Systems and methods for detecting and mitigating cyber attacks on power systems comprising distributed energy resources

Abstract

Extensive deployment of interoperable distributed energy resources (DER) on power systems is increasing the power system cybersecurity attack surface. National and jurisdictional interconnection standards require DER to include a range of autonomous and commanded grid-support functions which can drastically influence power quality, voltage, and the generation-load balance. Investigations of the impact to the power system in scenarios where communications and operations of DER are controlled by an adversary show that each grid-support function exposes the power system to distinct types and magnitudes of risk. The invention provides methods for minimizing the risks to distribution and transmission systems using an engineered control system which detects and mitigates unsafe control commands.

Claims

1. A detection and mitigation system for a distributed energy system comprising distributed energy resources (DER), comprising: an engineered control located at communication network nodes between DER and a DER management system (DERMS) or power system controller, the engineered control system comprising at least one or more processors coupled to a memory storing instructions configured to detect and reject an unsafe grid-support function command for the DER that falls out of a predetermined allowable range; wherein the engineered control system detects and rejects unsafe the grid-supported function command with an intrusion detection system (IDS) or intrusion prevention system (IPS) that executes steps comprising: establishing a set of allowable ranges for grid support settings for the DER; comparing a grid support setting from a DER command to a corresponding established range for that grid-support setting; determining in response to the grid support setting is outside the established range for that grid-support setting; and preventing the DER from executing the DER command in response to the grid support setting is outside the established range for that grid-support setting; wherein the unsafe grid-support support function command is selected from a group consisting of IEEE Std. 1547-2018 functions, frequency ride-through, voltage ride-through trip settings, normal ramp rate, soft-start ramp rate, frequency-watt, voltage-watt, connect or disconnect, limit maximum real power, power factor, volt-var mode, watt-power factor, and fixed reactive power.

2. The system of claim 1, further comprising an alarm that indicates when an unsafe grid-support function command is received at the engineered control system.

3. The system of claim 1, wherein the engineered control system is disposed in a communications pathway of the distributed energy system.

4. The system of claim 3, wherein the communications pathway is an internet communications pathway.

5. The system of claim 1, wherein the engineered control system is disposed in DER equipment, a communication gateway at a DER facility, a bump-in-the-wire or networking device, a DER vendor, aggregator, or owner/operator control or networking system, or a firewall, a utility firewall or networking systems, or a utility control software.

6. The system of claim 1, wherein the engineered control system is a component of a controller.

7. The system of claim 6, wherein the controller is a DER controller.

8. The system of claim 1, wherein the engineered control system is configured to take a corrective action upon determining a false command.

9. The system of claim 8, wherein the corrective action is selected from the group consisting of dropping the command from the DER, resetting the DER or a collection of DERs operating modes to a known safe configuration, prevent further communications to the DER or the collection on DERs for a period of time, revoke credentials of an operator who issued the unsafe command, or reconfigure DER communication system.

10. The system of claim 1, wherein the engineered control system comprises software or firmware verification or validation.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The disclosure refers to the following drawings, wherein like elements are referred to by like numbers.

(2) FIG. 1 is an illustration of IEC 61850-90-7 grid-support functions. *L/HFRT was not originally included in the IEC report, but is a common function in interconnection standards.

(3) FIG. 2 is a graph showing volt-var plane comparisons for cases simulated.

(4) FIG. 3 is a graph showing feeder voltage profile for different reactive power control modes.

(5) FIG. 4 is a graph showing maximum voltages for VV/SS-voltage distribution system control case with attack case results.

(6) FIG. 5(a) is a graph showing system frequency response for the loss of generation event with conventional droop.

(7) FIG. 5(b) is a similar graph, with communication enabled droop.

(8) FIG. 6 illustrates a communication control system for a DER device according to various embodiments of the disclosure.

(9) FIG. 7 illustrates example engineering control rules for VV curve parameters.

(10) FIG. 8 illustrates engineering control to minimize WP overvoltages due to misprogramming.

DETAILED DESCRIPTION OF THE INVENTION

(11) The present disclosure is directed to systems and methods for reducing the impact of attacks on power distribution grids that include distributed energy resources (DERs) by detecting, negating and/or mitigating security risks created by communication-enabled distribution and transmission DER control functions. For example, improper programming or malicious adjustment of grid-support functions for DER can lead to (a) voltage excursions above grid code standards which can lead to equipment damage, and (b) instabilities in the bulk power system that can lead to load shedding or blackout. According to an embodiment of the invention, one or more engineered control systems in DER, utility, aggregator, and/or networking firmware or software can be used to prevent a DER, and therefore the power system, from operating in unsafe modes.

