Security Assessment and Impact Analysis of Cyberattacks in Integrated T&D Power Systems
Ioannis Zografopoulos, Charalambos Konstantinou, Nektarios Georgios Tsoutsos, Dan Zhu, Robert Broadwater
SSecurity Assessment and Impact Analysis ofCyberattacks in Integrated T&D Power Systems
Ioannis Zografopoulos ∗ + , Charalambos Konstantinou ∗ , Nektarios Georgios Tsoutsos † , Dan Zhu ‡ , Robert Broadwater ‡∗ FAMU-FSU College of Engineering, Center for Advanced Power Systems, Florida State University † Department of Electrical and Computer Engineering, University of Delaware ‡ Electrical Distribution DesignEmail: { izografopoulos, ckonstantinou } @[email protected], { dan.zhu, robert.broadwater } @nisc.coop Abstract —In this paper, we examine the impact of cyberattacksin an integrated transmission and distribution (T&D) powergrid model with distributed energy resource (DER) integration.We adopt the OCTAVE Allegro methodology to identify criticalsystem assets, enumerate potential threats, analyze, and prioritizerisks for threat scenarios. Based on the analysis, attack strategiesand exploitation scenarios are identified which could lead tosystem compromise. Specifically, we investigate the impact of dataintegrity attacks in inverted-based solar PV controllers, controlsignal blocking attacks in protective switches and breakers, andcoordinated monitoring and switching time-delay attacks.
Index Terms —Cyberattacks, security assessment, impact anal-ysis, case studies, integrated power systems.
I. I
NTRODUCTION
The power grid is the largest machine ever built. Electricalgrids started to surface in the late 19th century providingenergy to consumers, but a lot has changed since then.Nowadays, modern grid deployments enable flexible controlover power generation to cover the current demand. In ad-dition, grid modernization efforts aim to upgrade the legacyinfrastructure and improve power generation and dispatchleveraging information and communication technologies (ICT)as well as renewable and distributed energy resources (DERs).DERs, being small generation or storage systems, such asrooftop solar, and battery storage, apart from their muchlower deployment and operation overheads, can be placedclose to distribution-level consumers allowing on-site powergeneration and consumption, minimization of delivery costs,and increased grid resiliency due to the generation redundancy.The increasing penetration of DERs and the ICT integrationemphasizes the need for understanding the interdependency ofthe interactions between distribution and transmission systems.In the past, power system studies were conducted by modelingand simulating the transmission and distribution (T&D) sys-tems independently. Recent works, however, utilize integratedT&D models demonstrating that this approach can capture gridsynergies with high fidelity [1]–[3]. Fig. 1 illustrates the toplevel architecture of an integrated T&D system. Such models + Corresponding author.This work was supported in part by the U.S. Department of Energy’s Officeof Energy Efficiency and Renewable Energy (EERE) under the Solar EnergyTechnology Office (SETO) Award Number DE-EE0008768. are crucial in investigating the effects of distribution systems’anomalous operation to the transmission systems, and viceversa, as well as the impact of cyberattacks holistically.The proliferation of smart meters and smart inverters in-creases the threat surface and exposes the power grid togreater risk of cyberattacks [4]. Thus, threat modeling andrisk assessment are important tools to identify and evaluatepotential threats, as well as prioritize the corresponding risksto the power system. In this work, we employ the
OCTAVEAllegro methodology to identify critical system assets andenumerate potential threats. We also perform a comprehensiveanalysis for threat scenarios and prioritize attack risks basedon their expected outcomes on system operation. Moreover,our cybersecurity analysis demonstrates the impact evaluationof the identified threat scenarios. Specifically, we perform animpact analysis study for three main attack categories on anactual integrated T&D model and dataset.The roadmap of the paper is as follows. Section II presentsthe background and risk assessment method. Section III de-scribes the attack classes, adversary objectives, and potentialattack outcomes. Section IV presents the simulation setup andexperimental results, while Section V concludes the paper.II. T
HREAT M ODELING AND R ISK A SSESSMENT
