Verifiable Failure Localization in Smart Grid under Cyber-Physical Attacks
Yudi Huang, Ting He, Nilanjan Ray Chaudhuri, Thomas La Porta
11 Verifiable Failure Localization in Smart Grid underCyber-Physical Attacks
Yudi Huang,
Student Member, IEEE , Ting He,
Senior Member, IEEE , Nilanjan Ray Chaudhuri,
Senior Member, IEEE , and Thomas La Porta
Fellow, IEEE
Abstract —Cyber-physical attacks impose a significant threatto the smart grid, as the cyber attack makes it difficult toidentify the actual damage caused by the physical attack. Todefend against such attacks, various inference-based solutionshave been proposed to estimate the states of grid elements (e.g.,transmission lines) from measurements outside the attacked area,out of which a few have provided theoretical conditions forguaranteed accuracy. However, these conditions are usually basedon the ground truth states and thus not verifiable in practice. Tosolve this problem, we develop (i) verifiable conditions that canbe tested based on only observable information, and (ii) efficientalgorithms for verifying the states of links (i.e., transmissionlines) within the attacked area based on these conditions. Ournumerical evaluations based on the Polish power grid and IEEE300-bus system demonstrate that the proposed algorithms arehighly successful in verifying the states of truly failed links, andcan thus greatly help in prioritizing repairs during the recoveryprocess.
Index Terms —Power grid state estimation, cyber-physical at-tack, failure localization, verifiable condition.
I. I
NTRODUCTION
The close interdependency between the physical subsystem(power grid) and its control subsystem (Supervisory Controland Data Acquisition - SCADA or Wide-Area MonitoringProtection and Control - WAMPAC) in modern power gridsmakes them vulnerable to simultaneous cyber-physical attacksthat target both subsystems. Such attacks can cause devastatingconsequences, e.g., the attack on Ukraine’s power grid left225,000 people without power for days [1], as the attackersimultaneously opened circuit breakers (physical attack) whilekeeping the system operators unaware by jamming the phonelines and launching KillDisk server wiping (cyber attack).As the main challenge in dealing with cyber-physical attacksis the difficulty in accurately identifying the damaged gridelements (e.g., failed transmission lines) due to the lack ofmeasurements (e.g., breaker status) from the attacked areacaused by the cyber attack, efforts on countering such attackshave focused on estimating the grid state inside the attackedarea using power flow models and measurements outside thatarea. Specifically, assuming the post-attack power injectionsto be known, [2] developed methods to estimate the grid stateunder cyber-physical attacks using the direct-current (DC)power flow model , and [3] developed similar methods using
The authors are with the School of Electrical Engineering and ComputerScience, Pennsylvania State University, University Park, PA 16802, USA(e-mail: { yxh5389, tzh58, nuc88, tfl12 } @psu.edu).This work was supported by the National Science Foundation under awardECCS-1836827. Failure
Localization
Algorithm Verify
Accuracy of 𝐹 Output: 𝐹 Repair
Scheduling
Output: verifiedlink status
Figure 1. The role of failure localization verification. the alternating-current (AC) power flow model . Recently, [4]further extends such methods to handle unknown post-attackpower injections within the attacked area by proposing a linearprogramming (LP) based algorithm that can correctly identifyall the failed links (i.e., transmission lines) under certainconditions. The conditions, however, involve the ground truthlink states (i.e., whether a link has truly failed or not) withinthe attacked area and is thus not verifiable in practice.In this work, we advance the work in [4] by developingconditions and algorithms to verify the correctness of linkstates estimated by the LP-based algorithm proposed therein.Besides providing more confidence in the estimated link states,such algorithms can also facilitate recovery planning after anattack, which will schedule the repairs based on the results offailure localization under resource limitation. As no currentalgorithm can guarantee localization accuracy and falsealarms are costly, it is highly desirable to verify the correctnessof the failure localization results before scheduling repairs.The role of failure localization verification is shown in red inFig. 1, where the set ˆ F contains the estimated failed links. Oneapplication of the proposed method is to guide crew dispatchduring line repairing/restoration. A. Related Work
State estimation is of fundamental importance for thesupervisory control of the power grid [5]. Specifically, linkstatus identification or failed link localization is critical forpost-attack failure assessment and recovery planning. Todetect failed links in physical attacks, early works [6], [7]formulated this problem as a mixed-integer program, whichcannot scale to multi-link failures. Later works tackled thisproblem by formulating it as a sparse recovery problem overan overcomplete representation [8], [9], which is then relaxedinto an LP for computational efficiency, or applying machinelearning techniques [10], [11].Localizing failed links is more difficult under joint cyber-physical attacks. For cyber attacks that block sensor data tothe control center as considered in this work, [2] proposed anLP-based algorithm and graph-theoretic conditions for perfectfailure localization under the DC power flow model. In [12],a heuristic algorithm was proposed to handle cyber attacks a r X i v : . [ c s . PF ] J a n that distort sensor data or inject stealthy data. Moreover, [13]modified the algorithm and the theoretical guarantees in [2]according to the AC power flow model. However, the aboveworks were all based on the assumption that the power gridremained connected after the failures, which may not be trueunder multi-link failures [4]. Recently, [4] eliminated thisassumption by developing an LP-based algorithm that canjointly estimate the link states and the load shedding valueswithin the attacked area. However, despite the empirical successof this algorithm, there is no existing method for verifying thecorrectness of its estimates.Another line of related works is fault localization, e.g., [14]–[17] and references therein. These works differ from our workin the sense that they (i) target naturally-occurring faults whichexhibit signatures not necessarily present during maliciousattacks, (ii) mostly focus on finding the exact location of faultsalong a line as opposed to localizing the failed lines, and (iii)do not traditionally consider the lack of information due tocyber attacks. B. Summary of Contributions
We aim at estimating the states (failed/operational) of links(transmission lines) in a smart grid under a joint cyber-physicalattack, where the cyber attack blocks sensor data from theattacked area and the physical attack disconnects certain linksthat may disconnect the grid, with the following contributions:1) We provide conditions and a corresponding algorithmto verify the correctness of failure localization results(the states of links) using only observable information.Compared to previous recovery conditions in [4], [18]that cannot be tested during operation, the proposed algo-rithm requires no information about the ground truth linkstates and is thus applicable after cyber-physical attacks.2) We provide a further theoretical condition for verifyingthe states of potentially more links based on observableinformation and the link states that are already verifiedby the above algorithm, as well as the correspondingverification algorithm.3) We show that our conditions and algorithms canbe easily adapted to incorporate the knowledge ofconnectivity if the post-attack grid is known to remainconnected as assumed in most existing works.4) Our evaluations on the Polish grid and the IEEE 300-bussystem show that the proposed algorithms can verify – of failed links and – of operationallinks in general, and these numbers increase to – and – if the post-attack grid is known to remainconnected, which provides valuable information forprioritizing repairs during recovery. Roadmap.
