# Intelligent data attacks against power systems using incomplete network information: a review

## Abstract

With the integration of information technologies, power system operations are increasingly threatened by cyber-attacks. It has even been revealed that an attacker can inject false data into real-time measurements stealthily without knowing the full configuration (e.g., network topology) of a power system. In this paper, we present a comprehensive review on false data injection attacks which utilize barrier conditions, blind identification techniques and data driven approaches to overcome limitations of incomplete network information. We also point out future research topics for facilitating the detection and prevention of such false data attacks.

## Keywords

Cyber security False data injection attack Incomplete network information Power system state estimation## 1 False data attack model

The reliable and safe operation of power systems is crucial to the economy and homeland security of a nation [1, 2]. However, the operational security of modern power systems is being challenged by the high integration of information technologies [3, 4]. In fact, to monitor the real-time operation state of a power system, an increasing number of sensors and meters are being installed to collect the real-time measurements (such as bus voltages and line power flows) which are then transmitted to the control center. Power system operators make energy management decisions based on the received measurements that collectively contribute to the situational awareness of power system operations. These sensors and meters are therefore regarded as the eye of a power system. There will be certain uncontrollable noises in the real-time measurements due to the mechanical flaw of meters and measuring errors. To detect and screen out potential bad data, state estimation is employed in energy management system (EMS) to determine the most likely operating condition of the power system based on redundant power grid measurements. Random noises are not correlated with the physical characteristic of a power system, so they will increase the residual in the state estimation.

*r*is calculated:

Then the overall residual of the power system will remain the same as if there were no bad data. That is, if the original data can pass the bad data detection, the corrupted data will escape from detection in the same manner. Therefore, this kind of false data injection attacks can hardly be detected.

DC state estimation provides us a fast and simple method to estimate the operating condition of a power system. However, it ignores bus voltages, reactive power flows and line losses. To better reflect the operating condition of the power system, AC state estimation is usually used in practical power system applications.

*depends on the current state of the system so that (3) is rewritten as [7]:*

**H**We can see that the injected false data * a* depends on the current state of the power system. In other words, the attacker has to obtain or estimate the system state to construct the undetectable false data

*. Since only a few number of phasor measurement units (PMUs) have been instated in power systems, phase angles at most buses are unavailable. Consequently, it will be more difficult for an attacker to launch false data attack against AC state estimation.*

**a**Recently, false data injection attack has attracted intensive research interests. Significant efforts have been dedicated to reveal the wide impacts of false data injection attacks on economic operation [8, 9], transmission line power flows [10, 11, 12], real-time electric market [13, 14, 15], transient stability [16, 17], real-time topology [18, 19], line outage detection [20], PMU data quality [21, 22], microgrids [23, 24], automation generation control (AGC) [25, 26] and so on. Note that the existing models have a common drawback that limits their applications. It is known that the Jacobian matrix * H* is determined by the topology and line parameters of a power network. Thus, an attacker has to obtain the full topology and network parameters of the entire power system to construct the undetectable false data. As will be discussed later, this is an impractical assumption. In this paper, we review the existing literatures on false data injection attacks based on both DC and AC power flow models under the assumption of incomplete network information.

The rest of this paper is organized as follows. Section 2 discusses the motivation of developing a local model for false data injection attacks. Sections 3–7 investigate the local attack mechanism (with incomplete network information) based on barrier conditions, blind identification and data driven approaches. Section 8 further discusses three special cases for the local false data attacks. Finally, Sects. 9 and 10 discuss the future work and conclude the paper.

## 2 Why we need local attack model?

- 1)
The amount of required power grid data is huge

Numbers of buses and lines in different systems

Power grid | No. of nodes | No. of lines |
---|---|---|

IEEE 300 | 300 | 409 |

IEEE 2383 | 2383 | 2886 |

IEEE 3120 | 3120 | 3693 |

IEEE 6515 | 6515 | 8104 |

IEEE 13659 | 13659 | 20467 |

- 2)
Power grid data are difficult to obtain

On the other side, power grid is a critical infrastructure whose reliable and safe operation is very important to the economy prosperity and homeland security of a nation. In particular, the complicated international environment drives attackers to attack power grids. The number of cyber-attacks against power grids keeps increasing. An attacker can identify the weakness of a power system and launch a cyber or physical attack that will bring in severe consequences to the power system operation. Given these reasons, sensitive power system data are adequately protected. As a result, it is difficult for an attacker to access or obtain these data.

