Patent abstract:
METHOD FOR MONITORING OPERATION OF AN ELECTRIC POWER SYSTEM, AND MONITORING SYSTEM. In a method, the operation of an electric power system having an electric power utility automation system (1981-1984; 1991-1994) is monitored. The electric power utility automation system (1981-1984; 1991-1994) comprises a plurality of intelligent electronic devices (IEDs) (1981-1984; 1991-1994) that communicate via a communication network. During operation of the electric power system, properties of the electric power system are monitored, the monitored properties comprising monitored data messages which are transmitted by the plurality of IEDs (1981-1984; 1991-1994) through the communication network. The monitored data messages are evaluated based on configuration information for the electric power utility automation system (1981-1984; 1991-1994) to detect a critical event. A warning signal is generated in response to the detection of a critical event.
Publication number: BR102013015753B1
Application number: R102013015753-8
Filing date: 2013-06-21
Publication date: 2020-12-29
Inventors: Andreas Klien; Cristian Marinescu
Applicant: Omicron Electronics Gmbh;
Main IPC number:
Patent description:

Field of the Invention
[0001] The present invention relates to a monitoring method and system for monitoring the operation of an electric power system. The invention relates in particular to such a monitoring method and system configured to perform substation automation monitoring to detect a critical event, such as a security breach, during the operation of an electric power system.
Background of the Invention
[0002] Electric power systems for high and medium voltages are widely used. The need to transmit electrical energy over long distances, perform a voltage conversion at a transformer substation or distribute electrical energy requires complex electrical systems. In recent years, so-called automation systems, which increase the degree of automation in electric power systems, have become increasingly popular. For illustration, substations for electricity distribution through high and medium voltage networks include primary devices or field devices, such as electrical cables, lines, busbars, circuit breakers, power transformers, and instrument transformers, arranged in substations or bays. These primary devices can be operated in an automated way by a Substation Automation (SA) system responsible for substation control, protection, and monitoring. The SA system comprises programmable secondary devices, called Intelligent Electronic Devices (IEDs), interconnected by an SA communication network and interacting with the primary devices via a process interface. Similarly, a wide variety of electric power systems can have an associated electric power utility automation system including IEDs that perform control, protection, and monitoring functions for the respective electric power system. Communication between IEDs can be carried out according to standardized protocols. For illustration, the IEC 61850 standard “Communications Networks and Systems in Substations” decouples the application functionality of a specific substation and, for this purpose, defines an abstract object model for compliant substations, and a method of how to access these objects through a network via the Abstract Communication Service Interface (ACSI).
[0003] With the increasing degree of automation and increasing use of IEDs, there is also an increasing need to reliably detect critical situations in the energy automation system. Examples of such critical events include security intrusion, operator errors, timing aspects, hardware failures, or any critical or incorrect state of the electric power system and/or its electric power utility automation system.
[0004] U.S. 2011/0196627 A1 describes methods and devices in which real-time transmissions are detected and can be evaluated with respect to time-related information. Such a solution allows critical situations to be detected, when, for example, communication protocols are used that require messages transmitted between the IEDs to meet certain timing requirements.
[0005] In the field of computer networks, Intrusion Detection Systems (IDSs) are used to monitor network or system activity to detect intrusions or harmful activities of unauthorized third parties. IDSs are designed to identify possible incidents, log information, and report possible attempts. The primary function of an IDS is to alert the operator of a secure perimeter, so that the operator can take measures to prevent the intrusion and minimize the impact of attacks, or perform a subsequent incident analysis. Signature-based IDSs use predefined signatures for known attacks (like virus scanner signatures) to detect intrusions. This can be seen as a “blacklist” solution, in which the IDS alerts the operator when it observes prohibited behavior, that is, behavior included in the “blacklist”. Such signature-based solutions are widely used by IDSs in classical information technology (IT) systems. While a “blacklist” solution can be used to detect critical events in utility automation systems, there may be problems with such a solution. The “blacklist” solution requires a signature for each critical event to be identified. New or unknown attacks cannot be detected. In the context of electric power systems, the number of known attacks on and vulnerabilities of control and automation systems and their special protocols is very low. Therefore, a “blacklist”-based IDS applied to electric power systems would, to a large extent, only be able to detect attacks known from the IT domain. The usefulness of “blacklist” solutions is therefore limited, in particular for IDSs in electric power systems.
Summary of the Invention
[0006] Therefore, there is a need for a method and system to monitor the operation of an electric power system having an associated electric power utility automation system, such as, for example, a substation automation system. There is also a need for such methods and systems that do not rely only on a list of signatures for critical events, but can also detect new critical events not included in a “blacklist”.
[0007] A method of monitoring the operation of an electric power system is performed by a monitoring system. The electric power system has an electric power utility automation system. The electric power utility automation system comprises a plurality of intelligent electronic devices (IEDs) that communicate via a communication network. The monitoring system uses configuration information that specifies the properties of the plurality of IEDs. The method comprises, during the operation of the electric power system, monitoring properties of the electric power system, the monitored properties comprising monitored data messages which are transmitted by the plurality of IEDs through the communication network. The method comprises evaluating the monitored data messages to detect a critical event during operation of the electric power system, where the evaluation comprises analyzing the data content of at least some of the monitored data messages to determine, based on the configuration information, whether the data content corresponds to valid behavior. The method comprises generating an alert signal in response to data detection or a non-conforming status of the system.
[0008] The method advantageously uses the fact that electric power systems and their automation systems are largely deterministic. The number of devices, their addresses, protocols, and even the services performed by the electric power system as a whole are known in advance and do not change significantly over time. Therefore, the configuration information that specifies the behavior of the IEDs is used to determine whether the monitored properties match the configuration information. The monitoring system can check, based on the monitored properties, whether the monitored properties conform to the configuration information. The monitoring system thus uses a solution that does not necessarily require a “blacklist” including signatures for critical events. Instead, the monitoring system uses the configuration information to check whether the observed events correspond to valid system behavior. The monitoring system thereby identifies events that do not conform to a system model of the electric power system and its electric power utility automation system.
[0009] The monitoring system can be or include a substation.
[00010] The electricity utility automation system can be or include an electricity utility automation system.
[00011] The monitoring system can be configured to passively monitor the properties, without actively interfering in the operation of any of the IEDs or components of the electricity system. The monitoring system can be configured in order to monitor the properties without sending messages to one of the IEDs during operation of the electricity system.
[00012] The monitoring system can generate a system model for the electric power system and its electric power utility automation system based on the configuration information. The monitoring system can therefore be regarded as a “white list” based solution, which uses an automatically generated system model for an electric power system with detailed behavior specifications to judge whether the monitored properties are in agreement with normal operation, as defined by the behavior specifications in the system model.
[00013] The monitoring system can generate the system model based on the configuration information and application knowledge. Application knowledge can include information on the communication protocols used by IEDs to communicate via the communication network. Application knowledge can include information regarding communication protocols. Application knowledge can include information regarding when and what data is transmitted, in accordance with communication protocols. Application knowledge can include information regarding data models from IEDs or other devices, respectively for a plurality of different IEDs or devices. Application knowledge can include information regarding which functions are critical. Application knowledge can be stored in a database, from which the monitoring system retrieves information to generate the system model.
[00014] The generated system model must cover communication characteristics. The generated system model can define which IEDs communicate with each other and the parameters of the respective communication. In addition, the system model can also use application knowledge with respect to the electric power system. The monitoring system is thereby also configured to analyze the data content of the transferred messages. The monitoring system can be configured to relate data messages from different sources. This can also include observing digitally transferred measurement values (e.g. voltages, signal waveforms, binary/trigger events, including without limitation IEC 61850 messages). Since automation systems often have real-time requirements, time properties of messages can also be part of the system model. The system can not only inspect the network traffic and the measurement values transferred over the network, but may in addition have (analog) electrical input ports so that it can compare electrical signals from the electric power system with the internal system model. The data contents of the monitored data messages and the electrical signals can then be related and compared against the system model. Application knowledge can be used to generate the system model.
[00015] The system model can additionally include information regarding a logical interconnection between IEDs. That is, the system model can include information with respect to the topology of the electric power utility automation system. The system model can additionally include information regarding switches which are used in the communication network. This allows the monitoring system to determine which data messages are expected at certain locations in the communication network within a valid behavior of the electric power utility automation system. The system model may include information regarding the capabilities of at least the IEDs in the utility automation system. The system model can include information with respect to the data messages transmitted by the IEDs.
[00016] The system model can have a format that defines a set of restrictions that are imposed on the valid behavior of the electric power utility automation system by the configuration information and/or application knowledge. The set of restrictions may include restrictions on the data messages expected at certain locations of the communication network for a given topology of the electric power utility automation system. For illustration, a data message from a first IED to a second IED, monitored at a location of the communication network, represents valid behavior only if the topology defines that the first IED communicates with the second IED and that the data messages pass the location at which the data message is monitored. For an additional illustration, a data message sent to an IED can represent valid behavior only if it asks the IED to take an action according to its capacity and function. Such verification can be formulated as a set of restrictions. By using a set of constraints to define the system model, the process of verifying that the monitored data messages correspond to valid behavior can be carried out efficiently.
[00017] The system model, therefore, can provide a specification for at least the electric power utility automation system, including the communication network. The system model can provide a specification for both the electric power utility automation system and the electric power system. The system model allows the monitoring system to monitor compliance with the specification, as defined by the system model.
[00018] If a deviation from the expected behavior according to the system model is detected, an alert is triggered. Deviations from specified behavior can be caused not only by security breaches, but also by hardware failures, operator errors, timing problems, or configuration errors. Thus, the monitoring system is not only configured to detect a security intrusion, but also to detect any critical or incorrect state of the electric power system which can be observed through the communication network. The monitoring system is capable of monitoring the health of the electric power utility automation system and alerting the operator to a critical condition.
[00019] The monitoring system is not only used during normal operation of the electricity system, but also during the configuration phase of the automation system. The method, therefore, may comprise performing field tests or acceptance tests to determine whether the utility automation system behaves (or not) as specified in the configuration information. Alternatively or additionally, the method can be used to determine whether the configuration information is correct and corresponds to the current state of the system. Alternatively or additionally, the method can be used to monitor the current status, and to generate configuration information from the current network traffic.
[00020] The evaluation step may comprise forecasting anticipated data messages among the plurality of IEDs, based on the system model, and comparing the monitored data messages with the anticipated data messages. Knowledge of the electric power system and its electric power utility automation system, as well as the specified behavior of these systems, can be used to determine whether the electric power system and its electric power utility automation system exhibit the behavior expected according to the system model.
[00021] The forecasting step may comprise predicting the data content of the data messages transmitted by an IED, based on the configuration information and based on at least one data message previously transmitted by at least one of the plurality of IEDs. The data content of the data message transmitted by an IED can be predicted based on the configuration information and based on the data content of another data message previously transmitted by the same IED. The data content of a data message transmitted by an IED can be predicted based on the configuration information and based on the data content of another data message previously transmitted by another IED of the plurality of IEDs. The knowledge of the components of the electric power system and its associated electric power utility automation system can thereby be used to discriminate between normal and critical events.
[00022] The evaluation step may comprise determining whether the plurality of IEDs behave as specified by the configuration information. The critical event can be detected, if the plurality of IEDs does not behave as specified by the configuration information. This verification can be done without requiring a "black list" of critical events.
[00023] The configuration information may also include information on the components of the electricity systems and their interconnections. The evaluation step can comprise determining whether both the electric power system and its electric utility automation system behave as specified by the configuration information.
[00024] The monitoring system has an Ethernet Test Access Port (TAP) to monitor data messages. The monitoring system can have a plurality of TAPs to monitor data messages. When the communication network has a star topology, as in many switched networks, the plurality of TAPs can be provided respectively in the data connections between IEDs and switches. TAPs can be located in different locations throughout the entire communication network and form a virtual distributed TAP.
[00025] Alternatively or additionally, the monitoring system can use a switch of the communication network to monitor data messages. The monitoring system can have an interface that is connected to a mirror port, and the switch can be configured to transmit a copy of the data messages received at the switch from the plurality of IEDs to the monitoring system via the mirror port. Alternatively or additionally, the monitoring system can be integrated with a communication switch.
[00026] The method can comprise a step of receiving, in the monitoring system, the configuration information. The method can comprise a step of automatically processing the received configuration information with the monitoring system, to generate the system model.
[00027] The configuration information received may comprise at least one configuration data file for the electric power system and its electric power utility automation system. The configuration data file can be a Substation Configuration Description Language (SCL) file, as used by IEC 61850 systems. The SCL file can be an SCL file for a substation and its substation automation system.
[00028] The monitored properties may additionally comprise analog signals from the electrical power system. The evaluation step can comprise: evaluating monitored data messages and analog signals based on the configuration information to detect the critical event. Analog signals can be compared to the electrical power system specification and electrical utility automation system, as defined by the SCL file.
[00029] The process to automatically create a system model of the electric power utility automation system can combine information from different data sources. Configuration data of the electric power system and its automation system components can be used, such as SCL files, as defined in IEC 61850-6. In addition or alternatively, passive observation of network communication can also be used to generate the system model. Such passive observation may include observing the communication between devices in the electric power utility automation system and/or the communication between network equipment (for example Rapid Spanning Tree Protocol). Additionally or alternatively, active communication with devices (e.g. IEDs or network equipment) can also be used to generate the system model. Additionally or alternatively, configuration data of network switches can be used to generate the system model. Such data can include switch MAC tables. In addition or alternatively, a user input can also be used. For illustration, a user input can be received that defines the location of sensors which provide analog signals to the monitoring system's input ports.
[00030] In an implementation, the process for automatically creating a system model can be initiated with SCL files or other configuration data files to determine the internal system model of the devices of the electric power utility automation system. This can be used to deduce the type of device, vendor information, and therefore its capacity. This can also determine which devices communicate and which messages are expected at certain locations in the SA system. Once the function or purpose of a device is known, its criticality can also be deduced, which allows the generation of ACLs (Access Control Lists) for the system model of the device.
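As an added illustration (not part of the patent text), the following Python code derives a small "white list" model from an SCL file and checks decoded data messages against it. GOOSE is chosen here as one IEC 61850 message type, which the patent text does not name; the SCL fragment, the message dictionaries, the function names and the alert codes are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed, heavily simplified SCL fragment (not taken from the patent).
SAMPLE_SCL = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
 <Communication><SubNetwork name="StationBus">
  <ConnectedAP iedName="PROT1" apName="AP1">
   <GSE ldInst="LD0" cbName="gcbTrip"><Address>
    <P type="MAC-Address">01-0C-CD-01-00-01</P>
    <P type="APPID">0001</P>
   </Address></GSE>
  </ConnectedAP>
 </SubNetwork></Communication>
 <IED name="PROT1"><AccessPoint name="AP1"><Server><LDevice inst="LD0">
  <LN0 lnClass="LLN0" inst="" lnType="T1">
   <DataSet name="dsTrip">
    <FCDA ldInst="LD0" lnClass="PTRC" lnInst="1" doName="Tr" daName="general" fc="ST"/>
    <FCDA ldInst="LD0" lnClass="PTRC" lnInst="1" doName="Tr" daName="q" fc="ST"/>
   </DataSet>
   <GSEControl name="gcbTrip" datSet="dsTrip" appID="PROT1_Trip"/>
  </LN0>
 </LDevice></Server></AccessPoint></IED>
</SCL>"""


def normalize_mac(mac):
    """Compare MAC addresses independent of separator and case."""
    return mac.strip().lower().replace("-", ":")


def dataset_size(root, ied, ld_inst, cb_name):
    """Number of data set members the named GOOSE control block publishes."""
    for ied_el in root.iterfind("scl:IED", NS):
        if ied_el.get("name") != ied:
            continue
        for ldev in ied_el.iterfind(".//scl:LDevice", NS):
            ln0 = ldev.find("scl:LN0", NS)
            if ldev.get("inst") != ld_inst or ln0 is None:
                continue
            for ctl in ln0.iterfind("scl:GSEControl", NS):
                if ctl.get("name") != cb_name:
                    continue
                for ds in ln0.iterfind("scl:DataSet", NS):
                    if ds.get("name") == ctl.get("datSet"):
                        return len(ds.findall("scl:FCDA", NS))
    return None  # control block or data set not described in the file


def build_model(scl_text):
    """Map (destination MAC, APPID) -> expected properties of that stream."""
    root = ET.fromstring(scl_text)
    model = {}
    for cap in root.iterfind(".//scl:ConnectedAP", NS):
        ied = cap.get("iedName")
        for gse in cap.iterfind("scl:GSE", NS):
            addr = {p.get("type"): (p.text or "").strip()
                    for p in gse.iterfind("scl:Address/scl:P", NS)}
            if "MAC-Address" not in addr or "APPID" not in addr:
                continue  # incomplete address: nothing to whitelist
            ld_inst, cb_name = gse.get("ldInst"), gse.get("cbName")
            key = (normalize_mac(addr["MAC-Address"]), int(addr["APPID"], 16))
            model[key] = {
                "gocb_ref": f"{ied}{ld_inst}/LLN0$GO${cb_name}",
                "entries": dataset_size(root, ied, ld_inst, cb_name),
            }
    return model


def evaluate(model, msg):
    """Return alert codes for one decoded message; an empty list means valid."""
    spec = model.get((normalize_mac(msg["dst_mac"]), msg["appid"]))
    if spec is None:
        return ["UNCONFIGURED_STREAM"]  # no such stream in the configuration
    alerts = []
    if msg["gocb_ref"] != spec["gocb_ref"]:
        alerts.append("GOCBREF_MISMATCH")
    if spec["entries"] is not None and len(msg["all_data"]) != spec["entries"]:
        alerts.append("DATASET_SIZE_MISMATCH")
    return alerts


# Constructed, already-decoded messages as a passive tap might deliver them.
SAMPLE_MESSAGES = [
    {"dst_mac": "01:0c:cd:01:00:01", "appid": 0x0001,
     "gocb_ref": "PROT1LD0/LLN0$GO$gcbTrip", "all_data": [False, "0000"]},
    {"dst_mac": "01:0c:cd:01:00:02", "appid": 0x0002,
     "gocb_ref": "PROT1LD0/LLN0$GO$gcbTrip", "all_data": [False, "0000"]},
    {"dst_mac": "01:0c:cd:01:00:01", "appid": 0x0001,
     "gocb_ref": "HMI9LD0/LLN0$GO$gcbTrip", "all_data": [True, "0000", 1]},
]

if __name__ == "__main__":
    model = build_model(SAMPLE_SCL)
    for m in SAMPLE_MESSAGES:
        print(m["gocb_ref"], m["dst_mac"], evaluate(model, m) or "valid")
```

No signature of a known attack is involved: the second and third messages are flagged only because they deviate from what the configuration file specifies.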
[00031] This information can be combined with passive monitoring of the network, matching the observed traffic to the devices from the configuration in order to fill information gaps (for example, the location of a device on the network, or addressing information). During the configuration phase of the communication network of the electric power utility automation system, the information generated from the configuration file can be compared with the current traffic to release the network or to perform field or site acceptance tests. In addition, communication partners not mentioned in the configuration data file, such as human-machine interface stations, can be identified, and specifications for these devices can be created (for example, by prompting for user input).
[00032] The method can comprise the step of time-stamping the monitored properties and storing the time-stamped monitored properties in response to the detection of the critical event. This allows the monitored properties to be subsequently analyzed. Because the time-stamped monitored properties are stored selectively, only if a critical event is detected, the storage space requirements can be kept moderate.
[00033] The method can additionally comprise a step of generating, with the monitoring system, a “black list”, which defines signatures of abnormal operating states. The monitored properties can be compared with the “black list”, in addition to checking the system's behavior against configuration data to detect a critical event. The monitoring system can generate a “black list” based on the configuration information.
[00034] The method can be used to detect an unauthorized invasion. The monitoring system can thus operate as an IDS. Additionally or alternatively, the method can be used to detect hardware failure. Additionally or alternatively, the method can be used to detect operator error. Additionally or alternatively, the method can be used to detect a configuration error during a configuration phase of the substation or the utility automation system. Additionally or alternatively, the method can be used to detect a security policy violation, such as establishing a data connection between an unauthorized computing device and the utility automation system.
[00035] The method can be used to monitor and analyze electrical power system properties, to detect and alert critical operating states and / or security intrusions.
[00036] The monitored properties may include traffic from an electrical power system or automation system. The analyzed network can include a communication network to transmit electricity or relevant data from the automation system.
[00037] The monitoring system can monitor the state of the electric power system or automation system of electric power utility, monitoring the network traffic and / or analog power signals available.
[00038] The monitoring system can operate as an intrusion detection system (IDS of Intrusion Detection System). The monitoring system can use application knowledge of the power system.
[00039] The network traffic analysis may comprise a passive analysis of the network traffic to determine whether the electrical power system or electrical utility automation system behaves as specified.
[00040] The monitoring system can also report whether the electric utility automation system behaves (or not), as specified by the electric utility automation system system model.
[00041] The monitoring system can also report errors in the configuration phase of the electric power system or automation system of electric power utility.
[00042] The monitoring system can detect and report security intrusions, based on knowledge of the electricity system. Decisions are made considering the state of the power system, application-specific data, specific behavior pattern, and / or the like, and are not limited to these.
[00043] The monitoring system can detect and report operator errors and hardware failures in the electricity system. The information collected can include the recorded time and can be used for post-event analysis and debugging.
[00044] The monitoring system can combine “black list” (that is, signature-based) and “white list” IDS solutions in one system, where the “white list” solution includes verifying that the monitored data messages represent valid behavior.
[00045] The monitoring system can be configured to automatically generate the system model for the “white list” based IDS from the configuration data of the electric power system. Configuration data can include, but is not limited to, SCL files.
[00046] The monitoring system can be configured to automatically generate the system model for the signature-based IDS from the configuration data of the electric power system. Configuration data can include, but is not limited to, SCL files.
[00047] According to another embodiment, a monitoring system for an electric power system is provided, the electric power system including an electric power utility automation system, the electric power utility automation system comprising a plurality of Intelligent Electronic Devices (IEDs) that communicate via a communication network. The monitoring system comprises an interface to monitor, during operation of the electric power system, properties of the electric power system, the monitored properties comprising monitored data messages that are transmitted by the plurality of IEDs via the communication network. The monitoring system comprises a processing device configured to evaluate the monitored data messages based on the configuration information, to detect a critical event during the operation of the electric power system. The processing device is configured to analyze the data content of at least some of the monitored data messages to detect the critical event. The processing device is configured to generate an alert signal in response to the detection of a critical event.
[00048] The monitoring system can be configured to perform the method of any aspect or embodiment.
[00049] The monitoring system can comprise a plurality of separate monitoring devices installed in different locations. The monitoring devices can be configured to communicate with each other. The monitoring system can thus be configured as a distributed system. In such a distributed implementation, the distributed monitoring devices of the monitoring system can be synchronized by a synchronization protocol (such as IEEE 1588, PTP, IRIG-B, etc.).
[00050] Additional aspects of the monitoring system and the effects achieved through them correspond to aspects of the method according to the embodiments. The processing of configuration information and/or monitored properties can be performed respectively by a monitoring device of the system.
[00051] According to another embodiment, a system is provided that comprises an electric power system and the monitoring system of an aspect or embodiment. The electric power system has an electric power utility automation system, the electric power utility automation system comprising a plurality of intelligent electronic devices (IEDs) that communicate via a communication network.
[00052] Monitoring systems and methods of embodiments can be used, in particular, to monitor substation automation systems. Monitoring methods and systems of embodiments can be used, in particular, to detect intrusions, but are not limited to that.
Brief Description of the Figures
[00053] Embodiments of the invention will be explained below with reference to the figures. Throughout the figures, the same reference numbers refer to similar elements.
[00054] Figure 1 shows, diagrammatically, elements of an electric power system in which a monitoring system and method can be used.
[00055] Figure 2 shows, in diagrammatic form, a substation in which a monitoring system and method can be used.
[00056] Figure 3 shows, in diagrammatic form, a further exemplary substation in which a monitoring system and method of embodiments can be used.
[00057] Figure 4 is a block diagram of a monitoring system according to an embodiment.
[00058] Figure 5 is a block diagram illustrating the generation of a system model according to embodiments.
[00059] Figure 6 shows a technique by which the monitoring system of an embodiment can monitor data messages transmitted by devices of an electric power utility automation system.
[00060] Figure 7 is a flow chart of a method of an embodiment.
[00061] Figure 8 illustrates data messages transmitted by devices of an electric power utility automation system, which are evaluated by a monitoring system of an embodiment.
[00062] Figure 9 illustrates a functional block diagram of a monitoring system of an embodiment.
[00063] Figure 10 illustrates a flow chart of a method of an embodiment.
[00064] Figure 11 illustrates an electric power utility automation system according to an embodiment.
[00065] Figure 12 illustrates an electric power utility automation system having a monitoring system according to another embodiment.
[00066] Figure 13 illustrates an electric power utility automation system with a monitoring system according to another embodiment.
Description of Embodiments
[00067] Embodiments of the invention will be described in more detail with reference to the figures. Although some embodiments are described in specific contexts, such as substations of an electric power system, which are transformer stations or power plants, the monitoring methods and systems are not limited to these contexts. Embodiments can be used, in particular, for monitoring operation and, in particular, to detect intrusions in substations of electric power systems having an electric power utility automation system in the form of a substation automation system.
[00068] Figures 1 to 3 show, in a diagrammatic and highly simplified way, fundamental components of an electric power system in which a monitoring system 10 of an embodiment can be used.
[00069] Generally, as will be explained in more detail below, a monitoring system 10 of an embodiment comprises an interface 11 for communication with a communication network of an electric power utility automation system. Using the interface, data messages transmitted over the communication network are received and monitored. The monitoring system 10 comprises a monitoring device 12 that processes the monitored data messages. The monitoring device 12 can evaluate at least the data content of some of the monitored data messages, to determine whether the electric power system and its electric power utility automation system behave according to a system model 13 of the electric power utility automation system. The data content of the monitored data messages, which is analyzed by the electronic device 12 of the monitoring system 10, can include process parameters of the electric power system. The processing device 12 may comprise a processor, may comprise a plurality of processors communicating with each other, or may include special circuits. For illustration, processing device 12 may include a Field Programmable Gate Array (FPGA) or a plurality of FPGAs communicating with each other. The processing device 12 can include one or a plurality of digital signal processors (DSPs). System model 13 can be stored in a storage device of the monitoring system 10. System model 13 can be a system model that includes information on the devices, at least in the electric power utility automation system, on the communication between those devices and on the data structures of those devices. System model 13 can be a system model that additionally includes information on the primary elements of the electric power system. The monitoring system 10 may have additional features, such as input ports for receiving sensor data from the electrical system. Monitoring system 10 can be configured to automatically generate system model 13 based on a configuration file for an electric power utility automation system, for example based on an SCL data file.
[00070] Figure 1 shows, in a diagrammatic and highly simplified way, elements of an exemplary subsystem of an electric power system. The electrical energy in figure 1 flows from left to right, from a power plant 1000, called a “power station”, via high voltage transmission lines 1501, 1502, to a transformer installation 1600, called a “transformer station”. Electricity is produced in generators 1001 and 1002 and transformed to high voltage in output transformers 1201 and 1202. Such output transformers associated with generators are also called unit transformers or generator transformers. Electric power is transmitted from unit transformers 1201, 1202 to a bus 1401, from which it is distributed via high voltage transmission lines 1501, 1502. The high voltage transmission lines 1501, 1502 here are in the form of a double line. In practice, the double line, in most cases, is guided together on a mast system. In the transformer installation 1600, the incoming lines 1501, 1502 are again combined on the bus 1411. The electrical energy on the bus 1411 is transformed to a different voltage level by an output transformer 1211 and supplied to the bus 1412. From bus 1412, the electrical energy is distributed further through lines 1701, 1702. Figure 1 shows the so-called single-line equivalent circuit of the system. However, the electrical power system is conventionally a three-phase system, so the elements shown represent three-phase elements; for example, line 1501, shown as a single line, actually consists of three cables.
[00071] The production, transmission, and distribution of electrical energy therefore take place in the so-called primary elements described above; that is to say, the primary elements carry the primary currents and voltages, which together constitute the primary parameters. The primary elements together are also called the primary system. Parallel to the primary system is the so-called secondary system, which consists of protection and control devices. The elements above a symbolic dividing line 2000 in figure 1 belong to the secondary protection and control system. Transformers 1903, 1911, 1952 and 1961 occupy an intermediate position. They are connected, on the one hand, to the primary system and, on the other hand, to the secondary system, and therefore cannot be unambiguously classified.
[00072] Below the dividing line 2000, several protection devices are shown, for example, a generator protection system (GS) 2001, a transformer differential protection system (TS) 2002, 2012, and a line protection system (LS) 2003, 2011, 2013. For the sake of clarity, only protection devices are shown in figure 1; the control devices would be arranged at the same level. Protection and control devices cannot be connected directly to the high voltage primary elements to acquire information regarding the parameters in the primary system. The transformers, therefore, provide standardized images of the primary parameters, the so-called secondary parameters, for the protection and control devices. The ratios of current transformers, for example 1903, 1911, are such that they supply secondary currents of 1A or 5A when the rated current flows in the primary system. Voltage transformers, for example 1952, 1961, provide a secondary voltage of 100V (in some parts of the world 110V, 115V, 120V) at nominal voltage in the primary system.
[00073] Additional elements of the primary system are also operated via protection and control devices. In particular, when a fault is identified, protective devices can activate circuit breakers, for example, and interrupt the current flow. In figure 1, this is shown, for example, for the two line protection devices 2003, 2011 and their associated circuit breakers 1103, 1111. There may be additional circuit breakers 1104. Circuit breakers 1103, 1111 can interrupt the flow of current through the primary elements. This is also true, in particular, in the event of a fault, for example when a fault current significantly exceeds the normal operating current. Insulation circuit breakers, similarly present in real installations, are not shown.
[00074] Protection devices evaluate currents and voltages and, where appropriate, additional information from the primary and secondary systems, and determine whether a normal operating state is present. In the event of a fault, a part of the installation identified as faulty must be disconnected as quickly as possible by activating the corresponding circuit breakers. Protection devices can be specialized for different tasks. The generator protection system 2001 evaluates the currents and voltages in the generator and can also evaluate many other parameters. The transformer differential protection system 2002, 20021 applies the Kirchhoff nodal rule for currents at output transformer 1201, 1211. The line protection system 2003, 2011, 2013 can examine currents and voltages at the ends of the line and perform impedance measurements, for example. A bus protection system (not shown), which can be used to protect buses 1401, 1411, 1412, can also be provided. Protection devices can be multifunctional, that is, they can incorporate a plurality of protection functions, and also perform control functions (combined protection and control devices).
[00075] More recently, intelligent electronic devices (IEDs) have become increasingly popular. As shown in the transformer installation 1600, IEDs 1981, 1984, 1991, and 1994 can be provided. These IEDs have access to primary parameters and communicate with protection and control devices via network protocols. IEDs 1981, 1984, 1991, and 1994 can be connected as directly as possible to the primary elements. The so-called merging units 1981, 1984 digitize the measured values from the current and voltage sensors 1961, 1964 and make them available to protection devices as sampled values via the network interface. Intelligent control units 1991, 1994 detect the status of the primary elements and operate actuators on the primary elements. IEDs can communicate using a communication network. Communication between IEDs can be done according to a communication protocol. For illustration, the interconnection between the merging units 1981, 1984 and line protection systems (LS) 2011, 2013 can be done via the communication network. Similarly, communication between other IEDs can be done through a communication network.
[00076] The system model 13 of the monitoring system can be generated based on the configuration data for the IEDs of the electricity utility automation system. System model 13 can include data models of the IEDs, for example.
[00077] In the operation of the electric power system, the monitoring system 10 monitors the data messages transmitted by the IEDs. Data messages are digital data, which are generated according to a protocol, such as IEC 61850, but are not limited to this. The monitoring system 10 verifies, based on the system model 13, whether the electricity utility automation system operates as expected according to the system model. If a deviation from the expected behavior defined by system model 13 is detected, a warning signal can be generated by the monitoring system 10.
[00078] Additional or alternative IEDs can be used in the electricity utility automation system, as illustrated in figure 2.
[00079] Figure 2 shows a substation configured as a transformer installation, in which even more conventional interfaces have been replaced. For this purpose, IEDs (1981-1984, 1991-1994) are provided that, on the one hand, have access to primary parameters and, on the other hand, communicate with protection and control devices via network protocols. Figure 2 shows an architecture of the switching system of figure 1. Merging units 1981-1984 digitize the measured values from voltage sensors 1911-1961 and 1964 and make them available to protection devices as sampled values via the network interface. The sensors can be based on any desired physical principle. A standardized protocol between the merging unit and the protection device establishes interoperability. The sampled values, for example, can be sampled values according to the IEC 61850 standard or according to the implementation guideline “Implementation guideline for Digital Interface to Instrument Transformers using IEC 61850-9-2”. Intelligent control units 1991-1994 detect the status of primary elements and operate actuators on the primary elements. Figure 2 shows, by way of example, circuit breaker control devices, in which the detected statuses are circuit breaker adjustment and, for example, instantaneous switching capacity, and the actuators operated are trigger coils and circuit breaker drivers. To transmit detected statuses to protection and control devices or receive commands from protection and control devices, intelligent control units similarly use protocols via network interfaces. Event-triggered telegrams, whose information content is updated and transmitted only when the status and commands change, are suitable for exchanging such information. Such event-triggered telegrams can, for example, be so-called GOOSE messages according to the IEC 61850 standard.
[00080] Although in figure 2 the information is exchanged between merging units 1981-1984 and intelligent control units 1991-1994, on the one hand, and protection and control devices 2011-2013, on the other hand, via point-to-point connections, figure 3 shows an architecture in which information is collected and distributed via an additional network 2211. The network 2211 is also called a “process bus”, while the network 2111 is often called a “station bus”. The distinction between these networks (buses) and the nature of the information exchanged is not always entirely accurate and unambiguous. Thus, event-triggered messages (GOOSE messages) can be used similarly expediently on the station bus, even in an architecture according to figure 1. It is also possible for the process bus and station bus to be combined in one physical network, if the data traffic can be managed. In any event, more meaningful communication relationships are given by the 2211 network, which can be established by point-to-point connections in figure 2. New applications for protection and control functions are therefore possible. For example, the 2021 transformer protection system could examine the voltages on buses 1411 and 1412 via sampled values from the merging units 1981 and 1984, and make transformer 1211 communication dependent on their mutual phasing.
[00081] For the electric power systems and associated automation systems illustrated in figures 2 and 3, the monitoring system 10, again, can monitor the properties of the electric power system. Monitored properties can include data messages transmitted by IEDs. The monitoring system can be applied to the communication network of a power system, as shown in the example in figure 3, where the interface 11 of the monitoring system acts as a communication sensor. The communication sensor is coupled to the process bus 2211 and station bus 2111. The system described here can use communication sensors to observe communication on the station bus and process bus. Additional sensors could monitor electrical signals, such as secondary parameters. The system model 13 of the monitoring system can be generated based on the configuration data for the IEDs of the electricity utility automation system. System model 13, again, may include IED data models, for example. In the operation of the respective substation, the monitoring system 10 monitors data messages transmitted by the IEDs. The monitoring system 10 verifies, based on the system model 13, whether the electricity utility automation system operates as expected according to the system model. If a deviation from the expected behavior defined by system model 13 is detected, a warning signal can be generated by monitoring system 10. Monitoring system 10 can detect whether the current status of the system corresponds to the system model.
[00082] Figure 4 shows a block diagram of a monitoring system 10 of an embodiment. The monitoring system 10 includes an interface 11 for receiving data messages transmitted from one IED to another IED. Interface 11 can be a network interface. The monitoring system 10 comprises a processing device 12, which evaluates the monitored data messages, and optionally other properties of the electricity system. The evaluation of the data messages includes evaluation of the data content of at least some of the monitored data messages. The data content includes process parameters of primary components of the electricity system. Thereby, the processing device 12 can determine whether the electrical power system and the electricity utility automation system behave according to system model 13. If the monitoring system 10 detects a behavior that does not comply with system model 13, an alert signal can be generated.
[00083] The processing device 12 can use the system model 13 to determine whether the data content of two data messages transmitted by different IEDs of the electricity utility automation system conforms to the system model 13. The processing device 12 can relate messages from different IEDs to each other. For illustration, a process parameter of a primary element included in the data message transmitted by a first IED must be included in another data message transmitted by a second IED. In this way, the deterministic behavior of the electric power system and the electricity utility automation system can be used. A wide variety of other implementations can be used, in which monitoring system 10 uses configuration information of the electricity utility automation system to verify whether the monitored properties correspond to normal or abnormal system behavior. In the latter case, a warning signal can be triggered.
[00084] The processing device 12 can evaluate additional information to verify whether the electric power system and the electricity utility automation system behave according to the system model. For illustration, the monitoring system 10 may have one or several input ports 15 for receiving analog signals. These analog power system signals can also be checked against the internal system model defined by system model 13.
[00085] System model 13 can be generated automatically based on configuration information. Configuration information can be received by monitoring the data messages between the IEDs or can be included in at least one data file, which is provided for the monitoring system. Other information can be used to generate system model 13 based on configuration information. In particular, application knowledge, which defines the operation of one or more communication protocols used by IEDs and / or the capabilities of different IEDs, can be combined with configuration information to generate system model 13. Application knowledge can be stored in a database to be used in the generation of the system model 13.
[00086] Figure 5 illustrates the generation of the system model. The monitoring system uses configuration information 16 and can combine configuration information 16 with application knowledge 17 to generate system model 13. The monitoring system can receive configuration information 16 in any of a variety of ways. For illustration, the configuration data file of the electricity utility automation system can be provided to the monitoring system as configuration information 16. Additionally or alternatively, the monitoring system can monitor data messages transmitted by IEDs during the configuration phase or during operation, to acquire configuration information 16. Application knowledge 17 may include information regarding the communication protocols used by the IEDs. Application knowledge 17 can also include information regarding device functionality and capabilities for each IED of the plurality of IEDs. This information can be stored in application knowledge 17, depending on the vendor or device identifier, for example.
[00087] System model 13 can be generated including information 131 with respect to the logical interconnection between IEDs. That is, the system model may include information 131 with respect to the topology of the electricity utility automation system. The system model can additionally include information regarding the network switches used in the communication network. This allows the monitoring system to determine which data messages are expected at certain locations in the communication network for valid behavior of the utility automation system. System model 13 may include information 132 with respect to the functionality and capacity of at least the IEDs in the electricity utility automation system. The system model may include information 133 with respect to the data messages transmitted by the IEDs.
[00088] The system model 13 can have a format that defines a set of restrictions, which is imposed on the valid behavior of the electricity utility automation system by the configuration information and/or application knowledge. The set of restrictions may include restrictions on the data messages expected in certain locations of the communication network for a given topology of the electricity utility automation system. For illustration, a data message from the first IED to the second IED, monitored at a certain location in the communication network, represents valid behavior only if the topology defines that the first IED communicates with the second IED, and that the data message passes the location where the data message is monitored. For further illustration, a data message sent to an IED can represent valid behavior only if the IED is required to take action according to its capabilities and functions. Such checks can be formulated as a set of restrictions. Using the set of restrictions to define the system model, the process for verifying that the monitored data messages correspond to valid behavior can be carried out efficiently.
[00089] For a data message to be identified as representing valid system behavior, the data message can be analyzed based on a plurality of restrictions. For illustration, a data message can be analyzed to determine whether it meets a restriction with respect to the system topology (for example, that the data message is expected at the location where it was monitored), whether it meets another restriction regarding IED functionality (for example, that the receiving IED can actually perform the function requested by the data message), and whether it meets yet another restriction regarding the structure of the data messages (for example, that the data content is in accordance with the communication protocol). The data content of the data message can be used to determine whether the data message meets the restriction on IED functionality and the restriction on the structure of data messages. More than three restrictions can be used to analyze the data message.
[00090] System model 13 can be generated in order to define a set of restrictions, which is used to verify that the monitored data message conforms to the restrictions.
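The restriction set described in paragraphs [00088] to [00090] can be sketched as follows. This is an added example, not code from the patent: the model contents, the IED labels (built from the reference numerals of the figures), the service names and the value ranges are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Message:
    src: str        # transmitting IED (from the message header)
    dst: str        # receiving IED (from the message header)
    seen_at: str    # location of the communication sensor that captured it
    service: str    # function the message asks the receiver to perform or consume
    content: dict   # decoded data content


# Constructed system model (assumption); a real one would be derived from
# configuration information and application knowledge.
MODEL = {
    # topology: which IED talks to which, and where that traffic passes
    "flows": {
        ("MU1981", "LS2011"): {"process_bus"},
        ("LS2011", "ICU1991"): {"process_bus"},
        ("LS2011", "HMI"): {"station_bus"},
    },
    # functionality: what each receiving IED is able to act on
    "capabilities": {
        "LS2011": {"sampled_values"},
        "ICU1991": {"trip", "close"},
        "HMI": {"status"},
    },
    # structure: field name -> (type, lowest valid value, highest valid value)
    "structure": {
        "sampled_values": {"current_a": (float, 0.0, 5000.0),
                           "voltage_v": (float, 0.0, 500000.0)},
        "trip": {"breaker": (str, None, None)},
        "close": {"breaker": (str, None, None)},
        "status": {"breaker": (str, None, None), "position": (str, None, None)},
    },
}

Constraint = Callable[[Message], Optional[str]]


def build_constraints(model: dict) -> list[Constraint]:
    """Turn the system model into independent checks; each returns a
    violation text, or None when the message satisfies the restriction."""
    flows, caps, structure = model["flows"], model["capabilities"], model["structure"]

    def topology(msg: Message) -> Optional[str]:
        locations = flows.get((msg.src, msg.dst))
        if locations is None:
            return f"topology: {msg.src} is not configured to send to {msg.dst}"
        if msg.seen_at not in locations:
            return f"topology: {msg.src}->{msg.dst} is not expected at {msg.seen_at}"
        return None

    def functionality(msg: Message) -> Optional[str]:
        if msg.service not in caps.get(msg.dst, set()):
            return f"functionality: {msg.dst} cannot perform '{msg.service}'"
        return None

    def message_structure(msg: Message) -> Optional[str]:
        schema = structure.get(msg.service)
        if schema is None:
            return f"structure: unknown service '{msg.service}'"
        if set(msg.content) != set(schema):
            return f"structure: fields {sorted(msg.content)} do not match {sorted(schema)}"
        for name, (typ, low, high) in schema.items():
            value = msg.content[name]
            if not isinstance(value, typ):
                return f"structure: {name} has type {type(value).__name__}"
            if low is not None and not (low <= value <= high):
                return f"structure: {name}={value} outside [{low}, {high}]"
        return None

    return [topology, functionality, message_structure]


def evaluate(msg: Message, constraints: list[Constraint]) -> list[str]:
    """Valid behavior means an empty list; anything else warrants a warning signal."""
    return [v for v in (check(msg) for check in constraints) if v is not None]


CONSTRAINTS = build_constraints(MODEL)
```

Because every restriction is evaluated independently, a single message can violate several at once, and the violation texts show which part of the model it contradicts.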
[00091] Although a monitoring system 10 implemented as a single device is illustrated in Figure 4, the operation of monitoring system 10 can also be implemented in a distributed system comprising a plurality of physically separate devices. The plurality of devices can be installed at various locations in the electricity utility automation system, helping to monitor different views of network traffic. The distributed devices of the monitoring system can be synchronized with each other, and, ideally, also with the electrical power system or substation. The distributed devices of the monitoring system can communicate via the communication network of the monitoring system. The distributed devices of the monitoring system can be synchronized with each other and with the electricity utility automation system by any suitable protocol, such as IEEE 1588, pulse per second techniques or IRIG-B. A clock device, for providing a clock signal, can be substantially a clock device for example. Failure analysis is facilitated using such synchronization. In addition, a time ordering used to identify the behavior of the line system is achieved.
[00092] Process bus and station bus networks do not need to have physical bus topologies; they often have physical star topologies, built using network switches. In this case, communication sensors of the monitoring system can be applied using an Ethernet Test Access Port (TAP) or by configuring the network switches of the automation system to send a copy of all network traffic to a mirror port. The monitoring system interface 11 can be connected to the mirror port.
[00093] Figure 6 illustrates such a configuration. The TAP or switch 23 is provided on the network lines 21, 22. The network lines 21, 22 can be process bus lines or station bus lines. The TAP or switch 23 sends a copy of all the network traffic to the communication sensor 24, which is a mirror port of the network traffic. Communication sensor 24 can be interface 11 or can be connected to interface 11 of monitoring system 10.
[00094] Other embodiments can directly implement network switch or TAP functionality in a device, to allow observing network traffic without a separate TAP. That is, the operation of the monitoring system 10 can be integrated into a network switch of the process bus or station bus. Several such network switches or TAP devices having integrated functions to monitor the operation of the electricity utility automation system can be used. These devices can be synchronized with each other.
[00095] Since not all network traffic can be accessed from one location, different physical devices in the monitoring system or its sensors can also be applied multiple times in an electrical power system. The activated devices can then cooperate to form a distributed monitoring system.
[00096] Figure 7 is a flow chart of a method of an embodiment. The method can be carried out automatically using a monitoring system of an embodiment. Method 30 can be performed to detect critical events during the operation of an electrical power system and its utility automation system.
[00097] In step 31, a system model for at least the electricity utility automation system is generated. The system model can be based on configuration information for a plurality of electrical utility automation system IEDs. The system model, additionally, can also define primary elements of the electricity system. The system model can be a system model that describes the behavior of the electricity utility automation system.
[00098] The monitoring system can generate the system model automatically, based on a configuration file of the electricity utility automation system. Step 31, which automatically creates the system model of the electricity utility automation system, can combine information from different data sources, such as, but not limited to: configuration data of the electricity system and its automation system components (such as SCL files, as defined in IEC 61850-6); passive observation of network communication, such as communication between automation system devices and/or communication between network equipment (e.g., Rapid Spanning Tree Protocol); active communication with devices (for example IEDs or network equipment); configuration data of network switches (if accessible, for example MAC tables); or user inputs.
[00099] In some implementations, step 31, which automatically creates the system model of the electricity utility automation system, can start with SCL files or other configuration files to determine the internal data model of the IEDs. This can be used to deduce the device's type and vendor information, and therefore its capabilities. A lookup table can be used to deduce the device type or other similar information, based on the configuration file. The monitoring system can also determine which devices communicate with each other and which messages are to be expected at certain locations in the SAS. Once an IED's function and purpose are known, its criticality can also be deduced, allowing the generation of Access Control Lists (ACLs) for the data model of the device.
[000100] The information can be combined with passive network monitoring to match the current traffic to the IEDs from the configuration file and to fill in information gaps (e.g., the location of a device on the network, addressing information). During the configuration phase of the SAS network, the information generated from the configuration file can be compared with the current traffic, to release the network or perform field or site acceptance tests. User input can define additional configuration of the electric power network or electricity utility automation system (not included in the configuration file). For illustration, communication partners not mentioned in the configuration file, such as human-machine interface stations, can be identified, and specifications for these devices can be created by dedicated user input.
[000101] The generation of the system model in step 31 can also be performed differently. For illustration, passive network monitoring during the configuration phase can be used to generate the system model without requiring configuration files.
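The model generation of step 31 (paragraphs [00098] to [000101]) can be illustrated for the SCL case as follows. This is an added example, not code from the patent: the SCL document is constructed and heavily reduced, the IED names, vendors and the role lookup table are assumptions, and only GOOSE control blocks are resolved.

```python
import xml.etree.ElementTree as ET

NS = {"s": "http://www.iec.ch/61850/2003/SCL"}

# Constructed, heavily reduced SCL document (not a complete, schema-valid file).
SCL_TEXT = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
 <Communication><SubNetwork name="ProcessBus">
  <ConnectedAP iedName="ICU1991" apName="AP1"><GSE ldInst="LD0" cbName="gcbPos"><Address>
   <P type="MAC-Address">01-0C-CD-01-00-01</P><P type="APPID">0001</P></Address></GSE></ConnectedAP>
  <ConnectedAP iedName="LS2011" apName="AP1"><GSE ldInst="LD0" cbName="gcbTrip"><Address>
   <P type="MAC-Address">01-0C-CD-01-00-02</P><P type="APPID">0002</P></Address></GSE></ConnectedAP>
 </SubNetwork></Communication>
 <IED name="ICU1991" manufacturer="VendorA" type="BreakerController">
  <AccessPoint name="AP1"><Server><LDevice inst="LD0"><LN0 lnClass="LLN0" inst="" lnType="x">
   <DataSet name="dsPos"><FCDA ldInst="LD0" lnClass="XCBR" lnInst="1" doName="Pos" fc="ST"/></DataSet>
   <GSEControl name="gcbPos" datSet="dsPos" appID="ICU1991/pos"/>
   <Inputs><ExtRef iedName="LS2011" ldInst="LD0" lnClass="PTRC" lnInst="1" doName="Tr"/></Inputs>
  </LN0></LDevice></Server></AccessPoint></IED>
 <IED name="LS2011" manufacturer="VendorB" type="LineProtection">
  <AccessPoint name="AP1"><Server><LDevice inst="LD0"><LN0 lnClass="LLN0" inst="" lnType="x">
   <DataSet name="dsTrip"><FCDA ldInst="LD0" lnClass="PTRC" lnInst="1" doName="Tr" fc="ST"/></DataSet>
   <GSEControl name="gcbTrip" datSet="dsTrip" appID="LS2011/trip"/>
   <Inputs><ExtRef iedName="ICU1991" ldInst="LD0" lnClass="XCBR" lnInst="1" doName="Pos"/>
    <ExtRef iedName="MU1981" ldInst="LD0" lnClass="TCTR" lnInst="1" doName="Amp"/></Inputs>
  </LN0></LDevice></Server></AccessPoint></IED>
</SCL>"""

# Constructed lookup table (assumption): (vendor, device type) -> role of the IED.
DEVICE_ROLES = {
    ("VendorA", "BreakerController"): "intelligent control unit",
    ("VendorB", "LineProtection"): "line protection",
}


def _ref(elem):
    """Identity of one referenced data object (used by FCDA and ExtRef alike)."""
    return tuple(elem.get(a) for a in ("ldInst", "lnClass", "lnInst", "doName"))


def build_system_model(scl_text, device_roles):
    root = ET.fromstring(scl_text)

    # 1. Addressing of every published GOOSE control block.
    addressing = {}
    for subnet in root.findall("s:Communication/s:SubNetwork", NS):
        for ap in subnet.findall("s:ConnectedAP", NS):
            for gse in ap.findall("s:GSE", NS):
                p = {e.get("type"): (e.text or "").strip()
                     for e in gse.findall("s:Address/s:P", NS)}
                addressing[(ap.get("iedName"), gse.get("cbName"))] = {
                    "subnet": subnet.get("name"),
                    "mac": p.get("MAC-Address"), "appid": p.get("APPID")}

    # 2. Devices, what each one publishes, and what each one expects to receive.
    devices, flows, inputs = {}, {}, []
    for ied in root.findall("s:IED", NS):
        name = ied.get("name")
        devices[name] = device_roles.get((ied.get("manufacturer"), ied.get("type")), "unknown")
        for ln0 in ied.findall(".//s:LN0", NS):
            datasets = {d.get("name"): {_ref(f) for f in d.findall("s:FCDA", NS)}
                        for d in ln0.findall("s:DataSet", NS)}
            for gcb in ln0.findall("s:GSEControl", NS):
                flows[(name, gcb.get("name"))] = {
                    **addressing.get((name, gcb.get("name")), {}),
                    "members": datasets.get(gcb.get("datSet"), set()),
                    "subscribers": set()}
            for ext in ln0.findall("s:Inputs/s:ExtRef", NS):
                inputs.append((name, ext.get("iedName"), _ref(ext)))

    # 3. Resolve each input to the control block that carries it; inputs with
    #    no publisher in the file are gaps to fill from traffic or user input.
    unresolved = []
    for subscriber, publisher, ref in inputs:
        matches = [f for (ied, _cb), f in flows.items()
                   if ied == publisher and ref in f["members"]]
        for flow in matches:
            flow["subscribers"].add(subscriber)
        if not matches:
            unresolved.append((subscriber, publisher))
    return {"devices": devices, "flows": flows, "unresolved": unresolved}


MODEL = build_system_model(SCL_TEXT, DEVICE_ROLES)
```

The `unresolved` entry lists inputs that the configuration file references but no described IED publishes, which is where passive monitoring or user input has to complete the model.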
[000102] In 32, data messages transmitted by IEDs in the communication network are recovered. For a communication network with a star topology, this can be done using any of the techniques described with reference to figure 6.
[000103] At 33, the data content of the data messages is determined. The content of transmitting and receiving. The data content can include a process parameter for a primary element of the electricity system.
[000104] In 34, it is determined whether the data content corresponds to the system model. If the data content matches the system model, the behavior of the system is determined to be normal. The method passes to monitoring in step 32. Otherwise, a warning signal is generated in step 35. The method then goes back to step 32 to proceed with the monitoring.
[000105] Additional information can be evaluated with the monitoring method of figure 7. For illustration, analog values received by the monitoring system through the analog input ports can also be evaluated to determine if they are in accordance with the expected behavior, according to the specification of the system.
[000106] Monitoring systems and monitoring methods of embodiments can analyze the content of transferred messages and relate messages from different sources.
[000107] Figure 8 illustrates data messages 41, 44, 47 monitored by the monitoring system of an embodiment. Data messages 41, 47 are transmitted by an IED of the automation system. The data message 44 is transmitted by another IED. Data message 41 includes header data 42, which may include an identifier for the transmitting and receiving IEDs. Data message 41 additionally includes data content 43. Similarly, data message 44 includes header data 45, which can include an identifier for the transmitting and receiving IEDs. Data message 44 additionally includes data content 46. Data message 47 includes header data 48, which can include an identifier for the transmitting and receiving IEDs. The data message 47 additionally includes data content 49.
[000108] The data content 43, 46, 49 of the data messages relates to process parameters of the electricity system. For illustration, the data content of some data messages may include digitally transferred measurement values, for example, voltages, signal waveforms, binary signals, or trigger events.
[000109] Monitoring systems and methods of any embodiment can use the data content 43 of a data message 41 transmitted by an IED to determine whether the data content 46 of the data message 44 transmitted by another IED corresponds to valid system behavior. The system model is used to relate the data contents 43, 46 of the data messages 41, 44 transmitted by different IEDs to each other. Similarly, data content 46 of data message 44 can be used to determine whether data content 49 of data message 47 corresponds to valid system behavior.
[000110] Monitoring systems and methods of embodiments can use not only the data content but additionally the timing of the data transmissions to check whether the system's behavior is normal, that is, that no critical event has occurred. For illustration, the rate at which an IED transmits data messages may depend on the value of a process parameter. The transmission rates for various process parameter values or ranges of process parameter values can be included in the configuration data for the respective IED, which is used to generate the system model. This allows monitoring systems and methods to also identify critical events based on the timing of transmitted data messages, when timing is assessed based on the system model and the data content of a data message transmitted by an IED.
[000111] Reverting to figure 8, a time interval 50 or transmission rate at which an IED transmits data messages 41, 47 can vary, depending on a process parameter of the electric power system. The monitoring system can determine the value of the process parameter based on the data content of a data message transmitted by one of the IEDs. The monitoring system can use the system model to determine at what time intervals 50 the data messages are to be transmitted for that process parameter value. The monitoring system can verify that data messages 41, 47 are transmitted at the expected timing. Based on this, it can be determined whether the system is in its normal operating state.
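The two checks of paragraphs [000109] to [000111], relating the data content of messages from different IEDs and verifying the transmission interval against the reported process parameter, can be sketched as follows. This is an added example, not code from the patent: the rate table, the relation, the tolerances, the IED labels and the captured messages are all constructed assumptions.

```python
# Constructed excerpt of a system model (assumption).
# IED -> (process parameter, [(low, high, expected interval in seconds)])
RATE_TABLE = {
    "MU1981": ("current_a", [(0.0, 1000.0, 1.0), (1000.0, 5000.0, 0.1)]),
}
# (IED A, field, IED B, field, relative tolerance, maximum age of A's value in s):
# the value B reports must agree with the value A reported shortly before.
RELATIONS = [("MU1981", "current_a", "LS2011", "current_a", 0.02, 0.5)]

# Constructed capture: (timestamp in s, transmitting IED, decoded data content).
MESSAGES = [
    (0.00, "MU1981", {"current_a": 800.0}),
    (1.00, "MU1981", {"current_a": 810.0}),
    (1.05, "LS2011", {"current_a": 810.0}),
    (2.00, "MU1981", {"current_a": 1500.0}),   # high current: faster rate expected
    (2.10, "MU1981", {"current_a": 1520.0}),
    (2.60, "MU1981", {"current_a": 1510.0}),   # arrives 0.5 s later instead of 0.1 s
    (2.65, "LS2011", {"current_a": 900.0}),    # contradicts the value from MU1981
]


def expected_interval(ied, content, rate_table):
    """Interval the model prescribes after a message carrying this content."""
    field, ranges = rate_table[ied]
    value = content[field]
    for low, high, interval in ranges:
        if low <= value < high:
            return interval
    return None  # value outside every configured range


def check_timing(messages, rate_table, tolerance=0.2):
    """Compare each gap between consecutive messages of an IED with the
    interval the model prescribes for the previously reported value."""
    alerts, last = [], {}
    for t, ied, content in sorted(messages, key=lambda m: m[0]):
        if ied not in rate_table:
            continue
        if ied in last:
            prev_t, prev_content = last[ied]
            expected = expected_interval(ied, prev_content, rate_table)
            if expected is None:
                alerts.append((t, ied, "process parameter outside configured ranges"))
            elif abs((t - prev_t) - expected) > tolerance * expected:
                alerts.append((t, ied, f"interval {t - prev_t:.3f}s, expected {expected}s"))
        last[ied] = (t, content)
    return alerts


def check_consistency(messages, relations):
    """Relate data content of messages from different IEDs to each other."""
    alerts = []
    ordered = sorted(messages, key=lambda m: m[0])
    for src_a, field_a, src_b, field_b, rel_tol, max_age in relations:
        latest_a = None
        for t, ied, content in ordered:
            if ied == src_a and field_a in content:
                latest_a = (t, content[field_a])
            elif ied == src_b and field_b in content and latest_a is not None:
                t_a, value_a = latest_a
                if t - t_a > max_age:
                    continue  # no sufficiently fresh reference value to compare with
                if abs(content[field_b] - value_a) > rel_tol * max(abs(value_a), 1.0):
                    alerts.append((t, src_b,
                                   f"{field_b}={content[field_b]} contradicts "
                                   f"{src_a} {field_a}={value_a}"))
    return alerts
```

Each alert carries the timestamp and transmitting IED of the offending message, so it can be correlated with alerts from other sensors of a distributed monitoring system.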
[000112] Systems and methods of embodiments can use "blacklist"-type solutions to detect critical events, in addition to the verification of normal system behavior based on the system model of the electricity utility automation system. This can be beneficial, in particular, when the substation automation system also uses classic IT protocols and technologies. These often exhibit non-deterministic behavior, which cannot be specified in sufficient detail. Monitoring systems and methods of embodiments, therefore, can additionally use traditional "blacklist"-based intrusion detection methods to detect security attacks targeting classic IT technologies.
[000113] Figure 9 outlines a logical structure for such a monitoring system, and figure 10 is a flow chart of a method performed by such monitoring system.
[000114] Figure 9 shows a block diagram of a monitoring system 60 of an embodiment. The monitoring system 60 generally operates on the basis of a system model 62 of the electricity utility automation system and on the basis of signatures 64 of critical events. Intrusions are an example of critical events whose signatures 64 can be stored. Signatures 64 can form a “blacklist”, so that a critical event is detected and an alert signal is issued when one of the signatures 64 is observed in the electricity utility automation system.
[000115] The monitoring system 60 has a data collection component 61. The data collection component 61 can receive data messages transmitted by the IEDs. These data messages can be retrieved using the communication sensor 67 installed or coupled to the communication network 69 of the automation system. The data collection component 61 can also collect analog signals received at the analog input ports of the monitoring system.
[000116] The monitoring system 60 has a system model comparison component 63, which compares the monitored properties of the electricity system with the expected behavior according to system model 62. If it is detected that the electric power system does not exhibit the expected behavior according to system model 62, an alert generation component 66 generates an alert. The system model comparison component 63 can operate in the manner described with reference to any of the embodiments here.
[000117] The monitoring system 60 has a signature detection component 63 that compares signatures, for example the content in one or more data messages with the stored signatures 64. If a match is detected, the alert generation component 66 issues an alert.
[000118] Signatures 64 can be provided for the monitoring system from an external network. Signatures 64 can include intrusion signatures for IT protocols that are used in the IT components of the electricity utility automation system. Such signatures can be independent of the system model 62.
[000119] In another implementation, signatures 64 may include signatures of critical events that are generated based on system model 62. In this case, the monitoring system can generate signatures 64 automatically, based on configuration information for IEDs of the automation system, for example.
[000120] Figure 10 is a flow chart of a method 70 of a modality. Method 70 can be performed by a monitoring system that also uses critical event signatures, such as the monitoring system 60 in figure 9.
[000121] In step 71, a packet is captured. The packet can be a data message transmitted by an automation system IED. At 72, the packet is decoded. Packet decoding may include retrieving the data content from the data messages. Decoding can include reading a digitally transmitted process parameter from the data message.
[000122] In step 73, it is determined whether the monitored data message corresponds to the system model. This can be implemented with reference to any of the configurations in figures 1 to 8. If the monitored data message matches the system model, the method can revert to step 71. Otherwise, a warning signal is generated in step 75.
[000123] In step 74, it is determined whether the monitored data message corresponds to one of the signatures of critical events. These signatures can include hacking signatures. If a match occurs, an alert signal is generated at step 75. Otherwise, the method can revert to step 71.
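The Figure 10 flow, with the checks of steps 73 and 74 both applied to each decoded message, as an added example that is not part of the patent text. The model check predicts, from the breaker state reported by one IED, the current a second IED may report. The IED names, the configuration layout, the breaker/current relation and the signature pattern are constructed assumptions, and capture and decoding (steps 71 and 72) are taken as already done.

```python
# Constructed configuration information, standing in for what an SCL file provides.
CONFIG = {
    "publishes": {"IED_A": {"breaker_closed"}, "IED_B": {"line_current_a"}},
    # Topology: the breaker reported by IED_A feeds the line measured by IED_B.
    "links": [{"breaker_ied": "IED_A", "meter_ied": "IED_B",
               "rated_a": 400.0, "open_tolerance_a": 1.0}],
}
# Constructed blacklist entries (signatures 64); the byte pattern is a placeholder.
SIGNATURES = {"constructed-sig-1": b"BLACKLISTED-PATTERN"}


class Monitor:
    def __init__(self, config, signatures):
        self.publishes = config["publishes"]
        self.links = config["links"]
        self.signatures = signatures
        self.breaker_closed = {}  # last breaker state reported, per IED

    def predicted_current_range(self, meter_ied):
        """Predict the valid current range for meter_ied from the breaker state
        last reported by the linked IED; None if nothing can be predicted yet."""
        for link in self.links:
            closed = self.breaker_closed.get(link["breaker_ied"])
            if link["meter_ied"] == meter_ied and closed is not None:
                return (0.0, link["rated_a"] if closed else link["open_tolerance_a"])
        return None

    def check_model(self, msg):
        """Step 73: return a reason string if msg departs from the system model."""
        allowed = self.publishes.get(msg["src"])
        if allowed is None:
            return f"unknown sender {msg['src']}"
        if msg["param"] not in allowed:
            return f"{msg['src']} is not configured to send {msg['param']}"
        if msg["param"] == "breaker_closed":
            self.breaker_closed[msg["src"]] = bool(msg["value"])
        elif msg["param"] == "line_current_a":
            rng = self.predicted_current_range(msg["src"])
            if rng and not (rng[0] <= msg["value"] <= rng[1]):
                return f"current {msg['value']} A outside predicted range {rng}"
        return None

    def check_signatures(self, msg):
        """Step 74: return the name of the first signature found in the payload."""
        raw = msg.get("raw", b"")
        return next((n for n, p in self.signatures.items() if p in raw), None)

    def process(self, msg):
        """Steps 73-75 for one decoded message; returns the alerts it raises."""
        reason, sig = self.check_model(msg), self.check_signatures(msg)
        return ([("model", reason)] if reason else []) + \
               ([("signature", sig)] if sig else [])


def run(messages):
    """Feed decoded messages through one Monitor; one alert list per message."""
    monitor = Monitor(CONFIG, SIGNATURES)
    return [monitor.process(m) for m in messages]


# Constructed, already-decoded traffic (steps 71-72 are assumed done).
SAMPLE = [
    {"src": "IED_A", "param": "breaker_closed", "value": True, "raw": b""},
    {"src": "IED_B", "param": "line_current_a", "value": 120.0, "raw": b""},
    {"src": "IED_A", "param": "breaker_closed", "value": False, "raw": b""},
    {"src": "IED_B", "param": "line_current_a", "value": 118.5, "raw": b""},  # breaker open
    {"src": "IED_X", "param": "line_current_a", "value": 0.0, "raw": b""},
    {"src": "IED_B", "param": "line_current_a", "value": 0.2, "raw": b"..BLACKLISTED-PATTERN.."},
]

if __name__ == "__main__":
    for msg, alerts in zip(SAMPLE, run(SAMPLE)):
        print(msg["src"], msg["param"], msg["value"], "->", alerts or "ok")
```

The fourth message is individually well-formed and comes from a configured sender; it is flagged only because it contradicts the breaker state reported earlier by the other IED.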
[000124] Modality monitoring systems can have any one of a variety of configurations. For illustration, the monitoring system can be integrated with another device, such as a circuit breaker in the communication network. Additionally or alternatively, the monitoring system can be a distributed monitoring system that has a plurality of devices distributed throughout the communication network. For illustration rather than limitation, some configurations will be explained with reference to figures 11 to 13. In each of these configurations, the monitoring system can operate as described above, checking whether the data content of the data messages represents valid system behavior as defined by a system model.
[000125] Figures 11 to 13 respectively show an electric power utility automation system with a plurality of IEDs 82-85. IEDs 82-85 communicate with each other through a communication network. The communication network can be a switched communication network. The communication network can have a star topology. A circuit breaker or several breakers can be used in the communication network. A clock generator 86 can be used to generate synchronization signals to synchronize IEDs 82-85. In addition, clock generator 86 can also be used to synchronize monitoring system 10 with IEDs 82-85.
[000126] Figure 11 shows an electric power utility automation system 80 according to a modality. In the electricity utility automation system 80, monitoring system 10 is integrated with circuit breaker 81. If the communication network has several circuit breakers, monitoring system 10 can be integrated with one of the circuit breakers or be distributed among several circuit breakers.
[000127] Figure 12 shows an automation system for electricity utility 90 according to another modality. In the electricity utility automation system 90, the monitoring system includes a plurality of monitoring devices 92-95 installed in different locations. For illustration, a first monitoring device 92 can be a first TAP installed between IED 82 and circuit breaker 91. A second monitoring device 93 can be a second TAP installed between another IED 83 and circuit breaker 91. In the implementation of figure 12, each of the monitoring devices 92-95 can include the entire system model 13. Each of the monitoring devices 92-95, then, can have full knowledge of valid system behavior. Each of the monitoring devices 92-95 can determine whether the data messages received on the respective TAP are in accordance with the system model. The monitoring devices 92-95 can communicate with each other through the communication network. For illustration, if a first of the monitoring devices 92-95 uses the data content of a data message received on a second of the monitoring devices 92-95 to verify that the electrical utility automation system 90 has a valid behavior, the second of the monitoring devices can notify the first of the monitoring devices of this data content.
[000128] Figure 13 shows an electric power utility automation system 100 according to another modality. In the electricity utility automation system 100, the monitoring system includes a plurality of TAPs 102-104 installed in different locations and operative to receive data messages. For illustration, a first TAP 102 can be installed between IED 82 and circuit breaker 101. A second TAP 103 can be installed between another IED 83 and circuit breaker 101. TAPs 102-104 can respectively route received data messages to a monitoring device 105, which includes the system model and evaluates the data messages received on at least one of the TAPs 102-104. The TAPs 102-104 serve as communication sensors for the monitoring device 105. The monitoring device 105 can be integrated with another TAP 05 or, instead, be a separate device. In the implementation of figure 13, not all devices 102-105 need to store the entire system model 13. For illustration, only the monitoring device 105 or only some of the monitoring devices can be fully aware of valid system behavior. Monitoring devices 105 store the system model to verify that the utility automation system 100 shows valid behavior.
[000129] Various other configurations could be used. For illustration, the monitoring system may have more than one monitoring device to store the system model.
[000130] While monitoring systems and methods according to the modalities have been described with reference to the drawings, modifications can be implemented in other modalities. For illustration, while some modalities have been described in the context of invasion detection, modality methods and systems can also be used to detect component errors, operating errors, or other critical events in electrical power systems.
Claims:
Claims (11)
[0001]
1. Method for monitoring operation of an electric power system (1000, 1600) having an electric utility automation system (1981-1984, 1991-1994), the electric utility automation system (1981-1984, 1991-1994) comprising a plurality of intelligent electronic devices (IEDs) communicating via a communication network, the method comprising the following steps performed by a monitoring system (10; 92-95; 102-105) that uses configuration information (16) which specifies properties of the plurality of IEDs (1981-1984; 82-85), and also includes information on the components of the electricity system (1000, 1600) and their interconnections: to monitor, during operation of the electricity system (1000, 1600), properties of the electrical power system (1000, 1600), the monitored properties comprising monitored data messages (41, 44, 47) that are transmitted by the plurality of IEDs (1981-1984; 82-85) through the communication network; and to evaluate the monitored data messages (41, 44, 47) based on the configuration information (16) to detect a critical event during operation of the electricity system (1000, 1600), and the evaluation comprises analyzing data content (43, 46, 49) of at least a portion of the monitored data messages (41, 44, 47) which includes a process parameter of a primary element of the electricity system (1000, 1600) to determine, based on the configuration information (16), whether the data content (43, 46, 49) corresponds to a valid behavior of both the electric power system (1000, 1600) and the electric utility automation system (1981-1984, 1991-1994); and the monitoring system (10; 92-95; 102-105) generates a system model (13) for the electric power system (1000, 1600) and its electric utility automation system (1981-1984, 1991-1994) based on configuration information (16); and the evaluation step comprises predicting expected data messages among the plurality of IEDs (1981-1984; 82-85), based on the system model (13), and comparing the monitored data messages (41, 44, 47) with the predicted expected data messages (41, 44, 47), characterized by the fact that the prediction step comprises the use of the system model and the process parameter of the primary element included in the data message transmitted by a first IED to predict which value for another process parameter must be included in another data message transmitted by a second IED; and the method also includes the generation of an alert signal in response to the detection of the critical event.
[0002]
2. Method according to claim 1, characterized by the fact that the evaluation comprises determining whether the plurality of IEDs (1981-1984; 82-85) behaves as specified by the configuration information (16); the critical event being detected if the plurality of IEDs (1981-1984; 82-85) does not behave as specified by the configuration information (16).
[0003]
3. Method according to any one of the preceding claims, characterized by the fact that the monitoring system (10; 92-95; 102-105) has an Ethernet Test Access Port (TAP) (23; 92-95; 102-105) to monitor the data messages (41, 44, 47).
[0004]
4. Method according to any of the preceding claims, characterized by the fact that the monitoring system (10; 92-95; 102-105) uses a circuit breaker (81, 91) from the communication network to monitor data messages (41, 44, 47).
[0005]
5. Method according to any of the previous claims, characterized by the fact that it additionally comprises, receiving, by the monitoring system (10; 92-95; 102-105), at least one configuration data file, in particular one SCL file, of the electric power system (1000, 1600) and its automation system of electric power utility (1981-1984, 1991-1994).
[0006]
6. Method according to any one of the preceding claims, characterized by the fact that the monitored properties additionally comprise analog signals from the electric power system (1000, 1600); and the evaluation comprises evaluating both monitored data messages (41, 44, 47) and analog signals based on the configuration information (16) to detect the critical event.
[0007]
7. Method according to any one of the preceding claims, characterized by the fact that the monitoring system (92-95; 102-105) is a distributed monitoring system (92-95; 102-105) comprising a plurality of devices monitoring devices (92-95; 102-105), the plurality of monitoring devices (92-95; 102-105) being installed in order to be distributed through a communication network, the plurality of monitoring devices (92- 95; 102-105) being synchronized with each other and with the automation system of utility of electric energy (1981-1984, 1991-1994).
[0008]
8. Method according to any of the previous claims, characterized by the fact that it additionally comprises, generating, by the monitoring system (10; 92-95; 102-105), a “black list” that defines the signatures of operating states abnormal, and the monitoring system (10; 92-95; 102-105) generates the “black list” based on the configuration information (16); and compare the monitored properties with the “blacklist” to detect the critical event, so that the monitoring system (10; 92-95; 102-105) uses both, determined valid system behavior, based on configuration information (16), and “black list”, to detect the critical event.
[0009]
9. Method according to any of the preceding claims, characterized by the fact that the method is used to detect a critical event selected from at least one of the following: unauthorized invasion; breach of security policy; hardware failure; timing problem; operator error; and/or configuration error during a configuration phase of the substation or utility automation system (1981-1984, 1991-1994).
[0010]
10. Monitoring system (10; 92-95; 102-105) for an electric power system (1000, 1600), the electric power system (1000, 1600) having an automation system of electric power utility (1981-1984; 1991-1994), the electrical utility automation system (1981-1984; 1991-1994) comprising a plurality of intelligent electronic devices (IEDs) (1981-1984; 82-85) communicating via a communication network, the monitoring system (10, 92-94, 102-105) comprising: an interface (11, 15) to monitor, during operation of the electric power system (1000, 1600), the properties of the electric power system (1000, 1600), the monitored properties comprising monitored data messages (41, 44, 47), which are transmitted by the plurality of IEDs (1981-1984; 82-85) via the communication network; a processing device (12) configured to evaluate monitored data messages (41, 44, 47) based on configuration information (16) to detect a critical event during operation of the electricity system (1000, 1600), the configuration information (16) specifying the properties of the plurality of IEDs (1981-1984; 82-85) and also including information about components of the electric power system (1000, 1600) and their interconnections, where the processing device (12) is configured to analyze the data content (43, 46, 49) of at least some of the monitored data messages (41, 44, 47) which includes a process parameter of a primary element of the electricity system (1000, 1600) to determine, based on the configuration information (16), whether the data content (43, 46, 49) corresponds to a valid behavior of both the electric power system (1000, 1600) and the electric power utility automation system (1981-1984, 1991-1994); and the monitoring system (10; 92-95; 102-105) is configured to generate a system model (13) for the electric power system (1000, 1600) and its electric utility automation system (1981-1984, 1991-1994) based on configuration information (16); and the processing device (12) being configured to evaluate the monitored data messages (41, 44, 47) by predicting expected data messages among the plurality of IEDs (1981-1984; 82-85) based on the system model (13), and comparison of the monitored data messages (41, 44, 47) with the expected data messages (41, 44, 47), characterized by the fact that the processing device (12) is configured to predict the expected data messages using the system model and process parameter of the primary element included in the data message transmitted by a first IED to predict which value for another process parameter should be included in another data message transmitted by a second IED; and the processing device (12) is configured to generate an alert signal in response to the detection of the critical event.
[0011]
11. Monitoring system according to claim 10, characterized by the fact that the monitoring system (10; 92-95; 102-105) is configured to carry out the method, as defined in any of claims 1 to 9.
Patent family:
Publication number | Publication date
ES2655137T3|2018-02-19|
EP2701340A1|2014-02-26|
PL2701340T3|2018-03-30|
EP2701340B1|2017-10-18|
US10338111B2|2019-07-02|
US20140058689A1|2014-02-27|
NO2701340T3|2018-03-17|
CA2816486A1|2014-02-21|
AU2013205761B2|2015-07-09|
CA2816486C|2019-04-30|
CN103633639A|2014-03-12|
AU2013205761A1|2014-03-13|
BR102013015753A2|2014-12-23|
CN103633639B|2016-08-10|
Legal status:
2014-12-23| B03A| Publication of an application: publication of a patent application or of a certificate of addition of invention|
2018-12-04| B06F| Objections, documents and/or translations needed after an examination request according art. 34 industrial property law|
2020-06-30| B07A| Technical examination (opinion): publication of technical examination (opinion)|
2020-11-03| B09A| Decision: intention to grant|
2020-12-29| B16A| Patent or certificate of addition of invention granted|Free format text: TERM OF VALIDITY: 20 (TWENTY) YEARS COUNTED FROM 21/06/2013, SUBJECT TO THE LEGAL CONDITIONS. |
Priority:
Application number | Filing date | Patent title
EP12005971.2A|EP2701340B1|2012-08-21|2012-08-21|Method of monitoring operation of an electric power system and monitoring system|
EP12005971.2|2012-08-21|