Preventive Dispatch Strategy Against FDIA Induced Overloads in Power Systems With High Wind Penetration

The penetration of renewable energy generations, e.g., wind power, not only introduces the randomness and fluctuations into power system operations but also increases the possibilities of cybersecurity issues. Among them, false data injection attack (FDIA) can access and falsify the readings of smart meters, which would impede the functionalities of power systems. In this paper, we first set up an evaluation model to identify the set of high-risk lines by investigating the relationship between FDIA and wind power uncertainty. Then, for a power system with a high wind penetration, a tri-level preventive dispatch strategy is proposed to ensure the system security even under the worst-case of FDIA. It is demonstrated that the impacts of FDIA can cause more serious security issues as the wind penetration level increases. The effectiveness of the proposed tri-level preventive dispatch strategy in mitigating the FDIA caused overloading risk is validated using the IEEE 118-bus system.


I. INTRODUCTION
With the growing penetration of renewable energy resources, advanced information and control infrastructures, current power systems integrate multi-source electrical networks and multiple information networks [1]- [3]. The rapid increasing penetration of wind power helps significantly alleviate potential energy and environmental crises. The proportion of wind power output reached more than 30% of electricity demand in Iowa and South Dakota in 2016 [4]. In 2018, the total installed capacity of wind power in the world achieved approximately 591.55GW, and China accounted for more than 35% [5]. Furthermore, the Global Wind Energy Council (GWEC) expects that a quarter of the world electricity can be provided by renewable energy in 2035 [6]. Also, the advanced information and communication technologies are widely adopted for enhancing power system efficiency, which inherently induces potential cyber vulnerabilities. Here, this paper aims to address the cybersecurity issues in power systems with high wind penetration.
In recent years, cyber-attacks pose a great threat to the secure operation of power systems, and the recent cyber The associate editor coordinating the review of this manuscript and approving it for publication was Ning Kang . events proved the plausibility of the cyber-attacks against power grids in real life. In 2015, a massive power outage occurred in Ukraine's power grid caused by an automatic malware cyber-attack [7]. In July 2017, a nuclear power plant in the United States was attacked by digital attacks from cyber hackers [8]. Also, cyber-attackers invaded the Irish power grid by breaking the routers and illegally obtaining some communication information from the company in August 2017 [9].
These cyber-attack incidents and the corresponding severe impacts have raised extensive concerns about the emerging cybersecurity threats in smart grids. Great efforts have been committed to research on false data injection attacks (FDIA). The FDIA can distort the meter measurements by injecting a set of predetermined false data in a concealed fashion by bypassing the existing bad data detection (BDD) [10]. The set of contaminated measurements can mislead the decision-making of the control center, which would cause transmission line overloads [11], [12] and even cascading failures [13] in the system. In [11], an optimization model was proposed for determining the worst-case of cyber-overloading attacks. Reference [12] proposed a model to minimize the number of attacked measurements while maintaining transmission line at a high loading level. In [13], a multi-stage screening model was proposed to identify the severe cascading failures. Reference [14] demonstrated that the adversaries with imperfect information can also launch effective false data injection attacks in electricity markets. Moreover, reference [15] revealed that attackers can earn profits from the electricity market by modifying the load and generation distribution. It indicates that wind power and load can be tampered to launch a combination attack, and the uncertainty of wind power would make tampered data more difficult to be detected. Some detection methods considering the spatiotemporal patterns of load and wind power have been studied in [16], [17]. However, these existing approaches only consider the variable wind power as uncertainties while ignoring the potential cyber risks. No corresponding preventive dispatch strategy has been proposed to mitigate the combined risk of FDIA against loads and forecasted wind power data.
The operator uses the forecasted loads and wind power as the input data of the security constraint economic dispatch (SCED) model to obtain the dispatch solution. Then, the accuracy of the forecasted wind power would impact the system security. If the predicted wind power outputs are maliciously modified, the improper decision-making might result in severe power system security issues. It is revealed that wind power can cause system security problems, e.g., line overloads [18], [19]. Recently, reinforcement learning is applied to improve the accuracy of FDIA detection and wind power prediction [20]- [22]. However, these methods fail to reduce the cyber security risk, in which wind power data may be tampered. The predicted wind power data is usually transmitted remotely from the wind farm to the control center in plaintext, while the defense measures during the data transmission process is insufficient. In 2017, researchers at the University of Tulsa conducted penetration tests on five wind farms, and all these wind farms failed to withstand hackers [23].
However, all the existing literature [10]- [19] ignored the factor that wind data could be tampered, and most of them studied the FDIAs and forecasted wind power separately. This is not consistent with the real situation in the power grid, because renewable energy is highly integrated into the power system. In [24], a cyber-security corrective dispatch scheme was proposed to mitigate the line overloads caused by FDIAs while the impact of wind power was not considered. Different from the existing work, this paper aims to investigate the combined risk of FDIA against loads and forecasted wind power data in the power system with high wind penetration (denoted as FDIA-DW) by answering the following questions: 1) Will the risk level of the system be significantly underestimated without considering the FDIA against forecasted wind power? And will the penetration of wind power cover the risk of FDIA? 2) How to adjust the dispatch strategy to mitigate the FDIA caused overloading risks in power systems with high wind power penetration? These questions motivate us to propose an evaluation model and develop a preventive dispatch strategy as effective countermeasures. Noting that the focus of this paper is not to study the FDIA attack and then the attack mechanism of an FDIA is the same as that in the existing literature. The main contributions of this paper are summarized as follows: 1. We take the first attempt to analyze the risk of wind power be tampered, and investigate the risk of FDIA-DW in the system with high wind penetration by formulating an evaluation model of line overloads.
2. We demonstrate that the relationship between the FDIA-DW and the penetration level of wind power is not a simple linear one, and show that the high integration of wind power could cover the risk of FDIA.
3. We propose a tri-level preventive dispatch for mitigating the FDIA-DW caused transmission line overloads with considering the worst-case. A Benders-like decomposition method is proposed to solve the tri-level model. 4. We demonstrate that the proposed preventive strategy can effectively eliminate the line overloading risk by determining a cost-efficient strategy.

