INTRODUCTION

In the face of escalating cyber threats, critical infrastructure sectors, such as power generation systems, remain highly susceptible to sophisticated cyber-physical attacks. The ever-increasing integration of digital technologies in these systems has led to heightened concerns regarding their resilience and ability to withstand potential disruptions.

The studies related to cyber attacks (CA) in power grid network, have been investigated broadly in three main aspects; characteristics and features of different types of CA, their detection and classification and their impact on the system operation. The authors [1] survey underscores the pressing need for robust cybersecurity in smart grids, serving as a pivotal resource for guiding research and safeguarding critical infrastructure.

The research [2, 3] constructed valid false data injection (FDI) attack with topology being falsified using an AC power flow model. The study [4] has attempted to model stealthy FDI (SFDI) type attack and assess its impact on power grid. The authors have mathematically verified the impact of SFDI using matrix analysis and graph theory on power flow changes assuming attack being on highly vulnerable power transmission lines. The attack model is developed by introducing attack vector in the state estimate of phase angle difference between power transmission lines. In ref. [5], authors have modelled the attack, considering compromised state of phasor data concentrators (PDCs) in order to achieve falsified measurement. In this study, a semi-Markov process incorporating diverse probability distributions of sojourn times was utilized to calculate the likelihood of compromise. Upon the compromise of the PDCs, an attack is initiated in two stages: first, disabling the Remedial Action Schemes (RAS), followed by the launch of stealthy coordinated attacks. The attack model proposed in ref. [6] only needs line parameters and measurement data from some areas and terminal power data of the line, with intruder can only attack the injected power and branch power flow, but not the power plant and zero injected node. The study in ref. [4] attempted to model SFDI type attack and assess its impact on power grid. The authors have mathematically verified the impact of SFDI using matrix analysis and graph theory on power flow changes assuming attack being on highly vulnerable power transmission lines. On other hand, ref. [7] focused on stochastic Petri nets, potentially excluding other modelling approaches, limiting the comprehensiveness of security assessment methodologies.

In recent years, vulnerabilities and impact of CA on power systems have drawn much attention among researchers. Modeling the impact of FDI attacks on state estimation, protection-based defensive and detection-based defensive strategies is proposed in ref. [8]. In study [9], the temporal occurrence pattern of CA is statistically analysed using the human dynamics theory. Also, static and Markov game techniques have been applied to model the attack/defence interactions of intelligent attackers and defenders. This is based on consideration that precise prediction of future attacks cannot be an easy task.

In recent years, sliding mode control (SMC) has been demonstrated effectively as robust control technique in wide range of applications. The study [10] proposed a dynamic output feedback SMC, integrating event-triggering mechanisms and designed statistical information for denial of service attacks such that the effect of CA on the system performance can be effectively attenuated. Among the emerging attack methodologies, the real-time sliding mode attack construction scheme has emerged as a particularly concerning threat, capable of targeting key components within power generation systems with precision and efficiency. The use of property about switched dynamic system referred to as sliding mode has been applied to construct the attack model [11]. In order to apply this attack, the intruder needs to have information about dynamic states, unlike model parameters; admittances of line in above discussed literature. With the information available about states like rotor angle and angular frequency of the target generator, it is possible to achieve successful attack.

As intruder may apply a new paradigm for gaining successful attacks, though still using partial information about the grid network. The challenge remains to specifically identify situations under which attack can lead to the most severe consequences. The study [5] is limited to analysis on FDI type attack against RAS, assuming that coordinated attack have already disconnected lines and falsified measurements at remote terminal units (RTUs). Further modelling of coordinated attack assumes having complete or partial information about Jacobian matrix, non-attackable zero injection buses, non-attackable generator measurements and availability of historical data. The researcher in ref. [12] explored the psychology and tactics of insider attackers in cyber-physical systems. They provided insights into detecting and preventing insider threats, enhancing system security, but the paper focuses primarily on insider threats, potentially overlooking external threats, limiting the scope of cybersecurity strategies in discussion.

The scenarios considered in ref. [13] indicate that attackers cannot always generate valid attack vectors into estimates of state variables, leading to successful attack detection in the power system. If the intruder successfully gains the access to cyber layer, it is possible to execute actions such as opening of circuit breakers (CBs) or even changing the control settings in the control loop. False tripping of CBs, due to relay malfunctioning, may result in cascaded failures. Multiple and coordinated CA may lead to cascaded events and finally to blackout situations.

The attack impact in terms of intensification in line power flows, overheating, increase in operation costs, resulting load curtailment as remedial schemes have been addressed in some of above literatures, however, an analysis in terms of power system instability has not been much focused. The power system frequency responses experienced under CA may be spatially distributed. The study [14] suggested that the rate of change of frequency (RoCoF) is usually higher for locations where networks are weakly interconnected. Considering the intervals between the two attacks and recovery time, CA can be as individual or consecutive attacks [9]. These authors have quantified the impact of substation cyber vulnerabilities.

An intruder is known getting access to cyber layer to introduce different forms of attack types. The above reported studies show some inconsistencies in a way intruder can launch attack on the power components, on getting access to cyber layer. These methods rely primarily on launching attack via signal injections. As such, they do not stimulate full propagation of attack events, that is, do not perform sets of events according to physics of grid dynamics. This is still an active field of research. The mechanisms that can evolve to propagate the attack on power components; CB, excitation system (ES) and governor system (GS) associated with the generator have not yet been addressed. It is necessary to construct more practical approach, that an intruder can apply attack against which, mitigation strategy must be careful known. The sliding surface design by the intruder to impose switching attack (SA) on the power components has the potential to cause generator instability spread within the power grid. By exploiting this strategy, adversaries can orchestrate simultaneous attacks on multiple critical components, potentially causing cascading failures that disrupt the entire grid. Understanding the intricacies and dynamics of such attacks is vital for devising effective defence mechanisms that can safeguard power generation systems from debilitating consequences.

The simulation of CPS necessitates a comprehensive mathematical modelling. Existing programming platforms/tools do not fully support the comprehensive modelling of cyber-physical layers; sensors, power components, communication networks etc. There is a need for high fidelity verification and validation studies, taking into account impact of CA on power components and communication delays, including delay introduced cyberattack.

From the above literature survey, two major research gaps have been identified.

