Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Unmasking Covert Intrusions: Detection of Fault-Masking Cyberattacks on Differential Protection Systems

Ahmad Mohammad Saber, Amr Youssef, Davor Svetinovic, Hatem Zeineldin, Ehab F. El-Saadany

TL;DR

The paper tackles the covert threat of fault-masking attacks on line current differential relays by introducing a two-stage detection framework that first uses a physics-based Mismatch Index to flag inconsistencies between local and remote measurements, then employs an ANN-based Zone-Confirmation Classifier to verify that the fault lies on the protected line. The approach, validated on the IEEE 39-bus system and implemented in a real-time OPAL-RT setup, achieves high accuracy (≈99.85%), zero false alarms, and rapid detection within 1.5 power cycles. It demonstrates robustness to system loading changes, CVT/CT non-linearities, and joint cyberattacks, offering a practical defense layer for high-speed protection in modern grids. The work also provides a comparative analysis against prior methods, highlighting improved precision and real-time verification capabilities essential for smart-grid security.

Abstract

Line Current Differential Relays (LCDRs) are high-speed relays progressively used to protect critical transmission lines. However, LCDRs are vulnerable to cyberattacks. Fault-Masking Attacks (FMAs) are stealthy cyberattacks performed by manipulating the remote measurements of the targeted LCDR to disguise faults on the protected line. Hence, they remain undetected by this LCDR. In this paper, we propose a two-module framework to detect FMAs. The first module is a Mismatch Index (MI) developed from the protected transmission line's equivalent physical model. The MI is triggered only if there is a significant mismatch in the LCDR's local and remote measurements while the LCDR itself is untriggered, which indicates an FMA. After the MI is triggered, the second module, a neural network-based classifier, promptly confirms that the triggering event is a physical fault that lies on the line protected by the LCDR before declaring the occurrence of an FMA. The proposed framework is tested using the IEEE 39-bus benchmark system. Our simulation results confirm that the proposed framework can accurately detect FMAs on LCDRs and is not affected by normal system disturbances, variations, or measurement noise. Our experimental results using OPAL-RT's real-time simulator confirm the proposed solution's real-time performance capability.

Unmasking Covert Intrusions: Detection of Fault-Masking Cyberattacks on Differential Protection Systems

TL;DR

The paper tackles the covert threat of fault-masking attacks on line current differential relays by introducing a two-stage detection framework that first uses a physics-based Mismatch Index to flag inconsistencies between local and remote measurements, then employs an ANN-based Zone-Confirmation Classifier to verify that the fault lies on the protected line. The approach, validated on the IEEE 39-bus system and implemented in a real-time OPAL-RT setup, achieves high accuracy (≈99.85%), zero false alarms, and rapid detection within 1.5 power cycles. It demonstrates robustness to system loading changes, CVT/CT non-linearities, and joint cyberattacks, offering a practical defense layer for high-speed protection in modern grids. The work also provides a comparative analysis against prior methods, highlighting improved precision and real-time verification capabilities essential for smart-grid security.

Abstract

Line Current Differential Relays (LCDRs) are high-speed relays progressively used to protect critical transmission lines. However, LCDRs are vulnerable to cyberattacks. Fault-Masking Attacks (FMAs) are stealthy cyberattacks performed by manipulating the remote measurements of the targeted LCDR to disguise faults on the protected line. Hence, they remain undetected by this LCDR. In this paper, we propose a two-module framework to detect FMAs. The first module is a Mismatch Index (MI) developed from the protected transmission line's equivalent physical model. The MI is triggered only if there is a significant mismatch in the LCDR's local and remote measurements while the LCDR itself is untriggered, which indicates an FMA. After the MI is triggered, the second module, a neural network-based classifier, promptly confirms that the triggering event is a physical fault that lies on the line protected by the LCDR before declaring the occurrence of an FMA. The proposed framework is tested using the IEEE 39-bus benchmark system. Our simulation results confirm that the proposed framework can accurately detect FMAs on LCDRs and is not affected by normal system disturbances, variations, or measurement noise. Our experimental results using OPAL-RT's real-time simulator confirm the proposed solution's real-time performance capability.
Paper Structure (29 sections, 21 equations, 17 figures, 3 tables)

This paper contains 29 sections, 21 equations, 17 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Line Current Differential Relays and Cyberattacks
  3. Related Works and Research Gap
  4. Solution Challenges and Our Contributions
  5. Main challenges
  6. Proposed framework
  7. Summary of Contributions
  8. Fault-Masking Cyberattacks on LCDRs
  9. Vulnerability of LCDRs to Cyber-Induced Attacks
  10. Attacking LCDRs to Cause Loss of Protection
  11. Detecting Fault-Masking Attacks on LCDRs
  12. Developing a Mismatch Index for Detecting FMAs Based on the Transmission Line's Equivalent Model
  13. Learning-Based Classifier for Fault Zone Confirmation
  14. Performance Evaluation
  15. Comprehensive Cases Studies
  16. ...and 14 more sections

Figures (17)

  • Figure 1: Illustration of line protection by LCDRs.
  • Figure 2: LCDR's characteristics.
  • Figure 3: Illustration of an FMA on $LCDR_1$.
  • Figure 4: Combined logic of LCDRs with the proposed FMA detection scheme.
  • Figure 5: Line equivalent model. (a) Healthy, (b) Under an FMA. Concerning $LCDR_1$, measurements $I_1$ and $V_1$ are authentic, but $I_2$ can be manipulated.
  • ...and 12 more figures