Designing three indicators to detect false data injection attacks on smart grid by dynamic state estimation

Abstract

States data are among the most vital transferred data in power systems. Therefore, if the attacks to these states is not recognized, the system performance will get noisy and in the worst case, it will lead to widespread power outages. In this paper, three indicators will be presented to detect false data injection attack (FDI). These indicators use three factors to detect the attacks. The first indicator has been designed based on the performance of traditional power systems. The second indicator, in addition to the first factor, uses a relationship between angle and voltage changes in each bus to detect the attacks. The third one has been designed for detecting the attacks based on the neighbor buses performance. In this paper, FDI attacks have been classified into two categories: Manipulating attack, and PMU attack, in order to investigate the indicators performance. Using two standards of IEEE 14bus and New England 39bus, the indicators performance was analyzed. Our results show that all the three indicators have unique properties and all are successful in detecting attacks on smart grids.

Keywords

Dynamic state estimation phasor measurement units false data injection attacks cyber security.

Nomenclature

V _r

Voltage of bus r

δ _r

Voltage Angle of bus r

I _S

Output current of bus s

β _S

Suseptance of bus s

Measurement vector

Jacobian matrix

State vector

Attack vector

Noise vector

{\hat{x}}_{a}

State vector under attack

Residue index

R_a

Residue index under attack

F_k

nonzero diagonal matrix

G_k

nonzero vector with dimension (2n×1)

w_k

white Gaussian noise with zero mean

noise in the measurements vector

∂

deviation from SCADA measurements

λ (i, k)

The average of voltage state in instant time of k

φ (i, k)

The average of angle state in instant time of k

τ (i, k)

The average of λ (i, k) and φ (i, k)

Δ (i, k)

The mean value of τ (i, k)

ς (i, k)

The variance of τ (i, k) and Δ (i, k)

ϑ (i, k)

The instant variance of τ (i, k) and Δ (i, k)

1 Introduction

Smart grid as a kind of cyber physical system (CPS) is used to optimize the operation of power system by integrating physical power transmission system with the cyber process with information and communication technology (ICT) [1,2, 1,2]. Although there are many advantages for these kinds of technologies, there are some disadvantages too. As mentioned above smart grids are based on ICT infrastructures that can provide new vulnerabilities against cyber-attacks [3 –5]. According to these challenges, a new mission called cyber security versus cyber-attack should be determined.

Variety of data are exchanged in smart grids such as: Control commands, pricing data, state data etc. Manipulating any of these data can have economic or even national security effects. Among all these exchanged data, state data is the most important information that the reliability of the smart grids depends on it.

One of cyber-attacks that can impact on state data is False Data Injection (FDI) attack. Current power grid system uses bad data detection (BDD) to detect incorrect data caused by device error, communication noise or even malicious attacks like FDI. Nevertheless, new FDI attacks can bypass BDD [6]. Hence, an undetectable attack can lead to lose the load or even in a worse condition can cause the widespread blackout. Because of the importance of this issue, a lot of researches on the detection of these attacks have been carried out by researchers. Almost all researches are about investigating FDI attacks in static state estimation (AC or DC estimation).

The static state estimation as the base of grid operating define the steady state (or quasi-steady state) of the grid. After the occurrence of largest blackout on august 14, 2003 in North America and Canada [7] the importance of real time and dynamic monitoring of power system was found more than ever before. Nowadays wide-area measurement system (WAMS) is used to monitor the power grid dynamically. This can be done by escalating the deployment of phasor measurement units (PMUs) [8].

In this paper three indices are presented to detect FDI attacks in DSE systems. To verify the operation of suggested index, two types of undetectable attack are applied to DSE system namely: Manipulating database data attack and Manipulating PMUs sent data.

In this paper IEEE 14-bus and New England 39-bus power system are used to illustrate the performance of proposed indices. The rest of this paper is organized as follows. Section 2 presents related works. Section 3 gives a short introduction to dynamic state estimation. Bad data detection and undetectable FDI attack are discussed in section 4. In order to detect FDI attacks the suggested indices are formulated and discussed in section 5. Section 6 presents the results of simulation. Finally the paper is concluded in section 7.

2 Related work

In this section a brief review of prior works, related to our study, is presented. As mentioned before, state estimation is a very critical part of smart grid to keep system in a normal operation. Recently, some researches have been done to investigate the impact of FDI attacks on state estimations in power systems.

