METHOD AND SYSTEM FOR DEFINING MALICIOUS ACTIVITY IN AN INTELLIGENT ELECTRIC NETWORK SYSTEM AND COMP

专利摘要:
method and system for defining malicious activity on a smart grid system and computer-readable storage media. the present invention relates to a system for characterizing malicious activity in a smart grid system that includes system storage, in which it stores a database including a plurality of rules. a collector is operable to collect and store information technology (ti) data in the system storage including it related activity of the smart grid system. a complex event processing bus (cep) is operable to receive non-ti data including location-specific data from a plurality of electronic sources, the additional cep bus operable to disregard non-ti data that does not meet a predetermined level of relevance for one of a plurality of risk-related events. a processor is operable to apply the plurality of rules to non-relevant data to: associate an unwanted event with reference to the activity related to you; and determining a likelihood that the unwanted event is indicative of malicious activity. the processor additionally applies a risk characterization to the unwanted event based on the probability and the activity related to it.
公开号:BR112012029417B1
申请号:R112012029417-2
申请日:2011-05-10
公开日:2020-12-15
发明作者:Anthony David Scott
申请人:Accenture Global Services Limited；
IPC主号:

专利说明:

PRIORITY CLAIM
[001] This application claims priority benefit from United States Provisional Patent Application Series No. 61 / 346,787 filed on May 20, 2010, which is incorporated by reference in this document. BACKGROUND 1. Field of the Invention
[002] The present invention in general concerns a system and a method for the detection and identification of undesired events in intelligent grid systems, and more particularly a system and method for the detection and identification of malicious attacks on a smart grid system. 2. Related Technique
[003] The purpose of the attacks on the Internet Protocol (IP) Industrial Control System (ICS), Physical Control System and Supervision and Data Acquisition Control (SCADA) on the Smart Grid is to circumvent the normal functioning of the network through exploitation of one or more deficiencies (for example, intentional Radio Frequency (RF) interference on wireless nodes in the network, derivation of the key, flashing of printed program, anonymous entries of inappropriate entities, adulteration of physical hardware). Many of these risks have well-defined solutions that are addressed by ICS / SCADA security controls, physical security controls or company information technology (IT) controls, operational, or physical security controls. Residual risk is the risk remaining after security controls have been applied. Most systems are never completely safe and the residual risk always remains. When faced with the cyber security challenges of the smart grid, a residual security risk remains that is beyond the typical risks mitigated by SCADA, company information technology (IT), operational, or physical security controls. BRIEF SUMMARY
[004] According to one aspect of the present disclosure, a method of characterizing malicious activity in a smart grid system may include receiving information technology (IT) data including IT related activity from the smart grid system. The method may further include receiving non-IT data including event location specific data from a plurality of electronic sources. Non-IT data, as will be explained in detail later, includes information related to information technology (or data) that is not traditionally used by a power grid as well as historical information, such as dates and addresses or high-target locations. value. The method may also include pre-processing of non-IT data including: disregarding non-IT data that does not meet a relevant level for one of a plurality of risk-related events. The method may also include applying a plurality of rules to pre-processed non-IT data to: associate an unwanted event with reference to IT-related activity; and determining a likelihood that the unwanted event is indicative of malicious activity. The event may have already occurred or may not have occurred yet. The method can also include the application of a risk characterization to the unwanted event based on the probability and the IT-related activity.
[005] According to another aspect of the disclosure, a system to characterize malicious activity in an intelligent electrical network may include system storage in which to store a database including a plurality of rules. A collector may be operable to collect and store information technology (IT) data in the system storage including IT-related activity of the smart grid system. A complex event processing (CEP) bus can be operable to receive non-IT data including location-specific data from a plurality of electronic sources, the additional CEP bus operable to disregard non-IT data that does not meet a predetermined level of relevance for one of a plurality of risk-related events. The method can be operable to apply the plurality of rules to relevant non-IT data to: associate an unwanted event with reference to IT-related activity; and determining a likelihood that the unwanted event is indicative of malicious activity. The processor can also be operable to apply a risk characterization to the unwanted event based on probability and IT-related activity. Risk characterization can include, for example, an engineering risk to which a maintenance team can be dispatched or it can be a security risk to which law enforcement authorities are alerted.
[006] Other systems, methods, characteristics and advantages will be or will become evident to the one with expertise in the technique after examining the figures below and the detailed description. All such systems, methods, features and additional advantages are intended to be included within this description being within the scope and being protected by the claims that follow. BRIEF DESCRIPTION OF THE DRAWINGS
[007] Figure 1 is a block diagram of an example of the global architecture for a power grid.
[008] Figure 2 is a block diagram of a CORE of the Smart Grid Data Company (INDE) DESCRIBED in figure 1.
[009] Figure 3 is a block diagram of another example of the global architecture for a power grid.
[0010] Figure 4 is a block diagram of an INDE SUBSTATION described in figure 1 and figure 3.
[0011] Figure 5 is a block diagram of an INDE DEVICE described in figures 1 and 3.
[0012] Figure 6 is a block diagram of another example of the global architecture for a power grid.
[0013] Figure 7 is a block diagram of another example of the global architecture for a power grid.
[0014] Figure 8 is a block diagram including a list of some examples of observation processes.
[0015] Figure 9 illustrates a flow diagram of Measurement of the Network Status and Operations Processes.
[0016] Figure 10 illustrates a flow diagram of Non-Operational Data Processes.
[0017] Figure 11 illustrates an event management process flow diagram.
[0018] Figure 12 illustrates a flow diagram of the Demand Response Signaling (DR) processes.
[0019] Figure 13 illustrates a flow diagram of Electric Power Interruption Intelligence processes.
[0020] Figure 14 illustrates a flow diagram of Intelligence Failure processes.
[0021] Figure 15 illustrates a flow diagram of Metadata Management processes.
[0022] Figure 16 illustrates a Notification Agent process flow diagram.
[0023] Figure 17 illustrates a flow diagram for the Collection of Meter Data (AMI) processes.
[0024] Figures 18A-D are an example of an entity relationship diagram, which can be used to represent minimal database connectivity.
[0025] Figure 19 illustrates an example of a progress flow chart scheme.
[0026] Figure 20 is a block diagram of an exemplary risk assessment system.
[0027] Figure 21 is a block diagram of an example of an intelligent power grid.
[0028] Figure 22 is an operational flow diagram of an exemplary risk assessment system. DETAILED DESCRIPTION
[0029] As an overview, the preferred embodiments described below refer to a method and system for managing a power network. As discussed in more detail below, certain aspects related to the power grid itself (including hardware and software in the transmission of electricity and / or in the distribution of electricity). In addition, some aspects relate to the functional capabilities of the central management of the power grid. These functional capabilities can be grouped into two categories, operation and application. Operations services allow utilities to monitor and manage smart grid infrastructure (such as applications, network, servers, sensors, etc.). The method and system disclosed in this document relate to the following patent applications, which are incorporated by reference in their entirety into this document: US Patent Application Serial No. 12 / 378,102 (published as Published Application US No. 2009/0281674 TO 1); and US Patent Application Serial No. 12 / 378,091 (published as US Published Application No. 2009/0281673 A1).
[0030] As discussed in more detail below, application capabilities may refer to the measurement and control of the network itself. Specifically, application services enable functionality that may be important for a smart grid, and may include: (1) data collection processes, (2) data categorization processes and persistence processes, and (3) observation processes. As discussed in more detail below, the use of these processes allows you to "observe" the network, analyze the data and obtain information about the network.
[0031] In one embodiment, a power grid system may include an intelligent security system to prevent malicious attacks on the intelligence of a power grid system to cause unwanted results. In order to prevent such malicious attacks, or at least to detect this type of attack quickly, the public utility system needs to be able to detect and characterize unwanted events, thus categorizing such events in a useful way. A utility system is a smart grid system. The attacks may include attacks on the Internet Protocol (IP) and Supervisory Control and Data Acquisition (SCADA) systems and may have particular purposes. These objects may include circumventing the normal functioning of the Smart Grid by exploiting one or more weaknesses, such as through intentional Radio Frequency (RF) interference on the nodes of the wireless network, key derivation, anonymous entity entries inappropriate, tampering with physical hardware. Many of these issues have solutions that are addressed by SCADA or company security controls and operational security controls. "Residual Risk" can be considered the risk remaining after security controls have been applied. When faced with the cyber security challenges of the Smart Grid, a residual security risk remains that may be beyond the typical risks mitigated by SCADA, company information technology (IT), operational, or physical security controls.
[0032] In one embodiment, an incident event (I) may be the occurrence of an unwanted event. The probability of an incident (P (I)), can be the possibility or probability that the occurrence of incidents is based on the existence of a threat and the existence of a vulnerability that can be exploited by the threat. A Threat Event (T) can be an intentional malicious attack or an unexpected danger. Equation 1 below is for the probability of an incident occurring as the sum (1) of the product of the probability of the occurrence of an intentional malicious attack (P (A)), and the probability of the existence of the exploitable vulnerability by the intentional malicious attack, and (2) the product of the probability of an unexpected hazard occurring (P (H)) and the probability of the existence of a vulnerability associated with the unexpected hazard. Equation 1 is the probability of an incident resulting from events that are independent of each other, for example, Intentional Attacks (A) independent of each other, and Unexpected Dangers (H).
Eq. 1
[0033] Where i, j are whole numbers.
[0034] Residual Risk (RR) may be the result of probabilistic security controls that do not mitigate malicious intentional attacks and unexpected dangers. Equation 2 is the residual risk (RR) of the intentional or unintended security incident that occurs due to the lack of adequate protections ("Control Gaps"), that is, the risk that security controls will not prevent detection and protection independent intentional counterattacks and Unexpected Danger events.
Eq. 2
[0035] security can be obtained with the company, operations and ICS. Equations 4 through 6 describe these equations. Eq.

[0036] Equation 7 shows that the probability of an incident on the smart grid is the sum of the probability of the sources of threat events, disconnected, for example, company, operational, SCADA and residual.

[0037] Where, attack (A), danger (H), Vulnerability (V), and Residual Risk (R) are mutually exclusive.
[0038] The vulnerabilities in Equations 3 to 5 can be addressed through the company's traditional passive IT security, for example, by taking advantage of header or packet inspection and usually use the port of the Switched Port Catalyst Analyzer (SPAN ) or Mirror port (For example, the Intrusion Detection System (IDS), Content Filter), traditional IT security based on active subscription, (for example, Firewall), Active IT security and Passive Intelligent Network security ( for example, Hardened Advanced Measurement Infrastructure components, Threat Definition files for Smart Grid for an IDS, automated policy managers for NERC-CIP compliance), and SCADA security. A sample of the vulnerabilities that are accounted for may include: Header Information Package Content SCADA Anomalies Communication Protocols IP Addresses Source and Target Ports TCP and UDP Source and Target Direction of Initiation of Communications Volume of Different Types of Traffic Formats and Content of Packages
[0039] In-depth implementation in the enterprise and in operational defense, layered security approaches, in addition to SCADA security can make the likelihood of an incident insignificant. As a result, Equation 7 can be simplified for Equation 8, as follows:

