Online Detection of Stealthy False Data Injection Attacks in Power System State Estimation

State estimation is one of the fundamental functions in modern power grid operations that provide operators with situational awareness and is used by several applications like contingency analysis and power markets. Several research in the recent past have highlighted the vulnerability of state estimators to stealthy false data injection attacks that bypass bad data detection mechanisms. They primarily focused on identifying stealthy attack vectors and characterizing their impacts on state estimates. Existing mitigation measures either focus on masking the effect of attacks through redundant measurements or prevent attacks by increasing the cyber security of associated sensors and communication channels. The solutions based on these offline approaches make specific assumptions about the nature of attacks and of the system, which are often restrictive and grossly inadequate to deal with dynamically evolving cyber threats and changing system configurations. In this paper, we propose an online anomaly detection algorithm that utilizes load forecasts, generation schedules, and synchrophasor data to detect measurement anomalies. We provide some insight into the factors that affect the performance of the proposed algorithm. We also describe an empirical method to obtain the minimum attack magnitudes and the detection thresholds for meeting specified false positive and true positive rates. Finally, we evaluated the performance of the proposed algorithm using the IEEE 14 bus power system model for several measures (false positive, false negative, and thresholds). We observed that the best performance of the proposed algorithm relies on finding the right balance between the minimum attack magnitude and detection thresholds. We also observed that the minimum attack magnitudes and detection thresholds could be further improved through the use of a combination of more accurate forecasts and PMU measurements.