Junbo Zhao et al. extended the approximate dc model to a more general linear model that can handle both supervisory control and data acquisition and phasor measurement unit measurements. Then, a general FDIA based on this model derived and the error tolerance of such attacks is discussed. [9]. In [10] in order to detect FDI attacks in smart grid, a statistical anomaly detection approach based on Gaussian mixture model is presented by S. Armina Foroutan. The problem of simultaneous attacks in power grids in manipulating state estimation was considered in [11] in which a defensive approach against malicious data will be practical if it is possible to protect it against the attacks through a small amount of measurements. A new analytical technique was done in [12] to analyze the state estimation vulnerability, which describes how the physical properties of the power system can be used as an advantage to protect the power system against FDI attacks. All these studies are about detecting FDI attacks in steady state estimation and to the best of our knowledge there is just one effort on dynamic state estimation which was done in [2] and improved Kalman filter in dynamic state estimation to detect FDI attacks. As mentioned before, due to some important challenges in DSE, this technique cannot be used in a power system, alone. In practice, to overcome these problems, PMUs should be used with DSE. In this paper we used DSE prediction features to present three indices for detecting FDI attacks.

3 Dynamic state estimation in smart grid

In order to reach an exact performance of the energy management system (EMS), the accuracy of estate estimation should be high. In the power grid, loads are constantly changing but as we know, these changes are slow. Therefore, changing loads leads to the change of power flow in all lines and buses.This quasi-static behavior of the power system cannot be modelled by traditional state estimation. Therefore, a new technique called dynamic state estimation (DSE) was presented to capture dynamic changes in power grids in [13].

The process of common DSE can be studied in [13–14]. Because our case study is the smart grid and, as we know, in the smart grids, PMUs are used as widely as possible to keep system observable, the state filtering in DSE will change here. When the PMUs are widely used in smart grids, the buses which are equipped by the PMU, do not need the conventional state estimation, because their states are measured by PMU, and the state of other busses can be calculated as follow [15]: $V_{r} ∠ δ_{r} = V_{S} ∠ δ_{S} - ((I_{S} ∠ β_{S}) \times Z) + (V_{S} ∠ δ_{S}) \times Y \times Z$ (1)

After receiving information from PMUs in the time step k, this information are used by the DSE to predict the state of power grid at the time step k + 1. PMU sampling rate is 50/60 samples/s for 50/60 Hz systems. It means in a 50 Hz system, PMU sends state every 20 ms, so time prediction of DSE is 20 ms.

The conventional DSE process can be summarized as follow: $X_{k + 1} = F_{k} X_{k} + G_{k} + w_{k}$ (2)

Where X_(k+1) and X_k represent true state vector at k + 1th and kth time instants, respectively. For a system with n buses, there are 2n states, hence X is a matrix with dimension (2n×1). F_k is a nonzero diagonal matrix to model the state transition between these two instants of time with dimension (2n×2n). G_k is a nonzero vector with dimension (2n×1). w_k is the white Gaussian noise with zero mean andcovariance Q. $Z_{k} = H_{k} X_{k} + ν_{k}$ (3)

Where Z is the measurement vector sent by remote terminal units (RTUs), included power injection and power transmission data and also measured line current sent by PMUs. H is Jacobian matrix related to the measurements and the states vectors. ν is the noise in the measurements vector.

In this paper, by Holt’s double exponential smoothing method is used to model the parameters of power system [16].

In the next section it will be shown that the attacker can manipulate measurement matrix (Z) to launch a successful attack immune to detection. So in this paper, a new objective function is suggested tooptimize the predicted value. In this function unlike objective function of conventional DSE, we don’t use the measurement matrix. $J^{'} (x_{i}) = \frac{({\tilde{x}}_{i} (k + 1) - {\hat{x}}_{i} (k + 1))^{2}}{\partial_{i}^{2}}$ (4)

To minimize the above equation, the values of α and β in Holt’s double exponential smoothing method [16] will be changed by optimization algorithms, thus after achieving the optimal value, the predicted values in the next moment (k + 2) will have a highaccuracy.

In Equation (4), $\hat{x}$ is the measured state sent by PMUs and ∂ is deviation. ∂ is a deviation from SCADA measurements (buses without PMU) and σ _pmu is a deviation from the PMU measurements. It is clear that because of high accuracy in PMUs, we know that ∂_pmu << ∂. For each state (i) this process should be done separately. It means that F and G are variable and each element in them, is calculated separately.

4 False data injection attack

The smart grid is based on the cyber infrastructures and communications. So, there is always the risk of cyber-attacks. One of the ways for attacking to a smart grid is compromising the meters or sensors, then hacking the communication networks and sending wrong data. In July 2010, a virus called Stuxnet attacked to 46,000 computers all over the world. It was the first virus which had physical consequences rather than cyber consequences. So, the importance of defending against cyber-attacks was increased [17, 4].

There are several types of physical and cyber-attacks in the power systems. But in this paper, our focus is on False Data Injection (FDI) attacks. This kind of attack manipulates sent data in the data sending source such as RTUs and PMUs) or in databases in SCADA. If the FDI attack is not detected, according to data manipulation, it can lead to a wrong state estimation and, as a result, wrong commands will be send to the actuators.