II. EVALUATION MODEL OF THE RISK OF FDIA
In this section, we first study the mechanism of FDIA-DW induced overloads. Then, we formulate a linear programming model to evaluate the risk of line overloads.

A. PRINCIPLE OF FDIA-DW INDUCED OVERLOADS
The dispatch strategy (such as thermal power output P g and wind power P w ) is usually determined by the SCED model. In Fig.1, in the absence of cyber-attacks, the power flow F is calculated based on the predicted wind power P w and load data D, and the power flow F also satisfies the system security constraints. However, the predicted data of wind power outputs and loads may be tampered by attackers. In such circumstances, the power flow F will be modified and the security constraints might be violated. In Fig.1, the power flow F (red font) represents the false power flow due to the false data injections of P w and D.
On one hand, the load data D can be maliciously modified. Liu et al. [11] first studied the principle of FDIA and revealed that an attacker can construct an attacking vector that can avoid being detected by the state estimator. The false data induces the control center to make the incorrect dispatch strategy that causes severe line overloads. To bypass the BDD, the attacking vector is usually limited to a certain range and designed as a vector with a sum of zero [24], stated as: Constraint (1.1) ensures the power balance in the system, and constraint (1.2) limits the attacked level for each measurement. A larger value of ε represents a more serious attack.
In the presence of attacking vector D, the original power flow will be modified and rewritten as: where F r represents the line flow limit vector. Since the true load vector is D, and the true line flow F 0 is: Introducing (1.5) to (1.3), there is: By introducing (1.6) to (1.4), we have: In (1.7), the upper and lower bounds of the true power flows can exceed the line flow limit vector F r due to the false data SF · KD · D. This implies that the attacker can construct the attacking vector D to cause the target lines to be physical overloads.
On the other hand, due to the proliferation of wind power in power systems, the prediction errors may also cause some line overloads [18], [19]. Moreover, the predicted wind power data might be tampered due to the insufficient cybersecurity defense resources in current wind farms. Besides, the tampered wind data are difficult to be detected because of the strong stochastic and variable nature of wind power. The variation of wind power in 10 minutes can reach 20% in 2009, which provides natural coverage to the injected false data of the predicted wind power [25], [26].
However, the existing FDIA studies failed to consider the data attacks targeting the forecasted wind power P w , and the cyber risk might be underestimated. Here, we will investigate the cyber risk of a power system with high wind penetration by considering the FDIA targeting loads and predicted wind power data. Fig.2 illustrates the principle of the FDIA-DW induced line overloads.
Based on (1.3), assuming that there is another attacking vector P w injected into the predicted wind power, the true line flow F 0 is stated as: Accordingly, constraint (1.7) is rewritten as: 2) indicates that the true power flow vector F 0 could exceed the line flow limit vector F r due to the false data SF · KD · D and SF · KP · P w . The FDIA will cause more serious line overloads in the power grid when the attacks against wind power data are considered. The FDIA-DW caused overloading level will be analyzed by construing the corresponding evaluation model in the next subsection.

