Professional Documents
Culture Documents
A Two-Stage Kalman Filter For Cyber-Attack Detection in Automatic Generation Control System
A Two-Stage Kalman Filter For Cyber-Attack Detection in Automatic Generation Control System
1, January 2022
Abstract—
—Communication plays a vital role in incorporating the usage of internet connectivity, the power system is sus‐
smartness into the interconnected power system. However, his‐ ceptible to cyber-attacks. Cyber-attack is one of the greatest
torical records prove that the data transfer has always been vul‐ challenges that destabilizes the economic development of na‐
nerable to cyber-attacks. Unless these cyber-attacks are identi‐
fied and cordoned off, they may lead to black-out and result in
tions. In the event of a cyber-attack, the transmitted data is
national security issues. This paper proposes an optimal two- either corrupted or blocked, which leads to huge financial
stage Kalman filter (OTS-KF) for simultaneous state and cyber- losses and creates chaos in the power system. Several events
attack estimation in automatic generation control (AGC) sys‐ of cyber-attacks on the power system are recorded in history
tem. Biases/cyber-attacks are modeled as unknown inputs in the [3]. Cyber-attacks on dynamic state estimation, automatic
AGC dynamics. Five types of cyber-attacks, i.e., false data injec‐ generation control (AGC), electricity market crisis, and sta‐
tion (FDI), data replay attack, denial of service (DoS), scaling, bility and security issues are some of the examples of cyber-
and ramp attacks, are injected into the measurements and esti‐
attacks in the power system [4]-[9]. The idea of cyber-attack
mated using OTS-KF. As the load variations of each area are
seldom available, OTS-KF is reformulated to estimate the states is illustrated in Fig. 1, where the hacker attacks the commu‐
and outliers along with the load variations of the system. The nication system, injects false data, and misguides the central‐
proposed technique is validated on the benchmark two-area, ized monitoring and control system. It is possible to hack
three-area, and five-area power system models. The simulation communication data at various levels such as weather predic‐
results under various test conditions demonstrate the efficacy of tion, generation, load scheduling, etc.
the proposed filter.
Load center
Index Terms— —Cyber-security, automatic generation control
(AGC), load frequency control, false data injection, cyber-at‐ Transmission line
tack detection.
od, which happens in the case of DoS attack. Even though Kalman filter is a powerful means for estimating the
several measures are taken to avoid these cyber-attacks, ad‐ states of the power system in a noisy environment. Owing to
vanced hacking systems have been developed. Hence, the its advantages, many variants of the Kalman filter have been
manipulated/jammed data must be detected, and proper correc‐ developed in the literature. However, its performance deterio‐
tive measures are to be taken to mitigate serious issues in the rates when an accurate plant model is not available or when
smart grid. there exists bias or failure of the sensor. The optimal two-
AGC is a mechanism for regulating the load frequency in stage Kalman filter (OTS-KF) is a variant of the Kalman fil‐
power systems by transmitting the data of frequency and tie- ter for estimating the states even in the presence of random
line power deviations using communication channel IEC bias [27]. In this paper, an OTS-KF is proposed for cyber-at‐
6150. A control signal that regulates the position of governor tack detection, which is reformulated to suit cyber-attack de‐
valve is developed based on area control error in the central‐ tection and mitigation in a multi-area power system. The cy‐
ized control unit, and is transmitted to each generation unit. ber-attacks are considered as unknown inputs in the dynamic
When the intruder attacks the AGC, it may lead to frequency model. An OTS-KF is designed for estimating the states and
instability as well as financial loss. The intrusion detection cyber-attacks on the power system. The OTS-KF is a two-
in power system is broadly classified into three categories. stage algorithm in which state estimation and bias estimation
The first category is based on model-based intrusion detec‐ filters run in parallel. Kalman filter based bias estimation al‐
tion. In this method, an observer is designed based on the gorithms in the literature assume the load variations in each
power system model, which is useful for the cyber-attack de‐ area to be measurable. However, because of the integration
tection in power systems [10] - [14]. The second category is of renewable energy systems into the power system, the net
based on machine learning techniques through which the in‐ load variations affecting the load frequency are seldom avail‐
trusion detection is achieved [15]-[18]. Likewise, the last cat‐ able [28]. Hence, the load variations are considered as un‐
egory is a hybrid method, which is a combination of model- known inputs and a modified OTS-KF algorithm is devel‐
based method and artificial intelligence [19], [20]. A combi‐ oped. The proposed technique is validated for five types of
nation of residue and forecasting error is applied in [19] for cyber-attacks on the benchmark two-area, three-area, and
the detection of data manipulation. The cyber-attacks on the five-area power system models.
