Modeling and Fault Propagation Analysis of Cyber–Physical Power System

: In cyber–physical power systems (CPPSs), the interaction mechanisms between physical systems and cyber systems are becoming more and more complicated. Their deep integration has brought new unstable factors to the system. Faults or attacks may cause a chain reaction, such as control failure, state deterioration, or even outage, which seriously threatens the safe and stable operation of power grids. In this paper, given the interaction mechanisms, we propose an interdependent model of CPPS, based on a characteristic association method. Utilizing this model, we can study the fault propagation mechanisms when faulty or under cyber-attack. Simulation results quantitatively reveal the propagation process of fault risks and the impacts on the CPPS due to the change of state quantity of the system model.

. Architecture of cyber-physical interdependent network.

Interdependent Model of Cyber-Physical Power System
According to Figure 1, the cyber-physical interdependent network can be divided into three sub-networks: power network, cyber network, and coupled network. In this section, each of the subnetworks is firstly modeled. By utilizing the incidence matrix to combine three sub-networks models, we propose an integrated model of the cyber-physical power system. The detailed modeling descriptions are presented below.

Interdependent Model of Cyber-Physical Power System
According to Figure 1, the cyber-physical interdependent network can be divided into three sub-networks: power network, cyber network, and coupled network. In this section, each of the sub-networks is firstly modeled. By utilizing the incidence matrix to combine three sub-networks models, we propose an integrated model of the cyber-physical power system. The detailed modeling descriptions are presented below.

Modeling of the Power Networks
As previously mentioned, the power networks we modeled are based on the DC power flow. The cyber networks only have impacts on the power injections at buses and the power flows in branches. The power injections at power buses can be modeled as: where P is a vector of the power injections at buses, B is the node susceptance matrix of a power grid, and θ is a vector of the phases at all buses. The power flows in power branches are written as: where F is an antisymmetric matrix of the power flows in branches, A denotes a square matrix in which all elements are 1, diag(θ) represents a diagonal matrix with the elements of θ on the main diagonal, and '•' represents Hadamard product. Combining Equations (1) and (2), we have where diag(P) represents a diagonal matrix with the elements of P on the main diagonal. The diagonal elements of P power denote the power injections at buses and other elements denote the power flows in branches. Operation data of the physical system include topology information besides power information. The relations between two buses in the power network are expressed by: where a p ij = 1 indicates bus i and bus j are connected, otherwise a p ij = 0. Moreover, according to the aforementioned architecture described in Figure 1, in a highly intelligent power system, each of the electric devices is equipped with sensors and processors. Sensors collect the power information from the physical system and processors send various operating commands to the physical system. The sensor nodes are represented as: c s11 c s12 · · · c s1n c s21 c s11 · · · c s2n . . . . . . . . . . . .
where each element of C s equals 0 or 1. Specifically, if bus i is equipped with a sensor, c sii = 1, or else c sii = 0. If the branch (i,j) with i j is equipped with a sensor, c sij = c sji = 1, or else c sij = c sji = 0.
where each element of Pc equals 0 or 1. Specifically, if bus i is equipped with a processor, p cii = 1, or else p cii = 0. If the branch (i,j) with i j is equipped with a processor, p cij = p cji = 1, or else p cij = p cji = 0.

Modeling of Coupled Networks
We suppose that the transmitted data are unchanged between sub-networks. According to the definition of uplinks and downlinks in the preceding section, as the physical system is fully coupled with the cyber system, the uplinks in the coupled network are where the physical information collected from sensors in the physical system are transmitted to cyber nodes in the cyber system. Simultaneously, the downlinks in the coupled network are where the operation commands sent from cyber nodes in the cyber system are transmitted to processors in the physical system.
To depict if there are uplinks between physical systems and cyber systems, a matrix O up is: where each element of O up equals 0 or 1. More precisely, if there is an uplink between the sensor of bus i and a cyber node, O uii = 1, or else O uii = 0. If there is an uplink between the sensor of the branch (i,j) and a cyber node, O uij = O uji = 1, or else O uij = O uji = 0. The downlinks in the coupled system can be expressed by: where each element of O down equals 0 or 1. More precisely, if there is a downlink between the processor of bus i and a cyber node, O dii = 1, or else O dii = 0. If there is a downlink between the processor of the branch (i,j) and a cyber node,

