Effects of cyber attacks on ac and high-voltage DC interconnected power systems with emulated inertia

: The high penetration of renewable energy resources and power electronic-based components has led to a low-inertia power grid which would bring challenges to system operations. The new model of load frequency control (LFC) must be able to handle the modern scenario where controlled areas are interconnected by parallel AC/HVDC links and storage devices are added to provide virtual inertia. Notably, vulnerabilities within the communication channels for wide-area data exchange in LFC loops may make them exposed to various cyber attacks, while it still remains largely unexplored how the new LFC in the AC/HVDC interconnected system with emulated inertia would be affected under malicious intrusions. Thus, in this article, we are motivated to explore possible effects of the major types of data availability and integrity attacks—Denial of Service (DoS) and false data injection (FDI) attacks—on such a new LFC system. By using a system-theoretic approach, we explore the optimal strategies that attackers can exploit to launch DoS or FDI attacks to corrupt the system stability. Besides, a comparison study is performed to learn the impact of these two types of attacks on LFC models of power systems with or without HVDC link and emulated inertia. The simulation results on the the exemplary two-area system illustrate that both DoS and FDI attacks can cause large frequency deviations or even make the system unstable; moreover, the LFC system with AC/HVDC interconnections and emulated inertia could be more vulnerable to these two types of attacks in many adversarial scenarios.


Introduction
In the modern power systems, there is an increasing attention on the integration of renewable energy resources (RES), energy storage devices, and high voltage direct-current (HVDC) links. In order to support frequency control in these low-inertia systems, the recent trends of research are oriented in proposing different virtual inertia emulation approaches [1][2][3]. To meet the changes, the conventional control scheme such as the load frequency control (LFC) is also adapting to handle the new scenario where controlled areas are interconnected by parallel alternating-current (AC) and HVDC transmission lines and energy storage systems (ESS) are added for emulating virtual inertia. On the other hand, this transformation has introduced a high dependence on data communications, as the control loops involved in the new LFC would use communication networks such as the supervisory control and data acquisition (SCADA) system to transmit measurements and control data. However, the communication channels in the SCADA network for data exchange, especially the ones for wide-area measurements, are usually unprotected, leaving the LFC system more exposed to cyber threats [4][5][6]. In fact, it has been reported that the conventional LFC loops of multi-area systems with pure AC interconnections can be vulnerable to a large number of malicious intrusions [7,8]. Furthermore, a deliberate attack targeted on the LFC system can have a direct effect on the system frequency and further cause severe damages to the stability and economical operation of the grid [9].
Different from the conventional LFC, in the context of modern power systems with AC/HVDC interconnections and emulated inertia by the ESS, more controllable resources would be added in the new LFC system to enable an improvement of the dynamical response. Furthermore, having more controllable devices also increases the vulnerability to cyber attacks. Though the cyber security concerns of conventional LFC in the normal AC system have been given considerable attention, it remains insufficiently answered how the new LFC in the hybrid AC/DC grid behaves under different cyber attacks. In general, each attack can be viewed in light of corrupting one (or multiple) of the following aspects of data; confidentiality, integrity, and availability Pan2017a. From the perspective of attack impact on the physical power system, the data integrity and availability attacks are more of interest for cyber security analysis. In fact, it has been reported that both data availability and integrity attacks can corrupt the conventional LFC system; see the related work in the following subsection. Thus, in this article, we are motivated to explore the effects of the typical data availability and integrity attacks-Denial of Service (DoS) and false data injection (FDI) attacks-on the new LFC considering AC/HVDC interconnections and the matter of virtual inertia. Here, the DoS and FDI attacks are mainly considered as they are major types of data availability and integrity attacks. For the DoS attack, it is one of the major threats against the availability of data [10]. The FDI attack is also known as a major class of integrity attack. Moreover, recent incidents, like the 2015 Ukraine blackout caused by hackers, have implied the feasibilities of DoS and FDI attacks on the smart grid devices of the real world [11]. Notably in this end, we have known that a DC grid has a low tolerance to a fault; we would also like to know how the new elements of HVDC link and inertia emulation module by ESS would affect the dynamic behavior of LFC under an intentional DoS or FDI attack.

Related Work
The LFC is known as a typical automatic closed-loop system that maintains the grid frequency and scheduled tie-line power between controlled areas by tuning the setpoints of generators for active power output, based on the wide-area transmitted measurements [12]. Research activities have been carried out to look into the attack impact on conventional LFC systems with pure AC transmission lines. In the early work of the authors of [13], effects of data integrity attacks on the operating frequency stability of LFC are introduced. Then, it is demonstrated in [7] how different FDI attacks on the LFC loop can affect the system frequency and electricity market operation. The work in [14] introduced a systematic method, based on reachability, for evaluating the impact that an FDI attack can have on the LFC system. Experimental tests of various cyber attacks on LFC using Cyber-Physical Security Testbeds can be found in [8]. In [15], the modeling language Modelica is introduced to support impact assessment of FDI attacks on the LFC. There are also some studies that have started to explore the effects of data availability attacks on LFC loops. The work in [16] illustrates that DoS attacks are able to make the dynamics of a LFC system unstable. The work in [17] focuses on the impact of time-delay attacks on the dynamic behavior of a multi-area LFC, indicating that such an availability attack can be more harmful in the area where there are load changes. Other related research is about communication delay or packet loss in the LFC system. For instance, a linear discrete-time model that includes the effects of different communication delays in the LFC model is proposed in [18] to explore the stability issues. Similar studies on communication delay/packet loss in conventional LFC models of normal AC systems can be found in [19][20][21].
The conventional LFC models have been modified to adapt to the reformulation of traditional power systems [22]. One of such aspects is about the deployment of HVDC transmission lines between controlled areas [23,24]. Besides, new functionalities are added in the frequency control to consider the matter of virtual inertia emulation [25,26]. In the pioneering work in [27], a method for evaluating the effects of virtual inertia on the dynamic behavior of a two-area LFC system is developed. As mentioned earlier, widespread application of communication networks in the LFC-related loop could make it vulnerable to various cyber attacks. However, as far as we know, there is still a lack of studies on the cyber security research for the new LFC system in the hybrid grid with AC/HVDC interconnections and emulated inertia by storage devices. The following references have started to evaluate the attack impact on the part of HVDC system control or the inertia emulation process; however, none of them have focused on the overall LFC loop considering new elements of HVDC links and emulated inertia by ESS. The work in [28] has studied the effects of cyber attacks on the dynamic voltage stability of a HVDC system. The authors of [29] try to evaluate the impact of cyber attacks on the HVDC transmission oscillation damping control. The work in [30] demonstrates the risk/impact of a cyber-physical attack in which loads providing emulated inertia control services are attacked. The work in [31] has interpreted the effects of FDI attacks on the LFC of a low-inertia power system. Our recent work in [32] aims to propose a comprehensive framework for vulnerability and impact analysis of stationary FDI attacks on the hybrid AC/DC grid. To conclude, research efforts are still needed to evaluate the effects of different types of data integrity and availability attacks on the LFC system with new elements of HVDC link and also ESS for virtual inertia.

