WO2016176682A1 - Detecting cyber-attacks and sensor failures in digital substations - Google Patents


Publication number
WO2016176682A1
Authority
WO
WIPO (PCT)
Prior art keywords
moving
series
average
dissimilarity
dissimilarity metrics
Application number
PCT/US2016/030407
Inventor
Ravindra Singh
Dmitry ISHCHENKO
Reynaldo Nuqui
Zhenyuan Wang
Original Assignee
Abb Inc.
Application filed by Abb Inc.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01R MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R19/00 Arrangements for measuring currents or voltages or for indicating presence or sign thereof
    • G01R19/25 Arrangements for measuring currents or voltages or for indicating presence or sign thereof using digital measurement techniques
    • G01R19/2513 Arrangements for monitoring electric power systems, e.g. power lines or loads; Logging
    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02H EMERGENCY PROTECTIVE CIRCUIT ARRANGEMENTS
    • H02H1/00 Details of emergency protective circuit arrangements
    • H02H1/0092 Details of emergency protective circuit arrangements concerning the data processing means, e.g. expert systems, neural networks
    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02H EMERGENCY PROTECTIVE CIRCUIT ARRANGEMENTS
    • H02H3/00 Emergency protective circuit arrangements for automatic disconnection directly responsive to an undesired change from normal electric working condition with or without subsequent reconnection; integrated protection
    • H02H3/02 Details
    • H02H3/05 Details with means for increasing reliability, e.g. redundancy arrangements

Definitions

  • the present disclosure is related to electric power systems and is more particularly related to detecting attacks on digital equipment in such systems.
  • Intelligent Electronic Devices are microprocessor-based devices used by the electric power industry to control power system switching devices, such as circuit breakers, reclosers, etc.
  • IEC International Electrotechnical Commission
  • a merging unit is the device that samples the analog measurements (voltages and currents) of the primary high voltage power circuit, encodes the measurement values into Ethernet packets, and injects them onto the process bus.
  • the IED receives these SV packets from the process bus, processes and uses the SV as the inputs to its various fault detection and protection functions.
  • One function of the IED is to detect that a fault happens on the primary circuit and to issue a "trip" command to activate a switching device and thus disconnect the faulty parts of the circuit.
  • the analog inputs to the MUs and the resulting digitized SV packets are critical to the proper operation decision of the IEDs.
  • the techniques, apparatus, and systems described herein provide for the detection of cyber-attacks on sampled values from IEDs in a substation environment. Specific embodiments of the disclosed techniques are based on each of two statistical principles: a) the correlation between the two signals and b) the Mahalanobis distance between the two signals.
  • Example methods detailed herein are suitable for implementation in a monitoring device in a power system, such as in an IED in a digital substation.
  • the methods might also be implemented in another computer/device in or associated with the digital substation, where the computer/device has access to sample value data for two or more monitoring points.
  • An example method includes the collecting of a first series of sampled electrical characteristics, such as current and/or voltage data, for a first monitored point in the power system. The method further includes receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system. This second series of sampled current and/or voltage data corresponds in time to the first series.
  • a series of dissimilarity metrics are calculated for the first and second series, where the dissimilarity metrics are based on the covariance of the first and second series.
  • dissimilarity metrics may be based on correlations between the first and second series, or based on Mahalanobis distances between points in one series and points in the other series, for example.
  • the example method further includes comparing each of the dissimilarity metrics to a first threshold value. An alarm is triggered in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
  • the dissimilarity metric referred to here may correspond to any of several values utilized in detection algorithms like those described herein.
  • the metric may correspond to a correlation value, to a mean correlation value, or to a fraction of mean correlation values that exceed a threshold value, among a series of buffered mean correlation values.
  • the metric may correspond to a Mahalanobis distance value or a squared Mahalanobis distance value, to a mean Mahalanobis distance value or mean squared Mahalanobis distance value, or to a fraction of mean Mahalanobis distance values or mean squared Mahalanobis distance values that exceed a threshold value, among a series of buffered mean Mahalanobis distance values or mean squared Mahalanobis distance values.
  • calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In some others of these embodiments, the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • calculating the series of dissimilarity metrics comprises: calculating, for example computing with a processing device, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • Figure 1 is a block diagram illustrating a correlation-based sample-value-attack detection scheme.
  • Figure 2 illustrates inputs and outputs of a unit for correlation-based attack detection.
  • Figure 3 is a flow chart illustrating a correlation-based detection algorithm.
  • Figure 4 illustrates an attack-detection scheme based on Mahalanobis distances.
  • Figure 5 illustrates inputs and outputs of a unit for attack detection based on
  • Figure 6 is a flow chart illustrating an algorithm for attack detection based on
  • Figure 7 illustrates the combination of fault detection with correlation-based and Mahalanobis-distance-based attack detection.
  • Figure 8 shows a substation configuration with different IEDs/MUs and a single line to ground fault.
  • Figures 9-12 illustrate correlations between pairs of IEDs during a simulated fault transient.
  • Figures 13-20 illustrate simulation results for an example implementation of the attack detection schemes described herein.
  • Figure 21 is a process flow diagram illustrating an example method according to the techniques detailed herein.
  • Figure 22 is a block diagram illustrating components of an example monitoring device according to several embodiments of the apparatuses disclosed herein.
  • the IEDs now support voltage and current inputs in a digital format: the Sampled Value (SV) streams transmitted as Ethernet packets on the Process Bus.
  • the Merging Unit MU is the device that samples the analog measurements (voltages and currents) of the primary high voltage power circuit, encodes the measurement values into Ethernet packets and injects them onto the Process Bus.
  • the IED receives these SV packets from the Process Bus, processes and uses the SV as the inputs to its various fault detection, protection and control functions.
  • One function of the IED system is to detect that a fault happens on the primary circuit and to issue a trip command to disconnect the faulty parts of the circuit.
  • the analog inputs are critical to the proper operation decision of the IEDs.
  • the use of digitized sample value streams over Ethernet opens the door to cyber-attacks on the analog input data: an adversary, once gaining access to the Process Bus or the Merging Unit, can modify the SV packets, and hence can manipulate the protection system and cause serious consequences to the power grid. For example, a false trip on normally healthy circuits could weaken the system, which might lead to localized or regional grid collapse.
  • detecting cyber-attacks on sampled values on the Process Bus is an important goal. More generally, techniques are needed for detecting cyber-attacks on sampled current and/or voltage data collected by monitoring devices in electric power systems, whether or not the devices are IEDs compatible with the IEC 61850 Process Bus. Once an attack is detected, mitigation schemes can prevent the false trip.
  • the techniques, apparatus, and systems described herein provide for the detection of cyber-attacks on sampled values from IEDs in a substation environment. Specific embodiments of the disclosed techniques are based on each of two statistical principles: a) the correlation between signals at two different points in the electric power substation and b) the Mahalanobis distance between the two signals.
  • the techniques disclosed herein for detection of sample-value attacks are based on coordination of measurements from at least two IEDs or other monitoring devices. More particularly, some embodiments of the proposed sample-value threat detection algorithms utilize the current measurements from the two IEDs.
  • the IEDs can either be on the same substation or on different substations. However, to avoid a communications bottleneck, measurements at the same substation may usually be considered.
  • the coordination scheme is based on the observability of a fault by the IEDs in coordination. For example, two IEDs that observe the same fault will carry the signature of the fault in their respective measurements. As a result, they can coordinate together in the detection of a sample-value attack.
  • dissimilarity metrics are functions of the covariances of the sampled-value series observed by the monitoring devices. By comparing the dissimilarity metrics to an appropriate threshold, an attack on the sampled values can be detected. Detailed examples of these techniques are described below, based on two schemes for detection of sample-value attacks: a correlation-based scheme and a scheme based on the computation of Mahalanobis distances.
  • a first group of techniques is based on the calculation of dissimilarity metrics that are in turn based on the correlation between the sample value streams for two (or more) monitored points in the electric power system.
  • the correlation between two random variables is defined as the ratio of covariance between the two and the product of their standard deviations. If x and y are the two random variables, then the correlation coefficient ($\rho_{xy}$) between the two is given by:
  • the correlation coefficients are based on the estimates of the covariance and standard deviation of the samples. In this case, the correlation coefficient is computed as follows:
  • $r_{xy}$ is the correlation coefficient
  • n is the number of samples
  • $\bar{x}$, $\bar{y}$ are sample means of x and y, respectively.
  • FIG. 1 is a block diagram illustrating a correlation-based scheme for detecting attacks on sampled-value data.
  • Let SV1 and SV2 be the series of sampled values of signals from the merging units (MUs) of a first IED, IED1, and a second IED, IED2, under coordination.
  • the latest sample value for each series is appended into one of two buffer locations 110, while the oldest entry is discarded, so that buffer size remains fixed.
  • the buffer size can be configured for samples corresponding to half, full or any fraction of cycle.
  • a minimum buffer size of samples corresponding to a half-cycle of the monitored signals provides robustness to the algorithm, thus a moving window of samples corresponding to a half-cycle is considered.
  • the correlation coefficient is computed between the buffer sample of IED1 (x) and IED2 (y), in correlation computation block 120.
  • the correlation coefficients are stored in another buffer 130 of correlation coefficients, which has the same size as each of buffers 110.
  • a moving average filter followed by a detection method is applied on these coefficients to determine the attack, in detection block 140.
  • a value of zero in the output indicates no attack, whereas a value equal to one is indicative of an attack.
  • the coding of these values is arbitrary; the opposite coding (i.e., a value of zero indicates an attack) could be used.
  • FIG. 2 is a block diagram illustrating the inputs and outputs for a correlation-based attack detection unit, here designated a "CorrDet" unit 200.
  • this unit may be implemented as part of an IED, such as IED1 or IED2 of Figure 1, as part of another monitoring device, or as part of another computer/device that has access to the sample value streams for each of the monitored points.
  • Inputs to the CorrDet unit 200 include sample value streams for first and second monitored points in the electric power system.
  • the sample value streams are designated $I_{IED1}$ and $I_{IED2}$
  • $I_{IED1}$ and $I_{IED2}$ are current sample values for first and second IEDs.
  • These inputs are designated as "analog" inputs in Figure 2, as they correspond to analog signal values. These values may be represented as floating point values, in some embodiments.
  • the output from CorrDet unit, CorrDet Out is a Boolean (binary) value indicating whether an attack on either of the sample value streams is detected.
  • Step 1 Initialize each buffer of n samples (minimum half cycle), for signal x and signal y, with zeroes. This is shown at block 310 of Figure 3.
  • Step 2 Once a new sample arrives for each monitored point, update the latest entry in the corresponding buffer with the new sample and drop the oldest buffer element. This is shown at block 320. Note that block 322 indicates that sample values of the current waveform from a first monitored point correspond to an attacked relay, which means that the sample values have been altered by an attacker. Block 324 indicates that sample values of the current waveform from a second monitored point are also received; these sample values are assumed not to have been attacked in the illustrated process flow.
  • Step 3 Compute the correlation coefficient for the two buffers of n values, e.g., using Equation (2) above. The result is stored in a new buffer, also having a moving window of the n most recent values. This is shown at block 330.
  • Step 4 Compute the moving average
  • Step 5 Count the number k of elements in the buffer of for which the absolute value of ⁇ is less than a predetermined, e.g., where
  • An example threshold value might be 0.85. This is shown at block 350.
  • Step 6 If the number k is greater than a predetermined number or, equivalently, if the ratio of k to n is greater than a predetermined threshold (i.e., $k/n > a$), then an attack is detected, and an alarm is triggered, as shown at blocks 360 and 370. If no attack is detected, the process flow repeats for the next sample value.
  • Step 4 describes a moving average computation in which the n most recent values of the correlation coefficients are averaged, to obtain the moving average value .
  • This requires that the n most recent values of the correlation coefficients be stored, e.g., in a moving window buffer. It will be appreciated that this computation is but one example of a low-pass filtering of the correlation coefficients.
  • a new filtered average value might be computed according to is the new filtered average value, corresponding to received sample value / ' , r ⁇ 1-1 - 1 is the preceding filtered average value, and r xy ⁇ is the most recent correlation value, n is the memory length for the filter in this approach, which in this case corresponds to the length of the sample value buffers. Note that in this approach, it is not necessary to keep a buffer of values of the coefficient values r xy .
  • a second group of techniques is based on the calculation of dissimilarity metrics that are in turn based on the Mahalanobis distance between sample values for one monitored point in the electric power system and a corresponding series of sample values for another monitored point.
  • the Mahalanobis distance statistically measures the distance of data points from a common point.
  • the difference between Euclidian distance and Mahalanobis distance is that the correlation among the points is taken into the account by the latter.
  • the mean squared distance is given by:
  • $D_j^2$ will be a $\chi^2$ distribution with one degree of freedom and $D^2$ will be a $\chi^2$ distribution with n degrees of freedom, divided by n.
  • $D^2$ will be upper bounded by
  • One heretofore unmet challenge relating to the correlation-based attack detection scheme described above is that it can fail to detect the case where an attacker manipulates a sample value signal by simply amplifying its magnitude, without any change in the frequency or shape of the waveform.
  • a Mahalanobis-distance-based scheme can be efficiently applied to detect such attacks.
  • A block diagram of this scheme is shown in Figure 4. As seen in the figure, the design of this scheme is similar to that of the correlation-based scheme of Figure 1, except that the correlation computation in block 120 in the previous scheme is replaced by a Mahalanobis distance computation block 420, and a detection block 440 is modified accordingly.
  • Let x be the buffer of samples for a first monitored point, e.g., from a reference IED referred to as IED1,
  • and let y be the buffer of the samples from a second monitored point, e.g., as collected by IED2.
  • the mean and variance of x is computed, and then, for each sample in y, the squared Mahalanobis distance $D_j^2$ is computed.
  • the mean $D^2$ of this squared distance is computed for each sample, and the results stored over a moving window.
  • An example window length is one cycle of the monitored signal.
  • the sample value streams are valid. Otherwise there has been an attack on one of the streams.
  • Figure 5 illustrates the analog inputs and digital output for an attack detection unit based on Mahalanobis distances, here designated a "MahaDet" unit 500.
  • this unit may be implemented as part of an IED or other monitoring device, or in another computer/device that has access to the sample value streams for each of the monitored points.
  • Inputs to the MahaDet unit 500 include sample value streams for first and second monitored points in the electric power system.
  • the sample value streams are designated $I_{IED1}$ and $I_{IED2}$
  • $I_{IED1}$ and $I_{IED2}$ are current sample values for first and second IEDs.
  • These inputs are designated as "analog" inputs in Figure 5, as they correspond to analog signal values. These values may be represented as floating point values, in some embodiments.
  • the output from MahaDet unit, MahaDet Out is a Boolean (binary) value indicating whether an attack on either of the sample value streams is detected.
  • FIG. 6 is a flowchart illustrating the details of an example algorithm for attack detection based on Mahalanobis distance computation.
  • this algorithm utilizes a buffer of n samples for each of two monitored points in the electric power system, each buffer comprising a moving window of sample values for the respective monitored point. For each new sample, a squared Mahalanobis distance is computed over the moving windows of n samples. The steps involved in the algorithm are described in detail as follows:
  • Step 1 Initialize each buffer of n samples (minimum half-cycle), for signal x and signal y, with zeroes. This is shown at block 610.
  • Step 2 Once a new sample arrives for each monitored point, update the latest entry in the corresponding buffer with the new sample and drop the oldest buffer element. This is shown at block 620. Note that block 622 indicates that sample values of the current waveform from a first monitored point correspond to an attacked relay, which means that the sample values have been altered by an attacker. Block 624 indicates that sample values of the current waveform from a second monitored point are also received; these sample values are assumed not to have been attacked in the illustrated process flow.
  • Step 3 Compute the mean and variance of x, and compute the squared Mahalanobis distance ($D_j^2$) of each element in y, with respect to the values in x. This is shown at block 630.
  • Step 6 If the number k is greater than a predetermined number or, equivalently, if the ratio of k to n is greater than a predetermined threshold (i.e., - > ?), then an attack is detected, and an alarm is triggered, as shown at blocks 660 and 670. If no attack is detected, the process flow repeats for the next sample value.
  • the Mahalanobis distance may be used.
  • the above algorithm calculates a one-point to vector squared Mahalanobis distance for each sample value in the buffer of y.
  • Other variations, utilizing computations and detection schemes that are mathematically equivalent to those described above and/or that refine the straightforward filtering and detection schemes described above, are also possible.
  • the two schemes described above may be combined, in some embodiments, e.g., by logically OR-ing the results of the respective schemes, to detect an attack on sampled values. Note that these schemes, together and/or separately, may also be used to detect sensor problems in an electric power system, such as sensor calibration issues. Either or both schemes may be combined with other fault verification schemes, including, for example, schemes based on the evaluation of fault transients.
  • FIG. 7 shows an example of two IEDs coordinating in order to detect a sample value attack in a substation.
  • all IEDs are at the same voltage level and breakers are configured according to one and half breaker scheme.
  • all IEDs are capable of receiving sampled values from their own merging unit (MU) as well as MUs associated with other IEDs. It is assumed that an attacker can manipulate the sampled values associated with any of the IEDs, but not simultaneously.
  • IED1 and IED2 are shown to be coordinated for CorrDet and MahaDet blocks.
  • the scheme is shown as implemented in IED1. However, in an actual scenario, the same scheme may be implemented in both IEDs, as well as in other IEDs under coordination. The illustrated scheme works as follows:
  • the fault detection logic detects a fault.
  • a trip signal is transmitted to a protection device associated with IED1, causing the protective device to interrupt the flow of current in a portion of the power system.
  • IED associated with that bus coordinates with other IEDs.
  • the coordination of the corresponding IED is not taken into consideration for attack detection.
  • the status of the breaker may be verified through a generic object oriented substation event (GOOSE) message. If the status of the breaker is confirmed to be open, the output of the detection scheme from all IEDs using zero currents is blocked.
  • Figure 8 is a schematic illustrating a portion of a substation with one and half breaker configuration.
  • the illustrated portion of the substation consists of three breaker IEDs, IED CB12, IED CB13, and IED CB23; two line IEDs, IED2 and IED3; and one transformer IED, IED1.
  • a single line to ground fault is simulated and the directions of current flows through different IEDs are shown by arrows.
  • the samples of current waveform (phase A) at one end of transmission line are replaced by the samples from the following waveforms: a rectangular pulse, a triangular wave, random Gaussian noise, a copy of a fault, a square wave, and an amplification of magnitude.
  • Figure 13 shows the injected signals along with the fault. A coordinated signal from the other end of the transmission line is shown in Figure 14.
  • In the event of no attack, the correlation coefficient should remain close to unity, because the two coordinated signals evolve from the same process. However, if one of the signals is manipulated by an attacker, the correlation coefficient drops, indicating that the two signals are either uncorrelated or weakly correlated. This is true because one of the signals does not follow the system process during the attack.
  • a confidence bound is set on the samples of a moving window. Typically, a 95% confidence is considered for statistical analysis, so the results illustrated in Figures 15-20 are based on a 95% confidence.
  • Figures 15-20 show the results of the detection algorithm for various sample value attacks. It is clear from Figures 15-19 that whenever there is an attack corresponding to these figures, the correlation goes down significantly, and the algorithm can easily identify the attack. However, in Figure 20, which corresponds to the case of an attack that comprises only signal magnitude amplification, the algorithm fails to detect the attack. In this case, the high amplitude of current may confuse the protective devices into detecting a fault. To detect an attack in this situation, the method based on Mahalanobis distance may be applied. The method is statistical in nature and very efficient in detecting an attack that is caused by change in amplitude.
  • Figure 21 is a process flow diagram illustrating a generalized method according to several of the example embodiments discussed above.
  • the illustrated method is suitable for implementation in a first monitoring device in a power system, such as in an IED in a digital substation.
  • the method might also be implemented in another computer/device in or associated with the digital substation, where the computer/device has access to sample value data for two or more monitoring points.
  • the illustrated method includes the collecting of a first series of sampled current and/or voltage data for a first monitored point in the power system.
  • the method further includes receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system. This is shown at block 2120. This second series of sampled current and/or voltage data corresponds in time to the first series.
  • a series of dissimilarity metrics are calculated for the first and second series, where the dissimilarity metrics are based on the covariance of the first and second series.
  • these dissimilarity metrics may be based on correlations between the first and second series, or based on Mahalanobis distances between points in one series and points in the other series, for example.
  • the "metric" referred to in the figure may correspond to any of several values utilized in a detection algorithm like those described above.
  • the metric may correspond to a correlation value, to a mean correlation value, or to a fraction of mean correlation values that exceed a threshold value, among a series of buffered mean correlation values.
  • the metric may correspond to a Mahalanobis distance value or a squared Mahalanobis distance value, to a mean Mahalanobis distance value or mean squared Mahalanobis distance value, or to a fraction of mean Mahalanobis distance values or mean squared Mahalanobis distance values that exceed a threshold value, among a series of buffered mean Mahalanobis distance values or mean squared Mahalanobis distance values.
  • the method further includes comparing each of the dissimilarity metrics to a first threshold value.
  • An alarm is triggered, as shown at block 2150, in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value. Note that it is possible that an increasing degree of dissimilarity may be represented by a decreasing value of the dissimilarity metric, depending on exactly how the dissimilarity metric is calculated.
  • calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In some others of these embodiments, the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, where the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, where the counted numbers are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics comprises: calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, where the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, where the counted numbers are the dissimilarity metrics.
  • Mahalanobis statistics are computed from subsets of sample values, where each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • the method may further include detecting an apparent electric fault, based on the first series of sampled current and/or voltage data, but refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm.
  • Monitoring devices configured to carry out any one or more of the methods illustrated above may be similar to existing IEDs, with appropriate modifications made to the processing circuits and/or interface circuits in or associated with the IED.
  • An example monitoring device 2200 configured to carry out some of the disclosed methods is shown in Figure 22 and comprises a first interface circuit 2210 configured to receive sampled current and/or voltage data for a first monitored point in the power system.
  • the same interface circuit 2210 or a different interface circuit is configured to receive, from a second monitoring device, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series corresponding in time with the first series.
  • Monitoring device 2200 further includes a processing circuit 2220, which, in some embodiments, is configured to detect a fault, using the sampled current and/or voltage data.
  • the processing circuit 2200 is further configured to carry out one or more of the methods detailed above, in some embodiments.
  • the interface circuit 2210 in this example monitoring device comprises hardware and, when necessary, supporting software and/or firmware stored in a non-transitory computer readable medium, such as memory, for receiving digital sampled value data from one or several merging units and/or from a common process bus, depending on the system configuration.
  • Interface circuit 2210 may be configured according to an industry standard, in some embodiments.
  • the processing circuit 2220 in Figure 22 may comprise one or more microprocessors, microcontrollers, digital signal processors, or the like, designated as processor(s) 2224 in Figure 22, coupled with or including one or more memory devices 2228, where the memory device 2228 is a non-transitory computer readable medium structured to store program code for carrying out all or a portion of one or more of the methods detailed above.
  • the processing circuit 2220 may also comprise additional digital hardware 2226 for carrying out one or more of the operations in the above-described methods.
  • the monitoring device 2200 shown in Figure 22 may be configured to carry out one or several of the methods described in detail above, as well as variants thereof.
  • the processing circuit 2220 is configured, e.g., with appropriate program code, to calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; compare each of the dissimilarity metrics to a first threshold value; and trigger an alarm in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
  • processing circuit 2220 may be configured to carry out a correlation-based technique, or a technique based on Mahalanobis statistics, or a combination thereof, according to any of the various methods described above.
  • Embodiments of the techniques, apparatuses, and systems described above may be used to address emerging problems in power systems automation and control, and may provide several advantages over existing technology. More particularly, the disclosed techniques efficiently detect anomalies in sampled values, indicative of an attack on the sampled values. Once an attack is detected, an alarm may be triggered. For example, a trip blocking signal may be sent to a protective device, such as a circuit breaker, in order to prevent a wrongfully-induced tripping under normal operating conditions, or a message can also be sent to the system operator, through SCADA. These techniques thus improve the resiliency of the power grid against a cyber-attack.
  • One embodiment is a method for detecting a false fault detection in a power system including a first monitoring device and a second monitoring device, the method comprising collecting a first series of power system electrical characteristic samples of the first monitoring device; detecting an apparent fault with a first monitoring device; receiving, from the second monitoring device, a second series of power system electrical characteristic samples, the second series of electrical characteristic samples corresponding in time to the first series; calculating a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; and triggering an alarm in response to determining the apparent fault is a false fault detection using the calculated dissimilarity metrics.
  • calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the dissimilarity metrics are the calculated moving-average correlations, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that a predefined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below a first threshold value. In certain forms, the dissimilarity metrics are the calculated moving-average correlations, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics comprises calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the dissimilarity metrics are the calculated moving-average distance statistics, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the dissimilarity metrics are the calculated moving-average distance statistics, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • triggering an alarm comprises refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault is a false fault detection.
  • Another exemplary embodiment is a power system comprising a first monitoring device including one or more interface circuits configured to collect a first series of power system electrical characteristic samples corresponding to a first monitored point in the power system, and to receive a second series of power system electrical characteristic samples corresponding to a second monitored point in the power system, the second series corresponding in time with the first series; and a signal processing circuit configured to detect an apparent fault using the first series; calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; and trigger an alarm in response to determining the apparent fault is a false fault detection using the calculated dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the dissimilarity metrics are the calculated moving-average correlations, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • the dissimilarity metrics are the calculated moving-average correlations, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the dissimilarity metrics are the calculated moving-average distance statistics, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the dissimilarity metrics are the calculated moving-average distance statistics, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • the signal processing circuit is configured to refrain from tripping a protection device associated with the first monitoring device upon determining that the detecting of the apparent fault is a false fault detection.
  • a further exemplary embodiment is a method, in a first monitoring device in a power system, the method comprising collecting a first series of sampled current and/or voltage data for a first monitored point in the power system; receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series of sampled current and/or voltage data
  • calculating the series of dissimilarity metrics comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the calculated moving-average correlations are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In certain forms, the calculated moving-average correlations are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • calculating the series of dissimilarity metrics comprises computing, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the calculated moving-average distance statistics are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated
  • calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • the method further comprises detecting an apparent electric fault, based on the first series of sampled current and/or voltage data, but refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm.
  • a further exemplary embodiment is a first monitoring device for use in a power system, the monitoring device comprising one or more interface circuits configured to collect a first series of sampled current and/or voltage data for a first monitored point in the power system and to receive, from a second monitoring device, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series corresponding in time with the first series; and a signal processing circuit configured to calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; compare each of the dissimilarity metrics to a first threshold value; and trigger an alarm in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
  • the calculated moving-average correlations are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • the calculated moving-average correlations are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises computing, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the calculated moving-average distance statistics are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
  • the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
  • each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
  • the signal processing circuit is configured to detect an apparent electric fault, based on the first series of sampled current and/or voltage data, but is further configured to refrain from tripping a protection device associated with the first monitoring device upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm.


Abstract

Detection of cyber-attacks on sampled values in a substation environment is based on the correlations and/or the Mahalanobis distances between the sampled values for two monitored points in the substation. An example method includes the collecting of a first series of sampled current and/or voltage data for a first monitored point. The method further includes receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point. This second series of sampled current and/or voltage data corresponds in time to the first series. Dissimilarity metrics are calculated for the first and second series, where the dissimilarity metrics are based on the covariances of the first and second series. The dissimilarity metrics are compared to a first threshold value, and an alarm is triggered in response to determining that said comparing indicates a dissimilarity that exceeds a target dissimilarity.

Description

DETECTING CYBER-ATTACKS AND SENSOR FAILURES IN DIGITAL SUBSTATIONS
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
[0001] This invention was made with U.S. Government support under Cooperative Agreement No. DE-OE0000674 awarded by the US Department of Energy (DOE). The Government has certain rights in this invention.
TECHNICAL FIELD
[0002] The present disclosure is related to electric power systems and is more particularly related to detecting attacks on digital equipment in such systems.
BACKGROUND
[0003] Intelligent Electronic Devices (IEDs) are microprocessor-based devices used by the electric power industry to control power system switching devices, such as circuit breakers, reclosers, etc. With the standardization by the International Electrotechnical Commission (IEC) of the IEC 61850 process bus, most modern IEDs now support voltage and current inputs in a digital format, as Sampled Value (SV) streams transmitted as Ethernet packets on the process bus. In implementations according to the IEC61850-9-2 specifications, a merging unit (MU) is the device that samples the analog measurements (voltages and currents) of the primary high voltage power circuit, encodes the measurement values into Ethernet packets, and injects them onto the process bus. The IED receives these SV packets from the process bus, processes and uses the SV as the inputs to its various fault detection and protection functions.
[0004] One function of the IED is to detect that a fault happens on the primary circuit and to issue a "trip" command to activate a switching device and thus disconnect the faulty parts of the circuit. During this process, the analog inputs to the MUs and the resulting digitized SV packets are critical to the proper operation decision of the IEDs.
[0005] Compared to earlier protection systems that relied on hardwired analog inputs, the use of digitized sample value streams and Ethernet technology opens the doors to cyber-attacks on the digitized sample value data. An attacker, once gaining access to the process bus or to a merging unit, can modify the SV packets received by the corresponding IED, and thus can manipulate the protection system and, potentially, cause serious consequences to the power grid. For example, a false trip on normally healthy circuits could cause the system to weaken in such a way that might lead to localized or regional grid collapse. Accordingly, techniques and devices are needed for securing the IED system against cyber-attacks on sampled value data used for fault detection.
SUMMARY
[0006] The techniques, apparatus, and systems described herein provide for the detection of cyber-attacks on sampled values from IEDs in a substation environment. Specific embodiments of the disclosed techniques are based on each of two statistical principles: a) the correlation between the two signals and b) the Mahalanobis distance between the two signals.
[0007] Example methods detailed herein are suitable for implementation in a monitoring device in a power system, such as in an IED in a digital substation. The methods might also be implemented in another computer/device in or associated with the digital substation, where the computer/device has access to sample value data for two or more monitoring points.
[0008] An example method includes the collecting of a first series of sampled electrical characteristics, such as current and/or voltage data, for a first monitored point in the power system. The method further includes receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system. This second series of sampled current and/or voltage data corresponds in time to the first series.
[0009] A series of dissimilarity metrics are calculated for the first and second series, where the dissimilarity metrics are based on the covariance of the first and second series. These dissimilarity metrics may be based on correlations between the first and second series, or based on Mahalanobis distances between points in one series and points in the other series, for example. The example method further includes comparing each of the dissimilarity metrics to a first threshold value. An alarm is triggered in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
[0010] As discussed in detail below, the dissimilarity metric referred to here may correspond to any of several values utilized in detection algorithms like those described herein. For example, in a correlation-based scheme, the metric may correspond to a correlation value, to a mean correlation value, or to a fraction of mean correlation values that exceed a threshold value, among a series of buffered mean correlation values. Similarly, in a scheme based on Mahalanobis distances, the metric may correspond to a Mahalanobis distance value or a squared Mahalanobis distance value, to a mean Mahalanobis distance value or mean squared Mahalanobis distance value, or to a fraction of mean Mahalanobis distance values or mean squared Mahalanobis distance values that exceed a threshold value, among a series of buffered mean Mahalanobis distance values or mean squared Mahalanobis distance values.
[0011] The method summarized above may be based on correlations between the first and second series of sample values, in some embodiments. Accordingly, in some embodiments, calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients. In some of these embodiments, the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In some others of these embodiments, the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
[0012] Other embodiments of the method summarized above are based on Mahalanobis statistics, such as the Mahalanobis distance or squared Mahalanobis distance between points in the first series and second series. Thus, according to some embodiments, calculating the series of dissimilarity metrics comprises: calculating, for example computing with a processing device, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
[0013] Still further variations of the above-summarized methods are described in the detailed description that follows, as are apparatuses configured to carry out any of one or more of these methods.
BRIEF DESCRIPTION OF THE FIGURES
[0014] Figure 1 is a block diagram illustrating a correlation-based sample-value-attack detection scheme.
[0015] Figure 2 illustrates inputs and outputs of a unit for correlation-based attack detection.
[0016] Figure 3 is a flow chart illustrating a correlation-based detection algorithm.
[0017] Figure 4 illustrates an attack-detection scheme based on Mahalanobis distances.
[0018] Figure 5 illustrates inputs and outputs of a unit for attack detection based on Mahalanobis distances.
[0019] Figure 6 is a flow chart illustrating an algorithm for attack detection based on Mahalanobis distances.
[0020] Figure 7 illustrates the combination of fault detection with correlation-based and Mahalanobis-distance-based attack detection.
[0021] Figure 8 shows a substation configuration with different IEDs/MUs and a single line to ground fault.
[0022] Figures 9-12 illustrate correlations between pairs of IEDs during a simulated fault transient.
[0023] Figures 13-20 illustrate simulation results for an example implementation of the attack detection schemes described herein.
[0024] Figure 21 is a process flow diagram illustrating an example method according to the techniques detailed herein.
[0025] Figure 22 is a block diagram illustrating components of an example monitoring device according to several embodiments of the apparatuses disclosed herein.
DETAILED DESCRIPTION
[0026] With the introduction of the IEC 61850 Process Bus, most modern Intelligent Electronic Devices (IEDs) now support voltage and current inputs in a digital format: the Sampled Value (SV) streams transmitted as Ethernet packets on the Process Bus. In an IEC61850-9-2 implementation, the Merging Unit (MU) is the device that samples the analog measurements (voltages and currents) of the primary high voltage power circuit, encodes the measurement values into Ethernet packets and injects them onto the Process Bus. The IED receives these SV packets from the Process Bus, processes and uses the SV as the inputs to its various fault detection, protection and control functions.
[0027] One function of the IED system is to detect that a fault happens on the primary circuit and to issue a trip command to disconnect the faulty parts of the circuit. During this process, the analog inputs are critical to the proper operation decision of the IEDs. Compared to traditional hardwired analog input, the use of digitized sample value streams over Ethernet opens the door to cyber-attacks on the analog input data: an adversary, once gaining access to the Process Bus or the Merging Unit, can then modify the SV packets, and hence can manipulate the protection system and cause serious consequences to the power grid. For example, a false trip on normally healthy circuits could cause the system to weaken in a way that might lead to localized or regional grid collapse.
[0028] Accordingly, detecting cyber-attacks on sampled values on the Process Bus is an important goal. More generally, techniques are needed for detecting cyber-attacks on sampled current and/or voltage data collected by monitoring devices in electric power systems, whether or not the devices are IEDs compatible with the IEC 61850 Process Bus. Once an attack is detected, mitigation schemes can prevent the false trip.
[0029] The techniques, apparatus, and systems described herein provide for the detection of cyber-attacks on sampled values from IEDs in a substation environment. Specific embodiments of the disclosed techniques are based on each of two statistical principles: a) the correlation between signals at two different points in the electric power substation and b) the Mahalanobis distance between the two signals.
[0030] To compute the correlation or Mahalanobis distance, coordination between two or more IEDs is required. The proposed techniques assume that the coordination between the IEDs is already established as a part of planning. The simulations described herein further assume that one of the IEDs in coordination is secure and free from cyber-attack while the other is under attack. Using the disclosed techniques, an attack on sampled values can be detected and the intentional tripping of protection devices under normal operating conditions can be prevented.
[0031] As shown below, the disclosed techniques are robust against many kinds of manipulation in sampled values. The techniques are measurement based, and do not require any system model for anomaly detection in the sampled values. The techniques are applicable to the digital substation environment, and are best suited for enhancement of cyber-security.
[0032] The techniques disclosed herein for detection of sample-value attacks are based on coordination of measurements from at least two IEDs or other monitoring devices. More particularly, some embodiments of the proposed sample-value threat detection algorithms utilize the current measurements from the two IEDs. The IEDs can either be on the same substation or on different substations. However, to avoid a communications bottleneck, measurements at the same substation may usually be considered.
[0033] The coordination scheme is based on the observability of a fault by the IEDs in coordination. For example, two IEDs that observe the same fault will carry the signature of the fault in their respective measurements. As a result, they can coordinate together in the detection of a sample-value attack.
[0034] The techniques described herein are based on the calculation of dissimilarity metrics corresponding to the sampled values observed by the two monitoring devices. These dissimilarity metrics are functions of the covariances of the sampled-value series observed by the monitoring devices. By comparing the dissimilarity metrics to an appropriate threshold, an attack on the sampled values can be detected. Detailed examples of these techniques are described below, based on two schemes for detection of sample-value attacks: a correlation-based scheme and a scheme based on the computation of Mahalanobis distances.
[0035] A first group of techniques is based on the calculation of dissimilarity metrics that are in turn based on the correlation between the sample value streams for two (or more) monitored points in the electric power system. The correlation between two random variables is defined as the ratio of covariance between the two and the product of their standard deviations. If x and y are the two random variables, then the correlation coefficient ($\rho_{xy}$) between the two is given by:
$$\rho_{xy} = \frac{\operatorname{cov}(x, y)}{\sigma_x \sigma_y}$$
where $\sigma_x$, $\sigma_y$ are the standard deviations of x and y, respectively. For sampled values, the correlation coefficients are based on the estimates of the covariance and standard deviation of the samples. In this case, the correlation coefficient is computed as follows:
Figure imgf000008_0001
where $r_{xy}$ is the correlation coefficient, n is the number of samples, and $\mu_x$, $\mu_y$ are sample means of x and y, respectively.
[0036] Figure 1 is a block diagram illustrating a correlation-based scheme for detecting attacks on sampled-value data. Let SV1 and SV2 be the series of sampled values of signals from the merging units (MUs) of a first IED, IED1, and second IED, IED2, under coordination. The latest sample value for each series is appended into one of two buffer locations 110, while the oldest entry is discarded, so that buffer size remains fixed. The buffer size can be configured for samples corresponding to half, full or any fraction of a cycle. A minimum buffer size of samples corresponding to a half-cycle of the monitored signals provides robustness to the algorithm, thus a moving window of samples corresponding to a half-cycle is considered. The correlation coefficient is computed between the buffer sample of IED1 (x) and IED2 (y), in correlation computation block 120. The correlation coefficients are stored in another buffer 130 of correlation coefficients, which has the same size as each of buffers 110. A moving average filter followed by a detection method is applied on these coefficients to determine the attack, in detection block 140. In the illustrated example, a value of zero in the output indicates no attack, whereas a value equal to one is indicative of an attack. Of course, the coding of these values is arbitrary; the opposite coding (i.e., a value of zero indicates an attack) could be used.
[0037] Figure 2 is a block diagram illustrating the inputs and outputs for a correlation-based attack detection unit, here designated a "CorrDet" unit 200. As detailed below, this unit may be implemented as part of an IED, such as IED1 or IED2 of Figure 1, as part of another monitoring device, or as part of another computer/device that has access to the sample value streams for each of the monitored points.
[0038] Table 1, below, provides details for these inputs and outputs. Inputs to the CorrDet unit 200 include sample value streams for first and second monitored points in the electric power system. In this case, the sample value streams, designated I IED1 and I IED2, are current sample values for first and second IEDs. These inputs are designated as "analog" inputs in Figure 2, as they correspond to analog signal values. These values may be represented as floating point values, in some embodiments. The output from CorrDet unit, CorrDet Out, is a Boolean (binary) value indicating whether an attack on either of the sample value streams is detected.

| I/O | Name | Type | Description | Comment |
| --- | --- | --- | --- | --- |
| Input | I IED1 | Analog (Float) | Real time sampled value of current from MU of IED1 | SV stream or sensor measurements |
| Input | I IED2 | Analog (Float) | Real time sampled value of current from MU of IED2 | |
| Output | CorrDet Out | Boolean | 1: Attack; 0: no Attack | |

Table 1: Input/output of Correlation Detection Unit (CorrDet)
[0039] The details of an example algorithm for correlation-based attack detection follow. This algorithm utilizes a buffer of n samples for each of two monitored points in the electric power system, each buffer comprising a moving window of sample values for the respective monitored point. For each new sample, a correlation coefficient is computed over the moving windows of n samples. The steps involved in the algorithm are illustrated in Figure 3 and described in detail as follows:
[0040] Step 1 : Initialize each buffer of n samples (minimum half cycle), for signal x and signal y, with zeroes. This is shown at block 310 of Figure 3.
[0041] Step 2: Once a new sample arrives for each monitored point, update the latest entry in the corresponding buffer with the new sample and drop the oldest buffer element. This is shown at block 320. Note that block 322 indicates that sample values of the current waveform from a first monitored point correspond to an attacked relay, which means that the sample values have been altered by an attacker. Block 324 indicates that sample values of the current waveform from a second monitored point are also received; these sample values are assumed not to have been attacked in the illustrated process flow.
[0042] Step 3: Compute the correlation coefficient for the two buffers of n values, e.g., using Equation (2) above. The result is stored in a new buffer, also having a moving window of the n most recent values. This is shown at block 330.
[0043] Step 4: Compute the moving average $\bar{r}_{xy}$ of the correlation coefficients (the average of the n most recent values), for the latest sample, and maintain an n-size buffer of $\bar{r}_{xy}$ by adding the latest to the buffer while discarding the oldest. This is shown at block 340.
[0044] Step 5: Count the number k of elements in the buffer of $\bar{r}_{xy}$ for which the absolute value of $\bar{r}_{xy}$ is less than a predetermined threshold, e.g., where $|\bar{r}_{xy}| < \varepsilon$. An example threshold value might be 0.85. This is shown at block 350.
[0045] Step 6: If the number k is greater than a predetermined number or, equivalently, if the ratio of k to n is greater than a predetermined threshold (i.e., $k/n > \alpha$), then an attack is detected, and an alarm is triggered, as shown at blocks 360 and 370. If no attack is detected, the process flow repeats for the next sample value. An example threshold for the ratio k/n is 0.95.
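The six steps above can be exercised end to end with the following added example, which is not code from the patent. It assumes the standard sample (Pearson) correlation coefficient for Step 3, a warm-up of 3n samples before any alarm is reported (so the zero-initialized buffers cannot raise a false alarm), and constructed test waveforms; all class and function names are hypothetical.

```python
import math
import random
from collections import deque

N = 40  # half cycle at 80 samples per cycle (sampling rate used in the simulations)


def pearson(x, y):
    """Sample correlation coefficient of two equal-length windows."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx <= 0.0 or syy <= 0.0:
        return 0.0  # flat window carries no waveform to compare: treat as uncorrelated
    return sxy / math.sqrt(sxx * syy)


class CorrDet:
    """Correlation-based detector following Steps 1-6 (eps and alpha are the example thresholds)."""

    def __init__(self, n=N, eps=0.85, alpha=0.95):
        self.n, self.eps, self.alpha = n, eps, alpha
        # Step 1: zero-initialized moving windows for both signals and both derived series.
        self.x = deque([0.0] * n, maxlen=n)
        self.y = deque([0.0] * n, maxlen=n)
        self.r = deque([0.0] * n, maxlen=n)
        self.r_avg = deque([0.0] * n, maxlen=n)
        self.seen = 0

    def update(self, x_new, y_new):
        """Feed one sample per stream; return True when an attack is flagged."""
        self.x.append(x_new)                       # Step 2: deque drops the oldest entry
        self.y.append(y_new)
        self.r.append(pearson(self.x, self.y))     # Step 3
        self.r_avg.append(sum(self.r) / self.n)    # Step 4: moving average of r
        self.seen += 1
        if self.seen < 3 * self.n:
            return False  # assumption: stay silent until all three buffer stages are filled
        k = sum(1 for v in self.r_avg if abs(v) < self.eps)  # Step 5
        return k / self.n > self.alpha                        # Step 6


def make_noise_attack_streams(total=1000, start=400, stop=800, seed=7):
    """Constructed data: y is the trusted stream; x is replaced by Gaussian noise in [start, stop)."""
    rng = random.Random(seed)
    xs, ys = [], []
    for i in range(total):
        theta = 2 * math.pi * i / 80
        ys.append(0.9 * math.sin(theta + 0.05))
        xs.append(rng.gauss(0.0, 1.0) if start <= i < stop else math.sin(theta))
    return xs, ys


def run_corrdet(xs, ys, **kwargs):
    """Run the detector over two aligned streams and return the per-sample alarm flags."""
    det = CorrDet(**kwargs)
    return [det.update(a, b) for a, b in zip(xs, ys)]


if __name__ == "__main__":
    xs, ys = make_noise_attack_streams()
    alarms = run_corrdet(xs, ys)
    print("first alarm at sample", alarms.index(True), "(injection starts at 400)")
    print("alarm active at end of run:", alarms[-1])
```

Because the alarm needs more than 95% of the buffered averages below the threshold, detection lags the start of the injection by up to three window lengths, and the alarm clears by itself after the stream returns to normal.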
[0046] It will be appreciated that many variations of the process illustrated in Figure 3 are possible. For instance, Step 4 describes a moving average computation in which the n most recent values of the correlation coefficients are averaged, to obtain the moving average value $\bar{r}_{xy}$. This requires that the n most recent values of the correlation coefficients be stored, e.g., in a moving window buffer. It will be appreciated that this computation is but one example of a low-pass filtering of the correlation coefficients. In a variant of this approach, a new filtered average value might be computed according to
Figure imgf000010_0002
where $\bar{r}_{xy}^{(i)}$ is the new filtered average value, corresponding to received sample value i, $\bar{r}_{xy}^{(i-1)}$ is the preceding filtered average value, and $r_{xy}^{(i)}$ is the most recent correlation value. n is the memory length for the filter in this approach, which in this case corresponds to the length of the sample value buffers. Note that in this approach, it is not necessary to keep a buffer of the coefficient values $r_{xy}$.
[0047] Other variations, utilizing computations and detection schemes that are mathematically equivalent to those described above and/or that refine the straightforward filtering and detection schemes described above, are also possible.
[0048] A second group of techniques is based on the calculation of dissimilarity metrics that are in turn based on the Mahalanobis distance between sample values for one monitored point in the electric power system and a corresponding series of sample values for another monitored point. The Mahalanobis distance statistically measures the distance of data points from a common point. The difference between Euclidean distance and Mahalanobis distance is that the correlation among the points is taken into account by the latter. Let x and y be the vectors of two random variables of size n each. Assume x is the reference vector, then the square of the Mahalanobis distance ($D_M^2$) is given by:
$$D_M^2 = (y - E[x])^T \Sigma_x^{-1} (y - E[x]) \quad (3)$$
where E[x] is the expectation of x and $\Sigma_x$ is the covariance of observations in x.
[0049] If the expected value of data samples in the reference vector is $\mu_x$, then the squared Mahalanobis distance for each point in y is expressed as:
Figure imgf000011_0001
The mean squared distance is given by:
Figure imgf000011_0002
[0050] Assuming that $(y_j - \mu_x)$ is modelled with a Gaussian distribution, then $D_{M,j}^2$ will be a $\chi^2$ distribution with one degree of freedom and $\bar{D}_M^2$ will be a $\chi^2$ distribution with n degrees of freedom, divided by n. In this case, $\bar{D}_M^2$ will be upper bounded by
Figure imgf000011_0003
where P is the probability, and $\chi^2(P, n)$ is the inverse $\chi^2$ cumulative distribution function (CDF) with n degrees of freedom. The expression is particularly true when y is statistically close to x. In this case γ=1, otherwise γ can be tuned, based on fault level of signals.
[0051] One heretofore unmet challenge relating to the correlation-based attack detection scheme described above is that it can fail to detect the case where an attacker manipulates a sample value signal by simply amplifying its magnitude, without any change in the frequency or shape of the waveform. A Mahalanobis-distance-based scheme can be efficiently applied to detect such attacks.
[0052] A block diagram of this scheme is shown in Figure 4. As seen in the figure, the design of this scheme is similar to that of correlation based scheme of Figure 1, except that the correlation computation in block 120 in the previous scheme is replaced by a Mahalanobis distance computation block 420, and a detection block 440 is modified accordingly.
[0053] Let x be the buffer of samples for a first monitored point, e.g., from a reference IED referred to as IED1, while y is the buffer of the samples from a second monitored point, e.g., as collected by IED2. The mean and variance of x are computed, and then, for each sample in y, the squared Mahalanobis distance $D_{M,j}^2$ is computed. The mean $\bar{D}_M^2$ of this squared distance is computed for each sample, and the results stored over a moving window. An example window length is one cycle of the monitored signal. These stored results are then compared with a predetermined threshold. If, in a window, more than a predetermined fraction, e.g., 95% (β = 5%), of the samples have a mean-squared distance below the predetermined threshold, then the sample value streams are valid. Otherwise there has been an attack on one of the streams.
[0054] Figure 5 illustrates the analog inputs and digital output for an attack detection unit based on Mahalanobis distances, here designated a "MahaDet" unit 500. Like the CorrDet unit described above, this unit may be implemented as part of an IED or other monitoring device, or in another computer/device that has access to the sample value streams for each of the monitored points.
[0055] Table 2, below, provides details for these inputs and outputs. Inputs to the MahaDet unit 500 include sample value streams for first and second monitored points in the electric power system. In this case, the sample value streams, designated I IED1 and I IED2, are current sample values for first and second IEDs. These inputs are designated as "analog" inputs in Figure 5, as they correspond to analog signal values. These values may be represented as floating point values, in some embodiments. The output from MahaDet unit, MahaDet Out, is a Boolean (binary) value indicating whether an attack on either of the sample value streams is detected.
Figure imgf000012_0001
(Float) MU of IED2
Output MahaDet Out Boolean 1 : Attack; 0: no Attack
Table 2: Input/output of Mahalanobis-Distance Detection Unit (MahaDet)
[0056] Figure 6 is a flowchart illustrating the details of an example algorithm for attack detection based on Mahalanobis distance computation. Like the correlation-based algorithm described above, this algorithm utilizes a buffer of n samples for each of two monitored points in the electric power system, each buffer comprising a moving window of sample values for the respective monitored point. For each new sample, a squared Mahalanobis distance is computed over the moving windows of n samples. The steps involved in the algorithm are described in detail as follows:
[0057] Step 1 : Initialize each buffer of n samples (minimum half-cycle), for signal x and signal y, with zeroes. This is shown at block 610.
[0058] Step 2: Once a new sample arrives for each monitored point, update the latest entry in the corresponding buffer with the new sample and drop the oldest buffer element. This is shown at block 620. Note that block 622 indicates that sample values of the current waveform from a first monitored point correspond to an attacked relay, which means that the sample values have been altered by an attacker. Block 624 indicates that sample values of the current waveform from a second monitored point are also received; these sample values are assumed not to have been attacked in the illustrated process flow.
[0059] Step 3: Compute the mean and variance of x, and compute the squared Mahalanobis distance ($D_{M,j}^2$) of each element in y, with respect to the values in x. This is shown at block 630.
[0060] Step 4: Compute the mean-squared distance ($\bar{D}_M^2 = \frac{1}{n}\sum_{j=1}^{n} D_{M,j}^2$) for the latest sample and maintain a buffer of the current and previous n-1 mean-squared distances $\bar{D}_M^2$. This is shown at block 640.
[0061] Step 5: Count the number k of elements in the buffer of $\bar{D}_M^2$ for which $\bar{D}_M^2 > \gamma \frac{\chi^2(P, n)}{n}$. (Note that γ=1 when x and y are statistically similar.) This is shown at block 650.
[0062] Step 6: If the number k is greater than a predetermined number or, equivalently, if the ratio of k to n is greater than a predetermined threshold (i.e., $k/n > \beta$), then an attack is detected, and an alarm is triggered, as shown at blocks 660 and 670. If no attack is detected, the process flow repeats for the next sample value. An example threshold for the ratio k/n is 0.05.
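The Mahalanobis-distance steps above, applied to the amplification case that the correlation-based scheme can miss, are shown in the following added example (not code from the patent). It assumes P = 0.95, γ = 1, the population variance of the reference window, a Wilson-Hilferty approximation for the inverse χ² CDF, a warm-up of 2n samples, and constructed waveforms; all names are hypothetical.

```python
import math
from collections import deque
from statistics import NormalDist

N = 40  # half cycle at 80 samples per cycle


def chi2_inv(p, dof):
    """Inverse chi-square CDF via the Wilson-Hilferty approximation (an approximation, not exact)."""
    z = NormalDist().inv_cdf(p)
    c = 2.0 / (9.0 * dof)
    return dof * (1.0 - c + z * math.sqrt(c)) ** 3


def mean_sq_mahalanobis(x, y):
    """Steps 3-4: mean over y_j of (y_j - mu_x)^2 / var_x, with x as the reference window."""
    n = len(x)
    mu = sum(x) / n
    var = sum((v - mu) ** 2 for v in x) / n
    sq = sum((v - mu) ** 2 for v in y) / n
    if var <= 0.0:
        # Flat reference window: any deviation in y is infinitely far away.
        return 0.0 if sq == 0.0 else math.inf
    return sq / var


class MahaDet:
    """Mahalanobis-distance detector following Steps 1-6 (beta is the example threshold)."""

    def __init__(self, n=N, gamma=1.0, p=0.95, beta=0.05):
        self.n, self.beta = n, beta
        self.threshold = gamma * chi2_inv(p, n) / n   # bound on the mean-squared distance
        # Step 1: zero-initialized moving windows.
        self.x = deque([0.0] * n, maxlen=n)
        self.y = deque([0.0] * n, maxlen=n)
        self.d = deque([0.0] * n, maxlen=n)
        self.seen = 0

    def update(self, x_new, y_new):
        """Feed one sample per stream (x is the reference); return True when an attack is flagged."""
        self.x.append(x_new)                                   # Step 2
        self.y.append(y_new)
        self.d.append(mean_sq_mahalanobis(self.x, self.y))     # Steps 3 and 4
        self.seen += 1
        if self.seen < 2 * self.n:
            return False  # assumption: stay silent until both buffer stages hold real data
        k = sum(1 for v in self.d if v > self.threshold)       # Step 5
        return k / self.n > self.beta                          # Step 6


def make_amplified_streams(total=1000, start=400, stop=800, gain=3.0):
    """Constructed data: x is the trusted reference; y is scaled by `gain` in [start, stop)."""
    xs, ys = [], []
    for i in range(total):
        theta = 2 * math.pi * i / 80
        xs.append(math.sin(theta))
        y = 0.9 * math.sin(theta + 0.05)
        ys.append(gain * y if start <= i < stop else y)
    return xs, ys


def run_mahadet(xs, ys, **kwargs):
    """Run the detector over two aligned streams and return the per-sample alarm flags."""
    det = MahaDet(**kwargs)
    return [det.update(a, b) for a, b in zip(xs, ys)]


if __name__ == "__main__":
    xs, ys = make_amplified_streams()
    alarms = run_mahadet(xs, ys)
    print("threshold on mean-squared distance:", round(MahaDet().threshold, 3))
    print("first alarm at sample", alarms.index(True), "(amplification starts at 400)")
```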
[0063] It will be appreciated that many variations of the process illustrated in Figure 6 are possible. For instance, the algorithm above utilizes the squared Mahalanobis distance. Alternatively, the Mahalanobis distance may be used. Further, the above algorithm calculates a one-point to vector squared Mahalanobis distance for each sample value in the buffer of y. Alternative embodiments might utilize a calculation of the Mahalanobis distance (or squared Mahalanobis distance) between the vectors x and y, calculated each time the moving windows for x and y are updated. This calculation may be performed according to $d(x, y) = \sqrt{(x - y)^T S^{-1} (x - y)}$, for example, where $S^{-1}$ is the inverse of the covariance matrix for x and y. Other variations, utilizing computations and detection schemes that are mathematically equivalent to those described above and/or that refine the straightforward filtering and detection schemes described above, are also possible.
[0064] The two schemes described above may be combined, in some embodiments, e.g., by logically OR-ing the results of the respective schemes, to detect an attack on sampled values. Note that these schemes, together and/or separately, may also be used to detect sensor problems in an electric power system, such as sensor calibration issues. Either or both schemes may be combined with other fault verification schemes, including, for example, schemes based on the evaluation of fault transients.
[0065] One application of the techniques described herein is for enhancing the cyber security of the power grid at a substation. Figure 7 shows an example of two IEDs coordinating in order to detect a sample value attack in a substation. In this example, all IEDs are at the same voltage level and breakers are configured according to a one-and-a-half breaker scheme. In the example, all IEDs are capable of receiving sampled values from their own merging unit (MU) as well as MUs associated with other IEDs. It is assumed that an attacker can manipulate the sampled values associated with any of the IEDs, but not simultaneously. In the figure, IED1 and IED2 are shown to be coordinated for CorrDet and MahaDet blocks.
[0066] In Figure 7, the scheme is shown as implemented in IED1. However, in an actual scenario, the same scheme may be implemented in both IEDs, as well as in other IEDs under coordination. The illustrated scheme works as follows:
1) The fault detection logic detects a fault.
2) If the fault detection logic detects the fault and the CorrDet/MahaDet combined block detects a cyber-attack, a trip signal is not transmitted to a protection device associated with IED1.
3) If the fault detection logic detects the fault and the CorrDet/MahaDet block does not detect a cyber-attack, a trip signal is transmitted to a protection device associated with IED1, causing the protective device to interrupt the flow of current in a portion of the power system.
[0067] In the coordination scheme, whenever there is a flow of current to and from a bus, the IED associated with that bus coordinates with other IEDs. In case of no current flow, due to an open breaker, the coordination of the corresponding IED is not taken into consideration for attack detection. In this scenario, the status of the breaker may be verified through a generic object oriented substation event (GOOSE) message. If the status of the breaker is confirmed to be open, the output of the detection scheme from all IEDs using zero currents is blocked.
[0068] Figure 8 is a schematic illustrating a portion of a substation with a one-and-a-half breaker configuration. The illustrated portion of the substation consists of three breaker IEDs, IED CB12, IED CB13, and IED CB23; two line IEDs, IED2 and IED3; and one transformer IED, IED1. In the illustrated example, a single line to ground fault is simulated and the directions of current flows through different IEDs are shown by arrows.
[0069] Correlations are computed for every new sample over a moving window of a half cycle. The correlation between different IEDs during the fault transient is shown in Figures 9-12. It is clear from the figures that the correlation is valid between the IEDs during fault transient conditions. Hence, once the simulation is fully initialized (after the first half-cycle), the detection algorithm is robust against any operating condition of the power system.
[0070] Figures 13-20 illustrate simulation results for an example implementation of the schemes described above. This example is based on the coordination of current signals between two IEDs. Without loss of generality, any two IEDs which observe the same fault can be considered for coordination. As an example, we have considered the two IEDs at the two ends of a transmission line. The simulation is performed over a period of 1.0 second, with a sampling rate of 80 samples per cycle. A double line to ground fault is simulated during t=0.5 sec to 0.7 sec. During the time interval 0.156 sec to 0.35 sec, the samples of the current waveform (phase A) at one end of the transmission line are replaced by the samples from the following waveforms: a rectangular pulse, a triangular wave, random Gaussian noise, a copy of a fault, a square wave, and an amplification of magnitude. Figure 13 shows the injected signals along with the fault. A coordinated signal from the other end of the transmission line is shown in Figure 14.
[0071] In the event of no attack, the correlation coefficient should remain close to unity, because the two coordinated signals evolve from the same process. However, if one of the signals is manipulated by an attacker, the correlation coefficient drops, indicating that the two signals are either uncorrelated or weakly correlated. This is true because one of the signals does not follow the system process during the attack. A threshold value for detecting an attack is set, e.g., ε = 0.85. That is, if for a sample, the mean absolute value for the previous n samples is below 0.85, we can suspect this sample as an attack. A single suspect sample may not always indicate an attack because the correlation coefficient may drop slightly during a transient caused by a fault. To avoid the false detection of an attack, a confidence bound is set on the samples of a moving window. Typically, a 95% confidence is considered for statistical analysis, so the results illustrated in Figures 15-20 are based on a 95% confidence.
[0072] Figures 15-20 show the results of the detection algorithm for various sample value attacks. It is clear from Figures 15-19 that whenever there is an attack corresponding to these figures, the correlation goes down significantly, and the algorithm can easily identify the attack. However, in Figure 20, which corresponds to the case of an attack that comprises only signal magnitude amplification, the algorithm fails to detect the attack. In this case, the high amplitude of current may confuse the protective devices into detecting a fault. To detect an attack in this situation, the method based on Mahalanobis distance may be applied. The method is statistical in nature and very efficient in detecting an attack that is caused by change in amplitude.
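The Python sketch below is an added example, not code from the patent. It runs the correlation check and a one-dimensional squared-Mahalanobis check on constructed per-unit waveforms, OR-s the two results, and applies the trip-blocking rule of the Figure 7 scheme. The 80 samples per cycle, half-cycle window, ε = 0.85 and 95% figure come from the text; the buffer length, the one-cycle Mahalanobis window and its limit (alarm when the averaged distance is above it), the overcurrent pickup, and modelling a genuine fault as the same rise at both ends are assumptions.

```python
import math
import random
from collections import deque

SPC = 80            # samples per cycle (from the text)
HALF = SPC // 2     # half-cycle correlation window (from the text)
EPS = 0.85          # correlation threshold (from the text)
CONF = 0.95         # share of buffered metrics that must breach (from the text)
BUF = 40            # consecutive metrics examined per decision (assumed)
MAHA_WIN = SPC      # Mahalanobis reference window, one cycle (assumed)
MAHA_LIMIT = 4.0    # limit on mean squared distance (assumed)
PICKUP = 2.0        # overcurrent pickup in per unit (assumed)


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb) if va > 0 and vb > 0 else 0.0


def moving_mean(values, n):
    out, acc = [], 0.0
    for i, v in enumerate(values):
        acc += v
        if i >= n:
            acc -= values[i - n]
        if i >= n - 1:
            out.append(acc / n)
    return out


def sustained(flags):
    # True once at least CONF of BUF consecutive metrics breach the threshold.
    window, hits = deque(maxlen=BUF), 0
    for flag in flags:
        if len(window) == BUF:
            hits -= window[0]
        window.append(flag)
        hits += flag
        if len(window) == BUF and hits >= CONF * BUF:
            return True
    return False


def corr_alarm(local, remote):
    # |r| per new sample over a half-cycle window, then its moving average.
    r = [abs(pearson(local[i - HALF + 1:i + 1], remote[i - HALF + 1:i + 1]))
         for i in range(HALF - 1, len(local))]
    return sustained(m < EPS for m in moving_mean(r, HALF))


def maha_alarm(local, remote):
    # Squared Mahalanobis distance of each local sample from the remote
    # window; in one dimension this is the squared z-score.
    d2 = []
    for i in range(MAHA_WIN - 1, len(local)):
        ref = remote[i - MAHA_WIN + 1:i + 1]
        mu = sum(ref) / MAHA_WIN
        var = sum((x - mu) ** 2 for x in ref) / (MAHA_WIN - 1)
        d2.append((local[i] - mu) ** 2 / var)
    return sustained(m > MAHA_LIMIT for m in moving_mean(d2, MAHA_WIN))


def evaluate(local, remote):
    corr, maha = corr_alarm(local, remote), maha_alarm(local, remote)
    attack = corr or maha                        # schemes OR-ed together
    fault = any(abs(x) > PICKUP for x in local)  # apparent fault at this IED
    # Whole-record decision for brevity: trip only if no attack alarm.
    return {"corr": corr, "maha": maha, "attack": attack,
            "fault": fault, "trip": fault and not attack}


def scenario(kind, n=1600, start=400, stop=1000, seed=7):
    # Constructed per-unit phase currents seen by two coordinated IEDs.
    rng = random.Random(seed)
    base = [math.sin(2 * math.pi * k / SPC) for k in range(n)]
    local = [s + rng.gauss(0, 0.02) for s in base]
    remote = [s + rng.gauss(0, 0.02) for s in base]
    for k in range(start, stop):
        if kind == "noise":        # local samples replaced by Gaussian noise
            local[k] = rng.gauss(0, 1.0)
        elif kind == "amplify":    # local magnitude amplified, shape intact
            local[k] *= 3.0
        elif kind == "fault":      # genuine event: both ends see the rise
            local[k] *= 3.0
            remote[k] *= 3.0
    return local, remote


RESULTS = {k: evaluate(*scenario(k)) for k in ("none", "noise", "amplify", "fault")}

if __name__ == "__main__":
    for name, res in RESULTS.items():
        print(f"{name:8s} {res}")
```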
[0073] It should be appreciated that the preceding detailed examples provide several methods for detecting attacks on sample values in an electric power system. Figure 21 is a process flow diagram illustrating a generalized method according to several of the example embodiments discussed above. The illustrated method is suitable for implementation in a first monitoring device in a power system, such as in an IED in a digital substation. The method might also be implemented in another computer/device in or associated with the digital substation, where the computer/device has access to sample value data for two or more monitoring points.
[0074] As shown at block 2110, the illustrated method includes the collecting of a first series of sampled current and/or voltage data for a first monitored point in the power system. The method further includes receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system. This is shown at block 2120. This second series of sampled current and/or voltage data corresponds in time to the first series.
[0075] As shown at block 2130, a series of dissimilarity metrics are calculated for the first and second series, where the dissimilarity metrics are based on the covariance of the first and second series. As demonstrated by the detailed examples provided above, these dissimilarity metrics may be based on correlations between the first and second series, or based on Mahalanobis distances between points in one series and points in the other series, for example. It should be appreciated that the "metric" referred to in the figure may correspond to any of several values utilized in a detection algorithm like those described above. For example, in a correlation-based scheme, the metric may correspond to a correlation value, to a mean correlation value, or to a fraction of mean correlation values that exceed a threshold value, among a series of buffered mean correlation values. Similarly, in a scheme based on Mahalanobis distances, the metric may correspond to a Mahalanobis distance value or a squared Mahalanobis distance value, to a mean Mahalanobis distance value or mean squared Mahalanobis distance value, or to a fraction of mean Mahalanobis distance values or mean squared Mahalanobis distance values that exceed a threshold value, among a series of buffered mean Mahalanobis distance values or mean squared Mahalanobis distance values.
[0076] As shown at block 2140, the method further includes comparing each of the dissimilarity metrics to a first threshold value. An alarm is triggered, as shown at block 2150, in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value. Note that it is possible that an increasing degree of dissimilarity may be represented by a decreasing value of the dissimilarity metric, depending on exactly how the dissimilarity metric is calculated.
[0077] The process illustrated generally in Figure 21 may be based on correlations between the first and second series of sample values, in some embodiments. Accordingly, in some embodiments, calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients. In some of these embodiments, the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In some others of these embodiments, the calculated moving-average correlations are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
[0078] In some of these correlation-based embodiments, calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, where the calculated percentages are the dissimilarity metrics. In others, calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, where the counted numbers are the dissimilarity metrics.
[0079] Other embodiments of the method illustrated in Figure 21 are based on Mahalanobis statistics, such as the Mahalanobis distance or squared Mahalanobis distance between points in the first series and second series. Thus, according to some embodiments, calculating the series of dissimilarity metrics comprises: calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
[0080] In some of these embodiments, the calculated moving-average distance statistics are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In other embodiments, the calculated moving-average distance statistics are the dissimilarity metrics, and determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
[0081] In others of these schemes based on Mahalanobis statistics, calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, where the calculated percentages are the dissimilarity metrics. In still others, calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, where the counted numbers are the dissimilarity metrics.
[0082] In various embodiments of the methods described above, the correlations or Mahalanobis statistics are computed from subsets of sample values, where each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
[0083] In any of the embodiments described above, the method may further include detecting an apparent electric fault, based on the first series of sampled current and/or voltage data, but refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm.
[0084] Monitoring devices configured to carry out any one or more of the methods illustrated above may be similar to existing IEDs, with appropriate modifications made to the processing circuits and/or interface circuits in or associated with the IED. An example monitoring device 2200 configured to carry out some of the disclosed methods is shown in Figure 22 and comprises a first interface circuit 2210 configured to receive sampled current and/or voltage data for a first monitored point in the power system. The same interface circuit 2210 or a different interface circuit is configured to receive, from a second monitoring device, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series corresponding in time with the first series.
[0085] Monitoring device 2200 further includes a processing circuit 2220, which, in some embodiments, is configured to detect a fault, using the sampled current and/or voltage data. The processing circuit 2200 is further configured to carry out one or more of the methods detailed above, in some embodiments.
[0086] The interface circuit 2210 in this example monitoring device comprises hardware and, when necessary, supporting software and/or firmware stored in a non-transitory computer readable medium, such as memory, for receiving digital sampled value data from one or several merging units and/or from a common process bus, depending on the system configuration. Interface circuit 2210 may be configured according to an industry standard, in some embodiments, or may implement a proprietary design, in others.
[0087] The processing circuit 2220 in Figure 22 may comprise one or more microprocessors, microcontrollers, digital signal processors, or the like, designated as processor(s) 2224 in Figure 22, coupled with or including one or more memory devices 2228, where the memory device 2228 is a non-transitory computer readable medium structured to store program code for carrying out all or a portion of one or more of the methods detailed above. In some embodiments, the processing circuit 2220 may also comprise additional digital hardware 2226 for carrying out one or more of the operations in the above-described methods.
[0088] The monitoring device 2200 shown in Figure 22 may be configured to carry out one or several of the methods described in detail above, as well as variants thereof. Thus, for example, in some embodiments the processing circuit 2220 is configured, e.g., with appropriate program code, to calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; compare each of the dissimilarity metrics to a first threshold value; and trigger an alarm in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value. It will be appreciated that processing circuit 2220 may be configured to carry out a correlation-based technique, or a technique based on Mahalanobis statistics, or a combination thereof, according to any of the various methods described above.
[0089] Embodiments of the techniques, apparatuses, and systems described above may be used to address emerging problems in power systems automation and control, and may provide several advantages over existing technology. More particularly, the disclosed techniques efficiently detect anomalies in sampled values, indicative of an attack on the sampled values. Once an attack is detected, an alarm may be triggered. For example, a trip blocking signal may be sent to a protective device, such as a circuit breaker, in order to prevent a wrongfully-induced tripping under normal operating conditions, or a message can also be sent to the system operator, through SCADA. These techniques thus improve the resiliency of the power grid against a cyber-attack.
[0090] Further written description of a number of exemplary embodiments shall now be provided. One embodiment is a method for detecting a false fault detection in a power system including a first monitoring device and a second monitoring device, the method comprising collecting a first series of power system electrical characteristic samples of the first monitoring device; detecting an apparent fault with a first monitoring device; receiving, from the second monitoring device, a second series of power system electrical characteristic samples, the second series of electrical characteristic samples corresponding in time to the first series; calculating a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; and triggering an alarm in response to determining the apparent fault is a false fault detection using the calculated dissimilarity metrics.
[0091] In certain forms of the foregoing method, calculating the series of dissimilarity metrics comprises: calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients. In certain forms, the dissimilarity metrics are the calculated moving-average correlations, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that a predefined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below a first threshold value. In certain forms, the dissimilarity metrics are the calculated moving-average correlations, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In certain forms, calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics. 
In certain forms, calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics. In certain forms, calculating the series of dissimilarity metrics comprises calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series. In certain forms, the dissimilarity metrics are the calculated moving-average distance statistics, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the dissimilarity metrics are the calculated moving-average distance statistics, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. 
In certain forms, calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics. In certain forms, calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics. In certain forms, each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power. In certain forms, triggering an alarm comprises refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault is a false fault detection.
[0092] Another exemplary embodiment is a power system comprising a first monitoring device including one or more interface circuits configured to collect a first series of power system electrical characteristic samples corresponding to a first monitored point in the power system, and to receive a second series of power system electrical characteristic samples corresponding to a second monitored point in the power system, the second series corresponding in time with the first series; and a signal processing circuit configured to detect an apparent fault using the first series; calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; and trigger an alarm in response to determining the apparent fault is a false fault detection using the calculated dissimilarity metrics.
[0093] In certain forms of the foregoing system, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients. In certain forms, the dissimilarity metrics are the calculated moving-average correlations, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In certain forms, the dissimilarity metrics are the calculated moving-average correlations, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. 
In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics. In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics. In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series. 
In certain forms, the dissimilarity metrics are the calculated moving-average distance statistics, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the dissimilarity metrics are the calculated moving-average distance statistics, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics. 
In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics. In certain forms, each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power. In certain forms, the signal processing circuit is configured to refrain from tripping a protection device associated with the first monitoring device upon determining that the detecting of the apparent fault is a false fault detection.
[0094] A further exemplary embodiment is a method, in a first monitoring device in a power system, the method comprising collecting a first series of sampled current and/or voltage data for a first monitored point in the power system; receiving, from a second monitoring device in the power system, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series of sampled current and/or voltage data corresponding in time to the first series; calculating a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; comparing each of the dissimilarity metrics to a first threshold value; and triggering an alarm in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
[0095] In certain forms of the foregoing method, calculating the series of dissimilarity metrics comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients. In certain forms, the calculated moving-average correlations are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In certain forms, the calculated moving-average correlations are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In certain forms, calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics. 
In certain forms, calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics. In certain forms, calculating the series of dissimilarity metrics comprises computing, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series. In certain forms, the calculated moving-average distance statistics are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the calculated moving-average distance statistics are the dissimilarity metrics, and wherein determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
In certain forms, calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics. In certain forms, calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics. In certain forms, each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power. In certain forms, the method further comprises detecting an apparent electric fault, based on the first series of sampled current and/or voltage data, but refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm.
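As an added illustration (not part of the application as filed and not the applicant's code), the following Python sketch implements the moving-average-correlation form described above, with the percentage vote over consecutive moving averages and the trip restraint. The window, moving-average and vote lengths, both thresholds, the overcurrent pickup, the hold time and the sample records are constructed assumptions.

```python
import math
from collections import deque

# Constructed settings (assumptions, not values from the patent): 80 samples per
# cycle, so a 40-sample window is the half cycle the text asks for.
DEFAULTS = dict(window=40, ma_len=10, vote_len=10, vote_pct=80.0, threshold=0.8)


def pearson(x, y):
    """Correlation coefficient of two equal-length windows (normalised covariance)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0.0 or vy == 0.0:
        return 0.0  # a flat window has no shape to compare: score it as dissimilar
    return cov / math.sqrt(vx * vy)


class DissimilarityMonitor:
    """Streaming check: windowed correlation -> moving average -> vote over recent values."""

    def __init__(self, window, ma_len, vote_len, vote_pct, threshold):
        self.x = deque(maxlen=window)        # subset of the first series
        self.y = deque(maxlen=window)        # corresponding subset of the second series
        self.coeffs = deque(maxlen=ma_len)   # current coefficient plus ma_len - 1 preceding
        self.votes = deque(maxlen=vote_len)  # True where a moving average is below threshold
        self.vote_pct = vote_pct
        self.threshold = threshold

    def update(self, a, b):
        """Feed one time-aligned sample pair; return True while the alarm condition holds."""
        self.x.append(a)
        self.y.append(b)
        if len(self.x) < self.x.maxlen:
            return False
        self.coeffs.append(pearson(self.x, self.y))
        if len(self.coeffs) < self.coeffs.maxlen:
            return False
        moving_avg = sum(self.coeffs) / len(self.coeffs)
        self.votes.append(moving_avg < self.threshold)
        if len(self.votes) < self.votes.maxlen:
            return False
        return 100.0 * sum(self.votes) / len(self.votes) >= self.vote_pct


def supervise(first, second, pickup=4.0, hold=80, **params):
    """Decide what to do with an apparent fault seen in `first`.

    `pickup` (overcurrent level) and `hold` (samples the trip is held back while the
    alarm is checked) are assumptions of this sketch.
    """
    monitor = DissimilarityMonitor(**{**DEFAULTS, **params})
    fault_at, alarm_seen = None, False
    for i, (a, b) in enumerate(zip(first, second)):
        alarm = monitor.update(a, b)
        alarm_seen = alarm_seen or alarm
        if fault_at is None and abs(a) > pickup:
            fault_at = i  # apparent fault, judged from the first series only
        if fault_at is not None:
            if alarm:
                return "block_trip"  # apparent fault coincides with the alarm
            if i - fault_at >= hold:
                return "trip"  # the second device saw the same waveform
    if fault_at is not None:
        return "undecided"  # record ended before the hold elapsed
    return "alarm_only" if alarm_seen else "no_fault"


def constructed_record(kind, n=480, start=240, spc=80):
    """Constructed per-unit current samples for two devices on the same circuit."""
    first, second = [], []
    for i in range(n):
        theta = 2 * math.pi * i / spc
        amp = 8.0 if kind == "real_fault" and i >= start else 1.0
        current = amp * math.sin(theta)
        a = current
        b = 0.98 * current + 0.02 * math.sin(7.3 * i)  # small deterministic mismatch
        if i >= start and kind == "spoofed_fault":
            a = 8.0 * math.cos(theta)  # fault-like data present in the first stream only
        if i >= start and kind == "frozen_sensor":
            b = 0.5  # second sensor stuck at one value
        first.append(a)
        second.append(b)
    return first, second


if __name__ == "__main__":
    for kind in ("normal", "real_fault", "spoofed_fault", "frozen_sensor"):
        print(kind, supervise(*constructed_record(kind)))
```

Because the correlation coefficient is scale-invariant, a genuine fault that both devices observe keeps the metric near 1 even though the amplitude changes eightfold, while data that appears in only one stream, or a stuck sensor, drives it below the threshold.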
[0096] A further exemplary embodiment is a first monitoring device for use in a power system, the monitoring device comprising one or more interface circuits configured to collect a first series of sampled current and/or voltage data for a first monitored point in the power system and to receive, from a second monitoring device, a second series of sampled current and/or voltage data for a second monitored point in the power system, the second series corresponding in time with the first series; and a signal processing circuit configured to calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; compare each of the dissimilarity metrics to a first threshold value; and trigger an alarm in response to determining that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity, as represented by the first threshold value.
[0097] In certain forms of the foregoing device, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients. In certain forms, the calculated moving-average correlations are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. In certain forms, the calculated moving-average correlations are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value. 
In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics. In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics. In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises computing, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
In certain forms, the calculated moving-average distance statistics are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the calculated moving-average distance statistics are the dissimilarity metrics, and wherein the signal processing circuit is configured to determine that said comparing indicates a dissimilarity between the first and second series that exceeds a target dissimilarity by determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value. In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics. 
In certain forms, the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics. In certain forms, each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power. In certain forms, the signal processing circuit is configured to detect an apparent electric fault, based on the first series of sampled current and/or voltage data, but is further configured to refrain from tripping a protection device associated with the first monitoring device upon determining that the detecting of the apparent electric fault corresponds with the triggered alarm.
[0098] Detailed examples of several embodiments of the present invention have been described above. Of course, it should be understood that the present invention is not limited to any particular example given in the foregoing description, nor is it limited by the accompanying drawings. Instead, the present invention is limited only by the following claims and their legal equivalents. In the claims and discussion that follows, terms such as "first", "second", and the like, are used to differentiate between several similar elements, regions, sections, etc., and are not intended to imply a particular order or priority unless the context clearly indicates otherwise. Furthermore, as used herein, the terms "having", "containing", "including", "comprising" and the like are open-ended terms that indicate the presence of stated elements or features but that do not preclude additional elements or features. The articles "a", "an" and "the" are intended to include the plural as well as the singular, unless the context clearly indicates otherwise. Like terms refer to like elements throughout the description.

Claims

What is claimed is:
1. A method for detecting a false fault detection in a power system including a first monitoring device and a second monitoring device, the method comprising:
collecting a first series of power system electrical characteristic samples of the first monitoring device;
detecting an apparent fault with a first monitoring device;
receiving, from the second monitoring device, a second series of power system electrical characteristic samples, the second series of electrical characteristic samples corresponding in time to the first series;
calculating a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; and
triggering an alarm in response to determining the apparent fault is a false fault detection using the calculated dissimilarity metrics.
2. The method of claim 1, wherein calculating the series of dissimilarity metrics comprises:
calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and
calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
3. The method of claim 2, wherein the dissimilarity metrics are the calculated moving-average correlations, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that a predefined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below a first threshold value.
4. The method of claim 2, wherein the dissimilarity metrics are the calculated moving-average correlations, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
5. The method of claim 2, wherein calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
6. The method of claim 2, wherein calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
7. The method of claim 1, wherein calculating the series of dissimilarity metrics comprises:
calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and
calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
8. The method of claim 7, wherein the dissimilarity metrics are the calculated moving-average distance statistics, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
9. The method of claim 7, wherein the dissimilarity metrics are the calculated moving-average distance statistics, and wherein using the calculated dissimilarity metrics to determine the detected fault is a false fault detection comprises determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
10. The method of claim 7, wherein calculating the series of dissimilarity metrics further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
11. The method of claim 7, wherein calculating the series of dissimilarity metrics further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
12. The method of any of claims 2-11, wherein each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
13. The method of any of claims 1-12, wherein triggering an alarm comprises refraining from tripping a protection device associated with the first monitoring device, upon determining that the detecting of the apparent electric fault is a false fault detection.
14. A power system comprising:
a first monitoring device including:
one or more interface circuits configured to collect a first series of power system electrical characteristic samples corresponding to a first monitored point in the power system, and to receive a second series of power system electrical characteristic samples corresponding to a second monitored point in the power system, the second series corresponding in time with the first series; and
a signal processing circuit configured to:
detect an apparent fault using the first series;
calculate a series of dissimilarity metrics for the first and second series, wherein the dissimilarity metrics are based on the covariance of the first and second series; and
trigger an alarm in response to determining the apparent fault is a false fault detection using the calculated dissimilarity metrics.
15. The system of claim 14, wherein the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises:
calculating a series of correlation coefficients from the first and second series, each correlation coefficient indicating a correlation between a subset of the first series and a corresponding subset of the second series; and
calculating a moving-average correlation corresponding to each correlation coefficient in the series of correlation coefficients, based on the correlation coefficient and at least a predetermined number of preceding correlation coefficients in the series of correlation coefficients.
16. The system of claim 15, wherein the dissimilarity metrics are the calculated moving-average correlations, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined percentage of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
17. The system of claim 15, wherein the dissimilarity metrics are the calculated moving-average correlations, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined number of moving-average correlations among a predetermined number of consecutive moving-average correlations are below the first threshold value.
18. The system of claim 15, wherein the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average correlations, a percentage of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
19. The system of claim 15, wherein the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average correlations, a number of moving-average correlations, among the moving-average correlation and a predetermined number of consecutive moving-average correlations preceding the moving-average correlation, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
20. The system of claim 14, wherein the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating comprises:
calculating, for each value in one of the first and second series, a Mahalanobis statistic for the value, with respect to a corresponding subset of values in the other one of the first and second series; and
calculating, for each Mahalanobis statistic, a moving-average distance statistic based on the Mahalanobis statistic and Mahalanobis statistics for at least a predetermined number of values in the other one of the first and second series.
21. The system of claim 20, wherein the dissimilarity metrics are the calculated moving-average distance statistics, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined percentage of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
22. The system of claim 20, wherein the dissimilarity metrics are the calculated moving-average distance statistics, and wherein the signal processing circuit is configured to use the calculated dissimilarity metrics to determine the detected fault is a false fault detection by determining that at least a predetermined number of moving-average distance statistics among a predetermined number of consecutive moving-average distance statistics are below the first threshold value.
23. The system of claim 20, wherein the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises calculating, for each of the moving-average distance statistics, a percentage of moving-average correlations, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistic, that are below a second threshold value, and wherein the calculated percentages are the dissimilarity metrics.
24. The system of claim 20, wherein the signal processing circuit is configured to calculate the series of dissimilarity metrics such that said calculating further comprises counting, for each of the moving-average distance statistics, a number of moving-average distance statistics, among the moving-average distance statistics and a predetermined number of consecutive moving-average distance statistics preceding the moving-average distance statistics, that are below a second threshold value, and wherein the counted numbers are the dissimilarity metrics.
25. The system of any of claims 15-24, wherein each subset comprises a time-series of samples corresponding to at least a half cycle of monitored electric power.
26. The system of any of claims 14-25, wherein the signal processing circuit is configured to refrain from tripping a protection device associated with the first monitoring device upon determining that the detecting of the apparent fault is a false fault detection.
PCT/US2016/030407 2015-04-30 2016-05-02 Detecting cyber-attacks and sensor failures in digital substations WO2016176682A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562154831P 2015-04-30 2015-04-30
US62/154,831 2015-04-30

Publications (1)

Publication Number Publication Date
WO2016176682A1 true WO2016176682A1 (en) 2016-11-03

Family

ID=57198863

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/030407 WO2016176682A1 (en) 2015-04-30 2016-05-02 Detecting cyber-attacks and sensor failures in digital substations

Country Status (1)

Country Link
WO (1) WO2016176682A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16787306

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16787306

Country of ref document: EP

Kind code of ref document: A1