Robust Load Frequency Control in Cyber-Vulnerable Smart Grids with Renewable Integration

Abstract

Frequency regulation (FR) constitutes a fundamental aspect of power system stability, particularly in the context of the growing integration of intermittent renewable energy sources (RES) and electric vehicles (EVs). The load frequency control (LFC) mechanism, essential for achieving FR, is increasingly reliant on communication infrastructures that are inherently vulnerable to cyber threats. Cyberattacks targeting these communication links can severely compromise coordination among smart grid components, resulting in erroneous control actions that jeopardize the security and stability of the power system. In light of these concerns, this study proposes a cyber-physical LFC framework incorporating a fuzzy linear active disturbance rejection controller (F-LADRC), wherein the controller parameters are systematically optimized using the quasi-opposition-based reptile search algorithm (QORSA). Furthermore, the proposed approach integrates a comprehensive cyberattack detection and prevention scheme, employing Haar wavelet transforms for anomaly detection and long short-term memory (LSTM) networks for predictive mitigation. The effectiveness of the proposed methodology is validated through simulations conducted on a restructured power system integrating RES and EVs, as well as a modified IEEE 39-bus test system. The simulation outcomes substantiate the capability of the proposed framework to deliver robust and resilient frequency regulation, maintaining system frequency and tie-line power fluctuations within nominal operational thresholds, even under adverse cyberattack scenarios.

1. Introduction

The evolution of the modern power grid into a smart grid framework has been driven largely by the increasing integration of renewable energy sources (RES) and electric vehicles (EVs) [1,2]. These advancements offer significant benefits in terms of sustainability and energy efficiency but also introduce unprecedented challenges in maintaining grid stability. Among the critical tasks in smart grid operations, load frequency control (LFC) plays a central role by ensuring that the balance between power generation and consumption is dynamically preserved, thus maintaining system frequency within acceptable limits [3,4,5]. The integration of EVs, especially through vehicle-to-grid (V2G) technologies, further enhances frequency regulation capabilities by allowing bidirectional power flows that can respond flexibly to grid demands [6]. However, the stochastic nature of renewable generation and the unpredictable load behavior introduced by widespread EV adoption create complex control challenges that demand advanced, adaptive solutions.

Parallel to these operational challenges, the reliance of smart grids on cyber-physical infrastructures has introduced significant cybersecurity vulnerabilities. Communication systems that link sensors, controllers, and control centers are particularly susceptible to cyberattacks such as false data injection (FDI) attacks [7]. FDI attacks corrupt the authenticity of transmitted measurements, leading to incorrect control actions that severely impair the frequency regulation mechanism, threatening the secure and reliable operation of the smart grid [8].

Although numerous strategies have been proposed to detect and mitigate cyberattacks in traditional grid setups—including observer-based methods [9], resilient control schemes [10], and deep learning models [11,12]—most of these efforts focus on isolated attack types and are rarely evaluated under the complex dynamics introduced by RES and EV integration. Notably, the majority of previous studies have concentrated on conventional power systems [13], often overlooking the specific vulnerabilities and dynamic behaviors of smart grids enriched with renewable sources and V2G infrastructure.

To address these gaps, this work presents a novel approach for cyberattack detection and mitigation in smart grids, specifically targeting FDI attacks under realistic networked smart grid (NSG) scenarios. We employ a wavelet transform—long short-term memory (WT-LSTM)-based technique to enhance the detection and prediction of malicious impacts on the area control error (ACE) signal—a key indicator of frequency deviations. Unlike conventional detection methods that mainly utilize spatial information from single time instances, our approach captures temporal correlations across multiple system states by leveraging wavelet singular entropy (WSE) features. Moreover, the LSTM-based model predicts the system’s healthy behavior during attack phases, enabling more robust mitigation. The WT-LSTM framework is broadly adaptable to other cyber-physical systems (CPS) such as the following:

• water distribution systems (e.g., SCADA-based flow control);
• natural gas pipelines (e.g., pressure and flow regulation);
• district heating or HVAC networks.

These systems, like power grids, exhibit

• spatiotemporal dependencies (pressure, flow, demand over time);
• vulnerabilities to FDI, DoS, replay attacks;
• telemetry data suitable for wavelet decomposition and forecasting.

To facilitate real-world adoption of frameworks like WT-LSTM in critical infrastructure, the following regulatory/policy shifts are essential:

• Standards and Certification: Update NERC CIP and IEC 61850 standards [14] to recognize AI/ML-based intrusion detection systems (IDS) alongside traditional rule-based FDD. Establish benchmarks and certification bodies for AI-based anomaly detection tools to ensure reliability and explainability.
• Cybersecurity Incentives: Encourage utility participation through regulatory sandboxes where new detection technologies can be piloted without financial or compliance risks. Introduce financial incentives or tax credits for adopting certified AI-driven cybersecurity tools.
• Data-Sharing Policies: Enable secure, anonymized telemetry sharing across utilities to improve the training of generalized AI models while preserving privacy and compliance. Mandate event logging and incident sharing (e.g. DOE Cybersecurity Risk Information Sharing Program—CRISP) to build resilient AI threat models.
• Interoperability Requirements: Ensure detection frameworks can integrate with existing energy management systems (EMS), SCADA platforms, and digital twins through open APIs or OPC-UA/MQTT protocols.

