Resilient Consensus Control Design for DC Microgrids against False Data Injection Attacks Using a Distributed Bank of Sliding Mode Observers

This paper investigates the problem of false data injection attack (FDIA) detection in microgrids. The grid under study is a DC microgrid with distributed boost converters, where the false data are injected into the voltage data so as to investigate the effect of attacks. The proposed algorithm uses a bank of sliding mode observers that estimates the states of the neighbor agents. Each agent estimates the neighboring states and, according to the estimation and communication data, the detection mechanism reveals the presence of FDIA. The proposed control scheme provides resiliency to the system by replacing the conventional consensus rule with attack-resilient ones. In order to evaluate the efficiency of the proposed method, a real-time simulation with eight agents has been performed. Moreover, a verification experimental test with three boost converters has been utilized to confirm the simulation results. It is shown that the proposed algorithm is able to detect FDI attacks and it protects the consensus deviation against FDI attacks.


Introduction
In recent years, distributed control has received considerable attention due to its high efficiency, simplicity, and reliability. DC microgrids can be represented as a distributed system, and therefore, distributed control techniques are widely utilized to control these systems. However, due to the nature of distributed networks and also advances in cyber attack methods, these systems are vulnerable to malicious attacks. One of the positive points for these systems is the versatility of a wide range of DC sources, which allows these sources to be used simultaneously in a microgrid [1][2][3][4]. Small energy sources such as solar photovoltaics, fuel cells, batteries, and other renewable energy sources (RESes) [3] mainly have low output voltage and need boost converters to increase the voltage levels up to the network reference. The most popular control techniques used to regulate the voltage are backstepping [5], sliding mode control (SMC) [6,7], model predictive control (MPC) [8,9], and passivity-based control [10]. These methods have the advantages of robustness, stability, optimality, and flexibility [11].
In a microgrid, to supply distributed loads of different types, we need distributed networked RESes with two features: all must be grid-connected and operate autonomously [12]. In these cases, designing a distributed control law to reach an agreement between all nodes regarding certain constraints that depend on the state of all agents is named a consensus algorithm [13]. Decentralized and distributed controls are two main keys for consensus problems [14].

1. Compared to previous studies such as [12,22], the proposed approach develops a bank of robust observers for each agent that makes the detection and isolation of the false data injection attacks feasible. Therefore, by eliminating the effect of the attack in the consensus law, a resilient control is achieved.
2. The controller and observers are designed based on robust approaches, which is very important in practical applications. It is shown that consensus is successfully achieved even in the presence of cyber attacks, while the modeling uncertainty is considered.
3. A resilient consensus law is proposed to remove the false data injection attacks from the agreement procedure.
4. The practical efficiency of the proposed method is evaluated in an experimental testbed that is close to real-world applications. To this aim, a complex real-time hardware test is performed by MATLAB, Simulink real-time (XPC-Target), LAN communication, FPGA and Microblaze coding, control board design, and three DC-DC boost converters.
The remaining structure of this article is as follows. In Section 2, the basic concepts for graph theory, consensus protocol, and the microgrid model are presented. A model for the communication link attacks is provided in Section 3. Sliding mode controller and observers are designed in Section 4. The proposed resilience consensus law is developed in Section 5. Simulations and experimental validation are presented in Sections 6 and 7. Finally, the paper is concluded in Section 8.

Graph Theory
In this section, some basic definitions of graph theory are reviewed. A graph is a set of nodes that are connected to each other by several links. It is denoted by $G = \{V, E, A\}$, which represents the information flow between the nodes in the network; $V = \{v_1, \ldots, v_n\}$ is the set of network nodes, where $n$ is the number of nodes, $E \subseteq V \times V$ is the set of network links, and $A = [a_{ij}]$ is the adjacency matrix with $a_{ii} = 0$ and $0 < \delta \le a_{ij} < 1$, where $\delta$ is a lower bound for the gain of the adjacency matrix links. If node $i$ has access to the states of node $j$, there is a link between them, which is denoted by $e_{ij} = (v_i, v_j) \in E$. The neighbors of node $i$, which can communicate with node $i$, are denoted by $N_i = \{j \in V : (i, j) \in E,\ i \neq j\}$. $L = [l_{ij}] \in \mathbb{R}^{n \times n}$ is the Laplacian matrix, where $l_{ii} = \sum_{j=1,\, i \neq j}^{n} a_{ij}$ and $l_{ij} = -a_{ij}$ for $i \neq j$. The eigenvalues of the Laplacian matrix can be ordered as $\lambda_1 < \lambda_2 < \ldots < \lambda_n$, where $\lambda_2$ is called the algebraic connectivity of the graph. A graph is connected if and only if its algebraic connectivity is positive: $\lambda_2 > 0$. In a connected graph, agreement is reached if the condition $\lim_{t\to\infty} \left(x_i(t) - x_j(t)\right) = 0$, $\forall i, j = 1, \ldots, n$, holds [30,31].

Conventional Consensus Protocol
In a network of agents, reaching an agreement between nodes is called consensus. In general, each node is modeled as A dynamic graph is shown by $(G, x)$, where $G$ is the graph topology and $x$ is the agents' states that are described by (1). The consensus problem is described by finding a way to guide the agents' states to an agreement. In a simple and ideal multi-agent system, $u_i(t)$ depends on the states of neighbors that are compared and gained. This is expressed as: The neighbors of node $v_i$ are denoted by in which $m$ is the number of neighbors. The consensus protocol uses a function $u_i = f_c(x_i, x_{j \in N_i})$, which asymptotically produces a stable agreement. It is the main goal in the consensus problems. In general, a consensus rule with a variable topology graph, communication time delay, and asynchronous update for agreement is where $a_{ij}(t_i)$ is an entry of the adjacency matrix $A$ that may change with time and is related to the edge $E_{ij}$, $\tau_{ij} < \tau$ is the bounded delay related to the edge $E_{ij}$ at time $t_i$, and $t_j \le t_i$ is the update time for Agent $j$, which shows that the update time for any agent may be different. By (3), each agent state goes to the neighbors' states and the graph reaches consensus, $\lim_{t\to\infty} \sum_{j \in N_i} \left(x_i(t) - x_j(t)\right) = 0$.

DC-Microgrid Dynamic
The aim of this section is to introduce a typical model for a DC-DC boost converter in a state space approach. A typical DC-DC boost converter circuit is depicted in Figure 1. In this figure, $V_{in}$ is the battery voltage, $r$ is the sum of the inductor resistance and the battery resistance, $L$ is an inductor, $sw$ is an ideal switch, $D$ is an ideal diode, $C_o$ is the capacitor, and $R$ is the load. The inductor current $i_L$ is considered as state $x_1$, and the capacitor voltage $V_c$ (the output voltage) is considered as state $x_2$. Based on Kirchhoff's laws for the ON and OFF states of the switch, two models are given. These two models alternate with switching frequency periods.
Because the switching frequency is very high and the rise and fall times of the switch are very small, the average model for the converter can be used. According to the duty cycle of switch operation (the switch is ON for $d$ and OFF for $(1 - d)$ in any period), the non-linear average model of the DC-DC boost converter is presented in (4) and the linear time-variant state space is presented in (5).
where $x \in \mathbb{R}^n$ is the state vector, $y \in \mathbb{R}^p$ is the output vector, $u \in \mathbb{R}^q$ represents the known inputs, and the $r$ term is intended to take into account the voltage drop that is caused by the battery current. It is assumed that $A_i$, $B_i$, and $C_i$ are known matrices with appropriate dimensions. For power balance in the steady state, it is:

Cyber-Physical Attack Model
In microgrids, two features are very important: first, a global voltage reference exists, which must be followed by all the network nodes, and second, all the network nodes must follow the neighboring nodes. With these two requirements, the goal of the network, which is a uniform and homogeneous voltage distribution, is achieved. Because the microgrid consensus is based on interaction and communication within the network, the microgrid consensus is always under threat. Despite all the security and encryption in communications, there are always some attacks aimed at systems with destabilizing goals; thus, the agents must be sensitive to these attacks. In this case, it is assumed that attacks are performed by injecting false data into the output voltage information that is transmitted between neighboring agents in the network.
For cyber-link attacks in the ith controller, the attacked value can be modeled as where $k_{at}$ indicates the attack vector that expresses the existence of an attack, $f^{at}_{ij}(t)$ denotes the attack function in communication link $ij$, $T^{at}_{ij} > 0$ is the initial time of the attack, $y_i$ is the real voltage output of Agent i, and $y^{at}_{ij}$ represents the attacked value that Agent j receives through the communication link about Agent i. For example, according to Figure 2, the communication data from Agent i to Agent j are attacked and the voltage data delivered to Agent j are false. This malicious data leads to an incorrect consensus for the microgrid. For different types of attacks, $f^{at}_{ij}(t)$ can take different functions [32]: for FDIA, $f^{at}_{ij}(t)$ can take any function of time; for a replay attack, it can be $f^{at}$ , which blocks the link by preventing some or all data transmission over the communication link, and for a stealth attack, all data vectors may be replaced with malicious data in such a way that observers cannot find any deviation compared to the system model.

Observer-Based Attack Detection
To reach a correct consensus in a DC microgrid network, the communication data between the neighboring agents must be correct. If only one piece of the communication data within the network is attacked, the network will reach a false consensus around this value. Therefore, each agent must prevent the influence of defective data. Moreover, because of uncertainty in the model parameters due to factory tolerance, derating, temperature sensitivity, and others, the model is not accurate and the control needs to implement a robust strategy. In this paper, a sliding mode controller is proposed to control the converter, and a sliding mode observer (SMO) is proposed to detect the presence of the attack in the received data. To reach consensus in the proposed method, in addition to the conditions mentioned in the graph theory, each agent must be connected to $n + 1$ neighbors, where $n$ is the maximum number of attacks at a time. This is because, if $n$ attacks occur at the same time, at least one healthy link is still needed to achieve consensus.

Sliding Mode Control
The challenge for the boost converter is to design a control law for the duty cycle $u(t) \in [0, 1]$ that regulates the output voltage, $\lim_{t\to\infty} x_2(t) = x_2^d$ ($x_2^d$ is the desired output voltage), while the battery voltage $E$ is uncertain and bounded with $\Delta E < \zeta$. For this goal, a sliding mode control is designed. The boost converters represent non-linear dynamics with non-minimum phase characteristics [6]. Therefore, voltage regulation using the switching function $S = x_2 - x_2^d$ is not acceptable, even though it drives the output voltage to the desired value. This voltage sliding surface results in an unstable zero dynamic in the inductor current in the sliding motion [33]. According to the relation between position and velocity control, the dynamic of the current is much faster than the output voltage.
Theorem 1. Consider the system defined in Equation (4). For this system, there exists a distributed sliding mode controller that keeps the microgrid voltages in an asymptotically stable agreement.
Proof. Design the distributed sliding mode controller for each agent where $S$ is the sliding surface that is shown in Equation (9), sgn is the sign function, $k$ is the gain for the sign function, and $u_{eq}$ is the equivalent control law that is derived in Equation (11).
To improve the stability of the mentioned sliding mode control, $S$ is the state variable trajectory and is described as where the voltage error has been defined as $\tilde{x}_2 = x_2 - x_2^d$ and $\lambda_1$, $\lambda_2$, $\lambda_3$ are sliding coefficients. The time derivative of the switching function is $\dot{S}$ where $x_2^d$ is assumed to be constant, which is calculated by the consensus algorithm in Equation (3). In order to attend to the dynamics of the sliding surface, the time derivative of the sliding surface is investigated. The purpose of this rule is to ensure that, for any initial values, the states will reach the sliding surface. This equation expresses that if we are not on the sliding surface, the path $S$ is an absorbing path to the sliding surface. It is found from $\dot{S} = 0$ that The $u_{eq}$ value is calculated for the nominal parameters of the model, and according to the uncertainties of the model, another component must be added to the input to be robust. According to Equation (8), for finding the range of $k$ values, the stability condition of the sliding mode controller is $S\dot{S} \le -\eta|S|$. For achieving finite-time convergence,

Sliding Mode Observer Attack Detector
Observers are dynamic systems that are used to estimate the system states based on the measurements of system inputs and outputs [34]. The estimation occurs when we do not have access to some state variables or we face a fault detection problem. In order to design an observer for non-linear systems, or for systems with parametric uncertainty and perturbation, sliding mode observers are proposed. They are appropriate for robust estimation, accurate tracking, limited time convergence, and fault detection. In this paper, we convert a non-linear DC-DC boost converter problem to a time-varying linear problem by the assumption that we know the duty cycle values. According to Figure 3, if we have access to the duty cycle $d$, the non-linear model for the boost converter can be replaced with a linear time-varying model. By this definition, nothing changes for the system dynamics, and we can use a linear sliding mode observer for this problem.
In systems where software controls the process (usually, digital control systems execute some software), the safety of software cannot be measured and proven. In control and automation processes, due to the use of software, one of the approaches that is recommended to increase the safety of the systems is the use of different methods and algorithms for one process to increase the redundancy and security of the system. For this reason, with respect to matters of security and safety, it is recommended to use observers that have a completely different structure from the controllers in order to diagnose attacks and faults; if possible, the implementation methods for controller and observer must be different. The difference in the structure of controller and observer means that the smallest incompatibilities can be easily detected and catastrophic failures can be prevented.
For the observer, if we consider the system input as $d$, the system is modeled nonlinearly, and if we consider the system input as $v_{in} = E$, the system becomes a linear system whose dynamic varies with time. This assumption is correct because the values of these two parameters are always available. Considering these cases, the system state equations can be written as (5).
In order to design an observer, the pair $(A, C)$ must be observable. Therefore, we form the observability matrix as If the matrix $Q$ is full rank, the system is fully observable. A matrix of dimension 2 × 2 has full rank if its determinant is nonzero. Thus, This value is always nonzero for $d \neq 1$. Given that $0 < d < 1$ (in the simulation and experimental tests in this paper, $d$ is about 0.3), this assumption holds. Therefore, the system is completely observable. In the following, we will estimate the system states by using the proposed observer structure. (15) where $S$ is the sliding surface, $\hat{x}_{ij}$ is an estimate of $x_{ij}$, $A_{ij}$, $B_{ij}$, $C_{ij}$ are the observer matrices, and $u_{ij}$ is the input voltage for the boost converters ($V_{in}$). It describes the input voltage of the ith converter, which is used in the observer of Agent i, where this observer is located in Agent j, and $Gv$ is a term for robustness. In this problem and for a new matrix definition, we have and so $\dot{x}$ According to (15), for the observer, we have By calculation of the estimation error as follows, we have Thus, we have

$$\dot{e}_1 = A^{11}_{ij} e_1 + A^{12}_{ij} e_y + \beta v, \qquad \dot{e}_y = A^{21}_{ij} e_1 + A^{22}_{ij} e_y + \gamma v + k_{at} \dot{f}^{at}_{ij} \tag{20}$$

There are two constraints for sliding mode control: first, $\dot{e}_y = 0$ to stabilize the error dynamic, and when we are on the sliding surface, $e_y = 0$ must hold, so: In order for $e_1$ to be stable, must be stable, and then the error tends to zero. Therefore, by selection of $\beta$ and $\gamma$, the error dynamics will be stable. The effect of an attack is $F^{at}_{ij} = -\frac{\beta k_{at}}{\gamma} f^{at}_{ij}$, whose derivative appears in the derivative of the state estimation error.

Resilience Consensus Law
In order to achieve consensus when the system is faced with cyber attacks, the consensus law must be revised. The consensus law that is proposed in Equation (3) will be changed to the following equation. The outcomes of the attack observers are now incorporated into the consensus law as a result of this modification. Therefore, the attacked channels will be removed from the consensus protocol.
where $x^d_{2i}$ is the desired output voltage for Agent i and $Tr(x)$ is a threshold function.
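The attack model, residual-based detection and link exclusion described above can be exercised end to end in a small simulation. This is an added example, not the paper's code: it assumes an additive injection on link L23, replaces each converter and its sliding mode controller with a first-order voltage loop, replaces the sliding mode observers with a simple output-injection predictor that knows the neighbor's reference, and takes Tr(x) as a hard threshold. The three-agent ring, the attacked link, the 1 to 2 s window and the 24 to 28 V ramp follow the experimental section; all gains and the names `simulate` and `f_at` are constructed for illustration.

```python
import numpy as np

# Constructed parameters (assumptions, not values from the paper).
N = 3                     # three agents in a ring, as in the experimental testbed
V_REF = 24.0              # global voltage reference [V]
A = 0.5 * (np.ones((N, N)) - np.eye(N))   # adjacency: a_ii = 0, 0 < a_ij < 1
C_GAIN = 10.0             # consensus gain applied to neighbor errors
G_PIN = 5.0               # pinning gain toward the global reference
TAU = 0.01                # time constant of the closed voltage loop [s]
L_OBS = 100.0             # output-injection gain of the neighbor observer
THRESH = 0.5              # residual threshold used by Tr(.) [V]
DT, T_END = 1e-3, 3.0     # Euler step and simulated time [s]
SRC, DST = 1, 2           # zero-based indices: data of Agent 2 sent to Agent 3

def f_at(t):
    """Attack function: fast ramp up to +4 V (24 V -> 28 V), active for 1 s <= t < 2 s."""
    return min(4.0, 40.0 * (t - 1.0)) if 1.0 <= t < 2.0 else 0.0

def simulate(resilient):
    """Run the ring; with resilient=True, links whose residual exceeds THRESH are dropped."""
    v = np.array([22.0, 24.0, 26.0])       # output voltages
    ref = v.copy()                          # local desired voltages
    v_hat = np.tile(v, (N, 1))              # v_hat[j, i]: Agent j's estimate of Agent i
    max_dev = np.zeros(N)
    flagged, t_detect = set(), None
    for k in range(int(round(T_END / DT))):
        t = k * DT
        y = np.tile(v, (N, 1))              # y[j, i]: voltage of Agent i as received by j
        y[DST, SRC] += f_at(t)              # false data injected on the link only
        resid = y - v_hat                   # observer residual per link
        trusted = (np.abs(resid) < THRESH).astype(float)   # Tr(.) as a 0/1 weight
        for j, i in zip(*np.nonzero((trusted == 0) & (A > 0))):
            flagged.add((int(i) + 1, int(j) + 1))           # (sender, receiver), 1-based
            if t_detect is None:
                t_detect = float(t)
        w = A * trusted if resilient else A
        d_ref = C_GAIN * np.sum(w * (y - v[:, None]), axis=1) + G_PIN * (V_REF - v)
        d_v = (ref - v) / TAU
        d_hat = (ref[None, :] - v_hat) / TAU + L_OBS * resid
        ref, v, v_hat = ref + DT * d_ref, v + DT * d_v, v_hat + DT * d_hat
        if t >= 1.0:                        # deviation measured from attack onset
            max_dev = np.maximum(max_dev, np.abs(v - V_REF))
    return {"max_dev": max_dev, "flagged": flagged, "t_detect": t_detect}

if __name__ == "__main__":
    for mode in (False, True):
        out = simulate(mode)
        print("resilient" if mode else "conventional",
              np.round(out["max_dev"], 3), out["flagged"], out["t_detect"])
```

With the conventional weights the directly attacked agent deviates most and drags its neighbors with it; with the thresholded weights the deviation stays at the small amount accumulated before the residual crosses the threshold.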

Simulation and Results
In this section, the efficiency of the proposed method has been validated via Simulink real-time (SLRT) simulations. The case study is a network of eight DC-DC boost converters with non-linear dynamics that are linked as shown in Figure 4A. In this simulation, an attempt is made to choose a graph that considers different modes of connection. In general, the consensus is achieved faster if there are few links between agents; however, it leads to lower reliability as well as more vulnerability to cyber attacks. The coordinating algorithm to achieve consensus becomes more complicated when a large number of communication links is devoted to the agreement process, that is, when the connectivity order of the graph is high, even though it results in greater reliability. Moreover, when the number of participating agents increases, a more complex coordinating algorithm is required. Different components, i.e., sensors and communication links, may be targeted by attackers. The speed of the attack propagation and the scale of the impact will differ; for example, aiming at agents with more connections will result in a faster and greater deviating effect on neighbors. To address this issue, in the proposed algorithm, the communication link that has been attacked is detected and excluded from the agreement process. On the other hand, aiming at the input communication link of the agent with more neighbors has less effect on the overall graph since it has been removed from the agreement and there are still more inputs to achieve the goal. From a security viewpoint, a large number of connections is desirable because the attack impact is smaller and the attack is more likely to be detected. Therefore, for the proposed method, which is based on neglecting malicious input links, a large number of connections is more appropriate. To show the ability of the proposed method, a proper scenario is considered in which agents communicate with a maximum of four neighbor agents.
The goal of this paper is to achieve consensus in the output voltage of decentralized converters in the presence of FDIA. In the simulations, the parameters of the converters are $E = 200$ V, $r = 1$ Ω, $C = 2.2$ mF, $L = 2.2$ mH, the load resistance is $R = 60$ Ω, and the voltage reference is $V_{ref} = 315$ V. The parameters of the sliding mode controller are $\lambda_1 = 1$, $\lambda_2 = 2000$, $\lambda_3 = 0.5$, and the parameters of the observer are $\gamma = 1$ and the error pole is −600. To draw a comparison between conventional controllers and the proposed algorithm, two simulation scenarios are performed as follows.
First scenario: All the agents and communication links are healthy. The communication links have sample delays of [1, 2, 3, 1, 1, 2, 1, 2] and they are synchronous. At 0.5 s, an FDIA occurs over the communication link from Agent 2 to Agent 3. As shown in Figure 5, the output voltage of Agent 2 which is delivered to Agent 3 is different from the real output voltage of Agent 2 due to a cyber attack that injects a false datum into the communication link $L_{23}$. Thus, the observer which is located in Agent 3, and estimates the states of Agent 2, follows the attacked voltage, which is different from the real output voltage of Agent 2. Figure 5 is shown for a better understanding of what is happening. This figure explains the attack effect on the communication data, which shows that when the output voltage of Agent 2 is at the steady state (blue color), an attack occurs at 0.5 s and the reported voltage over the communication link deviates from the output voltage of Agent 2 (red color). Therefore, the observer of Agent 2 that is located in Agent 3 follows the attacked value.
As shown in Figure 6, by the conventional consensus control law, agreement deviates from the normal condition and the FDIA cyber attack is successful. According to this figure, the output voltages of all agents will deviate because all of them are connected to each other by the communication links. In this scenario, when Agent 3 receives the wrong data, the controller regulates its output voltage to a false value, and this false value is sent to the other agents over the communication links.

Second scenario: This scenario is the same as the first one, except that the consensus algorithm that is used to detect the attack is based on the developed algorithm in this paper. As shown in Figure 7, the voltages will reach consensus again immediately after the attack has occurred. Therefore, according to Figure 7, it is clear that the consensus will not deviate from FDIA cyber attacks and the consensus process will be performed properly in the presence of this type of attack. As shown in this figure, the attack at Agent 3 affects the other agents. The proposed algorithm detects the source of the attack using residuals from the observer banks, and removes the attacked communication links from the consensus process. Therefore, it is shown that the proposed algorithm has resiliency or attack-tolerant control abilities.

Experimental Results
In order to validate the results, an experimental prototype with three agents is prepared according to the graph shown in Figure 4B and the hardware shown in Figure 8. Due to limited laboratory equipment, the number of agents is reduced to three, and the main reason is that the control board does not support more than three channels. However, a different control board with more channels can be utilized for practical implementation. Moreover, due to the fact that the laboratory power supplies have limited output voltages which are less than 30 volts, the operating voltage is reduced. However, it is worth noting that the nature of the experimental test is not different from the simulations.
This test-bench consists of: a development computer for FPGA and Microblaze programming with the Xilinx-ISE and Xilinx-SDK software and a JTAG Xilinx programmer; a host computer to generate MATLAB code, boot the target computer over the network, and set up and log data from the target computer; a target computer that is booted by the Simulink real-time kernel, runs the tolerant consensus algorithm in real time, and communicates (Ethernet-UDP) with the FPGA; a Spartan 6-based FPGA control board that is a controller and logger for the boost converters in an independent and very fast structure; three boost converters that are placed at the graph nodes and supply the ohmic loads; three boost power supplies to supply the converters; three ohmic loads for three agents; three transmission ohmic loads between the agents to simulate the transmission power losses; and a 100 Mbps Ethernet switch for connection between agents, host computer, and the target computer. In general, this testbed consists of three boost converters that are tied in a physical ring-bus network and a communication network. In order to implement three independent control loops for three agents, an FPGA Spartan 6 based board is used. This processor is connected to the target computer via a LAN-UDP connection link. For ease of programming and debugging, some local control loops are implemented in the Microblaze Xilinx-SDK environment. The boost converters are a 150 watt commercial type with a maximum operating voltage of 36 volts. Each agent consists of an ohmic load of 23 Ω, a boost converter with an efficiency of about 90%, a power supply with a voltage output of about 17 volts, and 5 Ω transmission lines. The consensus control algorithm is implemented in the MATLAB software using Simulink real-time. Simulink and the FPGA exchange data over the LAN connection link at update rates of 1 and 10 kHz.
[Figure placeholder: testbed blocks DC-Source 1,2,3; FPGA-Controller; Target; Boost 1,2,3; Load 1,2,3; Host; Dev. Soft.]
According to Figure 9, the false data injection attack is aimed at the communication link $L_{23}$ between t = 1 and t = 2 s. It is shown that for the conventional consensus algorithm, the output voltages of the converters deviate and consequently the consensus mechanism is also violated. Therefore, the conventional consensus algorithms are vulnerable in the presence of attacks. The attack occurs by injection of a fast ramp voltage from 24 to 28 volts into the $L_{23}$ communication channel. Due to the fact that the converters are connected to each other through the 5 Ω power transmission lines, in practical applications, and in this experimental test, the output voltage measurement for each agent is affected by the other agents, and the voltage distribution is not ideally distorted. According to this figure, the maximum deviation is related to Agent 3, which is directly attacked. It is observed that after the end of the attack time, the consensus returned to its normal behavior. Figure 10 also shows that with the proposed algorithm, the effect of the attack is eliminated and the consensus for the graph will occur correctly. This figure shows that the proposed tolerant consensus is resilient in the presence of the FDI attacks. It is shown that using the proposed algorithm after the attack has occurred, the attack is successfully detected and isolated, and then the attacked channel is removed from the consensus process to achieve the agreement. This amount of deviation at the start of the attack is shown in Figure 10, which is actually due to the fact that the detection process and the control loops are running in parallel. The cost that this method imposes on the system is the requirement of a larger computational burden compared to the conventional method, and also this method needs to know the model of each agent.
It is worth noting that these costs are not comparable with the damages that may result due to cyber attacks.

Conclusions
In this study, an observer-based resilient control method was proposed to reach the consensus in a DC microgrid. In this microgrid, each agent is a battery-based boost converter and, at an unknown time, a false data injection attack appears. In order to control the voltage for each agent, the sliding mode control method has been used. To estimate the states of the neighboring agents, a bank of sliding mode observers has been proposed, which is organized to detect the attacks. If the states of the observers are not compatible with the communication data, the adjacency matrix will be modified with the correction values applied by the observers. The efficiency of the proposed method has been investigated by using simulations and experimental results. As a suggestion and continuation of the work in this paper, it is recommended that this method be extended for resiliency against stealth attacks. According to the results, it has been shown that by using the proposed method, the DC microgrid network will be resilient against false data injection attacks and the consensus will not deviate.