• (i)

  Real-time implementation of sliding surface-based attack model in CPS environment that can be applied to different power components.

• (ii)

  Vulnerability analysis of power components due to SA.

This paper aims to shed light on the resilience assessment of power generation systems against real-time sliding mode attack, that is, SA construction. The study delves into the potential vulnerabilities of critical power components/locations within the power grid, specifically focusing on the CB, ES and GS of the generator. In order to apply this attack, the intruder needs to have information about dynamic states, unlike model parameters; admittances of lines in above discussed literatures. With the information available about states like rotor angle and angular frequency of the target generator, it is possible to achieve successful attack. Through comprehensive combination of power components considered under SA, their implications on the stability are investigated.

The main objectives of the study are to (i) design sliding surface according to state variables to launch SA on power components; line CB, ES and GS associated with the generator, (ii) identify most relevant power components which on being subjected to SA, will lead to generator instability, that is, most vulnerable to power grid in terms of security, (iii) progression of multiple attack events with combinations of sets of power components and subsequent generator responses. The first objective is achieved by performing real-time simulation of power grid in real-time digital simulator (RTDS), with SA algorithm launched from MATLAB software via actual communication network. The second and third objectives are met by performing study with combination of different power components; CBs, GS and ES at different locations for changes in system inertia, attack time-instant and line CBs. A coordinated kind of attack according to generator state variables is launched on power components that can seriously impact the generator dynamics.

The main contributions in this paper can be summarised as follows:

• Aiming at the risk involved towards power system stability after successful first-instant of cyberattack, successive instants of attacks are designed on combination of different power components; CBs, GS and ES. With attacks on these power components, different operating scenarios; changes in load conditions, system inertia, attack time-instant and line CBs at different locations are included to quantify stability indices.

• Provide sets of power component combinations that will cause cascaded rotor dynamics on account of successive SA. This is supplemented by analysis on RoCoF variation to understand better the mechanisms (attack time instant, system inertia, power components).

• Vulnerabilities assessment on sets of switching signals, generated on power components that are most critical to generator stability.

The potential application of this study includes guidance for system operators on implementation of procedures to improve the generator response at the time of SA launched by the intruder, either on one of the components or their combinations. Some of these measures as mitigation approach can be adopted as decision making for frequency stability enhancement. It is hoped that the study will foster a greater understanding of the evolving cyber threats faced by critical infrastructure sectors, and facilitate the formulation of proactive strategies to ensure the continuity and security of global power supplies.

In the next Section 2, cyber-physical representation of power network is discussed, followed by SA design in Section 3 This follows Section 4, with presentation of SA implementation in real time. In the subsequent Section 5, discussion on results indicating security vulnerability of power components is given followed by conclusions in Section 6.

CYBER-PHYSICAL REPRESENTATION OF POWER NETWORK

Physical system-power grid

In this study, a standard IEEE 3-machine, 9-bus power grid network as shown in Figure 1, having representation of dynamics of generators, ES and GS is considered. The state (differential) equations of generators, ES and GS including turbines, and the power balance equations as algebraic equations at each node are obtained from ref. [15]. The electromechanical model of the generator is represented according to Equation (1), which is the swing equation dynamics of linearised generator i given as follows: 1 $${\increment}\dot{{\delta }_{i}}={\omega }_{s}{\increment}{\omega }_{i}$$ 2 $${\increment}\dot{{\omega }_{i}}=\frac{1}{{M}_{i}}\left({\increment}{P}_{{m}_{i}}-{\increment}{P}_{{e}_{i}}-{D}_{i}{\increment}{\omega }_{i}\right)$$ where δ_i is the rotor angle of the generator, in rad; ω_s is the synchronous angular speed of generator, in rad/s; ω_i is the rotor angular speed of the generator, in p.u.; M_i is moment of inertia of the rotor; $${P}_{{m}_{i}}$$ is the mechanical active power, in p.u.; $${{P}_{e}}_{i}$$ is electrical active power, in p.u.; D_i is the load damping factor, in p.u.

[IMAGE OMITTED. SEE PDF]

Cyber layer-communication network

In power systems, communication networks play a crucial role in enabling the efficient monitoring, control, and protection of the electrical grid. These communication networks are responsible for exchanging data between various devices and systems, such as supervisory control and data acquisition (SCADA) systems, intelligent electronic devices (IEDs), RTUs, phasor measurement units (PMUs), and other grid components. To achieve seamless communication within the power system network, the transmission control protocol/internet protocol (TCP/IP) suite is commonly used. TCP/IP is a set of protocols that facilitate reliable data transmission over interconnected networks, including the internet. It provides a standardised framework for data packets to be sent and received between devices, ensuring proper delivery and error handling. The TCP/IP stack is a software implementation of the TCP/IP protocol suite that usually resides in the communication devices like IEDs, RTUs, PMUs, or communication gateways. In the context to cyberattack, the intruder may be able to intrude at following four possible layers of communication channels that use TCP/IP protocol.

• (i)

  Transport layer: The TCP is commonly used in power systems to ensure reliable, error-checked data delivery. The TCP establishes connections between devices, handles data segmentation, retransmission of lost packets.

• (ii)

  Data transmission: The TCP/IP stack sends the packets over the communication network. The data can be transmitted through wired or wireless connections, depending on the specific communication network/infrastructure.

• (iii)

  Data reception and unpacking: At the receiving end, the packets are received and processed. The TCP/IP stack on receiving device reassembles the packets into the original data and forwards it to the respective application or system.

• (iv)

  Data analysis and control: The received data is analysed by control centres, SCADA systems, or other applications, allowing operators to monitor the power grid's state, make control decisions, and take corrective actions, if necessary.

The use of TCP/IP in power system communication ensures reliable and robust data exchange, which is essential to maintain grid stability, monitor critical parameters, detect faults, and manage power flow. However, it's worth noting that some power system applications may get intruded by imitating act.

