Keywords

1 Introduction

1.1 Overview

Transmission system is one of the most important assets in secure power delivery. Recent advancements toward automation of smart grids and application of supervisory control and data acquisition (SCADA) systems have increased vulnerability of power grids to cyberattacks. Cyberattacks on transmission network, specifically the power transmission lines, are among crucial emerging challenges for the operators. If not identified properly and in a timely fashion, they can cause cascading failures leading to blackouts. This chapter tackles false data injection modeling from the attacker’s perspective. It further develops an algorithm for detection of false data injections in transmission lines. To this end, first, a bi-level mixed integer programming problem is introduced to model the attack scenario, where the attacker can target a transmission line in the system and inject false data in load measurements on targeted buses in the system to overflow the targeted line. Second, the problem is analyzed from the operator’s viewpoint and a detection algorithm is proposed using l 1 norm minimization approach to identify the bad measurement vector in data readings. In order to evaluate the effectiveness of the proposed attack model, case studies have been conducted on IEEE 57-bus test system.

In recent years, as online monitoring devices have widely being developed and implemented in smart grids, cybersecurity has also become a more serious issue to be tackled. In addition, interconnection of power systems in different areas and development of advanced communication technologies to automate smart grid assets have made the grid more vulnerable to cyber-physical attacks. A cyberattacker can therefore inject computer viruses or anomalies to endanger the security and resiliency of the smart grid system [1,2,3,4]. Example of such attach includes Russian’s cyberattack on obtaining detailed data on nuclear power plants and water facilities in the USA in 2018 [6]. Another real-world example is the successful cyberattack by Russian hackers in December 2015 on the Ukraine power grid. In this cyberattack, 30 substations were switched off by hackers which resulted in a power outage of 1–6 h for almost 230,000 people [7].

Transmission lines are the most important assets in power delivery in smart grids, and if failed, can cause serious cascading problems leading to blackouts. One example of such cascading failure was a blackout in Italy that happened in 2004 [8]. Cyberattacks on transmission lines are normally designed to overflow a line or series of lines with the aim of cascading failures. Such transmission line congestion can be achieved if an attacker injects false data on load measurements without being detected by bad data detection algorithms in state estimation process. Recent studies show that by having information on the topology of the system, these false data injections can be designed in a way to bypass state estimation methods without being detected [9,10,11]. Thus, to protect the smart grid against these vulnerabilities and increase the resiliency of the system, it is crucial to understand the problem from attacker’s point of view and develop models that account for various attack scenarios in transmission line congestion.

A few studies developed models for false data injection attacks with the aim of bypassing state estimation in smart grids [12,13,14,15,16,17]. For instance, [12] extensively modeled false data injection attacks which could not be detected by DC state estimation algorithms. It was shown that if the injected false values in load buses follow system’s admittance matrix (B), the attack can be successful. To identify the worst attacking strategy in false data injection attacks, a heuristic algorithm was developed in [14]. Furthermore, an attack model was formulated in [16] that would allow the attacker to make profits in real-time markets. Moreover, a comparison between few bad data detection algorithms were reported in [17]. Although these studies provided a full insight to false data injection problems in smart grids, they did not focus on transmission line congestion and also would require the attacker to have complete access to the system, which was not realistic.

There are also several studies which aimed to generalize false load data injection attacks by focusing on incomplete power system models and limited access by the attackers [18,19,20,21,22]. For example, a practical model on false data injection attack was introduced in [19]. Physical constraints of the smart grid system were considered to formulate the model. The model was developed based on the fact that the attackers could not alter the generator output powers. As a result, the power balance needed to be met continuously. Furthermore, an attack model was developed in [18], which only relied on the data and the topology of a local targeted region that could bypass the bad data detection algorithm. Recent studies showed that mixed integer linear programming (MILPs) modeling of the cyberattacks is the most suitable and practical modeling procedures for false data injection attacks [19, 21]. Several studies introduced MILP attack models to initially maximize the system costs [20, 22]. Nevertheless, the main focus of these studies were on attacks which maximized the system costs, and attacks on transmission lines’ congestion were not considered.

In [23], in order to overflow transmission lines, a tri-level MILP solution was developed. This model took into account the security constrained economic dispatch problem to find an optimal strategy to overflow multiple targeted transmissions lines through data falsification. Although this model is effective for the scenario in which attacker has access to all lines, in realistic scenarios attacker does not have access to all buses. Due to complexity of tri-level model, it increases the complexity of protection schemes as well. In order to tackle the complexity issues regarding the model in [23], a bi-level MILP model was proposed in [24]. This model also ignored some practical limits. Optimal injection on load buses was not modeled in this study, i.e., there is no specific strategy to choose the most vulnerable bus from attacker’s perspective. In practice, this may not be possible due to limited access to a part of network.

