Cyber Security in Control of Grid-Tied Power Electronic Converters - Challenges and Vulnerabilities

—Grid-tied power electronic converters are key enabling technologies for interfacing renewable energy sources, energy storage, electrical vehicles, microgrids, and high-voltage dc transmission lines with the electrical power grid. As the number of power converters in modern grids continually increases, their monitoring and coordinated control in a way to support the grid have become topics of increased practical and research interest. In connection with this, latest standards have also deﬁned a mandatory set of control parameters for grid-tied converters, which should be adjustable by a remote entity that sends commands through a communication network. While such a remote control capability allows many new control functions in grid-tied converters, it also renders them vulnerable to cyber-attacks. The aim of this article is ﬁrst to shed light on the portions of the power converter control systems that are vulnerable to cyber-attacks. Next, typical cyber-attacks are overviewed by considering different applications of the grid-tied converters. Further, the impact of different types of cyber-attacks on grid support functions is studied. Finally, this article is concluded with summary and recommendation for further research.

Abstract-Grid-tied power electronic converters are key enabling technologies for interfacing renewable energy sources, energy storage, electrical vehicles, microgrids, and high-voltage dc transmission lines with the electrical power grid.As the number of power converters in modern grids continually increases, their monitoring and coordinated control in a way to support the grid have become topics of increased practical and research interest.In connection with this, latest standards have also defined a mandatory set of control parameters for grid-tied converters, which should be adjustable by a remote entity that sends commands through a communication network.While such a remote control capability allows many new control functions in grid-tied converters, it also renders them vulnerable to cyber-attacks.The aim of this article is first to shed light on the portions of the power converter control systems that are vulnerable to cyber-attacks.Next, typical cyber-attacks are overviewed by considering different applications of the gridtied converters.Further, the impact of different types of cyberattacks on grid support functions is studied.Finally, this article is concluded with summary and recommendation for further research.

I. INTRODUCTION
O NE of the most important global technological goals in this century is to realize carbon-neutral electrical power systems.This will not only reduce the pollution and global warming effects but will also decrease the overall societal dependence on insecure supply of fossil fuels.Large-scale adoption of renewable energy sources (RES) like wind and photovoltaics (PV), energy-storage systems (ESSs), electrical vehicles (EVs), and high-voltage dc (HVDC) transmission systems is seen as crucial initiatives to reach this goal [1].
Grid-tied voltage-source converters (VSCs) play a key role in this scenario, since they serve as the most common The authors are with the Department of Energy Technology, Aalborg University, 9220 Aalborg, Denmark (e-mail: sssa@et.aau.dk;tdr@et.aau.dk;fbl@et.aau.dk).
Color versions of one or more of the figures in this article are available online at https://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/JESTPE.2019.2953480energy-conversion interfaces between these technologies and the electrical power grid [2].It is also worth mentioning that VSCs enable the formation of intelligent microgrids (MGs), which are seen as intermediate aggregation entities that can either operate in the stand-alone mode or facilitate the largescale integration of distributed energy resources in the gridtied mode [3], [4].However, as the number of VSCs in renewable-based power grids increases, their influence on the performance of such grids also becomes more pronounced.
With the grid modernization being carried out swiftly, multiple VSCs are being integrated into the existing utility network to yield grid-supportive services.Further, with the ever-increasing convenience of remote control capabilities using information communication technologies (ICTs), the flexibility of operation and robustness of control of the VSCs have greatly improved.The integration of these facilities has actually led to a plight, which creates a direct tradeoff between efficiency, reliability, and security for a larger interconnected network of VSCs.In fact, such large-scale monitoring using supervisory control and data acquisition (SCADA) makes it highly susceptible to malicious intrusions.Moreover, the reliability factor involved with the deep integration of the communication layers to achieve coordination also plays a vital role in new security concerns.Such threats ranging from thefts and cyber-attacks may result in system shutdown, cascaded failure, damage to the consumer loads, endangered energy market operation, and so on [5].Many cyber accidents of power blackouts in Brazil have been reported in [6], such as the SQL Slammer worm attack, the Stuxnet attack, and various industrial calamities.Furthermore, it has been claimed in the McAfee Report [7] that 80% of the utility companies have undergone at least one denial-of-service (DoS) attacks in their communication network with 85% of units' data infiltrated by an adversary.As the most prominent mode of communication in smart grids is wireless, IT security clients are managing various data protection plans to handle the unreliability of datatransmission systems.However, intelligently modeled cyberattacks with plentiful system information create disparity in securing the electric grid, as they easily bypass the model verification tests [8].It emanates additional vulnerabilities in the smart grid from a control system perspective, albeit the newly IT secure verification methods.Intelligent attacks often target the physical layer to maneuver the system stability as concealed disorder and uncertainties.Accounting a considerable timescale separation of control stages of a VSC under a value of no more than 0.1 s, this mandates the detection of cyber-attacks in a timely manner to avoid unnecessary system casualties.Apart from the said casualties, it also breaches confidentiality and optimality of system operation almost immediately on the one hand.On the other hand, as the penetration of intelligent attacks goes on in a stealth manner, which goes undetected by controltheoretic solutions, the attacker may initiate the attack during slightly alarming conditions to arrange an extreme case of system shutdown.Such cases are brought into perspective, considering planning alternatives and power back-up options.Hence, appropriate design of reliable, resilient, and intelligent control methodologies for VSC needs to be the current focus to tackle such critical security issues.
For the purpose of better understanding of security problems in power electronics-based cyber-physical systems, this article discusses the following.
1) Control and operational challenges faced by the VSCs used in different applications due to cyber-attacks.2) A brief overview of the vulnerabilities in the control and cyber layer of the VSCs (in the grid-connected and standalone modes) is provided.Further, more aspects on how it disorients their operation from the state of normalcy are detailed.3) Directions and viewpoints, especially in the design of resilient control formulation for the VSCs.The rest of this article is organized as follows.Typical structure of a power electronics-based system with a detailed overview on their various roles is presented in Section II.The impact and vulnerability analysis of the control, communication, and physical layer used to handle VSCs are revealed in Section III.Further, the challenges faced due to cyberattacks for different VSC applications are demonstrated using few case studies in Section IV.Finally, the conclusions and recommendations for future research are given in Section V.

