[00:00:10] >> Are you saying we should not let. You GA forward because Professor was. His reason. For. The 1st. But you will hear more before. You Syria you think you will talk to us a. Bit. Thank you very much. Notice that he pronounced my name perfectly because he speaks Greek. [00:00:52] Thank you. Thank you for being here. I would like to spend the hour here talking about the start to show of the cybersecurity aspects of the electric energy system. Basically what I will try to cover is some background information, some mount thinks about the cyber infrastructure in an electric energy delivery system, what standards and what activities are going on within the professional organizations and the industry to secure the infrastructure, and [00:01:31] then I'm going to talk a little bit about some present but he says work that is done to advance the ability of the system to operate in a lab full of cybersecurity aspect. Keep in mind that the electric energy system is a system that is evolving. As the computer or automation systems are evolving, so does the electric energy system, and of course this means that these issues are evolving over time. [00:02:05] And I'm going to talk about some demonstrations of cybersecurity simulator attacks and so on, and some concluding remarks. First of all, I do have a point here or we don't. When they're on the case. The electric energy system has an extensive cyber communication system. Basically you can see here that we have the substation, that is what we call a transmission substation. The physical system is on the top: transmission lines come in, we have transformers, all the power equipment, and of course [00:02:52] Our thoughts are these are extreme additions Alice and sensors where we collect data, and that that they score like that the new and number of electronic devices, basically computers.
Some of them are relays, some of them are fault recorders, et cetera, but each one of this device. Great, thank you. [00:03:15] Yeah, thanks. Each one of these devices is a high-end personal computer; basically most of them are ice Evan and so on. And then of course we have to communicate through a number of different communications infrastructures. Obviously we have one infrastructure, that is the command communication system, where basically we use this communication to interface between substations, the control center, and this is a real-time system, so the availability of the information is very important and the speed by which we deliver the information is very important. Similarly you see here a generating station, where we have the generators, the turbines and so on. But in addition to this communication with which we control the power system, we have a number of other communication circuits, for example. [00:04:17] Electric energy delivery system is not alone; it is part of the entire interconnected power system. For example, we have the local utility here, which is interconnected to the rest of the United States system; everything is connected. Duplicate infrastructure is in the neighboring systems, and we have to communicate between the 2, because in the operation of the system we have to [00:04:43] know what our neighbors are doing, because of the connection: any disturbance in the neighboring system will propagate into our system. So this is the second communication circuit. And then we have the Internet, that can be the public Internet, where information is exchanged between the customers and the. [00:05:07] And of course notice that the they don't it is they're connected to this private communication system. And then we can have the enterprise communication system, where basically this is for business purposes of the electric energy delivery system.
Think of this as the vice presidents: they want to see what's going on, and all the information is part of them. Now, this is what we call the bulk power system. Now, to this of course is attached the distribution systems throughout the system, where the distribution systems deliver electric energy to the various customers. Presently the largest increase in cellular networks is due to the utilities, where basically they're deploying cellular networks to communicate at the distribution level. But still the majority of the communications in the distribution system is through radio small value; there is a frequency dedicated to the electric utilities. And now, from the cybersecurity point of view, the radio communications were developed many years ago and they are open field for any hacker. [00:06:28] And of course this means that somebody can go in there and do a lot of damage. So this is the system we are dealing with. And of course the cloud is the new buzzword, I guess, that people want to see how they can store the information in the cloud and retrieve it and so on, and there are applications to do that. Now if I take a closer look within the bulk power system, that is bulk substations, transmission, generation and so on, the structure looks as follows in the abstract form. We have the physical system: the transmission lines, transformers, generators, etc. And then we have sensors and assess 1st the we have to take in all of this, basically the merging units and the relays. Merging units are simply data acquisition systems, and because the physical system operates at very high voltage this. [00:07:28] Current that is also. Instrument transformers that connect the data acquisition systems to the.
