Electric Power Grid Resilience to Cyber Adversaries: State of the Art

Smart electricity grids have been evolving into a more complex cyber-physical ecosystem of infrastructures with integrated communication networks, new carbon-free sources of power generation, advanced monitoring and control systems, and a myriad of emerging physical hardware technologies. With the unprecedented complexity and heterogeneity of dynamic smart grid networks comes additional vulnerability to emerging threats such as cyber attacks. The rapid development and deployment of advanced network monitoring and communication systems on one hand, and the growing interdependence between the electric power grid and a multitude of lifeline critical infrastructures on the other, call for holistic defense strategies to safeguard the power grid against cyber adversaries. To improve the resilience of the power grid against adversarial attacks and cyber intrusions, advances should be sought in detection techniques, protection plans, and mitigation practices across the electricity generation, transmission, and distribution sectors. This survey discusses such major directions and recent advances through the lens of detection techniques, equipment protection plans, and mitigation strategies that enhance the resilience and operational endurance of the energy delivery infrastructure against cyber attacks. This undertaking is essential since even modest improvements in the resilience of the power grid against cyber threats could lead to sizeable monetary savings and enriched overall social welfare.


I. INTRODUCTION
Smart grids have transformed the monitoring, control, and operation of bulk power grids via modern communication, signal processing and control technologies. While smart grids allow power networks to be effortlessly monitored over wide areas, the widespread deployment of modern information and communication technologies (ICTs) engenders a significant security concern and vulnerability to malicious cyber attacks: adversaries may alter the underlying physical systems and processes, thereby potentially compromising national security [1]- [3]. With the extensive integration of cyber infrastructure in smart grids, an expanded attack surface is formed, characterized by intensified complexity, heterogeneity and number of resources [4] (see Figure 1). This is evidenced by the frequency, complexity, and severity of cyber attacks targeting several key power system operational functions such as automatic generation control (AGC), state estimation (SE), and energy management systems (EMS), which have been globally observed to be on the rise in recent years [5]. Cyber attacks are malicious intrusions triggered by disrupting the cyber layers of the communication systems in the power grid. There are generally four types of attacks to which the power grid may be vulnerable: physical-only, cyber-only, cyber-enabled physical and physical-enabled cyber attacks [6]. Disruptions appear when either the system operator makes a detrimental error based on compromised sensor measurements or the power grid is remotely or directly controlled by a malicious intruder [7]. An intruder may be motivated to initiate a cyber attack for many reasons, including financial benefits, large blackouts, or a combination of both [8]. The gravity of the attack depends on the resources the attacker has access to and the knowledge they possess of the system topology.

The associate editor coordinating the review of this manuscript and approving it for publication was Francesco Tedesco.
The more accurate the model the attacker has access to, the larger the deception attack that can be executed undetected [9]. Attackers may take advantage of their knowledge of the grid and launch coordinated attacks on critical substations in the network, which may eventually cause brownouts/blackouts with significant techno-economic consequences [10]. From a realization perspective, a cyber attack can be considered measure-based or control-based. A measure-based cyber attack targets the tie-line flows and frequency measurements, i.e., the measurements PL45, PL69 and the system frequency being sent to the control center. A control-based cyber attack targets the area control error (ACE) values once they are sent from the AGC algorithm and before they arrive at the designated substations. Such an attack can send opposite-direction ramping commands to the generating units: modifications to the ACE signals (e.g., a sign change of the ACE value) can lead to generation ramping up when load reduction is needed, and vice versa [11].
Historically, there have been reported incidents in which power systems and industrial control systems (ICS) were compromised through cyber means. In the United States, the power grid was penetrated in 2009 by cyber spies and a key infrastructure was compromised by an undetected intrusion: Siemens supervisory control and data acquisition (SCADA) systems were attacked by the computer worm Stuxnet. In 2010, Stuxnet was able to infiltrate Iran's Natanz nuclear fuel-enrichment facility, which was part of Iran's nuclear development project [12], [13]. In 2003, a cyber attack penetrated a computer network at the Davis-Besse nuclear power plant in the US [13]. There have also been reports of an experimental cyber attack launched by researchers which caused a generator to malfunction and self-destruct [14]. Energy theft is another common cyber attack practice, in which electric power is misused or ''stolen'' by a malicious intruder. Reports reveal that the United States loses ∼ $6 billion to energy theft alone, while it accounts for a ∼ $25 billion loss for electric companies globally [15]. Even advanced metering infrastructure (AMI) platforms, which are used to moderate the power flows in the grid, have been compromised and abused for energy theft. In 2009, the FBI reported a wide and organized energy theft scheme which may cost a utility company up to $400 million annually following the deployment of AMIs [16], [17]. One major known attack was the cyber attack on the Ukrainian power grid on December 23rd, 2015, in which a third party from Russian security services illegally entered the SCADA systems and computers and ultimately caused a blackout with massive consequences: a service outage that left 225,000 customers without electricity for 2-6 hours [18]. Such blackouts are detrimental in that they cause financial losses and disruptions in all aspects of everyday life [19].
Hence, the characterization, modeling, and assessment of the power grid's cyber vulnerability, and the design of solutions to protect the grid and enhance its resilience against cyber adversaries, are essential. Even modest improvements in the resilience of the power grid against cyber threats (through advanced monitoring, efficient threat detection, and recovery algorithms) could lead to sizeable monetary savings and enriched overall social welfare. More critically, they could help reduce the undesirable social, psychological, and physical outcomes associated with prolonged power outages resulting from cyber intrusions, e.g., premature death, injury, social unrest, etc.

VOLUME 8, 2020
Various studies have investigated the impact of cyber attacks on different day-to-day operation and control mechanisms in power grids, including but not limited to state estimation (SE), electricity markets, power system protection, renewable forecasts, and power system dynamics and control [1], [2], [20]- [31], among many others. A cyber-resilient power grid entails fault tolerance, fast response, recovery and reliability. Ensured resilience of the power grid against extremes not only reduces the volume of outages, but also ensures that the grid responds in a timely manner to a variety of cyber catastrophes and man-made faults [32]. In power transmission systems, difficulty in maintaining system security arises because intelligence is only applied and available locally by protection systems and centrally through SCADA systems. In some cases, the central control system is slow to respond to cyber attacks and the protection systems are limited to a few local components [33]. There are many methods to model a cyber attack: an Unmanned Aerial Vehicle (UAV) trajectory plot can model the different paths an attack can take based on the type of cyber attack and the impact it imposes on the power grid [34]. Attack trees can be devised to model many types of cyber attack scenarios, encompassing all possible approaches an attacker may take [15], [35], or other methods such as a Markov decision process (MDP) can enumerate all possible attack scenarios [36]. To model a control system, on the other hand, a graph-based topological network model (graph theory) has been proposed for a target control system. Integrated with logical connection information, it permits the implementation of a simple Prolog-based expert system to represent a device visibility path and allows assessment of the device vulnerability [37]. A classical mathematical model to describe the power transmission grid is commonly referred to as the structure-preserving power network model. It consists of dynamic swing equations for generator rotor dynamics and algebraic load-flow equations for power flow through network buses [22].
Aiming to report the existing state of knowledge on the topic, this paper is structured as follows: a background on cyber attacks, including definitions, potential attack surfaces, and the impacts on bulk power grids, is presented in Section II. Section III discusses the power grid's resilience to cyber attacks and how the smart grid cyber layer should be characterized to resist cyber threats, ensuring operational endurance and resilience. Section IV reviews protection mechanisms in power systems against cyber adversaries to prevent failures, followed by Section V, where mitigation solutions are reviewed. The paper concludes in Section VI with several concluding remarks.

II. CYBER ATTACKS: MODELING AND CLASSIFICATION
In this section, the root causes of cyber attacks and the attack surfaces are first reviewed to give an overview of where in the power grid such threats would emerge. The impacts of cyber attacks on power systems are discussed next, considering the technical failures and the consequent effects of triggering events.

A. CYBER ATTACK ROOT CAUSES AND SURFACES
The smart grid is a hybrid of power and communication systems, the latter of which introduces vulnerabilities that can be compromised during a cyber attack; these vulnerabilities concern confidentiality, integrity and availability (CIA) [38]. By today's standards, the power grid is characterized as a cyber-physical system (CPS), shown in Figure 2, which contains physical, sensor/actuator, network, control, and information layers. Manipulation of each layer is possible, but this does not necessarily mean an intrusion detection component or system needs to be applied in all layers. Information flows between all layers, as they operate only in tandem [39]. Cyber attacks appear in many different forms, the most basic definition being man-made manipulation of the power grid and redirecting power flow to where it is unassigned by the network operator (see Table 1). As the different interoperability layers of smart grids, including the physical, function, and business layers, are interconnected through the communication layer to exchange information, attack surfaces are wider than those listed in Table 1. However, the table reviews the most common surfaces with potential to be attacked in existing modern power systems, as a basis to identify the domain and the type of common attacks.
Some of the most common attacks are denial of service (DoS), false data injection attacks (FDIA), energy theft [17], insertion of malware or worms, as well as physical damage to the power grid such as causing equipment to self-destruct [14], [35], [40].
• DoS attacks are often realized when the attacker jams the communication channels, compromises the electronic devices, and attacks the routing protocols, which ultimately leads to delays and congestion in the communication channels. Generally, a DoS attack restricts a legitimate user's access to services and resources by flooding the communication network with unnecessary traffic [12], [41].
• FDIA scenarios are realized when an attacker injects false data, usually on a communication line between the field sensors and the control center, with the intent to deceive the network operator and even disturb the SE processes [8], [13]. FDIAs may result in a wide variety of outcomes depending on the intruder's intention, including energy theft, miscalculation of locational marginal prices (LMP) for illegal market profits, and physical damage to the network. FDIAs can affect the LMPs by misleading the SE, which then adversely affects the contingency analysis procedures [42].
• Insertion of malware or worms ranges from malicious software which runs in the background to slow down the operations of the electric utility's computers to insertion of Trojan software to steal practical security certificates [40].
Cyber intrusion does not necessarily have to occur in the power system itself, since it can originate from separate systems that interact frequently with the grid, such as electric vehicle supply equipment (EVSE) [43]. In [40], a malware attack model is able to attack the electric vehicle (EV) infrastructure and its communication systems when EVs are plugged in for charging. In some instances, attacks can be undetectable, such as malicious data injection attacks that alter the values of measurements without being detected, which may result in serious consequences [44].
From an engineering perspective, there is an opportunity for cyber attacks in smart power grids due to the proliferation of and reliance on distributed advanced metering infrastructure (AMI) [45], intelligent electronic devices (IEDs) [46]- [56], and wireless and/or off-the-shelf communication components and systems across the power network. Such cyber infrastructure increases system connectivity and autonomous decision-making by employing standardized information protocols that often have (or will have in the future) publicly documented vulnerabilities. Motivations for cyber attacks also abound. Market deregulation and privatization of the energy industry have increased the competition among energy providers to enhance consumer-centricity. Threats also exist in the form of dissatisfied utility insiders, electricity consumers, and cyber terrorists.

B. IMPACTS OF CYBER ATTACKS ON POWER GRID
Control systems are becoming more vulnerable as they become overwhelmingly coupled with modern information and communication technologies and the physical controllers in a CPS [57]. The critical equipment and systems which can be mainly affected or exploited during an attack are in the energy management systems (EMS) in transmission networks or the distribution management systems (DMS) in distribution networks. Such platforms collect data from remote and distributed meters and sensors across the network and generate estimates of the system states at intervals of roughly 15 minutes [46]- [51], [53], [55]. When false meter data is injected through a cyber attack, the EMS or DMS functions at the control center will be misled by the state estimators, which may potentially lead to erroneous decisions on contingency analysis, power dispatch, and even billing actions [14]. The smart grid offers synchrophasor-based cyber security, which entails a CPS that provides real-time data to the EMS in order to manage (monitor and control) the physical network [58]- [61]. However, the latest synchrophasor devices, e.g., phasor measurement units (PMUs), as well as digital fault recorders (DFRs) and protective relays with PMU functionality, are susceptible to a wide range of errors [53], [60], including cyber attacks; this is even more challenging considering that such equipment is intertwined with a large number of legacy devices that have little or no protection against cyber attacks [62]. In [34], CPS security is analyzed where a deception attack compromises sensors, actuators, or both sensors and actuators. The probability of an FDIA being launched successfully usually depends on two assumptions: (i) the attacker has control over some sensor nodes and (ii) the attacker has complete knowledge of the system or its exact topology at all moments during the attack [63].
Generally, the highest impact of an attack is realized when an intruder gains access to the supervisory control access points of SCADA systems and launches control actions [64]. The attacker may compromise raw data measurements, which causes undetected errors to factor into estimates of state variables such as bus voltage angles and magnitudes. This can occur when the attacker takes advantage of the small errors tolerated by SE algorithms. Ultimately, this severely threatens power system security [13]. Disturbances in SE can lead to increases in the mean square error (MSE) of the state estimates and to changes in the real-time electricity market prices. An invalid MSE can lead network operators to make wrong decisions, and the changes in real-time electricity market prices can benefit only the attacker [65]. With FDIAs, the power grid can suffer economic attacks, load redistribution attacks, or energy deceiving attacks. An economic attack is a type of FDIA which can affect the operation of the deregulated electricity market, which is comprised of two markets: the day-ahead market and the real-time market. An attacker can manipulate market prices for power and obtain monetary gains. A load redistribution attack can affect power grid operation by attacking the security-constrained economic dispatch (SCED). The purpose of SCED is to minimize the total system operation cost; however, when the raw measurements are manipulated by an attacker, the SCED will result in an overload of the lines that remains unnoticed by the system operator and ultimately causes large physical damage to the power grid. An energy deceiving attack affects the distributed energy routing process, which is essentially a scheme to determine the optimal energy routes for load demand or generation. When measured data has been tampered with, it can cause erroneous energy demand or supply messages to be initiated [13].
Overall, cyber attacks can impact four main aspects of bulk power systems: SE, AGC, voltage control, and the energy market. FDIAs deceive system operators into believing that the current operating conditions are secure, both physically and economically, when they actually are not [42]; the injection of false data can affect the stability and security of the system [66]. Spatiotemporal cyber-state correlations can be used to detect FDIAs: potential anomalies can be detected by monitoring the temporal consistency of the spatial correlations between state estimates [67].
Another way an intruder can affect the communication network is by attempting to connect and dial up to a remote terminal unit (RTU) or an IED, which can allow them to wiretap telecommunications or perform a local-area network (LAN) or wide-area network (WAN) transmission, as shown in Figure 3. They could also attack the corporate information technology (IT) systems and gain backdoor access to the interconnected EMS or SCADA systems; internet service providers (ISP) and telecommunications are other sources they can attack. Some electric utility providers are dependent on corporate IT systems, and the interconnection of their SCADA systems with those IT systems greatly intensifies the vulnerability of the electric power grid [37]. Similarly, AMI systems can be attacked. AMI includes smart meters, customer gateways, the AMI communication network and the head-end; AMI is considered a fundamental technology of smart grids for enabling two-way communications along with various other functions. However, several potential vulnerabilities have been identified in AMI, specifically the insertion of malicious software and the disabling of metering systems [38].
Cyber attacks and intrusions can occur multiple times from a single origin and spread to different areas. A typical example is electric vehicle charging stations (EVCS) [43], [68]- [72]: when a consumer charges their EV at multiple stations, it is likely that malware can spread through vehicle-to-infrastructure and EVSE communications. Essentially, an attack on an EV may spread to the power grid infrastructure, starting from the EVSE and going all the way up to the utility systems [40]. The integration of transportation and power systems may leave many open doors for hackers, especially in the interconnected environment, i.e., the EV infrastructure including EVs, EVSE, meters and other roadside infrastructure, when deeply integrated with critical infrastructure systems [73]- [75].

III. POWER GRID RESILIENCE TO CYBER ATTACKS
The concept of resilience has become a well-researched topic in recent years, as it mainly drives the swift detection and effective mitigation of high-impact low-probability (HILP) events in the power grid [76]- [78]. The word ''resilience'' originates from the Latin word ''resilire'', reflecting ''the ability to rebound'' [32]. Power system resilience in the face of devastating natural HILP events has been studied widely in the literature [76]- [97]. Past research defines, quantifies, and categorizes the concept of resilience in many different ways. For instance, the National Infrastructure Advisory Council (NIAC) proposed a universal definition of infrastructure resilience in 2010: ''the ability to reduce the magnitude and/or duration of disruptive events. The effectiveness of a resilient infrastructure depends on its ability to anticipate, absorb, adapt to and/or rapidly recover from a potentially disruptive event'' [98]. In a similar attempt, [99] defines resilience as the system's ability to withstand the main interruption within acceptable degradation parameters and to recover within an acceptable time and composite risks and costs. An alternative definition of resilience is the ability to prepare for and adapt to changing conditions, featuring robustness and fast recovery [100]. A final interpretation of resilience is the system's ability to prepare and plan for, absorb, recover from, and more successfully adapt to adverse events [101].
The power grid is required to supply electric power continuously and reliably to end-users in general and to critical lifeline infrastructures (e.g., water networks, oil and gas systems, communication systems, transportation networks, etc.) and mission-critical services (e.g., the health sector, defense bases, etc.). The electric sector's approach to the protection of the grid's critical infrastructure is generally known as ''defense-in-depth'', which comprises prevention, preparation, response, and recovery for an inclusive range of credible hazards to electric grid operations. Resilience in power grids entails accurate threat detection, infrastructure vulnerability monitoring, and timely response and recovery (see Figure 4). Both ''long-term'' and ''short-term'' strategies for enhancing grid resilience against extreme conditions have been addressed in the literature. In the former, enhancing the grid's structural resilience is the primary concern, and suggestions are toward the deployment of ''grid hardening'' plans through reinforcement, preventive maintenance of the critical assets, vegetation management, efficient allocation of flexible energy resources (e.g., storage units), etc. In the latter, improving operational resilience is targeted through fast emergency response and remedial actions, defensive islanding, use of micro-grids, etc.
The IT employed in industrial control systems (ICS) is cyber-vulnerable in general and can potentially impose direct impacts on the physical power grid. CPS will be the core component of many critical infrastructures, yet remain vulnerable to random failures and cyber attacks. Hence, it is critical to design, develop, and implement ICS and CPS with resilient cyber defense systems [12], i.e., integrating robust intrusion detection systems (IDS) to ensure power grid resilience, with countermeasures being taken effectively [39]. Energy theft is an important concern relating to smart grid implementation; while AMI is deployed to mitigate energy theft, penetration tests have uncovered several vulnerabilities in smart meters [15], [17]. Deregulation of the electric power industry has unbundled generation and transmission systems, which, in turn, allows a broad range of participants to make decisions in the power sector. This is critical, as an attack on the SCADA systems can disrupt and damage critical infrastructure operations, contaminate the ecological environment, cause major economic losses and, even more dangerously, claim human lives [102]. In the presence of all these challenges and vulnerabilities, and the intensified number of access points and functionalities to tamper with [103] in highly complex cyber-physical power grids, new strategies are needed to secure the entire network against malicious cyber intrusions [3], [59], [97], [104], [105].
The potential for achieving power system resilience depends highly on how preventive and corrective maintenance strategies are planned and implemented component-wise [106]- [111] and system-wide [112]- [126], as well as on where and how security measures and systems are deployed. Incorporating data and cyber infrastructure into the power grid exposes the system to many cyber security threats. The smart grids of the future, with massive renewable resources and an expanded uncertainty set [127]- [129], will inherit not only the vulnerabilities of advanced communication systems but also the vulnerabilities of the legacy power system. Security mechanisms should be designed into the power grid with the goal of reducing vulnerabilities and mitigating their consequences [130]. Anomaly detection and root-cause analysis are essential for building resilient CPS, since the grid cannot counteract damage if it does not know what caused it. Accurately detecting anomalies and isolating their causes is important for applying appropriate proactive and preventive measures [57], [41], [66].

IV. CYBER ATTACK PROTECTION
Most methods for detecting cyber intrusions rely on outdated techniques that originate from the IT domain and have been adopted in smart grids in an insufficient manner. Typically, the techniques inherited by power experts mainly focus on existing types of attacks, e.g., load redistribution [131], distributed DoS [132], etc. Real-time cyber vulnerability assessment in power systems brings new challenges, because the conventional techniques for cyber intrusion detection in dynamic power systems are too computationally demanding to be applied in real time.
Fundamentally, there are two types of attack detection and identification strategies widely researched in the literature: static and dynamic. Dynamic detection and identification outperforms its static counterpart while possibly using fewer measurements. With a comprehensive assessment of the limitations of both static and dynamic detection and identification techniques, [22] proposes a provably valid dynamic detection and identification procedure borrowing tools from geometric control theory: the tools consist of geometrically designed residual filters. Cyber attack detection can be performed using relevant, high-fidelity data. Spotting slight anomalies in PMU data helps identify unobservable cyber attacks which cannot be detected by existing technologies. In [133], a convex optimization-based decomposition approach utilizes the low-rank property of PMU data to formulate the unobservable cyber attack identification problem as a matrix decomposition problem, where the observed data matrix is the sum of the low-rank PMU data and a linear projection of a column-sparse matrix. The majority of existing attack detection methods use measurements at a single time instant and only explore the spatial correlations, whereas the convex optimization decomposition method in [133] exploits the temporal correlations as well and can identify unobservable cyber-data attacks even when the system is dealing with the aftermath of disturbances.
Strategies to detect cyber intrusions are plentiful, since there is an expanded set of cyber attack surfaces and vectors through which the grid can be manipulated in an intruder's favor. In [19], a new network-based cyber intrusion detection system (NIDS) uses multicast messages in substation automation systems (SASs) to monitor anomalies and malicious activities in multicast messages based on IEC 61850, namely generic object-oriented substation event (GOOSE) and sampled value (SV). The NIDS detects discrepancies and intrusions which violate the predefined security rules by using a specification-based algorithm. To detect energy theft, another common challenge in power systems, [17] uses normal and malicious consumer consumption pattern data and a consumption pattern-based energy theft detector (CPBETD). This tool, combined with a Support Vector Machine (SVM) anomaly detector, allows the algorithm to use silhouette plots to identify different distributions in the dataset, and relies on distribution transformer meters to detect non-technical loss (NTL) at the transformer level. In order to detect cyber intrusions in the system, it is essential to classify them for identification. Effective techniques to classify cyber attacks or anomalies use SVMs and a variety of other machine learning algorithms.
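As an added illustration of the specification-based GOOSE checking described above (example code written for this survey, not the NIDS of [19] or any vendor's implementation), the following checker models only the GOOSE header fields such a system compares against the IEC 61850 publishing rules; the gocbRef names, timing values and the eight-message capture are constructed.

```python
"""Specification-based consistency checks on IEC 61850 GOOSE message sequences.

Only the header fields a specification-based NIDS compares are modelled
(gocbRef, stNum, sqNum, timeAllowedToLive, dataset values); there is no
Ethernet or ASN.1 frame parsing. All message values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class GooseMsg:
    gocb_ref: str              # GOOSE control block reference of the publisher
    st_num: int                # incremented by 1 whenever the dataset values change
    sq_num: int                # incremented per retransmission, reset to 0 on a state change
    ttl_ms: int                # timeAllowedToLive: next message expected within this time
    t_ms: int                  # capture timestamp of the frame (constructed)
    values: Tuple[bool, ...]   # dataset values, e.g. trip/close booleans


@dataclass
class PublisherState:
    st_num: int
    sq_num: int
    values: Tuple[bool, ...]
    last_seen_ms: int
    ttl_ms: int


class GooseSpecChecker:
    """Stateful per-publisher checker enforcing the stNum/sqNum rules."""

    def __init__(self, allowed_gocb: Set[str]) -> None:
        self.allowed = allowed_gocb                    # allow-list of expected publishers
        self.state: Dict[str, PublisherState] = {}

    def check(self, m: GooseMsg) -> List[str]:
        """Return the alert strings raised by message m (empty when consistent)."""
        if m.gocb_ref not in self.allowed:
            return [f"{m.gocb_ref}: unknown publisher (not in allow-list)"]
        prev = self.state.get(m.gocb_ref)
        if prev is None:
            self.state[m.gocb_ref] = PublisherState(m.st_num, m.sq_num, m.values, m.t_ms, m.ttl_ms)
            return []
        alerts: List[str] = []
        # Liveness: a gap longer than the advertised timeAllowedToLive means frames
        # were lost or suppressed (jamming/DoS), even if the sequence itself is fine.
        if m.t_ms - prev.last_seen_ms > prev.ttl_ms:
            alerts.append("timeAllowedToLive expired: possible frame suppression or DoS")
        seq_alerts: List[str] = []
        if m.st_num < prev.st_num:
            seq_alerts.append("stNum decreased: possible replay of an old message")
        elif m.st_num == prev.st_num:
            if m.values != prev.values:
                seq_alerts.append("dataset changed without stNum increment: possible injection")
            if m.sq_num != prev.sq_num + 1:
                seq_alerts.append("sqNum did not increment by 1")
        else:
            if m.st_num != prev.st_num + 1:
                seq_alerts.append("stNum jumped by more than 1: lost frames or spoofed state")
            if m.sq_num != 0:
                seq_alerts.append("sqNum not reset to 0 on state change")
            if m.values == prev.values:
                seq_alerts.append("stNum incremented but dataset unchanged")
        # Only a message that respects the sequence rules advances the tracked state,
        # so a replayed or injected frame cannot desynchronise the checker.
        if not seq_alerts:
            self.state[m.gocb_ref] = PublisherState(m.st_num, m.sq_num, m.values, m.t_ms, m.ttl_ms)
        return alerts + seq_alerts


GCB = "IED1CFG/LLN0$GO$gcb01"  # constructed publisher name

# Constructed capture: three heartbeats, a genuine trip, a replayed old frame, an
# injected frame reusing the current stNum, a late genuine state change, a rogue publisher.
SAMPLE_CAPTURE: List[GooseMsg] = [
    GooseMsg(GCB, 1, 0, 2000, 0, (False,)),
    GooseMsg(GCB, 1, 1, 2000, 1000, (False,)),
    GooseMsg(GCB, 1, 2, 2000, 2000, (False,)),
    GooseMsg(GCB, 2, 0, 2000, 2010, (True,)),
    GooseMsg(GCB, 1, 3, 2000, 2020, (False,)),
    GooseMsg(GCB, 2, 1, 2000, 2030, (False,)),
    GooseMsg(GCB, 3, 0, 2000, 6000, (False,)),
    GooseMsg("ROGUE/LLN0$GO$gcb99", 1, 0, 2000, 6010, (True,)),
]


def run_sample() -> List[List[str]]:
    """Run the checker over the constructed capture; one alert list per message."""
    checker = GooseSpecChecker({GCB})
    return [checker.check(m) for m in SAMPLE_CAPTURE]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        print(i, alerts or "ok")
```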
Detecting intrusions throughout the entire power network is challenging; in [134], a proposal to group network buses and design filters for the detection and isolation of faults provides a feasible detection mechanism. In addition to grouping network buses, [134] suggests using the swing equation to model the power network, which can be used in tandem with bus grouping. Investigating system models and security requirements of AMIs to present an attack-tree-based threat model for AMI has shown an improvement in the accuracy and speed of intrusion detection in [15].
While cyber attacks may become prominent in the future, there are normal fault contingencies which occur in the system on a daily basis, driven by environmental stressors and equipment failures. The system needs to be able to distinguish between an intrusion attack and a natural discrepancy. In [135], a devised algorithm is implemented to accurately detect and locate faults in power systems, in addition to identifying bad data using weighted least absolute value (WLAV) estimation. WLAV has the ability to reject bad data to reduce dimensionality. A Bayesian framework can also be utilized to unify different approaches to network detection based on random diffusions and algorithms based on the network's spectral properties [136]. This algorithm detects threat networks using partial observations, which can be optimal in the Neyman-Pearson sense, and prepares the system for cyber intrusion attacks should they be launched in the future. A data-driven algorithm for online power grid topology change identification with PMUs is suggested in [58], where the proposed machine learning algorithm can differentiate the various types of faults in power grids from the topology switching actions initiated by system operators or attackers.

A. FDIA DETECTION
The FDIA problem is viewed as a matrix separation problem, and two methods presently employed to solve it are nuclear norm minimization and low-rank matrix factorization. These methods can recover lost or missing data in addition to detecting malicious attacks in the power grid. An FDIA happens when an attacker injects false data, usually on a communication line between sensors and the control center, with the intent to deceive the network operator and even disturb the SE processes [8], [13]. Reference [137] presents an approach using observer nodes to detect and isolate cyber attacks on network nodes and on the communication links between the nodes. To minimize the computational complexity, the number of observer nodes is reduced while the observability of the system is not compromised. A perturbation-based approach is employed in [44] for detecting both fault-induced and maliciously injected bad data in the power grid. This method probes the system by applying known perturbations and measuring the values elsewhere to find unexpected responses in the measurement values. [138] presents a mechanism for false data detection which exploits the intrinsic low dimensionality of temporal measurements in power grids as well as the sparse nature of FDIAs. Several research efforts have discussed methods of building and detecting such attacks. Successful implementation of FDIAs commonly requires full knowledge of the network topology. [139] proposed a form of attack that does not require complete information about the network topology: kernel independent component analysis is used to map the restricted data into a new Jacobian matrix, through which the undetectable attack is modeled [139]. [140] proposed an extreme learning machine (ELM) technique based on the one-class-one-network (OCON) framework to detect any cyber threat to the AC state estimation.
FDIAs are detected using the Kullback-Leibler distance in [141], where the accuracy of the detection mechanism depends on the predefined thresholds. A novel false data detection technique based on separating nominal power grid states from anomalies is discussed in [138]. [142] used an algorithm that achieves a shorter decision time and higher FDIA detection accuracy by tracking the unknown parameters and processing multiple measurements at the same time.
Even though these techniques can protect the system against FDIAs to some extent, smart intruders may still be able to corrupt PMU (or RTU) measurements in power grids and bypass the bad data detection (BDD) mechanisms in SCADA systems and wide-area measurement system (WAMS) platforms [14], [143]-[153] (see Figure 5). This can be accomplished by manipulating measurements and injecting artificially generated data into the basic measurements of the grid [154]-[157]. An FDIA detection mechanism for smart meters is modeled in [158]. Correlation between power system components and detection methods against smart grid intrusions is proposed in [67]. An efficient approach to protecting the power system from FDIAs is to implement precautions in advance [159]-[162]. Robust SE algorithms against FDIAs based on Markov chain theory and the Euclidean distance metric are introduced in [163]. [26] modeled FDIAs with multiple adversaries against one defender in the smart grid. A game-theoretic approach is used in [30] to study the interactions between the defender and the attacker in a CPS. DoS attacks, random attacks, and FDIA intrusions are detected in [164] using a Kalman filter to estimate the state process variables, which are then fed to either a χ² detector or a Euclidean detector. In order to detect bad data injected through PMUs, [165] introduced a distributed host-based collaborative detection method based on a conjunctive-rule majority voting algorithm.

B. PHASOR MEASUREMENT UNIT PROTECTION
In order for protocols and measurements to be true, exact, and valid at all times, with robustness against any external changes, they need to be protected in smart grids. Protecting a set of basic key measurements and having PMU-based protection mechanisms or secure PMU equipment [7], [13], [58], [133] can retain the fidelity of the measured data and accurate state estimates in a wide variety of smart grid applications using such measurements. When a set of measurements is protected, an attacker cannot inject unobservable attacks without hacking into the protected units [133], thereby exposing themselves. A distributed intrusion detection system can be deployed in smart grids to pinpoint cyber intrusions. This system contains an analyzing module (AM) and an intelligent module which communicates across three different cyber layers: the home area network (HAN), the neighborhood area network (NAN), and the wide-area network (WAN) [38], [43].
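Two claims in this section, that an attack vector of the form a = Hc passes the residual-based BDD of Section A and that a protected set of meters blocks such unobservable attacks only when the protected rows of H pin down every state, can both be checked on a toy DC state estimation model. The Python block below is an added example written for this page, not code from [133] or any other cited paper. The 4-bus network, its unit line reactances, the noise values and the residual threshold are constructed assumptions; a real BDD would weight the residual by the meter variances and pick the threshold from the χ² distribution with m - n degrees of freedom.

```python
"""Stealthy FDIA against DC state estimation, plus a protected-meter check.
Added example, not code from the cited papers; the 4-bus network, unit line
reactances, noise values and threshold are constructed assumptions."""

# Bus 0 is the slack bus, so the state is x = [theta_1, theta_2, theta_3].
# Each meter reports a line flow P_ij = (theta_i - theta_j) / x_ij with x_ij = 1.
LINES = [(0, 1), (1, 2), (2, 3), (0, 3), (1, 3)]   # hypothetical topology
N_STATES = 3

def build_h(lines, n_states):
    """DC measurement (Jacobian) matrix H: one row per line-flow meter."""
    h = []
    for i, j in lines:
        row = [0.0] * n_states
        if i != 0:
            row[i - 1] += 1.0
        if j != 0:
            row[j - 1] -= 1.0
        h.append(row)
    return h

def transpose(m):
    return [list(col) for col in zip(*m)]

def mat_vec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]

def mat_mat(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def solve(a, b):
    """Gaussian elimination with partial pivoting (small dense systems only)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def rank(m, eps=1e-9):
    """Rank by row reduction; tells whether a set of rows pins down every state."""
    m = [row[:] for row in m]
    r = 0
    for c in range(len(m[0])):
        p = next((i for i in range(r, len(m)) if abs(m[i][c]) > eps), None)
        if p is None:
            continue
        m[r], m[p] = m[p], m[r]
        for i in range(len(m)):
            if i != r and abs(m[i][c]) > eps:
                f = m[i][c] / m[r][c]
                m[i] = [x - f * y for x, y in zip(m[i], m[r])]
        r += 1
    return r

def wls_estimate(h, z):
    """x_hat = (H^T H)^-1 H^T z with unit weights."""
    ht = transpose(h)
    return solve(mat_mat(ht, h), mat_vec(ht, z))

def residual_energy(h, z):
    """J = ||z - H x_hat||^2, the statistic a chi-square BDD thresholds."""
    fitted = mat_vec(h, wls_estimate(h, z))
    return sum((zi - fi) ** 2 for zi, fi in zip(z, fitted))

def bdd_flags(h, z, tau):
    return residual_energy(h, z) > tau

def stealthy_attack(h, c):
    """a = H c: the estimate moves by exactly c and the residual is unchanged."""
    return mat_vec(h, c)

def protected_set_blocks_attacks(h, protected_rows):
    """True iff every nonzero c touches a protected meter, i.e. rank(H_P) = n."""
    return rank([h[i] for i in protected_rows]) == len(h[0])

def demo(tau=0.01):
    h = build_h(LINES, N_STATES)
    x_true = [0.10, 0.05, -0.02]
    noise = [0.001, -0.002, 0.0015, -0.0005, 0.001]     # constructed meter noise
    z = [m + e for m, e in zip(mat_vec(h, x_true), noise)]
    z_bad = z[:]
    z_bad[0] += 0.5                                     # gross error on one meter
    c = [0.30, 0.0, 0.0]                                # attacker's target shift
    z_att = [zi + ai for zi, ai in zip(z, stealthy_attack(h, c))]
    return {
        "clean_flagged": bdd_flags(h, z, tau),
        "bad_flagged": bdd_flags(h, z_bad, tau),
        "attack_flagged": bdd_flags(h, z_att, tau),
        "estimate_shift": [a - b for a, b in zip(wls_estimate(h, z_att), wls_estimate(h, z))],
        "residual_clean": residual_energy(h, z),
        "residual_attack": residual_energy(h, z_att),
        "protect_two_meters": protected_set_blocks_attacks(h, [0, 3]),
        "attack_avoiding_protected": stealthy_attack(h, [0.0, 1.0, 0.0]),
        "protect_three_meters": protected_set_blocks_attacks(h, [0, 1, 3]),
    }
```

Running `demo()` shows the gross error on meter 0 pushing the residual well above the threshold while the a = Hc vector leaves the residual identical to the clean case and moves the estimate by exactly c. Protecting meters 0 and 3 (the flows out of the slack bus) is not enough: their rows of H have rank 2, so c = [0, 1, 0] still yields an attack vector that is zero on both protected meters; adding meter 1 raises the rank to 3 and closes that gap, which is the condition the text describes for a protected set.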
It is estimated that achieving full power system observability typically requires installing PMUs at around one-third of the network buses; nevertheless, it is recognized that this is difficult and costly to achieve in the near future [166]. Therefore, one has to estimate the state of the system with a hybrid of PMUs and conventional measurements. This practice calls for careful PMU placement strategies in the power grid in order to minimize the SE errors. [166] optimizes PMU placement to increase SE accuracy using an algorithm that exploits the submodularity of the objective, a key property that enables efficient greedy algorithms. The optimal PMU placement problem is interpreted as an optimal experiment design problem with a class of optimality criteria. In particular, the greedy PMU placement algorithm achieves at least 63% of the optimal total variance reduction for typical power systems (the 1 - 1/e bound for greedy maximization of a monotone submodular function). Performing a vulnerability assessment is critical to ensure that power infrastructure cyber security is systematically evaluated. The framework proposed in [64] provides a measure to quantify system vulnerability and a planning tool to assist system analysts in identifying bottlenecks in the system where improvements are most effective. Similarly, a novel vulnerability measure is introduced in [154] to compare and prioritize different grid topologies against FDIAs with incomplete information of the grid's topology. This measure can potentially help build power grids that are less vulnerable to practical FDIAs in which the attacker has limited information and launches an imperfect attack. In [3], it is discussed how optimal placement of PMUs throughout the power network may lead to very accurate SE. PMUs also provide advanced mechanisms for detecting stealthy attacks.
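The greedy placement idea above can be illustrated with the simplest submodular objective, topological observability: a PMU at a bus measures its voltage phasor and the currents on every incident line, so the bus and all its neighbors become observable, and the number of observable buses is a monotone submodular function of the placement. The Python block below is an added example written for this page, not code from [166], which optimizes variance reduction rather than bus coverage; the 7-bus network is constructed, and the brute-force check is only there to compare the greedy result with the true optimum on a grid small enough to enumerate.

```python
"""Greedy PMU placement for topological observability (added example).
Constructed 7-bus network; not code from [166], whose objective is variance
reduction.  Both objectives are monotone submodular, which is what gives the
greedy rule its (1 - 1/e) approximation guarantee."""
from itertools import combinations

# Hypothetical 7-bus test network: each pair is a transmission line.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (1, 5), (2, 4)]
N_BUS = 7


def adjacency(edges, n_bus):
    adj = {b: set() for b in range(n_bus)}
    for i, j in edges:
        adj[i].add(j)
        adj[j].add(i)
    return adj


def observed_by(bus, adj):
    """A PMU at `bus` makes the bus itself and every adjacent bus observable."""
    return {bus} | adj[bus]


def coverage(placement, adj):
    seen = set()
    for b in placement:
        seen |= observed_by(b, adj)
    return seen


def greedy_placement(adj, n_bus, budget=None):
    """Repeatedly add the bus with the largest marginal gain in observed buses
    until the grid is fully observable or the PMU budget is exhausted.
    Ties are broken towards the lowest bus id so the result is deterministic."""
    placed, seen = [], set()
    while len(seen) < n_bus and (budget is None or len(placed) < budget):
        best = max((b for b in range(n_bus) if b not in placed),
                   key=lambda b: (len(observed_by(b, adj) - seen), -b))
        gain = observed_by(best, adj) - seen
        if not gain:
            break
        placed.append(best)
        seen |= gain
    return placed


def optimal_size(adj, n_bus):
    """Brute-force the minimum number of PMUs; feasible only for tiny grids."""
    for k in range(1, n_bus + 1):
        for combo in combinations(range(n_bus), k):
            if len(coverage(combo, adj)) == n_bus:
                return k
    return n_bus


def demo():
    adj = adjacency(EDGES, N_BUS)
    placement = greedy_placement(adj, N_BUS)
    two = greedy_placement(adj, N_BUS, budget=2)
    return {
        "placement": placement,
        "fraction_of_buses": len(placement) / N_BUS,
        "fully_observable": len(coverage(placement, adj)) == N_BUS,
        "optimal_size": optimal_size(adj, N_BUS),
        "two_pmu_coverage": len(coverage(two, adj)) / N_BUS,
    }
```

On this network the greedy rule places PMUs at buses 1, 2 and 5, which matches the brute-force optimum of three; the fraction (3/7) is above the one-third rule of thumb only because the grid is tiny. With a budget of two PMUs the same routine returns the placement that observes 6 of the 7 buses, which is the budget-limited form of the placement problem the text describes.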
Rerouting the topology of the power grid intensifies the complexity of the grid topology and is used as a defense mechanism against FDIAs that are undetectable via conventional means [63]. References [63], [152], [167]-[173] suggest that leveraging defensive circuit breakers and simultaneously applying grid reconfiguration practices can enhance overall network efficiency, reliability, and security at minimum cost, using only the network's built-in flexibility. Nevertheless, adding circuit breakers may not be a viable security measure if the attacker has compromised a large set of sensor nodes and knows a large portion of the grid topology. In [58], advanced wavelet transform and machine learning analytics are embedded in existing PMUs, in devices with PMU functionalities, or in a stand-alone sensor in the power grid to detect malicious changes in network topology by an attacker (unwanted line switching operations). The waveform features corresponding to different topology changes are extracted as shown in Figure 6 and used to detect and classify the associated line switching actions, characterized through commutation jamming and/or FDIA scenarios.
Implementing techniques that reduce the number of simulations and achieve a quicker SE allows for early event detection. This gives network operators an opportunity to prepare for potential adversarial cyber attacks, since the time saved can be spent deploying the optimal response (see Figure 7). Principal Component Analysis (PCA) based dimensionality reduction of PMU data allows raw data blocks to be processed more quickly, thereby enabling early detection of cyber disruptions [174], [175]. Similarly, [133] formulates unobservable cyber attack identification as a matrix decomposition problem in which the PMU data matrix is the sum of a low-rank matrix and a linear projection of a column-sparse matrix. Since the low-dimensional structure of the PMU data matrix has only recently been observed, this matrix decomposition problem has attracted increasing attention and has widespread applications such as Internet monitoring, medical imaging and image processing [133]. In [176], a similar technique is proposed which reduces the simulation run-time by incorporating importance sampling, which speeds up simulations by several orders of magnitude compared to standard simulation practices. This essentially increases the efficiency of simulations associated with Markovian models of highly dependable dynamic systems.

C. DETECTION USING MACHINE LEARNING
Machine learning and artificial intelligence techniques have more recently been proposed and applied in power systems to identify disturbances and detect cyber attacks, even in the presence of deception [62]. Recent advances in deep learning (DL), a subcategory of machine learning that uses artificial neural networks to extract accurate features from raw data, bring about new solutions for data-driven attack detectors. DL approaches use feature learning techniques to extract novel features (aka signatures) in an unsupervised, self-guided manner. Given a set of measurement data with raw features as the input, an autoencoder-style DL model learns an encoder that maps the data to a compact feature representation and a decoder that reproduces the same data set as the output. Training minimizes the difference between the input and the output, so that the original data can be recovered directly from the learned features [97].
A machine-learned framework is created in [177] and refined with unsupervised feature learning to detect different types of cyber attacks in power systems. Stacked autoencoder-based unsupervised feature learning is proposed to capture useful and rich patterns hidden in the data in order to recognize the cyber attack, and achieves competitive results compared with detectors relying on detailed system information and human expertise. In [41], SVM is combined with a variety of machine learning algorithms to find the most promising algorithm for detecting an adversarial intrusion. A robust spam filtering method is introduced in [178] using a hybrid of rule-based processing and a back-propagation neural network. In [179], different learning mechanisms, e.g., ANNs and decision trees, are tested to assess the cyber security of a particular IEEE test system. Reference [180] introduced a new hybrid DL model for malicious code detection. A decision support tool is proposed in [62] which enables power system operators to classify various types of attacks. In that paper, different classification algorithms are considered: OneR, which builds a single rule on the one most predictive feature [181]; NNge, a nearest-neighbor-like algorithm that classifies samples by comparing them with previously observed examples and their surrounding data points [182]; and Random Forests, an ensemble of tree predictors in which each tree casts a vote for the most popular class when a new instance is input [183]. In [184], an extended version of the deep belief network (DBN) called conditional DBN (CDBN) was proposed to analyze sequential PMU data in real time and detect information corruption using an auto-regressive (AR) data modeling scheme. In [185], the efficiency of a DL-based cyber-physical approach for FDIA detection is demonstrated.
The proposed approach addresses both cyber (e.g., information corruption) and physical disruptions. Reference [186] used a scenario-based sparse cyber-attack model with incomplete network information to detect possible data manipulation. The results in that paper demonstrate that the proposed approach not only requires fewer assumptions on system topologies and attack types, but also achieves high detection accuracy with the adopted DL. Reference [187] compared the performance of three different DL approaches: (i) gradient boosting machines (GBM), (ii) generalized linear models (GLM), and (iii) distributed random forests (DRF). The numerical results showed that DL-based approaches can accurately detect FDIA scenarios against SE algorithms. Reference [8] proposed two DL techniques for FDIA detection in smart grids: the first model uses multivariate Gaussian semi-supervised learning, while the second uses a measurement-based deviation analysis algorithm. Both models are used to identify anomalies in transmission networks. In [188], a new detection framework was proposed based on a density ratio estimation (DRE) technique, an efficient countermeasure against cyber attacks. Reference [189] proposes a DL-based model for FDIA detection in smart meter data utilizing a state vector estimator (SVE) and a DL-based identification (DLBI) algorithm. The model uses historical data and tries to recognize a pattern that identifies FDIA scenarios in real time.

V. IMPACT MITIGATION AND RESTORATION
In industrial applications, strengthening industrial control systems (ICS) protects different classes of infrastructure such as utilities and oil and gas facilities. The ICS is strengthened by designing an intrusion detection system in the cyber layer together with a controller for the physical-layer dynamic system [12]. Having a resilient smart grid entails both accurate and swift attack detection and timely response and recovery. This goal can be achieved by having distributed control agents that facilitate both attack detection and system recovery through iterative local processing and message transmission. These control agents are distributed across the grid, thereby characterizing distributed intelligence mechanisms [46], [58], [59], [104], [190]. Limitations imposed by a lack of information about cyber attacks can be partially removed by future research and development of advanced testbeds for comprehensive testing and evaluation. Testbeds are extremely useful tools for thorough evaluation of mitigation and economic strategies in response to cyber vulnerabilities [46], [53], [64].
Modeling vulnerabilities in power grids is critical for their survival under adversarial attacks. In order to create a network topology model of vulnerabilities, device visibility and device vulnerability need to be defined and quantified. The concept of a device visibility path, with the use of a small Prolog application to assess the vulnerability level of a hypothetical target device, can help map the cyber vulnerabilities within a system, thereby enabling opportunities to fortify network security where needed [37]. A model-based IDS for home area networks (HAN) is suggested in [130], which first identifies the security challenges in HANs and then determines how a Bayesian network intrusion detection system can be used in future HANs. In order to determine the IDS requirements for a HAN, the existing types of IDS need to be examined; these are signature-based, anomaly-based, and specification-based IDS, as follows:
• Signature-based IDS usually has a database of predetermined attack patterns, known as signatures, and detects intrusions by comparing the system behavior with these signatures.
• Anomaly-based IDS detects malicious activities as deviations from statistically normal behavior in the system.
• Specification-based IDS also recognizes intrusions as deviations from the normal behavior of the system. However, instead of statistical measurements, normal behavior is characterized by manually extracted specifications of the system.
Characterization of irreducible attacks, or observable attacks with the compromise of two power injection meters, is performed in [7] with an efficiently designed algorithm that groups all observable attacks. In addition, the deployment of secure PMUs is approached as a countermeasure against unobservable attacks. When cyber attacks occur, parts of the system will be compromised, and it is important to isolate them quickly while ensuring a sufficient supply of power (through available equipment) to the system load points and mission-critical systems and services [40], [85], [88]. Reference [40] claims that EV mobility contributes to attack propagation. Therefore, when an attack spreads via EVs, a mixed-integer linear programming (MILP) optimization problem is suggested that minimizes the risk of attack propagation while considering the EV loads, EV threat levels and demand profile in the power distribution system (see Figure 8). In such a CPS ecosystem of EVs, isolating the compromised systems will mitigate the effect of a malware or worm while continuing to supply the services to the customers.
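The difference between the three IDS styles listed above is easiest to see when all three run over the same HAN traffic. The Python block below is an added example written for this page, not code from [130] or the survey: the message format, the meter specification (a report to the collector every 900 s, a cumulative register that never decreases, commands issued only by the collector), the single signature, and the constructed traffic are all assumptions chosen so that each detector catches something the others miss.

```python
"""Signature-, anomaly- and specification-based IDS over one HAN message stream.
Added example, not code from [130] or the survey.  The message format, meter
specification, signature and traffic below are constructed assumptions."""
from collections import defaultdict
import statistics

COLLECTOR = "collector"   # the only legitimate head-end in this hypothetical HAN

# Constructed traffic: cumulative kWh readings from one meter, then a register
# rollback, an early report, a disconnect command from a rogue host, a
# legitimate disconnect, and a reading sent to an unknown destination.
MESSAGES = [
    {"t": 0,    "src": "meter-07", "dst": COLLECTOR, "type": "reading", "kwh": 100.0},
    {"t": 900,  "src": "meter-07", "dst": COLLECTOR, "type": "reading", "kwh": 100.4},
    {"t": 1800, "src": "meter-07", "dst": COLLECTOR, "type": "reading", "kwh": 100.9},
    {"t": 2700, "src": "meter-07", "dst": COLLECTOR, "type": "reading", "kwh": 101.3},
    {"t": 3600, "src": "meter-07", "dst": COLLECTOR, "type": "reading", "kwh": 101.7},
    {"t": 4500, "src": "meter-07", "dst": COLLECTOR, "type": "reading", "kwh": 95.0},
    {"t": 4560, "src": "meter-07", "dst": COLLECTOR, "type": "reading", "kwh": 95.4},
    {"t": 4600, "src": "192.168.1.77", "dst": "meter-07", "type": "cmd", "payload": "DISCONNECT"},
    {"t": 5400, "src": COLLECTOR, "dst": "meter-07", "type": "cmd", "payload": "DISCONNECT"},
    {"t": 6300, "src": "meter-07", "dst": "203.0.113.9", "type": "reading", "kwh": 95.9},
]


def signature_ids(msgs):
    """Signature-based: match every message against a database of known-bad patterns."""
    signatures = {
        "remote disconnect from non-collector host":
            lambda m: m["type"] == "cmd" and m.get("payload") == "DISCONNECT"
            and m["src"] != COLLECTOR,
    }
    return [(i, name) for i, m in enumerate(msgs)
            for name, match in signatures.items() if match(m)]


def anomaly_ids(msgs, z_limit=3.0, min_history=3):
    """Anomaly-based: flag a consumption increment whose z-score against the
    meter's own history exceeds z_limit.  Needs a few samples before it can fire."""
    history, last, alerts = defaultdict(list), {}, []
    for i, m in enumerate(msgs):
        if m["type"] != "reading":
            continue
        if m["src"] in last:
            delta = m["kwh"] - last[m["src"]]
            hist = history[m["src"]]
            if len(hist) >= min_history:
                mu, sd = statistics.mean(hist), statistics.stdev(hist)
                if sd > 0 and abs(delta - mu) / sd > z_limit:
                    alerts.append((i, f"increment z-score {(delta - mu) / sd:.1f}"))
            hist.append(delta)
        last[m["src"]] = m["kwh"]
    return alerts


def specification_ids(msgs, period=900, tol=60):
    """Specification-based: hand-written rules for what the HAN is allowed to do."""
    last_t, last_kwh, alerts = {}, {}, []
    for i, m in enumerate(msgs):
        reasons = []
        if m["type"] == "reading":
            if m["dst"] != COLLECTOR:
                reasons.append("reading sent to unknown destination")
            if m["src"] in last_t and not (period - tol <= m["t"] - last_t[m["src"]] <= period + tol):
                reasons.append("reporting interval out of spec")
            if m["src"] in last_kwh and m["kwh"] < last_kwh[m["src"]]:
                reasons.append("cumulative register decreased")
            last_t[m["src"]], last_kwh[m["src"]] = m["t"], m["kwh"]
        elif m["type"] == "cmd" and m["src"] != COLLECTOR:
            reasons.append("command not issued by collector")
        if reasons:
            alerts.append((i, "; ".join(reasons)))
    return alerts


def run_all(msgs=MESSAGES):
    """Message indices flagged by each detector."""
    return {
        "signature": [i for i, _ in signature_ids(msgs)],
        "anomaly": [i for i, _ in anomaly_ids(msgs)],
        "specification": [i for i, _ in specification_ids(msgs)],
    }
```

Over this stream the signature detector fires only on the rogue disconnect command, the anomaly detector only on the register rollback (the one increment that is statistically out of line), and the specification detector on the rollback, the early report, the rogue command and the misdirected reading, while staying silent on the legitimate disconnect from the collector. The signature detector misses everything it has no pattern for, the anomaly detector cannot say anything about commands or destinations and needs history before it can fire, and the specification detector is only as good as the rules someone wrote, which is the trade-off the list above describes.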
In order to mitigate the detrimental consequences of an adversarial cyber attack, a first step is to identify the attack itself. Classifying the attack and giving it an identity allows operators to understand what they are dealing with. In [62], different machine learning classification algorithms were tested to determine the viability of machine learning as decision support for system operators; the results shown in Figure 9 indicate that it is a viable approach, but more research is needed before deployment in operational environments and practical settings.

VI. CONCLUSION
This paper offers a detailed and comprehensive description of the links between adversarial cyber attacks and power grid resilience, of off-the-shelf cyber intrusion detection techniques, and of the systems that are or could be in place to protect smart power grids against malicious cyber attacks. The mechanisms through which cyber attacks can impact the bulk power grid are reviewed to understand where and how to enhance and reinforce countermeasures that mitigate the attack consequences. Although a variety of cyber detection and protection methods are already in place, this review highlighted the importance of considering cyber attacks when planning for resilience in power grids: strategies that entail both grid hardening practices for structural resilience and procedures for operational resilience, since emerging threats with no or very few similarities to formerly experienced incidents have recently been realized more frequently. While additional methods for detection, protection and mitigation against cyber attacks may exist beyond those listed in this review, and there will certainly be new schemes and measures in the future, this survey aimed to collect the state-of-the-art solutions already investigated or implemented, to provide a basis for future research and development. Implementation of these methods on testbeds and in real-world environments will finally allow for improvements in monitoring, protection, mitigation, and resilience of smart power grids against the looming threats of cyber adversaries.