Professional Documents
Culture Documents
False Data Injection Attacks Against Synchronization Systems in Microgrids
False Data Injection Attacks Against Synchronization Systems in Microgrids
Abstract—Synchronization systems play a vital role in the The cybersecurity of power systems control has been exam-
day-to-day operation of power systems and their restoration ined extensively in recent years at the generation, transmission
after cascading failures. Hence, their resilience to cyberattacks and distribution levels [6]. Yet, most of the literature on the
is imperative. In this paper, we demonstrate that a well-planned
false data injection attack against the synchronization system of cybersecurity of generation control loops has been focused on
a generator is capable of causing tripping subsequently leading automatic generation control (AGC) [7]–[9]. This is mainly
to instability and blackout. We present an analytical framework because AGC relies on supervisory control and data acquisi-
behind the design and implementation of the proposed cyberat- tion (SCADA) systems. In contrast, the cybersecurity of auto-
tack. Moreover, we derive and discuss the conditions for which a matic voltage regulation, governor and synchronization control
cyberattack interfering with a synchronizing signal can be suc-
cessful. Effective physical mitigation strategies are then proposed has received little attention since they commonly rely on local
to improve the cyber-resilience of synchronization systems. The control loops. Resilient synchrony of microgrids is another
proposed cyberattack model and mitigation strategies are ver- topic that has gained attention in recent years [10]–[14].
ified for a microgrid test system using an OPAL-RT real-time These papers are mostly focused on cyberattacks against the
simulator. secondary frequency control of inverter-based microgrids dur-
Index Terms—Cyber-physical systems, resilience, cyberattack, ing continuous islanded operation mode. These papers do
power system restoration, synchronization systems, microgrids. not investigate the resilience of the reconnection process of
islanded microgrids and the synchronization system used for
this purpose which is investigated in this paper.
I. I NTRODUCTION
Synchronization systems play a vital role in the day-to-
ONCERNS about the cybersecurity of power systems
C have been on the rise in recent years particularly follow-
ing the cyberattacks against the Ukrainian electricity infras-
day operation of power systems as well as their restoration
after cascading failures [15]. These systems have traditionally
been used for bringing baseload, peaking or standby gen-
tructure [1]–[3]. The North American Electric Reliability erators online and connecting them to the grid, as well as
Corporation (NERC) has taken initial steps towards address- reconnecting two synchronous systems during black start or
ing these concerns by mandating the critical infrastructure after system separation following a disturbance [16], [17].
protection (CIP) standards. The CIP standards require the iden- Today, synchronization systems play additional roles such as
tification, categorization and protection of cyber assets that connecting islanded microgrids to the main grid [18]–[20].
are essential to the reliable operation of the bulk electric Synchronization systems bring the voltage, frequency, and
system [4]. Yet, one of the main challenges facing the cyberse- phase angle differences between two spinning systems into
curity of power systems is their scale and complexity as well tolerable thresholds before safely connecting them by clos-
as their extensive reliance on information and communication ing the interconnecting circuit breaker (CB) [21], [22]. The
technologies [5]. synchronization system essentially adjusts the frequency and
voltage of the spinning systems by sending control commands
Manuscript received December 13, 2020; revised March 26, 2021; accepted
May 5, 2021. Date of publication May 17, 2021; date of current version to the governor and exciter of a generator or a set of gener-
August 23, 2021. This work was supported in part by the NSERC Discovery ators [23], [24] and can be managed manually by the system
Grants Program; in part by the NSERC Strategic Partnerships for Projects operator, by using auto-synchronization systems, or through
Programs; and in part by the Fonds de Recherche du Québec—Nature et
Technologies (FRQNT) Postdoctoral Fellowship. Paper no. TSG-01853-2020. some combination of both [16].
(Corresponding author: Mohammadreza Fakhari Moghaddam Arani.) Correct synchronization is critical to prevent damage to gen-
Amr S. Mohamed and Deepa Kundur are with the Department of Electrical erators or disturbance when connecting two or more power
and Computer Engineering, University of Toronto, Toronto, ON M5S 3G4,
Canada (e-mail: amr.mohamed@mail.utoronto.ca; dkundur@ece.utoronto.ca). systems [25]. As such, synchronization systems typically
Mohammadreza Fakhari Moghaddam Arani is with the Department include multiple levels of supervision including an auto-
of Electrical, Computer and Biomedical Engineering, Ryerson University, matic synchronization controller (ASC) and a human operator
Toronto, ON M5B 2K3, Canada (e-mail: marani@ryerson.ca).
Amir Abiri Jahromi is with the School of Electronic and Electrical overseeing it. Synchronism-check and voltage relays may be
Engineering, University of Leeds, Leeds LS2 9JT, U.K. (e-mail: employed as additional levels of supervision to prevent an
a.abirijahromi@leeds.ac.uk). interconnecting CB from closing during faulty synchroniza-
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TSG.2021.3080693. tion conditions [26]–[28]. This is while no supervision exists
Digital Object Identifier 10.1109/TSG.2021.3080693 on the synchronizing signal communicated from the ASC to
1949-3053
c 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
4472 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 5, SEPTEMBER 2021
the generator exciter and governor. Traditionally, the integrity • We develop and implement two physical mitigation strate-
of the synchronizing signal has not been of concern due to the gies to prevent the success of the attacks. Based on
absence of remote access to the synchronization system and theoretical analysis of synchronization control, we derive
the reliance on hardwired communication of signals from the equations to calculate the threshold for an anomaly
synchronization panel to the control systems of the governor, detection based strategy, and the saturation value for a
exciter and interconnecting CB [28]. limiter-block based strategy.