Modeling of Cyber Networks
Cyber network modeling includes cyber node modeling, the uplink of cyber system modeling, downlink of cyber system modeling and the control center modeling. According to the aforementioned framework, each of the cyber nodes is connected to each of the physical nodes one by one.
The operation states of cyber nodes are described by: Energies 2020, 13, 539 6 of 22 where each element of C n equals 0 or 1. More precisely, if a cyber node connected to bus i is in the normal operation state, c nii = 1, or else c nii = 0. If a cyber node connected to the branch (i,j) is in the normal operation state, c nij = c nji = 1, or else c nij = c nji = 0. Similar to the definition of uplinks and downlinks in the coupled network, we define the uplinks in the cyber system as the physical information collected from cyber nodes uploaded to the control center. Analogously, the downlinks in the cyber system are the operation commands sent from the control center downloaded to processors.
The uplinks between cyber nodes and the control center are given by: where each element of T up equals 0 or 1. More precisely, if there is an uplink between the control center and a cyber node connected to the sensor of bus i, then t uii = 1, or else t uii = 0. If there is an uplink between the control center and a cyber node connected to the sensor of the branch (i,j), then t uij = t uij = 1, or else t uij = t uij = 0. The downlinks in the cyber system are depicted by: where each element of T down equals 0 or 1. More precisely, if there is a downlink between the control center and a cyber node connected to the sensor of bus i, then t dii = 1, or else t dii = 0. If there is a downlink between the control center and a cyber node connected to the sensor of the branch (i,j), then t dij = t dji = 1, or else t dij = t dji = 0. The control center is the core node of the cyber system and provides guarantees for the security and stability of the physical system. Based on the monitoring data of the physical system collected from sensors, the control center analyzes the operation state of the physical system, then calculates the power flow of the physical system, finally making the optimal control decision on the basis of the state of the whole cyber-physical power system, and sends control commands to processors.
The monitoring data received from the physical system mainly includes power flows and topology information of the physical system, which are defined as C r p and C r b respectively. The C r p and C r b can be calculated using The commands sent from the control center mainly contain the control commands for buses and branches, which are defined as C s p and C s b . The C s p is Energies 2020, 13, 539 where c s pii is the change of power for bus i. To be more specific, if c s pii > 0, it is the command that the output should be increased for the generator connected to bus i, or else it is the command that the output should be decreased for the generator connected to bus i.
The C s b can be handled conveniently by: where c s bij is the adjustment of the breaker's condition for the branch (i,j). We stipulate that if c s bij = c s bji = 1, then the breaker of the branch (i,j) is closed. If c s bij = c s bji = 0, the breaker of the branch (i,j) is open.

Integrated Model of Cyber-Physical Interdependent Networks
The equations of each sub-network are used only for calculating the operation state of the internal network individually, which cannot reflect the real-time interaction between power networks and cyber networks. By incorporating the characteristics of three sub-networks, the integrated model of the interdependent network is computed by: where and H is the generalized decision function of the control center, P s is the revised power injection matrix of power network, A s is the revised incidence matrix of the power network, P s b is a revised vector of the power injections at power buses, B r is a revised admittance matrix, θ r is a revised vector of the phases at all buses and F r is a revised power injections in power branches.

Fault Propagation Mechanism Analysis in CPPS
For the CPPS system, any faults or attacks may cause control failure or even widespread blackouts, which bring negative effects on the reliability and safety of system operations. It is essential to analyze the propagation paths of cascading faults for providing safe operation.
The fault propagation of the power system can be evaluated by the N − 1 method, which scans all possible electrical property failures and analyzes the cyber-physical system responses corresponding to each physical fault. Likewise, this idea can be implemented equally to cyber fault propagation analysis. In cyber systems, cyber faults are mainly caused by cyber-attacks, which lead the system to generate improper control commands that affect the physical system. Utilizing the interdependent model of CPPS detailed in the last section, we analyze the faults from three sub-networks respectively and investigate the CPPS system states under each fault in this section.

Fault Propagation Mechanisms from the Cyber System Faults
The characteristics of the cyber system are determined by the cyber transmission channel modeling and system topology. More recent studies have shown that the weak links of the cyber system mainly including cyber nodes and cyber channels are quite vulnerable to cyber-attacks. Thus, in terms of the targets of cyber-attacks, the fault propagation can be divided into two categories, which are cyber-attacks on the cyber nodes as well as cyber-attacks on the cyber transmission channels. As a result, we need to analyze these two types of fault propagation respectively.

