Irradiance-Driven Natural Watermarking for Detection of False Data Injection in PV Inverters

Abstract

The widespread deployment of photovoltaic (PV) inverters with digital control and communication systems has increased the power grid’s attack surface, making it more vulnerable to cyberattacks. This creates a need for locally implementable attack-detection methods that do not disrupt inverter operation. This paper therefore proposes an irradiance-driven natural watermarking approach for decentralized detection of false data injection (FDI) attacks on inverter terminal measurements. The approach leverages irradiance-driven DC-link voltage variations to watermark the inverter outputs, generating a non-removable signature in the true measurements. The proposed method is evaluated using a real-time hardware-in-the-loop model of a three-phase grid-following PV inverter that captures PV-array and grid-connection dynamics. Implementation robustness is further assessed on a separate hardware grid-forming inverter testbed with non-idealized components. In the tested cases, the detection model identifies noise-injection and replay attacks within $15\mathrm{ms}$, while otherwise undetectable model-based attacks are revealed when DC-link voltage variations between 5% and 10% occur. These experimental results demonstrate that irradiance-driven natural watermarking can reveal FDI attacks without affecting normal inverter operation.

1. Introduction

The rise in renewable energy deployment significantly expands the attack surface of the power grid [1]. Power generation has traditionally been dominated by large synchronous generators, and cybersecurity efforts have therefore primarily focused on securing these generators and the surrounding transmission and distribution infrastructure. However, the low geographic power density of wind and solar generation requires larger land areas per unit of energy produced, resulting in a much larger number of distributed generation units [2]. These renewable generation units interface with power grids through power electronic inverters with digital sensing, control, and communication systems, making them vulnerable to cyberattacks and motivating the need for novel detection solutions.

This increased vulnerability of renewables reflects a broader trend in the security risks facing industrial control systems (ICSs). Although ICSs were once considered secure because of their isolation and specialized software, the 2010 Stuxnet attack on Iran’s uranium enrichment facilities exposed their potential vulnerabilities [3]. Since then, the increasing digitalization of ICSs and remote access capabilities has been paralleled by a growing number of malware variants, such as Shamoon, Duqu, Flame, and Gauss, which specifically target ICSs and have been used in various attacks [4]. Most notably, the BlackEnergy and CrashOverride attacks on Ukraine’s power grid in 2015 and 2016 each caused power outages affecting more than 200,000 people [5]. These attacks were highly sophisticated and required substantial resources to develop and execute. However, with the growing number of smaller and less protected distributed energy resources (DERs), such as rooftop solar panels, the barrier to attack is lowered. The risks associated with lower attack barriers were exemplified by the attack on the Bowman Avenue Dam in New York in 2013 [4], where the attackers gained access to the SCADA system used to control local storm surges. Unlike other attacks on ICSs, the intrusion was not exceedingly sophisticated, and it is generally believed that the dam was targeted due to its minimal security [6,7]. The frequency of similar small-scale attacks on less protected cyber–physical systems is therefore expected to increase with the proliferation of DERs [8].

Cyberattack-detection methods for attacks on electric energy systems fall into three categories: network-based, data-driven, and model-based methods [9]:

Network-based methods for cyberattack detection aim to secure both internal and external communication channels [10]. External communications typically use encryption, network segmentation, and intrusion detection systems (IDSs) to complicate unauthorized access. Blockchain technology has been proposed for secure information sharing and patch management, including the distribution of blockchain clients, IDS updates, malware analysis results, and firmware changes [11]. While network-based detection methods can identify some attacks carried out via inverter communication channels, they are less effective against false data injection (FDI) attacks that manipulate sensor data either externally through physical-layer attacks such as Hall-sensor spoofing [12] or internally through malware embedded in the inverter control microcontroller. Such malware may be introduced through third-party vendor vulnerabilities [13] or supply chain attacks [14]. Given these vulnerabilities, it is impossible to ensure the system’s cybersecurity by securing only the communication channels. Therefore, a defense-in-depth strategy that combines network-level detection with local inverter-side validation is essential [15].

Data-driven methods use machine learning (ML) models trained on historical data to detect FDI attacks and can be implemented at the local device level [9]. Reference [16] proposes a multilayer long short-term memory (MLSTM) network and evaluates its ability to detect and classify attacks using the voltage and current measurements from the PV array in a two-stage PV inverter. Reference [17] leverages various data-driven methods to evaluate micro-phasor measurement unit (μPMU) data at the point of common coupling (PCC) between an inverter and the grid to detect performance degradation caused by cyberattacks. Additionally, a hardware-in-the-loop (HIL) study compared the real-time operation of multiple data-driven methods for detecting and classifying attacks based on similar PCC measurements [18]. While these studies report very high accuracy, data-driven approaches lack physical interpretability and depend strongly on the quality and comprehensiveness of the training data, limiting their reliability against cyberattacks not represented in the training set.

Model-based detection methods use analytically derived system models to evaluate measurements. Common approaches include minimum mean square estimation for static systems [19], Luenberger observers for linear dynamics [20], and generalized Kalman filters for nonlinear systems [21]. These methods estimate system states and identify bad data when measurements deviate significantly from the model estimates [22]. While these methods were originally developed to detect low-quality measurements [23], they have been extended to cyberattack detection [19]. However, attackers with sufficient model knowledge can construct stealthy attacks that evade such estimators [24]. Dynamic watermarking addresses this limitation by continuously injecting known excitations into the control signal and verifying their presence in the measured response [25,26]. Although [26] demonstrated consistent detection of both regular and stealthy attacks within $8\mathrm{ms}$, the dynamic watermarking approach inevitably distorts the inverter output, negatively affecting its normal operation.

