Cyber-Physical Attack Conduction and Detection in Decentralized Power Systems

The expansion of power systems over large geographical areas renders centralized processing inefficient. Therefore, the distributed operation is increasingly adopted. This work introduces a new type of attack against distributed state estimation of power systems, which operates on inter-area boundary buses. We show that the developed attack can circumvent existing robust state estimators and the convergence-based detection approaches. Afterward, we carefully design a deep learning-based cyber-anomaly detection mechanism to detect such attacks. Simulations conducted on the IEEE 14-bus system reveal that the developed framework can obtain a very high detection accuracy. Moreover, experimental results indicate that the proposed detector surpasses current machine learning-based detection methods.


I. INTRODUCTION
Expansion of power systems over large geographical areas has made it challenging to implement centralized processing methods [1]. Extending the power system to a wide area requires a complex and extensive network for centralized operation and near real-time processing of the collected measurements [2], [3]. This has accelerated the move towards distributed operation [4]. We specifically focus on distributed state estimation (DSE) in this work. In DSE, the grid is divided into many smaller areas, and each area independently collects measurements from its nodes and estimates the per-area system state. The power grid's overall state is computed by exchanging the per-area system state through an iterative process [5]. Given the growing interest in DSE, understanding its potential vulnerabilities is essential. Cyberattacks against DSE can cause serious consequences, e.g., cascading failures [6].
The associate editor coordinating the review of this manuscript and approving it for publication was Jahangir Hossain .

A. RELATED WORK
A data integrity attack against the DSE was proposed in [6] wherein the communication infrastructure used to convey information between different areas is compromised. Authors of [7] proposed a data integrity attack on the generation units and the controllable loads. The attacker requires access to sensors, actuators, and unsecured loads in only one area of a distributed network. Common cyber vulnerabilities in distributed power systems were discussed in [8] and the impact of cyber attacks on microgrids was presented. Reference [9] focused on time delay attacks against DSE to destabilize the system.
Several works have been done to detect the cyber-attacks on DSE to protect them against such attacks. [6] proposes a denial of service (DoS) attack detection technique based on the development of mean squared disagreement across areas and a mitigation mechanism based on individual areas' opinions about the attack point. The paper [10] focuses on the distributed state estimation security against DoS attacks. In [11], the distributed resilient filtering challenge for a distributed power system subject to DoS attacks is addressed. VOLUME 10, 2022 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ False data injection attack (FDIA) [28] is the most commonly used attack in the cybersecurity of the power systems. In this type of attack, some values are added to the measurement vector so that the bad data detection (BDD) algorithm does not differentiate between normal and manipulated values. A novel DSE approach in networked DC microgrids is presented in [12] to detect the FDIA in the microgrid control network. In the context of DC microgrids, a Kullback-Liebler divergence-based criterion is proposed in [13] to detect the attacks to control the unit of distributed energy resource. A series of papers in this area carried out state estimation and detection together [14]- [18]. In [14], a fully distributed dynamic state estimation algorithm using phasor measurements unit (PMU) data, which is jointly designed with a novel attack detection scheme to limit communication overhead, is presented. The authors of [15] addressed the challenge of joint attack detection and state estimation by using hybrid Bernoulli random set densities to aggregate prior information about signal attacks and system status. The subject of [16] is distributed anomaly identification and reliable estimation of networked cyber-physical systems against FDIAs and jamming attacks. A secure DSE algorithm via consensus-based distributed non-convex optimization protocols is developed in [17]. In [18], an optimal filter and graph theory have been used to develop a distributed state estimation algorithm for a power distribution system integrating several synchronous generators, which have been modeled as a state-space framework. In [19], authors proposed a penalty-based adaptive estimating approach for distributed power systems under FDIAs that can dynamically modify the penalty parameter depending on the area and boundary bus errors.The authors in [20] have used a nonlinear input observer to propose a distributed detection method against FDIAs. Reference [21] compares centralized and decentralized detection methods. In recent years machine learning has become widely used in all areas, including attack detection algorithms. As a well-known work, the authors in [22] recontextualized the intrusion identification issue as a machine learning issue and analyzed the performance of various learning methods for various attack scenarios. In [23], a detector based on the generalized likelihood ratio is established for cyberanomalies. [24] proposes an unsupervised method for the detection of distributed false data injection attacks. However, it could be used offline and could not be utilized in real-time mode for power systems.

