This article has been accepted for inclusion in a future issue of this journal.
Content is final as presented, with the exception of pagination.
IEEE SYSTEMS JOURNAL
Performance of Electric Power Systems
Under Physical Malicious Attacks
Evangelos I. Bilis, Wolfgang Kröger, and Cen Nan
Abstract—This paper focuses on deliberate acts aimed at the
disruption of the electric power infrastructure and their impact
on its operational capability. Metrics derived from complex net-
work theory and social network analysis are used to identify the
important elements of the electric power transmission grid. Using
the outcomes of this screening procedure as a guide, a number
of physical attack scenarios have been fabricated and applied.
The nature of these scenarios is either deterministic (targeted
attacks) or stochastic (sets of elements are randomly attacked).
We appraise the effect of these attacks on the serviceability of
the electric power system by modeling of potential cascading
events through calculation of transmission grid components’
loading, a Monte Carlo simulation of hidden failures, and,
finally, operator performance analysis based on a simple human
reliability model. The effect of each attack scenario is quantified
in terms of the blackout size (electric-power-not-served). To
illustrate the application of the developed model to the security
assessment of targeted physical attacks against the electric power
infrastructure, the Swiss transmission grid is taken as the test
system.
Index Terms—Cascading failures, centrality metrics, complex
systems, industrial power system vulnerability, physical attacks.
I. Introduction
NERGY infrastructures have long been subject to de-
E liberate physical attacks in addition to cyber attacks
against their communication and control systems. A large
portion of these physical attacks were toward the electric
power infrastructure [1]–[8]. Today, with the omnipresent
threat of terrorism in industrialized countries, potential de-
liberate attacks against electric power systems (EPS) receive
extensive attention. A 2002 U.S. National Research Council
panel stated that “a coordinated attack on a selected set
of key points in the system could result in a long-term,
multi-state blackout” [9]. Concerns include the impact on
the electric power infrastructure from a possible physical
attack, the economic and social consequences of the latter, and
finally, discovering ways to impend potential attackers and to
mitigate the effects of such an attack. Many countries, having
realized the consequences of a targeted attack against their
Manuscript received August 14, 2010; revised October 29, 2010; accepted
November 1, 2010. This work was supported in part by the Swiss Federal
Office for Energy and Swisselectric Research.
The authors were with the former Laboratory of Safety Analysis,
Swiss Federal Institute of Technology, Zürich 8092, Switzerland (e-mail:
bilis@mavt.ethz.ch; wkroeger@ethz.ch).
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/JSYST.2012.2223512
1932-8184/$31.00 
c 2012 IEEE
1
electric power infrastructure, have already taken steps toward
investigating the above concerns [10], [11].
Attempts to capture the effect of physical malicious attacks
against electric power systems range from lessons learnt
from historical records and enumeration of the critical points
of an EPS [12], [13] to the use of game theory concepts,
where the interaction between the threat and the defender
is envisaged as a game [8], [14]. Some simulation attempts
focus on evaluating defense strategies [8], while others take
the defense scheme as given and try to quantify the economic
impact of a potential attack [15].
This paper quantifies the effects of postulated attacks against
components of the electric transmission infrastructure using a
hybrid approach: a complex network theory approach is used
to fabricate the attack scenarios on an EPS and a realistic
model of the latter is used to appraise the effect of these
scenarios. Section II debates the characteristics of antagonistic
attacks against EPSs and whether the latter pose tempting
targets. Section III introduces a methodology for identifying
the most critical nodes of a transmission grid. To achieve that,
topological metrics borrowed from complex network theory
and social network analysis are used. The selected nodes
act as the targets in a number of targeted attack scenarios.
Section IV analyzes the response of a power system, following
a disruptive attack on a set of its elements. During the
system response analysis, potential cascading events following
the postulated attack are taken into consideration. Section V
presents the simulated response of the Swiss transmission
system when sets of its components are damaged or destroyed
due to malicious physical attacks. The effect of the latter on the
serviceability of the former is quantified. Sections VI and VII
present the conclusion of the procedure introduced and future
model additions and extensions.
II. Physical Malicious Attacks Against the
Electric Power Infrastructure
In the last 15 years, major electric power outages worldwide
emphasized the vulnerability of electric power systems to a
wide range of phenomena and activities: natural disasters,
component failures, erroneous actions by the system opera-
tor(s), and even acts of malicious intent all contributed in one
way or another to these wide area blackouts.
In this paper, however, the physical aspect of acts of
malicious intent will be investigated. This threat has re-
ceived heightened attention since military campaigns, terrorist
attacks, and acts of vandalism or sabotage targeted in one
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
2 IEEE SYSTEMS JOURNAL
way or another the electricity infrastructure (e.g., in July 2010,
Baksanskaya hydro plant in the North Caucasus area was shut
down after an attack on the facility that left two people dead
[16]; NATO destroyed portions of the Serbian electric power
infrastructure in 1999 [4]). But what are the distinguishing
characteristics of targeted physical attacks as compared to
other more traditional threats and what makes the electric
power infrastructure a tempting target?
A. Deliberate Physical Attacks Against EPSs
Physical attacks, in contrast to other threats, e.g., natural
disasters, are deterministic in nature (attackers know which
components to target). Moreover, they share a number of
characteristics that make them stand out.
1) They are selective. Does a successful attack affect more
than the immediate victims? Does the target have a big
potential to produce disruptive and/or cascading events?
Is it loosely protected? It is more likely to be attacked
in this case [17].
2) They exhibit temporal selectivity. The time of the attack
is chosen so that the effects are maximized (e.g., in the
case of EPS, launch of the attack during peak time).
3) The effects of a successful physical attack are possible to
be aggravated either directly (secondary attacks against
the same target) or indirectly (instilled fear and exposure
to an uncommon situation prolongs restoration process).