[0040] As Computer Emergency Response Teams (CERT) and other IT Security Monitoring organizations are not intended to collect information for control systems, the security of the control system must rely on institutional knowledge security monitoring data from your competitor's control systems. Access to this data is not normally shared due to the fact that public knowledge of security breaches would have adverse effects on investor confidence and the company's valuation. A Host Computer Intrusion Detection System (HIDS) takes advantage of software agents installed on machines to monitor host computers for abnormal behavior. Unfortunately, due to their intellectual property, real-time operating systems (OSs) or embedded OSs, not all smart grid components can have HIDS installed on them, for example, SCADA components that measure, control and monitor processes electrical. Thus, residual risk includes the lack of visibility that a HIDS would have represented in addition to the vulnerabilities associated with unintended events. Unjustified vulnerabilities are associated with: natural catastrophe, lack of capacity; unique protocols not recognized by IDS security information and event managers (SIEMS) (for example, Modbus TCP, DNP3, ODVA Ethernet / IP, ICCP); false negatives, for example, a power outage can be diagnosed as a safety event); access control for remote nodes (RTUs and PLCs); integrity and anomaly checks on patented nodes; Patented real-time OS or embedded OSS, and forensic limitations due to interoperability.
[0041] In one embodiment, a Complex Event Processor (or Processing) (CEP) bus can filter, process and correlate data from various sources and abstract events that may occur in the future or have occurred in the past such as power system failure or anomalies. To reduce the likelihood of residual risk, the CEP bus may be in line with public service rules, such as electricity service rules, to detect and filter anomalies not performed on an IDS, antivirus or firewall. The entries for the systems must be all data that influence the availability, integrity and confidentiality of the Network. Examples of inputs from various electronic sources include: Weather Inputs Disturbance Recorders Digital Fault Recorders (Oscillograph) Harmonic Recorders Power Quality Monitoring Device Status Connectivity Status Control Limit US CERT Inputs GPS Constituent Inputs RF Interference Unit Energy Management (PMU) Sensors Load Forecasts Renewable Generation Forecasts
[0042] For example, inputs on weather conditions can be used to predict interruptions and voltage drops due to an overvoltage in use (for example, high temperatures leading to increased energy consumption for units air conditioning). In addition, reports from CERT and other energy companies can collaborate and share databases of incident reports that can be inserted into your CEP bus to identify anomalies that are caused by system misuse or compromise.
[0043] In one embodiment, the occurrence of unwanted events associated with residual risk can be detected and determined by implementing a SIEM for an intelligent grid system to allow CEP and SIEM to identify malicious attacks as a probable cause of an unwanted event based on data other than information technology (IT) logs (eg Netflow Syslog, Vflow, jFlow, sFlow, SNMP traps, LDAP data). This data may include some IT data that is non-traditional and not normally analyzed with reference to safety controls for an electrical network. For example, they may include analog network measurements such as PMU phasor measurements, Global Positioning System (GPS) coordinates, addresses or geographical locations of high-value targets, or vehicle accident reports. Description of the INDE High Level Architecture General Architecture
[0044] Moving on to the drawings, where similar reference numbers refer to similar elements, figure 1 illustrates an example of a global architecture for INDE. This architecture can serve as a reference model that provides complete end-to-end collection, transport, storage and data management of smart grids; it can also provide analysis and analysis management, as well as integration of the above into utility processes and systems. Therefore, this architecture can be seen as an enterprise-wide architecture. Certain elements, such as operational management and aspects of the network itself, are discussed in more detail below.
[0045] The architecture described in figure 1 can include up to four data and integration buses: (1) a data bus from a high-speed sensor 146 (which can include operational and non-operational data); (2) a dedicated event processing bus 147 (which may include event data); (3) an operations service bus 130 (which can serve to provide information about the smart grid for power management office applications); and (4) a company service bus for the IT systems of the management office (shown in figure 1 as the company 114 integration environment bus to serve company 115 IT). Separate data buses can be achieved in one or more ways. For example, two or more of the data buses, such as the data bus of a high-speed sensor 146 and the event processing bus 147, can be different segments on a single data bus. Specifically, buses can have a segmented structure or platform. As discussed in more detail below, hardware and / or software, such as one or more switches, can be used to route data across different segments of the data bus.
[0046] As another example, two or more of the data buses can be on separate buses, as well as separate physical buses in terms of the hardware needed to carry data on the separate buses. Specifically, each of the buses can include cabling separate from each other. In addition, some or all of the separate buses can be of the same type. For example, one or more of the buses may comprise a local area network (LAN), such as Ethernet ® over unshielded twisted pair cabling and Wi-Fi. As discussed in more detail below, hardware and / or software, such as a or more routers can be used to route data on a bus between the different physical buses.
[0047] As in yet another example, two or more of the buses can be in different segments in a simple bus structure and one or more buses can be on separate physical buses. Specifically, the data bus of a high speed sensor 146 and the event processing bus 147, can be different segments on a single data bus, while the bus of the company 114 integration environment can be on a physically separate bus .
[0048] Although figure 1 describes four buses, smaller or higher numbers of buses can be used to transport the four types of data listed. For example, a single non-segmented bus can be used to communicate sensor data and event processing data (bringing the total number of buses to three), as discussed below. And, the system can operate without the operations service bus 130 and / or bus of the company 114 integration environment.
[0049] The IT environment can be compatible with SOA. Service Oriented Architecture (SOA) is an architectural style of computer systems for the creation and use of business processes, packaged as services, throughout their life cycle. SOA also defines and provides the IT infrastructure to allow different applications to exchange data and participate in business processes. Although, the use of SOA and the enterprise service bus are optional.
[0050] The figures illustrate the different elements within the global architecture, such as the following: (1) CORE INDE 120; (2) SUBSTATION INDE 180; AND (3) SINCE 188 DEVICE. This division of elements within the global architecture is for illustration purposes. Another division of the elements can be used. The INDE architecture can be used to support both distributed and centralized approaches to network intelligence, and to provide mechanisms for dealing with scale in large implementations. Distributed analysis and choice of event-related data can be pushed to the edges of the network, for example, to electrical meters, as the network-based structure includes the computing capacity to perform required processing tasks, whatever they may be. at those points in the network.
[0051] The INDE Reference Architecture is an example of the turatechnical architecture that can be implemented. For example, it can be an example of a meta-architecture, used to provide a starting point for the development of any number of specific technical architectures, one for each of the public service solutions, as discussed below. Thus, the specific solution for a particular public service may include one, some or all of the elements in the INDE Reference Architecture. And, the INDE Reference Architecture can provide a standardized starting point for the development of the solution. The methodology for determining the specific technical architecture for a particular electrical network is discussed below.
[0052] The INDE Reference Architecture can be an architecture for the entire company. Its goal may be to provide the framework for complete, end-to-end management of network data and integration of these into power grid systems and processes. Since smart grid technology affects all aspects of public service business processes, one must be aware of the effects not only on the network, operations and levels at the customer's premises, but also at the management office and company levels. Consequently, the INDE Reference Architecture can and does reference SOA at the enterprise level, for example, in order to support the SOA environment for interface purposes. This should not be taken as a requirement that a public service must convert its existing IT environment to SOA before a smart grid can be built and used. An enterprise service bus is a useful mechanism for facilitating IT integration, but it is not necessary in order to implement the rest of the smart grid solution. The following discussion focuses on different components of the INDE smart grid elements. INDE Component Groups
[0053] As discussed above, the different components in the INDE Reference Architecture can include, for example: (1) INDE CORE 120; (2) SUBSTATION INDE 180; AND (3) INDE DEVICE 188. The following sections deal with these three groups of exemplary elements of the INDE Reference Architecture and provide descriptions of the components of each group. CORE INDE
[0054] Figure 2 illustrates the INDE CORE 120, which is the part of the INDE Reference Architecture that can reside in an operations control center, as shown in figure 1. The INDE CORE 120 can contain a unified data architecture for network data storage and an integration scheme for analysis to operate with that data. This data architecture can use the Common Information Model (CIM) of the International Electrotechnical Commission (IEC) as its top level scheme. The IEC CIM is a standard developed by the electricity industry that has been officially adopted by the IEC, with the aim of allowing the application software to exchange information about the configuration and status of an electrical network.
[0055] In addition, this data architecture can make use of federation intermediate software 134 to connect to other types of utility data (such as, for example, meter data, operational and historical data, log files and events), and connectivity and metadata files in a single data architecture that can have a single entry point for accessing high-level applications, including business applications. Real-time systems can also access key data stores via the high-speed data bus, and multiple data stores can receive data in real time. Different types of data can be transported within one or more buses on the smart grid. As discussed below in the SUBSTATION INDE 180 section, the substation data can be collected and stored locally in the substation. Specifically, a database, which can be associated and close to the substation, can store the data of the substation. Analyzes related to the substation level can also be performed on the substation computers and stored in the substation database, and all or part of the data can be transported to the control center.
[0056] The types of data carried may include operational and non-operational data, events, network connectivity data, and network location data. Operational data may include, but is not limited to, changing state, power state, capacitor state, section state, meter status, FCI state, line sensor state, voltage, current, real power, reactive power, etc. Non-operational data may include, but is not limited to, power quality, power reliability, asset health, stress data, etc. Operational and non-operational data can be transported using an operational / non-operational data bus 146. Data collection applications in the transmission of electricity and / or distribution of electricity from the power grid may be responsible for sending some or all of data for the operational / non-operational data bus 146. In this way, applications that need this information may be able to obtain the data by subscribing to the information or invoking services that can make that data available.
[0057] Events may include messages and / or alarms from various devices and sensors that are part of the smart grid, as discussed below. The events can be generated directly from the devices and sensors in the smart grid, as well as those generated by the various analysis applications based on the measurement data from these sensors and devices. Examples of events may include lack of meter, meter alarm, transformer drop, etc. Network components, such as network devices (intelligent power sensors, such as a sensor with a built-in processor that can be programmed for digital processing capability, temperature sensors, etc.), power system components, which include additional processing (RTU's, etc.), smart meter networks (meter health, meter readings, etc.), and mobile field force devices (interruption events, work order conclusions, etc.) can generate data of events, operational and non-operational data. The event data generated within the smart grid can be transmitted via an event bus 147.
[0058] Network connectivity data can define the layout of the electrical network. There may be a basic layout, which defines the physical layout of the network components (substations, segments, feeders, transformers, switches, reclosers, meters, sensors, utility poles, etc.) and their interconnectivity in the installation. Based on events within the network (component failures, maintenance activity, etc.), network connectivity may change on an ongoing basis. As discussed in more detail below, the structure of how data is stored, as well as the combination of data, allows the historical reconstitution of the network layout in different past times. Network connectivity data can be extracted from the Geographic Information System (GIS) on a periodic basis as changes to the power grid are made and this information is updated in the GIS application.
[0059] Network location data may include information about the network component in the communication network. This information can be used to send messages and information to the particular network component. Network location data can be entered manually or into the Smart Grid database as new Smart Grid components are installed or are extracted from an Asset Management System if this information is maintained externally.
[0060] As discussed in more detail below, data can be sent from various components on the network (such as SUBSTATION INDE 180 and / or the DEDE 188 DEVICE). Data can be sent to the INDE 120 core wirelessly, wired, or a combination of both. The data can be received by the public service network communications networks160, which can send the data to routing device 190. Routing device 190 can include software and / or hardware for managing data routing in a segment a bus (when the bus includes a segmented bus structure) or on a separate bus. Routing device 190 may include one or more keys or a router. The routing device 190 may comprise a network device whose software and hardware routes and / or transmits the data to one or more of the buses. For example, routing device 190 can route operational and non-operational data to the operational / non-operational data bus 146. The router can also route event data to event bus 147.
[0061] Routing device 190 can determine how to route data based on one or more methods. For example, routing device 190 can examine one or more headers in the transmitted data to determine whether to route the data to the segment on the operational / non-operational data bus 146 or to the event bus segment 147. Specifically, one or more headers in the data can indicate whether the data is operational data / non-operational data (so that the routing device 190 forwards the data to the operational / non-operational data bus 146). Alternatively, the rotating device 190 can examine the data payload to determine the data type (for example, the routing device 190 can examine the data format to determine whether the data is operational data / non-operational data or event data).
[0062] One of the stores, such as the operational data store 137 that stores the operational data, can be implemented as a true distributed database. Another of the stores, the historian (identified as historical data 136 in figures 1 and 2) can be implemented as a distributed database. The other "extremes" of these two databases can be located in the SUBSTATION INDE 180 group (discussed below). In addition, events can be stored directly in any of the various data stores via the complex event processing bus. Specifically, events can be stored in event logs 135, which can be a repository for all events that have posted to event bus 147. The event log can store one, some or all of the following: Event ID ; kind of event; event source; priority of the event, and time of generation of the event. Event bus 147 does not need to store events over the long term, providing persistence for all events.
[0063] Data storage can be such that the data can be as close to the source as possible or viable. In an implementation, this may include, for example, substation data being stored in SUBSTATION INDE 180. But that data may also be needed at the level of operations control center 116 to make different types of decisions that consider the network in one much more granular level. In conjunction with a distributed intelligence approach, a distributed data approach can be adopted to facilitate data availability at all levels of the solution through the use of data links and data services, as applicable. In this way, the solution for storing historical data (which can be accessible at the level of operations control center 116) may be similar to that for operational data storage. The data can be stored locally in the substations and database links configured in the repository instance in the control center, provide access to the data in the individual substations. Substation analytics can be performed locally at the substation using the local data store. Historical / collective analytics can be performed at the level of operations control center 116 by accessing data in the instances of the local substation, using the database links. Alternatively, the data can be stored centrally in the CORE 120. However, given the amount of data that may need to be transmitted from the INDE 188 DEVICES, storage of the data in the INDE 188 DEVICES may be preferred. Specifically, if there are thousands or tens of thousands of substations (which can occur on a power grid), the amount of data that needs to be transmitted to the INDE 120 CORE can create a communications bottleneck.
[0064] Finally, CORE INDE 120 can program or control one, some or all SUBSTATIONS INDE 180 or DIS-POSITIVE INDE 188 in the power network (discussed below). For example, the INDE 120 core can modify the programming (such as downloading an updated program) or provide a control command to control any aspect of the INDE 180 substation or INDE 188 DEVICE (such as sensor or analytical control). Other elements, not shown in figure 2, may include several integration elements to support this logical architecture.
[0065] Table 1 describes certain elements of the NUCLEUS INDE 120 as illustrated in figure 2.





