Resilient Consensus-Based AC Optimal Power Flow Against Data Integrity Attacks Using PLC

3786 IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO.
5, SEPTEMBER 2022
Resilient Consensus-Based AC Optimal Power Flow

Against Data Integrity Attacks Using PLC
Yang Yang , Graduate Student Member, IEEE, Gurupraanesh Raman , Member, IEEE,
Jimmy Chih-Hsien Peng , Senior Member, IEEE, and Zhi-Sheng Ye , Senior Member, IEEE
Abstract—This paper investigates the resilience of consensus- $2 billion per year, was also recently disrupted by a cyber
based AC optimal power flow (OPF) for distribution networks attack [3]. In view of such events, cyber security has become
against the data integrity attacks (DIA). The distribution network a major concern for the operation and control of modern power
is first decomposed into several autonomous microgrids to
achieve consensus-based AC OPF through the alternating direc- systems.
tion multiplier method (ADMM). Then the vulnerability of One of the most prominent types of cyber attacks is a
consensus-based AC OPF is analyzed by showing how the dis- data integrity attack (DIA), which aims to mislead the power
patch results can be easily altered by attackers through falsifying system by inserting or altering the data in the cyber layer [4].
the information (active power, reactive power, and voltage) shared Considerable research efforts have been devoted to DIAs on
between neighboring microgrids. Two different attack scenarios,
viz., economic-driven attacks and disruptive attacks, are studied the electricity market [5], state estimation [6], and energy man-
to show the malicious influence of cyber attacks on consensus- agement [7]. These works largely focus on centralized control
based AC OPF. A detection and mitigation strategy based on wherein the whole system is assumed to be monitored and
the existing power line communication (PLC) infrastructure is controlled by a central controller. Through a single DIA on
then described, where the critical information is not only shared the central controller, an attacker could potentially disrupt the
in the cyber layer, but also through the power lines. Game-
theoretic analysis is provided to demonstrate the effectiveness entire power system, and during the attack process, gain access
of the proposed mitigation strategy. Furthermore, to validate to the private information of all the involved utilities flowing
the authenticity of the information through PLC, a physical through the cyber layer [8].
encryption method based on the Lorenz system is proposed. Consensus-based control is a good solution to enhance
The effectiveness of the proposed attack-resilient mechanism is the power system resilience against DIAs by employing dis-
verified using the IEEE 123-bus test system.
tributed controllers which coordinate with neighboring devices
Index Terms—AC OPF, consensus-based optimization, data by iteratively sharing information through two-way communi-
integrity attack, distribution network, power line communication. cation links [9]. Despite this advantage, as consensus-based
applications require limited information flows, the unavail-
ability of global information makes the system vulnerable to
I. I NTRODUCTION cyber attacks. The impact of DIAs on consensus-based con-
HE INCREASING integration of sensing and commu-
T nication devices such as phasor measurement units has
largely improved the efficiency of power system operation
trol has been receiving increasing focus of late. The [10]
studied DIAs on DC optimal power flow (OPF) which can
lead to suboptimal or even infeasible solutions for microgrids.
and control [1]. At the same time, the increasing reliance In [11], the impact of DIAs on a consensus-based distributed
on communication also leaves the power system vulnerable energy management algorithm was analyzed, where attackers
to cyber attacks, potentially leading to failures and immense can mislead the system by sending manipulated information
economic losses. For example, 200 MW of generation capac- to achieve economic benefits without disrupting the system.
ity was shut down by a cyber attack in Kiev in 2016 [2]. The Reference [12] studied the influence of DIA on the cooperative
U.K. electricity market, which handles transactions of about control of virtual power plants. In [13], the attack on gener-
ation cost parameters to obtain additional economic benefits
Manuscript received 19 October 2020; revised 9 May 2021, was also investigated. These studies mainly focus on cyber
27 November 2021, and 21 February 2022; accepted 15 April 2022.
Date of publication 25 April 2022; date of current version 23 August 2022. attacks on DC OPF, while AC OPF is not considered. In
This work was supported in part by the National Research Foundation, Prime contrast to DC OPF, AC OPF considers reactive power and
Minister’s Office, Singapore, under its Campus for Research Excellence nodal voltage information in addition to active power, which
and Technological Enterprise (CREATE) Programme, and in part by the
National Science Foundation of China under Grant 72071138. Paper no. makes it more accurate but also more vulnerable to DIA in
TSG-01567-2020. (Corresponding author: Jimmy Chih-Hsien Peng.) terms of its potential impact, as we shall demonstrate in this
Yang Yang and Zhi-Sheng Ye are with the Department of Industrial Systems paper.
Engineering and Management, National University of Singapore, Singapore.
Gurupraanesh Raman and Jimmy Chih-Hsien Peng are with the Electrical To enhance the resilience of consensus-based control of
and Computer Engineering Department, National University of Singapore, power systems against DIAs, several mechanisms have been
Singapore (e-mail: j.peng@ieee.org). proposed. For instance, a neighborhood-watch mechanism is
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TSG.2022.3170009. proposed in [10] whereby each controller monitors its one-
Digital Object Identifier 10.1109/TSG.2022.3170009 hop neighbors’ behavior by analyzing the information sent
1949-3053
c 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: American University of Sharjah. Downloaded on October 16,2022 at 09:51:30 UTC from IEEE Xplore. Restrictions apply.
YANG et al.: RESILIENT CONSENSUS-BASED AC OPTIMAL POWER FLOW AGAINST DIAs 3787
and received from its neighbors. In [14], the communication whose presence in the power line serves as verification of the
between smart meters is encrypted with a digital signature data accuracy.
to ensure privacy and security against possible cyber attacks. The remainder of this paper is organized as follows.
In [15], a distributed discord-element-based detection strategy Section II introduces the modeling of consensus-based AC
was proposed to recognize false data and identify the agents OPF for distribution networks. Then the ADMM algorithm is
under attack. While these methods can effectively detect and introduced and the designed attacking scenarios on the ADMM
mitigate DIAs, they still rely on the communication system in algorithm are proposed in Section III. Section IV introduces
the cyber layer, which leaves them vulnerable to other types of the proposed PLC-based mitigation strategy and the corre-
cyber attacks, e.g., denial-of-service (DoS) attacks. To resolve sponding attack detection method based on the Lorenz system
this, Sahoo and Peng [16] propose reverting to locally mea- is presented. The case studies based on the IEEE-123 bus
sured and estimated information to operate the system when system are given in Section V. Finally, the main conclusions
the cyber attacks are recognized, removing the dependence of the paper are summarized in Section VI.
on the communication network altogether. However, such an
approach will result in suboptimal system operation for an II. R EVIEW OF C ONSENSUS -BASED AC OPF M ODELING
extended period of time following the attack, resulting in Consider a radial distribution network composed of sev-
higher operation costs to the system. eral microgrids, each with distributed generators and loads.
In this paper, we bridge the gap in the literature with respect The individual microgrids are controlled by their own con-
to attacks on consensus-based AC OPF by demonstrating that trollers, which communicate among each other to realize the
attacks on reactive power and voltage information in the cyber consensus-based AC OPF. Define Gm := {Nm , Em } as the
layer can also disrupt its accuracy and convergence, similar to microgrid m, where Nm and Em represent the node set and
attacks on active power. The main contributions are as follows. branch set, respectively. Each node i ∈ Nm has an ancestor
First, we describe two different attack scenarios designed g g g
node Ai and multiple child nodes Ci . Let si := pi + jqi and
particularly for AC OPF, namely, economic-driven attacks si := pi +jqi be the respective complex power output of gener-
d d d
and disruptive attacks. The attacks are tailor-made for the ator and load demand on node i. Let vi := |Vi |2 be the squared
alternating direction multiplier method (ADMM), which is magnitude of voltage on node i. For each branch (i, j) ∈ Em ,
a prominent consensus-based optimization algorithm where let zij := rij + jxij be the complex impedance, Sij := Pij + jQij
neighboring microgrids exchange limited information such as be the nominal branch power flow, lij := |Iij |2 be the squared
active and reactive power, and voltage to achieve global opti- magnitude of branch current Iij .
mality. In essence, the economic-driven attack aims to increase The objective of the consensus-based AC OPF is to mini-
the active power output of certain generators to yield higher mize the overall generation cost in the distribution network:
profits for certain utilities without violating the physical con- g
straints. On the other hand, a disruptive attack aims to mislead min fi pi , (1)
the microgrids to violate the physical constraints, thereby m i∈Nm
preventing convergence of the ADMM algorithm. g
where fi (pi )
is the cost for generator on node i. The objective
Second, we propose to leverage existing power line commu- is subject to the security range of each microgrid Km , which
nication (PLC) infrastructure to detect and mitigate DIAs on is defined by the power balance constraints (2), power flow
the cyber layer by sharing essential information that is required constraints (3)-(5), voltage limits (6) and generation limits (7)
for the ADMM. Note that PLC has been widely used in power and (8), as follows:
system communication for protection and telemetering pur- g
poses [17], [18], and therefore its use in attack mitigation SAi i − Sij + lij zij + si = sdi ∀i ∈ Nm , (2)
does not require additional investment. To the best of our j∈Ci