B. EPS’s Vulnerability to Deliberate Physical Attacks
Electric power systems have some inherent attributes that
render them tempting to malicious attacks.
1) Since terrorist attacks aim at having the largest impact on
society, EPSs pose a credible target; besides the direct
economic damage of a massive blackout, lack of the
necessary can instill fear in the citizenry [17].
2) EPSs are extensive and usually distributed over a huge
geographic area. In conflict situations, remote facilities
(e.g., substations), transmission lines, and generators
pose tempting targets.
3) Critical elements are spatially concentrated (e.g., high
voltage substations) making them susceptible to com-
mon cause initiating events.
4) With the exception of nuclear plants and some gen-
erating stations, most EPS sites are loosely protected.
Moreover, as noted by NERC in [18], “Most elec-
tricity sector members do not have in place business
recovery plans that include procedures for dealing with
widespread, well-planned attacks on physical facilities.
Likewise, they do not include procedures for dealing
with deliberate attempts to hamper repair and restoration
activities.”
5) Many critical EPS components are stationed in outdoor
locations, where they are vulnerable to a number of
threats (sabotage, material scavenging, etc.).
6) Spares for some EPS components are rarely available
(due to storage space deficiency or cost). The logistics
following the incapacitation of such a device could be
lengthy (for high voltage transformers up to a year or
more).
7) Since the deregulation in the electricity sector, power
grids are operating closer to their limits. This makes
them more susceptible to cascading events and potential
wide-area blackouts following an initial system distur-
bance [19].
8) Materials used in the electric power grids (e.g., high-
quality copper for transmission lines) are tempting tar-
gets for scavengers (nondirect threat against the electric
power infrastructure).
To sum up, multiple sources of threats exist for the electric
power infrastructure (natural hazards, cyber attacks, etc.),
which probably pose a higher risk than physical threats [20],
[21]. Nevertheless, the EPSs have been physically attacked in
the past and nothing precludes future attempts against them. To
quote from [22], “Any legislation on national security threats
to reliability should address not only cyber security threat, but
also intentional physical malicious acts (targeting for example,
critical substations and generating stations).”
III. Fabrication of Attack Scenarios
In this section, a number of attack scenarios against the
electric energy infrastructure are fabricated. Complex network
theory is used to form the sets of EPS elements assumed as
the salient targets in these scenarios. The selection of high
voltage substations (and transmission lines in the random
attack scenarios, as described in Section III-C) as the only
potential targets of physical attacks was based on the following
facts and assumptions.
1) Lines and substations belonging to the distribution level
usually feed small industries and neighborhoods. As
a consequence, this lowest level of the electric power
infrastructure poses an unattractive target of attack.
2) High voltage substations are important points of an
electric power grid since they constitute the part of an
EPS that is responsible for the routing of electric power.
They contain a plethora of critical components (massive
step-up/step-down transformers, circuit breakers, control
rooms, etc.) and are mostly unprotected [23]. Partial or
total incapacitation of a high voltage substation affects
all customers within its electric power service area.
3) In [7], it was shown that 60% of the analyzed ter-
rorist attacks on EPSs targeted lines and towers on
the transmission level. They pose easy targets since a
big portion of the transmission towers and cables pass
through isolated and uninhabited locations, making the
attack easier. The potential effects of such an attack
could be disproportionally high. The situation can be
aggravated if multiple transmission lines are subjected
to coordinated and periodically repeated attacks.
4) We make the assumption that nuclear power plants and
generating stations, in general, are well protected, and
are thus less attractive as targets and/or impervious to
physical malicious attacks.
A. Complex Network Theory as a Tool of EPS Analysis
Electric power systems gather some qualifications that al-
low their characterization as complex [24]. They are formed
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
BILIS AND KRÖGER: PERFORMANCE OF ELECTRIC POWER SYSTEMS UNDER PHYSICAL MALICIOUS ATTACKS
Fig. 1. Representation of the Swiss transmission grid by a 242-node, 310-
edge graph. Nodes represent substations, loads, or power generating stations.
Edges represent transmission lines. Node size is analogous to node degree
centrality.
by a large number of interacting elements and demonstrate
complicated dynamics.
Complex system analysis is mainly supported by three
toolboxes: 1) nonlinear dynamics; 2) statistical physics; and
3) network or graph theory [25]. Although the surge of
interest in 3) is recent, during the last decade a number
of graph-theoretic approaches attempted to link topological
properties of infrastructure networks (among them the electric
power sector) to system reliability, resilience, susceptibility
to cascading phenomena, and collective dynamical behavior
[26]–[35]. These approaches are based on the representation
of complex systems by a set of nodes and links, as well as
topological metrics such as degree and betweenness.
Here, the transmission level of an electric power system
is represented by a simple graph G that is defined by a pair
of sets (V , E), where V is a set of elements called nodes
or vertices and E is a set of unordered pairs of different
vertices, called edges or links. The vertices of the graph show
high voltage substations, generating plants and loads while
the edges represent transmission lines. The whole graph is
described by the N × N adjacency matrix A, where N is the
cardinality of set V. If aij is an element of the adjacency
matrix, then aij = 1 if vertices i and j are connected and
aij = 0 otherwise.
In Fig. 1, the graph representation of the Swiss transmission
system is shown.
B. Centrality Analysis of Electric Power Transmission
Networks
In complex network theory, centrality analysis is a graph-
based method that is used to rank and identify critical elements
in a network [36]–[39].
3
Although centrality metrics exist for both vertices and links,
in the postulated attack scenarios analyzed in Section III-C,
only high voltage substations (nodes) are exposed to targeted
attacks. Thus, we will present here the node centrality metrics
that were used along with the heuristic procedure implemented
to root out the most important substations.