Cyber-physical layer of power components

As shown in Figure 2a, geographically dispersed power plants and transmission network substations are linked to the main control centre via a wide-area network. The control centre carries out the monitoring, operating status, and power dispatching tasks. An intruder may be successful in accessing the control functions of the GS, ES of the synchronous generator, or the line CB despite varying levels of cyber security measures such as firewalls and intrusion detection systems deployed on gateways. After gaining access to the human machine interface, the attacker can transmit erroneous command signals to the CBs installed on the lines. As a result, if a line, generator, or load connected to this power plant is severed, the system may become unstable or possibly completely collapse. RAS [16] are used to stop uncontrolled cascades and strengthen the security of the electrical grid in the event of emergency situations. With the aid of compromised communication channels, the attacker via SA on the target CB may disable RAS trigger signals. As can be seen in Figure 2b, the full SA on the cyber-physical architecture compromises the switching state of the CB, ES, and GS, leading to significant variations in the control variables. The status of these components can be modified by applying switching logic to the state variables, so as to switch between two subsystems; A₁ and A₂ as discussed in the next section.

[IMAGE OMITTED. SEE PDF]

SWITCHING A IN VARIABLE STRUCTURE SYSTEM

This section presents discussion on switching system (physical system) for which intruder can design the sliding surface to drive the system trajectory as defined by sliding surface so as to switch between two subsystems. The discussion is further extended on SA logic design construction.

Switching system

Due to changing operating conditions in interconnected power grid networks (linear or nonlinear), they can be characterised as discontinuous dynamics based on variable structure system theory and thus can be considered as switched systems [17]. With a certain frame of rules governing their switching actions, the power network can consist of a family of subsystems. This follows an elementary variable structure system, which is described as follows: 3 $$\dot{x}(t)=\left\{\begin{array}{@{}c@{}}\,{f}_{1}(x,t,\tau ),\quad S(x) > 0\,\\ {f}_{2}(x,t,\tau ),\quad S(x)\le 0\end{array}\right.$$ where x ∈ R^n×1 is the system state vector, f_i(x,t) ∈ R^n×1 is a function representing the non-linear subsystem dynamics, for i = 1,2,…,n,S(x) ∈ R is the sliding surface and S(x) = Cx ∈ R for constant row vector C = [C₁C₂…C_n] ∈ R^1×n is a state-dependent switching signal, and S(x) = 0 is called the n-dimensional switching surface, and τ is a system time-delay. Equation (3) represents a system, which abruptly switches the dynamics between f₁(x,t,τ), that is, subsystem #1 and f₂(x,t,τ), that is, subsystem #2 depending on the value of S(x). There are two crucial conditions to be satisfied to achieve this switching phenomenon. The first necessary condition to achieve is an attractive switching surface, which means that within some subset of state space, trajectories converge to the switching surface making it a sliding surface. The second required condition is the variable structure system behaviour, confined to the sliding surface, that exhibits certain desired properties such as asymptotic stability, exponential growth or oscillation. The collective behaviour can be used to steer the state into a position of instability for attack. The stability analysis of switched systems is based on construction of common Lyapunov function, which allows for arbitrary switching [18]. The electromechanical model of the generator given by Equation (1) and Equation (2) are asymptotically stable and can have two structures containing two subsystems according to variable structure theory.

In general, the condition for sliding mode existence, with state dependent switching signal $$S(x)$$ is given as [19] (note: $$\dot{S}(x)$$ is the time derivative of $$S(x)$$): 4 $$S(x)\dot{S}(x)< 0\quad for\,S(x)\ne 0$$

Analytically, following theorem is presented about the existence of a sliding mode for incrementally linear subsystem dynamics.

$1$

Theorem

Existence of a sliding mode- Consider the variable structure system as: 5 $$\dot{x}=\left\{\begin{array}{@{}c@{}}\,{A}_{1}x(t)+{b}_{1},\quad S(x) > 0\,\\ \,{A}_{2}x(t)+{b}_{2},\quad S(x)\le 0\end{array}\right.$$ where x ∈ R^n×1, A_i ∈ R^n×n, B_i ∈ R^n×n, b_i ∈ R^n×1 and S(x) = Cx ∈ R for constant row vector C = [C₁C₂…C_n] ∈ R^1×n the necessary and sufficient conditions for existence of the sliding mode are as follows: 6 $$\left\{\begin{array}{@{}c@{}}C\left({A}_{1}x+{b}_{1}\right)< 0,\quad S(x) > 0\\ C\left({A}_{2}x+{b}_{2}\right) > 0,\quad S(x)\le 0\end{array}\right.$$

Proof.

The overall system of Equation (6) can be represented as (for simplicity, S(x) is denoted as S): 7 $$\dot{x}=[(1+sgn(S))/2]\left({A}_{1}x+{b}_{1}\right)+[(1-sgn(S))/2]\left({A}_{2}x+{b}_{2}\right)$$ where sgn(s) = 1 for S > 0 and sgn(s) = −1 for S ≤ 0.

From Equation (6), a sliding mode exists, if and only if, $$S\dot{S}< 0$$;

Next, the conditions to guarantee this inequality is determined, using Ssgn(S) = |S|: $$S\dot{S}=SC\dot{x}=SC\left\{\left[\frac{1+sgn(S)}{2}\right]\left({A}_{1}x+{b}_{1}\right)+[(1-sgn(S))/2]\left({A}_{2}x+{b}_{2}\right)\right\}$$ 8 $${=}\frac{1}{2}(S+\vert S\vert)C\left({A}_{1}x+{b}_{1}\right)+\frac{1}{2}(S-\vert S\vert )C\left({A}_{2}x+{b}_{2}\right)$$ 9 $${=}\left\{\begin{array}{@{}c@{}}S(x)C\left({A}_{1}x+{b}_{1}\right),S(x) > 0\\ S(x)C\left({A}_{2}x+{b}_{2}\right),S(x)< 0\end{array}\right.$$ which is equivalent to Equation (8), if $$S\dot{S}< 0$$ is imposed and also note that S + |S| > 0 and S-|S| > 0 for S > 0, and S + |S| > 0 and S-|S| > 0 for S < 0.

Thus, condition (9) is necessary and sufficient to guarantee that $$\mathrm{S}\dot{\mathrm{S}}$$ < 0 and represents a convenient test for the existence of a sliding surface. An opponent determines a vector C = [C₁C₂…C_n] (or an associated vector range) such that Equation (6) holds for a local region of the state space. From above discussion, it is expected that sgn(S) replicates the desired effect of switching the nature of dynamics as the signs of switching signal change.

