19.1.1.1 Vertical Structure

Modern power systems can be dissected into three layers: (i) a physical power grid (denoted as the grid), including generators, power delivery equipment, and lines, loads, and protective devices; (ii) a control layer, including central and local decision-making units; and (iii) a monitoring layer, including meters, actuators, and hardware to store and transmit measurements (see Figure 19.1). In the context of cyber–physical systems, the power grid is physical, whereas the monitoring and control layers are its cyber subsystems. The monitoring layer collects, transmits, processes, and analyzes the measurement over various service areas and at various rates. The control layer determines the current system status based on processed measurements and makes decisions accordingly. These decisions are passed onto intelligent electronic devices (IEDs), which finally trigger mechanical actions on the (physical) grid.

The interaction of this layered structure may be illustrated by an example of loss minimization in a local distribution grid. On the monitoring layer, nodal meters measure voltage and current values and transmit them through the supervisory control and data acquisition (SCADA) system [5]. On the control layer, the processed voltage and current values are input to the loss minimization algorithm in the distribution management system (DSM) software. Finally, on the grid, the voltage regulators receive control commands and change their tap positions accordingly. Following the voltage adjustment, power flows on the grid are redistributed, rendering minimum power delivery losses.

The physical grid consists of four sections: the generation section where primary energy is converted into electric power (electricity), transmission and distribution sections that transport this power, and the load section that uses power. Cities rarely host the generation and transmission sections. Large generating units are usually located outside densely populated areas. Urban electric grids take in power from their upstream transmission networks, transform it into lower voltages, and deliver it to commercial centers, small enterprises, residential users, factories, and municipal departments; they mainly consist of the distribution and load sections. Because of their function, we refer to the part of power systems in cities, including both its physical and cyber subsystems, as power delivery systems.

19.1.1.2 Transmission

The transmission system (above 138 kV) transports power from generating units to all the power delivery systems within its operation region. Events striking power systems at the transmission level, if not mitigated in time, may roll on to cascading blackouts to downstream power delivery systems. The transmission network is composed of power lines and stations/substations. In cities where real estate is valuable and transmission towers cannot be afforded, transmission lines sometimes adopt insulated cables buried underground.

19.1.1.3 Station and Substation

The connection between power delivery systems and transmission systems occurs at distribution substations. Stations and substations are common targets of both physical and cyber attacks. Stations and substations house transformers, switchgear, measurement instrumentation, and communication equipment. High-voltage (HV) transformers carry 60–70% of the nation's electricity. They are designed and manufactured to custom specifications for a specific network application. If an HV transformer is damaged, replacement could take from 5 to 20 months and cost from $2 million for a 230 kV unit to $7.5 million for a 765 kV unit [6]. The situation becomes more threatening as the power system will be operated under high stress and in a more vulnerable condition until replacement is completed.

Cyber attacks may happen at substations to switchgear and measurement instrumentation. Switchgear includes circuit breakers and other types of switches used to disconnect parts of the transmission network for system protection or maintenance. With the promotion of power system automation, more of these switchgear become digital and remotely controllable [7]. Cyber attacks that falsify control command can de-energize an important circuit and cause large-scale disturbances. Measurement instrumentation collects voltage, current, and power data for monitoring control and metering purposes. Communication equipment transmits these data to control centers and also allows switchgear to be controlled remotely. Cyber attacks to any of these devices will sabotage timely remedial actions when a system goes through abnormal status. Examples of these attacks are given in Section 19.2.

19.1.1.4 Distribution

Power delivery systems consist of distribution networks, loads, and their control and monitoring layers. Primary distribution networks operate from 2 kV to 35 kV, delivering electricity from substations, which are connected to transmission level. Transformers on primary distribution networks further step down the voltage to 120 V/480 V. The wires that operate at this low voltage level and are directly connected to end users are secondary distribution networks [8]. Power networks that are operated between 35 kV and the transmission voltage level (138 kV) are referred to as the sub-transmission level¹.

In cities, distribution networks are usually formed in mesh topologies, whereas in suburban and rural areas radial topologies are more dominant. Compared with radial topologies, mesh networks are more expensive but embody higher reliability and operation flexibility. In a contingency, they permit a load to be served through an alternative path when there is a problem in the original path. On the other hand, they may complicate the deployment of protection schemes due to the presence of multiple power flow paths. Cyber attackers can take advantage of this by hacking into the distribution management systems (DMS) and cause electricity disruption.

19.1.2.1 Control

The principle of control is to maintain the balance between generation and load, ensuring that the frequency and voltage of the power system stay within the established system standard. The grid response under disturbance depends on its control mechanisms.

Governor control is the initial corrective action to any change of load or generation. The governor is a device that controls the mechanical power driving the generator via the valve limiting the amount of primary energy, such as steam, water, or gas flowing to the turbine. The governor acts only in response to locally measuredchanges in the generator's output frequency, which is related to the rotor's rotation speed. The governor responds within seconds, and the rotational speed of the rotor (thus the output frequency of the generator) stays constant after the governor's response [9]. The resulting frequency will be lower than the initial frequency, 60 Hz, if the load dropped or higher if the load increased.

