Recommended articles:
-
-
Global Energy Interconnection
Volume 4, Issue 2, Apr 2021, Pages 184-192
Dynamic load-altering attack detection based on adaptive fading Kalman filter in power systems
Keywords
Abstract
This paper presents an effective and feasible method for detecting dynamic load-altering attacks (D-LAAs) in a smart grid.First, a smart grid discrete system model is established in view of D-LAAs.Second, an adaptive fading Kalman filter (AFKF) is designed for estimating the state of the smart grid.The AFKF can completely filter out the Gaussian noise of the power system, and obtain a more accurate state change curve (including consideration of the attack).A Euclidean distance ratio detection algorithm based on the AFKF is proposed for detecting D-LAAs.Amplifying imperceptible D-LAAs through the new Euclidean distance ratio improves the D-LAA detection sensitivity, especially for very weak D-LAA attacks.Finally, the feasibility and effectiveness of the Euclidean distance ratio detection algorithm are verified based on simulations.
0 Introduction
Owing to the development of artificial intelligence and improvements living standards, people have increasingly higher requirements for power quality.In this context, smart grids have emerged.A smart grid combines a traditional power system with smart technology.It collects data and information and combines it with power equipment to monitor and control a power system in real time [1].The smart grid power transmission process can be divided into power generation, power transmission, distribution, power consumption, dispatch, and communication [2].With improvements in science and technology, power systems have become increasingly complex.The modern power system is a typical cyber-physical system.Today, with the rapid development of cyber-physical systems, power cyber-physical systems must keep pace with the times, and continuously improve [3].Power systems are becoming increasingly complex, and combining a power system with smart devices can lead to security risks in any link [4], such as vulnerability to denial-of-service attacks [5].There are many potential cyber-attacks for smart grids, including those based on integrity tampering [6], availability jamming [7], replay, wormholes [8], false data injection, password pilfering, and masquerading [9].
A load-altering attack (LAA) is a cyber-physical attack on the consumer side of a power system [10].A static LAA changes the load of the attacked load.A dynamic LAA (D-LAA) not only changes the load of the attacked load, but also changes its trajectory [11].This article mainly focuses on a D-LAA detection method for a smart grid.In [12], the principle and influence of the D-LAA were analyzed.Based on optimizing the pole placement, a protection system was proposed to protect the power system from D-LAAs.In [13], using smart meter data, a D-LAA was analyzed from the perspective of the frequency domain, and a D-LAA detection method was proposed.In [14], a robust slidingmode observer was designed for providing complete attack detection.However, the detection methods used in [13] and [14] required valid measurement data.When the measurement data contained random noise, the above methods were no longer practical.In contrast, the adaptive fading Kalman filter (AFKF)-based detection method adopted in this study can filter noise and detect system attacks.Moreover, the method is more sensitive to weak and imperceptible attack signals.Existing studies have indicated that there are many difficulties in detecting D-LAAs.Under these circumstances, we focus on a detection method for D-LAAs.Based on the design of the AFKF, we focus on applying the AFKF to D-LAA detection in a smart grid.The Kalman filter (KF) is a dynamic state estimator, and is optimal for providing linear system state estimations in the context of Gaussian noise.It is mainly used for target tracking, inertial navigation systems, and other fields.In recent years, it has been frequently used for power systems.The KF has many forms; these can be applied not only to linear systems, but also to nonlinear systems [15].In power systems, the KF is mainly used for parameter estimation and attack detection and has achieved good results, as described in [16] and [17].However, when a system modeling distortion leads to filter divergence, the AFKF (an improved filter based on KF) has strong robustness to the uncertainty of the system model, and can ensure the convergence of the filter [18].
