Cyber-physical event reasoning for distributed energy resources

The widespread adoption of internet-connected and remotely controllable solar plants and energy storages renders coordinated cyber-physical attacks against distributed energy resources (DERs) an emerging risk for power systems. E ff ective incident response can be facilitated by online DER monitoring providing real-time information on event root causes and physical impacts. Such online event identification is challenged by the lack of historical attack observations, and emergence of new attack strategies. The Cy ber-Ph ysical E vent R easoning S ystem CyPhERS provides real-time information on both known and unknown attack types in form of informative and interpretable event signatures, without need to be trained on historical attack samples. To date, CyPhERS has only been demonstrated on a laboratory water distribution testbed of limited complexity, considering human evaluation of event signatures. This work methodologically adapts CyPhERS to specificities of DER operation such as weather and consumer-induced volatility, and introduces an automated signature evaluation system. The feasibility of applying CyPhERS for automated DER monitoring is investigated on a dataset recorded from a real photovoltaic-battery system targeted by several cyber and cyber-physical attack types. The results demonstrate that the proposed methodological adaptations and signature evaluation system enable the application of CyPhERS for automated online identification of di ff erent attack types targeting DERs, while greatly reducing the false positive rate.


Introduction
The transformation towards widespread use of sustainable energy sources is driven by decentralization and electrification.Both the replacement of centralized fossil power plants with renewable generation, as well as the electrification of the mobility and heating sectors are boosting the deployment of distributed energy resources (DERs) such as solar plants, electric vehicles, battery storages and heat pumps.The large-scale adoption of DERs provides benefits beyond decarbonizing energy consumption, including lower transmission costs and improved grid stability through provision of ancillary services [1].Harnessing this potential requires integration with information and communication technology (ICT) for continuous coordination and management of numerous geographically distributed devices.However, the associated connection to public networks and remote control capability, combined with often low security standards [2], render DERs promising targets for cyber criminals.Incidents such as the Mirai botnet attack have demonstrated that a fleet of internet of things (IoT) devices can be simultaneously seized [3].Malicious control of multiple DERs can provoke grid instability by switching the devices simultaneously on or off, rendering coordinated attacks on DERs a serious threat for power system operation [4].In this context, the increasing number of attacks on critical infrastructure underlines the need to support the large-scale deployment of DERs with adequate security mechanisms [5,6].
Attack detection is among the most frequently suggested security measures for DERs [5,7].Once an attack is detected and identified, affected systems and network zones can be isolated, and incident response mechanisms activated.In the light of cyber-physical attacks, timely and appropriate counteractions require real-time information on both root causes and physical impact.Most existing detection concepts exclusively monitor either cyber network traffic or physical process data [7].While cyber network attack detection potentially allows to distinguish several attack types, physical impacts are not identified.In contrast, physical attack detection can determine the attack impact, but not the underlying attack vector.Consequently, some works propose the combined evaluation of operational technology (OT) network traffic and process data [7], and demonstrate the superior performance of such cyber-physical attack identification concepts applying supervised machine learning (ML) [8].However, due to the dependency on historical samples of typically rarely occurring attacks, supervised methods lack practical relevance [9,10].In [11], the authors introduce CyPhERS, a Cyber-Physical Event Reasoning System which exploits advantages of cyber-physical monitoring while being independent of historical attack observations.So far, CyPhERS has only been demonstrated on a laboratory water distribution testbed exhibiting simple repeating process patterns.Moreover, the demonstrated version of the concept requires active involvement of human operators.In the context of DER monitoring, the problem is more complicated due to the pronounced volatility and randomness resulting from dependency on weather and consumer behavior [10].Moreover, especially for small scale DERs, active operator participation is impractical.Thus, this work addresses the following research question: How can real-time information about cyber(-physical) attacks against DERs such as occurrence, type, victim devices, attacker location, and physical impact be provided in an automated fashion, while being independent of historical attack observations?
For this purpose, the present study methodologically adapts CyPhERS to the specificities of DER operation, and introduces an automated signature evaluation system.Key features of the adaptation comprise switching from deterministic to probabilistic models and detection rules as well as considering and monitoring functional, behavioral and abstracting physical target features of a DER.The effectiveness of the adaptations and the automated signature evaluation system is demonstrated on a dataset derived from a real photovoltaic (PV)-battery system targeted by various cyber(-physical) attack types, and is supported by a quantitative performance comparison to the original version of CyPhERS.

Related work
An exhaustive review of literature related to CyPhERS, as well as a conceptual comparison and performance benchmarking with other event identification concepts is provided in [11].This section specifically reviews works on attack detection and identification methods for DERs and other power system applications.These can be broadly divided into methods monitoring the cyber network, physical process or both.

Physical attack detection and identification
Many works propose attack detection applying physics-based models [12][13][14][15][16].The models are used to emulate a DER under normal condition.By evaluating the residual between the model and actual measurements against a threshold, attacks can be detected [17].An advantage of this approach is the independency from attack samples [9].However, accurate modeling might be challenging for DERs with complex architectures (e.g., hybrid power plants) leading to imprecise detection.Moreover, the restriction to a binary detection problem (normal vs. abnormal operation) omits insights on root causes and physical impacts.Data-driven methods constitute another widely considered approach for physical attack detection and identification [7].One argument is generalizability as process representations are automatically learned from data, avoiding expensive manual model development.The majority of works considers supervised approaches such as binary [18,19] and multi-class classification [10,[20][21][22][23].The explicit learning from attack samples, on the one hand, allows to detect and differentiate various cyber-physical attack types based on their physical impact.On the other hand, it renders supervised methods impractical due to the natural scarcity of such data.Other works apply regression or autoencoder models to learn the normal behavior of a DER, and detect attacks by comparing the model with the actual measurements [24][25][26].Similar to the approaches applying physics-based models, the restriction to a binary detection problem makes them of limited use for incident response.

Cyber network attack detection and identification
Among the classical approaches for monitoring DER network data are signature-based intrusion detection systems applying tools such as Snort [27].These can detect and differentiate attacks in case of known attack signatures.Related but newer approaches include supervised detection of attack patterns, for example, firmware modifications in inverter-based microgrids [28].Neither the traditional signature-based nor the newer supervised ML-based methods can detect new attack strategies.Furthermore, they do not provide any information about the physical impact of an attack on the operation of a DER.Another approach is the detection of anomalies in network traffic, known as behavior-based intrusion detection [7].In the recent years, an increasing focus is on ML-based normal behavior reference models, which are compared to actual traffic, allowing to detect anomalies [29][30][31].Although such approaches can potentially detect both known and unknown types of attacks, they do not provide any information other than the occurrence of abnormal network behavior.