Contributions and Paper Organization
In this article, we study the impact of different cyber attacks on the LFC system equipped with AC/HVDC transmission lines and bulk ESS. Two major types of data availability and integrity attacks-DoS and FDI attacks-are introduced and explored. The FDI attack scenario has been introduced in our previous work [32], where only the stationary FDI attack is considered. In this article, we move a step forward to include the dynamic (time-variant) FDI attack. We propose optimal strategies that the attacker can exploit to launch DoS or FDI attacks to corrupt the system stability. Our contributions are reflected through three aspects: (i) We have enabled to model the studied LFC system under DoS attacks as a switched linear system. Then theoretical results are obtained for switching strategies that an advanced attacker could exploit to make the targeted system unstable.
(ii) The FDI attack scenario is extended to include the dynamic FDI attack. The optimal FDI attacks that can be stealthy and disruptive are characterized by optimization programs. Particularly, we introduce a type of dynamic FDI attack called zero-dynamics attack that can remain stealthy with respect to an arbitrary anomaly detector, if certain conditions are met. (iii) A comparison study is performed especially in simulation part to learn DoS and FDI attacks on different LFC models of normal AC system, AC/DC system and AC/DC system with virtual inertia. To be noted in the end, to the best of our knowledge, it is the first time that the DoS attack and the dynamic FDI attack are introduced and learned in the context of new LFC considering a hybrid AC/DC grid with virtual inertia.
The structure of this article is as follows. In Section 2, we show how the conventional LFC system model is adapting to handle the modern scenario where controlled areas are interconnected with AC/HVDC links and there is emulated inertia by ESS. Section 3 focuses on DoS attacks which corrupt the availability of the wide-area measurements data. We enable modeling of the LFC system under DoS attacks as a switched linear system and the switching strategy to make the system unstable is proposed. The dynamic FDI attacks are introduced and studied in Section 4 where the optimal stealthy and disruptive FDI attacks are characterized by optimization programs. In Section 5, we provide simulation results and discussions, and conclusions are drawn in Section 6.

LFC Modeling in the Hybrid AC/DC System with Virtual Inertia
We present the LFC system modeling in this section. The Kundur model in [33] is used to represent a general interconnected power system. Here, we highlight the difference between the test system of this article and the original Kundur model in [33]. First, to meet the changes in modern scenarios, the test system is equipped with AC/HVDC transmission lines and inertia emulation capabilities by ESS, based on the work in [27]. The block diagram of the system is shown in Figure 1, where two areas, four generation units (GENs), and two load demand centers are involved, and converters are installed for controlling the HVDC link and the added ESS. Second, the system model used in this paper is modified to be suitable for LFC or automatic generation control (AGC) analysis. We consider the LFC because, as mentioned in Section 1, the high-level control of LFC with a relatively slow dynamical response would rely more on communication networks such as the SCADA system to transmit measurements and control data, while such a system is known to be vulnerable to various attacks, as reported in [4][5][6]. From the perspective of system modeling, considering the timescale of LFC, it is generally a linearized model with certain levels of abstraction that simplify some elements of the initial detailed Kundur model. We show the details of the system model in the following. To be noted, we assume that the channel for control signals is equipped with advanced encryption techniques and thus not attacked.

The Conventional LFC Structure
The LFC loop is a typical high-level control application. To regulate the power grid frequency, the LFC module in each controlled area receives wide-area measurements of frequency and tie-line power and sends control signals of set points for the output power of the participating generators in that area (e.g., GEN 1 and GEN 2 in Area 1 of Figure 1). To understand the LFC concept, we first introduce an area control error (ACE) signal as follows, where β i , ∆ω i , and ∆P tie ij are the frequency bias factor, the frequency deviation of Area i, and the net tie-line power flow variation between Area i and Area j, respectively; for a two-area power system, like the one in Figure 1, ∆P tie ij = −∆P tie ji . Thus, for a normal AC system where there are only pure AC transmission lines, let ω 0 be the nominal value of frequency, and we have To be mentioned, the ACE value in (1) defines the frequency to restore and the power to compensate in the event of load-generation imbalance.
As noted earlier, the LFC system is a high-level control application, and we pay more attention to the collective performance of all generators [33]. Then, we can do certain levels of abstraction and suppose that each area consists of equivalent governors, turbines, and generators. The dynamics of each area is represented by a linearized model. In this regard, the frequency dynamics of Area i in the two-area system can be described in the Laplace domain, where K p i and T p i are the system gain and the time constant, respectively. The gain K p i is related to the damping coefficient. The time constant T p i is associated with both the equivalent inertia and the damping. ∆P m i,g is the output power of each participated generator in Area i, and G i denotes the number of these generators. ∆P d i represents the total load variation in Area i. For the variables ∆P m i,g and ∆P tie,AC , we have where R i,g is considered as droop for each participated generator in Area i. T ch i,g is the time constant of the whole turbine-governor unit (we assume that each dynamic generator model consists of its turbine-governor model). ∆P agc i denotes the AGC signal generated by the LFC control loop in Area i. φ i,g is an area participating factor satisfying ∑ G i g=1 φ i,g = 1. T AC i,j is the coefficient for the power flow on the AC transmission line between these two areas.
The AGC signal ∆P agc i is used to regulate the set points of participated generators for active power output. The goal is to guarantee that the system frequency restores to nominal value in a load-generation imbalance event. Meanwhile, the tie-line power flow between controlled areas should act as the scheduled one. Here, ∆P agc i is generated by an integral control law, with the inputs of frequency deviations and tie-line power flow variations as parts of the ACE signal, that is, where K I i is the integral gain of the AGC controller and ACE i is the ACE of Area i mentioned in (1).
In the following, we show how the conventional LFC model adapts to meet the changes of parallel AC/HVDC links and the matter of inertia emulation.