B. PROBLEM MOTIVATION & CONTRIBUTIONS
Existing work neglect that in an interconnected power system composed of several control areas, boundary buses lose some of the redundant measurements since each area works more independently than in the centralized mode. This can negatively affect the security of boundary buses leading to cyber-attacks. In this work, we take advantage of the reduced redundancy to propose a coordinated FDIA to disrupt the DSE. We consider an attacker who can manipulate measurements of different areas simultaneously. Specifically, by focusing on the boundary buses of neighboring areas, we introduce a distributed FDIA on the DSE. In the proposed attack, the attacker targets one of the boundary buses and injects false data into all measurements of that bus, causing an error in its estimated state. It is shown that the attack must be conducted separately in each area but simultaneously to bypass BDD methods implemented in a distributed manner such as the robust DSE [5]. Moreover, it can be proved that if the injected measurements of each area are equal, the attack can also circumvent the convergence-based detection methods (e.g. [6]) (see the illustrative example in Section III-B). Moreover, to detect the attack, we utilize deep learning techniques to develop a real-time intelligent attack detection that captures the temporal correlation in power systems between consecutive time slots to differentiate malicious measurements from the normal ones. The main contributions of this paper are listed as follows.
1) We design a distributed FDIA that can bypass the current robust distributed estimator as well as the convergence-based detection method. 2) We then formulate a deep learning-based algorithm to capture the temporal correlation in power system measurements and detect the introduced attack. 3) We provide a comparison between the conventional classification algorithms and the carefully designed framework. The rest of the paper is organized as follows: The model of multi-area power system and the manner of state estimation carried out on it are explained in Section II. Section III presents the conducted distributed FDI attack and how it circumvents existing detectors. A deep learning-based framework is developed in Section IV to detect the proposed attack. Section V discusses the numerical results of the attack and the detection method, and Section VI concludes the paper.

II. SYSTEM MODEL
The power system model used in this paper, along with the distributed state estimation (DSE), is described in this section. Assume an interconnected power grid with K area where in each area, a nonlinear connection between M k samples denoted by z k and N k states denoted by x k exists as shown in (1). In this equation, h k (.) is the function vector that defines interconnections between measurements and system states, and w k represents the vector of measurement error of area k.
If the estimation method vector of area k is represented by f k (x k ; z k , h k (x k )), the following optimization problem can be solved to estimate the states of each area , that could be expanded to estimate all network state variables in a centralized mode as fol- The boundary buses are buses that belong to more than one area. In other words, their state variables fall into the set of state variables of at least two areas, which we call neighboring areas. These areas are included in x of (II). It is essential to gain a dependency on boundary busses in order to achieve a distributed state estimation. Neighboring areas must thus share the state variable of their boundary buses. A constraint for boundary buses of each of the two adjacent areas is established, and system states of both adjacent areas are made equivalent to reaching the following optimization problem.
x k ,k ) denotes the system state-variable vector shared by area k and k and N k represents the adjacent areas of region k. x k,b denotes the state-variable vector shared between area k and its neighbouring areas. In order to have a fully DSE, the optimization problem (II) should be arranged so that techniques for distributed optimization problems like the alternating direction method of multipliers (ADMM) [26] can be used. For doing this, Lagrange multipliers v k,k are proposed for the constraints of (II) [5]. To solve this, an iterative strategy is introduced as follows.
k is the Jacobian of function vector f k , D k represents a diagonal matrix in which element d i,i counts the regions sharing state i of x k , U x k is a diagonal matrix in which element u i,i is inverse of d i,i , and non-diagonal elements are zero. In addition, Y k,k defines the dependencies between x k and x k,k and y i,j element of Y k,k equals to one if state variable i of x k conforms to the element j of x k,k ; otherwise, y i,j will be zero. Similarly, Y k,b (or Y b,k ) is a matrix that depicts the relationships between x k and The DSE converges when the difference between the predicted values of two consecutive iterations of the ADMM algorithm is less than a predetermined threshold. Then we is the stopping iteration and is known as the convergence threshold. For more information about the application of the ADMM method on nonlinear models of power systems, interested readers can refer to [27].

III. ATTACK DESCRIPTION
This section begins with a quick overview of the detection methods for attacks on the distributed estimators is presented. After that, the proposed distributed false data injection (FDI) attack is explained.