B. EVALUATION MODEL OF LINE OVERLOADS
Normally, in an FDIA, the meter reading of a thermal generator cannot be easily falsified due to the strong communication between the control center and power plants. But the predicted wind power value can be injected by false data P w . Specifically, stealthy adversaries can elaborately construct the false data combining P w with D for deteriorating power system security.
This motivates us to think about the following questions: 1) Can the FDIA-DW cause more serious security problems, and if so, how to evaluate the corresponding impacts? 2) What is the deep relationship between an FDIA and wind power uncertainty? 3) Will does a higher wind power integration aggravate the FDIA impacts on system security? To answer these questions comprehensively, we formulate a linear programming model to assess the risk of line overloads caused by the FDIA-DW, which are stated as follows: where the values ofP g ,P w andD are calculated using the traditional SCED model. The objective (3.1) represents the maximum overloading level for each line in the system caused by the FDIA-DW. Constraint (3.2) ensures the system power balance under FDIAs, and constraints (3.3) and (3.4) limit the attacked range of loads and wind power. Equation (3.5) represents the true power flow on each line. Here, the parameters ε and δ represent the attacking magnitude for loads and predicted wind power, which will be discussed in Section V. Normally, a high accuracy wind power forecasting corresponds to a small value of δ, and a low accuracy wind power forecasting corresponds to a larger value of δ. This is because if the prediction accuracy of wind power is low, P w is more likely to be mistaken as caused by the prediction error of wind power, rather than malicious tampering by the attacker. On the other hand, if the value of δ is equal to 0, the constraints (3.2), (3.3) and (3.4) will become the traditional FDIA constraints (3.2) and (3.3). In this situation, this evaluation model can calculate the maximum overloading level for each line caused by the traditional FDIA, which will be used as a benchmark to compare the risks caused by FDIA-DW in Section V.
Based on the evaluation model, we can determine the maximum overloading level in the worst-case of FDIA-DW. Also, we can analyze the deep relationship between the cyber risk and wind power penetration level, as presented in Section V. In the next section, we will discuss how to adjust the dispatch strategy for mitigating the security problems.

III. MATHEMATICAL FORMULATION OF THE PREVENTIVE DISPATCH MODEL
In this section, we will first study the principle of the preventive dispatch strategy. Then, a tri-level optimization model is formulated in subsection B for effectively mitigating the FDIA-DW caused line overloads.