Over the past years, power systems have experienced drastictransformations to address the growth in energy demand andenhance power quality and energy efficiency. The shift tothe smart grid involves, among others, the inclusion of smartinverters, intelligent electronic devices (IEDs), and advancedmetering infrastructure (AMI). Embedded device controllersare used to support the communication and control functionsof inverters [5]. Additionally, grid assets and their operationmechanisms (e.g., switches, breakers) are often controlledusing IEDs [6]. Furthermore, AMI, such as smart meters andmonitor points (MPs), enables better situational awarenessand helps detect anomalous system behavior and cyberattackintrusions. The inclusion of the aforementioned componentswithin T&D systems, however, increases the threat surface.Vulnerabilities of such units can be ported to the power grid[7], while insecure control networks and protocol implemen-tations further exacerbate the problem [8]–[10]. a r X i v : . [ ee ss . S Y ] F e b ig. 1. Integrated transmission and distribution (T&D) model.TABLE IC RITICAL A SSET T HREAT S CENARIOS . AffectedAsset* Outcome* RiskProbability Severity RiskScoreSolarInverters
Transient Voltage &Frequency Instability Medium 27 54
SCADADevices
Anomalous GridSectionalization &Electricity Loss Low 31 31
MonitorPoints
Loss of SituationalAwareness &Erroneous Control Medium 15 30*Assumptions: Threat actor = attacker, motive = deliberate, and theaccess = via technical means (i.e., without physical access)
We refer to mission-critical system assets that can jeopardizegrid operations if compromised by malicious actors as crown-jewels [11]. Notably, these devices include grid inverters,utility-to-device communication channels, physical interfaces,substation circuit breakers/reclosers, and controllers. Gainingaccess to any of these assets can enable an adversary tomanipulate the generated or stored energy, cause switch dis-connections altering the system topology, false trips, feederoverloadings, voltage-frequency violations, damage protectionequipment, or inflict system instabilities [5], [8], [12]. Inaddition, the grid communication infrastructure and industrialprotocols could be targeted by adversaries to mount theirattacks. For example, attacks targeting DNP3 communicationscould exploit vendor implementation issues of the protocol,protocol specification vulnerabilities, and/or vulnerabilities inthe supporting communication infrastructure. According to theElectric Power Research Institute (EPRI), more than 75% ofNorth American electric utilities use the DNP3 protocol forindustrial control applications and SCADA systems [13].
A. Security Assessment with OCTAVE Allegro
The power grid security assessment in our work is per-formed using the OCTAVE Allegro risk assessment methodol-ogy [14]. The first step of the analysis entails: (i) identification of critical system assets, (ii) identification of security require-ments, and (iii) identification of security threats to the criticalassets. The second step focuses on: (i) identifying the criteriafor impact evaluation when a threat is realized, (ii) defining thepriority/importance of the identified impact evaluation areas,and (iii) calculating the relative risk to each critical asset basedon the probability and impact of the applicable threats. Thethird step defines strategies to manage the identified risks.A threat refers to a situation or scenario in which anentity (e.g., a threat actor) or natural occurrence could causean undesirable outcome. During the first step of OCTAVEAllegro, the security threats applicable to the critical assetsare identified. Each threat is associated, and later analyzedaccording to its corresponding parameters: actor, affectedasset, outcome, motive, and access. Next, the threat scenariosare defined to show how a system asset is compromised ifan actor, who has a motive and an access method, causes anundesired outcome to the target asset. In essence, the devisedthreat scenarios are useful for articulating the existing risks tocritical assets.In our risk analysis, we focus on three core components ofthe grid infrastructure. We assume that the threat actor is amalicious adversary with deliberate motives to compromisethe system. Specifically, we investigate scenarios involvingDER and inverter control, SCADA controlled devices (e.g.,switches, reclosers, breakers), and MPs (e.g., smart meters).In Table I, we demonstrate the three aforementioned criticalassets alongside the respective threat scenarios, risk prob-abilities, severity, and comprehensive risk scores. The
RiskProbability for each scenario is determined by the securityanalysis team and reflects how plausible it is for such anattack to occur based on the asset’s location in the system,cyberphysical security perimeter, etc.