Cyber-Attacks on Cyber Nodes
The cyber-attacks on cyber nodes in CPPSs refer to the damage to the local system due to the access rights of the cyber system obtained by an attacker, or the intentional destruction of equipment because of manual misoperation.
Cyber node failures are equivalent to unlinking cyber nodes, which will result in the control center not being able to obtain the operating status of the power grid in a timely manner and sense the potential operational risks. The detailed descriptions for cyber-attacks on the cyber nodes are presented below.
The cyber node attack matrix is built as: where all the elements in G n equal 0 or 1. More specifically, g n ii is 0 if there exists a cyber-attack on the cyber node connected to bus i. g n ii is 1 if the cyber node connected to bus i is in the normal operation state. g n ij and g n ji are 0 if there exists a cyber-attack on the cyber node connected to the branch (i,j). g n ij and g n ji are 1 if the cyber node connected to the branch (i,j) is in the normal operation state. After cyber-attacks on cyber nodes, the integrated calculating modeling in the interdependent network will be:

Cyber-Attacks on Cyber Channels
The cyber-attacks on communication transmission channels refer to when an attacker attacks the cyber network channels continuously and actively to disrupt communication availability and compromise the integrity of data, which leads to transmission channel blocking or channel data tampering. Depending on the different means of attacks, the cyber channel attacks mainly include denial of service attacks (Dos attacks) and false data injection attacks (FDI attacks). Then we need to quantitatively analyze the impacts of these two types of cyber channel attacks on the cyber system respectively.
1. Denial of service attack The Dos attack is a resource exhaustion attack that sends numerous useless requests to exhaust the resources of the attacked object, such as network bandwidth, making the control center unable to communicate with the cyber nodes and information cannot be received or delivered normally, which can even result in data loss. Consequently, the analysis of the operation state and dispatching control of the control center is affected, thereby threatening the safe operation of the CPPS. In order to explain the influences of Dos attacks in more detail, we will separately analyze the Dos attacks on uplink and downlink below.
The uplink Dos attack matrix is modeled as: where all the elements in G d up equal 0 or 1. More specifically, g d uii is 0 if there is a Dos attack on an uplink between the control center and a cyber node connected to bus i. Otherwise, if this uplink is in the normal operation state, g d uii is 1. g d uij and g d uji are 0 if there exists a Dos attack on an uplink between the control center and the cyber node connected to the branch (i,j). Otherwise, if this uplink is in the normal operation state, g d uij and g d uji are 1. The downlink Dos attack matrix is denoted by: where all the elements in G d down equal 0 or 1. More specifically, g d dii is 0 if there is a Dos attack on a downlink between the control center and a cyber node connected to bus i. Otherwise, if this downlink is in the normal operation state, g d dii is 1. g d dij and g d dji are 0 if there exists a Dos attack on a downlink between the control center and the cyber node connected to the branch (i,j). Otherwise, if this downlink is in the normal operation state, then g d dij and g d dji are 1. After the Dos attacks, the integrated calculating modeling in the interdependent network will be changed and can be derived from:

