False Data Injection Attacks Against State Estimation in ... - IEEE Xplore

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSG.2018.2813280, IEEE Transactions on Smart Grid

False Data Injection Attacks Against State Estimation in Power Distribution Systems

Ruilong Deng, Member, IEEE, Peng Zhuang, Student Member, IEEE, and Hao Liang, Member, IEEE

Abstract—The existing research on false data injection (FDI) attacks against state estimation in transmission systems cannot be trivially extended to distribution feeders. The main reason is that a strong condition that requires the attacker to know the estimated state of distribution systems is needed, which makes the traditional FDI attacks difficult to be implemented in practice. In this paper, we propose a practical FDI attack model against state estimation in distribution systems, without paying expensive cost for obtaining the system state. We show that the attacker can approximate the system state based on power flow or injection measurements without too much effort. For local FDI attacks, the strong condition can be further relaxed to the knowledge of local state, which can be approximated based on a small number of power flow or injection measurements. Simulation results based on the IEEE test feeder demonstrate that the proposed practical FDI attack, even with the approximated system state, is more likely to compromise the state estimation without being detected, in comparison with the traditional attacks. This paper provides a basis to study the attack behaviors in distribution systems and a theoretical guide to develop protective countermeasures. Index Terms—Cyber security, false data injection attacks, power distribution systems, smart grid, state estimation.

I. INTRODUCTION

System monitoring is necessary for achieving the safe and reliable operation of power systems. State estimation is used in system monitoring to best estimate the state of power systems through analysis of meter measurements and system models. As the traditional electrical grid evolves toward an intelligent smart grid, the integration of information and communications technology (ICT) enables the supervisory control and data acquisition (SCADA) system to remotely monitor and control the operation of power systems [1]–[3]. For the same reason, power systems are also subject to high risks of cyber attacks due to the vulnerability of the ubiquitous and pervasive use of communication networks and cyber components [4], [5]. For example, in the December 2015 Ukrainian power grid cyber attack, the attacker intruded the SCADA system to open circuit breakers and cause a power outage of 225,000 customers [6]. Therefore, cyber security has been recognized as one of the critical issues to ensure the normal operation of power systems. At the transmission system level, Liu et al. [7] propose that an attacker can launch false data injection (FDI) attacks against state estimation to avoid being detected by the commonly used residual-based bad data detection (BDD). This result has

Manuscript received October 25, 2017; revised December 14, 2017 and February 07, 2018; accepted March 5, 2018. This work was supported in part by the Alberta Innovates—Technology Futures Post-Doctoral Fellowship, and in part by the Natural Sciences and Engineering Research Council of Canada. Paper no. TSG-01550-2017. (Corresponding author: Ruilong Deng.) The authors are with the Department of Electrical and Computer Engineering, University of Alberta, Edmonton, AB, Canada T6G 1H9 (e-mail: {ruilong, pzhuang, hao2}@ualberta.ca). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

motivated researchers to do extensive study on investigating the construction of FDI attacks, the impact on the operation of power systems, and possible protective countermeasures [8]. For example, Liu and Li [9] show that an attacker can attack the real-time topology using the local network information of a power grid. In particular, a mixed integer programming model is set up to minimize the required network information. However, most prior works are based on the DC (linearized) state estimation, which is an approximation of the AC (nonlinear) model in real-world power systems. It has been demonstrated that the FDI attacks constructed using the DC model would contribute to a large residual to the AC state estimation [10]. The proposed AC attack model in [11]–[14] requires the attacker to know the estimated state of transmission systems due to the nonlinearity of AC power flow equations. For example, Teixeira et al. [15] characterize AC attacks as an optimization problem and discuss two main limitations of the linear attack policy. In order to solve the optimization problem accurately without aforementioned limitations, the nonlinear attack policy lies in that the attacker needs to obtain the system’s state. In practice, however, the voltage phase angles of most nodes are unavailable since so far there have been a small number of phasor measurement units (PMUs) installed to provide such information. This will obviously make the implementation of stealthy AC attacks more difficult. To address the challenge, Liu and Li [16] relax the strong condition by approximately calculating the voltage phase angle difference between two nodes from power flow measurements. However, this relaxation requires the assumption of significantly large ratios of reactance x to resistance r of lines, which typically holds for transmission systems but does not apply to distribution feeders. 
As more real-time measurements (e.g., power flow, power injection, and voltage magnitude measurements) become available in future smart distribution systems, state estimation will be used for feeder monitoring as widely as it is used for monitoring of transmission systems today [17], [18]. From the above, the existing research on FDI attacks against state estimation in transmission systems cannot be trivially extended to distribution feeders that typically have very low x/r ratios. We believe that such complexity is the reason why FDI attacks at the distribution system level have not been much explored and hence are set as the focus of this paper. In distribution systems, Isozaki et al. [19] consider cyber attacks against voltage regulation by merely falsifying voltage magnitude measurements without triggering threshold alarms, which, however, cannot avoid being detected by BDD in state estimation. Teixeira et al. [20] show that the stealthy FDI attacks against state estimation require strategically corrupting a set of measurements simultaneously. However, this work still includes the strong condition that requires the attacker to know the estimated state of distribution systems, which, as

1949-3053 (c) 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.


aforementioned, makes the traditional FDI attacks difficult to be implemented in practice. Thus, the lack of consideration of the above mentioned difficulties to construct FDI attacks in distribution systems would make it impractical and cannot reflect the real attack behaviors. It seems to be much more difficult to launch a successful FDI attack against state estimation in distribution systems. This might contribute to one possible explanation for the fact that so far the FDI attacks on real-world distribution feeders have not been reported although their vulnerability has been revealed over years. However, from the perspective of distribution system operators, it is necessary to evaluate if an attacker has techniques to avoid difficulties to construct an undetectable FDI attack. If so, distribution systems are still subject to high risks of cyber attacks. A practical attack model is supposed to enable an attacker to implement FDI attacks against state estimation in distribution systems, without paying expensive cost for obtaining the system state. In this paper, our focus is to investigate the possibility of attacking distribution system state estimation using such a practical model. Inspired by a recent literature [21], our research indicates that it is possible for the attacker to approximate the system state based on power flow or injection measurements without too much effort. We, for the first time, incorporate the state approximation into FDI attacks, showing that FDI attacks on distribution systems are practically applicable. We also provide insights into the feasibility and limitations of performing FDI attacks based on the approximated system state. The main contributions of this paper are threefold:

1) We propose a practical FDI attack model against state estimation in distribution systems, where the system state can be approximated based on power flow or injection measurements without too much effort.
2) For local FDI attacks, the strong condition can be further relaxed to the knowledge of local state (the voltage magnitudes and phase angle differences in the local region), which can be approximated based on a small number of power flow or injection measurements.
3) Simulation results based on the IEEE test feeder demonstrate that the proposed practical FDI attack, even with the approximated system state, is more likely to compromise the state estimation without being detected by the current BDD, in comparison with the traditional attacks.

The remainder of this paper is organized as follows. The system model is introduced in Section II. In Section III, we investigate the basic principle of FDI attacks against state estimation in distribution systems. In Section IV, local FDI attacks with the relaxed condition are proposed. We demonstrate the implementation of the proposed practical FDI attack model in Section V. Concluding remarks are drawn in Section VI, followed by future research directions.

II. SYSTEM MODEL

In the distribution system state estimation (DSSE), the nodal voltage based DSSE model, proposed by Baran and Kelley [22], is widely accepted. Below we model the DSSE using guidelines from [22]. For notational convenience, throughout this paper, we will use $\tilde{(\cdot)} \in \mathbb{C}$ to denote complex variables, and $(\cdot) \in \mathbb{R}$ to denote real variables.

A. AC State Estimation

Real-time monitoring of distribution systems is critical for maintaining the system safety and reliability. Distribution system operators use meters to monitor distribution system components and report their readings to the control center, which estimates the state of distribution systems according to these meter measurements. The measurements used in DSSE include real-time, pseudo, and virtual measurements [23]. Specifically, real-time voltage, current, and power measurements are gathered from distribution automations (DA), SCADA systems, smart meters, and intelligent electronic devices (IEDs). Pseudo power injection measurements (loads) at feeder buses can be defined as Gaussian distributions with their means at half the transformer rating, or determined based on customer billing data and typical load profiles. Virtual measurements are zero voltage drops in closed switching devices, zero power flows in open switching devices, and zero bus injections that can be found at the nodes such as a switching station.

The system state is a set of variables (usually voltage magnitudes and phase angles) such that if they are known, then every other quantity of the distribution system can be calculated from them. Hence the system state basically determines the operating point of distribution systems. Suppose that a distribution system with $s$ state variables is monitored by $m$ meters (usually $m > s$ meaning measurement redundancy). These meters are taken in such a way that the distribution system becomes observable, i.e., it is possible to determine all state variables from meter measurements [24, Ch. 7]. State estimation is to estimate state variables $x \in \mathbb{R}^{s \times 1}$ based on meter measurements $z \in \mathbb{R}^{m \times 1}$, under independent random measurement noises $e \in \mathbb{R}^{m \times 1}$, which follow distributions with zero means. The mathematical relation between meter measurements $z$ and state variables $x$ is

$$z = h(x) + e, \tag{1}$$

where $h(x) = [h_1(x), \ldots, h_i(x), \ldots, h_m(x)]^{\top}$ are measurement functions of $x$. These measurement functions are dependent on the specific measurement type and involving the network topology and parameters of distribution systems, which will be elaborated in Section II-C with more details. State estimation is to obtain the estimate of state variables $x$ that is the best fit of meter measurements $z$ according to the mathematical model (1). The basic approach for state estimation is called the weighted least squares (WLS) method [23]. The WLS based state estimation is to solve the following optimization problem:

$$\min_{x} \; J(x) = \sum_{i=1}^{m} w_i \left[z_i - h_i(x)\right]^2 = \left[z - h(x)\right]^{\top} W \left[z - h(x)\right], \tag{2}$$

where $w_i$ represents the weight associated with the meter measurement $z_i$. These weights are chosen as proportional to the accuracy of meter measurements and thus the weight matrix $W$ is a diagonal matrix whose entries are reciprocals of the variances of measurement noises, i.e., $W = \operatorname{diag}\left(\left[\sigma_1^{-2}, \ldots, \sigma_i^{-2}, \ldots, \sigma_m^{-2}\right]^{\top}\right)$, where $\operatorname{diag}(\cdot)$ denotes a diagonal matrix having entries of the vector as diagonal elements, and $\sigma_i^2$ is the variance of measurement noise of the $i$th meter. For conventional meters, the standard deviation can


be assumed as $\sigma_i = (0.02a + 0.0052b)/3$, where $a$ is the measured value and $b$ is the full scale value [25]. The solution of the optimization problem (2) gives the best estimated state $\hat{x}$, which must satisfy the following optimization condition (first order necessary condition):

$$\partial J(x)/\partial x = 0 \;\Rightarrow\; H^{\top}(\hat{x})\, W \left[z - h(\hat{x})\right] = 0, \tag{3}$$

where $H(x) = \partial h(x)/\partial x$ is the Jacobian matrix of the measurement functions $h(x)$. The number of rows and columns of the Jacobian matrix is equal to that of meter measurements and state variables, respectively. The entry in row $i$ and column $j$ of the Jacobian matrix denotes the derivative of the $i$th meter measurement with respect to the $j$th state variable based on their relationships in the measurement functions. The solution of the nonlinear equation (3) can be obtained by different iterative methods [24, Ch. 12]. In the Honest Gauss Newton method, the Jacobian matrix is updated at each iteration. While in the Dishonest Gauss Newton method, the Jacobian matrix is the same as that in the previous iteration. At flat-start, all voltage magnitudes are set to 1 p.u. and all phase angles are set to 0, i.e., $x^0 = [1; 0]$. Then, a linear equation of the following type is solved at each iteration to compute the correction $\Delta x^k$:

$$G(x^k)\, \Delta x^k = H^{\top}(x^k)\, W \left[z - h(x^k)\right], \tag{4}$$

where $k \in \mathbb{N}$ denotes the index of iterations. Eq. (4) is called the normal equation of the WLS based state estimation, where $G(x)$ is called the gain function and is usually chosen as $G(x) = H^{\top}(x)\, W H(x)$. Then $x^{k+1} = x^k + \Delta x^k$ will be used to update the Jacobian matrix $H(x^{k+1})$ for the next iteration. Note that the Jacobian matrix $H(x^{k+1})$ is updated only in the Honest Gauss Newton method. In the Dishonest Gauss Newton method, the Jacobian matrix $H(x^0)$ is initiated at flat-start and is fixed throughout the iterations. The above steps are repeated until the state variables converge to a fixed point. The convergence criteria are $\|\Delta x^k\|_{\infty} \le 0.001$ and $|J(x^{k+1}) - J(x^k)| < 1$ [26].

B. Attack Model

Note that a significant practical limitation for FDI attacks on distribution systems is the impact of volt-VAR control (VVC), which includes voltage regulation by a load tap changer (LTC) and reactive power regulation by capacitor banks. The LTC and capacitor bank settings directly determine the parameters of distribution systems (such as the reference voltage and shunt admittances), and thus the measurement functions $h(x)$. In this way, if the system operator changes the VVC settings but the attacker is unaware of the changes, the FDI attack will be detected. The detailed analysis will be left for our future work. In this paper, to clarify the attack model, we assume no VVC on distribution systems, and base the presentation of following results on this assumption.

C. Single-Phase Feeder Model

The measurement functions $h(x)$ are based on the representation (i.e., modeling) of distribution systems. In this paper, we focus on a symmetric and balanced distribution system, for which the single-phase feeder model is commonly used [19], [20]. We demonstrate that the idea proposed in this paper can be potentially extended to the unbalanced three-phase feeder model, but the details still require extensive research, which will be considered in our future work. In particular, we consider a portion of the distribution system that is connected to the power grid at one point - the distribution substation, or point of common coupling (PCC), delivering electricity to a number of nodes, as shown in Fig. 1.

Fig. 1. A portion of a symmetric and balanced distribution system.

We denote the set of nodes by $\{0, \mathcal{N}\}$, where the index 0 refers to the PCC, and $\mathcal{N} \triangleq \{1, \ldots, n\}$ refers to the other nodes. We denote the set of lines by $\mathcal{L} \triangleq \{1, \ldots, l\}$. Each line $k \in \mathcal{L}$ is represented by a set of two nodes as $k = \{i, j\}$. We will limit our study to the steady state of distribution systems, when all voltages are sinusoidal signals at the same frequency. Each signal can therefore be represented via a complex number $\tilde{(\cdot)} = |\cdot|\, e^{j\angle\cdot}$, whose absolute value $|\cdot|$ corresponds to the signal root-mean-square value, and whose phase $\angle\cdot$ corresponds to the signal phase with respect to an arbitrary global reference. We model the PCC as the reference (slack) node, in which a voltage $\tilde{V}_0 = V_0 e^{j\theta_0}$ is imposed. We model the other nodes as PQ nodes, in which a complex power injection is imposed,

$$\tilde{S}_i = \tilde{V}_i \tilde{I}_i^{*} \quad \forall i \in \mathcal{N}, \tag{5}$$

where $\tilde{I}_i^{*}$ is the complex conjugate of $\tilde{I}_i$. Then, each line is associated with a complex power flow

$$\tilde{S}_{ij} = \tilde{V}_i \tilde{I}_{ij}^{*} \quad \forall \{i, j\} \in \mathcal{L}. \tag{6}$$

In the rest of this paper, we assume that the shunt admittance on each node is negligible. Under this assumption, we have a nodal current

$$\tilde{I}_i = \sum_{j \in \mathcal{N}(i)} \tilde{I}_{ij} \quad \forall i \in \mathcal{N}, \tag{7}$$

where $\mathcal{N}(i)$ represents the set of node $i$'s all neighboring nodes. By recursion, we have a line current

$$\tilde{I}_{ij} = \sum_{k=j}^{n} \tilde{I}_k \quad \forall \{i, j\} \in \mathcal{L}. \tag{8}$$

In the single-phase feeder model, the terminal equation that describes the voltages $\tilde{V}_i$ and $\tilde{V}_j$ across terminals of the line $\{i, j\}$ as a function of the line current $\tilde{I}_{ij}$ is given by

$$\tilde{V}_j = \tilde{V}_i - \tilde{z}_{ij} \tilde{I}_{ij} \quad \forall j \in \mathcal{N}, \tag{9}$$

where $\tilde{z}_{ij}$ is the impedance of the line $\{i, j\}$. For state estimation in the single-phase feeder model, the voltages are chosen as the state variables, i.e., $x = [V_{\mathcal{N}}; \theta_{\mathcal{N}}]$, where $V_{\mathcal{N}}$ and $\theta_{\mathcal{N}}$ are the voltage magnitudes and phase angles


on all PQ nodes $\mathcal{N}$, respectively. For this formulation, we need to rearrange the terminal equation (9) and put it in the following admittance form:

$$\tilde{I}_{ij} = \tilde{y}_{ij} \left(\tilde{V}_i - \tilde{V}_j\right) \quad \forall \{i, j\} \in \mathcal{L}, \tag{10}$$

where $\tilde{y}_{ij}$ is the admittance of the line $\{i, j\}$. The measurement functions $h(x)$ can now be written for the meter measurements considered which are (i) power flow (in both forward and reverse directions), (ii) power injection (i.e., load), and (iii) voltage magnitude measurements [17]: $z = \left[P_{\mathcal{L}}^{\text{fwd}}, Q_{\mathcal{L}}^{\text{fwd}}, P_{\mathcal{L}}^{\text{rvs}}, Q_{\mathcal{L}}^{\text{rvs}}; P_{\mathcal{N}}, Q_{\mathcal{N}}; V_{\mathcal{N}}\right]$, where $P_{\mathcal{L}}^{\text{fwd}}, Q_{\mathcal{L}}^{\text{fwd}}$ and $P_{\mathcal{L}}^{\text{rvs}}, Q_{\mathcal{L}}^{\text{rvs}}$ are the power flow measurements in both forward and reverse directions on all lines $\mathcal{L}$, while $P_{\mathcal{N}}, Q_{\mathcal{N}}$ and $V_{\mathcal{N}}$ are the power injection and voltage magnitude measurements on all PQ nodes $\mathcal{N}$, respectively. The detailed measurement functions $h(x)$ are listed below:

• If the meter measurement is a power flow measurement $P_{ij}, Q_{ij}$ on the line $\{i, j\}$, then based on (6) and (10), we have

$$h_{ij}^{p}(x) + j h_{ij}^{q}(x) = \tilde{V}_i\, \tilde{y}_{ij}^{*} \left(\tilde{V}_i - \tilde{V}_j\right)^{*}. \tag{11}$$

• If the meter measurement is a power injection measurement $P_i, Q_i$ on the node $i$, then based on (5), (7) and (10), we have

$$h_{i}^{p}(x) + j h_{i}^{q}(x) = \tilde{V}_i \sum_{j \in \mathcal{N}(i)} \tilde{y}_{ij}^{*} \left(\tilde{V}_i - \tilde{V}_j\right)^{*}. \tag{12}$$

• A voltage magnitude measurement $V_i$ on the node $i$ can be represented as

$$h_{i}^{v}(x) = V_i. \tag{13}$$

Note that the measurement functions (11) and (12) are nonlinear functions of state variables, except (13). The corresponding Jacobian matrix associated with these measurement functions can be found in [24, Ch. 10].

D. Bad Data Detection

Bad measurements may be introduced due to various reasons such as meter failures or malicious attacks. Intuitively, normal meter measurements usually give an estimate of state variables close to their true value, while abnormal ones will “move” the estimated state away from their actual state. Thus, there is usually “inconsistency” among the good and bad measurements. Distribution system operators use the measurement residual-based detector to ensure the accuracy of state estimation. The measurement residual vector is the difference between the observed measurements $z$ and the estimated measurements $\hat{z}$, i.e., $\mathbf{r} = z - \hat{z} = z - h(\hat{x})$; and the residual (gross errors or bias) is its L2 norm, i.e., $r = \|\mathbf{r}\|_2$. The residual-based BDD is to compare the residual $r$ with a predetermined threshold $\tau$ to identify bad measurements (outliers). Precisely, if $r > \tau$, then bad measurements are assumed to exist; otherwise $z$ is taken as normal measurements. When the meter measurement noises $e$ are assumed to follow normal distributions, then $r^2$ follows a chi-square distribution with $(m - s)$ degrees of freedom, i.e., $\chi^2_{m-s}$. According to [24, Ch. 8], the threshold $\tau$ is predetermined by a hypothesis test with a significance level $\alpha$. In other words, $r > \tau$ detects bad measurements with a false alarm probability $\alpha$.

III. FALSE DATA INJECTION ATTACKS

Based on the AC state estimation and nonlinear measurement functions, we first propose the nonlinear attack policy with the strong condition. Then, we show that the attacker can approximate the system state based on power flow or injection measurements without too much effort.

A. Nonlinear Attack Policy

Let $a \in \mathbb{R}^{m \times 1}$ denote the attack vector (the malicious data injected into meter measurements). Then, the bad measurements with the malicious data $a$ is given by $z_{\text{bad}} = z + a$. Let $\hat{x}_{\text{bad}}$ denote the estimate of $x$ using the malicious measurements $z_{\text{bad}}$. Note that $\hat{x}_{\text{bad}}$ can be represented as $\hat{x}_{\text{bad}} = \hat{x} + c$, where $c \in \mathbb{R}^{s \times 1}$ is a nonzero vector reflecting the estimation error injected by the attacker. As introduced in Section II, the BDD algorithm uses the residual to check whether bad measurements exist or not. The biased measurement residual vector of $z_{\text{bad}}$ is

$$\mathbf{r}_{\text{bad}} = z_{\text{bad}} - \hat{z}_{\text{bad}} = z + a - h(\hat{x} + c). \tag{14}$$

In general, if the malicious data $a$ is unstructured, the attack vector is likely to be detected by BDD since $\mathbf{r}_{\text{bad}} \neq \mathbf{r}$. However, if the attack vector $a$ is well-structured as

$$a = h(\hat{x} + c) - h(\hat{x}), \tag{15}$$

then the bad measurements $z_{\text{bad}}$ could circumvent BDD since the measurement residual of $z_{\text{bad}}$ is the same as that of $z$.

Remark 1: Suppose the original measurements $z$ can pass BDD. The malicious measurements $z_{\text{bad}} = z + a$ can also pass BDD if the attack vector $a$ is well-structured as Eq. (15).

Substituting (15) into (14), the biased measurement residual vector of $z_{\text{bad}}$ is $\mathbf{r}_{\text{bad}} = z + h(\hat{x} + c) - h(\hat{x}) - h(\hat{x} + c) = z - h(\hat{x}) = \mathbf{r}$. That is, the biased measurement residual vector is the same as that without the malicious data $a$. Thus, $z_{\text{bad}}$ will not be detected as long as the original measurements $z$ can pass BDD. In this paper, we refer to the attack, in which the attack vector $a$ is well-structured as Eq. (15), as the FDI attack. By launching FDI attacks, the biased value $\hat{x}_{\text{bad}} = \hat{x} + c$ will be mistaken by the control center as a valid state estimation, and thus, the attacker can inject arbitrary estimation errors without being detected. Note from Eq. (15) that the construction of the FDI attack vector $a$ relies on the following strong condition.

Strong condition: In order to compromise state estimation in distribution systems, the attacker needs to know the system state $\hat{x}$, i.e., the voltage magnitudes $V_{\mathcal{N}}$ and phase angles $\theta_{\mathcal{N}}$ on all PQ nodes $\mathcal{N}$.

Intuitively, this condition can be achieved by directly measuring the quantities using any available meters. Such meters include existing meters that are hacked by the attacker and/or new ones that the attacker may temporarily deploy. The challenge here is to deal with the voltage phase angles. Although they can be directly measured by PMUs, there will not be enough PMUs installed to provide such information. On the other hand, it is still expensive to deploy a PMU to get this information. In practice, for an attacker with limited budget and resource, it might be impractical to do so. Therefore, a more practical implementation should not require too much


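effort of obtaining the system state. Inspired by a recent literature [21], we discover that it is possible for the attacker to approximate the system state based on power flow or injection measurements without too much effort.

B. Approximating State from Power Flow Measurements

We define the vectors $\tilde{V}_{\mathcal{L}}, \tilde{I}_{\mathcal{L}}, \tilde{S}_{\mathcal{L}} \in \mathbb{C}^{l}$ with the entries $\tilde{V}_k, \tilde{I}_k, \tilde{S}_k$, $\forall k \in \mathcal{L}$, respectively, where $\tilde{V}_k = \tilde{V}_i$ if $k = \{i, j\}$. Then, (6) can be written in the compact form of

$$\tilde{S}_{\mathcal{L}} = \operatorname{diag}\left(\tilde{V}_{\mathcal{L}}\right) \tilde{I}_{\mathcal{L}}^{*}. \tag{16}$$

We model the lines via their branch admittance matrix $\tilde{Y}_{\text{brch}} \in \mathbb{C}^{l \times (n+1)}$, also known as the Y-branch, which gives a linear relation between line currents and voltages in the form of

$$\tilde{I}_{\mathcal{L}} = \tilde{Y}_{\text{brch}} \begin{bmatrix} \tilde{V}_0 \\ \tilde{V}_{\mathcal{N}} \end{bmatrix}. \tag{17}$$

The branch admittance matrix satisfies

$$\tilde{Y}_{\text{brch}} \mathbf{1} = \mathbf{0}, \tag{18}$$

where $\mathbf{1}$ is the vector of all ones and $\mathbf{0}$ is that of all zeros. Considering the same partitioning as the voltages, we can partition the branch admittance matrix $\tilde{Y}_{\text{brch}}$ accordingly, and rewrite (17) as

$$\tilde{I}_{\mathcal{L}} = \begin{bmatrix} \tilde{Y}_{\mathcal{L}0} & \tilde{Y}_{\mathcal{L}\mathcal{N}} \end{bmatrix} \begin{bmatrix} \tilde{V}_0 \\ \tilde{V}_{\mathcal{N}} \end{bmatrix}, \tag{19}$$

where $\tilde{Y}_{\mathcal{L}\mathcal{N}} \in \mathbb{C}^{l \times n}$ is pseudo-invertible. Using (18) and (19), we can obtain

$$\tilde{V}_{\mathcal{N}} = \tilde{V}_0 \mathbf{1} + \tilde{Z}_{\mathcal{N}\mathcal{L}} \tilde{I}_{\mathcal{L}}, \tag{20}$$

where the branch impedance matrix $\tilde{Z}_{\mathcal{N}\mathcal{L}} \in \mathbb{C}^{n \times l}$ is the pseudo-inverse of $\tilde{Y}_{\mathcal{L}\mathcal{N}}$. Note that from (16) we have

$$\tilde{I}_{\mathcal{L}} = \left[\operatorname{diag}\left(\tilde{V}_{\mathcal{L}}^{-1}\right) \tilde{S}_{\mathcal{L}}\right]^{*}.$$

The following approximation is based on two typical observations for distribution systems:

• In distribution systems, the voltage magnitudes are very close to each other. The typical range under most operating conditions is from 0.95 to 1.05 [27].
• The voltage phase angle differences in distribution systems are very small, owing to small power flows and short distances. For example, a typical angle difference for a distribution feeder at full load might be 0.1°/mile, which is one to two orders smaller than that between transmission nodes (tenths of a degree, not tens of degrees) [28].

Therefore, in distribution systems, the line currents $\tilde{I}_{\mathcal{L}}$ can be approximated as

$$\tilde{I}_{\mathcal{L}} \approx \left[\operatorname{diag}\left(\tilde{V}_0^{-1} \mathbf{1}\right) \tilde{S}_{\mathcal{L}}\right]^{*} = \left(\tilde{S}_{\mathcal{L}} / \tilde{V}_0\right)^{*}. \tag{21}$$

Then, using (20) and (21), we have the following remark.

Remark 2: Based on power flow measurements $\tilde{S}_{\mathcal{L}}$, the voltages $\tilde{V}_{\mathcal{N}}$ can be approximated as

$$\tilde{V}_{\mathcal{N}} \approx \tilde{V}_0 \mathbf{1} + \tilde{Z}_{\mathcal{N}\mathcal{L}} \left(\tilde{S}_{\mathcal{L}} / \tilde{V}_0\right)^{*} = V_0 e^{j\theta_0} \left(\mathbf{1} + \tilde{Z}_{\mathcal{N}\mathcal{L}} \tilde{S}_{\mathcal{L}}^{*} / V_0^2\right).$$

From the above, the system state $V_{\mathcal{N}}$ and $\theta_{\mathcal{N}}$ can be approximated based on power flow measurements $P_{\mathcal{L}}, Q_{\mathcal{L}}$, with the PCC voltage magnitude $V_0$ and phase angle $\theta_0$ as reference.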
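An added example, not code from the paper: the Gauss-Newton WLS estimator of Section II-A, the residual test of Section II-D and the residual invariance of Remark 1, run on a constructed two-node feeder (PCC plus one PQ node). The line impedance, operating point, noise values, the equal meter standard deviation and the 95% chi-square threshold are all assumptions made for the illustration.

```python
import cmath
import math

# Constructed two-node feeder: PCC (node 0, slack) -- line -- node 1 (PQ node).
V0 = cmath.rect(1.0, 0.0)           # PCC voltage, p.u.
Y01 = 1 / complex(0.02, 0.01)       # line admittance (assumed impedance, low x/r)
SIGMA = 1e-3                        # assumed: same noise std-dev on every meter
TAU = SIGMA * math.sqrt(7.815)      # 7.815 = chi-square 95% quantile, m - s = 3

def h(x):
    """Measurement functions (11)-(13) for the state x = [V1, theta1]."""
    v1 = cmath.rect(x[0], x[1])
    s01 = V0 * (Y01 * (V0 - v1)).conjugate()   # power flow on line {0,1}
    s1 = v1 * (Y01 * (v1 - V0)).conjugate()    # power injection at node 1
    return [s01.real, s01.imag, s1.real, s1.imag, x[0]]

def jacobian_columns(x, eps=1e-6):
    """Columns of H(x) = dh/dx by central differences."""
    cols = []
    for j in range(len(x)):
        up, down = list(x), list(x)
        up[j] += eps
        down[j] -= eps
        cols.append([(a - b) / (2 * eps) for a, b in zip(h(up), h(down))])
    return cols

def estimate(z, max_iter=50, tol=1e-10):
    """WLS estimate via Gauss-Newton, normal equation (4), flat start."""
    x = [1.0, 0.0]
    w = 1 / SIGMA ** 2                         # W = w * I under the equal-sigma assumption
    for _ in range(max_iter):
        r = [zi - hi for zi, hi in zip(z, h(x))]
        hv, ht = jacobian_columns(x)
        g11 = w * sum(a * a for a in hv)       # G = H^T W H (2x2)
        g12 = w * sum(a * b for a, b in zip(hv, ht))
        g22 = w * sum(b * b for b in ht)
        b1 = w * sum(a * ri for a, ri in zip(hv, r))   # H^T W [z - h(x)]
        b2 = w * sum(b * ri for b, ri in zip(ht, r))
        det = g11 * g22 - g12 * g12
        dx = [(g22 * b1 - g12 * b2) / det, (g11 * b2 - g12 * b1) / det]
        x = [x[0] + dx[0], x[1] + dx[1]]
        if max(abs(d) for d in dx) < tol:
            break
    return x

def bdd(z):
    """Return (alarm, residual, estimate) for the test r > tau."""
    x_hat = estimate(z)
    r = math.sqrt(sum((zi - hi) ** 2 for zi, hi in zip(z, h(x_hat))))
    return r > TAU, r, x_hat

def run_demo():
    x_true = [0.97, -0.004]                                # constructed operating point
    noise = [0.8e-3, -0.5e-3, -0.6e-3, 0.4e-3, 0.3e-3]     # constructed meter noise
    z = [hi + n for hi, n in zip(h(x_true), noise)]
    clean = bdd(z)

    # Unstructured bad data: the V1 meter alone reads 0.05 p.u. too high.
    z_gross = list(z)
    z_gross[4] += 0.05
    gross = bdd(z_gross)

    # Structured data per Eq. (15): a = h(x_hat + c) - h(x_hat), c = [-0.03, 0].
    x_hat = clean[2]
    x_shift = [x_hat[0] - 0.03, x_hat[1]]
    z_struct = [zi + hs - hh for zi, hs, hh in zip(z, h(x_shift), h(x_hat))]
    struct = bdd(z_struct)
    return {"clean": clean, "gross": gross, "struct": struct}

if __name__ == "__main__":
    for name, (alarm, r, x_hat) in run_demo().items():
        print(f"{name:6s} alarm={alarm} r={r:.6f} tau={TAU:.6f} V1_hat={x_hat[0]:.4f}")
```

The single faulty meter raises the alarm, while the measurement set structured as in Eq. (15) yields practically the same residual as the clean set even though the estimated voltage is 0.03 p.u. lower, which is why a residual test alone cannot vouch for the estimate.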

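C. Approximating State from Power Injection Measurements

We define the vectors $\tilde{V}_{\mathcal{N}}, \tilde{I}_{\mathcal{N}}, \tilde{S}_{\mathcal{N}} \in \mathbb{C}^{n}$ with the entries $\tilde{V}_i, \tilde{I}_i, \tilde{S}_i$, $\forall i \in \mathcal{N}$, respectively. Then, (5) can be written in the compact form of

$$\tilde{S}_{\mathcal{N}} = \operatorname{diag}\left(\tilde{V}_{\mathcal{N}}\right) \tilde{I}_{\mathcal{N}}^{*}. \tag{22}$$

We model the lines via their nodal admittance matrix $\tilde{Y}_{\text{bus}} \in \mathbb{C}^{(n+1) \times (n+1)}$, also known as the Y-bus, which gives a linear relation between nodal currents and voltages in the form of

$$\begin{bmatrix} \tilde{I}_0 \\ \tilde{I}_{\mathcal{N}} \end{bmatrix} = \tilde{Y}_{\text{bus}} \begin{bmatrix} \tilde{V}_0 \\ \tilde{V}_{\mathcal{N}} \end{bmatrix}. \tag{23}$$

The Y-bus corresponds to the weighted Laplacian matrix with edge weights equal to the admittance of corresponding lines. The nodal admittance matrix satisfies

$$\tilde{Y}_{\text{bus}} \mathbf{1} = \mathbf{0}. \tag{24}$$

Considering the same partitioning as the nodal currents and voltages, we can partition the nodal admittance matrix $\tilde{Y}_{\text{bus}}$ accordingly, and rewrite (23) as

$$\begin{bmatrix} \tilde{I}_0 \\ \tilde{I}_{\mathcal{N}} \end{bmatrix} = \begin{bmatrix} \tilde{Y}_{00} & \tilde{Y}_{0\mathcal{N}} \\ \tilde{Y}_{\mathcal{N}0} & \tilde{Y}_{\mathcal{N}\mathcal{N}} \end{bmatrix} \begin{bmatrix} \tilde{V}_0 \\ \tilde{V}_{\mathcal{N}} \end{bmatrix}, \tag{25}$$

where $\tilde{Y}_{\mathcal{N}\mathcal{N}} \in \mathbb{C}^{n \times n}$ is invertible. Using (24) and (25), we can obtain

$$\tilde{V}_{\mathcal{N}} = \tilde{V}_0 \mathbf{1} + \tilde{Z}_{\mathcal{N}\mathcal{N}} \tilde{I}_{\mathcal{N}}, \tag{26}$$

where the nodal impedance matrix $\tilde{Z}_{\mathcal{N}\mathcal{N}} \in \mathbb{C}^{n \times n}$ is defined as $\tilde{Z}_{\mathcal{N}\mathcal{N}} \triangleq \tilde{Y}_{\mathcal{N}\mathcal{N}}^{-1}$. Note that from (22) we have

$$\tilde{I}_{\mathcal{N}} = \left[\operatorname{diag}\left(\tilde{V}_{\mathcal{N}}^{-1}\right) \tilde{S}_{\mathcal{N}}\right]^{*}.$$

As aforementioned, in distribution systems, the nodal currents $\tilde{I}_{\mathcal{N}}$ can be approximated as

$$\tilde{I}_{\mathcal{N}} \approx \left[\operatorname{diag}\left(\tilde{V}_0^{-1} \mathbf{1}\right) \tilde{S}_{\mathcal{N}}\right]^{*} = \left(\tilde{S}_{\mathcal{N}} / \tilde{V}_0\right)^{*}. \tag{27}$$

Then, using (26) and (27), we have the following remark.

Remark 3: Based on power injection measurements $\tilde{S}_{\mathcal{N}}$, the voltages $\tilde{V}_{\mathcal{N}}$ can be approximated as [21, Cor. 2]

$$\tilde{V}_{\mathcal{N}} \approx \tilde{V}_0 \mathbf{1} + \tilde{Z}_{\mathcal{N}\mathcal{N}} \left(\tilde{S}_{\mathcal{N}} / \tilde{V}_0\right)^{*} = V_0 e^{j\theta_0} \left(\mathbf{1} + \tilde{Z}_{\mathcal{N}\mathcal{N}} \tilde{S}_{\mathcal{N}}^{*} / V_0^2\right).$$

From the above, the system state $V_{\mathcal{N}}$ and $\theta_{\mathcal{N}}$ can be approximated based on power injection measurements $P_{\mathcal{N}}, Q_{\mathcal{N}}$, with the PCC voltage magnitude $V_0$ and phase angle $\theta_0$ as reference.

IV. LOCAL FDI ATTACKS

Note that in Section III-A, the strong condition is required if the attacker aims to compromise every state estimation in distribution systems. For local FDI attacks that the attacker aims to compromise the specific state estimation, the strong condition can be further relaxed to the knowledge of local state, which can be approximated based on a small number of power flow or injection measurements. We also provide insights into the feasibility and limitations of performing FDI attacks based on the approximated system state.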


A. Construction of Local FDI Attacks

In distribution systems, voltage regulation/control is the first priority, with the objective of maintaining voltage magnitudes within acceptable ranges (95 to 105% of nominal, and in particular above 95% at line end) [20]. Assume a local FDI attack in which the attacker aims to compromise the state estimation for the voltage magnitude on node $i$ (i.e., the attacked state $\hat{V}_i$). Let $c_{V_i}$ denote the error that the attacker intends to inject into the specific state estimation $\hat{V}_i$. We define $\mathcal{L}(i)$ as the local region of node $i$, which includes itself, its neighboring nodes, and their connecting lines, as shown in Fig. 1. To implement the local FDI attack, the attacker needs to manipulate meter measurements in the local region $\mathcal{L}(i)$, as listed in Table I.

TABLE I: LOCAL FDI ATTACK REQUIREMENT

| Local meter measurements to manipulate | Local state to know |
|---|---|
| Power flow $P_{ij}^{bad}, Q_{ij}^{bad}$, $j \in \mathcal{N}(i)$ | $V_i$ and $V_j, \theta_{ij}$, $j \in \mathcal{N}(i)$ |
| Power flow $P_{ji}^{bad}, Q_{ji}^{bad}$, $j \in \mathcal{N}(i)$ | $V_j, \theta_{ij}$, $j \in \mathcal{N}(i)$ |
| Power injection $P_i^{bad}, Q_i^{bad}$ | $V_i$ and $V_j, \theta_{ij}$, $j \in \mathcal{N}(i)$ |
| Power injection $P_j^{bad}, Q_j^{bad}$, $j \in \mathcal{N}(i)$ | $V_j, \theta_{ij}$, $j \in \mathcal{N}(i)$ |
| Voltage magnitude $V_i^{bad}$ | Null |

From the above, the construction of the local FDI attack vector $a_{\mathcal{L}(i)}$ relies on the following relaxed condition.

Relaxed condition: In order to compromise the specific state estimation $\hat{V}_i$, the attacker needs to know the local state $\hat{x}_{\mathcal{L}(i)}$, i.e., the voltage magnitudes $V_j, \forall j \in \mathcal{L}(i)$ and phase angle differences $\theta_{ij}, \forall \{i,j\} \in \mathcal{L}(i)$ in the local region.

Similarly, we discover that it is possible for the attacker to approximate the local state based on a small number of power flow or injection measurements.

B. Approximating Local State

1) Based on Power Flow Measurements: From (6) we have

$$\tilde{I}_{ij} = \left( \tilde{S}_{ij} / \tilde{V}_i \right)^* \quad \forall \{i,j\} \in \mathcal{L}. \tag{28}$$

Then, using (9) and (28), the voltage $\tilde{V}_j$ can be calculated by

$$\tilde{V}_j = \tilde{V}_i - \tilde{z}_{ij} \left( \tilde{S}_{ij} / \tilde{V}_i \right)^* = V_i e^{\mathrm{j}\theta_i} \left( 1 - \tilde{z}_{ij} \tilde{S}_{ij}^* / V_i^2 \right), \tag{29}$$

where $\tilde{z}_{ij} = r_{ij} + \mathrm{j} x_{ij}$.

From (29), the voltage magnitude $V_j$ can be calculated by

$$V_j = V_i \left| 1 - \tilde{z}_{ij} \tilde{S}_{ij}^* / V_i^2 \right| \quad \forall j \in \mathcal{N}.$$

If we assume that $\left| \tilde{z}_{ij} \tilde{S}_{ij}^* / V_i^2 \right| \ll 1$, that is, the voltage drop is much smaller than the nominal voltage (a typical observation for distribution systems), then from the fact that $|1 + (\cdot)| \approx 1 + \mathrm{Re}(\cdot)$ for $|\cdot| \ll 1$, we obtain

$$V_j \approx V_i - \mathrm{Re}\left( \tilde{z}_{ij} \tilde{S}_{ij}^* \right) / V_i = V_i - \left( P_{ij} r_{ij} + Q_{ij} x_{ij} \right) / V_i \quad \forall j.$$

In the per-unit system, the voltage magnitude $V_j$ is usually approximated as [27]

$$V_j \approx V_i - \left( P_{ij} r_{ij} + Q_{ij} x_{ij} \right) \quad \forall j \in \mathcal{N}. \tag{30}$$

From the above, the voltage magnitude $V_j$ can be approximated based on the voltage magnitude measurement $V_i$ and power flow measurement $P_{ij}$, $Q_{ij}$.

Similarly, from (29), the voltage phase angle $\theta_j$ can be calculated by

$$\theta_j = \theta_i + \angle\left( 1 - \tilde{z}_{ij} \tilde{S}_{ij}^* / V_i^2 \right) \quad \forall j \in \mathcal{N}.$$

Using the fact that $\angle[1 + (\cdot)] \approx \mathrm{Im}(\cdot)$ for $|\cdot| \ll 1$, we obtain

$$\theta_j \approx \theta_i - \mathrm{Im}\left( \tilde{z}_{ij} \tilde{S}_{ij}^* \right) / V_i^2 = \theta_i - \left( P_{ij} x_{ij} - Q_{ij} r_{ij} \right) / V_i^2 \quad \forall j.$$

In the per-unit system, the voltage phase angle difference $\theta_{ij}$ is usually approximated as

$$\theta_{ij} \approx P_{ij} x_{ij} - Q_{ij} r_{ij} \quad \forall \{i,j\} \in \mathcal{L}. \tag{31}$$

From the above, the voltage phase angle difference $\theta_{ij}$ can be approximated based on the power flow measurement $P_{ij}$, $Q_{ij}$.

Remark 4: Based on the voltage magnitude measurement $V_i$ and power flow measurement $P_{ij}$, $Q_{ij}$, the voltage magnitude $V_j$ and phase angle difference $\theta_{ij}$ can be approximated as (30) and (31).

2) Based on Power Injection Measurements: From (5), (6), and (8) we have

$$\tilde{S}_{ij} / \tilde{V}_i = \sum_{k=j}^{n} \tilde{S}_k / \tilde{V}_k \quad \forall \{i,j\} \in \mathcal{L}.$$

As aforementioned, in distribution systems, the power flow measurement $\tilde{S}_{ij}$ can be approximated as

$$\tilde{S}_{ij} \approx \sum_{k=j}^{n} \tilde{S}_k \quad \forall \{i,j\} \in \mathcal{L}. \tag{32}$$

Then, using (30) and (32), the voltage magnitude $V_j$ can be approximated as

$$V_j \approx V_i - \sum_{k=j}^{n} \left( P_k r_{ij} + Q_k x_{ij} \right) \quad \forall j \in \mathcal{N}. \tag{33}$$

From the above, the voltage magnitude $V_j$ can be approximated based on the voltage magnitude measurement $V_i$ and power injection measurements $P_j, Q_j, \ldots, P_n, Q_n$. Similarly, using (31) and (32), the voltage phase angle difference $\theta_{ij}$ can be approximated as

$$\theta_{ij} \approx \sum_{k=j}^{n} \left( P_k x_{ij} - Q_k r_{ij} \right) \quad \forall \{i,j\} \in \mathcal{L}. \tag{34}$$
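Added example (not code from the paper): the approximations (30), (31), (33) and (34) checked against the exact relation (29) on a constructed five-node single-branch feeder, which lets a defender quantify how closely the local state can be inferred from each class of meter. The feeder data, the backward/forward sweep solver and all function names are assumptions made for illustration, and $S_k$ is taken as the power drawn at node $k$, matching the sign in (32).

```python
"""Added example: accuracy of the local-state approximations (30)/(31) and (33)/(34)."""
import cmath

# Constructed single-branch radial feeder in per unit: the PCC (node 0) feeds nodes 1..5.
Z_LINE = [complex(0.010, 0.005)] * 5   # z_ij = r_ij + j x_ij of the line into node j
S_LOAD = [complex(0.10, 0.03)] * 5     # S_k = P_k + j Q_k drawn at node k (sign as in (32))
V_PCC = complex(1.0, 0.0)              # V_0 = 1.0 p.u. at angle 0


def solve_feeder(z_line, s_load, v_pcc, sweeps=50):
    """Exact node voltages and sending-end line flows by backward/forward sweep."""
    n = len(s_load)
    v = [v_pcc] * (n + 1)
    i_line = [0j] * n
    for _ in range(sweeps):
        # Load currents I_k = (S_k / V_k)^*.
        i_load = [(s_load[k] / v[k + 1]).conjugate() for k in range(n)]
        # Backward sweep: the line into node j carries the current of nodes j..n.
        downstream = 0j
        for j in reversed(range(n)):
            downstream += i_load[j]
            i_line[j] = downstream
        # Forward sweep: V_j = V_i - z_ij I_ij, the exact relation (29).
        for j in range(n):
            v[j + 1] = v[j] - z_line[j] * i_line[j]
    # Flow S_ij as a meter at the sending end i would report it (includes line loss).
    s_flow = [v[j] * i_line[j].conjugate() for j in range(n)]
    return v, s_flow


def approximate_hops(v, s_flow, z_line, s_load):
    """Per-hop estimates of V_j and theta_ij from |V_i| plus flow or injection data."""
    rows = []
    for j in range(len(s_load)):
        r, x = z_line[j].real, z_line[j].imag
        v_i = abs(v[j])                      # measured upstream voltage magnitude
        s_down = sum(s_load[j:])             # (32): flow replaced by downstream injections
        rows.append({
            "node": j + 1,
            "v_true": abs(v[j + 1]),
            "theta_true": cmath.phase(v[j]) - cmath.phase(v[j + 1]),
            "v_flow": v_i - (s_flow[j].real * r + s_flow[j].imag * x),   # (30)
            "theta_flow": s_flow[j].real * x - s_flow[j].imag * r,       # (31)
            "v_inj": v_i - (s_down.real * r + s_down.imag * x),          # (33)
            "theta_inj": s_down.real * x - s_down.imag * r,              # (34)
        })
    return rows


def max_errors(rows):
    """Largest absolute error of each approximation over all hops."""
    pairs = (("v_flow", "v_true"), ("v_inj", "v_true"),
             ("theta_flow", "theta_true"), ("theta_inj", "theta_true"))
    return {est: max(abs(row[est] - row[ref]) for row in rows) for est, ref in pairs}


if __name__ == "__main__":
    voltages, flows = solve_feeder(Z_LINE, S_LOAD, V_PCC)
    table = approximate_hops(voltages, flows, Z_LINE, S_LOAD)
    for row in table:
        print(f"node {row['node']}: |V| exact {row['v_true']:.6f}  "
              f"flow-based {row['v_flow']:.6f}  injection-based {row['v_inj']:.6f}")
    for name, err in max_errors(table).items():
        print(f"max |error| {name}: {err:.2e}")
```

Because every line in this constructed feeder has the same $x/r$ ratio, the loss terms cancel in (31) and (34), so only the voltage magnitude estimates separate the two meter classes here.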

From (34), the voltage phase angle difference $\theta_{ij}$ can be approximated based on power injection measurements $P_j, Q_j, \ldots, P_n, Q_n$.

Remark 5: Based on the voltage magnitude measurement $V_i$ and power injection measurements $P_j, Q_j, \ldots, P_n, Q_n$, the voltage magnitude $V_j$ and phase angle difference $\theta_{ij}$ can be approximated as (33) and (34).

C. Summary

In light of the above, depending on the attacker's capability, there are different approaches to satisfying the relaxed condition, i.e., that the implementation of local FDI attacks requires the knowledge of local state. For obtaining the voltage magnitudes $V_j, \forall j \in \mathcal{L}(i)$ in the local region:
• They can be directly measured using voltage meters;
• They can be approximated as Remark 4 based on a small number of power flow measurements;
• They can be approximated as Remark 5 based on a small number of power injection measurements.

Similarly, for obtaining the voltage phase angle differences $\theta_{ij}, \forall \{i,j\} \in \mathcal{L}(i)$ in the local region:
• They can be calculated from direct measurements $\theta_i$ and $\theta_j$ using PMUs;
• They can be approximated as Remark 4 based on a small number of power flow measurements;
• They can be approximated as Remark 5 based on a small number of power injection measurements.

1) Feasibility and Limitations: In practice, power injection (i.e., load) meters are more widely deployed than power flow meters. It would be easier for the attacker to hack existing meters than to temporarily deploy new ones. The tradeoff is that the approximated system state based on power flow measurements is more accurate than that based on power injection measurements, since power flow measurements include line loss, while power injection measurements do not. This observation follows from how the attacker approximately calculates voltages based on power flow measurements or power injection measurements. In distribution feeders, due to the existence of line loss, the sum of power injection measurements of all downstream nodes ($S_j + S_{j+1} + \cdots + S_{n-1} + S_n$) is not exactly the upstream power flow measurement ($S_{ij}$). Thus, based on power flow measurements, the attacker could calculate voltages more accurately, compared with power injection measurements. Nevertheless, the feasibility of attacking distribution system state estimation still exists, which indicates that the vulnerability of distribution systems must be revisited from the practical perspective.

2) Case of PV Nodes: For PV nodes, since the active power injection and voltage magnitude are known, the reactive power injection and voltage phase angle are state variables. Of these, the reactive power injection can be easily measured, and the voltage phase angle can be approximated as (34). In this way, PV nodes in distribution systems are also vulnerable to FDI attacks. The detailed analysis will be left for our future work.

V. SIMULATION RESULTS

In order to illustrate the practical FDI attack model proposed in the previous sections, we consider a 56-node test feeder [21] as shown in Fig. 2, which is a symmetric and balanced testbed with the radial structure. This testbed comes from the modified IEEE 123 test feeder [29].

Fig. 2. A 56-node test feeder [21]. (Feeder diagram; the PCC and the attacked node 32, labelled "V32 attack", are marked.)

A. Comparison of Remark 2 and Remark 3

In Fig. 3, we illustrate the accurate system state obtained by MATPOWER [30], in comparison with the approximated system state based on power flow measurements (Remark 2) or power injection measurements (Remark 3). The average and maximum approximation errors are listed in Table II. It can be seen that the approximated system state is very close to the accurate system state. Besides, the approximated system state based on power flow measurements (Remark 2) is more accurate than that based on power injection measurements (Remark 3), since power flow measurements include line loss, while power injection measurements do not.

[Fig. 3 panels, each plotted against node index together with the accurate system state: approximated voltage magnitudes (p.u.) and voltage phase angles (°) based on power flow measurements (Remark 2); approximated voltage magnitudes (p.u.) and voltage phase angles (°) based on power injection measurements (Remark 3).]

Fig. 3. Comparison of accurate and approximated system state based on power flow measurements (Remark 2) or power injection measurements (Remark 3).

TABLE II: AVERAGE AND MAXIMUM APPROXIMATION ERRORS

| Approx. | Metrics | Absolute error (Avg.) | Absolute error (Max) | Relative error (a) (Avg.) | Relative error (a) (Max) |
|---|---|---|---|---|---|
| Remark 2 | Voltage magnitude (p.u.) | 0.0016 | 0.0026 | 3.00% | 4.11% |
| Remark 2 | Voltage phase angle (°) | 0.0033 | 0.0087 | 0.15% | 0.41% |
| Remark 3 | Voltage magnitude (p.u.) | 0.0037 | 0.0051 | 7.41% | 7.94% |
| Remark 3 | Voltage phase angle (°) | 0.0081 | 0.0148 | 0.39% | 0.59% |

(a) The relative error for the voltage magnitude and phase angle on each node $i$ is calculated with respect to the voltage drop $V_0 - V_i$ and phase angle difference $\theta_0 - \theta_i$, respectively.

B. Comparison of FDI Attack and Traditional Attacks

For state estimation, the iteration process is illustrated in Fig. 4(a). Here, we use the Dishonest Gauss Newton method as described in Section II, whose computational complexity is less than that of the Honest Gauss Newton method. It can be seen that state estimation converges in less than 350 iterations. The state estimation for voltage magnitudes is very close to the true value in spite of measurement noises.


[Fig. 4 panels, each showing the state estimation, true value, and meter measurement: (a) No attack. (b) A simple attack [19] with $V_{32}^{bad} = 0.91$. (c) A linear attack [15] with $V_{32}^{bad} = 0.91$ and $a = Hc$. (d) An FDI attack with $V_{32}^{bad} = 0.91$ and $a = h(\hat{x} + c) - h(\hat{x})$.]

Fig. 4. Comparison of state estimation under no attack, a simple attack [19], a linear attack [15], and an FDI attack: (Top) State estimation for the attacked state $\hat{V}_{32}$. (Middle) Largest normalized residual on the logarithmic coordinate. (Bottom) State estimation for voltage magnitudes.

For the FDI attack, we assume that the attacker aims to compromise the state estimation for the voltage magnitude on node 32 (i.e., the attacked state $\hat{V}_{32}$) to $\hat{V}_{32}^{bad} = 0.91$ p.u. For this purpose, the attacker needs to manipulate meter measurements in the local region according to Eq. (15), which include power flow $P_{31,32}^{bad}, Q_{31,32}^{bad}, P_{32,31}^{bad}, Q_{32,31}^{bad}$, power injection $P_{31}^{bad}, Q_{31}^{bad}, P_{32}^{bad}, Q_{32}^{bad}$, and voltage magnitude $V_{32}^{bad}$. We compare the FDI attack with the traditional attacks from related works. One is a simple attack proposed in [19], where the attacker only manipulates the voltage magnitude measurement $V_{32}^{bad}$. However, since the measurement model in [20] is very different from that in our paper, we cannot directly compare our proposed FDI attack model with that in [20]. Therefore, we additionally choose a more relevant basis for comparison, i.e., a linear attack proposed in [15] with $a = Hc$, where $H$ is the linearized measurement model.

The iteration process is illustrated in Fig. 4(b), 4(c), and 4(d). Here, we assume that the FDI attacker has the knowledge of accurate local state. It can be seen that the state estimation under the simple and FDI attacks converges as fast as that without attack, while that under the linear attack takes a bit more time, since the linearized measurement model is not fully consistent with the nonlinear measurement functions. After the simple attack, the state estimation for the attacked state $\hat{V}_{32}$ is the same as that without attack, which means that the attacker cannot compromise the state estimation by the simple attack. In contrast, the FDI attack can successfully compromise the state estimation to $\hat{V}_{32}^{bad} = 0.91$ p.u. The state estimation after the linear attack approaches the target, but with a small gap due to the model error from linearization. Comparing the largest normalized residual (LNR) on the logarithmic coordinate, it can be seen that the FDI attack has almost the same LNR as that without attack, so it is more likely to pass BDD without being detected. However, the simple attack and linear attack clearly increase the LNR relative to that without attack, so they are more likely to be detected by BDD. The results show that the FDI attack is more likely to be successful in compromising the state estimation while not being detected by the current BDD, in comparison with the traditional attacks.
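Added example (not code from the paper): the largest normalized residual test run on a constructed two-node line, showing the defender's view that a single altered meter is flagged while a measurement set that stays consistent with $h(\cdot)$ leaves no residual to flag. The line impedance, noise-free data, meter accuracy, threshold of 3.0 and function names are assumptions, and ordinary Gauss-Newton with a numerical Jacobian stands in for the paper's Dishonest Gauss Newton method.

```python
"""Added example: largest normalized residual (LNR) test on a constructed two-node line."""
import math

Z = complex(0.01, 0.005)   # constructed line impedance z_ij in p.u.
SIGMA = 0.01               # assumed standard deviation of every meter, p.u.
LNR_THRESHOLD = 3.0        # assumed bad data detection threshold


def h(x):
    """Measurements for state x = (V_j, theta_ij); node i is the reference at 1.0 p.u., angle 0."""
    vj = x[0] * complex(math.cos(x[1]), -math.sin(x[1]))   # V_j at angle -theta_ij
    i_ij = (1.0 - vj) / Z                                  # line current from i to j
    s_ij = i_ij.conjugate()                                # V_i I_ij^* with V_i = 1
    s_ji = vj * (-i_ij).conjugate()                        # flow seen from node j
    return [s_ij.real, s_ij.imag, s_ji.real, s_ji.imag, x[0]]   # P_ij, Q_ij, P_ji, Q_ji, V_j


def jacobian(x, eps=1e-6):
    """Central-difference Jacobian of h, returned as 5 rows of [d/dV_j, d/dtheta_ij]."""
    cols = []
    for k in range(2):
        hi, lo = list(x), list(x)
        hi[k] += eps
        lo[k] -= eps
        cols.append([(p - q) / (2 * eps) for p, q in zip(h(hi), h(lo))])
    return [list(row) for row in zip(*cols)]


def gram(H):
    """Entries and determinant of the 2x2 matrix H^T H (equal meter weights factor out)."""
    a = sum(r[0] * r[0] for r in H)
    b = sum(r[0] * r[1] for r in H)
    d = sum(r[1] * r[1] for r in H)
    return a, b, d, a * d - b * b


def estimate(z_meas, x0=(1.0, 0.0), max_iter=50):
    """Weighted least squares state estimate by Gauss-Newton from a flat start."""
    x = list(x0)
    for _ in range(max_iter):
        H = jacobian(x)
        res = [zm - hm for zm, hm in zip(z_meas, h(x))]
        a, b, d, det = gram(H)
        g0 = sum(r[0] * e for r, e in zip(H, res))
        g1 = sum(r[1] * e for r, e in zip(H, res))
        dx = [(d * g0 - b * g1) / det, (a * g1 - b * g0) / det]   # (H^T H)^-1 H^T res
        x = [x[0] + dx[0], x[1] + dx[1]]
        if max(abs(dx[0]), abs(dx[1])) < 1e-12:
            break
    return x


def largest_normalized_residual(z_meas, x_hat):
    """max_k |r_k| / sqrt(Omega_kk), with Omega = sigma^2 (I - H (H^T H)^-1 H^T)."""
    H = jacobian(x_hat)
    res = [zm - hm for zm, hm in zip(z_meas, h(x_hat))]
    a, b, d, det = gram(H)
    lnr = 0.0
    for r, e in zip(H, res):
        k_kk = (d * r[0] ** 2 - 2 * b * r[0] * r[1] + a * r[1] ** 2) / det
        omega = SIGMA ** 2 * (1.0 - k_kk)      # residual variance of this meter
        if omega > 1e-12:                      # skip meters with no redundancy
            lnr = max(lnr, abs(e) / math.sqrt(omega))
    return lnr


def run_scenarios(v_true=0.98, theta_true=0.002, v_target=0.91):
    """Return {name: (estimated V_j, LNR, flagged)} for noise-free constructed data."""
    x_true = [v_true, theta_true]
    x_bad = [v_target, theta_true]
    clean = h(x_true)
    simple = clean[:4] + [v_target]            # only the V_j meter is altered
    # Every meter shifted by a = h(x + c) - h(x), so the set stays consistent with h.
    consistent = [c + (hb - ht) for c, hb, ht in zip(clean, h(x_bad), h(x_true))]
    out = {}
    for name, z_meas in (("no_attack", clean), ("simple", simple), ("consistent", consistent)):
        x_hat = estimate(z_meas)
        lnr = largest_normalized_residual(z_meas, x_hat)
        out[name] = (x_hat[0], lnr, lnr > LNR_THRESHOLD)
    return out


if __name__ == "__main__":
    for name, (v_hat, lnr, flagged) in run_scenarios().items():
        print(f"{name:10s} V_j estimate {v_hat:.4f}  LNR {lnr:.3e}  flagged={flagged}")
```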


[Fig. 5 panels, each plotted against scenario index: the attacked state, node 32 voltage magnitude $V_{32}$ (p.u.), and the largest normalized residual under no attack, the simple attack, the linear attack, and the FDI attack with accurate state; and the same two quantities for the linear attack and the FDI attack with accurate local state, with approximated local state (Remark 4), and with approximated local state (Remark 5).]

Fig. 5. Comparison of state estimation under no attack, a simple attack [19], a linear attack [15], and an FDI attack (with accurate or approximated local state) for 100 different scenarios of measurement noises: (Top) State estimation for the attacked state $\hat{V}_{32}$. (Bottom) Largest normalized residual.

C. Comparison of Remark 4 and Remark 5

We repeat the simulation in Fig. 4 for 100 different scenarios of measurement noises and illustrate the performance (in terms of the state estimation for the attacked state $\hat{V}_{32}$ and LNR) in Fig. 5. It can be seen that the FDI attack has almost the same LNR as that without attack, even with the approximated system state, so it is more likely to pass BDD without being detected. After the simple attack, by contrast, the LNR is clearly higher than that without attack, and the linear attack increases the LNR a bit more than the FDI attack, which means that they are more likely to be detected by BDD. The results show that the FDI attack, even with the approximated system state, is more likely to be successful in compromising the state estimation while not being detected by the current BDD, in comparison with the traditional attacks.

On the other hand, to implement the local FDI attack, the relaxed condition requires the attacker to have the knowledge of local state, i.e., $V_{31}$, $V_{32}$, and $\theta_{31,32}$ in the local region. We compare FDI attacks with the accurate and approximated local state based on power flow measurements (Remark 4) or power injection measurements (Remark 5). It can be seen that the performance of the FDI attack with the approximated local state is very close to that with the accurate local state, since the approximated local state is very close to the accurate local state. Besides, the performance of the FDI attack with the approximated local state based on power flow measurements (Remark 4) is more accurate than that based on power injection measurements (Remark 5), since power flow measurements include line loss, while power injection measurements do not.

D. Summary

As illustrated in the above example, the proposed practical FDI attack could stealthily compromise the state estimation for the voltage magnitude on the end-node (e.g., below 0.95 p.u.). Such a biased state estimation will mislead the voltage regulator to make wrong decisions and unnecessary or even harmful operations to the feeder (e.g., to induce tap changes and cause voltage violation). The detection algorithm with simple rules [19] cannot detect this kind of attack, and neither can the current BDD, since the attack vector can be well-structured. Detection in the joint cyber and physical space [31], [32] might be a potential solution, but extensive research is still needed.

VI. CONCLUSION AND FUTURE WORK

In this paper, we investigate FDI attacks against state estimation in distribution systems. Our research indicates that the attacker can approximate the system state based on power flow or injection measurements without too much effort. For local FDI attacks, the strong condition can be further relaxed to the knowledge of local state, which can be approximated based on a small number of power flow or injection measurements. Thus, our proposed model will reduce the effort of obtaining the system state, representing much more realistic FDI attacks against state estimation in distribution systems. Simulation results based on the IEEE test feeder demonstrate that the proposed practical FDI attack, even with the approximated system state, is more likely to compromise the state estimation without being detected by the current BDD, in comparison with the traditional attacks.

Several future research directions can be explored based on the theoretical foundation provided in this paper. In particular, we will investigate protective countermeasures to mitigate the vulnerability of distribution systems due to potential cyber attacks. Also, how to extend the current research to the state estimation of multi-phase and unbalanced distribution systems and how to take advantage of the pseudo measurements in distribution systems for cyber attack and defense still require extensive research. We will focus on a decoupled state estimation method for multiphase and unbalanced distribution networks and investigate its vulnerability to FDI attacks following the idea proposed in this paper. To improve the accuracy of pseudo measurements and DSSE performance, we will study a closed-loop scheme where the DSSE results will be fed back to the load modeling.

REFERENCES

[1] X. Fang, S. Misra, G. Xue, and D. Yang, “Smart grid — the new and improved power grid: A survey,” IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 944–980, 2012.
[2] R. Deng, Z. Yang, J. Chen, and M.-Y. Chow, “Load scheduling with price uncertainty and temporally-coupled constraints in smart grids,” IEEE Transactions on Power Systems, vol. 29, no. 6, pp. 2823–2834, 2014.
[3] C. Zhao, J. He, P. Cheng, and J. Chen, “Consensus-based energy management in smart grid with transmission losses and directed communication,” IEEE Transactions on Smart Grid, vol. 8, no. 5, pp. 2049–2061, 2017.
[4] Y. Mo, T. H.-J. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig, and B. Sinopoli, “Cyber–physical security of a smart grid infrastructure,” Proceedings of the IEEE, vol. 100, no. 1, pp. 195–209, 2012.
[5] R. Deng, G. Xiao, and R. Lu, “Defending against false data injection attacks on power system state estimation,” IEEE Transactions on Industrial Informatics, vol. 13, no. 1, pp. 198–207, 2017.
[6] Electricity Information Sharing and Analysis Center. (2016) Analysis of the Cyber Attack on the Ukrainian Power Grid. [Online]. Available: https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
[7] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against state estimation in electric power grids,” in Proc. ACM Conference on Computer and Communications Security (CCS), 2009, pp. 21–32.
[8] R. Deng, G. Xiao, R. Lu, H. Liang, and A. V. Vasilakos, “False data injection on state estimation in power systems—attacks, impacts, and defense: A survey,” IEEE Transactions on Industrial Informatics, vol. 13, no. 2, pp. 411–423, 2017.
[9] X. Liu and Z. Li, “Local topology attacks in smart grids,” IEEE Transactions on Smart Grid, vol. 8, no. 6, pp. 2617–2626, 2017.
[10] M. A. Rahman and H. Mohsenian-Rad, “False data injection attacks against nonlinear state estimation in smart power grids,” in Proc. IEEE Power and Energy Society General Meeting (PES-GM), 2013, pp. 1–5.
[11] G. Hug and J. A. Giampapa, “Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks,” IEEE Transactions on Smart Grid, vol. 3, no. 3, pp. 1362–1370, 2012.
[12] L. Jia, R. J. Thomas, and L. Tong, “On the nonlinearity effects on malicious data attack on power system,” in Proc. IEEE Power and Energy Society General Meeting (PES-GM), 2012, pp. 1–8.
[13] J. Liang, O. Kosut, and L. Sankar, “Cyber attacks on AC state estimation: Unobservability and physical consequences,” in Proc. IEEE Power and Energy Society General Meeting (PES-GM), 2014, pp. 1–5.
[14] J. Wang, L. C. Hui, S. Yiu, E. K. Wang, and J. Fang, “A survey on cyber attacks against nonlinear state estimation in power systems of ubiquitous cities,” Pervasive and Mobile Computing, no. 39, pp. 52–64, 2017.
[15] A. Teixeira, G. Dán, H. Sandberg, and K. H. Johansson, “A cyber security study of a SCADA energy management system: Stealthy deception attacks on the state estimator,” IFAC Proceedings Volumes, vol. 44, no. 1, pp. 11 271–11 277, 2011.
[16] X. Liu and Z. Li, “False data attacks against AC state estimation with incomplete network information,” IEEE Transactions on Smart Grid, vol. 8, no. 5, pp. 2239–2248, 2017.
[17] D. Della Giustina, M. Pau, P. A. Pegoraro, F. Ponci, and S. Sulis, “Electrical distribution system state estimation: Measurement issues and challenges,” IEEE Instrumentation & Measurement Magazine, vol. 17, no. 6, pp. 36–42, 2014.
[18] R. Deng, Z. Yang, F. Hou, M.-Y. Chow, and J. Chen, “Distributed realtime demand response in multiseller–multibuyer smart distribution grid,” IEEE Transactions on Power Systems, vol. 30, no. 5, pp. 2364–2374, 2015.
[19] Y. Isozaki, S. Yoshizawa, Y. Fujimoto, H. Ishii, I. Ono, T. Onoda, and Y. Hayashi, “Detection of cyber attacks against voltage control in distribution power grids with PVs,” IEEE Transactions on Smart Grid, vol. 7, no. 4, pp. 1824–1835, 2016.
[20] A. Teixeira, G. Dán, H. Sandberg, Johansson, R. Berthier, R. B. Bobba, and A. Valdes, “Security of smart distribution grids: Data integrity attacks on integrated volt/VAR control and countermeasures,” in Proc. IEEE American Control Conference (ACC), 2014, pp. 4372–4378.
[21] S. Bolognani and S. Zampieri, “On the existence and linear approximation of the power flow solution in power distribution networks,” IEEE Transactions on Power Systems, vol. 31, no. 1, pp. 163–172, 2016.
[22] M. E. Baran and A. W. Kelley, “State estimation for real-time monitoring of distribution systems,” IEEE Transactions on Power Systems, vol. 9, no. 3, pp. 1601–1609, 1994.
[23] A. Primadianto and C.-N. Lu, “A review on distribution system state estimation,” IEEE Transactions on Power Systems, vol. 32, no. 5, pp. 3875–3883, 2017.
[24] A. Monticelli, State Estimation in Electric Power Systems: A Generalized Approach. Springer, 1999.
[25] Q. Li, R. Negi, and M. D. Ilić, “Phasor measurement units placement for power system state estimation: A greedy approach,” in Proc. IEEE Power and Energy Society General Meeting (PES-GM), 2011, pp. 1–8.
[26] J. Allemong, L. Radu, and A. Sasson, “A fast and reliable state estimation algorithm for AEP’s new control center,” IEEE Transactions on Power Apparatus and Systems, vol. PAS-101, no. 4, pp. 933–944, 1982.
[27] M. E. Elkhatib, R. El-Shatshat, and M. M. Salama, “Novel coordinated voltage control for smart distribution networks with DG,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 598–605, 2011.
[28] A. Von Meier, D. Culler, A. McEachern, and R. Arghandeh, “Microsynchrophasors for distribution systems,” in Proc. IEEE Innovative Smart Grid Technologies Conference (ISGT), 2014, pp. 1–5.
[29] W. H. Kersting, “Radial distribution test feeders,” in Proc. IEEE Power Engineering Society Winter Meeting, 2001, pp. 908–912.
[30] R. D. Zimmerman, C. E. Murillo-Sánchez, and R. J. Thomas, “MATPOWER: Steady-state operations, planning, and analysis tools for power systems research and education,” IEEE Transactions on Power Systems, vol. 26, no. 1, pp. 12–19, 2011.
[31] S. Soltan, M. Yannakakis, and G. Zussman, “Joint cyber and physical attacks on power grids: Graph theoretical approaches for information recovery,” in Proc. ACM SIGMETRICS, 2015, pp. 1–14.
[32] R. Deng, P. Zhuang, and H. Liang, “CCPA: Coordinated cyber-physical attacks and countermeasures in smart grid,” IEEE Transactions on Smart Grid, vol. 8, no. 5, pp. 2420–2430, 2017.

Ruilong Deng (S’11-M’14) received the B.Sc. and Ph.D. degrees in control science and engineering from Zhejiang University, Hangzhou, China, in 2009 and 2014, respectively. He is currently an AITF Post-Doctoral Fellow with the Department of Electrical and Computer Engineering, University of Alberta, Edmonton, AB, Canada. His research interests include smart grid, cyber security, and wireless communications and networking.

Peng Zhuang (S’16) received the B.Sc. degree in electrical and computer engineering from the University of Alberta, Edmonton, AB, Canada, in 2015, where he is currently pursuing the Ph.D. degree. His research interests include stochastic optimization of power system planning and operation, energy management in smart grid, and cyber security.

Hao Liang (S’09-M’14) received the Ph.D. degree from the Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, Canada, in 2013. He has been an Assistant Professor with the Department of Electrical and Computer Engineering, University of Alberta, Edmonton, AB, Canada, since 2014. His current research interests are in the areas of smart grid, wireless communications, and wireless networking.