A. CYBERSECURITY OF DSE
Amongst attacks on DSE, the technique presented in [6] is chosen for description and analysis. The intruder in [6], by hampering the DSE from converging, reaches his or her goal for disabling the DSE. For this, the intruder compromises the telecommunications systems of zone k a ∈ K so that he/she can manipulate some of the inputs to the DSE (e.g. system states x (t) k,k a and x (t) k a ,k exchanged among k a and its neighboring areas k ∈ N k a ). Vector a (t) k,k a (equals to a (t) k a ,k ) represents the attack on the state variables exchanged between areas in k ∈ N k a and area k a (specifically, from k a to set k) at iteration t. Then, the consequent debased state variables can be denoted as a vectorx As stated in [26, Appendix A, p. 106-110], ADMM converges when the following conditions are met: ∀k ∈ K, f k (x k ; z k , h k (x k )) function be acceptable, convex, closed and also the augmented Lagrangian is possessed a saddle point, where By considering the conditions, when the iteration counter t is increased and the DSE gets closer to the saddle point (i.e. solution), it is expected that the difference in the systems states of different regions k and k (and all the other neighbors) is reduced. Regarding this, a convergencebased algorithm to catch cyber-anomalies on the DSE can be extended by calculating mean squared disagreement (MSD) for regions k and k at the tth step as follows in which, number of component in k,k . When the ADMM convergence requirements are met, a convergence issue (an attack) occurs, but for large values of t, there exists some k and k ∈ N k where sup{d then there is a convergence issue (an attack).

B. THE PROPOSED DISTRIBUTED FDIA
This subsection presents the theoretical explanation of the developed distributed FDIA. The attack vector is designed to prevent the convergence of DSE to the correct estimation. The goal is accomplished utilizing neighboring areas' boundary buses. The FDIA proposed in this section is implemented such that, in addition to the centralized ones, it passes decentralized bad data detectors. Meanwhile, it can be unidentifiable after applying the convergence-based attack detection VOLUME 10, 2022 methods. The attacker is expected to have full information on the power system which means that ∀k ∈ K areas, measurements vector z k and the measurements to states mapping vector function h k (x k ) are known to the attacker. To implement a nonlinear attack, the attacker must know the estimated value of each state variable. Let us assume that the set of boundary buses targeted by the attacker is represented by B a . This set is the joint of all neighbors shown as K a . If the attacker aims to orchestrate an attack by injecting a value into the target buses' state, she/he must simultaneously launch K a = |K a | separate FDI attacks (one attack in each area). More specifically, if the boundary buses targeted by the attacker via area i ∈ K a are represented as x a and the vector added to the corresponding system state vectors is denoted as c i , a i represents the attack vector injected into the measurements of area i.
It must be emphasized that while in each area i, the vectors a i are injected separately to the vector of measurements z i , this happens simultaneously and on a unified observation of samples. If procedures of [29] are followed, it can be proved that the proposed FDIA can pass the bad data detectors. For this purpose, first and foremost, a look at the robust DSE [5] is taken as a distinguished instance of detectors of these types. For each area k ∈ K, unknown vectors o k are required to denote possible bad data in z k . In each area k, o k variable vectors alter the estimation function f k (x k , o k ; z k , h k (x k )); since these vectors only belong to region k (not shared with the neighbors) and conform to the measurements, z k −o k notation is used for them in DSE equations. Two other equations are required to update o k in the robust DSE as follows [5].
. After reformulating (1) as explained before, we have which is solved by using the iterative normal equation method with the first order optimality condition −2H in which H k is the Jacobian matrix derived from the function vector h k that its m × nth entry is equal to ∂h m ∂x n . After the attack was carried out, the unchanged value of o i vector holds if the following is met: So, with replacing (7) and (8) in the equation (13) and some simplifications, we have: where attacked o i is represented by o a i . Above equations demonstrate that o k will not alter after the attack, so the FDIA proposed here can circumvent the robust DSE. However, additional conditions explained in [6] are required for this. These conditions are as follows.
Proposition: Assume that the distributed FDI attack described above is carried out successfully. When the distance between the items with non-zero values of c i vectors, corresponding to the system states of buses in B a , is lower than the predetermined value , the FDIA can circumvent the convergence-based detection technique proposed in [6].
Proof: Let us show the MSD between every two regions i and j of K a in iteration t prior to the conduction of attack as: Now suppose an attack is injected in such a way that the distance between the non-zero elements of c i and c j for every distinct {i, j} ∈ K a is lower than (i.e. the predetermined threshold of convergence). Thus, after the attack, the MSD equation could be shown as accordingly, if for each pair {i, j} ∈ K a , x i,j value remains unchanged after this attack and consequently, FDIA can get through the method proposed in [6]. A point needs to be made clear here: ∀i ∈ K a , it is not required that the non-zero elements of c i vectors have the same value, but only, the distance between the elements of c i vectors, ∀i ∈ K a which correspond to a determined bus in B a have to be lower than . As one will see in Section V, 10% incremental and decremental attacks are simulated.
Illustrative Example: Assume that z 1 and z 2 , the normal measurements for areas 1 and 2, respectively, bypass the distributed BDD (robust DSE) in [5]. The manipulated measurements z a 1 = z 1 + a 1 and z a 2 = z 2 + a 2 for the areas 1 and 2, respectively, can bypass the distributed BDD if a 1 = h 1 (x 1 + c 1 ) − h 1 (x 1 ) and a 2 = h 2 (x 2 + c 2 ) − h 2 (x 2 ), in whichx 1 andx 2 are the estimated values of state vectors of area 1 and 2, respectively. Now, if the distance between the components of vectors c 1 and c 2 be lower than the threshold value introduced in [6], the FDIA will get through the detection method proposed in [6]. This description can be extended to boundary buses with over two adjacent areas.
For the bus number 5 in the system presented in Fig. 1 and for attack size α, c 1 and c 2 are vectors of size 6 × 1 and 12 × 1 where the non-zero vectors relevant to bus number 5 equal to α. Vector a 1 has size 10 × 1 where its components representing the voltage value of bus number 5 and line currents (1,5) and (2,5) are not zero. In addition, a 2 is a 14 × 1 vector which its elements corresponding to the line current (4,5) is non-zero. The size of other vectors of test system are brought in Table 1. If we obtain the average of estimates, the distance between the estimated values for the voltage of bus 5 calculated based on area 1 is 1.062018326 and through area 2 is 1.062018324 which is much lower than the in [5] (10 −3 ). This case is also observed for the voltage angle of 5th bus over the zones 1 (0.109613) and 2 (0.109614).