knowledge, this is the first work that leverages physical layer vi − vj = Sij∗ zij + Sij z∗ij − lij |zij |2 ∀(i, j) ∈ Em , (3)
information to detect and mitigate attacks on the cyber layer. 2
The advantage of this approach is that we no longer rely on Sij = lij vi ∀(i, j) ∈ Em , (4)

the trustworthiness of certain cyber layer information (e.g., that lij ≤ l̄ij ∀(i, j) ∈ Em , (5)
the neighbors’ information remains accurate [10], [19]) when
V 2i ≤ vi ≤ V̄i2 ∀i ∈ Nm , (6)
a DIA has been detected. Using Stackelberg game theory, we g g g
demonstrate that the incorporation of the PLC-based detection si ≤ si ≤ s̄i ∀i ∈ Nm , (7)
g
scheme can effectively dissuade attackers by reducing their s · φ ≤ s g ∀i ∈ Nm . (8)
i i
expected payoff to zero. g g
Here, s̄i and si are respectively the maximum and minimum
Finally, we propose a DIA detection mechanism on the PLC
power output of the generator, V i and V̄i , the voltage magni-
system itself. As it is realized in the physical layer, PLC is
tude limits, taken here as 0.95 p.u. and 1.05 p.u., respectively,
significantly difficult for attackers to penetrate as compared
and l̄ij , the line current limit. φ denotes the minimum power
to the cyber layer. This makes it less susceptible to DIA
factor of generator. The notation ∗ denotes the conjugation of
and DoS attacks. Nevertheless, to ensure the veracity of the
a complex value. Since (4) is non-convex, a second-order cone
information obtained from the PLC, a physical layer DIA-
relaxation can be applied as [20]:
detection method based on the Lorenz system is proposed.
Specifically, an additional encryption signal is transmitted, 2Sij , vi − lij ≤ vi + lij ∀(i, j) ∈ Em (9)
2
3788 IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO. 5, SEPTEMBER 2022
neighbors.
⎛

2
Skn , Vnk = argmin⎝(ρ/2)S − S̃kn + ξnk + (ρ/2)
S,V∈Km 2
⎞
2 g
k k
× V − V̄n + μn + fi pi ⎠,
2
i∈Nm
(12)
Fig. 1. The implementation of consensus-based AC OPF on a sample dis-
tribution system divided into two microgrids G1 and G2 by junction node 6, where ρ is the penalty parameter.
showing the information flows in the cyber layer.
Step-2: Each microgrid updates the dual variables ξnk and
μn with state variables Skn and Vnk from its neighbors.
k

Furthermore, the microgrids are connected with their neigh- ξnk = S̄kn + ξ̄nk , (13)
bors through the junction nodes, where the Kirchhoff’s law
μkn = Ṽnk + μ̃kn . (14)
must be satisfied with:
The termination criterion can be determined by the pri-
1
S̄n = Sn,m = 0 ∀n ∈ J, (10) mary and dual residuals of the k-th iteration, which are
|n |
rkn = (S̄kn , Ṽnk ) and dnk = ρ(S̃kn − S̃kn , V̄nk − V̄nk ). Given a
m∈n
1 predefined tolerance δ, the iterations can be terminated when:
Ṽn = Vn,m − Vn,m = 0 ∀n ∈ J, (11)
|n |
m∈n 2 2
max rkn , dnk ≤ δ. (15)
2 2
where | · | is the cardinality, n is the set of microgrids that
contain junction node n, and J is the set of junction nodes. For B. The Proposed Attacking Strategies
example, node 6 in Fig. 1 is the junction node of microgrids
The generic implementation of the consensus-based AC
G1 and G2 , and hence n = {G1 , G2 }. Sn,m and Vn,m denote
OPF is shown in Fig. 1. In general, the aim of the attacker is
the power flow and voltage of microgrid m on the junction
to alter the final result of the ADMM algorithm by falsifying
node n, respectively. Sn and Vn are the sets of power flows
the information shared between neighboring microgrids. As
Sn,m and voltages Vn,m , respectively. S̄n and Ṽn are the sets
can be seen from (12)-(14), the iteration process relies on cor-
of average power imbalance and voltage magnitude residue.
rectly exchanged information (Skn , Vnk ) through the cyber layer
(The superscripts ¯ and ˜ refer to the average and the residue
between neighboring microgrids, which makes it vulnerable
of a set, respectively.)
to various types of cyber attacks. For instance, the iteration
can be interrupted by DoS attacks, which totally block the
information exchange between microgrids. Alternatively, as
III. T HE P ROPOSED DIA M ECHANISMS ON we shall demonstrate, attackers may change the final results or
C ONSENSUS -BASED AC OPF even produce infeasible solutions by launching DIAs during
This section first describes the distributed AC OPF mecha- the iteration process.
nism, followed by how an adversary can alter the final results In the proposed attack mechanisms, the DIAs are perpe-
by falsifying the information exchanged between microgrids trated by falsifying the information shared between neigh-
during the solution process. boring microgrids during Step-1 of the OPF solution pro-
cess. During such an attack, the neighboring controllers
progress through the iterative solution process with the fal-
A. Solution Process for Consensus-Based AC OPF sified information, due to which the power flows and the
In consensus-based AC OPF, the solution for the OPF voltages at the junction node(s) will be altered. DIAs can be
problem is obtained in a distributed manner. For achieving specifically formulated with two distinct motives, whereby the
consensus, we adopt the ADMM algorithm because of its attacks can be classified as being either: 1) economic-driven
fast convergence capability [21]–[23]. The ADMM formula- or 2) disruptive. These are detailed below.
tion for (1)-(11) is given below, where the microgrids share 1) Economic-Driven Attack: To facilitate the analysis of
only the state variable and dual variable information for their the economic-driven attacks, we assume that all the genera-
own smaller optimization problems, to achieve the global tors inside a microgrid are operated by a single electric utility,
optimality of the whole system. which can intercept the information and falsify the dispatch
Step-1: During the k-th iteration, each microgrid result of the distributed controllers in the cyber layer. The
updates the state variables Skn and Vnk with the updated electric utilities with higher costs tend to launch the economic

dual variable ξnk and μkn from the previous iteration attack to generate more electricity and increase profits. As a

k = k − 1, which are then communicated to its result, the consumers have to afford a higher electricity cost.
Proposition 1: If the true active power information Pnk =

