Expected Failure Method and Its Analysis for Safety Evaluation in a Cyber-Physical Power System

With the development of communication technology, power and information systems have become deeply coupled, forming the most massive and complex cyber-physical power systems (CPPSs), which introduces certain risks to the safe operation of power systems. In this paper, a CPPS security assessment method based on the expected failure method and considering combined information attacks is proposed. Because modern information systems contain a large number of nodes, enumerating all possible combinations of system failures for evaluation and analysis is unrealistic. By considering the topological relationship of the CPPS and the electrical properties of coupled physical nodes, the idea of first screening information nodes is proposed in this paper to filter the information nodes. The impact of combined information attacks on the expected physical fault handling process is analyzed, and a safety evaluation index for the distribution network is provided. In addition, the proposed method is applied to the IEEE-118 system and compared with previous evaluation methods to verify its effectiveness.


I. INTRODUCTION
With the development of communication technology, the modern power system has gradually evolved into a cyber-physical power system (CPPS) [1], in which the information network and the physical network are deeply integrated. Compared with traditional power systems, modern CPPSs can perceive and analyze the operating status of the power system and have more advantages in optimal power flow distribution, fault handling and recovery, and voltage and load control [2], [3], [4]. However, the deep integration of the power and communication systems also brings new threats to the safe operation of the power system [5], and cyberattacks are one of the main threats facing smart grids. Additionally, cyberattacks against power grid information systems have recently become more frequent, such as the Stuxnet worm attack on the Iranian nuclear power plant network [6], the Ukrainian blackout [7], and the 8·14 blackout in the United States and Canada. The Iranian Stuxnet worm attack was a single cyberattack, i.e., an attack on a single information node, and its impact and scope were relatively small. The power outage in Ukraine was a combined information attack, i.e., a simultaneous launching of different types of network attacks on multiple information nodes, resulting in the paralysis of multiple substations in Ukraine and power outages for hundreds of thousands of people [8]. These two events show that combined information attacks pose a more serious threat to the safe operation of power systems. However, most CPPS research has primarily been aimed at single cyberattacks. Therefore, research on combined information attacks is necessary.
Currently, the expected failure method [9], [10], [11], [12], [13] is usually used in power system stability control and fault screening research in the power field [14]. However, it has fewer applications in the CPPS safety assessment of a distribution network. Reference [13] is based on the expected failure method, starting from the perspective of cyber-physical combined expected failures to evaluate the safety of the CPPS in the distribution network. This method has two flaws. First, the combined fault set is established by enumeration, which considers all the communication paths through which the fault information is uploaded and issued. Since the information nodes in each path are set to fail one by one to construct the cyber-physical combined fault set, the number of enumerated faults increases exponentially as the number of nodes in the network grows. As a result, the efficiency of this evaluation method is greatly affected by the scale of the system. Second, the expected failure type is too limited, since it is simply the failure of a single information node.
However, the real forms of network attacks include false data injection (FDI) attacks [15], denial of service (DoS) attacks [16], and delay attacks [17]. Furthermore, the blackout in Ukraine can be confirmed to have originated from combined information attacks, which have a more serious impact on the power grid. Therefore, the expected failure method in its current form has low applicability to a power grid. Based on the above analysis, a new CPPS security evaluation method for distribution networks is proposed; it is based on the expected failure method and considers combined information attacks. The main contributions of this paper are as follows:
• Critical node identification ideas are applied to expected failure methods. To solve the problem of the low efficiency of enumeration screening, the information nodes to be attacked are screened at the beginning. Based on the topological characteristics of the information node and the electrical characteristics of the coupled physical node, an information node screening algorithm is proposed to filter out the key information nodes, which greatly reduces the number of combined failures that need to be enumerated. In addition, to verify the rationality of the screening method, the traditional betweenness and the classical node deletion sorting methods are used for comparison in simulations.
• More than one type of attack is considered in this paper. In terms of fault types, based on the physical fault isolation process, the situation in which multiple information nodes are simultaneously attacked is considered, and it is assumed that the attack types are DoS and FDI attacks. This method fills the gap in the application of expected failure methods to combined information attacks.
• The approach is more applicable to modern power systems. The traditional failure prediction method lacks the analysis of multi-information physical failures; the proposed method compensates for this defect. After the fault screening algorithm, it is less restricted by the system scale and can be used for the safety assessment of modern complex power systems. The method is applied to the analysis of the IEEE-118 system, and the feasibility and effectiveness of the evaluation method are evaluated.

II. MODELING OF EXPECTED COMBINED ATTACKS
A. CPPS MODELING OF DISTRIBUTION NETWORKS
The structure of a node power network can be represented by G = (V_P, E_P, H_P), where V_P is the set of all nodes in the grid, E_P is the set of transmission lines in the network, and H_P is the grid correlation matrix. A node information network is represented by C = (V_C, E_C, H_C), where V_C is the set of information network nodes, E_C is the set of links and H_C is the correlation matrix of the information network; both networks are bidirectional networks, propagating the flow of energy and information. The connection relationship between nodes in a CPPS network can be represented by an adjacency matrix A.
where a_ij indicates whether there is an edge between nodes i and j; if an edge exists, this value is 1, and it is 0 otherwise. D_{m×n} and I_{n×m} represent the dual network coupling matrices.
Figure 1 shows a structural diagram of the CPPS, in which the information network is divided into a core layer, a transport layer and a monitoring layer. The physical network is composed of various electrical components. The secondary equipment network is directly connected to the grid to monitor the operating status of the power system in real time, upload the grid data to the control center via the transmission network, analyze the status of the power system, and adjust the power system in real time.

B. COMBINED INFORMATION ATTACK MECHANISM
For CPPSs, the main targets of DoS attacks are the transmission nodes and monitoring nodes in the information network. By constantly sending forged data packets, the resources of the information node are exhausted, the information node is paralyzed, and the information flow transmission is blocked. It is assumed that when an information node suffers a DoS attack, the node completely fails [18]. In addition, we assume that the node cannot be repaired. Furthermore, the matrix that denotes the node states after the DoS attack is named Z_DoS.
where Z_ci indicates whether a node has experienced a DoS attack; Z_ci = 1 indicates that node i has been attacked, and Z_ci = 0 indicates that node i is operating normally.
FDI attacks tamper with the monitoring data, which affects the state estimation process of the control center and causes the state estimator to output wrong values to the system operator, which may lead to wrong control decisions [19], [20]. Additionally, it is assumed that the attacker completely controls the information node; that is, the monitoring data or instructions of the node can always be tampered with. The network state matrix Z_FDI after an FDI attack is
where Z_di indicates whether a node has experienced an FDI attack, with Z_di = 2 indicating that node i has been attacked and Z_di = 0 indicating that node i is operating normally.
When a DoS attack targets a communication device, it continuously occupies a large bandwidth for sending fake data packets, which hinders normal data transmission. If the fake data packets contain FDI information, and the dispatch center accepts and trusts the data, one piece of communication equipment is subjected to both DoS and FDI attacks. After a communication device experiences a DoS attack and an FDI attack simultaneously, the network state matrix Z_DF is:
where Z_ei indicates whether the node has experienced both DoS and FDI attacks; Z_ei = 3 indicates that node i has been attacked, and Z_ei = 0 indicates that the node is operating normally. Due to the high security level of control center nodes and the low success rate of malicious attacks against them, this article considers only the situation in which the transmission and monitoring nodes are attacked; that is, DoS and FDI attacks are carried out on multiple information nodes simultaneously.
The network state matrix Z can then be expressed in terms of the node states. Since different types of attacks are assumed to be launched against different nodes, each node is in one of the following states: 1 if node i is attacked by a DoS, 2 if node i is attacked by an FDI, 3 if node i is attacked by both a DoS and an FDI, and 0 if node i is running normally.

III. EVALUATION MODEL ESTABLISHMENT
A. PHYSICAL FAILURE SET CONSTRUCTION
The construction of the physical fault set is based on sequential faults of grid nodes. A fault isolation strategy is developed according to the location of the fault node. As shown in Figure 2, the fault is located on node 3, and the secondary equipment located on nodes 1, 2, 4, and 5 detects the fault information, uploads the data to the information network, and sends an instruction to disconnect the switches of these 4 lines to isolate the fault. In this manner, the physical expected failure set F is established.
where f_pi represents the failure of physical node i.

B. INFORMATION FAILURE SET CONSTRUCTION
1) FIRST SCREENING
When the information network is too complex, using enumeration to traverse all communication paths and record all the nodes in them is very time consuming. Therefore, based on the topological characteristics of information nodes and the electrical characteristics of coupled physical nodes, a calculation formula for the initial screening of information nodes is proposed.
First, based on the CPPS adjacency matrix model of the distribution network, the information side takes the link utilization as the edge weight, and the physical side takes the transmission line impedance as the edge weight. The importance of the physical node I_P(v_i) is
where α(G_p) represents the condensation degree of the physical network, and the condensation degree after node contraction follows [21]. I_P(v_i) is obtained by normalization:
where v_i represents the nodes in the network. Similarly, the normalized importance degree of information network nodes I_C(v_i) can be obtained.
Second, according to the interdependence relationship between the information and physical networks, the dependency adjacency matrix F_{P−C} is constructed to represent the influence of communication on the power grid. Based on dependence theory, the node importance degree is
where u_j represents the dependent edge of communication node i.
At the same time, the rationality of the scheme in this paper is verified by a supplementary comparison scheme based on the PE index. The PE index is used to find key nodes based on the node removal method [22]. The formula of the importance index PE is:
where dE and dP represent the change in network efficiency and the change in load capacity after removing communication node i, respectively. C_o is a normalization coefficient derived from practical experience, C_o = 7.74, so that PE ∈ (0, 1).
The relative importance of each node is obtained by passing the values through the different node-filtering methods, and the information nodes are sorted by their values from large to small. Furthermore, according to the network scale and user requirements, the set C_attack of the information nodes to be attacked is determined.
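As an added illustration of the first-screening idea (not code from the paper), the following Python computes a node-contraction importance for a weighted graph and ranks nodes to form C_attack. The constructed grid, the condensation-degree formula α(G) = 1/(n · mean shortest-path length), the ratio α(G ⊙ v_i)/α(G) as the raw importance and the sum-to-one normalization are all assumptions, since the paper's expressions are not reproduced above; the dependency-matrix fusion with the information side is not modelled here.

```python
import heapq

# Constructed physical grid for illustration (not from the paper). Edge weights
# are line impedances in p.u.; on the information side the same routine would
# be run with link utilisation as the weight.
PHYS_EDGES = [
    ("p1", "p2", 0.05), ("p1", "p3", 0.10), ("p2", "p4", 0.05),
    ("p3", "p4", 0.08), ("p4", "p5", 0.04), ("p5", "p6", 0.10), ("p2", "p5", 0.12),
]


def build_graph(edges):
    """Undirected weighted adjacency: {u: {v: weight}}."""
    graph = {}
    for u, v, w in edges:
        graph.setdefault(u, {})[v] = w
        graph.setdefault(v, {})[u] = w
    return graph


def dijkstra(graph, src):
    """Weighted shortest-path lengths from src to every reachable node."""
    dist, heap = {src: 0.0}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist


def condensation_degree(graph):
    """alpha(G) = 1 / (n * mean shortest-path length over all ordered pairs).
    This is the usual node-contraction definition and is an assumption here;
    the graph must be connected."""
    nodes = list(graph)
    n = len(nodes)
    if n == 1:                       # everything merged into a single node
        return 1.0
    total = 0.0
    for u in nodes:
        dist = dijkstra(graph, u)
        total += sum(dist[v] for v in nodes if v != u)
    mean_len = total / (n * (n - 1))
    return 1.0 / (n * mean_len)


def contract(graph, node):
    """G (.) node: merge node and its neighbours into one super-node named
    after node; parallel edges keep the smallest weight, self-loops vanish."""
    merged = {node, *graph[node]}
    rename = lambda x: node if x in merged else x
    new = {rename(x): {} for x in graph}
    for u, nbrs in graph.items():
        for v, w in nbrs.items():
            a, b = rename(u), rename(v)
            if a != b:
                new[a][b] = min(w, new[a].get(b, float("inf")))
    return new


def contraction_importance(graph):
    """I(v_i) = alpha(G (.) v_i) / alpha(G), normalised so the values sum to 1
    (the normalisation step the paper applies to I_P and I_C)."""
    base = condensation_degree(graph)
    raw = {v: condensation_degree(contract(graph, v)) / base for v in graph}
    total = sum(raw.values())
    return {v: r / total for v, r in raw.items()}


def screen_nodes(graph, k):
    """First screening: the k most important nodes, ranked from large to small."""
    importance = contraction_importance(graph)
    return sorted(importance, key=lambda v: (-importance[v], v))[:k]
```

On the constructed grid the top-ranked node is p5, whose contraction absorbs the heavy-load corridor p2-p4-p5-p6 and leaves the most compact residual network.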

2) INFORMATION FAILURE SET ESTABLISHMENT
After obtaining the set C_attack with m elements, and considering that n nodes are attacked at the same time, there are l combinations, and the calculation formula is as follows: The network state matrix is recorded after each combined attack, and the node state for each attack is recorded according to the values 0, 1, 2, and 3 in matrix Z. An FDI attack on node j is denoted as F_j, and a DoS attack on node k is denoted as D_k. The information failure set is denoted as
where C_s(i) represents an information attack combination.

C. CONSTRUCTION OF THE COMBINED FAULT SET
In this paper, the complexity of the information network is considered relatively high, and the average degree of each node is greater than 2; that is, a node is connected to at least two edges, so disconnecting one of the edges will not affect the upload and delivery process. According to reference [13], the depth-first traversal algorithm shows that all paths between any two nodes will traverse all nodes; that is, the information fault combined with each physical fault covers all the nodes in the information network. Clearly, the scale of this fault set is very large, and it is of little significance. The information fault is combined with the physical fault to obtain the combined fault, and it is stored in the collection H(i):
where H(i) represents a cyber-physical combined failure. A flow chart for establishing the combined fault set is given in Algorithm 1.
Under a DoS attack, the communication device denies service, which changes the transmission path of the system status information from the physical side and thus affects the data transfer time. This leads to a considerable and controllable performance degradation of the dispatch center. Accordingly, the DoS attack mechanism considered in this paper is as follows. The attacked communication node is permanently invalid, causing the communication path of some nodes to change. The information delay rate is calculated according to the new and original paths. The calculation formula of the delay rate is expressed as

Algorithm 1 Combined Fault Set Establishment Process
When the delay rate exceeds the threshold of 0.6, the circuit breakers of adjacent lines cannot isolate the fault in time, resulting in physical fault propagation. If the system does not have new communication paths, physical failures will proliferate. Under an FDI attack, the communication node uploads false data, and the default false data range is within the trusted data range of the dispatch center. Therefore, the dispatch center will change the power generation output, which will cause the line to be overloaded and expand the fault. Accordingly, the FDI attack mechanism of this paper is as follows: The attacked communication node only causes the failure scope of the physically faulty node to propagate to the neighbor nodes and does not hinder other data transmissions.
Under simultaneous DoS and FDI attacks, the communication equipment is unable to transmit normal data and transmits false data at the same time. If this information is trusted by the dispatch center and the dispatch command is issued accordingly, the physical failure that has already occurred will expand. Accordingly, the simultaneous DoS and FDI attack mechanism in this paper is as follows: the attacked communication node is permanently disabled, and the failure of the original physical node is propagated to adjacent nodes. Different from simply superimposing the faults caused by separate FDI and DoS attacks, in the subsequent process, whenever the shortest path for the transmission of new physical fault isolation information includes this communication device, the probability of physical fault expansion is 100%.
Figure 2 shows that the physical fault isolation strategy is divided into two stages, fault information upload and instruction issuance, and in this process, the transmission path of the information flow is taken to be the shortest path. Selecting an element in H(i), the physical fault is f_pi, and the information fault is C_s(i). Based on the fault isolation process of f_pi, its neighboring nodes monitor the fault information, upload it to the control center, and wait for the instruction to disconnect the switch to isolate the fault. The node set of the shortest paths for uploading physical fault information and issuing instructions to the isolation switch is J. If C_s(i) ∩ J ≠ ∅, the uploading and issuing process is hindered, and the uploading or issuing process fails. For example, in the CPPS model of the distribution network shown in Figure 3, the combined fault is set to f_p1 + F_4 + D_2; that is, physical node 1 is faulty, and information nodes 4 and 2 are subjected to FDI and DoS attacks, respectively.
According to the damage mechanism of the physical network, the failure propagation process is as shown in Table 1, and a fault isolation strategy can be developed. Specifically, b and g are determined to be faulty after detecting the fault information and uploading it to the control center, and a disconnection instruction is issued to D_ab and D_ag; the shortest transmission paths in the upload and delivery process include nodes 2 and 4. Since the DoS attack acts on node 2 and there is no other path for uploading the fault, the information transmission is blocked, resulting in the refusal of the isolation switch, and the fault range is expanded to b and g. Since the FDI attack acts on node 4, the physical fault is directly propagated to b and g.

2) FAULT SCOPE EXPANSION MECHANISM
In the subsequent process of physical fault diffusion, whenever the shortest path for information transmission passes through node 2, it is necessary to determine whether there are other paths to the dispatch center. If there are no other paths, it is necessary to determine the information delay rate. If the delay rate exceeds the threshold, the physical isolation of the fault fails, and the failure expands further. Whenever the shortest path of information transmission passes through node 4, it can still communicate with the dispatch center normally. After spreading twice, the fault is removed, and nodes a, b, g and d are finally removed.

3) SAFETY EVALUATION METRICS
To comprehensively evaluate the damage degree of the distribution network, based on the electrical and topological characteristics, safety is evaluated from two perspectives: the degree of system loss and the connectivity of the power grid, which include the degree of system loss P_lost, the degree of expansion of the fault area P_area and the power grid connectivity E_power.
where ω represents the set of all faulty nodes; V_p is the set of power network nodes; p_i, p_j represent the power of physical nodes i, j; s_i, s_j represent the power generation of physical nodes i, j; and H(m) represents the type of combined fault. Moreover, the degree of loss in nonfaulty areas is proposed. The impact of combined faults on the nonfaulty areas of the physical network is analyzed, and the power grid is quantitatively evaluated. P_lost(m) is defined as the system loss degree for the combined fault m, and P_lost(i) is the loss degree for the original fault i.
The damage degree of the physical network is analyzed from the topological structure, and the initial connectivity of the power network is defined as E_conn(N). After the attack process is completed, the network connectivity is E_conn(N − ω), and the calculation formula is expressed accordingly; the specific formula of E_conn(N) is expressed as
where N is the number of power nodes, d_ik is the shortest path from power node i to power generation node k, W is the power generation node set, and U is the power node set.
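The isolation process of Section III.C (DoS rerouting with the 0.6 delay threshold, FDI propagation, and the DoS+FDI case) together with the loss and connectivity metrics of this subsection, as an added Python example that is not the paper's code. The toy CPPS, the load values, the delay-rate definition (relative growth of the hop count), P_lost as the lost load share and E_conn as the mean inverse load-to-generator distance are constructed assumptions, since the corresponding formulas are not reproduced above.

```python
from collections import deque

# Constructed toy CPPS (not from the paper): physical nodes p1..p6 are coupled
# one-to-one with monitoring nodes c1..c6; t1, t2 are transport nodes, cc the
# control (dispatch) center. All graphs are undirected.
PHYS = {
    "p1": {"p2", "p3"}, "p2": {"p1", "p4"}, "p3": {"p1", "p4"},
    "p4": {"p2", "p3", "p5"}, "p5": {"p4", "p6"}, "p6": {"p5"},
}
INFO = {
    "c1": {"t1"}, "c2": {"t1", "c4"}, "c3": {"t1"}, "c4": {"t2", "c2"},
    "c5": {"t2"}, "c6": {"t2"}, "t1": {"c1", "c2", "c3", "cc"},
    "t2": {"c4", "c5", "c6", "cc"}, "cc": {"t1", "t2"},
}
COUPLED = {p: "c" + p[1:] for p in PHYS}              # dependency p_i <-> c_i
GENERATORS = ("p1", "p6")                             # generation node set W
LOAD_MW = {"p2": 30, "p3": 20, "p4": 40, "p5": 25}    # constructed load values
DOS, FDI, BOTH = 1, 2, 3                              # state codes of matrix Z
DELAY_THRESHOLD = 0.6                                 # threshold from the paper


def shortest_path(graph, src, dst, removed=frozenset()):
    """BFS shortest path that avoids `removed` nodes; None if unreachable."""
    if src in removed or dst in removed:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in sorted(graph[u]):
            if v not in prev and v not in removed:
                prev[v] = u
                queue.append(v)
    return None


def isolation_succeeds(monitor, z, cc="cc"):
    """Can the monitor coupled to a neighbour of the faulty node upload the
    fault and receive the trip command? Returns (ok, reason)."""
    original = shortest_path(INFO, monitor, cc)
    # DoS+FDI device on the intact shortest path: fault expansion with p = 1.
    if any(z.get(n) == BOTH for n in original):
        return False, "DoS+FDI node on path"
    # DoS'd devices are permanently unavailable, so the flow is rerouted.
    dead = frozenset(n for n, s in z.items() if s in (DOS, BOTH))
    rerouted = shortest_path(INFO, monitor, cc, dead)
    if rerouted is None:
        return False, "no alternative path"
    # Assumed delay rate: relative growth of the hop count over the original.
    delay_rate = (len(rerouted) - len(original)) / (len(original) - 1)
    if delay_rate > DELAY_THRESHOLD:
        return False, "delay rate above threshold"
    # FDI does not block transmission, but false data on the path leads to a
    # wrong dispatch command, so the fault spreads to this neighbour.
    if any(z.get(n) == FDI for n in rerouted):
        return False, "false data on path"
    return True, "isolated"


def propagate(fault, z):
    """Sequential isolation process: returns (faulty node set, step log)."""
    faulty, frontier, log = {fault}, [fault], []
    while frontier:
        spread = []
        for x in frontier:
            for y in sorted(PHYS[x] - faulty - set(spread)):
                ok, why = isolation_succeeds(COUPLED[y], z)
                log.append((x, y, ok, why))
                if not ok:
                    spread.append(y)
        faulty.update(spread)
        frontier = spread
    return faulty, log


def loss_degree(faulty):
    """Assumed P_lost: share of the total load lying in the faulty area."""
    return sum(LOAD_MW.get(n, 0) for n in faulty) / sum(LOAD_MW.values())


def connectivity(removed=frozenset()):
    """Assumed E_conn(N - removed): mean of 1/d_ik over the original load nodes
    i and generators k, d_ik = hops through healthy nodes (0 if unreachable)."""
    loads = [n for n in PHYS if n not in GENERATORS]
    total = 0.0
    for i in loads:
        for k in GENERATORS:
            path = shortest_path(PHYS, i, k, removed)
            if path:
                total += 1.0 / (len(path) - 1)
    return total / (len(loads) * len(GENERATORS))
```

With the combined attack D_t1 + F_c4 and the expected fault f_p1, isolation of p3 fails for lack of an alternative path and isolation of p2 and later p4 fails because the rerouted flow passes the FDI node c4, so the fault spreads twice and p1, p2, p3 and p4 are removed.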

IV. EXAMPLE ANALYSIS
A. SCENE CONSTRUCTION
According to the typical binary heterogeneous structure of a CPPS and the scale-free characteristics of the information space, this paper selects the following model to analyze and verify the method: for the physical side and the information side, the standard IEEE-118 node power network data and a scale-free network based on complex network theory are used, respectively, and the CPPS dependent network model is established by one-to-one coupling through the adjacency matrix. The three information nodes with the highest degree are selected to be connected to the three dispatch centers, and a power grid correlation matrix H_P, an information network correlation matrix H_C and a dependency matrix D are generated. Finally, a three-layer distributed cyber-physical power system represented by the hybrid matrix A is formed, as shown in Figure 4.

B. SIMULATION DESIGN
The priority of the information streams uploaded to the control center nodes is defined to be the same; that is, the 3 control center nodes analyze the information flow, and when 2 or more of them receive the same information flow, the information is "true", whereas it is "false" otherwise.
To verify the rationality of the information combination fault screening mechanism, this article also uses the traditional betweenness sorting algorithm to filter the information nodes to be attacked, and the node betweenness is defined as the ratio of the number of shortest paths through a node to the total number of all shortest paths in the network. It usually indicates the importance and influence of the node in the entire network. Table 2 presents the results of the betweenness sorting algorithm, node deletion algorithm and the algorithm in this paper as well as the data for the first 10 nodes. According to Table 2, there are differences in the three sorting results. The reason is that the betweenness sorting algorithm starts from the topological structure of the information network. Compared with the betweenness sorting method, the node deletion method considers the change in the active power of the power grid and the change in the network efficiency of the entire network after the deletion of the information node. This algorithm considers the electrical parameters to a certain extent but ignores the heterogeneity of the complex network. The difference is that the algorithm in this paper starts from the CPPS interdependence theory, combines the network topology parameters and electrical distribution parameters, and uses the coupling characteristics between networks, which can better reflect the impact of the physical domain on the information domain.
The fault screening and evaluation of combined faults is mainly based on the characteristics of the physical network, so the screening algorithm in this paper takes the influence of the physical domain into greater consideration. There are control center nodes in the screening results, but this article does not consider the situation of the control center being attacked; thus, the control center nodes are replaced in the results. Below, the specific manifestations of the differences between the screening algorithms are explored, the screening results are simulated and analyzed, and the impact on the physical network topology and electrical characteristics is studied.

C. SIMULATION ANALYSIS
After constructing the cyber-physical combined fault set, based on the impact of the combined faults on the electrical characteristics and topological structure of the power grid, the six combined faults with the greatest threat are screened out. The degree of system loss obtained by the three algorithms is shown in Figure 5, and the fault combinations are shown in Table 3. Figure 5 shows that most of the physical nodes coupled with the information nodes obtained by the algorithm in this paper are key nodes of the physical network, including hub nodes, heavy load nodes, and large generator set nodes. When a coordinated information attack occurs, the coupled physical node directly fails, its adjacent line switch refuses to operate, and the scope of the fault expands. The traditional betweenness sorting method considers only the topological importance of information nodes and ignores the topological importance and electrical characteristics of the coupled physical nodes. Therefore, its evaluation results do not reflect the most severely damaging combined fault. Additionally, the PE algorithm does not fully consider the characteristics of the interdependent network, so the resulting information-physical combined failure is not the most serious. The evaluation algorithm in reference [13] considers only the failure of a single information node. When the information network is sufficiently complex, the failure of a single information node will not seriously affect the operation of the system. According to Table 3, its physical faults are nodes with high power generation and heavy loads, while its information faults are the information nodes directly coupled to them, and the evaluation results are not of high reference value.
The analysis of the influence of different screening mechanisms on the propagation of physical faults is shown in Figure 6 and Table 4, considering the relationship between the original physical fault load and the physical load that must be lost, and the figure shows that the combined faults obtained by the screening algorithm in this paper have a greater impact on the nonfaulty area. This is because the other three algorithms implement a single idea of information fault screening and do not consider the overall nature of the CPPS. It can also be seen from the figure that the betweenness algorithm considering the network structure is not always less influential than the PE algorithm considering the network efficiency and electrical parameters. At the same time, the result of the betweenness sorting algorithm is different from that of reference [13]. Although the betweenness sorting algorithm considers that two nodes are attacked, the impact of certain combinations is not as great as the failure of a single information node. Because the algorithm in reference [13] uses deep traversal, the most impactful combination can be found according to different evaluation indicators, while the betweenness sorting algorithm considers only the topological characteristics of the information network, which is more limited. The algorithm in this paper considers three network characteristics simultaneously, so it has better accuracy than the other two algorithms.
To study the impact of information-physical combined faults on the topology of the physical network, the connectivity impact diagram and combined fault set are given in Figure 7 and Table 5. The histogram shows that the combined faults selected by the algorithm in this paper have a greater impact on the topology of the power system than those selected by the other two algorithms. This is because the topology of the physical network is considered when constructing the set of information nodes to be attacked. The larger the set is, the worse the connectivity of the network, and the higher the topological importance of the disconnected physical nodes. The combined fault set based on the betweenness sorting method considers only the topological importance of information nodes unilaterally and ignores the topology of the physical network, so the combined faults with the greatest impact are not obtained. Because the PE parameters include the influence of deleting information nodes on the performance of the entire network, the combined faults screened out by the PE sorting algorithm are better than those obtained from the betweenness sorting algorithm. However, the PE algorithm simply adds the weighted network efficiency and electrical load parameters, which does not fully reflect the coupling characteristics between the two networks. Therefore, compared with the algorithm in this paper, its impact on the network efficiency change is small. Reference [13] did not consider the topological structure or electrical characteristics; by traversing all information and physical nodes, a combined failure set is obtained. The combined faults selected by this method are the nodes with a larger node degree in the power grid and the information nodes coupled with them, and for a complex CPPS, the failure of a single physical node and information node will not have a major impact on the system topology.
Comparisons of Tables 3, 4 and 5 show that when the evaluation objects are different, the combined fault sets obtained by the screening algorithm in this paper are basically the same, whereas those obtained by the betweenness sorting algorithm and the algorithm in reference [13] are completely different, which demonstrates that the algorithm in this paper maintains high applicability when the evaluation index varies.

V. CONCLUSION
In this paper, a safety evaluation model for a CPPS is constructed through an expected failure analysis method, and the impact of multi-information physical failures on the CPPS is clarified. Compared with the traditional betweenness method and the classic node deletion method, the effectiveness of the method proposed in this paper for screening information fault nodes is demonstrated. Moreover, we found that, compared with the single-information physical fault analysis method, a multi-information physical fault causes multiple kinds of damage to the system, which better reflects the situation of the actual power system. In the future, supplementing new fault scenarios, specifying power flow and information flow models, and optimizing information node screening methods will help to achieve more accurate CPPS safety assessments.
YAN WANG received the bachelor's degree in electrical engineering and automation from the Anhui Institute of Information Technology, in 2020. He is currently pursuing the master's degree with Yunnan Minzu University, Kunming, China. His main research interests include smart grids and cyber-physical power systems.
CHENGCHENG FENG received the bachelor's degree in automation and electrical engineering from Luoyang Normal University, in 2020. He is currently pursuing the master's degree with Yunnan Minzu University, Kunming, China. His main research interests include protection and risk analysis of cyber-physical power systems.