Motivated by the need for a non-disruptive detection method for FDI attacks, we propose an alternative watermarking approach for PV inverters that does not inject additional distortions. Our method first introduces two attack indicators that continuously validate inverter measurements against a state-space model to detect abnormal behavior, providing the benefits of model-based detection and enabling the detection of common FDI attacks, including noise injection and replay attacks. We then leverage the DC-link voltage fluctuations that naturally occur in PV inverters in response to irradiance variations [27] as a watermark, making it possible to reveal otherwise undetectable model-based attacks without additional distortions.

Specifically, the contributions of this paper are: (1) Unlike previous physical watermarking methods that introduce intentional distortions into control signals [25,26], our approach utilizes naturally occurring voltage fluctuations and therefore does not harm the inverter output. (2) We develop a HIL testbed for a two-stage grid-following PV inverter with irradiance-dependent DC-link voltage dynamics and use it to evaluate the proposed natural watermarking method under realistic DC-link voltage waveforms. Compared with our previous work, which modeled the DC-link voltage as an ideal voltage source with Gaussian noise [28,29], this testbed substantially improves waveform realism while retaining model performance. (3) We further validate the practical robustness of the detection architecture on a grid-forming hardware inverter platform with non-ideal sensing and real-time implementation constraints. This hardware study is used to assess implementation robustness and detector portability rather than to reproduce the full grid-following PV plant one for one. (4) The real-time implementation confirms the computational efficiency of our detection approach. The computational load of the model is evaluated against the baseline inverter control processes, confirming the feasibility for integration into existing inverter controllers without significant computational overhead.

The remainder of the paper is organized as follows. Section 2 describes the inverter system, the associated control loops, and the attacks on the system. Section 3 describes the proposed natural watermarking approach and how it has been modified for the HIL and hardware implementation. Section 4 shows the accuracy of the state-space estimator and the effectiveness of attack detection against each type of attack in the HIL environment. Section 5 evaluates the attack detection in a physical testbed. Finally, Section 6 summarizes the findings of this paper.

2. False Data Injection Attacks in PV Inverters

The architecture of the inverter system used in this paper is shown in Figure 1. From left to right, a PV array is connected to a boost converter, which feeds the DC-link capacitor of the inverter. The inverter converts this DC voltage to a three-phase AC output, which is connected to the grid through an LCL (inductor–capacitor-inductor) filter. Measurement signals from the DC-link voltage and the inverter outputs are processed by a digital signal processing (DSP) controller, which implements current control and DC-link voltage stabilization. FDI attacks are realized by embedding code on the DSP board, which intercepts and alters sensor signals before they enter the control loop. To detect these attacks, the DSP implements a natural watermarking model described in Section 3.

2.1. System Control

Maximum power point tracking (MPPT) for the PV array is achieved using a perturb-and-observe (P&O) algorithm to optimize power extraction from the panels [30]. As a result, the DC-link input current varies with solar irradiance. A phase-locked loop (PLL) ensures synchronization with the grid, and the AC signals used for current control are transformed into a synchronous direct-quadrature ($dq$) reference frame to simplify control implementation. In this frame, a proportional–integral (PI) controller regulates the DC-link voltage, $v_{dc}$, around its nominal value by generating the direct-axis current reference, $i_{f_d}^{*}$, which sets the inverter output current. The quadrature-axis current reference is set to zero, $i_{f_q}^{*}=0$. PI current controllers then compute the modulation indices $m_d$ and $m_q$ from the current tracking errors, and these are transformed back to the modulation indices in the three-phase frame, i.e., $m_a$, $m_b$ and $m_c$, to generate pulse-width modulation (PWM) signals for the inverter switches. Detailed equations and parameters are provided in Appendix A.

2.2. Threat Model

FDI attacks manipulate inverter behavior by modifying sensor measurements before they reach the inverter control loops. The controller therefore reacts to falsified measurements, causing it to deviate from normal operation and potentially damage the inverter or connected equipment. In this paper, the attacker is assumed to be able to observe and modify selected grid-side measurement signals before they are used by the inverter controller.

One possible attack vector is physical interference with the sensing hardware. Barua et al. [12] demonstrated that an electromagnet can be used to interfere with Hall-effect sensors used for voltage measurements. However, physical manipulation is less suitable for precise FDI attacks because the attacker has limited visibility into the recorded inverter measurements and is affected by uncontrolled variables such as sensor placement and electromagnetic shielding. Physical attacks are therefore limited to less advanced attacks such as the noise injection attack seen in Section 2.3.

More advanced attacks can be implemented through malicious code embedded in the controller or in the measurement-processing chain. Such malware may remain inactive until triggered by a timer, a control condition, or an external command and is referred to as a logic bomb [31]. Once triggered, the compromised sensing path modifies the measurements according to the attack strategy, and the distorted measurement propagates through the controller and affects the outputs. In the experimental implementation used in this paper, the attacks are programmed directly onto the DSP to ensure repeatability. This implementation emulates a compromised measurement path rather than unrestricted access to all controller resources. The attacker is therefore limited to manipulating the measurements and cannot rewrite the inverter control algorithm or directly change outputs. This is consistent with an attacker exploiting measurement calibration and recording functions rather than replacing the inverter firmware.

