Optimized Defense Resource Allocation for Coupled Power-Transportation Networks Considering Information Security

Abstract

Electric vehicle charging stations (EVCSs) are critical interfaces between urban mobility and distribution grids and are increasingly exposed to false data that can mislead operations and degrade voltage quality. This study proposes a defense-planning framework that models how cyber manipulation propagates to physical impacts in a coupled transport–power system. The interaction is modeled as a tri-level defender–attacker–operator problem in which a defender hardens a subset of charging stations, an attacker forges measurements and demand, and an operator redispatches resources to keep the system secure. We solve this problem with a method that embeds corrective operation into the evaluation and uses improved implicit enumeration (IIE) with pruning to identify a small set of high-value stations to protect with far fewer trials than an exhaustive search. On a benchmark feeder coupled to a road network, protecting a few traffic-critical stations restores compliance with voltage limits under tested attack levels while requiring roughly an order of magnitude fewer evaluations than complete enumeration. Sensitivity analysis shows that the loss of reactive power from PV inverters (PV VARs) harms voltage profiles more than an equivalent reduction in distributed storage, indicating that maintaining local reactive capability reduces the number of stations that must be hardened to meet a given voltage target. These results guide utilities and city planners to prioritize protection at traffic-critical EVCSs and co-plan local Volt/VAR capability, achieving code-compliant voltage quality under adversarial conditions with markedly lower planning effort.

1. Introduction

EVCSs sit at the interface of transportation and distribution networks; they coordinate and control the load scheduling and energy management via real-time telemetry and control, but this information and communication technology reliance also makes them prime targets for cyberattacks [1,2,3,4,5].

Prior work examines multiple attack vectors against EV charging infrastructures. Refs. [6,7,8] analyze security protocols for authentication, privacy, and billing between EVs and charging stations; Ref. [9] compares defenses against denial-of-service attacks; and Refs. [10,11,12,13,14] develop deep reinforcement learning methods for detecting false-data-injection attacks (FDIAs) on EVCS. Beyond data theft, attacks can manipulate charging and discharging behavior and thereby affect grid operations [15]. For example, Refs. [16,17] show that rapid switching at charging stations can induce inter-area low-frequency oscillations, potentially precipitating generator trips and cascading failures. Ref. [18] demonstrates botnet-driven load-altering attacks that aggregate megawatt-level charging demand, while Ref. [19] shows that phishing via text messages can concentrate charging and cause a supply–demand imbalance. Ref. [20] reports market manipulation by falsifying demand forecasts; Ref. [21] presents a comprehensive analysis of FDIA impacts on distribution system stability; Ref. [22] proposes a real-time, data-driven active-defense framework for false-data mitigation in power cyber-physical systems. For broader context and terminology, see recent surveys of cyberattacks and defenses in EV ecosystems [23] and system-theoretic views of cyber-physical attacks in smart grids [24].

However, much of this literature remains attack-centric: it stresses disruptive effects yet often omits the operator’s endogenous corrective dispatch when quantifying physical consequences, which can overstate risk. Conversely, when planning or coupling studies, uncoordinated distributions of EV charging loads and traffic flows in coupled transport–power systems [25] often model siting/sizing or transport–power interactions without an explicit security layer, offering limited guidance on where to invest scarce protection resources. Relying solely on post-attack corrective actions is therefore insufficient; proactive defense resource allocation prior to attacks is critical for secure and stable operation.

Defense-oriented formulations have emerged in recent years; for example, Bayesian adaptive risk-assessment frameworks for allocating cyber defenses under resource constraints [26]; tri-level defense–attack–defense (DAD) models for substations [27,28,29]; cyber-physical attack–defense games with hierarchical defense policies [30,31]; and bi-level cyber-defense optimization with alternative equilibrium models [32]. Yet these strands pay limited attention to distribution networks with large-scale EV integration and to EVCS-centric transport–power coupling, where traffic-driven charging demand co-evolves with grid physics, including intercity highway charging-network planning under time-expanded user equilibriums [33].

Recent studies further clarify the landscape and help position our contribution. Refs. [34,35] formulate a tri-level DAD model for grid-side resource allocation; while methodologically related, they targets bulk-system generation/protection and do not preserve EVCS-driven transport–power coupling or distribution-level voltage-quality tracking. Ref. [36] focuses on frequency stability under FDIAs and proposes defense policies; our scope is steady-state voltage quality under EVCS-centric threats, with frequency-oriented extensions left for future work. Ref. [37] provides broader context by systematizing charger-side threats, defense mechanisms, and available datasets for EV charging systems.

In addition, Ref. [38] addresses protection-layer coordination against relay-setting manipulation but does not explicitly include EVCS-driven coupling or voltage-quality metrics; Ref. [39] studies resilience via line hardening and communication routing under renewable/communication constraints, without allocating defenses for EVCS-centric FDIAs or linking outcomes to voltage quality; Ref. [40] analyzes mobility-platform vulnerabilities with city-scale data and is attack/impact-centric rather than defense-allocation oriented; Ref. [41] models EV-side false data that bias demand/market signals in distribution systems, typically without an endogenous corrective-dispatch layer or defense-planning stage; and Ref. [42] probes attacks on reinforcement-learning-based charging coordination and proposes a countermeasure, but does not provide a joint defense–attack–correction (DAC) optimization with transport–power coupling or distribution-level voltage-quality tracking.

We develop an operation-aware, defense-oriented framework for EVCS-centric FDIAs that keep transport–power coupling explicit, unifies defense, attack, and corrective operation, and offers a like-for-like baseline against complete enumeration under identical settings, achieving the same solution quality with roughly an order of magnitude fewer evaluations of candidate hardening sets.

The present study contributes the following key innovations:

(1)

We formulated a tri-level DAC model as a Stackelberg game, casting cybersecurity planning in coupled transport–power networks as multi-agent sequential decision-making.

(2)

We designed a hybrid KKT-reduced solution framework that combines KKT optimality conditions with IIE to tackle the computational challenges of tri-level optimization.

