Dynamic State Estimation of Generators Under Cyber Attacks

Accurate and reliable estimation of generator's dynamic state vectors in real time are critical to the monitoring and control of power systems. A robust Cubature Kalman Filter (RCKF) based approach is proposed for dynamic state estimation (DSE) of generators under cyber attacks in this paper. First, two types of cyber attacks, namely false data injection and denial of service attacks, are modelled and thereby introduced into DSE of a generator by mixing the attack vectors with the measurement data; Second, under cyber attacks with different degrees of sophistication, the RCKF algorithm and the Cubature Kalman Filter (CKF) algorithm are adopted to the DSE, and then the two algorithms are compared and discussed. The novelty of this study lies primarily in our attempt to introduce cyber attacks into DSE of generators. The simulation results on the IEEE 9-bus system and the New England 16-machine 68-bus system verify the effectiveness and superiority of the RCKF.


I. INTRODUCTION
In the operation of a power system, it is of critical importance to obtain accurate and reliable dynamic state vectors in real time for monitoring and controlling of a generator [1][2][3].As a typical cyberphysical system, power systems have emerged and been in operation for more than a hundred years, but the increasing number of cyber attacks, natural disasters, and reliance on communication control has led to new sources of failure and cascading failure.In addition, with the large-scale integration of renewable energy and new power electronics, the uncertainty of power systems has also increased [4][5][6].All these changes have brought new challenges to maintaining safe and reliable operation of the system.At the same time, the successful use of phasor measurement units (PMUs) provides new means for power system state estimation, stability assessment, and control [7,8].
The term "dynamic state estimation" (DSE) dates back to the 1970s [9].The Kalman filtering method was previously used to estimate the state of power systems.Recently, there have been many studies on state estimation based on electromechanical transients [10][11].Various nonlinear filtering methods have been utilized for the DSE of generators.For example: Particle Filter (PF) [12][13], extended Kalman filter (EKF) [14][15], unscented Kalman filter (UKF) [16][17], cubature Kalman filter (CKF) [18][19].In general, UKF is superior to EKF in terms of estimated performance; in fact, the specific results depend on the distribution of sigma points and the state dimension.
Today's power systems are facing increasingly serious cyber threats, among which false data injection (FDI) and denial of service (DoS) attacks are two typical attacks among them.The FDI attack considers measurement equipment as an attack object in power systems and has the ability to avoid bad data detection, which deviates the actual estimate from the normal value.In the operation and monitor of power systems, FDI attacks worsen online security assessment of power systems.In terms of economic benefits, FDI attacks can affect the normal dispatching plan of power systems, increase the operating cost of the system, and may even cause a large-scale blackout accident due to the wrong scheduling plan resulting from the attacks.On December 23, 2015, the large-area blackout in Ukraine was a real case of FDI attacking the power system [20].As another typical cyber attack, the DoS attack aims to continuously transmit the forged data packets on the communication channel of cyber, so that the communication channel connecting the control center and the remote terminal is not working properly.The information can't be delivered normally, resulting in the loss of the data packet and erroneous estimation results.Therefore, these cyber attacks pose a significant threat to the normal operation power systems.
In recent years, cyber attacks have become a hot topic in power system studies.In [21], a detection model based on extreme learning machine was proposed to test and identify FDI attacks.A DSEbased risk mitigation strategy was presented for eliminating threat levels from cyber attacks in [22].Furthermore, reference [23] developed a hybrid filtering algorithm to deal with the attacks of power systems by considering the influence of PMU.In [24], from the perspective of the attacker, the FDI attack based on the DC power flow model for state estimation was proposed.The principal component analysis method and the sparseness of the attack matrix were used to study FDI attacks [25,26].Moreover, in [27], the influence of Kalman filter based on model uncertainty and malicious cyber attacks on the dynamic estimation of power systems was studied.Reference [28] showed that the attacker constructs an undetectable attack vector for AC state estimation by studying in a special region of the system.In terms of detection of the FDI attack, a shortterm state prediction method was proposed in [29].For the DoS attacks, the references of [30][31][32][33] are as follows: A special DoS attack mode for the performance of a cyber-physical system was proposed in [30].The best DoS attack plan and scheme based on the cost function was studied in [31].Besides, in [32], the remote state estimation of cyber-physical systems under DoS attacks based on signal interference was researched.For the general system, the algorithm about attack power allocation was proposed in [33].In summary, in the field of state estimations, the existing methods only consider the inclusion of cyber attacks in the power flow model.To the best of authors' knowledge, until now no study in the literature has reported the DSE of generators under cyber attacks.
In this paper, an RCKF-based DSE method is proposed for generators under cyber attacks.First, the FDI and DoS attacks are modelled and thereby introduced into the DSE by mixing the attack vectors with the measurement data; second, the RCKF algorithm and the CKF algorithm are adopted to the DSE under cyber attacks, and then the two algorithms are compared and discussed.The main contributions of this paper are as follows: (1) This work is the first attempt to perform dynamic state estimation of generators under cyber attacks.Two types of cyber attacks, namely FDI and DoS, are modelled and for the first time introduced into DSE of a generator.
(2) Under cyber attacks with different degrees of sophistication, the RCKF algorithm and the CKF algorithm are adopted to the DSE of generators, and then the two algorithms are compared and discussed.
(3) The simulation results on the IEEE 9-bus system and the New England 16-machine 68-bus system verify the effectiveness and applicability of the RCKF under different attacks.Furthermore, the results also demonstrate that the RCKF performs better than the CKF in the presence of cyber attacks.
The rest of this paper is organized as follows: the generator model is described in Section II.Section III introduces the modelling of attack models.Section IV gives the detailed RCKF-based DSE of generators under cyber attacks.Section V demonstrates simulation results on two IEEE test systems, and finally, the conclusions are drawn in section VI.