We assume that the attacker targets the grid-side measurements while the DC-link voltage measurement remains uncompromised. For physical attacks, this is motivated by the fact that grid-side sensors are located near the grid connection point and are generally more accessible than the DC-link voltage sensor, which is located deeper inside the inverter. Digitally, the grid-side measurements describe the inverter’s interaction with the external grid and are generally communicated to grid-support interfaces. These signals therefore have a larger attack surface and are more relevant to an attacker than internal DC-link measurements. Under this threat model, the DC-link voltage is considered a trusted internal signal for detecting inconsistencies caused by manipulated grid-side measurements.

2.3. Types of FDI Attacks

This paper specifically investigates three types of FDI attacks with increasing complexity and attacker knowledge requirements: noise injection, replay, and model-based attacks.

Noise-injection attacks degrade measurement quality by adding artificial noise to selected sensor signals. These attacks require the ability to alter the measurements, but they do not require system knowledge or previously recorded data. Although noise injection can quickly distort inverter operation, the resulting signals often differ significantly from normal behavior, making these attacks easier to detect.

Replay attacks replace real-time measurements with previously recorded data, breaking the correspondence between the physical inverter state and the feedback used by the controller. Such attacks require the ability to record and later replay measurements over a period of time, but they do not require any knowledge of the system model. Because replayed measurements resemble normal operation, replay attacks can be difficult to detect by monitoring only the compromised output signals [32].

Model-based attacks use a system model to generate realistic but false measurements. To execute a model-based attack, the attacker must therefore know the relevant measurements and control-loop outputs, as well as a sufficiently accurate model of the system dynamics. This enables the attack to remain stealthy while gradually driving the inverter toward harmful operating conditions, potentially causing accelerated component degradation or premature failure [24,33]. Due to their stealthy nature, model-based attacks are especially challenging to detect and are the primary motivation for the detection approach proposed in this paper.

2.4. DC-Link Voltage

Due to the transient behavior of the inverter controls, changes in the irradiance incident on the PV array trigger DC-link voltage fluctuations that can be used to reveal advanced FDI attacks. These dynamics are captured by the HIL model, and the voltage waveforms reflect what is observed in real systems. While the magnitude, duration, and waveform of these voltage deviations depend on the DC-link capacitance and controller gains, the transients are triggered and mainly defined by changes in irradiance. The timing and profile of these irradiance variations are further affected by cloud formation, which is governed by inherently stochastic atmospheric processes [34]. Additional site-specific effects, including panel degradation, soiling, and cell damage, further complicate the response [29]. As a result, without direct access to the sensor data, the corresponding DC-link voltage changes are exceedingly difficult to predict and can therefore help detect attacks by serving as a natural watermark. Because this watermark is already part of the normal operation, it is well-suited for detecting attacks that aim to cause gradual degradation.

3. Irradiance-Driven Natural Watermarking

The irradiance-driven natural watermarking approach requires five components: (1) a state-space model for predicting inverter behavior, (2) attack indicators for validating inverter measurements, (3) unpredictable DC-link voltage variations that act as natural watermarks, (4) methods for mitigating measurement noise and model imperfections, and (5) a computationally efficient detection process that can run alongside the inverter controller.

3.1. State-Space Model

To simplify the inverter model and directly associate each measurement with its corresponding attack indicator, the state-space model is derived in the stationary $abc$ reference frame. This avoids the balanced-measurement assumption implicit in the synchronous $dq$ frame, which may not hold during an attack, and eliminates cross-coupling between phases, enabling independent phase analysis. The model is therefore derived for phase a and then replicated for phases b and c.

The phase a states are defined as the inductor currents and capacitor voltages of the LCL filter and stored in the state vector $x_a$. The system inputs, $u_a$, are defined as the inverter terminal voltage, $v_{t_a}$, and the grid voltage, $v_{g_a}$. The inverter-side output current, $i_{f_a}$, is chosen as the observed state, as it is already recorded and used in the current control loop.

$$\begin{array}{cc}\hfill x_a& ={\left[\begin{array}{ccc}{i}_{f_a}& i_{g_a}& v_{C_a}\end{array}\right]}^T\hfill \end{array}$$

(1a)

$$\begin{array}{cc}\hfill u_a& ={\left[\begin{array}{cc}{v}_{t_a}& v_{g_a}\end{array}\right]}^T\hfill \end{array}$$

(1b)

$$\begin{array}{cc}\hfill y_a& =\left[\begin{array}{c}{i}_{f_a}\end{array}\right]\hfill \end{array}$$

(1c)

While $v_{g_a}$ is measured directly, $v_{t_a}$ is calculated based on values from within the controller and the two-level inverter configuration [35]:

$$v_{t_a}=m_a{\displaystyle \frac{v_{dc}}{2}}$$

(2)

where $m_a$ is the PWM modulation index for phase a and $v_{dc}$ is the DC-link voltage. To derive the state equations, Kirchhoff’s voltage and current laws are applied to the LCL filter while accounting for the series resistance of each component, where $L_f$ and $R_f$ correspond to the inverter-side inductor, $L_g$ and $R_g$ correspond to the grid-side inductor, and $C_f$ and $R_C$ correspond to the filter capacitor:

$$\begin{array}{cc}\hfill {\dot{i}}_{f_a}& =-{\displaystyle \frac{(R_f+R_C)}{L_f}}{i}_{f_a}+{\displaystyle \frac{R_C}{L_f}}{i}_{g_a}-{\displaystyle \frac{1}{L_f}}{v}_{C_a}+{\displaystyle \frac{1}{L_f}}{v}_{t_a}\hfill \end{array}$$

(3a)

$$\begin{array}{cc}\hfill {\dot{i}}_{g_a}& ={\displaystyle \frac{R_C}{L_g}}{i}_{f_a}-{\displaystyle \frac{(R_g+R_C)}{L_g}}{i}_{g_a}+{\displaystyle \frac{1}{L_g}}{v}_{C_a}-{\displaystyle \frac{1}{L_g}}{v}_{g_a}\hfill \end{array}$$

(3b)

$$\begin{array}{cc}\hfill {\dot{v}}_{C_a}& ={\displaystyle \frac{1}{C_f}}{i}_{f_a}-{\displaystyle \frac{1}{C_f}}{i}_{g_a}\hfill \end{array}$$

(3c)

The resulting $A_a$, $B_a$, and $C_a$ matrices are thus defined as follows:

$$\begin{array}{cc}\hfill A_a& =\left[\begin{array}{ccc}{\displaystyle \frac{-(R_f+R_C)}{L_f}}& {\displaystyle \frac{R_C}{L_f}}& {\displaystyle \frac{-1}{L_f}}\\ {\displaystyle \frac{R_C}{L_g}}& {\displaystyle \frac{-(R_g+R_C)}{L_g}}& {\displaystyle \frac{1}{L_g}}\\ {\displaystyle \frac{1}{C_f}}& {\displaystyle \frac{-1}{C_f}}& 0\end{array}\right]\hfill \end{array}$$

(4a)

$$\begin{array}{cc}\hfill B_a& =\left[\begin{array}{cc}{\displaystyle \frac{1}{L_f}}& 0\\ 0& {\displaystyle \frac{-1}{L_g}}\\ 0& 0\end{array}\right]\hfill \end{array}$$

(4b)

$$\begin{array}{cc}\hfill C_a& =\left[\begin{array}{ccc}1& 0& 0\end{array}\right]\hfill \end{array}$$

(4c)

To enable digital implementation on the DSP, the Tustin approximation method is used to discretize the continuous-time matrices with the same sampling period as the control loop, $T_s=100\mathsf{\mu }\mathrm{s}$. This corresponds to the $10\mathrm{kHz}$ measurement and control rate used in the implementation. To reduce timing uncertainty, ADC sampling, state estimation, and control updates are synchronized with the inverter switching cycle. The PWM switching frequency is $20\mathrm{kHz}$, while the measurement and control loops execute once every two switching periods. Because the ADC sampling and control update occur at fixed points in this cycle, sampling drift and variable data-collection delay are not included in the state-space model. Any remaining implementation delay is treated as part of the nominal prediction error and is accounted for through the baseline-removal and threshold-selection procedure described in Section 3.4. The resulting discrete-time state-space matrices ($A_{d_a}$, $B_{d_a}$, and $C_{d_a}$) enable the prediction of the state vector $x_a$ and the output $y_a$ at each discrete time step k:

$$\begin{array}{cc}\hfill x_a[k+1]& =A_{d_a}{x}_a\left[k\right]+B_{d_a}{u}_a\left[k\right]\hfill \end{array}$$

(5a)

$$\begin{array}{cc}\hfill y_a\left[k\right]& =C_{d_a}{x}_a\left[k\right]\hfill \end{array}$$

(5b)

The model states are initialized to zero during inverter startup and then evolve continuously with the measured inputs and modulation signals. Attack detection is evaluated after the estimator and moving-window baselines have settled, so startup transients do not affect the reported detection results. Component tolerances and discretization errors can introduce small prediction errors, but these errors are also included in the nominal baseline and threshold calibration described in Section 3.4. The resulting state-space model is therefore sufficiently accurate to support the proposed attack-detection method in both the HIL and hardware studies.

3.2. Attack Indicators

Two statistical attack-detection methods are employed to validate the output measurements based on the discrepancy between the measured output $z\left[k\right]$ and the predicted inverter outputs $y\left[k\right]$:

$$\Delta z\left[k\right]=\left|z\left[k\right]-y\left[k\right]\right|$$

(6)

During normal operation, $z\left[k\right]$ and $y\left[k\right]$ closely match each other, and $\Delta z\left[k\right]$ remains near zero. However, if an attacker interferes with the measurements, $z\left[k\right]$ will no longer match the predictions, resulting in larger values of $\Delta z\left[k\right]$. This is captured by the moving average test, (7), which calculates the average prediction error over a window of the n most recent measurements ending at the current time step l. An attack that increases the prediction error will therefore result in an increased value of (7), making the attack detectable.

$$\begin{array}{cc}\hfill {\chi }_1\left[l\right]& ={\displaystyle \frac{1}{n}}{\displaystyle \sum _{k=l-n+1}^l}\Delta z\left[k\right]\hfill \end{array}$$

(7)

Similarly, the moving variance test (8) quantifies the variability of $\Delta z\left[k\right]$ within the same window.

$$\begin{array}{cc}\hfill {\chi }_2\left[l\right]& ={\displaystyle \frac{1}{n}}{\displaystyle \sum _{k=l-n+1}^l}{\left(\Delta z\left[k\right]-{\chi }_1\left[l\right]\right)}^2\hfill \end{array}$$

(8)

Due to the squared difference in the calculation, (8) is more sensitive than (7) and is particularly effective at detecting noisy or rapidly changing attack patterns. Although (8) is more sensitive and will typically detect attacks before (7), combining both indicators is essential for the detection of some attacks. An attack that gradually introduces a DC bias into the measurement values would, for example, not affect the variance of the measurement error and therefore be undetectable by (8). Similarly, an attack could be designed to hide within the system noise and evade detection by (7), but the higher sensitivity of (8) could still reveal such an attack. Thus, using both indicators provides redundancy, making it significantly more challenging to design an attack that simultaneously evades both indicators. However, an attacker with a state-space model of the system could potentially stay within both detection thresholds and would require a watermark to be identified.

