Design of security situation awareness power grid SCADA system based on improved GWO-LSTM

Abstract

A grid supervisory control and data acquisition system is developed in this study to address the problem that the existing power grid information system often fails to achieve the high-precision requirements of modern power grid situational awareness. By introducing a nonlinear convergence factor and a microecological evolution mechanism, the grey wolf optimization algorithm is improved to enhance population diversity and local search performance. The enhanced optimization algorithm is then employed to fine-tune the key hyperparameters of a long short-term memory neural network, leading to a more accurate and stable situational prediction approach. Experimental results demonstrate that the mean square error of the proposed method was reduced by 78.33%, 65.79%, and 53.57%, respectively, compared with other benchmark models. The root mean square error was reduced by an average of 44.62%, and the coefficient of determination reached 0.85. The false positive rate and false alarm rate of the system designed by the study in situational assessment were reduced by 52.33% and 53.33% respectively as compared to the traditional methods of situational assessment. The results demonstrate that improving the grey wolf optimizer algorithm by using opposition-based learning and small habitat evolution mechanism can improve the algorithm’s search accuracy for localization. By utilizing the enhanced grey wolf optimizer method to identify and enhance the long short-term memory’s hyperparameters, it is possible to anticipate possible network intrusions and enhance the security of the grid information system.

Introduction

The rapid development of information technology has greatly promoted intelligent advancement in the fields of electric power, public services, and medical treatment. As an important part of the infrastructure of national life, the safe and stable operation of power grid plays a vital role in guaranteeing social and economic activities as well as the quality of people’s lives. Among them, grid information system (GIS), as an important part of the operation of electric power enterprises, stores key information and related data of the grid. Maintaining the electrical grid’s steady operation therefore requires comprehensive real-time monitoring and management^1,2. Due to advances in computer technology, the threat of cyberattacks has been continuously increasing, making effective cybersecurity research on GIS. Two important international network security standards for supervisory control and data acquisition (SCADA) systems have been developed to address these challenges: IEC 62,443 and IEC 62,351. However, the current network intrusion system is difficult to adapt to the complexity of the GIS network structure, and it is challenging to carry out efficient security protection in the complex grid environment^3,4. Therefore, network security situation awareness (NSSA) technology, which focuses on real-time monitoring and assessment of network security, has emerged⁵. NSSA provides network administrators with an in-depth understanding of the overall security situation of the network by monitoring, analyzing and predicting security events in the network in real time. It has been widely used in security studies of various interconnected networks^6,7. Based on this, the study proposes a SCADA system applied to power grids on the basis of NSSA technology, aiming to enhance the efficiency of security detection in power grids. To improve the prediction accuracy of network security, a novel improved grey wolf optimizer (GWO)-LSTM situational awareness method is designed by introducing GWO algorithm and long short-term memory (LSTM). Security situation awareness (SSA) of the power grid is achieved by improving the GWO algorithm on the basis of small habitat evolution and using it as a hyper-parameter selection for LSTM.

The research contributions are as follows: (1) By integrating the improved GWO (IGWO) algorithm with LSTM, a novel SSA prediction method for power grid SCADA systems is proposed. This addresses the current deficiencies in both efficiency and high-precision requirements within power grid information systems. (2) An innovative optimization algorithm based on microhabitat evolution is introduced, which is applied to the hyperparameter optimization of the LSTM network, significantly enhancing the model’s training effectiveness and predictive accuracy. (3) Compared to existing methods, the proposed IGWO-LSTM model has significant advantages in terms of predictive accuracy, false alarm rate (FAR), and false negative rate (FNR), demonstrating both theoretical significance and practical value..

The overall framework of this research is organized into five sections. The first section reviews the research progress and shortcomings in the field of intrusion detection and situational awareness at home and abroad. The second section studies and designs a security situational awareness model based on IGWO-LSTM. The third section tests and verifies the proposed security situational awareness model. The fourth section discusses and summarizes the research results. The fifth section proposes research limitations and future work.

Related works

With the increasing degree of power grid informatization and intelligence, security research based on NSSA technology has increasingly attracted the attention of experts and scholars. To solve the issue that the current assessment methods lack the thorough analysis of threat information, protection information, and environment information, which led to inaccurate assessment findings, X. Guo et al. suggested a defense stochastic game model. By solving the mixed-strategy Nash equilibrium issue, the forecast accuracy increased⁸. A. Presekal et al. proposed a new method of online cyberattack situational awareness based on communication anomalies to address the vulnerability of power networks to cyberattacks. The method built a time series classification anomaly detection model by combining graph-convolutional LSTM and deep convolutional networks, thereby improving the resilience of the power system and the accuracy of attack detection⁹. To improve the resistance to cyber threats to the US national infrastructure, A. O. Adewusi et al. proposed a detection method that combines machine learning (ML), natural speech processing, and neural networks. The method facilitated enhanced protection of the power system by establishing a regulatory framework and collaboration between government agencies, businesses, and others, thus facilitating enhanced protection of the power system¹⁰. To address disaster response management scenarios where there is insufficient infrastructure, communication, and coordination, C. Qu et al. suggested a unique approach for multi-UAV coordination and networking that is both energy-efficient and environmentally conscious. The approach improved network connectivity and detection efficiency¹¹. L Tightiz et al. addressed the new challenges and opportunities posed by the digitalization, decarbonization, and decentralization of smart grids by proposing the integration of the metaverse into smart grid architecture models. Through various use cases, they demonstrated how it could be used to enhance the operational efficiency of smart grids and reduce costs, while also analyzing the challenges associated with deploying the metaverse in smart grids. This approach optimized and expanded the development of new models for smart grids¹².