II. CYBER-PHYSICAL ARCHITECTURE OF POWER ELECTRONIC CONVERTERS
A typical architecture of an individual ac grid-connected voltage-source-converter system is shown in Fig. 1.The overall power conversion chain consists of several stages, i.e., the input stage, the input-side power-converter stage, the dc voltage stage, the grid-tied VSC stage, the ac grid stage, and the cyber stage.This type of power electronic architecture is most commonly used for interfacing RES like wind and PV [9], ESSs [10], and EV-charging infrastructure with the electric power grid [11].With the aim to improve the resiliency and robustness of the smart grids, it is expected that in the nearfuture individual VSC systems will be interconnected together through communication links into a singular all-inclusive cyber-physical smart grid.The aforementioned control stages are briefly described in the following.

A. Physical Stage
The exemplary input power sources/sinks are located on the far-left-hand side of Fig. 1.Some units in the input stage such as a grid or an ESS can either inject or absorb the electric power.
The power exchange between the input side and the intermediate dc stage is regulated by the input-side converters.These converters process the power exchange between the input stage and the dc voltage stage.Further, the dc stage serves as a power buffer between the input and the ac stage.It can also operate independently of the ac stage, e.g., as a dc microgrid [12].To integrate the sources from the input stage into the grid, the grid-tied VSC serves as an interface between the dc-link stage and the ac electric power grid.
Their output is connected through the interface filter to an ac electrical power grid, an ac microgrid, or standalone ac loads, as shown in Fig. 1.Based on its interconnection with different ac stages, various standards are applicable.For an electric grid, the primary concern lies with the regulation of the grid current with high-power qualitative signatures during transients (voltage sags, swells, and unbalances) [13].Recently, an increasing number grid-ancillary services related to grid voltage and frequency support are also required [13].On the other hand, their performance in an inertia-less autonomous system (e.g., microgrids) is essentially governed using sharing capabilities for active and reactive power, harmonics during steady state as well as transients, and so on.These objectives are met owing to the primary control associated with the abovementioned quantities, which will be discussed later in this article.

B. Cyber Stage
We assume that smart grid as a whole comprises of numerous VSCs described in the previous section.They, together with conventional synchronous generators, jointly regulate the grid, and each of these units is termed an agent for an exemplary portion of a smart grid with interconnected VSCs.
A communication network connects the sensors and the controllers coexisting in the smart grid.Each agent communicates in two ways: 1) to a central controller and 2) among each other in a distributed manner.A pictorial description of both the cyber structures is provided in Fig. 2, where the dotted lines represent the flow of information.Since the control objectives are highly vulnerable to single point-of-failure in a centralized network, as shown in Fig. 2(a), the distributed control philosophy [14] in Fig. 2(b) is prominently used for power electronics-based cyber-physical systems to enhance reliability and scalability.
Every agent has a distributed controller that processes data from the local and neighboring agents, as well as from other remote sites.These data are normally obtained by phasor measurement units (PMUs), which comprise of dynamic-voltage phasors.Communication between the PMUs and the local controllers can be achieved in a centralized fashion, where measurements from all the agents are collected centrally for processing and decision-making.The most prominent method of coordination between agents in the SCADA system is usually employed [15] to alleviate monitoring in smart grid networks.If the number of agents is high, this approach not only requires significant communication resources but also is prone to potential cyber-attacks.Other option, commonly referred to as decentralized control, refers to a scheme where only local measurements are used.While the communication infrastructure is completely avoided here, control capability is limited.As already explained above, a distributed control paradigm introduces flexibility, since the computational resources are uniformly dispersed across the system to achieve coordination.Hence, low-bandwidth communication channels can be employed to achieve the same function.Though it provides an obvious criterion for the assessment of intrusion attempts, vulnerability to cyber-attacks cannot be necessarily guaranteed for coordinated attacks [16], [17].This can be explained owing to the insufficient information present in each node, which does not serve as adequate global information for the detection of cyber-attacks.
Considering the control layer, a brief overview of the control functions of the ac-grid-tied VSCs in accordance with their time scales is presented in Fig. 3.It can also be noted that some control loops in Fig. 3 are depicted next to each other, which indicates that they are operated simultaneously (e.g., active damping and ac current control [18], dc-link voltage control and synchronization [19], or a fault-ride through virtual impedance/admittance control [20]).More discussion on the secure and vulnerable control layers of VSC will be carried out in Section IV after providing a brief theory on cyber security.

C. VSC Roles
VSC roles in renewable-based power systems and microgrids can be divided into three main categories, i.e., gridfeeding, grid-forming, and grid-supporting [21].These roles are discussed in more detail below.

