIG. 11 is a block diagram of an electrical power grid protection platform 1100 that may be, for example, associated with the system 100 of FIG. 1 and/or any other system described herein.
  • The electrical power grid protection platform 1100 comprises a processor 1110, such as one or more commercially available Central Processing Units (“CPUs”) in the form of one-chip microprocessors, coupled to a communication device 1160 configured to communicate via a communication network (not shown in FIG. 11).
  • The communication device 1160 may be used to communicate via a communication network (not shown in FIG. 11).
  • The electrical power grid protection platform 1100 further includes an input device 1140 (e.g., a computer mouse and/or keyboard to input power grid and/or predictive modeling information) and/or an output device 1150 (e.g., a computer monitor to render a display, provide alerts, transmit recommendations, and/or create reports).
  • A mobile device, monitoring physical system, and/or PC may be used to exchange information with the electrical power grid protection platform 1100.
  • The processor 1110 also communicates with a storage device 1130.
  • The storage device 1130 may comprise any appropriate information storage device, including combinations of magnetic storage devices (e.g., a hard disk drive), optical storage devices, mobile telephones, and/or semiconductor memory devices.
  • The storage device 1130 stores a program 1112 and/or electrical power grid protection engine 1114 for controlling the processor 1110.
  • The processor 1110 performs instructions of the programs 1112, 1114, and thereby operates in accordance with any of the embodiments described herein. For example, the processor 1110 may receive from a plurality of monitoring nodes that each generate a time-series of current monitoring node values representing current operation of an electrical power grid.
  • The processor 1110 may receive, from a plurality of monitoring nodes, a time-series of current monitoring node values representing current operation of components of an electrical power grid. The processor 1110 may then pre-process information to generate a risk prior knowledge result. At least some of the components may be ranked by the processor 1110 to create a set of critical components based on a constrained optimizer that has the risk prior knowledge as an input. The processor 1110 may then monitor the set of critical components to generate a cybersecurity result (e.g., representing normal operation, a cyber attack, or a fault in the electrical power grid) to be transmitted (e.g., via a recommendation for an electrical grid planner, an interactive user interface display, an automated online decision-making process, etc.).
  • The programs 1112, 1114 may be stored in a compressed, uncompiled and/or encrypted format.
  • The programs 1112, 1114 may furthermore include other program elements, such as an operating system, clipboard application, a database management system, and/or device drivers used by the processor 1110 to interface with peripheral devices.
  • Information may be “received” by or “transmitted” to, for example: (i) the electrical power grid protection platform 1100 from another device; or (ii) a software application or module within the electrical power grid protection platform 1100 from another software application, module, or any other source.
  • The storage device 1130 further stores an electrical power grid database 1200.
  • An example of a database that may be used in connection with the electrical power grid protection platform 1100 will now be described in detail with respect to FIG. 12. Note that the database described herein is only one example, and additional and/or different information may be stored therein. Moreover, various databases might be split or combined in accordance with any of the embodiments described herein.
  • A table is shown that represents the electrical power grid database 1200 that may be stored at the electrical power grid protection platform 1100 according to some embodiments.
  • The table may include, for example, entries identifying industrial assets or other systems to be protected.
  • The table may also define fields 1202,
  • The fields 1202, 1204, 1206, 1208, 1210, 1212, 1214 may, according to some embodiments, specify: an electrical power grid identifier 1202, a critical subset of interest 1204, a component identifier and description 1206, sensors 1208, a rank 1210, an impact 1212, and a status 1214.
  • The electrical power grid database 1200 may be created and updated, for example, when a new physical system is monitored or modeled, raw sensor data is received from monitoring nodes, an attack is detected, etc.
  • The electrical power grid identifier 1202 might be a unique alphanumeric label that is associated with a particular power grid being protected.
  • The critical subset of interest 1204 may represent a set of components being evaluated (e.g., one of the critical network subsets 656 of FIG. 6).
  • The component identifier and description 1206 may identify individual components of the power grid (substations, DER clusters, smart meters, etc.).
  • The sensors 1208 may identify one or more sensors (or monitoring nodes) that provide information about that component.
  • The rank 1210 might represent a place in an ordered list of components ranked based on a criticality score and the impact 1212 might identify a level of risk associated with a cyber-attack on that component.
  • A component ranked “450” (with one being the most critical) might be considered “non-critical” while a component ranked “40” might be associated with a “high” impact 1212.
  • The status 1214 might indicate if the component is currently considered as operating normally, experiencing a fault, under cyber-attack, etc.
  • An optimization may assign a top ranking to DER cluster #1 on Monday.
  • The monitoring nodes for the state monitoring algorithm (PCA, for example) will be the sensors/actuators/controllers within DER cluster #1.
  • An on-line iteration optimization result shows that the top-ranking subsystem is now substation S2.
  • The state monitoring unit may change its monitoring nodes to those from substation S2. Note that this is one extreme case (e.g., when there is a limited calculation resource for a state monitoring unit considering the super grid network).
  • Embodiments may allow for the allocation of limited resources to the most vulnerable, or highest risk, subsystem being monitored.
  • The system may continue to evaluate the gap between the available calculation resources and the work load to be conducted for grid monitoring.
  • The system may dynamically add (or reduce) monitoring nodes based on their ranking or priority from an optimization result.
  • The state monitoring algorithm itself could adapt to the optimization result.
  • There may be two state monitoring algorithms, with one being faster and less accurate while the other is slower and more accurate.
  • The system may use the faster algorithm when there are a relatively large number of monitoring nodes and switch to the slower algorithm when there are a smaller number of monitoring nodes.
  • An optimizer may identify sophisticated, high-impact attacks involving an entire subset of grid components and simultaneously identify the elements of that subset (e.g., as described with respect to FIG. 6).
  • The attack’s sophistication may be inherently associated with the fact that the attack could simultaneously target multiple grid components - this is why the optimizer may “sift” through all the different “worst-case” combinations of components.
  • A critical subset of interest 1204 could contain, for example, three components: substation S1, DER cluster #4, and generator G1.
  • This critical subset 1204 of components may be assigned an “impact” 1212 or criticality score.
  • An individual component identifier 1206 could appear multiple times in the electrical power grid database 1200 (e.g., if that component was contained in multiple critical subsets of interest 1204).
  • “C 103” appears in the database 1200 as both a member of “subset 3” and “subset 4.”
  • The component rank 1210 and impact 1212 may be inherited from the ranking of the component’s “parent” subset of interest 1204 (e.g., the critical network subsets 656 of FIG. 6).
  • A single component “C 103” can have a rank 1210 of “40” with respect to parent subset “subset 3” and a rank 1210 of “74” with respect to parent subset “subset 4.”
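
The bad-sensor identification and PCA-based data substitution 940 described with respect to FIG. 9 can be sketched as follows; this is an added example, not code from the patent. It assumes a rank-one PCA model, leave-one-out reconstruction, at most one bad sensor per snapshot and a 6-sigma limit, and the sensor values and all function names are constructed for illustration.

```python
import math
import random

BASE = [1.00, 0.98, 1.01, 0.99]      # constructed per-unit voltage levels
GAIN = [0.020, 0.030, 0.025, 0.015]  # constructed sensitivity to grid load


def snapshot(load, rng=None):
    """One reading per sensor; measurement noise is added only if rng is given."""
    return [b + g * load + (rng.gauss(0.0, 0.001) if rng else 0.0)
            for b, g in zip(BASE, GAIN)]


def training_set(n=400, seed=7):
    """Constructed "normal space" data: n snapshots at random load levels."""
    rng = random.Random(seed)
    return [snapshot(rng.uniform(-1.0, 1.0), rng) for _ in range(n)]


def estimate(model, x, k):
    """Reconstruct sensor k from the other sensors via the principal direction."""
    mean, std, p = model["mean"], model["std"], model["p"]
    others = [j for j in range(len(x)) if j != k]
    score = (sum(p[j] * (x[j] - mean[j]) / std[j] for j in others)
             / sum(p[j] ** 2 for j in others))
    return mean[k] + std[k] * p[k] * score


def residuals(model, x):
    """Standardized gap between each reading and its reconstruction."""
    return [(x[k] - estimate(model, x, k)) / model["std"][k]
            for k in range(len(x))]


def fit(rows, iters=50):
    """Learn mean, scale, first principal direction and residual spread."""
    n, m = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(m)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in rows) / (n - 1)) or 1.0
           for j in range(m)]
    z = [[(r[j] - mean[j]) / std[j] for j in range(m)] for r in rows]
    cov = [[sum(v[a] * v[b] for v in z) / (n - 1) for b in range(m)]
           for a in range(m)]
    p = [1.0 / math.sqrt(m)] * m
    for _ in range(iters):               # power iteration: dominant eigenvector
        q = [sum(cov[a][b] * p[b] for b in range(m)) for a in range(m)]
        norm = math.sqrt(sum(v * v for v in q))
        p = [v / norm for v in q]
    model = {"mean": mean, "std": std, "p": p}
    res = [residuals(model, r) for r in rows]
    model["sigma"] = [math.sqrt(sum(r[k] ** 2 for r in res) / n)
                      for k in range(m)]
    return model


def find_bad_sensor(model, x, limit=6.0):
    """Index of the least consistent sensor, or None if all are within limit.

    A spoofed sensor also disturbs the reconstructions of its neighbours, so
    the largest normalized residual is taken (single-bad-sensor assumption).
    """
    score = [abs(r) / s for r, s in zip(residuals(model, x), model["sigma"])]
    worst = max(range(len(x)), key=score.__getitem__)
    return worst if score[worst] > limit else None


def substitute(model, x):
    """Return (readings with any bad value replaced, index of bad sensor)."""
    k = find_bad_sensor(model, x)
    fixed = list(x)
    if k is not None:
        fixed[k] = estimate(model, x, k)
    return fixed, k


if __name__ == "__main__":
    model = fit(training_set())
    reading = snapshot(0.4)
    reading[2] += 0.05                   # constructed spoofed offset, sensor 2
    print(substitute(model, reading))
```

The substituted value is only as trustworthy as the remaining sensors; if several are manipulated together, the single-bad-sensor assumption no longer holds.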
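
The rank-driven choice of monitoring nodes and of the faster or slower state monitoring algorithm described above can be sketched as follows; this is an added example, not code from the patent. The per-node costs, the budget unit, the sensor names, the subset memberships and the strict stop at the first subset that does not fit are all assumptions made for illustration.

```python
FAST_COST, SLOW_COST = 1, 4   # assumed compute units per monitoring node

# Constructed sensors per component (field 1208 in the database description).
SENSORS = {
    "DER cluster #1": ["der1-inv", "der1-meter", "der1-pmu"],
    "substation S2": ["s2-pmu", "s2-relay", "s2-rtu"],
    "C 103": ["c103-pmu"],
}

# Constructed subset memberships; "C 103" belongs to two parent subsets.
MEMBERS = {
    "subset 1": ["DER cluster #1"],
    "subset 2": ["substation S2"],
    "subset 3": ["C 103", "substation S2"],
    "subset 4": ["C 103", "DER cluster #1"],
}

# Constructed optimizer outputs: subset -> rank (1 is the most critical).
MONDAY = {"subset 1": 1, "subset 2": 12, "subset 3": 40, "subset 4": 74}
LATER = {"subset 2": 1, "subset 1": 12, "subset 3": 40, "subset 4": 74}


def plan(subset_rank, budget, members=MEMBERS, sensors=SENSORS):
    """Select monitoring nodes in rank order, then the algorithm that fits.

    Whole subsets are added at a time, because the attack of interest targets
    a subset jointly. Sensors already covered through a higher-ranked parent
    subset are not counted twice.
    """
    nodes = []
    for subset in sorted(subset_rank, key=subset_rank.get):
        new = []
        for component in members[subset]:
            new += [s for s in sensors[component]
                    if s not in nodes and s not in new]
        if (len(nodes) + len(new)) * FAST_COST > budget:
            break                     # strict priority: never skip ahead
        nodes += new
    # Few nodes leave room for the slower, more accurate algorithm.
    algorithm = "slow-accurate" if len(nodes) * SLOW_COST <= budget else "fast"
    return nodes, algorithm


if __name__ == "__main__":
    for label, ranks in (("Monday", MONDAY), ("later", LATER)):
        print(label, plan(ranks, budget=3))
    print("large budget", plan(MONDAY, budget=28))
```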

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Supply And Distribution Of Alternating Current (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)

Abstract

A plurality of monitoring nodes may each generate a time-series of current monitoring node values representing current operation of components of an electrical power grid. A cybersecurity monitoring computer platform may receive the current monitoring node values and pre-process them to generate a risk prior knowledge result. At least some of the components may be ranked to create a set of critical components based on a constrained optimizer that has the risk prior knowledge as an input. The cybersecurity monitoring computer platform may then monitor the set of critical components to generate a cybersecurity result (e.g., representing normal operation, a cyber-attack, or a fault in the electrical power grid) to be transmitted (e.g., via a recommendation for an electrical grid planner, an interactive user interface display, an automated online decision-making process, etc.).
PCT/US2018/048491 2018-08-29 2018-08-29 Integrated cybersecurity risk assessment and state monitoring for electrical power grid Ceased WO2020046286A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2018/048491 WO2020046286A1 (fr) 2018-08-29 2018-08-29 Integrated cybersecurity risk assessment and state monitoring for electrical power grid

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2018/048491 WO2020046286A1 (fr) 2018-08-29 2018-08-29 Integrated cybersecurity risk assessment and state monitoring for electrical power grid

Publications (1)

Publication Number Publication Date
WO2020046286A1 (fr) 2020-03-05

Family

ID=63684444

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2018/048491 Ceased WO2020046286A1 (fr) 2018-08-29 2018-08-29 Integrated cybersecurity risk assessment and state monitoring for electrical power grid

Country Status (1)

Country Link
WO (1) WO2020046286A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015070466A1 (fr) * 2013-11-18 2015-05-21 国家电网公司 Security risk assessment method and apparatus
US20160359895A1 (en) * 2015-06-02 2016-12-08 C3, Inc. Systems and methods for providing cybersecurity analysis based on operational technologies and information technologies

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ANKUR SINHA ET AL: "A Review on Bilevel Optimization: From Classical to Evolutionary Approaches and Applications", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 17 May 2017 (2017-05-17), XP080948566 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18778610

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18778610

Country of ref document: EP

Kind code of ref document: A1