Aiming at a power system with noise under a D-LAA attack, we established a discrete mathematical model for the power system.An AFKF filter noise estimation state was designed, and a Euclidean distance ratio detection algorithm was proposed based on the AFKF design to detect D-LAAs.Finally, simulation results were used to verify the feasibility of the detection algorithm, especially for D-LAA attacks that are not easily detectable.The main contributions of this study are summarized as follows.
i) The power system linear continuous mathematical model is transformed into a discrete model, and the process noise covariance and observation noise covariance are considered.
ii) A new Euclidean distance ratio algorithm is proposed for detecting D-LAAs using the AFKF, based on comparing the threshold and distance ratio.
Paper organization.Section 1 discusses the establishment of the smart grid system model and D-LAA attack model.In Section 2, an AFKF is designed, and a new distance ratio detection algorithm is proposed based on the AFKF.Section 3 discusses the simulations performed in this study.Finally, in Section 4, the conclusions are drawn.
Notations.Rn represents an n-dimensional real space.E[.] denotes a mathematical expectation.N a b( , ) represents a Gaussian distribution with a mean a and covariance b.
1 System model and problem setup
In this section, a discrete power system mathematical model and D-LAA attack model are established, and a complete detection scheme is described.
1.1 Smart grid model
In the design, we consider a power system with n generator buses and m load buses, in which the generator buses are denoted as Ψ={g1 , g2, …, gn} and load buses are denoted as Φ={b1 , b 2 , …, bm}.Each generator bus connects to a single generator.We can establish the mathematical model for the linear continuous system of the power system as follows [12]:
In the above, δ(t R)∈ n is the voltage phase angle at all generator buses, ω(t R)∈ n represents the frequency deviation of the generator bus, θ(t R)∈ n is the voltage angle, and PL ( t ) represents the load power demand vector.The Laplace matrix is as follows:
KI and KP are diagonal matrices, the diagonal terms of which are the integral controller coefficient and proportional controller coefficient of the generator on the generator bus, respectively.M and D are the diagonal matrices of the inertia coefficient and damping coefficient of the generator, respectively, and I R∈ n is the identity matrix.
By eliminating the voltage angle variables, we can obtain a non-singular state space expression for the power system, as follows:
1.2 Dynamic load-altering attack (D-LAA)
The classifications of the closed-loop D-LAA are shown in Fig.1.Fig.1(a) shows an open-loop D-LAA attack that relies on historical data to achieve the D-LAA.Fig.1(b) and Fig.1(c) show a single-point closed-loop D-LAA and multipoint closed-loop D-LAA, respectively; these require realtime monitoring of the power system frequency through sensors to achieve the D-LAA.In this study, we focus on detecting single-point and multi-point closed-loop D-LAAs.
Fig.1 Three examples of dynamic load-altering attacks: a) open-loop dynamic load-altering attack (D-LAA), b) singlepoint closed-loop D-LAA, c) multi-point closed-loop D-LAAs
The frequency feedback is obtained from the sensor bus s.Then, the attacker uses the frequency regulation to control the load power PLi [9].The D-LAA sequence in load bus i is as follows:
Here, 
is the proportional gain of the attack controller.
We consider that the load at a load bus i ∈Φ is hacked by a closed-loop D_LAA; ωs is the frequency deviation between the frequency of the sensor bus s and nominal value, and ∈Li is the vulnerable part of the load at bus i.Then, we can model the compromised power consumption level at bus i as follows:
In the above, PLi is the safe part of the load on bus i.The smart grid state-space model under attack becomes as follows:
Here, 
is the power system state vector, and f L(t) is the D-LAA signal in the power system, where
The system matrices 
and 
and it can be seen from (5) that the attacker can affect the stability of the system by adjusting its control matrix, affecting the system matrix and system poles.
Considering the information transmission, we can divide the power system into a physical layer and information layer, which are connected through a communication channel for transmitting communication data.In the field of communication, all of the data are discrete.Therefore, we can rewrite the above linear continuous system model into a discrete state-space model, as follows:
In the above, w ( k ) ~ N ( 0,Q) is the process Gaussian noise, and Q>0 is a positive definite symmetrical matrix.