IV. DEEP LEARNING-BASE DETECTION METHOD
Decentralized bad data detection methods are shown vulnerable to the proposed distributed FDIA based on section II. The issue with the state estimation and convergence-based detection methods is that a power system's temporal pattern is not observed and depends only on the specified topology and measurements. Therefore, if a detection method can be designed, which can predict based on the measurement history, it can not be easily circumvented. Recurrent neural networks (RNNs) offer such potentiality. RNN is an ideal candidate because of its established ability to learn contextual connections in terms of its success in machine translation and speech recognition [30]. This section summarizes several key ideas for RNNs and long short-term memory (LSTM) block structure.

A. THE LSTM MODEL
Compared to conventional feedforward neural networks assuming inputs/outputs are mutually independent, RNNs are a particular type of neural networks that use sequential information to forecast the output [30]. The temporal correlations between previous and current knowledge can be defined in RNN models. This implies that, with the issue of time series, the decision taken by the RNN at stage t − 1 could have an impact on the decision taken at a later time step t. This feature of RNNs is ideal since there is a temporal correlation in power systems between consecutive time slots. Utilizing this characteristic, in this section, a real-time FDIA identification mechanism is proposed using recent advances in RNNs.
RNNs are trained by Backpropagation Through Time (BPTT) Algorithm by adjusting the weights of the network [31]. BPTT expands the Backpropagation Learning (BPL) Algorithm over a time series in which the gradient of each output is calculated by both current and prior steps. However, RNN is limited in learning long-term dependency due to gradient loss or explosion problems, as the gradients back propagated over certain steps [32], [33]. In order to avoid the vanishing gradient and allow RNN to learn the longterm dependency, a variant of RNN known as long short-term memory (LSTM) architecture has been introduced by [34]. It has been the most effective implementation of the RNN and has achieved tremendous prominence in many subsequent applications and usually outperforms the conventional RNNs.
Reference [35] has carried out an in-depth review of LSTM's overall structure and recent development. We follow a naming convention identical to [35] to present the idea of the LSTM briefly. To remember long-time temporal dependencies, LSTM describes and retains an internal memory cell state C during the whole life cycle as the most important LSTM system component. Besides the memory cell state, the LSTM architecture also defines input node g c , input gate i g , output gate o g , and forget gate f g . The following equations give the formulations of an LSTM block: where TS(t) is input sequence for an LSTM at time point t; W gq , W iq , W fq , W oq , W gh , W ih , W fh , W oh indicate the correlation weight matrices between the corresponding inputs of the network activation functions; h(t) displays the LSTM module outputs at step t; represents element-wise multiplication; b g , b i , b f , and b o are biases of corresponding nodes and gates; φ(x) indicates the tanh function, and σ (x) is the sigmoid activation function.

