1. Introduction
The smart grid is responsible for the transmission, distribution, monitoring, and control of electricity, which may significantly improve the reliability and efficacy of the power system [
1,
2]. Currently, most governments view the electrical grid system as an essential infrastructure and have enacted security measures and accompanying regulations to protect it. The presence of a variety of DERs powered by renewable resources, in addition to information and communication systems, contributes to the increased complexity of the structure of the electricity network. Using intelligent electronic devices is one of the additional protection scheme implementation options that may be considered [
3]. With the introduction of this technology, a new idea known as an agent was established. The phasor measurement units (PMUs) were deployed to increase system reliability by making timely decisions based on gathered data [
4,
5,
6] since the architecture and design of current power systems are becoming more complicated. On the other hand, hackers can take advantage of vulnerabilities to deliberately induce overloaded branch tripping, which can lead to a cascade failure and, as a result, major damage to the smart grids [
7].
Therefore, smart grids that rely heavily on power electronics must ensure that cyber system data is reliable and efficient. A substation is the primary point of contact between a physical grid and a cyber-control system. The use of digital communication and computing has revolutionized substation monitoring and control [
8]. Unfortunately, these innovations make the grid more vulnerable to physical and cyber-attacks. Terrorists and nation-states are increasingly targeting the power infrastructure.
Therefore, developing intelligent and efficient methods to decrease the possibility of those attacks was of great interest to several researchers after those accidents [
9,
10,
11,
12]. The detection and location of distribution system faults and cyber-attacks have been improved with the development of different techniques in recent years. Using a continuous time domain, the authors of [
13] considered cyber-attacks on node dynamics and communication channels originating from nodes.
A static detector is used in place of the technique discussed in [
13] to detect attacks. In other words, the sensor uses network measurements to determine whether attacks are present at predetermined points in time without taking advantage of any correlation between measurements at different points. The authors also considered various attack types, such as bias injection and replayed attack, in [
14]. In a scenario where multiple adversaries are involved, certain knowledge and resources are assigned to them. There was also a discussion of bias injections and replay attacks and using zero dynamics to one’s advantage.
A multi-agent system (MAS) was made possible by the development of communication structures, intelligent agents, and the ability of the IEC 61850 standard to send and receive raw network data. Depending on the need, these communication structures can be based on the multi-agent system. The multi-agent system (MAS) is one of the most recent techniques used to detect electrical faults and cyber-attacks on the electrical network [
15,
16]
The authors in [
15] proposed a hierarchical multi-agent structure for detecting false measurements inserted by compromised phasor measurement units (PMUs). Therefore, rule-based detection allows for the detection of false data injection attacks in PMUs by evaluating the overall running status of each PMU. A decentralized system integrity protection method based on MAS is proposed to enhance cyber resilience. To mitigate denial of service attacks against the load-shedding scheme, the MAS issues a load rejection command after identifying an abnormal state [
16]. The authors in [
17] developed a rule-based intrusion detection solution based on a multi-agent system (MAS). Because of this solution, cyber-attacks can be distinguished from normal faults, and malicious trips of a relay can be detected. Since effective rules are only sometimes explicit and easy to summarize for complex functions, scalability might become a bottleneck when applying rule-based anomaly detection. The proposed solution requires multiple online controllers to receive redundant data simultaneously.
The authors in [
18] proposed a novel method for fault location and autonomous power restoration in the power distribution system with a wind generator based on the multi-agent system. Effective fault detection, localization, and high protection are necessary to protect systems from the blackout and properly configure them after an outage. The above methods do not distinguish between physical faults and cyber-attacks. Additionally, since each agent in the decentralized multi-agent structure masters only local power system information from local networks, it cannot deal with cyber-attacks from wide networks [
19]. The authors in [
20] develop hierarchical MAS to improve the overall architecture of substation protection systems to handle physical faults and cyber-attacks.
This paper presents a new approach for fault location and protecting the distribution network against physical faults and cyber-attacks. Real data from the distribution feeder of Kenitra City, Morocco are used for simulation purposes, and many case studies are verified to evaluate the performance of the proposed approach. The proposed technique uses a multi-agent system framework for fault location, line isolation, system reconfiguration, and cyber-attack detection for power system protection.
