Analysis And Defense Of Coordinated Cyber Attack In Substation Automation System

Advanced computer and communication sensor technology give advanced intelligence such as global perception and dynamic optimization control to modern power system,while the standard open communication procedures also bring many hidden dangers to cyber security of power system.In recent years,the outbreak of twice Ukraine power outages,Iranian nuclear power plants attacked again and other actual cases demonstrate,cyber threats to power systems are often backed by an increasing number of state actors.Hostile organization with rich resources can merge multiple intrusion attack means and launch a synchronous coordinated attack on multiple targets of physical system through the vulnerability of power information system,resulting in the damage of multiple power facilities and triggering a major blackout,affecting the overall security and stable operation of the power grid.This paper takes substation automation system(SAS)as the object to study cyber coordinated attack.Firstly,the paper analyzes the cyber security risks based on the attacker’s identity,and divides them into three categories:state-supported cyberattack,organized network attack,cyberattack without specific target and random failure.On the basis of analyzing the defects of existing security mechanisms,it is pointed out that the state-sponsored cyberattack should be paid more attention.Considering the consequences of attack destruction,the cyberattack behaviors are graded,which illustrates that the coordinated attack against multiple targets will trigger risk migrating upward.Based on the ultimate goal of state-supported cyberattack,two new types of high-risk cyber coordinated attack modes are proposed,non-communication time synchronization coordinated switch attack(TSCSA)and non-communication disturbance synchronization coordinated switch attack(DSCSA).The feasibility and harmful consequences of DSCSA under low voltage disturbance are simulated by IEEE 39 bus system.The results show that the initial faults such as line trip can trigger the low-voltage logic of malicious software in substations near failure,which can lead to the trip and voltage loss of substations,and that of multiple of substations in a way of active cascading trip,triggering a blackout.In view of the two new attack modes,this paper studies the detection and protection from two aspects.According to the destruction characteristics of attack,the cyber coordinated attack detection method of substations based on logical trigger is firstly proposed,which can realize the detection of two kinds of attacks by artificially creating attack trigger environment during the network access test or annual maintenance of substation monitoring equipment.From the perspective of destroy coordinated mechanism,the clock differentiation management of substation is proposed as defense method of TSCSA,which can choose key substation according to vulnerability index to diverge synchronous clock of substation,avoiding the key substations and other malicious software of transformer substation form coordinated attack,reducing attack damage consequence.To IEEE 39 bus system protective effect of the proposed method has carried on the simulation analysis,the results show that when two or three substations suffer TSCSA,two key substations are chosen to carry clock differentiation management that can significantly reduce the attack damage consequences,effectively improving the toughness that withstand TSCSA of power grid.