Secure State Estimation with Asynchronous Measurements for Coordinated Cyber Attack Detection in Active Distribution Systems

Abstract

Coordinated cyber attacks tamper with measurement data to disrupt the situational awareness of active distribution systems. Various sensors report measurements asynchronously at different rates, which introduces challenges during state estimation. In addition, this forces cyber intruders to exert greater effort to compromise multiple communication channels and launch coordinated attacks. Therefore, multi-channel and asynchronous measurements could be harnessed to develop more secure cyber defense strategies. In this paper, a prediction-correction-based multi-rate observer is designed to exploit the value of asynchronous measurements for the detection of coordinated false data injection (FDI) attacks. First, a time-function-dependent prediction-correction strategy is proposed to adjust the sampling interval for each sensor’s measurement. Then, an observer is designed based on the trade-off between estimation error and the optimal period of the most recent sampling instant, with the convergence of estimation error with the maximum permitted sampling interval. Moreover, the conditions for exponential stability are developed using the Lyapunov–Krasovskii functional technique. Next, a coordinated FDI attack detection strategy is developed based on the dual nonlinear minimization problem. The proposed attack detection and secure state estimation strategies are tested on the IEEE 13-node system. Simulation results show that these schemes are effective in enhancing attack detection based on asynchronous measurements or compromised data.

1. Introduction

In active distribution systems, different sensors and measurement devices (e.g., phasor measurement units (PMUs), smart meters, DERs, and SCADAs) can provide multiple types of sensing information in time and space [1]. The varying sampling rates of these devices can produce asynchronous measurements. However, existing state estimation methodologies are not designed to utilize these asynchronous data [2]. In this context, efficiently utilizing multi-sensor information remains a key challenge for distribution system operation and control. On the other hand, the diverse and open nature of communication networks heightens the vulnerability of distribution system state estimation to cyber attacks [3]. Thus, attackers aim to penetrate communication networks and maintain deception through falsified states long enough to cause severe and unforeseen damage to the physical system. Recently, coordinated false data injection (FDI) attacks have drawn a lot of attention and have severely damaged power systems [4]. For example, BlackEnergy Malware attacked 60 substations of the Ukrainian electricity network in 2015, resulting in a three-hour power outage in western Ukraine. The 2017 incident at a U.S. nuclear power plant and the 2019 power outages in Venezuela show that cyber attacks are a serious threat to the secure operation of power systems [5]. Additionally, hackers launched a denial-of-service (DoS) attack against the American grid using firewall flaws in 2019 [6], which prevented grid operations from monitoring power networks in the states of Wyoming, Utah, and California.

The hypothesis of our research is that we can utilize asynchronous measurements to detect coordinated cyber attacks. It is reasonable to assume that it is almost impossible (or, if possible, very costly) for attackers to compromise multiple different communication channels. Therefore, the motivation of this paper is to exploit multi-channel information for intrusion detection. A few studies on asynchronous measurements and cyber attacks have been reported in the literature, which are briefly summarized below.

First, considering multiple sensors and asynchronous measurements, the authors of [7] developed an optimization-based fusion estimation method for sensor attacks. Dealing with joint FDI attacks, a multiple-state estimation algorithm [8] was established by using a game–theoretic technique. In an online setting, a round-based synchronization mechanism approach was introduced in [9] to estimate asynchronous measurements. In the case of asynchronous measurements with various types of noises, the authors of [10] proposed a suboptimal distributed consensus filter method. Subject to asynchronous modes and energy-limited DoS attacks, non-fragile $H_{\infty }$ asynchronous control was proposed based on a hidden Markov model [11]. Corresponding to aperiodic asynchronous measurements, the authors of [12] developed a hybrid observer using a sum-of-squares decomposition approach. A matrix-weighted fusion estimation algorithm was developed in [13] with multiple asynchronous sampling sensors. Based on the contextualization of asynchronous discrete-time measurements, an LMI-dependent time-varying observer was presented in [14].

Several studies have analyzed the impact of cyber attacks on active distribution system state estimation, primarily addressing individual attacks [15]. While each weak component or communication channel is vulnerable to hostile FDI attacks, coordinated FDI attacks can simultaneously target multiple interconnected components or channels, posing a far greater threat to distribution grids [16]. However, there has been a lack of investigation into security issues under coordinated FDI attacks, possibly due to the challenge of properly mathematically modeling the couplings of attack sequences [17]. These factors motivated us to conduct a thorough investigation of coordinated FDI attacks, leverage hidden information from asynchronous measurements, and develop intrusion detection methods grounded in the distributional characteristics of the system state estimation framework.

Despite recent advances, notable gaps continue to exist in the areas of state estimation and cybersecurity for active distribution systems. Specifically, many existing approaches fail to account for asynchronous observations with varying data rates. Consequently, even when measurement data are considered, these approaches lack the capability to detect coordinated FDI attacks. As a result, we pinpoint three major research gaps, which can be summarized as follows:

• The problem of asynchronous measurements in active distribution systems is not sufficiently addressed by current state estimation techniques.
• Conventional secure observer design does not integrate prediction correction functionality and is not capable of dealing with both cyber attacks and asynchronous measurements.
• Current approaches to FDI attack detection often focus on random FDI attacks and do not consider coordinated attacks across multiple devices.

Built upon the works in the literature and the research gaps, this paper further advances the technique and makes the following contributions:

• As a first attempt, a secure state estimation is developed for an active distribution system, where measurement output data are asynchronous and vulnerable to coordinated FDI attacks. In this approach, a sensor time function is proposed to illustrate the asynchronous samplings of measurement devices. Next, in order to adjust the length of the sampling interval of each sensor, we advance the prediction correction algorithm by utilizing the Levenberg–Marquardt strategy and Newton’s method.
• In contrast to traditional secure observer designs, this work introduces a multi-rate observer that leverages a sensor time function and prediction correction outputs to estimate asynchronous and compromised measurements.
• This scheme introduces an attack detection method by using a dual nonlinear optimization approach to automatically filter out possible coordinated FDI attacks.

