
This article has been accepted for publication in IEEE Transactions on Smart Grid.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TSG.2024.3372632

Wide Area Measurement-Based Cyber-Attack-Resilient Breaker Failure Protection Scheme

Paawan Dubal, Sarasij Das, Senior Member, IEEE, and Tarlochan S. Sidhu, Fellow, IEEE

Abstract—Breaker Failure Protection trips the backup breakers when the primary breaker fails, causing a significant loss of load. Hence, a cyber-attack on the Breaker Failure Protection scheme may lead to major disturbance in a power system. Currently, there is a lack of literature addressing the cyber-attack on Breaker Failure Protection scheme. This paper proposes a novel Wide Area Measurement-based cyber-attack-resilient Breaker Failure Protection scheme. Modern digital relays have Phasor Measurement Unit (PMU) integrated with them. A digital relay with PMU functionality is called Relay-PMU in this work. The proposed scheme has two parts. Part 1 is named as Synchrophasor-based Fault Validation Algorithm. It checks whether the Breaker Failure Protection operation is genuine or due to a cyber-attack. Breaker Failure Protection Relay-PMU will trigger the Part 1 of the proposed scheme which runs in a Phasor Data Concentrator. A novel concept named Dynamic Relay White-listing is proposed to avoid the usage of phasors from the susceptible Relay-PMUs. Part 2 is the modifications to the logics of the existing common Breaker Failure Protection schemes to incorporate the decision from the Synchrophasor-based Fault Validation Algorithm. The proposed scheme is computationally efficient and compatible with all common Breaker Failure Protection schemes. PSCAD simulations of the IEEE-118 bus system validate the proposed scheme. The execution time of the proposed scheme in the lab implementation setup adheres to the timeline of the Breaker Failure Protection scheme.

Index Terms—Cyber-attack, Power System Protection, Breaker Failure Protection, Wide Area Measurements, Synchrophasors

This work was supported by Tata Consulting Engineers Limited.

I. INTRODUCTION

CYBER-ATTACKS are a threat to modern power systems. Cyber-attacks were executed on the power grid of Ukraine in 2015 and 2016, causing wide-scale power outages [1]. Hence, power system-based attack detection mechanisms are needed to prevent mal-operation when network security layers fail. Research in cyber-security and cyber-resilience in power system protection is in a nascent stage. In [2] and [3], authors address the counter-attack mechanism for False Data Injection (FDI) attack on Line Current Differential Relay (LCDR). A learning-based framework to detect an FDI attack on LCDR is proposed in [4]. A cyber-attack detection scheme for transmission line protection relays employing a deep-learning-based approach is proposed in [5]. In [6], the author illustrates a mechanism to defend against cyber-attack on the synchronization process of a synchronous generator. FDI attack detection and mitigation on microgrid synchronization scheme are studied in [7]. Authors in [8] show attack models for distance protection schemes and direct circuit breaker control. They also provide a framework to mitigate them. Combating cyber-physical threats to the transmission protection system is discussed in [9]. In [10], the authors present a distributed multi-agent scheme to detect cyber attacks on the protection systems of power grids. An anomaly detection approach based on zone partitioning to combat cyber-attack on industrial cyber-physical systems is investigated in [11]. A distributed framework for the detection of data manipulation attacks on the Phasor Measurement Unit (PMU) is presented in [12]. A context information-based classification between a fault and a cyber-attack is discussed in [13]. In [14], authors developed an algorithm that detects a stealthy false tap change command sent to a transformer.

Fig. 1: Successful cyber-attack on the BFP Relay-PMU, R1 leads to tripping of Backup Breakers B2, B3, B4, B5, i.e., isolation of entire bus/bus-section

Breaker Failure Protection (BFP) commands the backup breakers to clear the fault when the primary breaker fails [15] [16]. Fig. 1 shows a single bus system with five feeders. B1, B2, B3, B4 and B5 are the circuit breakers of the five feeders connected to the bus. R1 is the BFP Relay-PMU connected to the feeder having the circuit breaker B1. During a cyber-attack, the BFP Relay-PMU R1 maloperates, and it issues a false BFP trip to breakers B2, B3, B4 and B5. Therefore, BFP operation leads to the disconnection of a larger area, causing a significant loss of load. So, a false BFP operation may cause a major disturbance in a power system. Hence, BFP is a tempting target for cyber-attacks. The likelihood of a cyber-attack on the BFP scheme is explained in the Appendix Section V-A.

Authors in [16]–[18] propose voltage-based Breaker Failure Protection. However, none of these papers address the issue of cyber-attacks on the BFP relay. These algorithms always assume the received Breaker Failure Initiation (BFI) to be authentic. There is a gap in research towards addressing the

Authorized licensed use limited to: Universität Leipzig. Downloaded on March 11,2024 at 10:43:43 UTC from IEEE Xplore. Restrictions apply.
© 2024 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See https://www.ieee.org/publications/rights/index.html for more information.

cyber-attacks on the BFP schemes. Fig. 2 shows the various BFP schemes (as per IEEE Std C37.119-2016 [15]) which may receive inputs from compromised digital relays. Generally, the inputs to the scheme are BFI, 50BF and/or 52a. When the relay detects a fault, it issues a BFI signal to the BFP relay. 52a is a normally open contact of the line breaker. 52a will be "1" when the breaker is closed during normal operation. 50BF turns "1" when the feeder current is more than the threshold of 50BF. Reference [19] proposes to set 50BF threshold below 50% of the minimum fault current. In multi-breaker configurations such as ring bus and breaker-and-a-half, fault current may divide amongst the parallel breakers. So, the fault current through a breaker may be much lower than the load current. Thus, 50BF threshold cannot be set high. Authors in [20] suggest the 50BF threshold as 10% of the nominal Current Transformer (CT) secondary current. As a result, the value of 50BF will be "1" at rated feeder loading. A detailed discussion on the factors which influence the 50BF setting can be found in [15].

Fig. 2: Various breaker failure schemes as per the "IEEE Guide for Breaker Failure Protection of Power Circuit Breakers", IEEE Std C37.119-2016 [15]

Fig. 3: BFI issued to the BFP Relay-PMU in substations

Fig. 3 shows the way BFI is issued to the BFP Relay-PMU in substations. Commercial BFP relays are fed with the analog current signal from CT secondary [21], [22]. When the Protective Relay-PMU detects a fault, it issues a BFI to the BFP Relay-PMU via a dedicated Digital Output (DO) [23]. It also issues a signal via DO to the Auxiliary Trip Relay (ATR). ATR extends the trip command to the circuit breakers and other auxiliary functions. Therefore, a false BFI can be issued to the BFP Relay-PMU by manipulating the dedicated DO without issuing a trip to the primary breaker. Usually, BFP is incorporated as a stand-alone digital relay or as a part of a multi-functional IED. The BFP Relay-PMU receives a BFI signal from a Relay-PMU. Suppose, the attacker accesses the Relay-PMU and issues a false BFI to the BFP Relay-PMU. From the cyber-attack point of view, a false/manipulated BFI input to the BFP relay can trigger the BFP operation. The possible attack models for the BFP scheme are as follows:
• Attack Model 1: The attacker captures a digital relay and issues a false BFI as shown in Fig. 2. The value of 50BF will be "1" at rated feeder loading. After the Timer 62 expires, as per BFP logic, the BFP scheme output becomes "1" in no-fault condition. Therefore, BFP gets activated wrongly by this cyber-attack.
• Attack Model 2: The attacker captures a digital relay and blocks a legitimate BFI. Since BFI is legitimate, it means that the relay has detected an actual fault within its zone. Other backup protection will clear the fault if the breaker fails. So, this paper does not investigate Attack Model 2.

This paper counters Attack Model 1 by proposing a novel Wide Area Measurement-based cyber-attack-resilient BFP Scheme. The scope of the study is to check whether the BFI issued to the BFP Relay-PMU is genuine or due to a cyber-attack. The aim of this study is to detect a single cyber-attack during normal operation. It also aims to detect a single cyber-attack executed simultaneously with a power system fault. The proposed scheme should be compatible with the common BFP schemes. The implementation of the proposed scheme should adhere to the timing budget of the BFP scheme. Modern digital relays have PMU capability. Hence, this paper refers to them as Relay-PMUs. Relay-PMUs also compute synchrophasors and send them to Phasor Data Concentrator (PDC). The proposed scheme has two parts:
• Part 1: It is the Synchrophasor-based Fault Validation Algorithm (SFVA), which runs at the PDC. It receives a trigger from the BFP Relay-PMU. The purpose of SFVA is to check whether the BFI issued to the BFP Relay-


PMU is genuine or due to a cyber-attack. SFVA has two layers:
  – Layer-1: Fault Detection Algorithm (FDA) checks if there is a fault in the vicinity of the Relay-PMU that issued the BFI. Buses adjacent to the fault location are expected to observe Under-Voltage (UV). It is a hierarchical voting scheme based on whether Relay-PMUs in the adjacent substations observe UV.
  – Layer-2: Fault Confirmation Algorithm (FCA) checks if the fault is within the zone of the Relay-PMU that issued the BFI. BFP scheme should allow BFP trip only if the fault is within the zone of the Relay-PMU that issued the BFI.
• Part 2: It is the modification in the logic of the existing common BFP scheme at the BFP Relay-PMU to incorporate the decision from the SFVA.

PSCAD simulations of the IEEE-118 bus system validate the proposed scheme. A lab implementation setup has also been built to emulate synchrophasor communication for a part of the IEEE-118 bus system. Lab implementation confirms that the execution time of the proposed scheme adheres to the timing budget of the BFP scheme.

The main contributions and characteristics of the proposed scheme are as follows:
i. Proposed novel cyber-attack-resilient BFP scheme utilizes the voltages observed by Relay-PMUs of the adjacent substation buses rather than utilizing the feeder current. Since the proposed scheme does not employ current phasors, it eliminates issues due to CT saturation.
ii. A novel concept of Dynamic Relay White-listing (DRW) is proposed to avoid the usage of phasors from the susceptible Relay-PMUs in SFVA. When a Relay-PMU of a particular maker and family is compromised, other Relay-PMUs of the same maker and family are more susceptible to the cyber-attack. The attacker can leverage the same vulnerabilities to tamper with other Relay-PMUs of that particular make and family. So, SFVA does not use phasors from such Relay-PMUs.
iii. The proposed scheme is compatible with all the common BFP schemes.
iv. Proposed scheme works well even when a cyber-attack is executed simultaneously with a power system fault.
v. Proposed scheme is computationally efficient to implement because it only consists of a voting scheme and fault distance estimation. Thus, it adheres to the timing requirements of the BFP scheme.
vi. This paper deals with the direct cyber-attack on a Relay-PMU to issue false BFI. A Relay-PMU can also be compromised via direct cyber-attacks on it without compromising the PDC and communication network. As an example, an attacker can access a Relay-PMU via password hacking or software vulnerability. After exploring vulnerability of the Relay-PMU, the attacker can send a false BFI to the BFP Relay-PMU. Similarly, malware can be inserted into a Relay-PMU during software update. In addition, a Relay-PMU can come with inherent malware.

The scope of the proposed scheme is shown in Table I.

TABLE I: Scope of the Proposed Scheme
Status of Relay-PMU | Status of PDC, Communications | Proposed Scheme
Not compromised | Not compromised | Within Scope
Compromised | Not compromised | Within Scope
Compromised but detected | Not compromised | Within Scope
Compromised | Compromised | Outside Scope

II. PROPOSED SCHEME

The proposed cyber-attack-resilient BFP scheme considers the following aspects:
i. The relays in the substation are microprocessor-based relays with PMU capability. So, each Relay-PMU can compute synchrophasors from the analog signals fed via instrument transformers.
ii. Wide Area measurement systems (PDC, PMUs, communication systems) are designed envisaging the nature of applications and the volume of data they have to support.

To explain the proposed BFP scheme, Relay-PMU reporting rate of 50 frames per second is considered. So, a data frame is sent from each Relay-PMU to PDC after every 20 milliseconds (ms). It is to be noted that the proposed scheme is applicable to other synchrophasor reporting rates also. BFP scheme usually has a time budget of 10 to 12 power frequency cycles [20]. For a 50 Hz system, 10 cycles translate to 200 ms. Fault detection time for a Relay-PMU is considered as one power frequency cycle [24], i.e., 20 ms for a 50 Hz system. Fig. 4 shows the BFP operation timeline used for explaining the proposed method. Fig. 5 shows the proposed cyber-attack-resilient BFP Scheme. Consider a substation which has k Relay-PMUs and n Relay-PMUs with BFP function. Relay-PMUs in the substations send synchrophasors to the PDC as per IEEE Std C37.118.2-2011 [25]. The red outlined section of Fig. 5 shows the BFP Relay-PMU in which BFP scheme runs. It receives a BFI from an external compromised Relay-PMU. BFI can be issued by any protective Relay-PMU such as feeder protection relay, transformer protection relay, bus protection relay, etc. Depending on the inputs BFI, 50BF, 52a and the BFP logic, a trigger is sent to the PDC to activate the SFVA algorithm to validate the BFI received. Depending on the inputs BFI, 50BF, 52a and the BFP logic; the value of the TriggerPoint is determined. When the TriggerPoint becomes "1", following actions are initiated:
i. The Main BFP Timer, i.e., Timer 62-1 is energized.
ii. The Re-Trip Timer, i.e., Timer 62-2 is energized.
iii. Checks for auxiliary BFP functions like pole discrepancy, mechanical protection, etc are initiated.
iv. Trigger is sent to the PDC.

When the primary breaker clears the fault before the Main Timer 62-1 duration, the 50BF signal becomes "0". So, the BFP Scheme Main Output remains "0". It ensures that the BFP scheme output never becomes "1" if the primary breaker has cleared the fault. Similarly, if the primary breaker clears the fault before the Re-Trip Timer 62-2, the 50BF signal becomes "0". So, the BFP Re-Trip Output remains "0". The


Re-Trip Output becomes ’1’ only when the primary breaker has failed to clear the fault. When the TriggerPoint becomes ’1’, the check for Auxiliary BFP functions are initiated. These Auxiliary BFP functions may include:
• Pole discrepancy
• Over-voltage
• Mechanical protection

Depending on the operation philosophy of these Auxiliary BFP functions, the output of the Auxiliary BFP functions energizes the Timer 62-3. The output of the Timer 62-3 determines the final BFP Scheme Main Output. On receiving the trigger from the BFP Relay-PMU, SFVA runs at the PDC. The purpose of SFVA is to check whether the BFI issued is genuine. When BFI issued to the BFP Relay-PMU is genuine, SFVA Decision is "1". When a false BFI is issued to the BFP Relay-PMU, the SFVA Decision is "0". PDC reverts the SFVA Decision to the BFP Relay-PMU which asked for the validation. When the BFP Relay-PMU receives the SFVA Decision, it makes communication status active, i.e., Comm Active = 1 (in Fig. 5). Comm Active status allows the SFVA Decision and Timer 62-1 output to decide the BFP Scheme Main Output. Similarly, Comm Active status also allows the SFVA Decision and the Re-Trip Timer 62-2 to decide the BFP Re-trip output. If the BFP Relay-PMU does not receive any SFVA Decision, the communication status is set to 0, i.e., Comm Active = 0 (in Fig. 5). A NOT gate is used to enable passing of the Timer 62-1 signal and Re-trip Timer 62-2, if the Comm Active is 0 due to the unavailability of communication network. So, the Timer 62-1 output and the Re-trip Timer 62-2 output would decide the BFP Scheme Main Output and the BFP Re-trip output, respectively. It behaves like the conventional BFP scheme. Thus, it is fail-safe to the loss of communication to PDC.

Fig. 4: Breaker failure protection timeline

Fig. 5: Proposed cyber-attack-resilient breaker failure protection scheme


Fig. 6: Proposed scheme incorporated with various BF schemes

Fig. 4 shows the BFP timeline. $d_t$ is the communication and processing delay from Relay-PMUs to PDC and vice-versa. So, the time available for the SFVA execution is $200 - (2 \times d_t)$ ms. As per IEEE Std C37.244-2013, $d_t$ is around 30-40 ms for implementing protection functions [26]. NERC reports $d_t$ of the order of 50 ms [27]. The value of $d_t$ depends on the communication network properties such as bandwidth, architecture, protocol, etc. The desired '$2 \times d_t$' value can be achieved by properly designing the communication network. This study considers $d_t$ as 60 ms, which is higher than the cited sources. The duration of Re-Trip Timer 62-2 should be more than the total of the turn-around communication delay from the BFP Relay-PMU to the PDC, SFVA execution time, and a safety margin. Otherwise, the false BFI signal will re-trip the breaker before SFVA Decision reaches the BFP relay-PMU. Therefore, the recommendation for Timer 62-2 duration is given by (1). For this study, $d_t$ is considered as 60 ms and the total safety margin is 20 ms (one fundamental cycle at 50 Hz). Lab implementation results of the proposed scheme in section III-E1 mention the maximum SFVA execution time to be 587.63 µs. As per (1), the Timer 62-2 duration comes out to be 140.588 ms (60*2+20+0.588 ms). It is equivalent to seven power frequency cycles approximately for 50 Hz system. When Timer 62-2 is set as per (1), the chance of false BFP Re-Trip to the primary breaker is reduced. Lower communication delay will lead to lower setting of the Timer 62-2. This will give more time for the breaker operation and 50BF re-set. The duration of the Timer 62-3 is determined by the protection schemes used for implementing the auxiliary functions such as pole discrepancy protection, over-voltage protection, mechanical protection, etc. The duration of Timer 62-3 should be more than the total of the BFP auxiliary protection operation time and the safety margin as per (2).

A. Boolean Logic Expressions for the Proposed Scheme

This section explains the modifications proposed (Fig. 5) to incorporate cyber-attack resilience in the existing common BFP schemes. The boolean logic equations for trip and re-trip of the conventional BFP scheme are shown in (3) and (4) respectively. Here, f1(BFI, 52a, 50BF) and f2(BFI, 52a, 50BF) indicate the conventional BFP scheme outputs Conv_BFP_Trip and Conv_BFP_Re-Trip respectively which can be made of any logical combinations of the three inputs to the BFP scheme. Conv_BFP_Trip and Conv_BFP_Re-Trip correspond to Local output and Re-Trip Output respectively in Fig. 5. The boolean logic equations for trip (ProposedSchemeTrip) and re-trip (ProposedSchemeRe-Trip) are shown in (5) and (6) respectively. The BFP_Auxiliary_Trip of (5) and (6) correspond to the BFP Auxiliary Function Output in Fig. 5. The operators && and || indicate logical AND and logical OR operations respectively. Following points should be noted from the equations (5) and (6):
1) The proposed scheme trip equation utilizes the conventional BFP scheme output and checks its validity with the SFVA Decision. Therefore, the proposed scheme works with any existing common BFP scheme.
2) When there is a loss of communication between the BFP Relay-PMU and the PDC, the Comm Active becomes "0" and hence $\overline{\text{Comm Active}}$ becomes "1". Therefore, the proposed scheme trip is an OR operation of conventional BFP trip and BFP Auxiliary Function Output. Therefore, the proposed scheme is fail-safe to loss of communication between the BFP Relay-PMU and the PDC.

B. Susceptibility and Dynamic Relay White-listing (DRW)

A digital relay performs pre-defined computations to distinguish between fault and normal operation. An attack can be launched by exploiting the bug in the hardware or software architecture of the relay. When a Relay-PMU of a particular model and maker is attacked, then there is an increased susceptibility to an attack on other Relay-PMUs of the same maker and family because they may share the same vulnerabilities. Here, the susceptibility arises because the Relay-PMUs of the same group share similar hardware and software architecture.


$$\text{Timer 62-2} \geq (2 \times d_t) + \text{SFVA Execution Time} + \text{Safety Margin} \tag{1}$$

$$\text{Timer 62-3} \geq \text{BFP Auxiliary Protection Operation Time} + \text{Safety Margin} \tag{2}$$

$$\text{Conv\_BFP\_Trip} = f1(\text{BFI},\ 52a,\ 50\text{BF}) \tag{3}$$

$$\text{Conv\_BFP\_Re-Trip} = f2(\text{BFI},\ 52a,\ 50\text{BF}) \tag{4}$$

$$\text{Proposed Scheme Trip} = (\text{Conv\_BFP\_Trip}\ \&\&\ \text{Comm Active}\ \&\&\ \text{SFVA Decision})\ \|\ (\text{Conv\_BFP\_Trip}\ \&\&\ \overline{\text{Comm Active}})\ \|\ \text{BFP\_Auxiliary\_Trip} \tag{5}$$

$$\text{Proposed Scheme Re-Trip} = (\text{Conv\_BFP\_Re-Trip}\ \&\&\ \text{Comm Active}\ \&\&\ \text{SFVA Decision})\ \|\ (\text{Conv\_BFP\_Trip}\ \&\&\ \overline{\text{Comm Active}}) \tag{6}$$
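The trip equation (5) and the Timer 62-2 bound (1), as an added example that is not code from the paper: it evaluates the BFP Scheme Main Output at Timer 62-1 expiry for a few constructed scenarios, with the second term of (5) taken as NOT(Comm Active) as the fail-safe description requires. The conventional logic `f1 = BFI AND 50BF`, the 180 ms Timer 62-1 setting and the rule that a late SFVA Decision counts as not received are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Values quoted on the page (ms).
DT_MS = 60.0             # one-way communication + processing delay d_t
SFVA_EXEC_MS = 0.588     # maximum SFVA execution time (587.63 us, rounded as on the page)
SAFETY_MARGIN_MS = 20.0  # one fundamental cycle at 50 Hz


def timer_62_2_min_ms(dt_ms=DT_MS, sfva_exec_ms=SFVA_EXEC_MS,
                      margin_ms=SAFETY_MARGIN_MS):
    """Equation (1): smallest admissible Re-Trip Timer 62-2 setting."""
    return 2 * dt_ms + sfva_exec_ms + margin_ms


def proposed_scheme_trip(conv_trip, comm_active, sfva_decision, aux_trip=False):
    """Equation (5). The second term uses NOT(Comm Active): the NOT gate that
    passes the conventional output when no SFVA Decision was received."""
    return bool((conv_trip and comm_active and sfva_decision)
                or (conv_trip and not comm_active)
                or aux_trip)


@dataclass
class Scenario:
    name: str
    bfi: bool                      # BFI seen by the BFP Relay-PMU
    i50bf_at_expiry: bool          # 50BF still "1" when Timer 62-1 expires
    sfva_decision: Optional[bool]  # None: the PDC never answered
    reply_delay_ms: float = 2 * DT_MS + SFVA_EXEC_MS  # trigger -> decision


def bfp_main_output(s, timer_62_1_ms=180.0):
    """BFP Scheme Main Output at Timer 62-1 expiry.

    Assumptions (not from the page): f1 is BFI AND 50BF, Timer 62-1 is 180 ms,
    and a decision arriving after the timer is treated as not received.
    """
    conv_trip = s.bfi and s.i50bf_at_expiry
    comm_active = (s.sfva_decision is not None
                   and s.reply_delay_ms <= timer_62_1_ms)
    decision = bool(s.sfva_decision) if comm_active else False
    return proposed_scheme_trip(conv_trip, comm_active, decision)


# Constructed scenarios (not measurements from the paper).
SCENARIOS = [
    Scenario("false BFI at rated load, PDC rejects", True, True, False),
    Scenario("fault + breaker failure, PDC confirms", True, True, True),
    Scenario("fault cleared by primary breaker", True, False, True),
    Scenario("false BFI, link to PDC down", True, True, None),
    Scenario("false BFI, decision arrives late", True, True, False, 250.0),
]


def run_all():
    """Map each scenario name to the resulting BFP Scheme Main Output."""
    return {s.name: bfp_main_output(s) for s in SCENARIOS}


if __name__ == "__main__":
    print(f"Timer 62-2 >= {timer_62_2_min_ms():.3f} ms")
    for name, out in run_all().items():
        print(f"{name:40s} -> trip={int(out)}")
```

The last two scenarios trip because the scheme returns to the conventional output whenever no SFVA Decision has been received, so the availability and latency of the link to the PDC are worth monitoring.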

TABLE II: Relay-PMU Categorisation in a Substation based on Maker and Relay Family
Relay-PMU Groups | General Description
Group 1 | Maker A, Relay-PMU Family 1
Group 2 | Maker A, Relay-PMU Family 2
... | ...
Group i | Maker M, Relay-PMU Family N
... | ...
Group r | Maker X, Relay-PMU Family Y

So, the same bug/vulnerability is expected to be present in the Relay-PMUs of the same group. As this vulnerability was not known before, the Relay-PMUs of the same group remain susceptible. Hence, SFVA avoids phasors from such Relay-PMUs. It is a novel concept introduced by this paper to add a layer of security against common mode of failure. Improvement in the power system resiliency metric by implementation of DRW is explained in the Appendix Section V-B. The Relay-PMUs in each substation bus are divided into pre-defined groups as per their maker and family. This grouping is done when the Relay-PMUs are installed in the substations. Therefore, this grouping is done when there is no cyber-attack in the system.

Table II shows the Relay-PMU groups for an arbitrary substation. Consider a case when a Relay-PMU from Group 2 has issued the BFI. In such a case, measurements from all the groups except Group 2 will participate in the SFVA. This exclusion of measurements from Group 2 in the SFVA happens when the BFI is issued to the BFP Relay-PMU and the BFP Relay-PMU has issued the Trigger to the SFVA. So, the Relay-PMU groups participating in the SFVA will be chosen depending on the Relay-PMU group that issued the BFI. Hence, it is named as Dynamic Relay White-listing (DRW). IEEE PSRC WG I report titled "Redundancy Considerations for Protective Relaying Systems" suggests introducing intentional differences in redundant protective relaying schemes to avoid common modes of failure [28]. The differences in redundant protective relays can be in different makers, different protection functions and/or different operating principles.

TABLE III: Example of Relay-PMU Categorisation for a Typical Substation
Relay-PMU Groups | General Description
Group 1 | Transformer Protection Relays - Maker A
Group 2 | Transformer Protection Relays - Maker B
Group 3 | Feeder Protection Relays - Maker A
Group 4 | Feeder Protection Relays - Maker B
Group 5 | Generator Protection Relays - Maker A
Group 6 | Generator Protection Relays - Maker B
Group 7 | Busbar Protection Relays

Table III shows an example of relay grouping in a substation. Consider the substation has protective relays of two different makers, namely, Maker A and Maker B. Consider a case when a feeder protection relay of Maker A, i.e., Group 3 issues a BFI to the BFP Relay-PMU, then the measurements that will participate in the SFVA shall be from Groups 1, 2, 4, 5, 6 and 7.

C. Overview of Synchrophasor based Fault Validation Algorithm (SFVA)

Fig. 6 shows how various BFP schemes will trigger the SFVA. It shows four common BFP schemes and their compatibility with the proposed scheme. The part shown in black colour is the existing scheme. The part shown in blue colour is the modification proposed to incorporate cyber-attack resilience. When SFVA receives a trigger, DRW determines Relay-PMUs whose phasors will participate in SFVA. Fig. 7 shows the flowchart of the Synchrophasor-based Fault


Validation Algorithm (SFVA). SFVA has two layers: FDA and FCA. Consider a six-bus system shown in Fig. 8. R is the BFP Relay-PMU on Line 2-4. When BFP Relay-PMU R receives a BFI from a Relay-PMU, it triggers SFVA at PDC. Firstly, FDA is executed. FCA is executed only if FDA’s output is "1". FDA checks whether there is a fault in the vicinity of the BFP Relay-PMU that received a BFI. Usually, faults cause a positive sequence under-voltage at the adjacent substation buses. Therefore, FDA checks the positive sequence voltages observed by the Relay-PMUs at the adjacent buses of Bus 2 (in Fig. 8) to find out whether there is a fault in the vicinity of the origin of the trigger.

Fig. 7: SFVA Flowchart

Fig. 8: Six-bus system with BFI issued to the BFP Relay-PMU R

Suppose, a primary protection Relay-PMU issues a BFI to the BFP Relay-PMU R. Therefore, the current and voltage measurements of the primary Relay-PMU cannot be used by the proposed scheme. However, the voltage measurements of other Relay-PMUs, which have different makers and families, can be used as a substitute for the voltage measurements of the primary protection Relay-PMU. Therefore, the proposed scheme utilizes voltage measurements. It should be noted that the line currents observed by the other Relay-PMUs of the bus cannot act as a substitute for the currents observed by the primary protection Relay-PMU.

When a BFI is issued by feeder protection Relay-PMU, the BFP scheme should issue a trip only if the fault is on line 2-4. Similarly, if BFI is issued by bus protection Relay-PMU, the BFP scheme should issue a trip only if the fault is on Bus 2. The aim of the FCA is to check whether the fault is on the relevant line/bus. It does not aim to serve as a fault location technique. The existing fault location techniques are computationally intensive. Therefore, this paper proposes a computationally efficient method to identify whether the fault is on the relevant line/bus using fault distance estimation. Moreover, the existing fault location techniques assume that all the measurements available to it are actual measurements. However, in the proposed scheme, DRW provides a framework to avoid the measurements from the Relay-PMUs that are more susceptible to the cyber-attack.

If the FCA output is "1", the SFVA Decision becomes "1". SFVA Decision "1" indicates that the BFI issued to the BFP Relay-PMU is genuine. The decision is communicated back to the BFP Relay-PMU which sent the trigger. The proposed scheme can be extended to make it compatible with other BFP schemes as well.

D. FDA

FDA performs the task of checking whether the fault is near the BFP Relay-PMU that triggered the SFVA. Usually, adjacent substation buses observe positive-sequence (pos-seq) under-voltage (UV). Therefore, the magnitude of pos-seq voltage can indicate whether a particular Relay-PMU observes a fault in its vicinity.

1) Hierarchical Voting Scheme

Fig. 9 shows the hierarchical voting scheme for the FDA. When a trigger is received, FDA checks the synchrophasors from the adjacent substation buses. It shows a general case of K adjacent substation buses around the location of the trigger. Relay-PMUs associated with each substation bus are segregated into groups as per pre-determined criteria of susceptibility. DRW will decide the Relay-PMU groups whose phasors will participate in the SFVA. Bus j considers a general case of N Relay-PMU groups participating in voting after DRW. Each Relay-PMU group has multiple Relay-PMUs that will vote depending on the magnitude of the pos-seq voltage they observe.

The voting scheme starts from Relay-PMUs as per (7). $|V_{rp}|$ is the magnitude of pos-seq voltage observed by the concerned Relay-PMU. $V_{th}$ is the threshold voltage set for the bus. Different buses can have different $V_{th}$.

$$|V_{rp}| < V_{th} \Rightarrow \text{Vote } 1\ ; \quad |V_{rp}| > V_{th} \Rightarrow \text{Vote } 0 \tag{7}$$


Fig. 9: Voting scheme hierarchy at Relay-PMUs, Relay-PMU groups and buses

Fig. 9 shows the following three types of voting blocks:
• Relay-PMU Voting Block (RVB): Fig. 9 has M Relay-PMUs in Group i of Bus j. Each Relay-PMU will vote "1" or "0" depending on (7). If at least x out of M Relay-PMUs vote "1", then the $RVB_i$ will vote "1". $RVB_i$ voting "1" indicates that the particular Relay-PMU group observes a fault in its vicinity. Once all the RVBs are executed, each Relay-PMU group has a status of either "1" or "0".
• Group Voting Block (GVB): Consider a case of Bus j, which has N Relay-PMU groups after DRW. If at least y out of N Relay-PMU groups vote "1", then the $GVB_j$ will vote "1". $GVB_j$ voting "1" indicates that the $j$-th Bus observes a fault. Once all the GVBs are executed, each bus has a status of either "1" or "0".
• Bus Voting Block (BVB): Amongst the Adjacent Substation buses, if at least z out of K buses are observing a fault, the FDA will vote "1". FDA decision of "1" indicates that fault is in the vicinity of the trigger.

2) UV Threshold and Voting Scheme Determination
The UV threshold and the voting scheme should consider the following aspects:
i. Grid Code: It provides tolerable voltage dips at the transmission substations. It serves as a guide for setting the UV Threshold for the buses.
ii. Fault Studies: It provides the fault type and location that have minimum impact on the adjacent substation bus voltages. It determines the UV threshold. Fault studies also indicate buses with stiff voltage, i.e., buses whose voltage does not dip much during nearby faults.
iii. Power System Configuration: It affects the voltage profile during faults. Consider a general p out of q voting scheme. The presence of stiff voltage sources, long transmission lines, shunt capacitor banks, etc., does not allow the voltage to drop in the nearby buses during a fault. Thus, p should be chosen accordingly for such a configuration. On the contrary, the primary as well as the secondary bus of a transformer observe UV for a nearby fault, so they vote identically. Therefore, p should be chosen accordingly for such a configuration.

Fig. 10: Six-bus system with BFI issued to the BFP Relay-PMU R for fault on line 2-4

Fig. 10 shows a simple six-bus system with a fault on line 2-4. Fault studies show that for a fault on line 2-4, the pos-seq voltage observed at Buses 1-6 is less than 0.95 pu. NERC Guideline [29] and Indian Grid Code [30] allow voltage deviation of ±5% at transmission substations. In such a scenario, the following are the setting examples for Buses 1-6:
• UV Threshold: Considering the steady state tolerable under-voltage limit provided by the Grid code and the Fault studies, the UV Threshold of 0.95 pu is chosen for all the Buses 1 to 6.
• Voting Scheme at Bus Voting Block (BVB): For a general p out of q voting scheme, p should be more than half of q. So, 4 out of 6 voting scheme is recommended at Bus level.

Suppose, the line 4-6 in Fig. 10 is a long transmission line. Fault studies indicate that for a fault on line 2-4, the pos-seq voltage at Bus 6 drops to 0.98 pu only. Rest of the buses observe drop in pos-seq voltage below 0.95 pu. As a result, the voting scheme for Bus Voting Block is set such that even if the Bus 6 does not vote "1" during an actual fault, FDA decision is correct. Therefore, as an example, a voting scheme of 3 out of 6 can be selected for Bus Voting Block in such a case.

The salient features of the FDA are as follows:
i. FDA can overcome practical implementation issues by tuning the threshold voltage and the voting scheme to achieve the desired performance.
ii. FDA is computationally efficient because comparison with a threshold and a voting scheme makes the execution simple.

E. FCA
FCA confirms whether the fault is within the zone of the Relay-PMU that issued BFI to the BFP Relay-PMU. Fig. 8 shows a six-bus system where R is the BFP Relay-PMU. If a Bus Protection Relay-PMU (BPR-PMU) issues BFI to R, FCA confirms whether the fault is on Bus 2. Similarly, if Feeder Protection Relay-PMU (FPR-PMU) issues a BFI, FCA confirms whether the fault is on line 2-4. Fig. 11 shows


the flowchart of FCA when FPR-PMU has issued a BFI to R. FCA is agnostic to the fault distance estimation methods. FCA runs two fault distance estimation algorithms:
• FCA with Low Impedance Fault Distance Estimation: It utilizes the fault distance estimation from Reference [31].
• FCA with High Impedance Fault Distance Estimation: Fault impedance introduces errors in fault distance estimation. Therefore, a dedicated fault distance estimation scheme for high impedance faults is utilized, as explained in Reference [32].

Fig. 11: FCA flowchart when BFI is issued by feeder protection Relay-PMU to the BFP relay.

An OR operation of the FCA decisions with low impedance and high impedance fault distance estimation is implemented to get the final FCA output as shown in Fig. 7. FCA has the following salient features:
i. Current phasors required for the fault distance estimation are calculated from bus voltages and line data. Hence, FCA does not work on the sensed current from the CT secondary. Thus, it avoids issues due to CT saturation.
ii. The distance estimation algorithm used is non-iterative.
iii. FCA does not employ any machine-learning-based algorithm, so it does not require any training data.

F. Practical Implementation Considerations
The following aspects should be considered for implementation:
1) Availability of Wide Area Measurement Systems (WAMS): The proposed scheme is based on the Wide Area Measurement System (WAMS). Therefore, the proposed scheme is applicable to the voltage levels where WAMS is available.
2) Phasor Estimation Error due to Coupling Capacitor Voltage Transformer (CCVT) Transient: Errors in the phasor estimation are observed due to distortions in the CCVT output signals. The remedy is to implement improved filtering and phasor estimation algorithms explained in [33] and [34].
3) Transmission Line Parameter Errors: Errors in the transmission line parameters lead to erroneous line current calculation and distance estimation. To avoid such errors, References [35] and [36] can be used to estimate the transmission line parameters using PMU data.
4) Fault Distance Estimation Error: A fault on line/bus is confirmed by checking whether the summation of calculated fault distance from both ends is equal to the line length. There can be errors in the fault distance calculation due to the current estimation errors, line data errors, etc. Therefore, when fault distance estimated from any one end is less than 10%, SFVA calculates fault distance from adjacent buses to confirm whether the fault is on the concerned line. So, the proposed scheme is resilient to fault distance calculation errors. Fig. 11 explains the implementation.
5) Fault Distance Estimation for High Impedance Faults: Fault impedance introduces error in fault distance estimation. A dedicated high impedance fault distance estimation algorithm [32] is used to detect the presence of high impedance faults. An OR operation of the FCA decisions with low impedance and high impedance fault distance estimation is implemented to get the final FCA output.
6) Lines with Series Compensation: Fault distance estimation for lines with a series capacitor is explained in [37], [38]. These algorithms can be used in such scenario.
7) Power System Configuration: The power system configuration affects the voting scheme and UV threshold for FDA. Refer to Section II-D2 for a discussion on the impact of Power System Configuration on determining the voting scheme and UV threshold.
8) Cyber-attack on the PDC and Communication Network: The proposed scheme runs at the PDC and utilizes the measurements from the Relay-PMUs to discriminate a cyber-attack from a fault. Therefore, a cyber-attack on the PDC and the communication network can be harmful to the decision-making of the proposed scheme. This paper considers that there is a dedicated mechanism in place to detect any cyber-attack on the PDC and the communication network (see Table I). When a cyber-attack is detected, the proposed scheme would not provide its decision to the BFP Relay-PMUs. Hence, the Comm Active status remains "0". Therefore, the proposed scheme


would behave as a conventional BFP scheme. Therefore, it is fail-safe to the cyber-attacks on the PDC and the communication network.
9) PMU Reporting Rates: The proposed method can work with existing 30-120 Hz (IEEE) or higher (IEC) reporting rates. Reporting rates are not a constraint for the proposed algorithm. In some situations, it is better if the reporting rate is higher. Then, the synchrophasors are available at smaller time intervals which reduces the waiting time for the synchrophasors. This may improve the SFVA Decision time of the proposed algorithm.
10) Scalability: In practice, any WAMS system is designed considering the applications which will run on that system and also the timing requirements. The communication bandwidth and other network parameters will be selected by considering the size of the system and levels of PDCs (regional and national PDCs). In this case also, the WAMS systems should be designed or upgraded appropriately considering the proposed method. As a result, our proposed method is scalable to any size of power systems network.

G. Computational Requirements
Table IV shows the breakup of the steps involved in the proposed scheme and their computational requirements. The steps in the proposed scheme are as follows:
1) Relay-PMU Grouping in DRW: The grouping of Relay-PMUs in the substation, depending on its maker and family, is done at the time of the installation of the Relay-PMUs in the substation. Therefore, it's not a real-time process. Hence, there is no real-time computational complexity involved in this process.
2) Exclusion of Measurements in DRW: The exclusion of measurements from the relay-group that issued the trigger to the proposed scheme happens in real-time. It is non-iterative in nature. It involves logical operations to avoid measurements from a specific relay-group to participate in the SFVA.
3) FDA: FDA is executed in real-time. It checks whether there is a fault near the BFP Relay-PMU that triggered the SFVA. Its computation is non-iterative in nature. It involves comparing the pos-seq voltage with the threshold for each Relay-PMU participating in SFVA. It is followed by a general p out of q voting scheme.
4) FCA: FCA is executed in real-time. It checks whether the fault is within the zone of the Relay-PMU that issued the BFI to the BFP Relay-PMU. Its computation is non-iterative in nature. It involves solving algebraic equations depending on the number of adjacent buses participating in the SFVA.
5) Proposed BFP Logic Evaluation: The boolean equations for the proposed BFP scheme are shown in (5) and (6). It is real-time and non-iterative in nature. It involves a few boolean operations.

TABLE IV: Computational Requirements of the Proposed Scheme

| Algorithm Tasks | Nature | Real-time Complexity |
|---|---|---|
| Relay Grouping in DRW | Offline | Not Applicable |
| Exclusion of Measurements in DRW | Real-time, Non-iterative | Logical Operations |
| FDA | Real-time, Non-iterative | Logical Operations |
| FCA | Real-time, Non-iterative | Solving few Algebraic Equations depending on the number of adjacent buses participating in SFVA |
| Proposed BFP Logic Evaluation as per (5) and (6) | Real-time, Non-iterative | Few Boolean Operations |

III. RESULTS
Fig. 12 shows the proposed scheme employed for the validation. The performance of the proposed scheme is validated by PSCAD simulations and lab implementation emulating synchrophasor communication for a part of the IEEE-118 bus system [39] as shown in Fig. 13. The communication and processing delay $d_t$ (shown in Fig. 4) is considered 60 ms. So, the time available for SFVA execution is $(200 - 2 \cdot d_t)$, i.e., 80 ms. Though the results are shown for this particular BFP scheme, the results can be extended to all common BFP schemes [15]. The part shown in blue colour is the modifications proposed to incorporate cyber-attack resilience. Cyber-attack is initiated by giving a false BFI.

Fig. 12: Proposed scheme considered for the test cases

A. Threshold Voltage and Voting Scheme Determination
1) Threshold Voltage Determination
NERC Guideline [29], GB Grid Code [40] and Indian Grid Code [30] allow voltage deviation of ±5% at the transmission substations. So, $V_{th}$ of 0.95 pu is chosen in this sub-section.
2) Voting Scheme Determination
The voting scheme considers the following:
• Transformers between Bus 17 and Bus 30, and Bus 37 and Bus 38: Buses 17, 30 and Buses 37, 38 will vote identically in FDA.
• Long line between Bus 38 and Bus 65: Fault studies show that for a fault near Bus 30, Bus 65 does not violate the voltage threshold. So it may vote "0" in FDA.


Fig. 13: Part of IEEE-118 bus system in one and half breaker scheme and the lab implementation setup image

Therefore, a voting scheme of 4 out of 7 is chosen at the


substation level. For a general p out of q voting scheme, p
is recommended to be more than 50% of q. However, the
decision of the voting scheme depends on fault studies, power
system configuration, etc, as explained in Section II-D2.
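
The hierarchical voting of Section II-D with the settings chosen above (0.95 pu threshold, 4 out of 7 buses), as an added Python example that is not the authors' implementation. The bus voltages, the group labels A/B/C, three Relay-PMUs per group, the majority quorums for x-of-M and y-of-N, and the "0" vote for a bus left without white-listed phasors are constructed assumptions; the page leaves x and y as settings.

```python
from dataclasses import dataclass

# Seven adjacent buses named in the page's test cases, and the Section III-A settings.
BUSES = (8, 26, 37, 38, 17, 30, 65)
V_TH = 0.95   # pu, UV threshold
BVB_Z = 4     # Bus Voting Block: at least 4 out of 7 buses


@dataclass(frozen=True)
class Reading:
    bus: int
    group: str       # DRW group (maker and family); labels A/B/C are constructed
    v_pos_pu: float  # |V_rp|: pos-seq voltage magnitude reported by one Relay-PMU


def at_least(votes, k):
    """Generic 'k out of n' voting block: 1 if at least k inputs are 1."""
    return int(sum(votes) >= k)


def majority(n):
    """Assumed quorum for x-of-M and y-of-N; the page leaves both as settings."""
    return n // 2 + 1


def fda(readings, triggering_group, v_th=V_TH, z=BVB_Z, x_of=majority, y_of=majority):
    """Run RVB -> GVB -> BVB and return (fda_vote, {bus: bus_vote}).

    triggering_group is the DRW group of the relay that issued the BFI; its
    phasors are excluded before any vote is counted. v_th may be a dict of
    per-bus thresholds, since different buses can have different V_th.
    """
    bus_votes = {}
    for bus in BUSES:
        thr = v_th[bus] if isinstance(v_th, dict) else v_th
        by_group = {}
        for r in readings:
            if r.bus != bus or r.group == triggering_group:
                continue  # other bus, or excluded by DRW
            # Eq. (7); a magnitude exactly at V_th is treated as vote "0" here.
            by_group.setdefault(r.group, []).append(int(r.v_pos_pu < thr))
        rvb = [at_least(v, x_of(len(v))) for v in by_group.values()]  # one RVB per group
        # GVB. Assumption: a bus with no white-listed phasors votes "0".
        bus_votes[bus] = at_least(rvb, y_of(len(rvb))) if rvb else 0
    return at_least(bus_votes.values(), z), bus_votes


def make_readings(bus_voltage, spoofed_group=None, spoofed_value=None):
    """Constructed data: 3 groups x 3 Relay-PMUs per bus, all reporting the bus
    voltage, except that one group can be made to report a spoofed magnitude."""
    out = []
    for bus, v in bus_voltage.items():
        for group in ("A", "B", "C"):
            value = spoofed_value if group == spoofed_group else v
            out.extend(Reading(bus, group, value) for _ in range(3))
    return out


# Constructed voltages (pu). FAULT mimics a fault near Bus 30 with Bus 65 behind a long line.
HEALTHY = {b: 1.00 for b in BUSES}
FAULT = {8: 0.90, 26: 0.88, 37: 0.80, 38: 0.75, 17: 0.85, 30: 0.60, 65: 0.98}

if __name__ == "__main__":
    # Fake BFI from a group-A relay on a healthy grid: no bus sees under-voltage.
    print("healthy     :", fda(make_readings(HEALTHY), triggering_group="A"))
    # Real fault: Bus 65 stays above threshold, the other six carry the 4-of-7 vote.
    print("fault       :", fda(make_readings(FAULT), triggering_group="A"))
    # Group A also reports false under-voltage; with a lenient 1-of-N group quorum
    # only the DRW exclusion keeps the FDA decision at "0".
    spoofed = make_readings(HEALTHY, spoofed_group="A", spoofed_value=0.40)
    print("spoof no DRW:", fda(spoofed, None, y_of=lambda n: 1)[0])
    print("spoof + DRW :", fda(spoofed, "A", y_of=lambda n: 1)[0])
```

The last two scenarios show why the group quorum and DRW are set together: a quorum of one group per bus is only safe when the triggering group has already been removed from the vote.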

B. PSCAD Simulation Setup
The signals generated by the PSCAD simulations are sampled at 2500 samples/second. Full-cycle Discrete Fourier Transform (DFT) is implemented on the sampled signal to extract the fundamental frequency phasors. SFVA utilizes these fundamental frequency phasors available at the PDC. The buses have breaker-and-a-half scheme. The nominal system voltages are 138 kV and 345 kV. Fig. 13 shows the BFP Relay-PMU R, that has received a BFI from an external digital relay. BFP relay R can receive BFI in the following cases:
• Fault is on Line 30-38.
• Fault is on Bus 30.
• Fake BFI is issued to the BFP relay, i.e., cyber-attack.

C. Summary of Test Cases
The following test cases are considered for validation:
• Fake BFI issued to BFP Relay-PMU by FPR-PMU and BPR-PMU during healthy condition.
• Legitimate BFI issued to BFP Relay-PMU by FPR-PMU during a line fault.
• Legitimate BFI issued to BFP Relay-PMU by BPR-PMU during a bus fault.
• Fake BFI issued to BFP Relay-PMU by FPR-PMU for fault on the next line from the BFP Relay-PMU.
• Fake BFI issued to BFP Relay-PMU by FPR-PMU for fault on the previous line from the BFP Relay-PMU.

D. Simulation Results
The run-time is five seconds (sec) for all the PSCAD simulations. The communication status is considered active, so Comm Active = 1 in Fig. 12. Therefore, the BFP scheme output is effectively an AND operation of Timer 62 output and SFVA Decision. The following test cases are performed:

1) Test case 1: Fake BFI issued by FPR-PMU in no-fault scenario
Fig. 13 shows BFI issued to BFP Relay-PMU R. Fig. 14 shows the magnitude of pos-seq voltages at the adjacent buses and the BFI signal status. The BFI is issued at time = 2 sec.
• Pos-seq voltage at all the seven buses is above the threshold. Hence, each of them votes "0". 4 out of 7 voting scheme output is "0". So, FDA votes "0".
• SFVA Decision is "0". Therefore, the proposed BFP scheme output is "0". Hence, a cyber-attack during healthy conditions is neutralized.

Fig. 14: Test case 1: Magnitude of pos-seq voltage at the adjacent buses when a fake BFI is issued in no-fault scenario


2) Test case 2: Legitimate BFI issued by FPR-PMU during AG fault at F1
Consider a case of AG fault at 50% length on line 30-38 named as F1 in Fig. 13. The fault is initiated at time = 2 sec and cleared at time = 3 sec. Fig. 15 shows the magnitude of pos-seq voltage at the adjacent buses for this case. The results are as follows:
• Pos-seq voltages at Buses 8, 26, 37, 38, 17 and 30 are below the threshold voltage. Pos-seq voltage at Bus 65 is above the threshold. As per 4 out of 7 voting scheme, FDA votes "1" and triggers FCA.
• Fault distance observed from:
=> Bus 30 at 52.06% length of Line 30-38
=> Bus 38 at 50.41% length of Line 30-38
• Fault distance summation from Bus 30 and Bus 38 is approximately equal to the line length 30-38. Hence FCA confirms that fault is within the zone of the FPR-PMU.
• Since both FCA and FDA vote "1", SFVA votes "1".
If the primary protection does not clear the fault, the 50BF signal will remain "1". Therefore, the input of Timer 62-1 will remain high. Once the Timer 62-1 expires, the BFP scheme output will become "1". Hence, the scheme permits a legitimate BFI to issue a trip.

Fig. 15: Test case 2: Magnitude of pos-seq voltage at adjacent buses when there is AG fault at 50% length on Line 30-38, i.e., F1

3) Test case 3: Fake BFI issued by BPR-PMU during no-fault
Fig. 16 shows the magnitude of pos-seq voltages on the adjacent buses and the BFI signal status. The BFI is issued at time = 2 sec.
• Pos-seq voltages at all the seven buses are above the threshold. Hence, each of them votes "0". 4 out of 7 voting scheme output is "0". So, FDA votes "0".
• SFVA Decision is "0". So, the proposed BFP scheme output is "0". Hence, the cyber-attack is neutralised.

Fig. 16: Test case 3: Magnitude of pos-seq voltage at adjacent buses when a False BFI is issued by BPR-PMU during no-fault scenario

4) Test case 4: Legitimate BFI issued by BPR-PMU during AG fault at F2
Consider a case of AG fault on Bus 30 named as F2 in Fig. 13. The fault is initiated at time = 2 sec and cleared at time = 3 sec. Fig. 17 shows the magnitude of pos-seq voltages at the adjacent bus. The results are as follows:
• As per 4 out of 7 voting scheme, FDA votes "1" and triggers FCA.
• Fault distance observed from:
=> Bus 30 at $7.59 \times 10^{-15}$% length of Line 30-38
=> Bus 38 at 98.01% length of Line 38-30
=> Bus 26 at 106.25% length of Line 26-30
=> Bus 8 at 107.39% length of Line 8-30
• Fault distance observed from Bus 30 shows that the fault is on Bus 30. Fault distances observed from Buses 8, 26, and 38 are approximately equal to their respective line lengths to Bus 30. FCA confirms that the fault is within the zone of BPR-PMU.
• Since both FCA and FDA vote "1", SFVA votes "1".
If the primary protection does not clear the fault, the 50BF signal will remain "1". Therefore, the input of Timer 62-1 will remain high. Once Timer 62-1 expires, the BFP scheme output will become "1". Hence the scheme allows a legitimate BFP operation.

Fig. 17: Test case 4: Magnitude of pos-seq voltage at adjacent buses when there is an AG fault at Bus 30, i.e., F2

5) Test case 5: Legitimate BFI issued by FPR-PMU during AG fault at F3
Consider a case of AG fault at 5% length on line 30-38 named as F3 in Fig. 13. The fault was initiated at time = 2 sec and cleared at time = 3 sec. Fig. 18 shows the magnitude of pos-seq voltages at the adjacent buses for this case. The results are as follows:
• As per 4 out of 7 voting scheme, FDA votes "1" and triggers FCA.
• Fault distance observed from:
=> Bus 30 at 4.98% length of Line 30-38
=> Bus 38 at 97.49% length of Line 38-30


=> Bus 26 at 123.05% length of Line 26-30
=> Bus 8 at 132.66% length of Line 8-30
• Fault distance summation from Bus 30 and Bus 38 is approximately equal to the length of Line 30-38. Moreover, the fault distance from Bus 26 and Bus 8 shows that the fault is on line 30-38. So FCA confirms that the fault is within the zone of the FPR-PMU.
• Since both FCA and FDA vote "1", SFVA votes "1".
If the primary protection does not clear the fault, the 50BF signal will remain "1". Therefore, the input of Timer 62-1 will remain high. Once Timer 62-1 expires, the BFP scheme output will become "1". Hence the scheme allows a legitimate BFI to issue a trip.

Fig. 18: Test case 5: Magnitude of pos-seq voltage at adjacent buses when there is an AG fault at 5% length on Line 30-38, i.e., F3

E. Lab Implementation Results
Fig. 13 shows the lab implementation setup for validating the execution time of SFVA. It has eight industrial computers connected via an ethernet switch. Each computer acts as a source for all the phasors from the Relay-PMUs belonging to a bus. The configuration of the computers is Intel Core i5 processor with 3.2 GHz frequency. Communication amongst Relay-PMUs and PDC follows IEEE C37.118.2-2011 by UDP-IP protocol [25]. On receiving a synchrophasor frame from Relay-PMU, PDC checks the following fields apart from the phasors it receives:
• SFVA trigger: It is sent from BFP Relay-PMU by making a pre-decided bit in Digital Status Word (DSW) as "1".
• Relay-PMU that issued BFI to BFP relay: A pre-decided bit in DSW is made "1" to identify the Relay-PMU that issued the BFI. Therefore, phasors from that particular Relay-PMU group are avoided by DRW.

The following test cases are considered for lab implementation:

1) Test case 6: Fake BFI issued by FPR-PMU during AG fault at F4
Consider a case of AG fault at 50% length on line 38-65 named as F4 in Fig. 13. The fault was initiated at time = 2 sec and cleared at time = 3 sec. Results are shown in Fig. 19.
• As per 4 out of 7 voting scheme, FDA votes "1" and triggers FCA.
• Fault Distance observed from:
=> Bus 30 at 361.48% length of Line 30-38
=> Bus 38 at 83.93% length of Line 38-30
• Fault distance summation from Bus 30 and Bus 38 is not equal to the length of Line 30-38. Hence, FCA indicates that the fault is not within the zone of the FPR-PMU. So FCA votes "0". So SFVA votes "0" and blocks the BFP trip. Therefore, the cyber-attack is neutralized.
• SFVA execution time was in the range from 367.23 µs to 587.63 µs with a mean of 400.77 µs.

Fig. 19: Test case 6: Magnitude of Pos-Sequence voltage at adjacent buses when AG fault at 50% length on Line 38-65, i.e., F4

Fig. 20: Test case 7: Magnitude of pos-seq voltage at adjacent buses when AG fault at 50% length on Line 30-26, i.e., F5

2) Test case 7: Fake BFI issued by FPR-PMU during AG fault at F5
Consider a case of AG fault at 50% length on Line 30-26 named as F5 in Fig. 13. The fault is initiated at time = 2 sec and cleared at time = 3 sec. Fig. 20 shows the adjacent bus voltages for this case. The results are as follows:
• As per 4 out of 7 voting scheme, FDA votes "1" and triggers FCA.
• Fault Distance observed from:
=> Bus 30 at 258.18% length of Line 30-38
=> Bus 38 at 269.23% length of Line 38-30
• Fault distance summation from Bus 30 and Bus 38 is not equal to the length of Line 30-38. Hence, FCA indicates that the fault is not within the zone of the FPR-PMU. So, FCA votes "0". Therefore, SFVA votes "0" and blocks the BFP trip. As a result, the cyber-attack is neutralized.


• SFVA execution time was in the range from 368.31 µs to 553.54 µs with a mean of 413.24 µs.

3) Comparison of the proposed BFP scheme with the Conventional BFP scheme
• Performance of conventional BFP scheme: Fig. 21 shows the conventional BFP scheme employed for validating the proposed scheme. The conventional BFP scheme has two inputs 50BF and the BFI. 50BF is the instantaneous overcurrent element for the BFP scheme. As explained in Section I, the setting of the 50BF is very sensitive. Therefore, its value is "1" at rated loading conditions. Timer 62-1 is an ON-delay timer, i.e., its output becomes "1" when the input is "1" for the duration of Timer 62-1. When the attacker issues a false BFI, the input to the Timer 62-1 becomes "1". After the duration of Timer 62-1 expires, the BFP scheme output becomes "1". Hence, it leads to false BFP operation and consequently, trips the backup breakers.

Fig. 21: Conventional BFP scheme considered for the test cases

• Performance of the proposed BFP scheme: Fig. 12 shows the proposed BFP scheme employed for validating the proposed scheme. Consider test case 6 to validate the performance of the proposed scheme. Fake BFI is issued to the BFP Relay-PMU by a Feeder-protection Relay-PMU while an AG fault is observed at 50% length on Line 38-65 named as F4 in Fig. 13. The execution details are as follows:
1) Value of 50BF element is "1". Therefore, it triggers the SFVA at PDC.
2) DRW excludes the measurements from the same Relay-PMU group.
3) FDA votes "1" as per 4 out of 7 voting at Bus Voting Block Level.
4) FCA confirms that fault is not on line 30-38. Therefore, FCA decision is "0".
5) Since FCA decision is "0", SFVA Decision is "0".
6) Since SFVA Decision is zero, the BFP scheme output becomes "0". Therefore, the output of the proposed BFP scheme is zero. Hence, it avoids the mal-operation of the BFP scheme.
7) Table V shows the execution details of the proposed scheme. The PDC computer configuration is Intel i5 processor with 3.2 GHz frequency. The operating system employed was Ubuntu Linux (non-real time). The SFVA execution time ranged from 367.23 µs to 587.64 µs with a mean execution time of 400.77 µs. The time of execution shows that the proposed scheme is computationally efficient.

TABLE V: SFVA Execution Time at PDC

| Subject | General Description |
|---|---|
| PDC Computer Configuration | Intel Core i5 Processor with 3.2 GHz frequency |
| Operating System | Ubuntu Linux (Non-real Time) |
| Minimum SFVA execution time | 367.23 µs |
| Maximum SFVA execution time | 587.63 µs |
| Mean SFVA execution time | 400.77 µs |

IV. CONCLUSION
The paper proposes a novel cyber-attack-resilient BFP scheme using Wide Area Measurements. The proposed scheme validates the authenticity of the BFI issued to the BFP scheme using WAMS. Test cases 1 and 3 use PSCAD simulations on IEEE-118 bus system to show that the proposed scheme detects cyber-attack and blocks false BFP trip in no-fault conditions. PSCAD simulations for test cases 2, 4 and 5 show that the proposed scheme allows legitimate BFP trips. Test cases 6 and 7 show that the proposed scheme works well even when a cyber-attack is executed simultaneously with a power system fault. Lab implementation of test cases 6 and 7 verify that the execution time of the proposed scheme is well within the time budget of the BFP scheme. Dynamic Relay White-listing avoids phasors from susceptible Relay-PMUs from participating in the proposed scheme. Hence it adds a layer of security. Simulation results and lab implementation confirm that the proposed scheme can effectively detect a false BFI issued to the BFP scheme and block the false BFP trip command in healthy as well as faulted conditions.

V. APPENDIX
A. Likelihood of a Cyber-attack on BFP
This sub-section first presents the equations for reward for cyber-attack in power systems. Then, it presents the expression for the likelihood for a cyber-attack. Finally, it uses these equations to explain the likelihood of BFP operation caused by cyber-attack.

Given a system state, the cyber-attacker aims to maximize the sum of two rewards [41]:
• Net reward of current attack: Power system changes states when an event happens due to a cyber-attack. The new state caused by cyber-attack may lead to deterioration of the system performance such as system stability, loss of load, etc. The attacker assesses the estimated impacts of the current attack using net reward. The effort required to make a cyber-attack is modelled by a “cost”. The net reward is the reward minus the cost.
• Aggregate reward from potential future attacks: If the current attack remains undetected, the attacker may launch future attacks which may further deteriorate the system performance. The attacker will also try to maximize the aggregated rewards from the future attacks. If


the current attack is detected, the operator will try to limit the future choices of attacks.

Now, suppose, $S = \{s_1, s_2, \ldots, s_n\}$ is the set of power system states. $A = \{a_1, a_2, \ldots, a_n\}$ is the set of actions caused by cyber-attacks. $p(s_i \mid s_{i-1}, a_{i-1})$ is the probability of system transiting to a new state $s_i$ from state $s_{i-1}$ due to the action $a_{i-1}$. $G(s_{i-1}, a_{i-1})$ is the cost for the cyber-attacker for taking action $a_{i-1}$ at state $s_{i-1}$. $R(s_i \mid s_{i-1}, a_{i-1})$ is the reward to the cyber-attacker when system state transits from $s_{i-1}$ to $s_i$ due to action $a_{i-1}$. $R(s_{i-1}, a_{i-1})$ is the expected immediate reward from action $a_{i-1}$ at $s_{i-1}$. The likelihood of attack $a_{i-1}$ at state $s_{i-1}$ is $L(a_{i-1}, s_{i-1})$.

The expected immediate reward from action $a_{i-1}$ at state $s_{i-1}$ is shown in (8) [41].

$$R(s_{i-1}, a_{i-1}) = E[R(s_i \mid s_{i-1}, a_{i-1})] = \sum_{s_i \in S} p(s_i \mid s_{i-1}, a_{i-1}) \cdot R(s_i \mid s_{i-1}, a_{i-1}) \tag{8}$$

Therefore, the likelihood of attack $a_{i-1}$ at state $s_{i-1}$ is $L(a_{i-1}, s_{i-1})$ which is proportional to the "Net reward of current attack" as shown in (9).

$$L(a_{i-1}, s_{i-1}) \propto \left(R(s_{i-1}, a_{i-1}) - G(s_{i-1}, a_{i-1})\right) \tag{9}$$

Now, a cyber attacker will choose BFP if the attacker finds the value of “Net reward of current attack” comparatively higher for BFP. During cyber-attack caused mal-operation of R1 BFP relay, Breakers B2, B3, B4 and B5 open as back-up as shown in Fig. 1. This leads to larger system disturbance (in terms of load/generation loss and stability deterioration) in comparison to single line tripping due to cyber-attack. The larger system disturbance can lead to bigger system performance issues.

The value of $R(s_{i-1}, a_{i-1})$ in (8) will be higher for BFP in comparison to single transmission line tripping due to cyber-attack. As $G(s_{i-1}, a_{i-1})$ value primarily depends on the relay hardware and software rather than protection type, therefore the cost to the attacker will be similar irrespective of the protection being attacked. As a result, the likelihood value $L(a_{i-1}, s_{i-1})$ will be higher for BFP in comparison to primary protection which opens a transmission line.

B. Relation between DRW and Resiliency Metrics

The concept of DRW is inspired from “common failure modes” which is popularly used in reliability and resiliency studies. The concept of “common failure modes” is also popularly used in the design of resilient protection schemes for power systems. If the Relay-PMUs belong to the same group (maker and family), there will be significant “common failure modes”. If a Relay-PMU of a group gets compromised, then the chance of other Relay-PMUs from the same group getting compromised is high due to “common failure modes”. The DRW increases the reliability and resiliency by decreasing the “common failure modes” with respect to the compromised relay (due to cyber-attack) issuing false BFI. This sub-section provides a probability-based analysis to explain the theoretical relation between the DRW and resilience metrics.

Suppose, there are two groups of Relay-PMUs as per the Dynamic Relay White-listing (DRW) as shown in Fig. 22. R11 is the compromised relay (due to cyber-attack) which is issuing false BFI to trigger BFP. Wrong triggering of BFP (due to cyber-attack) will impact the following resilient metrics:
• Loss-of-load Probability
• Customer Disruption Probability
• Blackout Probability

Table VI shows the various attacks and their descriptions for the system shown in Fig. 22. Moreover, (10) represents the probability of wrong operation of SFVA. Equation (11) represents the probability of wrong operation of BFP.

$$p(\mathrm{SFVA\_wrong}) = \text{Probability of wrong operation of SFVA} \tag{10}$$

$$p(\mathrm{BFP\_wrong}) = \text{Probability of wrong operation of BFP} \tag{11}$$

1) Without DRW

Now, Relay-PMUs within a group (such as Group 1 in Fig. 22) will have higher common failure modes with respect to cyber-attacks due to the use of common hardware and software platforms. As a result, probabilities $p(R_{12F} \mid R_{11F})$ and $p(R_{13F} \mid R_{11F})$ will be higher as shown in (12) and (13).

$$p(R_{12F} \mid R_{11F}) = \text{Higher} \tag{12}$$

$$p(R_{13F} \mid R_{11F}) = \text{Higher} \tag{13}$$

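$$\text{If } p(\mathrm{SFVA\_wrong}) = \text{Higher} \Rightarrow p(\mathrm{BFP\_wrong}) = \text{Higher} \tag{14}$$

$$\text{If } p(\mathrm{BFP\_wrong}) = \text{Higher} \Rightarrow p(\mathrm{Loss\_of\_load}) = \text{Higher} \tag{15}$$

$$\text{If } p(\mathrm{BFP\_wrong}) = \text{Higher} \Rightarrow p(\mathrm{Customer\_Disruption}) = \text{Higher} \tag{16}$$

$$\text{If } p(\mathrm{BFP\_wrong}) = \text{Higher} \Rightarrow p(\mathrm{Black\_out}) = \text{Higher} \tag{17}$$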


Fig. 22: Failure modes of Relay-PMUs groups used in DRW

Fig. 23: SFVA success probability while using DRW and without DRW

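$$\text{If } p(\mathrm{SFVA\_wrong}) = \text{Lower} \Rightarrow p(\mathrm{BFP\_wrong}) = \text{Lower} \tag{18}$$

$$\text{If } p(\mathrm{BFP\_wrong}) = \text{Lower} \Rightarrow p(\mathrm{Loss\_of\_load}) = \text{Lower} \tag{19}$$

$$\text{If } p(\mathrm{BFP\_wrong}) = \text{Lower} \Rightarrow p(\mathrm{Customer\_Disruption}) = \text{Lower} \tag{20}$$

$$\text{If } p(\mathrm{BFP\_wrong}) = \text{Lower} \Rightarrow p(\mathrm{Black\_out}) = \text{Lower} \tag{21}$$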

TABLE VI: Descriptions of Attacks

| Event | Description |
|-------|-------------|
| R11F | Compromise of Relay-PMU R11 by cyber-attack |
| R12F | Compromise of Relay-PMU R12 by cyber-attack |
| R13F | Compromise of Relay-PMU R13 by cyber-attack |
| R21F | Compromise of Relay-PMU R21 by cyber-attack |
| R22F | Compromise of Relay-PMU R22 by cyber-attack |
| R23F | Compromise of Relay-PMU R23 by cyber-attack |

Fig. 23 shows the Relay-PMUs whose measurements will be employed for the SFVA implementation. When there is no DRW, measurements from R12 and R13 may be used. In that situation, the probability of SFVA mal-operation will be higher, i.e., $p(\mathrm{SFVA\_wrong})$ = higher.

From (14), (15), (16) and (17), it can be said that employing measurements from Relay-PMUs without DRW increases the probability of wrong BFP trip, large loss-of-load, larger customer disruption and blackout. Therefore, non-implementation of DRW leads to compromise in the resiliency metrics like loss-of-load, customer disruption and blackout.

2) With DRW

Now, if DRW is used, then Relay-PMUs from a different group (such as Group 2 in Fig. 22) will have lower common failure modes with respect to cyber-attacks due to lesser amount of common hardware and software platforms. As a result, probabilities $p(R_{21F} \mid R_{11F})$ and $p(R_{22F} \mid R_{11F})$ will be lower as shown in (12) and (13).

$$p(R_{21F} \mid R_{11F}) = \text{Lower} \tag{22}$$

$$p(R_{22F} \mid R_{11F}) = \text{Lower} \tag{23}$$
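The qualitative "Higher" and "Lower" of (12), (13), (22) and (23) can be made concrete with a small Python sketch of the white-listing step; this is an added example, not code from the paper. The vendor/family labels, the probabilities 0.60 and 0.05, the conditional-independence assumption and the rule that SFVA counts as wrong when any of its source Relay-PMUs is compromised are all assumptions of this example.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class RelayPMU:
    name: str
    maker: str   # "maker and family" together define the DRW group
    family: str

    @property
    def group(self):
        return (self.maker, self.family)


# Constructed inventory mirroring Fig. 22 (vendor/family labels are invented).
INVENTORY = [
    RelayPMU("R11", "VendorA", "FamX"), RelayPMU("R12", "VendorA", "FamX"),
    RelayPMU("R13", "VendorA", "FamX"), RelayPMU("R21", "VendorB", "FamY"),
    RelayPMU("R22", "VendorB", "FamY"), RelayPMU("R23", "VendorB", "FamY"),
]

# Constructed stand-ins for "Higher" in (12)-(13) and "Lower" in (22)-(23).
P_SAME_GROUP = 0.60
P_OTHER_GROUP = 0.05


def find(inventory, name):
    for relay in inventory:
        if relay.name == name:
            return relay
    raise KeyError(f"unknown Relay-PMU {name!r}")


def select_sources(inventory, bfi_relay, needed, use_drw):
    """Pick the Relay-PMUs whose phasors feed SFVA for a BFI from bfi_relay."""
    suspect = find(inventory, bfi_relay)
    candidates = [r for r in inventory if r.name != suspect.name]
    if use_drw:  # white-list only relays outside the suspect's group
        candidates = [r for r in candidates if r.group != suspect.group]
    if len(candidates) < needed:
        # Example policy: refuse rather than fall back to same-group relays.
        raise ValueError("not enough white-listed Relay-PMUs")
    return candidates[:needed]


def p_sfva_wrong(sources, suspect):
    """P(at least one source is compromised | suspect is compromised)."""
    p_clean = prod(
        1.0 - (P_SAME_GROUP if r.group == suspect.group else P_OTHER_GROUP)
        for r in sources
    )
    return 1.0 - p_clean


if __name__ == "__main__":
    r11 = find(INVENTORY, "R11")
    for use_drw in (False, True):
        src = select_sources(INVENTORY, "R11", 2, use_drw)
        names = ", ".join(r.name for r in src)
        print(f"DRW={use_drw}: sources {names}, "
              f"p(SFVA_wrong | R11F) = {p_sfva_wrong(src, r11):.4f}")
```

With these constructed numbers the same-group selection (R12, R13) gives a far larger p(SFVA_wrong | R11F) than the white-listed selection (R21, R22), which is the ordering that (14) to (21) rely on.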


Fig. 23 shows the Relay-PMUs whose measurements will be employed for the SFVA implementation. When there is DRW, it means we would employ measurements from R21 and R22. Then the probability of SFVA mal-operation will be lower, i.e., $p(\mathrm{SFVA\_wrong})$ = lower.

From (18), (19), (20) and (21), it can be said that the use of measurements from Relay-PMUs after DRW decreases the chance of wrong BFP activation. Therefore, implementation of DRW leads to better resiliency metrics such as lower probabilities of loss-of-load, customer disruption and blackout.

REFERENCES

[1] J. Slowik, “Crashoverride: Reassessing the 2016 ukraine electric power event as a protection-focused attack,” Dragos, Inc, 2019.
[2] A. Ameli, A. Hooshyar, E. F. El-Saadany, and A. M. Youssef, “An intrusion detection method for line current differential relays,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 329–344, 2019.
[3] A. Ameli, A. Hooshyar, and E. F. El-Saadany, “Development of a cyber-resilient line current differential relay,” IEEE Transactions on Industrial Informatics, vol. 15, no. 1, pp. 305–318, 2019.
[4] A. Ameli, A. Ayad, E. F. El-Saadany, M. M. A. Salama, and A. Youssef, “A learning-based framework for detecting cyber-attacks against line current differential relays,” IEEE Transactions on Power Delivery, vol. 36, no. 4, pp. 2274–2286, 2021.
[5] Y. M. Khaw, A. Abiri Jahromi, M. F. M. Arani, S. Sanner, D. Kundur, and M. Kassouf, “A deep learning-based cyberattack detection system for transmission protective relays,” IEEE Transactions on Smart Grid, vol. 12, no. 3, pp. 2554–2565, 2021.
[6] N. K. Kandasamy, “An investigation on feasibility and security for cyberattacks on generator synchronization process,” IEEE Transactions on Industrial Informatics, vol. 16, no. 9, pp. 5825–5834, 2019.
[7] A. S. Mohamed, M. F. M. Arani, A. A. Jahromi, and D. Kundur, “False data injection attacks against synchronization systems in microgrids,” IEEE Transactions on Smart Grid, vol. 12, no. 5, pp. 4471–4483, 2021.
[8] J. Hong, R. F. Nuqui, A. Kondabathini, D. Ishchenko, and A. Martin, “Cyber attack resilient distance protection and circuit breaker control for digital substations,” IEEE Transactions on Industrial Informatics, vol. 15, no. 7, pp. 4332–4341, 2018.
[9] A. Ahmed, V. V. G. Krishnan, S. A. Foroutan, M. Touhiduzzaman, C. Rublein, A. Srivastava, Y. Wu, A. Hahn, and S. Suresh, “Cyber physical security analytics for anomalies in transmission protection systems,” IEEE Transactions on Industry Applications, vol. 55, no. 6, pp. 6313–6323, 2019.
[10] M. S. Rahman, M. A. Mahmud, A. M. T. Oo, and H. R. Pota, “Multi-agent approach for enhancing security of protection schemes in cyber-physical energy systems,” IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 436–447, 2017.
[11] J. Yang, C. Zhou, S. Yang, H. Xu, and B. Hu, “Anomaly detection based on zone partition for security protection of industrial cyber-physical systems,” IEEE Transactions on Industrial Electronics, vol. 65, no. 5, pp. 4257–4267, 2018.
[12] J. Wang, D. Shi, Y. Li, J. Chen, H. Ding, and X. Duan, “Distributed framework for detecting pmu data manipulation attacks with deep autoencoders,” IEEE Transactions on Smart Grid, vol. 10, no. 4, pp. 4401–4410, 2019.
[13] S. Sheng, W. L. Chan, K. K. Li, D. Xianzhong, and Z. Xiangjun, “Context information-based cyber security defense of protection system,” IEEE Transactions on Power Delivery, vol. 22, no. 3, pp. 1477–1481, 2007.
[14] S. Chakrabarty and B. Sikdar, “Detection of hidden transformer tap change command attacks in transmission networks,” IEEE Transactions on Smart Grid, vol. 11, no. 6, pp. 5161–5173, 2020.
[15] IEEE Guide for Breaker Failure Protection of Power Circuit Breakers, IEEE Std C37.119-2016 (Revision of IEEE Std C37.119-2005), pp. 1–73, 2016.
[16] A. Radhakrishnan and S. Das, “Impact of converter-interfaced renewable generations on breaker failure protection of the emanant transmission lines,” IET Renewable Power Generation, vol. 15, no. 3, pp. 641–652, 2021.
[17] X. Feng, L. Tan, Y. Wang, Y. Mao, J. Qiao, X. Yin, and D. Shi, “Improved generator circuit breaker failure protection method combined with voltage quantities,” Energy Reports, vol. 8, pp. 419–427, 2022.
[18] M. Thompson and D. Finney, “New voltage-based breaker failure scheme for generators,” in 15th International Conference on Developments in Power System Protection (DPSP 2020), 2020.
[19] Y. Xue, M. Thakhar, J. C. Theron, and D. P. Erwin, “Review of the breaker failure protection practices in utilities,” in 2012 65th Annual Conference for Protective Relay Engineers. IEEE, 2012, pp. 260–268.
[20] B. Kasztenny, V. Muthukrishnan, and T. S. Sidhu, “Enhanced numerical breaker failure protection,” IEEE Transactions on Power Delivery, vol. 23, no. 4, pp. 1838–1845, 2008.
[21] SEL-352, Breaker Failure and Monitoring Relay, SEL, 2011.
[22] Multilin 850, Feeder Protection System, GE Grid Solutions, 2018.
[23] B. Kasztenny and M. J. Thompson, “Breaker failure protection—standalone or integrated with zone protection relays?” in 2011 64th Annual Conference for Protective Relay Engineers. IEEE, 2011, pp. 385–395.
[24] S. Zubic, Z. Gajic, and D. Kralj, “Line protection operate time: How fast shall it be?” IEEE Access, vol. 9, pp. 75 608–75 616, 2021.
[25] “IEEE Standard for Synchrophasor Data Transfer for Power Systems,” IEEE Std C37.118.2-2011 (Revision of IEEE Std C37.118-2005), pp. 1–53, 2011.
[26] “IEEE Guide for Phasor Data Concentrator Requirements for Power System Protection, Control, and Monitoring,” IEEE Std C37.244-2013, pp. 1–65, 2013.
[27] “PMU Placement and Installation,” Guideline, NERC Reliability, NERC, Atlanta, GA, USA, 2016.
[28] “Redundancy Considerations for Protective Relaying Systems,” PSRC Working Group 119 Report, 2010.
[29] “Reliability Guideline: Reactive Power Planning,” Guideline, NERC Reliability, NERC, Atlanta, GA, USA, 2016.
[30] “Indian Electricity Grid Code,” National Grid Electricity Transmission, 2017.
[31] Z. Xu, S. Huang, L. Ran, J. Liu, Y. Qin, Q. Yang, and J. He, “A distance protection relay for a 1000-kv uhv transmission line,” IEEE Transactions on Power Delivery, vol. 23, no. 4, pp. 1795–1804, 2008.
[32] Y. Liang, Z. Lu, W. Li, W. Zha, and Y. Huo, “A novel fault impedance calculation method for distance protection against fault resistance,” IEEE Transactions on Power Delivery, vol. 35, no. 1, pp. 396–407, 2020.
[33] F. B. Ajaei, M. Sanaye-Pasand, M. Davarpanah, A. Rezaei-Zare, and R. Iravani, “Mitigating the impacts of ccvt subsidence transients on the distance relay,” IEEE transactions on power delivery, vol. 27, no. 2, pp. 497–505, 2012.
[34] E. P. Machado, D. Fernandes, and W. L. A. Neves, “Tuning ccvt frequency response data for improvement of numerical distance protection,” IEEE Transactions on Power Delivery, vol. 33, no. 3, pp. 1062–1070, 2018.
[35] D. Ritzmann, P. S. Wright, W. Holderbaum, and B. Potter, “A method for accurate transmission line impedance parameter estimation,” IEEE Transactions on instrumentation and measurement, vol. 65, no. 10, pp. 2204–2213, 2016.
[36] H. Goklani, G. Gajjar, and S. A. Soman, “Instrument transformer calibration and robust estimation of transmission line parameters using pmu measurements,” IEEE Transactions on Power Systems, vol. 36, no. 3, pp. 1761–1770, 2021.
[37] S. Gajare and A. K. Pradhan, “An accurate fault location method for multi-circuit series compensated transmission lines,” IEEE Transactions on Power Systems, vol. 32, no. 1, pp. 572–580, 2017.
[38] M. Saha, J. Izykowski, E. Rosolowski, and B. Kasztenny, “A new accurate fault locating algorithm for series compensated lines,” IEEE Transactions on Power Delivery, vol. 14, no. 3, pp. 789–797, 1999.
[39] S. Peyghami, P. Davari, M. Fotuhi-Firuzabad, and F. Blaabjerg, “Standard test systems for modern power system analysis: An overview,” IEEE Industrial Electronics Magazine, vol. 13, no. 4, pp. 86–105, 2019.
[40] “THE GRID CODE,” Central Electricity Regulatory Commission, 2010.
[41] Y. Hao, M. Wang, and J. H. Chow, “Likelihood analysis of cyber data attacks to power systems with markov decision processes,” IEEE Transactions on Smart Grid, vol. 9, no. 4, pp. 3191–3202, 2018.

Paawan Kirankumar Dubal obtained his B.Tech degree in Electrical Engineering from the School of Technology of Pandit Deendayal Energy University in 2016. He carried out this research work while pursuing M.Tech(Research)


degree at the Electrical Engineering Department of the Indian Institute of Science, Bengaluru, India.

Sarasij Das (Senior Member, IEEE) received the Ph.D. degree from the
University of Western Ontario, London, ON, Canada, in 2014. He was with the
Schneider Electric India Pvt. Ltd., Bangalore, India, and Power Research and
Development Consultants Pvt. Ltd., Bangalore, India. He is currently working
as an associate professor at the Electrical Engineering Department of Indian
Institute of Science, Bangalore, India.

Tarlochan S. Sidhu (Fellow, IEEE) received the Ph.D. degree in electrical engineering from the University of Saskatchewan, Saskatchewan, Saskatoon,
SK, Canada, in 1989. He is currently a Professor of Faculty of engineering
and applied science with the University of Ontario Institute of Technology
(UOIT), Oshawa, ON, Canada. Prior to this, he was a Professor and Chair of
the Electrical and Computer Engineering Department with the University of
Western Ontario, London, ON, Canada. He also has held the NSERC/Hydro
One Senior Industrial Research Chair in Power Systems Engineering. His
research interests include power system protection, monitoring, control and
automation.
