CAPRICA: A Testbed Demonstrating a Cyber-Secure Synchronous Power Island. Dr Kieran McLaughlin, Dr David Laverty, Prof Sakir Sezer. Queen's University Belfast. October 2018
Overview About the CAPRICA project Secure Synchronous Island Use-case Testbed Components Physical Hardware & Secure ICT Conclusion & Future Directions
CAPRICA Project: Converged Approach towards Resilient Industrial control systems and Cyber Assurance. Part of the UK's National Research Institute in Trustworthy ICS (RITICS). Project Aims: Investigate a cyber-secure synchronous island (microgrid) use-case. Demonstrate solutions in a practical testbed.
Queen's University Belfast. RITICS is a 2.5 million EPSRC/NCSC programme. Projects began in 2015, with four other universities initially.
Context: Ukraine power grid cyber-attack December 2015 Widely considered to be the first known successful cyberattack on a power grid
Context: Ukraine Power Grid Cyber-Attack. Attacks on 7 110kV and 23 35kV substations. Employees spear-phished. MS Office macros allowed BlackEnergy v3 malware to be installed. Users monitored and credentials captured. Firmware attacked on substation network gateways, scheduled UPS outages, opened circuit breakers. KillDisk malware used to wipe hard drives. Ref: E-ISAC, Analysis of the Cyber Attack on the Ukrainian Power Grid, March 18, 2016
CAPRICA Use-Case
Use-Case: Cyber-Secure Synchronous Islanding [Figure: utility network at 33kV, 11kV and 415V with an islanded system (A, B) and loads.] Challenges: Develop a platform enabling a microgrid to operate synchronized with the main grid. Support real-time dynamic disconnection / reconnection of microgrids. Secure from IT perspective.
CAPRICA Global Energy Network Institute www.geni.org Why synchronous islands? O. Mogstad, M. R. Jacobsen, & J. Heggset, Challenges with Changeover to Island Mode Operation: Smart Grid Solutions. 13th International Conference on Development in Power System Protection 2016 (DPSP)
Use-Case: Cyber-Secure Synchronous Islanding Synchrophasor measurements provided in real-time by PMUs allow us to match the rotating vector in terms of required voltage magnitude, frequency and phase angle. In this scenario ICT plays a major role in communicating measurements in real time over a wide area network.
[Figure: synchronous island control scheme. Labels: Reference, Feedback, PMU, Utility Grid, Embedded Generator, 50 Hz, Circuit Breaker, Load, Export to Grid Power, WAN, Synchronous Island Controller. The island frequency and phase are controlled to equal the reference frequency and phase.] Phasor Measurement Unit (PMU), Wide Area Network (WAN)
Use-Case: Cyber-Secure Synchronous Islanding Precision reference data required from PMUs Highlighted areas may be different substations Cyber security concerns for substations networks and WAN Real-time ICT dependencies in the control loop
Testbed Components
[Figure: testbed block diagram. Labels: Utility Reference, Phase Gain, Frequency Control Loop, PID Controller, Prime Mover, Phase Difference Control Loop, LAN, PMU, Supervisory Control PC, Setpoints, WAN, VTs, DAC, R Pi, DC Drive (Eurotherm), AVR, Utility Supply Mains, Prime Mover (DC Motor), Alternator (Synchronous Machine), Loads, Generator Set.]
AVR: The AVR is the Automatic Voltage Regulator for the synchronous machine. It maintains the voltage at the machine terminals at a setpoint, compensating for changes in load and changes in machine speed (Faraday's Law). For our machine, the setpoint will normally be 135 V phase (230 V line). We may wish to dynamically adjust the setpoint of the machine for load relief (e.g. when islanding occurs, reduce voltage, hence load, to allow faster phase recovery). [Figure: AVR circuit. Labels: Mains Powered 100 V dc, VT, I_f, MOSFET, Alternator, Raspberry Pi AVR (PID), Setpoint, Network.]
Prime Mover Controller: The prime mover in our testbed is a DC machine. It provides the mechanical torque to drive the synchronous machine (alternator) that would normally be provided by an engine/turbine. In our testbed, the torque of the prime mover is electronically modulated by a DC Drive. It is controlled by an analogue input, range 0 to 10 V. By adjusting this, we control the speed of rotation of the DC motor and hence the synchronous machine. [Figure: prime mover controller. Labels: Setpoint, Raspberry Pi AVR (PID), SPI, DAC, PSU, Op-Amp, 0-5 V, 0-10 V, Prime Mover Controller, Prime Mover, Network.] N.B. Must use a unipolar op-amp (e.g. LM158). Prime Mover Controller is receive only. No transmit requirements.
PID Phase Controller [Figure: controller block diagram. Labels: Utility Reference, Phase Gain K, Frequency Control Loop, PID Controller (K_p, K_i, K_d), Prime Mover G(s), Phase Difference Control Loop.] The Phase Controller is a PID controller with two control loops. The main control loop, the Frequency Control Loop, matches the speed of the islanded generator to the main utility grid. However, since a phase mismatch can occur between two machines operating at the same speed, a secondary control loop acts to eliminate the phase error. This is achieved by biasing the speed setpoint proportional to the error in phase angle. The measurements for this, frequency (w) and phase (phi), are measured using a PMU. The PID controller is implemented in Python.
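The two-loop phase controller described above, as an added example that is not the CAPRICA project's code. The gains, the first-order generator model, the trim-voltage output and the names wrap_deg, PhaseController and simulate are assumptions chosen for illustration; it also handles the case where PMU angles wrap around at 360 degrees.

```python
def wrap_deg(angle):
    """Wrap an angle difference into [-180, 180) degrees."""
    return (angle + 180.0) % 360.0 - 180.0


class PhaseController:
    """Frequency PID loop whose setpoint is biased by the phase error."""

    def __init__(self, kp, ki, kd, k_phase, dt):
        self.kp, self.ki, self.kd = kp, ki, kd
        self.k_phase = k_phase  # Hz of speed bias per degree of phase error
        self.dt = dt
        self.integral = 0.0
        self.prev_err = None

    def update(self, f_ref, phi_ref, f_gen, phi_gen):
        # Secondary loop: bias the speed setpoint in proportion to phase error.
        phase_err = wrap_deg(phi_ref - phi_gen)
        f_set = f_ref + self.k_phase * phase_err
        # Main loop: PID on the frequency error against the biased setpoint.
        err = f_set - f_gen
        self.integral += err * self.dt
        # No derivative term on the first sample (avoids a start-up kick).
        deriv = 0.0 if self.prev_err is None else (err - self.prev_err) / self.dt
        self.prev_err = err
        return self.kp * err + self.ki * self.integral + self.kd * deriv


def simulate(seconds=10.0, dt=0.01, f_ref=50.0, f_gen=49.8,
             phi_ref=350.0, phi_gen=310.0):
    """Run the controller against a constructed first-order generator model.

    Returns (frequency error in Hz, phase error in degrees) at the end.
    """
    ctrl = PhaseController(kp=1.0, ki=4.0, kd=0.02, k_phase=0.005, dt=dt)
    tau, gain, f_nom = 0.5, 6.0, 50.0  # assumed plant: lag (s), Hz per volt
    for _ in range(int(seconds / dt)):
        u = ctrl.update(f_ref, phi_ref, f_gen, phi_gen)  # drive trim voltage
        f_gen += dt * (-(f_gen - f_nom) + gain * u) / tau
        # Both phasors rotate; PMU angles are reported modulo 360 degrees.
        phi_ref = (phi_ref + 360.0 * f_ref * dt) % 360.0
        phi_gen = (phi_gen + 360.0 * f_gen * dt) % 360.0
    return f_ref - f_gen, wrap_deg(phi_ref - phi_gen)


if __name__ == "__main__":
    f_err, phi_err = simulate()
    print(f"frequency error {f_err:+.4f} Hz, phase error {phi_err:+.3f} deg")
```

With frequency matching alone the initial 40 degree offset would persist; the phase bias term is what drives it to zero.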
PMU. Top: Modular OpenPMU architecture https://sites.google.com/site/openpmu/ Bottom: Data acquisition unit capable of synchronously acquiring 8 analogue waveforms at a precise rate of 12.8 kHz (for 50 Hz systems) with 16-bit resolution and 94.2 dB SNR. Data communicated along with the time at which it was acquired and other metadata in an XML datagram. Zhao, Laverty, McKernan, Morrow, McLaughlin, & Sezer. "GPS-disciplined analog-to-digital converter for phasor measurement applications." IEEE Transactions on Instrumentation and Measurement 66, no. 9 (2017): 2349-2357.
Secure ICT Aspects
Synchronous Islanding Testbed (Control System) Security Testbed (ICT Communication) OpenPMU, SCADA IDS, Security Gateway, GDOI Classical PID controller on Rasp Pi platform, receives setpoint and feedback from PMU. Generator Set implemented on laboratory machines (three-phase, 5 kVA).
CAPRICA Gateways fully implement: IEEE C37.118.2 and IEC 61850-90-5 (with full security specification, GDOI). Standards for synchrophasor data transfer. First real-time control demo with physical hardware and security features Additional network IDS sensors developed.
Security Framework [Figure: network diagram with links labelled IEC 61850-90-5 and IEEE C37.118.]
CAPRICA Testbed Hardware in the loop: commercial PMUs, OpenPMU, electrical loads, and machines (three-phase 5 kVA synchronous generator and DC motor) Synchronous island control software Telecommunications Open Source Phasor Measurement Unit
CAPRICA Testbed IEC 61850-90-5 secure gateway (i.e. modern protection) IDS for IEEE C37.118.2 (i.e. detection for older protocol threats) Telecoms network is implemented in hardware/emulated software using NRL core. NRL core, VLAN switches, key distribution server and IDS gateways (Rasp Pi) are pictured, along with IDS GUI
Conclusions
Conclusions Sophisticated and realistic testbed Hardware in the loop; generators and electrical loads Real components; vendor and developed PMUs Realistic emulated IT network environment Up to TRL4 Supports detailed experimentation and validation of components developed for application to real-time control Accuracy and dependability of OpenPMU platform Latency, security, dependability of security aspects
Future Directions CAPRICA will evolve to investigate more fundamental over-the-horizon technology demonstrations: What if we only keep bare minimum physical equipment, i.e. sensors/actuators? Do we really need SCADA-specific networking protocols? How much functionality can we migrate to the cloud?
Thank you CAPRICA: A Testbed Demonstrating a Cyber-Secure Synchronous Power Island Kieran McLaughlin Papers > go.qub.ac.uk/mclaughlin