In cybersecurity and other security domains, SSA prediction methods can be used to predict and assess potential security threats, risks, and vulnerabilities. This allows for the identification and response to possible security threats in advance, enabling the implementation of effective preventive measures to reduce losses. J. Siswanto et al. proposed a DL prediction model based on LSTM for the challenge of predicting the number of cyberattacks. The method predicted the number of cyberattacks using time-series data based on factors such as attack type, processing action and severity, thus revealing the negative correlation between different attack types¹³. A. Alomiri et al. proposed a ML based ridge regression classifier model for the growing problem of security threats in IoT systems. The method enhanced real-time accurate identification and prediction of cyberattacks¹⁴. To solve the drawback of low detection accuracy of network intrusion detection systems in detecting suspicious activities, O. Berjawi et al. proposed a method based on DL classification techniques to analyze network traffic behavior. The method was developed by using multilayer perceptron and convolutional neural network techniques, thus achieving 94% accuracy in all feature recognition detection¹⁵. L Tightiz et al. addressed the issue of false data injection attacks on smart grids. They proposed a network state vector estimation method based on artificial intelligence models. This method used machine learning, such as decision trees, to identify attacks. Thus, it optimized the attack detection capabilities of smart grids¹⁶. A network anomaly detection framework based on continuous time graph neural networks was presented by G. Duan et al. to address the issue of frequent node visits and disconnections in network environments. The method refined the specific information interactions between network entities into a continuous time graph evolution process from a new interaction-centered perspective. It naturally incorporated new node access behaviors into the feature extraction of the neural network, which led to the prediction of new access combination and low-frequency behaviors¹⁷.

In summary, both domestic and international studies have achieved notable progress in network security research and prediction based on NSSA technology. However, the current GIS data sources show a variety of complex features, and the existing NSSA methods are difficult to meet the demand for high-precision monitoring of power grids. In addition, the traditional LSTM model has the defect of too many hyperparameters in the training process, which weakens the model training fitting effect. Based on this, the study introduces the GWO algorithm to improve the LSTM, proposes an SSA method based on the improved GWO-LSTM, and designs a grid SCADA system. Meanwhile, the study innovatively proposes an IGWO algorithm based on the evolution of small habitats, and applies the proposed method to the field of GIS security monitoring.

Methods and materials

First, the traditional GWOA and its limitations are analyzed. Then, the population initialization of the GWO algorithm is optimized using opposition-based learning (OBL), and an IGWO algorithm based on small-habitat evolution is developed. Next, the IGWO is applied to optimize the LSTM network, forming a grid SSA prediction method named IGWO-LSTM. Finally, a grid SCADA system is designed based on the proposed IGWO-LSTM framework.

Traditional GWO algorithms

The GWOA, as a group intelligence optimization algorithm that simulates the social hierarchy and hunting behavior of grey wolves, implements the algorithm to search for the optimum according to the four classes of wolf packs, namely “\(\alpha\) wolf, \(\beta\) wolf, \(\delta\) wolf and \(\omega\) wolf”^18,19. Among them, \(\alpha\) wolf is the most optimal individual, \(\beta\) wolf is the second optimal individual, \(\delta\) wolf is the third optimal individual, and the rest of the population is \(\omega\) wolf. In the GWO algorithm, the expression formula for the behavior of wolves gradually encircling the prey during predation can be shown in Eq. (1).

$$\left\{ {\begin{array}{*{20}l} {\vec{D} = \left\| {\vec{C} \cdot \vec{X}_{P} (t) - \vec{X}(t)} \right\|} \hfill \\ {\vec{X}(t + 1) = \vec{X}_{P} (t) - \vec{A} \cdot \vec{D}} \hfill \\ \end{array} } \right.$$

(1)

In Eq. (1), \(\vec{D}\) denotes the distance vector between the wolf pack and the prey. \(\vec{C}\) and \(\vec{A}\) denote the coefficient vectors. \(\vec{X}_{P} (t)\) denotes the position of the prey. \(\vec{X}(t)\) denotes the current position of the wolf pack. When the prey stops moving, the wolf pack launches an attack, which is represented by the formula shown in Eq. (2).

$$\left\{ {\begin{array}{*{20}l} {\vec{A} = 2a \cdot \vec{r}_{1} - \vec{a}} \hfill \\ {\vec{C} = 2\vec{r}_{2} } \hfill \\ \end{array} } \right.$$

(2)

In Eq. (2), \(a\) denotes the convergence factor (CF), whose value decreases linearly from 2 to 0, \(\vec{a}\) denotes the vector, and \(\vec{r}_{1}\) and \(\vec{r}_{2}\) denote the random vectors in the interval [0,1]. At this point, the wolves update the positions of other wolves based on the position information of \(\alpha\) wolves, \(\beta\) wolves and \(\delta\) wolves. The formula for the distance between the positions of \(\alpha\) wolf, \(\beta\) wolf and \(\delta\) wolf and the prey is shown in Eq. (3).

$$\left\{ {\begin{array}{*{20}c} {\vec{D}_{\alpha } = \left\| { - \vec{X} + \vec{C}_{1} \cdot \vec{X}_{\alpha } } \right\|} \\ {\vec{D}_{\beta } = \left\| { - \vec{X} + \vec{C}_{2} \cdot \vec{X}_{\beta } } \right\|} \\ {\vec{D}_{\delta } = \left\| { - \vec{X} + \vec{C}_{3} \cdot \vec{X}_{\delta } } \right\|} \\ \end{array} } \right.$$

(3)

In Eq. (3), \(\vec{D}_{\alpha }\), \(\vec{D}_{\beta }\), and \(\vec{D}_{\delta }\) denote the distance between \(\alpha\) wolf, \(\beta\) wolf, and \(\delta\) wolf and prey, respectively. \(\vec{C}_{1}\), \(\vec{C}_{2}\), and \(\vec{C}_{3}\) denote randomly generated vectors. \(\vec{X}_{\alpha }\), \(\vec{X}_{\beta }\), and \(\vec{X}_{\delta }\) denote the position vectors of \(\alpha\) wolf, \(\beta\) wolf, and \(\delta\) wolf, respectively. The position update equations for other wolves are shown in Eq. (4).

$$\left\{ {\begin{array}{*{20}l} {\vec{X}_{1} = - \vec{A}_{1} \cdot \vec{D}_{\alpha } + \vec{X}_{\alpha } } \hfill \\ {\vec{X}_{2} = - \vec{A}_{2} \cdot \vec{D}_{\beta } + \vec{X}_{\beta } } \hfill \\ {\vec{X}_{3} = - \vec{A}_{3} \cdot \vec{D}_{\delta } + \vec{X}_{\delta } } \hfill \\ {\frac{{(\vec{X}_{1} + \vec{X}_{2} + \vec{X}_{3} )}}{3} = \vec{X}(1 + t)} \hfill \\ \end{array} } \right.$$

(4)

In Eq. (4), \(\vec{X}_{1}\), \(\vec{X}_{2}\), and \(\vec{X}_{3}\) denote the positions of \(\alpha\) wolves, \(\beta\) wolves, and \(\delta\) wolves corresponding to the updated wolves, respectively. \(\vec{A}_{1}\), \(\vec{A}_{2}\), and \(\vec{A}_{3}\) denote the coefficient vectors.

