Isolating Signatures of Cyberattacks under Stressed Grid Conditions
Sanchita Ghosh, Syed Ahsan Raza Naqvi, Sai Pushpak Nandanoori, Soumya Kundu
TL;DR
The paper presents a Koopman-mode decomposition framework for online identification of cyberattack signatures in nonlinear, stressed power grids using streaming PMU data. By forecasting sensor measurements with an empirical Koopman predictor and decomposing the forecast error into Koopman modes, it extracts latent spatio-temporal signatures that differentiate attacks from natural grid disturbances. A two-stage, divergence-based quantitative comparison normalizes KM components and computes a KM Delta-score to locate compromised sensors, demonstrating attack signatures on an IEEE 68-bus system with synthetic scenarios and showing robustness across KM implementations and distance metrics. The work provides a practical, online-capable approach to isolate cyberattack impacts in real-time grid operations and outlines future plans for automated detection and identification algorithms.
Abstract
In a controlled cyber-physical network, such as a power grid, any malicious data injection in the sensor measurements can lead to widespread impact due to the actions of the closed-loop controllers. While fast identification of the attack signatures is imperative for reliable operations, it is challenging to do so in a large dynamical network with tightly coupled nodes. A particularly challenging scenario arises when the cyberattacks are strategically launched during a grid stress condition, caused by non-malicious physical disturbances. In this work, we propose an algorithmic framework, based on Koopman mode (KM) decomposition, for online identification and visualization of the cyberattack signatures in streaming time-series measurements from a power network. The KMs are capable of capturing the spatial embedding of both natural and anomalous modes of oscillations in the sensor measurements and thus revealing the specific influences of cyberattacks, even under existing non-malicious grid stress events. Most importantly, it enables us to quantitatively compare the outcomes of different potential cyberattacks injected by an attacker. The performance of the proposed algorithmic framework is illustrated on the IEEE 68-bus test system using synthetic attack scenarios. Such knowledge regarding the detection of various cyberattacks will enable us to devise appropriate diagnostic schemes while considering varied constraints arising from different attacks.