With the existence of sliding surface for every switched system, and row vector C ∈ R^1×n, each of the n switches can open and close according to the sign of i th element of $$S={\left[{S}_{1}\,{S}_{2},\text{\ldots },{S}_{\mathrm{n}}\right]}^{\mathrm{T}}$$. It is assumed that the power network has controllable switch that can be applied not only on CB, but also in the control loops of GS and ES of the synchronous generator.

Figure 2b illustrates the power network, which based on governing rules, with switching surface S(x) can be represented as subsystems #1 and #2. The state vector x represents the physical quantities of generator; rotor angle and rotor angular speed. As an example, with the toggle of switch ‘S’ positions among ES, GS and CB between position #1 and position #2, the grid network has the effect of changing system dynamics between f₁(x,t,τ) and f₂(x,t,τ), respectively. These subsystems status can be achievable via action of a line CB/sensor (feedback in control loop) in the cyber layer of power systems. According to variable structure system theory, the SA through cyber layer, including control (signals) can be designed to cause a disruption in the physical layer. The switch can toggle between positions #1 and #2, according to the designed sliding surface S(x) based on Lyapunov theory as discussed next.

Switching attack logic

Equation (3) can be written in the linearised form: 10 $$\dot{x}(t)=\left\{\begin{array}{@{}c@{}}{A}_{1}(x,t),S(x) > 0,i.e.\,subsystem{\equalparallel}1\,\\ {A}_{2}(x,t),S(x)\le 0,i.e.\,subsystem{\equalparallel}2\end{array}\right.$$

The switching action in Equation (10) defines the SA logic with the following assumptions, that intruder has:

• (i)

  knowledge about dynamics of minimum two state variables;

• (ii)

  knowledge about local model of power system network;

• (iii)

  information about most vulnerable physical switch (target);

• (iv)

  access to target switch over communication channel, related to the CB or any power system components; ES and GS of respective generators.

Both linear and non-linear sliding surface design for attack construction has been reported in the literature [20]. In this study, hysteresis switching type is considered for design of SA rule. As shown in Figure 3, a switch from subsystem #1 to subsystem #2 only occurs for states, where the regions of state spaces A₁ and A₂ are adjacent to each other. The switching occurs only, if the continuous trajectory has passed through the intersection of adjacent subsets A₁ and A₂. It is impossible to know a priori about region, if trajectory will intersect, but can be designed.

[IMAGE OMITTED. SEE PDF]

Designing logic for a SA in the power system involves careful planning and pre-analysis about system dynamics. SA aims to manipulate the behaviour of a power system by transitioning it between different operating modes. The dynamics of synchronous generator are given in terms of electromechanical equations (Equations (1) and (2)), along with governing equations associated with operation of ES and GS including turbines, and the power balance equations at each node in the power network. This model can further be represented as variable structure system as given by Equation (3). Equation represents subsystems A₁ and A₂ that is, system behaviour between two modes of switching (Figure 2b). The two modes of switching correspond to when the CB (and/or ES, GS) remains connected or disconnected. The sliding surface formation and SA steps are discussed next in the following for better understanding.

• (i)

  Sliding surface formation: The sliding surface is typically a hyperplane in the state space and can be represented as S(x) = 0, where $$S(x)=Cx\mathbb{\in }\mathbb{R}$$ and $$C=\left[{c}_{1}\,{c}_{2}\text{\ldots }{c}_{\mathrm{n}}\right]\in {\mathbb{R}}^{1\times \mathrm{n}}$$

The necessary and sufficient conditions for existence of the sliding mode holds for: 11 $$\left\{\begin{array}{@{}c@{}}C\left({A}_{1}x+{b}_{1}\right)< 0,S(x) > 0\\ C\left({A}_{2}x+{b}_{2}\right) > 0,S(x)\le 0\end{array}\right.$$

The study [11] asserts that the Equation (6) is useful for identifying the parameters C to construct coordinating variable structure switching attacks. Here foremost care is taken in choosing the value of parameter C wisely, so that it can also follow the dynamics of respective components (CB, ES or GS) under attack scenarios. The dynamics of CB are faster as compared to ES and GS, so the parameter is chosen in such a manner that phase-portrait of system and sliding surface will interact with each other as discussed later in Section 5.

• (ii)

  SA logic- This consists of following three steps:

  • a)

    Define attack triggers: Determine the conditions or events that trigger the SA. These triggers can be based on measurements of the system's state variables in the study cases.

  • b)

    Design the control logic: Develop the control logic that guides the system's behaviour during the attack. This logic should dictate when to transit between two different operating modes and how to manipulate the system variables to achieve the desired impact.

  • c)

    Implement control actions: Specify the actions that need to be taken when the system transits from one mode to another. This involves adjusting setpoints, switching devices, or reconfiguring control strategies.

Furthermore, the intruder can get remote access to line CB or other power system components; GS and ES. The identification of physical target switch can be made on the basis of system vulnerability and accessibility of physical switches, line switches are more vulnerable to load switches, line switches nearby to larger generator or load are more vulnerable than load switches at larger load and switches associated with longer transmission lines [21].

The attack construction logic is mainly based on following two factors:

• (i)

  Formation of sliding surface

• (ii)

  Start and stop time of attack

With trajectory of state x(t) attracted and confined to the S(x) = 0 manifold, the case of sliding mode is also termed as sliding surface. The choice of sliding surface is according to Lyapunov criterion, ensuring its existence. The start and stop times of attack is decided on the basis of interaction point of overlapping phase-portrait of given system, which is discussed further in Section 4.

CYBER-PHYSICAL ATTACK IMPLEMENTATION IN REAL-TIME

Test-bed for real-time simulation

In order to understand the complex relationship between the cyber and physical layers of the power system, and potential impacts on the physical (power) system, a test bed is developed. The power network under different physical contingencies and CA is simulated simultaneously in real-world environment.