This study addresses two cybersecurity problems from two completely different perspectives: (1) optimal attack strategy from the attacker’s viewpoint, (2) state estimation to identify bad data injection considering presence of cyberattacks from operator’s viewpoint. The main advantages of the presented MILP approach for the attacker are:

  • Optimizing false data injections rather than number of target buses to achieve a more realistic attack model to overflow the transmission lines.

  • Restricting transmission line overflow to a certain upper limit to prevent unrealistic spike in line flow, e.g., two times as compared with normal operating scenario in some cases [24].

  • Making the realistic assumption that all lines/buses may not be accessible to the attacker. To this end, our model assumes attacking to a target load bus without being detected by the operator.

  • Developing a bi-level MILP model as an alliterative to tri-level methods. This simplifies protection scheme in resilient power system studies. Further, we have included load injection limits to outperform the bi-level model in [24].

More importantly, this chapter proposes a detection framework that identifies the false data injections in smart grids, this has never been studied in the existing literature.

The organization of this chapter is as follows. Section 8.2 provides the preliminaries regarding DC power flow model. Section 8.3 explains the false data injection attacks and their effect on smart grid state estimation. Section 8.4 explores a bi-level MILP model to find the optimal strategy of an attacker in transmission networks. Section 8.5 is devoted to the operator’s strategy for bad data injection identification using sparsity-based decomposition. Section 8.6 includes the case studies on IEEE 57-bus benchmark model, followed by Sect. 8.7 that concludes the paper. The overall structure of this study is provided in Fig. 8.1.

Fig. 8.1
figure 1

Overall structure of this study: exploring the cyberattack from attacker’s and operator’s perspectives

Full size image

2 DC Power Flow Model

Here, we provide the preliminaries for DC power flow formulation. This notation is used both for finding the optimal cyberattack strategy for the attacker and developing a bad data detection method for the operator.

The following assumptions are made due to the physical characteristics of transmission networks to obtain linear DC power flow formulation as opposed to nonlinear AC power flow model:

  1. 1.

    Due to the high XR ratio in transmission networks, only the inductive component of impedance is considered [25], i.e., R ij = 0 for all lines.

  2. 2.

    Voltage mismatch among neighboring (connected) buses is negligible, i.e., δ i − δ j ≈ 0; hence, we can make the following approximations \(\cos (\delta _i-\delta _j) \approx 1\) and \(\sin (\delta _i-\delta _j) \approx 0\).

  3. 3.

    Due to the low voltage deviation in transmission networks, all voltage magnitudes are set to 1 p.u.

Newton–Raphson power flow method is the most suitable approach to solve the power flow equations due to its quadratic convergence. DC power flow is a simplified version of decoupled power flow by further dropping the Q −|V | equations and assuming a constant voltage profile for all the buses in the system. Therefore, it is assumed that |V i| = 1 p.u. for all the buses. Assuming the system has N buses and bus number 1 is the slack bus (e.g., \(V_1=1\angle 0\) p.u.), the decoupled power flow can be modeled by

$$\displaystyle \begin{aligned} \begin{bmatrix} \varDelta P \\ \varDelta Q \end{bmatrix}= \begin{bmatrix} J_1 & 0 \\ 0 & J_4 \end{bmatrix} \begin{bmatrix} \varDelta \theta \\ \varDelta |V| \end{bmatrix} \end{aligned} $$
(8.1)

where ΔP = [ΔP 2, ΔP 3, …, ΔP N] and ΔQ = [ΔQ 2, ΔQ 3, …, ΔQ N] are vectors representing the mismatch between the scheduled and calculated active/reactive powers (e.g., \(\varDelta P_i=P_i^{\mathrm {sch}}-P_i^{(k)},\ \varDelta Q_i=Q_i^{\mathrm {sch}}-Q_i^{(k)}\)), J 1 and J 4 are elements of Jacobean matrix represented by

(8.2)

Disregarding the resistance of transmission lines, this model can be further simplified to the DC power flow formulation as,

$$\displaystyle \begin{aligned} \begin{bmatrix} \varDelta P_2 \\ \vdots \\ \varDelta P_N \end{bmatrix}=\begin{bmatrix} B_{11} & B_{12} & B_{13} & \dots & B_{1N} \\ B_{21} & B_{22} & B_{23} & \dots & B_{2N} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ B_{N1} & B_{N2} & B_{N3} & \dots & B_{NN} \end{bmatrix} \begin{bmatrix} \varDelta \theta_2 \\ \vdots \\ \varDelta \theta_N \end{bmatrix} \end{aligned} $$
(8.3)

where \(B_{ik}=-\dfrac {1}{x_{ik}}\) and \(B_{ii}=\sum _{i=1}^N \dfrac {1}{x_{ik}}\), and x ik is the reactance of the transmission line between bus i and bus k. In a matrix form, the DC power flow is formulated as

$$\displaystyle \begin{aligned} P-D=B\theta \end{aligned} $$
(8.4)

where P is the vector of generated active powers and D is the demand vector in the system. The power flow in transmission lines between bus i and k using DC power flow is formulated by

$$\displaystyle \begin{aligned} P_{ik}=\dfrac{1}{x_{ik}}(\theta_i-\theta_k) \end{aligned} $$
(8.5)

3 False Data Injection Attacks Based on DC State Estimation

In smart grids, the supervisory control and data acquisition is in charge of estimating the parameters of the system based on received phasor measurement unit (PMU) measurements. This is mainly to ensure an error-free measurement by running a bad data detection algorithm in state estimation process. State estimation is the process of using sample measurements to calculate the values of state variables in power systems. In DC power flow, since the only variables are bus voltage angles, the objective of state estimation is to estimate the bus voltage angles using measured values. The maximum likelihood criterion is normally used to estimate the parameters of the system in this case. The objective of maximum likelihood criterion is to maximize the probability that estimated value (\(\hat x\)) is the true value of the state variable x. This can be formulated as

$$\displaystyle \begin{aligned} P(\hat{x})=x \end{aligned} $$
(8.6)

In the maximum likelihood criterion, it is assumed that the probability density function (PDF) of the random measurement errors is known. However, if the PDF of sample measurements is assumed to follow a normal (Gaussian) distribution function, the least square estimates can be used to estimate the states of the system [26]. Therefore, if a single parameter, θ, is to be estimated using N m measurements, the objective is to [26]

$$\displaystyle \begin{aligned} \mathrm{min} \ \sum_{i=1}^{N_m} \dfrac{\left[\theta_i^{\mathrm{meas}}-f_i(\theta)\right]^2}{\sigma_i^2} {} \end{aligned} $$
(8.7)

where f i(θ) is the function used to calculate the bus voltage angles, which is equal to in DC power flow. It is noted that H is an N m × N s matrix of the coefficients of linear function f i(θ) and is related to transmission line reactances. Furthermore, \(\sigma _i^2\) is the variance of ith measurement, \(\theta _i^{\mathrm {meas}}\) is the measured bus voltage angle, and N m is the total number of measurements in the system. By converting (8.7) to matrix form, the problem can be written as [26]

$$\displaystyle \begin{aligned} \mathrm{min} \ J(\theta) =[\theta^{\mathrm{meas}}-H\theta ]^TW^{-1}[\theta^{\mathrm{meas}}-H\theta ] {} \end{aligned} $$
(8.8)

where J(θ) is the measurement residual, and θ meas and W are defined as

$$\displaystyle \begin{aligned} \theta^{\mathrm{meas}}= \begin{bmatrix} \theta_1^{\mathrm{meas}} \\ \theta_2^{\mathrm{meas}} \\ \vdots \\ \theta_{N_m}^{\mathrm{meas}} \\ \end{bmatrix}, W= \begin{bmatrix} \sigma_1^2 & & & \\ &\sigma_2^2 && \\ &&\ddots& \\ &&& \sigma_{N_m}^2 \end{bmatrix} \end{aligned} $$
(8.9)

To find the minimum of J(θ) in (8.8), the gradient of measurement residual must be zero (e.g., ∇J(θ) = 0), this will result in a solution of estimated values

$$\displaystyle \begin{aligned} \hat{\theta} =[H^TW^{-1}H]^{-1}H^TW^{-1}\theta ^{\mathrm{meas}} \end{aligned} $$
(8.10)

After deriving the estimated values, the SCADA system normally runs a bad data check to calculate the two-norm value of the mismatch between the estimated values and measured values. If the error is greater than the threshold, the bad data is detected. It was proved in [23] that an attacker can bypass the bad data detection algorithm if the false data is designed to satisfy

$$\displaystyle \begin{aligned} \varDelta z=H\varDelta \theta {} \end{aligned} $$
(8.11)

where Δθ is the change in the bus voltage angles, and Δz is the change in the measurement vector due to the false data injection.

