Catching Anomalous Distributed Photovoltaics: An Edge-based Multi-modal Anomaly Detection

A significant challenge in energy system cyber security is the current inability to detect cyber-physical attacks targeting and originating from distributed grid-edge devices such as photovoltaics (PV) panels, smart flexible loads, and electric vehicles. Cyber grid defenders lack the necessary algorithms and other detection capabilities to distinguish between normal operations, cyber-attacks, and other exceptional circumstances. We address this concern by designing and developing a distributed, multi-modal anomaly detection approach that can sense the health of the device and the electric power grid from the edge. This is realized by exploiting unsupervised machine learning algorithms on multiple sources of time-series data such as voltage magnitude and phase angles from the area where the device interconnects with the power grid, power injected to and absorbed from the grid, and power quality of the edge device, fusing these multiple local observations and flagging anomalies when a deviation from the normal behavior is observed. We particularly focus on the cyber-physical threats to the distributed PVs that has the potential to cause local disturbances or grid instabilities by creating supply-demand mismatch, reverse power flow conditions etc. We use an open source power system simulation tool called GridLAB-D, loaded with real smart home and solar datasets to simulate the smart grid scenarios and to illustrate the impact of PV attacks on the power system. Various attacks targeting PV panels that create voltage fluctuations, reverse power flow etc were designed and performed. We observe that while individual unsupervised learning algorithms such as OCSVMs, Corrupt RF and PCA surpasses in identifying particular attack type, PCA with Convex Hull outperforms all algorithms in identifying all designed attacks with a true positive rate of 83.64% and an accuracy of 95.78%. Our key insight is that due to the heterogeneous nature of the distribution grid and the uncertainty in the type of the attack being launched, relying on single mode of information for defense can lead to increased false alarms and missed detection rates as one can design attacks to hide within those uncertainties and remain stealthy.