The structure of the remainder of this paper is as follows: Section 2 introduces the concept of asynchronous measurements and coordinated FDI attacks in an active distribution system. Section 3 introduces the methodology of prediction-correction-based multi-rate observer. Then, Section 4 describes the attack detection approach. Simulation results and analysis are presented in Section 5, and Section 6 summarizes the conclusions.

2. Problem Formulation

Maintaining secure state estimation in active distribution systems has become increasingly challenging due to two major issues: the diversity of measurement sources and the growing vulnerability to cyberattacks. First, different sampling rates are applied to asynchronous data streams generated by various measuring devices. Moreover, these data are susceptible to coordinated false data injection (FDI) attacks that can mislead operators and disrupt system operation. This section introduces coordinated FDI attacks and asynchronous measurements.

2.1. Asynchronous Measurements

In an active distribution system, different measurement devices have different sampling rates. For example, PMU normally sends each measurement per second, SCADA collects each measurement per 2–5 s, AMI normally sends measurements once every 15 min, and economic billing devices send measurements about 5–20 times per hour. As shown in Table 1, there are different devices available in active distribution systems, such as PMU, SCADA, advanced metering infrastructure (AMI), economic billing, and distributed energy resource (DER). $\mathbf{SE}$ represents state estimation for different types of devices. X represents a measurement that is present from a particular device, while 0 represents an absent measurement at any time step. This conceptual structure is defined as the asynchronous measurement of an active distribution system.

Table 1. Asynchronous measurements in active distribution systems. The red column ($t_{k+1}$) indicates the time step when all devices fail to send measurements to the DSO.

Device	${\mathit{t}}_{\mathit{k}}$	${\mathit{t}}_{\mathit{k}+1}$	${\mathit{t}}_{\mathit{k}+2}$	${\mathit{t}}_{\mathit{k}+3}$	${\mathit{t}}_{\mathit{k}+4}$	${\mathit{t}}_{\mathit{k}+5}$	SE
PMU	X	X	X	X	X	X	SE #1
SCADA	X	0	X	0	X	0	SE #2
AMI	X	0	0	0	X	0	SE #3
Economic billing	0	0	X	0	0	0	SE #4
DER	0	X	0	X	0	0	SE #5

In practical applications, the majority of measurement devices cannot send measurements in real time. Therefore, the state estimation system runs only once every 15 min in a distribution network, which creates a major challenge for real-time situational awareness. This paper considers three types of measurements and operation devices: PMUs, which can measure complicated voltages and power injections; smart meters, which can measure voltage magnitudes; and power injections. On the other hand, DER does not act as a measurement device like a PMU or smart meter, but it has monitoring functions (e.g., inverter parameters, SOC, and power output) that can provide operational data.

In general, there are large gaps in the time between measurements and operational data from PMUs, smart meters, and DERs. As a result, we consider a scenario where only a portion of the sensors provides data to the system operator at time $t=t_1,t_2,\dots$, which may not be uniformly distributed. Therefore, without loss of generality, it is assumed that measurements are taken in intervals $t=1,2,\dots$ from a selection of buses, represented by $\mathbf{C}$. They are compiled in the measurement vector $y\left(t\right)$, modeled as $y\left(t\right)=\mathbf{C}x\left(t\right)$. Here, $y\left(t\right)$ is the output of the active distribution system, $x\left(t\right)$ is the state variable, and $\mathbf{C}$ is the output matrix. Consideing the time-varying situation, the communication graph $\mathcal{G}$ and the system connected matrix $\mathbf{C}$ are induced by the communication graph. By limiting communication to the edge set $\mathcal{E}$, the prediction correction algorithm and multi-rate observer can be deployed in an active distribution system. In order to simplify the calculation, but without loss of generality, it is assumed that grid operators collect the same amount of measurement and operational data at each sampling interval, i.e., for all t, $\left|\mathbf{C}\right(t\left)\right|=\mathbf{C}$ [18]. The selection matrix $\mathbf{C}$ chooses the elements collected at timestamp t. Individual parts of the selection matrix depend on the collection of buses measured in $\mathbf{C}:=\{s_1,\dots ,s_S\}$. Thus, we can write $\mathbf{C}={\left[\begin{array}{ccc}{\mathbf{C}}_{s_1}^{\top }& \dots & {\mathbf{C}}_{s_S}^{\top }\end{array}\right]}^{\top }$.

2.2. Coordinated FDI Attacks

FDI attacks occur when adversaries intentionally alter sensor measurements in a deceptive manner, leading to undetectable errors in the estimation of state vectors and corresponding system outputs. In this paper, coordinated FDI attacks are defined based on the attack area as shown in Figure 1.

Figure 1. An example of coordinated FDI attacks: (a) two FDI attackers inject falsified values in bus 3 and bus 4 coordinately; (b) green bar shows stealthy FDI attacks and red bar shows non-stealthy coordinated attacks.

As shown in Figure 1a, FDI attacker 1 launches at bus 3 and FDI, attacker 2 launches at bus 4, assuming both have the same coordinated objective, which is to destroy the performance of the lines between buses 2–3 and buses 4–5. In addition, when FDI attacks occur at multiple points in the grid, the affected regions can influence nearby unaffected areas, allowing the attack’s impact to spread through the entire network. In this paper, a new class of coordinated FDI attacks is defined, where the duration of attacks is considered as shown in Figure 1b. Mathematically, it can be formulated as

$$\begin{array}{c}\hfill y\left(t\right)=\mathbf{C}x\left(t\right)+{\mathbf{a}}_{\mathrm{co}}\left(t\right)\end{array}$$

(1)

where ${\mathbf{a}}_{\mathrm{co}}\left(t\right)$ represents the coordinated FDI attack vector.