Section II formulates our problem. Section IIIrecaps our previously proposed algorithm [4] and its properties.In Section IV, theoretical conditions and two algorithms aredeveloped to verify the correctness of the estimated link states.Section V evaluates the proposed algorithms on a real gridtopology. Finally, Section VI concludes the paper.
Operational
Link in 𝐸 ഥ𝐻 Operational
Link in 𝐸 𝐻 Failed link Node in 𝑉 𝐻 Node in 𝑉 ഥ𝐻 H Figure 2. A cyber-physical attack that blocks information from the attackedarea H while disconnecting certain links within H . II. P
ROBLEM F ORMULATION
A. Power Grid Model
We adopt the DC power flow model. The power grid ismodeled as a connected undirected graph G = ( V, E ) , where V denotes the set of nodes (buses) and E the set of links (transmis-sion lines). Each link e = ( s, t ) is associated with a reactance r st ( r st = r ts ) and a state ∈ { “operational” , “failed” } (assumedto be operational before attack). Let Γ := diag { r e } e ∈ E . Eachnode v is associated with a phase angle θ v and an active powerinjection p v , which are coupled by DC power flow equation: Bθ = p , (1)where θ := ( θ v ) v ∈ V , p := ( p v ) v ∈ V , and B := ( b uv ) u,v ∈ V ∈ R | V |×| V | is the admittance matrix , defined as: b uv = if u (cid:54) = v, ( u, v ) (cid:54)∈ E, − /r uv if u (cid:54) = v, ( u, v ) ∈ E, − (cid:80) w ∈ V \{ u } b uw if u = v. (2)Given an arbitrary orientation of the links, the topology of G can also be represented by the incidence matrix D ∈{− , , } | V |×| E | , where the entry for u ∈ V and e ∈ E is D u,e = if link e comes out of node u, − if link e goes into node u, otherwise. (3)We assume that each node is deployed with a phasormeasurement unit (PMU) that can measure its phase angle,and remote terminal units (RTUs) measuring the active powerinjection, as well as the (breaker) states and the power flows ofits incident links. These reports are sent to the control center,where the PMU measurements are communicated over a secureWAMPAC network [19], and the RTU measurements over amore vulnerable SCADA network. B. Attack Model
As illustrated in Fig. 2, a joint cyber-physical attack on anarea H = ( V H , E H ) (a subgraph induced by a set of nodes V H ⊆ V ) comprises of: (i) cyber attack that blocks reportsfrom the nodes in V H , and (ii) physical attack that disconnectsa set F ⊆ E H of links within H , where E H is the set of linkswith both endpoints in V H . In contrast to the previous works[2], [8], [9], we consider that the grid may be decomposedinto islands after attack, which leads to possible changes in p . Let ∆ = (∆ v ) v ∈ V := p − p (cid:48) denote the change in active Table IN
OTATIONS
Notation Description G = ( V, E ) power grid H , ¯ H attacked/unattacked area F set of failed links B admittance matrix D incidence matrix θ vector of phase angles p vector of active power injections ∆ vector of changes in active power injections x vector of failure indicators power injections, where p (cid:48) denotes the active power injectionsafter the attack. Define ˜ D := D Γ diag { D T θ (cid:48) } , (4)where θ (cid:48) denotes post-attack phase angles. For link e = ( u, v ) , ˜ D u,e = − ˜ D v,e = θ (cid:48) u − θ (cid:48) v r uv denotes the post-attack power flowon e if it is operational. If link e fails after attack, then ˜ D u,e represents the “hypothetical power flow”. C. Failure Localization Problem
Notation.
The main notations are summarized in Table I.Moreover, given a subgraph X of G , V X and E X denote thesubsets of nodes/links in X , and x X denotes the subvector ofa vector x containing elements corresponding to X . Similarly,given two subgraphs X and Y of G , A X | Y denotes thesubmatrix of a matrix A containing rows corresponding to X and columns corresponding to Y . We use [ A, B ] to denote thehorizontal concatenation of matrices A, B and I n to denotethe n × n identity matrix. We use D H ∈ {− , , } | V H |×| E H | and ˜ D H ∈ R | V H |×| E H | to denote the submatrices of D and ˜ D for the attacked area H . For each variable x , we use x (cid:48) to denote its value after the attack. We follow the conventionthat | x | indicates the absolute value if x is a scalar and | A | denotes the cardinality if A is a set. Goal.
Our goal is to localize the failed links F within the at-tacked area, based on knowledge before the attack and measure-ments from the unattacked area ¯ H after the attack. In contrast to[4], we aim at obtaining estimates with verifiable correctness . Assumptions.
Our analysis and solution are based on thefollowing assumptions:1.
DC power flow model:
This is an approximation of the ACpower flow model by neglecting resistive losses and assuming auniform voltage magnitude. Due to its computational efficiency,DC power flow model has been widely used for analyzing linkfailures in large power grids [2], [6]–[9], [11], [12]. We leavethe extension to the AC power flow model to future work.2.
Availability of phase angles:
We assume that the phaseangle at every bus is available before/after the attack. Before-attack observability from PMU measurements is consistentwith the goal of PMU deployment, at least in North Americanbulk transmission systems [20]. Under the North AmericanSynchroPhasor Initiative (NASPI) [21], the number of PMUsis steadily growing, and some utilities have already achieved full observability in their networks, e.g., Dominion Power haspiloted the PMU-based linear state estimator [22], [23]. Thesetrends indicate that it is just a matter of time that completeobservability through PMUs is achieved. The post-attack observ-ability can be achieved by securing PMU measurements throughthe stronger cyber security requirements of WAMPAC [24], orthrough inference when B ¯ H | H has a full column rank [4].3. θ (cid:48) s (cid:54) = θ (cid:48) t for each link ( s, t ) ∈ E H : This assumption simplymeans that we only focus on the states of links in H that willcarry power flow if not failed, as the states of links carryingno flow have no impact and thus cannot be identified [2], [4].III. E STIMATING L INK S TATES
To our knowledge, the only algorithm for estimating linkstates (and hence localizing failed links) under a cyber-physicalattack that can disconnect the grid is an algorithm called
FailedLink Detection (FLD) proposed in [4]. FLD has exhibited verygood accuracy in detecting the failed links with very few falsealarms [4]. Our idea is to develop algorithms to verify theoutput of FLD. In this section, we briefly recap FLD and itsexisting (unverifiable) recovery conditions for completeness.