It should be noted that the successful attack might not be guaranteed, this is because of the fact that after the false data injections, the control center should adjust the generation powers for an optimal power flow that results in a lower system cost. The economic dispatch problem will then be run in presence of false data injection, which results in a new transmission flow that deviates from normal load flow results. Since the economic dispatch might have multiple solutions, the success of attack cannot be guaranteed [23]. The main assumptions for false data injection attacks due to system limitations can be listed as [27]:

  • The synchronous generator readings cannot be altered

  • The measurement tampering on each load is limited within its nominal rating

  • Power balance, which is a mismatch between the generation and load, should always be met

These limitations will mathematically be modeled and included in the cyberattack problem to be formulated in the next section. It is also assumed that the attacker has limited access to the system buses for false data injection. Therefore, a subset of all system buses (F) that the attacker can access is defined to highlight the fact that the attack can only be done on the subset. In addition, to avoid supply–demand violation, sum of injected powers by the attacker has to be zero, this can be formulated as

$$\displaystyle \begin{aligned} \sum_{i \in F} \varDelta D_i=0 \end{aligned} $$
(8.12)

where ΔD i is false active power injection at bus i. To account for limited injection on each measurement, a new constraint has to be defined,

$$\displaystyle \begin{aligned} -\tau D_i\leq \varDelta D_i \leq \tau D_i \end{aligned} $$
(8.13)

where τ is the limit on the maximum injection and is considered as 15% in this study, and D i is the nominal load at bus i.

4 Attacker’s Problem: Finding the Optimal Set of Target Transmission Lines using MILP

In this section, the attacker’s problem is modeled as a bi-level mixed integer linear programming (MILP) optimization model, where an attacker can target a transmission line and overflow the targeted line by injecting false data on targeted buses. The assumption is that the attackers have enough information on topology of the system to conduct attacks; however, they might not have access to all buses in the system. The attacker’s problem is designed in a way that the transmission flow of a targeted line always exceeds the maximum thermal limit of the line after running the security constraint economic dispatch problem. As a result, regardless of the economic dispatch solution (it might have multiple solutions), the targeted line will always be overflowed. Another assumption of this problem is that all generating units are online in the period of false data injection. Thus, instead of unit commitment, economic dispatch is formulated.

$$\displaystyle \begin{aligned} \mathrm{min} \ & \sum_{i \in F} \varDelta D_i {} \end{aligned} $$
(8.14)
$$\displaystyle \begin{aligned} s.t.\ \ &P_{ij}^{t} +U_iM \geq \alpha P_{ij}^{\max} {} \end{aligned} $$
(8.15)
$$\displaystyle \begin{aligned} &-P_{ij}^{t} +(1-U_i)M \geq \alpha P_{ij}^{\max} {} \end{aligned} $$
(8.16)
$$\displaystyle \begin{aligned} & -1.2 \leq \dfrac{P_{ij}^{t}}{P_{ij}^{\max}} \leq 1.2 {} \end{aligned} $$
(8.17)
$$\displaystyle \begin{aligned} &\sum_{i \in F} \varDelta D_i=0 {} \end{aligned} $$
(8.18)
$$\displaystyle \begin{aligned} &-\tau D_i\leq \varDelta D_i \leq \tau D_i {} \end{aligned} $$
(8.19)
$$\displaystyle \begin{aligned} &P-(D+\varDelta D) = B\theta^t {} \end{aligned} $$
(8.20)
$$\displaystyle \begin{aligned} & P_{ij}^{t}=\dfrac{\theta_i^t-\theta_j^t}{x_{ij}} {} \end{aligned} $$
(8.21)
$$\displaystyle \begin{aligned} &-2\pi\leq \theta_i^t \leq 2\pi {} \end{aligned} $$
(8.22)
$$\displaystyle \begin{aligned} \mathrm{min} \ &\sum_{i=1}^{n_G} C_{g,i}(P_{G,i}) {} \end{aligned} $$
(8.23)
$$\displaystyle \begin{aligned} s.t. \ \ & C_{g,i}(P_{G,i})=a_i+b_iP_{G,i}+c_iP_{G,i}^2 {} \end{aligned} $$
(8.24)
$$\displaystyle \begin{aligned} & P-(D+\varDelta D) = B\theta^f {} \end{aligned} $$
(8.25)
$$\displaystyle \begin{aligned} &P_{G,i}^{\min}\leq P_{G,i} \leq P_{G,i}^{\max} {} \end{aligned} $$
(8.26)
$$\displaystyle \begin{aligned} &-P_{ij}^{\max} \leq \dfrac{\theta_i^f-\theta_j^f}{x_{ij}} \leq P_{ij}^{\max} {} \end{aligned} $$
(8.27)

The developed MILP problem is separated into two sub-problems known as upper level and lower level problems. The upper level problem formulates the attack using a given power flow results and outputs the injection vector on targeted lines to ensure bypassing the bad data detection method in DC optimal power flow. The lower level problem formulates the DC economic dispatch problem with false data injections to retain the operation of power system within the desired limits. The problem is shown in (8.14)–(8.27).

The upper level objective function (8.14) is designed to find the minimum injections needed in a subset of targeted buses (F). The main target of the attacker is to overflow a targeted transmission line, it is also noted that the transmission line flow can be bi-directional, this can be formulated as

$$\displaystyle \begin{aligned} |P_{ij}^{t}| \geq \alpha_l P_{ij}^{\max} {} \end{aligned} $$
(8.28)

where \(|P_{ij}^{t}|\) is the transmission flow between bus i and j, the absolute value is used to reflect the fact the flow can be bi-directional, \(P_{ij}^{\max }\) is the maximum thermal limit of the line between bus i and j, and α is a number greater than 1 to ensure the transmission line flow will be greater than the limit. Due to the existence of absolute value in the constraint (8.28), the problem becomes nonlinear. To solver the issue, this constraint can be linearized by introducing a binary variable U i and a large enough constant M. The linearization will result in two constraints shown in (8.15) and (8.16). The readers are encouraged to refer to [28] for more information on linearizing the constraints with absolute value using the big M method.

Constraint (8.17) enforces the overflow to be within 20% of maximum power flow, although the main target is to overflow a line, to avoid being detected by the operator, the max flow should be limited. Constraint (8.18) is designed to ensure the power balance is always met; therefore, summation of all the injections should be zero at any moment. Constraint (8.19) refers to the fact that an attacker cannot inject any amount of data at any load bus; therefore, the false injected power at any bus is limited to τ% of the nominal load at that bus. Constraint (8.20) ensures bypassing the bad data detection. As it was mentioned in (8.11), the attacker can bypass the DC state estimation without being detected if the injected data is designed based on (8.11). By rearranging (8.20),

$$\displaystyle \begin{aligned} (P-D)+\varDelta D=B\theta+ B\varDelta \theta {} \end{aligned} $$
(8.29)

where Δθ is the change in the bus voltage angles due to false data injection. Knowing the fact that P − D = , (8.29) can be simplified to (8.11). Constraints (8.21) and (8.22) relate the transmission flow to maximum allowable limits of bus voltage angles. The lower level problem is the economic dispatch problem based on DC power flow, which is formulated through (8.23)–(8.27). In the lower level problem, the objective is to minimize the generation cost for all n G generators in the system. It is assumed that the generating units do not contain several control valves. Hence, the “convex” cost function of the generators is represented by \(a_i+b_iP_{G,i}+c_iP_{G,i}^2\), where P G,i is the active power generated by generator i, and a, b, and c are cost function constants (constraint (8.24)). Constraint (8.25) represents the power balance equation in presence of false data injection, constraints (8.26) and (8.27) ensure the generator powers and transmission line flows are within the limit after injection, where x ij is the reactance of the transmission line between bus i and j.

4.1 Identifying Feasible Attacks

Realistically, physical limitations of power systems and solution of economic dispatch problem limit the feasibility of the attacks from attacker’s point of view. In other words, it is impractical to target all the transmission lines in the system and only a few lines might be practically targeted at any moment. Therefore, the attacker’s first step is to recognize the feasible attacks and then inject data on selected buses (targeted buses) to overflow those lines that can result in a feasible solution. An algorithm is defined to identify the feasible solution of overflowing transmission lines in the system. The model requires the power flow data from previous step to result in a successful subset of transmission line numbers that can be targeted without violating the bad data detection algorithm in state estimation procedure. The flowchart of the proposed algorithm that results in feasible solutions of the line overflows is shown in Fig. 8.2.

Fig. 8.2
figure 2

Flowchart of the proposed BMILP program for line overflow feasibility in

Full size image

5 Operator’s Problem: Bad Data Detection to Prevent Outages Caused by Cyberattack

In the previous section, we explained the algorithm for finding the optimal attack strategy from attacker’s perspective. Successful attack will affect the result of DC power flow problem. Power system operator is responsible for maintaining situational awareness, as well as ensuring resilient and secure energy delivery by identifying these attacks and deploying preventive measures [29]. In this section, we focus on a specific algorithm to identify bad data injection attacks, i.e., attacks that manipulate the measurement vector to falsify the real values used for DC power flow calculation in transmission networks. The main idea is to design a state estimator which is robust to error/attack in the measurement vector while obtaining the power flows. This estimator leverages the structure of admittance matrix to efficiently identify bad data injection attacks.

The following section is devoted to the details of this state estimator. To this end, we build on the proposed sparsity-based error detection algorithm proposed in [30]. This algorithm leverages the singularity of B matrix due to the geographically dispersed transmission networks, as well as the sparse nature of estimation error vector. Sparsity-based cyberattack detection algorithm is based on the following steps:

  1. 1.

    Reformulating the DC power flow problem into a sparse vector recovery problem

  2. 2.

    Deploying l 1-norm minimization approach [31]

  3. 3.

    Obtaining the bad data elements in the measurement vector

  4. 4.

    Identifying bad data injection attacks and measurement error given the normal distribution of measurement noise

There is a low dimensional structure in most of the collected data and measurements in real-world applications, including DC power flow problem. This has been leveraged by some of the prior studies to improve sparse vector recovery [31, 32], e.g., they have explored sparse vector recovery in case of having limited available measurements. In order to recover an N-dimensional sparse vector, these algorithms do not necessarily require N data points [32, 33].

Candes et al. [32] proposed a sparse vector recovery algorithm that only needs a minor portion of random orthogonal projection [30]. Let \(\mathbf v \in \mathbb {R}^{N}\) denote an arbitrary sparse vector with its number of non-zero components defined as l 0-norm, i.e., ∥v0. We define set of orthonormal basis matrix as \(\mathbf O \in \mathbb {R}^{N \times N}\). We have

$$\displaystyle \begin{aligned} \begin{array}{rcl} \mathbf O^T \mathbf O = \mathbf I, \end{array} \end{aligned} $$
(8.30)

where I represents identity matrix. We represent a set of random columns from O as \(\mathbf M \in \mathbb {R}^{N \times m}\). We further let μ denote the lowest value that meets the following inequality:

$$\displaystyle \begin{aligned} \begin{array}{rcl} \underset{i}{\max} \|\mathbf M^T\mathbf e_i\|{}_2 \leq \frac{\mu m}{N} , {} \end{array} \end{aligned} $$
(8.31)

where e i denotes a standard basis. Note that the dimension of space is N × m. Small values of μ refers to the fact that the subspace corresponding to columns of M is not in the same direction as standard basis. The orthogonal matrix M is used to measure the sparse vector. As we use this matrix to measure sparse vector, it should not be sparse.

According to [32], if

$$\displaystyle \begin{aligned} \begin{array}{rcl} m \ge c \| \mathbf v \|{}_0 \mu \log \frac{N}{\delta} {} \end{array} \end{aligned} $$
(8.32)

where c is a constant, then, solution of following optimization problem

$$\displaystyle \begin{aligned} \begin{array}{rcl} \begin{aligned} &\displaystyle \underset{\hat{\mathbf z}}{\min} &\displaystyle &\displaystyle \| \hat{\mathbf z}\|{}_1 \\ &\displaystyle \text{subject to} &\displaystyle &\displaystyle \mathbf M^T \hat{\mathbf z} = \mathbf M^T \mathbf v \end{aligned} \end{array} \end{aligned} $$
(8.33)

is the same as v with a lower probability bound of (1 − δ), i.e., we can reconstruct the N-dimensional vector given a limited set of random measurements [34].