In real systems, adversaries can falsify data from PMUs, smart meters, and DERs simultaneously across different nodes, aiming to launch coordinated FDI attacks that degrade system performance over a specific period of time.

3. Methodology

In this section, a multi-rate observer based on the prediction correction algorithm is introduced to utilize the asynchronous measurements for coordinated FDI attack detection. As shown in Figure 2, there are four major blocks in the control framework. First, the sensor unit receives the control signals of distribution grids at different sampling rates. Then, these control signals are sent to the prediction correction unit, where the sampling interval is adjusted to enable all signals within the observer interval. Next, the multi-rate observer unit takes both the adjusted signals and the asynchronous measurements to perform the state estimation. Finally, the attack detection unit receives the estimated states and applies a dual nonlinear optimization method to detect coordinated FDI attacks. The details of each unit are presented as follows.

Figure 2. Proposed framework of prediction-correction-based observer design.

3.1. Prediction Correction Algorithm

The objective of the prediction correction algorithm is to adjust the sampling intervals of all sensors so that they are synchronized within the observer period at each synchronization time, i.e., $t_k^1,t_k^2,t_k^3$. The time interval is adjusted by the prediction correction algorithm. The sampling time (t) has a length between the $i^{th}$ sensor’s consecutive intervals $s_k^i$ and $s_{k+1}^i$, as shown in Equation (2).

$$0<ϵ<s_{k+1}^i-s_k^i<{\tau }^i,\forall k\in \mathbb{N}$$

(2)

$$t\in (s_k^i-s_{k+1}^i)$$

(3)

where $ϵ$ is the time interval between consecutive samples.

Figure 3 shows that multi-time function-based sensors are considered, where each sensor maintains a particular time series. For example, sensor 1 has a square, sensor 2 has a sawtooth, and sensor 3 has a triangle function. The green and red lines represent the next sampling and sampling interval, respectively. It is shown that the data are sampled by multiple sensors at distinct rates and are corrupted by coordinated FDI attacks. Asynchronous measurements can occur at any time within the upper and lower constraints, with sample rates ranging from the maximum to the minimum rates. The vertical black arrows represent measurement arrivals from different sensors at distinct sampling instants within the same control period.

Figure 3. Adjustable sampling period with prediction correction algorithm.

In the following, a prediction step is introduced to deal with the objective; thus, the Levenberg–Marquardt algorithm can be written [19] as

$$\begin{array}{cc}\hfill {\widehat{x}}_{p+1}^{k+1}={\widehat{x}}_p^k& -[{\nabla }_{xx}{f}^{\left(k\right)}\left(x^{\left(k\right)}\right){\nabla }_{xx}^T{f}^{\left(k\right)}\left(x^{\left(k\right)}\right)\hfill \\ \hfill & +{\Lambda }_{p}I{]}^{-1}{\nabla }_{xx}{f}^{\left(k\right)}\left(x^{\left(k\right)}\right)f^{\left(k\right)}\left(x^{\left(k\right)}\right)\hfill \end{array}$$

(4)

where $x^{\left(k\right)}$ is the output solution, ${\nabla }_{xx}$ is the Hessian of function $f^{\left(k\right)}\left(x^{\left(k\right)}\right)$, ${\Lambda }_p$ is the damping factor at iteration p, and I is the identity matrix.

Remark 1.

The advantage of adopting the Levenberg–Marquardt algorithm is that the prediction process converges faster than the noisy gradient descent algorithm. Also, in the presence of coordinated FDI attacks, it can handle the compromised system model with multiple free parameters that are not precisely known, which is preferable for application in intrusion detection.

We use the Levenberg–Marquardt method in the prediction step because it works as trust-region control by combining the Gauss–Newton and gradient descent algorithms. A crucial function of the damping factor ${\Lambda }_p$ is to avoid divergence with compromised data. Therefore, it makes the algorithm robust in the presence of coordinated FDI attacks and can direct the state estimation process toward a feasibility region.

After the prediction step, it is necessary to refine the estimate using Newton’s method because it achieves quadratic convergence and is highly efficient when estimation is near the true value. In the correction phase, Newton method [20] is applied as

$$\begin{array}{cc}\hfill {\widehat{x}}_{c+1}^{k+1}={\widehat{x}}_c^{k+1}-{\nabla }_{xx}^2{f}^{(k+1)}& {\left(x^{(k+1)}\right)}^{-1}\hfill \\ \hfill & {\nabla }_x{f}^{(k+1)}\left(x^{(k+1)}\right)\hfill \end{array}$$

(5)

for $c=0,1,\dots C-1$, where C is the predetermined number of Newton’s steps; ${\nabla }_x$ is the gradient of function.

In the following, correction step (5) converges to the sampled trajectories $x(\ast ,t)$ within an asymptotic boundary under standard limits on the time step size. Consider the sequence that the prediction correction algorithm develops and assume that coordinated FDI attacks are successful. This algorithm is applied to solve the optimization issue, i.e., to adjust the sampling interval. Let m be the strong convexity constant for convergence. Thus, the underlying variables are defined as ${\varrho }_{\mathrm{P}}^P$ and ${\varrho }_{\mathrm{C}}^C$. At the synchronization time, choose a step size such that $\alpha <{\displaystyle \frac{2}{W}}$, $\zeta <{\displaystyle \frac{2}{W}}$, where W is the Lipschitz constant [21]. The contraction property for prediction correction steps [22] verify

$$\begin{array}{c}\hfill m<{\displaystyle \frac{2W\left[{\varrho }_{\mathrm{C}}^C({\varrho }_{\mathrm{P}}^P+1)\right]}{1-{\varrho }_{\mathrm{P}}^P{\varrho }_{\mathrm{C}}^C}}\end{array}$$

