I. Introduction
During the past decades, Information and Communications Technology (ICT) has been widely adopted and integrated with the power grids. ICT brings many benefits for system operations, controls, engineering and maintenance [1]–[3]. IEC 61850-based digital substations have been installed to replace conventional substations in order to increase the reliability of grid operations. For instance, multi-functional Intelligent Electronic Devices (IEDs) or relays can have higher computational performance than conventional protection relays and devices; e.g., Phasor Measurement Units (PMUs) can send phasor measurements at a rate of 60 or 120 samples per second. Merging Units have 80 or 256 analog/digital sampling points per cycle [4]–[6]. Furthermore, high-speed communication network interfaces enable operators to exchange measurement data and operation commands between the control center and substations within a few milliseconds. Therefore, substation or system operators can have more response time to cope with emergency failure scenarios.
However, the ICT infrastructure of power systems can be both a target and an entry point for cyber attacks. Vulnerabilities in substation or Supervisory Control And Data Acquisition (SCADA) ICT can be exploited by intruders. One of the major threats is the coordinated cyber attack. In [7], risk evaluation of coordinated cyber attacks on power grids has been proposed. As described in [8], a coordinated attack is “An organized cyber disruption disables or impairs the integrity of multiple control systems, or intruders take operating control of portions of the bulk power system such that generation or transmission system are damaged or operated improperly.” In coordinated cyber attacks, attackers may share the same goal. For instance, in a large-scale coordinated cyber attack, one or more attackers may have a well-organized plan to launch multiple cyber attacks in order to compromise the same target [9]. They may find a minimum number of critical substations and compromise them at the same time (e.g., through a direct circuit breaker control attack), and these attacks can be linked with each other. It is crucial to detect coordinated cyber attacks. In the worst case, a loss of multiple substations may lead to a large-scale power outage or blackout.