3.3. Protected DC-Link Signal

A non-invasive watermark is constructed by using a state-space model to predict how DC-link voltage fluctuations propagate to the inverter output. Its effectiveness depends on the assumption that the attacker can manipulate output-side voltage and current measurements but cannot directly observe or alter the protected DC-link voltage measurement. In this work, the attacker can modify the AC-side sensor measurements used by the control loop and can generate false measurements using recorded data or a system model. However, the attacker is not assumed to have unrestricted access to all ADC channels, controller memory, or internally protected measurements. This assumption is consistent with an architecture in which the DC-link sensing path is isolated from the output-side measurement chain and protected independently. Under the threat model outlined in Section 2.2, the irradiance-driven variations in $v_{dc}$ remain unavailable to the attacker and can therefore serve as a natural watermark. In a practical implementation, this assumption can be strengthened by applying additional protection to the DC-link voltage measurement, such as an isolated or encrypted signal path and restricted access to the corresponding DC-link voltage ADC channel.

An attacker could alternatively attempt to estimate the DC-link voltage based on AC-side measurements and the modulation indices. However, this would require an additional observer model, and the estimate would be complicated by switching behavior, nonlinear inverter dynamics, measurement noise, and uncertainty in the filter and controller parameters. This estimate would also be based on already observed input–output behavior and would therefore be delayed relative to the irradiance-driven DC-link transient. This limits its usefulness for generating falsified measurements that must remain consistent with the protected DC-link variation in real time. An attacker with direct access to the DC-link measurement, or with a sufficiently accurate real-time estimate of it, is therefore outside the threat model considered in this paper. Such a stronger attacker would require additional sensing-path, firmware, or hardware protections beyond the detection method considered here.

3.4. Noise Rejection and Detection Threshold

In a physical system, measurement noise and model imperfections inevitably cause a mismatch between the predicted and measured outputs even during nominal operation. As a result, the attack indicators (7) and (8) will return non-zero values during steady state. To reduce the masking effect of this nominal prediction error, the collection window n is chosen to yield a stable baseline, and the corresponding steady-state offsets are removed from both indicators.

Because the prediction error varies over the AC cycle, n is selected to span an integer number, i, of AC cycles:

$$n=i{\displaystyle \frac{f_{\mathrm{samp}}}{f_{\mathrm{base}}}},i\in \mathbb{Z}$$

(9)

With a sampling frequency of $f_{\mathrm{samp}}=10\mathrm{kHz}$ and a grid frequency of $f_{\mathrm{base}}=60\mathrm{Hz}$, i is set to 3, resulting in a sliding-window length of $n=500$ samples, corresponding to $50\mathrm{ms}$. In this implementation, the attack indicators are therefore calculated over a window spanning three AC cycles. The window length should therefore be treated as a tunable parameter where increasing n improves baseline stability and noise rejection, but also increases detection latency.

To remove the average prediction-error offset, precomputed steady-state baselines ${\overline{\chi }}_1$ and ${\overline{\chi }}_2$ are obtained under nominal conditions and subtracted from (7) and (8), resulting in the modified attack indicators:

$$\begin{array}{cc}\hfill {\chi }_1^{\prime }\left[l\right]& =\left|\left({\displaystyle \frac{1}{n}}{\displaystyle \sum _{k=l-n+1}^l}\Delta z\left[k\right]\right)-{\overline{\chi }}_1\right|\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill {\chi }_2^{\prime }\left[l\right]& =\left|\left({\displaystyle \frac{1}{n}}{\displaystyle \sum _{k=l-n+1}^l}{\left(\Delta z\left[k\right]-{\chi }_1\left[l\right]\right)}^2\right)-{\overline{\chi }}_2\right|\hfill \end{array}$$

(11)

Even after baseline removal, ${\chi }_1^{\prime }$ and ${\chi }_2^{\prime }$ vary during nominal operation. To avoid false positive results and in accordance with standard practice for dynamic watermarking, the detection threshold for each detector is set to three times the maximum nominal value recorded during normal operation [26]. The exact threshold is implementation-dependent and is empirically determined from the maximum nominal indicator value recorded during calibration. This calibration includes steady-state operation at irradiance levels of $500\mathrm{W}/{\mathrm{m}}^2$, $800\mathrm{W}/{\mathrm{m}}^2$, and $1000\mathrm{W}/{\mathrm{m}}^2$, as well as transients between those levels. It therefore captures the combined effects of sensor noise, model mismatch, and irradiance-driven DC-link variation. In the implementations studied, no false positives were observed, and reliable detection was achieved for DC-link voltage deviations of approximately 5% to 10% from the reference value of $500\mathrm{V}$. However, this range is specific to the tested systems and should not be interpreted as a universal requirement. The mismatch required to trigger detection is illustrated in Section 4 and Section 5.