(6)

According to [23], the quantity of correction steps is then determined as

$$\begin{array}{c}\hfill C_{\mathrm{step}}>⌈{\displaystyle \frac{-log\left({\varrho }_{\mathrm{P}}^P(1+\frac{2W}{m})+\frac{2W}{m}\right)}{log\left({\varrho }_{\mathrm{C}}^C\right)}}⌉.\end{array}$$

(7)

3.2. Multi-Rate Observer

In order to estimate the state ${\widehat{x}}_{\gamma t}$ between two successive measurements, the multi-rate observer is constructed based on the output state ${\widehat{x}}_c$ of the prediction correction algorithm. Considering system matrix $\mathbf{A}$, control matrix $\mathbf{B}$, and control input $u\left(t\right)$, the observer gain L is defined as follows [24]:

$$\begin{array}{c}\hfill {\dot{\widehat{x}}}_{\gamma t}\left(t\right)=\mathbf{A}{\widehat{x}}_{\gamma t}\left(t\right)+\mathbf{B}u\left(t\right)-L\left(y\left(t\right)-\mathbf{C}{\widehat{x}}_{\gamma t}\left(t\right)\right)\end{array}$$

(8)

The observer gain matrix L is designed in such a way that the estimation error dynamics remain stable with asynchronous measurements and coordinated FDI attacks. For this, L is chosen in practice such that the eigenvalues of the augmented error system fall in the left-half plane to ensure the exponential convergence of the estimation error.

Next, the estimated states and control input can be used to calculate the observer outputs in the following format:

$$\begin{array}{c}\hfill {\rho }^i\left(t\right)=t-s_k^i\end{array}$$

(9)

where ${\rho }^i\left(t\right)$ is the sensor’s time function.

However, the observer is not required to retain estimated states during the entire period. Thus, interval $[t,t-T]$ is considered.

$$\begin{array}{c}\hfill T={\max }_i{\tau }^i,i\in \{1,\dots ,m\}\end{array}$$

(10)

The concept of estimation error includes

$$\begin{array}{cc}\hfill e\left(t\right)& =x_{\gamma t}-{\widehat{x}}_{\gamma t}\hfill \\ \hfill & ={\left[\begin{array}{ccc}{e}^{\mathrm{T}}(t-{\rho }^1\left(t\right))& \dots & e^{\mathrm{T}}(t-{\rho }^m\left(t\right))\end{array}\right]}^{\mathrm{T}}\hfill \end{array}$$

(11)

where $\rho \left(t\right)$ is used to denote the period since the last sample instant for each sensor.

$$\begin{array}{c}\hfill \rho \left(t\right)=\underset{i}{min}{\rho }^i\left(t\right),i\in \{1,\dots ,m\}\end{array}$$

(12)

For each sensor, the maximum permitted sample interval ${\tau }^i$ can be expressed as

$$\begin{array}{c}\hfill 0\le {\rho }^i<{\tau }^i\end{array}$$

(13)

Let us characterize an appropriate vector space of function $\mathcal{W}([-T,0],{\mathbb{R}}^{n_x})$ in order to demonstrate the stability of the estimation error. Thus, the function $e_t\in \mathcal{W}$ can be defined as follows:

$$\begin{array}{cc}& e_t\left(s\right)=e(s+t),0\ge s\ge -T\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill & \left|\right|e_t{\left|\right|}_{\mathcal{W}}=\underset{s\in [-T,0]}{max}\left|e_t\left(s\right)\right|+{\left[{\int }_{-T}^0{\left|{\dot{e}}_t\left(s\right)\right|}^2\mathrm{d}s\right]}^{{\displaystyle \frac{1}{2}}}\hfill \end{array}$$

(15)

Then, the augmented system is defined as follows:

$$\begin{array}{cc}\hfill {\dot{\widehat{x}}}_{\gamma t}\left(t\right)=& \mathbf{A}{\widehat{x}}_{\gamma t}\left(t\right)+\mathbf{B}\overline{u}\left(t\right)-L\left(\overline{y}\left(t\right)-\overline{\mathbf{C}}{\widehat{\overline{x}}}_{\gamma t}\left(t\right)\right)\hfill \end{array}$$

$$\begin{array}{c}\hfill =\mathbf{A}{\widehat{x}}_{\gamma t}\left(t\right)+\mathbf{B}\overline{u}\left(t\right)-L\overline{\mathbf{C}}\overline{e}\left(t\right)\end{array}$$

(16)

$$\begin{array}{cc}\hfill \dot{\overline{e}}\left(t\right)=& \mathbf{A}\overline{e}\left(t\right)+L\overline{\mathbf{C}}\overline{e}\left(t\right)\hfill \end{array}$$

(17)

where

$$\begin{array}{cc}\hfill {\widehat{\overline{x}}}_{\gamma t}\left(t\right)=& {\left[\begin{array}{ccc}{\widehat{x}}_c^{\mathrm{T}}(t-{\rho }^1\left(t\right))& \dots & {\widehat{x}}_c^{\mathrm{T}}(t-{\rho }^m\left(t\right))\end{array}\right]}^{\mathrm{T}},\hfill \\ \hfill \overline{e}\left(t\right)=& {\overline{x}}_{\gamma t}-{\widehat{\overline{x}}}_{\gamma t}\hfill \end{array}$$

In the augmented system in Equations (16) and (17), the value ${\rho }^i\left(t\right)$ for each sensor i shows how much time has passed since its last measurement arrived. This time is used in ${\widehat{\overline{x}}}_{\gamma t}\left(t\right)$, where ${\widehat{x}}_c^{\mathrm{T}}(t-{\rho }^i\left(t\right))$ represents the most recent available data from sensor i. In this way, the augmented system collects the latest information from all devices. Then, the estimation error $\overline{e}\left(t\right)$ is constructed by using this time state. Finally, when a new measurement comes in, the corresponding ${\rho }^i\left(t\right)$ is reset to zero. This keeps the augmented system consistent with the actual arrival of data.