This paper extends prior work by assessing the combined effects of cyberattacks in a modified IEEE 39-bus system testbed integrated with solar and wind generation. To the best of our knowledge, this is the first attempt to deploy a WT-LSTM framework for defending the load frequency regulation system of an NSG against FDI attacks, thereby significantly improving the system’s resilience against evolving cyber threats.

This paper offers the following key contributions:

• A fuzzy rule-based LADRC (F-LADRC) scheme is proposed for frequency regulation (FR) under stochastic load conditions, with controller parameters optimized using the quasi-opposition-based reptile search algorithm (QORSA).
• A modified IEEE 39-bus system incorporating renewable energy and electric vehicles is developed to simulate and analyze the impact of cyberattacks.
• A novel cyberattack detection and mitigation framework is introduced, combining wavelet transform (WT) for feature extraction and long short-term memory (LSTM) networks for predictive analysis, targeting false data injection (FDI) and time delay attacks (TDA).

The paper is structured as follows: Section 2 details the problem formulation; Section 3 describes the control strategy; Section 4 discusses the cyberattack detection and mitigation model; Section 5 presents the experimental results; and Section 6 concludes the study.

2. Problem Formulation

2.1. Frequency Regulation in Smart Grids

A modified IEEE 39-bus system is considered as the proposed testbed for analysis. The testbed is regarded as a three-area system, as shown in Figure 1, while a single line diagram of the same is depicted in Figure 2. The installed capacity of the power system $\left(\tilde{A}\in {\tilde{a}}_1,{\tilde{a}}_2,{\tilde{a}}_3;{\tilde{a}}_1:area-1,{\tilde{a}}_2:area-2,{\tilde{a}}_3:area-3\right)$ is ${\tilde{a}}_{1,cap}={\tilde{a}}_{2,cap}=1750$ MW and ${\tilde{a}}_{3,cap}=2000$ MW, where ${\tilde{a}}_{i,cap}$ is the capacity of the ith control area. Electric vehicles (EV) as energy storage devices (ESD) and thermal generators with governor dead band (GDB) (Fourier coefficients $N_1=0.8,N_2={\displaystyle \raisebox{1ex}{$-0.2$}\!\left/ \!\raisebox{-1ex}{$\pi $}\right.}\left.\right)$ and a generator rate constraint (GRC = 3% per minute) are connected in each area. Additionally, ${\tilde{a}}_1$ includes a solar PV (SPV) farm, while ${\tilde{a}}_3$ contains a wind farm. The linearized LFC model of the NSG system [11] is shown in (1).

$$\left\{\begin{array}{c}\stackrel{.}{x}(t)=Ax\left(t\right)+Bu\left(t\right)+Dd\left(t\right)+w\left(t\right)\\ y\left(t\right)=Cx\left(t\right)+v\left(t\right)\end{array}\right.$$

(1)

$$\begin{array}{l}A=\left[\begin{array}{ccccc}0& {\displaystyle \frac{1}{2H_{ti}}}& 0& {\displaystyle \frac{1}{2H_{ti}}}& {\displaystyle \frac{1}{2H_{ti}}}\\ 0& {\displaystyle \frac{-1}{2T_{WTGi}}}& {\displaystyle \frac{1}{T_{WTGi}}}& 0& 0\\ {\displaystyle \frac{-1}{R{T}_g}}& 0& {\displaystyle \frac{-1}{T_g}}& 0& 0\\ 0& 0& 0& {\displaystyle \frac{-1}{T_{EVi}}}& 0\\ 0& 0& 0& 0& {\displaystyle \frac{-1}{T_{SPVii}}}\end{array}\right]\\ B=\left[\begin{array}{ccc}0& 0& 0\\ 0& 0& 0\\ {\displaystyle \frac{1}{T_{gi}}}& 0& 0\\ 0& {\displaystyle \frac{1}{T_{EVi}}}& 0\\ 0& 0& {\displaystyle \frac{1}{T_{SPVi}}}\end{array}\right]\\ C=\left[\begin{array}{ccccc}1& 0& 0& 0& 0\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\end{array}\right]\\ D={\left[\begin{array}{ccccc}{\displaystyle \frac{-1}{2H_t}}& 0& 0& 0& 0\\ 0& 0& 0& {\displaystyle \frac{-1}{T_{EV1}}}& 0\end{array}\right]}^T\end{array}$$

(2)

$$x\left(t\right)={\left[\begin{array}{ccccc}\Delta f_i& \Delta P_{WTGi}& \Delta X_{Gi}& \Delta P_{EVi}& \Delta P_{SPVi}\end{array}\right]}^T$$

(3)

$$u={\left[\begin{array}{ccc}0& \Delta u_{EVi}& 0\end{array}\right]}^T$$

(4)

$$d={\left[\begin{array}{cc}{d}_1& d_2\end{array}\right]}^T$$

(5)