Given the above-mentioned preliminaries on sparse vector recovery, we now explain the sparsity-based decomposition algorithm for bad data injection in DC power flow calculation [30]. In the B matrix, due to the row corresponding to slack bus, there is at least one row which can be obtained as linear combination of the other rows, i.e., B matrix is not full rank. Let r B denote rank of B matrix. Hence, we can reformulate DC power flow problem as p = Qθ + 𝜖, where \(\mathbf Q \in \mathbb {R}^{\aleph \times r_B}\) represents orthonormal basis for column subspace of B matrix. Conventionally, in order to estimate the coefficient vector, which is equivalent to the voltage angles vector in DC power flow problem (i.e., θ ) least square approach is used as follows:

$$\displaystyle \begin{aligned} \begin{array}{rcl} \underset{\hat{\theta}}{\min} \, \, \| \mathbf p - \mathbf Q \hat{\theta} \|{}_2 {} \end{array} \end{aligned} $$
(8.34)

The optimization problem in (8.34) basically projects p on the columns subspace of Q. Hence, the effectiveness of the estimator depends on the noise vector 𝜖 and its projection on column subspace of B matrix. Note that noise vector aims at modeling the natural measurement noise in normal situation. However, in presence of attackers (e.g., the attack scenario that has been introduced in previous section) or measurement anomalies (e.g., communication failure or defective equipment), some elements of this vector will have abnormal value.

We assume that the error/attack vector 𝜖 is a sparse vector, i.e., attackers cannot manipulate all measurements at the same time. As opposed to l 2-minimization, l 1-minimization methods are adaptive in presence of sparse error/attack vector [34, 35], i.e., if 𝜖 is sufficiently sparse and Q meets incoherency criterion [31, 35], solution of

$$\displaystyle \begin{aligned} \begin{array}{rcl} \underset{\hat{\theta}}{\min} \, \, \| \mathbf p - \mathbf Q \hat{\theta} \|{}_1 {} \end{array} \end{aligned} $$
(8.35)

is θ.

In the proposed sparsity-based decomposition algorithm in [30], based on the sparsity assumption for B matrix, r B < . If \(\mathbf Q^{\perp } \in \mathbb {R}^{\aleph \times (\aleph - r_B)}\) represent the matrix that complements the column subspace of Q, according to [31, 35], we can rewrite (8.35) as

$$\displaystyle \begin{aligned} \begin{array}{rcl} \begin{aligned} &\displaystyle \underset{\hat{\mathbb{\epsilon}}}{\min} &\displaystyle &\displaystyle \| \hat{\mathbb{\epsilon}}\|{}_1 \\ &\displaystyle \text{subject to} &\displaystyle &\displaystyle (\mathbf Q^{\perp})^T \hat{\mathbb{\epsilon}} = (\mathbf Q^{\perp})^T \mathbf p \end{aligned} {} \end{array} \end{aligned} $$
(8.36)

If the following inequality holds,

$$\displaystyle \begin{aligned} \begin{array}{rcl} (\aleph - r_B) \ge c \| \mathbb{\epsilon}\|{}_0 \mu_B \log \frac{N}{\delta} \end{array} \end{aligned} $$
(8.37)

then, with a lower bound probability of (1 − δ), the optimal solution of (8.36) is θ, where μ B is obtained using the following:

$$\displaystyle \begin{aligned} \begin{array}{rcl} \underset{i}{\max} \|(\mathbf Q^{\perp})^T_i\|{}_2 \leq \frac{\mu_B (\aleph - r_B)}{\aleph} \end{array} \end{aligned} $$
(8.38)

Consequently, given the assumption regarding low rank of B matrix ((− r B) is fairly large), the optimization problem in (8.35) can find the exact estimation.

6 Case Studies

The proposed BMILP cyberattack model is validated in IEEE 57-bus benchmark model using MATLAB. The parameters of the system are derived from MATPOWER toolbox, which is an open access MATLAB toolbox used for load flow studies [36]. The maximum flow limits (\(P_{ij}^{\max }\)) for IEEE 57-bus system were not provided in the toolbox, and it was considered to be 120 MW for each transmission line. The structure of the system is illustrated in Fig. 8.3, the system is composed of 7 generators, 80 transmission lines, and 42 loads. The upper level problem for best scenario false data injection attacks represented in (8.14)–(8.22) is solved using (“intlinprog”) function of MATLAB, which is designed to solve mixed integer linear programming problems. The lower problem represented in (8.23)–(8.27) involves a nonlinear objective function and therefore, a nonlinear solver of MATLAB named (“fmincon”) is used to solve the lower level problem. A few case studies are carried out in the following sections.