Cyber-physical attack detection and identification
As concepts which exclusively monitor either a DER's cyber or physical domain neither can identify both the attack root cause and physical impact nor accurately differentiate between cyber attacks, cyber-physical attacks, network failures, and process faults, many works suggest investigation of cyber-physical detection [7,8,32].Nevertheless, literature on the combined evaluation of process and network data of a DER or other power system applications is rare.The authors of [33] propose joint evaluation of synchrophasor measurements and properties of network traffic applying a multiclass decision tree classifier.In [34], unsupervised anomaly detection is applied to both network traffic and physical process features of a DER.A comparison of cyber, physical and cyber-physical detection in power systems is conducted in [35] by applying both supervised and unsupervised methods for the binary detection problem (normal vs. abnormal operation).The listed works all indicate that the joint monitoring of cyber and physical DER data improves detection performance.However, none of them combines root cause and physical impact identification with independence of historical attack samples.The authors in [11] propose the cyberphysical event reasoning system CyPhERS (see Fig. 1) to close this gap.CyPhERS utilizes a two-stage process to deduce event information, including the occurrence, type, location, and physical impact, from joint processing of network traffic and physical process data in real-time.The first stage generates informative event signatures for both unknown and known types of cyber attacks and physical faults.This is achieved through a combination of several methods including cyber-physical data fusion, unsupervised multivariate time series anomaly detection, and anomaly type differentiation.In the second stage, the event signatures are evaluated either through automated matching with a database of known event signatures or through manual interpretation by the operator.While the authors claim that the evaluation of event signatures can be automated, only manual interpretation is realized to date.Moreover, the concept demonstration is conducted on a simple laboratory water distribution system.Thus, applicability for DER monitoring first needs to be demonstrated.CyPhERS (Cyber-physical event reasoning system)

Contribution and paper structure
The main contributions of this work are as follows: • Methodological adaptation of CyPhERS to the operation of DERs, including switching to probabilistic models and detection rules, as well as monitoring of functional, behavioral, and abstracting target features.
• Introduction and realization of an automated event signature evaluation system in CyPhERS' Stage 2.
• Feasibility demonstration of applying the adapted version of CyPhERS for automated online identification of cyber(physical) attacks targeting DERs on data of a real PV-battery system, including a quantitative performance comparison to the original version.
The remainder of the paper is structured as follows: In Section 2, CyPhERS is conceptually summarized.Section 3 presents the real PV-battery system, attack scenarios and recorded dataset which serve as demonstration case.The methodology of CyPhERS and its adaptation to DER monitoring is detailed in Section 4 together with the implementation for the considered PVbattery system case.In Section 5, results of applying the adapted version of CyPhERS to the demonstration case are presented, including a performance comparison to the original version.Finally, key findings of the demonstration are discussed in Section 6, followed by a conclusion in Section 7.

Introduction of the CyPhERS concept
This section provides a summary of the detailed conceptual introduction of CyPhERS included in [11].The concept of the online event signature creation (Stage 1) is summarized in Section 2.1.Thereafter, Section 2.2 provides a conceptual overview of the signature evaluation (Stage 2).Methodological details of Stage 1 and 2 follow in Section 4.

Online event signature creation (Stage 1)
CyPhERS' Stage 1 (see Fig. 2) combines a range of concepts to produce informative and human-readable event signatures for known and unknown types of attacks and failures in an online fashion.The signatures encompass information including event occurrence, type, location, and physical impact.The applied concepts are introduced in the following.

Fusion of cyber and physical information
A key feature of Stage 1 is the joint monitoring and evaluation of physical process and cyber network data (see Fig. 2).The intention is to describe possible interactions between physical and network processes during detected events by means of the generated event signatures to facilitate the differentiation of cyber attacks, cyberphysical attacks, and physical failures in the subsequent signature evaluation (Stage 2).

Feature-level monitoring
The second concept is the individual monitoring and evaluation of multiple system variables of a DER and the representation of their potentially abnormal behavior in the event signatures.These cover both variables of multiple process or network components of a DER and multiple variables of the same component, as illustrated in Fig. 2. While the former allows to indicate affected DER components in a generated event signature, the latter further specifies abnormal behavior of the concerned device.The monitored variables are derived from sensor readings and OT network traffic, and in the following denoted target features, where I and J represent the physical and network feature subset, respectively.For a target feature c, its time series is given as The extraction of target features and the related proposed methodological adaptations for DER monitoring are further detailed in Section 4.1.

Unsupervised time series anomaly detection using covariates
The third conceptual element of Stage 1 is the utilization of covariate-based unsupervised time series anomaly detection for monitoring the set of physical and network target features within the signature extraction system (see Fig. 2).First, a normal behavior reference model is derived for each target feature.Their predictions are then compared to actual observations to detect abnormal behavior of individual target features.The key argument for applying unsupervised anomaly detection is the independence of historical event observations, which allows to indicate occurrence of both known and unknown event types in the event signatures.The benefit of monitoring target features as time series is the detection of deviations from normal behavior which are only abnormal in a  specific temporal context (local anomalies) [36].Additionally, covariates are used to provide the normal behavior reference models with further DER internal or external information, allowing detection of situational anomalies which are only abnormal in the context of the provided covariates (e.g., detecting abnormal PV feed in context of irradiation).A covariate time series associated with a target feature c is formally denoted Z c = {z c 1 , z c 2 , ..., z c N | z c i ∈ R ∀i} in the following.A detailed description of the applied anomaly detection methodology, including the proposed adaptation for DER monitoring, is provided in Section 4.2.

Differentiation of anomaly types
The fourth key feature of Stage 1 pertains to the differentiation of multiple anomaly types and their representation in the event signatures.Once an anomaly is detected for a target feature c, it is further classified using characteristics such as the direction of the deviation (e.g., abnormally low PV feed).The anomaly types are represented within the generated event signatures by different colors, enabling simple recognition and differentiation by humans (see Fig. 2).This distinction of anomaly types facilitates identification of event root causes and physical impacts in the subsequent signature evaluation (Stage 2).The series of anomaly flags produced by the signature extraction system for a target feature c is represented as The methodology of the anomaly type differentiation is further specified in Section 4.2.

Anomaly flags organization as readable event signatures
The fifth conceptual feature of Stage 1 is the joint visualization of the detection results of all target features as event signatures which can be easily interpreted by humans to identify included information.As previously described, Stage 1 takes multiple domains, system variables, and anomaly types into account to provide dense event information in form of anomaly flag series of a set of target features.To ease readability and information extraction, these flag series are re-organized by grouping them for each system zone of a DER (see Fig. 2).A system zone is defined as a collection of process and network components that are functionally linked (e.g., a battery stack and the associated smart battery inverter).Their logical relation facilitates associating anomaly flags of different target features.Consequently, Stage 1 of CyPhERS generates event signatures that are both rich in information and easily interpretable by humans.

Signature evaluation (Stage 2)
Fig. 3 illustrates the concept of CyPhERS' Stage 2. Stage 2 is concerned with the evaluation of event signatures provided by Stage 1, which can be performed by human operators or automated evaluation systems.The signatures are distinguishable and specific to event types.For known attack or fault vectors, they can be pre-defined and stored in a database.Once Stage 1 detects an event, the provided signature can be compared to the database.If a match is found, information such as the type of event, the affected components, the attacker location, and the physical impact can be retrieved to form a hypothesis about the event.Matching of signatures can be done by visual comparison or an automated evaluation system.One automation approach is the transformation of a pre-defined signature into a set of rules in the following form: flagging of anomaly type 1 in target feature X and type 2 in target feature Y indicates device A being targeted by attack type B causing physical impact C.
Importantly, signatures can also be defined for unknown event types based on partial knowledge, for example, flagging of anomaly type 1 in target feature X indicates device A failure [type unknown] causing physical impact B. Consequently, even without the expert knowledge required to pre-define and recognize signatures of specific event types, or in case of new attack vectors, basic event information such as the occurrence, affected devices, and physical impact can be provided.

Demonstration case description
This section introduces the demonstration case considered for evaluating the effectiveness of the proposed methodological adaptations and automated signature evaluation system for applying CyPhERS for automated online DER monitoring.The demonstration case is based on cyber attack experiments on a real DER system, allowing to evaluate CyPhERS under realistic conditions and without assumptions and simplifications associated with simulation-based studies for the first time.The real PV-battery system which builds the foundation of the demonstration case is detailed in Section 3.1.Thereafter, Section 3.2 describes the considered attack scenarios.Finally, Section 3.3 details the realization of the attack experiments on the real PV-battery system, and the resulting dataset on which the CyPhERS demonstration in Section 5 is based.

PV-battery system
The cyber-physical structure of the considered real PV-battery system is schematically depicted in Fig. 4. The system is located at the Karlsruhe Institute of Technology (KIT), Germany.The system comprises four PV inverters, each with four dedicated solar panel strings (PV1-4), four battery stacks with associated battery inverters (BAT1-4), four energy meters (M1-4), a data manager (DM), and a data server (DS).The communication is based on modbus (MB), transmission control protocol (TCP), address resolution protocol (ARP), and user datagram protocol (UDP).Each battery stack has a capacity of 10.24 kWh and a maximum dis-/charge power of 5 kW.The connected solar panel strings of each inverter have a peak power between 15.50 kW p and 16.74 kW p .While PV1-4 are connected to all phases (L1-L3), BAT1-4 are linked to individual lines (see Fig. 4).The three phases are measured individually by M1-3.In addition, M4 measures all three phases and thus provides measurement redundancy.The PV and battery inverters are connected to the same grid connection point (GCP) as the building load.The load is characterized by typical office building patterns (higher load during working hours, lower on weekends).An additional characteristic are periodic load peaks due to activation of an air compressor.The control objective of the system is to minimize active power exchange with the grid.Consequently, batteries are charged if PV production exceeds the load, and discharged in the opposite case, provided an appropriate state of charge (SOC).As BAT1-4 are connected to individual phases, power flows P L1 -P L3 are controlled separately by a dedicated battery.An exception is P L1 , which is connected to BAT1 and BAT4.
In case that batteries reach its maximum dis-/charging power, the offset on the respective phase is compensated by the other batteries on their phase, which is coordinated by communication among BAT1-4.Fig. 5 illustrates the operation of the batteries on the example of BAT3 for a representative day.At ∼09:30, P L3 changes from grid import to export due to the increasing PV feed.Consequently, BAT3 starts charging to minimize the grid exchange.Between ∼11:00 and ∼17:00, the maximum charging power and SOC of BAT3 are reached, resulting in a deviation of P L3 from zero.At ∼17:00, P L3 changes back from export to import due to the decreasing PV feed.As a result, BAT3 discharges to minimize the grid exchange until it is fully depleted at ∼20:00.The battery controllers receive the required measurements of P L1 -P L3 through subscription to the UDP multicast of the respective energy meter (M1, M2 or M3).The DM collects measurements from solar panels and batteries such as panel and cell temperatures.The DS hosts a custom data visualization software for users and builds the interface to the external network.

Attack scenarios
For the demonstration case, a threat scenario is assumed in which the attacker gained virtual access to the local DER network by hijacking the DS (see Fig. 4).From there she/he launches several cyber and cyber-physical attacks targeting different devices of the PV-battery system.The considered attack types are among the most relevant ones for DERs [10,37,38].The cyber attacks comprise synchronize (SYN) scans and hypertext transfer protocol secure (HTTPS) requests, falling under the category of reconnaissance activities, as well as ARP spoofing used for eavesdropping, which belongs to data collection activities [39].Among the cyberphysical attacks are false data injection attacks (FDIAs), false command injection attacks (FCIAs), and replay attacks, which all intent to alter the power output of the PV-battery system, as illustrated in Fig 6 .In case of the FDIAs, false active power readings are injected in the name of the respective meter, causing an abrupt dis-/charging process of the batteries.The FCIAs comprise shutdown of either PV or battery inverters.For the replay attacks, the attacker repeats valid active power readings of the energy meters, which multiplies the control error and thus results in oscillation of the batteries.Given a simultaneous manipulation of multiple DERs, the considered cyber-physical attacks could provoke a sudden static (FDIA and FCIA) or dynamic (replay attack) load altering in the power system, which can cause congestion as well as voltage and frequency stability issues [40].Attacks with the intent to create power quality disturbances on a millisecond or waveform scale are outside the scope of this work as those cannot be captured with the given data resolution of the considered real PV-battery system (see Section 3.3).

Attack experiments and dataset
The experiments have been conducted in October 2022.After recording the system under normal operation for approximately two weeks, 15 attacks were launched within one day between 10:00 and 17:00 local time (see Table 1).
The data was recorded using port mirroring in form of a passive packet capture of the local network.Both physical process and network traffic features are extracted from the resulting pcap file.The set of considered raw features is listed in Table 2.The physical data have a resolution between one second and one minute, depending on the respective feature.Network data on average comprise 7539 packets per minute.