In the microgrid system, the state vector x(t) represents various parameters, including frequency deviation Δf, the output power of the WTG as ΔP_WTG, the incremental valve position of the governor ΔX_G, and the output powers of the EV and SPV as ΔP_EV and ΔP_SPV, respectively. Additionally, the microgrid input control u(t) and disturbance signal d(t) = [d₁(t) d₂(t)] play vital roles. The disturbance signal includes wind power perturbation ΔP_WTG and solar power fluctuation ΔP_SPV. The control output signal is denoted as y(t). The equivalent inertia of the NSG is represented as 2H_t, and the equivalent EV dynamics are modeled using time constant T_EV, with control inputs Δu_EV subjected to mechanical limits such as power ramp rate δ_e, power increment μ_e, and controllable energy limits E_max and E_min.

Table 1. IEEE 39-bus parameters.

Parameter	Symbol	Value
Governor constant	Tg1, Tg2, Tg3	0.15, 0.10, 0.10
Turbine constant	Tt1, Tt2, Tt3	0.30, 0.30, 0.30
Droop constant	R1, R2, R3	0.05, 0.05, 0.05
Frequency bias factor	B1, B2, B3	30, 28, 34
Inertia constant	M1, M2, M3	35.8, 26.4, 34.5
Damping coefficient	D1, D2, D3	10, 8, 14
Area capacity factor	a12, a23, a31	1.33, 1.00, 0.75

and Appendix A provide the relevant NSG parameters. A detailed explanation of the NSG control structure is discussed in the next section.

2.2. Cyberattack Approaches Employed in the Smart Grid LFC System

Due to the secondary LFC layer’s greater vulnerability than the primary LFC layer, cyberattacks frequently try to insert misleading data into the communication channel. The state-space equations that take into account cyberattacks and time-varying delays are then developed. The LFC system aims for no variation in the area control error (ACE) and frequency.

(i)

FDIA Model

By misrepresenting the dynamic state estimation or deceiving the power system operators, an FDIA can jeopardize the power systems’ efficient and safe functioning. FDIAs have drawn particular attention recently because they can bypass the established faulty data detection (FDD) method. In this article, stealthy and scaling FDIA attacks have been considered.

(a)

Stealthy FDIA model: Originally put forth in [15], and according to the literature, FDIA targeting state estimation can bypass conventional FDD thanks to the following theorem.

Theorem 1. 

Define x as the measurement vector that can pass the BDD. The measurement vector under FDIA is x_a = x + a. When a_n is a linear combination of the Jacobi matrix J, that is, a = J_c, the x_a can also avoid the FDD. Traditional FDD detects erroneous data by using threshold values. When the residue res is less than the specified threshold value, the power system operators believe there are no attacks. Even with FDIA, the res will not change in this situation because as per (6).

$$re{s}_a={‖x_a-J{z}_a‖}_2={‖x+a-J(z+c)‖}_2={‖x-Jz‖}_2=res$$

(6)

It is important to note that the stated threshold value is determined by the power system’s structure and parameters, which can be depicted by the linear and nonlinear constraints shown in (7) and (8).

$${\left[\begin{array}{cccc}P& Q& p& q\end{array}\right]}^T=J{\left[\begin{array}{cc}V& \theta \end{array}\right]}^T$$

(7)

$$\left\{\begin{array}{c}\underset{¯}{P}\le P\le \overline{P}\\ -\overline{p}\le p\le \overline{p}\\ -\overline{q}\le q\le \overline{q}\end{array}\right\}$$

(8)

According to the literature [16], attackers can conduct a stealthy FDIA using fractional power system information. The FDIA only targets a certain attacking location. This reduces the expense and difficulty of a cyberattack and makes it easier to carry out. Algorithm I can generate an FDIA for a power system after obtaining the system’s partial structure and characteristics (e.g., bus voltage, upper and lower limits).

Attackers provide an attack vector $\left[\begin{array}{cc}{V}_a& {\theta }_a\end{array}\right]$ by limiting the power flow and alarm threshold. The attacked frequency deviation $\Delta f_a$ is calculated by taking the derivative of the input phase angle $\Delta {\theta }_a$ in relation to a synchronous phasor rotating at the nominal frequency. The attacking tie-line power deviation $\Delta P_{tie-a}$ is calculated as follows (9):

$$\Delta P_{tie-a}=\left[\begin{array}{cc}{\displaystyle \frac{\partial p}{\partial V}}& {\displaystyle \frac{\partial p}{\partial \theta }}\end{array}\right]{\left[\begin{array}{cc}{V}_a& {\theta }_a\end{array}\right]}^T.$$

(9)

(b)

Scaling attack FDIA model: The model entails the process of multiplying real measurements by a constant, causing them to increase or decrease, depending on the scaling attack parameter. The three possible assault targets for scaling and exogenous events, together with their ACE formulations, are shown below.