AGC system are modeled as unknown inputs and are esti‐ The major contributions of this paper are as follows.
mated using an unknown input observer in [21]. The pro‐ 1) This paper proposes an OTS-KF for cyber-attack detec‐
posed method has a promising performance with smaller tion on the AGC system. In the first stage, the states are esti‐
load forecasting error. However, in the case of large errors mated under bias-free (attack-free) condition; while in the
in load or renewable energy forecasting, the performance of second stage, the biases (attacks) are estimated.
this method is compromised. A stochastic unknown-input ob‐ 2) Because of the integration of small- and medium-scale
server-based intrusion detection technique is proposed in renewable energy systems into the power system, there is a
[22]. The residue of the Kalman filter is a useful tool in esti‐ huge gap between functional planning and operations. As a
mating cyber-attacks. Cyber-attacks are identified if the resi‐ result, continuous load monitoring is challenging. The load
due is higher than the threshold [10]. However, it is quite te‐ fluctuations are considered as new unknown inputs.
dious to select an optimal threshold under load disturbances. 3) The proposed OTS-KF is modified to estimate net de‐
The detection based on dynamic watermarking algorithm is mand and cyber-attacks.
proposed in [23]. A game-theory approach for the identifica‐ 4) The performance of the proposed OTS-KF is evaluated
tion of intrusion is proposed in [24]. In [25], a graphical ap‐ for various cyber-attacks such as FDI, DRA, DoS, scaling,
proach is proposed to identify vulnerable networks prone to and ramp attacks.
the cyber-attacks, and to sectionalize them to avoid any glob‐ The remainder of this paper is organized as follows. Sec‐
al effect due to any local manipulations. In [26], a large- tion II briefly introduces the modeling of AGC with cyber-at‐
scale power system is linearized and a two-stage estimator is tack. Section III elaborates on various types of cyber-attacks
proposed to deal with the scalable state estimation of the and their detection using a two-stage Kalman filter algo‐
complex non-linear system when the measurement data are rithm. Section IV describes the application of OTS-KF in cy‐
abundant but cannot be trusted. ber-attack estimation with and without load measurement.
Statistical methods are ineffective in detecting coordinated Section V details the simulation results for various types of
cyber-attacks and/or when the attacker has full knowledge of cyber-attacks. Finally, concluding remarks are given in Sec‐
the system dynamics. Machine-learning-based detection has tion VI.
two major challenges. The first is that these algorithms can‐
not quantify the cyber-attacks. The second is that the perfor‐ II. SYSTEM MODELING
mance of these methods may be severely affected in the The power system is highly nonlinear and distributed
presence of measurement noise. Further, for effective cyber- where the load frequency is regulated by using AGC. For
attack detection and mitigation, real-time load data are re‐ the design of the controller, power system dynamics are lin‐
quired, which may not be feasible due to the load uncertain‐ earized at an operation point. The linearized model of a two-
ties. In the absence of accurate load data, the detection relies area power system is considered as a plant to design the pro‐
on load forecasting data, and hence, the errors in load fore‐ posed filter.
casting may adversely affect the performance of the detec‐ The plant dynamics are shown in (1)-(9), and the dynam‐
tion process. ics of the AGC are represented in the state-space form [18],
52 JOURNAL OF MODERN POWER SYSTEMS AND CLEAN ENERGY, VOL. 10, NO. 1, January 2022
[19] as (10) and (11). change in load demand; T Ti is the time constant of turbine;
D1 1 1 1 T Gi is the time constant of governor; B i is the frequency bias
Dḟ 1 (t) = - Df (t) + DP g1 (t) - u (t) - DP 12 (t) factor; R i is the speed regulation coefficient; P s is the syn‐
2H 1 1 2H 1 2H 1 1 2H 1
chronizing power coefficient; K Ii is the integral control con‐
(1)
stant; H i is the inertia; D i is the frequency sensitivity load co‐
1 1 efficient; i = 1, 2; x is the state vector; y is the measurement
DṖ g1 (t) = - DP g1 (t) + DX g1 (t) (2) vector; u is the input vector; v is the measurement noise;
T T1 T T1
and w is the process noise.
