Embedded devices in modern power systems offer increased connectivity and remote reprogrammability/reconfigurability. Together with the interconnection of Information Technology (IT) and Operational Technology (OT) networks, these features enable greater agility, reduced operator workload, and enhanced power system performance and capabilities, but they also expand the cyber-attack surface. This larger attack surface, combined with increasingly complex, diverse, and potentially untrustworthy software/hardware supply chains, increases the need for robust real-time monitoring in power systems and, more generally, in cyber-physical systems (CPS). We propose a novel framework for real-time monitoring and anomaly detection in CPS, specifically smart grid substations and SCADA systems. The framework enables real-time anomaly monitoring based on signal temporal logic (STL) conditions: raw packets captured from the communication network are processed through a hierarchical semantic extraction and tag processing pipeline into a time series of semantic events and observations, which are then evaluated against expected temporal properties to detect and localize anomalies. We demonstrate the efficacy of the methodology on a hardware-in-the-loop (HITL) testbed under several attack scenarios. The HITL testbed includes multiple physical power system devices (real-time automation controllers and relays) and simulated devices (Phasor Measurement Units (PMUs), relays, and Phasor Data Concentrators (PDCs)), all interfaced to a dynamic power system simulator.
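The pipeline described in the abstract (captured packets, semantic extraction into tagged time series, evaluation of bounded temporal properties, localization of the violating time and property) is sketched below as an added example; it is not the authors' framework or code. The packet format, the tag names (`trip_cmd`, `breaker_open`, `freq`), the two properties, and the capture itself are constructed assumptions chosen for illustration, and the STL evaluator uses boolean (qualitative) semantics rather than quantitative robustness.

```python
"""Illustrative packet -> semantic event -> STL monitoring sketch (added example).

Assumptions: packets are (t_seconds, src, dst, proto, payload) tuples; tags and
properties are invented for the example; the capture below is constructed.
"""
from typing import Callable, Dict, List, Tuple

# Constructed capture (not real traffic). Anomalies planted for the demo:
# a frequency sample outside the band at t=0.120 and a second trip command at
# t=0.140 that is never followed by a breaker-open report.
RAW_PACKETS = [
    (0.000, "pdc", "relay1", "ctl", {"op": "report", "breaker": "closed"}),
    (0.020, "pmu1", "pdc", "meas", {"freq": 60.01}),
    (0.040, "pmu1", "pdc", "meas", {"freq": 59.99}),
    (0.050, "hmi", "relay1", "ctl", {"op": "trip"}),
    (0.060, "pmu1", "pdc", "meas", {"freq": 59.97}),
    (0.080, "pmu1", "pdc", "meas", {"freq": 59.95}),
    (0.100, "relay1", "pdc", "ctl", {"op": "report", "breaker": "open"}),
    (0.120, "pmu1", "pdc", "meas", {"freq": 60.30}),
    (0.140, "hmi", "relay1", "ctl", {"op": "trip"}),
    (0.160, "pmu1", "pdc", "meas", {"freq": 60.02}),
    (0.300, "pmu1", "pdc", "meas", {"freq": 60.00}),
]

Sample = Tuple[float, float]            # (timestamp, value); booleans encoded as 1.0/0.0
Series = Dict[str, List[Sample]]        # tag -> time-ordered observations
Formula = Callable[[Series, float], bool]  # STL formula evaluated at a sample time t


# Stage 1: semantic extraction. Each raw packet yields zero or more tagged observations.
def extract_events(packets) -> Series:
    series: Series = {"trip_cmd": [], "breaker_open": [], "freq": []}
    for t, _src, _dst, proto, payload in packets:
        if proto == "ctl" and payload.get("op") == "trip":
            series["trip_cmd"].append((t, 1.0))
        elif proto == "ctl" and payload.get("op") == "report":
            series["breaker_open"].append((t, 1.0 if payload["breaker"] == "open" else 0.0))
        elif proto == "meas" and "freq" in payload:
            series["freq"].append((t, float(payload["freq"])))
    return series


# Stage 2: a minimal STL evaluator over the tagged series (boolean semantics).
def some_event(tag: str, pred: Callable[[float], bool]) -> Formula:
    """True at t iff an observation of `tag` was received at exactly t and satisfies pred."""
    return lambda series, t: any(ts == t and pred(v) for ts, v in series[tag])


def every_event(tag: str, pred: Callable[[float], bool]) -> Formula:
    """True at t iff every observation of `tag` received at t satisfies pred (vacuously true)."""
    return lambda series, t: all(pred(v) for ts, v in series[tag] if ts == t)


def implies(a: Formula, b: Formula) -> Formula:
    return lambda series, t: (not a(series, t)) or b(series, t)


def sample_times(series: Series) -> List[float]:
    return sorted({ts for samples in series.values() for ts, _ in samples})


def eventually(lo: float, hi: float, phi: Formula) -> Formula:
    """F[lo,hi] phi: phi holds at some sample time u with t+lo <= u <= t+hi."""
    return lambda series, t: any(
        phi(series, u) for u in sample_times(series) if t + lo <= u <= t + hi
    )


# Expected properties (assumed for the example): every trip command must be
# followed by a breaker-open report within 100 ms, and every frequency
# observation must lie in [59.8, 60.2] Hz.
PROPERTIES: Dict[str, Formula] = {
    "trip_acknowledged": implies(
        some_event("trip_cmd", lambda v: v == 1.0),
        eventually(0.0, 0.1, some_event("breaker_open", lambda v: v == 1.0)),
    ),
    "freq_in_band": every_event("freq", lambda v: 59.8 <= v <= 60.2),
}


# Stage 3: G phi over the whole capture, localizing each failure to (property, time).
def monitor(series: Series, properties: Dict[str, Formula]) -> List[Tuple[str, float]]:
    return [
        (name, t)
        for name, phi in properties.items()
        for t in sample_times(series)
        if not phi(series, t)
    ]


def run_demo() -> List[Tuple[str, float]]:
    return monitor(extract_events(RAW_PACKETS), PROPERTIES)


if __name__ == "__main__":
    for name, t in run_demo():
        print(f"violation of {name} at t={t:.3f}s")
```

Because `trip_acknowledged` is phrased over received report events rather than a sample-and-hold breaker state, the second trip at t=0.140 is flagged even though the breaker was already reported open at t=0.100; a held-state formulation would silently accept it, which is the kind of semantic choice the tag processing stage has to make explicit.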
Krishnamurthy et al. studied this question.