1 Introduction

Ensuring the operation security of a power system has always been a basic yet important requirement. Security assessment is essential to monitor and control the power system in near real-time, and also one of the most important functions of Energy Management System (EMS) [1, 2]. Usually, it consists of static security assessment (SSA) and dynamic security assessment (DSA). The former one mainly focuses on branch overflow and bus overvoltage following a disturbance [3]. The latter one mainly focuses on the stability criteria (including rotor angle, voltage, and frequency) is violated when be subject to a disturbance [47]. In this paper, we focus on the SSA which highly depends on the state estimation results. Therefore, the accuracy of state estimation result is of high importance for the SSA and the corresponding security enhancement.

Researches recently show that due to the deeper integration of physical system and cyber system, the security and economy of the modern power system might be affected by cyber-attacks. Cyber-attacks have already made destructions to the control system. For example, in 2003, a cyber-attack penetrated a computer network at the Davis-Besse nuclear power plant in the U.S. While in 2010, the Stuxnet worm attacked Iran’s Natanz nuclear fuel-enrichment facility [8]. The “BlackEnergy” worm has been confirmed of infecting multiple Ukrainian power substations in December, 2015. Around half of the homes in the Ivano-Frankivsk region in Ukraine were left without electricity for a few hours [9].

False data injection attack (FDIA) is a kind of cyber-attacks proposed by Liu et al. in 2009, which can make severely secure and economic impacts on the power system [10, 11]. Then, researches in FDIA-based cyber-attack have been extensive. Authors in [12] made a comprehensive review of state-of-the-art in FDIAs against modern power system. Liang et al. in [13] analyzed the physical consequences of FDIAs on the power system state estimation. Yu et al. [14] proposed a stealthy and blind attack without the knowledge of Jacobian matrix and any assumption about the distribution of stat variables. Hug et al. [15] studied the vulnerability assessment of FDIAs based on the AC state estimation model. Kim and Tong in [16] showed that the power system security and economy can be affected by the combination of topology attack and FDIA. The authors in [1719] made their contributions on the impacts of FDIAs on electricity market, and proposed that FDIAs can make huge economic losses to the power market. Yuan et al. in [20] and [21] proposed that FDIAs can cheat the control center to do unnecessary load shedding to the power system which is a severely destruction to the system’s economy and security. Yang et al. in [22] proposed a Polynomical-based compromise-resilient en-route filtering scheme to filter FDIAs effectively and achieve a high resilience to the number of compromised nodes without relying on static routes and node localization. Zhao et al. in [23] and [24] proposed a forecasting-aided implementation method to detect FDIA based on AC state estimation model. Chaojun et al. in [25] proposed a new detection method to detect FDIA by tracking the dynamics of measurement variations. Hao et al. in [26] proposed an efficient greedy search algorithm to quickly find subset of measurements to be protected to defend against FDIAs. Liu et al. in [27] expanded meters from the power side to the user side, and proposed an intrusion detection mechanism that can achieve collaborative detection of FDIA by setting spying domain randomly in physical memory in combination with using secret information and event log. From the literature, few researches focus on the impact analysis of FDIAs on the power system SSA. In this paper, we will analysis this problem based on nonlinear state estimation model which is more practical to the actual system operation.

As shown in Fig. 1, the security enhancement is implemented to the power system according to the SSA results. While, the SSA is based on the real-time system modeling and system monitoring. For modeling and monitoring, three types of measurements (i.e., the analog measurement, logic measurement, and pseudo- measurement) are gathered by Supervisory Control and Data Acquisition (SCADA) system and then transferred to other modules in EMS [28]. In EMS, topology processor is used to estimate the network topology; observability analysis represents that the power flow equations are solvable, which depends highly on the available measurements and their geographic distribution; and state estimation and bad data detection are used to estimate the state variables and filter raw data on the basis of redundant measurements [28]. Only when there is neither inconsistence between analog measurements and logic measurements, nor bad data signal shown in bad data detection module, can the estimated state variables be used in SSA and other higher layer applications afterwards.