A. Existing Algorithm
Let x H ∈ { , } | E H | be an indicator vector such that x e = 1 if e ∈ F and x e = 0 if e ∈ E H \ F . It has been shown in [4]that any feasible solution to x H and ∆ H must satisfy ∆ H = B H | G ( θ − θ (cid:48) ) + D H Γ H diag { D TG | H θ (cid:48) } x H , (5) p v ≥ ∆ v ≥ , ∀ v ∈ { u | u ∈ V H , p u > } , (6) p v ≤ ∆ v ≤ , ∀ v ∈ { u | u ∈ V H , p u ≤ } , (7)FLD formulates the problem of failure localization as an LP: ( P1 ) min x H , ∆ H (cid:107) x H (cid:107) (8a)s.t. (5) , (6) , (7) , (8b) ≤ x H ≤ . (8c)which is the convex relaxation of a sparse-recovery-basedformulation. After solving (P1) in polynomial time, FLDestimates the set of failed links as ˆ F = { e : x e ≥ η } , (9)where η ∈ (0 , is a threshold for rounding the factionalsolution of x H to an integral solution ( η = 0 . in this paper). B. Existing Recovery Conditions
FLD is known to recover the link states correctly under thefollowing conditions [18] (which improved the conditions in[4]), where x ∗ H and ∆ ∗ H denote the true values of x H and ∆ H .
1) Implicit Conditions:
Denote V L ⊆ V H as the setcontaining nodes with p v ≤ , and V G := V H \ V L as theremaining nodes in V H (with p v > ). Accordingly, ∆ i and p i ( i = L, G ) denote the subvectors of ∆ H and p H ,respectively, corresponding to V i , and ˜ D i denotes the submatrixof ˜ D H containing the rows corresponding to V i . Given aset Q m := F \ ˆ F of failed links that are missed and a set Q f := ˆ F \ F of operational links that are falsely detected, define W m ∈ { , } | Q m |×| E H | as a binary matrix where ( W m ) i,j = 1 indicates the i -th missed link to be e j , and define W f ∈ { , } | Q f |×| E H | similarly such that ( W f ) i,k = 1 if the i -th false-alarmed link is e k . Based on these notions, define A TD := [ ˜ D TL , − ˜ D TL , − ˜ D TG , ˜ D TG ] ∈ R | E H |× | V H | , (10a) A Tx := [ − I | E H | , I | E H | ] ∈ R | E H |× | E H | , (10b) W T := [ W Tm , − W Tf ] ∈ R | E H |× ( | Q m | + | Q f | ) , (10c) g TD := [ − ( ∆ ∗ L ) T , ( − p (cid:48) L ) T , ( ∆ ∗ G ) T , ( p (cid:48) G ) T ] , (10d) g Tx := [( x ∗ H ) T , T − ( x ∗ H ) T ] ∈ R × | E H | , (10e) g Tw := [( η − T , − η T ] ∈ R × ( | Q m | + | Q f | ) . (10f)Then, the correctness of FLD is guaranteed as follows. Lemma III.1 ([18]) . A link e ∈ F cannot be missed ( e / ∈ F \ ˆ F )by FLD if for any Q m containing e , there is a solution z ≥ to [ A TD , A Tx , W T , ] z = , (11a) [ g TD , g Tx , g Tw , ] z < . (11b) Similarly, a link e ∈ E H \ F cannot be falsely detected as failedif for any Q f with e ∈ Q f , there is a solution z ≥ to (11) .2) Explicit Conditions: Besides Lemma III.1, [18] alsoprovided more explicit conditions in terms of post-attack powerflows and power injections. The following definitions will beneeded to present this result. Let z D ∈ R | V H | , z x ∈ R | E H | , z w ∈ R | Q m | + | Q f | and z ∗ ∈ R denote subvectors of z corresponding to A TD , A Tx , W T , and in (11a). Denote ˜ D u asthe row in ˜ D corresponding to node u , and ˜ D u,e as the entryin ˜ D u corresponding to link e . Denote z D,u as the entry in z D corresponding to ˜ D u in A D and z D, − u as the entry corre-sponding to − ˜ D u in A D . Define g D,u and g D, − u as the entriesin g D corresponding to z D,u and z D, − u , respectively, i.e., g D,u := (cid:26) − ∆ ∗ u if p u ≤ ,p (cid:48) u if p u > , g D, − u := (cid:26) − p (cid:48) u if p u ≤ , ∆ ∗ u if p u > . (12)Moreover, if link e is the i th link in Q m , then z w,m,e is usedto denote the entry in z w that corresponds to the i th columnof W Tm ; z w,f,e is defined similarly if e ∈ Q f . For each link e , we denote z x − ,e as the entry in z x corresponding to x ∗ e in g x and z x + ,e as the entry corresponding to (1 − x ∗ e ) in g x .Referring to a set of nodes U ⊆ V H that induce a connectedsubgraph before attack as a hyper-node , [18] establishedrecovery conditions based on the following attributes of hyper-nodes. Define E U as the set of links in H with exactly oneendpoint in U , i.e, E U := { e | e = ( s, t ) ∈ E H , s ∈ U, t / ∈ U } .If E U ∩ F (cid:54) = ∅ , define: ˜ D U,e := (cid:88) u ∈ U ˜ D u,e , (13a) S U := { e ∈ E U \ F | ∃ l ∈ E U ∩ F, ˜ D U,l ˜ D U,e > } , (13b) f U,g := (cid:40)(cid:80) u ∈ U g D,u if ∃ l ∈ E U ∩ F, ˜ D U,l < , (cid:80) u ∈ U g D, − u otherwise. (13c)An illustrative example of hyper-node is U = { u , u , u } in Fig. 3, where E U = { l , l , l , l } . If E U ∩ F = ∅ , we define: f U,g := (cid:26) (cid:80) u ∈ U g D,u if ∃ l ∈ E U \ F, ˜ D U,l > , (cid:80) u ∈ U g D, − u otherwise. (14) Theorem III.1 ([18]) . A failed link l ∈ F will be detected byFLD, i.e., l ∈ ˆ F , if there exists at least one hyper-node (say U ) such that l ∈ E U , for which the following conditions hold: ∀ e, l ∈ E U ∩ F , ˜ D U,e ˜ D U,l > , S U = ∅ , and f U,g + ( η − | ˜ D U,l | < . Theorem III.2 ([18]) . An operational link l ∈ E H \ F willnot be detected as failed by FLD, i.e., l / ∈ ˆ F , if there exists atleast one hyper-node (say U ) such that l ∈ E U , for which thefollowing conditions hold: ∀ l, l (cid:48) ∈ E U \ F, ˜ D U,l ˜ D U,l (cid:48) > , S U = ∅ if E U ∩ F (cid:54) = ∅ , and f U,g − η | ˜ D U,l | < . While useful for performance analysis, the above conditionscannot be directly applied to verify whether the estimated stateof a link is correct or not as the ground truth F is unknown.IV. V ERIFYING E STIMATED L INK S TATES