Risk Probability is qual-itatively assessed receiving scores Low ( ), Medium ( ), orHigh ( ), while Severity represents the impact of the scenarioto the grid operation. The impact areas are ranked based on theasset’s objective within the system, with scores from to ,with being the most significant. The areas and their severityscores are: safety and health ( ), financial ( ), productivity ( ),eputation ( ), fines and legal penalties ( ). Finally, the RiskScore is calculated as
Risk P robability × Severity , and it isused for comparisons between assets aiding the prioritizationof those with the highest relative risks.III. A
TTACK C LASSES
Our analysis focuses on three attack directions, aligned withour threat modeling in Section II and depicted in Fig. 2: (i) data modification attacks, (ii) loss/blocking attacks duringsystem-critical operations, and (iii) interruption of system-critical operation attacks.The first attack category refers to tampering attacks aimingto maliciously modify system data. Data tampering includesattack scenarios in which control commands are manipulatedwithout detection. Such attacks can be launched, for example,via communication channel corruption or exploitation of IEDvulnerabilities. In the second category, the adversarial objec-tive is to block operational commands in system-critical op-erations, i.e., commands from authorized entities are blockedwhen needed. For example, attackers could prevent access byoverwhelming a resource with traffic overflowing its networkbandwidth. In the third category, interruption of system-criticaloperations is enabled by delaying commands or data to gridcomponents despite being issued by legitimate operators. Thistype of time-based attacks could undermine system operationsby delaying real-time control signals or measurements [15].
A. Modification of data: DER integrity attacks
DERs and supporting inverters serve as ancillary generationsources providing power to the grid. To control inverters andharness the generated power, two main categories of grid func-tions are implemented: (i) functions used by operators givingthem direct control over the corresponding inverter operation,and (ii) autonomous functions which allow inverters to operateindependently, making decisions based on their environment(e.g., power demand, generation capacity, connected loads,etc.). Our analysis covers the first type of functions which,among others, include limiting the output power of an inverter,setting active and reactive power limits, changing the powerfactor of the inverter, as well as controlling volt-var and watt-var operational modes.Similar to grid operators, malicious users are able to bypassthe power system’s security mechanisms, they can modifycontrol commands or issue forged ones, altering the operationof inverters in order to destabilize the grid. Commands whichcould be of interest to malicious attackers are: (i) Constant power factor (PF) mode : an inverter is mali-ciously set to operate at a constant PF, inductive or capacitive,which could potentially create voltage regulation issues, in-crease system losses, and reduce the electric system powerquality. (ii) Limit active power ( P ) mode : the amount of P injectedby an inverter is maliciously controlled and limited to asetpoint, resulting in curtailing the injected P amount to thegrid. Fig. 2. Power grid cyberattack scenarios. (iii) Constant reactive power ( Q ) mode : Similar to the P mode, an inverter can inject or absorb a constant amountof Q defined by a maliciously modified setpoint, causingundervoltage/overvoltage at points of common coupling. B. Loss/blocking during system-critical operations: switchand breaker control attacks
Unexpected events can disrupt the steady-state operation ofpower systems, leading to line overload, frequency deviations,voltage instabilities, or even cascading outages. Such eventscan either be inadvertent, e.g., component or equipment fail-ure, or intentional in the case of malicious attacks. To dealwith the such events, immediate and protective actions shouldbe taken. Typical countermeasures to prevent these undesir-able effects and avoid a generalized system collapse involvepower generation and dispatch coordination, and system re-configuration via line and bus switching (through reclosercontrollers, switches, circuit breakers, etc.) which activelychanges the system topology.Attacks on switchers and breakers (e.g., by issuing mali-cious control commands to open/close) could trigger cascadedsequences of events. For example, if attackers gain access toa substation’s ICT network, they could falsify circuit breakercontrol signals at a targeted IED, causing tripping of the IED-connected breakers. The result of maliciously controlled break-ers could violate operational voltage limits and line overloadconditions initiating cascading outage events. In essence, theend goal of such attacks is to open or close circuit break-ers, change the system topology causing line overloads, andthus lead to serious problems including blackouts, brownouts,equipment failures, and uneconomical system operation.