Governor control is implemented to regain the local unbalance between the electric load and mechanical output of a generator. Automatic generation control (AGC) is used to bring all the generators within a control region back to 60 Hz. AGC can refer to two related concepts: (i) a device installed on generators and (ii) the control scheme that is implemented through these devices. A control area only has a select number of generators installed with AGC, which are of large capacities or at vital locations in the transmission network topology. After governor control, the control center in a region measures the difference between actual and scheduled net power flows with other control areas. This difference is called the area control error (ACE) [10]. A positive ACE means that the total amount of generation within the control area is more than the scheduled amount, because of a previous load drop and a governor's response. Receiving this ACE, the control center automatically sends signals to generators equipped with AGC to decrease the generator's output. Attacks at control systems have been studied for contaminating ACE signals or manipulating AGC on generators directly. Due to the natural influence of AGC-equipped generators, malicious manipulation will cause severe consequences on a large scale. Examples of these attacking models are presented in Section 19.2.

Beyond a certain level of power imbalance, generation reserves will be resorted to. The generation reserves in a control region are usually made of additional generating units that are on standby or those that can ramp up their output on request [10]. However, when all other options for balancing power have been exhausted, the system operator must proactively reduce the load, generally referred to as load shedding. Load shedding can be accomplished in the form of temporary power interruption to contracted users, voltage reductions, or rotating blackouts. Sometimes when rapid response is demanded, load shedding is automatically implemented through emergency control and protection schemes.

19.1.2.2 Scheduling

Scheduling ensures the long-term balance between generation and load. It determines which generating units should operate and at what power level, and it is accomplished on a predetermined fixed time interval. The objective is stated via economic means, to minimize cost, and subject to generation and transmission constraints. Scheduling consists of economic dispatch and unit commitment, each covering two overlapping time ranges.

Economic dispatch minimizes the overall production cost of electricity, considering the power delivery losses, by optimally allocating projected demand to generating units that are online. Computers at control centers run optimization algorithms, typically every 5 or 10 min, to determine the dispatch for the next hour and send these decisions to all the generators. Unit commitment decides when generators should start up and shut down, as it is not practical to keep all the generators online all the time. It is typically done 1 day ahead and covers dispatch for periods ranging from 1 to 7 days [10, 11].

Due to their financial meaning, the scheduling process is likely to be targeted by attackers motivated by increasing their own benefits or harming competitors' benefits. The consequence, nevertheless, is more than monetary loss and can lead to efficiency reduction, even frequency instability. Since the malicious intent may come from someone who actually owns the physical generating assets, the attack path is not confined to the cyber layers of power systems and can be difficult to defend against.

19.1.2.3 Protection

Another important aspect of the operation of power systems is protection. Protection devices are applied to specific equipment, including motor loads, generators, transmission lines, and other power delivery equipment. They serve to protect both grid assets and humans in contact with them. The coordinated operation of a group of protective devices on electric grids is defined as a protection scheme². Protection schemes are designed to benefit an entire power system rather than only protecting individual devices. Protection is achieved using sensing equipment (including current/voltage transformers and digital sensors), de-energizing equipment (such as circuit breakers and reclosers), and relays, which are the decision-making units.

When a fault is detected on the electric grid, the corresponding protection scheme selects the range of circuits to be de-energized. This range may be as limited as the faulted device itself or as great as a full section of the distribution network. The selection should minimize the loss of load and also depends on the system operation status, fault type, and location [12]. By removing the circuit, the electric grid benefits from eliminating the stress and preventing further equipment damage and any associated expensive and lengthy repairs. Protective action must be fast (usually in fractions of a second) and accurate.

Power systems, in order for the protection schemes to work, are designed with sufficient redundancies, so that they can withstand the removal of one or several elements without unduly stressing the overall physical grid. As discussed in Sections 19.3 and 19.4, the inherent strength of the physical grid is the best defense againstcatastrophic failures. However, if the system is already stressed for some reason, such as equipment outages, heavier than normal loads, or extreme weather, this corrective action may exacerbate the situation and result in wide-area outages.

By targeting protection schemes, cyber attacks can cause power failure in a fast and direct way. One fear is that if attackers can hack into relays, they could de-energize circuits by tripping circuit breakers. Another possibility is to suppress protective actions under real faults or to launch joint cyber–physical attacks, with the physical attack to cause faults. Studies on both of these attack models are presented in Section 19.2.

19.1.2.4 Distribution Automation

Compared with transmission networks, distribution networks are usually planned with less expensive technologies, mainly because their scale of impact is limited to local areas. During recent years, distribution automation (DA) has been promoted in urban power delivery systems. In densely populated urban areas, like New York City, cities that concentrate highly functional government departments, like Washington, D.C., or areas that encompass manufacturers and harbor information entities, like Silicon Valley, electric operation cost is nontrivial, and failure of power delivery systems will lead to substantial economic losses.