To the physical system. Similarly for the relay we have that is the weather swarms here and the relation of the aid to the conversion is there. Notice that the trend is to remove from the relays (they have specific purposes for protection of the system), to remove the data acquisition from the relays and make the relay simply computing devices. [00:08:03] Therefore, in order to protect the system, all I have to do is have the data acquisition system, the data is coming here to the process bus, and then we can connect a computing device to the process bus which is going to do the function of the relay, will protect the system. [00:08:22] And then we have here another area where we concentrated not of the station bus. The station bus differs from the process bus because the data there is what we call phasors: we take the waveforms of the world as a guide as, we apply Fourier transform and we transform it into phasors, and this means we compact the data. And then of course from the station bus we connect to the rest of the system with raw private fireworks etc. etc. Now at distribution level. [00:09:02] There is a trend today, for a number of technical reasons that we have in the power system, to utilize what we call the customer flexibility. So if I have a customer that has an electric car, a PV
rooftop, etc., the utility or electric energy system would now like to use this in case of need. Why do we have a case of need now? Because basically, as we go more and more into renewables, one aspect of the renewables is that they are not thrust that generators, because they depend on how much the wind blows, how much the sun shines, et cetera, and therefore we have a lot of variability of the output of these generators. So when the wind stops to blow, then we have to make up the lost generation. So one way to do that is of course we have extra big generators to cover for that. The other way is to use the customers: if we can access the customer's [00:10:11] resources, then we can change the comments demand that is coming from the customers, and if the customers have the interaction we can say is also there is an operation to balance the system. Because remember, in an electric power system we have to generate exactly the same amount of energy as the customers need at the instant of time, OK, there is very low storage in the system. [00:10:39] Last week I was in China, and China is a unique situation in terms of operating the electric energy system. There is only one state-run utility for the entire country, and they support the research organization with that, and they take decisions for the entire country. So one of the decisions they were talking to us about, I guess, is that they want to start to establish the idea of the Internet of Things electric. What does it mean? Basically they want to have access [00:11:13] through the Internet to every customer-owned resource: electric car, PV panel, smart appliances and so on. Why do we need to do that? Because basically if I know how many resources are out there, then I can balance the generation and load at any instant of time without having
[00:11:36] the requirement to have a lot of extra capacity and reserves to balance the generation and load. So there is a technical reason for that. But think about this: how many points are we going to have in there, only in the country of China, if we do that? 1,500,000,000 people; every person will have a few resources, then we're talking about a big number. [00:12:07] To some extent we do similar things here in this country, that is, evolving technologies to address this problem. So what are the vulnerabilities of a system like this? Well, there are many, OK. I have listed here a few of them. GPS spoofing: why is it important for power systems if we spoof the GPS system? Well, most of the modern control and operation [00:12:38] For us the larger of the electric energy system depends on what we call GPS-synchronized measurements, and if we lose the synchronization then things can go wrong. For example, we have relays, I would call it differential protection. Differential protection takes measurements from different points of the system, and basically the sum of these measurements has to have a certain property based on the current law and so on. [00:13:11] Now these measurements come from different devices, and each one of these devices is GPS-synchronized. So this means when I get the data, then I know this data is taken at an instant of time, so I compare at the same instant of time. If somebody spoofs the GPS of one of these devices, then I'm going to be comparing data at one time instant with data at another instant of time, so this will lead to [00:13:42] misoperation of the relay. In other words, the relay is going to think that something is wrong in the system and is going to trip the system up. So GPS is very important, and GPS is one of the easiest things to spoof. Of course now manufacturers of clocks and so on, [00:14:00] receivers, they are starting to implement the cybersecurity, but if you look at the generation of
8 years ago, for example, then it's very easy to spoof the device. There is another type of attack, a controller attack, basically. We have relays as a measure that control the [00:14:29] devices, whether they are connected in the system or not connected in the system. One easy way to damage the system is to close the breaker of a generator and connect the generator directly to the power system without any preparatory work. Preparatory work is basically we bring the generator to us at the speed and then we close the breaker. [00:14:56] Now if this happens, then the generator is damaged for good and we have to replace it, and it's only one time to do that. So if somebody gets into the cyber infrastructure and closes the breaker when the generator is at standstill, it is going to damage the system, and then we're talking about repairs that will take [00:15:18] several months to years to replace that generator. Another is that that can measure that car. Radio communications in distribution systems are pretty much open to cyber, and somebody can access the controllers we have in the distribution system: we have transformers, we have capacitors, we have regulators, etc. It is easy to access the system and control the transformers, capacitors, in such a way to raise the voltage, let's say, by 50 percent. If this happens, we're going to have massive failure of appliances for the customers connected along this distribution network. [00:16:06] I can go on and on of what I can do to the power system, and so let me give you some examples of the things we measured. Here is a GPS clock. Receives information basically there with a for myself whether it is I set them cords etc. So I get quite and do what a sophisticated hacker will do is the following. Let me go to the because there is a variable take signals from several satellites, depending on how many satellites are visible, and that is the time and the location.