1) Grid-Feeding Unit:
The function of a grid-feeding VSC is to inject a specified amount of current into the grid.Therefore, they can be represented as current sources, as shown in Fig. 4(a).From the implementation point of view, they typically comprise an outer dc voltage control loop, a dedicated synchronization unit, and an inner current control loop with embedded active or passive damping [22].For generating the current reference, outer power controllers can also be used to supplement the dc voltage controller.
2) Grid-Forming Unit: The function of the grid-forming VSCs is to regulate the local voltage.Therefore, it can be represented as an ideal voltage source, as shown in Fig. 4(b).Due to its stiff voltage regulation, this type of units can be considered as a master in the system that defines the local ac grid.Therefore, the grid-forming VSC does not need to have any power-sharing capabilities and dedicated synchronization.From the implementation standpoint, grid-forming VSCs are typically realized by an outer voltage loop and an inner current loop [23].This functionality is typically employed as a basic philosophy in stand-alone applications, such as microgrids [24].
Usually, for paralleled VSCs in stand-alone microgrids, a primary control law is employed for both active and reactive power to align the frequency ω * and voltage references V * , respectively, for synchronization using where ω ref , V ref , and P * and Q * are the global frequency, voltage, active power reference, and reactive power reference, respectively.Moreover, m p , n q , P, and Q denote the active power droop, reactive power droop, measured active power, and reactive power, respectively.
3) Grid-Supporting Unit: As opposed to the first two categories, grid-supporting VSCs involve a broader spectrum of control functionalities, from grid voltage/frequency support, active/reactive power sharing to virtual inertia, and impedance/admittance emulation.

III. IMPACT AND VULNERABILITY ANALYSIS OF CYBER-ATTACKS ON CONTROL OF VSCS A. Cyber Security
With the proliferation of communication technologies, cyber disturbances are becoming a reality.As already witnessed in numerous real-world examples, such disturbances can significantly affect the performance of smart grids.With a fast increase in the penetration of VSC technologies, their impact on the system is reaching a point where the impact of cyber-attacks cannot be ignored.In particular, researchers focused on designing secure control methodologies apart from the traditional encryption-based techniques.In general, spoofing attacks can be caused on sensors and communication links, where the signals are interrupted, quantized, or coerced.To name a few, false data-injection attacks (FDIAs) are caused by the injection of auxiliary signals or changing the content in the measurements reported by the sensors [25].When a similar activity is recognized in the communication links, it is commonly referred to as the man-in-the-middle (MITM) attack [26].Moreover, jamming of signals can also be caused to interrupt the transmission of signals, which is commonly known as the DoS attack [27].These are some of the prominent attacks that have participated in the real-time applications.More details on other critical intrusion approaches, which are the subsets of the abovementioned attacks, can be found in [28].
To familiarize with the said intrusion approaches, cyberattacks can be conducted on sensors, smart meters, and load aggregators in an active distribution network to dismantle system objectives, such as frequency regulation-based ancillary services, voltage stability, power flow management, and so on.Further, any adversarial outbreak into the cyber channels using various techniques, such as jamming the flow of information, altering the communicated measurements, and deactivating cyber link(s), can instill system shutdown.The cautious nature of such attacks depends on various factors such as the degree of system information acquired by the attacker and the ability of the attacker to penetrate into the system particulars.
Accounting the implementation of these control layers in real-time processors, intrusion into the control layer only allows the access to the reference set-points (dc-link voltage and frequency) during run-time instead of the inner control layers.As the inner loops are compiled into the read-only memory (ROM) section of the processor, intrusion into the sensor values cannot dissemble the system operation.However, the system dynamics will vary when the references are changed to trigger the instability or activation of the protection layer.Mathematically, this can be explained using the statespace representation of the i th VSC for ∀i ∈ N, where T with the state parameters denoted by grid voltage, grid current, active power, reactive power, and dc voltage, respectively; and the input consisting of the reference parameters of frequency, dc voltage, active power, reactive power, and inverter voltage for the i th VSC, respectively.Further, } is a null vector, then the system response is unbiased.To detect the presence of cyber-attack elements, a residual signal r : R ≥0 → R P test can be followed.
It is worth notifying that ξ i is not a design parameter, as it completely depends on the intent of the attacker.
Remark 1: The nature and magnitude of the attack signal can be bounded/unbounded, and is completely dependent on the motive of the attacker.However, the design of corrective control measures to ensure a resilient system is always done regardless of the nature of the attack.
To detect attacks using a centralized attack-detection filter based on a modified Luenberger observer, the estimated dynamics of the i th VSC with known initial states x(0) can be given by where xi (t) denotes the estimated states.Further, xi (0) = x i (0) and the output injection matrix , where r is an infinitesimal value.It is intuitive from Fig. 5 that the normal residual test is passed for the violet trajectory, since the residual value remains within the threshold r .Detailed proof can be referred from [8].
Otherwise, it can be concluded that an attack element is present in the i th VSC.As such attacks cause a change in the system response due to altered model, the residual element overshoots out of the shaded circle in Fig. 5 with radius r .Hence, any physical disturbances such as load change, faults, and line outage will always obey Remark II, since the model dynamics will always be unaltered using the unbiased measurements during these disturbances.
On the other hand, the inner control loops are resilient to cyber-attacks as they operate with a tracking objective for each state.It is worth notifying that the inner control loop is resilient to cyber-attacks only when the outer control loop is unattacked, as shown in Fig. 3. Since the secondary control layer exploits communication to alter the references for the outer control loop, any bad data injection into the upper control layer (highlighted with red in Fig. 3) will disorient stability or cause system shutdown.The shutdown is usually caused due to the unintentional activation of over-voltage and over-current protection layers.
Extending this theory for interconnected VSCs, the artificial dynamics created by the attack element can be nullified in (3), only when ( 5 ) holds true.Further, these attacks in the attack set can be categorized as undetectable from the monitors, if and only if x ∈ R N such that ||s I − A|| 0 + ||Cx|| 0 = φ, where || = φ.Such attacks are commonly termed coordinated attacks, since they easily bypass the attack filters in (4).Using (5), it can be extended that the control inputs can be manipulated either in the controller or on the communication link(s) by an external entity.As the cyber and control layers are closely coupled, the susceptibility to cyber-attacks aggravates for an interconnected system of VSCs.With an increase in the attack-vulnerable points, the ancillary support provided by the interconnected VSCs can be easily misled, leading to system collapse.Such consequences eventually cause technoeconomic catastrophes by maligning the electric network with the injection of false data attack vectors into the cyber-physical layer.Hence, a detailed vulnerability analysis on the control of VSCs due to cyber-attacks has been studied in detail in the following section.