(3)

We adopted three evaluation metrics—maximum voltage deviation (MVD), root-mean-square (RMS) voltage deviation, and voltage qualification rate (VQR)—to quantify the synergy between defense allocation and corrective operation, with effectiveness validated in simulation studies.

2. A Tri-Level Defense–Attack–Correction Optimization Formulation in a Stackelberg Framework

This paper adopts a Stackelberg game framework to characterize the sequential decision-making of the defender, the attacker, and the system operator (scheduling center), as illustrated in Figure 1. The hallmark of this framework is its sequential structure and information asymmetry: the defender acts as the leader, anticipating the attacker’s best response, while the attacker plays the follower.

As the Stackelberg leader, the defender strategically allocates scarce protection resources to harden critical nodes, such as EV charging stations, so that EV charging behavior cannot be manipulated by adversaries. These resources include software-based protection and financial budgets, among others.

As the follower, the attacker selects targets and devises attack strategies subject to its own resource constraints, which may include technical expertise, network access rights, and financial capital.

When an FDIA occurs, the system operator performs corrective dispatch based on the current operating state, adjusting PV and DESS outputs, among other controls, to stabilize bus voltages and ensure secure system operation.

3. Formulation

3.1. Objective

The decision problems of the defender, the attacker, and the scheduling center have the same objective function, and the objective function of the optimal allocation model of distribution network defense resources for charging information security can be expressed as follows:

$$\underset{d}{min}\underset{a}{max}\underset{w}{min}\sum _{i\in B}{\left(V_i-V_{ref}\right)}^2,$$

(1)

where $d$, $a,$ and $w$ denote the decision variables of the defender, the attacker, and the scheduling center in turn, with the node voltage offset as the optimization objective, $V_i$ denotes the voltage square of grid node $i$, and $V_{ref}$ is the node reference voltage.

3.2. Constraints

The limited network protection resources used by the defender to exert can be expressed as follows:

$$\sum _{k\in K}{\zeta }_k\le K_{\zeta },$$

(2)

where constraint (2) is the defense resource budget constraint. ζ_k is a 0–1 variable indicating whether charging station $k$ is protected or not, when ζ_k = 1, then the charging station is protected, and $K_{\zeta }$ represents the defense resource budget.

The optimization model for mid-level attack can be specified as follows:

$$\sum _{k\in K}{\psi }_k\le K_{\psi },$$

(3)

$$a_k={\psi }_k(1-{\xi }_k),$$

(4)

$${\tilde{P}}_{p,w,k}^{EV}=P_{p,w,k}^{EV}+\Delta P_k^{EV}\cdot a_k, \forall p,w$$

(5)

$$\sum _{k\in K}\Delta P_k^{EV}=0,$$

(6)

$$-P_{max}^{pile}\le {\tilde{P}}_{p,w,k}^{EV}\le P_{max}^{pile},$$

(7)

$${\tilde{P}}_k^{EV}=\sum _{w\in W}\sum _{p\in p^w}{f}_{p,w}\cdot {\tilde{P}}_{p,w,k}^{EV},$$

(8)

where constraint (3) is the attack resource budget constraint, ${\psi }_k$ is a 0–1 variable indicating whether charging station $k$ is attacked or not, when ${\psi }_k=1$ then the charging station is attacked; constraint (4) represents the interaction between the defender and the attacker, $a_k$ denotes the security status of the charging station at node $k$, where $a_k=1$ indicates an insecure station and $a_k=0$ indicates a secure station; and ${\tilde{P}}_{p,w,k}^{EV}$ denotes the charging/discharging power of the EVs on path $p$ for origin–destination (O-D) pair $w$ at station $k$ under attack. A negative value indicates discharging to the grid via vehicle-to-grid (V2G), whereas a positive value indicates charging. The parameter $P_{max}^{pile}$ is the charging maximum power maximum charging power of a single charger. ${\tilde{P}}_k^{EV}$ denotes the aggregate power at charging station $k$. The path flow $f_{p,w}$ for O-D pair $w$ is computed by the user-equilibrium traffic assignment (UE-TAP) model.

The lower-level scheduling center optimization model can be specified as follows:

$$P_i+P_i^G+P_i^{Sub}+P_i^{PV}=P_i^{In}+{\tilde{P}}_i^{EV}+P_i^{ES},i\in B,$$

(9)

$$Q_i+Q_i^{Sub}+Q_i^{PV}=\left[P_i^{In}+{\tilde{P}}_i^{EV}+P_i^{ES}\right]\mathit{tan}({\theta }_i),i\in B,$$

(10)

$$P_i=\sum _{ji\in {\Omega }_{Line}}{P}_{ji}-\sum _{ih\in {\Omega }_{Line}}{P}_{ih},$$

(11)

$$Q_i=\sum _{ji\in {\Omega }_{Line}}{Q}_{ji}-\sum _{ih\in {\Omega }_{Line}}{Q}_{ih},$$

(12)

$$-P_{ij,max}\le P_{ij}\le P_{ij,max},\forall ij\in L,$$

(13)

$$-Q_{ij,max}\le Q_{ij}\le Q_{ij,max},\forall ij\in L,$$

(14)

$$V_j-V_i+2\left(R_{ij}{P}_{ij}+X_{ij}{Q}_{ij}\right)=0,ij\in L,$$

(15)

$$V_{ref}=1,$$

(16)

where constraints (8) and (9) denote the node active–reactive power balance and $P_i^{In}$ denotes the base load of node $i$. $P_i^{ES}$ denotes the power of DESS (charging if $P_i^{ES}>0$, discharging otherwise); ${\theta }_i$ is the power-factor angle; and $P_i$ and $Q_i$ are the active and reactive injected power at node $i$, respectively. Constraints (11)–(14) denote the power-flow constraints, and $P_{ij}$ and $Q_{ij}$ are the active and reactive power flows on line $ij$; $P_{ij,max}$ and $Q_{ij,max}$ are the maximum active and reactive power limits of line $ij$; $R_{ij}$ and $X_{ij}$ are the resistance and reactance of line $ij$; $P_i^{sub}$ and $Q_i^{sub}$ are the active and reactive power transferred from the upstream grid to the distribution grid through the transformer; $P_i^{PV}$ and $Q_i^{PV}$ are the active and reactive power generated by the photovoltaic (PV); and $P_{i,t}^G$ is the power output of distributed generators in the distribution grid. Constraints (15) and (16) enforce the nodal voltage constraints. $V_i$ is the voltage magnitude at node $i$ and $V_{ref}$ is the reference voltage.