(12) Based on the findings in distribution and transmission cases described, systems and methods are disclosed that predict the influence of adversary control of DER networks for different grid support functions and defend against those types of attacks. The anticipated effects of malicious control over DER advanced grid-support functions are described below. According to another embodiment of the disclosure, systems and methods are disclosed that include defense-in-depth security that minimizes the power system impact of this malicious control. The first embodiment comprises a set of device-level, pre-programmed firmware or software process rules designed to prevent DER from entering unsafe operating regions. The second embodiment includes a DER control network architecture that minimizes the power system impact from common-mode attacks by isolating the extent of the attack. These two defensive mechanisms can be implemented in additional to other standardized cybersecurity principles of keeping DER equipment available, ensuring the integrity of the data packages, and keeping data-in-transit confidential through access controls and encryption.

(13) FIG. 6 illustrates a communication control system for a DER device according to various embodiments of the disclosure. As can be seen in FIG. 6, various cybersecurity intrusion detection systems (IDSs) can be placed or established at various locations in the DER communications network. Those IDSs would not only block the dangerous communications traffic to the DER equipment but may also be connected to alarms that notify operators or communicate the risk to the power system or to other computer systems to autonomously take action. The operators that may be notified include grid operators, DER owners, aggregators, local or national security operations centers (SOCs) at these companies or organizations like the Electricity Information Sharing and Analysis Center (E-ISAC) that coordinate cybersecurity incident response actions. It is also possible to connect alarms to computer systems that could lock the user out of the system for a period of time, isolate the computer of system issuing the malicious command, or otherwise prevent additional actions by the originator of the command. One of the primary benefits of this technology is that insider threat actions can be detected and mitigated. The IDS can also detect when grid operators or other networked organizations or individuals make mistakes in DER programming and prevent those actions from reaching the DER equipment.

Power System Risks from DER Grid-Support Functions

(14) Based on the power system studies described above and knowledge DER control behaviors, the estimated aggregated control risk from each DER function is presented in Table 1. The risk presented due to improper programming of the grid-support function is evaluated using the following criteria: Low risk: limited power system impact Medium risk: regional voltage effects or localized loss of load (brownouts) High risk: bulks system power outages
Functions which adjust the DER active power could result in blackout situations, if the lost power generation, for example lost solar generation, occurs quickly and was providing power greater than the contingency reserves. In those cases, the risk is high. The functions which adjust reactive power are medium risk to the power system because these could cause localized high or low voltage issues or trip off some DER devices, as described in the section titled Distribution Cases. However, if the DER penetrations are high enough, the risk will increase because large portions of the grid will be disconnected.

(15) TABLE-US-00001 TABLE 1 Anticipated power system risk from adversary control of DER aggregations, assessed for each grid-support function. Grid-support Risk with function Risk Cause Controls Mitigation Plan Frequency Ride- High Tight FRT trip settings cause DER Low Enforce IEEE 1547, CA Rule 21, HI Rule Through (FRT) power loss with minor frequency 14 or other standards' ranges of Trip Settings deviations adjustability for each must-trip point will prevent the DER from prematurely tripping Voltage Ride- High Tight VRT trip settings cause DER Low Enforce IEEE 1547, CA Rule 21, HI Rule Through (VRT) power loss from minor voltage 14 or other standards' ranges of Trip Settings deviations adjustability for each must-trip point will prevent the DER from prematurely tripping. Normal Ramp Low Fast RR requires faster regulation but Low Set maximum ramp rate to reduce Rate (RR) minimal power system impact frequency regulation requirements Soft-Start Ramp Low Fast SS requires faster down-regulation Low Set maximum SS to prevent frequency Rate (SS) but minimal power system impact overshoot during black start Frequency-Watt High Improperly programmed FW curves Low Requiring parameter and deadband (FW) cause DER power loss, possibly constraints will prevent DER power resulting in a blackout reductions. Voltage-Watt High Improperly programmed VW curves Low Requiring parameter and deadband (VW) cause DER power loss, possibly constraints will prevent DER power resulting in a blackout reductions. Connect or High Aggregate DER power loss could High None. Requiring a randomization time Disconnect cause blackout window could prevent step changes in (INV1) production. Limit Max Real High Aggregate DER power loss could High None. Only limits on settling time or ramp Power (INV2) cause blackout rate would prevent under-generation. Power Factor Medium Extreme voltage conditions, DER will Medium None. Applying ramp rates would slow the (INV3) trip on VRT trip settings, possibly control action so other voltage regulation leading to outages* equipment could react. Volt-Var mode Medium Extreme voltage conditions, DER will Low Requiring the reactive power sign to (VV) trip on VRT trip settings, possibly provide negative feedback to the voltage leading to outages* deviation will prevent voltage excursions. Watt-Power Medium Extreme voltage conditions, DER will Low Constraining the W-PF curve will prevent Factor (WP) trip on VRT trip settings, possibly voltage excursions. leading to outages* Fixed Reactive Medium Extreme voltage conditions, DER will Medium None. Applying ramp rates would slow the Power trip on VRT trip settings, possibly control action so other voltage regulation leading to outages* equipment could react. *These scenarios are difficult to predict. DER will trip on overvoltage, thereby mitigating some of the voltage issues. Current-based protection systems will not isolate portions of the feeder. However, if enough distributed generation is tripped in high penetration environments (e.g., HI), bulk system impacts could occur.