This characteristic has been changing rapidly in recent We validate the FDI attacks and mitigation strategies via
years due to the need for improved reliability, reduced real-time simulations using a detailed microgrid model on
installation costs, as well as the movement toward automa- OPAL-RT HyperSim simulator.
tion and remote synchronization, particularly in the case of The remainder of this paper is organized as follows. In
microgrids [28]–[30]. Emerging synchronization systems pro- Section II, we present the attack model against synchronization
vide remote access features and employ open data transmission systems. The analytical framework is established in Section III
protocols on fiber-optic or Ethernet based communication to for designing a successful cyberattack. Moreover, sensitiv-
send correction pulses to the generator governor and exciter ity analyses are performed to examine how variations in the
to automatically adjust the frequency and voltage during syn- system parameters may affect the success of the attack against
chronization [31], [32]. A cyberattacker may infiltrate such synchronization systems. In Section IV, the mitigation strate-
a system more easily and proceed to install malware on the gies are developed and their impact on synchronization process
ASC, or access the communication channel of the synchro- is assessed. Section V details empirical testing and verifica-
nization system by adding a new malicious communication tion of the proposed mitigation strategies on a microgrid test
device. Subsequently, the cyberattacker can send corrupted system using an OPAL-RT real-time simulator. We provide the
control commands to the generator governor or exciter to cause concluding remarks in Section VI.
a generator trip, stability problems and/or a potential blackout.
The impact of attacks targeting automatic synchronization
systems has been recently studied by Kandasamy in [33]. It II. ATTACK M ODEL
is demonstrated in [33] that cyberattacks can delay the syn- Despite the massive integration of inverter-interfaced dis-
chronization of a generator indefinitely. This paper expands tributed energy resources (DERs) such as wind and solar,
on the work presented in [33] by considering how FDI attacks synchronous generators continue to play the key role in
against synchronization systems can be executed in the context the synchronization of bulk power systems and microgrids.
of microgrids. In this paper, we study a FDI attack model tar- This paper investigates the cybersecurity of the synchro-
geting automatic synchronization systems in microgrids which nization systems of synchronous generators in microgrids.
not only hinders the synchronization, but can also directly trip Nevertheless, the findings are applicable more generally to
a generator potentially leading to microgrid blackout. the cybersecurity of generator synchronization in bulk power
We present the analytical framework behind the design systems.
and implementation of the cyberattack. Sensitivity analy- Fig. 1 illustrates the schematic representation of cyberat-
ses of system parameters and how they may influence tacks against the synchronization system of a microgrid. At
the success of the cyberattack are further performed and the point of common coupling (PCC) of the microgrid and
presented. Afterwards, we propose two physical mitigation the main grid, an ASC monitors the voltage of the microgrid
strategies to enhance the cyber-resilience of synchronization and the main grid and sends control signals to the governor
systems. of the synchronizing generator to adjust the frequency of the
The main contributions of this paper are as follows. microgrid to the main grid by means of digital I/O pulses
• For the first time, we investigate cyberattacks interfering (e.g., ABB SYNCHROTACT [34]) or by interrogated contacts
with the microgrid synchronization process. We discuss (e.g., SEL A25A [35]). To model the control signals, (+1) and
how emerging synchronization systems in microgrids (−1) pulses are considered when commanding the generator
enable cyber vulnerabilities which allow a skilled attacker to respectively ramp up and down, and (0) is considered in
to execute FDI attacks with severe consequences. We the absence of control command or when communication is
demonstrate that the attacker is able to exploit system res- lost. The control signals are communicated over the microgrid
onance and influence the microgrid frequency to rapidly network to the governor of the synchronizing generator.
trip a generator which may potentially lead to microgrid Fig. 2 illustrates the signals and measurements which are
blackout. involved in the synchronization of the microgrid. Voltage
• We present an analytical framework for designing novel transformers are used to obtain local measurements of
attacks against synchronization systems. The framework the voltage of the main-grid (VGrid−side ) and microgrid
incorporates understanding of the operation of industrial (VMicrogrid−side ) at the PCC, and the circuit breaker at the
ASC devices and theoretical analysis of synchronization PCC is closed when the voltage profiles are sufficiently close
control. The framework highlights the threats of periodic and synchronization criteria are met. The synchronization con-
FDI attacks, and yields success conditions for the attacks trol signal ωcp is communicated from the PCC local-area
and design guidelines for the FDI attack signal. The network (LAN) to the synchronizing generator LAN over the
framework also identifies the fastest attack for tripping microgrid network typically using IEC61850 protocol. The
a generator by attacking its synchronization system. synchronizing signal communication is illustrated in Fig. 3.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
MOHAMED et al.: FALSE DATA INJECTION ATTACKS AGAINST SYNCHRONIZATION SYSTEMS IN MICROGRIDS 4473
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
4474 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 5, SEPTEMBER 2021
Fig. 6. Microgrid test system with the synchronous generator DG2 in charge
of synchronization with the main grid.