Table 1: Elements of the INDE CORE
[0066] As discussed in Table 1, the real-time data bus 146 (which communicates operational and non-operational data) and the real-time complex event processing bus 147 (which communicates event processing data) are combined within a single 346 bus. An example of this is illustrated in block diagram 300 in figure 3.
[0067] As shown in figure 1, the buses are separated for performance purposes. For CEP processing, low latency may be important for certain applications that are subject to very large message bursts. Most network data flows, on the other hand, are more or less constant, with the exception of digital fault recorder files, but these can generally be retrieved on a controlled basis, considering that event bursts are asynchronous and random. .
[0068] Figure 1 shows more additional elements in the operations control center 116 separate from CORE INDE 120. Specifically, figure 1 also shows Head of Meter Data Collection Head 153, a system that is responsible for communicating with meters (such as collecting data from them and providing the collected data to the public service network). Demand Response Management System 154 is a system that communicates with the equipment in one or more customer facilities that can be controlled by the public service network. Interruption Management System 155 is a system that assists a public service network in the management of interruptions by tracking the location of faults, managing what is being sent, and the way they are being corrected. Energy Management System 156 is a transmission system level control system that controls devices at substations (for example) in the transmission network. Distribution Management System 157 is a level control system of the distribution system that controls the devices at substations and supply devices (for example) for distribution networks. Network Services IP 158 is a collection of services operating on one or more servers that support IP type communications (such as DHCP and FTP). Mobile Data Dispatching System 159 is a system that transmits / receives messages to mobile data terminals in the field. Load Flow and Circuit Analysis, Planning, Lightning Analysis, and Network 152 Simulation Tools are a set of tools used by a utility in the design, analysis and planning of networks. IVR (integrated voice response) and Call Management 151 are systems for handling customer calls (automatic or by attendants). Incoming telephone calls regarding interruptions can be entered automatically or manually and forwarded to the Interrupt Management System 155. Work Management System 150 is a system that monitors and manages work orders. Geographic Information System 149 is a database that contains information about where the assets are geographically located and how the assets are linked together. If the environment has a Service Oriented Architecture (SOA), SOA 148 Operations Support is a collection of services to support the SOA environment.
[0069] In one embodiment, the SIEM 162 included in the IN-DE 120 core can be used in conjunction with the CEP 147 processing bus to detect and determine the occurrence of unwanted events associated with residual risk and determine whether such occurrences are likely to be the result of a malicious attack. Referring to figure 20, several types of data 2000 can be received by the CEP 147 bus. Table 2 below provides a non-exhaustive list of an example of types of information that can be used as 2000 data and where the data can originate from electronic sources 2001 within the INDE system of FIG. 1.
Table 2: Data types
[0070] In one embodiment, data from 2000 can be considered non-I or dynamic data, environment-specific, trend data (collectively referred to in this document as "non-IT data" for simplicity). Therefore, non-TI 2000 data may include, but is not limited to, non-traditional IT information, such as phasor measurements, connectivity states, and interruptions in other regions as shown in Table 2; event data from specific locations, as shown in Table 2; historical data that may show past trends or habitual behavior; and geographic location data (such as data relating to specific locations, such as notable or high-value targets, such as the Pentagon, the Federal Reserve, the White House, Army bases, foreign embassies, etc.). 2000 data can be received via various electronic sources 2001, such as sensors and detectors within the INDE, network-based data, Internet-based data or other suitable data types. A non-exhaustive list of 2001 electronic sources of non-IT data may include: a web tracking device; computing device with search engine capability, a web access device; a GPS device; a device for monitoring social media message flows; a thermometer; and an emergency response communicator. These 2001 electronic sources can be coupled with the 147 CEP bus. Here, the phrase: "coupled with", is understood to be directly connected to - or - indirectly connected through one or more intermediate components. Such intermediate components can include components based on both hardware and software.
[0071] A number of tools can be understood as usable by or with reference to electronic sources from 2001, including, but not limited to, social media compatible devices that run through Tweets, Facebook, or other social media streams for discussions based on in location as well as information confirming the location of users and that may indicate the possible occurrence of unwanted events, including natural disasters or acts of terror, for example. RMS sources can also be monitored. Location verification can include a user declaration, a cell phone application or computing device that obtains a user's authorization to publish or share the user's location (for example, through Places ® of the Facebook application; or through another application that allows the user to access a location from a mobile device), and triangulation, where authorized. IP addressing or investigating routes can also be performed to determine user locations. The tools can also include Web search engines, including a Web crawler that picks information out of Web pages on the Internet. Whether locations retrieved from these sources of information (or many others) are based on GPS, or not, the system can convert the locations to GPS locations and seek to correlate those GPS locations with corresponding locations or close to the smart grid system. With such a correlation, the system revealed in this document may be able to characterize an unwanted event as malicious or not (for example, a security risk or an engineering risk).
[0072] After the receipt of the 2000 data by the CEP 147 bus, the 2000 data can be pre-processed by a filter module 2002. The filter module 2002 can be responsible for pre-processing the data 2000, to determine the relevant data of those included in the 2000 data. For example, the CEP 147 bus can receive power interruption information for other Regions / Countries and Twitter trend statistics. Filtered (or pre-processed) 2003 data can then be received by a 2004 rules engine module. The 2004 rules engine module can include several predetermined rules or criteria against which to evaluate pre-processed data to determine whether pre-processed data -processed are representative of one or more occurrences of an unwanted event associated with the residual risk. These rules can be used to identify conditions present at INDE that may indicate that an unwanted event is occurring or may occur that is due to malicious activity. For example, a power outage at a given location may indicate that a malicious attack on INDE was occurring or that the power outage is due to non-malicious causes, such as adverse weather conditions or vehicular accidents. The rules engine module 2004 can receive information from a centralized control center indicating that the outage has occurred. Alternatively, the determination of interruptions or other unwanted events can be done through sensor outputs, meter data, or other suitable modes of detection.
[0073] In one embodiment, the rules engine module 2004 can receive the status of a given device or conditions as transmitted by data 2000 (for example, meter failure). By determining the status of various conditions, the rules engine module 2004 can apply pre-established rules to the various determined states to determine whether a malicious cause is likely responsible for the occurrence of unwanted events. The rules engine module 2004 can generate a level of probability to convey the probability that the occurrence of an unwanted event is due to malicious activity. The rule engine module 104 can generate risk probability as having a particular qualitative probability level of "high," average ", or" low ", depending on the determination made by the rule engine. For example, the rule engine module 104 can use a predetermined rule by examining an interruption location and weather conditions based on information received in the 2000 data. In alternative examples, the level of probability can be expressed using fewer or additional qualitative levels, a percentage or other suitable expression. The rules engine module 2004 can determine that if a power outage is present in a particular location (for example, postal code 12345) and current weather information indicates that a tornado is present in postal code 12345, then there is a low probability of that such an interruption is due to malicious intent and instead is probably due to other causes, such as inclement weather . In such a case, the rules engine module 2004 may determine that the likelihood of such an occurrence being malicious is "low", according to predetermined levels. The limit at which each level is determined can be based on several criteria, such as temperature, location, traffic accidents in the vicinity, fires in the vicinity, reports of gunshots in the vicinity, dollars, a series of statistics Twitter or statistics related to any type of social media messages or communications, PMU values, recent storms, National Security Threat Levels, Department of Defense - Threat Levels, National Threat Levels, time of day, and the like.
[0074] Table 3 provides a series of other examples that indicate a non-exhaustive list of examples illustrating how rules implemented by the rules engine module can be used to indicate the likelihood that a malicious attack on the INDE system may be occurring .
Table 3: Exemplary Rules
[0075] After determining the level of probability that a particular unwanted event is being maliciously caused, the rules engine module 2004 can cross reference the unwanted event with a 2006 historical correlation module. The 2006 historical correlation module can reference data 2000 and determine whether any of these conditions have already indicated the occurrence of a malicious attack or have indicated a false alarm in such a way. The 2006 historical correlation module can retrieve historical data from various sources, such as event records 135, historical data 136, and operational data 137 (see figure 1), for example, to obtain the relevant historical data. For example, in the scenario given above in which a power outage is present in a given area (for example, postal code 12345) and current weather information indicates that a tornado is present in postal code 12345, the 2006 historical correlation module can retrieve information historical with respect to postal code 12345 which indicates that no tornado has ever been registered in the area or that the area is not generally known for occurrences of tornadoes. If such historical information has been retrieved, the rule engine module 104 may determine that the state indicating that a tornado is possibly an unlikely event and would determine that the likelihood of malicious activity is "high". However, if historical information indicated that tornadoes or tornado-friendly conditions had historically been present, then the first indication of a "low" probability should be maintained by the 2004 rules engine module.
[0076] After determining that a malicious attack is likely to be occurring or has occurred, an indication of this can be provided by the rules engine module 2004 through the CPE 147 bus for SIEM 162 represented in FIG. 20 as a 2008 residual risk event message. The 2008 residual risk event message can include the analyzed condition, as an outage, as well as determining the probability level of malicious causes of the condition and relying on non-IT data to your determination. SIEM 162 can also receive information technology (IT) (or activity) 2010 events from IT hardware or software, such as routers, switches, firewalls, intrusion detection systems, or virus protection. IT 2010 events can provide various information about INDE's IT infrastructure, such as that included in key records. IT 2010 events can include information such as device registrations, IDS / IPS alerts, WIDS / WIPs alerts, antivirus alerts and device settings, for example. Any data or information that does not fall within these general types of IT events is considered non-IT data as that term is referred to in this document. Upon receipt of the 2008 residual risk event message and the IT 2010 event, SIEM 162 can determine a risk characterization that indicates the type of risk caused by the malicious activity. After determining the risk characterization, SIEM 162 can generate a 2012 risk characterization message that can be provided to a system administrator or other individual / entity responsible for reacting to any occurrences of unwanted events. The 2012 risk characterization message can indicate not only the level of probability of malicious intent for a given event, but also determine the area or areas of risk, such as security, engineering, communications, etc. In one example, this can be accomplished by the risk being characterized as the result of an unintended (or unexpected) danger or malicious attack. The correlation of residual risk with information from the network / IT facilitates the allocation of risk areas.
[0077] Referring again to figure 1, one or more of the systems in the Operations Control Center 116 that are outside the INDE 120 Nucleus are legacy product systems that a public service network may have and that can provide non-IT data. Examples of these legacy product systems include SOA Operations Support 148, Geographic Information System 149, Work Management System 150, Call Management 151 Circuit Analysis and Load Flow, Planning, Lightning Analysis, and Simulation Tools. Network 152, Meter Data Collection Head End (s) 153, Demand Response Management System 154, Interrupt Management System 155, Power Management System 156, Distribution Management System 157, Network Services IP 158, and Mobile Data Dispatch System 159. However, these legacy product systems may not be able to process or manipulate data that is received from an intelligent network. The INDE Nucleus 120 may be able to receive data from the smart grid, process the data from the smart grid, and transfer the processed data to one or more legacy product systems in a way that legacy product systems can use (such as particular formatting for the legacy product system). In this way, the INDE 120 Nucleus can be seen as an intermediate software that connects two different and separate applications.
[0078] The operations of the control center 116, including the NÚ CLEO INDE 120, can communicate with Enterprise IT115. In general, the functionality in the Enterprise IT 115 comprises operations from the management office. Specifically, Enterprise TI 115 can use the enterprise 114 integration environment bus to send data to various systems within Enterprise IT 115, including Business Data Warehouse 104, Business Intelligence Applications 105, Enterprise Resource Planning 106, various Financial Systems 107, Customer Information System 108, Human Resources System 109, Asset Management System 110, Company Support SOA 111, Network Management System 112 and Corporate Messaging Services 113. Enterprise IT 115 can also include a portal 103 to communicate with the Internet 101 through a firewall 102. SUBSTATION INDE
[0079] Figure 4 illustrates an example of high level architecture for the SUBSTATION INDE 180 group. This group can include elements that are actually hosted in substation 170 in a substation control house on one or more servers placed with the electronic components and substation systems.
[0080] Table 4 below lists and describes certain elements of the SUBSTATION INDE 180 group. Data security services 171 can be a part of the substation environment; alternatively, they can be integrated into the SUBSTATION INDE 180 group.

Table 4 Elements of INDE SUBSTATION
[0081] As discussed above, different elements within the smart grid may include additional functionality including additional processing / analytical capabilities and database resources. The use of this additional functionality within various elements in the smart grid allows distributed architectures with centralized management and administration of applications and network performance. For performance, functional and scalability reasons, an intelligent network involving thousands to tens of thousands of SUBSTATIONS INDE 180 and tens of thousands to millions of network devices can include distributed processing, data management and process communications.
[0082] The INDE 180 substation may include one or more processors and one or more memory devices (such as substation 181 non-operational data and substation 182 operation data). Non-operational data 181 and operational data from substation 182 can be associated and close to the substation, such as located inside or on the INDE SUBSTATION 180. The INDE 180 substation can also include the intelligent grid components, which are responsible for the possibility of observing the smart grid at a substation level. The components of the INDE 180 substation can provide three main functions: acquisition of operational data and storage in the distributed operational data warehouse; acquisition of non-operational data and storage in the historian; and processing local analysis on a real-time basis (such as a sub-second). Processing can include digital signal processing of voltage and current waveforms, detection and classification processing, including event flow processing and communication of processing results to local systems and devices as well as systems in the center. operations control 116. The communication between the INDE 180 substation and other devices on the network can be wired, wireless, or a combination of wired and wireless. For example, data transmission from SUBSTATION INDE 180 to operations control center 116 can be wired. The INDE substation 180 can transmit data, such as operational / non-operational data or event data to the operations control center 116. The routing device 190 can direct the transmitted data to one of the operational / non-operational data buses 146 or the event bus 147.
[0083] Optimization of the response to the demand for managing distribution losses can also be performed here. This architecture is in accordance with the distributed application architecture principle previously discussed.
[0084] For example, connectivity data can be duplicated at substation 170 and at operations control center 116, thus allowing a substation 170 to operate independently, even if the data communication network for the operations control is not working 116. With this information (connectivity) stored locally, analytical activities of the substation can be performed locally, even if the communication link with the operations control center is inoperative.
[0085] Likewise, operational data can be duplicated at operations control center 116 and at substations 170. Data from sensors and devices associated with a particular substation can be collected and the latest measurement can be stored in this data deposit at the substation. The operational data storage data structures can be the same and therefore the database links can be used to provide direct access to the data residing in the substations and through the operational data storage instance in the control center. This provides a number of advantages, including relieving data duplication and allowing data analysis at the substation, which is more time sensitive, to occur locally and without reliance on availability of communication beyond the substation. Analysis of data at the level of operations control center 116 may be less time sensitive (as operations control center 116 may normally examine historical data to discern patterns that are more predictive, rather than reactive) and may be able to work around network problems, if any.
[0086] Finally, historical data can be stored locally in the substation and a copy of the data can be stored in the control center. Or, database links / links can be configured on the repository instance at operations control center 116, providing the operations control center with access to data at individual substations. Substation analytics can be performed locally at substation 170 using local data storage. Specifically, using the additional intelligence and storage capacity in the substation allows the substation to analyze itself without the participation of a central authority. Alternatively, historical / collective analytics can also be performed at the level of operations control center 116 by accessing data in the instances of the local substation, using the database links / links. INDE DEVICE
[0087] The DEDE 188 DEVICE group can comprise any variety of devices within the smart grid, including various sensors within the smart grid, such as several distribution devices of the 189 grid (for example, line sensors over the power lines) , 163 meters at the customer's premises, etc. The DEDE 188 DEVICES group can comprise a device added to the network with special functionality (such as a Smart Remote Terminal Unit (RTU), which includes dedicated programming), or it can include an existing device within the network with additional functionality (such as a RTU from the top of the existing open architecture pole that is already in place on the network and that can be programmed to create a smart line sensor or smart grid device). The DEDE 188 DEVICE can also include one or more processors and one or more memory devices.
[0088] Existing network devices may not be opened from a software point of view, and may not be able to support much with regard to modern networks or software services. Existing network devices may have been designed to acquire and store data for occasional downloading to some other device, such as a portable computer, or to transfer batch files over the PSTN line to a remote central computer on demand. These devices may not be designed for operation in a digital network environment in real time. In these cases, data from the network device can be obtained at the substation 170 level, or at the operations control center 116 level, depending on how the existing communications network was designed. In the case of meter-controlled networks, this will normally be the case where data is obtained from the measurement data collection mechanism, since meter networks are generally closed and meters cannot be handled directly. As these networks evolve, meters and other network devices can be individually addressable, in such a way that data can be transported directly to where they are needed, which may not necessarily be the operations control center 116, but can be anywhere. place of the network.
[0089] Devices, such as defective circuit indicators, can be paired with wireless network interface cards, for connection in wireless networks with modest speed (such as 100 kbps). These devices can report the status by exception and perform fixed pre-programmed functions. The intelligence of many network devices can be increased using local smart RTU's. Instead of having pole top RTU's that are designed as a fixed function, closed architecture devices, RTU's can be used as open architecture devices that can be programmed by third parties and that can serve as an INDE 188 DEVICE in the INDE Reference Architecture . In addition, meters at customers' premises can be used as sensors. For example, meters can quantify consumption (such as the amount of energy that is consumed for billing purposes) and can measure voltage (for use in volt / VAR optimization).
[0090] Figure 5 illustrates an exemplary architecture for the INDE 188 DEVICE group. Table 5 describes certain elements of the INDE 188 DEVICE. The smart grid device can include an embedded processor, so that the processing elements are less like SOA services. and more like real-time library program routines, since the DIS-POSITIVE group is implemented in a dedicated real-time DSP or microprocessor.


Table 5 Elements of INDE DEVICE
[0091] Figure 1 further illustrates customer facilities 179, which may include one or more Smart Meters 163, a home display 165, one or more sensors 166, and one or more controls 167. In practice, sensors 166 can record data on one or more devices, at customer premises 179. For example, a sensor 166 can record data on several important devices within customer premises 179, such as the oven, hot water heater, air conditioning, etc. Those from one or more sensors 166 can be sent to Smart Meter 163, which can package the data for transmission to operations control center 116 via the utility utility communications network 160. Home display 165 can provide the customer at the customer's premises with an output device to view, in real time, the data collected from the Smart Meter 163 and one or more sensors 166. In addition, an input device (such as a keyboard) can be associated with the home display 165 so that the customer can communicate with operations control center 116. In one embodiment, the home display 165 can comprise a computer resident on the customer's premises.
[0092] Client facilities 165 can also include controls 167 that can control one or more devices at client facilities 179. Various devices at client facilities 179 can be controlled, such as the heater, air conditioning, etc., depending on of operations control center 116.
[0093] As represented in figure 1, the facilities of client 169 can communicate in several ways, such as through Internet 168, Public Switched Telephone Network (PSTN) 169, or through a dedicated line (such as through collect 164). Through any of the mentioned communication channels, data can be sent from one or more customer premises 179. As shown in figure 1, one or more customer premises 179 can comprise a Smart Meter Network 178 (comprising a plurality of smart meters 163), sending data to a collector 164 for transmission to the operations control center 116 through the utility grid management network 160. In addition, several distributed sources of energy generation / storage 162 ( such as solar panels, etc.) can send data to a monitor control 161 for communication with operations control center 116 through the utility grid management network 160.
[0094] As discussed above, devices on the electrical network outside the operations control center 116 may include processing and / or storage capacity. Devices may include the INDE 180 SUBSTATION and the INDE 188 DEVICE. In addition to the individual devices on the power grid including additional intelligence, the individual devices can communicate with other devices on the power grid in order to exchange information (including data sensor and / or analytical data (such as event data)), in order to analyze the state of the power network (such as determining failures), in order to change the state of the power network (for example, correcting defects ). Specifically, individual devices can use the following: (1) intelligence (such as processing power), (2) storage (such as distributed storage discussed above); and (3) communication (such as the use of one or more buses discussed above). In this way, the individual devices in the electrical network can communicate and cooperate with each other without the supervision of the operations control center 116.
[0095] For example, the INDE architecture revealed above may include a device that detects at least one switch in the supply circuit. The device may also include a processor that monitors the detected switch in the supply circuit and analyzes the detected switch to determine the state of the supply circuit. For example, the analysis of the detected switch can comprise a comparison between the detected switch with a predetermined threshold and / or can comprise a trend analysis. Such a detected parameter may include detection of the waveforms and such analysis may include determining whether the detected waveforms indicate a failure in the supply circuit. The device can also communicate with one or more substations. For example, a particular substation can supply power to a particular power circuit. The device can detect the state of the particular supply circuit, and determine whether there is a defect in the particular supply circuit. The device can communicate with the substation. The substation can analyze the defect determined by the device and can take corrective measures, depending on the failure (such as reducing the power supplied to the supply circuit). In the example of the data sending device indicating a failure (based on waveform analysis), a substation can change the power supplied to the supply circuit without the operations control center input 116. Or, the substation can combine the data indicating the failure with information from other sensors to further refine the failure analysis. The substation can also communicate with operations control center 116, such as the application of interrupt intelligence (as discussed in figure 13) and / or the application of fault intelligence (as discussed in figure 14). Thus, operations control center 116 can determine the failure and can determine the extent of the outage (such as the number of households affected by the failure). In this way, the device for detecting the state of the supply circuit can work cooperatively with the substation, in order to correct a potential defect, with or without the intervention requirement of the 116 operations control center.
[0096] As another example, a line sensor, which includes additional intelligence using processing and / or memory capacity, can produce the network status data in a part of the network (such as a supply circuit). Network status data can be shared with the demand response management system 155 at the operations control center 116. The demand response management system 155 can control one or more devices at customer facilities on the feeder circuit in response to network status data from the line sensor. In particular, the demand response management system 155 can command the energy management system 156 and / or the distribution management system 157 to reduce the load on the supply circuit by turning off the devices at the customer's receiving power plant of the supply circuit in response to the line sensor indicating an interruption in the supply circuit. In this way, the line sensor, in combination with the demand response management system 155, can automatically transfer the load from a defective feeder circuit and then isolate the fault.
[0097] As in yet another example, one or more relays in the electrical network may have a microprocessor associated with it. These relays can communicate with other devices and / or databases residing in the electrical network, in order to determine a fault and / or control the electrical network. INDS Concept and Architecture Outsourced Smart Grid Data / Analysis Services Model
[0098] An application for intelligent grid architecture allows the utility grid to subscribe to network data management analysis services, while maintaining traditional control systems and related operating systems at home. In this model, the utility grid can install and own network sensors and devices (as described above), and can either own and operate the communication system, transport network data, or can outsource it. Network data can flow from the public network to a remote hosting location of an Intelligent Network Data Service (INDS), where data can be managed, stored and analyzed. The utility grid can then apply for data and analysis services under a financially adequate service model. The public service electric grid can avoid the initial capital investment expenses and the current costs of supporting management, and updating the data infrastructure and analysis of the smart grid, the exchange of payments. The INDE Reference Architecture, described above, lends itself to the outsourcing agreement described here. INDS Architecture for Intelligent Network Services
[0099] In order to implement the INDS service model, the INDE Reference Architecture can be partitioned into a group of elements that can be hosted remotely, and those that can be maintained in the public utility grid. Figure 6 illustrates how the utility grid architecture can look once the CORE INDE 120 has been done remotely. A server can be included as part of the CORE INDE 120 which can act as the interface for remote systems. For electrical grid systems, this can appear as a virtual 602 INDE CORE.
[00100] As the general block diagram 600 in figure 6 shows, the SUBSTATION INDE 180 and DEVICE INDE 188 groups are unchanged in relation to those represented in figure 1. The structure of the multiple bus can also be used in the utility grid also .
[00101] The INDE 120 CORE can be hosted remotely, like the block diagram 700 that illustrates figure 7. At the hosting site, the INDE 120 CORE can be installed as needed to support subscribers of the INDS utility grid (shown as North American INDS Accommodation Center 702). Each CORE 120 can be a modular system, so adding a new subscriber is a routine operation. A separate part of the electricity utility can manage and support the software for one, some or all of the INDE 120 CORE, as well as the applications that are downloaded from the INDS hosting location for each SUBSTATION INDE 180 and DEVICES IN- FROM 188 of utility grid.
[00102] In order to facilitate communications, high bandwidth and low latency communications services, such as over the 704 network (for example; Multiple Identification Protocol Switching (MPLS) or another WAN), can be used, which can reach the operation centers of the subscriber's public service electric networks, as well as the INDS hosting locations. As shown in figure 7, several areas can be served, such as California, Florida, and Ohio. This modularity of operations not only allows efficient management of several different networks, it also allows for better inter-network management. There are cases where a failure in one network can affect operations on a neighboring network. For example, a failure in the Ohio network can have a cascading effect on the operations of a neighboring network, such as the Central Atlantic network. Using the modular structure, as illustrated in figure 7 allows the management of individual networks and the management of inter-network operations. Specifically, a global INDS system (which includes a processor and memory) can manage the interaction between the various INDE 120 CORE. For example, a failure in the Ohio network can spread to a neighboring network, such as the Central Atlantic network . The INDE 120 CORE dedicated to managing the Ohio network can attempt to correct the failure in the Ohio network. And, the global INDS system may try to reduce the possibility of a cascade failure occurring on neighboring networks. Specific examples of functionality in CORE INDE
[00103] As shown in figures 1, 6 and 7, several functionalities (represented by blocks) are included in the CORE INDE 120, two of which are meter data management services (MDMS) 121 and analysis and measurement services 122. Because of the modularity of the architecture, several features, such as MDM 121 and analysis and measurement services 122, can be incorporated. Observation Processes
[00104] As discussed above, an application services functionality may include observation processes. Observation processes can allow the utility to observe the network. These processes can be responsible for interpreting the raw data received from all sensors and devices on the network and transforming them into useful information. Figure 8 includes a list of some examples of observation processes.
[00105] Figure 9 illustrates a flow diagram 900 of Measurement of Network Status and Operations Processes. The Data scanner can request the meter data, in block 902. The request can be sent to one or more network devices, substation computers and line sensor RTU's. In response to the request, devices can collect data from operations, as shown in blocks 904, 908, 912, and can send data (such as one, some or all of the operational data, such as Voltage, Current, Actual Power data , and Reactive Power), as shown in blocks 906, 910, 914. The data scanner can collect operational data, as shown in block 926, and can send the data to operational data storage, as shown in block 928. The operational data store can store the operational data, as shown in block 938. The operational data store can also send a snapshot of all data to the historian, as shown in block 940, and the historian can store the data snapshot , as shown in block 942.
[00106] The meter status application can send a request for meter data to the DCE Meter, as shown in block 924, which in turn sends a request to one or more meters to collect meter data, as shown in block 920. In response to the request, one or more meters collect meter data, as shown in block 916, and send the voltage data to the DCE Meter, as shown in block 918. The DCE Meter can collect voltage data as shown in block 922, and send the data to the data requester, as shown in block 928. The meter status application can receive the meter data, as shown in block 930, and determine whether it is for a process single value or a voltage profile state of the grid as shown in block 932. If it is for the single value process, the meter data is sent to the requesting process, as shown in block 936. If the data from the meter are for storage to determine the state of the network at a future time, the meter data is stored in the operational data store, as shown in block 938. The operational data store additionally sends a snapshot of the data to the historian, as shown in block 940, and the historian stores the snapshot of the data, as shown in block 942.
[00107] Figure 9 further illustrates actions related to the demand response (DR). Demand response refers to dynamic demand mechanisms for managing the customer's electricity consumption in response to supply conditions, for example, having electricity customers who reduce their consumption at critical times or in response to market prices. This may actually involve reducing the power used or starting the generation at the site which may or may not be connected in parallel with the grid. This can be different from energy efficiency, which means using less energy to perform the same tasks, on an ongoing basis or whenever the task is performed. In response to demand, customers, using one or more control systems, can free up loads in response to a request from a utility network or market price. Services (lights, machinery, air conditioning) can be reduced according to an advance planned load prioritization scheme during critical time periods. An alternative to reduce the load is the local generation of electricity to complement the power grid. Under conditions of tight electricity supply, the response to demand can significantly reduce the peak price and, in general, the volatility of electricity prices.
[00108] Demand response can generally be used to refer to mechanisms used to encourage consumers to reduce demand, thereby reducing the peak demand for electricity. Since electrical systems are generally sized to match peak demand (more room for errors and unforeseen events), decreasing peak demand can reduce overall plant and capital cost requirements. Depending on the production capacity configuration, however, the demand response can also be used to increase demand (load) during times of high production and low demand. Some systems can therefore encourage energy storage for arbitrage between periods of low and high demand (or low and high prices). As the proportion of intermittent energy sources such as wind power grows in a system, responding to demand can become increasingly important for effective management of the electricity grid.
[00109] The DR status application can request the available DR capacity, as shown in block 954. The DR management system can then request the available capacity of one or more DR home devices, as shown in block 948. One or more home devices can collect available DR capacity in response to the request, as shown in block 944, and send the DR capacity and response data to the DR management system, as shown in block 946. The management system DR can collect DR capacity and response data, as shown in block 956, and send capacity and response data to the operational data store, as shown in block 958. The operational data store can store the DR capacity and response data, as shown in block 938. The operational data store can still send an instant data to the historian, as shown in block 940, and the historian can arm stop the data snapshot, as shown in block 942.
[00110] The substation computer can request application data from the substation application, as shown in block 974. In response, the application of the substation may require application of the substation device, as shown in block 964. The substation device can collect the application data, as shown in block 960, and send the application data to the substation device (which may include one, some or all of the Voltage, Current, Actual Power and Reactive Power data), as if shown in block 962. The substation application can collect the application data, as shown in block 966, and send the application data to the requester (which can be the substation computer), as shown in block 968. The The substation computer can receive the application data, as shown in block 970, and send the application data to the operational data store, as shown in block 972.
[00111] The measurement of the network status and the process of operational data may comprise derivation of network status and network topology at a given point in time, as well as providing this information to another system, and data stores. Subprocesses can include: (1) measurement and capture of network status information (this relates to the operational data related to the network that was discussed earlier); (2) sending information about the state of the network to other analytical applications (this allows other applications, such as analytical applications, to access network status data); (3) snapshot of network persistent state for storage of connectivity / operational data (this allows updating of network status information for storage of connectivity / operational data in the appropriate format as well as forwarding this information to the historian for persistence so that a network topology at one point in time can be derived at a later time); (4) derivation of the network topology at a point in time based on the standard connectivity and current network state (this provides the network topology at a given point in time, applying the point in time snapshot of the network state at historian for basic connectivity in the storage of connectivity data, as discussed in more detail below); and (5) providing network topology information for on-demand applications.
[00112] With regard to subprocess (4), the network topology can be derived for a predetermined time, such as in real time, 30 seconds ago, 1 month ago, etc. To recreate the topology of the network, several databases can be used, and a program to access the data in the multiple databases to recreate the topology of the network. A database can include a relational database that stores the database's connectivity data (the "connectivity database"). The connectivity database can maintain the network topology information, as constructed, in order to determine the base connectivity model. Asset and topology information can be updated in this database periodically, depending on updates to the power grid, such as the addition or modification of the power network circuits (for example, additional power circuits that are added to the power grid). The connectivity database can be considered as "static" as it does not change. The connectivity database may change if there are changes in the structure of the power grid. For example, if there is a change in the supply circuits, such as the addition of a supply circuit, the connectivity database may change.
[00113] An example of the 1800 structure of the connectivity database can be obtained from the hierarchical model described in figures 18A-D. Structure 1800 is divided into four sections with figure 18A being the upper left section, figure 18B being the upper right section, figure 18C being the lower left section and figure 18D being the lower right section. Specifically, figures 18A-D are an example of an entity relationship diagram, which is an abstract method for representing the basic connectivity database. The hierarchical model in figures 18A-D can maintain the metadata that describes the power network and can describe the various components of a network and the relationship between the components.
[00114] A second database can be used to store "dynamic" data. The second database can include a non-relational database. An example of a non-relational database may include a historian database which stores non-operational time series data, as well as operational historical data. The historian database can store a series of "flat" records, such as: (1) time stamp, (2) device ID, (3) a data value, and (4) the status of a device. In addition, the stored data can be compressed. Because of this, the operating / non-operating data in the power grid can be easily stored, and can be controllable even though a considerable amount of data may be available. For example, data on the order of 5 Terabytes can be online at any time, for use to recreate the network topology. Because the data is stored in the simple record plan (such as no organizational approach), it allows for efficient data storage. As discussed in more detail below, data can be accessed by a specific marker, such as the date and time.
[00115] Several analyzes for the network may want to receive, as input, the network topology at a certain point in time. For example, analyzes of power quality, reliability, asset health, etc., can use the network topology as an input. In order to determine the network topology, the baseline connectivity model, as defined by the data in the connectivity database, can be accessed. For example, if the topology of a particular supply circuit is desired, the base connectivity model can define the various parameters in the specific supply circuit in the power network. After that, the historian database can be accessed (based on the specific time), in order to determine the values of the parameters of the specific supply circuit. Then, a program can combine the data from the baseline of the connectivity model and the historian database in order to generate a representation of the specific power circuit, at the singular moment.
[00116] A more complicated example to determine the network topology may include multiple supply circuits (for example, supply circuit A and supply circuit B) that have an interconnect switch and disconnect switches. Depending on the switching states of certain switches (such as the interconnect switch and / or the disconnecting switches), sections of the supply circuits may belong to supply circuit A or supply circuit B. The program that determines the network topology it can access data from both the baseline connectivity model and the historian database in order to determine connectivity at a given time (for example, whose circuits belong to feeder circuit A or feeder circuit B).
[00117] Figure 10 illustrates a flow diagram 1000 of Non-Operational Data Processes. The non-operational extract application can request non-operational data, as shown in block 1002. In response, a data scanner can gather non-operational data as shown in block 1004, where various devices on the power grid, such as network devices, computer computers, substation, and RTU's line sensors can collect non-operational data, as shown in blocks 1006, 1008, 1110. As discussed above, non-operational data can include temperature, quality, power, etc. The various devices on the power grid, such as grid devices, substation computers, and RTU's line sensors can send non-operational data to the data scanner as shown in blocks 1012, 1014, 1116. The data scanner can collect non-operational data, as shown in block 1018, and send non-operational data to the non-operational extract application, as shown in block 1020. The non-operational extract application can collect non-operational data, as shown in block 1022, and sends the collected non-operational data to the historian, as shown in block 1024. The historian can receive the non-operational data, as shown in block 1026, store the non-operational data, as shown in block 1028, and send the non-operational data to one or more analytical applications, as shown in block 1030.
[00118] Figure 11 illustrates a 1100 flow diagram of Event Management processes. Data can be generated from various devices based on different events on the power grid and sent over event bus 147. For example, the meter's data collection mechanism can send outage / restoration notification information to the event bus, as shown in block 1102. RTU's line sensors generate a fault message, and can send the fault message to the event bus, as shown in block 1104. Substation analyzes can generate a fault message and / or interruption, and can send the fault and / or interrupt message to the event bus, as shown in block 1106. The historian can send signal behavior to the event bus, as shown in block 1108. E, multiple processes can send data through event bus 147. For example, the event bus can collect the various events, as shown in block 1114. Failure intelligence process, discussed in more detail in figure 14, you can send a fault analysis event through the event bus, as shown in block 1110. The interrupt intelligence process, discussed in more detail in figure 13, can send an interrupt event through the bus events, as shown in block 1112. The event bus can collect the various events, as shown in block 1114. And Complex Event Processing (CEP) services can handle events sent through the event bus, as shown in the block 1120. CEP services can process queries against multiple simultaneous high-speed event message flows in real time after processing by CEP services, event data can be sent over the event bus, as shown in block 1118. The historian can receive one or more event logs for storage via the event bus, as shown in block 1116. In addition, the event data o can be received by one or more applications, such as the interrupt management system (OMS), interrupt intelligence, fault analysis, etc., as shown in block 1122. In this way, the event bus can send the event data for an application, thereby avoiding the "silo" problem of not making the data available to other devices or other applications.
[00119] Figure 12 illustrates a 1200 flow diagram of Demand Response Signaling (DR) processes. DR can be requested by the operation distribution application, as shown in block 1244. In response, the state / connectivity of the network can collect DR availability data, as shown in block 1202, and can send the data, as shown in block 1204. The distribution operation application can distribute the DR availability optimization, as shown in block 1246, through the event bus (block 1254), to one or more DR Management Systems. The DR management system can send DR information and signals to one or more customer facilities, as shown in block 1272. One or more customer facilities can receive DR signals, as shown in block 1266, and send the response DR, as shown in block 1268. DR management can receive the DR response, as shown in block 1274, and send DR responses to one, some or all of the operations data buses 146, the billing database and the marketing database, as shown in block 1276. The billing database and the marketing database can receive responses, as shown in blocks 1284, 1288. Operations data bus 146 can also receive responses, as shown in block 1226, and send DR responses and available capacity for DR data collection, as shown in block 1228. DR data collection can process DR responses and available capacity, as shown in block 1291, and send the data to the operations data bus, as shown in block 1294. The operations data bus can receive DR and response availability, as shown in block 1230, and send it to the state / connectivity of the network. The network state / connectivity can receive the data, as shown in block 1208. The received data can be used to determine the network state data, which can be sent (block 1206) via the operations data bus (block 1220). The operating distribution application can receive network status data (as an event message for DR optimization), as shown in block 1248. Using network status and DR availability and response data, the distribution application operator can perform distribution optimization to generate distribution data, as shown in block 1250. Distribution data can be retrieved by the operations data bus, as shown in block 1222, and can be sent to the extract application connectivity, as shown in block 1240. The operational data bus can send data (block 1224) to the operation distribution application, which in turn can send one or more DR signals to one or more DR Management Systems (block 1252). The event bus can collect signals from each or more DR Management Systems (block 1260) and send the DR signals to each of the DR Management Systems (block 1262). The DR Management System can then process the DR signals, as discussed above.
[00120] The communication operation historian can send data to the event bus, as shown in block 1214. The communication operation historian can also send data from the generation portfolio, as shown in block 1212. Or, a communication device asset management such as Ventyx ® can request virtual power plant (VPP) information, as shown in block 1232. The operations data bus can collect VPP data, as shown in block 1216, and send the data to the resource management, as shown in block 1218. The operations data bus can collect VPP data, as shown in block 1216, and send the data to the asset management device as shown in block 1218. The Asset management can collect VPP data, as shown in block 1234, perform system optimization, as shown in block 1236, and send VPP signals to the event bus, as shown in bl hollow 1238. The event bus can receive the VPP signals, as shown in block 1256, and send the VPP signals to the operation distribution application, as shown in block 1258. The operation distribution application can then receive and process event messages, as discussed above.
[00121] The connection extraction application can extract data from new customers, as shown in block 1278, to be sent to the Marketing Database, as shown in block 1290.
[00122] The operator can send one or more overlap signals, when applicable, as shown in block 1242. Overlap signals can be sent to the operation distribution application. The overlap signal can be sent to the energy management system, as shown in block 1264, the billing database, as shown in block 1282, and / or the marketing database, as shown in block 1286.
[00123] Figure 13 illustrates a 1300 flow diagram of Electric Power Interruption Intelligence processes. Various devices and applications can send power failure notification, as shown in blocks 1302, 1306, 1310, 1314, 1318. Interrupt events can be collected by the event bus, as shown in block 1324, which can send events interruption for complex event processing (CEP), as shown in block 1326. In addition, various devices and applications can send the power restoration status, as shown in blocks 1304, 1308, 1312, 1316, 1320. CEP it can receive interrupt and restoration status messages (block 1330), process events (block 1332), and send event data (block 1334). The interrupt intelligence application can receive event data (block 1335) and request network and connectivity status data (block 1338). The operational data bus can receive the request for network status and connectivity data (block 1344) and forward it to one or both as the operational data store and to the historian. In response, the operational data store and the historian can send the network status and connectivity data (blocks 1352, 1354) through the operational data bus (block 1346) to the interrupt intelligence application (block 1340). It is determined if the data of the network and connectivity status indicate if it was a momentary, as shown in block 1342. If so, the transient / momentary are sent through the operational data bus (block 1348) to the database. transient-momentary data for storage (block 1350). If not, an outage case is created (block 1328) and the outage case data is stored and processed by the outage management system (block 1322).
[00124] Interrupt intelligence processes can: detect failures; classify and record transient-momentary; determine the extent of interruption; determine the original cause of the interruption (s); track interrupt restoration; survey the interruption events, and update the system performance indexes.
[00125] Figure 14 illustrates a flow diagram 1400 of the Failure Intelligence processes. Complex event processing can request data from one or more devices, as shown in block 1416. For example, network status and connectivity, in response to the request, can send network status and connectivity data for event processing complex, as shown in block 1404. Likewise, the historian in response to the request can send the switch status in real time for complex event processing, as shown in block 1410. And complex event processing can receive network status, connectivity data, and switch status, as shown in block 1418. Substation analyzes can request fault data, as shown in block 1428. Fault data can be sent by a variety of devices , such as RTU's of line sensors and the substation computers, as shown in blocks 1422, 1424. The data for various faults, network status, connectivity data and interruption status ptores can be sent for substation analysis for event detection and characterization, as shown in block 1430. The event bus can also receive event messages (block 1434) and send event messages for analysis of the substation (block 1436). Substation analyzes can determine the type of events, as shown in block 1432. For control and protection modification events, the substation computers can receive a fault event message, as shown in block 1426. For all other types events, the event can be received by the event bus (block 1438) and sent to the processing of complex events (block 1440). Complex event processing can receive event data (block 1420) for further processing. Likewise, network state and connectivity can send network state data for processing complex events, as shown in block 1406. And the Common Information Model (CIM) store can send metadata for event processing complexes, as shown in block 1414.
[00126] Complex event processing can send a fault event message, as shown in block 1420. The event bus can receive the message (block 1442) and send the event message to the fault intelligence application (block 1444). The fault intelligence application can receive event data (block 1432) and network status, request connectivity data, and switch status, as shown in block 1456. The fault intelligence application receives data (block 1458 ), analyzes the data and sends event data (block 1460). The event data can be received by the event bus (block 1446), and sent to the fault log file (block 1448). The fault log file can record the event data (block 1402). The event data can also be received by the operational data bus (block 1462), and sends it to one or more applications (block 1464). For example, the interrupt intelligence application can receive event data (block 1466), discussed above, with respect to figure 13. The work management system can also receive event data, in the form of a work order, as shown in block 1468. And, other requesting applications can receive event data, as shown in block 1470.
[00127] Intelligent failure processes can be responsible for interpreting the network data to obtain information about current and potential failures within the network. Specifically, failures can be detected using intelligent failure processes. A fault is typically a short-circuit caused when equipment in the utility grid is defective or an alternative path for the current flow is created, for example, a fallen power line. These processes can be used to detect typical faults (usually handled by conventional fault detection and protective equipment).
[00128] The failure intelligence process can also classify and categorize failures. This allows faults to be classified and categorized. Currently, there is no standard for systematic organization and classification of failures. A de facto standard can be established for it and implemented. The failure intelligence process can also characterize failures.
[00129] Fault intelligence can also determine the location of the fault. Troubleshooting the distribution system can be a difficult task, due to its high complexity and difficulties caused by the unique characteristics of the distribution system such as unbalanced load, three-phase, two-phase and single-phase branches, lack of sensors / measurements, different types of faults, different causes of short circuits, variable load conditions, long power supplies with multiple extensions and network configurations that are not documented. This process allows the use of a number of techniques to isolate the fault location as accurately as the technology allows.
[00130] Fault intelligence can, in addition, raise fault events. Specifically, this process can create and publish fault events to the event bus once a fault has been detected, classified, categorized, characterized and isolated. This process can also be responsible for collecting, filtering, checking and de-duplicating failures so that an individual failure event is generated, rather than a flood based on the raw events that are typical during a failure. Finally, fault intelligence can record failure events in the event log database.
[00131] Figure 15 illustrates a 1500 flow diagram of Metadata Management processes. Metadata management processes can include: list point management; communication connectivity and protocol management; and element naming and translation; sensor calibration factor management, and real-time network topology data management. The application to extract base connectivity can request base connectivity data, as shown in block 1502. The Geographic Information System (GIS) event bus can receive the request (block 1510) and send the data for the application to extract the basic connectivity (block 1512). The application to extract base connectivity can receive data (block 1504), extract, transform and load data (block 1506) and send base connectivity data to the data market (specific data repository) (block 1508). The connectivity data market can later receive the data, as shown in block 1514.
[00132] The connectivity data market may comprise personalized data that contains the electrical connectivity information of the network components. As shown in figure 14, this information can normally be obtained from the Geographic Information System (GIS) of the public service electricity network, which maintains the geographic location as constructed of the components that make up the network. The data in the data store describe the hierarchical information about all the components of the network (substation, feeder, section, branch, segment, t-section, circuit breaker, recloser, switch, etc. - basically all assets). This data warehouse can have the asset and connectivity information as built.
[00133] The application to extract metadata can request metadata for network assets, as shown in block 1516. The metadata database can receive the request (block 1524) and send the metadata (block 1526). The application to extract metadata can receive metadata (block 1518), extract, transform and load metadata (block 1520) and send the metadata to the CIM data store (block 1522).
[00134] The CIM (Common Information Model) data store can then store the data, as shown in block 1528. CIM can prescribe standard utility grid formats to represent the utility grid data. The INDE smart grid can facilitate the availability of smart grid information in a standard utility grid format. And, the CIM data warehouse can facilitate the conversion of specific INDE data to one or more formats, such as, for example, a prescribed standard public power grid format.
[00135] The application to extract assets can request information about assets, as shown in block 1530. The asset registry can receive the request (block 1538) and send new assets (block 1540). The asset extraction application can receive information about new assets (block 1532), extract, transform and load data (block 1534) and send information about new assets to the CIM data warehouse (block 1536).
[00136] The DR connectivity extraction application can request DR connectivity data, as shown in block 1542. The operational data bus can send the DR connectivity data request to the marketing database, as shown in the block 1548. The marketing database can receive the order (block 1554), extract, transform, load DR connectivity data (block 1556), and send DR connectivity data (block 1558). The operational data bus can send DR connectivity data to the application to extract DR connectivity (block 1550). The DR application to extract connectivity can receive DR connectivity data (block 1544), and send DR connectivity data (block 1546) through the operational data bus (block 1552) to the state of the network and DM connectivity, which stores DR connectivity data (block 1560).
[00137] Figure 16 illustrates a 1600 flow diagram of Notification Agent processes. A notification subscriber can enter a web page, as shown in block 1602. The notification subscriber can create / change / delete parameters from the scenario watch list, as shown in block 1604. The web page can store the list of scenario observation, created / modified / deleted, as shown in block 1608, and the CIM data store can create a list of data labels, as shown in block 1612. A name translating service can translate data labels into the historian (block 1614) and send the data tags (block 1616). The web page can send the data tag list (block 1610) through the operational data bus, which receives the data tag list (block 1622) and sends it to the notification agent (block 1624). The notification agent retrieves the list (block 1626), validates and merges the lists (block 1628), and checks the historian for notification scenarios (block 1630). If exceptions that match the scenarios are found (block 1632), a notification is sent (block 1634). The event bus receives the notification (block 1618) and sends it to the notification subscriber (block 1620). The notification subscriber can receive the notification via a preferred means, such as text, phone call, e-mail, etc., as shown in block 1606.
[00138] Figure 17 illustrates a 1700 flow diagram of the Meter Data Collection (AMI) processes. The current collector can request data from residential meters, as shown in block 1706. One or more residential meters can collect data from residential meters in response to the request (block 1702) and send the data from residential meters (block 1704). The current collector can receive data from the residential meter (block 1708) and send it to the operational data bus (block 1710). The meter data collection mechanism may request commercial and industrial meter data, as shown in block 1722. One or more commercial and industrial meters can collect data from commercial and industrial meters in response to the request (block 1728) and send data from commercial and industrial meters (block 1730). The meter data collection mechanism can receive data from the commercial and industrial meter (block 1724) and send it to the operational data bus (block 1726).
[00139] The operational data bus can receive data from the residential, commercial and industrial meter (block 1712) and send the data (block 1714). The data can be received by the meter data repository database (block 1716), or it can be received by the billing processor (block 1718), which in turn can be sent to one or more systems, such as a CRM system (Customer Relationship Management) (block 1720).
[00140] Observation processes may also include remote asset monitoring processes. Monitoring assets within an electrical network can be difficult. There may be different parts of the power grid, some of which are very expensive. For example, substations can include power transformers (which cost more than $ 1 million), and circuit breakers. Often, utilities would do little, if anything, to analyze assets and maximize asset use. Instead, the focus of the utility grid was typically to ensure that energy for the consumer was maintained. Specifically, the utility grid was focused on scheduled inspections (which normally take place at predetermined intervals) or "event-driven" maintenance (which could occur if a failure occurred in part of the grid).
[00141] Instead of typical regular inspections or "event-driven" maintenance, remote asset monitoring processes can focus on condition-based maintenance. Specifically, if a part (or the whole) of the power grid can be assessed (for example, on a periodic or continuous basis), the health of the power grid can be improved.
[00142] As discussed above, data can be generated in various parts of the power grid and transmitted to (or accessible through) a central authority. The data can then be used by the central authority in order to determine the health of the network. In addition to analyzing the health of the network, a central authority can perform usage monitoring. Typically, mains equipment is operated using considerable safety margins. One reason for this is that utilities are conservative in nature and seek to keep energy for the consumer within a wide margin of error. Another reason for this is that utility companies monitoring the grid may not be aware of the extent to which some of the equipment in the power grid is being used. For example, if a power company is transmitting power through a particular power circuit, the power company may not have a means by which to know if the power transmitted is close to the limit of the power circuit (for example, the power circuit may become overheated). Because of this, utility companies may be under-utilizing one or more parts of the power grid.
[00143] Concessionaires also normally spend a considerable amount of money to add capacity to the power grid as the load on the power grid has increased (for example, the amount of energy consumed has been increasing). Because of the ignorance of the concessionaires, they will expand the power grid unnecessarily. For example, feeder circuits that are not operating close to their capacity can nevertheless be upgraded by changing conductors (for example, larger cables are placed in the supply circuits), or additional feeder circuits can be implemented. This cost alone is already considerable.
[00144] Remote asset monitoring processes can monitor various aspects of the electricity network, such as: (1) analysis of the current health of the asset of one or more parts of the network; (2) future health analysis of the asset of one or more parts of the network, and (3) analysis of the use of one or more parts of the network. First, one or more sensors can measure and transmit to remote asset monitoring processes in order to determine the current health of the particular part of the network. For example, a sensor on a power transformer can provide an indicator of your health by measuring the gases dissolved in the transformer. Remote asset monitoring processes can then use analytical tools to determine whether the specific part of the network - such as the power transformer is healthy or unhealthy. If the specific part of the network is not healthy, the specific part of the network can be repaired.
[00145] In addition, remote asset monitoring processes can analyze the data generated from parts of the network in order to predict the future health of assets in parts of the network. There are things that cause stress / wear on electrical components. Stress factors may not necessarily be constant and may be intermittent. The sensors can provide an indicator of the stress on a certain part of the power network. Remote asset monitoring processes can record stress measurements, as indicated by the sensor data, and can analyze the stress / voltage measurement to predict the future health of the power network. For example, remote asset monitoring processes can use trend analysis to predict when the specific part of the network may fail, and can schedule maintenance before (or simultaneously with) the time when the specific part of the network can fail. In this way, remote asset monitoring processes can predict the life of a specific part of the network, and thus determine whether the life of that part of the network is too short (for example, it is the part of the network being used very quickly) .
[00146] In addition, the remote asset monitoring processes can analyze the use of a part of the power grid, in order to better manage the power grid. For example, remote asset monitoring processes can analyze a supply circuit to determine its operational capacity. In this example of the supply circuit, remote asset monitoring processes can determine that the supply circuit is currently being operated at 70%. Remote asset monitoring processes may also recommend that the power circuit in particular can be operated at a higher percentage (such as 90%), while still maintaining acceptable safety margins. Remote asset monitoring processes can thus allow an effective increase in capacity simply by analyzing utilization. Methodology for Determining the Specific Technical Architecture
[00147] There are several methodologies for determining the specific architecture that can use one, some or all of the elements of the INDE Reference Architecture. The methodology can include a plurality of steps. First, an initial step can be carried out in the generation of state documentation as it is of the public utility grid, and an assessment of the preparation for transition to a Smart Grid. Second, a requirements definition step can be carried out in generating the definition of the 'to be' state and the detailed requirements for reaching this state.
[00148] Thirdly, a solution development step can be carried out in generating the definition of the components of the solution architecture that will allow the Intelligent Network, including measurement, monitoring and control. For the INDE architecture, this can include measurement devices, the communication network for transmitting data from devices to the INDE 120 core applications, the INDE 120 core applications to persist and react to data, analytical applications to interpret data. data, data architecture to model measured and interpreted data, the integration architecture for exchanging data and information between INDE and utility grid systems, the technology infrastructure to run the various applications and databases and standards that can be followed to enable an efficient and durable industry standard solution.
[00149] Fourth, a value modeling can be performed in the generation of the definition of key performance indicators and success factors for the Intelligent Network and the implementation of the ability to measure and evaluate the performance of the system against the performance factors desired. The previous revelation refers to the architecture development aspect of step 3.
[00150] Figure 19 illustrates an example of a progress flow chart scheme. Specifically, figure 19 illustrates a process flow of steps that can be taken to define smart grid requirements. The smart grid development process can begin with a development of smart grid vision, which can outline the overall objectives of the project that can lead to the process of developing smart grid roadmaps. The script development process can lead to designing new services (blueprinting) and value modeling.
[00151] Designing new services (blueprinting) can provide a methodical approach to the definition of the smart grid in the context of the entire utility company. Designing new services (blueprinting) can include a global roadmap, which can lead to a baseline, systems assessment (BASE) and requirements definition and analytical selection (RDAS). The RDAS process can create the detailed definition of the utility-specific smart grid.
[00152] The BASE process can establish the starting point for the concessionaire, in terms of systems, networks, devices and applications to support smart grid capabilities. The first part of the process is to develop an inventory of network systems, which may include: network structure (such as generation, transmission lines, transmission substations, sub-transmission lines, distribution substations, distribution feeders, classes of tension); network devices (such as switches, reclosers, capacitors, regulators, voltage drop compensators, interconnect feeder); automation of substations (such as Ieds, Lans de su-bestação, instrumentação, RTU's of station / computers); distribution automation (such as capacitor and switch control; fault isolation and load scroll controls, LTC coordination systems; DMS; Demand Response Management System); and network sensors (such as sensor types, quantities, uses, and importance in distribution networks, transmission lines and substations); etc. Once the inventory is complete, an evaluation of the utility against a model for preparing a high-level smart grid can be created. A model of how the data is flowing and a systems diagram can also be created.
[00153] The architecture configuration process (ARC) can develop a preliminary technical smart grid architecture for the utility grid, combining the BASE process information, requirements and restrictions of the RDAs process and the INDE Reference Architecture to produce a technical architecture that meets the specific needs of the utility grid. The use of the INDE Reference Architecture can avoid the need to invent a customized architecture and ensures that the accumulated experience and best practices are applied to the development of the solution. It can also ensure that the solution can make maximum use of reusable smart grid assets.
[00154] The sensor network architecture configuration process (SNARC) can provide a framework for making the series of decisions that define the architecture of a distributed sensor network to support smart grid. The scheme can be structured as a series of decision trees, each oriented towards a specific aspect of the sensor network architecture. Once the decisions have been made, an architecture diagram of the sensor network can be created.
[00155] The allocation of sensors through the T-recurrence process (SATSECTR) can provide a scheme for determining how many sensors should be placed in the distribution network to obtain a given level of observation. This process can also determine the types of sensors and locations.
[00156] The evaluation of the solution element and component modeling process (SELECT) can provide a framework for the evaluation of types of solution components and provides a design model for each component class. The model can contain a reference model for the specifications of each of the elements of the solution. These templates can then be used to request quotes from suppliers and to support supplier / product evaluations.
[00157] The update planning process for applications and networks (UPlan) can allow the development of a plan for the improvement of existing public utility power grid systems, applications and networks to be ready for integration into a solution of smart grid. The risk assessment and management planning process (RAMP) can provide an assessment of the risk associated with specific elements of the smart grid solution created in the ARC process. The uplan process can assess the level of risk for the identified risk elements and offers an action plan to reduce the risk before the concessionaire commits to a construction. Change analysis and management planning process (CHAMP) can analyze the organizational and process changes that may be necessary for the utility to realize the value of investing in the smart grid and can provide a high-level management plan to make these changes synchronized with the deployment of the smart grid. The CHAMP process can result in designing new services (blueprinting).
[00158] The roadmap in the value modeling process can lead to the specification of value indicators, which can lead to cost and benefit estimates. The estimate can lead to the construction of one or more cases, such as a tariff case and a commercial case, which in turn can lead to a case closure. Blueprinting output and value modeling output can be sent to the utility for approval, which can result in updates to the utility grid system and smart grid deployments and risk mitigation activities, after which the grid it can be designed, built and tested, and then operated.
[00159] Figure 21 is a block diagram illustrating an alternative example of the smart grid system 2100 configured for a utility system, such as a utility grid system. In one embodiment, the smart grid system 2100 may include a plurality of meters 2102 that can be configured to measure and transmit data in relation to utility use, such as power, water, natural gas, etc. The 2100 network can include user stations 2104 and administrator stations 2106 each connected to a 2108 network. User stations 2104 can include computers that have a processor and memory allowing a user to interface with the 2100 network in order to recover data, control operations (with authorization), or use the 2100 network in any other information or control activity. Each 2106 administrator station can include a processor and memory and can be used by network administrators in an IT capacity to manage and protect the flow of information across the 2100 network.
[00160] Table 6 below describes the various functional components of the 2100 smart grid.