Methodological adaptation and implementation of CyPhERS
This section details the methodology of CyPhERS with a particular focus on the proposed adaptation for DER monitoring and

Physical target features
According to [11], physical target features are monitored to identify both true physical events and manipulations of processrelevant data.The former requires features which represent the operation of all physical components of the system in question in order to localize the affected ones, and derive the physical impact on them.The latter necessitates monitoring of sensor readings used for process control.Therefore, this work considers physical target features which 1) represent the physical operation of PV1-4, BAT1-4, and M1-3, and 2) monitor the multicasted active power readings required for controlling the batteries.A specificity of DERs is that attacks can directly target the functionality of a component (e.g., switch battery off) or exploit the normal functionality to achieve an abnormal behavior (e.g., control battery to create load oscillation).Thus, this work suggests to extend the original CyPhERS methodology by considering and differentiating both target features that represent either the technical functionality or As a result, a behavioral anomaly is flagged.In case of only monitoring the functionality, the attack impact would not be detected.On the contrary, when solely monitoring the behavior, it could not be determined whether the anomaly stems from device disfunction or misuse.Table 3 lists the extracted physical target features and associated model inputs for the PV-battery system demonstration case. 1 The average active load P fmean is selected as target feature representing the functionality of PV1-4, BAT1-4, and M1-3.In these cases, model inputs exclusively stem from the component's variables and immediate inputs, or data of a redundant device.The behavior of the batteries is represented by P BATi bmean , which is the average active load of the i-th battery modeled based on the time of the day and PV feed.Consequently, anomalies in P BATi bmean indicate abnormal battery behavior given the current time and PV feed.For the energy meters, the absolute sum of the active load readings |P Mi sum | modeled based on P Mi fmean is considered as behavioral feature.As the meters multicast on constant frequency, a sum/mean-mismatch can be a sign for abnormally many or few multicasts, potentially indicating misuse.
The battery operation in the given PV-battery system is influenced by weather and consumer behavior.The associated volatility and randomness potentially complicate the detection of anomalies.For such cases, this work proposes to extend the original CyPhERS methodology by extracting additional features that break down a component's complex behavior to simpler abstractions such as the on/off state.Two such abstracting features are considered for the demonstration case.P BATi osc describes how much power changes the i-th battery conducts in a 15s period.An unusually high value can be an indicator for abnormal load oscillation.Finally, S BATi describes the on/off state of a battery modeled under use of the current time of the day and PV feed.This target feature is supposed to indicate whether a battery is activated during times and PV feeds where it usually is deactivated and vice versa.

Network target features
Following the descriptions in [11], the purpose of traffic monitoring is twofold: 1) localization of compromised network devices, and 2) determination of attack vectors.To achieve the former, the traffic of each network device should be monitored individually.The latter necessitates extracting several informative features per device.Consequently, this work considers multiple network features for the PV and battery inverters, energy meters, DM, and DS (see Table 4).The features comprise counts of packets with specific protocols, TCP flags and MB function codes for periods of 15s.Within the local network of the considered PV-battery system, a variety of protocols are used, which enable certain functionalities, such as communicating process-relevant data (UDP packets from energy meters) or sending control commands (MB packets to battery inverters).Thus, unusual deviations in the packet count of certain protocols can point to specific attack types.Abnormal numbers of packets with SYN flags can be an indicator for adverse connection attempts and is thus taken into account.Finally, packets with function code 4 (read registers) and 16 (write registers) are counted.In particular, abnormal high numbers of packets with function code 16 can be a sign for adverse control commands.In all cases, network target features are modelled using lag values and the time of day as model input.Time of day is an important covariate in OT networks, as certain processes often are regularly conducted at specific times, e.g.every full hour.
Note that a broad spectrum of further useful features can be extracted.For example, the number of ports used within a certain period would provide information to identify port scans.Other features could be derived, among others, from IP/MAC addresses, packet sizes or checksums.However, for the sake of comprehensi-bility of the results in Section 5, only features which are considered most relevant are taken into account.Due to the same reason, only packets sent to a device are taken into consideration in most cases.Exceptions are M1-3 and the DS.As the meters M1-3 multicast process-relevant data, monitoring UDP packets send from them is of importance.Moreover, as the DS is available for users and thus directly connected to the external network, it constitutes a likely target for attackers.Thus, both packets send to and from the DS are monitored.

Signature extraction system
The signature extraction system generates anomaly flags for the set of target features, which eventually form the event signatures (see Fig. 2).The authors of CyPhERS argue for using individual models for each target feature [11].Consequently, the signature extraction system comprises a set of individual anomaly detection and classification pipelines.Among the reasons is the independent selection of covariates, which becomes particularly relevant in context of the previously introduced differentiation between functionality-and behavior-describing target features.
The methodology of the anomaly detection and classification pipelines is explained in Section 4.2.1 with a particular focus on the transformation from deterministic to probabilistic models and detection rules as proposed in this work.After that, Section 4.2.2 addresses the time series models which are used within the pipelines.Finally, the procedure for automated implementation of the signature extraction system and its realization for the given demonstration case is detailed in Section 4.2.3.

Anomaly detection and classification pipelines
As explained in [11], a pipeline comprises a target feature model and consecutive anomaly detector (see Fig. 8).While the model predicts the normal behavior of the respective target feature, the detector compares the predictions with the ground truth observations to decide whether to flag an anomaly.In the original version of CyPhERS, both the predictions and the detector's decision function are deterministic [11].Due to the weather-and consumer-induced randomness and variability of DER operation, modeling of some features is subject to pronounced uncertainties, rendering anomaly detection more challenging.Thus, this work

Anomaly detector
Ground truth (x c t-l ,...,x c t ) Figure 8: Schematic representation of the anomaly detection pipeline of a target feature c based on [11].Packets with read register code send to the device proposes to apply probabilistic time series prediction and decision functions when using CyPhERS for DER monitoring.In this way, the detection sensitivity is dynamically adjusted to the model's current confidence level, which potentially reduces the number of false positives during times of low confidence, and improves the detection of actual events at periods where model confidence is high.For that purpose, the lower quantile q L , median q M , and upper quantile q U are predicted for each target feature.Given where n is the number of covariates, and w the length of the history window.Note that, depending on the target feature, x c t−w , ..., x c t−1 and z c 1,t , ..., z c n,t are only partially used (see Section 4.1).A model is trained to predict xq,c by minimizing the quantile loss function [41] L q ( xc i , The quantile predictions of the target feature are forwarded to the anomaly detector.In the original version of CyPhERS, the detector decides whether to flag an anomaly based on the distance between ground truth observations and deterministic predictions [11].The present work proposes to extend to the distance between the ground truth and the probabilistic prediction interval (PI) [ xq L ,c , xq U ,c ].In this way, the dynamical adaption of the detection sensitivity to the current model's confidence is realized.When a model is certain about its predictions, even small deviations are accounted for.On the other hand, low model confidence (larger PI) will reduce the calculated distance.The distances are averaged over the last l observations according to For the PV-battery system demonstration case, l = 5, q L = 0.01, and q U = 0.99 is selected ∀c ∈ I and J. Based on ε c t and further characteristics of the current target feature observation, different anomaly types are distinguished, which is expressed by the decision function ) and ( Is zero with τ c being a target feature-specific threshold.The anomaly types are further explained in Table 5.Both the direction of an abnormally large deviation and the information about a target feature being zero provides valuable information for identification of event root causes and physical impact.For example, an abnormally high number of UDP packets send by an energy meter may indicate a FDIA, while a PV feed of zero during daytime may points towards a switched off inverter.