Fig. 5. The block diagram of the transfer functions involved in attacks against
synchronization systems.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
MOHAMED et al.: FALSE DATA INJECTION ATTACKS AGAINST SYNCHRONIZATION SYSTEMS IN MICROGRIDS 4475
Another important observation in Fig. 7 is the reso- of the synchronous generator (JROCOF (ωattack ), JUF/OF (ωattack ))
nance frequency which occurs at ω = 3.60 rad/s. As syn- and the settings of the protective relays (R, UF, OF) as indi-
pk,R
chronous generators are more vulnerable to high oscillations at cated by (9)-(10). Moreover, the minimum value of uattack
their resonance frequencies, information about the resonance which corresponds to the maximum value of |JROCOF (ωattack )|
frequency can be used by a cyberattacker to design a fast occurs at the resonance frequency. This underscores the impor-
attack. The implications of this will be investigated further in tance of the resonance frequency while devising an attack
the next subsection. against the synchronization system of a synchronous generator.
The ROCOF and under-frequency/over-frequency protective
C. Conditions for Successful Attacks relays can be triggered through the synchronizing signal only
if the peak value of the signal uattack can satisfy the conditions
Now, we explore the characteristics of the synchronizing
in (9)-(10). Thus, we need to investigate the maximum realiz-
signal to derive the conditions for a successful cyberattack.
able peak value of the signal uattack in order to determine the
Industrial ASC devices offer a range of options to tailor
feasibility of implementing a successful attack. As discussed
the synchronization process to the requirements of generation
previously, ASC control signal consists of a stream of (+1)
plants. These options include the ability to choose between
and (−1) pulses. The maximum peak value of the fundamen-
a fixed or proportional frequency mode to specify the width
tal component of the signal u occurs when the synchronizing
of each correction pulse, and the pulse interval defining the
signal is a square wave with only (+1) and (−1) amplitudes.
time between the rising edges of consecutive correction pulses
The integrator ks /s in Fig. 5 transforms the square wave sig-
in the synchronizing signal [34], [35]. The synchronizing sig-
nal with only (+1) and (−1) amplitudes to a triangular signal.
nal consists of a stream of (+1) and (−1) pulses. Therefore,
The Fourier series of this triangular signal is given in (11):
the attacker should devise a similar pattern to make the
∞
attack signal unrecognizable from the synchronizing signal by 4ks (−1)(n−1)/2
operators. u(t) = sin ωattack nt (11)
π ωattack n2
We posit that it is possible to ignore the harmonic n=1
frequencies of the periodic attack signal considering the small pk,max
The maximum peak value of uattack , uattack = 4ks /π ωattack as
bandwidths of JROCOF (s) and JUF/OF (s). Therefore, the attack indicated in (11), is a function of the integrator gain ks and
signal uattack can be approximated with a pure sinusoidal sig- the frequency of the attack signal ωattack . As such, the only
nal with a fundamental frequency ωattack while deriving the parameter that can be controlled by the attacker in (9)-(11) to
conditions for a successful attack without loss of generality. implement a successful attack is the frequency or time period,
As such, the signals νROCOF and νUF/OF in Fig. 5 are also con- i.e., Tattack = 2π/ωattack , of the falsified synchronizing signal.
sidered to be sinusoidal. The peak values of the signals νROCOF This is again because the other parameters, i.e., JROCOF (ωattack ),
and νUF/OF can be calculated as given in (7)-(8) for the attack JUF/OF (ωattack ), R, UF, OF and ks , are dictated by the charac-
signal uattack : teristics of the synchronous generator and the settings of the
pk protective relays.
νROCOF = JROCOF ωattack uattack
pk
(7)
pk The ultimate conditions for implementing a success-
νUF/OF = JUF/OF ωattack uattack
pk
(8) ful attack against the synchronization system are given
in (12)-(13). The conditions indicate that the attack is fea-
where the magnitude of the transfer function J(s) at
sible only when the maximum achievable peak value of the
the attack frequency ωattack is denoted by |JROCOF (ωattack )|
signal uattack is larger than one of the minimum values required
and |JUF/OF (ωattack )| respectively for ROCOF and under-
to trigger a frequency protective relay of the synchronous
frequency/over-frequency relays.
generator.
The peak value of at least one of the measurements νROCOF
pk,R pk,max
and νUF,OF should violate the setting of the corresponding pro- uattack ωattack ≤ uattack ωattack OR (12)
tective relay for the attack to be successful. This means that pk,F pk,max
either the peak value of νROCOF should exceed the ROCOF relay uattack ωattack ≤ uattack ωattack (13)
pk
setting, R, i.e., νROCOF ≥ R or the peak value of νUF/OF should The data of the synchronous generator DG2 is used again
exceed one of the under-frequency/over-frequency relay set- here to demonstrate the attack conditions. The required peak
pk pk
tings, min{UF, OF}, i.e., νUF/OF ≥ min{UF, OF}. Thus, the value of the signal uattack for triggering the ROCOF and under-
conditions for successful attacks can be derived from (7)-(8) frequency/over-frequency protective relays of the synchronous
as given in (9)-(10). generator DG2 are illustrated in Fig. 8 as functions of Tattack ,
pk
pk pk,R R i.e., the time period of the signal uattack . The required peak
uattack ≥ uattack ωattack = (9) pk
J
ROCOF ωattack
value of the signal uattack for triggering the ROCOF relay with
pk pk,F min{UF, OF} a setting of R = 0.05 pu is illustrated by the curve in green.
uattack ≥ uattack ωattack = (10) pk
The required peak value of the signal uattack for triggering the
J ω
UF/OF attack
under-frequency/over-frequency protective relay with a setting
It is worth noting that the required peak values of the signal of min{UF, OF} = 0.03 pu is illustrated by the curve in black.
uattack for triggering the ROCOF and under-frequency/over- The relay settings are adopted from IEEE Std. 1547 [39] and
frequency protective relays are dictated by the characteristics provided in the Appendix. The green and black curves move
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
4476 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 5, SEPTEMBER 2021
up (down) as the corresponding relay setting is set to larger D. Modeling of the Synchronization System of a Microgrid
(smaller) values.