Table 6: Alternative Smart Grid Configuration Components
[00161] As described with reference to figure 1, the CEP 2190 Console can operate similarly to the CEP 147 processing bus. In one example, the CEP 2190 Console can be configured to operate with SIEM 2194 and generate an event message residual risk 2010 that can be supplied to SIEM 194 allowing the generation of a 2012 residual characterization message.
[00162] Figure 22 is an operational flow diagram of an intelligent network, such as that shown in figure 1. The complex event processing bus 147 can receive non-TI 2000 data (2200), which can include data non-traditional security measures. The received data 2000 can be filtered or pre-processed by the data filter module 2002 (2202). Preprocessing may include disregarding non-IT data on the CEP 147 bus that fails to satisfy a certain level of relevance for one of a plurality of risk-related events. The rules engine module 2004 can apply a particular set of rules to filtered data 2003 to determine a level of probability that an event is being caused by malicious activity (2204). The 2004 rules engine can access the 2006 historical correlation module in one embodiment to verify that such activity is probably not due to causes other than malicious activity (2206). Based on the historical data from the 2006 historical correlation module, the 2004 rules engine can generate a 2008 residual risk event message and provide it to SIEM 162 (2208). SIEM 162 can also receive data from TI 2010 event (2210). SIEM 162 can generate a 2012 risk characterization message based on the 2008 residual risk event message and TI 2010 event data (2212) which can be further reviewed by those supervising the operations of the INDE network or another smart grid implementing the particular configuration.
[00163] While several embodiments of the innovation have been described, it will be evident to those specialized in the technique that many more concretisations and implementations are possible within the scope of the innovation. Consequently, innovation is not to be restricted except in light of the attached claims and their equivalents.