1 1 1
DẊ g1 (t) = - Df (t) - DX g1 (t) + ACE 1 (t) (3)
R 1 T G1 1 T G1 T G1 III. CYBER-ATTACK MODELING AND DETECTION
AĊ E 1 (t) = -K I1 B 1 Df 1 (t) - K I1 DP 12 (t) (4) This section focuses on the effects of cyber-attacks on the
power system, the capabilities of attacker and defender, and
D2 1 1 1 cyber-attack modeling and detection.
Dḟ 2 (t) = - Df (t) + DP g2 (t) - u (t) + DP 12 (t)
2H 2 2 2H 2 2H 2 2 2H 2
A. Effect of Cyber-attacks
(5)
As discussed in Section I, cyber-attacks are resorted with
1 1 two goals: network destabilization and financial disruption.
DṖ g2 (t) = - DP g2 (t) + DX g2 (t) (6)
T T2 T T2 The destabilization of power system may be instigated by
1 1 1 terrorist groups (on a larger scale), governments in conflict
DẊ g2 (t) = - Df 2 (t) - DX g2 (t) + ACE 2 (t) (7) (in the case of interconnected grids), or resentful individuals
R 2 T G2 T G2 T G2 (on a smaller scale). The goals of the attackers can be either
AĊ E 2 (t) = -K I2 B 2 Df 2 (t) + K I2 DP 12 (t) (8) to disrupt the industrial activity or to gain access to secured
areas. These players eavesdrop for a long period of time to
DṖ 12 (t) = P s Df 1 (t) - P s Df 2 (t) (9) gain knowledge of the power system parameters to inflict
the maximum damage. These types of cyber-attacks are rare,
ẋ = A o x + B o u + w (10) but if successful, will lead to devastating results. However,
y = Cx + v (11) the intention to affect market operations, mostly done by
market operators or insiders, can be more frequent and
where x = [ Df 1 DP g1 DX g1 ACE 1 Df 2 DP g2 DX g2 ACE 2 DP 12 ] ;
T
{
ê ú i
Cx k + v k k<τ
ë0 0 0 0 1 0 0 0 0 û yk = (12)
quency; DP gi is the change in power output of generator; Cx k + b k + v k k ³ τ
DX gi is the change in valve position of governor; ACE i is the where the subscript k represents the value at a given discrete-
area control error; DP 12 is the line power deviation; u i is the time instant k; b is the bias/attack vector added to the measure‐
TUMMALA et al.: A TWO-STAGE KALMAN FILTER FOR CYBER-ATTACK DETECTION IN AUTOMATIC GENERATION CONTROL SYSTEM 53
ments; and τ is the instant at which attackers becomes active. P͂ kx + 1/k = AP͂ k/k
x
AT + W x + r k P k/k
b
r kT - ξ k + 1/k P kb+ 1/k ξ kT+ 1/k (22)
2) DoS Attack
( )
-1
The intruder identifies a weak node or receiving node, and K͂ kx+ 1 = P͂ kx + 1/k C T CP͂ kx + 1/k C T + V (23)
pumps in huge amounts of data packets so that the communi‐
cation is jammed between the measuring device and control ( )
P͂ kx + 1/k + 1 = I - K͂ kx+ 1 C P͂ kx + 1/k (24)
center for a certain period of time. The DoS attack is mod‐
eled as: x͂ k + 1/k + 1 = x͂ k + 1/k + K͂ kx+ 1 ( y k + 1 - Cx͂ k + 1/k ) (25)
{
Cx k + v k k < τ where r k is the bias coefficient matrix; W is the process- x
yk = {
Cx k + v k k < τ
λCx k + v k k ³ τ
(15)
P kb+ 1/k + 1 = ( I - K kb+ 1 H k + 1/k ) P kb+ 1/k
(
b̂ k + 1/k + 1 = b̂ k/k + K kb+ 1 ( y k + 1 - Cx͂ k + 1/k ) - H k + 1/k b̂ k/k )
(29)
(30)
where λ is the scaling factor.
5) Ramp Attack where W b is the bias-noise covariance matrix; and H k + 1/k is
The attacker injects false data that increases with time. the estimation matrix at the k th instant.
