A review of cyber security risks of power systems: from static to dynamic false data attacks

With the rapid development of the smart grid and increasingly integrated communication networks, power grids are facing serious cyber-security problems. This paper reviews existing studies on the impact of false data injection attacks on power systems from three aspects. First, false data injection can adversely affect economic dispatch by increasing the operational cost of the power system or causing sequential overloads and even outages. Second, attackers can inject false data into the power system state estimator, which prevents the operators from obtaining the true operating conditions of the system. Third, false data injection attacks can degrade the distributed control of distributed generators or microgrids, inducing a power imbalance between supply and demand. This paper covers the potential vulnerabilities of power systems to cyber-attacks to help system operators understand the system vulnerability and take effective countermeasures.


Introduction
With their extensive incorporation of information and communication technology, power systems are exposed to cyber threats. By targeting the information exchange process, malicious attackers can inject false data to cause power outage, economic loss, and system instability. False data injection (FDI) can also be employed to mask existing power system faults. This will affect the operator's visibility of the faults and prevent proper countermeasures from being taken.
For example, in 2015, the Ukraine power grid was attacked and substation breakers were opened by malicious entities [1]. To design proper protection measures for the improvement of system resilience, it is necessary to explore the way FDI affects the power system. Thus, there has been a lot of research on the attacking mechanism and effect of FDI.
In general, the paths through which FDI adversely affects a power system can be classified into three categories, i.e., the estimation of system states, the generation of control commands, and the actuation of control actions, as shown in Fig. 1. FDI can induce the generation of inappropriate control commands by directly targeting economic dispatch. In [2,3], false load data is injected into security-constrained economic dispatch which causes the line flows to exceed their overload tripping threshold, leading to line outage and even cascade failure. In [4][5][6], economic dispatch is intentionally affected to increase the operational cost or to obtain illegal profit from power markets. In [7], the potential risk of FDI attacks on economic dispatch is investigated where the attackers do not have full knowledge of network information.
FDI can also penetrate a power system by attacking system state measurement and estimation, and cause damage to the integrity of power system state information. In [8], FDI is used as a tool to attack the supervisory control and data acquisition (SCADA) system, while in [9], false data is injected into the phasor measurement unit (PMU) to mislead the control center. By doing this, cyber attackers can affect the operator's visibility of the true operating condition of the system, resulting in the failure of the operator to take appropriate countermeasures. In [10,11], FDI is employed to induce arbitrary estimation errors of the state estimator, whereas FDI is applied to power system nonlinear state estimation in [12][13][14][15] and the corresponding countermeasures are discussed.
In addition, FDI can modify the control input for the system, resulting in deteriorating power system stability. In [16], the input signal for a follower distributed generator is corrupted by FDI, causing the disagreement of a group of distributed generators. In [17], FDI is used to induce a synchronization problem for islanded microgrids, while system breakers are controlled to trigger instability in [18], and the gains of voltage control devices altered to initiate transient instability in [19]. In [20], a malicious attack is implemented through emulated inertia control to cause instability of system frequency.
At present, investigation into the impact of FDI is mainly based on the single-snapshot FDI model and/or the steady-state power system model, while the research considering the transient process of a power system is not thorough and comprehensive. To avoid being detected or reduce energy consumption during the attack process, smart attackers may change the injected data at every attack time instant. The use of the steady-state power system model is also not adequate to analyze the risk of FDI, as real power systems are networked control systems. Even though system state estimation and economic dispatch are resilient to FDI, attackers can still disrupt power system secure operation by attacking the automatic generation control system. Accordingly, considering FDI's dynamic characteristic and power system transient characteristic is of paramount importance to fully reveal the risk of FDI and then design effective countermeasures.
To unveil the risk of FDI in a comprehensive fashion, this paper reviews the research on FDI attacks on economic dispatch, state estimation, and power system dynamic stability, as shown in Fig. 1.

Overloads caused by FDI attack
In a real power system, generators are dispatched every 5-15 min to minimize the operational cost. The load data adopted for security-constrained economic dispatch (SCED) is from the short-term load forecast, which uses historical and/or real-time load measuring values as input. False data which can pass the bad data detection (BDD) can be deliberately injected to alter the load information for the SCED and to modify the enforcement of branch flow limits, as shown in Fig. 2.
Let ΔD denote the injected data. The limits for line flows imposed by the SCED can be represented by [4,5]: where P FDI is the branch flow vector and D is the actual bus load vector. K P and K D are the bus-generator and bus-load incidence matrices, respectively. S F is the generation shift factor matrix and r is the normal capacity rating of the lines.
In addition, the true load used in the SCED is denoted by D and the true branch flow is given as: Combining (1) and (3) shows that the true branch flow P satisfies the constraint as: Equation (4) reveals that the true line flow is greater than its limits, i.e., |P| ≥ r. In real-time operation, if a generator follows the dispatch commands generated by the SCED under a FDI attack, severe transmission overloads may be induced, causing triggering actions of protection devices.
To launch a practical FDI attack, the injected data ΔD needs to satisfy the following constraints [6,7]: Equation (5) means that the sum of load changes is zero to guarantee power balance, while (6) constrains the magnitude of the FDI attack at a load bus. Such constraints for a FDI attack are commonly employed in the existing literature.
Fig. 1 Cyber-attacks on a power system
Fig. 2 Illustration of FDI attacks on economic dispatch
The above FDI attack model reveals the potential risks for safe power system operation, as blackouts in a power grid are usually caused by overloads and outages [21,22]. As described in [23], three successive transmission line and transformer tripping were the main causes of the 2003 Northeast Blackout and the 2011 Southwest Blackout, respectively. Once an ensemble of critical lines known as initial contingency (IC) is identified [24,25], attackers can deliberately induce this initial contingency by using an FDI attack. Given the capability of the IC, sequential outages and even cascade failures can be initiated, as illustrated in Fig. 3.

Increase of operational cost caused by FDI attack
Attackers can increase the operational cost of a power system by interrupting the SCED and changing the transmitted load data. The attack vector can be optimized by maximizing the operational cost, which is formulated as a bi-level linear programming problem as: Subject to 1 where c g and c d are the generation cost and load shedding cost vector, respectively. F is the calculated line flow vector containing false data, f max is the branch flow limit vector, and J is the load shedding vector. P is the generator output power vector, and P min and P max are the lower and upper bounds for the generator output, respectively. The upper level (7)-(8) shows that the false data ΔD is obtained by maximizing the load shedding after SCED. In the lower level (9)-(14), the operational cost is minimized with the corrupted load data D + ΔD by considering the generator output power limits (12), transmission line flow limits (13), and load shedding limits (14).
Karush-Kuhn-Tucker (KKT) and dual based methods are widely used to solve the abovementioned bi-level optimization problem [4,26]. The KKT-based approach requires the introduction of additional binary variables to form the so-called big-M constraints, reducing the computing efficiency of the algorithm. As regards the duality-based method, the bilinear terms of dual variables and the corresponding primal variables are involved, and thus the optimization problem is not easy to solve.
An alternative for attackers to construct the attack vector by using a fast approach is presented in [5]. In order to increase the operational cost, the loading levels of the branches in set Ω are maximized through false data injection. The resultant optimization problem to determine the false data ΔD is described by: where l denotes the transmission line and S l is the l-th row of S F . The objective function is to maximize the loading levels of the transmission lines in set Ω. δ l = 1 if the flow of line l is positive, and δ l = −1 otherwise. The term −S l K D ΔD denotes the incremental power flow through line l caused by the injected false data ΔD.
The false data ΔD can be obtained by solving (15), based on which the optimizing operational cost problem (9) with constraints (10)-(14) can be easily solved. Since the attack vector is determined by solving the linear programming problem (15), the run time is significantly reduced compared to the KKT-based approaches.

Attacks on power system state estimation
For a modern power system, many smart devices are deployed to acquire the real-time data related to its operation. By exploiting these measuring data, the operators can monitor the system operation status and take effective measures to mitigate potential risks. However, the measurements need to be transmitted to the control center over communication links, and, therefore, power systems face potential cyber-attacks because of the vulnerability of communication technologies. For example, a malicious agent may inject false data to induce the operators to make the wrong decision on the system status.
Fig. 3 Illustration of cascading failures caused by FDI [3]

FDI attack with complete network information
Measurements are used to estimate the system state and because of the existence of measurement errors, operators predefine a threshold to detect bad data. If the threshold is exceeded, the measurements are considered to be bad data. Hence, if attackers want to launch a successful attack by FDI, the injected false data has to pass the bad data detection. Power system state estimation can be expressed as [11]: where x is the state vector and x̂ is the estimated state vector. z is the measurement state, H the Jacobian matrix of the power system, and ‖⋅‖ 2 the Euclidean norm.
To detect the bad data, the residue r is defined as: The term on the right-hand side of (18) indicates the difference between the measured and actual values. This difference is caused by measurement errors and disruptions. A threshold for r is pre-determined by the operator, and data is considered to be bad if the threshold is exceeded.
For illustration purposes, a power grid is divided into regions A and N with a set of tie lines between them, while the measurements in region A are assumed to have been attacked by a malicious entity. The measurement vector z is decomposed into z 1 and z 2 , where z 1 contains all the measurements in the targeted region A without the power flow measurements on the tie lines and z 2 collects the rest of the measurements in region A. Similarly, the state vector x is divided into x 1 and x 2 , where x 1 collects all the buses in the targeted region A without the boundary buses and x 2 contains the rest of the buses.
To attack the measurements in region A, attackers need to design an attack vector to pass the bad data detection in state estimation. This means that the false data injected by the attackers should prevent the residual of the state estimation from exceeding its threshold.
In the absence of the injected false data, the measurement errors contribute to the residual. If the measurements are noise-free, the residual is equal or close to zero. In reality, measurement inaccuracy causes inconsistent measurements, leading to an increase of the residual. Less consistency of measurement implies a higher residual. Smart attackers may construct false data that are consistent with the physical property of the power system. Therefore, the false data z′ 1 designed by the attackers is likely to follow Kirchhoff's Current Law (KCL) and Kirchhoff's Voltage Law (KVL), given by: The measurements in the attack-free region are unchanged.
The attacking mechanisms of FDI on power system state estimation have been elucidated in [8][9][10][12][13][14][15]. When the false data is not injected, the state estimation equation is given by: where e 1 and e 2 are the measurement errors of z 1 and z 2 , respectively. It can be seen that z 2 is only a function of x 2 . In the case of DC state estimation, H 11 , H 12 , and H 22 are constant, while they are functions of the state vector in AC state estimation.
When the false data is injected, measurement z 1 is replaced by the attack vector z′ 1 , and the corresponding measurement vector is denoted as z Then the residual is represented by: To obtain a feasible estimate of the state vector $\hat{x}' = [x_1 \; x_2]^T$, the following constraint needs to be satisfied: Equation (22) reflects the decrease of the overall residual as the false data is injected. This can be explained by the fact that the false data injected in the attack region obey KCL and KVL, and hence have better consistency than the original measurements. It should be clarified that the decreased residual under FDI attack does not necessarily imply that the false data is close to the true value [11]. In fact, attackers can simultaneously induce severe disruptions while maintaining a small residual by FDI.
To construct the attack vector in (19), the line flows in the attack region are computed by: where V i is the voltage magnitude at bus i. b ij and g ij are the susceptance and conductance of line i-j, respectively. p ij and q ij are the active and reactive power flows of line i-j.
Since KCL is applicable in (19) for the non-boundary buses in the attack region, the algebraic sum of the flows of the lines connected to a bus equals the power injected at this bus. For the boundary buses in the attack region, parts of the lines linked to this bus belong to the nonattack region (see Fig. 4). Hence, the resulting power balance equations are expressed as: where p i and q i are the active and reactive power injected into bus i. p ij and q ij are the active and reactive power flows of line i-j out from the attack region. From (27) and (28), we see that the measurements in the non-attack region are not attacked. Thus, p ij and q ij in (25) and (26) are of the given values, which will change the Jacobian matrix of the power injected into the boundary buses.
Note that (17) results in the state variables on one snapshot. To account for the dynamic behavior of FDI, (17) can be easily reformulated as a summation of z − Hx over T snapshots, and the resulting optimization problem can be solved in a similar way. The details can be found in [27].
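The residual test described above can be exercised on a small linear (DC) model to see what it does and does not catch. The following is an added example, not code from the paper or from the cited works; the 3-bus network, the noise values, the threshold and the offset c are all constructed, and it covers only the DC case with an identity weighting.

```python
"""Residual-based bad data detection (BDD) on a constructed 3-bus DC model."""
import math

# Constructed network: bus 1 is the angle reference, state x = [theta2, theta3] (rad).
# All three lines have susceptance 10 p.u. Measurement rows: P12, P13, P23, P2, P3.
H = [
    [-10.0, 0.0],    # P12 = 10 * (0 - theta2)
    [0.0, -10.0],    # P13 = 10 * (0 - theta3)
    [10.0, -10.0],   # P23 = 10 * (theta2 - theta3)
    [20.0, -10.0],   # P2  = P21 + P23
    [-10.0, 20.0],   # P3  = P31 + P32
]
X_TRUE = [-0.02, -0.05]                        # constructed operating point
NOISE = [0.004, -0.003, 0.002, -0.005, 0.003]  # constructed meter errors (p.u.)
THRESHOLD = 0.05                               # assumed operator threshold on ||r||_2
SHIFT = [0.05, -0.03]                          # constructed state offset c


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    aug = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("singular gain matrix: system is unobservable")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, n):
            f = aug[r][col] / aug[col][col]
            for c in range(col, n + 1):
                aug[r][c] -= f * aug[col][c]
    x = [0.0] * n
    for i in reversed(range(n)):
        s = sum(aug[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (aug[i][n] - s) / aug[i][i]
    return x


def estimate(z):
    """Least-squares estimate: minimise ||z - H x||_2 via the normal equations."""
    ht = list(zip(*H))
    gain = [[sum(a * b for a, b in zip(ci, cj)) for cj in ht] for ci in ht]
    rhs = [sum(a * b for a, b in zip(ci, z)) for ci in ht]
    return solve(gain, rhs)


def evaluate(z):
    """Run the estimator and the residual test on one measurement snapshot."""
    x_hat = estimate(z)
    r = math.sqrt(sum((zi - hi) ** 2 for zi, hi in zip(z, matvec(H, x_hat))))
    return {"x_hat": x_hat, "residual": r, "flagged": r > THRESHOLD}


def scenarios():
    clean = [h + e for h, e in zip(matvec(H, X_TRUE), NOISE)]
    gross = clean[:]
    gross[0] += 0.5                     # one meter reports a gross error
    # Data that stays consistent with the network equations: z + H c.
    consistent = [z + d for z, d in zip(clean, matvec(H, SHIFT))]
    return {
        "clean": evaluate(clean),
        "gross": evaluate(gross),
        "consistent": evaluate(consistent),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The isolated gross error is flagged, while the physically consistent data leaves the residual unchanged and moves the estimate by exactly c, which is why a small residual alone cannot be read as evidence that the estimate is correct.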

FDI attack with incomplete network information
Equation (19) indicates that the constructed attack vector z′ 1 depends on the estimates of voltage magnitudes and phase angles of the boundary buses in the attack region. It also requires the attackers to have the topology information of the whole power network as well as line parameters [8][9][10][12][13][14][15]. However, network information of a power grid is confidential and the attackers are likely to have difficulty in obtaining this. In addition, there exist thousands of buses and lines in a modern power system. This means that the attackers need to deal with extensive information concerning network topology. Therefore, the assumption that attackers are able to acquire the estimated values from state estimation is impractical.
To construct a practical attack model against state estimation, the above conditions are relaxed in [11], in which the false data injection model requires only the network information of the attack region (see Fig. 5) rather than that of the whole power network. In addition, the attack vector in [11] does not directly rely on the estimates of phase angles but rather the angle differences of the lines. The FDI attack model used in [11] is reformulated by the following steps:
1) Substitute the measured voltages for the estimates of voltage magnitudes at the boundary buses in the attack region;
2) Replace the estimates of voltage magnitudes and phase angles with the corresponding measurements to determine the flows on the tie lines.
Fig. 4 A boundary bus in the attacking region
Fig. 5 A power system decomposed into attack and attack-free regions
By doing the above, the estimated state of the system is no longer required in the design of the attack vector.
The phase angles at the boundary buses in the attack region play an essential role in the implementation of the mentioned attack model. Even though the measurements of phase angles can be accessed by PMU, this would require the deployment of sufficient PMUs to provide this information, and such solutions can be hard to scale up. To successfully launch an FDI attack on a power system without sufficient PMU data, it is desirable for attackers to construct a more practical attack model without requiring the measured values of the phase angles. From the perspective of the defender, it is also of paramount importance to explore the possibility of attacking state estimation using such an attack model.
According to (23) and (24), line flow in a power system is computed using the angle difference of the line. If the angle differences between lines are known, the line flows can be determined. This means that the actual phase angles at the boundary buses are not required to determine the line flows, and the angle differences of the line can be used to compute the attack vector in (19) even in the absence of actual bus phase angles. The following investigates how to employ line angle differences instead of bus phase angles to design the attack vector.
Equation (19) implies that phase angles at the boundary buses are fixed to the estimates of the state estimator. Accordingly, the angle differences between buses are also fixed. Considering the actually estimated phase angle at bus i to be θ i , the following expression holds: Equation (29) shows that when the phase angles of two boundary buses are changed by α, the corresponding angle difference is unchanged. Thus, the phase angles used for the calculation of the attack vector can be obtained by the following steps [11]:
Step 1. Select an arbitrary value for a boundary bus;
Step 2. Choose the phase angles for the remaining boundary buses based on the angle differences.
Due to the random value for the boundary bus, the phase angles obtained by the steps above do not represent the actual ones. However, the angle differences are the same as the actual ones, and thus the line flows are unchanged. Therefore, there is no need for attackers to acquire the actual values of the estimated phase angles to construct the attack vector, and the only information needed is the differences of the estimated phase angles.
Assuming there is a path k that links two neighboring buses, as shown in Fig. 6, it can be proved that the following equation holds for a specified direction: From (30), for the path {l ∈ S k } connecting bus b and d, the angle difference between the two buses can be computed by summing the angle differences of lines in this path. This means that attackers do not need to acquire the actual values of estimated phase angles at the boundary buses. To compute the angle difference without knowledge of the actual phase angles, the following approximations are considered: Substituting (31) into (27) yields Thus, the angle difference can be computed as: Equation (33) shows that the line power measurement can be employed to compute the angle difference, while the error of the angle difference is partly caused by the use of the approximations in (31). Therefore, the accuracy of the angle difference obtained by (33) depends on the conditions under which (31) holds. It is known that the difference reduces with the increase of the X/R ratio of a line. Thus, to reduce the error induced by (31), an optimal path k in the attack region is identified by maximizing the average X/R ratio of ρ k as [11]:
Fig. 6 A path connecting two neighboring buses
As shown in (22), to avoid being detected by the bad data detection, the overall residual with the injected false data should be smaller than the predefined threshold. Therefore, the false data following KCL and KVL is injected in the attack region, while the line flows are computed by (23) and (24). The injected power at the non-boundary bus is the sum of the flows over the lines connected to this bus, whereas the injected power at the boundary buses is obtained by (25) and (26). The presented algorithm to construct the attack vector can be summarized as follows.
Step 1. Set initial values to the state vector as
Step 2. Obtain the attack vector [p q P Q] T using the current state vector x = [θ V] T ;
Step 3. Evaluate whether the injected power at a bus and the active/reactive line flows are confined within lower and upper bounds, as: This can reduce the chance of being detected as the operator can access the information of the flow distribution. If the conditions hold, it terminates; otherwise, it goes to the next step.
Step 4. Compute the incremental Δx = [Δθ ΔV] T by optimizing the objective function as: min Δθ ΔV where the slack variable S t is non-negative, and H 1 = ∂p/∂θ, H 2 = ∂p/∂V, H 3 = ∂q/∂θ, H 4 = ∂q/∂V, H 5 = ∂P/∂θ, H 6 = ∂P/∂V, H 7 = ∂Q/∂θ, H 8 = ∂Q/∂V. The expressions of H 1 -H 4 are provided in [28], while the expressions of H 5 -H 8 need to be determined. G represents the transition matrix which transforms the phase angle vector into the phase angle difference vector. For the boundary buses in the attack region, using (26) leads to: For the non-boundary buses in the attack region, the non-zero entries can be determined using a similar way to that shown in [28].
Step 5. Update the state vector as: and then go back to Step 2.
By using Step 1-5, attackers can attain an attack vector against power system state estimation. This method can avoid bad data detection while requiring no information on the network topology of the whole system and phase angles at buses.

Attacks on power control system
The power control system plays a vital role in maintaining power supply in response to customer demand. An imbalance between supply and demand can cause system frequency instability, threatening the operational security of the power system. A central control scheme is commonly employed in traditional power systems, and the scheme features a single control center which collects information from and sends control commands to all agents. However, such a central control architecture no longer meets the need of current power systems. For example, geographically dispersed distributed generators are increasingly integrated into the power grid. These are not suitable for coordination by central control because of the requirement of plug and play operation [29,30]. Central control is also not applicable to microgrid operation, where distributed generators are required to supply power in island mode [31]. Because of its reliability, scalability, and flexibility, distributed control is preferred over central control [32][33][34]. However, in distributed control, local controllers have access to local information and neighbor information, and hence are vulnerable to cyber-attack. A malicious entity can disrupt data exchange among neighboring local controllers by launching FDI attacks [16][17][18][19][20].

FDI attack on distributed generator
Considering a converter-based distributed generator i, P i and P i,max are the active power output and the maximal power, respectively. Using the d-q transformation, the d- and q-axis voltages can be computed by U di = U i and U qi = 0. Assuming the d- and q-axis currents are I di and I qi , respectively, the active power output can be obtained by: If the power converter is controlled by a grid-feeding scheme [31], I di should converge to its reference value I di_ref in a sampling period of T. In the k th iteration, I di_ref can be determined by where the design parameter α i denotes the utilization ratio defined by P i / P i,max . When I di converges to I di_ref in the k th iteration, P i (k) = P i,max α i (k).
According to (41), the active power output of distributed generator i can be regulated by altering the utilization ratio α i . Since the rated power of converter-based distributed generators is relatively small, multiple distributed generators are used in a distribution network for increased capacity. Such a system can be considered as a virtual power plant (VPP), as shown in Fig. 7, where P tran accounts for the total active power transmitted to the transmission network.
To track the dispatch command P ref , the group of distributed generators in a VPP are coordinated using a leader-follower algorithm [16]: where A = [a ij ] is a weighted matrix with a ij > 0 and $a_{ii} = 1 - \sum_{j=0,\, j \neq i}^{n-1} a_{ij}$. K is the controller gain and O is the zero matrix. P load and P loss represent the aggregated load power consumption and power loss in the VPP, respectively. By selecting proper A and K, the convergence of (4) can be proved [16]. When convergence is achieved, utilization ratios of all distributed generators reach an agreement and P tran is steered to its reference value P ref .
Equation (42) shows that the communication network among distributed generators plays a key role in the regulation of the active power output of the VPP. If the local controller of a certain distributed generator is attacked by FDI attacks, its utilization ratio will be prevented from converging to the consensus value, resulting in failed tracking of P tran to P ref [35,36].
Attackers can attack the controller of a distributed generator by injecting false data into the actuator and making it send the same control command to its geographical neighbors. Assuming that r distributed generators are subjected to FDI attacks and considering where I r × r is the identity matrix. [A 0 A M A W ] is equal to the n-r rows of A + BK. P M,max = [P 1,max , ..., P r,max ] T , and P W,max = [P (r + 1),max , ..., P n,max ] T . Note that the first term on the right-hand side of (43) can be represented by the sum of the matrix Ã and its perturbation matrix $\Delta = -\begin{pmatrix} P_{0,\max} & P_{M,\max} & P_{W,\max} \\ 0_{n \times 1} & 0_{n \times r} & 0_{n \times (n-r)} \end{pmatrix}$. Hence perturbation theory can be employed to analyze system stability [37].
It is observed that Ã is a lower block-triangular matrix with the eigenvalues λ i = 1 for i = 1,..., r + 1, and the eigenvalues λ j for j = r + 2,..., n-r. Since the blocks A 0 , A M , and A W are the same as the original system in (42), λ j locates in the open unit disk. Assuming v r and u r are the respective left and right eigenvectors of Ã with v r u r = 1, when K is sufficiently small, the perturbation on λ i = 1 can be characterized by [16]: , and P max = [P 0,max , ..., P n,max ] T .
Fig. 7 Illustrative diagram of distributed control of distributed generators
V T ΔU has a negative eigenvalue and an eigenvalue 0 with algebraic multiplicity r. Accordingly, Ã + Δ has an eigenvalue 1 with algebraic multiplicity r if K is sufficiently small. The rest of the eigenvalues lie in the open unit disk. This indicates that Ã + Δ is stable. It is straightforward to verify that the system is stable at the steady state $\{\alpha_0^{*},\ \alpha_M^{*T},\ \alpha_W^{*T}\}^{T}$ with: The analytical results show that the well-behaving distributed generators converge to the space spanned by $\alpha_0^{*}$ and α M . Thus, when false data is injected by attackers, utilization ratios of distributed generators fail to agree, preventing the active power output of a VPP from tracking the dispatch command. In addition, according to [16], the adjustable range of P tran can be narrowed by FDI attacks in a large group of distributed generators. This degrades the controllability of the VPP.

FDI attack on microgrid
In a typical microgrid, a power inverter includes a DC power source, inverter bridge, power sharing unit, output filter, and voltage and current control loops.The output power dynamics of inverter i are: where v odi and v oqi are the d-and q-axis components of the output voltage.i odi and i oqi are the d-and q-axis components of the output current.P i and Q i are the active and reactive output power.ω ci is the cut-off frequency of the output filter.The large-signal dynamic of the inverter is given by [38]. where The detailed model of the inverter can be found in [38].
The power sharing function is realized by droop control expressed as [39][40][41][42][43]: where v mag,i and ω i are the reference voltage and frequency, respectively.m pi and n qi are the respective droop coefficients, and ω ni and V ni are the set points.
Droop control makes voltage and frequency deviate from their set points.The cooperative control structure is used to alter ω ni and V ni in (48) to steer voltage and frequency to their reference values.Each converter can exchange information with its neighbors.Differentiating (48) yields: The auxiliary control input is defined as: and the cooperative control law is given by [44][45][46][47][48][49][50]: where N i contains the inverters that neighboring inverter i, and g i represents the non-zero gain for inverter i.
The auxiliary input u i is: where c ω is a coupling gain, and the set point in (49) satisfies: From ( 50)-( 53), the auxiliary input u i uses the neighbor's frequency to mitigate system frequency deviation.The information exchange among neighboring inverters is vulnerable to malicious attacks, which can make the frequency deviation fail to go back to zero.Since the traditional bad data detection evaluates the validity of the received data in a centralized way, it is not applicable to distributed control of microgrids.
Two types of attacks, namely controller attacks and communication channel attacks, are considered as shown in Fig. 8 [51].Attacks on controllers inject false data into actuators/sensors to attack the local controller, and FDI attacks on actuators can be modeled as [52,53]: where u a i is the false data injected into actuator i. u c i is the corrupted control input and u i is the original auxiliary input.μ i is the attack signal, and when attack occurs, μ i = 1, otherwise, μ i = 0. Note that the attack signal can be either non-constant or constant.A nonconstant attack signal that is viewed as noise can be handled by noise filtration techniques, while the attack signal is considered to be constant here [54].
If the whole controller is hijacked, the frequency corruption of inverter i can be expressed as where ω a i is the false frequency data injected into controller i. ω c i is the corrupted inverter frequency and ω i is the reference frequency in (48).η i = 1 represents the presence of attack.
If the communication channel between two neighboring inverters is attacked by FDI, the local controller receives the corrupted frequency signal [7,11,[55][56][57].FDI attack on the communication channel can be modeled by: where ω a i is the false data injected into controller i, and ω j i is the corrupted inverter frequency transmitted to inverter j. η i = 1 implies the presence of attack.
The next step is to reveal the vulnerability of the cooperative control of a microgrid under FDI attack. Considering the cooperative control protocol (51) is under attack, the synchronization error will not return to zero for an intact inverter if it is reachable from a corrupted inverter [17]. For example, considering ω T are the respective attack vectors injected to sensors and actuators, the global synchronization error dynamic is obtained by applying the control strategy (50) and (52) as well as FDI attacks (54)-(56), as: where $L$ is the Laplacian matrix defined as $L = D - A$, while more properties of $L$ can be found in [58][59][60]. $D = \mathrm{diag}\{N_i\}$ with $N_i$ being the set of inverters that send data to inverter $i$ (the neighbors of inverter $i$). $A = [a_{ij}]$ with $a_{ij}$ being the weights of communication links between inverter $i$ and $j$.
, and $\mu = \mathrm{diag}(\mu_i)$, the solution to (57) is: Given that $(L + G)$ is a positive definite matrix, the first term in (58) approaches zero for $c_\omega > 0$. Using $e^{At} = \sum_{m=1}^{\infty} (At)^m$ yields: If $m$ is the first integer such that $l_{ij}^m = ((L + G)^m)_{ij}$ is not zero, node $i$ is reachable from node $j$, and $m$ is the length of the shortest directed path from $j$ to $i$. Consequently, there exists $l_{ij}^m \neq 0$ for $0 < m < N - 1$ if inverter $i$ is reachable from the compromised inverter $j$.
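The reachability argument above can be used to assess which inverters are exposed when one controller is compromised. The following is an added example, not code from the paper: the four-inverter topology, the gains, the attack magnitude and the error-dynamics form $\dot e = -c_\omega (L+G)e + \mu u^a$ are assumptions made for illustration.

```python
# Added example: topology and constants are constructed, not taken from the paper.
C_W = 2.0                       # coupling gain c_w (assumed value)
# A[i][j] = 1 if inverter i receives the frequency of inverter j
A = [[0, 0, 0, 0],
     [1, 0, 0, 0],
     [0, 1, 0, 0],
     [1, 0, 0, 0]]
G = [1.0, 0.0, 0.0, 0.0]        # pinning gains g_i: only inverter 0 sees the reference

def l_plus_g(A, G):
    """Return L + G with L = D - A and D the in-degree matrix."""
    n = len(A)
    return [[(sum(A[i]) + G[i] if i == j else 0.0) - A[i][j] for j in range(n)]
            for i in range(n)]

def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def shortest_path_len(M, i, j):
    """First m in 1..N-1 with ((L+G)^m)_ij != 0, or None if i is unreachable from j."""
    P = M
    for m in range(1, len(M)):
        if abs(P[i][j]) > 1e-12:
            return m
        P = matmul(P, M)
    return None

def affected_by(M, j):
    """Inverters whose synchronization error a compromise of inverter j can bias."""
    return {j} | {i for i in range(len(M)) if i != j and shortest_path_len(M, i, j)}

def simulate(M, attacked, u_a, e0, t_end=20.0, dt=0.01):
    """Forward-Euler run of e' = -c_w (L+G) e + mu*u_a (assumed error dynamics)."""
    e = list(e0)
    for _ in range(int(t_end / dt)):
        Me = [sum(M[i][k] * e[k] for k in range(len(e))) for i in range(len(e))]
        e = [e[i] + dt * (-C_W * Me[i] + (u_a if i == attacked else 0.0))
             for i in range(len(e))]
    return e

M = l_plus_g(A, G)
if __name__ == "__main__":
    print("affected by inverter 1:", sorted(affected_by(M, 1)))
    final = simulate(M, 1, 0.5, [0.3, -0.2, 0.1, -0.1])
    print("final errors:", [round(x, 4) for x in final])
```

With a constant actuator attack on inverter 1, the error settles at $u^a / c_\omega$ on inverter 1 and on inverter 2, which is reachable from it, while inverters 0 and 3 return to zero.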

Results and discussion
In current research on the impacts of FDI on power systems, the adopted FDI model is often static on a single snapshot, ignoring the complexity of the attack behavior. The risk of FDI cannot be fully revealed as attackers are capable of constructing a subtly dynamic attack to avoid detection. Future effort should be dedicated to a more detailed FDI model to account for the dynamic behavior of attacks.
Although there is a lot of literature on the influence of FDI on power system state estimation, studies on its influence on power system dynamic state estimation are limited. Power system dynamic state estimates can be used as controller inputs (e.g. wide-area damping controllers) to improve control performance, while attackers can decrease control performance by attacking the dynamic state estimation. To promote proper countermeasures, it is necessary to investigate the impacts of FDI on power system dynamic state estimation.
Most research on FDI impact on power system stability focuses on breaking the frequency stability by causing an imbalance between supply and demand. Future research needs to be conducted to study the interaction between FDI and small signal/transient stability. In the modern-day power grid, the wide area measurement system is greatly exploited for detection of power system anomalies. The data from the phasor measurement units (PMUs) is communicated to the control center to monitor and damp inter-area oscillations [61]. The communication between the PMU and the control center can be corrupted by FDI attacks. This can degrade the damping of inter-area oscillations and induce small-signal instability.

Conclusion
With the rapid development of the smart grid, and wide employment of information and communication technology in the traditional power grid and microgrid, the power industry is facing cyber threats. This paper has conducted a comprehensive investigation into the potential risks of false data injection attacks on power systems. State-of-the-art models and methods are reviewed to explain how attackers might attack the system by injecting false data. First, an attack vector can be constructed by solving a linear programming problem, and false data is injected to significantly increase the operational cost of the power system. Economic dispatch can also be adversely affected by designing optimal FDI attacks and triggering an initial contingency that consequently initiates sequential outages. Second, an undetectable FDI attack can be constructed to disrupt power system state estimation. Such an attack can be launched using the full/local network information. Third, frequency instability can be caused by injecting false data that prevents the active power output of a power inverter from tracking its dispatch command. Attackers can also compromise the cooperative control of a microgrid by attacking the controllers. Finally, an assessment of research results is provided, and the findings can help to fully reveal the potential risks of FDI and promote comprehensive protection measures.

Methods section
The aim of this paper is to investigate the mechanism of how FDI affects power systems. This is achieved from the perspectives of economic dispatch, power system state estimation, and distributed control of distributed generators/microgrids. The mathematical models for economic dispatch and power system state estimation are presented. The design of a successful FDI attack is then formulated as an optimization problem, which can be solved in the MATLAB environment. For the cooperative control of distributed generators/microgrids, a rigorous mathematical proof method is used to construct the FDI attacks.

Fig. 8 Illustrative diagram of consensus-based control of inverter i under FDI attacks

Xu
Protection and Control of Modern Power Systems (2020) 5:19