- 1)
Undetectable. As the EMS uses the bad data detection procedure to remove the interruption of false data on the state estimation, the first thing for an attacker is to design the false data that can escape from being identified as bad data. One possible method is to inject the false data that obey the physical laws of the power system, such as Kirchhoff Current Law (KCL) and Kirchhoff Voltage Law (KVL). By doing so, the injected false data will not increase the residual of the state estimation and eventually avoid being detected.

- 2)
Reduced requirement of network information. As discussed, an attacker needs to obtain the topology and line parameters of a power grid for making the injected data undetectable. However, it is difficult to for an attacker to obtain this information due to the security issue. So, from the perspective of an attacker, a more practical strategy is to compress the requirement of network information.

- 3)
Severe consequence of data attacks. The ultimate goal of a cyber-attack is to pose severe consequences to the power system operation, e.g., transmission line outage, loss of loads, increased operation cost. So, an attacker is always active in finding the vulnerability of a power grid and then launches a cyber-attack against it.

Once these three conditions are met, such an attack can be defined as an intelligent data attack.

## 3 Attack model based on DC barrier condition

In this section, we first investigate the attack mechanism of false data injection attack based on incomplete network information and DC power flow equations.

### 3.1 DC model

We proved the following theorem in [28].

### **Theorem 1**

*r*; \(\Delta {\varvec{P}}_{\text{A}}\) is the injected bus power injection vector in region A.

Then, the power flows in region N remain the same under the false data injection.

Theorem 1 tells that if we enforce all the changes of phase angles at the boundary buses in region A to be the same, no additional power exchange will occur between region A and the outer region. This phenomenon is referred as to the *barrier effect of power flows*. Constraint (5) is the *barrier conditions* for the DC case.

We can see that the boundary conditions met by the attacking region A enable an attacker to design the undetectable false data (that follows KCL and KVL) based on the topology and network parameters of the local attack region. There is no necessity of obtaining the network information in the outer region. The local model indicates that an attacker can launch a successful false data by paying a very low cost.

Followed by our work, a lot of research has been carried out to reveal the attack mechanism based on barrier effect of power flows.

A bilevel optimization model was proposed in [29] to evaluate the impacts of local false data attacks on the long-term power supply reliability. In the lower level, to avoid having access to the topology and line parameters of the entire power network, the authors adopted the barrier conditions to limit the additional power flows within the attacking region. Later, the impacts of the local load redistribution attacks with incomplete network information on power supply adequacy was also investigated in [30]. The attack process for modifying the measurements is modeled by the semi-Markov model.

Li et al. in [31] studied the local coordinated cyber-physical attack scheme using the incomplete network information. This is achieved by estimating the reactance of lines in the attacking region and replacing the non-attacking region with its equivalent network. It was demonstrated that such an attack can mask the outage of transmission lines.

Sun et al. [32] proposed a false data proportional attack, in which an attacker could construct the false data that is able to avoid the traditional bad data detection method just based on the topology information of a local region. The line parameters of transmission lines are not needed. In addition, it was proved that the injected false data can be adjusted proportionally when the measurement of a bus and transmission-line data is changed.

Ly et al. [33] employed the proposed local attack scheme in [28] to examine the rerouting strategy for defending false data attacks in power systems by increasing the power grid topology complexity. An algorithm was developed to evaluate the probability of a successful false data attack for a particular topology and status of circuit breakers.

The authors in [34] introduced a practical attack scheme using limited network information. Considering the limited information of the attacker, a multiple linear regression model was introduced to learn the relationship between the attack region and the outer subnetwork based on historical data. A bilevel optimization problem was set up to identify the most damaging consequences of the attack to the operation of the power system.

Zhang et al. [35] proposed a false data attack model with limited network information, in which an attacker has perfect knowledge of the network information of the targeted subnetwork but has only estimated knowledge of the power transfer distribution factor. It was revealed that such an attack scheme is able to avoid the traditional bad data detection.

### 3.2 Feasibility theorem

It should be pointed out that the boundary conditions will impact the feasibility of the DC power flows in region A when the phase angles at boundary buses are set the same value. So, it is necessary to develop a simple method to find a feasible region. A feasible attack region is defined as the region in which a nonzero attack vector can be constructed.

According to the graph theory, we in [28] introduced the following two theorems to find a feasible region.

### **Theorem 2**

Suppose a power grid is decomposed into two regions A and N connected by a set of lines (tie lines). Suppose the attacking region A consists of \(\rho\) non-boundary buses and \(\sigma\) boundary buses. If there are at most \(q = \rho - 1\) non-attackable bus injection measurements in region A, then there exists a feasible non-zero attacking vector.