Improvement of GWOA based on evolution of microhabitat

In the traditional GWOA, the third process of wolf predation is attacking and rounding up prey. Grey wolves attack and hunt when the prey stops moving. However, the initial size of the wolf pack is randomly distributed in the solution space. This means that it cannot uniformly cover the entire space, which decreases the efficiency of the algorithm’s search and optimization^20,21. In addition, the coefficient vector \(\vec{A}\) changes with the value of the CF \(a\), which can cause the algorithm to fall into a local optimum, thus abandoning the more optimal solutions in the solution space. Therefore, the study utilizes the OBL strategy for initial population optimization. The traditional GWO algorithm search optimization performance is greatly diminished due to the randomly dispersed beginning size of the wolf packs in the solution space, which prevents them from uniformly covering the whole solution space^22,23. The positive population \(Pop\) is constituted according to the wolves’ quantity in the search space, and the specific formula is shown in Eq. (5).

$$F_{ij} = l_{j} + Randdom[0,1] \times (u_{j} - l_{j} ),i \in [1,N],j \in [1,D]$$

(5)

In Eq. (5), \(F_{ij}\) denotes the positive population \(Pop\). \(u_{j}\) and \(l_{j}\) are the upper and lower bounds on the values of the problem solution in the \(j\) th dimension and \(u_{j} < l_{j}\), respectively. \(Randdom\) denotes the stochastic process. \(N\) denotes the population individual size. \(D\) denotes the dimension size of the problem solution. In the OBL strategy, for each solution position in the solution space, a relative “reverse” solution is generated. This helps the algorithm to jump out of the local optimum and increases the effectiveness of the global search. Therefore, based on the forward population \(Pop\), the reverse population is further obtained and the reverse point of each grey wolf is generated. Based on this, the forward and reverse populations are merged into a single population \(2N\), and the individuals are ranked according to the fitness from high to low. At the same time, the study introduces a nonlinear CF to optimize the updating method of \(a\) in the GWO algorithm²⁴. The details are shown in Eq. (6).

$$a = 2 - 2\sqrt {1 - \frac{{(step_{\max } - step)^{2} }}{{step_{\max } }}}$$

(6)

In Eq. (6), \(step\) denotes the current iterations. \(step_{\max }\) denotes the maximum iterations. The nonlinear CF controls the convergence speed parameter of the algorithm. It changes with the increase in the iterations to achieve better search results. Therefore, according to the nonlinear convergence strategy, the convergence iteration comparison of GWOA with CF \(a\) optimization can be shown in Fig. 1.

Fig. 1

Change in CF before and after improvement.

In Fig. 1, with the nonlinear convergence strategy (blue dashed line), the algorithm CF \(a\) changes its value faster in the first period of iteration (0–40) and slower in the later period (40–100). The fast change in the value of CF is beneficial for the algorithm to realize the global search. However, as the iterations increases, the change in the value of CF \(a\) decreases, and the wolf movement step size decreases, which promotes the efficiency of local search. Based on this, the study introduces a small habitat evolutionary strategy to improve the GWO algorithm’s optimization finding ability and avoid its premature entry into convergence. The microhabitat definition is primarily based on the distance and fitness differences between wolf pack members. Compared to traditional global update methods, this method has the advantages of not requiring additional control parameters, being highly adaptable, and having a simple structure. These advantages make it particularly suitable for high-dimensional nonlinear optimization problems in situation recognition. When the distance between individuals is less than a set threshold (i.e., the small habitat radius), these individuals can be regarded as being in the same small habitat. This is shown in Eq. (7).

$$\left\{ {\begin{array}{*{20}l} {s(d_{ij} ) = \left\{ {\begin{array}{*{20}c} {1 - \left( {\frac{{d_{ij} }}{{\gamma_{sh} }}} \right)} & {d_{ij} < \gamma_{sh} } \\ 0 & {otherwise} \\ \end{array} } \right.} \hfill \\ {\gamma_{sh} = \sum\limits_{i = 1}^{m} {\frac{{d_{i} }}{m}} } \hfill \\ {d_{i} = \min (\left\| {F_{i} - F_{j} } \right\|)} \hfill \\ \end{array} } \right.$$

(7)

In Eq. (7), \(s(d_{ij} )\) denotes the degree of sharing between two grey wolves \(i\) and \(j\). \(d_{ij}\) denotes the relationship between two grey wolves \(i\) and \(j\). \(\gamma_{sh}\) denotes the radius of the microhabitat. \(d_{i}\) denotes the degree of sharing between grey wolves \(i\). \(m\) denotes the number of grey wolves. \(F\) denotes grey wolf population. The sharing degree function \(S_{i}\) between individual grey wolves and other populations and the adaptation degree function \(G^{\prime}(i)\) improved by using small habitat optimization are calculated as shown in Eq. (8).

$$\left\{ {\begin{array}{*{20}c} {S_{i} = \sum\limits_{j = 1}^{N} {s(d_{ij} )} } \\ {G^{\prime}(i) = \frac{G(i)}{{S_{i} }}} \\ \end{array} } \right.$$

(8)

In Eq. (8), \(G(i)\) denotes the original adaptation calculation function. The formula for updating the position of the grey wolf population under the evolutionary mechanism of microhabitat is shown in Eq. (9).

$$X_{i} (t + 1) = X_{i} (t) + \alpha \cdot C(t) \cdot (X_{\alpha } (t) - X_{i} (t)) + \beta \cdot C(t) \cdot (X_{\beta } (t) - (t)) + \delta \cdot C(t) \cdot (X_{\delta } (t) - X_{i} (t))$$

(9)

In Eq. (9), \(X_{\alpha } (t)\), \(X_{\beta } (t)\), and \(X_{\delta } (t)\) denote the corresponding optimal individual positions of \(\alpha\) wolves, \(\beta\) wolves, and \(\delta\) wolves, respectively. \(C(t)\) denotes the coefficient vector. By combining the aforementioned, Fig. 2 illustrates the IGWOA’s computational flow.