$$P_{g,min}^G\le P_g^G\le P_{g,max}^G,\forall g\in G,$$

(17)

$$0\le P_s^{PV}\le P_{s,max}^{PV},\forall s\in S,$$

(18)

$$-Q_{s,max}^{PV}\le Q_s^{PV}\le Q_{s,max}^{PV},\forall s\in S,$$

(19)

$$0\le P_u^{sub}\le P_{u,max}^{sub},\forall u\in U,$$

(20)

$$0\le Q_u^{sub}\le Q_{u,max}^{sub}, \forall u\in U,$$

(21)

$$-P_{e,dmax}^{ES}\le P_e^{ESch}\le P_{e,cmax}^{ES},\forall e\in E,$$

(22)

$$P_{e,dmax}^{ES}=min({\displaystyle \frac{E_{e,0}^{ES}-E_{e,min}^{ES}}{\Delta t}},P_{e,max}^{ES}),\forall e\in E,$$

(23)

$$P_{e,cmax}^{ES}=min\left({\displaystyle \frac{E_{e,max}^{ES}-E_{e,0}^{ES}}{\Delta t}},P_{e,max}^{ES}\right),\forall e\in E,$$

(24)

where constraint (17) enforces the upper and lower bounds on microgenerator output; $G$ denotes the set of microgenerator buses; and $P_{g,max}^G$ and $P_{g,min}^G$ denote the upper and lower bounds for microgenerator $g$. Constraints (18) and (19) enforce the upper and lower bound on PV active and reactive outputs; $S$ denotes the set of PV installation buses; and $P_{s,max}^{PV}$ and $Q_{s,max}^{PV}$ denote maximum PV active and reactive power outputs. $U$ denotes the transformer node, and constraints (20) and (21) denote the power-transfer constraints with the upstream grid through the transformer; $P_{u,max}^{sub}$ and $Q_{u,max}^{sub}$ denote the maximum active and reactive power transferred from the upstream grid; $E$ denotes the set of DESS installation buses; constraints (22)–(24) specify the DESS operating constraints; and $P_{e,dmax}^{ES}$ and $P_{e,cmax}^{ES}$ denote the maximum discharging and charging power of the DESS, which depend on the storage capacity and rated power.

In summary, the optimal allocation model of distribution-network defense resources for EV-charging information security can be expressed as follows:

$$\begin{gathered} \underset{d}{min}\underset{a}{max}\underset{w}{min}\sum _{i\in B}{\left(V_i-V_{ref}\right)}^2 \\ s.t.\left(3\right),\left(5\right)-\left(34\right) \end{gathered}$$

(25)

4. Model Solution Method

4.1. Construction of the Bi-Level Optimization Model

To solve the proposed tri-level defense–attack–correction problem involving the defender, attacker, and system operator (scheduling center), we adopt an implicit enumeration approach. The problem is first reformulated as a bi-level mixed-integer program (MIP) between the attacker and defender. Because the lowest-tier operator’s optimization is convex, its KKT optimality conditions are used to equivalently replace the operator subproblem, embedding corrective dispatch into the attacker level and yielding a single inner optimization. The resulting bi-level MIP can thus be represented as follows:

$$\underset{{\psi }_k,\Delta P_k^{EV}}{max}\underset{P_i^G,P_i^{Sub},P_i^{PV},P_i^{ES}}{min}\eta$$

(26)

$$\begin{gathered} s.t. \eta ={\sum }_{i\in B}{\left(V_i-1\right)}^2 \\ {a}_k={\psi }_k(1-{\widehat{\xi }}_k) \\ s.t.\left(7\right)-\left(34\right) \end{gathered}$$

(27)

where ${\widehat{\xi }}_k$ is the defense strategy derived from the upper-level optimization problem.

Using the KKT conditions, the middle-level and lower-level optimization models are transformed into a single-level optimization model for the solution. The equivalent inner decision problem can be expressed as follows:

$$\underset{a,w}{max}\sum _{i\in B}{\left(V_i-1\right)}^2$$

(28)

In addition to the attacker’s constraints, the equivalent inner decision problem must include the KKT conditions of the lower-level scheduling center’s minimization problem. The KKT conditions include the gradient conditions, complementary slackness, and dual feasibility.

The gradient conditions are as follows:

$$\left\{\begin{array}{c}{\displaystyle \frac{\partial L}{\partial P_e^{ES}}}=-{\lambda }_e-{\nu }_{e}tan({\theta }_e)-{\alpha }_e^{Pes}+{\beta }_e^{Pes}=0,e\in E\hfill \\ {\displaystyle \frac{\partial L}{\partial P_g^G}}={\lambda }_g-{\alpha }_g^G+{\beta }_g^G=0,g\in G\hfill \\ {\displaystyle \frac{\partial L}{\partial P_s^{PV}}}={\lambda }_s-{\alpha }_s^{Ppv}+{\beta }_s^{Ppv}=0,s\in S\hfill \\ {\displaystyle \frac{\partial L}{\partial Q_s^{PV}}}={\nu }_s-{\alpha }_s^{Qpv}+{\beta }_s^{Qpv}=0,s\in S\hfill \\ {\displaystyle \frac{\partial L}{\partial P_u^{sub}}}={\lambda }_u-{\alpha }_u^{Psub}+{\beta }_u^{Psub}=0,u\in U\hfill \\ {\displaystyle \frac{\partial L}{\partial Q_u^{sub}}}={\nu }_u-{\alpha }_u^{Qsub}+{\beta }_u^{Qsub}=0,u\in U\hfill \\ {\displaystyle \frac{\partial L}{\partial P_{ij}}}={\lambda }_j-{\lambda }_i+2{\mu }_{ij}{R}_{ij}-{\alpha }_{ij}^{Pline}+{\beta }_{ij}^{Pline}=0,ij\in L\hfill \\ {\displaystyle \frac{\partial L}{\partial Q_{ij}}}={\nu }_j-{\nu }_j+2{\mu }_{ij}{X}_{ij}-{\alpha }_{ij}^{Qline}+{\beta }_{ij}^{Qline}=0,ij\in L\hfill \\ {\displaystyle \frac{\partial L}{\partial V_i}}=2V_i-2-{\displaystyle \sum _{(i,j)\in L}}{\mu }_{ij}+{\displaystyle \sum _{(k,j)\in L}}{\mu }_{k,i}=0,i\ne 0\hfill \end{array}\right.$$

(29)

The complementary slackness conditions are as follows:

$$\left\{\begin{array}{c}{\alpha }_g^G\left(P_{g,min}^G-P_g^G\right)=0, {\beta }_g^G\left(P_g^G-P_{g,max}^G\right)=0\hfill \\ {\alpha }_{ij}^{Pline}\left(-P_{ij,max}-P_{ij}\right)=0, {\beta }_{ij}^{Pline}\left(P_{ij}-P_{ij,max}\right)=0\hfill \\ {\alpha }_{ij}^{Qline}\left(-Q_{ij,max}-Q_{ij}\right)=0, {\beta }_{ij}^{Qline}\left(Q_{ij}-Q_{ij,max}\right)=0\hfill \\ {\alpha }_s^{Ppv}\left(0-P_s^{PV}\right)=0, {\beta }_s^{Ppv}\left(P_s^{PV}-P_{s,max}^{PV}\right)=0\hfill \\ {\alpha }_s^{Qpv}\left(-Q_{s,max}^{PV}-Q_s^{PV}\right)=0, {\beta }_s^{Qpv}\left(Q_s^{PV}-Q_{s,max}^{PV}\right)=0\hfill \\ {\alpha }_e^{Pes}\left(-P_{e,dmax}^{ES}-P_e^{ES}\right)=0, {\beta }_e^{Pes}\left(P_e^{ES}-P_{e,cmax}^{ES}\right)=0\hfill \\ {\alpha }^{Psub}\left(0-P^{sub}\right)=0, {\beta }^{Psub}\left(P^{sub}-P_{sub}^{max}\right)=0\hfill \\ {\alpha }^{Qsub}\left(0-Q^{sub}\right)=0, {\beta }^{Qsub}\left(Q^{sub}-Q_{sub}^{max}\right)=0\hfill \end{array}\right.$$

(30)

The dual feasibility conditions are as follows:

$$\begin{gathered} {\alpha }_i^V,{\beta }_i^V,{\alpha }_g^G,{\beta }_g^G,{\alpha }_{ij}^{Pline},{\beta }_{ij}^{Pline},{\alpha }_{ij}^{Qline},{\beta }_{ij}^{Qline},{\alpha }_s^{Ppv},{\beta }_s^{Ppv}, \\ {\alpha }_s^{Qpv},{\beta }_s^{Qpv},{\alpha }_{\phi }^{Pes},{\beta }_{\phi }^{Pes},{\alpha }^{Psub},{\beta }^{Psub},{\alpha }^{Qsub},{\beta }^{Qsub}\ge 0 \end{gathered}$$

(31)

Among them, ${\lambda }_i$,${\nu }_{\mathrm{i}},$ and ${\mu }_{ij}$ are the Lagrange multipliers corresponding to the equality constraint. ${\alpha }_g^G,{\beta }_g^G,{\alpha }_{ij}^{Pline},{\beta }_{ij}^{Pline},{\alpha }_{ij}^{Qline},{\beta }_{ij}^{Qline},{\alpha }_s^{Ppv},{\beta }_s^{Ppv},{\alpha }_s^{Qpv},{\beta }_s^{Qpv},{\alpha }_{\phi }^{Pes},{\beta }_{\phi }^{Pes},{\alpha }^{Psub}$, ${\beta }^{Psub},{\alpha }^{Qsub},\mathrm{a}\mathrm{n}\mathrm{d} {\beta }^{Qsub}$ denote the Lagrangian multipliers corresponding to the inequality constraints.

The defense–attack–operation process is sequential and information-asymmetric. The defender commits a protection $d$ before an attack; the attacker observes $d$ and chooses an FDIA $a$ subject to a budget; the scheduling center then reacts optimally via a corrective dispatch $w$ that determines the voltage-quality objective (e.g., node-voltage offsets $V_i-V_{ref}$). This timing corresponds to a Stackelberg game with the defender as the leader, the attacker as follower, and the operator as a terminal optimizer. Writing the operator’s problem as a value function

$$\mathsf{\Phi }\left(d,a\right)=\underset{w}{\min }\{C\left(w;d,a\right):G\left(w;d,a\right)\le 0\}$$

(32)

keeps the physical linkage from cyber decisions $(d, a)$ to distribution-level voltage outcomes $(V_i$, $V_{ref}$) explicit. Relative to a bi-level robust form ${\mathrm{m}\mathrm{i}\mathrm{n}}_{d}ma{x}_a$ $f(d, a)$ that treats the operator implicitly, the Stackelberg structure mitigates potential risk overestimation by recognizing the operator’s endogenous redispatch, $w$. Compared with stochastic programming, which models exogenous randomness via probability distributions, the Stackelberg game captures a strategic attacker best-responding to $d$. We assume a conservative (attacker-favorable) selection among multiple follower optima. The convexity of the operator’s problem enables the KKT-based reduction used next.

4.2. Solution Method Based on the Improved Implicit Enumeration Algorithm

The multi-level optimization in Equation (25) has a hierarchical, nonlinear structure that is expensive to solve directly. Column-and-Constraint Generation (C&CG) is a common baseline because it can decompose complex constraints and typically uses modest memory; however, its convergence hinges on well-designed generation rules. Poorly chosen columns and constraints can lead to slow or stalled convergence, and for nonconvex structures, the method may be trapped in local optima in high-dimensional settings. Motivated by these limitations and by the structure of our problem, we adopt a KKT-reduced inner evaluator combined with an IIE outer search for the defense decision.

