Model-Based Detection of Coordinated Attacks (DCA) in Distribution Systems

The fast-paced growth in digitization of smart grid components enhances system observability and remote-control capabilities through efficient communication. However, enhanced connectivity results in heightened system vulnerability towards cybersecurity risks in the cyber-physical power system. Coordinated cyber-attacks (CCA), when undetected, lead to system-wide impact in terms of large disturbances or widespread outages. Detecting CCA in the cyber layer is critical to thwart cyber-attacks in real-time before the attack impacts the physical system. The challenge of locating CCA stems from the complex grid dynamics, making it difficult to distinguish between normal operational variations and cyber-attack impact. CCA often employs multiple attack vectors targeting geographically distributed components, further complicating CCA identification. Existing research in intrusion detection is primarily focused on the transmission network and limited to detecting individual attacks. In this paper, a novel proactive DCA strategy is proposed for early detection of CCA by establishing correlations among distinct attack events through model-based reinforcement learning that utilizes abductive reasoning to conclude the attacker goal. The solution includes understanding the system model, learning the system dynamics, and correlating individual cyber-attacks to extract the attacker's objective. The developed learning algorithm identifies the most probable attack path to reach the attacker's objective by predicting the next attack steps. A DNP3-based cyber-physical co-simulation testbed is developed to test the proposed algorithm using the IEEE 13-node test feeder.