Fig. 2

IGWO algorithm computational flow.

Figure 2 shows that, after initializing the population using the OBL strategy, the IGWO algorithm generates the initial population in the solution space according to Eq. (5). Then, it defines the maximum iteration A and performs individual fitness calculations. After determining the position information of \(\alpha\), \(\beta\), and \(\delta\) wolves, the grey wolf individual position update is carried out according to Eq. (4), and the CF is updated using the nonlinear convergence strategy according to Eqs. (2) and (6). Second, the individual fitness of the population is updated according to the microhabitat evolutionary mechanism, and then the positions of \(\alpha\) wolf, \(\beta\) wolf, and \(\delta\) wolf are updated. When the algorithm satisfies the convergence condition, output the \(\alpha\) wolf position information. Conversely, other grey wolf individual positions is recalculated.

SSA prediction method based on IGWO-LSTM

Based on the IGWO algorithm proposed in the previous study, the study further improves the LSTM network and designs an IGWO-LSTM-based SSA prediction method. First, the parameter-seeking ability of the IGWO algorithm is combined with the timing processing of the LSTM so as to predict the SSA of the grid. Figure 3 depicts the particular architecture.

Fig. 3

SSA prediction framework based on IGWO-LSTM.

In Fig. 3, the study mainly applies the IGWO algorithm to the parameter optimization stage of LSTM. After the grid data is processed by data processing, the LSTM network carries out the extraction of data timing features, and then outputs the SSA prediction results. The specific execution flow is shown in Fig. 4.

Fig. 4

IGWO-LSTM based SSA prediction process for power grid.

In Fig. 4, when the grid SSA data is converted to multidimensional data after normalization, the data is reconstructed using sliding windows and divided into training and testing sets. Next, grey wolf population initialization as well as parameter initialization is performed according to the value range of network hyperparameters. The IGWO algorithm is utilized to optimize the LSTM network hyperparameters (e.g., learning rate and number of hidden neurons) without being directly involved in the network training phase. Moreover, in predictive modeling, “expected judgment” typically refers to the outcome of the model’s predicted output. This output is an estimate of a future trend or state based on the model’s learning from historical data. The fitness calculation function for this stage is shown in Eq. (10).

$$G(i) = \frac{1}{RMSE} = \sqrt {\frac{1}{n}\sum\limits_{i = 1}^{n} {(y_{i} - \hat{y}_{i} } )^{2} }$$

(10)

In Eq. (10), \(RMSE\) denotes root mean square error (RMSE). \(y_{i}\) is the observed value. \(\hat{y}_{i}\) is the predicted value (PV). \(n\) is the total quantity predicted individuals. Based on all the fitness values obtained, the grey wolf individuals with the highest fitness are selected and defined as \(\alpha\) wolves, \(\beta\) wolves and \(\delta\) wolves.

Cascading fault analysis and emergency response guidelines

Power system is a highly complex and interconnected network, and its operation status is affected by many factors. A cascading fault occurs when a localized fault triggers a series of chain reactions through network interactions, ultimately resulting in large-scale power outages or other serious consequences. This failure mode poses a major threat to the security, stability and reliability of the power system. Therefore, conducting a cascading fault analysis is an important part of assessing the security of a power system. This analysis can help identify potential risk points in advance, optimize the power grid’s operational strategy, and formulate effective emergency measures. Analytical methods based on complex network theory, simulation and modeling methods, and data-driven methods are usually employed for cascading fault analysis. Therefore, the study combines cascading fault analysis with the IGWO-LSTM model to improve the model’s safety and reliability when dealing with complex fault scenarios. The IGWO-LSTM model is used to analyze the real-time operational data of the grid and predict the possible fault points and fault propagation paths. Moreover, the predicted fault paths are dynamically analyzed by combining with simulation and modeling methods. On this basis, the operation strategy of the power grid is adjusted according to the results of the cascading fault analysis. Furthermore, in order to cope with the faults and emergencies in the power system, a set of emergency guidelines is developed in the study. The details are shown in Table 1.

Table 1 Principles and criteria of emergency response guideline design.

They are combined with cascading fault analysis based on the contingency guidelines in Table 1 to provide more comprehensive theoretical support and practical guidance for power system safety assessments.

GRID SCADA system based on grid SSA prediction methodology

On this basis, the study further designs a grid SCADA system based on the IGWO-LSTM grid SSA prediction method. The details are shown in Fig. 5.

Fig. 5

Power grid SCADA system architecture.

In Fig. 5, the overall system architecture consists of three layers: the presentation layer of the visualization interface, the business layer perceived by NSSA technology, and the data storage layer. Among them, the business layer encompasses core functions such as user authentication, data uploading, preprocessing, situational assessment, and prediction. To ensure the effective operation of the grid SCADA system, the study utilizes deep belief network (DBN) as a ML model for grid situation assessment, and optimizes the hyperparameters of DBN using bat algorithm with Lévy flight (BA-LF)^25,26. DBN is a generative DL model stacked with multiple constrained Boltzmann machines, combining the properties of DL and the probabilistic graphical model of belief networks. Utilizing DBN for grid situation assessment can effectively guarantee the situational awareness capability of SCADA system. Therefore, the population initialization optimization of BA-LF algorithm is firstly carried out using Tent chaotic mapping. The specific formula is shown in Eq. (11).

$$F_{k + 1} = \left\{ {\begin{array}{*{20}c} {2F_{k} + Random(h\frac{q - k}{q})} & {0 \le F_{k} \le 0.5} \\ {2(1 - F_{k} ) + Random(h\frac{q - k}{q})} & {0.5 < F_{k} \le 1} \\ \end{array} } \right.$$

(11)

In Eq. (11), \(F_{k}\) denotes the result of \(k\) times Tent chaos mapping calculation. \(h\) denotes the perturbation coefficient in the calculation process. \(q\) denotes all the times that the Tent chaos mapping solution needs to be performed. \(k\) denotes the number of calculations. After the initialization and optimization of Tent chaos mapping, the local new solution of the algorithm is generated according to the Lévy flight strategy, as shown in Eq. (12).