• Assault on the frequency measurement data of the kth area may be described as (10).

  $$AC{E}_k^{*}(t)=AC{E}_k(t)+(1+\chi )\Delta f_k(t)$$

  (10)
• Assault on the tie-line measurement data between kth and lth areas may be described as (11).

  $$AC{E}_k^{*}(t)=AC{E}_k(t)+(1+\chi )\Delta P_{tiek,l}(t)$$

  (11)
• Assault on ACE measurement data may be described as (12)

$$AC{E}_k^{*}(t)=(1+\chi )AC{E}_k(t)$$

(12)

where $AC{E}_k(t)$ is the ACE data before attack, $\chi \in \left[0,\infty \right]$ is the scaling factor and $AC{E}^{*}{}_k(t)$ is the actual/attacked ACE.

The assumption that attackers possess knowledge of partial system parameters—such as the Jacobian matrix—is indeed critical to the feasibility of stealthy FDIA, and its realism depends on the security posture of the specific power system in question.

In practice, while complete knowledge of system parameters may be challenging for attackers to obtain, partial or approximate knowledge is increasingly plausible due to the following:

• Publicly available data: many utilities and independent system operators (ISOs) publish planning and operational data (e.g., one-line diagrams, base load/generation profiles, system operating conditions) that can be exploited by sophisticated attackers to estimate system topology or parameters.
• Insider threats: employees or contractors with legitimate access to SCADA or EMS systems may inadvertently or maliciously leak sensitive information such as Jacobian structures or model parameters.
• Reconnaissance and machine learning: attackers can perform probing attacks and use system responses to learn the Jacobian structure over time using statistical or machine learning techniques.
• Prior research: this assumption is consistent with the prevailing literature on stealthy FDIAs, such as in subsequent studies, where even partial or estimated Jacobian information can be sufficient to bypass conventional bad data detection (BDD) mechanisms.

3. Design Methodology of the Proposed Adaptive Fuzzy-LADR Controller

The LADRC is a model-based controller that generates the control signal using a linearized model of the system. The controller includes a disturbance observer, which estimates the impacts of disturbances, and a compensator, which cancels these disturbances [17]. By continually updating the disturbance estimate and changing the control signal, the LADRC can provide resilient performance even in the face of disturbances and model errors. It provides rapid and precise reactions to disturbances as well as disturbance rejection even in the face of nonlinearities, uncertainties, and measurement noise [18]. The LADRC is a compelling alternative to classic load frequency controllers, providing superior performance and resilience for modern power systems.

3.1. Proposed Control Strategy

Consider the following typical second-order system (13):

$$\ddot{c}=bu+f(\dot{c},c,d)$$

(13)

where u is the regulatory input, b is process specification, f is net interference, and d is external disturbance. LADRC offers a substantial advantage in that the interruption does not need to be statistically modeled. As a result, if system modeling is not possible, the disruption can also be denied. The state-space equation of the second-order system described in (14) is as follows:

$$\left\{\begin{array}{c}{\dot{x}}_1=x_2\\ {\dot{x}}_2=b_{0}u+x_3\\ {\dot{x}}_3=h\\ c=x_1\end{array}\right.$$

(14)

where $x_1=c$, $x_2=\dot{c}$, $x_3=f(\dot{c},c,d)$, and $h\dot{=}\dot{f}(\dot{c},c,d)$. In this context, we take an extended state to be x₃ for the disturbance f. The goal is to develop a system observer that evaluates the system’s states. This knowledge is used to create a control law that reduces the error caused by the disturbance, thereby rejecting it. The observer can be defined as (15)

$$\left\{\begin{array}{c}\dot{v}=A_{0}v+B_{0}u+L_0(c-\widehat{c})\\ \widehat{c}=C_{0}v\end{array}\right.$$

(15)

where, $A_0=\left[\begin{array}{ccc}0& 1& 0\\ 0& 0& 1\\ 0& 0& 0\end{array}\right],B_0=\left[\begin{array}{c}0\\ b_0\\ 0\end{array}\right],C_0=\left[\begin{array}{ccc}1& 0& 0\end{array}\right]$ are the canonical form of integrators. $\widehat{c}$ is the estimated signal of c and b₀ is the estimated rate that can be calculated from the plant transfer function. $v={\left[v_1,v_2,v_3\right]}^T$ is the intended value of $x={\left[x_1,x_2,x_3\right]}^T$. The observer gain vector $L_0={\left[{\mu }_1,{\mu }_2,{\mu }_3\right]}^T={\left[3{\upsilon }_0,{\upsilon }_0,2{\upsilon }_{0}3\right]}^T$ is derived using the pole-placement method. The estimated state observer (ESO) can be formulated as (16)

$$\left\{\begin{array}{c}{\dot{v}}_1=v_2+{\upsilon }_1(c-v_1)\\ {\dot{v}}_2=v_3+{\upsilon }_2(c-v_1)+b_{0}u\\ {\dot{v}}_3={\upsilon }_3(c-v_1)\end{array}\right..$$

(16)

In this case, the observer estimates the overall perturbance level as thrice the original. Following that, disruption can be avoided by developing an appropriate control law. The control law can be stated as follows (17):

$$u={\displaystyle \frac{(-\widehat{f}+u_0)}{b_0}}.$$

(17)

