A watchdog model for physics-based anomaly detection in digital substations

The security of cyber-physical systems (CPS) presents new challenges stemming from computations that work primarily with live physics data. Although there is a body of previous research on detection of malware on CPS, more effective designs are needed to address limitations such mimicry attacks and other forms of evasive techniques. Relay algorithms in particular, such as differential and harmonic protection algorithms, are essential to protecting physical equipment such as power transformers from faults. Relay algorithms, though, are often disabled, altered, or otherwise suppressed by malware. In this paper, we first provide background on the main types of failures that may occur in an electrical power substation after relay algorithms are disabled by malware. We also provide some initial insights into malware methods that involve physics -informed data manipulations, which in turn may lead to power outages and physical damage to power transformers. We then describe the design of a watchdog algorithm that is continuously on the look out for anomalies in the execution time of relay algorithms along with their associated performance counters. We implemented the watchdog approach in Python, and evaluated it empirically on emulations of differential and harmonic protection algorithms on a computing machine.