We will show that in some cases, we can guarantee thecorrectness of estimated link states based on observableinformation. Our idea is to (1) derive stronger recoveryconditions that can be tested without knowledge of the groundtruth link states, and then (2) extend these conditions to testmore links based on the link states verified in step (1).Our results are based on the assumption that the grid followsthe proportional load shedding/generation reduction policy ,where (i) either the load or the generation (but not both)will be reduced upon the formation of an island, and (ii) ifnodes u and v are in the same island and of the same type(both load or generator), then p (cid:48) u /p u = p (cid:48) v /p v . This policymodels the common practice in adjusting load/generation dueto islanding [25], [26]. Under this policy, it is known thatthe post-attack power injections can be recovered under thefollowing condition. Lemma IV.1 ([4]) . Let N ( v ; ¯ H ) denote the set of all the nodesin ¯ H that are connected to node v via links in E \ E H . Thenunder the proportional load shedding/generation reductionpolicy, ∆ v for v ∈ V H can be recovered unless N ( v ; ¯ H ) = ∅ or every u ∈ N ( v ; ¯ H ) is of a different type from v with ∆ u = 0 . Define U B as the set of nodes such that ∀ u ∈ U B , ∆ u canbe recovered through Lemma IV.1.Our key observation is that for any hyper-node U , ˜ D U,l forany l ∈ E U can be computed with the knowledge of θ (cid:48) , and f U,g can be upper-bounded by ˆ f U,g := (cid:88) u ∈ U ∩ U B f u,g + (cid:88) u ∈ U \ U B | p u | , (15)where f u,g is defined in (13c) for U = { u } . Since f u,g isknown for nodes in U B and p u (power injection at u beforeattack) is also known, ˆ f U,g is computable. We now show howto use this information to verify the estimated link states basedon Lemma III.1 and Theorems III.1–III.2. H ! " $ % & ' ( $ ( % ( ! ( ( " ( ) ( & ( ' Failed Links Operational Links
Figure 3. An example of hyper-node (arrow denotes the direction of a powerflow over an operational link or a hypothetical power flow over a failed link).
A. Verification without Knowledge of Ground Truth
We first tackle the links whose states can be verified withoutany knowledge of the ground truth link states.
1) Verifiable Conditions:
The basic idea is to rule outthe other possibility by constructing counterexamples to thetheorems in Section III-B if the estimated link state is incorrect.
Links in -edge cuts: If link e = ( u , u ) forms a cut of H , i.e., ( V H , E H \ { e } ) contains more connected componentsthan H , then by breadth-first search (BFS) starting from u and u respectively without traversing e , we can constructtwo hyper-nodes U and U such that E U = E U = { e } andthus S U = S U = ∅ . For example, in Fig. 3, link e := l isa 1-edge cut, and thus U := { u , u } and U := V H \ U satisfy this condition. Then the following verifiable conditionsare directly implied by Theorems III.1–III.2: Corollary IV.1. If e ∈ ˆ F and min { ˆ f U ,g , ˆ f U ,g } − η | ˜ D U ,e | < , then we can verify e ∈ F . If e ∈ E H \ ˆ F and min { ˆ f U ,g , ˆ f U ,g } + ( η − | ˜ D U ,e | < , then we can verify e ∈ E H \ F .Proof. If e ∈ ˆ F and min { ˆ f U ,g , ˆ f U ,g } − η | ˜ D U ,e | < , then e must have failed, since otherwise e would have been estimatedas operational according to Theorem III.2. Similarly, if e ∈ E H \ ˆ F and min { ˆ f U ,g , ˆ f U ,g } + ( η − | ˜ D U ,e | < , then e must be operational, since otherwise e would have beenestimated as failed according to Theorem III.1. Note that as ourverification is based on contradiction, ˆ f U i ,g should be computedas if e ∈ E H \ F to verify e ∈ ˆ F and vice-versa. Links in -edge cuts: If links e , e ∈ E H together forma cut of H but each individual link does not, then by BFSstarting from the endpoints of e (or e ) without traversing e or e , we can construct two hyper-nodes U , U such that E U = E U = { e , e } . For example, as e := l and e := l form a -edge cut of H in Fig. 3, U := { u , u } and U := V H \ U satisfy this condition. Moreover, any pair of links ina cycle C form a 2-edge cut if they are not in any other cyclein H , e.g., any pair of links in the cycle { l , l , l } satisfy thiscondition. Based on this observation, we provide the followingconditions for verifying the states of such links. Theorem IV.1.
Consider a hyper-node U with E U = { e , e } and e , e ∈ E H \ ˆ F . If ˜ D U,e ˜ D U,e < , then e , e areguaranteed to both belong to E H \ F if ˆ f U,g + ( η −
1) min {| ˜ D U,e | , | ˜ D U,e |} < , and η < − min { ˆ f U,g + | ˜ D U,e || ˜ D U,e | , ˆ f U,g + | ˜ D U,e || ˜ D U,e | } .If ˜ D U,e ˜ D U,e > , then we can verify: e ∈ E H \ F if (1 − η ) | ˜ D U,e | > ˆ f U,g + | ˜ D U,e | , e ∈ E H \ F if (1 − η ) | ˜ D U,e | > ˆ f U,g + | ˜ D U,e | .Proof. We first prove the case that ˜ D U,e ˜ D U,e < . Given e , e ∈ E H \ ˆ F where ˆ F is returned by FLD, there are 3possible forms of mistakes when the ground truth failed linkset F is unknown, and we will prove the impossibility for eachof them. If e ∈ F, e ∈ E H \ F , Theorem III.1 guarantees that e / ∈ Q m due to condition 1), which introduces contradiction.Similarly, e ∈ F, e ∈ E H \ F is also impossible. If e , e ∈ Q m , assume without loss of generality that η < − ˆ f U,g + | ˜ D U,e || ˜ D U,e | .Then, we construct the following z : ∀ u ∈ U , z D,u = 1 if ˜ D U,e < or z D, − u = 1 if ˜ D U,e > , z w,m,e = | ˜ D U,e | , z x − ,e = | ˜ D U,e | , and other entries of z as 0. Then, (11a)holds for sure and (11b) holds since it can be expanded as ˆ f U,g + ( η − | ˜ D U,e | + | ˜ D U,e | < due to condition 2).According to Lemma III.1, it is impossible to have e , e ∈ Q m ,which verifies that e , e ∈ E H \ F .Next, with ˜ D U,e ˜ D U,e > , we show how to verify e . If e ∈ Q m , regardless of the true state of e , we construct thefollowing z for Lemma III.1: ∀ u ∈ U , z D,u = 1 if ˜ D U,e < or z D, − u = 1 if ˜ D U,e > , z w,m,e = | ˜ D U,e | , z x + ,e = | ˜ D U,e | , and other entries of z as 0. Then (11) holds due tocondition 1), which contradicts the assumption that e ∈ Q m .The verification condition for e can be derived similarly. Theorem IV.2.