Theorem 2 can also be extended to include the cases where the attacking region A is disconnected and/or the non-attacking region N is disconnected, as shown in Theorem 2E.

### **Theorem 2E**

Suppose a power grid is decomposed into an attacking region A and a non-attacking region N connected by a set of lines (tie lines). Suppose the attacking region A consists of \(\rho\) non-boundary buses and \(\sigma\) boundary buses. The \(\sigma\) boundary buses in A are connected to \(n\) non-attacking islands. If there are at most \(q = \rho + n - 2\) non-attackable bus injection measurements in region A, then there exists a feasible non-zero attacking vector.

According to Theorems 2 and 2E, the only thing that we need to do is to count the number of buses. We use the following example to illustrate the two proposed feasibility theorems.

*α*and

*β*are the corresponding bus phase increment, the attacking region includes three boundary buses. There is only one non-boundary bus in the attacking region, so \(\rho = 1.\) The non-attacking region is connected, \(n = 1\). We can see that \(q > \rho + n - 2\), and thus Theorem 2 is not satisfied. That is, the attacking region is infeasible. However, as shown in the right of Fig. 2, if we add one attackable bus into the attacking region, \(\rho = 2\) and \(q \le \rho + n - 2\). Theorem 2 is then satisfied and the attacking region is feasible.

### 3.3 Optimizing the attacking region

As discussed in Sect. 2, it is difficult for an attacker to get the line parameters due to the security issues. Although the local DC model reveals that an undetectable attack vector can be constructed using incomplete network information, the following concern needs to be addressed instead: How much information is needed for launching a successful attack, given the fact that an attacker hopes to perform a successful false data injection with the same impact but based on as little information as possible?

The whole algorithm can be summarized as follows [36]:

*Step 1*: Determine an initial attacking region of a target component.

*Step 2*: Obtain the parameters of all lines in the attacking region.

*Step 3*: Set the phase angles at boundary buses the same value and then determine the feasibility of the attacking region.

*Step 4*: If a feasible attacking region is found, stop. Otherwise, go to *Step 5*.

*Step 5*: Expand the attacking region, go to *Step 2*.

As the attacking region starts from a small one, the size of the final attacking region will be controlled not to be unnecessarily large. Accordingly, the numbers of buses and lines included in the final attacking region will be relatively small compared to global models. So, the attacking cost to obtain the network information can be reduced significantly.

## 4 Attack model based on AC barrier condition

In this section, we continue to investigate the attack mechanism against AC state estimation based when the network information obtained by attackers is incomplete.

### 4.1 Local model

*is not constant under various operating conditions. In this sense, the boundary conditions (5) for ensuring the barrier effect of power flows are not valid. It is essential for us to develop new boundary conditions for the AC case. As shown in Fig. 4 [37], similar to the DC case, the power system is supposed to be decomposed into the attacking region A and non-attacking region N.*

**H**- 1)
The false data injected into the attacking region follows KCL and KVL;

- 2)
The voltage magnitudes at the boundary buses in the attacking region are set to the values of the corresponding measurements;

- 3)
The flows on the tie lines are set to the corresponding measurements.

### 4.2 Estimating phase angle difference

*b*and

*d*(see Fig. 5 [37]), if we find a path

*k*that connects these two buses (e.g., \(b, d\)), then it is trivial to prove that (10) holds [37],

*k*.

Constraint (10) indicates that one can select a path \(k\) that connects buses *b* and *d*, and then sum the angle differences of all lines along the path to determine the value of \(\theta_{b} - \theta_{d}\). By doing so, an attacker does not need to obtain the actual phase angles. However, the challenge here is how to calculate the angle difference of a line without knowing the phase angles at its terminal buses.

*i*

*-*

*j*is:

There is a trend that the greater the ratio of reactance \(X\) to resistance \(R\) of a line is, the smaller the difference would be. This motivates us to find a best path that has the largest average ratio of reactance to resistance [37].

Next, we introduce another approach to estimate the angle difference of line.

From (12), it can be observed that the line flow is actually determined by the angle difference of the line instead of actual values of phase angles. This provides a method to estimate the angle difference of a line using the associated bus voltage and line flow measurements.

The estimating principle of the angle difference of line *i**-**j* is explained as follows.

*i*

*-*

*j*is:

*i*; \(g_{ij}\) and \(b_{ij}\) are the parameters of line

*i*

*-*

*j*.