LFC for AC/HVDC Interconnected System
Next, we consider the scenario where the controlled areas now are interconnected by AC/HVDC transmission lines. There are usually two converters in the HVDC system: one converter controls the active power flow, and the other one would be responsible to control the level of DC link voltage [27]. Here, we introduce the concept of Supplementary Power Modulation Controller (SPMC) to model the effects of HVDC link on the dynamic performance of the overall LFC loop. Note that the dynamics of fast transient HVDC power electronic parts is neglected when we analyze the dynamic effects of the HVDC link on LFC. This is because of the fact that the time constant of electronic parts is much smaller than that of mechanical parts in the analysis of dynamic behavior of the power system.
As a high-level supervisory control loop, the SPMC is able to improve the performance of the power system when there are load changes. To construct the SPMC, one needs the frequency deviations in each area, i.e., ω i and ω j , and the power flow variations in the AC line, i.e., ∆P tie,AC . Then, the HVDC link generates the desired DC power based on the output of SPMC, by changing the duty cycles of converters. The SPMC strategy as a damping controller can be expressed as where ∆P DC re f denotes the reference of the DC power; K i , K j , and K AC represent control gains; and T DC denotes the time constant of the HVDC link. According to the work in [27], the proper time response of this kind of supervisory controller could range from 100 ms to 500 ms. Here, we assume that T DC is 100 ms. In (8), ∆P DC is the generated power by the HVDC link. Then, the deviations of total tie-line power flows on both AC and HVDC transmission lines become Note the difference between Equations (9) and (2) which is for the normal AC system. Then, considering the new added DC power in the total tie-line power flow variation, the ACE signal of each area now needs to be adjusted to

LFC for AC/HVDC System with Emulated Inertia by ESS
In this part, we continue to model the LFC in the test system equipped with not only AC/HVDC transmission lines but also bulk ESS for inertia emulation. Note that a virtual inertia could be emulated by the added bulk ESS to improve the inertia response of conventional generators to load variations. In this article, the inertia emulation is realized by derivative control. Then, the emulated power from ESS for Area i can be written as where T ESS i denotes the time constant of the derivative control loop and J em i is the control gain representing the emulated inertia. We can see that the above derivative control loop calculates the rate of change of frequency (ROCOF). To be highlighted, instead of wide-area frequency data for the supervisory AGC and SPMC loops in the proceeding, only the local frequency information would be used for a relatively faster response in the derivative control-based inertia emulation. The selection of control gain J em i is based on an iterating tuning approach where the frequency deviations are minimized; we refer to the work in [34] for details. Considering that the derivative control loop could be sensitive to the noise, one may add a low-pass filter to the model to eliminate the effects of noise [32] (here we consider the filter's effects through the time constant T ESS i ). The storage part of ESS will remain charged during normal operation, and it starts to help the system once contingencies occur. Note that the ESS mainly works for a short period of time (2 s to 5 s) to emulate inertia. In the end, adding the emulated active power from ESS and also the power modulated by the HVDC link in Section 2.2, the Equation (3) of frequency dynamics in Area i will be changed to

LFC System Model in the State-Space Form
As shown in Figure 1, the wide-area measurements are mainly frequencies in the two areas and power flows on both AC and HVDC lines. These measurements would act as inputs for supervisory controllers in LFC, i.e., the AGC and SPMC loops; recall Sections 2.1 and 2.2. For the virtual inertia emulation part, it uses local frequency information only for a relatively faster response, as indicated in Section 2.3. Given the above explanations and the system descriptions in Sections 2.1-2.3, the open-loop LFC model for the test two-area system interconnected by AC and HVDC transmission lines and equipped with added ESS can be compactly described by a continuous-time state-space form: where the state vectorx, the control input vector u, the disturbance input vector d, and the output vectorȳ of wide-area measurements can be expressed as We note that the control input vector u consists of control signals from supervisory AGC and SPMC controllers. Besides, the disturbance input vector d corresponds to load changes in each area.
The matricesĀ c ,B c,u ,B c,d , andC in (13) are constant with appropriate dimensions. For a better illustration of the system state matrixĀ c , we use the following expression, . Each sub-matrix ofĀ c is presented in Equation (15). In addition, the system input matricesB c,u andB c,d that relate control signals and load changes to the system states are given in (16) and (17), respectively. We omit the detail of the output matrixC in (13) as its formulation is straightforward considering that the output vectorȳ corresponds to wide-area measurements of frequency in each area and power lows on both AC and HVDC transmission lines. In the end, the parameters of the two-area system and also associated control loops, i.e., the parameters appeared in Equations (1)- (12) for LFC purpose, are referred to Table 1, based on the work in [27]. Table 1. Parameters of the two-area system and associated control loops.