[00:16:49] So what a hacker can do, what a sophisticated hacker can do, is that he could take each one of the signals and things that signal. Interest me the stronger signal into the receiver, and all he has to do is insert a time delay in that signal. That time delay is going to change the time. [00:17:15] And a sophisticated hacker can do this the 4th thing, that is, he can set the delay in each one of the signals in such a way that the receiver is not going to notice any difference or any anomaly, for example. Notice that each one of the satellites has a different distance from the receiver, so I can make the computations of how much I should delay each signal, and then the receiver is going to receive a set of consistent signals, but the outcome of this signal is going to be a time that is different from the real time, and that can cause havoc to the power system. [00:18:07] Here is a distribution system. So if I control the transformers, the capacitor banks and so on, I can raise the voltage in the distribution system so that everything that is connected in the distribution system is going to be experiencing an overvoltage, and of course many appliances and devices [00:18:30] fail due to that. Here is an actual distribution system. This is from my project that I gave to my students: to access the controllers of the transformers, the capacitor banks, the disconnects that are a sample here there it is and disconnect and so on, and try to figure out how they can raise the voltage to the market value, and that's a pretty straightforward [00:19:05] exercise. Here is a generator.
The generator is somewhere here and this is the breaker of the generator. So many times the generator resides in that; in other words, this means that this breaker is open, so the generator is not connected to the system. So if I get access to the infrastructure of the generation substation and I order the relay to close this breaker, then I will damage the generator right away. [00:19:40] So let's see what kind of standards we have, what do we do in the industry to protect the system against cyber attacks. And of course we worry about cyber attacks that will do the denial of service. For example, if I get into the distribution system and I open the breakers of the distribution system, then all the customers along the distribution system will not have power. This is the famous Ukraine attack, which was a very [00:20:12] low-tech attack, and they did exactly that: they opened the breakers and people do not have a counselor in there, and more important they. That is the system so that the operators will not they cannot be the breakers and so on. So these things can happen, and therefore we develop the standards, and there are many organizations that are working in the development of standards. First of all, IEEE, IEC, NIST, NERC, FERC are all involved in developing cybersecurity standards. NIST of course has the lead in the basic security framework, and NERC has [00:20:57] developed a star set of standards that every facility in the electric power that is classified as critical has to obey. Now the standard is basically based on other readers that are standards, but basically they require utilities to meet the standards if their facility [00:21:25] is classified as critical infrastructure, and critical infrastructure is basically all of the substations and substations that can deliver more than 30 megawatts and so on, so this covers 98 percent of all the substations in the country.
Here are some specific standards, and I'm going to pick up a few of them to talk to you in more detail, I guess. [00:21:54] First of all, the IEC is a family of standards that covers pretty much everything in the electrical system, and then I'm going to talk about the C37.240. This is a standard that basically maps the requirements from the NIST standards into what utilities need to be doing. [00:22:17] And then of course this is a very important standard also, $6096.00, that deals with how we make cybersecure every single device in the power system, whether it's going to be a relay or a data acquisition or a merging unit and so on. There are specific questions that will make that [00:22:41] device. Obviously we do not have time to go through all the details, so I'm going to just flash through a few slides. This is the family, the IEC series of standards for cybersecurity, and basically they cover everything is going live assess them from communications to. How we are dealing with. [00:23:02] Transferred and go months and so on, how we. Are phase will are there between utilities, how we exchange information and so on, so everything is covered in this family of standards. And the basic principle in the IEC standards is the following: if I have an electrical facility, if this is a substation, this is a control center and so on, we define the electronic perimeter and basically we secure that electronic perimeter. The idea there is that we can communicate with the rest of the world through a single point where we can place a firewall and so on. So for a control center, notice that everything is included within the [00:23:51] electronic perimeter.
While for the substation, this is a distribution substation, it still has distribution lines, so we have these distribution lines here; they have one of those regulators or 2 made the streets as capacitor banks and so on that are outside. However, the cyber system is all interconnected, so you see the vulnerability between what. [00:24:17] The system is close to the customers and how we can secure the facilities of the system. You know this here in this case, so we have bomb. Detection systems at the very. At the perimeter of the electronic fence, and then of course you can have monitoring devices, security monitoring devices at the very and the that is within the substation or along the distribution circuit. OK, so where we are lacking is this part here: we are very far away from security in the distribution system. [00:25:06] Now this is the standard C37.240. As I mentioned, the standard tries to map the N.I.S. the are there 77628 into how it will apply to the substation. We don't have time to go through all these details, or you're going to have the slides so you can see some of the details. This is a very important standard that is developed under the IEEE, because basically it takes the cybersecurity all the way to the device level: the relay, the merging unit and so on. So there are here requirements about how these devices can be accessed. [00:25:51] And obviously you see here that role-based access control is one of the most important issues, because basically if I'm an engineer for the power company and I have access, then I can access any device, any relay, any merging unit throughout the electric power system, and therefore we have to have some good way to know who is allowed to use what, [00:26:23] and so on. And in addition you see here in this list that we have requirements that any traffic through this device has to be recorded, so we can recreate that traffic if something happens, to see who did what.
So a lot of requirements, and all of this is for one device. How many devices do we have in the substation? [00:26:48] Typically, even in a small substation we have about kind of devices like this, so everything has to be secured. And now, so this is continuation of the standard 686, and here is some of the typical practice that we have today. RADIUS is extensively used for access, and RADIUS of course has 3 parts: authenticate users or devices before granting access to network and devices; authorize users or devices for specific network services, role-based authorization; [00:27:29] for usage of services, so we can keep track of who used what. Then of course IPsec, Internet Protocol Security, is extensively used in the electric power industry to address confidentiality, integrity and authentication, and it provides interoperable, high-quality, cryptographically based security for IPv4 and IPv6. [00:27:59] Now one important thing here is that the present practice is that we do not, on the communication infrastructure inside the substation there is no encryption, so whoever goes into the substation has access to everything. He can see everything. And of course extensively we use internet exchange for authentication and so on. [00:28:30] So we have all of these systems, and there is a lot of committees working on improving systems and so on, and there's that is developing new, better ways to do that. However, we need more of that, and why do we need more? Because basically many of the systems eventually can be defeated, and therefore we have to have some additional [00:28:57] some additional defenses. Here is how an electric power system, or a facility of an electric power system, looks. We have basically breakers, instrument transformers, but there's a little force got in those foreigners, et cetera.
Here I'm showing that we have the data acquisition system next to the breaker, next to the PT, next to the CT, and now if we have this kind of system, then fiber optic brings the data into computers here, computing devices. [00:29:30] We have also what we call legacy systems, where we have relays, and for a good relays we need to bring copper wires from these devices into the relays. And many times now we have hybrid systems, where we have legacy systems, we have newer systems together or Brady and so on, and of course we need to protect this. Now let's take a look at what kind of data is going through the system. [00:30:04] Here is a view of what kind of data is being processed through the system. For example, if I have merging units next to the instrument transformers, the data traffic here is quite high, because basically we sample at speeds from 4800 samples per second to 12000 samples per second, so you can see a lot of data is being processed from this instrument down here. And if we look at this up because substation, we have something like more than 300 channels at these speeds, you can realize that we have several millions of data per second, [00:30:53] and therefore high traffic. That's why here we have computing devices, we use the term IEDs, that is, intelligent electronic devices, that take this data and convert them into phasors. Basically this is a compaction method, and here we have less data and less traffic of data in the station, and of course we have computed device computing connected they require here to do their specific protection and control and optimization functions of the system. [00:31:29] So the bottom line is a lot of data is being transferred to the system. Now there are a lot of methods and people working on what we call data-based intrusion detection systems, analysis of the.
Trustworthiness of this data and so on, and what we have been finding out is that the data-based methods provide a lot of false positives, and the reason for this is that a lot of disturbances are going on in the system on a normal basis. [00:32:08] Faults are happening, breakers open, breakers close. So abnormalities in the data occur continuously, but most of these abnormalities are because of what the physical system is doing. So all the data-based methods basically are not as capable of recognizing what is normal and what is because of a cyber attack. [00:32:39] Another way to minimize the false positives is what we call state and model tracking based approaches. So the idea is very simple. Basically what we're doing here is that we have a physical system and then we have a magic system, using the term merging unit, because in there's that we called the unit be the subsystem that connects the physical system to the cyber infrastructure, so that includes [00:33:07] instrument transformers, analog to digital conversion and so on, and of course what we have here is all the data in digital form that is collected from the system. So if I want to know how the data relate to the actual state of the system, then one way to do that is to perform a dynamic state estimation; then I will know, based on the data I have, what the system is doing. [00:33:37] And if there is an abnormality, then there is going to be a difference between what the dynamic state estimation tells me the state is and what the physical system is doing, and the dynamic state estimation has that capability to determine this discrepancy. Therefore I can have a disturbance and another go all over the place, but if this is consistent with the physical system, [00:34:03] everything is fine.
Is not fine we'll just have to deal with the basically the protection and control of the power system against this condition. What I mean there is that of course is not what is different than what the system is doing and how it can detect that somebody. [00:34:24] Into the system and thinks that. And therefore what we have here is we track the operating state, detect the abnormalities, and more important, we need to find the root cause, the event analysis, OK. So this is where we have to determine whether this abnormality came from the event of the system, of the physical system, or a fault cannot do anything else or sub idea of the system and done. [00:34:56] If you set the wrong data in the system. And more important, if we do that then we need to identify the compromised device, so I'm going to discuss how we can do this. And of course when we have this, then the outcome of this August is going to be: we have a normal operation; normal means that there's no cyberattack, OK, the things that normal does not happen in are normal and to be expected from the system. If an event occurs, then if it is a power system disturbance, we can use developed controls in the system to deal with the operation of the system. [00:35:37] However, if it is a cyber attack, we need to identify that could have been compromised devices What idea of a compromised devices, and then take action, sanitize affected devices at the start of the system. So that's the idea of the state and model tracking based approaches, and I'm going to show you some results utilizing these models. [00:36:01] First of all, in order to be able to do this we have to have a model that includes both the physical system, the medical system and the cyber infrastructure of the power system, OK, so we refer to this as they're called Wanda the or the physically based [00:36:23] power and cyber model. And the idea there is very simple. Here you see here.
An actual substation: it has 2 transformers here, breakers, switches, etc., distribution lines here, and this is a very small substation in the Virgin Islands, a 35 kV system. If you count how many relays are here, it has 23 relays. [00:36:56] Now, each relay of course is connected to the physical system through the instrument transformers. So here you see for this relay what inputs it takes; it takes inputs from the current here, and I don't show everything, I guess, and so on. But then what this does is we have the physical system: the transformers, the transmission lines, distribution lines, etc. Then we have the model or the medical system, what is connected to what, and then you have the model of each one of these relays and how these relays are connected to the local area network in the substation, and how the local area network is connected through other devices to the communication system of the overall system. So it is a [00:37:47] hybrid model that includes all of the support of us. So by doing this, basically once I detect an abnormality, I can use dynamic state estimation techniques to do hypothesis testing to find out the root cause of why of course not the norm and. That. Now we've just got there and not by a project that. [00:38:15] Basically we're just on the 2nd month of this project, where we integrate all of this into one integrated system, and you can see here the idea. We have this substation here, which has merging units that are distributed into the actual physical system, so you see here breakers, transformers, etc. It's a very small picture, I guess; this is my rock, this is an actual substation but a month ago. [00:38:49] And the merging units are located there, and out of the merging units through fiber links we bring the data into a process bus.
The process bus does the following tasks: it collects the data that have different time stamps and so on, and aligns all the data in time so that it will be available in an orderly way, and then we have here the protective relays. [00:39:17] Basically for the substation we have something like 150 protection zones: every device, every combination of devices, is a protection zone. So think of this: we have now something like 150 computing devices here, that each one here has the responsibility of protecting one particular protection zone. [00:39:45] Now this is the more parades normally, and these particular relays are based on dynamic state estimation; basically they monitor what's going on in the protection zone through dynamic state estimation. If an abnormality, OK, then there will. They see this abnormality and [00:40:05] if we don't do anything else, basically will disconnect the protection zone. However, with a new system we said the following: let's not take a decision immediately because of this abnormality; let's figure out where this abnormality is coming from. Is it an actual fault in the system, is it some operator did something wrong, is it a cyber attack and so on. We need to figure out the root cause and then take the decision. So what are we doing in this project? Basically [00:40:39] we've taken all the data from these relays, we then have the data for the entire substation, and this is done in an automated way. And so basically we build, from the models of the protection zones, the model of the entire substation, and then now we do the dynamic state estimation for the entire substation. Why do we do that? Because basically at the protection relay level we do not have redundancy in data to do a lot of far.