Centrality is a function f, which assigns a numerical value
to each node in a given graph. We can say that vertex x is more
critical than vertex y if and only if f(x) > f(y) [40]. In the case
of graph representations of EPSs, centrality analysis translates
into locating the nodes (substations) whose incapacitation is
able to influence many others. Under the assumption that
a target is chosen on the basis of maximizing the negative
consequences of the target’s deactivation, these nodes pose
the most attractive targets of physical attacks [41].
During the search of the most suitable centrality metric,
we were faced with several dilemmas. As shown in [33], the
impact of node deletion (blackout size) depended largely on
the metric used as a guide for the targeted attacks (degree
attack, betweenness attack, etc.). In [40], it is shown that,
after stating and calculating different centrality metrics, only
a few of these correlate with a coefficient above 0.9 to other
centrality metrics. In [42] and [43], the removal of the most
connected nodes (degree centrality attack scheme) did not
necessarily imply maximal network damage, while in [27] it
is shown that for the cascading effects scheme employed, the
network is fairly robust to most failures, but very vulnerable to
failures of the nodes with high betweenness. In [44], electrical
centrality is investigated as a centrality metric of electrical
networks, while in [42], [43], and [45], the critical components
of the network are rooted out by considering the network’s
performance degradation caused by their deactivation. From
the above, it became obvious that there is no definitive answer
to the optimum centrality metric. Thus, for the selection of
the most influential nodes, we opted for the combination of
five centrality metrics through the process, as described in
Section III-C.
A presentation of the five centrality metrics used follows.
1) Degree Centrality: For a graph G = (V, E) with n
vertices, the degree centrality CD of a node v is defined as
follows:
deg(v)
CD (v) = (1)
(n − 1)
where deg(v) is the degree of a vertex v (the number of edges
that contain v)
deg(v) = |{y ∈ V |{v, y} ∈ E}| = |ϑ{x}| (2)
where ϑ{x} is the set of the neighbors of vertex v and |ϑ{x}|
denotes the cardinality of the set ϑ{x}.
Degree centrality can be interpreted in terms of the number
of vertices and edges that are directly influenced by the status
of node v.
2) Eccentricity: For a graph G = (V, E), the eccentricity
CE (v) of vertex v is defined as follows:
CE (v) = max[d(v, y)] (3)
y∈V
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
4 IEEE SYSTEMS JOURNAL
where d(v, y) is the length of the shortest path connecting
vertices v and y.
Low eccentricity of node v suggests that all other nodes are
in proximity.
3) Betweenness Centrality: For a graph G = (V, E) with
n vertices, the betweenness centrality CB (v) of vertex v is
defined as follows:
s=t
|σst (v)|
CB (v) =
s=v=t∈V
|σst |
where σst is the set of shortest paths from s to t and σst (v) is
the subset of σst that pass through vertex v.
For node v, high CB value means that this node, for certain
paths, is crucial to maintain node connections. Deactivation
of v should cause a number of node pairs either to be
disconnected or connected via longer paths [37].
4) Centroid Centrality: For a graph G = (V, E), the
centroid centrality CC (v) of vertex v is given by
CC (v) = d(v) − min[d(y)]
y=v
where d(v) is the status of vertex v
 for the title of the most important network node.
d(v) = d(v, y).
y∈V
This centrality metric suggests that a specific node has a
central position within a graph region, characterized by a high
density of interacting nodes [37], [38].
5) Radiality: This metric was introduced in [46]. For a
graph G = (V, E), the computation of this metric is based on
the distance matrix Dvy = d(v, y), where v, y V . The reverse
distance matrix RD is defined as follows:
RDvy = diameter (G) + 1 − Dvy .
The diameter of a graph G is the maximum eccentricity of
the graph.
Given the above, the radiality CR of vertex v is defined as
follows:
 2) The cost of disabling any node in the list is the same.
v=y RDvy
CR (v) = . (8)
(n − 1)
High radiality means that node v is, with respect to the
graph diameter, close to the other nodes. Low radiality can be
interpreted as the node being peripheral.
C. A Heuristic Methodology for Rooting out the Most Critical
Nodes
From Section III-B, it is obvious that specific centrality
metrics are more suitable for different types of graphs (biolog-
ical networks, social networks, infrastructure networks, etc.).
Moreover, in the case of targeted attacks, the centrality metric
used dictates the attack vector(s) (the sets of nodes that will
be deactivated).
Here, we propose a heuristic procedure for the selection of
the most important nodes of a graph, where the five centrality
metrics presented in the previous section are equally weighted
and combined.
Step 1) A given centrality metric is calculated for all nodes
(substations). The node with the highest value (indi-
cation of maximal criticality) is placed on the top of
the list linked with the metric and is deactivated. If
two nodes have the same centrality value, the node
to be deactivated is chosen at random. The centrality
metric is then recalculated for all the remaining
nodes. The node with the highest value is placed in
(4) position number 2 of the list linked with the metric.
In this manner, a list comprising the chosen metric
values for all nodes is constructed. The above proce-
dure is repeated for all the centrality metrics. In that
way, five lists are created, each one corresponding to
each one of the centrality metrics used.
Step 2) The upper 5% of the nodes in each list is rooted
out. That way, we are left with five lists, each one
containing the nodes that collected the 5% highest
values for the corresponding metric.
Step 3) A final list is created by selecting the nodes that
(5) appear at least in two of the lists created after Step 3.
Given the discussion in Section III-B, the nodes (sub-
stations) comprising this final list are good candidates
(6)
D. Attack Scenarios
The attack scenarios are comprised of: 1) targeted attacks
against the most critical nodes (substations); 2) random attacks
against nodes (Swiss substations); and 3) random attacks
against sets of edges (transmission lines).
In the test case presented in Section V, we investigate
diverse forms of the above attack scenarios.
We made the following assumptions when constructing the
targeted attack scenarios on nodes (substations).
(7) 1) The choice of targets relies only on the importance of
the node, as dictated by the list created in Section III-
C. In other words, the target is chosen on the basis of
maximizing the negative consequences of the target’s
deactivation.