Parameters
Area 1 Area 2 GEN 1 GEN 2 GEN 3 GEN 4 As mentioned, it is easy to observe that the open-loop LFC models for the normal AC system and the AC/DC system, but without inertia emulation functionalities, can also be derived in the form of (13). For instance, for the conventional LFC structure in a normal AC system, there would be no such state variables of ∆P DC 1,2 , ∆P ESS 1 and ∆P ESS 2 . Besides, the variable ∆P DC re f related to the control input of DC link is not included in u, and there is no wide-area measurement for the DC power flow in the output vectorȳ. Before looking into the effects of cyber attacks, we first validate the LFC system models. To do that, as a common approach, we launch a step load change for the input of the system. The load change happens in Load 1 of Area 1 at t = 5 s with an increase of 0.03 p.u. Figure 2 provides the results of frequency deviations in both areas. It is easy to observe that the expansion of the interconnected system using HVDC link and especially the strategy of inertia emulation can help in improving the LFC system dynamics. The improvements are significant in damping frequency oscillations in a load change, which indicates a good performance when the overall LFC system model is equipped with HVDC link by SPMC control and also ESS for virtual inertia emulation.

DoS Attacks on the AC/DC Multi-Area LFC System with Virtual Inertia
In this section, we study the effects of data availability attacks on the LFC system developed in the previous section. The DoS attack is mainly considered as it is one of the major threats against the availability of data [10]. In a DoS attack, it typically causes periods of time at which the communication is not possible, thus preventing measurements or control data from reaching the respective destinations [35]. To launch DoS attacks, there are many strategies that an attacker can exploit. For instance, the attacker can jam the communication channels, compromise devices and prevent them from sending data, attack the routing protocols, and flood the network traffic [36]. To be illustrative, one can consider a man-in-the-middle (MITM) attack scenario on the communication channels between the substations and the control center. Then, the attacker is capable of interfering with the transmitted measurements using the MITM tool to block the measurements, either by attacking the routing scheme or flooding the network traffic [37]. In this article, we aim to model DoS attacks on the developed LFC mathematical model in Section 2 such that the behavior of data absence caused by DoS attacks is considered in the modeling process. We refer to the work in [10] for the specific strategies for launching such DoS attacks.

The Test LFC System under DoS Attacks
First, we need to modify the LFC system model developed in Section 2 to include DoS attacks into the control loop. As illustrated in Figure 1, we consider the attack scenario where communication channels for the transmission of wide-area measurements are attacked by DoS. To help in model analysis, one needs to modify the state-space representation in (13) by defining the following new "virtual" state and output vectors, where ACE i is the integration of the ACE signal in Area i. Note that ACE i in y is a virtual variable and the practical wide-area measurements in the output vector y are frequencies (∆ω i ) and AC/DC power flows (∆P tie,AC , ∆P DC ). Then, the integral action in the supervisory AGC loop can be transformed into a static output feedback control problem [20]. We still use definitions of input vectors u and d in (14). Then, we can obtain the following "modified" dynamic model for the test LFC system interconnected by AC/HVDC links and equipped with bulk ESS, by considering the "virtual" state vector x and output vector y in (18), Note that now u represents the input signal from the resulted static output feedback control in the above open-loop LFC system model of (19).
By using the "virtual" output vector y in (18), the static output feedback control process can be expressed as u = Ky where K is the gain of the static output feedback control and we can have For the matrices A, B c,u , B c,d , and C in the model (19), it is easy to derive their formulations based onĀ c ,B c,u ,B c,d andC given in the original open-loop LFC model in Section 2.4.
In a realistic framework, the wide-area measurements are applied to the supervisory AGC and SPMC controllers in discrete-time samples. Thus we would like to express the dynamic LFC system model in a discrete-time framework. To do that, (19) needs to be discretized. Taking a sampling period T s , we have the following discretization results for a zero-order hold (ZOH) [38], To be noted, (21) can be explained as the analytical solution of the ZOH discretization. Then, after discretization of (19), the discrete-time version of the open-loop LFC model for the two-are system equipped with AC/HVDC transmission lines and bulk ESS can be described by As noted earlier, vulnerabilities within the wide-area communication network (e.g., SCADA system) may allow cyber attacks. In this section, we focus on the following DoS attack scenario; the adversary has compromised the communication channels of wide-area measurements, preventing these measurements from being transmitted to the control center for power modulation (i.e., supervisory AGC and SPMC loops); recall Figure 1. According to the authors of [39], it is reasonable to assume that the channel for AGC and SPMC control signals is equipped with advanced encryption techniques; therefore, we mainly focus on the uploading channels of wide-area measurements instead of control signals on the feedback loop. As stated in Section 2.3, we know that the control loop of inertia emulation is using local information only and thus not attacked directly by DoS. Due to the DoS attack, the missing measurements are typically replaced with the last received ones. By properly designing the DoS attack sequences, the attacker can corrupt the normal operation of the controllers and consequently the involved physical system, e.g., the system stability. We show such effects of DoS attacks in what follows. According to the authors of [16], the DoS attack on the output vector y can be treated as a switching on/off event. Letỹ denote the output vector under DoS attacks, and the control signal becomes We also consider that the controllers are equipped with ZOH. Hence the wide-area measurements in the LFC loop under DoS attacks can be further expressed as where S 1 and S 2 are "positions" indicating whether the wide-area measurements are under DoS attacks or not,x is an introduced auxiliary vector that satisfies where j indicates the switch position such that j = 1 for position of S 1 (no DoS attacks), and j = 2 for position of S 2 (under DoS attacks), and the corresponding matrices are Remark 1 (DoS attacks on "selected" measurements). In the attack scenario above, we can observe that all the system outputs are assumed to be attacked by DoS; see (24). This is mainly for the simplicity of illustrating the formulations of closed-loop system matrices. However, the developed framework can subsume the scenario where only part of measurements are attacked. One can introduce diagonal matrices with the elements of binary vectors sitting on the main diagonals to indicate which wide-area measurement is under a DoS attack. For instance, let us introduceỹ[k] = P 1,m Cx[k] + P 2,m Cx[k − 1] for the switch position S 2 when the m-th measurement is attacked by DoS, and P 1,m , P 2,m are such diagonal matrices that characterize the "position" of the attacked measurement.