Fig. 8.3
figure 3

Schematic of the IEEE 57-bus system studied in this work; transmission lines highlighted by red color indicate the potential lines that can be targeted by attackers. The highlighted area is used to illustrate the effect of gaining access to a complete area in the system

Full size image

6.1 Feasibility of Line Overflow

Due to the physical limitations imposed on cyberattacks and false data injections, the attackers cannot target any transmission line in the system. For example, the factor τ limits the injection on each load to 15% in this study. Furthermore, the flow of a line cannot exceed 120% of the maximum limit (1.2 × 120 MW). These limitations will leave the attackers with few options to overflow. The proposed attack model in (8.14)–(8.27) can be run for all the buses in the system in order to identify a list of transmission lines that can be overflowed successfully. In this case study, the algorithm was run for all 80 transmission lines in the IEEE 57-bus system to identify a list of lines to be targeted for overflowing. To solve this problem, the objective function in (8.14) is run for all buses in the system instead of a subset F of system buses. This means, the subset F is considered as i = 1, 2, …, 57.

Test results for the list of feasible attacks on targeted transmission lines to overflow in IEEE 57-bus system are illustrated in Table 8.1. It is seen that four transmission lines can be targeted in this system by attackers, which includes transmission lines number 3, 15, 37, and 79. The second and third column represent that each line number is assigned based on the MATPOWER data from one bus to another, and the last column shows the value of the binary variable for overflowing the line (U i). These transmission lines are highlighted by red color in IEEE 57-bus system depicted in Fig. 8.3. It is worth mentioning that the results in Table 8.1 are only valid for the conditions considered in this case (e.g., τ = 15%, α = 1.01). Therefore, the results might change if the security constraints in (8.15), (8.16), and (8.19) are relaxed.

Table 8.1 Feasibility of line overflow in IEEE 57 case
Full size table

6.2 Targeted Attack on Line 15

This case investigates targeted attacks to overflow transmission line number 15, which connects bus 1 to bus 15 in IEEE 57-bus system as shown in Fig. 8.3. Since the attacks are targeted, the attacker can target any set of buses to inject false data and overflow this line. Ideally, the attacker would access buses close to the targeted line and inject data. A few set of feasible solutions to overflow line number 15 is shown in Table 8.2. Three different combinations are considered to overflow line 15, in the first scenario, the attacker targets buses 12, 44, 47, and 49 that are very close to the targeted transmission line. In the second case, the attacker targets buses 8, 9, and 12, and finally, it is shown that if the attacker only targets buses 9 and 12, the attack can successfully be done. Table 8.2 shows the attack results for these three test scenarios. It is noted that the attackers target specific buses in the system that they can access and the program outputs the minimum injections needed to overflow the targeted transmission line. It is observed that the targeted line 15 is overflowed in all three cases as its power flow (P 15) is more than 120 MW limit. The last two columns show the cost of the system with no attack and after attack, it can be inferred from the Table 8.2 that in case 2 and 3, the system cost is less with data injections, compared to the no data injection case, which might trick the operator to choose this scenario as an acceptable economic dispatch case study.

Table 8.2 False data injection on buses to overflow line 15
Full size table

6.3 Severe Attack on an Area

This case study considers a severe false data injection attack, where the attacker(s) can access an area in the power system and can inject false data in any bus within that area. This concept is illustrated in the highlighted area shown in Fig. 8.3. The attacker targets line 15 and injects data on buses 1, 12, 13, 16, 17, and 49 within the area. Results of false data injection on the whole area are illustrated in Table 8.3. The false data injections are also shown in second and fourth column for each bus. It is observed that the attack can successfully overflow line 15 and the cost of operation has also increased after the attack.

Table 8.3 False data injection on buses to overflow one area
Full size table

7 Conclusion

In this chapter, a framework was proposed to initially model the false data injection attacks on smart grids with the aim of transmission line congestion on targeted buses and eventually proposed a detection framework to detect such injections. A bi-level mixed integer programming problem was considered for the attacker’s problem that would allow attackers to target a transmission line in the system and inject false data on targeted buses in vicinity of the targeted transmission line to cause congestion without being detected by DC state estimation algorithm. Through case studies, it was shown that the proposed attack model results in a list of available transmission lines to overflow. Furthermore, it was shown that the attacker can inject false data on selected buses or buses in a hacked area in the system to overflow a targeted line. To detect these attacks, a detection framework from operator’s point of view is also developed that uses l 1 norm minimization to identify the bad measurement vector. The proposed model can easily be integrated to the security constraint economic dispatch problem in order to protect the smart grid against transmission lines congestion cyberattacks. Future research will focus on (1) validating the detection algorithm in IEEE benchmarks, (2) proposing a framework that would protect the system against congestion attacks on multiple lines at the same time, and (3) introducing market frameworks in which market participants can gain profit by contributing to mitigation of system congestion caused by cyberattacks.