Automated Anomaly Detection in Distribution Grids Using µPMU Measurements

Mahdi Jamei∗, Anna Scaglione∗, Ciaran Roberts†, Emma Stewart†, Sean Peisert†, Chuck McParland†, Alex McEachern‡

∗School of Electrical, Computer, and Energy Engineering, Arizona State University, Tempe, AZ, USA
†Lawrence Berkeley National Laboratory, Berkeley, CA, USA
‡Power Standards Laboratory, Alameda, CA, USA

Abstract—The impact of Phasor Measurement Units (PMUs) for providing situational awareness to transmission system operators has been widely documented. Micro-PMUs (µPMUs) are an emerging sensing technology that can provide similar benefits to Distribution System Operators (DSOs), enabling a level of visibility into the distribution grid that was previously unattainable. In order to support the deployment of these high-resolution sensors, the automation of data analysis and prioritizing communication to the DSO becomes crucial. In this paper, we explore the use of µPMUs to detect anomalies on the distribution grid. Our methodology is motivated by growing concern about failures of and attacks on distribution automation equipment. The effectiveness of our approach is demonstrated through both real and simulated data.

Index Terms—Intrusion Detection, Anomaly Detection, Micro-Phasor Measurement Unit, Distribution Grid

I. INTRODUCTION

The state vectors of the transmission grid are closely monitored and their physical behavior is well-understood [1]. In contrast, Distribution System Operators (DSOs) have historically lacked detailed real-time actionable information about their system. This, however, is set to change. As the distribution grid shifts from a demand-serving network towards an interactive grid, there is a growing interest in gaining situational awareness via advanced sensors such as Micro-Phasor Measurement Units (µPMUs) [2].

The deployment of the µPMUs in isolation without additional data-driven applications and analytics is insufficient.
It is critical to equip DSOs with complementary software tools that are capable of automatically mining these large data sets in search of useful, actionable information. There has been a lot of work focused on using PMU data at the transmission level to improve Wide-Area Monitoring, Protection and Control (WAMPC) [3], [4]. The distribution grid, however, is lagging in this respect. Due to inherent differences in operational behavior between the distribution and transmission grids, such as imbalances and increased variability, the algorithms derived for WAMPC at the transmission level are generally not directly applicable at the distribution level. Our work is aimed at addressing this issue.

We focus on an important application of µPMU data in the distribution system: anomaly detection, i.e., detecting behavior that differs significantly from normal operation of the grid during (quasi) steady-state. An anomaly can take a number of forms, including faults, misoperations of devices or switching transients, among others, and its root cause can be either a natural occurrence, error or attack. The risk of cyber-physical attacks via an IP network has recently gained significant interest due to the increase in automation of our power grid via two-way communication. This communication is typically carried out on breachable networks that can be manipulated by attackers [5]. Even if an anomaly naturally occurs, it is important to notify the DSO to ensure proper remedial action is taken.

A. Related Work

The majority of published work in anomaly detection using sensor data, primarily SCADA and PMU data, has focused on the transmission grid. The proposed methods are typically data-driven approaches, whereby the measurements are inspected for abnormality irrespective of the underlying physical model.
One such example, the common path data mining approach implemented on PMU data and audit logs at a central server, is proposed in [6] to classify events as a disturbance, an attack via IP computer networks, or normal operation. Chen et al. [7] derive a linear basis expansion for the PMU data to reduce the dimensionality of the measurements. Through this linear basis expansion, it is shown how an anomaly, which changes the grid operating point, can be spotted by comparing the error of the projected data onto the subspace spanned by the basis and the actual values. Valenzuela et al. [8] used Principal Component Analysis (PCA) to classify the power flow results into regular and irregular subspaces. Through analyzing the data residing in the irregular subspace, their method determines whether the irregularity is caused by a network attack or not. Jamei et al. [9] propose an intrusion detection architecture that leverages µPMU data and SCADA communication over IP networks to detect potentially damaging activities in the grid. The aforementioned algorithms are all part of the suite of machine learning techniques that the security monitoring architecture will rely on.

B. Our Contribution

µPMUs, due to their high sampling frequency, are a much richer data source in comparison to traditional Distribution Supervisory Control and Data Acquisition (DSCADA). In this