Figure 2 summarizes the full pipeline. The transport block iterates path generation and UE-TAP until O-D travel costs stabilize, yielding path flows and EVCS charging demand. These demands feed the power/distribution block, where the defender chooses $B$ EVCSs to protect, the attacker selects FDIA actions under a budget, and the operator performs corrective dispatch. The inner “attack + correction” stack is reduced via KKT optimality to a single-level mixed-integer quadratic programming (MIQP) evaluator, $\Phi (d$) that returns the operation-aware objective for any defended set $d$. In what follows, one outer evaluation denoted one call to this KKT-reduced evaluator with fixed data and solver tolerances.

Let $D\ast$ denote an optimal defended EVCS set and $\Lambda$ the set of EVCS that would be attacked if no defenses were deployed (the worst-case attack under zero defense). Then, $D^{*}\cap \Lambda \ne \varnothing$. Intuitively, if the defender protected none of the stations targeted in the zero-defense worst-case, the attacker could still realize the same worst-case damage, contradicting optimality of the defense. This property informs the branching order and early feasible completions in IIE.

Complete enumeration (CE) evaluates all $\left({\displaystyle \genfrac{}{}{0pt}{}{N}{B}}\right)$ size-$B$ subsets among N candidates, i.e., $O\left(\left({\displaystyle \genfrac{}{}{0pt}{}{N}{B}}\right)\right)$ outer evaluations (upper-bounded by $\mathrm{O}\left(2^{\mathrm{N}}\right)$); for a fixed $B$, it grows as $O\left(N^B\right)$. IIE preserves the same inner evaluator as CE but prunes large portions of the search space using bounds and feasibility checks, yielding the same or better solution quality in our tests with far fewer outer evaluations.

Figure 3 depicts the outer search for defense allocation: the algorithm maintains an incumbent defense set $\widehat{S}$ and iteratively refines it by scoring remaining candidates with the inner optimization model.

Step 1: Define the candidate set for defense allocation, $S$ and the budget, $K_{\xi }$. Initialize the optimal set as $\widehat{S}=\mathrm{\varnothing }$, and the counter $k=1$.

Step 2: Based on the current candidate set $S$, initialize a trial allocation (or enumerate candidates) for evaluation.

Step 3: Using the inner optimization model, iterate over nodes in $S$ and evaluate their defense effectiveness. If a node, $i$, yields the smallest inner objective, add it to the optimal set $\widehat{S}$, remove it from $S$, updating $k=k+1$.

Step 4: If $k\le K_{\xi }$ and $S\ne \mathrm{\varnothing }$, return to Step 2. Otherwise, output the optimal defense resource allocation set $\widehat{S}$.

4.3. Node Voltage Evaluation Index

We assessed steady-state voltage quality at the distribution level using three complementary metrics that align with common utility/grid-code practices (band-based compliance at customer nodes). Let $V_i$ denote the squared voltage magnitude at node i (as in our model) and $V_{ref}$ the nominal reference.

• Maximum Node Voltage Deviation.

The maximum node voltage deviation reflects the imbalance in voltage distribution across the system and is expressed as follows:

$$\Delta V_{max}=V_{max}-V_{min}$$

(33)

where $V_{max}$ and $V_{min}$ represent the maximum and minimum node voltages, respectively. This index captures the feeder-wide voltage spread after an attack and corrective dispatch, reflecting how unbalanced the nodal voltages remain. It corresponds to the standard practice of checking the worst-case voltage range across buses against admissible service bands in distribution networks.

2.

Root Mean Square (RMS) of Node Voltage Deviation.

The RMS of voltage deviation measures the overall dispersion of voltage levels, providing insight into system voltage stability. It is calculated as follows:

$$V_{RMS}=\sqrt{{\displaystyle \frac{1}{N}}\sum _{i=1}^N{\left(V_i-V_{ref}\right)}^2}$$

(34)

where $N$ is the total number of nodes and $V_{ref}$ denotes the reference node voltage. This index aggregates system-wide voltage departures from nominal conditions and is aligned with RMS/mean-square measures commonly used in power-quality reporting to summarize overall steady-state voltage performance.

3.

Bus-Voltage Qualification Rate (VQR).

The VQR quantifies the proportion of monitored buses operating within the allowable voltage range and is defined as follows:

$${VQR=\gamma }_{qlf}={\displaystyle \frac{N_{qlf}}{N}}\times 100\%$$

(35)

where $N_{qlf}$ is the number of buses satisfying the voltage limits and $N$ is the total number of monitored buses in the distribution grid ($N=18$ in this study: 17 load buses + feeder-head/substation bus).

This index directly quantifies service compliance, i.e., the share of customers operating within prescribed steady-state limits, which is a standard compliance-style indicator in distribution practice.

Taken together, $\Delta V_{max}$ characterizes the extreme spread of node voltages across the feeder, $V_{RMS}$ quantifies the aggregate severity of departures from the nominal level, and ${\gamma }_{qlf}$ indicates the proportion of customer nodes within the admissible steady-state band. This set is minimal and non-redundant for the study of steady-state voltage resilience under EVCS-centric false-data attacks with endogenous corrective dispatch, because it captures localized extremes, system-wide stress, and service compliance. Indices designed for collapsed margins or dynamic behavior, such as voltage-stability margins and frequency-related measures, address different phenomena and are complementary; they can be incorporated when the objective extends beyond steady-state voltage quality.

5. Case Study

5.1. Parameter Settings for the Case Study

A 17-bus, 35 kV distribution feeder and a 12-node transportation network are used to validate the proposed defense-resource-allocation model. The distribution system includes DESS, PV units, and distributed generators. The two networks are coupled via an EVCS: at each coupled location, both conventional chargers and V2G-enabled chargers are available, enabling bidirectional energy exchange between EVs and the distribution grid. Figure 4 illustrates the network topology, DER placements, and EVCS couplings, while

Table 1. EVCS-based mapping between transportation nodes and distribution buses.

Transportation Node	Distribution Bus	Transportation Node	Distribution Bus
1	1	7	7
2	15	8	10
3	17	9	11
4	9	10	12
5	3	11	13
6	5	12	14

summarizes the one-to-one mapping between transportation nodes and distribution buses.