C. Interruption of system-critical operations: coordinatedmonitoring and switching attacks
Protective switches and breakers are designed to handlepower network faults (e.g., short-circuits) and sectionalizeareas with sufficient response time to minimize fault duration,reroute power flow, and avoid any equipment damage. This ig. 3. Inverter violations before and after compromise. involves isolating areas via tripping the breakers and eventu-ally reclosing circuits automatically. This operation attemptsto preserve stability and minimize the impact on the rest of thesystem. Failure to open/close the switch/breaker may initiatechain reactions. In this category of attacks, we delay the con-trol commands to the switching devices despite being issuedby legitimate operators. At the same time, MPs due to theirsporadic (i.e., with sampling intervals ranging 10-15 minutes)and unsynchronized measurements, cannot effectively detectmomentary time-delay malicious events. Consequently, gridsituational awareness is compromised, monitoring routinescannot detect and promptly initiate mitigation strategies toavoid outage events, and adversaries stealthily mount theiradvanced persistent attacks undetected.Preserving grid stability relies on responding timely tosystem changes (e.g., faults). Situational awareness is criticalfor detecting abnormalities, generating automated responses,and mitigating threats. MPs serve as the system’s sensorsaiding system observability and detecting malicious or anoma-lous behaviors. Maintaining stable operation relies heavily onretaining visibility of the system states at all times, sinceadversaries can create transient events that cannot be detected.For instance, short and intermittent malicious events cannotbe detected by MPs if their duration is much smaller than theupdate frequency of the MP (e.g., 15 minutes).IV. S
IMULATION S ETUP AND R ESULTS
Grid devices for monitoring and controlling the operationof power systems can regulate the voltage output and thegenerated power ( P , Q ) under varying steady-state or transientevents. As a result, such devices can control the setpoints ofautomatic generation control functions, capacitor banks, reac-tors, load-tap changing transformers, and energy storage andinverter-based resources. Additionally, in many cases, networkswitching control is utilized by system operators to mitigatecomponent overloading scenarios and other emergencies. Thesystem reconfiguration, i.e., alteration of the system topologyvia network switching, can involve opening/closing inter-connection switches using alternative T&D lines or splittingbusbars to meet power demand [16]. These alternative networkarchitectures, although they can mitigate the propagation ofadverse effects, they can also lead to uneconomical operation or violation-inducing scenarios [17]. Thus, in order to evaluatethe impact of the cyberattack use cases in the integrated T&Dmodel, we utilize the number of violations as an indicatorbefore and after the compromise.Violation definition: With the term violation, we refer tosystem component behavior exceeding the nominal opera-tional limits and potentially compromising the stable systemoperation. For instance, voltage violations are triggered ifthe voltage at a specific system component surpasses theacceptable range, i.e., higher than V (overvoltage), orlower than V (undervoltage), for a V nominal busvoltage with a 5% allowed deviation. Similarly, we havecurrent and power violations for components, buses, or lines, ifthese values exceed the prescribed limits, jeopardizing systemoperation, equipment performance, and human safety.Simulation setup details: The simulation analysis and im-pact evaluation of the attack classes are performed usingthe Distributed Engineering Workstation (DEW) simulationsoftware. Additionally, an integrated T&D model composedof 1834 T&D load points, 218 solar PV inverters, and 3,000sectionalizing devices (e.g., cut-out switches, circuit breakers,reclosers, etc.) is employed to highlight the comprehensiveimpact as well as the interdependency of T&D networks. A. Modification of data: DER integrity attacks
As discussed in Section III, DERs and inverters can sup-port grid operation providing power either by respondingto operator requests (e.g., via issued control commands) orin an autonomous fashion. In this simulation scenario, weassume that an adversary, by compromising the commu-nication infrastructure (i.e., the communication links usedby utilities to control DER assets), can modify and injectmalicious commands to the deployed inverters. Specifically,the adversary maliciously controls inverters and sets themoperating in a purely active ( P ) mode of operation, i.e., thePF is set to . , while their generation limits ( P , Q ) havebeen decreased inhibiting the inverters to provide power tothe grid. To illustrate the grid dependency on inverter-basedgenerated power, we have compiled the voltage, current, andpower violation reports corresponding to the aforementionedinverter control modifications. In Fig. 3, we provide a graphicalrepresentation of the generated violations throughout a dayonce the system’s inverters get compromised. Notably, duringpeak working hours the number of violations is much higher,compared to early in the morning or late at night when theinverter contribution is expected to be minimal. B. Loss/blocking during system-critical operations: switchand breaker control attacks