In this paper, in order to evaluate the performance of the proposed indicators, an undetectable FDI attack is simulated. To determine an undetectable FDI attack measurement, matrix Z must be manipulated by adversary so the sent data by RTUs are changed.

The most common algorithm to detect bad data can be formulated as below: $r = Z - h (\hat{x})$ (5)

Based on Equation (5), if the estimated estate is wrong, there will be a difference between received measurement Z, and estimated measurement $h (\hat{x})$ . However we will illustrate that an adversary can bypass this method and manage a successful attack.

If Za is the attack measurement vector, a is the attack vector and ${\hat{x}}_{a}$ is attack state vector, then the Equation (5) can be rewritten as follow: $r_{a} = Z_{a} - h ({\hat{x}}_{a})$ (6)

$Z_{a} = Z + a$ (7)

If an attacker injects attack vector as $a = h ({\hat{x}}_{a}) - h (\hat{x})$ , so Equation (6) turns to: $\begin{matrix} r_{a} = Z_{a} - h ({\hat{x}}_{a}) = Z + a - h ({\hat{x}}_{a}) = \\ Z + h ({\hat{x}}_{a}) - h (\hat{x}) - h ({\hat{x}}_{a}) = r \end{matrix}$ (8)

It means if an attacker knows about the topology of the system, he/she can bypass common method against bad data detection and added vector to state vector is c as ${\hat{x}}_{a} = \hat{x} + c$ . As mentioned above, the key point for attacker is determining attack vector. Since attack vector is added to the measurement vector (Z), so this attack cannot be detected by common bad data detection. In next section we will propose a method to detect FDI attack without using measurement vector.

5 Detecting false data injection attack

In this section, three indicators are designed to identify FDI attacks. As mentioned before, here, it is assumed that sufficient numbers of PMU are used to keep system observable. The FDI attack at k + 1th time sinstant affects on the time step k, too. When an attack is done at k + 1th time step, it will be immune to the attack, because the predicted state at this time step is based on time step k. Thus, there is a large difference between predicted and measured states at time step k + 1. So, after reaching high accurate prediction, based on Equation (4), the first index can be formulated as below (Subscript 1, 2 and 3 are related to the first, second and third index, respectively). $λ_{1} (i, k) = \frac{{\tilde{x}}_{i} (k + 1) + {\hat{x}}_{i} (k + 1)}{2}$ (9)

$φ_{1} (i, k) = \frac{{\tilde{x}}_{i} (k) + {\hat{x}}_{i} (k)}{2}$ (10)

Fig.1

Transmission line equipped with phasor measurement.

Where i is ith element of state vector, k is kth time instant, $\tilde{x}$ is the predicted state, $\hat{x}$ is the sent state by PMU or the calculated state by Equation (1). $τ_{1} (i, k) = \frac{λ_{1} (i, k) + φ_{1} (i, k)}{2}$ (11) $Δ_{1} (i, k) = \frac{\sum_{k = 1}^{k} τ_{1} (i, k)}{k}$ (12)

where Δ (i, k) is the average of τ (i, k) up to kth time instant. In this paper, we used Iran winter load profile, and applied this load profile to IEEE 14-bus and New England 39-bus system.

As shown in Fig. 2, load profile in this paper is divided into three parts. This division is based on the curve slope changes of load profiles. So, from 12 p.m. to 6 a.m. the network is in a state of low-load, and the slope of the load profiles curve is decreasing. From 6 a.m. load is increasing, and the curve slope is switching from a descending mode to an ascending mode, and the process will continue until 8 p.m., then this process is again descending. So we divide the load profile to three parts. The first part is from 12 p.m.to 6 a.m., the second part is from 6 a.m. to 8 p.m. and the third part is from 8 p.m. to 12 p.m.

Fig.2

Load profile applied to the test system.

Then, two parameters ς (i, k) and ϑ (i, k) are defined as below: $ς_{1} (i, k) = \sqrt{\frac{\sum_{k = 1}^{k} {(τ_{1} (i, k) - Δ_{1} (i, k))}^{2}}{k}}$ (13) $ϑ_{1} (i, k) = \sqrt{{(τ_{1} (i, k) - Δ^{'}_{i} (i, k))}^{2}}$ (14)

Equations (13) and (14) are alike variance; where $Δ_{i}^{'} (i, k)$ is the average of τ (i, k) among part i in a day refer to Fig. 2. ς (i, k) is the total variance, and ϑ (i, k) is the instant variance. If the time interval is between 12 a.m. and 6 a.m., $Δ_{1}^{'} (i, k)$ will be used, and for the other time interval, $Δ_{2}^{'} (i, k)$ and $Δ_{3}^{'} (i, k)$ will be considered. The new index to detect FDI attack is suggested as below: $r_{1} = | ς_{1} (i, k) - ϑ_{1} (i, k) | < ε_{1}$ (15)

Where ε ₁ is the threshold and its amount can be calculated by a classification method like decision tree and etc. Since the amount of changes in voltage and angles are different, ε ₁ is divided into two parts, namely: ε _v and ε _δ.

