Operational Issues on Adaptive Protection of Microgrids Due to Cyber Attacks

This brief shows how false data injection attacks (FDIAs) affect adaptive protection in microgrids. Specifically, we implemented a directional over-current relay in the CIGRE low voltage benchmark system to carry out experiments that manipulate protection decisions via cyber-attacks. The aim of the newly proposed cyber-attack is to cause false relay tripping and unbalanced conditions in the microgrid that can result in power outages and blackouts. The proposed study has been validated on commercial relays using a real-time digital simulator equipped with the IEC 61850 standard communication protocol. These results allow power systems engineers to understand the cyber-physical interactions more closely and adapt their protection schemes accordingly.


I. INTRODUCTION
Safe operation in modern electrical systems requires complex interaction between smart devices and physical components of the grid. These smart devices, known as relays or Intelligent Electronic Devices (IEDs), are in charge of detecting and clearing contingent events when they are present in the system by using different protection methods. Such events may damage or affect the life cycle of the components and appliances [1]. To ensure reliable operation, protection relays must clear faults within their protection zone as quickly as possible and, depending on the topology, they also have a back-up element, which in most cases is another relay located upstream of the primary protection. Primary and back-up protection must be time-coordinated through their settings.
At the distribution system level, directional over-current relays (DOCRs) are the most commonly used to protect line segments. In the case of microgrids that have multiple nodes of generation from Distributed Energy Resources (DERs) in a single line segment, protection becomes even more challenging. A conventional DOCR is not adequate under varying conditions (e.g., topology changes, generation, load, etc.), where schemes require adaptability [2]. The bidirectional current present in these systems and changes in topology can cause maloperation of relays and, therefore, interruption of electricity supply [3]. In this regard, relay settings can no longer be static; instead, they must be changed according to the current state of the grid, ensuring effective protection of all zones. This technique is known as adaptive protection.
In adaptive protection, storing protective settings such as the plug setting (PS), operating curve function or time-dial setting (TDS) in the relays is a big challenge [4]. The goal is to set the relay setting group automatically when the grid changes. This can be achieved by means of a central management system, where all relays are connected to one entity and the setting groups are delivered unidirectionally. This solution is expensive, as it requires more sophisticated infrastructure and communication systems. A communication infrastructure is needed, for which standard communication protocols (DNP3, GOOSE, SV, etc.) are deemed sufficient. In [5], a communication-assisted strategy was implemented to perform adaptive protection and self-healing on microgrids. These types of methods are reliable, as the Ethernet or optical fiber communication links between the central management system and the relays usually have a very low chance of failure. Also, [6], [7] present adaptive setting with the use of a central controller that can either calculate group settings online or set them based on off-line short circuit analysis.
Digitalization has also made electrical systems more prone to cyber-attacks due to the introduction of the cyber layer, through ICT technologies, on top of the physical layer and the interactions between them. There are several types of cyber-attacks, such as Denial-of-Service (DoS) [8] or false data injection attacks (FDIAs), that can harm the cyber layer and consequently affect the physical-layer operation of the energy system [9]. An example of a coordinated attack is presented in [10]. Similarly, an FDIA described as a multi-objective optimization problem is shown in [11]. Both centralized and distributed communication schemes for adaptive protection are susceptible to cyber-attacks. The centralized scheme is more vulnerable, as attacks on a single communication link or device can lead to several failures in the grid. In [12], cyber-attacks that exploit the GOOSE and SV protocols, making relays trip and causing instability in the system, have been modelled. Also, in [13], a strategy for modelling cyber-attacks from the perspective of the attacker in centralized systems is presented. This strategy presents a damage risk indicator where most of the impact will be made while minimizing the probability of being caught. Distributed communication schemes are more resilient to cyber-attacks [14]. This is because an FDIA at only one device does not lead to system outages as long as the cyber graph is undirected.
The motivation for this brief lies in the concerns described above, mainly the vulnerability of the cyber layer to possible attacks, which may lead to harmful consequences related to malfunctioning of the power grid, including localized outages or even blackouts. This brief proposes a centralized adaptive protection system, where relays communicate with their neighbor relay(s) to inform about the state of the grid at their own nodes and the status of the variables at each particular node. Based on the information received from the different nodes, a set of rules defines the optimal settings for each relay at that particular instant. This scheme highlights the vulnerability of relay coordination against FDIAs.
In our view, this brief allows power systems engineers to understand the cyber-physical interactions more closely and adapt their protection schemes accordingly, taking into account a higher possibility of potential cyber attacks, which have harmful impacts on the physical grid infrastructure as well as negative impacts on the network operator and on the people living in the region covered by it. The contributions of this brief are:
• A newly proposed DOCR coordination implementation in the CIGRE LV microgrid;
• A novel cyber-attack formulation of GOOSE messages under the IEC 61850 protocol for FDIA;
• A demonstration of the proposed remote FDIA using a Real Time Digital Simulator (RTDS).

II. MICROGRID ADAPTIVE PROTECTION
Coordination of DOCRs in microgrids is a challenging task due to the different locations of the DERs. This means that DOCR settings need to change for different scenarios, in contrast to conventional coordination in radial distribution systems, where static settings and non-bidirectional elements are sufficient to protect the network. In microgrids, the considerations for DOCR coordination are as follows:
• Type of DOCR tripping curves (standard inverse, very inverse and extreme inverse)
• Primary and back-up relay pairing
• Plug setting optimization
• Time-dial setting optimization
• Change settings for every grid configuration (varying conditions)
Once the considerations are made, the coordination problem can be formulated as a minimization of the total operation time of the primary and back-up relays, while keeping a minimal operation time for each relay and Coordination Time Interval where T_op is the total operation time of primary and back-up relay pairs, t_p and t_b refer to the operation time of the primary and back-up relay, and n is the number of primary/back-up relay pairs. Each relay operation time can be calculated as in which α and β are values depending on the curve characteristics of the DOCR relay shown in Table I, I_f is the fault current seen by the relay and CTR is the current transformer ratio.
For better coordination, instead of having one constant TDS or PS at a time per optimization, they should be multi-objective variables in the problem. TDS have setting bounds of where these times are selected based on experimental results [15] and the product of CTR times PS is known as the pick-up current (I_pu), selected as in [16] in the interval of where I_load is the nominal current under normal operation conditions and I_fmin is the minimal short circuit current; both are obtained by performing the power flow and short circuit analysis. The inequality shown in Eq. (4) is a useful guide to choosing an adequate value of CTR. Both the TDS and PS step sizes depend on the relay manufacturer.
The objective function has two constraints, i.e., Eqs. (5) and (6). They indicate that the tripping time of DOCRs cannot be below 100 ms and that the coordination time between trips is around 250 ms. These constraint times are chosen arbitrarily based on experimental results to guarantee safety margins [15].

A. Proposed Microgrid Cases and Optimization
In this brief, we used the CIGRE low voltage (LV) benchmark microgrid (see Fig. 1). It consists of five loads and five DER points distributed in the microgrid. The DOCRs are placed in a way that all zones are protected at all times.
The microgrid parameters are presented in Table II. The three microgrid scenarios analyzed in this brief include: 1) Grid connected: SW1 closed and both DER 1/DER 2 operating, see Fig. 1(a)  operating, see Fig. 1(b) 3) Partial DER: SW1 closed but only DER 2 operating, see Fig. 1(c). In this brief, the pair R9 and R7 of main and back-up DOCRs from Fig. 1 was implemented and tested at the fault point F5. To obtain the optimized setting values, a power flow and short circuit analysis is first done for the three scenarios. The grid implementation was simulated using a digital real-time simulator (DRTS). The information was used to adjust the current transformer (CT) values and I_f from Eq. (2). The obtained nominal values and fault currents at the point of interest are summarized in Table III (the algorithms used in this brief are available at https://github.com/daniel-gutierrezrojas/Projections_cyber_attacks.git).
Next, using the values of Table III, we proceed to obtain DOCR settings according to the operational state of the grid. Due to the non-linear nature of the objective function, meta-heuristics are used to find the global optimal solution that minimizes the coordination time of the relays. In this brief we used Particle Swarm Optimization (PSO) to retrieve the setting values. PSO is a swarm-based optimization technique which has been inspired by bird flocks [17]. The optimization is initialized with one or several particles inside the constraints, and they update their position according to the functions of speed and movement direction. It has been widely used in power systems and also for relay coordination [18]. The settings obtained with PSO are shown in Table IV. An example using the obtained settings for the scenario with settings 3 at the fault point F5 is shown in Fig. 2, where the tripping of R9 occurs slightly after 100 ms while the time between the relays is maintained at around 250 ms.

B. Cyber Attack Formulation
Cyber attacks pose a high risk both to the DER power system infrastructure and to end consumers. This brief considers a data injection cyber attack on the GOOSE protocol of the IEC 61850 standard. GOOSE is a fast and reliable data transmission protocol. According to the first edition of IEC 61850, it is used at power substations utilizing only local area networks (LAN). The second edition extends the applicability of the GOOSE protocol with the introduction of routable GOOSE (R-GOOSE). It allows the protocol to be used over a wide area network (WAN), making it possible to utilize the protocol in a distribution grid [19]. R-GOOSE has a security data field inside the data frame, which allows the data flow to be protected from cyber attacks, while the original GOOSE does not. The details about GOOSE and R-GOOSE can be found in [20].
The current research focuses on the GOOSE protocol, assuming that a hacker gets access to a device on the LAN to which the respective industrial IEDs and a Raspberry Pi are also connected. A detailed description of hacking the device on the LAN is out of the scope of this brief. One possible way of getting access to a LAN is the existence of an unsecured router that, for example, uses a default password and provides access to the WAN. The Raspberry Pi's communication driver is able to access the L2-type network which is used to run GOOSE message streams. Therefore, it can both receive and send GOOSE messages within a LAN, and is thus considered the device on the LAN that the hacker gains access to in order to carry out the attack. Fig. 3 illustrates the communication network configuration of the testing setup, which includes a digital real-time simulator, control and protection IEDs, the Microgrid central control (MGCC) and the RPi acting as a hacked device.
The initial stage of the attack is data collection from the LAN and its analysis. It is done with Tshark, which is a terminal-based version of the network analysis tool Wireshark. Tshark allows the visualization of all fields of the GOOSE message, including names of sending and receiving nodes, time to stay alive, and actual information about the setting group. The GOOSE protocol is intended to be used on a LAN only and it does not have any security hash fields. Therefore, using the collected information and after the definition of possible targets for the cyber attack, a modified GOOSE message with wrong information can be replicated using an open-source C++ library designed by MZ Automation (https://github.com/mz-automation/libiec61850), which is ARM-compatible and allows applications to be cross-compiled for the RPi. The library allows the transmission and reception of MMS, SV, and GOOSE messages on non-industrial devices like laptops and single-board computers. In the considered case, the MZ Automation library is used to compile and run a GOOSE publisher application. The sending frequency of the fake publisher is adjusted so as to affect the control device.
After the hacking is initiated, there are two data streams: (1) the fake information, which comes from the hacked Raspberry Pi, and (2) the right information, coming from the MGCC. When the sampling rates of the hacker and the controller are equal, the setting fluctuates between the right and wrong groups. These fluctuations lead to constant and frequent switching of the relays' setting group, which can damage the protection IEDs and cause loss of their functionality.
In order to apply only the wrong parameters to the protection IEDs, the right data flow from the controller needs to be suppressed. This can be done with a high sampling frequency of the data flow coming from the hacker device. The sampling rate of the fake data sent from the Raspberry Pi should be 30-50 times higher than the sampling rate from the control IEDs. Finally, the wrong setting group applied to the protection relay leads to insensitivity of the protection IEDs to faults or to false tripping of the protection.
As a result, a cyber attack can have dramatic consequences on the state of control and power equipment, and distribution grid. A cyber attack on adaptive protection affects their proper functionality. Therefore, there is a need to design cyber-security measures to prevent such attacks, ensuring safe operation of the control and protection IEDs.
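A passive check for the condition described in this section, two GOOSE streams arriving for one control block, given as an added example that is not code from this brief or from libiec61850. It assumes frames have already been decoded into records; the record fields, control block name, MAC addresses and thresholds are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One decoded GOOSE frame (records below are constructed, not a capture)."""
    t: float       # capture time, seconds
    src: str       # Ethernet source MAC
    gocb: str      # gocbRef of the publishing control block
    st_num: int    # stNum: incremented when the dataset changes
    sq_num: int    # sqNum: incremented on every retransmission
    group: int     # setting group carried in the dataset


def analyse(frames, window=1.0, max_frames=3):
    """Return {gocbRef: set of alert names} for a list of Frame records."""
    alerts = defaultdict(set)
    last = {}                       # gocbRef -> previous frame seen
    recent = defaultdict(deque)     # gocbRef -> arrival times within the window
    for f in sorted(frames, key=lambda x: x.t):
        times = recent[f.gocb]
        times.append(f.t)
        while f.t - times[0] > window:
            times.popleft()
        if len(times) > max_frames:
            # max_frames must sit above the publisher's own burst after a change.
            alerts[f.gocb].add("rate-exceeded")
        prev = last.get(f.gocb)
        if prev is not None:
            if f.src != prev.src:
                alerts[f.gocb].add("publisher-changed")
            # Two interleaved streams cannot both count upwards (wrap ignored).
            if (f.st_num, f.sq_num) <= (prev.st_num, prev.sq_num):
                alerts[f.gocb].add("sequence-regression")
            if f.st_num == prev.st_num and f.group != prev.group:
                alerts[f.gocb].add("data-changed-without-stnum")
        last[f.gocb] = f
    return dict(alerts)


GOCB = "MGCC1/LLN0$GO$gcbSG"                              # constructed name
CTRL, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:99"    # constructed MACs


def controller(n, group=2):
    """Controller stream: one frame per second, stNum fixed, sqNum counting up."""
    return [Frame(float(i), CTRL, GOCB, 7, 20 + i, group) for i in range(n)]


def injected(start, n, period, src=ROGUE, st_num=8, group=3):
    """Second stream carrying a different setting group."""
    return [Frame(start + i * period, src, GOCB, st_num, i, group) for i in range(n)]


if __name__ == "__main__":
    print("controller only:", analyse(controller(6)))
    print("faster second stream:", analyse(controller(6) + injected(2.1, 16, 0.25)))
    print("equal-rate second stream:", analyse(controller(6) + injected(2.5, 3, 1.0)))
```

The sequence and data checks still fire when the second stream reuses the controller's source MAC or matches its rate, which is why the rate threshold is not the only signal.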

III. CYBER-ATTACKS HIL TESTING
Traditionally, power system protection architecture has relied on centralized decision making and computational mechanisms. This includes adaptive protection and secondary and tertiary control schemes for microgrids. Due to its simplicity, centralized infrastructure has preferably been used in power systems and electronics applications. However, it suffers from issues like single-point-of-failure, high communication bandwidth requirements, aggregated computation, etc. As a result, the reliability of the centralized philosophy is often challenged despite its high cost. A single point of cyber intrusion (aimed at either manipulating or interrupting the information in the cyber layer) can cause immediate failures/unavailability of services.
To replicate a cyber attack, we followed the methodology presented in Section II-B. The test was performed using Hardware-in-the-loop (HIL) simulation on the DRTS. For this, we first simulated the CIGRE LV benchmark on the cyber layer, including all control and measuring signals. Then, on the physical layer, we connected two commercial DOCRs (R9 and R7, see Fig. 1) to the LAN, along with a commercial controller and a Raspberry Pi, both controlled remotely. Finally, the communication signals were all set up so that the system closes the loop, with the DRTS sending information to the controller about the state of the grid and the relays sending trip commands back to simulated switches in the software interface. The schematic of the test setup is illustrated in Fig. 3.
The test begins with running the simulation in grid-connected operation. Then, by opening SW1 and the switches located at DER 2 and DER 4, we change the microgrid scenarios. Both relays are checked to confirm that they set themselves according to the scenario from the messages sent by the controller and that the grid runs in steady state without the presence of faults. When the system is running in grid-connected mode with DER 2&4 OFF, the remote attacker sends GOOSE messages of a different setting group (islanded) through the Raspberry Pi into the LAN. These messages are sent at a frequency higher than twice the frequency at which the controller sends GOOSE messages. The controller periodically sends GOOSE messages to the relays depending on the scenario; the DOCRs receive the messages and are able to reset within less than one second. Once the attacker's messages arrive in the LAN, due to the higher frequency, they overlap the ones sent by the controller, and the DOCRs are only able to see the ones sent by the remote attacker and therefore change the setting group from DER 2&4 OFF to islanded.
From Fig. 4, we can examine the sequence of events when the FDIA begins. When the message overlapping occurs and the attacker is able to deliberately change from group setting #2 to #3, DOCR R9, due to its lower PS, perceives the change as an increase in the current similar to an electrical fault and then trips. The tripping of R9 initially lowers the current passing through DOCR R7; then the microgrid becomes unstable and the current on R7 rapidly increases, making it trip as well. The tripping times are according to the settings and operational time from Eq. (2). It is worth noting that there is no coordination between the DOCRs R9 and R7 because of the change in setting parameters. The time that passes between the moment the attacker sends the messages remotely and the DOCR receives the false settings is around 2 seconds. The experiments done using this type of FDIA were marked as successful even though the attacker will have limited access despite having a reasonable amount of knowledge of both physical and cyber components [21]; this brief also contains a more detailed taxonomy of cyber-attacks in microgrids. The attacker was able to remotely trip the relay under normal microgrid operation and create instability.
The experiments were also conducted by trying different frequencies at which the attacker sends the messages. For a successful attack, at least double the frequency at which the controller sends the messages is necessary. Above this, the DOCRs enter a mode where the group settings change for about 3 seconds and then they block themselves.
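The false trip described above (a lower PS makes R9 read load current as a fault) and the coordination constraints of Section II, worked through as an added example that is not the authors' code. It assumes Eq. (2) has the standard IEC inverse-time form t = TDS·α/((I/(CTR·PS))^β − 1) and treats 250 ms as a minimum interval; the curve constants, settings, currents and the margin in `plausible` are constructed, not the values of Tables I, III or IV.

```python
import math
from dataclasses import dataclass

# IEC inverse-time constants (alpha, beta); standard values, assumed to match Table I.
CURVES = {"SI": (0.14, 0.02), "VI": (13.5, 1.0), "EI": (80.0, 2.0)}


@dataclass(frozen=True)
class Group:
    """One relay setting group (all numbers below are constructed)."""
    tds: float          # time-dial setting
    ps: float           # plug setting, secondary amperes
    ctr: float          # current transformer ratio
    curve: str = "VI"

    @property
    def pickup(self) -> float:
        return self.ctr * self.ps      # I_pu = CTR x PS, primary amperes


def op_time(g: Group, current: float) -> float:
    """Operating time in seconds; infinite when the relay does not pick up."""
    multiple = current / g.pickup
    if multiple <= 1.0:
        return math.inf
    alpha, beta = CURVES[g.curve]
    return g.tds * alpha / (multiple ** beta - 1.0)


def coordinated(primary: Group, backup: Group, i_fault: float,
                t_min: float = 0.100, cti: float = 0.250) -> bool:
    """Primary not faster than t_min and back-up at least cti later (assumed bounds)."""
    t_p, t_b = op_time(primary, i_fault), op_time(backup, i_fault)
    return t_p >= t_min and (t_b - t_p) >= cti


def plausible(g: Group, i_measured: float, margin: float = 1.2) -> bool:
    """Gate for a received group change: pickup must clear the present current."""
    return g.pickup > margin * i_measured


# Constructed settings for a primary (R9) and back-up (R7) relay.
R9_GROUP2 = Group(tds=0.04, ps=5.0, ctr=40)     # pickup 200 A
R9_GROUP3 = Group(tds=0.05, ps=2.0, ctr=40)     # pickup 80 A (lower PS)
R7_GROUP2 = Group(tds=0.09, ps=5.0, ctr=50)     # pickup 250 A
I_LOAD, I_FAULT = 120.0, 1000.0                 # amperes, constructed

if __name__ == "__main__":
    print("fault, group 2 pair coordinated:", coordinated(R9_GROUP2, R7_GROUP2, I_FAULT))
    print("load, R9 group 2 trip time:", op_time(R9_GROUP2, I_LOAD))
    print("load, R9 group 3 trip time:", op_time(R9_GROUP3, I_LOAD))
    print("accept group 3 at present load:", plausible(R9_GROUP3, I_LOAD))
```

With these numbers the group 2 pair is coordinated for the fault, while group 3 applied at load current gives R9 a finite trip time with no fault present; a gate like `plausible` would hold the group change and raise an alarm.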

IV. CONCLUSION
Cyber attacks are nowadays becoming a large topic of discussion in the protection of power systems. Hackers have more access than in the past to information that was thought to be exclusive to system operators, and this access is gained through commercial equipment installed at vulnerable links of the grid. Since this equipment and its principle of operation are easily available, new schemes are needed to further ensure high levels of security. In this brief, we proposed a centralized strategy for adaptive DOCR setting in microgrids. The DOCRs set their own protective setting group based on specific logic with the signal coming from a central controller. A remote FDIA was then formulated and implemented in HIL, showing the vulnerabilities of a real deployment. Moreover, it has been shown how conventional protection schemes might be subject to a relatively easy attack. This emphasizes that there is a need for adaptive protection in microgrids with high-level security.