Fig. 4 illustrates an architectural diagram of the integratedT&D system under test. It is important to note that Fig. 4does not reflect the ‘actual’ grid interconnections and topol-ogy; for confidentiality and security reasons, the integratedT&D system model topology cannot be disclosed. Similarly,the nameplate capacities of generators, number of connectedresidential/commercial loads, microgrid characteristics, power ig. 4. Simplified integrated T&D model single line diagram. flows, etc. are not provided since they would expose sensitiveinformation regarding the actual power system architecture.Thus, we have sanitized the analysis results delineating criticalinformation without open sourcing intelligence for the electricpower critical infrastructure which, if maliciously exploited,could endanger the operation of the power system. Equallyimportant to the power system topology information is thelocation and control of switching devices. We have underlinedthe importance of breakers and recloser switches in section-alizing parts of the grid during adverse events impeding theirspread system-wide; however, adversaries can leverage thesemechanisms to compromise the system operation, leaving partsof it without power. For our analysis, we mainly focus on twosub-circuits on the distribution level since they arise as moreprominent targets for adversaries compared to transmissionsystems which are typically better protected and monitored.By performing power flow analysis and through maliciouslymodifying the behavior of SCADA controlled switches andbreakers, we generate violation reports demonstrating thedegree of impact introduced by such adversarial actions on thepower system. The aforementioned violation reports (outlinedin Fig. 5) illustrate the most critical points for the system.Hence, their security should be prioritized since they would bethe most favorable targets for adversaries aiming to maximizethe inflicted damage. In Fig. 5, we present the number ofviolations which occur in the integrated T&D system modelonce any of the components (on the horizontal axis) getscompromised. Furthermore, the geographical distance betweenthe attacked device and the generation facility is indicated. Weobserve that there is correlation between the device proximityto the generation point and the number of violations. If adevice gets compromised, all the successive devices on thesame path will also be affected. Circuit breaker
Fig. 5. Switch and circuit breaker violations. implies that in the event of a breaker
C. Interruption of system-critical operations: coordinatedmonitoring and switching attacks
Situational awareness is essential in order to preserve powersystem reliability, stability, and mitigate the impact of adverseevents such as blackouts and equipment failures. AMI andMPs enhance the observability of the power system states(e.g., voltage and current magnitude/angle, frequency, power,etc.) by providing regular updates to system operators. Inthis scenario, we consider time-delay attacks in which con-trol commands to switches are delayed due to the lack ofsynchronization between system operation and MPs.For our case study, the MPs are assumed to communicatewith the control center (system operator side) at regularintervals, typically in the range of 10-15 minutes, thus shorttransient events can pass unnoticed if properly timed betweensystem MP sampling intervals. The knowledge of the mostcritical component, i.e., circuit breaker ig. 6. Monitor point (MP) frequency update granularity. for evaluating the condition of system operations. The pro-posed framework can be employed to identify power systemrelated vulnerabilities, examine the efficiency of mitigationstrategies against such vulnerabilities, and design redundancymeasures to overcome cyberattacks or unexpected failures. Ourmethodology serves as a proof-of-concept in this direction,and as such, the violation terminology can assume differentdefinitions depending on the type of analysis being conductedand the nature of the system being investigated. For example,if we are simulating an attack scenario on switch and breakercontrols, the number of violations could indicate the numberof compromised/offline devices, loads being shed, overloadedlines, sectionalized power equipment, etc. On the other hand,if we are conducting a data integrity or injection attack type ofstudy where adversaries aim to falsify the locational marginalprice (LMP) mechanism, violations could be triggered ifthe electricity price surpasses a certain threshold yieldinguneconomical grid operation. Regardless of the case study andthe investigation-specific characteristics, the synergistic appli-cation of system simulations and risk assessment is beneficialin designing secure and resilient power systems.V. C