Consider a hyper-node U with E U = { e , e } and e ∈ ˆ F , e ∈ E H \ ˆ F . If ˜ D U,e ˜ D U,e > , then the statesof e , e are guaranteed to be correctly identified if ˆ f U,g − η | ˜ D U,e | < , ˆ f U,g + ( η − | ˜ D U,e | < , and either η > ˆ f U,g + | ˜ D U,e || ˜ D U,e | or η < − ˆ f U,g + | ˜ D U,e || ˜ D U,e | .If ˜ D U,e ˜ D U,e < , then we can verify: e ∈ F if η | ˜ D U,e | > ˆ f U,g + | ˜ D U,e | , e ∈ E H \ F if (1 − η ) | ˜ D U,e | > ˆ f U,g + | ˜ D U,e | .Proof. We first prove the impossibility of each possible mistakeif ˜ D U,e ˜ D U,e > . First, we rule out the possibility that e ∈ Q f , e ∈ E H \ F according to Theorem III.2 and condition 1).Similarly, according to Theorem III.1 and condition 1), e ∈ F while e ∈ Q m is also impossible. Next, we prove theimpossibility of e ∈ Q f , e ∈ Q m by constructing a solution z to (11). Specifically, if η > ˆ f U,g + | ˜ D U,e || ˜ D U,e | , then ∀ u ∈ U ,we set z D,u = 1 if ˜ D U,e > or z D, − u = 1 if ˜ D U,e < , z w,f,e = | ˜ D U,e | , z x − ,e = | ˜ D U,e | , and other entries of z as 0. If η < − ˆ f U,g + | ˜ D U,e || ˜ D U,e | , then ∀ u ∈ U , we set z D,u = 1 if ˜ D U,e < or z D, − u = 1 if ˜ D U,e > , z w,m,e = | ˜ D U,e | , z x + ,e = | ˜ D U,e | , and other entries of z as 0. It is easy tocheck the satisfaction of (11) under both constructions above,which rules out the possibility of e ∈ Q f , e ∈ Q m accordingto Lemma III.1 and e ∈ F, e ∈ E H \ F is thus guaranteed.Next, we prove the verification condition for e / ∈ Q f if ˜ D U,e ˜ D U,e < . We prove by constructing a solution z asfollows regardless of the status of e : ∀ u ∈ U , if ˜ D U,e < ,we set z D, − u = 1 ; otherwise, we set z D,u = 1 . Then, we set z w,f,e = | ˜ D U,e | , z x + ,e = | ˜ D U,e | , and other entries of z as0. Then, (11a) holds for sure and (11b) holds since it can be expanded as ˆ f U,g − η | ˜ D U,e | + | ˜ D U,e | < due to condition1), which rules out the possibility of e ∈ Q f according toLemma III.1 and thus verifies that e ∈ F . The verificationcondition for e / ∈ Q m can be proved similarly. Theorem IV.3.
Consider a hyper-node U with E U = { e , e } and e , e ∈ ˆ F . Then, we can verify: e ∈ F if η | ˜ D U,e | > ˆ f U,g + | ˜ D U,e | , e ∈ F if η | ˜ D U,e | > ˆ f U,g + | ˜ D U,e | .Proof. We only prove the verification condition for e ∈ F since the condition for e can be proved similarly. We proveby contradiction that constructs a solution to (11) if e ∈ Q f .Specifically, with condition 1), we can always construct a z for (11) as follows regardless of the status of e : ∀ u ∈ U , z D,u = 1 if ˜ D U,e > or z D, − u = 1 if ˜ D U,e < and z w,f,e = | ˜ D U,e | . In addition, if ˜ D U,e ˜ D U,e > , weset z x − ,e = | ˜ D U,e | ; otherwise, we set z x + ,e = | ˜ D U,e | .Finally, other entries of z are set as 0. It is easy to check thesatisfaction of (11a), and (11b) holds since it can be expandedas [ g TD , g Tx , g Tw , ] z ≤ ˆ f U,g + | ˜ D U,e | − η | ˜ D U,e | < , wherethe last inequality holds due to condition 1). Thus, we musthave e / ∈ Q f according to Lemma III.1. Remark:
While in theory such verifiable conditions can alsobe derived for links in larger cuts, the number of cases willgrow exponentially. We also find – -edge cuts to cover themajority of links in practice (see Fig. 4).
2) Verification Algorithm:
Based on Lemmas IV.1–IV.3, wedevelop an algorithm as shown in Algorithm 1 for verifyingthe link states estimated by FLD, which can be applied tolinks in – -edge cuts. Here, E a denotes the set of all thelinks in -edge cuts of H , while E c denotes the set of -edgecuts. In the algorithm, links in E a are tested before links in E c since it is easier to extend the knowledge of U B based on thetest results for E a . As for the complexity, we first note thatthe time complexity of each iteration is O ( | E H | + | V H | ) dueto BFS. Then, it takes O ( | E H | ) iterations to verify E a and O ( | E H | ) iterations for E c , which results in a total complexityof O ( | E H | ( | E H | + | V H | )) . B. Verification with Partial Knowledge of Ground Truth
Algorithm 1 assumes no knowledge of the ground truth linkstates, even if the states of some links are already verified.However, links that cannot be verified by Algorithm 1 maybecome verifiable after obtaining partial knowledge of theground truth (i.e., link set E v verified by Algorithm 1). Inaddition, links in larger cuts are not tested in Algorithm 1. Toaddress these issues, we propose a followup step designed toverify the states of the links in E H \ E v .