[00:41:14] Cry processes analysis and so on, but if we bring all the data into a central location for the entire substation, then we have a huge redundancy and we can do a lot of hypothesis analysis so that we can determine what was the root cause. And now therefore we can see here the dynamic state estimation, the hypothesis analysis, and out of this we can have [00:41:40] results that say there is an actual fault in the system; if it is, then we give a signal back to the relay and say do your job. If it is a cyber attack, then we have to take action against the particular device, the particular made the provider is not, or if there was another port that injected data in the system. [00:42:06] Or there are other things that can go wrong. For example, I can have a hidden failure. A hidden failure will be basically in the wiring here that connects the devices to the magic I may have a short. Nobody will notice that, except that because of the short the data coming out of this merging unit are now going to be 0 or something different. [00:42:30] And if I detect this, event analysis tells me that this is the case, then I can use the model of the substation and say this is not us who have been dumped by you and then I can then that is that I send it back to the process bus and everything is going to work properly. [00:42:51] And of course the objective of this project is not only cybersecurity; it is basically to improve the resiliency of the operation of the system due to the disturbances that normally occur in the physical system. So the core technology in all of this of course is the dynamic state estimation, and [00:43:17] a lot of other benefits from this that we don't have time to discuss here. Now key to all of this of course is the data integrity. In order to operate the power system properly we have to have trustworthy data.
Or we can talk about data integrity: what compromises that integrity? Well, it could be things such as instrumentation errors. [00:43:45] We fell into this S.. Because the instrumentation is not ideal devices, and then of course errors; for example we use instrument transformers which are saturable core; when saturation occurs then the data is distorted and generates big errors. So I guess our hidden failure summation a fault in. [00:44:11] Is them or their sins are no or cyberattacks. So these are basically the 3 main causes that jeopardize the integrity of the data in the system. And. Here is, I think we're running out of time so I'm going to skip this a little bit. The importance of the data accuracy should be obvious I guess. [00:44:39] And the other thing that is important here is that if I have accurate data then I am going to be more able to reliably detect any cyber attacks, because if the data have 5334 percent errors then I lose my capability to zoom in to what is the source of the errors, OK, so if we do an error correction then I have more reliable detection methods. [00:45:15] Hidden failures and cyber attacks basically can be detected with the same kind of techniques, and what is the present state of the art? Well, basically we have some manufacturers that provide in legacy relay schemes some ability to identify some hidden failures. Note that this is as long as the hidden failure occurs during a fair day, nothing else is occurring in the system; if the hidden failure occurs together with some other fault in the system or cyber attack they have no capability, and of course nobody has any capability presently to detect data alteration by cyber attacks in the relays and so on. [00:46:04] So how do we do the detection? 1st of all the detection is with the dynamic state estimation, the detection is immediate, and I'm going to give you some somber scene in a 2nd with an example.
The key is then, once we detect an abnormality, what is the root cause of this abnormality, and if it is a cyber attack we need to identify which device has been compromised. [00:46:32] Now this is another view of how the overall infrastructure of a substation is organized: we have the protection zone, the protection zone is going to be the physical system, transformer, line, etc., and we have merging units that collect data from the physical system, then they come to the process bus, and then you have the relay that looks at this data and processes the data to see if there is a physical fault in the system. [00:47:04] But of course, if there is a physical fault in the system or a hidden failure or a cyber attack then obviously the relay is going to see an abnormality. That is detected quickly, and there is nothing much we can do about that because basically at this point the redundancy of the data is limited. Note that a typical application is that we have 3 voltages and 3 currents at the 2 ends of the protection zone, and that's not enough to [00:47:42] do any hypothesis test. However if I take the data from all of these protection zones in the substation then I have extremely redundant data. How we define the redundancy is the amount of data that we have versus the number of states that describes the physical system. [00:48:05] So at the protection zone level the redundancy may be 50 percent, and at the substation level it is above 2000 percent; therefore I can do a lot of hypothesis testing and say, if I don't use this data, how does the rest of the data comply with the system I saw. [00:48:28] So that's the idea of the hypothesis testing. And now.