The discrete form of the D-LAA model (4) is as follows:
The smart grid model under the D-LAA can be rewritten as follows:
Here, 
can be obtained by discretization of an accurate linear time-invariant system.T is the sampling period,y (k) is the measurement output vector, H is the output matrix, 
is the measurement noise, R >0 is a positive definite symmetrical matrix, and w (k) and v ( k) are independent of each other.
1.3 Scheme summary
The detection scheme used in this study is illustrated in Fig.2.After establishing the mathematical model for the power system, an AFKF was designed to filter the noise and estimate the system state.Finally, based on the AFKF, an Euclidean distance ratio detection algorithm was proposed for detecting D-LAAs.
2 D-LAA detection
Fig.2 D-LAA detection scheme (AFKF: adaptive fading Kalman filter)
This section is divided into two parts: the design of the AFKF and the Euclidean distance ratio detection algorithm based on the AFKF.
2.1 Adaptive fading Kalman filter (AFKF) design method
Even if the system model is not very accurate, the AFKF can maintain the filter convergence.A D-LAA affects the stability of the system by influencing the control matrix; this can be explained to a certain extent based on its effects on the system model.Therefore, the AFKF can be used to estimate the system state more accurately.
The measurement output vector y(k) is the filter input, and the calculation process for the AFKF is as follows:
In the above, 
is the a priori estimation.and 
is the posterior estimation.x0 is the initial state, where 
independent of w(k) and v(k).Here, ε(k) is the innovation sequence.It expresses the deviation between the measurement and predicted position.Q(k) is the covariance of w(k) at k, and R(k) is the covariance of v (k) at k.P (k|k-1) and P(k) are the predicted covariance and estimated covariance, respectively.η(k)≥1 is the adaptive suboptimal fading factor.K(k) is the filter gain.P0 is the initial value of P(k), and
When the KF is working, the parameter error of the system has a greater impact on its performance.This may lead to a decrease in the performance of the KF, and may even cause non-convergence in the calculation process.The values of the parameters x0, Q, and R in this study are approximate values, which may cause the Kalman filter to work abnormally.Adding a fading factor of η can ensure the convergence of the Kalman filter, and compensate for the adverse effects caused by inaccurate parameters.
The convergence criterion for the AFKF is as follows: 
The value of η(k) is updated only when the AFKF does not converge.Based on [19]-[20], by minimizing the defined criterion function, we can obtain the selection method for η(k), as follows:
After adding the forgetting factor (which is larger than 1), the weight of the measured data at time k is enhanced.In the iteration in the KF algorithm, the forgetting factor outweighs the influence of the most recent measurement at each time step, and correspondingly fades the memory of the past data.Accordingly, the cumulative error caused by the model parameter errors is avoided.
2.2 D-LAA detection algorithm
In the process of using the AFKF to estimate the system state, based on the designed system model, we can predict the current state based on the state estimate 
at the previous moment, so as to obtain the current moment state prediction value 
Assuming that the system is safe and reliable before time k, we denote the deviation between the estimated state vector
and predicted vector 
at k as e (k), which is determined as follows:
Similarly, we define the deviation of the state estimation vector and state prediction vector at k-1 as follows:
As the 2-norm of a vector is also called the Euclidean distance, we define the Euclidean distance of e (k) at k as γ(k), which is determined as follows:
Similarly, the Euclidean distance of e (k-1)is as follows:
In this section, we define the Euclidean distance ratio at k as follows:
If Q and R take fixed values, after the AFKF converges to a steady state, P and K will reach the steady-state values 
and the value of the suboptimal fading factor η(k) will not be updated.Thus, e (k) converges, and 
Even if there is a deviation between e ( k) and e ( k-1), the deviation will be within a small range, and we can choose a reasonable threshold rth.When the power system is operating normally, the Euclidean distance ratio does not exceed this threshold.