1) Verifiable Conditions:
The idea for verifying the correct-ness of e ∈ ˆ F (or e ∈ E H \ ˆ F ) is to construct a solution to(11) as if e ∈ E H \ F (or e ∈ F ). Specifically, it can be shownthat for a link e ∈ ˆ F , if there exists z ≥ for (11) where W is constructed for Q f = { e } and Q m = ∅ , then e is guaranteedto have failed since otherwise it must have been estimatedto be operational. The challenge is the unknown g D , g x , and g w due to unknown F and ∆ ∗ H . To tackle this challenge, we Algorithm 1:
Verification without Ground Truth
Input: ˜ D , p , ∆ ¯ H , U B , η, E a , E c , ˆ F Output: E v E v ← ∅ ; /* verifiable links */ foreach e = ( u , u ) ∈ E a do Construct hyper-nodes U and U such that E U = E U = { e } ; if e ∈ ˆ F then Add e to E v if min { ˆ f U ,g , ˆ f U ,g } − η | ˜ D U ,e | < ; else Add e to E v if min { ˆ f U ,g , ˆ f U ,g } + ( η − | ˜ D U ,e | < ; if e is verified to be in E H \ F then Add u i to U B if ∆ u i ( i = 1 , ) can berecovered through Lemma IV.1; foreach { e , e } ∈ E c do Construct hyper-nodes U and U such that E U = E U = { e , e } ; Test the satisfaction of Lemma IV.1, IV.2, or IV.3for U and U , respectively; Add e i ( i = 1 , ) to E v if it is verified;approximate these parameters by their worst possible values (interms of satisfying (11)), which leads to the following result: Theorem IV.4.
Given a set E v of links with known states, wedefine ˆ g D ∈ R | V H | and ˆ g x ∈ R | E H | as follows: ˆ g D,u = (cid:40) g D,u , if u ∈ U B , | p u | , otherwise, ˆ g x,e = (cid:40) g x,e , if e ∈ E v , , otherwise,and define ˆ g D, − u and ˆ g x, − e similarly. Then, a link l ∈ ˆ F isverified to have failed if there exists a solution z ≥ to [ A TD , A Tx , w T , ] z = , (16a) [ˆ g TD , ˆ g Tx , g w , ] z < , (16b) where w ∈ { , } | E H | is defined to be W f with Q f = { l } ,and g w := − η . Similarly, a link e ∈ E H \ ˆ F is verified to beoperational if ∃ z ≥ that satisfies (16) , where w ∈ { , } | E H | is defined to be W m with Q m = { e } , and g w := η − .Proof. We only prove for the case that l ∈ ˆ F since the casethat e ∈ E H \ ˆ F is similar. First note that if ∃ z ≥ thatsatisfies (11) for W constructed according to Q f = { l } and Q m = ∅ , then for any W corresponding to Q f that contains l ,we can always construct a non-negative solution to (11) basedon z by setting z w,f,e (cid:48) = 0 , ∀ e (cid:48) ∈ Q f \ { l } . Thus, accordingto Lemma III.1, l can be verified as l ∈ F if ∃ z ≥ for (11)where W is constructed for Q f = { l } and Q m = ∅ , sinceotherwise l must have been estimated to be operational. Thus,we only need to prove that any solution to (16) is a solutionto (11) when Q f = { l } and Q m = ∅ . To this end, let ¯ z ≥ be a feasible solution to (16). First, (11a) holds since it is thesame as (16a) in this case. As for (11b), we have [ g TD , g Tx , g w , ] ¯ z ≤ [ˆ g TD , ˆ g Tx , g w , ] ¯ z < , (17) where the first inequality holds since ≤ [ g TD , g Tx ] ≤ [ˆ g TD , ˆ g Tx ] (element-wise inequality), while the second inequality holdssince ¯ z satisfies (16). Therefore, ¯ z is also a feasible solutionto (11), which verifies that l ∈ F .
2) Verification Algorithm:
All the elements in (16) areknown, and thus the existence of a solution can be checked bysolving an LP. Based on this result, we propose Algorithm 2for verifying the estimated states of the remaining links, whichiteratively updates E v . Each iteration of Algorithm 2 involvessolving O ( | E H | ) LPs, each of which has a time complexity thatis polynomial in the number of decision variables ( | E H | ) andthe number of constraints ( | V H | + | E H | ) [27]. Since Algorithm 2has at most | E H | iterations, the total time complexity ofAlgorithm 2 is polynomial in | E H | and | V H | . Algorithm 2:
Verification with Partial Ground Truth
Input: ˜ D , p , ∆ ¯ H , U B , η, E H , E v , ˆ F , ˆ g D , ˆ g x while E H \ E v (cid:54) = ∅ do ¯ E v ← E v ; foreach e ∈ E H \ E v do if ∃ z ≥ satisfying (16) for e then ¯ E v ← ¯ E v ∪ { e } ; Update ˆ g x ; if | ¯ E v | > | E v | then E v ← ¯ E v ; else break; C. Special Case of Connected Post-attack Grid
In this section, we study the special case that the grid isknown to stay connected after the attack, which is assumedin most of the existing works [2], [8], [9]. In this case, FLDis modified by replacing constraints (6) and (7) with ∆ H = (implied by the assumption of the connected post-attackgrid). Next, we demonstrate how Algorithm 1-2 will changein this case. To this end, we study the effect of ∆ H = on Lemma III.1. Noting that according to [18], any pair of ( ∆ H , x H ) satisfying (5) can be represented by c ∈ R | E H | as ∆ H = ∆ ∗ H + ˜ D H c , x H = x ∗ H + I | E H | c . (18)Thus, we have ˜ D H c = due to ∆ H = ∆ ∗ H = , which isequivalent to requiring ˜ D H c ≤ and − ˜ D H c ≤ . Accord-ingly, A D and g D in (11), which used to model (6) and (7), nowbecome A TD := [ ˜ D TH , − ˜ D TH ] , g D := . The direct implicationof g D = is that f U,g = (cid:80) u ∈ U f u,g = 0 , ∀ U ⊆ V H . That isto say, Theorems IV.1-IV.3 still hold for the modified FLDexcept that ˆ f U,g = , which implies the following result: Corollary IV.2.
If it is known that the post-attack grid G (cid:48) =( V, E \ F ) is connected, then the state of any link that formsa 1-edge cut of H will be identified correctly by a variationof FLD that replaces the constraints (6) and (7) by ∆ H = . The exact order of the polynomial depends on the specific algorithm usedto solve the LP [27]. |F| F r a c t i on o f li n ks Testable 1-edge cutVerifiable 1-edge cutTestable 2-edge cutVerifiable 2-edge cutVerifiable - Alg. 2 (a) Fraction of failed links |F| F r a c t i on o f li n ks Testable 1-edge cutVerifiable 1-edge cutTestable 2-edge cutVerifiable 2-edge cutVerifiable - Alg. 2 (b) Fraction of operational links
Figure 4. Fraction of testable/verifiable links in Polish system ( | V H | = 40 ). Proof.