5.2. Analysis of Defense Resource Allocation Effectiveness

Defense resource allocation is evaluated during peak travel periods and low-renewable output conditions. Station-level charging/discharging profiles at these times are computed via the UE-TAP model, as described in the cited reference, and the resulting power distribution is shown in Figure 5.

Table 2. Defense resource allocation results.

Defense Resource Budget	Protected EVCS	Attacked EVCS	MVD (p.u.)	RMS (p.u.)	VQR
1	4	1, 7, 8, 10, 11, 12	0.1006	0.0439	61.11%
2	4, 11	1, 6, 7, 8, 10, 12	0.0948	0.0423	66.67%
3	4, 7, 11	1, 6, 8, 9, 10, 12	0.0897	0.0390	77.78%
4	4, 7, 10, 11	1, 2, 3, 6, 9, 12	0.0787	0.0354	100.00%

reports the optimal defense strategy together with the node-level MVD, RMS voltage deviation, and VQR for a defense budget $K_{\psi }=6$. With $K_{\psi }=6$, protecting transportation nodes 4 and 11 yields an MVD of 0.0948 p.u., an RMS voltage deviation of 0.0423 p.u., and a VQR of 66.67%. Under this configuration, the attacker’s best response targets nodes 1, 6, 7, 8, 10, and 12.

As the defense budget increases, more key nodes are hardened, voltage deviations under attack decline, and overall system stability improves. In our tests, the MVD decreases from 0.1006 p.u. to 0.0787 p.u., while the RMS voltage deviation drops from 0.0439 p.u. to 0.0354 p.u. In the base case, a budget of $K_{\psi }=4$ achieves VQR = 100%, indicating that the network can fully withstand the tested attacks.

From a defense strategy perspective, the selection of critical hub nodes is decisive for robustness. The configuration protecting nodes 4, 7, 10, and 11 effectively reduces node-voltage deviations and enhances overall stability. Conversely, when defense resources are scarce, some critical nodes remain unprotected, leading to larger deviations and a lower VQR. This further confirms the value of prioritizing hub nodes in defense allocation.

Figure 6 illustrates the distribution of bus-voltage magnitudes under different defense budgets. The gray band denotes the safe-operating region, with a lower bound of 0.9025 p.u. When the defense budget is one, several buses remain below the bound, for example, node 12 at 0.8667 p.u. and node 6 at 0.8959 p.u., indicating that, under a low budget, attacks still cause substantial voltage degradation and some buses cannot be maintained within the safe range. As the budget increases, the number of violations decreases. With a budget of two, some buses recover (e.g., node 12 rises to 0.9001 p.u.) but still fall short of the safe-operating region, showing that added resources improve robustness but do not yet achieve full resilience. When the budget reaches four, node 3 rises to 0.9413 p.u., node 6 to 0.9167 p.u., and node 12 to 0.9033 p.u.; all buses are then within the safe range and no violations remain.

Quantitatively, as the defense budget increases, the MVD decreases from 0.1006 p.u. to 0.0787 p.u. (−21.77%), and the RMS voltage deviation decreases from 0.0439 p.u. to 0.0354 p.u. (−19.36%). These results demonstrate that defense-resource allocation significantly enhances system stability by reducing boundary violations and improving distribution-network security.

5.3. Analysis of the Impact of DESS and PV on Defense Resource Allocation

To quantify the corrective effect of the lower-level system operator (scheduling center) when re-dispatching DESS and PV under the attacker’s FDIA, and to further verify the need to plan DESS/PV in the distribution network, we examine the scenarios in

Table 3. Research S = scenarios.

Scenario Number	DESS	PV
1	√	√
2	√	50% Reduction
3	50% Reduction	√

. Scenario 1 is the benchmark (optimal) case. Scenario 2 reduces installed PV capacity by 50% relative to Scenario 1. Scenario 3 reduces installed DESS capacity by 50% relative to Scenario 1.

Analysis is conducted under the scenario of the attack resource budget $K_{\psi }=8$, and the resulting defense resource allocation for each scenario is presented in

Table 4. Defense resource allocation results in Scenario 1.

Defense Resource Budget	Protected EVCS	MVD (p.u.)	RMS (p.u.)	VQR
1	4	0.1050	0.0462	55.56%
2	4, 11	0.0947	0.0435	50.00%
3	4, 7, 11	0.0891	0.0392	83.33%
4	4, 7, 10, 11	0.0793	0.0356	100.00%

,

Table 5. Defense resource allocation results in Scenario 2.

Defense Resource Budget	Protected EVCS	MVD (p.u.)	RMS (p.u.)	VQR
1	4	0.1101	0.0489	55.56%
2	4, 11	0.0967	0.0464	55.56%
3	4, 7, 11	0.0955	0.0430	55.56%
4	4, 7, 10, 11	0.0884	0.0392	77.78%
5	4, 6, 7, 10, 11	0.0818	0.0369	83.33%
6	4, 6, 7, 9, 10, 11	0.0767	0.0341	100%

and

Table 6. Defense resource allocation results in Scenario 3.

Defense Resource Budget	Protected EVCS	MVD (p.u.)	RMS (p.u.)	VQR
1	4	0.1083	0.0474	55.56%
2	4, 11	0.0957	0.0449	55.56%
3	4, 7, 11	0.0931	0.0409	61.11%
4	4, 7, 10, 11	0.0842	0.0374	88.88%
5	4, 6, 7, 10, 11	0.0789	0.0352	100.00%

.

Across the scenarios, when installed PV and DESS capacities are sufficient, hardening only four key EVCS nodes is enough to achieve VQR = 100%. When PV capacity is insufficient (Scenario 2), the defense budget required to reach VQR = 100% increases by 50% relative to Scenario 1, indicating a pronounced loss of voltage support. This is because PV inverters supply both active power and local reactive power; reducing PV capacity simultaneously diminishes $P$ and VAR support, especially at voltage-sensitive buses, thereby degrading voltage stability.

Node-voltage profiles for Scenarios 1–3 are shown in Figure 7, Figure 8 and Figure 9.