The remainder of this paper is organized as follows. The model establishment of both physical failures and cyber-attacks is shown in
Section 2. The Proposed MAS structure is discussed in
Section 3, which also provides some summary information about the proposed MAS.
Section 4 is an in-depth explanation of the security measures taken and the proposed protection system. In
Section 5, we will review the outcomes received from running the simulations. This article ends with a conclusion and some suggestions for further research.
2. Model Establishment Cyber-Attack Detection
According to
Figure 1, the distribution automation system allows the distribution operation center to acquire information (voltage, current, fault indicator, and switch status) from field devices such as feeder remote terminal units (FRTUs) and phasor measurement units (PMUs) and monitor the distribution lines in real-time. Based on the properties of the system, digital relay trips caused by defects in cyber-physical systems can be categorized as either electrical failures or cyber-attacks.
Attacks against the digital relay can be categorized as either local area network (LAN) or wide area network (WAN) attacks, depending on the scope of the target network. In addition, electrical faults and cyber-attacks are abnormal faults that cause relay malfunctions [
21]. Consequently, the necessary models must be developed to diagnose physical problems and cyber-attacks, as shown in
Figure 1. This paper applies the overcurrent protection scheme to digital relays, including short-circuit, symmetrical, and asymmetrical faults.
2.1. Electrical Faults
Shunt faults are prevalent in distribution systems, and phase-overcurrent and ground-overcurrent relays are typically utilized to detect, locate, and isolate the damaged line. The significant characteristics of a shunt fault are a rise in current and a drop in voltage and frequency. The faults in the power system can be broken down into three distinct categories: single line-to-ground faults, double-line faults with or without ground connections, and three-phase faults with or without ground connections (
Figure 2).
2.2. Attack Model for the Hacker
There are two distinct network systems: the local area network (LAN), which is contained within a substation, and the wide area network (WAN), which connects all substations. The hacker can attack digital relay settings, substation center databases, and fabricated PMUs, and remote terminal unit (RTUs) information in WANs, as shown in
Figure 1. When the local area network (LAN) or a portion of the substation’s wide area network (partial WAN) is hacked, various cyber-attacks and potential repercussions are outlined below [
22].
The digital relay and circuit breaker (CB) may transmit incorrect control signals due to command injection attacks, which involve the forging of bogus control commands.
To disable digital relays, attackers can inject incorrect data into local area networks (LANs), for example, utilizing information from a substation LAN.
An attack using a man-in-the-middle technique is performed on substations to inject false commands into remote control units to cause relays to malfunction. Incorrect PMU data are uploaded to the phasor data concentrator as part of the man-in-the-middle attack against the area control center to influence the center’s decision-making.
Cyber-physical coordinated attacks: In this type of attack, physical attacks are hidden under a veil of cyber-attacks. If a circuit breaker is subjected to a physical attack, the supervisory control and data acquisition system may be unable to detect the destruction of the circuit breaker because sophisticated cyber-attacks are conducted to disguise the attack.
Based on the initial investigation findings, it was determined that successful cyber-attacks on protective systems can result in malfunctioning relays and circuit breakers. Even though hackers can only access the local area network (LAN) of a substation or a partial connection via a wide area network (WAN), they can still obtain knowledge about the protective systems and communication protocols to manipulate.
4. MAS-Based Protection System Architecture
This paper employs a multi-agent approach for fault location and cyber-attack detection in a distribution system. Normally, a distribution line relay issues a trip signal only if a short circuit occurs. When a fault occurs on a line, the physical layer will experience a decrease in voltage while simultaneously experiencing an increase in current. At the same time, a trip signal will be generated by the cyber layer’s digital relay.
In the proposed protective approach, the agent’s system coordinates the relay operating and controlling the circuit breakers (CB) for fault isolation. The agent’s decisions are based on PMU data and the exchange with other agents to enable accurate fault detection. In this study, the agents are intelligent electronic devices (IEDs) with fundamental characteristics and capabilities such as I/O interface, communication, and decision-making capacity. The agents collect data (current and voltage) from the distribution system and then process them. Depending on their tasks, they take the required actions, such as fault detection and location, sending messages to other agents and trip signals to relevant CBs.