3.5. Computational Cost

Finally, a major challenge to implementing cybersecurity in ICSs is the limited computational resources [36]. If a security measure requires more resources than the device’s standard operation, it may necessitate more advanced hardware, thereby increasing manufacturing costs and rendering implementation impractical. Therefore, the state-estimation and attack-detection tests must operate within the constraints of existing hardware. To assess this, the number of clock cycles required for the inverter controller to perform attack detection is recorded and compared with the clock cycles needed to execute the control tasks.

4. HIL Validation and Discussion

4.1. System Specifications

The system is implemented on a Typhoon HIL 506 real-time simulator (Typhoon HIL, Waltham, MA, USA) as shown in Figure 2. The simulation time step is $0.5\mathsf{\mu }\mathrm{s}$ and the main system parameters are summarized in

Table 1. HIL PV inverter system parameters.

Parameter	Symbol	Value
Real-time simulator	–	Typhoon HIL 506
Simulation time step	–	$0.5\mathsf{\mu }\mathrm{s}$
PV array nominal power	$P_{\mathrm{PV}}$	$2350\mathrm{W}$
PV open-circuit voltage	$V_{\mathrm{OC}}$	$120\mathrm{V}$
PV short-circuit current	$I_{\mathrm{SC}}$	$25\mathrm{A}$
Boost-converter inductance	$L_{\mathrm{boost}}$	$1\mathrm{mH}$
DC-link capacitance	$C_{\mathrm{dc}}$	$100\mathsf{\mu }\mathrm{F}$
DC-link voltage reference	$v_{dc}^{*}$	$500\mathrm{V}$
Inverter-side filter inductance	$L_f$	$2\mathrm{mH}$
Inverter-side inductor resistance	$R_f$	$1\mathrm{m}\mathsf{\Omega }$
Filter capacitance	$C_f$	$2\mathsf{\mu }\mathrm{F}$
Filter capacitor resistance	$R_C$	$10\mathrm{m}\mathsf{\Omega }$
Grid-side filter inductance	$L_g$	$2\mathsf{\mu }\mathrm{H}$
Grid-side inductor resistance	$R_g$	$4\mathrm{m}\mathsf{\Omega }$
Grid frequency	$f_{\mathrm{base}}$	$60\mathrm{Hz}$
Grid voltage	–	$120{\mathrm{V}}_{\mathrm{rms}}$ line-to-line
DSP	–	TI F280049C
DSP clock frequency	–	$100\mathrm{MHz}$
Switching frequency	$f_{\mathrm{sw}}$	$20\mathrm{kHz}$
Control and sampling frequency	$f_{\mathrm{samp}}$	$10\mathrm{kHz}$
Detection threshold DAC level	–	$1.5\mathrm{V}$

. The PV array is configured to deliver a nominal power of $2350\mathrm{W}$, with an open-circuit voltage of $120\mathrm{V}$ and a short-circuit current of $25\mathrm{A}$. The boost converter includes a $1\mathrm{mH}$ inductor feeding a $100\mathsf{\mu }\mathrm{F}$ DC-link capacitor. The LCL filter consists of an inverter-side inductor $L_f=2\mathrm{mH}$ ($R_f=1\mathrm{m}\mathsf{\Omega }$), a filter capacitor $C_f=2\mathsf{\mu }\mathrm{F}$ ($R_C=10\mathrm{m}\mathsf{\Omega }$), and a grid-side inductor $L_g=2\mathsf{\mu }\mathrm{H}$ ($R_g=4\mathrm{m}\mathsf{\Omega }$). The system interfaces with a $60\mathrm{Hz}$ three-phase grid rated at $120{\mathrm{V}}_{\mathrm{rms}}$ line-to-line.

The control scheme described in Section 2.1 is implemented on a Texas Instruments F280049C DSP (Texas Instruments Inc., Dallas, TX, USA) and programmed using Code Composer Studio. The DSP uses a $100\mathrm{MHz}$ clock frequency, and both the inverter and boost controller use a $20\mathrm{kHz}$ switching frequency, while measurements and control loops execute at $10\mathrm{kHz}$. The DC voltage and output current control requires 5530 clock cycles ($55.3\mathsf{\mu }\mathrm{s}$), and the complete detection procedure for each phase takes 1820 cycles ($18.2\mathsf{\mu }\mathrm{s}$), with state estimation alone taking only 95 cycles ($0.95\mathsf{\mu }\mathrm{s}$).

Cyberattacks are triggered through one of the DSP’s input–output (I/O) ports using a signal generator. For real-time monitoring, attack indicators are output through the DSP’s digital-to-analog converter (DAC) channels and recorded, along with inverter voltage and current waveforms. The gain of the DAC is tuned such that the attack detection threshold for each indicator corresponds to $1.5\mathrm{V}$.

4.2. HIL Results

Although the signals from all three current measurements are attacked, our analysis focuses on the measurements from phase a, $i_a$. The procedure remains identical for all model states and phases and can be extended to an arbitrary number of measurements.

4.2.1. Model Quality

An accurate system model of the inverter outputs is essential for reliable attack detection. The modeled steady-state and transient performance is therefore evaluated by routing internal signals from the DSP board through its DAC channels and recording them with an oscilloscope. The measured signal (blue) and model prediction (orange) before and after a change in irradiance are plotted in Figure 3 and closely align, indicating strong agreement. Minor deviations arise from system noise and a slight phase shift introduced by the limited ADC sample rate.

