Stability Analysis of the Cyber Physical Microgrid System under the Intermittent DoS Attacks

Recent research has demonstrated the vulnerabilities of cyber physical microgrid to different rates of denial-of-service (DoS) attacks, which send internal requests to degrade the victim's performance. However, the interaction between the attacks and the security of microgrid remains largely unknown. In this paper, we address two fundamental questions: (1) What is the impact of intermittent DoS (IDoS) attacks on the security of cyber physical microgrid and (2) how can we analyze the stability of the cyber physical microgrid under IDoS attacks? To tackle these problems, we first model the cyber physical microgrid system considering the IDoS attacks on the network server. Based on the model, the interaction between the cyber system and the physical system is analyzed. Then, the impacts of IDoS attacks on the security of the cyber physical microgrid system are studied. It shows that the attack may lead to the system level oscillation with the information variation during the attack period. Therefore, a risk assessment method is proposed to investigate the stability of the cyber physical microgrid system under IDoS attacks. Lastly, the proposed methodology is verified by simulation results.


Introduction
In a microgrid system, the computing system, communication network and electric power physical system are integrated to form a multi-dimensional and heterogeneous complex system of real-time sensing, dynamic control and information service. Microgrid system usually consists of various distributed generations (DGs), storage devices and loads. It can operate in a grid-connected mode or an island mode, and smoothly switch between the two modes [1][2][3]. Recently, microgrid is considered as one of the most promising forms of smart grid [4][5][6]. From a grid point of view, microgrids can be viewed as control entities within the power system. From the customer's point of view, microgrids and traditional low-voltage distribution networks provide heat and power requirements [7]. By aggregating loads and multiple distributed energy resources, and renewable energy sources, the microgrid system has several main advantages: increasing the energy penetration of renewable energy sources, providing better energy supply in remote areas, and balancing power at the local level [8].
The stability and security are the prerequisites and constraints of the economic optimization of the microgrid [9,10]. Since the microgrid system has various types of components and complex characteristics, it is necessary to consider more factors, such as power balance, optimization, and rated value, which may affect the stability and the security of the microgrid. The problems associated with the inherent uncertainties such as time delays, packet losses, and cyber attacks have been extensively investigated in the microgrid [11,12]. The cyber physical security issue has attracted increasing attention. Several works indicated that the dynamic performance of frequency control was affected by communication delays [13]. In [14], security vulnerabilities and some solutions were discussed for DC microgrids. Literature [15] introduced the fact that cyber attacks on the microgrid protection systems may mimic real faults, cause component failure, and disable the communication links. Those existing cyber vulnerabilities may allow an attacker to impact the cyber physical infrastructure network [16].
Microgrids take advantage of Information and Communication Technologies (ICT) to enable enhanced system monitoring and control. In order to fully realize the operation of microgrids, it is necessary to expand the cyber network inter-connectivity so that information may flow securely between the different domains in the microgrids. In recent years, different kinds of cyber threats or cyber intrusions have become challenging issues in power systems [17]. In 2015, the Ukrainian power grid was attacked by the cyber attackers, which was considered the first cyber attack event causing power blackouts [18]. Literature [19] proposed a communication network of the SCADA (Supervisory Control and Data Acquisition) system with advanced communication technologies. They applied a trust-based intrusion detection and prevention (IDP) technology built on a monitoring, detecting, and rehabilitation (MDR) approach for cyber security analysis. By further understanding the dynamic nature of the network under cyber-attacks, literature [20] used an improved SCADA model equipped with IDP technology to enhance the cyber security of the communication network in a residential microgrid.
The National Institute of Standards and Technology (NIST) No. 7628 report has pointed out that three elements of network security are confidentiality, integrity, and availability (CIA) [21]. The cyber attacks broadly refer to the malicious attacks that destroy the CIA security target of network. The cyber attacker typically attempts to track the behavior of the communication system through exploiting the security vulnerabilities of network infrastructures. Then, the control rights of the system can be obtained without permission, which may affect the normal operation of power system.
Several models were established to analyze power system security operation under attacks, such as Petri net theory [22] and attack tree model [23]. Petri net modeling is good at a description of the attack process, as well as the relationship between the states of conversion [24]. However, the simple Petri net model is not suitable for modeling multiple concurrent attacks. A colored Petri net and the time Petri net model need to be studied further. To enhance network protection against cyber attacks, a four-way handshake mechanism was proposed to establish a secure connection in communication [25].
Cyber attacks mainly include DoS attacks, error data injection attacks, malware and virus attacks. A DoS attack is a resource-exhausting attack that exploits the flaws of network protocol/software or sends a lot of useless requests to exhaust the resources of attacked objects, so that the server or communication network cannot provide normal services [26]. In the power system, DoS attacks exist in different network layers with different types. DoS attacks may occupy the bandwidth resources and make the normal users unavailable for receiving quality services. Traditionally, DoS attacks can be easily checked by the network monitors for their high sending rates. However, there exist some kinds of intermittent DoS (IDoS) attacks that are difficult to be detected due to their low average sending rates of intermittence. The IDoS attacks, unlike the flooding-based DoS attacks, send out high-volume requests at regular intervals to occupy the normal information transmission. They occupy the communication bandwidth and disturb the information transmission.
In this paper, the cyber physical microgrid system is modeled considering an IDoS attack on the network services. The interaction between the cyber system and the physical system is analyzed. The effect on cyber physical microgrid system is studied under the IDoS attack. The cyber security of the system is investigated with the proposed risk assessment method. The cyber physical microgrid simulation results are illustrated to show the effectiveness of the theoretical analysis method.

IDoS Attack in a Cyber Physical Microgrid
In this section, we illustrate the impact of the IDoS attack on a cyber physical microgrid system, and analyze the system characteristics during each attack scenario. Can the physical microgrid system remain stable under the IDoS attack? What is the state of the cyber physical microgrid system under the IDoS attack?

Intermittent DoS Attack Definition
Generally, the information flows are transmitted to the control center through the network servers, then are transformed into physical energy flows through a state estimator under the measure monitors, and are then finally delivered to the corresponding circuit breakers or actuators in the microgrid system. In addition, the normal request received by the cyber network is composed of a large number of data packets transformed by acquired power voltage, power and other energy values of power nodes. These data packets are collected by a variety of smart meters in the actual microgrid operation. Once the IDoS attack is initiated, the attacker could dynamically adjust the number of normal requested service replicas through changing the arrival rate of the burst sequence pulses with ineffective requests.
In this section, an IDoS attack is defined as a burst of request queues R sent to the network server with an arrival rate γ_a over a short period of time τ. For simplifying the discussion, we assume that the IDoS attack pulse is denoted as a Dirac signal with an arrival rate γ_a and then the information request R = γ_a τ. An IDoS attack can impulse the interval pulses, and it is supposed that the IDoS attack pulses are imposed between a period of time T. Therefore, the IDoS attack can be modeled as a sequence of a signal impulse. If the attack pulses have the same arrival rates, the IDoS attack pulses reveal like a sequence of the signals: γ_a τ δ(t − T_k), where T_k is the arrival time of the kth pulse.
Considering the communication availability, we assume that the arrival rate of normal requests and attack requests are constants γ_n and γ_a, respectively. Consequently, the arrival rate of requests can be described as:

Modeling of the IDoS Attack in the Cyber Network
Figure 1 illustrates the interaction between cyber network and physical network in microgrid under an IDoS attack [27,28]. In the cyber network, the network server is modeled by three components to transmit information: the admission controller C1, the network server S1, and the feedback measurements F1. In the physical network, the microgrid system is modeled by the admission controller C2, the physical system S2 and the feedback measurements F2. The interaction operation between cyber network and physical network are mainly transmitted through the measure monitors M1 and M2. We use the controllers to adjust the error signal (e1, e2) from a set of input values (X_1, X_2) to reach the reference objectives.
We assume that the IDoS attack pulse is denoted as a Dirac signal with an arrival rate γ_a. The actual information utilization ρ(t) is related to the n(t), and the number of network logged requests n(t) is affected by the arrival rate of information requests involving the IDoS attack pulses. When ρ(t) is deviated to the desired information utilization, the admission controller is employed to adjust the utilization deviation. Therefore, the system dynamic state can be described by the information utilization ρ(t), the number of the network logged requests n(t) and the admission rate α(t) as follows: where ρ* is the utilization objective; K_1 and K_2 are proportional integral (PI) controller parameters; and A, B, C and D are the coefficients of utilization curve.
Referring to the multiplicative-increase and multiplication-decrease policy, the number of requests admitted at time t can be given by the multiplication of admission ratio α(t) and the attack pulse parameter γ(t). When an IDoS attacker transmits the intermittent pulses on the internet server, the actual information admission speed decreases, and the requests from normal users may be logged.
If ρ(t) is larger than the server utilization limit ρ_0, the thrashing index w is used to multiply constant service rate index µ to represent the severity of degradation in service. Therefore, the evolution of the number of the network logged requests n(t) can be expressed as: Equations (2)-(4) show the relationship between the number of pending requests n(t) and the server utilization ρ(t). In the normal state, the normal information requests are ρ_w × t × P_r(H/T) when γ equals γ_n, where H is the arrival information, P_r is the probability and ρ_w is the normal utilization in a period of time T. If there exist the attack, the actual information requests are ρ(t) × t′ × P_r(H/T′), where ρ(t) is the utilization in a period of time T′. To transmit the same information, the requests are the same as ρ_w × t × P_r(H/T) = ρ(t) × t′ × P_r(H/T′). Then, we can get the time value t′ = [ρ_w × t × P_r(H/T)] / [ρ(t) × P_r(H/T′)]. Thus, the information delay can be described as ∆t as the difference between t′ and t. The vulnerabilities of the cyber network under IDoS attacks are assessed when the periodic bursts of requests per second are sent over a short time duration in a period of time.
During the period of an IDoS attack pulse, the relationship of system state and the parameters of the attack is shown in Figure 2. The network server moves under different stages on the information utilization deviations when an attack pulse occurred at t = 0 s.
Once an attack pulse arrives, the server may move through three different stages before returning to the steady state: the arrival stage, the sustaining stage and the restoration stage. The arrival stage starts after the arrival of an IDoS attack pulse. During this stage, the utilization ρ(t) ≥ ρ* and the admission rate decreases. When ρ(t) is lower than ρ*, the server enters the sustaining stage during which the admission rate keeps decreasing. In the restoration stage, the admission rate and the utilization rate restore to the steady state.
Arrival Stage: When an attack pulse arrives, the system responds from the initial state with normal utilization ρ(t). The system state is characterized by the arrival rate of the requests. If ρ(t) < ρ*, the controller detects the abnormal deviation and starts to control the process to interrupt this stage.
Sustaining Stage: At the beginning of this stage, because ρ(t) < ρ*, α(t) stops decreasing and begins increasing. Consequently, ρ(t) keeps on decreasing. The evolution of the system state is controlled by the admission controller. If ρ(t) stops decreasing, the sustaining stage ends and then the system enters the restoration stage.
The variation of information requests lies in the system parameters and different conditions. If the pulse intermittent time is longer than the arrival stage, the controller stops attacking process, and the network sustains to recover from the network log time. If the pulse intermittent time is smaller, the network logged request decreases and the controller recovers the state automatically.
Restoration Stage: When the utilization rate stops decreasing, the system enters the restoration stage. The stage ends when the utilization reaches the desired value.
We illustrate the effect of an IDoS attack in these three stages. We use t1, t2 and t3 to denote the durations of these stages. Figure 2 demonstrates the admission rate's trajectory in the presence of the different kinds of IDoS attacks. If the attack duration time τ < t1, a new attack pulse arrives during the arrival stage. The next attack pulse arrives, while the admission rate continues decreasing and the number of logged requests also decreases because fewer requests are admitted. If τ < t1 holds for all of the attack pulses in extreme modes, α(t) will be kept at zero when the flooding-based IDoS attack occurs. Such kind of attack is not efficient because the majority of the attack requests will be detected and dropped. Therefore, the process can be continued to evolve as t1 < τ < t2.
If t1 + t2 < τ < t1 + t2 + t3, the next attack pulse arrives when the system is in the sustaining stage. In this case, the trajectory covers in these three stages. However, the admission rate cannot be restored to a desired one because the attack pulses occur in a short interval, which hampers the control process.
If τ > t1 + t2 + t3, the evolution of the system involves all four stages: the arrival stage, the sustaining stage, the restoration stage and the steady stage. We can compute the time it takes for the admission rate to recover and the number of rejected requests according to the above admission control model.
The contents of arrival packets are scrutinized by the Intrusion detection system (IDS) to find any suspicious activity. Most of the new IDoS attacks mimic the legitimate web service traffic, which leaves the traditional methods that are ineffective in detecting intrusions. Generally, the IDoS attacks typically last for 1 h sending ineffective requests to drop off legal internet services. Because the server may move through three different stages that have different duration times t1, t2 and t3 before returning to the steady state, the average rates of requests under attacks may change with intermittent pulse interval τ. If τ < t1, α(t) will be kept at zero when the flooding-based IDoS attack occurs in extreme modes. Such kind of attack is not efficient because the majority of the attack requests will be dropped. Therefore, for a complete IDoS attack, the time interval τ satisfies t1 + t2 < τ < t1 + t2 + t3.
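The following sketch is an added example, not code from the paper. It shows why a monitor that looks only at the average request rate misses the pulse train defined above, while a check for regularly spaced bursts catches it, and it relates the estimated pulse interval to the stage durations t1, t2 and t3. The traffic, thresholds, stage durations and all function names are constructed for illustration.

```python
"""Added example: spotting an intermittent-DoS pulse train in per-second counts.

Every number here (rates, thresholds, stage durations) is constructed.
"""
from statistics import mean, median, pstdev


def build_counts(duration_s, normal_rate, pulse_rate, pulse_len_s, period_s):
    """Constructed traffic: constant normal rate gamma_n plus a burst of
    gamma_a requests/s lasting pulse_len_s seconds every period_s seconds."""
    counts = []
    for t in range(duration_s):
        in_pulse = (t % period_s) < pulse_len_s
        counts.append(normal_rate + (pulse_rate if in_pulse else 0))
    return counts


def burst_starts(counts, factor=5.0):
    """Seconds at which a burst begins, i.e. the per-second count first
    rises above factor x median (the median is robust to short bursts)."""
    threshold = factor * median(counts)
    starts = []
    previous_high = False
    for t, c in enumerate(counts):
        high = c > threshold
        if high and not previous_high:
            starts.append(t)
        previous_high = high
    return starts


def analyse(counts, flood_threshold, factor=5.0, max_jitter=0.1):
    """Compare an average-rate monitor with a burst-periodicity check."""
    starts = burst_starts(counts, factor)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    avg = mean(counts)
    period = None
    periodic = False
    if len(gaps) >= 2:  # need at least three bursts to call it periodic
        period = mean(gaps)
        periodic = pstdev(gaps) <= max_jitter * period
    return {
        "average_rate": avg,
        "flagged_by_average": avg > flood_threshold,
        "peak_rate": max(counts),
        "burst_starts": starts,
        "period_s": period,
        "flagged_as_intermittent": periodic,
    }


def recovery_between_pulses(period_s, t1, t2, t3):
    """Map the estimated pulse interval onto the stage durations.

    t1, t2, t3 are the arrival, sustaining and restoration durations and
    are assumed to have been measured on the server being defended."""
    if period_s > t1 + t2 + t3:
        return "steady state reached between pulses"
    if period_s > t1 + t2:
        return "admission rate not restored before next pulse"
    return "next pulse arrives before restoration starts"


if __name__ == "__main__":
    # Constructed sample: 100 req/s normal load, 2000 req/s bursts of 2 s
    # every 50 s, observed for 200 s.
    sample = build_counts(200, 100, 2000, 2, 50)
    report = analyse(sample, flood_threshold=500)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Constructed stage durations in seconds.
    print(recovery_between_pulses(report["period_s"], t1=5, t2=15, t3=60))
```

On the constructed sample the average rate stays far below the flooding threshold even though the peak rate is more than four times that threshold, which is the detection gap the paragraph above describes.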
The established microgrid model under IDoS attack illustrates the interactions between cyber network and physical network. To understand dynamic behavior that the network, in response to the erratic load, offered by legitimate requests, we tend to obtain static properties through aggregations over time scales that are long enough to hide the transients of adaptation. Therefore, the usual rate of normal requests refers to a point in time when the number of arrival requests composed of a large number of data packets are normal for the admission controller in the web server to allow a large percentage of all requests to go through. That is, the microgrid system operates in steady state.
Once the system suffers from an IDoS attack, a surge in arrival demanded requests with a short period of time would push the system into overload. This, in turn, would result in the admission controller shutting off subsequent legitimate requests for a long time. Given the fact that under overloaded conditions, the system operates in an inefficient region (e.g., due to thrashing). If the system "recovers" from the ill-effects of this unsuspected surge in demand, an attacker would simply repeat the process with intermittent time interval. Although simplistic, this behavior illustrates the exploited adaptation strategies by adversaries to reduce system stability.
Given the admission rate α(t) and arrival rate γ(t) vary at time t, the number of requests admitted into a web server at time t is m(t) = α(t)γ(t), rather than the actual amount of arrival information requested R = γ_a τ over a short period of time τ. Considering the average service time T_S and the time on the round trip of subsequent data packets T_RTT, maximal simultaneous processing requests number is [n(t) · T_RTT / T_S + n(t)]. Therefore, the boundary conditions for the impulses that could cause IDoS attacks are that: (1) the web server reaches the maximum number of requests that can process; (2) the intermittent stimulus impulses block the communication channel, which greatly reduces the number of legitimate requests; (3) repeated attacks to the server over a long time make it overloaded, which causes the system oscillation due to an inefficient information transmission, i.e., communication delay.

Modeling of the Microgrid System under IDoS Attack
The microgrid can integrate various kinds of distributed energy resources (DERs) such as photovoltaic arrays, wind turbines and batteries to supply loads more efficiently. The physical microgrid system consists of DERs, DC-AC inverters, filters and the local loads. Each DER unit supplies the loads connected on the point of common coupling (PCC) node. The integrated scheme of the cyber physical microgrid system is shown in Figure 3.
In the existing cyber physical microgrid (Figure 3), the communication requirements of the physical microgrid are supported by the network in the cyber system [29]. The data deliveries between utility grids and control centers involving fuel cell (FC), battery (BT), photovoltaic array (PV), and Load are dedicated in the independent cyber network, as shown in Figure 4. In Figure 4, smart meters S_i conduct real-time acquisition of the relevant ith DER and load nodes' power measurement data.
Formed information packets are transmitted to the control center (CC) after monitoring and processing module. These data packets are transformed into control instructions for each electrical device in the microgrid based on the real-time optimized operation target. Once the network server suffers from an IDoS attack, the information transmission channels are blocked, and the affected execution controller C_i cannot receive commands in a timely manner due to the communication delay that cause improper switch action for the breaker B_i.
Energies 2017, 10, 680
For one DER and converter transmission line (Figure 5), according to Kirchhoff's voltage law and Kirchhoff's current law, the following set of equations is obtained: Then, the ith DER unit can be described as follows: DER i: .
where x_i(t) are state vectors; u_i(t) are input variables; w_i(t) is the disturbance transmitted from the cyber network; and A_i, B_i, and D_i are the coefficient parameters.
In a microgrid system, DERs are very dispersive and loosely connected to each other, so even two adjacent DERs are generally far away. When the control signals that come from adjacent DER unit are transmitted through the transmission line, communication delay is unavoidable. Under an IDoS attack, the information effect on communication delay can vary from tens to several hundred milliseconds or more. The extensive of information error would deteriorate the device performance. If the operation of the jth DER unit is affected by the IDoS attack, the time delay should be taken into consideration.
Therefore, the ith DER unit is re-described in the following form: DER i: .
where τ_ij is the information transmission time delay between the ith DER and the jth DER; and A_ij and D_i are the coefficient parameters when the delay-dependent controllers exist.

Risk Assessment in the Microgrid
The risk assessment method is proposed in order to evaluate the security of the cyber physical microgrid system. If the risk assessment index is violated, the operation modes of DERs need to be changed to the optimal power mode in a microgrid system.
Using the Monte Carlo simulation method, the probability stochastic process is established, and the index is calculated by probability sampling and the characteristic statistics method. Taking into account the operation parameters of the multivariate normal distribution system, the characteristics of the state probability distribution of the network are studied based on the uncertainty of the power network load and its operating parameters. Furthermore, the probability value of element failure is calculated by using the theory of Poisson distribution.
The risk assessment index and the corresponding severity are determined according to the result of the failure state of the element. The impact factor for the attack upon the system is determined by the utilization ratio and loading level. Especially, the loss of load (LOL) is quantified for a disconnected physical node. The impact level is assigned with a ratio to the power that denotes the loss of load and total load, respectively. To determine the value P_LOL, we can start with the value of the physical node and gradually increase the loading level of the entire system. This process continues until the power flow diverges. We propose the calculation formula of the security risk assessment index based on the quantification principle of the risk evaluation. It can be described by where p_vul is the possibility of the infrastructure vulnerability to transmit the cyber attacks. P_LOL / P_TL is the quantitative potential impact on the distribution system operation caused by cyber attacks. The security risk assessment index R can reveal the security risk of the system under attacks on a smart metering node.

Simulation Results
We carry out extensive experiments to evaluate the IDoS attacks in the cyber system. If the physical microgrid is affected by the network logged system, the information is disturbed with a variable time delay. The physical microgrid system under attack is modeled as a continuous mathematical system under variable time delays in different information routes.
In Figure 6a, the IDoS attack starts at time 0 s, lasts for 40 s and repeats every T = 50 s. The attack occurs in the period between 0 and 200 s. We evaluate such an effect by launching an IDoS attack with γ(t) = 2000 requests per second and a wide range of attack periods of about hundreds of seconds. It is assumed that the γ(t) requests are high enough to force the network server to decrease the utilization.
In the experiments, the attacker sends either periodic pulses or random pulses. Figure 6b illustrates that the utilization decreases in the attack period. It shows that the server has a long time to recover its admission rate and consequently takes in more normal requests. Hence, if an attacker wants to gain more profit, he would use the attack period in high intensity. It is clear that the admission rate drops to below 0.5 from its steady-state value of 0.89.
If the attack pulse time is smaller than $t_1 + t_2$, the trajectory of the admission rate involves mainly two stages: the sustaining stage and the restoration stage. If the (k + 1)th attack pulse arrives when the system is in the restoration stage, the trajectory involves the sustaining stage and the restoration stage. However, the admission rate cannot restore to the desired state during the attack period.
When the system operates normally, the IDoS attack would push the system into thrashing, causing a decline in the admission rate and hence a denial of service to the requests that lasts during the dynamic periods. Under normal workload conditions, the memory utilization is normal, and the admission ratio is between 0.8 and 0.9. If normal requests are injected when the IDoS attack is initiated, the system is pushed into thrashing, since those insignificant attack requests consume a lot of memory in the server. This inefficient period lasts for 200 s, until the admission controller recovers to admit all legitimate requests.
If the attack pulse time is between 0 and 500 s, which is longer than $t_1 + t_2 + t_3$, the evolution of the system involves all the stages in Figure 6b, and the admission rate can reach the steady values when ρ = ρ*. During the attack period, the normal requests are injected, causing the same scenario to repeat. The attack requests have caused denial of service for normal legitimate requests.
The utilization variation also depends on the admission controller parameter K, as well as on the degradation in the service rate µ with values w. It reflects the sensitivity of the controller to the error eradiation. In practice, the information communication delay will slow down the controller reactions and cause vulnerability to the microgrid.
The cyber physical microgrid (Figure 3) is simulated under normal operating conditions. To evaluate the performance of the microgrid, the parameters of the DERs are given in Table 1. If the communication network is normal, the control signal can be correctly transmitted from the cyber system to the power system. The simulation results are shown in Figure 7. After a brief start-up time, the output power of each power supply tends to be stable.
The simulation results illustrate the effectiveness of the system analysis process. When the system is under an IDoS attack, the data packets have an oscillating loss rate, and the control signal cannot be correctly transmitted to the power system. The simulation results are shown in Figure 8. The output power of the two battery packs will oscillate and become unstable.
If the communication rate drops to a certain extent under the IDoS attack, the physical microgrid is affected by communication congestion. Figure 9 shows that the power system cannot receive the control signal of the information system in time, and the output power of the battery packs will oscillate and be unstable.
In order to evaluate the effect of attacks on the physical system, an improved IEEE 33 node distribution system including DERs is simulated to analyze the validity of the proposed risk assessment approach (Figure 10). More specifically, the DERs are added at nodes 11 and 17 to supply power to the distribution lines. Moreover, nodes 3 and 22-27 are defined as the key loads, nodes 28-31 are treated as interruptible loads, and the rest of the load nodes are regarded as common loads. For an attacker aiming to make the system operation status available by controlling one node, the metric $p_{vul}$ would be the successful transmission possibility of attack information. We test the cases in which the IDoS attack impacts different nodes and calculate the risk assessment index. The simulation results are shown in Figure 11.
The risk assessment index R reveals the node security under attacks and the aggressiveness of the attacker in Figure 11. From the distribution of results, we can see that the security risk evaluation index of the DER nodes is lower than that of the other load nodes. Relative to the load nodes, DER nodes are configured with better monitoring equipment or located in key positions of the system with more output. As the attacker generally has difficulty succeeding with the target attack, the successful delivery possibility $p_{vul}$ is relatively low. Under the condition that the real-time load control makes the difference of load shedding smaller, the security risk index values of DER nodes are lower. With regard to load nodes, an attacker whose goal is to maximize system control ability may target nodes 25 or 32. Although node 25 is a key load node, it has lower importance and higher risk than other nodes because it is at the end of the radial structure of the system. As node 32 is a common load node, its security is also relatively low because of its location near interruptible loads. Thus, both of them may be vulnerable to attack and expose the stable operation of the system to a higher security risk. Thus, a large index R reflects a high level of aggression.

Conclusions
In this paper, we exposed microgrid security to IDoS attacks aiming at the physical system. Assuredly, the sustainability time of the general IDoS attack was affected by many factors, such as the individual knowledge and skills of the attackers, the strength of the security detection mechanism in the target system and the selection of potential attack points. In order to explain more clearly the influence of the communication delay caused by attacks on the stability of the microgrid, we assumed that the IDoS attack pulse was denoted as a Dirac function signal with an arrival rate, which is an instantaneous attack, and the arrival rate was set to be constant during each of the instances. As different stages may be affected by the duration of the attack, different IDoS attacks could cause varied degrees of communication delay on the system operation.
The impacts of the IDoS attacks were analyzed and proved to have the ability to force the system to oscillate along with the attacks. Since both the oscillation of the steady state error and the deviation from the desired steady state can affect the physical microgrid operation, the dynamic security of the microgrid system was analyzed under IDoS attacks. A risk assessment method for the cyber physical microgrid system was proposed in order to investigate the interactions. Finally, the experimental results were shown to verify the system operating characteristics. In future work, we will research the frequency and voltage variations in depth, considering the effectiveness and the cost of the attacks.

Figure 1. The interaction between the cyber network and the physical network in a microgrid.

Figure 2. The duration stage of an IDoS attack pulse occurred at t = 0 s.

Figure 3. Integrated scheme of the cyber physical microgrid.

Figure 4. The network diagram of the integrated cyber physical microgrid system.

Figure 5. Structure of a DER unit.

Figure 7. The output power under normal operating condition.

Figure 8. The output power of the two battery packs with data packet losses.

Energies 2017, 10, 680

Figure 9. The output power of the two battery packs with information congestion.

Figure 10. IEEE 33 distribution system with DER units.

Figure 11. The security risk index in the improved IEEE 33 distribution system.

Table 1. The parameters of the DERs.