ONCLUSIONS
In this paper, we present a cybersecurity analysis encom-passing risk and impact assessment of power grids withDERs. Three different attack classes are discussed includ-ing data integrity attacks, alongside attacks aiming to blockand and interrupt critical grid functions. Furthermore, wedemonstrate how simulation-aware risk assessment analysesare critical for identifying vulnerable grid components. Thesecurity enhancement of such components could lead to moreresilient power systems against cyberattacks. An integratedT&D system model is used for the attack simulations andimpact evaluations, while the OCTAVE Allegro methodologyis utilized for the risk assessment process.D
ISCLAIMER
This paper was prepared as an account of work sponsoredby an agency of the United States Government. Neither theUnited States Government nor any agency thereof, nor any oftheir employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy,completeness, or usefulness of any information, apparatus,product, or process disclosed, or represents that its use wouldnot infringe privately owned rights. Reference herein to anyspecific commercial product, process, or service by tradename, trademark, manufacturer, or otherwise does not nec-essarily constitute or imply its endorsement, recommendation,or favoring by the United States Government or any agencythereof. The views and opinions of authors expressed hereindo not necessarily state or reflect those of the United StatesGovernment or any agency thereof.R
EFERENCES[1] H. Jain, A. Parchure, R. P. Broadwater, M. Dilek, and J. Woyak,“Three-phase dynamic simulation of power systems using combinedtransmission and distribution system models,”
IEEE Transactions onPower Systems , vol. 31, no. 6, pp. 4517–4524, 2016.[2] A. Tbaileh, H. Jain, R. Broadwater, J. Cordova, R. Arghandeh, andM. Dilek, “Graph trace analysis: An object-oriented power flow, verifi-cations and comparisons,”
Electric Power Systems Research , vol. 147,pp. 145–153, 2017.[3] B. A. Bhatti, R. Broadwater, and M. Dilek, “Analyzing impact of dis-tributed pv generation on integrated transmission & distribution systemvoltage stability—a graph trace analysis based approach,”
Energies ,vol. 13, no. 17, p. 4526, 2020.[4] A. Peedikayil Kuruvila, I. Zografopoulos, K. Basu, and C. Konstanti-nou, “Hardware-assisted detection of firmware attacks in inverter-basedcyberphysical microgrids,” arXiv preprint arXiv:2009.07691 , 2020.[5] J. Qi, A. Hahn, X. Lu, J. Wang, and C.-C. Liu, “Cybersecurity fordistributed energy resources and smart inverters,”
IET Cyber-PhysicalSystems: Theory & Applications , vol. 1, no. 1, pp. 28–39, 2016.[6] C. Konstantinou and M. Maniatakos, “Impact of firmware modificationattacks on power systems field devices,” in
Int’l Conference on SmartGrid Communications (SmartGridComm) . IEEE, 2015, pp. 283–288.[7] C. Glenn, D. Sterbentz, and A. Wright, “Cyber threat and vulnerabilityanalysis of the us electric sector,” Idaho National Lab.(INL), Idaho Falls,ID (United States), Tech. Rep., 2016.[8] J. Johnson, “Roadmap for photovoltaic cyber security,”
Sandia NationalLaboratories , 2017.[9] I. Zografopoulos and C. Konstantinou, “DERauth: a battery-based au-thentication scheme for distributed energy resources,” in
IEEE ComputerSociety Annual Symposium on VLSI (ISVLSI) , 2020, pp. 560–567.[10] I. Zografopoulos, J. Ospina, and C. Konstantinou, “Special Session:Harness the Power of DERs for Secure Communications in ElectricEnergy Systems,” in . IEEE, 2020, pp. 49–52.[11] The MITRE Corporation, “Crown Jewels Analysis,” 2019.[12] J. Ospina, X. Liu, C. Konstantinou, and Y. Dvorkin, “On the feasibility ofload-changing attacks in power systems during the covid-19 pandemic,”
IEEE Access , vol. 9, pp. 2545–2563, 2021.[13] D. Jin, D. M. Nicol, and G. Yan, “An event buffer flooding attack in dnp3controlled scada systems,” in
Proceedings of the 2011 Winter SimulationConference (WSC) . IEEE, 2011, pp. 2614–2626.[14] I. Zografopoulos, J. Ospina, X. Liu, and C. Konstantinou, “Cyber-Physical Energy Systems Security: Threat Modeling, Risk Assessment,Resources, Metrics, and Case Studies,”
IEEE Access , vol. 9, pp. 1–44,2021.[15] J. Ospina, I. Zografopoulos, X. Liu, and C. Konstantinou, “Demo:Trustworthy cyberphysical energy systems: Time-delay attacks in a real-time co-simulation environment,” in
Proceedings of the 2020 JointWorkshop on CPS&IoT Security and Privacy , ser. CPSIOTSEC’20.New York, NY, USA: ACM, 2020, p. 69.[16] K. W. Hedman, S. S. Oren, and R. P. O’Neill, “A review of transmissionswitching and network topology optimization,” in . IEEE, 2011, pp. 1–7.[17] N. M¨uller and V. Quintana, “Line and shunt switching to alleviateoverloads and voltage violations in power networks,” in