As in the proof of Corollary IV.1, for any link e =( u , u ) ∈ ˆ F forming a cut of H , we can verify that e ∈ F if min { f U ,g , f U ,g }− η | ˜ D U ,e | < (otherwise, e must have beenestimated as operational by Theorem III.2). Since f U i ,g = 0 ( i = 1 , ) if the grid remains connected after the attack and | ˜ D U ,e | > by Assumption 3, e ∈ F can always be verified.Similar argument applies to any link l ∈ E H \ ˆ F .By Corollary IV.2, the verification of the link states in E a canbe skipped if the post-attack grid is known to stay connected.V. P ERFORMANCE E VALUATION
We first test our solutions on the Polish power grid (“Polishsystem - winter 1999-2000 peak”) [28] with nodes and links, where parallel links are combined into one link.We generate the attacked area H by randomly choosing onenode as a starting point and performing a breadth first search toobtain H with a predetermined | V H | . We then randomly choose | F | links within H to fail. The generated H consists of busestopologically close to each other, which will intuitively sharecommunication links in connecting to the control center andcan thus be blocked together once a cyber attack jams some ofthese links. Note, however, that our solution does not depend onthis specific way of forming H . The phase angles of each islandwithout any generator or load are set to , and the rest are com-puted according to (1). For each setting of | V H | and | F | , we gen-erate different H ’s and different F ’s per H . Each evalu-ated metric is shown via the mean and the th / th percentile(indicated by the error bars). The threshold η is set as . .We first evaluate the fraction of verifiable links in E a (links in1-edge cuts) and E c (links in 2-edge cuts, i.e., E c := (cid:83) s ∈E c s ),as shown in Fig. 4. For each generated case (combination of H and F ), denote E a,v := E a ∩ E v and E c,v := E c ∩ E v .Then in Fig. 4(a), we evaluate the fractions of testable andverifiable links in E a ( E c ) for failed links, i.e., | E a ∩ F || F | ( | E c ∩ F || F | )and | E a,v ∩ F || F | ( | E c,v ∩ F || F | ). The evaluation for operational links isconducted similarly in Fig. 4(b). As can be seen, (i) the fractionsof testable and verifiable links both stay almost constant withvarying | F | , which demonstrates the robustness of Algorithm 1;(ii) among the testable links ( E a ∪ E c ), most of the failedlinks are verifiable, but only half of the operational links areverifiable; (iii) compared to links in E c , links in E a have ahigher chance of being verifiable, which indicates that it iseasier to recover the states of the critical links in the attackedarea (that form 1-edge cuts).Next, we evaluate two metrics to study the value ofAlgorithm 2. The first is the fraction of links verified by Table IIP
ERCENTAGE OF CASES THAT A LGORITHM VERIFIES ADDITIONAL LINKSIN P OLISH SYSTEM
Type of links | F | = 3 | F | = 6 | F | = 9 | F | = 12 Failed Links .
86% 31 .
94% 45 .
69% 54 . Operational Links .
13% 84 .
24% 85 .
41% 85 . All Links .
75% 88 .
23% 91 .
02% 91 . |F| F r a c t i on o f li n ks Verifiable - Alg.1 + Alg.2GuaranteedExperiment Results (a) Fraction of failed links. |F| F r a c t i on o f li n ks Verifiable - Alg.1 + Alg.2GuaranteedExperiment Results (b) Fraction of operational links.
Figure 5. Comparison between verifiable links, theoretically guaranteed links,and actually correctly identified links in Polish system ( | V H | = 40 ). Algorithm 2 but not Algorithm 1, as shown in Fig. 4 as’Verifiable - Alg. 2’. The second is the percentage of cases thatAlgorithm 2 can verify additional links, given in Table II fordifferent | F | . We observe that Algorithm 2 can usually verifymore links based on the results of Algorithm 1, although thenumber of additionally verified links is not large.Then, we compare the fraction of verifiable links withunknown ground truth of F to the fraction of links whose statesare guaranteed to be correctly estimated by FLD based on theground truth F according to Lemma III.1 (‘Guaranteed’) andthe actual fraction of links whose states are correctly estimatedby FLD (‘Experiment Results’), as shown in Fig. 5. We seethat most of the failed links are verifiable, while only half ofthe operational links are verifiable. This indicates that most(more than ) of the unverifiable links are operational. Tounderstand such a phenomenon, we observe in experimentsthat many operational links carry small post-attack power flow,which makes the conditions in Theorem IV.1-IV.3 hard tosatisfy. On the contrary, the values of hypothetical power flowson failed links are usually large. Nevertheless, the fraction oflinks whose states are correctly identified by FLD is muchhigher: out of all the failed links, over will be estimated asfailed and verified as so, while another will be estimatedas failed but not verified; out of all the operational links, over will be estimated and verified as operational, while therest will also be estimated as operational but not verified.Finally, for the special case that the post-attack grid staysconnected, we study the benefits of knowing the connectivityand the corresponding modification in Section IV-C, as shownin Fig. 6 and Table III. Specifically, ‘X-agnostic’ denotes theperformance of ‘X’ without knowing the connectivity, while‘X-known’ denotes the counterpart that adopts the modificationin Section IV-C. The meaning of ‘X’ is the same as in Fig. 5.In Table III, we evaluate the percentage of randomly generatedcases ( H and F ) that the post-attack grid G (cid:48) remains connected.We observe that (i) the knowledge of connectivity can helpverify more than additional failed links and additional Table IIIP
ERCENTAGE OF CASES OF CONNECTED POST - ATTACK P OLISH SYSTEM ( | V H | = 40 ) | F | = 3 | F | = 6 | F | = 9 | F | = 12 % % % % |F| F r a c t i on o f li n ks Verifiable-agnosticVerifiable-knownGuaranteed-agnosticGuaranteed-knownExperiment Results-agnosticExperiment Results-known (a) Fraction of failed links. |F| F r a c t i on o f li n ks Verifiable-agnosticVerifiable-knownGuarantee-agnosticGuarantee-knownExperiment Results-agnosticExperiment Results-known (b) Fraction of operational links.
Figure 6. Performance comparison for connected post-attack Polish system( | V H | = 40 ). operational links; (ii) when | F | is small (e.g., | F | ≤ ), G (cid:48) remains connected in the majority of the cases. These resultsindicate the value of the knowledge of connectivity.To validate our observations, we further evaluate our solu-tions on the IEEE 300-bus system extracted from MATPOWER[28], as shown in Fig. 7–8 and Table IV. The configuration ofthese experiments is the same as before, except that | V H | = 20 due to the smaller scale of the test system. Compared withFig. 5–6 and Table III, all the results from the IEEE 300-bus system are qualitatively similar to those from the Polishsystem, and hence validate the generality of our previouslyobservations. VI. C ONCLUSION
We considered the problem of localizing failed links in asmart grid under a cyber-physical attack that blocks sensor datafrom the attacked area and disconnects an unknown subset oflinks within this area that may disconnect the grid. Building ontop of a recently proposed failure detection algorithm (FLD)that has shown empirical success, we focused on verifying |F| F r a c t i on o f li n ks Verifiable - Alg.1 + Alg.2GuaranteedExperiment Results (a) Fraction of failed links. |F| F r a c t i on o f li n ks Verifiable - Alg.1 + Alg.2GuaranteedExperiment Results (b) Fraction of operational links.