This slide repeats basically what I said, that is we have a lot of redundancy at the substation level and we use this redundancy to do hypothesis testing, and some of the mechanics are here. Now the hypothesis testing has to be organized in such a way that we can detect the root cause in the least possible way, and we have some ways of doing this, for example. [00:49:02] The output of the dynamic state estimation can provide basically what measurements are not consistent with the system; we refer to this as residuals, OK, and then from the residuals we can, through a semi-expert system, identify what might be the case. For example if. [00:49:25] I'm looking at the data and I see all the data coming from one merging unit have a consistent error of 10 percent, then I know. What I'm suspecting now is that this device may have been compromised, so how am I going to do the hypothesis testing? I will remove all this data from the. [00:49:49] From the substation data and I will rerun the dynamic state estimation; if the dynamic state estimation tells me that the rest of the data is consistent with what's going on in the physical system then with high probability that device has been compromised. Note that this is not going to tell me if the compromise was because of an attacker who went around and changed some of the parameters of this device or some operator accidentally entered a wrong parameter in the system, so I'm going to give you an example of this in a little while. And of course we have also other hypotheses that have to do with the things that can go wrong in the power system, and of course the output of all this hypothesis testing is to know whether it is an actual fault of the system, a hidden failure in the system or a cyber attack. [00:50:47] So here are some examples. Here I have a substation. This is a simplified version of a substation want the.
Transformer, a transmission line and distribution line, some breakers and so on, so for this I can recognize in this simplified system 5 protection zones: one for the transmission line, for the bus, for the transformer, the low voltage bus, etc. Then. [00:51:16] What we're going to do here is that Ground 0 to the hidden failure of this location. Note that what we do here, we are measuring the voltage through this potential transformer by connecting the system through fuses, and if one of the fuses blows up then one of the channels of the system of those 4 is not going to be giving us data. [00:51:45] So I'm going to go very quickly through this example. Note that what happened in this case is the data coming in for this phase, where the fuse is blown, now the data is 0. Now the dynamic state estimation immediately gives me this output of the residuals for all the other data of this is just FUD that the shown from the substation even if it is a small but that this humongous still, but note that it tells me that I have a residual for the Phase A of this potential transformer which is way larger than anything else; then I know where to look, right? So if I do a hypothesis test and remove this data and I repeat the dynamic state estimation, the rest of the data is going to tell me everything is fine in the system, and therefore I know where the problem is, it is this channel, and therefore I can send a technician to fix this problem. Now more important yet, this is some intermediate results, the more important I'm having here is human view of the data; this is the channel where we have the blown fuse. Note that the data go to 0 immediately after the fuse is blown, but through the hypothesis testing and so on, after 2 cycles I know that the cause is a hidden failure, OK. So now what I can do is that, using the estimated states of the substation, I can say that this is not there should have been this way; now I'm starting streaming data back to the station to the
process bus this data, and other relays collect the data and will continue to operate properly, so I'm contributing to a very resilient view of the system. [00:53:40] Let's see another example. This example is for the purpose of showing that the abnormality can be detected immediately. Here is basically from an actual system, and we had a team of attackers a month ago; we have one of the doctors here I guess. [00:54:06] There we had lessons in 3 substations in the present call area and this is the most ground in one of the substations the stuff that is more complicated their story or deny of being the picture of the. And one of the attackers went to one of the relays and changed the relay setting from 12 for them 25224025, so what this means is basically any relay is connected to an instrument transformer, and now this particular one is connected to current transformers that have a transformation ratio of 12 ga going to 5. [00:54:48] So the attacker went there and changed that setting from 12 to 1400, so what this means, this means that when we take a measurement of the current, instead of getting the correct value, let's say if it was 8 rather than amperes, now I'm getting 400 amperes. [00:55:08] How consistent is it with the rest of the system? Well, what happens in this case, this is an indication of whether all the data is consistent with the physical system. Now note that before that we had the values at this level, which indicates everything is normal, everything matches together; then when that happened this jumps 10 times higher, and it is an indication that something's wrong in the system. [00:55:38] And then of course with the hypothesis testing we can go and figure out that this is the. That. The data here is going to be, for all the 3 phases of the currents, there is going to be.