In the proposed technique, the electrical current is measured by PMUs at both ends of each electrical line. The PMUs transmit these data to Line Agents (LA), which are in the middle of each electrical line.
To isolate the fault, LA transmits a control signal to the CBs and checks to see if the CBs have received this trip signal. In addition, this LA verifies that the primary relay’s current has dropped below its threshold value. To isolate the fault, LA transmits a control signal to the CBs connected at the two ends of the distribution line and checks whether the CBs have received this trip signal. In addition, this LA verifies if the current has dropped below its threshold value. In case of cyber-attacks applied on the trip signal, After the fault clearing time has expired, the agent LA sends a message to its neighboring upstream agent to change its control signal and to open its corresponding CBs. In this study, serval agents were implemented: load agents (CA), line agents (LA), and DG agents (DG). Each intelligent agent operates based on the algorithm designed for fault detection, location, and isolation.
- (a)
Fault detection
The agent detects faults based on the current threshold value. It is often between the maximum load current (
ILoadmax) and the minimum fault current (
IFaultmin) [
26]. Consequently, the relay pickup current is stated as follows:
The appropriate LA agent compares the current measured
IM with the
IT threshold value when an electrical failure occurs. Based on the relationship below, LA can determine when a defect has occurred.
Fd is the fault condition, IM is the RMS current measurement at the relay, and IT is the current threshold value.
The circuit breaker status signal is set to 1 (Bs = 1) under normal conditions (No fault), while a trip signal (
Ts = 0) is produced in the case of a fault to open CBs and isolate the affected line.
- (b)
Cyber-attack detection
Based on the previous analysis, the LA agent can combine the fault isolation, detection, and cyber-attack (CA) principle, which is expressed as follows:
The cyber-attack applied to the trip signal is modeled as a temporary deactivation of the protection system by delaying the generation of the signal by the protection system.
- (c)
Fault location technique
Figure 4 illustrates the proposed technique for the fault location and protection system. The current value is measured by the PMUs, which send these data to the LA at the line’s middle position. For fault detection, as data are received from each side, LA calculates the difference between these values and the threshold value using Equation (3). When a fault occurs, the associated LA of the electrical line sends a trip signal to open the corresponding CB to isolate the fault. If the fault is not cleared due to cyber-attacks on the trip signal and the fault persists, LA sends a message to its neighboring agent (CB + 1), which immediately changes its control signal.
Similarly, the control center receives the circuit breaker failure identification to resolve the cyber-attack problem. After isolating the fault, agents exchange data to identify the new system configuration for network restoration and backup protection.
5. Simulation Studies
The proposed technique is tested using a part of the real data power system in Kenitra city of Morocco, as shown in
Figure 5. The 20 kV power distribution is divided into two feeders based on the partition principle proposed by [
18]. Radial configurations with open tie-switches positioned on adjacent feeders are frequently employed to enhance the dependability of the medium-voltage distribution network topologies.
The power distribution system has nine electrical lines, two feeders, six loads, and sixteen circuit breakers (CBs). CBs are closed to act as links between the feeds, except the two generally open switches (CB8 and CB9). A 36MVA 60/20 kV transformer powers each subsystem to lower the voltage from 60 kV to the nominal 20 kV. Under typical working conditions, DG-2 provides subsystem-2 while DG-1 provides subsystem-1.
The distribution network data for testing the proposed technique are given in the following
Table 1.
5.1. Single-Line-to-Ground Fault with the Cyber-Attack
The single-line-to-ground short-circuit fault (Phase A to ground) is applied on line 3 in Feeder 1 at
t = 1.00 s. Since the loads in Feeder-1 are powered by Source-1, the fault current runs through PMUs 1 through 5, excepting PMU 6 (
Figure 6). This indicates that the fault is on line 3, and agent LA 3 detects and locates the fault. In this case, the agent LA 3 triggers a control signal (
Ts = 0) at
t = 1.01 s to open both circuit breakers CB5 and CB6, connected at both ends of line 3, to isolate line 3 from the rest of the network (
Figure 7).
After the fault isolation period has expired, LA3 checks to determine if the current has decreased below the threshold value. Given that the cyber-attack on CB5 has rendered it inoperable (CA = 1) and the fault current continues to flow, LA3 sends a message to its neighboring agent LA2, which immediately switches its control signal from (
Ts = 1) to (
Ts = 0), as shown in
Figure 8, to open the corresponding CB 4 at 1.02 s, thereby removing the fault.