If the power system is attacked by D-LAA at k, then the corresponding calculations are as follows:
In the above,f L( k) is the D-LAA vector.The Euclidean distance of e L( k ) at time k is expressed as follows:
The Euclidean distance ratio of the attack with D-LAA at k becomes as follows:
At this point, the value of rL ( k ) will be significantly greater than rth.
When the Euclidean distance ratio r (k) is greater than the threshold rL ( k ), it is considered that the power system is under attack, and the alarm device is activated.
Owing to the particularity of the power system, when the power system is operating normally, the state of the power system will not change suddenly.This causes the threshold to be a within a small (limited) range of values when the system is operating normally.Because the KF reaches a steady state and converges, the relevant parameters of the filter are fixed constants, and the state estimation error converges, i.e., e (k )≈e ( k-1).It can be seen that the threshold is close to 1, and we can choose a threshold close to 1.In the actual application process, appropriate adjustments can be made based on experience.
3 Simulation example
In this section, we consider a smart grid system with three generators and six buses as an example for determining the system parameters and initial values of the filters.Different methods were used to inject closed-loop D-LAAs into the smart grid, and to verify the effectiveness of the detection algorithm through simulations.
3.1 D-LAA detection algorithm
First, for the continuous linear system mathematical model of the system with three generators and six buses, for all load buses i ∈Φ, it was considered that PLi =1 p. u .In addition, the other system parameters of the smart grid were taken from [12].The discrete sampling time T was set to 0.001, the mathematical model of the above linear continuous system was discretized, and the relevant parameters of the discrete mathematical model for the system were determined as follows:
In the above, w (k) and v (k) are random numbers with a mean value of 0 and amplitude of 0 -0.0001.After adjusting Q and R, Q and R were selected as follows:
The initial values of the filter and smart grid system were set as follows: x0 = [ -0.045; -0.058; -0.07; 0.002;0.1;0.01]; η0 =1.At the same time, we selected the threshold as rth =1.2.Assuming that the loads on load buses 5 and 6 were controllable and vulnerable, we used different methods to inject closed-loop D-LAAs into the smart grid system, and verified the effectiveness of the detection algorithm through simulations.
3.2 D-LAA detection
As discussed in this section, we injected closedloop D-LAAs into load buses 5 and 6 of the smart grid, and verified the effectiveness of the previous detection algorithm based on the simulation results.It one example, it was assumed that the attacker installed the sensor on bus s = 1; the attack parameters on load buses 5 and 6 are listed in Table 1.
Table 1 Closed-loop dynamic load-altering attack (D-LAA) parameters and start time
Attack case Victim load Start time and D-LAA parameters Case 1 5 t=3s: f p u 5 1 L =+3 0.01( .)ω t=6s: f p u 5 1 L =+5 0.06( .)ω Case 2 5, 6 t=3s: f p u 5 1 L =+5 0.06( .)ω t=6s: f p u 6 1 L =+2 0.1( .)ω
3.2.1 Case 1: Single-point closed-loop D-LAA detection
In this case, it was considered that only the load on load bus 5 was attacked.We began to inject a closedloop 
into load bus 5 at t = 3 s, and changed the attack parameter to
at t = 6 s.The simulation results are presented in.Fig.3 and Fig.4.
Fig.3 Simulation result for smart grid under single-point closed-loop D-LAA
Fig.3(a) shows the change curve of load 5 under the D-LAA for different amplitudes of attack parameters.Fig.3(b) shows the system frequency measured values and AFKF estimated values of the smart grid under the singlepoint closed-loop D-LAA.The AFKF estimate accurately reflects the frequency fluctuations of the smart grid under the D-LAA.From the simulation results, it can be determined that when the smart grid is attacked by a singlepoint closed-loop D-LAA, the greater the attack parameter value, the greater the load overshoot and system frequency fluctuation.