This implies that (17) has a unique solution that satisfies constraint (18).

Once angle differences among boundary buses in the attacking region are determined, the attacker can choose one of these boundary buses as the reference bus and set its phase angle to be zero and determine the corresponding phase angles for the other buses without changing their angle differences.

## 5 Attack model based on blind identification

In this section, we will review the existing literatures that study local attack schemes using incomplete network information based on blind identification techniques.

Anwar et al. [38] showed that a stealthy attack vector can be constructed without any topology information and line parameters of a power grid. They demonstrated that the subspace transformation methods of the measurement matrix can be used to generate a hidden attack. However, such an attack scheme is only valid for the cases where measurement errors are identical to Gaussian noises. In the presence of gross errors, the injected false data will still trigger the alarm of the bad data detection procedure. To overcome this issue, a technique was developed to ensure the stealth of false data if the gross error exists.

The authors in [39] introduced a strategy to mask the sensitive information of a power grid when solving the multi-party AC optimal power flow problem in a public platform. In the attack model, the attacker has knowledge of the general AC optimal power model, but has no knowledge of the topology and parameters of the power grid. It was revealed that the topology information of a power grid may be identified if the rank information of the constraints is inferable.

The authors in [40] studied the principle of blind false data injection attacks using the principal component approximation method without knowing the Jacobian matrix and the distribution of state variables. The principal component analysis (PCA) is used to transform the measurement vector into a linear combination of several vectors with uncorrelated components. The simulation results demonstrated the stealth of the attack vector generated by the PCA matrix.

In [41], Chin et al. analyzed the blind attack scheme against the AC state estimation in a power system. The geometric approach was adopted to relax the strong assumption such that an attacker does not need to obtain the full topology and line parameter information. The criteria for successful AC blind and non-blind false data attacks (FDAs) are derived. Specifically, an attacker can modify the state of the targeted bus if the additional information of the original system states is known to this attacker.

## 6 Attack model based on data-driven approaches

In this section, we will review the existing literature that study local attack schemes using incomplete network information based on data driven techniques.

In [42], Xie et al. proposed a data driven approach to realize an undetectable false data injection attack with incomplete network information. The principle is to relax the system matrix used for constructing the injected false data. It was proved that such knowledge can be learned by a two-stage approach. In the first stage, a blind identification approach is employed to estimate the incomplete system matrix using a sequence of intercepted meter data. In the second stage, the estimated system matrix is used to construct the attack vector by a sparsity-exploiting method.

Chen et al. in [43] proposed a new strategy of false data injection attacks to disrupt the normal operation of a power system regulated by automatic voltage controls (AVC). Such an attack can be launched by an attacker who has little knowledge of the entire power grid. A partial observable Markov decision process is used to determine the optimal attack strategy. Moreover, a Q-learning algorithm with nearest sequence memory is used to realize the real-time data attack.

In [44], the authors proposed an alternative data-driven approach to construct stealthy attacks using only the subspace network information of the measurement signals without any requirement on the prior knowledge of the system states. However, such an attack scheme will fail if the measurement signals contain missing values. In this case, low-rank and sparse matrix approximation techniques are utilized to overcome this issue. By doing so, the injected false data is able to escape from the bad data detection.

Considering the difficulty of obtaining the information, Kim et al. in [45] proposed the subspace method to learn the system operating subspace from measurements. The feasibility conditions for an unobservable subspace attack are derived under both full and limited measurement assumptions. After the system subspace is estimated, two attack strategies are presented to ensure the impacts of such an attack to the operation of the system. The first one is to affect the system state directly by hiding the attack vector in the system subspace. The second strategy induces the operator to remove the normal data.

In [46], the authors further developed a data framing attack strategy which can impact the process of state estimation by an arbitrary level under the condition that only half of the critical measurements are acquired by the attackers. This type of stealthy attacks uses the subspace information of power systems measurements and exploits normal meter measurements as sources of malicious data. It is shown that the framing attack is able to misguide the operator to remove critical measurements from the framed meters, and the attacker can adjust the disturbance degree by carefully selecting a delicate attack magnitude.

## 7 Other local attack models

In Sects. 3–6, we will review local attack models that use limited network information of a power grid based on barrier conditions, blind identification and data driven approaches. Besides, there are several other local attack models.

The authors in [47] investigated the possibility of launching an undetectable false data injection attack without the prior knowledge of the power grid topology. The results show that the Jacobian matrix of a power grid can be approximately estimated by the linear independent component analysis when the system dynamics are small. Once the Jacobian matrix is estimated, the attacker can use it to design the injected false data that can pass the bad data detection procedure.

