Cyber Threats to Smart Grids: Review, Taxonomy, Potential Solutions, and Future Directions

Abstract: Smart Grids (SGs) are governed by advanced computing, control technologies, and networking infrastructure. However, compromised cybersecurity of the smart grid not only affects the security of existing energy systems but also directly impacts national security. The increasing number of cyberattacks against the smart grid urgently necessitates more robust security protection technologies to maintain the security of the grid system and its operations. The purpose of this review paper is to provide a thorough understanding of the incumbent cyberattacks' influence on the entire smart grid ecosystem. In this paper, we review the various threats in the smart grid, which have two core domains: the intrinsic vulnerability of the system and the external cyberattacks. Similarly, we analyze the vulnerabilities of all components of the smart grid (hardware, software, and data communication), data management, services and applications, running environment, and evolving and complex smart grids. A structured smart grid architecture and global smart grid cyberattacks with their impact from 2010 to July 2022 are presented. Then, we investigate the thematic taxonomy of cyberattacks on smart grids to highlight the attack strategies, consequences, and related studies analyzed. In addition, potential cybersecurity solutions to smart grids are explained in the context of the implementation of blockchain and Artificial Intelligence (AI) techniques. Finally, technical future directions based on the analysis are provided against cyberattacks on SGs. A novel improved watermarking technique is proposed to detect active replay attacks to smart grids. The suggested scheme makes use of the set-theoretic model predictive control framework to create a control input that can be securely and steadily connected to the utility grid for an a priori known number of steps, as and when they are needed. Results indicate that the watermarking technique efficiently detects the replay attack.


Introduction
Smart grid technology has been introduced to modernize and enhance existing electricity systems. Various energy management and operations techniques are incorporated into smart grid technologies in order to obtain their peak benefits. These techniques include the deployment of smart meters and applications at consumers' premises, whereas smart inverters, production-grade meters, renewable energy generators, and various energy-efficient resources are installed at the grid center. According to [1], the market size for global substation automation was predicted to be USD 39.9 billion in 2021. If it expands at the same pace, the estimated size will rise to USD 54.2 billion by the end of 2026. This growth is attributed to various prominent factors, including development projects related to power grid technologies, since electricity produced from renewable resources ultimately leads to lower costs for renewable energy generators. In order to meet growing electricity demands, new green energy sources such as hydropower, geothermal heat, wind, solar radiation, fuel cells, bioenergy, ocean energy, and nuclear fission are attached to existing electricity distribution structures [2]. Although renewable energy is embedded in nature, it is still affected by various conditions including humidity, wind speed and direction, ambient temperature, and geographical area. For example, solar energy is affected by cloud cover, ambient temperature, and irradiance. Similarly, hydropower generation is affected by climate change, i.e., change

Overview of Smart Grid Infrastructure
A smart grid is an intelligent transformation of the traditional physical grid. Relying on advanced sensing, communication, and decision-making technology to achieve safe, efficient, and environmentally friendly transmission and power demand is the goal of the smart grid. Although the smart grid has entered the commercial stage, different countries, organizations, and institutions have given inconsistent explanations for the connotation of this term.
• SmartGrid.gov: like the Internet, the Smart Grid will consist of controls, computers, automation, and new technologies and equipment working together, but in this case, these technologies will work with the electrical grid to respond digitally to our quickly changing electric demand [11].
• National Institute of Standards and Technology (U.S. Department of Commerce): The smart grid is a planned nationwide network that uses information technology to deliver electricity efficiently, reliably, and securely. It has been called "electricity with a brain", "the energy internet", and "the electronet". A more comprehensive definition we use at NIST is a modernized grid that enables bidirectional flows of energy and uses two-way communication and control capabilities that will lead to an array of new functionalities and applications [12].
• Grid 2030: Grid 2030 is a fully automated power delivery network that monitors and controls every customer and node, ensuring a two-way flow of electricity and information between the power plant and the appliance, and all points in between. Its distributed intelligence, coupled with broadband communications and automated control systems, enables real-time market transactions and seamless interfaces among people, buildings, industrial plants, generation facilities, and the electric network [13].
• The Office of Electricity: An automated, widely distributed energy delivery network, the Smart Grid will be characterized by a two-way flow of electricity and information and be capable of monitoring everything from power plants to customer preferences to individual appliances. It incorporates into the grid the benefits of distributed computing and communications to deliver real-time information and enable the near-instantaneous balance of supply and demand at the device level [14].
Although these explanations are different, it is found that the smart grid usually contains three components, namely hardware, software, and interaction-based flow. As shown in Table 1, the hardware includes substations, transformers, meters, etc., in the traditional power grid, as well as sensors, automatic controllers, etc., for intelligent interaction, which are physical components in the smart grid. The software is used in the power grid hardware to realize the functions of intelligent dispatching, intelligent defense, intelligent energy storage, and so on. Networked software also plays an important role in the construction of the smart grid to realize timely and effective interaction and provide better service. Their application makes the grid no longer a closed system, but a combination of factors to achieve smarter generation, transmission, and use of electricity. Interaction-based flows mainly include electrical energy, data generated by hardware and software, and various networks for data exchange. According to the purpose of flow, they can be divided into power flow, data flow, control flow, information flow, etc. They can flow between various components of the power supply system, providing more intelligent and refined services between the power supply department and users than the traditional power grid.
• Information Technology (IT) and Operational Technology (OT): IT provides the conditions for two-way interaction and sharing of information flow in the smart grid. Due to the openness of the protocols, the information collected from different components of the power grid can be circulated conveniently. Advanced technologies such as wireless communication, satellite communication, and laser communication provide diverse and accurate information acquisition and transmission services for the smart grid. To realize the high integration of the industrialization process and information construction, the smart grid needs the help of OT. OT and IT are two different concepts, and this difference is reflected in the operation, technology, and management of the system [15]. The core idea of OT is to effectively transform long-term accumulated manual experience into a knowledge system applicable to computers and other equipment, and to build the automatic operation and management process of the power grid [16].
• Supervisory Control and Data Acquisition (SCADA): SCADA is widely used in the power system to realize the monitoring and control of field equipment [17]. In this system, the remote terminal unit (RTU) and feeder terminal unit (FTU) provide strong support for data acquisition, control, regulation, feedback, alarm, and other operations. With the continuous development of the computer industry, SCADA began to combine new technologies such as expert systems, artificial intelligence, deep learning, and knowledge inference to improve the linkage ability of all parts of the power grid [18]. However, the growth of remote accessibility between systems has compromised the security of SCADA [19].
• Cyber-Physical Systems (CPS): Realizing the deep convergence of physical space and cyberspace is the ultimate goal of CPS. During the construction of the power grid, physical space contains a variety of infrastructure related to power systems, such as power generation equipment, substation equipment, transmission equipment, and electrical equipment. Ning et al. [20] pointed out that arithmetic logic units (ALUs) with computing functions, various devices used for storage, and gateways/routers used for data transmission belong to the things that appear together in cyberspace. They can transform things in traditional physical space to give them the ability of perception, computing, and communication [21].
• Internet of Things (IoT): Using sensor networks, radio frequency identification (RFID) technology, intelligent embedding technology, and other means, it is possible to take the network as the carrier to build a things-centered information interaction network, that is, the IoT. Compared with CPS, IoT aims to realize the ubiquitous connection between physical space and cyberspace, in order to realize the intelligent management of things. Since power generation, transmission, and final power consumption require the cooperation and linkage of different components in the power grid, the effective management of each component is an important measure to achieve intelligence. In the process of constructing and improving the smart grid, the data sharing and management mechanisms of the system also need to be solved in terms of perception, transmission, and application, so that they can be realized by relying on the three-layer architecture of the IoT, namely the sensing, network, and application layers.
• Fog/edge computing: With the development of micro miniaturization, low power consumption, intelligence, high integration, and networking of sensors, fog computing and edge computing have become important technologies that can be applied in the construction of distributed smart grids [22]. At present, the transformation of the smart grid is developing towards decentralization and distribution. Compared with the current highly centralized power system, this scheme has the advantage that, in case of failure or other accidents, it can theoretically reduce the scope and scale of the influence.
• Internet of Energy (IoE): The goal of IoE is to transform the electricity-related infrastructure of existing energy producers and suppliers, making them digital, automated, and intelligent. Such transformation is a necessary basis for building a smart grid [23]. The development of IoE relies on IoT, which can help accelerate the transformation of traditional power grids to smart grids. The purpose of IoE construction is to make energy production more environmentally friendly [24], energy utilization more efficient, energy consumption lower, and energy cost more economical.
No matter what computer technologies are used to build a smart grid, their essence is a program composed of code. Due to the lack of strict test management and security certification, these technologies may have loopholes and backdoors. Once these defects are exploited by attackers, they will seriously threaten the integrity of smart grid operation. Malicious attacks on the smart grid may cause power outages, affect users' normal production and life, or lead to social unrest and even international disputes. Therefore, it is very important to predict risks in advance [25], ensure the stability of smart grid operation, reduce the risk of cyberattacks, and effectively protect data privacy.

Research Method
In recent years, smart grid research has attracted many scholars and the growth of publications has been exponential, as presented in Figure 3. We searched keywords such as "smart grid", "cyber threats", "cyberattacks", and "vulnerabilities" with the conjunction (AND) and disjunction (OR) operators to retrieve the relevant studies. Furthermore, we included more keywords such as blockchain, Machine Learning (ML), and Deep Learning (DL) in order to identify the potential solutions against smart grid security attacks. Finally, relevant studies were included from top research databases such as IEEE, SpringerLink, ACM, ScienceDirect, and MDPI.
Figure 3. Year-wise publications with the search string "smart grid" AND "cyber threats" OR "cyberattacks" OR "vulnerabilities" on Google Scholar.

Our Contribution
This paper examines the smart grid threats that cover the two core domains: the intrinsic vulnerability of the system and the external cyberattacks. Furthermore, it presents a comprehensive thematic taxonomy of cyberattacks on smart grids with attack strategies and countermeasures. To detect and prevent cybersecurity attacks on the smart grid, AI- and blockchain-based techniques are elaborated. Additionally, future directions are provided to give researchers a greater understanding of smart grid security.

Organization of Paper
The remainder of this paper is organized as follows. Section 2 elaborates the vulnerabilities of smart grids. Section 3 describes the global review of cyberattacks on smart grids. Section 4 presents the thematic taxonomy of cyberattacks on smart grids. In Section 5, potential solutions for cybersecurity in smart grids are investigated. Section 6 provides the future research directions. Finally, Section 7 concludes the paper.

Vulnerabilities of Smart Grids
Vulnerability is defined by CVE (Common Vulnerabilities and Exposures) as "a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, OR availability. Mitigation of the vulnerabilities in this context typically involves coding changes but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)" [12].
Modern smart grids have evolved into a complex technical system that integrates physical networks, information technology (IT), and operational technology (OT), and interoperates and interacts with many other related critical infrastructures. All vulnerabilities [26] embedded in the grid system, even those of external systems interconnected with the grid system, have a direct and indirect impact on the security of the grid. Vulnerability is a major part of the threats to smart grids, and can potentially lead to various consequences, such as power outages, power losses, economic damages, etc.

Vulnerabilities in Physical Components
A smart grid consists of various components, including hardware, software, and management systems. All of these components harbor some vulnerabilities, such as:

1. Inadequate physical access control systems, e.g., inadequate camera surveillance, and inadequate surveillance at unmanned sites;
2. Inadequate physical security for DERs at remote locations;
3. Internal redundancy constraints within the substation;
4. Inadequate monitoring of long lines;
5. Obsolete components and long replacement times for damaged equipment;
6. Inadequate filtering of electromagnetic pulses near the smart grid system;
7. Poor physical environment of grid operation.
These potential risks are traditional problems that also originate from natural or man-made physical damage [27], and there are also many proven means and methods of protection. However, these physical vulnerabilities have the potential to facilitate a possible coordinated cyberattack, a combination of local and adversary cyberattacks.

Vulnerabilities in IT/OT
Information technology (IT) and operational technology (OT) networks have historically operated independently. Electric utilities have relied on IT to automate business functions such as daily management, billing, customer service, and accounting, while OT has focused primarily on managing electric grid operations such as power distribution and critical energy infrastructure management. Advances in IT/OT have made it possible for connected substations to work together with little or no human interaction. As more and more smart devices are integrated into smart grids, it is becoming increasingly challenging to keep the grid secure. This connectivity between IT and OT is changing the philosophy and approach to the cybersecurity of smart grids. However, at the same time, all the vulnerabilities that IT/OT possesses become a threat component to the overall grid system.

Vulnerabilities in Hardware and Software
Smart grids consist of a large number of different smart hardware and software components, especially networked devices. Any vulnerability in this hardware and software can lead to corresponding cyberattacks [28]. These devices include: The vulnerabilities reported in the National Vulnerability Database (NVD), the Vulnerability Database (VULDB) [29], and CVE Details [30] demonstrate the increasing number of vulnerabilities in smart grid hardware/software and in general software [31]. The CVE and CVSS records show the long-term trend of increasing vulnerabilities in smart grid devices and their associated software [30,32]. The vulnerability of these smart grid devices with intelligent operation and networking capabilities is growing rapidly, not only because of more vulnerabilities in the new devices but also because of evolving smart grid systems, newer smart grid operating environments, and expanding applications and services [33]. These vulnerabilities also facilitate various communication and network-based attacks [26,34].
The communication in the OT part lacks sufficient security design to protect the data communication within OT components and with the IT components. This is primarily a weakness of smart grids that is hard to fix in the short term. Replacing technologies and devices and improving OT can take quite a long time. The vulnerability in IT communication is not new, but it is a channel that connects the external attacker with the internal OT.

Vulnerabilities in Data Management
Current smart grid data management faces the problems of data aggregation quality, security, compliance control, common scope, and efficiency of the management mechanism. A large amount of data is generated and transferred between different entities. Accurate and consistent incoming data streams, such as grid operation, weather forecasts, and business data, allow operators to control and monitor the grid system. Such information is very important to avoid sudden and unexpected power supply disruptions and to maintain the quality of grid services and business. In addition, such big data can also be used for grid operations, alarms, demand forecasts, generation estimates, price adjustments, etc. The data collected tend to be quite large, as multiple smart grid domains are involved in the process. There is also a regulatory requirement to provide accurate data as frequently as possible, which is challenging. However, there are many vulnerabilities in the long chain of data collection, analysis, processing, maintenance, and security in the cyber environment. Most smart grids are not prepared to maintain data security and privacy management. The vulnerability is demonstrated by the inadequate CIA triad (confidentiality, integrity, and availability) for data and the protection of services [5,8], and by the lack of specific protection technology for smart grid domain data, such as data generated by field devices, SCADA data, grid operational data, transaction data, etc.

Vulnerabilities in Services and Applications
Access to OT data and IT data enables the rapid transformation of physical data into actionable information that enables advanced asset management platforms, distributed energy management systems, and distribution grid applications. The applications have led to some amazing benefits for asset-rich substations. Inter-connectivity leads to faster data exchange between devices, enabling automation of substation protection and control systems and providing operational benefits. Smart grids can provide quite a number of applications and services for electricity trading, electricity services, electricity convergence, and various customer services. All these digitization-based services rely on grid operation, grid communication, data collection, and application process analysis.
There are some inherent vulnerabilities in information technology system applications, which are greatly expanded in scale on the smart grid and extend to all aspects of applications and services [35,36], which include:

1. Lack of patching policy and regular updates, e.g., unpatched software and systems;
2. Use of outdated operating system versions;
6. Inadequate AAA: authentication (to identify), authorization (to grant permission), and accounting (to log an audit trail);
7. Poor grid isolation from the Internet;
8. Lack of intrusion detection systems for OT;
9. Inadequate malware detection and defense for OT;
10. Unreliable technology provider for those OT devices;
11. Inadequate compatibility with legacy systems and legacy devices.
All these vulnerabilities seriously disrupt the regular functions and services of smart grids.

Vulnerabilities in Running Environment
The smart grid operating environment includes many levels, from technology to society, people, ethics, politics, national policy, and the international environment [35,37]. Therefore, the typical vulnerabilities for the grid operating environment include many non-IT aspects, such as:
• Weak controls on legal, social, and ethical aspects;
• Non-compliance with national and international regulations.
Most of the above vulnerabilities should be addressed with both technical and nontechnical solutions, such as improving cybersecurity awareness, sufficient professional training, and continuous monitoring of the entire operating environment of the smart grid. Since the smart grid is a typical critical infrastructure, the system could be more targeted by attackers in troubled environments. Therefore, the political and international background should not be ignored.

Vulnerabilities in Evolving and Complex Smart Grids
The expanding and evolving smart grids are integrating more and more IEDs (Intelligent Electronic Devices) and components, bridging to different network systems, supporting more and more applications and services, and interacting with other critical infrastructures. This makes smart grids a typical SoS (system of systems). Any vulnerability in any part of the complex systems puts the smart grid at risk, and the dynamics and complexity make vulnerability detection and remediation even more challenging [38,39].
Vulnerability identification, detection, and remediation should be managed systematically and need to be combined with cyberattack analysis. Most cyberattacks make use of the vulnerabilities in a smart grid system, in particular the vulnerabilities in networked devices and components.
Smart grid security is not just about building networks that are defensible (i.e., can withstand any threat). A more logical approach is to have efficient network vulnerability management that can adapt quickly to changing conditions while minimizing damage to smart grids. The main tasks for vulnerability management are as follows:
1. Identify and detect as many and as complete vulnerabilities as possible at all levels of the system, as any undiscovered vulnerability can lead to potential security risks. The security of the smart grid is determined by the weakest part, not by the strongest part.
2. Repair or remove system vulnerabilities as soon as possible. Once vulnerabilities exist and are discovered, hidden threats must be eliminated as quickly as possible. Many cyberattacks exploit zero-day vulnerabilities.
3. Vulnerability aggregation. The final vulnerability of the system is not simply a collection of vulnerabilities. It is necessary to clarify the physical, logical, and functional dependencies between them and figure out their aggregation rules. This enables a complete understanding of the system vulnerability of smart grids.
4. Automated discovery and analysis of system vulnerabilities are necessary. The smart grid system contains various vulnerabilities, and it is difficult to find all vulnerabilities manually with exhaustive methods and analyze them in time. Automated methods need to be developed to support vulnerability detection, analysis, and management.
5. Vulnerability analysis and attack matching. All cyberattacks exploit one or more vulnerabilities in a system. A clear map of vulnerabilities and attacks is very helpful in defending and protecting system security.
6. It is necessary to create a systematic plan with countermeasures to address the vulnerabilities. A single point of failure or weak point of failure is always a challenge to a smart grid.

Global Review of Cyberattacks to Smart Grids
Due to the high dependence of the smart grid on computer networks and other related technologies, cyberattacks will interfere with the normal operation of power systems. In addition, power production, transmission, and application are closely related to industry, agriculture, medical treatment, and other aspects. Once the power grid is attacked, it will cause immeasurable losses to normal production and life. Table 2 summarizes the serious smart grid attack and destruction events worldwide between 2010 and July 2022 and briefly describes the impact and consequences of the events.
Summarizing the above attacks against smart grids, it is found that the reasons for these losses mainly include two aspects, namely, the vulnerability of the smart grid and cyberattacks launched by exploiting vulnerabilities. Unreasonable smart grid structure, no safety-certified application software, and untimely maintenance of software and hardware may leave potential safety hazards for the normal operation of the smart grid. The construction, use, and maintenance of these smart grids may also not strictly adhere to the five aspects of cybersecurity risk management, namely identify, protect, detect, respond, and recover. Once these vulnerabilities are discovered by attackers and used illegally, the power system may suffer severe damage. Currently, cyberattacks launched by exploiting smart grid vulnerabilities mainly use ransomware and malware.
By encrypting sensitive data of the power sector, users, and even partners, the attacker achieves the purpose of extorting the power company. Except for the ransomware developers, the power sector has almost no ability to decrypt these files. For general computer systems, ransomware mainly achieves intrusion through vulnerabilities, emails, and unsafe links to web pages. The internal IT network was temporarily blocked, resulting in a temporary interruption of customer service activities [54].
For the local area network of the electric power department that stores a large amount of sensitive data, the probability of ransomware intrusion through vulnerabilities is far greater than that of emails and unsafe links. In addition to demanding a huge ransom from the power company, ransomware may also cause interruption of normal user services and even the serious consequence of not being able to supply electricity.
As national infrastructure, the power grid has become an important target for network confrontations between countries and for hacker sabotage. Therefore, malware targeting the smart grid is also constantly evolving. Under the premise of being as concealed as possible, this malware is dedicated to increasing the intensity and scope of damage to the grid. Some malware can run in the power grid control system in a hidden way. By interfering with the power distribution function of the system, it causes uneven power distribution, wastes power resources, and reduces energy utilization. In addition, malware can cause the substation to lose the connection with the control center in order to cut power transmission, which may cause paralysis of production, transportation, and medical care. A more serious situation is that if malware invades nuclear power plants and controls key functions such as operating nuclear reactors, there may be casualties and even social conflicts.

Thematic Taxonomy of Cyberattacks to Smart Grid
The exploration of cyberattacks on smart grids has so far predominantly relied on false data injection attacks (FDIAs), denial of service (DoS) attack, data framing attacks (DFA), man-in-the-middle (MiTM) attack, load altering attacks (LAAs), false command injection attack (FCIA), load redistribution attack (LRA), coordinated cyber-physical topology (CCPT) attacks, replay attack, etc., as presented in Figure 4. These diverse kinds of cyberattacks accentuate and exploit different vulnerabilities in power grids with different attack intents and strategies. Furthermore, deep integration of information systems into power physical systems leads to severe threats such as malware attacks and so on.

False Data Injection Attack
False data injection attacks (FDIAs) were first developed in [58], aiming to skilfully interfere with the meter measurements and invisibly influence the result of state estimation (SE), posing a serious threat to smart grid security. Furthermore, FDIAs are capable of evading the bad data detection (BDD) mechanism of the smart grid. In the past decade, FDIAs on smart grid systems have received noticeable attention due to their influence. With the tremendous proliferation of cyber-physical systems, FDIAs are broadly used to gain illegal profit by tampering with data and to destroy the stability of electric power grids [59]. The SCADA system employs state estimation to process the measured data and uses the estimated states, i.e., phase angles and bus voltages, for transmission stability analysis as well as load shedding. Moreover, at the control center, an energy management system (EMS) is implemented to determine whether the smart grid is operating normally based on the results of state estimation. Ultimately, the correctness of state estimation affects the working and stability of smart grids. As a result, state estimation is critical to the consistent control and operation of smart grids.
Nevertheless, state estimation is susceptible to a variety of cyber-physical attacks, the most challenging of which are false data injection attacks (FDIAs). FDIAs are skilled in fudging network topology in order to deceive the control center, disrupt the electricity market to gain revenue, and cause havoc in power grid applications such as the SCADA system and the phasor measurement unit (PMU). The implications of FDIAs on smart grids have been studied in a number of publications, including [60][61][62]. In the work of [60], the authors showed that FDIAs can successfully launch a branch outage sequence which disrupts various branches concurrently and ultimately results in sequential outages. Similarly, Liu et al. [61] showed that FDIAs were able to disguise a line outage by disturbing PMU-data-dependent outage detection. Furthermore, Tan et al. [62] elaborated that FDIAs lead to smart grid frequency excursions, blackouts, and damage to electric equipment. Consequently, various detection methods have been developed against FDIAs, such as deep learning, Kullback-Leibler distance, sparse optimization, colored Gaussian noise, spatio-temporal correlations, Kalman filter, and blockchain, as presented in Table 3.
Table 3. Methods and countermeasures to defend against FDIA.

Reference | Key method | Explanation
[63,64] | Deep learning | The authors proposed a deep-learning-based locational detection (DLLD) framework to detect the location of FDIAs in real time. DLLD combines a conventional bad data detector (BDD), which removes low-quality data, with a convolutional neural network (CNN), which captures the inconsistency in power flows caused by FDIAs. Similarly, a false data detector (FDD) is concatenated with the CNN to detect fake information and the co-occurrence dependency of power flows. Both analysis and experimental results show that the method performs efficiently under attack conditions.
[65] | Kullback-Leibler distance | A joint transformation scheme is implemented to detect FDIAs in real time. The method is built on the dynamics of measurement variations, and the Kullback-Leibler distance measures the divergence between the probability distributions of those variations. The method is validated on the IEEE 14-bus system under attack and achieves a high detection probability.
[66] | Sparse matrix separation | An in-depth analysis of the attack properties is used to detect FDIAs, since stealthy FDIAs can overload transmission lines and yield illicit financial gain. Through sparse matrix separation, the attack matrix and the normal measurement matrix are separated and recovered from the corrupted measurement matrix.
[67] | Colored Gaussian noise | FDIA detection is made possible by exploiting colored Gaussian noise, and the detector is tested against an unobservable FDIA scheme built on independent component analysis (ICA). The performance of the attack detector is evaluated on the IEEE 30-bus power system and benchmarked against a conventional Gaussian noise detector.
[68] | Spatio-temporal correlations | A spatio-temporal detection method is proposed to detect and evaluate FDIAs. The temporal and spatial correlations are examined with a cubature Kalman filter and Gaussian process regression, respectively; both capture the dynamic properties of the state vector. A deep CNN is then trained to decide whether the system is under FDIA. The reported accuracy is 99.84-100%.
[69] | Kalman filter | Combining a Kalman filter with a recurrent neural network (KFRNN), an effective scheme is presented to detect FDIAs in the smart grid. In the first stage, the Kalman filter and the RNN are applied to state prediction to fit the linear and nonlinear data features, respectively. The second stage uses a fully connected layer with back propagation (BP) to adaptively combine the outputs of the two base learners. A dynamic threshold is then derived to identify FDIAs by fitting a Weibull distribution to the sum of squared errors (SSE) between observed and predicted measurements.
[70] | Blockchain | As information is exchanged between the independent system operator (ISO) and the agents operating under it, an FDIA is generated to test the security level; the attack results in loss of network stability and economic loss for the operator. A blockchain-based secure architecture is therefore developed for exchanging data between the ISO and its agents. The results show that blockchain improves social welfare for power system users.
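The stealth condition that lets an FDIA pass a residual-based BDD can be seen on a toy DC state estimator. The following Python script is an added example written for this review, not code from [58] or from any of the works in Table 3; the 3-bus network, its reactances, the meter set, the noise level and the BDD threshold are assumptions chosen for illustration. It shows that crude bad data is caught by the residual test, that an attack vector of the form a = Hc is not (while shifting the estimate by exactly c), and that protecting a set of meters whose rows of H have full column rank rules such attacks out.

```python
"""False data injection against DC state estimation.

Added example for this review, not code from [58] or from any work in Table 3.
The 3-bus network, reactances, meter set, noise level and BDD threshold are
assumptions chosen for illustration.
"""
import numpy as np

# Assumed 3-bus DC network; bus 1 is the angle reference, so the state is
# x = [theta2, theta3].  Reactances (pu): x12 = 0.1, x23 = 0.2, x13 = 0.25.
# Meters: line flows P12, P23, P13 and bus injections P2, P3, so z = H x + e.
H = np.array([
    [-10.0,  0.0],   # P12 = (theta1 - theta2) / 0.1
    [  5.0, -5.0],   # P23 = (theta2 - theta3) / 0.2
    [  0.0, -4.0],   # P13 = (theta1 - theta3) / 0.25
    [ 15.0, -5.0],   # P2  = P21 + P23
    [ -5.0,  9.0],   # P3  = P31 + P32
])
SIGMA = 0.01   # assumed meter noise standard deviation (pu)
TAU = 0.05     # assumed BDD threshold on ||z - H x_hat||_2 (about 5 sigma, 3 residual dof)


def estimate(z, h=H):
    """Least-squares state estimate (WLS with equal meter weights)."""
    x_hat, *_ = np.linalg.lstsq(h, z, rcond=None)
    return x_hat


def bdd_residual(z, h=H):
    """Residual norm used by the bad data detector (BDD)."""
    return float(np.linalg.norm(z - h @ estimate(z, h)))


def bdd_flags(z, h=H, tau=TAU):
    """True when the BDD would reject the measurement vector."""
    return bdd_residual(z, h) > tau


def stealthy_attack(c, h=H):
    """Attack vector a = H c: the residual is unchanged and the estimate shifts by c."""
    return h @ np.asarray(c, dtype=float)


def stealthy_attack_possible(protected, h=H):
    """Can some nonzero c give (H c)_i = 0 on every protected meter i?

    That holds iff the protected rows of H do not have full column rank, so
    protecting a full-rank set of meters rules out every attack of the form H c.
    """
    if not protected:
        return True
    return np.linalg.matrix_rank(h[sorted(protected)]) < h.shape[1]


def demo(seed=1):
    """Compare clean data, crude bad data on one meter, and a stealthy a = H c attack."""
    rng = np.random.default_rng(seed)
    theta = np.array([-0.05, -0.08])                  # assumed true bus angles (rad)
    z = H @ theta + rng.normal(0.0, SIGMA, H.shape[0])
    crude = z.copy()
    crude[0] += 0.5                                   # naive +0.5 pu on the P12 meter
    c = np.array([0.02, -0.03])                       # attacker's chosen state bias
    stealthy = z + stealthy_attack(c)
    return {
        "clean_residual": bdd_residual(z),
        "crude_residual": bdd_residual(crude),
        "stealthy_residual": bdd_residual(stealthy),
        "clean_flagged": bdd_flags(z),
        "crude_flagged": bdd_flags(crude),
        "stealthy_flagged": bdd_flags(stealthy),
        "estimate_shift": (estimate(stealthy) - estimate(z)).tolist(),
        "meters_touched": int(np.count_nonzero(stealthy_attack(c))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("stealthy attack possible, meter 0 protected:", stealthy_attack_possible({0}))
    print("stealthy attack possible, meters 0 and 2 protected:", stealthy_attack_possible({0, 2}))
```

The crude injection raises the residual far above the threshold, while the a = Hc injection leaves the residual bit-for-bit unchanged and moves the estimate by c. The protection check is the practitioner's takeaway: the attacker must control every meter where Hc is nonzero, so protecting, or independently verifying with PMUs, a small set of meters whose rows of H have full column rank defeats the stealthy construction outright.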

Denial-of-Service Attack
Smart grid cybersecurity requires the availability of power and of the associated information and communication infrastructure. In this context, a denial-of-service (DoS) attack targets the availability of power and compromises timely, reliable access to the smart grid [71,72]. DoS is prevalent because, despite its simplicity, an effective DoS attack can induce significant disruption. A DoS attack consists of (1) flooding, which overwhelms a device or channel with data, (2) exploitation of vulnerabilities or anomalies in protocols and systems, or (3) both. When the attack is generated by a large number of dispersed hosts, such as a botnet, it is called a distributed denial-of-service (DDoS) attack. Since the definition of the smart grid includes guaranteeing access to sufficient power, a DoS attack on the smart grid targets the availability of power in the traditional sense, denies control of communication, computing, and information systems, compromises data integrity, and can amount to the denial of power itself. Any of these DoS attacks in the smart grid domain can result in a cascading blackout, leaving thousands, if not millions, of consumers without electricity for extended periods of time [73]. DoS attacks disrupt Internet traffic and have cost billions of dollars worldwide, and as smart grid systems become more networked, DoS attacks can cause major power outages with severe consequences. Smart grids contain a set of measurement and control devices, including smart meters, smart appliances, data aggregators, phasor measurement units (PMUs), remote terminal units (RTUs), intelligent electronic devices (IEDs), programmable logic controllers (PLCs), etc. Because these devices adopt standard Internet protocols, they expose numerous vulnerabilities that can be used to mount DoS attacks. Furthermore, security in smart grids is typically overlaid on legacy systems, which leaves numerous cybersecurity flaws.
For instance, numerous utility companies reportedly do not categorize PMU networks as critical cyber assets, which may contribute to a structural lack of preparedness against cyberattacks, particularly DoS variants [74]. The impact of a DoS attack can range from minor to severe, jeopardizing the availability and integrity of the service, and it can cause power line failures as well as financial loss [75]. Consequently, various detection methods have been developed against DoS attacks, such as the deployment of honeypots, machine learning, data-driven schemes, software-defined networking (SDN), deep learning, and blockchain; they are presented in Table 4. Table 4. Methods and countermeasures to defend against DoS attack.

Reference | Key method | Explanation
[77] | Data-driven | The dynamic states of components subjected to DoS attacks are predicted using a data-driven scheme based on the relationships, learned before the attack, between the states of the attacked modules and those of the remaining components of the system. The time-series data of PMUs under DoS attack can be reconstructed from the interrelations among the PMU time series, even when the attack is large.
[78] | Software-defined networking (SDN) | An SDN approach with a lightweight entropy-based method is implemented to detect both low-rate and high-rate DDoS attacks. With an adaptive threshold, the highest detection rate is achieved.
[79] | Deep learning and blockchain | A practical Byzantine fault tolerance (PBFT) algorithm is employed within the blockchain framework to achieve consensus in the energy network. To detect DDoS attacks over TCP (transmission control protocol) and UDP (user datagram protocol), a recurrent neural network (RNN) deep learning model is implemented.
[80] | Intrusion detection and prevention system (IDPS) | An IDPS aims to guarantee confidentiality, integrity, and availability (CIA); the IDS component analyzes security events and identifies malicious activity. In smart grids, an IDPS can be applied to the entire SG or to the AMI, SCADA, substation, and synchrophasor subsystems.
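The entropy-based SDN detection summarized for [78] works because a flood concentrates traffic on one destination, which lowers the entropy of the per-window destination-IP distribution. The Python block below is an added example written for this review, not the authors' implementation: it computes per-window destination entropy, learns an adaptive threshold from recent benign windows, and exercises it on constructed traffic for an assumed 50-host substation LAN, including a low-rate (30%) and a high-rate (90%) flood toward an assumed SCADA master address. In an SDN deployment the windows would be built from controller packet-in events or flow-table counters.

```python
"""Entropy-based DDoS detection with an adaptive threshold.

Added example for this review in the spirit of the SDN scheme in [78]; not the
authors' code. Hosts, the target address and the traffic windows are constructed.
"""
import math
import random
import statistics
from collections import Counter


def destination_entropy(dst_ips):
    """Shannon entropy (bits) of the destination-IP distribution in one window."""
    n = len(dst_ips)
    counts = Counter(dst_ips)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


class AdaptiveEntropyDetector:
    """Alert when a window's entropy drops below mean - k * std of recent benign windows.

    A floor on the standard deviation stops a very flat baseline from alarming on
    jitter, and alerting windows are not fed back into the baseline, so an ongoing
    attack cannot drag the threshold down to its own level.
    """

    def __init__(self, baseline_windows=8, history=20, k=3.0, std_floor=0.05):
        self.min_baseline = baseline_windows
        self.history = history
        self.k = k
        self.std_floor = std_floor
        self.baseline = []

    def threshold(self):
        """None while still learning, otherwise the current adaptive threshold."""
        if len(self.baseline) < self.min_baseline:
            return None
        mean = statistics.fmean(self.baseline)
        std = max(statistics.pstdev(self.baseline), self.std_floor)
        return mean - self.k * std

    def observe(self, dst_ips):
        """Return (entropy, alert) for one window and update the benign baseline."""
        h = destination_entropy(dst_ips)
        thr = self.threshold()
        alert = thr is not None and h < thr
        if not alert:
            self.baseline.append(h)
            self.baseline = self.baseline[-self.history:]
        return h, alert


def make_window(rng, hosts, size=200, target=None, attack_share=0.0):
    """Constructed traffic: uniform destinations, optionally a share aimed at one target."""
    window = []
    for _ in range(size):
        if target is not None and rng.random() < attack_share:
            window.append(target)
        else:
            window.append(rng.choice(hosts))
    return window


def run_scenario(seed=7):
    """Twelve benign windows, then a low-rate and a high-rate flood toward the master."""
    rng = random.Random(seed)
    hosts = [f"10.0.{i // 256}.{i % 256}" for i in range(1, 51)]   # constructed substation LAN
    target = "10.0.0.1"                                             # assumed SCADA master
    det = AdaptiveEntropyDetector()
    benign = [det.observe(make_window(rng, hosts))[1] for _ in range(12)]
    low_rate = det.observe(make_window(rng, hosts, target=target, attack_share=0.3))[1]
    high_rate = det.observe(make_window(rng, hosts, target=target, attack_share=0.9))[1]
    return {"benign_alerts": sum(benign), "low_rate_alert": low_rate, "high_rate_alert": high_rate}


if __name__ == "__main__":
    print(run_scenario())
```

A fixed threshold tuned for the 90% flood would miss the 30% one; the adaptive threshold, learned from the site's own benign entropy, catches both while raising no alert on the benign windows. The trade-off a practitioner must watch is baseline poisoning: a slow ramp that never crosses the threshold is absorbed into the baseline, which is why the history window is short and alerting windows are excluded from it.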

Data Framing Attacks
Smart grid security research has also turned to data framing attacks (DFAs). The objective of a DFA is to mislead the control center about the origin of a state attack. It was originally presented in [81] for the DC model and later extended to the AC model [82]. Unlike an FDIA, a DFA does not attempt to pass bad data detection (BDD): the malicious measurements are deliberately flagged as bad data, which may be attributed either to minor errors or to a malicious attack. BDD is the process that validates the topology and meter data, and bad data identification and removal (BDIR) then separates benign measurements from malicious ones and removes the latter. A DFA frames the benign measurements so that BDIR removes them and keeps the malicious ones in the system, which perturbs the result and yields an inaccurate state estimate. Hence, effective detection of data framing attacks is important for smart grid operation and control. In [83], the authors applied machine learning (ML) to detect data framing attacks: detection is cast as a classification between secure data and bad data using a support vector machine (SVM). The results, evaluated on the IEEE 118-bus test system, show that the SVM successfully detects the data framing attack.

Man-in-the-Middle (MITM) Attack
A man-in-the-middle (MiTM) attack on a smart grid system sniffs or intercepts the communication between field devices, or between field devices and the Supervisory Control and Data Acquisition (SCADA) system and controller. MiTM attacks are also launched to alter the information exchanged over a Modbus TCP communication channel, and the attacker can both store and read the transferred messages [84]. The three main objectives of MiTM attacks on smart grids are: (1) intercept or record the measurements; (2) modify the smart meter data; and (3) alter the network traffic [85]. According to [86], 95% of HTTPS servers are susceptible to MiTM attacks, in which the attacker presents itself to the destination as the legitimate source and to the source as the genuine destination. SCADA is the core component of the smart grid network; it manages numerous infrastructures and plays a crucial role for electricity companies and process industries such as the water, gas, oil, and power sectors. The authors of [87] launched a MiTM attack on SCADA communication that uses the International Electrotechnical Commission IEC 60870-5-104 protocol. The attack was mounted through address resolution protocol (ARP) poisoning, and a packet inspection technique on the SCADA network was used to detect it. Security vulnerabilities in the remote terminal unit (RTU) were also analyzed by mounting the MiTM attack against it. Because the advanced metering infrastructure (AMI) of the smart grid automatically records power consumption readings over a communication medium, it is likewise vulnerable to MiTM attacks. Modbus over transmission control protocol/internet protocol (TCP/IP) is broadly used in smart grid systems [88], and attacks on Modbus TCP/IP exploit the smart grid [89].
In this context, the authors of [90] analyzed the security threats posed by MiTM attacks on the AMI and concentrated on the vulnerabilities of the Modbus TCP/IP protocol that the AMI uses for communication. Consequently, various detection methods have been developed against MiTM attacks, such as machine learning, physical unclonable function (PUF)-based authentication, and intrusion detection systems (IDS), which are presented in Table 5.
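The MiTM attack against IEC 60870-5-104 and Modbus TCP traffic described above is typically mounted on the local segment by ARP poisoning, which is also where it can be caught. The following Python block is an added example written for this review, not the detector from [87]: it packs and parses raw ARP payloads, keeps static IP-to-MAC bindings for critical assets and learned bindings for everything else, and flags replies that contradict a known binding. The addresses, MACs and the capture sequence are constructed.

```python
"""Detecting ARP-poisoning MITM on a SCADA / Modbus TCP LAN.

Added example for this review, not the detector from [87]. Uses the standard
28-byte Ethernet/IPv4 ARP payload layout; hosts, MACs and the capture are constructed.
"""
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Pack an Ethernet/IPv4 ARP payload (what a poisoning tool emits on the wire)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sha), ip_to_bytes(spa), mac_to_bytes(tha), ip_to_bytes(tpa))


def parse_arp(payload):
    """Unpack the fixed 28-byte ARP payload into a dict; reject non-Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}


class ArpPoisonDetector:
    """Flag ARP replies whose sender IP/MAC binding conflicts with a known binding.

    Critical assets (SCADA master, RTUs, gateway) get static bindings that are never
    overwritten; other hosts are learned on first sight and any later change is reported.
    """

    def __init__(self, static_bindings):
        self.static = dict(static_bindings)
        self.learned = {}
        self.alerts = []

    def inspect(self, payload):
        """Return an alert string for a conflicting reply, else None."""
        arp = parse_arp(payload)
        if arp["oper"] != ARP_REPLY:
            return None                      # requests carry no binding claim worth trusting
        ip, mac = arp["spa"], arp["sha"]
        expected = self.static.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac
            return None
        if mac != expected:
            kind = "static" if ip in self.static else "learned"
            alert = (f"ARP poisoning suspected: {ip} is {expected} ({kind}), "
                     f"reply claims {mac} to {arp['tpa']}")
            self.alerts.append(alert)
            return alert
        return None


def run_capture():
    """Constructed capture: genuine replies, then an attacker poisoning both ends of an RTU/master session."""
    master, rtu, hmi = "192.168.10.10", "192.168.10.21", "192.168.10.50"
    master_mac, rtu_mac, hmi_mac = "00:1b:1c:00:00:10", "00:1b:1c:00:00:21", "00:1b:1c:00:00:50"
    attacker_mac = "de:ad:be:ef:00:01"
    det = ArpPoisonDetector({master: master_mac, rtu: rtu_mac})   # static entries for critical assets
    frames = [
        build_arp(ARP_REPLY, rtu_mac, rtu, master_mac, master),                 # genuine reply to the master
        build_arp(ARP_REPLY, hmi_mac, hmi, master_mac, master),                 # HMI learned on first sight
        build_arp(ARP_REQUEST, master_mac, master, "00:00:00:00:00:00", rtu),   # requests are ignored
        build_arp(ARP_REPLY, attacker_mac, rtu, master_mac, master),            # attacker "is" the RTU
        build_arp(ARP_REPLY, attacker_mac, master, rtu_mac, rtu),               # attacker "is" the master
        build_arp(ARP_REPLY, attacker_mac, hmi, master_mac, master),            # attacker takes the HMI too
    ]
    return [det.inspect(frame) for frame in frames]


if __name__ == "__main__":
    for result in run_capture():
        print(result or "ok")
```

Neither Modbus/TCP nor IEC 60870-5-104 authenticates its peer, so once both ends of a session accept the attacker's MAC the attacker can read and rewrite register values or commands at will. Watching the ARP layer from a span port as above, static ARP entries on the master and RTUs, and port security on the substation switch are the practical countermeasures while the protocols themselves remain unauthenticated.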

Load Altering Attack
Load-altering attacks (LAAs) alter the power consumption of targeted loads with the goal of overloading lines. LAAs employ two techniques: direct manipulation of the load, and indirect load modification through exploitation of demand-side management, for instance by broadcasting incorrect price information to customers. Power loads must be managed cost-efficiently and protected in order to avoid circuit overloads [94]. LAAs are categorized into static load-altering attacks (SLAAs) and dynamic load-altering attacks (DLAAs). The authors of [95] demonstrated DLAAs, which have the worst impact on load variation because the attacked load is driven in closed loop. An SLAA is a one-time manipulation of the load, whereas in a DLAA the attacker modifies the amount of load over time so that it follows a certain trajectory [96]. DLAAs are more severe than SLAAs, but the attacker needs to observe the grid frequency and modify the load in response to fluctuations of that signal. Frequency-measuring sensor devices are commercially available [97] and can be deployed anywhere in a smart grid system; such devices are already in use to measure frequency-sensitive loads [95,98]. LAAs thus cause sudden and unexpected changes in the power grid, which raise the operational cost of smart grids and sometimes cause unsafe frequency trips. The under-frequency load shedding (UFLS) mechanism of the smart grid is used to cope with large-scale shutdowns; however, LAAs can still damage the power grid by causing it to partition and by disrupting the load shedding schedule [99]. Accordingly, a few detection methods against LAAs, such as observer-based detection, an adaptive fading Kalman filter (AFKF), and a model-free defense framework, are discussed in Table 6. Table 6. Methods and countermeasures to defend against LAA Attack.

Reference | Key method | Explanation
[100] | Observer-based detection | The power system is subjected to a DLAA in which two vulnerable loads are used to examine the effectiveness of the attack on the system. A robust observer is then designed to detect load-frequency anomalies through residual signal generation. The evaluation is carried out on a power system with three generators and six buses to show the feasibility of detection.
[101] | Adaptive fading Kalman filter (AFKF) | To detect DLAAs, a smart grid model is established and an adaptive fading Kalman filter (AFKF) is built to predict the state of the smart grid; the AFKF removes the Gaussian noise of the smart grid to obtain an accurate state trajectory. A detection algorithm based on the Euclidean distance ratio of the AFKF output is then presented. Amplifying an otherwise invisible DLAA through the Euclidean distance ratio improves detection sensitivity, particularly for weak DLAAs.
[102] | Model-free defense framework | A defense strategy based on a model-free technique is presented for the load frequency control (LFC) system. As an active defense (AD), the defender learns diverse LAAs and uses the learned evidence for attack attenuation. A model-free passive defense (PD) is also proposed, in which the defender tolerates a load-altering attack by improving system redundancy. Both AD and PD work effectively and are evaluated on IEEE benchmark systems.

Malicious Command Injection Attack
In power grids, phase-shifting transformers (phase shifters) are used to control the flow of electricity. Phase shifters relieve congestion on transmission lines and enforce flow regulation on the basis of contractual obligations. In an automated power grid, phase-shift commands are transmitted through the SCADA system, which makes them susceptible to stealthy cyberattacks. Phase-shift commands may be benign or malicious; malicious commands lead to severe damage, overloaded transmission lines, disconnection of power, and huge financial loss by disrupting cross-network interchange [103]. Malicious commands can be issued through SCADA disguised as legitimate ones to cause physical perturbations [104]. Another related attack, malicious tap-change commands, has also been investigated in smart grids [105]. Transformer taps are extensively used to control bus voltage in a power network, and the attacker can exploit the SCADA system, modify the measurements, and thereby hide the malicious command injection attack. In a malicious tap-change command injection attack, the attacker targets the on-load tap changers (OLTC) that are routinely adjusted to hold a set of specified voltages. Accordingly, a few detection methods against MCIA, such as the long short-term memory (LSTM) network-based method, a lightweight index algorithm, and the beat bad data detection (BBDD) method, are discussed in Table 7. Table 7. Methods and countermeasures to defend against MCI Attack.

Reference | Key method | Explanation
[106] | Long short-term memory (LSTM) network-based | For the detection of malicious code on smart meters, an LSTM network-based technique is proposed that uses the power consumption side channel of the CPU or MCU. The evaluation on real smart meters shows the efficiency of the method with an accuracy of 92%.
[105] | Lightweight index algorithm | A lightweight algorithm is proposed that can detect the occurrence of stealthy malicious tap-change commands. The algorithm is built on the intuition that false data and command attacks affect the measurement and estimation of only particular variables rather than all of them. It relies on the ratio of branch current to the voltages at the end nodes of the tap-changing transformers.
[103] | Beat bad data detection | A detection algorithm is capable of detecting anomalous phase shifts in response to cyberattacks. The algorithm is built on detection features and, in particular, includes four indices based on the branch ratio and on the injection currents to the terminals. Reference values are computed at the phase shift selection, and the discrete indices are evaluated against them.

Load Redistribution Attacks
The authors of [107] introduced load redistribution (LR) attacks, a class of state-estimation false data injection attacks (SE-FDIAs) in which the measurements of load buses and power flows are corrupted while the total power demand is left unchanged, so that the effect of the attack is a redistribution of load across the network. LR attacks cause financial loss as well as physical damage, i.e., tripping of lines or direct attacks on lines. For instance, an LR attack can corrupt the solution of the security-constrained economic dispatch (SCED) problem, which the operator uses to select the best generator dispatch and to decide load shedding. The two types of LR attacks are: (1) the immediate LR attack, which corrupts the SCED solution in order to maximize the operational cost through load shedding; and (2) the delayed LR attack, which corrupts the SCED solution so that its implementation leads to line tripping. Detection methods against LR attacks, such as a nearest-neighbor-based detection scheme, support vector models, and machine-learning-based approaches, are elaborated in Table 8. Table 8. Methods and countermeasures to defend against LR Attack.

Reference | Key method | Explanation
[108] | Nearest-neighbor-based detection scheme | To detect load redistribution attacks, a nearest-neighbor-based detection method is proposed and scaled from a small to a large system with consistently good detection performance. A sensitivity analysis and broad testing are conducted on LR attacks with random anomalous load changes. A statistical method then localizes the attack and reveals the probability that each load is under attack.
[109,110] | Machine learning based | Three machine learning algorithms, nearest neighbor, support vector machines (SVM), and replicator neural networks, are employed as anomaly detectors to detect cyberattacks that maliciously redistribute loads by altering the measurements. These anomaly detectors are tested on realistic historical datasets mapped to PJM zonal data [111]. Among the three, the nearest-neighbor algorithm worked most efficiently and reduced the computational cost. Similarly, LR attacks are detected via multi-output support vector regression (SVR), which serves as a load predictor, followed by an SVM classifier.

Coordinated Cyber Physical Topology Attacks
Coordinated cyber-physical topology (CCPT) attacks are more dangerous to smart grids than purely physical or purely cyber topology attacks. CCPT attacks combine physical topology and cyber topology attacks [69]. In a physical topology attack, the attacker trips a transmission line, whereas in a cyber topology attack the attacker misleads the control center by masking the outage signal of the tripped line in the cyber layer and generating a forged outage signal for another transmission line. The goal of the coordinated topology attack is to overload a critical line by deceiving the control center into a wrong dispatch [112,113]. Two types of unobservable cyber topology attacks are also investigated in [114]: line-maintaining and line-removing attacks. In a line-maintaining attack, the adversary modifies measurements and line status data so that a line that is no longer in the system still appears live at the control center through the SCADA information; a line-removing attack accomplishes the reverse. In both, the adversary can modify the topology data alone or both the state and the topology data. A further type, the state-preserving CCPT attack, is examined in [112]: the topology data are altered while the states of the power system remain unchanged. In [113], a more comprehensive CCPT attack is established in which both topology and states can be altered. Researchers in [115] analyzed the vulnerabilities of the smart grid system to CCPT attacks. Defensive techniques and countermeasures against coordinated topology attacks remain an open research direction.

Replay Attack
A replay attack (RA) captures legitimate messages on the (often wireless) communication network and later re-sends them while impersonating the legitimate sender, so that stale information displaces the genuine information. Because the attack relies on historical data that was once valid, it is hard for the supervisor to notice. The attack disturbs the power flow, introduces time delays, and causes frequencies to diverge. From an attacker's point of view, a replay attack can deliberately jam the system and is fully able to disrupt diverse processes [116]. The Stuxnet worm used a replay attack against the SCADA system controlling the centrifuges: previously recorded normal sensor values were replayed to the operators while the centrifuge control was modified, destroying approximately 1000 centrifuges [117]. In the literature, a method for detecting replay attacks by adding deliberate noise to the control input has been proposed, but with limited effectiveness [118]. Another study [117] chose the timing of the noise added to the control input dynamically using game theory. Accordingly, detection methods against RAs, such as a bargaining game, a support vector machine, a watermarking technique, and a proactive intrusion detection and mitigation system, are elaborated in Table 9. Table 9. Methods and countermeasures to defend against replay Attack.

Reference | Key method | Explanation
[119] | Bargaining game | Replay attacks threaten the smart grid and need to be detected early. A Kalman filter is used to formulate the fault diagnosis matrix, and noise is added to the control signal to obtain the properties required for replay attack detection. Based on a bargaining game, the amount of noise added to the control input is chosen with knowledge of both control performance and detection accuracy. Simulation validates the efficiency of the proposed method.
[120] | Support vector machine (SVM) | A data-driven approach is presented in which a classifier is trained on a labelled dataset of power-system states to distinguish replay-attack states from normal states; the SVM is used as the ML classifier. IEEE bus systems are used to evaluate the approach, and high detection accuracy is achieved.
[121] | Watermarking technique | A novel improved watermarking technique is proposed to detect active replay attacks on smart grids. The scheme uses the set-theoretic model predictive control framework to create a control input that can be securely and stably connected to the utility grid for an a priori known number of steps, as and when needed. Results indicate that the watermarking technique efficiently detects the replay attack.
[122] | Proactive intrusion detection and mitigation system (PIDMS) | PIDMS analyzes both cyber and physical data streams in parallel in order to detect intrusions and implement a proactive response. PIDMS comprises ML algorithms and a network IDS.
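The watermarking idea behind [119] and [121], and the noisy-control-input schemes of [117,118], can be shown on a scalar control loop: the operator adds a private random signal to the control input, a replayed sensor stream cannot reflect it, and the chi-square statistic of the Kalman innovation rises. The Python block below is an added example written for this review, not code from any of these papers; the plant, the feedback gain, the noise levels, the watermark variance and the attack timing are assumptions, and the detector is the standard chi-square test on the innovation.

```python
"""Physical watermarking against a replay attack on a scalar control loop.

Added example for this review, not the scheme of [121] or of the paper. Plant,
gains, noise levels, watermark variance and attack timing are assumptions; the
detector is the usual chi-square test on the Kalman innovation.
"""
import math
import random
import statistics

A, B, Q, R = 0.95, 1.0, 0.01, 0.01   # x' = A x + B u + w, y = x + v, Var(w) = Q, Var(v) = R (assumed)
L = 0.5                              # state-feedback gain; closed loop A - B*L = 0.45 (assumed)
ALARM_THRESHOLD = 2.0                # mean normalised innovation^2 is 1 under normal operation


def steady_state_kalman(a, q, r):
    """Prior variance P, innovation variance S and gain K of the steady-state filter."""
    c = r - a * a * r - q                                  # P solves P^2 + c P - q r = 0
    p = (-c + math.sqrt(c * c + 4.0 * q * r)) / 2.0
    s = p + r
    return p, s, p / s


def simulate(watermark_var, replay, seed=0, steps=1000, rec_start=200, rec_len=400,
             replay_start=600, window=300):
    """Run the loop and return the mean normalised squared innovation over the last `window` steps.

    watermark_var: variance of the i.i.d. Gaussian watermark added to u_k (0 = no watermark).
    replay: if True, the attacker records y over [rec_start, rec_start + rec_len) and from
    replay_start on feeds that recording to the operator while the real plant keeps running.
    """
    rng = random.Random(seed)
    _, s, k_gain = steady_state_kalman(A, Q, R)
    wm_std = math.sqrt(watermark_var)
    x = xhat_prior = 0.0
    recorded, stats = [], []
    for t in range(steps):
        y_true = x + rng.gauss(0.0, math.sqrt(R))
        if replay and rec_start <= t < rec_start + rec_len:
            recorded.append(y_true)                           # attacker taps the sensor link
        y_seen = recorded[(t - replay_start) % rec_len] if replay and t >= replay_start else y_true
        innov = y_seen - xhat_prior                           # what the operator's detector sees
        stats.append(innov * innov / s)
        xhat = xhat_prior + k_gain * innov
        u = -L * xhat + (rng.gauss(0.0, wm_std) if wm_std > 0 else 0.0)   # controller + watermark
        x = A * x + B * u + rng.gauss(0.0, math.sqrt(Q))      # real plant
        xhat_prior = A * xhat + B * u                         # operator's one-step prediction
    return statistics.fmean(stats[-window:])


def alarm(stat, threshold=ALARM_THRESHOLD):
    """Chi-square style decision on the windowed innovation statistic."""
    return stat > threshold


def detector_summary():
    """Statistic (and alarm) for the four cases that matter: with/without watermark, with/without replay."""
    cases = {
        "normal": simulate(0.0, replay=False),
        "watermark_no_att": simulate(0.05, replay=False),
        "replay_no_watermark": simulate(0.0, replay=True),
        "replay_with_watermark": simulate(0.05, replay=True),
    }
    return {name: (stat, alarm(stat)) for name, stat in cases.items()}


if __name__ == "__main__":
    for name, (stat, alarmed) in detector_summary().items():
        print(f"{name:22s} statistic={stat:.2f} alarm={alarmed}")
```

detector_summary() gives a statistic close to 1 for normal operation, for watermarked operation with no attack, and for a replay against an unwatermarked loop: without the watermark the replayed innovations are exactly as white as genuine ones and the test is blind. The replay against the watermarked loop pushes the statistic well above 1 (about 5 for these parameters), because the operator's prediction now carries the fresh watermark that the replayed measurements cannot contain. The price is the control-performance loss caused by the watermark, which is the trade-off the bargaining-game formulation of [119] balances.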

Malware Attacks
Cyberattacks on smart grid systems include malware attacks such as the BlackEnergy Trojan horse, Stuxnet, and the WannaCry ransomware. In December 2015, a power outage occurred in Ukraine's Ivano-Frankivsk region: the power grid was targeted by a cyberattack and 80,000 people were left without electricity. The attack was found to have been carried out using phishing email and the BlackEnergy Trojan horse [123], which can delete data, damage hard drives, and take control of systems. In [44], the authors note that defense against BlackEnergy is not fully assured, although certain precautions reduce the risk of a future attack: deploying anti-malware, updating firewall configurations, and applying security patches. Sandboxes can also offer protection by testing applications and documents; however, these solutions do not scale well to large companies. Another malware, Stuxnet [124], exploited the SCADA system. Stuxnet infected the programmable logic controllers (PLCs), which allowed it to penetrate the control system of an Iranian uranium enrichment facility; it manipulated the rotation speed of the centrifuges, which destroyed them.

Other Cyberattacks
Other kinds of cyberattacks on smart grid systems include GPS spoofing attacks, zero-dynamics attacks, and time synchronization attacks (TSAs). In [125], the authors elaborate on the TSA, which corrupts the time synchronization of measurements collected from the grid and leads to transmission line fault location errors and voltage instability. A zero-dynamics attack exploits the internal behavior of the grid system to control it maliciously while producing no change at the output: a signal is injected into the system to drive the internal state away from its nominal value in a way that is not noticeable from the observed outputs alone [126]. In a global positioning system (GPS) spoofing attack [127,128], where PMUs receive GPS signals from diverse satellites, the attack is instigated in two ways. The first is deceptive jamming, in which the attacker misleads the receiver by transmitting a fake GPS signal similar to the real one. The second is repeater jamming, in which the attacker spoofs GPS receivers by rebroadcasting genuine signals captured earlier. In [128], the authors introduced a capsule neural network (CapsNet) to detect GPS spoofing attacks. CapsNet is trained on historical measurements from the smart grid; temporal and spatial features are extracted and effectively separate malicious from normal data.

Potential Solutions for Cybersecurity in Smart Grid
In this section, potential solutions against cyberattacks to smart grids are discussed comprehensively in terms of blockchain technology and artificial intelligence (AI) techniques including machine learning (ML) and deep learning (DL).

Blockchain Based Cybersecurity Techniques in Smart Grid
Blockchain technology can be applied in smart energy systems to self-regulate, mitigate cyberattacks, and manage transactions and contracts. In traditional power systems, an attack succeeds if the attacker tampers with the meter records, replaces data packets, makes fraudulent energy trading payments, or compromises the control center. Blockchain offers countermeasures to such smart grid cyberattacks: Figure 5 shows the integration of blockchain into a smart grid so that electricity purchase bills are paid in a trustworthy and fair manner. Table 10 summarizes works in the literature that use blockchain to detect attacks for cybersecurity in smart grids, listing their objective, the type of attack, the solution, the consensus algorithm, the deployment of smart contracts (SCs), and the performance evaluation parameters.
Kumari et al. [129] presented ArMor to detect malicious activities in the AMI and smart meters (SM) using a blockchain in smart grids; integrity issues related to FDI attacks and smart meter failures are successfully detected. In [130], a decentralized system based on the Ethereum blockchain is presented to mitigate the single point of failure (SPoF) issue and DDoS attacks. The authors of [79] introduced a blockchain-based method for privacy preservation of energy exchange in smart grids, using the PBFT consensus algorithm. In [131], a decentralized scheme based on Bayesian inference is presented to detect replay attacks while preserving regional data privacy. In [132], a consensus-based method is proposed to increase the protection level of smart grid systems against cyberattacks.
Similarly, the authors of [133] exploit the blockchain to build a trustworthy environment for smart grid components, in which miners verify transactions by investing their computational resources. GarliChain [134] addresses the anonymity and privacy of clients during energy transfer in smart grids by combining garlic routing with blockchain. FeneChian [135] is a blockchain-based energy trading scheme for better management, transparency, and verifiability in the industrial IoT: all energy transfer transactions are immutable and the client's rights are protected. Reijsbergen et al. [136] designed a realistic threat model for a compromised smart grid to detect FDI attacks and provide an incentive for uploading useful data, penalizing operators whose data are found to be malicious or incomplete.

Table 10. Summary of blockchain-based cybersecurity works in smart grids.

Reference | Objective | Type of attack | Solution | Consensus | Platform | Smart contract tool | Performance evaluation parameters
[129] | To propose a data analytics scheme to identify malicious behavior in the SG system. | FDIA and SM failure | ARIMA and blockchain-based schemes to classify attacked/non-attacked, and a reward to the utility provider to deal with malicious activity. | - | Ethereum | Remix IDE | Prediction accuracy, latency, and data storage cost
[130] | To control smart meter attacks and protect smart meters from unauthorized access and DDoS attacks. | DDoS | A decentralized architecture based on the blockchain, in a distributed and trustworthy manner, to deal with DDoS attacks. | - | Ethereum | Truffle framework | Flexibility, security, and cost effectiveness
[79] | To detect network attacks and fraudulent transactions in smart grids. | Network attacks and fraudulent transactions | A blockchain-based scheme to achieve privacy with a short signature and hash function for the exchange of energy between nodes, and an RNN for attack detection. | PBFT | - | - | -
[131] | To detect coordinated replay attacks while preserving regional data privacy. | Coordinated replay attacks | Decentralized mechanism that relies on Bayesian inference with an Ethereum-based blockchain. | PoA | Geth-based | Solidity | Computational performance and accuracy
[137] | To build a mechanism protecting PMUs, which are susceptible to cyberattacks due to their reliance on GPS. | FDIAs | Consensus-based approach to improve the self-defensive capabilities of smart grids against cyberattacks. | - | - | - | Successful attack capability and probabilities
[133] | To detect the manipulation of meter measurements that causes flawed decisions in energy systems. | FDIAs | Implementation of transparent public blockchain-based SG data security. | - | - | - | Accuracy, RMSE, MAE, and F1 score
[134] | To solve the anonymity and privacy problem of consumers. | SPoF and lack of trust | Implementation of garlic routing and a consortium blockchain for privacy preservation during energy transfer in SGs. | PoA | - | - | Computational cost and path selection probability
[138] | To detect identity-based security loopholes in the smart grid. | Data manipulation and identity theft attacks | Blockchain-based identification and authentication technique to prevent identity theft and masquerading. | - | Hyperledger | - | Validation of the node in log(n)
[135] | To mitigate the cheating attack initiated by energy sellers, i.e., a seller refusing to transfer energy to a customer who has already paid. | Malicious energy purchasers | Blockchain-based energy trading scheme to assure the verifiable fairness of energy transfer. | PBFT | Ethereum, Ethereum-Wallet and Geth | - | Computational cost
[136] | To design secure SGs against FDI attacks. | FDI attack | Blockchain-based incentive method to reward operators for uploading authentic data and penalize them if data are missing or malicious. | Round robin | Hyperledger Fabric | Go language | Anomaly detection rate

Artificial Intelligence Based Cybersecurity Techniques in Smart Grids
The use of artificial intelligence (AI) techniques for providing security in the smart grid is becoming more apparent. AI techniques have the ability to improve the reliability and robustness of smart grid systems. In this section, we present the deep learning (DL)- and machine learning (ML)-based cybersecurity techniques against smart grid attacks.

Deep Learning Based Cybersecurity Techniques in Smart Grids
Deep learning models comprise complex training tools developed to provide meaningful feature extraction where conventional methods struggle because of the curse of dimensionality [139]. In the context of cybersecurity in SGs, a wide range of deep learning methods have been implemented. Figure 6 depicts a general structure of the convolutional neural network (CNN) adopted in smart grids, with two convolutional layers, two pooling layers, one hidden fully connected layer, and an output layer. Table 11 lists the deep learning algorithms, such as Recurrent Neural Networks (RNN), Artificial Neural Networks (ANN), and Deep Neural Networks (DNN), that have been implemented in the literature to detect cyberattacks against smart grids. The authors of [69] presented a Kalman filter and recurrent neural network (KFRNN)-based technique to detect FDIA, in which a dynamic threshold is measured to detect the attack. In [140], a detection technique against FDIA is presented that takes as input the input and output signals of a power-to-gas (PtG) and gas-fired generation (GfG) facility scheduler; a hybrid neural network is implemented to detect FDIA without labeling the training data. Similarly, the authors of [141] detected cyberattacks on the IEC 61850 communication protocols by implementing deep learning techniques. Yao et al. [142] introduced an energy theft detection framework that also preserves the privacy of energy data in the smart grid, based on a CNN and the Paillier algorithm. In [143], the authors presented an intrusion detection system (IDS) for IEEE 1815.1-based power systems: a bidirectional RNN-based deep learning algorithm is employed to detect anomalies, and the presented technique is verified by testing various attacks, i.e., malware, FDI, and disabling reassembly (DR) attacks.
Siniosoglou et al. [144] introduced an IDS named MENSA (anoMaly dEtection aNd claSsificAtion), based on the GAN architecture, to detect anomalies and classify Modbus and Distributed Network Protocol 3 (DNP3) attacks. He et al. [145] proposed a DL-based neural network model to detect FDI attacks that bypass state estimation and cause congestion of transmission lines in the SG. In addition, the researchers of [146] exploited an ensemble-based DL method to identify false readings: several DL models are trained on samples derived from a sliding window over the readings, and the best model is used in the ensemble-based detector to identify the false readings. Moreover, the researchers of [147] introduced a DNN-based classification method for energy theft detection in smart grids; its hyperparameters are optimized through a Bayesian optimizer, improving the performance of energy theft detection.
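The Kalman-filter-based detector of [69] rests on one idea that is worth seeing in code: the filter predicts the next reading, and the gap between prediction and observation (the innovation) is compared against a threshold that adapts to the filter's own uncertainty. The following Python block is an added illustration written for this review, not code from the paper or from [69]; it drops the RNN part and uses only a scalar random-walk Kalman filter on one constructed meter series, so the load curve, the noise levels, and the injected +8 kW offset are all assumptions.

```python
"""Innovation test with a dynamic threshold for spotting injected readings.

Added example, not code from the reviewed paper or from [69]: that work pairs
a Kalman filter with an RNN, whereas this block keeps only a scalar Kalman
filter and its innovation-based dynamic threshold. The load curve, noise
levels and injected offset are constructed assumptions.
"""
import math
import random


def kalman_innovation_detector(readings, q=0.05, r=0.25, k_sigma=4.0):
    """Track a single meter with a random-walk Kalman filter and flag every
    sample whose innovation (reading minus prediction) exceeds k_sigma times
    the predicted innovation standard deviation.

    q: process-noise variance (how fast the true load may move per step)
    r: measurement-noise variance of the meter
    Returns a list of (index, reading, innovation, threshold) for flagged samples.
    """
    x = readings[0]      # filtered state estimate
    p = 1.0              # estimate variance (large: the first sample is uncertain)
    flagged = []
    for i in range(1, len(readings)):
        z = readings[i]
        p_pred = p + q                       # predict step (state unchanged)
        innovation = z - x
        s = p_pred + r                       # predicted innovation variance
        threshold = k_sigma * math.sqrt(s)   # dynamic threshold
        if abs(innovation) > threshold:
            flagged.append((i, z, innovation, threshold))
            p = p_pred   # keep the estimate, let the uncertainty grow
            continue
        gain = p_pred / s                    # update step
        x += gain * innovation
        p = (1.0 - gain) * p_pred
    return flagged


def constructed_readings(seed=3):
    """Constructed 15-minute load readings (kW) for one day: a smooth daily
    curve with small meter noise, plus +8 kW injected at samples 60-64."""
    rng = random.Random(seed)
    attacked = list(range(60, 65))
    readings = []
    for i in range(96):
        true_load = 20.0 + 5.0 * math.sin(2 * math.pi * i / 96)
        z = true_load + rng.gauss(0.0, 0.3)
        if i in attacked:
            z += 8.0
        readings.append(z)
    return readings, attacked


if __name__ == "__main__":
    readings, attacked = constructed_readings()
    for i, z, nu, thr in kalman_innovation_detector(readings):
        print(f"sample {i}: reading {z:.2f}, innovation {nu:+.2f} > threshold {thr:.2f}")
```

The detector refuses to update its state on a flagged sample, so a sustained injection keeps raising alarms instead of being absorbed into the estimate; the price is that a genuine step change in load is also flagged until the growing variance widens the threshold, which is where a learned model of the load dynamics comes in.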

Machine Learning-Based Cybersecurity Techniques in Smart Grids
Machine learning (ML)-based techniques are implemented in smart grids to provide detection of and mitigation against cybersecurity attacks. The authors of [148] also implemented ML techniques to forecast electricity prices; here, however, we analyze the ML techniques applied to detect cyberattacks on smart meters, which cause huge electricity costs. In Figure 7, we present the general framework adopted in the smart grid. ML starts with the pre-processing of the dataset; then, features are extracted through Principal Component Analysis (PCA), kernel principal component analysis (KPCA), Joint Mutual Information Maximization (JMIM), etc. After the extraction and selection of features, the ML algorithms are applied and model training starts; finally, the results are obtained from the trained ML model. In Table 12, a summary of the ML algorithms applied in smart grids to detect cybersecurity attacks is given. Ashrafuzzaman et al. [149] presented a machine learning-based technique to detect FDI attacks on state estimation; ensemble learning is implemented with supervised and unsupervised classifiers to minimize the effect of dimensionality reduction. In [150], the authors analyzed the difference between a physical grid change and a data manipulation change. The historical data are analyzed under concept drift with data distribution changes and computed through PCA; lastly, the K-NN algorithm is applied to show the effectiveness of the presented scheme, which achieved the highest accuracy. Furthermore, the researchers of [151] proposed the extremely randomized trees (ERT) algorithm with kernel principal component analysis (KPCA) to detect stealthy cyberattacks. In [63], the authors employed SVMLDT to detect anomalies in the smart grid; moreover, an adaptive load rejection scheme is implemented to mitigate DoS attacks, and remedial strategies are adopted accordingly in under-attack situations.
Another anomaly detection and mitigation framework [152] is proposed considering multiple data integrity attacks, i.e., pulse, ramp, replay-trip, and replay attacks. ML algorithms such as KNN and DT are applied for attack classification and show an accuracy of 96.5%. Similarly, in [153], a cyber-physical anomaly detection system (CPADS) is introduced to detect communication failures and data integrity attacks; the DT algorithm is applied with variational mode decomposition (VMD) to build a classification model, and CPADS is evaluated on the standard IEEE 39-bus system. In addition, the researchers of [154,155] detected FDI attacks based on ensemble and extreme learning machines. In [154], optimized feature sets are extracted to label the behavior of FDIA, and a focal-loss-LightGBM (FLGB) ensemble classifier is developed to detect FDIA automatically. To improve the performance of extreme learning machines (ELMs), a Gaussian random distribution is deployed to initialize the weights [155]. In [156], a hierarchical clustering method is proposed to detect FDI and DoS attacks, which interrupt the state estimation process; the DT algorithm is implemented to remove the threat, and Kalman filters are used to provide a speedy and accurate process. Likewise, the authors of [157] detected FDI attacks based on ML methods such as visualization, classification, and clustering.
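The general ML framework of Figure 7 (pre-processing, PCA-based feature extraction, then a classifier such as the K-NN used in [150]) can be written down end to end in a few dozen lines. The following Python block is an added example, not code from the reviewed paper or from [150]; it fits a z-score scaler and a two-component PCA on clean historical readings, uses the PC scores plus the residual outside the PCA subspace as features, and classifies test samples with K-NN. The eight-meter load profile, the +4 to +8 kW manipulation of two meters, the seed, and the hyperparameters are constructed assumptions.

```python
"""PCA + k-NN pipeline for flagging manipulated smart-meter readings.

Added example, not code from the reviewed paper or from [150]. It follows the
generic ML pipeline described above (pre-processing, PCA feature extraction,
k-NN classification) in pure Python. The meter profile, attack magnitudes,
seed and hyperparameters are assumptions; all readings are constructed.
"""
import math
import random

N_METERS = 8
BASE_LOAD = [10.0, 12.0, 8.0, 15.0, 9.0, 11.0, 14.0, 7.0]  # constructed kW profile


def make_dataset(n_normal, n_attacked, rng):
    """Constructed samples: every meter follows a common load factor (normal
    behaviour); attacked samples additionally inflate two meters by 4-8 kW,
    which breaks the correlation structure between meters."""
    samples = []
    for i in range(n_normal + n_attacked):
        factor = rng.uniform(0.8, 1.2)
        x = [b * factor + rng.gauss(0.0, 0.3) for b in BASE_LOAD]
        label = 1 if i >= n_normal else 0
        if label:
            for m in rng.sample(range(N_METERS), 2):
                x[m] += rng.uniform(4.0, 8.0)
        samples.append((x, label))
    rng.shuffle(samples)
    return samples


def fit_scaler(xs):
    """Pre-processing: per-meter mean and std for z-score normalisation."""
    n = len(xs)
    mean = [sum(x[j] for x in xs) / n for j in range(N_METERS)]
    std = [math.sqrt(sum((x[j] - mean[j]) ** 2 for x in xs) / n) or 1.0
           for j in range(N_METERS)]
    return mean, std


def scale(x, scaler):
    mean, std = scaler
    return [(x[j] - mean[j]) / std[j] for j in range(N_METERS)]


def fit_pca(zs, n_components=2, iters=300):
    """Top principal directions of standardised data by power iteration with
    deflation. Fitted on clean historical samples only, so the subspace
    models normal behaviour."""
    n = len(zs)
    cov = [[sum(z[a] * z[b] for z in zs) / n for b in range(N_METERS)]
           for a in range(N_METERS)]
    comps = []
    for _ in range(n_components):
        v = [math.sin(a + 1.0) for a in range(N_METERS)]  # generic start vector
        for _ in range(iters):
            w = [sum(cov[a][b] * v[b] for b in range(N_METERS)) for a in range(N_METERS)]
            norm = math.sqrt(sum(c * c for c in w)) or 1.0
            v = [c / norm for c in w]
        lam = sum(v[a] * cov[a][b] * v[b] for a in range(N_METERS) for b in range(N_METERS))
        comps.append(v)
        for a in range(N_METERS):           # deflate the component just found
            for b in range(N_METERS):
                cov[a][b] -= lam * v[a] * v[b]
    return comps


def features(z, comps):
    """PC scores plus the norm of what the normal subspace cannot explain."""
    scores = [sum(z[a] * c[a] for a in range(N_METERS)) for c in comps]
    recon = [sum(s * c[a] for s, c in zip(scores, comps)) for a in range(N_METERS)]
    resid = math.sqrt(sum((z[a] - recon[a]) ** 2 for a in range(N_METERS)))
    return scores + [resid]


def knn_predict(train_feats, f, k=5):
    """Majority vote among the k nearest training samples (Euclidean)."""
    nearest = sorted((math.dist(f, g), y) for g, y in train_feats)[:k]
    return 1 if sum(y for _, y in nearest) * 2 > k else 0


def run_pipeline(seed=1, k=5):
    """Train on 80 normal + 80 attacked samples, return accuracy on 40 + 40."""
    rng = random.Random(seed)
    train = make_dataset(80, 80, rng)
    test = make_dataset(40, 40, rng)
    normal_train = [x for x, y in train if y == 0]
    scaler = fit_scaler(normal_train)
    comps = fit_pca([scale(x, scaler) for x in normal_train])
    train_feats = [(features(scale(x, scaler), comps), y) for x, y in train]
    correct = sum(knn_predict(train_feats, features(scale(x, scaler), comps), k) == y
                  for x, y in test)
    return correct / len(test)


if __name__ == "__main__":
    print(f"test accuracy: {run_pipeline():.3f}")
```

Fitting the PCA on clean history only is what makes the residual feature informative: readings that respect the normal correlation between meters fall inside the learned subspace, while a manipulation of individual meters leaves a residual that no combination of the principal components can explain. The classifier still only learns the attack shapes present in its training data, a closed-world limitation that unsupervised detectors, such as those combined with supervised classifiers in [149], do not share.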

Emerging Technologies and Future Research Directions
From the discussion in the preceding parts of this paper, smart grids are vulnerable to cyberattacks. Similarly, some papers have discussed the safety and associated vulnerabilities of smart grids. As a result, security and privacy can be enforced by introducing a wide range of tools and technologies. To improve the security measures of smart grids, it is recommended to analyze cyberattacks in terms of their dynamic nature, attack mechanism, and the key factors of cyberattacks on smart grids. This analysis supports the discovery of new types of attacks and vulnerabilities, which can ultimately strengthen smart grids toward a more resilient and robust system. In this section, we discuss various future research directions and opportunities for obtaining advanced secure smart grid systems.

• Communication infrastructure in smart grid security: The network and communication model should be strengthened through advanced security measures imposed during the data collection and interchange phases. Furthermore, vendors should follow the standards when deploying distribution devices in the communication phase to avoid interoperability issues. Consequently, providers/vendors can release their protocols as open source so that other vendors can participate in the existing code and follow the same standard while manufacturing their own security tools. Being open source, bug fixes and security vulnerability checks can also be easily verified and corrected, as the community takes part in the development and testing process. As a result of this collaboration, the security product will support the implementation of security tools by default in the communication network of the smart grid, which will ultimately enforce the standard security policies on all devices participating in the grid communication network.

• High-level security algorithms to detect attacks: Implementing more enhanced security mechanisms requires extra effort on higher-level algorithms or data structures. The current state estimator algorithms cannot identify improper/defective data using the existing detection techniques in the presence of FDIAs; therefore, high-level security data structures and algorithms are needed. For instance, if, apart from the existing bad data detection steps, the SCADA system contained other security modules used solely to diagnose the false positive rate with the help of new regulation, security breaches by attackers would be harder. Consequently, additional work is required to enrich the impact analysis of FDIA on the distribution and use side, respectively. Apart from transmission systems, the distribution end can also be affected by false meter readings and fake topology information. Similarly, the meters installed at user premises that transmit user consumption measurements can also be hacked and manipulated. As a result, the security measures for load management and demand-side management should be keenly focused on in the future.

• Federated learning in smart grids: Currently, federated learning (FL) is appealing as a privacy-preserving paradigm, as it trains AI models collaboratively across the participating devices. The privacy of each device is protected by keeping model training local, in contrast with centralized ML, where raw data are sent to the main server [158]. FL applications for the smart grid include electric load forecasting, energy demand prediction, and data privacy of a large power system. In addition, federated learning has been successfully implemented in various fields, i.e., health care, smart cities, transportation, finance, visual object detection, next-word prediction, and so on. Similarly, in [159] the authors applied FL to share the private energy data of users in the smart grid to achieve privacy and efficient communication. However, FL also faces challenges and is prone to the cybersecurity attacks mentioned by various researchers [160,161]. Before FL is implemented in the smart grid, robust security measures need to be considered in the future.

• Blockchain technology for securing smart grids: As blockchain technology is still immature, case-by-case analysis of regulatory frameworks in terms of security is necessary. The electricity flowing through the wires to a home looks the same whether it came from burning coal or from a solar array; therefore, authenticating and tracing the energy source is a huge challenge. The embedded security features of blockchain technology can be merged with smart grids to enforce efficient and secure power transmission and management. As blockchain technology implements security using public/private key encryption with key-based access, anyone who tries to breach the system would face authentication through a secure credential system before accessing the system's operational resources over the network. Consequently, blockchain technology is an essential approach for making the power grid safe, provided the access keys are kept secure. Overall, to prevent malicious attacks and make hacking more difficult for intruders, secure and efficient smart cities must be used as the backbone. Furthermore, blockchain features such as immutability and decentralization of data lead to permanent storage; hence, one must be careful when implementing smart contracts, as any malfunction or misconduct remains observable within the system [162].

• Big data integration in smart grids: The big data (BD) collected from smart grids is key information that could be extensively beneficial for different smart grid applications, such as load profiling and demand response. However, a security vulnerability in decision-making techniques may let an unauthorized party gain full access to a customer's data. On the other hand, a secure approach to decision making can provide enormous satisfaction to all stakeholders, i.e., utility providers and consumers. The prospective research on big data in smart grids is diverse: big data supports various solutions for the directional flow of data/information and for analyzing and processing that information. Similarly, with big data solutions, demand-side management has become a crucial activity for managing the stakeholders in power systems. As a result, the learned behaviors of consumer actions and power consumption can greatly help demand response activities on the customers' end, which is also known as consumer behavior prediction.

• Smart grid security with AI and 5G: Major changes have been brought to smart grids through the latest technologies introduced by AI and 5G. Indeed, 5G and B5G (Beyond 5G) technology would be a powerful tool to provide high-speed and reliable communication for real-time grid monitoring via the Internet of Things (IoT). However, with the advent of this technology, new challenges lie ahead [163]. AI and machine learning algorithms are promising options for intelligently operating the network with reliability, network efficiency, and robustness goals, and can meet the Quality of Service (QoS) demands as expected. Enriched historical data are required to train the model in order to ensure its accuracy and mitigate the over/under-fitting issues of AI models in the smart grid. Furthermore, it should be guaranteed that the decisions of AI models are controlled to align with the cybersecurity constraints of power systems.

• Cyber resilience of the smart grid SoS: The entire smart grid network is considered a system of systems (SoS) that integrates legacy and new systems and produces new goals beyond the distinct systems' competencies. Any breakdown occurring in a smart grid subsystem will have an impact on the entire smart grid system of systems. The implementation of a secure smart grid system of systems is now essential and a high research priority. To address this challenge, an extended Bayesian model can be developed in the future, utilizing analysis techniques, i.e., information theory, to improve the overall resilience of the smart grid system. Furthermore, a time-dependent dynamic Bayesian model can be integrated to observe the system performance and the uniformity of the model with the passage of time [164].

Conclusions
Cyber threats targeting smart grid security are a critical issue, and smart grids face several challenges from a multitude of attacks. In this paper, the smart grid threats covered two core domains: the intrinsic vulnerability of the system and the external cyberattacks. Smart grid vulnerabilities are elaborated in all aspects, including their components; data management, services, and applications; running environment; and evolving and complex smart grid vulnerabilities. Furthermore, we included a global review of cyberattack incidents witnessed against smart grids between 2010 and July 2022 with diverse characteristics such as attack location, range, type of attack, and consequences. The in-depth thematic taxonomy of cyberattacks on smart grids is investigated, with state-of-the-art approaches presented together with their attack strategy, consequences, and detection methods. Furthermore, potential solutions for cyberattacks on smart grids are discussed expansively in terms of blockchain technology and artificial intelligence (AI) techniques. Although the aforementioned solutions effectively detect cyberattacks on smart grids, a number of challenges, particularly fake topology information, identification of defective data, security vulnerabilities, integration of big data, blockchain, and so on, still endure. Therefore, from the perspective of emerging technologies, future research directions are provided for the robust cybersecurity of smart grids against sophisticated cyberattacks, as new attack tactics are endlessly exposed.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript: