A Hybrid Cyber Attack Model for Cyber-Physical Power Systems

Over the past decade, the cyber security of power systems has been widely studied. Most previous studies have focused on cyber-physical attacks and have barely considered one typical cyber attack: the availability attack. In this paper, we propose a hybrid attack model and apply conventional state estimation processes to study cyber attacks on power grids. The proposed model considers both the integrity attack and the availability attack simultaneously. Compared with a particular attack, namely the false data injection attack, we analyze their consequences for power systems in the events of the false negatives attack and the false alarm attack. The results show that the hybrid attack can confuse the control center by manipulating the integrity and availability of measurements. More importantly, we evaluate the hybrid attack with different values of the cost ratio between integrity and availability attacks, and then verify that the hybrid attack can achieve the same goal at a reduced cost.


I. INTRODUCTION
The advent of information and communication technology has made modern power systems smarter and more efficient through the deployment of computer-based control and monitoring. Modern power systems are thus cyber-physical power systems (CPPS). Although the coupling of these two networks brings some convenience, the power system becomes more vulnerable to an intricate cyber environment, which puts the CPPS at risk of cyber attacks [1], [2]. In general, external attacks on CPPS can be divided into physical attacks, cyber attacks and cyber-physical attacks (also called coordinated attacks).
Physical attacks, such as disrupting power substations and cutting transmission lines, always cause massive damage to infrastructure. The physical attack is also called a terrorist threat problem and has subsequently been the subject of a lot of research [3]-[5]. Cyber attacks always target the supervisory control and data acquisition (SCADA) system, and perturb the data transmission process or even garble the data. For example, the 2015 Ukraine blackout, initiated by the planting of computer malware (called BlackEnergy), caused inconvenience to many people and incurred considerable economic losses [6]. Thus, to ensure that a CPPS operates safely and reliably in a cyber environment, according to the basic attributes of information security [7], there are three requirements for the handling of data in CPPS: 1) integrity is to ensure that the data is reliable and authentic; 2) availability is to ensure that the data can be delivered safely and in a timely way; and 3) confidentiality is to ensure that the contents of the data are not illegally leaked. According to these three requirements, three kinds of cyber attacks can be conducted.
• Integrity means maintaining the trustworthiness of data and preventing data from being tampered with illegally throughout the process [8]-[10]. From this view, a classic integrity data attack, called the false data injection attack (FDIA), has become a recent research hotspot. FDIA was initially intended to disrupt state estimation (SE) in the SCADA system. It has been pointed out in [11] that attackers can successfully inject specific data into the original measurements and at the same time pass the bad data detector (BDD). Moreover, the analysis of estimation errors due to FDIA has illustrated that the damage caused by FDIA can be large even when very few measurements have been compromised [12], [13]. FDIA can also perturb the electricity market by affecting power dispatching, resulting in huge profits for the attacker or a bigger burden on power systems [14], [15]. Furthermore, some studies of the physical impact of FDIA have shown that attackers aim to cause line overloading in the power system [16].
• Availability ensures that data can be accessed by the control center in a timely way. Availability attacks, also called denial-of-service (DoS) attacks, try to block or delay data delivery in CPPS. Liu et al. [17] studied the influence of DoS attacks on the load frequency control of smart grids. The delay of critical messages can also result in catastrophes for power systems. For example, in the case of substation trip protection, if an attacker successfully delays the transmission of a protection message, it will cause serious damage to other power equipment [18]. Thus, the goals of DoS attacks are not only to interrupt resource access, but also to violate the timing requirements of critical message exchange.
• Compared with the above two requirements, attackers targeting confidentiality have no intention to modify or delay the transmitted data. Instead, they eavesdrop on communication channels to get the information they need, such as a customer's account or electricity consumption. Typical methods include wiretappers [19] and traffic analyzers [20].
In reality, attackers may combine physical and cyber attacks to realize coordinated attacks. Li et al. formulated coordinated attacks as a bilevel model [21], and extended this idea to incomplete network information [22]. Deng et al. proposed replay and optimized coordinated attacks [23]. In these works, coordinated attacks considering physical line disconnection and false data were considered to evaluate the attack influences. Also, load frequency control was studied with a coordinated attack model in [24]. In response to the huge threat of cyber-physical attacks, many researchers have proposed corresponding countermeasures [25], [26].
However, the above coordinated attacks do not consider availability attacks. In fact, availability attacks seriously threaten the operation of CPPS. The main reason is that SCADA systems are always more vulnerable to availability attacks, and attackers may prefer to perform availability attacks with limited resources. In order to further enrich the diversity of cyber attacks, the attacker will consider not only the cooperation between the cyber attack and the physical attack but also the cooperation between the availability attack and the integrity attack. Inspired by the above ideas, as shown in Fig. 1, the hybrid attack model considers both integrity and availability attacks. Furthermore, compared with FDIA, the consequences of the hybrid attack on CPPS are analyzed in terms of the attack cost. The key contributions of this paper are as follows. First, the model of the hybrid cyber attack is proposed. Unlike previous studies where only one kind of attack is considered, the hybrid attack model considers both integrity and availability attacks simultaneously. The model thus extends the application of cyber attacks significantly, and promotes the analysis of different attack situations under a unified model rather than multiple cyber attack models. Then, based on the proposed model, we examine the consequences of the hybrid attack in two common scenarios. By injecting a valid attack vector, attackers can mislead the control center and pose a serious threat or cause damage to power system operations. Finally, a metric is proposed to quantify the cost of attacks, and it is found that the proposed attack model can do the same harm to the power system with fewer resources.
The rest of this paper is organized as follows. Section II gives the models of the cyber attacks, including the mechanism of SE, BDD, FDIA, the availability attack, and the hybrid attack model. In Section III, a simple and efficient heuristic differential evolution algorithm is used to find all parameters of the attack model. Then, the consequences of the hybrid attack under two scenarios and the attack cost are studied in Section IV. Finally, Section V concludes the paper.

II. THE MODEL DESCRIPTION
In this section, the mechanisms of state estimation and bad data detection are introduced first. Then the mathematical models of the attacks are given, including the FDIA model, the availability attack model and the hybrid attack model.

A. STATE ESTIMATION
According to a series of meter measurements, the SE process estimates the state variables, such as the voltage on each bus or the power flow on each line. Such estimated variables are the parameters that show the running conditions of the power system over a period of time [27]. In this paper, we consider a power system with n buses and m transmission lines. Each transmission line is equipped with a meter to measure its power flow. The SE problem is to estimate the state variable $x = (x_1, x_2, \ldots, x_n)^T$ based on the meter measurements $z = (z_1, z_2, \ldots, z_m)^T$, under the measurement noise $n = (n_1, n_2, \ldots, n_m)^T$ which follows the Gaussian distribution $\mathcal{N}(0, \sigma^2)$. Thus, the linear state estimation is based on the following approximation model [11].
where H is the Jacobian matrix. Then, the estimated system state x is given by

where

B. BAD DATA DETECTION
Bad data detection (BDD) can detect measurement errors and prevent bad data from passing through the whole system. To achieve this in the DC power model, when W = I, the error between estimations and measurements should satisfy

where τ is a pre-determined significance level.
In order to keep the notation in the rest of this paper simple, the largest normalized residual (LNR) is used to denote the error residual, i.e., LNR = z − Hx.

C. FALSE DATA INJECTION ATTACK MODEL
In the false data injection attack (FDIA) model, attackers can make bad data evade detection by injecting a set of altered measurement data that still satisfies eq. (3). With this in mind, attackers must carefully design the attack strategy to deceive the BDD and avoid detection. A non-zero vector z is defined as an attack vector that is injected into the original measurement data z. Thus, the new LNR value can be represented as

If the FDIA vector follows z = Hx, attackers can keep the LNR unchanged while injecting bad data into the meter measurements.
Theoretically, if attackers can fully acquire the information of the whole system configuration (i.e., the grid topology, running states, the state estimation algorithm and the bad data detection method, etc.) and have the ability to manipulate all meter measurements, they are conceptually capable of launching a valid attack strategy by injecting a conditioned vector. Thus, the mathematical model of FDIA can be represented as follows [11]:

$\min \|z\|_0$ (5)

Here, the goal is to design an attack strategy with the lowest cost. In other words, the number of non-zeros in z is as small as possible, indicating that the fewest meters have been manipulated.
Constraint (6) shows that the vector of received measurements is changed to $z_{bad}$ by injecting the attack vector z. Constraint (7) guarantees that malicious data will not be detected by the BDD. Constraint (8) guarantees that the injected vector is non-zero. Finally, constraint (9) means that the estimation error on the manipulated measurements should be within the preset thresholds.

D. AVAILABILITY ATTACK MODEL
For a large SCADA system, missing data and failing remote terminal units are common [29]. When certain measurements are missing, a traditional solution in SCADA is to use the remaining data or predicted data before the system becomes ''unobservable''. In this paper, it is assumed that the SE uses the remaining data to estimate the state of the power system when an availability attack happens. The availability attack vector is denoted as $d \in \{0, 1\}^m$, in which d(i) = 1 corresponds to measurement i being unavailable. Similar to FDIA, the model for the remaining measurements and the system state variables can be represented as

where

E. HYBRID ATTACK MODEL
As mentioned above, there are two main kinds of cyber attacks, namely, the integrity attack and the availability attack. Previous studies have rarely considered these two kinds of cyber attacks simultaneously. However, the rapid development of CPPS has brought security threats from both of these attack methods, which can be launched individually or cooperatively. Here, the proposed hybrid model considers both integrity and availability attacks. The goal of the hybrid attack is to modify some measurements and to make some other set of measurements unavailable to the SE so that the received bad data can pass through the BDD. Similar to FDIA, if the attack vector satisfies $z = H_d x$, the hybrid attack can also be launched stealthily. The minimum number of measurements that need to be modified or blocked by attackers is adopted as the objective of the hybrid attack, i.e.,

$\min \|z\|_0 + \|d\|_0$ (11)

This hybrid attack model can be regarded as the FDIA model with the availability attack incorporated at the same time.

III. SOLUTION ALGORITHM
Intelligent algorithms are usually used to solve non-convex optimization problems. In this paper, differential evolution (DE) [30] is adopted to solve the hybrid attack model. In a population of NP m-dimensional vectors, i.e., $X_{i,t} = \{x^1_{i,t}, \ldots, x^m_{i,t}\}$, i = 1, ..., NP, the DE algorithm approaches the optimal solution through the mutation, crossover and selection operations. The detailed algorithm steps are described below.

A. INITIALIZATION
In order to make the initial population cover all possible solutions as far as possible, each value of an individual should lie within the given minimum and maximum parameter bounds $X_{min} = \{x^1_{min}, \ldots, x^m_{min}\}$ and $X_{max} = \{x^1_{max}, \ldots, x^m_{max}\}$. For example, the initial value of the jth parameter of the ith individual at generation t = 0 is generated by

where j = 1, 2, ..., m and rand(0, 1) represents a uniformly distributed random variable within the range [0, 1].

B. MUTATION OPERATION
After the population is initialized, for each individual $X_{i,t}$, also called the target vector, DE randomly selects three other individuals to generate the mutation vector $Y_{i,t} = \{y^1_{i,t}, y^2_{i,t}, \ldots, y^m_{i,t}\}$ by the mutation strategy, i.e.,

Y i,t = X r i

The indices $r^i_1$, $r^i_2$ and $r^i_3$ are three integers randomly generated within the interval [1, NP], which are also different from the index i. These indices are randomly generated once for each mutant vector. The scaling factor F is a positive control parameter for scaling the difference vector.

C. CROSSOVER OPERATION
After the mutation, each pair of the target vector $X_{i,t}$ and its corresponding mutant vector $Y_{i,t}$ is cross-processed to generate a trial vector $U_{i,t} = \{u^1_{i,t}, u^2_{i,t}, \ldots, u^m_{i,t}\}$. In the basic version, DE employs a uniform crossover defined by

In the above equation, the crossover rate $C_r$ is a user-specified constant in the range [0, 1) that controls the proportion of parameter values copied from the mutation vector. $j_{rand}$ is an integer randomly selected within the range [1, m]. If $\mathrm{rand}_j[0, 1) \le C_r$ or $j = j_{rand}$, the binomial crossover operator copies the jth parameter of the mutant vector to the corresponding element of the trial vector $U_{i,t}$. Otherwise, it is copied from the corresponding target vector $X_{i,t}$. Thus, the selection operation can be expressed as

The above three steps (from step B to step D) are iterated generation after generation until the objective value no longer changes or the total number of generations reaches a preset number.

IV. SIMULATION RESULTS AND DISCUSSIONS
In this section, we study how the hybrid attack affects the modified IEEE test systems [31]. In a power system, each transmission line is equipped with a meter to measure its real power flow. The SE problem estimates the variable x = [θ, V] with θ and V representing the phase angle and voltage magnitude of each bus. In order to compare with the FDIA model in [11], the threshold τ = 70.993 used in [11] is also adopted in this paper. The maximum power allowed through the transmission lines is set as 2 p.u. It is worth noting that once the transmission capacities are fixed, an appropriate attack vector can always be found to meet the specific attack scenario. A different setting of the maximum power of transmission lines only affects which lines are overloaded; the qualitative results drawn in this paper do not change. All simulations are implemented in MATLAB using MatPower [32]. Table 1 gives the DE parameter settings for the simulations. In this paper, the target of attackers is to confuse the control center. In the static security assessment (SSA) module, if the power flow of a transmission line exceeds its corresponding capacity, the SSA will immediately raise an insecure signal. The system dispatcher will then take the corresponding emergency protection operation, such as generator rescheduling or load shedding. If there are no overloaded lines, the SSA will show a secure situation. In this case, the system dispatcher does not need to take any protective action. Since there are two possible actual running states and two possible assessment results, there are in total four scenarios for SSA when applying the hybrid attack to SE, as shown in Fig. 2: 1) the SSA reports a secure situation, while the actual situation is insecure; 2) the SSA reports an insecure situation, while the actual situation is secure; 3) the SSA reports an insecure situation, and the actual situation is insecure; 4) the SSA reports a secure situation, and the actual situation is secure. Obviously, scenarios 3 and 4 are the correct ones. However, if an attack takes place, scenario 1 or 2 may happen. They are called the false negatives attack (FNA) and the false alarm attack (FAA), respectively. The specific scenarios are described as follows.

A. FALSE NEGATIVES ATTACK
We assume that an open circuit fault takes place as an initial disruption and causes an overload situation. Under this condition, the SSA should report an insecure signal. However, if a valid attack vector is injected at this time, it is possible that the BDD will not detect the modified measurements, and the SSA will show a secure signal based on false data. As a result, the system will not take any necessary action, which may lead to a widespread power outage. The mathematical model of this scenario is

where constraints (23) and (24) are the network equations with $P_{ij}$ and $P_i$ representing the power flows on transmission line (i, j) and bus i, respectively; $\theta_i$ and $\theta_j$ are the phase angles on nodes i and j; $\theta_{ij} = \theta_i - \theta_j$. $V_i$ and $V_j$ are the voltage magnitudes on nodes i and j; $G_{ij}$ and $B_{ij}$ are the real and imaginary parts of the admittance matrix on line (i, j). Constraints (25) and (26) give the upper and lower bounds of transmission lines and buses, respectively.
The simulation results for the IEEE 39-bus and IEEE 57-bus systems are shown in Figs. 3 and 4, respectively. Taking the IEEE 39-bus system as an example, we assume that the initial open circuit fault takes place on the 30th transmission line. Due to the fault, the power flow is redistributed, causing the actual power flows on transmission lines 3 and 25 to be overloaded, shown as red bars in Fig. 3. When the system is not under attack, it has the same power distribution due to the initial open circuit fault (with certain transmission lines overloaded), and the SSA will immediately inform the power dispatcher of this insecure situation so that the corresponding emergency action can be taken in time. However, by applying the integrity attack (FDIA in Fig. 3(a) or the hybrid attack in Fig. 3(b)) to the measurements, the overloading can be manipulated to appear within the bounds, shown as green bars in Fig. 3. It then looks as if no line is overloaded anymore. Consequently, the control center will not detect the overloading. The same qualitative results can also be found for the IEEE 57-bus system, as shown in Fig. 4.

B. FALSE ALARM ATTACK
For the false alarm attack, a normal situation is maliciously reported as a transmission line overload. Attackers inject appropriate fake data that deceives the BDD and confuses

$\exists P_{ij} > P_{ij}^{\max}$ (31)

where constraint (31) indicates that the SSA mistakenly concludes, based on the modified measurement data, that there is overloading on at least one transmission line.
As for the simulation, as shown in Figs. 5 and 6, we study how the FAA affects the power system in both the IEEE 39-bus and IEEE 57-bus systems. Taking the IEEE 39-bus system as an example, the red bars in Fig. 5 represent the estimated power flow measurements of the transmission lines before the attack. Then, by launching the cyber attack (FDIA in Fig. 5(a) or the hybrid attack in Fig. 5(b)) on the measurements, attackers create fake overloading situations, shown as the green bars in Fig. 5. We can see that the SSA will show an insecure situation, even though no transmission line is actually overloaded.
Upon receiving the insecure signal sent by SSA, the control center will act unnecessarily, such as rescheduling and performing load shedding.Such actions incur extra cost and do not make meaningful contributions.

C. COST OF CYBER ATTACKS
In this section, the costs of integrity and availability attacks are introduced into the above models. Suppose $C_I$ and $C_A$ are the costs of the integrity and availability attacks required to manipulate one measurement, respectively. Then, the total cost of the hybrid attack is

In order to compare the costs of integrity and availability attacks, we use a normalization method to quantify the relative sizes of $C_I$ and $C_A$.

where λ is the cost ratio between the availability attack and the integrity attack, namely, $\lambda = C_A / C_I$. Thus, with the consideration of cost, the objective function of the hybrid attack becomes

It is worth noting that the cost of the hybrid attack depends not only on the number of manipulated meters, but also on the cost of each meter. Taking Table 2 as an example, λ = 1 indicates that the costs of the integrity and availability attacks are the same. It can be seen that the hybrid attack requires fewer manipulated meters than FDIA to achieve the same attack purpose under the different attack scenarios. Finally, we study how the optimal cost changes as a function of λ in a power system. From Fig. 7, whatever the case is, the cost of the hybrid attack increases with an increase of λ. However, when λ is large enough, the cost becomes constant. This trend can be explained as follows. When λ is small, the availability attack takes a relatively smaller share of the total cost. Therefore, the availability attack will be the main approach in the hybrid attack framework, and the total cost is lower than that of FDIA. However, as λ increases, the cost of the availability attack begins to dominate. Thus, a hybrid attack tends to use less availability attack to save cost. When λ is large enough, the most efficient way to conduct the hybrid attack is to use FDIA alone. As a result, the cost of the hybrid attack will be the same as that of FDIA. It is worth mentioning that, no matter what value λ takes, the cost of the hybrid attack is always lower than or equal to that of FDIA. In other words, from the perspective of attackers, the same goal can be achieved at a lower cost.
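The following is an added example, written for this page and not code from the paper or its authors, that walks through the Section II models (DC state estimation with W = I, the residual test as BDD, the FDIA stealth condition and the hybrid attack with availability vector d) and the cost ratio λ of this section on a constructed 3-bus network. It assumes that the BDD of eq. (3) compares the residual norm ‖z − Hx̂‖₂ with τ, that a hybrid attack is stealthy when Δz = H_d Δx holds on the meters still available, and it replaces the DE search of Section III with an exhaustive search over d, which is only feasible for a toy m. The defender's lesson it makes concrete is that once the redundant meter is lost, a single modified measurement passes the BDD, so a loss of measurement availability should itself be treated as an alarm condition.

```python
"""Added example (not the paper's code): DC state estimation with W = I, the
residual test used as the BDD, and an exhaustive solution of the hybrid
objective ||dz||_0 + lambda * ||d||_0 on a constructed 3-bus network.
Assumed: the BDD statistic is ||z - H x_hat||_2 compared with tau, and a
hybrid attack is stealthy when dz = H_d dx on the meters left available."""
from itertools import product
from math import sqrt

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)]
            for row in A]

def solve(A, b):
    """Gauss-Jordan solve of A x = b; returns None when A is singular."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-9:
            return None
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c:
                M[r] = [rv - M[r][c] * cv for rv, cv in zip(M[r], M[c])]
    return [row[n] for row in M]

def estimate(H, z):
    """WLS estimate x_hat = (H^T H)^-1 H^T z with W = I; None when H^T H is
    singular, i.e. the available meters do not observe the state."""
    Ht = transpose(H)
    Htz = [sum(h * v for h, v in zip(row, z)) for row in Ht]
    return solve(matmul(Ht, H), Htz)

def lnr(H, z):
    """Residual norm ||z - H x_hat||_2, the statistic the BDD compares to tau."""
    x = estimate(H, z)
    r = [zi - sum(h * xj for h, xj in zip(row, x)) for row, zi in zip(H, z)]
    return sqrt(sum(v * v for v in r))

def detected(H, z, dz, d, tau):
    """Apply integrity vector dz and availability vector d, then run the BDD
    on the measurements the control center still receives (assumes the
    remaining meters still observe the state)."""
    keep = [i for i, di in enumerate(d) if di == 0]
    return lnr([H[i] for i in keep], [z[i] + dz[i] for i in keep]) > tau

def hybrid_attack_cost(H, dx, lam):
    """Exhaustive stand-in for the paper's DE search (fine for tiny m): for
    every d, inject dz = H_d dx on the available meters (stealthy by
    construction) and keep the cheapest (cost, dz, d). d = 0 is plain FDIA."""
    best = None
    for d in product([0, 1], repeat=len(H)):
        Hd = [row for row, di in zip(H, d) if di == 0]
        if len(Hd) < len(dx) or estimate(Hd, [0.0] * len(Hd)) is None:
            continue  # unobservable: the SE could not run at all
        dz = [0.0 if di else sum(h * c for h, c in zip(row, dx))
              for row, di in zip(H, d)]
        cost = sum(1 for v in dz if abs(v) > 1e-9) + lam * sum(d)
        if best is None or cost < best[0]:
            best = (cost, dz, d)
    return best

# Constructed 3-bus DC network, bus 1 as reference, unit reactances; meters on
# lines (1,2), (2,3), (1,3); state x = (theta_2, theta_3); one redundant meter.
H = [[-1.0, 0.0], [1.0, -1.0], [0.0, -1.0]]
Z = [-0.5, 0.31, -0.2]   # constructed, slightly noisy measurements
TAU = 0.1                # constructed threshold (not the paper's 70.993)
DX = [0.4, 0.0]          # attacker's target shift of the estimated theta_2

if __name__ == "__main__":
    print("clean LNR          :", round(lnr(H, Z), 4))
    print("1 meter modified   :", detected(H, Z, [-0.4, 0, 0], (0, 0, 0), TAU))
    print("1 modified, 1 lost :", detected(H, Z, [-0.4, 0, 0], (0, 1, 0), TAU))
    for lam in (0.5, 1.0, 3.0):
        print("lambda =", lam, "-> min cost", hybrid_attack_cost(H, DX, lam)[0])
```

On this network the optimal cost is min(2, 1 + λ): below λ = 1 the search blocks the redundant meter and modifies one, at λ = 1 the two options tie, and above it the search falls back to plain FDIA, which is the shape of the Fig. 7 curves.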

V. CONCLUSION
In this paper, we constructed a hybrid cyber attack model that combines the integrity attack and the availability attack. Deploying the hybrid attack can effectively avoid detection by the control center, and hence cause confusion that incurs potential damage to the system. We analyzed two serious attack scenarios, namely, the false negative attack (FNA) and the fake alarm attack (FAA). The proposed model effectively captures the enhanced effectiveness and reduced cost of the hybrid attack, providing an effective tool to study more intricate cyber-physical power systems and to evaluate different attack strategies with limited resources. In addition, the model also reveals the design requirements for more effective detection mechanisms and resource allocation schemes for future cyber-physical power systems.

FIGURE 1. The schematic diagram of the hybrid cyber attack.

D. SELECTION OPERATION
If a value exceeds its bound in the newly generated trial individual resulting from the mutation and crossover operations, a new trial individual needs to be re-generated until all the values are within the upper and lower bounds. The algorithm then calculates the objective function values of all the trial individuals and their corresponding target individuals, i.e., $O(U_{i,t})$ and $O(X_{i,t})$, in the current population. If the objective function value of the trial individual is greater than that of the corresponding target individual, the target individual is retained in the next generation's population. Otherwise, the trial individual replaces the corresponding target individual and enters the operations of the next generation.

FIGURE 2. Overview of the objectives of cyber attack in CPPS.

FIGURE 3. False negatives attack on IEEE 39 bus. Results with and without (a) FDIA attack and (b) hybrid attack. Red bars and green bars represent the power flows of transmission lines before and after the attack, respectively. Dotted lines show upper and lower bounds.

FIGURE 4. False negatives attack on IEEE 57 bus. Results with and without (a) FDIA attack and (b) hybrid attack. Red bars and green bars represent the power flows of transmission lines before and after the attack, respectively. Dotted lines show upper and lower bounds.

FIGURE 5. Fake alarm attack on IEEE 39 bus. Results with and without (a) FDIA attack and (b) hybrid attack. Red bars and green bars represent the power flows of transmission lines before and after the attack, respectively. Dotted lines are their upper and lower bounds.

FIGURE 6. Fake alarm attack on IEEE 57 bus. Results with and without (a) FDIA attack and (b) hybrid attack. Red bars and green bars represent the power flows of transmission lines before and after the attack, respectively. Dotted lines are their upper and lower bounds.

TABLE 2. Compromised measurements of FDIA and the hybrid attack when λ = 1 under two specific scenarios in two IEEE benchmark systems.

FIGURE 7. Optimal attack cost versus the cost ratio λ under the hybrid attack. Dotted lines are the cost of FDIA under the corresponding attack situations.