Cost-Effective Placement of Phasor Measurement Units to Defend against False Data Injection Attacks on Power Grid

Abstract: This study presents a phasor measurement unit (PMU) placement strategy in the presence of false data injection attacks, which are one of the most serious security threats against the power grid. It is focused on applications related to supervisory control and data acquisition (SCADA) systems, where measurement data can be easily corrupted by adversaries without getting caught by the system. To safeguard power grids against malicious attacks, procedures have been proposed to facilitate the placement of secure PMUs to defend against false data injection attacks in a highly cost-effective way. A method of identifying measurements that are vulnerable to false data injection attacks has been formulated. It was discovered that a weak power grid can be transformed into a robust power grid by adding a few PMUs at vulnerable locations. Simulations on the IEEE standard test systems demonstrate the benefits of the proposed procedure.


Introduction
Cyber attacks are increasingly seen as a tremendous threat to the modern power grid. As supervisory control and data acquisition (SCADA) systems become more interconnected, the connection between the power network and the Internet-connected management network makes them highly vulnerable to intrusions. Hackers may have already infiltrated the grid and left malicious code, causing serious security concerns. For example, in connection with the Northeast blackout of 2003, the first malicious software code known specifically to target SCADA systems was reported to have tried to infect thousands of remote terminal units (RTUs) [1]. On 23 December 2015, synchronized and coordinated cyber attacks damaged three Ukrainian power distribution companies, causing power outages to approximately 225,000 customers over several hours [2]. This worm-like behavior exacerbates the problem if a compromised system can cause extensive damage to the power grid as well as other critical infrastructures.
The restructuring of the power industry has transformed state estimation from important applications to critical applications. It is a key feature of modern energy management systems (EMS), which must provide a complete, consistent and accurate database as input to all other online applications, including contingency analysis, optimal power flow and economic dispatch. The control center analyses information from different measurements and estimates the current system operating conditions. The conventional state estimator uses a set of measurements to estimate the bus voltage phasor on the power grid. To date, these measurements were obtained only through the SCADA systems, which collect real-time measurements from RTUs installed at the substation [3].
One may add any type of measurement that will improve measurement redundancy and bad data detection; however, adding a phasor measurement unit (PMU) will potentially make the most

Related Works
To date, the aim of PMU placement has been to minimize the number of PMU installations while ensuring the full observability of power grid [11]. Ahmadi et al. [12] proposed a binary particle swarm optimization that tries to minimize the number of PMUs needed for full observability, with or without the existence of conventional measurements. Emami et al. [13] proposed a branch PMU placement method for full observability taking into account PMU failures. Korkali et al. [14] formulated a mixed ILP algorithm for network observability considering a specified channel capacity for the candidate PMUs. The research studies mentioned above focused on finding the minimum number of PMUs for the full observability of a network in various situations. However, these studies did not consider cyber security issues. These methods may fail in the presence of intelligent cyber attacks.
Cyber attacks against SCADA systems can affect the state estimation results and lead to more misleading operations and control functions, which can have catastrophic consequences. The possible attacks shown in [15] can be denial-of-service (DoS) attacks on the RTUs, deception attacks on the data passed over the communication network or attacks directed to the SCADA master over a local area network (LAN). Some of the literature has already mentioned these problems, such as false data injection attacks, security constrained control and replay attacks [16,17]. Liu et al. [17] were the first to study human-made false data injection attacks against power grid state estimation. It was shown [17] that a malicious attacker can manipulate the state estimate while avoiding bad data detection. The attacker's goal was either random or targeted false data injection attacks. Various practical false data injection attack detection algorithms have been designed as follows. Kosut et al. [18] assumed that they used a graph-theoretic approach to launch a stealthy false data injection attack. In [18], a computationally efficient algorithm was derived to detect false data injection attacks using the generalized likelihood ratio test. Huang et al. [19] proposed cumulative sum (CUSUM)-based quickest detection (QD) that represents a tradeoff between the attack detection speed and performance. Recently, Bobba et al. [20] and Kim et al. [21] investigated the use of a minimum set of meters to mitigate cyber attacks using heuristic algorithms. These approaches were used for a greedy algorithm. To achieve perfect protection in the method proposed in [20], it is necessary and sufficient for the operator to protect some meters that are chosen such that the submatrix of the power network Jacobian matrix according to these meters has numerically full rank.
Energies 2020, 13, 3862
Unfortunately, perfect protection is generally difficult in practice because the number of state variables in a power grid is typically large. In addition, Kim et al. [21] proposed a greedy algorithm that strategically identifies the measurements to be protected to increase the number of vulnerable meters for cyber attacks. The above strategy does not consider the impact of random or targeted attacks on a given power grid. Furthermore, the proposed iterative greedy algorithm has a heavy computational burden and does not converge to the global optimum. Hug et al. [22] proposed AC state estimation and presented techniques for performing a hidden false data injection vulnerability analysis. Mehdi et al. [23] proposed a novel bad data detection to identify false data injection attacks on the power system state estimation. This paper introduces and evaluates a novel false data injection attack detector by introducing a nonlinear autoregressive exogenous (NARX) neural network and its prominent features to provide an attractive predictor engine to estimate the states.

Preliminaries
This section introduces the power system model, theory of state estimation and basic principles of the false data injection attacks.

System Assumptions
In this study, it is assumed that:

• Given power grids consist of active power flow measurements at all branches on both ends;
• A simplified linearized approximation model is considered;
• A PMU placed at a given bus can measure both the voltage and current phasor at all branches present at that bus;
• The measurements obtained by the PMUs are secure since the PMU networked system has been designed for secure data transfer.

Active Power Flow Model
The given power grid has n buses. Only the model consisting of active power flows $P_{ij}$ and bus phase angles $\theta_i$ (where i, j = 1, ..., n) is considered. Assuming that the resistance in the transmission line connecting buses i and j is small compared to its reactance, the active power flow model can be considered as follows [24]: where V is a voltage magnitude and X is a reactance.

State Estimation
In this chapter, the state estimation problem is considered to estimate n phase angles given a set of active power flow measurements m. It assumes that the voltage level of each bus and the reactance of each transmission line are known.
For a given power grid, the linear approximation model for the active power flow measurements and bus phase angles can be expressed in the following form [17]: where z is the active power flow measurement vector (m × 1); H is the constant Jacobian matrix (m × n); x is the bus phase angle vector (n × 1); and e is the measurement error vector of independent zero-mean Gaussian variables with covariance matrix R, $e \sim N(0, R)$, $R = \mathrm{diag}(\sigma_1^2, \sigma_2^2, \ldots, \sigma_m^2)$, where σ is the variance of meter error.
If the measurement error follows a standard normal distribution and m > n, which means the system is over-determined, the estimation problem can then be solved as follows.
In general, a bad data processor incorporated into state estimation is beneficial for power system application functions. However, bad data detection is closely related to the measurement redundancy, which means false data appearing in non-redundant measurements cannot be detected. This fact will be discussed in more detail in Section 4.

False Data Injection Attacks: Basic Principle
The authors of [17]  H T where P is a so-called projection matrix. If the attacker can compromise specific k meters, where k > m − n, then there always exist attack vectors a = Hc such that a ≠ 0. In the control center, the measurement residual r (the difference between the observed values and the estimated values) is calculated as follows.
If the residual r is larger than expected, an alarm is triggered, and invalid data are identified and eliminated. However, an attacker can access information about H and launch a false data injection attack on the power grid to ensure that the corrupted state is not detected by the measurement residual test.

Identification of Vulnerable Locations to False Data Injection Attacks
This section proposes a method to identify the vulnerable locations to false data injection attacks, especially sparse attacks with uncertain information. The model was designed assuming that the attacker has (1) perfect or (2) imperfect knowledge of the power grid. It then presents the evaluation metrics for construction of false data injection attacks.

Identification Method of Vulnerable Locations
Let's denote the attacker's understanding of the matrix H as where Y is an (m × m) diagonal matrix of branch admittance information and A is an (m × n) connectivity binary information matrix. If an attacker has perfect information, the attack vector a can be configured in the following form.
However, if the attacker does not know the branch admittance information, then he or she can assume Y = I and obtain the attack vector a (I is the identity matrix).
A set of most valid targeted attack vectors $\tilde{a}$ can be defined if there exist attack vectors such that a basis of the null space (or kernel) of $B$ and a basis of the null space of $B'$ are the same.
Theorem 1. The most valid targeted attack vector $\tilde{a}$ always exists when an attacker knows the perfect power grid topology and the imperfect power grid topology.
where $a$ and $a'$ are the basis sets of the null spaces of $B$ and $B'$, respectively. Im(H) and Im(A) are the image or range spaces, which is equivalent to having $a = Hc$ and $a' = Ac$, respectively, for some $c \neq 0$.
Proof of Theorem 1. Let $Y \in \mathbb{R}^{m \times m}$ be a matrix describing a linear map between two spaces $H \in \mathbb{R}^{m \times n}$ and $A \in \mathbb{R}^{m \times n}$, i.e., Y : If the attacker does not know the structure of matrix Y, s/he will have difficulty finding attack vector a. However, s/he can easily construct the most valid targeted attack vector $\tilde{a}$ since $Y = \mathrm{diag}(y_{11}, y_{11}, y_{22}, y_{22}, \ldots, y_{mm}, y_{mm})$, where y denotes admittance values, for some $y \neq 0$. Here the focus is on the most valid sparse targeted attacks that require the coordination of a small number of meters. In fact, false data injection attacks on a large number of meters are improbable because the attacker has limited resources. If all branches on both ends are metered, there are standard forms that characterize all of the most valid 2-sparse targeted attacks. Therefore, the attack vector $\tilde{a}$ can be obtained through the inverse matrix of Y.
An example 5-bus system is introduced to explain Theorem 1 in the next section.

Example 5-bus System
For example, in the power grid model shown in Figure 1, the following model is obtained in which the measured values consist of active power flows at all branches on both ends. It should be noted that the system observability is independent of the operating state of the system, as well as the branch parameters. If the attacker does not have perfect power grid topology information, then he or she can assume that matrix Y is the identity matrix [25].
where $x = (\theta_2, \theta_3, \theta_4, \theta_5)^T$ and $\theta_1$ is a reference bus phase angle. The reference bus is normally excluded from the states and the corresponding column does not exist in matrix A. Here $A^T A$ is invertible, and it can estimate the phase angles in the power grid. Now, matrix $B'$ becomes
Matrix $B'$ represents the most vulnerable measurements, i.e., columns 9 and 10, which means that the meter measurements in branch 2-5 are sensitive to valid targeted attacks. Ideally, the attacker would like to use as few meters as possible to reduce the cost of an attack. As discussed in [17], the attack vector a contains corrupted values to be added to the real measurement z. The attacker's goal is to fool the EMS into thinking that a particular power flow measurement is $z_a = z + a$. The attacker needs to find a most valid targeted attack vector $\tilde{a}$ such that $B'\tilde{a} = 0$. For example, the attacker represents $\tilde{a}$ as $\tilde{a} = (0, 0, 0, 0, 0, 0, 0, 0, 1, -1, 0, 0)$. It uses branch reactance to indicate the real power grid topology to evaluate whether such attacks are successful.

Impacts of Adding a PMU on Power Grid
As in the earlier example, assuming the voltage magnitudes $|V_i| = 1$, reactances $X_{ij} = 1$ and no shunt lines for the power grid in Figure 1, the PMU is installed on bus 5 to obtain the following augmented model: where $A_{aug}$ is the augmented Jacobian and $A_{pmu}$ contains the rows that correspond to the phasor measurements. The augmented measurements are the phase angle in bus 5 and the current flowing from branch 5 to 2. Then the matrix $B_{aug}$ of the augmented model becomes:

$$B_{aug} = \begin{bmatrix} 0.0506 & \cdots & -0.0127 & 0.0127 & \cdots & 0.0127 \\ 0.1899 & \cdots & 0.2025 & -0.2025 & \cdots & -0.2025 \\ -0.0633 & \cdots & 0.2658 & -0.2658 & \cdots & 1.7342 \end{bmatrix}$$

In the example above, the attacker cannot always generate valid attack vectors to inject arbitrary errors into the state variable estimate in the case of a false data injection attack.
Therefore, the possibility of generating valid targeted attack vectors is primarily of interest and shows how likely it is that the attacker can find such attack vectors to attack a power grid with or without PMUs.
Based on the evaluation objective, it uses the following evaluation metrics: the probability that the attacker can successfully construct an attack vector given the specific meters. Figure 2 shows the relationship between the success probability and the percentage of specific meters to compromise in the example 5-bus system with/without PMU. In the "no PMU" case, an attacker would need to compromise about 10% or more of the meters to have a probability of constructing an attack vector. In the "PMU at bus 5 (bus 5 is a vulnerable bus with 1 conventional meter)" case, an attacker needs to compromise about 35% or more of the meters. When an attacker targets a vulnerable location, s/he only needs to compromise a few meters (less than about 10%). Thus, the power grid is secured against the targeted attacks when the PMU is installed at bus 5 rather than the other buses.
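The residual test, the 2-sparse vector on branch 2-5 and the effect of a secure PMU at bus 5 can be reproduced on a small model; the following is an added example, not code from the paper. The branch list, unit reactances (Y = I), the noise-free operating point `X_TRUE` and all function names are assumptions constructed for illustration, and the vulnerability screen only considers shifts of a single bus angle.

```python
from fractions import Fraction

# Constructed 5-bus topology (an assumption, not the paper's Figure 1): bus 1 is the
# reference and bus 5 hangs off bus 2, so branch 2-5 carries meters 9 and 10.
BRANCHES = [(1, 2), (1, 3), (2, 3), (2, 4), (2, 5), (3, 4)]
STATES = [2, 3, 4, 5]                                  # theta_2 .. theta_5
X_TRUE = [Fraction(-1, 10), Fraction(-1, 5), Fraction(-3, 10), Fraction(-1, 4)]  # constructed
ATTACK = [0] * 8 + [1, -1, 0, 0]                       # the 2-sparse vector quoted on the page


def build_A(branches=BRANCHES, states=STATES):
    """Connectivity matrix A (Y = I): one active-flow meter at each end of every branch."""
    rows = []
    for i, j in branches:
        fwd = [(s == i) - (s == j) for s in states]    # P_ij ~ theta_i - theta_j
        rows += [fwd, [-v for v in fwd]]               # P_ji = -P_ij
    return rows


def add_pmu_at_bus5(A):
    """Append two secure PMU rows: the angle at bus 5 and the current from bus 5 to bus 2."""
    return A + [[0, 0, 0, 1], [-1, 0, 0, 1]]


def solve(M, b):
    """Exact Gauss-Jordan elimination over Fractions for the small normal equations."""
    n = len(M)
    aug = [[Fraction(v) for v in row] + [Fraction(bi)] for row, bi in zip(M, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        aug[col] = [v / aug[col][col] for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [vr - f * vc for vr, vc in zip(aug[r], aug[col])]
    return [row[-1] for row in aug]


def estimate(H, z):
    """Least-squares state estimate x = (H^T H)^-1 H^T z, taking R = I."""
    n = len(H[0])
    G = [[sum(row[i] * row[j] for row in H) for j in range(n)] for i in range(n)]
    g = [sum(row[i] * zi for row, zi in zip(H, z)) for i in range(n)]
    return solve(G, g)


def residual_norm2(H, z):
    """Squared norm of r = z - H x_hat, the quantity the bad data detector thresholds."""
    x = estimate(H, z)
    return sum((zi - sum(h * xi for h, xi in zip(row, x))) ** 2 for row, zi in zip(H, z))


def residual_after_attack(H, attack=ATTACK, x_true=X_TRUE):
    """Residual seen by the control center when only the conventional meters are altered."""
    z = [sum(h * x for h, x in zip(row, x_true)) for row in H]   # noise-free readings
    a = list(attack) + [0] * (len(H) - len(attack))              # PMU rows stay untouched
    return residual_norm2(H, [zi + ai for zi, ai in zip(z, a)])


def single_state_support(H, states=STATES):
    """Meters (1-based) that must change together to shift one bus angle unnoticed."""
    return {bus: [k + 1 for k, row in enumerate(H) if row[c] != 0]
            for c, bus in enumerate(states)}


if __name__ == "__main__":
    A = build_A()
    support = single_state_support(A)
    print("meters per shifted angle:", {b: len(m) for b, m in support.items()})
    print("residual^2, no PMU      :", residual_after_attack(A))
    print("residual^2, PMU at bus 5:", residual_after_attack(add_pmu_at_bus5(A)))
```

Without the PMU rows the residual stays at zero, so the residual test has nothing to flag; with the two secure rows appended the same altered readings leave a nonzero residual for the detector to threshold.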

Proposed PMU Placement Algorithm Considering Cyber Security Constraint
This section presents an optimization problem whose objective is to place a minimal number of PMUs at the best locations so that all nonredundant measurements are transformed into redundant ones. An integer linear programming (ILP)-based algorithm for the PMU placement has been modified to determine optimal PMU locations to ensure full observability under the cyber security constraint. The proposed ILP-based optimization problems are:

$$\min \sum_{i}^{n} w_i \quad \text{subject to} \quad A_O X \geq \mathbf{1} \qquad (20)$$

where n: total number of buses; 1: vector whose entries are all equal to 1; $A_O$: binary information matrix of connectivity between all buses with/without conventional meters; $A_S$: binary information matrix of connectivity between vulnerable buses identified by the matrix B; X: binary (0/1) vector.
Equation (20) expresses the full observability and cyber security constraints, respectively. Thus, the solution X of the proposed optimization problem will provide the robust placement of PMUs which will eliminate all vulnerable locations for targeted attacks.
In order to take cyber security into account while placing the PMUs in the power grid for full observability, the power grid can be considered as a graph G(V, E), where V and E represent buses and branches, respectively. The vulnerable branches can be seen as events resulting in a graph with vulnerable buses. Based on the above concept, a procedure for incorporating cyber security into a topological observability based PMU placement algorithm is developed. The proposed procedure can be explained with the help of the ILP-based PMU placement algorithm. The benefits of this new configuration are that the system will no longer be vulnerable to targeted attacks and the number of PMUs can be reduced.
The proposed ILP-based PMU placement algorithm is summarized as follows:
(1) Identify rows of $\min \|P_l\|_0$ in the matrix P;
(2) Identify $a_l$ if and only if $b a_l = 0$;
(3) Find the full observability constraint;
(4) Find the cyber security constraint; the cyber security constraint in the proposed ILP algorithm is modified by the determined vulnerable locations;
(5) The total solution is obtained by the proposed ILP algorithm.
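Steps (3) to (5) can be worked through on the IEEE 14-bus case that the simulation section reports on; this is an added example, not the authors' implementation. It assumes unit weights, replaces the ILP solver with exhaustive search, models the security rows as "each vulnerable branch has a PMU on one of its end buses", and treats a grid with conventional meters as already observable; the function names are hypothetical.

```python
from itertools import combinations

# Standard IEEE 14-bus test case: 14 buses, 20 branches.
BRANCHES_14 = [(1, 2), (1, 5), (2, 3), (2, 4), (2, 5), (3, 4), (4, 5), (4, 7), (4, 9),
               (5, 6), (6, 11), (6, 12), (6, 13), (7, 8), (7, 9), (9, 10), (9, 14),
               (10, 11), (12, 13), (13, 14)]
VULNERABLE_BRANCHES = [(7, 8)]     # the page reports B7 and B8 (branch 7-8) as vulnerable


def observability_rows(n, branches):
    """Rows of A_O: bus i is observed by a PMU at i or at any bus adjacent to i."""
    rows = {bus: {bus} for bus in range(1, n + 1)}
    for i, j in branches:
        rows[i].add(j)
        rows[j].add(i)
    return list(rows.values())


def security_rows(vulnerable_branches):
    """Assumed form of A_S: every vulnerable branch has a PMU on one of its end buses."""
    return [set(branch) for branch in vulnerable_branches]


def min_placements(n, rows):
    """All minimum-cardinality X with row . X >= 1 for every row (unit weights w_i = 1).

    Exhaustive search by increasing size; adequate for 14 buses, not for 118.
    """
    for k in range(n + 1):
        found = [set(c) for c in combinations(range(1, n + 1), k)
                 if all(row & set(c) for row in rows)]
        if found:
            return k, found
    return None, []


def place_pmus(n, branches, vulnerable, meters_present):
    """With conventional meters the grid is taken as already observable (assumption),
    so only the security rows remain; without them both constraint sets apply."""
    rows = security_rows(vulnerable)
    if not meters_present:
        rows = observability_rows(n, branches) + rows
    return min_placements(n, rows)


if __name__ == "__main__":
    for meters in (False, True):
        k, sols = place_pmus(14, BRANCHES_14, VULNERABLE_BRANCHES, meters)
        print("with meters" if meters else "without meters", "->", k, "PMU(s);",
              len(sols), "optimal placement(s), e.g.", sorted(sols[0]))
```

Under these assumptions the search returns 4 PMUs without meters, with (B2, B6, B7, B9) among the minimizers, and 1 PMU with meters, where B7 and B8 tie and the page selects B8.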

Simulation Results
To validate the proposed procedure introduced above, we have performed simulations on IEEE 14-bus, 30-bus and 118-bus systems. Configuration data of the test systems obtained from the MATPOWER package was used [26]. In each test system, the state variables were the phase angles of its own buses, and measurements were active power flows at all branches on both ends, given the conventional meters.

IEEE 14-Bus System
The placement of secure PMUs by the proposed method was considered. Figure 3 shows the IEEE 14-bus system. The IEEE 14-bus system consists of 14 buses, 20 branches and 5 generators with reference bus B1.
Thus, 4 PMUs are required for full observability under cyber security achievement without conventional meters. In the case of full observability under cyber security with conventional meters, 1 required PMU could be obtained. Checking the redundancy of matrix B in this system yielded vulnerable locations B7 and B8 in branch 7-8. The placement of a secure PMU at bus 8 made the power grid completely secure from false data injection attacks because the matrix B has a full degree of redundancy, i.e., all $\|B_l\|_0 = 40$. For evaluation, the metrics of probability of finding attack vectors are shown in Figure 4.
Table 1. PMU placement to ensure cyber security with/without conventional meters in IEEE 14-bus system.

| Given Topology | Number of Required PMU | PMU Placement |
|---|---|---|
| Without Meters | 4 | B2, B6, B7, B9 |
| With Meters | 1 | B8 |

IEEE 30-Bus System
Figure 5 shows the IEEE 30-bus system. The IEEE 30-bus system consists of 30 buses, 41 branches and 6 generators with reference bus B1.
Thus, 10 PMUs are required for full observability considering cyber security achievement without conventional meters. In the case of full observability considering cyber security with conventional meters, 3 required PMUs could be obtained. Checking the redundancy of matrix B in this system yielded vulnerable locations B9, B11, B12, B13, B25 and B26. The secure PMU candidate placement sets are (B9, B12, B25), (B9, B12, B26), (B11, B13, B26), (B9, B13, B25), (B9, B13, B26), (B11, B12, B25), (B11, B12, B26) and (B11, B13, B25). The placement of PMUs at buses (B11, B13, B26) made the power grid completely secure from false data injection attacks because matrix B has a full degree of redundancy, i.e., all $\|B_l\|_0 = 82$. For evaluation, the metrics of the probability of finding attack vectors are shown in Figure 6. The proposed ILP solution results are summarized in Table 2.

IEEE 118-Bus System
Figure 7 shows the IEEE 118-bus system. The IEEE 118-bus system consists of 118 buses, 186 branches and 54 generators with reference bus B1.
As a result, 32 PMUs are required for full observability considering cyber security achievement without conventional meters. In the case of full observability considering cyber security with conventional meters, 7 required PMUs could be obtained. Checking the redundancy of matrix B in this system yielded the following vulnerable locations: B8, B9, B10, B12, B68, B71, B73, B85, B86, B87, B110, B111, B112, B116 and B117. The placement of PMUs at buses (B10, B73, B87, B111, B112, B116, B117) makes the power grid completely secure from false data injection attacks because matrix B has a full degree of redundancy, i.e., all $\|B_l\|_0 = 372$. For evaluation, the metrics of probability of finding attack vectors are shown in Figure 8. The proposed ILP solution results are summarized in Table 3.

Conclusions
In this paper, the problem of sparse targeted false data injection attacks on meters of the power grid was introduced and it was shown that these cyber attacks could lead to incorrect state estimation results. The attacker can take advantage of the configuration of a power grid to launch targeted attacks that bypass the existing bad data detection methods. To defend against these attacks, a procedure was proposed to identify vulnerable locations from the projection and residual sensitivity matrix, and the ILP algorithm was used to formulate the problem of secure PMU placement under both full observability and cyber security constraints. The proposed method can be used in the design of any power grid topology for cyber security under various conditions. Finally, we demonstrated on the IEEE bus systems that our method is more secure and economical for defense against sparse targeted false data injection attacks. These results can be helpful in building power grids that are less vulnerable to false data injection attacks. In summary, the main contributions of this study are the following:
(1) Identification of vulnerable locations when an attacker has perfect or imperfect knowledge about the topology of the power grid;
(2) Suggestion of evaluation metrics to prove vulnerable locations;
(3) Development of an integer linear programming-based algorithm considering both full observability and cyber security constraints.
The proposed method is expected to contribute to defending the power grid against the false data injection attacks as a low-cost and highly efficient protection strategy.
Future research topics include the cyber security of state estimation using AC power flow model and anomaly detection techniques to defend against false data injection attacks in power grid, such as a data-driven approach. In addition, these studies for cyber attacks and defenses can be extended to wide area measurement systems (WAMS) or micro grid linked to distributed generations and storage such as photovoltaic panels and plug-in electric vehicles.
Funding: This research received no external funding.