R(Skn ) is replaced by false information −P̂n ∈ ∩m∈n Km dur-
ing the iteration process, the active power flow result will
finally converge to −P̂n and the final result will be suboptimal.
Proof: The proof is provided in Appendix A.
As an example, in microgrid G1 of Fig. 1, the exported
powerg must lie between the security region KG1 :=
active
[0, i∈G1 (p̄i − pdi ) − p ]. For microgrid G2 , the imported
active
power must lie in the security region KG2 :=
g
[ i∈G2 (pdi − p̄i ) + p , i∈G2 pdi + p ] to meet the power bal-
ance constraints. Here, p is the active line loss inside the Fig. 2. Mitigation strategy against cyber attacks by transmitting crucial
microgrid which can be estimated from empirical data. At information through the physical layer.
the end of the iteration process, the state variable Pk6 must
lie inside the security region KG1 ∩ KG2 . If the electric util-
ity in G2 maliciously wishes to increase the power output replace the true exchanged information to a value that is
of its generators, it can falsify the shared active power flow out of the security region P̂6 ∈ / KG2 to violate the active
information Pk6 between G1 and G2 with a smaller value power balance constraint. For example, the malicious attacker
{P̂6 |P̂6 < Pk6 , ∀P̂6 ∈ KG1 ∩ KG2 }. Hence, the information can the active power information such that P̂6 <
falsify d − p̄g ) + , which will ensure that the ADMM
that microgrid G1 and G2 receive would be −P̂6 and P̂6 , (p
i∈G2 i i p
respectively. Consequently, the final result of active power algorithm will not converge. Along similar lines, a falsi-
flow on node 6 converges to P̂6 and −P̂6 for microgrid G1 power Q̂6g ∈
fied reactive / KG2outside the security region
and G2 , respectively. The falsified
generation dispatch inside KG2 := [ i∈G2 (qdi − q̄i ) + q , i∈G2 (qdi + qgi ) + q ] can be
g
G2 is increased from PG2 = i∈G2 pi = i∈G2 pdi − Pk6 to transmitted by the microgrid G2 , which would also guarantee

g
P̂G2 = i∈G2 p̂i = i∈G2 pdi − P̂6 . The increased economic that the ADMM does not converge. Here, q is the reactive
benefits of the utility in G2 through the DIA is: line loss. Compared to attacking the active or reactive power
g g information, attacking the voltage requires limited knowledge
B = P̂G2 ∗ λ̂ − fi p̂i − PG2 ∗ λ + fi pi , (16) of the system parameters. For a microgrid located downstream
i∈G2 i∈G2 in the distribution network, the security region of voltage at
the junction node is Km := {Vn |Vn > 0.95 p.u.} to maintain
where λ and λ̂ refer to the marginal prices before and after the
all the nodal voltages greater than 0.95 p.u.. Therefore, by
cyber attack, respectively. The marginal price λ is calculated
simply falsifying the original voltage information V6k as 0.95
by the derivatives of the cost functions of marginal generators:
g g g p.u., the voltage limits are sure to be violated, disallowing the
df1 p1 df2 p2 dfi pi convergence of the ADMM algorithm.
λ= g = g = ··· = g . (17)
dp1 dp2 dpi
Since the local OPF model is implemented in each microgrid IV. M ITIGATION S TRATEGY AGAINST C YBER -ATTACKS
with falsified information, the post-attack marginal price λ̂ is To make the ADMM algorithm resilient to DIAs on the
calculated as per equation (17), albeit with the falsified power cyber layer, we propose that the crucial information between
being shared amongst the generators in that microgrid. If this microgrids be transmitted in the physical layer using PLC,
were not the case, then the attack would be immediately appar- as shown in Fig. 2. In contrast, the mitigation mechanisms in
ent, as the marginal prices would be different for generators prior works were implemented in the cyber layer, which could
within the microgrid. Moreover, we note that if non-identical themselves be attacked, for instance, by DoS attacks. Whereas
falsified information is sent to different neighbors, the AC OPF if PLC is employed, the system becomes largely invulnera-
will not converge, as Kirchhoff’s law will be violated. This ble to attacks due to the difficulty in physically penetrating
would instead be classified as a disruptive attack, which is substations.
described in more general terms below. Despite the security advantage, the PLC technique can only
2) Disruptive Attack: The attacker is able to cause infeasi- support data transmission at a few kB/s [24], and will there-
ble solutions by misleading the ADMM algorithm to violate fore increase the solution time for real-time OPF. Here, we
the system constraints (e.g., active and reactive power balance propose a strategy to combine the advantages of both layers.
constraints and voltage limits) by attacking the active power The information required for the ADMM algorithm is trans-
P, reactive power Q, and voltage V information. mitted through the cyber layer during each iteration. However,
Proposition 2: If the true information (Skn , Vnk ) is replaced in the physical layer, the information is recorded and trans-
by false information (Ŝn , V̂n ) ∈
/ ∩m∈n Km during the iteration mitted only once, say, every 10 iterations. Note that a shorter
process, the ADMM algorithm will not converge and the final reporting interval demands a higher bandwidth on the PLC,
solution will be infeasible. whereas a longer interval increases the time to detect attacks.
Proof: The proof is provided in Appendix A. A cyber attack, if it occurs, is detected by comparing the
If an attacker wishes to launch an attack on the active information from both layers every 10 iterations. If a cyber
power information to cause an infeasible solution, they can attack is detected, the controllers discard the past 10 iterations.
Fig. 4. Physical layer attack detection mechanism using an encryption signal.
push the system into a chaotic state, which in turn can be used
as a detection mechanism. This is shown in Fig. 4. Further,
to reduce the attack detection time, the time domain of the
Fig. 3. Lorenz system to detect the encryption signal of 90 kHz frequency. Lorenz system can be re-scaled by a factor T. Let t = τ/T
a) Lorenz system under static state shows the existence of encryption signal; and g(t) = β cos(ω/T · τ ) = β cos(ω τ ), then:
b) Lorenz system under chaotic state shows that an attack exists.
X(t) = X(τ/T) = X † (τ ), (20)
dX(t) dX(τ/T) dX(τ/T) dX † (τ )
Assuming the data from the physical layer is authentic, the = =T =T . (21)
dt d(τ/T) dτ dτ
iteration process is restarted from 10 iterations ago. The iter-
ations continue solely based on the information from the Similar modifications are carried out for Y and Z.
physical layer, albeit at a slower speed. To further improve the Substituting (20) and (21) into (18) and omitting the super-
reliability of the proposed resilient OPF scheme, the reporting scripts † on all the variables, the following equation can be
rate for the physical layer (10 in the above discussion) can be obtained:
⎧ dX
changed randomly. ⎨ T dτ = σ (Y − X)
dτ = rref X − Y − XZ.
T dY
While the information from the physical layer is assumed (22)
⎩ dZ
to be authentic, there is nevertheless a small possibility that it T dτ = XY − bZ
also be attacked. To identify such an occurrence, we propose
Since (22) are derived from (18), the system properties and
an attack detection method based on the Lorenz system. Here,
critical values are not altered, whereas the angular speed ω is
a sinusoidal signal is transmitted along with the information
divided by the time re-scale factor T. The time re-scale factor
through the physical layer to serve as an authentication mark.
T can be chosen depending on the required detection interval.
As the attacker is not aware of the existence of the encryption
Since the consensus-based OPF depends on the Lorenz system
signal, it will be erased by DIAs. By detecting the existence
to detect attacks, it is desired that the existence of an attack
of the encryption signal, the controllers are able to verify the
be detected within one iteration, e.g., 1s. Here, the frequency
authenticity of the information from the physical layer. This
of the encryption signal g(t) is taken as 90 kHz, which con-
method has the following advantages: 1) it does not suffer from
forms to the CENELEC standard for PLC [17]. Accordingly,
latency issues, unlike standard digital encryption methods that
the relative amplitude of the encryption signal β is set as 85,
typically entail adding 64 to 128 bits to every message [25];
the parameter r of Lorenz system is set as 25, the time scaling
2) it does not introduce any communication burden to the
factor T is set as 90. The Lorenz system will reach either a
distributed controllers, given that the distributed AC OPF is
static or chaotic state within 0.5 s, as shown in Fig. 3. By
already computationally cumbersome; and 3) it can be realized
measuring the variance of the Lorenz parameter X, the exis-
at low cost with simple analog circuits based on the existing
tence of the encryption signal can be determined, from which
PLC infrastructure [26].
the existence of the attack can also be inferred.
The detection mechanism for the encryption signal g(t) =
As long as the encryption signal is detected (i.e., the Lorenz
β cos(ωt) is implemented using a modified Lorenz mathemat-
system is in the static state), the data from the physical layer
ical model [27] (see Appendix B):
⎧ can be used to locate and mitigate a DIA. However, if the
⎨ Ẋ = σ (Y − X) encryption signal is not detected, this means that the physi-
Ẏ = rref X − Y − XZ, (18) cal layer has been attacked. Under this unlikely scenario, the
⎩
Ż = XY − bZ ADMM algorithm should be stopped as the data flows in both
the cyber and physical layers are no longer reliable. In such
where
a case, the different microgrids can revert to a predetermined
σβ 2 safe state until a detailed examination of the cyber and phys-
rref = r 1 − r 2 , (19)
2w ical layers is carried out. The detailed mitigation strategy is
and σ , r and b are the parameters of Lorenz system. The shown in algorithm form in Table I.
Lorenz system presents various dynamic regimes with differ-
ent values of the parameter rref . A standard set of σ, b are V. O PTIMAL D EFENDING S TRATEGY:
set as 10, 8/3. If 0 < rref < 24.74, the Lorenz system will be A G AME T HEORY A NALYSIS
under static states, but if rref > 24.74, the Lorenz system will The previous section detailed how DIAs on consensus-based
be under chaotic state, as shown in Fig. 3. By carefully choos- AC OPF can be detected and mitigated. In this section, we
ing the value of β and r, the existence of g(t) can be used to present a Stackelberg game-theoretic analysis [28] to show