IEEE defines a DA system as one that enables an electric utility to remotely monitor, coordinate, and operate distribution components in a real-time mode from remote locations. The principal objective of DA can be summarized as energy conservation and self-healing under faults [13]. Two prominent examples are automated fault detection, isolation, and restoration (FDIR) and optimization of system voltage and power flows. In an automated distribution network, voltage values are collected and power flows are monitored in real time. Once a fault is detected, circuit breakers and sectionalizers are controlled remotely to de-energize the faulted circuit and reroute the power to restore the loads. With regard to energy conservation, power delivery losses can be minimized with voltage control devices such as switched capacitor banks, load tap changers (LTCs) on the substation transformers, or voltage regulators installed along distribution feeders.

On the one hand, DA reduces the risk of power failures under probabilistic events, like tree intrusion into power lines, and disastrous weather. On the other hand, its communications, IT infrastructure, and sensors create vulnerabilities to cyber attacks. As renewable energy sources, such as roof photovoltaic (PV), are aggressively promoted under the smart cities context, urban electric grids can no longer be considered as passive power sinks. If manipulated by adversaries, DA systems can even drive flow back to its upstream transmission level. Correlated attacks at the distribution level can cause catastrophicconsequences.

19.2.1.1 Threats from Weather Hazards

In the 2013 report from the National Research Council (NRC) on power delivery systems, weather hazards are identified as the main threat to the national grid and the original cause of 60% cascading blackouts worldwide in the past 50 years, since the 1965 blackout [3].Disastrous weather events directly destroy or damage power delivery components simultaneously and on a great scale. Stations and substations are less affected. The major damage is concentrated on the transmission and distribution networks, as transmission lines and distribution feeders are sparsely located over a distance. Strong wind and heavy ice can easily bring down transmission lines and distribution feeders, interrupting the power delivery passages. Storms and earthquakes can take out a transmission tower, which disables all circuits amounted to it, manifesting domino effect. In the winter of 1998, an ice storm struck Quebec and the Northeastern United States; 2.3 million customers lost power. In 1999, Taiwan wasaffected by transmission tower collapse due to earthquake [3].

Storms take an annual toll on many distribution networks. Fortunately, utilities are usually prepared for such emergencies and often pool their resources to aid each other in restoring service. The single-contingency criterion () and multiple-contingency criterion () network planning is used in reliability planning for this purpose [8]. DA technologies that enable faster reconfiguration of a network are often deployed in cities, which demand high reliability, to reduce the weather-related losses. If a weather event is widespread and long lasting, neighboring utilities might lose their backup, and this method becomes ineffective. For example, in 1990, Hurricane Sandy caused Long Island to lose all ties to Connecticut and New Jersey, and New York City lost all ties to New Jersey. The flooding resulted in over 2 million customer outages. “While utilities may typically prepare for an N-1 or N-2 event…It is an N-90 contingency,” as noted by the New York Independent System Operator (NYISO) [3].

Extremely hot weather can overheat the transmission lines and distribution feeders. This heat itself, though causing extra power delivery losses, is unlikely to damage the lines and feeders. However, overheated lines and feeders will sag, which lower the clearance to ground and result in short circuit by touching a tree branch or other ground objects. Such incidents are more often observed in Asian countries at the distribution level, where the ground clearance of distribution feeders is lower [15].

Among all weather disasters, solar storms are rare in occurrence (happening around every 11 years) but could entail great impact on transmission and distribution networks, transformers, and relays. Its interaction with the Earth's magnetic field can produce auroral currents, or electrojects, that follow generally circular paths around the two magnetic poles at altitudes of 100 km or more. In March 1989, the entire Hydro-Quebec power system, including the major metropolitan areas of Montreal and Quebec City, was blacked out due to a gigantic solar storm. Several large power transformers also failed elsewhere in Canada and the United States, and hundreds of relays misoperated. Power systems in the northern hemisphere suffered voltage depressions and unusual swings in real and reactive power flows [16].

19.2.1.2 Threats from Malicious Attacks

Malicious attacks on the physical grid of power systems, though generally more fearsome, entail much less cost compared with disastrous weather and are unlikely to cause damage on a large scale. In general, there are three types of malicious attacks: small-scale vandalism by small groups with limited technical sophistication, well-planned terrorist activities, and strategic war activities.

Bulk transmission substations have unique security concerns to terrorist attacks in that they are relatively soft targets; they are vulnerable to standoff attacks as well as penetration attacks by adversaries compromising the substations' perimeter fences. HV transformers are difficult to replace, which could take as long as 15 months and cost as much as US$7.5 million. At the occurrence of transformer attacks, power systems may go under transient instability, and damage to HV transformers can separate power delivery systems from generation for long periods. Such attacks were launched on a frequent basis in the United Kingdom, by the Irish Republican Army, and in Iraq, by insurgent groups [6].