The proposed analytical model for the synchronization
The curve in red in Fig. 8 shows the maximum achievable
system of a synchronous generator is extended here to
peak value of the signal uattack as a function of Tattack .
pk,R microgrids. Inverter-interfaced DERs like storage, wind and
In Fig. 8, the minimum value of uattack occurs at Tattack solar do not commonly contribute to frequency regulation in
approximately equal to 1.73 seconds. This time period cor- traditional microgrids. The modeling of the synchronization
responds to the resonance frequency of the synchronous system in microgrids in which inverter-interfaced DERs do not
generator which is equal to 3.6 rad/s. contribute to frequency regulation is similar to the modeling
As illustrated in Fig. 8, the attacker can successfully trigger presented previously for a synchronous generator. Yet, there
the protective relays of a synchronous generator by manip- have been several initiatives in academia and industry in recent
ulating the time period of the falsified synchronizing signal years to realize frequency regulation using inverter-interfaced
to the governor. The protective relay is triggered by the DERs in microgrids. As such, we examine the impact of these
falsified synchronizing signal when the red curve is above resources on the attacks against the synchronization system of
the curve associated with the protective relay. For instance, a microgrid.
the ROCOF relay with the setting of 0.05 pu can be trig- The transfer function of an inverter-interfaced distributed
gered by the falsified synchronizing signals with time periods energy resource in droop control and virtual inertia mode are
larger than 1.52 seconds. Moreover, the under-frequency/over- given in (14)-(15), respectively:
frequency relay can be triggered by falsified synchronizing
signals with time periods larger than 3.15 seconds. Falsified
Kdr
synchronizing signals with time periods larger than 3.15 sec- PVSI(dr) = ω (14)
onds may trigger both relays. Yet, the ROCOF relay still may τv s + 1
be triggered first considering the slow behavior of JUF/OF (s) Kνi s
PVSI(νi) = ω (15)
for the under-frequency/over-frequency relay. Fig. 8 illus- τv s + 1
trates the vulnerability of the synchronization systems of the
synchronous generator DG2 as well as the conditions for The microgrid test system in Fig. 6 is employed for the
implementing a successful attack which is one of the main demonstration purposes. The required peak value of the signal
pk
objectives of the present paper. uattack for triggering the ROCOF protective relay of the syn-
The observations in Fig. 8 are consistent with the obser- chronous generator DG2 is illustrated in Fig. 9 as a function
vations in Fig. 7. As illustrated in Fig. 8 the under- of the maximum power output of inverter-interfaced DERs,
frequency/over-frequency relay can be triggered by falsified PmaxVSI . The setting of the ROCOF protective relay R and
synchronizing signals with time periods larger than 3.15 the time period of the attack signal Tattack are respectively
seconds. This range verifies the low-pass behavior of the considered to be 0.05 pu and 2 seconds.
under-frequency/over-frequency relay. Similarly, Fig. 8 veri- As illustrated in Fig. 9, the increase in Pmax VSI due to
fies the band-pass behavior of the ROCOF relay considering the contribution of inverter-interfaced DERs increases the
pk
that the falsified synchronizing signals with time periods less required uattack to trigger the ROCOF protective relay. The
than 1.52 seconds would not trigger the ROCOF relay. same trend exists for the under-frequency/over-frequency relay
The remaining question to be answered is the accessibility in the presence of droop control and virtual inertia from
of the required information for devising a successful attack to inverter-interfaced DERs. This indicates that it is more diffi-
the attacker. The settings of the generator protective relays can cult to implement a successful attack against synchronization
be gathered from various standards and manufacturer manu- systems when interconnecting two systems with high inertia
als. The data about the generator transfer function G(s) can be and frequency regulating mechanisms compared to intercon-
estimated using the approach presented in [40] by eavesdrop- necting a weak grid with low inertia and weak frequency
ping the system frequency ω during the system disturbances regulating mechanism like a microgrid to the main grid.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
MOHAMED et al.: FALSE DATA INJECTION ATTACKS AGAINST SYNCHRONIZATION SYSTEMS IN MICROGRIDS 4477
pk
Fig. 9. The conditions on the required peak value of uattack for the
successful implementation of an attack considering the contribution of the
inverter-interfaced DERs.
pk,R
Fig. 11. Sensitivity analysis; (a) uattack versus the droop gain kd , (b) Loci
of the eigenvalues of the mechanical mode when kd is changed from 10 to
80 with steps of 10. The increase is to the right.
pk,R
uattack to trigger the ROCOF relay, these values also decrease
the internal stability of the system. This is illustrated by Fig. 11
(b) which shows the impact of varying the droop gain from 10
to 80 on the location of the dominant mechanical eigenmode
of the system transfer function G(s). Increasing the droop gain
would eventually destabilize the system by moving the poles
of G(s) outside the stable left-half plane.
pk,R Thus, the attacks are applicable to systems with the consid-
Fig. 10. Sensitivity analysis; (a) uattack versus the AGC gain kc , (b) Loci of
the eigenvalues of the mechanical mode when kc is changed from 0.5 to 5 ered values of AGC and droop gain, and when not, the gain
with steps of 0.5. The increase is to the right. values themselves are impractical for the system.