TABLE I Ca
M ITIGATION S TRATEGY AGAINST C YBER L AYER DIA S = sa Ba 1 − − s d
(24)
Ba
Note that if sd > 1 − Ca /Ba , then φ a (sa , sd ) > 0. The
expected payoff is maximized only when Pr(sa = 1) = 1. If
sd < 1−Ca /Ba , then φ a (sa , sd ) > 0 and the expected payoff
is maximized only when Pr(sa = 0) = 1. Specifically, if
sd = 1−Ca /Ba , then φ a (sa , sd ) = 0 for all sa . However, due
to the item I{φ a (sa ,sd )=0} sa , the expected payoff is maximized
only when Pr(sa = 0) = 1. Hence, the unique optimal solution
of (23) is:
Ca
Pr(sa = 0) = 1, if sd ≥ 1 − B a
(25)
Pr(sa = 1) = 1, otherwise
which means if the defender launches the mitigation process
with a chance higher than 1 − Ca /Ba , the strategic attacker
tends not to launch the attack. Otherwise, its expected payoff
obja will be strictly negative.
Cost of the defender: The defender will suffer an economic
loss Ced , if it fails to detect and mitigate the DIA, which is
equivalent to the benefits Ba for the attacker. On the other
hand, the defender is assumed to have an operation cost Cpd ,
that DIAs can be prevented by launching the detection and which mainly reflects the communication burden pertaining
mitigation procedure with a high enough frequency. to monitoring possible attacks. Even though Cpd is generally
We make the assumption that both the attackers (utilities much smaller than Ced , it is still considered to make the model
themselves or external malicious actors) and the defenders (the more comprehensive. Say that the defender plays a strategy
microgrid controllers) are strategic and own a set of attack- sd with probability Pr(sd ). The defender aims to achieve the
ing strategies and defending strategies. The possible strategy minimum expected cost objd by assuming the attacker will
spaces of attackers and defenders are SA = {sa |0 ≤ sa ≤ 1} and play a certain strategy sa :
SD = {sd |0 ≤ sd ≤ 1}, respectively. The attacking strategy sa
means that the chance of launching the DIA at any operation objd = min Pr sd · φ d sa , sd
period by attackers is equal to sa . The defending strategy sd Pr(sd ) d D
s ∈S
means that the chance of launching the mitigation process in
s.t. Pr sd = 1, 0 ≤ Pr sd ≤ 1 (26)
Table I at any operation period by the defender is equal to sd .
For instance, sd = 0.5 means that the defender launches the sd ∈SD
mitigation process with a 50% chance in any given interval. where φ d (sa , sd ) is the cost function of the defender when the
Payoff of the attacker: The attacker can have a profit Ba , attacker plays a strategy sa and the defender plays a strategy sd :
if the DIA is launched and there is no mitigation procedure
applied by the defenders. Each time a DIA is launched, the φ d sa , sd = sa 1 − sd Ced + sd Cpd (27)
attacker will have to pay a cost Ca . Say that the attacker plays
a strategy sa with probability Pr(sa ). The attacker aims to Given the attacker’s strategy in (25), the defender’s cost
achieve a maximum expected payoff obja given the defender’s function φ d (sa , sd ) can be reformulated as:
strategy sd :
sd C d , Ca
if sd ≥ 1 − B
φ s , s = p d d
d a d a
(28)
obja = maxa Pr sa · φ a sa , sd − I{φ a (sa ,sd )=0} sa 1 − s Ce + sd Cpd , otherwise
Pr(s )
sa ∈SA
Note that φ d (sa , sd ) decreases with sd when sd < 1−Ca /Ba ,
s.t. Pr sa = 1, 0 ≤ Pr sa ≤ 1 (23)
and then increases with sd when sd ≥ 1 − Ca /Ba . Moreover,
sa ∈SA
φ d (sa , sd ) is minimized only when sd = 1 − Ca /Ba .
where φ a (sa , sd ) is the payoff function of the attacker when Substituting (28) into (26), the objective function of the
attacker plays a strategy sa and the defender plays a strategy sd . defender then becomes:
I{φ a (sa ,sd )=0} is the indicator function, which equals to 1 when
φ a (sa , sd ) = 0, and equals to 0 otherwise. This penalty item objd = min Pr sd 1 − sd Ced + sd Cpd
Pr(sd ) Ca
reflects the aversion of launching an attack when the payoff is sd <1− B a