A. THE PRINCIPLE OF THE PREVENTIVE DISPATCH STRATEGY
To address line overloads caused by the FDIA, a preventive dispatch strategy is proposed in this paper, whose principle is discussed below.
The proposed preventive dispatch strategy employs the corrective action, which offers a cost-efficient strategy for mitigating the risk of potential FDIA-DW. In Fig.3, S0, S0', and S1 represent the base case, preventive case, and cyber case, respectively, where the operating states X0, X0 , and X1 represent the corresponding optimal operation status of each case. The arrows describe the corrective action, which represent post-contingency control adjustments for eliminating controllable contingencies. The principle of the proposed preventive dispatch strategy is illustrated in Fig.3. In normal conditions, the power system operates on the optimal state X0 determined by the SCED model. If the power system is attacked by an FDIA-DW, the system fails to shift from states X0 to X1 because some security constraints would be violated. Therefore, the proposed preventive dispatch strategy is applied to find a sub-optimal state X0 , which can ensure that the system can be successfully transferred to state X1 while satisfying the security constraints even when the worst-case attack scenario occurs. Then, the risk of line overloads caused by the FDIA-DW is mitigated effectively. Here, the generator ramping constraint should be satisfied from state X0 to state X1, which is stated as: where P X0 g and P X1 g represent the generations under states X0 and X1, respectively, and R g represents the ramping limit vector of generators.
According to the mechanism of the preventive dispatch strategy, we can formulate a tri-level optimization model to mitigate line overloads caused by the FDIA-DW. Fig.4 shows the relationships between each level.
Upper: The upper level determines the proposed preventive dispatch strategy (P g , P c g , and P w ) for the system with high wind penetration. Then, the values of P c g and P w are transferred to the middle and lower levels. Mid: In the middle level, the worst-case scenario of the FDIA is identified to maximize the overloading level. The values of D, P w in the worst-scenario will be delivered to the lower level. Lower: The lower level calculates the true line power flow based on P c g and D, P w determined by the upper and middle levels. The obtained maximum overloading level u will be sent to the upper level for updating the preventive dispatch strategy.

B. FORMULATION OF TRI-LEVEL MODEL
The mathematical formulation of the proposed preventive dispatch strategy is formed as follows: The generation cost function (5.1) is minimized in the upper level by determining the optimal dispatch strategy under the preventive case. Constraints (5.2) and (5.3) are the power balance equations for two different operating states X0 and X1, as shown in Fig.3. The power flow on each line is determined by (5.4) under the preventive case. Constraint (5.5) represents the generator ramping limit from states X0 to X1. Constraint (5.6) limits the lower and upper bounds of wind power integrated into the power system. Constraints (5.7) and (5.8) limit the bounds of the generation vectors for two different operating states. Constraint (5.9) gives the limitation of the line flow vector under the preventive case. Constraint (5.10) ensures the maximum overloading level u in the system would not beyond the threshold u limit even under the worstcase. Since the purpose of this model is to eliminate high-risk overloading lines in the system, the threshold u limit is set as 1.4 in this paper [27].

2) MID-LEVEL
The objective (5.11) is to maximize the overloading level u by identifying the worst-case scenario of the FDIA-DW. Constraints (5.12) and (5.14) limit the ranges of the attacking vector D and P w , and constraint (5.14) limits the power balance even under the cyber-attack. The values of D and P w are sent to the lower level.

3) LOWER-LEVEL
Based on the values of P c g , P w and D, P w obtained from the upper and middle levels, the true line flow is calculated using (5.16) and (5.17), and the maximum overloading level u is captured in the lower level. Using the proposed tri-level model, we can find an optimal preventive dispatch strategy, which avoids overloading lines even under the worst-case of the FDIA-DW.

IV. SOLUTION METHOD FOR THE TRI-LEVEL MODEL
Here, a Benders-like decomposition method is utilized to solve the proposed tri-level preventive model in subsection A, and the detailed algorithm for solving the optimization problem is presented in subsection B.

A. DECOMPOSITION FORMULATION FOR THE PROPOSED MODEL
For the sake of brevity, the proposed preventive dispatch strategy model can be written as the following compact form: where x and y represent all the variables in the upper and middle levels, respectively. And λ represents the vector of Lagrange multipliers of constraint (6.7). A and G represent the coefficient matrix of variable x in upper and lower levels. E and H represent the coefficient matrix of variable y in middle and lower levels, z represents the variables in the lower level. Based on the duality theory method [24], the middle and lower levels for a givenx can be rewritten as: Then, the primal problem (6) can be relaxed as: (Gx + Hy 1 + z) T λ 1 ≤ u limit (8.3) (Gx + Hy 2 + z) T λ 2 ≤ u limit (8.4) . . .
(Gx + Hy i + z) T λ i ≤ u limit (8.5) where i is the number of Benders-like cuts and 0 ≤ i < K . Next, we study the method for generating the Benders-like cut. Without loss of generality, we can write the general form of the Benders-like cut as: The lower level in the proposed tri-level model is stated as: s.t. 1u ≥ SF · KP · P c g + P w + P w − KD · (D + D) ./F r γ  where ''./'' represents an element-wise division operator, γ and γ are the Lagrange multipliers.
where ''. * '' represents an element-wise product operator, and ϕ = P w ./P w represents the ratio of P w to the wind power vector P w . And P w is delivered from the upper-level at the same iteration. D represents the attacking load vector. Constraint (11) represents the generated Benders-like cut in the proposed preventive model. According to Theorem 2 in [24], we can set γ and γ as binary variables without changing the solution of the tri-level model.
The primal tri-level problem (6) can be solved by iteratively solving the master problem (8) with the Benders-like cuts. First, problem (8) without any cuts is solved, and then problem (7) is solved based on the resultx from problem (8). If the objective value of problem (7) does not satisfy constraint (6.3), a new Benders-like cut will be generated and added into problem (8). The iteration process continues until the objective value of problem (7) is less than the threshold u limit . Note that problems (8) and (7) are linear programming and mixed integer linear programming, which can be directly solved by the CPLEX solver.

B. THE SOLUTION ALGORITHM OF THE TRI-LEVEL MODEL
In Fig.5, the solution algorithm for the proposed tri-level preventive model can be summarized as below:

V. CASE STUDY
In this section, we test the proposed evaluation model and preventive strategy on several IEEE testing systems. All the initial data come from MATPOWER 6.0 [28]. Simulations are carried out on a 3.9GHz personal computer with 8GB of RAM. The algorithm is solved by CPLEX.

A. SIMULATION SETTINGS
In this paper, 20 wind farms are added into the IEEE 118bus system as listed in Table 1. Similar to [29], we add a wind generator every 7 buses for the first 15 wind generators, and add a wind generator every 5 buses for the other 5 wind generators. Based on the widely used piecewise-linear windturbine-power curve [30], the actual wind power outputs of these 20 wind farms are calculated according to 20 different historical wind speed datasets, which are obtained from Algorithm of the Tri-Level Model Step 1: Data initialization. Set the number of iteration i = 0. Initialize the set of Benders-like Cuts as an empty set, CUT = ∅.
Step 2: Solve the problem (8) with set CUT, determine a preventive dispatch strategy, which includes the generation under the preventive-case (P g ), cyber-case (P c g ) and wind power outputs (P w ).
Step 3: Based on the obtained P w in Step 2, construct the worst-scenario of the FDIA ( D and P w ) according to constraints (5.12)-(5.14).
Step 4: Calculate the true line flow under the worst-scenario determined in Step 3 for capturing the maximum per-unit line flow u based on the results of P c g and P w .
Step 5: Check if u ≤ u limit . If not, generate a new Benders-like cut based on constraint (11), and add the new Bender-like cut into set CUT and go to Step 2. If satisfied, the iteration process stops.

different stations in the China Meteorological Information
Center [31]. The parameters of 'cut-in', 'cut-out', and 'maximum output' of method [30] are set as 1.0m/s, 14m/s, and 2.0MW for each wind turbine in this paper. It is assumed that each wind farm has 100 wind turbines and its maximum wind power output is 200MW. In Table 1, the buses of the installed wind farms and the total predicted wind power P r w are given. The total number of loads is set to 5000MW in this paper, which is allocated to each load bus.
As mentioned in Section II.B, based on the ERCOT data [26], the variation of wind speed in 10-min can reach 20% in 2009. Then, the value of δ is set as 25% and the parameter of ε is set as 25% in this paper.