There to have a high residual, and by removing this data and doing again the dynamic state estimation, the rest of the data is consistent, and then we know that this device has been compromised; as a matter of fact we know how exactly it was compromised. [00:56:12] So why is this important? So basically the detection of the data attack is almost instantaneous. The dynamic state estimation runs every cycle, every 16 milliseconds, so basically once an attack occurs and the data has been compromised, then the next time the dynamic state estimation runs we're going to detect that, OK. So at the because he then of course see that in all the latencies, communications from substations to substations and so on, 25 milliseconds or less, that is the detection at the 1st execution of the dynamic state estimation. [00:56:53] Now the identification of the compromised device is also fast: in this particular case an additional 8 milliseconds to do the hypothesis test and to figure out what was the cause, and then the corrective action; once we have this information the corrective action is very simple, we can quarantine the compromised device, blocking access to the system. [00:57:18] Think of this: once we have identified a compromised device then we quarantine the whole substation and say no one is going to handle the substation, whether he's an authorized user and so on, until we figure out what we have to do. Note that this does not mean that we drop the operational communications, because the present communication has to be there to operate the system, but we block all the access to the system until we sanitize it and restore it. [00:57:54] Now note the following: I think that we can assume safely that an attacker is going to attack one device at a time, so since we detect this in real time practically, then by the time the attacker is going to get to the 2nd device, is going to be.
[00:58:16] He's not going to have access there because we quarantine the whole substation and so on and therefore we can detect thank you leave out dark right when it happens. Now another type of attack; note that the time is almost expired, so what I'm going to do I'm going to give this this and I love examples; this is an example of. [00:58:46] An intrusion or fake or modified malicious command in the system, and basically in this case we went to. Their command or tests we have to authorize that they gave the command, and since we have a physical system on those on we can do faster than real time simulation to determine what is the effect, and if the effect is malicious the system then can block this command. [00:59:15] This is another example that shows how the dynamic state estimation will detect any spoofing of the G.P.S. system. Note that before this is a small. For substation system and without G.P.S. spoofing the estimated and actual measurements and so on are on top of each other very cautious and so on. When a spoofing occurs, note that this spoofing occurs here, the spoofing is on this up there's normally but there's somebody there. [00:59:57] A time difference equivalent to about 2 degrees in phase; phase and time go together I guess; and note that once the spoofing occurred then both the voltages and the phases are off. Here it is not shown because it is only 2 degrees, and note that this is in radians so you cannot see the difference, but if I take the difference between the 2 you're going to see that the difference is almost 0 up to there and then from there on is consistently 2 degrees, so I mean that I can recognize that there is a timing error in the clocks and therefore I can detect the spoofing. And with this I guess I would like to conclude; this is the actual system that. [01:00:41] We had a demonstration.
Of parts of the system; of course that was 2 years ago, the system has been a while since then, and there are additional benefits by doing this. 1st of all, by doing this system we reduce the control house size, reduce the wiring, etc. I don't have time to go through any details but basically these are very important items for the industry because. [01:01:13] If you go to talk to an electric utility about cybersecurity you have to have. A lot of. Formality and they have to more not define Eric and so on, but if you talk to them about improving the resilience and the reliability of the system then they're more receptive to that I guess. [01:01:35] So 1st of all, note that this is supported by professional organizations move towards the more does the substation. In do what I presented here. And they did that process become a full automated mania for stores autonomy; autonomy is the next step of automation because basically it minimizes the emir in the work and so on, so things can be done autonomously and with self healing capabilities. Note that this technology offers distinct benefits: 1st, basically drastically improves operational reliability, because. [01:02:17] We have a cybersecurity protection system and the intrusions would be very very rare; however events in the system are more often faults, operator errors, hidden failures and so on; therefore by having a system that does both we improve drastically the operational reliability. Of course if a cyber attack Yes we have reliable defenses against the cyber attacks in addition to the standard protection, and most importantly by incorporating these technologies the costs are reduced, and that is of course. [01:03:00] A benefit that will drive these developments. And thank you for listening and sorry for running a few minutes over.