In this paper, a day is divided into 60 steps. First, the system is simulated in a normal operation, without any attacks. After the simulation, using classification the threshold values of angles and voltages are obtained, according to the Table 1.

Table 1

Range of threshold ε ₁

Normal	Bad Estimation	Attack
ε _v < 0.02	0.02 < ε _v < 0.03	ε _v > 0.03
ε _δ < 4	4 < ε _δ < 6	ε _δ > 6

In order to detect FDI attacks, the PMUs data and predicted data were used. Also, the final index system for detecting attacks is obtained by analyzing the power system behavior in the past referring to Equation (15).

The second index is based on a relationship between voltage and angle of each bus. This index can be formulated as below: $λ_{2} (i, k) = e^{\frac{{\tilde{V}}_{i} (k + 1) + {\hat{V}}_{i} (k + 1)}{2}}$ (16) $φ_{2} (i, k) = e^{\frac{{\tilde{δ}}_{i} (k + 1) + {\hat{δ}}_{i} (k + 1)}{2}}$ (17)

where V and δ represent voltage and angle of i^th bus. $τ_{2} (i, k) = B (i, k) \times \frac{λ_{2} (i, k)}{φ_{2} (i, k)} + A (i, k)$ (18) $B (i, k) = γ \times \frac{{\tilde{V}}_{i} (k + 1) + {\hat{V}}_{i} (k + 1)}{2}$ (19) $A (i, k) = ω \times ln (\frac{{\tilde{V}}_{i} (k + 1) + {\hat{V}}_{i} (k + 1)}{2})$ (20)

Where ω and γ are weighted coefficients. $Δ_{2} (i, k) = \frac{\sum_{k = 1}^{k} τ_{2} (i, k)}{k}$ (21)

In Equation (24), A represents the influence of the change on voltage in i^th bus at kth time instant. If the measured value and the predicted value of each bus are close to 1pu, the amount of this term will be near zero. When there is a large difference between the predicted and measured voltages, this value will be changed. $ς_{2} (i, k) = \sqrt{\frac{\sum_{k = 1}^{k} {(τ_{2} (i, k) - Δ_{2} (i, k))}^{2}}{k}}$ (22) $ϑ_{2} (i, k) = (τ_{2} (i, k) - Δ^{'}_{i} (i, k))$ (23)

Weighted coefficients are calculated by an optimization method. In this paper, ω and γ are 1.5 and 20, respectively.

Ultimately, the second index for detecting FDI attack, is suggested as below: $r_{2} = | ς_{2} (i, k) - ϑ_{2} (i, k) | < ε_{2}$ (24)

The range of threshold for index 2 is given in Table 2.

Table 2

Range of threshold ε ₂

Normal	Bad Estimation	Attack
ε ₂ < 0.25	0.25 < ε ₂ < 0.4	ε ₂ > 0.4

In the third indicator, for evaluating the accuracy of the state data on each bus, the other buses data connected to it, has been studied. In this indicator, for evaluating the data accuracy of the bus, the other buses are divided into two layers. The first layer consists of the bus which is directly connected to the studied bus, and the second layer consists of the bus which is connected to the first layer. $λ_{3} (i, k) = \frac{{\tilde{x}}_{i} (k + 1) + {\hat{x}}_{i} (k + 1)}{2}$ (25) $φ_{3} (j, k) = \sum_{j \in s} \frac{{\tilde{x}}_{j} (k) + {\hat{x}}_{j} (k)}{2 d}$ (26) $γ_{3} (j, k) = \sum_{j \in g} \frac{{\tilde{x}}_{j} (k) + {\hat{x}}_{j} (k)}{2 e}$ (27)

In Equation (25), i is relevant to the studied bus, and in (26),s is a set of buses that were studied in the first layer, and d is the number of the members of g. In (27) g is a set of buses that were studied in the second layer and e is the number of the members of g.

$τ_{3} = e^{(u \times (w \times λ_{3} - α \times φ_{3} - β \times γ_{3}))^{2}}$ (28)

In Equation (28), u, w, α and β are weighting coefficients, in which u for the case related to the voltage size equals to 1 and for the state related to the voltage angle is considered equal to 0.21. w, α and β are the coefficients of the studied bus, buses of the first layer and buses of the second layer, respectively. It is normal that the amount of w is more than the others, and if the bus get farther from the studied bus, their weight indicator will be reduced. In this paper, w = 1.46, α = 0.8 and β = 0.65 are intended.

