Local Cyber-physical Attack with Leveraging Detection in Smart Grid

A well-designed attack on the power system can cause an initial failure that then results in a large-scale cascade failure. Several works have discussed power system attacks through false data injection, line-maintaining attacks, and line-removing attacks. However, the existing methods need to attack the system continuously for a long time, and, unfortunately, their performance cannot be guaranteed if the system states vary. To overcome this issue, we consider a new type of attack strategy called the combinational attack, which masks a line outage at one position while misleading the control center into seeing a line outage at another position. The topology information in the control center is therefore corrupted by our attack. We also offer a procedure for selecting the lines vulnerable to this kind of attack. The proposed method can effectively and continuously deceive the control center in identifying the actual position of the line outage. The system under attack is exposed to increasing risk the longer the attack continues. Simulation results validate the efficiency of the proposed attack strategy.

Index terms: Cyber-physical system, combinational attacks, smart grid, power line outages, power flow.

I. Introduction

The power system plays an important role in supporting the modern economy. Initial failures in the power system, if not promptly detected, may lead to large-scale cascade failures and have adverse effects on a nation's economy and security [1]. Therefore, the operation control center runs various data processing modules, such as state estimation (SE) and bad data detection, to protect system operation from failures and malicious attacks. Although many protection and detection methods are used in system operation, these mechanisms can be corrupted by injecting carefully predesigned data into the measurements sent by Supervisory Control and Data Acquisition (SCADA). The topic has attracted much attention in the past few years [2, 3, 4, 5, 6, 7, 8, 9, 10].

In [2], the authors proposed the classic false data injection (FDI) attack, which can avoid detection by existing bad data detection techniques if the attacker is able to alter sensor measurements and has sufficient knowledge of the power system. Such FDI attacks are also known as cyber attacks. The designed attacks must obey the physical laws (Kirchhoff's Current Law, KCL, and Kirchhoff's Voltage Law, KVL). The authors of [3] and [4] studied classic FDI attacks with incomplete information about the system and revealed that such attacks can pass SE and bad data detection with only reduced network information.

Another type of attack, called the cyber-physical attack, involves both the cyber and physical levels and can interfere with system operation more efficiently than the classic FDI attack, which is purely a cyber attack. For example, [5] describes two types of cyber-physical attacks: the line-removing attack and the line-maintaining attack. In a line-maintaining attack, the attacker physically disconnects the target line and simultaneously masks this outage event with altered sensor measurements. More advanced line-maintaining attacks have been studied in [6, 7, 8]. Specifically, the authors masked the outage event with a local redistribution attack and extended it to attacks with incomplete topology information [6, 7]. The attack model was further derived with the power flow method [8].

In a line-removing attack, the attacker generates a fake outage event so as to disturb regular system operation. The attack has to avoid the trivial solution; otherwise, it can be easily detected by the control center. With this approach, the attacker can mislead the control center with an incorrect network topology and then drive the system into an unstable state through wrong dispatches. Line-removing attacks have been studied with partial and whole information of the system, and a countermeasure for the proposed attack has been given [9]. The authors of [10] focused on the line-removing attack in a local area and proposed a method for finding the attack region. While implementing this attack, one must note that not all transmission lines in the power system can be selected as attack targets, because some lines are strictly protected by the control center. Only a few studies, such as [5], considered rules for selecting target lines.

Based on the discussion above, previous approaches have obtained promising results and demonstrated the potential of cyber-physical attacks. However, there is no guarantee that line-maintaining attacks are always unobservable. To this end, the concept of the line-removing attack may be applied simultaneously to fake an obvious outage that attracts the attention of the control center, so that the actually disconnected line has a lower chance of being identified. Additionally, with this approach, the longer the control center spends on the fake outage position, the riskier the system's situation becomes.

Inspired by the above observations, we develop a novel attack strategy that combines the line-removing and line-maintaining attack strategies. The attack is implemented in a local area and cannot be detected easily, because our design ensures that the physical laws of the power system are satisfied. In addition, unlike previous studies that randomly select the target lines, a rule for deciding the target lines is proposed in this work. To this end, we employ line outage distribution factors (LODFs) to quantify the impact of the line selections. The contributions of this study are as follows:

  • We propose a novel attack strategy called the combinational attack, whose goal is to attack a transmission line and simultaneously mask the real outage event by misleading the control center into identifying another, fake outage line.

  • We design a selection rule based on LODFs for choosing the target lines instead of random selection.

  • To mislead the control center, the corresponding power flow must be re-dispatched according to the pattern of the target line and the misleading line. Hence, we propose an algorithm based on breadth-first search (BFS) [11], which is commonly used for searching graph structures.

  • To test the effectiveness of the proposed attack strategy, conventional SE and bad data detection are applied. The simulation results reveal that the misleading line is indeed detected by the control center while the real outage event is successfully hidden at the same time.

II. System Model

The system considered in this study is shown in Fig. 1 and is divided into two parts: the state estimator and the cyber-physical attack model. In this section, we briefly describe the state estimator based on the DC model; the proposed attack strategy is introduced in the next section.

Fig. 1: The system block diagram

II-A DC Power Flow Model

We consider a power transmission network with buses and lines, and let and respectively be the sets of buses and lines. The power network can then be represented as a graph denoted as . Assuming a line that connects buses and , the power of line flowing from bus to , denoted as , can be represented as


where is the reactance of line , and and are the phase angles of buses and , respectively. With (1), the vector of all power flows and the phase angles of the buses satisfy


where is a matrix whose rows correspond to the lines and whose columns encode the direction of each line's flow. Therefore, the -th row of , which represents line flowing from bus to bus , can be formulated as


II-B Linear State Estimation

Based on the DC power flow model, the system states are the phase angles, , and therefore the measurements received by the SCADA system without attack can be expressed as


Here, commonly comprises the measurements of bus injection power and line power flow; is the Jacobian matrix, which depends on the network topology, and is the network parameter vector representing the parameter errors. is the measurement error vector. We further denote the measurements modified by the attacker as .

Given this measurement expression, we adopt weighted least-squares (WLS) SE to estimate the system state . The objective of SE is to minimize the sum of the squares of the weighted deviations of the estimated measurements from . The SE problem is then solved by the following optimization problem under the assumption of zero parameter errors


where is the estimated system state, is the parameter error vector, and is the measurement error covariance matrix.

II-C Bad Data and Parameter Error Detection

After SE, the results have to pass bad data and parameter error detection to ensure that there are no bad data or parameter errors within the measurements. In this context, the normalized residual and normalized parameter error method is employed for detection.

The measurement residual vector can be represented as


If the Lagrangian multiplier method is applied to (5), is the Lagrangian multiplier related to the parameter error. Given and , the normalized residuals and normalized parameter errors can be calculated. The normalized residuals are linked to the corresponding measurements, and the normalized parameter errors to the corresponding line parameters. References [12, 13, 14] provide further details. The errors in and are assumed to be Gaussian distributed, and we choose the largest value among these two quantities. If the chosen value is below the identification threshold, then there is neither bad data nor a parameter error. Otherwise, the measurement or parameter corresponding to the largest value is identified as the error. The part corresponding to the error is removed, and SE and bad data detection are carried out again. This procedure is repeated until no error remains.
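The DC model, WLS estimator and largest-normalized-residual test of Sections II-A to II-C, as an added, self-contained Python example (not the paper's code, which used MATPOWER and CVX): it builds the measurement Jacobian for a constructed 3-bus network, solves the WLS problem of (5) with zero parameter errors and R = sigma^2 I, computes the normalized residuals, and flags the measurement that exceeds the identification threshold. The network, the true angles, the noise level sigma = 0.01 and the threshold of 3 are assumptions made for this example; the parameter-error branch of the test (the Lagrangian multiplier for the parameter vector) is not implemented here.

```python
import math

# Constructed 3-bus DC network (not the IEEE 14-bus system used in the paper).
# Each line is (from_bus, to_bus, reactance); bus 0 is the phase reference.
LINES = [(0, 1, 0.10), (1, 2, 0.20), (0, 2, 0.25)]
N_BUS = 3
SIGMA = 0.01  # assumed standard deviation of every measurement error (per unit)

def dc_flows(theta, lines=LINES):
    """Eq. (1): the flow on line i->j is (theta_i - theta_j) / x_l."""
    return [(theta[i] - theta[j]) / x for i, j, x in lines]

def injections(theta, lines=LINES, n_bus=N_BUS):
    """Bus injection = flows leaving the bus minus flows entering it (KCL)."""
    p = [0.0] * n_bus
    for (i, j, _), f in zip(lines, dc_flows(theta, lines)):
        p[i] += f
        p[j] -= f
    return p

def build_h(lines=LINES, n_bus=N_BUS, ref=0):
    """Measurement Jacobian H: rows are line flows, then injections at the
    non-reference buses; columns are the non-reference bus angles."""
    cols = [b for b in range(n_bus) if b != ref]
    flow_rows = []
    for i, j, x in lines:
        row = [0.0] * len(cols)
        if i != ref:
            row[cols.index(i)] += 1.0 / x
        if j != ref:
            row[cols.index(j)] -= 1.0 / x
        flow_rows.append(row)
    inj_rows = []
    for b in cols:
        row = [0.0] * len(cols)
        for (i, j, _), frow in zip(lines, flow_rows):
            sign = 1.0 if b == i else -1.0 if b == j else 0.0
            row = [r + sign * f for r, f in zip(row, frow)]
        inj_rows.append(row)
    return flow_rows + inj_rows

def transpose(a):
    return [list(col) for col in zip(*a)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def inverse(a):
    """Gauss-Jordan inverse with partial pivoting (small dense matrices only)."""
    n = len(a)
    m = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        m[c] = [v / m[c][c] for v in m[c]]
        for r in range(n):
            if r != c and m[r][c] != 0.0:
                f = m[r][c]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[c])]
    return [row[n:] for row in m]

def wls_estimate(z, h):
    """WLS estimate (zero parameter errors, R = sigma^2 I so sigma cancels):
    theta_hat = (H^T H)^-1 H^T z. Returns (theta_hat, residual r = z - H theta_hat)."""
    ht = transpose(h)
    theta = matmul(inverse(matmul(ht, h)), matmul(ht, [[v] for v in z]))
    theta_hat = [row[0] for row in theta]
    r = [zi - sum(hv * tv for hv, tv in zip(row, theta_hat)) for zi, row in zip(z, h)]
    return theta_hat, r

def normalized_residuals(z, h, sigma=SIGMA):
    """r_N,i = |r_i| / sqrt(Omega_ii) with Omega = sigma^2 (I - H (H^T H)^-1 H^T)."""
    _, r = wls_estimate(z, h)
    ht = transpose(h)
    k = matmul(matmul(h, inverse(matmul(ht, h))), ht)   # hat matrix
    out = []
    for i, ri in enumerate(r):
        omega_ii = sigma ** 2 * (1.0 - k[i][i])
        # A critical measurement (omega_ii == 0) has no redundancy and cannot be tested.
        out.append(abs(ri) / math.sqrt(omega_ii) if omega_ii > 1e-15 else 0.0)
    return out

def detect_bad_data(z, h, sigma=SIGMA, threshold=3.0):
    """Largest normalized residual test: index of the suspect measurement, or None."""
    rn = normalized_residuals(z, h, sigma)
    i = max(range(len(rn)), key=lambda k: rn[k])
    return i if rn[i] > threshold else None

def demo():
    """Clean measurements pass; a constructed gross error on the first flow is flagged."""
    theta_true = [0.0, -0.05, -0.10]                        # assumed true state
    h = build_h()
    z = dc_flows(theta_true) + injections(theta_true)[1:]   # noise-free, constructed
    z_bad = z[:]
    z_bad[0] += 0.10                                        # constructed gross error
    return detect_bad_data(z, h), detect_bad_data(z_bad, h)
```

With noise-free measurements every normalized residual is essentially zero and `detect_bad_data` returns `None`; after a gross error of 0.10 p.u. is added to the flow measurement of line 0-1, the largest normalized residual (about 7.5) lands on that same measurement. This is the property the attack described in the following sections must defeat: a single measurement inconsistent with KCL/KVL is located by this test, so only a set of altered measurements that stays mutually consistent across the whole attack region can pass it.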

III. Attack Model

In this section, the attacker block in Fig. 1 is described. In particular, the attacker's capabilities and the limitations on selecting the target line are first explained. Then, the procedure for launching the proposed attack is separated into three parts: selection of the lines for the attack target and the decoy, determination of the cyber attack region, and alteration of measurements.

III-A Introduction of the Attack

We assume that the attacker has the following capabilities:

  1. the attacker has knowledge about the topology of the entire system;

  2. the attacker has the capability to observe the sub-network of and perform the power flow calculation for the sub-network; and

  3. the attacker has the capability to change the measurements in the sub-network rather than in the whole network.

To launch an attack, the attacker is limited to a finite set of target lines for the following reasons:

  1. a line that connects to a transformer, or lies between two generators, cannot be physically attacked;

  2. the real and fake outage events cannot take place next to each other; otherwise, the true outage position can easily be observed when the operator goes to repair the misleading line;

  3. the generator output cannot be modified;

  4. the loads of the buses in the attack region cannot be modified to be negative. Moreover, the difference between the states and measurements before and after the attack must be kept within a specified range; and

  5. if the system would be separated into two parts when a line is attacked, then this line cannot be selected.

III-B Mathematical Formulation of Selecting the Attack Target Line

To determine the lines for the attack target and the decoy, we employ the Line Outage Distribution Factor (LODF) matrix, denoted as , whose definition and calculation can be found in [15]. The element in the -th row and -th column of , , represents the ratio of the -th line's power flow that is transferred onto the -th line when the -th line is in outage. With the LODF matrix, we define an influence factor denoted as , whose -th element is


where denotes the -th column of . The parameter indicates the total increase of power flow across the whole system when the -th line is disconnected. Therefore, we determine the target line to be put in outage as


After determining the line to be disconnected, we have to choose the line used to mislead the control center. The idea is to let the control center find a fake outage event instead of the real one, so that the control center is delayed in detecting the real outage event and may even make wrong operations or decisions. The more time the control center spends on identifying the location of the real outage line, the more risk the system suffers. Therefore, the misleading line should be chosen so that, after it is disconnected, the remaining lines come as close as possible to their thermal limits. In this context, the optimization problem of selecting the line is given as

s.t. (9b)

and denote the thermal limit and the modified real power of the -th line, respectively. Equation (9a) is the objective function, which sums the ratio of the post-outage flow to the thermal limit over all lines. Constraints (9b) and (9c) concern the selection vector, . The calculation of the post-outage power flow based on the LODF matrix is given in Equation (9d). Therefore, the misleading line is determined as .

The selected outage line, , and the buses connected by are assigned to the set . Meanwhile, the buses linked by the misleading line, , are assigned to the set .

III-C Attack Region

After selecting the target lines for the physical outage and for misleading, we need to determine the attack region. This is because the attacker is not assumed to be able to alter the measurements of all sensors. Therefore, we assume that the attacker only has the limited capability to observe and alter a sub-network of . To launch the combinational attack, the attacker aims to maliciously change the measurements in a sub-network of denoted as . The buses and lines in the attack region are assigned to the sets and , respectively. We further separate into two sets, and : the boundary buses of are assigned to the set , and the others are placed in .

The key idea of finding the attack region is that we have to find a new path to re-dispatch the flow to supply the loads of the buses in , and obtain a good estimate of the power flow of and the states of the buses in . The sub-network is obtained through the BFS algorithm detailed later.

III-D Measurement Modification

For the measurement modification, we formulate an optimization problem with two objectives. The first is to minimize the difference between the measurements before and after modification, given the attacker's limited capability. These measurements may contain the angles, the loads of the buses, and the power flows of the lines. However, the power flows of the lines are closely related to the angles and the loads of the buses, and hence the first objective can be defined as


where is the power flow after modification in the attack region. The second objective is to maximize the modified measurement corresponding to the power flow at line , which flows from bus to bus , and can be defined as


That is, we try to prevent the flow at line from being , which would make the attack ineffective.

We then formulate the optimization problem by considering and as follows:

s.t. (12b)

where and are the angles of bus before and after modification, and indicates the modification range. Equation (12b) states that the angles of the boundary buses should remain the same, and Equation (12c) states that the changes of the bus angles in should be kept within a range. The load difference of bus inside the region before modification, , and after modification, , should be kept within the range given in Equation (12d). The power injected into the bus must meet the load, as stated in Equation (12e). The modified power flow in the attack region, , is calculated by Equation (12f). Finally, Equation (12g) requires that the flow of the -th line be kept under its thermal limit.

IV. Implementation Strategy

Following the description in Section III, we now explain the implementation strategy of the proposed combinational attack. The procedure is divided into two phases, as shown in Fig. 2. The first phase focuses on finding the lines for the line outage and for misleading. Then, with the determined lines, the attack region and the modification are obtained in the second phase.

Fig. 2: The implementation strategy of the proposed attack

For the first phase, we use Equation (7) to determine the line-outage position, and then the misleading line is selected with Equation (9). After determining the target lines, we must check whether the selection fulfills the rules described in Section III-A. The detailed steps are as follows:

Step 1: We wish to select the line whose disconnection has the greatest influence on the system. Therefore, is selected as described in (8), and the buses linked by are assigned to . The LODF is used to calculate the power flow after is disconnected.

Step 2: For the selection of the misleading line, we apply the misleading line select algorithm (MLSA) listed in Algorithm 1. At the beginning of the algorithm, we construct a vector . Then, an exhaustive search is applied to calculate the objective function of (9), which is assigned to . At the same time, we have to avoid selecting the line . Finally, the line with the largest value is selected as .

Step 3: Once we obtain the lines, we check whether they satisfy the rules described in Section III-A. If not, we remove from or from for the unreasonable line, and start from Step 1 again. Otherwise, we proceed to the second phase.

Input: Power flow , LODF matrix
Output: misleading line
1   .
2   for l = 1 to  do
3       if  then
4           .
5       else
6           . .
7   .
Algorithm 1 Misleading Line Select Algorithm (MLSA)

In the second phase, the attack region and the modification are determined based on the selected lines. The region of the sub-network is obtained by using the BFS algorithm to find the shortest path for redispatching the power flow, and the modification is based on the solution of Problem . The detailed steps are as follows:

Step 4: Assume the flow of is from bus to bus . The trivial solution is to simply add and subtract the flow amount at buses and , respectively. However, this can easily be recognized by the control center. To avoid the trivial solution, we only add the flow amount to the load of bus and try to find another path to supply the load at bus .

Step 5: First set and in to empty sets. To find a path to supply bus , we use the BFS algorithm described in Algorithm 2 to find the shortest path for redispatching the flow. The path obtained from Algorithm 2 is regarded as the sub-network . We further include in and the buses in in as the attack region.

Step 6: With the attack region, we now solve the optimization Problem . The formulation in (12) is a convex optimization problem with linear constraints. Many existing algorithms and toolboxes deal with convex optimization problems, and one of them is applied. If Problem has no solution, the current attack region cannot satisfy the constraints; Algorithm 2 is then applied again, and Problem is solved again. With the solution, set and replace the measurements of in with the solution of Problem .

Input: System topology , bus , sub-network , line
Output: Sub-network
1   Find a bus which has a generator and is the nearest to bus . Current system configuration is . : starting bus. : destination bus.
    Let bus be the progress bus and the level . The rest of the buses are set as unvisited buses.
    Search all of the unvisited buses connected to the buses in the progress buses. Put such unvisited buses into the progress buses, and mark the previous progress buses as visited buses.
    if  progress bus  then
2       go to step 11 of Algorithm 2.
4       repeat step of Algorithm 2 again. .
    Backtrack from the destination bus to the starting bus level-by-level, and identify the shortest path. The buses and lines in the path are given to and respectively.
Algorithm 2 BFS algorithm for finding misleading line
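Algorithm 2 is a standard level-by-level breadth-first search [11] with backtracking along parent pointers. The following is an added Python example (not the paper's code) on a small constructed topology: it finds the shortest bus path between a start and a destination bus, finds the generator bus nearest to a given bus, and reuses the same traversal for the connectivity check behind rule 5 of Section III-A (whether removing a line splits the system), which is the same check an operator runs during N-1 contingency screening. The bus numbers, line ids and generator location are constructed for the example.

```python
from collections import deque

# Constructed 7-bus example topology (not the IEEE 14-bus system of the paper):
# line id -> (bus_i, bus_j). Bus 7 hangs off line 8 only, so removing line 8 splits the system.
LINES = {
    1: (1, 2), 2: (1, 3), 3: (2, 4), 4: (3, 4),
    5: (4, 5), 6: (3, 6), 7: (5, 6), 8: (6, 7),
}
GENERATOR_BUSES = {1}   # assumed: the only generator sits at bus 1

def adjacency(lines, removed=()):
    """Bus -> list of (neighbour bus, line id), skipping the line ids in `removed`."""
    adj = {}
    for lid, (i, j) in lines.items():
        if lid in removed:
            continue
        adj.setdefault(i, []).append((j, lid))
        adj.setdefault(j, []).append((i, lid))
    return adj

def bfs_levels(adj, start):
    """Level-by-level BFS from `start` (the 'progress bus' expansion of Algorithm 2).
    Returns (level, parent): level[b] is the BFS depth of bus b and parent[b] the
    (previous bus, line id) pair through which b was first reached."""
    level, parent = {start: 0}, {start: None}
    frontier = deque([start])
    while frontier:
        b = frontier.popleft()
        for nb, lid in adj.get(b, []):
            if nb not in level:            # an unvisited bus
                level[nb] = level[b] + 1
                parent[nb] = (b, lid)
                frontier.append(nb)
    return level, parent

def shortest_path(lines, start, dest, removed=()):
    """Backtrack from `dest` to `start` along the parent pointers.
    Returns (bus list, line-id list) or None if `dest` is unreachable."""
    level, parent = bfs_levels(adjacency(lines, removed), start)
    if dest not in level:
        return None
    buses, path_lines = [dest], []
    while parent[buses[-1]] is not None:
        prev, lid = parent[buses[-1]]
        path_lines.append(lid)
        buses.append(prev)
    return buses[::-1], path_lines[::-1]

def nearest_generator(lines, bus, generators, removed=()):
    """The generator bus with the smallest BFS depth from `bus`, or None if none is reachable."""
    level, _ = bfs_levels(adjacency(lines, removed), bus)
    reachable = [g for g in generators if g in level]
    return min(reachable, key=lambda g: level[g]) if reachable else None

def splits_system(lines, line_id):
    """Rule 5 of Section III-A as an N-1 connectivity check: True if removing
    `line_id` leaves its two end buses in different islands."""
    i, j = lines[line_id]
    return shortest_path(lines, i, j, removed=(line_id,)) is None

def redispatch_path(lines, bus, generators, outage_line=None):
    """Path from the nearest generator to `bus` (the sub-network found in Step 5),
    optionally with one line already out of service."""
    removed = () if outage_line is None else (outage_line,)
    gen = nearest_generator(lines, bus, generators, removed)
    return None if gen is None else shortest_path(lines, gen, bus, removed)
```

Because neighbours are expanded in line-id order, `shortest_path(LINES, 1, 5)` returns the path over buses 1-2-4-5 (lines 1, 3, 5); with line 3 removed the search falls back to 1-3-4-5 (lines 2, 4, 5). `splits_system` returns `True` only for line 8, and `redispatch_path` returns `None` when the outage leaves no generator reachable, which is the condition under which Step 6 would find no feasible region.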

V. Case Study

In this section, we adopt the IEEE 14-bus system [16] to illustrate the proposed attack mechanism in detail. The system topology is shown in Fig. 3, and the thermal limit of each line is listed in Table I. Unless otherwise specified, the modification range, , for all measurements is set to . The errors of all measurements are assumed to be . The identification threshold of the bad data and parameter error detection is set to , which is outside the confidence interval. The software toolbox MATPOWER [17] is used to run the power flow that provides the initial information of the system. To solve Problem , we use CVX [18], a package intended to solve convex programs.

Fig. 3: IEEE 14-bus test system [16]
Line number  Limit (MW)   [table entries missing]
TABLE I: The thermal flow limit of IEEE 14-bus system

In the beginning, we select the target lines following Steps 1 to 3 in Section IV. Line is first selected for the line outage and line as the misleading line. However, line connects two generators, and there is a transformer on line ; hence, we have to choose the target lines again. Following the proposed recursive procedure, lines and are finally selected as the outage line and the misleading line, respectively.

The direction of the misleading line is from bus to bus , so we have to find a path to supply the load of bus . Moreover, the nearest generator is at bus . Therefore, we use Algorithm 2 to find the shortest path from the starting bus, bus , to the destination bus, bus . Table II summarizes the attack region based on the results of Algorithm 2. Then, the measurements before and after modification based on the results of Problem are listed in Tables III and IV.

Set   Bus number   Description
      [missing]    The buses in the attack region
      [missing]    The boundary bus of the attack region
      [missing]    The buses connecting the line-outage line
      [missing]    The buses connecting the misleading line
Set   Line number  Description
      [missing]    The lines in the attack region
TABLE II: The description of the sets used in the modification

Bus number   Phase (angle)      Load (MW)
             Before   After     Before   After
[table entries missing]
TABLE III: The phase and load before and after modification

With the modified measurements, we perform SE and then bad data and parameter error detection. Since the power flow equations are linear, the SE solution can be easily obtained as


Hence, we apply the detection by calculating the normalized residuals and parameter errors, and sort the results in descending order, as shown in Table V(a). From the table, the two largest parameter errors are related to and , and both are larger than the identification threshold. We then eliminate the measurements related to and , and apply bad data detection again. Table V(b) shows the results of the second-round detection. The largest value in Table V(b) is much lower than the threshold. Therefore, according to the results, the control center is successfully led to find an error on the misleading line.

Since bad data and parameter error detection can be influenced by noise, we further collect results from Monte Carlo simulations. If the parameter of the misleading line is recognized as the error and the corresponding parameter error is larger than the threshold, the attack is regarded as successful. Furthermore, a false alarm is defined as another parameter or measurement being identified as the error. According to the results, the success rate, calculated as the ratio of the number of successful attacks to , is , and the false alarm rate is . That is, the parameter error at the misleading line shows up in every simulation; however, the normalized parameter error is sometimes not larger than the threshold because of the noise. Therefore, we can confirm the efficiency of the proposed attack strategy.

Line number   Power flow (MW)
              Before   After
[table entries missing]
TABLE IV: The power flow before and after modification

(a) First Round                 (b) Second Round
Parameter ,                     Parameter ,
Measurement                     Measurement
[table entries missing]
TABLE V: The bad data and parameter error detection results

VI. Conclusions

In this paper, we presented the combinational attack, which maliciously injects false data in the cyber layer to cover a physical event in the power system. For launching the attack, a method for finding the target lines based on the LODF matrix was introduced. Moreover, an algorithm based on BFS was proposed to find the attack region, and the modified measurements are derived from the power flow equations. The simulation results reveal that the proposed scheme successfully misleads the control center and masks the line-outage event. As future work, we will extend this study in two directions: proposing the attack based on AC power flow, and investigating a protection strategy for the cyber-physical system. Moreover, the assessment of the power system under the proposed attack should also be discussed.

VII. Acknowledgements

This work was supported by Ministry of Science and Technology under grant numbers MOST 105-2221-E-001-009-MY3 and 104-2221-E-001-008-MY3, and Academia Sinica Thematic Project AS-104-TP-A05.



References

  1. V. Rampurkar, P. Pentayya, H. A. Mangalvedekar, and F. Kazi, “Cascading Failure Analysis for Indian Power Grid,” IEEE Trans. Smart Grid, vol. 7, no. 4, pp. 1951–1960, Jul. 2016.
  2. Y. Liu, P. Ning, and M. K. Reiter, “False Data Injection Attacks Against State Estimation in Electric Power Grids,” in Proceedings of the 16th ACM Conference on Computer and Communications Security, ser. CCS ’09, pp. 21–32, Nov. 2014.
  3. Md. A. Rahman and H. M. Rad, “False Data Injection Attacks with Incomplete Information Against Smart Power Grids,” in IEEE Global Communications Conference (GLOBECOM), pp. 3153–3158, Dec. 2012.
  4. X. Liu, Z. Bao, D. Lu, and Z. Li, “Modeling of Local False Data Injection Attacks With Reduced Network Information,” IEEE Trans. Smart Grid, vol. 6, no. 4, pp. 1686–1696, Jul. 2015.
  5. J. Zhang and L. Sankar, “Implementation of Unobservable State-preserving Topology Attacks,” in North American Power Symposium (NAPS), Oct. 2015.
  6. X. Liu and Z. Li, “Local Load Redistribution Attacks in Power Systems With Incomplete Network Information,” IEEE Trans. Smart Grid, vol. 5, no. 4, pp. 1665–1676, Jul. 2014.
  7. Z. Li, M. Shahidehpour, A. Alabdulwahab, and A. Abusorrah, “Analyzing Locally Coordinated Cyber-Physical Attacks for Undetectable Line Outages,” IEEE Trans. Smart Grid, to be published.
  8. J. Zhang and L. Sankar, “Physical System Consequences of Unobservable State-and-Topology Cyber-Physical Attacks,” IEEE Trans. Smart Grid, vol. 7, no. 4, pp. 2016–2025, Jul. 2016.
  9. J. Kim and L. Tong, “On Topology Attack of a Smart Grid: Undetectable Attacks and Countermeasures,” IEEE J. Sel. Areas Commun., vol. 31, no. 7, pp. 1294–1305, Jul. 2013.
  10. X. Liu and Z. Li, “Local Topology Attacks in Smart Grids,” IEEE Trans. Smart Grid, to be published.
  11. C.-Y. Lee, “An Algorithm for Path Connections and Its Applications,” IRE Trans. on Electron. Comput., vol. EC-10, no. 3, pp. 346–365, Sep. 1961.
  12. J. Zhu and A. Abur, “Identification of Network Parameter Errors,” IEEE Trans. Power Syst., vol. 21, no. 2, pp. 586–592, May 2006.
  13. Y. Lin and A. Abur, “A New Framework for Detection and Identification of Network Parameter Errors,” IEEE Trans. Smart Grid, to be published.
  14. A. Abur and A. Gómez-Expósito, Power System State Estimation: Theory and Implementation. New York: Marcel Dekker, 2004.
  15. J. Guo, Y. Fu, Z. Li, and M. Shahidehpour, “Direct Calculation of Line Outage Distribution Factors,” IEEE Trans. Power Syst., vol. 24, no. 3, pp. 1633–1634, Aug. 2009.
  16. R. D. Christie, “Power Systems Test Case Archive,” University of Washington, Aug. 1993. [Online]. Available: https://www2.ee.washington.edu/research/pstca/pf14/pg_tca14bus.htm
  17. R. D. Zimmerman, C. E. Murillo-Sánchez, and R. J. Thomas, “MATPOWER: Steady-state Operations, Planning and Analysis Tools for Power Systems Research and Education,” IEEE Trans. Power Syst., vol. 26, no. 1, pp. 12–19, Feb. 2011.
  18. M. Grant and S. Boyd, “CVX: Matlab software for disciplined convex programming,” http://cvxr.com/cvx/, Mar. 2014.