3.3. Stability Condition

Now we can denote the inequality conditions in order to establish the exponential stability of the estimation error of the multi-rate observer. Take into account the augmented linear dynamic system (16) for the distribution system and an estimated error (17) for a multi-rate observer. Considering the problem of asynchronous measurements and coordinated FDI attacks, the estimation error is globally, uniformly, and exponentially stable, including a rate of decay (≥$\alpha /2$), with the following augmented vector $\psi \left(t\right)$, which is considered to facilitate the analysis of $t\in [t_n,t_{n+1})$.

$$\begin{array}{c}\hfill \psi \left(t\right)={\left[\begin{array}{ccc}{e}^{\mathrm{T}}\left(t\right)& {\overline{e}}^{\mathrm{T}}\left(t\right)& e^{\mathrm{T}}\left(t_n\right)\end{array}\right]}^{\mathrm{T}}.\end{array}$$

(18)

Consequently, $\dot{e}\left(t\right)$ can be redefined based on (18) as follows:

$$\begin{array}{c}\hfill \dot{e}\left(t\right)=\psi \left(t\right)\left[\begin{array}{ccc}\mathbf{A}& L\overline{\mathbf{C}}& 0\end{array}\right].\end{array}$$

(19)

There exists at least one period $(t_{n^{\prime }},t_{n^{\prime }+1})$, $n^{\prime }\in \mathbb{N}$, with a distance greater than $ϵ/m>0$ for any period that traverses an interval longer than $(m+1)T$. In at least one interval $(t_n,t_{n+1})$ with a nonzero value, this makes the final inequality stringent because it conforms to the result of (20). Then, by using Lyapunov–Krasovskii functional [25], Equation (19) satisfies the following inequality conditions:

$$\begin{array}{cc}\hfill \left|e\right(t\left)\right|\le & \sqrt{\left(V(t,e_t)/c_1\right)}\le \sqrt{\left[V(0,e_0)\exp \left(-\alpha t\right)\right]/c_1}\hfill \\ \hfill \le & \left|\right|e_0{\left|\right|}_{\mathcal{W}}\exp \left(-{\displaystyle \frac{\alpha }{2}}t\right)\sqrt{\left({\displaystyle \frac{c_2}{c_1}}\right)}.\hfill \end{array}$$

(20)

where $V\left(t\right)$ is the Lyapunov function candidate with ${lim}_{t\nearrow t_n}V(t,e_t)=V(t_n^{-},e_{t_n^{-}})$ and $V(t_n^{-},e_{t_n^{-}})\ge V(t_n,e_{t_n})$; $\alpha >0$; $c_1$ and $c_2$ are positive scalars.

There is a finite number of sample intervals $t_n$, $n\in \mathbb{N}$, for any interval of time with a duration less than $ϵ$, as in (2). Thus, the Zeno phenomenon is not present. However, it can be concluded from (20) that, with an overshoot less than $\sqrt{c_2/c_1}$ and a decay rate greater than $\alpha /2$, the estimation error is exponentially stable.

4. Attack Detection Method

The observer state estimation may suffer from significant performance deviations due to coordinated attacks. Thus, aggregating these facts, the absolute variation for the state variables of the considered system is constructed as follows:

$$\begin{array}{c}\hfill \left({\underline{x}}_{\gamma t},{\overline{x}}_{\gamma t}\right)=\left(x_{\gamma t}-\Delta {\underline{x}}_{\gamma t},x_{\gamma t}+\Delta {\overline{x}}_{\gamma t}\right)\end{array}$$

(21)

where ${\overline{x}}_{\gamma t}$ and ${\underline{x}}_{\gamma t}$ are the upper and lower bounds for the observer state variable, respectively. $\Delta {\overline{x}}_{\gamma t}$ and $\Delta {\underline{x}}_{\gamma t}$ are the deviations of the upper and lower limits for the observer state variable, respectively. Since the optimal operating level is represented by $x_{\gamma t}$, the estimated state ${\widehat{x}}_{\gamma t}$ is defined as

$$\begin{array}{c}\hfill {\widehat{x}}_{\gamma t}\in \left\{\begin{array}{cc}{\Omega }_N,\hfill & \mathrm{if}{\widehat{x}}_{\gamma t}\in \left({\underline{x}}_{\gamma t},{\overline{x}}_{\gamma t}\right)\hfill \\ {\Omega }_A,\hfill & \mathrm{otherwise}\hfill \end{array}\right.\end{array}$$

(22)

where ${\Omega }_A$ is the abnormal state, and ${\Omega }_N$ is the normal state. ${\widehat{x}}_{\gamma t}$ represents the estimated state obtained from the observer. Finally, the proposed attack detection strategy based on a dual nonlinear minimization problem [26] is modeled as follows:

$$\begin{array}{c}\hfill \mathrm{Objectives}:\\ \hfill \left[\Delta {\underline{x}}_{\gamma t},\Delta {\overline{x}}_{\gamma t}\right]& =\left[min{\overrightarrow{e}}_{\gamma }^T\Delta {\overrightarrow{x}}_t,min-{\overrightarrow{e}}_{\gamma }^T\Delta {\overrightarrow{x}}_t\right]\hfill \end{array}$$

(23)

$$\begin{array}{c}s.t.\\ \text{\hspace{1em}Constraints}:\text{ equality}\end{array}$$

$$S_i^p=P_i^p+j{Q}_i^p$$

(24)

$$\begin{array}{cc}\hfill P_i^p=& |V_i^p|\sum _{k=1}^n\sum _{m=a}^c|V_k^m|\hfill \\ \hfill & \left[G_{ik}^{pm}cos{\theta }_{ik}^{pm}+B_{ik}^{pm}sin{\theta }_{ik}^{pm}\right]\hfill \end{array}$$