zero. Moreover, as will be clear shortly, the inclusion of this
+ Pr sd sd Cpd
item ensures a unique optimal solution for the defender. The C a
sd ≥1− B
payoff function φ a (sa , sd ) is expressed as:
a
Ca
φ a sa , sd = sa 1 − sd Ba − sa Ca ≥ Cp 1 −
d
(29)
Ba
where the equality holds only when Pr(sd = 1−Ca /Ba ) = 1,

which satisfies the constraints in (26). Hence, the unique
optimal solution for the defender is playing the strategy
sd = 1 − Ca /Ba with probability 1, denoted as S∗d . Any
other defending strategies will lead to a higher expected cost.
Moreover, as indicated by (25), the strategic attacker tends not
to launch the attack under the optimal defending strategy. We
denote this attacking strategy as S∗a .
Proposition 3: Given a fixed pair of cost Ca and the benefit
Ba , a unique equilibrium is achieved when the defender plays
strategy S∗d and the attacker plays strategy S∗a .
Proof: The proof is provided in Appendix C.
The variation of load level and generation level during the Fig. 5. The IEEE 123-bus distribution system divided into four microgrids.
grid’s operation changes an attack’s payoff from time to time.
Therefore, for determining the optimal defending strategy, we TABLE II
calculate the highest possible payoff for the attacker Ba . Let PARAMETERS OF D ISTRIBUTED G ENERATORS
Bam,t denote the payoff for the electricity utility of microgrid
Gm at operational time t, which aims to obtain economic
benefits by launching a DIA. This can be calculated as:
Bam,t ≤ Bmax
m,t − Bm,t ,
0
(30)
where B0m,t is the benefit without launching DIA, and Bmax

m,t
is the maximal benefit that can be obtained by launching an
attack. We have, VI. R ESULTS AND D ISCUSSIONS
g g g In this section, the IEEE 123-bus distribution system is used
m,t = P̄m,t · λ P̄m,t − f P̄m,t ,
Bmax (31)
⎧ ⎫ to validate the effectiveness of the proposed attack-resilient
⎨ g⎬ consensus-based AC OPF algorithm. The network is divided
g
P̄m,t = max dm,t , P̄i , (32) into 4 microgrids, with 5 distributed generators installed at
⎩ ⎭
i∈Gm different nodes as shown in Fig. 5. The original system data
g can be found in [29]. The generation costs are approximated
where P̄m,t is the maximum generation in microgrid Gm due g g g
in the quadratic form fi (pi ) = ai (pi )2 + bi pi . The constant
g
to a DIA, λ(P̄m,t ), the corresponding marginal price, and cost parameter is neglected here owing to our focus on the
g
f (P̄m,t ), the corresponding generation cost. Since the defender economic benefit due to cyber attacks, which is not impacted
is unaware of which electric utility launches the DIA, the max- by the constant cost. The cost parameters and locations of
imum payoff Bat of all the electric utilities in the system can the distributed generators are given in Table II. The active
be taken as the attacker’s payoff: and reactive power capacities of the generators are all set as
0.3 MW and 0.2 MVar, respectively. The main grid is con-
Bat = max Bam,t = max Bmax m,t − Bm,t .
0
(33) sidered as a generator in microgrid G1 , whose cost is set as
m m
600 $/MWh. It should be noted that this cost is not shared
The corresponding optimal defending strategy sdt for the with other microgrids in the consensus-based AC OPF model.
defender at time t should then be: The iteration tolerance δ and the penalty parameter ρ are
Ca respectively set as 10−4 and 10.
sdt = 1 − . (34) The generation dispatch result without attack is first calcu-
Bat
lated to establish the baseline for the following case studies.
Note that, in the above analysis, we have dealt with economic- The simulations are carried out using MATLAB 2019 run-
driven DIAs. As for malicious attacks, the benefit Bat ning on a personal computer with the Intel Core i5 processor
depends on the attacker’s self-perception, and is difficult to and 8 GB RAM. For the test system, the generation dispatch
quantify; these attacks are therefore not considered here. result without attack is {0.144, 0.109, 0.1, 0.1, 0.1} MW
Furthermore, we have only considered the cases where the and {0.129, 0.114, 0.179, 0.179, 0.179} MVar. The imported
attacker is one of the generating utilities rather than the active and reactive power from the main grid are 2.917 MW
microgrid controllers in the system. If the microgrid con- and 1.13 MVar, respectively. The active and reactive power
trollers were to themselves instigate attacks, the proposed flow on junction nodes 118, 119 and 120 are {1.125,
mitigation strategy fails as the neighbors cannot access the 1.546, 0.611} MW and {0.233, 0.409, 0.341} MVar, respec-
true information. Under such a circumstance, other miti- tively. The residues over the iterations are shown in Fig. 6,
gation strategies, such as the neighborhood-watch mecha- which reach the required tolerance in about 100 iterations.
nism [10] can be leveraged to validate the trustworthiness of The execution time is 111.6 s for 120 iterations. However,
the exchanged information. since the run-time per iteration is hardware dependent, the
Fig. 6. Variation of the primary and dual residues of the ADMM during the
iteration process. Convergence occurs when the residues become lower than
the termination criterion.
Fig. 8. Overall increase in economic benefit for G3 and G4 due to DIAs on
nodes 118 and 119. The grey boxes indicate that the selected combination of
power flow manipulations violates the security constraints.
price inside G4 increases from 600 $/MWh to 700 $/MWh; the

total income also increases from 180 $/h to 420 $/h. Hence,
the utility in G4 gains an additional profit of 45 $/h, which
is 300% higher. However, the revenue of the main grid is
decreased by 180 $/h.
For the second case study, assume that the electric utility in
G3 also wishes to increase its output to 0.2 MW to gain more
profit, while the electric utility in G4 retains its prior attack-
ing strategy. Specifically, the electric utility in G3 attacks the
active power measurement on its junction node 119 by sending
out false information P̂3 = −1.155 MW during each iteration
to the neighboring microgrid G1 and −P̂3 to microgrid G3 .
The active power flow of G4 on node 119 over the itera-
tions is presented in Fig. 7(b). The total generation cost of
G3 increases from 58.85 $/h to 118 $/h. However, since the
electricity price inside G3 also increases from 600 $/MWh to
700 $/MWh, the total income of generators increases from
65.4 $/h to 140 $/h. Hence, the electric utility in G3 gains an
excess profit of 15.45 $/h, which is 236% higher than before.
However, the dispatch results are no longer optimal due to the
attack. To determine the impact of the extent of the attack on
Fig. 7. Iteration process of active power flow with and without DIA: (a) Node the attackers’ profits, different pairs of DIAs are simulated on
118; (b) Node 119; (c) Node 120. nodes 118 and 119, and the results are presented in Fig. 8. It
can be observed that the attacks artificially reducing the power
flows invariably result in additional profit for the utilities in
iteration number is henceforth used to represent the execution G3 and G4 . However, the attack needs to be carefully designed
process. to avoid causing infeasible solutions.
In the third case study, assume that the electric utility in G2
A. Attacking Consensus-Based AC OPF wishes to increase its output from 0.144 MW to 0.244 MW to
1) Economic-Driven Attack: The following case studies gain more profit, while the electric utilities in G3 and G4 retain
demonstrate the impact of economic-driven attacks. In the their attacking strategy. Specifically, the electric utility in G2
first case study, assume that the electric utility in G4 wants attacks the active power information on its junction node 120
to increase its generation output to gain more profit. It fol- by sending out false information P̂2 = −0.511 MW during
lows the strategy of attacking active power flow on its junction each iteration to the neighboring microgrid G1 and −P̂2 to
node 118 by sending out false information P̂4 = −0.825 MW microgrid G2 . The active power flow of G1 on node 120 during
during each iteration to the neighboring microgrid G3 and the iterations is presented in Fig. 7(c). The marginal price
−P̂4 to microgrid G4 , instead of the true value of 1.125 MW. within the microgrid G2 is increased to 704 $/MWh. Hence,
The active power of G3 on node 118 during the iterations the profit of electric utility in microgrid G2 is increased from
of the attack is shown in Fig. 7(a). Due to the attack, the 10.8 $/MWh to 31 $/MWh, which is 187% higher than the
active power flow on node 118 reduces from the 1.125 MW normal operation status.
to 0.825 MW, and the dispatched active power output for In the fourth case study, we examine the possibility of
each of the three distributed generators in G4 increases from attacking reactive power information to impact the active
0.1 MW to 0.2 MW. As a result, the total generation cost of G4 power flow. Here, the minimum power factor of generators
increases from 165 $/h to 360 $/h. Meanwhile, the electricity is taken as 0.85 [30]. By falsifying the information of reactive
TABLE III
F INAL R ESULT G IVEN BY ADMM A LGORITHM
U NDER D ISRUPTIVE DIA S
power shared between microgrids G1 and G2 as 0.32 MVA,