During wartime, electric grids were once important targets. In particular, air planners tended to become enamored with the vulnerability of electric grids to air strikes [17]. Historically, there have been four basic strategies behind attacks on national electric systems: to cause a decline in civilian morale, to inflict cost on the political leaders to induce a change, to hamper military operation, and to hinder war production [17]. However, hardly any war attacks on electric grids were successful in history. On the one hand, the military is relatively unaffected by a loss of power, as they are a high-priority user and can be self-supported. As power technologies evolve, many military bases are innovated into a microgrid [18]. On the other hand, the induced civilian damage was usually politically counterproductive. Therefore, threat models of war attacks on electric grids are less considered.

19.2.1.3 Models for Threats on the Physical Grid

Two approaches are common in modeling threats on electric grids: high-level probabilistic models and high-risk multiple contingencies. High-level probabilistic models do not model power system physics, that is, they allow neglecting time-dependent dynamics and grid configuration changes under threats. The initial overall system stress is represented by upper and lower bounds on a range of random initial component loadings. The model is parameterized by initial disturbances from weather [19]. High-risk multiple contingencies use a deterministic approach. Failures of components are selected from the worst case rather than the most likely case or every likely case. They are used to evaluate a power system's performance under the loss of a group of its most critical components, from which a plan is concluded to reinforce the power grids.

Both methods are commonly used in modeling damage from attacks and weather to the grid. Engineers and researchers have their own preference in choosing one method over the other, depending on applications. For instance, in power system planning, high-risk multiple contingencies are used by utilities, while the high-level probabilistic method is more preferred in estimation of cascading failures among layers of civil infrastructures.

19.2.2.1 How Secure Is the Cyber Layer of Power Systems?

The monitoring layer and control layer of a power system consist of sensors and automated and manual controls, all of which are tied together through communication networks. Early communication networks used in power systems were carefully isolated and tightly controlled. Historically, utilities typically own and operate at least parts of their own telecommunication systems, which often consist of a fiber-optic or microwave backbone connecting major substations, with spurs to smaller sites [20]. However, economic pressure from deregulation of the power industry pushed utilities to make greater use of commercially available communications and other equipment that was not originally designed with security in mind. Traditional external entities including suppliers, consumers, regulators, and even competitors now must have access to segments of the network [20].

From a security perspective, such interconnections with office and electronic business systems through other layers of communication have created vulnerabilities. Intrusions intending to bring down the power system can follow the same passage of a utility's daily operation. For example, remote access to a substation network from a corporate office or location is not uncommon for control and maintenance purposes. Dial-up, virtual private network (VPN), and wireless are available between remote access points and the substation local area network (LAN) [2, 21]. These access points are potential sources of cyber vulnerabilities.

Figure 19.2 illustrates the intrusion points in a power system communication network. Intrusions can originate from remote access points within a control center or a substation. If an intrusion originates from communication networks, it needs to pass the firewalls within the control center or substation of the target. As an alternative, intrusions can contaminate user interfaces of the control center or substation directly and gain access to other facilities within the target. Activities that compromise these remote access points could steal critical information (such as grid configurations) and cause electricity disruption by opening circuit breakers. In some cases, these malicious activities could result in physical damage of key grid components, as was demonstrated in the experiment of generation self-destruction by a cyber attack, launched by the Department of Homeland Security, in March 2007 [22].

19.2.2.2 Classification of Cyber Attacks

In EPRI's 2000 survey, utilities ranked bypassing controls, integrity violation, and authorization violation [23] as their top 3 perceived threats among all attacking methods in Table 19.1. The surveyed attacking methods, however, pause at the level of communication networks and do not reflect the final consequences inflicted on power grids. Here we present a comprehensive classification of cyber attacks, which describes their attacking paths on the vertical structure of power systems: control attack, monitoring attack, control–monitoring (CM) attack, and monitoring–control (MC) attack. Figure 19.3 illustrates their attacking strategies. The rest of this section explains these four classes of cyber attacks in detail.

19.2.2.3 Attacks on the Control Layer

The attacking classes on the control layer include a control attack and CM attack, illustrated in Figure 19.3b. In control attacks, hackers may hijack IEDs and falsify decisions. Knowledge of the original decision is not necessary. This class of attacks is essentially the same as physical attacks, in the sense that the grid's configuration is altered by control signals in a way similar to mechanical operation. For instance, the action of opening a circuit breaker through control logic and that of physically opening it on-site results in the same physical consequence on the grid.

In 2008, hackers turned out lights in multiple cities in an unnamed country, as revealed by a senior CIA analyst. The hackers demanded extortion payments before totally disrupting the power supply of the entire country. To date, the identities of the hackers remain unknown, but the intrusion was confirmed as via the Internet [2]. In the same year, a penetration test was performed in the United States by a team of security experts. With simple rootkits, the red team broke into the security system of an unnamed utility within the first few minutes of testing [24]. More worrisome control attacks might happen on the transmission level, where losing any key components such as transmission lines or a generating unit could result in instability of system frequency and voltage.

Compared with physical attacks, the adverse consequences of attacks on the control layer can be magnified in two ways: (i) more sophisticated manipulation of the IEDs is possible, and (ii) a large number of IEDs can be manipulated simultaneously. For example, Ref. [25] shows coordinated control of a group of generators in a manner that destabilizes other machines in the system and forces them to be disconnected from the system. Reference [26] shows control attacks on the distribution level. The attacker destabilizes voltages in an inverter-based power distribution grid by falsifying reference signals of the voltage droop controllers.

If the control attack is coupled with an attack that contaminates measurements, system operators would not be able to detect the malicious activities for a long time. After a certain point, the system may not be restorable, and wide-area outages could occur. This class of attacks targets control functions and are accessorized/facilitated by injecting false measurements on the monitoring layer. We call these CM attacks. In network security, similar attacking strategies are referred to as covert attacks [27]. The attacking strategy is illustrated in Figure 19.3b. By injecting attacking measurements , the attacker corrupts system measurements of real power, magnitudes of voltage, and current. The corrupted measurements result in incorrect estimation of power system state variables (voltage magnitudes and phase angles) . The corrupted measurements and estimated states disguise the malicious control activities . The operation status of the electric grid is driven from the operator-desired state to the attacker's desired state without being detected.

19.2.2.4 Attacks on the Monitoring Layer

Hovering over the control layer and the grid, the monitoring layer provides the power system's status in real time and inspects the condition of critical assets. With developed metering and communication technologies, the automation level at all layers of power grids can be greatly advanced. However, connecting a large number of devices over a wide area raises the concern of attacks on the monitoring layer. Moreover, attacks on the monitoring layer can manipulate information athigher resolutions and of nuanced values over a wider area [5, 28–30]. This causes great difficulties in detection and defense against these attacks; yet the adverse consequences resulting from these attacks are complex, uncertain, and hard to predict.

Attacks on the monitoring layer include monitoring attacks and MC attacks. Monitoring attacks aim at sabotaging and disturbing the information collection process in power system operation. MC attacks contaminate measurements to manipulate decision-making process. Their attacking strategies are illustrated in Figure 19.3a and c.

The effectiveness of monitoring attacks largely depends on its launch timing. Under critical system conditions, if measurements are not correct or delayed in transmission, operators will not be able to take proper control actions, resulting in severe consequences. For monitoring attacks on real-time measurements, one problem is how to inject false measurements that can bypass the detection of state estimators. The two conditions of injecting false measurements are that (i) they must be within the error tolerance of a state estimator and (ii) they must align with data structures of actual measurements, which are implied from the network topology of the target electric grid [31]. If they satisfy these two conditions, attacking measurements can be constructed to manipulate the state estimation in arbitrary ways.

In monitoring attacks, an attacker's goal is modeled as causing the maximum erroneous deviation from actual measurements in its th norm; false measurements are constructed to satisfy the mathematical form: . The attacking models are extended by considering the constraints on an attacker's resources, for example, meter numbers and accessible locations [5]. Consequences of monitoring attacks include implying incorrect power system topologies and erroneous power system states, misleading state estimators to reject the actual measurements of un-attacked meters (so-called data framing, borrowing the note of framing innocent ones as criminals) [32, 33]. However, there is clear indication of what physical damage monitoring attacks will inflict on the grid.

Unlike monitoring attacks, MC attacks require great knowledge of system operation strategies and configurations. MC attacks not only make operators (or automated control programs) see what the adversary wants them to see but also fool operators to take actions that are unwarranted, so that the operators themselves damage the infrastructure, not the attacker. By injecting false measurements , MC attackers manipulate control command in order to accomplish the attacking goal on the physical grid.

MC attacks are more difficult to detect, mainly for two reasons. First, they are accomplished via longer attack paths, which are initiated from the monitoring layer and completed on the physical grid. Second, existing mechanisms against malicious actions, which inspect control decisions' inconsistency with system states, are incapable of detecting MC attacks. Under MC attacks, control decisions are driven by corrupted measurements. Thus, control output and systemstates are always consistent. Reference [34] demonstrates using minimax formulation the reconstruction of attacking measurement vectors based on the consequences caused by an MC attack on the physical grid. Reference [35] exemplifies an MC attack aimed at local voltage instability by rerouting the voltage measurements in a power distribution grid.

MC attacks demand the most sophistication of attackers. Nevertheless, they could be the most harmful cyber attacks to power systems among the four classes, because of their potential consequences, difficulty of detection, and impact scale.

19.3.1.1 Circuit Faults

A circuit fault is formed by an undesired topological change inside power delivery equipment or on power transmission and distribution networks. The basic topological changes are short circuit, by adding an undesired electrical path, and open circuit, by eliminating a functional (but not necessarily active) electrical path.

Faults can occur within generators, motors, or transformers, on cables, or even within protective devices, such as a circuit breaker. Sometimes they can directly result in permanent damage of these grid assets. Fortunately, these faults are not common, as most of the grid assets are under regular inspection and encapsulated. Even though they have not happened in reality yet, cyber attacks could cause a fault on a generator, motor, or transformer by operating them above thermal ratings over a long period. This was demonstrated in the 2007 Aurora Generator Test by the Idaho National Laboratory [22].

If a fault occurs on transmission and distribution lines, they are line faults. Line faults are most common because lines are exposed to the environment. Bad weather and physical attacks can easily cause line faults, both short circuit and open circuit. Short-circuit faults are often triggered by lightning strikes. Extremely hot weather can cause line sags and make tree contact, and wind and ice loading may cause insulator strings to fail mechanically, both resulting in short-circuit faults. Storms can topple towers and poles, leading to open-circuit faults. Physical attacks often cause open-circuit faults. In Columbia, the Fuerzas Armadas Revolucionarias de Colombia (FARC)carried out hundreds of attacks on a monthly basis against transmission and distribution facilities [22].

Not only do line faults greatly reduce the power delivery capabilities of the transmission and distribution networks, but they are also accompanied by many other severe consequences. At the fault point, fire and even explosion may happen. There may be destructive mechanical forces due to high currents. The high currents in the faulted system may overheat equipment, reducing their useful life. In addition, unsymmetrical faults (if the faults do not occur at all three phases equally) will cause unbalanced operation of the electric grid; open-circuit faults on transmission lines that are carrying high currents may cause transient (frequency) instability, which entails an adverse impact over a great scale on the power grid.

19.3.1.2 Frequency Instability

Frequency instability of a power system depends on the system configuration and operating mode. Since power systems rely on synchronous machines to generate electrical power, a necessary condition for stable and nominal system frequency is that all synchronous machines remain “in step.” Physically, this means all generators' rotors rotate at the same pace. When the configuration and operating mode (e.g., electricity demand or generation capability) are subjected to a change, this pace is disturbed. As introduced in Section 19.1, the system frequency starts to increase if the electricity generation amount exceeds the demand, and vice versa. The disturbance is said to result in frequency instability if some generators lose synchronism with the rest of the system. In other words, their rotors run at a higher or lower speed than the system synchronous speed. Unstable system frequency will result in large fluctuation in the generators' power output, current, and voltage.

Based on the causes, the magnitude of the disturbances over a duration can be large or small. Continuous small variations in loads and generation are small disturbances. With the control and scheduling methods (introduced in Section 19.1), modern power systems can remain in stable mode under small disturbance. However, cyber and physical attacks could temporarily disable the control and monitoring functions of power systems. This instability that follows can be of two forms: (i) rotor oscillations of increasing amplitudes and (ii) a steady increase in rotors' rotating pace of a group of generators [36]. These instability phenomena after small disturbance are small-signal instability.

If a disturbance is of large magnitude and happens over a short duration, it might result in transient instability. Loss of running generating units and active transmission lines because of malicious attacks and weather hazards and sharp increase in demand due to extreme hot or cold weathers are all transient disturbances. A system's ability to remain stable depends on both the initial system operation state and severity of the disturbance. Unstable grid response involves large excursion of generator rotor angles [36]. Modern power systems are designed to operate as stable for a selected set of contingencies. However, this selection is hard to make exhaustive and currently incapable of handling attacks that aim at the vulnerable control and protection of the system.

19.3.1.3 Voltage Instability

A power system is said to be voltage stable if after any disturbance it is able to restore the voltage to a steady state and to have this voltage of an acceptable magnitude. The main condition of voltage instability is that the power system cannot meet the demand for reactive power, which may be caused by generators' excitation limit, transmission lines' high inductance, load characteristics, or even the voltage control devices on transmission and distribution networks that are supposed to support voltage [37].

Another phenomenon often mentioned with voltage instability is voltage collapse. They are two different concepts. Voltage instability is a local phenomenon but may have a widespread impact. Voltage collapse is more complex and is the result of a sequence of events accompanying voltage instability, leading to a low-voltage profile in a significant part of the electric grid. Voltage collapse is difficult to simulate and does not have fixed patterns. Despite its severe adverse impact, it is unlikely to be manufactured by malicious attackers.

Voltage instability is sometimes associated with frequency instability. The gradual loss of synchronism of generators would result in low voltage at the intermediate points in the network [37]. Studies have shown that malicious attacks become a great concern of system voltage, even if the grid was evaluated as voltage stable under regular disturbances. These attacks could happen at both the transmission and distribution levels. In particular, in the urban electric grid that is microgrid and integrated with renewable energies, high reactive power demand can be manipulated to lead to unstable voltage of loads across the city [26].