(25)

$$\begin{array}{cc}\hfill Q_i^p=& |V_i^p|\sum _{k=1}^n\sum _{m=a}^c|V_k^m|\hfill \\ \hfill & \left[G_{ik}^{pm}sin{\theta }_{ik}^{pm}-B_{ik}^{pm}cos{\theta }_{ik}^{pm}\right]\hfill \end{array}$$

(26)

$$\begin{array}{cc}\hfill L_i=& L_i^{max}\ast T_i^p\hfill \end{array}$$

(27)

$$\begin{array}{l}\text{Constraints}:\text{ inequality}\end{array}$$

$$\begin{array}{cc}\hfill P_{Gi}^{min}& \le P_{Gi}\le P_{Gi}^{max}\hfill \end{array}$$

(28)

$$\begin{array}{cc}\hfill Q_{Gi}^{min}& \le Q_{Gi}\le Q_{Gi}^{max}\hfill \end{array}$$

(29)

$$\begin{array}{cc}\hfill I_{i\_j}^p& \le I_{i\_j,max}^p\hfill \end{array}$$

(30)

$$\begin{array}{cc}\hfill V_{i,min}^p& \le V_i^p\le V_{i,max}^p\hfill \end{array}$$

(31)

$$\begin{array}{cc}\hfill {\delta }_{i,min}^p& \le {\delta }_i^p\le {\delta }_{i,max}^p\hfill \end{array}$$

(32)

where ${\overrightarrow{e}}_{\gamma }^T$ is the vector with value of 1 for the j-th element and 0 for other elements, $\Delta {\overrightarrow{x}}_t$ is the outer variation in the observer state in the upper and lower directions, and $S_i^p$ is the total power injection in phase p (p ∈ set of phases A, B, and C) in node i. $P_i^p$ and $Q_i^p$ are the active and reactive powers, respectively; ${\theta }_{ik}^{pm}$ is the voltage angle difference between the p and m phases; $B_{ik}^{pm}$ and $G_{ik}^{pm}$ are the reactive and real parts of the admittance matrix; $T_i^p$ is a binary variable; $L_i$ is the fixed load; $L_i^{max}$ is the maximum load. For non-equality constraints, $P_{Gi}^{min}$ and $P_{Gi}^{max}$ are the limits of generator real power $P_{Gi}$; $Q_{Gi}^{min}$ and $Q_{Gi}^{max}$ are the limits of generator reactive power $Q_{Gi}$; $I_{i\_j}^p$ and $I_{i\_j,max}^p$ are the line limits; $V_{i,min}^p$ and $V_{i,max}^p$ are the limits of voltage magnitude $V_i^p$; ${\delta }_{i,min}^p$ and ${\delta }_{i,max}^p$ are the limits of voltage angle ${\delta }_i^p$.

Remark 2.

The dual nonlinear optimization problem (23)–(32) is dependent on the state variables in (23) and decision variables in (24)–(32). The optimal detection objective (23) maximizes the normal deviation of all states subject to coordinated FDI attacks. Two types of constraints, i.e., equality and inequality, comprise the operating constraints, power balance constraints, load, and injection constraints. The goal is to maximize the estimation error between the estimated and true states, while taking into account the limitations imposed by the attack vector. This requires consistently solving the dual problem to update the Lagrange multipliers [27] and find the optimal state estimates and attack vectors while guaranteeing convergence to the best solution.

5. Simulation Results and Discussion

The proposed method was tested on the IEEE 13-node test feeder [28]. The algorithm code is accessible to everyone from a GitHub repository [29]. As shown in Figure 4, there are four attack regions, including attack region 1 {611C, 652A, 684AC, 671AC}. attack region 2 {645BC, 646BC}, attack region 3 675ABC, 692AC, 671ABC}, and attack region 4 {650HBC, 650LBC, 632BC, 645BC, 646BC, 633BC, 671BC}. The compromised nodes are 611C, 684AC, 646BC, 675ABC, and 633BC. Accordingly, Table 2 shows the state variables of the IEEE 13-node system in the normal state and attacked state (red). The table represents the steady-state normal measurement states at nodes 646, 645, 632, 611, 633, 684, and 692. We injected false data for voltage and angles at different nodes. The third column highlighted in red presents the compromised voltages and angles at phases A, B, and C.

Figure 4. IEEE 13-node distribution system with coordinated FDI attacks.

Table 2. Attacked states for different nodes of IEEE 13-node system.

State Variable	State (Normal)	State (Attack)
$V_{646}^B$	2.3537/0.9875	2.1785/0.7897
$V_{645}^C$	2.3647/0.9859	2.0746/0.8604
$V_{632}^A$	3.1964/1.1353	3.7656/1.5096
$V_{632}^B$	3.5427/1.1968	3.2463/1.0964
$V_{632}^C$	3.4367/1.1652	3.1232/1.0198
$V_{611}^C$	4.6547/1.4879	4.8965/1.6546
$V_{692}^A$	4.3685/1.4052	4.1785/1.2675
$V_{692}^B$	4.8951/1.4676	4.0879/1.1454
$V_{692}^C$	2.9763/1.0696	2.6786/1.0276
${\theta }_{646}^B$	1.125 deg	1.564 deg
${\theta }_{645}^B$	1.057 deg	0.921 deg
${\theta }_{632}^A$	3.005 deg	3.215 deg
${\theta }_{633}^A$	3.261 deg	3.043 deg
${\theta }_{684}^C$	2.244 deg	2.297 deg
${\theta }_{611}^C$	2.736 deg	2.976 deg
${\theta }_{692}^C$	1.485 deg	1.536 deg

5.1. Estimation Error of Multi-Rate Observer

We inspect the norm of the average power injection estimation error $\left|\right|S-\widehat{S}\left|\right|/\left|\right|S\left|\right|$, as represented in Figure 5. Under coordinated FDI attacks, the error goes to the origin at different values for the prediction correction parameter $\beta$. It is observed that the error converges more quickly to the origin when $\beta =0.1$. But, the blue curve shows larger oscillations. In contrast, when $\beta =0.001$, the yellow curve represents a smoother response. This trend demonstrates a definite trade-off between stability and accuracy in $\beta$ adjustment. Recent research on attack detection and resilient state estimation in power systems has revealed similar results. For example, Liu et al. [30] showed that proper design of control gain and observer gain improves robustness against unknown FDI attacks in microgrids. On the other hand, Lv et al. [31] showed that poor parameter selection can considerably increase estimation errors during cyber attacks.