$$F_{new} = F_{old} + \eta sign(rand - 0.5) \oplus \mu$$

(12)

In Eq. (12), \(F_{new}\) denotes the local new solution generated according to the Lévy flight strategy. \(F_{old}\) denotes the original localized solution. \(\eta\) denotes the parameter that changes with iterations of the BA-LF algorithm. \(rand\) denotes a random number taking values 0–1. \(\oplus\) denotes same as multiplication. \(\mu\) denotes a random step that satisfies the Lévy distribution. The BA-LF algorithm determines the optimal hyperparameter settings for the DBN network during training. Then, the bat individuals are encoded based on the outcomes of network parameter optimization. After several iterations to get the bats that satisfy the optimal individuals, the optimal bat individuals are saved and the situation assessment model is constructed for the grid network security situation assessment. Therefore, the whole situation assessment process is shown in Fig. 6.

Fig. 6

BA-LF posture assessment process for grid SCADA systems.

In Fig. 6, the system situation assessment module firstly processes and classifies the input grid data, including data processing such as symbol feature numericalization, feature dimensionality reduction, and feature coding. Second, the DBN network is utilized for data classification and assessment, and the hyperparameters of DBN are optimized by the BA-LF algorithm. Based on the DBN outputs, the data is processed using binary classification and multiclassification, while the computation of security posture values is performed^27,28. The DBN-BA-LF method is primarily responsible for assessing the current power grid situation. It optimizes the DBN network structure using the BA-LF algorithm, thereby improving its ability to classify and evaluate input features. The IGWO-LSTM method predicts future power grid security conditions. Optimizing the hyperparameters of the LSTM network structure enables proactive prediction of potential attack trends and network risks. These two methods are used sequentially within the larger system: first for assessment and then for prediction. Together, they support the SCADA system’s real-time monitoring and risk warning capabilities in complex power grid environments. In this case, the calculation formula of attack probability \(p\) and attack impact \(L_{i}\) can be shown in Eq. (13).

$$\left\{ {\begin{array}{*{20}l} {p = \frac{{\sum\limits_{i = 1}^{M} {DBN(i)} }}{M}} \hfill \\ {L_{i} = round_{2} (\log_{2} (\frac{{w_{1} 2^{{\partial_{i} }} + w_{2} 2^{{\theta_{i} }} + w_{3} 2^{{\vartheta_{i} }} }}{3}))} \hfill \\ \end{array} } \right.$$

(13)

In Eq. (13), \(DBN(i)\) denotes the result obtained by binary categorization of the \(i\) th data. \(M\) denotes the amount of grid network data in a certain period. \(round_{2} ( \cdot )\) denotes the retention of two decimal places. \(w_{1}\), \(w_{2}\), and \(w_{3}\) denote the weights of grid GIS confidentiality, integrity and availability, respectively. \(\partial_{i}\) denotes the degree of impact of \(i\) kind of attacks on the confidentiality of the Grid GIS. \(\theta_{i}\) denotes the degree of impact of \(i\) kind of attack on the integrity of Grid GIS. \(\vartheta_{i}\) denotes the degree of influence of \(i\) kind of attack on the availability of Grid GIS. The calculation results of grid GIS network security posture value are shown in Eq. (14).

$$V = \frac{{p \times \sum\nolimits_{i = 1}^{m} {L_{i} \times M_{i} } }}{{M_{A} }}$$

(14)

In Eq. (14), \(M_{i}\) is the quantity of \(i\) types of attacks. \(m\) is the total attack types. \(M_{A}\) is the total attacks suffered by power grid GIS. Meanwhile, the study classifies the cybersecurity posture value of power grid GIS into five levels according to the relevant regulations of China’s emergency response plan for public emergencies, as shown in Table 2^29,30.

Table 2 Cybersecurity posture assessment leveling.

In Table 2, the security posture value is defined as a continuous variable in the interval [0, 1]. Therefore, this is essentially a regression prediction problem. The model produces continuous values to characterize subtle changes in network security. In practice, however, these values are divided into discrete security levels (safe, low risk, medium risk, high risk, and extremely high risk) based on national emergency response standard thresholds. Combining the above, the study designs the SCADA system into six modules: user management, background data preprocessing, situational assessment, situational prediction, situational visualization, and data storage. Meanwhile, the whole system is developed using Python Programming Language version 3.8 (https://www.python.org/), HyperText Markup Language (HTML), Cascading Style Sheets (CSS), Java Programming Language, and MySQL Community Server version 8.0 (https://www.mysql.com/). Moreover, the system is implemented under the Flask Web Framework version 2.0.3 (https://flask.palletsprojects.com/), Vue.js version 2.6.14 (https://vuejs.org/), Element UI version 2.15.7 (https://element.eleme.io/), and Apache ECharts version 5.3.3 (https://echarts.apache.org/) frameworks. Table 3 presents the data dimensions for each processing segment alongside the hyperparameter configurations employed during model training. Among them, \(D\) denotes the sample count, \(F\) represents the feature dimension of the input data, \(G\) indicates the number of neurons within the LSTM layer, and \(H\) signifies the quantity of optimized parameters.

Table 3 Model training data dimensions and hyperparameter settings.

Results

To validate the proposed method, the study first compares the IGWO-LSTM-based network situational prediction approach with other existing models to evaluate its effectiveness. Subsequently, the performance of the designed grid SCADA system is verified and analyzed, focusing on its capability to assess security situations and predict network states across different services, hosts, and layers.

Experimental data and experimental environment

Since the grid GIS network security data involves national confidentiality requirements and cannot be used publicly, the study utilizes the publicly available network security dataset UNSW-NB15 from the University of New South Wales (UNSW) as a source of performance validation data for the proposed method. It is also pre-processed with feature encoding, data normalization and feature dimensionality reduction. The UNSW-NB15 dataset is widely used in network traffic analysis and intrusion detection research. Especially in evaluating and testing NSSA, anomaly detection, and intrusion detection systems, it exists large-scale network traffic data and contains samples of multiple network attack types, which are based on real-world network traffic records. In addition, the UNSW-NB15 dataset is relatively balanced in terms of the number of samples of various types, which helps to avoid bias in the training process of the model. Table 4 displays the preprocessed data distribution.