$Δ_{3} (i, k) = \frac{\sum_{t = 1}^{k} τ_{3} (i, t)}{k}$ (29) $ς_{3} (i, k) = \sqrt{\frac{\sum_{k = 1}^{k} {(τ_{3} (i, k) - Δ 3 (i, k))}^{2}}{k}}$ (30) $ϑ_{3} (i, k) = (τ_{3} (i, k) - Δ^{'}_{i} (i, k))$ (31)

Equation (30), is alike the variance and is related to the start of the simulation up to the moment. Equation (31) is the variance of the moment. The third indicator is calculated as follow. $r_{3} = | ς_{3} (i, k) - ϑ_{3} (i, k) | < ε_{3}$ (32)

The range of threshold for index 3 is given in Table 3.

Table 3

Range of threshold ε ₃

Normal	Bad Estimation	Attack
ε ₃ < 0.0004	0.0004 < ε ₃ < 0.0008	ε ₃ > 0.0008

To evaluate the amount of range of suggested threshold, at first we ran system in normal situation for several times and calculated the thresholds. After that we ran system on under an over load situation in several times and calculate another thresholds. Finally by Sensitivity analysis we determine the border of thresholds for normal, bad data and attack situation.

In next section to verify the suggested indices two kinds of undetectable FDI attacks namely: 1. Manipulating database data attack 2. Manipulating PMUs data attack, are applied to IEEE 14-bus and New England 39-bus test system.

6 Simulation and results

To verify the operation of proposed indices, IEEE 14-bus and New England 39-bus test systems have been chosen. As it is assumed that the system is observable, there are 3 PMUs in IEEE 14-bus in buses 2, 6 and 9 and 8 PMUs in New England 39-bus in buses 3, 8, 10, 16, 20, 23, 25 and 29 [18]. As mentioned before, two types of FDI attacks are applied to evaluate the suggested index.

6.1 Manipulating database data attack

It is assumed that an attacker manipulates data in the energy management system database or in the SCADA database, while the sent data by PMUs are correct.

As shown in Table 4, it is assumed that an attacker attempts to manipulate the state by adding matrix c at time steps 57, 58, 59 and 60 in 13th bus of IEEE 14 bus system and at time steps 37, 38, 39 and 40 in 18th bus of New England 39-bus test system.

Table 4
Matrix c as an attacked states added to database

State number Added to true voltage State number Added to true angle

IEEE 14-bus C13 0.08pu C27 0 deg

New England 39-bus C18 -0.085pu C57 0 deg

	State number	Added to true voltage	State number	Added to true angle
IEEE 14-bus	C13	0.08pu	C27	0 deg
New England 39-bus	C18	-0.085pu	C57	0 deg

6.2 Manipulating PMUs sent data

In this type of attack, the sent data by PMUs are under attack. Referring Table 5, it is assumed that an adversary manipulates sent data by PMU which was installed in bus 6 of IEEE 14-bus system at time steps 42, 43, 44 and 45, and manipulates PMU which was installed in bus 29 of New England 39-bus system at time steps 27, 28 and 29. The attacked state are 0.0673 and 16.8816 in IEEE 14-bus, and -0.0608 and -20/1810 in New England 39-bus system which added to true measured voltage and angle respectively.

Table 5
Manipulating PMUs sent data

PMU place Added to true measured voltage Added to true measured angle

IEEE 14-bus PMU 6 0.0673pu 16.8816

New England 39-bus PMU 29 −0.0608pu −20.1810 deg

	PMU place	Added to true measured voltage	Added to true measured angle
IEEE 14-bus	PMU 6	0.0673pu	16.8816
New England 39-bus	PMU 29	−0.0608pu	−20.1810 deg

C Evaluation of index performance

The first index, based on the state distribution in 3 time intervals, is shown in Fig. 2. This index verifies each state separately and as the range of changes in voltage and angles are different, so this index is divided into two parts with two thresholds.

The first index can detect both attacks after one time step. For example, as shown in Fig. 3, in the first type of attack, the voltage of bus 13 in IEEE 14-bus test system is increased about 0.08pu at 57th time step. At this time instant, the measured state is manipulated but the predicted state has been predicted in the previous time step. Therefore, the predicted state for 57th time step is not exposed to an attack.

Fig.3

Voltage of bus 13 at IEEE 14-bus system in normal and under attack situation.

Refer to Fig. 4, the manipulating attack in x13, related to bus13 is detected by index1. Also, the PMU attack in bus 6 has an effect on the estimated state in bus 13, in which the attack is indirectly and is detected accurately.

Fig.4

The performance of index 1 in IEEE 14-bus system.

Fig. 5 shows the performance of index 1 in New England 39-bus test system. As shown in Fig. 5, the manipulating attack in x18 related to bus18 is detected by index1, too. Index 1 also detects PMU attack in bus 29, and as bus 28 is connected to bus 29, so this bus will be affected by attack, too.

Fig.5

The performance of index 1 in New England 39-bus system.

