Non-Intrusive Hybrid Two-Stage Detection of Dynamic Attacks in Wide-Area Damping Controller Using Autoencoder and Unscented Kalman Filter with Unknown Input Estimation

Wide-area damping controllers (WADCs) help in damping poorly damped inter-area oscillations (IAOs) using wide-area measurements. However, the vulnerability of the communication network makes the WADC susceptible to malicious dynamic attacks. Existing cyber-resilient WADC solutions rely on accurate power system models or extensive simulation data for training the machine learning (ML) model, which are difficult to obtain for large-scale power system. This paper proposes a novel non-intrusive hybrid two-stage detection framework that mitigates these limitations by eliminating the need for real-time access to large system data or attack samples for training the ML model. In the first stage, an autoencoder is deployed at the actuator location to detect dynamic attacks with sharp gradient variations, e. g., triangular, saw-tooth, pulse, ramp, and random attack signals. In the second stage, an unscented Kalman filter with unknown input estimation at the control center identifies smoothly varying dynamic attacks by estimating the control signal received by the actuator using synchrophasor measurements. A modified cosine similarity (MCS) metric is proposed to compare and quantify the similarity between the estimated control signal and the control signal sent by the WADC placed at the control center to detect any dynamic attacks. The MCS is designed to differentiate between events and dynamic attacks. The performance of the proposed framework has been validated on a hardware-in-the-loop (HIL) cyber-physical test-bed built by using the OPAL-RT simulator and industry-grade hardware.