False data injection attack
The FDI attack is an attack that injects erroneous data, such as incorrect monitoring data, on the uplinks or illegal tampering with data, such as grid control commands, on the downlinks, which hinders the reliability and accuracy of normal data exchange in the physical system. The ultimate goal of the FDI attack is to make the control center misunderstand the physical system state and then employ the wrong strategy, which affects the normal dispatching control of the physical system. We will separately analyze the FDI attacks on uplinks and downlinks below.
(1) FDI attacks on uplinks: As previously mentioned, the monitoring data that the control center will receive include two different types of information, namely power flow and topology information of the physical system. The uplink power injection attack matrix is represented by: where the main diagonal element g f p uii is 0 if there is not a power injection attack on an uplink between the control center and a cyber node connected to bus i. The elements g f p uij and g f p uji are 0 if there is not a power injection attack on an uplink between the control center and the cyber node connected to the branch (i,j). On the contrary, if there is a power injection attack on an uplink between the control center and a cyber node connected to bus i, the element g f p uii is: where λ 1 is the false uplink power information that the control center will receive, which represents the attackers' desired uplink power injection attack effect. Analogously, if there is a power injection attack on an uplink between the control center and the cyber node connected to the branch (i,j), the elements g f p uij and g f p The uplink topology injection attack matrix is signified by: where λ 2 is the false uplink topology information that the control center will receive, which represents an attacker's desired uplink topology injection attack effect. λ 2 = 0 means that the breaker is altered to open by the attacker and λ 2 = 1 means that the breaker is altered to close by the attacker.
(2) FDI attacks on downlink: As previously mentioned, the control commands sent from the control center mainly contain the change of power for buses and adjustments of the breaker's condition for branches.
The downlink power injection attack matrix is expressed by: . . .
down is 0 if there is not a power injection attack on a downlink between the control center and a cyber node connected to bus i. On the contrary, if there is a power injection attack on a downlink between the control center and a cyber node connected to bus i, then the element g f p dii is: where η 1 is the false downlink power, which is the change of power for bus i altered by the attacker. The downlink topology injection attack matrix is written as: where the main diagonal elements in G f t down are 0. The elements g f t dij and g f t dji are 0 if there is not a topology injection attack on a downlink between the control center and the cyber node connected to the branch (i,j). Otherwise, if there is a topology injection attack on this downlink, the elements g where η 2 is the false downlink topology information that represents the attackers' desired downlink topology injection attack effect. η 2 = 0 means that the breaker is altered to open by the attacker and η 2 = 1 means that the breaker is altered to close by the attacker. After the FDI attacks, the integrated calculating modeling in the interdependent network can be formulated as: (48)

Power Branch Fault
Since the operation modes of the power system are constantly changing, the node susceptance matrix of the power network will also change accordingly. If the node susceptance matrix is reconstructed for the changed network, the amount of calculation will be increasing dramatically. However, the change of power in a branch only has impacts on the self-admittance of the buses on both sides of the branch and the mutual admittance between two buses. As a result, it is unnecessary to rebuild the node susceptance matrix corresponding to the new operating condition. A new matrix can be obtained by simply modifying the original susceptance matrix.
As for Equation (1), when a fault occurs in the branch (i,j) between bus i and bus j, causing a break in that branch, it is equivalent to adding a branch with susceptance of bij between bus i and bus j. In this case, the number of buses and dimension of node susceptance matrix is unchanged. On the contrary, some elements in the susceptance matrix need to be modified. The self-susceptance increments of bus i and bus j are described by: where ∆B ii and ∆B jj are the self-susceptance increments of bus i and bus j respectively. The mutual susceptance increments between bus i and bus j are signified by: where ∆B ij and ∆B ji are the mutual susceptance increments between bus i and bus j. According to Equations (49) and (50), the self-susceptances of bus i and bus j will be changed: where B ii and B The modified mutual susceptances between bus i and bus j are: where B Hence, the node susceptance admittance matrix is modified as: where B b f is the susceptance matrix after branch faults, B (0) is the original susceptance matrix, ∆B is the increment matrix of susceptance.
After the branch faults, the power network modeling will be determined by: P power (Br) = F(Br) + diag(P(Br)),

Bus Fault
Once a bus fault occurs, the branches connected to this bus will be broken, which causes the disconnection with the whole power network. As a result, the topology structure of the power network is altered. In this case, the node susceptance matrix of this power network needs to be reconstructed for the changed topology.
We set the power network has N bus, and bus i in this network is connected to bus j as well as bus k. If bus i has a fault, its corresponding elements in the node susceptance matrix need to be modified. Specifically, if the dimension of the admittance matrix decreases to N − 1, then the elements of the ith column and ith row in the susceptance matrix need to be removed. This is except for bus i, as those buses connected to bus i need to be modified. According to the assumption before, the self-susceptance increments of bus j and bus k are represented as: where b ij (0) is the original mutual susceptance between bus i and bus j, b ik (0) is the original mutual susceptance between bus i and bus k, ∆B kk is the self-susceptance increment of bus k. According to Equations (58) and (59), the modified self-susceptances of bus j and bus k are calculated as: Therefore, the node susceptance matrix is modified as: where B u f is the admittance matrix after bus faults. After the bus faults, the power network modeling will be obtained by: P power (Ur) = F(Ur) + diag(P(Ur)).

