Cyberphysical Infrastructures in Power Systems: Architectures and Vulnerabilities 0323852610, 9780323852616

In an uncertain and complex environment, to ensure secure and stable operations of large-scale power systems is one of t


English Pages 424 [426] Year 2021


Table of contents :
Front Cover
Cyberphysical Infrastructures in Power Systems
Copyright
Contents
About the authors
Preface
Acknowledgments
Part 1 Background
1 Overview
1.1 Cyberphysical security modeling systems (CPS)
1.1.1 Introduction
1.1.2 Wide-area monitoring, protection and control systems
1.1.3 Wide-area protection
1.1.4 Phasor measurement units
1.2 Cyberattack taxonomy
1.2.1 Cyberattack classification
1.2.2 Coordinated attacks on WAMPAC
1.2.3 Cyberphysical security using game-theoretic approach
1.2.4 Cyberlayer risk assessment
1.2.5 Attack modeling
1.2.6 Game formulation and solution strategies
1.3 Challenges in cyberphysical power systems
1.3.1 Signal sampling
1.3.2 Signal quantization
1.3.3 Communication delay
1.3.4 Packet dropouts
1.3.5 Medium access constraints
1.3.6 Channel fading
1.3.6.1 Information-theory based approach
1.3.6.2 Stochastic system approach
1.3.7 Power constraints
1.3.7.1 Reducing the transmission rate
Deterministic case
Stochastic case
Event-based case
1.3.7.2 Packet size reduction
Deterministic case
Stochastic case
1.4 Secure industrial control systems
1.4.1 Introduction
1.4.2 Progress of SICS
1.4.3 Major security objectives
1.5 Game-theoretic methods
1.5.1 Robustness issue
1.5.2 Resilient control design
1.5.3 Hierarchical systems
1.5.4 Physical layer control system problem
1.6 Notes
References
2 Smart grids: control and cybersecurity
2.1 A view of networked microgrids
2.1.1 Introduction
2.1.2 Types of networked microgrids
2.1.3 Star-connected NMG
2.1.4 Ring-connected NMG
2.1.5 Mesh-connected NMG
2.1.6 Control approaches in NMGs
2.2 Cyberattack protection and control of microgrids
2.2.1 Model of microgrid system
2.2.2 Observation model and cyberattack
2.2.3 Cyberattack minimization in smart grids
2.2.4 Stabilizing feedback controller
2.2.5 Simulation results I
2.3 Smart grid cybersecurity analysis
2.3.1 Introduction
2.3.2 Power network model and state estimation
2.3.2.1 Unobservable data attack and security index
2.3.2.2 Measurement set robustness analysis
2.3.3 Attack construction problem
2.3.3.1 l1 relaxation problem (2.30) is a cardinality minimization problem
2.3.4 Main result
2.4 Main attributes
2.4.1 Rationale of the no injection assumption
2.4.2 Relationship with minimum cut based results
2.4.3 Relationship with compressed sensing results
2.4.4 Definitions
2.4.5 The equivalence between two relations
2.4.6 Proof of proposition
2.4.7 Simulation results II
2.5 Two-area power system
2.5.1 Introduction
2.5.2 Simulation results III
2.6 Notes
References
Part 2 Control, estimation, and fault detection
3 Safe control methods
3.1 Introduction
3.2 State feedback controller
3.2.1 Threat model
3.2.2 Design of the state feedback controller
3.3 Observer-based controller
3.3.1 Design of a state feedback controller
3.3.2 Simulation results
3.4 Performance-degradation issues
3.4.1 Preliminaries
3.4.2 System description
3.4.3 X2 failure detector
3.4.4 Threat model
3.4.5 Recursive version of Rk
3.4.6 Ellipsoidal approximation of Rk
3.4.7 Simulation results
3.5 Decentralized secure control
3.5.1 Problem statement
3.5.2 Design results
3.5.3 Application to a four-area power system
3.6 Notes
References
4 Event-triggering control of cyberphysical power systems
4.1 Introduction
4.2 Problem formulation and the control scheme
4.2.1 The event triggering mechanism
4.2.2 The attack model
4.2.3 The observer-based control scheme
4.3 Design results
4.4 Illustrative examples
4.4.1 Two-area power systems
4.4.2 A single machine connected to an infinite-bus
4.5 Conclusions
Appendix: proof of Theorem 14
References
5 Wide-area monitoring and estimation systems
5.1 Introduction
5.2 WAMS applications and state estimation
5.2.1 Three possible states
5.2.2 Basic paradigms of state estimation
5.2.3 State representation of a power grid
5.2.4 Properties of probability vector
5.2.5 Observation model
5.2.6 Correlation of noise
5.2.7 Function of frequency oscillation state
5.2.8 Attack vector
5.3 Median regression function-based approach
5.3.1 Initial regression analysis using the mapping function
5.3.2 Additional geometric properties
5.3.3 Frequency oscillation state estimation
5.3.4 Interacting multiple model (IMM)-based fusion
5.3.5 Residual generation using error matrix
5.3.6 Residual evaluation using cross-spectral density function
5.4 Implementation and evaluation results
5.4.1 System disturbances
5.4.2 Deliberate data-injection scenarios
5.4.3 Aim of a hacker
5.4.4 Performance evaluation using regression methods
5.4.5 Estimation comparison with track fusion
5.4.6 MSE-based estimation comparison
5.5 Notes
References
Part 3 Power systems' architectures
6 Future grid architectures
6.1 Communication architectures in smart grids
6.1.1 Introduction
6.1.2 A framework of the next-generation power grid
6.1.3 Network architecture
6.1.4 Wide-area networks
6.1.5 Field-area networks
6.1.6 Home-area networks
6.1.7 Delay pattern
6.2 Wide-area monitoring control of smart grids
6.2.1 Power system dynamic model
6.2.2 Sensors and actuators
6.2.3 Control design
6.2.4 Simulation results
6.3 Wide-area case studies
6.3.1 Monitoring system case study
6.3.2 Monitoring and control systems case study
6.4 Notes
References
7 Mature industrial functions
7.1 Secure remote state estimation
7.1.1 Introduction
7.1.2 Problem formulation
7.1.2.1 System model
7.1.2.2 Plant model
7.1.2.3 The χ2 detector
7.1.2.4 Linear FDI attack
7.1.3 Secure modules for data transmission
7.1.3.1 Structure of secure modules for data transmission
7.1.3.2 Feasibility analysis
7.1.4 Detection and performance analysis in various attack scenarios
7.1.4.1 Scenario I: no information leakage
7.1.4.2 Scenario II: partial information leakage
7.1.4.3 Scenario III: information leakage
7.1.5 Extension to detect other attacks
7.1.5.1 False-data injection attack
7.1.5.2 Replay attack
7.1.6 Proofs of the lemmas and theorems
Appendix A
A.1. Proof of Lemma 6
Appendix B
Proof of Lemma 7
Appendix C
Proof of Lemma 9
Appendix D
Appendix E
7.1.7 Simulation results
7.1.7.1 Simulation result in Scenario I
7.1.7.2 Simulation result in Scenario II
7.1.7.3 Simulation result in Scenario III
7.1.7.4 Extension to detect the replay attack
7.2 Notes
References
8 Secure filtering in power systems
8.1 Introduction
8.2 Problem description
8.3 Main results
8.4 Simulation results
8.5 Notes
References
9 Basic mathematical tools
9.1 Finite-dimensional spaces
9.1.1 Vector spaces
9.1.2 Norms of vectors
Induced norms of matrices
9.1.3 Some basic topology
9.1.4 Convex sets
9.1.5 Continuous functions
9.1.6 Function norms
9.1.7 Mean value theorem
9.1.8 Implicit function theorem
9.2 Matrix theory
9.2.1 Fundamental subspaces
9.2.2 Change of basis and invariance
9.2.3 Calculus of vector-matrix functions of a scalar
9.2.4 Derivatives of vector-matrix products
9.2.5 Positive definite and positive semidefinite matrices
9.2.6 Matrix ellipsoid
9.2.7 Power of a square matrix
9.2.8 Exponential of a square matrix
9.2.9 Eigenvalues and eigenvectors of a square matrix
9.2.10 The Cayley–Hamiltonian theorem
9.2.11 Trace properties
9.2.12 Kronecker product and vec
9.2.13 Partitioned matrices
9.2.14 The matrix inversion lemma
9.2.15 Strengthened version of the lemma of Lyapunov
9.2.16 The singular value decomposition
9.3 Some bounding inequalities
9.3.1 Bounding inequality A
9.3.2 Bounding inequality B
9.3.3 Bounding inequality C
9.3.4 Bounding inequality D
9.3.5 Young's inequality
9.4 Gronwall-Bellman inequality
9.5 Schur complements
9.6 Some useful lemmas
9.7 Fundamental stability theorems
9.7.1 Lyapunov–Razumikhin theorem
9.7.2 Lyapunov–Krasovskii theorem
9.7.3 Halany theorem
9.7.4 Types of continuous Lyapunov–Krasovskii functionals
9.7.5 Some discrete Lyapunov–Krasovskii functionals
9.8 Elements of algebraic graphs
9.8.1 Graph theory
9.8.2 Undirected graph
9.8.3 Main graphs
9.8.4 Graph operations
9.8.5 Basic properties
9.8.6 Connectivity properties of digraphs
9.8.7 Properties of adjacency matrix
9.8.8 Laplacian spectrum of graphs
9.9 Linear matrix inequalities
9.9.1 Basics
9.9.2 Some standard problems
9.9.3 The S-procedure
9.10 Some formulas on matrix inverses
9.10.1 Inverse of block matrices
9.10.2 The matrix inversion lemma
9.11 Notes
References
Index
Back Cover


CYBERPHYSICAL INFRASTRUCTURES IN POWER SYSTEMS Architectures and Vulnerabilities

MAGDI S. MAHMOUD King Fahd University of Petroleum and Minerals Systems Engineering Department Dhahran, Saudi Arabia

HARIS M. KHALID Higher Colleges of Technology Department of Electrical and Electronics Engineering Sharjah, United Arab Emirates

MUTAZ M. HAMDAN King Fahd University of Petroleum and Minerals Systems Engineering Department Dhahran, Saudi Arabia

Academic Press is an imprint of Elsevier
125 London Wall, London EC2Y 5AS, United Kingdom
525 B Street, Suite 1650, San Diego, CA 92101, United States
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom

Copyright © 2022 Elsevier Inc. All rights reserved.

MATLAB® is a trademark of The MathWorks, Inc. and is used with permission. The MathWorks does not warrant the accuracy of the text or exercises in this book. This book’s use or discussion of MATLAB® software or related products does not constitute endorsement or sponsorship by The MathWorks of a particular pedagogical approach or particular use of the MATLAB® software.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library

ISBN: 978-0-323-85261-6

For information on all Academic Press publications visit our website at https://www.elsevier.com/books-and-journals

Publisher: Mara Conner
Acquisitions Editor: Sonnini R. Yura
Editorial Project Manager: Chiara Giglio
Production Project Manager: Nirmala Arumugam
Designer: Matthew Limbert
Typeset by VTeX

This book is dedicated to our families for the love, unwavering support, and all the joy they bring. With tolerance, patience, and their wonderful frames of mind, they have encouraged and supported us for many years. Magdi S. Mahmoud, Haris M. Khalid, Mutaz M. Hamdan



About the authors

Magdi S. Mahmoud obtained a B.Sc. (Honors) in Communication Engineering, an M.Sc. in Electronic Engineering, and a Ph.D. in Systems Engineering, all from Cairo University in 1968, 1972, and 1974, respectively. He has been a Professor of Engineering since 1984. He is now a Distinguished Professor at the King Fahd University of Petroleum and Minerals (KFUPM), Saudi Arabia. He was on the faculty at various universities worldwide, including in Egypt (Cairo University-CU, The American University in Cairo-AUC), Kuwait (Kuwait University-KU), UAE (United Arab Emirates University-UAEU), UK (University of Manchester Institute of Science and Technology-UMIST), USA (Pittsburgh University-Pitt, Case Western Reserve University), Singapore (Nanyang Technological University) and Australia (University of Adelaide). He lectured in Venezuela (University of Caracas), Germany (University of Hannover), UK (University of Kent), USA (University of Texas at San Antonio-UoSA), Canada (Ecole Polytechnique de Montréal, Montreal) and China (Beijing Institute of Technology-BIT, University of Yanshan). He is the principal author of fifty-one books and the author/co-author of more than 610 peer-reviewed papers. He is a fellow of the IEE, a senior member of the IEEE and the CEI (UK), and a registered consultant engineer of information engineering and systems (Egypt). He received the Science State Incentive Prize for outstanding research in engineering (1978, 1986), the State Medal for Science and Art, First Class (1978), and the State Distinction Award (1986), all in Egypt. He was awarded the Abdulhamed Shwoman Prize for Young Arab Scientists in the field of engineering sciences (1986), in Jordan. In 1992, he received the Distinguished Engineering Research Award, College of Engineering and Petroleum, Kuwait University, in Kuwait. He is co-winner of the Most Cited Paper Award 2009, “Signal Processing”, vol. 86, no. 1, 2006, pp. 140–152.
The Web of Science ISI selected his papers as among the 40 best papers in Electrical & Electronic Engineering in July 2012. He was interviewed for “People in Control”, IEEE Control Systems Magazine, August 2010. He served as the Guest Editor of the special issue “Neural Networks and Intelligence Systems in Neurocomputing” and the Guest Editor for the 2015 International Symposium on Web of Things and Big Data (WoTBD 2015) 18–20 October 2015, Manama, Bahrain. He is a Regional Editor (Middle East and Africa) of the International Journal of Systems, Control and Communications (JSCC), Inderscience Publishers since 2007, a member of the Editorial Board of the Journal of Numerical Algebra, Control and Optimization (NACO), Australia, since 2010, an Associate Editor of the International Journal of Systems Dynamics Applications (IJSDA), since 2011, a member of the Editorial Board of the Journal of Engineering Management, USA, since 2012, and an Academic Member of Athens Institute for Education and Research, Greece, since 2015. Since 2016, he has been an Editor of the Journal of Mathematical Problems in Engineering, Hindawi Publishing Company, USA. He is currently actively engaged in teaching and research in the development of modern methodologies for distributed control and filtering, networked control systems, fault-tolerant systems, cyberphysical systems, and information technology.

Haris M. Khalid received a B.Sc. (Honors) degree in Mechatronics and Control Systems Engineering from the University of Engineering and Technology, Lahore, Pakistan, in 2007, and M.Sc. and Ph.D. degrees in Control Systems Engineering from King Fahd University of Petroleum and Minerals, Dhahran, Saudi Arabia, in 2009 and 2012, respectively. He is currently an Assistant Professor in Electrical and Electronics Engineering with the Higher Colleges of Technology, Sharjah, UAE. He has also been appointed as the Applied Research Coordinator for the Sharjah campuses. In 2012, he joined the Distributed Control Research Group, King Fahd University of Petroleum and Minerals, as a Research Fellow. From 2013 to 2016, he was a Research Fellow with the Power Systems Research Laboratory, the iCenter for Energy, Masdar Institute (MI), Khalifa University of Science and Technology, Abu Dhabi, UAE, which is an MI-MIT Cooperative Program with the Massachusetts Institute of Technology, Cambridge, MA, USA.
During this tenure, he was also a Visiting Scholar with the Energy Systems, Control, and Optimization Lab, ADNOC Research and Innovation Center, Khalifa University of Science and Technology. He has authored/co-authored more than 60 peer-reviewed research papers. He has served as an Energy Specialist in UAE Space Agency “Tests in Orbit” Competitions, which are partnered with Dream-Up and Nano-Racks. His research interests include power systems, cyberphysical systems, and electric vehicles; signal processing, V2G technology, fault diagnostics, filtering, estimation, and condition monitoring. Dr. Khalid was the Technical Chair of IEEE-ASET 2018–2020 (seven groups of conferences) organized annually in UAE since 2017. He is the Associate Editor of Frontiers in Energy Research | Smart Grid.


Mutaz M. Hamdan obtained a B.Eng. degree (Honors) in Mechanical Engineering, Mechatronics Engineering Branch from the Palestine Polytechnic University, Hebron, Palestine, in 2006. He received an M.Sc. and a Ph.D. in Systems and Control Engineering from the King Fahd University of Petroleum and Minerals (KFUPM), Dhahran, Saudi Arabia, in 2012 and 2019. He has authored several journal papers. He is currently a postdoctoral fellow at KFUPM, Saudi Arabia. His research interests include linear and nonlinear control systems, networked control systems, distributed control systems, and secure control systems.


Preface

Cyberphysical systems (CPS) or “smart” systems are co-engineered interacting networks of physical and computational components. These systems will build the basis of an infrastructure by
• providing the foundation of our critical system,
• forming the basis of emerging and future smart services, and
• improving the quality of life of end users in many areas.

The development of a smarter electric grid will depend on increased deployments of information and communication technology (ICT) to support novel communication and control functions. However, it turns out that this additional dependency could introduce the risk of cyberattacks. Well-designed systems with adequate cybersecurity units depend heavily on the availability of representative environments, such as testbeds, where current issues and future ideas can be envisioned.

Sustainable power systems are one of the prime applications to be portrayed as CPS. They provide
• smart integration to the power generation units,
• end users and consumers, and
• bi-directional power technology providers.

This adaptive integration ensures a cost-effective route with comparatively low losses, improved levels of power quality, and cyberphysical security. This is validated by effective monitoring and control schemes. However, the main tool that holds the efficacy of these sustainable power systems is the internet. The internet promoted the utilization of synchrophasor measurements for wide-area monitoring applications to enable system operators to acquire real-time grid information. However, this opens a door to the vulnerability of sustainable power systems and to questioning the reliability of power transmission networks.

This volume aims at laying down the basic definitions and essential ingredients. It provides some advanced developments in the fascinating area of cyberphysical infrastructures in power systems, with particular emphasis on architectures, methods, and vulnerabilities.
Cyberphysical systems (CPS) will bring advances in personalized health care, emergency response, traffic flow management and electric power generation and delivery, as well as in many other areas just now being envisioned. Other terms that you might hear when discussing these and related CPS technologies include
• internet of things (IoT),
• industrial internet,
• smart cities,
• smart grid.

In addressing CPS design challenges, it is important to take into consideration that a resilient CPS design includes three features:
• Stability: No matter how the environment generates noise and uncertain factors, the control system should always reach a stable decision result eventually;
• Security: The system should be able to detect and counter cyberphysical interaction attacks;
• Systematization: The cyber and physical components should be seamlessly integrated together into a systematic design.

The impact of the development of sensor technology, electromechanical systems, and digital communication networks enhances the fundamental framework and motivates the dynamic growth of control systems (CSs). Effectively, the elements of CSs are more intelligent, and they will never act in the single role of a controlled object or controller; rather, an agent is now capable of integrating sensing, computing, and executing.

Power systems are very complex artificial systems. With the development of the smart grid, high penetration of wind, solar power, and customers’ active participation have led smart grids to operate in more uncertain, complex environments. Traditional power system analysis and control decision-making are primarily dependent on physical modeling and numerical calculations. Traditional methods have difficulty addressing uncertainty and partial observability issues, so they cannot meet the requirements of future development of smart grids.
On the other hand, widespread deployment of advanced metering infrastructures (AMI), wide-area monitoring systems (WAMSs), and other monitoring/management systems produces massive data and provides a data basis for algorithm/model training in AI applications and the design of improved safe (secure) control/estimation/fault tolerant methods. These will be some of the enabling technologies for the future development and success of smart grids. Outstanding issues in this regard include:
• The uncertainties of wind and solar energy cause many challenges for power systems. We should look for a potentially powerful tool to improve solar and wind generation prediction accuracy based on large data sets.
• Research activities to provide effective solutions for managing flexible sources, including load forecasting, scheduling, dealing, etc.

In an uncertain and complex environment, ensuring secure and stable operations of large-scale power systems is one of the greatest challenges that power engineers have to address today. Traditionally, power system operations and decision-making of controls are based on power system computations of physical models describing the behavior of power systems. Largely, physical models are constructed according to some assumptions and simplifications, and such is the case with power system models. However, the complexity of power system stability problems, along with the system’s inherent uncertainties and nonlinearities, can result in models that are impractical or inaccurate. This calls for adaptive or deep-learning algorithms to significantly improve current control schemes that solve decision and control problems.

This book addresses advanced distributed methods for the important topic of CPS infrastructures in power systems. The chief goal of this book is to provide the readership with a high-level treatment and an extensive overview of CPS concepts and infrastructures in power systems with a focus on the current, state-of-the-art research in this field. Detailed classifications are pursued highlighting existing solutions, problems, and developments in this area. The content is divided into three parts, which include the following chapters:

Part 1: Background

Chapter 1 (Overview): In this chapter, an extensive overview of cyberphysical system concepts and infrastructures in power systems is carried out with a focus on the current, state-of-the-art research in this field. Detailed classifications are pursued highlighting existing solutions, problems, and developments in this area.
Chapter 2 (Smart grids: control and cybersecurity): This chapter presents a modeling framework and defines the intended problem formulation. The dynamics of some typical practical cases are presented, such as SCADA networks, excitation systems, generator protection, voltage and frequency compensators, and economic dispatch scenarios where subsequently proposed algorithms are applied.

Part 2: Control, estimation, and fault detection

Chapter 3 (Safe control methods): Disturbance identification, stability assessment, and emergency control are fundamental to ensure the reliability and security of the power system. WAMSs provide massive volumes of data. In this chapter, formulations for various safe control methods problems are discussed and evaluated. Specifically, this chapter provides computational algorithms and assesses the performance of several phenomena, such as time-delay, actuator failures, switching and random networks, malicious attacks and false-data injection (FDI).

Chapter 4 (Event-triggering control of cyberphysical power systems): In this chapter, we discuss and develop adaptive and deep-learning methods to help with
• estimating state and parameters of the power systems both locally and globally,
• identifying and predicting energy and flexibility on the demand side.

Chapter 5 (Wide-area monitoring and estimation systems): Adequate fault/defect detection of electrical equipment is vitally important to ensure reliable power system operations. In a typical power system, many sensors and monitoring systems are installed and gradual changes are then analyzed. In addition, the prediction of renewable energy-generation output is crucial to improve their integration in the power grid by dealing with their uncertain and intermittent characteristics. In this chapter, deep-learning methods are employed to monitor the states of important components in power networks, including insulators, transformers, and transmission lines.

Part 3: Power systems’ architectures

Chapter 6 (Future grid architectures): In this chapter, we undertake the effort to implement the developed computational algorithms to problems arising in
• wide-area monitoring systems (WAMSs),
• wide-area control systems (WACSs),
• wide-area monitoring and control systems (WAMCSs).

Chapter 7 (Mature industrial functions): In this chapter, we continue the effort to implement the developed computational algorithms for problems arising in typical applications and case studies, namely
• static applications,
• adaptive applications,
• frequency oscillation monitoring,
• oscillation control,
• load-frequency control, and
• fusion-based architectures.

Chapter 8 (Secure filtering in power systems): In this chapter, a secure filter for discrete-time systems affected by the two major kinds of cyberattacks, i.e., distributed denial-of-service (DDoS) and deception attacks is fully investigated. The cyberattacks are modeled as Bernoulli-distributed white sequences with variable probabilities. A predefined level of security is guaranteed by setting a sufficient condition using the techniques of stochastic analysis.

Chapter 9 (Basic mathematical tools): Math tools and basic analytical results are collected and organized to make the book self-contained and help the readers follow up on the topics in a systematic and easy way. This includes a glimpse at graph theory, basic matrix inequalities, and stability notions.

Magdi S. Mahmoud, Haris M. Khalid, and Mutaz M. Hamdan KFUPM–Saudi Arabia, HTC–UAE March 2021


Acknowledgments

Special thanks are due to the Elsevier team, particularly to the Acquisitions Editor Sonnini R. Yura, Editorial Project Manager Chiara Giglio and Production Manager Nirmala Arumugam, for their support, guidance, and dedication throughout the publishing process. Our technical collaboration with Dr. Uthman Baroudi has been instrumental on the emerging topic of secure control of cyberphysical systems. We are grateful to all the anonymous referees for carefully reviewing and selecting the appropriate topics for the final version of our manuscript. Portions of this volume were developed and upgraded while offering graduate courses SCE-701-191, SCE-515-192, SCE-555-191, SCE-606-192 at KFUPM, Saudi Arabia. Magdi S. Mahmoud, Haris M. Khalid, and Mutaz M. Hamdan January 2021


PART 1

Background

This part consists of two chapters:
Chapter 1: Overview
Chapter 2: Smart grids control and cybersecurity


CHAPTER 1

Overview

Contents
1.1. Cyberphysical security modeling systems (CPS)
  1.1.1 Introduction
  1.1.2 Wide-area monitoring, protection and control systems
  1.1.3 Wide-area protection
  1.1.4 Phasor measurement units
1.2. Cyberattack taxonomy
  1.2.1 Cyberattack classification
  1.2.2 Coordinated attacks on WAMPAC
  1.2.3 Cyberphysical security using game-theoretic approach
  1.2.4 Cyberlayer risk assessment
  1.2.5 Attack modeling
  1.2.6 Game formulation and solution strategies
1.3. Challenges in cyberphysical power systems
  1.3.1 Signal sampling
  1.3.2 Signal quantization
  1.3.3 Communication delay
  1.3.4 Packet dropouts
  1.3.5 Medium access constraints
  1.3.6 Channel fading
    1.3.6.1 Information-theory based approach
    1.3.6.2 Stochastic system approach
  1.3.7 Power constraints
    1.3.7.1 Reducing the transmission rate
    1.3.7.2 Packet size reduction
1.4. Secure industrial control systems
  1.4.1 Introduction
  1.4.2 Progress of SICS
  1.4.3 Major security objectives
1.5. Game-theoretic methods
  1.5.1 Robustness issue
  1.5.2 Resilient control design
  1.5.3 Hierarchical systems
  1.5.4 Physical layer control system problem
1.6. Notes
References

Cyberphysical Infrastructures in Power Systems
https://doi.org/10.1016/B978-0-32-385261-6.00010-5

Copyright © 2022 Elsevier Inc. All rights reserved.


1.1 Cyberphysical security modeling systems (CPS)

In this section, we articulate the importance of securing the wide-area monitoring, protection and control (WAMPAC) systems to maintain bulk power system reliability. We present a cyberattack taxonomy on WAMPAC and identify the cybersecurity requirements, concerns and future requirements for the various applications. Next, we introduce different types of coordinated cyberattack scenarios in WAMPAC and present their potential impacts.

1.1.1 Introduction

Smart grid technologies utilize recent cyberadvancements to enhance control and monitoring functions throughout the electric power grid. The smart grid incorporates various individual technical initiatives such as advanced metering infrastructure (AMI), demand response (DR), WAMPAC systems based on phasor measurement units (PMUs), large scale renewable integration in the form of wind and solar generation, and plug-in hybrid electric vehicles (PHEVs). Of these initiatives, AMI and WAMPAC depend heavily on the cyberinfrastructure and its data transported through several communication protocols to utility control centers and the consumers.

Cybersecurity concerns within the communication and computation infrastructure may allow attackers to manipulate either the power applications or physical system. Cyberattacks can take many forms depending on their objective. Attackers can perform various intrusions by exploiting software vulnerabilities or misconfiguration. System resources can also be rendered unavailable through denial of service (DoS) attacks by congesting the network or system with unnecessary data. Even secure cybersystems can be attacked due to insider threats, where a trusted individual can leverage system privileges to steal data or impact system operations. Also, weaknesses in communication protocols allow attackers to steal or manipulate data in transit.

AMI is based on the deployment of smart meters at the consumer end and the utility. This provides the utility with the ability to push real-time pricing data to consumers, collect information about current usage, and perform more advanced analysis of faults within the distribution system. Since AMI is associated with the distribution system, typically a huge volume of consumer meters needs to be compromised to create a substantial impact in the bulk power system reliability. This is in strong contrast to the impact a coordinated cyberattack on WAMPAC would have on bulk power system reliability. Therefore, the main focus of this chapter is to study pertinent issues in cyberphysical security of WAMPAC. However, it is important to note that several cybersecurity and privacy issues do exist with respect to AMI and are beyond the scope of this chapter.

1.1.2 Wide-area monitoring, protection and control systems

WAMPAC leverages phasor measurement units (PMUs) to gain real-time awareness of current grid operations and also provides real-time protection and control functions such as special protection schemes (SPSs) and automatic generation control (AGC), besides other emerging applications such as oscillation detection and transient stability predictions. While communication is the key to a smarter grid, developing and securing the appropriate cyberinfrastructures and their communication protocols is crucial. WAMPAC can be subdivided further into its constituent components, namely wide-area monitoring systems (WAMSs), wide-area protection (WAP) systems, and wide-area control (WAC).

PMUs utilize high sampling rates and accurate GPS-based timing to provide very accurate, synchronized grid readings. While PMUs provide increasingly accurate situational awareness capabilities, their full potential will not be realized unless these measurement data can be shared among other utilities and regulators. Additionally, power system applications need to be re-examined to determine the extent to which these enhancements can improve the grid’s efficiency and reliability. The development of advanced control applications will depend on WAMS, which can effectively distribute information in a secure and reliable manner. An example of WAMS deployment is NASPInet, which is the development of a separate network for PMU data transmission and data sharing including real-time control, quality of service and cybersecurity requirements [1,2].

1.1.3 Wide-area protection

WAP involves the use of system-wide information collected over a wide geographic area to perform fast decision-making and switching actions in order to counteract the propagation of large disturbances [3]. The advent of PMUs has transformed protection from a local concept into a system-level wide-area concept to handle disturbances. Several protection applications fall under the umbrella of WAP, but the most common one among them is SPS. The North American Electric Reliability Council (NERC) defines SPS as an automatic protection system designed to detect abnormal or predetermined system conditions, and takes corrective actions other than and/or in addition to the isolation of faulted components to maintain system reliability [4]. Such action may include changes in demand, generation (Megawatt (MW) and Mega volt-ampere reactive (MVAR)), or system configuration to maintain system stability, acceptable voltage, or power flows. Some of the most common SPS applications are as follows: generator rejection, load rejection, under frequency load shedding, under voltage load shedding, out-of-step relaying, volt-ampere reactive (VAR) compensation, discrete excitation control, High-Voltage Direct Current (HVDC).

1.1.4 Phasor measurement units

Until the advent of PMUs, the only major WAC mechanism in the power grid was AGC. The AGC functions with the help of tie line flow measurements, frequency and generation data obtained from supervisory control and data acquisition (SCADA) infrastructure. The purpose of the AGC in a power system is to correct system generation in accordance with load changes in order to maintain grid frequency at 60 Hz. Currently, the concept of real-time WAC using PMU data is still in its infancy, and there are no standardized applications that are widely deployed on a system-wide scale, though there are several pilot projects in that area [5]. Some of the potential WAC applications are secondary voltage control using PMU data, static VAR compensator (SVC) control using PMUs, and inter-area oscillation damping.

1.2 Cyberattack taxonomy

Fig. 1.1 shows a generic WAMPAC architecture with the various components involved. The system conditions are measured using measurement devices (mostly PMUs). These measurements are communicated to a logic processor to determine corrective actions for each contingency, and then appropriate actions are initiated, usually through high speed communication links. The inherent wide-area nature of these schemes presents several vulnerabilities in terms of possible cyberintrusions to hinder or alter the normal functioning of these schemes. Even though SPS are designed to cause minimal or no impact to the power system under failure, they are not designed to handle failures that are due to malicious events like cyberattacks. Also, as more and more SPS are added in the power system, unexpected dependencies in the operation of the various schemes are introduced, and this raises the risk of larger impacts, such as system-wide collapse, due to a cyberattack. It therefore becomes critical to reexamine the design of the WAP schemes with a specific focus on cyberphysical system (CPS) security.

Figure 1.1 Generic WAMPAC architecture.

In addition, Fig. 1.1 presents a control systems (CS) view of the power system and the WAP scheme. The power system is the plant under control, where parameters like currents and voltages at different places are measured using sensors (PMUs) and sent through the high-speed communication network to the WAP controller for appropriate decision making. The controller decides based on the system conditions and sends corresponding commands to the actuators, which are the protection elements and VAR control elements like SVC and Flexible AC Transmission Systems (FACTS) devices for voltage control related applications. There are different places where a cyberattack can take place in this CS model. The cyberattack could affect the delays experienced in the forward or the feedback path, or it could directly affect the data corresponding to the sensors, the actuators or the controller. Fig. 1.1 also indicates the attack points on this CS model through the lightning bolts.


1.2.1 Cyberattack classification

Conceptually, we identify three classes of attacks on this CS model for WAMPAC. They are timing-based attacks, integrity attacks and replay attacks.

Timing attacks: Timing is a crucial component in any dynamic system (here a protection scheme), and in our case the control actions should be executed on the order of 100–150 ms after the disturbance. Such a system therefore cannot tolerate any type of delay in communications and is vulnerable to timing-based attacks. Timing attacks tend to flood the communication network with packets, which slows the network down in several cases and shuts it down in others; neither is acceptable. These types of attacks are commonly known as DoS attacks.

Data integrity attacks: Data integrity attacks are attacks where the data is corrupted in the forward or the reverse path in the control flow. This means that there could be an attack which directly corrupts the sensor data, which in this case is the PMU data, or the actuator data, which is the command given to the protection elements or the VAR control elements. This translates to actions like blocking of the trip signals in scenarios where the controller actually sent a trip command to the protection elements, or where the controller commanded an increase in VAR injection while the attack caused the injection to decrease, or vice versa.

Replay attacks: Replay attacks are similar to data integrity attacks, where the attacker manipulates the PMU measurements or the control messages by hijacking the packets in transit between the PMU and the phasor data concentrator (PDC) or the control center. In several cases, a replay attack is possible even under encrypted communication, as the attack packets are valid packets with the message’s data integrity being intact except for the timestamp information.
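The replay case above, seen from the receiving PDC, as an added example that is not from the book: because a replayed packet is valid except for its timestamp, the receiver authenticates the timestamp together with the measurement and then enforces a freshness window and strictly increasing timestamps per source. The frame layout, key, source id and 150 ms window are assumptions made for this sketch; the layout is not a real synchrophasor wire format.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (an assumption, not a real synchrophasor format):
# source id, timestamp in microseconds, voltage magnitude, phase angle,
# followed by a 32-byte HMAC-SHA256 tag computed over those fields.
BODY = struct.Struct(">HQdd")
TAG_LEN = 32
# Freshness window, chosen here to match the 100-150 ms action deadline
# quoted in the text (the choice of value is an assumption).
MAX_AGE_US = 150_000


def build_frame(key, source_id, ts_us, magnitude, angle):
    """Sender side: pack the measurement and append the authentication tag."""
    body = BODY.pack(source_id, ts_us, magnitude, angle)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class FrameVerifier:
    """Receiver-side checks: authenticity, freshness, per-source ordering."""

    def __init__(self, keys, max_age_us=MAX_AGE_US):
        self.keys = keys              # source id -> shared key
        self.max_age_us = max_age_us
        self.last_ts = {}             # source id -> newest accepted timestamp

    def check(self, frame, now_us):
        if len(frame) != BODY.size + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:BODY.size], frame[BODY.size:]
        source_id, ts_us, _magnitude, _angle = BODY.unpack(body)
        key = self.keys.get(source_id)
        if key is None:
            return "reject: unknown source"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        # The tag covers the timestamp, so it can be trusted from here on.
        if abs(now_us - ts_us) > self.max_age_us:
            return "reject: outside freshness window"
        if ts_us <= self.last_ts.get(source_id, -1):
            return "reject: replayed or out of order"
        self.last_ts[source_id] = ts_us
        return "accept"


def demo():
    """Run one genuine frame and three replay variants through the verifier."""
    key = b"constructed-demo-key-not-for-use"
    verifier = FrameVerifier({7: key})
    t0 = 1_700_000_000_000_000        # constructed GPS-disciplined timestamp
    frame = build_frame(key, 7, t0, 1.02, -0.31)
    # A captured frame whose timestamp was rewritten without the key.
    forged = BODY.pack(7, t0 + 5_000_000, 1.02, -0.31) + frame[BODY.size:]
    return [
        verifier.check(frame, t0 + 20_000),       # genuine, 20 ms in transit
        verifier.check(frame, t0 + 40_000),       # replay inside the window
        verifier.check(frame, t0 + 5_000_000),    # replay five seconds later
        verifier.check(forged, t0 + 5_000_000),   # replay with edited timestamp
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The freshness check assumes sender and receiver clocks are synchronized, which the GPS-based PMU timing described earlier provides.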

1.2.2 Coordinated attacks on WAMPAC

Intelligent coordinated attacks can significantly affect a power system’s security and adequacy by negating the effect of system redundancy and other existing defense mechanisms. NERC has instituted the Cyber Attack Task Force (CATF) to gauge system risk from such attacks and develop feasible and cost-effective mitigation techniques. NERC CATF categorizes intelligent coordinated cyberattacks as a category of events that have high-impact, low-frequency (HILF), causing significant impacts on power system reliability beyond acceptable margins [6].

The failure of any single element in the power system, such as a transformer or a transmission line, is a credible contingency (N-1). The possibility of simultaneous failures of more than one element in the system is also taken into account when they are either electrically or physically linked. However, the definition of a “credible” contingency changes when potential failures from coordinated cyberattacks are considered. Also, an intelligent coordinated attack has two dimensions, where attacks can be coordinated in space and/or time. For example, elements that do not share electrical or physical relationships can be forced to fail simultaneously, or in a staggered manner at appropriate time intervals depending on the system response, which could result in unanticipated consequences. The traditional approach to determining system reliability with (N-1) contingencies and a restricted set of multiple contingencies is no longer sufficient.

1.2.3 Cyberphysical security using game-theoretic approach

The previous section introduced the cyberattack classification on WAMPAC architecture and also presented how coordinated cyberattack scenarios can cause major operational impact on the system reliability. In this section, we introduce game theory and briefly explain how it can be used as a tool to address cyberphysical security for WAMPAC. Depending on the formulation of the strategic game, a game-theoretic setting can help identify the most likely attack scenarios and can provide a basis for security investments given a specific attacker characterization.

The game-theoretic framework provides a pragmatic method to characterize the impacts of different types of coordinated cyberattacks and also helps to identify mitigation measures, either in terms of security reinforcements or in terms of developing new planning approaches to reduce the attack impacts, based on how the problem is formulated. It allows certain flexibility to adapt the modeling by allowing for different attacker models under different settings. The formulation of the game can incorporate uncertainties from the defender and the attacker in terms of the information sets of the attacker and the defender, i.e., the attack targets, the system operating conditions, the load variations and generation uncertainties. Also, the game-theoretic framework can capture the attack impacts in terms of load loss, line flow violations, voltage violations or even the possibility of cascading outages nicely in terms of a solution cost in order to obtain the best defender strategy. Dynamic game formulations provide a modeling framework where the attacker plays various strategies based on the defender actions, and the defender can adapt his defense by learning how the attacker progressively updates his strategy.

Cyberphysical security modeling using strategic games, as displayed in Fig. 1.3, provides a basic intuition about how our current work using game theory addresses the various issues in cyberphysical security. While several existing attempts [14–17] applying game theory in network security involve modeling the attacker and the defender costs in the cyberlayer (Cost 1 and Cost 2 in Fig. 1.2), the modeling is incomplete as they do not look at the impacts of the actions on the cyberlayer in the physical layer. Similarly, some of the earlier works studying cyberattacks on the power system consider only costs of attack impacts (Cost 3 in Fig. 1.2) represented as a physical system metric such as loss of load, and line flow violation. However, our approach using game theory models the interaction between the attacker and the defender in a CPS scenario capturing all the relevant costs together in a single framework:

Cost 1: The attacker actions in the cyberlayer.
Cost 2: The attack impacts from the cyberlayer to the impacts on the physical system.
Cost 3: The defender actions in the cyberlayer in terms of security reinforcements.
Cost 4: The defender actions in the physical layer in terms of new operational strategies.

The role of game theory in the proposed research can further be understood by looking at how the proposed research closes the loop on both the cyber and the physical layers, as shown in Fig. 1.3. The intrusions on the cyberlayer of the power system, namely the SCADA cyberenvironment, are captured by using stochastic Petri nets (SPNs). SPN are used to model the entire cybernetwork, which can be characterized by various security measures like firewalls, intrusion detection systems (IDSs) and password mechanisms [18]. The modeling provides probabilities of attacks for the components of the cybernetwork. These probabilities can be translated into the attack costs for an attacker and help to characterize the attacker actions. The attacker actions can be used to evaluate the power system impacts, which also could be translated into costs of attack impacts. Based on these inputs, and an appropriate selection of information sets available for the attacker and the defender, a particular game formulation can be applied. Game theory then provides optimal response strategies for the defender given an attacker strategy, and this serves as a feedback mechanism to model new defense measures. As noted in Fig. 1.3, the defense measures could be modeled either in the cyberlayer or in the physical layer or both, depending on how the strategies of the defender are modeled.


Figure 1.2 Cyberphysical game theory model.

Figure 1.3 A game-theoretic framework for cybersecurity.

1.2.4 Cyberlayer risk assessment

Risk assessment at the cyberlayer involves defining the cybernetwork topology in terms of the existing SCADA security measures such as firewall and password models at various substations. Generalized stochastic Petri nets (GSPNs) can be used to model the cybernetwork [8]. The states of the stochastic process are the status of intrusions to a network that are inferred from the abnormal activities. These include malicious packets flowing through pre-defined firewall rules and failed logon passwords on the computer system. The detailed modeling of the cybernet using GSPN models for a standard test system can be found in Ten et al. [18]. By modeling the entire cybernetwork using the GSPN model, the steady state probabilities of an attacker passing through the various security measures to create a successful attack on selected components can be obtained. The probabilities of a particular cybercomponent being attacked given the SCADA security measures are used to obtain the costs of the attacker and the defender, which are used as an input to the game formulation. The costs of the attacker hence can be defined as

$$\mathrm{Cost}_{\mathrm{attacker}} = \delta \times \pi,$$

where $\delta$ represents a conversion factor to translate the steady state probability $\pi$ for a particular attack into an equivalent financial cost.

Impact characterization: The physical impact of a cyberintrusion on a SCADA cybernet can be measured by defining the power system topology corresponding to the cybersystem and then deciding on the appropriate power system metrics to capture the impacts. In this regard, [7] uses loss of load as an impact metric in their risk-assessment framework. We note that, while loss of load could be a good candidate for assessing impact, not all cyberattacks would result in loss of load. Therefore, we propose to include other common operational metrics such as line flow violations and voltage violations. Once the appropriate impact metrics are identified based on the particular application to be studied, we can easily define the impact of the attacks in terms of costs. Similar to the previous definition of attacker/defender costs, we can define the attack impact costs as

$$\mathrm{Cost}_{\mathrm{impact}} = \kappa \times L,$$

where $\kappa$ represents the unit cost of an impact metric deviation $L$ in terms of dollars. For example, if the impact metric is loss of load, the impact cost would be $\kappa L$, where $L$ is the amount of load lost in terms of MW, and $\kappa$ is defined in terms of dollars per MW. Different types of impact metrics could be loss of load indices, flow violations, voltage violations, etc. Each of these impact metrics could be easily modeled as a cost depending on the application. The solution of the game will depend on what costs dominate the attacker and the defender payoffs. Therefore, if the game-theoretic framework is applied on obtaining a power system planning approach, we can ignore the attack and defense costs so that the solution is influenced only by the way the impacts are characterized.

1.2.5 Attack modeling

The nature of the strategic interaction between the attacker and the defender is captured by attack modeling. First, the type of the particular attacks under study and their scope is clearly defined as, e.g., risk assessment of coordinated attacks. Then an appropriate attack template is identified, which indicates actual targets of the attack. In the power system, examples of attack targets are transmission lines, transformers, generators, loads, etc. Based on the attack model and the template, the attacker and the defender can be characterized with corresponding action spaces. The action space of the attacker is the set of actions which the attacker can choose. For example, if the attack model is to choose to create a (N-2) contingency, then the action space consists of all possible combinations of any two components in the power system. Similarly, for the defender the action space could be the set of components that the defender chooses to protect. Depending on the application under study, the action spaces can be chosen to vary. Also, the characterization involves the clear identification of the information set that is available to each player on the other player’s preferences, payoffs and strategies.

1.2.6 Game formulation and solution strategies

The formulation of the game model is very important in the entire modeling framework as it determines the nature of the solution strategies. Based on the attack modeling (which provides attacker/defender characterization), risk assessment (which provides attacker/defender costs) and impact characterization (which provides the impact costs), an appropriate game model can be chosen to obtain the best response strategies for the attacker and the defender.

Potential game formulations: In the following, we identify several potential game-theoretic formulations, which help to model various cyberattack scenarios based on the attack model, and the information sets available to the attacker and the defender. The strategic game formulations could vary from a simple single stage game to a complex multistage game where the attacker and the defender play repeatedly over infinite possible rounds of the game. Some of the potential types of game formulations are as follows:

Zero sum games: In its simplest form, this type of game involves two players having opposing objectives, in our case the attacker and the defender. We can consider the attacker’s gain as the loss for the defender and vice versa.

Nonzero sum games: In this type of game, the two players do not have exactly opposing objectives. In our case, we consider scenarios where the attacker’s payoffs for a certain action are different from the defender’s payoffs for a certain defensive action.

Bayesian games: In a Bayesian game formulation, the information about characteristics and payoffs of the other players, namely the attacker/defender, is incomplete. Players have probabilistic beliefs about the type of each player and they update their beliefs as the game is played, i.e., the belief a player holds about another player’s type might change based on the actions they have played.

Learning and behavioral games: These types of games assume that players can learn over time about the game and how other players are behaving. Behavioral game-theoretic formulations are based on how humans actually play games. They are not based on the assumption that players respond optimally to a rival strategy.

The solution strategies using game theory would be flexible based on the type of the application considered. For example, when performing risk-assessment and mitigation, the solution strategies identify the best responses in terms of security investments to tolerate the attacks that are modeled through the attacker’s actions. Similarly, game theory can also provide solution strategies in terms of minimizing the impact on the real-time operation of the power system, provided that the defender actions are characterized appropriately to correspond to operational strategies.
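A small single-stage zero sum instance of the formulation above, as an added example that is not from the book: the attacker's action space is every (N-2) pair of lines, the defender's action space is the single line it protects, and the payoff is the impact cost κ × L with attack and defense costs ignored, as in the planning variant of Section 1.2.4. The three lines, the load-loss figures, κ, and the rule that protecting either line of a pair blocks that attack are constructed assumptions; the mixed strategies are approximated with fictitious play, a learning procedure chosen here for its simplicity.

```python
from itertools import combinations

# Constructed sample data (not from the book): three transmission lines and
# the load lost, in MW, if both lines of a pair are tripped together.
LINES = ["A", "B", "C"]
LOSS_MW = {
    frozenset("AB"): 60.0,
    frozenset("AC"): 30.0,
    frozenset("BC"): 20.0,
}
KAPPA = 1000.0  # assumed unit cost of lost load, in dollars per MW


def payoff_matrix(lines, loss_mw, kappa):
    """Rows are attacker (N-2) pairs, columns are the line the defender protects.

    Assumption: if the protected line is in the attacked pair, only a single
    outage remains, which is a credible (N-1) contingency with no load loss.
    """
    pairs = list(combinations(lines, 2))
    matrix = [[0.0 if d in pair else kappa * loss_mw[frozenset(pair)]
               for d in lines] for pair in pairs]
    return pairs, matrix


def pure_security_levels(matrix):
    """Impact each side can guarantee with one fixed (pure) action."""
    attacker_floor = max(min(row) for row in matrix)
    defender_ceiling = min(max(col) for col in zip(*matrix))
    return attacker_floor, defender_ceiling


def fictitious_play(matrix, rounds=50000):
    """Each player repeatedly best-responds to the other's empirical mix.

    Returns (attacker_mix, defender_mix, lower, upper) where lower and upper
    bracket the value of the zero sum game.
    """
    n_rows, n_cols = len(matrix), len(matrix[0])
    row_counts, col_counts = [0] * n_rows, [0] * n_cols
    row_gain = [0.0] * n_rows   # total payoff of each attack vs defender history
    col_loss = [0.0] * n_cols   # total cost of each defense vs attacker history
    r, c = 0, 0
    for _ in range(rounds):
        row_counts[r] += 1
        col_counts[c] += 1
        for i in range(n_rows):
            row_gain[i] += matrix[i][c]
        for j in range(n_cols):
            col_loss[j] += matrix[r][j]
        r = max(range(n_rows), key=row_gain.__getitem__)
        c = min(range(n_cols), key=col_loss.__getitem__)
    upper = max(row_gain) / rounds   # best attack against the defender's mix
    lower = min(col_loss) / rounds   # best defense against the attacker's mix
    attacker_mix = [k / rounds for k in row_counts]
    defender_mix = [k / rounds for k in col_counts]
    return attacker_mix, defender_mix, lower, upper


if __name__ == "__main__":
    pairs, matrix = payoff_matrix(LINES, LOSS_MW, KAPPA)
    print("pure security levels:", pure_security_levels(matrix))
    attacker_mix, defender_mix, lower, upper = fictitious_play(matrix)
    print("value between", round(lower), "and", round(upper), "dollars")
    print("defender protects:", dict(zip(LINES, defender_mix)))
    print("attacker targets:", dict(zip(pairs, attacker_mix)))
```

For this constructed instance the game has no pure-strategy saddle point: any fixed protection choice leaves at least 20,000 dollars of impact exposed, while randomizing the protected line brings the expected impact down to 10,000 dollars.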

1.3 Challenges in cyberphysical power systems

The purpose of this section is to address the major challenges in the field of cyberphysical power systems (CPPS). CPPS embody a communication network to facilitate their operation and, in turn, this gives rise to important issues related to signal sampling, signal quantization, communication delay, packet dropouts and medium access constraints.

1.3.1 Signal sampling

The signals in CPS need to be sampled before they are transmitted through the communication network. In conventional systems the sampling periods are usually fixed, because this simplifies design and analysis. This scheme is called “time-triggered sampling”, “periodic sampling”, or “uniform sampling”. In recent CPPS, on the other hand, the sampling periods vary, since the samples wait in a queue before transmission, which depends on the availability of the network and the protocol used. It has been proven that sampling at varying times may give better results than sampling at fixed intervals [9]. Another method of sampling is event-triggered sampling, also called “Lebesgue sampling”, “level-crossing sampling”, “magnitude-driven sampling”, etc. In this case, sampling and transmission occur when an event is triggered, such as one of the output signals changing to a specific value.

There are several approaches for modeling sampled/transmission intervals [9]. The most famous one is the input delay approach, due to its use of the linear matrix inequality (LMI). By applying this approach, it is easy to determine the maximum upper bound on the interval between two consecutive samplings and to design the proper controller for the CPPS. Let the system with sampled signal be given by

$$\dot{x}(t) = Ax(t) + Bu(t), \quad u(t) = Kx(t_k), \quad t_k \le t < t_{k+1}, \tag{1.1}$$

where $x(t) \in \mathbb{R}^n$ and $u(t) \in \mathbb{R}^m$ are the state vector of the system and the control input vector, respectively. $\{t_1, t_2, \ldots, t_k, \ldots\}$ is a sequence of sampling instants such that $t_k < t_{k+1}$, $\lim_{k\to\infty} t_k = \infty$ and $\sup_k \{t_{k+1} - t_k\} \le h_u$ for some known $h_u > 0$. By applying the input delay approach, the above system is rewritten as [10]

$$\dot{x}(t) = Ax(t) + BKx(t - \tau(t)), \quad t_k \le t < t_{k+1}, \tag{1.2}$$

with piecewise time-varying delay $\tau(t) := t - t_k$, $t_k \le t < t_{k+1}$, satisfying $0 \le \tau(t) \le h_u$ $\forall t \ge t_0$. Using this model, the Lyapunov–Krasovskii functional approach could be used to obtain the stability conditions and formulate the LMIs for calculating the admissible upper bound of $h_u$ and the corresponding controller gain $K$ [10]. Other examples of the input delay approach can be found in [11–16].
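A worked scalar instance of (1.1), added here as an illustration and not taken from the book: for n = m = 1 the state between two samples can be solved exactly, which gives the admissible bound h_u directly instead of through the LMI conditions of [10]. The plant value a = 1 and the product BK = -2 used in the checks are constructed for this example.

```python
import math


def step_gain(a, bk, h):
    """Exact map x(t_{k+1}) = g(h) * x(t_k) over one sampling interval h for the
    scalar system x'(t) = a x(t) + bk x(t_k), i.e. (1.1) with bk = B*K."""
    if a == 0.0:
        return 1.0 + bk * h
    e = math.exp(a * h)
    return e + (bk / a) * (e - 1.0)


def max_sampling_interval(a, bk, tol=1e-12):
    """Largest h_u with |g(h)| < 1 for every 0 < h < h_u.

    This example covers a > 0 (unstable plant) with a + bk < 0 (the gain
    stabilises the continuous-time loop). Then g(0) = 1 and g decreases
    monotonically, so the bound is the unique root of g(h) = -1.
    """
    if not (a > 0 and a + bk < 0):
        raise ValueError("example covers a > 0 and a + bk < 0 only")
    lo, hi = 0.0, 1.0
    while step_gain(a, bk, hi) > -1.0:   # bracket the root
        hi *= 2.0
    while hi - lo > tol:                 # bisection
        mid = 0.5 * (lo + hi)
        if step_gain(a, bk, mid) > -1.0:
            lo = mid
        else:
            hi = mid
    return lo


def sampled_states(a, bk, intervals, x0=1.0):
    """State at the sampling instants for a given sequence of (possibly
    non-uniform) sampling intervals t_{k+1} - t_k."""
    xs = [x0]
    for h in intervals:
        xs.append(step_gain(a, bk, h) * xs[-1])
    return xs


if __name__ == "__main__":
    a, bk = 1.0, -2.0                       # constructed values
    print("h_u =", max_sampling_interval(a, bk))
    # Varying intervals that all stay below h_u: the state contracts.
    print(abs(sampled_states(a, bk, [0.2, 1.0] * 20)[-1]))
    # Intervals above h_u: every step amplifies the state.
    print(abs(sampled_states(a, bk, [1.2] * 40)[-1]))
```

For these values g(h) = 2 - e^h, so the bound is h_u = ln 3; any sequence of intervals that stays below it contracts the state at every sample, whether or not the intervals are uniform.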

1.3.2 Signal quantization

Due to the existence of the communication network and its limited transmission capacity, signals have to be quantized before they are transmitted. Both the control signal and the plant output signal are quantized by quantizers before they are sent to the network, as shown in Fig. 1.4. A quantizer is a device that receives a real-valued signal and converts it to a piecewise constant one with a finite set of values.

Figure 1.4 System configuration of a CPPS with quantizers.

In the literature, there are two common types of quantization: logarithmic quantization and uniform quantization.

1. Logarithmic quantization
The logarithmic quantization is considered as static quantization. Its performance about the origin is better in comparison with uniform quantization, and it could be either with infinite quantization level or with finite quantization level. The logarithmic quantization with infinite quantization level is modeled as

$$q(y) = \begin{cases} v_i, & \text{if } \dfrac{v_i}{1+\delta} < y < \dfrac{v_i}{1-\delta},\ y > 0, \\ 0, & \text{if } y = 0, \\ -q(-y), & \text{if } y < 0 \end{cases}$$

… 0 is the set of the quantization values. The logarithmic quantization with finite quantization level is modeled as

$$q(y) = \begin{cases} v_i, & \text{if } \dfrac{v_i}{1+\delta} < y < \dfrac{v_i}{1-\delta},\ 0 \ldots \\ 0, & \text{if } \ldots \\ v_0, & \text{if } \ldots \\ -q(-y), & \text{if } \ldots \end{cases}$$

… $M\mu$, then $|q(y)|_2 > M\mu - \mu$, where $M$ and $\mu$ are the saturation value and the sensitivity, respectively. The upper bound of the quantization error, when the quantization is not saturated, is represented by the first condition, while the second condition gives the way of testing the saturation of the quantization. The rectangularly shaped quantitative area is modeled as

$$q(y) = \begin{cases} 0, & \text{if } -\tfrac{1}{2} < y < \tfrac{1}{2}, \\ i, & \text{if } \tfrac{2i-1}{2} < y < \tfrac{2i+1}{2},\ i = 1, 2, \ldots, K-1, \\ K, & \text{if } y \ge \tfrac{2K-1}{2}, \\ -q(-y), & \text{if } y \le -\tfrac{1}{2}. \end{cases} \tag{1.5}$$

More details about the two types of quantization could be found in [17] and [18].

Remark 1. The logarithmic quantization is mainly used with linear systems with infinite quantization levels, while the zoom strategy is a beneficial control policy when uniform quantization is applied. It has two steps: “zoom-in” and “zoom-out” [17].

Remark 2. The implementation of zooming-in and zooming-out was initially discussed in [19,20]. It was used to obtain the sufficient condition for the asymptotic stability of linear and nonlinear systems.

As a result of the quantization, information loss is introduced in the system. Therefore, the model of CPPS has to take it into account. The quantization error is inversely proportional to the number of bits used for quantization, i.e., a small number of bits leads to a higher quantization error. Due to this fact, significant research is directed at determining the minimum number of bits required for achieving the stability of the system. Some examples could be found in [19–23]. Some researchers focus on controlling the quantization and its effects on the system. Fu and Xie [22] proposed a sector-bounded approach for dealing with the quantization errors, so that their effects on CPPS could be investigated using the procedures of robust analysis. Quantization and stochastic packet dropouts were considered in the study of the quadratic stability of CPPS, and finite quantization was used for implementing the controller [24]. The influence of the quantizer step size on CPPS with packet dropouts and finite-level quantization was studied in [25]. In [26] and [27], adaptable “center” and “zoom” parameters of the quantizers with finite values were considered, and the input-to-state stability was obtained by applying a strategy of continuously switching the controller between “zooming-out” and “zooming-in”. The same strategy of “zooming-out” and “zooming-in” was used to obtain parametrized input-to-state stability of CPPS that was subjected to packet dropout and unknown disturbances, but with random lengths of quantization regions based on the packet dropout process [28]. Lee et al. [29] have used the sector-bounded and convex combination properties of a quantizer for determining the sufficient conditions to achieve the desired control of CPPS subjected to several categories of asynchronous sampling and quantization. Quantization with the implementation of event-triggering control was broadly discussed in the literature, e.g., in [30–33,95].

Remark 3. There are two phenomena caused by quantization:
1. Saturation, which occurs when the signal is larger than the quantization range: this leads to a higher quantization error, causing instability in the closed-loop system;
2. Deterioration of the performance near the origin, which occurs when the signal is not exactly quantized due to the limited accuracy of the quantizers: this prevents the closed-loop system from approaching asymptotic stability.
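The two phenomena of Remark 3 can be reproduced with the uniform quantizer of (1.5) in a scalar feedback loop; the following is an added example, not code from the book. The plant x(k+1) = 1.5 x(k) + u(k), the gain, and the logarithmic level set v_i = rho^i v_0 with delta = (1 - rho)/(1 + rho) are assumptions of this example, since the page's own definition of the level set is incomplete.

```python
import math


def uniform_quantizer(y, K):
    """Saturating uniform quantizer of (1.5) with levels 0, +-1, ..., +-K.
    A value exactly on a cell boundary is rounded away from zero."""
    if y < 0:
        return -uniform_quantizer(-y, K)
    if y < 0.5:
        return 0                                   # dead zone around the origin
    return min(int(math.floor(y + 0.5)), K)        # saturates at K


def log_quantizer(y, rho=0.5, v0=1.0):
    """Infinite-level logarithmic quantizer: returns the level v_i = rho**i * v0
    with v_i/(1+delta) < y <= v_i/(1-delta). The level set and
    delta = (1-rho)/(1+rho) are assumptions of this example."""
    if y == 0.0:
        return 0.0
    if y < 0:
        return -log_quantizer(-y, rho, v0)
    delta = (1.0 - rho) / (1.0 + rho)
    i = math.floor(math.log(y * (1.0 - delta) / v0) / math.log(rho))
    return v0 * rho ** i


def closed_loop(quantizer, x0, a=1.5, steps=200):
    """Scalar plant x(k+1) = a x(k) + u(k) with u(k) = -a q(x(k)).
    With an exact measurement the gain would zero the state in one step,
    so everything that remains is the quantization error:
    x(k+1) = a (x(k) - q(x(k)))."""
    traj = [x0]
    for _ in range(steps):
        x = traj[-1]
        traj.append(a * x - a * quantizer(x))
    return traj


if __name__ == "__main__":
    def q4(y):
        return uniform_quantizer(y, 4)

    # Near the origin: the state stays bounded but never converges to zero.
    tail = closed_loop(q4, 0.01)[100:]
    print(min(abs(x) for x in tail), max(abs(x) for x in tail))
    # Saturation: a large initial state exceeds the range and diverges.
    print(abs(closed_loop(q4, 13.0, steps=50)[-1]))
    # Logarithmic quantizer: relative error <= delta, so the state decays.
    print(abs(closed_loop(log_quantizer, 13.0, steps=60)[-1]))
```

With K = 4 the uniform loop diverges for any |x(0)| > 12 and otherwise ends in the band 0.375 <= |x| <= 0.75, while the logarithmic loop contracts by at least a factor of a*delta = 0.5 per step from the same initial states.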

1.3.3 Communication delay

As shown in Fig. 1.5, the CPPS has two main kinds of delays:
1. Sensor-to-controller delay, which represents the time between sampling the signal from the sensors and receiving it at the controller;
2. Controller-to-actuator delay, which represents the time between generating the control signal and receiving it at the actuator.

Figure 1.5 Network induced delay.

Some of the sources of these delays are the limited data bandwidth, network traffic, and the protocols used in the network [34]. Previously, only one of these delays was considered in the design of the controller; such a controller is called a one-mode controller. A two-mode controller, on the other hand, is one for which both of the aforementioned delays are considered in the model. Some of the earlier results on two-mode controllers were discussed in [35–37], where both the sensor-to-controller and controller-to-actuator random delays were considered and modeled as a Markov chain. The network-induced delay is represented by

$$\tau(t_k) = \tau_{sc}(t_k) + \tau_{ca}(t_k), \tag{1.6}$$

where $\tau(t_k)$ is the total network-induced delay at sampling time $t_k$, and $\tau_{sc}$ and $\tau_{ca}$ are the sensor-to-controller and controller-to-actuator delays. Fig. 1.6 shows the timing diagram of the signals in the CPPS.

Figure 1.6 Signals in a CPPS with delays.

The overall delay in the CPPS is calculated by considering any possible delay in the system, such as computational delays in the controller, actuator, and sensor nodes [38]. So, the complete delay in the system is represented by

$$\tau(t_k) = \tau_{sc}(t_k) + \tau_{ca}(t_k) + \tau_c(t_k) + \tau_a(t_k) + \tau_s(t_k), \tag{1.7}$$

where $\tau_c$, $\tau_a$, and $\tau_s$ are the computational delays in the controller, actuator, and sensor, respectively. Note that $u$ as shown in Fig. 1.5 could be defined as

$$u(t) = Kx(t - \tau(t_k)), \tag{1.8}$$

where $K$ represents the feedback control gain matrix.

Remark 4. The induced delay in the CPPS ($\tau$) could be extended to consider the dropouts in the system by representing them as a special case of time delay, such that

$$\tau_d = \tau(t_k) + dh, \tag{1.9}$$

where $\tau_d(t_k)$ is the overall delay including the dropouts delay, $d$ is the number of dropouts, and $h$ is the sampling period.

There are four main models for random delays in CPPS [39]:

1. Constant delay model
The CPPS in this model is considered a deterministic system with a constant time delay, normally equal to the maximum delay in the system, similar to (1.6) or (1.7). It is used when it is difficult to characterize the random delay in the system. Here, a receiver buffer is introduced at the controller (or actuator) node, and its size is equal to the maximum delay (sensor-to-controller delay or controller-to-actuator delay) [40] and [41]. Thus, the CPPS can be treated as a deterministic system. Following this model, many deterministic control methods can be applied to achieve the stability of the CPPS.

2. Mutually independent stochastic delay model
When the probabilistic dependence is unknown, the constant delay model and the deterministic control strategies could hardly achieve the required performance of the system. The reason is the presence of many stochastic factors in networks, such as the load in the network, competition between nodes, and network congestion; these factors make the network delay tend to be stochastic. The delay could be modeled either as mutually independent or as probabilistically dependent.

3. Markov chain model
This type considers a special dependency relationship among the delays, namely the Markov chain. This model has two types:
• One Markov chain including the sum of delays in the CPPS, i.e. sensor to controller and controller to sensor;
• Two Markov chains for modeling both the sensor-to-controller and controller-to-actuator delays.

4. Hidden Markov model
In this model, all stochastic factors, such as the load in the network, competition of nodes, and network congestion, are grouped into a hidden variable and defined as a network state. This network state governs the distribution of delays. The network state cannot be observed directly; rather, it can be estimated through observing network delays, and so a hidden Markov model is applied to describe the relation between the network state and the network delay.

1.3.4 Packet dropouts

Due to the use of the network for communication in CPPS, the signals of the system need to be grouped before transmission. Each group of signals is called a “packet” and its size depends on the network used. The transmission of packets could be either single or multiple. In single packet transmission, all data from the sensors or the controller are grouped and transmitted together. In multiple packet transmission, on the other hand, the data are transmitted in several network packets, so that the data do not arrive simultaneously at the controller or actuator. The limited size of the network is not the only reason for using parallel transmission: the practical distribution of sensors and actuators over a large area also makes it difficult to lump the data into one network packet, leading to the use of multiple transmission.

Failures or message collisions on nodes cause packet dropouts. To avoid that, most protocols use transmission-retry mechanisms. However, if the retransmission fails within a limited period of time, the packets are dropped. Since the communication network is the source of the losses, this type of dropout is called “network-induced packet dropout”. Moreover, if a packet sent earlier becomes available at the node later, it is more practical to discard it and use the recent one; this type of packet dropout is called “active packet dropout”. For tackling this issue, some techniques like logical zero-order hold (ZOH) mechanisms [42] and message rejection [43] were proposed.

One method of dealing with packet dropouts is to design the controller to withstand the upper bound of the dropouts in the system [44–46]. Another famous approach is to represent the dropout in the system by a switch [47–49]. As shown in Fig. 1.7, the dropout happens when the switch is open ($T_2$), while there is no dropout when it is closed ($T_1$). Then the relation between the packet dropout rate and the $H_\infty$ controller is derived to guarantee the exponential stability of the system.

Figure 1.7 A CPPS with quantizers and packet dropout represented by a switch.

Consider the following discrete-time linear system model of a CPPS:

$$x(k+1) = A_{\sigma(k)} x(k) + B_{\sigma(k)} u(k), \tag{1.10}$$

where $x(k)$ is the switched system state, and $\sigma(k): \mathbb{R}^{+} = \{0, 1, 2, \ldots\} \to \{1, 2, \ldots, N\}$ is the switching signal, which is a piecewise constant function depending on the time $k$ and/or the state $x(k)$. The subsystem $i$ is activated when $\sigma(k) = i$; $A_i$ and $B_i$ are constant matrices. A hybrid state feedback controller $u(k)$ is used such that

$$u(k) = -K_{\hat{\sigma}(k)}\, \hat{x}(k), \tag{1.11}$$

where $K$ is the controller gain to be designed, $\hat{x}(k)$ is the switched system state, and $\hat{\sigma}(k)$ is the switching signal received by the hybrid controllers over the communication network. The subsystem $i$ is activated at the time $k$ when $\sigma_i(k) = 1$, and $\sigma_i(k) = 0$ otherwise, and thus $\sum_{i=1}^{N} \sigma_i(k) = 1$. So, the discrete-time switched system is represented by

$$x_{k+1} = \sum_{i=1}^{N} \sigma_i(k)\,(A_i x_k + B_i u_k). \tag{1.12}$$

Now, let $s$ be the transmission indicator function defined as

$$s = \begin{cases} 1, & \text{sample is transmitted}, \\ 2, & \text{sample is not transmitted}. \end{cases} \tag{1.13}$$

Thus the dynamics of the switch system could be described by

$$\hat{x}(k) = \beta_s x(k) + (1 - \beta_s)\,\hat{x}(k-1), \tag{1.14}$$

$$\hat{\sigma}(k) = \beta_s \sigma(k) + (1 - \beta_s)\,\hat{\sigma}(k-1), \tag{1.15}$$

where $\beta_s$ is a switch variable, i.e., $\beta_1 = 1$ and $\beta_2 = 0$. By combining (1.10)–(1.12), the closed loop network switched CSs, with the hybrid state feedback controller, is rewritten as

$$x(k+1) = \sum_{i=1}^{N} \sigma_i(k)\Big(A_i x(k) - B_i \Big(\sum_{i=1}^{N} \hat{\sigma}_i\Big) K_i\, \hat{x}(k)\Big). \tag{1.16}$$

Now, let $\zeta(k) = [x(k)^T\ \hat{x}(k)^T]$ be the augmented state vector. Then the closed-loop network switched CSs with the network packet dropout effect is written as

$$\zeta(k+1) = {}_{s}\,\zeta(k). \tag{1.17}$$

Here we have two cases. When the switch is in $T_1$, $s = 1$, $\beta_1 = 1$, thus $\hat{x}(k) = x(k)$, $\hat{\sigma}(k) = \sigma(k)$, and

$${}_{1} = \begin{bmatrix} \sum_{i=1}^{N} \sigma_i(k) A_i & -\sum_{i=1}^{N} \sigma_i(k) B_i K_i \\ \sum_{i=1}^{N} \sigma_i(k) A_i & -\sum_{i=1}^{N} \sigma_i(k) B_i K_i \end{bmatrix}.$$

When the switch is in $T_2$, $s = 2$, $\beta_2 = 0$, thus $\hat{x}(k) = x(k-1)$, $\hat{\sigma}(k) = \sigma(k-1)$, and

$${}_{2} = \begin{bmatrix} \sum_{i=1}^{N} \sigma_i(k) A_i & -\sum_{i=1}^{N} \sum_{l=1}^{N} \sigma_i(k)\,\sigma_l(k-1)\, B_i K_l \\ 0 & I \end{bmatrix}.$$

Theorem 1. For system (1.17), assume that the plant state and the switching signal in a single packet are transmitted at a rate of $r$ (see [47]). If there exist symmetrical positive definite matrices $P_i$, $Q_i$, $i \in \Upsilon$ and scalars $\alpha_1, \alpha_2 > 0$ such that

$$\alpha_1^{r}\,\alpha_2^{r-1} > 1, \tag{1.18}$$

$${}_{1}^{T} P_j\, {}_{1} + Q_i - \alpha_1^{-2} P_i \le 0, \tag{1.19}$$

$${}_{2}^{T} P_j\, {}_{2} + Q_i - \alpha_2^{-2} P_i \le 0 \tag{1.20}$$

hold, then system (1.17) is exponentially stable.

Remark 5. The proof of Theorem 1 could be derived using the following candidate switched Lyapunov–Krasovskii functional:

$$V(\zeta_k) = \zeta_k^T \Big(\sum_{i=1}^{N} \sigma_i(k) P_i\Big) \zeta_k + \zeta_{k-1}^T \Big(\sum_{i=1}^{N} \sigma_i(k-1) Q_i\Big) \zeta_{k-1}. \tag{1.21}$$
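The switch model (1.10), (1.11), (1.14) and (1.15) can be simulated directly to see how consecutive dropouts, and a dropout at a mode change, affect the closed loop. The following is an added example, not code from the book or from [47]: the subsystems are scalar, modes are indexed from 0, all numeric values are constructed, and the controller's initial copy of the state is assumed to equal x(0).

```python
def simulate_dropouts(modes, sigma, transmitted, x0, steps):
    """Closed loop of (1.10)-(1.11) with the hold mechanism of (1.14)-(1.15).

    modes       : list of scalar triples (A_i, B_i, K_i), indexed from 0
    sigma       : function k -> index of the active subsystem, sigma(k)
    transmitted : function k -> True if the packet (x(k), sigma(k)) arrives
                  (switch in T1, s = 1), False if it is dropped (T2, s = 2)
    """
    x = x0
    x_hat, sigma_hat = x0, sigma(0)      # assumed initial controller copy
    traj = [x]
    for k in range(steps):
        beta = 1 if transmitted(k) else 0                      # (1.13)
        x_hat = beta * x + (1 - beta) * x_hat                  # (1.14)
        sigma_hat = beta * sigma(k) + (1 - beta) * sigma_hat   # (1.15)
        a, b, _ = modes[sigma(k)]          # the plant runs the true mode
        gain = modes[sigma_hat][2]         # the controller uses the held mode
        x = a * x - b * gain * x_hat       # (1.10) with u = -K x_hat, (1.11)
        traj.append(x)
    return traj


def every(m):
    """Transmission pattern: one packet gets through every m steps."""
    return lambda k: k % m == 0


if __name__ == "__main__":
    # One unstable subsystem, A - BK = 0.3 when every packet arrives.
    single = [(1.3, 1.0, 1.0)]
    for m in (1, 2, 3):
        traj = simulate_dropouts(single, lambda k: 0, every(m), 1.0, 30)
        print("1 packet per", m, "steps -> |x(30)| =", abs(traj[-1]))

    # Two subsystems; the plant switches at k = 2.
    two = [(1.3, 1.0, 1.0), (0.9, 2.0, 0.2)]

    def switch_at_2(k):
        return 0 if k < 2 else 1

    ok = simulate_dropouts(two, switch_at_2, lambda k: True, 1.0, 3)
    lost = simulate_dropouts(two, switch_at_2, lambda k: k != 2, 1.0, 3)
    # Losing the packet at the switching instant leaves the controller with
    # the old state AND the old mode's gain.
    print("x(3) without loss:", ok[3], " with loss at k = 2:", lost[3])
```

With these values the loop tolerates one dropped packet in two (the state scales by -0.61 every two steps) but not two in three (it scales by -1.793 every three steps), and a single loss at the switching instant moves x(3) from 0.045 to -0.519.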

Another method is to consider the packet dropout as a random process and then model it as a Markovian process, as in [50] and [51], or as a Bernoulli distribution, such as in [52] and [53]. In [54], the stability analysis and controller synthesis problems were presented for CPPS with time-varying delays and affected by nonstationary packet dropouts. The plant is described by the following discrete-time linear time-invariant (LTI) system:

$$x_p(k+1) = Ax_p + Bu_p, \quad y_p = Cx_p, \tag{1.22}$$

where $x_p(k) \in \mathbb{R}^n$ is the state vector of the plant, and $u_p(k) \in \mathbb{R}^m$ and $y_p(k) \in \mathbb{R}^p$ are the control input and output vectors of the plant, respectively. $A$, $B$, and $C$ are real matrices with appropriate dimensions. The measurement received by the controller is affected by a randomly varying communication delay and represented by

$$y_c(k) = \begin{cases} y_p(k - \tau_k^m), & \delta(k) = 1, \\ y_p(k), & \delta(k) = 0, \end{cases} \tag{1.23}$$

where $\tau_k^m$ is the ‘measurement delay’, which satisfies the Bernoulli distribution, and $\delta(k)$ is a Bernoulli distributed white sequence representing the occurrence of packet dropouts in the CPPS. Also, let $\mathrm{Prob}\{\delta(k) = 1\} = p_k$, where $p_k$ assumes discrete values. Thus, there are two classes to be considered [54]:

Class 1. $p_k$ has the probability mass function where $q_r - q_{r-1} = \text{const.}$ for $r = 2, \ldots, n$. This covers a wide range of cases [54].

Class 2. $p_k = X/n$, $n > 0$ and $0 \le X \le n$ is a random variable that follows the binomial distribution $B(q, n)$, $q > 0$, that is

$$\mathrm{Prob}\big(p_k = (ax + b)/n\big) = \binom{n}{x} q^x (1 - q)^{n-x}, \quad b > 0, \quad x = 0, 1, 2, \ldots, n, \quad an + b < n.$$

The following observer-based controller is required to be designed in the case that the full state information is not available and the time delay occurs on the actuation side [55]:

Observer:

$$\hat{x}(k+1) = A\hat{x} + Bu_p(k) + L\,(y_c(k) - \hat{y}_c(k)), \quad \hat{y}_c(k) = \begin{cases} C\hat{x}(k), & \delta(k) = 0, \\ C\hat{x}(k - \tau_k^m), & \delta(k) = 1, \end{cases} \tag{1.24}$$

Controller:

$$u_c(k) = K\hat{x}(k), \quad u_p = \begin{cases} u_c(k), & \alpha(k) = 0, \\ u_c(k - \tau_k^a), & \alpha(k) = 1, \end{cases} \tag{1.25}$$

where $\hat{x}(k) \in \mathbb{R}^n$ is the estimate of the system (1.22), $\hat{y}_c(k) \in \mathbb{R}^p$ is the observer output, $L \in \mathbb{R}^{n \times p}$ and $K \in \mathbb{R}^{m \times n}$ are the observer and controller gains, respectively, and $\tau_k^a$ is the actuation delay. Assume that the “actuation delay” $\tau_k^a$ and the “measurement delay” $\tau_k^m$ are time-varying with a bounded condition as follows:

$$\tau_m^- \le \tau_k^m \le \tau_m^+, \quad \tau_a^- \le \tau_k^a \le \tau_a^+. \tag{1.26}$$

Also, let the estimation error $e(k)$ be equal to $x_p(k) - \hat{x}(k)$. Then

$$x_p(k+1) = \begin{cases} Ax_p(k) + BKx_p(k - \tau_k^a) - BKe(k - \tau_k^a), & \alpha(k) = 1, \\ (A + BK)\,x_p(k) - BKe(k), & \alpha(k) = 0, \end{cases} \tag{1.27}$$

$$e(k+1) = x_p(k+1) - \hat{x}(k+1) = \begin{cases} Ae(k) - LCe(k - \tau_k^m), & \delta(k) = 1, \\ (A - LC)\,e(k), & \delta(k) = 0. \end{cases} \tag{1.28}$$

In terms of $\xi(k) = [x_p^T(k)\ e^T(k)]^T$, systems (1.27) and (1.28) can be written in the following form:

$$\xi(k+1) = A_j\,\xi(k) + B_j\,\xi(k - \tau_k^m) + C_j\,\xi(k - \tau_k^a), \tag{1.29}$$

where $\{A_j, B_j, C_j,\ j = 1, \ldots, 4\}$ and $j$ is an index identifying one of the following pairs $\{(\delta(k) = 1, \alpha(k) = 1),\ (\delta(k) = 1, \alpha(k) = 0),\ (\delta(k) = 0, \alpha(k) = 0),\ (\delta(k) = 0, \alpha(k) = 1)\}$:

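$$A_1 = \begin{bmatrix} A & 0 \\ 0 & A \end{bmatrix}, \quad A_2 = \begin{bmatrix} A + BK & -BK \\ 0 & A \end{bmatrix}, \quad A_3 = \begin{bmatrix} A + BK & -BK \\ 0 & A - LC \end{bmatrix}, \quad A_4 = \begin{bmatrix} A & 0 \\ 0 & A - LC \end{bmatrix},$$

$$B_1 = \begin{bmatrix} 0 & 0 \\ 0 & -LC \end{bmatrix}, \quad B_2 = \begin{bmatrix} 0 & 0 \\ 0 & -LC \end{bmatrix}, \quad B_3 = \begin{bmatrix} 0 & 0 \\ 0 & 0 \end{bmatrix}, \quad B_4 = \begin{bmatrix} 0 & 0 \\ 0 & 0 \end{bmatrix},$$

$$C_1 = \begin{bmatrix} BK & -BK \\ 0 & 0 \end{bmatrix}, \quad C_2 = \begin{bmatrix} 0 & 0 \\ 0 & 0 \end{bmatrix}, \quad C_3 = \begin{bmatrix} 0 & 0 \\ 0 & 0 \end{bmatrix}, \quad C_4 = \begin{bmatrix} BK & -BK \\ 0 & 0 \end{bmatrix}. \tag{1.30}$$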

Now, it is desired to design an observer-based stabilizing feedback controller in the form of (1.24) and (1.25) such that the closed-loop system (1.29) is exponentially stable in the mean square. The switched time-delay systems based approach is used to solve this problem [54].

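Theorem 2. [54] Let the controller and observer gain matrices $K$ and $L$ be given. The closed-loop system (1.29) is exponentially stable if there exist matrices $0 < P$, $0 < Q_j^T = Q_j$, $j = 1, \ldots, 4$ and matrices $R_i$, $S_i$, and $M_i$, $i = 1, 2$, such that the following matrix inequality holds

$${}_{j} = \begin{bmatrix} {}_{1j} & {}_{2j} \\ \ast & {}_{3j} \end{bmatrix} < 0, \tag{1.31}$$

$${}_{1j} = \begin{bmatrix} {}_{j} + {}_{j1} & -R_1 + S_1^T & -R_2 + S_2^T \\ \ast & -S_1 - S_1^T - \hat{\sigma}_j Q_j & 0 \\ \ast & \ast & -S_2 - S_2^T - \hat{\sigma}_j Q_j \end{bmatrix},$$

$${}_{2j} = \begin{bmatrix} -R_1 + M_1^T - {}_{j2} & -R_2 + M_2^T - {}_{j3} \\ -S_1 - M_1^T & 0 \\ 0 & -S_2 - M_2^T \end{bmatrix},$$

$${}_{3j} = \begin{bmatrix} -M_1 - M_1^T + {}_{j4} & {}_{j5} \\ \ast & -M_2 - M_2^T + {}_{j6} \end{bmatrix}, \tag{1.32}$$

where

$${}_{j} = -P + \hat{\sigma}_j\,(\tau_m^+ - \tau_m^- + \tau_a^+ - \tau_a^- + 2)\,Q_j + R_1 + R_1^T + R_2 + R_2^T,$$

$${}_{j1} = (A_j + B_j + C_j)^T \hat{\sigma}_j P\,(A_j + B_j + C_j),$$

$${}_{j2} = (A_j + B_j + C_j)^T \hat{\sigma}_j P B_j,$$

$${}_{j3} = (A_j + B_j + C_j)^T \hat{\sigma}_j P C_j, \quad {}_{j5} = B_j^T P C_j,$$

$${}_{j4} = B_j^T \hat{\sigma}_j P B_j, \quad {}_{j6} = C_j^T \hat{\sigma}_j P C_j.$$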

1.3.5 Medium access constraints

In a CPPS, the communication network is normally shared by multiple sensor and actuator nodes, and because of the limitation of data transmission, only one or some of these nodes are active at a time and have access to the network. This is the reason behind the communication constraints, which are therefore sometimes called “medium access constraints”. As a result, the network requires a protocol for allocating network access to each node. This protocol could be either deterministic or random [56], and so the model of constraints in the CPPS could be either deterministic or stochastic.

Deterministic model of communication constraints
Previously, the problem was to choose a periodic communication sequence and, after that, to design a suitable controller for it [57]. But this is an NP-hard problem, as shown in [58]. Thus, the subsequent task was to design the controller first and then to find a suitable communication sequence either off-line [59,60] or online [61–63]. Other examples of this type could be found in [64–68].

Stochastic model of communication constraints
In this model a random media access control (MAC) protocol is used. One example is that a node makes sure that there is no other traffic before transmitting its data [56]. Examples of this model could be found in [69–74].

1.3.6 Channel fading

In wireless communications, fading is a deviation of the attenuation affecting a signal over certain propagation media. The fading may vary with time, geographical position or radio frequency, and is often modeled as a random process. A fading channel is a communication channel that experiences fading. So far, many results have been reported for CPPS with channel fading problems, and these results are presented from different points of view.

1.3.6.1 Information-theory based approach

Research on CPPS cannot be carried out without considering the status of the communication channel, because it is a very important part of CPPS. It is well known that channel capacity is a very important index in information theory. In the last decade, researchers tried to study the CPPS with channel fading from the information-theory point of view. Their main concern is how the channel affects the CS performance and how much channel capacity should be allocated to stabilize a plant. In [75], the minimal information capacity required to achieve state-feedback mean-square stabilization over a fading channel for single-input systems was deduced in terms of the Mahler measure of the plant. Xiao et al. [76] derived the necessary network resources to achieve mean-square stabilization over stochastic fading channels for multi-input-multi-output discrete-time systems. The main results of [75] have also been extended to the distributed CPPS; see [77] for more details.

1.3.6.2 Stochastic system approach

There are many channel models in fading networks, e.g., analog erasure channel, channel with delay and erasure, erasure with holder, and $L$th-order Ricean fading channel. Among them, the CPPS with $L$th-order Ricean fading channel has recently become an attractive research topic. The Ricean fading channel is a model for wireless mobile links. It is described as

$$r(k) = \sum_{i=0}^{L} a_i(k)\,v(k-i) + n(k), \tag{1.33}$$

where $n(k)$ is a white Gaussian noise with zero mean and unit variance. $a_i(0), a_i(1), \ldots, a_i(k)$ are i.i.d. (independent, identically distributed) Gaussian random variables with mean $a_i$ and variance $\sigma_i^2$. Moreover, for each $k$, $i = 0, 1, \ldots, L$, they are independent from each other and independent from $n(k)$. Based on the above model, the closed-loop system becomes a stochastic system with multiple random parameters and delays. Recently, the fuzzy control of nonlinear CPPS with randomly occurring infinite distributed delays and channel fading was addressed, see [78]. The lifting technique was used to transform the closed-loop system into a delay-free system. The envelope-constrained $H_\infty$ filtering with fading measurements and randomly occurring nonlinearities has been discussed in [79]. Other results can also be found in [80,81] and the references therein.

1.3.7 Power constraints

With the recent development of wireless communication and hardware design, wireless networks such as wireless sensor networks (WSNs) have been extensively applied in the engineering field due to merits such as much more flexibility in system design and ease of installation. In WSNs, the sensor is usually equipped with a limited power supply from a battery, and replacing the battery during the operation of WSNs is very difficult. Hence, one should pay more attention to the power constraint in wireless networked control systems (WCPPSs). It has been verified in [82] that most power is consumed in the signal transmission process, and that reducing the transmission rate and the packet size helps to save transmission power. Many effective methods have been proposed by the communication community, but they are not our concern here as they do not consider the stability or stabilization of a target plant. We will also not discuss issues such as signal sampling, quantization, and packet dropouts here, since the main concern of this section is the power constraint.

1.3.7.1 Reducing the transmission rate

Deterministic case

The switched system approach is successfully applied to reduce the transmission rate. A general time-varying transmission protocol was proposed such that each sensor can transmit its local measurement to a remote filter according to its power condition. Then a switched system model was developed to capture the time-varying transmissions [83]. Let us consider the following discrete-time linear time-invariant (LTI) system:

$$x(k+1) = Ax(k) + Bw(k), \quad y(k) = Cx(k) + Dw(k), \tag{1.34}$$

where $x(k) \in \mathbb{R}^n$ is the state, and $y(k) \in \mathbb{R}^p$ is the output. Let the maximal transmission time step be $N$ and assume that the hold input scheme is used when the current measurement is not transmitted. So, the input of the filter is represented by

$$\breve{y}_i(k) = C_i E_{ij}(k) X(k) + D_i H_{ij}(k) W(k), \tag{1.35}$$

where

$$X(k) = \big[x^T(k)\ x^T(k-1)\ \cdots\ x^T(k-N+1)\big]^T, \quad W(k) = \big[w^T(k)\ w^T(k-1)\ \cdots\ w^T(k-N+1)\big]^T. \tag{1.36}$$

$C_i$ and $D_i$ are the $i$-th element of matrix $C$ and $D$, respectively. $E_{ij}(k)$ is an $n$ by $nN$ matrix with its $j$-th $n$ by $n$ sub-matrix being an identity matrix and the rest being zero, and $H_{ij}(k)$ is a $q$ by $qN$ matrix with its $j$-th $q$ by $q$ sub-matrix being an identity matrix and the rest being zero ($j = 1, 2, \ldots, N$). Let $\sigma_i(k) \in \{1, 2, \ldots, N\}$, $i = 1, 2, \ldots, p$,

$$\sigma(k) = \big[\sigma_1(k)\ \sigma_2(k)\ \cdots\ \sigma_p(k)\big]^T, \quad \tilde{E}_{\sigma(k)} = \big[E_{1,\sigma_1(k)}^T\ E_{2,\sigma_2(k)}^T\ \cdots\ E_{p,\sigma_p(k)}^T\big]^T, \quad \tilde{H}_{\sigma(k)} = \big[H_{1,\sigma_1(k)}^T\ H_{2,\sigma_2(k)}^T\ \cdots\ H_{p,\sigma_p(k)}^T\big]^T. \tag{1.37}$$

Then

$$\breve{y}(k) = \tilde{C}\tilde{E}_{\sigma(k)} X(k) + \tilde{D}\tilde{H}_{\sigma(k)} W(k), \tag{1.38}$$

where $\tilde{C} = \mathrm{diag}\{C_1, C_2, \ldots, C_p\}$ and $\tilde{D} = \mathrm{diag}\{D_1, D_2, \ldots, D_p\}$. Note that the total number of possible numerical realizations of $\sigma(k)$ is $N^p$, which corresponds to the total combinations of $N$ values of each of the $p$ variables $\sigma_i(k)$. By defining the set $\{1, 2, \ldots, N^p\}$, $\sigma(k)$ can be viewed as the signal that takes one combination from this set and specifies one particular case of $(\tilde{E}_{\sigma(k)}, \tilde{H}_{\sigma(k)})$ and thus one case of (1.35). So, system (1.35) is essentially a switched system, with $\sigma(k)$ viewed as the switching signal.

Zhang et al. [84] discussed the distributed filtering of wireless networked systems (WNSs), where a similar scheme was presented to regulate the working mode of sensors, i.e., sensors can work in receiving, transmitting and receiving/transmitting modes. The difference is that the zero input signal was applied when the sensor cannot obtain the information from others. The mode switching of each sensor is then transformed into a topology switching problem, where each topology refers to one possible working scenario. They showed that the stability of the filtering error system is guaranteed provided that the switching frequency of the topology is bounded and some LMIs hold; see more details in [84,85]. The distributed stabilization of large-scale networked systems has been discussed in [86], where the power constraint and random sensor fault problems were addressed in a unified framework.

Stochastic case

The stochastic approach was first encountered in [87], where the Kalman filtering with scheduled measurement problem was discussed. A stochastic binary value was introduced to model the transmission process, which is similar to the stochastic packet dropout problem. The calculation of the minimal transmission rate was presented in their work. It should be noted that they only considered the single sensor case. Recently, Zhang et al. [88] proposed a new stochastic transmission protocol for the multiple sensor case. The modeling is similar to the work in [83], but a set of stochastic variables was introduced, i.e., the input of the filter is described as

$$y_p(k) = \alpha_{p,0}(k)\,y_p(k) + \alpha_{p,1}(k)\,y_p(k-1) + \cdots + \alpha_{p,N_p-1}(k)\,y_p(k - N_p + 1),$$

where $\alpha_{p,0}(k), \alpha_{p,1}(k), \ldots, \alpha_{p,N_p-1}(k)$ are a set of binary variables. By the lifting approach, a model similar to (1.35) was obtained; see the details in [88]. Based on the stochastic analysis, a sufficient condition was obtained such that the filtering error system is exponentially stable in the mean-square sense and achieves a prescribed $H_\infty$ performance level.

Event-based case

In order to enhance the usage of real-time information and alleviate the unnecessary transmission of measurement data, the event-based control algorithm has been proposed in [89]. In event-based control, the system state is usually sampled and sent to the controller when some error signal violates a prescribed threshold. Event-based control is able to adjust the sampling period adaptively according to some designed “events”. Compared with time-triggered control, event-based control can significantly improve the system performance and reduce the communication load of the network. In the past few years, many “events” have been proposed to reduce unnecessary transmission, see [89–94]. For example, Li et al. [90] first investigated the event-triggered control of nonlinear networked CSs under unreliable communication channels. In their work, the transmission occurs only if the error between the current measurement and the last transmitted one exceeds a prescribed bound, and an effective method has been proposed for the stability analysis and control synthesis based on the polynomial fuzzy model approach. Due to page limitation, we only discuss one event-based control here. Consider an LTI system:

$$x(k+1) = Ax(k) + Bu(k), \quad u(k) = Kx(k). \tag{1.39}$$

The event is designed as

$$f(\sigma(k), \delta) = \sigma^T(k)\,\sigma(k) - \delta\,x^T(k)\,x(k), \tag{1.40}$$

where $\sigma(k) = x(k_l) - x(k)$, with $x(k_l)$ being the measurement at the latest event time instant $k_l$, and $x(k)$ is the current measurement. … is a symmetric positive-definite weighting matrix, and $\delta \in [0, 1)$ is a threshold value. This value is usually given by a tradeoff between the control performance and the transmission rate. The transmission only occurs when the event $f(\sigma(k), \delta) > 0$ happens. Therefore, the sequence of event-triggered time instants $0 \le k_0 \le k_1 \le \cdots k_l \le \cdots$ is determined by

$$f(\sigma(k), \delta) = \sigma^T(k)\,\sigma(k) - x^T(k)\,\bar{\ }\,x(k) > 0. \tag{1.41}$$

It follows from the event condition (1.40) that, when the event occurs, we have

$$f(\sigma(k), \delta) = \sigma^T(k)\,\sigma(k) - x^T(k)\,\bar{\ }\,x(k) > 0. \tag{1.42}$$

Then for $k \in [t_k, t_{k+1})$, the closed-loop system now becomes

$$x(k+1) = (A + BK)\,x(k) + BK\sigma(k). \tag{1.43}$$

It follows from the definition of $\sigma(k)$ and the triggering condition that, for $k \in [t_k, t_{k+1})$, (1.41) holds. The asymptotic stability of the closed-loop system is guaranteed if the following inequality holds,

$$\begin{bmatrix} -P + \lambda\delta & 0 & (A + BK)^T P \\ \ast & -\lambda & (BK)^T P \\ \ast & \ast & \ldots \end{bmatrix} \ldots$$

… 0 is an unknown scalar, and $P$ is the Lyapunov matrix. The proof is easy to follow by constructing the Lyapunov function $V(x(k)) = x^T(k)Px(k)$ and using the inequality (1.42) above. Based on the stability condition, one may easily determine the controller gains.

The above event-based communication has been widely studied in recent years, and most of these studies have also discussed other network-induced issues together with event-based communication. For example, a time-delay system method has been proposed in [91] to analyze the CPPS with event-based communication and communication delay, and the stability and stabilization problems were then discussed. Hu and Yue [95] studied the event-triggered control problem of linear networked systems with uniform quantization. Zhang et al. [96] discussed how to use the event-based communication scheme to design the distributed filtering system, in which the packet dropouts and filter gain variation problems were also taken into account. The implementation of the event-based control algorithm requires constant monitoring of the designed event, and it has been pointed out in [97] that, when output-feedback controllers are used in a similar setup, the minimal inter-event time for a continuous-time plant might be zero and accumulations of event times occur, which may cause Zeno behavior. Subsequently, how to avoid Zeno behavior has become an important research topic in event-based CS design. Recently, the so-called self-triggered control algorithm was proposed in [98]. In contrast to the event-based control algorithm, self-triggered control does not require a continuous event detector, because it computes the next sampling instant based on the current information. More discussion on event-based control and self-triggered control is given in [99].
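The trade-off that the threshold in (1.40) sets between transmission rate and control performance can be seen by running the triggering rule on a small system. The following is an added example, not code from the book or from [89]: the weighting matrix is passed in as W and taken as the identity in the usage, the plant values are constructed, and the first transmission is assumed to happen at k = 0.

```python
def mat_vec(M, v):
    """Matrix-vector product for matrices stored as lists of rows."""
    return [sum(m * x for m, x in zip(row, v)) for row in M]


def quad(v, W):
    """Quadratic form v^T W v."""
    return sum(vi * wi for vi, wi in zip(v, mat_vec(W, v)))


def event_triggered_run(A, B, K, W, delta, x0, steps):
    """Simulate (1.39) with the event rule (1.40).

    The controller only knows x(k_l), the last transmitted state, so the
    plant evolves as x(k+1) = A x(k) + B K x(k_l), which is (1.43) with
    sigma(k) = x(k_l) - x(k). A new transmission happens when
    f = sigma^T W sigma - delta * x^T W x > 0.
    Returns the final state and the list of transmission instants.
    """
    x = list(x0)
    x_sent = list(x0)        # assumed first transmission at k_0 = 0
    sent = [0]
    for k in range(steps):
        if k > 0:
            sigma = [s - c for s, c in zip(x_sent, x)]
            if quad(sigma, W) - delta * quad(x, W) > 0:
                x_sent = list(x)
                sent.append(k)
        u = mat_vec(K, x_sent)
        x = [p + q for p, q in zip(mat_vec(A, x), mat_vec(B, u))]
    return x, sent


if __name__ == "__main__":
    # Constructed scalar plant: A = 1.02 (unstable), A + BK = 0.9.
    A, B, K, W = [[1.02]], [[1.0]], [[-0.12]], [[1.0]]
    for delta in (0.0, 0.04, 0.5):
        x_end, sent = event_triggered_run(A, B, K, W, delta, [1.0], 100)
        print("delta =", delta, "transmissions =", len(sent),
              "|x(100)| =", abs(x_end[0]))
```

With delta = 0 the rule degenerates to transmitting at every step; with delta = 0.04 the same plant is still driven to zero while only every second sample is sent.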

1.3.7.2 Packet size reduction

The packet-size reduction method is also an effective way to reduce the transmitted information. This can be done in either a deterministic or a stochastic way.


Deterministic case

The signal quantization technique (discussed in the previous section) is an effective method to reduce the packet size. Let us focus here on the other method of reducing the packet size that has been discussed in the literature. Consider an LTI system:

$$x(k+1) = Ax(k) + Bu(k), \quad u(k) = Kx(k), \tag{1.45}$$

where $x(k) \in \mathbb{R}^N$. The following structured matrix can be introduced, $T_{\rho(k)} \in \{[1\ 0\ \cdots\ 0], \cdots, [0\ 0\ \cdots\ 1]\}$, such that only one element is selected for feedback control, where $\rho(k) = 1, 2, \ldots, N$. The closed-loop system in this scenario becomes

$$x(k+1) = \left(A + BKT_{\rho(k)}\right)x(k),$$

which is essentially a switched system. The switched system approach can therefore be applied to the stability analysis of the above system. This idea was proposed by Zhang et al. [100] in their study on the distributed control of large-scale systems with power constraints. In fact, they proposed a unified switched system approach to study the distributed CPPS with power constraints. In their work, three switching signals are introduced to model the nonuniform sampling, packet size reduction and the transmission rate reduction, respectively. The related H∞ filtering results have also been reported in [101,102]. More specifically, they have performed a simulation study on the following four cases:

Case 1: Sensor networks with only nonuniform sampling;
Case 2: Sensor networks with nonuniform sampling and measurement size reduction;
Case 3: Sensor networks with nonuniform sampling, measurement size reduction and signal quantization;
Case 4: Sensor networks with nonuniform sampling, measurement size reduction, signal quantization and communication rate reduction.

The simulation study in [102] has shown how much energy can be saved for these cases, and also that the last case is the most energy-efficient one.

Stochastic case

Chen et al. [103] used a set of binary variables to reflect the variation of structured matrix T and addressed the distributed mixed H2 and H∞ fusion estimation problem. The stochastic approach has also been proposed from the Markovian system point of view. The modeling is similar to the above switched system based approach, i.e., the variation of structured matrix is assumed to obey the Markovian process. Ling et al. [104] have recently applied this approach in order to study the energy-efficient H∞ filtering problem for wireless networked systems, where two Markovian chains were proposed to describe the nonuniform sampling and packet size reduction. The exponential stability condition was derived based on the Markovian jump system theory.
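The switched closed loop of the deterministic case above, worked through as an added Python example (not code from the book or from [100]). It assumes that the selector is the N×N matrix with a single 1 at position (ρ, ρ), so that K keeps the shape it has in (1.45), that ρ(k) is periodic, and that the plant A, B and gain K are constructed values.

```python
import math


def matmul(X, Y):
    """Plain-Python matrix product (matrices are lists of rows)."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]


def selector(n, rho):
    """T_rho (assumed N x N): keep state element rho (1-based), zero the rest."""
    return [[1.0 if i == j == rho - 1 else 0.0 for j in range(n)]
            for i in range(n)]


def closed_loop(A, B, K, rho):
    """A + B K T_rho: closed loop when only x_rho is transmitted."""
    n = len(A)
    BKT = matmul(matmul(B, K), selector(n, rho))
    return [[A[i][j] + BKT[i][j] for j in range(n)] for i in range(n)]


def monodromy(A, B, K, schedule):
    """Product of the closed-loop matrices over one period of rho(k)."""
    n = len(A)
    Phi = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for rho in schedule:  # x(k+1) = (A + B K T_rho) x(k)
        Phi = matmul(closed_loop(A, B, K, rho), Phi)
    return Phi


def spectral_radius(M, squarings=10):
    """Gelfand estimate ||M^k||^(1/k), k = 2**squarings, induced inf-norm.

    The estimate approaches the spectral radius from above, so it never
    under-reports instability. P is renormalised at every squaring and the
    scale is tracked in log_scale to avoid overflow and underflow.
    """
    P, log_scale = M, 0.0  # invariant: M^(2^i) = exp(log_scale) * P
    for _ in range(squarings):
        P = matmul(P, P)
        log_scale *= 2.0
        norm = max(sum(abs(v) for v in row) for row in P)
        if norm == 0.0:
            return 0.0  # nilpotent matrix
        P = [[v / norm for v in row] for row in P]
        log_scale += math.log(norm)
    return math.exp(log_scale / 2 ** squarings)


def stable_under(A, B, K, schedule):
    """Periodic switching is exponentially stable iff rho(monodromy) < 1."""
    return spectral_radius(monodromy(A, B, K, schedule)) < 1.0


# Constructed plant and gain (not from the book): A + BK has eigenvalues
# 0.5 and 0.8, so full-state feedback is stabilising.
A = [[1.1, 0.3], [0.0, 0.8]]
B = [[1.0], [0.0]]
K = [[-0.6, -0.3]]

if __name__ == "__main__":
    for schedule in ([1], [2], [1, 2]):
        rho = spectral_radius(monodromy(A, B, K, schedule))
        print(f"schedule {schedule}: spectral radius ~ {rho:.4f}, "
              f"stable = {rho < 1.0}")
```

Sending only element 2 leaves the unstable mode uncontrolled (spectral radius 1.1), while alternating elements 1 and 2 gives a stable loop (about 0.64), so stability has to be established for the switching signal and not for each mode alone.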

1.4 Secure industrial control systems

The purpose of this section is to provide guidance for establishing industrial control systems (ICSs), which include SCADA systems, distributed control systems (DCSs), and other smaller CS configurations such as skid-mounted programmable logic controllers (PLCs) that are often found in the industrial control sectors. SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. DCSs are generally used to control production systems within a local area such as a factory using supervisory and regulatory control. PLCs are generally used for discrete control for specific applications and generally provide regulatory control. These CSs are critical to the operation of the critical infrastructures that are often highly interconnected and mutually dependent systems.

1.4.1 Introduction

Initially, ICSs had little resemblance to traditional information technology (IT) systems in that ICSs were isolated systems running proprietary control protocols using specialized hardware and software. Widely available, low-cost internet protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cybersecurity vulnerabilities and incidents. As ICSs are adopting IT solutions to promote corporate connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OSs) and network protocols, they are starting to resemble IT systems. This integration supports new IT capabilities, but it provides significantly less isolation for ICSs from the outside world than predecessor systems, creating a greater need to secure these systems. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment. Effectively, this gives rise to secure industrial control systems (SICSs), an important topic for researchers and control designers as well.

The relationship of SICS to what is typically used in the electric, gas, chemical, pharmaceutical and industries is of prime concern. SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. DCSs are generally used to control production systems within a local area such as a factory using supervisory and regulatory control. PLCs are generally used for discrete control for specific applications and generally provide regulatory control. These CSs are critical to the operation of the US critical infrastructures that are often highly interconnected and mutually dependent systems. It is important to note that approximately 90% of the nation’s critical infrastructures are privately owned and operated. Federal agencies also operate many of the industrial processes mentioned above. Other examples include air traffic control and materials handling (e.g., postal service mail handling).

The following section provides an overview of these ICSs and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

1.4.2 Progress of SICS

Looking closely at ICSs and traditional IT systems, it is found that ICSs were essentially isolated systems, mainly running proprietary control protocols. Nowadays, low-cost internet protocol (IP) devices are utilized to substitute proprietary solutions. This in turn increases the possibility of cybersecurity incidents. Additionally, ICSs incorporate IT solutions to promote corporate connectivity and remote access capabilities. They are custom-designed and implemented based on industry standard computers, OSs and network protocols. To this end, they resemble IT systems. This integration supports new IT capabilities, but it provides significantly less isolation for ICSs from the outside world than predecessor systems, creating a greater need to secure these systems. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment.


Although some characteristics are similar, ICSs also have characteristics that differ from traditional information processing systems. Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world. Some of these characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial issues such as production losses, negative impact to a nation’s economy, and compromise of proprietary information. ICSs have unique performance and reliability requirements and often use OSs and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of CSs.

Originally, ICS implementations were susceptible primarily to local threats, because many of their components were in physically secured areas and the components were not connected to IT networks or systems. However, the trend toward integrating ICSs with IT solutions provides significantly less isolation for ICSs from the outside world than predecessor systems, creating a greater need to secure these systems from remote, external threats. The increasing use of wireless networking also places ICS implementations at greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment. Threats to CSs can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, natural disasters as well as malicious or accidental actions by insiders. Protecting the integrity and availability of ICS systems and data is typically of utmost importance, but confidentiality is also an important concern.

1.4.3 Major security objectives

Before delving into the security themes, it is convenient to shed light on possible incidents an ICS may face, which include:

• Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation;
• Unauthorized changes to instructions, commands, or alarm thresholds, which could potentially damage, disable, or shut down equipment;
• Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions;
• ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects;
• Interference with the operation of safety systems, which could endanger human life.

Major security objectives for an ICS implementation often include the following:

• Restricting logical access to the ICS network and network activity. This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
• Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
• Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions, disabling all unused ports and services, restricting ICS user privileges to only those that are required for each person’s role, tracking and monitoring audit trails, and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
• Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS, or does not cause another problem elsewhere, such as a cascading event.

To properly address security in an ICS, it is essential for a cross-functional cybersecurity team to share their varied domain knowledge and experience to evaluate and mitigate risk in the ICS. The cybersecurity team should consist of a member of the organization’s IT staff, a control engineer, network and system security experts, a member of the management staff, and a member of the physical security department at a minimum. For continuity and completeness, the cybersecurity team should consult with the CS vendor as well. The cybersecurity team should report directly to the site management or the company’s CIO/CSO, who, in turn, accepts complete responsibility and accountability for the cybersecurity of the corporate and ICS networks. An effective cybersecurity program for an ICS should apply a strategy known as “defense-in-depth”. This strategy means that security mechanisms are layered such that the impact of a failure in any one mechanism is minimized.
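The first objective above, a DMZ that keeps traffic from passing directly between the corporate and ICS networks, can be checked mechanically against a firewall ruleset. The following Python audit is an added example, not code from the book; the address plan, ports and rules are constructed, and first-match evaluation with an implicit default deny is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan (RFC 1918 space); not taken from the book.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ics": ipaddress.ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    port: Optional[int] = None  # None means any destination port


def overlap(a, b):
    """Intersection of two CIDR blocks (they either nest or are disjoint)."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def shadowed(src, dst, port, earlier: List[Rule]) -> bool:
    """True if a single earlier deny rule already drops all of (src, dst, port).

    Conservative: a flow blocked only by several partial denies is still
    reported, which is the safe direction for an audit.
    """
    for rule in earlier:
        if rule.action != "deny":
            continue
        covers_addr = (src.subnet_of(ipaddress.ip_network(rule.src))
                       and dst.subnet_of(ipaddress.ip_network(rule.dst)))
        covers_port = rule.port is None or rule.port == port
        if covers_addr and covers_port:
            return True
    return False


def audit(rules: List[Rule]) -> List[Tuple[int, str, str, str, str, Optional[int]]]:
    """Report permit rules that let traffic pass directly between the
    corporate and ICS zones. Each finding is (rule index, from zone, to zone,
    reachable source block, reachable destination block, port)."""
    findings = []
    for idx, rule in enumerate(rules):
        if rule.action != "permit":
            continue
        src = ipaddress.ip_network(rule.src)
        dst = ipaddress.ip_network(rule.dst)
        for a, b in (("corporate", "ics"), ("ics", "corporate")):
            s, d = overlap(src, ZONES[a]), overlap(dst, ZONES[b])
            if s is None or d is None:
                continue  # rule does not connect zone a to zone b
            if shadowed(s, d, rule.port, rules[:idx]):
                continue  # dead rule: an earlier deny wins under first match
            findings.append((idx, a, b, str(s), str(d), rule.port))
    return findings


# Constructed ruleset, evaluated top to bottom.
RULES = [
    Rule("permit", "10.10.0.0/16", "10.20.0.10/32", 443),  # corporate -> DMZ host
    Rule("permit", "10.30.5.0/24", "10.20.0.10/32", 443),  # ICS -> DMZ host
    Rule("permit", "0.0.0.0/0", "10.30.1.0/24", 22),       # "any" source reaches ICS
    Rule("deny", "10.10.0.0/16", "10.30.0.0/16"),          # explicit corporate -> ICS block
    Rule("permit", "10.10.8.0/24", "10.30.5.20/32", 502),  # shadowed by the deny above
    Rule("permit", "10.30.5.0/24", "10.10.0.0/16", 445),   # ICS -> corporate, direct
]

if __name__ == "__main__":
    for idx, a, b, s, d, port in audit(RULES):
        print(f"rule {idx}: {a} -> {b} direct path {s} -> {d} port {port or 'any'}")
```

The rule with an "any" source is reported because it sits above the explicit deny; moving the deny to the top of the list removes that finding, which shows why rule order belongs in the review.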

1.5 Game-theoretic methods

Critical infrastructures, such as power grids and transportation systems, are increasingly using open networks for operation. The use of open networks poses many challenges for CSs. The classical design of CSs takes into account modeling uncertainties as well as physical disturbances, providing a multitude of control design methods such as robust control, adaptive control, and stochastic control. With the growing level of integration of CSs with new information technologies, modern CSs face uncertainties not only from the physical world but also from the cybercomponents of the system. The vulnerabilities of the software deployed in the new CS infrastructure will expose the CS to many potential risks and threats from attackers. Exploitation of these vulnerabilities can lead to severe damage as has been reported in various news outlets [105,106]. More recently, it has been reported [107,108] that a computer worm, Stuxnet, was spread to target Siemens SCADA systems that are configured to control and monitor specific industrial processes.

Uncertainties from the cybersystem are often unanticipated and more catastrophic for CSs in terms of their high impact and low effort as compared to those from the physical world. It is imperative to consider the cyberuncertainties in addition to the physical ones in the controller design. Such uncertainties can be caused by intentional malicious behaviors and/or by rare events, such as severe weather or natural disasters. Engineers are accustomed to designing systems to be reliable and robust, despite noise and disturbances. However, the cybersecurity aspect of CSs has posed new challenges for engineers and system designers.

1.5.1 Robustness issue

The notion of robustness often refers to a system’s ability to withstand a known range of uncertain parameters or disturbances, whereas security describes the system’s ability to withstand and be protected from malicious behaviors and unanticipated events. These two system properties are pre-event concepts, that is, the system is designed to be robust or secure offline before it is perturbed or attacked. Despite many engineering efforts toward designing robust and secure systems, it is costly and impractical, if not impossible, to achieve perfect robustness and security against all possible attacks and events. This fact, however, renders it essential to investigate the resilience aspect of a system, which refers to the system’s ability to recover online after adversarial events occur. It is a post-event concept. Hence, to provide performance guarantees, CSs should be designed to be inherently resilient, allowing them to self-recover from unexpected attacks and failures.

Resilience has been studied in many fields such as psychology [109], ecology [110], and organizational behavior [111]. The concept has also appeared in various engineering fields, such as aviation, nuclear power, oil and gas, transportation, emergency health care, and communication networks [112,113]. The literature on resilience engineering is often found to be very diverse, qualitative, and area specific. Rieger et al. [114,115] propose the concept of resilient CSs, which emphasizes designing CSs for operation in an adversarial and uncertain environment. Resilient CSs are required to be capable of maintaining the state awareness of threats and anomalies and assuring an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature. Traditional concepts of robustness, reliability, and cybersecurity appear to be insufficient to address these emerging issues of CSs.

Metrics for robustness in CSs have been well studied in the literature [116,117]. A game-theoretic approach has been introduced to obtain the H∞ optimal, disturbance-attenuating minimax controllers by viewing the controller as the cost minimizer and the disturbance as the maximizer. Likewise, cybersecurity problems have been studied using game theory [118], which provides a natural framework for capturing the conflict of goals between an attacker who seeks to maximize the damage inflicted on the system and a defender who aims to minimize it. Moreover, the design of security strategies is enabled by many existing analytical and computational tools [119].

1.5.2 Resilient control design

The design of resilient CSs pivots on the fundamental system tradeoffs between robustness, resilience, and security. Perfect security could be achieved by making the system unusable, and likewise perfect robustness could be attained by making the control performance completely inadequate. The need for resilience is due to the fact that no desirable CSs exhibit perfect robustness or security. Hence, it is imperative in the control design to know what type of uncertainties or malicious events need to be considered for enhancing robustness and security and what uncertainties or malicious events need to be considered for post-event resilience. Studying these tradeoffs requires extending the CS design problem to include the cyberlayers of the system and understand the cross-layer issues in CPSs.

Resilient control, however, poses new challenges, different from the ones encountered in robust control and security games. Resiliency should be considered together with robustness and security since the post-event resiliency relies on the pre-event designs. Resilience builds upon robustness and security frameworks and takes a cross-layer approach by considering post-event system features. Since game theory has been successfully applied to study robustness and security, it is natural to adopt it as the main tool to build an extended and integrated framework.

In the sequel, we look at some game-theoretic methods for resilient control design and develop a framework that studies the tradeoff between robustness, security, and resilience. A hybrid dynamic game-theoretic approach is introduced that integrates the discrete-time Markov model for modeling the evolution of cyberstates with continuous-time dynamics for describing the underlying controlled physical process. The hybrid dynamic game model provides a holistic and cross-layer viewpoint in the decision-making and design for CPSs. The continuous-time dynamics model the physical layer, that is, the plant, subject to disturbances and control efforts. The discrete-time dynamics model the cyberlayer of the system, which involves system configurations and dynamic human–machine interactions (HMIs). A zero-sum differential game is used for a robust control design at the physical layer, while a stochastic zero-sum game between an administrator and an attacker is used for the design of defense mechanisms.

The controlled transition between pre-event states to post-event states in the hybrid system framework leads to the design of the resilient hybrid dynamical system. The controller design at the physical layer and the security policy design at the cyberlayer of the system are intertwined. A policy made at the cyberlayer can influence the optimal control design for the physical system, and the optimal control design at the lower level needs to be taken into account when security policies are determined. For a class of system models, the overall optimal design of the CPS can be characterized by a Hamilton-Jacobi-Isaacs (HJI) equation together with a Shapley optimality criterion. The notations used in the chapter are summarized in the following figures for the reader’s convenience for a brief introduction to game theory.


Figure 1.8 The hierarchical structure of cyberphysical control systems.

Figure 1.9 Interaction between the cyber and physical systems.

1.5.3 Hierarchical systems

A cross-layer approach is pivotal for designing resilient CSs. Integrating physical CSs with cyberinfrastructure to allow for new levels of HMI has been a growing trend in the past few decades. To manage the increasing complexity of CPSs, it is essential that control designs exploit the hierarchical nature of such systems. As depicted in Fig. 1.8, a cyberphysical CS can be conceptually divided into six layers: physical, control, communication, network, supervisory, and management. The physical layer comprises the physical plant to be controlled. The control layer consists of multiple control components, including observers/sensors, IDSs, actuators, and other intelligent control components. The physical layer together with the control layer can be viewed as the physical world of the system. On top of these two layers are the communication layer, which establishes physical layer wired or wireless communications, and the network layer that allocates resources and manages routing. The communication and network layers constitute the cyberworld of the system. Note that these two layers generally represent all the layers of the open system interconnection (OSI) model, which can be incorporated into the cyberlayers of the system. The supervisory layer serves as the brain of the system, coordinating all lower layers by designing and sending appropriate commands. The management layer is a higher level decision-making engine, where the decision makers take an economic perspective towards the resource allocation problems in CSs. The supervisory and management layers are often interfaced with humans, and hence they contain human factor issues and HMIs.

The layered architecture can facilitate the understanding of the cross-layer interactions between the physical layers and the cyberlayers. In Fig. 1.9, x(t) and i(t) denote the continuous physical state and the discrete cyberstate of the system, which are governed by the laws f and K, respectively. The physical state x(t) is subject to disturbances w and can be controlled by u. The cyberstate i(t) is controlled by the defense mechanism l used by the network administrator as well as the attacker’s action a. The hybrid nature of the cross-layer interaction leads to the adoption of a class of hybrid system models, as will be seen later.

1.5.4 Physical layer control system problem

Resilient control requires a cross-layer control design. The control problem at the physical layer of the system is described below. Consider a general class of systems subject to two types of uncertainty:

1. a continuous deterministic uncertainty that models the known parametric uncertainties and disturbances, and
2. a discrete stochastic uncertainty that models the unknown and unanticipated events that lead to a change in the system operation state at random times.


Let the system state evolve according to the piecewise deterministic dynamics

$$\dot{x}(t) = f(t, x, u, w; \theta(t, a, l)), \quad x(t_0) = x_0, \tag{1.46}$$

where $x(t) \in \mathbb{R}^n$, $x_0$ is a fixed (known) initial state of the physical plant at starting time $t_0$, $u(t) \in \mathbb{R}^r$ is the control input, $w(t) \in \mathbb{R}^p$ is the disturbance, and all these quantities lie at the physical and control layers of the entire system. The state of the cybersystem is described by $\theta$. The evolution of $\theta$ depends on the cyberdefense action $l$ and the attacker’s action $a$, which are also functions of time. $\theta(t)$ is a shorthand notation in place of $\theta(t, a, l)$ if the pair of actions $(a, l)$ is fixed. For a given pair $(a, l)$, $\theta(t)$, $t \in [0, t_f]$, is a Markov jump process with right-continuous sample paths, with initial distribution $\pi_0$ and rate matrix $\lambda = \{\lambda_{ij}\}_{i,j \in S}$, where $S := \{1, 2, \ldots, s\}$ is the state space; $\lambda_{ij} \in \mathbb{R}_+$ are the transition rates such that for $i \neq j$,

$$\lambda_{ij} \geq 0, \quad \lambda_{ii} = 1 - \sum_{j \neq i} \lambda_{ij}, \quad i \in S.$$

See Fig. 1.10 for illustration.

Figure 1.10 A networked control system under attack.


It is observed that transitions between the structural states are controlled by the attacker and the system administrator. An attacker can exploit the vulnerabilities in the CS software and launch an attack to bring down the operation. An example is Stuxnet, a Windows-based worm that was recently discovered to target industrial software and equipment [107].

1.6 Notes

This section provides an extensive overview on consensus control in multiagent systems from the network perspective. This class of systems is becoming increasingly popular among researchers due to its applicability in analyzing and designing coordination behaviors among agents in a multiagent framework. Specifically, the material presented agent models (discrete and continuous) as studied by earlier researchers. This follows a summary of different forms of consensus in multiagent systems and recent results in consensus-related problems involving network phenomena such as time-delay, actuator failures, switching and random networks. Suggestions for future work towards designing better consensus protocols that address real-life problems in autonomous multiagent systems are outlined.

Then, we quantify the performance degradation of CPSs under the effect of stealthy integrity attacks. The CPS is modeled as a stochastic LTI system equipped with a linear filter, a feedback controller and a χ² failure detector. An adversary wishes to induce perturbation in the control loop by compromising a subset of the sensors and injecting an exogenous control input, while remaining stealthy. We show how the attacker’s strategy can be formulated as a constrained control problem and that the characterization of the maximum perturbation can be posed as reachable set computation, which can be solved by ellipsoidal approximation methods.

Finally, a guaranteed-cost decentralized observer-based control approach has been developed to achieve the robust stabilization and the optimal performances of interconnected systems composed of linear models with nonlinear cross-coupling terms and uncertain parameters. It has been shown from the simulation results that the developed control scheme is efficient as it allows the rapid stabilization of the power system with three interconnected machines and good reconstruction of the unavailable state variables despite the presence of strong perturbations applied to the subsystems.


References

[1] F. Cleveland, Cyber security issues for advanced metering infrastructure (AMI), in: Proc. Power and Energy Society General Meeting – Conversion and Delivery of Electrical Energy in the 21st Century, 2008.
[2] R. Bobba, E. Heine, H. Khurana, T. Yardley, Exploring a tiered architecture for Naspinet, in: Proc Innovative Smart Grid Technologies, ISGT, 2010.
[3] V. Terzija, G. Valverde, D. Cai, P. Regulski, P. Madani, J. Fitch, Wide-area monitoring, protection, and control of future electric power networks, Proc. IEEE 99 (1) (2011) 80–93.
[4] V. Madani, D. Novosel, S. Horowitz, M. Adamiak, J. Amantegui, D. Karlsson, IEEE PSRC report on global industry experiences with system integrity protection schemes (SIPS), IEEE Trans. Power Deliv. (2010).
[5] North American Synchrophasor Initiative (NASPI), Phasor data applications table [Internet], available from: https://www.naspi.org/File.aspx?fileID=537, 2009.
[6] North American Electric Reliability Corporation, High-impact, low frequency event risk to the North American bulk power system, Jointly-commissioned summary, Report, US Department of Energy, 2009.
[7] C.W. Ten, C.C. Liu, G. Manimaran, Vulnerability assessment of cybersecurity for SCADA systems, IEEE Trans. Power Syst. (2008).
[8] F. Bause, P.S. Kritzinger, Stochastic Petri nets: an introduction to the theory, Sigmetrics Perform. Eval. Rev. 26 (2) (1998).
[9] D. Zhang, P. Shi, Q.G. Wang, L. Yu, Analysis and synthesis of networked control systems: a survey of recent advances and challenges, ISA Trans. 66 (2017) 376–392.
[10] E. Fridman, A. Seuret, J. Richard, Robust sampled-data stabilization of linear systems: an input delay approach, Automatica 40 (8) (Aug. 2004) 1441–1446.
[11] L. Mirkin, Some remarks on the use of time-varying delay to model sample-and-hold circuits, IEEE Trans. Autom. Control 52 (6) (Jun. 2007) 1109–1112.
[12] E. Fridman, A refined input delay approach to sampled-data control, Automatica 46 (2) (2010) 421–427.
[13] K. Liu, E. Fridman, Wirtinger’s inequality and Lyapunov-based sampled-data stabilization, Automatica 48 (1) (2012) 102–108.
[14] Z.G. Wu, P. Shi, H.Y. Su, J. Chu, Local synchronization of chaotic neural networks with sampled-data and saturating actuators, IEEE Trans. Cybern. 44 (12) (2014) 2635–2645.
[15] Z.G. Wu, P. Shi, H.Y. Su, J. Chu, Exponential stabilization for sampled-data neural-network-based control systems, IEEE Trans. Neural Netw. Learn. Syst. 25 (12) (2014) 2180–2190.
[16] Y. Liu, S.M. Lee, Stability and stabilization of Takagi-Sugeno fuzzy systems via sampled-data and state quantized controller, IEEE Trans. Fuzzy Syst. 24 (3) (2016) 635–644.
[17] Y. Xia, Y. Gao, L. Yan, M. Fu, Recent progress in networked control systems - a survey, Int. J. Autom. Comput. 12 (4) (August 2015) 343–367.
[18] H. Sun, N. Hovakimyan, T. Basar, L1 adaptive controller for quantized systems, in: Proceedings of the 2011 American Control Conference, San Francisco, CA, 2011, pp. 582–587.
[19] R.W. Brockett, D. Liberzon, Quantized feedback stabilization of linear systems, IEEE Trans. Autom. Control 45 (7) (Jul 2000) 1279–1289.
[20] D. Liberzon, Hybrid feedback stabilization of systems with quantized signals, Automatica 39 (9) (September 2003) 1543–1554.
[21] N. Elia, S.K. Mitter, Stabilization of linear systems with limited information, IEEE Trans. Autom. Control 46 (9) (Sep 2001) 1384–1400.


[22] M. Fu, L. Xie, The sector bound approach to quantized feedback control, IEEE Trans. Autom. Control 50 (11) (Nov. 2005) 1698–1711.
[23] H. Gao, T. Chen, A new approach to quantized feedback control systems, Automatica 44 (2) (2008) 534–542.
[24] K. Tsumura, H. Ishii, H. Hoshina, Tradeoffs between quantization and packet loss in networked control of linear systems, Automatica 45 (12) (Dec. 2009) 2963–2970.
[25] Y. Ishido, K. Takaba, D. Quevedo, Stability analysis of networked control systems subject to packet-dropouts and finite-level quantization, Syst. Control Lett. 60 (5) (May 2011) 325–332.
[26] Y. Sharon, D. Liberzon, Stabilization of linear systems under coarse quantization and time delays, IFAC Proc. Vol. 43 (19) (2010) 31–36.
[27] Y. Sharon, D. Liberzon, Input to state stabilizing controller for systems with coarse quantization, IEEE Trans. Autom. Control 57 (4) (April 2012) 830–844.
[28] J. Yan, Y. Xia, Quantized control for networked control systems with packet dropout and unknown disturbances, Inf. Sci. 354 (1 August 2016) 86–100.
[29] T.H. Lee, J. Xia, J.H. Park, Networked control system with asynchronous samplings and quantizations in both transmission and receiving channels, Neurocomputing 237 (2017) 25–38.
[30] L. Bao, M. Skoglund, K.H. Johansson, Encoder-decoder design for event-triggered feedback control over band limited channels, in: Proceedings of the American Control Conference, IEEE, Minneapolis, USA, 2006, pp. 4183–4188.
[31] L. Li, X. Wang, M. Lemmon, Stabilizing bit-rates in quantized event triggered control systems, in: Proceedings of the 15th ACM International Conference on Hybrid Systems: Computation and Control, HSCC’12, Beijing, China, 2012, pp. 245–254.
[32] E. Garcia, P.J. Antsaklis, Model-based event-triggered control for systems with quantization and time-varying network delays, IEEE Trans. Autom. Control 58 (2) (2013) 422–434.
[33] H. Yan, S. Yan, H. Zhang, H. Shi, L2 control design of event-triggered networked control systems with quantizations, J. Franklin Inst. 352 (1) (January 2015) 332–345.
[34] Y.L. Wang, Q.L. Han, Modelling and controller design for discrete-time networked control systems with limited channels and data drift, Inf. Sci. 269 (10 June 2014) 332–348.
[35] L. Zhang, Y. Shi, T. Chen, B. Huang, A new method for stabilization of networked control systems with random delays, IEEE Trans. Autom. Control 50 (8) (Aug. 2005) 1177–1181.
[36] Y. Shi, B. Yu, Output feedback stabilization of networked control systems with random delays modeled by Markov chains, IEEE Trans. Autom. Control 54 (7) (2009) 1668–1674.
[37] Y. Shi, B. Yu, Robust mixed H2/H∞ control of networked control systems with random time delays in both forward and backward communication links, Automatica 47 (4) (Apr. 2011) 754–760.
[38] A. Onat, T. Naskali, E. Parlakay, O. Mutluer, Control over imperfect networks: model-based predictive networked control systems, IEEE Trans. Ind. Electron. 58 (3) (March 2011) 905–913.
[39] Y. Ge, Q.G. Chen, M. Jiang, Y.Q. Huang, Modeling of random delays in networked control systems, J. Control Sci. Eng. 2013 (2013) 383415.
[40] R. Luck, A. Ray, Delay compensation in integrated communication and control systems—I: conceptual development and analysis, in: Proceedings of American Control Conference, ACC’90, San Diego, Calif, USA, May 1990, pp. 2045–2050.
[41] R. Luck, A. Ray, Delay compensation in integrated communication and control systems—II: implementation and verification, in: Proceedings of American Control Conference, ACC’90, San Diego, Calif, USA, May 1990, pp. 2051–2055.

48

Cyberphysical Infrastructures in Power Systems

[42] J. Xiong, J. Lam, Stabilization of networked control systems with a logic ZOH, IEEE Trans. Autom. Control 54 (2) (Feb. 2009) 358–363. [43] M. Cloosterman, L. Hetel, N. van de Wouw, W. Heemels, J. Daafouz, H. Nijmeijer, Controller synthesis for networked control systems, Automatica 46 (10) (Oct. 2010) 1584–1594. [44] D. Yue, Q.L. Han, C. Peng, State feedback controller design of networked control systems, in: Proceedings of the 2004 IEEE International Conference on Control Applications, 2004, vol. 1, 2004, pp. 242–247. [45] H. Gao, T. Chen, Network-based output tracking control, IEEE Trans. Autom. Control 53 (3) (2008) 655–667. [46] X. Na, Y. Zhan, Y. Xia, J. Dong, Control of networked systems with packet loss and channel uncertainty, IET Control Theory Appl. 10 (17) (21 Nov. 2016) 2251–2259. [47] D. Ma, G.M. Dimirovski, J. Zhao, Hybrid state feedback controller design of networked switched control systems with packet dropout, in: Proceedings of the 2010 American Control Conference, Baltimore, MD, 2010, pp. 1368–1373. [48] S. Yin, L. Yu, W.A. Zhang, A switched system approach to networked H ∞ filtering with packet losses, Circuits Syst. Signal Process. 30 (6) (2011) 1341–1354. [49] Y. Sun, S. Qin, Stability of networked control systems with packet dropout: an average dwell time approach, IET Control Theory Appl. 5 (1) (6 Jan. 2011) 47–53. [50] P. Seiler, R. Sengupta, Analysis of communication losses in vehicle control problems, in: Proc. Am. Control Conf. 2, 2001, pp. 1491–1496. [51] J. Xiong, J. Lam, Stabilization of linear systems over networks with bounded packet loss, Automatica 43 (1) (Jan. 2007) 80–87. [52] Z. Wang, F. Yang, D.W.C. Ho, X. Liu, Robust H∞ control for networked systems with random packet losses, IEEE Trans. Syst. Man Cybern. B: Cybern. 37 (4) (Apr. 2007) 916–924. [53] M.S. Mahmoud, S.Z. Selim, P. Shi, Global exponential stability criteria for neural networks with probabilistic delays, IET Control Theory Appl. 4 (11) (2011) 2405–2415. 
[54] M.S. Mahmoud, S.Z. Selim, P. Shi, M.H. Baig, New results on networked control systems with non-stationary packet dropouts, IET Control Theory Appl. 6 (15) (2012) 2442–2452. [55] X. Luan, P. Shi, F. Liu, Stabilization of networked control systems with random delays, IEEE Trans. Ind. Electron. 58 (9) (2011) 4323–4330. [56] A.L. Garcia, I. Widjaja, Communication Networks: Fundamental Concepts and Key Architectures, McGraw-Hill, 2001. [57] R.W. Brockett, Stabilization of motor networks, in: Proceedings of the 34th IEEE Conference on Decision and Control, 1995, pp. 1484–1488. [58] V. Blondell, J. Tsitsiklis, NP hardness of some linear control design problem, SIAM J. Control Optim. 35 (6) (1997) 2118–2127. [59] D.H. Varsakelis, Feedback control systems as users of a shared network: communication sequences that guarantee stability, in: Proceedings of the 40th IEEE Conference on Decision and Control, 2001, pp. 3631–3636. [60] M.S. Branicky, S.M. Phillips, W. Zhang, Scheduling and feedback co-design for networked control systems, in: Proceedings of the 41st IEEE Conference on Decision and Control, 2002, pp. 1211–1217. [61] L. Zhang, D.H. Varsakelis, Communication and control co-design for networked control systems, Automatica 42 (6) (2006) 953–958. [62] W.J. Rugh, Linear System Theory, Prentice Hall, Upper Saddle River, New Jersey, 1996. [63] Y.Q. Wang, H. Ye, S.X. Ding, G.Z. Wang, Fault detection of networked control systems subject to access constraints and random packet dropout, Acta Autom. Sin. 35 (9) (2009) 1235–1239.

Introduction

49

[64] H.B. Song, W.A. Zhang, L. Yu, H∞ filtering of network-based systems with communication constraints, IET Signal Process. 4 (1) (2010) 69–77. [65] H.B. Song, L. Yu, W.A. Zhang, Networked H∞ filtering for linear discrete-time systems, Inf. Sci. 181 (3) (2011) 686–696. [66] G. Guo, A switching system approach to sensor and actuator assignment for stabilization via limited multi-packet transmitting channels, Int. J. Control 84 (1) (2011) 78–93. [67] D. Zhang, L. Yu, Q.G. Wang, Fault detection for a class of network-based nonlinear systems with communication constraints and random packet dropouts, Int. J. Adapt. Control Signal Process. 25 (10) (2011) 876–898. [68] W.A. Zhang, L. Yu, G. Feng, Stabilization of linear discrete-time networked control systems via protocol and controller co-design, Int. J. Robust Nonlinear Control 25 (16) (2015) 3072–3085. [69] P.D. Zhou, L. Yu, H.B. Song, L.L. Ou, H-infinity filtering for network-based systems with stochastic protocols, Control Theory Appl. 27 (12) (2010) 1711–1716. [70] G. Guo, Z.B. Lu, Q.L. Han, Control with Markov sensors/actuators assignment, IEEE Trans. Autom. Control 57 (7) (2012) 1799–1804. [71] C.Z. Zhang, G. Feng, J.B. Qiu, W.A. Zhang, T-S fuzzy-model-based piecewise H? output feedback controller design for networked nonlinear systems with medium access constraint, Fuzzy Sets Syst. 248 (2014) 86–105. [72] H. Zhang, Y. Tian, L.X. Gao, Stochastic observability of linear systems under access constraints, Asian J. Control 17 (1) (2015) 64–73. [73] L. Zou, Z.D. Wang, H.J. Gao, Observer-based H∞ control of networked systems with stochastic communication protocol: the finite-horizon case, Automatica 63 (2016) 366–373. [74] D. Zhang, H. Song, L. Yu, Robust fuzzy-model-based filtering for nonlinear cyberphysical systems with multiple stochastic incomplete measurements, IEEE Trans. Syst. Man Cybern. Syst. PP (99) (2016) 1–13. [75] N. Elia, Remote stabilization over fading channels, Syst. Control Lett. 
54 (3) (2005) 237–249. [76] N. Xiao, L. Xie, L. Qiu, Feedback stabilization of discrete-time networked systems over fading channels, IEEE Trans. Autom. Control 57 (9) (2012) 2176–2189. [77] M. Pajic, S. Sundaram, G.J. Pappas, R. Mangharam, The wireless control network: a new approach for control over networks, IEEE Trans. Autom. Control 56 (10) (2011) 2305–2318. [78] S. Zhang, Z. Wang, D. Ding, H. Shu, H∞ fuzzy control with randomly occurring infinite distributed delays and channel fadings, IEEE Trans. Fuzzy Syst. 22 (1) (2013) 189–200. [79] D. Ding, Z. Wang, B. Shen, H. Dong, Envelope-constrained H∞ filtering with fading measurements and randomly occurring nonlinearities: the finite horizon case, Automatica 55 (2015) 37–45. [80] S. Zhang, Z. Wang, D. Ding, H. Shu, H∞ output-feedback control with randomly occurring distributed delays and nonlinearities subject to sensor saturations and channel fadings, J. Franklin Inst. 351 (8) (2014) 4124–4141. [81] W. Ren, N. Hou, Q. Wang, Y. Lu, X. Liu, Non-fragile H∞ filtering for nonlinear systems with randomly occurring gain variations and channel fadings, Neurocomputing 156 (2015) 176–185. [82] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cayirci, A survey on sensor networks, IEEE Commun. Mag. 40 (8) (2002) 102–114. [83] D. Zhang, Q.-G. Wang, L. Yu, Q.-K. Shao, H∞ filtering for networked systems with multiple time-varying transmissions and random packet dropouts, IEEE Trans. Ind. Inform. 9 (3) (2012) 1705–1716.

50

Cyberphysical Infrastructures in Power Systems

[84] D. Zhang, L. Yu, H. Song, Q.-G. Wang, Distributed H∞ filtering for sensor networks with switching topology, Int. J. Syst. Sci. 44 (11) (2013) 2104–2118. [85] D. Zhang, L. Yu, W.-A. Zhang, Energy efficient distributed filtering for a class of nonlinear systems in sensor networks, IEEE Sens. J. 15 (5) (2015) 3026–3036. [86] D. Zhang, R. Ling, Q.-G. Wang, L. Yu, Y. Feng, Sensor-network-based distributed stabilization of nonlinear large-scale systems with energy constraints and random sensor faults, J. Franklin Inst. 352 (8) (2015) 3345–3365. [87] K. You, N. Xiao, L. Xie, Kalman filtering with scheduled measurements, in: Analysis and Design of Networked Control Systems, Springer, 2015, pp. 269–291. [88] D. Zhang, W. Cai, Q.-G. Wang, Energy-efficient H∞ filtering for networked systems with stochastic signal transmissions, Signal Process. 101 (2014) 134–141. [89] P. Tabuada, Event-triggered real-time scheduling of stabilizing control tasks, IEEE Trans. Autom. Control 52 (9) (2007) 1680–1685. [90] H. Li, Z. Chen, L. Wu, H.-K. Lam, Event-triggered control for nonlinear systems under unreliable communication links, IEEE Trans. Fuzzy Syst. 25 (4) (2016) 813–824. [91] D. Yue, E. Tian, Q.-L. Han, A delay system method for designing event-triggered controllers of networked control systems, IEEE Trans. Autom. Control 58 (2) (2012) 475–481. [92] H. Zhang, J. Cheng, H. Wang, Y. Chen, H. Xiang, Robust finite-time eventtriggered H∞ boundedness for network-based Markovian jump nonlinear systems, ISA Trans. 63 (2016) 32–38. [93] H. Li, Z. Chen, L. Wu, H.-K. Lam, H. Du, Event-triggered fault detection of nonlinear networked systems, IEEE Trans. Cybern. 47 (4) (2016) 1041–1052. [94] H. Zhang, Q. Hong, H. Yan, F. Yang, G. Guo, Event-based distributed H∞ filtering networks of 2-dof quarter-car suspension systems, IEEE Trans. Ind. Inform. 13 (1) (2016) 312–321. [95] S. Hu, D. Yue, Event-triggered control design of linear networked systems with quantization, ISA Trans. 
51 (1) (2012) 153–162. [96] D. Zhang, P. Shi, Q.-G. Wang, L. Yu, Distributed non-fragile filtering for ts fuzzy systems with event-based communications, Fuzzy Sets Syst. 306 (2017) 137–152. [97] M. Donkers, W. Heemels, Output-based event-triggered control with guaranteed L∞ -gain and improved event-triggering, in: 49th IEEE Conference on Decision and Control, CDC, IEEE, 2010, pp. 3246–3251. [98] M. Velasco, J. Fuertes, P. Marti, The self triggered task model for real-time control systems, in: Work-in-Progress Session of the 24th IEEE Real-Time Systems Symposium, RTSS03, vol. 384, 2003. [99] Y. Tang, Self-triggered control of uncertain networked systems under packet dropouts, in: 2016 IEEE International Conference on Industrial Technology, ICIT, IEEE, 2016, pp. 2138–2142. [100] D. Zhang, P. Shi, Q.-G. Wang, Energy-efficient distributed control of large-scale systems: a switched system approach, Int. J. Robust Nonlinear Control 26 (14) (2016) 3101–3117. [101] R. Ling, D. Zhang, Non-fragile H∞ filtering for wireless-networked systems with energy constraint, Complexity 21 (S1) (2016) 79–89. [102] D. Zhang, P. Shi, W.-A. Zhang, L. Yu, Energy-efficient distributed filtering in sensor networks: a unified switched system approach, IEEE Trans. Cybern. 47 (7) (2016) 1618–1629. [103] B. Chen, G. Hu, W.-A. Zhang, L. Yu, Distributed mixed H2 H∞ fusion estimation with limited communication capacity, IEEE Trans. Autom. Control 61 (3) (2015) 805–810.

Introduction

51

[104] R. Ling, J. Chen, W.-A. Zhang, D. Zhang, Energy-efficient H∞ filtering over wireless networked systems—a Markovian system approach, Signal Process. 120 (2016) 495–502. [105] S. Gorman, Electricity grid in U.S. penetrated by spies, Wall Str. J. [Online], available: http://online.wsj.com/article/SB123914805204099085.html, Apr. 8, 2009. [106] B. Krebs, Cyber incident blamed for nuclear power plant shutdown, Washington Post [Online], available: http://www.washingtonpost.com/wp-dyn/content/article/ 2008/06/05/AR2008060501958.html, June 5, 2008. [107] S. Greengard, The new face of war, Commun. ACM 53 (12) (Dec. 2010) 20–22. [108] R. McMillan, Siemens: Stuxnet worm hit industrial systems [Online], available: http://www.computerworld.com/s/article/print/9185419, Sept. 16, 2010. [109] L. Gunderson, C.S. Holling, Panarchy: Understanding Transformations in Human and Natural Systems, Island Press, Washington, D.C., Dec. 2001. [110] B. Walker, D. Salt, W. Reid, Resilience Thinking: Sustaining Ecosystems and People in a Changing World, Island Press, Washington, D.C., Aug. 2006. [111] J.P. Kotter, Accelerate!, Harv. Bus. Rev. 90 (11) (Nov. 2012) 45–58. [112] E. Hollnagel, D.D. Woods, N. Leveson, Resilience Engineering: Concepts and Precepts, Ashgate Publishing, Farnham, U.K., Sept. 2006. [113] E. Hollnagel, J. Pariès, D.D. Woods, J. Wreathall, Resilience Engineering in Practice: A Guide Book, Ashgate Publishing, Farnham, U.K., Jan. 2011. [114] C. Rieger, D. Gertman, M. McQueen, Resilient control systems: next generation design research, in: Proc. 2nd Conf. Human System Interactions, 2009, pp. 632–636. [115] C. Rieger, Notional examples and benchmark aspects of a resilient control system, in: Proc. 3rd Int. Symp. Resilient Control Systems, 2010, pp. 64–71. [116] K. Zhou, J. Doyle, Essentials of Robust Control, 1st ed., Prentice-Hall, Englewood Cliffs, NJ, 1997. [117] T. Basar, P. 
Bernhard, H∞ Optimal Control and Related Minimax Design Problems: A Dynamic Game Approach, 1st ed., Birkhäuser, Switzerland, 1995. [118] M. Manshaei, Q. Zhu, T. Alpcan, T. Basar, J.-P. Hubaux, Game theory meets network security and privacy, ACM Comput. Surv. 45 (3) (June 2013) 1–39. [119] T. Alpcan, T. Basar, Network Security: A Decision and Game Theoretic Approach, Cambridge Univ. Press, Cambridge, U.K., 2011.

This page intentionally left blank

CHAPTER 2

Smart grids: control and cybersecurity

Contents
2.1. A view of networked microgrids
2.1.1 Introduction
2.1.2 Types of networked microgrids
2.1.3 Star-connected NMG
2.1.4 Ring-connected NMG
2.1.5 Mesh-connected NMG
2.1.6 Control approaches in NMGs
2.2. Cyberattack protection and control of microgrids
2.2.1 Model of microgrid system
2.2.2 Observation model and cyberattack
2.2.3 Cyberattack minimization in smart grids
2.2.4 Stabilizing feedback controller
2.2.5 Simulation results I
2.3. Smart grid cybersecurity analysis
2.3.1 Introduction
2.3.2 Power network model and state estimation
2.3.2.1 Unobservable data attack and security index
2.3.2.2 Measurement set robustness analysis
2.3.3 Attack construction problem
2.3.3.1 1 relaxation problem (2.30) is a cardinality minimization problem
2.3.4 Main result
2.4. Main attributes
2.4.1 Rationale of the no injection assumption
2.4.2 Relationship with minimum cut based results
2.4.3 Relationship with compressed sensing results
2.4.4 Definitions
2.4.5 The equivalence between two relations
2.4.6 Proof of proposition
2.4.7 Simulation results II
2.5. Two-area power system
2.5.1 Introduction
2.5.2 Simulation results III
2.6. Notes
References

Cyberphysical Infrastructures in Power Systems https://doi.org/10.1016/B978-0-32-385261-6.00011-7

Copyright © 2022 Elsevier Inc. All rights reserved.

2.1 A view of networked microgrids

Microgrids (MGs) have become an integral part of smart grid initiatives for future power system networks. Networked MGs (NMGs) consist of several neighbouring MGs connected in a low/medium distribution network. The primary objective of a network is to share surplus/shortage power with neighbouring MGs to achieve mutual cost-effective operation, utilizing green energy from renewable energy resources (RESs) in the network and increasing the reliability of customer service.

2.1.1 Introduction

In the last decade, distributed energy resources (DERs) have been integrated into transmission and distribution power networks to reduce the amount of carbon emissions worldwide and to meet the increasing demands of power systems [1,2]. An MG is one of the leading features of a smart grid power network for integrating DERs within a distribution network [3]. An MG can be defined as a low-voltage (LV)/medium-voltage (MV) power network that integrates DERs and energy-storage systems (ESSs) to create a grid that feeds different loads in the network and can operate in either grid-connected or island mode [4]. An NMG is an advanced MG concept, in which a network is formed using several adjacent MGs. Fig. 2.1 illustrates a typical NMG in a distribution network. The goal of such a network is to provide mutual power sharing with neighbouring MGs to increase the reliability of an MG network and to reduce operational costs. The network also enables restoring service to customers after a fault/deficient power condition occurs, efficient use of RESs in the network, providing mutual support in island operation and reducing the burden on the main grid in grid-connected operations. Several similar concepts for defining NMG exist in the literature.

2.1.2 Types of networked microgrids

MGs in a certain geographical area can form a physical network to achieve a local/global objective through cooperative interaction amongst MGs and with the main grid. The interconnection amongst MGs depends on the requirement and agreement amongst MGs in a network during the formation of that network. In practice, limiting interconnection types amongst MGs is extremely difficult. Thus, this chapter discusses the most common types of NMGs used in recent research. NMGs can be classified into three types based on network formation: star-connected, ring-connected and mesh-connected NMGs. Each MG in a network can be formed with dispatchable/nondispatchable DERs, ESSs and controllable/uncontrollable loads. All MGs in the network can operate in both grid-connected and island mode. MGs in the network can use a common bus to connect with the main grid or a separate electrical connection to connect themselves with the main grid.

Figure 2.1 An NMG in a distribution network.

2.1.3 Star-connected NMG

The most common structure of NMGs is a star or radial structure. In a star structure, several MGs can be connected to a common bus to form a star network. MGs in the network can connect to the main grid through the common bus. Fig. 2.2(a) shows the typical architecture of a star-connected NMG connected to the main grid through a common bus. An MG in the network will exchange power/information with the main grid and with other MGs through the common bus to achieve economic optimization. If an MG in the network experiences a shortage of power, then it will buy the required power from other MGs in the network or from the main grid to realize power balance in the MG. Fig. 2.2(b) shows the typical architecture of a star-connected NMG connected in a separate common bus. The star network is easy to install and control because of the existing radial power network in the distribution system for exchanging power/information with other MGs in the network. However, a single point of failure and high-cost installation are the major drawbacks of a star-connected network.

Figure 2.2 A star-connected NMG.

2.1.4 Ring-connected NMG

In a ring structure, several adjacent MGs can connect with one another to form a ring and share the power with the neighboring MGs. In this type of network, each MG can communicate with the neighboring MGs in the ring to share the power between them. Fig. 2.3 shows the typical architecture of a ring-connected NMG. Alternatively, any MG in the ring network can connect to the main grid through separate electrical connections.

2.1.5 Mesh-connected NMG

In a mesh structure, several neighboring MGs in a region can connect to form a mesh for sharing power with all the other MGs in the network. Fig. 2.4 shows the typical architecture of a mesh-connected NMG. A mesh structure follows the ring structure but has redundant additional lines to avoid failure in the main loop.

Figure 2.3 A ring-connected NMG.

Figure 2.4 A mesh-connected NMG.

2.1.6 Control approaches in NMGs

Regulating the voltage and frequency of the network under different operating scenarios and system architecture is a challenging issue for the control of NMGs. Optimal power sharing amongst DERs is another challenge in an NMG. The control of single MGs was discussed in several articles. However, control in NMGs has recently become the focus because of the increasing interest in NMG research. Hierarchical and distributed control structures are used in research to achieve the control objectives of NMGs.

Figure 2.5 An NMG in a distribution network.

Fig. 2.5 illustrates the control pyramids of NMGs that use hierarchical (top) and distributed control (bottom) structures. In a hierarchical control structure, primary-level control implements droop control, island detection and local protection in an MG. Meanwhile, the secondary-level control performs voltage and frequency regulation to compensate for primary-level deviation, grid synchronization, optimal operation of DERs in an MG/NMG and real-time energy management to maintain the power balance of individual MGs in the network. Tasks in secondary-level control can be performed using three controlling concepts: centralized, decentralized and distributed.

In the centralized control approach, an MG central controller collects information from all the measurement units of the system through a communication link and performs optimal scheduling of DERs and load in an MG. The central controller also communicates with the distributed network operator (DNO) or other MGs to implement tertiary-level control. Centralized control is the approach most commonly applied in power systems because of its implementation flexibility. The major drawbacks of the central control approach are a single point of failure, a high bandwidth requirement and the hindering of plug-and-play functionality.

Decentralized and distributed controls can be implemented using local information to eliminate the necessity of a central controller. Decentralized control does not consider information sharing with neighboring nodes and uses only local information to reach an optimal decision. Droop control can be used to implement decentralized control. The major drawback of decentralized control is its poor system performance due to lack of communication. The distributed control approach uses information sharing with neighboring DERs to overcome the downsides of centralized and decentralized controls. DERs in an MG/NMG exchange information with adjacent nodes to perform optimal operation and power sharing amongst DERs. Distributed control exhibits plug-and-play capability, low bandwidth requirement, high flexibility and system side performance enhancement.

Tertiary-level control performs market operation with the DNO. Each MG in the network shares its buy/sell information, such as price signal and reserve capacity, with the DNO. On the basis of the information shared by individual MGs, the DNO performs optimal market operation to facilitate network-wide power sharing. In cooperative island mode, MGs in the network can share information with a dominant MG instead of sharing information with the DNO based on the previous consensus. The dominant MG performs market- and system-stability operations in island operation mode.

Meanwhile, the distributed control structure consists of two levels: distributed primary- and distributed secondary-level control. In distributed primary-level control, each MG performs voltage, current and frequency regulation, island detection, grid synchronization and load power management in an MG. In distributed secondary-level control, MGs share the necessary information for power sharing or maintaining systemwide control with neighboring MGs or the DNO. On the basis of network information, each MG determines the necessary actions to achieve the individual/network objectives based on the previous consensus between MGs and the DNO.

2.2 Cyberattack protection and control of microgrids

The smart grid can provide an efficient way of supplying and consuming energy by providing two-way energy flow and communication [5]. It can integrate multiple renewable DERs, which are environmentally friendly, have low greenhouse emissions and are effective in alleviating transmission power losses. The associated connectivity and advanced information/communication infrastructure make the smart grid susceptible to cyberattacks [5,6]. Statistics in the energy sector show that more than 150 cyberattacks happened in 2013 and 79 in 2014 [5]. As a result, the power outage cost is about 80 billion US$ per year in the USA. Usually, the utility operators amortize it by increasing the energy tariff, which is unfortunately transferred to the consumer expenses [7]. The renewable MG incorporating DERs can be a potential solution, but it needs to be properly monitored because its generation pattern depends on the weather and surrounding conditions. One of the smart grid features is that it can integrate multiple MGs and monitor them using reliable communication networks. Since the generation pattern of an MG varies with time and place, its operating condition should be closely monitored. Therefore, the MG state estimation is an important function in the smart-grid energy-management system (EMS).

As shown in Fig. 2.6, the system state estimation is an essential task for the monitoring and control of the power network. In order to monitor the grid information, the utility company has deployed a set of sensors around the smart grid. The communication infrastructure is used to send grid information from sensors to the EMS. The accurately estimated states can also be used in other functions of the EMS such as contingency analysis (CA), bad-data detection (BDD), energy-theft detection, stability analysis, and optimal-power dispatch [8]. However, it is uneconomical or even infeasible to measure all states. Therefore, the state estimation is also a key task in this regard [9]. More importantly, cyberattacks can cause major social, economic and technical problems such as blackouts in power systems, tampering of smart meter readings and changing the forecasted load profiles [7]. These types of catastrophic events can be triggered in MGs much more easily and thus create much more serious problems in the smart grid than in the traditional grid [10]. Therefore, the system state estimation under cyberattacks for smart grids has drawn significant interest in the energy industry and in the signal-processing-based information and communication communities.

Figure 2.6 Flow of electricity and information between different sections of smart grid.

Many studies have been carried out to investigate cyberattacks in smart-grid state estimation. To begin with, most of the state estimation methods use the weighted least squares (WLS) technique under cyberattacks [11–13]. The chi-square detector is also used to detect those attacks. Even though this approach is easy to implement for nonlinear systems, it is computationally intensive, and it cannot eliminate the attacks properly [9,11]. To this end, the WLS-based l1-optimization method is explored in [8]. Furthermore, a new detection scheme to detect the false-data injection (FDI) attack is proposed in [6]. It employs the Kullback-Leibler method to calculate the distance between the probability distributions, which are derived from the observation variations. A sequential detection of FDI in smart grids is investigated in [6]. It adopts a centralized detector based on the generalized likelihood ratio and cumulative sum (CUSUM) algorithm. Note that this detector usually depends on the parametric inferences and, thus, is inapplicable to the nonparametric inferences [14]. A semidefinite program based on the estimation of AC-power-system state is proposed in [15]. Thereafter, a Kalman-filter (KF)-based algorithm for MG energy-theft detection is presented in [7].

A lot of effort has been devoted to power system state estimation under the condition of unreliable communication channels. Generally, the attackers have limited attacking energy to jam the channel in order to achieve the desired goals [16]. The sensor-data scheduling for state estimation with energy constraints is studied in [17]. In this research, based on its energy and estimation-error-covariance matrix, the sensor has to decide whether or not to send its data to a remote estimator. This idea is further extended in [18], where both the sensor and attacker have energy constraints for sending information. The considered attack is on the communication channel between a sensor and a remote estimator. Basically, the sensor aims to minimize the average estimation-error-covariance matrix, while attackers try to maximize it. An iterative game theory is used to solve the optimization problem. Motivated by unknown attacking patterns, the authors of [16,19] investigated how the attacker can design the attacking policy so that the estimation performance deteriorates. Subsequently, the average estimation-error covariance-based optimal scheduling strategy is proposed to avoid such kinds of attacks.

Many feedback-control algorithms have been proposed to regulate the system. Linear-quadratic Gaussian (LQG) based techniques for detecting cyberintegrity attacks on the sensors of a control system (CS) are proposed in [16,20]. That work shows that the residual-error-based chi-squared detection technique is not suitable when the attacker does not know the system dynamics. Based on this analysis, they consider the cyberattack model as an i.i.d. (independent, identically distributed) Gaussian distribution, and then the LQG objective function is modified. Eventually, they developed a sufficient condition to detect the false-alarm probability and proposed an optimization algorithm to minimize it. In [21], a new strategy is recommended for designing a communication and control infrastructure in a distribution system based on the virtual MG concept. It is shown in [22,23] that designing a state feedback control framework for a general case of polynomial discrete-time system is quite challenging because the solution is nonconvex. Thus, the convex optimization-based controller design has gained growing interest in the research community.
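The WLS estimator with a chi-square residual detector mentioned in the survey above, as an added example that is not code from the book. It goes one step beyond the text by also applying the standard largest-normalized-residual test to locate the suspect sensor; the measurement matrix `H`, the sensor values, the function names and the 95% thresholds are assumptions constructed for illustration.

```python
import math

# 95% chi-square critical values, indexed by degrees of freedom (m - n).
CHI2_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}

def mat_inverse(a):
    """Invert a small square matrix (Gauss-Jordan, partial pivoting)."""
    n = len(a)
    aug = [list(row) + [1.0 if i == j else 0.0 for j in range(n)]
           for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("gain matrix singular: state is not observable")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def wls_estimate(H, z, sigma):
    """Solve min (z - Hx)^T R^-1 (z - Hx) with R = diag(sigma_i^2).

    Returns (x_hat, J, normalized_residuals), where J is the weighted
    residual sum of squares used by the chi-square detector.
    """
    m, n = len(H), len(H[0])
    w = [1.0 / s ** 2 for s in sigma]
    # Gain matrix G = H^T R^-1 H and right-hand side H^T R^-1 z.
    gain = [[sum(w[i] * H[i][a] * H[i][b] for i in range(m))
             for b in range(n)] for a in range(n)]
    g_inv = mat_inverse(gain)
    rhs = [sum(w[i] * H[i][a] * z[i] for i in range(m)) for a in range(n)]
    x_hat = [sum(g_inv[a][b] * rhs[b] for b in range(n)) for a in range(n)]
    res = [z[i] - sum(H[i][a] * x_hat[a] for a in range(n)) for i in range(m)]
    J = sum(w[i] * res[i] ** 2 for i in range(m))
    # Residual covariance diagonal: Omega_ii = sigma_i^2 - h_i^T G^-1 h_i.
    norm_res = []
    for i in range(m):
        hgh = sum(H[i][a] * g_inv[a][b] * H[i][b]
                  for a in range(n) for b in range(n))
        omega = sigma[i] ** 2 - hgh
        # omega ~ 0 marks a critical measurement: its residual is always
        # zero, so an error on it cannot be seen by residual tests.
        ok = omega > 1e-9 * sigma[i] ** 2
        norm_res.append(abs(res[i]) / math.sqrt(omega) if ok else 0.0)
    return x_hat, J, norm_res

def detect_bad_data(H, z, sigma):
    """Chi-square alarm on J, then largest normalized residual as suspect."""
    x_hat, J, norm_res = wls_estimate(H, z, sigma)
    dof = len(H) - len(H[0])
    if dof not in CHI2_95:
        raise ValueError("no tabulated threshold for %d degrees of freedom" % dof)
    alarm = J > CHI2_95[dof]
    suspect = max(range(len(z)), key=lambda i: norm_res[i]) if alarm else None
    return {"x_hat": x_hat, "J": J, "alarm": alarm, "suspect": suspect}

# Constructed sample: 5 sensors observing 2 state deviations (not book data).
H = [[1, 0], [0, 1], [1, -1], [1, 1], [2, 1]]
SIGMA = [0.01] * 5
# True state [0.10, -0.05] plus small fixed noise.
Z_CLEAN = [0.104, -0.056, 0.155, 0.047, 0.152]
# Same readings with sensor 2 altered by +0.08 in transit.
Z_TAMPERED = [0.104, -0.056, 0.235, 0.047, 0.152]

if __name__ == "__main__":
    for name, z in (("clean", Z_CLEAN), ("tampered", Z_TAMPERED)):
        out = detect_bad_data(H, z, SIGMA)
        print(name, "J=%.3f" % out["J"], "alarm:", out["alarm"],
              "suspect sensor:", out["suspect"])
```

In the tampered case the raw residual is largest on sensor 1, not on the altered sensor 2; dividing by the residual standard deviation is what points the test at the right measurement.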
A comprehensive approach to understanding security concerns within the grid must utilize cyberphysical system (CPS) interactions to appropriately quantify attack impacts [24] and evaluate effectiveness of countermeasures. This section highlights CPS security for the power grid as the functional composition of the following:
1. the physical components and control applications;
2. the cyberinfrastructures required to support necessary planning, operational, and market functions;
3. the correlation between cyberattacks and the resulting physical system impacts; and
4. the countermeasures to mitigate risks from cyberthreats.


Figure 2.7 Micro-sources connected to the power network.

The cybersystem of the smart grid, consisting of electronic field devices, communication networks, substation automation systems, and control centers, is embedded throughout the physical grid for efficient and reliable generation, transmission, and distribution of power. The control center is responsible for real-time monitoring, control, and operational decision making. Independent system operators (ISOs) perform coordination between power utilities and dispatch commands to their control centers. Utilities that participate in power markets also interact with the ISOs to support market functions based on real-time power generation, transmission, and demand.

2.2.1 Model of microgrid system

In the following, we consider N micro-sources connected to the main grid. For simplicity, we assume that N = 4 solar panels are connected through the IEEE-4 bus test feeder as shown in Fig. 2.7 [25]. Here, the input voltages are denoted by $v_p = [v_{p1}\ v_{p2}\ v_{p3}\ v_{p4}]^T$, where $v_{pj}$ is the jth DER input voltage. The four micro-sources are connected to the power network at the corresponding points of common coupling (PCC) whose voltages are denoted by $v_s = [v_{s1}\ v_{s2}\ v_{s3}\ v_{s4}]^T$, where $v_{sj}$ is the jth PCC voltage. Now, by applying the Laplace transformation, the nodal voltage equation can be obtained:

$$Y(s)\,v_s(s) = \frac{1}{s} L_c^{-1} v_p(s), \tag{2.1}$$


where $L_c = \mathrm{diag}[L_{c1}\ L_{c2}\ L_{c3}\ L_{c4}]$, and $Y(s)$ is the admittance matrix of the entire power network incorporating four micro-sources [26]. Now we can convert the transfer-function form into the linear state-space model. Given $v_{ref}$ and $v_{pref}$ as the PCC reference voltage and the reference-control effort, the discrete-time linear dynamic system can be derived as follows:

$$x(k+1) = A_d x(k) + B_d u(k) + w_d(k), \tag{2.2}$$

where $x(k) = v_s - v_{ref}$ is the PCC state-voltage deviation, $u(k) = v_p - v_{pref}$ is the DER control-input deviation and $w_d(k)$ is a zero-mean process noise with the covariance matrix $Q_w$. Typical values of the state matrix $A_d$ and input matrix $B_d$ for a prescribed discretization step $t$ are

$$A_d = \begin{bmatrix} 175.9 & 176.8 & 511 & 103.6 \\ -350 & 0 & 0 & 0 \\ -544.2 & -474.8 & -408.8 & -828.8 \\ -119.7 & -554.6 & -968.8 & -1077.5 \end{bmatrix}, \tag{2.3}$$

$$B_d = \begin{bmatrix} 175.9 & 176.8 & 511 & 103.6 \\ -350 & 0 & 0 & 0 \\ -544.2 & -474.8 & -408.8 & -828.8 \\ -119.7 & -554.6 & -968.8 & -1077.5 \end{bmatrix}. \tag{2.4}$$

In the sequel, the observation model and attack process are explored.

2.2.2 Observation model and cyberattack

The measurements of the MG states are obtained by a set of sensors and can be modeled as follows:

$$y(k) = Cx(k) + v(k), \tag{2.5}$$

where $y(k)$ is the measurements, $C$ is the measurement matrix and $v(k)$ is a zero-mean sensor measurement noise with the covariance matrix $R_v$. Generally, the objective of attackers is to insert false data into the observations as follows:

$$y(k) = Cx(k) + v(k) + a(k), \tag{2.6}$$

where $a(k)$ is the false data inserted by the attacker [5–7]. We consider that the attackers have complete access to the system infrastructure so that they can hijack, record and manipulate data according to their best interest. In this work, the cyberattack pattern is similar to those illustrated in [5,6,27]. Fig. 2.8 shows the observation model and cyberattack process in the context of smart-grid state estimations.

Figure 2.8 Observation model with cyberattack in the microgrid.

To secure the system states, the signal-processing research community uses channel codes. Motivated by the convolutional coding concept [28,29], the MG state-space and observation models are regarded as the outer code. Then, the standard uniform quantizer performs a quantization to get the sequence of bits $b(k)$, which is encoded by the recursive systematic convolutional (RSC) channel code, which is regarded as the inner code. The main reason for using the RSC code is to mitigate impairments and introduce redundancy in the system in order to protect the grid information. Generally speaking, the RSC code is characterized by three parameters: the codeword length $n$, the message length $l$, and the constraint length $m$, that is, $(n, l, m)$. The quantity $l/n$ refers to the code rate, which indicates the amount of parity bits added to the data stream. The constraint length specifies $m - 1$ memory elements, which represents the number of bits in the encoder memory that affect the generation of the RSC output bits. If the constraint length $m$ increases, the encoding process intrinsically needs a longer time to execute the logical operations. Other advantages of the RSC code compared to the convolutional and turbo encoder include its reduced computation complexity, systematic output features and no error floor [30]. From this point of view, this chapter considers a (2, 1, 3) RSC code and (1 0 1, 1 1 1) code-generator polynomial in the feedback process. According to the RSC features, the code rate is 1/2, and there are two memories in the RSC process. As shown in Fig. 2.9, this RSC code produces two outputs and can convert an entire data stream into one single codeword [31].
Figure 2.9 An illustration of the cyberattack protection in smart grids.

The codeword is then passed through the binary phase-shift keying (BPSK) modulator in order to obtain $s(k)$, and then $s(k)$ is passed through the additive white Gaussian noise (AWGN) channel. Fig. 2.9 illustrates the proposed cyberattack protection procedure in the context of smart grids. Finally, the received signal is

$$r(k) = s(k) + e(k), \tag{2.7}$$

where $e(k)$ is the AWGN noise. The received signal is followed by the log-maximum a posteriori (Log-MAP) decoding for this dynamic system. The Log-MAP works recursively from the forward path to the backward path to recover the state information [28]. The Log-MAP output information is sent for demodulation and dequantization processes, followed by the state estimation scheme.
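The quantizer, (2, 1, 3) RSC inner code, BPSK mapping and channel of (2.7) can be traced end to end in a few lines. This is an added example, not code from the book: it assumes 1 1 1 is the feedback polynomial and 1 0 1 the parity polynomial, replaces the Log-MAP decoder with a simpler hard-decision Viterbi decoder, and uses constructed samples, quantizer range and noise.

```python
def quantize(x, lo=-1.0, hi=1.0, nbits=8):
    """Uniform quantizer: clamp x to [lo, hi] and return nbits bits, MSB first."""
    x = min(max(x, lo), hi)
    level = round((x - lo) / (hi - lo) * (2 ** nbits - 1))
    return [(level >> i) & 1 for i in reversed(range(nbits))]

def dequantize(bits, lo=-1.0, hi=1.0):
    level = int("".join(str(b) for b in bits), 2)
    return lo + level * (hi - lo) / (2 ** len(bits) - 1)

def rsc_step(state, u):
    """One trellis step; state = (s1, s2) are the two memory elements."""
    s1, s2 = state
    a = u ^ s1 ^ s2          # feedback taps 1 1 1 (assumed assignment)
    parity = a ^ s2          # parity taps 1 0 1 (assumed assignment)
    return (a, s1), (u, parity)   # systematic bit is the input itself

def rsc_encode(bits):
    state, coded = (0, 0), []
    for u in bits:
        state, pair = rsc_step(state, u)
        coded.extend(pair)   # rate 1/2: two coded bits per message bit
    return coded

def bpsk(coded):
    return [1.0 - 2.0 * b for b in coded]      # bit 0 -> +1, bit 1 -> -1

def hard_decision(received):
    return [1 if r < 0 else 0 for r in received]

def viterbi_decode(hard_bits):
    """Minimum Hamming-distance path through the 4-state RSC trellis."""
    metric, paths = {(0, 0): 0}, {(0, 0): []}
    for i in range(0, len(hard_bits), 2):
        r_sys, r_par = hard_bits[i], hard_bits[i + 1]
        new_metric, new_paths = {}, {}
        for state, cost in metric.items():
            for u in (0, 1):
                nxt, (sys_bit, par_bit) = rsc_step(state, u)
                total = cost + (sys_bit != r_sys) + (par_bit != r_par)
                if nxt not in new_metric or total < new_metric[nxt]:
                    new_metric[nxt] = total
                    new_paths[nxt] = paths[state] + [u]
        metric, paths = new_metric, new_paths
    return paths[min(metric, key=metric.get)]

def protect_and_recover(samples, noise, nbits=8):
    """Return (recovered samples, number of coded bits the channel flipped)."""
    bits = [b for x in samples for b in quantize(x, nbits=nbits)]
    coded = rsc_encode(bits)
    received = [s + e for s, e in zip(bpsk(coded), noise)]   # r(k) = s(k) + e(k)
    hard = hard_decision(received)
    flipped = sum(c != h for c, h in zip(coded, hard))
    decoded = viterbi_decode(hard)
    recovered = [dequantize(decoded[i:i + nbits])
                 for i in range(0, len(decoded), nbits)]
    return recovered, flipped

# Constructed data: four PCC voltage deviations and a noise vector whose
# sixth sample is large enough to flip one BPSK symbol.
SAMPLES = [0.3, -0.12, 0.05, -0.41]
NOISE = [0.1 if k % 2 else -0.1 for k in range(64)]
NOISE[5] = -1.4

if __name__ == "__main__":
    print(protect_and_recover(SAMPLES, NOISE))
```
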

2.2.3 Cyberattack minimization in smart grids

A recursive KF estimator (RKFE) is constructed to operate on observation information in order to produce the optimal state estimation. The forecasted system-state estimate is expressed as follows:

$$\hat{x}^r(k) = A_d \hat{x}(k-1) + B_d u(k-1), \tag{2.8}$$

where $\hat{x}(k-1)$ is the previous state estimate. Then the forecasted error covariance matrix is given by

$$P^r(k) = A_d P(k-1) A_d^T + Q_w(k-1), \tag{2.9}$$

where $P(k-1)$ is the previously estimated error covariance matrix. The observation innovation residual $d(k)$ is given by

$$d(k) = y_{rd}(k) - C\hat{x}^r(k), \tag{2.10}$$

where $y_{rd}(k)$ is the dequantized and demodulated output bit sequence. The Kalman gain matrix can be written as

$$K(k) = P^r(k) C^T \left[C P^r(k) C^T + R_v(k)\right]^{-1}. \tag{2.11}$$

This yields the updated state estimation as

$$\hat{x}(k) = \hat{x}^r(k) + K(k) d(k), \tag{2.12}$$

along with the updated estimated error-covariance matrix

$$P(k) = P^r(k) - K(k) C P^r(k). \tag{2.13}$$

After estimating the system state, the proposed control strategy is applied for regulating the MG states as shown in the next section.
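The recursion (2.8)–(2.13) also yields a quantity a defender can monitor: the innovation $d(k)$ normalized by its predicted variance. The following added example (not code from the book) runs a scalar version of the RKFE in closed loop under the false-data model (2.6), using the standard update $\hat{x} = \hat{x}^r + K d$. The plant values, feedback gain, measurement ripple, bias and the 3.84 chi-squared gate are constructed assumptions.

```python
CHI2_GATE = 3.84   # 95% chi-squared quantile, 1 degree of freedom (assumed gate)

def rkfe_step(x_hat, p, u_prev, y, a_d, b_d, c, q_w, r_v):
    """One recursion of (2.8)-(2.13) for a scalar system."""
    x_pred = a_d * x_hat + b_d * u_prev          # (2.8)  forecast state
    p_pred = a_d * p * a_d + q_w                 # (2.9)  forecast covariance
    d = y - c * x_pred                           # (2.10) innovation residual
    s = c * p_pred * c + r_v                     # innovation variance
    gain = p_pred * c / s                        # (2.11) Kalman gain
    x_new = x_pred + gain * d                    # (2.12) updated estimate
    p_new = p_pred - gain * c * p_pred           # (2.13) updated covariance
    return x_new, p_new, d * d / s               # last item: normalized residual

def run_closed_loop(n_steps=60, attack_start=20, bias=0.5):
    """Simulate plant, sensor, RKFE and feedback u = F * x_hat.

    Returns (steps that raised an alarm, final true state, final estimate).
    All numbers below are constructed for illustration.
    """
    a_d, b_d, c = 0.9, 0.1, 1.0      # scalar stand-ins for A_d, B_d, C
    q_w, r_v = 0.01, 0.01            # covariances the filter is tuned with
    f_gain = -2.0                    # state-feedback gain F of (2.14)
    x, x_hat, p, u = 1.0, 1.0, 0.01, 0.0
    alarms = []
    for k in range(1, n_steps + 1):
        x = a_d * x + b_d * u                        # plant (process noise omitted)
        v = 0.02 if k % 2 else -0.02                 # deterministic sensor ripple
        a_k = bias if k >= attack_start else 0.0     # injected false data a(k)
        y = c * x + v + a_k                          # observation model (2.6)
        x_hat, p, g = rkfe_step(x_hat, p, u, y, a_d, b_d, c, q_w, r_v)
        if g > CHI2_GATE:
            alarms.append(k)
        u = f_gain * x_hat                           # controller acts on the estimate
    return alarms, x, x_hat

if __name__ == "__main__":
    alarms, x_true, x_est = run_closed_loop()
    print("alarm steps:", alarms)
    print("true state %.3f, estimate %.3f" % (x_true, x_est))
```

The gate fires only at the step where the bias first appears. The filter then absorbs the constant offset, the residual falls back under the gate, and the controller keeps regulating a biased estimate, so a one-shot alarm has to be latched and investigated rather than treated as a transient.
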

2.2.4 Stabilizing feedback controller

Given the availability of the MG state-estimate information, we move to regulate the MG dynamics using the state-feedback controller

$$u(k) = F x(k) \tag{2.14}$$

by minimizing the quadratic cost function

$$J = \mathbb{E}\left[\lim_{N\to\infty} \frac{1}{N}\sum_{j=0}^{N-1}\left\{x^T(j) Q_x x(j) + u^T(j) R_x u(j)\right\}\right], \tag{2.15}$$

where $\mathbb{E}(\cdot)$ denotes the expectation operator, $F$ is the state-feedback gain matrix, and $Q_x > 0$ and $R_x > 0$ are the state-weighting and control-weighting matrices. From (2.2) and (2.14), the closed-loop system is

$$x(k+1) = (A_d + B_d F)x(k) + w_d(k). \tag{2.16}$$

Figure 2.10 System level diagram for system state estimation and control.

Using the properties of the trace operator $\mathrm{Tr}(\cdot)$ and (2.14), it is easy to see that

$$J = \mathbb{E}\left[\lim_{N\to\infty} \frac{1}{N}\sum_{j=0}^{N-1} \mathrm{Tr}\left(Q_x x(j)x^T(j) + F^T R_x F x(j)x^T(j)\right)\right] = \mathrm{Tr}\left[(Q_x + F^T R_x F)P\right], \qquad P = \mathbb{E}\left[\lim_{N\to\infty} \frac{1}{N}\sum_{j=0}^{N-1} x(j)x^T(j)\right]. \tag{2.17}$$

Algebraic manipulation yields

$$P = \mathbb{E}\left[\lim_{N\to\infty} \frac{1}{N}\sum_{j=0}^{N-1} x(j)x^T(j)\right] = (A_d + B_d F)P(A_d + B_d F)^T + Q_w. \tag{2.18}$$

It follows that there exists a stabilizing matrix $P_o$ satisfying $P_o < P$ such that

$$(A_d + B_d F)P_o(A_d + B_d F)^T - P_o + Q_w < 0, \tag{2.19}$$

which is a nonlinear matrix inequality in F and Po . By Schur complements, (2.19) can be cast into the following minimization problem over linear matrix inequality (LMI): min Tr (Qx + Po−1 WoT Rx Wo

Qw − Po Ad Po + Bd Wo 2, the solution label set in (2.27) is a critical p-tuple, which contains the specified measurement k [43,51]. Solving (2.25) solves (2.27) as well. The justification is given by the following statement inspired by the work of O. Kosut et al. [39]:

Proposition 1. Let $H \in \mathbb{R}^{m\times n}$ and $k \in \{1, 2, \dots, m\}$ be given for problems (2.25) and (2.27). Denote the two conditions:
I: $H(k,:) \neq 0$
II: $H$ has full column rank (= n)
The following three statements are true:
(a) Problem (2.25) is feasible if and only if condition I is satisfied.
(b) Problem (2.27) is feasible if and only if conditions I and II are satisfied.
(c) If conditions I and II are satisfied, then (2.25) and (2.27) are equivalent (see Definition 2 in Section 2.4.4).

Note that if condition I is not satisfied, the corresponding measurement k should be removed from consideration. Also, since measurement redundancy is a common practice in power networks [32,33], $H$ can be assumed to have full column rank (= n). Therefore, conditions I and II in Proposition 1 can be justified in practice. Finally, note that Proposition 1 remains true for the arbitrary matrix $H$ (not necessarily defined by (2.21)).

2.3.3 Attack construction problem

This section proposes an efficient solution to the security-index (attack construction) problem in (2.26). The proposed result focuses on a special case of (2.26), where $H$ in (2.21) does not contain injection measurements:

$$H = P D B^T. \tag{2.28}$$

The limitation of assumption (2.28) will be discussed in the sequel. In the related publications, it is shown that (2.26) with assumption (2.28) is equivalent to

$$\begin{aligned} \min_{\theta\in\mathbb{R}^n}\quad & \left\|P(\bar I,:)B^T\theta\right\|_0 \\ \text{subject to}\quad & P(k,:)B^T\theta = 1 \\ & P(I,:)B^T\theta = 0. \end{aligned} \tag{2.29}$$

Instead of considering (2.29) directly, the proposed result pertains to a more general optimization problem associated with a totally unimodular matrix (i.e., the determinant of every square submatrix is either −1, 0, or 1 [52]). In particular, the following problem is the main focus of this section:

$$\begin{aligned} \min_{x\in\mathbb{R}^n}\quad & \left\|A(\bar I,:)x\right\|_0 \\ \text{subject to}\quad & A(k,:)x = 1 \\ & A(I,:)x = 0, \end{aligned} \tag{2.30}$$

where $A \in \mathbb{R}^{m\times n}$ is a given, totally unimodular matrix, and $k \in \{1, 2, \dots, m\}$ and $I \subset \{1, 2, \dots, m\}$ are given. Since $B$ in (2.29) is an incidence matrix, $PB^T$ is a totally unimodular matrix. Therefore, (2.30) is a generalization of (2.29). However, neither (2.30) nor (2.26) includes the other as a special case, since (2.26) restricts its consideration to a particular class of totally unimodular constraint matrices (i.e., graph incidence matrices).

2.3.3.1 $l_1$ relaxation

Problem (2.30) is a cardinality minimization problem. In general, no efficient algorithms for solving cardinality minimization problems have been found [53], so heuristic or relaxation-based algorithms are often considered. The $l_1$ relaxation (i.e., basis pursuit [45]) is a relaxation technique which has received much attention. In $l_1$ relaxation, instead of (2.30), the following optimization problem is set up and solved:

$$\begin{aligned} \min_{x\in\mathbb{R}^n}\quad & \left\|A(\bar I,:)x\right\|_1 \\ \text{subject to}\quad & A(k,:)x = 1 \\ & A(I,:)x = 0, \end{aligned} \tag{2.31}$$

where in the objective function in (2.31) the vector 1-norm replaces the cardinality in (2.30). Problem (2.31) can be rewritten as a linear programming (LP) problem in standard form ([54], pp. 4–6 and 17):

$$\begin{aligned} \min_{x_+,x_-,y_+,y_-}\quad & \sum_{j=1}^{|\bar I|}\big(y_+(j) + y_-(j)\big) \\ \text{subject to}\quad & A(\bar I,:)(x_+ - x_-) = y_+ - y_- \\ & A(k,:)(x_+ - x_-) = 1 \\ & A(I,:)(x_+ - x_-) = 0 \\ & x_+ \in \mathbb{R}^n_+,\ x_- \in \mathbb{R}^n_+,\ y_+ \in \mathbb{R}^{|\bar I|}_+,\ y_- \in \mathbb{R}^{|\bar I|}_+, \end{aligned} \tag{2.32}$$

where $|\bar I|$ denotes the cardinality of the index set $\bar I$. If $(x_+, x_-, y_+, y_-)$ is a feasible solution to (2.32), $x \triangleq x_+ - x_-$ is feasible to (2.30). Hence, an optimal solution to (2.32), if it exists, corresponds to a suboptimal solution to the original problem in (2.30). An important question is under what conditions this suboptimal solution is actually optimal to (2.30). An answer is provided by our main result, based on the special structure in (2.30) and the fact that matrix $A$ is totally unimodular.

2.3.4 Main result

Theorem 3. Let $(x_+^\star, x_-^\star, y_+^\star, y_-^\star)$ be an optimal basic feasible solution to (2.32), where $A$, $k$ and $I$ are defined in (2.30). Then $x^\star \triangleq x_+^\star - x_-^\star$ is an optimal solution to (2.30).

Proof. Before proceeding, two lemmas, which are key to the proof, are presented. The first lemma states that problem (2.32), as set up by the $l_1$ relaxation, has integer-valued optimal basic feasible solutions.

Lemma 1. Let $(x_+^\star, x_-^\star, y_+^\star, y_-^\star)$ be an optimal basic feasible solution to (2.32). Then it holds that $x^\star(i) \triangleq x_+^\star(i) - x_-^\star(i) \in \{-1, 0, 1\}$ for all $1 \le i \le n$. In addition, $y^\star(j) \triangleq \left|A(\bar I(j),:)x^\star\right| \in \{0, 1\}$ for all $1 \le j \le |\bar I|$, where $\bar I(j)$ denotes the jth element of $\bar I$.

Proof. Assume that the feasible set of (2.32) is nonempty, otherwise there is no basic feasible solution (cf. Definition 5). The following two claims are made:
(a) $A(k,:)$ cannot be a linear combination of the rows of $A(I,:)$.
(b) There exists $I' \subset I$ such that either $I' = \emptyset$ or the rows of $A(I',:)$ are linearly independent. In addition, in both cases $A(I',:)\theta = 0$ and $A(I,:)\theta = 0$ define the same constraints.

Claims (a) and (b) together imply that problem (2.32) can be written as a standard form of an LP problem with a constraint matrix with full row rank (i.e., matrix $C$ below):

$$\begin{aligned} \text{minimize}\quad & f^T\theta \\ \text{subject to}\quad & C\theta = d \\ & \theta \ge 0, \end{aligned} \tag{2.33}$$

with

$$C \triangleq \begin{bmatrix} A(\bar I,:) & -A(\bar I,:) & -I_{|\bar I|} & I_{|\bar I|} \\ A(I',:) & -A(I',:) & 0 & 0 \\ A(k,:) & -A(k,:) & 0 & 0 \end{bmatrix}, \quad d \triangleq \begin{bmatrix} 0 \\ 0 \\ 1 \end{bmatrix}, \quad \theta \triangleq \begin{bmatrix} x_+ \\ x_- \\ y_+ \\ y_- \end{bmatrix}, \quad f \triangleq \begin{bmatrix} 0_{n\times 1} \\ 0_{n\times 1} \\ 1_{|\bar I|\times 1} \\ 1_{|\bar I|\times 1} \end{bmatrix}, \tag{2.34}$$

where $I_{|\bar I|}$ is an identity matrix of dimension $|\bar I|$, and $1$ is a vector of all ones. In order to see the claims, first note that (a) is implied by the feasibility of (2.32). For (b), if $I = \emptyset$ or $A(I,:) = 0$, then set $I' = \emptyset$. Otherwise, there exists $I' \subset I$ with the properties that $|I'| = \mathrm{rank}(A(I,:))$, $A(I',:)$ has linearly independent rows and $A(I,:) = S A(I',:)$ for some matrix $S$. On the other hand, $A(I',:) = S' A(I,:)$ for some matrix $S'$, because $I' \subset I$. Hence, $A(I,:)\theta = 0$ and $A(I',:)\theta = 0$ define the same constraints, see (b).

The next step of the proof is to show that every basic solution of (2.33) has its entries being either −1, 0 or 1. Denote the matrix $B_1$ as the first $2n$ columns of $C$, and let $\tilde B_1$ be any square submatrix of $B_1$. If $\tilde B_1$ has two columns (or rows), which are the same or negative of each other, then $\det(\tilde B_1) = 0$. Otherwise, $\tilde B_1$ is a (possibly row and/or column permuted) square submatrix of $A$, and $A$ is assumed to be totally unimodular. Hence, $\det(\tilde B_1) \in \{-1, 0, 1\}$ and $B_1$ is totally unimodular. Next consider the matrix $B$ defined as

$$B \triangleq \begin{bmatrix} C & d \end{bmatrix} = \begin{bmatrix} A(\bar I,:) & -A(\bar I,:) & -I_{|\bar I|} & I_{|\bar I|} & 0 \\ A(I',:) & -A(I',:) & 0 & 0 & 0 \\ A(k,:) & -A(k,:) & 0 & 0 & 1 \end{bmatrix} = \left[\begin{array}{c|ccc} & -I_{|\bar I|} & I_{|\bar I|} & 0 \\ B_1 & 0 & 0 & 0 \\ & 0 & 0 & 1 \end{array}\right].$$

Denote the number of rows and the number of columns of $B$ as $m_B$ and $n_B$ respectively. Let $J \subset \{1, 2, \dots, n_B\}$ be any set of column indices of $B$ such that $|J| = m_B$ (so that $B(:,J)$ is square). If $B(:,J)$ contains only columns of $B_1$, $\det(B(:,J)) \in \{-1, 0, 1\}$, since $B_1$ is totally unimodular. Otherwise, by repeatedly applying the Laplace expansion on the columns of $B(:,J)$, which are not columns of $B_1$, it can be shown that $\det(B(:,J))$ is equal to the determinant of a square submatrix of $B_1$, which can only be −1, 0 or 1. Hence, by Cramer's rule the following holds: If $v$ is the solution to the following system of linear equations

$$B(:,J)\,v = B(:, n_B), \quad J \subset \{1, \dots, n_B - 1\},\ |J| = m_B, \ \text{and}\ \det(B(:,J)) \neq 0, \tag{2.35}$$

then

$$v(j) \in \{-1, 0, 1\} \quad \forall j. \tag{2.36}$$

Lemma 3 and (2.35) together imply that the nonzero entries of all basic solutions to (2.33) are either −1, 0 or 1. Therefore, the basic feasible solutions, which are also basic solutions, to the polyhedron in (2.33) also satisfy this integral property. Finally, let $(x_+^\star, x_-^\star, y_+^\star, y_-^\star)$ be an optimal basic feasible solution. Then feasibility (i.e., nonnegativity) implies that

$$x_+^\star(j) \in \{0, 1\},\ x_-^\star(j) \in \{0, 1\},\ y_+^\star(j) \in \{0, 1\},\ y_-^\star(j) \in \{0, 1\} \quad \forall j. \tag{2.37}$$

The minimization excludes the possibility that, at optimality, $y_+^\star(j) = y_-^\star(j) = 1$. Hence, it is possible to define $x^\star$ and $y^\star$ such that

$$\begin{aligned} x^\star(i) &\triangleq x_+^\star(i) - x_-^\star(i) \in \{-1, 0, 1\} \quad \forall i \\ y^\star(j) &\triangleq y_+^\star(j) + y_-^\star(j) = \left|A(\bar I(j),:)x^\star\right| \in \{0, 1\} \quad \forall j. \end{aligned} \tag{2.38}$$

The second lemma is concerned with a restricted version of (2.30) with an infinity norm bound as follows:

$$\begin{aligned} \min_{x}\quad & \left\|A(\bar I,:)x\right\|_0 \\ \text{subject to}\quad & A(k,:)x = 1 \\ & A(I,:)x = 0 \\ & \|Ax\|_\infty \le 1. \end{aligned} \tag{2.39}$$

Lemma 2. Optimization problems (2.30) and (2.39) are equivalent.

Proof. Suppose (2.30) is feasible, then it has an optimal solution denoted as $x^\star$. Let $\bar I_{x^\star} \subset \bar I$ be the row-index set such that $A(j,:)x^\star \neq 0$ if and only if $j \in \bar I_{x^\star}$. Then it is claimed that there exists a common optimal solution to both (2.30) and (2.39) with the same optimal objective value. The argument is as follows: The property of $x^\star$ implies the feasibility of (2.32)′, which is denoted as a variant of (2.32) with $\bar I$ replaced by $\bar I_{x^\star}$. By Corollary 2.2 (see [54], p. 65), problem (2.32)′, as a standard form LP problem, has at least one basic feasible solution. Furthermore, since the optimal objective value of (2.32)′ is bounded from below (e.g., by zero), Theorem 2.8 (see [54], p. 66) implies that (2.32)′ has an optimal basic feasible solution $(\tilde x_+, \tilde x_-, \tilde y_+, \tilde y_-)$, which is integer-valued as specified by Lemma 1. Denote $\tilde x \triangleq \tilde x_+ - \tilde x_-$. Then $\tilde x$ is feasible to both (2.30) and (2.39) since $\bar I_{x^\star} \subset \bar I$, $\left|A(\bar I_{x^\star},:)\tilde x\right| \in \{0, 1\}^{|\bar I_{x^\star}|}$ and $k \in \bar I_{x^\star}$. Also, $\left\|A(\bar I,:)\tilde x\right\|_0 = \left\|A(\bar I_{x^\star},:)\tilde x\right\|_0 \le \left\|A(\bar I_{x^\star},:)x^\star\right\|_0 = \left\|A(\bar I,:)x^\star\right\|_0$, as the inequality is true because $\tilde x$ is an optimal solution to (2.32)′. Hence $\tilde x$ is optimal to both (2.30) and (2.39) with the same objective value. Conversely, suppose (2.30) is infeasible, then (2.39) is also infeasible. This concludes that (2.30) and (2.39) are equivalent.

Next we provide a proof of Theorem 3. To this end, we let $(x_+^\star, x_-^\star, y_+^\star, y_-^\star)$ be an optimal basic feasible solution to (2.32). Then there exist $x^\star$ and $y^\star$ as defined in Lemma 1. In particular, $x^\star = x_+^\star - x_-^\star$. It can be verified that $(x^\star, y^\star)$ is an optimal solution to the following optimization problem:

$$\begin{aligned} \min_{x,y}\quad & \sum_{j=1}^{|\bar I|} y(j) \\ \text{subject to}\quad & A(\bar I,:)x \le y \\ & -A(\bar I,:)x \le y \\ & A(k,:)x = 1 \\ & A(I,:)x = 0 \\ & 0 \le y(j) \le 1 \quad \forall j = 1, 2, \dots, |\bar I|, \end{aligned}$$

where the inequalities above hold entry-wise. Because of the property that $y^\star(j) \in \{0, 1\}$ for all $j$, $(x^\star, y^\star)$ is also an optimal solution to

$$\begin{aligned} \min_{x,y}\quad & \sum_{j=1}^{|\bar I|} y(j) \\ \text{subject to}\quad & A(\bar I,:)x \le y \\ & -A(\bar I,:)x \le y \\ & A(k,:)x = 1 \\ & A(I,:)x = 0 \\ & y(j) \in \{0, 1\} \quad \forall j = 1, 2, \dots, |\bar I|. \end{aligned} \tag{2.40}$$

It can be verified that (2.40) is equivalent to (2.39). Then Lemma 2 states that (2.40) is also equivalent to (2.30). Consequently, $(x^\star, y^\star)$, being an optimal solution to (2.40), implies that (2.30) is feasible with optimal objective value being $\sum_{j=1}^{|\bar I|} y^\star(j)$. A feasible solution to (2.30) is $x^\star$. Since $y^\star(j) = \left|A(\bar I(j),:)x^\star\right| \in \{0, 1\}\ \forall j$, it holds that $\left\|A(\bar I,:)x^\star\right\|_0 = \sum_{j=1}^{|\bar I|} y^\star(j)$. Hence, $x^\star$ is an optimal solution to (2.30).

Remark 6. Theorem 3 provides a complete procedure for solving (2.30) via (2.32). If the standard-form LP problem in (2.32) is feasible, then it contains at least one basic feasible solution (see the definition in Sect. 2.4.4). Together with the fact that the objective value is bounded from below (e.g., by zero), Theorem 2.8 (see [54], p. 66) implies that problem (2.32) contains at least one optimal basic feasible solution, which can be used to construct an optimal solution to (2.30) according to Theorem 3. Conversely, if the feasible set of (2.32) is empty, the feasible set of (2.30) must also be empty, because a feasible solution to (2.30) can be used to construct a feasible solution to (2.32).

Remark 7. In order to ensure that an optimal basic feasible solution to (2.32) is found if one exists, the simplex method (e.g., [54, Chapter 3]) can be used to solve (2.32). The proof of Theorem 3 will be given in Section 2.4.5. Before that, the related work is reviewed, and the assumption in (2.28) is discussed.

2.4 Main attributes

In the sequel, we present some basic attributes of power systems and/or smart grids.

2.4.1 Rationale of the no injection assumption

Consider the case of (2.26), where $I$ corresponds only to line-power flow measurements, then with the definition of $H$ in (2.21) it can be verified that (2.26) is equivalent to the following:

$$\begin{aligned} \min_{\theta\in\mathbb{R}^n}\quad & \left\|P(\bar I,:)B^T\theta\right\|_0 + \left\|QB^TDB\theta\right\|_0 \\ \text{subject to}\quad & P(k,:)B^T\theta = 1 \\ & P(I,:)B^T\theta = 0. \end{aligned} \tag{2.41}$$

This indicates that the considered problem in (2.29) is a relaxation [54] of the general case in (2.41). K.C. Sou et al. [40] utilize this observation and obtain a satisfactory suboptimal solution to (2.26). Alternatively, Sou et al. [43] indirectly account for the term $\left\|QB^TDB\theta\right\|_0$ in the objective function of (2.41). They demonstrate [43] that solving the following problem provides a satisfactory suboptimal solution to (2.41):

$$\begin{aligned} \min_{\theta\in\mathbb{R}^n}\quad & \left\|\tilde P(\bar{\tilde I},:)B^T\theta\right\|_0 \\ \text{subject to}\quad & \tilde P(\tilde k,:)B^T\theta = 1 \\ & \tilde P(\tilde I,:)B^T\theta = 0, \end{aligned} \tag{2.42}$$

with appropriately defined $\tilde P$, $\tilde I$ and $\tilde k$. Notice that (2.42) has the same form as our considered problem in (2.29). In conclusion, the “no injection assumption” in (2.28), which leads to (2.29), introduces limitation, but it need not be as restrictive as it might first appear. The proposed result in Theorem 3 still leads to an LP-based approach to obtain suboptimal solutions to (2.41) (and hence (2.26)).

2.4.2 Relationship with minimum cut based results

The main strength of the current result lies in the fact that it solves problem (2.30), where the $A$ matrix is totally unimodular. Problem (2.30) includes (2.29) as a special case where the corresponding constraint matrix is a transposed graph incidence matrix. This distinguishes the current work from [40,43,46], which specialize in solving (2.29) using graph-based minimum-cut algorithms (see, e.g., [55]). One example of $A$, which is totally unimodular but not associated with a graph, is the matrix with the property of consecutive ones (i.e., if either for each row or for each column, the 1's appear consecutively) [56]. For a possible application, consider a networked control system (NCS) [57,58] with one controller and $n$ sensor nodes. Each node contains a scalar state value, constant over a period of $m$ time slots. The nodes need to transmit their state values through a shared channel to the controller. Each node can keep transmitting over an arbitrary period of consecutive time slots. At each time slot, the measurement transmitted to the controller is the sum of the state values of all transmitting nodes. Denote $z \in \mathbb{R}^m$ as the vector of measurements transmitted over all time slots, and $\theta \in \mathbb{R}^n$ as the vector of node state values. Then the measurements and the states are related by $z = A\theta$, where $A \in \mathbb{R}^{m\times n}$ is a (0, 1) matrix with consecutive ones in each column. Solving the observability problem in (2.27) with $H = A$ can identify the vulnerable measurement slots, which should have higher priority in communication for such an NCS.

2.4.3 Relationship with compressed sensing results

Problem (2.30) can be written in a form more common in the literature. Consider the case where the null space of $A^T$ is not empty (otherwise rank(A) = m and (2.30) is trivial). With a change of the decision variable $z = Ax$, (2.30) can be posed as

$$\begin{aligned} \min_{z\in\mathbb{R}^m}\quad & \left\|z(\bar I)\right\|_0 \\ \text{subject to}\quad & Lz = 0 \\ & z(I) = 0 \\ & z(k) = 1, \end{aligned} \tag{2.43}$$

where L has full rank and LA = 0, and z(I ) denotes a sub-vector of z containing the entries corresponding to the index set I . (2.43) can be written as the cardinality minimization problem considered, for instance, in [53], [59–61]: minimizez˜ z˜ 0

subject to

z˜ = b ,

(2.44)

with the appropriately defined matrix  and a vector b. In this subsection, we restrict the discussion to the standard case. That is, (2.44) is feasible and  is a full-rank matrix with more columns than rows. As (2.44) is well-studied, certain conditions (regarding the precondition that its optimal solution can be obtained by $l_1$ relaxation) are known. For example, Donoho and Elad [59] and Gribonval and Nielsen [62] report a sufficient condition


based on mutual coherence, which is denoted as μ() and is defined as μ() = max i =j

  (:, i)T (:, j) (:, i)2 (∗, j)2

(2.45)

.

The sufficient condition [61] states that if there exists a feasible solution z˜ in (2.44), which is sparse enough, z˜ 0 1 (i.e., Jθ ∗ \{k} > 0). If rank(H (Jθ ∗ ∪ {k}, :)) < n, then there exists θ˜ = 0 such that H J θ ∗ ∪ { k}, : θ¯ = 0. In particular, H (k, :)θ˜ = 0. Also, condition II ˜ implies that H Jθ ∗ \{k}, : θ = 0 (since otherwise H θ˜ = 0). Let q ∈ Jθ  \{k} such that H (q, :)θ˜ = 0. Note also that by definition of Jθ ∗ , H (q, :)θ  = 0.

 − H (q, :)θ  θ˜ . Then H (k, :)θ  = 1H (p, :)θ  = 0 Construct θ   (H (q, :)θ)θ  whenever H (p, :)θ = 0, but H (q, :)θ  = 0, while H (q, :)θ  = 0. This implies that θ  is feasible to (2.33) with a strictly less objective value than that of θ  , contradicting the optimality of θ  . Therefore, the claim that rank(H (Jθ  ∪ {k},:) = n is true. This implies that Jθ ∗ is feasible to (2.27) establishing the sufficiency of the second part. For the third portion, under conditions I and II both (2.25) and are feasible. In addition, Jθ ∗ constructed in the proof of the sufficiency part of (b) satisfies |Jθ ∗ | = H θ  0 , for θ  being an optimal solution to (2.25). This means that the optimal objective function value of (2.27) is less than or equal to that of (2.25). For the converse, suppose that J  is optimal to  (2.27),

 then  the feasibility of J implies that there exists θJ ∗ = 0 such that H J , : θJ ∗ = 0. This also implies that H θJ ∗ 0 ≤ |J  |. If H (k, :)θJ ∗ = 0,


then H J  ∪ {k}, : θJ ∗ = 0. This implies that rank H J ∪ {k}, : < n, contradicting the feasibility of J  . Therefore, there exists a scalar α such that H (k, :) (αθJ ∗ ) = 1. Consequently, αθJ ∗ is feasible to (2.25) with an objective function value less than or equal to the optimal objective function value of (2.27).


2.4.7 Simulation results II

Figure 2.20 Single line diagram of the IEEE14-bus system.

As a demonstration, instances of the restricted security-index problem in (2.29) are solved with $P$ being an identity matrix and $I$ being empty. The incidence matrix $B$ describes the topology of one of the following benchmark systems: IEEE 14-bus, IEEE 57-bus, IEEE 118-bus, IEEE 300-bus, Polish 2383-bus and Polish 2736-bus [66], see also Figs. 2.20–2.21. For each benchmark, (2.29) is solved for all possible values of $k$ (e.g., 186 choices in the 118-bus case and 411 choices in the 300-bus case). Two solution approaches are tested. The first approach is the one proposed. It is denoted the $l_1$ approach and includes the following steps:
1. Set up the LP problem in (2.32) with $A$ being $B^T$.
2. Solve (2.32) using an LP solver (e.g., CPLEX LP). Let $(x_+^\star, x_-^\star, y_+^\star, y_-^\star)$ be its optimal solution.
3. Define $\theta^\star = x_+^\star - x_-^\star$. It is the optimal solution to (2.29) according to Theorem 3.

Figure 2.21 Single line diagram of the IEEE 57-bus system.

The second solution approach to (2.29) is standard, and it was also applied in [40,43]. This second approach is referred to as the $l_0$ approach, as (2.29) is formulated into the following problem:

$$\begin{aligned} \min_{\theta, y}\quad & \sum_{j} y(j) \\ \text{subject to}\quad & B^T\theta \le My \\ & -B^T\theta \le My \\ & B(:,k)^T\theta = 1 \\ & y(j) \in \{0, 1\} \quad \forall j, \end{aligned} \tag{2.49}$$

where $M$ is a constant required to be at least $\|B^T\|_\infty = \|B\|_1$ (i.e., the maximum column sum of the absolute values of the entries of $B$) [40]. Because of the binary decision variables in $y$, (2.49) is a mixed integer linear programming (MILP) problem [54]. It can be solved by a standard solver such as CPLEX. The correctness of the $l_0$ approach is a direct consequence of the fact that (2.49) is a reformulation of (2.29). As a result, both the $l_1$ and $l_0$ approaches are guaranteed to correctly solve (2.29). Fig. 2.22 shows the sorted security indices (i.e., optimal objective values of (2.29)) for the four larger benchmark systems. The security indices are computed using the $l_1$ approach. As a comparison, the security indices are also computed using the $l_0$ approach, and they are shown in Fig. 2.23. The two figures reaffirm the theory that the proposed $l_1$ approach computes the security indices exactly. Figs. 2.22 and 2.23 indicate that the measurement systems are relatively insecure, as there exist many measurements with very low security indices (i.e., equal to 1 or 2). In terms of computation time performance, it is well-known that the $l_0$ approach is much more time-consuming than the $l_1$ approach, because a MILP problem is much more difficult to solve than an LP problem of the same size [54]. Fig. 2.24 shows the computation time for computing all security indices for each benchmark system, using the $l_1$ and $l_0$ approaches. It verifies that the proposed $l_1$ approach is more effective. The computation time is about an order of magnitude shorter for the new $l_1$ approach as compared to the $l_0$ approach. In the above illustration, all computations are performed on a dual-core Windows machine with 2.4 GHz CPU and 2 GB RAM.
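The security index of (2.29) with $P$ the identity and $I$ empty can be computed on a small network without any solver, which makes it easy to see which line measurements most need protection. This added example is not code from the book or the cited papers. In place of the LP of (2.32) it uses exhaustive search over $\theta \in \{-1, 0, 1\}^n$ (the entry range of Lemma 1) and the graph minimum-cut route the text attributes to [40,43,46]; the 6-bus network and the function names are constructed.

```python
from collections import defaultdict, deque
from itertools import product

# Constructed 6-bus network: one line-flow measurement per (from_bus, to_bus),
# i.e. column k of the incidence matrix B has +1 at from_bus and -1 at to_bus.
N_BUS = 6
LINES = [(0, 1), (0, 2), (1, 2), (1, 3), (2, 4), (3, 4), (4, 5)]

def index_by_enumeration(n_bus, lines, k):
    """Minimize ||B^T theta||_0 subject to B(:,k)^T theta = 1 by brute force.

    Returns (security index, indices of the measurements in the minimal set).
    """
    i, j = lines[k]
    best = None
    for theta in product((-1, 0, 1), repeat=n_bus):
        if theta[i] - theta[j] != 1:          # constraint B(:,k)^T theta = 1
            continue
        # Row e of B^T theta is theta[u] - theta[v]; count the nonzero rows.
        support = [e for e, (u, v) in enumerate(lines) if theta[u] != theta[v]]
        if best is None or len(support) < len(best):
            best = support
    return len(best), best

def index_by_min_cut(lines, k):
    """Same index as a minimum cut between the end buses of line k
    (unit capacities, augmenting paths found by breadth-first search)."""
    source, sink = lines[k]
    cap = defaultdict(int)
    adj = defaultdict(set)
    for u, v in lines:
        cap[(u, v)] += 1
        cap[(v, u)] += 1
        adj[u].add(v)
        adj[v].add(u)
    flow = 0
    while True:
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow                       # max flow equals min cut
        v = sink
        while parent[v] is not None:          # push one unit along the path
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1

def rank_measurements(lines):
    """Measurements sorted from lowest (most exposed) security index upward."""
    return sorted((index_by_min_cut(lines, k), k) for k in range(len(lines)))

if __name__ == "__main__":
    for index, k in rank_measurements(LINES):
        print("line %d %s: security index %d" % (k, LINES[k], index))
```
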

2.5 Two-area power system

The control of power systems with time delays has been investigated by numerous researchers. They considered either the construction of controllers that are robust to time delays or controllers that use offline estimation. However, control methods and adaptive communication protocols that implement an online estimation of dynamic time delays and real-time control of power systems to overcome time-delay switch (TDS) attacks have received little interest. On a parallel avenue, the stability of power CSs with time delays was under major focus for decades. There were several methods to reduce oscillations resulting from time-delayed feedback control. These include a wide-area control system (WACS) for oscillations of a generator and controller proposed based on phasor measurements, to name a few. In this section, we introduce the load-frequency control (LFC) system and use the adaptive allocation method in order to demonstrate mechanisms to restore stability after a time-delay attack.


Figure 2.22 Security indices using the l1 approach.

Figure 2.23 Security indices using the l0 approach.


Figure 2.24 Solve-time for computing all security indices for different benchmark systems.

2.5.1 Introduction

The following section introduces the system and adversarial model used to validate the CF-TDSR (crypto-free TDS recovery) protocol. A two-area power plant with automatic generation control (AGC) is depicted in Fig. 2.25. The LFC component sends control signals to the plant and receives state feedback through the communication channel. Different attack types can be launched against an LFC system, including DoS (denial of service), FDI and TDS attacks. The LFC is a large-scale NCS that regulates the power flow between different areas while holding the frequency constant. Power systems are usually large-scale systems with complex nonlinear dynamics. Modern power grids are divided into various areas. Each area is connected to its neighboring areas by transmission lines called tie-lines. Tie-lines facilitate power sharing between neighboring areas. LFC is used to make sure the power grid is stable and efficient. Furthermore, analysis of power generation and CSs’ markets showed that LFC plays an important role as one of the most profitable supporting services in these systems, which provide better conditions for electricity trading [31]. More information about technical part of LFC can be found.


2.5.2 Simulation results III
Introducing a CF-TDSR protocol ensures reliability and security of CSs while minimizing the cost of redundant communication channels. CF-TDSR is a novel solution that requires the controller to first compare the received packet against an internally generated one and then adapt itself and the communication channel. The CF-TDSR protocol requires time synchronization between the plant and the controller. If a discrepancy is detected, the telemetered information is discarded and the controller uses a predicted state, generated by a state predictor. If the data is delayed, the controller compares the value of the measured states against an internally predicted state, and if the difference exceeds a predetermined threshold, the controller drops the packet and uses the estimated state instead. In both cases, the controller sends a command signal to the data-measurement unit to transmit the next data sets over multiple channels.

Figure 2.25 Controlled two-area power system under TDS attack.

Remark 8. In Fig. 2.25, the plant is a power area system controlled by the LFC. x(t) is a vector of the power area states and is measured and transmitted to the controller via communication links. u(t) is the control signal, r(t) is the desired state, and e(t) is the difference between the desired state and the measured plant state. The attacker attacks the communication link between the plant and controller either by dropping the packets or delaying them.

Figure 2.26 Block diagram of CF-TDSR.

Remark 9. In Fig. 2.26, Tx is the plant transmitter of measured data. Tx receives as its input a signal from the delay detector if a time-delay attack is detected. The delay estimator unit continuously estimates the time delays in the communication link. The delay detector, or more appropriately, the adverse delays detector, receives a signal from the plant estimator and the delay estimator and decides whether or not to inform the transmitter to request multiple redundant channels. The plant model estimates the plant state continuously. The controller produces the required control signals to stabilize the plant.
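The accept/reject rule of Sect. 2.5.2 and Remark 9, as an added example that is not code from the book or from the CF-TDSR authors: a controller with a state predictor is run beside one that trusts every packet while measurements are delayed. The scalar plant, gain, threshold, attack timing and the premise that one redundant channel is undelayed are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed scalar plant x(k+1) = A*x(k) + B*u(k) + w(k); all values are assumptions.
A, B, K = 1.0, 1.0, 0.5              # plant model and state-feedback gain, u = -K*x
THRESHOLD = 0.5                      # tolerated |measured - predicted| on a delayed packet
ATTACK_START, ATTACK_DELAY = 10, 4   # from step 10 on, packets arrive 4 steps late
LOAD_STEP_AT, LOAD = 12, 1.0         # load disturbance, unknown to the controller


@dataclass
class Packet:
    sent_step: int   # plant timestamp; plant and controller clocks are synchronized
    x: float         # measured state


def channel(history, k, redundant):
    """Packet seen by the controller at step k. Assumption: once redundant
    channels are requested, at least one of them is not delayed."""
    attacked = k >= ATTACK_START and not redundant
    sent = k - ATTACK_DELAY if attacked else k
    return Packet(sent, history[sent])


def judge(pkt, k, x_pred):
    """Return (state to use, verdict) following the rule in Sect. 2.5.2."""
    if pkt is None:                           # dropped packet: fall back on the predictor
        return x_pred, "missing"
    delay = k - pkt.sent_step                 # meaningful because clocks are synchronized
    if delay > 0 and abs(pkt.x - x_pred) > THRESHOLD:
        return x_pred, "delayed-rejected"     # stale and inconsistent with the plant model
    return pkt.x, "accepted"


def simulate(defended, steps=60):
    x, x_pred = 0.0, 0.0
    history, redundant, rejected, peak = [], False, 0, 0.0
    for k in range(steps):
        history.append(x)
        pkt = channel(history, k, redundant)
        if defended:
            x_used, verdict = judge(pkt, k, x_pred)
            if verdict != "accepted":
                rejected += 1
                redundant = True              # command Tx to use multiple channels
        else:
            x_used = pkt.x                    # baseline: trust whatever arrives
        u = -K * x_used
        x_pred = A * x_used + B * u           # state predictor for step k+1
        w = LOAD if k >= LOAD_STEP_AT else 0.0
        x = A * x + B * u + w                 # true plant update
        peak = max(peak, abs(x))
    return {"peak": peak, "final": x, "rejected": rejected, "redundant": redundant}


if __name__ == "__main__":
    print("baseline:", simulate(defended=False))
    print("defended:", simulate(defended=True))
```

In this run the delayed packets are accepted while they still agree with the prediction; the first stale packet that disagrees is dropped, the predictor supplies the state for that step, and the request for redundant channels restores fresh feedback.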

2.6 Notes
In this chapter, we have addressed the cardinality-minimization problem, which is important but in general difficult to solve. A problem example is shown in this chapter as the smart-grid security-index problem in (2.26). The l1 relaxation is promising, but establishing the cases where it provides exact solutions is nontrivial. Well-known results based on mutual coherence and RIP provide sufficient conditions under which a unique optimal solution solves both the cardinality-minimization problem and its l1 relaxation. However, this chapter identifies a class of application-motivated problems (as in (2.30)), which can be shown to be solvable by l1 relaxation, even though results based on mutual coherence and RIP cannot make the assertion. In fact, the optimal solution to (2.30) might not be unique. The key property that leads to the conclusion of this chapter is total unimodularity of the constraint matrix. The total unimodularity of matrix A in (2.30) leads to two important consequences. First, Eq. (2.30) is equivalent to its ∞-norm restricted version in (2.39). Furthermore, (2.39) can be solved exactly by solving the LP problem in (2.32), thus establishing the conclusion that the l1 relaxation exactly solves (2.30).

References
[1] Y. Yolda, et al., Enhancing smart grid with microgrids: challenges and opportunities, Renew. Sustain. Energy Rev. 72 (2017) 205–214.
[2] M. Farrelly, S. Tawfik, Engaging in disruption: a review of emerging microgrids in Victoria, Australia, Renew. Sustain. Energy Rev. 117 (2020) 109–491.
[3] N. Lidula, A. Rajapakse, Microgrids research: a review of experimental microgrids and test systems, Renew. Sustain. Energy Rev. 15 (1) (2011) 186–202.
[4] M. Islam, et al., Grid power fluctuation reduction by fuzzy control based energy management system in residential microgrids, Int. Trans. Electr. Energy Syst. 29 (3) (2019) e2758.
[5] D.B. Rawat, C. Bajracharya, Detection of false data injection attacks in smart grid communication systems, IEEE Signal Process. Lett. 22 (10) (Oct. 2015) 1652–1656.
[6] S. Li, Y. Yilmaz, X.D. Wang, Quickest detection of false data injection attack in wide-area smart grids, IEEE Trans. Smart Grid 6 (6) (Nov. 2015) 2725–2735.
[7] M. Esmalifalak, G. Shi, Z. Han, L.Y. Song, Bad data injection attack and defense in electricity market using game theory study, IEEE Trans. Smart Grid 4 (1) (Mar. 2013) 160–169.
[8] K.C. Sou, H. Sandberg, K.H. Johansson, On the exact solution to a smart grid cybersecurity analysis problem, IEEE Trans. Smart Grid 4 (2) (Jun. 2013) 856–865.
[9] M. Esmalifalak, H. Nguyen, R. Zheng, Z. Han, Stealth false data injection using independent component analysis in smart grid, in: Proc. Int. Conf. Smart Grid Communications, Brussels, Belgium, 2011, pp. 244–248.
[10] S.A. Salinas, P. Li, Privacy-preserving energy theft detection in microgrids: a state estimation approach, IEEE Trans. Power Syst. 31 (2) (Mar. 2016) 883–894.
[11] M. Lemmon, Event-triggered feedback in control, estimation, and optimization, in: A. Bemporad, M. Heemels, M. Johansson (Eds.), Networked Control Systems, vol. 406, Springer, 2010, pp. 293–358.
[12] M.S. Mahmoud, Switched Time-Delay Systems, Springer, New York, 2010.
[13] M.C.F. Donkers, W.P.M.H. Heemels, Output-based event-triggered control with guaranteed L∞-gain and improved event-triggering, in: Proc. the 49th IEEE Conf. on Decision Control, 2010, pp. 3246–3251.
[14] A. Eqtami, D. Dimarogonas, K. Kyriakopoulos, Event-triggered control for discrete-time systems, in: Proc. the 2010 American Control Conf., 2010, pp. 4719–4724.
[15] D. Lehmann, J. Lunze, Extension and experimental evaluation of an event-based state-feedback approach, Control Eng. Pract. 19 (2011) 101–112.
[16] P. Tabuada, Event-triggered real-time scheduling of stabilizing control tasks, IEEE Trans. Autom. Control 52 (2007) 1680–1685.
[17] S. Boyd, L. El-Ghaoui, E. Feron, V. Balakrishnan, Linear Matrix Inequalities in System and Control Theory, SIAM Studies in Applied Mathematics, SIAM, Philadelphia, 1994.


[18] M. Velasco, P. Marti, J.M. Fuertes, The self triggered task model for real-time control systems, in: Proc. the 24th IEEE Real-Time Systems Symposium (Work in Progress Session), Cancun, Mexico, 2003, pp. 67–70.
[19] X. Wang, M.D. Lemmon, Self-triggering under state-independent disturbances, IEEE Trans. Autom. Control 55 (6) (2010) 1494–1500.
[20] A. Anta, P. Tabuada, To sample or not to sample: self-triggered control for nonlinear systems, IEEE Trans. Autom. Control 55 (9) (2010) 2030–2042.
[21] M. Mazo Jr., A. Anta, P. Tabuada, An ISS self-triggered implementation of linear controllers, Automatica 46 (8) (2010) 1310–1314.
[22] H. Liu, F. Sun, Y. Hu, H∞ control for fuzzy singularly perturbed systems, Fuzzy Sets Syst. 155 (2) (2005) 272–291.
[23] M.S. Mahmoud, Event-based control of discrete two-time-scale systems, in: Proceedings of the 2017 IEEE Industrial Electronics Conference, IECON2017, Beijing China, October 29–November 1, 2017, pp. 7217–7220.
[24] GAO-11-117, Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to Be Addressed, U.S. Government Accountability Office (GAO), Jan. 2011.
[25] H.J. Li, F.X. Li, Y. Xu, D.T. Rizy, J.D. Kueck, Adaptive voltage control with distributed energy resources: algorithm, theoretical analysis, simulation, and field test verification, IEEE Trans. Power Syst. 25 (3) (Aug. 2010) 1638–1647.
[26] H.S. Li, L.F. Lai, H.V. Poor, Multicast routing for decentralized control of cyber physical systems with an application in smart grid, IEEE J. Sel. Areas Commun. 30 (6) (Jul. 2012) 1097–1107.
[27] S. Ntalampiras, Detection of integrity attacks in cyber-physical critical infrastructures using ensemble modeling, IEEE Trans. Ind. Inform. 11 (1) (Feb. 2015) 104–111.
[28] Y. Jing, A Practical Guide to Error-Control Coding Using MATLAB, Artech House, Boston, London, UK, 2010.
[29] S.P. Gong, H.S. Li, L.F. Lai, R.C. Qiu, Decoding the ‘nature encoded’ messages for distributed energy generation control in microgrid, in: Proc. IEEE Int. Conf. Communications, Kyoto, Japan, 2011, pp. 1–5.
[30] C. Vladeanu, S. El Assad, Nonlinear Digital Encoders for Data Communications, John Wiley & Sons, New York, USA, 2014.
[31] M.M. Rana, L. Li, S.W. Su, Cyber attack protection and control in microgrids using channel code and semidefinite programming, in: Proc. Power and Energy Society General Meeting, Boston, MA, USA, 2016, pp. 1–5.
[32] A. Abur, A. Exposito, Power System State Estimation, Marcel Dekker, Inc., 2004.
[33] A. Monticelli, State Estimation in Electric Power Systems: A Generalized Approach, Kluwer Academic Publishers, 1999.
[34] G. Andersson, P. Donalek, R. Farmer, N. Hatziargyriou, I. Kamwa, P. Kundur, N. Martins, J. Paserba, P. Pourbeik, J. Sanchez-Gasca, R. Schulz, A. Stankovic, C. Taylor, V. Vittal, Causes of the 2003 major grid blackouts in North America and Europe, and recommended means to improve system dynamic performance, IEEE Trans. Power Syst. 20 (4) (Nov. 2005) 1922–1928.
[35] Y. Liu, M. Reiter, P. Ning, False data injection attacks against state estimation in electric power grids, in: Proc. the 16th ACM Conference on Computer and Communication Security, New York, NY, USA, 2009, pp. 21–32.
[36] H. Sandberg, A. Teixeira, K.H. Johansson, On security indices for state estimators in power networks, in: Proc. First Workshop on Secure Control Systems, CPSWEEK, 2010.
[37] G. Dan, H. Sandberg, Stealth attacks and protection schemes for state estimators in power systems, in: IEEE Smart Grid Comm., 2010.


[38] R. Bobba, K. Rogers, Q. Wang, H. Khurana, K. Nahrstedt, T. Overbye, Detecting false data injection attacks on dc state estimation, in: Proc. the First Workshop on Secure Control Systems, CPSWEEK, 2010.
[39] O. Kosut, L. Jia, R. Thomas, L. Tong, Malicious data attacks on the smart grid, IEEE Trans. Smart Grid 2 (2011) 645–658.
[40] K.C. Sou, H. Sandberg, K.H. Johansson, Electric power network security analysis via minimum cut relaxation, in: IEEE Conference on Decision and Control, December 2011.
[41] A. Giani, E. Bitar, M. McQueen, P. Khargonekar, K. Poolla, Smart grid data integrity attacks: characterizations and countermeasures, in: IEEE Smart Grid Comm., 2011.
[42] T.T. Kim, H.V. Poor, Strategic protection against data injection attacks on power grids, IEEE Trans. Smart Grid 2 (June 2011) 326–333.
[43] K.C. Sou, H. Sandberg, K.H. Johansson, Computing critical k-tuples in power networks, IEEE Trans. Power Syst. 27 (3) (2012) 1511–1520.
[44] S. Mallat, Z. Zhang, Matching pursuit with time-frequency dictionaries, IEEE Trans. Signal Process. 41 (1993) 3397–3415.
[45] S.S. Chen, D.L. Donoho, M.A. Saunders, Atomic decomposition by basis pursuit, SIAM J. Sci. Comput. 20 (1998).
[46] J. Hendrickx, K.H. Johansson, R. Jungers, H. Sandberg, K.C. Sou, An exact solution to the power networks security index problem and its generalized min cut formulation, in preparation.
[47] G. Korres, G. Contaxis, Identification and updating of minimally dependent sets of measurements in state estimation, IEEE Trans. Power Syst. 6 (3) (Aug 1991) 999–1005.
[48] M. de Almeida, E. Asada, A. Garcia, Identifying critical sets in state estimation using gram matrix, in: IEEE Power Tech, 28 June-2 July 2009, 2009, pp. 1–5.
[49] M. Ayres, P.H. Haley, Bad data groups in power system state estimation, IEEE Trans. Power Syst. 1 (3) (Aug. 1986) 1–7.
[50] K. Clements, G. Krumpholz, P. Davis, Power system state estimation residual analysis: an algorithm using network topology, IEEE Trans. Power Appar. Syst. PAS-100 (4) (April 1981) 1779–1787.
[51] J.B.A. London, L. Alberto, N. Bretas, Network observability: identification of the measurements redundancy level, in: Proc. Int. Conference Power System Technology, vol. 2, 2000, pp. 577–582.
[52] A. Schrijver, A Course in Combinatorial Optimization, CWI, Amsterdam, Netherlands, 2010.
[53] E. Candes, T. Tao, Decoding by linear programming, IEEE Trans. Inf. Theory 51 (12) (Dec. 2005) 4203–4215.
[54] J. Tsitsiklis, D. Bertsimas, Introduction to Linear Optimization, Athena Scientific, 1997.
[55] M. Stoer, F. Wagner, A simple min-cut algorithm, J. ACM 44 (July 1997) 585–591.
[56] A. Schrijver, Theory of Linear and Integer Programming, Wiley, 1998.
[57] J. Hespanha, P. Naghshtabrizi, Y. Xu, A survey of recent results in networked control systems, Proc. IEEE 95 (1) (Jan. 2007) 138–162.
[58] A. Bemporad, M. Heemels, M. Johansson, Networked Control Systems, Springer, 2010.
[59] D.L. Donoho, M. Elad, Optimally sparse representation in general (nonorthogonal) dictionaries via l1 minimization, Proc. Natl. Acad. Sci. 100 (2003) 2197–2202.
[60] E. Candès, M. Wakin, S. Boyd, Enhancing sparsity by reweighted l1 minimization, J. Fourier Anal. Appl. 14 (2008) 877–905.
[61] A.M. Bruckstein, D.L. Donoho, M. Elad, From sparse solutions of systems of equations to sparse modeling of signals and images, SIAM Rev. 51 (2009).
[62] R. Gribonval, M. Nielsen, Sparse representations in unions of bases, IEEE Trans. Inf. Theory 49 (12) (Dec. 2003) 3320–3325.


[63] E.J. Candes, The restricted isometry property and its implications for compressed sensing, R. Math. 346 (910) (2008) 589–592.
[64] A. Wood, B. Wollenberg, Power Generation, Operation, and Control, J. Wiley and Sons, 1996.
[65] Cplex, http://www-01.ibm.com/software/integration/optimization/cplexoptimizer/.
[66] R. Zimmerman, C. Murillo-Sanchez, R. Thomas, MATPOWER steady-state operations, planning and analysis tools for power systems research and education, IEEE Trans. Power Syst. 26 (1) (2011) 12–19.


PART 2

Control, estimation, and fault detection
This part consists of three chapters:
Chapter 3: Safe control methods
Chapter 4: Event-triggering control of cyberphysical power systems
Chapter 5: Wide area monitoring and estimation systems


CHAPTER 3

Safe control methods
Contents
3.1. Introduction
3.2. State feedback controller
3.2.1 Threat model
3.2.2 Design of the state feedback controller
3.3. Observer-based controller
3.3.1 Design of a state feedback controller
3.3.2 Simulation results
3.4. Performance-degradation issues
3.4.1 Preliminaries
3.4.2 System description
3.4.3 χ² failure detector
3.4.4 Threat model
3.4.5 Recursive version of Rk
3.4.6 Ellipsoidal approximation of Rk
3.4.7 Simulation results
3.5. Decentralized secure control
3.5.1 Problem statement
3.5.2 Design results
3.5.3 Application to a four-area power system
3.6. Notes
References


Cyberphysical Infrastructures in Power Systems https://doi.org/10.1016/B978-0-32-385261-6.00013-0
Copyright © 2022 Elsevier Inc. All rights reserved.

3.1 Introduction
Disturbance identification, stability assessment, and emergency control are fundamental to ensure the reliability and security of a power system. Wide-area measurement systems (WAMSs) provide massive volumes of data. In this chapter, formulations for various safe (secure) control problems are discussed and evaluated. Specifically, this chapter provides computational algorithms and assesses their performance when subjected to several phenomena such as time delay, actuator failures, switching and random networks, malicious attacks, and false-data injection (FDI). Security in safety-critical systems in which physical damage can be caused is a crucial issue. In cyberphysical systems (CPSs), a lot of research can be done while considering security issues. Some examples of these issues are as follows. The cyberattack on a supervisory control and data acquisition (SCADA) system is described in [1]. Other cyberattacks targeted water systems [2], power utilities [3], trams [4], and natural gas pipeline systems [5]. The most famous is the Stuxnet worm that affected the SCADA system in Iran’s nuclear program control systems (CSs), causing substantial damage [6,7]. CPSs provide flexibility, reachability, and profitability, yet they become vulnerable to cyberattacks. Security issues increase the challenges of controlling CPSs because these attacks are stealthy and can affect the system behavior without providing any notification about failure. These attacks can lead to a disruption of the physical system. For example, the disarrangement of coordination packets in medium access control layers could be the result of malware injected by an adversary. Moreover, to destroy the normal operation, an attacker can illegally obtain access to the supervision centers by obtaining the encryption key. That means that the system dynamics can be disturbed arbitrarily by the attacker, and, when there is a lack of security protection in either hardware or software strategies, the attacker has the capability of inducing a perturbation [8]. The communication among the items of CSs, i.e., sensors, actuators, and controllers, occurs through a common network medium. This network needs to be secured to prohibit vulnerability to attacks by adversaries during data transmission. These attacks could lead the system to instability or drive the plant to undesired operations as mentioned before. Thus, consideration of security issues is very important in designing controllers for such a system.
From a control security viewpoint, cyberattacks can be classified into two main types: 1) denial of service (DoS) attacks, which are strategies used for occupying the communication resources in order to prohibit transmitting the measurement or control signals, and 2) deception attacks, defined as the modification of the data integrity of the transmitted packets among some cyberparts in the CPS. While some literature does not differentiate between deception attacks and FDI attacks [9], most of the literature differentiates between these types and considers FDI as a class of deception attacks [10–12]. Moreover, FDI attacks are not limited to “the modification of data integrity for the transmitted packets among some cyber parts”. There is also the man-in-the-middle (MITM) attack that occurs by modifying the software running on the devices themselves, i.e., the software may be compromised, but the packet transmission is fine. The control of CPS under cyberattacks is one of the urgent and major issues in control engineering, and it attracts a lot of research. Most of the existing works in the literature consider only one kind of attack, such as [13–18] for DoS attacks and [19–24] for deception attacks. Recently, [25] proposed resilient state feedback controllers for a class of networked control systems (NCSs) affected by DoS attacks; the closed-loop system is described as an aperiodic sampled-data system closely related to the bounds of duration time of the DoS attacks, and a linear matrix inequality (LMI) based criterion is proposed to achieve the stability of the system. [26] presented a two-stage distributed detection mechanism to signal the occurrence of a distributed deception attack for a discrete time-varying system monitored by a sensor network. The security control problem in NCSs was discussed by [27], and further discussion on DoS (data available attacks) and data integrity attacks that include the deception attack was presented. Some works have considered two kinds of attacks: both randomly occurring DoS and deception attacks were considered in designing an event-based security CS [28]. In [29], the optimal control problem was investigated for a class of NCSs subject to DoS, deception and physical attacks using a delta operator approach and by applying  -Nash equilibrium. A resilient linear quadratic Gaussian (LQG) control strategy for NCSs affected by zero dynamic attacks was designed [30]. Dynamic programming was applied for the control strategy, and a power transmission strategy was designed using value iteration methods for a class of CPS subject to DoS attack [31]. In comparison with a single attack, considering two kinds of attack, i.e., DoS attacks and deception attacks, is more practical since we do not know what the attacker decides to use in the attack. Technically, considering these two kinds of attacks requires more discussion of the possible effects of each kind on the nominal system.
The occurrences of DoS attacks and deception attacks, while considering both as Bernoulli distributed white sequences with variable conditional probabilities, were discussed in the design of an observer-based controller for discrete-time CPS with the existence of physical attacks for the case of attacking actuating signals [32] and attacking both measuring and actuating signals [33]. In this chapter, a secure controller for a CPS will be designed in the presence of both DoS and deception attacks. The effect of a DoS attack is considered as variable delays in signal transmission among the CPS components. On the other hand, the effect of a deception attack is considered as modifications of the original signal, as will be explained in Sect. 3.3. Considering these effects with several properties causes complications in the problem under discussion. In this chapter, the attacks are formulated and designed as random variables with variable conditional probabilities rather than as constant conditional probabilities, which is more representative of the practical situation. It is worth differentiating between faults and deception attacks. Faults are the unintentional failures that happen in a cyberphysical system, such as damaged pipes, faulty sensors, etc. On the other hand, a deception attack is an intentional and planned modification to the cyberphysical system data that compromises CPS security. The differentiation between faults and deception or DoS attacks is not an easy task. Nevertheless, the author in [34] proposed a method to distinguish between faults and attacks despite. Recently, [35] proposed an observer-based fault detection for switched systems with all modes unstable. The average dwell time method and a discretized Lyapunov function were implemented to obtain a switching signal, and then exponential stability and H∞ performance were achieved by solving LMIs. The existence of multiple time-varying delays and unknown nonlinear input faults was considered in designing a consensus observer-based controller for multiagent systems (MASs) by [36]. The most dangerous type of DoS attack is the distributed DoS (DDoS), also called a coordinated attack, in which a large number of compromised machines are used to perform the DoS attack [37]. Moreover, DDoSs have frequently occurred due to the simplicity of creating them, their low cost, and high impact on systems, including the ability to completely disconnect an organization or cause a full collapse of the CPS [38,39]. It was shown that this attack could cause instability of power grids [40] and produce long delay jitters on NCSs [41]. Fig. 3.1 is a diagram of an example of a CPS that consists of a plant (power plant), an observer-based controller, and a network. The plant can include one or more actuators and/or sensors.
The network can include a wired or wireless network such as a local-area network (LAN), a wide-area network (WAN), Wi-Fi, Ethernet, cellular, the Internet, or other suitable network. Actuators can include linear actuators, rotary actuators, electronically controlled valves, relays, etc. Sensors can include sensors generating one or more signals based on a measured location, speed, spatial orientation, temperature, pressure, actuator state, pH, weight, flow rate, or other attribute. The observer-based controller can include a programmable logic controller (PLC) or other suitable device.

Figure 3.1 Diagrams of an example of power plant CPS.

The rest of this chapter is organized as follows. The problem of secure control of a stochastic system subject to DoS and deception attacks is formulated in Sect. 3.2. In Sect. 3.3, theories to solve this problem are presented. A well-known example of a two-area power system is explained in Sect. 3.3.2 to show the effectiveness of the theorem. Finally, Sect. 3.6 concludes this work with our findings and future directions for research.

3.2 State feedback controller
A cyberphysical system (CPS) composed of actuator, plant, sensor, and controller is considered in this section, where the communication network is used for connecting controller and actuator as shown in Fig. 3.2. The considered system could be affected by both physical and cyberattacks. The physical attack affecting the plant is represented by (A1) in Fig. 3.2. A reliable network is used for data transmission between sensor and controller, while the channel used for communication between controller and actuator is unreliable, so it could be affected by a cyberattack that could be either a denial of service (DoS) attack or a deception attack, labeled as (A2) and (A3), respectively, as shown in Fig. 3.2. The plant is described by the following formula:

$$x(k+1) = A x(k) + B u(k) + \eta(k) f(k), \tag{3.1}$$

where $x(k) \in \mathbb{R}^{n_x}$, $u(k) \in \mathbb{R}^{n_u}$, and $f(k) \in \mathbb{R}^{n_f}$ are the system state, the control input, and the physical attack signal injected by the attackers, respectively. $A$ and $B$ are known matrices with proper dimensions, and $B$ is partitioned as

$$B = [\, B_1 \;\; B_2 \;\; \cdots \;\; B_r \,]. \tag{3.2}$$

Figure 3.2 Model of cyberphysical system.

Also, the control input received by the actuator $u(k)$ is partitioned as

$$u(k) = \;(k)\, [\, u_1^T \;\; u_2^T \;\; \cdots \;\; u_r^T \,]^T, \tag{3.3}$$

where (k) describes the occurrence of the DoS attack as

$$(k) = [\, \beta_1 \;\; \beta_2 \;\; \cdots \;\; \beta_r \,], \tag{3.4}$$

with indicator $\beta_i(k)$, $i \in R := \{1, \cdots, r\}$ being the Bernoulli distributed white sequence. The physical attack is considered to be source limited and satisfies $\|f(k)\|^2 < \delta_1$, where $\delta_1$ is a known constant. The control signal is subjected to both DoS attacks and deception attacks, so it will be received by the actuator as

$$u_i(k) = K_i(k) x(k) + \alpha_i(k) \zeta_i(k), \tag{3.5}$$

where $\zeta_i(k)$ is the deception attack signal affecting actuator $i$ and $\|\zeta(k)\|^2 < \delta_2$, where $\delta_2$ is a known constant. So, the closed-loop system is obtained by substituting Eqs. (3.2)–(3.5) into system (3.1), and it is represented in the following form:

$$x(k+1) = A x(k) + \sum_{i=1}^{r} \beta_i B_i \big[ K_i(k) x(k) + \alpha_i(k) \zeta_i(k) \big] + \eta(k) f(k). \tag{3.6}$$


Figure 3.3 Types of attacks.

3.2.1 Threat model
The simultaneous occurrence of DoS and deception attacks is unlikely to happen. Also, the DoS attack is assumed in this chapter to cause loss of the signal, which means that the signal is either lost because of the DoS attack or manipulated because of the deception attack [8]. As a result, we will ignore this scenario. However, we will assume that both of these two types of attacks could occur during the attack period, and we will consider this scenario in the illustrative example.

Assumption. The indicator $\alpha_i(k)$ is a Bernoulli distributed white sequence. Furthermore, the indicators $\eta(k)$, $\alpha_i(k)$ and $\beta_i(k)$, $i \in R$, are uncorrelated with each other and with stochastic properties as listed in Fig. 3.3.

Remark 10. As noted, the attacks can affect the CPS randomly since: (a) the cyber environment of CPS is complicated and fluctuates in a random way, and (b) the successful occurrence of attacks is largely determined by security facilities and has a random property [28]. So, it is more practical to consider the security problem of CPS affected by various types of stochastic attacks.

Remark 11. Assuming that the attackers are energy-bounded is reasonable in engineering practice. So, it is valid to assume that the physical and deception attacks are both norm-bounded [44].

Remark 12. As noted from (3.6), there are three scenarios for cyberattacks on each channel $i$:
1) DoS attack, when $\beta_i(k) = 0$ and regardless of the value of $\alpha_i(k)$,
2) Deception attack, when $\beta_i(k) = 1$ and $\alpha_i(k) = 1$, and
3) No cyberattack, when $\beta_i(k) = 1$ and $\alpha_i(k) = 0$.
These scenarios, in addition to the physical attack, are summarized in Fig. 3.3.

Definition 6. Given the positive scalars $\delta_1$ and $\delta_2$, the controller (3.5) is said to be $\delta_1, \delta_2$ secure if $E\|f(k)\|^2 < \delta_1^2$ and $\|\zeta(k)\|^2 \le \delta_2^2$ for all $k$.
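The closed-loop model (3.6) with the channel scenarios of Remark 12, as an added example that is not code from the book: a Monte Carlo run that draws the indicators, classifies every channel at every step and tracks the state norm. The matrices, gains, constant indicator probabilities and uniformly drawn bounded attack signals are assumptions; the stochastic properties listed in Fig. 3.3 are not reproduced here.

```python
import random

# Constructed two-state plant with r = 2 actuator channels (all values are assumptions).
A = [[0.9, 0.1], [0.0, 0.8]]
B_COLS = [[1.0, 0.0], [0.0, 1.0]]         # B = [B_1 B_2], one column per channel
K_ROWS = [[-0.4, 0.0], [0.0, -0.3]]       # state-feedback gains K_1, K_2
P_BETA, P_ALPHA, P_ETA = 0.8, 0.3, 0.1    # assumed P(beta_i=1), P(alpha_i=1), P(eta=1)
ATTACK_AMPLITUDE = 0.1                    # |zeta_i| and |f_j| stay below this (norm-bounded)


def scenario(beta, alpha):
    """Remark 12: classify one channel from its indicators."""
    if beta == 0:
        return "dos"                      # signal lost, whatever alpha is
    return "deception" if alpha == 1 else "none"


def step(x, rng, counts):
    """One step of the closed-loop system (3.6)."""
    n = len(x)
    nxt = [sum(A[r][c] * x[c] for c in range(n)) for r in range(n)]
    for b_col, k_row in zip(B_COLS, K_ROWS):
        beta = int(rng.random() < P_BETA)
        alpha = int(rng.random() < P_ALPHA)
        zeta = rng.uniform(-ATTACK_AMPLITUDE, ATTACK_AMPLITUDE)
        counts[scenario(beta, alpha)] += 1
        # control signal as it reaches actuator i, Eq. (3.5)
        u_i = sum(k * xc for k, xc in zip(k_row, x)) + alpha * zeta
        for r in range(n):
            nxt[r] += beta * b_col[r] * u_i
    eta = int(rng.random() < P_ETA)       # physical attack indicator
    for r in range(n):
        nxt[r] += eta * rng.uniform(-ATTACK_AMPLITUDE, ATTACK_AMPLITUDE)
    return nxt


def run(steps=5000, seed=1):
    """Return (empirical scenario frequencies, largest state norm seen)."""
    rng = random.Random(seed)
    counts = {"dos": 0, "deception": 0, "none": 0}
    x, worst = [1.0, -1.0], 0.0
    for _ in range(steps):
        x = step(x, rng, counts)
        worst = max(worst, sum(v * v for v in x) ** 0.5)
    total = sum(counts.values())
    return {name: c / total for name, c in counts.items()}, worst


if __name__ == "__main__":
    freqs, worst = run()
    print(freqs, "largest ||x|| =", round(worst, 3))
```

With independent indicators the frequencies settle near 1 − P(β=1) for DoS, P(β=1)·P(α=1) for deception and P(β=1)·(1 − P(α=1)) for no cyberattack, and the state stays bounded because the constructed plant is stable with and without the control signal.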

3.2.2 Design of the state feedback controller
The aim of this section is to propose a state feedback controller in the form of (3.5) to guarantee that the system (3.1) is δ1 , δ2 secure. Here, we will thoroughly investigate the stability analysis and observer-based design for any CPS in the shape shown in Fig. 3.2 that consists of a plant in the form of (3.1). First, we will derive a sufficient condition under which the controller (3.5) is δ1 , δ2 secure in the presence of stochastic DoS, deception, and physical attacks. Then, the design method of the desired observer-based controller is provided using the obtained conditions. Theorem 4. Given the positive scalars ⎧ ⎪ ˆ 1 Since a(1) = −λmin (− ) such that a(s0 ) = 0. So, a scalar s0 > 1 could be found such that

$$E[s_0^T V(T)] - E[V(0)] \le \frac{s_0 (1 - s_0^T)}{1 - s_0}\, \phi^2. \tag{3.41}$$

Noting that

$$E[s_0^T V(T)] \ge \lambda_{\min}(P)\, s_0^T\, E\big[\|\xi(T)\|^2\big] \ge \lambda_{\min}(P)\, s_0^T\, E\big[\|e(T)\|^2\big], \tag{3.42}$$

we have

$$E\big[\|e(T)\|^2\big] \le \frac{(s_0^T - 1)\, \phi^2}{s_0^{T-1} (s_0 - 1)\, \lambda_{\min}(P)}. \tag{3.43}$$

Referring to (3.34), it can be shown that $E\|e(T)\|^2 \le \delta_2^2$, which, from Definition 7, implies that the estimation error system (3.29) is δ1 , δ2 , δ3 secure, and so the proof of Theorem 6 is complete.

Theorem 7. Given the positive scalars δ1 , δ2 , δ3 , a positive definite matrix P, and positive scalars ε1 and ε2 , the observer-based controller (3.24) and (3.25) is δ1 , δ2 , δ3 secure if there exist controller and estimator gains (K1 , K2 , . . . , Kr ) and L satisfying the following inequalities:

≤0 φ 2 s20 λ min (P )(s0 −1)

where:

 11 ∗

with 11

⎡ −X¯ ⎢ = ⎣ ∗ ∗

where 

 1 = 3

 12 −X¯

0 ⎥ −ε2 I 0 ⎦, ∗ −ε1 I 

(3.45)

,



0

2 4

(3.44)

≤ δ32 ,

⎤  ⎢ ⎥ 12 = ⎣ B¯ T ⎦ , C¯ T ⎡

(3.46)


1

= XAT +

r 

βi (k)YiT BiT

i=1

2

= −

r 

(1 − βi (k))YiT BiT

i=1

3

= XAT +

r 

βi (k)YiT BiT

i=1

4

= XAT − Z T +

r  (1 − βi (k))YiT BiT i=1

and $K_i = Y_i X^{-1}$, $i = 1, \cdots, r$, and $L = Z X^{-1} C^{\dagger}$. Proof. ˆ in (3.31) can be rewritten as ˆ = ˆ 11 + ˆ 22 ˆ T12 , ˆ 12

with ˆ 11

⎡ −P ⎢ = ⎣ ∗ ∗

ˆ 22

= P.



0

0 ⎥ −ε2 I 0 ⎦ ∗ −ε1 I

(3.47) ⎡



¯T A ⎢ ¯T⎥ ˆ 12 = ⎣ B ⎦ C¯ T

(3.48)

So, (3.31) is formulated using Schur complements as  ˆ 11 ∗

ˆ 12 −1 ˆ 22 −



(3.49)

.

Now, defining $\bar{X} = P^{-1}$, then multiplying (3.49) from right and left by $\mathrm{diag}\{\bar{X}, I, I, I\}$ and selecting

$$\bar{X} = \begin{bmatrix} X & 0 \\ 0 & X \end{bmatrix}, \qquad Y_i^T = X K_i^T, \quad i = 1, 2, \ldots, r, \qquad Z^T = X C^T L^T,$$

(3.45) can be obtained.

3.3.2 Simulation results
The effectiveness of the proposed method presented in this chapter is shown by considering the following numerical example as shown in Fig. 3.5.


Figure 3.5 A two-area interconnected power system.

Naturally, power systems have complex and multi-variable structures. Also, they consist of many different control blocks. Most of them are nonlinear and/or nonminimum phase systems. Power systems are divided into control areas connected by tie lines. All generators are supposed to constitute a coherent group in each control area. From experiments on power systems, it can be seen that each area needs its system frequency and tie line power flow to be controlled.

Frequency control is accomplished by two different control actions in interconnected two-area power systems: primary speed control and supplementary or secondary speed control actions. The primary speed control makes the initial coarse readjustment of the frequency. By its actions, the various generators in the control area track a load variation and share it in proportion to their capacities. The speed of the response is limited only by the natural time lags of the turbine and the system itself. Depending upon the turbine type, the primary loop typically responds within 2–20 s. The supplementary speed control takes over the fine adjustment of the frequency by resetting the frequency error to zero through an integral action. The relationship between the speed and load can be adjusted by changing a load reference set-point input. In practice, the adjustment of the load reference set point is accomplished by operating the speed changer motor. The output of each unit at a given system frequency can be varied only by changing its load reference, which, in effect, moves the speed-droop characteristic up and down. This control is considerably slower and goes into action only when the primary speed control has done its job. Response time may be of the order of one minute.

The speed-governing system is used to adjust the frequency. An isochronous governor adjusts the turbine valve/gate to bring the frequency back to the nominal or scheduled value. An isochronous governor works satisfactorily when a generator is supplying an isolated load or when only one generator in a multigenerator system is required to respond to the load changes. For power and load sharing among generators connected to the system, speed regulation or droop characteristics must be provided. The speed-droop or regulation characteristic may be obtained by adding a steady state feedback loop around the integrator.

An uncontrolled two-area interconnected power system is shown in Fig. 3.5, where $f$ is the system frequency (Hz), $R_i$ is the regulation constant (Hz/per unit), $T_g$ is the speed-governor time constant (s), $T_t$ is the turbine time constant (s), and $T_p$ is the power-system time constant (s). The overall system can be modeled as a multivariable system in the form of

0

⎢ f0 ⎢− 2H1 ⎢ ⎢ 0 ⎢ ⎢ A = ⎢ 0 ⎢ f0 ⎢− 2H ⎢ 2 ⎢ 0 ⎣ ⎡

0 D1 − f2H 1

f0 2H1 − T1t1

− Tg11R1

0

0 0 0 0 0 0

0

1 Tg2



0 0 0

0 0 0 0

0 0

0 0 0

1 Tt1 − T1g1

− T1g1

0 0 0

0 0 0

−T12

0 0 0 − Tg21R1 − Tg21R2

0

0 0 0 0



⎥ ⎥ ⎥ ⎥ ⎥ ⎥ ⎥, 1 ⎥ − Tt2 ⎥ ⎥ − T1t2 ⎥ ⎦

0

⎥ ⎥ ⎥ ⎥ ⎥ ⎥, ⎥ ⎥ ⎥ ⎥ ⎦

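$$x = \begin{bmatrix} p_{tie}(t) & f_1(t) & p_{g1}(t) & x_{v1}(t) & f_2(t) & p_{g2}(t) & x_{v2}(t) \end{bmatrix}^T, \qquad U = \begin{bmatrix} p_{c1}(t) & p_{c2}(t) \end{bmatrix}^T. \tag{3.50}$$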

0

0

0

⎢0 ⎢ ⎢ ⎢0 ⎢ 1 B = ⎢ ⎢ Tg1 ⎢0 ⎢ ⎢ ⎣0

T12

The process is controlled using an observer-based controller running in a remote computer, and a wireless network is used for the communications. The communication network has four nodes, including a relay node, as illustrated in Fig. 3.5. The physical attack ($A_1$) is one in which the adversary could directly perturb the dynamics of the systems, such as the measurements of the levels in the tanks. The cyberattacks are performed through the relay node. The adversary may access and corrupt all control signals ($U_1(k)$ and $U_2(k)$) by blocking the arrival of the signal in the case of a DoS attack ($A_2$) or modifying the signal in the case of a deception attack ($A_3$). Using Yalmip, the gains of the controller and estimator (3.24) and (3.25) were obtained by applying Theorem 2 to be as follows:

K1 = − 5.0810  K2 = − 0.4143

− 3.9718 ⎤ 1.3862 −0.0862 ⎢−0.0375 1.6380 ⎥ ⎢ ⎥ = ⎢ ⎥. ⎣−0.0486 −0.4662⎦ −0.4410 −0.0623 ⎡

L

− 0.7155



0.5520 − 4.3266  − 5.2888 0.5746 (3.51)

The system model was built using Matlab®/Simulink, in which the attack function is created with $\alpha(k)$, $\beta(k)$, and $\eta_k$ selected as Bernoulli distributed white sequences with probabilities as presented in Fig. 3.3. We have considered four scenarios in this chapter to represent all possible situations in CPS, and the states of the systems were obtained for each scenario using Matlab/Simulink as follows:
1. System without attack, Figs. 3.6–3.7,
2. System under DoS and physical attacks, Figs. 3.8–3.9,
3. System under deception and physical attacks, Figs. 3.10–3.11,
4. System under DoS, deception, and physical attacks, Figs. 3.12–3.13.

As shown in Figs. 3.6–3.13, the designed observer-based controller shows stability in the states under all possible attacks.

Figure 3.6 States 1–4 of the two-area interconnected power system without any attack.

Figure 3.7 States 5–7 of the two-area interconnected power system without any attack.

Figure 3.8 States 1–4 of the two-area interconnected power system under DoS and physical attacks.

Figure 3.9 States 5–7 of the two-area interconnected power system under DoS and physical attacks.

Figure 3.10 States 1–4 of the two-area interconnected power system under deception and physical attacks.

Figure 3.11 States 5–7 of the two-area interconnected power system under deception and physical attacks.

Figure 3.12 States 1–4 of the two-area interconnected power system under DoS, deception, and physical attacks.

Figure 3.13 States 5–7 of the two-area interconnected power system under DoS, deception, and physical attacks.

3.4 Performance-degradation issues

As we have learned, cyberphysical systems (CPS) refer to the embedding of widespread sensing, networking, computation, and control into physical spaces with the goal of making the systems safer, more efficient, and reliable. Driven by the miniaturization and integration of sensing, communication, and computation in cost-effective devices, CPS are certain to transform many industries, such as aerospace, transportation, built environments, energy, health-care, and manufacturing, to name a few. However, using off-the-shelf networking and computing devices provides several opportunities for malicious entities to inject attacks on CPS. A wide variety of motivations exists for launching an attack on the CPSs, ranging from financial reasons, i.e., for monetary gain, all the way to terrorism, e.g., threatening the life of possibly an entire population by disrupting electricity and other life-critical resources. Any successful attack on safety-critical CPSs may significantly hamper the economy and even lead to the loss of human lives. While the threat of attacks on CPS tends to be underplayed at times, more recently Stuxnet [46] provided a clear sample of the possible future. Consequently, the research community has acknowledged the importance of addressing the challenge of designing secure CPS [47].

3.4.1 Preliminaries

Classical system theory-based approaches, such as robust statistics [48] and robust control [49], seek to design algorithms that can withstand certain types of failures. In addition to robust methods, Fault Detection and Isolation (FDI) has been extensively studied over recent decades [50]. The main drawback of such an approach is that the failures are usually assumed to be benign, independent, or random, while an attack could be carefully designed to exploit particular vulnerabilities of the system. Therefore, the applicability of robust and FDI techniques needs to be carefully reexamined when dealing with CPS security.

In the context of dynamical systems, research activities [51–54] demonstrate how to detect and identify malicious behaviors in consensus networks, power grids, wireless control networks, and CSs. However, in the majority of these contributions, the system model is assumed to be noiseless, which greatly favors the failure detector, since the evolution of the system is deterministic, and any deviation from the predetermined trajectory will be detected. As a consequence, in all the cited papers, the attacker can either arbitrarily perturb the system along certain directions or cannot induce any perturbation, without incurring detection. We believe that a more realistic scenario needs to account for a noisy environment. In this case, it is harder to detect malicious behavior since the adversary may inject an attack that inflicts a large perturbation on the system state, while only causing a slight increase in the detection rate.

In the sequel, we focus on developing tools to quantify the maximum perturbation that an attacker can introduce into a CS via a stealthy integrity attack on a subset of the sensors and through the injection of exogenous control inputs. The system is modeled as a stochastic linear time-invariant (LTI) system equipped with a linear filter, a linear feedback controller, and a $\chi^2$ failure detector. We formulate the attacker’s action as a constrained control problem and quantify the resilience of the CPS to such attacks using the concept of an invariant and reachable set. We further provide a recursive algorithm to compute the inner and outer approximation of the reachable set of the attacker, thus providing a computational method to quantify the maximum perturbation inflicted by a stealthy attack. This article generalizes the preliminary results in [9,55], where we consider attacks on the sensors only.

3.4.2 System description

We model the system as a linear CS that is equipped with a linear filter, a linear feedback controller, and a $\chi^2$ failure detector. We assume that the physical system follows:

$$x(k+1) = Ax(k) + Bu(k) + w(k), \tag{3.52}$$

where $x(k) \in \mathbb{R}^n$ is the vector of state variables at time $k$, $u(k) \in \mathbb{R}^p$ is the control input, $w(k) \in \mathbb{R}^n$ is the process noise at time $k$, and $x(0)$ is the initial state. Moreover, $w(k)$ and $x(0)$ are independent Gaussian random variables, and x(0) ∼ N (0, ), $w(k) \sim \mathcal{N}(0, Q)$.

A sensor network is deployed to monitor the system described in (3.52). At each step, all the sensor readings are collected and sent to a centralized estimator. The observation equation can be written as

$$y(k) = Cx(k) + v(k), \tag{3.53}$$

where $y(k) = [y_1(k), \cdots, y_m(k)]^T \in \mathbb{R}^m$ is a vector of sensor measurements, and $y_i(k)$ is the measurement made by sensor $i$ at time $k$. $v(k) \sim \mathcal{N}(0, R)$ is i.i.d. (independent, identically distributed) measurement noise, independent of $x(0)$ and $w(k)$. A linear filter is used to compute the state estimate $\hat{x}(k)$ from the observations $y(k)$:

$$\hat{x}(k+1) = A\hat{x}(k) + Bu(k) + K\left[y(k+1) - C\left(A\hat{x}(k) + Bu(k)\right)\right]. \tag{3.54}$$

Define the residue $z(k)$ and the estimation error $e(k)$ at time $k$ as

$$z(k) = y(k) - C\left(A\hat{x}(k) + Bu(k)\right), \qquad e(k) = x(k) - \hat{x}(k). \tag{3.55}$$

We assume that an LTI feedback controller is used to stabilize the system, which takes the following form:

$$u(k) = L\hat{x}(k). \tag{3.56}$$

It is well-known that the closed-loop system is stable if and only if both $A - KCA$ and $A + BL$ are stable [56]. For the rest of the discussion, we focus only on systems that are closed-loop stable and in steady state. Consider the CPS consisting of the physical system, the linear filter, and controller. We can immediately identify $x(k)$ as the “physical” state and $\hat{x}(k)$ as the “cyber” state. Thus, we define the state of the system $\tilde{x}(k)$ as

$$\tilde{x}(k) = \begin{bmatrix} x(k) \\ e(k) \end{bmatrix} = \begin{bmatrix} I_n & 0 \\ I_n & -I_n \end{bmatrix} \begin{bmatrix} x(k) \\ \hat{x}(k) \end{bmatrix} \in \mathbb{R}^{2n}. \tag{3.57}$$

3.4.3 $\chi^2$ failure detector

Failure detectors are often used to detect anomalous operations. We assume that a $\chi^2$ failure detector [57,58] is deployed that computes the following quantity:

$$g(k) = z(k)^T P_z^{-1} z(k), \tag{3.58}$$

where $P_z$ is the covariance matrix of the residue $z(k)$ and is a constant matrix since we assume the system is in steady state. Define $P_z^{-1/2}$ to be a symmetric matrix such that $P_z^{-1/2} \times P_z^{-1/2} = P_z^{-1}$. Thus, (3.58) can be rewritten as $g(k) = \|P_z^{-1/2} z(k)\|^2$. Since $z(k)$ is Gaussian distributed [57], $g(k)$ is $\chi^2$ distributed with $m$ degrees of freedom. The $\chi^2$ failure detector compares $g(k)$ with a threshold $\eta$ and triggers an alarm if $g(k)$ is greater than $\eta$. Let us define the probability of triggering an alarm at time $k$ as

$$\beta(k) \triangleq P(g(k) \ge \eta). \tag{3.59}$$

When the system is operating normally, $\beta(k)$ is a constant defined as the false-alarm rate $\alpha$. In common practice, $\alpha$ is small since false alarms tend to increase the operation cost.

3.4.4 Threat model

In this section, we describe the integrity attack model on the CPS. We assume that an adversary has the following capabilities:

1. The adversary knows the static parameters of the system matrices, namely, $A$, $B$, $C$, $K$, $L$, $Q$, $R$;

2. The adversary compromises a subset $\{i_1, \cdots, i_l\} \subseteq \{1, \cdots, m\}$ of sensors. The adversary can add arbitrary bias to the readings of the compromised sensors. Define the sensor selection matrix  as   $[e_{i_1}, \cdots, e_{i_l}] \in \mathbb{R}^{m \times l}$, (3.60)

where $e_i$ is the $i$th vector of the canonical basis of $\mathbb{R}^m$. Further, define the bias injected by the attacker $y^a(k) \in \mathbb{R}^l$ as $y^a(k) \triangleq [y^a_{i_1}(k), \cdots, y^a_{i_l}(k)]^T$, where $y^a_i(k)$ indicates the injected bias on sensor $i$ at time $k$. Thus, the modified reading received by the estimator can be written as

y(k) = Cx(k) +  ya (k) + v(k) ; (3.61)

3. The adversary can inject external control inputs to the system. As a result, the system equation becomes

$$x(k+1) = Ax(k) + Bu(k) + B^a u^a(k) + w(k), \tag{3.62}$$

where $B^a \in \mathbb{R}^{n \times q}$ characterizes the direction of control inputs the attacker can inject to the system;

4. Without loss of generality, we assume that the injection of control inputs starts at time 0, and the manipulation of sensor measurements starts at time 1. In other words, $u^a(k) = 0$ for all $k \le -1$, and $y^a(k) = 0$ for all $k \le 0$.

To simplify notations, let us define the following matrices:

 ˜  A

A + BL −BL ∈ R2n×2n 0 A − KCA 



B˜ 

(3.63)

Ba 0 ∈ R2n(q+l) a B − KCBa −K 

C˜  Pz−1/2 [0 CA] ∈ Rm×2n ˜  Pz−1/2 [CBa ] ∈ Rm(q+l) D

(3.64)

and the attacker’s input $\zeta(k)$ at time $k$ as

$$\zeta(k) \triangleq \begin{bmatrix} u^a(k) \\ y^a(k+1) \end{bmatrix}.$$

Since the system is linear, the cyberphysical state $\tilde{x}(k)$ can be seen as the sum of two signals: $\tilde{x}^n(k)$, the state generated by noise, and $\tilde{x}^c(k)$, the state generated by the attacker’s action. Similarly, the residue vector $z(k)$ can be seen as the sum of $z^c(k)$ and $z^n(k)$. One can verify that

$$\tilde{x}^c(k+1) = \tilde{A}\tilde{x}^c(k) + \tilde{B}\zeta(k), \qquad P_z^{-1/2} z^c(k+1) = \tilde{C}\tilde{x}^c(k) + \tilde{D}\zeta(k), \tag{3.65}$$

$$\tilde{x}^n(k+1) = \tilde{A}\tilde{x}^n(k) + \begin{bmatrix} I & 0 \\ I - KC & -K \end{bmatrix} \begin{bmatrix} w(k) \\ v(k+1) \end{bmatrix}, \qquad P_z^{-1/2} z^n(k+1) = \tilde{C}\tilde{x}^n(k) + P_z^{-1/2} \begin{bmatrix} C & I_m \end{bmatrix} \begin{bmatrix} w(k) \\ v(k+1) \end{bmatrix}. \tag{3.66}$$

We further define the attacker’s action $\zeta^\infty \triangleq (\zeta(0), \zeta(1), \cdots)$ as an infinite sequence of $\zeta(k)$s, that is, if the attack stops at time $T$, then $\zeta(k) = 0$ for all $k > T$. It is clear that $\tilde{x}^c(k)$ and $z^c(k)$ are functions of $\zeta^\infty$. Thus, we can write them as $\tilde{x}^c(k, \zeta^\infty)$ and $z^c(k, \zeta^\infty)$, respectively. For simplicity, we will omit $\zeta^\infty$ when there is no confusion. Our goal is to characterize the evolution of the state $\tilde{x}(k)$ during the integrity attack. It is easy to verify that $\tilde{x}^n(k)$ is a stationary Gaussian process, which has the same statistics as $\tilde{x}(k)$ in the absence of the attacker. Consequently, we focus on $\tilde{x}^c(k)$, i.e., the state generated by the attacker’s action.

Obviously, without any constraint on the attacker’s action, the reachable region of $\tilde{x}^c(k)$ is the reachable subspace of $(\tilde{A}, \tilde{B})$. However, if the adversary does not design its input $\zeta(k)$ cautiously, an alarm may be triggered, and the attack may be stopped by the system operator before the attacker achieves the goal. As a result, we restrict our attention to “stealthy” attacks. In this technical note, we assume that attackers constrain their action $\zeta^\infty$ to satisfy the following inequality:

$$\forall k = 0, 1, \cdots, \quad \|P_z^{-1/2} z^c(k+1)\| = \|\tilde{C}\tilde{x}^c(k) + \tilde{D}\zeta(k)\| \le \delta, \tag{3.67}$$

where $\delta$ is a design parameter of the attacker. Since $z(k) = z^c(k) + z^n(k)$ and $z^n(k)$ has the same distribution as $z(k)$ in the absence of the attack, the adversary can make $z(k)$ very similar to the “nominal” $z(k)$ by assuring that $z^c(k)$ is small. In other words, the failure detector can hardly distinguish a system that is under attack from a “healthy” system. Such an observation is formalized by the following theorem:

Theorem 8. For any $\delta \in (0, \sqrt{\eta})$, if (3.67) holds for all $k$, then



m !!−1 m ( η − δ)2 β(k) ≤   , 2 2 2

#

(3.68)

,

$

where (s, x)  x∞ ts−1 e−t dt is the upper incomplete gamma function and (s)  (s, 0) is the gamma function. Furthermore, "

lim+ 

δ→0



#

m !!−1 m ( η − δ)2 =α.  , 2 2 2

(3.69)

Proof. By the triangle inequality, we know that

$$g(k) = \|P_z^{-1/2} z^n(k) + P_z^{-1/2} z^c(k)\|^2 \le \left(\|P_z^{-1/2} z^n(k)\| + \|P_z^{-1/2} z^c(k)\|\right)^2.$$



Hence, g(k) ≤ η when ||Pz−1/2 zn (k)|| ≤ η − δ , which implies that  √ β(k) ≤ P ||Pz−1/2 zn (k)|| + ( η − δ)2 .

(3.70)

By the properties of $\chi^2$ distribution [59], the RHS of (3.70) equals the RHS of (3.68). Furthermore, (s, x) is continuous with respect to $x$ by its definition, and hence (3.69) holds.

Remark 14. Notice that by (3.69), the adversary can make the increase in $\beta(k)$ arbitrarily small by choosing the right $\delta$. This is in sharp contrast to the deterministic case discussed in [51–54], where the probability of alarm is either 0 or 1.

As a consequence of (3.67), we can model the attacker’s strategy as a constrained control problem, where the system equation is given by

$$\tilde{x}^c(k+1) = \tilde{A}\tilde{x}^c(k) + \tilde{B}\zeta(k), \tag{3.71}$$

and the constraint is as follows:

$$\|\tilde{C}\tilde{x}^c(k) + \tilde{D}\zeta(k)\| \le \delta, \quad \forall k = 0, 1, \cdots \tag{3.72}$$

Our goal is to compute the reachable region of the state $\tilde{x}^c(k)$, which indicates the resilience of the system against integrity attacks. Due to the linearity of the system, we assume, without loss of generality, that $\delta = 1$ for the rest of the technical note, leading to the following definitions:

Definition 8. The attacker’s action $\zeta^\infty$ is called feasible if (3.67) holds for all $k$ and $\delta = 1$.

Definition 9. The reachable region $\mathcal{R}_k$ of $\tilde{x}^c(k)$ is defined as

$$\mathcal{R}_k \triangleq \{\tilde{x}^c \in \mathbb{R}^{2n} : \tilde{x}^c = \tilde{x}^c(k, \zeta^\infty), \text{ for some feasible } \zeta^\infty\}. \tag{3.73}$$

The union of all $\mathcal{R}_k$ is defined as

$$\mathcal{R} \triangleq \bigcup_{k=0}^{\infty} \mathcal{R}_k. \tag{3.74}$$

Thus, $\mathcal{R}$ indicates all possible biases that an attacker can inflict on the system.

Remark 15. For a noiseless system model considered in [51–54], the adversary has to enforce that (3.67) holds for $\delta = 0$ to avoid being detected because even a small deviation from the nominal behavior of the system will result in an alarm. However, as was illustrated previously, it is entirely possible that the attacker, although he or she cannot inject anything when enforcing $\delta = 0$, can inflict a large perturbation on the system with a small $\delta$, which is hardly detectable in a noisy system. In [51–54], such an attack with a nonzero $\delta$ would be considered as a failed attack for the deterministic settings. In this technical note, $\mathcal{R}$ is used to quantify the performance degradation of a noisy system under the attack. In what follows, we consider the problem of computing the reachable set $\mathcal{R}_k$ and $\mathcal{R}$.
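The trade-off in Theorem 8 and Remarks 14 and 15 can be checked numerically when choosing the detector threshold. The following Python code is an added example, not taken from the book: it implements the $\chi^2$ detector of (3.58) and (3.59), derives $\eta$ from a target false-alarm rate, and compares the measured alarm rate under a residue bias of whitened norm $\delta$ with the bound that follows from the triangle-inequality argument in the proof of Theorem 8, namely the $\chi^2_m$ tail probability at $(\sqrt{\eta} - \delta)^2$. The function names, the covariance `PZ`, and the rate `ALPHA` are assumptions of this example (constructed values).

```python
import math
import random


def chi2_sf(x, m):
    """P(X >= x) for X ~ chi-square with m degrees of freedom (integer m >= 1)."""
    if x <= 0.0:
        return 1.0
    y = x / 2.0
    if m % 2 == 0:
        a, q = 1.0, math.exp(-y)               # Q(1, y) = exp(-y)
    else:
        a, q = 0.5, math.erfc(math.sqrt(y))    # Q(1/2, y) = erfc(sqrt(y))
    # Recurrence Q(a + 1, y) = Q(a, y) + y^a * exp(-y) / Gamma(a + 1)
    while a < m / 2.0:
        q += math.exp(a * math.log(y) - y - math.lgamma(a + 1.0))
        a += 1.0
    return q


def threshold_for(alpha, m):
    """Detector threshold eta with P(g >= eta) = alpha under normal operation."""
    lo, hi = 0.0, 1.0
    while chi2_sf(hi, m) > alpha:
        hi *= 2.0
    for _ in range(200):                       # bisection on the monotone tail
        mid = 0.5 * (lo + hi)
        if chi2_sf(mid, m) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def stealth_alarm_bound(eta, delta, m):
    """Bound on the alarm probability when ||Pz^{-1/2} z^c|| <= delta < sqrt(eta)."""
    if not 0.0 <= delta < math.sqrt(eta):
        raise ValueError("delta must lie in [0, sqrt(eta))")
    return chi2_sf((math.sqrt(eta) - delta) ** 2, m)


def cholesky(P):
    """Lower-triangular factor F with F F^T = P (P symmetric positive definite)."""
    n = len(P)
    F = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = P[i][j] - sum(F[i][k] * F[j][k] for k in range(j))
            if i == j:
                if s <= 0.0:
                    raise ValueError("P_z must be positive definite")
                F[i][j] = math.sqrt(s)
            else:
                F[i][j] = s / F[j][j]
    return F


def detector_statistic(z, F):
    """g = z^T Pz^{-1} z, via forward substitution F u = z so that g = ||u||^2."""
    u = []
    for i, zi in enumerate(z):
        u.append((zi - sum(F[i][k] * u[k] for k in range(i))) / F[i][i])
    return sum(v * v for v in u)


def alarm_rate(Pz, eta, direction=None, delta=0.0, trials=50_000, seed=7):
    """Monte Carlo alarm rate; optional constant residue bias of whitened norm delta."""
    rng = random.Random(seed)
    F = cholesky(Pz)
    m = len(Pz)
    bias = [0.0] * m
    if direction is not None and delta > 0.0:
        norm = math.sqrt(sum(d * d for d in direction))
        unit = [d / norm for d in direction]
        # z^c = delta * F * unit, hence (z^c)^T Pz^{-1} z^c = delta^2
        bias = [delta * sum(F[i][k] * unit[k] for k in range(i + 1)) for i in range(m)]
    alarms = 0
    for _ in range(trials):
        white = [rng.gauss(0.0, 1.0) for _ in range(m)]
        z = [sum(F[i][k] * white[k] for k in range(i + 1)) + bias[i] for i in range(m)]
        if detector_statistic(z, F) >= eta:
            alarms += 1
    return alarms / trials


# Constructed residue covariance for m = 2 sensors (not taken from the chapter).
PZ = [[2.0, 0.3], [0.3, 1.5]]
ALPHA = 0.05                                   # assumed target false-alarm rate

if __name__ == "__main__":
    eta = threshold_for(ALPHA, len(PZ))
    print(f"eta = {eta:.4f}")
    for delta in (0.0, 0.1, 0.5, 1.0):
        rate = alarm_rate(PZ, eta, direction=[0.0, 1.0], delta=delta)
        bound = stealth_alarm_bound(eta, delta, len(PZ))
        print(f"delta={delta:.1f}  empirical beta={rate:.4f}  bound={bound:.4f}")
```

Tabulating the bound for the thresholds under consideration shows which residue bias magnitudes stay close to the nominal false-alarm rate and therefore need a complementary check beyond the $\chi^2$ test.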

3.4.5 Recursive version of $\mathcal{R}_k$

First, we need to introduce the concepts of reach set and one-step set:

Definition 10. Define the reach set $\mathrm{Rch}(\mathcal{S})$ of set $\mathcal{S} \subseteq \mathbb{R}^{2n}$ to be

$$\mathrm{Rch}(\mathcal{S}) = \left\{\tilde{x}^+ \in \mathbb{R}^{2n} : \exists \zeta \in \mathbb{R}^{p+l},\ \tilde{x}^c \in \mathcal{S},\ \text{s.t. } \tilde{A}\tilde{x}^c + \tilde{B}\zeta = \tilde{x}^+,\ \|\tilde{C}\tilde{x}^c + \tilde{D}\zeta\| \le 1\right\}. \tag{3.75}$$

Definition 11. Define the one-step set $\mathrm{Pre}(\mathcal{S})$ of set $\mathcal{S} \subseteq \mathbb{R}^{2n}$ to be

$$\mathrm{Pre}(\mathcal{S}) = \left\{\tilde{x}^c \in \mathbb{R}^{2n} : \exists \zeta \in \mathbb{R}^{p+l},\ \text{s.t. } \tilde{A}\tilde{x}^c + \tilde{B}\zeta \in \mathcal{S},\ \|\tilde{C}\tilde{x}^c + \tilde{D}\zeta\| \le 1\right\}. \tag{3.76}$$

Remark 16. The reach set of $\mathcal{S}$ indicates all the states $\tilde{x}^c(k+1)$ that can be reached with a one-step admissible attacker’s input $\zeta(k)$ when the current state $\tilde{x}^c(k)$ is in $\mathcal{S}$. On the other hand, the one-step set of $\mathcal{S}$ indicates all the previous states $\tilde{x}^c(k-1)$ that can be driven into $\mathcal{S}$ with a one-step admissible $\zeta(k-1)$.

Initially, it seems that $\mathcal{R}_k$ can be recursively defined as $\mathcal{R}_{k+1} = \mathrm{Rch}(\mathcal{R}_k)$. However, the reach set only guarantees that $\|\tilde{C}\tilde{x}^c(k) + \tilde{D}\zeta(k)\| \le 1$ for the current $k$, not for the future $k$s. To define $\mathcal{R}_k$ recursively, we need to introduce the concept of a controlled invariant set.

Definition 12. A set $\mathcal{C} \subseteq \mathbb{R}^{2n}$ is called controlled invariant if, for all $\tilde{x}^c \in \mathcal{C}$, there exists a $\zeta$ such that the following inequalities hold:

$$\tilde{A}\tilde{x}^c + \tilde{B}\zeta \in \mathcal{C}, \qquad \|\tilde{C}\tilde{x}^c + \tilde{D}\zeta\| \le 1. \tag{3.77}$$

In the case that the current state $\tilde{x}^c(k)$ belongs to $\mathcal{C}$, then the attacker can always use an admissible $\zeta(k)$ to ensure that the next state $\tilde{x}^c(k+1)$ and hence all the future states will be in $\mathcal{C}$. The following proposition characterizes several important properties of the reach set, the one-step set, and the controlled invariant set:

Remark 17. Notice that Proposition 4 in [61] cannot be used to prove the last statement of Proposition 1 since it requires compactness, which may not hold in our case.

A recursive definition of $\mathcal{R}_k$ is now provided.

Theorem 9. $\mathcal{R}$ is controlled invariant, and hence $\mathcal{R} \subseteq \mathcal{C}_\infty$. Furthermore, $\mathcal{R}_k$ satisfies the following recursive equation:

$$\mathcal{R}_{k+1} = \mathrm{Rch}(\mathcal{R}_k) \cap \mathcal{C}_\infty, \quad \text{with } \mathcal{R}_0 = \{0\}. \tag{3.78}$$

Proof. First, we need to prove that $\mathcal{R}$ is controlled invariant. By definition, for any $\tilde{x}^c \in \mathcal{R}$, there exists $k$ and a feasible $\zeta^\infty$, such that $\tilde{x}^c = \tilde{x}^c(k, \zeta^\infty)$. As a result, $\zeta(k)$ is the admissible control input to ensure that (3.77) holds, which implies that $\mathcal{R}$ is controlled invariant. Thus, $\mathcal{R} \subseteq \mathcal{C}_\infty$ due to the maximality of $\mathcal{C}_\infty$.

We now prove (3.78) by induction. Since the attack starts at time 0, $\mathcal{R}_0 = \{0\}$. Now assume that (3.78) holds for $k$. From the definition of $\mathcal{R}_{k+1}$, and the fact that $\mathcal{R}_{k+1} \subseteq \mathcal{R} \subseteq \mathcal{C}_\infty$, it is trivial to prove that $\mathcal{R}_{k+1} \subseteq \mathrm{Rch}(\mathcal{R}_k) \cap \mathcal{C}_\infty$. Therefore, we only need to prove the opposite side of the set inclusion, i.e., for all $\tilde{x}^c \in \mathrm{Rch}(\mathcal{R}_k) \cap \mathcal{C}_\infty$, there exists a feasible $\zeta^\infty$ that drives state $\tilde{x}^c(k+1, \zeta^\infty)$ at time $k+1$ to $\tilde{x}^c$. We construct such $\zeta^\infty$ in three steps:

1. By the fact that $\tilde{x}^c \in \mathrm{Rch}(\mathcal{R}_k)$, we know that there exists an $\tilde{x}^c(k) \in \mathcal{R}_k$ and $\zeta(k)$, such that

$$\tilde{x}^c = \tilde{A}\tilde{x}^c(k) + \tilde{B}\zeta(k), \qquad \|\tilde{C}\tilde{x}^c(k) + \tilde{D}\zeta(k)\| \le 1;$$

2. Since $\tilde{x}^c(k) \in \mathcal{R}_k$, by the induction assumption, we know that there exist $\zeta(0), \cdots, \zeta(k-1)$ and $\tilde{x}^c(0) = 0, \cdots, \tilde{x}^c(k-1)$, such that for all $t = 0, \cdots, k-1$:

$$\tilde{x}^c(t+1) = \tilde{A}\tilde{x}^c(t) + \tilde{B}\zeta(t), \qquad \|\tilde{C}\tilde{x}^c(t) + \tilde{D}\zeta(t)\| \le 1;$$

3. Since $\tilde{x}^c \in \mathcal{C}_\infty$, one can find an admissible control $\zeta(k+1)$, such that (3.77) holds. Now, since $\tilde{x}^c(k+2) = \tilde{A}\tilde{x}^c + \tilde{B}\zeta(k+1)$ also belongs to $\mathcal{C}_\infty$, we can repeat this procedure to find $\zeta(k+2), \zeta(k+3), \cdots$ to ensure (3.77) holds for all $k$.

Therefore, $\zeta^\infty = (\zeta(0), \cdots, \zeta(k), \cdots)$ is the required feasible sequence, which concludes the proof.

Proposition 1 and Theorem 9 enable the computation of $\mathcal{C}_k$ and $\mathcal{R}_k$ by recursively applying the operator Pre and Rch. However, computing the exact shapes of these sets is numerically intractable as $k$ goes to infinity. One standard technique to attack this problem is to compute the inner and outer approximations of $\mathcal{C}_k$ and $\mathcal{R}_k$, using ellipsoids or polytopes. In this technical note, we use an ellipsoidal approximation procedure similar to the one proposed in [62]. The detailed approach is presented in the next section.

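3.4.6 Ellipsoidal approximation of $\mathcal{R}_k$

This section is devoted to constructing an ellipsoidal inner and outer approximation of $\mathcal{C}_k$ and $\mathcal{R}_k$. To this end, let us assume that $\mathcal{C}_k$ and $\mathcal{R}_k$ are approximated by the following ellipsoids:

$$\mathcal{E}_{2n}(C^{in}(k)) \subseteq \mathcal{C}_k \subseteq \mathcal{E}_{2n}(C^{out}(k)), \qquad \mathcal{E}_{2n}(R^{in}(k)) \subseteq \mathcal{R}_k \subseteq \mathcal{E}_{2n}(R^{out}(k)), \tag{3.79}$$

where $C^{in}(k), C^{out}(k), R^{in}(k), R^{out}(k) \in \mathbb{S}^{2n}_+$, and $\mathcal{E}_{2n}(S)$ is defined as the following $2n$ dimensional ellipsoid:

$$\mathcal{E}_{2n}(S) = \left\{\tilde{x}^c \in \mathbb{R}^{2n} : (\tilde{x}^c)^T S \tilde{x}^c \le 1\right\}. \tag{3.80}$$

To compute $\mathcal{C}_k$ and $\mathcal{R}_k$, we focus on the ellipsoidal inner and outer approximations of set intersection and the operators Pre and Rch, which are provided by the following proposition and theorem.

Proposition 2. Letting $S_1, S_2 \in \mathbb{R}^{2n}$ be positive semidefinite, then the following set inclusions hold:

$$\mathcal{E}_{2n}(S_1 + S_2) \subseteq \mathcal{E}_{2n}(S_1) \cap \mathcal{E}_{2n}(S_2) \subseteq \mathcal{E}_{2n}(S_1/2 + S_2/2). \tag{3.81}$$

Theorem 10. Let $S \in \mathbb{R}^{2n \times 2n}$ be a positive semidefinite matrix. Then the following set inclusions hold:

$$\mathcal{E}_{2n}(S_p^{in}) \subseteq \mathrm{Pre}(\mathcal{E}_{2n}(S)) \subseteq \mathcal{E}_{2n}(S_p^{out}), \tag{3.82}$$

$$\mathcal{E}_{2n}(S_r^{in}) \subseteq \mathrm{Rch}(\mathcal{E}_{2n}(S)) \subseteq \mathcal{E}_{2n}(S_r^{out}), \tag{3.83}$$

where

$$S_p^{in} = f(S), \qquad S_p^{out} = \frac{f(S)}{2}, \tag{3.84}$$

$$S_r^{in} = h(S), \qquad S_r^{out} = \frac{h(S)}{2}, \tag{3.85}$$

and $f(S)$, $h(S)$ are defined as the following Riccati equations:

$$f(S) = \tilde{A}^T S \tilde{A} + \tilde{C}^T \tilde{C} - (\tilde{A}^T S \tilde{B} + \tilde{C}^T \tilde{D})(\tilde{B}^T S \tilde{B} + \tilde{D}^T \tilde{D})^{+}(\tilde{B}^T S \tilde{A} + \tilde{D}^T \tilde{C}),$$

$$h(S) = \hat{A}^T S \hat{A} + \hat{C}^T \hat{C} - (\hat{A}^T S \hat{B} + \hat{C}^T \hat{D})(\hat{B}^T S \hat{B} + \hat{D}^T \hat{D})^{+}(\hat{B}^T S \hat{A} + \hat{D}^T \hat{C}).$$

The matrices $\hat{A} \in \mathbb{R}^{2n \times 2n}$, $\hat{B} \in \mathbb{R}^{2n \times (q+l+2n)}$, $\hat{C} \in \mathbb{R}^{m \times 2n}$, $\hat{D} \in \mathbb{R}^{m \times (q+l+2n)}$ are defined as

$$\hat{A} = \tilde{A}^{+}, \qquad \hat{B} = [-\tilde{A}^{+}\tilde{B},\ I_{2n} - \tilde{A}^{+}\tilde{A}], \qquad \hat{C} = \tilde{C}\tilde{A}^{+}, \qquad \hat{D} = [\tilde{D} - \tilde{C}\tilde{A}^{+}\tilde{B},\ \tilde{C} - \tilde{C}\tilde{A}^{+}\tilde{A}]. \tag{3.86}$$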

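Proof of Theorem 10

We first prove (3.84). Consider the augmented set $\mathcal{S}_a \subseteq \mathbb{R}^{2n+q+l}$ of both the state $\tilde{x}^c$ and attacker’s action $\zeta$:

$$\mathcal{S}_a = \left\{ \begin{bmatrix} \tilde{x}^c \\ \zeta \end{bmatrix} : \tilde{A}\tilde{x}^c + \tilde{B}\zeta \in \mathcal{E}_{2n}(S),\ \|\tilde{C}\tilde{x}^c + \tilde{D}\zeta\| \le 1 \right\}.$$

It is easy to see that $\tilde{A}\tilde{x}^c + \tilde{B}\zeta \in \mathcal{E}_{2n}(S)$ is equivalent to the following inequality:

$$\begin{bmatrix} \tilde{x}^c \\ \zeta \end{bmatrix}^T \begin{bmatrix} \tilde{A}^T S \tilde{A} & \tilde{A}^T S \tilde{B} \\ \tilde{B}^T S \tilde{A} & \tilde{B}^T S \tilde{B} \end{bmatrix} \begin{bmatrix} \tilde{x}^c \\ \zeta \end{bmatrix} \le 1.$$

Moreover, $\|\tilde{C}\tilde{x}^c + \tilde{D}\zeta\| \le 1$ is equivalent to

$$\begin{bmatrix} \tilde{x}^c \\ \zeta \end{bmatrix}^T \begin{bmatrix} \tilde{C}^T \tilde{C} & \tilde{C}^T \tilde{D} \\ \tilde{D}^T \tilde{C} & \tilde{D}^T \tilde{D} \end{bmatrix} \begin{bmatrix} \tilde{x}^c \\ \zeta \end{bmatrix} \le 1.$$

Therefore, the augmented set $\mathcal{S}_a$ is the intersection of the following two $2n + q + l$ dimension ellipsoids:

$$\mathcal{S}_a = \mathcal{E}_{2n+q+l}\left( \begin{bmatrix} \tilde{A}^T S \tilde{A} & \tilde{A}^T S \tilde{B} \\ \tilde{B}^T S \tilde{A} & \tilde{B}^T S \tilde{B} \end{bmatrix} \right) \cap \mathcal{E}_{2n+q+l}\left( \begin{bmatrix} \tilde{C}^T \tilde{C} & \tilde{C}^T \tilde{D} \\ \tilde{D}^T \tilde{C} & \tilde{D}^T \tilde{D} \end{bmatrix} \right). \tag{3.87}$$

Thus, by Proposition 2,

$$\mathcal{E}_{2n+q+l}(S_a^{in}) \subseteq \mathcal{S}_a \subseteq \mathcal{E}_{2n+q+l}(S_a^{out}),$$

where

$$S_a^{in} = \begin{bmatrix} \tilde{A}^T S \tilde{A} & \tilde{A}^T S \tilde{B} \\ \tilde{B}^T S \tilde{A} & \tilde{B}^T S \tilde{B} \end{bmatrix} + \begin{bmatrix} \tilde{C}^T \tilde{C} & \tilde{C}^T \tilde{D} \\ \tilde{D}^T \tilde{C} & \tilde{D}^T \tilde{D} \end{bmatrix}, \qquad S_a^{out} = \frac{S_a^{in}}{2}.$$

Using the Schur complement, we can project the two high-dimensional ellipsoids from $\mathbb{R}^{2n+q+l}$ back to $\mathbb{R}^{2n}$ to obtain (3.84).

We now prove (3.85). From the definition of Rch, for any $\tilde{x}^c \in \mathrm{Rch}(\mathcal{E}_{2n}(S))$, there exist $\tilde{x}^- \in \mathcal{E}_{2n}(S)$ and $\zeta$, such that

$$\tilde{x}^c = \tilde{A}\tilde{x}^- + \tilde{B}\zeta, \tag{3.88}$$

$$\|\tilde{C}\tilde{x}^- + \tilde{D}\zeta\| \le 1. \tag{3.89}$$

By the properties of the pseudoinverse, we know that $I_{2n} - \tilde{A}^{+}\tilde{A}$ is a projection from $\mathbb{R}^{2n}$ onto the kernel of $A$. Thus, (3.88) can be written as

$$\tilde{x}^- = \tilde{A}^{+}\tilde{x}^c - \tilde{A}^{+}\tilde{B}\zeta + (I_{2n} - \tilde{A}^{+}\tilde{A})\tilde{x}_0,$$

where $\tilde{x}_0 \in \mathbb{R}^{2n}$ is an arbitrary vector. Since $\tilde{x}^- \in \mathcal{E}_{2n}(S)$, we know that

$$\tilde{A}^{+}\tilde{x}^c - \tilde{A}^{+}\tilde{B}\zeta + (I_{2n} - \tilde{A}^{+}\tilde{A})\tilde{x}_0 \in \mathcal{E}_{2n}(S). \tag{3.90}$$

Furthermore, (3.89) can be written as

$$\|\tilde{C}\tilde{A}^{+}\tilde{x}^c + (\tilde{D} - \tilde{C}\tilde{A}^{+}\tilde{B})\zeta + (\tilde{C} - \tilde{C}\tilde{A}^{+}\tilde{A})\tilde{x}_0\| \le 1. \tag{3.91}$$

By the same argument as the proof of Theorem 10, we can obtain (3.85).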

The monotonicity of the $f$ and $h$ function is proved in the following theorem.

Theorem 11. For any $X \ge Y \ge 0$, $f(X) \ge f(Y)$, $h(X) \ge h(Y)$.

Proof. Let

$$X_a = \begin{bmatrix} \tilde{A}^T X \tilde{A} & \tilde{A}^T X \tilde{B} \\ \tilde{B}^T X \tilde{A} & \tilde{B}^T X \tilde{B} \end{bmatrix} + \begin{bmatrix} \tilde{C}^T \tilde{C} & \tilde{C}^T \tilde{D} \\ \tilde{D}^T \tilde{C} & \tilde{D}^T \tilde{D} \end{bmatrix}, \qquad Y_a = \begin{bmatrix} \tilde{A}^T Y \tilde{A} & \tilde{A}^T Y \tilde{B} \\ \tilde{B}^T Y \tilde{A} & \tilde{B}^T Y \tilde{B} \end{bmatrix} + \begin{bmatrix} \tilde{C}^T \tilde{C} & \tilde{C}^T \tilde{D} \\ \tilde{D}^T \tilde{C} & \tilde{D}^T \tilde{D} \end{bmatrix}.$$

Clearly $X_a \ge Y_a$, which implies that $\mathcal{E}_{2n+q+l}(X_a) \subseteq \mathcal{E}_{2n+q+l}(Y_a)$. Define a projection matrix $M$ as

$$M = \begin{bmatrix} I_{2n} & 0_{2n \times (q+l)} \end{bmatrix} \in \mathbb{R}^{2n \times (2n+q+l)},$$

which implies that $f(X) \ge f(Y)$. Similarly, one can prove that $h(X) \ge h(Y)$.

We are now ready to describe a recursive algorithm to compute the ellipsoidal approximations $C^{in}(k)$, $C^{out}(k)$, $R^{in}(k)$, $R^{out}(k)$. By Theorem 10, we know that $C^{in}(k)$, $C^{out}(k)$ can be evaluated recursively as

$$C^{in}(k+1) = f\left(C^{in}(k)\right), \qquad C^{out}(k+1) = \frac{f\left(C^{out}(k)\right)}{2}. \tag{3.92}$$

Since $C^{in}(1) \ge C^{out}(1) \ge C^{in}(0) = C^{out}(0) = 0$, it is easy to prove by induction that $\{C^{in}(k)\}$ and $\{C^{out}(k)\}$ are monotonically increasing and hence the limits for both sequences exist. Let us denote the limits as $C^{in}_\infty$ and $C^{out}_\infty$, respectively. Hence, $R^{in}(k)$ and $R^{out}(k)$ can be computed recursively as

$$R^{in}(k+1) = h\left(R^{in}(k)\right) + C^{in}_\infty, \qquad R^{out}(k+1) = h\left(R^{out}(k)\right)/2 + C^{out}_\infty/2. \tag{3.93}$$

Remark 18. It is worth noticing that, other than the ellipsoidal approximation techniques [62], algorithms such as polyhedral approximation [63] can also be adopted to compute $\mathcal{R}$.

In the following, we recall some basic results.

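Proposition 3. Let $\mathcal{S} \subseteq \mathbb{R}^n$ be a closed, convex, and symmetric set. Then $\mathcal{S}$ can be decomposed as

$$\mathcal{S} = \mathcal{K} + \mathcal{V},$$

where $\mathcal{V}$ is a subspace of $\mathbb{R}^m$ and $\mathcal{K}$ is a compact, convex, and symmetric set, which is orthogonal to $\mathcal{V}$.

Proof. The proposition can be proved using Corollary 2.1 in [64].

Proposition 4. The following statements are true.
1. Letting $\mathcal{K} \subset \mathbb{R}^n$ be a compact (closed and bounded) set and $\mathcal{S}_0 \subseteq \mathbb{R}^n$ be a closed set, then $\mathcal{S} = \mathcal{K} + \mathcal{S}_0$ is a closed set; and
2. Letting $\mathcal{K} \subset \mathbb{R}^n$ be a compact set and $f$ be a continuous function, then $f(\mathcal{K})$ is also compact.

Proof. The proof can be found in [64].

Lemma 4. Letting $\mathcal{S} \in \mathbb{R}^n$ be a closed, convex, and symmetric set, then

$$\mathrm{Pre}(\mathcal{S}) = \left\{\tilde{x}^c \in \mathbb{R}^{2n} : \exists \zeta,\ \text{s.t. } \tilde{A}\tilde{x}^c + \tilde{B}\zeta \in \mathcal{S},\ \|\tilde{C}\tilde{x}^c + \tilde{D}\zeta\| \le 1\right\}$$

is also closed, convex, and symmetric.

Proof. One can verify that $\mathrm{Pre}(\mathcal{S})$ is convex and symmetric. Hence, we only need to prove that $\mathrm{Pre}(\mathcal{S})$ is closed. To this end, define

$$\mathcal{S}_a = \left\{ \begin{bmatrix} \tilde{x}^c \\ \zeta \end{bmatrix} \in \mathbb{R}^{2n+q+l} : \tilde{A}\tilde{x}^c + \tilde{B}\zeta \in \mathcal{S},\ \|\tilde{C}\tilde{x}^c + \tilde{D}\zeta\| \le 1 \right\}.$$

Since $\tilde{A}\tilde{x}^c + \tilde{B}\zeta$ and $\tilde{C}\tilde{x}^c + \tilde{D}\zeta$ are continuous with respect to $\tilde{x}^c$ and $\zeta$, $\mathcal{S}_a$ is also closed, convex, and symmetric. By Proposition 3, we know that $\mathcal{S}_a = \mathcal{K}_a + \mathcal{V}_a$, where $\mathcal{K}_a$ is compact and $\mathcal{V}_a$ is a subspace. Now define a projection matrix $M$

$$M = \begin{bmatrix} I_{2n} & 0_{2n \times (q+l)} \end{bmatrix} \in \mathbb{R}^{2n \times (2n+q+l)}.$$

Thus, $\mathrm{Pre}(\mathcal{S}) = M\mathcal{S}_a = M\mathcal{K}_a + M\mathcal{V}_a$. By Proposition 4, $M\mathcal{K}_a$ is compact. Furthermore, $M\mathcal{V}_a$ is a subspace of $\mathbb{R}^n$ and thus closed. Hence, by Proposition 4, $\mathrm{Pre}(\mathcal{S}) = M\mathcal{S}_a = M\mathcal{K}_a + M\mathcal{V}_a$ is closed.

Proposition 5. The following statements hold for the operator Pre, Rch, and the controlled invariant set:

1. Pre and Rch are monotonically nondecreasing, i.e., if $\mathcal{S}_1 \subseteq \mathcal{S}_2$, then

$$\mathrm{Pre}(\mathcal{S}_1) \subseteq \mathrm{Pre}(\mathcal{S}_2), \qquad \mathrm{Rch}(\mathcal{S}_1) \subseteq \mathrm{Rch}(\mathcal{S}_2); \tag{3.94}$$

2. Letting $\mathcal{C}$ be a controlled invariant set, then $\mathcal{C} \subseteq \mathrm{Pre}(\mathcal{C})$;

3. There exists the maximum controlled invariant set $\mathcal{C}_\infty$, such that $\mathcal{C} \subseteq \mathcal{C}_\infty$ for all controlled invariant sets $\mathcal{C}$; and

4. Letting $\mathcal{C}_0 = \mathbb{R}^{2n}$ and $\mathcal{C}_{k+1} = \mathrm{Pre}(\mathcal{C}_k)$, then the following equality holds:

$$\mathcal{C}_\infty = \bigcap_{k=0}^{\infty} \mathcal{C}_k. \tag{3.95}$$

Proof. The proof of the first three properties can be found in [60], while the proof of the last property is quite technical and is dealt with hereafter based on Proposition 3, Proposition 4 and Lemma 4. It is worth noticing that, for general systems and feasibility constraints, (3.95) is not necessarily true [61].

Since $\mathcal{C}_\infty$ is controlled invariant, it follows that $\mathcal{C}_\infty \subset \mathrm{Pre}(\mathcal{C}_\infty)$ and consequently, one can verify that $\mathcal{C}_1 = \mathrm{Pre}(\mathbb{R}^n) \subset \mathcal{C}_0$. Thus, by the monotonicity of Pre, we know that

$$\mathcal{C}_\infty \subseteq \ldots \subseteq \mathcal{C}_1 \subseteq \mathcal{C}_0. \tag{3.96}$$

Hence, we only need to prove that $\bigcap_{i=0}^{\infty} \mathcal{C}_i \subseteq \mathcal{C}_\infty$. Let $\tilde{x}^c \in \bigcap_{i=0}^{\infty} \mathcal{C}_i$. By definition, there exist $\zeta_i$, $i \in \mathbb{N}$, such that

$$\tilde{A}\tilde{x}^c + \tilde{B}\zeta_i \in \mathcal{C}_{i-1}, \qquad \|\tilde{C}\tilde{x}^c + \tilde{D}\zeta_i\| \le 1.$$

Such $\zeta_i$s may not be unique. As a result, we will choose those $\zeta_i$s with minimum norm. By Lemmas 4 and 3, we know that $\mathcal{C}_i$ can be written as $\mathcal{C}_i = \mathcal{V}_i + \mathcal{K}_i$, where $\mathcal{K}_i$ is compact and $\mathcal{V}_i$ is a subspace. Now by (3.96),

$$\mathcal{V}_0 \supseteq \mathcal{V}_1 \supseteq \mathcal{V}_2 \supseteq \ldots$$

Let us define subspace

$$\mathcal{V} = \bigcap_{i=0}^{\infty} \mathcal{V}_i.$$

Since $\mathcal{V}_i$ is of finite dimension, there must exist an $N$ such that $\mathcal{V}_i = \mathcal{V}$ for all $i \ge N$, which further implies that $\mathcal{K}_i \supseteq \mathcal{K}_{i+1}$, $i \ge N$. Hence, $\mathcal{K}_i$ is uniformly bounded.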

Now we want to prove that $\|\zeta_i\|$ is bounded. Consider the opposite. By the Bolzano–Weierstrass theorem, there exists a subsequence $\{\zeta_{i_j}\}$ such that

$$\lim_{j \to \infty} \|\zeta_{i_j}\| = \infty, \qquad \lim_{j \to \infty} \frac{\zeta_{i_j}}{\|\zeta_{i_j}\|} = v.$$

Hence, ζij

1

ζij

ζij

˜ x˜ ) , B˜   ∈ Vi +   (Ki − A c

   ζi  !  ˜  j  1  ˜ x˜ c  , D    ≤   1 +C  ζij  ζij

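which implies that $\tilde{B}v \in \mathcal{V}$, $\tilde{D}v = 0$. Therefore, for any $\alpha \in \mathbb{R}$,

$$\tilde{A}\tilde{x}^c + \tilde{B}(\zeta_i + \alpha v) \in \mathcal{C}_{i-1}, \qquad \|\tilde{C}\tilde{x}^c + \tilde{D}(\zeta_i + \alpha v)\| \le 1.$$

As a result, the fact that $\|\zeta_i\|$ is unbounded contradicts the minimality of $\|\zeta_i\|$. Thus, $\|\zeta_i\|$ must be bounded. Now by the Bolzano–Weierstrass theorem, there exists a subsequence $\{\zeta_{i_j}\}$ such that

$$\lim_{j \to \infty} \zeta_{i_j} = \zeta.$$

It is easy to see that $\|\tilde{C}\tilde{x}^c + \tilde{D}\zeta\| \le 1$. On the other hand, for any $j > i$, $\tilde{A}\tilde{x}^c + \tilde{B}\zeta_j \in \mathcal{C}_{j-1} \subseteq \mathcal{C}_i$. Since $\mathcal{C}_i$ is closed, we know that

$$\tilde{A}\tilde{x}^c + \tilde{B}\zeta \in \bigcap_{i=0}^{\infty} \mathcal{C}_i.$$

Thus, $\bigcap_{i=0}^{\infty} \mathcal{C}_i$ is controlled invariant. Since $\mathcal{C}_\infty$ is the largest controlled invariant set, $\bigcap_{i=0}^{\infty} \mathcal{C}_i \subseteq \mathcal{C}_\infty$, which concludes the proof.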

3.4.7 Simulation results

Consider the following LTI system:

$$x(k+1) = \begin{bmatrix} 1 & 0 \\ 1 & 1 \end{bmatrix} x(k) + w(k) + \begin{bmatrix} 1 \\ 0 \end{bmatrix} u(k). \tag{3.97}$$

Suppose two sensors are measuring the first state $x_1(k)$ and the second state $x_2(k)$, respectively. Hence, $y(k) = x(k) + v(k)$. The estimation and control gain matrices are

$$K = \begin{bmatrix} 0.594 & 0.079 \\ 0.079 & 0.694 \end{bmatrix}, \qquad L = \begin{bmatrix} -1.244 & -0.422 \end{bmatrix}. \tag{3.98}$$

We consider two cases, where either the first sensor or the second sensor is compromised, i.e.,  = [1, 0]T or  = [0, 1]T . We assume that $B^a = 0$ for both cases.

Fig. 3.14 shows the inner and outer approximation of $\mathcal{R}$ when the first sensor is compromised. Since $\mathcal{R}$ is in $\mathbb{R}^4$, we project the ellipsoid onto the space of the state $x^c(k)$ and the space of estimation error $e^c(k)$, respectively. From the simulation, we can conclude that the reachable region $\mathcal{R}$ is bounded. Therefore, the attacker cannot destabilize the system by compromising the first sensor.

Fig. 3.15 shows the inner approximation of $\mathcal{R}_k$ when the second sensor is compromised. It can be seen that $\mathcal{R}_k$ is growing over time. In fact, by Theorem 9 in [55], $\mathcal{R}_k$ must be unbounded. It is worth noticing that, by linearity, the reachable set is unbounded for any $\delta > 0$. However, if the system is noiseless, then the adversary needs to enforce $\delta = 0$ to avoid detection, which by (3.67) enforces that $\zeta_k = 0$ for all $k$. Therefore, no stealthy attack can be launched.

Figure 3.14 Inner and outer approximation of R when  = [1, 0]T . (a) State. (b) Estimation error.

Figure 3.15 Inner approximation of R1 to R7 when  = [0, 1]T . (a) State. (b) Estimation error.

3.5 Decentralized secure control

It has been recently reported [65] that the theory of interconnected systems is devoted to problems due to dimensionality, information structure constraints, uncertainty, and delays. It is crucial to realize that, when dealing with several practical problems arising in power systems, manufacturing systems, and irrigation systems, the changes in controller structure and settings might degrade the overall system performance [66,67]. Decentralized control has been a topic of interest because it avoids the communication transfer between the interconnected subsystems. Indeed, the main objective is to design a feedback control for each subsystem using only local information [68,69].

The main objective of this section is to design a decentralized control scheme that ensures the robust stabilization of interconnected systems while estimating the nonmeasurable state variables and minimizing the upper bound of a prescribed optimal performance index. An integral step is the stability analysis of an observer-based control scheme and formulating the sufficient conditions as an optimization problem subject to linear constraints. All the developed results are tested on an interconnected power system.

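3.5.1 Problem statement

We consider a class of nonlinear systems $S$ composed of $n_s$ coupled subsystems $S_j$ and modeled by the state-space model:

$$\begin{aligned}
\dot{x}_j(t) &= A_j x_j(t) + B_j u_j(t) + f(x_j(t), \delta_j(t)) + \sum_{k \ne j}^{n_s} A_{jk} x_k(t) + D_j w_j(t) \\
y_j(t) &= C_j x_j(t) + E_j v_j(t) \\
z_j(t) &= M_j x_j(t) ,
\end{aligned} \tag{3.99}$$

where for $j \in \{1, ..., n_s\}$, $x_j(t) \in \mathbb{R}^{n_j}$ is the state vector; $u_j(t) \in \mathbb{R}^{m_j}$ is the control input; $y_j(t) \in \mathbb{R}^{q_j}$ is the measurement output, and $z_j(t) \in \mathbb{R}^{d_j}$ is the controlled output. The signals $w_j(t) \in \mathbb{R}^{r_j}$, $v_j(t) \in \mathbb{R}^{p_j}$ are exogenous noises. The matrices

$$A_j \in \mathbb{R}^{n_j \times n_j}, \quad B_j \in \mathbb{R}^{n_j \times m_j}, \quad C_j \in \mathbb{R}^{q_j \times n_j}, \quad D_j \in \mathbb{R}^{n_j \times r_j}, \quad E_j \in \mathbb{R}^{q_j \times p_j}, \quad M_j \in \mathbb{R}^{d_j \times n_j}$$

are real and constant. The matrices $A_{jk} \in \mathbb{R}^{n_j \times n_k}$ sjth subsystem. The functions

$$f_j = (x_j(t), \delta_j(t)) \in \mathbb{R}^{n_j}, \qquad f_j = (x_j(t), 0) = 0$$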

are vector-valued time-varying functions, treated as stochastic nonlinear perturbations with fj (0, t) = 0 ∀ t and satisfying the following condition for all (x, t), (ˆx, t) ∈ n × n : IE{fj (x(t), t) fkt (ˆx(t), t)|xj (t), xˆ k (t)} = 0 , IE{fj (x(t), t) fjt (ˆx(t), t)|xj (t)} =

ns 

k = j

ωq αqt xtj (t)q xj (t) .

(3.100)

q=1

For some constants, ωq > 0 and q ∈ nq × nq are constant matrices and s > 0 is a given integer.

It should be pointed out that the open network could be vulnerable and encounter cyberattacks. In what follows, we will consider the effect of DoS attacks occurring in both the sensor-to-observer channel and the observer-to-observer channel. Specifically, data can be neither sent nor received in the presence of DoS attacks, under the following attack model:

$$\phi_j(t) = \alpha_j(t)\, y_j(t), \qquad \eta_j(t) = \beta_j(t)\, \xi_j(t), \tag{3.101}$$

where $\phi_j(t) \in \mathbb{R}^{s_j}$ is the measurement signal received by the observer $j$; $\xi_j(t) \in \mathbb{R}^{n_j}$ is the state estimate of observer $j$, and $\eta_j(t) \in \mathbb{R}^{n_j}$ is the signal broadcast to the neighbors' observers. Furthermore, the stochastic behavior of DoS attacks is governed by two stochastic variables $\alpha_j(t)$ and $\beta_j(t)$, which are two mutually independent Bernoulli distributed white sequences taking value on 0 or 1 with the following probabilities:

$$\begin{aligned}
\mathrm{Prob}\{\alpha_j(t) = 0\} &= 1 - \bar{\alpha}_j, & \mathrm{Prob}\{\alpha_j(t) = 1\} &= \bar{\alpha}_j \\
\mathrm{Prob}\{\beta_j(t) = 0\} &= 1 - \bar{\beta}_j, & \mathrm{Prob}\{\beta_j(t) = 1\} &= \bar{\beta}_j .
\end{aligned}$$

Here, $\bar{\alpha}_j$ and $\bar{\beta}_j$ are known scalars belonging to $[0, 1]$. It should be pointed out that the stochastic nature makes cyberattacks more covert than deterministic ones.

In the sequel, we consider stabilizing system (3.99) by means of a dynamic output-feedback controller, the observer part of which is described by

$$\dot{\xi}_j(t) = A_j \xi_j(t) + B_j u_j(t) + \sum_{k \ne j}^{n_s} A_{jk}\, \eta_k(t) + L_j[\phi_j(t) - \bar{\alpha}_j C_j \xi_j(t)] , \tag{3.102}$$

and the controller part is given by

$$u_j(t) = -K_j \xi_j(t) , \tag{3.103}$$

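where $L_j \in \mathbb{R}^{n_j \times q_j}$, $K_j \in \mathbb{R}^{m_j \times n_j}$ are the local observation and controller gain matrices, respectively. Introducing the perturbations $\tilde{x}_j = x_j - \xi_j$, $\tilde{\alpha}_j = \alpha_j - \bar{\alpha}_j$, $\tilde{\beta}_j = \beta_j - \bar{\beta}_j$, we obtain from (3.99) and (3.102) the dynamics of the observation error as

$$\begin{aligned}
\dot{\tilde{x}}_j(t) ={}& [A_j - \bar{\alpha}_j L_j C_j]\tilde{x}(t) - \tilde{\alpha}_j L_j C_j x_j(t) + \sum_{k \ne j}^{n_s} \bar{\beta}_k A_{jk} \tilde{x}_k(t) + \sum_{k \ne j}^{n_s} \tilde{\beta}_k A_{jk} \tilde{x}_k(t) \\
&+ \sum_{k \ne j}^{n_s} [1 - \bar{\beta}_k] A_{jk} x_k(t) + f(x_k(t)) - \sum_{k \ne j}^{n_s} \tilde{\beta}_k A_{jk} x_k(t) + D_j w_j(t) \\
&- \bar{\alpha}_j L_j E_j v_j(t) - \tilde{\alpha}_j L_j E_j v_j(t) .
\end{aligned} \tag{3.104}$$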

The augmented system, including system (3.99) through the observation error system (3.104) over j = 1, ..., ns , is expressed by ζ˙ (t) = [A + C ]ζ + α˜ B ζ + β˜ C ζ + Dν(t) + α˜ E ν(t) + h

z(t) = Mζ (t) , where ζj

= [xtj x˜ tj ]t , hj = [fj t fjt ]t , z = [z1 , ...., zns ]t

νj (t) = [xtj x˜ tj ]t , A = diag[A1 , ...., Ans ]t B

= diag[B1 , ...., Bns ]t ,

C = diag[C1 , ...., Cns ]t

D

= diag[D1 , ...., Dns ]t ,

α˜

E = diag[E1 , ...., Ens ]t β˜ = diag[β˜1 I , ..., β˜ns ] 

= diag[α˜ 1 I , ..., α˜ ns ] ,  Aj − Bj Kj −Bj Kj = 0 Aj − α¯ j Lj Cj

Aj

(3.105) (3.106)


 Bj

= 

0 0

0 −L j C j

Dj Dj



 Cj =

, 

0 −α¯ j Lj Ej

0 −Ajk 

Dj

=

M

= diag[M1 , ...., MS ]t ,

,

Ej =

0 0

0 Ajk




0 −Lj Ej

Dj = [Mj 0] .



(3.107)

The objective now is to determine the control and observation gain matrices $K_j$, $L_j$, $j = 1, ..., n_s$, that robustly stabilize the augmented system (3.105) with optimal performances. Before proceeding toward our goal, we recall the following two definitions.

Definition 13. For $\nu(t) = 0$, the closed-loop system (3.105) subject to DoS attacks is said to be exponentially mean-square stable if there exist constants $\kappa > 0$, $0 < \mu < 1$ such that

$$\mathbb{E}\{\|\zeta(t)\|^2\} \le \kappa \exp(-\mu t) \sup_{s \in [0,\infty)} \mathbb{E}\{\|\zeta(s)\|^2\}, \qquad \forall\, t \ge 0 . \tag{3.108}$$

Definition 14. Given a disturbance attenuation level $\gamma > 0$ and any nonzero $\nu(t) \in L_2[0, \infty)$, the closed-loop system (3.105) subject to DoS attacks is considered to achieve the $H_\infty$ performance with the disturbance attenuation level $\gamma$ if the following condition is true:

$$\int_{s=0}^{\infty} \mathbb{E}\{\|z(s)\|^2\}\, ds \le \gamma^2 \int_{s=0}^{\infty} \mathbb{E}\{\|\nu(s)\|^2\}\, ds . \tag{3.109}$$

By resorting to standard Lyapunov arguments, given any positive definite matrix $Q = Q^t \in \mathbb{R}^{n_s \times n_s}$, we let $P$ be the unique solution of the overall Lyapunov equation

$$P(A + C) + (A + C)^t P = -Q, \qquad P = \mathrm{diag}\{P_1; P_2; ...; P_{n_s}\}, \qquad Q = \mathrm{diag}\{Q_1; Q_2; ...; Q_{n_s}\} . \tag{3.110}$$

Then, by taking the Lyapunov function $V(\zeta(t)) = \zeta^t(t) P \zeta(t) > 0$, where $\zeta(t) = [\zeta(t)_1, ..., \zeta(t)_{n_s}]$, and computing its derivative along the solution of (3.106) under $\nu = 0$ and subject to DoS attacks, it is simple to verify that

$$\alpha_1 \|\zeta(t)\|^2 \le V(\zeta(t)) \le \alpha_2 \|\zeta(t)\|^2 \tag{3.111}$$

$$\frac{d}{dt} V(\zeta(t)) \le -\gamma_1 \|\zeta(t)\|^2 \tag{3.112}$$

hold for all $t \in \mathbb{R}_{\ge 0}$, with $\alpha_1$ and $\alpha_2$ equal to the smallest and largest eigenvalue of $P$, respectively, and $\gamma_1$ is an appropriate decay factor. Then, one can immediately see that, under (3.106), (3.112) always satisfies a dissipation-like inequality.

Summarizing the previous discussions, the objective of this section is to look for the control and observation-gain matrices $K_j$, $L_j$, $j = 1, ..., n_s$ such that the following requirements are met simultaneously:
• For $\nu(t) = 0$, the closed-loop large-scale system (3.106) subject to DoS attacks is exponentially mean-square stable;
• For a given disturbance attenuation level $\gamma > 0$ and any nonzero $\nu(t) \in L_2[0, \infty)$, the closed-loop interconnected system (3.106) subject to DoS attacks achieves the predetermined $H_\infty$ performance.

3.5.2 Design results

The objective is to determine the control and observation gain matrices $K_j$, $L_j$, $j = 1, ..., n_s$ that effectively stabilize the augmented system (3.105) with prescribed performances. In what follows, sufficient conditions are first derived by resorting to the standard Lyapunov stability approach, and the explicit expressions of the desired controller gains and observer gains are then obtained by means of convex optimization over LMIs.

Theorem 12. Let the local observation and controller gain matrices Lj , Kj , j = 1, ..., ns and the desired H∞ performance index γ > 0 be given. The noise-free closed-loop large-scale systems (3.106) with the observer-based control protocol (3.103) subject to DoS attacks are said to be exponentially mean-square stable, if there exist positive definite matrices  = diag{1 ; 2 ; ...; ns } , Q = diag{Q1 ; Q2 ; ...; Qns } , P = diag{P1 ; P2 ; ...; Pns } ,

satisfying the following conditions ⎡

−Q +  ⎢ • ⎣ •

, PB − α( ˜ 1 − α) ˜ •

⎤ PC ⎥ ⎦ < 0 - • ˜ ˜ − β(1 − β)

P(A + C ) + (A + C )t P = −Q .

(3.113) (3.114)

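Proof. Defining the Lyapunov function candidate $V(\zeta(t)) = \zeta^t(t) P \zeta(t) > 0$ and evaluating the derivative $\dot{V}(\zeta, t)$ along the trajectories of system (3.105) under $\nu = 0$ yields

$$\begin{aligned}
\mathbb{E}\dot{V}(\zeta(t)) &= \mathbb{E}\{\zeta^t(t) P \dot{\zeta}(t) + \dot{\zeta}^t(t) P \zeta(t)\} \\
&= \mathbb{E}\{\zeta^t(t) P (A + C) \zeta(t) + \zeta^t(t) (A + C)^t P \zeta(t)\} \\
&\quad + \mathbb{E}\{\zeta^t(t) P (\tilde{\alpha} B + \tilde{\beta} C) \zeta + \zeta^t (\tilde{\alpha} B + \tilde{\beta} C)^t P \zeta(t)\} \\
&\quad + \mathbb{E}\{\zeta^t(t) P h \zeta(t) + \zeta^t(t) h^t P \zeta(t)\} .
\end{aligned} \tag{3.115}$$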

Taking into consideration E{ζ t (t)Phζ (t) + ζ t (t)ht Pζ (t)} = {

ns 

ζqt (t)q ζj (t)}

(3.116)

q=1

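$$\begin{aligned}
&\mathbb{E}\{\zeta^t(t) P (\tilde{\alpha} B + \tilde{\beta} C) \zeta(t) + \zeta^t(t) (\tilde{\alpha} B + \tilde{\beta} C)^t P \zeta(t)\} \\
&\quad = \mathbb{E}\{\tilde{\alpha}(1 - \tilde{\alpha})\, \zeta^t(t) P B B^t P \zeta(t) + \tilde{\beta}(1 - \tilde{\beta})\, \zeta^t(t) P C C^t P \zeta(t)\} ,
\end{aligned} \tag{3.117}$$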

one arrives at EV˙ (ζ (t)) = E{ζ t (t)[−Q +  + α( ˜ 1 − α)P ˜ BB t P ˜ 1 − β)ζ ˜ t PCC t P]ζ (t)} . +β(

(3.118)

When the algebraic inequality  = P(A + C ) + (A + C )t P +  + α( ˜ 1 − α)P ˜ BB t P ˜ 1 − β)ζ ˜ t PCC t P < 0, ∀ζ = 0 +β( 

(3.119)

= diag{1 , 2 , ..., ns }

is feasible, it follows under DoS attacks that EV˙ (ζj )(t) ≤ ζ t (t)ζ (t) < 0 .

(3.120)


This implies that there must exist a sufficiently small scalar θo > 0 such that  + θo diag{I , 0} < 0 .

(3.121)

Therefore, the following inequality can be obtained from (3.120)–(3.121)

$$\mathbb{E}\dot{V}(\zeta_j)(t) \le -\theta_o\, \mathbb{E}\{\|\zeta(t)\|^2\} . \tag{3.122}$$

By carefully examining the exponentially mean-square stability of the closed-loop interconnected system (3.106) and according to the definition of $V(\zeta(t))$, it is easily verified that

$$\mathbb{E}V(\zeta(t)) \le \kappa\, \mathbb{E}\{\|\zeta(t)\|^2\} , \tag{3.123}$$

where $\kappa = \lambda_{\max}(P)$. For scalars $\kappa > 0$, $0 < \mu < 1$ and combining (3.122) with (3.123), one arrives at

$$\mathbb{E}\dot{V}(\zeta(t)) \le -\omega_o\, \mathbb{E}V(\zeta(t)) , \tag{3.124}$$

where $\omega_o = \theta_o / \kappa$. Employing standard comparison results for differential inequalities yields

$$\mathbb{E}V(\zeta(t)) \le e^{-\omega_o t}\, \mathbb{E}V(\zeta(0)) . \tag{3.125}$$

By conducting a similar analysis to [69], the exponentially mean-square stability of closed-loop systems (3.105) with ν(t) = 0 can be easily verified, and therefore the proof is complete. We next move to establish the H∞ performance. The following theorem establishes the main result. Theorem 13. Let the disturbance attenuation level γ > 0 and the control and observation gain matrices Kj , Lj , j = 1, ..., ns be given. The closed-loop interconnected systems (3.106) with the observer-based control protocol (3.102)–(3.103) subject to DoS attacks reach the predetermined H∞ performance, as well as the exponentially mean-square stability, if there exist the positive definite matrices  = diag{1 ; 2 ; ...; ns }, X = diag{Xo ; Xo }, Y = diag{Yo ; Yo }, Ga , Gc satisfying the following inequalities ⎡

−Y +  ⎢ • ⎢ ⎢ ⎣ • •

, BX − α( ˜ 1 − α) ˜ • •

CX

XM t

- 0 ˜ ˜ 1 − β) − β( •

0 0 −I

⎤ ⎥ ⎥ ⎥

0 is a scalar, $e_y(k) = y_{pt}(k) - y_p(k)$, and $y_{pt}(k)$ is the transmitted signal in the last event instant. Here, $\delta_1$ is determined by the operator based on the application. The transmitted signal $y_{pt}(k)$ must be saved in a memory to process the comparison with the current output presented in (4.2).

Remark 19. The sequence of event-triggered instants $0 < t_0 < t_1 < \cdots < t_l < \cdots$ is calculated at each iteration by

$$t_{l+1} = \inf\{k \in \mathbb{N} \mid k > t_l,\ e_y^T(k)\, e_y(k) > \delta_1^2\} .$$

So, for $k \in [k_t, k_{t+1})$, the signal received by the observer $y_c(k)$ is equal to $y_{pt}$, which is equal to $e_y(k) + y_p(k)$.

Remark 20. The event-triggering applied here was established in view of the work of [35], in which an event-triggered framework in the context of distributed networked control systems was proposed. The event-triggering in [35] is designed based on observed states, not on exact measurements. In this chapter, the measurements and transmitted signals are used to design the event-triggering scheme as given by (4.2).

4.2.2 The attack model

Considering Remark 19, the measurement signal $y_c(k)$ after traversing the network, i.e., the signal received by the observer, is formulated as

$$\begin{aligned}
y_c(k) ={}& (1 - \alpha_1(k)) \big[ e_y(k) + y_p(k) + \alpha_2(k)(-e_y(k) - y_p(k) + \zeta_y(k)) \big] \\
&+ \alpha_1(k) \big[ e_y(k - \tau_k^f) + y_p(k - \tau_k^f) - \alpha_2(k)\, y_p(k - \tau_k^f) \\
&\qquad\quad + \alpha_2(k)\, \zeta_y(k - \tau_k^f) \big] .
\end{aligned} \tag{4.3}$$

In this chapter we assume that the DDoS attack causes a delay $\tau_k^f$ with a Bernoulli distribution in the forward path. Also, the occurrences of the forward DDoS and deception attacks are considered to have Bernoulli distributed white sequences $\alpha_1(k)$ and $\alpha_2(k)$, respectively, while the deception attack modifies the forward signal by $\zeta_y(k)$. Although the absence of data packets is not stealthy, since it is trivially detectable, DoS attacks may be misdiagnosed as a poor network condition. In the early work on this problem, [25–27,36,23] have modeled the DoS attack as a Bernoulli distribution assuming constant probability.

Controlling of CPPS in the presence of simultaneous attacks


Nevertheless, the packet loss is stable and has the same behavior all the time. Thus, it is reasonable to model it with constant probabilities as found in the literature. On the other hand, the DDoS attack is a designed and manipulated attack that yields a packet loss as a byproduct; this is an important difference between the packet loss due to channel impairment and the DDoS attack. In this work, we model the DDoS attack as Bernoulli distributed white sequences while treating the conditional probabilities as variable quantities. These variable conditional probabilities allow our model to catch the frequency of initiating the attack by the intruder. In addition we consider the attack duration by defining boundaries of possible DDoS attack as shown in Fig. 4.1. This makes our model more practical and closer to a real DDoS attack where the attacker manipulates the attack parameters such as the timing, duration, etc. More details about modeling a DoS attack are discussed in [37,38]. As a future work, we are planning to build a realistic model of the DDoS attack using real traces/datasets of DDoS attacks. Remark 21. In order to facilitate the analysis of this chapter, we assume that the attack instants can be obtained in real time. In practice, the information related to the DDoS and deception attacks can be obtained online by using intrusion detection technology.

4.2.3 The observer-based control scheme

The observer-based control scheme below is proposed with consideration of the existence of cyberattacks in the forward path:

Observer:

$$\begin{aligned}
\hat{x}(k+1) &= A\hat{x}(k) + B u_c(k) + L\,(y_c(k) - \hat{y}_c(k)) \\
\hat{y}_c(k) &= C\hat{x}(k)
\end{aligned} \tag{4.4}$$

Controller:

$$\begin{aligned}
u_c(k) ={}& K\hat{x}(k) \\
u_p(k) ={}& (1 - \beta_1(k)) \big[ u_c(k) + \beta_2(k)(-u_c(k) + \zeta_u(k)) \big] \\
&+ \beta_1(k) \big[ u_c(k - \tau_k^b) - \beta_2(k)\big( -u_c(k - \tau_k^b) + \zeta_u(k - \tau_k^b) \big) \big] ,
\end{aligned} \tag{4.5}$$

where $\hat{x}(k) \in \mathbb{R}^n$ and $\hat{y}_c(k) \in \mathbb{R}^p$ are the estimate of the states (4.1) and the observer output, respectively. $K \in \mathbb{R}^{m \times n}$ and $L \in \mathbb{R}^{n \times p}$ are the controller and observer gains, respectively. The DDoS attack causes a delay $\tau_k^b$ with a Bernoulli distribution in the backward path.

Table 4.1 Cases of attacks.

Case No. (i)   F. DDoS   B. DDoS   F. Deception   B. Deception
1              No        No        No             No
2              No        No        No             Yes
3              No        No        Yes            No
4              No        No        Yes            Yes
5              No        Yes       No             No
6              No        Yes       No             Yes
7              No        Yes       Yes            No
8              No        Yes       Yes            Yes
9              Yes       No        No             No
10             Yes       No        No             Yes
11             Yes       No        Yes            No
12             Yes       No        Yes            Yes
13             Yes       Yes       No             No
14             Yes       Yes       No             Yes
15             Yes       Yes       Yes            No
16             Yes       Yes       Yes            Yes

F. refers to forward and B. refers to backward.

The occurrence of the backward DDoS and deception attacks is considered to have the Bernoulli distributed white sequences $\beta_1(k)$ and $\beta_2(k)$, respectively, where these stochastic variables are mutually independent of $\alpha_1(k)$ and $\alpha_2(k)$, while the deception attack modifies the backward signal by $\zeta_u(k)$. In this chapter, $\tau_k^b$ and $\tau_k^f$ are assumed to be time-varying variables satisfying the following boundaries:

$$\tau_f^{\min} \le \tau_k^f \le \tau_f^{\max}, \qquad \tau_b^{\min} \le \tau_k^b \le \tau_b^{\max} . \tag{4.6}$$

In this chapter, we consider all possible scenarios of cyberattacks, that is, a DDoS attack in the forward path, the backward path, or both; a deception attack in the forward path, the backward path, or both; and any other possible simultaneous attacks, e.g., simultaneous DDoS and deception attacks in the forward path together with a deception attack in the backward path. In total, we have 16 cases for the system, as shown in Table 4.1. Each case $(i)$ occurs with a probability $\rho_i$ and an expected value $\hat{\rho}_i$. Furthermore, case no. 1 represents the system when it is free of attacks, while case no. 16 represents the worst possible scenario, where the system is under simultaneous DDoS and deception attacks on all paths.
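The trigger rule of Remark 19, the two attacked signal paths of (4.3) and (4.5), and the case numbering of Table 4.1 can be exercised numerically. The Python code below is an added example, not code from the book: the scalar plant, the gains, the attack probabilities and all function names are constructed assumptions, and the delayed branch of each path is assumed to be gated by the deception indicator in the same way as the undelayed branch.

```python
import itertools
import random

FIELDS = ("f_ddos", "b_ddos", "f_dec", "b_dec")   # column order of Table 4.1


def attack_cases():
    """Cases 1..16 of Table 4.1 as dicts of 0/1 flags (list index 0 is case 1)."""
    return [dict(zip(FIELDS, bits)) for bits in itertools.product((0, 1), repeat=4)]


def case_number(a1, b1, a2, b2):
    """Table 4.1 case hit by one draw of alpha1 (F. DDoS), beta1 (B. DDoS),
    alpha2 (F. deception) and beta2 (B. deception)."""
    return 8 * a1 + 4 * b1 + 2 * a2 + b2 + 1


def event_trigger(y, delta1):
    """Remark 19 for a scalar output: y_p(k) is sent only when
    e_y(k)^2 > delta1^2 with e_y = y_pt - y_p. Returns (held signal, instants)."""
    held, instants, last = [], [], None
    for k, yk in enumerate(y):
        if last is None or (last - yk) ** 2 > delta1 ** 2:
            last = yk
            instants.append(k)
        held.append(last)
    return held, instants


def through_channel(sig, inj, k, ddos, dec, tau):
    """Value delivered at step k by one network path. ddos=1 delivers the
    sample of step k - tau, dec=1 replaces the sample by the injected one."""
    kd = max(k - tau, 0)
    fresh = (1 - dec) * sig[k] + dec * inj[k]
    late = (1 - dec) * sig[kd] + dec * inj[kd]
    return (1 - ddos) * fresh + ddos * late


def simulate(probs, steps=400, seed=7, delta1=0.05, delta2=0.5,
             tau_f=(1, 3), tau_b=(1, 3)):
    """Scalar closed loop with the observer and controller of (4.4)-(4.5).
    probs holds the Bernoulli means of (alpha1, beta1, alpha2, beta2)."""
    rng = random.Random(seed)
    a, b, c, K, L = 0.8, 1.0, 1.0, -0.3, 0.3   # constructed plant and gains
    x, xh, last = 1.0, 0.0, None
    ypt, uc, zy, zu = [], [], [], []            # signal histories for the delays
    counts, peak, mean_sq = [0] * 16, 0.0, 0.0
    for k in range(steps):
        yp = c * x
        if last is None or (last - yp) ** 2 > delta1 ** 2:   # event trigger
            last = yp
        ypt.append(last)
        uc.append(K * xh)                                    # u_c(k) = K x_hat(k)
        # Each |zeta| <= delta2 / 2, so zeta^T zeta < delta2^2 as in (4.11).
        zy.append(rng.uniform(-delta2 / 2, delta2 / 2))
        zu.append(rng.uniform(-delta2 / 2, delta2 / 2))
        a1, b1, a2, b2 = (int(rng.random() < p) for p in probs)
        counts[case_number(a1, b1, a2, b2) - 1] += 1
        yc = through_channel(ypt, zy, k, a1, a2, rng.randint(*tau_f))
        up = through_channel(uc, zu, k, b1, b2, rng.randint(*tau_b))
        x, xh = a * x + b * up, a * xh + b * uc[k] + L * (yc - c * xh)
        peak = max(peak, abs(x))
        mean_sq += (x * x + (x - xh) ** 2) / steps   # ||xi||^2 with xi = [x, e]
    return {"peak": peak, "final": abs(x), "mean_sq": mean_sq,
            "rho_hat": [n / steps for n in counts]}


if __name__ == "__main__":
    for name, probs in [("attack-free", (0, 0, 0, 0)), ("mixed", (0.3, 0.3, 0.2, 0.2)),
                        ("case 16 only", (1, 1, 1, 1))]:
        r = simulate(probs)
        print(name, round(r["peak"], 3), round(r["mean_sq"], 4))
```

Raising the entries of `probs` moves probability mass from case 1 toward case 16; `rho_hat` is the empirical frequency of each of the 16 cases over the run, and `mean_sq` is the empirical mean of $\|\xi(k)\|^2$ that a chosen $\delta_3^2$ can be compared against.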


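The estimation error is defined as $e(k) = x(k) - \hat{x}(k)$. Then, one has

$$\begin{aligned}
x(k+1) ={}& \big[ A - (1 - \beta_1(k))(1 - \beta_2(k)) BK \big] x(k) + \big[ -(1 - \beta_1(k))(1 - \beta_2(k)) BK \big] e(k) \\
&+ \big[ \beta_1(k)(1 - \beta_2(k)) BK \big] x(k - \tau_k^b) + \big[ -\beta_1(k)(1 - \beta_2(k)) BK \big] e(k - \tau_k^b) \\
&+ (1 - \beta_1(k))\beta_2(k) B \zeta_u(k) + \beta_1(k)\beta_2(k) B \zeta_u(k - \tau_k^b) ,
\end{aligned} \tag{4.7}$$

$$\begin{aligned}
e(k+1) ={}& \big[ (1 - \beta_1(k))(1 - \beta_2(k)) BK - (1 - \alpha_1(k))(1 - \alpha_2(k)) LC - BK + LC \big] x(k) \\
&+ \big[ -(1 - \beta_1(k))(1 - \beta_2(k)) BK + A + BK - LC \big] e(k) \\
&+ \big[ \beta_1(k)(1 - \beta_2(k)) BK \big] x(k - \tau_k^b) + \big[ -\beta_1(k)(1 - \beta_2(k)) BK \big] e(k - \tau_k^b) \\
&+ \big[ -\alpha_1(k)(1 - \alpha_2(k)) LC \big] x(k - \tau_k^f) \\
&+ (1 - \beta_1(k))\beta_2(k) B \zeta_u(k) - (1 - \alpha_1(k))\alpha_2(k) L \zeta_y(k) \\
&+ \beta_1(k)\beta_2(k) B \zeta_u(k - \tau_k^b) - \alpha_1(k)\alpha_2(k) L \zeta_y(k - \tau_k^f) \\
&- (1 - \alpha_1(k))(1 - \alpha_2(k)) L \big[ e_y(k) \big] - \alpha_1(k)(1 - \alpha_2(k)) \big[ e_y(k - \tau_k^f) \big] .
\end{aligned} \tag{4.8}$$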

Let us define $\xi(k) = [x^T(k) \;\; e^T(k)]^T$. System (4.7) and (4.8) are represented by

$$\xi_j(k+1) = A_j \xi(k) + B_j \xi(k - \tau_k^f) + C_j \xi(k - \tau_k^b) + D_j \zeta(k) + E_j \zeta(k - \tau) + F_j \bar{e}_j(k) , \qquad j = 1, \cdots, 16 , \tag{4.9}$$

with $\zeta(k) = [\zeta_u^T(k) \;\; \zeta_y^T(k)]^T$, $\zeta(k - \tau) = [\zeta_u^T(k - \tau_k^b) \;\; \zeta_y^T(k - \tau_k^f)]^T$, $\bar{e}_j(k) = [e_y^T(k) \;\; e_y^T(k - \tau_k^f)]^T$ and $\{A_j, B_j, C_j, D_j, E_j, F_j,\ j = 1, \cdots, 16\}$, and $j$ is an index that represents each situation of the system with the following values:

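$$A_j = \begin{cases}
\begin{bmatrix} A + BK & -BK \\ 0 & A - LC \end{bmatrix} & \text{for } j = 1 \\[2ex]
\begin{bmatrix} A & 0 \\ -BK & A + BK - LC \end{bmatrix} & \text{for } j = 2, 3, 4 \\[2ex]
\begin{bmatrix} A + BK & -BK \\ LC & A - LC \end{bmatrix} & \text{for } j = 5, 9, 13 \\[2ex]
\begin{bmatrix} A & 0 \\ -BK + LC & A + BK - LC \end{bmatrix} & \text{for } j = 6, 7, 8, 10, 11, 12, 14, 15, 16 ,
\end{cases}$$

$$B_j = \begin{cases}
\begin{bmatrix} 0 & 0 \\ -LC & 0 \end{bmatrix} & \text{for } j = 9, \cdots, 12 \\[2ex]
0 & \text{for others,}
\end{cases}
\qquad
C_j = \begin{cases}
\begin{bmatrix} BK & -BK \\ BK & -BK \end{bmatrix} & \text{for } j = 3, 7, 11, 15 \\[2ex]
0 & \text{for others,}
\end{cases}$$

$$D_j = \begin{cases}
\begin{bmatrix} B & 0 \\ B & 0 \end{bmatrix} & \text{for } j = 2, 10, 14 \\[2ex]
\begin{bmatrix} 0 & 0 \\ 0 & -L \end{bmatrix} & \text{for } j = 5, 7, 8 \\[2ex]
\begin{bmatrix} B & 0 \\ B & -L \end{bmatrix} & \text{for } j = 6 \\[2ex]
0 & \text{for others,}
\end{cases}
\qquad
E_j = \begin{cases}
\begin{bmatrix} B & 0 \\ B & 0 \end{bmatrix} & \text{for } j = 4, 8, 12 \\[2ex]
\begin{bmatrix} 0 & 0 \\ 0 & -L \end{bmatrix} & \text{for } j = 13, 14, 15 \\[2ex]
\begin{bmatrix} B & 0 \\ B & -L \end{bmatrix} & \text{for } j = 16 \\[2ex]
0 & \text{for others,}
\end{cases}$$

$$F_j = \begin{cases}
\begin{bmatrix} 0 & 0 \\ -L & 0 \end{bmatrix} & \text{for } j = 1, \cdots, 4 \\[2ex]
\begin{bmatrix} 0 & 0 \\ 0 & -L \end{bmatrix} & \text{for } j = 9, \cdots, 12 \\[2ex]
0 & \text{for others.}
\end{cases} \tag{4.10}$$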

Remark 22. In this chapter, the deception attack is considered as an arbitrary energy signal that satisfies the following boundaries:

$$\zeta^T \zeta < \delta_2^2 . \tag{4.11}$$

Definition 15. Given constant scalars $\delta_1, \delta_2, \delta_3 > 0$ such that $e_y^T(k)\, e_y(k) \le \delta_1^2$ and $\zeta^T \zeta < \delta_2^2$, system (4.9) is $\delta_1, \delta_2, \delta_3$-secure if the upper bound for the dynamics evolution of the attached system in the mean square sense is governed by $\mathbb{E}\|\xi(k)\|^2 \le \delta_3^2$ for all $k$.

4.3 Design results

The objective in this chapter is to design an ETC scheme as formulated in (4.4) and (4.5) to guarantee that the closed-loop system (4.9) is $\delta_1, \delta_2, \delta_3$-secure based on Definition 15. To simplify the expressions, each probability is denoted as $\rho_j$, and its expected value is denoted as $\mathbb{E}[\rho_j]$ for $j = 1, \cdots, 16$.

Remark 23. The approach of this chapter is obtained by expanding the work of [39], [1], and [40]. However, the main difference between this study and the three articles is that the three articles consider only the attack on the network between the controller and the actuators [1] and did not consider the case of simultaneous attacks [40]. In this chapter, we consider all possible scenarios of attacks including the simultaneous scenario, which is more dangerous in industrial applications. Moreover, an event-triggered mechanism is implemented in this work to decrease the communication overhead in the system, where the sensor's signal is sent only when a certain triggering condition is violated.

The following candidate Lyapunov function will be used to derive the main theorems:

$$V(\xi(k)) = \sum_{i=1}^{7} V_i(\xi(k)) , \tag{4.12}$$

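where

$$\begin{aligned}
V_1(\xi(k)) &= \sum_{j=1}^{16} \xi^T(k) P \xi(k), \quad P > 0 , \\
V_2(\xi(k)) &= \sum_{j=1}^{16} \sum_{i=k-\tau_k^f}^{k-1} \xi^T(i) Q_j \xi(i), \quad Q_j = Q_j^T > 0 , \\
V_3(\xi(k)) &= \sum_{j=1}^{16} \sum_{i=k-\tau_k^b}^{k-1} \xi^T(i) Q_j \xi(i) , \\
V_4(\xi(k)) &= \sum_{j=1}^{16} \sum_{i=k-\tau}^{k-1} \zeta^T(i) Q_j \zeta(i) , \\
V_5(\xi(k)) &= \sum_{j=1}^{16} \sum_{\ell=-\tau_f^{\max}+2}^{-\tau_f^{\min}+1} \sum_{i=k+\ell-1}^{k-1} \xi^T(i) Q_j \xi(i) , \\
V_6(\xi(k)) &= \sum_{j=1}^{16} \sum_{\ell=-\tau_b^{\max}+2}^{-\tau_b^{\min}+1} \sum_{i=k+\ell-1}^{k-1} \xi^T(i) Q_j \xi(i) , \\
V_7(\xi(k)) &= \sum_{j=1}^{16} \sum_{\ell=-\tau^{\max}+2}^{-\tau^{\min}+1} \sum_{i=k+\ell-1}^{k-1} \zeta^T(i) Q_j \zeta(i) .
\end{aligned} \tag{4.13}$$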

Theorem 14. Given scalars δ1 , δ2 , δ3 > 0 and an observer-based controller of the form of (4.4) and (4.5) with associated gains K and L. System (4.9) is δ1 , δ2 , δ3 secure if there exist positive matrices P , QjT = Qj , SjT = Sj , j = 1, · · · , 16, and positive scalars ς1 and ς2 satisfying the following LMI:  j < 0 θ 2 q20 λmin (P )(q0 −1)

(4.14)

≤ δ32

where

j

⎡ 11j ⎢ • ⎢ ⎢ • ⎢ = ⎢ ⎢ • ⎢ ⎣ • •

12j 22j • • • •

13j 23j 33j • • •

14j 24j 34j 44j • •

15j 25j 35j 45j 55j •

⎤ 16j 26j ⎥ ⎥ 36j ⎥ ⎥ ⎥, 46j ⎥ ⎥ 56j ⎦ 66j


11j

= ATj ρˆj P Aj − P + φ1 12j = ATj ρˆj P Bj , 13j = ATj ρˆj P Cj ,

14j

= ATj ρˆj P Dj , 15j = ATj ρˆj P Ej , 16j = ATj ρˆj P Fj ,

22j

= BjT ρˆj P Bj − ρˆj Qj , 23j = BjT ρˆj P Cj ,

24j

= BjT ρˆj P Dj , 25j = BjT ρˆj P Ej , 26j = BjT ρˆj P Fj ,

33j

= CjT ρˆj P Cj − ρˆj Qj 34j = CjT ρˆj P Dj ,

35j

= CjT ρˆj P Ej , 36j = CjT ρˆj P Fj ,

44j

= DjT ρˆj P Dj + φ2 , 45j = DjT ρˆj P Ej , 46j = DjT ρˆj P Fj ,

55j

= EjT ρˆj P Ej − ρˆj Sj , 56j = EjT ρˆj P Fj ,

66j

= FjT ρˆj P Fj − ς1 I ,

(4.15)

with

$$\varphi_1 = \hat{\rho}_j (\tau_f^{\max} - \tau_f^{\min} + \tau_b^{\max} - \tau_b^{\min} + 2)\, Q_j , \qquad \varphi_2 = (\tau^{\max} - \tau^{\min} + 1 - \varsigma_2)\, I ,$$

and $\theta^2 = \varsigma_1 \delta_1^2 + \varsigma_2 \delta_2^2$. The proof of Theorem 14 is included in detail in the Appendix.

Remark 24. Theorem 14 provides a stability condition for a class of CPPS in the form of (4.9), including a linear or linearized system in the form of (4.1), with certain values of controller and observer gains subject to hybrid simultaneous DDoS and deception attacks. The DDoS attacks are considered to cause delays in transmitting signals from sensors to controller (forward path) and/or from controller to actuators (backward path) with certain ranges, $[\tau_f^{\min}, \tau_f^{\max}]$ and $[\tau_b^{\min}, \tau_b^{\max}]$, respectively. The deception attacks could affect the forward and/or backward paths in the CPPS with a signal bounded by $\delta_2$. Moreover, it is remarked that the implementation of Theorem 14 requires calling random generators to pick up numbers corresponding to the scalars $\hat{\rho}_j$, $j = 1, \cdots, 16$, to compute the state and error trajectories [41]. This feature is not shared by other methods in the literature for secure control of CPPS.

Theorem 15. Given positive scalars δ1 , δ2 , δ3 , delay bounds τfmax , τfmin , τbmax , τbmin τ max , τ min , and ρˆj , j = 1, .., 16, matrices X , Y1 , Y2 , j > 0, j = 1, .., 16, and positive scalars ς1 and ς2 . System (4.9) is δ1 , δ2 , δ3 -secure if an observer-based controller exists in the form of (4.4) and (4.5) with gains of K and L satisfying the following LMI: 

≤0 θ 2 q20 λmin (P )(q0 −1)

≤ δ32 ,

(4.16)


where = ⎡ ρˆj Xˆ ⎢ • ⎢ ⎢ • ⎢ ⎢ ⎢ • ⎢ ⎢ • ⎢ ⎣ •

0 −ρˆj Qj • • • •

0 0 −ρˆj Qj

0 0 0

• • •

φ2 • •

0 0 0 0 −ρˆj Sj •



0 0 0 0 0

ˆj 

−ς1 I



⎥ ⎥ ⎥ ⎥ ⎥ ⎥, ⎥ ⎥ ⎥ ⎦

−ρˆj Xˆ

(4.17) with = X

X 0

0 X

(4.18)

,

T ˆ 1j BjT CjT DjT EjT FjT ,  ⎧

⎪ X AT −Y T B T + Z T ⎪ ⎪ ⎪ , ⎪ ⎪ ⎪ X AT + Y T B T − Z T ⎪ 0 ⎪ ⎪ ⎪ ⎪ j = 1, 2, 3, 5, 6, 7, 9, 10, 11 ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪

⎪ ⎪ T T T ⎪ ⎪ ZT ⎪ XA + Y B ⎪ , j = 4, 8, 12 ⎪ ⎨ −Y T B T X AT − Z T ˆ 1j = ⎪ ⎪ ⎪

⎪ ⎪ ⎪ ⎪ X AT −Y T B T ⎪ ⎪ , j = 13, 14, 15 ⎪ ⎪ ⎪ 0 X AT + Y T B T − Z T ⎪ ⎪ ⎪ ⎪ ⎪ ⎪ ⎪

⎪ ⎪ ⎪ ⎪ X AT + Y T B T 0 ⎪ ⎪ , j = 16 . ⎪ ⎩ −Y T B T X AT − Z T ˆj= 



(4.19)

Moreover, the observer-based controller parameters are K = YX −1 and L = ZX −1 C † . Proof. Let us define:  j = Aj

Bj

Cj

Dj

Ej

Fj

T .


Now, inequality (4.15) can be represented as j + j P Tj < 0 , j = j = diag{−P + φ1 , −ρˆj Qj , −ρˆj Qj , φ2 , −ρˆj Qj } .

(4.20) (4.21)

Selecting Xˆ = P −1 and applying Schur complements, matrix j in (4.20) is formulated as ⎡ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎢ ⎣

−ρˆj Xˆ • • • • •

0 −ρˆj Qj • • • •

0 0 −ρˆj Qj

0 0 0

• • •

φ2 • • •

0 0 0 0 −ρˆj Sj •

0 0 0 0 0 −ς1 I



j

⎥ ⎥ ⎥ ⎥ ⎥ ⎥ 1 is defined, and from (4.42) and (4.43) we obtain E[qk+1 V (k + 1)] − E[qk V (k)] = qk+1 E[V (k)] + qk+1 E[V (k)] − sk E[V (k)]     ≤ qk+1 − λmin (−)E ||ξ(k)||2 + θ 2

(4.43)


+qk (q − 1)E[V (k)]   ≤ h(q)qk E ||ξ(k)||2 + qk+1 θ 2 ,


(4.44)

where h(q) = −λmin (−)q + (q − 1)λmax (P ). For any integer s, the summation of both sides of (4.44) from 0 to s − 1 with respect to k gives E[qT V (s)] − E[V (0)] ≤ h(q)

s−1 





qk E ||ξ(k)||2 +

k=0

q(1 − qs ) 2 θ . 1−q

(4.45)

Since h(1) = −λmin (−) < 0 and limq→∞ = +∞, there exists a scalar q0 > 1 such that h(q0 ) = 0. Then, a scalar q0 > 1 could be found such that, E[qs0 V (s)] − E[V (0)] ≤

q0 (1 − qs0 ) 2 θ . 1 − q0

(4.46)

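Note:

$$\mathbb{E}[q_0^T V(s)] \ge \lambda_{\min}(P)\, q_0^s\, \mathbb{E}\|\xi(s)\|^2 \ge \lambda_{\min}(P)\, q_0^s\, \mathbb{E}\|e(s)\|^2 . \tag{4.47}$$

So,

$$\mathbb{E}\|e(s)\|^2 \le \frac{(q_0^s - 1)\, \varphi^2}{q_0^{s-1} (q_0 - 1)\, \lambda_{\min}(P)} . \tag{4.48}$$

Considering (4.39), one can show that $\mathbb{E}\|e(s)\|^2 \le \delta_2^2$, and using Definition 15, it is implied that the system is $\delta_1, \delta_2, \delta_3$-secure, which concludes the proof.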

References

[1] M.S. Mahmoud, M.M. Hamdan, Improved control of cyber-physical systems subject to cyber and physical attacks, Cyber-Phys. Syst. (2019) 1–18.
[2] M.S. Mahmoud, M.M. Hamdan, U.A. Baroudi, Modeling and control of cyberphysical systems subject to cyber attacks: a survey of recent advances and challenges, Neurocomputing 338 (2019) 101–115.
[3] C. De Persis, P. Tesi, Resilient control under denial-of-service, IFAC Proc. Vol. 47 (3) (2014) 134–139.
[4] Y. Yuan, H. Yuan, L. Guo, H. Yang, S. Sun, Resilient control of networked control system under dos attacks: a unified game approach, IEEE Trans. Ind. Inform. 12 (5) (2016) 1786–1794.
[5] V. Dolk, P. Tesi, C. De Persis, W. Heemels, Event-triggered control systems under denial-of-service attacks, IEEE Trans. Control Netw. Syst. 4 (1) (2017) 93–105.
[6] C. Yang, W. Yang, H. Shi, Dos attack in centralised sensor network against state estimation, IET Control Theory Appl. 12 (9) (2018) 1244–1253.
[7] H. Ge, D. Yue, X. Xie, C. Dou, S. Wang, Security control of cyber–physical system based on switching approach for intermittent denial-of-service jamming attack, ISA Trans. (2019).
[8] M. Wang, Y. Liu, B. Xu, Observer-based H∞ control for cyber–physical systems encountering dos jamming attacks: an attack-tolerant approach, ISA Trans. (2020).
[9] S. Amin, X. Litrico, S. Sastry, A.M. Bayen, Cyber security of water SCADA systems part I: analysis and experimentation of stealthy deception attacks, IEEE Trans. Control Syst. Technol. 21 (5) (2013) 1963–1970.
[10] L. Ma, Z. Wang, Y. Yuan, Consensus control for nonlinear multi-agent systems subject to deception attacks, in: 2016 22nd International Conference on Automation and Computing, ICAC, IEEE, 2016, pp. 21–26.
[11] X. Huang, J. Dong, Adaptive optimization deception attack on remote state estimator of aero-engine, in: 2017 29th Chinese Control and Decision Conference, CCDC, IEEE, 2017, pp. 5849–5854.
[12] C.Z. Bai, F. Pasqualetti, V. Gupta, Data-injection attacks in stochastic control systems: detectability and performance tradeoffs, Automatica 82 (2017) 251–260.
[13] D. Ding, G. Wei, S. Zhang, Y. Liu, F.E. Alsaadi, On scheduling of deception attacks for discrete-time networked systems equipped with attack detectors, Neurocomputing 219 (2017) 99–106.
[14] H. Yuan, Y. Xia, Secure filtering for stochastic non-linear systems under multiple missing measurements and deception attacks, IET Control Theory Appl. 12 (4) (2017) 515–523.
[15] D. Ding, Z. Wang, G. Wei, F.E. Alsaadi, Event-based security control for discrete-time stochastic systems, IET Control Theory Appl. 10 (15) (2016) 1808–1815.
[16] Y. Yuan, P. Zhang, L. Guo, H. Yang, Towards quantifying the impact of randomly occurred attacks on a class of networked control systems, J. Franklin Inst. 354 (12) (2017) 4966–4988.
[17] J. Liu, M. Yang, X. Xie, C. Peng, H. Yan, Finite-time H∞ filtering for state-dependent uncertain systems with event-triggered mechanism and multiple attacks, IEEE Trans. Circuits Syst. I, Regul. Pap. 67 (3) (2019) 1021–1034.
[18] N. Hoque, H. Kashyap, D. Bhattacharyya, Real-time DDoS attack detection using FPGA, Comput. Commun. 110 (2017) 48–58.
[19] M. Semerci, A.T. Cemgil, B. Sankur, An intelligent cyber security system against DDoS attacks in SIP networks, Comput. Netw. 136 (2018) 137–154.
[20] Y. Ali, Y. Xia, L. Ma, A. Hammad, Secure design for cloud control system against distributed denial of service attack, Control Theory Technol. 16 (1) (2018) 14–24.
[21] P. Srikantha, D. Kundur, Denial of service attacks and mitigation for stability in cyber-enabled power grid, in: 2015 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference, ISGT, IEEE, 2015, pp. 1–5.
[22] H. Beitollahi, G. Deconinck, A dependable architecture to mitigate distributed denial of service attacks on network-based control systems, Int. J. Crit. Infrastruct. Prot. 4 (3–4) (2011) 107–123.
[23] S. Amin, A.A. Cárdenas, S.S. Sastry, Safe and secure networked control systems under denial-of-service attacks, in: International Workshop on Hybrid Systems: Computation and Control, Springer, 2009, pp. 31–45.
[24] A. Teixeira, D. Pérez, H. Sandberg, K.H. Johansson, Attack models and scenarios for networked control systems, in: Proceedings of the 1st International Conference on High Confidence Networked Systems, 2012, pp. 55–64.
[25] W. Zhang, M.S. Branicky, S.M. Phillips, Stability of networked control systems, IEEE Control Syst. Mag. 21 (1) (2001) 84–99.
[26] L. Schenato, B. Sinopoli, M. Franceschetti, K. Poolla, S.S. Sastry, Foundations of control and estimation over lossy networks, Proc. IEEE 95 (1) (2007) 163–187.
[27] L. Schenato, To zero or to hold control inputs with lossy links?, IEEE Trans. Autom. Control 54 (5) (2009) 1093–1099.
[28] M.S. Mahmoud, Y. Xia, Chapter 2 - networked control systems' fundamentals, in: M.S. Mahmoud, Y. Xia (Eds.), Networked Control Systems, Butterworth-Heinemann, 2019, pp. 37–89.
[29] X. Li, Z. Sun, Y. Tang, H. Karimi, Adaptive event-triggered consensus of multi-agent systems on directed graphs, IEEE Trans. Autom. Control (2020).
[30] X. Li, Y. Tang, H.R. Karimi, Consensus of multi-agent systems via fully distributed event-triggered control, Automatica 116 (2020) 108898.
[31] Y. Tang, D. Zhang, P. Shi, W. Zhang, F. Qian, Event-based formation control for multi-agent systems under dos attacks, IEEE Trans. Autom. Control (2020).
[32] S. Hu, D. Yue, Q.-L. Han, X. Xie, X. Chen, C. Dou, Observer-based event-triggered control for networked linear systems subject to denial-of-service attacks, IEEE Trans. Cybern. 50 (5) (2019) 1952–1964.
[33] J. Liu, E. Tian, X. Xie, H. Lin, Distributed event-triggered control for networked control systems with stochastic cyber-attacks, J. Franklin Inst. 356 (17) (2019) 10260–10276.
[34] T. Li, X. Tang, H. Zhang, S. Fei, Improved event-triggered control for networked control systems under stochastic cyber-attacks, Neurocomputing 350 (2019) 33–43.
[35] M.S. Mahmoud, M. Sabih, M. Elshafei, Event-triggered output feedback control for distributed networked systems, ISA Trans. 60 (2016) 294–302.
[36] A. Teixeira, Toward cyber-secure and resilient networked control systems, Ph.D. dissertation, KTH Royal Institute of Technology, 2014.
[37] A. Cetinkaya, H. Ishii, T. Hayakawa, An overview on denial-of-service attacks in control systems: attack models and security analyses, Entropy 21 (2) (2019) 210.
[38] A.M. Mohan, N. Meskin, H. Mehrjerdi, A comprehensive review of the cyber-attacks and cyber-security on load frequency control of power systems, Energies 13 (15) (2020) 3860.
[39] M.S. Mahmoud, Y. Xia, Robust stability and stabilization of a class of nonlinear switched discrete-time systems with time-varying delays, J. Optim. Theory Appl. 143 (2) (2009) 329–355.
[40] M.S. Mahmoud, M.M. Hamdan, U.A. Baroudi, Secure control of cyber physical systems subject to stochastic distributed dos and deception attacks, Int. J. Syst. Sci. (2020) 1–16.
[41] M. Mahmoud, S. Selim, P. Shi, M. Baig, New results on networked control systems with non-stationary packet dropouts, IET Control Theory Appl. 6 (15) (2012) 2442–2452.
[42] H.M. Soliman, M. Soliman, Design of observer-based robust power system stabilizers, Int. J. Electr. Comput. Eng. (2088-8708) 6 (5) (2016).

This page intentionally left blank

CHAPTER 5

Wide-area monitoring and estimation systems

Contents
5.1. Introduction
5.2. WAMS applications and state estimation
    5.2.1 Three possible states
    5.2.2 Basic paradigms of state estimation
    5.2.3 State representation of a power grid
    5.2.4 Properties of probability vector
    5.2.5 Observation model
    5.2.6 Correlation of noise
    5.2.7 Function of frequency oscillation state
    5.2.8 Attack vector
5.3. Median regression function-based approach
    5.3.1 Initial regression analysis using the mapping function
    5.3.2 Additional geometric properties
    5.3.3 Frequency oscillation state estimation
    5.3.4 Interacting multiple model (IMM)-based fusion
    5.3.5 Residual generation using error matrix
    5.3.6 Residual evaluation using cross-spectral density function
5.4. Implementation and evaluation results
    5.4.1 System disturbances
    5.4.2 Deliberate data-injection scenarios
    5.4.3 Aim of a hacker
    5.4.4 Performance evaluation using regression methods
    5.4.5 Estimation comparison with track fusion
    5.4.6 MSE-based estimation comparison
5.5. Notes
References

Cyberphysical Infrastructures in Power Systems. https://doi.org/10.1016/B978-0-32-385261-6.00015-4
Copyright © 2022 Elsevier Inc. All rights reserved.

5.1 Introduction

Power grids represent a complex interconnected network of generating stations, electrical substations, high-voltage distribution lines, and loads. This is due to 1) the increase in power demand and 2) the interface to renewable energy integration, which requires the grid to expand in size. This eventually enlarges the distribution and the network, which further increases the dimensionality of information. As the dimensionality increases, the number of model parameters increases, which requires more manpower to monitor the power flow. Because of this complexity of information and structure, modern power grids have deployed phasor measurement units (PMUs) and wide-area monitoring systems (WAMS) to better manage these resources and to improve the observability of the power system [1–4]. Through their applications, WAMSs manage the high interconnectivity, the measurement of physical quantities on the grid, and their interdependency using the data acquisition technology of PMUs [5–13]. Optimal placement of PMUs can provide additional visibility and monitoring, extracting information about frequency quantities such as phase angles and magnitudes. This information is synchronized every 100 ms with the global positioning system (GPS). The phasor data concentrator (PDC) acts as a central hub where all this information is gathered, so that the status of regional variations and instabilities can be monitored and detected. This is followed by adequate and timely action to enhance the regulation of power flow.

However, this whole modern network of timely monitoring, with its rigorous transfer of information and communication, depends on the internet. The internet protocol suite (TCP/IP), which communicates between networks and devices, is vulnerable to deliberate injections and actions in the form of cyber-attacks, which could call the power grid infrastructure and its security protocols into question [14–18]. Examples of such breaches are 1) the 2015 Ukrainian power grid attack [19], and 2) the cluster of attacks reported by ASEA Brown Boveri (ABB) [20,21], which exposed the sensitivity of WAMS and its applications to networking technology and the world wide web. The focus of this chapter is the cyber-security of the network-based digital infrastructure of WAMS applications.

5.2 WAMS applications and state estimation

Of the growing number of WAMS applications, “state estimation” is a mature and widely used function installed by the power transmission utilities [9–13]. An intriguing question arises here: why is state estimation needed? The operation of electric power systems uses the principal strategy of security control to prevent an impending emergency, to correct an existing emergency, or to recover from an emergency. All these transient situations require knowledge of the state of the system under steady-state conditions. The most practical way of obtaining this knowledge is through state estimation. It further allows the determination of the power flows in parts of the power system that are not directly metered. The bus voltage magnitude, real power injections, reactive power injections, active power flow, reactive power flow and line current flows are common measurements available in modern power grids. State estimation is a very useful support function for achieving economic and secure operation of transmission networks.

5.2.1 Three possible states

At the system level, modern power grids operate in one of three possible states [22]: 1) the normal state, 2) the abnormal state, and 3) the restorative state.

B.1 Normal State: In the normal state of a power system, all the system state variables operate within their operating limits. In the normal operating state, the system is defined to be secure. Moreover, all the constraints, such as node voltages, real and reactive power generation, and real and reactive power flows, are satisfied. The idea of a normal or secure state of the power system is to keep the system parameters within the operating range.

B.2 Abnormal State: In the event of a disturbance, such as a generator outage or line outage, the operating conditions change, and variables such as node voltages and powers (real and reactive) and real and reactive power flows violate the operating limits or constraints. When a power system operating in a normal state violates its operational range, the system is considered vulnerable to instabilities and prone to intrusion. When such contingencies take place, the power system will be unbalanced and unserved. Such a state is considered to be an abnormal state of the power system. The abnormal state is further classified into the following states: 1) alert state, 2) emergency state, 3) islanding state.

B.3 Restorative State: A power system can be brought from the emergency state to the normal state. The transient phase of such a power system is called the ‘restorative state’, in which control procedures and actions are employed to reinstate the system to its original normal state while being balanced and operating with no system violations.

5.2.2 Basic paradigms of state estimation

Apart from the system-level classification, state estimation is further divided into two basic paradigms: 1) static state estimation (SSE), and 2) dynamic state estimation (DSE) methods [23].

Static state estimation: The chief types of static state estimation are conventional state estimation, distributed or multi-area state estimation, and sequential state estimation [23,24]. All these methods have to cope with the fast digital dynamics of PMUs so as to capture the smallest variations happening in the whole network, which could be due to the rise of generation and load demands. However, accurate execution of state estimation in such situations becomes challenging when the full stretch of dynamics has to be captured. A static state estimation algorithm based on linear programming, known as least absolute value, was also developed in [25,26]. Generally, under normal operating conditions, the power system is regarded as a quasi-static system that changes steadily but slowly [27]. Therefore, in order to continuously monitor the power system, state estimators must be executed at short intervals of time. But with the inherent expansion of power systems, with the increase of generation and loads, the system becomes too large for the state estimation to be executed at short intervals of time, since it requires heavy computation resources. Therefore, a technique known as tracking state estimation [28,29] was developed. Once state estimates have been calculated, the method simply updates them for the next instant of time using a new measurement set obtained for that instant, instead of running the entire static state estimation algorithm again. Tracking estimators help energy management systems to keep track of the continuously changing power system without actually having to execute the entire state estimation algorithm. This allows continuous monitoring with reasonable utilization of computing resources. Another type of static state estimation in utilities, and one of the most commonly used, is the weighted least squares method [30]. It was formulated as an optimization problem that minimizes the squares of the differences between the measured and estimated values, and was calculated using the corresponding power flow equations. The weighted least squares method uses the Newton-Raphson algorithm to obtain the state estimates. There have been numerous findings on different variations of weighted least squares to further improve specific aspects of the algorithm. The fast decoupled state estimator [31,32] is an example in which voltage magnitudes and phase angles are processed separately. The voltage magnitude values are related to the reactive power measurements, while the angles are related to the active power measurements. In [33], the authors proposed a regularized least squares scheme for power systems, a member of the weighted least squares family, that was able to function in cases of partial observability.

Dynamic state estimation: The DSE methods have been dominated by recursive techniques built on a priori knowledge. The most widely used are based on a Kalman filter (KF) framework. This also involves the variant techniques of the KF, such as 1) the unscented KF (UKF), 2) the robust H-infinity UKF, 3) the ensemble KF (EnKF), and 4) the particle filter (PF) [10–13]. Other non-recursive estimators can also be adopted for the state and parameter estimation, such as the infinite impulse response filter, the finite impulse response filter, etc. [34]. From the perspective of cyber-attacks, cases of KF have also been discussed in situations with bad-data injection attacks [35–40]. However, with the expansion of modern power grids with renewable energy integration, and hackers' awareness of it, the adversary can model the attack vector as well as make a sensible choice of the site of the attack. This can lead to more devastating impacts, affecting safety and the consumer economy. To the best of the author’s knowledge, such a situation has not been investigated in power systems dynamic state estimation, where these variations and deviations could be modeled as an exogenous variable to enhance the resilience of a power grid. A failure to notice these variations by system-level identification could amplify the surged instabilities of a modern power grid.

The main contribution and novelty of this chapter is to propose a new method to enhance the resilience of the WAMS applications with renewable energy integration in the presence of data-injection attacks. This is achieved by proposing a signal processing-based solution involving a dynamic state estimation approach. A novel median regression function-based dynamic state estimation method is derived for estimating the contaminated frequency oscillations. The aim is to maintain the accuracy of state estimation while detecting the deliberately injected variations.

To accurately estimate such dynamic states, it is assumed that the hacker can access the whole network of PMUs, which are deployed as an integral unit of WAMS operation. The mapping function-based initial regression analysis also helps to depict the margins of state estimation in the presence of injections. This makes it possible to propose a post-contingency step towards dynamic vulnerability assessments (DVA). These assessments are interfaced to coordinate corrective control actions.

Notations

In what follows, a structured notation scheme is defined. $\mathbb{E}_{\mu_{1/2}}$ is the median-based expectation operator. A tilde over a variable denotes the estimate error, e.g. $\tilde{P}$ is the estimate error of $P$. A hat over a variable represents an estimate of the variable, e.g. $\hat{P}$ is an estimate of $P$. The individual entries of a variable like $P$ are denoted by $(\cdot)$ after the variable, e.g. $P(\cdot)$. When any of these variables becomes a function of time, the time index $t$ appears as a subscript, e.g. $P_t$. The notation $P_0^T$ is used to represent the sequence (e.g. $P_0, P_1, \ldots, P_T$).

The problem formulation of a power grid under attack is derived in this section. It is assumed that an attacker could have access to the digital information of the sensor-nodes of the power grid. An overview of the formulation can be seen in Fig. 5.1.

5.2.3 State representation of a power grid

A state representation of the power grid $P_t$ can be described as

$$P_{t+1}^{X} = f(P_{\varepsilon,t}^{X}) + G_t^{X} w_t^{X}, \tag{5.1}$$

where $P_0^X \in \mathbb{R}^{n\times 1}$ represents an initial condition of the frequency-oscillation state transition model at time-instant $t$, such that $t = 1, 2, \ldots, T$ with $X = [P_t^U, P_t^V, \ldots, P_t^Z]$ for a number $Z$ of PMU nodes in the plant. The superscript $n$ represents the state-vector size in the subspace $\mathbb{R}$. The subscript $\varepsilon$ represents the exogenous variable. $G_t^X \in \mathbb{R}^{r\times r}$ is the noise transition matrix. This can be defined as a probability vector $p(G_{k,t})$ such that $\sum_{k=1}^{n} p(G_{k,t}) = 1$.

5.2.4 Properties of probability vector

In this probability vector, each individual component shall have the following properties:

Property 1: It is a nonnegative real number;
Property 2: It must have a probability between 0 and 1, such that $0 \le |p(G_{k,t})| \le 1$;
Property 3: The sum of all the numbers is equal to 1.

Also, $w_t^X \in \mathbb{R}^{r}$ is the random process noise. Once the state representation is made, the observation model is stated.

Figure 5.1 Formulation framework of the proposed scheme.

5.2.5 Observation model

Let the observation model for the oscillation state described in (5.1) at time-instant $t$ be represented as

$$Y_t^U = H_t^U P_t^X + d(a_t) P_t^X + v_t^U, \tag{5.2}$$

where $Y_t^U \in \mathbb{R}^{m\times 1}$ is the observation output of the frequency oscillation state, and $m$ is the number of simultaneous observations made by $U$ PMUs at time-instant $t$. $H_t^U \in \mathbb{R}^{m\times r}$ and $v_t^X \in \mathbb{R}^{m}$ are the observation matrix and the observation noise respectively. $d(a_t) \in \mathbb{R}^{\bar{o}\times 1}$ is the attack vector function. Here the superscript $\bar{o}$ belongs to the set $A \subseteq \{1, 2, \ldots, \bar{o}\}$. Once the observation model is formulated, the correlation between process noise and observation model is defined.

5.2.6 Correlation of noise

The noises $w_t$ and $\nu_t$ are all initially uncorrelated zero-median white Gaussian such that

$$\mathbb{E}_{\mu_{1/2}}[w_t] = \mathbb{E}_{\mu_{1/2}}[\nu_t] = 0, \quad \forall\, t. \tag{5.3}$$

Also,

$$\mathbb{E}_{\mu_{1/2}}[w_p \nu_q] = 0. \tag{5.4}$$

Here (5.4) is defined for two instants $p$ and $q$. Also,

$$\mathbb{E}_{\mu_{1/2}}[w_p w_q] = R_t \delta_{pq}, \tag{5.5}$$

where the noise processes are considered to be serially uncorrelated, zero-mean, constant, and finite variance processes. Note that the variable $R_t$ denotes the covariance matrix, and $\delta_{pq}$ is a Kronecker delta function used for shifting the integer variable after the presence or absence of noise. Similarly,

$$\mathbb{E}_{\mu_{1/2}}[\nu_p \nu_q] = Q_t \delta_{pq}, \tag{5.6}$$

with $Q_t$ being the process noise correlation factor. Once the correlation of the noises is defined, the function of the oscillation state is modeled.

5.2.7 Function of frequency oscillation state

The function of the frequency oscillation state is represented in the oscillation state model. It is represented as an exogenous regressor variable, such that $f(P_{\varepsilon,t}^X) \in \mathbb{R}^{r}$. Here $f(P_{\varepsilon,t}^X)$ represents a nonlinear mapping function, such that $\mathbb{E}_{\mu_{1/2}}[f(P_{\varepsilon,t}^X) \mid P_{t+1}^X] = 0$. Let $f(P, Y, \varepsilon) = g(P, \varepsilon) - h(P, Y)$. Here $g(\cdot)$ and $h(\cdot)$ are the nonlinear vector functions. The exogenous property satisfies

$$f(P_{\varepsilon,t}^X) = \arg\max_{P_{\varepsilon,t}^X \in \{0,1\}} \mathbb{E}_{\mu_{1/2}}[f(P, Y, \varepsilon) \mid H, Y] \tag{5.7}$$

$$= \arg\max_{P_{\varepsilon,t}^X \in \{0,1\}} \mathbb{E}_{\mu_{1/2}}[g(P, \varepsilon) \mid H, Y] - h(P, Y) \tag{5.8}$$

$$= \begin{cases} 1 & \text{if } \mathbb{E}_{\mu_{1/2}}[g(P, \varepsilon) \mid H, Y] - h(1, Y) \ge \mathbb{E}_{\mu_{1/2}}[g(0, \varepsilon) \mid H, Y] - h(0, Y), \\ 0 & \text{otherwise.} \end{cases} \tag{5.9}$$

Once the exogenous function of the oscillation state is modeled on extracted measurements, the attack vector is defined.

5.2.8 Attack vector

An attack vector is defined by the hacker as a pathway to access or penetrate the target system. The function of an attack vector is represented in the observation model (5.2) as $d(a_t) \in \mathbb{R}^{\bar{o}\times 1}$. The superscript $\bar{o}$ belongs to the set $A \subseteq \{1, 2, \ldots, \bar{o}\}$. It contains the PMU sensor-nodes installed in the plant that is under attack. This shows the attack vector for any $U$-th and $V$-th sensor-node as

$$d(a_t^{UV}) = 0, \tag{5.10}$$

where $U \in A^C$ and $V \ge 0$. Here the superscript $C$ denotes the set size of $A$, such that

$$A^C = S \; A. \tag{5.11}$$

$\sup(a_t^V) \subseteq A$ for all $V \ge 0$. Here the function $d(a_t)$ itself represents the stochastic nonlinearity such that $\mathbb{E}[d(a_t) \mid P_t^X] = 0$, also $\mathbb{E}[d(a_t^X)\, d^{\top}(a_t^U)] = 0$, $U = V$. Here ‘$\top$’ represents the transpose operator.

Once the attack vector is modeled on the extracted measurements, the proposed scheme is formulated.
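As an added illustration (not code from the book), the sketch below shows why the least absolute value estimator of Section 5.2.2, a median-type regression, tolerates an injected measurement that weighted least squares smears across every residual. It uses a static linear snapshot of the observation model (5.2) with an additive offset on one PMU channel; the matrix `H`, the state, the noise values, the injected offset and the threshold `ETA_TH` are constructed assumptions.

```python
# Added example: static snapshot y = H x + v + d, with d non-zero on one channel.
# Every numeric value below is constructed for illustration.
H = [[1, 0], [0, 1], [1, 1], [1, -1], [1, 0], [0, 1]]   # assumed observation matrix
X_TRUE = [1.02, -0.15]                                   # assumed true state
NOISE = [0.002, -0.001, 0.0, 0.001, -0.002, 0.001]       # constructed sensor noise
ATTACKED, OFFSET = 2, 0.5                                # injected channel and offset
ETA_TH = 0.05                                            # assumed residual threshold


def solve(a, b):
    """Solve the small dense system a x = b (Gaussian elimination, partial pivoting)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def weighted_ls(h, y, w):
    """Minimise sum_i w_i (y_i - h_i x)^2 through the normal equations."""
    n, rows = len(h[0]), range(len(h))
    a = [[sum(w[i] * h[i][r] * h[i][c] for i in rows) for c in range(n)] for r in range(n)]
    b = [sum(w[i] * h[i][r] * y[i] for i in rows) for r in range(n)]
    return solve(a, b)


def residuals(h, y, x):
    return [yi - sum(hj * xj for hj, xj in zip(row, x)) for row, yi in zip(h, y)]


def lav(h, y, iters=50, eps=1e-6):
    """Least absolute value estimate by iteratively reweighted least squares."""
    x = weighted_ls(h, y, [1.0] * len(y))
    for _ in range(iters):
        # A large residual gets a small weight, so an injected channel loses influence.
        w = [1.0 / max(abs(r), eps) for r in residuals(h, y, x)]
        x = weighted_ls(h, y, w)
    return x


def flag(h, y, x, eta_th=ETA_TH):
    """Indices of channels whose residual magnitude exceeds the threshold."""
    return [i for i, r in enumerate(residuals(h, y, x)) if abs(r) > eta_th]


def measurements():
    y = [sum(hj * xj for hj, xj in zip(row, X_TRUE)) + n for row, n in zip(H, NOISE)]
    y[ATTACKED] += OFFSET
    return y


def compare():
    y = measurements()
    x_wls = weighted_ls(H, y, [1.0] * len(y))
    x_lav = lav(H, y)
    return {"wls": (x_wls, flag(H, y, x_wls)), "lav": (x_lav, flag(H, y, x_lav))}


if __name__ == "__main__":
    for name, (x, flagged) in compare().items():
        print(name, [round(v, 3) for v in x], "flagged channels:", flagged)
```

With these constructed values the least squares residuals exceed the threshold on five of the six channels, so the compromised channel cannot be singled out, while the least absolute value residuals isolate it.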

5.3 Median regression function-based approach

The proposed scheme is built on the problem formulation. An overview of the framework can be seen in Fig. 5.1. The initial regression analysis is expressed below in (5.12). Afterwards, the additional geometric properties of the median regression function-based approach are given in (5.13)–(5.17). The inference-based frequency oscillation state estimation is derived in (5.18)–(5.21). The generation of the residual and the threshold-based evaluation of the residual are determined at (5.22), (5.23) and (5.24), respectively.

Figure 5.2 Median gradient-based convergence diagram.

5.3.1 Initial regression analysis using the mapping function

The initial regression analysis towards the data-injection attacks can be achieved by demonstrating a mapping function. This mapping function is defined here for predicting the initial observation. It can be expressed as

$$\begin{aligned} M(P_{\varepsilon,t}) = {} & C \sum_{k=1}^{M} (\xi_k^{+} + \xi_k^{-}) + \frac{1}{2}\|w\|^2 - \sum_{k=1}^{M} (\mu_k^{+}\xi_k^{+} + \mu_k^{-}\xi_k^{-}) \\ & - \sum_{k=1}^{M} \alpha_k^{+}(\zeta + \xi_k^{+} + y_k - T_k) - \sum_{k=1}^{M} \alpha_k^{-}(\zeta + \xi_k^{+} - y_k + T_k), \end{aligned} \tag{5.12}$$

where $C$ is the variable controlling the trade-off between the variables defined for mapping and the size of the margin, $\xi_k^{+}$ and $\xi_k^{-}$ are positive and negative mapping variables, $w$ is normal to the mapping, $\mu \ge 0$, $\zeta$ is the distance from the actual value, $T$ is the actual value, and $\alpha$ is the mapping variable. Once the initial regression analysis using the mapping function is made, the additional properties of the median regression function-based approach are defined.

5.3.2 Additional geometric properties

The median regression function-based approach is built on updating the probability for a hypothesis given the available information, see Fig. 5.2. This requires some additional properties to derive the median-based expectation operator. These properties can be built on [41]. Some additional properties are defined as follows.

Property 1: Let $A$ and $B$ be two random variables. The variables have a Gaussian distribution. If $A, B \in \mathbb{R}^{n}$, then $\lim_{A\to B} \mathbb{E}_{\mu_{1/2}}[|A - B|^2] = 0$.

$$\begin{aligned} p(A, B \le \mu_{1/2}) &= p(A, B \ge \mu_{1/2}) \\ &= \mathbb{E}_{\mu_{1/2}}\left[(A)^2 + (B)^2 - 2(A)(B)\right] \\ &= \left(\int_{-\infty}^{\mu_{1/2}} a f(a)\,da\right)^{2} + \left(\int_{-\infty}^{\mu_{1/2}} b f(b)\,db\right)^{2}, \end{aligned} \tag{5.13}$$

where $f(a)$ is the probability mass function of $A$. It further simplifies as

$$\begin{aligned} p(A, B \le \mu_{1/2}) &= -2 \int_{-\infty}^{\mu_{1/2}} a f(a)\,da \int_{-\infty}^{\mu_{1/2}} b f(b)\,db \\ &= \left(\frac{1}{2}\right)^{2} + \left(\frac{1}{2}\right)^{2} - 2\left(\frac{1}{2}\right)\left(\frac{1}{2}\right) = 0. \end{aligned} \tag{5.14}$$

Note for $A, B$, that the whole process is called a median-square continuous such that for all $A, B \in \mathbb{R}^{n}$.

Property 2: A Gaussian process-based function $f$ is said to be median-based differentiable on $\mathbb{R}^{r}$. This is possible if every sequence $\{A_n\}$ for $i = 1, \ldots, n$ converges, $A_n - A \to 0$. Considering the gradient property in [41] and as shown in Fig. 5.2, let $P_1, P_2, P_3, \ldots, P_n \in H$. Also $\Upsilon \in H$, and $r$ is the radius with $\mu_{1/2} - \Upsilon > r$ and $\gamma > 0$. A derivative is considered to be derived in the direction of $\Upsilon - \mu_{1/2}$ for $\dot{f}(A_n)$, such that

$$\partial f(\mu_{1/2,n}, \Upsilon - \mu_{1/2,n}) = \lim_{t\to 0} \frac{f(\mu_{1/2,n} + t(\Upsilon - \mu_{1/2,n})) - f(\mu_{1/2,n})}{t}. \tag{5.15}$$

Similarly, the derivative in the direction of $\Upsilon - \mu_{1/2}$ for $\dot{f}(X)$ gives

$$\partial f(\mu_{1/2}, \Upsilon - \mu_{1/2}) = \lim_{t\to 0} \frac{f(\mu_{1/2} + t(\Upsilon - \mu_{1/2})) - f(\mu_{1/2})}{t}. \tag{5.16}$$

Since $\mu_{1/2}$ minimizes the function $f$, this indicates that

$$\partial f(\mu_{1/2,n}, \Upsilon - \mu_{1/2,n}),\ \partial f(\mu_{1/2}, \Upsilon - \mu_{1/2}) \ge 0. \tag{5.17}$$

Based on (5.15)–(5.17), $\mathbb{E}_{\mu_{1/2}}[\,|\dot{f}_i(A_n) - \dot{f}_i(A)|^{2}\,] = 0$ holds. Note the additional properties remain the same for symmetric error distributions as well.

Once the additional geometric properties are defined, the variations are further derived. This is a challenging task because of the following: 1) deriving a median regression function-based property, and its structural transformation from a conventionally utilized tool for data analysis, forecasting and computer vision to an inference system where updates are generated using the probability for a hypothesis on the available information, 2) derivation of the regression structure by considering the median-based expectation over the classic weighted average-based expectation.

5.3.3 Frequency oscillation state estimation

The frequency oscillation-state estimation is made by using the inference system, which is calculated and built by the log-likelihood function. This is to get an estimate of the latent variations of the oscillation state as

$$\begin{aligned} L(\ ) &= \log p\left(P_t^X, f(P_{\varepsilon,t}^X)\right) \\ &= \mathbb{E}_{\mu_{1/2},H_t \mid P_{0,t},Y_t} \log p\left(P_t^X, f(P_{\varepsilon,t}^X)\right) + \mathbb{E}_{\mu_{1/2}} \log p\left(f(P_{\varepsilon,t}^X) \mid P_t^X\right), \end{aligned} \tag{5.18}$$

where the argument of $L$ is the vector of all involved parameters. The computation of the derivatives of $L$ with respect to each of the parameters is stated as

$$\begin{aligned} \frac{\partial L(\ )}{\partial P_t^X, f(P_{\varepsilon,t}^X)} &= \arg\max_{P_t} \mathbb{E}_{\mu_{1/2},H_t \mid P_{0,t},Y_t} \log p(Y_t, H_t \mid P_t) \times p(P_t) + \arg\min_{P_t^{\mathrm{var}}} \left(P_{t-1}^{\mathrm{var}} - \mu_{1/2,t-1}\right) \\ &= \arg\max_{P_t} \mathbb{E}_{\mu_{1/2},H_t \mid P_{0,t}^{T},Y_t} \sum_{H_t \in} Y_t \log(b_t P_t^X) - \gamma J(P_t) + \arg\min_{P_t^{\mathrm{var}}} \left(P_{t-1}^{\mathrm{var}} - \mu_{1/2,t-1}\right) \\ &= \arg\min_{P_t} \sum_{H_t \in} \left(b_t P_t^X - \mathbb{E}_{\mu_{1/2},H_t \mid P_{0,t},Y_t} H_t \times \log(b_t P_t^X)\right) + \gamma J(P_t^X) + \arg\min_{P_t^{\mathrm{var}}} \left(P_{t-1}^{\mathrm{var}} - \mu_{1/2,t-1}\right), \end{aligned} \tag{5.19}$$

where $\mathbb{E}_{\mu_{1/2}}$ is the median-based expectation operator, denotes the possible realization of $P_t^X$. The realization of the observation matrix $H_t^X$ is denoted by $b_t P_t^X$. $J$ is a positive energy function, and $\gamma$ is a positive parameter. Considering the difference between (5.1) and (5.2) gives the covariance matrix such that $P_t^X - \hat{P}_{t|t-1}^X = P_{t|t-1}^X$. It is presented as

$$\begin{aligned} P_{t|t-1}^X = {} & f(P_{\varepsilon,t}^X) + G_t^X w_t^X - \arg\min_{P_t^X} \Bigl\{ \sum_{H_t^X \in} (b_t P_t^X) + \mathbb{E}_{\mu_{1/2},H_t \mid P_{0,t}^{T},Y_t} H_t \log(b_t P_t^X) - \gamma J(P_t^X) \Bigr\} \\ & - \arg\min_{P_t^{\mathrm{var}}} \left(P_{t-1}^{\mathrm{var}} - \mu_{1/2,t-1}\right). \end{aligned} \tag{5.20}$$

Further simplifying (5.20) gives

$$\begin{aligned} P_{t|t-1}^X = {} & -\arg\min_{P_t^X} \Bigl\{ \sum_{H_t^X \in} (b_t P_t^X) + \mathbb{E}_{\mu_{1/2},H_t \mid P_{0,t},Y_t} H_t \log(b_t P_t^X) - \gamma J(P_t^X) \Bigr\} \\ & - \arg\min_{P_t^{\mathrm{var}}} \left(P_{t-1}^{\mathrm{var}} - \mu_{1/2,t-1}\right) + G_t^X w_t^X. \end{aligned} \tag{5.21}$$

The state estimation and covariance matrix are now incorporated into an information fusion architecture using the interacting multiple model (IMM) algorithm. IMM is preferred over other fusion techniques, since it considers the state hypotheses of multiple models with changing and time-varying dynamics.

5.3.4 Interacting multiple model (IMM)-based fusion

The IMM-based fusion is processed by fusing the information of estimated parameters from each installed sensor-node. The extracted information from the $U$-th sensor-node $P_t^U$ is merged as

$$\hat{P}_{t|t}^{\mathrm{IMM}} = \sum_{\chi=U}^{Z} \mathrm{Pr}^{UV}(P_t^U)\, \hat{P}_{t|t}^{U}, \tag{5.22}$$

$$\mathrm{cov}_{t|t}^{\mathrm{IMM}} = \sum_{\chi=U}^{Z} \mathrm{Pr}^{UV}(P_t^U)\left(\mathrm{cov}_{t|t}^{U} + [\hat{P}_{t|t}^{U} - \hat{P}_{t|t}][\hat{P}_{t|t}^{U} - \hat{P}_{t|t}]^{\top}\right), \tag{5.23}$$

where the superscript IMM represents the processed variable after any IMM-based fusion is performed, and $\mathrm{Pr}^{UV}$ is the probability that the model will switch from sensor-node $P_t^U$ to $P_t^V$, given the probability of $P_t^U$ at time-instant $t$. The output of the IMM-fusion will determine the residual generation.

5.3.5 Residual generation using error matrix

The residual generation is made here using the error matrix. The error matrix $e_{\mathrm{res}}$ is usually calculated to detect any 1) unusual dynamic variations, 2) data-injections, 3) biased signatures, and 4) system-faults. For an oscillation state, these variations can be detected as

$$\begin{aligned} e_{\mathrm{res},Y,t}^{X} &= H_t^X e_{P,t+1}^{X} \\ &= H_t \left(F_t^X - \left[\mathbb{E}_{\mu_{1/2}} P_{t+1}^X (Y_t^X - v_t)^{\top}\right] R_{e,t}^{-1} H_t^X\right) \times (P_t^X - \hat{P}_t^X) + \left[\xi_t f(Y_t^X, P_t^X) - \xi_{f,t} f(Y_t^X, P_t^X)\right], \end{aligned} \tag{5.24}$$

where $F_t^{c1} \in \mathbb{R}^{r\times r}$ is the modal matrix of the exogenous function, and $R_{e,t}$ is the covariance of the observation noise. This covariance matrix has a zero-mean multivariate normal distribution $\mathcal{N}$ such that $R_{e,t}: v_t \sim \mathcal{N}(0, R_{e,t})$, and $f(Y_t^X, P_t^X) \in \mathbb{R}^{r}$ is a nonlinear vector function of $Y_t^X$ and $P^X$. Note $\xi_t, \xi_{f,t} \in \mathbb{R}$ are the fault-injection $f$-based change dependent parameters. Note that the generated residual is asymptotically convergent when the parameters show no change due to the fault injection. This is represented such that, for $\xi_t, \xi_{f,t}$, $\lim_{t\to\infty} e_{\mathrm{res},Y,t}^{X} = 0$. Here the difference between residual generation and the estimated state can be represented by a Lyapunov variable $V$. This is represented as

$$\begin{aligned} V &= \mathbb{E}_{\mu_{1/2}}\left[V(e_{P,t+1} \mid e_{P,t}, P_t^X - \hat{P}_t^X)\right] \\ &\le -e_{\mathrm{res},Y,t}^{X}\, \aleph_t\, e_{P,t}^{X} + 2\,\bigl(e_{\mathrm{res},Y,t}^{X}\, |R_{e,t}\, \xi_{f,t}|\, V e_{P,t}^{X}\bigr) \\ &\le -\rho \left(e_{\mathrm{res},Y,t}^{X}\right)^{2} - V(e_{\mathrm{res},Y,t}^{X}) \end{aligned}$$

ηth

no attack attack ,

(5.26)

where the cross-spectral density function can be stated as

$$f(S_t, S_{f,t}) = \frac{|S_t S_{f,t}|^{2}}{S_t^{2} S_{f,t}^{2}}.$$

Here $S_t$ and $S_{f,t}$ are the cross-spectral densities of the data-injection free and data-injected parameters respectively. $\eta_{th}$ is a computed threshold value. The value of the computed threshold is chosen and determined to ensure a low false alarm probability during the course of an accurate residual evaluation.

Figure 5.3 Model of revised New-England 39-bus system with large scale PV power plant.

5.4 Implementation and evaluation results

The validation of the proposed scheme is conducted on simulated synchrophasor measurements collected from the revised New England 39-bus, 10-machine system with a large-scale PV power plant, as shown in Fig. 5.3. Modeling details are based on [42,43]. Measurements are collected from generators G30, G35, G37, G38 and G39, loads 4, 15, and 29, and buses 16–18. Note that the 0.69-Hz mode will be considered as an inter-area oscillation. All loads are continuously subjected to random small-magnitude fluctuations of up to 10 MW/s. All simulations are performed using DIgSILENT PowerFactory Ver. 15.1 [44]. From the collected measurements, the monitoring schemes updated the averaged oscillatory parameters every 5 s. Figs. 5.4 and 5.5 show the dynamic response of the phasor voltage angles to the prescribed set of disturbances. In addition, Fig. 5.6 shows the dynamic response of the PV power plant. It is noticed that the output power at the point of common coupling (PCC) follows the variations of solar irradiance. Meanwhile, a constant DC voltage is maintained across the DC link due to proper control of the VSC.

Figure 5.4 Dynamic response of phase voltage angles to the prescribed disturbances (θ1 − θ21).

5.4.1 System disturbances

Furthermore, the system is excited by five large-signal disturbances over a period of 60 s as follows:

• First Disturbance: A three-phase-to-ground fault occurred at bus 24 at 5 s. It was cleared after 0.1 s.
• Second Disturbance: Uncertainty of PV power generation due to changes in solar radiation. A ramp down in solar irradiance from 1000 to 200 W/m² at 25 s. A ramp up in solar irradiance from 200 to 1100 W/m² at 50 s.
• Third Disturbance: The active and reactive power demands of the load connected at bus 21 are ramped up by 30% and 10%, respectively, over 10 s.
• Fourth Disturbance: The line connecting buses 16 and 17 is disconnected at 25 s. It was reconnected after 5 s.
• Fifth Disturbance: The active and reactive load demands at bus 4 increased by 20% and 10%, respectively. This occurred over a 5 s ramp.

Figure 5.5 Dynamic response of phase voltage angles to the prescribed disturbances (θ22 − θ42).

Figure 5.6 Dynamic response of phase voltage angles to the PV power plant.

5.4.2 Deliberate data-injection scenarios

To simulate deliberate attack scenarios, data-injections are carried out in the collected synchrophasor measurements. The neighboring nature shown in Fig. 5.3 helped to create a situation of regional attacks on measured data. The simulated injections of attack scenarios at buses 16–18 are as follows:

• First Injection: A high energy potency signal was injected at bus 16 from 30.6 to 35 s.
• Second Injection: A data-repetition attack of samples from bus 17 at 10.2–15 s was injected at the same bus from 30.2 to 35 s.
• Third Injection: A random noise attack at bus 17 from 50 to 55 s.
• Fourth Injection: A coordinated attack at buses 16 and 17 of random noise-like variations from 40 to 45 s respectively.
• Fifth Injection: Another coordinated attack at buses 16 and 18 of random noise-like variations from 40.2 to 45.3 s respectively.

5.4.3 Aim of a hacker

The aim of a hacker is to penetrate the system while remaining anonymous and unrecognized. Maintaining such a penetration for a maximum duration enables the hacker to access important information and manipulate some level of coordination, which could lead to system instability and transient behavior.

The first injection is a high-energy potency, noise-like heavy signal. This injection aims to possibly bring down a local network. The second injection is a data-repetition attack. This attack is introduced to mislead the operators about the stability of the grid while delaying the supplementary damping actions. The third injection is a random noise attack. This is a typical random attack with no correlation to any signal characteristics. The fourth and fifth injections are a set of coordinated attacks. These attacks represent a set of regional attacks attempting to generate a spreading failure leading to wide-area blackouts. The purpose of injecting a number of various signals as attacks in multiple locations is to assess the robustness of the proposed scheme.

5.4.4 Performance evaluation using regression methods

In this section, the proposed method is compared comprehensively with other regression methods [45–47]: 1) linear regressions, 2) standard Gaussian processes, 3) support vector machine (SVM), 4) neural networks (NNs), 5) regression trees, 6) boosted trees (BOT), and 7) bagged trees (BAT). The latter are regression methods, and they were not originally designed to estimate the frequency oscillations in WAMS operations in the presence of data-injection attacks.

Due to the nonavailability of more than one data cycle for the operation of the proposed RFA scheme, the data were split into two separate subsets for training and testing, respectively. The training data-set represents a window of 0–27 s, i.e., 45% of the total time-window of 60 s. The remaining 55%, i.e., 27–60 s, is reserved for testing. Note that the classifiers are trained only on the training data-set.

The performance of the proposed RFA scheme for estimation with no attack injections was evaluated. Figs. 5.7–5.9 show the training and testing results of such a case. The visually noticeable variation of the bus signals between the training data (0–27 s) and the testing data (27–60 s) suggests that the regression model captures well the relationship between the bus under investigation and the other signals of the grid. Bus 16 is geographically located far from the other two buses (buses 17 and 18) on the grid, and thus shows higher error values for training and testing. It is important to note that only a part of the measurements collected from the grid was available to be included in the modeling, i.e., five generators, three loads and three buses. Therefore, it is understandable that certain quantities can be predicted better than others depending on how many dependent measurements were used in the training. Sparse regression methods eliminate nonpertinent inputs as part of the learning. Therefore, using a full or a larger set of the voltage measurements collected from the system will certainly reduce the error for all bus estimations. The error profile of these estimations with no attack injections can be seen in Figs. 5.10–5.12.

Once the estimation performance is evaluated for an attack-free situation, it is followed by the evaluation of state estimation in the situation of injected attacks. The fault injections were made in buses 16–18 as shown in Figs. 5.13–5.15. In the first injection scenario, a large spike was introduced during the 30.6–35-s time-window of bus 16 (Fig. 5.16a). Due to the location of the injection, the corrupted bus-16 signal does not show a significant visually apparent change, which makes the detection of the attack a challenging task. However, the estimation error signal shows a significant increase during 30.6–35 s compared to the profile before and after the attack. This was well detected by the coherence spectra-based residual evaluation method while avoiding false alarms, as shown in Fig. 5.16b.

Figure 5.7 (a)–(b) Estimation performance of bus 16 with no data-injection attacks.

Figure 5.8 (a)–(b) Estimation performance of bus 17 with no data-injection attacks.

Figure 5.9 (a)–(b) Estimation performance of bus 18 with no data-injection attacks.

In the second injection scenario, a data-repetition attack was injected at bus 17, replicating the measurements of the 10.2–15 s time-window in the 30.2–35 s window (Fig. 5.17a). Although the chosen repeated window (10.2–15 s in bus 17) has a local variation similar to that of the attacked window (32.2–35 s in bus 17) in the original signal, the estimation error signal shows a significant variation during 30.6–35 s in the residual evaluation, which was well captured by the proposed residual evaluation method. This can be seen in Fig. 5.17b.

Figure 5.10 Error Profile of bus 16 with no injections.

Figure 5.11 Error Profile of bus 17 with no injections.

In the third injection scenario, a random noise attack was injected at bus 17 from 50 to 55 s as shown in Fig. 5.18a. This is a typical random attack with no correlation to any signal characteristics. Note that the original signal of bus 17 in the time-window 50–55 s also resembles a random attack signal. Therefore, injecting a similar random attack signal had a better chance to deceive the operator and pass undetected. However, the residual evaluation showed a significant dip during the attack period, which was well detected by the threshold (see Fig. 5.18a).

To mitigate regional attacks on measured data affecting more than one bus, two scenarios of coordinated attacks were injected in sets. The first set comprises a coordinated attack on buses 16 and 17 (40–45 s) (see Figs. 5.19a and 5.20a), and the second set comprises a simulated coordinated attack on buses 16 and 18 (40–45 s) (see Figs. 5.21a and 5.22a). These attacks mimic an attempt to create a spreading failure leading to wide-area blackouts. The random attacks were injected in regions where the original signals look random-like and the attack remains undetected. The estimation-error signals show a significant increase in variations during the attack period compared to the signals before and after the attack. Moreover, there were some variations in the nonattack zone too. This could be due to the coordinated nature of the attack. However, the proposed threshold-based detection scheme was able to detect the presence of these attacks adequately. This can be seen in Figs. 5.19b, 5.20b, 5.21b, and 5.22b.

Figure 5.12 Error Profile of bus 18 with no injections.

Figure 5.13 Fault injections in bus 16.

Figure 5.14 Fault injections in bus 17.

Figure 5.15 Fault injections in bus 18.

Figure 5.16 Estimation performance of testing data-set and residual evaluation for (a–b) bus 16 with its first injection.
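
The following sketch is an added example, not code from the chapter: it replays the second injection scenario (data repetition at one bus) on constructed signals, using the 0–27 s training / 27–60 s testing split and a threshold on the estimation residual. Ordinary least squares and a windowed-RMS threshold stand in for the chapter's RFA estimator and coherence-spectra residual evaluation; the signals, the 50 samples/s rate, the 0.5 s window and the margin of 3 are assumptions.

```python
import math
import random

FS = 50                    # samples per second (assumed reporting rate)
N = 60 * FS                # 60 s record
TRAIN_END = 27 * FS        # 0-27 s for training, 27-60 s for testing
WIN = FS // 2              # 0.5 s residual-evaluation window (assumption)
SRC, DST, LENGTH = 510, 1510, 240   # replay 10.2-15 s into 30.2-35 s


def synth_signals(seed=7):
    """Constructed data: two neighbour-bus signals and a correlated target bus."""
    rng = random.Random(seed)
    a, b, target = [], [], []
    for k in range(N):
        t = k / FS
        ak = math.sin(2 * math.pi * 0.31 * t) + 0.5 * math.sin(2 * math.pi * 0.83 * t + 0.7)
        bk = math.cos(2 * math.pi * 0.47 * t) + 0.4 * math.sin(2 * math.pi * 1.13 * t)
        a.append(ak)
        b.append(bk)
        target.append(0.05 + 0.6 * ak + 0.4 * bk + rng.gauss(0.0, 0.01))
    return a, b, target


def replay(signal, src, dst, length):
    """Data-repetition injection: overwrite a later window with earlier samples."""
    out = list(signal)
    out[dst:dst + length] = signal[src:src + length]
    return out


def fit_least_squares(rows, y):
    """Solve the normal equations (X^T X) w = X^T y by Gauss-Jordan elimination."""
    p = len(rows[0])
    m = [[sum(r[i] * r[j] for r in rows) for j in range(p)]
         + [sum(r[i] * yk for r, yk in zip(rows, y))] for i in range(p)]
    for c in range(p):
        piv = max(range(c, p), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(p):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * z for x, z in zip(m[r], m[c])]
    return [m[i][p] / m[i][i] for i in range(p)]


def window_rms(residual, start, stop):
    """(start time in s, RMS residual) for consecutive WIN-sample windows."""
    out = []
    for s in range(start, stop - WIN + 1, WIN):
        chunk = residual[s:s + WIN]
        out.append((s / FS, math.sqrt(sum(e * e for e in chunk) / WIN)))
    return out


def detect(a, b, measured, margin=3.0):
    """Fit on the training window, then flag test windows whose residual RMS
    exceeds margin times the largest RMS seen in any training window."""
    rows = [[1.0, ak, bk] for ak, bk in zip(a, b)]
    w = fit_least_squares(rows[:TRAIN_END], measured[:TRAIN_END])
    residual = [y - sum(wi * xi for wi, xi in zip(w, r)) for y, r in zip(measured, rows)]
    threshold = margin * max(v for _, v in window_rms(residual, 0, TRAIN_END))
    alarms = [t for t, v in window_rms(residual, TRAIN_END, N) if v > threshold]
    return w, threshold, alarms


def inside_training_range(measured, start, stop):
    """Per-signal plausibility check: do samples stay within the training range?"""
    lo, hi = min(measured[:TRAIN_END]), max(measured[:TRAIN_END])
    return all(lo <= x <= hi for x in measured[start:stop])


if __name__ == "__main__":
    a, b, clean = synth_signals()
    attacked = replay(clean, SRC, DST, LENGTH)
    w, thr, alarms = detect(a, b, attacked)
    print("weights:", [round(x, 3) for x in w], "threshold:", round(thr, 4))
    print("range check passes on replayed window:",
          inside_training_range(attacked, DST, DST + LENGTH))
    print("alarm windows start at (s):", alarms)
```

The replayed samples pass a range check on the bus's own signal because they are genuine earlier measurements; only the mismatch with what the neighbouring signals predict exposes them.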

5.4.5 Estimation comparison with track fusion

An estimation comparison was made with the track-fusion technique of [18]. The comparison was made using the mean-square error (MSE). The performance comparison can be seen in Fig. 5.23. The tracking performance without the presence of data-injections can be observed in the 0–30-s time-window. The only impact was the occurrence of disturbances during this time-window. Both methods were able to estimate the state oscillations decently. A variation and slight increase in MSE was observed during the time-window of 0–27 s. This is due to the occurrence of multiple disturbances during this time-window. In fact, during the 10–15-s time-window, the TFMP scheme lost track of the estimation. This may be due to the cross-covariance computation at each sensor node, which could not capture the fast dynamics. The MSE was high for both methods in this time-window.

This is followed by the performance under deliberate data-injection attacks in the 27–60-s time-window. The injection scenarios were a variation of a high energy potency signal, data-repetition and coordinated injections, which almost directly impacted the time-windows of 30–35 s, 40–45 s, and 50–55 s. The TFMP lost track of the oscillation estimation once again due to high nonlinear variations and its interaction with neighboring nodes to find the best fit. The proposed scheme kept track of all oscillations due to its regression property.

Figure 5.17 Estimation performance of testing data-set and residual evaluation for (a–b) bus 17 with its second injection.

Figure 5.18 Estimation performance of testing data-set and residual evaluation for (a–b) bus 17 with its third injection.

Figure 5.19 Estimation performance of testing data-set and residual evaluation for (a–b) bus 16 with its fourth injection.

5.4.6 MSE-based estimation comparison

An estimation comparison based on MSE was also made with the regression methods, as shown in Fig. 5.24. The LR method has the lowest performance as compared to the other methods. This was expected due to its linear and least complex model representation. The BAT method and the NN method also showed less precise and inconsistent performance. This was more visible with increased MSEs in the testing window. This is due to the random sampling nature of the bagging technique and the overfitting limitation of the NN method. The trees and SVM were comparatively better in their performances, with relatively less degradation in their test performances. In comparison with the proposed RFA technique, BOT and Gaussian processes (GPs) showed the most consistent performances with almost similar MSE for training and testing. However, there was a noticeable performance deterioration between their training and testing phases. On the other hand, the proposed RFA scheme was consistent and had a minimal dip in its accuracy across both windows.

Figure 5.20 Estimation performance of testing data-set and residual evaluation for (a–b) bus 17 with its fourth injection.

Figure 5.21 Estimation performance of testing data-set and residual evaluation for (a–b) bus 16 with its fifth injection.

Figure 5.22 Estimation performance of testing data-set and residual evaluation for (a– b) bus 17 with its fifth injection.

5.5 Notes

In this chapter, accurate state estimation of an infected power grid is achieved. The proposed scheme is validated on an IEEE 39-Bus New England test system with renewable energy integration of a large-scale PV power plant. The method would perform even better if more measurements from the grid were available to use as input to the prediction models. This is due to the nature of the training process, which would naturally select pertinent inputs for the estimation of each bus to avoid the problem of estimation in high dimensionality. Future work may lead towards 1) the scalability of the proposed scheme with a relatively larger-scaled test system, and 2) the examination of cyber-security risks at renewable generation sites of the modern power grid involving wind farms and solar parks.

To this end, the key features of this chapter have been:
1. The resilience of the grid is enhanced by the median regression function (MRF)-based algorithm;
2. The proposed MRF-based algorithm was well-supported by the mapping function for initial regression analysis;
3. An exhaustive testing of the algorithm in the presence of multiple data-injections and its comparative analysis indicate a potential scope of deploying this algorithm in real time while enhancing the resistance of the grid towards uncertainties and deliberate injections;
4. The trained regression model successfully captured the correlation between the different measurements of the grid. This also allowed the good prediction of the bus signals and the detection of different types of attacks at their occurrence.

Figure 5.23 State estimation MSE-based comparison with TFMP [18].

Figure 5.24 State estimation MSE-based comparison with regression methods. The acronyms are defined as (1) bagged trees (BAT), (2) support-vector machine (SVM), (3) boosted trees (BOT), (4) linear regression (LR), (5) Gaussian processes (GPs), (6) neural network (NN), and (7) median regression function (MRF).

References

[1] A.G. Phadke, R.M. de Moraes, The wide world of wide-area measurement, IEEE Power Energy Mag. 6 (2008) 52–65.
[2] A. Phadke, J. Thorp, Synchronized Phasor Measurements and Their Applications, Springer, New York, 2008.
[3] T. Ahmad, N. Senroy, Statistical characterization of PMU error for WAMS analytics, IEEE Trans. Power Syst. 35 (2) (Mar. 2020) 920–928.
[4] X. Wang, D. Shi, Z. Wang, C. Xu, Q. Zhang, X. Zhang, Z. Yu, Online calibration of phasor measurement unit using density-based spatial clustering, IEEE Trans. Power Deliv. 33 (3) (Jan. 2018) 1081–1090.
[5] H.M. Khalid, J.C.-H. Peng, Improved recursive electromechanical oscillations monitoring scheme: a novel distributed approach, IEEE Trans. Power Syst. 30 (2) (Mar. 2015) 680–688.
[6] H.M. Khalid, J.C.-H. Peng, Tracking electromechanical oscillations: an enhanced maximum-likelihood based approach, IEEE Trans. Power Syst. 31 (3) (May 2016) 1799–1808.
[7] J. Follum, J.W. Pierre, R. Martin, Simultaneous estimation of electromechanical nodes and forced oscillations, IEEE Trans. Power Syst. 32 (5) (Sep. 2016) 3958–3967.
[8] U. Agrawal, J.W. Pierre, Detection of periodic forced oscillations in power systems incorporating harmonic information, IEEE Trans. Power Syst. 34 (1) (Jan. 2019) 782–790.
[9] J.B. Zhao, M. Netto, L. Mili, A robust iterated extended Kalman filter for power system dynamic state estimation, IEEE Trans. Power Syst. 32 (4) (Jul. 2017) 3205–3216.

[10] G. Anagnostou, B.C. Pal, Derivative-free Kalman filtering based approaches to dynamic state estimation for power systems with unknown inputs, IEEE Trans. Power Syst. 33 (1) (Jan. 2018) 116–130.
[11] A. Rouhani, A. Abur, Constrained iterated unscented Kalman filter for dynamic state and parameter estimation, IEEE Trans. Power Syst. 33 (3) (May 2018) 2404–2414.
[12] J.B. Zhao, L. Mili, Robust unscented Kalman filter for power system dynamic state estimation with unknown noise statistics, IEEE Trans. Smart Grid 10 (2) (Mar. 2019) 1215–1224.
[13] J.B. Zhao, L. Mili, A decentralized H-infinity unscented Kalman filter for dynamic state estimation against uncertainties, IEEE Trans. Smart Grid 10 (5) (Sep. 2019) 4870–4880.
[14] H.M. Khalid, S.M. Muyeen, J.C.H. Peng, Cyber-attacks in a looped energy-water nexus: an inoculated sub-observer-based approach, IEEE Syst. J. 14 (2) (Jun. 2020) 2054–2065.
[15] R. Fu, X. Huang, Y. Xue, Y. Wu, Y. Tang, D. Yue, Security assessment for cyberphysical distribution power system under intrusion attacks, IEEE Access 7 (Jul. 2018) 75615–75628.
[16] N. Forti, G. Battistelli, L. Chisci, S. Li, B. Wang, B. Sinopoli, Distributed joint attack detection and secure state estimation, IEEE Trans. Signal Inf. Process. Netw. 4 (1) (Mar. 2018) 96–110.
[17] H.M. Khalid, J.C.-H. Peng, A Bayesian algorithm to enhance the resilience of WAMS applications against cyber attacks, IEEE Trans. Smart Grid 7 (4) (March 2016) 2026–2037.
[18] H.M. Khalid, J.C.-H. Peng, Immunity towards data-injection attacks using track fusion-based model prediction, IEEE Trans. Smart Grid 8 (2) (March 2017) 697–707.
[19] R.M. Lee, M.J. Assante, T. Conway, Analysis of the cyber attack on the Ukrainian power grid: Defense use case, Technical Report no. EISAC/SANS/Ukraine/DUC/5, E-ISAC, Mar. 2016, pp. 1–29.
[20] N. B.-Westmoreland, J. Styczynski, S. Stables, When the lights went out: Ukraine cybersecurity threat briefing, Technical Report no. 2016/09, Booz Allen Hamilton, Nov. 2016, pp. 1–82.
[21] Cyber security notification – Meltdown & Spectre, impact on Symphony Plus, ABB Security Not. Rep., ID 8VZZ000522, Jan. 2018, pp. 1–4.
[22] A. Abur, A.G. Exposito, Power System State Estimation: Theory and Implementation, Marcel Dekker, New York, 2004, pp. 1–327.
[23] Y.-F. Huang, S. Werner, J. Huang, N. Kashyap, V. Gupta, State estimation in electric power grids: meeting new challenges presented by the requirements of the future grid, IEEE Signal Process. Mag. 29 (5) (Sep. 2012) 33–43.
[24] A. G.-Expósito, A.V. Jaén, C. G.-Quiles, P. Rousseaux, T.V. Cutsem, A taxonomy of multi-area state estimation methods, Electr. Power Syst. Res. 81 (4) (Apr. 2011) 1060–1069.
[25] A. Abur, M.K. Celik, Least absolute value state estimation with equality and inequality constraints, IEEE Trans. Power Syst. 8 (1993) 680–686.
[26] M.K. Celik, A. Abur, A robust WLAV state estimator using transformations, IEEE Trans. Power Syst. 7 (1992) 106–113.
[27] N. Shivakumar, A. Jain, A review of power system dynamic state estimation techniques, in: IEEE Power System Technology – Power India Conference, 2008, pp. 1–6.
[28] A.S. Debs, R. Larson, A dynamic estimator for tracking the state of a power system, IEEE Trans. Power Appar. Syst. (1970) 1670–1678.
[29] D. Falcao, P. Cooke, A. Brameller, Power system tracking state estimation and bad data processing, IEEE Trans. Power Appar. Syst. (1982) 325–333.

[30] W.-g. Li, J. Li, A. Gao, J.-h. Yang, Review and research trends on state estimation of electrical power systems, in: Power and Energy Engineering Conference, APPEEC, Asia-Pacific, 2011, pp. 1–4.
[31] A. Garcia, A. Monticelli, P. Abreu, Fast decoupled state estimation and bad data processing, Trans. Power Appar. Syst. (1979) 1645–1652.
[32] A. Monticelli, Fast decoupled state estimator, in: State Estimation in Electric Power Systems, Springer, 1999, pp. 313–342.
[33] M.C. de Almeida, A.V. Garcia, E.N. Asada, Regularized least squares power system state estimation, IEEE Trans. Power Syst. 27 (2012) 290–297.
[34] J. Proakis, D. Manolakis, Digital Signal Processing: Principles, Algorithms, and Applications, Prentice-Hall, 1996, pp. 1–1016.
[35] T. Huang, B. Satchidanandan, P. Kumar, L. Xie, An online detection framework for cyber attacks on AGC, IEEE Trans. Power Syst. 33 (6) (Apr. 2018) 6816–6827.
[36] H. Karimipour, V. Dinavahi, Robust massively parallel dynamic state estimation of power systems against cyber-attack, IEEE Access 6 (Dec. 2017) 2984–2995.
[37] H. Karimipour, V. Dinavahi, On false data injection attack against dynamic state estimation on smart power grids, in: IEEE International Conference on Smart Energy Grid Engineering, SEGE, Oshawa, ON, Canada, 14-17 Aug. 2017, 2017, pp. 388–393.
[38] J. Zhao, G. Zhang, M.L. Scala, Z.Y. Dong, C. Chen, J. Wang, Short-term state forecasting-aided method for detection of smart grid general FDIA, IEEE Trans. Smart Grid 8 (4) (Jul. 2017) 1580–1590.
[39] A. Anwar, A.N. Mahmood, Z. Tari, Ensuring data integrity of OPF module and energy database by detecting changes in PFP in smart grids, IEEE Trans. Ind. Inform. 13 (6) (Dec. 2017) 3299–3311.
[40] Y. Li, J. Li, X. Luo, X. Wang, X. Guan, Cyber attack detection and isolation for smart grids via unknown input observer, in: 37th Chinese Control Conference, CCC, Wuhan China, 25-27 Jul. 2018, 2018, pp. 1–6.
[41] H.M. Khalid, Q. Ahmed, J.C.-H. Peng, Health monitoring of li-ion battery systems: a median expectation-based diagnosis approach (MEDA), IEEE Trans. Transp. Electrif. 1 (1) (Jul. 2015) 94–105.
[42] B. Pal, B. Chaudhuri, Robust Control in Power Systems, Springer, 2005.
[43] J.C.-H. Peng, J.L. Kirtley, An improved empirical mode decomposition method for monitoring electromechanical oscillations, in: IEEE PES Inn. Smart Grid Techn. Conf., ISGT, 2014, pp. 1–5.
[44] DIgSILENT, PowerFactory 15 user manual, 2013.
[45] D.J.C. MacKay, Information Theory, Inference and Learning Algorithms, Cambridge Uni. Press, New York, NY, USA, 2002, pp. 1–640.
[46] S. Haykin, Neural Networks: A Comprehensive Foundation, Prentice Hall, Upper Saddle River, New Jersey, 1999, pp. 1–842.
[47] J.S. Taylor, N. Cristianini, Kernel Methods for Pattern Analysis, Cambridge Uni. Press, 2004, pp. 1–462.

PART 3

Power systems’ architectures

This part consists of four chapters:
Chapter 6: Future grid architectures
Chapter 7: Mature industrial functions
Chapter 8: Secure filtering in power systems
Chapter 9: Basic mathematical tools

CHAPTER 6

Future grid architectures

Contents
6.1 Communication architectures in smart grids
6.1.1 Introduction
6.1.2 A framework of the next-generation power grid
6.1.3 Network architecture
6.1.4 Wide-area networks
6.1.5 Field-area networks
6.1.6 Home-area networks
6.1.7 Delay pattern
6.2 Wide-area monitoring control of smart grids
6.2.1 Power system dynamic model
6.2.2 Sensors and actuators
6.2.3 Control design
6.2.4 Simulation results
6.3 Wide-area case studies
6.3.1 Monitoring system case study
6.3.2 Monitoring and control systems case study
6.4 Notes
References

Cyberphysical Infrastructures in Power Systems https://doi.org/10.1016/B978-0-32-385261-6.00017-8
Copyright © 2022 Elsevier Inc. All rights reserved.

6.1 Communication architectures in smart grids

A brief comparison between the existing power grid and the smart grid is provided in Fig. 6.1.

Figure 6.1 Table of comparison.

The communication architectures to be used in the smart grid provide the platform to build the automated and intelligent management functions in power systems. The functional requirements of communication architectures depend on the expected management tasks. To better understand our research goals on the communication networks that support the system management, we first discuss the vision and framework of a smart grid. For ease of presentation, we list in Fig. 6.2 all the smart grid related acronyms used in this section.

Figure 6.2 Acronyms in smart grid.

The current electric power systems have been serving us for more than five decades. They rely heavily on fossil fuels, including oil, coal, and natural gas, as the energy sources. These fossil fuels are nonrenewable and the reserves on the Earth are being consumed rapidly. The emerging energy crisis has called for global attention to finding alternative energy resources that can sustain long-term industrial development. The identified renewable energy resources (RESs) include wind, small hydro, solar, tidal, geothermal, and waste [1], which are also called green energy due to the fact that they do not release carbon dioxide (CO2) into the atmosphere in the process of electric energy generation. The RESs are important complements to, and replacements for, fossil fuels because of their exploitation durability and environment friendliness. In fact, active research studies and deployment activities are underway across the world [1,2] for effective harnessing of the RESs.

6.1.1 Introduction

In the next-generation electric power systems that incorporate diversified RESs, automated and intelligent management is a critical component that determines the effectiveness and efficiency of these power systems. Management automation and intelligence are envisioned to offer a variety of advantages over the current systems in terms of digitalization, flexibility, intelligence, resilience, sustainability, and customization [3], justifying the term Smart Grid for next-generation power systems. The smart-control centers are expected to monitor and interact with the electric devices remotely in real time; the smart transmission infrastructures are expected to employ new technologies to enhance the power quality; and the smart substations are expected to coordinate their local devices intelligently [3]. Enabled by the significant advancements in system automation and intelligence, the concept of the Energy Internet [4] has been proposed that envisions an exciting prospect of the future energy-utilization paradigm throughout all of the energy generation, storage, transmission and distribution phases.

As one of the enabling technologies, a fast, reliable, and secure communication network plays a vital role in power system management. The network is required to connect the multitude of electric devices in distributed locations and exchange their status information and control instructions. System-wide intelligence is feasible only if the information exchange among the various functional units is expedient, reliable, and trustworthy. The current communication capabilities of the existing power systems are limited to small-scale local regions that implement basic functionalities for system monitoring and control, such as power-line communications [5–8] and the supervisory control and data acquisition (SCADA) systems [9–11], which do not yet meet the demanding communication requirements for the automated and intelligent management in next-generation electric power systems.

Future power systems comprise a diversity of electric generators and power consumers located distributively over vast areas and connected together into the same management network. Real-time bidirectional communications are the foundations of support for the comprehensive power system management tasks which, in certain cases, require time-sensitive and data-intensive information exchange.

6.1.2 A framework of the next-generation power grid

In the smart grid, many distributed renewable energy sources will be connected into the power transmission and distribution systems as integral components. The typical renewable energy sources include wind, solar, small hydro, tidal, geothermal, and waste. These sources generate additional electricity that supplements the electricity supply from large power plants and, when the electricity generated by distributed small energy sources exceeds the local needs, the surplus is sold back to the power grid. With the addition of renewable energy sources, bi-directional dynamic energy flows are observed in the power grid. We illustrate in Fig. 6.3 the framework of a smart grid. Note in Fig. 6.3 that
• A is a wind power plant,
• B is a large hydropower plant,
• C is a coal-fired power plant,
• D is a geothermal power plant,
• E and F are houses with solar-electricity generation,
• G and H are houses with wind-electricity generation,
• I is the power transmission infrastructure,
• J is the communication infrastructure, and
• K–Q are the seven constituent domains: bulk generation, transmission, distribution, operation, market, customer, and service provider, respectively.

To effectively manage this complex power system, which involves an enormous number of diversely functional devices, a co-located communication infrastructure is required to coordinate the distributed functions across the entire power system. This system consists of seven functional blocks [12], which are, namely, bulk generation, transmission, distribution, operation, market, customer, and service provider.

Figure 6.3 A framework of next-generation power grid.

The future power systems comprise a diversity of electric generators and power consumers that are located distributively over vast areas and connected all together into the same management network. Real-time bidirectional communications are the foundations supporting the comprehensive power system management tasks which, in certain cases, require time-sensitive and data-intensive information exchange.

6.1.3 Network architecture

The communication infrastructure in smart grids must support the expected smart grid functionalities and meet the performance requirements. Because the infrastructure connects an enormous number of electric devices and manages the complicated device communications, it is constructed in a hierarchical architecture with interconnected individual subnetworks, each taking responsibility for a separate geographical region [13]. An illustrative example of this architecture is shown in Fig. 6.4. In general, the communication networks can be categorized into three classes: wide-area networks (WANs), field-area networks, and home-area networks.

Figure 6.4 A communication architecture in a smart grid.

Note in Fig. 6.4 that
• A is a power substation,
• B is a segment of power transmission lines,
• C is a PEV charging station,
• D is a residential subdivision installed with solar panels,
• E is a residential complex with AMI (advanced metering infrastructure),
• F is a smart energy house with electric appliances connected to the smart grid, and
• the internet and ISPs serve as the backbone for connecting the distributed subnetworks.

6.1.4 Wide-area networks

WANs form the communication backbone connecting the highly distributed smaller-area networks that serve the power systems at multiple locations. When the control centers are located far from the substations or the end consumers, the real-time measurements taken at the electric devices are transported to the control centers through the WANs and, in the reverse direction, the WANs transfer the instruction communications from control centers to the electric devices. For enhanced wide-area situational awareness, RTOs require a lot of information about the state of the power grid. This is achieved by using fast, time-stamped, and real-time information about the system from specialized electrical sensors (phasor measurement units, PMUs) at the substations. The PMU devices capture current and voltage-phasor information from the electrical buses at the substations at sample rates up to 60 Hz. The information received from PMUs is used by the EMS systems at control centers for improved state estimation, monitoring, control, and protection.

The WANs also convey communications between the intelligent electronic devices (IEDs) and the control centers. The IEDs are installed along transmission lines and in the substations to capture local SCADA information and act upon the control and protection commands from the control centers. Moreover, to support the reception of high-speed PMU data at the control centers, a high-bandwidth network is required. Currently, the substations communicate with the control centers using point-to-point telephone or microwave links. Thus, in the absence of a high-speed network, the sensed digital data from PMUs remains confined to the substations and cannot be effectively utilized by the control centers. This underscores the need for a high-bandwidth WAN in the smart grid system.

6.1.5 Field-area networks

Field-area networks form the communication facility for the electricity distribution systems. The electrical sensors on the distribution feeders and transformers, IED devices capable of carrying out control commands from DMS, DERs in the distribution systems, PEV charging stations and smart meters at customer premises form the main sources of information to be monitored and controlled by the DMS at the control centers. The power system applications operating in the distribution domain utilize field-area networks to share and exchange information. These applications can be categorized as either field-based (related to transmission lines, sensors, voltage regulators, etc.) or customer-based (related to end customers, like houses, buildings, industrial users, etc.). Field-based applications include OMS, SCADA applications, DER monitoring and control, etc. Customer-based applications include AMI, DR, LMS, MDMS, etc.

These two classes of applications operating in the distribution domain have different critical requirements. For example, customer-based applications require the communication network between the utility and the customer to be highly scalable. This would allow the addition of more applications and customers in the future. Time sensitivity is not much of an issue for such applications. Field-based applications, on the other hand, are more time sensitive in nature. Hence the utilities have a choice in adopting either communication networks dedicated to each class of applications or a single shared communication network for both classes. A shared field-area network will be able to minimize development cost and issues, while a dedicated network will have the advantages of real-time communication capability and additional security.

6.1.6 Home-area networks

Home-area networks are needed in the customer domain to implement monitoring and control of smart devices in customer premises and to implement new functionalities like DR and AMI. Within the customer premises, a secure two-way communication interface called an ESI acts as an interface between the utility and the customer. The ESI may support different types of interfaces, including the utility secured interactive interface for secure two-way communications and the utility public broadcast interface for one-way receipt of event and price signals at the customer devices. The ESI may be linked (either hardwired or through the home-area networks) to a smart meter capable of sending metering information. This information is communicated to the utility. The ESI also receives RTP from the utility over the AMI infrastructure and provides it to the customers. The customers may use a display panel (called an IHD) linked to the ESI or a web-based customer EMS (residing in the smart meter, an independent gateway, or some third party) and respond to pricing signals from the utility. The ESI and smart devices provide the utility with the ability to implement its load-control programs by accessing the control-enabled devices at the customer site.

WANs form the communication backbone to connect the highly distributed smaller-area networks that serve the power systems at various locations. When the control centers are located far from the substations or the end consumers, the real-time measurements taken at the electric devices are transported to the control centers through the WANs and, in the reverse direction, the WANs transfer the instruction communications from control centers to the electric devices. For enhanced wide-area situational awareness, regional transmission operators (RTOs) require a lot of information about the state of the power grid. This is achieved by using fast, time-stamped, real-time information collected about the system by specialized electrical sensors (PMUs) at the substations. The PMU devices capture current and voltage-phasor information from the electrical buses at the substations at sample rates up to 60 Hz. The information received from PMUs is used by the EMS systems at control centers for improved state estimation, monitoring, control, and protection. The WANs also convey communications between the IEDs and the control centers. The IEDs are installed along transmission lines and in the substations to capture local SCADA information and act upon the control and protection commands from the control centers. Moreover, to support the reception of high-speed PMU data at the control centers, a high-bandwidth network is required. Currently, the substations communicate with the control centers using point-to-point telephone or microwave links. Thus, in the absence of a high-speed network, the sensed digital data from PMUs is confined to the substations and cannot be effectively utilized by the control centers. This underscores the need for a high-bandwidth WAN in the smart grid system.

6.1.7 Delay pattern

The communication delay in a smart grid is defined as the time lapse between the sending of a message at the source IED and the receiving of the message at the destination IED. It is measured end-to-end between the two applications running at the source and destination systems. An illustration of the delay definition is shown in Fig. 6.5. As can be seen in the figure, the end-to-end delay is the sum of all the time pieces experienced by the message during its processing and transmission at every traversed node: the source IED incurs some delay to format the message for transmission, each intermediate forwarding node adds extra delay to process and relay the message, and the destination IED spends additional time to decode the message and present it to the application program. Because the electric power devices do not have any communication capability by themselves, each electric device is fitted with an embedded computer system to serve as the communication interface to the network infrastructure. The electric device and the embedded computer system together form an IED. The message processing steps within an IED are illustrated in Fig. 6.6, in which a message containing the device status data is generated and transmitted through four modules in the IED: (i) the analog–digital converter transforms a status measurement into digital data, (ii) the CPU processes the measurement data, (iii) the set-point structure stores the current measurement data, and (iv) the network protocol stack formats the message and sends it into the network. The time spent within an IED is part of the end-to-end delay as described in Fig. 6.5.

Figure 6.5 The message delay in smart grid communications.

Figure 6.6 The processing time spent in an IED device.


6.2 Wide-area monitoring control of smart grids

Because we increasingly rely on information transmitted to distant areas over communication networks, it becomes imperative to model the effects of the communication system on the stability of the power grid. Communication networks introduce random time-varying delays, packet dropouts, and packet disordering into the information transmitted. Several approaches exist in control theory to study such systems, widely referred to as networked control systems (NCSs) [1], [2]. Extensive research exists in control theory to model the effects of packet delays, dropouts, and disordering due to transmission of sensor and actuator signals via a limited communication network on system stability [3], [4]. Networked control perspectives have been successfully adopted in many other areas like automobile systems [5], [6], process systems [7], fuel-cell plants [8], [9], etc. The application of NCS theory to power systems is very recent. In a recent paper, Wang et al. [10] described a design for an excitation controller based on wide-area measurements obtained through a delayed communication network. WAMS-based control schemes for inter-area and small signal oscillations have been studied extensively in the power system literature [11], [12], [13]. The effects of signal transmission delays on wide-area control (WAC) were overcome using a predictor-based control design approach in [14], [15]. Studies have also been carried out for load-frequency control (LFC) taking into account communication delays [16–27]. However, most of these approaches do not take into account both the random delays and packet dropouts due to a realistic communication network. In this section, we present an NCS-based approach to damp inter-area oscillations in power systems based on wide-area measurements transmitted over a limited communication network. The NCS with delays and packet losses is modeled as a switched system. A switched system formulation is chosen as it does not assume knowledge of the probability distributions for packet losses and delays in the network. Moreover, switched system theory provides a plethora of design tools that can easily be used. A stabilizing controller is designed taking into account both delays and packet losses due to the communication network. The controller performance is analyzed on the sample WSCC 9-bus test system in the presence of disturbances like faults and load changes.

6.2.1 Power system dynamic model

Fig. 6.7 shows the general schematic of networked control of a power system with integrated communication infrastructure. Power system signals are measured, sampled, and transmitted via a limited communication network that induces both delays and packet dropouts. The power system operates in continuous time, while the networked controller is in discrete time. $M_{s1}, \ldots, M_{sn}$ represent wide-area measurements of an arbitrary subset of the states and outputs of the generation sources, and $M_1, \ldots, M_n$ represent selected current and voltage measurements in the network. In what follows, we present detailed models of the power system and network-induced effects like delays and packet dropouts for NCS design.

Figure 6.7 Schematic of power system with networked control.

The dynamics of the power system are captured in a set of differential-algebraic equations of the form

$$\dot{x} = f(x, y, u), \qquad 0 = g(x, y). \tag{6.1}$$

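The system is then linearized around a steady-state operating point to give a linear state-space model as follows:

$$A_f = \left.\frac{\partial f}{\partial x}\right|_{(x_o, y_o, u_o)}, \quad A_g = \left.\frac{\partial g}{\partial x}\right|_{(x_o, y_o)}, \quad B_f = \left.\frac{\partial f}{\partial u}\right|_{(x_o, y_o, u_o)},$$

$$C_f = \left.\frac{\partial f}{\partial y}\right|_{(x_o, y_o, u_o)}, \quad C_g = \left.\frac{\partial g}{\partial y}\right|_{(x_o, y_o)}. \tag{6.2}$$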


Introducing x = x − xo , y = y − yo , u = u − uo ,

$$A_c = A_f - C_f C_g^{-1} A_g \tag{6.3}$$

and eliminating y, we have

$$\dot{x} = A_c x + B_c u. \tag{6.4}$$

For the purpose of networked control design, the system model is discretized with a suitable sampling time to give

$$x(k+1) = A x(k) + B u(k), \qquad u(k) = K \bar{x}(k), \tag{6.5}$$

where x(k) ∈ n , u(k) ∈ m and K ∈ m×n is the static feedback controller to be designed, and x¯ (k) is the measured state.

6.2.2 Sensors and actuators

As the controllers and actuators are usually collocated, we assume that there is no communication link in the controller-actuator loop. Communication delays and packet dropouts occur on the sensor-controller path. The sensors are assumed to be time-driven, while the controller is assumed to be event-driven. The sensor measurements are sampled and transmitted periodically to the controller, which updates the control output as each new measurement becomes available.

6.2.3 Control design

The NCS is modeled as a switched system for control design and stability analysis. The controller uses the most recent measurements available to it when the current state is not available. For example, if a packet dropout occurs, then, i.e., the controller retains the previous state. We present hereafter an iterative approach to establish the NCS. From (6.5), it follows that

$$x(k+1) = A x(k) + BK x(k). \tag{6.6}$$

Let τ be the maximum transmission period of the sensor with successive transmitted measurements given by $x(0), x(k_1), \ldots, x(k_j), \ldots$. We assume that the first packet is transmitted successfully.


On considering a one-step delay, we have

$$x(1) = A x(0), \qquad x(2) = A x(0) + BK x(0). \tag{6.7}$$

For an arbitrary $x(k_j)$ with $S_{j,j-1} = A^{k_j - k_{j-1}}$, the time evolution is expressed as

$$x(k_j) = \left(S_{j,j-1} + S_{j,j-1}^{-2} BK + \ldots + BK\right) x(k_{j-1}) + S_{j,j-1} BK\, x(k_{j-2}), \quad j = 1, 2, \ldots \tag{6.8}$$

To proceed further, we introduce the following sequence:

$$z(0) = x(0), \quad z(1) = x(k_1), \quad \ldots, \quad z(j) = x(k_j). \tag{6.9}$$

Using (6.9) in (6.8), it becomes

$$z(j) = A(j) z(j-1) + B(j) z(j-2), \quad j = 1, 2, \ldots$$

$$A(j) = S_{j,j-1} + S_{j,j-1}^{-2} BK + \ldots + BK, \qquad B(j) = S_{j,j-1} BK. \tag{6.10}$$

In turn, we rewrite (6.10) in the form  ω(j + 1)

(j) i

=

A(j) I

B(j) 0

 ω(j)

=

(j) ω(j), j = 1, 2, ...



,  = {1 , 2 , ..., τ }  Ai + Ai−2 BK + ... + BK

=

I

Ai−1 BK 0

 .

(6.11)

Effectively, the NCS with a one-step delay is represented by the switched system ω(k + 1) = j ω(k), k = 1, 2, ... ,

(6.12)

with arbitrary switching. The switched system described by (6.12), and hence the NCS described by (6.5), is asymptotically stable if there exists a positive definite matrix


P ∈ n×n satisfying the LMI [14] 

P •

ti P −P



0, ∀i = 1, 2, ..., τ .

(6.13)

The foregoing analysis can be readily extended to model an NCS with an -step delay as a switched system with the switch parameter given by  i =

Ai Q + Ai−−1 BW + ... + BW I

Ai−1 BW + ... + Ai− BW 0

 .

(6.14) This leads to the following theorem Theorem 16. [15] If there exist a positive definite matrix Q ∈ n×n and another matrix W ∈ m×n satisfying the following system of LMIs ⎡  ⎢ ⎢ ⎢ ⎢ ⎣

−Q

0 −Q

0 i 

i =

i

Q



⎤ 

ti −Q

0

0 −Q

⎥ ⎥  ⎥ < 0, i = 1, 2, ...., τ ⎥ ⎦

Ai−1 BW + ... + Ai− BW 0



i = Ai Q + Ai−−1 BW + ... + BW ,

(6.15)

then the NCS described by ( ) can be asymptotically stabilized by the static-state feedback law u(k) = W Q−1 x¯ (k)

(6.16)

for -step delays and packet dropout within the bound τ − 1. The power system model described in Sect. 6.2.1 is reduced to a switched system model of the form given by (6.12) as just described. Here, an excitation controller is designed for the generators by solving the system of LMIs given by (6.15). However, other controllers like load frequency controllers, static VAR compensator (SVC) controllers, PSS, etc. can be designed in a similar manner depending on the specific system.
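The switched-system view of packet dropout can be made concrete with a scalar, no-delay simplification, given here as an added example that is not taken from the book: mode i is the closed-loop factor over i sample periods during which the controller holds one measurement, and the loop is stable for any loss pattern within the bound only if every mode contracts. The plant value a = 1.02 and the gain product bK = -0.5 are assumptions chosen for illustration.

```python
import random

A_PLANT = 1.02     # assumption: open-loop unstable scalar plant x(k+1) = a*x(k) + b*u(k)
BK = -0.5          # assumption: product b*K of input gain and feedback gain


def mode_gain(a, bk, gap):
    """Factor phi_gap by which the state changes over `gap` samples when the
    controller holds one measurement: gap = 1 means the next packet arrived,
    gap = i means i - 1 consecutive packets were lost."""
    x, held = 1.0, 1.0
    for _ in range(gap):
        x = a * x + bk * held      # u(k) = K * (last received measurement)
    return x


def max_tolerated_gap(a, bk, limit=50):
    """Largest tau for which every mode 1..tau contracts (|phi_i| < 1).
    For a scalar loop this is exactly stability under arbitrary switching."""
    tau = 0
    for gap in range(1, limit + 1):
        if abs(mode_gain(a, bk, gap)) >= 1.0:
            break
        tau = gap
    return tau


def simulate(a, bk, steps, is_lost, x0=1.0):
    """Closed loop with a hold-last-measurement controller.
    is_lost(lost_run) decides whether the current packet is dropped, given
    the number of packets already lost in a row. Returns |x| after `steps`."""
    x, held, lost_run = x0, x0, 0
    for k in range(steps):
        if k > 0 and is_lost(lost_run):   # the first packet is assumed delivered
            lost_run += 1
        else:
            held, lost_run = x, 0
        x = a * x + bk * held
    return abs(x)


def random_loss(p, cap, seed=1):
    """Bernoulli loss with probability p, never more than `cap` in a row."""
    rng = random.Random(seed)
    return lambda lost_run: lost_run < cap and rng.random() < p


def burst_loss(burst):
    """Worst-case pattern: `burst` lost packets, one delivered, repeated."""
    return lambda lost_run: lost_run < burst


if __name__ == "__main__":
    tau = max_tolerated_gap(A_PLANT, BK)
    print("modes:", [round(mode_gain(A_PLANT, BK, i), 4) for i in range(1, tau + 2)])
    print("tolerated consecutive losses:", tau - 1)
    print("70% random loss, cap 3:", simulate(A_PLANT, BK, 3000, random_loss(0.7, tau - 1)))
    print("repeating burst of 4:  ", simulate(A_PLANT, BK, 500, burst_loss(tau)))
```

With these values modes 1 to 4 contract, so up to three consecutive lost packets are tolerated whatever the loss pattern, while a repeating burst of four losses diverges. This is why the bound on consecutive dropouts, rather than the average loss rate, is the quantity to verify against the communication network.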


Figure 6.8 Sample WSCC 9-bus test system with operating point for linear analysis.

6.2.4 Simulation results

In the sequel, the networked controller designed in the foregoing manner is tested against a benchmark system in the presence of various disturbances. The sample WSCC 9-bus system (Fig. 6.8) is used as a benchmark to analyze the performance of the networked controller. Each generator is modeled as a fourth-order system with state variables $\delta$, $\omega$, $e_d$, $e_q$. The generators are fitted with IEEE Type-1 AVR excitation systems described by a fourth-order system with state variables $\nu_m$, $\nu_{r1}$, $\nu_{r2}$ and $\nu_f$, and an external reference signal $\nu_{ref}$ that is modulated by the networked controller. The system is linearized around the operating point in Fig. 6.8 and discretized, as described in Sect. 6.2. We obtain a state space model of the power system with 24 states and three inputs (the AVR reference signals). We consider full state feedback, with the sensor locations $S_1$, $S_2$, $S_3$ shown in Fig. 6.8. It is assumed that the sensor sampling time is 10 ms. The system response to various disturbances is tested on the original nonlinear model, and the performance of the networked controller is compared to that of a traditional AVR controller. The power system and network effects are simulated using Matlab® as a platform.


It is to be noted that the analysis in the case of loss of sensors is beyond the scope of this work and is not considered here. It is assumed that complete measurements are available at the sensors, and the transmission of these measurements through a communication network causes certain packets to be dropped or delayed. Moreover, issues related to sampling and quantization of measurements and the finite bit rate of the network are not considered.

A. Performance under fault conditions

In this scenario, a three-phase fault is applied at bus 7. The performance of the system with and without networked control is compared for the case where no delay or packet dropout occurs (Fig. 6.9). It can be seen that the regular controller and the networked controller have a similar performance for this case. Now, the performance of the system under deteriorated network conditions is analyzed. The networked controller is able to stabilize the system even at 70% packet dropout, while the traditional controller fails (Fig. 6.10). The performance of the networked controller and the traditional controller are also compared at 25% packet dropout, where both are able to stabilize the system (Fig. 6.11). It is observed that the networked controller is able to stabilize the system with a packet dropout of up to 74% as compared to 34% for the traditional controller in the presence of a fault.

Figure 6.9 Performance of networked controller and traditional controller with no delay or packet dropout.


Figure 6.10 Performance of networked controller and traditional controller with 25% packet dropout probability.

Figure 6.11 Performance of networked controller and traditional controller with 70% packet dropout probability.

B. Performance for load change

To test the controller performance under increased system loading, we assume that all loads in the system are increased by 40% from time to time. The system response with no delay or packet dropouts and for a constant delay with packet dropout of 50% are shown in Figs. 6.12 and 6.13, respectively.


When the system is subjected to the cited load change, it is observed that the networked controller is able to stabilize the system for packet dropouts of up to 70%, while the traditional controller can stabilize the system with packet dropouts up to 34% for the same delay. Fig. 6.14 shows the voltage profile of the system at bus 1 for a packet dropout of 70%. It is seen that the addition of a networked controller helps the system maintain an adequate voltage profile in the presence of load changes, even with communication delays and 70% of the packets dropped. From these simulations, we can see that the wide-area networked controller enhances the overall stability of the system in the presence of disturbances and functions well, even with severely deteriorated communication.

Figure 6.12 System performance for load change with no network effects.

6.3 Wide-area case studies

In this section, applications of wide-area architectures are discussed. The architectures are thoroughly demonstrated through simulation and implementation. Case studies for a wide-area monitoring system (WAMS) and a wide-area monitoring and control system (WAMCS) are thoroughly illustrated.

Figure 6.13 System performance for load change with 50% packet dropout.

Figure 6.14 System performance for load change with voltage profile at bus 1 following a 40% load change, with networked control at 70% packet dropout.

6.3.1 Monitoring system case study

The proposed scheme is validated using the positive-sequence fundamental frequency model of the IEEE New-England, 39-bus, ten-machine system as shown in Fig. 6.15. The system parameters and the modeling details of the test system are based on [51,52]. In this system, a sixth-order model is used to depict the dynamics of all synchronous generators. In addition, the generators G1–G9 are equipped with
1. IEEE DC1A exciters, and
2. a speed-sensitive two lead-lag power system stabilizer (STAB1).
The PMUs, which are highlighted in red (dark gray in print version), are installed at nine locations to provide observability of the entire system [51,52]. The measurements are collected from PMU units at a sampling rate of 60 Hz. From each PMU location, both voltage magnitude and angle measurements are considered as two separate data-sets.

Figure 6.15 Model of the IEEE New-England 39-bus, ten-machine system.

Fig. 6.16 shows the dynamic response of the voltage magnitudes (V) and phase angles (θ) collected from PMU devices. In what follows, the proposed scheme is evaluated using the following performance metrics: 1) estimation of the corrupted signal; 2) comparative analysis of the estimation performance, the reconstruction error (the distance between the original measurements and the projection estimate) analysis using mean-square error (MSE), average mean-square error (AMSE), maximum MSE (MMSE), standard deviation, and CPU time.

Figure 6.16 (a) the voltage magnitude, (b) phase angles collected from PMU devices.

For a comprehensive evaluation of the proposed scheme, a test case has been designed. The test case has multiple power system disturbances, as well as data-injection attacks. These variations have been experienced by the system over a 60 s time-window. The system faced the following four disturbances:
• First Disturbance: The first disturbance is a three-phase-to-ground fault at bus 24, which occurred at 1 s and was cleared at 100 ms.
• Second Disturbance: The second disturbance is a change in the active and reactive power of the load connected at bus 21. This occurred at 20 s, with increases of 30% and 10%, respectively. This was further ramped over 10 s.
• Third Disturbance: The third disturbance was a line outage between buses 16 and 17 at 25 s. The line is reconnected at 30 s.
• Fourth Disturbance: Meanwhile, the fourth disturbance impacted bus 4 at 45 s. The active and reactive power of the load connected at bus 4 was increased by 20% and 10%, respectively, for a ramp duration of 5 s.

Considering the New-England 39-bus system in Fig. 6.15, the simulation results are carried out as planned. Note that the loading of the system is continuously perturbed with small random fluctuations. These fluctuations are up to ten MW to reflect the operation of practical systems. Similarly, to mimic the activity of a cyberattack, several data-injections have been made at various instants of the case duration as follows:


• First Injection with single stream of PMU data: A parameter manipulation attack in the 33 to 50 s window is generated at bus 16 using the weighted sum of three damped sinusoids with frequencies and damping ratios of (0.382 Hz, 8.0%), (0.55 Hz, 4.4%), and (0.618 Hz, 5.7%), respectively.
• Second Injection with multiple streams of PMU data: A fault-resembling injection attack with frequency fluctuations is injected randomly at three out of nine PMU-deployed locations. The attack was injected in collected measurements for 1000 samples in the same time window of 33 s.

The proposed scheme is evaluated against the l1-based robust principal component analysis (RPCA) [53], which already superseded the principal component pursuit (PCP)-based block processing algorithm [54]. All the performance evaluations were made using a sampling time τs of 50 ms.

The success of a hacker is usually determined by probing deep into the system while remaining unrecognized for a maximum time-period. This would allow the hacker to access important information of the system and manipulate some level of coordination, which could create avenues for system instability. The first attack is a parameter manipulation attack. This kind of attack is based on tampering with the parameters and related measurements to modify the information in PMU measurements. This could eventually affect the application functionality and control of PMUs in general. The objective behind performing this attack could be to exploit the PMU information or target the monitoring system by introducing a man-in-the-middle (MITM) attack. This would eventually disrupt the communication between phasor data concentrators (PDCs) and their subsystems. Upon going unrecognized, the hacker could worsen the situation by splitting the communication information and inserting false statistics in the intercepted communication. The second kind of attack is a fault-resembling injection attack. In these attacks, a portion of archived transient data, which could resemble a physical fault, is deliberately injected. Here it is injected in the voltage phase angle in the form of a noninvasive glitch, which could eventually propagate across the whole power network or other locations. The objective of such an attack is to gain access to rarely activated nodes and processor registers in the system. Note that the aim of having a set of diversified attack injections is to assess the agility and resilience of the proposed scheme.

The first attack injection was made on bus 16. It is an attack generated on a single stream of PMU data at bus 16 using the weighted sum of three damped sinusoids across the 33–50 s time-window. The profile of the


Figure 6.17 First injection with single stream of PMU data: (a–d) Parameter manipulation attack at single PMU (θ16 under transient condition), standard performance of the proposed scheme, and its dynamic response.

original, corrupted and estimated signal along with the generated error can be seen in Fig. 6.17a–d. This shows the standard performance of the proposed scheme and its dynamic response when subjected to the described attack. Fig. 6.17a shows the original signal and corrupted signal. Fig. 6.17b shows the standard estimation performance of the proposed scheme towards the original signal. Fig. 6.17c shows the corruption identification using the proposed scheme. An accurate identification of the corrupted signal has a major role in the residual-based generation for attack localization. Fig. 6.17d shows the residual-error generation and its evaluation. Residual error is the difference between the original signal and the reconstructed signal. Here the reconstructed signal shows the restoration of the original PMU data from the induced corruption using the proposed scheme. The threshold for evaluation is selected using cosine similarity. Since the residual is generated for the original signal without corruption, the selected threshold is ±0.3.

Figure 6.18 First injection with single stream of PMU data: (a–d) Comparative analysis of the estimation performance of the proposed median filter and l1 RPCA method for parameter manipulation attack at single PMU (θ16).

The performance evaluation quality of the proposed median approach using comparative analysis is illustrated in Fig. 6.18. Fig. 6.18a shows the original signal and corrupted signal under a parameter manipulation attack. Fig. 6.18b shows the standard estimation of the proposed scheme and its performance comparison with the l1-RPCA method [53]. Fig. 6.18c shows the identification of corruption, which is calculated by taking the difference between the original signal and the reconstructed signal obtained from estimation. Both techniques have performed well. However, the proposed method gave more accurate results than the l1-RPCA method. Moreover, it was also able to estimate the deviations of outliers with precision. This was due to its estimating nature by using the calculated median of the sample size. This was not the case with the l1-RPCA method due to its rotational invariant nature to abrupt data-injections. This is also visible in Fig. 6.18d and Table 6.1 (30–50 s time-window), where the l1-RPCA method has lost track of the data-injection instant variations. This could also be due to the property of the l1-RPCA method, which is


Table 6.1 First injection with single stream of PMU data: MSE-based estimation comparison analysis∗.

Time window | 0–5 s | 5–10 s | 10–15 s | 15–20 s
MSE (MSP) | 2.58 × 10⁻³ | 3.77 × 10⁻⁵ | 1.23 × 10⁻⁴ | 1.12 × 10⁻⁴
MSE (RPCA) | 7.21 × 10⁻³ | 5.26 × 10⁻⁵ | 3.32 × 10⁻⁴ | 2.58 × 10⁻³

Time

10−5

25–30 s 8.30 × 1.62 × 10−5

1.32 × 9.06 × 10−3

1.08 × 10−3 1.69 × 10−2

Time

40–45 s

45–50 s

50–55 s

55–60 s

8.94 × 1.51 × 10−2

10−4

7.57 × 1.25 × 10−2

10−3

35–40 s

8.66 × 1.40 × 10−3 10−4

10−6

30–35 s

MSPMSE RPCAMSE MSPMSE RPCAMSE ∗

20–25 s

10−4

1.25 × 5.91 × 10−4

2.31 × 10−4 3.13 × 10−4

In this table, MSE is the mean-square error of estimates, and subscript MSP and RPCA are the acronyms of proposed median-based state prediction and robust principal component analysis approach [53], respectively.

highly dependent on the projection vector and the dimension of subspace. The instant injections may create an offset in the forecast of the projection vector on the subspace. The threshold selected for proposed scheme is ±0.3. However, this threshold is not appropriate for l1 -RPCA method due to its poor evaluation, which could lead to false alarms for 0–5 s and 30–35 s respectively. The MSE values of the reconstruction errors are computed for the proposed median filter and the l1 -RPCA method over a five-s window as shown in Table 6.1. It can be seen that the proposed median filter has maintained a better track than the l1 -RPCA method during the time windows where the attack signal is injected i.e., (30–50 s). It can be seen that the attack signal is not completely estimated by the l1 -RPCA method as indicated in the MSE values in comparison to the proposed median filter. On the contrary, the proposed median filter has provided better performance in terms of capturing the entire attack signal as indicated by the low MSE errors over that time span. Furthermore, the overall performance comparison is also determined using the tools like average mean square error (AMSE), standard deviation, maximum MSE (MMSE), and the computational time of all estimated signals as shown in Table 6.2. It can be seen that the proposed median filter has thoroughly outperformed the l1 -RPCA method in terms of accuracy. From the computational complexity perspective, the l1 -RPCA method lags in performance. The l1 -RPCA method is computationally expensive because it is based on linear or quadratic programming structure, which has the polynomial complexity of variables and constraints at each iteration. On the other hand, the proposed approach was able to


Table 6.2 First injection with single stream of PMU data: overall performance comparison∗.

Performance measure | AMSE | Standard deviation | MMSE | CPU time (s)
MSP | 2.10 × 10⁻³ | 4.50 × 10⁻³ | 5.50 × 10⁻² | 2.43 × 10⁰
RPCA | 4.70 × 10⁻³ | 2.11 × 10⁻² | 7.61 × 10⁻¹ | 4.02 × 10³

∗ In this table, AMSE and MMSE are the acronyms of average mean-square error and maximum mean-square error, respectively.

Figure 6.19 Second injection with multiple streams of PMU data: (a–c) Performance analysis of the proposed median algorithm and l1 -RPCA method at bus-15.

provide fast performance during the estimate, as well as the reconstruction phase of the affected measurements, with a better CPU time.¹ To evaluate the robustness of the proposed scheme, the second attack is injected at multiple streams of PMU data. The chosen attack locations were buses 15, 16, and 17. The second attack scenario corresponds to 30% corruption. Fig. 6.19 shows the overall estimation performance of

¹ CPU hardware configuration: Intel(R) Core(TM) i7-8565U CPU, Windows 10 operating system, 4 processors, main memory of 12 GB DDR4 SDRAM 1800 MHz, hybrid storage capacity of 128 GB SSD and 1 TB, instruction set of 64-BITS, cache of 8 MB.


Table 6.3 Second injection with multiple streams of PMU data: MSE-based estimation comparison analysis.

Time window | 0–5 s | 5–10 s | 10–15 s | 15–20 s
MSE (MSP) | 1.09 × 10⁻³ | 4.16 × 10⁻³ | 1.08 × 10⁻³ | 4.34 × 10⁻⁴
MSE (RPCA) | 5.34 × 10⁻³ | 9.26 × 10⁻³ | 2.86 × 10⁻³ | 2.33 × 10⁻³

Time

20–25 s

25–30 s 1.67 × 6.09 × 10−3

1.36 × 3.62 × 100

1.12 × 10−3 3.41 × 100

Time

40–45 s

45–50 s

50–55 s

55–60 s

9.56 × 9.08 × 100

10−4

8.31 × 4.95 × 100

10−3

35–40 s

2.11 × 1.68 × 10−3 10−4

10−3

30–35 s

MSPMSE RPCAMSE MSPMSE RPCAMSE

10−4

10−5

4.51 × 6.74 × 10−4

3.78 × 10−4 8.44 × 10−4

Table 6.4 Second injection with multiple streams of PMU data: overall performance comparison.

Performance measure | AMSE | Standard deviation | MMSE | CPU time (s)
MSP | 1.90 × 10⁻³ | 1.24 × 10⁻³ | 2.10 × 10⁻³ | 4.60 × 10⁰
RPCA | 1.78 × 10⁰ | 1.45 × 10⁰ | 2.66 × 10⁰ | 4.28 × 10³

the proposed median filter and is compared with the l1 -RPCA method for measurements collected from bus 15. The median filter has successfully estimated the corruption signal as indicated by the low error between the original signal and its estimate. It can also be seen that the attack signal has been successfully removed from all measurements. This can also be noticed from the statistical analysis of the error as shown in Table 6.3. In contrast, the l1 -RPCA method underperformed the estimation of the attacked signal. This could be indicated by its associated performance error. Figs. 6.20 and 6.21 show the performance of the median filter, which has provided an accurate estimate of the original signal for PMU measurements collected from buses 16 and 17. The reconstruction performance is pictured in Table 6.4. The l1 -RPCA method was low in performance while canvassing the instant attack variations. This can be seen in Table 6.4, as well as Figs. 6.22 and 6.23. This was followed by the generation of false alarms during the residual evaluation phase in Figs. 6.22b and 6.23b respectively.
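The residual test described in this case study, as an added example that is not the book's median-based state prediction scheme: it estimates each stream from the median deviation across nine constructed PMU streams, flags samples whose residual exceeds the ±0.3 threshold, and reports the reconstruction MSE per 5 s window. The signal model, noise level, injection weights and amplitude, the attack-free first 5 s used for calibration, and the stream names other than buses 15 to 17 are assumptions.

```python
import math
import random
from statistics import median

FS = 60                        # PMU reporting rate in Hz (from the text)
N = FS * 60                    # 60 s test case
THRESHOLD = 0.3                # residual threshold quoted in the text
ATTACK_S = (33, 50)            # injection window in seconds (from the text)
# (frequency in Hz, damping ratio) of the three damped sinusoids in the text
MODES = [(0.382, 0.080), (0.55, 0.044), (0.618, 0.057)]
WEIGHTS = [0.5, 0.3, 0.2]      # assumption: the weights are not given
AMPLITUDE = 1.5                # assumption: size of the injected deviation
# Constructed stream names: only buses 15, 16 and 17 are named in the text.
STREAMS = ["pmu_a", "pmu_b", "pmu_c", "pmu_d", "pmu_e", "pmu_f",
           "bus15", "bus16", "bus17"]


def injection(t_rel):
    """Weighted sum of damped sinusoids, t_rel seconds after the attack starts."""
    total = 0.0
    for w, (f, zeta) in zip(WEIGHTS, MODES):
        wd = 2 * math.pi * f                           # damped angular frequency
        sigma = zeta * wd / math.sqrt(1 - zeta ** 2)   # decay rate for damping ratio zeta
        total += w * math.exp(-sigma * t_rel) * math.cos(wd * t_rel)
    return AMPLITUDE * total


def make_streams(attacked, seed=7):
    """Constructed data: returns (clean, observed), each name -> list of samples."""
    rng = random.Random(seed)
    clean, observed = {}, {}
    for idx, name in enumerate(STREAMS):
        clean[name], observed[name] = [], []
        for k in range(N):
            t = k / FS
            common = 0.2 * math.sin(2 * math.pi * 0.05 * t)   # system-wide swing
            if 1.0 <= t < 1.1:
                common += 0.8              # physical event seen by every PMU
            truth = 0.1 * idx + common     # per-bus steady-state offset
            seen = truth + rng.gauss(0, 0.01)
            if name in attacked and ATTACK_S[0] <= t < ATTACK_S[1]:
                seen += injection(t - ATTACK_S[0])
            clean[name].append(truth)
            observed[name].append(seen)
    return clean, observed


def detect(observed, calib_s=5):
    """Cross-stream median estimate plus thresholded residuals.
    Returns (estimate, alarms); alarms[name] lists the flagged sample indices."""
    n_cal = calib_s * FS
    offset = {s: median(v[:n_cal]) for s, v in observed.items()}
    estimate = {s: [] for s in observed}
    alarms = {s: [] for s in observed}
    for k in range(N):
        # median deviation from baseline across all streams at sample k
        common = median(observed[s][k] - offset[s] for s in observed)
        for s in observed:
            est = offset[s] + common
            estimate[s].append(est)
            if abs(observed[s][k] - est) > THRESHOLD:
                alarms[s].append(k)
    return estimate, alarms


def windowed_mse(estimate, reference, window_s=5):
    """Reconstruction MSE per window, the quantity tabulated in Table 6.1."""
    w = window_s * FS
    return [sum((e - r) ** 2 for e, r in zip(estimate[i:i + w], reference[i:i + w])) / w
            for i in range(0, N, w)]


def run(attacked):
    """Returns (flagged stream names, alarms, per-stream windowed MSE)."""
    clean, observed = make_streams(attacked)
    estimate, alarms = detect(observed)
    flagged = sorted(s for s in STREAMS if alarms[s])
    mse = {s: windowed_mse(estimate[s], clean[s]) for s in STREAMS}
    return flagged, alarms, mse


if __name__ == "__main__":
    for attacked in ({"bus16"}, {"bus15", "bus16", "bus17"}):
        flagged, alarms, mse = run(attacked)
        first = min(alarms[s][0] for s in flagged) / FS
        print(sorted(attacked), "flagged:", flagged, "first alarm at %.2f s" % first)
        print("  max windowed MSE on bus16: %.2e" % max(mse["bus16"]))
```

The cross-stream median only holds while fewer than half of the streams are corrupted: with five of the nine streams carrying the injection, the estimate follows the injected signal and the alarms land on the clean streams instead.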

6.3.2 Monitoring and control systems case study

The numerical simulations of WAMCS are made using a four-area interconnected power system. Modeling details and system parameters are based on [55]. Each area contains a load, wind-power output, generator turbine, battery system, and heat-pump system, with the following parameters:
• Area 1: inertia $M$ is 0.20 puMWEs/Hz, damping $D$ is 0.26 puMW/Hz, governor time $\tau_g$ is 0.20 s, gas-turbine time $\tau_d$ is 5 s, battery energy-storage system (BESS) time $\tau_{BESS}$ is 0.20 s, heat-pump system time $\tau_H$ is 4.5 s, regulation $R_g$ is 2.5 Hz/puMW, and synchronizing coefficient $T_{ij}$ is 0.50 puMW.
• Area 2: inertia $M$ is 0.23 puMWEs/Hz, damping $D$ is 0.28 puMW/Hz, governor time $\tau_g$ is 0.25 s, gas-turbine time $\tau_d$ is 4 s, BESS time $\tau_{BESS}$ is 0.23 s, heat-pump system time $\tau_H$ is 4.8 s, regulation $R_g$ is 2.1 Hz/puMW, and synchronizing coefficient $T_{ij}$ is 0.53 puMW.
• Area 3: inertia $M$ is 0.29 puMWEs/Hz, damping $D$ is 0.20 puMW/Hz, governor time $\tau_g$ is 0.28 s, gas-turbine time $\tau_d$ is 6 s, BESS time $\tau_{BESS}$ is 0.27 s, heat-pump system time $\tau_H$ is 4.0 s, regulation $R_g$ is 2.1 Hz/puMW, and synchronizing coefficient $T_{ij}$ is 0.55 puMW.
• Area 4: inertia $M$ is 0.30 puMWEs/Hz, damping $D$ is 0.21 puMW/Hz, governor time $\tau_g$ is 0.27 s, gas-turbine time $\tau_d$ is 5.3 s, BESS time $\tau_{BESS}$ is 0.24 s, heat-pump system time $\tau_H$ is 4.6 s, regulation $R_g$ is 2.9 Hz/puMW, and synchronizing coefficient $T_{ij}$ is 0.52 puMW.

Figure 6.20 Second injection with multiple streams of PMU data: (a–c) Performance analysis of the proposed median-based predictive method at bus 16.

Figure 6.21 Second injection with multiple streams of PMU data: (a–c) Performance analysis of the proposed scheme at bus 17.

In this chapter, the proposed scheme is evaluated against the decentralized technique of [56]. To evaluate the proposed scheme, the following dynamics have been injected (see Figs. 6.22 and 6.23):
• First Injection: A disturbance is injected as a load fluctuation at 2–5 s at area 1.
• Second Injection: A disturbance is injected as a load fluctuation at 5–13 s at area 1.
• Third Injection: A random noise-like disturbance is injected to represent turbulence for the whole 0–60 s time window at area 2.

Figure 6.22 Second injection with multiple streams of PMU data: (a–b) Performance analysis of $\ell_1$-RPCA method at bus 16.

Figure 6.23 Second injection with multiple streams of PMU data: (a–b) Performance analysis of $\ell_1$-RPCA method at bus 17.

Figure 6.24 First and second injections in area 1.

Figure 6.25 Third injection in area 2.

The first and second injections were made on the frequency profile of area 1. The main difference between the two injections is the span of fluctuation. Overall, the proposed scheme and the decentralized adaptive controller were able to control the injections with reasonable accuracy. This can be observed in Figs. 6.24 and 6.25, respectively. However, the proposed scheme provided better results, while damping the oscillations more effectively. This is due to its property of handling the input and output constraints and sustaining the effect of unknown interactions. This was observed particularly due to the nature of random injections. Huang et al. [56] lost track of the variations, perhaps because of its nonexogenous representation of handling the random variations and constraints. A relatively intense injection was made on the frequency profile of area 2, as shown in Fig. 6.23. The backstepping design of the proposed scheme effectively took the noise-based turbulence as a parametric system uncertainty. It was able to handle these injections, while suppressing any control overshoots and achieving an adequate settling time (Fig. 6.26). The step response due to the control input at area 2 is also represented in Fig. 6.27.

Figure 6.26 First injection: Comparative analysis of the control performance of the proposed scheme and [28] at area 1.

Figure 6.27 Second injection: Comparative analysis of the control performance of the proposed scheme and [28] at area 1.

Figure 6.28 Third injection: Comparative analysis of the control performance of the proposed scheme and [28] at area 2.

Figure 6.29 Comparative analysis of the step response due to the reference input at area 2.

Simulation results indicate the effective overall performance of the proposed control scheme, which can enhance transient stability and dampen the power angle oscillations in the presence of injected disturbances. Under the frequency deviations in Figs. 6.24–6.27, the circuit breakers trip at frequency deviations of ±1.5 Hz. Figs. 6.24–6.27 show that the proposed design does not violate the permissible frequency deviations. Thus, unnecessary tripping of the circuit breakers is avoided.

The design parameters are chosen as follows: $\alpha_{1,i} = \alpha_{2,i} = 0.05$, $k_{1,i} = k_{2,i} = 1$, $\varepsilon_{1,i} = \varepsilon_{2,i} = 2$. All the initial conditions are null except those of the load, wind-power output, generator turbine, battery system, and heat-pump system. The responses of the closed-loop system (6.10)–(6.12) are recorded. This can be seen in Figs. 6.28 and 6.29. It can also be seen that the finite-time regulation of the closed-loop system state of the four-area interconnected power system is achieved, as proven in the theorems. The adaptive parameters converge, which shows the efficiency of the controller. Moreover, time-varying bounds are imposed on the state response. The time-varying bound is an adaptive envelope that is built using (6.13)–(6.14). It can be seen that the state response remains within the given envelope. It is also important to note that the control input is bounded and saturated as per the proposed decentralized finite-time approach. Interestingly enough, the results reported in this chapter can be further investigated and amended along the research lines pursued in [29–50].

6.4 Notes

In this chapter, an approach for the design of a wide-area damping controller that uses system-wide signals is presented using an NCS framework. The controller takes into account the effects of delays and packet losses due to the transmission of sensor signals via a limited communication network. The networked controller has been found to enhance system stability in the presence of disturbances. While this paper presents a state-feedback based controller, the technique can be extended to design a more realistic output-feedback networked controller. This work can also be extended to control power systems with distributed generation sources that are geographically dispersed around the grid.

References

[1] L.A. Barroso, H. Rudnick, F. Sensfuss, P. Linares, The green effect, IEEE Power Energy Mag. 8 (5) (2010) 22–35.
[2] R. Moreno, G. Strbac, F. Porrua, S. Mocarquer, B. Bezerra, Making room for the boom, IEEE Power Energy Mag. 8 (5) (2010) 36–46.
[3] F. Li, W. Qiao, H. Sun, H. Wan, J. Wang, Y. Xia, Z. Xu, P. Zhang, Smart transmission grid: vision and framework, IEEE Trans. Smart Grid 1 (2) (2010) 168–177.
[4] A.Q. Huang, J. Baliga, FREEDM system: role of power electronics and power semiconductors in developing an energy internet, in: Proceedings of International Symposium on Power Semiconductor Devices, 2009.
[5] N. Ginot, M.A. Mannah, C. Batard, M. Machmoum, Application of power line communication for data transmission over PWM network, IEEE Trans. Smart Grid 1 (2) (2010) 178–185.
[6] J. Anatory, N. Theethayi, R. Thottappillil, Channel characterization for indoor powerline networks, IEEE Trans. Power Deliv. 24 (4) (2009) 1883–1888.
[7] V.K. Chandna, M. Zahida, Effect of varying topologies on the performance of broadband over power line, IEEE Trans. Power Deliv. 25 (4) (2010) 2371–2375.
[8] C. Konate, A. Kosonen, J. Ahola, M. Machmoum, J.-F. Diouris, Power line communication in motor cables of inverter-fed electric drives, IEEE Trans. Power Deliv. 25 (1) (2010) 125–131.
[9] V.I. Nguyen, W. Benjapolakul, K. Visavateeranon, A high-speed, low cost and secure implementation based on embedded ethernet and internet for SCADA systems, in: Proceedings of SICE Annual Conference, 2007.
[10] J.D. McDonald, Developing and defining basic SCADA system concepts, in: Proceedings of Rural Electric Power Conference, 1993.
[11] I. Ali, M.S. Thomas, Substation communication networks architecture, in: Proceedings of Joint International Conference on Power System Technology and IEEE Power India Conference, 2008.
[12] National Institute of Standards and Technology, NIST framework and roadmap for smart grid interoperability standards, release 1.0, http://www.nist.gov.
[13] V.C. Gungor, F.C. Lambert, A survey on communication networks for electric system automation, Elsevier Comput. Netw. 50 (7) (2006) 877–897.
[14] M.S. Mahmoud, Switched Time-Delay Systems, Springer-Verlag, Boston, July 2010.
[15] M. Yu, L. Wang, T. Chu, G. Xie, Stabilization of networked control systems with data packet dropout and network delays via switching system approach, in: Proc. 43rd IEEE Conference on Decision and Control, vol. 4, 2004, pp. 3539–3544.
[16] F. Cleveland, Cybersecurity issues for advanced metering infrastructure (AMI), in: Proc. Power and Energy Society General Meeting–Conversion and Delivery of Electrical Energy in the 21st Century, 2008.
[17] R. Bobba, E. Heine, H. Khurana, T. Yardley, Exploring a tiered architecture for naspinet, in: Proc. Innovative Smart Grid Technologies, ISGT, 2010.
[18] K.E. Martin, J.R. Carroll, Phasing in the technology, IEEE Power Energy Mag. 6 (5) (Sep. 2008) 24–33.
[19] H.M. Khalid, J.C.-H. Peng, Improved recursive electromechanical oscillations monitoring scheme: a novel distributed approach, IEEE Trans. Power Syst. 30 (2) (Mar. 2015) 680–688.
[20] H.M. Khalid, J.C.-H. Peng, Tracking electromechanical oscillations: an enhanced maximum-likelihood based approach, IEEE Trans. Power Syst. 31 (3) (May 2016) 1799–1808.
[21] J. Follum, J.W. Pierre, R. Martin, Simultaneous estimation of electromechanical nodes and forced oscillations, IEEE Trans. Power Syst. 32 (5) (Sep. 2016) 3958–3967.
[22] U. Agrawal, J.W. Pierre, Detection of periodic forced oscillations in power systems incorporating harmonic information, IEEE Trans. Power Syst. 34 (1) (Jan. 2019) 782–790.
[23] J.B. Zhao, M. Netto, L. Mili, A robust iterated extended Kalman filter for power system dynamic state estimation, IEEE Trans. Power Syst. 32 (4) (Jul. 2017) 3205–3216.
[24] G. Anagnostou, B.C. Pal, Derivative-free Kalman filtering based approaches to dynamic state estimation for power systems with unknown inputs, IEEE Trans. Power Syst. 33 (1) (Jan. 2018) 116–130.
[25] A. Rouhani, A. Abur, Constrained iterated unscented Kalman filter for dynamic state and parameter estimation, IEEE Trans. Power Syst. 33 (3) (May 2018) 2404–2414.
[26] J.B. Zhao, L. Mili, Robust unscented Kalman filter for power system dynamic state estimation with unknown noise statistics, IEEE Trans. Smart Grid 10 (2) (Mar. 2019) 1215–1224.
[27] J.B. Zhao, L. Mili, A decentralized H-infinity unscented Kalman filter for dynamic state estimation against uncertainties, IEEE Trans. Smart Grid 10 (5) (Sep. 2019) 4870–4880.
[28] H.M. Khalid, S.M. Muyeen, J.C.H. Peng, Cyber-attacks in a looped energy-water nexus: an inoculated sub-observer-based approach, IEEE Syst. J. 14 (2) (Jun. 2020) 2054–2065.
[29] R. Fu, X. Huang, Y. Xue, Y. Wu, Y. Tang, D. Yue, Security assessment for cyberphysical distribution power system under intrusion attacks, IEEE Access 7 (2019) 75615–75628.
[30] N. Forti, G. Battistelli, L. Chisci, S. Li, B. Wang, B. Sinopoli, Distributed joint attack detection and secure state estimation, IEEE Trans. Signal Inf. Process. Netw. 4 (1) (Mar. 2018) 96–110.
[31] H.M. Khalid, J.C.-H. Peng, A Bayesian algorithm to enhance the resilience of WAMS applications against cyber attacks, IEEE Trans. Smart Grid 7 (4) (March 2016) 2026–2037.
[32] H.M. Khalid, J.C.-H. Peng, Immunity towards data-injection attacks using track fusion-based model prediction, IEEE Trans. Smart Grid 8 (2) (March 2017) 697–707.
[33] R.M. Lee, M.J. Assante, T. Conway, Analysis of the cyber attack on the Ukrainian power grid: Defense use case, Technical Report no. EISAC/SANS/Ukraine/DUC/5, E-ISAC, Mar. 2016, pp. 1–29.
[34] N.B. Westmoreland, J. Styczynski, S. Stables, When the lights went out: Ukraine cybersecurity threat briefing, Technical Report no. 2016/09, Booz Allen Hamilton, Nov. 2016, pp. 1–82.
[35] Cyber security notification – Meltdown & Spectre, impact on Symphony Plus, ABB Security Not. Rep., ID 8VZZ000522, Jan. 2018, pp. 1–4.
[36] Y.-F. Huang, S. Werner, J. Huang, N. Kashyap, V. Gupta, State estimation in electric power grids: meeting new challenges presented by the requirements of the future grid, IEEE Signal Process. Mag. 29 (5) (Sep. 2012) 33–43.
[37] Q. Yang, D. An, R. Min, W. Yu, X. Yang, W. Zhao, On optimal PMU placement-based defense against data integrity attacks in smart grid, IEEE Trans. Inf. Forensics Secur. 12 (7) (Jul. 2017) 1735–1750.
[38] A. Ameli, A. Hooshyar, A.H. Yazdavar, E.F. El-Saadany, A. Youssef, Attack detection for load frequency control systems using stochastic unknown input estimators, IEEE Trans. Inf. Forensics Secur. 13 (10) (Oct. 2018) 2575–2590.
[39] Z. Zhang, R. Deng, D.K.Y. Yau, P. Cheng, J. Chen, Analysis of moving target defense against false data injection attacks on power grid, IEEE Trans. Inf. Forensics Secur. 15 (Jul. 2019) 2320–2335.
[40] M.N. Kurt, Y. Yilmaz, X. Wang, Real-time detection of hybrid and stealthy cyberattacks in smart grid, IEEE Trans. Inf. Forensics Secur. 14 (2) (Feb. 2019) 498–513.
[41] S. Ghosh, M.R. Bhatnagar, W. Saad, B.K. Panigrahi, Defending false data injection on state estimation over fading wireless channels, IEEE Trans. Inf. Forensics Secur. 16 (2021) 1424–1439, https://doi.org/10.1109/TIFS.2020.3031378.
[42] M.N. Kurt, Y. Yilmaz, X. Wang, Distributed quickest detection of cyber-attacks in smart grid, IEEE Trans. Inf. Forensics Secur. 13 (8) (Aug. 2018) 2015–2030.
[43] A.G. Exposito, A.V. Jaen, C.G. Quiles, P. Rousseaux, T.V. Cutsem, A taxonomy of multi-area state estimation methods, Electr. Power Syst. Res. 81 (4) (Apr. 2011) 1060–1069.
[44] T. Huang, B. Satchidanandan, P. Kumar, L. Xie, An online detection framework for cyber attacks on AGC, IEEE Trans. Power Syst. 33 (6) (Apr. 2018) 6816–6827.
[45] H. Karimipour, V. Dinavahi, Robust massively parallel dynamic state estimation of power systems against cyber-attack, IEEE Access 6 (Dec. 2017) 2984–2995.
[46] H. Karimipour, V. Dinavahi, On false data injection attack against dynamic state estimation on smart power grids, in: IEEE International Conference on Smart Energy Grid Engineering, SEGE, Oshawa, ON, Canada, 14–17 Aug. 2017, pp. 388–393.
[47] J. Zhao, G. Zhang, M.L. Scala, Z.Y. Dong, C. Chen, J. Wang, Short-term state forecasting-aided method for detection of smart grid general FDIA, IEEE Trans. Smart Grid 8 (4) (Jul. 2017) 1580–1590.
[48] A. Anwar, A.N. Mahmood, Z. Tari, Ensuring data integrity of OPF module and energy database by detecting changes in PFP in smart grids, IEEE Trans. Ind. Inform. 13 (6) (Dec. 2017) 3299–3311.
[49] Y. Li, J. Li, X. Luo, X. Wang, X. Guan, Cyber attack detection and isolation for smart grids via unknown input observer, in: 37th Chinese Control Conference, CCC, Wuhan China, 25–27 Jul. 2018, pp. 1–6.
[50] H.M. Khalid, Q. Ahmed, J.C.-H. Peng, Health monitoring of li-ion battery systems: a median expectation-based diagnosis approach (MEDA), IEEE Trans. Transp. Electrif. 1 (1) (Jul. 2015) 94–105.
[51] M.A. Pai, Energy Function Analysis for Power System Stability, Kluwer Academic Publishers, Boston, 1989, pp. 1–245.
[52] R.D. Zimmerman, C.E.M. Sanchez, R.J. Thomas, Matpower: steady-state operations, planning, analysis tools for power systems research and education, IEEE Trans. Power Syst. 26 (1) (Feb. 2011) 12–19.
[53] K. Mahapatra, M. Ashour, N.R. Chaudhuri, C.M. Lagoa, Malicious corruption resilience in PMU data and wide-area damping control, IEEE Trans. Smart Grid 11 (2) (Mar. 2020) 958–967.
[54] K. Mahapatra, N.R. Chaudhuri, Online robust PCA for malicious attack-resilience in wide-area mode metering application, IEEE Trans. Power Syst. 34 (4) (Jul. 2019) 2598–2610.
[55] W. Yan, L. Sheng, D. Xu, W. Yang, Q. Liu, H∞ robust load frequency control for multi-area interconnected power system with hybrid energy storage system, MDPI – Appl. Sci. (Sep. 2018) 1–14.
[56] R. Huang, J. Zhang, Z. Lin, Decentralized adaptive controller design for large-scale power systems, Automatica 79 (May 2017) 93–100.

CHAPTER 7

Mature industrial functions

Contents
7.1. Secure remote state estimation
7.1.1 Introduction
7.1.2 Problem formulation
7.1.2.1 System model
7.1.2.2 Plant model
7.1.2.3 The $\chi^2$ detector
7.1.2.4 Linear FDI attack
7.1.3 Secure modules for data transmission
7.1.3.1 Structure of secure modules for data transmission
7.1.3.2 Feasibility analysis
7.1.4 Detection and performance analysis in various attack scenarios
7.1.4.1 Scenario I: no information leakage
7.1.4.2 Scenario II: partial information leakage
7.1.4.3 Scenario III: information leakage
7.1.5 Extension to detect other attacks
7.1.5.1 False-data injection attack
7.1.5.2 Replay attack
7.1.6 Proofs of the lemmas and theorems
Appendix A
Appendix B
Appendix C
Appendix D
Appendix E
7.1.7 Simulation results
7.1.7.1 Simulation result in Scenario I
7.1.7.2 Simulation result in Scenario II
7.1.7.3 Simulation result in Scenario III
7.1.7.4 Extension to detect the replay attack
7.2. Notes
References

Cyberphysical Infrastructures in Power Systems https://doi.org/10.1016/B978-0-32-385261-6.00018-X
Copyright © 2022 Elsevier Inc. All rights reserved.

7.1 Secure remote state estimation

7.1.1 Introduction

Cyberphysical power systems (CPPSs) have a wide spectrum of applications, including environment monitoring, smart grids, and intelligent transportation [1,2]. However, the use of unprotected wireless networks exposes the systems' vulnerabilities to malicious cyberattacks, which may cause great damage to the national economy, and even enormous loss of human life [3]. According to the two main security goals, availability and integrity, the attacking patterns can be categorized into two types: denial-of-service (DoS) attacks and deception attacks [4]. The DoS attack can block wireless channels to cause packet loss. It not only affects the remote state estimation but also damages the closed-loop control system (CS) [5–9]. On the other hand, deception attacks, including false-data injection (FDI) attacks and replay attacks, can intercept and modify the exchanged information. The consequences of deception attacks have been well-studied in works such as [10,11]. Compared with the DoS attack, the deception attack may aggravate the damage to operating systems (OPs) because it can remain undetected and misdirect the center to fuse fake data.

To detect the cyberattack, the residue-based $\chi^2$ detector, which is based on the statistical properties of the arriving data, is widely applied to the remote state-estimation scenario. However, the works in [12–14] revealed that the $\chi^2$ detector has some inherent weaknesses, which may be exploited by adversaries. For instance, [12] proposed an optimal linear man-in-the-middle (MITM) attack that maximizes the estimation-error covariance, while remaining undetected by the $\chi^2$ detector. Note that not only the $\chi^2$ detector, but almost all the statistics-based detectors fail to detect such an attack. This is because the transmitted data modified by the attack in [12] can preserve the same statistical properties as the original data.

To address such a problem, several studies have made improvements to the original $\chi^2$ detector or even put forward other defense mechanisms. In [15], an anomaly detector was proposed based on the causal relationship among the data sequences from multisensors. In [16], a detection method, relying on the correlations between the safety sensors and the suspicious sensors, was proposed to detect the attack. In [17], the authors designed a stochastic event-based detector that can increase the robustness of the system under attack.

Most of the current literature, e.g., [15,16], is limited to multisensor systems, where more information conducive to the attack detection can be extracted at the expense of consuming more sensing resources. In contrast, owing to the lack of useful information about the attack behavior, the existing attack defense methods in the single-sensor system can neither detect the attack effectively nor guarantee the estimation performance of the remote side. For example, the method in [17] improved the estimation performance to some extent under the same type of attack as that in [12], but was unable to distinguish whether such an attack occurs or not.

Motivated by the cited problems, an attack defense method in a single-sensor system is proposed here that can effectively address the linear FDI attack without sacrificing the estimation performance in normal operation. In contrast to the watermarking utilized in the closed-loop CS in [18], this section takes the pseudorandom number as a watermarking to encrypt and decrypt the transmitted data in the remote state-estimation framework. The method presented in this section can eliminate the attached watermarking to recover the original data, and does not affect the estimation performance in normal operation. Meanwhile, the data modified by the linear FDI attack are marked with the extra added watermarking, so that the $\chi^2$ detector can effectively distinguish the existence of such an attack to guarantee the remote estimation performance.

Notations

Let $\mathbb{N}$ and $\mathbb{R}$ denote the sets of nonnegative integers and real numbers, respectively. $\mathbb{R}^n$ is the $n$-dimensional Euclidean space. $\mathbb{S}^n_{+}$ and $\mathbb{S}^n_{++}$ are the sets of $n \times n$ positive semi-definite and positive definite matrices. When $X \in \mathbb{S}^n_{+}$ (or $\mathbb{S}^n_{++}$), we write $X \geq 0$ (or $X > 0$). If $X \geq Y$, $X - Y \in \mathbb{S}^n_{+}$; similarly, if $X > Y$, $X - Y \in \mathbb{S}^n_{++}$. $\mathrm{Tr}\{\cdot\}$ is the trace of a square matrix. The superscript $\top$ refers to the transposition of a matrix. $\mathrm{diag}(e_1, \ldots, e_n)$ represents the diagonal matrix with its diagonal elements varying from $e_1$ to $e_n$. The notation $\mathbb{E}[\cdot]$ stands for the expectation of a random variable. $\mathbb{P}[\cdot]$ stands for the probability of an event. For functions $f_1$, $f_2$ with appropriate domains, $f_1 \circ f_2(x)$ stands for the function composition $f_1(f_2(x))$. (·) represents the probability density function (pdf) of a variable satisfying gamma distribution.

7.1.2 Problem formulation

The system architecture of the security problem in the remote state-estimation scenario is introduced in this section. The detailed models are described in the following.

7.1.2.1 System model

Consider the following discrete-time linear time-invariant (LTI) process, which can be modeled as

$$x_{k+1} = A x_k + w_k, \tag{7.1}$$

$$y_k = C x_k + v_k, \tag{7.2}$$

where $k \in \mathbb{N}$ is the time index, $x_k \in \mathbb{R}^n$ is the state of the process, $y_k \in \mathbb{R}^m$ is the measurement of the sensor, $w_k \in \mathbb{R}^n$, and $v_k \in \mathbb{R}^m$ are the corresponding process noise and measurement noise, which are both zero-mean i.i.d. (independent, identically distributed) Gaussian white noises with covariances $Q \geq 0$ and $R > 0$. Note that $w_k$ and $v_k$ are mutually uncorrelated with each other. Moreover, the initial state of the process $x_0$ is a zero-mean i.i.d. Gaussian white noise with its covariance $\Sigma_0$, and is uncorrelated with $w_k$ and $v_k$. $A$ and $C$ are the system matrix and measurement matrix, respectively. The pair $(A, C)$ is detectable and $(A, \sqrt{Q})$ is stabilizable.

7.1.2.2 Plant model

Smart sensors are equipped with computation modules to process the sampled measurement $y_k$ in (7.2) at each time step. Here, the smart sensor adopts a standard Kalman filter (KF) to locally estimate the system state:

$$\hat{x}_k^{-} = A \hat{x}_{k-1}, \tag{7.3a}$$

$$P_k^{-} = A P_{k-1} A^{\top} + Q, \tag{7.3b}$$

$$K_k = P_k^{-} C^{\top} \left( C P_k^{-} C^{\top} + R \right)^{-1}, \tag{7.3c}$$

$$\hat{x}_k = \hat{x}_k^{-} + K_k \left( y_k - C \hat{x}_k^{-} \right), \tag{7.3d}$$

$$P_k = (I - K_k C) P_k^{-}, \tag{7.3e}$$

where $\hat{x}_k^{-}$ and $\hat{x}_k$ are the a priori and the a posteriori minimum mean-square error (MiMSE) estimates of the state $x_k$, and $P_k^{-}$ and $P_k$ are the corresponding estimation-error covariances. The recursion starts from $\hat{x}_0 = 0$ and $P_0 = \Sigma_0 \geq 0$. Then the smart sensor can get the innovation $z_k$, which is sent to the remote side and can be defined as $z_k = y_k - C \hat{x}_k^{-}$, which is a zero-mean i.i.d. Gaussian random variable with its covariance $\Sigma_z \triangleq \mathbb{E}\left[ z_k z_k^{\top} \right] = C P_k^{-} C^{\top} + R$. To simplify our subsequent discussions, the Lyapunov and Riccati operators $h, \tilde{g} : \mathbb{S}^n_{+} \to \mathbb{S}^n_{+}$ are defined as $h(X) \triangleq A X A^{\top} + Q$, $\tilde{g}(X) \triangleq X - X C^{\top} \left( C X C^{\top} + R \right)^{-1} C X$.

It is well-known that the KF enters into the steady state exponentially fast from any initial condition [19]. Hence, it is assumed that the iteration of the filter starts from the steady state, i.e., $\Sigma_0 = \lim_{k \to \infty} P_k^{-} = \bar{P}$, where $\bar{P}$ is the unique positive semi-definite solution of $h \circ \tilde{g}(X) = X$. Under this assumption, besides $\Sigma_z$, the corresponding gain of the KF will become a fixed value as well:

$$K = \bar{P} C^{\top} \left( C \bar{P} C^{\top} + R \right)^{-1}. \tag{7.4}$$

With the innovation $z_k$ sent by the smart sensor through the wireless network, the remote estimator also applies a KF (7.3a)–(7.3e) to monitor the system state $x_k$.

7.1.2.3 The $\chi^2$ detector

To detect the attack, the remote side is equipped with a residue-based $\chi^2$ detector, which is widely applied in fault detection and process monitoring (e.g., [12,16,20]). Based on statistical properties of the innovation $z_k$, the following hypothesis testing is taken as the detection criterion:

$$\xi_k \triangleq \sum_{i=k-J+1}^{k} z_i^{\top} \Sigma_z^{-1} z_i \; \underset{H_1}{\overset{H_0}{\lessgtr}} \; \zeta, \tag{7.5}$$

where the null hypothesis $H_0$ means that the arriving data is trustworthy while $H_1$ is on the contrary, $J$ and $\zeta$ are the window size and the threshold of the detector, respectively, and $\xi_k$ is the sum of normalized squared residues and satisfies the $\chi^2$ distribution with $mJ$ degrees of freedom. $\zeta$ is determined by the confidence coefficient, which is denoted as $P_\zeta$. In other words, the false-alarm rate is $1 - P_\zeta$. With the window size $J \neq 1$, the statistic $\xi_k$ depends on not only the present received data but also the previous ones. To reflect the one-to-one correspondence among the attack, the detector, and the estimator more clearly and concisely, we set $J = 1$. Note that, since the innovation $z_k$ is independent, $\xi_k$ with a long window size is just the linear combination of the one in each time step without any coupling. Thus, for the more general case, when $J \neq 1$, the analytical method and the obtained results are the same in the following subsections.

7.1.2.4 Linear FDI attack

In an FDI attack, a malicious third party intercepts messages passing through the wireless network and then injects falsified data [18]. In particular, [12,13] proposed an innovation-based linear FDI attack that can modify the transmitted data without being detected by the $\chi^2$ detector. Since the data modified by such an attack can preserve the same statistical properties as the original data, almost all the statistic-based detectors, including the $\chi^2$ detector, fail to detect the attack. This raises the challenging problem of how to protect the transmitted data against the attack in the single-sensor remote state-estimation system. The aim of this section is to address the security problem caused by the linear FDI attack, whose attack model is defined as

$$\tilde{z}_k = T_k z_k + b_k, \tag{7.6}$$

where $\tilde{z}_k$ is the innovation modified by the attacker, $T_k \in \mathbb{R}^{m \times m}$ is an arbitrary matrix, and $b_k$ is a zero-mean i.i.d. Gaussian random variable with its covariance $\Sigma_b$, which is independent of $z_k$. According to [16], the physical meaning of $b_k$ is the malicious data injected into the sensor readings through the transmission module or gateway (cyberpart) of the sensor. Thus $\tilde{z}_k$ also follows a normal distribution with zero mean and covariance $T_k \Sigma_z T_k^{\top} + \Sigma_b$.

Based on whether the attack exists or not, the alarm rate of the $\chi^2$ detector can be divided into the detection rate and the false-alarm rate (false positive rate), respectively. Note that the detection rate is equal to one minus the miss rate. If $\tilde{z}_k$ maintains the same statistical characteristics as the original innovation $z_k$, the detection rate under the attack (7.6) is equal to the false-alarm rate $(1 - P_\zeta)$ in normal operation [12]. In other words, the attack in (7.6) should satisfy the following feasibility constraint to remain undetected:

$$T_k \Sigma_z T_k^{\top} + \Sigma_b = \Sigma_z. \tag{7.7}$$

Among all the attack strategies satisfying (7.7), the optimal linear FDI attack (OLMA) strategy was derived in [12], which is summarized as

Lemma 5. [12] $T_k = -I$ and $b_k = 0$ is the OLMA in the sense that it yields the largest state-estimation error at the remote side without being detected. The corresponding estimation error covariance follows the recursion: $P_k = P_k^{-} + 3 \bar{P} C^{\top} \Sigma_z^{-1} C \bar{P}$.

7.1.3 Secure modules for data transmission

In this section, secure modules for data transmission are introduced that can assist the $\chi^2$ detector to detect the originally undetectable attack and recover the innovation $z_k$ in the absence of the attack. The structure of the secure modules is illustrated, and then the corresponding mechanism is analyzed. Finally, the feasibility of realizing the modules in a real application is discussed.


Figure 7.1 Block diagram of the overall system. The system blocks marked by the blue dashed frame, which are located at both sides of the communication channel, are the so-called secure modules for data transmission against the linear FDI attack. (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this book).

7.1.3.1 Structure of secure modules for data transmission Based on the original system architecture, secure modules for data transmission are added, which are marked by the blue dashed frames in Fig. 7.1. At the sending side, a data preprocessing submodule is constructed, whose structure is given in the following form: fk = azk + mk ,

(7.8)

where a ∈ R is a constant factor, mk ∈ Rm is the so-called watermarking, which is a zero-mean i.i.d. Gaussian random variable with the covariance m and is independent with zk , and fk ∈ Rm is the output of (7.8). Note that the choice of a, m is given in Sect. 7.1.4. It is worth noting that it is fk , rather than the real innovation zk that is transmitted through the wireless network. Under the proposed scheme, the linear attack (7.6) can be rewritten as f¯k = Ti fk + bk ,

(7.9)

where f¯k is the data modified by the attack. To recover zk from f¯k in the absence of the attack, we place the following data recovering submodule on he remote side: zrk =

f¯k − mk , a

(7.10)

where zrk is the output of (7.10). Substituting (7.8) and (7.9) into (7.10) zrk can be represented as

278

Cyberphysical Infrastructures in Power Systems

1 1 zrk = Ti zk + bk + (Tk − I ) mk . a a

(7.11)

Clearly, ztk also follows a zero-mean Gaussian distribution, whose covariance 2 is given as 2 = Tk z Tk +

1 1 b + 2 (Tk − I ) m (Tk − I ) . a2 a

(7.12)

According to (7.11) and (7.12), in the absence of the attack, i.e., Tk = I, bk = 0, the remote side can recover zrk to zk by eliminating the attached watermarking of zrk . Otherwise, zrk is watermarked by a and mk , with which can assist the χ 2 detector to detect the attack. Note that, since the innovation zk can be completely recovered by the secure modules in the absence affected by our of the attack, the false-alarm rate of the χ 2 detector is not   proposed modules, and still equals the original one, i.e., 1 − Pζ . Remark 27. To assist the χ 2 detector to address the original undetectable attack proposed in [12], the structure of the secure modules in the specific form is constructed as shown in (7.8), (7.10). For a more complex or even arbitrary attack model, a method to protect the integrity of the wireless transmitted data is provided. To be specific, the structure of the secure modules is reconstructed to assist other powerful detection tools, including correlation analysis and the detectors in [21] and [22] to detect those attacks. As shown in Fig. 7.1, the sensor remains outside of the protection of the secure modules, so that the proposed approach is defenseless against attacks corrupting the measurements yk . Remark 28. Compared with the attack detection methods in [16] and [18], one of the advantages of the proposed method here is that the estimation performance can be guaranteed in the absence of the attack because the original innovation can be recovered by eliminating the watermarking completely. ¯ the mean of Remark 29. When mk in (7.11) is a constant, denoted as m, zrk is 1a (Tk − I ) m¯ and its covariance becomes Tk z Tk + a12 b . Once any linear attack occurs, i.e., Tk = I or bk = 0, at least one of its statistical properties will be different from the one of the innovation zk . This indicates that a constant can also be utilized as the watermarking. 
However, note that the mean and the covariance of the transmitted data fk are m̄ and a² z in that case. By eavesdropping fk from the wireless network for a long period, the attacker with prior knowledge of z can estimate a and m̄ to obtain zk . Thus, the secure modules with such a watermarking may be bypassed by the attacker and lose efficacy completely. This is the prime reason why we utilize a random number as the watermarking mk , rather than a constant.

7.1.3.2 Feasibility analysis

In order to guarantee the feasibility of the presented approach, there are two critical questions that need to be addressed:

1. How does one keep the watermarking sequences in (7.8), (7.10) consistent with each other at the same time step?
2. May an attacker infer the real innovation zk from the intercepted data fk ?

The first question aims to ensure that the watermarking can be fully eliminated in the absence of the attack, and the second question makes sure that the presented approach remains effective without being bypassed by the attacker. The corresponding solutions are listed in the following:

1. Inspired by the pseudorandom number studied in information science [23], a pseudorandom sequence, which approximates to the i.i.d. Gaussian distribution, is taken as the watermarking mk . Since an identical seed generates a unique and determinate sequence, we can take an arbitrary constant as the seed and exploit some existing secret key distribution and management techniques [24] to write it into the on-board chips of both watermarking generators beforehand. Then, the watermarking sequences of both sides can be kept consistent. On the other hand, without the knowledge of the seed, the pseudorandom sequence is still random and unknown to the attacker. Furthermore, network delay may cause (7.10) to generate a watermarking that is mismatched with the delayed data. However, by utilizing the time stamp attached to the data packet [25], we can still solve this problem.
2. The processes of (7.8), (7.10) can be regarded as the encryption and decryption, whose secret key is the seed of the pseudorandom sequence and should be kept unavailable to the attacker. In fact, pseudorandom numbers are widely utilized in cryptography [26]. By applying cryptographically strong pseudorandom number-generation algorithms, we can still guarantee the stealthiness of the watermarking sequence. Moreover, since mk and the random number zk are coupled with each other in the intercepted data fk , neither mk nor zk can be extracted from fk by the attacker.

Remark 30. Encryptions are also able to guarantee both data confidentiality and data integrity [27]. However, the limited energy resources of battery-supplied sensors and communication bandwidth usually constrain the applicability of encryptions in wireless sensor networks (WSNs) [28]. To address the computation and communication overheads of encryption, the proposed watermarking scheme is an alternative low-cost method to protect the transmitted data. Specifically, from the computation perspective, the watermarking scheme requires only O(m) basic multiplication and addition operations to address innovations zk ∈ Rm based on the low-cost and cryptographically secure pseudorandom number mk [29]. From the communication perspective, the watermarking scheme changes only the value of zk into fk , and does not require additional bits for each plain-text message of the transmitted data.

7.1.4 Detection and performance analysis in various attack scenarios

For the attacker, the designed attack strategy depends on its acquired system knowledge. The extent of the information leakage can be divided into the following three cases:

1. The attacker is not aware of the existence of the secure modules;
2. The attacker has the knowledge of the structures of (7.8), (7.10), except the detailed information of mk and a;
3. Both the model structure of (7.8), (7.10) and the statistical properties of mk , along with the value of a, are disclosed to the attacker.

Since the attacker may have a different level of knowledge of the system, these three scenarios potentially exist for the attacker. In the following, we mainly present a comprehensive assessment of the proposed watermarking scheme under the three situations. To be specific, for the fixed parameter set a and m of the watermarking generators, we analyze the effect of secure modules (7.8), (7.10) on the performance of both detection and estimation under the three cases, respectively. Furthermore, we derive the optimal a and m that can minimize the estimation error under the linear attack.

7.1.4.1 Scenario I: no information leakage

In this subsection, it is assumed that the attacker is not aware of the existence of the secure modules and still launches the original OLMA in Lemma 5. Without loss of generality, the covariance of mk is designed as m = ηz ,

(7.13)

where η ∈ R is a nonnegative scalar. We will adopt such a watermarking mk in the rest of this section. Under the OLMA, zrk in (7.11) and z in (7.12) can be rewritten as 

zrk



2 4η = −zk − mk , z = 1 + 2 z , a a

(7.14)

where the derivation of z is based on (7.13). Equipped with the secure modules, the detection rate of the χ² detector under the OLMA is summarized as follows.

Theorem 17. For the system in Fig. 7.1, the detection rate of the χ² detector (7.5) to detect its received data zrk under the OLMA at the time step k is

$$ F(\tilde{\zeta}, m) \triangleq \int_{\tilde{\zeta}}^{\infty} \frac{1}{2^{m/2}\,\Gamma(m/2)}\, e^{-x/2}\, x^{\frac{m}{2}-1}\, dx , $$

which is monotonically increasing with ζ˜  1+4ζη/a2 . Moreover, when the parameters of (7.8) and (7.10) are chosen as η/a2 → ∞, the detection rate is equal to 100%. Proof. Due to the positive definiteness of z , we can make an eigenvalue decomposition for z as z = U1 1 U1 , where U1 is a unitary matrix and 1  diag (λ1 , . . . , λm ) is the diagonal matrix containing the eigenvalues −1 {λ1 , . . . , λm } of z . Then zrk can be transformed into k1  2 2 U1 zrk , where   2 = 1 + 4η/a2 1 , and k1 follows a standard zero-mean Gaussian distribution, whose covariance is an identity matrix. For the data checked by the χ 2 detector is zrk , the left-hand side of (7.5) with J = 1 can be rewritten as   ξk = zrk z−1 zrk   = zrk U1 1−1 U1 zrk    r   − 12 −1 2 2 U1 zrk = 1 + 4η/a2 zk U1 2    = 1 + 4η/a2 k1   m k1 i 2 2 = 1 + 4η/a , i=1 k1

(7.15)

i is the i-th element of k1 . According to the statistical properties where k1

m  i 2 of k1 , i=1 k1 follows a χ 2 distribution with the degree of freedom m. Thus the probability of triggering the alarm can be represented as

    m i 2 ˜ P [ξk > ζ ] = P i=1 k1 > ζ ∞ m 1 e−x/2 x 2 −1 dx  F (ζ˜ , m) , = ζ 2m/2 ( m/2)

which depends on η/a2 , so that we can derive that limη/a2 →∞ F (ζ˜ , m) = 100%. This indicates that the χ 2 detector can absolutely detect the OLMA when η/a2 → ∞. Then the relationship between the estimation performance under the OLMA and the parameter set of a and η is analyzed. Define γk as the alarm

of the χ 2 detector at each time step, i.e.,  γk =

0, 1,

 r 

zk z−1 zrk > ζ otherwise .

(7.16)

Based on γk , the remote estimator decides how to estimate the state. When γk = 1, the remote estimator decides to fuse zrk . Otherwise, it abandons zrk and replaces the state estimation with the one-step prediction x˜ −k . Thus, the recursion of the state estimation can be shown as

$$ \tilde{x}_k^{-} = A\tilde{x}_{k-1} , \tag{7.17} $$

$$ \tilde{x}_k = \tilde{x}_k^{-} + \gamma_k K z_k^{r} . \tag{7.18} $$

With the steady-state assumption of x˜ 0 = x0 , (7.18) can be recursively expanded to the initial step as x˜ k = Ak x0 +

k 

γi Ak−i Kzri .

(7.19)

i=1

This indicates that x˜ k depends on Ik  {γk , γk zk }. Based on Ik , the estimation-error covariances conditioned by the two different γk are derived as follows. Lemma 6. For the system in Fig. 7.1 under the OLMA, the estimation-error covariance in the condition of γk = 1, which is denoted as P˜ k1 , is bounded by ¯   C P¯ ≤  ¯   C P¯ , P˜ k− + 2PC Pk1 ≤  Pk− + (2 + ζ )PC

(7.20)

where P̃k− = A P̃k−1 A + Q. Otherwise, the one conditioned by γk = 0, which is denoted as P̃k2 , equals P̃k− .

Proof. The proof is detailed at the end of the section.

Remark 31. zk , it can be utilized not only to estimate the current state [30], but also to update the historical estimation, which is the smoothing process of the KF [19]. According to (7.14), (7.16), γk is composed of mk and zk . One may wonder whether γk can provide some information of zk and thus affect the conditional expectations in (7.38), (7.42). However, (7.51) in Appendix E indicates that γk has no benefit for the cognition of zk , and can only provide the information of zrk . This is the theoretical reason for the derivations of (u) and (v).

Based on Lemma 6, the evolution of the expected estimation-error covariance under the OLMA is derived. Theorem 18. For the system in Fig. 7.1, the minimum expected estimation-error covariance of the remote estimator under the OLMA at the time step k is   lim E  Pk | Ik−1 =  Pk− ,

(7.21)

η/a2 →∞

when the parameters of the secure modules in (7.8) and (7.10) satisfy η/a2 → ∞(ζ˜ → 0) .

Proof. From (7.15), (7.16), the alarm γk depends on a χ 2 variable 

m i 2 with the rei=1 k1 , whose pdf (pdf) is defined as fχ 2 (t ). Combined   sult in Lemma 6, we can get the lower bound of E  Pk | Ik−1 as follows: 

˜ E Pk | Ik−1 = 

P˜ k fχ 2 (t)dt

0



ζ¯

=



0 ζ¯

≥ 0

P˜ k1 fχ 2 (t)dt + 





ζ˜

P˜ k2 fχ 2 (t)dt



P˜ k− + 2P¯   C P¯ fχ 2 (t)dt + 

=P˜ k− + 2

ζ¯



ζ˜



P˜ k− fχ 2 (t)dt

fχ 2 (t)dt P¯  C   C P¯ ,

(7.22)

0

the limitation of which is P˜ k− with ζ˜ →  0. Similarly, we can get the limitation of the upper bound of E P˜ k | Ik−1 , which is the same as the limitation of the lower bound. Utilizing the squeeze theorem [31], we can derive the ¯   C P, ¯ result as (7.21). Due to the positive definiteness of the matrix PC  − we can obtain that E P˜ k | Ik−1 ≥ P˜ k from (7.22). Thus the expected estimation-error covariance is minimal with ζ˜ → 0. Remark 32. When the remote estimator is equipped with the stochastic χ 2 detector, Li and [17] proved that its expected estimation-error covariance under the OLMA is P˜ k− + 9/4P˜ k− C   C P˜ k− , which is larger than the result of (7.21). Thus, this method has a sharper bound on estimation error than the stochastic χ 2 detector under the OLMA in regard to the estimation performance. As for the case in the absence of the attack, the secure modules do not sacrifice the estimation performance.

However, the stochastic χ² detector still aimlessly changes its threshold. Intuitively, this method can maintain the estimation performance and is better than the one in [17].

Without any knowledge of the attack, the remote side can only abandon suspicious data if the detector alarms. However, when the attacking pattern of the OLMA is known, the remote estimator may further improve its estimation performance by correcting the fake data zrk into zk . The data correcting step can be represented as

$$ z_k^{rc} = -z_k^{r} - \frac{2}{a} m_k , \tag{7.23} $$

where zrck is the output of (7.23) and is equal to zk when the OLMA occurs. Note that whether to run (7.23) depends on the decision of the χ² detector. If the alarm of the χ² detector is triggered, the remote estimator will utilize the correcting step in (7.23) to modify the suspicious data. Otherwise, it will directly fuse the received data. However, due to the existence of the false-alarm rate 1 − Pζ , the χ² detector may mistakenly regard the innovation zk as zrk in the absence of the attack. The relationship between the alarm and the attack can be described by the following Bayes' rule:

$$ P[\alpha \mid \beta] = \frac{P[\beta \mid \alpha]\,P[\alpha]}{P[\beta \mid \alpha]\,P[\alpha] + P[\beta \mid \bar{\alpha}]\,P[\bar{\alpha}]} = \frac{P[\alpha]}{P[\alpha] + (1 - P_{\zeta})(1 - P[\alpha])} , \tag{7.24} $$

where α represents that the attack occurs, ᾱ is the opposite, β means that the alarm is triggered, and (7.24) is based on P[β | α] = 100% in Theorem 17. Since the OLMA may intermittently occur, i.e., P[α] ≠ 100%, the alarm does not mean that the OLMA exists with the probability 100%. In the absence of the attack, (7.23) may falsely modify zk as

$$ \tilde{z}_k^{rc} = -z_k - \frac{2}{a} m_k , \tag{7.25} $$

where z̃rck is the falsely corrected data, and exactly equals zrk . Inspired by Theorem 18, the falsely corrected data cannot bypass the χ² detector. Thus, the solution is to run the χ² detector again to verify z̃rck . For the data modified by (7.23), the remote estimator will only accept those data that pass the χ² detector. In this way, we can avoid the case that the data-correcting step in (7.23) falsely modifies zk into zrk when the detector falsely alarms in the absence of the attack. Then, the estimation performance can be further improved to match that under normal operation.

7.1.4.2 Scenario II: partial information leakage

With the original feasibility constraint in (7.7), the attack fails to deceive the system in Fig. 7.1, which is equipped with secure modules in (7.8) and (7.10). Meanwhile, the attacker with limited information cannot construct a new feasibility constraint either. Thus, the attacker is supposed to launch an arbitrary linear attack in the form of (7.6), and the detection performance is analyzed under such an attack. A property of the χ² detector is given as follows.

Lemma 7. Assume that two random sequences {zk3 } and {zk4 } are checked by the χ² detector, with their covariances z3 and z4 . If z3 > z4 , then E [ξk3 ] > E [ξk4 ], where ξk3 and ξk4 are calculated by (7.5) from zk3 and zk4 .

Proof. See the end of the section.

Substituting (7.13) into (7.12), i can be rewritten as i = Tk z Tk + (1/a²) b + (η/a²) (Tk − I ) z (Tk − I ) , where 1/a² and η/a² can be regarded as the amplification factors, which can enlarge i in the presence of the attack. When the parameters of the secure modules are set as

a → 0, η/a² → ∞ , (7.26)

z¯ under almost all the linear attacks in (7.6) can be amplified to infinity (except Tk → I , b → 0). According to Lemma 7, we can obtain that E [ξk | α] → ∞. Since ξk in the absence of the attack is a χ² variable with the degree of freedom m, we can get E [ξk | ᾱ] = m, which is a determined constant. Thus, with the parameters set as (7.26), the χ² detector can significantly detect almost all the linear attacks in (7.6), except a few cases to be discussed in Remark 33.

Remark 33. If the attacker slightly modifies the data, i.e., Tk → I , b → 0, it is unsure whether z¯ can be amplified. Hence, the χ² detector with the parameters in (7.26) may be unable to significantly distinguish E [ξk | α] and E [ξk | ᾱ], which leads to the failure of attack detection. Note that for the original system, which is not equipped with the secure modules, such an attack can hardly modify the transmitted data and almost has no effect on the performance degradation. Thus the solution is to switch the system back to the original one by cutting out the secure modules. It depends on the cognition degree between the attacker and the system and can be further modeled in a game-theoretic framework.

7.1.4.3 Scenario III: information leakage

In this subsection, the linear FDI attack is assumed to have knowledge of the overall system model. In that case, to bypass the χ² detector in the new system, the attacker can utilize the disclosed information of a and η to reconstruct its attack strategy Tk and b , which satisfies the following feasibility constraint:

Tk z Tk + (1/a²) b + (η/a²) (Tk − I ) z (Tk − I ) = z , (7.27)

under which zrk preserves the same statistical properties as zk , so that the detection rate of the χ² detector is 1 − Pζ . Since the χ² detector still fails to detect the redesigned attack satisfying (7.27), it seems that the secure modules are ineffective. However, with the appropriate parameter set of a and η, we can prove that such an attack has no effect on the estimation-performance degradation. Under the attack, the remote estimation-error covariance is denoted as P˜ k . The evolution of P˜ k is summarized as follows.

Lemma 8. Under the linear attack (7.9) satisfying the feasibility constraint (7.27), the recursion of the estimation-error covariance at the remote estimator follows:



¯   − Tk  −  Tk C P¯ , P˜ k = AP˜ k−1 A + Q + PC 

¯ +R where  = C PC

−1

(7.28)

.

Proof. We first rewrite the expression of (7.11) as

$$ z_k^{r} = T_k z_k + n_k , \tag{7.29} $$

where nk = (1/a) bk + (1/a) (Tk − I ) mk is a zero-mean i.i.d. Gaussian variable, and is independent of zk . Since the structure of zrk in (7.29) is the same as the one in [12], the subsequent proof is similar to the one in [12], and so is omitted here.

To analyze the bound of estimation performance under all the linear attacks satisfying (7.27), we need to derive the optimal one Tk∗ , b∗k and its corresponding estimation-error covariance P˜ k∗ , which are summarized as follows.

Lemma 9. For the system equipped with the secure modules (7.8) and (7.10) in Fig. 7.1, the optimal attack in (7.9) is

$$ T_k^{*} = \frac{\eta/a^2 - 1}{\eta/a^2 + 1}\, I , \qquad b_k^{*} = 0 , \tag{7.30} $$

which yields the largest estimation-error covariance

P˜ k∗ = AP˜ k−1 A + Q + ((3 − η/a²)/(η/a² + 1)) P̄C  C P̄ . (7.31)

Proof. See the end of the section.

Remark 34. When η = 0 and a = 1, the optimal linear attack strategy is Tk∗ = −I and b∗k = 0, which means that Theorem 18 in [12] is a special case of Lemma 9.

Theorem 19. For the system in Fig. 7.1, when the parameters of (7.8) and (7.10) are chosen as η/a² → ∞, the estimation-error covariance under any linear FDI attack (7.9) satisfying the feasibility constraint (7.27) tends to

P˜ k = AP˜ k−1 A + Q − P̄C  C P̄ ,

which is equal to the one in the absence of the attack. Proof. The estimation-error covariance P˜ k in (7.28) can be rewritten as ¯ Note that ¯   − T   −  Tk C P. AP˜ k−1 A + Q + w , where w = PC k Tk = I , bk = 0 yields the optimal estimation, which is the lower bound of (7.28). Combined with the result in Lemma 9, we can obtain ¯   C P¯ ≤ w ≤ −PC

3 − η/a2 ¯  PC  C P¯ . η/a2 + 1

(7.32)

As η/a² → ∞, the upper bound of (7.32) tends to the lower bound, i.e., ((3 − η/a²)/(η/a² + 1)) P̄C  C P̄ → −P̄C  C P̄ .

Remark 35. With the parameters chosen as η/a² → ∞, any linear attack that satisfies (7.27) to remain undetected has no effect on the performance degradation of the remote estimator. According to Theorems 18 and 19, it can be seen that the estimation-error covariance P˜ k = AP˜ k A + Q in the first scenario is larger than the one in the third scenario, i.e., P˜ k = AP˜ k A + Q − P̄C  C P̄ . However, it should be emphasized that the larger estimation-performance degradation in the first scenario is at the expense of losing stealthiness as demonstrated in Theorem 1. That is to say, if the condition (7.27) is not satisfied, the statistical properties of zrk must be different from zk so that the χ² detector can detect the data anomalies caused by the attack. In other words, the secure modules fill the loopholes of the χ² detector to detect such an attack.

Remark 36. Note that η/a² → ∞ is the optimal result for the proposed secure modules to choose their parameters. It provides a theoretical indication for how to select a and η to improve the estimation performance under the linear attack in (7.9). However, it should be emphasized that it is unnecessary to choose η/a² as an infinite number in practical application. As shown in Sect. 7.1.7, we can get satisfactory simulation results when η/a² is relatively large. Moreover, it should be mentioned that η/a² → ∞ is derived only in the context of protecting data integrity. However, this does not appear to be beneficial for data confidentiality since the pseudorandom sequence is almost exposed to the attacker in that case. Thus, the choice of η/a² → ∞ is a tradeoff between confidentiality and integrity.

Remark 37. The wireless network here is assumed to be completely reliable without a time delay, packet loss, and communication noise. Clearly, those network-induced phenomena influence the estimation performance. Note that both time delay and packet loss do not change the value of the optimal parameter set η/a² since those two factors can be straightforwardly identified, and thus do not affect the effect of the watermarking scheme on attack detection. To be specific, the time delay can be identified based on the time stamp attached to a transmitted data packet, while packet loss can be identified by the remote side via judging whether the data is received or not. However, since communication noise has the same effect on modifying the content of data packet as the attacker, it raises a challenge for the proposed watermarking scheme to distinguish between the noise and the attack. In that case, from the perspective of maximizing the estimation performance, the value of the optimal parameter set may be different from the η/a² → ∞ derived in this chapter. Extending the proposed method to the situation that considers communication noise is another future research direction.

7.1.5 Extension to detect other attacks

7.1.5.1 False-data injection attack

In contrast to the attack in [18], which injects fake data into compromised sensors, we focus on another type of FDI attack, which tampers with the wireless network by injecting an arbitrary bias. It can be formulated as

$$ \tilde{f}_k = f_k + l_k , \tag{7.33} $$

where lk ∈ Rm is an arbitrary false data injected into the transmitted data fk . Substituting (7.8), (7.33) into (7.10), the data checked by the χ² detector is zrk = zk + (1/a) lk . Then the left-hand side of (7.5) can be calculated as









1  1 E [ξk | α] = E zk + lk z−1 zk + lk a a  −1  −1 lk z lk zk z lk lk z−1 zk  −1 + + = E zk z zk + a2 a a   1 1 lk + 2zk z−1 lk . =m+ E a a

(7.34)

With the parameters in (7.26), the attack should satisfy lk = −2azk to bypass the detector. Otherwise, (7.34) is amplified to infinity. However, the innovation zk is inaccessible to the attacker since it is encrypted by mk . Thus the attacker cannot successfully inject false data.

7.1.5.2 Replay attack

The replay attack can record previously transmitted data fk and repeat them afterwards [4]. It can be formulated as f˜k = fk−τ , where τ ∈ N. Since the effect of the replay attack is similar to the network delay, the timestamp is utilized to differentiate them. After attaching the timestamp, the transmitted data packet becomes (fk , k). The following theorem analyzes the case when fk is incorrectly matched with its timestamp k.

Theorem 20. For the system in Fig. 7.1, if fk and its timestamp k are mismatched, the alarm rate of the detector is

$$ F\!\left( \frac{\zeta}{1 + 2\eta/a^2},\, m \right) . \tag{7.35} $$

When the parameters of (7.8) and (7.10) are chosen as η/a² → ∞, the χ² detector triggers the alarm with probability of 100%.

Proof. Assume that the timestamp attached to the transmitted data fk is k − τ . Then (7.10) generates mk−τ as the watermarking, which leads to zrk becoming

$$ z_k^{r} = z_k - \frac{1}{a}\,(m_k - m_{k-\tau}) . \tag{7.36} $$

Since mk is an i.i.d. Gaussian variable, the covariance of (7.36) can be derived as 2 = (1 + 2η/a²) z . Similar to Theorem 17, we can get the alarm rate as shown in (7.35). When η/a² → ∞, the detector must trigger the alarm.

Inspired by Theorem 20, the timestamp and the χ² detector can be applied to defend against the replay attack. Assume that the attacker can identify the structure of the data packet (fk , k). If the attacker just modifies fk without changing the timestamp, i.e., (fk−τ , k), the χ² detector must trigger the alarm based on Theorem 20. Otherwise, if the attacker modifies the whole data packet into the previous one (fk−τ , k − τ ), the timestamp k − τ occurs again, so that we can easily detect such an attack.
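The keyed, time-stamp-indexed watermark of Section 7.1.3.2 and the alarm rates of Theorems 17 and 20 can be checked numerically. The sketch below is an added example, not code from the book: it assumes (7.8) and (7.10) have the forms f_k = a z_k + m_k and z^r_k = (f̃_k − m_k)/a, which is what (7.29) and the stated mean and covariance of f_k imply. It also takes m = 2 with identity innovation covariance (so the χ² tail is exp(−x/2)), and uses a constructed key with an HMAC-based generator as one possible keyed pseudorandom source.

```python
import hashlib
import hmac
import math
import random
import struct

M = 2        # innovation dimension (constructed); for m = 2 the chi-square tail is exp(-x/2)
ZETA = 5.99  # detector threshold, roughly a 5% false-alarm rate for m = 2


def watermark(key, k, eta):
    """m_k with covariance eta*I, derived from the shared key and the time stamp k.

    Both sides can recompute it for any k, so delayed packets still match.
    HMAC-SHA256 plus Box-Muller is an illustrative choice, not the book's generator.
    """
    d = hmac.new(key, struct.pack(">Q", k), hashlib.sha256).digest()
    u1 = (int.from_bytes(d[:8], "big") + 1) / 2**64   # in (0, 1]
    u2 = int.from_bytes(d[8:16], "big") / 2**64       # in [0, 1)
    r = math.sqrt(-2.0 * math.log(u1)) * math.sqrt(eta)
    return [r * math.cos(2 * math.pi * u2), r * math.sin(2 * math.pi * u2)]


def embed(z, k, key, a, eta):
    """Sensor side, assumed form of (7.8): f_k = a*z_k + m_k."""
    return [a * zi + mi for zi, mi in zip(z, watermark(key, k, eta))]


def recover(f, k, key, a, eta):
    """Remote side, assumed form of (7.10): z^r_k = (f~_k - m_k)/a."""
    return [(fi - mi) / a for fi, mi in zip(f, watermark(key, k, eta))]


def alarm(zr):
    """Chi-square test with identity innovation covariance: xi = z^r' z^r > zeta."""
    return sum(v * v for v in zr) > ZETA


def predicted_rate(gain):
    """P[chi2_2 > zeta/gain]; gain is 1 (no attack), 1+4*eta/a^2 (OLMA), 1+2*eta/a^2 (replay)."""
    return math.exp(-ZETA / (2.0 * gain))


def alarm_rate(scenario, n=20000, a=1.0, eta=10.0,
               key=b"constructed-demo-key", tau=3, seed=1):
    """Empirical alarm rate over n steps for 'none', 'olma' (T_k = -I) or 'replay'."""
    rng = random.Random(seed)          # simulates the innovation z_k ~ N(0, I)
    sent, alarms = {}, 0
    for k in range(n + tau):
        z = [rng.gauss(0.0, 1.0) for _ in range(M)]
        sent[k] = embed(z, k, key, a, eta)
        if k < tau:
            continue
        if scenario == "olma":
            f = [-v for v in sent[k]]  # linear attack T_k = -I, b_k = 0 on the channel
        elif scenario == "replay":
            f = sent[k - tau]          # old payload delivered under the current time stamp
        else:
            f = sent[k]
        alarms += alarm(recover(f, k, key, a, eta))
    return alarms / n


if __name__ == "__main__":
    for name, gain in (("none", 1.0), ("olma", 41.0), ("replay", 21.0)):
        print(name, round(alarm_rate(name), 4), "predicted", round(predicted_rate(gain), 4))
```

With η/a² = 10 the empirical rates track the closed forms, and raising η/a² pushes the OLMA alarm rate toward 100%, as Theorem 17 states.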

7.1.6 Proofs of the lemmas and theorems

Appendix A

A.1. Proof of Lemma 6

We first derive the case of γk = 1, and get 



P˜ k1 =E (xk − x˜ k ) (xk − x˜ k ) | Ik−1 , γk = 1

    r =E xk − x˜ − k − Kzk (.) | Ik−1 , γk = 1     =E xk − x˜ − xk − x˜ −k | Ik−1 , γk = 1 k      + K E zrk zrk | Ik−1 , γk = 1 K      r  − E xk − x˜ − z | I , γ = 1 K k − 1 k k k     , − K E zrk xk − x˜ − | I , γ = 1 k − 1 k k

(7.37)

which consists of the terms needing to be calculated. For the first term of (7.37), we can get E









xk − x˜ −k xk − x˜ −k | Ik−1 , γk = 1

  =E (Axk−1 + wk−1 − Ax˜ k−1 ) (.) | Ik−1 , γk = 1   =AE (xk−1 − x˜ k−1 ) (xk−1 − x˜ k−1 ) | Ik−1 , γk = 1 A   + E wk−1 wk −1 | Ik−1 , γk = 1     =AE (xk−1 − x˜ k−1 ) (.) | Ik−1 A + E wk−1 wk −1 =AP˜ k−1 A + Q ,

(7.38)

where the specific explanation of how to derive the equation (u) is given in Remark 31. Due to the independence of zTi and zrj for ∀i ≠ j, the second term of (7.37) can be rewritten as





 

K E zrk zrk | γk = 1 K 

 1 −1 =K E U1 12 1 2 U1 zrk (.) | γk = 1 K    1 4η −1 = 1 + 2 K E U1 12 2 2 U1 zrk (.) | γk = 1 K  a    1 1 4η   = 1 + 2 KU1 12 E k1 k1 | k1 k1 ≤ ζ˜ 12 U1 K  a  1 1 4η = 1 + 2 KU1 12 diag (1 , . . . , m ) 12 U1 K  ,

a



(7.39)

  i 2 ˜ ≤ ζ . Due to the fact that 0 ≤ k1 ≤ i=1  2     

m j i 2 i 2 | k1 = 0 ≤ i ≤ ζ˜ − j=1,j=i k1 ≤ ζ˜ , we can obtain that 0 = E k1     i 2 i 2 | k1 ≤ ζ˜ ] < ζ˜ . Then we can obtain the upper bound of (7.39), E k1   1 1 which is 1 + 4a2η KU1 12 (ζ˜ I ) 12 U1 K  = ζ K 2 K  . Similarly, it can be cal2 m 

i where i  E k1 |

i k1

2

culated that the lower bound of (7.39) is equal to 0. Since the Kalman gain K may not be a full rank matrix, we can get 



 

0 ≤ K E zrk zrk | γk = 1 K  ≤ ζ K z K  .

(7.40)

Based on (7.1), (7.17) and (7.19), we can get 



xk − x˜ −k = Ak x0 − xˆ 0 + −   

Since E zri zrj

k−1 i=1

k−1 i=0

Ai wk−1−i

γi Ak−i Kzri .

= 0, ∀i = j, and mk is independent of all terms of (7.41),

the second to last term of (7.37) is E

(7.41)





  

xk − x˜ −k zrk | Ik−1 , γk = 1 K 

= E[{A (x0 − xˆ 0 ) + k

n 

Ai wk−1−i }{zrk }|Ik−1 , γk = 1]K 

i=0

= E[{Ak (x0 − xˆ 0 ) + = E[{Ak (x0 − xˆ 0 ) +

k−1 

2 Ai wk−1−i }{−zk − mk }|·]K  a i=0

k−1  i=0

Ai wk−1−i }{−zk } | ·]K 

v

= −E[{Ak (x0 − xˆ 0 ) +

k−1 

Ai wk−1−i }zk ]K 

i=0

¯ K , = −PC 



(7.42)

where the derivation of (v) is similar to (u), and the proof of (7.42) is the same as Theorem 17 in [12], and thus is omitted. Similarly, we can obtain: 







K E zrk xk − x˜ −k | Ik−1 , γk = 1 = −KC P¯ .

(7.43)

Substituting (7.38), (7.40), (7.42) and (7.43) into (7.37), the bound of the error covariance P˜ k1 is given in the form of (7.20). In the same way, we can obtain that P˜ k2 = P˜ k− .

Appendix B Proof of Lemma 7

Similar to the proof of Theorem 17, we utilize the eigenvalue decomposition to get z3 = U3 3 U3 , z4 = U4 4 U4 , and transform zk3 and zk4 −1

−1

into k3  3 2 U3 zk3 , k4  4 2 U4 zk4 , where k3 , k4 are both the standard Gaussian variables with covariance matrixes I. Then we calculate the expectation of the statistics ξk3 .





− 12

1 2

−1

1 2



− 12



E [ξk3 ] = E zk3 U3 3 3 U3 z U3 3 3 U3 zk3  1 1  −1  2 2 = E k3 3 U3 z U3 3 k3   1 1 −1  2 2 = Tr 3 U3 2 U3 3   = Tr z−1 z3   −1 −1 = Tr 1 2 U1 z3 U1 1 2 . 

− 12



− 12

Similarly, we can get E [ξk4 ] = Tr 1 U1 z4 U1 1 − 12



. From the assump−1

tion that z3 > z4 , we can prove that A1 U1 (z3 − z4 ) U1 1 2 is a positive definite matrix. Thus we can obtain E [ξk3 ] > E [ξk4 ].

Appendix C Proof of Lemma 9

Similar to [12], we utilize the duality relationship between the optimal attack and the optimal estimation to derive the optimal attack strategy. According to the optimality of the KF for the state estimation in a LTI process [19], the estimation-error covariance in the absence of the attack, which is denoted as Tk1 = I and bk1 = 0, is the minimum one among all the attacks (7.9). Hence, for any attack Tk2 = I + M, where M is an arbitrary matrix satisfying the constraint: (I + M )z (I + M ) +

η

a2

M z M   z ,

(7.44)

we can obtain the following inequality: 







  ¯   − Tk2 PC  −  Tk2 −  − Tk1  −  Tk1 C P¯   ¯  −M   −  M C P¯  0 . =PC

(7.45)

Assume that we can find an attack strategy of the form of Tk3 = ρ I, where ρ ∈ R. For any Tk4 = ρ I − M, where M is an arbitrary matrix satisfying the constraint: (ρ I − M )z (ρ I − M ) η + 2 (ρ I − M − I )2 (ρ I − M − I )  z ,

(7.46)

a

we can obtain 







  ¯   − Tk3 PC  −  Tk3 −  − Tk4  −  Tk4 C P¯

  ¯  −M   −  M C P¯  0 , =PC

(7.47)

which is based on (7.45). This means that Tk3 is the optimal attack strategy since its corresponding estimation-error covariance is larger than the one under any attack Tk4 . Then, we simplify the left-hand sides of (7.44) and (7.46) to obtain 

η



a2 

1+ 1+

η

a2

M  z M  + z + M z + z M  

M z M  + ρ 2 +

η

a2



(ρ − 1)2 z +

   η η −ρ − 2 (ρ − 1) z M  + −ρ − 2 (ρ − 1) M z .

a

(7.48)

a

(7.49)

Based on the one-to-one correspondence between the optimal attack and the optimal estimation, M should simultaneously satisfy (7.44), (7.46). Thus the coefficients of (7.48), (7.49) should be the same, i.e.,

$$ \rho^2 + \frac{\eta}{a^2}(\rho - 1)^2 = 1 , \qquad -\rho - \frac{\eta}{a^2}(\rho - 1) = 1 . \tag{7.50} $$

From (7.50), we can obtain ρ = (η/a² − 1)/(η/a² + 1), which means that the optimal attack exists with the form of Tk∗ = ρ I. Then, we substitute Tk∗ and (7.13) into the constraint (7.27) and get b = 0, which means that b∗k = 0. Finally, by substituting Tk∗ into (7.28), we can get P˜ k∗ as shown in (7.31).

Appendix D Lemma A.1. Let x ∈ R be a zero-mean Gaussian variable with the covariance     E x2 = 1.  is a nonnegative constant (7.37). E x2 ||x |≤  increases mono  tonically with  (7.38). If  > 0, one has E x2 ||x |≤  < 2 . 



Proof. From the definition of conditional expectation, E x2 ||x |≤  can be rewritten as   − E x x |≤  =   

2

−

√t



t2

2



e− 2 dt

0

= 

t2

e− 2 dt 2π

√1

0

√t

2



t2

e− 2 dt t2

e− 2 dt 2π

√1

.



 Then we take the derivative of E x2 x |≤  and get    d E x2 ||x |≤  d() 2 − 2   1 t2 2   t 2 t2  √ e 2 √ e− 2 dt − √1 e− 2 √ e− 2 dt 0 0 2π 2π 2π 2π =  2  1 − t2 √

0

= 

√1





0

√1

e





2 − 2 t2



e− 2 dt

2



0

e

2

dt

2 − t2 − t2 e 2 dt > 0 , √ 2π

which completes the proof of (7.37). Due to the fact that, for ∀t ∈ [0, ], 2 ≥ t2 ≥ 0, we can prove that   0 E x x |≤  =   

2

√t

2



t2

e− 2 dt

√1 e 0 2π

2 − t2

dt

 0

0. The filter in the form of (8.7) applied to a discrete-time CPPS in the form of (8.1) is said to be α1 , α2 , α3 secure if, when E 2 (k) ≤ α32 , ζ (k)2 ≤ α12 , then Ee(k)2 ≤ α22 , ∀k ≥ τm+ + 1. Remark 41. α1 , α2 , and α3 do have their own engineering insights. To be specific, α1 is the energy bound for the false signals that the adversary likes to impose on the measurement output from the attacked system during the deception attack, α3 is associated with the external noise affecting the system, α2 is associated with the desired error of the filter. So, these three parameters have essential roles for the system security performance evaluation and design.

8.3 Main results

The objective of this chapter is to design a filter as in (8.7) that guarantees that system (8.9) is α1 , α2 , α3 secure. The proposed approach is based on the concepts of switched time-delay systems [56] and inspired by [57]. The probability of each possible attack is introduced as ρj and has an expected value defined as E[ρj ] for j = 1, 2, 3, 4 as mentioned in (8.2). In this section, we will investigate the stability analysis and filter synthesis problem for the discrete-time system (8.1). Initially, a sufficient condition will be derived such that the filter (8.7) is α1 , α2 , α3 secure subject to stochastic DDoS and deception attacks. After that, the derived conditions will be used to present the design of the desired filter.

Theorem 21. For scalars α1 , α2 , α3 > 0 and the filter gains K , L, the filter (8.7) is α1 , α2 , α3 secure if there exist matrices P , Q > 0 and scalars 1 , 2 , 3 , 4 > 0 satisfying the following inequalities: ⎧ ⎪ ¯ = 11 + 12 22 T12 < 0 ⎨

θ 2 r02 z(r0 ) ⎪ ≤ α32 , , max ⎩ λmin (P ) λmin (P )(r0 −1)

where



11

12

⎤ 0 0 0 ψ1 ⎢ ∗ −Q 0 0 ⎥ ⎢ ⎥ = ⎢ ⎥, ∗ − 1 I 0 ⎦ ⎣∗ ∗ ∗ ∗ − 3 I  T ¯ A ¯ m B¯ C , 22 = P , = A

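(8.11)

$$\bar{A} = \hat{\rho}_1 A_1 + \hat{\rho}_2 A_2 + \hat{\rho}_3 A_3 + \hat{\rho}_4 A_4,$$

$$\bar{A}_m = \hat{\rho}_1 A_{m1} + \hat{\rho}_2 A_{m2} + \hat{\rho}_3 A_{m3} + \hat{\rho}_4 A_{m4},$$

$$\bar{B} = \hat{\rho}_1 B_1 + \hat{\rho}_2 B_2 + \hat{\rho}_3 B_3 + \hat{\rho}_4 B_4,$$

$$\psi_1 = (\tau_m^+ - \tau_m^- + 1) Q - P,$$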

θ2

= 1 α12 + 2 α22 ,

and

$$z(r_0) = 2(\mu_1 + \mu_2)\alpha_2^2,$$

$$\mu_1 = \tau_m^+ \lambda_{\max}(Q)\,(r_0^{\tau_m^+} - 1)(\tau_m^+ - \tau_m^- + 1),$$

$$\mu_2 = \tau_m^+ \max\{\lambda_{\max}(P),\ (\tau_m^+ - \tau_m^- + 1)\lambda_{\max}(Q)\},$$

and r0 > 1 is the solution of ¯ r0 + (r0 − 1)λmax (P ) −λmin (− )

τ+

+2r0 (τm+ − τm− + 1)λmax (Q)(r0m − 1) = 0 .

(8.12)

Proof. Let us select the following Lyapunov function: V (k) = V1 (k) + V2 (k) + V3 (k) ,

(8.13)

where V1 (k) = ξ T (k)P ξ(k), P > 0 , k−1 

V2 (k) =

ξ T (i)Qξ(i), Q = QT > 0 ,

i=k−τkm −τm− +1



V3 (k) =

k−1 

ξ T (i)Qξ(i) .

(8.14)

=−τm+ +2 i=k+−1

By calculating the difference of V1 (k), we have   E[V1 (k)] = E V1 (k + 1) − V1 (k)  ¯ − P )ξ(k) + 2ξ T (k)A¯ T P A¯ m ξ(k − τ m ) = E ξ T (k)(A¯ T P A k

¯ ζ¯ (k) + 2ξ T (k)A¯ T P C (k) +2ξ T (k)A¯ T P B ¯ T P A¯ m ξ(k − τ m ) + 2ξ T (k − τ m )A¯ T P B ¯ ζ¯ (k) ξ T (k − τ m )A k

m

k

k

m


+2ξ T (k − τkm )A¯ Tm P C (k) + 2ζ¯ T (k)B¯ T P B¯ ζ¯ (k)  T T T T ¯ ¯ +2ζ (k)B P C (k) + 2 (k)C P C (k) .

(8.15)

A straightforward computation gives 

k 

E[V2 (k)] = E

ξ T (i)Qξ(i) −

i=k+1−τkm+1

 ξ T (i)Qξ(i)

k−1  i=k−τkm

 = E ξ T (k)Qξ(k) − ξ(k − τkm )Qξ(k − τkm ) +

k−1 

ξ T (i)Qξ(i) −

i=k+1−τkm+1

 ξ(i)Qξ(i) . (8.16)

k−1  i=k+1−τkm

Notice that k−1 

k−τkm

ξ (i)Qξ(i) = T

i=k+1−τkm+1



i=k+1−τkm+1



k−1 

k−1 

ξ T (i)Qξ(i) +

ξ T (i)Qξ(i)

i=k+1−τkm k−τm−



ξ (i)Qξ(i) + T

ξ T (i)Qξ(i) . +

i=k+1−τkm

i=k+1−τm

(8.17) We readily obtain E[V2 (k)]  ≤ E ξ T (k)Qξ(k) − ξ T (k − τkm )Qξ(k − τkm ) +

k−τm−



 ξ T (i)Qξ(i) .

i=k+1−τm+

(8.18) Finally  E[V3 (k)] = E (τm+ − τm− )ξ T (k)Qξ(k) −

k−τm−



 ξ (i)Qξ(i) . T

(8.19)

i=k+1−τm+

Remark 42. We have selected V2 (k)–V5 (k) by following the procedure in [57]. This yields (8.18)–(8.19) in a form that leads to an easy-to-handle formula once the similar terms in (8.18) and (8.19) are eliminated.


On combining (8.15)–(8.19) while noting (8.6), we reach  E[V (k)] ≤ E ξ T (k)(A¯ T P A¯ − P )ξ(k) ¯ m ξ(k − τ m ) + 2ξ T (k)A¯ T P B¯ ζ¯ (k) +2ξ T (k)A¯ T P A k T T ¯ +2ξ (k)A P C (k) ¯ m ξ(k − τ m ) + 2ξ T (k − τ m )A¯ T P B ¯ ζ¯ (k) +ξ T (k − τkm )A¯ Tm P A m k k ¯ T P C (k) + 2ζ¯ T (k)B¯ T P B ¯ ζ¯ (k) +2ξ T (k − τ m )A k

m

+2ζ¯ T (k)B¯ T P C (k) + 2 T (k)CT P C (k) + (τm+ − τm− + 1)Qξ(k) −ξ

T

 T 2 T ¯ ¯ − ζ (k)ζ (k)) + 3 (α2 − (k) (k)) .

(k − τkm )Qξ(k − τkm ) + 1 (α12

(8.20) So,   ¯ k) + θ 2 , E[V (k)] ≤ E T (k) (

(8.21)

T  (k) = ξ T (k) ξ T (k − τkm ) ζ¯ T (k) T (k) .

(8.22)

with

From (8.21), one knows that   ¯ E[V (k)] ≤ −λmin (− )E ||ξ(k)||2 + θ 2 ,

(8.23)

and referring to the definition of $V(k)$, we have

$$V(k) \le \lambda_{\max}(P)\,\mathbb{E}\|\xi(k)\|^2 + \lambda_{\max}(Q)(\tau_m^+ - \tau_m^- + 1) \sum_{i=k-\tau_m^+}^{k-1} \mathbb{E}\|\xi(i)\|^2. \qquad (8.24)$$

Also, we introduce a scalar r > 1. Then it follows from (8.23) and (8.24) that, E[r k+1 V (k + 1)] − E[r k V (k)] k−1      r k E ||ξ(i)||2 + r k+1 θ 2 , ≤ a(r )r k E ||ξ(k)||2 + c (r ) +

i=k−τm

(8.25)


where ¯ r + (r − 1)λmax (P ) , a(r ) = −λmin (− )

c (r ) = (τm+ − τm− + 1)(r − 1)λmax (Q) . For any integer T ≥ (τm+ ) + 1, the summation of the two parts of (8.25) from 0 to T − 1 with respect to k gives E[r T V (T )] − E[V (0)] ≤ a(r )

T −1 





r k E ||ξ(k)||2 +

k=0

+c (r )

T k−1 m −1 

r (1 − r T ) 2 θ 1−r





r k E ||ξ(i)||2 .

(8.26)

k=0 i=k−τm+

Now, the last two terms can be presented as T −1  k−1 

+ −1  r τm − 1     2 r E ||ξ(i)|| ≤ E ||ξ(i)||2 r − 1 + +

k

k=0 i=k−τm

+

τ+

i=−τm

r (r m − 1) r −1

T −1 





r i E ||ξ(i)||2 +

i=0

T −1

 r (r τm −1 − 1)  i  r E ||ξ(i)||2 : r −1 i=0 +

(8.27) Substituting (8.26) and (8.27), it is obtained E[r T V (T )] − E[V (0)] ≤ +

r (1 − r T ) 2 θ 1−r

  c (r )(r τm − 1)τm+ sup E ||ξ(i)||2 + r −1 −τm+ ≤i≤0 +g(r )

T −1 





r k E ||ξ(k)||2 ,

k=0

where +

g(r ) = a(r ) +

2rc (r )(r τm − 1) : r−1

(8.28)


¯ < 0 and limr →∞ = +∞, there exists a scalar r0 > 1 Since g(1) = −λmin (− ) such that g(r0 ) = 0. Thus, r0 > 1 could be calculated by E[r0T V (T )] − E[V (0)] ≤

r0 (1 − r0T ) 2 θ 1 − r0

τ+

  c (r0 )(r0m − 1)τm+ sup E ||ξ(i)||2 . + r0 − 1 −τm+ ≤i≤0

(8.29)

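Note:

$$\sup_{-\tau_m^+ \le i \le 0} \mathbb{E}\|\xi(i)\|^2 \le 2\alpha_2^2, \qquad (8.30)$$

$$\mathbb{E}[r_0^T V(T)] \ge \lambda_{\min}(P)\, r_0^T\, \mathbb{E}\|e(T)\|^2, \qquad (8.31)$$

and

$$\mathbb{E}[V(0)] \le \tau_m^+ \max\{\lambda_{\max}(P),\ (\tau_m^+ - \tau_m^- + 1)\lambda_{\max}(Q)\} \times \sup_{-\tau_m^+ \le i \le 0} \mathbb{E}\|\xi(i)\|^2. \qquad (8.32)$$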

So, we have   E ||e(T )||2



(r0T − 1)θ 2

r0T −1 (r0 

− 1)λmin (P )

z(r0 ) T r0 λmin (P )  2 θ r0

+

θ 2 r0 z(r0 ) + − λmin (P ) λmin (P )(r0 − 1) λmin (P )(r0 − 1)

θ 2 r0 z(r0 ) ≤ max (8.33) , . λmin (P ) λmin (P )(r0 − 1)

= r0−T

From (8.11), we conclude $\mathbb{E}\|e(T)\|^2 \le \alpha_2^2$, which, referring to Definition 16, implies that the filter (8.7) is α1 , α2 , α3 secure. This completes the proof of Theorem 21.

Theorem 22. For scalars α1 , α2 , α3 > 0, if there exist matrices P = diag{P1, P2} > 0, Q > 0, matrices X, Y and scalars 1 , 2 , 3 , 4 > 0 satisfying the following inequalities: ⎧   ⎪ 3 11 ⎪ ⎪ 1 is obtained by solving: −λmin (− )r0 + (r0 − 1)λmax (P ) τ+

+2r0 (τm+ − τm− + 1)λmax (Q)(r0m − 1) = 0 .

(8.36)

Then the filter (8.7) is α1 , α2 , α3 -secure, and the gain matrices K and L of the filter are calculated by the following equations:

$$K = P_2^{-1} X, \qquad L = P_2^{-1} Y. \qquad (8.37)$$

¯ < 0 is reformulated as Proof. Using Schur complement,  ¯ = 11 ∗

 12 −1 < 0 . − 22

(8.38)

By multiplying the inequality (8.38) by diag{I , P } from right and left, it is obtained  11 = ∗

 3 0, matrix Q, matrices X, Y and scalars 2 , 3 , 4 > 0 with a predefined scalars α2 , α3 > 0 satisfying the following inequalities: ⎧  



⎪ ⎪ 11 3 ⎪ 0 such that ||x|| < r, ∀x ∈ S; compact if it is closed and bounded; and convex if for


Figure 9.1 Convex (left) and nonconvex (right) sets.

every $x, y \in S$ and every real number $\alpha$, $0 < \alpha < 1$, the point $\alpha x + (1 - \alpha) y \in S$. Let us now define the line segment that joins two points in $V$. Suppose that $v_1, v_2 \in V$; then we define the line segment $L(v_1, v_2)$ between them as the set of points

$$L(v_1, v_2) = \{ v \in V : v = \mu v_1 + (1 - \mu) v_2 \ \text{for some } \mu \in [0, 1] \}.$$

Clearly, the end points of the line segment are $v_1$ and $v_2$, which occur in the parametrization when $\mu = 1$ and $\mu = 0$, respectively. We can now turn to the idea of convexity. Suppose that $K$ is a nonempty subset of the vector space $V$. Then $K$ is defined to be a convex set if, for any $v_1, v_2 \in K$, the line segment $L(v_1, v_2)$ is a subset of $K$; see Fig. 9.1. This simply means that, given two points in a convex set, the line segment between them is also in the set. Note in particular that subspaces and linear varieties (a linear variety is a translation of a linear subspace) are convex. The empty set is also considered convex. Clearly, any vector space is convex, as is any subset $\{\nu\}$ of a vector space containing only a single element. Consider the expression

$$v = \mu_1 v_1 + \dots + \mu_n v_n, \qquad \mu_1 + \dots + \mu_n = 1,$$

which provides a clear generalization of an average to $n$ points $v_1, \dots, v_n$. Extending this further, the generalization of the line segment between two points to $n$ points yields a point inside the perimeter defined by the points $v_1, \dots, v_n$. This is illustrated in Fig. 9.2. Building on this intuition from $\mathbb{R}^2$, we extend the idea to an arbitrary vector space $V$. Given $v_1, \dots, v_n$, we define the convex hull of these points by

$$\mathrm{con}(\{v_1, \dots, v_n\}) = \Big\{ v \in V : v = \sum_{k=1}^{n} \mu_k v_k,\ \mu_k \in [0, 1],\ \sum_{k=1}^{n} \mu_k = 1 \Big\}.$$

With reference to Fig. 9.2, this set is made up of the points inside the perimeter; that is, the convex hull of the points $v_1, \dots, v_n$ is simply the set composed of all weighted averages of these points. In particular, for two points we have

$$L(v_1, v_2) = \mathrm{con}(\{v_1, v_2\}).$$

Figure 9.2 Convex hull of finite number of points in $\mathbb{R}^2$.

It is not difficult to show that if $R$ is convex, then it necessarily contains any convex hull formed from a collection of its points. Generalizing this to an arbitrary set $R$, we define its convex hull $\mathrm{con}(R)$ by

$$\mathrm{con}(R) = \{ v \in V : \text{there exist } n \text{ and } v_1, \dots, v_n \in R \text{ such that } v \in \mathrm{con}(\{v_1, \dots, v_n\}) \}.$$

In brief, the convex hull of $R$ is the collection of all possible weighted averages of points in $R$. The following facts provide important properties of convex sets and convex hulls.
1. Let $C_j$, $j = 1, \dots, m$, be a family of $m$ convex sets in $\mathbb{R}^n$. Then the intersection $C_1 \cap C_2 \cap \dots \cap C_m$ is convex.
2. Let $C$ be a convex set in $\mathbb{R}^n$ and $x_o \in \mathbb{R}^n$. Then the set $\{x_o + x : x \in C\}$ is convex.
3. A set $K \subset \mathbb{R}^n$ is said to be a convex cone with vertex $x_o$ if $K$ is convex and $x \in K$ implies that $x_o + \lambda x \in K$ for any $\lambda \ge 0$.
4. The subset condition $R \subset \mathrm{con}(R)$ is satisfied.
5. The convex hull $\mathrm{con}(R)$ is convex.
6. The relationship $\mathrm{con}(R) = \mathrm{con}(\mathrm{con}(R))$ holds.
7. A set $R$ is convex if and only if $\mathrm{con}(R) = R$ is satisfied, see Fig. 9.3.

An important class of convex cones is the one defined by the positive semidefinite ordering of matrices, that is, $A_1 \ge A_2 \ge A_3$. Let $P \in \mathbb{R}^{n \times n}$ be a positive semidefinite matrix. The set of matrices $X \in \mathbb{R}^{n \times n}$ such that $X \ge P$ is a convex cone in $\mathbb{R}^{n \times n}$.


Figure 9.3 Convex hull of a set R.

9.1.5 Continuous functions

A function $f : \mathbb{R}^n \to \mathbb{R}^m$ is said to be continuous at a point $x$ if $f(x + \delta x) \to f(x)$ whenever $\delta x \to 0$. Equivalently, $f$ is continuous at $x$ if, given $\epsilon > 0$, there is $\delta > 0$ such that

$$\|x - y\| < \delta \implies \|f(x) - f(y)\| < \epsilon.$$

A function $f$ is continuous on a set $S$ if it is continuous at every point of $S$, and it is uniformly continuous on $S$ if, given $\epsilon > 0$, there is $\delta(\epsilon) > 0$ (dependent only on $\epsilon$) such that the inequality holds for all $x, y \in S$. A function $f : \mathbb{R} \to \mathbb{R}$ is said to be differentiable at a point $x$ if the limit

$$\dot{f}(x) = \lim_{\delta x \to 0} \frac{f(x + \delta x) - f(x)}{\delta x}$$

exists. A function $f : \mathbb{R}^n \to \mathbb{R}^m$ is continuously differentiable at a point $x$ (a set $S$) if the partial derivatives $\partial f_j / \partial x_s$ exist and are continuous at $x$ (at every point of $S$) for $1 \le j \le m$, $1 \le s \le n$, and the Jacobian matrix is defined as

$$J = \left[ \frac{\partial f}{\partial x} \right] = \begin{bmatrix} \partial f_1 / \partial x_1 & \cdots & \partial f_1 / \partial x_n \\ \vdots & \ddots & \vdots \\ \partial f_m / \partial x_1 & \cdots & \partial f_m / \partial x_n \end{bmatrix} \in \mathbb{R}^{m \times n}.$$

9.1.6 Function norms

Let $f(t) : \mathbb{R}_+ \to \mathbb{R}$ be a continuous function or piecewise continuous function. The $p$-norm of $f$ is defined by

$$\|f\|_p = \left( \int_0^\infty |f(t)|^p \, dt \right)^{1/p}, \quad \text{for } p \in [1, \infty),$$

$$\|f\|_\infty = \sup_{t \in [0, \infty)} |f(t)|, \quad \text{for } p = \infty.$$

By letting $p = 1, 2, \infty$, the corresponding normed spaces are called $L_1$, $L_2$, $L_\infty$, respectively. More precisely, letting $f(t)$ be a function on $[0, \infty)$ of the signal spaces, they are defined as

$$L_1 = \left\{ f(t) : \mathbb{R}_+ \to \mathbb{R} \ \Big|\ \|f\|_1 = \int_0^\infty |f(t)| \, dt < \infty \right\}, \quad \text{convolution kernel},$$

$$L_2 = \left\{ f(t) : \mathbb{R}_+ \to \mathbb{R} \ \Big|\ \|f\|_2 = \sqrt{\int_0^\infty |f(t)|^2 \, dt} < \infty \right\}, \quad \text{finite energy},$$

$$L_\infty = \left\{ f(t) : \mathbb{R}_+ \to \mathbb{R} \ \Big|\ \|f\|_\infty = \sup_{t \in [0, \infty)} |f(t)| < \infty \right\}, \quad \text{bounded signal}.$$

From a signal point of view, the 1-norm $\|x\|_1$ of the signal $x(t)$ is the integral of its absolute value, the square $\|x\|_2^2$ of the 2-norm is often called the energy of the signal $x(t)$, and the $\infty$-norm is its absolute maximum amplitude or peak value. It must be emphasized that the definitions of the norms for vector functions are not unique. In the case of $f(t) : \mathbb{R}_+ \to \mathbb{R}^n$, $f(t) = [f_1(t)\ f_2(t)\ \dots\ f_n(t)]^t$, which denotes a continuous or piecewise continuous vector function, the corresponding $p$-norm spaces are defined as

$$L_p^n = \left\{ f(t) : \mathbb{R}_+ \to \mathbb{R}^n \ \Big|\ \|f\|_p = \left( \int_0^\infty \|f(t)\|^p \, dt \right)^{1/p} < \infty \right\}, \quad \text{for } p \in [1, \infty),$$

$$L_\infty^n = \left\{ f(t) : \mathbb{R}_+ \to \mathbb{R}^n \ \Big|\ \|f\|_\infty = \sup_{t \in [0, \infty)} \|f(t)\| < \infty \right\}.$$

9.1.7 Mean value theorem

Assume that $f : \mathbb{R}^n \to \mathbb{R}$ is continuously differentiable at each point $x$ of an open set $S \subset \mathbb{R}^n$. Let $x$ and $y$ be two points of $S$ such that

$$L(x, y) = \{ z \mid z = \theta x + (1 - \theta) y,\ 0 < \theta < 1 \} \subset S,$$

where $L(x, y)$ is a line segment connecting $x$ and $y$. Then there exists a point $z$ of $L(x, y)$ such that

$$f(y) - f(x) = \frac{\partial f}{\partial x}\Big|_{x = z} (y - x).$$

9.1.8 Implicit function theorem

Assume that $f : \mathbb{R}^n \times \mathbb{R}^m \to \mathbb{R}^n$ is continuously differentiable at each point $(x, y)$ of an open set $S \subset \mathbb{R}^n \times \mathbb{R}^m$. Let $(x_o, y_o)$ be a point in $S$ for which $f(x_o, y_o) = 0$ and for which the Jacobian matrix $[\partial f / \partial x](x_o, y_o)$ is nonsingular. Then there exist neighborhoods $U \subset \mathbb{R}^n$ of $x_o$ and $V \subset \mathbb{R}^m$ of $y_o$ such that, for each $y \in V$, the equation $f(x, y) = 0$ has a unique solution $x \in U$. Moreover, this solution can be given as $x = g(y)$, where $g$ is continuously differentiable at $y = y_o$. For a detailed account of the foregoing two theorems, the reader is referred to [1].

9.2 Matrix theory

In this section, we focus on matrix theory and collect some basic facts and useful relationships from linear algebra and the calculus of matrices. The material is stated along with some hints whenever needed, but without proofs unless we see the benefit of providing a proof. We start by introducing the concept of a linear mapping between vector spaces. The mapping $M : V \to W$ is linear if

$$M(\alpha v_1 + \beta v_2) = \alpha M v_1 + \beta M v_2$$

for all $v_1, v_2 \in V$ and all scalars $\alpha$ and $\beta$. Here $V$ and $W$ are vector spaces with the same associated field $F$. The space $V$ is called the domain of the mapping, and $W$ its codomain. Given bases $\{v_1, v_2, \dots, v_n\}$ and $\{w_1, w_2, \dots, w_m\}$ for $V$ and $W$, respectively, we associate scalars $m_{jk}$ with the mapping $M$, defining them such that they satisfy

$$M v_k = m_{1k} w_1 + m_{2k} w_2 + \dots + m_{mk} w_m$$

for each $1 \le k \le n$. Namely, given any basis vector $v_k$, the coefficients are the coordinates of $M v_k$ in the selected basis of $W$. It turns out that these $mn$ numbers $m_{jk}$ completely specify the linear mapping $M$. To demonstrate that this is true, consider any vector $v \in V$, and let $w = M v$. We can express both vectors in their respective bases as $v = \alpha_1 v_1 + \alpha_2 v_2 + \dots + \alpha_n v_n$ and $w = \beta_1 w_1 + \beta_2 w_2 + \dots + \beta_m w_m$. Now we have

$$w = M v = M(\alpha_1 v_1 + \alpha_2 v_2 + \dots + \alpha_n v_n) = \alpha_1 M v_1 + \alpha_2 M v_2 + \dots + \alpha_n M v_n = \sum_{k=1}^{n} \sum_{j=1}^{m} \alpha_k m_{jk} w_j = \sum_{j=1}^{m} \left( \sum_{k=1}^{n} \alpha_k m_{jk} \right) w_j,$$

and therefore by uniqueness of the coordinates we must have

$$\beta_j = \sum_{k=1}^{n} \alpha_k m_{jk}, \quad j = 1, \dots, m.$$

To express this relationship in a more convenient form, we can write the set of numbers $m_{jk}$ as the $m \times n$ matrix

$$[M] = \begin{bmatrix} m_{11} & \cdots & m_{1n} \\ \vdots & \ddots & \vdots \\ m_{m1} & \cdots & m_{mn} \end{bmatrix}.$$

Then, via the standard matrix product, we have

$$\begin{bmatrix} \beta_1 \\ \vdots \\ \beta_m \end{bmatrix} = \begin{bmatrix} m_{11} & \cdots & m_{1n} \\ \vdots & \ddots & \vdots \\ m_{m1} & \cdots & m_{mn} \end{bmatrix} \begin{bmatrix} \alpha_1 \\ \vdots \\ \alpha_n \end{bmatrix}.$$

In summary, any linear mapping $M$ between vector spaces can be regarded as a matrix $M$ mapping $\mathbb{R}^n$ to $\mathbb{R}^m$ via matrix multiplication. It should be noted that the numbers $m_{jk}$ depend intimately on the bases $\{v_1, v_2, \dots, v_n\}$ and $\{w_1, w_2, \dots, w_m\}$. Frequently, we use only one basis for $V$ and one for $W$, and thus there is a need to distinguish between the map $M$ and the basis-dependent matrix $[M]$. We will henceforth write $M$ to denote either the map or the matrix, leaving it to the context to indicate which is meant. When reference is made to a matrix function $M(t)$, we have the form

$$M(t) = \begin{bmatrix} m_{11}(t) & \cdots & m_{1n}(t) \\ \vdots & \ddots & \vdots \\ m_{m1}(t) & \cdots & m_{mn}(t) \end{bmatrix}.$$

9.2.1 Fundamental subspaces

Building upon the previous section, the idea now is to introduce four important subspaces that are useful. The entire linear vector space of a specific problem can be decomposed into the sum of these subspaces. The column space of a matrix $A \in \mathbb{R}^{n \times m}$ is the space spanned by the columns of $A$ and is also called the range space of $A$, denoted by $R[A]$. Similarly, the row space of $A$ is the space spanned by the rows of $A$. Since the column rank of a matrix is the dimension of the space spanned by the columns and the row rank is the dimension of the space spanned by the rows, it is clear that the spaces $R[A]$ and $R[A^t]$ have the same dimension $r = \mathrm{rank}(A)$. The right null space of $A \in \mathbb{R}^{n \times m}$ is the space spanned by all vectors $x$ that satisfy $A x = 0$ and is denoted $N[A]$. The right null space of $A$ is also called the kernel of $A$. The left null space of $A$ is the space spanned by all vectors $y$ that satisfy $y^t A = 0$. This space is denoted $N[A^t]$ since it is also characterized by all vectors $y$ such that $A^t y = 0$. The dimensions of the four spaces $R[A]$, $R[A^t]$, $N[A]$, and $N[A^t]$ are determined in the sequel. Since $A \in \mathbb{R}^{n \times m}$, we have the following:

$$\begin{aligned} r &= \mathrm{rank}(A) = \text{dimension of column space } R[A], \\ \dim N[A] &= \text{dimension of right null space } N[A], \\ n &= \text{total number of columns of } A. \end{aligned}$$

Hence the dimension of the null space $\dim N[A] = n - r$. Using the fact that $\mathrm{rank}(A) = \mathrm{rank}(A^t)$, we have

$$\begin{aligned} r &= \mathrm{rank}(A^t) = \text{dimension of row space } R[A^t], \\ \dim N[A^t] &= \text{dimension of left null space } N[A^t], \\ m &= \text{total number of rows of } A. \end{aligned}$$

Hence the dimension of the null space $\dim N[A^t] = m - r$. These facts are summarized here:

$$\begin{aligned} R[A^t] &= \text{row space of } A: \text{ dimension } r, \\ N[A] &= \text{right null space of } A: \text{ dimension } n - r, \\ R[A] &= \text{column space of } A: \text{ dimension } r, \\ N[A^t] &= \text{left null space of } A: \text{ dimension } n - r. \end{aligned} \qquad (9.1)$$

Note from these facts that the entire $n$-dimensional space can be decomposed into the sum of the two subspaces $R[A^t]$ and $N[A]$. Alternatively, the entire $m$-dimensional space can be decomposed into the sum of the two subspaces $R[A]$ and $N[A^t]$. An important property is that $N[A]$ and $R[A^t]$ are orthogonal subspaces, that is, $R[A^t]^\perp = N[A]$. This means that every vector in $N[A]$ is orthogonal to every vector in $R[A^t]$. In the same manner, $R[A]$ and $N[A^t]$ are orthogonal subspaces, i.e., $R[A]^\perp = N[A^t]$. The construction of the fundamental subspaces is appropriately attained by the singular value decomposition.

9.2.2 Change of basis and invariance

Suppose that $\{v_1, v_2, \dots, v_n\}$ is chosen as a basis for $V$. Then for any vector $x \in V$, there are unique scalars $x_v = \{\alpha_1, \alpha_2, \dots, \alpha_n\} \in \mathbb{R}^n$ such that $x = \alpha_1 v_1 + \alpha_2 v_2 + \dots + \alpha_n v_n$. In turn, this raises the question: How can we effectively move between this basis and another basis $\{u_1, u_2, \dots, u_n\}$ for $V$? That is, given $x \in V$, how are the coordinate vectors $x_v, x_u \in \mathbb{R}^n$ related? To answer this question, suppose that each vector $u_k$ is expressed by

$$u_k = t_{1k} v_1 + t_{2k} v_2 + \dots + t_{nk} v_n$$

in the basis $\{v_1, v_2, \dots, v_n\}$. Then the coefficients $t_{jk}$ define the matrix

$$T = \begin{bmatrix} t_{11} & \cdots & t_{1n} \\ \vdots & \ddots & \vdots \\ t_{n1} & \cdots & t_{nn} \end{bmatrix},$$

which is obviously nonsingular since it represents the identity mapping $I_V$ in the bases $\{v_1, v_2, \dots, v_n\}$ and $\{u_1, u_2, \dots, u_n\}$. Then the relationship between the two coordinate vectors is

$$T x_u = x_v.$$

Now suppose that $M : V \to V$ and that $M_v : \mathbb{R}^n \to \mathbb{R}^n$ is the representation of $M$ on the basis $\{v_1, v_2, \dots, v_n\}$ and $M_u$ is the representation of $M$ on the basis $\{u_1, u_2, \dots, u_n\}$. How is $M_u$ related to $M_v$? To examine this, take any $x \in V$ and let $x_v, x_u$ be its coordinates in the respective bases, and $z_v, z_u$ be the coordinates of $M x$. Then we have

$$z_u = T^{-1} z_v = T^{-1} M_v x_v = T^{-1} M_v T x_u.$$

Since this identity and $z_u = M_u x_u$ both hold for every $x_u$, we conclude that

$$M_u = T^{-1} M_v T,$$

which is frequently called a similarity transformation.

Now the notion of invariance of a subspace to a mapping is presented. We say that a subspace $S \subset V$ is $M$-invariant if $M : V \to V$ and

$$M S \subset S.$$

It is readily seen that every map has at least two invariant subspaces, the zero subspace and the entire domain $V$. For subspaces $S$ of intermediate dimension, the invariance property is expressed most clearly by saying that the associated matrix has the form

$$[M] = \begin{bmatrix} M_1 & M_2 \\ 0 & M_4 \end{bmatrix},$$

where we assumed that our basis for $V$ is obtained by extending a basis for $S$.

9.2.3 Calculus of vector-matrix functions of a scalar

The differentiation and integration of time functions involving vectors and matrices arise in solving state equations, optimal control, etc. This section summarizes the basic definitions of differentiation and integration on vectors and matrices. A number of formulas for the derivative of vector-matrix products are also included. The derivative of a matrix function $M(t)$ of a scalar is the matrix of the derivatives of each element in the matrix:

$$\frac{dM(t)}{dt} = \begin{bmatrix} \dfrac{dM_{11}(t)}{dt} & \cdots & \dfrac{dM_{1n}(t)}{dt} \\ \vdots & \ddots & \vdots \\ \dfrac{dM_{m1}(t)}{dt} & \cdots & \dfrac{dM_{mn}(t)}{dt} \end{bmatrix}.$$

The integral of a matrix function $M(t)$ of a scalar is the matrix of the integral of each element in the matrix:

$$\int_a^b M(t)\,dt = \begin{bmatrix} \int_a^b M_{11}(t)\,dt & \cdots & \int_a^b M_{1n}(t)\,dt \\ \vdots & \ddots & \vdots \\ \int_a^b M_{m1}(t)\,dt & \cdots & \int_a^b M_{mn}(t)\,dt \end{bmatrix}.$$

The Laplace transform of a matrix function $M(t)$ of a scalar is the matrix of the Laplace transform of each element in the matrix:

$$\int_a^b M(t) e^{-st}\,dt = \begin{bmatrix} \int_a^b M_{11}(t) e^{-st}\,dt & \cdots & \int_a^b M_{1n}(t) e^{-st}\,dt \\ \vdots & \ddots & \vdots \\ \int_a^b M_{m1}(t) e^{-st}\,dt & \cdots & \int_a^b M_{mn}(t) e^{-st}\,dt \end{bmatrix}.$$

The scalar derivative of the product of two matrix time-functions is

$$\frac{d(A(t)B(t))}{dt} = \frac{dA(t)}{dt} B(t) + A(t) \frac{dB(t)}{dt}.$$

This result is analogous to the derivative of a product of two scalar functions of a scalar, except that caution must be used in preserving the order of the product. An important special case follows. The scalar derivative of the inverse of a matrix time-function is

$$\frac{dA^{-1}(t)}{dt} = -A^{-1}(t) \frac{dA(t)}{dt} A^{-1}(t).$$

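9.2.4 Derivatives of vector-matrix products

The derivative of a real scalar-valued function $f(x)$ of a real vector $x = [x_1, \dots, x_n]^t \in \mathbb{R}^n$ is defined by

$$\frac{\partial f(x)}{\partial x} = \begin{bmatrix} \dfrac{\partial f(x)}{\partial x_1} \\ \dfrac{\partial f(x)}{\partial x_2} \\ \vdots \\ \dfrac{\partial f(x)}{\partial x_n} \end{bmatrix},$$

where the partial derivative is defined by

$$\frac{\partial f(x)}{\partial x_j} = \lim_{\Delta x_j \to 0} \frac{f(x + \Delta x) - f(x)}{\Delta x_j}, \qquad \Delta x = [0 \ \dots \ \Delta x_j \ \dots \ 0]^t.$$

An important application arises in the Taylor series expansion of $f(x)$ about $x_o$ in terms of $\delta x = x - x_o$. The first three terms are

$$f(x) = f(x_o) + \left[ \frac{\partial f(x)}{\partial x} \right]^t \delta x + \frac{1}{2}\, \delta x^t \left[ \frac{\partial^2 f(x)}{\partial x^2} \right] \delta x,$$

where

$$\frac{\partial f(x)}{\partial x} = \begin{bmatrix} \dfrac{\partial f(x)}{\partial x_1} \\ \vdots \\ \dfrac{\partial f(x)}{\partial x_n} \end{bmatrix}, \qquad \frac{\partial^2 f(x)}{\partial x^2} = \frac{\partial}{\partial x} \left[ \frac{\partial f(x)}{\partial x} \right]^t = \begin{bmatrix} \dfrac{\partial^2 f(x)}{\partial x_1^2} & \cdots & \dfrac{\partial^2 f(x)}{\partial x_1 \partial x_n} \\ \vdots & \ddots & \vdots \\ \dfrac{\partial^2 f(x)}{\partial x_n \partial x_1} & \cdots & \dfrac{\partial^2 f(x)}{\partial x_n^2} \end{bmatrix}.$$

The derivative of a real scalar-valued function $f(A)$ with respect to a matrix

$$A = \begin{bmatrix} A_{11} & \cdots & A_{1n} \\ \vdots & \ddots & \vdots \\ A_{n1} & \cdots & A_{nn} \end{bmatrix} \in \mathbb{R}^{n \times n}$$

is given by

$$\frac{\partial f(A)}{\partial A} = \begin{bmatrix} \dfrac{\partial f(A)}{\partial A_{11}} & \cdots & \dfrac{\partial f(A)}{\partial A_{1n}} \\ \vdots & \ddots & \vdots \\ \dfrac{\partial f(A)}{\partial A_{n1}} & \cdots & \dfrac{\partial f(A)}{\partial A_{nn}} \end{bmatrix}.$$

A vector function of a vector is given by

$$v(u) = \begin{bmatrix} v_1(u) \\ \vdots \\ \vdots \\ v_n(u) \end{bmatrix},$$

where $v_j(u)$ is a function of the vector $u$. The derivative of a vector function of a vector (the Jacobian) is defined as follows:

$$\frac{\partial v(u)}{\partial u} = \begin{bmatrix} \dfrac{\partial v_1(u)}{\partial u_1} & \cdots & \dfrac{\partial v_1(u)}{\partial u_m} \\ \vdots & \ddots & \vdots \\ \dfrac{\partial v_n(u)}{\partial u_1} & \cdots & \dfrac{\partial v_n(u)}{\partial u_m} \end{bmatrix}.$$

Note that the Jacobian is sometimes defined as the transpose of the foregoing matrix. A special case is given by

$$\frac{\partial (S u)}{\partial u} = S, \qquad \frac{\partial (u^t R u)}{\partial u} = 2 u^t R$$

for arbitrary matrix $S$ and symmetric matrix $R$. The following section includes useful relationships and results from linear algebra.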

9.2.5 Positive definite and positive semidefinite matrices

A matrix $P$ is positive definite if $P$ is real, symmetric, and $x^t P x > 0$, $\forall x \neq 0$. Equivalently, if all the eigenvalues of $P$ have positive real parts. A matrix $S$ is positive semidefinite if $S$ is real, symmetric, and $x^t S x \ge 0$, $\forall x \neq 0$. Since the definiteness of the scalar $x^t P x$ is a property only of the matrix $P$, we need a test for determining definiteness of a constant matrix $P$. Define a principal submatrix of a square matrix $P$ as any square submatrix sharing some diagonal elements of $P$. Thus the constant, real, symmetric matrix $P \in \mathbb{R}^{n \times n}$ is positive definite ($P > 0$) if any of these equivalent conditions holds:
• All eigenvalues of $P$ are positive;
• The determinant of $P$ is positive;
• All successive principal submatrices of $P$ (minors of successively increasing size) have positive determinants.

9.2.6 Matrix ellipsoid

Given three matrices $X^t = X \in \mathbb{R}^{m \times m}$, $Y \in \mathbb{R}^{m \times p}$, and $0 < Z^t = Z \in \mathbb{R}^{p \times p}$, consider the following set:

$$\left\{ K \in \mathbb{R}^{m \times p} : \begin{bmatrix} I & K \end{bmatrix} \begin{bmatrix} X & Y \\ \bullet & Z \end{bmatrix} \begin{bmatrix} I \\ K^t \end{bmatrix} \le 0 \right\}.$$

This set is called a matrix ellipsoid. Some of the relevant properties are:
• The matrix ellipsoid can be written as $(K - K_o) Z (K - K_o)^t \le R$, where $R$ is the radius and $K_o = -Y Z^{-1}$ is the center of the ellipsoid;
• A matrix ellipsoid is nonempty if and only if the radius $R = Y Z^{-1} Y^t - X \ge 0$;
• If $X = Y Z^{-1} Y^t$, the matrix ellipsoid is a singleton;
• A matrix ellipsoid is a compact convex set.


9.2.7 Power of a square matrix

For positive $m$, $A^m$ for a square matrix $A$ is defined as $A A \dots A$, there being $m$ terms in the product. For negative $m$, let $m = -n$, where $n$ is positive; then $A^m = (A^{-1})^n$. It follows that $A^p A^q = A^{p+q}$ for any integers $p$ and $q$, positive or negative, and likewise that $(A^p)^q = A^{pq}$. A polynomial in $A$ is a matrix $p(A) = \sum_{j=1}^{m} \alpha_j A^j$, where the $\alpha_j$ are scalars. Any two polynomials in the same matrix commute, i.e., $p(A) q(A) = q(A) p(A)$, where $p$ and $q$ are polynomials. It follows that $p(A) q^{-1}(A) = q^{-1}(A) p(A)$ and that such rational functions of $A$ also commute.

9.2.8 Exponential of a square matrix

Let $A$ be a square matrix. Then it can be shown that the series

$$I + A + \frac{1}{2!} A^2 + \frac{1}{3!} A^3 + \dots$$

converges, in the sense that the $(j, k)$ entry of the partial sums of the series converges for all $j$ and $k$. The sum is defined as $e^A$. It follows that

$$e^{At} = I + At + \frac{1}{2!} A^2 t^2 + \frac{1}{3!} A^3 t^3 + \dots$$

Moreover, $p(A)\, e^{At} = e^{At}\, p(A)$ for any polynomial $p(A)$, and $e^{-At} = [e^{At}]^{-1}$.

9.2.9 Eigenvalues and eigenvectors of a square matrix

Let $A$ be an $n \times n$ matrix. The polynomial $\det[sI - A]$ is termed the characteristic polynomial of $A$, and the zeros of this polynomial are the eigenvalues of matrix $A$. If $\lambda_j$ is an eigenvalue of $A$, there always exists at least one vector $x$ satisfying

$$A x = \lambda_j x.$$

The vector $x$ is termed an eigenvector of matrix $A$. If $\lambda_j$ is not a repeated eigenvalue, i.e., if it is a simple zero of the characteristic polynomial, then $x$ is unique to within a scalar multiple. If not, there may be more than one eigenvector associated with $\lambda_j$. If $\lambda_j$ is real, the entries of $x$ are real, whereas if $\lambda_j$ is complex, the entries of $x$ are complex. If $A$ has zero entries everywhere off the main diagonal, i.e., if $a_{jk} = 0$ for all $j, k$, $j \neq k$, then $A$ is termed diagonal. It follows trivially from the definition of an eigenvalue that the diagonal entries of the diagonal $A$ are precisely the eigenvalues of $A$. It is also true that for a general matrix $A$,

$$\det(A) = \prod_{j=1}^{n} \lambda_j.$$

If $A$ is singular, $A$ possesses at least one zero eigenvalue. The eigenvalues of a rational function $r(A)$ of $A$ are the numbers $r(\lambda_j)$, where $\lambda_j$ are the eigenvalues of $A$. For example, the eigenvalues of $e^{At}$ are $e^{\lambda_j t}$.

9.2.10 The Cayley–Hamilton theorem

The Cayley–Hamilton theorem states that every square matrix satisfies its own characteristic equation. If $A$ is a square matrix and

$$\det[sI - A] = s^n + \alpha_1 s^{n-1} + \dots + \alpha_n,$$

then

$$A^n + \alpha_1 A^{n-1} + \dots + \alpha_n I = 0.$$

From the Cayley–Hamilton theorem, it follows that any analytic function $f(A)$ of $A$ is expressible as a linear combination of $\{I, A, \dots, A^{n-1}\}$; this holds in particular for $A^m$ for any $m \ge n$ and for $e^A$.

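9.2.11 Trace properties

The trace of a square matrix $P$, $\mathrm{trace}(P)$, equals the sum of its diagonal elements or, equivalently, the sum of its eigenvalues. A basic property of the trace is invariance under cyclic permutations, that is,

$$\mathrm{trace}(AB) = \mathrm{trace}(BA),$$

where $AB$ is square. Successive applications of the previous result yield

$$\mathrm{trace}(ABC) = \mathrm{trace}(BCA) = \mathrm{trace}(CAB),$$

where $ABC$ is square. In general,

$$\mathrm{trace}(AB) = \mathrm{trace}(B^t A^t).$$

Another result is that

$$\mathrm{trace}(A^t B A) = \sum_{k=1}^{p} a_k^t B a_k,$$

where $A \in \mathbb{R}^{n \times p}$, $B \in \mathbb{R}^{n \times n}$ and $\{a_k\}$ are the columns of $A$. The following identities on trace derivatives are noted:

$$\frac{\partial(\mathrm{trace}(AB))}{\partial A} = \frac{\partial(\mathrm{trace}(A^t B^t))}{\partial A} = \frac{\partial(\mathrm{trace}(B^t A^t))}{\partial A} = \frac{\partial(\mathrm{trace}(BA))}{\partial A} = B^t,$$

$$\frac{\partial(\mathrm{trace}(AB))}{\partial B} = \frac{\partial(\mathrm{trace}(A^t B^t))}{\partial B} = \frac{\partial(\mathrm{trace}(B^t A^t))}{\partial B} = \frac{\partial(\mathrm{trace}(BA))}{\partial B} = A^t,$$

$$\frac{\partial(\mathrm{trace}(BAC))}{\partial A} = \frac{\partial(\mathrm{trace}(B^t C^t A^t))}{\partial A} = \frac{\partial(\mathrm{trace}(C^t A^t B^t))}{\partial A} = \frac{\partial(\mathrm{trace}(ACB))}{\partial A} = \frac{\partial(\mathrm{trace}(CBA))}{\partial A} = \frac{\partial(\mathrm{trace}(A^t B^t C^t))}{\partial A} = B^t C^t,$$

$$\frac{\partial(\mathrm{trace}(A^t B A))}{\partial A} = \frac{\partial(\mathrm{trace}(B A A^t))}{\partial A} = \frac{\partial(\mathrm{trace}(A A^t B))}{\partial A} = (B + B^t) A.$$

Using these basic ideas, a list of matrix calculus results is given here:

$$\frac{\partial(\mathrm{trace}(A X^t))}{\partial X} = A, \qquad \frac{\partial(\mathrm{trace}(A X B))}{\partial X} = A^t B^t,$$

$$\frac{\partial(\mathrm{trace}(A X^t B))}{\partial X} = B A, \qquad \frac{\partial(\mathrm{trace}(A X))}{\partial X^t} = A,$$

$$\frac{\partial(\mathrm{trace}(A X^t))}{\partial X^t} = A^t, \qquad \frac{\partial(\mathrm{trace}(A X B))}{\partial X^t} = B A,$$

$$\frac{\partial(\mathrm{trace}(A X^t B))}{\partial X^t} = A^t B^t, \qquad \frac{\partial(\mathrm{trace}(X X))}{\partial X} = 2 X^t,$$

$$\frac{\partial(\mathrm{trace}(X X^t))}{\partial X} = 2 X,$$

$$\frac{\partial(\mathrm{trace}(A X^n))}{\partial X} = \left( \sum_{j=0}^{n-1} X^j A X^{n-j-1} \right)^t,$$

$$\frac{\partial(\mathrm{trace}(A X B X))}{\partial X} = A^t X^t B^t + B^t X^t A^t,$$

$$\frac{\partial(\mathrm{trace}(A X B X^t))}{\partial X} = A^t X B^t + A X B,$$

$$\frac{\partial(\mathrm{trace}(X^{-1}))}{\partial X} = -\left( X^{-2} \right)^t,$$

$$\frac{\partial(\mathrm{trace}(A X^{-1} B))}{\partial X} = -\left( X^{-1} B A X^{-1} \right)^t,$$

$$\frac{\partial(\mathrm{trace}(AB))}{\partial A} = B^t + B - \mathrm{diag}(B).$$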

9.2.12 Kronecker product and vec

Let $A \in \mathbb{R}^{m \times n}$, $B \in \mathbb{R}^{p \times r}$. The product $C \in \mathbb{R}^{mp \times nr}$ defined as

$$C = \begin{bmatrix} a_{11} B & \cdots & a_{1n} B \\ a_{21} B & \cdots & a_{2n} B \\ \vdots & & \vdots \\ a_{m1} B & \cdots & a_{mn} B \end{bmatrix}$$

and written $C = A \otimes B$ is termed the Kronecker product of matrices $A$ and $B$. In case $A$ and $B$ are square, the set of eigenvalues of $C$ is given by $\lambda_j(A) \lambda_k(B)$, $\forall j, k$. The Kronecker product is associative, i.e.,

$$(A \otimes B)(C \otimes D) = AC \otimes BD, \qquad (A \otimes B)^t = A^t \otimes B^t.$$

Let $A \in \mathbb{R}^{m \times n}$. The column $mn$-vector, obtained by stacking column 2 of $A$ after column 1, column 3 of $A$ after column 2, and so forth, is termed $\mathrm{vec}\,A$. If $M$, $N$ are matrices for which the product $MN$ can be formed, then

$$\mathrm{vec}(MN) = [I \otimes M]\,\mathrm{vec}\,N = [N^t \otimes I]\,\mathrm{vec}\,M.$$


9.2.13 Partitioned matrices

Given a partitioned matrix (matrix of matrices) of the form

$$M = \begin{bmatrix} A & B \\ C & D \end{bmatrix},$$

where $A$, $B$, $C$ and $D$ are of compatible dimensions, then:
1. if $A^{-1}$ exists, a Schur complement of $M$ is defined as $D - C A^{-1} B$, and
2. if $D^{-1}$ exists, a Schur complement of $M$ is defined as $A - B D^{-1} C$.

When $A$, $B$, $C$ and $D$ are all $n \times n$ matrices, then:

a) $\det \begin{bmatrix} A & B \\ C & D \end{bmatrix} = \det(A) \det(D - C A^{-1} B), \quad \det(A) \neq 0,$

b) $\det \begin{bmatrix} A & B \\ C & D \end{bmatrix} = \det(D) \det(A - B D^{-1} C), \quad \det(D) \neq 0.$

In the special case, we have

$$\det \begin{bmatrix} A & B \\ 0 & D \end{bmatrix} = \det(A) \det(D),$$

where $A$ and $D$ are square. Since the determinant is invariant under row operations, it follows that

$$\det \begin{bmatrix} A & B \\ C & D \end{bmatrix} = \det \begin{bmatrix} A & B \\ C - C A^{-1} A & D - C A^{-1} B \end{bmatrix} = \det \begin{bmatrix} A & B \\ 0 & D - C A^{-1} B \end{bmatrix} = \det(A) \det(D - C A^{-1} B),$$

which justifies the foregoing result. Given matrices $A \in \mathbb{R}^{m \times n}$ and $B \in \mathbb{R}^{n \times m}$, then

$$\det(I_m - AB) = \det(I_n - BA).$$

In the case that $A$ is invertible, then $\det(A^{-1}) = \det(A)^{-1}$.

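9.2.14 The matrix inversion lemma

Suppose that $A \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times p}$, $C \in \mathbb{R}^{p \times p}$, and $D \in \mathbb{R}^{p \times n}$. Assume that $A^{-1}$ and $C^{-1}$ both exist. Then

$$(A + BCD)^{-1} = A^{-1} - A^{-1} B (D A^{-1} B + C^{-1})^{-1} D A^{-1}.$$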

In the case of partitioned matrices, we have the following result ⎡ ⎢ ⎣

A

B

C

D

⎤−1 ⎥ ⎦

⎡ ⎢ = ⎣

A−1 + A−1 B −1 CA−1

−A−1 B −1

− −1 CA−1

−1

⎤ ⎥ ⎦

= (D − CA−1 B)

provided that A−1 exists. Alternatively, ⎡ ⎢ ⎣

A

B

C

D

⎤−1 ⎥ ⎦

⎡ ⎢ = ⎣

−1

− −1 BD−1

−D−1 C −1

D−1 + D−1 C −1 BD−1

⎤ ⎥ ⎦

= (D − CA−1 B)

provided that $D^{-1}$ exists. For a square matrix Y, the matrices Y and $(I + Y)^{-1}$ commute, that is, given that the inverse exists,

$$Y(I + Y)^{-1} = (I + Y)^{-1}Y.$$

Two additional inversion formulas are

$$Y(I + XY)^{-1} = (I + YX)^{-1}Y, \qquad (I + YX)^{-1} = I - YX(I + YX)^{-1}.$$

The following result provides conditions for the positive definiteness of a partitioned matrix in terms of its submatrices. The following three statements are equivalent:

1) $\begin{bmatrix} A_o & A_a \\ A_a^t & A_c \end{bmatrix} > 0$,
2) $A_c > 0$, $A_o - A_a A_c^{-1} A_a^t > 0$,
3) $A_o > 0$, $A_c - A_a^t A_o^{-1} A_a > 0$.
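The partitioned-matrix results of Sections 9.2.13 and 9.2.14 can be checked in exact rational arithmetic. The block below is an added example, not code from the book; every function name and the sample blocks are constructed for illustration. It inverts a partitioned matrix through whichever Schur complement exists, applies the matrix inversion lemma, and tests positive definiteness by applying statement 3) recursively with a 1 × 1 leading block.

```python
from fractions import Fraction

def mat(rows):
    """Exact rational matrix from nested lists."""
    return [[Fraction(x) for x in row] for row in rows]

def mul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def lin(X, Y, s=1):
    """Entrywise X + s*Y."""
    return [[a + s * b for a, b in zip(r, q)] for r, q in zip(X, Y)]

def neg(X):
    return [[-a for a in row] for row in X]

def eliminate(X):
    """Gauss-Jordan on [X | I]; returns (det X, X^-1), X^-1 is None if X is singular."""
    n = len(X)
    aug = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(X)]
    d = Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if aug[r][c] != 0), None)
        if p is None:
            return Fraction(0), None
        if p != c:                       # a row swap flips the sign of the determinant
            aug[c], aug[p] = aug[p], aug[c]
            d = -d
        piv = aug[c][c]
        d *= piv
        aug[c] = [v / piv for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c] != 0:
                f = aug[r][c]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[c])]
    return d, [row[n:] for row in aug]

def det(X):
    return eliminate(X)[0]

def inv(X):
    Xi = eliminate(X)[1]
    if Xi is None:
        raise ZeroDivisionError("matrix is singular")
    return Xi

def assemble(A, B, C, D):
    """Stack the blocks into [[A, B], [C, D]]."""
    return [ra + rb for ra, rb in zip(A, B)] + [rc + rd for rc, rd in zip(C, D)]

def block_inverse(A, B, C, D):
    """Inverse of [[A, B], [C, D]] via the Schur complement that exists."""
    if det(A) != 0:
        Ai = inv(A)
        Si = inv(lin(D, mul(C, mul(Ai, B)), -1))        # (D - C A^-1 B)^-1
        AiB, CAi = mul(Ai, B), mul(C, Ai)
        return assemble(lin(Ai, mul(AiB, mul(Si, CAi))), neg(mul(AiB, Si)),
                        neg(mul(Si, CAi)), Si)
    Di = inv(D)                                          # A singular: use the D-based form
    Ti = inv(lin(A, mul(B, mul(Di, C)), -1))            # (A - B D^-1 C)^-1
    BDi, DiC = mul(B, Di), mul(Di, C)
    return assemble(Ti, neg(mul(Ti, BDi)),
                    neg(mul(DiC, Ti)), lin(Di, mul(DiC, mul(Ti, BDi))))

def woodbury(A, B, C, D):
    """(A + B C D)^-1 from the matrix inversion lemma."""
    Ai = inv(A)
    core = inv(lin(mul(D, mul(Ai, B)), inv(C)))         # (D A^-1 B + C^-1)^-1
    return lin(Ai, mul(mul(Ai, B), mul(core, mul(D, Ai))), -1)

def is_positive_definite(M):
    """Statement 3) with a 1x1 leading block, applied recursively."""
    n = len(M)
    if any(M[i][j] != M[j][i] for i in range(n) for j in range(i)):
        return False
    a = Fraction(M[0][0])
    if a <= 0:
        return False
    if n == 1:
        return True
    b = M[0][1:]
    schur = [[M[i + 1][j + 1] - b[i] * b[j] / a for j in range(n - 1)]
             for i in range(n - 1)]
    return is_positive_definite(schur)

# Constructed sample blocks; the assembled matrix is symmetric and
# strictly diagonally dominant, hence positive definite.
A = mat([[6, 1], [1, 5]])
B = mat([[1, 0], [2, 1]])
C = mat([[1, 2], [0, 1]])          # C = B^t
D = mat([[7, 1], [1, 6]])
M = assemble(A, B, C, D)

if __name__ == "__main__":
    print("det identity a):", det(M) == det(A) * det(lin(D, mul(C, mul(inv(A), B)), -1)))
    print("block inverse equals direct inverse:", block_inverse(A, B, C, D) == inv(M))
    print("M > 0:", is_positive_definite(M))
```

Because the arithmetic is exact, the comparisons are true equalities rather than floating-point tolerances.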

9.2.15 Strengthened version of the lemma of Lyapunov

The basic Lemma of Lyapunov states that for positive definite C, there exists a unique positive definite P such that $PA + A^t P + C = 0$ if and only if $\lambda_j(A) < 0$. The first strengthening states that, if [A, D] is completely observable, there exists a unique positive definite P such that $PA + A^t P = -DD^t$ if and only if $\lambda_j(A) < 0$. The second strengthening states that, if [A, D] is completely detectable, there exists a unique nonnegative definite P such that $PA + A^t P = -DD^t$ if and only if $\lambda_j(A) < 0$. In all cases where P exists,

$$P = \int_0^{\infty} e^{A^t t}\, DD^t\, e^{At}\, dt.$$

9.2.16 The singular value decomposition

The singular value decomposition (SVD) is a matrix factorization that has found a number of applications for engineering problems. The SVD of a matrix $M \in \mathbb{R}^{n \times m}$ is

$$M = U S V^{\dagger} = \sum_{j=1}^{p} \sigma_j U_j V_j^{\dagger},$$

where $U \in \mathbb{R}^{\alpha \times \alpha}$ and $V \in \mathbb{R}^{\beta \times \beta}$ are unitary matrices ($U^{\dagger}U = UU^{\dagger} = I$ and $V^{\dagger}V = VV^{\dagger} = I$); $S \in \mathbb{R}^{\alpha \times \beta}$ is a real, diagonal (but not necessarily square) matrix; and $p = \min(\alpha, \beta)$. The singular values $\{\sigma_1, \sigma_2, ..., \sigma_\beta\}$ of M are defined as the positive square roots of the diagonal elements of $S^t S$, and are ordered from largest to smallest. To proceed further, we recall a result on unitary matrices. If U is a unitary matrix ($U^{\dagger}U = I$), then the transformation U preserves length, that is

$$\|Ux\| = \sqrt{(Ux)^{\dagger}(Ux)} = \sqrt{x^{\dagger}U^{\dagger}Ux} = \sqrt{x^{\dagger}x} = \|x\|.$$

As a consequence, we have

$$\|Mx\| = \sqrt{x^{\dagger}M^{\dagger}Mx} = \sqrt{x^{\dagger}VS^tU^{\dagger}USV^{\dagger}x} = \sqrt{x^{\dagger}VS^tSV^{\dagger}x}.$$

To evaluate the maximum gain of matrix M, we calculate the maximum norm of the previous equation to yield

$$\max_{\|x\|=1}\|Mx\| = \max_{\|x\|=1}\sqrt{x^{\dagger}VS^tSV^{\dagger}x} = \max_{\|\tilde{x}\|=1}\sqrt{\tilde{x}^{\dagger}S^tS\tilde{x}}.$$

Note that maximization over $\tilde{x} = V^{\dagger}x$ is equivalent to maximizing over x since V is invertible and preserves the norm (equals 1 in this case). Expanding the norm yields

$$\max_{\|x\|=1}\|Mx\| = \max_{\|\tilde{x}\|=1}\sqrt{\tilde{x}^{\dagger}S^tS\tilde{x}} = \max_{\|\tilde{x}\|=1}\sqrt{\sigma_1^2|\tilde{x}_1|^2 + \sigma_2^2|\tilde{x}_2|^2 + ... + \sigma_\beta^2|\tilde{x}_\beta|^2}.$$

The foregoing expression is maximized, given the constraint $\|\tilde{x}\| = 1$, when $\tilde{x}$ is concentrated at the largest singular value, i.e., $|\tilde{x}| = [1\ 0\ ...\ 0]^t$. The maximum gain is then

$$\max_{\|x\|=1}\|Mx\| = \sqrt{\sigma_1^2|1|^2 + \sigma_2^2|0|^2 + ... + \sigma_\beta^2|0|^2} = \sigma_1 = \sigma_M.$$

In other words, the maximum gain of a matrix is given by the maximum singular value $\sigma_M$. Following similar lines of development, it is easy to show that

$$\min_{\|x\|=1}\|Mx\| = \sigma_\beta = \sigma_m = \begin{cases} \sigma_p, & \alpha \ge \beta \\ 0, & \alpha < \beta. \end{cases}$$

A property of the singular values is expressed by

$$\sigma_M(M^{-1}) = \frac{1}{\sigma_m(M)}.$$

0 .

Proof. This inequality can be proved as follows. Since t  ≥ 0 holds for any matrix , then take  as  = [α 1/2 1 − α −1/2 2 ].

Expansion of t  ≥ 0 gives ∀α > 0 α 1 1t + α −1 2t 2 − 1t 2 − 2t 1 ≥ 0,

which by simple arrangement yields the desired result.

9.3.2 Bounding inequality B Let 1 , 2 , 3 and 0 < R = Rt be real constant matrices of compatible dimensions and H (t) be a real matrix function satisfying H t (t)H (t) ≤ I. Then, for any ρ > 0 satisfying ρ 2t 2 < R, the following matrix inequality holds:  −1 ( 3 + 1 H (t) 2 )R−1 ( 3t + 2t H t (t) 1t ) ≤ ρ −1 1 1t + 3 R −ρ 2t 2

3t .

Proof. The proof of this inequality proceeds like the previous one by considering that  = [(ρ −1 2 2t )−1/2 2 R−1 3t − (ρ −1 2 2t )−1/2 H t (t) 1t ] .

Recall the following results ρ 2t 2 < R , [R − ρ 2t 2 ]−1 = [R−1 + R−1 2t [ρ −1 I − 2 R−1 2t ]−1 2 R−1 2 ,


and H t (t)H (t) ≤ I =⇒ H (t)H t (t) ≤ I . Expansion of t  ≥ 0 under the condition ρ 2t 2 < R with standard matrix manipulations gives

3 R−1 2t H t (t) 1t + 1 H (t) 2 R−1 3t + 1 H (t) 2 2t H t (t) 1t ≤ ρ −1 1 H (t)H t (t) 1t + 3t R−1 2 [ρ −1 I 2 2t ]−1 2 R−1 3t =⇒ ( 3 + 1 H (t) 2 )R−1 ( 3t + 2t H t (t) 1t ) − 3 R−1 3t ≤ ρ −1 1 H (t)H t (t) 1t + 3t R−1 2 [ρ −1 I − 2 2t ]−1 2 R−1 3t =⇒ ( 3 + 1 H (t) 2 )R−1 ( 3t + 2t H t (t) 1t ) ≤

3 [R−1 + 2 [ρ −1 I − 2 2t ]−1 2 R−1 ] 3t + ρ

−1

1 H (t)H

t

(t) 1t



−1

1 H (t)H

t

(t) 1t



+ 3 R − ρ 2t 2

−1

3t ,

which completes the proof.

9.3.3 Bounding inequality C

For any real vectors β, ρ and any matrix $Q^t = Q > 0$ with appropriate dimensions, it follows that

$$-2\rho^t \beta \le \rho^t Q \rho + \beta^t Q^{-1} \beta.$$

Proof. Starting from the fact that

$$[\rho + Q^{-1}\beta]^t\, Q\, [\rho + Q^{-1}\beta] \ge 0, \quad Q > 0,$$

one expands and arranges it to yield the desired result.

9.3.4 Bounding inequality D

For any quantities u and v of equal dimensions and for all $\eta_t = i \in S$, it follows that the following inequality holds

$$\|u + v\|^2 \le [1 + \beta^{-1}]\, \|u\|^2 + [1 + \beta]\, \|v\|^2 \qquad (9.2)$$

for any scalar β > 0, i ∈ S.

Proof. Since

$$[u + v]^t [u + v] = u^t u + v^t v + 2 u^t v, \qquad (9.3)$$

it follows by taking the norm of both sides of (9.3) for all i ∈ S that

$$\|u + v\|^2 \le \|u\|^2 + \|v\|^2 + 2\, \|u^t v\|. \qquad (9.4)$$

We know from the triangle inequality that

$$2\, \|u^t v\| \le \beta^{-1} \|u\|^2 + \beta\, \|v\|^2. \qquad (9.5)$$

On substituting (9.5) into (9.4), one arrives at (9.2).

9.3.5 Young’s inequality

For any scalars ε > 0, p > 1, $q = (1 - p^{-1})^{-1} > 1$ and vectors $a \in \mathbb{R}^n$ and $b \in \mathbb{R}^n$, it follows that

$$a^t b \le \varepsilon |a|^p / p + |b|^q / (q\, \varepsilon^{q-1}).$$

9.4 Gronwall-Bellman inequality

Let $\sigma : [a, b] \to \mathbb{R}$ be continuous and $\beta : [a, b] \to \mathbb{R}$ be continuous and nonnegative. If a continuous function $z : [a, b] \to \mathbb{R}$ satisfies

$$z(t) \le \sigma(t) + \int_a^t \beta(s) z(s)\, ds$$

for a ≤ t ≤ b, then on the same interval

$$z(t) \le \sigma(t) + \int_a^t \sigma(s) \beta(s) \exp\left[\int_s^t \beta(\tau)\, d\tau\right] ds.$$

In particular, if σ(t) ≡ σ is a constant, then

$$z(t) \le \sigma \exp\left[\int_a^t \beta(\tau)\, d\tau\right].$$

If, in addition, β(t) ≡ β ≥ 0 is a constant, then

$$z(t) \le \sigma \exp[\beta(t - a)].$$

Proof. Let $y(t) = \int_a^t \beta(s) z(s)\, ds$ and $w(t) = y(t) + \sigma(t) - z(t) \ge 0$. Then, y is differentiable and

$$\dot{y} = \beta(t) z(t) = \beta(t) y(t) + \beta(t) \sigma(t) - \beta(t) w(t),$$

which describes a linear state equation with an associated state transition function

$$\phi(t, s) = \exp\left[\int_s^t \beta(\tau)\, d\tau\right].$$

Since y(a) = 0, we have

$$y(t) = \int_a^t \phi(t, s) [\beta(s) \sigma(s) - \beta(s) w(s)]\, ds.$$

Observe that

$$\int_a^t \phi(t, s) \beta(s) w(s)\, ds \ge 0.$$

Therefore,

$$y(t) \le \int_a^t \exp\left[\int_s^t \beta(\tau)\, d\tau\right] \beta(s) \sigma(s)\, ds.$$

Since z(t) ≤ σ(t) + y(t), the proof is completed in the general case. When σ(t) ≡ σ, we have

$$\int_a^t \beta(s) \exp\left[\int_s^t \beta(\tau)\, d\tau\right] ds = -\int_a^t \frac{d}{ds}\left\{\exp\left[\int_s^t \beta(\tau)\, d\tau\right]\right\} ds = -\left\{\exp\left[\int_s^t \beta(\tau)\, d\tau\right]\right\}\Bigg|_{s=a}^{s=t} = -1 + \exp\left[\int_a^t \beta(\tau)\, d\tau\right],$$

which establishes the part of the lemma when σ is constant. The remaining part, when both σ and β are constants, follows by integration.

9.5 Schur complements Given a matrix  composed of constant matrices 1 , 2 , 3 , where 1 = t1 and 0 < 2 = t2 as follows 

  =

we have the following results:

1 t3

3 2

,


(A)  ≥ 0 if and only if either ⎧ ⎪ ⎨

2 ≥ 0  = ϒ2 ⎪ ⎩  1 − ϒ 2 ϒ t ≥ 0

or

(9.6)

⎧ ⎪ ⎨

1 ≥ 0  = 1  ⎪ ⎩  − t   ≥ 0 2 1

(9.7)

hold where , ϒ are some matrices of compatible dimensions. (B)  > 0 if and only if either !

2 > 0 1 − 3 2−1 t3 > 0

or !

1 ≥ 0 2 − t3 1−1 3 > 0

hold where , ϒ are some matrices of compatible dimensions. In this regard, matrix 3 2−1 t3 is often called the Schur complement 1 (2 ) in . Proof. (A): To prove (9.6), we first note that 2 ≥ 0 is necessary. Let zt = [zt1 zt2 ] be a vector partitioned in accordance with . Thus we have zt  z = zt1 1 z1 + 2zt1 3 z2 + zt2 2 z2 .

(9.8)

Select z2 such that 2 z2 = 0. If 3 z2 = 0, let z1 = −π3 z2 , π > 0. Then it follows that zt  z = π 2 zt2 t3 1 3 z2 − 2π zt2 t3 3 z2 , which is negative for a sufficiently small π > 0. We thus conclude 1 z2 = 0, which then leads to 3 z2 = 0, ∀z2 and consequently  3 = ϒ 2

for some ϒ .

(9.9)


Since  ≥ 0, the quadratic term zt z possesses a minimum over z2 for any z1 . By differentiating zt z from (9.8) wrt zt2 , we get ∂(zt  z) = 2t3 z1 + 22 z2 = 22 ϒ t z1 + 22 z2 . ∂ zt2

Setting the derivative to zero yields 2 ϒ z1 = −2 z2 .

(9.10)

Using (9.9) and (9.10) in (9.8), it follows that the minimum of zt z over z2 for any z1 is given by min zt  z = zt1 [1 − ϒ 2 ϒ t ]z1 , z2

which prove the necessity of 1 − ϒ2 ϒ t ≥ 0. On the other hand, we note that the conditions (9.6) are necessary for  ≥ 0 and since together they imply that the minimum of zt z over z2 for any z1 is nonnegative, they are also sufficient. Using similar argument, conditions (9.7) can be derived as those of (9.6) by starting with 1 .

9.6 Some useful lemmas The basic tools and standard results that are utilized in robustness analysis and resilience design in the various chapters are collected here. Lemma 10. The matrix inequality −  + S −1 St < 0

(9.11)

holds for some 0 <  = t ∈ n×n , if and only if 

− •



SX −X − X t + Z

< 0

(9.12)

holds for some matrices X ∈ n×n and Z ∈ n×n . Proof. (=⇒) By Schur complements, inequality (9.11) is equivalent to 

− •

S−1 −−1

 < 0.

(9.13)


Setting X = X t = Z = −1 , we readily obtain inequality (9.12). (⇐=) Since the matrix [I S] is of full rank, we obtain 

I St

t 

− •



SX −X − X t + Z



I St

< 0 ⇐⇒

−  + S Z St < 0 ⇐⇒ −  + S −1 St < 0 , Z = −1 , (9.14)

which completes the proof. Lemma 11. The matrix inequality AIP + IPAt + Dt IR−1 D + IM < 0

(9.15)

holds for some 0 < IP = IPt ∈ n×n , if and only if ⎡ ⎢ ⎣



AV + V t At + IM IP + AW − V • •

Dt IR ⎥ 0 ⎦ 0, V , W such that inequality (9.16) holds. (⇐=) In a similar way, Schur complements to inequality (9.16) imply that ⎡ ⎢ ⎣

AV + V t At + IM IP + AW − V 

⇐⇒

I A

• • 

−W − W t •



Dt IR ⎥ 0 ⎦< 0 −IR

AV + V t At + IM + Dt IR−1 D

IP + AW − V



−W − W t

⇐⇒ AIP + IPAt + Dt IR−1 D + IM < 0 , V = V t ,

which completes the proof. The following lemmas are found in [8]



I A

t < 0

(9.18)


Lemma 12. Given any x ∈ n : max {[xt RH G x]2 :  ∈ } = xt RHH t R x xt Gt G x .

Lemma 13. Given matrices 0 ≤ X = X t ∈ p×p , Y = Y t < 0 ∈ p×p , 0 ≤ Z = Z t ∈ p×p , such that [ξ t Y ξ ]2 − 4 [ξ t X ξ ξ t Z ξ ]2 > 0

for all 0 = ξ ∈ p is satisfied, then there exists a constant α > 0 such that α2 X + α Y + Z < 0 .

The following lemma can be found in [3]. Lemma 14. For a given two vectors α ∈ IRn , β ∈ IRm and matrix IN ∈ IRn×m defined over a prescribed interval , it follows for any matrices X ∈ IRn×n , Y ∈ IRn×m , and Z ∈ IRm×m , the following inequality holds  

 −2

α t (s) IN β(s) ds ≤ 



α(s) β(s)

t 

X Y t − INt

Y − IN Z



α(s) β(s)



ds ,

where 

X Yt

Y Z

 ≥0.

An algebraic version of Lemma 14 is stated here. Lemma 15. For a given two vectors α ∈ IRn , β ∈ IRm and matrix IN ∈ IRn×m defined over a prescribed interval , it follows that, for any matrices X ∈ IRn×n , Y ∈ IRn×m , and Z ∈ IRm×m , the following inequality holds  − 2 α IN β t



α β

t 

X Y t − INt

Y − IN Z



 α β

= α t X α + β t (Y t − INt )α + α t (Y − IN)β + β t Z β

subject to 

X Yt

Y Z

 ≥0.


The following lemma can be found in [11] Lemma 16. Let 0 < Y = Y t and M , N be given matrices with appropriate dimensions. Then it follows that Y + M  N + N t t M t < 0 , ∀ t  ≤ I holds if and only if there exists a scalar ε > 0 such that Y + ε M M t + ε−1 N t N < 0 . In the following lemma, we let X (z) ∈ IRn×p be a matrix function of the variable z. A matrix X∗ (z) is called the orthogonal complement of X (z) if X t (z)X∗ (z) = 0 and X (z)X∗ (z) is nonsingular (of maximum rank). Lemma 17. Let 0 < L = L t and X , Y be given matrices with appropriate dimensions. Then it follows that the inequality L (z) + X (z) P Y (z) + Y t (z) P t X t (z) > 0

(9.19)

holds for some P and z = zo if and only if the following inequalities X∗t (z) L (z) X∗ (z) > 0 , Y∗t (z) L (z) Y∗ (z) > 0

(9.20)

hold with z = zo . It is significant to observe that feasibility of matrix inequality (9.19) with variables P and z is equivalent to the feasibility of (9.20) with variable z and thus the matrix variable P has been eliminated from (9.19) to form (9.20). Using Finsler’s lemma [2], we can express (9.20) in the form L (z) − β X (z) X t (z) > 0 , L (z) − β Y (z) Y t (z) > 0

(9.21)

for some β ∈ IR. Lemma 18. For any constant matrix 0 < ∈ n×n , scalar σ < τ (t) < , and vector function x˙ : [−, −σ ] → n such that the following integration is welldefined, then it holds that  −( − σ )

t−σ

t−

x˙ t (s) x˙ (s) ds

≤ − [x(t − σ ) − x(t − )]t [x(t − σ ) − x(t − )] .


Lemma 19. Given constant matrices 1 , 2 , 3 , where 1 = T1 and 2 = T2 , then 1 + T3 2−1 3 < 0

if and only if  1 3

T3 −2



 0, if there exists a vector function r (s) : [0, φ] → n such that the following integrations are well-defined, then 

0

−φ



r (s)Mr (s)ds ≥ t

φ

φ

t



r (s)ds M 0

φ



r (s)ds . 0

Lemma 22 (The S procedure). Denote the set Z = {z}, and let $F(z), Y_1(z), Y_2(z), ..., Y_k(z)$ be some functionals or functions. Define domain D as

$$D = \{z \in Z : Y_1(z) \ge 0,\ Y_2(z) \ge 0,\ ...,\ Y_k(z) \ge 0\}$$

and the two following conditions:

1. $F(z) > 0$, $\forall z \in D$,
2. $\exists\, \varepsilon_1 \ge 0, \varepsilon_2 \ge 0, ..., \varepsilon_k \ge 0$ such that $S(\varepsilon, z) = F(z) - \sum_{j=1}^{k} \varepsilon_j Y_j(z) > 0$, $\forall z \in Z$,

then 2 implies 1.


Lemma 23. For real matrices A, B, X , Y , Z and a regular matrix S with appropriate dimensions, we have 

X + Bt S−1 B Z 



X Z + AB

Zt Y + ASAt Z t + B T At Y

0 for s > 0 and there exists a continuous nondecreasing function p(s) > s for s > 0 such that $\dot{V}(t, x) \le -w(x)$ whenever $V(t + \theta, x(t + \theta)) \le p(V(t, x(t)))$ for θ ∈ [−τ, 0], then the system is uniformly asymptotically stable. If, in addition, $\lim_{s \to \infty} u(s) = \infty$, then the system is globally asymptotically stable.

The argument behind the theorem goes like this: $\bar{V}$ serves as a measure for V in the interval t − τ to t. If V(x(t)) is less than $\bar{V}$, it is not necessary that $\dot{V} < 0$, but if V(x(t)) becomes equal to $\bar{V}$, then $\dot{V}$ should be < 0 so that V will not grow. The procedure can be explained better through the following discussion. Consider a system and a selected Lyapunov function V(x) that is positive semi-definite. By taking the time derivative of this Lyapunov function, we get $\dot{V}$. According to the Razumikhin theorem, this term does not always need to be negative, but if we add the term $a(V(x) - V(x_t))$, a > 0, to $\dot{V}$, then the term $\dot{V} + a(V(x) - V(x_t))$

(9.24)

should always be negative. This condition is satisfied if $\dot{V} < 0$ and $V(x) \le V(x_t)$, meaning that the system states are not growing in magnitude and are approaching the origin (stable system). It is also satisfied if $V(x) < V(x_t)$ and $\dot{V} > 0$ but $\dot{V} < |a(V(x) - V(x_t))|$; then, although $\dot{V}$ is positive and the states are increasing, the Lyapunov function is limited by an upper bound and will not grow without limit. The third case is that both of them are negative, and it is clear that the system is stable. This condition ensures uniform stability, meaning that the states may not reach the origin but are contained in a domain, say  , that obeys the primary definition of stability. To extend this theorem to asymptotic stability, we can consider adding the term $p(V(x(t))) - V(x_t)$, where p(.) is a function with the property p(s) > s, and then the condition becomes

$$\dot{V} + a\big(p(V(x(t))) - V(x_t)\big) < 0, \quad a > 0. \qquad (9.25)$$

Because of this, when the system reaches some value that makes $p(V(x(t))) = V(x_t)$, it requires $\dot{V}$ to be negative, but at this instant $V(x(t)) < V(x_t)$, so that in the coming τ interval V(x) will never reach $V(x_t)$. The maximum value in this interval is the new $V(x_t)$, which is less than the previous value, and with time the function keeps decreasing until the states reach the origin.

9.7.2 Lyapunov–Krasovskii theorem

The Razumikhin theorem attempts to construct a Lyapunov function, while Lyapunov–Krasovskii uses functionals because V, which can be considered as an indicator for the internal power in the system, is a function of $x_t$. It is then logical to consider V as a function of a function and hence a functional. The terms of $V(x_t)$ should contain terms for x in the interval (t − τ) to t, and $\dot{V}$ should be < 0 to ensure asymptotic stability. This method will be covered in more detail in the next section. In many cases, Lyapunov–Razumikhin can be found as a special case of Lyapunov–Krasovskii, which makes the former more conservative. The Lyapunov–Krasovskii method tries to build a Lyapunov functional that is a function of $x_t$, and the time derivative of this Lyapunov function should be negative for the system to be stable. Previously, there was a criticism of Lyapunov–Krasovskii because it was used for systems with the third category of delay mentioned in chapter 2 only when $\dot{\tau} \le \mu \le 1$, but the recent results resolve this problem, as we have seen in chapters 3 and 6. Another criticism is that the Krasovskii methods cannot deal with delay in the second category, but the recent results for this method also succeed in including this case [3]. The remaining advantage of the Razumikhin method is its simplicity, but the Krasovskii method has proved to give less conservative results, which is the characteristic that makes it interesting to most researchers in recent years. Before addressing the theorem in detail, we have to define the following notations:

$$\phi = x_t, \qquad \phi_c = \max_{\theta \in [-\tau, 0]} x(t + \theta). \qquad (9.26)$$

Lyapunov–Krasovskii theorem statement [4]

Suppose f is a functional that takes time t and initial values $x_t$ and gives a vector of n states $\dot{x}$, and u, v, w are class K functions; u(s) and v(s) are positive for s > 0 and u(0) = v(0) = 0, and v is strictly increasing. If there exists a continuously differentiable function $V : R \times R^n \to R$ such that

$$u(\phi) \le V(t, x) \le v(\phi_c) \qquad (9.27)$$

and the time derivative of V along the solution x(t) satisfies $\dot{V}(t, x) \le -w(\phi)$ for θ ∈ [−τ, 0], then the system is uniformly stable. If, in addition, w(s) > 0 for s > 0, then the system is uniformly asymptotically stable. If, in addition, $\lim_{s \to \infty} u(s) = \infty$, then the system is globally asymptotically stable. It is clear that V is a functional, and $\dot{V}$ should always be negative. When considering the special class of linear time-invariant (LTI) systems with multiple discrete-time delays, which is given by [4]

$$\dot{x}(t) = A_o x(t) + \sum_{j=1}^{m} A_j x(t - h_j), \qquad (9.28)$$

hj j = 1, 2..., m are constants, then this case is a simplified case and in spite of that the Lyapunov–Krasovskii functional that gives a necessary and sufficient condition for the system stability is given by V (xt ) = x (t)U (0)x(t) +

m  m 





x (t + θ2 )Ak ×

k=1 k=1



−hk

U (θ1 + θ2 + hk − hj )

0

× Aj x(t + θ1 )dθ1 dθ2 k=1  −hk  + x (t + θ )[(hk + θ )Rk + Wk ]x(t + θ )dθ , (9.29) m

0

where W0 ; W1 ; ...; Wm ; R1 , R2 ; ...; Rm are positive definite matrices and U is given by  d U (τ ) = U (τ )A0 + U (τ − hk )Ak dτ k=1 m

τ ∈ [0, maxk (hk )] .

(9.30)

This theorem was found by trying to imitate the situation of delay-free systems by finding the state transition matrix and then use it to find P that makes x (t)(PA + A P )x(t) = −Q ,

Q>0,

P>0.


This Lyapunov functional gives a necessary and sufficient condition for the system stability, but finding the U for this equation is very difficult “and involves solving algebraic ordinary and partial differential equations with appropriate boundary conditions, which is obviously unpromising” [4]. Moreover, even if we can find this U, the resulting functional leads to a complicated system of partial differential equations yielding an infinite-dimensional LMI. That is why many authors considered special forms of it and thus derived simpler but more conservative sufficient conditions, which can be represented by an appropriate set of LMIs. This is the case for an LTI system with fixed time delay; considering time-varying delay or generally nonlinear systems makes it more difficult. But looking at these terms, one can get some idea about the possible terms that can be used in the simplified functional.

9.7.3 Halanay theorem

The following fundamental result plays an important role in the stability analysis of time-delay systems. Suppose that constant scalars $k_1$ and $k_2$ satisfy $k_1 > k_2 > 0$ and y(t) is a nonnegative continuous function on $[t_o - \tau, t_o]$ satisfying

$$\frac{dy(t)}{dt} \le -k_1 y(t) + k_2 \bar{y}(t) \qquad (9.31)$$

for $t \ge t_o$, where τ ≥ 0 and

$$\bar{y}(t) = \sup_{t - \tau \le s \le t} \{y(s)\}.$$

Then, for $t \ge t_o$, we have

$$y(t) \le \bar{y}(t_o) \exp(-\sigma (t - t_o)),$$

where σ > 0 is the unique solution of the following equation

$$\sigma = k_1 - k_2 \exp(\sigma \tau).$$

It must be emphasized that the Lyapunov–Krasovskii theorem, Lyapunov–Razumikhin theorem, and Halanay theorem can be effectively used to derive stability conditions when the time-delay is time-varying and continuous, but not necessarily differentiable. Experience and the available literature show that the Lyapunov–Krasovskii theorem is more useful, particularly for obtaining delay-dependent stability and stabilization conditions.
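The decay rate in the Halanay theorem has no closed form once τ > 0, so it has to be computed numerically. The following added example (not from the book) solves σ = k1 − k2 exp(στ) by bisection and checks the bound y(t) ≤ ȳ(t_o) exp(−σ(t − t_o)) against a forward-Euler simulation of the extremal case dy/dt = −k1 y + k2 ȳ; the function names, the step size, t_o = 0 and the initial histories are assumptions chosen for illustration.

```python
import math

def halanay_rate(k1, k2, tau, tol=1e-12):
    """Unique sigma > 0 with sigma = k1 - k2*exp(sigma*tau), for k1 > k2 > 0, tau >= 0."""
    if not (k1 > k2 > 0.0) or tau < 0.0:
        raise ValueError("Halanay's theorem needs k1 > k2 > 0 and tau >= 0")

    # g is strictly increasing, g(0) = k2 - k1 < 0 and g(k1) = k2*exp(k1*tau) > 0,
    # so the single root lies in (0, k1) and bisection converges to it.
    def g(s):
        return s - k1 + k2 * math.exp(s * tau)

    lo, hi = 0.0, k1
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if g(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

def simulate_extremal(k1, k2, tau, history, t_end, dt=1e-3):
    """Forward Euler for dy/dt = -k1*y + k2*ybar(t), ybar(t) = sup of y on [t - tau, t].

    history(s) is the nonnegative initial function on [-tau, 0] (t_o = 0).
    Returns (times, values, ybar0) with ybar0 = sup of the sampled history.
    """
    if dt * k1 > 1.0:
        raise ValueError("dt is too large for this k1")
    n_delay = int(math.floor(tau / dt + 1e-9))           # window length in steps
    window = [history(-j * dt) for j in range(n_delay, -1, -1)]   # oldest ... y(0)
    ybar0 = max(window)
    times, values = [0.0], [window[-1]]
    for n in range(int(round(t_end / dt))):
        y = window[-1]
        y_next = y + dt * (-k1 * y + k2 * max(window))   # max(window) is ybar(t)
        window.append(y_next)
        window.pop(0)
        times.append((n + 1) * dt)
        values.append(y_next)
    return times, values, ybar0

def worst_bound_gap(k1, k2, tau, history, t_end, dt=1e-3):
    """Largest y(t) - ybar(t_o)*exp(-sigma*t) on the trajectory; <= 0 when the bound holds."""
    sigma = halanay_rate(k1, k2, tau)
    times, values, ybar0 = simulate_extremal(k1, k2, tau, history, t_end, dt)
    return max(y - ybar0 * math.exp(-sigma * t) for t, y in zip(times, values))

if __name__ == "__main__":
    # Constructed parameters: the guaranteed rate shrinks as the delay grows.
    for tau in (0.0, 0.1, 0.5, 1.0):
        print(f"tau = {tau:3.1f}  sigma = {halanay_rate(2.0, 1.0, tau):.6f}")
    print("worst gap:", worst_bound_gap(2.0, 1.0, 0.5, lambda s: 1.0, 5.0))
```

With τ = 0 the rate reduces to k1 − k2, and any positive delay lowers it, which is how the theorem quantifies the cost of latency in the loop.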


9.7.4 Types of continuous Lyapunov–Krasovskii functionals

In this section, we provide some Lyapunov–Krasovskii functionals and their time-derivatives, which are in common use in stability studies throughout the text.

$$V_1(x) = x^t P x + \int_{-\tau}^{0} x^t(t + \theta) Q x(t + \theta)\, d\theta, \qquad (9.32)$$

$$V_2(x) = \int_{-\tau}^{0} \int_{t+\theta}^{t} x^t(\alpha) R x(\alpha)\, d\alpha\, d\theta, \qquad (9.33)$$

$$V_3(x) = \int_{-\tau}^{0} \int_{t+\theta}^{t} \dot{x}^t(\alpha) W \dot{x}(\alpha)\, d\alpha\, d\theta, \qquad (9.34)$$

where x is the state vector, τ is a constant delay factor, and the matrices $0 < P^t = P$, $0 < Q^t = Q$, $0 < R^t = R$, $0 < W^t = W$ are appropriate weighting factors. Standard matrix manipulations lead to

$$\dot{V}_1(x) = \dot{x}^t P x + x^t P \dot{x} + x^t(t) Q x(t) - x^t(t - \tau) Q x(t - \tau), \qquad (9.35)$$

$$\dot{V}_2(x) = \int_{-\tau}^{0} \left[x^t(t) R x(t) - x^t(t + \theta) R x(t + \theta)\right] d\theta = \tau x^t(t) R x(t) - \int_{-\tau}^{0} x^t(t + \theta) R x(t + \theta)\, d\theta, \qquad (9.36)$$

$$\dot{V}_3(x) = \tau \dot{x}^t(t) W \dot{x}(t) - \int_{t-\tau}^{t} \dot{x}^t(\alpha) W \dot{x}(\alpha)\, d\alpha. \qquad (9.37)$$

9.7.5 Some discrete Lyapunov–Krasovskii functionals

In this section, we provide a general form of discrete Lyapunov–Krasovskii functionals and their first-difference that can be used in stability studies of discrete time throughout the text.

$$V(k) = V_o(k) + V_a(k) + V_c(k) + V_m(k) + V_n(k),$$

$$V_o(k) = x^t(k) P_\sigma x(k), \qquad V_a(k) = \sum_{j=k-d(k)}^{k-1} x^t(j) Q_\sigma x(j),$$

$$V_c(k) = \sum_{j=k-d_m}^{k-1} x^t(j) Z_\sigma x(j) + \sum_{j=k-d_M}^{k-1} x^t(j) S_\sigma x(j),$$

$$V_m(k) = \sum_{j=-d_M+1}^{-d_m} \sum_{m=k+j}^{k-1} x^t(m) Q_\sigma x(m),$$

$$V_n(k) = \sum_{j=-d_M}^{-d_m-1} \sum_{m=k+j}^{k-1} \delta x^t(m) R_{a\sigma} \delta x(m) + \sum_{j=-d_M}^{-1} \sum_{m=k+j}^{k-1} \delta x^t(m) R_{c\sigma} \delta x(m), \qquad (9.38)$$

where

$$0 < P_\sigma = \sum_{j=1}^{N} \lambda_j P_j, \quad 0 < Q_\sigma = \sum_{j=1}^{N} \lambda_j Q_j, \quad 0 < Z_\sigma = \sum_{j=1}^{N} \lambda_j Z_j,$$

$$0 < S_\sigma = \sum_{j=1}^{N} \lambda_j S_j, \quad 0 < R_{a\sigma} = \sum_{j=1}^{N} \lambda_j R_{aj}, \quad 0 < R_{c\sigma} = \sum_{j=1}^{N} \lambda_j R_{cj} \qquad (9.39)$$

are weighting matrices of appropriate dimensions. Consider now a class of discrete-time systems with interval-like time-delays that can be described by x(k + 1) = Aσ x(k) + Dσ x(k − dk ) + σ ω(k) , z(k) = Cσ x(k) + Gσ x(k − dk ) + σ ω(k) ,

(9.40)

where x(k) ∈ n is the state, z(k) ∈ q is the controlled output, and ω(k) ∈ p is the external disturbance, which is assumed to belong to 2 [0, ∞). In the sequel, it is assumed that dk is time-varying and satisfies dm ≤ dk ≤ dM ,

(9.41)

where the bounds dm > 0 and dM > 0 are constant scalars. The system matrices containing uncertainties that belong to a real convex bounded polytopic model of the type ! (λ := [Aλ , Dλ , ..., λ ] [Aσ , Dσ , ..., σ ] ∈ =

N 

) λj [Aj , Dj , ..., j ], λ ∈  ,

(9.42)

j=1

where  is the unit simplex   N   = (λ1 , · · · , λN ) : λj = 1 , λj ≥ 0 . 

j=1

(9.43)


Define the vertex set N = {1, ..., N }. We use {A, ..., } to imply generic system matrices and {Aj , ..., j , j ∈ N } to represent the respective values at the vertices. In what follows, we provide a definition of exponential stability of system (9.40). A straightforward computation gives the first-difference of $\Delta V(k) = V(k + 1) - V(k)$ along the solutions of (9.40) with ω(k) ≡ 0 as

$$\Delta V_o(k) = x^t(k+1) P_\sigma x(k+1) - x^t(k) P_\sigma x(k) = [A_\sigma x(k) + D_\sigma x(k - d_k)]^t P_\sigma [A_\sigma x(k) + D_\sigma x(k - d_k)] - x^t(k) P_\sigma x(k),$$

$$\Delta V_a(k) \le x^t(k) Q x(k) - x^t(k - d(k)) Q x(k - d(k)) + \sum_{j=k-d_M+1}^{k-d_m} x^t(j) Q x(j),$$

$$\Delta V_c(k) = x^t(k) Z x(k) - x^t(k - d_m) Z x(k - d_m) + x^t(k) S x(k) - x^t(k - d_M) S x(k - d_M),$$

$$\Delta V_m(k) = (d_M - d_m) x^t(k) Q x(k) - \sum_{j=k-d_M+1}^{k-d_m} x^t(j) Q x(j),$$

$$\Delta V_n(k) = (d_M - d_m) \delta x^t(k) R_a \delta x(k) + d_M \delta x^t(k) R_c \delta x(k) - \sum_{j=k-d_M}^{k-d_m-1} \delta x^t(j) R_a \delta x(j) - \sum_{j=k-d_M}^{k-1} \delta x^t(j) R_c \delta x(j). \qquad (9.44)$$

9.8 Elements of algebraic graphs

Graph theory plays a crucial role in describing the interconnection topology of multiagent systems. In this section, we present only basic definitions, concepts, and results about graph theory. For systematic study of graph theory, the reader is referred to [14].

9.8.1 Graph theory

A directed graph (in short, a digraph) G = (V; E; A) of order N is composed of a vertex set $V = \{v_1, v_2, ..., v_N\}$, a set $E = \{e_{ij} = (v_i, v_j)\} \subseteq V \times V$ of ordered pairs of vertices called edges, and a weighted adjacency matrix $A = [a_{ij}]$ with nonnegative adjacent elements $a_{ij}$. For emphasis, we denote by V(G) and E(G) the vertex set and edge set of graph G, respectively. The node indexes belong to a finite index set I = {1, 2, ..., n}. Moreover, $a_{ij} > 0$ if $(v_i, v_j) \in E$ and $a_{ij} = 0$ if $(v_i, v_j) \notin E$ for all i = 1, ..., n. Also, $(v_i, v_j) \in E$ if and only if the i-th agent can receive information from the j-th agent directly. If a directed graph has the property that $a_{ij} = a_{ji}$ for any i, j ∈ I, the directed graph is called undirected. In addition, $N = \{v_j \in V : (v_i, v_j) \in E\}$ is defined as the set of neighbors of node $v_i$. An undirected graph (in short, a graph) consists of a set V of nodes and of a set E of unordered pairs of nodes, called edges. For u, v ∈ V and u ≠ v, the set {u, v} denotes an unordered edge. For an edge (i, j), node i is called the parent node, j the child node, and j is neighboring to i. A graph with the property that (i, j) ∈ E implies (j, i) ∈ E is said to be undirected; otherwise, it is directed. A path on G from node $i_1$ to node $i_\ell$ is a sequence of ordered edges of the form $(i_k, i_{k+1})$, $k = 1, ..., \ell - 1$. A directed graph has or contains a directed spanning tree if there exists a node called root such that there exists a directed path from this node to every other node in the graph.

9.8.2 Undirected graph

A digraph G(V′, E′) is said to be a subgraph of a digraph (V, E) if V′ ⊂ V and E′ ⊂ E. In particular, a digraph G(V′, E′) is said to be a spanning subgraph of a digraph (V, E) if it is a subgraph and V′ = V. The digraph (V′, E′) is the subgraph of (V, E) induced by V′ ⊂ V if E′ contains all edges in E between two vertices in V′. An undirected graph (in short, graph) G consists of a vertex set V and a set E of unordered pairs of vertices. If each edge of the graph G is given a particular orientation, then we get an oriented graph of G, denoted by G→, which is a digraph. Denote by G← the reverse of G→. Then, G = G→ ∪ G←. For an undirected graph G, the in-neighbor set of any vertex is always equal to the out-neighbor set of the same vertex. Therefore, in the undirected case, we simply use the terms neighbor, neighbor set and degree. For an undirected graph, if it contains a globally reachable node, then any other vertex is also globally reachable. In that case, we simply say that the undirected graph is connected. An undirected graph is said to be a tree if it is connected and acyclic. The following results hold:

Theorem 23. G(V, E) is a tree if and only if G is connected and |E| = |V| − 1. Alternatively, G(V, E) is a tree if and only if G is acyclic and |E| = |V| − 1.

Theorem 24. A graph is connected if and only if it contains a spanning tree.

9.8.3 Main graphs

In the sequel, we present various graphs of dimension n in common use in system and network theory as follows:

(a) Path graph: nodes are ordered in a sequence and edges connect subsequent nodes in the sequence;
(b) Cycle (or ring) graph: all nodes and edges can be arranged as the vertices and edges of a regular polygon;
(c) Star graph: edges connect a specific node, called the center, to all other nodes;
(d) Complete graph: every pair of nodes is connected by an edge;
(e) Two-dimensional grid graph: nodes are ordered in row and column sequences and edges connect subsequent nodes in both horizontal and vertical sequences;
(f) Petersen graph: nodes are arranged in closed, outer hexagonal and closed, inner hexagonal;
(g) Complete bipartite graph: nodes are divided into two sets and every node of the first set is connected with every node of the second set.

Fig. 9.4 illustrates these graph types. Further details about the bipartite graph follow.

Figure 9.4 Type graphs.

A graph G is a bipartite graph with vertex classes $V_1$ and $V_2$ if V(G) is a direct sum of $V_1$ and $V_2$, that is, $V = V_1 \oplus V_2$, which implies that $V = V_1 \cup V_2$ and $V_1 \cap V_2 = \emptyset$, and every edge joins a vertex of $V_1$ to a vertex of $V_2$. It is also said that G has bipartition $(V_1, V_2)$.

Figure 9.5 A bipartite graph.

Fig. 9.5 shows an example of a bipartite graph, where the vertex set V is a direct sum of $V_1 = \{v_1, v_2, v_3\}$ and $V_2 = \{v_I, v_{II}, v_{III}, v_{IV}\}$. Each vertex in $V_1$ has neighbors only in $V_2$, and vice versa. The following result holds:

Theorem 25. A graph is bipartite if and only if it does not contain an odd cycle.

9.8.4 Graph operations

In a multiagent system, each agent can be considered as a vertex in a digraph, and the information flow between two agents can be regarded as a directed path between the vertices in the digraph. Thus, the interconnection topology of a multiagent system can be described by a digraph. However, differing from the classic signal-flow graph [11], in this book and in many other references on distributed control/multiagent systems, the direction of an edge in the digraph does not mean the direction of an information flow. Let us consider the digraph shown in Fig. 9.6 for instance. Denote by $x_i \in \mathbb{R}$, i = 1, ..., 5, the state of agent i associated with vertex i. The existence of edge $e_{ij}$ implies that agent i gets the state information $x_j$ from agent j. For example, agent 1 gets information from agent 2. In principle, we can construct new graphs from old ones by graph operations. For two graphs $G_1 = (V_1; E_1)$ and $G_2 = (V_2; E_2)$, the intersection and union of $G_1$ and $G_2$ are defined by

$$G_1 \cap G_2 := (V_1 \cap V_2,\ E_1 \cap E_2),$$

$$G_1 \cup G_2 := (V_1 \cup V_2,\ E_1 \cup E_2).$$

For a digraph G = (V; E), the reverse digraph of G is a pair rev(G) = (V; rev(E)), where rev(E) consists of all edges in E with reversed directions. If W ⊂ V(G), then G − W = G[V\W] is the subgraph of G obtained by deleting the vertices in W and all edges incident with them. Obviously, G − W is the subgraph of G induced by V\W. Similarly, if E′ ⊂ E, then G − E′ = (V(G), E(G) \ E′). If W (or E′) contains a single vertex w (or a single edge xy), respectively, the notation is simplified to G − w or G − xy, respectively. Similarly, if x and y are nonadjacent vertices of G, then G + xy is obtained from G by joining x to y.

9.8.5 Basic properties

For a graph G with m nodes, the row-stochastic matrix $D \in \mathbb{R}^{m\times m}$ is defined with $d_{ii} > 0$, $d_{ij} > 0$ if $(j, i) \in E$ but 0 otherwise, and $\sum_{j=1}^{m} d_{ij} = 1$. It follows from the foregoing consideration that all of the eigenvalues of D are either in the open unit disk or equal to 1, and furthermore, 1 is a simple eigenvalue of D if and only if graph G contains a directed spanning tree. For an undirected graph, D is symmetric. Let m denote the set of all directed graphs with m nodes such that each graph contains a directed spanning tree, and let ≤δ (0 < δ < 1) denote the set of all directed graphs containing a directed spanning tree, the nonone eigenvalues of which lie in the disk of radius δ centered at the origin.

A path in a digraph is an ordered sequence of vertices such that any ordered pair of vertices appearing consecutively in the sequence is an edge of the digraph. A path is simple if no vertices appear more than once in it, except possibly for the initial and final vertices. The length of a path is defined as the number of consecutive edges in the path. For a simple path, the path length is less than the number of vertices contained in the path by unity. A vertex $v_i$ in digraph G is said to be reachable from another vertex $v_j$ if there is a path in G from $v_i$ to $v_j$. A vertex in the digraph is said to be globally reachable if it is reachable from every other vertex in the digraph. A digraph is strongly connected if every vertex is globally reachable. In Fig. 9.6, $v_1, v_2, v_3, v_4$ are globally reachable vertices. But the digraph is not strongly connected because $v_3$ is unreachable from the other vertices.

Figure 9.6 A digraph.

A cycle is a simple path that starts and ends at the same vertex. A cycle containing only one vertex is called a self-cycle (or self-loop). The length of a cycle is defined as the number of edges contained in the cycle. A cycle is odd (even) if its length is odd (even). If a vertex in a cycle is globally reachable, then any other vertex in the cycle is also globally reachable. In Fig. 9.6, the path $(v_1, v_2, v_5, v_1)$ is a cycle. The path $\{v_2, v_4, v_5, v_2\}$ and the path $\{v_1, v_2, v_4, v_5, v_1\}$ are also cycles. This digraph has no self-cycle. A digraph with a self-cycle is shown in Fig. 9.7.

Figure 9.7 A digraph with a self-cycle.

A digraph is acyclic if it contains no cycles. An acyclic digraph is called a directed tree if it satisfies the following property: There exists a vertex, called the root, such that any other vertex of the digraph can be reached by one and only one path starting at the root. A directed spanning tree of a digraph is a spanning subgraph that is a directed tree. The digraph shown in Fig. 9.8 is a directed tree. Obviously, it is a directed spanning tree of both the digraph in Fig. 9.6 and the digraph in Fig. 9.7. The degree matrix D(G) = diag{d1 , d2 , ..., dn } is a diagonal matrix, whose diagonal elements are given as di = degout (vi ). A directed path is a sequence of edges in a directed graph of the form (v1 , v2 ), (v2 , v3 ), ..., vi ∈ V.


Figure 9.8 A directed tree.

A directed graph contains a directed spanning tree if there exists at least one agent, called a root node, that has a directed path to every other agent. The |V| × |E| incidence matrix, E(G), is defined for a graph with arbitrary orientation. The columns of E(G) are indexed by the edges, and the i-th row entry takes the value one if it is the initial node of the corresponding edge, negative one if it is the terminal node, and zero otherwise. The adjacency matrix, A(G), is the symmetric |V| × |V| matrix with zero on the diagonal and one in the ij-th position if node i is adjacent to node j. The (graph) Laplacian of G is a rank deficient, symmetric, and positive semi-definite matrix defined by

$$L(G) := E(G)E(G)^t = D(G) - A(G) := [l_{ij}], \qquad l_{ij} = -a_{ij}, \qquad l_{ii} = \sum_{j=1}^{n} a_{ij}.$$

Lemma 25. [15] If the graph G has a spanning tree, then its Laplacian L has the following properties:
1. Zero is a simple eigenvalue of L, and $1_n$ is the corresponding eigenvector, that is, $L 1_n = 0$;
2. The remaining n − 1 eigenvalues all have positive real parts. In particular, if the graph G is undirected, then all these eigenvalues are positive and real.

Lemma 26. [14] Consider a directed graph G. Let $D \in \mathbb{R}^{n\times|E|}$ be the 01-matrix with rows and columns indexed by the nodes and edges of G, and $E \in \mathbb{R}^{|E|\times n}$ be the 01-matrix with rows and columns indexed by the edges and nodes of G, such that

$$D_{uf} = \begin{cases} 1 & \text{if the node } u \text{ is the tail of the edge } f \\ 0 & \text{otherwise} \end{cases}, \qquad E_{fu} = \begin{cases} 1 & \text{if the node } u \text{ is the head of the edge } f \\ 0 & \text{otherwise} \end{cases},$$

where |E| is the number of the edges. Let $Q = \mathrm{diag}\{q_1, q_2, \ldots, q_{|E|}\}$, where $q_p$ (p = 1, ..., |E|) is the weight of the p-th edge of G (i.e., the value of the adjacency matrix on the p-th edge). Then, the Laplacian of G can be transformed into $L = (DQD^T - E)$.

9.8.6 Connectivity properties of digraphs

There are four useful connectivity notions for a digraph G:
(1) G is strongly connected if there exists a directed path from any node to any other node;
(2) G is weakly connected if the undirected version of the digraph is connected;
(3) G possesses a globally reachable node if one of its nodes can be reached from any other node by traversing a directed path; and
(4) G possesses a directed spanning tree if one of its nodes is the root of directed paths to every other node.

Figure 9.9 A weighted graph.

9.8.7 Properties of adjacency matrix

Note that, in the case of undirected graphs, the adjacency matrix is symmetric. In general, for the weighted graph depicted in Fig. 9.9, the adjacency matrix is given by

$$A = \begin{bmatrix} 0 & 3.7 & 2.6 & 0 & 0 \\ 8.9 & 0 & 0 & 1.2 & 0 \\ 0 & 0 & 0 & 1.9 & 2.3 \\ 0 & 0 & 0 & 0 & 0 \\ 4.4 & 0 & 0 & 2.7 & 4.4 \end{bmatrix}.$$


Table 9.1 A Table of Correspondence.

| Digraph G | Nonnegative matrix A (adjacency of G) |
|---|---|
| G is undirected | $A = A^t$ |
| G is weight-balanced | $A\mathbf{1}_n = A^t\mathbf{1}_n$, that is $D_{out} = D_{in}$ |
| (no self-loops) node i is a sink | (zero diagonal) i-th row-sum of A is zero |
| (no self-loops) node i is a source | (zero diagonal) i-th column-sum of A is zero |
| each node has weighted out-degree equal to 1 ($D_{out} = I_n$) | A is row-stochastic |
| each node has weighted out-degree equal to 1 ($D_{in} = D_{out} = I_n$) | A is doubly-stochastic |

In the sequel, we focus on the case of binary adjacency matrices. We denote by A(G) the (0, 1) adjacency matrix of the graph G. Let $A_{ij} \in \mathbb{R}$ be its (i, j) element; then $A_{i,i} = 0$, ∀i = 1, ..., N, $A_{i,j} = 0$ if (i, j) ∉ A and $A_{i,j} = 1$ if (i, j) ∈ A, ∀i, j = 1, ..., N, i ≠ j. If the in-degree equals the out-degree for all nodes i ∈ N, the graph is said to be balanced. Let $S(A(G)) = \{\lambda_1(A(G)), \ldots, \lambda_N(A(G))\}$ be the spectrum of the adjacency matrix associated with an undirected graph G arranged in nondecreasing semi-order.

Property 1: $\lambda_N(A(G)) \le d_{\max}(G)$.

This property together with Proposition 1 implies

Property 2: $\gamma_i \ge 0$, $\forall \gamma_i \in S(d_{\max} I_N - A)$.

In what follows, we let the given G be a weighted digraph and A its weighted adjacency matrix or, equivalently, we let A be a nonnegative matrix and G be its associated weighted digraph (that is, the digraph with nodes {1, ..., n} and with weighted adjacency matrix A). To summarize, we make some straightforward statements, organized as a table of correspondences in Table 9.1.


9.8.8 Laplacian spectrum of graphs

This section is a concise review of the relationship between the eigenvalues of a Laplacian matrix and the topology of the associated graph. We list a collection of properties associated with undirected graph Laplacians and adjacency matrices, which will be used in subsequent sections of the chapter. A graph G is defined as

$$G = (V, A), \tag{9.45}$$

where V is the set of nodes (or vertices) V = {1, ..., N} and A ⊆ V × V the set of edges (i, j) with i ∈ V, j ∈ V. The degree $d_j$ of a graph vertex j is the number of edges that start from j. Let $d_{\max}(G)$ denote the maximum vertex degree of the graph G. We define the Laplacian matrix of a graph G in the following way:

$$L(G) = D(G) - A(G), \tag{9.46}$$

where D(G) is the diagonal matrix of vertex degrees $d_i$ (also called the valence matrix). Eigenvalues of Laplacian matrices have been widely studied by graph theorists. Their properties are strongly related to the structural properties of their associated graphs. Every Laplacian matrix is a singular matrix. By Gershgorin's theorem [13], the real part of each nonzero eigenvalue of L(G) is strictly positive. For undirected graphs, L(G) is a symmetric, positive semidefinite matrix, which has only real eigenvalues. Let $S(L(G)) = \{\lambda_1(L(G)), \ldots, \lambda_N(L(G))\}$ be the spectrum of the Laplacian matrix L associated with an undirected graph G arranged in nondecreasing semiorder. Then,

Property 3:
1. $\lambda_1(L(G)) = 0$ with corresponding eigenvector of all ones, and $\lambda_2(L(G)) > 0$ iff G is connected. In fact, the multiplicity of 0 as an eigenvalue of L(G) is equal to the number of connected components of G.
2. The modulus of $\lambda_i(L(G))$, i = 1, ..., N, is less than N.

The second smallest Laplacian eigenvalue $\lambda_2(L(G))$ of graphs is probably the most important information contained in the spectrum of a graph. This eigenvalue, called the algebraic connectivity of the graph, is related to several important graph invariants, and it has been extensively investigated. Let L(G) be the Laplacian of a graph G with N vertices and with maximal vertex degree $d_{\max}(G)$. Then, the properties of $\lambda_2(L(G))$ include


Property 4:
1. $\lambda_2(L(G)) \le (N/(N-1)) \min\{d(v), v \in V\}$;
2. $\lambda_2(L(G)) \le v(G) \le \eta(G)$;
3. $\lambda_2(L(G)) \ge 2\eta(G)(1 - \cos(\pi/N))$; and
4. $\lambda_2(L(G)) \ge 2\left(\cos\frac{\pi}{N} - \cos\frac{2\pi}{N}\right)\eta(G) - 2\cos\frac{\pi}{N}\left(1 - \cos\frac{\pi}{N}\right)d_{\max}(G)$,

where v(G) is the vertex connectivity of the graph G (the size of a smallest set of vertices whose removal renders G disconnected) and η(G) is the edge connectivity of the graph G (the size of a smallest set of edges whose removal renders G disconnected) [12]. Further relationships between the graph topology and Laplacian eigenvalue locations are discussed in [14] for undirected graphs. Spectral characterization of Laplacian matrices for directed graphs can be found in [15]. A lemma about the Laplacian L associated with a balanced digraph G is given here:

Lemma 27. If G is balanced, then there exists a unitary matrix

$$V = \begin{pmatrix} \frac{1}{\sqrt{n}} & * & \cdots & * \\ \frac{1}{\sqrt{n}} & * & \cdots & * \\ \vdots & \vdots & & \vdots \\ \frac{1}{\sqrt{n}} & * & \cdots & * \end{pmatrix} \in \mathbb{C}^{m\times n} \tag{9.47}$$

such that

$$V^* L V = \begin{pmatrix} 0 & \\ & H \end{pmatrix} \in \mathbb{C}^{n\times n}, \qquad H \in \mathbb{C}^{(n-1)\times(n-1)}. \tag{9.48}$$

Moreover, if G has a globally reachable node, $H + H^*$ is positive definite.

Proof. Let $V = [\zeta_1, \zeta_2, \ldots, \zeta_n]$ be a unitary matrix, where $\zeta_i \in \mathbb{C}^n$ (i = 1, ..., n) are the column vectors of V and

$$\zeta_1 = (1/\sqrt{n})\mathbf{1} = (1/\sqrt{n}, 1/\sqrt{n}, \ldots, 1/\sqrt{n})^T.$$

Notice that, if G is balanced, it implies that $\zeta_1^* L = 0$. Then we have

$$V^* L V = V^* L[\zeta_1, \zeta_2, \ldots, \zeta_n] = \begin{pmatrix} \zeta_1^* \\ \zeta_2^* \\ \vdots \\ \zeta_n^* \end{pmatrix} [0_n, L\zeta_2, \ldots, L\zeta_n] = \begin{pmatrix} 0 & 0^T_{n-2} \\ \bullet & H \end{pmatrix}.$$

Furthermore, if G has a globally reachable node, then $L + L^t$ is positive semidefinite, see Theorem 7 in [11]. Hence, $V^*(L + L^t)V$ is also positive semidefinite. From Lemma 25, zero is a simple eigenvalue of L and, therefore, $H + H^*$ is positive definite.

Lemma 28. [16] Suppose that G is strongly connected. Let $\xi = [\xi_1, \xi_2, \ldots, \xi_N]^T$ be the positive left eigenvector of L associated with zero eigenvalue. Then, L + Lt ≥ 0, where = diag($\xi_1, \xi_2, \ldots, \xi_N$).

Lemma 29. [16] For a strongly connected graph G with Laplacian matrix L, we define its generalized algebraic connectivity as

$$a(L) = \min_{\xi^t x = 0,\ x \neq 0} \frac{x^t(\ L + L^t\ )}{x^t x},$$

where ξ and are defined as in Lemma 28. Then, a(L) > 0.

Let the symbol $d_{\max}(A)$ denote a maximal in-degree of the G(A). In correspondence with the Gershgorin theorem [11], we can deduce another important property of the Laplacian L: all eigenvalues of the matrix L(A) have a nonnegative real part and belong to the circle centered on the real axis at the point $(0, d_{\max}(A))$ and with a radius equal to $d_{\max}(A)$. Let $\{\lambda_1, \cdots, \lambda_N\}$ denote the eigenvalues of the matrix L(A). We arrange them in ascending order of real parts: $0 \le \mathrm{Re}(\lambda_1) \le \mathrm{Re}(\lambda_2) \le \cdots \le \mathrm{Re}(\lambda_N)$. By virtue of Lemma 25, if the graph has a spanning tree, then $\lambda_1 = 0$ is a simple eigenvalue and all other eigenvalues of L are in the open right half of the complex plane. The second eigenvalue $\lambda_2$ of L is important for analysis in many applications. It is usually called the Fiedler eigenvalue. For undirected graphs it was shown in [11] that

$$\mathrm{Re}(\lambda_2) \le \frac{N}{N-1} \min_{i \in N} d_i(A), \tag{9.49}$$

and for the connected undirected graph G(A)

$$\mathrm{Re}(\lambda_2) \ge \frac{1}{\mu\theta}, \tag{9.50}$$

where μ is the longest distance between two nodes and $\theta = \sum_{i \in N} d_i(A)$.
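The following added example (not from the book) checks Property 3 and items 1 to 3 of Property 4 numerically, the kind of check one would run on the communication graph of a networked control system to see how many node or link failures it tolerates. The two sample graphs, the Jacobi eigenvalue routine and all function names are constructed for this illustration.

```python
import math
from itertools import combinations

def laplacian(n, edges):
    """L(G) = D(G) - A(G) of (9.46) for an undirected graph on nodes 0..n-1."""
    L = [[0.0] * n for _ in range(n)]
    for i, j in edges:
        L[i][i] += 1.0
        L[j][j] += 1.0
        L[i][j] -= 1.0
        L[j][i] -= 1.0
    return L

def sym_eigenvalues(M, sweeps=100, tol=1e-24):
    """Eigenvalues of a symmetric matrix by cyclic Jacobi rotations, ascending."""
    n = len(M)
    A = [row[:] for row in M]
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if A[p][q] == 0.0:
                    continue
                tau = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, tau) / (abs(tau) + math.sqrt(1.0 + tau * tau))
                c = 1.0 / math.sqrt(1.0 + t * t)
                s = t * c
                for k in range(n):      # A <- A J (columns p and q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):      # A <- J^t A (rows p and q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted(A[i][i] for i in range(n))

def components(n, edges, removed=()):
    """Number of connected components of G - W, with W the removed vertices."""
    alive = [v for v in range(n) if v not in removed]
    adj = {v: set() for v in alive}
    for i, j in edges:
        if i in adj and j in adj:
            adj[i].add(j)
            adj[j].add(i)
    seen, count = set(), 0
    for v in alive:
        if v in seen:
            continue
        count += 1
        stack = [v]
        while stack:
            u = stack.pop()
            if u not in seen:
                seen.add(u)
                stack.extend(adj[u] - seen)
    return count

def vertex_connectivity(n, edges):
    """v(G): size of a smallest vertex set whose removal disconnects G (brute force)."""
    for k in range(n - 1):
        for W in combinations(range(n), k):
            if components(n, edges, W) > 1:
                return k
    return n - 1

def edge_connectivity(n, edges):
    """eta(G): size of a smallest edge set whose removal disconnects G (brute force)."""
    for k in range(len(edges) + 1):
        for F in combinations(edges, k):
            if components(n, [e for e in edges if e not in F]) > 1:
                return k
    return len(edges)

def fiedler_report(n, edges):
    """Algebraic connectivity next to the combinatorial quantities that bound it."""
    lam = sym_eigenvalues(laplacian(n, edges))
    eta = edge_connectivity(n, edges)
    min_deg = min(sum(1 for e in edges if v in e) for v in range(n))
    return {
        "lambda2": lam[1],
        "zero_multiplicity": sum(1 for x in lam if abs(x) < 1e-9),
        "components": components(n, edges),
        "vertex_conn": vertex_connectivity(n, edges),
        "edge_conn": eta,
        "upper_4_1": n / (n - 1) * min_deg,                    # Property 4, item 1
        "lower_4_3": 2 * eta * (1 - math.cos(math.pi / n)),    # Property 4, item 3
    }

# Constructed sample graphs on 5 nodes: two triangles sharing node 0, and a
# graph that has already split into two islands.
BOWTIE = [(0, 1), (0, 2), (1, 2), (0, 3), (0, 4), (3, 4)]
SPLIT = [(0, 1), (1, 2), (3, 4)]

if __name__ == "__main__":
    for name, g in (("bowtie", BOWTIE), ("split", SPLIT)):
        print(name, fiedler_report(5, g))
```

For the first graph the shared node is a single point of failure (vertex connectivity 1) although two links must fail to split it, and the algebraic connectivity sits between the bound of item 3 and the vertex connectivity.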

9.9 Linear matrix inequalities

It has been shown that a wide variety of problems arising in system and control theory can be conveniently reduced to a few standard convex or quasiconvex optimization problems involving linear matrix inequalities (LMIs). The resulting optimization problems can then be solved numerically very efficiently using commercially available interior-point methods.

9.9.1 Basics

One of the earliest LMIs arises in Lyapunov theory. It is well-known that the differential equation

$$\dot{x}(t) = A\,x(t) \tag{9.51}$$

has all of its trajectories converge to zero (stable) if and only if there exists a matrix P > 0 such that

$$A^t P + P A < 0. \tag{9.52}$$

This leads to the LMI formulation of stability, that is, an LTI system is asymptotically stable if and only if there exists a matrix $0 < P = P^t$ satisfying the LMIs

$$A^t P + P A < 0, \qquad P > 0.$$

Given a vector variable $x \in \mathbb{R}^n$ and a set of matrices $0 < G_j = G_j^t \in \mathbb{R}^{n\times n}$, j = 0, ..., p, then a basic compact formulation of an LMI is

$$G(x) := G_0 + \sum_{j=1}^{p} x_j G_j > 0. \tag{9.53}$$

Notice that (9.53) implies that $v^t G(x) v > 0\ \forall\, 0 \neq v \in \mathbb{R}^n$. More importantly, the set $\{x \mid G(x) > 0\}$ is convex. Nonlinear (convex) inequalities are converted into LMI form using Schur complements in the sense that

$$\begin{bmatrix} Q(x) & S(x) \\ \bullet & R(x) \end{bmatrix} > 0, \tag{9.54}$$

where $Q(x) = Q^t(x)$, $R(x) = R^t(x)$, S(x) depends affinely on x, is equivalent to

$$R(x) > 0, \qquad Q(x) - S(x)R^{-1}(x)S^t(x) > 0. \tag{9.55}$$

More generally, the constraint

$$\mathrm{Tr}\,[S^t(x)\,P^{-1}(x)\,S(x)] < 1, \qquad P(x) > 0,$$

where $P(x) = P^t(x) \in \mathbb{R}^{n\times n}$, $S(x) \in \mathbb{R}^{n\times p}$ depend affinely on x, is handled by introducing a new (slack) matrix variable $Y(x) = Y^t(x) \in \mathbb{R}^{p\times p}$ and the LMI (in x and Y):

$$\mathrm{Tr}\,Y < 1, \qquad \begin{bmatrix} Y & S(x) \\ \bullet & P(x) \end{bmatrix} > 0. \tag{9.56}$$

Most of the time, our LMI variables are matrices. It should be clear from the foregoing discussions that a quadratic matrix inequality (QMI) in the variable P can be readily expressed as an LMI in the same variable.
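As an added illustration (not code from the book), the Lyapunov LMI (9.52) and the Schur-complement equivalence (9.54)-(9.55) can be checked in exact rational arithmetic. The two system matrices, the block data and all function names are constructed for this example; the candidate P is obtained by solving $A^tP + PA = -I$, one standard way to produce a feasible P when A is stable.

```python
from fractions import Fraction

def mat(rows):
    return [[Fraction(x) for x in r] for r in rows]

def transpose(M):
    return [list(c) for c in zip(*M)]

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def add(X, Y, sign=1):
    return [[a + sign * b for a, b in zip(r, s)] for r, s in zip(X, Y)]

def solve(M, B):
    """Gauss-Jordan solution X of M X = B in exact arithmetic."""
    n = len(M)
    W = [list(M[i]) + list(B[i]) for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if W[r][c] != 0), None)
        if piv is None:
            raise ValueError("singular system")
        W[c], W[piv] = W[piv], W[c]
        p = W[c][c]
        W[c] = [x / p for x in W[c]]
        for r in range(n):
            if r != c and W[r][c] != 0:
                f = W[r][c]
                W[r] = [x - f * y for x, y in zip(W[r], W[c])]
    return [row[n:] for row in W]

def is_pos_def(M):
    """Symmetric M > 0 iff every pivot of elimination without row swaps is positive."""
    W = [list(r) for r in M]
    for k in range(len(W)):
        if W[k][k] <= 0:
            return False
        for i in range(k + 1, len(W)):
            f = W[i][k] / W[k][k]
            W[i] = [x - f * y for x, y in zip(W[i], W[k])]
    return True

def lyapunov_solve(A, Q):
    """Solve A^t P + P A = -Q by stacking the n*n entries of P into one vector."""
    n = len(A)
    K = [[Fraction(0)] * (n * n) for _ in range(n * n)]
    for i in range(n):
        for j in range(n):
            for k in range(n):
                K[i * n + j][k * n + j] += A[k][i]   # (A^t P)_ij = sum_k A_ki P_kj
                K[i * n + j][i * n + k] += A[k][j]   # (P A)_ij   = sum_k P_ik A_kj
    rhs = [[-Q[i][j]] for i in range(n) for j in range(n)]
    p = solve(K, rhs)   # raises ValueError if two eigenvalues of A sum to zero
    return [[p[i * n + j][0] for j in range(n)] for i in range(n)]

def lyapunov_certificate(A):
    """Return (P, ok); ok is True when P > 0 and A^t P + P A < 0 both hold."""
    n = len(A)
    I = mat([[int(i == j) for j in range(n)] for i in range(n)])
    P = lyapunov_solve(A, I)
    lmi = add(matmul(transpose(A), P), matmul(P, A))
    return P, is_pos_def(P) and is_pos_def([[-x for x in r] for r in lmi])

def block(Q, S, R):
    """Assemble the symmetric block matrix [[Q, S], [S^t, R]] of (9.54)."""
    return [q + s for q, s in zip(Q, S)] + [st + r for st, r in zip(transpose(S), R)]

def schur_test(Q, S, R):
    """Condition (9.55): R > 0 and Q - S R^{-1} S^t > 0."""
    if not is_pos_def(R):
        return False
    return is_pos_def(add(Q, matmul(S, solve(R, transpose(S))), sign=-1))

# Constructed data: eigenvalues of STABLE are -1 and -2, of UNSTABLE 1 and -2.
STABLE = mat([[0, 1], [-2, -3]])
UNSTABLE = mat([[0, 1], [2, -1]])
S_BLK, R_BLK = mat([[1], [1]]), mat([[1]])
Q_GOOD, Q_BAD = mat([[3, 0], [0, 3]]), mat([[1, 0], [0, 1]])

if __name__ == "__main__":
    print(lyapunov_certificate(STABLE))
    print(lyapunov_certificate(UNSTABLE))
    print(schur_test(Q_GOOD, S_BLK, R_BLK), is_pos_def(block(Q_GOOD, S_BLK, R_BLK)))
```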

9.9.2 Some standard problems

Here we provide some common convex problems that we have encountered throughout the monograph. Given an LMI G(x) > 0, the corresponding LMIP is to
• find a feasible $x \equiv x_f$ such that $G(x_f) > 0$,
• or determine that the LMI is infeasible.
It is obvious that this is a convex feasibility problem.

The generalized eigenvalue problem (GEVP) is to minimize the maximum generalized eigenvalue of a pair of matrices that depend affinely on a variable, subject to an LMI constraint. GEVP has the general form

$$\text{minimize } \lambda \quad \text{subject to } \lambda B(x) - A(x) > 0, \quad B(x) > 0, \quad C(x) > 0, \tag{9.57}$$

where A, B, C are symmetric matrices that are affine functions of x. Or, equivalently stated:

$$\text{minimize } \lambda_M[A(x), B(x)] \quad \text{subject to } B(x) > 0, \quad C(x) > 0, \tag{9.58}$$

where $\lambda_M[X, Y]$ denotes the largest generalized eigenvalue of the pencil λY − X with Y > 0. This problem is a quasiconvex optimization problem since the constraint is convex and the objective $\lambda_M[A(x), B(x)]$ is quasiconvex.

The eigenvalue problem (EVP) is to minimize the maximum eigenvalue of a matrix that depends affinely on a variable, subject to an LMI constraint. EVP has the general form

$$\text{minimize } \lambda \quad \text{subject to } \lambda I - A(x) > 0, \quad B(x) > 0, \tag{9.59}$$

where A, B are symmetric matrices that are affine functions of the optimization variable x. This problem is a convex optimization problem. EVPs can appear in the equivalent form of minimizing a linear function subject to an LMI, that is

$$\text{minimize } c^t x \quad \text{subject to } G(x) > 0, \tag{9.60}$$

where G(x) is an affine function of x. Examples of G(x) include

$$PA + A^t P + C^t C + \gamma^{-1} P B B^t P < 0, \qquad P > 0.$$

It should be stressed that the standard problems (LMIPs, GEVPs, EVPs) are tractable, from both theoretical and practical viewpoints:
• They can be solved in polynomial-time.
• They can be solved in practice very efficiently using commercial software.

9.9.3 The S-procedure

In some design applications, we faced the constraint that some quadratic function is negative whenever some other quadratic function is negative. In such cases, this constraint can be expressed as an LMI in the data variables defining the quadratic functions.

Let $G_o, \ldots, G_p$ be quadratic functions of the variable $\xi \in \mathbb{R}^n$:

$$G_j(\xi) := \xi^t R_j \xi + 2u_j^t \xi + v_j, \quad j = 0, \ldots, p, \quad R_j = R_j^t.$$

We consider the following condition on $G_o, \ldots, G_p$:

$$G_o(\xi) \le 0 \quad \forall \xi \ \text{such that} \ G_j(\xi) \ge 0, \quad j = 0, \ldots, p. \tag{9.61}$$

It is readily evident that, if there exist scalars $\omega_1 \ge 0, \ldots, \omega_p \ge 0$ such that

$$\forall \xi, \quad G_o(\xi) - \sum_{j=1}^{p} \omega_j G_j(\xi) \ge 0, \tag{9.62}$$

then inequality (9.61) holds. Observe that if the functions $G_o, \ldots, G_p$ are affine, then Farkas lemma states that (9.61) and (9.62) are equivalent. Interestingly enough, inequality (9.62) can be written as

$$\begin{bmatrix} R_o & u_o \\ \bullet & v_o \end{bmatrix} - \sum_{j=1}^{p} \omega_j \begin{bmatrix} R_j & u_j \\ \bullet & v_j \end{bmatrix} \ge 0. \tag{9.63}$$

The foregoing discussions were stated for nonstrict inequalities. In the case of strict inequality, we let $R_o, \ldots, R_p \in \mathbb{R}^{n\times n}$ be symmetric matrices with the following qualifications:

$$\xi^t R_o \xi > 0 \quad \forall \xi \ \text{such that} \ \xi^t G_j \xi \ge 0, \quad j = 0, \ldots, p. \tag{9.64}$$

Once again, it is obvious that, if there exist scalars $\omega_1 \ge 0, \ldots, \omega_p \ge 0$ such that

$$\forall \xi, \quad G_o(\xi) - \sum_{j=1}^{p} \omega_j G_j(\xi) > 0, \tag{9.65}$$

then inequality (9.64) holds. Observe that (9.65) is an LMI in the variables $R_o, \omega_1, \ldots, \omega_p$. It should be remarked that the S-procedure that deals with nonstrict inequalities allows the inclusion of constant and linear terms. In the strict version, only quadratic functions can be used.

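9.10 Some formulas on matrix inverses

This concerns some useful formulas for inverting matrix expressions in terms of the inverses of their constituents.

9.10.1 Inverse of block matrices

Let A be a square matrix of appropriate dimension and partitioned in the form

$$A = \begin{bmatrix} A_1 & A_2 \\ A_3 & A_4 \end{bmatrix}, \tag{9.66}$$

where both $A_1$ and $A_4$ are square matrices. If $A_1$ is invertible, then

$$\Delta_1 = A_4 - A_3 A_1^{-1} A_2$$

is called the Schur complement of $A_1$. Alternatively, if $A_4$ is invertible, then

$$\Delta_4 = A_1 - A_2 A_4^{-1} A_3$$

is called the Schur complement of $A_4$. It is well-known that matrix A is invertible if and only if either $A_1$ and $\Delta_1$ are invertible, or $A_4$ and $\Delta_4$ are invertible. Specifically, we have the following equivalent expressions

$$\begin{bmatrix} A_1 & A_2 \\ A_3 & A_4 \end{bmatrix}^{-1} = \begin{bmatrix} \Upsilon_1 & -A_1^{-1} A_2 \Delta_1^{-1} \\ -\Delta_1^{-1} A_3 A_1^{-1} & \Delta_1^{-1} \end{bmatrix}, \tag{9.67}$$

or

$$\begin{bmatrix} A_1 & A_2 \\ A_3 & A_4 \end{bmatrix}^{-1} = \begin{bmatrix} \Delta_4^{-1} & -\Delta_4^{-1} A_2 A_4^{-1} \\ -A_4^{-1} A_3 \Delta_4^{-1} & \Upsilon_4 \end{bmatrix}, \tag{9.68}$$

where

$$\Upsilon_1 = A_1^{-1} + A_1^{-1} A_2 \Delta_1^{-1} A_3 A_1^{-1}, \qquad \Upsilon_4 = A_4^{-1} + A_4^{-1} A_3 \Delta_4^{-1} A_2 A_4^{-1}. \tag{9.69}$$

Important special cases are

$$\begin{bmatrix} A_1 & 0 \\ A_3 & A_4 \end{bmatrix}^{-1} = \begin{bmatrix} A_1^{-1} & 0 \\ -A_4^{-1} A_3 A_1^{-1} & A_4^{-1} \end{bmatrix} \tag{9.70}$$

and

$$\begin{bmatrix} A_1 & A_2 \\ 0 & A_4 \end{bmatrix}^{-1} = \begin{bmatrix} A_1^{-1} & -A_1^{-1} A_2 A_4^{-1} \\ 0 & A_4^{-1} \end{bmatrix}. \tag{9.71}$$

9.10.2 The matrix inversion lemma

Let $A \in \mathbb{R}^{n\times n}$ and $C \in \mathbb{R}^{m\times m}$ be nonsingular matrices. By using the definition of matrix inverse, it can be easily verified that

$$[A + B C D]^{-1} = A^{-1} - A^{-1} B\,[D A^{-1} B + C^{-1}]^{-1} D A^{-1}. \tag{9.72}$$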

9.11 Notes

The topics covered in this chapter are meant to provide the reader with a general platform containing the basic mathematical information needed for further examination of switched time-delay systems. These topics are properly selected from standard books and monographs on mathematical analysis. For further details, the reader is referred to the standard texts [1,6,7] where the fundamentals are provided.

References

[1] T.M. Apostol, Mathematical Analysis, Addison-Wesley, Reading, MA, 1957.
[2] S. Boyd, L. El Ghaoui, E. Feron, V. Balakrishnan, in: Systems and Control Theory, in: SIAM Studies in Applied Mathematics, SIAM, Philadelphia, 1994.
[3] E. Fridman, U. Shaked, Delay-dependent stability and H∞ control: constant and time-varying delays, Int. J. Control 76 (2003) 48–60.
[4] K. Gu, V.L. Kharitonov, Jie Chen, Stability of Time-Delay Systems, Birkhauser, Boston, 2003.
[5] J.K. Hale, S.M. Verduyn Lunel, Introduction to Functional Differential Equations, Springer-Verlag, 1993.
[6] T. Kailath, Linear Systems, Prentice-Hall, New Jersey, 1980.
[7] H.K. Khalil, Nonlinear Systems, second edition, Prentice-Hall, New Jersey, 2002.
[8] I.R. Petersen, Syst. Control Lett. 8 (1987) 351–357.
[9] A.A. Bahnasawi, M.S. Mahmoud, Control of Partially-Known Dynamical Systems, Springer-Verlag, Berlin, 1989.
[10] G. Leitmann, Guaranteed ultimate boundedness for a class of uncertain linear dynamical systems, IEEE Trans. Autom. Control 23 (9) (1978) 1109–1110.
[11] M.S. Mahmoud, Y. Xia, Applied Control Systems Design: State-Space Methods, Springer-Verlag, London, 2012.
[12] M.S. Mahmoud, Multiagent Systems: Introduction and Coordination Control, CRC Publishers-Taylor and Francis Group, New York, 2020.
[13] R. D'Andrea, Extension of Parrott's theorem to non-definite scalings, IEEE Trans. Autom. Control 45 (5) (2001) 937–940.
[14] C. Godsil, G. Royle, Algebraic Graph Theory, Springer, Berlin, 2001.
[15] F. Bullo, Lectures on Network Systems: Ed 1.3, Kindle Direct Publishing, New York, 2019.
[16] Z. Qu, Cooperative Control of Dynamical Systems: Applications to Autonomous Vehicles, Springer, London, 2009.


Index

Symbols 1-norm of signal, 335 2-norm of signal, 335 ∞-norm of signal, 335

A Actuation delay, 25, 184 Actuators data, 8 delay, 20 failures, 45, 105 signals, 166, 177 Acyclic digraph, 374 Adaptive control, 39, 166 Additive white Gaussian noisy (AWGN), 66 Adjacency matrices, 377, 378 Admissible control, 137 Admissible control input, 137 Advanced control applications, 5 Advanced metering infrastructure (AMI), 4 Alarm rate, 276, 289, 296 Anomaly detector, 272 ASEA Brown Boveri (ABB), 196 Attack behavior, 272 construction, 74, 75, 79 coordinated, 8, 9, 13, 108, 165, 212, 213, 218, 307 costs, 10 DDoS, 164, 166, 168–170, 175, 307, 309, 318, 322 defense, 272, 273 detection, 272, 285, 288 detection methods, 278 duration, 169 effect, 299 impact, 9, 10, 62 impact costs, 12 injections, 213, 214, 255 instants, 169 model, 13, 165, 168, 276, 278

modeling, 12, 13 occurrence, 111 optimal, 286, 293, 294 packets, 8 period, 111, 218, 219 random, 213, 217 scenarios, 9, 259, 280, 301 scenarios injection, 212 signal, 217, 258, 260 strategy, 276, 280, 286, 287, 293, 299 targets, 9, 13 template, 13 vector, 203 Attacked signal, 260 system, 311 window, 216 Attacker actions, 10 characterization, 9 models, 9 strategy, 10 Attacking patterns, 272, 296 policy, 62 Automatic generation control (AGC), 5, 6, 95 Automatic protection system, 6 Automatic voltage regulator (AVR), 179, 319 Autonomous multiagent systems, 45 Average mean-square error (AMSE), 253, 258

B Bad-data detection (BDD), 60 alarm, 76 algorithm, 74 perspective, 76 test, 76 Bagged tree (BAT), 213, 224, 227 Basic topology, 331 389


Basis for a space, 329 Bernoulli distribution, 24, 25, 165, 168, 169, 309 Block matrices, 385 Boosted tree (BOT), 213, 225, 227 Bounding inequality, 352, 353 Bus estimations, 214 frequency, 182 power injections, 71 power network, 87 signals, 213, 228

C Calculus and algebra of matrices, 336 Cayley-Hamiltonian theorem, 345 Central controller, 59 Centralized control, 59 control approach, 59 detector, 61 Change of basis, 339 Column space, 337 Command signal, 96 Communication architectures, 233, 234 architectures in smart grids, 233 backbone, 238, 240 bandwidth, 279 capability, 235, 241 channel, 28, 62, 95, 96, 164 community, 29 constraints, 27, 28 constraints stochastic model, 28 delay, 14, 18, 24, 33, 241, 243, 245, 251 facility, 239 in filter systems, 305 information, 255 infrastructure, 60, 236, 237, 243 interface, 241 layer, 43 link, 6, 59, 96, 97, 245 load, 32 network, 8, 14, 15, 21, 22, 27, 40, 63, 69, 109, 116, 125, 234, 237, 240, 243, 249, 309

noise, 288 overhead, 166, 167, 173, 184, 279 perspective, 280 protocols, 4, 5, 93 requirements, 235, 236 resources, 106, 163 sequence, 28 societies, 60 system, 167, 243 Compounded disturbances, 306 Compressed sensing results, 86 Compromised sensors, 132 Computational delays, 19 Conditional probabilities, 107, 108, 159, 164–166, 169, 184, 307 Consensus networks, 130 Constant delay factor, 367 delay model, 20 time delay, 20 Contingency analysis (CA), 60, 71, 76 Continuous function, 334 Control actions, 8, 123 applications, 62 approach, 59 approach in NMG, 57 area, 123 blocks, 123 centers, 4, 8, 63, 72, 238–241 commands, 239 components intelligent, 43 components multiple, 43 decentralized, 59, 146 design, 39, 40, 42, 245 designers, 36 efforts, 41 engineer, 38 engineering, 106 flow, 8 frequency, 123 gain matrices, 145 in multiagent systems, 45 in NMGs, 57 infrastructure, 62 input, 24, 44, 45, 70, 109, 110, 117, 130, 132, 133, 146, 166, 167, 266, 267


input injection, 133 input vector, 15 instructions, 235 layer, 43 loop, 45, 72 messages, 8 methods, 93, 105 networked, 243, 249 optimal, 306 output, 245 performance, 32, 40 PMUs, 255 policy, 17 power, 93, 267 problem, 43, 157, 163 procedures, 198 production systems, 35, 36 scheme, 45, 166, 167, 184 security, 106 signals, 15, 18, 95–97, 106, 110, 118, 125 stochastic, 39 synthesis, 32 tasks, 166 technique, 70 theory, 243 Control system (CS), 5, 7, 43, 62, 106, 163, 166, 260, 272 Controllable/uncontrollable loads, 55 Controller delay, 20 design, 39, 41 gain matrices, 148, 150 gains, 22, 25, 33, 68, 117, 150 networked, 244, 248, 249, 251, 267 part, 148 performance, 243, 250 secure, 107 structure, 146 synthesis, 24 Controlling concepts, 58 CPPS, 163 CPSs, 106 systems, 177 Convex feasibility problem, 382


Convex sets, 331 Coordinated attack, 8, 9, 13, 108, 165, 212, 213, 218, 307 cyberattack, 5, 8, 9 cyberattack scenarios, 4, 9 injections, 222 intentional data attack, 74 Corrective control actions, 200 Corrupted signal, 253, 256, 257 Corruption signal, 260 Cyber Attack Task Force (CATF), 8 Cyberattacks classification, 8, 9 coordinated, 5, 8, 9 for smart grids, 60 malicious, 272 minimization in smart grids, 66 model, 62 pattern, 65 process, 65 protection, 60 scenarios, 13 taxonomy, 4, 6 Cyberintegrity attacks, 62 Cyberlayer, 10, 11, 41, 43 Cyberlayer risk assessment, 11 Cybernetwork, 10, 11 Cybernetwork topology, 11 Cyberphysical power system (CPPS), 14, 15, 17–22, 24, 25, 27–29, 33, 165–167, 175, 184, 271, 305–307, 318, 322 controlling, 106, 163 interconnected, 305 model, 183 nonlinear, 177 secure control, 175 security, 108, 129 security problems, 309 stability, 18 Cyberphysical security, 4, 9, 10 Cyberphysical system (CPS), 4, 41, 105, 108, 109, 116, 125, 126, 157 interactions, 62 security, 7, 62


Cybersecurity analysis, 74 incidents, 36 issue, 73 problems, 40 program, 39 requirements, 4, 5 smart grid, 71 team, 38 vulnerabilities, 35 Cybersystem, 12, 39, 44 Cybersystem smart grid, 63

D Data actuators, 8 attacks, 73–76 integrity attacks, 8, 107 packets, 168 PMUs, 6, 8, 239, 255, 256, 259 transmission, 109, 116 transmitted, 272, 273, 275, 276, 278, 280, 285, 288, 289, 301 DC power, 74, 75 Decentralized adaptive controller, 262 control, 59, 146 control gain matrix, 157 control scheme, 146 secure control, 145 Deception attacks, 106–112, 116, 118, 125, 163, 164, 166–170, 173, 175, 177, 179, 272, 306–311, 318, 322 occurrence, 309 scenario, 309 signal, 110, 118 Defender actions, 9, 10, 14 costs, 10 payoffs, 12 strategy, 9 Delay actuators, 20 bounds, 175 communication, 14, 18, 24, 33, 241, 243, 245, 251

controller, 20 definition, 241 detector, 97 in communications, 8 in signal transmission, 107 jitter, 307 maximum, 309 measurements, 25, 309 minimum, 309 model constant, 20 network, 21 stochastic, 20 Delayed data, 165 measurements, 305 Deliberate attack scenarios, 212 injections, 196, 228 Demand response (DR), 4 Demilitarized zone (DMZ) network architecture, 38 Denial-of-service (DoS) attacks, 4, 8, 107, 108, 110, 111, 116–118, 125, 147, 149–152, 156, 163, 165, 166, 168, 169, 179, 183, 272, 306, 307 attacks occurrences, 107 attacks stochastic behavior, 147 Derivatives of vector-matrix products, 341 Detection rate, 130, 276, 281, 286, 297–299, 301 Deteriorated network conditions, 249 Deterministic control methods, 20 strategies, 20 Discrete control, 35, 36 stochastic uncertainty, 43 Dispatchable/nondispatchable DERs, 55 Distributed control system (DCS), 35, 36 Distributed denial-of-service (DDoS), 108, 165, 322 attack, 164–166, 168–170, 175, 177, 184, 307–309, 318, 322 attack occurrence, 309 stochastic, 308, 311


Distributed energy resource (DER), 54, 57–59, 239 Distributed Kalman fusion filter (DKFE), 306 Distributed network operator (DNO), 59 Distribution network, 54 power networks, 54 Diversified attack injections, 255 RESs, 235 Droop control, 58, 59 Dynamic state estimation (DSE), 198, 199 Dynamic vulnerability assessment (DVA), 200

E Electric devices, 235, 237–240 power devices, 241 power distribution, 71 power grid, 4 power systems, 196 Electrical buses, 239, 241 sensors, 239 Emergency control, 105 Encrypted communication, 8 Energy signal, 173, 310 Energy-management system (EMS), 60, 69, 72 Energy-storage system (ESS), 54, 55 Event-triggered control (ETC), 166 scheme, 166, 167, 173, 177, 184 Exogenous control inputs injection, 130 Exponential stability, 22, 108, 369 Exponential stability condition, 35

F False-data injection (FDI), 105, 208 attack, 61, 95, 106, 272, 273, 275–277, 286–288, 296, 305 Farkas lemma, 384 Fault Detection and Isolation (FDI), 128, 129


Feasibility analysis, 279 constraint, 276, 285–287 Filter gains, 311 in CPPS, 305 Kalman, 199, 274 secure, 307, 318, 322 synthesis, 311 Filtering problems, 306, 307 Finite-dimensional spaces, 328 Flexible AC Transmission System (FACTS), 7 Forward path, 66, 168–170 signal, 168 Frequency buses, 182 control, 123 data packets, 165 error, 123 fluctuations, 255 oscillation, 199, 202, 203, 213 oscillation state estimation, 206 Function norms, 334 Fundamental subspaces, 337

G Gaussian process (GP), 225, 227 Generalized eigenvalue problem (GEVP), 382 Generalized stochastic Petri net (GSPN), 11 Generic system matrices, 369 WAMPAC architecture, 6 Global positioning system (GPS), 196 Globally reachable, 373 node, 370, 376, 379, 380 vertices, 373 Grid information, 60, 65 main, 54–56, 63 power, 6, 39, 62, 95, 108, 130, 165, 195, 197, 199, 200, 226, 233, 236, 239, 241, 243, 306, 307 resilience, 228 size, 195


smart, 4, 54, 60, 61, 66, 68, 84, 233, 235–239, 241, 271 synchronization, 58, 59 Gronwall-Bellman Inequality, 354

H Halany theorem, 366 Hierarchical control structure, 58 High-impact, low-frequency (HILF), 8 Hybrid attacks occurrence, 177 controllers, 22 simultaneous DDoS, 167 Hydropower plant, 236

I Implicit function theorem, 335 Independent system operator (ISO), 63 Induced p-norm, 330 Industrial control sectors, 35 Industrial control system (ICS), 35–37 environments, 36 implementation, 37, 38 networks, 37–39 software, 37 Information technology (IT), 35 Injected attacks, 214 disturbances, 266 Injection measurements, 74, 79 scenario, 215–217, 222 Instant attack variations, 260 injections, 258 Instruction communications from control centers, 239, 240 Integrity attack, 8, 132, 134 Intelligent attacks, 165 control components, 43 coordinated attacks, 8 Intelligent electronic device (IED), 239, 241 Interacting multiple model (IMM), 207

Intercepted communication, 255 Interconnected CPPS, 305 individual subnetworks, 237 network, 195 power system, 146 Internet protocol (IP), 35, 36 Intrusion detection system (IDS), 10, 43

J Jacobian matrix, 334, 335 Jamming attacks, 305

K Kalman filter (KF), 199, 274, 306 Kronecker product and vec, 347

L Lp -norm, 330 Laplacian matrix, 378–380 spectrum, 378 Left null space, 338 Lemma of Lyapunov, 350 Linear actuators, 108 attack, 277, 285–288, 298, 299 Linear matrix inequality (LMI), 15, 68, 107, 150, 247, 322, 366, 381 Linear programming (LP) problem, 80, 81, 83, 84, 91, 93, 98 Linear quadratic Gaussian (LQG) control strategy, 107 Linear regression (LR), 223, 227 Linear time-invariant (LTI) feedback controller, 131 process, 273, 293 system, 24, 30, 32, 34, 130, 144, 365, 366, 381 system stochastic, 45 Local network, 212 Logarithmic quantization, 16, 17 Lyapunov function, 108, 113, 119, 312, 362–364 functional, 364, 366 stability, 150


Lyapunov-Krasovskii theorem, 364 Lyapunov-Razumikhin theorem, 362

M Main grid, 54–56, 63 Malicious attackers, 72 attacks, 105 cyberattacks, 272 packets, 11 Man-in-the-middle (MITM) attack, 255, 272, 299 Management network, 236, 237 Manipulation attack, 255, 257 Matrix calculus, 340 derivative, 340 eigenvalues, 344 ellipsoid, 343 exponential, 344 integral, 340 inversion lemma, 349 Laplace transform, 340 measurements, 155 plant, 167 power, 344 trace, 345 Maximum delay, 20, 309 Maximum MSE (MMSE), 253, 258 Mean value theorem, 335 Mean-square error (MSE), 253, 258 Measurements delay, 25, 309 extract, 203 matrices, 155 multiple, 76 PMUs, 255 reactive power, 199 signal, 168, 309 Media access control (MAC), 28 Median regression function (MRF), 227, 228 Meter measurements, 74 Microgrid (MG), 54 control, 60 networked, 54 system, 63


Minimum delay, 309 Mismatched watermarking, 279 Mixed integer linear programming (MILP) problem, 93 Mobile communication, 306 Multiagent system (MAS), 45, 108, 166, 369, 372 Multidimensional filtering, 306 Multiple control components, 43 disturbances occurrence, 221 measurements, 76 Multivariate exponentially weighted moving average (MEWMA), 298

N Neighboring DERs, 59 MGs, 56, 59 Network activity, 38 administrator, 43 architecture, 38, 237 communication, 8, 14, 15, 21, 22, 27, 40, 63, 69, 109, 116, 125, 234, 237, 240, 243, 249, 309 congestion, 21, 165 connections, 154 delay, 21 effects, 248 formation, 54 information, 59, 76 infrastructure, 241 interconnected, 195 layer, 43, 154 medium, 106 objectives, 59 operator, 74, 77 packet, 21 packet dropout effect, 23 power, 54, 55, 60, 63, 72, 75, 255 protocols, 35, 36 resources, 28 security, 10 stability, 70 states, 21, 75, 76


topology, 38 traffic, 18, 38 wireless, 29, 108, 125, 271, 275, 277, 278, 288, 299 Networked control, 243, 249 control design, 245 controller, 244, 248, 249, 251, 267 induced delay, 19 systems, 33, 165 Networked control system (NCS), 85, 107, 108, 163, 165, 243, 307 Networked MG (NMG), 54, 55, 57, 58 Networking technology, 196 wireless, 37 Neural network (NN), 213, 224, 227 Noise matrices, 155 Nonlinear CPPS, 177 CPPS fuzzy control, 29 disturbances, 306 filters, 306 networked CSs, 32 Nonuniform sampling, 34, 35 Normed spaces, 334 Norms, 330 Norms of vectors, 330 North American Electric Reliability Council (NERC), 5

O Observer gains, 150, 169, 175 loop, 157 output, 117, 169 Occurrence attack, 111 deception attack, 309 Open system interconnection (OSI), 43 Operating systems (OS), 35 Optimal attack, 286, 293, 294 attack strategy, 293 control, 306 control design, 41 control problem, 107, 163

power, 57 state estimation, 66 Optimal linear FDI attack (OLMA), 276, 280–284, 295–298 Optimal power-flow (OPF) dispatch, 71, 74, 76

P p-norm of function, 334 Packet delays, 243 dropout, 14, 18, 21, 22, 24, 25, 33, 243–245, 247, 249–251, 309 dropout rate, 22 loss, 165, 169, 272, 288 Particle filter (PF), 199 Partitioned matrices, 348, 349 Permissible frequency deviations, 267 Phasor data concentrator (PDC), 8, 196, 255 Phasor measurement unit (PMU), 4–7, 196, 198, 200, 202, 239, 241, 252 control, 255 data, 6, 8, 239, 255, 256, 259 data transmission, 5 measurements, 255 Plant estimator, 97 matrices, 167 model, 97 output signal, 15 power, 108, 209, 226, 236 state, 24, 97 transmitter, 97 Plug-in hybrid electric vehicle (PHEV), 4 Positive definite matrices, 343 Power area, 96 area states, 96 balance, 55, 58 constraint, 29, 31, 34 control, 93, 267 demands, 212 flow, 6, 196 flow equations, 198 generation, 63, 95


grid, 6, 39, 62, 95, 108, 130, 165, 195, 197, 199, 200, 226, 233, 236, 239, 241, 243, 306, 307 grid infrastructure, 196 injections, 76, 197 management, 59 network, 54, 55, 60, 63, 72, 75, 255 network model, 75 optimal, 57 outage cost, 60 plant, 108, 209, 226, 236 quality, 235 sharing, 54, 59, 95 stability, 93 substation, 238 system, 5–10, 12, 13, 54, 59, 60, 78, 84, 105, 123, 124, 145, 155, 157, 165, 196–198, 234–236, 238–240, 243, 244, 247, 248, 305 disturbances, 253 dynamic model, 243 dynamic state estimation, 199 management, 235 management tasks, 236, 237 networks, 54 planning approach, 12 reliability, 5, 8 state estimation, 61 transmission, 196, 236 transmission lines, 238 utilities, 63 Power system stabilizer (PSS), 182, 319 Price signals, 240 Principal component pursuit (PCP), 255 Programmable logic controller (PLC), 35, 36, 108 Properties of convex sets, 333 Properties of fundamental spaces, 338 Proprietary control protocols, 35 Protection commands, 239, 241 cyberattacks, 60 resources, 74 schemes, 5, 8 security, 106, 305 PV power generation, 212 PV power plant, 209–211, 226


Q Quadratic matrix inequality (QMI), 382

R Random attack, 213, 217 attack signal, 217 delays, 20, 243 networks, 45, 105 Range space, 337 Reactive power, 212, 254 flows, 197 generation, 197 injections, 197 measurements, 199 Reciprocal projection lemma, 361 Recursive systematic convolutional (RSC) channel, 65 code, 65, 69 features, 65 generation output bits, 65 Regional attacks, 218 Regional transmission operator (RTO), 239, 240 Regulatory control, 35, 36 Remote estimator, 62, 275, 282–284, 286, 287, 299 side, 272, 274–278, 284, 288, 300 state estimation, 272 Remote terminal unit (RTU), 71–73 Renewable energy resource (RES), 54, 235 Replay attack, 8, 272, 289, 290, 300 Resilience aspect, 40 engineering, 40 Resilient control, 41, 43 control design, 40, 41 filters, 305 Restricted isometry property (RIP), 87, 88, 97 Right null space, 338 Ring network, 56 Robust principal component analysis (RPCA), 255, 257 Rotary actuators, 108 Row space, 338


S Schur complements, 116, 122, 177, 355, 357, 358, 382 Secure communication network, 235 control system, 184 controller, 107 cybersystems, 4 filter, 306, 307, 318, 322 modules, 276–278, 280, 281, 283, 285–287, 296, 301 systems, 40 Secure industrial control system (SICS), 35, 36 Security concerns, 62 control, 38, 106, 196 control problem in NCSs, 107 cyberphysical, 4, 9, 10 facilities, 111, 309 frameworks, 41 games, 41 index, 77, 79, 93 investments, 9, 14 issues, 35, 36, 105, 106 measures, 10 mechanisms, 39 network, 10 objectives, 37, 38 policy, 41 protection, 106, 305 protocols, 196 reinforcements, 9, 10 strategies, 40 themes, 37 threats, 157, 322 vulnerabilities, 77 Signal attack, 217, 258, 260 attacked, 260 characteristics, 213, 217 measurements, 168, 309 oscillations, 243 processing, 306 transmission, 163 transmission delays, 243 transmitted, 163, 164, 166, 168, 308, 318

Singular value decomposition (SVD), 350 Smart grid, 4, 54, 60, 61, 66, 68, 84, 233, 235–239, 241, 271 control, 243 cybersecurity, 71 cybersystem, 63 power network, 54 substations, 235 Spanning a space, 329 Sparse sensor integrity attacks, 306 Special protection scheme (SPS), 5, 6 Specialized electrical sensors, 239, 241 Stability analysis, 24, 32, 34, 60, 112, 119, 146, 245, 311, 366 arguments, 154 assessment, 105 conditions, 15, 33, 175, 366 CPPS, 18 Lyapunov, 150 network, 70 power, 93 studies, 367 theorems, 362 Stabilizing controller, 243 feedback controller, 67 Star network, 55 States estimation, 60, 61, 68, 75, 196–199, 204, 207, 239, 241, 271, 282, 293 estimation methods, 60, 199 estimation scheme, 66 feedback control, 62 feedback controller, 109 network, 21, 75, 76 reach, 364 Static state estimation (SSE), 198 Static VAR compensator (SVC), 6, 7, 247 Stealthy attack, 130, 145, 184 integrity attacks, 45, 130 Stochastic analysis, 31, 322 analysis techniques, 159, 306


approach, 31, 35 attacks, 111, 309 characteristics, 322 control, 39 CPPS secure control, 167 DDoS, 308, 311 delay, 20 factors, 20, 21 LTI system, 45 nature, 147 nonlinear perturbations, 147 packet dropouts, 18, 31 process, 11 system, 29 system approach, 29 system secure control, 108 variables, 31, 147, 170 Stochastic Petri net (SPN), 10 Substations smart, 235 Supervisory control, 35, 36, 116 Supervisory control and data acquisition (SCADA) infrastructure, 6 security measures, 12 system, 35, 36, 71, 72, 105, 235 Support vector machine (SVM), 213, 224, 227 Switched system, 31, 34, 108, 243, 246, 247 approach, 30, 34, 35 for control design, 245 formulation, 243 model, 247 modeling, 30 state, 22 theory, 243 Symmetric matrices, 343, 383, 384 Synchronizing coefficients, 261

T Time-delay switch (TDS) attacks, 93, 95 recovery, 95 Timing attacks, 8 Totally unimodular matrix, 79–82, 85


Transmitted data, 272, 273, 275, 276, 278, 280, 285, 288, 289, 301 data packet, 288, 289 nominal signal, 164 signal, 163, 164, 166, 168, 308, 318

U Undetectable attack, 276, 278 Unobservable attack, 76, 77 data attack, 76 Unreliable communication channels, 32, 61

V Vector spaces, 328 Volt-ampere reactive (VAR) compensation, 6 control, 7, 8 injection, 8 Voltage control, 6, 7 measurements, 244

W Watermarking generators, 279, 280 scheme, 280, 288 sequences, 279 Weighted least square (WLS), 61, 76 Wide-area control system (WACS), 93 Wide-area control (WAC), 5 Wide-area monitoring, protection and control (WAMPAC), 4, 5, 8, 9 architecture, 9 cyberphysical security, 5 leverage, 5 systems, 4 Wide-area monitoring and control system (WAMCS), 251 Wide-area monitoring system (WAMS), 5, 196, 251 applications, 196, 199 Wide-area network (WAN), 237–241


Wide-area protection (WAP), 5 controller, 7 schemes, 7 Wind power plant, 236 Wireless communications, 28, 29, 43 control networks, 130 network, 29, 108, 125, 271, 275, 277, 278, 288, 299

networking, 37 transmitted data, 278 Wireless networked system (WNS), 31, 35 Wireless sensor network (WSN), 29, 279, 305

Y Yalmip, 125, 159, 178, 321, 322 Young’s inequality, 354