II. GENERATOR MODEL
Generally, in the process of estimating the state of power systems, the system equations and the measurement equations are concentrated in the following equation [1-3, 22, 27, 31-34] 1 where x represents the state vector, u refers to the control vector, and z is the measurement vector; f and h are the state equation and the measurement equation, respectively; v and w are system deviation and measurement deviation respectively, which obey the normal distribution with the mean 0 and the variance matrices The fourth-order transient model of a generator is shown as follows [1,2,22,27,34]: ' 0 q T and q i are respectively qaxis transient time constant and q-axis output currents, respectively; q X and ' q X are respectively q-axis reactance and q-axis transient reactance.
Measurement vectors include  ,  and q X .The measurement equation is listed as follows [1,3] where z  and z  are the measurements of the rotor speed and the rotor angle, respectively.z e P denotes the measurements of the electromagnetic power of a generator.U and  are the magnitude and phase angle of the generator terminal voltage [1].
The measurement noise covariance matrix where In the DSE of a generator, the state vector, the measurement vector, and the control vector are specifically shown as [1,29]  The exciter model is shown as follows: represents the nonlinear relationship between the state vector and the measurement vector, and e denotes the measurement error.
Take the function h 1 () as an example, Taylor's formula is used to extend h 1 ().Since the state vectors of generators can't change suddenly during the electromechanical transient process, the high-order parts of h 1 () are too small and can be ignored.Therefore, the linearized measurement equation is obtained as follows: e is a constant matrix.Thereby, ( 7) can be further expressed as follows: z Hx e  (10) where H is the Jacobian matrix, e is regarded as the new measurement error.In this study, by substituting (3) into (11), the matrix H can be obtained as where 1 Bad data that often occurs with a large terrible impact on the results of state estimation The application of the residual equation can largely eliminate the influence of bad data [29].
The residual between z and its estimated vector is given by the following equation [28]: r z z  (13) where () z h x  represents the estimated vector of z.According to the definition of the residual, Eq. ( 13) can be rewritten as follows [20,21,24,25]: is used to represent the false data injected by the attacker in the measurement vector, the actual measurement vector is represents the error vector that is brought into by the FDI attack in the state vector, the elements of it are randomly generated by a Gaussian random variable with different variances, and the estimation of state vector becomes ˆâ x x c  [25].According to (14), the measurement residual is obtained as [15] ˆ() Obviously, a Hc  is a sufficient condition for (16).ˆâa r z Hx z Hx     Eq. ( 16) suggests that the residual values before and after the FDI attack are equal, and then the residual-based bad data detection is unable to identify the false data.Consequently, the FDI attack is successfully applied to the measurement vector when the attack is modelled as a Hc  .In this case, the measurement vector under the attack has a larger deviation from the true vector, which will undermine the safe and stable operation of generators [28].
If the errors of attack vectors are taken into account, the residual values before and after the FDI attack are not equal [29].Then the following formula is obtained: ˆˆâ However, if the residual value of the measurement data is less than the detection threshold in the detection process, the FDI attacks are still successfully hidden.Furthermore, the detection threshold B J is determined by superimposing a certain redundancy on the normal maximum estimated deviation.The formula of the detection is as follows: ˆâ Thus, if a z satisfies ( 18), the FDI attacks can be implemented to the DSE of generators.