Fault Propagation Mechanisms from the Coupled System Faults
In the coupled network, coupled branches have a significant influence on the function of the whole interdependent network. The existence of coupled branches causes a single network to have different characteristics. The coupled system faults are mainly coupled branch faults. The coupled branch faults are equivalent to that of the coupled branches that are disconnected. As discussed in the previous section, coupled branches contain two types of branches, namely uplink coupled branches and downlink coupled branches. The uplink coupled branches are the topology connection between sensors and cyber nodes. The downlink coupled branches are the topology connection between cyber nodes and processors. In order to explain the impact of the coupled branch faults in more detail, we will separately analyze the coupled branch faults on uplinks and downlinks below.
The uplink coupled branch fault matrix is listed as: where all the elements in F c up equal 0 or 1. More specifically, f c uii is 0 if there is a fault on an uplink between a cyber node and a sensor connected to bus i. Otherwise, if this uplink is in the normal operation state, f c uii is 1. f c uij and f c uji are 0 if there exists a fault on an uplink between a cyber node and a sensor connected to the branch (i,j). Otherwise, if this uplink is in the normal operation state, f c uij and f c uji are 1.
The downlink Dos attack matrix can be equivalently represented by where all the elements in F c down equal 0 or 1. More specifically, f c dii is 0 if there is a fault on a downlink between a cyber node and a processor connected to bus i. Otherwise, if this downlink is in the normal operation state, f c dii is 1. f c dij and f c dji are 0 if there exists a fault on a downlink between a cyber node and a processor connected to the branch (i,j). Otherwise, if this uplink is in the normal operation state, f c dij and f c dji are 1. After the coupled branch faults, the integrated calculating modeling in the interdependent network should be determined by: Energies 2020, 13, 539 14 of 22

Case Study
In this section, we will construct an interdependent model and propose some scenarios to demonstrate the effectiveness and superiority of fault propagation mechanism.
We take the IEEE-9 node system as an example, the structure and coupled cyber network of which is illustrated in Figure 2. Since the nine-bus power system is small and structurally symmetrical, this power network can be regarded as a unique region. In order to facilitate the analysis, it is essential to number the nodes. Bus numbers in the power network are from Bus 1 to Bus 9 and breaker numbers are from D1 to D9, which are the blue numbers in Figure 2. The corresponding cyber node numbers of buses and breakers are from I 1 to I 20 , which are the yellow numbers in Figure 2. Moreover, the I in the cyber network represents the control center node, which is the brown number in Figure 2.

Case Study
In this section, we will construct an interdependent model and propose some scenarios to demonstrate the effectiveness and superiority of fault propagation mechanism.
We take the IEEE-9 node system as an example, the structure and coupled cyber network of which is illustrated in Figure 2. Since the nine-bus power system is small and structurally symmetrical, this power network can be regarded as a unique region. In order to facilitate the analysis, it is essential to number the nodes. Bus numbers in the power network are from Bus 1 to Bus 9 and breaker numbers are from D1 to D9, which are the blue numbers in Figure 2. The corresponding cyber node numbers of buses and breakers are from I1 to I20, which are the yellow numbers in Figure 2 I12   I3   I8  I9  I18   I15  I5  I13  I4  I14  I6   I16  I10   I1   I  Since the IEEE 9-node system fails to provide the power transfer limit of the line, we set the initial load rates of all the lines in the power system at 45% for the sake of analysis. Furthermore, Bus 1 is set as the balance bus.
According to the modeling methods in Section 3, s C , c P , up O , down O , n C , up T and down T can be modeled as: Figure 2. Three-generator nine-bus power system and its cyber system.
Since the IEEE 9-node system fails to provide the power transfer limit of the line, we set the initial load rates of all the lines in the power system at 45% for the sake of analysis. Furthermore, Bus 1 is set as the balance bus. According to the modeling methods in Section 3, C s , P c , O up , O down , C n , T up and T down can be modeled as: (72) In terms of the electric parameters of the IEEE-9 node system, when the CPPS operates normally, the original power flow distribution is: (73)

Case 1
For the better description of the current system state and the system state which may be triggered at the next moment, the finite-state machine is introduced to simplify the logical description. We firstly analyze the fault propagation paths under the power branch fault and design the system state machine as shown in Figure 3.
In terms of the electric parameters of the IEEE-9 node system, when the CPPS operates normally, the original power flow distribution is:

Case 1
For the better description of the current system state and the system state which may be triggered at the next moment, the finite-state machine is introduced to simplify the logical description. We firstly analyze the fault propagation paths under the power branch fault and design the system state machine as shown in Figure 3.