Fig.4 Detection result for single-point closed-loop D-LAA
The detection results for the single-point closedloop D-LAA are shown in Fig.4.The Euclidean distance ratios are 1.7735 and 18.4013 at t = 3.001 s and t = 6.001 s, respectively, far exceeding the threshold of 1.2.The greater the attack parameter value, the greater the Euclidean distance ratio.When the attacker injects the D-LAA attack into the smart grid, the Euclidean distance ratio always exceeds the threshold, thereby activating the alarm device.
3.2.2 Case 2: Multi-point closed-loop D-LAAs detection
In this case, it was considered that the loads on the load bus 5 and 6 were attacked.We began to inject closed-loop 
into load bus 5 and 6 at t = 3 s and t = 6 s, respectively.The simulation results are shown in Fig.5 and Fig.6.
Fig.5 Simulation result for smart grid under multi-point closed-loop D-LAAs
Fig.5(a) shows the load changes of the load buses 5 and 6 under the multi-point closed-loop D-LAAs, and Fig.5(b) shows the frequency change in the AFKF-estimated values for the smart grid under the multi-point closed-loop D-LAAs.From the simulation results, it can be determined that when the smart grid is attacked by multi-point closed-loop D-LAAs, every time, the attacked load variation and system frequency will both produce overshoots; nevertheless, the system can quickly return itself to normal.However, as the number of attacked loads increases, the overshoot will become larger.
The detection results for the multipoint closed-loop D-LAAs are shown in Fig.6.The Euclidean distance ratios are 10.2325 and 1.7027 at t = 3.001 s and t = 6.001 s, respectively, far exceeding the threshold of 1.2.Thus, the system automatically activates the alarm, every time.
Fig.6 Detection results for multi-point closed-loop D-LAAs
4 Conclusion
The greater the load attacked in the smart grid, the greater the impact of the closed-loop D-LAA on the system.The detection algorithm proposed in this study, based on the AFKF, can detect an attack in time when a D-LAA is injected.In many cases, D-LAA attacks lead to system state changes that are not evident; nevertheless, the proposed Euclidean distance ratio algorithm can still detect them.The larger the attack parameters, the larger the distance ratio.We can estimate the attack condition of the system according to the change in the distance ratio.
Acknowledgements
This work was supported by the Science and Technology Project of the State Grid Shandong Electric Power Company: Research on the vulnerability and prevention of the electrical cyber-physical monitoring system based on interdependent networks; the National Natural Science Foundation of China (61873057); and the Education Department of Jilin Province (JJKH20200118KJ).
Declaration of Competing Interest
We declare that we have no conflict of interest.
References
-
[1]
Muhammed ZG, Das R (2020) Cyber-security on smart grid: Threats and potential solutions.Computer Networks, 169:107094 [百度学术]
-
[2]
Zakaria EM, Naima K, Hassan EG, et al (2018) Cyber-security in smart grid: Survey and challenges.Computers & Electrical Engineering, page S0045790617313423 [百度学术]
-
[3]
Wang HZ, Ruang JQ, Zhou B, et al (2019) Dynamic data injection attack detection of cyber physical power systems with uncertainties.IEEE transactions on industrial informatics / a publication of the IEEE Industrial Electronics Society [百度学术]
-
[4]
Gunduz MZ, Das R (2018) A comparison of cyber-securityoriented testbeds for iot-based smart grids.In: Proceedings of the 2018 6th International Symposium on Digital Forensic and Security (ISDFS) general meeting [百度学术]
-
[5]
Liu J, Xiao Y, Li S, et al (2012) Cyber security and privacy issues in smart grids.IEEE Communications Surveys & Tutorials, 14(4):981-997 [百度学术]
-