4.2.2. Noise-Injection Attack on HIL

The impact of a noise-injection attack starting at $t=0$ is illustrated in Figure 4a, which plots the true current of phase a (in blue) and the attacked measurement (in red). Once the attack is launched, the red curve shows how zero-mean Gaussian noise with a standard deviation equal to half the current amplitude is added to the true signal before it enters the control loop. After the attack is launched, the true output is also distorted, illustrating how the added noise propagates through the controller and distorts the inverter output. Figure 4b shows the moving average attack indicator, ${\chi }_1^{\prime }$, while Figure 4c illustrates the moving variance indicator, ${\chi }_2^{\prime }$. Once the attack is initiated, both indicators increase rapidly before saturating at $3.3\mathrm{V}$, which is the maximum output voltage of the DSP board. The moving variance test, ${\chi }_2^{\prime }$, is most sensitive to noise and detects the attack within $5\mathrm{ms}$.

4.2.3. Replay Attack on HIL

Figure 5a shows the true current of phase a (in blue) and the measurement under attack (in red) $60\mathrm{ms}$ before and after a replay attack is launched at $t=0$. When the attack is launched, it breaks the closed-loop current control of the inverter. Although the controller continues to receive seemingly normal measurements, without the feedback path, the controller cannot correct any errors due to noise or varying operating conditions. As a result, the integral component of the PI controller grows indefinitely, rapidly destabilizing the inverter’s output. Figure 5 shows how both attack indicators rise as the output current of the inverter starts to destabilize, rendering the attack detectable after approximately $10\mathrm{ms}$.

4.2.4. Model-Based Attack on HIL

During a model-based attack, the attacker uses their own state-space model of the inverter to generate realistic but falsified measurements. The attacked measurement therefore closely matches the state-space model used in the attack-detection process, making detection challenging. Consequently, during periods with no DC voltage fluctuations, the indicators cannot detect the attack. This behavior is demonstrated in Figure 6, which shows the DC-link voltage, output current, and both attack indicators over a three-second interval. The attack is launched at $t=0$, but there are no detectable changes in ${\chi }_1^{\prime }$ or ${\chi }_2^{\prime }$.

Figure 7 shows the DC-link voltage, phase a output current, and corresponding attack indicators during a model-based attack scenario with variable irradiance. Here, the irradiance of the PV array changes from $500\mathrm{W}/{\mathrm{m}}^2$ to $1000\mathrm{W}/{\mathrm{m}}^2$ before the attack at $t=-0.75\mathrm{s}$, and then returns to $500\mathrm{W}/{\mathrm{m}}^2$ at $t=1\mathrm{s}$ after the attack is launched. Before the attack, the controller adjusts the output current to stabilize the DC-link voltage. However, without accurate knowledge of the DC voltage, the attacker cannot replicate the correct system response to the irradiance changes. This discrepancy results in instability of both the DC voltage and the output current, enabling detection of the attack. During the post-attack irradiance change at $t=1\mathrm{s}$, both indicators ${\chi }_1^{\prime }$ and ${\chi }_2^{\prime }$ increase significantly, clearly signaling the presence of the attack.

The transient events resulting from changes in irradiance can therefore reveal otherwise hidden attacks. While using these transients results in a longer detection time than dynamic watermarking, this is considered an acceptable trade-off when targeting stealthy attacks that aim to cause gradual component degradation.

5. Hardware Validation and Discussion

Due to safety and practical implementation constraints, the hardware inverter platform differs from the grid-following PV system studied in the HIL environment. The purpose of the hardware test is therefore not to validate PV-side irradiance dynamics, but to evaluate whether the proposed detection architecture remains effective when applied to a physical inverter with non-ideal components.

Figure 8 shows the hardware testbed used to assess the practical implementation of the proposed detector. The PV array and boost stage are emulated by a programmable DC supply, the grid connection is replaced by a local load, and an LC filter replaces the LCL filter. However, the resulting platform preserves the key detection mechanism whereby DC-link variations that are unknown to the attacker propagate to the attacked measurements through the inverter dynamics.

In the hardware configuration, the inverter operates in grid-forming mode. Accordingly, the outer DC-link voltage loop is replaced by an AC voltage loop, the attacks are applied to output-voltage measurements, and the capacitor voltage is used as the observed state in the state-space model. The plots of the observed states are therefore in terms of capacitor voltage, but apart from these plant and control adaptations, the attack indicators, baseline-removal procedure, and residual-based detection logic remain unchanged.

5.1. Hardware Specifications

A Chroma 62000H Series programmable power supply (Chroma ATE Inc., Irvine, CA, USA) delivers a nominal $500\mathrm{V}$ DC-link voltage and replicates voltage fluctuations observed in the HIL simulation. The main hardware-platform parameters are summarized in

Table 2. Hardware inverter platform parameters.