19.4.2.1 Emergency Control and Protection

When the electric grid is under high stress and failure starts to propagate, emergency schemes that coordinate the control and protection efforts to deal with this situation are then deployed to preserve system stability, maintain overall system connectivity, and avoid serious equipment damage. These emergency schemes areusually referred to as SPS (Special Protection System) or RAS (Remedial Action Scheme) [60, 61]. A good example in the United States is the SPS installed in the Florida Power and Light system [62]. Many studies and practice have been devoted to the development of SPS, but so far there is not a rigorous standard defining its functionalities and operation. Technologies that are commonly regarded as essential to SPS include, but are not limited to, adaptive relaying that adjusts tripping settings based on the stress level of the grid, automatic reactive power compensation using microprocessor controls, phasor measurement units (PMU) that enable near real-time synchronized monitoring over wide areas, and digital control and protection at power plants that block unit tripping during stressed grid operation [63]. Typical key operations in SPS are as follows:

1. 1. When great imbalance is observed between generation and loads and reserves are exhausted, underfrequency load shedding and undervoltage load shedding are deployed for noncritical loads. These load-shedding relays are installed at planned locations, and their action will not affect service to critical loads. The tripping range of frequency and voltage are usually preset. Sometimes, remote control tripping is also allowed.
2. 2. If load shedding does not clear the imbalance, the system may be separated into predefined islands. This intentional separation is distinct from the islands that are formed by coherent swings among generation groups in frequency instability. Out-of-step relays are installed at limited locations to control the propagation of failures.
3. 3. Out-of-step relays are also installed at generating units to prevent permanent equipment damage due to frequency excursion. When the system is assessed under high stress, these relays are blocked to prevent equipment loss that exacerbates the situation.
4. 4. When the power system cannot meet reactive power demand, static VAR compensator (SVC) and static compensator (STATCOM) are coordinated to prevent voltage instability.
5. 5. After faults are isolated and disturbances are cleared, selected gas turbines are reconnected and controlled to restored service. This black-start procedure must be coordinated among generating units and with the load recovery level.

19.4.2.2 Restoration from the Distribution Level

Restoration from the distribution level is often associated with two concepts: distributed generation (DG) and microgrids. Compared with conventional power plants, DG are connected at the distribution level, have much smaller capacity (from a few kilowatts to megawatts), and often use renewable energy as the primary source [64]. They are identified as valuable resources to maintain service to critical loads, such as hospitals, fire stations, and police stations [57]. Light-emitting diode (LED) traffic and street lights paired with distributed energy resource (DER) can operate when the bulk power supply is not accessible [65]. Recent studies show that DERs that are installed with battery storage can be deployed in black start and achieve faster and more efficient restoration [66].

Microgrids are distribution networks consisting of DG, energy storage, and loads. They normally operate connected to the main grid but can break off and run in an autonomous mode in emergent situations [64]. One successful example of microgrid in grid's resilience is the Sendai Microgrid in Sendai City, Japan. In the Tohoku Region Pacific Coast Earthquake, 2011, the inland areas of the Tohoku and Kanto regions suffered from damage to lifeline utilities due to the shutting down of power plants and collapse of infrastructure. Electric power was partially restored after 3 days of the earthquake. Nevertheless, the Sendai Microgrid was able to supply power to loads continuously within its service area. The autonomous operation started by battery supplies, followed by gas engine restoration [67].

Microgrids have clear boundaries; they are connected to the main grid at a point of common coupling that maintains voltage at the same level of the main grid. During the islanding operation, a switch can separate the microgrid from the main grid automatically or manually. In the autonomous mode, the generation and storage are coordinated, and some loads are shed, in order to maintain the power balance within the microgrid [68]. After the main grid is cleared from the threats, by regulating DG, a microgrid is synchronized to the same frequency as the main grid and reconnected to it. A microgrid comes in a variety of designs and sizes. It can be a single facility like the Santa Rita Jail microgrid in Dublin, California, or a distribution network that powers a large area like in Fort Collins, Colorado.

19.4.3.1 Defense on the Physical Grid

To defend against physical threats, the electric grid needs to be planned for long-term infrastructure reinforcement and to prepare an operation for contingent conditions. Defense methods on electric grid planning focus on identifying critical grid assets. If ceasing or degrading its function will induce great impact on the rest of the system, then the asset is a critical asset. This definition is similar to vulnerable grid components.

Some grid assets are critical by nature, for example, substation transformers and HV transformers, while others may depend on its operating condition and location. For widely distributed transmission lines, it is financially impossible to harden or monitor every individual line. In [51–53, 69], a bi-level optimization problem is posed to identify the critical transmission lines of a power grid as

The transmission lines selected by the attacker induce the maximum impact post-contingency. In the attack, the attacker possesses asymmetrical information, knowing the contingent rescheduling policy that the operator will initiate after the chosen transmission lines are taken off. While the operator tries to minimize the attack's impact, the attacker maximizes this impact by “foreseeing” the operator's strategy. This model is also referred as the offender–defender model, where the power system operator happens to play the defender's role.