Time series models
The authors of CyPhERS suggest the use of specific models for different target feature classes, which includes the use of longshort term memory (LSTM) networks for network traffic features.However, given the computational limitations of small DERs, the use of resource intensive models is impractical.Thus, this work proposes to apply gradient-boosted decision trees (GBDT) [42] for predicting the quantiles ∀c ∈ I and J. GBDT is a frequently applied ML technique, popular for high accuracy and efficiency, which renders them a good fit for the given problem [43].GBDT consists of a set of simple decision trees, which are connected in series.Thus, each of them minimizes the prediction error of the preceding tree.For a detailed explanation, the reader is referred to [42].

Automated model and detector tuning procedure
In [11], the authors of CyPhERS suggest an automated implementation procedure for the signature extraction system, which comprises independent tuning of the individual detection and classification pipelines (see Fig. 9).First step is the training and hyperparameter selection of the GBDT models of all target features.For the PV-battery system demonstration case, selection of hyperparameters is conducted on 75 % of the two-week normal operation data.The tuned hyperparameters and associated search spaces are summarized in Table 6.Next, the anomaly detectors of all pipelines are tuned.For that purpose, the fitted models are used to predict the remaining 25 % of normal operation data.Based on the predictions, the distances test and a threshold factor f , the featurespecific thresholds are determined according to where the threshold factor is selected as f = 1.1 in this work.Therefore, an anomaly within a target feature c at time t is flagged if ε c t exceeds the largest distance during normal operation by at least 10 %.Before the anomaly detection pipelines are applied for online flagging of new observations, the models are retrained on the entire set of historical normal operation data (see Fig. 9).
Finally, the resulting anomaly flag series provided by the individual pipelines are grouped for each system zone to obtain human-readable event signatures as output of CyPhERS' Stage 1.For the PV-battery system demonstration case, the defined system zones comprise PV1-4, BAT1-4, M1-3, DM, and DS.

Signature evaluation (Stage 2)
This section details the methodology of CyPhERS' signature evaluation with a focus on the realization of an automated signature evaluation system, and describes its implementation for the PV-battery system demonstration case.First, the definition of a signature database is addressed in Section 4.3.1,followed by an explanation of the proposed automated signature evaluation system in Section 4.3.2.

Signature database
Signature evaluation in CyPhERS is based on manually or automatically matching the organized anomaly flags of the set of target features provided by Stage 1 with a database of known event signatures [11].The signatures of the attack types included in the demonstration case are depicted in Fig. 10 on the example of selected victim devices and physical impacts.The associated signature descriptions are provided in Table 7.For the sake of conciseness, target features of the same kind are jointly represented in one row in Fig. 10.More precisely, for individual system zones, the various protocol count flags are combined in v n proto , and flags in counts of different MB function codes (v n 16 d and v n 4 d ) in v n fcode .Signatures can also be defined for unknown event types, which then carry reduced information such as indication of affected system zones.For the sake of clarity, however, these are not included in Fig. 10.

Automated signature evaluation
The demonstration of the original version of CyPhERS in [11] includes manual recognition and evaluation of the event signatures provided by Stage 1.In case of larger plants, such as medium voltage level-connected wind and solar parks, visual recognition of event signatures in control rooms may be feasible.However, for smaller resources such as residential PV-battery systems, manual evaluation is impractical.For the sake of proving feasibility of automated signature evaluation, this work formulates and applies a rule-based signature evaluation system which jointly evaluates the most recent flags of all target features within a moving

SYNs
UDPs UDPs The signatures are depicted for selected victim devices and physical impacts.
Table 7: Description of the event signatures of the attack types included in the demonstration case (see Fig. 10).

Attack
Event signature description

Scan
A device (e.g., PV inverter) receives an abnormally large number of TCP packets (v n TCP d = 1) with connection request (v n SYN d = 1) over a longer period.Simultaneously, another device (e.g., DS) sends unusually many TCP packets (v n TCPs = 1) with connection request (v n SYNs = 1).Together, this points towards scanning of a victim device (here, the PV inverter), where the attacker is located on a local device (here, the DS).The lack of anomaly flags in physical target features indicates a pure cyber attack without physical impact.

HTTPS request
A device (e.g., battery inverter) receives abnormally many TLS packets (v n TLS d = 1) over short period, pointing towards a web service call (HTTPS request).Simultaneously, another device (e.g., DS) sends more TLS packets than usual (v n TLSs = 1), which suggests the attacker being located on this device.Parallel increase of TCP packets (v n TCP d = 1) and packets with SYN flags (v n SYN d = 1) due to connection establishment between attacker and victim device.The absence of anomaly flags in physical target features indicates a cyber attack without any physical impact.

ARP spoof
Two devices (e.g., PV inverter and DM) receive abnormally many ARP packets (v n ARP d = 1), while another (e.g., DS) sends more than expected (v n ARPs = 1).This points towards ARP spoofing where the attacker is located on a local device (here, the DS).The two victim devices receive less (or no) UDP packets (v n UDP d = −1 or −2), while the device occupied by the attacker receives more (v n UDP d = 1), which suggests that the communication between the victims is successfully redirected via the occupied device a .Lack of flags in physical features imply eavesdropping instead of manipulation of process-relevant data.

FCIA
A device (e.g., PV inverter) receives an abnormally large number of MB packets (v n MB d = 1) with write register function code 16 (v n 16 d = 1).In parallel, another device (e.g., DS) sends more MB packets than usual (v n MBs = 1).Together, this indicates an attacker sending false control commands to a victim device (here, the PV inverter) from the occupied local device (here, the DS).Parallel increase of TCP packets and packets with SYN flags because of connection establishment between occupied and victim device.Abnormally low and zero PV feed (v P fmean = −2) indicate that the attacker switched off the PV inverter b .

FDIA
An energy meter Mi sends unusually many UDP packets c (v n UDPs = 1) while the absolute sum of its active power readings is too high (v |Psum| = 1).Together this points towards unusual frequent broadcasting of active power readings.The parallel abnormally low mean (v P fmean = −1) indicates false P Mi injection imitating grid exports.For the battery which uses Mi readings, an unusually low mean active power given the current time and PV feed (v P bmean = −1) suggests reaction with charging b .Absence of anomalies in P BATi fmean underlines that the battery accepts the false data and reacts to them in an expected way.