Figure 5 shows the performance of first indicator in the New England 39-bus test system. As shown in Fig. 5, the first type of attack has been identified by this indicator in voltage of bus 18. Also, the second type of attack is detected in bus 29, which equipped by PMU. As the bus 28 is connected to this one, so it is affected by the second attack, and the first indicator will detect the attack condition in bus 28.

Table 6 shows the value of voltage, τ, Δ and r related to the index1, 2 and 3 in 13th bus of IEEE 14-bus system, under manipulating attack between 54th and 60th time steps. The amount of τ ₁ (i, k) based on Equation (11) is also given in Table 6.

Table 6

The value of voltage, τ and Δ′ related to index1, 2 and 3 in 13th bus of IEEE 14-bus system under manipulating attack

Time – step	Attack situation	Measured state	Predicted state	τ ₁ (i, k)	Δ′ (i, k) (20pm to 24pm)	τ ₂ (i, k)	Δ′ (i, k) (20pm to 24pm)	τ ₃ (i, k)	Δ′ (i, k) (20pm to 24pm)	r1	r2	r3
54	Normal condition	1.04	1.04	1.04	1.04	7.17	7.20	1	1.0001	0.0008	0.0168	0.000005
55		1.04	1.04	1.04	1.04	7.12	7.18	1	1.0001	0.0009	0.0285	0.000008
56		1.04	1.04	1.04	1.04	7.13	7.17	1.0001	1.0001	0.0001	0.0066	0.000009
57	Attack condition	1.12	1.04	1.06	1.04	8.42	7.38	1.0039	1.0001	0.0167	0.8417	0.0027
58		1.12	1.12	1.10	1.05	9.68	7.70	1.0140	1.0004	0.0445	1.6125	0.0096
59		1.12	1.13	1.12	1.06	9.72	7.96	1.0133	1.0006	0.0547	1.4122	0.0077
60		1.12	1.12	1.12	1.07	9.58	8.14	1.0136	1.0008	0.0477	1.1180	0.0069

As shown in Table 6, among time steps 54 to 56, the system is on a normal condition, and predicted and measured states are close to each other. Also, the value of τ ₁ (i, k) and Δ′ (i, k) are also close to each other.

In 57th time step, at the beginning of attacks, there is only one parameter affected by attacks (measured state), so according to Equations (12) to (15), since measured and predicted states at 56th time step and also predicted state at 57th time step are safe, so the value of τ ₁ (i, k) and Δ′ (i, k) are between the normal and attack condition. So the first step in the attack was not detected and it is classified as a badestimation.

The performance of index 2 in IEEE 14-bus and New England 39 bus system have been shown in Figs. 6 and 7 respectively. As shown in Figs. 6 and 7 both attacks are detected at the beginning of attack.

Fig.6

The performance of index 2 in IEEE 14-bus system.

Fig.7

The performance of index 2 in New England 39-bus system.

Refer to Table 6, it can be seen that the value of τ ₂ at the beginning of attack (57th time instant) is 8.4227 and it is more than the normal value before the attack (7.1). Because the second index is formulated based on a relationship between voltage and angle of each bus, so second index can detect the attack from its beginning.

When the load of each bus decreases, its voltage increases. In addition, because the need for transmitted power has been reduced, the amplitude of the angle is reduced, too. According to Tables 3 and 5, in manipulating database data attack, for example at 57th time step, an adversary added 0.08 to voltage of bus 13, but there are not any changes in the angle, so the index 2 detects an irregular condition, and because the amount of the index is higher than the threshold, so an attack has been detected at bus 13 (Fig. 6). In manipulating PMUs data attack, an adversary will manipulate the sent data from PMU; so, other connected buses to PMUs are affected. For example, regarding to the Tables 5 and 7 at 27th time step, the installed PMU at bus 29 in New England 39-bus system is exposed to an attack. The measured voltage and angle of this bus is manipulated by adding -0.0608 and -20/1810 to true measured voltage and angle, respectively. So, this attack leads to wrong state estimations at bus 26, 28 and 38.

At first, the relationship between voltage and angle of bus 29 is regular, but regarding to the history of index among 6 a.m. and 8 p.m. (shown in Fig. 2), it is found that there is an unusual situation and so the value of second index is higher than the threshold, and an attack has been detected. Regarding to Fig. 7, it can be shown that the second index can detect attacks in bus 29 at 27th, 28th and 29th time steps, carefully. Also because bus 28 is connected to bus 29 (PMU bus), so an attack has been detected there, too. Finally, it is found that the second index can detect both attacks in each bus with a high accuracy.

Table 7 shows the value of voltage, τ and Δ related to index1, 2 and 3 in 29th bus of New England 39-bus system under PMU attack between 24th and 29th time steps.

Table 7

The value of voltage, τ and Δ′ related to index1, 2 and 3 in 29^th bus of New England 39-bus system under PMU attack

Time – step	Attack situation	Measured state	Predicted state	τ ₁ (i, k)	Δ′ (i, k) (6Am to 20pm)	τ ₂ (i, k)	Δ′ (i, k) (6Am to 20pm)	τ ₃ (i, k)	Δ′ (i, k) (6Am to 20pm)	r1	r2	r3
24	Normal condition	1.05	1.04	1.04	1.05	5.72	5.80	1.0002	1.0002	0.0006	0.1489	0.000001
25		1.05	1.05	1.05	1.05	5.79	5.79	1.0003	1.0002	0.0001	0.1421	0.000045
26		1.05	1.04	1.051	1.05	5.80	5.79	1.0002	1.0002	0.0108	0.1891	0.000011
27	Attack condition	0.98	1.05	1.03	1.04	5.89	5.79	1.0063	1.0002	0.0271	0.4865	0.0045
28		0.98	0.98	1.00	1.04	5.98	5.79	1.0091	1.0004	0.0442	0.7481	0.0073
29		0.98	0.97	0.98	1.04	6.30	5.79	1.0115	1.0006	0.0382	0.4625	0.0087

The performance of the third indicator to identify attack FDI in the IEEE 14bus test system and New England 39 bus test system are shown in Figs. 8 and 9, respectively. When the first type of attack is applied to bus 13 in the IEEE 14bus, since the buses connected to bus 13or the bus of the first layer (buses 6, 12 and 14) and buses of second layer (buses 5, 6, 9 and 11) do not exposed to an attack, the values of buses in first and second layers are on a normalcondition. But bus 13 is exposed to an attack and its state values are changed in comparison to previous time step. So, bus 13 has a significant change in values but buses in the first and second layers are in a normal condition.

Fig.8

The performance of index 3 in IEEE 14-bus system.

Fig.9

The performance of index 3 in New England 39-bus system.

Here, as shown in Table 6, in 57th time instant, the incensement of the voltage of bus 13 might be due to lose lots of loads in the bus.

As a result, the transfer power value from the first layer bus to this bus should be changed; at least the value of the voltage and angle of the first layer should be changed, but this fact has not been observed and, according to the Equation (32), the indicator value (r3) is more than the normal value and an attack is detected. In Table 7, the third indicator values in normal and abnormal situations, is shown. Moreover, after applying the second type of attack to the bus 29, it is obvious that the first layer buses are directly exposed to an attack, due to their connection with PMU, but as the weighting coefficient (w) in Equation (28) is more than the other coefficients, so the attack is easily detected

Figure 8 shows the performance of the third indicator in both types of attacks to IEEE 14bus system. As it can be seen, this indicator in the attack type 1, has an excellent performance and the attack on the bus 13 is detected. In the attack type 2, PMU attack in the bus which is equipped by PMU, is well detected. But, for example, according to the Equation (28) for the first layer buses which are indirectly affected by the attack on the bus 6, the buses have lower values of index; because in this indicator, changes in bus 6 is higher than others. But still an indirect attack has been identified in two steps, in busses of the first layer. Figure 9 shows the third indicator performance in New England 39 bus system, which has a performance similar to the IEEE 14bus. Also, the attack type 1in bus 18, has been completely recognized. According to the Table 7, the attack type 2 in PMU, which is installed in the bus 29, is clearly identified, and also the first layer buses are exposed to an attack, because they are connected to PMU in bus 29, and attack in these buses are detected with lower values in the index. Then, it can be concluded that all these three indicators have the ability to identify manipulating attack and PMU attack.

The first Indicator can detect those attacks with one time step delay. One of the weaknesses of the first indicator is the lack of distinction between overload or severe load shedding with attack. The second indicator detected both attacks at the attack moment. Because the second indicator is based on the relationship between voltage and voltage angle in each bus, the problem listed in the first indicator will be solved in this indicator. The third indicator is based on the behavior of the nearby buses and both attacks are detected at the action moment. The disadvantage of this indicator is in the attack type2 by detecting indirect attacks to the buses in first. In this type of attack, attack to a bus which is equipped by PMU can be detected accurately. But the value of the indicators in neighbor buses due to low weighting coefficients, is lower than the value of indicator in the studied bus. So, if the amount of attack vector elements is small, the attack in the first layer might not be recognized. However, since the bus, which is equipped by PMU, is directly exposed to an attack, so the attack in that bus will be detected. However, this problem can be solved by calculating states of buses in the first layer by other PMUs.

A comparison between the performances of these three indicators is given in the Table 8.

Table 8

The comparison between performances of three indicators

Suggested Indicator	Time attack detection	The distinction between huge changes in load and attack	Detecting manipulating attack	Detecting PMU attack	Detecting indirect attack in buses connected to PMU
First indicator	With one time-step delay	No	Yes	Yes	Yes
Second indicator	At attack moment	Yes	Yes	Yes	Yes
Third indicator	At attack moment	Yes	Yes	Yes	Limited

7 Conclusion

In this paper, three indicators were designed to identify FDI attacks. In all these three indicators to detect attacks, the features of the state predicting in dynamic state estimation approach was used.

