Detecting and Mitigating Denial of Service Attacks on Wind Farms Utilizing Averaging and ARIMA

Academic year: 2021

Master's Thesis

Detecting and Mitigating Denial of Service Attacks on Wind Farms Utilizing Averaging and ARIMA

A Simulation Approach

MSc Supply Chain Management

Faculty of Economics and Business
University of Groningen

Author: Aljoscha Bock
Student number: S3890864
1st Supervisor: Dr. Evrim Ursavas
2nd Supervisor: Dr. Ilke Bakir
Co-assessor: Dr. Murat Yildirim

Abstract

Due to global warming and sustainability concerns, wind energy is increasingly gaining relevance in the electricity generation industry. The increased use of networked monitoring systems in wind farms creates a growing risk of cyber-attacks, such as widely used Denial of Service (DoS) attacks, which overload and crash a system causing loss of control and, especially for offshore wind farms, expensive maintenance. In order to ensure further growth of the wind farm industry, potential costs of a DoS attack need to be lowered by developing strategies to detect an attack and immediately mitigate its consequences.

This thesis suggests utilizing averaging of non-attacked turbines’ power outputs to predict suspicious turbines’ power outputs in order to detect and mitigate DoS attacks on homogeneous and heterogeneous wind farms, while being modified for the latter by means of historical deviations. By simulating successful DoS attacks on wind farms while applying averaging and autoregressive integrated moving average (ARIMA) models, averaging was verified to perform well in homogeneous wind farms, slightly worse in heterogeneous wind farms and significantly better than ARIMA models in heterogeneous wind farms.

With the proposed detection algorithm, averaging performed with a mean share in missed detections of relevant attacks of 23.89% and on average 0.115 false detections in homogeneous wind farms, and 33.75% missed detections and 0.265 false detections in heterogeneous wind farms in three simulated months. ARIMA was proved to perform significantly worse with a mean of 41.29% missed detections and 3.245 false detections in the same period.

It is further demonstrated that the performance of averaging and ARIMA as a mitigation method is not influenced by the type of DoS attack in terms of duration (2 h, 10 h or 24 h) or percentage of turbines being attacked (5%, 10%, 15%), but negatively influenced by weather data noise among turbines. For heterogeneous wind farms, modified averaging performed significantly better than ARIMA, while achieving on average a 40.43% lower maximum error, 91.67% lower mean error, 39.39% lower mean absolute error, 62.07% lower mean squared error and 38.88% lower mean absolute percentage error than ARIMA.

Table of Contents

1. Introduction
2. Theoretical Background
2.1 Offshore Wind Farms
2.2 Denial of Service (DoS) Attacks
2.3 Contribution
3. Methodology
3.1 Conceptual Framework
3.2 Simulation Model
3.2.1 Technical Requirements, Notations and Assumptions
3.2.2 Basic Model
3.2.3 DoS attack, detection and mitigation
4. Computational Experiments
4.1 Detection
4.1.1 Setup
4.1.2 Results
4.2 Mitigation
4.2.1 Setup
4.2.2 Results
5. Discussion
5.1.1 Findings
5.1.2 Limitations
5.1.3 Directions for Further Research
6. Conclusion
References

List of Figures

Figure 1: Historical development of total wind energy installations
Figure 2: Conceptual framework
Figure 3: Basic steps of the simulation model
Figure 4: Exemplary power curve of a turbine
Figure 5: Wake effect approach used in the simulation model
Figure 6: Exemplary power output graph with three turbines in a homogeneous wind farm
Figure 7: Additional steps of the simulation model
Figure 8: Proposed detection algorithm utilized in step seven of the simulation model
Figure 9: Optimal critical range as a function of the SD of noise for the detection algorithm

List of Tables

Table 1: Computation time per simulation run and number of runs for each sub-experiment
Table 2: Detection results for homogeneous wind farm utilizing averaging
Table 3: Detection results for heterogeneous wind farm utilizing modified averaging
Table 4: Detection results for heterogeneous wind farm utilizing ARIMA
Table 5: Mitigation results for homogeneous wind farm utilizing averaging
Table 6: Mitigation results for heterogeneous wind farm utilizing modified averaging
Table 7: Mitigation results for heterogeneous wind farm utilizing ARIMA
Table 8: Average mitigation results among all scenarios for each prediction method

List of Appendices

Appendix 1: Libraries used in the simulation model
Appendix 2: Structure of weather data in the CSV file with one exemplary entry
Appendix 3: Notations used to describe the simulation model
Appendix 4: Overview of the most important assumptions made in the simulation model
Appendix 5: Exemplary power outputs of three turbines in a heterogeneous wind farm
Appendix 6: Exemplary mitigation of one attacked turbine by averaging
Appendix 7: Exemplary mitigation of one attacked turbine by modified averaging

List of Abbreviations

ARIMA – Autoregressive integrated moving average
CSV – Comma-separated values
DDoS – Distributed Denial of Service
DoS – Denial of Service
GW – Gigawatt(s)
MAE – Mean Absolute Error
MAPE – Mean Absolute Percent Error
MSE – Mean Squared Error
MW – Megawatt(s)

1. Introduction

Due to the negative effects of fossil fuel consumption on the environment, more renewable and sustainable solutions, such as wind energy, are gaining relevance, in order to satisfy an increasing demand of power (Arshad & O’Kelly, 2019; Saidur, Islam, Rahim, & Solangi, 2010). Recently, wind energy evolved into a large industry with high capacities, still being predicted to grow further (GWEC, 2019). To take advantage of greater space and higher wind speeds (Pereira & Castro, 2019), the wind power sector started moving offshore (Bilgili, Yasar, & Simsek, 2011; Esteban, Diez, López, & Negro, 2011; Markard & Petersen, 2009). The exponential growth of wind energy generation and its offshore part, forming 4% of total wind energy installations in 2018 (GWEC, 2019), is illustrated in Figure 1.

Figure 1: Historical development of total wind energy installations (self-illustrated based on data from GWEC (2019))

Due to the growing contribution of wind farms to power generation, the risk of a turbine malfunction is more relevant to the management of supply chains than ever before, as reliable supply of electricity is crucial for numerous operations in nearly every supply chain. For example, without electricity, a production site is no longer able to operate according to its schedule, since machines do not work without power supply. Similarly, a power failure may also lead to traffic chaos due to non-functioning traffic lights, causing transportations to be delayed. These supply chain disruptions could compromise all parts of a supply chain and lead to severe performance losses.

Cyber-attacks serve as an example of supply chain disruptions, since they can, for instance, shut down power systems (Li et al., 2012) and thus should be considered as a severe threat in the wind farm industry.

Technological progress led to an increasing number of cyber-attacks in general causing greater damages than ever before (Bendovschi, 2015). Past examples demonstrate the threat and potential impact of cyber-attacks on power systems (Negrete-Pincetic, Yoshida, & Gross, 2009). In August 2003, unbalanced loads and the lack of effective real-time diagnosis provoked an electrical blackout in North America, affecting 100 power plants and causing a total damage of US$ 10 billion (Li et al., 2012). Cyber-attacks could be responsible for the aforementioned imbalances. This was demonstrated in an experiment, conducted by the U.S. Department of Defense, in which a replicated power plant control system was hacked by means of a cyber-attack, causing one generator to destroy itself (Meserve, 2007). Recently, a renewable energy provider in Utah was hit by a first-of-its-kind cyber-attack causing grid operators to lose connection to several wind and solar farms (Sobczak, 2019). Although the aforementioned incident did not affect any operation, all these examples demonstrate the potential impact of cyber-attacks on power systems, such as offshore wind farms, and point out the relevance of reliable electricity generation and control.

In current literature, cyber-attacks on power grids are well researched. Several options to reveal security vulnerabilities and to increase the safety of power grids are available. However, in the context of wind farms, only a few studies have investigated the impact of cyber security concerns (Wu et al., 2019). Hence, the consequences as well as levels of risk in terms of blackouts and costs are uncertain (Stamp, McIntyre, & Ricardson, 2009). As a result of the upward trend of wind energy and network systems, cyber security is becoming increasingly relevant. Denial of Service (DoS) attacks count as the most likely imminence to steer a system (Byres, 2004). Furthermore, Carl, Kesidis, Brooks and Rai (2006) list DoS attacks as one of the most expensive security threats. DoS attacks aim at overloading the attacked system by extensively sending requests to eventually cause the system to deny its service (Ashok, Hahn, & Govindarasu, 2014). The recent incident in Utah (see above) serves as a serious example of this type of attack (Sobczak, 2019).

Mitrokotsa, 2004; Long, Wu, & Hung, 2005). Consequently, it needs to be examined which strategies might help to detect and subsequently mitigate successful DoS attacks in the specific context of wind farms. Due to hampered accessibility and higher maintenance costs of offshore wind farms compared to onshore wind farms (Pereira & Castro, 2019), these might be particularly endangered by DoS attacks.

This thesis contributes to existing literature by testing and comparing different methods to detect and mitigate successful DoS attacks on wind farms by means of numerous simulations. The effectiveness of each technique in contributing to reliable energy supply and, therefore, functioning supply chains worldwide is determined. Literature is currently lacking these crucial insights for wind farm operators and further research in order to ensure further growth of the wind energy sector.

Firstly, an algorithm to detect a successful DoS attack on power output sensors of a wind farm is proposed and tested in several simulations utilizing averaging of non-attacked turbines’ power outputs to predict expected power outputs of suspicious turbines, to be compared to their actual outputs. Secondly, this averaging approach is applied as a DoS attack mitigation technique to calculate power outputs that are missing due to the on-going attack. Both experiments are conducted for homogeneous wind farms, where all turbines are identical in terms of their efficiency factor (using simple averaging), and heterogeneous wind farms, where turbines differ (using a modified averaging approach considering the variety among turbines). For heterogeneous wind farms, averaging as a method to detect and mitigate DoS attacks on turbines’ power output sensors is compared to autoregressive integrated moving average (ARIMA) models.

Thus, this thesis addresses the following research question:

“How effective are averaging and ARIMA models as detection and mitigation methods to counteract a successful DoS attack on homogeneous and heterogeneous wind farms?”

2. Theoretical Background

This section starts by briefly illuminating the development of offshore wind farms and their consequentially evolving cyber risks. Afterwards, the purpose and functionality of DoS attacks in general, including defense strategies from literature, are clarified. Finally, the research gap and this thesis’ contribution toward it are highlighted.

2.1 Offshore Wind Farms

The main driver for the upward trend of the wind farm industry is the ongoing debate about climate change (Wang & Wang, 2015), primarily caused by air pollution (Ramanathan & Feng, 2009). Wind energy is deemed to be a clean and renewable source of energy while being the fastest growing power source in the whole world (Saidur et al., 2010).

Compared to other means of power generation, wind farms offer unique characteristics, such as the wake effect, which describes the power loss of a turbine operating in the wake of another turbine (Adaramola & Krogstad, 2011). Depending on the distance between the turbines as well as their operating conditions, this loss was found to be significant with up to 45% of the power output of downstream turbines (Adaramola & Krogstad, 2011).

While moving offshore, the total capacity installed seawards exponentially increased from two gigawatts (GW) in 2009 (Esteban et al., 2011) to 23 GW in 2018 (GWEC, 2019). Since offshore wind farms are installed in the sea, they also offer new challenges regarding their accessibility and servicing, like stronger wind, waves, sea currents and sometimes even floating ice (Anaya-Lara, Campos-Gaona, Moreno-Goytia, & Adam, 2014). Pereira & Castro (2019) point out that “due to the lack of surrounding obstacles, wind is much less turbulent in the sea” (p. 750), which results in higher wind speeds and, thus, higher power production at offshore wind farms. However, the authors also highlight higher investment, operation and maintenance costs compared to onshore wind farms (Pereira & Castro, 2019). Thus, high reliability of offshore wind turbines is of the utmost importance, and maintenance should be kept at a minimum in order to ensure a steady and cost-effective power supply.

In order to control, measure and monitor the electric power grid, smart grid technologies are used, which constantly increase in complexity due to information communication technologies, such as supervisory control and data acquisition (SCADA) systems (Ilić, Xie, Khan, & Moura, 2010). By that, smart power grids become dependent on their cyber infrastructure, leading to an increase in threats of cyber-attacks, motivated by different reasons like terrorism, geopolitics, criminality, or social issue driven organizations (Sánchez, Rotondo, Escobet, Puig, & Quevedo, 2019). Communication and computation infrastructure, such as the connection between sensors and turbines in a wind farm, may allow attackers to manipulate data flows or systems (Ashok et al., 2014). Amin, Cárdenas and Sastry (2009) state that a successful attack on such control networks can be more severe than on other networks, since control networks form the center of many critical infrastructures. This applies to wind farms as well, since turbines’ power output sensor readings are crucial for managerial decision-making and control.

This thesis differentiates between homogeneous and heterogeneous wind farms. In homogeneous wind farms, all turbines are assumed to be identical, following the same underlying process with an equal efficiency factor. Contrary to that, heterogeneous wind farms consist of turbines differing from each other in terms of their efficiency factor. In reality, this could occur due to different types of turbines, a different age or varying maintenance intervals.

2.2 Denial of Service (DoS) Attacks

This subsection explains how present literature defines DoS attacks and which methods are currently used to detect and mitigate them.

Distributed Denial of Service (DDoS) attacks represent a specific type of DoS attack, which basically works in the same way but is executed through a botnet instead of a single host (Douligeris & Mitrokotsa, 2004). This botnet may consist of hundreds of remotely controlled computers (Kaur, Kumar, & Bhandari, 2017).

In order to defend a system against a DDoS attack, Douligeris & Mitrokotsa (2004) classify four activity phases, namely prevention, detection, response, and mitigation. Due to the similarity between DoS attacks and DDoS attacks, this thesis proposes this classification to be applicable to DoS attacks as well. Prevention refers to preventing attacks from being launched and detection aims at detecting active attacks. In the response phase the attack source is identified, while its traffic is blocked, and the mitigation phase tolerates an active attack while focusing on mitigating its consequences (Douligeris & Mitrokotsa, 2004).

Existing attack prevention and response techniques might be applicable to wind farms as well, since they mostly refer to network settings, which are not assumed to be different in wind farms. For instance, DoS attack prevention can be achieved by filtering (Park & Lee, 2001) or redirecting (Wang, Xu, & Gu, 2015) arriving packets. In order to respond to a DoS attack, Long et al. (2005) suggest an algorithm that drops background traffic with an increasing probability, if the number of arriving packets exceeds a certain threshold.

However, detection and mitigation of successful DoS attacks may be different for wind farms, since their power outputs are variable and strongly affected by wake effect and changing weather conditions. This distinguishes wind farms from other types of power systems. For example, a common detection approach is to detect abnormal behavior in a system (Li & Lee, 2005), for instance by using statistical anomaly detection algorithms (Siris & Papagalou, 2004) or prediction-based detection algorithms such as ARIMA models (Zhang, Jiang, Wei, & Guan, 2009). It needs to be examined to what extent these methods are applicable to varying power outputs of wind farms. Mitigation can usually be achieved by providing duplicated network services (using another network link, if one is under attack) or by reallocating resources during an attack (Douligeris & Mitrokotsa, 2004). However, since this thesis investigates methods to counteract DoS attacks that were already successfully executed, this approach is not applicable in this context. Instead, mitigation in the present work is defined as the strategy to predict power outputs, which are missing due to a DoS attack, in order to avoid disruptions of information flows regarding decision-making and operational processes.
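The averaging-based mitigation defined above, together with the simple and modified variants introduced for homogeneous and heterogeneous wind farms, as an added example that is not the thesis's simulation code. The turbine names, the sample values and the modelling of a turbine's historical deviation as the ratio of its mean output to the farm-wide mean are assumptions made here.

```python
from statistics import mean

# Constructed, noise-free sample: three turbines whose outputs differ by a fixed
# efficiency factor (heterogeneous farm). All values are in MW.
HISTORY = {  # attack-free periods used to learn each turbine's deviation
    "T1": [2.0, 3.0, 1.0, 4.0],
    "T2": [1.8, 2.7, 0.9, 3.6],
    "T3": [1.6, 2.4, 0.8, 3.2],
}
TRUTH = [  # what the sensors would have reported without an attack
    {"T1": 3.0, "T2": 2.7, "T3": 2.4},
    {"T1": 1.0, "T2": 0.9, "T3": 0.8},
    {"T1": 4.0, "T2": 3.6, "T3": 3.2},
]
OBSERVED = [  # T3's readings are missing (None) while the DoS attack is running
    {"T1": 3.0, "T2": 2.7, "T3": 2.4},
    {"T1": 1.0, "T2": 0.9, "T3": None},
    {"T1": 4.0, "T2": 3.6, "T3": None},
]


def historical_factors(history):
    """Each turbine's mean output relative to the farm-wide mean (assumed model
    of the 'historical deviation' used by modified averaging)."""
    turbine_means = {t: mean(series) for t, series in history.items()}
    farm_mean = mean(turbine_means.values())
    if farm_mean <= 0:
        raise ValueError("history contains no usable power output")
    return {t: m / farm_mean for t, m in turbine_means.items()}


def predict_missing(readings, factors=None):
    """Predict every missing reading from the non-attacked turbines.

    factors=None is simple averaging (homogeneous farm); with factors, healthy
    readings are normalised before averaging and the result is scaled back to
    the attacked turbine (modified averaging, heterogeneous farm)."""
    if factors is None:
        factors = {t: 1.0 for t in readings}
    healthy = [p / factors[t] for t, p in readings.items()
               if p is not None and factors[t] > 0]
    if not healthy:
        raise ValueError("no non-attacked turbine left to average over")
    base = mean(healthy)
    return {t: base * factors[t] for t, p in readings.items() if p is None}


def mitigate_series(series, factors=None):
    """Return a gap-free copy of the series plus the (period, turbine) pairs filled in."""
    filled, imputed = [], []
    for period, readings in enumerate(series):
        predictions = predict_missing(readings, factors) if None in readings.values() else {}
        filled.append({**readings, **predictions})
        imputed.extend((period, t) for t in predictions)
    return filled, imputed


def mean_absolute_error(filled, truth, imputed):
    """MAE over the predicted readings only."""
    return mean(abs(filled[p][t] - truth[p][t]) for p, t in imputed)


def compare_methods():
    """MAE of simple vs. modified averaging on the constructed heterogeneous farm."""
    simple, gaps = mitigate_series(OBSERVED)
    modified, _ = mitigate_series(OBSERVED, historical_factors(HISTORY))
    return (mean_absolute_error(simple, TRUTH, gaps),
            mean_absolute_error(modified, TRUTH, gaps))


if __name__ == "__main__":
    simple_mae, modified_mae = compare_methods()
    print(f"simple averaging MAE:   {simple_mae:.3f} MW")
    print(f"modified averaging MAE: {modified_mae:.3f} MW")
```

Because the sample is noise-free, modified averaging recovers the missing readings exactly; with weather noise between turbines both errors grow.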

2.3 Contribution

Current literature mainly focusses on either DoS attacks or wind farms, but limited literature is available about DoS attacks related to wind farms. More specifically, simulations of detecting and mitigating DoS attacks on wind farms have not been studied in detail before.

Hence, this thesis contributes to literature by combining aspects of DoS attacks with the unique characteristics of wind farms by means of simulations in Python. The main goal is to measure the effectiveness of averaging and ARIMA models as detection and mitigation methods, while considering wake effect and changing weather conditions.

This thesis contributes to practice by providing new, simulation-based data, indicating the suitability of the aforementioned methods to counteract DoS attacks on wind farms. Recommendations about which method to use with which parameters for different types of wind farms are provided in order to help in preparing wind farms, especially offshore wind farms, for DoS attacks.

From an academic perspective, averaging as the suggested detection and mitigation approach of this thesis is tested in the context of DoS attacks on wind farms to test its eligibility. Additionally, it is compared to ARIMA models, as a suggested prediction method from literature. By that, the gap between DoS attacks and wind farms is closed and more attention is drawn to the field of DoS attacks on the quickly growing and increasingly important wind energy sector, to eventually motivate more researchers to contribute to it.

The contribution of this thesis can be summarized as follows:

1. Applying a DoS attack detection algorithm to wind farms: Zhang et al. (2009) suggest a (D)DoS attack detection algorithm predicting an expected service rate of a server by means of ARIMA models and comparing it to the actual service rate in order to detect abnormal behavior caused by an attack. The present thesis applies this approach to DoS attacks on wind farms’ power output sensors by considering their unique characteristics and by adding a turbine preselection procedure to the algorithm.

3. Testing averaging and ARIMA models as mitigation methods: Douligeris & Mitrokotsa (2004) suggest (D)DoS attack mitigation to minimize the impact of the attack through maximizing the quality of the attacked service while being attacked. This approach is simulated in a wind farm setting by predicting power output sensor readings that are missing due to a DoS attack as precisely as possible. For that purpose, averaging and ARIMA models as prediction methods are tested and compared.

4. Considering homogeneous and heterogeneous wind farms: Averaging is utilized to detect and mitigate DoS attacks on homogeneous and heterogeneous wind farms. For heterogeneous wind farms, a modified averaging approach is suggested and compared to ARIMA models in terms of DoS attack detection and mitigation performance.

5. Developing a simulation model in Python: The aforementioned model developed for the simulations may serve as a basis for further research in similar studies and as a tool for practitioners.

The next section describes the methodology utilized in this thesis to realize these contributions.

3. Methodology

To answer the research question, two computational experiments with six sub-experiments using Python 3.7.4 are conducted. Python is chosen since a specific library about wind farms, called “windpowerlib”, is available for it, which serves as a basis for further programming. In Python, a simulation model following the conceptual framework of section 3.1 was programmed. This model is able to calculate the non-attacked power output of each turbine of a wind farm based on weather data, apply a DoS attack to it, detect this attack, and predict missing power outputs to mitigate its consequences. The goal of the computational experiments is to test and compare averaging and ARIMA models as detection and mitigation methods in order to identify their suitability to DoS attacks on several types of wind farms.

Since randomness influences the model in numerous stages, it becomes complex and unpredictable. Therefore, a simulation approach is a suitable research method in order to gain insights into complex theoretical relationships and to extend simple theory by linking propositions (Davis, Eisenhardt, & Bingham, 2007).

3.1 Conceptual Framework

This subsection presents the conceptual framework of this thesis, as depicted in Figure 2. Data about the weather conditions (referred to as “Weather Data” in Figure 2) serve as the input of the simulation model, leading to calculated data about the power generation of a turbine (referred to as “Power Data” in Figure 2) as the output. From a modelling perspective, the weather data input positively affects the power data output – the more weather data are available, the more power data can be calculated.

Moreover, this output positively influences managerial decisions, since data about the output of a wind farm’s turbines act as an important basis in the decision-making process. For instance, predicting future power outputs of a wind farm based on past and current data might be relevant for power grid operators (Kusiak, Zheng, & Song, 2009). Hence, complete data about the power output of a wind farm is crucial. The more data about power outputs are available, the better control over operations may be gained by means of reasonable decision-making.

Finally, this thesis assumes a DoS attack on power output sensors to disrupt the system by preventing it from sending power data to the control system, meaning that the management is no longer informed about the current power output of the attacked turbines for the duration of the attack. This negatively affects the positive relationship between the power data and managerial decisions, since managers are not able to include information about power outputs in their decision-making while a DoS attack is executed. This concept is replicated in the simulation model, which is further described in the next section.

3.2 Simulation Model

This subsection describes the simulation model, which consists of nine steps in total, subclassified into the basic model and model extensions, that were executed for the computational experiments.

The first subsection briefly refers to technical requirements to run the simulation model, general notations used to describe the most relevant variables of it, and assumptions made during its development. Afterwards, the basic model, consisting of five steps, is explained incrementally. Subsequently, the extensions of the model – DoS attack, detection and mitigation – are presented.

3.2.1 Technical Requirements, Notations and Assumptions

In order to successfully execute the model, five public libraries are required to be installed, which are listed and briefly described in Appendix 1, including their command to install them via “pip” in the terminal.

Furthermore, a comma-separated values (CSV) file called “weather.csv”, containing weather data for every considered period, needs to be provided in the project folder. The structure of this weather data is illustrated with one exemplary entry in Appendix 2.

After arranging these two technical requirements, the model can be run.

In order to describe essential parameters and attributes of the model, several different terms are used throughout the remainder of this thesis. Appendix 3 provides an overview of definitions for the most relevant notations.

Finally, the underlying assumptions, which are mentioned among the following two subsections and identified by respective parentheses (such as “(A1)” for assumption one) are summarized in Appendix 4.

3.2.2 Basic Model

Before the actual simulation starts, the model first checks the provided matrix to make sure that at least one turbine is present. Consequently, the assumption follows that a wind farm consists of at least one turbine, with no upper limit for the number of turbines (A2). It should be noted that the simulation time increases with the number of turbines.

Five main steps form the basic model of the actual simulation, as illustrated in Figure 3. Each step is generally explained below – further details can be found as comments in the simulation model.

Figure 3: Basic steps of the simulation model

Step 1: The simulation starts by creating noise-added weather data for each turbine of the wind farm layout. For this purpose, the original weather data from the provided file (see 3.2.1) is taken as a basis and slightly modified per turbine by means of a small noise as a consequence of natural variations (A3). In this thesis, highly realistic hourly data of a full year (2010) is used (365 x 24 = 8,760 recordings), which is provided by the “windpowerlib” library. These data are part of a data set generated by a climate model called “COSMO-CLM”. The usage of highly realistic data (instead of self-generated data) leads to a more representative wind farm setting, since real trends, peaks and other wind farm related characteristics are considered as comprehensively as possible.

The original weather data include air pressure in Pascal, air temperature at two different heights (2 and 10 meters) in Kelvin, wind speed at two different heights (10 and 80 meters) in meters per second and surface roughness length in meters (see Appendix 2 for the structure). Since the surface roughness length of a turbine does not change over time, it will not be further adjusted or considered within this thesis but set to the exemplary value of 0.15.

For all other parameters, a randomly generated noise is added to the initial value of the original weather data for each period and every turbine. Each noise is normally distributed and individually generated (being independent of time and turbine). The expected value of a noise is zero, indicating that it can equally get positive and negative. Its standard deviation (SD) is set as a specific percentage of the respective average parameter value (like average wind speed). The exact percentage depends on an individual wind farm and is part of the computational experiments. Regardless of the noise, wind speed is restricted to be positive, whereas air pressure and temperature theoretically could become negative.

At the end of this step, noise-added weather data for all turbines are available, being similar among turbines, but not identical due to the noise. However, during the simulation, this weather data is only used for calculations, but it is assumed not to be available for the operators of the wind farm, meaning that no other readings are available than those from the power output sensor of each turbine in every period (A4).

Step 2: As the second step of the simulation, the turbines are technically initialized as objects using turbine data from the “OpenEnergy Database” – a turbine library that is provided along with the “windpowerlib” library including several different types of real turbines. In the simulation model, the type of turbine and its hub height, which is used for every turbine from the wind farm layout, can be modified. Within the framework of this thesis, for all computational experiments, the exemplary turbine type “Enercon E-126” – a common type of turbine – with a hub height of 135 meters is used. However, the type of turbine is not the focus of this work and does not influence the simulated relationships. Thus, it is assumed that all turbines in a wind farm are of the same type (A5).

Step 3: Based on weather data and turbine objects, the power output of each turbine is calculated in step three of the model. The “windpowerlib” library provides several calculation options that could be changed in the simulation model of this thesis as well. Similar to the type of turbine, those settings are not relevant for the computational experiments of this thesis. Consequently, they remain the same throughout all experiments. For the actual power output calculation, a power curve of the Enercon E-126 from the turbine database is used, which indicates the power output according to the wind speed at hub height (Lydia, Kumar, Selvakumar, & Prem Kumar, 2014). With the settings used in the present simulation model, this power curve is adjusted based on the air density at hub height of a turbine. This air density depends on the air pressure and temperature at hub height, which are calculated based on the weather data of the turbine determined in step one.

dangerous for a turbine to operate, causing it to completely stop rotating, leading to a power production of zero (Lydia et al., 2014). Furthermore, turbines have a minimum wind speed (called “cut-in speed”, in Figure 4: ~ 2 m/s) needed to start operating (Lydia et al., 2014). The “windpowerlib” library considers all these requirements and sets the power output for wind speeds below the cut-in speed or above the cut-out speed to zero. For an Enercon E-126 the usual cut-in speed is 3 m/s, whereas the rated wind speed is 16.5 m/s and the cut-out speed is 34 m/s (Bauer & Matysik, 2019). With the settings of this simulation, the maximum power output before wake loss per turbine is 4.2 megawatts (MW) (A6).

Figure 4: Exemplary power curve of a turbine


Step 4: Step four of the model transforms the previously calculated power outputs before wake loss into power outputs after wake loss. For this purpose, the simulation goes through every turbine, calculates its wake loss based on the position of itself and other turbines, and subtracts this from the power output before wake loss. In the present simulation model, a self-developed, simple approach is used to consider the wake effect, representing the basic characteristics of wake loss. Since no information about wind direction is considered in the simulation model, it is assumed that on average the wind equally blows from every direction (A7). Consequently, the wake loss in percent is calculated by adding single percentages for nearby turbines together, representing the fractions of power output that are lost due to wake effect caused by respective turbines. For simplification, the assumption is made that only turbines being one or two spots away from a focal turbine induce wake loss. These spots form two layers around the focal turbine to be considered for wake loss, as illustrated in Figure 5. Turbines that are further away do not influence a focal turbine’s wake loss. Turbines in layer one, which is closer to the focal turbine than layer two, have a higher impact on the focal turbine in terms of wake loss than turbines in layer two (A8). In the present simulation model, every turbine in layer one causes a wake loss of 2%, whereas turbines in layer two lead to a wake loss of 1%, indicating a maximum wake loss of 16% per layer and 32% in total (8 x 2% for layer one and 16 x 1% for layer two).

Figure 5: Wake effect approach used in the simulation model


Step 5: If activated in the settings, the final power outputs are plotted by utilizing the “matplotlib” library. The power output time series of each turbine is put together into one graph to provide an overview of all turbines. An exemplary plot from a simulation of three turbines in a homogeneous wind farm is presented in Figure 6. All turbines follow the same pattern throughout the year, slightly differing in power output due to the added weather data noise described in step one. An example for the same setup, but for a heterogeneous wind farm is illustrated in Appendix 5.

Figure 6: Exemplary power output graph with three turbines in a homogeneous wind farm

3.2.3 DoS attack, detection and mitigation

Based on the basic model, three major extensions are added to the simulation, namely DoS attack, detection and mitigation (steps six, seven and eight). Subsequently, the performance of detection and mitigation is measured in step nine, the last step of the model, as depicted in Figure 7.


Figure 7: Additional steps of the simulation model

Step 6: As underlined in the theoretical background, this simulation illustrates a successfully executed DoS attack. Thus, it is assumed that every DoS attack in a simulation is a successful DoS attack (A9). Furthermore, every simulation run will face exactly one DoS attack and no other types of attack (A10).

In step six, first, the number of attacked turbines is determined. It can either be stated in the settings or randomly generated by means of a uniform distribution. For the latter it is assumed that at least one turbine and a maximum of 50% of all turbines are attacked (A11).

Afterwards, random turbines are selected to be attacked, until the number of attacked turbines is reached.

Next, the duration of the attack, which is assumed to be at least one hour and a maximum of 24 hours (A12), is randomly determined by means of a uniform distribution. Alternatively, the duration can be fixed in the settings. The same applies to the point in time, at which the attack starts, while 24 hours before the attack are required to be available as historical data for the next step of the simulation. Thus, an attack can start anytime from the 25th hour to the end of the simulated time span less the duration of the attack itself.

In this step, randomness can influence the process numerous times. The following list summarizes all stages of the simulation model where randomness may be present, mostly depending on the settings of the model:

• Weather data noise (step one)
• Power output noise (step three)
• Number of attacked turbines (step six)
• Selection of attacked turbines (step six)
• Start of the DoS attack (step six)
• Duration of the DoS attack (step six)

The remainder of the model does not include any randomness but utilizes the information from the first six steps to detect and mitigate the DoS attack.

Step 7: In order to detect the DoS attack, step seven scans each power output in real time to detect a potential attack as fast as possible and to determine which turbines are affected in which periods. This information is crucial in order to initiate countermeasures at the right place at the right time. Due to high costs of physically reaching and maintaining offshore wind farms (Pereira & Castro, 2019; Snyder & Kaiser, 2009), it is assumed that physical inspections of single turbines or the whole wind farm are not possible during a DoS attack (A16). Moreover, electrical power output is not visible, and hence, cannot be observed at any point in time, but can only be measured by the potentially attacked sensors (A17).

For most of the scenarios, the detection of a DoS attack is rather simple: as soon as the attack starts, the power output sensor readings begin to replicate. However, since wind speeds below the cut-in speed or above the cut-out speed lead to a power output of zero, and wind speeds between the rated wind speed and the cut-out speed lead to the identical maximum power output (see step three), consecutive duplicates can naturally occur as well. Hence, in every period – representing a real time simulation – for each turbine, the detection algorithm, that is proposed in this thesis, is executed, as illustrated in the flowchart in Figure 8.

wind farms, the efficiency factor is reversed in order to identify whether the inspected value is the maximum power output of the current turbine. A result between the minimum (0 MW) and maximum (4.2 MW) power output means that this turbine is certainly under attack (= 1) with the current period as the detected start of the attack. This is justified by the fact that it is nearly impossible that two consecutive periods produce exactly the same power output without an attack (accurate to 15 decimals), if it is not the minimum or maximum power output. Otherwise, if the duplicated power output of a turbine is the minimum or maximum power output, it needs to be further checked whether this naturally occurred or whether an attack has caused it. Thus, this turbine is flagged as being preliminarily suspicious (= 2) and will be further examined as soon as the preselection of all turbines in the current period is completed.

For turbines that are currently flagged as being attacked (= 1), the algorithm inspects if the power output has changed again, which indicates that the attack has stopped, resulting in the flag being removed from the turbine (= 0).

If a turbine is flagged as suspicious (= 3), its power output is examined in the current period as well. In the event of a changing output, the flag is removed from the turbine (= 0), since it cannot be under attack then. Otherwise, it is flagged as preliminarily suspicious again (= 2) to be investigated afterwards.

Following the turbines’ preselection, all preliminarily suspicious turbines with minimum or maximum power output (= 2) are examined in more detail by comparing their actual power output without wake loss to the expected power output without wake loss. The calculation of the expected power output depends on the chosen prediction method (averaging or ARIMA) and on the type of wind farm (homogeneous or heterogeneous). It is conducted in a similar manner as in the mitigation phase. In case of averaging, current power output information of the previously determined non-attacked turbines (= 0) is considered, whereas ARIMA focuses on historical data of the attacked turbine itself (for detailed explanations see step eight). If the actual power output of a turbine deviates from the expected power output by more than the critical range (being part of the computational experiments), this turbine is flagged as being attacked (= 1). Otherwise, it is flagged as being suspicious (= 3) to be examined in the next period again. By that, the algorithm finishes and is repeated for the subsequent period.
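The flag logic of step seven, written out as an added example for a homogeneous wind farm with averaging as the prediction method; it is not the simulation code of this thesis. The function names, the sample readings and the handling of a period without any non-attacked turbine are assumptions, and the readings are taken to be before wake loss already.

```python
from statistics import mean

# Power limits and flag values follow the text; everything else is an assumption.
P_MIN, P_MAX = 0.0, 4.2          # MW: minimum and maximum output before wake loss
NOT_ATTACKED, ATTACKED, PRELIM_SUSPICIOUS, SUSPICIOUS = 0, 1, 2, 3


def detect_period(prev, curr, flags, critical_range):
    """Run the detection algorithm for one period and return the new flags.

    prev/curr hold each turbine's sensor reading (MW, before wake loss) for
    the previous and the current period; flags holds last period's flags.
    """
    new = list(flags)
    # Preselection: look at every turbine on its own.
    for i, (p, c) in enumerate(zip(prev, curr)):
        duplicate = c == p            # a frozen sensor repeats its value exactly
        if flags[i] == NOT_ATTACKED and duplicate:
            # Repeated min/max output can be natural; anything else cannot.
            new[i] = PRELIM_SUSPICIOUS if c in (P_MIN, P_MAX) else ATTACKED
        elif flags[i] == ATTACKED and not duplicate:
            new[i] = NOT_ATTACKED     # readings move again: attack has stopped
        elif flags[i] == SUSPICIOUS:
            new[i] = PRELIM_SUSPICIOUS if duplicate else NOT_ATTACKED

    # Closer look at min/max duplicates: compare with the non-attacked average.
    healthy = [curr[i] for i, f in enumerate(new) if f == NOT_ATTACKED]
    for i, f in enumerate(new):
        if f != PRELIM_SUSPICIOUS:
            continue
        # Assumption: with no non-attacked turbine left there is no reference
        # value, so the turbine simply stays suspicious.
        if healthy and abs(curr[i] - mean(healthy)) > critical_range:
            new[i] = ATTACKED
        else:
            new[i] = SUSPICIOUS
    return new


def run_detection(series, critical_range):
    """series[i] is turbine i's reading per period; returns (history, detected_at)."""
    periods = list(zip(*series))
    flags = [NOT_ATTACKED] * len(series)
    history, detected_at = [list(flags)], {}
    for t in range(1, len(periods)):
        new = detect_period(periods[t - 1], periods[t], flags, critical_range)
        for i, (old, now) in enumerate(zip(flags, new)):
            if now == ATTACKED and old != ATTACKED:
                detected_at.setdefault(i, t)   # first period flagged as attacked
        flags = new
        history.append(list(flags))
    return history, detected_at


# Constructed readings (MW), one list per turbine, eight hourly periods.
SAMPLE = [
    [3.70, 3.85, 3.90, 3.90, 3.90, 3.90, 2.05, 1.80],  # frozen mid-range in t=3..5
    [4.20, 4.20, 4.20, 4.20, 4.20, 4.20, 4.20, 1.95],  # rated, then frozen in t=4..6
    [4.05, 4.12, 4.08, 4.15, 3.20, 2.40, 2.00, 1.90],  # never attacked
    [4.10, 4.02, 4.14, 4.06, 3.05, 2.55, 2.10, 1.85],  # never attacked
]

if __name__ == "__main__":
    history, detected_at = run_detection(SAMPLE, critical_range=0.5)
    for t, flags in enumerate(history):
        print(t, flags)
    print("first flagged as attacked:", detected_at)
```

Running the same readings with a critical range of 0.1 MW flags the second turbine while it is still producing rated power naturally, and a range of 1.5 MW delays its detection by one period, which is the trade-off examined in the detection experiment.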


Step 8: After detecting a DoS attack, missing power outputs need to be calculated in order to mitigate the attack’s consequences by ensuring continuous supply of realistic power output information for the decision-making process of wind farm operators. The present simulation model provides two different mitigation techniques to calculate missing power outputs, which are similarly utilized to calculate expected power outputs as part of the detection algorithm in the previous step, namely averaging and ARIMA.

With averaging, for every attacked period, the average power output before wake loss of all non-attacked turbines is calculated². By that, for homogeneous wind farms, available data of non-attacked turbines can be effectively utilized. If the wind farm is heterogeneous, the average percentage deviation of every attacked turbine’s power outputs from the average non-attacked turbines’ power outputs in the past (from starting the simulation to the previous period) is calculated. Afterwards, the previously calculated current average of non-attacked turbines is adjusted according to this average deviation. For instance, if the current turbine is found to have deviated from non-attacked turbines by + 20% on average in the past, the current average of non-attacked turbines is adjusted by + 20% as well (through multiplication by 120%). By applying this technique, in this thesis referred to as “modified averaging”, the differences among turbines in heterogeneous wind farms are considered in the power output prediction as precisely as possible. Subsequently, regardless of the type of wind farm, the wake effect is applied to the previously predicted value of each attacked turbine. Finally, their attacked sensor readings are overwritten by these predicted power output values after mitigation by [modified] averaging.
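Averaging and modified averaging for one attacked period, together with the two-layer wake loss of step four, as an added example that is not the simulation code of this thesis. The function names, the 2x3 layout and the sample outputs are constructed; reading "one or two spots away" as rings of 8 and 16 grid positions, and skipping past periods whose reference average is zero, are assumptions.

```python
from statistics import mean

LAYER_LOSS = {1: 0.02, 2: 0.01}   # wake loss per neighbouring turbine, from the text


def wake_loss(pos, layout):
    """Fraction of output lost at grid position pos; layout is a set of (row, col)."""
    loss = 0.0
    for other in layout:
        # Ring number = Chebyshev distance: 8 spots in layer one, 16 in layer two.
        ring = max(abs(other[0] - pos[0]), abs(other[1] - pos[1]))
        loss += LAYER_LOSS.get(ring, 0.0)   # ring 0 (itself) and rings > 2 add nothing
    return loss


def average_deviation(turbine, healthy, history):
    """Mean relative deviation of one turbine from the healthy average in the past."""
    ratios = []
    for period in history:                  # period: {position: MW before wake loss}
        ref = mean(period[h] for h in healthy)
        if ref > 0:                         # assumption: skip periods with zero reference
            ratios.append(period[turbine] / ref - 1.0)
    return mean(ratios) if ratios else 0.0


def mitigate(history, current, attacked, layout, heterogeneous=True):
    """Return replacement readings (MW after wake loss) for the attacked turbines.

    current holds this period's before-wake-loss outputs of the turbines whose
    sensors are trusted; attacked is the set of positions flagged as attacked.
    """
    healthy = sorted(p for p in layout if p not in attacked)
    if not healthy:
        raise ValueError("no non-attacked turbine left to average over")
    base = mean(current[h] for h in healthy)
    repaired = {}
    for pos in sorted(attacked):
        factor = 1.0
        if heterogeneous:                   # "modified averaging"
            factor += average_deviation(pos, healthy, history)
        repaired[pos] = base * factor * (1.0 - wake_loss(pos, layout))
    return repaired


# Constructed 2x3 wind farm; outputs in MW before wake loss.
LAYOUT = {(r, c) for r in range(2) for c in range(3)}
HISTORY = [
    {(0, 0): 2.4, (0, 1): 1.8, (0, 2): 2.2, (1, 0): 1.9, (1, 1): 2.1, (1, 2): 1.8},
    {(0, 0): 1.2, (0, 1): 0.9, (0, 2): 1.1, (1, 0): 1.0, (1, 1): 1.0, (1, 2): 0.9},
]
CURRENT = {(0, 1): 1.4, (0, 2): 1.6, (1, 0): 1.5, (1, 1): 1.5}
ATTACKED_POSITIONS = {(0, 0), (1, 2)}       # historically +20% and -10% turbines

if __name__ == "__main__":
    print(mitigate(HISTORY, CURRENT, ATTACKED_POSITIONS, LAYOUT))
    print(mitigate(HISTORY, CURRENT, ATTACKED_POSITIONS, LAYOUT, heterogeneous=False))
```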

Only being applied to heterogeneous wind farms, an ARIMA model is created in every affected period for each attacked turbine based on its past 24 power outputs, utilizing the “statsmodels” library. To apply this rolling forecast along the attacked periods, the historical data of an attacked turbine needs to be updated from period to period, in order to continuously consider the last 24 observations. However, since the power output of an attacked turbine is not observable at any time, the identical approach as for modified averaging is utilized by incorporating the average of non-attacked turbines and the average deviation of the focal turbine’s power outputs from non-attacked turbines’ power outputs in the past. For instance, if the third affected period of the attack is investigated, 22 historical observations (from 24 periods to three periods ago) and two predicted “observations” based on modified averaging (from two periods to one period ago) are considered. Next to historical data, three parameters need to be provided for each ARIMA model: number of autoregressive terms (p), number of differences transforming the data into stationary data (d), and number of moving average terms (q) to include in the prediction. Since power output of wind turbines is highly volatile, d is set to the maximum of two in order to ensure stationarity. Not every parameter combination is feasible, thus, the present simulation model tries different p-q-combinations by starting at p = q = 5 and reducing them alternately (i.e., first only p, then only q and otherwise both), until it finds a feasible model. By that, the model is likely to realize a suitable setting for each ARIMA model. An individual examination or a more sophisticated method such as “Akaike’s information criterion” or the “Bayesian information criterion”, as suggested in Chen, Pedersen, Bak-Jensen and Chen (2010), could identify optimal parameters. However, since the creation of ARIMA models in the present simulation model is time-consuming, while its frequency would be required to significantly increase in order to improve the choice of parameters, the aforementioned approaches are not realized due to time constraints. After creating a feasible ARIMA model, it is utilized to predict the power output of the focal turbine for the currently investigated period, replacing its attacked sensor reading. An example for DoS attack mitigation using averaging, modified averaging and ARIMA is illustrated in Appendix 6, Appendix 7 and Appendix 8.

2 In the rare case of all turbines being flagged as attacked or suspicious due to minimum or maximum power

Step 9: The last step of the simulation model measures the detection and mitigation quality of the specific forecasting method used in the previous two steps.

Detection performance is measured by comparing actual to detected attack information by calculating the number of total detections, correct detections (true positives), false detections (false positives), missed detections (false negatives) and periods to detect attacked turbines producing minimum or maximum power output. Furthermore, general attack information regarding the number of suspicious turbines and turbines producing minimum or maximum power output while being attacked are collected.

The accuracy of the mitigation is determined by comparing actual to predicted power outputs. For that purpose, five different performance measures are calculated: Maximal Forecast Error, Mean Forecast Error, Mean Absolute Error (MAE), Mean Squared Error (MSE) and Mean Absolute Percent Error (MAPE).


4. Computational Experiments

In this thesis, two major computational experiments were performed. The first examined the detection of a DoS attack by means of the proposed algorithm, whereas the second experiment investigated the mitigation of a DoS attack by predicting missing power outputs. Both experiments were executed for homogeneous and heterogeneous wind farms. Two types of experiments, wind farms and prediction methods result in eight potential combinations. However, Lei, Shiyan, Chuanwen, Hongling and Yan (2009) list ARIMA models as a forecasting method to potentially achieve precise power output predictions by considering the underlying process of an individual turbine in terms of historical data. This seems reasonable only for heterogeneous wind farms. Thus, only six sub-experiments were investigated in this thesis, since ARIMA models are not assumed to be suitable for homogeneous wind farms in both experiments (i.e., detection and mitigation). Hence, the experiments were performed for homogeneous wind farms by means of averaging, and for heterogeneous wind farms by means of modified averaging and ARIMA models.

For all simulations Python 3.7.4 was used on a desktop computer running Windows 10 with an AMD FX-8350 4 GHz eight-core processor and 8 GB of RAM. To decrease computation time, all experiments were conducted for three representative months (October, November and December 2010 = 2,209 h) instead of a whole year. The required time to execute a single simulation run on a computer with the settings above and the number of runs conducted for each scenario are illustrated in Table 1. A time range indicates the computation time to be dependent on different parameter settings within an experiment. In total, the results of 4,620 simulation runs are incorporated in this thesis.

| | Homogeneous Wind Farms: Averaging | Heterogeneous Wind Farms: Modified Averaging | Heterogeneous Wind Farms: ARIMA |
|---|---|---|---|
| Detection | ~ 11 seconds (1,000 runs) | ~ 18 – 42 seconds (1,000 runs) | ~ 3.5 – 8 minutes (1,000 runs) |
| Mitigation | ~ 22 seconds (540 runs) | ~ 23 seconds (540 runs) | ~ 0.5 – 5.5 minutes (540 runs) |


4.1 Detection

The first experiment evaluated the effectiveness of the proposed DoS attack detection algorithm in step seven of the simulation model in different scenarios utilizing averaging, modified averaging and ARIMA as prediction methods. Its goal was to find the most effective critical ranges for all three sub-experiments in order to compare them among each other.

4.1.1 Setup

The detection experiment was conducted for different SDs of weather data noise added in step one, representing different types of wind farms. Numerous pretests revealed the suitability of specific critical ranges (from 0.05 MW to 3.5 MW, depending on the sub-experiment) for four different SDs of noise (5%, 10%, 15% & 20%). This results in 20 different scenarios with 50 simulation runs each for all three sub-experiments regarding detection, leading to a total of 3,000 conducted runs.

Throughout this experiment, a wind farm layout with ten turbines in the shape of a 2x5 field was used. The number of attacked turbines was fixed to five in order to ensure comparability across cases.

To provide an overview, the simulation was executed ten times with a whole year of original data and ten turbines in a homogeneous wind farm with a SD of weather data noise of 10%. This pre-test resulted in an average of 99.9 cases (ranging from 89 to 122 with a median of 97 and a SD of 9.47) in which a turbine was suspicious of being attacked due to minimum or maximum power output. On the one hand, this demonstrates how often this scenario occurs in reality, indicating that a good detection algorithm with optimal parameters is required in order to ensure correct detections and avoid false alarms. On the other hand, considering the total number of hours in a whole year, the chance of a turbine to be attacked while producing minimum or maximum power output seems relatively small. Thus, the weather data could be modified in order to produce minimum or maximum power outputs more frequently, leading to higher measurability of the detection algorithm. However, to guarantee realistic conditions due to original weather data, this approach was not utilized. Instead, more simulation runs than for the second experiment were performed for each setting (50 instead of 30).


4.1.2 Results

Table 2, Table 3 and Table 4 contain the results of all 20 scenarios for averaging, modified averaging and ARIMA, respectively. Each number represents the average of 50 simulation runs. In all three sub-experiments, several trends and trade-offs are observable.

The number of suspicious turbines due to minimum or maximum power output, which are neither related to the critical range nor to the prediction method, clearly increases with the SD of weather data noise. Thus, the higher the noise, the more relevant an optimal detection algorithm gets, since the probability of a turbine being attacked while producing minimum or maximum power output increases.

Furthermore, the number of total detections logically decreases with the size of the critical range, since the power outputs need to deviate more to be detected as being attacked.

That number is further classified into correct detections (true positives) and false detections (false positives), which both decrease with the size of the critical range. This represents a trade-off between both measurements, dependent on the chosen critical range: with a higher critical range, the number of false detections generally decreases, whereas the number of correct detections decreases as well.

The number of missed detections (false negatives) as the counterpart of correct detections consequently increases with the size of the critical range, since it is more likely to overlook an attacked turbine when using a greater critical range.

Moreover, the number of attacked turbines, that produced minimum or maximum power output while being attacked, naturally increases with the SD of weather data noise but is not related to the critical range or prediction method (similarly to the number of suspicious turbines, which both serve as information to compare with other measurements).


Method: Detection – Homogeneous Wind Farm – Averaging

| Scenario | SD of noise | Critical range (± MW) | No. of suspicious turbines due to min./max. output | No. of total detections | No. of correct detections (true positives) | No. of false detections (false positives) | No. of missed detections (false negatives) | No. of attacked turbines with min. or max. output | Ø no. of periods to detect min./max. output attacks |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 5% | 0.05 | 36.46 | 11.62 | 5.00 | 6.62 | 0.00 | 0.02 | 0.00 |
| 2 | 5% | 0.10 | 36.92 | 6.4 | 5.00 | 1.42 | 0.00 | 0.06 | 5.00 |
| 3 | 5% | 0.15 | 36.20 | 5.22 | 5.00 | 0.22 | 0.00 | 0.12 | 3.00 |
| 4 | 5% | 0.20 | 36.58 | 5.02 | 5.00 | 0.02 | 0.00 | 0.10 | 0.00 |
| 5 | 5% | 0.25 | 36.36 | 4.92 | 4.92 | 0.00 | 0.08 | 0.18 | 2.50 |
| 6 | 10% | 0.25 | 51.80 | 11.3 | 5.00 | 6.3 | 0.00 | 0.10 | 4.00 |
| 7 | 10% | 0.50 | 50.00 | 5.72 | 4.94 | 0.78 | 0.06 | 0.20 | 2.75 |
| 8 | 10% | 0.75 | 52.06 | 5.16 | 5.00 | 0.16 | 0.00 | 0.04 | 5.00 |
| 9 | 10% | 1.00 | 50.70 | 4.96 | 4.94 | 0.02 | 0.06 | 0.14 | 10.00 |
| 10 | 10% | 1.25 | 51.36 | 4.98 | 4.98 | 0.00 | 0.02 | 0.04 | 8.00 |
| 11 | 15% | 0.75 | 80.38 | 11.06 | 4.98 | 6.08 | 0.02 | 0.06 | 3.00 |
| 12 | 15% | 1.00 | 82.04 | 7.96 | 5.00 | 2.96 | 0.00 | 0.12 | 2.40 |
| 13 | 15% | 1.25 | 81.26 | 5.9 | 4.96 | 0.94 | 0.04 | 0.12 | 3.67 |
| 14 | 15% | 1.50 | 79.28 | 5.14 | 4.96 | 0.18 | 0.04 | 0.10 | 5.67 |
| 15 | 15% | 1.75 | 80.82 | 5.08 | 4.94 | 0.14 | 0.06 | 0.12 | 13.00 |
| 16 | 20% | 1.50 | 129.80 | 10.02 | 4.78 | 5.24 | 0.22 | 0.36 | 7.00 |
| 17 | 20% | 2.00 | 130.72 | 6.40 | 4.86 | 1.54 | 0.14 | 0.24 | 4.00 |
| 18 | 20% | 2.50 | 133.10 | 5.30 | 4.86 | 0.44 | 0.14 | 0.22 | 10.50 |
| 19 | 20% | 3.00 | 132.74 | 4.90 | 4.80 | 0.10 | 0.20 | 0.36 | 7.20 |
| 20 | 20% | 3.50 | 132.80 | 4.78 | 4.74 | 0.04 | 0.26 | 0.36 | 17.25 |


Method: Detection – Heterogeneous Wind Farm – Modified Averaging

| Scenario | SD of noise | Critical range (± MW) | No. of suspicious turbines due to min./max. output | No. of total detections | No. of correct detections (true positives) | No. of false detections (false positives) | No. of missed detections (false negatives) | No. of attacked turbines with min. or max. output | Ø no. of periods to detect min./max. output attacks |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 5% | 0.05 | 36.36 | 15.84 | 5.00 | 10.84 | 0.00 | 0.04 | 1.00 |
| 2 | 5% | 0.10 | 36.32 | 8.76 | 5.00 | 3.76 | 0.00 | 0.00 | - |
| 3 | 5% | 0.15 | 37.54 | 5.86 | 5.00 | 0.86 | 0.00 | 0.04 | 8.00 |
| 4 | 5% | 0.20 | 37.44 | 5.30 | 5.00 | 0.30 | 0.00 | 0.04 | 2.50 |
| 5 | 5% | 0.25 | 37.52 | 5.02 | 4.94 | 0.08 | 0.06 | 0.08 | 0.00 |
| 6 | 10% | 0.25 | 52.08 | 10.82 | 5.00 | 5.82 | 0.00 | 0.10 | 2.00 |
| 7 | 10% | 0.50 | 51.62 | 5.66 | 5.00 | 0.66 | 0.00 | 0.04 | 10.50 |
| 8 | 10% | 0.75 | 52.04 | 5.18 | 4.98 | 0.20 | 0.02 | 0.04 | 1.00 |
| 9 | 10% | 1.00 | 51.42 | 5.06 | 4.96 | 0.10 | 0.04 | 0.06 | 9.00 |
| 10 | 10% | 1.25 | 51.06 | 5.14 | 5.00 | 0.14 | 0.00 | 0.00 | - |
| 11 | 15% | 0.75 | 81.50 | 10.00 | 4.94 | 5.06 | 0.06 | 0.10 | 0.00 |
| 12 | 15% | 1.00 | 83.34 | 7.44 | 4.94 | 2.50 | 0.06 | 0.16 | 7.63 |
| 13 | 15% | 1.25 | 80.44 | 6.14 | 4.98 | 1.16 | 0.02 | 0.08 | 7.33 |
| 14 | 15% | 1.50 | 81.62 | 5.52 | 4.92 | 0.60 | 0.08 | 0.12 | 8.00 |
| 15 | 15% | 1.75 | 82.06 | 5.02 | 4.96 | 0.06 | 0.04 | 0.16 | 5.17 |
| 16 | 20% | 1.50 | 131.86 | 9.64 | 4.84 | 4.80 | 0.16 | 0.24 | 1.67 |
| 17 | 20% | 2.00 | 130.62 | 6.20 | 4.78 | 1.42 | 0.22 | 0.34 | 6.30 |
| 18 | 20% | 2.50 | 128.62 | 5.44 | 4.94 | 0.50 | 0.06 | 0.10 | 3.00 |
| 19 | 20% | 3.00 | 130.78 | 5.22 | 4.86 | 0.36 | 0.14 | 0.20 | 9.00 |
| 20 | 20% | 3.50 | 130.72 | 4.88 | 4.80 | 0.08 | 0.20 | 0.24 | 3.00 |


Method: Detection – Heterogeneous Wind Farm – ARIMA

| Scenario | SD of noise | Critical range (± MW) | No. of suspicious turbines due to min./max. output | No. of total detections | No. of correct detections (true positives) | No. of false detections (false positives) | No. of missed detections (false negatives) | No. of attacked turbines with min. or max. output | Ø no. of periods to detect min./max. output attacks |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 5% | 0.25 | 36.48 | 24.18 | 5.00 | 19.18 | 0.00 | 0.04 | 0.50 |
| 2 | 5% | 0.50 | 36.16 | 13.22 | 4.90 | 8.32 | 0.10 | 0.12 | 0.00 |
| 3 | 5% | 0.75 | 37.66 | 8.98 | 4.98 | 4.00 | 0.02 | 0.02 | - |
| 4 | 5% | 1.00 | 37.64 | 6.92 | 4.98 | 1.94 | 0.02 | 0.06 | 3.00 |
| 5 | 5% | 1.25 | 37.38 | 5.82 | 4.96 | 0.86 | 0.04 | 0.04 | - |
| 6 | 10% | 0.50 | 53.02 | 22.80 | 4.98 | 17.82 | 0.02 | 0.02 | - |
| 7 | 10% | 0.75 | 51.40 | 13.48 | 4.90 | 8.58 | 0.10 | 0.10 | - |
| 8 | 10% | 1.00 | 50.94 | 9.38 | 4.92 | 4.46 | 0.08 | 0.12 | 8.00 |
| 9 | 10% | 1.25 | 50.30 | 7.54 | 4.98 | 2.56 | 0.02 | 0.06 | 8.50 |
| 10 | 10% | 1.50 | 50.14 | 6.58 | 4.98 | 1.60 | 0.02 | 0.02 | - |
| 11 | 15% | 1.00 | 79.96 | 16.66 | 4.86 | 11.80 | 0.14 | 0.24 | 2.80 |
| 12 | 15% | 1.25 | 78.96 | 12.08 | 4.86 | 7.22 | 0.14 | 0.22 | 9.33 |
| 13 | 15% | 1.50 | 80.72 | 9.70 | 4.96 | 4.74 | 0.04 | 0.08 | 1.00 |
| 14 | 15% | 1.75 | 79.34 | 8.10 | 4.92 | 3.18 | 0.08 | 0.08 | - |
| 15 | 15% | 2.00 | 79.74 | 7.04 | 4.96 | 2.08 | 0.04 | 0.04 | - |
| 16 | 20% | 1.50 | 132.08 | 19.16 | 4.92 | 14.24 | 0.08 | 0.20 | 4.00 |
| 17 | 20% | 2.00 | 131.88 | 11.98 | 4.90 | 7.08 | 0.10 | 0.14 | 8.00 |
| 18 | 20% | 2.50 | 131.68 | 8.58 | 4.82 | 3.76 | 0.18 | 0.22 | 12.50 |
| 19 | 20% | 3.00 | 130.10 | 6.48 | 4.80 | 1.68 | 0.20 | 0.22 | 17.00 |
| 20 | 20% | 3.50 | 132.86 | 6.36 | 4.86 | 1.50 | 0.14 | 0.16 | 16.00 |

Comparing all measurements among different critical ranges for each SD of noise, the optimal critical ranges were determined. For this purpose, the most efficient combination of false and missed detections as well as average time to detect attacked turbines with minimum or maximum power output was identified. In reality, this is assumed to depend on the relevance and impact of false and missed detections. For instance, a false detection may be less severe than a missed detection. However, in the framework of this thesis, both were considered identically, since the assumption was made that real power output is not observable (A17). This indicates that wind farm operators do not know if a detection was correct or false or whether an attack was missed.

Consequentially, the optimal critical range for each SD of noise that is recommended by this thesis, depending on the prediction method, is highlighted in red in Table 2, Table 3 and Table 4, and summarized in Figure 9. The latter demonstrates the logical trend of higher SDs of noise leading to higher optimal critical ranges, regardless of the prediction method.

Figure 9: Optimal critical range as a function of the SD of noise for the detection algorithm

A comparison of the results with optimal critical ranges among the prediction methods clearly reveals that the type of wind farm (homogeneous or heterogeneous) does not significantly influence the choice of the optimal critical range in terms of averaging, nor does it affect the performance of the proposed detection algorithm. On average, the number of false detections with averaging was found to be generally low and only slightly higher in heterogeneous wind farms (0.265 instead of 0.115 per simulation run). The percentage of attacked turbines with minimum or maximum power output that went undetected is 23.89% in homogeneous wind farms (with averaging) and 33.75% in heterogeneous wind farms (with modified averaging) as an average among all SDs of weather data noise.

In contrast, ARIMA was found to perform significantly worse than averaging in heterogeneous wind farms. For low SDs of noise, higher critical ranges are required to avoid an excessive number of false attacks. On average, the number of false attacks with modified averaging is 91.83% lower compared to ARIMA in the respective optimal critical ranges (0.265 instead of 3.245 per simulation run). Furthermore, the average share in missed attacks on turbines with minimum or maximum power output is higher while utilizing ARIMA (41.29%) instead of modified averaging (33.75%).

Thus, it can be concluded that averaging for homogeneous wind farms and modified averaging for heterogeneous wind farms were found to be suitable prediction methods within the suggested detection algorithm. Additionally, ARIMA was proven to perform significantly worse than modified averaging in heterogeneous wind farms.

4.2 Mitigation

In the second experiment, the prediction methods from the first experiment – averaging, modified averaging and ARIMA – were utilized to mitigate the consequences of a successful DoS attack by calculating missing power outputs in step eight of the simulation model. The goal was to measure the performance of each mitigation method, as described in step nine of the model.

4.2.1 Setup

Throughout this experiment, the wind farm consisted of 20 turbines in the shape of a 4x5 field. Since this experiment did not focus on detection, this step was not considered, ensuring real attack information for the mitigation part.

In the following two subsections, the results of the mitigation experiment for a homogeneous wind farm (through averaging) and heterogeneous wind farm (through modified averaging and ARIMA) are presented.

4.2.2 Results

Table 5, Table 6 and Table 7 contain the results of the three sub-experiments with five performance measurements calculated in step nine of the model. In accordance with experiment one, all numbers represent the average of 30 simulation runs, except for MAPE. In this case, the median instead of the average was utilized in order to avoid outliers distorting the average. The maximum error clearly increases with the SD of noise for all sub-experiments, since higher differences in turbines’ power outputs due to higher noise logically lead to less precision of averaging. Additionally, the maximum error constantly increases with the percentage of attacked turbines and the duration of the attack, which can be reasoned by the fact that a greater number of calculations increases the probability of getting an extreme outcome.

According to logical expectation, the mean error of averaging and modified averaging fluctuated around zero for every scenario. This is explainable by the law of large numbers, stating that the more often a random experiment is executed, the closer its average gets to the expected value (Etemadi, 1981). Consequently, if the current experiment were conducted an infinite number of times, the mean error would on average be zero for both averaging methods. Thus, no influence of any parameter on the mean error was observed.

In contrast, the mean error of ARIMA was negative in every scenario except scenario 13, indicating that ARIMA strongly tends to underpredict power outputs.

For all three prediction methods, the MAE and MSE undoubtedly increase in the SD of noise but are not affected by the percentage of attacked turbines or the duration of the attack. The former naturally occurs due to higher differences among the turbines’ power outputs at higher noise, and thus, higher deviations of actual outputs from predicted outputs.


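Method: Mitigation – Homogeneous Wind Farm – Averaging

| Scenario | SD of noise | Turbines being attacked | Duration of the DoS attack (h) | Max. Error (MW) | Mean Error (MW) | MAE (MW) | MSE (MW) | MAPE (%) |
|---|---|---|---|---|---|---|---|---|
| 1 | 10% | 5% (1) | 2 | 0.294 | 0.035 | 0.257 | 0.139 | 19.21 |
| 2 | 10% | 5% (1) | 10 | 0.584 | -0.016 | 0.269 | 0.128 | 30.04 |
| 3 | 10% | 5% (1) | 24 | 0.787 | 0.006 | 0.221 | 0.097 | 44.86 |
| 4 | 10% | 10% (2) | 2 | 0.362 | -0.024 | 0.256 | 0.114 | 33.69 |
| 5 | 10% | 10% (2) | 10 | 0.810 | 0.023 | 0.263 | 0.128 | 28.59 |
| 6 | 10% | 10% (2) | 24 | 0.919 | 0.005 | 0.255 | 0.120 | 35.26 |
| 7 | 10% | 15% (3) | 2 | 0.502 | 0.034 | 0.280 | 0.129 | 31.69 |
| 8 | 10% | 15% (3) | 10 | 0.823 | 0.028 | 0.251 | 0.122 | 37.41 |
| 9 | 10% | 15% (3) | 24 | 1.036 | -0.002 | 0.252 | 0.116 | 38.40 |
| 10 | 20% | 5% (1) | 2 | 0.768 | 0.058 | 0.527 | 0.555 | 58.73 |
| 11 | 20% | 5% (1) | 10 | 1.191 | -0.043 | 0.532 | 0.461 | 105.03 |
| 12 | 20% | 5% (1) | 24 | 1.758 | -0.027 | 0.534 | 0.500 | 134.93 |
| 13 | 20% | 10% (2) | 2 | 0.800 | -0.099 | 0.456 | 0.365 | 64.78 |
| 14 | 20% | 10% (2) | 10 | 1.683 | -0.019 | 0.524 | 0.489 | 113.43 |
| 15 | 20% | 10% (2) | 24 | 1.711 | 0.006 | 0.514 | 0.449 | 114.38 |
| 16 | 20% | 15% (3) | 2 | 1.205 | -0.046 | 0.536 | 0.521 | 73.58 |
| 17 | 20% | 15% (3) | 10 | 1.569 | -0.017 | 0.495 | 0.415 | 113.19 |
| 18 | 20% | 15% (3) | 24 | 2.099 | -0.008 | 0.524 | 0.488 | 98.21 |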


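Method: Mitigation – Heterogeneous Wind Farm – Modified Averaging

| Scenario | SD of noise | Turbines being attacked | Duration of the DoS attack (h) | Max. Error (MW) | Mean Error (MW) | MAE (MW) | MSE (MW) | MAPE (%) |
|---|---|---|---|---|---|---|---|---|
| 1 | 10% | 5% (1) | 2 | 0.381 | 0.099 | 0.254 | 0.119 | 27.16 |
| 2 | 10% | 5% (1) | 10 | 0.798 | -0.017 | 0.298 | 0.173 | 30.85 |
| 3 | 10% | 5% (1) | 24 | 0.838 | -0.022 | 0.271 | 0.143 | 36.23 |
| 4 | 10% | 10% (2) | 2 | 0.482 | -0.008 | 0.244 | 0.122 | 27.07 |
| 5 | 10% | 10% (2) | 10 | 0.782 | -0.024 | 0.257 | 0.133 | 36.99 |
| 6 | 10% | 10% (2) | 24 | 0.943 | -0.011 | 0.249 | 0.122 | 36.18 |
| 7 | 10% | 15% (3) | 2 | 0.764 | 0.024 | 0.314 | 0.210 | 34.42 |
| 8 | 10% | 15% (3) | 10 | 0.850 | 0.009 | 0.240 | 0.109 | 28.46 |
| 9 | 10% | 15% (3) | 24 | 1.111 | -0.003 | 0.249 | 0.123 | 38.98 |
| 10 | 20% | 5% (1) | 2 | 0.715 | -0.074 | 0.498 | 0.542 | 46.00 |
| 11 | 20% | 5% (1) | 10 | 1.330 | -0.036 | 0.552 | 0.540 | 67.31 |
| 12 | 20% | 5% (1) | 24 | 1.657 | -0.057 | 0.579 | 0.617 | 91.32 |
| 13 | 20% | 10% (2) | 2 | 0.987 | 0.070 | 0.517 | 0.448 | 51.18 |
| 14 | 20% | 10% (2) | 10 | 1.355 | -0.054 | 0.488 | 0.418 | 95.94 |
| 15 | 20% | 10% (2) | 24 | 1.971 | -0.041 | 0.548 | 0.547 | 80.59 |
| 16 | 20% | 15% (3) | 2 | 1.195 | -0.126 | 0.563 | 0.546 | 83.59 |
| 17 | 20% | 15% (3) | 10 | 1.755 | -0.026 | 0.490 | 0.466 | 101.72 |
| 18 | 20% | 15% (3) | 24 | 2.253 | -0.067 | 0.542 | 0.536 | 128.25 |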