B. Vulnerability Analysis of Cyber-Attacks on Control of VSCs 1) Grid-Forming Control for VSCs:
A conventional control structure for the grid-forming VSCs is shown in Fig. 4. As already explained, grid-forming VSCs regulate voltage and frequency locally.To synchronize with other ac sources, the general philosophy is to align primary droop control locally using the available measurements.From a cyber-space perspective, this decentralized arrangement is considerably safe, as it is difficult for the attackers to access the physical layer.Moreover, suitable physical-layer security alternatives, such as beamforming, are commonly used these days [29].However, decentralized control philosophies suffer from an operational point of view in matching the commercial regulatory standards [30].This drawback has been conceived usually by a secondary controller using the information from other VSCs.Referring to the cyber structure from Section II-B, distributed or centralized secondary control architectures can be imposed on the primary control law to compensate for the offsets.However, this leaves a large vulnerable space for the attackers to locate the attacked data either into the sensors, the communication link, or the controller.Below are some of the common methods of intrusion approaches to manipulate each component: 1) Sensors: The sensors' data are usually manipulated by the penetration of the adversary inside the control platform.This penetration can be easily achieved by Trojan Horse [31] to use remote systems as host.The sensor output from the acquisition panel is usually within the signed 15 V.To calibrate it against the actual measurement, acquisition gains using a linear plotting theory is used.The attacker usually attempts on changing the acquisition gains, which creates a bias in the reported measurements.2) Communication Links: The communicated data can be manipulated either inside the controller or in the communication stage involving a router/encoder/decoder.There are several ways in which the transmitted data can be manipulated, such as authorization violation, interruption of transmission of signals, illegitimate opening of information logs, replaying the transmitted information from the past, and so on.3) Controller: As mentioned already, the controller can be illegitimately accessed using Trojan Horse to change the reference input(s) used either in the outer control loop or in the secondary controller for the control of VSCs.2) Grid-Feeding and Supporting Control for VSCs: Gridfeeding control for VSCs is basically employed to inject active and reactive power into the grid-forming units.This philosophy is mostly used in grid-connected applications for integrating RES [3].To ameliorate grid-supportive services, the desired control inputs are added to the overlaying gridforming controller, as shown in Fig. 7.As detailed in the previous section, the reference input v dcref or the sensor v dc is usually vulnerable to cyber-attacks, which allows the attacker to either limit or increase the power flow from VSCs, thereby creating a stability/coordination issue in the network.Moreover, the outputs of the grid-supportive services P gss and Q gss can also be compounded with false data to misinform the controlled units.The vulnerable points of attack in the control of grid-forming and grid-feeding VSCs are summarized in Table I.It is worth notifying that the measurements/references, denoted as x j , are transmitted by other units to the upper-level control responsible either for grid-supportive services or for secondary control objectives.
Using the vulnerable hotspots in control systems for the VSC, the challenges faced due to cyber-attacks in different fields have been studied in detail to project system outage, nonoptimal operation, economic feasibility, instability, consumer discomfort, and so on.

IV. GRID-SUPPORTIVE SERVICES BY MULTIPLE VSCS:
CHALLENGES FROM CYBER-ATTACKS In the previous section, the vulnerable points of cyberattack in the control of VSCs have been briefly discussed.Building upon the said theory for conventionally modeled cyber-attacks, this section will introduce the challenges faced by single/multiple VSCs in different fields due to cyber-attacks to meet the grid-supportive services.It is worth notifying that the reference frequency f * for all the considered cases in this article is equal to 50 Hz.As a consequence, ω * = 314.16rad/s.

TABLE I VULNERABLE POINTS IN CONTROL STAGES OF DIFFERENT VSC TYPES
Moreover, since the focus of this article is based only on evaluating different control principles of VSCs in the presence of cyber-attacks, each attack scenario is carried out considering the system and control parameters from the article(s), which are consistently highlighted in the caption of results of the respective case study.

A. Frequency Response and Wide-Area Damping Control
As introduced before, grid-frequency control can be supported by the VSC local control system.In fact, modern grid codes require converters to stay connected and to continue exchanging the power with the grid under moderate frequency deviations and the rate of change of frequency (ROCOF) [13].Moreover, VSCs must be equipped by static frequency-power droops to adapt to frequency variations continually.The implementation of such static frequency-power droop functions can be done as an outer controller with respect to the virtual impedance loop [32], [33] using where k p is the frequency-power droop.Moreover, ω m , P out , P * , and ω * denote the primary frequency control output, measured active power, active power reference, and reference for grid frequency, respectively.Although it provides reduced frequency nadir, the static frequency-power droop characteristic does not increase the inertia of the system.In this context, virtual inertia emulation controllers have been increasingly proposed as viable substitutes for static droop controllers [34]- [36].It has been shown in [37] that both controllers have identical steady-state performance, but virtual inertia has additional swing-equation-type dynamics that allows reduced ROCOF, as follows: where J , D, and ω g are the inertia, damping constants, and measured phase-locked loop (PLL) grid frequency, respectively.If these constants are set to zero, (7) becomes equivalent to (6).An exemplary implementation of the virtual inertia emulator in the outer control loop coupled with the filter voltage-controlled VSC in the inner loop is shown in Fig. 8.Moreover, in (7), only local measurements are used to emulate the synthetic inertia.However, it has been shown that improved damping of frequency oscillations can be achieved by supplementing the local control law with measured variables from other locations in the system [38] where u c the supplementary control signal that can be defined as follows: Here, α i is a tunable parameter, while ω is the average frequency in a given cluster of VSCs that can be computed either in a centralized or in a distributed way.In this way, the ancillary features provided by the networked VSCs can be an asset to the management and stability of power networks.A brief overview on the impact of cyber-attacks on ancillary services is provided in Fig. 9. Owing to the frequency response from the VSCs, such as EV-charging parks, the increase/decrease in the active power setpoint corresponding to the change in grid frequency (from 50 to 49.5 Hz at t = 0.12 s) can be manipulated by the following FDIAs: 1) controller attack on frequency (ω) and 2) sensor attack on the dc voltage sensor.These FDI attacks are basically carried out using the intrusion approach into the controller [as explained in Section III-B] by adding a dc bias to the sensed measurement v dc via the data acquisition unit or to ω obtained via PLL, thereby manipulating the control theory with illegitimate measurements.It can be seen in Fig. 9 that the virtual inertial response under attacks is subjected to further dip in dc voltages, thereby leading to a decrease in active power generation.Assuming a uniform virtual inertial response-based control strategy for interconnected VSCs, any false data intrusion into frequency/dc voltage contravenes the system objectives to provide grid supportive services and may even lead to instability.

B. Coordinated Voltage and Reactive Power Control
Large-scale integration of RES owing to their intermittent nature often cause violation of voltage-regulatory limits [39].Such violation may lead to disconnection of VSCs and possibly voltage-stability problems [40].Several local voltage control strategies for the VSCs are discussed in [41] and [42].However, an optimal operation is achieved only by tuning the local parameters centrally with a day-ahead prediction of RES and load profile.Moreover, the day-ahead forecasting error could go large leading to uncoordinated control in many cases.To address these issues, robust multistep voltage control mechanisms [43], [44] have been devised to provide reactive power support from VSCs under such scenarios.Basically, these control mechanisms for local reactive power support operate to minimize tap changes of an on-load tap changer (OLTC) based on the minimum and maximum voltage setpoints.Another primary goal is to limit the voltage fluctuation inside a narrow band.
The prediction of node voltage in a distribution network considering the sensitivities of voltage with respect to reactive power Q, active power P, and the number of tap changes N p can be done using where P pv is a vector of predicted change in PV power at various PV locations, whereas Q pv and V p are the control variables to arrest the node voltage within the targeted limits.Considering a maximum reactive power limit for each VSC of 0.436 p.u. for voltage ranging between [1, 1.05] p.u., the objective function to maintain the voltages under specified limits using the control variable u can be given by min where R is a diagonal weight matrix to penalize the desired control variable.
A case study is done in Fig. 10 to analyze the steadystate voltage stability when false data are injected into the bus voltage of one of the nodes.An 11-kV U.K. General Distribution System (UKGDS) [45] is employed as the test distribution network to analyze the impact of centralized voltage-regulatory schemes.Since day-ahead PV forecasting may introduce a large error in the case of uncertain events, robust voltage-control mechanisms have been devised to handle these uncertainties.As per the grid code compliance, PV-based VSC systems start providing reactive power as an immediate solution to voltage recovery within the hard bound limits.However, compromised voltage measurements from each node represent a biased depiction of the reactive power requirements.
As shown in Fig. 10(a), when an attack of 0.04 p.u. is injected into the voltage measurement in bus 1175, the reactive power from each VSC increases, which results in an increased average voltage profile as compared with the unattacked scenario in Fig. 10(b) and (d).Under worse circumstances of large false data injected into the system, it may diverge outside the maximum voltage threshold, leading to unnecessary operation of OLTCs.Moreover, it leaves out the available reactive power reserve with interconnected VSCs, which are primarily assigned for voltage support as per grid-code compliance.On the other hand, a coordinated set of attack can also be modeled, which passes bad data detection test, such that the network operator is unaware of the presence of any attack elements.These attacks may reduce the optimal efficiency of the distribution system, leading to overutilization of back-up resources.