The IEEE 3-machine, 9 bus power grid network is a model in a graphical modelling language called RSCAD. The real-time simulation step time is of order 50 μs. The RTDS is connected to connected devices through dedicated analogue and digital signal exchange devices. The giga-transceiver network communication interface (GTNET) provides the real-time communication over ethernet. The test bed is ensured to have capability of interacting with support from embedded sockets and mechanism for messages between the embedded socket and the communication network. GTNET is combined with the TCP/IP feature of LabView software to obtain real-time signals communicated through the internet. The interfacing of RSCAD/RTDS and MATLAB software (or any external program) as shown in Figure 4 can be implemented through TCP/IP socket communication. In this study, for cyber-physical simulation, so called “co-simulation” is applied between the two software. The RSCAD/Runtime offers a script function for automating the operation of the RTDS simulator. The script function can be used to interface MATLAB and RTDS. The ListenOnPort script command provides a way for an external process (MATLAB) to control RSCAD by sending regular script commands over a TCP/IP connection. When command ListenOnPort() is executed, RSCAD/Runtime starts acting like a socket server, whereas MATLAB acts like a socket client. Once the TCP socket is established, it can be considered as a pipeline where the RSCAD/Runtime script command can be fed at one end and taken out at the other end. The ListenOnPort() Command establishes TCP/IP socket communication with an interaction speed limit of up to hundreds of milliseconds. A C++ interface code is included to interact with the scheduler via sockets.

[IMAGE OMITTED. SEE PDF]

The MATLAB software platform feeds the above discussed and designed SA algorithm into the pipeline, while RSCAD/Runtime receives the said attack algorithm and changes the status of the CB/switch in the test system. The data corresponding to power network under CA is observed in RSCAD draft file. The CA events are implemented via switching algorithm run in MATLAB, which is equivalent to attacks implemented in any communication network simulator. All the physical dynamics associated with communication network are assumed to be negligible. In other words, influencing factors; properties associated with communication delays and link congestion have not been taken into account in analysis.

Attack implementation

An intruder has an objective to introduce successful attacks in the power network via exploiting the vulnerabilities in cyber layer. In the lines of this study, intruder could involve eavesdropping of local state information of the power network, and consequently fabricate a switching signal to control CB or other associated control systems; ES and GS in the synchronous generator. The implementation of switching-sliding mode attack requires control of CB, as such some modifications have been made in the draft model using control system library. The control system library allows customised control system to be created that can interact with the power system model and/or the outside world. The modifications in standard model incorporate: controllable CB with 6 switches corresponding each CB.

According to partial information available, an intruder is able to model the local generator (target) dynamics, given by its states, x as a switchable system (subsystem #1 and subsystem #2), with operation of CB. Based on satisfying conditions of states, these subsystems will be realised according to CB operation (Equation (10)). The sliding surface depends on the state dependent attack row vector C, which can be obtained from equilibrium point in the region of attraction of phase portrait.

MATLAB is a programming and numeric computing platform applied to imitate the intruder and develop an attack algorithm. The sliding surface S(x) is designed based on Lyapunov theory and further attack algorithm is designed based on sliding surface S(x). The switching time instant depends on interaction point of overlapping phase portrait. Therefore, an intruder is able to construct an attack via selecting appropriate sliding surface so as to cause destabilisation. The start-time of attack is assigned such that with one side of the sliding surface, S(x) = 0, the system will switch to one of the subsystems with trajectories pointing towards that surface. The start time of attack should lie in the attractive region of phase portrait. The stop-time is the point of interaction of phase-portrait at which trajectories move towards infinity. This ensures attack condition to get satisfied and successfully implemented.

Initial results on switching-attack implementation

The switching is applied at t = 0.0 s for 1.0 s. The change of status of CB depends on switching sequence according to the phase-portrait between rotor angle and angular speed of the generator. The observation of phase-portrait with respect to time provides start- and stop-time of SA. The start-time is chosen in such a manner so as to ensure small hysteresis band and prompt (swift) response are obtained. The CBs are made controllable through activating status of CB. The sliding surface is designed on the basis of Lyapunov theory as discussed above. In order to achieve successful attack from intruder's perspective, it becomes necessary to design a stable sliding surface so that the system trajectory is driven on to the desired sliding surface. When system trajectory reaches the sliding surface, the intruder starts switching sequences in such a manner that if, $$S > 0;\,CB\,is\,ON$$ $$S< 0;\,CB\,is\,OFF$$ With the SA introduced at t = 0.01 s, on CB#57, the phase-portrait is shown in Figure 5a from which it is recommended to stop the switching sequence when the trajectory of system directs towards infinity or instability. With switching sequence applied for 1.0 s, the variation in rotor speed is shown in Figure 5b.

[IMAGE OMITTED. SEE PDF]

REAL-TIME SIMULATION FOR CYBER-PHYSICAL ATTACK ANALYSIS

With the cyber-physical test bed developed and implementation of cyber-physical attack in real-time as discussed in above Section 4, it is intended to carry out impact of cyber-physical attacks on the power system stability. In this section, real-time CA has been performed on IEEE 3-machine, 9-bus system with details of different scenarios (S) for the power components under attack as given in Table 1. With line CB, GS and ES of generators under attack, different scenarios (S) namely; change in load conditions (S¹), attack time instant (S²), damping factor/system inertia (S³) and location of line CBs (S⁴) are considered in investigation. As referred in said table, the tick symbol (✓) is identified for different scenarios that have been investigated. For example, the physical attack on CB has been performed for all scenarios (S¹–S⁴). The nominal power rating as given in said system is considered as base case value. The SA is performed on CB that connects the generators, and ES and GS associated with the generators. The CA in the control loop of GS and ES results into switchable subsystems. The SA on CB follows a step change, and expected to cause large variations in state variable. On other hand, attack introduced via switching in the control loop of ES and GS, may result to fast and dynamic changes depending upon their respective inherent time constants.

TABLE 1 Cyber-physical attack case studies performed on power system components.

It is expected that these changes at load ends (S¹), the power flow along the line and thus its loading will also change. This translates to power re-dispatch in the network and update in the initial value of system state variables. There could be even overload on the line(s) with respect to base load condition. The changes in active power are applied, keeping reactive power at base value. The amount of change applied (reduction) in load power is given in Table 2. Similarly, onset of CA according to system state profiles is considered via scenario (S²) of attack time instant. The assessment involved with CA in power grid having reduced inertia is taken into account via scenario named changes in system inertia (S³). The consequence of physical attack on the generators is manifested with switching of corresponding line CBs (S⁴).

TABLE 2 Changes in load power (active power).