Under sufficient PV and DESS capacities, increasing the defense budget steadily reduces nodal voltage deviations and eliminates low-voltage clusters. Hardening buses 4, 7, 10, and 11 lowers the MVD from 0.1050 p.u. to 0.0793 p.u. (−24.48%), and the RMS deviation from 0.0462 p.u. to 0.0356 p.u. (−22.94%). The VQR reaches 100%, with all buses meeting the qualification threshold.

With limited PV headroom, more defense resources are needed to achieve comparable voltage quality because corrective redispatch operates with a lower margin. Hardening buses 4, 6, 7, 9, 10, and 11 reduces the MVD from 0.1101 p.u. to 0.0767 p.u. (−30.30%) and the RMS voltage deviation from 0.0489 p.u. to 0.0341 p.u. (−30.26%). Low-voltage regions contract but fully clear only at higher defense budgets.

With insufficient DESS capacity, low-voltage clusters persist, requiring a higher defense budget to clear them. Hardening buses 4, 6, 7, 10, and 11 reduces the MVD from 0.1083 p.u. to 0.0789 p.u. (−27.15%) and the RMS deviation from 0.0474 p.u. to 0.0352 p.u. (−25.74%), while the VQR rises from 55.56% to 100% as all bus curves cross the threshold.

Across the three figures, the DAC framework improves voltage quality by breaking the spatial correlation induced by coordinated FDIAs along feeder sections. The optimizer prioritizes junction and measurement hubs (e.g., buses 4, 7, 10, and 11); hardening these nodes blocks falsified data propagation and unlocks the corrective layer so that PV/DESS and tap/reactive controls can support stressed corridors. As a result, we observe cluster-level recovery and worst-node uplift, not merely a uniform shift, with the VQR increasing as the defense budget rises.

To enable a vertical comparison of node-voltage distributions across scenarios under a common defense budget, we analyze the case with $K_{\psi }=4$; results are shown in Figure 10.

Overall, across all three scenarios, buses near the upstream source (e.g., buses 1–2) maintain higher voltages, while voltages decline with electrical distance along the feeder, reaching their lowest levels around buses 8–13. Under a common defense budget (e.g., $K_{\psi }=4$ and fixed attack budget, the node-voltage distributions differ materially across scenarios. For the same setting, the MVD values for Scenarios 1–3 are 0.0793 p.u., 0.0884 p.u., and 0.0842 p.u., respectively—+11.47% and +6.18% for Scenarios 2 and 3 relative to Scenario 1. The RMS voltage deviations are 0.0356 p.u., 0.0392 p.u., and 0.0374 p.u., corresponding to +10.11% and +5.06% increases for Scenarios 2 and 3 versus Scenario 1.

In this test system, reducing PV capacity degrades voltage quality in more than an equal proportional reduction in DESS under the same adversarial setting. To reach VQR = 100%, halving PV requires two additional protected sites ($k$: 4 → 6, +50%), whereas halving DESS requires one ($k$: 4 → 5, +25%). At a common defense budget, the PV-reduction case exhibits larger deviations, higher MVD and RMS, than the DESS-reduction case, consistent with the steeper deterioration visible in bus-voltage profiles. Mechanistically, in our formulation, PV inverters provide both active power and local reactive-power support, while the modeled DESS primarily supplies active-power shifting subject to SOC/power limits; cutting PV therefore removes both $P$ and local VAR in electrically weak buses, reducing the leverage of the lower-level voltage-correction layer and necessitating a larger protected set to meet the same VQR target.

From a planning and operations standpoint, these results indicate that Volt/VAR capabilities and the cyber-defense footprint act as partially substitutable levers for meeting a fixed voltage-quality target. Where dependable, PV VAR is maintained at voltage-sensitive locations, the target can be met with fewer hardened EVCS sites; when PV VAR is scarce or uncertain, the target can instead be achieved by enabling VAR-capable assets at high-sensitivity buses or by expanding the protected set. Accordingly, the planning model should jointly optimize defense allocation with Volt/VAR provisioning and DER siting, enforcing the VQR requirement as a hard constraint while minimizing total cost across two knobs: incremental VAR enablement and protection expansion. In real-time operations, the distributed energy resource management system (DERMS) should link adaptive protection priorities to forecasts of PV VAR availability and telemetry quality, with priority for hardening at PV-rich, voltage-sensitive buses where the loss of VAR would have an outsized impact.

5.4. Analysis of the Superiority of the Improved Implicit Enumeration Algorithm

• Quality and search effort (

  Table 7. Comparison between complete enumeration and improved implicit enumeration.

  Defense Resource Budget	Solution Method	Protected EVCS	Attacked EVCS	VQR	Outer Evaluations
  1	CE	4	1, 7, 8, 10, 11, 12	61.11%	12
  	IIE	4	1, 7, 8, 10, 11, 12	61.11%	12
  2	CE	7, 11	1, 4, 6, 8, 10, 12	61.11%	66
  	IIE	4, 11	1, 6, 7, 8, 10, 12	66.67%	23
  3	CE	4, 7, 11	1, 6, 8, 9, 10, 12	77.78%	220
  	IIE	4, 7, 11	1, 6, 8, 9, 10, 12	77.78%	33
  4	CE	4, 7, 10, 11	1, 2, 3, 6, 9, 12	100.00%	495
  	IIE	4, 7, 10, 11	1, 2, 3, 6, 9, 12	100.00%	42

  ).

Under the same model/data and solver tolerances (with $K_{\psi }=6$), IIE matches CE in solution quality while using far fewer outer evaluations. Across budgets $B=1–4$, IIE delivers solution quality that is identical to or better than CE: the defended/attacked EVCS sets and VQR coincide in most cases, and in the remaining case, IIE attains the same objective value (with respect to the bus-voltage-offset objective) while achieving a higher VQR, all with substantially fewer outer evaluations. In terms of search effort, CE evaluates all $\left({\displaystyle \genfrac{}{}{0pt}{}{N}{B}}\right)$ size-$B$ defenses (12, 66, 220, and 495 evaluations for $B=1,2,3,\mathrm{a}\mathrm{n}\mathrm{d} 4$), whereas IIE requires only 12, 23, 33, and 42 evaluations, respectively. At $B=3$, IIE uses about 15% of CE’s evaluations; at $B=4$, IIE reduces outer evaluations from 495 to 42 (a 91.5% reduction). These results confirm that IIE preserves solution quality and, in cases with objective ties, can select defenses with at least comparable (and here higher) compliance as measured by VQR, while sharply shrinking the outer search. Table 6 reports the defended and attacked sets, VQR, and outer evaluations for each budget.