C. Optimal Energy Management
Energy management system (EMS) is an effective mechanism to handle the generation profiles of different sources while attaining their economical benefits [46], [47].To date, generation dispatching is usually carried out in a centralized manner to minimize the operational cost using hierarchical stages of optimization including, integer programming [48], artificial intelligence-based techniques [49], and so on.To achieve more flexibility in control under issues such as transmission delay and information failure, distributed controllers with robust performance toward cyber layer imperfections have been preferred in recent times [50].As opposed Fig. 10.Impact on UKGDS {test system can be found in [45]} due to false data injection on bus voltages in bus 1175 [43], [44].to longer time scales with static demand input in the centralized scheme, distributed dispatching allows online actions for every load change in real time [51].As a result, it improves the economic profile for optimal utilization of resources.
The active power control in each VSC is augmented with frequency restoration to minimize the generation cost for economic operation.To this end, we consider the general quadratic cost function for each DG to provide the operational cost, given by where a i , b i , and c i are the cost coefficients of the i th VSC.Following the generation-demand balance equality constraint, the objective of optimal load sharing is to minimize the total cost of all DGs using min C(P) s.t.
where P D , P min i , and P min i denote the total demand in the microgrid, and the minimum and maximum active power for the i th DG, respectively.Further, (13) can be solved using its associated Lagrange function as where λ i is the Lagrangian operator.Differentiating (15) with respect to P i using the first-order optimality condition, we obtain the incremental cost as To minimize the total generation cost subject to the equality constraints, it is required that the incremental cost of each VSC to be equal [52], which is carried out using a power correction term P i , given by In (17), each agent is represented by a node and a communication digraph through edges using an adjacency matrix A = [a i j ] R N×N .The communication weights are given by where E is an edge connecting two nodes, with x i and x j being the local and neighboring nodes, respectively.The final active power reference for each DG can be designed by adding (17) to P * to achieve the desired optimal response.To increase the generation cost, any adversarial false data in the cooperative ED optimization model are categorized as a data integrity attack (DIA).Such an attack alters the power flows with respect to the optimal solution.Basically, by using the DIA, the local incremental cost λ i is updated in every iteration using where u a λ i is an exogenous attack input in the i th VSC.This can be done by changing the cost parameters in the local VSC using where a i and b i denote the positive quantities, when added to the cost parameters in ( 16) increase the generation cost per unit power and fixed cost, respectively.From the perspective of an adversary, the goal is to increase the generation cost by hacking critical parameters and leading to a reduction in the energy efficiency of the system [53].Such attack vectors will create economic loss for the operator.In the context of a cooperative real-time ED, the final state of convergence ensures unbiased operation inside the constrained optimization space.
To provide with the basic understanding of such attacks, a case study on a microgrid with N = 4 VSCs in Fig. 6 is done using a DIA with an increase in the cost parameters of unit 2. It can be seen that the system states achieve consensus despite the presence of DIA.The realism behind its operation under such attacks is unknown considering a particular agent, since adequate information on the total active power demand is not centrally available.Moreover, it can be seen in Fig. 11(c) that the steady-state value of the incremental cost initially upon attacks is raised by 0.85 $/W at t = 1 s as compared with the normal unattacked scenarios shown in Fig. 11(b) and (d).It clearly suggests that minimization of ( 13) is violated under attacks for the same loading condition.Hence, the abovementioned case study raises serious concerns on detecting and mitigating such attacks in the cooperative microgrid, since the local neighborhood error in (17) converges to zero.As a result, from a technoeconomic perspective, such attacks cause reduction in energy efficiency.

D. Distributed Active Power Sharing in Autonomous Microgrids
Using a setup of N = 4 grid-forming VSCs shown in Fig. 6, a man-in-the-middle (MITM) attack is conducted on ω 2 by injecting an attack element of 8 rad/s into the outgoing communication links from Unit II.Following the cooperative synchronization law in autonomous microgrids [50], frequency restoration and average voltage regulation are the two objectives, which govern stability.Using the active power primary control law for grid-forming VSCs [3], the active power among the DGs is shared equally for the equal active power droop m p .However, due to the injection of false data into ω 2 of 8 rad/s at t = 2.5 s in Fig. 12, the synchrony is disturbed leading to instability.Hence, such attacks can lead to shutdown of small stand-alone powerhouses such as microgrids, thereby affecting its operation.

E. Cyber-Attack in VSC-Based HVDC Stations
With the increasing demand, the evolution of microgrids is surfacing to facilitate the integration of RES.However, power extraction from RES depends on a lot of suitable socioenvironmental factors, such as temperature, area of installation, wind, and so on.Under implausible circumstances, transmission of power has been made possible using HVDC by means of twolevel VSCs.More details on the multipolar and multilevel topologies of VSCs used for HVDC transmission can be found in [54].As compared with the line-commutated HVDC solution [55], VSC-HVDC provides many features such as independent control of active and reactive power with black start capability.The control philosophy of VSC-HVDC is quite commonly a set of grid-feeding VSCs with one station following P − Q control, whereas the other station with dc voltage regulation.
To demonstrate the impact of cyber-attacks in 200 MVA, ± 100-kV VSC-based HVDC, an FDI attack is injected into the dc voltage sensor in station II at t = 0.85 s in Fig. 13.As soon as the attack is initiated, dc voltage drops to 0.9 p.u., which creates oscillatory instability for the same droop value.Hence, such attacks raise critical concerns of stability.More-  over, it could lead to the activation of protection devices installed in both HVDC stations.