Long-lasting sensor faults can be modeled in a similar way. 3) Coupling Terms
{
Cx k + v k k<τ r k = Aξ k/k + F (31)
yk = (16) ξ k + 1/k = r k P k/k
b
P kb+-1/k
1
λCx k + b k k + v k k ³ τ (32)
H k + 1/k = G + Cξ k + 1/k (33)
D. OTS-KF
Consider a linear invariant discrete system of the form: ξ k + 1/k + 1 = ξ k + 1/k - K͂ x
k+1 H k + 1/k (34)
x k + 1 = Ax k + Bu k + Fb k + w k (17) H k + 1/k + 1 = G + Cξ k + 1/k + 1 (35)
y k = Cx k + Gb k + v k (18)
IV. APPLICATION OF OTS-KF IN BIAS/CYBER-ATTACK
where F and G are matrices of suitable dimensions. An OTS-
KF is proposed by Daroach and Keller. The filter has two DETECTION
major functions: one is to estimate the states of the system
A. With Load Measurement
under bias/cyber-attack-free condition, and the second is to
estimate the bias/cyber-attack. This filter is an extension to The dynamics of AGC in the absence of outliers are given
the Kalman filter where state estimation and cyber-attack es‐ in (10) and (11). Figure 2 depicts the two-area power system
timations run in parallel. Similar to the Kalman filter, OTS- model with potential cyber-attack points.
KF includes the basic steps of initialization: prediction and Three possible cyber-attacks are considered: ① cyber-at‐
updating. The processes of OTS-KF state estimation and bi‐ tack on frequency measurement in area 1; ② cyber-attack
as estimation are as follows: on frequency measurement in area 2; ③ cyber-attack on tie-
line power measurement.
x̂ k + 1/k + 1 = x͂ k + 1/k + 1 + ξ k + 1/k + 1 b̂ k + 1/k + 1 (19)
The dynamics of AGC are modified by including above-
P kx + 1/k + 1 = P͂ kx + 1/k + 1 + ξ k + 1/k + 1 P kb+ 1/k + 1 ξ kT+ 1/k + 1 (20) mentioned cyber-attacks as given in (36) and (37).
where x̂ k + 1/k + 1 is the estimated state vector; x͂ k + 1/k + 1 is the cy‐ AĊ E 1 = -K I1 B 1 Df 1 - K I1 DP 12 - K I1 B 1 b 1 - K I1 b 3 (36)
ber-attack-free estimated state vector; b̂ k + 1/k + 1 is the estimated AĊ E 2 = -K I2 B 2 Df 2 + K I2 DP 12 - K I2 B 2 b 2 - K I2 b 3 (37)
bias/attack vector; P kx + 1/k + 1 is the estimated error covariance
matrix of x̂ k + 1/k + 1; P͂ kx + 1/k + 1 is the estimated error covariance where b 1 and b 2 are the biases/cyber-attacks in frequency
matrix of x͂ k + 1/k + 1; P kb+ 1/k + 1 is the estimated error covariance measurement in areas 1 and 2, respectively; and b 3 is the bi‐
matrix of b̂ k + 1/k + 1; and ξ k + 1/k + 1 is the result matrix of cou‐ as/cyber-attack in tie-line power measurement.
pling. The subscript k + 1/k + 1 indicates the updated value at The state-space representation in (10) and (11) is modified
the (k + 1)th instant. accordingly as:
1) Bias/Cyber-attack-free Estimation ẋ = A o x + B o u + F o b + w (38)
x͂ k + 1/k = Ax͂ k/k + Bu k + r k b̂ k/k - ξ k + 1/k b̂ k/k (21) y = Cx + G o b + v (39)
54 JOURNAL OF MODERN POWER SYSTEMS AND CLEAN ENERGY, VOL. 10, NO. 1, January 2022
ë û ë û
eters used for simulation are given in Appendix A.
and b̂ 0 are the states, biases, and their estimated values, respective-
A. With Load Measurement
ly; and E is the expected value
while k > 0 1) FDI Attack
2 Predict the states and bias/cyber-attack using (21) and (26) To evaluate the performance of the proposed filter, we de‐
3 Calculate the gains using (23) and (28) and the coupling terms using velop a random cyber-attack signal, which is a combination
(31)-(35) of step and ramp signals added to the tie-line power devia‐
4 Update the states and bias/cyber-attack signals using (25) and (30) tions. Figure 3 depicts the actual and estimated cyber-attack
k=k+1 signals with random FDI using the OTS-KF.
end while 2) DoS Attack
5 Display states and cyber-attack signals For cyber-attack generation, we assume that the communi‐
cation channel is blocked from 1 s to 10 s, and the central‐
ized monitoring and control unit has no idea of actual mea‐
B. Without Load Measurement surements. DoS attack can be viewed as an FDI attack with
The load connected to the power system is stochastic and the bias signal as the inverse of the missing signal. The actu‐
continuously varies with time. With the injection of stochas‐ al and estimated tie-line power deviations are illustrated in
tic renewable energy into the power system, the net demand Fig. 4.