• Complexity perspective.

For the outer defense search, CE evaluates all size-$B$-defended sets among $N$ candidates, i.e., $O\left(\left({\displaystyle \genfrac{}{}{0pt}{}{N}{B}}\right)\right)$ outer evaluations, upper-bounded by $O\left(2^N\right)$. For fixed $B$ it grows as $O\left(N^B\right)$. Each outer evaluation calls the KKT-reduced inner model to obtain the operation-aware objective. IIE performs a branch-and-bound-style search with problem-guided upper and lower bounds plus pruning, which substantially reduces the explored space in practice. We do not provide a formal worst-case bound for IIE; the experiments in this subsection show large empirical savings in outer evaluations while preserving solution quality relative to CE.

• Runtime and memory (

  Table 8. Runtime and memory under identical settings (B = 4).

  Run	Algo	Wall (s)	CPU (s)	Outer Evals	Peak RSS (MB)
  1	CE	878.356	2511.781	495	209.7
  	IIE	80.105	321.203	42	191.3
  2	CE	794.627	2686.250	495	209.8
  	IIE	212.322	211.297	42	190.3
  3	CE	924.665	2882.203	495	209.6
  	IIE	71.797	279.812	42	192.3
  Avg.	CE	865.880	2693.410	495	209.7
  	IIE	121.410	270.770	42	191.3

  ).

Beyond iteration counts, we compare wall-clock time (Wall), aggregated CPU time across threads (CPU), and peak resident set size recorded by the operating system (Peak RSS) under identical settings. For the representative case $B = 4$ over three runs (Table 7), IIE attains an average Wall of 121.41 s versus 865.88 s for CE (−86.0%, about 7.1× speedup) and an average CPU of 270.77 s versus 2693.41 s for CE (−89.9%, about 10×). Per-run Wall speedups range from 3.7× to 12.9×; per-run CPU speedups range from 7.8× to 12.7×. For the two runs with memory logging, Peak RSS averages 191.3 MB for IIE versus 209.7 MB for CE (about 8.8% lower). CPU time can exceed Wall because it aggregates across parallel solver threads. These measurements, together with the solution-quality parity in Table 7, show that IIE’s efficiency gains are manifested in runtime, not only in iteration counts.

• Measurement protocol.

All comparisons use the same hardware and software stack and identical solver tolerances for IIE and CE: Ubuntu 22.04, Intel Xeon Gold 6348 at 2.6 GHz (2 sockets, 24 cores each), 128 GB RAM, Python 3.10, Gurobi 10.0.3 with eight threads.

5.5. Comparison with Column-and-Constraint Generation

The C&CG algorithm decomposes the original problem into a master problem and a subproblem and iteratively generates new columns or constraints. This strategy can handle large-scale instances and reduce computational burden. However, its performance hinges on well-designed generation rules; in nonconvex settings it may stall or become trapped in locally optimal regions and fail to reach the global optimum.

By contrast, the IIE method employs a systematic branch-and-bound search that does not rely on local information and, upon completion, certifies global optimality, thereby mitigating the risk of premature local convergence. IIE is particularly advantageous when decisions are 0–1: (i) a predictive pruning mechanism discards unpromising branches early, avoiding redundant computation; and (ii) the discreteness of integer variables enables a hierarchical search structure that markedly improves global search efficiency. To assess IIE’s suitability for defense-resource allocation with many 0–1 variables, we conduct a head-to-head comparison between IIE and C&CG.

When the defense-resource budget is $B=1$, IIE attains the optimal defense allocation within 12 outer evaluations, whereas C&CG stalls and does not reach a final solution under the same evaluation budget—likely because the generated columns/constraints did not sufficiently tighten the relaxation or effectively guide the master toward the optimum, impeding convergence. This performance gap highlights IIE’s dual advantages: at the algorithmic level, its deterministic search avoids solution-space distortions caused by suboptimal column/constraint generation; at the problem level, explicitly enumerating discrete decision combinations makes IIE especially suitable for resource-allocation problems with numerous 0–1 variables.

6. Conclusions

This paper addresses cybersecurity-aware defense-resource optimization for transport–power networks and formulates a tri-level DAC model in a Stackelberg framework. The information-security defense problem is cast as multi-agent sequential decision-making, with the objective of mitigating bus-voltage deviations under FDIAs via proactive defense allocation. To solve the tri-level program, we propose a KKT-reduced solution framework combined with IIE. Performance is evaluated using MVD, RMS voltage deviation, and VQR.

Simulation results validate the approach: hardening key EVCS sites prevents attack-induced voltage violations and reveals a synergy between defense allocation and physical dispatch. Compared with CE, the KKT-reduced model with IIE provides an operation-aware security assessment and scalable defense planning for EVCS-centric threats, achieving target voltage quality with substantially fewer outer evaluations. Under identical settings, IIE attains the same defended sets and voltage outcomes as CE while reducing outer evaluations by up to 91.5%, demonstrating a clear computational-efficiency advantage.

Future work will pursue three thrusts:

(i)

Frequency-aware resilience. Extend the DAC architecture to frequency stability by modeling convex proxies for system frequency response—nadir, rate of change in frequency, and automatic generation control/area control error—and co-optimize DESS and EV fast-frequency-response headroom together with hardening of frequency-critical telemetry and control channels.

(ii)

Uncertainty and co-design. Develop multi-period, uncertainty-aware scheduling that couples traffic-demand and PV-output variability with adversarial perturbations, while jointly designing detection and defense via robust state estimation and anomaly aware reweighting.

(iii)

Scalability and validation. Scale the framework to city-scale, unbalanced three-phase networks using decomposition, parallelization, and learning-guided pruning; release open benchmarks, a reference solver, and digital-twin co-simulation to enable reproducible validation.