A similar sensitivity analysis as the one presented here can
be performed to demonstrate the impact of the parameters in
E. Sensitivity Analyses the transfer function JUF/OF (s) on the required peak value of the
signal u to trigger the under-frequency/over-frequency relay;
Sensitivity analyses are performed in this section to show
the results of this sensitivity analysis are not provided for the
that the attacks are applicable to systems with a wide range
sake of brevity.
of control system parameters. Specifically, we demonstrate
the impact of varying the parameters in the transfer func-
IV. M ITIGATION S TRATEGY
tion JROCOF (s) such as AGC and droop gains on the required
peak value of the signal uattack to trigger the ROCOF protec- Cyber and physical solutions can be used to mitigate the
tive relay. Moreover, the impact of the AGC and droop gains cyberattacks against synchronization systems. Cyber solutions
on the performance of the control loops of the synchronous either rely on the protection of cyber assets from intrusion or
generator is discussed. rely on encryption of data. This is while physical solutions
Fig. 10 illustrates the impact of varying the AGC gain kc entail physical modifications of the system. The deficiency
on the required peak value of the signal uattack to trigger the of the cyber solutions is that skilled attackers with suffi-
ROCOF relay and the performance of AGC. It can be observed cient resources may still compromise the security measures.
in Fig. 10 (a) that decreasing the AGC gain increases the Here, we propose two physical mitigation strategies as the last
pk,R
required peak value uattack . Fig. 10 (b) illustrates the impact line of defense against cyberattacks targeting synchronization
of varying the AGC gain from 0.5 to 5 on the location of the systems. The first mitigation strategy is based on an anomaly
dominant mechanical eigenmode of the system transfer func- detection system. The second mitigation strategy is based on
tion G(s). The red points in Fig. 10 (b) show the low values incorporating a limiter block in the governor control logic of
of the AGC gain for which the attack is infeasible. Although the synchronizing generator. We also verify that the mitiga-
small values of the AGC gain increase the required peak value tion strategies do not interfere with the normal synchronization
pk,R
uattack , these values are impractical as they also diminish the process.
performance of AGC.
Fig. 11 illustrates the impact of varying the droop gain kd A. Anomaly Detection Based Mitigation Strategy
on the required peak value of the signal uattack to trigger the The generator frequency during a successful cyberattack has
ROCOF relay and the performance of frequency-droop control. to change faster than during normal synchronization to prevent
It can be observed in Fig. 11 (a) that increasing the droop gain attack detection by operators. Hence, we propose an anomaly
pk,R
increases the required peak value uattack . Although the large detection based mitigation strategy capable of detecting attacks
values of the droop gain kd increase the required peak value by monitoring the rate-of-change of frequency of the system.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
4478 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 5, SEPTEMBER 2021
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
MOHAMED et al.: FALSE DATA INJECTION ATTACKS AGAINST SYNCHRONIZATION SYSTEMS IN MICROGRIDS 4479
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
4480 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 5, SEPTEMBER 2021
Fig. 15. Simulation results using OPAL-RT: An attack with the time period Fig. 17. Simulation results using OPAL-RT: An attack with time period of
of the system resonance and a stream of (+1) and (−1) pulses. the system resonance and a complex pattern.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
MOHAMED et al.: FALSE DATA INJECTION ATTACKS AGAINST SYNCHRONIZATION SYSTEMS IN MICROGRIDS 4481
Fig. 18. Simulation results using OPAL-RT: An attack with a time period Fig. 20. Simulation results using OPAL-RT: Periodic attack with the anomaly
different from the time period of the system resonance. detection based mitigation strategy.
Fig. 21. Simulation results using OPAL-RT: Ramp attack with the anomaly
Fig. 19. Simulation results using OPAL-RT: Saturated ramp attack. detection based mitigation strategy.
longer time to trip a generator as compared to the periodic 2) Case Study B2: In this case study, we consider a ramp
attack in Case Study A1. attack to demonstrate that the anomaly detection mitigation
strategy is capable of preventing non-periodic FDI attacks.
B. Anomaly Detection Based Mitigation Strategy Fig. 21 shows that the ramp attack is able to trip the gen-
erator in less than 6 seconds in the absence of the mitigation
The threshold value for the anomaly detection mitigation
strategy. Yet, the mitigation strategy successfully prevents the
strategy is set to be equal to 3 × 10−3 pu. This threshold is
attack.
shown with horizontal dashed blue lines in Figs. 20–21. When
The simulation results in Case Study A1-A5 and B1-B2
νROCOF exceeds this threshold, an anomaly is detected and a
demonstrate that the proposed mitigation strategies success-
local signal is sent to the governor to disable the synchroniza-
fully prevent all presented FDI attacks. This is evidenced
tion process temporarily until the rate-of-change of frequency
by the measurements shown in green not exceeding their
of the system settles back to the normal range. For the system
corresponding relay settings in Figs. 15–21.
under study, the synchronization is re-enabled when νROCOF has
stayed below the threshold for 3 seconds.