3) A targeted attack against a substation results in total
damage (complete knockout of the node, along with the
deactivation of all links incident upon this node).
IV. System Response Analysis
The aim of the system response analysis conducted here is
to provide the state of the system that would be seen by an
operator, after the electric power system is inflicted by damage
caused from targeted or random physical attacks.
A. AC Power Model
The AC power model developed in [20] is used here. It can
capture a wide area of interactions and events in a transmis-
sion grid, on many different levels (sympathetic tripping of
transmission lines due to misoperation of their protection and
control systems, checking for abnormal voltages in bus bars,
checking for overloading in transmission lines, and a simple
operator model).
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
BILIS AND KRÖGER: PERFORMANCE OF ELECTRIC POWER SYSTEMS UNDER PHYSICAL MALICIOUS ATTACKS
Fig. 2. Flowchart implemented in the system response analysis of physical
attacks on electric power systems.
As can be seen in Fig. 2, we followed a quasi-dynamic
procedure. Each simulation starts from the state of the electric
power system, after the application of a scenario attack. The
procedure from the time of the attack until the time that no
other alterations take place in the EPS modeled, is broken
down to time slots. The duration of each time slot is dictated
by the time that is needed by the operator to act, given a
contingency in the power grid. Since in our model, the role of
the operator is restricted to alleviating problems in lines and
issuing warnings for abnormal voltages in bus bars, we make
the assumption that he has 20 min to learn about and respond
to unplanned events. This time duration is considered realistic
from a transmission system operator (TSO) perspective. Each
time a line is taken out due to erroneous operator handling of
a contingency situation, an algorithm loop takes place. This
way, events that happen inside loop n are regarded as having
taken place 20 min later than events that happened during loop
n-1. Each simulation stops when during a loop, no lines are
taken out due to overloading.
B. Load Flow Analysis
Load (or power) flow analysis is called into action when
we want to describe the operating state of an electric power
system. It can be implemented only under the assumption that
the system is operating under balanced conditions.
5
Given certain known quantities, the load flow analysis can
provide the magnitudes and phase angle of voltages, as well as
the active and reactive power flow in each transmission line.
For a system containing n nodes (buses), the load flow
problem reduces to the solution of the system of n equations
n
Pi = |Vi ||Vk |[gik cos(θi − θk ) + bik sin(θi − θk )] (9)
k=1
n
Qi = |Vi ||Vk |[gik sin(θi − θk ) + bik cos(θi − θk )] (10)
k=1
where:
1) Pi is the real power at bus i;
2) Qi is the reactive power at bus i;
3) |Vi is the voltage magnitude at bus i;
4) gik is the conductance of link connecting buses i, k;
5) bik is the susceptance of link connecting buses i, k;
6) (θi − θk ) is the voltage angle difference for buses i, k.
There are several solution methods. For the test case pre-
sented in Section V, the Newton Raphson method was used.
C. Hidden Failures
It has been recognized in [47] that protection and control
systems’ misoperations have been a leading cause of major
blackouts. Nearly 45% of bulk power system disturbances in
North America during 2007 can be attributed to P&C misop-
erations, while almost 30% of the latter comprises P&Cs’
wiring/design/logic/setting errors.
We adopt the terminology of [48], and refer to de-
sign/logic/setting errors of the protection equipment as hid-
den failures (HF). They can cause intact equipment to be
unnecessarily disconnected, following a fault on a neighboring
component [49], [50].
D. System Operator Response Analysis
In EPSs, the human factor comes in the form of the TSOs,
whose role is the overall management and control of the
transmission grid(s). In our analysis, the role of the operator
is triple: 1) check transmission lines for overloading and try
to alleviate the problem; 2) issue warnings for lines that were
overloaded at some time, but the problem was alleviated before
the line’s protection system kicked in; and 3) issue warnings
for buses with abnormal voltage (the safety window adopted
for busbar voltage was [0.9Vnom − 1.1Vnom ], where Vnom was
the busbar’s nominal voltage).
In our study, we are treating situations where short-term
response is required, under potentially high stress, with po-
tentially multiple failure occurrences [51]. The nominal like-
lihood of failure of the operator(s) to alleviate possible line
overheating is assessed using the human error assessment and
reduction technique (HEART) [52]. The estimated value was
approximately 10%.
V. Test Case−Swiss Transmission System
To demonstrate the feasibility of the approach proposed, we
particularized it to analyze the consequences of a number of
physical attack scenarios against the Swiss electrical transmis-
sion infrastructure.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
6 IEEE SYSTEMS JOURNAL
A. The Swiss Transmission System
Due to the geographical position of Switzerland, in the cen-
ter of Europe, the importance of its high-voltage (280/380 kV)
grid is inversely proportional to its size. In particular, the
380 kV portion is considered an electricity superhighway,
primarily for important transit flows in Europe and Switzer-
land, while at the same time being a platform for European
electricity trading in a Europe-wide liberalized market [53].
B. Centrality Analysis
The Swiss high-voltage grid was represented by an undi-
rected and unweighted graph; the nodes of this graph repre-
sented high-voltage substations, power plants, and loads inside
Swiss borders, as well as substations outside Swiss borders
that were neighbors to their Swiss counterparts.
We followed the procedure proposed in Section III to root
out the most critical Swiss substations, thus most attractive for
targeted attacks. That left us with eight nodes (substations).
For security reasons, their names are not disclosed here. We
refer to them as HVS1–HVS8.
C. Attack Scenarios
We postulated 46 targeted attack scenarios against the Swiss
HV substations. Eight of them targeted each one of the eight
critical nodes, as mentioned in Section III-B, 28 had pairs of
these eight nodes as targets and ten had triplets of these eight
nodes (simultaneous targeted attacks) as targets. This set of
targeted attacks was followed by a set of 15 attack scenarios
that implemented random node removal in triplets.