Stability of the Test LFC System under DoS Attacks
In the following, we show how the DoS attacks can affect the stability of the closed-loop LFC system in the hybrid AC/DC grid with emulated inertia. We have modeled the LFC under DoS attacks as a switched linear system in the proceeding. The stability issue of a switched system has been extensively investigated; one look in [21,40] for a detailed analysis. From the viewpoint of an attacker, the whole system may be made unstable by choosing a proper switching strategy.
To study the stability of the test system in (26), let us consider a scenario where the loads keep constant, namely, d[k] = 0 for all k ∈ N. The following Lemma 1 indicates that there exist possible switching strategies that the attacker can exploit to launch DoS attacks to make the underlying two-area LFC system unstable.

Lemma 1.
We introduce a constant 0 ≤ λ ≤ 1. Then, the switched linear system of (26), where Φ i ∈ {Φ 1 , Φ 2 }, is unstable, if there exists λ such that the equivalent system with system matrix Φ λ 1 Φ has an eigenvalue with magnitude outside the unity circle.
Proof of Lemma 1. Let us introduce a time interval [T 0 , T d ) and n T = T d − T 0 . Similar to the work in [16] (Theorem 2), we can assume that the test system operates normally from T 0 , i.e., the switched linear system of (26) with Φ i ∈ {Φ 1 , Φ 2 } stays at Φ 1 for a time period of λn T . Then, afterwards, the test system is attacked by DoS and (26) stays at Φ 2 for a time period of (1 − λ)n T . In the end, the state of the test LFC system at T d would become Let us define Φ(λ) We will have z[T d ] = (Φ(λ)) n T z[T 0 ]. Thus the switched linear system of (26) would be unstable, if its "equivalent" system matrix Φ(λ) has eigenvalues with magnitude outside the unity circle.
Based on Lemma 1, we can see that if an advanced attacker can choose a proper constant λ, it may make the closed-loop LFC system for the AC/HVDC interconnected power system with emulated inertia unstable. To be noted, here we mainly consider the optimal DoS attack strategy that can corrupt the system stability, and thus the attacker is assumed to be with extensive attack resources to corrupt multiple wide-area measurements and also full knowledge of the underlying system (e.g., the parameters of the test system in (22)). Besides, the mitigation and detection schemes that the power systems are usually equipped with are not included in the framework of this article; we leave the possible complex "interactions" between DoS attacks and mitigation/detection schemes in the LFC system for the future work.

FDI Attacks on the AC/DC Multi-Area LFC System with Virtual Inertia
Vulnerabilities within the communication channels for wide-area measurements may also make the test LFC system exposed to data integrity attacks. FDI attack, known as a major class of integrity attack, can modify the values of measurements to corrupt the normal operation of controllers and further the physical system. Then next we study FDI attacks on the test LFC system in the hybrid AC/DC grid with virtual inertia. We extend our previous work [32] to include both stationary and dynamic FDI attacks in this article. Particularly, we show a specific type of dynamic FDI attack that can remain stealthy with respect to an arbitrary anomaly detector, while in the mean time cause severe damages to system frequency stability.

The Test LFC Sytem under FDI Attacks: Basics
As noted in Section 3.1, in this article we focus on the attack scenario where the uploading communication channels of wide-area measurements are attacked. Thus, the system output after FDI corruptions would becomeỹ where f [·] ∈ R n f represents the FDI attack signal, T f denotes the FDI attack period, and D f characterizes the part of measurements that are attacked by FDI. Again, as illustrated in Figure 1, FDI attacks on wide-area measurements would mainly corrupt the supervisory AGC and SPMC controls as these loops use the wide-area measurements as the controller inputs, which also implies that the virtual inertia emulator is not compromised directly by FDI. Based on (22) and (29), the closed-loop model of the test LFC system under FDI attacks can be expressed as where A cl := A + B u KC and B f := B u KD f . We can see that the corruptions on the supervisory control loops by FDI attacks would further affect the involved physical system. To illustrate the attack strategy that an FDI attacker can exploit to be disruptive to the LFC system, let us start from the stationary FDI attack scenario where the attack occurs as a constant bias injection on wide-area measurements during the attack period, i.e., f [k] = f for k ∈ T f and f is a constant vector while f [k] = 0 for k / ∈ T f . We say such attack is "stationary" as the attack value remains unchanged during the attack period. As a typical FDI scenario, the stationary FDI attack has been studied in a large amount of literature work [12,39,41]. According to the number of manipulated wide-area measurements, stationary FDI attacks can be classified into two types in general, i.e., univariate attack (n f = 1) and multivariate attack (n f > 1).
Similar to the advanced DoS attack which aims to corrupt the system stability with an optimal strategy, an intelligent FDI attack with full system knowledge also would seek to maximize its impact on the targeted LFC system. To evaluate the attack impact, the indices of maximum frequency deviation (MFD) and steady-state frequency deviation (SSFD) for frequency stability are commonly deployed. In the univariate FDI attack scenario, intuitively, the attacker would prefer a larger constant bias injection to have the maximum impact from the perspective of MFD or SSFD. However, a large constant injection may also trigger data quality alerts. In general, data quality alerts would be triggered if the calculated ACE in the control center exceeds 0.05 p.u., according to the grid code in [7].
In order to have enough attack impact and remain undetected with respect to data quality checking programs, an adversary may have to compromise multiple wide-area measurements with vast attack resources to launch multivariate stationary attacks. Let us still consider an intelligent attack scenario where the attacker is also equipped with full knowledge of the underlying system (i.e., all the system parameters in Section 2 and possible data quality checking programs). Then, the multivariate attack can choose an appropriate injection of f . In the following, we characterize the optimal strategy for stationary FDI attacks where the attacker aims to have enough attack impact and remain undetected from the data quality checking program, and in the mean time try to compromise as less measurements as possible. This strategy can be described by the optimization program, where · 0 is the zero vector norm that quantifies the number of non-zero elements in the vector.
The attack values which reflect the attack targets on impact and undetectability are taken from the set F := { f ∈ R n f : b min ≤ F f f ≤ b max } where the vectors b min , b max ∈ R n b and the matrix F f ∈ R n b ×n f are scenario-specific and should be taken based on the criterion reflected in different national grid codes. For instance, to be disruptive of attack impact, the (absolute) MFD value should reach 0.8 Hz, as a possible load shedding scheme could be triggered when the frequency decreases to 59.2 Hz; we refer to our previous work in [32] for a detailed discussion on the selections of b min , b max and F f . In (31), f (i) denotes the i-th FDI on the measurement that the attacker has already been able to compromise; this constraint is to make (31) feasible [37]. The last constraint in (31) is introduced to show that some protected measurements in the set P could not be attacked. By using a so-called big M approach in [37], the problem of (31) can be translated into a mixed integer linear program (MILP). A MILP can be usually solved by a solver like CPLEX. The obtained index α i in the optimal attack strategy of (31) in some sense can also access "how hard" it is for the attacker to attack the test LFC system with significant impact and also undetectability, and it is of interest to both the attacker and the system operator: if α i is large, it requires extensive coordinated attack resources by the attacker to accomplish; if α i is small, some of the measurements are critical as they require fewer corruptions to be altered.