TUMMALA et al.: A TWO-STAGE KALMAN FILTER FOR CYBER-ATTACK DETECTION IN AUTOMATIC GENERATION CONTROL SYSTEM 55
TABLE I
6
m
10 3 4 5
al
1 2
Time (s)
Cyber-attack signal or
0.20
0
-0.005 0
6
5 30
-0.010 Sig 4 3 20
nal
num 2 1 10 (s)
-0.015 ber 0 Time
-0.020
Fig. 6. Actual and estimated cyber-attack signals and load changes.
-0.025
0 5 10 15 20 25
Time (s) 2) Three-area Power System
Fig. 4. Actual and estimated tie-line power deviations. Now the proposed filter is validated on a three-area power
system model [28] assuming that the tie-line measurements
3) DRA are prone to cyber-attacks. We have considered six operation
To generate this cyber-attack signal, we have simulated scenarios:
the system for a step change of 0.15 p.u. load demand, and 1) Scenario 1: FDI on tie-line with constant load change
the frequency measurements are saved into the workspace. in area 1.
The saved frequency variations are injected as a cyber-attack 2) Scenario 2: FDI on tie-line with continuous load
signal under a non-load condition. The actual and estimated change in area 1.
DRA signals are shown in Fig. 5. 3) Scenario 3: tie-line power deviations scaled to 1.2
times the actual value.
4) Scenario 4: ramp attack on tie-line power deviations.
5) Scenario 5: multiple attacks on the tie-line power devia‐
signal (10-3 p.u.)
5
Cyber-attack
tions.
0
6) Scenario 6: multiple load changes with random FDI at‐
-5
tack on tie-line power measurements.
-10
3 The simulated results for the first two scenarios are depict‐
Estimated 30
Sig 20 ed in Fig. 7. The tie-line power deviations with and without
nal 2 Actual
num 10
e (s) cyber-attack as well as the estimated tie-line power deviation
ber 1 0 Tim with the proposed method for scenario 3 are shown in Fig. 8.
Fig. 5. Actual and estimated DRA signals.
signal (10-3 p.u.)
10 0.05
Load change
Cyber-attack
5
1) Two-area Power System 0.03
The modern power system is a combination of convention‐ 0.02
0 5 10 15 20 25 0 5 10 15 20 25
al energy systems and renewable energy systems. As renew‐ Time (s) Time (s)
able energy systems are stochastic, the net demand affecting (a) (b)
the frequency variation on each area at every instant is sel‐
signal (10-3 p.u.)
10 0.10
Load change
Cyber-attack
Δf (Hz)
-0.02
-0.04
It can be observed that except for low values of tie-line -0.06
-0.08
power deviations, the estimated signal tracks the actual sig‐ 0.04
change
nal. Long-lasting sensor failures are quite difficult to detect
(p.u.)
Cyber-attack Load
0.02
and adversely affect the system performance. These faults 0
and ramp attacks are identical in terms of their behaviors. 0.01
The system is simulated with a ramp attack. The estimated
signal
(p.u.)
0
and actual cyber-attack signals with ramp attack are depicted -0.01
in Fig. 9. 0 5 10 15 20 25 30
Time (s)
Area 1; Area 2; Area 3
Cyber-attack signal (10-4 p.u.)
8
Estimated
Actual Fig. 11. System response for scenario 6 including changes in frequency
6
signals, load, and actual and estimated cyber-attack signals.
4
0.01
2
0
0
Δf1 (Hz)
-0.01
-2
5 10 15 20 25 30 35 40
Time (s) -0.02
Without random FDI
With random FDI
Fig. 9. Actual and estimated cyber-attack signals with ramp attack. -0.03
-0.04
The proposed filter is evaluated for multiple attacks. Fig‐ 0 5 10 15 20
Time (s)
ure 10 shows the efficacy of the proposed method. Figure 11
illustrates the frequency deviations in all three areas for a Fig. 12. Frequency deviations with and without random FDI.
random FDI attack with load changes. The actual and esti‐
mated load changes and cyber-attack signal are also shown
Frequency deviation
0
in Fig. 11. Even the cyber-attack signals with small magni‐
(10-3 p.u.)