Finally, 60 attack scenarios that implemented random link
(transmission line) removals were simulated.
D. Response Analysis of the Swiss Transmission System
Considering its position as a European electricity hub,
it was decided to treat the Swiss transmission grid not as
a stand-alone, isolated system; during the system response
analysis the whole synchronous UCTE network was modeled
(Fig. 3). In that way, we were able to capture interactions
with the neighboring countries’ transmission networks, i.e.,
consequences of potential outages inside the Swiss’ borders on
other countries’ high voltage grids. Moreover, the transmission
lines of neighboring countries could take on part of the
additional load in case of outages inside the Swiss borders,
helping us avoid overestimation of an impact.
The input that dictated the initial intact state of the UCTE
grid (and consequently of the Swiss high voltage grid) became
available to the authors in the form of UCTE files. They
are appropriately constructed to mirror a specific topology
and loading of the former UCTE transmission network at a
particular point in time. The file used in our analysis was a
so-called reference case snapshot: a merged set of balanced
snapshots of all the UCTE countries, done by Amprion,
Germany. Two files are created per year. Without going into
more details, the file used for load flow analysis represented
an average load day in winter, close to peak load.
Fig. 3. ENTSO-E grid (purple and orange colored countries). Former syn-
chronous UCTE grid in purple, with Switzerland highlighted in darker
purple.
E. Simulations
For each one of the 121 (46 targeted and 75 random) attack
scenarios, we repeated the system response analysis procedure
30 times. The average of these 30 simulating results had been
taken as the result for the corresponding scenario.
A number of assumptions and parameter values were used
during the simulation procedure.
1) Attack against a substation leads to its complete in-
capacitation. No redundancy (e.g., spare or alternate
transformers) is taken into account.
2) Line redundancy (double lines between two terminal
spots) is taken into account during the system response
analysis.
3) The hidden failure probability was taken equal to
0.5%.
4) It was assumed that only one operator manages the
whole grid.
5) During the system response analysis, the upper limit of
the current that transmission lines can carry before the
automatic protection system trips them was set to 150%
with respect to the maximum rated current [54].
6) No abnormal conditions or hidden failures were taken
into account for the grids that do not neighbor with a
Swiss transmission line or substation.
F. Results
1) Targeted Node Attacks: Thirty-six attack scenarios
were investigated. For scenarios HVS1–HVS8, each one of
the critical substations (as dictated by the centrality analysis
described) is deactivated in turn. In every one of the following
28 scenarios (HVS1–HVS2 to HVS7–HVS8), the critical sub-
stations are deactivated in pairs (e.g., scenario HVS1–HVS2
represents the deactivation of substation HVS1 and HVS2).
For each one of the 36 attack scenarios, we repeated the system
response analysis procedure 30 times. The average of these 30
simulating results is taken as the result for the corresponding
scenario.
In Figs. 4–6, the mean load lost, generating power lost,
and mean imbalance ratio are shown, respectively, for the 36
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

BILIS AND KRÖGER: PERFORMANCE OF ELECTRIC POWER SYSTEMS UNDER PHYSICAL MALICIOUS ATTACKS 7

Fig. 4. Mean load lost (in MW) for each targeted attack scenario.

Fig. 5. Mean generating power lost (in MW) for each targeted attack scenario.

targeted attack scenarios postulated (single substation out or
pairs of substations out).
These figures, as well the results of the 1080 simulation
runs, have shown the following.
1) The load flow problem converged to a solution in
all the attack scenarios. This is a good indica-
tion that no highly unstable/major-blackout conditions
emerged from the targeted attack of the most critical
substations.
2) The effect of cascading failures was very small; the
maximum mean generation and load lost solely due to
cascading failures was, respectively, GLCF = 40.8 MW
and appeared for the attack scenario (HVS4-HVS7), and
LLCF = 7.73 MW, which appeared for the attack scenario
HVS3–HVS7.
3) Overloading of remaining transmission lines arose only
from a few simulations (44 out of 1080). This shows
that the operation of the Swiss transmission grid has
good safety margins; the remaining transmission lines
are able, in most situations, to take on the additional
load induced by the hypothetical physical attacks against
substations. In almost all the response analysis iterations
that featured overloaded lines, substation HVS3 was
involved.
4) Frequency stability refers to the ability of an EPS to
maintain steady frequency following a severe system
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

8 IEEE SYSTEMS JOURNAL

Fig. 6. Mean power imbalance ratio, following a postulated targeted attack.

Fig. 7. Mean load lost (in MW) for each random attack scenario.

disturbance [55]. We used the safety margins used in
[54] that are dictated by the ratio of the total power
demand to the total power supply as
Total Power Demand
0.95 > > 1.05.
Total Power Supply
As can be seen in Fig. 6, many attack scenarios
demonstrated a ratio outside the safety margins. This
imbalance could potentially lead to some synchronous
machines tripping and could be translated into a minor
underestimation of the targeted attacks’ consequences
(since historical events show that frequency instabilities
can cause the tripping of some synchronous generators
but protective systems do not allow the disturbance to
cascade and transform into a wide area outage [56]).
2) Random Transmission Line Attacks: Sixty attack sce-
narios were investigated. For the first 30 scenarios, sets of
ten transmission lines were randomly selected while for the
other 30, sets of 15 transmission lines were randomly selected.
These sets dictated the sets of transmission lines that were
deactivated during the attack scenarios (10L-1 to 10L-30 are
the code names for the ten-line attack scenarios and 15L-1 to
15L-30 the code names for the 15-line attack scenarios).
In Figs. 7–9, the mean load lost, generating power lost,
and mean imbalance ratio are shown, respectively, for the 60
hypothetical random attack scenarios.
Comparing the above results with the corresponding results
for targeted node attacks, we can see that the effects of
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

BILIS AND KRÖGER: PERFORMANCE OF ELECTRIC POWER SYSTEMS UNDER PHYSICAL MALICIOUS ATTACKS 9

Fig. 8. Mean generating power lost (MW) for each random attack scenario.

Fig. 9. Mean power imbalance ratio, following a postulated random attack.

targeted node (high voltage substations) attacks are far greater
than random link (transmission lines) attacks: 1) generating
power lost was greater than 100 MW only in 5 out of 60
random attack scenarios; 2) no scenarios demonstrated load
loss greater than 25 MW; and 3) the power demand/power
supply only in one scenario (10L-5) fell outside the [0.95,
1.05] safety margins.
3) Targeted Versus Random Node Removals: Ten targeted
attack scenarios against triplets of the five most critical nodes
were investigated. This set of simulations was followed by a
set of 15 attack scenarios against randomly picked triplets of
all the node graphs (Swiss substations). The attacks against the
triplets of attacked substations are assumed to be synchronous.
For each one of the 25 simulated attack scenarios, we repeated
the system response analysis procedure 30 times. The mean
load lost and mean generating power lost for each scenario
are shown in Figs. 10 and 11. Comparing the results presented
in these figures, we can see that the effects of targeted high
voltage substation attacks are far greater than random high
voltage substation attacks.
1) In one of the targeted attack scenarios, a convergent
solution of the power flow equations could not be ob-
tained (nonconvergence indicates an unstable condition
and possible wide-area blackout). No such situations
emerged during the random node-attack scenarios.
2) Generating power lost was greater than 1000 MW in six
out of ten targeted attack scenarios. The same applied
only to one out of 15 random attack scenarios.
3) Nine out of ten targeted attack scenarios demonstrated
load loss greater than 500 MW. The same applied only
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
10
Fig. 10. Mean generating power lost (in MW) and mean load lost (in MW)
for synchronous targeted attack scenarios against triplets of substations.
Fig. 11. Mean generating power lost (in MW) and mean load lost (in MW)
for random attack scenarios against triplets of substations.
in one out of 15 random attack scenarios.
VI. Conclusion
A hybrid methodology was developed for the quantification
of deliberate physical acts aiming at the disruption of the
electric power system infrastructure (EPS). We used metrics
derived from complex network theory and social network
analysis to identify the most critical elements that comprised
the marks in a number of targeted attack scenarios. The effect
of the latter, along with the effect of random attack scenarios,
was assessed by a detailed AC power model that takes into
account the structure and internal behavior of an EPS on many
different levels.
To illustrate the application of our model to the security
assessment of physical malicious threats to EPSs, the Swiss
transmission system was chosen as the test system. The case
study revealed the following.
1) The effect of targeted node (substation) removals is
far greater than the one observed after random node
(substation) or link (transmission lines) attacks.
2) Cascading phenomena contributed marginally to the
blackout size. Future sensitivity analysis could help
evaluate the impact of the model parameter values that
were used.
3) The biggest threat resulting from a targeted substation
attack seems to be frequency instability due to power
IEEE SYSTEMS JOURNAL
demand to power supply imbalance.
Due to the availability of free graph analysis software tools
and the quasi-dynamic nature of the system response model,
this method seems to be quite flexible and can be applied to all
electric systems, regardless of the granularity desirable (total
or partial node damage, modeling of only the transmission
grid or the transmission and distribution grid, incorporating
substation redundancy or not). Although the temporal and
spatial prediction of physical targeted attacks to an EPS
is difficult, the methodology proposed here can help grid
operators identify the elements and contingency situations to
which an electrical power system is most vulnerable and assist
operation planners in choosing the appropriate prevention and
protection measures against physical malicious attacks.
VII. Outlook
The future steps should include the following:
1) attack scenarios combining concurrent targeted node and
random link attacks;
2) targeted attack scenarios against links (transmission
lines) by calculating graph-based, link related metrics;
3) sensitivity analysis of our model by varying the sys-
tem response analysis model parameters (hidden failure
probability, human error probability, etc.);
4) investigation of the impact that a partial node destruction
(HV substation not fully functional after attack) would
have on the serviceability of the power system.
References
[1] K. A. Seger, Utility Security: A New Paradigm. Tulsa, OK: PennWell,
2004, p. 238.
[2] P. W. Parfomak, “Pipeline security: An overview of federal activites
and current policy issues,” Congressional Research Service, Washington
D.C., Rep. RL31990, 2004.
[3] Office of Technology Assessment, The Effects of Nuclear War, U.S.
Congress, Washington D.C., 1979.
[4] N. Mijuskovic, “Serbia restoration after war damages May-99,” pre-
sented at the CIGRE Session 2000, SC 39 Workshop on Large Distur-
bances.
[5] Energy and Defense Project, “Dispersed, decentralized, and renewable
energy sources: Alternatives to national vulnerability and war: Final
report, work conducted for the federal emergency management agency,”
Contract: DCPA-01-79-C-0320, FEMA Work Unit #2314-F, Washington
D.C., 1980.
[6] W. C. Clark, D. D. Jones, and C. S. Holling, “Lessons for ecological
policy design: Case-study of ecosystem management,” Ecol. Modelling,
vol. 7, no. 1, pp. 1–53, 1979.
[7] R. Zimmerman et al.. (2005). “Electricity case: Main report—risk,
consequences, and economic accounting,” CREATE Rep. [Online].
Available: http://www.usc.edu/dept/create/reports.php
[8] Å. J. Holmgren, E. Jenelius, and J. Westin, “Evaluating strategies for
defending electric power networks against antagonistic attacks,” IEEE
Trans. Power Syst., vol. 22, no. 1, pp. 76–84, Feb. 2007.
[9] National Research Council, Making the Nation Safer: The Role of
Science and Technology in Countering Terrorism. Washington D.C.:
National Academies Press, 2002.
[10] U.S. Congress Office of Technology Assessment, Physical Vul-
nerability of Electric Systems to Natural Disasters and Sabo-
tage, OTA-E-453. Washington D.C.: U.S. Government Printing Of-
fice, 1990 [Online]. Avaialbale: http://www.wws.princeton.edu/cgibin/
byteserv.prl/∼ota/disk2/1990/9034/9034.PDF
[11] D. G. Kamien, Ed., The Mcgraw-Hill Homeland Security Handbook.
New York: McGraw-Hill, 2006.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

BILIS AND KRÖGER: PERFORMANCE OF ELECTRIC POWER SYSTEMS UNDER PHYSICAL MALICIOUS ATTACKS 11

[12] A. E. Farrell, H. Zerriffi, and H. Dowlatabadi, “Energy infrastructure [34] K. Okamoto, W. Chen, and X. Li, “Ranking of closeness centrality for
and security,” Annu. Rev. Environment Resources, vol. 29, pp. 421–469, large-scale social networks,” in Springer Lecture Notes in Computer
Aug. 2004. Science. Berlin, Germany: Springer, 2008, pp. 186–195.
[13] A. Volkanovski, M. Èepin, and B. Mavko, “Application of the fault tree [35] R. V. Solé et al. “Robustness of the European power grids under
analysis for the power system reliability,” Reliab. Eng. Syst. Saf., vol. intentional attack,” Phys. Rev. E, vol. 77, no. 2, p. 026102, 2008.
94, no. 6, pp. 1116–1127J, 2009. [36] S. Wuchty and P. Stadler, “Centers of complex networks,” J. Theor. Biol.,
[14] E. Bompard et al., “Risk assessment of malicious attacks against power vol. 223, nos. 45–53, pp. 45–53, 2003.
systems,” IEEE Trans. Syst., Man, Cybern. A, Syst. Humans, vol. 39, [37] F. Harary, “Status and contrastatus,” Sociometry, vol. 22, no. 1, pp. 23–
no. 5, pp. 1074–1085, Sep. 2009. 43, 1959.
[15] A. Rose, “Economic resilience to natural and man-made disasters: [38] P. J. Slater, “Maximum facility location,” J. Res. Natl. Bur Stand. B,
Multidisciplinary origins and contextual dimensions,” Environmental vol. 79, pp. 107–115, 1975.
Hazards, vol. 7, no. 4, pp. 383–398, 2007. [39] L. C. Freeman, “A set of measures of centrality based on betweenness,”
[16] T. Maxim. (2010, Jul. 21). Power Plant Ter- Sociometry, vol. 40, no. 1, pp. 35–41, 1977.
ror Attack Kills 2 in Russia [Online]. Available: [40] D. Koschützki et al., “Network analysis: Methodological foundations,”
http://edition.cnn.com/2010/WORLD/europe/07/21/russia.station.attack/index.htmlin Centrality Indices, Chapter 3 in Brandes and Erlebach (LNCS
[17] E. Bompard et al., Approaches to the Security Analysis of Power Tutorial, vol. 3418). Berlin, Germany: Springer 2003.
Systems: Defense Strategies Against Malicious Threats, EUR 22683 EN, [41] E. Bompard, R. Napoli, and F. Xue, “Analysis of structural vulnerabili-
JRC36743, 2007. ties in power transmission grids,” Int. J. Crit. Infrastructure Protection,
[18] North American Electric Reliability Council (NERC), An Approach vol. 2, no. 1, pp. 5–12, 2009.
to Action for the Electricity Sector. Princeton, NJ: North American [42] V. Agoston, P. Csermely, and S. Pongor, "Multiple weak hits confuse
Electric Reliability Council (NERC) Working Group Forum on Critical complex systems: A transcriptional regulatory network as an example,"
Infrastructure Protection, 2001. Phys. Rev. E, vol. 71, no. 5, p. 051909, 2005.
[19] M. Schläpfer and H. Glavitsch, “Learning from the past: Electric power [43] V. Latora and M. Marchiori, “Vulnerability and protection of infrastruc-
blackouts and near misses in Europe,” in Critical Infrastructures at ture networks,” Phys. Rev. E, vol. 71, no. 1, p. 015103, 2005.
Risk—Securing the European Electric Power System, A. V. Gheorghe, [44] H. Hines and S. Blumsack, “A centrality measure for electrical net-
M. Masera, M. P. C. Weijnen, and L. J. De Vries, Eds. Dordrecht, The works,” in Proc. 41st Hawaii Int. Conf. Syst. Sci., 2008, p. 185.
Netherlands: Springer, 2006. [45] Y. Yan-Ping et al., “Multiple partial attacks on complex networks,” Chin.
[20] E. Bilis, M. Raschke, and W. Kroeger, “Seismic response of the swiss Phys. Lett., vol. 25, no. 2, pp. 769–772, 2008.
transmission grid,” unpublished. [46] T. W. Valente and R. K. Foreman, “Integration and radiality: Measur-
[21] I. Eusgeld and C. Nan, “Creating a simulation environment for critical ing the extent of an individual’s connectedness and reachability in a
infrastructure interdependencies study,” in Proc. IEEE Int. Conf. Ind. network,” Social Netw., vol. 1, no. 1, pp. 89–105, 1998.
Eng. Eng. Manage., Dec. 2009, pp. 2104–2108. [47] R. Sergel, Letter to NERC Board of Trustees and NERC Stakeholders,
[22] Testimony of Joseph McClelland, Director, Office of Electric Reliability, Apr. 24, 2009.
Federal Energy Ragulatory Commission, Before the Committee on [48] A. G. Phadke and J. S. Thorp, “Expose hidden failures to prevent
Homeland Security, Subcommittee on Emerging Threats, Cybersecurity cascading outages,” IEEE Comput. Appl. Power, vol. 9, no. 3, pp. 20–23,
and Science and Technology, United States House of Representatives. Jul. 1996.