Fig. 1
figure 1

Major processes of the online SSA

Full size image

In this paper, we intend to perform security and economy analysis of the SSA based on nonlinear power system model under FDIAs with transmission line real power flow overload/non-overload situations. We focus on the analog measurement manipulation situation. The manipulation of logic measurement, pseudo-measurement, and topology information is out of the research range of this paper. We intend to launch a successful FDIA that would evade being detected by the system and cause adverse SSA results compared to the actual situations. As a consequence, the corresponding security enhancement implemented by the system operator might be deceived to do unnecessary actions or do not do necessary actions to the power system.

The major contributions of this paper are two-folds:

  1. 1)

    Analyze the influences of FDIAs on the SSA and show that the secure and insecure SSA results can be manipulated by the attacker;

  2. 2)

    Propose two targeted attack scenarios: fake secure signal attack and fake insecure signal attack. The former one is to convert the insecure situations into secure circumstances, in such a way that the control center is cheated to not do the necessary actions; the latter one is to convert the secure situations into insecure circumstances, in such a way that the control center is cheated to operate unnecessary actions.

This paper will be organized as follows. Section 2 introduces the basic theoretical background of launching a valid FDIA against state estimation based on linear and nonlinear model; Section 3 introduces the models and solving method of the proposed two targeted attack scenarios. Section 4 demonstrates the effectiveness of the proposed attack on IEEE benchmark system; Conclusions are drawn in Section 5.

2 Methodologies for FDIAs

In this section, the background of state estimation, bad data detection, and FDIA theory based on both linear and nonlinear power flow model are introduced.

2.1 Assumptions and preliminaries

This paper has the following assumptions:

  1. 1)

    The attacker has full knowledge of power topology information, system parameters, bad data detection strategy, etc.

  2. 2)

    The attacker is capable of falsifying any analog measurements that measured by meters.

Note that the above assumptions are commonly accepted in this research field [1032], especially when the Ukrainian regional electric power distribution companies experienced cyber-attacks and caused serious blackouts on 23 December 2015.

2.2 State estimation and bad data detection

The state estimator provides estimated state variables (i.e., voltage and phase angle on each bus) based on a combination of meter measurements. The estimated state variables are the parameters that reflecting the operation conditions of the power system for a period of time [21].

Consider a power system with \( n + 1 \) buses and \( m \) meters. The state estimation problem is to estimate the state variables \( {\varvec{x}} = (x_{1} ,x_{2} ,\cdot\cdot\cdot,x_{n} )^{T} \)based on the meter measurements \( {\varvec{z}} = (z_{1} ,z_{2} ,\cdot\cdot\cdot,z_{m} )^{T} \), under the assumption that the measurement noise \( {\varvec{e}} = (e_{1} ,e_{2} ,\cdot\cdot\cdot,e_{m} )^{T} \) follows Gaussian distribution (0 mean and \( \sigma^{2} \) covariance).

In linear power flow model, the state estimation model is formulated as

$$ {\varvec{z}} = {\varvec{Hx}} + {\varvec{e}} $$
(1)

where \( {\varvec{H}} \) is the Jacobian matrix, and \( m > n \). Model (1) is commonly solved by weighted least squares (WLS) method by achieving the following optimization problem:

$$ \hbox{min} \,\,J({\varvec{x}}) = \frac{1}{2}({\varvec{z}} - {\varvec{Hx}})^{T} {\varvec{W}}({\varvec{z}} - {\varvec{Hx}}) $$
(2)

where \( {\varvec{W}} = diag\{ \sigma_{1}^{ - 2} ,\sigma_{2}^{ - 2} ,\cdot\cdot\cdot,\sigma_{m}^{ - 2} \} \). The solution can be computed in closed-form:

$$ {\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }} = ({\varvec{H}}^{T} {\varvec{WH}})^{ - 1} {\varvec{H}}^{T} {\varvec{Wz}} $$
(3)

where \( {\varvec{x}} = [{\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{\theta } }},{\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{V} }}] \) is the estimated state variable with \( {\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{\theta } }} \) as the phase angle and \( {\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{V} }} \) as the voltage magnitude.

In nonlinear power flow model, \( {\varvec{h}}({\varvec{x}}) \) is used to denote the functional dependency between measurements and state variables. The model is then formulated as

$$ {\varvec{z}} = {\varvec{h}}({\varvec{x}}) + {\varvec{e}} $$
(4)

Then the corresponding optimization objective is:

$$ {\text{min}} \,\,{\varvec{J}}({\varvec{x}}) = \frac{1}{2}({\varvec{z}} - {\varvec{h}}({\varvec{x}}))^{T} W({\varvec{z}} - {\varvec{h}}({\varvec{x}})) $$
(5)

Due to the nonlinear relationship between measurement variables and state variables, it is difficult to have an analytical solution. Usually, iterative algorithm is applied to solve model in (4).

In bad data detection technique, the veracity of the estimated state variable is detected via the largest normalized residual (LNR) test, where the objective function \( {\varvec{J}}({\varvec{x}}) \) is assumed to follow a chi-squared distribution with at most \( m - n \) degrees of freedom, shown in Equation (6). \( {{\tau}} \) is the threshold determined by a certain significance level.

$$ J({\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }}) < {{\tau}} $$
(6)

If (6) is satisfied, it shows the estimated state variable is capable of being used in higher layer applications; if not, the corresponding raw data should be filtered. The estimator should re-estimate the state variable until (6) is satisfied.

2.3 False data injection attack

FDIA is studied on both DC and AC model. In the linear model, the attacker fools the control center mainly by keeping the measurement residual unchanged, although the attacker has injected bad data into meters.

Denoting \( {\varvec{a}} \) as the vector of malicious data which is injected into the original measurement data \( {\varvec{z}} \), therefore, the measurement vector is polluted as \( {\varvec{z}}_{bad} = {\varvec{z}} + {\varvec{a}} \) after attack. Denoting \( {\varvec{c}} \) as the deviation vector of the estimated state variable before and after the attack, the estimated state variable vector after attack can be represented as \( {\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }}_{bad} = {\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }} + {\varvec{c}} \), as shown in (7):

$$ \begin{aligned} {\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }}_{bad} &= ({\varvec{H}}^{T} {\varvec{WH}})^{ - 1} {\varvec{H}}^{T} {\varvec{Wz}}_{bad} = ({\varvec{H}}^{T} {\varvec{WH}})^{ - 1} {\varvec{H}}^{T} {\varvec{W}}({\varvec{z}} + {\varvec{a}}) \hfill \\ &= \,{\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }} + ({\varvec{H}}^{T} {\varvec{WH}})^{ - 1} {\varvec{H}}^{T} {\varvec{Wa}} = {\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }} + {\varvec{c}} \hfill \\ \end{aligned} $$
(7)

The target of the attacker is to find the vector of malicious data which keeps the measurement residual unchanged before and after attack. If \( {\varvec{a}} = {\varvec{Hc}} \), then:

$$ \begin{aligned} \left\| {{\varvec{z}}_{bad} - {\varvec{H\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }}_{bad} } \right\| &= \left\| {{\varvec{z}} + {\varvec{a}} - {\varvec{H}}({\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }} + ({\varvec{H}}^{T} {\varvec{WH}})^{ - 1} {\varvec{H}}^{T} {\varvec{Wa}})} \right\| \hfill \\ &= \left\| {{\varvec{z}} - {\varvec{H\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }} + ({\varvec{a}} - {\varvec{H}}({\varvec{H}}^{T} {\varvec{WH}})^{ - 1} {\varvec{H}}^{T} {\varvec{Wa}})} \right\| \hfill \\ &= \left\| {{\varvec{z}} - {\varvec{H\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }} + ({\varvec{a}} - {\varvec{Hc}})} \right\| = \left\| {{\varvec{z}} - {\varvec{H\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }}} \right\| \hfill \\ \end{aligned} $$
(8)

In this way, the attacker can make a successful attack stealthily without being detected by bad data detection.

FDIA theory based on nonlinear model is much more complicated because the state variable and observation value has nonlinear relationship. The estimated state variable is gained through iteration algorithm. Therefore, it is much more difficult to find an analytical function to express the relationship between the malicious data and the system parameters. The key idea of AC model based FDIA is to find a vector of malicious data that makes the objective function after attack falls below the threshold as

$$ J({\varvec{\overset{\lower0.5em\hbox{$\smash{\scriptscriptstyle\frown}$}}{x} }}_{bad} ) < {{\tau}} $$
(9)

3 SSA under FDIAs

FDIA is a harmful attack to the secure and economic operations of the whole power system because the estimated state variable used in all the higher layer applications in the control center is different from the actual one. More importantly, the control center will be cheated to believe the false estimated state variable. As a result, any operations based on the fake information will be implemented onto the actual system.

In this paper, the attacker’s target is considered to make confusions of the estimated power flow on transmission lines based on the estimated state variable. In the SSA, if the calculated power flow on a transmission line is higher than the limit, it is considered as an insecure situation. The system operator should take some corrective actions, such as generator rescheduling, load shedding, etc. If no signal shows there is insecure situation of the entire system, it is considered as a secure situation. So, it is unnecessary for the system operator to do extra corrective actions. As shown in Fig. 2, there are four scenarios of the SSA when applying FDIAs into state estimation.

Fig. 2
figure 2

Overview of the main purpose of FDIAs on the SSA

Full size image
  1. 1)

    The actual SSA result shows the system is insecure, while it shows secure after attack;

  2. 2)

    The actual SSA result shows the system is secure, while it shows insecure after attack;

  3. 3)

    The actual SSA result shows the system is secure, while it shows secure after attack;

  4. 4)

    The actual SSA result shows the system is insecure, while it shows insecure after attack;

Apparently, the first and second scenarios are the most serious situations. We focus on these two scenarios in this paper and name them as fake secure signal attack and fake insecure signal attack respectively.

3.1 Fake secure signal attack

In fake secure signal attack, we focus on manipulating the fault condition into normal circumstance. In this scenario, open circuit fault condition is considered as the base case and causes overload situation. Shown as the first timeline in Fig. 3, the fault condition and state estimation procedure happen between two rounds of OPF. Once the online SSA shows insecure signal to the control center, the system operator will take corresponding actions immediately. However, when under attack, the attacker will deceive the state estimation and online SSA to show secure signal instead. As a consequence, necessary operations will not be taken then.

Fig. 3
figure 3

Schematic diagram of fake secure signal attack

Full size image

The mathematical model is formulated as:

$$ \hbox{min} \left\| {\varvec{a}} \right\|_{0} $$
(10)
$$ {\text{s.t.}} \,\,{\varvec{z}}_{bad} = {\varvec{z}} + {\varvec{a}} $$
(11)
$$ {\varvec{P}}_{ij} \,{ = }\,{\varvec{V}}_{i} {\varvec{G}}_{ij} + {\varvec{V}}_{i} {\varvec{V}}_{j} \left( {{\varvec{G}}_{ij} \cos \theta_{ij} + {\varvec{B}}_{ij} \sin \theta_{ij} } \right) $$
(12)
$$ {\varvec{Q}}_{ij} \,{ = }\,{\varvec{V}}_{i} {\varvec{B}}_{ij} + {\varvec{V}}_{i} {\varvec{V}}_{j} \left( {{\varvec{G}}_{ij} \sin \theta_{ij} + {\varvec{B}}_{ij} \cos \theta_{ij} } \right) $$
(13)
$$ {\varvec{P}}_{i}\, { = }\,{\varvec{V}}_{i} \sum\limits_{j = 1}^{n} {{\varvec{V}}_{j} } \left( {{\varvec{G}}_{ij} \cos \theta_{ij} + {\varvec{B}}_{ij} \sin \theta_{ij} } \right) $$
(14)
$$ {\varvec{Q}}_{i} \,{ = }\,{\varvec{V}}_{i} \sum\limits_{j = 1}^{n} {{\varvec{V}}_{j} } \left( {{\varvec{G}}_{ij} \sin \theta_{ij} + {\varvec{B}}_{ij} \cos \theta_{ij} } \right) $$
(15)
$$ {\varvec{a}}_{\rm min} < {\varvec{a}} < {\varvec{a}}_{\rm max} $$
(16)
$$ [{\varvec{z}}_{bad} - {\varvec{h}}\left( {\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} } \right)]_{{}}^{{T}} {\varvec{W}}[{\varvec{z}}_{bad} - {\varvec{h}}\left( {\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} } \right)] < {{\tau}} $$
(17)
$$ {\varvec{P}}_{ij\hbox{min} } < {\varvec{P}}\left( {\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} } \right) < {\varvec{P}}_{ij\,{\rm max} } $$
(18)
$$ {\varvec{Q}}_{ij\, {\rm min} } < {\varvec{Q}}\left( {\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} } \right) < {\varvec{Q}}_{ij\,{\rm max} } $$
(19)

where the measurement vector under no attack is expressed as \( {\varvec{z}} = [{\varvec{zP}}_{ij} ,_{{}}^{{}} {\varvec{zQ}}_{ij} ,_{{}}^{{}} {\varvec{zP}}_{i} ,_{{}}^{{}} {\varvec{zQ}}_{i} ]^{\prime} \) which is composed of the real and reactive measurements from transmission lines and bus nodes, i.e., \( {\varvec{zP}}_{ij} \), \( {\varvec{zQ}}_{ij} \), \( {\varvec{zP}}_{i} \) and \( {\varvec{zQ}}_{i} \), respectively. The vector of malicious data is expressed as \( {\varvec{a}} = [{\varvec{z}}{\bar{\varvec{P}}}_{ij}, {\varvec{z}}{\bar{\varvec{Q}}}_{ij} , {\varvec{z}}{\bar{\varvec{P}}}_{i} , {\varvec{z}}{\bar{\varvec{Q}}}_{i} ]^{\prime} \) which is the corresponding injection values to the real and reactive measurements on transmission lines and bus nodes, i.e., \( {\varvec{z}}{\bar{\varvec{P}}}_{ij} \), \( {\varvec{z}}{\bar{\varvec{Q}}}_{ij} \), \( {\varvec{z}}{\bar{\varvec{P}}}_{i} \) and \( {\varvec{z}}{\bar{\varvec{Q}}}_{i} \), respectively.

Equation (10) is the objective to find the vector of malicious data \( {\varvec{a}} \) with minimum number of non-zero values which means the attacker will manipulate less meters to achieve his/her goal. (11)–(15) are the equality constraints; (11) shows that the vector of measurement used for state estimation is manipulated as \( {\varvec{z}}_{bad} \); (12)–(15) are the network equations with \( {\varvec{P}}_{ij} \) and \( {\varvec{Q}}_{ij} \) represent the power flow on transmission line, \( {\varvec{P}}_{i} \) and \( {\varvec{Q}}_{i} \) represent the power flow on bus i; \( \theta_{i} \),\( \theta_{j} \) is the phase angle on node i; \( \theta_{ij} = \theta_{i} - \theta_{j} \); \( {\varvec{V}}_{i} \), \( {\varvec{V}}_{j} \) are voltage magnitude on node i and node j; \( {\varvec{G}}_{ij} \) and \( {\varvec{B}}_{ij} \) are the real and imaginary part of admittance matrix on element ij;