State 5 (time T + 4)
The whole system comes to a new stable state UDT = 1
First turning into state 1 in Figure 3, the system operates normally as illustrated in Figure 2 at time T. Assuming that a fault occurs on the branch (6,9), state 1 enters into state 2. In state 2, the breaker of the branch (6,9) trips at time T + 1 by reason of the branch fault, which leads to the power flow on each branch being redistributed. After the power flow redistribution, the breakers of branch (4,6) and branch (8,9) trip because of overload. After execution, state 2 enters into state 3 As shown in Figure 3, P power re f and A p re f represent power flow and topology information when the physical system operates in a steady state. Br (6,9) represents a fault that occurred in the branch (6,9). The DDT is defined as uplinks of the cyber-physical coupled network in steady operation. If the uplinks of the cyber-physical coupled network operate in steady state, then DDT = 1, or else DDT = 0. The UDT is defined as downlinks of the cyber-physical coupled network in steady operation. If the downlinks of the cyber-physical coupled network operate in a steady state, then UDT = 1, or else UDT = 0.
First turning into state 1 in Figure 3, the system operates normally as illustrated in Figure 2 at time T. Assuming that a fault occurs on the branch (6,9), state 1 enters into state 2. In state 2, the breaker of the branch (6,9) trips at time T + 1 by reason of the branch fault, which leads to the power flow on each branch being redistributed. After the power flow redistribution, the breakers of branch (4,6) Energies 2020, 13, 539 16 of 22 and branch (8,9) trip because of overload. After execution, state 2 enters into state 3 unconditionally. At time T + 2, the sensors of branch (6,9), branch (4,6) and branch (8,9) upload breaker information. If DDT = 1, then state 3 enters into state 4. In state 4, the control center will make decisions and send control commands after receiving the correct physical system information at time T + 3. The control commands include cutting off 40 MW in generation 3, load shedding 40 MW, and reclosing breaks of branch (4,6) as well as branch (8,9), which are C s p (3, 3) = −40, C s p (6, 6) = 40, C s p (4, 6) = C s p (6, 4)= 1 and C s p (8,9) = C s p (9, 8)= 1. If DDT = 1 and UDT = 1, then state 4 enters into state 5. In state 5, the physical system will come to a new stable state, as shown in Figure 4, after receiving the correct control commands at time T + 4. The power flow transferring from state 1 to state 5 in Figure 3 are given in Table 1. . If DDT = 1 and UDT = 1, then state 4 enters into state 5. In state 5, the physical system will come to a new stable state, as shown in Figure 4, after receiving the correct control commands at time T + 4. The power flow transferring from state 1 to state 5 in Figure 3 are given in Table 1.

Case 2
In case 2, we analyze the fault propagation paths under the power node fault and design the system state machine as shown in Figure 5.

State 3 (time T + 2)
The sensors of bus 6 and branch (8,9) upload the disconnection information to control center DDT = 1

Case 2
In case 2, we analyze the fault propagation paths under the power node fault and design the system state machine as shown in Figure 5.
First turning into state 1 in Figure 5, the system operates normally, as shown in Figure 2, at time T. Assuming that a fault occurs on bus 6, which is represented by Bu(6,6), state 1 enters into state 2. In state 2, bus 6, branch (4,6) and branch (6,9) disconnect at time T + 1 on account of the bus fault, which leads to the power flow on each branch being redistributed. After the power flow redistribution, the breaker of the branch (8,9) trips due to overload. After execution, state 2 enters into state 3 unconditionally. At time T + 2, the sensors of bus 6 and branch (8,9) upload disconnection information. If DDT = 1, then state 3 enters into state 4. In state 4, the control center will make decisions and send control commands after receiving the correct physical system information at time T + 3. Those commands include cutting off 25 MW in generation 1 and generation 2, cutting off 40 MW in generation 3, and reclosing the break of branch (8,9), which is C s p (1, 1) = −25, C s p (2, 2) = −25, C s p (3, 3) = −40 and C s p (8,9) = C s p (9, 8)= 1. If DDT = 1 and UDT = 1, then state 4 enters into state 5. In state 5, the physical system will come to a new stable state, as shown in Figure 6, after receiving the correct control commands at time T + 4. The power flow transferring from state 1 to state 5 in Figure 5 is given in Table 2.