As a result, the original plant is converted into a very rudimentary form, as depicted below (18):

$$\ddot{c}=(f(\dot{c},c,d)-\dot{f})+u_0\approx u_0.$$

(18)

The simpler union for u0 is essential and the PD controller is as follows (19):

$$u_0=k_p(r-v_1)-k_d{v}_2-v_3$$

(19)

where the ACE is used as the reference value r and k_p, and k_d are proportional and derivative control parameters, respectively. According to [17], controller and observer gains are linear functions of their respective bandwidths. Because of this, the term linear ADRC can be understood as $k_p={\upsilon }_c^2$, $k_d=2{\upsilon }_c$, $L_0={\left[{\mu }_1,{\mu }_2,{\mu }_3\right]}^T$ where µ₁, µ₂ and µ₃ are observer gains, and υ_c and υ₀ are the controller and observer bandwidths, respectively, which must be tweaked in this situation. Suppose the transfer function of the plant is (20)

$$T_P(s)={\displaystyle \frac{{\rho }_m{s}^m+{\rho }_{m-1}{s}^{m-1}+\mathrm{....}+{\rho }_0}{{\sigma }_n{s}^n+{\sigma }_{n-1}{s}^{n-1}+\dots +{\sigma }_0}}$$

$$\rho ={\displaystyle \frac{{\rho }_m}{{\sigma }_n}}.$$

(20)

The value of ρ₀ is considered to be slightly greater than the value of ρ. Figure 3 depicts the proposed controller. In the corresponding area, the controller’s input has been labeled as an area control error (ACE). The LADRC output response can be represented as (21)

$$u_1={\displaystyle \frac{(-\widehat{f}+u_0)}{b_0}}.$$

(21)

A fuzzy logic controller (FLC) before the LADRC controller adjusts the controller coefficients to improve performance in diverse loading scenarios [19]. Figure 4 shows F-LADRC controller input and output membership functions. As shown in Figure 4 for controller inputs and outputs, seven membership triangular-type functions were applied, with verbal abbreviations SN and SP indicating small negative and positive changes, MN and MP indicating medium negative and positive changes and Z indicating zero changes. Additionally, two trapezoidal membership functions with the abbreviations LN and LP indicate large negative and positive changes. Membership function design affects FLC performance. The suggested approach improves controller performance by selecting the coefficients of the proposed controller. Figure 5 shows the suggested controller’s fuzzy rule.

The narrow range of UT in Figure 5 is intentional and reflects the fine-tuned nature of the fuzzy-linear active disturbance rejection controller (F-LADRC). The UT (control output) is designed to make smooth and gradual adjustments, thereby ensuring system stability and reducing overshoot and control effort.

This narrow range is particularly suitable in the context of load frequency control (LFC), where abrupt changes in control input can cause undesirable oscillations and instability in power system frequency. The fuzzy rules are designed to provide small corrective actions based on the ACE (area control error) and DACE (derivative of ACE), allowing for a more robust and adaptive response to system disturbances.

The fuzzy LADRC introduces additional computational overhead compared to traditional PID and I-PD controllers due to two primary components:

• Fuzzy logic inference: The fuzzy controller requires the evaluation of membership functions and rule bases in real time. However, the inference mechanism used in our implementation is based on a Mamdani-type system with a small number of rules (typically fewer than 10), and triangular membership functions. This keeps the computational load relatively low and suitable for real-time execution on standard microcontrollers or DSP platforms.
• Extended state observer (ESO): The LADRC framework includes an ESO for disturbance estimation, which involves solving a set of differential equations. This is computationally light and requires only a few arithmetic operations per control cycle.

To quantify this, we implemented the fuzzy LADRC on the MATLAB/Simulink platform (v2020a) and observed that it required approximately 12% more computation time per control cycle compared to a PID controller. However, this increase is marginal and remains well within the real-time execution capabilities of typical embedded systems used in LFC applications.

The proposed detection framework leverages the fuzzy LADRC (linear active disturbance rejection controller) which incorporates an extended state observer (ESO) to estimate and reject both matched disturbances and injected anomalies. How it handles differentiation is described below:

• Natural disturbances (e.g., load changes) typically align with the system’s physical model and occur within expected bounds. The ESO within LADRC adapts to such changes as part of the normal control behavior.
• FDI attacks, especially scaling-type injections, introduce structured deviations that do not conform to the model dynamics or expected measurement residuals over time. The LADRC’s ESO detects these as unmodeled disturbances, and the fuzzy adaptation enhances sensitivity by adjusting gains dynamically.

Additionally, the fuzzy layer distinguishes contextually between rapid, model-conforming fluctuations and sustained, structured anomalies, making the controller more selective and robust against false alarms due to natural events.

3.2. Proposed Optimization Algorithm

In the field of load frequency control (LFC), a wide range of optimization algorithms have been employed for the systematic tuning of controller parameters. In this study, a novel optimization framework, termed the quasi-oppositional reptile search algorithm (QORSA), is adopted to optimize the parameters of the proposed F-LADRC controller. The reptile search algorithm (RSA) is a population-based, gradient-free metaheuristic inspired by the cooperative hunting and social behaviors of crocodiles [20]. It features a two-stage process comprising an exploration phase, mimicking the encircling of prey, and an exploitation phase, reflecting the focused hunting behavior, both designed to efficiently converge to the global optimum.