1) Case Study B1: In this case study, we reconsider the VI. C ONCLUSION
attack in Case Study A1 which has the shortest success This paper presented an analytical framework for deriving
time. Fig. 20 shows that the mitigation strategy disables the conditions for the successful implementation of FDI cyber-
synchronizing signal in less than 1 second after the attack attacks against the synchronization systems of synchronous
starts. Synchronization is re-enabled approximately after 8 generators in microgrids. We show that an attacker can imple-
seconds but promptly disabled again due to the detection of ment a fast successful attack by manipulating the time period
anomaly. Similar results are observed in the other periodic of the synchronizing control signal to the governor of a syn-
attack patterns. The simulation results obtained for the other chronous generator. Moreover, we demonstrate that the time
periodic attacks are not provided here for the sake of brevity. period associated with the resonance frequency of the targeted
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
4482 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 5, SEPTEMBER 2021
TABLE I T
T EST S YSTEM DATA B1g = kc 0 0 0
T
B2g = B3g = 0 0 0 −1/M .
R EFERENCES
[1] S. K. Khaitan, J. D. McCalley, and C. C. Liu, Cyber Physical Systems
Approach to Smart Electric Power Grid. Heidelberg, Germany: Springer,
2015.
[2] G. Liang, S. R. Weller, J. Zhao, F. Luo, and Z. Y. Dong, “The 2015
Ukraine blackout: Implications for false data injection attacks,” IEEE
Trans. Power Syst., vol. 32, no. 4, pp. 3317–3318, Jul. 2017.
[3] (2016). Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT) Cyber-Attack Against Ukrainian Critical
Infrastructure. Accessed: Aug. 29, 2019. [Online]. Available:
https://us-cert.cisa.gov/ics/alerts/IR-ALERT-H-16-056-01
[4] (2019). North American Electric Reliability Corporation (NERC)
Critical Infrastructure Protection (CIP) Reliability Standards. Accessed:
Aug. 29, 2019. [Online]. Available: http://www.nerc.com
[5] G. N. Ericsson, “Cyber security and power system communication—
Essential parts of a smart grid infrastructure,” IEEE Trans. Power Del.,
vol. 25, no. 3, pp. 1501–1507, Jul. 2010.
TABLE II [6] S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber–physical system
DG2 R ELAY S ETTINGS - IEEE C ATEGORY III P ROTECTION R ELAY security for the electric power grid,” Proc. IEEE, vol. 100, no. 1,
S TANDARDIZED S ETTINGS AS IN [39] pp. 210–224, Jan. 2012.
[7] P. M. Esfahani, M. Vrakopoulou, K. Margellos, J. Lygeros, and
G. Andersson, “Cyber attack in a two-area power system: Impact iden-
tification using reachability,” in Proc. Amer. Control Conf., Baltimore,
MD, USA, Jul. 2010, pp. 962–967.
[8] S. Sridhar and M. Govindarasu, “Model-based attack detection and miti-
gation for automatic generation control,” IEEE Trans. Smart Grid, vol. 5,
no. 2, pp. 580–591, Mar. 2014.
[9] A. Ameli, A. Hooshyar, E. F. El-Saadany, and A. M. Youssef, “Attack
system results in the fastest attack. Yet, the attacker does not detection and identification for automatic generation control systems,”
need to have exact knowledge of the resonance frequency to IEEE Trans. Power Syst., vol. 33, no. 5, pp. 4760–4774, Sep. 2018.
[10] S. Sahoo, Y. Yang, and F. Blaabjerg, “Resilient synchronization strategy
implement a successful attack. for AC microgrids under cyber attacks,” IEEE Trans. Power Electron.,
The proposed analytical framework is further employed to vol. 36, no. 1, pp. 73–77, Jan. 2021.
devise effective physical mitigation strategies, one of which is [11] Y. Chen, D. Qi, H. Dong, C. Li, Z. Li, and J. Zhang, “A FDI attack-
resilient distributed secondary control strategy for islanded microgrids,”
based on incorporating a limiter into the synchronization con- IEEE Trans. Smart Grid, vol. 12, no. 3, pp. 1929–1938, May 2021.
trol loop, and the other is based on detecting anomalies in the [12] S. Zuo, O. A. Beg, F. L. Lewis, and A. Davoudi, “Resilient networked
power system rate-of-change of frequency during the synchro- AC microgrids under unbounded cyber attacks,” IEEE Trans. Smart
nization process. It is determined that the proposed mitigation Grid, vol. 11, no. 5, pp. 3785–3794, Sep. 2020.
[13] H. Zhang, W. Meng, J. Qi, X. Wang, and W. X. Zheng, “Distributed load
strategies do not have a tangible impact on the synchronization sharing under false data injection attack in an inverter-based microgrid,”
process in the absence of cyberattacks. Moreover, the proposed IEEE Trans. Ind. Electron., vol. 66, no. 2, pp. 1543–1551, Feb. 2019.
mitigation strategies do not interfere with other control loops [14] S. Abhinav, H. Modares, F. L. Lewis, F. Ferrese, and A. Davoudi,
“Synchrony in networked microgrids under attacks,” IEEE Trans. Smart
of the synchronous generator. Grid, vol. 9, no. 6, pp. 6731–6741, Nov. 2018.
Lastly, sensitivity analyses are performed to explore the [15] K. Koellner, C. Anderson, and R. Moxley, “Generator black start
impact that parameters such as AGC and droop gains of a validation using synchronized phasor measurement,” in Proc. Power
Syst. Conf. Adv. Metering Prot. Control Commun. Distrib. Resources,
synchronous generator have on the successful implementation Clemson, SC, USA, 2007, pp. 498–504.
of the attack. The impact of the inverter-based DERs is further [16] W. M. Strang et al., “Generator synchronizing industry survey results,”
investigated for the successful implementation of cyberattacks IEEE Trans. Power Del., vol. 11, no. 1, pp. 174–183, Jan. 1996.