Table 4 Division of the preprocessed UNSW-NB15 dataset.

According to the training set and test set division shown in Table 4, the SCADA system is utilized for validation, and the DBN outputs of situation assessment results are used as the data for IGWO-LSTMsituation prediction. In addition, the hardware environment used for the experiment is AMD Ryzen 7 5800H with 16 GB of RAM and Win 11 as the operating system.

To comprehensively evaluate the classification and prediction performance of the model, this study employs multiple commonly used metrics. In terms of classification, accuracy measures the model’s overall identification capability. Meanwhile, the FAR and the false positive rate (FPR) assess the proportion of normal samples that are incorrectly classified as attacks. Finally, the FNR reflects the risk of attack samples being incorrectly classified as normal. F1-score can more comprehensively measure classification performance when the sample categories are unbalanced. For prediction, mean squared error (MSE), mean absolute error (MAE), and root mean squared error (RMSE) are used to measure the magnitude and stability of the error between predicted and actual values. Moreover, mean absolute percentage error (MAPE) reflects the relative error level. The mean squared relative error (MSRE) and the root mean squared relative error (RMSRE) are used to characterize the relative deviation between the PV and the true value. The root mean squared percentage error (RMSPE) combines the error magnitude and proportional deviation to more strictly reflect the stability of the model. Coefficient of determination (R²) is used to measure the model’s fit to the data, with values closer to 1 indicating higher prediction accuracy.

Validation of situational awareness method for IGWO-LSTM

To verify the effectiveness of IGWO-LSTM, the study firstly set the sliding window size to 5. After processing the posture data, the prediction efficiency of the LSTM network under the optimization of the two algorithms, GWO and IGWO, is compared. Among them, the population size of both algorithms is 30, the maximum iterations is 400, and the initial CF \(a\) takes the value of 2. The small habitat radius \(\gamma_{sh}\) of the IGWO algorithm takes the value of 0.5. Figure 7 displays the outcomes of the training prediction of the network situational prediction method based on LSTM under the two methods.

Fig. 7

Validation of the effectiveness of the IGWOA.

The prediction results of IGWO-LSTM are shown in Fig. 7a. After 400 iterations, the model training prediction accuracy is 96.87% while the validation accuracy is 95.03%. In Fig. 7b, the training accuracy of LSTM based on GWO algorithm optimization is 86.75% and the validation accuracy is 88.22%. This displays that the IGWO algorithm can enhance the LSTM model training effect and hyper-parameter seeking optimization ability, thus obtaining a high prediction accuracy. The ablation experiments for each key module are validated as shown in Table 5.

Table 5 Comparison of IGWO-LSTM ablation experiment results.

As shown in Table 5, removing any of the improvement modules results in a decline in model performance. Without the OBL strategy, the mean relative error (MRE) increases from 4.86 to 7.91%, and the accuracy rate drops 7.46 percentage points. This indicates that adversarial learning significantly improves global search capabilities during population initialization. The microhabitat mechanism and the nonlinear CF primarily play a role in the mid-to-late stages of iteration. These factors help maintain population diversity and convergence stability. Removing either of these factors also results in varying degrees of performance degradation. Therefore, the study introduced back propagation neural network (BPNN), support vector machine (SVM) and unimproved LSTM for performance comparison. Figure 8 displays both the actual data and the predictions made by the four approaches.

Fig. 8

Predicted versus actual results for 4 methods.

The IGWO-LSTM prediction results in Fig. 8a are more similar to the actual results than the BPNN prediction results. This may be due to the fact that the BPNN network is prone to falling into local optimality and its overfitting phenomenon in data with high network complexity. In Fig. 8b, the maximum error of the BPNN prediction results from the true posture value is 0.262. The maximum error of SVM prediction is 0.234. The maximum error of LSTM prediction is 0.243. The maximum error of IGWO-LSTM prediction is only 0.103. On the whole, the prediction error of the study’s proposed method is significantly reduced from the other three methods. Therefore, the study further compares the performance metrics such as MAE of the four methods. The details are shown in Fig. 9.

Fig. 9

Comparison of MAE and MSE for 4 methods. Note: Different letters (a, b, c) in the figure indicate that the differences between models in the corresponding indicators are statistically significant (p < 0.05), based on one-way analysis of variance (ANOVA) and Tukey’s post hoc test.

Figure 9 shows the performance comparison of the four models in terms of the MAE and MSE metrics. The a, b, and c are used to indicate statistical differences between models. Figure 9a shows that the IGWO-LSTM model has the lowest MAE (marked as c) and that it differs significantly from the other three models (marked as a or b) (p < 0.05). This indicates that the IGWO-LSTM model significantly outperforms the other models in reducing prediction absolute error. Figure 9b shows that the IGWO-LSTM model performs best in terms of MSE. It achieves reductions of 78.33%, 65.79%, and 53.57%, which further validates its superiority in suppressing large error fluctuations compared to the other three methods. On this basis, the study further analyzes the performance of the four methods in terms of RMSE and the degree of model fit (R²) to the observed data. The details are shown in Fig. 10.

Fig. 10

Comparison of RMSE, MAPE and R² for 4 methods. Note: Different letters (a, b, c) in the figure indicate that the differences between models in the corresponding indicators are statistically significant (p < 0.05), based on ANOVA and Tukey’s post hoc test.

In Fig. 10a, b, the MAPE and RMSE of IGWO-LSTM are significantly lower than the other 3 methods. The RMSE of IGWO-LSTM is reduced by 44.62% on average and the MAPE is reduced by 52.11% on average than the other 3 methods. The goodness-of-fit (GOF) coefficient of determination, R², is a statistical measure of the GOF of a regression model that indicates the strength of the correlation between the model’s PVs and the actual observations. In Fig. 10c, the R² value of 0.85 reflects a notable improvement over other methods, highlighting the superior fitting performance of the proposed approach. This suggests that the research-proposed strategy is more predictively successful and has a considerable advantage in cybersecurity crisis prediction. The comprehensive performance comparison results of different methods are shown in Table 6.