Line CB under attack

• 1)

  Changes in load power conditions- With case (i), the SA is applied at t = 0.01 s on CB#57 using the sliding surface S¹ = 0.0095δ-ω (Lyapunov theory) for 1.0 s time duration. The said CB is operated remotely such that generator state trajectory is driven towards chosen sliding surface. The rotor speed of generators; G2 and G3 gradually increases and violates the frequency stability criterion as shown in Figure 6a. The CA being nearest to G2, its rotor speed is found to be deviated maximum. For reduced loads (L5 and L6), as in case (ii), there is no significant change in rotor speed deviation with respect to case (i) as indicated in Figure 6b. On other hand, with load conditions in case (iii), generator G3 after deviating to maximum value around t = 2 s, bounds back to nominal frequency, while that G2 follows similar trend as previous cases. This is observed in Figure 6c. From this, it can be said that impact of SA on the nearest generator in terms of frequency deviation is independent of changes (reductions) in load conditions. However, far away generators from CA locations experience improvements in frequency profile.

• 2)

  Attack time instant- As discussed above, the start-time of attack is influenced by interaction between overlapping phase portrait of state variables, different time instants are chosen to analyse the generator dynamic variations. As observed in Figure 7a, the variation in rotor speed ramps up for three generators, while those in Figure 7b, low frequency oscillations for brief period (3–4 s) are indicated. On other hand in Figure 7c, rotor speed dynamics of generators G2 and G3 overlap each other and decay down to have ultra low frequency oscillations, while that generator G1 ramps up to settle down at new steady value. These generator dynamics will be further analysed via estimation of RoCoF later in this section.

• 3)

  System inertia- In this scenario, SA with sliding surface as S1 = 0.0095δ-5ω is applied on CB#57 for different values of system inertia (inertia constant). This change in inertia is considered in the synchronous generator parameter “H” of the bus network, which attributes to reduction in value due to integration of power electronics-based generation resources in the area. Table 3 lists the values of system inertia used in study. For example, case (i) is for reduction in system inertia by 30% of base value, that is, 18.91 in area having synchronous generator G1, while for other two areas, the system inertia is fixed at their respective base values.

  An attempt is made to introduce attack at t = 0.01 s for 1.0 s. As seen in Figure 8a,b, due to rotor speed decay for one of the generators G3 beyond the limit (violates the frequency stability criteria), the attack becomes successful at t = 3.0 s Note that the said generator (system) has lowest inertia. The frequency nadir below 49.5 Hz will activate the under frequency load shedding (UFLS). The generator G2 closest to the point of SA experiences significant oscillations. On the other hand, the generator with smallest inertia constant, drops below the lowest 49.5 Hz (after t = 3 s) in these two cases. This is further confirmed in Figure 8c. The estimated RoCoF of G1 is shown in Figure 9. Due to system inertia, the frequency will not decline sharply, but will follow gradually. However, with onset of SA, RoCoF crosses the limits of 0.125 Hz/s, which as per [22] should be at all times (post frequency limits) maintained to avoid the tripping of RoCoF sensitive protection relays. A large power change will accelerate the frequency drop. Higher inertia of generator results in longer tripping time, because due to larger inertia, more energy is released, which opposes the drop in frequency and RoCoF. For a generator having higher inertia, the frequency drops at a slower rate such that RoCoF value does not exceed 2 Hz/s. Due to differences in the inertia constants of individual areas and propagation of disturbance on account of SA at different components (locations), the RoCoF values in individual areas differ but have not been shown in said figure.

• 4)

  Different CBs: This case is applied with attack on the line CBs, connecting to each of the generators at t = 0.1 s for 1.5 s time duration. In Figure 10, at t = 0 s, the rotor speed of three generators is at 377 rad/sec. As a result of CBs being opened, that is, line trip, the rotor speed immediately shoots up, with that of G2 being the largest and of G1 being smallest. Here, the generator frequency does not remain within ±2% of the nominal value.

[IMAGE OMITTED. SEE PDF]

[IMAGE OMITTED. SEE PDF]

[IMAGE OMITTED. SEE PDF]

TABLE 3 Changes in system inertia.

[IMAGE OMITTED. SEE PDF]

ES under attack

The control function of ES is under attack via switching action for several combinations of CBs and ESs at different time instants. Table 4 lists such combinations for which influence of attack is analysed on generator dynamics. In this section, several case studies are considered to demonstrate the implications of distinct attack instants.

• 1/2 CB and 1 ES: In this scenario, combinations of 1/2 CBs and one of the ES are considered. For example, in Table 4, case (i) refers to attack on CB#69 on the line connecting G3 at t = 0 s, followed by another CB#89 on the line connecting G3 at t = 4.5 s, and final attack on ES (E1) associated with generator G1 at t = 30 s. In Figure 11a, corresponding results are shown. The rotor speed of G3 shoots up due to CB#69 opening, while that of G1 and G2 decays until another CB#89 is under attack. As a result, rotor speed of G3 again has risen, but settles down further. On other hand, for G1 and G2, there is improvement in profile with positive slope and becomes stationary. Note that, both generators; G1 and G2 had same profile variation, until attack in E1 at t = 30 s leads to G1 deviate out from G2. Similarly, for case (ii) in Figure 11b, due to attack on E2 (at 5.5 s), associated generator rotor speed gets overshoot, while that of G1 decays further and fail to recover back to nominal value. In Figure 11c, attack on CB#45 at t = 2.5 s, causes G1 to have increase in rotor speed, while that of G2 and G3 decays. However, with attack on E2, at t = 4.5 s, their rotor speed signals increase to peak value, after which, G3 starts to decay, while of G2 further shoots up. The above discussion suggests that generator with its line CB under attack has its rotor speed overshoot, while remaining generators get aligned with other, until attack on their associated ES leads to respective rotor speed deviating out.