1) CASE 1. OVERLOADING ASSESSMENT
In this case, the evaluation model is used to calculate the maximum line overloading level in the worst-case of FDIA-DW. The simulation results are shown in Table 2 and Fig.6. Column 'R w ' represents the different penetration levels of wind power in the system. And when R w equals 1.0, the wind power is the data listed in Table 1. Columns 'FDIA-D' and 'FDIA-DW' represent the results of the FDIA against only load data (FDIA-D) and the FDIA against loads and wind power (FDIA-DW), respectively. Fig.6 gives the number of overload lines (bars in Fig.6 using the right Y-axis) and the maximum overloading level in the system (fold lines using the left Y-axis) in different cases, and the detailed results are given in Table 2.
In Table 2 and Fig.6, the maximum overloading level '|F l | /F r l ' of the 'FDIA-DW' case is always higher than that of the 'FDIA-D' case, and the total number of overload lines of the 'FDIA-DW' case is also no less than that of the 'FDIA-D' case. When R w is 1.0, there is only line 54 overloaded in the case 'FDIA-D', and the maximum overloading level in case 'FDIA-D' is 1.16. Comparatively, the total overload lines in case 'FDIA-DW' is 8 and the maximum overloading level is 1.66, which are much larger than those in case 'FDIA-D'. Under such a situation, if the operator fails to take into account the combined effects of the FDIA-DW, the overloading risk will be significantly underestimated.
According to [27], when the overloading level of a line is greater than 1.4, this line is likely to be tripped. In Table 2, these lines (whose maximum overloading levels are greater than 1.4) are denoted as high-risk lines that are highlighted in red. In Table 2, the number of high-risk lines of case 'FDIA-DW' is usually larger than that of case 'FDIA-D', especially when R w ranges from 1.0 to 1.5.
The attacker can launch serious FDIAs to increase the risk of cascading failures by overloading some high-risk lines in the system. If we neglect the risk that wind power data might be tampered, the risk of FDIA will be underestimated and some high-risk lines will not be identified, which would make the power system vulnerable to potential FDIAs.
With the increasing wind power penetration level (R w ranges from 1.0 to 1.5), the total number of the overloaded lines and maximum overloading level of case 'FDIA-D' are small. More importantly, the risk of line overloads in case FDIA-D will become less when the high penetration level of wind power increases. This phenomenon implies that the high integration of wind power will cover the risk of FDIA. In other words, the cyber risk of a high-wind-penetrated power system might be small if we only consider the FDIA against load data (i.e., FDIA-D), but the true risk in case FDIA-DW might be very large. In this situation, the cyber risk will be significantly underestimated, which necessitates the consideration of the FDIA against both load and wind power data, i.e., FDIA-DW.
In Table 2 and Fig.6, it is observed that 1) The maximum overloading level does not necessarily increase with the increase of wind power, which implies that the relationship between the FDIA-DW and the penetration level of wind power is not a simple linear one. And the maximum overloading level of all cases always appears when the value of R w is 0.7, which implies that a small FDIA-DW could cause a serious security problem even when wind power penetration is not high. 2) The maximum overloading level usually occurs on line 54, and such phenomenon motivates us to pay attention to a few high-risk lines, which will be discussed in the next case.