Table 6 Comparison of comprehensive performance of different models based on regression and classification indicators.

As shown in Table 6, the IGWO-LSTM model achieves the best results in MSRE, RMSRE, RMSPE, MARE, MAE and MAPE significantly lower than the comparison models. This demonstrates that this method not only excels in traditional error metrics but also has significant advantages in the more rigorous relative error evaluation system. Furthermore, in the classification metrics, the IGWO-LSTM achieves the highest accuracy and F1 score, demonstrating its enhanced robustness and practicality in the security situation classification task.

Verification of grid SCADA system based on IGWO-LSTM

The study first examines the situational awareness evaluation module’s evaluation efficiency with the aim to confirm the efficacy of the suggested SCADA system. It also introduces BPNN, LSTM, DBN with five-fold cross-test optimization search, and K-nearest neighbors (KNN) to compare the effectiveness of situational awareness. Figure 11 displays the accuracy, FAR, FNR, and FPR of the five approaches in the UNSW-NB15 dataset.

Fig. 11

Comparison of the performance of different methods.

In Fig. 11a, the DBN accuracy of the proposed research utilizing BA-LF algorithm to find the optimal hyperparameters is as high as 93.72%. FNR indicates the percentage of normal traffic that is misreported as attack traffic, which displays that the proposed method has the lowest FNR value of 4.09%. The comparison of FPR and FAR is shown in Fig. 11b. FPR indicates the percentage of attack traffic that is misreported as normal traffic. The comparison displays that the FPR value of the proposed method is the lowest. The FPR and FAR of the proposed method are reduced by 52.33% and 53.33%, respectively, when compared to the DBN with five-fold cross-checking for optimality. Overall, the selection of DBN hyperparameters for optimization using BA-LF algorithm can significantly improve the DBN network performance and increase the efficiency of network situational assessment. On this basis, the study further carried out grid SCADA system performance verification. Setting every 5 min as a time window, and with three services and two hosts, the hierarchical calculation of the posture values of different services, hosts, and networks under attack as well as the situational prediction efficiency is carried out. Among them, the situational awareness results are shown in Fig. 12.

Fig. 12

Monitoring results of the network security monitoring system.

Figure 12a shows the situational awareness results of three common services, domain name system (DNS), hyper text transfer protocol (HTTP) and simple mail transfer protocol (SMTP), in the host. The HTTP service has the highest peak in the 48th-50th time window, which indicates a large-scale attack. The SMTP service, on the other hand, has a peak in the 35–40 time window, but it is smaller than HTTP, indicating that it is subjected to a larger scale attack. Compared to DNS, HTTP and SMTP services suffer multiple small-scale attacks throughout the time window. Figure 12b in that the 2 hosts show different distributions of host posture values throughout the time window. In particular, host 1 suffers from large-scale attacks in the 10th, 70th and 110th windows, while host 2 suffers from large-scale attacks in the 35th and 60th time windows. Figure 12c displays the posture analysis of the network layer. The network experienced eight larger-scale attacks and several smaller-scale attacks in the time windows that followed the 10th-15th time windows. Based on this, the study examines the suggested method’s efficacy in predicting the security state of various services, hosts, and networks that are vulnerable to attack.

As shown in Fig. 13, there is a clear superiority in the security effectiveness of the proposed method of the study with respect to different attacks, hosts, and networks. In Fig. 13a, the accuracy of security situation prediction for DNS by the proposed method under study is in the range of 97.53–99.67%, while the prediction accuracy for both HTTP and SMTP is above 98%. This may be due to the fact that the DNS protocol involves resolution of domain names and forwarding of packets, which increases the complexity of situation prediction. In addition, the small packet size and relatively simple query and response patterns of DNS prevent IGWO-LSTM from capturing enough information for training and prediction. In Fig. 13b, the prediction accuracy of IGWO-LSTM exceeds 99.2% for the two hosts and the network layer. This demonstrates the effectiveness of the proposed grid SCADA system for situational security awareness in networks. It also confirms the reliability and superiority of the IGWO-LSTM prediction method.

Fig. 13

Predicted security posture results for different services, hosts and networks under attack.

Scenario simulation attack validation

In this study, a test environment is constructed that matches the actual situation. The operation status and fault scenarios of real power grids are simulated, and actual grid operation data, public datasets, and simulation data are introduced to comprehensively evaluate the model’s performance. The test environment consists of three parts: hardware equipment, software tools, and data sources. The hardware equipment includes high-performance servers (configured with AMD Ryzen 7 5800H processors and 16 GB of RAM), network equipment (switches, routers, and firewalls), and storage equipment (large-capacity hard disk storage arrays). The software tools include MATLAB/Simulink version R2021b for power system simulation (https://www.mathworks.com/), Python Programming Language version 3.8 (https://www.python.org/) and MATLAB R2021b for data analysis, and Apache ECharts version 5.3.3 (https://echarts.apache.org/) for data visualization. The data sources cover actual grid operation data (key parameters such as voltage, current, power, etc. obtained from the partner utilities), the publicly available dataset UNSW-NB15, and simulation data. Sensors and smart meters are used to obtain real-time operational data from the grid system. Packets in the grid communication network are captured using the Wireshark packet grabbing tool. This data is then fed into the IGWO-LSTM model for fault detection, situational awareness, and security assessment.

To validate the computation time and prediction performance of the IGWO-LSTM model in different power system operation scenarios, the study designs three experimental scenarios: (1) Normal operation scenario, where the GIS is running normally in a no-attack state. (2) Small-scale attack scenario, where the GIS is subject to a small number of network attacks, including DoS attacks and Backdoor attacks. (3) Large-scale attack scenarios, where the GIS is subject to multiple network attacks such as DoS, Backdoor, Exploits and Fuzzers. Each scenario is simulated using the corresponding data from the UNSW-NB15 dataset. Table 7 shows the computation time of the IGWO-LSTM and traditional LSTM models in different scenarios.

Table 7 Experimental verification of different attack scenarios.