Equation (16)–(19) are the inequality constraints; (16) is the constraint for the vector of malicious data \( {\varvec{a}} \) with \( {\varvec{a}}_{\rm min} \) and \( {\varvec{a}}_{\rm max} \) as the lower and upper boundary. In practical applications, the determinations of these boundary values can be determined by analyzing the historical operation data of the utility; (17) shows the bad data detection should be satisfied although the original measurements are manipulated; In (17), \( {\varvec{h}}(\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} ) = [{\varvec{P}}_{ij} (\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} ),{\varvec{Q}}_{ij} (\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} ),{\varvec{P}}_{i} (\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} ),{\varvec{Q}}_{i} (\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} )]' \), \( W \)is a diagonal matrix, \( \tau \) is the bad data detection threshold; (18) and (19) show that the real and reactive power flow based on the estimated state variables on transmission lines should be within limit, with \( P_{ij\,{\rm min} } \), \( {\varvec{Q}}_{ij\,{\rm min} } \), \( {\varvec{Q}}_{ij\,{\rm max} } \) and \( {\varvec{Q}}_{ij\,{\rm max} } \) as the lower and upper boundary.

By solving the proposed mathematical model, the attacker can successfully convert the insecure signal into secure signal by injecting the malicious data \( {\varvec{a}} \). Since the necessary corrective actions are not taken, before operating the next round of OPF, the physical system may experience the following two kinds of situations:

Scenario 1: the overloaded transmission lines can survive for a period of time until the next round of OPF;

Scenario 2: the overloaded transmission lines cannot survive for a period of time until next round of OPF.

Apparently, scenario 2 is much more dangerous than scenario 1 because scenario 2 may cause chain reaction so that the system is pushed to an emergency condition, and may even cause blackout. As to which kind of influence the attack will make, depends on the specific network operation condition.

3.2 False insecure signal attack

In fake insecure signal attack, we focus on manipulating the normal situation into transmission line overload circumstance.

Shown as the first timeline in Fig. 4, the system operator will do nothing until the next round of OPF because the online SSA sends secure signal to the control center. However, when under attack, the secure condition is converted into insecure condition. As a consequence, firstly, the system operator will reschedule OPF immediately; secondly, based on the real-time monitoring by meters, the measurement values will be updated as the ones that reflect the condition after rescheduling. By re-estimating the system variable and redoing online SSA,if the SSA shows secure signal, the system operator will do nothing until the next round of OPF; otherwise, the system operator will believe that rescheduling is not helpful and will take corresponding actions according to the SSA result, mostly it will be the load shedding.

Fig. 4
figure 4

Schematic diagram of fake insecure signal attack

Full size image

Denoting the state estimation before rescheduling as the first round of state estimation, and the state estimation after re-scheduling as the second round of state estimation, whether the attacker injects malicious data into both rounds of state estimation depends on his/her purposes. In situation like this, the attacker will have the following two kinds of targets.

Target 1: The attacker launches fake insecure signal attack for the purpose of making the system operator do unnecessary rescheduling.

The attacker based on target 1 only need to focus on the first round of state estimation and online SSA. For injecting the appropriate malicious data that causes rescheduling, the mathematical model is formulated as

$$ \hbox{min} \left\| {\varvec{a}} \right\|_{0} $$
(20)
$$ {\text{s.t.}} \,\,{\text{Eq}}.(11)\sim {\text{Eq}}.(17) $$
(21)
$$ \exists {\varvec{P}}_{ij} > {\varvec{P}}_{ij\,{\rm max} } ,\,{\varvec{P}}_{ij} \in {\varvec{P}}_{ij} (\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} ) $$
(22)

where the explanation of (20) and (21) is similar with that of (10)–(17). (22) represents that as long as there is at least one calculated power flow out of limit, it is a valid attack. This model means by injecting the malicious data into original measurements, the SSA will always show that there is overloaded circumstance.

Target 2: The attacker launches fake insecure signal attack for the purpose of making the system operator perform unnecessary and costly load shedding.

Load shedding is a costly operation for the power grid. Usually, when the system is under the insecure situation, the operator would do re-scheduling to try to solve the problem. Only when re-scheduling does not work, load shedding is then taken as an emergency action to avoid the situation become worse. Different from target 1, target 2 requests the attacker has multiple injections. The attacker in this scenario not only needs to manipulate before the rescheduling, but also needs to manipulate after rescheduling. Normally, the attacker will solve model in (20)–(22) based on the measurement value after the first round of OPF, and solve model (20)–(22) again based on the updated measurement value after the rescheduling.

Shown in Fig. 4, the rescheduling is actually in between two rounds of OPF, followed by the second round of state estimation. The attacker should calculate the malicious data for the first and second round of state estimation based on the corresponding measurements. Therefore, by multiple injections, the attacker will successfully make the system take further corrective actions, i.e., load shedding.

Apparently, target 2 is much more dangerous to the power system than target 1 because implementing target 2 will cause costly load shedding. Usually, the system operator chooses to use the power transfer distribution factors (PTDFs) to determine the load shedding value for emergency measures. The PTDF is a sensitivity matrix that represents the sensitivities of branch flows to changes in nodal real power injections. The mathematical model is formulated as

$$ \hbox{min}\,{\varvec{c}}(\Delta {\varvec{P}}_{D} ) $$
(23)
$$ {\text{s.t.}} \,\Delta {\varvec{P}}_{bus} = \Delta {\varvec{P}}_{D} $$
(24)
$$ \Delta {\varvec{P}}_{f} = {\varvec{H}}_{nbr \times nb} \Delta {\varvec{P}}_{bus} $$
(25)
$$ {\varvec{P}}_{ij\,{\rm min} } < {\varvec{P}}_{ij} (\theta_{ij} ,{\varvec{V}}_{i} ,{\varvec{V}}_{j} ) - \Delta {\varvec{P}}_{f} < {\varvec{P}}_{ij\,{\rm max} } $$
(26)

where \( \Delta {\varvec{P}}_{D} \) is the vector of load shedding value; in (23), \( {\varvec{c}}( \cdot ) \) represents the cost function of load shedding; usually, it is a linear relationship between the cost and the load shedding value; (24) refers to the energy imbalance equation when shedding load, i.e., the vector of the decreased injected power \( \Delta {\varvec{P}}_{bus} \) equals to the decreased load value \( \Delta {\varvec{P}}_{D} \); (25) is the PTDF sensitivity model for the change in the real power flow in branches given a unit decrease in the power injected node, where \( {\varvec{H}}_{nbr \times nb} \) is the PTDF sensitivity matrix, and \( \Delta {\varvec{P}}_{f} \) is the corresponding decreased power flow; (26) shows that the power flows after load shedding should still be within limits.

3.3 Solution method

For the proposed fake secure signal attack and fake insecure signal attack models, intelligence algorithms are usually used to find the solutions. In this paper, differential evolution (DE) method is used to solve this problem. DE method is a simple and efficient heuristic algorithm to optimize certain properties of a system by pertinently choosing the system parameters [32]. In this paper, by applying DE algorithm, we are interested in finding the appropriate malicious data which will neither lead to system unobservable nor be detected by bad data detection when adding malicious data to the meter measurements within iteration time.

4 Simulation results

In this section, we simulate the problems of FDIAs on the SSA on the modified IEEE-39 benchmark system. All simulation programs presented in this paper are implemented on MATLAB using MatPower. The IEEE-39 bus system has 10 generators and 46 branches. Each transmission line deploys a meter which measures the corresponding real and reactive power flows. The bad data detection threshold is set to be 70.993 (freedom \( m - n = 46 \times 2 - 39 \); \( \alpha = 0.05 \)) in this paper. The maximum power flow on transmission lines is set to be 2 (p.u.). Table 1 shows the load value used by the OPF dispatch during this period of time. Table 2 is the DE parameter setting for solving the problem.

Table 1 Demand parameters of the IEEE-39 benchmark system
Full size table
Table 2 Differential evolution parameter setting for solving the models
Full size table

4.1 False secure signal attacks

In the case of fake secure signal attacks, the open circuit fault condition is assumed to happen on the 30th transmission line in IEEE-39 bus system.

With the demand value provided in Table 1, some of the actual power flows on transmission lines exceed the limit because of the fault condition, shown as the orange bar in Fig. 5. It is clearly seen that the open circuit fault condition causes overload on transmission line 3 and 25. When under no attack, the online SSA will immediately react to the situation and send insecure signal to control center. Then, control center will take corrective actions.

Fig. 5
figure 5

State estimation result with and without attack (fake secure signal attack)

Full size image

However, by injecting malicious data into the original measurements, the overloaded situation is manipulated within limit shown as the blue bar in Fig. 5. It is clearly seen that no line is in overload situation. Since the real power flow overload situation is of the most concern, we only compare the real power flow on transmission lines in this paper. Shown in Fig. 6, the orange bar represents the original real power flow measurements on transmission lines, while the blue bar represents the corresponding injection data. Consequently, the control center will do nothing during this period of time.

Fig. 6
figure 6

Measurement data and injection data (fake secure signal attack)

Full size image

4.2 False insecure signal attacks

In the case of fake insecure signal attack, no matter the attacker’s target is to make system do rescheduling or load shedding, he/she needs to manipulate the normal situation to overload situation by solving Equation (20)–Equation (22) based on the corresponding measurements. For the IEEE-39 bus system, the original real power flow measurements on transmission lines before re-scheduling are the values shown as the orange bar in Fig. 7. Then the state estimation calculates the corresponding state variables. As a consequence, the calculated power flow values are shown as the orange bar Fig. 8. It is clearly seen that the system is operating in good condition.

Fig. 7
figure 7

Measurement data and injection data (fake insecure signal attack)

Full size image
Fig. 8
figure 8

State estimation result with and without attack (fake insecure signal attack)

Full size image

However, by injecting malicious data (blue bar in Fig. 7) into the original real power flow measurement on transmission lines, the attacker causes fake overloaded situations shown as the blue bar in Fig. 8. It is clearly seen from Fig. 8 that the secure situation is converted into insecure situation with overload situation on transmission line 27, 33, 34, 35, 37, 39, 41 and 46.

Based on the insecure signal sent by the online SSA, the control center will do rescheduling. As discussed in Section 3, the attacker calculates the malicious data by solving (20)–(22) using the updated measurements, then injects malicious data after rescheduling. Load shedding is then implemented as an emergency measure. As shown in Table 3, the load shedding value for the IEEE-39 bus system is displayed, which is also calculated using DE algorithm. It can be seen from Table 3 that the total load shedding value is 123.65 MW. The unit load shedding cost is set to be \( 3.00 \times 10^{4} \) $/MW. Therefore, it takes the power system \( 3.71 \times 10^{6} \) $ as the extra increased cost which is actually unnecessary at all.

Table 3 The load shedding value of the IEEE-39 benchmark system
Full size table

5 Conclusions

The cyber-attack is a harmful threat to the security and economy of modern power system. This paper analyzes the influences of FDIA, which is a kind of cyber-attack, on the SSA based on nonlinear power flow model. It shows that the attacker can make confusions of the secure and insecure signal to the control center by injecting malicious data into meter measurements. The system operator is therefore operating based on the false information which would make economic losses and may even lead to blackouts. Therefore, researches on how will cyber-attacks manipulate the power system and what influences will cyber-attacks make to the power system would have significant importance to enhance power system security.