B. DoS ATTACK
The essence of DoS attacks is the process of packet (i.e., measurement data) loss.At present, there are usually two types of modelling for the characteristic of packet loss.The first one is described by the Bernoulli distribution [31], while the second is described by the Markov model [33].Taking into account the characteristics of the memoryless Bernoulli process in DoS attacks, the first method is here chosen to model DoS attacks.
When an attacker initiates d consecutive DoS attacks, it may result in successive loss of packets.For example, while the measurement data at the (k-d)th moment is successfully transmitted, the attacker launches an attack at the next moment.The period of consecutive attacks is from the (k-d+1)th moment to the kth moment, and up to d packets are lost during this period.Then, the Bernoulli distribution is used to depict the packet loss characteristics caused by DoS attacks.In order to describe the transmission of the measurement data 11 , ,..., , . Define the row matrix , the elements in this matrix can be expressed as follows [30][31][32][33]: where k  is the state matrix of measurement vector transmission, () id  ), representing the transmission state of the measurement   denotes the probability of packet loss.And thereby, the measurement data actually received by the state estimator under DoS attacks can be indicated as: (1) (2) ...
( 1) where ' k z denotes the measurement data under the DoS attack.

A. CUBATURE KALMAN FILTER
The spherical cubature and the Gaussian quadrature rules are utilized to estimate the probability density functions of the state space and the measurement space in CKF.Fig. 3 shows the basic structure of the DSE for generators based on the CKF.The specific process includes the following two stages [1]: (1)Forecasting stage At this stage, U and  are all available from PMUs.
Decouple the generator from the system, and then obtain the predicted values of state vectors at moment k+1 by the state equation and the state vectors of at moment k, which is shown as follows: where kk P denotes the estimation error variance matrix of the state vector at moment k obtained from moment k-1; (2)Filtering stage The predicted values of the state vectors at the forecasting stage are calculated by the measurement vector 1 k z  , and thereafter obtain the estimation of the state vectors at moment k+1.The specific process is as follows:   where

B. ROBUST CUBATURE KALMAN FILTER
Accurate system models and noise statistics are prerequisites for the traditional CKF for obtaining a good estimate.In this paper, the generator model is assumed to be accurate.However, due to environmental factors, bad data inevitably appears in PMU measurement vectors, causing the measurement error variance matrix 1 k R  to be inconsistent with the actual error.This leads to that the CKF is unable to complete the accurate correction of the predicted values in the filtering stage.
By combining the robust M estimation theory and the CKF, the RCKF has the on-line adjustment capability for measuring noise statistics.By using the RCKF, accurate state estimation results can still be obtained even if the measurements contain bad data.
The basic process of the RCKF is generally the same as that of the CKF except for (31) and (32).Specifically speaking, the measurement error variance matrix before correction is replaced by the corrected measurement error variance matrix in (31).
1 k R  is the measurement error variance matrix before correction, 1 k R  is the corrected measurement error variance matrix according to the following formula: where P is the equivalence weight matrix.In this work, the Huber method is used to calculate the equivalence weight matrix P [1], which is given by ' , , '   is the mean square error of r m .C is a given constant (ranging from 1.3 to 2.0), and it is here taken as 1.5 through the try-and-error method.These vectors are expressed as [1]: () where ,1 zz k k P  is the measurement error variance matrix before correction.
In the process of the RCKF-based DSE of generators, x  obtained in the forecasting stage remains unchanged.In this regard, this paper proposes an attack identification strategy, which is as follows: ˆˆ,The attack can be identified ˆˆ, The attack cannot be identified during the period of the normal estimation.