Figure 5. Average power injection estimation error under coordinated FDI attacks.

Next, we observe the norm of the average voltage estimation error $\left|\right|V-\widehat{V}\left|\right|/\left|\right|V\left|\right|$ under coordinated FDI attacks, which are reported in Figure 6. It is observed that the norm of the average error becomes negative under different parameter value ($\beta$) and maintain to be within a bound ($\le -1$). It is clear that the error gradually decreases, but remains bounded below $-1$. This behavior indicates stability in the presence of coordinated FDI attacks. However, when $\beta =0.1$, the blue curve shows that the error converges more quickly with low oscillations. In contrast, when $\beta =0.001$, the yellow curve shows a smoother trajectory. However, in this case, the response needs more time to settle. According to other recent research [32], transient stability in the face of cyberattacks depends on bounded error convergence. Overall, this result confirms that careful selection of parameters improves robustness of secure control design in a smart grid network.

Figure 6. Average voltage estimation error under coordinated FDI attacks.

5.2. Attack Detection Result

The results of the proposed estimation algorithms are summarized in Table 3. The first column represents active and reactive power at different nodes. The second column shows normal power flow without any attacks, and the third column shows the obtained measurements without any estimation method. By using the proposed algorithms, we found compromised measurements in the fourth column. The differences listed in the fifth column show that the compromised measurements fluctuate more than $25\%$ compared to the normal value. This demonstrates that the combination of a prediction correction algorithm, a multi-rate observer, and an optimization method successfully handles asynchronous measurement as well as detects attacked measurements.

Table 3. Power flow measurements with and without attacks using our proposed method.

Measurement	Power Flow (Normal)	Power Flow (Attack)	Our Method (Attack)	Difference (%)
$P_{684-671}^A$ (kW)	−323.97	−325.36	−416.75	∼29.24
$P_{684-652}^A$ (kW)	−123.81	−126.93	−157.44	∼28.01
$Q_{684-671}^A$ (kVAR)	−216.43	−217.43	−272.43	∼26.76
$Q_{684-652}^A$ (kVAR)	82.84	84.87	105.21	∼27.75
$P_{684-671}^B$ (kW)	−167.83	−167.85	−220.88	∼32.18
$P_{684-611}^C$ (kW)	167.83	167.88	223.84	∼26.54
$Q_{684-671}^B$ (kVAR)	−174.65	−176.43	−234.54	∼34.54
$Q_{684-611}^C$ (kVAR)	−232.56	−236.43	−320.32	∼36.65
$P_{652-684}^A$ (kW)	−102.98	−105.43	−135.54	∼34.28
$P_{671-684}^A$ (kW)	362.54	365.32	482.43	∼34.16
$Q_{652-684}^A$ (kVAR)	−143.54	−144.78	−188.33	∼31.36
$Q_{671-684}^A$ (kVAR)	−158.76	−161.35	208.56	∼32.65
$P_{611-684}^C$ (kW)	168.34	169.56	212.98	∼29.65
$P_{611}^C$ (kW)	121.25	122.25	161.32	∼28.54
$Q_{611-684}^C$ (kVAR)	84.56	87.54	105.64	∼26.44
$Q_{671-684}^C$ (kVAR)	−76.32	−79.84	−96.65	∼27.72
$P_{652}^A$ (kW)	453.45	455.67	580.43	∼31.42
$Q_{652}^A$ (kVAR)	456.76	458.98	574.54	∼26.43
$P_{611}^C$ (kW)	165.34	167.65	221.32	∼32.43
$Q_{611}^C$ (kVAR)	259.24	261.33	339.43	∼31.54
$P_{611-684}^A$ (kW)	1058.43	1061.23	1365.55	∼28.97
$Q_{611-684}^A$ (kVAR)	481.84	483.43	610.87	∼27.54
$P_{671}^C$ (kW)	1047.07	1049.93	1399.01	∼33.62
$Q_{671}^C$ (kVAR)	323.42	224.98	436.617	∼35.21

This trend is further elaborated and demonstrated in Table 4, which shows the estimation of multi-rate asynchronous measurements under coordinated FDI attacks. The first column shows that measurement devices (PMU, SM, and DER) are placed at nodes 650H, 632, 645, 671, 675, 684, 652, and 611. Then, 44 time steps are observed, and power measurements are obtained. At node 650H, PMU measurements are obtained from time step $t_k$ to $t_{k+43}$. At $t_{k+2}$, the active power measurement deviates from the approximate normal value of 182 kW to 236.71 kW. At node 632, smart meter measurements are observed, and the deviations are found from time steps $t_{k+2}$ to $t_{k+41}$. Similarly, at node 675, DER is placed, and a deviation in measurements occurs from time $t_{k+2}-t_{k+41}$, which clearly shows that the measurements are compromised.

Table 4. Power flow measurements at different nodes over time. Red values indicate anomalies detected.