To further enhance the convergence rate and global search capability, the quasi-oppositional learning strategy is incorporated. This approach generates quasi-opposite solutions corresponding to each population member, thereby improving the algorithm’s ability to avoid local minima and accelerating overall convergence. The procedural steps of the proposed QORSA [21] are depicted in Figure 6.

3.3. Examination of Designed Controller’s Effectiveness

The effectiveness of the proposed controller is evaluated by comparing its performance against several established controllers on a modified IEEE 39-bus system, as shown in Figure 2. Controller parameters are optimized using the QORSA with results summarized in

Table 2. Optimized controller parameters.

Controller Parameter	PID	TID	I-PD	LADRC	F-LADRC
Area-1
KP1	0.58	-	0.28	-	-
KI1	0.66	0.14	0.21	-	-
KD1	0.45	0.64	0.32	-	-
KT1	-	0.12	-	-	-
b1	-	-	-	8.62	4.51
w1	-	-	-	1.38	1.47
Area-2
KP2	0.61	-	0.41	-	-
KI2	0.54	0.19	0.11	-	-
KD2	0.24	0.27	0.17	-	-
KT2	-	0.37	-	-	-
b2	-	-	-	8.14	4.11
w2	-	-	-	1.44	1.36
Area-3
KP3	0.81	-	0.24	-	-
KI3	0.35	0.15	0.29	-	-
KD3	0.14	0.13	0.13	-	-
KT3	-	0.22	-	-	-
b3	-	-	-	9.63	5.19
w3	-	-	-	1.61	1.57

. Random load disturbances (Figure 7a) and renewable generation profiles for PV and wind (Figure 7b) are utilized to test system dynamics. As illustrated in Figure 8, the proposed controller demonstrates superior dynamic performance compared to conventional LADRC-based methods.

3.4. Sensitivity Analysis

In this case, the proposed control strategy is analyzed under ±20% uncertainty in Tr and +20% uncertainty in Tg ± 20% to the system parameters. Based on the system dynamics shown in Figure 9, it can be deduced that the system is robust as it has shown low sensitivity to parameter variations.

4. Proposed Cyber-Threat Detection and Mitigation Model

The proposed cyber-threat detection and mitigation (CDM) model includes a wavelet-LSTM system (W-LSTM). The wavelet transform-based model detects anomalous frequency deviation data while LSTM is used as a mitigator for the prediction of frequency deviation data during the attack phase.

4.1. Wavelet-Based Attack Detector

The Haar wavelet transform, known for its simplicity and low computational complexity, provides an efficient means of analyzing the local features of a signal. It decomposes a time-domain signal into approximation and detail components at different scales, thereby revealing sudden changes and anomalies often hidden in the raw measurements.

Among the various wavelet tools available, the Harr wavelet is considered the simplest one, and it is denoted as (22)

$$haar(2^r+\omega ,\theta )=\left\{\begin{array}{c}\sqrt{2^r};\omega /2^r\le \theta \le \left(\omega +0.5\right)/2^r\\ -\sqrt{2^r};\left(\omega +0.5\right)/2^r\le \theta \le \left(\omega +1\right)2^r\\ 0;otherwise\end{array}\right..$$

(22)

Now, if $\omega =0$ and $2^r=1$, then the Harr wavelet is (23)

$$\Lambda (\theta )=\left\{\begin{array}{c}1;0\le \theta \le 0.5\\ -1;0.5\le \theta \le 1\\ 0;otherwise\end{array}\right..$$

(23)

In the context of FDI detection, the ACE signals are subjected to the Haar transform. Under normal operating conditions, the detail coefficients remain bounded within a predictable range. However, the occurrence of an FDI attack induces abrupt distortions, resulting in a sudden rise in the magnitude of detail coefficients.

To detect these anomalies, a dynamic threshold $\Gamma$ is established based on the statistical properties of the detail coefficients during normal operation (24)

$$\Gamma ={\mu }_D+\alpha {\sigma }_D$$

(24)

where μ_D and σ_D denote the mean and standard deviation of the detail coefficients, respectively, and α is a tunable sensitivity parameter.

An FDI attack is flagged when (25)

$$\left|D_j\left(k\right)\right|>\Gamma$$

(25)

for any coefficient at any decomposition level.

The parameter α in (24) serves as a sensitivity factor for the dynamic threshold where μ_D and σ_D denote the mean and standard deviation of the detail coefficients, respectively, and α is a tunable sensitivity parameter.

Calibration process: α was tuned empirically through a grid search over the range [1.5, 4.0] using historical ACE data under both normal and attack conditions. The optimal value was selected based on minimizing the following cost metric:

Cost = FPR + FNR

where FPR = false positive rate and FNR = false negative rate. A value of α = 3.0 was found to provide a strong balance, yielding >95% detection accuracy with a false positive rate below 3% across scenarios tested.

