An Intrusion and Defense Testbed in a Cyber-Power System Environment

Junho Hong, Shinn-Shyan Wu, Alexandru Stefanov, Ahmed Fshosha, Student Member, IEEE, Chen-Ching Liu, Fellow, IEEE, Pavel Gladyshev, Manimaran Govindarasu, Senior Member, IEEE

This research is sponsored by Science Foundation Ireland (SFI) at University College Dublin (UCD) through a Principal Investigator Award. J. Hong, S.-S. Wu, A. Stefanov, and C.-C. Liu are with the School of Electrical, Electronic and Mechanical Engineering and A. Fshosha and P. Gladyshev are with the School of Computer Science and Informatics, University College Dublin, Belfield, Dublin 4, Ireland (e-mails: junho.hong@ucdconnect.ie, shinn-shyan.wu@ucdconnect.ie, alexandru.stefanov@ucdconnect.ie, ahmed.shosha@ucdconnect.ie, liu@ucd.ie, pavel.gladyshev@ucd.ie). M. Govindarasu is with Iowa State University (email: gmani@iastate.edu).

978-1-4577-1002-5/11/$26.00 ©2011 IEEE

Abstract — The proposed testbed of the cyber-power system consists of power system simulation, substation automation, and the SCADA system. Scenarios for substation cyber security intrusions and anomaly detection concepts have been proposed. An attack tree method can be used to identify vulnerable substations and intrusions through remote access points. Specific substation vulnerability scenarios have been tested. A temporal anomaly is determined from data and information acquired at different time points; it is a metric that quantifies the anomaly between two snapshots. In a distributed intrusion detection algorithm, distributed agents are trained with a large number of scenarios and are intended for real-time applications. In a distributed environment, if an anomaly is detected by one agent, that agent is able to distribute critical information to the other agents in the network.

Index Terms — Cyber Security of Substations, Anomaly Detection, Defense System, Network Security.

I. INTRODUCTION

Critical infrastructure is a term that refers to the assets or facilities that support important operations for society, the economy, and national security. Examples of critical infrastructures are energy, telecommunications, public health, and transportation. Normally, the information and communications technology (ICT) network in a specific sector is a private network with limited connectivity to other sectors. However, as interconnectivity increases, cascading contingencies among multiple systems can be triggered by a fault or failure in these complex infrastructures. The other concern is that conventional security borders are being replaced by electronic security perimeters, which makes the interlinked infrastructures more vulnerable to cyber attacks. Securing the ICT networks to sustain reliable operation of critical infrastructures against cyber intrusions has become a major concern. As a result, various vulnerability assessment methods [1-2] and countermeasures [3-5] have been proposed.

An on-going research program at University College Dublin (UCD) supported by Science Foundation Ireland (SFI) is focused on vulnerability assessment of critical power and energy infrastructures, which serve as the core infrastructures [6]. The purpose of the project titled "Vulnerability Assessment and Mitigation of Information and Communication Systems for Critical Infrastructures" is to develop a systematic methodology to evaluate the vulnerability of a cyber-power grid under cyber intrusion scenarios. Although the enforcement of standardized ICT policies has strengthened the way a cyber system is deployed, on-line mitigation strategies for cyber-power infrastructures are underdeveloped. The cyber security framework for the Supervisory Control and Data Acquisition (SCADA) system consists of four major tasks, i.e., (1) real-time monitoring, (2) anomaly detection, (3) impact analysis, and (4) mitigation strategies [7]. The proposed framework is established to improve situation awareness with an efficient coordination scheme against cyber attacks by correlating events from various sources.

Section II provides an explanation of the proposed cyber-power system framework. Section III is a technical description of the cyber security testbed. Section IV describes a plan to apply the Inter-Control Center Communications Protocol (ICCP) to link two testbeds in Ireland and the U.S. The conclusion and future work are described in Section V.

II. RAIM FRAMEWORK

Real-time Monitoring, Anomaly detection, Impact analysis, and Mitigation strategies (RAIM) are the primary tasks in the proposed cyber security framework, as illustrated in Fig. 1.

Fig. 1. RAIM Framework

Real-time monitoring allows tracking of the activities on the cyber-power system. Anomaly detection identifies the events on cyber systems that are indicative of potential cyber intrusions. The task of impact analysis is to evaluate the
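The abstract describes a temporal anomaly as a metric computed between two substation snapshots taken at different times, and RAIM's anomaly detection task as identifying events indicative of intrusion. The paper does not define the metric on this page, so the following is an added example, not the authors' code: it assumes a snapshot is a mapping from point names to switchgear states or measurements, that the detector can see the control commands legitimately issued between the two snapshots, and that a small topology hint (`DEPENDS_ON`) tells it which measurements are expected to jump when a given breaker operates. The rules (unexplained status change, unexplained measurement jump, missing or newly appearing point), the relative threshold, the score as a plain count, and the alert message an agent would pass to its peers are all assumptions made for this illustration; the sample snapshots and command log are constructed.

```python
"""Temporal anomaly between two substation snapshots (added example, not from the paper)."""
from dataclasses import dataclass, asdict
from typing import Any

# Constructed sample snapshots: switchgear states are "OPEN"/"CLOSED", measurements are floats.
SNAPSHOT_T0 = {
    "CB1_status": "CLOSED", "CB2_status": "CLOSED", "DS1_status": "CLOSED",
    "LINE1_MW": 120.0, "LINE2_MW": 80.0, "BUS1_kV": 110.2,
}
SNAPSHOT_T1 = {
    "CB1_status": "OPEN", "CB2_status": "CLOSED", "DS1_status": "OPEN",
    "LINE1_MW": 0.0, "LINE2_MW": 82.0, "BUS1_kV": 110.0,
}

# Constructed control log: commands legitimately issued between t0 and t1.
# Only CB1 was opened by the control center; the DS1 change has no matching command.
AUTHORIZED_COMMANDS = [
    {"point": "CB1_status", "value": "OPEN", "source": "control_center"},
]

# Assumed topology hint: a measurement whose controlling breaker was operated by
# an authorized command is expected to jump, so that jump is not an anomaly.
DEPENDS_ON = {"LINE1_MW": "CB1_status", "LINE2_MW": "CB2_status"}


@dataclass
class TemporalAnomaly:
    point: str
    before: Any
    after: Any
    reason: str


def temporal_anomalies(snap_a, snap_b, authorized, rel_threshold=0.25):
    """Compare two snapshots and return the changes that the control log does not explain.

    rel_threshold is the assumed relative change above which a measurement is suspicious.
    """
    authorized_changes = {(c["point"], c["value"]) for c in authorized}
    findings = []
    for point, before in snap_a.items():
        if point not in snap_b:
            findings.append(TemporalAnomaly(point, before, None, "point absent from later snapshot"))
            continue
        after = snap_b[point]
        if isinstance(before, str):
            # Switchgear state: a change is only acceptable if a matching command was logged.
            if before != after and (point, after) not in authorized_changes:
                findings.append(TemporalAnomaly(point, before, after,
                                                "status change with no authorized command"))
            continue
        # Measurement: skip if its controlling breaker changed through an authorized command.
        controlling = DEPENDS_ON.get(point)
        if (controlling
                and snap_a.get(controlling) != snap_b.get(controlling)
                and (controlling, snap_b.get(controlling)) in authorized_changes):
            continue
        # Denominator floored at 1.0 (assumption) so near-zero readings do not produce huge ratios.
        rel = abs(after - before) / max(abs(before), 1.0)
        if rel > rel_threshold:
            findings.append(TemporalAnomaly(point, before, after,
                                            f"measurement moved {rel:.0%} with no explaining switching event"))
    for point in snap_b:
        if point not in snap_a:
            findings.append(TemporalAnomaly(point, None, snap_b[point], "point appeared in later snapshot"))
    return findings


def anomaly_score(findings):
    """Assumed metric: the number of unexplained changes between the two snapshots."""
    return len(findings)


def build_agent_alert(substation_id, t0, t1, findings):
    """Message a detecting agent would share with peer agents (assumed structure)."""
    return {
        "substation": substation_id,
        "window": [t0, t1],
        "score": anomaly_score(findings),
        "anomalies": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    found = temporal_anomalies(SNAPSHOT_T0, SNAPSHOT_T1, AUTHORIZED_COMMANDS)
    print(build_agent_alert("SUB_A", "t0", "t1", found))
```

With the constructed data, the authorized opening of CB1 and the resulting drop on LINE1_MW are both explained, and only the disconnector DS1 changing state without a logged command is reported; dropping the command log makes CB1 and LINE1_MW show up as well, which is the difference between correlating events from several sources and looking at the snapshots alone.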