Node	${\mathit{t}}_{\mathit{k}}$	${\mathit{t}}_{\mathit{k}+1}$	${\mathit{t}}_{\mathit{k}+2}$	${\mathit{t}}_{\mathit{k}+3}$	…	${\mathit{t}}_{\mathit{k}+41}$	${\mathit{t}}_{\mathit{k}+42}$	${\mathit{t}}_{\mathit{k}+43}$
650H (PMU)	182.82 kW	182.83 kW	236.71 kW	234.64 kW	…	239.65 kW	182.81 kW	182.82
650L					…
632 (SM)	382.00 kW		488.60 kW		…			382.00
645 (PMU)	−161.48 kW	−161.48 kW	−202.38 kW		…	−161.48 kW	−161.48 kW	−161.48
646					…
633					…
634					…
671 (PMU)	−167.83 kW	−167.82 kW	−216.89 kW	−215.71 kW	…	−167.83 kW	−167.84 kW	−167.82
692					…
675 (DER)		161.75 kW		161.75 kW	…
684 (SM)	123.81 kW			154.70 kW	…		123.81
652 (DER)	82.59 kVAR			104.48 kVAR	…			82.59
611 (PMU)	165.91 kW	165.91 kW	210.80 kW	204.82 kW	…	165.91 kW	165.91 kW	165.91
680					…

The proposed approach is applied to detect coordinated FDI attacks. It is observed that the voltage attack happens at nodes 646, 645, 632, 611, and 692, and the angle attack is launched at nodes 646, 645, 632, 633, 684, 611, and 692, as shown in Table 2. We obtain measurements of falsified data based on the analytical solution of a dual nonlinear minimization problem, which maximizes the deviations of power and voltage. By running the dual nonlinear optimization method, the fluctuation in attacked measurements is clearly shown, where the compromised measurements are usually undetectable without the dual nonlinear minimization approach.

We observe certain limitations in this proposed secure estimation process. First, active distribution system modeling considering asynchronous measurement is difficult in a simulation platform, for example, in the Simulink model with the IEEE 13-bus feeder. Furthermore, a real active distribution system is large and consists of nonlinearity and uncertainty, which are not straightforward to consider in a simulation model. Second, it is quite difficult to validate the proposed controller for a real complex system, considering asynchronous measurements and coordinated cyber attacks because it is challenging to solve a linear minimization problem in real-time implementations.

5.3. Limitations and Future Work

The proposed algorithm is built with a set of well-defined classes that expose clear interfaces for each task, i.e., linear system modeling, asynchronous measurements, and coordinated cyber attacks in the system. Then, a secure observer state is used as the input to the optimization that acts as an attack detector. Such a hypothetical idea for an algorithm has some limitations in terms of modeling, scalability, and data realism. Initially, the algorithm uses a sensor time function to explicitly address heterogeneous sampling. With a multi-rate observer with Lyapunov–Krasovskii guarantees, a prediction step based on the Levenberg–Marquardt algorithm, a corrective step based on the Newton technique, and the asynchronous field behavior are effectively produced in a common simulator, which is challenging. The most important fact is that the real feeder is subject to uncertainty and is large and unbalanced, which are not trivial to encode. Second, the coordinated FDI detector utilizes a dual nonlinear minimization approach that must be solved repeatedly. During multi-device dropouts, larger networks need a time budget for solving constrained issues. Third, even though our research shows that coordinated cyberattacks on voltage magnitudes, angles, and targeted areas on the IEEE-13 feeder can be detected, they still need to be carefully examined and verified using utility-grade datasets.

In future work, we intend to implement three distinct extensions as follows: (i) Scalability and fidelity of physics: We will use full AC power-flow models in place of simplified equivalents. These will feature comprehensive representations of transformers and regulators, including thermal limits and current. The test systems will also be expanded to larger unbalanced feeders, including the IEEE 34-, 37-, and 123-bus networks with distributed energy resources. (ii) Runtime robustness: we will incorporate event-triggered control features with optimization solutions. In addition, we will consider adaptive gains to track operating-point drift, such as load or voltage changes in a power grid. (iii) Data-driven resilience and validation: To provide defense-in-depth against coordinated cyber attacks, we will utilize estimation residuals with cyber logs. The multifaceted operation for adversarial and missing data is performed using distributionally resilient optimization techniques. Tests in the field and with hardware-in-the-loop will be used to assess false-alarm trade-offs, ROC/AUC performance, and latency. Creating a deployable pipeline for secure state estimation in the presence of asynchronous and multi-rate measurements is the objective.

6. Conclusions

This paper proposes a secure state estimation design with asynchronous measurements for active distribution systems, considering coordinated FDI attacks. The estimator is developed with a combination of a multi-rate observer, along with a sensor time function and a prediction correction algorithm. The proposed approach has two attractive characteristics: (1) the approach manages asynchronous measurements in a distribution network, and (2) the detection unit of this proposed framework uses a dual nonlinear optimization method to perform coordinated FDI attack detection. The case study shows that this double estimation (prediction correction and observer) approach can provide secure estimation results. Overall, the proposed estimation process includes two important features, i.e., integrating a multi-rate observer with a prediction correction method. The predictor phase utilizes the Levenberg–Marquardt algorithm to make robust estimations in the presence of coordinated FDI attacks. In addition, the corrector phase refines estimates with Newton’s method to facilitate the prediction of the near-true value of asynchronous measurements. Finally, the secure estimator approach is validated with the IEEE 13-bus feeder, considering bounded sampling intervals and a coordinated FDI attack model.

Future work could be extend to systems larger than 13 busses, for instance, the IEEE 34-bus distribution system with voltage regulators. An unbalanced IEEE 37-bus test feeder could be used with DER integration and cyber attack studies. In addition, considering unbalanced loading with power, impedance, and current, we could utilize a 123-bus feeder to evaluate real-time performance. Furthermore, to improve robustness, observers could utilize a learning-based approach, for example, physics-informed learning that can learn both Kirchhoff’s laws and data measurements.