Cyber-Physical Attacks Targeting Communication-Assisted Protection Schemes

This paper investigates the vulnerabilities of communication-assisted protection schemes in power systems to cyber-physical attacks, highlighting the risks posed by increasing reliance on smart grid technologies. It utilizes a co-simulation platform to demonstrate the impact of such attacks on transient angle stability and explores potential physical solutions to mitigate these vulnerabilities. The findings reveal that while some solutions can address certain cyber threats, they remain susceptible to sophisticated attacks like false data injection, emphasizing the need for enhanced cyber-based monitoring strategies.

440 IEEE TRANSACTIONS ON POWER SYSTEMS, VOL. 35, NO. 1, JANUARY 2020

Cyber-Physical Attacks Targeting Communication-Assisted Protection Schemes

Amir Abiri Jahromi, Member, IEEE, Anthony Kemmeugne, Deepa Kundur, Fellow, IEEE, and Aboutaleb Haddadi, Member, IEEE

Abstract—The dependence of modern societies on electric energy is ever increasing by the emergence of smart cities and electric vehicles. Meanwhile, an unprecedented number of cyber-physical hazards are threatening the integrity and availability of the power grid on a daily basis. On one hand, physical integrity of power systems is under threat by more frequent natural disasters and intentional attacks. On the other hand, the cyber vulnerability of power grids is on the rise by the emergence of smart grid technologies. This underlines an imminent need for the modeling and examination of power grid vulnerabilities to cyber-physical attacks. This paper examines the vulnerability of the communication-assisted protection schemes like permissive overreaching transfer trip to cyberattacks using a co-simulation platform. The simulation results show that the transient angle stability of power systems can be jeopardized by cyberattacks on the communication-assisted protection schemes. To address this vulnerability, two physical solutions including the deployment of communication channel redundancy, and a more advanced communication-assisted protection scheme, i.e., directional comparison unblocking scheme (DCUB), are considered and tested. The proposed solutions address the vulnerability of the communication-assisted protection schemes to distributed denial of service attack to some extent. Yet, the simulation results show the vulnerability of the proposed solutions to sophisticated cyberattacks like false data injection attacks. This highlights the need for the development of cyber-based solutions for communication channel monitoring.

Index Terms—Cyber-physical systems, power system resilience, co-simulation platforms, communication-assisted protection schemes, transient angle stability.

Manuscript received November 30, 2018; revised April 4, 2019; accepted June 9, 2019. Date of publication June 24, 2019; date of current version January 7, 2020. This work was supported in part by the Natural Sciences and Engineering Research Council of Canada (NSERC) Discovery Grants Program and NSERC Strategic Partnerships for Projects Programs and in part by the Fonds de Recherche du Québec – Nature et Technologies (FRQNT) postdoctoral fellowship. Paper no. TPWRS-01809-2018. (Corresponding author: Amir Abiri-Jahromi.)
A. A. Jahromi, A. Kemmeugne, and D. Kundur are with the Department of Electrical and Computer Engineering, University of Toronto, Toronto, ON M5S 3G4, Canada (e-mail: [email protected]; Anthony.kemmuegne@ece.utoronto.ca; [email protected]).
A. Haddadi is with the Electrical Engineering Department, Montréal Polytechnique, Montréal, QC H3T 1J4, Canada (e-mail: [email protected]).
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TPWRS.2019.2924441
0885-8950 © 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Universitatsbibliothek Erlangen Nurnberg. Downloaded on October 30,2024 at 13:08:14 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

The modern society and its vital infrastructures such as water supply, communication system, health system and public security depend on electricity. This dependence is ever increasing as the transportation system also becomes dependent on reliable power supply by the emergence of electric vehicles. Accordingly, the large area, long duration electricity outages can disrupt the functioning of critical infrastructure services and throw society into chaos and distress. This may result in billions of dollars of societal and economical costs and damages as well as the possibility of loss of lives [1], [2].

In this environment, the increased energy demands, aging legacy transmission and distribution assets, and increasing rate of natural disasters such as hurricanes, ice storms and floods are threatening the reliability and resiliency of the electricity grid. The many high-profile electric-service interruptions that have occurred due to natural disasters such as Super-storm Sandy and hurricane Katrina are testaments to ever increasing vulnerabilities of electricity grid [3], [4]. At the same time, there is a soaring risk of intentional physical attacks on electricity infrastructures. Meanwhile, the proliferation of smart grid related technologies is also expected to expand cyber vulnerabilities of power grids through increased connectivity and remote access points [5]–[7]. The physical attacks on substation transformers in California [8] and cyber-attacks on the Ukrainian power grid [9], [10] are prime examples of cyber-physical attacks on power grids in recent years. In addition, the possibility of a joint cyber-physical attack is a growing concern in modern societies, where an attacker may seek to identify and exploit power grid vulnerabilities to obtain self benefits or boost political interests [11]. The concerns about the vulnerability of power systems to cyber-physical threats have been reflected in several publications by governmental and non-governmental organizations [12]–[14]. For instance, the need for the protection of critical cyber assets in power systems has been recognized by North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) through standard 002-009 [15].

To address these ever-increasing vulnerabilities, utility managers, investors and other stakeholders are developing strategies to reduce the costly large area, long duration electricity interruptions. These strategies include programs to address potential cyber vulnerabilities, fortify and expand existing cyber-physical infrastructure, improve asset management and introduce automation strategies [16]–[18]. For instance, several North American utilities have initiated investment programs to bring together academia, private technology companies, and government defense agencies and motivate research and development in cyber-physical security area [19]. Nevertheless, such tasks can be daunting considering the size and complexity of the electricity grid and limited resources available for research and
development programs. Another challenge is the diversity of power system vulnerabilities and the wide variety of potential failures that can happen due to these vulnerabilities. The difficulty in quantifying the consequences of potential failures in terms of magnitude and duration of electricity interruptions as well as the number and type of affected customers and businesses is another restraining factor. Therefore, there is a pressing need for co-simulation platforms and testbeds with the ability to model and simulate various cyber-physical vulnerabilities of power systems. The co-simulation platforms and testbeds will facilitate the identification and protection of power system critical functions and assets whose failure may result in catastrophic consequences [20].

The cyber-physical vulnerabilities of power systems have been the subject of extensive research in recent years [21]. The cyberattacks on power system state estimation have been examined in [22]–[24], and potential solutions provided. In [25]–[27] various attacks targeting the stability of power systems have been studied. The role of protection schemes in cyber security risk analysis has been studied in [28] from power system operations point of view. The development of a cyber-resilient line current differential relay has been presented in [29].

Several co-simulation platforms have also been developed over the past decade to bridge the gap between power system and communication simulation tools and study cyber-physical aspects of power systems [20]. A co-simulation platform based on PSCAD/EMTDC electromagnetic transient simulator, the PSLF electromechanical transient simulator, and the communication Network Simulator 2 (NS2) has been presented in [30]. A co-simulation platform based on RINSE and PowerWorld has been employed in [31] to study the vulnerability of the network client to a distributed denial of service attack. In [32], an integrated platform for power and communication systems co-simulation is described and implemented. The virtual control system environment (VCSE) is proposed in [20], [33] for studying cyber threats on system infrastructures. A testbed based on Riverbed Modeler and PowerWorld has been employed in [34] for analyzing security of SCADA control systems. A testbed consisting of control center EMS, substations and external link has been presented in [35] for intrusion detection and defense against cyberattacks. A testbed for SCADA vulnerability assessment has been developed in [36]. In [37], a real-time co-simulation platform using OPAL-RT and OPNET has been presented for analyzing smart grid performance. The available co-simulation platforms are reviewed in [38] and a PowerCyber testbed has been presented for evaluating the impact of cyberattacks on voltage and rotor angle stability. However, to the best of our knowledge, no prior work has investigated the vulnerability of communication-assisted protection schemes to cyber-physical attacks. The cyber-physical attacks targeting communication-assisted protection schemes are of high importance since they target power systems in the most vulnerable state.

This paper investigates the vulnerability of the communication-assisted protection schemes like permissive overreaching transfer trip (POTT) to cyberattacks using a co-simulation platform based on OPAL-RT real-time simulator and Riverbed Modeler. Two potential physical solutions including communication channel redundancy and a more advanced protection scheme, i.e. directional comparison unblocking scheme (DCUB), are considered and tested to address the vulnerability of the POTT protection scheme to cyberattacks. Although the proposed physical solutions are resilient to distributed denial of service (DDoS) attack to some extent, they are vulnerable to false data injection (FDI) attack. This vulnerability highlights the need for developing cyber-based solutions for communication channel monitoring.

The main contributions of this paper are as follows.
• The notion of cyber-physical attacks on communication-assisted protection schemes is demonstrated using a co-simulation platform based on OPAL-RT real-time simulator and Riverbed Modeler.
• The potential physical solutions for addressing the cyber-physical attacks targeting POTT protection scheme are presented and their vulnerability to false data injection attacks is revealed.
• The importance of co-simulation platforms in developing cyber-based solutions for communication channels monitoring is revealed and highlighted.

The reader should note that despite the distinct features of the co-simulation platform presented in this paper, we do not claim the development of the co-simulation platform using OPAL-RT real-time simulator and Riverbed Modeler as a contribution.

The remainder of this paper is organized as follows. Section II provides the necessary background about power system transient angle stability and communication-assisted protection schemes. The cyber-physical attacks targeting communication-assisted protection schemes and the potential physical solutions for addressing these attacks are further discussed. The co-simulation platform based on OPAL-RT real-time simulator and Riverbed Modeler is presented in Section III. The vulnerability of the power system stability to cyber-physical attacks targeting POTT protection schemes is uncovered in Section IV using the co-simulation platform. Moreover, the ability of the physical solutions for addressing the vulnerability of the POTT protection scheme to DDoS attacks is demonstrated. Yet, it is shown that the proposed physical solutions are vulnerable to FDI attacks. Finally, the conclusions of the paper are drawn in Section V.

II. BACKGROUND

A power system fault should be cleared quickly enough such that the fault-on transient remains inside the stability boundary and power system maintains stability. Power systems with small transient stability margins may benefit from communication networks to reduce the fault clearing time and prevent transient instability. This is because the speed of information transfer using communication networks is much faster than power system instability propagation. Communication-assisted protection scheme is a particular type of the power system protection that relies on communication networks to reduce fault clearing time and prevent instability.

Power system stability margins have been declining over the past decade due to power system restructuring, and the integration of renewable energy resources. The limited investments in transmission lines caused by more strict environmental
constraints have further exacerbated the existing stability problems. In this environment, protection schemes have been under constant pressure to operate more quickly and reliably to counteract transient stability dynamics and avoid wide area blackouts. For instance, failure to isolate a faulted line near generating units in a timely fashion can cause prolonged unbalance between mechanical and electrical output of generators and lead to transient angle instability. Additionally, clearing faults as quickly as possible is always favorable since it reduces potential damages to critical assets like transformers.

The need for high speed and reliable protection devices has promoted communication-assisted protection schemes as a prominent solution for addressing transient angle stability problems. The deployment of communication-assisted protection schemes can result in significant reductions in the clearing time of faults and disturbances compared to other protection schemes. Nevertheless, the complete reliance on communication-assisted protection schemes increases the possibility and consequences of cyber-physical attacks on these protection schemes.

A. Transient Angle Stability

Transient angle stability is concerned with the ability of a power system to settle down to a stable steady state operating point after it is subjected to a fault for a certain duration of time [39], [40]. The transient angle stability analysis is commonly performed by means of numerical integration of a set of differential and algebraic equations (DAEs) describing power system dynamics. An alternative approach to numerical transient angle stability analysis is direct methods. Direct methods refer to the analytical approaches used to calculate power system stability margin and the associated fault clearing time [40].

The maximum duration that a fault can remain on a power system without causing instability is called critical clearing time. If the critical clearing time is exceeded, the generators will lose synchronism. In this situation, protection system will remove the generator from the system to avoid damage to the rotor shaft. Therefore, an attacker can cause a severe disturbance or even a blackout in power systems by creating a fault on a transmission line close to a power plant and prolonging the fault clearing time beyond the critical clearing time. The same scenario happens when a cyber intruder disables the communication channel of the communication-assisted protection schemes when a fault has occurred due to natural disasters such as hurricanes or thunder storms. This is a legitimate concern in particular at locations where communication-assisted protection schemes are indispensable for reducing the fault clearing time and preventing instability.

An attacker can use both numerical and analytical methods to calculate the stability margin and critical clearing time of a power system and target protection schemes whose misoperation results in instability. This is an interesting and relevant topic which is out of the scope of this paper. This topic will be pursued as an important next step by the authors.

B. Communication-Assisted Protection Schemes

The objective of communication-assisted protection is to provide high-speed tripping from both ends of a protected line for faults along the entire line segment [41]–[43]. Multizone distance protection (commonly referred to as step-distance protection) does not provide such a high-speed tripping for line-end faults since relays on the protected line are time coordinated with relays on remote lines [42], [43]. High-speed clearing is desirable and may even be required for the following reasons: i) to reduce the duration of a fault on a power system and thereby reduce the likelihood of power system instability; ii) to enable protection coordination in step-distance applications involving two adjacent lines with significantly different lengths; and iii) for power quality purposes to reduce the duration of voltage sag caused by a fault.

Communication-assisted protection achieves high-speed fault clearing through communication between line terminals. Each line terminal communicates its status as a bit of data to the remote end(s) over a communication channel. In some schemes, this bit represents a signal which tells the other side that it has permission to trip (permissive). In other schemes, the bit prevents the other end from tripping (block). There are many variations of communication-assisted protection; the most prevalent schemes include: 1) permissive overreaching transfer trip (POTT), 2) permissive underreaching transfer trip (PUTT), 3) direct transfer trip (DTT), direct underreaching transfer trip (DUTT), directional comparison blocking (DCB), and directional comparison unblocking (DCUB) [41]–[43]. This paper focuses on the POTT scheme. Yet, the proposed co-simulation platform can be extended to study other communication-assisted protection schemes without the loss of generality. Moreover, the cyber-physical vulnerabilities demonstrated in this paper for POTT scheme exist in other communication-assisted protection schemes as well.

Fig. 1. The POTT protection scheme.

Fig. 1 illustrates the basic logic of the POTT protection scheme based on distance relay zone 2 elements. The POTT protection scheme trips the circuit breaker at each end of a protected line immediately after receiving the overreaching zone 2 signals from both terminals of a line. In other words, the POTT logic allows the local overreaching zone 2 signal to trip the circuit breaker of the protected line instantaneously upon the receipt of the permissive trip signal, i.e., overreaching zone 2 signal, from the remote end of the line. The permissive trip signal from the remote end of the protected line is communicated through a communication channel. By contrast, under step-distance protection the overreaching zone 2 has to wait typically 15 to 30 cycles after picking up a fault before tripping the breaker
[42], [43]; this time delay may be large enough to cause system
instability.
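
The margin argument above can be checked numerically. The following is an added example, not code or data from the paper: it integrates the classical swing equation of a single-machine infinite-bus system to find the critical clearing time, then tests a communication-assisted clearing time against the shortest step-distance zone 2 delay quoted above. The machine parameters, the 5-cycle assisted clearing time and the 3-cycle breaker time are assumptions; the paper itself uses the IEEE PSRC D6 system in a real-time simulator.

```python
import math

# Assumed single-machine infinite-bus data (constructed, not from the paper).
F_HZ = 60.0                            # system frequency
H_S = 5.0                              # inertia constant (s)
P_MECH = 0.8                           # mechanical input power (pu)
P_MAX = 2.0                            # peak of the post-fault power-angle curve (pu)
OMEGA_S = 2.0 * math.pi * F_HZ
DELTA_0 = math.asin(P_MECH / P_MAX)    # pre-fault rotor angle (rad)
DELTA_U = math.pi - DELTA_0            # unstable equilibrium angle (rad)


def accel(delta, faulted):
    """Swing equation; a bolted three-phase fault at the terminals gives Pe = 0."""
    p_elec = 0.0 if faulted else P_MAX * math.sin(delta)
    return OMEGA_S / (2.0 * H_S) * (P_MECH - p_elec)


def first_swing_stable(t_clear, dt=1e-4, t_end=5.0):
    """Integrate with RK4; True if the rotor swings back after the fault is cleared."""
    delta, omega, t = DELTA_0, 0.0, 0.0
    while t < t_end:
        faulted = t < t_clear
        k1d, k1w = omega, accel(delta, faulted)
        k2d, k2w = omega + 0.5 * dt * k1w, accel(delta + 0.5 * dt * k1d, faulted)
        k3d, k3w = omega + 0.5 * dt * k2w, accel(delta + 0.5 * dt * k2d, faulted)
        k4d, k4w = omega + dt * k3w, accel(delta + dt * k3d, faulted)
        delta += dt * (k1d + 2 * k2d + 2 * k3d + k4d) / 6.0
        omega += dt * (k1w + 2 * k2w + 2 * k3w + k4w) / 6.0
        t += dt
        if delta > DELTA_U:
            return False               # passed the unstable equilibrium: synchronism lost
        if not faulted and omega <= 0.0:
            return True                # speed deviation reversed: first swing survived
    return False                       # undecided within t_end: treat as unstable


def critical_clearing_time(tol=1e-4):
    """Bisection on the clearing time between a stable and an unstable bound."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if first_swing_stable(mid):
            lo = mid
        else:
            hi = mid
    return lo


def cct_equal_area():
    """Closed-form equal-area result for the same system (a direct method)."""
    cos_cr = (math.pi - 2.0 * DELTA_0) * math.sin(DELTA_0) - math.cos(DELTA_0)
    delta_cr = math.acos(cos_cr)
    return math.sqrt(4.0 * H_S * (delta_cr - DELTA_0) / (OMEGA_S * P_MECH))


def cycles(n):
    return n / F_HZ


ASSISTED_CLEAR = cycles(5)             # assumed relay + channel + breaker time
STEP_DISTANCE_CLEAR = cycles(15 + 3)   # 15-cycle zone 2 delay (paper) + assumed breaker time

if __name__ == "__main__":
    cct = critical_clearing_time()
    print(f"CCT numeric {cct * F_HZ:.1f} cycles, equal-area {cct_equal_area() * F_HZ:.1f} cycles")
    print("assisted clearing stable:", first_swing_stable(ASSISTED_CLEAR))
    print("step-distance clearing stable:", first_swing_stable(STEP_DISTANCE_CLEAR))
```

With these assumed values the critical clearing time is about 16.6 cycles, so even the shortest zone 2 delay leaves no margin once the channel-assisted trip is unavailable.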

C. Cyber-Physical Attacks Targeting Communication-Assisted Protection Schemes

The power grid is a cyber-physical system consisting of information and communication technologies (cyber assets) and power delivery components such as generators, transmission lines and loads (physical assets). Here, the physical-to-cyber bridge is at sensors that convert physical signals to data (information) and the cyber-to-physical bridge is at actuation whereby information is used to make changes to the power system operations; common forms of actuation include control and protection.

Cyberattacks are unwanted actions applied to target cyber assets that exploit a vulnerability; their impacts are measured in terms of their effects on information. In contrast, cyber-physical attacks typically aim to exploit vulnerabilities in cyber assets (in the form of a cyberattack) to cause disruption in target physical assets such as generators and transmission lines. They also can involve coordinating cyberattacks with physical disruptions such as faults to maximize negative impacts on power systems. Cyber-physical attacks are often measured in terms of their physical impacts; hence co-simulation represents an ideal framework in which to model the application of cyberattacks and describe its physical impacts.

Cyberattacks target information confidentiality, integrity or availability (C-I-A). The C-I-A paradigm is a rich framework employed for general cybersecurity studies whereby availability and integrity represent the most important cyber security services for power grid operations because information must be both accessible in a timely manner and accurate for critical use in operational settings. Cyberattacks on availability and integrity are known as distributed denial of service (DDoS) and false data injection (FDI), respectively.

Communication-assisted protection schemes represent cyber-physical assets in which communications facilitates more responsive breaker action. Hence, attacking the associated communication channel when breaker action is very much needed can cause significant power grid disruption. Cyber-physical attacks of communication-assisted protection may be applied, say, after a physical fault (caused naturally or otherwise) has occurred. The cyber-physical attack could, for example, apply either a DDoS or FDI to prolong the fault clearing time at critical transmission lines by either disabling the communication channel between distance relays through say packet flooding (for DDoS) or by providing incorrect permissive trip signals (FDI). Possible physical impacts include instability and blackout.

Execution of DDoS or FDI requires that a device with access to the relay communication channels be corrupt. This could occur through malware that has propagated into a component of the transceiver or by physically introducing a new communication device that can access the channel. For DDoS the corrupt entity could flood the network with packets making permissive trip communications impossible. For FDI, the corrupt entity can insert fabricated permissive trip signals that can confuse normal operation of communication-assisted protection scheme.

D. Physical Solutions to Cyber Attacks Targeting Communication-Assisted Protection Schemes

Solutions to address cyber-physical attacks can take both cyber and physical forms. Cyber solutions, as typically defined, involve employing existing cyber assets for mitigation of the impacts of cyberattacks. Cyber solutions can include the modification of communication protocols, transceiver operation or the application of cryptographic primitives on data. By contrast, physical solutions entail actions on the part of physical assets for mitigation. Physical solutions can also include the addition of redundant physical infrastructure (including communication channels).

Cyber solutions are most appropriately applied when there are sophisticated information and communication systems in place to enable complex information processing or communication network reconfiguration. For the application focus of this paper, communication-assisted protection, such cyber solutions are not feasible. Hence, we focus on physical solutions.

Two physical solutions are considered in this paper for addressing the cyber-attacks targeting communication-assisted protection schemes like POTT. The first physical solution is based on communication channel redundancy. The POTT protection scheme with communication channel redundancy is illustrated in Fig. 2. Channel redundancy is an effective way to provide resilience to system operation and its advantages in communication-assisted protection schemes are studied in this paper. Communication redundancy increases an attacker's level of required effort often beyond available resources.

Fig. 2. The POTT protection scheme with communication channel redundancy.

The second physical solution is based on considering a more complex protection scheme, i.e., directional comparison unblocking (DCUB) scheme. Accounting for possible loss of a communication channel is imperative for overall POTT operation. The DCUB protection scheme is similar to the POTT protection scheme in that they both share information about overreaching zone 2 pickup signal through a communication channel. The difference is that DCUB scheme permits fast tripping when the communication channel is lost. In DCUB scheme
distance relays initiate a timer in case the communication channel is lost and permit the distance relays to trip the breaker faster provided their overreaching zone 2 elements still see the fault. After certain time elapses, distance relay tripping with overreaching zone 2 pickup signal is blocked to prepare for the next fault incident.

Fig. 3. The DCUB protection scheme.

Fig. 3 illustrates the basic logic of the DCUB protection scheme. As illustrated in Fig. 3, the DCUB protection scheme consists of two AND gates and one OR gate. The AND1 gate operates when the communication channel is lost and the local overreaching zone 2 signal is present. It is noteworthy that the communication channel status is 0 when the channel is operational and becomes 1 when the channel is lost. The AND2 gate implements a logic similar to the POTT protection scheme where the permissive trip signal, i.e. the overreaching zone 2 signal from the remote end of the protected line, is communicated through a communication channel. Thus, the DCUB protection scheme allows fast circuit breaker tripping in two cases: 1) the communication channel has been lost and the local overreaching zone 2 pickup signal is present, i.e. the AND1 gate in Fig. 3; 2) the communication channel is operational and the POTT logic of the DCUB protection operates, i.e. the AND2 gate in Fig. 3.

III. CO-SIMULATION PLATFORM

The main objective of the real-time co-simulation platform presented here is to provide the ability to simulate both cyber and physical parts of a communication-assisted protection scheme like POTT for a benchmark test system. The co-simulation platform is of immense importance since cyber-physical attacks on communication-assisted protection schemes involve both electrical and communication parts of an electric system.

The OPAL-RT real-time simulator and Riverbed Modeler are integrated together to create such a co-simulation platform. Riverbed Modeler is a flexible communication networking simulator that models a variety of protocols, technologies and network types and provides a sophisticated development environment to develop proprietary protocols, evaluate enhancements to standards-based protocols and technologies, and demonstrate design in a realistic environment.

The OPAL-RT real-time simulator provides the interface with a communication simulator such as Riverbed Modeler through its input/output (I/O) modules and Ethernet ports. Moreover, OPAL-RT real-time simulator supports the IEC 61850 protocols such as generic object oriented substation event (GOOSE) and sampled value (SV) [44]. The IEC 61850 GOOSE protocol is used for fast event driven messaging while IEC 61850 SV protocol is used for the transmission of analog values such as current and voltage. In this paper, the IEC 61850 GOOSE protocol is employed to communicate information between OPAL-RT real-time simulator and Riverbed Modeler. The IEC 61850 GOOSE packets generated by the OPAL-RT real-time simulator are embedded in Ethernet frames with source and destination address fields containing the medium access control (MAC) addresses of the communicating nodes. The network interface cards enable the GOOSE traffic exchange between OPAL-RT real-time simulator and Riverbed Modeler. The publisher and subscriber traffic between the two simulators is separated using two Ethernet switches and cables as illustrated in Fig. 4. The system-in-the-loop (SITL) feature of the Riverbed Modeler permits the real-time simulation. The SITL publisher and subscriber ports provide the interface between Riverbed Modeler and hardware/software applications such as OPAL-RT real-time simulator.

Fig. 4. Schematic representation of the co-simulation platform.

A benchmark test system involving distance relays and POTT protection scheme is implemented in the OPAL-RT real-time simulator. The distance relays issue permissive trip signals, i.e., overreaching zone 2 pickup signals, whenever a fault occurs in the zone 2 of the distance relays. The OPAL-RT real-time simulator generates IEC 61850 GOOSE packets containing the permissive trip signals through its I/O module and sends them toward Riverbed Modeler using the interface network cards. The SITL publisher ports in the Riverbed Modeler receive the real GOOSE packets from the network interface card of the Riverbed Modeler machine. SITL publisher ports then convert the real GOOSE packets to simulated GOOSE packets and send them to the communication network model implemented in the Riverbed Modeler using SITL links. The communication network model implemented in Riverbed Modeler consists of two router switches and a SITL link which connects the router switches. Each of the router switches represents the substation gateway at one end of the protected line and the SITL link between the router switches represents the communication channel. The IEC 61850 GOOSE packets enter the SITL subscriber ports through a SITL link after passing through the network model. The SITL subscriber ports convert the simulated GOOSE packets to real GOOSE packets and deliver them to the network interface card of the Riverbed Modeler machine. The OPAL-RT real-time simulator receives the IEC 61850 GOOSE packets from the network interface cards and delivers them to the POTT
protection scheme. The implementation of the benchmark test system in the cosimulator is schematically shown in Fig. 5.

Fig. 5. Schematic representation of the implementation of the benchmark test system in the cosimulator.

In Fig. 5, the SITL publisher port1 in Riverbed Modeler receives the IEC 61850 GOOSE packets generated by the publisher I/O1 in OPAL-RT real-time simulator and delivers it to the SITL subscriber port2 through the router switches and the SITL link. The SITL subscriber port2 in Riverbed Modeler then sends the IEC 61850 GOOSE packets toward the subscriber I/O2 in OPAL-RT real-time simulator. Similarly, the SITL publisher port2 in Riverbed Modeler receives the IEC 61850 GOOSE packets generated by the publisher I/O2 in OPAL-RT real-time simulator and delivers it to the SITL subscriber port1 through the router switches and SITL link. The SITL subscriber port1 in Riverbed Modeler then sends the IEC 61850 GOOSE packets toward the subscriber I/O1 in OPAL-RT real-time simulator.

It is noteworthy that the physical attack i.e., fault caused by intentional or unintentional factors on the electric grid is simulated in the OPAL-RT real-time simulator and the cyberattacks i.e., DDoS and FDI attacks are simulated in the Riverbed Modeler.

IV. SIMULATION RESULTS

Fig. 6 illustrates the IEEE power system relaying committee (PSRC) D6 benchmark test system [45], [46]. The benchmark test system consists of a 500 kV transmission system connecting four identical 400 MVA synchronous generators to the rest of the grid. The rest of the grid is modeled by a 230 kV ideal voltage source. All the circuit breakers in the benchmark test system except the circuit breaker CB10 are initially closed as illustrated in Fig. 6. The power flows from G1-G4 to S1 through the transmission lines L1-L4.

Fig. 6. The IEEE PSRC D6 benchmark test system.

Five case studies are considered here. The objective of the case studies I and II is to demonstrate the need for the communication-assisted protection scheme to maintain the transient rotor angle stability of the generators G1-G4 when a fault occurs. The transmission lines L1-L4 of the benchmark test system are protected by step-distance protection in case study I and by POTT protection in case study II. Case study III demonstrates the vulnerability of the POTT protection scheme to DDoS attack. Case study IV investigates the DDoS attack on the POTT protection with communication channel redundancy. Case study V examines both DDoS and FDI attacks on DCUB protection and underlines the need for the development of cyber-based solutions for communication channel monitoring.

In the case studies, a permanent three-phase-to-ground mid-line fault occurs at t = 0.2 s on line L1 of the benchmark test system as illustrated in Fig. 7. The location of the fault is at 82% of the transmission line from bus A which is within zone 2 of the protection relay 1 (R1) and zone 1 of the protection relay 2 (R2). The reach of zone 1 and 2 of the distance relays are respectively set at 80% and 120% of the transmission lines. The zones 1 and 2 of the distance relays are forward zones. Zone 1 is instantaneous, while backup zone 2 has a time delay of 30 cycles i.e. 0.5 s.

Fig. 7. Part of the IEEE PSRC D6 benchmark test system illustrating a permanent three-phase-to-ground fault on line L1.

A. Case Study I: Simulating the IEEE PSRC D6 Test System Under Step-Distance Protection

In this case study, transmission lines L1-L4 are protected by step-distance relays. As illustrated in Fig. 8(b), the step-distance relay 2 (R2) sees the fault in zone 1 and 2 (21G_Z1 PKP, and 21G_Z2 PKP) and instantaneously issues 21G_Z1 trip signal to the circuit breaker CB2. The opening of the circuit breaker CB2 disconnects the transmission line L1 from bus B. However,
the fault does not get isolated instantaneously because the step-distance relay 1 (R1) sees the fault in zone 2 (21G_Z2 PKP) which has the time delay of 30 cycles before issuing the 21G_Z2 Trip to the circuit breaker CB1 as illustrated in Fig. 8(a). Within this time delay, the transmission line L1 remains connected to the bus A, and the generators G1-G4 continue to feed the fault. As illustrated in Fig. 9 for the generating unit G1, the rotor speed of the generating units continues to increase and the generators eventually lose synchronism. This is because the fault clearing time is longer than the critical clearing time of the generators. This instability problem can be resolved by clearing the fault from both ends of the transmission line L1 more quickly through a communication-assisted protection such as POTT. In practice, the over speed protection of the generator trips the unit when the rotor speed exceeds a certain limit typically 1.1 per unit. Nevertheless, this protection has not been modeled in this paper.

Fig. 8. Step-distance relay signals and circuit breakers state of (a) Relay 1 and CB1 and (b) Relay 2 and CB2.

Fig. 9. The rotor speed of the generating unit G1 when the permanent three-phase-to-ground fault at 82% of the line L1 is cleared after 30 cycles.

B. Case Study II: Simulating the IEEE PSRC D6 Test System Under POTT Protection

In this case study, transmission lines L1-L4 are protected by POTT protection scheme. The successful operation of the POTT protection scheme requires the receipt of the permissive trip signal (PTS), i.e. overreaching zone 2 signal, from the remote relay and the presence of the overreaching zone 2 signal (21G_Z2 PKP) at the local relay. As illustrated in Fig. 10(a), relay 1 sees the fault in zone 2 and sends the permissive trip signal (PTS_TX in blue) to relay 2. Similarly, relay 2 sees the fault in zone 2 and sends the permissive trip signal (PTS_TX in green) to relay 1 as illustrated in Fig. 10(b). The POTT protection scheme receives the permissive trip signals (PTS_RCV) from the remote relay and instantaneously issues permissive overreaching transfer trip signals (POTT) to the circuit breakers CB1 and CB2. The opening of the circuit breakers CB1 and CB2 disconnects the transmission line L1 from the buses A and B and instantaneously clears the faults. As illustrated in Fig. 11 for the generating unit G1, the generators’ rotor speed remains stable in this case.

Fig. 10. POTT protection signals and circuit breakers state of (a) Relay 1 and CB1 and (b) Relay 2 and CB2.

Fig. 11. The rotor speed of the generating unit G1 when the permanent three-phase-to-ground fault at 82% of the line L1 is cleared instantaneously.

C. Case Study III: Simulating DDoS Attack on POTT Protection

Fig. 12. The DDoS attack implemented in Riverbed Modeler on the communication channel between distance relays.

In this case study, transmission lines L1-L4 are protected by POTT protection scheme. The DDoS attack is implemented in Riverbed Modeler as illustrated in Fig. 12 to disable the communication channel between distance relays R1 and R2. The CyberEffects tool in Riverbed Modeler is used to implement the DDoS attack. The DDoS attack execution involves two phases; 1) infection, and 2) flooding. In order to implement the infection and flooding phases, two workstation nodes i.e. attacker
and receiver are required as illustrated in Fig. 12. The attacker workstation is required to infect the workstation nodes in the network i.e. nodes 1–5 and execute the flooding phase of the DDoS attack. The IP address of the receiver node is required by the CyberEffects tool to define the destination node of the packets generated by the DDoS attack. The traffic generated by the DDoS attack towards the receiver workstation node overflows the router switch1 in Fig. 12 and causes the denial of service.

As illustrated in Fig. 13(a), relay 1 sees the fault in zone 2 (21G_Z2 PKP) and sends the permissive trip signal (PTS_TX in blue) to relay 2. Moreover, relay 2 sees the fault both in zone 1 and 2 (21G_Z1 PKP and 21G_Z2 PKP) and sends the permissive trip signal (PTS_TX in green) to the relay 1 as illustrated in Fig. 13(b). Nevertheless, the permissive trip signals get blocked by the DDoS attack and do not reach the respective remote relay. The relay 2 (R2) instantaneously issues 21G_Z1 trip signal to the circuit breaker CB2 as illustrated in Fig. 13(b) because it sees the fault in zone 1 (21G_Z1 PKP). This is while the relay 1 (R1) waits for 30 cycles before issuing the 21G_Z2 trip signal to the circuit breaker CB1 as illustrated in Fig. 13(a). This is because relay 1 does not receive the permissive trip signal (PTS_RCV) from the relay 2. Thus, the generators lose synchronism in this case similar to Case Study I.

Fig. 13. POTT protection signals and circuit breakers state of (a) Relay 1 and CB1 and (b) Relay 2 and CB2 considering the DDoS attack.

D. Case Study IV: Simulating DDoS Attack on POTT Protection With Communication Channel Redundancy

In this case study, transmission lines L1-L4 are protected by POTT protection scheme with communication channel redundancy (see the logic of the POTT protection with communication channel redundancy in Fig. 2). Fig. 14 illustrates the implementation of the communication channel redundancy in the Riverbed Modeler. As shown in Fig. 14, two sets of SITL subscriber and publisher ports are implemented for each substation. The SITL publisher/subscriber ports in Riverbed Modeler communicate with the publisher/subscriber ports of their respective relays in OPAL-RT real-time simulator shown in Fig. 15.

Fig. 14. The implementation of the communication channel redundancy between the relays in Riverbed Modeler.

Fig. 15. Schematic representation of the implementation of the POTT protection with communication redundancy in OPAL-RT real-time simulator.

Two scenarios are considered here. In the first scenario, the DDoS attack is implemented to disable the communication channel1 between the relays R1 and R2. As illustrated in Fig. 16(a) and (b), both relays see the fault in zone 2 (21G_Z2 PKP) and send the permissive trip signals (PTS_TX1 and PTS_TX2) through the communication channels to the remote relay. The POTT protection does not receive the permissive trip signals (PTS_RCV1) through the communication channel1. However, the POTT protection receives the permissive trip signals (PTS_RCV2) through the communication channel2 and instantaneously issues permissive overreaching transfer trip signals (POTT) to the circuit breakers CB1 and CB2. The opening of the circuit breakers CB1 and CB2 isolates the transmission line L1 and instantaneously clears the fault. Therefore, the generators remain stable in this case similar to Case Study II.

Fig. 16. POTT protection with communication channel redundancy signals and circuit breakers state considering the DDoS attack on the communication channel1 (a) Relay 1 and CB1, (b) Relay 2 and CB2.

In the second scenario, both communication channels are disabled by the DDoS attack. As illustrated in Fig. 17(a) and (b) both relays see the fault in zone 2 (21G_Z2 PKP) and send the permissive trip signals (PTS_TX1 and PTS_TX2) to the remote relay. However, the POTT protection does not receive the permissive trip signals (PTS_RCV1 and PTS_RCV2) due to the DDoS attack on both communication channels and fails to
open the circuit breaker CB1. The relay 2 (R2) instantaneously trips the circuit breaker CB2 because it sees the fault in zone 1 (21G_Z1 PKP) as illustrated in Fig. 17(b). This is while the relay 1 waits for 30 cycles before tripping the circuit breaker CB1 as illustrated in Fig. 17(a). This is because relay 1 sees the fault in zone 2 (21G_Z2 PKP) and does not receive the permissive trip signal from relay 2 (PTS_TX1 and PTS_TX2). Thus, the generators lose synchronism in this case similar to Case Study I.

Fig. 17. POTT protection with communication channel redundancy signals and circuit breakers state of (a) Relay 1 and CB1 and (b) Relay 2 and CB2 considering the DDoS attack on both communication channels.

It is noteworthy that cyberattackers require more resources to attack two communication channels in the case of communication channel redundancy compared to the case with a single communication channel. Thus, communication channel redundancy reduces the risk of successful cyberattacks against the communication-assisted protection schemes because the required resources in this case are often beyond available resources of cyberattackers.

E. Case Study V: Simulating DDoS and FDI Attacks on DCUB Protection

This case study investigates the performance of DCUB protection under cyberattack. In order to identify communication channel status the logic shown in Fig. 18 is implemented in the co-simulation platform. As illustrated in Fig. 18, the original signal and its inverted value are sent over the communication channel. When the communication channel is operational, the output of the OR gate is always one and the output of the NOT gate on the right hand side of Fig. 18 is zero. This is because one of the signals entering the OR gate is always one. In contrast, when the communication channel is lost, the output of the OR gate becomes zero and the output of the NOT gate becomes one. This is because both signals entering the OR gate become zero when the communication channel is lost. Thus, it is possible to identify the status of the communication channel using the logic shown in Fig. 18.

Fig. 18. The logic employed to identify communication channel loss.

Two scenarios are considered here. In the first scenario, the DDoS attack is implemented in Riverbed Modeler as illustrated in Fig. 12 to disable the communication channel between the relays R1 and R2. The study starts from a condition where the DDoS attack on the communication channel has been in progress. As illustrated in Fig. 19(a) and (b), both relays see the fault in zone 2 (21G_Z2 PKP) and send the permissive trip signals (PTS_TX) through the communication channel to the remote relay. As illustrated in Fig. 19, the DCUB protection does not receive the permissive trip signals (PTS_RCV) because of the DDoS attack. Nevertheless, the DCUB protection identifies the communication channel loss (Ch_Status). The DCUB protection issues the DCUB trip signals (DCUB Trip) to the circuit breakers CB1 and CB2 because the local overreaching zone 2 signal (21G_Z2 PKP) is present and communication channel is lost (see DCUB protection logic in Fig. 3). The opening of the circuit breakers CB1 and CB2 isolates the transmission line L1 and clears the fault. Therefore, the generators remain stable in this case similar to case study II.

Fig. 19. DCUB protection signals and circuit breakers state of (a) Relay 1 and CB1 and (b) Relay 2 and CB2 considering the DDoS attack on the communication channel.

In the second scenario, the FDI attack is implemented on the communication channel between the relays 1 and 2. In order to implement the FDI attack in the co-simulation environment, the Wireshark tool is employed. Wireshark tool is an open source software which is able to monitor, and save communication packets. First, the OPAL-RT real-time simulator is employed to generate GOOSE packets containing false GOOSE packets indicating that the overreaching zone 2 signal is not present. The Wireshark tool is then employed to save the false GOOSE packets. Afterwards, the benchmark test system is simulated and the false GOOSE packets are injected into the communication channel between the relays 1 and 2 using the Wireshark tool as illustrated in Fig. 20.

As illustrated in Fig. 21(a) and (b) both relays see the fault in zone 2 (21G_Z2 PKP) and send the permissive trip signals (PTS_TX) to the remote relay. Nevertheless, the attacker replaces the original GOOSE packets containing the permissive trip signals with false GOOSE packets indicating no permissive trip signals (PTS_RCV). Moreover, the communication channel status (Ch_Status) is operational in this case. Therefore, DCUB protection does not issue DCUB trip signals (DCUB Trip). The distance relay 2 sees the fault in zone 1 (21G_Z1 PKP) and instantaneously issues 21G_Z1 trip signal to the circuit breaker CB2 as illustrated in Fig. 21(b). This is while the distance relay 1
(R1) waits for 30 cycles before issuing the 21G_Z2 trip signal to the circuit breaker CB1 as illustrated in Fig. 21(a). Thus, the generators lose synchronism in this case similar to Case Study I.

Fig. 20. The FDI attack implemented using Wireshark tool and Riverbed Modeler.

Fig. 21. DCUB protection signals and circuit breakers state of (a) Relay 1 and CB1 and (b) Relay 2 and CB2 considering the FDI attack on the communication channel.

This case study highlights the vulnerability of the DCUB protection scheme to FDI attacks and the need for the development of cyber-based solutions for communication channel monitoring in the communication-assisted protection schemes.

V. CONCLUSION

This paper demonstrated the vulnerability of communication-assisted protection schemes like permissive overreaching transfer trip to cyber-physical attacks. Moreover, it is demonstrated that this vulnerability can be exploited to destabilize the power system and potentially create cascading failures. The simulation studies were performed using a co-simulation platform based on OPAL-RT real-time simulator and Riverbed Modeler. A case study is employed to demonstrate that a cyber intruder can disable the communication channel between two distance relays at critical times using the distributed denial of service attack and destabilize the power system. Two physical solutions including communication channel redundancy and a more complicated protection scheme i.e., directional comparison unblocking protection scheme are employed for addressing the vulnerability of the POTT protection scheme to DDoS attacks. Although these physical solutions can be employed to address the DDoS attacks to some extent, they are still vulnerable to false data injection attacks. This highlights the importance of co-simulation platforms in developing cyber-based solutions for communication channels monitoring. This topic will be pursued in our future research.

REFERENCES
[1] Enhancing the Resilience of the Nation’s Electricity System. Washington, DC, USA: National Academies Press, 2017.
[2] “Economic benefits of increasing electric grid resilience to weather outages,” Executive Office of the President, Washington, DC, USA, Tech. Rep., USA, 2013.
[3] “Comparing the impacts of the 2005 and 2008 hurricanes on U.S. energy infrastructure,” U.S. Dept. Energy, 2009. [Online]. Available: https://www.oe.netl.doe.gov/docs/HurricaneComp0508r2.pdf. Accessed on: Jun. 2019.
[4] “Macroeconomic and budgetary effects of hurricanes Katrina and Rita,” Testimony Before the Committee on Budget, U.S. House of Representatives, Congressional Budget Office, Washington, DC, USA, 2005.
[5] J. Hull, H. Khurana, T. Markham, K. Staggs, “Staying in control: Cyber security and the modern electric grid,” IEEE Power Energy Mag., vol. 10, no. 1, pp. 41–48, Jan./Feb. 2012.
[6] T. Flick and J. Morehouse, Securing the Smart Grid. Rockland, MA, USA: Syngress, 2011.
[7] E. D. Knapp and R. Samani, Applied Cyber Security and the Smart Grid: Implementing Security Controls Into the Modern Power Infrastructure. Rockland, MA, USA: Syngress, 2013.
[8] R. Smith, “Assault on California power station raises alarm on potential for terrorism,” Wall Street J., 2014.
[9] G. Liang, S. R. Weller, J. Zhao, F. Luo, and Z. Y. Dong, “The 2015 Ukraine blackout: Implications for false data injection attacks,” IEEE Trans. Power Syst., vol. 32, no. 4, pp. 3317–3318, Jul. 2017.
[10] Cyber-Attack Against Ukrainian Critical Infrastructure, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Feb. 2016. [Online]. Available: https://www.us-cert.gov/ics/alerts/IR-ALERT-H-16-056-01. Accessed on: Jun. 2019.
[11] D. Kushner, “The real story of stuxnet,” IEEE Spectr., vol. 50, no. 3, pp. 48–53, Feb. 2013.
[12] “Vulnerability analysis of energy delivery control systems,” Idaho Nat. Lab., Idaho Falls, ID, USA, Tech. Rep. INL/EXT-10-18381, 2011.
[13] M. Govindarasu, A. Hahn, and P. Sauer, “Cyber-physical systems security for smart grid,” Future Grid Initiative, Power Syst. Eng. Res. Center, Tempe, AZ, USA, White Paper, Feb. 2012.
[14] “Guidelines for smart grid cyber security,” Nat. Inst. Standards Technol., Gaithersburg, MD, USA, NISTIR 7628, Revision 1, 2011.
[15] North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards. 2017. [Online]. Available: http://www.nerc.com
[16] “Post sandy enhancement plan,” Consolidated Edison Company, New York, NY, USA, Jun. 2013.
[17] “Hardening and resiliency: U.S. energy industry response to recent hurricane seasons,” U.S. Dept. Energy, Washington, DC, USA, Tech. Rep., Aug. 2010.
[18] Y. Wang, C. Chen, J. Wang, and R. Baldick, “Research on resilience of power systems under natural disasters—A review,” IEEE Trans. Power Syst., vol. 31, no. 2, pp. 1604–1613, Mar. 2016.
[19] “Cyber threat and vulnerability analysis of the U.S. electric sector,” Idaho Nat. Lab., Idaho Falls, ID, USA, Tech. Rep. INL/EXT-16-40692, Jun. 2017.
[20] J. McDonald, N. Conrad, C. Service, and H. Cassidy, “Cyber effects analysis using VCSE: Promoting control system reliability,” Sandia Nat. Lab., Albuquerque, NM, USA, Tech. Rep. SAND2008-5954, 2008.
[21] S. K. Khaitan, J. D. McCalley, and C. C. Liu, Cyberphysical Systems Approach to Smart Electric Power Grid. Berlin, Germany: Springer-Verlag, 2015.
[22] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against state estimation in electric power grids,” ACM Trans. Inf. Syst. Secur., vol. 14, no. 1, pp. 13–24, 2011.
[23] S. Zonouz, K. Rogers, R. Berthier, R. Bobba, W. Sanders, and T. Overbye, “SCPSE: Security-oriented cyber-physical state estimation for power grid critical infrastructures,” IEEE Trans. Smart Grid, vol. 3, no. 4, pp. 1790–1799, Dec. 2012.
[24] W. L. Chin, C. H. Lee, and T. Jiang, “Blind false data attacks against AC state estimation based on geometric approach in smart grid communications,” IEEE Trans. Smart Grid, vol. 9, no. 6, pp. 6298–6306, Nov. 2018.
[25] D. Kundur, X. Feng, S. Mashayekh, S. Liu, T. Zourntos, and K. Butler-Purry, “Towards modeling the impact of cyber attacks on a smart grid,” Int. J. Secur. Netw., vol. 6, no. 1, pp. 2–13, 2011.
[26] A. Farraj, E. Hammad, and D. Kundur, “A cyber-physical control framework for transient stability in smart grids,” IEEE Trans. Smart Grid, vol. 9, no. 2, pp. 1205–1215, Mar. 2018.
[27] E. Hammad, A. M. Khalil, A. Farraj, D. Kundur, and R. Iravani, “A class of switching exploits based on inter-area oscillations,” IEEE Trans. Smart Grid, vol. 9, no. 5, pp. 4659–4668, Sep. 2018.
[28] X. Liu, M. Shahidehpour, Z. Li, X. Liu, Y. Cao, and Z. Li, “Power system risk assessment in cyber attacks considering the role of protection systems,” IEEE Trans. Smart Grid, vol. 8, no. 2, pp. 572–580, Mar. 2017.
[29] A. Ameli, A. Hooshyar, and E. F. El-Saadany, “Development of a cyber-resilient line current differential relay,” IEEE Trans. Ind. Informat., vol. 15, no. 1, pp. 305–318, Jan. 2019.
[30] K. Hopkinson, X. Wang, R. Giovanini, J. Thorp, K. Birman, and D. Coury, “EPOCHS: A platform for agent-based electric power and communication simulation built from commercial off-the-shelf components,” IEEE Trans. Power Syst., vol. 21, no. 2, pp. 548–558, May 2006.
[31] C. M. Davis, J. E. Tate, H. Okhravi, C. Grier, T. J. Overbye, and D. Nicol, “SCADA cybersecurity test bed development,” in Proc. 38th North Am. Power Symp., Sep. 2006, pp. 483–488.
[32] J. Nutaro, P. T. Kuruganti, L. Miller, S. Mullen, and M. Shankar, “Integrated hybrid-simulation of electric power and communications systems,” in Proc. IEEE Power Eng. Soc. Gen. Meeting, 2007, pp. 1–8.
[33] M. J. McDonald et al., “Modeling and simulation for cyber-physical system security research, development and applications,” Sandia Nat. Lab., Albuquerque, NM, USA, Tech. Rep. SAND2010-0568, Feb. 2010.
[34] M. Mallouhi, Y. Al-Nashif, D. Cox, T. Chadaga, and S. Hariri, “A testbed for analyzing security of SCADA control systems (TASSCS),” in Proc. IEEE Power Energy Soc. Innov. Smart Grid Technol., Jan. 2011, pp. 1–7.
[35] J. Hong et al., “An intrusion and defense testbed in a cyberpower system environment,” in Proc. IEEE Power Energy Soc. Gen. Meeting, San Diego, CA, Jul. 2011, pp. 1–5.
[36] C. Queiroz, A. Mahmood, and Z. Tari, “SCADASim—A framework for building SCADA simulations,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 589–597, Dec. 2011.
[37] D. Bian, M. Kuzlu, M. Pipattanasomporn, S. Rahman, and Y. Wu, “Real-time co-simulation platform using OPAL-RT and OPNET for analyzing smart grid performance,” in Proc. IEEE Power Eng. Soc. Gen. Meeting, 2015, pp. 1–5.
[38] A. Hahn, A. Ashok, S. Sridhar, and M. Govindarasu, “Cyber-physical security testbeds: Architecture, application, and evaluation for smart grid,” IEEE Trans. Smart Grid, vol. 4, no. 2, pp. 847–855, Jun. 2013.
[39] P. Kundur, Power System Stability and Control (EPRI Power System Engineering Series). New York, NY, USA: McGraw-Hill, 1994.
[40] H. D. Chiang, Direct Methods for Stability Analysis of Electric Power Systems: Theoretical Foundation, BCU Methodologies, and Applications. Hoboken, NJ, USA: Wiley, 2011.
[41] IEEE Guide for Protective Relay Applications to Transmission Lines, IEEE Standard C37.113-2015, Dec. 2015.
[42] M. Kezunovic, J. Ren, and S. Lotfifard, Design, Modeling and Evaluation of Protective Relays for Power Systems. Berlin, Germany: Springer International Publishing, 2006.
[43] S. V. Achanta, R. Bradetich, and K. Fodero, “Speed and security considerations for protection channels,” in Proc. 42nd Annu. Western Protective Relay Conf., College Station, TX, Oct. 2015, pp. 1–9.
[44] Communication Networks and Systems in Substations—Part 8-1: Specific Communication Service Mapping (SCSM) Mappings to MMS, IEC Standard 61850-8-1-2011, Feb. 2012.
[45] IEEE Power System Relaying Committee WG D6, “Power swing and out-of-step considerations on transmission lines,” Jul. 2005.
[46] H. Gras et al., “A new hierarchical approach for modeling protection systems in EMT-type software,” in Proc. Int. Conf. Power Syst. Transients, Jun. 2017, Paper 17IPST108.

Amir Abiri Jahromi (S’10–M’16) received the Ph.D. degree in electrical and computer engineering from McGill University, Montréal, QC, Canada, in 2016. He was a Postdoctoral Fellow with the University of Denver in 2017. He is currently a Postdoctoral Fellow with the University of Toronto, Toronto, ON, Canada.
He was a Research and Development Engineer with ITA-UIS Company, Dubai, United Arab Emirates, from 2008 to 2010. His research interests include power system modeling, cyberphysical security, reliability, economics, and optimization of power systems.

Anthony Kemmeugne received the Engineering degree in telecommunication and electronics from Telecom Saint-Etienne, Saint-Étienne, France, in 2018, and the M.Sc. degree in electrical and computer engineering from the Université du Québec à Chicoutimi, Chicoutimi, QC, Canada, in 2018. He is currently working toward the Ph.D. degree with the Department of Electrical and Computer Engineering, University of Toronto, Toronto, ON, Canada.
From 2017 to 2018, he was a Research Engineer with the Research Institute of Hydro Québec, Montreal, QC, Canada. His research interests include communication systems, and advanced simulation method including telecommunications, power systems cosimulation, and smart grid cybersecurity.

Deepa Kundur (S’91–M’99–SM’03–F’15) received the B.A.Sc., M.A.Sc., and Ph.D. degrees in electrical and computer engineering from the University of Toronto, Toronto, ON, Canada, in 1993, 1995, and 1999, respectively.
From January 2003 to December 2012, she was a Faculty Member with the Department of Electrical and Computer Engineering, Texas A&M University. From September 1999 to December 2002, she was a Faculty Member with the Department of Electrical and Computer Engineering, University of Toronto, where she is currently a Professor and the Chair of The Edward S. Rogers Sr. Department of Electrical and Computer Engineering. She is an author of more than 200 journal and conference papers. Her research interests include interface of cybersecurity, signal processing, and complex dynamical networks. She has participated on several Editorial Boards and currently serves on the Advisory Board of IEEE Spectrum. She has served as the General Chair for the 2018 Global Conference on Signal and Information Processing (GlobalSIP) Symposium on Information Processing, Learning, and Optimization for Smart Energy Infrastructures, and the Technical Program Committee Co-Chair for the IEEE International Conference on Smart Grid Communications in 2018. She has also served as the Symposium Co-Chair for the Communications for the Smart Grid Track of the International Conference on Communications in 2017, the General Chair for the Workshop on Communications, Computation and Control for Resilient Smart Energy Systems at ACM e-Energy in 2016, the General Chair for the Workshop on Cyber-Physical Smart Grid Security and Resilience at Globecom in 2016, the General Chair for the Symposium on Signal and Information Processing for Smart Grid Infrastructures at GlobalSIP in 2016, the General Chair for the 2015 International Conference on Smart Grids for Smart Cities, the General Chair for the 2015 Smart Grid Resilience (SGR) Workshop at IEEE Global Communications Conference in 2015, and the General Chair for the IEEE GlobalSIP’15 Symposium on Signal and Information Processing for Optimizing Future Energy Systems.
Prof. Kundur’s research has received best paper recognitions at numerous venues including the 2015 IEEE Smart Grid Communications Conference, the 2015 IEEE Electrical Power and Energy Conference, the 2012 IEEE Canadian Conference on Electrical and Computer Engineering, and the 2011 Cyber Security and Information Intelligence Research Workshop. She is a Fellow of the Canadian Academy of Engineering.

Aboutaleb Haddadi (S’11–M’15) received the Ph.D. degree in electrical and computer engineering from McGill University, Montréal, QC, Canada, in 2015. From 2015 to 2018, he was a Postdoctoral Fellow with Montréal Polytechnique, Montréal, where he is currently a Research Associate. He is the Lead Author of the CIGRÉ Technical Brochure Power System Test Cases for EMT-Type Simulation Studies. His research interests include power system protection, power system simulation, and renewable resources integration.
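
The relay logic exercised in Case Studies I to V (zone 1 and zone 2 pickup, the POTT permissive, the DCUB unblock and the Fig. 18 channel-loss check) can be reproduced as a small boolean model that shows why a lost channel is detected while a well-formed false message is not. The Python below is an added illustration, not the authors' OPAL-RT or Riverbed Modeler implementation; the function names, the three channel states and the OR-combination of redundant channels are assumptions made for this sketch.

```python
"""Added illustration: boolean model of the relay logic in Case Studies I-V.

Names and channel states are chosen for this sketch (assumptions); the
numeric settings are the ones stated in the paper.
"""

ZONE1_REACH = 0.80        # zone 1 reach as a fraction of the line length
ZONE2_REACH = 1.20        # zone 2 (overreaching) reach
ZONE2_DELAY_CYCLES = 30   # backup zone 2 time delay (0.5 s)
FAULT_FROM_BUS_A = 0.82   # fault location on line L1, measured from bus A


def pickups(distance):
    """Return (zone1_pickup, zone2_pickup) for a forward fault at `distance`."""
    return distance <= ZONE1_REACH, distance <= ZONE2_REACH


def channel(pts_tx, state):
    """Deliver the (signal, inverted signal) pair of Fig. 18 over one channel.

    state "ok":  the pair arrives unchanged
    state "dos": nothing arrives, so both inputs read 0 at the receiver
    state "fdi": a well-formed pair saying "no permissive" arrives instead
    """
    if state == "ok":
        return pts_tx, not pts_tx
    if state == "dos":
        return False, False
    if state == "fdi":
        return False, True
    raise ValueError(f"unknown channel state: {state}")


def channel_lost(sig, inv):
    """Fig. 18: OR of the signal and its complement, followed by NOT."""
    return not (sig or inv)


def trip_delay(scheme, z1, z2, received):
    """Cycles from fault inception to the trip command at one relay.

    `received` holds one (sig, inv) pair per communication channel.
    Returns None when the relay does not see the fault in either zone.
    """
    if z1:
        return 0                                   # 21G_Z1 trip
    if not z2:
        return None
    pts_rcv = any(sig for sig, _ in received)      # PTS_RCV on any channel
    if scheme in ("POTT", "DCUB") and pts_rcv:
        return 0                                   # POTT logic operates
    if scheme == "DCUB" and all(channel_lost(s, i) for s, i in received):
        return 0                                   # zone 2 AND channel lost
    return ZONE2_DELAY_CYCLES                      # delayed 21G_Z2 trip


def clearing_delay(scheme, channel_states=()):
    """Cycles until both ends of line L1 have tripped for the 82% fault."""
    z1_a, z2_a = pickups(FAULT_FROM_BUS_A)         # relay R1 at bus A
    z1_b, z2_b = pickups(1.0 - FAULT_FROM_BUS_A)   # relay R2 at bus B
    # Each relay keys its permissive (PTS_TX) on its own zone 2 pickup.
    rcv_at_r1 = [channel(z2_b, s) for s in channel_states]
    rcv_at_r2 = [channel(z2_a, s) for s in channel_states]
    return max(trip_delay(scheme, z1_a, z2_a, rcv_at_r1),
               trip_delay(scheme, z1_b, z2_b, rcv_at_r2))


CASES = [
    ("I   step-distance",          "STEP", ()),
    ("II  POTT, no attack",        "POTT", ("ok",)),
    ("III POTT, DDoS",             "POTT", ("dos",)),
    ("IV  POTT x2, DDoS on ch1",   "POTT", ("dos", "ok")),
    ("IV  POTT x2, DDoS on both",  "POTT", ("dos", "dos")),
    ("V   DCUB, DDoS",             "DCUB", ("dos",)),
    ("V   DCUB, FDI",              "DCUB", ("fdi",)),
]

if __name__ == "__main__":
    for label, scheme, states in CASES:
        delay = clearing_delay(scheme, states)
        print(f"{label:28s} fault cleared after {delay:2d} cycles")
```

The complement check reports loss only when both inputs read zero, so the false pair in the FDI row passes it and relay R1 falls back to the 30-cycle zone 2 trip, which is the gap Case Study V leaves for cyber-based channel monitoring.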
