SYSTEMS AND METHODS OF DETECTING UTILITY GRID INTRUSIONS
First Claim
1. A method of detecting an attack in a utility grid, comprising:
- establishing, by an anomaly detector executing on one or more processors, a first metric using signals received from at least one of one or more controllers of the utility grid or one or more metering devices of the utility grid, the first metric identifying nominal behavior of at least one of control or consumption in the utility grid absent anomalies;
- monitoring, by the anomaly detector, signals received from at least one of the one or more controllers or the one or more metering devices;
- determining, by the anomaly detector, using the monitored signals a second metric identifying current behavior of at least one of control or consumption in the utility grid;
- comparing, by the anomaly detector, the first metric with the second metric to detect an anomaly in at least one of control or consumption in the utility grid, wherein the anomaly is attributable to an attack on at least one of a controller of the one or more controllers or a metering device of the one or more metering devices; and
- providing, by the anomaly detector, an alert indicating the detected anomaly.
Abstract
Systems and methods of detecting an attack in a utility grid are described. An anomaly detector establishes a first metric generated using signals received from at least one of one or more controllers of the utility grid or one or more metering devices of the utility grid. The first metric identifies nominal behavior of control or consumption in the utility grid absent anomalies. The anomaly detector monitors signals received from the controllers or the metering devices. The anomaly detector determines, using the monitored signals, a second metric identifying current behavior of at least one of control or consumption in the utility grid. The anomaly detector compares the first metric with the second metric to detect an anomaly in control or consumption in the utility grid. The anomaly is attributable to an attack on a controller or a metering device. The anomaly detector provides an alert indicating the detected anomaly.
20 Claims
11. A system to detect an attack in a utility grid, comprising:
- a metric detector executed by one or more processors configured to establish a first metric using signals received from at least one of one or more controllers of the utility grid or one or more metering devices of the utility grid, the first metric identifying nominal behavior of at least one of control or consumption in the utility grid absent anomalies;
- the metric detector further configured to monitor signals received from at least one of the one or more controllers or the one or more metering devices;
- the metric detector further configured to determine using the monitored signals a second metric identifying current behavior of at least one of control or consumption in the utility grid;
- a metric discriminator executed by the one or more processors configured to compare the first metric with the second metric to detect an anomaly, wherein the anomaly is attributable to an attack on at least one of a controller of the one or more controllers or a metering device of the one or more metering devices; and
- an alert generator executed by the one or more processors configured to provide the alert indicating the detected anomaly.
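The three components named in claim 11 (metric detector, metric discriminator, alert generator), as an added Python example that is not code from the patent. The claims do not say what the metrics are, so the choice of per-device mean and standard deviation, the thresholds `k` and `ratio`, the reason strings, and the device names and sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Metric:
    mean: float
    std: float

def establish_metric(samples):
    """Metric detector: summarise one device's signal window."""
    return Metric(mean(samples), pstdev(samples))

def compare_metrics(nominal, current, k=3.0, ratio=3.0):
    """Metric discriminator: list the ways current departs from nominal."""
    band = max(nominal.std, 1e-9)  # avoid a zero-width tolerance band
    reasons = []
    if abs(current.mean - nominal.mean) > k * band:
        reasons.append("level shift")
    if current.std > ratio * band:
        reasons.append("variance increase")
    # Only meaningful when the nominal signal itself varies.
    if nominal.std > 0 and current.std < nominal.std / ratio:
        reasons.append("flat-lined signal")
    return reasons

def detect(baseline, monitored):
    """Alert generator: one alert per device whose metrics disagree."""
    alerts = []
    for device, samples in monitored.items():
        nominal_samples = baseline.get(device, [])
        if len(nominal_samples) < 2:
            reasons = ["no baseline"]  # device never seen in nominal data
        elif not samples:
            reasons = ["no signal"]
        else:
            reasons = compare_metrics(establish_metric(nominal_samples),
                                      establish_metric(samples))
        if reasons:
            alerts.append({"device": device, "reasons": reasons})
    return alerts

# Constructed sample signals (meter load in kW, controller setpoint in per-unit).
BASELINE = {"meter-17": [4.1, 3.9, 4.0, 4.2, 3.8, 4.0, 4.1, 3.9],
            "ctrl-3": [1.00, 1.01, 0.99, 1.00, 1.00, 1.01, 0.99, 1.00],
            "meter-22": [2.0, 2.2, 1.9, 2.1, 2.0, 1.8, 2.1, 1.9]}
MONITORED = {"meter-17": [4.0, 4.1, 3.9, 4.0], "ctrl-3": [1.08, 1.09, 1.08, 1.09],
             "meter-22": [2.0, 2.0, 2.0, 2.0], "meter-99": [1.0, 1.1]}

if __name__ == "__main__":
    for alert in detect(BASELINE, MONITORED):
        print(alert)
```
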
Specification