Cyber-Security Constrained Placement of FACTS Devices in Power Networks From a Novel Topological Perspective

Optimal placement of flexible AC transmission systems (FACTS) devices and the cyber-security of associated data exchange are crucial for the controllability of wide area power networks. The placement of FACTS devices is studied in this paper from a novel graph theoretic perspective, which unlike the existing approaches, purely relies on topological characteristics of the underlying physical graphs of power networks. To this end, the maximum matching principle (MMP) is used to find the set of required FACTS devices for the grid controllability. In addition, the cyber-security of the most critical data related to the FACTS controllers is guaranteed by introducing the concept of moderated-<inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula>-security where <inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula> is a measure of data obscurity from the adversary perspective. The idea of moderated-<inline-formula> <tex-math notation="LaTeX">$k$ </tex-math></inline-formula>-symmetry is proposed to facilitate the arrangement of the published cyber graph based on a permutation of nodes within the symmetry group of the grid, called generator of automorphism. It is then verified that the published cyber-graph can significantly obscure the data exchange over the cyber graph for adversaries. Finally, a similarity is observed and demonstrated between the set of critical nodes attained from the symmetry analysis and the solution of the FACTS devices placement that further highlights the importance of symmetry for the analysis and design of complex power networks. Detailed simulations are applied to three power networks and analyzed to demonstrate the performance and eligibility of the proposed methods and results.

The associate editor coordinating the review of this manuscript and approving it for publication was Yang Li . PARAMETERS α sh Angle of shunt VSC. β The bus voltage angles. δ i The angle of voltage of node i. γ sh Conversion ratio signal. σ An automorphism or a Permutation. A Adjacency matrix. D Degree matrix. E The set of edges. E c The set of critical edges. F The determining set attained from Gen(F). G Graph. G k The released graph. The set of generators that moves v l . p Multiplicity of critical node in Gen(G).

P ac
Active power on AC side. P ij Active power flow between nodes i and j. q The size of disjoint generators.

Q ij
Reactive power flow between nodes i and j. S Determining set.

I. INTRODUCTION
The imbalance between reactive power at the generating side and the network demand causes voltage instability. The wide area active compensation devices, collectively known as flexible AC transmission systems (FACTS) devices ( [1]- [9]) are power electronic based equipment which play a vital role in enhancing the power system controllability and power flow capability. The importance of FACTS devices for the grid operation raises serious concerns about the cyber-security of data exchange over these controllers as the false data injection to one of the critical FACTS devices can lead to cascading failure in the grid [10]. In this paper, these two problems are addressed from a novel topological perspective.

A. STATE OF THE ART
The optimal placement of FACTS devices is a common yet important research topic in literature and has been investigated via various approaches. These include (1) conventional methods (such as indexing [11], controlling [12], residue analysis [13], numerical optimization [14], sensitivity [15], and eigenvalue [16]), (2) optimization methods (such as optimal power flow [17], linear programming [18], dynamic programming [19], mixed integer programming [20], stochastic load flow [21], and adaptive control law [22]), (3) artificial intelligence techniques (such as Monte Carlo simulation [23], artificial bee colony [24], artificial neural network [25], symbiotic organism search algorithm [26], fuzzy systems [27], and particle swarm optimization [28]), (4) hybrid techniques (such as hybrid of bee colony and neural networks [29], hybrid of genetic algorithm and fuzzy systems [16], mixed optimal power flow and particle swarm optimization [30], mixed bee colony and optimal power flow [31], and hybrid of fuzzy systems and Lyapunov theory [32]), and (5) other approaches (such as energy approach [33], active control [34], graph search algorithms [35], whale optimization [36], Gray Wolf optimizer [37], salp swarm optimizer [38], Grasshooper optimization [39], ant lion optimization [40], and spider monkey optimization [41]). At the same time, cyber-security has been one of the hot topics related to the management, operation, and control of power systems [48]- [51]. The reliability of wide area controlled (WAC) power systems highly depends on the security of the underlying communication networks. Information exchange via cyber graph is one of the underpinning platforms of all networks including power networks and smart grids that has significant role in grid control and operation. The interplay between power systems and the underlying communication platforms raises various security concerns about attacks from adversary agents. Thus the important grid information such as the data associated with the critical transmission lines, generation units, and the locations of FACTS devices must be hidden or obscured for adversary agents.
Due to its significant impacts on various aspects of network, graph topology has drawn the attention of engineering communities including power system community during the last two decades. The role of network topology is investigated for a few power system problems such as synchronization [43], flexibility of transmission lines for day-ahead scheduling [44], and the patterns of attacks to power networks [45]. Recently, graph symmetry, described by automorphism groups, has been leveraged in literature to address important network behaviors such as its controllability [61], robustness [58], and synchronization [46]. It has been verified that symmetry is an obstruction to controllability [61] meaning that systems with larger number of automorphisms require more driver nodes to satisfy the network controllability. In contrast, network robustness can be improved by increasing the network symmetry (or the size of automorphism group) [58]. Also, power networks with high symmetry are more resilient towards desynchronization propagation [47].
Early applications of symmetry in security emerged in the computer science community targeting the cyber-security of social networks ( [52]- [54]) by proposing the concepts of k-symmetry, k-isomorphic, and k-automorphic. In fact, these studies found that releasing a permuted graph by an automorphism or isomorphism instead of original cyber graph makes it difficult for adversary agents to distinguish their targets.
During the last decade, the applications of automorphisms in cyber-security, categorized under the concept of ''security via obscurity'', have been the main focus when implementing the symmetry characteristics for investigating the networks' cyber-security. However, the use of symmetry gives rise to some practical challenges. Computing and sweeping over all automorphisms to find the set of nodes with maximum multiplicities for a large network is a computationally challenging task. Moreover, important questions arise when identifying priorities for design and protection: Which cyber components, if compromised, can lead to significant power delivery disruption? What grid topologies are inherently robust to classes of cyber attack? Is the information available through advanced cyber infrastructure worth the increased security risk?
k-isomorphic graphs can be attained only by adding/ deleting many edges through some modification algorithms (for example see [52]- [55]). Satisfying k-automorphism for a real world network imposes many modifications on the original network which compromises its cost efficiency. In k-symmetry it is enough that k distinct mappings exist where for each node the set of k automorphisms may be different. In practice, it is not computationally efficient to impose such modifications. Furthermore, for k automorphisms, the same set of k automorphisms have to be applied to all nodes. This makes k-automorphism an even more difficult property to satisfy. In k-isomorphism, in addition to the above issues, connections among sub-graphs are deleted in the released graph. This, in turn, causes the loss of data utility in the published graph.

B. RESEARCH GAPS AND CONTRIBUTIONS
Although the placement of FACTS controllers has been widely studied during the last decade, no study has considered the possible impacts of network topology on the solutions. Moreover, the majority of the existing approaches have computational issues such as intractable nature of optimization techniques [17]- [25] which is caused by the lack of an analytical, non-heuristic, or systematic approach for finding the solution. In addition, the cyber-security of FACTS devices have not been investigated in literature. In this paper, an analytical approach for the placement of FACTS controllers is proposed based on the topological characteristics of the network which does not suffer from the computational issues. To this end, the maximum matching principle is implemented which is a mechanism to find the set of unmatched nodes that are considered as the set of driver nodes which are able to drive the states of system from any initial state to any desired state in reasonable time (network controllability). The controllability of the complex networks (CNs) is then attributed to the number of required driver nodes for full state controllability [42].
In this paper, the placement of FACTS controllers is constrained to the controllability of the power grid. By realizing the power grid as a complex network, the grid controllability is attributed to the number of required driver nodes for full state controllability. The FACTS controllers act as these driver nodes which can be found by performing the maximum matching principle on the physical graph of power systems. To overcome the computational issues related to computing the whole set of automorphisms, we adapt a symmetry benchmark according to a set of elementary automorphisms, known as generators of automorphisms. It will be verified that all essential symmetry characteristics can be realized via this set which has a significantly smaller size than automorphism groups and it is computationally effective to calculate and sweep over them. In addition, the graph symmetry is implemented to find the most critical components of power system in terms of their impact on the network controllability. Nodes with bigger multiplicities in the automorphism group, or in generators of automorphisms, are considered as the most critical nodes. The computation of the symmetry groups and the associated computation complexity are discussed in details. Throughout simulation, it is observed that the set of critical nodes identified by symmetry analysis is a subset of unmatched nodes corresponding to the locations of FACTS controllers. This overlap further reveals the importance of symmetry in power network analysis and synthesis.
This study proposes an approach to secure the critical elements of power networks via obscuring the published graph of the grid and, in turn, reducing the chance of distinguishing and manipulating the critical data of FACTS devices by adversaries. This has been accomplished via introducing a new concept, namely moderated-k-security, which provides new necessary and sufficient conditions for obscuring the network critical data.
The rest of the paper is organized as follows. In Section II, a topology-based solution to the placement of FACTS controllers is presented using the maximum matching principle. The cyber-security of the critical data of the network including the data exchange between FACTS controllers is addressed in section III using the concept of symmetry groups. The simulation is carried out on the 49-bus, 274-bus, and 1, 176-bus systems in section IV and the effectiveness of the proposed approaches are verified.

II. A TOPOLOGICAL APPROACH TO THE PLACEMENT AND CONTROL OF FACTS DEVICES IN POWER NETWORKS
In this section, we look at the placement of FACTS devices from a controllability perspective. To this end, the problem of FACTS placement is transformed to the problem of finding the number and locations of the required FACTS devices that can structurally control the system. First, some preliminaries on graph theory and symmetry are reviewed and then the main result of this section is presented.

A. PRELIMINARIES ON GRAPH THEORY AND SYMMETRY GROUPS
A graph G is a composition of a set of nodes V and edges E denoted by G(V, E). Two nodes are adjacent if there is an edge between them. The size and order of G are denoted VOLUME 8, 2020 by |V| and |E|, respectively. An adjacency matrix A is a square |V| × |V| whose elements a ij indicate the connection between every pair of nodes within the graph. a ij = 1 if there is an edge between nodes i and j, otherwise a ij = 0. The degree matrix D is a diagonal matrix whose diagonal elements d ii is equal to the number of nodes connected via an edge to node i. The Laplacican matrix L is defined as L = D − A. A permutation σ of a set of ordered nodes V is a rearrangement of its members into a sequence. The order of σ is the smallest positive integer m such that σ m = ε where ε is the identity (also known as trivial) permutation. The composition of two permutations σ 1 and σ 2 , denoted by σ 1 • σ 2 is the point-wise product of them. If a node is rearranged by a permutation it is called a moved node by that permutation, otherwise it is a fixed node. The set of all permutations that rearrange a node v l is denoted by Mov v l . Two permutations σ 1 and σ 2 are disjoint if each moved node by σ 1 is fixed by σ 2 , or equivalently, every moved node by σ 2 is fixed by σ 1 , otherwise, σ 1 and σ 2 are joint permutations.
Proposition 1: If a node is rearranged by a permutation σ on G, it can not be fixed by the composition of σ and its disjoint permutations on G.
Proposition 2: If a node is fixed by a set of disjoint permutations, it can not be moved by the compositions of these disjoint permutations.
Automorphism group is a quantified notion of symmetry. Under the act of an automorphism, a graph can be mapped to itself without changing the graph adjacency or Laplacian matrices. It can be mathematically described as a permutation σ for which {i, j} ∈ E(G) if and only if σ (i), σ (j) ∈ E(G). The set of all automorphisms of G and its size are denoted by Aut(G) and |Aut(G)|. Automorphism groups can be built up from a set of elementary automorphisms called generators of automorphisms Gen(G) (See Appendix A). Once the whole set of generators are determined, the automorphism group can be constructed from the compositions of all generators and automorphisms of order m up to generating unique permutations. Throughout this paper, σ and ϕ are used to indicate an automorphism and a generator of automorphism, respectively. The symmetry elements, including Aut(G) and Gen(G), are computed in Sage (System for Algebra and Geometry Experimentation).

B. CN CONTROLLABILITY IMPLICATIONS FOR PLACEMENT OF FACTS DEVICES
The above preliminaries on graph theory and symmetry will be used later in this paper. Now, the necessary conditions for controllablity by means of a set of FACTS devices are presented using the maximum matching principle which can be implemented for finding the number of required FACTS devices in the next section. The necessary conditions for uncontrollability of a pair of system matrices (A, B) is related to a the determining set [57] which can be attained from the symmetry group.
Definition 3: A subset S of the vertices of a graph G is called a determining set if whenever g, h ∈ Aut(G) so that g(s) = h(s) for all s ∈ S, then g = h. Equivalently, a subset of nodes of a graph G is called a determining set S if every automorphism of G can be uniquely determined by its action on the nodes of S.

Corollary 4 [61]: A necessary condition for controllability of the pair (A(G), B(S)) is that S is a determining set.
Lemma 5 adapts the necessary conditions for controllability attained in [61] to the context of power networks where the FACTS controllers act as the so called driver nodes.
Lemma 5 [57]: Assume that the adjacency matrix A of the graph of power network G is diagonalizable and symmetry preserving. Then the pair of system matrices (A, S), where S and |S| are the associated determining set and its size, respectively, is uncontrollable if G admits a nontrivial automorphism σ which fixes the input set S, i.e., σ (i) = i for all i ∈ S.
A straightforward result of the Lemma 5 is stated in the proposition 6.
Proposition 6: The necessary condition for controllability of (A, S) is that for all σ i ∈ Aut(G) there is at least one node v l where v l ∈ Mov(Aut(G)). The above proposition simply means that at least one moved node of each automorphism must belong to the determining set S in order to satisfy the controllability of (A, S). Although Lemma 5 or Proposition 6 can theoretically be used to examine the controllability of power networks, in practice, checking the whole set of automorphisms for medium and large networks is not computationally effective. In [58], the size of automorphism group of US power grid is computed which is equal to 5.1851×10 152 . Clearly, this is a big computation burden to calculate the determining set S by computing all automorphisms and sweeping over them. In contrast, if we attain the determining set from the generators of automorphisms, which is significantly a smaller set than automorphism group, then the determining set can be effectively computed using the conventional processing tools.
Lemma 7: Assume that A is diagonalizable and symmetry preserving, F is a determining set (for which if the generators of automorphisms ϕ 1 , ϕ 2 ∈ Gen(G) so that ϕ 1 (f ) = ϕ 2 (f ) for all f ∈ F then ϕ 1 = ϕ 2 ), and J is the set of all possible unique compositions of generators of order m with at least one joint node. The pair of system matrices (A, F) is uncontrollable if there exists at least one generator of automorphism ϕ j , where ϕ j = ε, for which ϕ j (i) = i for all i ∈ S. Moreover, the necessary conditions for controllability of the power system using the FACTS devices corresponding to the nodes in F are Proof: Using the proof by contradiction, we assume that if there is a generator ϕ j for which ϕ g (i) = i for all i ∈ S then the pair (A, F) is controllable. This means . This contradicts the condition of Lemma 5. For the second part of the proof, we have to verify that the determining set or the locations of FACTS devices attained in F must satisfy the conditions 1-3. The composition of joint generators may fix an unfixed node by one or some of them. Condition 1 thus excludes the joint nodes from F as it might be fixed in a composition and does not emerge in the resulted automorphisms. Hence, another node in those generators containing joint nodes must be included in F. On the other hand, if all moved nodes of a generator are joint nodes, then all nodes must be included in F, i.e., ∀v l ∈ ϕ g , F(v l ) = v l , as some of these nodes might be fixed by the composition (condition 2). Condition 3 considers the case where the composition is a product of disjoint generators. In this case, selecting one node from each generator will generate a set of nodes that necessarily satisfies the condition of being a determining set for the corresponding set of automorphisms. This is because the composition of disjoint generators does not fix a moved node by each of generators. This verifies that S ⊂ F which means the determining set attained from generator set contains all moved nodes by S.
Lemma 7 facilitates using generators of automorphisms instead of automorphism group in order to find the determining set. According to Lemma 7, the whole set of FACTS devices can be attained effectively from the set of generators of automorphisms. However, Lemma 7 only provides the necessary conditions for controllability. To attain the sufficient condition for controllability of power systems, we use the maximum matching principle.
Definition 8: A matching, M , of G is a subset of edges of E such that no node in V is adjacent to more than one edge in M , or intuitively, no two edges in M share a common node. A matching M is called maximum matching if for any other matching M , |M | ≥ |M |. In [56], the CN controllability is addressed by maximum matching principle where the set of all unmatched nodes are considered as driver nodes. In our problem setup, the set of FACTS devices can be considered as the set of required driver nodes for full controllability of power network. Once the maximum matching algorithm is implemented, all unmatched nodes must be considered as the locations of FACTS devices.
Using the maximum matching principle, the set of required FACTS devices for full controllability of power network can be attained. The simulation results on 49-bus and 274-bus systems in section IV confirm the effectiveness of using maximum matching principle for the placement of FACTS devices. Lemma 7 is also assessed in the simulations where it is observed that the number and locations of FACTS devices attained from MMP and Lemma 7 are very similar.

C. MODELING OF THE SHUNT FACTS DEVICES IN POWER NETWORKS
Once the number and locations of the required FACTS devices are determined, a dynamic control strategy can be implemented to improve the power flow capabilities. Note that there are various types of FACTS devices which we do not intend to explore as the main focus of this paper is on the proposed approaches for placement of FACTS devices (Section II) and securing them (Section III) from the novel topological perspectives.
The power flow equations can be written as where V i and V j are the voltage magnitudes at buses i and j, X ij is the reactance of the line between buses i and j, and δ i − δ j is the angle difference between phasor voltages V i and V j . We have used the shunt voltage-source converter (VSC) FACTS devices in two control modes: voltage magnitude control mode and var control mode. The dynamic model of a shunt VSC FACTS devices is shown in Figure 1.a and its balanced positive sequence model is shown in Figure 1.b where V i , i = 1, 2, 3 is the bus voltage, and Z 1 and Z 2 are the line impedances. Also, γ sh and α sh are conversion ratio signal to control the shunt converter voltage magnitude and the angle of the shunt VSC measured with respect to β of the shunt bus voltage phasor V . The dynamic model of shunt VSC with PID (proportional integrative derivative) controller in voltage magnitude mode and VAR control mode are shown in Figure 2.a and 2.b, respectively. The voltage magnitude V m and the angle of the VSC voltage are determined from the control signal generated by a PID controller. In voltage magnitude control mode, by fixing k dc to a constant, the VSC voltage magnitude changes in response to changing the capacitor voltage. The bus voltage V 1 is regulated compared to setpoint voltage V ref using outer control loop consisting an integrator with a gain which results in a droop α. The outer loop generates a reactive current I * sh which acts as the setpoint for the inner control loop. Finally, the shunt reactive current I * sh is compared to real I sh via the inner PID loop and a low-pass filter. The VSC voltage angle α can then be computed from the bus voltage angle β. In VAR control mode, the shunt reactive current setpoint I sh is directly VOLUME 8, 2020 determined (without an outer loop) and compared with real I sh to trigger the PID controller.
The inserted voltage by VSCs can be approximated as where V dc and k m are the capacitor terminal voltage and the conversion ratio between the dc-side and ac-side voltages, respectively. From Figure 1.b, the line current I s can be written as and the active power that can be injected to the system is and the reactive power injected to the system is equal to When the system is oscillating, the control signal is not zero and the capacitor C will exchange reactive power with the power system which results in increasing or decreasing the capacitor voltage V dc following the equation where I dc is the capacitor current. After transition time, the control signal converges to zero and, as a result, the energy exchange between the capacitor and power system converges to zero. With an ideal VSC model, the active power on its ac and dc sides are equal (P ac = V dc I dc ). Thus we can write The dynamic model of power system can then be constructed by interfacing the dynamic model of FACTS device with other network components attained from the Kirchhoff electrical equations in order to analyze the power flow.

III. THE MODERATED k-SECURITY APPROACH FOR OBSCURING THE CRITICAL NETWORK DATA FOR ADVERSARIES
In this section, the cyber-security of critical elements of power grid is addressed using a graph theoretic property, i.e., graph symmetry. In discrete algebra, the graph symmetry is quantified using the automorphism group. It is verified that graph symmetry has a significant role in determining the controllability of the underlying network [61]. In fact, symmetry is an obstruction to controllability. The higher the number of automorphisms, the more symmetric is the network and, in turn, more driver nodes are required for full state controllability. These driver nodes, in the context of power networks, are the well known FACTS devices ( [8], [9], [16], and [18]) or wide area controllers ( [64], [65]).

A. DEFINITIONS AND PROPOSED THEOREMS
A notion of symmetry, k-symmetry, is leveraged here to make the critical nodes/edges indistinguishable by adversary agents. Necessary and sufficient conditions for security are attained and a novel algorithm is proposed for cyber-security constrained placement of FACTS devices. The bigger the symmetry group, the more symmetric the underlying graph is. On the other hand, symmetry is an obstruction to controllability [61] meaning a bigger number of FACTS devices are required when the network is more symmetric. We compute the symmetry index (Aut(G) or Gen(G)) before and after removing a node possessing a FACTS device as a measure of how critical is this node. This index is computed in simulation section for 49-bus and 1, 176-bus systems. Now, we leverage on the concept of k-security to obscure the identification of critical elements of power grid.
Definition 9 [55]: Let G k be the released version of G. The set of critical nodes V c of G is k-secure if the adversary cannot distinguish it from G k with a probability greater than 1/k. The set of critical edges E c of G is k-secure if the adversary cannot distinguish them from G k with a probability greater than 1/k. Now, we introduce the concept of moderated-k-symmetry which will be used in Theorem 11 to adapt an approach for securing the most critical elements of the power grid.
Definition 10: A graph G satisfies moderated-k-symmetry if for the finite set of nodes v l there exists k − 1 distinct Proof: If G is moderated-k-symmetric, then for every critical node v c there are k − l distinct mappings that preserve the network structure after permuting v c . For any accessible structural information G k for the adversary targeting node v c there are at least k distinct nodes that act the same structural role as v c . Hence, the adversary cannot distinguish v c with a probability greater than 1/k. Subsequently, for a successful attack on an edge, the adversary needs to identify the end nodes of the targeted edge. Hence the probability of identifying an edge is equal to 1/k × 1/k = 1/k 2 .
Theorem 11 can be used to secure the cyber graph of the power network by releasing a permuted graph to the public. However, the approach is not optimal as usually not all critical nodes are permuted by the k number of automorphisms in Aut(G). We have improved this approach by relating the concept of moderated-k-security to the case where only the critical nodes are needed to be secured. Moreover, the automorphism groups typically have a gigantic size for medium and large networks [58] and it is not possible to compute and sweep over all of them. Theorem 12 resolves these issues by leveraging on the symmetric characteristics of generators of automorphisms.
Theorem 12: Assume that the adjacency matrix of G is diagonalizable and symmetry preserving, b is the indicator vector associated to the set F containing |F| number of FACTS devices, and G P is the published network to the public. Having access to G P , the adversary cannot distinguish the critical nodes and edges of the network with the probabilities greater than 1/(p(1 + q) − 1) and 1/(p(1 + q) − 1) 2 , respectively, where p and q are the multiplicities of the critical node/s in Gen(G) and the size of disjoint generators denoted by |Gen dis (G)|.
Proof: Assume A is the adjacency matrix associated with G P . Since G P is the permuted graph of G under an automorphism σ l , and σ l ∈ Aut(G), we can write A = A which simply means that the adjacency matrix of the published graph is preserved under mapping that generates G. Given The above equation can be written as Therefore the multiplicity of critical nodes in Gen(G P ) is at least p(1 + q). Then the immediate result, according to Theorem 11, is that the network is moderated-k-secure where k = p(1 + q) − 1.

B. PROPOSED ALGORITHM FOR LOCATING AND SECURING CRITICAL FACTS DEVICES
Associating the cyber-security to p and q in Theorem 12 guarantees conservative bounds on the probabilities of recognizing the critical elements. The reason for this is that conditions of Theorem 12 are derived assuming that all compositions of automorphisms moving a critical node with joint generators and mediators will fix the joint nodes, which, in practice, is a very rare possibility. In fact, since the size of automorphism group is very big compared with generator set, the probabilities of recognizing the critical nodes and edges are far less than 1/(p(1 + q) − 1) and 1/(p(1 + q) − 1) 2 , respectively. This means that the probability of recognizing the critical elements is lower than the bounds guaranteed by Theorem 12. The proposed symmetry-based approach for identifying and protecting the critical data of the cyber networks is summarized in the Algorithm 1.

Algorithm 1 An Algorithm for Finding and Securing the Critical FACTS Devices
Input: The graph G of the power network Output: The number and locations of FACTS devices and the cyber-secured topology of the power network 1: Perform the maximum matching procedure on the graph of power network to attain the set of unmatched nodes. 2: Assign a FACTS device to each unmatched node. 3: Compute the adjacency matrix A of the network 4: Compute Gen(G) from A using Sage. 5: Find the set of FACTS devices F with maximum multiplicity in Gen(G). 6: for i=1:|F| do 7: Remove the FACTS device number i. 8: Compute the symmetry index (Aut(G) or Gen(G)) after removing the FACTS device number i. 9: end for 10: Sort all values of |Aut(G)| or |Gen(G)| attained in steps 6-9 from the highest to the lowest value in a vector z which will be correspondent to the critical FACTS devices from highest to the lowest critical device. 11: The lowest amount of |Aut(G)| or |Gen(G)| corresponds to the most critical node identified in Step 1. 12: Order the critical elements in a vector e r from maximum critical to the minimum critical element. 13: Determine the generator ϕ that moves the most critical nodes. 14: Attain the cyber-secured graph under the act of ϕ attained in Step 13.

C. DISCUSSIONS
In this paper, the placement of FACTS devices is pursued using the network topology. The physical parameters of the power systems are then used to analysis the power flow with fixed FACTS controllers. As the network size increases, the proposed approach is more effective since the typical network symmetry group is bigger and the nodes with maximum multiplicities in generators of automorphisms are more effective in determining the number of required FACTS devices. Furthermore, for large symmetry sizes, the associated vast obscurity can be realized by further reducing the probability of distinguishing the most critical nodes of the grid. In a similar manner, the proposed approach for identifying the critical nodes can be used to identify the critical edges. We do this by (a) removing the edges with at least one end connected to a FACTS controller with maximum multiplicity in Gen(G), and (b) following steps 3-12 for edges instead of FACTS devices.  [66] for power flow analysis: Bus number, bus voltage magnitude |V | in volts, angle of bus θ , net active power of the bus P n in MW, and the net reactive power of the bus Q n in MVar.
A novel advantage of the proposed methodology is that the symmetry concept is inherent in the graph of the network; therefore, no manipulation is required as we only leverage on an intrinsic property of the network. The impacts of symmetry on the number and locations of FACTS devices and their roles in the security of the underlying cyber graph motivate the consideration of symmetry characteristics of the grid in developing the existing networks or constructing new networks. Embedding the asymmetrical structures makes the system more controllable which, in turn, reduces the number of required FACTS devices which leads to more security realization.
The critical elements of the grid can be identified using the proposed symmetry analysis. It will be observed in simulations of section IV that these critical nodes are usually the same nodes that are selected as the locations of FACTS controllers. This is quite interesting as the locations of FACTS controllers are at the unmatched nodes attained from the maximum matching principle while the critical nodes are attained from a totally different technique, i.e. nodes with maximum multiplicities in the symmetry groups are identified as critical nodes. This re-emphasizes the role of symmetry for explaining the emergent behavior of a complex power network.
The proposed cyber-security approach is implemented after placement of the FACTS devices. It obscures identifying the data associated to FACTS devices by leveraging on the symmetry characteristics of the grid. In fact, the proposed security approach only deals with the cyber graph and has no compromising implication for the physical graph of power network. Thus the approach does not compromise the original functionalities of the FACTS devices. However, the placement result can, to some extent, impact on the level of cyber-security. This is because the symmetry characteristics of the set of FACTS devices might be slightly different for different configurations of FACTS devices in the grid. This difference is not significant since the majority of FACTS devices are placed at the locations of driver nodes identified from symmetry analysis.

IV. IMPLEMENTATION OF THE PROPOSED CYBER CONSTRAINED PLACEMENT OF FACTS CONTROLLERS ON THREE POWER NETWORKS
The proposed topology-based approach for placement, control, and securing FACTS devices is implemented for the small 49-bus, moderate 274-bus, and a large 1,176-bus systems of references [66], [67], and [68], respectively. For the 274-bus and 1,176 bus systems, the emphasis is on the effectiveness of the proposed approach for obscuring the critical data for moderate/large networks.

A. SIMULATIONS AND ANALYSES OF 49-BUS SYSTEM
The physical graph of the 49-bus system with 59 transmission lines is shown in Figure 3. There are 9 generation buses where all of them are load buses as well. The rest of buses are considered as load buses. The physical parameters of 49-bus system including the voltage magnitude and angle, active, and reactive power of all 49 busses are presented in Table 1. The line parameters for each of 59 transmission lines are presented in Tables 2 where |V |, θ, R, X and B are the bus voltage magnitude in volts, angle of bus voltage in degree, line resistance in ohms ( ), line reactance in ohms ( ), and capacitive susceptance in siemens (s), respectively. The conductance is considered zero at all lines. The maximum matching principle is implemented on the graph of the 49-bus system and the matched edges are illustrated with red lines in Figure 4. Implementing the MMP has resulted in 7 unmatched nodes at locations 4, 9, 10, 24, 25, 47 and 48 which, according to the maximum matching principle adapted in Section III, can be considered as the locations of FACTS devices. Therefore, seven series VSC FACTS controllers with 100-MVA rating at a voltage of 1 p.u. are located at the determined locations ( Figure 4). The power flow transmission is analysed in MAT-LAB using Newton Raphson algorithm to solve for a vector of bus voltage magnitudes and angles. The parameters of PID controller are selected after trial and error. The proportional coefficient is k p = 0.3, the integrator coefficient is k i = 0.5, and the derivative parameter is k d = 0.05. The power flow analysis of 49-bus system is performed in MATLAB by interfacing the 7 shunt VSC-FACTS devices with the network. The network parameters including the line/bus voltage, angle, and apparent power before and after adding the FACTS controllers are presented in Figure 5. The Newton Raphson algorithm has reached the solution after 28 iterations. The bus voltage magnitudes of all busses before and after using the FACTS controllers are illustrated in Figure 5 [66] for power flow analysis: line number as ''l : i − j '' where l is the line number and i and j are the the nodes at two ends of the line number l , line resistance R in ohms ( ), reactance X in ohms ( ), and capacitive susceptance B in siemens (s). before and after using FACTS controllers are 3, 052 MW and 3, 153 MW, respectively. Equivalently, there is 101 MW power flow increase with using FACTS controllers. Also the line power losses for all 59 transmission lines before and after placing the FACTS controllers are shown in Figure 5.c. The sum of power losses has been reduced from 8.65 MW to 7.08 MW indicating an overall improvement of over %18.
To secure the data exchange between FACTS controllers using the proposed topological approach, first the cyber graph of the 49-bus system is adapted from its physical graph as shown in Figure 4. The size of Aut(G) for this network is computed in Sage and is equal to 144 (More explanation about computing the symmetry characteristics of the graph is presented in Appendix A). Although this is not a significantly large number and we can effectively compute the determining set by sweeping over all automorphisms, but we proceed with Gen(G) instead to adhere to the proposed approach of this paper. Later, for larger networks (274-bus and 1, 176-bus systems), it will be shown that we can not sweep over the corresponding automorphism groups due to their gigantic sizes. The generators of automorphisms Gen(G) of 49-bus system are computed in Sage as Gen(G) = {ε, (1, 4), (9, 10), (10,11), (24,25), (47,48)} and illustrated inside the dashed loops in Figure 4 (See Appendix A for calculating Gen(G)). The necessary VOLUME 8, 2020 To investigate the cyber-security of FACTS devices, we first construct the cyber-graph of the network based on the available physical graph. The cyber graph is illustrated in Figure 4. The cyber-security of the most critical nodes of 49-bus system can be investigated using Theorem 12. The maximum multiplicity of the critical nodes in Gen(G) is 2, i.e., p = 2, and the number of disjoint generators is 4. Therefore, by publishing a permuted network instead of the original network, the probability of the critical nodes and edges being recognized by an adversary is not greater than 1/9 and 1/81, respectively. It should be noted that under this permutation, the actual obscurity for adversary agent is even more than these values. This is because the maximum multiplicities of nodes in Aut(G) is 96 and the number of disjoint automorphisms is 4. Thus the actual probability of distinguishing the FACTS devices is less than 1/385. However, for networks with bigger sizes, it is not feasible to compute the whole set of automorphisms and we have to rely on generators of automorphisms. This is verified via the simulation results on the next two networks, 274-bus and 1, 176-bus systems.

B. SIMULATIONS AND ANALYSES OF 274-BUS SYSTEM
We perform simulations for the 274-bus system to better clarify the advantages of the proposed approaches for larger networks. Since the networks' parameters such as the impedances of the lines are not available for these two networks, we have not investigated the impacts of the proposed FACTS placement. We only determine the locations of FACTS controllers, the cyber-security, and the symmetry analysis for these networks. The FACTS placement impacts can be investigated in the same way as performed on the 49-bus system.
The 274-buss system is the equivalenced representation of US power grid [67] which has 274 nodes and 1, 338 edges as illustrated in Figure 6. The number of automorphisms of this network is 28, 311, 552. Therefore, it is not computationally effective to sweep over this huge number of automorphisms. However, the size of Gen(G) for this network is very small compared to automorphism group and is equal to 23. The maximum matching principle is implemented on this network  and matched edges are identified (A portion of these matched edges are denoted by red lines in Figure 6). This has resulted in 20 unmatched nodes that are selected as the locations of FACTS devices. Since it is not possible to compute the maximum multiplicities of nodes in Aut(G) we compute the multiplicities of nodes in Gen(G). The maximum multiplicity of nodes in Gen(G) for 274-bus system is 1 and the size of disjoint generators is 21. It follows from Theorem 12 that p = 1 and q = 21. Correspondingly, the probabilities of the critical nodes being recognized when the adversary has access only to a permuted version of 274-bus network is no greater than 1/(1.(1 + 21) − 1) 0.047. Similarly, the probability of identifying the critical edges, assuming one end at the critical node, is not greater than 1/(1.(1 + 21) − 1) 2 0.002.

C. SIMULATIONS AND ANALYSES OF LARGE 1,176-BUS SYSTEM
We also examine the security of the 1, 176-bus system [68] which has 1, 176 nodes and 18, 552 edges. The number of automorphisms of this network is approximately 10 259 . Clearly, it is computationally prohibitive to generate the whole set of automorphisms and then compute the maximum multiplicities of nodes within the set. However, the size of Gen(G) for this graph is 377. We performed the MMP on this network and identified 437 unmatched nodes which are then considered as the locations of FACTS devices. The maximum multiplicity of the most repeated nodes in Gen(G) is 4 and the size of disjoint generators is 237. Following the conditions of Theorem 12, the probability of recognizing the VOLUME 8, 2020 data associated to the FACTS devices and the critical edges in 1, 176-bus system are 10 −3 and 10 −6 , respectively. Due to space limitations, it is not possible to illustrate the graph of 1, 176-bus system.
The simulation results are summarized in Tables 3-4. As can be observed in Table 4, there is an overlap between the nodes in determining set and the set of nodes that are considered as the locations of FACTS controllers by MMP. For the 49-bus, 274-bus, and 1, 176-bus systems, these overlaps are %66, %38, and %42, respectively. Although all nodes in determining set are not selected as the locations of FACTS controllers, yet it is inline with Lemma 7 since for every node in determining set which is not selected as a FACTS controller there is an alternative node belonging to F and within the same generator of automorphism which plays a same structural role in the network and, as such, can be alternatively selected as the location of FACTS controllers. For example, in 49-buss system, node 1 is in determining set but is not in F. As demonstrated in Figure 4, nodes 1 and 4 belong to a same generator of automorphism and, according to Lemma 7, a necessary condition for controllability is that only one of these nodes must be included in the set of FACTS controllers. This further highlights the importance of symmetry in explaining some aspects of the network behavior.

V. CONCLUSION
The placement of FACTS devices in power systems with the consideration of cyber-security of associated data exchange is addressed from a CN controllability perspective based on advanced topological techniques which, unlike the conventional methods, has no computational impediments. The proposed solution is attained using: i) the concepts of MMP and moderated-k-security to guarantee the cyber-security of the most critical data related to the FACTS controllers., ii) the idea of moderated-k-symmetry to arrange the published cyber graph based on generators of automorphisms that will significantly obscure the data exchange over the cyber graph for adversaries, and iii) the similarity between the set of critical nodes attained from the symmetry analysis to enhance the FACTS placement solution. The proposed solution procedure is implemented on the modified small 49-bus, moderate 274-bus, and large 1,176-bus systems. The power flow analysis of 49-bus system shows that the voltage magnitudes of all buses have increased by reaching to near 1 p.u. and the active power flow over the transmission lines has increased by %3 while the total power losses has decreased by %18 due to reactive compensation by FACTS controllers. In addition, the most critical data of the cyber graph is attributed to data exchange between FACTS controllers. This is in line with the verified importance of these controllers for the whole network performance. The cyber-security of these controllers are then addressed by obscuring the data exchange throughout the nodes assigned as the locations of these controllers. To this end, the network symmetry is leveraged to identify the set of permutations within the symmetry group for which the most critical nodes corresponding to the locations of FACTS controllers are permuted. It is verified in the paper that publishing any of the graphs associated to the network structure mapped by one of these permutations can significantly obscure the source of critical data for adversaries.
Throughout the simulations, an overlap is observed between the set of nodes in determining set and the set of nodes assigned as the locations of FACTS controllers by MMP. This further reveals the importance of symmetry in power network analysis. Therefore, another novel contribution of this paper is that finding the set of driver nodes for a power system can be translated to finding the set of nodes with highest repetitions in the symmetry group. Potential forthcoming research directions may be on: i) considering the network topology while addressing future expansions of the existing networks or constructing a new network, and ii) expanding the proposed approach to also address sizing of FACTS devices.

APPENDIX A COMPUTATIONAL CLARIFICATION
In this appendix, the computation process of the proposed approaches are explained. First, we clarify how to compute MMP in MATLAB and then the symmetry analysis is discussed in Sage.

A. COMPUTING THE MATCHED EDGES AND UNMATCHED NODES OF MMP
The required data for performing MMP is the adjacency matrix of the network. Once the adjacency matrix of the underlying graph of the network is constructed in MAT-LAB, we can attain the full set of matched edges using the command

maximal_matching(A)
which uses a matching function in MATLAB. In all our case studies, MATLAB was able to compute the whole set of matched edges and unmatched nodes in a few seconds. Thus finding the locations of FACTS devices (or unmatched nodes) does not impose a big computation burden.

B. CALCULATING THE SYMMETRY GROUPS
The previous studies (for example [61]) rely on computing the automorphism group to identify the determining set (which can be used to find the set of driver nodes) while the proposed approach of this paper is based on computing the generators of automorphisms. The computational advantage of the proposed approach can be distinguished simply by comparing the size of automorphism groups with the size of generators of automorphisms. For the small grid of 49-bus system, it is shown in section IV.A that there are only 144 automorphissms and it is possible to compute and sweep over this range. However, for the moderate 274-bus system, and the large 1, 176-bus system, it is shown that the sizes of the corresponding automophism groups are 28, 311, 552 and 10 259 , respectively. Therefore, it is not computationally effective to compute these sets and sweep over them. In addition, the large number of automorphisms makes it very difficult, if not impossible, to find the critical nodes as it needs to compute all automorphisms and then sweep over them to find the set of nodes with maximum multiplicities in Aut(G). However, the novel approach of this paper addresses these computational issues by adapting generators of automorphisms instead of automorphism groups. As indicated in sections IV.B and IV.C, the number of generators of automorphisms for 274-bus is 23, and for 1, 176-bus systems it is equal to 381. Clearly sweeping over these small sets of generators is more computationally effective than sweeping over the very large number of automorphisms associated with theses systems. There are effective algorithms, such as those in [63] for computing the automorphism group but, in general, the algorithms for calculating automorphism group and elementary automorphisms are well-known and rather trivial. These algorithms are built in some commands in SageMath or similar computing tools. Once the underlying graph is constructed in Sage, computing the automorphism group and the elementary automorphisms can be easily done using the following commands: > G.automorphismgroup().list()#Computing Aut(G) > G.gens() #Computing Gen(G).
However, for moderate/large scale networks, the first command will not result in the list of automorphisms. Only the cardinality of automorphism group can be computed using the following commands: > A = G.automorphismgroup() > A.cardinality().