• 2 CBs and 2 ESs: This case is extended with inclusion of attack on ES at different locations in the network in addition to SA implemented on both line CBs associated with a given generator. The case (i) corresponds to SA on line CB with one of the generators, followed by attack on ES on remaining generators at same time. As in Figure 12a, due to attack on CB#57 at t = 0 s, nearby generator G2 experiences overshoot, while those of G1 and G3 decays (get aligned) until attack on both E1 and E3 occurs at t = 5 s. Following this, rotor speed of G3 shoots up, while that of G1 gains positive slope. However, finally, their signals converge to settle. On other hand for case (ii) in Figure 12b, with attack on E1 at t = 4 s, its signal deviates out, while of G3 decays down, until another attack at t = 5 s further leads to increased deviation. Note that, signals of both generators remain synchronised until t = 4 s and successive attack on their ES (E1 and E3) causes separation out. As observed in Figure 12c, this case (iii) is very similar to case (ii), attack on ES being at different time instants, but there exist two successive attacks on ES, followed by CB. As such, rotor speed signal of generators under influence of ES attack gets aligned themselves at later stage (post-attack). In case (iv), attack is introduced on both CB and ES for a given generator at the same time. As shown in Figure 12d corresponding rotor speed shoots up, while those of G1 and G3 remain aligned until attack on E3 leads to rotor speed (G3) overshoot. However, note in exception to above observation, in the absence of attack on ES (E1), its generator rotor speed decays further to settle at deviated range. In other words, in the absence of attack on E1 does not lead to converge its signal with G3. Having simultaneous attack on CB#45 and its associated E1 (G1) at t = 2.5 s as shown in Figure 12e indicates separation of rotor speed with respect to G2 and G3, which remain synchronised to each other. As noted in said figure even after attack on E3 at t = 5 s, rotor speed signals of G2 and G3 vary together until reaching peak. From this onwards, these signals separate out and undergo oscillations. Further to illustrate instability of generator behaviour, RoCoF of G1 is shown in Figure 12f for all cases (i–v). This clearly indicates that for cases (i–iv), RoCoF crosses the limits of 0.125 Hz/s and thus activates the RoCoF sensitive protection relays [22]. On the other hand, in case (v), RoCoF does not vary so significantly until t = 3 s, however recovers back in less than 2 s time duration. But to note, for case (v), dynamics of G3 is significant (Figure 12e) and so has its RoCoF crossing the limits to activate the relay. Subsequently, as expected, large power change will accelerate the frequency drop of G1.

• 2 CBs and 3 ESs: This case is extension of above analysis with inclusion of attack introduced on one more ES along with switching of both line CBs associated with same generator. This coincides with the last attack instant. As shown in Figure 13a, the profile of rotor speed variation is similar to above 2) case (iii). This suggests, difference in attack instants between combination of two different ESs (E1+E3, E2+E3) within the attack period does not effectively influence generator dynamics. In Figure 13b, due to consecutive SA attack on CB#89 and ES (E3), corresponding to generator G3, its dynamics is excited with overshoot, while those of G1 and G2 get aligned. However, G2 separates out when its ES is under attack at t = 5.5 s. As a consequence, G1 and G3 now get aligned to each other. The observations in Figure 13c for generator dynamics are similar to 3) case (i)

[IMAGE OMITTED. SEE PDF]

TABLE 4 Combinations of CBs and ESs.

The discussion confirms that SA attack on line CB leads to overshoot of associated generator, while remaining generator get aligned. However, SA on ES of one of these aligned generatos results to separate out the generator, which has comparatively low inertia. Furthermore, post-attack time, low inertia generators get aligned with dynamics of high inertia generators. More importantly, sequence of SA; consecutively and successively between ESs (their combinations) does not bear significant influence on the generator dynamics.

[IMAGE OMITTED. SEE PDF]

[IMAGE OMITTED. SEE PDF]

[IMAGE OMITTED. SEE PDF]

GS under attack

Next, the risk due to SA introduced in the control function of GS for several combinations of CBs at different time instants is analysed as per the list given in Table 5. Similarly, as discussed, these combinations are formed with GS and CB of a given generator or GS and CB belonging to different generators. The SA is applied for time duration of 1.5 s. Following switching of line CB, based on static power-frequency characteristic of the generators, power imbalance is compensated at the expense of frequency deviation.

• 1)

  1 CB and 1 GS: With combination of these two components, three cases with pair of lines CB of the generator and GS of other generator are considered for analysis. Figure 14a indicates sharp decline in rotor speed of the generator G3 and reaches to a limit of violation, with SA on its GS until switching is discontinued while those of G1 and G2 have a steady frequency change. On the other hand, as seen in Figure 14b with SA on line CB#57, associated generator exhibits an overshoot, while generator (G1) with its GS under attack, deviates out and follows a sharp decline. In addition, dynamics of G3 also get aligned with G1 until SA launched on CB#57. As a consequence of SA at t = 3.5 s, the rotor speed of G3 swings back to nominal value, however begins to oscillate with increasing amplitude. Similarly, with onset of SA on GS2 at t = 0.3 s, followed by line CB#89 associated with G3, the frequency stability is not guaranteed. This is shown in Figure 14c.

  The attacker needs less time to cause frequency instability, which indicates large manipulations in the control loop facilitate the objective of attacker. As the frequency reaches to nadir point (outside the deadband), the decay of frequency must, be arrested to avoid triggering UFLS. Note that UFLS control has capability to achieve stability characteristics, which have not been included in this analysis. Also, inertia-dependent scheduling of generators will lead to respect the RoCoF and nadir constraints, which have not been taken into consideration for analysis. The above discussion suggests that with SA launched on GS, its associated generator gets failed to be stabilised.

• 2)

  1 CB and 2 GSs: These combinations are formed out of two GSs and one of the line CB. Regarding case (i), line CB#45 associated with generator G1 along with its own GS1 and GS2 are considered under attack. As a consequence of attack on these two GSs, followed by CB#45, it is indicated in Figure 15a that generator (G2) deviates and loses synchronism. Similarly in case (ii), as illustrated in Figure 15b, with attack introduced on GS1 and GS2 along with its associated line CB#57, it is generator G1 to deviate out from the system. Also, to note, the generator which does not have its associated line CB under attack, but only GS, fails to guarantee frequency stability. In other words, between the two generators, which have their GS under attack (same time), followed by attack on the line CB associated with one of these generators leads to frequency instability of another generator. On the other hand in case (iii), for SA on two GSs (GS1 and GS2) and line CB#89 belonging to third generator (G3), the deviations of G1 and G2 can be observed in Figure 15c. Further to mention, the time instant of attack does not influence the rotor dynamics. It can be confirmed from these results that at least one of the generators experiences drop in frequency below 49.5 Hz and does not seem to recover within 60 s [22]. Thus, frequency stability is not guaranteed unless, ancillary services or primary frequency reserves get activated.