A Type of Stealthy FDI Attack on the Test LFC System: Zero-Dynamics Attack
For the stationary FDI attacks above, though the intelligent ones with enough system knowledge and vast attack resources can remain undetected from data quality checking programs, advanced detection schemes can still be developed to reveal their occurrence. In [32], we have proposed an anomaly detector for the detection, isolation, and even recovery of both stationary univariate and multivariate FDI attacks. In this subsection, we further explore the possibility of a type of FDI attack that can be stealthy with respect to arbitrary anomaly detectors. This comes to a type of dynamic (time-variant) FDI attack called zero-dynamics attack. Within a zero-dynamic attack strategy, the attacker can make the system outputs zero but drive the state (e.g., frequency of each area) trajectory of the underlying system (i.e., the test LFC system interconnected by AC/HVDC transmission lines and equipped with ESS for inertia emulation) to a possible unsafe set (e.g., the MFD defined in the previous subsection reaches a certain value that can mislead to wrong system operations). As the system outputs also act as inputs to an arbitrary anomaly detector, the diagnostic signal of the anomaly detector would not be able to trigger alerts for this type of attack when the system outputs are zero. To formalize the attack scenario, we introduce the following definition based on the work in [42]. That is to say, one cannot decouple such an FDI attack from the system outputs, and therefore it can not be detected by an arbitrary anomaly detector. It has been shown in [42] that the attack sequence that makes the outputs identically zero for all k ∈ T f is given by where z 0 is the system zero and f 0 is the corresponding input zero direction. Considering the LFC system model in (30) under FDI attacks, such a signal f [·] in (32) can be checked by using the Rosenbrock system matrix and correspondingly the input zero direction for a system zero z 0 ∈ C can be obtained, according to the work in [42]. This can be written as It can be observed that f [k] = z k 0 f 0 is a zero-dynamics attack if and only if there exists x 0 ∈ C n x and d 0 ∈ C n d that satisfies (33). This implies that the zero-dynamics attack f [k] = z k 0 f 0 is stealthy only if there is a simultaneous disturbance signal d[k] = z k 0 d 0 and initial state x[0] = x 0 . Note the fact that the disturbance signal in the LFC system model of (30) represents load changes. Thus it may be infeasible for the case d[k] = z k 0 d 0 in practice. However, one can consider a scenario where the loads keep constant while a zero-dynamics attack f [k] = z k 0 f 0 is launched by the attacker to make system outputs zero. Such a zero-dynamics attack can be obtained from the following equation, If there exist solutions to (34), then the zero-dynamics attack exists and the system operator would also be misled to believe that there is no load change and hence the system outputs are zero, while, in fact, the dynamic FDI attack may have driven the system states of frequencies in both areas to unsafe sets. Notably, if the test system (30) is assumed to be with zero initial state and there exists a large difference between x 0 from (34) and zero initial condition, then the zero-dynamics attack from (34) may be detectable especially in the beginning period of the attack sequence [42].
To this end, similar to the case of stationary FDI attack, we can also consider an intelligent attack scenario where the attacker tries to compromise as less measurements as possible, which would lead to the following optimization program, One can also let |z 0 | ≥ 1 in (35) such that the attack signal can be persistent (if |z 0 | < 1, the attack signal will asymptotically vanish to zero). We also add the last constraint about f 0 (i) to make (35) feasible. In general, similar to (31) for a stationary FDI attack, (35) is a combinatorial problem and is hard to solve. However, it can have simple solutions if there is finite number of system zeros of z 0 . For instance, if there is a single z 0 , then the null-space of P(z 0 ) has dimension 1, and there is only one unitary vector [x 0 , f 0 ] that is the solution to (34). If the null-space of P(z 0 ) has dimension n, then there are n unitary vectors that are solutions to (34). A linear combination of these n unitary vectors is also a solution, and similar to (31), one can use big M method to translate (35) into a MILP problem which can be solved by the solver CPLEX.

Simulation Results
In this section, we evaluate the effects of these two types of data integrity and availability attacks-DoS and FDI attacks-on the test LFC system through simulations. As shown in Figure 1, the two-area system is interconnected with AC/HVDC transmission lines and equipped with bulk ESS for inertia emulation. The parameters of the two-area system and also associated control loops, i.e., the parameters appeared in Equations (1)- (12), are referred to Table 1 in Section 2.4. Then, the matrices involved in the original state-space model of (13) for the two-area LFC system can be obtained through (15) to (17). In particular, we are interested in the difference between effects of these two types of data integrity and availability attacks on the LFC models of the following studied systems in this article: • Normal AC system. • AC/DC interconnected system. • AC/DC interconnected system with virtual inertia.
From Section 2, we have seen that the LFC model in the system interconnected by AC/HVDC lines and equipped with ESS has more controllable devices, comparing with the one in the normal AC system. Intuitively, an attacker can manipulate more vulnerable measurements as it can attack frequencies of both areas and also power flows on both AC and HVDC transmission lines. Furthermore, the DoS and FDI attacks on all of these measurements would affect not only the supervisory AGC loop but also the SPMC for power modulation in control center. Thus, in this section, we perform a comparison study through simulations to explore the difference of attack impact on these three LFC system models.