Tajer et al. in [48, 49, 50] investigated the attack strategy for an attacker who only has limited and imperfect information about the power grid. An optimal attack strategy was designed to ensure the economic profit of such an attack while taking into account the bounded errors of the knowledge of the power grid network information.

Bi et al. [51] introduced an optimal undetectable data attacks against the DC state estimation with partial topological knowledge. In particular, it was proved that such topological information is not required for constructing the undetectable false data if a power grid has a special structure, e. g., bridge structure. A Min-Cut method was proposed to minimize the required topological information.

Following the local attack scheme in [28], Deng et al. in [52] proposed an attack model against distribution system state estimation. Specifically, the authors discussed the strategy to avoid having the complete knowledge of the network topology and related parameters. Similarly, it is shown that an attacker can estimate system state only with the knowledge of power flow or power injection measurements. Moreover, it was also demonstrated that the states of buses in a local region can be obtained by accessing a small number of power flow or injection measurements.

## 8 Discussions on special cases

In this section, we will further discuss three special cases in which the required network information can be further reduced for constructing an undetectable attack vector.

### 8.1 Tree topology

*n*buses, then the number of lines is

*n*

*−*1. It is easy to prove that

Constraint (21) implies that for any power flow vector, KVL constraint in DC power flow equations can be ignored.

By doing so, we only need to obtain the topology information of a power grid for determining DC power flows, when the resistance of lines is not required. Accordingly, the attacking cost is reduced significantly.

### 8.2 Single loop

Since the power grid does not hold a tree topology, the KVL constraint cannot be discarded. That is, an attacker needs to obtain the parameters of these lines to construct the undetectable false data.

The outage of a line can be simulated by injecting a pair of additional power vector. Accordingly, we further proposed a topology attack scheme in which an attacker injects false data into buses to change the real-time topology of a power grid sensed by the control center [19].

Considering the case where the attacker disconnects one line in the single loop, it becomes a tree power network. Differently, this topology modification is not achieved by a physical attack, but by a false data injection attack. That is, an attacker changes the breaker status of one line from 1 to 0 by injecting false measurements.

In practice, a large number of PMUs have been installed to detect the outage of a line. According to the principle of line outage detection, the goal of the attacking is to minimize the residual (22) by injecting false data into a set of measurements [20].

By doing so, the residual used to detect the outage line in the PMUs based detection method will be disrupted.

- 1)
The false data injected into the attacking region follows KCL and KVL;

- 2)
The injected false data can simulate the outage of one line in this single loop;

- 3)
The injected false data can minimize the residual value in (22) such that the PMU based line detection becomes invalid.

### 8.3 Single tie line

When the AC power flow model is adopted, as discussed in Sect. 4, an attacker needs to estimate the phase angle differences among boundary buses in the attacking region A. In this section, we further consider a special case where an attacking region is connected to the non-attacking region N through a single tie line.

In this case, one question needs to be reinvestigated: is there a need to estimate the angle difference?

*b*is \(\alpha\), if we revise its phase angle to \(\beta\), then the error \(\tau\) will be

We can see that the angle difference of tie line *b*-*d* will not be changed. Since the power flow of a line is dependent on the angle difference of a line, rather than the actual phase angles at the terminal buses. This indicates that we can randomly assign a value to the phase angle at the boundary bus in region A.

In fact, since a power grid is highly sparse network, the ratio of the number of lines to the number of buses is usually below 1.5. As a result, such cases are not common in practice. For example, a sub-network is connected to another sub-network through a HVDC tie line. In this case, the local attack scheme can be applied.

## 9 Future work

- 1)
Attack mechanism against power dispatch without network parameters

We have reviewed several local attack mechanisms for launching false data injection attacks. However, in these models, the focus is to construct an undetectable attack vector based on incomplete network information. It remains to discuss sufficiently how to ensure these data can significantly impact the operation of power systems, e.g., *N*−*k* contingency analysis [53], dispatch security [54]. This will be investigated in our future work.

- 2)
Local attack mechanism against distribution systems with incomplete network information

- 3)
Effective detection methods

It is revealed that an attacker can launch an effective false data attack to pose severe consequences to a power system. Moreover, such an attack only requires an attacker to attack a small number of measurements with a few amount of topology and network information. So, it is necessary to develop some effective detection methods to defend against such attacks. The detection method should sufficiently considers the decision-making intelligence of an attacker. That is, the attack intelligence discussed in Sect. 2 might provide clues for developing some effective detection methods. On the other hand, increasing the complexity and unpredictability of state estimation could be an alternative countermeasure.