• 3)

  1 CB and 3 GSs: In this combination, all the three GS and line CB#45 associated with G1 are under attack at the same time (t = 0.0 s), and it can be observed in Figure 16 that G2 and G3 fail to remain synchronised. It is evident that impact on G1 does not unfold into instability.

  As a result, considering the fact that any detection scheme at other control centres still needs time to trace the attack source and perceive the attack. The attack on exciter/CB associated with one of the generators may be stealthier to the control centres of other areas, but due to interconnections, the impact may be observed in associated areas too. For increase in number of power components under attack event, that is, amount of manipulation introduced, the variation in state variables becomes stronger and thus, less time is required to cause frequency instability. It may be argued here, due to strong variation, attack may be noticeable easily.

TABLE 5 Combinations of GS and CBs.

[IMAGE OMITTED. SEE PDF]

[IMAGE OMITTED. SEE PDF]

[IMAGE OMITTED. SEE PDF]

The above assessment suggests criticality of SA launched on GS, along with line CB, which can result in significant generator instability. The worst case of instability gets unfolded for the generator, which does not encounter its associated line CB under attack.

Vulnerability analysis of critical power components

In this section, vulnerability of GS and CB is highlighted against SA in relevance of generator instability. The selection of GS and CB is motivated by the above discussion with identification of critical components. The quantitative index is computed to reflect stability assessment against SA, which is in turn determined by switching signals, corresponding to state variables. The vulnerability analysis can reveal sets of switching signals that result in generator dynamics with larger consequences, based on calculated transient stability index (TSI) and transient kinetic energy (TKE), given as follows: 12 $$\text{TSI}=\frac{{360}^{o}-{\delta }_{\max }}{{360}^{o}+{\delta }_{\max }}\times 100\,\%$$ where δ_max is the maximum rotor angle difference between any two generators in the system immediately after attack. The value of TSI closer to 100% suggests stable system, even after attack. 13 $$TKE=\sum\limits _{i=1}\frac{1}{2}{J}_{i}\bullet {\increment}{\omega }_{i}^{2}$$ where J_i and $${\increment}{\omega }_{\mathrm{i}}^{2}$$ are the angular momentum of the rotor at synchronous speed and change in rotor speed respectively of ith generator

With SA on GS, initial power imbalance is compensated by the generator rotor kinetic energy. However, depending on its switching status, large active power deficit leads to a significant rotor speed deviation. A graphical representation as lattice diagram is obtained to determine the sets of switching signals, for which calculated indices share the highest intensity. This graphical representation allows to visualise the extent to which, the applied SA can uncover the subsets of switching signals with high impact on generator instability.

The SA is accomplished when switching status of CB and GS changes according to intruder's designed sliding surface. The sliding surfaces S1 = 5δ-0.005ω and S2 = 0.0095δ-∆ω are chosen for CB and GS, respectively. Using switching logic, Equation (11), according to sequences of switching signal, the two indices; TSI and TKE are calculated at every t = 16.67 ms time interval. These computed values for generator 2 are represented as lattice diagram, shown in Figure 17. With attack launched on GS, as depicted in Figure 17a, the lattice joints lie in the neighbourhood of lower and upper bounds with quantitative index in range of ∼50 to ∼56. In other words, lattice pairs distribute periodically across least upper bound and greatest lower bound. However, in Figure 17b having attack launched on CB, though distribution lie on the boundary, but is more spatial towards least upper bound for sets of switching signals.

[IMAGE OMITTED. SEE PDF]

With the lattice diagram obtained for TKE as shown in Figure 18a, it is clear that GS is unable to sustain the regulation capability for a longer switching signals. The centrally concentrated bound of quantitative index (∼50 to ∼56) suggests restoration of rotor speed to a stable value but lies insecure region. This is due to the fact that its lattice is associated with greatest lower bound and greatest upper bound. On other hand, in Figure 18b, TKE obtained for the time period with attack on CB#57, sets of switching signals have associations with greatest lower bounds, but least upper bound.

[IMAGE OMITTED. SEE PDF]

CONCLUSIONS

The real-time implementation of SA design launched on CB GS and ES of the generators was taken up to determine the most vulnerable power system components for which attack defence strategies are most required. The study presented vulnerability of these power components to quantify their impact on system instability. The different cases of SA applied on combinations of power components, including their locations in the network highlighted significant disruptions in the grid's performance and compromised its overall resilience. The real-time simulation studies identified the critical components and their combinations that have the potential to cause generator instability. In particular, some of the combinations of CB and GS resulted in highest risk impact. This was further verified via lattice representation of calculated TSI and TKE for sets of switching signals.

This study underscores the urgency of implementing robust cybersecurity measures and enhancing the resilience of power generation infrastructures against emerging cyber threats. The findings serve as a wake-up call for power utilities, policymakers, and cybersecurity experts to collaboratively develop countermeasures to safeguard the reliability and security of critical energy infrastructures.

AUTHOR CONTRIBUTIONS

Seema Yadav: Conceptualization; data curation; formal analysis; investigation; methodology; resources; software; writing – original draft. Nand Kishor: Conceptualization; investigation; methodology; supervision; writing – review & editing. Shubhi Purwar: Conceptualization; project administration; supervision; visualization. Saikat Chakrabarti: Investigation; project administration; visualization. Petra Raussi: Funding acquisition; project administration; visualization. Avinash Kumar: Investigation; methodology.

ACKNOWLEDGEMENTS

This research has been performed using the ERIGrid 2.0 Research Infrastructure and is part of a project that has received funding from the European Union's Horizon 2020 Research and Innovation Programme under the Grant Agreement No. 870620. The support of the European Research Infrastructure ERIGrid 2.0 and its partner VTT Lab is very much appreciated. The above discussed real-time simulation results are obtained in VTT Intelligent Energy testbed through ERIGrid 2.0 project and Department of Electrical Engineering, MNNIT Allahabad and Department of Electrical Engineering, IIT Kanpur, India via the project SERB/CRG/2019/000951.

CONFLICT OF INTEREST STATEMENT

The authors declare no conflicts of interest.

DATA AVAILABILITY STATEMENT

Data sharing is not applicable to this article as no new data were created or analysed in this study.