Real-time detection of insider attacks on substation automation systems using short length orthogonal wavelet filters and OPAL-RT
Authors: M. Oinonen, W.G. Morsi
Journal: International Journal of Electrical Power & Energy Systems, Volume 162, Article 110311
Publication date: 2024-10-17
Publication type: Journal Article
DOI: 10.1016/j.ijepes.2024.110311
URL: https://www.sciencedirect.com/science/article/pii/S0142061524005349
Impact factor: 5.0
JCR: Q1 (ENGINEERING, ELECTRICAL & ELECTRONIC)
Citations: 0
Abstract
Substation Automation Systems (SASs) integrate communication networks with physical equipment and are vulnerable to cyberattacks. A subset of these attacks, namely Insider attacks, are launched from knowledgeable insiders and therefore they are typically difficult to detect. This paper presents a new method for detecting and classifying Insider cyberattacks as well as power disturbances on SASs using short-length orthogonal wavelet filters in real-time using an OPAL-Real-Time (OPAL-RT) simulator. An Intrusion Detection System (IDS) is proposed in which custom-designed wavelet filters of short length are developed to better extract both the network and physical data of the SASs into time–frequency spectrograms. The advantage of using the short length filters is to provide fast detection of these time-sensitive Insider attacks and disturbances in real-time, which is a key requirement for mitigation to be possible. The generated spectrograms are fed to a Convolutional Neural Network (CNN) that automates the classification process. An experimental dataset is developed from real-time testing using OPAL-RT that implements several types of cyberattacks including Insider attacks and other popular attacks such as Denial-of-Service and False Data Injection as well as challenging attacks such as Replay and Message Suppression attacks. The results of experimentally testing the proposed method in real-time using OPAL-RT demonstrate that the use of the short-length custom-designed orthogonal wavelet filters achieves a detection accuracy of 97.37 % compared to other methods as well as a low runtime of 33.786 ms.
About the journal:
The journal covers theoretical developments in electrical power and energy systems and their applications. The coverage embraces: generation and network planning; reliability; long and short term operation; expert systems; neural networks; object oriented systems; system control centres; database and information systems; stock and parameter estimation; system security and adequacy; network theory, modelling and computation; small and large system dynamics; dynamic model identification; on-line control including load and switching control; protection; distribution systems; energy economics; impact of non-conventional systems; and man-machine interfaces.
As well as original research papers, the journal publishes short contributions, book reviews and conference reports. All papers are peer-reviewed by at least two referees.