## 10 Conclusion

Today’s power systems are subject to increasingly frequent cyber-attacks due to the integration of information technologies. The existing models for analyzing malicious behaviors of an attacker share one shortcoming that the full network information of a power grid must be available to the attacker. To address this issue, we perform a literature review on false data injection attacks using incomplete network information based on barrier conditions, blind identification and data driven approaches. We also discussed several special cases in which an attacker can launch an effective data attack without knowing line parameters. These studies provide a more practical model to analyze the attack behaviors and highlight the cyber risk of power systems, as an attacker is possible to launch a successful false data injection attack after obtaining a limited amount of network information.

## Notes

### Acknowledgments

This work was supported by National Natural Science Foundation of China (No. 51777062), National key research and development program (No. 2018YFB0904200) the Fundamental Research Funds for the Central Universities, and Hunan science and technology project (No. 2017XK2014).

## References

- [1]Carreras BA, Lynch VE, Dobson I et al (2002) Critical points and transitions in an electric power transmission model for cascading failure blackouts. Chaos Interdiscip J Nonlinear Sci 12(4):985–994MathSciNetCrossRefMATHGoogle Scholar
- [2]U.S.-Canada Power System Outage Task Force (2004) Final report on the August 14, 2003 blackout in the United State and Canada: causes and recommendations. https://reports.energy.gov/. Accessed 1 January 2004
- [3]Ma R, Chen HH, Huang YR et al (2013) Smart grid communication: its challenges and opportunities. IEEE Trans Smart Grid 4(1):36–46CrossRefGoogle Scholar
- [4]National Institute of Standards and Technology (2011) NISTIR 7628 revision 1: guidelines for smart grid cyber security. https://www.nist.gov/sites/default/files/documents/smartgrid/nistir-7628_total.pdf. Accessed August 2010
- [5]Abur A, Exposito A (2004) Power system state estimation: theory and implementation. CRC Press, Boca Raton. https://doi.org/10.1201/9780203913673 CrossRefGoogle Scholar
- [6]Liu Y, Ning P, Reiter MK (2009) False data injection attacks against state estimation in electric power grids. In: Proceedings of the 16th ACM conference on computer and communications security, Chicago, USA, 9–13 November 2009, pp 21–32Google Scholar
- [7]Hug G, Giampapa JA (2012) Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks. IEEE Trans Smart Grid 3(3):1362–1370CrossRefGoogle Scholar
- [8]Yuan Y, Li Z, Ren K (2011) Modeling load redistribution attacks in power systems. IEEE Trans Smart Grid 2(2):382–390CrossRefGoogle Scholar
- [9]Liu X, Li Z, Shuai Z et al (2017) Cyber attacks against the economic operation of power systems: a fast solution. IEEE Trans Smart Grid 8(2):1023–1025Google Scholar
- [10]Liu X, Li Z (2017) Trilevel modeling of cyber attacks on transmission lines. IEEE Trans Smart Grid 8(2):720–729Google Scholar
- [11]Che L, Liu X, Shuai Z et al (2018) Cyber cascades screening considering the impacts of false data injection attacks. IEEE Trans Power Syst. https://doi.org/10.1109/TPWRS.2018.2827060 Google Scholar
- [12]Che L, Liu X, Li Z (2018) Mitigating false data attacks induced overloads using a corrective dispatch scheme. IEEE Trans Smart Grid. https://doi.org/10.1109/TSG.2018.2817515 Google Scholar
- [13]Xie L, Mo Y, Sinopoli B (2011) Integrity data attacks in power market operations. IEEE Trans Smart Grid 2(4):659–666CrossRefGoogle Scholar
- [14]Ye H, Ge Y, Liu X et al (2016) Transmission line rating attacks in two settlement markets. IEEE Trans Smart Grid 7(3):1346–1355CrossRefGoogle Scholar
- [15]Jia L, Kim J, Thomas RJ et al (2014) Impact of data quality on real-time locational marginal price. IEEE Trans Power Syst 29(2):627–636CrossRefGoogle Scholar
- [16]Mo Y, Kim THJ, Brancik K et al (2012) Cyber-physical security of a smart grid infrastructure. Proc IEEE 100(1):195–208CrossRefGoogle Scholar