the generator in G2 needs to supply 0.15 MVA reactive power
to satisfy load demand. Due to the power factor constraint,
the active power generation in microgrid G2 is falsified from Fig. 9. Iteration process with and without mitigation of DIAs: (a) Power
flow on nodes 118 and 119 under economic-driven attack; (b) Primary residue
0.144 MW to 0.244 MW. The marginal price within the and dual residue under the disruptive attack on node 118.
microgrid G2 is increased to 704 $/MWh. Hence, the profit
of electric utility in microgrid G2 is 187% higher than the
normal operation status, which is a similar result to the third iterations (here, taken as 10). Suppose that the electric utilities
case. in G3 and G4 both want to increase their respective generation
2) Disruptive Attack: The attacker can render the OPF outputs and start attacking the active power flow information
solution infeasible by attacking the active and reactive power on nodes 118 and 119 from the 11-th iteration onwards.
flows or voltage information on any of the junction nodes in As a result, the cyber layer data beginning from the 11-th
the distribution system by sending falsified information that is iteration becomes incorrect. The iterations proceed with the
out of the security range. For example, the attacker may send attack undetected until the 20-th iteration, at which point the
out the manipulated value P̂4 during each iteration that is out controllers detect the disparity between the information from
of the security region K4 = [−1.445, −0.545] MW. As a case the cyber and physical layers. Consequently, the controllers
study, by sending out false information P̂4 = −0.5 MW to of G1 and G3 discard the cyber layer data and restart their
microgrid G4 , the ADMM algorithm will not converge because iteration processes from the 11-th iteration using the physical
the power balance constraint in G4 is violated. As can be seen layer information instead. As can be seen from Fig. 9(a), had
from Table III, the summations of the active power injections there been no mitigation strategy, the active power flow on
on the junction nodes are no longer zero. Similarly, if the nodes 118 and 119 would have converged to 0.825 MW and
attacker wants to cause an infeasible solution by attacking 1.155 MW respectively, rather than 1.125 MW and 1.546 MW
reactive power, they may send out the false information Q̂2 as before the attack. With the proposed mitigation strategy,
out of the security region K2 = [−0.47, −0.27] MVar dur- however, the power flows return to the correct value. Note
ing each iteration. Hence, by sending out false information that the time taken for each iteration in the post-attack sce-
Q̂2 = −0.25 MVar to microgrid G2 , the ADMM will not nario would be longer due to the use of the low bandwidth
converge either. The resulting reactive power flows on three PLC for achieving consensus.
junction nodes for this case are shown in Table III. If the Finally, we consider a disruptive attack where the attacker
attacker wants to cause infeasible solutions by attacking volt- manipulates the active power flow on node 118 after the 11-th
age, they may send out the false information V̂4 during each iteration. As is evident from Fig. 9(b), if the attack is unde-
iteration, e.g., 0.95 p.u., then the voltages determined by the tected, then the primary and dual residues become divergent.
AC OPF on the junction nodes will not be identical, violating In contrast, leveraging the physical layer data, the residues can
Kirchhoff’s law. be recovered successfully, ensuring convergence.
B. Mitigation Strategy Based on PLC C. Defending Strategy Based on Game Theory Analysis
We now demonstrate the use of the Lorenz system-based We now demonstrate how the optimal defending strategy
method to detect possible attacks on the physical layer. As can be decided during the operation day based on the result
described in Section IV, this mechanism involves the detec- of Stackelberg game theory analysis. The load curve in p.u.
tion of encryption signals in the data transmitted through PLC. during 24 hours is taken from [31]. For simplicity, the load
With the detection of the encryption signal, the information at each bus is assumed to vary at the same ratio during each
from the physical layer can be used to validate the information operation period of the day. The ADMM algorithm is exe-
from the cyber layer, once every predetermined number of cuted for each hour based on the load demand to estimate
power and voltage information. To deal with such attacks, a

PLC-based mitigation strategy was proposed, wherein accurate
information from the physical layer can be used to supplement
the inaccurate data from the cyber layer following an attack.
To verify the authenticity of the physical layer information,
a Lorenz system-based encryption mechanism was proposed
that can reliably detect possible attacks. Simulation results
show that this mechanism is able to successfully detect attacks
within one iteration of the consensus-based AC OPF. Finally,
based on the Stackelberg game theory, we demonstrate that the
incorporation of the PLC-based detection scheme can effec-
tively dissuade attackers by reducing their expected payoff to
zero.
A PPENDIX A
Proof of Proposition 1: We first prove that the ADMM will
converge to the manipulated value −P̂n . Since the falsified
information −P̂n ∈ Km , the optimization problem of each
Fig. 10. Calculating the optimal defending strategy during the operation microgrid described in (12) is feasible and will converge to
day: (a) Maximum payoff for potential attackers; (b) Distribution of optimal
defending strategy sdt . The upper bound shows the case with Ca equals to a certain optimal value p . According to [21], the following
50 $/h, the lower bound shows the case with Ca equals to 125 $/h. The three inequalities hold:
values within the bar correspond to the 25% and 75% quartiles. 2 2