权利要求:
Claims (11)
[0001]
1. Method to define malicious activity in a smart grid system (2100), the method executable by a computer having at least one processor and at least one memory, characterized by the fact that it comprises the steps of: receiving, at least for a processor, first data including IT-related activity from the smart grid system (2100); receiving, at least one processor, second data (2000) including location-specific event data from a plurality of electronic sources (2001); measurements of analog networks comprising phasor measurements, and a list of targets and corresponding geographic locations; preprocess, by at least one processor, the second data (2000), including: disregarding the second data (2000) that do not meet a predetermined level of relevance for one of a plurality of risk-related events; apply, at least one processor, a plurality of rules to the second pre-processed data (2000) comprising: associating an unwanted event with reference to the IT related activity; and determining a probability that the unwanted event is indicative of malicious activity, including comparing predetermined criteria to the second data to generate one of a plurality of probability levels as a sum of: 1.) a product of a probability of occurrence of a intentional malicious attack and a likelihood of a vulnerability exploitable by the intentional malicious attack; and 2.) a product of a probability of an unexpected danger occurring and a probability of a vulnerability associated with the unexpected danger, in which the intentional malicious attack and the unexpected danger comprise mutually independent events; and applying, at least one processor, a risk definition to the unwanted event associated with IT-related activity, where the risk definition comprises an indication of: an unintended or unexpected danger, or a malicious attack based on the determined probability .
[0002]
2. Method, according to claim 1, characterized by the fact that the definition of risk still comprises an engineering risk or a security risk; and where the electronic sources (2001) of the second data (2000) include one or a combination of the following inputs: a meteorology supply, a disturbance recorder supply, a digital fault recorder supply, a harmonic recorder supply ; a power quality monitor supply; a device state; a state of connectivity; a control limit; US CERT feeds; GPS feeds; a Power Management Unit (PMU) supply; sensor feeds; load forecasts; and renewable generation forecasts.
[0003]
3. Method, according to claim 1, characterized by the fact that applying the plurality of rules comprises comparing predetermined criteria to the second data (2000) for which one of a plurality of different levels of probability is generated.
[0004]
4. Method, according to claim 1, characterized by the fact that the second data (2000) still includes historical data (136) retrieved from: event records (135), geographic locations associated with corresponding parts of the power grid system intelligent (2100), and operational data (137); and where the application of the plurality of rules includes the comparison of IT-related activity with historical data (136).
[0005]
5. Method according to claim 1, characterized by the fact that at least part of the IT-related activity comprises an event message from a smart meter, and applying the risk definition includes determining an area within the power grid system (2100) where malicious activity is taking place.
[0006]
6. System to define malicious activity in a smart grid system (2100), characterized by the fact that it comprises: system storage in which to store a database including a plurality of rules; collector (164) operable to collect and store in the storage system first data including IT related activity of the smart grid system (2100); a complex event processing (CEP) bus (147) operable to receive second data including location-specific data from a plurality of electronic sources (2001); analog network measurements comprising phasor measurements; and a list of targets and corresponding geographic locations, the CEP bus (147) still operable to disregard the second data that does not meet a predetermined level of relevance for one of a plurality of risk-related events; an operable processor to apply the plurality of rules to the relevant second data by: associating an unwanted event with reference to IT-related activity; and determination of a probability that the unwanted event is indicative of malicious activity, including comparison of predetermined criteria to the second data to generate one of a plurality of probability levels as a sum of: 1.) a product of a probability of occurrence an intentional malicious attack and a likelihood of a vulnerability exploitable by the intentional malicious attack; and 2.) a product of a probability of an unexpected danger occurring and a probability of a vulnerability associated with the unexpected danger, in which the malicious intentional attack and the unexpected danger comprise mutually independent events; and the processor to further apply a risk definition to the unwanted event associated with the IT-related activity, where the risk definition comprises an indication of: an unintended or unexpected danger, or a malicious attack based on the determined probability.
[0007]
7. System, according to claim 6, characterized by the fact that it still comprises the CEP bus (147) coupled with one or a combination of the following electronic sources (2001) of second data (2000): a tracking device in the Web; computing device with search engine capability, a web access device; a GPS device; a device for monitoring social media message flows; a thermometer; and an emergency response communicator.
[0008]
8. System, according to claim 6, characterized by the fact that the unwanted event has not yet happened, and in which the definition of the risk still comprises an engineering risk or a security risk.
[0009]
9. System according to claim 6, characterized by the fact that the second data (2000) still includes historical data (136) retrieved from: event records (135), geographic locations associated with corresponding parts of the power grid system intelligent (2100), and operational data (137); and where the processor applies the plurality of rules comparing IT-related activity with historical data (136).
[0010]
10. System according to claim 6, characterized by the fact that at least part of the IT-related activity comprises an event message from a smart meter, and the processor applies the definition of risk by determining an area within the system of smart grid (2100) where malicious activity is taking place.
[0011]
11. Computer-readable storage media characterized by the fact that it comprises a set of instructions that, when executed by a computer, cause the computer to execute a method to: define malicious activity in an intelligent electrical system (2100) as any one of claims 1 to 6 is defined.