C. SOLUTION PROCESS
As shown in Fig. 4, the RCKF-based solution process is described as follows: 1) Construction of the state and measurement equations: Based on the estimation vector ˆk x at moment k, the state equation of a generator is constructed.Assuming that the magnitude and phase angle of the generator terminal voltage ( , ) U  are available from PMUs, the measurement equation of a generator is thereby constructed.
2) Modelling of cyber attacks: The Jacobian matrix H is obtained from (14).For the FDI attack, the attack vector is obtained through multiplying the Jacobian matrix by the error vector of state vector obeying Gaussian distributions with different standard deviations.
(2) Regarding the DoS attack, the transmission state matrix k  obeying the Bernoulli distribution is established.
3) Implementation of cyber attacks: On the basis of the predicted values of state vectors, the FDI attack vectors are implemented to the measurement vectors 1 k z  , and then they are detected via the bad data detection.For the DoS attack, the measurement vector under the attack is formed by multiplying the elements of the matrix k  by the corresponding elements of the measurement matrix.
4) Estimation results: In the filtering stage of the RCKF, the estimated values at moment k+1 under attacks are obtained according to ( 27) ~ (35).And thereby, based on the estimated values, the mechanical torque is calculated by the governor.At the same time, the estimation results need to be tested for the attack identification.After that, perform the DSE based on the RCKF until the simulation is finished.

A. SIMULATION SETTINGS
All simulations have been performed under the MATLAB environment on a desktop PC equipped with Intel Core i5-4590 3.3GHz CPU and 8 GB RAM.Note that in this study, PMU data are simulated through detailed numerical simulations via the power system toolbox (PST).
The simulation data are listed as follows: 1) The sampling rate is assumed 50 samples/s; 2) The simulation time step is set to 0.02 s; 3) The standard deviations of the rotor angle and the rotor speed are respectively 2° and 0.1%; 4) The standard deviations of the phase angle and amplitude of terminal voltages are 0.1° and 0.1%；5) A PMU is equipped at the terminal of each generator [1,27].

B. EVALUATION INDEX
To compare the estimation results, three different indices are defined as follows [1], [2]: where ˆi x and it x are respectively the estimated value and the true value, iz x represents the measurement value, N denotes the number of sampling points.The evaluation index 1  can measure the filtering performance of the same state estimation method under different cyber attacks; 2  can evaluate the filtering performances of different state estimation methods under the same cyber attack; 3  can quantitatively evaluate the estimation results for any estimation method under any attack.

C. IEEE 9-BUS SYSTEM
This system contains 3 generators, 3 transformers, and 9 buses.The fault settings are as follows: a three-phase short-circuit fault occurs at bus 4 at t=1.2s, then the fault is cleared at t=1.5s.The entire simulation process lasts 20s.For ease of analysis without loss of generality, generator 1 is taken as an example to examine the performances of the RCKF algorithm.Here, the detection threshold of the bad data detection is set to 2.1 J B  through simulations, since all injected false data can just pass the detection while bad data can be detected in this situation.

1) SIMULATION RESULTS UNDER FDI ATTACKS
In terms of FDI attacks, according to the error vector of the state vector, three attack scenarios are designed, as shown in Table I [25].From Figs. 6-11, it can be observed that the estimation results of the RCKF are very close to the true values in the attack period from t=4s to 12s.This result verifies the effectiveness of the RCKF under FDI attacks.Furthermore, the estimated results of the RCKF are closer to the true values than those of the CKF, which suggests that the filtering ability of the RCKF is better than that of the CKF.
The estimation indices of generator 1 in the scenarios are shown in Table II. is concerned, under attack scenario 1, the filtering accuracies of the RCKF are respectively 19% and 7.3% higher than those of the CKF for the rotor angle and the rotor speed; under attack scenario 2, the filtering accuracies of the RCKF are increased by 28% and 27% compared with those of the CKF; under attack scenario 3, the filtering accuracies of the RCKF are increased by 91.8% and 84% compared with those of the CKF.(3) Regarding the index 3  , the index values of the RCKF are less than those of the CKF.In general, the effectiveness of the RCKF is verified under different FDI attack scenarios.The superiority of the RCKF under these scenarios compared with the CKF is also confirmed.

2) SIMULATION RESULTS UNDER DOS ATTACKS
According to the packet loss rate of DoS attacks, four attack scenarios are designed, as shown in Table III [31].From Figs. 12-19, ones can observe that in the attack period from t=4s to 12s, the attack frequency changes with the decrease of the packet loss rate, and the estimated values of the RCKF are much closer to the true values than those of the CKF.Based on these results, the effectiveness and superiority of the RCKF are verified under DoS attacks.
The state estimation indices of generator 1 are shown in Table IV.

D. NEW ENGLAND 16 MACHINE 68 BUS SYSTEM
This system consisting of 16 synchronous generators, 68 buses, and 86 lines is a well-known test system in the field of state estimation [1,27].Taken as generator 1 as an example, a three-phase short-circuit fault occurs at bus 6 at t=1s and then is removed at t=1.2s.The simulation lasts 10s and the detection threshold is here set to 1.6 J B  using the same approach as that in the previous IEEE 9-bus test system.From Figs. 21-26, it can be seen that the estimated values of the RCKF are significantly closer to the true values than those of the CKF in the attack period from t=4s to 8s.This verifies the effectiveness and applicability of the RCKF under three FDI attack scenarios for the larger system.And it also proves that the RCKF is better than the CKF in terms of the filtering ability.
The estimation indices of generator 1 are shown in Table VI. , the values of the RCKF are always less than those of the CKF under three attack scenarios.These phenomena suggest that the filtering performance of the RCKF is still better than that of the CKF in the larger system.

2) SIMULATION RESULTS UNDER DOS ATTACKS
Similar to the FDI attacks, the settings of the DoS attack scenarios in this system are as same as those in the IEEE 9-bus system.
Figs. From Figs. 27-34, it can be observed that the estimated values of the RCKF are still close to the true values with the different packet loss rates in this system.This verifies the effectiveness and adaptability of the RCKF under DoS attacks in the larger system.Moreover, it can be seen from these figures that the filtering ability of the RCKF is significantly superior to that of the CKF under DoS attacks.
The estimation indices of generator 1 are shown in Table VII.From the test results on the above two systems, it can be seen that the filtering performance of the RCKF is superior to that of the CKF.The reason for this phenomenon is that the consequence of cyber attacks essentially is to introduce a large number of errors to the measurement data, and the RCKF can eliminate the errors while the CKF does not have this ability.

E. COMPARISON OF COMPUTATIONAL EFFICIENCY
In order to reasonably evaluate the computational efficiency of the RCKF under cyber attacks, the calculation times using the CKF and the RCKF are shown in Table VIII.Table VII shows that the RCKF can accurately estimate dynamic states of generators in real time.Since the RCKF uses the M estimation theory to eliminate measurement errors caused by cyber attacks, its calculation time is slightly longer than that of the CKF, but it is still within a reasonable range.Consequently, the computational times demonstrate that RCKF has the potential to perform DSE of generators or even power systems in real-world applications.

VI. CONCLUSION
This paper investigates the dynamic state estimation of generators under cyber attacks.First, attacks are modelled and thereby introduced into the DSE of generators; and then, the RCKF algorithm is adopted to dynamic states of generators under cyber attacks with different degrees of sophistication.To the best of the authors' knowledge, this is the first study that investigates the DSE of generators under cyber attacks.Based on the test results on two IEEE test systems, the following conclusions can be drawn: (1) The RCKF is capable of effectively performing the DSE of generators in the presence of cyber attacks; (2) Furthermore, the filtering performance of the RCKF is significantly better than that of the CKF.(3) For a DSE algorithm such as the CKF that is not capable of addressing cyber attacks, the estimation performances of the algorithm may be seriously deteriorated under attacks.
In our future work, more types of cyber attacks will be introduced into the DSE of generators.In addition, the adopted method might be extended to address other power system state estimation issues.

R
are the system and measurement noise variance matrices, k is the moment.

E
is the d-axis transient voltage of a generator; ' q E is the q-axis transient voltage of a generator;  is the rotor speed; J T is the inertia time constant; m T represents the mechanical torque.f E is the field voltage; e T represents the electromagnetic torque; D represents the damping coefficient;  is the rotor angle.' d-axis transient time constant and d-axis output currents; d X and ' d X are d-axis reactance and daxis transient reactance; : : FIGURE 1. Governor modelwhere

P
the cubature points of forecast values of the measurements; 1 ˆkk z  is the forecast values of the measurements obtained by the weighted summation of  is the updated estimation error variance matrix of state vectors at moment k+1.


denote a diagonal and non-diagonal element.Since the measurement error variance matrix in the DSE of generators is a diagonal matrix, the nondiagonal elements , mn  are taken as zero.r m is the corresponding residual component of measurement vectors m z , while m r is the corresponding standard residual component. m

1 ˆkk x  and 11 ˆkkx
 are approximately equal before attacks.When attack vectors are implemented into the measurement vectors, 11 ˆkk x  obtained in the filtering stage will change.But at this time, 1 ˆkk

1  2  3 
the state estimation indices of generator 1 based on the two algorithms under three DoS attack scenarios.From Table IV, it can be seen that: (1) For the RCKF, the values of are almost unchanged in three different attack scenarios.(2) For index , under attack scenario 1, the values of the CKF are respectively 251 and 471 times that of those of the RCKF about the rotor angle and the rotor speed; under attack scenario 2, the values of the CKF are respectively 254 and 446 times that of those of the RCKF; under attack scenario 3, the values of the CKF are respectively 257 and 416 times that of those of the RCKF; under attack scenario 4, the values of the CKF are respectively 265 and 386 times that of those of the RCKF.(3) For the index , the index values of the CKF are greater than those of the RCKF.In short, the of the RCKF under DoS attacks is verified and the superiority of the RCKF compared with the CKF under DoS attacks is validated.

FIGURE 20 .
FIGURE 20.New England 16-machine-68-bus system1) SIMULATION RESULTS UNDER FDI ATTACKSIn order to facilitate comparative analysis, the settings of the FDI attack scenarios in this system are shown in TableV:

1  2  3  2  and 3 
, the index values of the rotor angle and the rotor speed obtained by using the RCKF are basically unchanged under different attack scenarios, which validates the performance of the RCKF for the larger system under DoS attacks.(2) For index , the index values of the rotor angle and the rotor speed obtained by the CKF are respectively 454 times and 13466 times higher than those of the RCKF under scenario 1; under scenario 2, the index values of the CKF are respectively increased by 454 times and 12932 times compared with those of the RCKF; under scenario 3, the index values of the CKF are respectively increased by 448 times and 12043 times compared with those of the RCKF; under scenario 4, the index values of the CKF increased by 456 times and 11622 times compared with those of the RCKF.(3)In terms of index , the index values of the RCKF are always less than those of the CKF under the four scenarios.The results on the above indices suggest that the RCKF significantly outperforms the CKF under DoS attacks.

Table III ,
DoS-scenarios 1-4 respectively indicate that in four attack scenarios, the packet loss rate of the measurement data is 1, 0.95, 0.85 and 0.75.Figs. 12, 14, 16 and 18 show the estimated results of the generator's rotor angle under four DoS attack scenarios.Figs. 13, 15, 17 and 19 show the estimated results of rotor speed under these DoS attack scenarios.

Table V
(1)es the state estimation indices of generator 1 based on the CKF and the RCKF under three FDI attack scenarios.From Table V, it can be observed that:(1)In the New England 16-machine 68-bus system, for the index 1 , the values of the rotor angle of the RCKF are respectively only increased by 0.9% and 0.7% with the diversification of attack scenarios, the values of the rotor speed of the RCKF don't change significantly.(2)In terms of the index 2 , the values of the CKF about the rotor angle and the rotor speed are 26.4% and 72.6% higher than those of the RCKF under attack scenario 1; under attack scenario 2, the values of the CKF are increased by 96.4% and 97.5% compared with those of the RCKF; under attack scenario 3, the values are increased by 98.8% and 98.9%.(3) For the index 3

27. Rotor angle under DoS-scenario 1
27, 29, 31 and 33 show the estimated results of the rotor angle under different DoS attack scenarios.Moreover, Figs. 28, 30, 32 and 34 show the estimated results of the rotor speed.

Rotor speed under DoS-scenario 4
Table VI gives the state estimation indices of generator 1 based on these two algorithms under three DoS attack scenarios.From Table VI, it can be seen: (1) Regarding index