2) CASE 2. PREVENTIVE DISPATCH STRATEGY
This case aims to validate the effectiveness of the proposed preventive dispatch strategy in mitigating FDIA caused overloading risks. Here, the values of δ and ε are both set as 25%, and the value of u limit is set as 1.4. Without loss of generality, the power flow limit of line 2 is changed to 500MW.
First, we use the IEEE 118-bus system to test the proposed tri-level preventive model under different R w on this case (case B1). The results of case B1 are shown in Fig.7, and the left Y-axis and right Y-axis represent the total generation costs ($/h) and the total wind power (MW), respectively. The curves of 'C0' and 'CP' in Fig.7 represent the generation costs under the based-case (the upper-level model without constraint (5.10)) and preventive-case (the whole tri-level model). And curves of 'PW' and 'SPW' represent the total wind power P w and the total predicted wind power P r w , and these two lines use the right Y-axis.
In Fig.7, when R w ranges from 0.0 to 0.8, the generation cost (CP) of the preventive-case is nearly the same as the cost (C0) of the based-case. The cost (CP) is much larger than the cost (C0) when R w ranges from 0.9 to 1.5, while the total wind power output PW grows slowly. This implies that the system needs curtail some wind power for ensuring the system security when wind penetration is relatively high. However, this is not the fact what the operator expects, because even though the combined risk of FDIA-DW is eliminated by this preventive dispatch, the cost (CP) of the preventive dispatch is much higher than the cost (C0) of the base-case.
By revisiting the analyses in case A, the maximum overloading level usually occurs on line 54. Does this high-risk line, which is easily overloaded by the FDIA-DW, affect the integration of wind power? This motivates us to establish case B2, in which case the power flow limit of line 54 is increased to 500MW. The results of this case are shown in Fig.8, and the detailed results are given in Table 3.
In Figs.7 and 8, the generation cost (CP) in case B2 is always no larger than that in cases B1. The generation cost (CP) of the preventive-case is nearly the same as the cost (C0) of the based-case for each R w . The total wind power (PW) of the preventive-case is almost equal to the total predicted wind power outputs (SPW), which indicates that the system can guarantee the security of the system under the FDIA-DW while without curtailing too much wind power. Then, we can conclude that line 54 is a key line of the IEEE 118-bus system, which should be strengthened in advance to  ensure a more secure and economical operation of the power system.
In addition, in Table 3, the cost of CP is the same as that of C0 when R w ranges from 0.0 to 1.3. And the cost of CP is slightly higher than the cost of C0 for other values of R w , the largest difference is 390 ($/h) when R w is 1.5. The maximum abandoned wind power is 31.6MW when R w is 1.5, which implies that the system can accommodate wind power effectively. Column 'CUT' denotes the number of the Bender-like cuts (number of iterations) added into the master problem (8), and the largest value of CUT is 5, which means that the proposed decomposition method is capable of obtaining the optimal solution to the tri-level preventive model after a few iterations. It is demonstrated that the proposed tri-level preventive dispatch strategy can ensure the power system security in a cost-efficient fashion.

3) CASE 3. SOLVING TIME
In this section, we further verify the computational efficiency of the proposed preventive dispatch model using an IEEE 300-bus system and an IEEE 2383-bus system. Similar to [29], we add a wind generator every several buses in each system. The results are presented in Table 4, where 'NL' represents the total number of transmission lines of each power system, and 'CUT' and 'TIME' represent the number of the Bender-like cuts (number of iterations) added into the master problem (8) and the total solving time, respectively. For the IEEE 118-bus system, the solving time is only 0.78 seconds, and the CUT is 2. For the IEEE 300-bus system, the solving time is only 3.54 seconds, and the CUT is 4. For the IEEE 2383-bus system, the number of iterations is 1, and the solving time is 136.72 seconds, much less than 15 minutes (i.e., the time scale of SCED). These results demonstrate that the proposed solving method can find the optimal solution by adding a few number of CUTs and feature a high scalability for handling large-scale power systems.

VI. CONCLUSION AND FUTURE WORK
In this paper, we reveal that the FDIA can cause much more serious security problems in the presence of high wind penetration, where the variable wind power would make FDIA more difficult to be detected. Hence, we propose a tri-level preventive dispatch strategy for ensuring the power system security cost-effectively even under the worst-case of the FDIA-DW.
Extensive case studies are presented to validate the effective of the proposed tri-level preventive model in mitigating the FDIA caused line overloading risks. In our future work, a fast screening method will be developed to identify the set of key lines that are strongly related to the overloading risk under the FDIA against both loads and wind power.