The transmission lines are identified by whose removal will most significantly reduce the power transfer capability (whereas these transmission lines themselves are not necessarily of the greatest volt-amp capacity). The small-world network concept was used to describe the electric grid's response on a high level. Based on the topology of a transmission network, we can calculate the clustering coefficient and characteristic length path as

where is the number of nodes in the network, is the number of edges in the subgraph associated with node , is the number of adjacent nodes of , and is the shortest path length between nodes and . The transmission lines are selected if is increased without these lines.

In operation defense, a tri-level model is proposed in [53] as an extension of [52, 69]. The objective of the formulation is

which reschedules against the attacker's selection in the bi-level optimization model. This model is commonly referred as the defender–attacker–defender model.

The interaction between the attacker and defender can go on for virtually infinite iterations, and the challenge is presented as finding the solution to this problem. In the simple case as presented earlier, where the attacker and operator have exactly the same objective of opposite optimizing directions, the problem is a zero-sum game. A Nash equilibrium can be found, at which the defender can no longer reduce the negative impact and the attacker can no longer increase it [70, 71]. However, in reality, the operator is unlikely to game with the attacker; she/he has her/his own priority of operating the grid. The solution to the problem can be complex.

19.4.3.2 Defense on the Control Layer

In Section 19.2, cyber threats from malicious attacks are classified as monitoring attacks, control attacks, MC attacks, and CM attacks. To protect the power system against these threats, defense methods on the control layer are represented by terminating susceptive control actions, hardening communication infrastructure, active signaling, and inference control.

If malicious intentions have been successfully detected and identified, the operator can simply terminate the control functions on the target. For example, Internet-based load altering attacks are studied in [72]. These attacks attempt to control and change loads that are accessible through the Internet in order to damage the grid through circuit overflow or disturbing the balance between demand and supply. Once such attacks are detected, immediate actions are suggested to shut down automated load scheduling or curtail the targeted loads.

Hardening communication infrastructure resembles the idea of reinforcing critical grid assets. The communication links to be hardened are identified by estimating the value of investment (alternatively, by estimating the cost without hardening the object). The mathematical models usually take the form of a bi-level mixed-integer problem, with an objective

where is the negative impact from the attack and is the object to protect. The condition can be included in the constraints; defining the attack is ineffective to the hardened objects. In [72], this method is applied to identify the minimum load groups to protect, so that Internet-based load attacks result in the least negative impact. In [73], attackers attempt to obtain economic benefits by controlling generators' output in electricity markets. Using the same method, the most influential generators are identified.

In CM attacks, measurements are corrupted to cover the malicious control actions. Therefore, the malicious control is difficult to detect directly. Reference [74] studies a general cyber–physical system. The attackerlaunches a replay attack by replacing the actual measurements with the recorded measurements. The attacked system correspondingly performs the control of recorded action. In this way, the attacker manipulates the system control, which may be harmful to the actual conditions. The proposed solution for the operator is to inject a control signal on top of the optimal control . If the system is under attack, the asymptotic expectation of detector will have a higher value due to the . Thus, the attack can be detected. The weakness of active signaling is sacrificing control performance by deviating from the .

In MC attacks, measurements are corrupted to manipulate power system operation. The defense challenge arises for the control functions that rely on real-time measurement input. Even if an MC attack is detected, it is difficult to identify and restore the contaminated data set in real time. In this case, inference control is applied. In [75], ACE is contaminated in the secondary frequency control. The untrusted measurements are discharged and the control center is “flying blind.” The proposed defense method predicts the AGC performance based on load forecast and obtains a new ACE. For different possible load scenarios, the mean of the new ACE is used to issue generator correction during an MC attack.

19.4.3.3 Defense on the Monitoring Layer

The main function of the monitoring layer is to collect data for decision support on the control layer and to inspect the performance of the physical grid. Defense methods on the monitoring layer include the following categories:

(i) Assessing system vulnerability to threats based on operating status.

In order to be successful, attacks on measurements, including monitoring attacks, MC attacks, and CM attacks, must not trigger the alarm of state estimators. Therefore, these attacks are either unobservable or cause very small deviations that are within the tolerance of the state estimator detector [76]. In [77], security indices, for unobservable sparse attack and for small magnitude attack , are created by solving

where denotes the number of nonzero elements in the attacking vector , is an arbitrary vector, and is the Jacobian matrix derived from power flow equations. is the 1-norm of .

Control attack is studied in [28], which considers a general linear time-invariant (LTI) cyber–physical system. The work proposes the condition of static detectability and dynamic detectability of malicious controlaction . These conditions and security indices depend on the system topology and operating conditions. They provide a security assessment of the entire system.