(2009, July 21) [Online]. Available: (http://www.ferc.gov/eventcalendar/ [49] K. Bae and J. S. Thorp, “An importance sampling application: 179
Files/20090721140215-Joe\%20McClelland\%20Testimony.pdf) bus WSCC system under voltage based hidden failures and relay
[23] J. M. Arroyo and F. D. Galiana, “On the solution of the bilevel misoperation,” in Proc. 31st Hawaii Int. Conf. Syst. Sci., vol. 3. 1998,
programming formulation of the terrorist threat problem,” IEEE Trans. pp. 39–46.
Power Syst., vol. 20, no. 2, pp. 789–797, May 2005. [50] J. Chen, J. S. Thorp, and I. Dobson, “Cascading dynamics and mitigation
[24] M. E. J. Newman, “The structure and function of complex networks,” assessment in power system disturbances via a hidden failure model,”
SIAM Rev., vol. 45, no. 2, p. 167, 2003. Int. J. Electron. Power Energy Syst., vol. 27, no. 4, pp. 318–326,
[25] L. A. N. Amaral and J. M. Ottino, "Complex networks— 2005.
Augmenting the framework for the study of complex [51] V. M. Andersen and E. T. Burns, “Human error probability models in
systems," Eur. Phys. J. B, vol. 38, pp. 147–162, the BWR individual plant evaluation methodology,” in Proc. 4th IEEE
May 2004. Conf. Human Factors Power Plants, Jun. 1988, pp. 323–342.
[26] R. Albert, I. Albert, and G. L. Nakarado, “Structural vulnerability of the [52] J. C. Williams, “A data-based method for assessing and reducing human
North American power grid,” Phys. Rev. E, vol. 69, no. 2, p. 025103-7, error to improve operational performance,” in Proc. IEEE 4th Conf.
2004. Human Factors Power Plants, Jun. 1988, pp. 439–450.
[27] P. Crucitti, V. Latora, and M. Marchiori, “A topological analysis of the [53] Swiss Federal Office of Energy, Report on the blackout in Italy on 28
Italian electric power grid,” Phys. A Statist. Mech. Its Appl., vol. 338, September 2003, Nov. 2003.
nos. 1–2, pp. 92–97, 2004. [54] M. Shinozuka et al., “Advances in seismic performance evaluation
[28] R. Kinney et al., “Modeling cascading failures in the North American of power systems,” in Research Progress and Accomplishments 2001-
power grid,” Eur. Phys. J. B Condens. Matter, vol, 46, no. 1, pp. 101– 2003. Buffalo, NY: Multidisciplinary Center for Earthquake Engineering
107, 2005. Research, University at Buffalo, 2003.
[29] D. P. Chassin and C. Posse, “Evaluating North American electric grid [55] P. Kundur et al., “Definition and classification of power system stability,”
reliability using the Barabasi–Albert network model,” Phys. A: Statist. IEEE Trans. Power Syst., vol. 19, no. 3, pp. 1387–1401, Aug. 2004.
Mech. Its Appl., vol. 355, nos. 2–4, pp. 667–677, 2005. [56] Y. Sherif, “Earthquakes: Risk, damage and recovery,” Reliab. Eng. Syst.
[30] A. J. Holmgren, “Using graph models to analyze the vulnerability of Safety, vol. 31, no. 1, pp. 117–126, 1991.
electric power networks,” RiskAnalysis, vol. 26, no. 4, pp. 955–969,
2006.
[31] M. I. Rosas-Casals, S. Valverde, and R. V. Sole, “Topological vulner-
Evangelos I. Bilis received the M.Sc. degree in
ability of the European power grid under errors and attacks,” Int. J.
radioelectrology and telecommunications.
Bifurcation Chaos, vol. 17, no. 7, pp. 2465–2475, 2007.
He is currently a Physicist with the Laboratory
[32] L. Buzna, L. Issacharoff, and D. Helbing, “The evolution of the topology of Safety Analysis, Swiss Federal Institute of Tech-
of high-voltage electricity networks,” Int. J. Crit. Infrastructures, vol. 5, nology, Zürich, Switzerland. His current research
no. 1, pp. 72–85, 2009. interests include applications of group theory to
[33] L. Dueñas-Osorio and S. M. Vemuru, “Cascading failures in complex quantum mechanics, string theory, and modeling of
infrastructure systems,” Structural Safety, vol. 31, no. 2, pp. 157–167, complex systems.
2009.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
12
Wolfgang Kröger received the Doctorate degree
in mechanical engineering from RWTH Aachen,
Aachen, Germany, in 1974, and the Habilitation
degree in 1986.
He has been an Ordinarius of Safety Technology
with the Swiss Federal Institute of Technology,
Zurich (ETH) since 1990 and the Director of the
Laboratory for Safety Analysis until his retirement
in 2011. In parallel he was the Head of Research on
nuclear energy and safety with the Paul Scherrer In-
stitute, Switzerland, where he was also on the Board
of Directors until he was elected as Founding Rector of the International Risk
Governance Council in 2003. His current research interests include methodical
issues pertaining to modeling, analysis, and optimization of complex technical
systems in view of reliability, risk, and vulnerability. Currently, he is the
Executive Director of the ETH Risk Center.
IEEE SYSTEMS JOURNAL
Cen Nan received the M.Eng. degree in oil and
gas engineering from the Memorial University of
Newfoundland, Canada, in 2007, and the Doctorate
degree in process and mechanical engineering from
ETH Zurich, Zurich, Switzerland, in 2012.
He is currently a Research Assistant at ETH
Zurich. His current research interests include the de-
velopment of advanced modeling/simulation meth-
ods for assessing complex behaviors of infrastructure
systems.