Unmasking Covert Intrusions: Detection of Fault-Masking Cyberattacks on Differential Protection Systems
Ahmad Mohammad Saber, Amr Youssef, Davor Svetinovic, Hatem Zeineldin, and Ehab F. El-Saadany

TL;DR
This paper introduces a two-module framework combining a mismatch index and neural network classifier to detect fault-masking cyberattacks on line current differential relays, ensuring reliable transmission line protection.
Contribution
It presents a novel detection framework that effectively identifies stealthy cyberattacks on protection systems using physical modeling and machine learning, validated on benchmark systems and real-time simulations.
Findings
Accurately detects fault-masking cyberattacks without false alarms.
Effective under system disturbances and measurement noise.
Demonstrates real-time detection capability in simulations.
Abstract
Line Current Differential Relays (LCDRs) are high-speed relays progressively used to protect critical transmission lines. However, LCDRs are vulnerable to cyberattacks. Fault-Masking Attacks (FMAs) are stealthy cyberattacks performed by manipulating the remote measurements of the targeted LCDR to disguise faults on the protected line. Hence, they remain undetected by this LCDR. In this paper, we propose a two-module framework to detect FMAs. The first module is a Mismatch Index (MI) developed from the protected transmission line's equivalent physical model. The MI is triggered only if there is a significant mismatch in the LCDR's local and remote measurements while the LCDR itself is untriggered, which indicates an FMA. After the MI is triggered, the second module, a neural network-based classifier, promptly confirms that the triggering event is a physical fault that lies on the line…
Taxonomy
Topics: Advanced Malware Detection Techniques · Cybercrime and Law Enforcement Studies · Network Security and Intrusion Detection