After fault isolation, the corresponding LA3 sends a message containing the attacked circuit breaker’s data (CB5) to the control center to solve the cyber-attacks.
Once the LA2 has cleared the fault, the CB4 is opened by the agent, as shown in
Figure 9, to isolate the fault (line 3), and loads 2 and 3 are also disconnected from the system. The simulation results show that the agent LA3 can properly coordinate with other agents to restore the system after the fault is eliminated, even under extreme conditions. The automatic restoration of load 2 and load 3 and the distribution system’s reconfiguration is made by an interchange of data between the agents.
5.2. Double-Line-to-Ground Fault with the Cyber-Attack
This case study applies a double-line-to-ground fault on line 3, and the cyber-attack is on CB5 in subsystem-1 at
t = 1.00 s. Since power is delivered from source 1 to subsystem-1 loads, the fault current travels via PMUs 1–5, excepting PMU6 (
Figure 10), and the power flow is measured in opposite directions at both ends of the branch, and a short-circuit fault is present on the line. Once the fault is located, agent LA 3 sends a trip signal at
t = 1.01 s to isolate the fault by opening the circuit breakers CB5 and CB6 on both ends of line 3. (
Figure 11).
The agent detects that the trip signal delivered to the circuit breaker CB5 due to the cyber-attack (
) differs from zero after the fault-clearing period. As seen in
Figure 12, LA3 sends a signal to its neighboring agent, LA2, which instantly alters its control signal to open CB3 and CB4 at 1.015 s to clear the fault.
Figure 13 illustrates that when the fault is cleared, no current flows through CB5 and CB6, respectively, from 1.015 s onward. This is because both breakers are tripped properly to remove the fault.
It is evident from the case study that the proposed approach is effective in the event of a communication cyber-attack between the agent and the circuit breaker.
5.3. Three-Phase Short-Circuits Fault without Cyber-Attacks
In this scenario, to evaluate the performance of the proposed technique for fault detection, location, and isolation in the distribution system and automatic power restoration, a three-phase fault is applied in line 3 of subsystem-1 at
t = 1 s (
Figure 14). The fault current measured by the PMU1-5 has passed the threshold value and current measured by PMU6 tends to be zero. This means that the fault is located on line 3, then the LA3 agent detects and locates the fault. As shown in
Figure 15, the agent then produces the control signal to open the relevant CBs (CB5 and CB6) for fault isolation at
t = 1.01 s.
The defect is appropriately identified and eliminated in the quickest period (
t = 0.05 s), as depicted in
Figure 16. After the fault is isolated, load 3 is switched off from feeder 1 to prevent further damage. The data exchange between agents LA3, LA5, and CA3 makes it possible for load 3 to be recovered automatically and for the distribution system to be reconfigured. At a time of
t = 1.052 s, the agent LA5 causes a control signal to be transmitted to trip the circuit breakers CB8 and CB9, as shown in
Figure 17, so that load 3 can be supplied by subsystem 2. In this particular scenario, the open point is located on line 3.
During a fault, the current and voltage of load 3 are depicted in
Figure 18a,b. The duration of a power outage at full load is minimal to prevent system instability. To reconfigure the system, load 3 needs 2 MW of power.
Figure 19a,b shows the output power from both power source units. It can be seen that power source 1 has lost 2 MW of real power while power source 2 has gained 2 MW of real power to satisfy the load’s energy requirements.
Multiple fault types are studied to test the proposed approach to show the efficacy of fault detection, location, and isolation in the presence of cyber-attacks. The study found that the fault position was more precise than the resent [
22]. As a result, the proposed solution was more efficient because it took electrical and cyber-attack failures into account. The outcomes also demonstrate the ability of the suggested protection mechanism to identify and correct various errors that co-occur in the system. Although digital relays detect malicious trips, the proposed approach focuses on local circuit breaker protection. Since effective rules are only sometimes apparent and simple to extract in complex environments, the scalability of rule-based anomalous detection might become a bottleneck if local and wide-area protection were taken into account concurrently.