-15
10 Estimated 8 Estimated 400
Actual Actual 300
8 6
200
Tim
6 4 100
e(
0.03 0.04
0.02
s)
4 2 0 0.01 )
agnitu de (p.u.
Cyber-attack m
2 0
Fig. 13. Influence of cyber-attack signal on frequency deviations.
-2
0 20 40 0 20 40
Time (s) Time (s)
(a) (b) In addition, we have considered a simultaneous load
change in area 1 while the tie-line power deviations in area
Fig. 10. Actual and estimated cyber-attack signals with multiple attacks.
(a) Tie-line 1. (b) Tie-line 2.
4 are subjected to cyber-attacks. In the five-area system,
there are ten unknown inputs, where five represent load
changes and the rest represent the cyber-attack signals. Fig‐
C. Five-area Power System ure 14 shows the load and cyber-attack estimations in five-
The proposed dynamic cyber-attack estimation procedure area power system. The proposed algorithm is superior in de‐
is also applied for the benchmark five-area power system tecting even small load changes, as shown in Fig. 14. Fur‐
model that is widely used in literature for load frequency ther, it can be observed that the operator can easily identify
studies [30], [31]. We have assumed that the tie-line power vulnerable measurements that are attacked in area 4.
TUMMALA et al.: A TWO-STAGE KALMAN FILTER FOR CYBER-ATTACK DETECTION IN AUTOMATIC GENERATION CONTROL SYSTEM 57
| b1b? 1| (10-4)
V=V0
attacks. It improves the frequency stability during the cyber- 1.0 V=10V0
attack. Once the cyber-attack is quantified using the OTS- 0.5
KF, the attack component of the measured signals is re‐
0 5 10 15 20
moved from the vulnerable measured signals. In Fig. 15, it Time (s)
is shown that the proposed OTS-KF can effectively mitigate (a)
x
3 W x=W 0
| b1b? 1| (10-5)
a ramp-down attack. The proposed algorithm could quantify x x
2 W =10W 0
the cyber-attack and could successfully mitigate it within the
1
time constraints of the system. Without it, the chances of the
system getting out of synchronism may increase. 0 5 10 15 20
Time (s)
(b)
Load change
(10-4 p.u.)
20 Estimated Fig. 16. Estimation error in presence of measurement noise covariance and
10 Actual process noise covariance. (a) Actual and unknown measurement noise cova‐
0
6 5 4 riance. (b) Actual and unknown process noise covariance.
400 500
Area n 3 2 1 0 100 200 300 )
umber Time (s Cyber-attack detection, estimation, mitigation, state estima‐
(a)
tion, and load data independence are the main features of the
signal (10-3 p.u.)
Cyber-attack
3
Estimated proposed idea. Cyber-attack detection based on the residual
2
1 Actual function of the unknown input observer is proposed in [10].
0
6 5 4
However, an attacker with adequate system knowledge can
500
Area n 3 2 1 0 100 200 300
400 insert small amounts of bad data and circumvent the detec‐
umber e (s )
Tim tion system. The approach proposed in [19] relies on load
(b)
forecasting data. However, with the increased penetration lev‐
Fig. 14. Load and cyber-attack estimations in five-area power system. (a) els of stochastic renewable energy, there is a huge gap be‐
Load estimation. (b) Cyber-attack estimation. tween planning and dispatch. Since this method is a statisti‐
0.02
cal method, the load forecasting error may severely affect
the performance of the algorithm during a cyber-attack. Cy‐
0
ber-attack estimation based on the unknown input observer
-0.02
After mitigation proposed in [21] has shown consistent performance only in
Δf1
-0.04 Without mitigation the presence of online load data. Nevertheless, in the ab‐
-0.06 Actual sence of load data, this approach must rely on the load fore‐
-0.08
0 10 20 30 40
casting data. Estimation error with load forecasting error in
Time (s) load data may lead to false cyber-attack alarms as illustrated
Fig. 15. Frequency change in area 1 with ramp attack mitigation.
in Fig. 17.
2.5
E. Further Discussion: Filter Sensitivity to Process and 2.0
| b1b? 1| (10-3)