[17] M. J. Thompson, “Fundamentals and advancements in generator syn-
against synchronization systems in microgrids. The simulation chronizing systems,” in Proc. 65th Annu. Conf. Prot. Relay Eng., College
results illustrate that inverter-based DERs, whether operated in Station, TX, USA, 2012, pp. 203–214.
virtual inertia or droop control mode, make it more difficult [18] C. Cho, J.-H. Jeon, J.-Y. Kim, S. Kwon, K. Park, and S. Kim, “Active
synchronizing control of a microgrid,” IEEE Trans. Power Electron.,
to implement a successful attack against the synchronization vol. 26, no. 12, pp. 3707–3719, Dec. 2011.
system of a microgrid. [19] D. Shi, Y. Luo, and R. K. Sharma, “Active synchronization control for
microgrid reconnection after islanding,” in Proc. IEEE PES Innovat.
Smart Grid Technol., Istanbul, Turkey, 2014, pp. 1–6.
A PPENDIX [20] Y. Zhang, R. A. Dougal, and H. Zheng, “Tieline reconnection of
microgrids using controllable variable reactors,” IEEE Trans. Ind. Appl.,
S TATE S PACE R EPRESENTATION M ATRICES vol. 50, no. 4, pp. 2798–2806, Jul./Aug. 2014.
[21] IEEE Standard for Salient-Pole 50 Hz and 60 Hz SGs and
⎡ ⎤ Generator/Motors for Hydraulic Turbine Applications Rated 5 MVA and
0 0 0 −kc Above, IEEE Standard C50.12–2005, 2005.
⎢kG /τG −1/τG 0 −kd kG /τG ⎥ [22] IEEE Standard for Cylindrical-Rotor 50 Hz and 60 Hz SGs Rated 10
A=⎢
⎣ 0
⎥
⎦ MVA and Above, IEEE Standard C50.13–2014, 2014.
kT /τT −1/τT 0 [23] D. L. Ransom, “Get in step with synchronization,” IEEE Trans. Ind.
0 0 1/M −D/M Appl., vol. 50, no. 6, pp. 4210–4215, Nov./Dec. 2014.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.
MOHAMED et al.: FALSE DATA INJECTION ATTACKS AGAINST SYNCHRONIZATION SYSTEMS IN MICROGRIDS 4483
[24] S. M. Manson, A. Upreti, and M. J. Thompson, “Case study: Smart auto- Mohammadreza Fakhari Moghaddam Arani
matic synchronization in islanded power systems,” in Proc. IEEE/IAS (Member, IEEE) received the M.Sc. degree in elec-
51st Ind. Commer. Power Syst. Techn. Conf. (I&CPS), Calgary, AB, trical engineering from the University of Waterloo,
Canada, 2015, pp. 1–10. Waterloo, Canada, in 2012, and the Ph.D. degree in
[25] M. J. Thompson and K. G. Ravikumar, “New developments in generator energy systems from the Department of Electrical
synchronizing systems,” in Proc. 13th Annu. Western Power Del. Autom. and Computer Engineering, University of Alberta,
Conf., 2011, pp. 1–9. Edmonton, Canada, in 2017. From 2012 to 2013, he
[26] R. A. Evans, “A manual/automatic synchronization circuit for a 37.5 worked as a Research Associate with the University
MVA steam-turbine-driven generator,” IEEE Trans. Ind. Appl., vol. 26, of Waterloo. He was a NSERC Postdoctoral Fellow
no. 6, pp. 1081–1085, Nov./Dec. 1990. with the University of Toronto from 2017 to 2019.
[27] L. C. Gross, L. S. Anderson, and R. C. Young, Avoid Generator and He joined Ryerson University, Toronto, Canada, as
System Damage Due to a Slow Synchronizing Breaker, Wisconsin Elect. an Assistant Professor in July 2019. His research interests include cyber–
Power Company, Milwaukee, WI, USA and Schweitzer Eng. Lab., physical security of smart grids, renewable and distributed generation, plug-in
Pullman, WA, USA, 1997. hybrid electric vehicles, microgrids dynamics and control, and power system
[28] M. Thompson, “Advancements in synchronizing systems for microgrids stability. He is the holder of the Canada Research Chair in Smart Grid
and grid restoration,” in Proc. 13th Int. Conf. Develop. Power Syst. Prot., Cyber–Physical Security.
2016, pp. 1–6.
[29] M. J. Thompson, A. Li, R. Luo, M. C. Tu, and I. Urdaneta, “Advanced
synchronizing systems improve reliability and flexibility of offshore
power systems,” in Proc. IEEE Petrol. Chem. Ind. Committee Conf.
(PCIC), Houston, TX, USA, 2015, pp. 1–9.
[30] T. Foxcroft and M. Thompson, “Advanced synchronising system pro-
vides flexibility for complex bus arrangement,” in Proc. 42nd Ann.