In Table 7, the computation time of IGWO-LSTM is mainly affected by the size and complexity of the data volume. In the normal operation scenario, the data volume is small and the computation time is short. Wile in the large-scale attack scenario, the data volume increases and the computation time is prolonged. However, under the same data scale and attack scenarios, the IGWO-LSTM model generally takes slightly longer to compute than the traditional LSTM model. This difference is mainly due to the additional computational overhead caused by the hyperparameter optimization process in the IGWO stage. The operational results show that the training and inference times of the IGWO-LSTM increase compared to the traditional LSTM in large-scale attack scenarios. While this difference is relatively limited, it still poses potential challenges in ultra-low latency applications that are extremely sensitive to latency. Notably, in the high-throughput, real-time monitoring environment of power grid SCADA systems, this additional overhead can be reduced through multi-core parallel computing, batch inference on edge nodes, and lightweight model optimization. These methods ensure the model’s scalability for real-time deployment under large-scale, concurrent data streams.

Computational complexity analysis

Theoretically, the time complexity of an LSTM is approximately O(T·n²), where T represents the sequence length and n represents the number of hidden units. IGWO introduces an additional population search overhead, with a complexity of approximately O(N·D). Among them, N is the population size and D is the feature dimension. Therefore, the overall complexity of the IGWO-LSTM model can be expressed as O(T·n² + N·D). This indicates that the computational burden of the model primarily comes from the LSTM’s recurrent operations and the IGWO’s population optimization process. To quantify the actual runtime overhead more precisely, the study compared the parameter size, average training time and single-sample inference time of different baseline models in the same experimental environment^31,32. The results are shown in Fig. 14.

Fig. 14

Time complexity comparison of different models.

As shown in Fig. 14, both the BPNN and SVM models have lower training and inference times. However, their predictive performance is significantly inadequate. While maintaining a certain level of accuracy, the LSTM incurs some increased computational overhead. By contrast, the introduction of IGWO to the LSTM has slightly increased the training and inference times of the IGWO-LSTM. However, this additional overhead remains within the acceptable range for the real-time requirements of SCADA systems. Compared to the recently popular graph convolutional networks (GCNs) and Transformer architectures, the IGWO-LSTM has significantly lower training and inference times, demonstrating a significant complexity advantage. Therefore, the IGWO-LSTM strikes the optimal balance between prediction accuracy and computational efficiency, making it better suited to practical power grid security situational awareness deployments.

discussion and conclusion

The study proposed a new grid SSA prediction method by improving GWO algorithm and applying it to LSTM network hyperparameter optimization, and designed a corresponding SCADA system. The MSE values of IGWO-LSTM were reduced by 78.33%, 65.79%, and 53.57%, respectively, compared to other neural networks. The FPR and FAR of the grid SCSADA system designed for the study in terms of situational assessment were reduced by 52.33% and 53.33% compared to the DBN with five-fold cross-testing for finding the optimum, respectively. The MSE of the model was reduced from 0.0016 to 0.0014 when the number of neurons was increased from 50 to 100. The IGWO algorithm could effectively optimize the hyperparameters of the LSTM and improve the training efficiency and prediction accuracy of the model. The network posture prediction method based on IGWO-LSTM could effectively achieve the prediction of potential attacks on the network and improve the security of the grid GIS system.

Grid SCADA system had feasibility and rationality in the security protection of power network informatization, which could promote the efficiency of power grid situational awareness and improve the security of data information. In the power grid field, real-time sensing and abnormal prediction of power grid operation posture can be realized by collecting voltage, current, and other data in real time and inputting them into the IGWO-LSTM model after preprocessing. Warning signals can be issued through a visualized interface, and the security strategy can be optimized to cope with cyberattacks. In the monitoring of natural gas pipelines, the model was utilized for situational awareness and risk assessment by integrating pressure, flow, and other multi-source data to detect leakage risks in time, issue early warnings, and provide emergency response recommendations. For water treatment systems, the technology predicted equipment failures and provides maintenance recommendations through real-time monitoring and analysis of water quality parameters and equipment status to ensure the stable operation of the water treatment process. In the traffic control system, the IGWO-LSTM model could also be used to analyze the traffic flow and equipment status, achieve traffic situational awareness and congestion prediction, and optimize signal timing to improve the safety and operational efficiency of the traffic system. In summary, this method effectively improves the safety and operational efficiency of critical infrastructure by providing real-time monitoring, situational awareness, risk assessment, and optimized control. It also ensures safe operation.

Limitations and future work

Although the proposed IGWO-LSTM model has promising performance in security situational awareness for power grid SCADA systems, several limitations still exist. First, sensor signals in real SCADA systems are often affected by measurement noise, signal drift, and data loss. Although the model uses the temporal smoothing capability of LSTM and the optimization ability of IGWO to improve robustness, it does not yet provide a comprehensive solution to mitigate sensor-related errors. Second, similar to most deep learning methods, IGWO-LSTM remains a black-box framework, whose internal decision-making process is difficult to interpret, resulting in limited model transparency and explainability. Third, the experiments are based on the UNSW-NB15 dataset. This dataset is widely used for intrusion detection research, but it is not specifically designed for power grid SCADA applications. This leads to a somewhat abstract mapping between attack categories and actual grid attacks. Finally, the current model still has limited generalization ability when confronted with different attack types, system scales, and datasets with significantly varied feature distributions. In addition, real-world deployment may encounter challenges, such as limited edge computing resources and processing high-frequency data streams, which could impact real-time performance.

To address these issues, future work will focus on the following directions. First, enhanced data preprocessing, anomaly detection, and robust training strategies will be incorporated to improve the model’s tolerance to sensor noise and data corruption. Second, feature attribution techniques such as SHapley additive exPlanations (SHAP), local interpretable model-agnostic explanations (LIME), and attention visualization can be incorporated to enhance model explainability and user trust. Third, datasets more closely aligned with actual grid SCADA traffic will be constructed or obtained, and collaborations with industry will be pursued to access real-world logs, thereby increasing the representativeness and engineering value of the findings. Fourth, cross-domain data training and reinforcement learning mechanisms will be used to improve generalization further. Model compression and lightweight deployment strategies will be applied to enhance operational efficiency in edge computing environments. Fifth, situational awareness will be integrated with cascading fault analysis to establish emergency decision-making mechanisms under complex scenarios and to extend the applicability of the method to other critical infrastructure systems.