An Intrusion Detection Method for Line Current Differential Relays

Abstract

The U.S. Department of Homeland Security (DHS) has recently identified digital relays as targets vulnerable to cyber-attacks. The DHS has also noted that attacks to multiple relays can bring about cascading outages of transmission lines, leading to blackouts. As a result, making protective relays cyber-resilient is a prominent security issue in power networks. Line current differential relays (LCDRs) are among the potentially vulnerable digital relays that are increasingly deployed for protecting critical transmission lines. LCDRs, however, lack the required resiliency against cyber attacks, due to their high dependence on communication systems. This paper unveils that such susceptibilities can result in unwarranted trip signals through false data injection attacks (FDIAs), and so cause instability if several attacks are coordinated. It also presents a solution for detecting FDIAs and distinguishing them from real internal faults. To detect attacks, the proposed method compares the estimated and locally measured voltages at an LCDR’s terminal for both the positive sequence (PS) and negative sequence (NS). To estimate the local voltage for each sequence, the proposed technique uses an unknown input observer (UIO), the state-space model of the faulty line, and remote and local measurements, all associated with that sequence. The difference between the measured and estimated local voltages for each sequence remains close to zero during real internal faults because, in this condition, the state-space model based on which the UIO operates correctly represents the line. Nevertheless, the state-space model mismatch during FDIAs leads to a large difference between measured and estimated values in both sequences. The effectiveness of the proposed method is corroborated using simulation results for the IEEE 39-bus network.