Engineering Controls

(16) The present inventions provide an engineered control method to reduce the risk presented by interoperable DER equipment with grid-support functions. As shown previously, power system quality of service can be impacted by improperly set grid-support parameters, so software or hardcoded firmware rules can be implemented in the DER, utility, DER aggregator, or DER control network that reject the grid-support settings if they fall outside of an allowable range. These engineering control rules can largely prevent PV systems from causing adverse power system effects through adversary actions or accidental misconfiguration. For each of the advanced grid-support functions (e.g., volt-var, freq-watt, specified power factor, etc.), the parameters that define these functions can be checked against simple mathematical rules and be required to fall within safe operating regions for the particular power system. When parameters are set outside of these limits, the verification system, communication module, or inverter microprocessor can verify the setting and reject the update if necessary. Ranges of values or mathematical rules for each of the parameters in the information models (e.g., Common Smart Inverter Profile (CSIP): IEEE 2030.5 Implementation Guide for Smart Inverters, AN2018-001 DNP3 Application Note, SunSpec Modbus Models, IEC 61850) would be established based on the particular power system the DER equipment was interconnected. Theoretical cyber attacks, as described below, can determine parameter constraints for grid-support functions to minimize the risk of adversary manipulation.

(17) FRT and VRT: Frequency and voltage ride-though and trip requirements determine when the DER will cease to energize (often called gate blocking) and disconnect from the power system. IEEE 1547a, IEEE 1547 full revision, Rule 21, and Rule 14 have default values and ranges of adjustability for these parameters. There is variability in the power system voltage and frequency naturally. These variations are typically small and occur as the load and generation mix changes on the power system. One risk of this function is that if the voltage or frequency magnitude were adjusted to commonly occurring levels (such as nominal frequency or voltage), the FRT and VRT function would disconnect the DER. Simple rules to limit the trip settings ranges of adjustment can prevent this type of attack.

(18) RR and SS: Normal and soft start ramp rates determine the maximum change in active power of the DER during normal operation and start-up. In general, these functions are unlikely to be configured in a manner to cause power system disturbances. One potential exception is a case where there is a disruption to the bulk system and all inverters are disconnected from the system. When the system re-energizes, if the inverters all start exporting power after the reconnection delay (typically 5 minutes) with a high soft start ramp rate, it could cause a high frequency event. To avoid this risk, maximum ramp rates can be established, as they have been in CA Rule 21, and enforced in the DER when they are issued a command.

(19) FW: Frequency-watt functions provide grid stability during over-frequency events (or under-frequency events). See J. Johnson et al., “Photovoltaic Frequency-Watt Curve Design for Frequency Regulation and Fast Contingency Reserves,” IEEE JPV, vol. 6, no. 6, pp. 1611-1618, November 2016. However, if these functions are programmed with no deadband and steep slope, the DER would rapidly change its output with minor over- or under-frequency events. Since frequency is system-wide, there would be a high correlation of power changes between DER, which could lead to bulk system effects such as a blackout.

(20) VV: The volt-var pointwise curves are defined by (V, Q) points. To prevent the type of attack presented earlier, rules can be enforced to ensure the points are assigned to be in Q2 and Q4 in the V-Q plane and rejected otherwise (i.e., points assigned to be in Q1 and Q3 would be rejected), as shown in FIG. 7.

(21) VW: The volt-watt function is designed to reduce the active power during high voltage events. The same risks that exist for the FW function exist with the VW function. If the function is programmed such that nominal voltages generate zero power, this function would produce the same effect as a disconnect command. To protect against this type of attack, required deadband sizes and nominal production values can be instigated.

(22) PF: As described above, the fixed power factor function can be manipulated to increase the local grid voltage. It is unlikely any engineering controls can be placed on this function for general operations, however for the case of reducing voltage as active power increases, the power factor can be limited to the reactive power absorption quadrant (Q4).

(23) WP: The watt-power factor risks are the same as those from the fixed power factor function because a horizontal line can be programmed so that regardless of the DER power production, the DER operates at a fixed PF. Since this function has a relatively limited use case, a region can be blocked off, as shown in FIG. 8, where the DER cannot produce reactive power above a set active power output level. This reduces the risk presented in section above titled “Fixed power factor” where the DER PF drove the point of common coupling (PCC) voltage even higher. It is unlikely that there would be a use case for this function where the DER would source reactive power at high DER power.

(24) Fixed Reactive Power: A fixed reactive power function presents nearly the same risks as a fixed power factor function, except the reactive power is not reduced at low DER power. Depending on the use case, any number of reactive power levels can be used, so there is no engineering control to minimize the power system risk from this function.

(25) The present invention has been described as methods to mitigate cyber attacks on power systems comprising distributed energy resources. It will be understood that the above description is merely illustrative of the applications of the principles of the present invention, the scope of which is to be determined by the claims viewed in light of the specification. Other variants and modifications of the invention will be apparent to those of skill in the art.