4.2. Long Short-Term Memory

While early detection of false data injection (FDI) attacks is critical and timely, accurate mitigation is equally important to preserve the operational stability of load frequency control (LFC) systems. To this end, a long short-term memory (LSTM) neural network is employed in this study for the real-time reconstruction and correction of compromised signals, ensuring continued reliable control performance, even under cyberattack scenarios.

LSTM networks, a variant of recurrent neural networks (RNNs), are particularly adept at learning complex temporal dependencies due to their unique gating mechanisms, which mitigate the problems of vanishing and exploding gradients commonly encountered in traditional RNNs. Their ability to capture both short-term and long-term correlations in sequential data makes them highly suitable for modeling the dynamic behavior of power system signals such as ACE.

An LSTM layer is composed of several interconnected LSTM units that generate the cell vector $c_t\in {\Re }^n$ based on inputs x_t, h_t−1, and c_t−1. The generation of the cell vector c_t involves employing specific operations (26).

$$\begin{array}{l}{d}_t=\lambda \left(G^d{x}_t+J^d{h}_{t-1}+{\varsigma }^d\right)\\ f_t=\lambda \left(G^f{x}_t+J^f{h}_{t-1}+{\varsigma }^f\right)\\ o_t=\lambda \left(G^o{x}_t+J^o{h}_{t-1}+{\varsigma }^o\right)\\ g_t=\tanh \left(G^g{x}_t+J^g{h}_{t-1}+{\varsigma }^g\right)\\ c_t=f_t\otimes c_{t-1}+i_t\otimes g_t\\ h_t=o_t\otimes \tanh \left(c_t\right)\end{array}$$

(26)

The LSTM layer utilizes element-wise activation functions, namely, $\lambda \left(.\right)$ for the sigmoid function and tanh(·) for the hyperbolic tangent function. Additionally, it incorporates element-wise product representation. The variables $d_t\in {\Re }^n$, $f_t\in {\Re }^n$, and $o_t\in {\Re }^n$ represent the input gate, forget gate, and output gate, respectively. For each of these gates, parameters $G^k$, $J^k$, and ${\varsigma }^k$ (where $k\in d,f,o$) are used to facilitate their respective functions.

The LSTM-based cyber threat mitigation framework, illustrated in Figure 7, employs a hierarchical structure comprising three sub-networks. Two sub-networks predict frequency deviations for each control area, utilizing as input the current frequency and input power. Temporal dependencies are captured via LSTM layers, followed by fully connected layers with ReLU activations for actuator temperature prediction. The third sub-network processes historical joint-angle states through a similar LSTM-FC-ReLU pipeline, whose outputs are fused with the frequency deviation predictions to form a comprehensive system response model.

The LSTM-based mitigator is trained using multi-area ACE data, allowing it to learn temporal and spatial dependencies among different control areas. This enables the model to achieve the following:

• Capture correlated behaviors: for example, simultaneous ramp FDIAs across interconnected areas will cause synchronized anomalies in ACE patterns, which the LSTM can recognize through learned temporal patterns.
• Predict cross-area ACE values: during attacks, the LSTM estimates the expected ACE signal based on the joint evolution of all areas. Deviations between the predicted and actual ACE help isolate and suppress anomalous inputs.
• Activate a mitigation mechanism: when a correlated attack is detected, the LSTM-predicted ACE acts as a surrogate signal for controller input, ensuring continuity of control. Additionally, its training includes mixed-scenario datasets with uncorrelated and correlated attacks, improving generalization.

Model performance is quantified using the root mean squared error (RMSE), defined as (27).

$$RMSE=\sqrt{{\displaystyle \frac{1}{N}}{\displaystyle {\sum }_{i=1}^N\left(AC{E}_{i,measured}-AC{E}_{i,estimated}\right)}}$$

(27)

The WT-LSTM framework can detect hybrid attacks insofar as they induce anomalies in ACE or system dynamics.

FDI-DoS typically leads to

• missing or delayed data packets;
• sudden communication drops.

These disruptions manifest as abrupt changes or irregular gaps in ACE/tie-line signals. The Haar transform will spike under such conditions, and LSTM prediction errors will increase due to divergence from learned patterns—triggering detection.

Zero-Day Exploits: While unknown in structure, zero-day attacks still impact system behavior. Because our detection relies on data-driven behavioral deviation rather than known signatures, it can flag unknown patterns that deviate from normal learned dynamics. That said, distinguishing malicious zero-day behavior from rare but benign events (e.g., generator trips) remains an open challenge and may require integration with physical redundancies or cyber-forensics.

The proposed framework relies on ACE signal patterns, not the specific source of generation.

Both hydro and geothermal plants exhibit different dynamics (e.g., longer ramp times for hydro), but the WT-LSTM approach adapts because

• training is based on local historical ACE data;
• LSTM captures temporal dependencies, irrespective of the underlying source.

We anticipate that retraining the LSTM on data from hydro/geothermal-integrated grids would maintain its effectiveness.

