
Cybersecurity

White Paper

ADEPT Adaptive Deep-learning for Energy Protection and Threat-detection

Executive Summary

SCADA systems are subject to an array of cyber threats, including false data injection (FDI), denial of service (DoS), and spoofing attacks. These threats are exacerbated by the vast volumes of telemetry, system logs, and alarms generated by SCADA systems, which often obscure patterns of malicious activity and increase the likelihood of delayed or missed anomaly detection.

Recognizing these pressing challenges, the Department of Energy (DOE) has prioritized the development of innovative technologies capable of detecting, diagnosing, and explaining malicious activities to enhance grid resilience and security. Given these challenges, it is imperative to develop robust solutions that adapt to the dynamic and interconnected nature of SCADA systems.

By detecting and understanding attacks as they occur, even novel, never-before-seen attacks, critical energy systems can be better protected from hostile adversaries. This includes not only mitigating damage from ongoing attacks but also establishing preventive measures for future attacks that may occur.

1. Introduction

As the backbone of the modern energy grid, SCADA systems play a pivotal role in ensuring operational efficiency and reliability. Yet, their critical importance also makes them a prime target for increasingly sophisticated and evolving cyber threats, such as the Stuxnet worm’s targeting of Iranian nuclear facilities and the 2015 cyberattack on Ukraine’s power grid. These events illustrate the catastrophic consequences of undetected or poorly mitigated threats, which can compromise operations, impose severe economic damage, and endanger public safety. These vulnerabilities pose significant risks, including disruptions to grid stability, public safety, and national security.

2. Background

The electrical grid is a critical infrastructure that underpins national security, economic stability, and technological progress. To enhance efficiency and reliability, the energy sector is transitioning from conventional substations to digital substations, which integrate intelligent electronic devices (IEDs) and advanced communication protocols for real-time monitoring and automation. While these advancements improve grid performance and resilience, they also introduce new operational complexities and security challenges. As Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) become more interconnected, they generate vast streams of telemetry, logs, and alarms that require sophisticated analysis to detect anomalies and potential cyber threats. This increasing system complexity highlights the need for innovative AI-driven approaches to ensure secure and reliable grid operations.

3. Limitations of existing solutions

Despite incremental advances, current SCADA cybersecurity frameworks exhibit significant limitations in detecting novel attack patterns, providing actionable diagnostics, and analyzing diverse and dynamic data streams. Conventional anomaly detection approaches are predominantly signature-based and inherently lack the flexibility to identify zero-day attacks or other emergent anomalies. These methods depend on pre-defined rules and are effective only for known threats, leaving systems vulnerable to sophisticated adversaries exploiting unknown vulnerabilities. Furthermore, as the complexity of the electric grid grows, traditional approaches struggle to adapt to the scale and diversity of real-time data streams.

Phasor Measurement Units (PMUs) have been deployed across the U.S. transmission network since 2003 as part of the North American SynchroPhasor Initiative (NASPI), achieving near-full coverage by 2011. Commercial PMUs are available for substations, offering accuracy comparable to transmission-level PMUs, and micro-PMUs have been deployed in distribution networks as well to enhance visibility at lower voltage levels. Recognizing the need for advanced analytics in power grid security, the DOE launched the Big Data Synchrophasor Analysis initiative in 2019, funding research into machine learning (ML) applications for PMU data to enhance real-time anomaly detection. Despite these advancements, traditional anomaly detection methods still struggle to effectively integrate PMU and SCADA data, limiting their ability to detect and mitigate malicious events in real-time.

4. Opportunity for innovation

Transformers have demonstrated remarkable success in various NLP tasks including machine translation, question answering, and sentiment analysis. In each of these tasks, transformers leverage their self-attention layers to weigh the relevance of different words across sentences, and thus learn, from context, complex relationship patterns in long temporal sequences. For instance, in machine translation, this context-aware mechanism enables the model to track linguistic dependencies across entire passages, ensuring coherent output. Similarly, question answering and sentiment analysis benefit from an understanding of how different parts of the text relate to each other, allowing the model to pick up subtle cues about subject matter, tone, and emotional polarity.

The principles of capturing nuanced relationships, managing context and adapting dynamically are directly applicable to SCADA-based energy infrastructure. Just as transformers learn to map input text to output, they can be trained on multivariate time-series data to identify normal operation patterns, detect anomalies, and recognize subtle deviations. Applied to SCADA systems, the task translates to predicting the next expected measurement value based on previous sensor readings and flagging unexpected fluctuations that may indicate equipment malfunctions or security breaches. By aligning the transformer concepts – such as self-attention, dynamic contextual weighing and sequence to sequence learning – with SCADA systems, a robust anomaly detection and diagnosis model can be designed. Additionally, transformers’ scalability allows them to process the high-dimensional and multivariate data generated by SCADA environments, making them highly effective for real-time anomaly detection and diagnosis.

5. Lymba’s proposed solution

Lymba introduces a novel unsupervised learning AI-driven cybersecurity system designed for real-time detection and diagnosis of malicious activities in SCADA environments, particularly within digital substations of the electric grid. Unlike conventional security approaches that rely on signature-based detection, our system integrates transformer-based deep learning, Generative Adversarial Networks (GANs), and multimodal fusion into a unified, adaptive defense mechanism. This architecture not only identifies known attack patterns but also detects previously unseen cyber threats by learning complex dependencies across diverse SCADA data streams. We call the system proposed here Adaptive Deep-learning for Energy Protection and Threat-detection (ADEPT).

Lymba proposes a novel multimodal fusion mechanism that unifies multiple SCADA data sources—such as telemetry, system logs, alarms, and power flow analytics—through modality-specific autoencoders embedded in a transformer architecture, building on previous SCADA fusion methods. This holistic approach overcomes single-modal limitations by capturing interdependencies among diverse data types while remaining adaptable to new sources. To detect anomalies effectively, we leverage GANs, wherein a generator produces synthetic data that mimics normal operational patterns and a discriminator learns to distinguish it from real data. Through this iterative zero-sum competition, GANs model the distribution of normal system behavior, enabling robust detection and classification of anomalies in ICS and SCADA environments.

The benefits of GANs in SCADA cybersecurity are particularly noteworthy. Real-world attack scenario data is scarce, making supervised learning approaches impractical. GANs circumvent this limitation by training exclusively on normal operational data, allowing them to adapt dynamically to evolving threats. Additionally, they enhance the robustness of anomaly detection systems by generating diverse synthetic scenarios that improve the model’s ability to detect previously unseen attack patterns.

We illustrate in Figure 1 the proposed architecture for anomaly detection and diagnosis in SCADA environments. The solution is composed of two key stages: (1) Early Modal Fusion: this module preprocesses any number of multimodal inputs to transform them into a structured matrix representation, , which captures correlations between different data sources; (2) Anomaly Detection & Diagnosis: a transformer-based GAN that detects anomalous behavior from the fused data and diagnoses the modalities most responsible for anomalies from its reconstructed output.


Fig. 1: System overview

The fusion module processes multivariate and multimodal input data. This input could consist of any number of modalities such as voltage, current, power flow, system log embeddings, and alarms. Each modality is encoded into a latent representation using a modality encoder, which ensures that different types of input data are transformed into a structured format of the same dimensionality that can be fused effectively. In the GAN-based reconstruction using Transformers module, the decoders attempt to reconstruct the original time series and, through adversarial competition, learn the patterns of normal operation. Once training is complete, at the inference stage a dynamic threshold is used to gauge whether an anomaly has occurred.

ADEPT introduces an anomaly attribution mechanism to provide transparency into the source and nature of detected threats. Unlike black-box detection systems, Lymba’s approach traces anomalies back to their origin, helping operators understand which data sources contributed most to an anomaly score. This is achieved by analyzing per-feature reconstruction errors, highlighting which aspects of the fused multimodal representation deviated from normal patterns. Additionally, attention-based feature importance analysis within the transformer provides a human-readable explanation of anomaly detections. By integrating these interpretability mechanisms, our model ensures that security analysts not only detect threats but can also identify their root causes, improving response times and incident resolution in digital substation environments.
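The mechanism described in Section 4 (predict the next expected measurement, flag unexpected deviations) and in the two preceding paragraphs (fuse modalities into one matrix, score by reconstruction error against a dynamic threshold, attribute the anomaly to the modality with the largest per-feature error) can be exercised end to end on a small constructed data set. The following is an added example and is not Lymba's ADEPT code: the learned transformer/GAN reconstruction is stood in for by a per-feature exponentially weighted moving average (EWMA) predictor so that it runs with the Python standard library alone, and the three telemetry streams, the injected voltage deviation at step 15, and the parameter values (baseline window, alpha, window, k, min_threshold) are all constructed assumptions.

```python
"""Reconstruction-error anomaly detection over fused SCADA modalities.

Added illustration, not Lymba's ADEPT code. The learned reconstruction model
is replaced by a per-feature EWMA predictor (an assumption made so the
example runs offline); the detection, dynamic-threshold and attribution
steps follow the pipeline described in the white paper.
"""
import statistics
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real substation data): three modalities
# sampled at 20 consecutive intervals. Step 15 carries a constructed
# false-data-injection-style deviation in the voltage channel (140 kV).
SAMPLE_STREAMS: Dict[str, List[float]] = {
    "voltage_kv": [132.0, 132.1, 131.9, 132.0, 132.2, 132.1, 132.0, 131.9,
                   132.1, 132.0, 132.2, 132.1, 132.0, 132.1, 131.9, 140.0,
                   132.0, 132.1, 132.0, 132.1],
    "current_a": [410, 412, 409, 411, 413, 412, 410, 409, 411, 412,
                  413, 412, 410, 411, 409, 410, 412, 411, 410, 411],
    "alarm_count": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0,
                    0, 1, 0, 0, 0, 0, 0, 1, 0, 0],
}


def fuse_modalities(streams: Dict[str, List[float]],
                    baseline_steps: int) -> Tuple[List[str], List[List[float]]]:
    """Early modal fusion: z-score every modality against its own baseline
    window so heterogeneous units share one scale, then stack the channels
    into a matrix with one row per time step and one column per modality."""
    names = list(streams)
    length = len(streams[names[0]])
    if any(len(v) != length for v in streams.values()):
        raise ValueError("all modalities must cover the same number of steps")
    stats = {}
    for name in names:
        base = streams[name][:baseline_steps]
        mean = statistics.fmean(base)
        std = statistics.pstdev(base) or 1.0  # guard constant channels
        stats[name] = (mean, std)
    rows = [[(streams[n][t] - stats[n][0]) / stats[n][1] for n in names]
            for t in range(length)]
    return names, rows


def detect_anomalies(streams: Dict[str, List[float]], baseline_steps: int = 10,
                     alpha: float = 0.3, window: int = 8, k: float = 3.0,
                     min_threshold: float = 5.0) -> List[dict]:
    """Score each step by mean squared reconstruction error, compare it with a
    dynamic threshold (mean + k*std of recent normal scores, never below
    min_threshold), and attribute flagged steps to the worst feature."""
    names, rows = fuse_modalities(streams, baseline_steps)
    state = list(rows[0])        # EWMA predictor state, one entry per feature
    history: List[float] = []    # recent scores from steps judged normal
    results = []
    for step in range(1, len(rows)):
        errors = [(x - s) ** 2 for x, s in zip(rows[step], state)]
        score = sum(errors) / len(errors)
        if len(history) >= 2:
            threshold = max(min_threshold, statistics.fmean(history)
                            + k * statistics.pstdev(history))
        else:
            threshold = min_threshold
        # Baseline steps are used only to warm the predictor and threshold.
        is_anomaly = step >= baseline_steps and score > threshold
        top = max(range(len(names)), key=lambda i: errors[i])
        total = sum(errors)
        results.append({
            "step": step,
            "score": score,
            "threshold": threshold,
            "is_anomaly": is_anomaly,
            "errors": dict(zip(names, errors)),
            "top_feature": names[top],
            "share": errors[top] / total if total else 0.0,
        })
        # Do not learn from flagged steps: an absorbed injection would
        # otherwise shift the prediction and mask the following steps.
        if not is_anomaly:
            state = [(1 - alpha) * s + alpha * x
                     for s, x in zip(state, rows[step])]
            history = (history + [score])[-window:]
    return results


if __name__ == "__main__":
    for record in detect_anomalies(SAMPLE_STREAMS):
        if record["is_anomaly"]:
            print(f"step {record['step']}: score {record['score']:.1f} > "
                  f"threshold {record['threshold']:.1f}; "
                  f"attributed to {record['top_feature']} "
                  f"({record['share']:.0%} of error)")
```

Two design choices carry over to a real deployment regardless of the model behind the reconstruction: the predictor and the threshold history are updated only from steps judged normal, so a sustained injection cannot quietly become the new baseline, and the per-feature error breakdown is kept with every record so an operator sees which modality drove the alert rather than only a score.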

6. Anticipated benefits

This project will deliver significant technical, economic, and social benefits, addressing the urgent need for robust cybersecurity in SCADA systems. By leveraging advanced machine learning paradigms, including transformers, GANs, and multimodal fusion, the project will enhance grid resilience and operational security by detecting and diagnosing malicious events in real time.

From a technical perspective, the proposed solution directly addresses the growing complexities of digital substations, providing tools for early detection of sophisticated cyber threats such as false data injection, denial of service, and spoofing attacks. These innovations align with the Department of Energy’s (DOE) priorities to secure critical infrastructure and improve real-time situational awareness, creating a more resilient energy grid.

Economically, this technology mitigates the financial impact of cyberattacks, including costly downtime, equipment damage, and disruptions to service. By ensuring operational continuity and minimizing cascading failures, the solution will generate long-term cost savings for utilities, grid operators, and end users, enhancing overall energy reliability.

The social and national security benefits are equally significant. Protecting the energy grid reduces the risk of widespread outages that can disrupt healthcare, transportation, and communication systems. Proactively safeguarding critical infrastructure fosters public confidence in the reliability of essential services while strengthening national energy security. In the commercial sector, utility companies, grid operators, and IoT manufacturers stand to gain from a scalable, state-of-the-art cybersecurity solution tailored to their needs.

The most significant restraints for the market include the inability of AI to stop zero-day and advanced threats and the rise in insider cyber threats. Limited cybersecurity and AI professionals, lack of interoperability with existing information systems, and shortcomings of AI, all pose significant challenges to the market for AI in cybersecurity.

7. Conclusion

Lymba is engaged in research on the ADEPT framework, which leverages GAN-based reconstruction using transformers for anomaly detection and diagnosis. If you would like to learn more, visit www.lymba.com or email us at info@lymba.com.