Figure 7. Comparison between verifiable links, theoretically guaranteed links,and actually correctly identified links in IEEE 300-bus system ( | V H | = 20 ).Table IVP ERCENTAGE OF CASES OF CONNECTED POST - ATTACK
IEEE 300-
BUSSYSTEM ( | V H | = 20 ) | F | = 2 | F | = 4 | F | = 6 | F | = 8 % % % % |F| F r a c t i on o f li n ks Verifiable-agnosticVerifiable-knownGuaranteed-agnosticGuaranteed-knownExperiment Results-agnosticExperiment Results-known (a) Fraction of failed links. |F| F r a c t i on o f li n ks Verifiable-agnosticVerifiable-knownGuarantee-agnosticGuarantee-knownExperiment Results-agnosticExperiment Results-known (b) Fraction of operational links.
Figure 8. Performance comparison for connected post-attack IEEE 300-bussystem ( | V H | = 20 ). the correctness of the estimated link states, by developingtheoretical conditions that can be verified based on observableinformation and polynomial-time algorithms that use theseconditions to verify link states. Our evaluations based onthe Polish power grid showed that the proposed algorithmsare highly successful in verifying the states of truly failedlinks. Compared to the previous solutions (including [18])for link state estimation that label links with binary states(failed/operational) without guaranteed correctness, our solutionlabels links with ternary states (failed/operational/unverifiable),where the states of verifiable links are identified with guaranteedcorrectness. This, together with the observation that most of theunverifiable links are operational, provides valuable informationfor planning repairs during the recovery process.R EFERENCES[1] “Analysis of the cyber attack on the Ukrainian power grid,” March 2016,https://ics.sans.org/media/E-ISAC SANS Ukraine DUC 5.pdf.[2] S. Soltan, M. Yannakakis, and G. Zussman, “Power grid state estimationfollowing a joint cyber and physical attack,”
IEEE Transactions onControl of Network Systems , vol. 5, no. 1, pp. 499–512, 2018.[3] S. Soltan and G. Zussman, “Power grid state estimation after a cyber-physical attack under the AC power flow model,” in
IEEE PES-GM ,2017.[4] Y. Huang, T. He, N. R. Chaudhuri, and T. L. Porta, “Power grid state es-timation under general cyber-physical attacks,” in
IEEE SmartGridComm .IEEE, 2020.[5] Y.-F. Huang, S. Werner, J. Huang, N. Kashyap, and V. Gupta, “Stateestimation in electric power grids: Meeting new challenges presented bythe requirements of the future grid,”
IEEE Signal Processing Magazine ,vol. 29, no. 5, pp. 33–43, 2012.[6] J. E. Tate and T. J. Overbye, “Line outage detection using phasor anglemeasurements,”
IEEE Transactions on Power Systems , vol. 23, no. 4, pp.1644–1652, 2008.[7] ——, “Double line outage detection using phasor angle measurements,”in . IEEE, 2009,pp. 1–5.[8] H. Zhu and G. B. Giannakis, “Sparse overcomplete representations forefficient identification of power line outages,”
IEEE Transactions onPower Systems , vol. 27, no. 4, pp. 2215–2224, November 2012.[9] J.-C. Chen, W.-T. Li, C.-K. Wen, J.-H. Teng, and P. Ting, “Efficientidentification method for power line outages in the smart power grid,”
IEEE Transactions on Power Systems , vol. 29, no. 4, pp. 1788–1800,2014.[10] M. Garcia, T. Catanach, S. Vander Wiel, R. Bent, and E. Lawrence, “Lineoutage localization using phasor measurement data in transient state,”
IEEE Transactions on Power Systems , vol. 31, no. 4, pp. 3019–3027,2015.[11] Y. Zhao, J. Chen, and H. V. Poor, “A learning-to-infer method for real-time power grid multi-line outage identification,”
IEEE Transactions onSmart Grid , vol. 11, no. 1, pp. 555–564, 2020.[12] S. Soltan, M. Yannakakis, and G. Zussman, “React to cyber attacks onpower grids,”
IEEE Transactions on Network Science and Engineering ,vol. 6, no. 3, pp. 459–473, 2018. [13] S. Soltan and G. Zussman, “Expose the line failures following a cyber-physical attack on the power grid,”
IEEE Transactions on Control ofNetwork Systems , vol. 6, no. 1, pp. 451–461, 2018.[14] T. Adu, “A new transmission line fault locating system,”
IEEE Transac-tions on Power Delivery , vol. 16, no. 4, pp. 498–503, October 2001.[15] R. H. Salim, M. Resener, A. D. Filomena, K. R. C. De Oliveira, andA. S. Bretas, “Extended fault-location formulation for power distributionsystems,”
IEEE Transactions on Power Delivery , vol. 24, no. 2, pp.508–516, 2009.[16] A. Codino, Z. Wang, R. Razzaghi, M. Paolone, and F. Rachidi, “Analternative method for locating faults in transmission line networks basedon time reversal,”
IEEE Transactions on Electromagnetic Compatibility ,vol. 59, no. 5, pp. 1601–1612, October 2017.[17] M. M. Saha, J. J. Izykowski, and E. Rosolowski,
Fault location on powernetworks
IEEE PES General Meeting . IEEE, 2010, pp. 1–3.[22] K. D. Jones, J. S. Thorp, and R. M. Gardner, “Three-phase linear stateestimation using phasor measurements,” in . IEEE, 2013, pp. 1–5.[23] K. D. Jones, A. Pal, and J. S. Thorp, “Methodology for performingsynchrophasor data conditioning and validation,”
IEEE Transactions onPower Systems , vol. 30, no. 3, pp. 1121–1130, 2014.[24] “Wide area monitoring, protection, and control systems (WAMPAC)standards for cyber security requirements,” National Electric SectorCybersecurity Organization Resource (NESCOR), October 2012, https://smartgrid.epri.com/doc/ESRFSD.pdf.[25] B. Pal and B. Chaudhuri,
Robust control in power systems . SpringerScience & Business Media, 2006.[26] M. Lu, W. ZainalAbidin, T. Masri, D. Lee, and S. Chen, “Under-frequencyload shedding (ufls) schemes-a survey,”
International Journal of AppliedEngineering Research , vol. 11, no. 1, pp. 456–472, 2016.[27] T. Terlaky,
Interior point methods of mathematical programming .Springer Science & Business Media, 2013, vol. 5.[28] R. D. Zimmerman and C. E. Murillo-S´anchez, “Matpower 7.0 user’smanual,”