Lk ≤ Lk − ρ rk − dk (35)
2 2
T T
the maximum payoff Bat that can be obtained by electric pk − p ≤ −ρ yk rk + dk −rk − zk + z (36)
utilities through DIAs. As shown in Fig. 10(a), the payoff
p − pk ≤ −ρ y rk
T
is highest (120 $/h) between 7 a.m. and 8 p.m., and lowest (37)
(72 $/h) between 2 a.m. and 5 a.m. This is because the higher where yk = [ξ k ; μk ] and zk = [S̃k ; V̄ k ], and Lk is the
load demand from 7 a.m. and 8 p.m. leaves a larger space for Lyapunov function representing the distance of yk and zk to
the electric utilities to increase the output of their generators their respective optimal values y and z . Further, pk is the
through DIAs. The maximal payoff is also stable in this time objective of the AC OPF at the k-th iteration and is equal
period as it is limited by the generators’ maximum output lev-
to i f i (pg ). By accumulating the inequality (35) of each
i,k
els. Given the maximum payoff values, the optimal defending iteration, the following inequality can be obtained:
strategy sdt under different attacking costs is determined as
∞
shown in Fig. 10(b). The cost Ca for the attackers can be 2 2
ρ rk + dk ≤ L0 (38)
estimated by the defender through simulation or experiment, 2 2
k=0
and here, assumed to be distributed uniformly between 50 $/h
and 125 $/h. The optimal defending strategy sdt is the highest Since L0 is finite, it can be obtained that limk→∞ rk 22 = 0
when Ca is the lowest (50 $/h) and is lowest when Ca is the and limk→∞ dk 22 = 0. Since,
highest (125 $/h). Moreover, when the cost equals 125 $/h, it
Skn + Ŝn k
becomes higher than the maximum payoff Bat , the expected r = S̄ , Ṽ =
k k k
, Ṽ (39)
net revenue for the attackers is negative, leading to sdt = 0. 2
Overall, to cover the entire range of Ca , a simple defending
strategy sdt can be taken as 0.6 from 7 a.m. to 8 p.m., and 0.5 then limk→∞ Skn = −Ŝn and limk→∞ Pnk = −P̂n , which
from 10 p.m. to 5 a.m. Then, the attackers’ expected payoff means that the active power flow on the junction node n
will always be negative, meaning that the attackers tend not will converge to the falsified information −P̂n . We also prove
to launch DIAs. that the optimal value is varied due to the attack. Since
limk→∞ rk 22 = 0 and limk→∞ dk 22 = 0, it can be con-