Replay attack
An energy meter Mi sends abnormally high numbers of UDP packets c (v n UDPs = 1), and the absolute sum of its active power measurements is higher than expected (v |Psum| = 1).Together this indicates unusually frequent broadcasting of active power readings.As the mean is normal (v P fmean = 0), no false data is injected, and instead, a replay of valid P Mi readings is likely.Abnormally high power changes (v Posc = 1) of one or more batteries indicates load oscillation due to multiplication of the control error through replaying P Mi values.a Parallel network anomalies for other devices which communicate with the victims possible as victim functionality can be affected by the attack.b Physical impact depends on the malicious control command/injected false data, and the victim device.c Parallel network anomalies for other devices possible due to UDP traffic overloading of those.time window T eval of five minutes.A simplified representation is provided in Algorithm 1.In case that no anomaly is detected (i.e., v c = 0, ∀c ∈ I and J) within T eval , the system predicts normal operation.Given that the flags within T eval match with one of the pre-defined event signatures, the associated event description forms the prediction, for example, FCIA against PV1 from DS with physical impact "PV1 switched off".In case that anomaly flags provided by Stage 1 do not match any of the defined rules, the evaluation system predicts Unknown abnormal behavior.In contrast to the simplified representation in Algorithm 1, additional rules for different variations of specific attack types are defined.For example, Replay attack against meter M1 with physical impact "oscillation" on BAT1 can be with or without parallel traffic overloading of other devices.Further rules predict affected system zones in case of unknown event types, for example, Unknown network anomaly affecting PV2 and DS.Finally, some rules additionally take previous predictions into account.For example, in case of predicting a battery being switched off by a FCIA, information about the injected false command is stored over a time period larger than T eval in order to avoid switching to prediction of a pure physical failure after five minutes.

Demonstration of CyPhERS for DER monitoring
This section first demonstrates results from applying the adapted version of CyPhERS to the experimentally derived dataset of a real PV-battery system, as introduced in Section 3. The included attack types are successively evaluated in Sections 5.1-5.6.Thereafter, a quantitative performance comparison to the original version of CyPhERS [11] is conducted in Section 5.7 to assess the impact of the proposed methodological adaptations.The binary (normal vs. abnormal operation) detection performance is com-pared based on the true and false positive rate according to where N TP , N FP , N P , and N N are the number of true positive, false positive, actual positive, and actual negative observations, respectively.The binary anomaly flags are created following Observations within a 5-minute window after each attack event are excluded from the FPR calculation to avoid considering positive anomaly flags (v binary t = 1) during recovery of the attacked system as false positives, which would bias the performance assessment.
The identification performance is evaluated for each attack type a based on the identification rate according to with N a being the total number of event instances of attack type a and N identified a the corresponding subset of correctly identified instances.

Scanning attacks
The event signatures provided by CyPhERS' Stage 1 during the two scanning attacks are depicted in Fig. 11 together with the predictions of the rule-based signature evaluation system (Stage 2).Note that system zones without flagged anomalies are not depicted in the following.In both cases the provided signatures correspond to the signature of scanning attacks (see Fig. 10).Thus, visual recognition of the signature allows identifying the attack type (scan), victim (PV3 or PV4, respectively), and attacker location (DS) manually.The same predictions are provided by the rulebased system without human interaction.During the first scan, the rule for predicting a scan is not immediately fulfilled, since flagging v n DS TCPs = 1 is delayed.Therefore, the rule-based system initially predicts an unknown network traffic anomaly for PV3 and DS, based on the occurrence of flags in the associated network target features.Fig. 12 exemplifies the advantage of modeling target features with time series models.Since n DS TCP s exhibits normal peaks at full hours, the increase during scanning of PV4 only constitutes a local anomaly which cannot be detected by static thresholds not taking temporal information into account.In contrast, the applied GBDT model allows to detect the scanning-induced local anomaly by learning that peaks should only occur at full hours.

HTTPS request attacks
The provided event signatures and rule-based predictions for the two HTTPS requests are depicted in Fig. 13.Due to a match with the signature of HTTPS requests (see Fig. 10), the attack type can be identified together with the victims (BAT1 and DM, respectively), and attacker location (DS), both through visual signature recognition and the rule-based system.

ARP spoofing attacks
Fig. 14 depicts the provided event signatures and predictions of the rule-based system for both ARP spoofing attacks.The signatures match the one for ARP spoofing (see Fig. 10).Since the associated rules are fulfilled, Stage 2 predicts ARP spoofing attacks from an attacker located on the DS against PV3|DM, and PV4|DM, respectively.As the attacks distract the DM, its UDP communication pattern to non-victim devices is also affected, resulting in parallel network anomaly flags for BAT1 during the first ARP spoof and PV3 during the second.As this behavior is considered as a sub-case of the ARP spoofing signature, and integrated as such in the rule-based system, predictions switch between ARP spoofing with and without parallel traffic distraction of other devices (see Fig. 14).
Algorithm 1 Simplified representation of the proposed rule-based signature evaluation system.
T eval ← Last 5 minutes if all flags in T eval are zero then , and v X P fmean = −2 within T eval then prediction ← FCIA against device X from device Y with physical impact A (here, switch X off) , and v X P bmean = −1 within T eval then prediction ← FDIA against meter M with physical impact A on device X (here, battery charging)  Another event is detected shortly before the second ARP spoof.As the provided anomaly flags do not match with the signature of a known attack, reduced event information (occurrence, affected network device, no physical impact) is provided by Stage 2. This example demonstrates that CyPhERS can automatically provide information such as event occurrence and affected devices also for unknown event types.
To illustrate the prediction and flagging process of the underlying anomaly detection and classification pipelines, some examples are provided in Fig. 15.Fig. 15 (a) represents n PV4 ARP d during the second ARP spoofing attack.It can be noticed that the spoofs result in pronounced global anomalies which are immediately detected.As ARP packets during normal operation occur non-deterministically, the small peaks cannot be learned by the GBDT model.Instead, it puts the PI on a constant level to capture those peaks, which illustrates that the GBDT model approximates a static but accurate threshold in cases without learnable pattern.Fig. 15 (b) shows n DM UDP d during the first ARP spoof.As the DM maintains UDP communication with non-victim devices, the oscillation pattern persists, however, on a lower level.The level decrease is detected by the underlying pipeline.Fig. 15 (c) depicts an excerpt of the UDP traffic distraction of BAT1 during the first ARP spoof.It can be seen that the distraction only expresses as a local and short pattern interruption without specific traffic increase or decrease.

False command injection attacks
Fig. 16 depicts the event signatures of Stage 1 and predictions of Stage 2 during the four FCIAs.In all cases, the provided signatures match the FCIA signature (see Fig. 10), allowing to identify the attack type, victims, attacker location, and physical impact, as the rule-based predictions indicate.Fig. 17 illustrates the detection of false commands on the example of n DS MB s during the FCIA against PV1.The underlying GBDT model successfully learned the normal peaks at full hours.Moreover, it understands that small positive peaks are usually followed by negative ones.As the injection of false commands is not followed by a negative peak, the larger distance between prediction and ground truth results in an anomaly flag.
The yellow or orange flags (v = − 2 or 2) in the physical target features indicate that the attacker switched off the respective victim device.The detection of the physical impact is exemplified on the FCIAs against PV1 and BAT32 in Fig. 18.It can be noticed that modeling of physical target features is subject to larger uncertainties compared to network traffic modeling.As a result, smaller physical impacts may be missed by some features as, for example, the case for v P BAT4 fmean and v P BAT4 bmean during the FCIA against BAT4.Note that, on the abstraction level of the battery state S , the switch-off is detected, which highlights the importance of such abstracting target features for applying CyPhERS for DER monitoring, as proposed in this work.

False data injection attacks
Fig. 19 depicts the provided event signatures of Stage 1 and predictions of the rule-based system (Stage 2) during the FDIAs.As the signatures during all three attacks correspond to the ones of FDIAs (see Fig. 10), attack type, victim device, and physical impact can be derived through visual signature recognition or automated rule-based predictions.Since the batteries accept the injected false data and react to them in an expected way, no disfunctionality is flagged (v P BATi fmean = 0).At the same time, anomaly flags in v P BATi bmean indicate untypical battery behavior given the current time of the day and PV feed 3 .While blue flags (v P bmean = − 1) indicate abnormal charging, red flags (v P bmean = 1) point towards unusual discharging.This example underlines the importance of considering both functional and behavioral target features for identification of the physical attack impact in case of DER monitoring, as suggested in this work.

Replay attacks
The event signatures of Stage 1 and predictions of Stage 2 during the two replay attacks are depicted in Fig. 20.During both attacks, anomalies are flagged in almost all system zones as the network devices are distracted by processing the large number 3 Note that v BAT3 S = 1 during the first FDIA indicates that BAT3 was first activated by the attack.   of replayed energy meter multicasts.In this case, visual recognition of specific attack patterns is challenging.In contrast, the rule-based system quickly identifies the signature as the associated rules are still fulfilled.Since parallel traffic flooding is integrated into the rule-based system as a sub-case of the replay attack signature, Stage 2 predicts the attack type, victim device, and physical impact along with network flooding.The correct identification of affected batteries and the physical impact on them is the result of incorporating abstracting target features, as proposed in this work (load oscillation of BATi indicated by v P BATi osc = 1).The batteries which are controlled based on the replayed power readings oscillate between full charging and discharging power.Since they reach their maximum power limits, the other batteries take over, as explained in Section 3.1, and thus, begin to oscillate as well.However, since BAT1 and BAT4 are fully discharged during the second attack, no oscillation is indicated for them.
Towards the end of the second replay attack, the inverter in PV3 crashes since it cannot process the large number of packets as pointed out by the yellow flags in the network target features.Shortly after, v P PV3 fmean = − 2 indicates that also the feed of the associated solar panel string is interrupted.

Performance impact of the methodological adaptations
Table 8 provides a performance comparison of applying the original and adapted version of CyPhERS to the dataset of the considered PV-battery system demonstration case.The adapted version achieves a significantly lower false positive rate.This improvement is mainly caused by the switch to probabilistic models and detection rules, which enable automatic reduction of the detection sensitivity at times of low confidence of the prediction model due to randomness and volatility in DER operation, thus, reducing false positives.From the identification rates in Table 8, it can be further seen that the identification of cyber attacks without physical impact (Scan, HTTPS, and ARP spoof) can be achieved  based on the event signatures of both CyPhERS versions with comparable performance.However, the original CyPhERS fails to provide informative signatures for the identification of the cyber-   physical attacks (FCIA, FDIA, and replay attack) in most cases.The FCIAs against BAT3 and BAT4 cannot be identified as the abnormal battery operation is not detected and described in the provided signatures, which is due to two reasons: 1) The lower sensitivity of the deterministic detection approach at times of high model confidence, and 2) the lack of abstracting physical target features that break down modeling complexity of the battery operation, such as the on/off state of a battery.Finally, the FDIAs and replay attacks cannot be identified by evaluating the event signatures of the original CyPhERS version due to the lack of behavioral target features which indicate misuse of the normal battery functionality, for example, oscillation during replay attacks.

Discussion
In this section, the results of applying CyPhERS for DER monitoring are discussed and put into a wider perspective.
6.1.Applicability of CyPhERS for monitoring of DERs and other power system applications The results in Section 5 demonstrate that the proposed methodological adaptations and realization of an automated signature evaluation system enable application of CyPhERS for automated online DER monitoring.During all considered attacks, CyPhERS' Stage 1 provides event signatures which are automatically associated with the correct attack type, victim device, attacker location, and physical impact in Stage 2. In particular, the significant reduction of false positives and increased identification rate for cyberphysical attacks compared to the original version of CyPhERS (see Table 8) demonstrate the effectiveness of the proposed methodological adaptations, namely the 1) application of probabilistic models and detection rules, 2) differentiation of functionality-and behavior-describing physical target features, and 3) consideration of abstracting target features such as the on/off state of batteries.Given the complexity of the considered PV-battery system demonstration case, applying CyPhERS to other power system applications, including substations and energy communities, is considered possible.A potentially limiting factor for resource-constrained systems is the linear dependency between the number of models and target features.Thus, careful selection of monitored features is of high relevance for minimizing the computational burden of CyPhERS.

The role of ML in CyPhERS
In CyPhERS, ML is used to model target features and eventually provide the indicator for deciding whether an observation is normal or abnormal.The results in Section 5 demonstrate that ML allows to detect complex local anomalies which are only abnormal in a specific temporal or situational context (see, for example, Fig. 17).In case of some target features, similar detection results could be achieved with simpler methods.For example, the global anomaly in n ARP d during ARP spoofs (see Fig. 15 (a)) could be detected with a pre-defined static threshold.However, ML allows to generalize and automate modeling of target features and definition of detection rules.Thus, even in cases where simpler methods can achieve the same performance, ML is advantageous as it avoids manual effort, which is particularly relevant for larger numbers of target features.Furthermore, through regular retraining, the models automatically adapt to changes such as new consumer behavior.

Uniqueness of event signatures
For the sake of conciseness and readability, the number of target features (in particular network features) is limited in this work.Many other relevant features which are, for example, based on port numbers or MAC and IP addresses are neglected.Moreover, other information sources are fully excluded.These include human interactions with the system (e.g., maintenance activities), and system logs.Consequently, some of the event signatures may be explainable by other incidents as well.For example, the pattern of a FCIA may also result from the rare event of switching off inverters for maintenance.If models are informed about such activities, these events can be distinguished.Thus, for implementation outside an academic environment, all relevant target features should be taken into account, in order to guarantee uniqueness of the event signatures.

Integration into a distributed attack detection system
The steadily growing number of solar plants, battery storages, and electric vehicles makes coordinated malicious control of DER fleets an emerging opportunity for large-scale attacks against power systems.CyPhERS could provide the foundation of a bottom-up security architecture for power systems, which identifies such threats in a timely and reliable manner.Attack reports of multiple distributed CyPhERS systems could be aggregated and jointly evaluated by a cyber security incident response team (CSIRT).The CSIRT could then inform affected transmission or distribution system operators about cyber incidents in their area, including information on location, capacity and type of affected energy resources, to enable incident response such as isolation of affected DERs.

Conclusion
This work adapts and evaluates the Cyber-Physical Event Reasoning System CyPhERS for automated online DER monitoring.CyPhERS is a two-stage process, where Stage 1 generates informative and interpretable signatures from an online evaluation of physical process and network traffic data, which are evaluated in Stage 2 to conclude on event root causes and physical impacts.Among the key strengths are the independence of historical event observations, and capability to provide information on cyber, physical and cyber-physical event types.To enable applicability of CyPhERS for DER monitoring, this work proposes and realizes several methodological adaptations for Stage 1, including 1) switching to probabilistic models and detection rules, 2) differentiating functional and behavioral target features, and 3) describing complex DER behavior via abstracting target features.Moreover, a rule-based system is formulated and implemented to automate signature evaluation in Stage 2. The applicability of the adapted version of CyPhERS for DER monitoring is evaluated on a dataset which describes several cyber and cyber-physical attack types targeting a real PV-battery system.The results demonstrate that the proposed methodological adaptations and rule-based signature evaluation system enable CyPhERS to automatically infer attack occurrence, type, victim devices, attacker location, and physical impact in all considered attack scenarios.The effectiveness of the methodological adaptations is particularly evident in significantly higher identification rates for cyber-physical attacks, and a reduction of the false positive rate from FPR = 0.15 to 0.02.

Figure 4 :
Figure 4: Illustration of the real PV-battery system considered for demonstrating the application of CyPhERS for DER monitoring.

Figure 5 :
Figure 5: Illustration of the operation of the batteries on the example of BAT3.

Figure 6 :
Figure 6: Physical impact of the considered cyber-physical attacks.

Figure 10 :
Figure 10: Event signatures of the attack types included in the demonstration case.The signatures are depicted for selected victim devices and physical impacts.

Figure 11 :Figure 12 :
Figure 11: Event signatures provided by CyPhERS' Stage 1 and predictions of the rule-based signature evaluation system (Stage 2) during the scan attacks.

Figure 13 :
Figure 13: Event signatures provided by CyPhERS' Stage 1 and predictions of the rule-based signature evaluation (Stage 2) during the HTTPS requests.

Figure 14 :
Figure 14: Event signatures provided by CyPhERS' Stage 1 and predictions of the rule-based signature evaluation system (Stage 2) during the ARP spoofs.

Figure 15 :
Figure 15: Ground truth, prediction (98 % PI and median), and anomaly flag for (a) n PV4 ARP d during second ARP spoof, (b) n DM UDP d during first ARP spoof, and (c) n BAT1 UDP d

Figure 16 :Figure 17 :
Figure 16: Event signatures provided by CyPhERS' Stage 1 and predictions of the rule-based signature evaluation system (Stage 2) during the FCIAs.

Figure 19 :
Figure 19: Event signatures provided by CyPhERS' Stage 1 and predictions of the rule-based signature evaluation system (Stage 2) during the FDIAs.

Figure 20 :
Figure 20: Event signatures provided by CyPhERS' Stage 1 and predictions of the rule-based signature evaluation system (Stage 2) during the replay attacks.

Table 1 :
Schedule of the attack experiments.In this section, the extraction of target features and covariates from raw data of a DER is presented.Physical and network target features are addressed sequentially in the Sections 4.1.1 and 4.1.2.
get features.Thereafter, the signature evaluation (Stage 2) is explained in Section 4.3, which involves introduction of the proposed automated signature evaluation system.Along the methodological description of Stage 1 and 2, details on the implementation to the PV-battery system demonstration case are provided.4.1.Target feature and covariate extraction

Table 2 :
Raw network and process features considered in the demonstration case.Figure 7: Comparison of functionality-and behavior-describing target features on the example of a physical "attack" where PV panels are covered.behavior of DER components.Whether a target feature is functional or behavioral depends on the model inputs (target feature lags and covariates).More precisely, even a model of the same feature can represent either the functionality or behavior depending on the input, as demonstrated in Fig.7.In the depicted example, the attacker wants to create a sudden change of the PV feed.
Instead of directly damaging the plant, the attacker uses the normal functionality (reduced feed if less sun) to launch the attack.The functionality model uses the local Ir measurement as input and predicts the expected feed reduction.Thus, no functional anomaly is flagged.The behavior model uses an external Ir measurement which results in a deviation between the predicted and actual feed.

Table 3 :
Overview of physical target features extracted for the PV-battery system demonstration case.time step τ 60 the mean value is determined as average over the N τ60 data packets carrying P PVi within τ 60 according to P PVi mean,τ60 = PVi p /N τ60 .Anomalies in P PVi fmean can indicate disfunction of the i-th solar panel string or its inverter.60 the mean value is determined as average over the N τ60 data packets carrying P BATi within τ 60 according to P BATi mean,τ60 = time step τ 5 the mean value is determined as average over the N τ5 data packets carrying P Mi within τ 5 according to P Mi mean,τ5 = BATi mean,τ+ f |, where τ is the start time of τ 15 .Anomalies in P BATi osc can indicate oscillation of the i-th battery.Mi p .Anomalies can indicate abnormal behavior of the i-th meter given the current P Mi mean (sending abnormally many or few packets carrying P Mi ).
For every τ 60 the on-off state (S BATi τ60 ∈ [0, 1]) is determined.Anomalies may indicate that BATi is unexpectedly online/offline given the current time of day and PV feed.mean , time of day Behavioral For every τ 60 the mean value is determined as average over the N τ60 data packets carrying P BATi within τ 60 according to P BATi mean,τ60 = p /N τ60 .Anomalies can indicate abnormal behavior of BATi given the current time of day and PV feed.mean Behavioral For every τ 5 the absolute sum is determined as |P Mi sum,τ5 | =

Table 4 :
Overview of network target features extracted for the PV-battery system demonstration case.Indices s and d refer to source and destination, respectively.Packets are counted for 15s periods.

Table 5 :
Definition of considered anomaly types.

Table 6 :
Hyperparameters and search spaces of the GBDT models.
a Only for target features considering lag values.
and v X P osc = 1 within T eval then prediction ← Replay attack against meter M with physical impact A on device X (here, battery oscillation) else prediction ← Unknown abnormal behavior

Table 8 :
[11]arison of the original[11]and adapted version of CyPhERS.Version TPR FPR IR Scan IR HTTPS IR Spoof IR FCIA IR FDIA IR Replay