Cross-Space Risk Assessment of Cyber-Physical Distribution System Under Integrated Attack

This paper investigates the cross-space risk assessment of a cyber-physical distribution system under an integrated attack. Firstly, a hierarchical structure of the cyber-physical distribution network according to IEC 61850 is established, and a deliberate attack scenario with limited adversarial knowledge and a stealth requirement is developed based on a general linear model for state estimation. Then, we formulate two optimization problems to describe the attack implementation and propagation process and obtain the likelihood of attacks, comprising a robust solution and a risk solution, in a fuzzy Bayesian network (BN). On this basis, a physical impact metric is defined as the integrated deviation of system states and measurements, so that the cross-space risk assessment can be performed. Finally, the simulation results of case studies demonstrate that the proposed method is effective and provides a broad and clear view of the cyber-physical distribution system security situation.


I. INTRODUCTION
The distribution network is a critical part of the smart grid which meets the increasing requirements of supply reliability, operational cost-effectiveness and renewable energy consumption by employing advanced information and communication technology (ICT). It is also the core object of the Electric Internet of Things construction. With broad-scale sensing and communication networks, the distribution network has become one of the largest cyber-physical systems. Since the distribution network directly faces users, its importance is self-evident. Unfortunately, with the introduction of intelligent electronic devices (IEDs) and open communication systems, there are conspicuous security risks in the cyber system, and they can be further transmitted across spaces to disrupt the physical system and cause far-reaching impacts [1]. Many real-world events have confirmed this, including the deliberate cyber-attacks on the Ukrainian power grid in 2015 [2], the Israel outage in 2016 [3] as well as the Venezuela blackout in 2019. Consequently, a clear understanding of the security situation of the distribution network is extremely important.
The associate editor coordinating the review of this manuscript and approving it for publication was Bin Zhou .
VOLUME 9, 2021. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Considering the demand for extensive interconnection and intelligent interaction in the future smart grid, the IEC 61850 based distribution automation system (DAS) is believed to be one of the most promising development directions. However, the IEC 61850 standards do not cover corresponding security functions, and hence IEC 62351 is used as a complement responsible for related data and communication security in the power system. But this standard is still far from mature enough to guide large-scale engineering application of the 61850-based smart grid, owing to the following key problems: 1) real-time requirements for security protection; 2) security key distribution and management mechanism; 3) compatibility with the substation configuration language (SCL). Thus, the security risks and threats of the mentioned system mainly come from two aspects. First, unlike a substation operating in an enclosed, physically isolated space, the distribution network covers a wide area and a large number of remote-control devices. Once terminal equipment lacks effective protection, it can easily become a starting point for adversaries to initiate attacks. On the other hand, the IEC 61850 standards stipulate that SV/GOOSE/MMS data packets are transmitted in plaintext, which lacks effective encryption and therefore causes security risks [4]-[6], i.e., i) the messages in the IEC 61850 standards contain many security vulnerabilities, since they focus on solving interoperability between different IEDs and realizing data sharing while not much attention was given to security; ii) the MMS protocol lacks identity authentication and access control mechanisms and uses plaintext for transmission. Related vulnerabilities, e.g., overflow vulnerabilities, can cause equipment to shut down or go offline; iii) SV and GOOSE messages are encoded in ASN.1 without encryption to meet the high requirements for real-time performance, so the data may be tampered with, copied and tapped. With the rapid development of the smart grid, the cybersecurity issues of the IEC 61850 based distribution network will become more prominent and urgent for both academia and industry [7]. Considering the high dependence on the cyber system and the attack paths and targets of adversaries, a cyber-attack on the distribution network is a cross-space behavior. Consequently, the corresponding risk assessment must naturally cross the cyber-physical space. This paper makes it clear that cross-space risk assessment is a process of identifying possible cybersecurity threats and evaluating potential physical loss, which plays a vital role in guiding cyber vulnerability reduction and system resilience enhancement. This paper focuses on establishing an effective and objective cross-space risk assessment method. Generally, quantitative risk assessment is preferred because it can provide an accurate reflection of the system security situation, whereas qualitative methods cannot. The total risk of cyberattacks is defined as the likelihood of attack multiplied by the potential attack impact [8]. Consequently, the research is carried out from these two aspects, i.e., the propagation of cybersecurity risk and impact evaluation. For the former, numerous models have been introduced in recent years, including Bayesian network (BN) [9], Petri net [10], attack tree [11], attack graph [12] and fault tree [13], etc.
However, the shortcomings are also obvious, i.e., i) it is difficult to obtain a large amount of cyberattack prior knowledge due to limited corresponding data; ii) it is hard to capture the time-varying characteristics of components and systems since the models are intrinsically static; iii) the attack scenario setting is relatively simple. Undoubtedly, much effort has been made to address these issues, e.g., reference [14] proposed a fuzzy probability BN for modeling risk propagation to overcome the limitation of historical data. Unfortunately, there is some accuracy loss when mapping from linguistic probability to conditional probability. In [15], a hierarchical Bayesian reliability model was developed to integrate historical data and real-time data for dynamic risk assessment, but it may not be suitable for cyber-physical systems, since the available cyberattack data is insufficient to support the establishment of such a model. Reference [16] defines the cyber-to-physical risk as the physical impact of cyberattacks and presents a cyber-to-physical dynamic risk assessment method with BN and a stochastic hybrid system (SHS) model. However, complex attack scenarios are not considered in this model, and it is assumed that the adversary possesses full knowledge of the system.
As for the impact evaluation, existing research can be essentially divided into two categories. One only focuses on cyber system risk assessment. For example, reference [17] uses complex network statistical features to assess the risk of the smart grid related to cyber network malfunction and latency. Reference [18] develops a cyber-physical security assessment metric for microgrids by integrating all the resiliency-related factors with the Fuzzy Choquet Integral. The other category usually constructs physical impact metrics. Taking reference [19] as an example, it proposes an impact metric by combining the production loss, incidence loss and economic loss from an asset perspective. However, the cyber-physical interaction is ignored, and the same problem also exists in [20] and [21].
To fill the gaps of the above-mentioned methods, this paper presents a novel method with fuzzy BN and system state estimation to quantify the cross-space risk for the IEC 61850 based cyber-physical distribution system. Here, we consider the core links of cyber-physical interaction, i.e., actuators and sensors, to establish a general linear state estimation model for the system. Meanwhile, deliberate attack scenarios are set up, i.e., i) coordinated attacks between actuators and sensors; ii) combined attacks on data integrity and availability. The main contribution is three-fold: 1) This paper proposes a probabilistic indicator to characterize the availability of vulnerabilities and inputs it to the fuzzy BN as the prior probability. We establish an NP-hard problem from the perspective of the adversary which takes two factors into consideration, i.e., i) the limited system knowledge that the adversary possesses; ii) the necessity for attacks to remain stealthy.
2) To quantify the likelihood of attacks, this paper constructs a risk probability interval from the robust and risk solutions by formulating a linear optimization problem with the fuzzy conditional probability table given by experts and scholars. This makes it possible to formulate security strategies more flexibly according to risk preferences.
3) To objectively assess the cross-space risk which is defined as the physical impact of cyberattacks [16], this paper proposes a physical impact metric which calculates and integrates the deviation of system states and measurements with a general linear state estimation model. The marginal effect of the attack is fully revealed which provides a broader and clearer insight of the system security situation.
The rest of this paper is organized as follows. Section II presents the IEC61850-based cyber-physical distribution system model and the integrated attack model with limited adversarial knowledge. Section III proposes the computational methods to describe the implementation and propagation process of attacks in a fuzzy BN. Section IV quantifies the cross-space risk by proposing a physical impact metric which integrates the system states and measurements biases. In Section V, a series of numerical experiments are conducted and further illustrations are presented. Finally, the concluding remarks are given in Section VI.

II. MODELS OF CYBER-PHYSICAL DISTRIBUTION SYSTEM AND INTEGRATED ATTACK
In this section, a hierarchical structure of the cyber-physical distribution network according to IEC 61850 is established and its cybersecurity characteristics are analyzed. Then, a complex attack scenario is considered and modeled. According to the differences in devices and functions, the cyber-physical distribution network can be divided into three layers, i.e., the backbone layer, the access layer and the terminal layer. As shown in Fig. 1, the backbone layer is a pure cyber system, including the master distribution station system, the supervisory control and data acquisition (SCADA) system and the management information system (MIS), etc. The terminal layer is dominated by the distribution primary system, including circuit breakers (CBs), section switches, voltage and current transformers, etc. Note that the terminal layer contains the entire distribution primary system, which includes power sources, loads, primary devices, etc. However, we only point out the nodes of cyber and physical interaction, namely actuators and sensors, for the sake of simplicity. The access layer is the information hub of the entire system, as well as the core part of the interaction between information flow and energy flow. It can realize fault diagnosis, isolation and recovery of the distribution network within the corresponding jurisdiction, and it is the focus of this paper. In order to analyze the system structure of the access layer, i.e., the slave distribution station, in more detail, this paper constructs the corresponding automation system model according to the IEC 61850 modeling method, and further divides the access layer into the process level, bay level and station level. The data exchanged between the process level and the bay level is of two types.
One is the real-time sampling data of voltage and current transformers, which is transmitted from bottom to top through the merging unit (MU); the other is the control data transmitted from top to bottom, e.g., tripping signals and switch positions. These data are transmitted through the SV protocol and the GOOSE protocol, respectively. Data exchanged between bays, e.g., blocking control, is transmitted by the GOOSE protocol or a private protocol. The data exchanged between the bay level and the station level, e.g., protection settings, telemetry, etc., is transmitted through the MMS protocol. Thus, all of the security concerns of the IEC 61850 standards mentioned above are reflected in this model. According to the model proposed in this paper, an attack can be launched from two perspectives. An attack initiated from the top of the model generally constructs fake instructions by modifying the key parameters of the CB or section switch configuration files, causing the above-mentioned devices to mis-operate or fail to operate, so that the distribution network is disrupted. This type of attack can usually be divided into three steps, i.e., 1) using security vulnerabilities of the monitoring host and remote interface to obtain the corresponding control authority; 2) using protocol or message vulnerabilities to penetrate further and reach the related IEDs; 3) interfering with or destroying the normal function of the IEDs so that the controlled physical devices run in an undesirable state and the normal operation of the distribution network is disrupted. On the other hand, if the attack begins with the transformers located at the bottom of the model, it usually makes the real distribution network states invisible to the control center by tampering with and interrupting the sensor data.
Consequently, the issued control command will inevitably deviate from the actual demand which leads to the destruction of the distribution network.

B. DESCRIPTION OF SYSTEM STATE AND INTEGRATED ATTACK MODEL
Although the attack can be performed from different perspectives, the ultimate targets are either actuators or sensors, which are also the crucial nodes of the interaction between the cyber and physical systems. Therefore, to reveal the essential features of cyber-physical interaction and cyberattacks, it is reasonable to establish the attack model and describe the state of the system after being attacked from these two types of devices. First, for simplicity, under the preliminary hypothesis that both the state-transition function and the measurement function are linear, the distribution network state can be described as follows [22], [23]: where $x_t \in \mathbb{R}^n$ represents the system state vector, e.g., voltage magnitudes and phase angles; $f_t \in \mathbb{R}^n$ represents the control vector; $z_t \in \mathbb{R}^m$ represents the measurement vector, including pseudo-measurements, current phasors, etc.; $u_t \in \mathbb{R}^n$ represents the system inputs; $\delta_t \in \mathbb{R}^n$ represents the additional inputs obtained with Holt's linear smoothing method; $A \in \mathbb{R}^{n \times n}$ represents the transition matrix; $B \in \mathbb{R}^{n \times n}$ represents a nonzero diagonal matrix; $H \in \mathbb{R}^{m \times n}$ represents the system model matrix; $\omega_t$ and $\upsilon_t$ are zero-mean Gaussian noise with covariance matrices $W_t$ and $V_t$, respectively. Common attack methods include data integrity attacks and availability attacks. Taking the integrity attack on sensors as the first example, the adversary tries to modify the measurement vector $z$ into $z_{attack\_int}$ by injecting false data $\zeta_z$ (the time subscript is omitted for readability) [24]: Since a successful attack requires the corrupted measurements to remain stealthy to the bad data detection scheme built into the energy management system (EMS), the attack vector $\zeta_z$ should satisfy $\zeta_z = Ha$.
Thus, the measurement vector under integrity attack, $z_{attack\_int}$, can be written as: In practice, data availability attacks, e.g., DoS attacks and jamming attacks, are favored by attackers since they require relatively few resources. Here, we introduce availability attacks on sensors: where $\xi_z \in \{0, 1\}^m$ and $\xi_z(i) = 1$ indicates that measurement $i$ is unavailable. Note that it is reasonable to assume that an availability attack would not trigger alerts in bad data detection, because data loss is common in SCADA systems. Similarly, the attacks on the actuator can be described as: Note that the attack vector $\zeta_x$ satisfies $\zeta_x = Bb$. The attack models for actuator attacks and sensor attacks are similar, but the attack paths are different. Actuator attacks are initiated from top to bottom and directly affect the state of the distribution system through actuator malfunction or refusal to operate. Sensor attacks first affect the system measurement data, and then cause the actuator to malfunction or refuse to operate because the real state of the system cannot be obtained.
Current advanced cyber-attacks have evolved from a single target and attack method toward diversified combinations. In order to get closer to engineering reality, this paper sets up an attack scenario which integrates the attack targets, i.e., actuator and sensor, with the attack methods, i.e., integrity attack and availability attack. The integrated attack model is shown as follows: Eqs. (9) and (10) are built under the natural assumption that the adversary possesses full system knowledge, i.e., the topology of the distribution network, the branch parameters, etc. In other words, the details of the control matrix $B$ and the system matrix $H$ are known to the adversary. However, this is unrealistic in most cases because system data is well protected in the control center. Consequently, we introduce the limited-adversarial-knowledge attack models by coupling part of the system model uncertainty into $B$ and $H$. The integrated attack model is modified as follows: where the modified $B$ and $H$ represent the control matrix and system matrix, respectively, as possessed by an adversary with limited knowledge.

III. CYBERSECURITY RISK PROPAGATION
This section develops the details of the cyberattack implementation and propagation process in cyber-physical distribution network which contains the availability of vulnerabilities and cybersecurity risk propagation.

A. THE AVAILABILITY OF VULNERABILITIES
Here, we define a successful attack, or vulnerability exploitation, as compromising the measurement or control vector without triggering alerts in bad data detection. Therefore, the adversary always faces a trade-off between attack stealth and resource saving. From the perspective of the adversary, the security of the target system can be described as the ratio of the minimum consumption to the maximum consumption of launching a successful attack. The higher this value, the lower the security of the target system and the higher the availability of the corresponding vulnerabilities.
To this end, this paper proposes a metric to quantify the availability of vulnerabilities and inputs it to the fuzzy BN as the prior probability: where $|\cdot|$ represents the number of elements in the attack vectors, which equals the number of elements in either the system state vector or the measurement vector; $\|\cdot\|_0$ represents the number of non-zero elements in the attack vectors; $\chi$ represents the maximum consumption for a successful attack, which is a constant in a given system scenario; $\gamma$ represents the minimum consumption for a successful attack, i.e., the number of elements in the measurement and control vectors that must be corrupted to remain stealthy; $P(Vul)$ represents the availability of vulnerabilities. With limited attack resources and the stealth requirement, $\gamma$ is given by: where $\alpha_{\max}$ and $\beta_{\max}$ represent the maximum attack magnitudes for measurements; the remaining symbols denote the set of attacked measurements, the set of pseudo-measurements which cannot be attacked, and the total attack magnitude, i.e., the total attack resources. The problem is known to be NP-hard, so exact solutions are usually difficult to find. Thus, many heuristic algorithms are used to find approximate solutions, such as simulated annealing, while the optimal greedy algorithm is also often used. In addition, it can be simplified by adding constraints for specific problems. In this paper, the big-M method is applied to transform it as follows:

$$H(l,:)\,a = 0, \quad \text{for all pseudo-measurements } l \quad (34)$$

$$q(i) \in \{0, 1\}, \quad \forall i \in \{1, 2, \cdots, n\} \quad (35)$$

$$r(j) \in \{0, 1\}, \quad \forall j \in \{1, 2, \cdots, m\} \quad (36)$$

$$\xi_x(g) \in \{0, 1\}, \quad \forall g \in \{1, 2, \cdots, n\} \quad (37)$$

$$\xi_z(k) \in \{0, 1\}, \quad \forall k \in \{1, 2, \cdots, m\} \quad (38)$$

where $q(i) = 1$ and $r(j) = 1$ represent the integrity attack on the control and measurement vectors, respectively.

B. CYBERSECURITY RISK PROPAGATION
The BN, which describes variables and their conditional dependencies with a directed acyclic graph, is widely used as a propagation model for cybersecurity risk. Given a set of variables $Y = \{Y_1, Y_2, \cdots, Y_N\}$, which are the Logical Nodes (LNs) [25] in this paper, the joint probability distribution of $Y$ is shown as follows: where $\pi_i$ represents the parent set of $Y_i$; $Y_i$ has two states, i.e., T for attack success and F for attack failure. Note that each LN represents the smallest part of a function that exchanges data and may reside logically in one or more physical devices. An example of LN data exchange for a typical function is shown in Fig. 2, and more details can be found in [25]. As can be seen from Fig. 2, the BN is not directly suitable for cybersecurity risk propagation modeling in the IEC 61850 based cyber-physical distribution system, since the following issues have not been solved, i.e., i) the complexity of exact inference in a BN increases exponentially with the topology of the network; ii) the insufficient accurate prior knowledge about risk propagation cannot support the estimation of the conditional probability table.
Therefore, this paper presents a fuzzy BN to conduct a fuzzy conditional probability. Specifically, it contains the following steps.

1) DETERMINING A GROUP OF LINGUISTIC PROBABILITIES
The set of linguistic probabilities contains words, e.g., high, neutral, low, etc., which imply fuzzy probabilities and can be represented as $S = \{s_1, s_2, \cdots, s_M\}$, $\forall s_m \in [\underline{s}_m, \overline{s}_m]$. In particular, the certainty decreases as the subscript increases.

2) DETERMINING THE DEGREE OF MEMBERSHIP
The degree of membership of $Y_i$ in the $m$-th linguistic probability can be represented as $\phi_{im}(Y_i)$. To obtain the degree of membership, we need to build an expert team of more than 10 people [14] to define the linguistic probabilities for each LN. Thus, the degree of membership for $Y_i$ can be calculated by: where $Num_{s_m}$ represents the number of experts who select linguistic probability $s_m$; $Num_{total}$ represents the total number of experts.

3) OBTAINING THE FUZZY CONDITIONAL PROBABILITY
To avoid the information loss during the procedure of mapping the fuzzy conditional probability to the crisp conditional probability, this paper proposes the following linear optimization model to obtain the upper and lower bounds of the fuzzy conditional probabilities: Consequently, we can obtain the upper and lower bounds of the joint probability with: Here, we define the upper bound of the joint probability as the robust solution, which refers to the most severe result of risk assessment once the physical impact is fixed and for which the highest level of security protection measures should be taken. In addition, the lower bound is defined as the risk solution, which refers to the lightest assessment result and the corresponding protection measures. With the interval of attack likelihood, the system risk can be reflected more comprehensively, and security protection strategies can be formulated more flexibly according to risk preferences.

IV. CROSS-SPACE RISK ASSESSMENT
The quantitative risk is generally assessed as the likelihood of attack multiplied by the potential attack impact [26]. This paper further clarifies that the cross-space risk assessment is the potential impact in physical space under cyberattacks initiated from cyber space, which can be shown as follows: where $P(Y)$ represents the likelihood of cyberattacks; $L(Y)$ represents the potential impact in physical space under cyberattacks.
The system state information and measurements are further applied to conduct optimal control strategies, which means they affect the subsequent operations of the system. Once an attack takes place and succeeds, the system state and measurements are perturbed. Thus, we design an impact metric which is a function of the deviations of these two quantities. First of all, we consider the deviation of the measurements.
where $\hat{z}_{attack}$ represents the estimated measurement vector under an integrated attack; $z$ represents the measurement vector without attack. Generally, for Eq. (2), the estimation results $\hat{x}$ and $\hat{z}$ can be obtained with the weighted least squares (WLS) criterion as follows: The system state vector under the integrated attack, i.e., $x_{attack}$, can be described as follows: Thus, the deviation of the measurement vector can be obtained by substituting Eqs. (52)-(53) into Eq. (49).
Similarly, we can derive the deviation of the system state vector with the above-mentioned method. However, we need to rewrite Eq. (9) first, since the focus is on the control vector: Then, the modified deviation of the system state vector can be developed as follows: Finally, to take physical impacts from both actuators and sensors into consideration, this paper integrates $\psi_z$ and $\psi_x$ through Eq. (2): The expected value of $\varepsilon$ is: Furthermore, we define the physical impact metric as the 2-norm of $E(\varepsilon)$ under the integrated attack: Specifically, with the given information, model and inference, the cross-space risk assessment procedure under integrated cyber-attacks has been summarized and the pseudo-code is presented below.
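As an added illustration of the Section IV procedure (example code written for this page, not the paper's own implementation), the following walks a constructed two-state, four-measurement linear model through WLS estimation, the residual-based bad data test, the sensor integrity attack $\zeta_z = Ha$ and availability mask $\xi_z$ of Section II, the resulting deviations $\psi_x$ and $\psi_z$, and the risk interval obtained from the risk and robust solutions. The combination of the two deviations into a single 2-norm, the likelihood interval [0.3, 0.6], the detection threshold tau and all numeric data are assumptions, since the paper's equations are not reproduced here.

```python
import math
from typing import Dict, List, Optional

Matrix = List[List[float]]
Vector = List[float]


def _solve(A: Matrix, b: Vector) -> Vector:
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting (small dense systems)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            raise ValueError("gain matrix is singular: system is unobservable")
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [mr - f * mc for mr, mc in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]


def matvec(H: Matrix, x: Vector) -> Vector:
    return [sum(h * xi for h, xi in zip(row, x)) for row in H]


def _available(H: Matrix, z: Vector, w: Vector, xi: Optional[List[int]]):
    """Keep only the measurements the availability mask leaves usable (xi[i] = 1 means lost)."""
    keep = [i for i in range(len(z)) if xi is None or xi[i] == 0]
    if len(keep) < len(H[0]):
        raise ValueError("too few measurements left: system is unobservable")
    return [H[i] for i in keep], [z[i] for i in keep], [w[i] for i in keep]


def wls_estimate(H: Matrix, z: Vector, w: Vector, xi: Optional[List[int]] = None) -> Vector:
    """x_hat = (H^T W H)^-1 H^T W z: the WLS criterion of Section IV, over available rows only."""
    Hs, zs, ws = _available(H, z, w, xi)
    n, rows = len(H[0]), range(len(Hs))
    gain = [[sum(ws[k] * Hs[k][i] * Hs[k][j] for k in rows) for j in range(n)] for i in range(n)]
    rhs = [sum(ws[k] * Hs[k][i] * zs[k] for k in rows) for i in range(n)]
    return _solve(gain, rhs)


def bdd_objective(H: Matrix, z: Vector, w: Vector, x_hat: Vector,
                  xi: Optional[List[int]] = None) -> float:
    """Residual-based bad data detection statistic J(x_hat) = sum_i w_i (z_i - H_i x_hat)^2."""
    Hs, zs, ws = _available(H, z, w, xi)
    return sum(wi * (zi - hx) ** 2 for wi, zi, hx in zip(ws, zs, matvec(Hs, x_hat)))


def integrity_attack(H: Matrix, z: Vector, a: Vector) -> Vector:
    """Sensor integrity attack z + zeta_z with zeta_z = H a, the stealth condition of Section II."""
    return [zi + d for zi, d in zip(z, matvec(H, a))]


def assess(H: Matrix, z: Vector, w: Vector, a: Vector, xi: Optional[List[int]],
           p_lower: float, p_upper: float, tau: float) -> Dict[str, object]:
    """One cross-space scenario: BDD outcome, deviations psi_x / psi_z, impact L and risk interval."""
    x_clean = wls_estimate(H, z, w)
    z_attack = integrity_attack(H, z, a)
    x_attack = wls_estimate(H, z_attack, w, xi)
    j_clean = bdd_objective(H, z, w, x_clean)
    j_attack = bdd_objective(H, z_attack, w, x_attack, xi)
    psi_x = [xa - xc for xa, xc in zip(x_attack, x_clean)]        # state deviation
    psi_z = [zh - zc for zh, zc in zip(matvec(H, x_attack), z)]    # estimated-measurement deviation
    # Assumed simplification: L = 2-norm of the stacked deviations; the paper's own
    # combination of psi_x and psi_z through Eq. (2) is not reproduced here.
    impact = math.sqrt(sum(v * v for v in psi_x + psi_z))
    return {
        "j_clean": j_clean, "j_attack": j_attack,
        "alarm_clean": j_clean > tau, "alarm_attack": j_attack > tau,
        "psi_x": psi_x, "psi_z": psi_z, "impact": impact,
        # Risk = likelihood x impact, using the [risk solution, robust solution] interval of Section III
        "risk_interval": (p_lower * impact, p_upper * impact),
    }


# Constructed 2-state, 4-measurement example (not from the paper): z = H x + noise.
H_EX = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0], [1.0, 1.0]]
X_TRUE = [1.0, 0.5]
NOISE = [0.01, -0.02, 0.015, -0.005]
Z_EX = [hx + v for hx, v in zip(matvec(H_EX, X_TRUE), NOISE)]
W_EX = [1.0, 1.0, 1.0, 1.0]

if __name__ == "__main__":
    # Integrity attack a on both states plus measurement 3 made unavailable; P(Y) interval assumed.
    report = assess(H_EX, Z_EX, W_EX, a=[0.2, -0.1], xi=[0, 0, 1, 0],
                    p_lower=0.3, p_upper=0.6, tau=0.01)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The defender's takeaway is visible in the returned values: the residual statistic under the $Ha$ attack equals the clean one, so the residual test raises no alarm while $\psi_x$ and $\psi_z$ are clearly non-zero, which is exactly why the paper scores impact rather than relying on detection alone.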

V. CASE STUDY
In this section, we apply the proposed cross-space risk assessment method to the IEEE 33-node system [27] and validate its effectiveness. The simulations are conducted under the following assumptions: i) the CBs and section switches on a feeder line are controlled by the same slave distribution station, and the control logic of all switch devices is the same; ii) measurements are placed on each bus; iii) buses 4, 9, 14, 19, 23, 26 and 31 are treated as zero-injection buses which possess pseudo-measurements and cannot be attacked. The topology of the test system is shown in Fig. 3. The adversary can obtain the exact system topology, while the line parameters are subject to different degrees of uncertainty.
Here, the slave distribution station 1 is selected as the attack object.

A. THE AVAILABILITY OF VULNERABILITIES
To quantify the availability of vulnerabilities of the IEC 61850 based distribution network under integrated attack, this paper first determines γ with Eqs. (28)-(40); the simulation results are shown in Fig. 4. It can be seen from Fig. 4 that, for a given degree of uncertainty, the availability of vulnerabilities increases with the attack magnitude. For instance, it rises from 0 to 63.08% when the attack magnitude is increased from 0 to 600 under a fixed uncertainty of 0%. Note that the attack magnitude is dimensionless. In addition, no matter how the uncertainty degree changes, the availability of vulnerabilities always has a positive relationship with the attack magnitude, which agrees with intuition and illustrates that the proposed method is effective. Besides, this paper also develops case studies under different degrees of uncertainty. The results show that once the attack magnitude is fixed, the availability of vulnerabilities decreases as the uncertainty grows. In other words, limited system knowledge reduces the adversary's ability to attack. Here, we also find another interesting phenomenon, i.e., there is an obvious turning point in the rise of the availability of vulnerabilities. When the attack magnitude is less than a certain value, the attack effect is relatively poor due to insufficient attack resources, and the availability of vulnerabilities rises slowly.
But once the attack magnitude rises to a certain level, the flexibility of attack resource allocation becomes higher; hence the better the attack effect, the faster the availability of vulnerabilities rises. Moreover, as the uncertainty of the system rises, this turning point continues to move in the direction of increasing attack magnitude. In other words, a higher-magnitude attack is needed to compensate for the impact of uncertainty, i.e., the uncertainty of the system weakens the adversary's ability to attack. Thus, the effectiveness of the proposed method for quantifying the availability of vulnerabilities is further validated.

B. LIKELIHOOD OF ATTACK IN FUZZY BN
With the attack graph given in Section III, this part calculates the likelihood of cyber-attack in the fuzzy BN. Firstly, the full names and symbols of the LNs are shown in TABLE 1. The prior probabilities are obtained as in Part A, i.e., from the availability of vulnerabilities. In addition, this paper summarizes the evaluation results of 12 experts and scholars in the field on the association relationships of LNs in the IEC 61850 based slave distribution station. The fuzzy conditional probabilities are shown in TABLE 2. Note that 0 represents attack failure while 1 represents attack success. Specifically, the fuzzy conditional probabilities are calculated by the optimization model of Eqs. (43)-(46) with the given evaluation results. Then, the robust and risk solutions of the joint probabilities are obtained with Eqs. (47)-(48). The risk probability intervals under different attack magnitudes and system uncertainties are shown in Fig. 5. It can be seen that as the attack magnitude increases, both the robust solution and the risk solution of the attack likelihood show a significant upward trend under a given system uncertainty. Secondly, as the system uncertainty rises, the likelihood of attack gradually develops in a direction that is beneficial to the defender and shows a downward trend. In addition, Fig. 5 shows that the increase of attack resources, reflected in the increase of attack magnitude, significantly enhances attack flexibility and leads to the expansion of the risk probability interval, which is not conducive to the defender's protection decisions. The consistency of the results across multiple simulations shows that the method proposed in this paper to calculate the likelihood of attack based on the fuzzy BN is effective.
Furthermore, for a given attack magnitude, the width of the risk probability interval is negatively correlated with system uncertainty. That is to say, the less system knowledge the adversary possesses, the easier it is for the defender to recognize the security situation of the system. This conclusion is consistent with the aforementioned experimental results, and further proves the effectiveness of the method proposed in this paper.

C. CROSS-SPACE RISK ANALYSIS
To validate the effectiveness of the proposed cross-space risk assessment method and analyze the system security situation, this part calculates the system risk range with Eq. (66) and (48). Firstly, we develop the system cross-space risk assessment under 0% system uncertainty and the result is shown in Fig. 7.
It can be seen from Fig. 7 that the risk of the system increases with the attack magnitude, and the risk range grows as well. The overall system security situation is developing in a direction that is not conducive to defenders. This validates that the proposed method is effective. Specifically, the risk situation of the system can be divided into three stages, i.e., i) when the attack magnitude is between 0 and 240, the system risk rises slowly due to the limited attack resources and the robustness of the system, and the adversary can only cause limited damage to the control and measurement vectors; ii) the system risk rises significantly faster while the attack magnitude is between 240 and 450, which illustrates that the adversary can flexibly allocate attack resources when they are relatively abundant, and the control and measurement vectors are compromised over a large area; iii) the system risk growth slows down when the attack magnitude is greater than 450 due to the marginal effect of the attack, because the control and measurement vectors are already perturbed significantly. It is difficult to increase the system risk further linearly even if the attack magnitude is reinforced.
Moreover, this paper also conducts the system cross-space risk assessment under different system uncertainties, and the results are shown in Fig. 8. The positive correlation between system risk and attack magnitude remains as the system uncertainty changes. At the same time, the risk growth rate is slow at first and then becomes faster, and the turning point moves in the direction of increasing attack magnitude as the uncertainty of the system rises. In summary, the cross-space risk assessment method for the IEC 61850 based cyber-physical distribution system proposed in this paper is effective and can clearly reveal the relationship between system risk and attack resources and their dynamic development trend.

VI. CONCLUSION
This paper establishes a cross-space risk assessment method with fuzzy BN and system state estimation for the IEC 61850 based cyber-physical distribution system, taking the integrated attack and limited adversary knowledge into consideration. The simulation results show that the system cross-space risk is positively correlated with attack magnitude and negatively correlated with system uncertainty, i.e., limited adversary knowledge, and that the proposed method is effective. Furthermore, with the proposed method, the marginal effect of the attack is fully revealed, which provides a broader and clearer perspective to help the defender understand the system security situation. Third, by developing the risk range composed of the robust and risk solutions proposed in this paper, the defender can formulate security strategies more flexibly according to risk preferences. Future work will focus on building a hardware-in-the-loop simulation platform to further verify the effectiveness of the proposed method.
JIE YANG received the B.S. and M.S. degrees in electrical engineering from Central South University, Changsha, China, in 2015 and 2018, respectively. He is currently pursuing the Ph.D. degree with the College of Electrical Engineering, Zhejiang University.
His research interests include smart grid cyber security and smart grid reliability.
YIHAO GUO received the B.S. degree in electrical engineering from Wuhan University, Wuhan, China, in 2017. He is currently pursuing the Ph.D. degree with the College of Electrical Engineering, Zhejiang University, Hangzhou, China.
His research interests include cyber physical power systems and power system operation.
CHUANGXIN GUO (Senior Member, IEEE) received the B.S., M.S., and Ph.D. degrees in electrical engineering from the Huazhong University of Science and Technology, China, in 1992, 1994, and 1997, respectively.
His research interests include integrated energy system optimization and blockchain technology.