cluded from (36) and (37) that p = limk→∞ i∈Gm fi (pi ).
g,k
VII. C ONCLUSION Since the imported power is reduced due to the manipulated
This paper presented two practically feasible DIAs on value P̂m , generators will generate more power to satisfy load
AC OPF. While economic-driven attacks aim to disrupt the demand and p is increased. Hence, the solution under attack
information flow to increase the power references for certain is suboptimal.
generators over others, disruptive attacks are tailored to prevent Proof of Proposition 2: The proposition can be readily
the convergence of the AC OPF by exceeding the security proved by contradiction. Assume that the ADMM algorithm
limits. Case studies were presented demonstrating that for AC will still converge such that (limk→∞ Skn , limk→∞ Vnk ) ∈ Km .
OPF, a malicious entity can disrupt the system operation by According to [21], we have limk→∞ rk 22 = 0. Hence,
attacking not only the active power flows but also the reactive limk→∞ (Skn + Ŝn ) = 0 and limk→∞ Vnk = V̂n . However, since
(−Ŝn , V̂n ) ∈
/ Km , and limk→∞ Skn and limk→∞ Vnk are not in ACKNOWLEDGMENT
Km either, which contradicts our initial assumption. Hence, This research was conducted at the Future Resilience
the final solution of ADMM is infeasible. Systems at the Singapore-ETH Centre, which was estab-
lished collaboratively between ETH Zurich and the National
A PPENDIX B Research Foundation Singapore.
The mathematical model of standard Lorenz system is:
⎧ R EFERENCES
⎨ ẋ = σ(y − x) [1] C. Liu, M. Zhou, J. Wu, C. Long, and D. Kundur, “Financially moti-
ẏ = r 1 + g(t) x − y − xz, (40) vated FDI on SCED in real-time electricity markets: Attacks and
⎩
ż = xy − bz mitigation,” IEEE Trans. Smart Grid, vol. 10, no. 2, pp. 1949–1959,
Mar. 2019.
[2] G. Raman, B. AlShebli, M. Waniek, T. Rahwan, and J. C.-H. Peng,
where σ , r and b are the parameters of Lorenz system, with “How weaponizing disinformation can bring down a city’s power grid,”
g(t) = 0. However, if g(t) = β cos(ωt), then according to [27], PLoS One, vol. 15, no. 8, 2020, Art. no. e0236517. [Online]. Available:
the three variables (x, y, z) can be decomposed into two parts: https://dx.plos.org/10.1371/journal.pone.0236517
[3] “Cyber Attack On U.K. Electricity Market Confirmed.” [Online].
a slowly varying part (X, Y, Z) and a small but fast varying Available: https://www.infosecurity-magazine.com/news/uk-power-grid-
part (x, y, z) which oscillates around the slowly varying biz-suffers-outage/ (Accessed: Sep. 30, 2020).
part. [4] A. S. Musleh, G. Chen, and Z. Y. Dong, “A survey on the detection
⎧ algorithms for false data injection attacks in smart grids,” IEEE Trans.
⎨ x = X + x, x X Smart Grid, vol. 11, no. 3, pp. 2218–2234, May 2020.
[5] S. Tan, W. Song, M. Stewart, J. Yang, and L. Tong, “Online data integrity
y = Y + y, y Y (41)
⎩ attacks against real-time electrical market in smart grid,” IEEE Trans.
z = Z + z, z Z Smart Grid, vol. 9, no. 1, pp. 313–322, Jan. 2018.
[6] Y. Liu and G.-H. Yang, “Event-triggered distributed state estimation for
The fast varying part (x, y, z) is assumed to be very small cyber-physical systems under DoS attacks,” IEEE Trans. Cybern., early
access, Sep. 10, 2020, doi: 10.1109/TCYB.2020.3015507.
compared to (X, Y, Z) and their mean value (x, y, z) [7] Y. Zhang, Y. Xiang, and L. Wang, “Power system reliability assess-
will vanish during an oscillation period. Substituting (41) ment incorporating cyber attacks against wind farm energy management
into (40), averaging over an oscillation period and neglecting systems,” IEEE Trans. Smart Grid, vol. 8, no. 5, pp. 2343–2357,
Sep. 2017.
the high-order items, the following equations can be obtained: [8] N. Rahbari-Asr, Y. Zhang, and M.-Y. Chow, “Consensus-based dis-
⎧ tributed scheduling for cooperative operation of distributed energy
⎪
⎪ Ẋ = σ (Y − X)
⎪
⎪
resources and storage devices in smart grids,” IET Gener. Transm.
⎨ Ẏ = rX − Y − XZ + rβx cos(wt) Distrib., vol. 10, no. 5, pp. 1268–1277, 2016.
Ż = XY − bZ (42) [9] H. Pourbabak, J. Luo, T. Chen, and W. Su, “A novel consensus-based
⎪
⎪ distributed algorithm for economic dispatch based on local estimation of
⎪ ẋ = σ y
⎪
⎩ power mismatch,” IEEE Trans. Smart Grid, vol. 9, no. 6, pp. 5930–5942,
ẏ = rXβ cos(wt) Nov. 2018.
[10] J. Duan, W. Zeng, and M.-Y. Chow, “Resilient distributed dc optimal
By eliminating x and y in (42), (18) can be obtained. power flow against data integrity attack,” IEEE Trans. Smart Grid, vol. 9,
no. 4, pp. 3543–3552, Jul. 2018.
[11] J. Duan and M.-Y. Chow, “A novel data integrity attack on
A PPENDIX C consensus-based distributed energy management algorithm using local
information,” IEEE Trans. Ind. Informat., vol. 15, no. 3, pp. 1544–1553,
Proof of Proposition 3: The proof is based on the definition Mar. 2019.
of the equilibrium, i.e., no player can benefit by unilaterally [12] Y. Liu, H. Xin, Z. Qu, and D. Gan, “An attack-resilient cooperative con-
trol strategy of multiple distributed generators in distribution networks,”
changing its strategy [32]–[35]. IEEE Trans. Smart Grid, vol. 7, no. 6, pp. 2923–2932, Nov. 2016.
First, we show that (S∗a , S∗d ) is an equilibrium. If the defender [13] C. Zhao, J. He, P. Cheng, and J. Chen, “Analysis of consensus-based
changes its strategy and the attacker retains its strategy S∗a , distributed economic dispatch under stealthy attacks,” IEEE Trans. Ind.
Electron., vol. 64, no. 6, pp. 5107–5117, Jun. 2017.
the expected cost of the defender will be augmented, as illus- [14] J. Ni, K. Zhang, X. Lin, and X. S. Shen, “Balancing security and effi-
trated by (29). On the other hand, if the defender retains its ciency for smart metering against misbehaving collectors,” IEEE Trans.
strategy S∗d and the attacker changes its strategy, i.e., launch- Smart Grid, vol. 10, no. 2, pp. 1225–1236, Mar. 2019.
[15] S. Sahoo, J. C.-H. Peng, A. Devakumar, S. Mishra, and T. Dragičević,
ing the attack with a probability greater than zero, then the “On detection of false data in cooperative DC Microgrids—A discor-
expected payoff of the attacker will become strictly nega- dant element approach,” IEEE Trans. Ind. Electron., vol. 67, no. 8,
tive, as illustrated by the attacker’s objective function (25). pp. 6562–6571, Aug. 2020.
[16] S. Sahoo and J. C.-H. Peng, “A Localized event-driven resilient mech-
Therefore, (S∗a , S∗d ) is an equilibrium. anism for cooperative microgrid against data integrity attacks,” IEEE
Next, we show (S∗a , S∗d ) is the unique equilibrium. Suppose Trans. Cybern., vol. 51, no. 7, pp. 3687–3698, Jul. 2020.
there exists another equilibrium (S+ a , Sd ) = (Sa , Sd ). If Sd =
+ ∗ ∗ +
[17] S. Galli, A. Scaglione, and Z. Wang, “For the grid and through the grid:
The role of power line communications in the smart grid,” Proc. IEEE,
S∗ but S+ = S∗ , the attacker will switch its strategy from
d a a
vol. 99, no. 6, pp. 998–1027, Jun. 2011.
S+a to Sa to avoid a strictly negative expected payoff. On the
∗ [18] X. He, R. Wang, J. Wu, and W. Li, “Nature of power electronics and inte-
other hand, if S+ d = Sd , the corresponding expected cost of Sd gration of power conversion with communication for talkative power,”
∗ + Nat. Commun., vol. 11, no. 1, pp. 1–12, 2020.
is greater than the cost of S∗d , as illustrated by (29). Hence, [19] S. Z. Tajalli, T. Niknam, and A. Kavousi-Fard, “Stochastic electricity
the defender can always change from S+ d to Sd for a lower social welfare enhancement based on consensus neighbor virtualization,”
∗
cost, regardless of the attacker’s strategy. Both two scenarios IEEE Trans. Ind. Electron., vol. 66, no. 12, pp. 9571–9580, Dec. 2019.
[20] M. Farivar and S. H. Low, “Branch flow model: Relaxations and
of (S+ a , Sd ) conflict with the definition of equilibrium, which
+ Convexification—Part I,” IEEE Trans. Power Syst., vol. 28, no. 3,
completes the proof. pp. 2554–2564, Aug. 2013.
[21] S. Boyd, N. Parikh, E. Chu, B. Peleato, and J. Eckstein, [28] G. Raman, J. C.-H. Peng, and T. Rahwan, “Manipulating residents’
“Distributed optimization and statistical learning via the alter- behavior to attack the urban power distribution system,” IEEE Trans.
nating direction method of multipliers,” Found. Trends Mach. Ind. Informat., vol. 15, no. 10, pp. 5575–5587, Oct. 2019.
Learn., vol. 3, no. 1, pp. 1–122, 2010. [Online]. Available: [29] “Resources PES Test Feeder.” [Online]. Available: https://site.ieee.org/
http://www.nowpublishers.com/article/Details/MAL-016 pes-testfeeders/resources/ (Accessed: Sep. 30, 2020).
[22] C. Feng, Z. Li, M. Shahidehpour, F. Wen, W. Liu, and X. Wang, [30] Transmission Code, Energy Market Authority, Singapore, Jan. 2014.
“Decentralized short-term voltage control in active power distribu- [31] Y. Yang, M. Bao, Y. Ding, H. Jia, Z. Lin, and Y. Xue, “Impact of down
tion systems,” IEEE Trans. Smart Grid, vol. 9, no. 5, pp. 4566–4576, spinning reserve on operation reliability of power systems,” J. Mod.
Sep. 2018. Power Syst. Clean Energy, vol. 8, no. 4, pp. 709–718, Jul. 2020.
[23] W. Zheng, W. Wu, B. Zhang, H. Sun, and Y. Liu, “A fully distributed [32] Y.-Q. Wang, “Commodity Taxes under fiscal competition: Stackelberg
reactive power optimization and control method for active distribu- equilibrium and optimality,” Amer. Econ. Rev., vol. 89, no. 4,
tion networks,” IEEE Trans. Smart Grid, vol. 7, no. 2, pp. 1021–1033, pp. 974–981, 1999.
Mar. 2016. [33] S. K. Das, K. Kant, and N. Zhang, Handbook on Securing
[24] A. Majumder and J. Caffery, Jr., “Power line communications,” IEEE Cyber-Physical Critical Infrastructure. Waltham, MA, USA: Elsevier,
Potentials, vol. 23, no. 4, pp. 4–8, Oct./Nov. 2004. 2012.
[25] T. Liu et al., “A dynamic secret-based encryption scheme for smart [34] N. Liu, X. Yu, C. Wang, and J. Wang, “Energy sharing man-
grid wireless communication,” IEEE Trans. Smart Grid, vol. 5, no. 3, agement for microgrids with PV prosumers: A Stackelberg game
pp. 1175–1182, May 2014. approach,” IEEE Trans. Ind. Informat., vol. 13, no. 3, pp. 1088–1098,
[26] J. N. Blakely, M. B. Eskridge, and N. J. Corron, “High-frequency chaotic Jun. 2017.
Lorenz circuit,” in Proc. IEEE SoutheastCon, 2008, pp. 69–74. [35] M. Yan, M. Shahidehpour, A. Paaso, L. Zhang, A. Alabdulwahab,
[27] C.-U. Choe, K. Höhne, H. Benner, and Y. S. Kivshar, “Chaos suppres- and A. Abusorrah, “Distribution network-constrained optimization of
sion in the parametrically driven Lorenz system,” Phys. Rev. E, Stat. peer-to-peer transactive energy trading among multi-microgrids,”
Phys. Plasmas Fluids Relat. Interdiscip. Top., vol. 72, no. 3, 2005, IEEE Trans. Smart Grid, vol. 12, no. 2, pp. 1033–1047,
Art no. 36206. Mar. 2021.

Resilient Consensus-Based AC Optimal Power Flow Against Data Integrity Attacks Using PLC

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Resilient Consensus-Based AC Optimal Power Flow Against Data Integrity Attacks Using PLC

Uploaded by

Copyright:

Available Formats

3786 IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO.