SYSTEMS AND METHODS OF DETECTING UTILITY GRID INTRUSIONS

US 20160366170A1
Filed: 02/08/2016
Published: 12/15/2016
Est. Priority Date: 02/09/2015
Status: Abandoned Application

First Claim

Patent Images

1. A method of detecting an attack in a utility grid, comprising:

establishing, by an anomaly detector executing on one or more processors, a first metric using signals received from at least one of one or more controllers of the utility grid or one or more metering devices of the utility grid, the first metric identifying nominal behavior of at least one of control or consumption in the utility grid absent anomalies;

monitoring, by the anomaly detector, signals received from at least one of the one or more controllers or the one or more metering devices;

determining, by the anomaly detector, using the monitored signals a second metric identifying current behavior of at least one of control or consumption in the utility grid;

comparing, by the anomaly detector, the first metric with the second metric to detect an anomaly in at least one of control or consumption in the utility grid, wherein the anomaly is attributable to an attack on at least one of a controller of the one or more controllers or a metering device of the one or more metering devices; and

providing, by the anomaly detector, an alert indicating the detected anomaly.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of detecting an attack in a utility grid are described. An anomaly detector establishes a first metric generated using signals received from at least one of one or more controllers of the utility grid or one or more metering devices of the utility grid. The first metric identifies nominal behavior of control or consumption in the utility grid absent anomalies. The anomaly detector monitors signals received from the controllers or the metering devices. The anomaly detector determines, using the monitored signals, a second metric identifying current behavior of at least one of control or consumption in the utility grid. The anomaly detector compares the first metric with the second metric to detect an anomaly in control or consumption in the utility grid. The anomaly is attributable to an attack on a controller or a metering device. The anomaly detector provides an alert indicating the detected anomaly.

20 Citations

View as Search Results

20 Claims

1. A method of detecting an attack in a utility grid, comprising:
- establishing, by an anomaly detector executing on one or more processors, a first metric using signals received from at least one of one or more controllers of the utility grid or one or more metering devices of the utility grid, the first metric identifying nominal behavior of at least one of control or consumption in the utility grid absent anomalies;
  
  monitoring, by the anomaly detector, signals received from at least one of the one or more controllers or the one or more metering devices;
  
  determining, by the anomaly detector, using the monitored signals a second metric identifying current behavior of at least one of control or consumption in the utility grid;
  
  comparing, by the anomaly detector, the first metric with the second metric to detect an anomaly in at least one of control or consumption in the utility grid, wherein the anomaly is attributable to an attack on at least one of a controller of the one or more controllers or a metering device of the one or more metering devices; and
  
  providing, by the anomaly detector, an alert indicating the detected anomaly.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, comprising:
    - establishing, by the anomaly detector, the first metric as a first consumption metric and a first control metric;
      
      establishing, by the anomaly detector, the second metric as a second consumption metric and a second control metric;
      
      comparing, by the anomaly detector, the first metric with the second metric to detect the anomaly in an interaction between a control process of the one or more controllers and consumption observed via the one or more metering devices.
  - 3. The method of claim 1, comprising:
    - establishing, by the anomaly detector, the first metric as a first consumption metric;
      
      establishing, by the anomaly detector, the second metric as a second consumption metric;
      
      comparing, by the anomaly detector, the first consumption metric with the second consumption metric to detect the anomaly in consumption observed via the one or more metering devices, wherein the anomaly is attributable to the attack on the metering device of the one or more metering devices; and
      
      providing, by the anomaly detector, the alert indicating the detected anomaly and identifying the metering device affected by the attack that causes the anomaly.
  - 4. The method of claim 1, comprising:
    - establishing, by the anomaly detector, the first metric as a first control metric;
      
      establishing, by the anomaly detector, the second metric as a second control metric;
      
      comparing, by the anomaly detector, the first control metric with the second control metric to detect the anomaly in a control process of the one or more controllers, wherein the anomaly is attributable to an attack on the controller of the one or more controllers; and
      
      providing, by the anomaly detector, the alert indicating the detected anomaly and identifying the controller affected by the attack that causes the anomaly.
  - 5. The method of claim 1, wherein the attack comprises at least one of malware installed on the controller or the metering device configured to cause the anomaly, or malware installed on a third party device configured to attack the controller or the metering device via a network to cause the anomaly.
  - 6. The method of claim 1, comprising:
    - determining, by the anomaly detector, the first metric and the second metric based on one or more energy delivery process metrics comprising at least one of primary voltage information received via the one or more metering devices, secondary voltage information received via an advanced metering infrastructure (AMI) system, real energy or reactive energy observed at one or more devices located on a primary level of the utility grid, or voltage information observed at one or more delivery sites.
  - 7. The method of claim 1, comprising:
    - establishing, by the anomaly detector, the first metric and the second metric based on at least one of a covariance of a scalar stochastic time series, correlation of a scalar stochastic time series, entropy of a scalar stochastic time series, or a transfer function of a system representing the utility grid.
  - 8. The method of claim 1, comprising:
    - comparing, by the anomaly detector, the first metric with the second metric to detect the anomaly using at least one of a vector threshold, a linear discriminant technique, or a neural network.
  - 9. The method of claim 1, comprising:
    - providing, by the anomaly detector via a network, the alert to a supervisory system of the utility grid, the alert configured to cause the supervisory system to adjust an operation parameter of the controller or the metering device.
  - 10. The method of claim 1, comprising:
    - generating, by the anomaly detector, the first metric for a geographic area using at least one of temperature information, humidity information, cloud cover information, or seasonal insolation; and
      
      generating, by the anomaly detector, the second metric for the same geographic area to detect the anomaly.

11. A system to detect an attack in a utility grid, comprising:
- a metric detector executed by one or more processors configured to establish a first metric using signals received from at least one of one or more controllers of the utility grid or one or more metering devices of the utility grid, the first metric identifying nominal behavior of at least one of control or consumption in the utility grid absent anomalies;
  
  the metric detector further configured to monitor signals received from at least one of the one or more controllers or the one or more metering devices;
  
  the metric detector further configured to determine using the monitored signals a second metric identifying current behavior of at least one of control or consumption in the utility grid;
  
  a metric discriminator executed by the one or more processors configured to compare the first metric with the second metric to detect an anomaly, wherein the anomaly is attributable to an attack on at least one of a controller of the one or more controllers or a metering device of the one or more metering devices; and
  
  an alert generator executed by the one or more processors configured to provide the alert indicating the detected anomaly.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, comprising:
    - the metric detector further configured to establish the first metric as a first consumption metric and a first control metric;
      
      the metric detector further configured to establish the second metric as a second consumption metric and a second control metric;
      
      the metric discriminator further configured to compare the first metric with the second metric to detect the anomaly in an interaction between a control process of the one or more controllers and consumption observed via the one or more metering devices.
  - 13. The system of claim 11, comprising:
    - the metric detector further configured to establish the first metric as a first consumption metric;
      
      the metric detector further configured to establish the second metric as a second consumption metric;
      
      the metric discriminator further configured to compare the first consumption metric with the second consumption metric to detect the anomaly in consumption observed via the one or more metering devices, wherein the anomaly is attributable to the attack on the metering device of the one or more metering devices; and
      
      the alert generator further configured to provide the alert indicating the detected anomaly and identifying the metering device affected by the attack that causes the anomaly.
  - 14. The system of claim 11, comprising:
    - the metric detector further configured to establish the first metric as a first control metric;
      
      the metric detector further configured to establish the second metric as a second control metric;
      
      the metric discriminator further configured to compare the first control metric with the second control metric to detect the anomaly in a control process of the one or more controllers, wherein the anomaly is attributable to an attack on the controller of the one or more controllers; and
      
      the alert generator further configured to provide the alert indicating the detected anomaly and identifying the controller affected by the attack that causes the anomaly.
  - 15. The system of claim 11, wherein the attack comprises at least one of malware installed on the controller or the metering device configured to cause the anomaly, or malware installed on a third party device configured to attack the controller or the metering device via a network to cause the anomaly.
  - 16. The system of claim 11, comprising:
    - the metric detector further configured to determine the first metric and the second metric based on one or more energy delivery process metrics comprising at least one of primary voltage information received via the one or more metering devices, secondary voltage information received via an advanced metering infrastructure (AMI) system, real energy or reactive energy observed at one or more devices located on a primary level of the utility grid, or voltage information observed at one or more delivery sites.
  - 17. The system of claim 11, comprising:
    - the metric detector further configured to establish the first metric and the second metric based on at least one of a covariance of a scalar stochastic time series, correlation of a scalar stochastic time series, entropy of a scalar stochastic time series, or a transfer function of a system representing the utility grid.
  - 18. The system of claim 11, comprising:
    - the metric discriminator further configured to compare the first metric with the second metric to detect the anomaly using at least one of a vector threshold, a linear discriminant technique, or a neural network.
  - 19. The system of claim 11, comprising:
    - the alert generator further configured to provide, via a network, the alert to a supervisory system of the utility grid, the alert configured to cause the supervisory system to adjust an operation parameter of the controller or the metering device.
  - 20. The system of claim 11, comprising:
    - the metric detector further configured to generate the first metric for a geographic area using at least one of temperature information, humidity information, cloud cover information, or seasonal insolation; and
      
      the metric detector further configured to generate the second metric for the same geographic area to detect the anomaly.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Utilidata, Inc.
Original Assignee
Utilidata, Inc.
Inventors
Bell, David Gordon

Application Number

US15/018,596
Publication Number

US 20160366170A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G01D 2204/22   Arrangements for detecting ...

G01D 4/004   Remote reading of utility m...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Y02B 90/20   Smart grids as enabling tec...

Y04S 20/30   Smart metering, e.g. specia...

SYSTEMS AND METHODS OF DETECTING UTILITY GRID INTRUSIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS OF DETECTING UTILITY GRID INTRUSIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links