Parameter	Symbol	Value
DC source	–	Chroma 62000H Series
Nominal DC-link voltage	$v_{dc}$	$500\mathrm{V}$
Inverter operating mode	–	Grid-forming
AC output frequency	$f_{\mathrm{base}}$	$60\mathrm{Hz}$
AC output voltage	–	$120{\mathrm{V}}_{\mathrm{rms}}$ line-to-line
Filter topology	–	LC
Filter inductance	$L_f$	$350\mathsf{\mu }\mathrm{H}$
Filter inductor resistance	$R_f$	$100\mathrm{m}\mathsf{\Omega }$
Filter capacitance	$C_f$	$2\mathsf{\mu }\mathrm{F}$
Filter capacitor resistance	$R_C$	$10\mathrm{m}\mathsf{\Omega }$
Load type	–	Resistive
Load power	–	$2\mathrm{kW}$
Voltage transducer	–	LV25-P
Current transducer	–	LA 55-P
DSP	–	TI F280049C
DSP clock frequency	–	$100\mathrm{MHz}$
Switching frequency	$f_{\mathrm{sw}}$	$20\mathrm{kHz}$
Control and sampling frequency	$f_{\mathrm{samp}}$	$10\mathrm{kHz}$
Detection threshold DAC level	–	$1.5\mathrm{V}$

. The inverter converts this to a $60\mathrm{Hz}$ three-phase $120{\mathrm{V}}_{\mathrm{rms}}$ AC output through an LC (inductor–capacitor) filter with nominal $L_f=350\mathsf{\mu }\mathrm{H}$ ($R_f=100\mathrm{m}\mathsf{\Omega }$) and nominal $C_f=2\mathsf{\mu }\mathrm{F}$ ($R_C=10\mathrm{m}\mathsf{\Omega }$), which is then supplied to a $2\mathrm{kW}$ resistive load. Voltage and current measurements at the inverter output and DC-link are obtained using LV25-P and LA 55-P transducers (LEM USA Inc., Milwaukee, WI, USA). To remove switching noise, the signals are processed through a passive first-order low-pass filter and an active second-order low-pass filter, then offset and scaled to remain within the $0\mathrm{to}3.3\mathrm{V}$ input range of the DSP’s ADC channels. These values are then sampled and fed to the control algorithm. Attacks are triggered by an external signal generator.

5.2. Hardware Results

5.2.1. Noise-Injection Attack on Hardware

Figure 9 shows the noise-injection attack. Once the attack starts at $t=0$, Figure 9a shows a degradation of the output voltage, while the indicators in Figure 9b,c show a rapid increase in ${\chi }_1^{\prime }$ and ${\chi }_2^{\prime }$, making the attack detectable within approximately $5\mathrm{ms}$. Despite the higher level of noise, this detection time remains similar to the HIL implementation.

5.2.2. Replay Attack on Hardware

Figure 10 shows the replay attack. Due to the slower voltage control loop, the inverter voltage in Figure 10a deviates more gradually than the output current seen in the HIL implementation. This renders the attack detectable after about $15\mathrm{ms}$. Although detection is slower compared to the noise-injection attack, detectability is proportional to the deviation from nominal operation, and the attack can therefore be identified before causing significant disruption to the system.

5.2.3. Model-Based Attack on Hardware

Finally, the results of the model-based attacks, without and with DC-link voltage fluctuations, are shown in Figure 11 and Figure 12, respectively. Similar to the HIL implementation, the scenario without DC voltage changes shows no indication that the attack has been launched, and the attack remains undetectable. However, once DC-link voltage fluctuations are introduced, the attacker can no longer reproduce realistic measurements, and the inverter output diverges, as seen around the one-second mark in Figure 12a. This deviation from normal operation renders the attack detectable, as indicated by the rise in the ${\chi }_1^{\prime }$ and ${\chi }_2^{\prime }$ indicators in Figure 12b and Figure 12c, respectively.

5.3. Hardware Discussion

The results of the hardware validation closely matched those observed in the HIL system, with a few notable differences. The most prominent change is the increased measurement noise, which is evident in the attack indicators. It should also be noted that the DC-link voltage changes observed during the model-based attack are more sharply defined in the hardware implementation. This difference arises due to the limited ramp rate and program complexity of the programmable power supply. The hardware implementation therefore does not fully replicate the dynamic interactions between the PV array, boost controller, and inverter. Instead, it serves as a physical validation platform for assessing the robustness of the state-space model and attack-detection algorithm, rather than as a one-to-one replication of the HIL testbed.

6. Conclusions

This paper proposes a natural-watermarking approach for local detection of FDI attacks in two-stage PV inverters. A HIL testbed with a grid-following inverter demonstrated that the two proposed attack indicators can quickly detect noise injection and replay attacks during steady-state conditions, while irradiance-driven DC-link fluctuations can function as a natural watermark and reveal model-based attacks that would otherwise remain undetectable. A modified hardware inverter platform further verified robustness to non-ideal sensing, component deviations, and real-time implementation constraints. The required computation was also shown to be compatible with standard inverter control tasks. These results should be interpreted within the proposed threat model and validation scope, noting that the natural watermark is most effective when irradiance changes produce DC-link voltage transients and that prolonged periods of constant irradiance may delay detection of stealthy model-based attacks. The method also relies on a protected DC-link voltage measurement, implementation-specific threshold tuning, and hardware validation that demonstrates implementation robustness rather than full reproduction of the HIL PV system. However, these results show that naturally occurring voltage fluctuations can serve as a non-invasive watermark for advanced attack detection without interfering with the normal inverter operation. Natural watermarking therefore provides a locally implementable detection method for revealing advanced FDI attacks when secure DC-link variations are present. Future work will expand the attack models to include partially informed and adaptive attackers, extend the approach to inverter-dominated microgrids, and develop mitigation strategies to reduce the impact of detected attacks.