DoS Attack Results
We start with DoS attacks. In Section 3.2, we have introduced a constant λ ∈ [0, 1] such that if an advanced attacker can choose a proper λ, the "equivalent" closed-loop LFC system under DoS attacks on measurements (with system matrix Φ(λ) ) can be made unstable. From the proof of Lemma 1, we would note that the smaller λ is, the earlier the DoS attack occurs. Then, we let γ m denote the maximum real part of eigenvalues of Φ(λ) To study how the DoS attack would affect the stability of the underlying LFC systems, we compute γ m with λ ranging between 0 and 1 for the three LFC system models. The results are shown in Figure 3. It can be seen form Figure 3 that γ m > 1 when λ is close to 0 for all of these systems, which implies that there exists an eigenvalue with magnitude outside the unity circle and the systems are unstable. With the increase of λ, γ m may decrease and be smaller than 1 later. This result is straightforward since the LFC systems become unstable more easily when DoS attacks occur at an early period. For the LFC of normal AC system, γ m < 1 when λ ≥ 0.6. For AC/DC system, γ m < 1 when λ ≥ 0.33. For AC/DC system but with virtual inertia, γ m is around 1 when λ is small, and is smaller than 1 when λ ≥ 0.53.  Figure 4, the DoS attacks occur at t = 1 s, which is before the load change. It can be observed that there are large steady-state frequency deviations (SSFDs) because the controller is attacked by DoS completely. For Case 2 in Figure 5, the DoS attacks occur right after the event of step-load change and we still see large SSFDs. Comparing the results of Figures 4-6, it is reasonable to conclude that from the viewpoint of the attacker, it is optimal to launch DoS attacks as early as the dynamics of the LFC system does not converge. When the attacks occur in a late stage, the DoS attacks might not have big impact; see the results of Case 3 where λ = 0.4. It can be also expected that as long as the LFC system dynamics has converged, the DoS attacks would not have effects any more. When looking into the frequency deviations of the three system LFC models in Figures 4 and 5, we can also see that the impact of early DoS attacks on the LFC models of normal AC system and AC/DC system but without virtual inertia can be more significant from the perspective of SSFD, comparing with the one of the AC/DC interconnected system with virtual inertia. This is due to the fact that the control loop of inertia emulation is not attacked directly by DoS as it is using local frequency information only, while the DoS attacks are mainly on measurements for supervisory AGC and SPMC loops. The emulated inertia still works to damp frequency oscillations even during these DoS attacks. However, as shown in Figure 6, for the DoS attacks that occur at t = 12 s, there would be a larger SSFD in the LFC of the system with AC/HVDC transmission lines and virtual inertia. This is because the ESS is mainly used for a short period of time (2 s to 5 s) to emulate virtual inertia (recall Section 2.3), while the load step event starts from t = 5 s. To conclude, the frequency dynamics of the LFC system under DoS attacks would become worse comparing with the scenario where there is no DoS attack, while the effects of DoS attacks (quantified by attack impact index, e.g., SSFD) on the three LFC system models of this article depend to the time that the DoS attack occurs.