The WT-LSTM method trades slightly higher computational effort for greater robustness and adaptability, especially under nonlinear, coordinated, or data-driven attacks, which model-based approaches may not capture effectively (

Table 3. Comparison table for WT-LSTM and model-based observers.

Aspect	WT-LSTM Framework	Model-Based Observers
Detection Accuracy	High accuracy for nonlinear/time-varying anomalies; learns from data patterns	Moderate-to-high accuracy but sensitive to model mismatches
Adaptability	Easily adaptable to changing operating conditions (retrainable)	Fixed structure; needs re-tuning under system changes
Robustness to Noise	Haar wavelet preprocessing improves robustness	Kalman filters may degrade under unmodeled noise
Model Dependency	Model-free (requires only historical ACE data)	Requires accurate system modeling and parameters
Computation	Moderate (20–25 ms latency)	Very low (1–5 ms) but may lack generalization

).

Blockchain frameworks are more suited for forensic-level verification and data integrity, whereas WT-LSTM is designed for real-time detection and mitigation. The two can be complementary, not competing (

Table 4. Comparison table for WT-LSTM and blockchain-based approaches.

Aspect	WT-LSTM Framework	Blockchain-Based Approaches
Detection Latency	~25 ms per sampling interval	High (seconds to minutes due to consensus delays)
Resource Usage	Requires only local computation and storage	High storage/computation due to distributed ledger overhead
Scalability	Scalable to many areas with parallel LSTM units	Limited by network and consensus bottlenecks
Security Focus	Detects anomalies in real-time ACE behavior	Ensures data integrity and non-repudiation, but not real-time detection
Implementation Complexity	Moderate (data + neural model)	High (smart contracts, cryptographic protocols, node trust)

).

5. Results

The proposed control strategy is evaluated on a modified IEEE 39-bus system with three areas. Key system parameters, such as inertia, damping, droop coefficients, and time constants, are listed in Table 1, with values based on a 100 MVA base. Frequency deviations result from uncertain power inputs, including uncontracted loads, PV, and wind. The control scheme addresses both primary and secondary frequency regulation (FR) while accounting for cyber threats disrupting communication between the FR controller and EVs.

Simulations are run in MATLAB 2020a on a Windows 11 platform with an HP Intel i7-6700K CPU and 8 GB RAM, Gurugram, India. To test the scheme’s effectiveness, FDI attack scenarios are considered, with disturbances from wind, PV, and uncontracted loads (15 MW, 10 MW, 4 MW). Each area is modeled with 40,000 EVs, contributing ±10 kW, with 5% participation in FR. The simulations cover the three following scenarios:

• S1: normal operation without an attack.
• S2: FDI attack without cyber defense.
• S3: FDI attack with the proposed detection and mitigation system.

Case-1: FDI Attack

The proposed cyber defense and mitigation (CDM) system’s effectiveness is evaluated during a false data injection (FDI) attack targeting the area control error (ACE). The attack is applied sequentially to each region of the smart grid over a set time period.

Three distinct types of scaling FDI attacks are simulated within the system. These attack scenarios involve scaling factors in the form of white noise, sine waves, and ramp functions, as depicted in Figure 10. The wavelet-based detector identifies the malicious data injected during the attack through wavelet decomposition, as shown in Figure 11. Additionally, the LSTM-based predictor is employed to generate a mitigated signal during the attack, with results illustrated in Figure 12.

The combined wavelet transform (WT) + LSTM detection and mitigation pipeline introduces an average processing latency of approximately

• WT transform and thresholding: ~5 ms;
• LSTM prediction (1-step ahead): ~15–20 ms on a standard CPU (Intel i7, 2.8 GHz);
• Total latency: ~20–25 ms per sampling interval.

Given that typical load frequency control (LFC) systems operate on 100–200 ms sampling intervals, this latency is well within the real-time control bounds and is thus acceptable for deployment in primary or secondary control loops.

To ensure low-latency operation, the LSTM was designed with a compact architecture (two hidden layers, thirty-two units) and optimized using a batch size = 1 inference.

The attack profiles in the simulations were chosen based on the following rationale:

• Durations: each attack spans 5–15 s to capture the transient response, which is the most critical window for LFC and detection systems.
• Intensities: scaling factors and signal amplitudes (e.g., 10–30% of nominal ACE or tie-line power) were selected to remain stealthy (i.e., bypass threshold detection), while still significantly perturbing system dynamics.

These were designed to reflect realistic yet challenging adversarial conditions, inspired by past FDIA studies and aligned with cyber-threat scenarios.

6. Conclusions

This paper has presented novel contributions focusing on the detection and mitigation of FDI attacks on area control error (ACE). To address the variability of load demands and RES, a robust frequency regulation (FR) mechanism was designed. A fuzzy logic rule-based linear active disturbance rejection control (F-LADRC) system was proposed to optimize transient and steady-state responses, ensuring precise control. To further enhance performance, the QORSA optimization algorithm was employed, improving controller efficacy and system stability. In response to rising cyber threats in smart grids, a strategy leveraging wavelet-based detection identified FDI-induced frequency deviations. An LSTM network was then used to forecast corrective signals by analyzing historical attack data.