System Protection

Cyber security considerations for system protection

Dietmar Marggraff
13 min read · May 31, 2023
Protection Relay

In all likelihood, we have all experienced some form of electrical trip in our house. Perhaps the kettle/oven had some form of fault and suddenly the entire house has no power. In a non-South African setting (don’t ask), one is likely to come to the correct conclusion, which is that a circuit breaker at the distribution board has tripped. We can consider these to be local forms of system protection, i.e. within the house. In this post, we will take a look at what these system protection mechanisms typically look like at the electrical grid scale.

Feel free to explore some of the other topics we have covered in this series including Substations, Coal Power Stations, Process Control, and Open Cycle Gas Turbines.

Security consideration: throughout this post you will find these security 
considerations. These are used to highlight some of the important processes
that may be worth considering from a security perspective. This is not an
all-encompassing analysis, though, so try and keep the following questions
in mind when reading the post -
[1] Is this a critical process that may be worth protecting?
[2] What should we do to protect the system?
* Disclaimer: this information should not be used for nefarious or unauthorised
purposes but rather as an educational tool (see the Welcome post of this
blog).

Introduction

Before we dive into the different types of protection systems, it is important to consider what we are protecting ourselves against. Generally, the condition which occurs when a grid element is no longer able to perform its required purpose is referred to as a fault.

Practically, we may use this term interchangeably with a short circuit since this is the source of many of the faults. However, other conditions that could result in a fault include open circuits, failed devices, and overloads.

The purpose of a protection system is not just to detect a fault but also to respond to it as quickly as possible for the following reasons:

  • Maintain safety: a live wire could injure or kill people if they were to come in contact with a line that has not been isolated.
  • Prevent damage: short-circuit currents are typically orders of magnitude larger than the rated current and could subsequently damage equipment if not stopped quickly.
  • Maintain stability: faults on the grid that are not cleared could lead to stability issues for the larger grid.

Vegetation can often cause issues for power lines if it comes in contact with them as seen in Figure 1, below.

Figure 1: Branch connecting to power lines.
Security consideration: the suppression of a protection (safety) system 
could result in significant consequences as the grid may be unable
to adequately respond to a fault. In the absolute worst-case, a cascading
failure could result in a collapse of the grid.

Before we dive into the different techniques used to manage faults, let us consider faults in a little more detail:

Faults

As discussed, faults can take various forms with the most common being a short circuit. A short circuit occurs when the current flows along an unintended (low impedance) path and typically bypasses the load. A bolted fault is a special type of short circuit where the impedance is zero resulting in the maximum flow of current.

If we take a quick detour to Ohm’s Law, we remember that V=IR, and as such, if the resistance becomes very low or zero, the current increases significantly to ensure that the equation remains balanced. If we remember that P=VI, we note that with a large amount of current, we can generate a large amount of power which translates into some form of energy (usually heat, which may cause fires). A short circuit could cause damage to equipment or injure people.

Side note: in our three-phase systems, a symmetrical fault relates to a fault in all three phases whilst an asymmetric fault does not affect all phases.

The Pacific Northwest National Laboratory provides us with a detailed breakdown of the different types of faults in Figure 2, below.

Figure 2: Types of grid faults.

Figure 2 is accompanied by a 38-page whitepaper which largely falls out of scope for this post. Nevertheless, some interesting types of faults are described below:

  • Cold load pickup: during an extended period of no load, the sudden turn-on of loads could cause an overload fault. The reason for this is that electronic devices often have an inrush current that is higher than the rated current i.e. a device (typically a motor) may arbitrarily require 20A to start but only 10A to run. In this case, the inrush current exceeds the line rating and results in a fault. The correct approach would be to slowly add loads so that the inrush current is limited.
  • Underbuilt fault to transmission circuit: an underbuilt circuit refers to a distribution line being mounted below a transmission line (with potentially vast voltage differences) on the same pole/mast. If the two lines were to come into contact with one another an overvoltage condition would occur on the lower voltage distribution line.
  • Sympathetic trip: this type of trip occurs when a protection device in a healthy section of the grid trips due to a fault in another section of the grid resulting in unnecessary disconnections and disruptions of service.
Security consideration: a sympathetic trip may sound like a nuisance but since
the electrical grid is considered to be critical infrastructure, the
availability requirements are high. Simply disconnecting a circuit could result
in important services such as hospitals losing power, potentially harming
human life.

Protection system components

Protection systems, which are used to react to faults, typically comprise three main components, namely measuring devices (to determine whether a fault condition is present), protective relays (to institute some form of action), and control circuitry (to control the system).

Side Note: note the similarities in the buildup of these devices with the generic control system described in our process control post.

Let us consider each of these components in a little more detail:

Measuring devices

The measuring device, as the name implies, measures the conditions on a line to determine whether a fault has occurred. In most cases, voltage/current are measured with deviations from the normal conditions potentially indicating a fault. For example, a sudden increase in current or an increase/decrease in voltage on the line could indicate a fault. Importantly, the devices cannot make use of the actual current and voltage on the line, so they need to be scaled down.

In order to perform this scaling down, we use, yes, you guessed it, transformers. Specifically, we have three types of transformers we commonly use:

  • Current Transformers (CT): a current transformer scales down the power current to a proportional value that can be used by the measuring device (often in the magnitude of 2500:1 even though the actual value may vary). Figure 3, below, shows how the CTs are often mounted to the base of bushings (the silver disks) (even though this may not always be the case).
Figure 3: Bushing current transformer.
  • Voltage Transformers (VT): voltage transformers have the same function as CTs except that they reduce the voltage (typically to ≤ 120V). They operate in a very similar way to a normal transformer (the ones we discussed in our Fundamentals of the Electrical Grid post) and are often referred to as Potential Transformers (PTs). Figure 4 provides a detailed overview of the different components one may find in a VT/PT.
Figure 4: Detailed overview of a PT/VT.
  • Coupling capacitance voltage transformers (CCVT): as the voltage increases above 100kV, VTs become very expensive, which creates the need for CCVTs. A CCVT is a series arrangement of capacitors that uses voltage division to achieve the required voltage. CCVTs are not as accurate as VTs/PTs and may be undesirable in certain high-accuracy scenarios. Figure 5 highlights a CCVT:
Figure 5: CCVT.

Protective Relays

Now that we have covered measuring devices, the next components of our protection systems are protective relays. Protective relays are used to compare current system conditions to expected system conditions in an attempt to determine whether a fault is present. Older relays typically took a mechanical form such as induction disks, springs, and timers. Protective relays are covered in more detail below.

Control Circuitry

The third element is the control circuitry which includes components like wires, batteries, and other supporting equipment. Once the relay contacts have been closed, the control circuitry sends a signal to the circuit breaker in order to trip it.

Security consideration: a failure of any of the three components within our
protection systems could cause serious damage (since the failure of the
protection system prevents the mitigation of the problem). If a
microprocessor-based system were to incorrectly interpret values, the
protection system may not perform correctly when called upon. Alternatively,
the protection system may execute its function when not called upon.

Protection Zones

Before we dive deeper into the different types of relays, we first need to define protection zones. A protection zone is “the specific region within the system that is monitored and protected from faults by protective relays.” Figure 6 provides an overview of protection zones within an electrical grid.

It is important to note that zones typically overlap. A fault in the generator zone would result in the circuit breaker opening (isolating the bus from the generator). A fault in the bus zone would open all incoming and outgoing circuit breakers, thereby isolating the generator, in order to protect it.

Figure 6: Protection zones.

Side note: a protection zone may be said to overreach/underreach. We ideally want circuit breakers to only operate for faults within their zones. The reason for this is that we may otherwise have unnecessary disruptions. By means of example, if the line zone breaker were to trip due to a fault in the very right yellow zone, this would result in a service disruption for all zones fed by the line zone, even if they do not contain a fault (hence, overreach). If a generator were to go down (thereby introducing less current into the line) and the overcurrent threshold of the line zone breakers is not adjusted, the circuit breaker may not trip during a fault condition resulting in underreach (this ‘recalibration’ is a common issue with overcurrent relays and will be discussed in more detail below).

Relay Types

Line protection systems

If we recall from our Fundamentals of the Electrical Grid post, we have two broad categories of line systems.

The distribution system is typically subjected to a number of faults including trees and other physical disturbances (more so than the transmission network). These may be intermittent and the fast clearing of the fault could prevent it from becoming permanent.

Whilst distribution lines may expect more faults, transmission lines contain different conditions that warrant additional/different protection measures. The reasons for this include:

  • Transmission lines are often connected to various generators resulting in the ability for current to flow in both directions.
  • The fault in a transmission line may vary depending on conditions such as the number of generators that are online. In this case, overcurrent relays would have to be readjusted when changes in conditions occur otherwise unnecessary tripping may occur.
  • Fault currents are high and if they are not cleared quickly, the larger grid may rapidly become unstable.

Nevertheless, there are several types of line protections including:

Time overcurrent relays: A time overcurrent relay, as one example, pretty much performs the function implied in its name: checking for an overcurrent, over a pre-defined period of time.

Figure 7, below, highlights what the configuration for a directional time overcurrent relay may look like. A, B, and C partition the different sections of a line. In this case, since we have a source on both sides of the line, we require two relays per section to ensure that the fault is isolated for both sides of the line. A fault on line AB would trip the two relays connected to the line.

Figure 7: Directional overcurrent relay configuration.

Side note: time overcurrent relays may have different delays applied to them depending on where they are placed on the line (referred to as coordination). In the example of Figure 7, it would be undesirable for the relays in section AB to react to a fault in section BC. In this case, Relay R1, which isolates AB from the left source, should have a longer delay than R2 so that R1 does not trip for a fault in BC.

Security consideration: if the delay times for the relays are not correctly 
configured the protection devices may not operate as expected. This could
result in sympathetic trips or, in a worse case, damage to components.
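
A settings audit for the coordination rule above, as an added example that is not part of the original post. It assumes definite-time delays in milliseconds, a 300 ms coordination margin, and that R2 is the next relay downstream of R1 on section BC; all setting values are constructed.

```python
from dataclasses import dataclass

MARGIN_MS = 300  # assumed minimum coordination gap; the post gives no figure


@dataclass(frozen=True)
class Relay:
    name: str      # relay label (R1/R2 follow the post's Figure 7 discussion)
    section: str   # line section the relay isolates
    delay_ms: int  # definite-time delay before the relay trips


def audit_chain(chain, margin_ms=MARGIN_MS):
    """Audit relays that look in one direction, ordered from the source outwards.

    A relay must wait longer than the next relay downstream; otherwise it can
    trip for a fault outside its own section. Returns a list of findings.
    """
    findings = []
    for up, down in zip(chain, chain[1:]):
        gap = up.delay_ms - down.delay_ms
        if gap <= 0:
            findings.append((up.name, "miscoordinated",
                             f"not slower than {down.name}; "
                             f"may trip for a fault in {down.section}"))
        elif gap < margin_ms:
            findings.append((up.name, "thin-margin",
                             f"only {gap} ms slower than {down.name}"))
    return findings


def drift_from_baseline(deployed, approved):
    """Return {relay name: (approved_ms, deployed_ms)} for every changed delay."""
    approved_by_name = {r.name: r.delay_ms for r in approved}
    return {r.name: (approved_by_name[r.name], r.delay_ms)
            for r in deployed
            if r.name in approved_by_name
            and approved_by_name[r.name] != r.delay_ms}


# Constructed, approved settings for the left-hand source of a line A-B-C.
APPROVED = [Relay("R1", "AB", 700), Relay("R2", "BC", 400)]
# Constructed deployed state: R1's delay has been shortened.
DEPLOYED = [Relay("R1", "AB", 300), Relay("R2", "BC", 400)]

if __name__ == "__main__":
    print("approved:", audit_chain(APPROVED))
    print("drift:   ", drift_from_baseline(DEPLOYED, APPROVED))
    for finding in audit_chain(DEPLOYED):
        print("deployed:", finding)
```

Running the same audit over the chain that looks from the right-hand source covers the second relay of each section.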

Side note: time overcurrent relays are typically used as a backup for distance relays (discussed below).

Distance relaying: distance relaying is performed by a relay that measures the voltage and current and calculates the impedance to determine whether a threshold has been exceeded. The important aspect is that the distance relay considers the ratio of voltage to current (impedance) and not just the current, thereby solving issue (2) above (fault levels that vary with conditions such as the number of generators online). Figure 8, below (from a considerably old but very informative YouTube series), provides an overview of how a distance relay may be configured.

Figure 8: Distance relay.

Figure 8 highlights an interesting property of the distance relay, namely, the ability to adjust to the distance of the line. In this case, if the line has an impedance of 100Ω, the relay would trip if the impedance dropped below 90Ω. We can subsequently detect a fault between the relay point and 90% of the line (the relays are typically not set to 100% due to overreach concerns). The voltage and current values are supplied by the VTs and CTs defined above.
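
The 90Ω decision above, as an added example that is not part of the original post, extended to show how a wrong CT ratio in the relay settings moves the reach (the "incorrectly interpret values" concern from the protection system components section). The VT ratio, the fault voltage and the wrong CT settings are constructed assumptions, and only impedance magnitudes are modelled.

```python
from dataclasses import dataclass

LINE_Z_OHM = 100.0    # line impedance from the post's example
REACH = 0.9           # relay set to 90% of the line, as in the post
TRUE_CT = 2500.0      # installed CT ratio (the post's typical 2500:1)
TRUE_VT = 1000.0      # installed VT ratio (constructed value)
V_PRIMARY = 76_000.0  # voltage at the relay during the fault (constructed)


@dataclass(frozen=True)
class RelayConfig:
    ct_ratio: float  # CT ratio entered in the relay settings
    vt_ratio: float  # VT ratio entered in the relay settings


def secondary_values(z_fault_ohm):
    """Voltage and current the installed VT and CT hand to the relay."""
    i_primary = V_PRIMARY / z_fault_ohm
    return V_PRIMARY / TRUE_VT, i_primary / TRUE_CT


def apparent_impedance(v_sec, i_sec, cfg):
    """Primary-side impedance as the relay computes it from its settings."""
    return (v_sec * cfg.vt_ratio) / (i_sec * cfg.ct_ratio)


def trips(z_fault_ohm, cfg):
    """True if the relay trips for a fault of the given true impedance."""
    v_sec, i_sec = secondary_values(z_fault_ohm)
    return apparent_impedance(v_sec, i_sec, cfg) < REACH * LINE_Z_OHM


def effective_reach(cfg):
    """Fraction of the line really covered, given the configured ratios."""
    return REACH * (cfg.ct_ratio / TRUE_CT) * (TRUE_VT / cfg.vt_ratio)


CORRECT = RelayConfig(ct_ratio=2500.0, vt_ratio=1000.0)
CT_TOO_LOW = RelayConfig(ct_ratio=2000.0, vt_ratio=1000.0)   # constructed error
CT_TOO_HIGH = RelayConfig(ct_ratio=3000.0, vt_ratio=1000.0)  # constructed error

if __name__ == "__main__":
    for label, cfg in [("correct", CORRECT), ("CT too low", CT_TOO_LOW),
                       ("CT too high", CT_TOO_HIGH)]:
        inside = trips(80.0, cfg)     # fault at 80% of the line
        outside = trips(105.0, cfg)   # fault past the far end of the line
        print(f"{label:12} reach={effective_reach(cfg):.2f} "
              f"trip@80ohm={inside} trip@105ohm={outside}")
```

With the CT ratio set too low the relay underreaches and misses the in-zone fault; set too high it overreaches and trips for a fault beyond the line, so comparing configured ratios against the installed instrument transformers belongs in any settings review.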

Pilot schemes: in order to increase the speed at which a line is tripped, we can introduce some form of communication between the two ends of a line. We can subsequently introduce a pilot channel that allows for the exchanging of information between the terminals.

Figure 9, below, highlights how the two zones have been configured to cover 80% of the line with overcurrent relays. In this case, if relay 2 detects a fault, a signal is sent to relay 1 which will subsequently also trip resulting in an isolation of the line.

Figure 9: Pilot scheme.

Side note: to prevent the line from tripping for external faults (e.g., on line H), directional relays can be used.

Security consideration: if the signal to trip does not reach the receiver or
the incorrect signal is received, the system may not respond as intended. If
the signal to trip is sent, without the use-case being present, the
availability of the grid is affected. If the signal is sent but not received,
the circuit breaker will not open and the fault may damage equipment.
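
One way a receiving relay could handle both failure modes named above (a trip signal that should not have arrived, and one that never arrives), as an added example that is not part of the original post. The frame layout, the guard messages, the 50 ms timeout and the key are hypothetical and do not describe any real teleprotection protocol.

```python
import hashlib
import hmac
import struct

GUARD, TRIP = 0, 1               # hypothetical command codes
GUARD_TIMEOUT_MS = 50            # assumed: longest silence before alarming
KEY = b"constructed-demo-key"    # constructed key, for the demo only
FRAME_LEN = 5 + 32               # 4-byte sequence + 1-byte command + tag


def encode(key, seq, command):
    """Build a frame: sequence number, command, then an HMAC-SHA256 tag."""
    body = struct.pack(">IB", seq, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class PilotReceiver:
    """Receiving end of the pilot channel (relay 1 in the post's Figure 9)."""

    def __init__(self, key, now_ms=0):
        self.key = key
        self.last_seq = -1
        self.last_valid_ms = now_ms

    def receive(self, frame, now_ms):
        """Return 'trip', 'guard' or a rejection reason; bad frames never trip."""
        if len(frame) != FRAME_LEN:
            return "reject:length"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject:tag"          # altered or forged frame
        seq, command = struct.unpack(">IB", body)
        if seq <= self.last_seq:
            return "reject:replay"       # old frame sent again
        if command not in (GUARD, TRIP):
            return "reject:command"
        self.last_seq = seq
        self.last_valid_ms = now_ms
        return "trip" if command == TRIP else "guard"

    def channel_healthy(self, now_ms):
        """False once no valid frame has arrived within the guard timeout."""
        return now_ms - self.last_valid_ms <= GUARD_TIMEOUT_MS


if __name__ == "__main__":
    rx = PilotReceiver(KEY)
    trip = encode(KEY, 2, TRIP)
    forged = bytearray(encode(KEY, 3, GUARD))
    forged[4] = TRIP                     # command flipped without the key
    print(rx.receive(encode(KEY, 1, GUARD), 10))  # guard
    print(rx.receive(trip, 20))                   # trip
    print(rx.receive(trip, 25))                   # reject:replay
    print(rx.receive(bytes(forged), 30))          # reject:tag
    print(rx.channel_healthy(100))                # False: raise an alarm
```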

Substation equipment protection systems

Substations also contain various protection mechanisms which we have discussed in great detail in our Substation post. Nevertheless, we still need to look at the relays:

  • Differential relay: a differential relay works by monitoring the change in a condition (typically current). In the case of a transformer, the input current should equal the scaled output current (in reality they are not exactly the same). Likewise, the total current on two terminals of a line should be approximately the same (if no load is connected).
  • Sudden pressure relays: a sudden pressure relay is typically employed in oil-filled transformers where an increase in pressure could indicate a fault. The relay de-energises the transformer when such a condition is observed.
  • Fuses: fuses are often employed around transformers to isolate a transformer during an overcurrent condition. Figure 10, below, shows a line fuse that also serves as a disconnect switch for a pole-mounted transformer (a smaller transformer connected to a line). During an overcurrent scenario, the fuse will melt/explode resulting in an isolation of the line. Under normal operation, the operators can use a hot stick (pole) to disconnect the transformer (for maintenance purposes as an example).
Figure 10: Line fuse of a transformer.
Security consideration: a fault within a transformer could cause excessive
heat resulting in the formation of gas. If the pressure increases above design
limits, the transformer may explode. Sudden pressure relays are critical
for the monitoring of transformers.

Generator protection systems

Generators are a fundamental component of any power system and damage to a generator could have a significant impact on the ability of the electrical grid to operate correctly. Subsequently, generators also have special protection mechanisms applied to them, including, but not limited to:

  • Winding differential relay: as with a normal differential relay, the conditions on a single phase of the generator are compared.
  • Unbalanced fault relays: the conditions on the phases of a generator should be the same under normal conditions. If they are not, i.e. the phases are unbalanced, the relay will trip.
  • Overload relays: typically, a resistance temperature detector (RTD) is used to measure whether an overheating condition is occurring due to an overload. If a pre-defined threshold is crossed, a relay trips the system.
  • Generator motoring: if a turbine were to lose power (e.g. lack of steam), the turbine will compensate by drawing real power from the generator (reverse power flow). A special system is used to detect this condition.
Security consideration: if the monitoring systems of a relay were to receive
the incorrect information, the relays may compensate in an unnecessary and
unwanted manner. If the value received from the RTD is higher than what it
actually is, the generator may be disconnected without reason. If the value
is lower than expected, and the generator moves into a dangerous state, the
protection system may not react potentially resulting in damage to the
generator.

Conclusion

In this post, we learned quite a bit about the different protection mechanisms that we may use to protect the integrity and availability of our electrical grid. The protection mechanisms are employed to quickly detect and isolate faults so that the effect on the larger grid is minimised. Whilst the protection systems serve an important purpose, they can be misused to generate unwanted and potentially dangerous conditions within the electrical grid.

Security consideration: we managed to identify several security 
considerations throughout this post. Nevertheless, we may have missed
something. Feel free to leave a comment with additional considerations!