B. THE LSTM BASED ATTACK DETECTOR
In a power system, measurements and state vectors could be classified as long temporal sequences. Therefore, in the proposed FDIA detector, LSTM architecture is adopted to carefully design a real-time deep learning-based attack detection framework. Specifically, the proposed detection mechanism works as a sequence classifier to discriminate attacks from normal measurements by learning the temporal data correlation of a sequence of input data. In this paper, system states are selected as the inputs to our attack detector. This means that we used a minimal set of features to find attacks. Given a set of samples S and labels Y (normal versus attack), the proposed method's objective is developing a learning function S → Y that maps the feature to its corresponding label and classifying the measurements into two classes, normal and tampered. Therefore, the output of the proposed FDIA detector is as follows: To carefully develop an LSTM based FDIA detector, we need to meticulously tune its hyper-parameters, namely, the input layer's number of neurons, number of LSTM hidden layer(s), number of fully-connected (dense) layers, and the number of neurons in the output layer, to obtain an acceptable attack detection accuracy. The structure of the employed model for constructing attack detection is shown in Fig. 2. The input layer is in charge of obtaining observations from the dataset and delivering them to the first hidden layer for analysis. Non-linear relationships between data are represented in the LSTM hidden layers. To properly classify a system with increasingly intricate relationships, it is necessary to add more hidden layers. The dense layers take data from the previous hidden layer and calculate the likelihood of samples belonging to each class. Lastly, the output layer gets the probabilities of the final fully-connected (FC) layer and assigns samples labels. Based on observations from many experiments, the constructed model comprises one Dense layer with 11 neurons, three LSTM hidden layers, and 28 neurons for the input layer.
Other parameters are required to be tuned in this LSTM model to ensure that FDIA detector achieves a promising detection accuracy. These parameters are dropout and sequence length. Dropout is a regularization method for neural networks to minimize the risk of overfitting [36]. The sequence length specifies the number of samples that should precede the existing observation when it is entered into the LSTM. In the constructed LSTM, dropout is applied at a 40% ratio and the sequence length is set to 3 since it provides the best results based on many conducted experiments. It is also worth noting that Adam optimizer [37] is utilized to define optimum values of the learning parameters of the constructed LSTM model, i.e., the values for the correlation weight matrices in (20)- (25). Finally, since the LSTM is sensitive to data scale, all inputs should be scaled to the range of (0, 1) before the system states enter the proposed model's input layer.

C. MEASURES
F-Measure is used to validate the developed LSTM RNN-based FDI detector. The F-Measure is calculated in the following manner [38]: where R e is the recall and P r is the precision, which are determined in the following manner: where true positive (TP) represents the number number of correctly recognized attack measurements, false positives (FP) represents the number of incorrectly observed attacks, true negative (TN) represents the proportion of successfully identified normal findings, and false negative (FN) represents the number of overlooked attack vectors. The F-Measure value 1 shows that every sample labeled as normal is truly normal, and each observation designated as an attack is genuinely a manipulated one.