- [17]Mo Y, Sinopoli B (2010) False data injection attacks in control systems. In: Proc. 1st workshop secure control syst., Stockholm, SwedenGoogle Scholar
- [18]Kim J, Tong L (2013) On topology attack of a smart grid: undetectable attacks and countermeasures. IEEE J Sel Areas Commun 31(7):1294–1304CrossRefGoogle Scholar
- [19]Liu X, Li Z (2017) Local topology attacks in smart grids. IEEE Trans Smart Grid 8(6):2617–2626CrossRefGoogle Scholar
- [20]Liu X, Li Z (2016) Masking transmission line outage detection via false data attacks. IEEE Trans Inf Forensics Secur 11(7):1592–1602CrossRefGoogle Scholar
- [21]Jiang X, Zhang J, Harding B et al (2013) Spoofing GPS receiver clock offset of phasor measurement units. IEEE Trans Power Syst 28(3):3253–3262CrossRefGoogle Scholar
- [22]Zhang Z, Gong S, Dimitrovski A et al (2013) Time synchronization attack in smart grid: impact and analysis. IEEE Trans Smart Grid 4(1):87–98CrossRefGoogle Scholar
- [23]Liu X, Shahidehpour M, Li Z et al (2017) power system risk assessment in cyber attacks considering the role of protection systems. IEEE Trans Smart Grid 8(2):572–580Google Scholar
- [24]Liu X, Shahidehpour M, Cao Y et al (2017) Microgrid risk analysis considering the impact of cyber attacks on solar PV and ESS control systems. IEEE Trans Smart Grid 8(3):1330–1339CrossRefGoogle Scholar
- [25]Huang T, Satchidanandan B, Kumar PR et al (2018) An online detection framework for cyber-attacks on automatic generation control. IEEE Trans Power Syst. https://doi.org/10.1109/TPWRS.2018.2829743 Google Scholar
- [26]Tan R, Nguyen HH, Foo EY et al (2017) Modeling and mitigating impact of false data injection attacks on automatic generation control. IEEE Trans Inf Forensics Secur 12(7):1609–1624CrossRefGoogle Scholar
- [27]Zimmerman RD, Murillo-Sánchez CE, Thomas RJ (2011) MATPOWER: steady-state operations, planning and analysis tools for power systems research and education. IEEE Trans Power Syst 26(1):12–19CrossRefGoogle Scholar
- [28]Liu X, Li Z (2014) Local load redistribution attacks in power systems with incomplete network information. IEEE Trans Smart Grid 5(4):1665–1676CrossRefGoogle Scholar
- [29]Xiang Y, Ding Z, Zhang Y et al (2017) Power system reliability evaluation considering load redistribution attacks. IEEE Trans Smart Grid 8(2):889–901Google Scholar
- [30]Ding Z, Xiang Y, Wang L (2016) Quantifying the influence of local load redistribution attack on power supply adequacy. In: Proceedings of 2016 IEEE power and energy society general meeting (PESGM), Boston, USA, 17–21 July 2016, pp 1–5Google Scholar
- [31]Li Z, Shahidehpour M, Alabdulwahab A et al (2018) Analyzing locally coordinated cyber-physical attacks for undetectable line outages. IEEE Trans Smart Grid 9(1):35–47CrossRefGoogle Scholar
- [32]Sun Y, Li WT, Song W et al (2015) False data injection attacks with local topology information against linear state estimation. In: Proceedings of 2015 IEEE innovative smart grid technologies—Asia (ISGT ASIA), Bangkok, Thailand, 3–6 November 2015, pp 1–5Google Scholar
- [33]Ly K, Kwiat K, Kamhoua C et al (2017) Approximate power grid protection against false data injection attacks. In: Proceedings of 2017 IEEE 15th intl conf on dependable, autonomic and secure computing, 15th intl conf on pervasive intelligence and computing, 3rd intl conf on big data intelligence and computing and cyber science and technology congress (DASC/PiCom/DataCom/CyberSciTech), Orlando, USA, 6–10 November 2017, pp 527–533Google Scholar
- [34]Zhang J, Chu Z, Sankar L et al (2018) Can attackers with limited information exploit historical data to mount successful false data injection attacks on power systems? IEEE Trans Power Syst. https://doi.org/10.1109/TPWRS.2018.2818746 Google Scholar
- [35]Zhang J, Chu ZG, Sankar L et al (2016) False data injection attacks on power system state estimation with limited information. In: Proceedings of 2016 IEEE power and energy society general meeting (PESGM), Boston, USA, 17–21 July 2016, pp 1–5Google Scholar
- [36]Liu X, Bao Z, Lu D et al (2015) Modeling of local false data injection attacks with reduced network information. IEEE Trans Smart Grid 6(4):1686–1696CrossRefGoogle Scholar
- [37]Liu X, Li Z (2017) False data attacks against AC state estimation with incomplete network information. IEEE Trans Smart Grid 8(5):2239–2248CrossRefGoogle Scholar
- [38]Anwar A, Mahmood AN (2016) Stealthy and blind false injection attacks on SCADA EMS in the presence of gross errors. In: Proceedings of 2016 IEEE power and energy society general meeting (PESGM), Boston, USA, 17–21 July 2016, pp 1–5Google Scholar
- [39]Wu D, Lesieutre BC, Ramanathan P et al (2016) Preserving privacy of AC optimal power flow models in multi-party electric grids. IEEE Trans Smart Grid 7(4):2050–2060CrossRefGoogle Scholar
- [40]Yu ZH, Chin WL (2016) Blind false data injection attack using PCA approximation method in smart grid. IEEE Trans Smart Grid 6(3):1219–1226MathSciNetCrossRefGoogle Scholar
- [41]Chin WL, Lee CH, Jiang T (2017) Blind false data attacks against AC state estimation based on geometric approach in smart grid communications. IEEE Trans Smart Grid. https://doi.org/10.1109/TSG.2017.2708114 Google Scholar
- [42]Xie S, Yang J, Xie K et al (2017) Low-sparsity unobservable attacks against smart grid: attack exposure analysis and a data-driven attack scheme. IEEE Access 5:8183–8193CrossRefGoogle Scholar
- [43]Chen Y, Huang S, Liu F et al (2018) Evaluation of reinforcement learning based false data injection attack to automatic voltage control. IEEE Trans Smart Grid. https://doi.org/10.1109/TSG.2018.2790704 Google Scholar
- [44]Anwar A, Mahmood AN, Pickering M (2016) Data-driven stealthy injection attacks on smart grid with incomplete measurements. In: Intelligence and security informatics. Springer International Publishing, pp 180–192Google Scholar
- [45]Kim J, Tong L, Thomas RJ (2015) Subspace methods for data attack on state estimation: a data driven approach. IEEE Trans Signal Process 63(5):1102–1114MathSciNetCrossRefGoogle Scholar
- [46]Kim J, Tong L, Thomas RJ (2013) Data framing attack on state estimation with unknown network parameters. In: Proceedings of 2013 Asilomar conference on signals, systems and computers, Pacific Grove, USA, 3–6 November 2013, pp 1388–1392Google Scholar
- [47]Esmalifalak M, Nguyen H, Zheng R et al (2011) Stealth false data injection using independent component analysis in smart grid. In: Proceedings of 2011 IEEE international conference on smart grid communications (SmartGridComm), Brussels, Belgium, 17–20 October 2011, pp 244–248Google Scholar
- [48]Mengis M, Tajer A (2017) Data injection attacks on electricity markets by limited adversaries: worst-case robustness. IEEE Trans Smart Grid. https://doi.org/10.1109/TSG.2017.2695120 Google Scholar
- [49]Tajer A (2017) False data injection attacks in electricity markets by limited adversaries: stochastic robustness. IEEE Trans Smart Grid. https://doi.org/10.1109/TSG.2017.2733346 Google Scholar
- [50]Xue M, Tajer A (2016) Robust false data injection attacks in electricity markets by limited adversaries. In: Proceedings of 2016 50th Asilomar conference on signals, systems and computers, Pacific Grove, USA, 6–9 November 2016, pp 1370–1374Google Scholar
- [51]Bi S, Zhang YJ (2014) Using covert topological information for defense against malicious attacks on DC state estimation. IEEE J Sel Areas Commun 32(7):1471–1485CrossRefGoogle Scholar
- [52]Deng R, Zhuang P, Liang H (2018) False data injection attacks against state estimation in power distribution systems. IEEE Trans Smart Grid. https://doi.org/10.1109/TSG.2018.2813280 Google Scholar
- [53]Che L, Liu X, Li Z (2017) A mixed integer programming model for evaluating hidden probabilities of
*N−k*line contingencies in smart grids. IEEE Trans Smart Grid. https://doi.org/10.1109/TSG.2017.2758389 Google Scholar - [54]Che L, Liu X, Li Z (2018) An intra-interval security risk regarding regulation burden due to wind variation in high-wind-penetrated power systems. IEEE Trans Power Syst 33(3):3213–3216CrossRefGoogle Scholar

## Copyright information

**Open Access**This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.