类似技术:

---

公开号 | 公开日 | 专利标题

---

BR112012029417B1|2020-12-15|METHOD AND SYSTEM FOR DEFINING MALICIOUS ACTIVITY IN AN INTELLIGENT ELECTRIC NETWORK SYSTEM AND COMPUTER-READABLE STORAGE MEDIA

---

US10833532B2|2020-11-10|Method and system for managing a power grid

---

US9897665B2|2018-02-20|Power grid outage and fault condition management

---

ES2450121T3|2014-03-24|Public service electrical network order filter system

---

EP3065245B1|2018-01-31|Power grid outage and fault condition management

---

AU2012241193B2|2015-06-25|Method and system for managing a power grid

---

AU2015230786B2|2016-09-08|Method and system for managing a power grid

同族专利:

---

公开号 | 公开日

---

EP2572278A4|2015-06-17|

---

SG185492A1|2012-12-28|

---

CN102947801B|2016-01-20|

---

RU2583703C2|2016-05-10|

---

RU2012155276A|2014-06-27|

---

MY163819A|2017-10-31|

---

NZ605003A|2014-12-24|

---

AU2011256481A1|2012-01-19|

---

AU2011253630A1|2012-01-12|

---

CN102947801A|2013-02-27|

---

WO2011146284A2|2011-11-24|

---

AU2011256481B2|2014-07-03|

---

JP2013533531A|2013-08-22|

---

US8712596B2|2014-04-29|

---

EP2572278B1|2018-03-07|

---

BR112012029417A2|2017-02-21|

---

CA2799858A1|2011-11-24|

---

EP2572278A2|2013-03-27|

---

WO2011146284A3|2012-02-02|

---

JP5921531B2|2016-05-24|

---

ZA201208380B|2014-04-30|

---

US20110288692A1|2011-11-24|

---

CA2799858C|2018-08-14|

引用文献:

---

公开号 | 申请日 | 公开日 | 申请人 | 专利标题

---

---

US7552480B1|2002-04-23|2009-06-23|Citibank, N.A.|Method and system of assessing risk using a one-dimensional risk assessment model|

---

US6952779B1|2002-10-01|2005-10-04|Gideon Cohen|System and method for risk detection and analysis in a computer network|

---

US7233843B2|2003-08-08|2007-06-19|Electric Power Group, Llc|Real-time performance monitoring and management system|

---

RU2263342C2|2003-11-04|2005-10-27|Шульман Илья Александрович|Device for checking efficiency of local network segments|

---

US20060034305A1|2004-08-13|2006-02-16|Honeywell International Inc.|Anomaly-based intrusion detection|

---

US8473263B2|2005-06-09|2013-06-25|William J. Tolone|Multi-infrastructure modeling and simulation system|

---

JP2008022606A|2006-07-11|2008-01-31|Chugoku Electric Power Co Inc:The|Device and method for supporting evaluation of accident rate|

---

JP5052093B2|2006-10-23|2012-10-17|中国電力株式会社|Power failure related information provision system|

---

US20090187344A1|2008-01-19|2009-07-23|Brancaccio Daniel S|System, Method, and Computer Program Product for Analyzing Power Grid Data|

---

US8000913B2|2008-01-21|2011-08-16|Current Communications Services, Llc|System and method for providing power distribution system information|

---

SG10201606766QA|2008-05-09|2016-10-28|Accenture Global Services Ltd|Method and system for managing a power grid|

---

JP5088628B2|2008-07-09|2012-12-05|清水建設株式会社|Power failure evaluation device|US6505123B1|2000-07-24|2003-01-07|Weatherbank, Inc.|Interactive weather advisory system|

---

US8229467B2|2006-01-19|2012-07-24|Locator IP, L.P.|Interactive advisory system|

---

US20120284790A1|2006-09-11|2012-11-08|Decision-Zone Inc.|Live service anomaly detection system for providing cyber protection for the electric grid|

---

US20120173717A1|2010-12-31|2012-07-05|Vince Kohli|CloudInnovator|

---

US8676187B2|2011-02-08|2014-03-18|T-Mobile Usa, Inc.|Dynamic binding of service on bearer|

---

US9281689B2|2011-06-08|2016-03-08|General Electric Technology Gmbh|Load phase balancing at multiple tiers of a multi-tier hierarchical intelligent power distribution grid|

---

US8965590B2|2011-06-08|2015-02-24|Alstom Grid Inc.|Intelligent electrical distribution grid control system data|

---

US9641026B2|2011-06-08|2017-05-02|Alstom Technology Ltd.|Enhanced communication infrastructure for hierarchical intelligent power distribution grid|

---

US20120316688A1|2011-06-08|2012-12-13|Alstom Grid|Coordinating energy management systems and intelligent electrical distribution grid control systems|

---

ES2459119T3|2011-08-31|2014-05-08|Abb Technology Ag|Security event logging and conversion of security event messages into process control|

---

US20130086685A1|2011-09-29|2013-04-04|Stephen Ricky Haynes|Secure integrated cyberspace security and situational awareness system|

---

US8732840B2|2011-10-07|2014-05-20|Accenture Global Services Limited|Incident triage engine|

---

US20140075557A1|2012-09-11|2014-03-13|Netflow Logic Corporation|Streaming Method and System for Processing Network Metadata|

---

US9037306B2|2011-11-10|2015-05-19|International Business Machines Corporation|Monitoring and optimizing an electrical grid state|

---

US9043037B2|2011-11-10|2015-05-26|International Business Machines Corporation|Monitoring and optimizing an electrical grid state|

---

US9661016B2|2011-12-06|2017-05-23|Avocent Huntsville Corp.|Data center infrastructure management system incorporating security for managed infrastructure devices|

---

CN102609785B|2012-01-19|2015-06-03|中国科学院自动化研究所|Complex event processing system and deploying method thereof|

---

US9020652B2|2012-04-13|2015-04-28|The Boeing Company|Event processing system for an electrical power system|

---

CN102684944B|2012-04-20|2015-06-24|北京启明星辰信息技术股份有限公司|Method and device for detecting intrusion|

---

US8863293B2|2012-05-23|2014-10-14|International Business Machines Corporation|Predicting attacks based on probabilistic game-theory|

---

WO2013182915A2|2012-06-04|2013-12-12|Intelligent Software Solutions, Inc.|Temporal predictive analytics|

---

WO2013184099A1|2012-06-05|2013-12-12|Empire Technology Development, Llc|Cross-user correlation for detecting server-side multi-target intrusion|

---

US9923952B2|2012-06-08|2018-03-20|Hewlett Packard Enterprise Development Lp|Cloud application deployment|

---

US20140019335A1|2012-07-12|2014-01-16|Ca, Inc.|Systems and methods for self-service cloud-based arenas for information technology-driven situational management|

---

ES2655137T3|2012-08-21|2018-02-19|Omicron Electronics Gmbh|Method to monitor the operation of an electric power system and monitoring system|

---

CN103679306A|2012-08-31|2014-03-26|国际商业机器公司|Method and system for saving building energy consumption|

---

US9535917B1|2012-09-28|2017-01-03|Emc Corporation|Detection of anomalous utility usage|

---

PT106586A|2012-10-17|2014-04-17|Inov Inesc Inovaç O Inst De Novas Tecnologias|METHOD AND SYSTEM OF DETECTION OF INTRUSION IN NETWORKS AND SYSTEMS BASED ON SPECIFICATION OF BUSINESS PROCESSES|

---

AU2014205737B2|2013-01-08|2016-01-28|Secure-Nok As|Method, device and computer program for monitoring an industrial control system|

---

US9342806B2|2013-02-28|2016-05-17|P800X, Llc|Method and system for automated project management|

---

US10496942B2|2013-02-28|2019-12-03|P800X, Llc|Method and system for automated project management of excavation requests|

---

US9405900B2|2013-03-13|2016-08-02|General Electric Company|Intelligent cyberphysical intrusion detection and prevention systems and methods for industrial control systems|

---

WO2014144246A1|2013-03-15|2014-09-18|Cyberricade, Inc.|Cyber security|

---

RU2525108C1|2013-04-22|2014-08-10|Федеральное государственное казенное учреждение "27 Центральный научно-исследовательский институт" Министерства обороны Российской Федерации|System for detecting vulnerability of critical units of complex social and technological systems|

---

EP3011466A1|2013-06-18|2016-04-27|Hewlett Packard Enterprise Development LP|Prioritizing event notices utilizing past-preference pairings|

---

US9516041B2|2013-07-25|2016-12-06|Bank Of America Corporation|Cyber security analytics architecture|

---

US8966074B1|2013-09-13|2015-02-24|Network Kinetix, LLC|System and method for real-time analysis of network traffic|

---

US9779377B2|2013-09-18|2017-10-03|Globalfoundries Inc.|Customization of event management and incident management policies|

---

CN105684376A|2013-09-28|2016-06-15|迈克菲公司|Location services on a data exchange layer|

---

CN105531711B|2013-09-28|2018-10-02|迈克菲股份有限公司|Context-aware network on data exchange layer|

---

EP3053074A4|2013-09-30|2017-04-05|Hewlett-Packard Enterprise Development LP|Hierarchical threat intelligence|

---

CN104810823B|2014-01-24|2017-07-14|国际商业机器公司|Produce method, equipment and the system of transformer station's load transfer control parameter|

---

EP2908195B1|2014-02-13|2017-07-05|Siemens Aktiengesellschaft|Method for monitoring security in an automation network, and automation network|

---

US9632922B2|2014-02-28|2017-04-25|International Business Machines Corporation|Workload mapper for potential problem areas using modules and defect data|

---

US9971801B2|2014-03-26|2018-05-15|Interject Data Systems, Inc.|Grid cell data requests|

---

CN103905451B|2014-04-03|2017-04-12|国网河南省电力公司电力科学研究院|System and method for trapping network attack of embedded device of smart power grid|

---

US20150350260A1|2014-05-30|2015-12-03|General Electric Company|Systems and methods for managing infrastructure systems|

---

US10180867B2|2014-06-11|2019-01-15|Leviathan Security Group, Inc.|System and method for bruteforce intrusion detection|

---

US20150378795A1|2014-06-27|2015-12-31|Pivotal Software, Inc.|Stream computing event models|

---

US11093562B2|2014-08-04|2021-08-17|Ent. Services Development Corporation Lp|Event stream processing|

---

US9930058B2|2014-08-13|2018-03-27|Honeywell International Inc.|Analyzing cyber-security risks in an industrial control environment|

---

EP3195066B1|2014-09-06|2019-08-07|Mazebolt Technologies Ltd.|Non-disruptive ddos testing|

---

WO2016064919A1|2014-10-21|2016-04-28|Abramowitz Marc Lauren|Dynamic security rating for cyber insurance products|

---

US9807118B2|2014-10-26|2017-10-31|Mcafee, Inc.|Security orchestration framework|

---

US9591022B2|2014-12-17|2017-03-07|The Boeing Company|Computer defenses and counterattacks|

---

US20160189043A1|2014-12-24|2016-06-30|Locator IP, L.P.|Crime forcasting system|

---

US9787638B1|2014-12-30|2017-10-10|Juniper Networks, Inc.|Filtering data using malicious reference information|

---

US9577884B2|2015-01-01|2017-02-21|Bank Of America Corporation|Enterprise quality assurance and lab management tool|

---

US9917738B2|2015-01-13|2018-03-13|Accenture Global Services Limited|Intelligent device data router|

---

CN104638762B|2015-01-19|2017-04-26|浙江工商大学|Method and system for detecting illegal data implantation internal attack in smart power grid|

---

US10075474B2|2015-02-06|2018-09-11|Honeywell International Inc.|Notification subsystem for generating consolidated, filtered, and relevant security risk-based notifications|

---

US10021125B2|2015-02-06|2018-07-10|Honeywell International Inc.|Infrastructure monitoring tool for collecting industrial process control and automation system risk data|

---

US10075475B2|2015-02-06|2018-09-11|Honeywell International Inc.|Apparatus and method for dynamic customization of cyber-security risk item rules|

---

US10021119B2|2015-02-06|2018-07-10|Honeywell International Inc.|Apparatus and method for automatic handling of cyber-security risk events|

---

US20160234240A1|2015-02-06|2016-08-11|Honeywell International Inc.|Rules engine for converting system-related characteristics and events into cyber-security risk assessment values|

---

US10298608B2|2015-02-11|2019-05-21|Honeywell International Inc.|Apparatus and method for tying cyber-security risk analysis to common risk methodologies and risk levels|

---

US20180114021A1|2015-03-26|2018-04-26|Nokia Solutions And Networks Oy|Optimizing data detection in communications|

---

DE102015205670A1|2015-03-30|2016-06-09|Volkswagen Aktiengesellschaft|Attack detection method, attack detection device and bus system for a motor vehicle|

---

US9473522B1|2015-04-20|2016-10-18|SafeBreach Ltd.|System and method for securing a computer system against malicious actions by utilizing virtualized elements|

---

US9710653B2|2015-04-20|2017-07-18|SafeBreach Ltd.|System and method for verifying malicious actions by utilizing virtualized elements|

---

KR20180015640A|2015-05-04|2018-02-13|사이드 캄란 하산|Method and apparatus for security management in a computer network|

---

US9800604B2|2015-05-06|2017-10-24|Honeywell International Inc.|Apparatus and method for assigning cyber-security risk consequences in industrial process control environments|

---

CN106709613B|2015-07-16|2020-11-27|中国科学院信息工程研究所|Risk assessment method applicable to industrial control system|

---

US10015188B2|2015-08-20|2018-07-03|Cyberx Israel Ltd.|Method for mitigation of cyber attacks on industrial control systems|

---

US9906561B2|2015-08-28|2018-02-27|Nicira, Inc.|Performing logical segmentation based on remote device attributes|

---

US9621569B1|2015-09-29|2017-04-11|Alexander McEachern|Method and apparatus for detecting cyber attacks on an alternating current power grid|

---

US10708151B2|2015-10-22|2020-07-07|Level 3 Communications, Llc|System and methods for adaptive notification and ticketing|

---

US10609079B2|2015-10-28|2020-03-31|Qomplx, Inc.|Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management|

---

US9800606B1|2015-11-25|2017-10-24|Symantec Corporation|Systems and methods for evaluating network security|

---

EP3206368B1|2016-02-10|2020-08-05|Accenture Global Solutions Limited|Telemetry analysis system for physical process anomaly detection|

---

WO2017138673A1|2016-02-12|2017-08-17|모니터랩|Method and system for tracking web-database user by using data mining|

---

US10003598B2|2016-04-15|2018-06-19|Bank Of America Corporation|Model framework and system for cyber security services|

---

US9948652B2|2016-05-16|2018-04-17|Bank Of America Corporation|System for resource-centric threat modeling and identifying controls for securing technology resources|

---

US9832201B1|2016-05-16|2017-11-28|Bank Of America Corporation|System for generation and reuse of resource-centric threat modeling templates and identifying controls for securing technology resources|

---

EP3258661B1|2016-06-16|2020-11-18|ABB Schweiz AG|Detection of abnormal configuration changes|

---

US10372569B2|2016-07-25|2019-08-06|General Electric Company|Methods and system for detecting false data injection attacks|

---

US10694487B2|2016-09-15|2020-06-23|Cisco Technology, Inc.|Distributed network black box using crowd-based cooperation and attestation|

---

FR3056318B1|2016-09-20|2018-10-26|Thales|METHOD FOR ANALYZING MALFUNCTIONS OF AN ONBOARD SYSTEM, COMPUTER PROGRAM PRODUCT, AND ANALYZING DEVICE THEREFOR|

---

CN109690324A|2016-09-21|2019-04-26|株式会社日立高新技术|Automatic analysing apparatus and remote maintenance system and maintaining method|

---

US10642852B2|2016-09-26|2020-05-05|Splunk Inc.|Storing and querying metrics data|

---

US11012461B2|2016-10-27|2021-05-18|Accenture Global Solutions Limited|Network device vulnerability prediction|

---

US10305932B2|2016-12-21|2019-05-28|Abb Inc.|System and method for detecting false data injection in electrical substations|

---

US10581802B2|2017-03-16|2020-03-03|Keysight Technologies SingaporePte. Ltd.|Methods, systems, and computer readable media for advertising network security capabilities|

---

US10721239B2|2017-03-31|2020-07-21|Oracle International Corporation|Mechanisms for anomaly detection and access management|

---

US10592837B2|2017-04-21|2020-03-17|Accenture Global Solutions Limited|Identifying security risks via analysis of multi-level analytical records|

---

EP3618354A4|2017-05-31|2020-12-02|Wen Tang|Industrial control system and network security monitoring method therefor|

---

US10339309B1|2017-06-09|2019-07-02|Bank Of America Corporation|System for identifying anomalies in an information system|

---

EP3646220A4|2017-06-29|2021-01-27|Hewlett-Packard Development Company, L.P.|Computing device monitorings via agent applications|

---

US10586051B2|2017-08-31|2020-03-10|International Business Machines Corporation|Automatic transformation of security event detection rules|

---

US10713224B2|2017-11-15|2020-07-14|Bank Of America Corporation|Implementing a continuity plan generated using solution data modeling based on predicted future event simulation testing|

---

US10749791B2|2017-11-15|2020-08-18|Bank Of America Corporation|System for rerouting electronic data transmissions based on generated solution data models|

---

US10496460B2|2017-11-15|2019-12-03|Bank Of America Corporation|System for technology anomaly detection, triage and response using solution data modeling|

---

US10609038B2|2018-02-20|2020-03-31|Cyberark Software Ltd.|Discovering and evaluating privileged entities in a network environment|

---

EP3756254A1|2018-02-21|2020-12-30|Telefonaktiebolaget LM Ericsson |Reactive power control in power systems|

---

CN108154354A|2018-03-13|2018-06-12|南京审计大学|Rural area three provides audit and supervision system|

---

CN108683642B|2018-04-25|2019-03-15|长沙学院|The detector and detection method of smart grid line status wrong data injection attacks|

---

US10970406B2|2018-05-08|2021-04-06|Bank Of America Corporation|System for mitigating exposure associated with identified unmanaged devices in a network using solution data modelling|

---

US10977283B2|2018-05-08|2021-04-13|Bank Of America Corporation|System for mitigating intentional and unintentional exposure using solution data modelling|

---

US10936984B2|2018-05-08|2021-03-02|Bank Of America Corporation|System for mitigating exposure associated with identified impacts of technological system changes based on solution data modelling|

---

US11023835B2|2018-05-08|2021-06-01|Bank Of America Corporation|System for decommissioning information technology assets using solution data modelling|

---

US10965703B2|2018-06-06|2021-03-30|Reliaquest Holdings, Llc|Threat mitigation system and method|

---

US10602099B2|2018-07-10|2020-03-24|Saudi Arabian Oil Company|Cogen-mom integration using tabulated information recognition|

---

US11093618B2|2018-10-23|2021-08-17|Jpmorgan Chase Bank, N.A.|Systems and methods for using an application control prioritization index|

---

CN111343136A|2018-12-19|2020-06-26|福建雷盾信息安全有限公司|Network abnormal behavior analysis and detection method based on flow behavior characteristics|

---

US11206287B2|2019-01-29|2021-12-21|Battelle Memorial Institute|Evaluating cyber-risk in synchrophasor systems|

---

RU2700665C1|2019-03-22|2019-09-18|ФЕДЕРАЛЬНОЕ ГОСУДАРСТВЕННОЕ КАЗЕННОЕ ВОЕННОЕ ОБРАЗОВАТЕЛЬНОЕ УЧРЕЖДЕНИЕ ВЫСШЕГО ОБРАЗОВАНИЯ "Военная академия Ракетных войск стратегического назначения имени Петра Великого" МИНИСТЕРСТВА ОБОРОНЫ РОССИЙСКОЙ ФЕДЕРАЦИИ|Information and technological action detection method|

---

USD926809S1|2019-06-05|2021-08-03|Reliaquest Holdings, Llc|Display screen or portion thereof with a graphical user interface|

---

USD926810S1|2019-06-05|2021-08-03|Reliaquest Holdings, Llc|Display screen or portion thereof with a graphical user interface|

---

USD926782S1|2019-06-06|2021-08-03|Reliaquest Holdings, Llc|Display screen or portion thereof with a graphical user interface|

---

USD926811S1|2019-06-06|2021-08-03|Reliaquest Holdings, Llc|Display screen or portion thereof with a graphical user interface|

---

USD926200S1|2019-06-06|2021-07-27|Reliaquest Holdings, Llc|Display screen or portion thereof with a graphical user interface|

---

US11206280B2|2019-11-04|2021-12-21|Olawale Oluwadamilere Omotayo Dada|Cyber security threat management|

---

US10686810B1|2020-02-05|2020-06-16|The Florida International University Board Of Trustees|Systems and methods for providing security in power systems|

---

WO2021158220A1|2020-02-06|2021-08-12|Siemens Canada Limited|Event prediction|

---

RU2738460C1|2020-02-26|2020-12-14|Общество с ограниченной ответственностью "Сайберлимфа"|Method for detecting anomalies in operation of automated system network|

---

CN111581196A|2020-04-29|2020-08-25|深圳市双合电气股份有限公司|Supply and distribution power grid intelligent data acquisition and arrangement system based on intelligent factory framework|

---

US11144862B1|2020-09-02|2021-10-12|Bank Of America Corporation|Application mapping and alerting based on data dependencies|

---

CN113179256B|2021-04-12|2022-02-08|中国电子科技集团公司第三十研究所|Time information safety fusion method and system for time synchronization system|

法律状态:
2018-12-26| B06F| Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette]|

---

2020-05-26| B06A| Patent application procedure suspended [chapter 6.1 patent gazette]|

---

2020-09-01| B09A| Decision: intention to grant [chapter 9.1 patent gazette]|

---

2020-12-15| B16A| Patent or certificate of addition of invention granted [chapter 16.1 patent gazette]|Free format text: PRAZO DE VALIDADE: 20 (VINTE) ANOS CONTADOS A PARTIR DE 10/05/2011, OBSERVADAS AS CONDICOES LEGAIS. |

优先权:

---

申请号 | 申请日 | 专利标题

---

US34678710P| true| 2010-05-20|2010-05-20|

---

US61/346,787|2010-05-20|

---

PCT/US2011/035888|WO2011146284A2|2010-05-20|2011-05-10|Malicious attack detection and analysis|

---