Amir Abiri Jahromi (Senior Member, IEEE)
Western Protective Relay Conf., Spokane, WA, USA, Oct. 2015,
received the Ph.D. degree in electrical and computer
pp. 1–11.
engineering from McGill University, Montréal, QC,
[31] T. M. L. Assis and G. N. Taranto, “Automatic reconnection from inten-
Canada, in 2016.
tional islanding based on remote sensing of voltage and frequency sig-
From January 2018 to December 2019, he was a
nals,” IEEE Trans. Smart Grid, vol. 3, no. 4, pp. 1877–1884, Dec. 2012.
Postdoctoral Fellow with the University of Toronto,
[32] R. J. Best, D. J. Morrow, D. M. Laverty, and P. A. Crossley,
where he was a Research Associate in 2020. He is
“Synchrophasor broadcast over Internet protocol for distributed gen-
currently a Lecturer with the School of Electronic
erator synchronization,” IEEE Trans. Power Del., vol. 25, no. 4,
and Electrical Engineering, University of Leeds.
pp. 2835–2841, Oct. 2010.
His research interests are in the fields of power
[33] N. K. Kandasamy, “An investigation on feasibility and security for
system modeling, cyber–physical security, reliability,
cyberattacks on generator synchronization process,” IEEE Trans. Ind.
economics, and optimization of power systems.
Informat., vol. 16, no. 9, pp. 5825–5834, Sep. 2020.
[34] (2019). ABB SYNCHROTACT 5—Synchronizing Relays. Accessed:
Aug. 30, 2019. [Online]. Available: https://new.abb.com/power-
electronics/synchronizing-equipment/relays/synchrotact-5
[35] (2019). SEL-451 Protection, Automation, and Bay Control
System. Accessed: Aug. 30, 2019. [Online]. Available:
https://selinc.com/products/451/
[36] J. Hong, C.-C. Liu, and M. Govindarasu, “Detection of cyber intrusions Deepa Kundur (Fellow, IEEE) was a native of
using network-based multicast messages for substation automation,” in Toronto, Canada. She received the B.A.Sc., M.A.Sc.,
Proc. Conf. Innovat. Smart Grid Technol. (ISGT), Washington, DC, and Ph.D. degrees in electrical and computer engi-
USA, 2014, pp. 1–5. neering from the University of Toronto in 1993,
[37] Y. M. Khaw, A. A. Jahromi, M. F. M. Arani, S. Sanner, D. Kundur, and 1995, and 1999, respectively.
M. Kassouf, “A deep learning-based cyberattack detection system for She is a Professor and the Chair of The Edward S.
transmission protective relays,” IEEE Trans. Smart Grid, vol. 12, no. 3, Rogers Sr. Department of Electrical and Computer
pp. 2554–2565, May 2021. Engineering, University of Toronto. She is also a rec-
[38] P. Kundur, N. J. Balu, and M. G. Lauby, Power System Stability and ognized authority on cyber security issues. She has
Control, vol. 7. New York, NY, USA: McGraw-Hill, 1994. authored over 200 journal and conference papers.
[39] IEEE Standard for Interconnection and Interoperability of Distributed Her research interests lie at the interface of cyber-
Energy Resources with Associated Electric Power Systems Interfaces, security, signal processing, and complex dynamical networks.
IEEE Standard 1547-2018, 2018. Prof. Kundur’s research has received best paper recognitions at numerous
[40] R. Tan et al., “Optimal false data injection attack against automatic venues, including the 2015 IEEE Smart Grid Communications Conference,
generation control in power grids,” in Proc. ACM/IEEE 7th Int. Conf. the 2015 IEEE Electrical Power and Energy Conference, the 2012 IEEE
Cyber Phys. Syst., Vienna, Austria, 2016, pp. 1–10. Canadian Conference on Electrical & Computer Engineering, the 2011 Cyber
Security and Information Intelligence Research Workshop, and the 2008
IEEE INFOCOM Workshop on Mission Critical Networks. She has also
been a recipient of teaching awards at both the University of Toronto and
Texas A&M University. She has served in numerous conference execu-
tive organization roles, including as a Publicity Chair for ICASSP 2021, a
Track Chair for the 2020 IEEE International Conference on Autonomous
Systems, a General Chair of the 2018 GlobalSIP Symposium on Information
Processing, Learning and Optimization for Smart Energy Infrastructures, and
a TPC Co-Chair for IEEE SmartGridComm 2018. A Symposium Co-Chair
for the Communications for the Smart Grid Track of ICC 2017, a General
Amr S. Mohamed received the M.A.Sc. degree Chair for the Workshop on Communications, Computation and Control for
in electrical and computer engineering from the Resilient Smart Energy Systems at ACM e-Energy 2016, the Workshop
University of Toronto in 2020, where his research on Cyber–Physical Smart Grid Security and Resilience at Globecom 2016,
focused on smart grid cyber–physical security. He the Symposium on Signal and Information Processing for Smart Grid
is currently pursing the Ph.D. degree with the Infrastructures at GlobalSIP 2016, the 2015 International Conference on
Department of Electrical and Computer Engineering, Smart Grids for Smart Cities, 2015 Smart Grid Resilience Workshop at IEEE
University of Toronto. His research interests are GLOBECOM 2015, and the IEEE GlobalSIP’15 Symposium on Signal and
in utilizing machine learning methods to enhance Information Processing for Optimizing Future Energy Systems. She currently
cyber–physical systems’ security, resilience, and serves on the Advisory Board of IEEE Spectrum. She is a Fellow of the
control. Canadian Academy of Engineering, and a Senior Fellow of Massey College.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:49:23 UTC from IEEE Xplore. Restrictions apply.