In order to evaluate the proposed indicators, two types of attack, called manipulating attack and PMU attack were applied to the standard IEEE 14 bus system and New England 39 bus system. In the first type of the attack, the measured and estimated data in energy management system were manipulated. The second type of attack was about manipulating sent data by PMUs.

The Performance of all these three indicators in detecting attacks showed that all of them are able to detect FDI attacks. Among these indicators, the best performance belongs to the second indicator and, as shown before, it is able to detect both attacks at the moment of attack. First indicator detected the attack with one delay in step time and it, was not able to distinguish between heavy changes of load and the attack in the system. If the range of attack vector by the attacker is small, the third indicator might not be able to identify the attack in the bus of the first layer. But a direct attack to PMU can be detected completely. Finally, we can conclude that all these three indicators provide suitable functions to identify FDI attacks; however the second indicator has the high accuracy.

References

Chen

P.Y.

, Yang

, McCann

, Lin

and Yang

, Detection of false data injection attacks in smart-grid systems, Communications Magazine, IEEE, 53(2) (2015), 206–213.

Yang

, Chang

and Yu

, On false data injection attacks against Kalman filtering in power system dynamic state estimation, Security and Communication Networks, (2013).

Yang

, Littler

, Sezer

, McLaughlin

and Wang

H.F.

, Impact of cyber-security issues on smart grid, In Innovative Smart Grid Technologies (ISGT Europe), 2011 2nd IEEE PES International Conference and Exhibition on 2011, pp. 1–7.

Hossein

, Bathaee

S.M.T.

, Abedini

, Hosseina

and Fereidunain

, Defending false data injection attack on smart grid network using neuro-fuzzy controller, Journal of Intelligent and Fuzzy Systems, 27(3) (2014), 1457–1467.

, Kim

T.H.

, Brancik

, Dickinson

, Lee

, Perrig

and Sinopoli

, Cyber–physical security of a smart grid infrastructure, Proceedings of the IEEE, 100(1) (2012), 195–209.

Liu

, Ning

and Reiter

M.K.

, False data injection attacks against state estimation in electric power grids, ACM Transactions on Information and System Security (TISSEC) 14(1), 2011.

Andersson

, Donalek

, Farmer

, Hatziargyriou

, Kamwa

, Kundur

, Martins

et al., Causes of the major grid blackouts in North America and Europe, and recommended means to improve system dynamic performance, Power Systems, IEEE Transactions on, 20(4) (2005), 1922–1928.

Phadke

A.G.

and de Moraes

R.M.

, The wide world of wide-area measurement, Power and Energy Magazine, IEEE, 6(5) (2008), 52–65.

Zhao

, Zhang

, La Scala

, Yang Dong

, Chen

and Wang

, Short-term state forecasting-aided method for detection of smart grid general false data injection attacks, IEEE Transactions on Smart Grid, 8(4) (2017), 1580–1590.

10.

Armina Foroutan

and Salmasi

Farzad R.

, Detection of false data injection attacks against state estimation in smart grids based on a mixture Gaussian distribution learning method, IET Cyber-Physical Systems: Theory & Applications, 2(4) (2017), 161–171.

11.

Kim

T.T.

and Poor

H.V.

, Strategic protection against data injection attacks on power grids, Smart Grid, IEEE Transactions on, 2(2) (2011), 326–333.

12.

Hug

and Giampapa

J.A.

, Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks, Smart Grid, IEEE Transactions on, 3(3) (2012), 1362–1370.

13.

Debs

A.S.

and Larson

, A dynamic estimator for tracking the state of a power system, Power Apparatus and Systems, IEEE Transactions on, 7 (1970), 1670–1678.

14.

Da Silva

A.L.

, Do Coutto Filho

M.B.

, and De Queiroz

J.F.

, State forecasting in electric power systems, In IEE Proceedings C (Generation, Transmission and Distribution) 130(5) (1983), pp. 237–244. IET Digital Library

15.

Aminifar

, Shahidehpour

, Fotuhi-Firuzabad

and Kamalinia

, Power system dynamic state estimation with synchronized phasor measurements, Instrumentation and Measurement, IEEE Transactions on, 63(2) (2014), 352–363.

16.

Lin

J.M.

, Huang

S.J.

and Shih

K.R.

, Application of sliding surface-enhanced control for dynamic state estimation of a power system, IEEE Trans Power Syst, 18(2) (2003), 570–577.

17.

Chen

T.M.

, Stuxnet, the real start of cyber warfare? [Editor’s Note]. Network, IEEE, 24(6) (2010), 2–3.

18.

Chakrabarti

and Kyriakides

, Optimal placement of phasor measurement units for power system observability, Power Systems, IEEE Transactions on, 23(3) (2008), 1433–1440.