Case 2
In case 2, we analyze the fault propagation paths under the power node fault and design the system state machine as shown in Figure 5.

State 3 (time T + 2)
The sensors of bus 6 and branch (8,9) upload the disconnection information to control center DDT = 1

State 4 (time T + 3) State 5 (time T + 4)
The whole system comes to a new stable state UDT = 1 (1) bus 6, branch(4,6) and branch (6,9) disconnection (2) power flow redistribution (3) branch (8,9) overload (4) A p (8,9)  decisions and send control commands after receiving the correct physical system information at time T + 3. Those commands include cutting off 25 MW in generation 1 and generation 2, cutting off 40 MW in generation 3, and reclosing the break of branch (8,9), which is enters into state 5. In state 5, the physical system will come to a new stable state, as shown in Figure  6, after receiving the correct control commands at time T + 4. The power flow transferring from state 1 to state 5 in Figure 5 is given in Table 2.  I12   I3   I8   I9   I18   I15   I5   I13   I4  I14  I6   I16  I10   I1   I

Case 3
In case 3, we analyze the fault propagation paths under the cyber system faults and design the system state machine as shown in Figure 7.

Case 3
In case 3, we analyze the fault

State 5 (time T + 4)
The whole system comes back to the original stable state UDT = 1

State 6 (time T + 4)
(1) branch (8,9) cannot receive the command (2)breakers of branch (4,5), branch (6,9) and branch (5,7) reclose (3)The whole system comes to a stable state First turning into state 1 in Figure 7, the system operates normally, as shown in Figure 2, at time T. Assuming that an FDI attack occurs on the downlink between the control center and the cyber node connected to branch (5,7), which is represented by (7,5) (5, , state 1 enters into state 2. In state 2, the breaker of the branch (5,7) trips at time T + 1 by reason of the FDI attack, which leads to the power flow on each branch being redistributed. After the power flow redistribution, the breakers of branch (4,5), branch (6,9) and branch (8,9) trip because of overload. After execution, state 2 enters into state 3 unconditionally. At time T + 2, the sensors of branch (5,7), branch (4,5), branch (6,9) and branch (8,9) upload breakers information. If DDT = 1, then state 3 enters into state 4. In state 4, the control center will make decisions and send control commands after receiving the correct physical system information at time T + 3. Those commands include reclosing the breaks of branch (5,7), branch (4,5), branch (6,9) and branch (8,9), which are (

Case 4
In case 4, we analyze the fault propagation paths under the coupled system faults and design the system state machine as shown in Figure 8.  In case 4, we analyze the fault propagation pat

State 4 (time T + 3) State 5 (time T + 4)
The whole system comes back to the original stable state UDT = 1 State 6 (time T + 4) (1) branch (4,6) cannot receive the command (2)breakers of branch (7,8) and branch (8,9) reclose (3)The whole system comes to a stable state First turning into state 1 in Figure 8, the system operates normally, as illustrated in Figure 2 at time T. Assuming that the breaker of branch (7,8) suddenly trips, which is represented by B t (7,8), state 1 enters into state 2. In state 2, due to the breaker trip, the power flow on each branch will redistribute at time T + 1. After the power flow redistribution, the breakers of the branch (4,6) and branch (8,9) trip because of overload. After execution, state 2 enters into state 3 unconditionally. At the time T + 2, the sensors of branch (7,8), branch (4,6) and branch (8,9) upload the breakers information. If DDT = 1, then state 3 enters into state 4. In state 4, the control center will make decisions and send control commands after receiving the correct physical system information at time T + 3. Those commands include reclosing breaks of branch (5,7), branch (4,5), branch (6,9) and branch (8,9), which are ( Figure 2 after receiving the correct control commands at time T + 4. If there is a coupled fault on a downlink between a cyber node and a processor connected to the branch (4,6), which is represented First turning into state 1 in Figure 8, the system operates normally, as illustrated in Figure 2 at time T. Assuming that the breaker of branch (7,8) suddenly trips, which is represented by B t (7,8), state 1 enters into state 2. In state 2, due to the breaker trip, the power flow on each branch will redistribute at time T + 1. After the power flow redistribution, the breakers of the branch (4,6) and branch (8,9) trip because of overload. After execution, state 2 enters into state 3 unconditionally. At the time T + 2, the sensors of branch (7,8), branch (4,6) and branch (8,9) upload the breakers information. If DDT = 1, then state 3 enters into state 4. In state 4, the control center will make decisions and send control commands after receiving the correct physical system information at time T + 3. Those commands include reclosing breaks of branch (5,7), branch (4,5), branch (6,9) and branch (8,9), which are C s p (7, 8) = C s p (8, 7)= 1, C s p (4, 6) = C s p (6, 4) = 1 and C s p (8,9) = C s p (9, 8)= 1. If DDT = 1 and UDT = 1, then state 4 enters into state 5. In state 5, the physical system will come back to the original stable state in Figure 2 after receiving the correct control commands at time T + 4. If there is a coupled fault on a downlink between a cyber node and a processor connected to the branch (4,6), which is represented by F c down (4, 6) = F c down (6, 4) = 0, then state 4 enters into state 6. In state 6, the branch Energies 2020, 13, 539 20 of 22 (4,6) cannot receive the command at time T + 4, which means that the breaker of branch (4,6) cannot reclose. The breakers of branch (7,8) and branch (8,9) reclose so that the whole system comes to a stable state. If there is a coupled fault on a downlink between a cyber node and a sensor connected to the branch (4,6), which is represented by F c up (4, 6) = F c up (6, 4) = 0, then state 3 enters into state 7. In state 7, the control center will make decisions and send control commands after receiving the physical system information, except for the breaker information of branch (8,9) at time T + 3. Those commands include reclosing the breaks of branch (5,7), branch (4,5), and branch (6,9), which are C s p (7, 8) = C s p (8, 7)= 1 and C s p (8,9) = C s p (9, 8)= 1. State 7 then enters into state 6. The power flow transferring from state 1 to state 6 is given in Table 4.

Discussion and Conclusions
This paper focuses on fault propagation in cyber-physical power systems, and presents an interdependent model and fault propagation mechanism analysis for the CPPSs. In terms of the interdependent theory, a framework of cyber-physical interdependent network that takes into account the communication transmission process is first proposed. Based on the system steady state and power flow equations, the modeling process is divided into three parts, which are the power networks, the cyber networks, and the coupled networks. Through effectively associating the power networks with the cyber networks, the integrated model of cyber-physical interdependent networks based on the multi-characteristics association method is proposed to explain the association relationship between power networks and cyber networks.
By analyzing the different locations of faults or attacks and defining the faults and attack matrixes, the parameterized characterization method of fault propagation in CPPS is proposed. To illustrate the theoretical approach presented in the paper, we take a CPPS model consisting of IEEE 9-bus system as an example to quantitatively deduce and analyze the risk propagation process of the faults or attacks in CPPSs.
The modeling and fault propagation analysis of CPPSs proposed in this paper has the following characteristics: In the proposed model, the power network is modeled based on the DC model and the control center of cyber network generates decisions as well as controls the power and topology, which forms a closed loop. The CPPS modeling comprehensively considers the topology and electric characteristics, which meets the properties of power networks more adequately when compared with the model based on the complex network. The CPPS modeling takes into consideration the direction of information flow, which is more suitable for the power dispatching automation system. On the basis of the system steady state and power flow calculation, the proposed analysis method has low computational complexity when the topology of CPPSs is varied. Moreover, the formulations of the effects of typical faults under the integrated model framework can be implemented, which provides a new solution for the quantitative analysis of the impact of different types of faults on the CPPSs. However, the modeling is based on DC instead of AC power flow. In addition, due to the simplicity of the test system, the power system comes to a steady state by power flow calculating no more than twice, which means that the risk communication process ends early. In the future, we will study the modeling approach in a larger scale system by AC power flows and compare their differences.
As for implementation potentials, we need to consider more communication factors and faults, such as the impact of different communication delays on the CPPSs. The real-time co-simulation scheme based on power system simulation software and communication system simulation software will be studied.