F. Impact of Cyber-Attack on Wind Farms 1) Role of STATCOM:
As potentially large installations of VSCs in grid-tied applications include wind farm, many robust and reliable control strategies have been designed to extract maximum output [56].However, traditional wind farms with squirrel-cage induction generators (SCIGs), where its stator is directly connected to the grid, need large capacitor banks for reactive power to be absorbed by the IGs.If the reactive power requirement increases, it is withdrawn from the grid.Since the wind farms are usually connected to a 25-kV distribution network, excess withdrawal of reactive power deteriorates the voltage profile.To prevent this, static compensators (STATCOMs) are usually connected at the PCC to provide reactive power support to the wind farm [57].
To exploit the underutilization of STATCOM, a false data injection attack is initiated in the ac voltage sensor at t = 12 s, as shown in Fig. 14.As ac voltage measurement reports a false bias as an undervoltage scenario, reactive power injection from the grid increases.As a result, the STATCOM with 3% droop setting starts absorbing the reactive power.Moreover with an L-G fault on the line at t = 15 s, the peak reactive power demand from STATCOM under normal and attacked conditions varies as a matter of grid code for fault ride through the capability of every grid-connected unit [58].
2) Role of Grid Side Converter in DFIG: With enhanced control flexibility, the DFIG technology allows extracting maximum energy from the wind for low speeds by optimizing the turbine speed while regulating the mechanical stress on the turbine.Moreover, the active power capacity is also increased by 40% as a virtue of the ac/dc/ac bridge using two back-to-back VSCs [59].The function of the rotorside converter (RSC) is to extract maximum power from the  IG based on the power-tip speed ratio graph [60].Following this stage, the grid-side converter (GSC) regulates the dc voltage to wheel the power from the RSC into the grid.
Using the predefined set of vulnerable points in Table I, the dc voltage sensor is attacked with a large value of 400 V at t = 10 s in Fig. 15.As the dc voltage reaches 1600 V, it ultimately affects the control dynamics in the GSC, which leads to tripping owing to the overvoltage threshold.Hence, simpler attacks on the outer layer control loop can lead to shutdown or tripping of a large renewable generating unit, thereby challenging the reliability of operation.

G. Cyber-Attack in Home Management System
With increased utility tariff rates, a battery-empowered residential unit is a mandate requirement for grid-supporting units to enhance reliability under grid outage scenarios.Hence, proper power management using batteries is usually monitored and controlled by a centralized home energy management system (HEMS) [61].The battery is basically connected as an auxiliary source, which is programed to charge when there is surplus power from PV or discharge when there is excess load.This greatly reduces the power utilization from the grid to deliver monetary benefits to the community.However, intrusion into the active generation profile of any source/load may disorient the control objective.This has been briefly shown in Fig. 16, where the load profile is manipulated using an MITM attack.With the initialization of the attack, the battery stops responding to the surplus/deficient power locally.As a result, the grid power profile changes accordingly leading to nonoptimal solution.

H. Voltage Regulation by DSTATCOM
To manifest practical scenarios of cyber-attacks in power electronics-based systems, a real-time simulation is carried out in an OPAL-RT simulator OP5600 to demonstrate how cyber-attacks on ac voltage measurement disorient the voltage regulation control action by a DSTATCOM (distribution static compensator), as shown in Fig. 17 [62].Fig. 18 shows the conceptual diagram of the real-time simulation process, where the RT-LAB software is used as the interface between the MATLAB and the real-time OPAL-RT simulator.The MATLAB/SimPowerSystems model is loaded on to OPAL-RT through the RT-LAB, and the real-time data are obtained conversely.To reduce the computational burden for each core, the model is split into three subsystems, i.e., a subsystem comprising of the physical layer (power unit), a subsystem comprising of a control layer for the real-time simulation, and further a subsystem including console units to display realtime measurements.As shown in Fig. 18, the cyber-attack is conducted on the control unit, which affects the system operation.In this way, an adversary can potentially penetrate into the host control unit to alter the actual controller by injecting false data and disregard the normal operation.As shown in Fig. 17, a DSTATCOM is used to regulate voltage on an 11-kV distribution feeder connected to unbalanced and reactive power loads by either absorbing or generating reactive power.The DSTATCOM is programed to provide reactive power support to regulate voltage when it increases/decreases by ± 6%.When simulated under real-time environment in Fig. 18, it can be seen that the DSTATCOM responds normally in Fig. 19(a) by absorbing and generating reactive power into the network with decrease and increase in voltage at t = 0.1 and 0.2 s, respectively.However, when an attack element of 0.1 p.u. is introduced into the control system at t = 0.2 s, it can be seen in Fig. 19(b) that the reactive power generated for both cases is considerably different.In fact, when the voltage is restored back to normal at t = 0.3 s, DSTATCOM continues to inject reactive power into the network, which will lead to overvoltage conditions.Further, this attack impedes overutilization of resources, as shown in Fig. 19(c).To counter such attempts, the conventional stateestimation technique is exploited using (3)-(4) to extract the residual element, thereby indicating a significant change in the model parameters to confirm the presence of an attack.This has been clearly shown in Fig. 19(d), where the residual element goes out of bounds r to indicate the presence of an attack element in either of the vulnerable points (highlighted in Table I).
Usually, in practical cases, such security mechanisms will be implemented on the top of the existing controller to study the observability.As soon as the presence of attack is confirmed,  the preattack measurement(s) will be held to operate using the last unbiased set-point [63].This is the most simple counthat can be applied to power-electronics systems, which can assure system recovery milliseconds.It should be that the abovementioned criteria are limited to the magnitude of attack with varying performance.to completely remove the attack element from control system, resilient control strategies need to be developed for power electronic systems such that it resilient robust operation to tackle all security concerns in power electronicsbased systems [64], [65].
Finally, to accommodate the basics impact due to all the discussed cyber-attacks, the attack methodologies on difgrid supportive services by VSC-based systems are overviewed in Table II.As evident the system impact and behavior in Table II, a generalized attack detection mitigation strategy needs to be developed to provide a resilient networked control norm.Moreover, system observability needs to be accommodated a cyber-attack resilient control mechanism to alleviate security in the modern electric grid.