FDI Attack Results
Next, we evaluate the effects of FDI attacks on the three LFC system models. To begin with, stationary univariate and multivariate attacks are launched. The frequency deviation results under a univariate attack on the frequency measurement of Area 2 are shown in Figure 7. We can see that regarding the attack impact index of MFD (maximum frequency deviation) during the transients, there would be a larger MFD in the LFC of the system interconnected by AC/HVDC lines and equipped with ESS to emulate inertia. This observation is consistent with the result of [32], and we refer to [32] for a more detailed analysis of univariate attacks on the other wide-area measurements (e.g., frequency of Area 1, AC/DC power flow). Then, we move to stationary multivariate attacks where multiple measurements are attacked simultaneously to be disruptive and undetectable (with respect to data quality checking programs). The optimal strategies for these attacks can be obtained from (31) by solving the resulted MILP using the solver CPLEX. It turns out that a multivariate attack (α i = 2) that can attack power flows on both AC and HVDC lines with a attack magnitude vector f = [0.44 − 0.39] (in p.u.) is able to disrupt the LFC system and avoid data quality alarms. The frequency deviations under this multivariate attack are shown in Figure 8. The MFD of Area 1 in the AC/DC interconnected system with emulated inertia arrives at −0.8 Hz after the occurrence of multivariate attack, which may mislead wrong system operations of load shedding. To be noted, when solving solving (31) for the normal AC system, there is no such kind of multivariate FDI attack that can have enough impact regarding the index MFD but remain undetected from data quality checking programs. From the observations above, the inertia emulation functionality plays a key role in affecting the dynamic behavior of the test LFC system under FDI attacks. Due to the frequency variations caused by FDI attacks on supervisory controls, the inertia emulator is also being "misled" as it calculates rate of change of frequency (ROCOF) from local frequency information in its derivative control loop (recall Section 2.3), which in turn would contribute to a larger MFD.  The stationary FDI attacks above can be detected by an advanced anomaly detector. However, as illustrated in Section 4.2, the so-called zero-dynamics attack can lead to zero system outputs and thus remain hidden with respect to arbitrary anomaly detectors. To the end, we move to the simulations of such an attack scenario. From the calculations of system zeros, we see that for the LFC of normal AC system, there are four system zeros (0.5850, 0.5908, 0.6927, 1) of real values and correspondingly four unitary vectors that are solutions to (34). For the LFC of AC/DC system but without virtual inertia, there are five system zeros (−0.0250, 0.5856, 0.5908, 0.8087, 1) of real values and correspondingly five unitary vectors that are solutions in the null-space of P(z 0 ). For the LFC of AC/DC system with virtual inertia provided by ESS, there are eight system zeros (−0.0622, 0.5846, 0.5908, 0.6008, 0.6661, 0.9332, 0.9779, 0.9920) of real values and correspondingly 8 unitary vectors.
To compare the three LFC system models under zero-dynamics attacks, first we let f 0 (i) in (35) be the injection on the AC power flow measurement with a value of 0.5 p.u. and solve (35) for all the LFC systems. Figure 9 depicts the state trajectory of frequency under the resulted zero-dynamics attacks on the normal AC system and the AC/DC system with emulated inertia. We can observe that the zero-dynamics attack is able to drive the state of frequency in the LFC of the system interconnected by AC/HVDC lines and equipped with ESS to outside the safe set; see Figure 9b where the MFD can reach a certain value to mislead wrong system operations of load shedding. Besides, we can notice that different from the stationary univariate/multivariate attack, the false data injections in the zero-dynamics attack are "dynamic" (time-variant) and coordinated to remain stealthy to an arbitrary anomaly detector. To be noted, in the zero-dynamics attack scenario, the operator believes that there are no load changes as the system outputs are "made" zero by attacks, while the system states of frequencies in both areas have been driven to unsafe sets. This implies that the zero-dynamics attack can cause severe damages to the system frequency stability. Similarly, Figure 10 shows the state trajectory of the AC/DC system and AC/DC system with virtual inertia under zero-dynamics attacks where f 0 (i) in (35) is the injection on the DC power flow measurement with a value of 0.5 p.u. (the normal AC system is not attacked in this scenario as it does not have DC power flow measurement). The zero-dynamics attack can still result in large (frequency) state deviations especially in the context of LFC in a hybrid AC/DC system with virtual inertia. Notably, the impact index MFD would be made more large under such zero-dynamics attack if one increases the initial attack value of f 0 (i) in (35). To conclude, the stealthy zero-dynamics attack can be very impactful to the LFC systems when the loads are constant during a specific time period and the null-space of P(z 0 ) has multiple dimensions. Besides, the LFC model considering the added elements of HVDC link and ESS for virtual inertia can be more vulnerable to such attacks when the three LFC system models have the same initial attack value of f 0 (i) in (35).

Discussions
In this article, both DoS and FDI attacks are studied in the new LFC considering AC/HVDC links and inertia emulation module by added ESS. From the results above, we see that the LFC system with AC/HVDC interconnections and emulated inertia could be more vulnerable to the two types of attacks in many adversarial scenario. Here we provide a brief discussion on how these attacks can be detected.
The DoS attacks are trivially detectable as the absence of data can be treated as an anomaly [42]. However, they can also be misdiagnosed as a poor communication network condition. To detect such attacks, one may utilize the statistical properties of the missing data: we can assume that, under normal conditions, each wide-area measurement may be missing with a given small probability. Then, the Bernoulli distributed random variables can be introduced to indicate whether the measurements data are available or not, and one can differentiate between cases of low probability of missing data under normal conditions, versus cases where missing data occurs with higher probability due to DoS attacks.
For the FDI attacks, it is relatively easier to reveal the occurrence of the stationary ones. For instance, in our work [32], we have proposed a detector with adjustable design variables to have a fast response in the inertia context when the stationary FDI attacks occur. One can also detect the multivariate stationary attack which is equipped with vast attack resources and full knowledge of the targeted system, by designing a bank of detectors where each of them is responsible to detect a particular FDI intrusion. When it comes to the extremely powerful dynamic attack, the detection task becomes much more difficult. The zero-dynamics attack could keep stealthy to an arbitrary detector if certain conditions are satisfied. However, it is noteworthy that this is a rather conservative viewpoint, and for attacks not satisfying all the conditions in Section 4.2, one can still have a successful detection. To this end, we note that many of attacks discussed in this article could trigger alerts on communication network specific measures (e.g., Intrusion Detection System). This give us opportunities to design cross-domain detection schemes to improving the overall cyber attacks detection.

Conclusions
In this article, we aim to explore the effects of two major types of data integrity and availability attacks-DoS and FDI attacks on the new LFC system that could be equipped with AC/HVDC transmission lines and also ESS for inertia emulation in the modern scenarios. We have modeled the test LFC system under DoS attacks as a switched linear system, and theoretical results are provided for switching strategies that an advanced DoS attacker can exploit to make the system unstable. For the FDI attack scenario, both stationary and dynamic FDI attacks are studied and their optimal strategies to achieve attack impact and undetectability are proposed. Particularly, the zero-dynamics FDI attack is introduced, and we show that it can remain stealthy with respect to arbitrary anomaly detectors and drive the system states of frequencies to unsafe sets. We hope that our work provides inspirations for moving in that direction: the complexity of the attack scenario and also the modern power system itself has introduced more challenges in the system operation.
In addition to theoretical results, a comparison study is performed by simulations on the exemplary two-area system to learn DoS and FDI attacks on three different LFC system models. The numerical results illustrate that in many adversarial scenarios, the LFC system with AC/HVDC transmission lines and added ESS can be more vulnerable to the cyber attacks of this article. In particular, the inertia emulation part is key to the performance of LFC system dynamics under both types of DoS and FDI attacks. This requires more advanced mitigation or detection schemes in the context of LFC system with new elements of HVDC link and inertia emulation block. We have a discussion above on a possible detection scheme as we can envision, and we leave it for future work.
Funding: This research received no external funding.

Conflicts of Interest:
The authors declare no conflicts of interest.

Abbreviations
The following abbreviations are used in this manuscript.

LFC
Load frequency control HVDC High-voltage direct-current AC Alternating-current