[6]
Gunduz MZ, Das R (2018) Analysis of cyber-attacks on smart grid applications.In: Proceedings of the 2018 International Conference on Artificial Intelligence and Data Processing (IDAP), 2018 [百度学术]
-
[7]
Lopez C, Sargolzaei A, Santana H, et al (2015) Smart grid cyber security: An overview of threats and countermeasures.Journal of Power and Energy Engineering, 9(007):632-647 [百度学术]
-
[8]
Procopiou A, Komninos N (2016) Current and future threats framework in smart grid domain.In: Proceedings of the Annual IEEE International Conference on Cyber Technology in Automation, Control, and Intelligent Systems [百度学术]
-
[9]
Yang Y, Littler T, Sezer S, et al (2012) Impact of cyber-security issues on smart grid.In: Proceedings of the 2011 2nd IEEE PES International Conference and Exhibition on Innovative Smart Grid Technologies, 2012 [百度学术]
-
[10]
Yankson S, Ghamkhari M (2019) Transactive energy to guard against a zero-day load altering attack on power distribution systems.In: Proceedings of the IEEE International Conference on Smart Energy Grid Engineering, 2019 [百度学术]
-
[11]
Amini S, Pasqualetti F, Mohsenian-Rad H (2016) Dynamic load altering attacks against power system stability: Attack models and protection schemes.IEEE Transactions on Smart Grid, PP (99):1-1 [百度学术]
-
[12]
Amini S, Mohsenian-Rad H, Pasqualetti F (2015) Dynamic load altering attacks in smart grid.In 2015 IEEE Power Energy Society Innovative Smart Grid Technologies Conference (ISGT), pages 1-5, 2015 [百度学术]
-
[13]
Amini S, Pasqualetti S, Mohsenian-Rad H (2015) Detecting dynamic load altering attacks: A data-driven time-frequency analysis.In 2015 IEEE International Conference on Smart Grid Communications (Smart Grid Comm), pages 503-508, 2015 [百度学术]
-
[14]
Su QY, Li SQ, Gao YC, et al (2021) Observer-based detection and reconstruction of dynamic load altering attack in smart grid, Journal of the Franklin Institute,2021.02.008 [百度学术]
-
[15]
Ren P, Lev-Ari H, Abur A (2016) Robust continuous-discrete extended Kalman filter for estimating machine states with model uncertainties.In: Proceedings of the Power Systems Computation Conference, 2016 [百度学术]
-
[16]
Rouhani A, Ali A (2018) Constrained iterated unscented Kalman filter for dynamic state and parameter estimation.IEEE Transactions on Power Systems, 33(99):2404-2414 [百度学术]
-
[17]
Hadis K, Henry L (2010) Relaxation-based anomaly detection in cyber-physical systems using ensemble Kalman filter.IET Cyber-Physical Systems: Theory & Applications, 5(1):49-58 [百度学术]
-
[18]
Zhao YF, Xu J, Wang X, et al (2018) The adaptive fading extended Kalman filter soc estimation method for lithium-ion batteries.Energy Procedia, 145:357-362 [百度学术]
-
[19]
Xia QJ, Rao M, Ying YQ, et al (1994) Adaptive fading Kalman filter with an application.Automatica, 30(8):1333-1338 [百度学术]
-
[20]
Ding WD, Wang JL, Chris R, et al (2007) Improving adaptive Kalman estimation in gps/ins integration.Journal of Navigation, 60(3):517-529 [百度学术]
Fund Information
supported by the Science and Technology Project of the State Grid Shandong Electric Power Company: Research on the vulnerability and prevention of the electrical cyber-physical monitoring system based on interdependent networks; the National Natural Science Foundation of China (61873057); the Education Department of Jilin Province (JJKH20200118KJ);
supported by the Science and Technology Project of the State Grid Shandong Electric Power Company: Research on the vulnerability and prevention of the electrical cyber-physical monitoring system based on interdependent networks; the National Natural Science Foundation of China (61873057); the Education Department of Jilin Province (JJKH20200118KJ);
Author
-
Qiang Ma
-
Zheng Xu
-
Wenting Wang
-
Lin Lin
-
Tiancheng Ren
-
Shuxian Yang
-
Jian Li