V. NUMERICAL RESULTS
The developed distributed state estimator, attack and detection method are numerically tested using MATLAB and PyTorch in this section. IEEE 14-bus system is used as a benchmark for completing the simulations. The test system's load data is derived from the New York independent system operator (NYISO) over a period of two days. Parameters' values and the system's states are obtained using MATPOWER [39]. As depicted in Fig. 1, the IEEE 14-bus grid is partitioned into 4 areas; buses 1, 2, and 5 are in area 1, buses 3, 4, 7, and 8 are in area 2, buses 6, 11, 12, and 13 are in area 3, and buses 9, 10, and 14 are in area 4. Boundary buses are marked in red. The state vector contains the magnitude and phase angles of all bus voltages. Measurements consist of PMU recordings on 6 bus voltages (circles in Fig. 1) and 17 line currents (squares in Fig. 1), expressed in rectangular coordinates too. The measurement noise is modeled as a zero-mean Gaussian with a standard deviation of 0.02 and 0.05. It is noteworthy that the current measurements on tie-lines connected to the boundary buses specify each area's actual range. In this regard, according to Fig. 1, it is specified using the gray dashed lines that the actual

A. DSE AND DETECTION METHODS
The developed distributed FDIA is employed on each of the test system's boundary buses and multiple buses 5 and 11 in order to assess its effect. Furthermore, a coordinated attack on two border buses is also modeled. The magnitude of attack is always 0.1 of the real measurement of the manipulated variable. In particular, two injection quantities of 90% and 110% of the true value are simulated for each attacked state variable. 90% signifies that the modified state variable has been set to a value that is 10% less than the true value. 100 random DSE and attack scenarios are conducted, and the average standard deviation of state variables are calculated throughout these runs. As described in the III-B, the suggested attack is capable of evading the bad data detectors of [5]. Figure 3(a)-(b) shows the per-area estimate error relative to the genuine data in the normal condition and attack to two buses 5 and 14, respectively. It should be mentioned that where areas are operated independently, none of their operators is capable of obtaining neighborhood-specific area errors and consequently, the graphics shown here can not be used to detect an attack. In addition to decentralized BDD methods, as shown in Sec. III-B and numerically made plain in that section as an illustrative example, the developed attack could circumvent  the convergence-based detection techniques. Convergencebased detection approaches, as detailed in [6], identify an assault by monitoring oscillations in the development of MSD. In each of the attack cases, this index is examined, and it is found that it is zero for targeting buses 14 and 11. The MSD diagrams for the coordinated attack to buses 5 and 14 over the iterations are shown in Fig. 4. As it is evident from this diagram, the MSD has no oscillation and by increasing the iterations, It eventually reaches zero or a particular value.

B. PROPOSED DETECTION METHODS
Tables 1 and 2 present the detailed results of the proposed method over different attack scenarios. As one can see, the proposed method is compared with the conventional machine learning-based FDIA detectors including C4.5, Adaboost with C4.5-based classifier, multilayer perceptron, Naive Bayes, and Random Forest [38]. For the proposed LSTM-based FDIA detector, the dataset was divided for the training and test sets. The ratio for the training set is 70%, the ratio for the testing set is 30%. For the training set, we used a 80% -20% train-validation pattern. For other classification methods, we used tenfold cross-validation. Table 1 presents the results for the validation accuracy of the proposed method and the training accuracy of other algorithms. Table 2 presents the results of applying the developed models on the test dataset. As can be seen from the results, the proposed method is superior to other methods in detecting attacks on phase angles while for voltage magnitudes, all methods have been able to detect all attacks. This is because the variance of changes in the phase angles is much more than voltage magnitudes. In other words, the data distribution change in voltage magnitudes is not too much to make any manipulation easier to detect.

VI. CONCLUSION
While emphasizing the importance of boundary buses in multi-area power systems, a distributed FDIA has been developed in this paper. It has been shown that the developed attack strategy can bypass distributed BDD methods and convergence-based detection ones. The first is provided by attacking the state of boundary buses through all corresponding measurements of those buses in neighboring areas, and the latter is achieved by equalizing the injected values by each area. Afterward, an LSTM-based framework is carefully designed to detect FDIA, which considers the temporal dependency of consecutive system states. Numerical results showed that the proposed method could gain excellent detection accuracy and deliver remarkable accuracy improvements to existing FDIA detectors.
MOSTAFA MOHAMMADPOURFARD received the Ph.D. degree from Shiraz University. He is currently a Marie Skłodowska-Curie Fellow at Istanbul Technical University and an Assistant Professor with the Sahand University of Technology. His research interests include power system cyber-security, machine learning, E-government, and computer security, with an emphasis on human factors and science for policy.