V. CONCLUSION AND FUTURE SCOPE OF WORK
In this article, the challenges and vulnerabilities associated with the control of modern grid-tied power converters due to cyber-attacks have been analyzed from the system standpoint.
first, basic local control principles used for VSCs in different fields and applications have been revised.Then, an overview of potential attacks and their impact on interconnected converters have been provided.A detailed tutorial on the vulnerable points in the control and communication layers used for the control of VSC is provided.Using these attack models as a proof of concept, many test cases considering VSCs in various fields, such as DFIG, HVDC, STATCOM, DSTATCOM, and microgrids, are performed to demonstrate the consequences of cyber-attacks.It has been demonstrated that cyber-attacks with minimum sophistication can result in system shutdown, and cause instability and potential damage to the consumer appliances.To address these concerns, attackresilient control strategies need to be devised to mitigate the impact of cyber-attacks on the electrical grid as a future scope of work.The design of resilient strategies requires appropriate understanding of the control and the protection layer.From an ideal point of view, eliminating the communication channel to promote localized control strategies would facilitate the security of the power electronic converters.However, this idea propels as an overstatement from the performance perspective.Hence, it is important to restrict the cyber-physical interactions to a minimum synergy by targeting a manageable tradeoff with system performance.Robust and resilient control strategies using watermarking [66] and model-verification techniques [67] could be an asset to infiltrate such cyber-attacks in real time.Accommodating these view-points, the development of resilient technologies and preparing a line of defense against the cyber-attacks are a new goal to enhance the security and reliability of the dominant power electronic converters in the electric grid.

Fig. 1 .
Fig. 1.Control and physical stages in an individual grid-tied VSC system.

Fig. 3 .
Fig. 3. Conventional control structure for the two-level VSC-secure and vulnerable control layers against cyber-attacks.

Fig. 5 .
Fig. 5. Attack-detection filter law-trajectories outside r denote the presence of cyber-attack.

Fig. 6 .
Fig. 6.Basic V − f control of grid-forming VSCs: black and red dotted lines represent the communication layer and attack elements injected into sensors/communication link, respectively.

Fig. 7 .
Fig. 7. Basic P − Q control of grid-supportive VSCs: black and red dotted lines represent the communication layer and attack elements injected into sensors/communication link, respectively.

Fig. 8 .Fig. 9 .
Fig. 8. Application of a virtual inertia emulator combined with reactive power support in the outer loop.Since these outer loops generate the filter voltage reference v * f αβ , this VSC can be categorized as a unit with filter voltage control.
Fig.10.Impact on UKGDS {test system can be found in[45]} due to false data injection on bus voltages in bus 1175[43],[44].(a) Voltage of each node under attack.(b) Voltage of each node under normal conditions.(c) Reactive power from each VSC under attack.(d) Reactive power from each VSC under normal conditions.

Fig. 11 .
Fig. 11.Comparative evaluation of active power and incremental cost of DGs under no attack and DIA attack [51]-change in cost parameters causes a drift in the convergence of incremental cost λ, causing a nonoptimal operation.(a) Active power of all DGs under attack.(b) Active power of all DGs under normal conditions.(c) Incremental cost of all DGs under attack.(d) Incremental cost of all DGs under normal conditions.

Fig. 12 .
Fig. 12. Cyber-attack on the communication channel of Unit II [50]synchrony among VSCs is disturbed leading to instability.

Fig. 14 .
Fig. 14.Performance of an SCIG-based wind farm under normal conditions and attack: reactive power requirement from the grid increases unnecessarily due to FDIA on ac voltage [57].(a) AC voltage at the PCC.(b) Reactive power demand of each WT.(c) Reactive power from grid.(d) Reactive power from STATCOM.

Fig. 15 .
Fig. 15.Impact of FDIA on the dc voltage sensor in GSC of DFIG [59]: overvoltage protection above 1600-V dc, resulting into tripping.(a) Generated active and reactive power from DFIG.(b) DC voltage and speed.

Fig. 16 .
Fig. 16.Impact of MITM attack in centralized home management system [61]: unnecessary scheduling from grid leading to increased consumer expenses.(a) Active power profile under normal conditions.(b) Active power profile under MITM attack.

Fig. 17 .
Fig. 17.Basic voltage regulatory control mechanism for DSTATCOM in the presence of unbalanced and reactive loads.Red dotted lines represent the attack element into the voltage control layer.

Fig. 18 .
Fig. 18.Real-time setup to demonstrate practical feasibility and impact of cyber-attacks to disregard voltage regulation by DSTATCOM.

Fig. Performance of under
Fig. Performance of under normal conditions and attack: reactive power provided by DSTATCOM increases unnecessarily due to FDIA on ac voltage leading to overutilization of resources [62].(a) PCC voltage and current by DSTATCOM in the absence of attack.(b) Reactive power from DSTATCOM in the presence and absence attack.(c) PCC voltage and current by DSTATCOM the presence of attack.(d) Residual signal to indicate possibility of cyber-attack and normal disturbances [calculated (4)].

TABLE II OVERVIEW
OF CYBER-ATTACKS ON GRID SUPPORTIVE SERVICES BY VSC-BASED SYSTEMS