Vulnerability Assessment of Electrical Cyber-Physical Systems against Cyber Attacks

The integration of modern computing and advanced communication with power grids has led to the emergence of electrical cyber-physical systems (ECPSs). However, the massive application of communication technologies makes the power grids become more vulnerable to cyber attacks. In this paper, we study the vulnerability of ECPSs and develop defence strategies against cyber attacks. Detection and protection algorithms are proposed to deal with the emergency of cascading failures. Moreover, we propose a weight adjustment strategy to solve the unbalanced power flows problem which is caused by splitting incidents. A MATLAB-based platform with advantages of easy programming, fast calculation, and no damage to systems is built for the offline simulation and analysis of the vulnerability of ECPSs. We also propose a five-aspect method of vulnerability assessment which includes the robustness, economic costs, degree of damage, vulnerable equipment, and trip point. The study is of significance to decision makers as they can get specific advice and defence strategies about a special power system.


Introduction
Nowadays, cyber-physical systems (CPSs) are becoming increasingly pervasive across the critical infrastructures [1]. A cyber-physical system is an integration of computing and communication with physical systems [2]. Embedded computers monitor and control physical processes, usually with feedback loops, where physical processes affect computations and vice versa [3,4]. This integration dramatically enhances the controllability, adaptability, autonomy, efficiency, functionality, reliability, safety, and usability of the original system. Examples of CPSs include transportation systems [5], defensive weapon systems [6], industrial systems [7], and energy systems [8] (such as oil systems, water systems, and power systems).
However, cyber-physical attacks are posing great threats to the safety and security of cyber-physical systems. Cyber-physical interactions in these systems make cross-domain attacks, specifically cyber-physical attacks, possible. Attackers may use cyber attack techniques (involving viruses, worms, and denial of service) in communication networks to cause damage to the physical system or use means of physical attacks in the physical system to cause disruptions in the communication network. In addition, these attacks can be applied comprehensively to achieve collaborative cyber-physical attacks. The objectives of cyber-physical attacks are usually achieved via threat propagation within the cyber and physical systems. According to the Industrial Control System Cyber Emergency Team reports [9], major cyber threats (such as cyber attacks and computer worms) against critical cyber-physical infrastructures have increased from 9 incidents in 2009 to 257 incidents in 2013.
The blackout of the Ukrainian power systems that happened in 2016 shows the fragility of the electrical cyber-physical systems (ECPSs) under cyber attacks [10]. The integration of traditional power grids and modern communication networks into ECPSs has improved the efficiency of the stand-alone power systems [11][12][13]. However, the introduction of communication makes power systems vulnerable to cyber attacks, which has already become a serious problem that needs to be solved [14]. Thus, studying the vulnerability of ECPSs has become an important topic recently. On this issue, research efforts have been undertaken along three different approaches.
The first approach focuses on analyzing the vulnerability of ECPSs caused by safety loopholes based on a specific cyber attack, such as denial of service attacks [15], false data injection attacks [16], and undetectable cyber attacks [17]. Cardenas et al. [18] summarized that sensor measurements and control commands were avenues of cyber-physical attacks. Mo et al. [19] argued that existing security approaches were either inapplicable, not viable, insufficiently scalable, incompatible, or simply inadequate to address the challenges posed by highly complex environments such as the smart grid. Rahman et al. [20] pointed out that the vulnerability of ECPSs was caused by deceived bad data detection tests with attackers compromising some of the power grid measurements. Liu et al. [21] showed that the key real-time operational tools (for example, State Estimator) of the electric power grids were vulnerable to false data injection attacks. Based on these points, studies [22,23] improved the detection strategies in estimators. Pasqualetti et al. [24] studied attack detection for descriptor systems by geometric control theory. Pooranian et al. [25] proposed a random response approach to achieve strong privacy and minimize the privacy leakage based on data-deduplication. However, these strategies are only effective for a special attack or situation. If there are multiple attacks, these methods may not be helpful. Therefore, it is necessary to find a way which can deal with a more complex situation.
The second approach assesses the vulnerability of ECPSs based on models in order to enhance the system security. Buldyrev et al. [26] modeled ECPSs and quantified the vulnerability of the systems using the theory of complex networks. Shao et al. [27] described the relationship of communication networks and power grids with multiple support-dependence relations. Guo et al. [28] summarized the effectiveness indicators of power grids based on the topology information of ECPSs. Nezamoddini et al. [29] measured the damage of cyber attacks in terms of the load curtailment and addressed the problem of the transmission system security with an optimization model. Wei et al. [30] considered ECPSs as multi-agent dynamic systems and proposed a flocking-based paradigm for security control. Chen et al. [31] introduced a two-player zero-sum game between the adversary and the defender to evaluate the performance of defense mechanisms with different network configurations. Although these models can be used to assess the vulnerability of ECPSs, the theory of complex networks can only be used to analyze the topological characteristics of ECPSs, not considering the electrical information. State equations of generators are not suited to analyzing large-scale transmission grids.
In the third approach, scholars concentrate on the development of smart grid cyber-physical system testbeds for vulnerability analyses. Carlini et al. [32] presented a cyber-physical power system framework based on the service-oriented architecture for experimental results. Wang et al. [33] provided a simulation environment to model the process of supervisory control and data acquisition (SCADA) system vulnerability exploitations. In Reference [34], the Optimized Network Engineering Tools (OPNET) was extended to simulate wide-area communication networks in power systems where the power system dynamic simulation was simplified as a virtual demander. NS-2 [35] was also a popular and open source discrete-event simulator developed to facilitate the simulation of communication networks. In some of the testbeds [36,37], actual data acquisition and actuator components (remote terminal unit (RTU), phasor measurement unit (PMU), and intelligent electronic device (IED)) were integrated with the power system simulators using middleware to enable hardware-in-the-loop (HIL) simulations. In summary, different simulation platforms and approaches integrating existing simulators have been proposed with different purposes and limitations. Several simulation paradigms of communication networks (such as time delay or packet loss) are no longer a concern in smart grids.
Our research focuses on establishing a complete evaluation procedure of vulnerability analysis with ECPSs considering cyber attacks. For this purpose, we have developed our study from three aspects in Figure 1: model, platform, and assessment. The model approach is suitable for large-scale systems (as shown in References [13,38]). In this paper, we will first go on with the study of the simulation platform with advantages of easy programming, fast calculation, and no damage to systems, and secondly, propose a convincing and comprehensive vulnerability assessment from five aspects.
This paper has two contributions. The first is a MATLAB-based platform (R2013a, The MathWorks, Inc., Natick, MA, USA, 2013) for the offline simulation and analysis of the vulnerability of ECPSs. This platform has advantages of easy programming, fast calculation, and no damage to systems. The protection procedure of ECPSs under cyber attacks and the algorithms for detection and protection when dealing with a cascading failure are embedded as functions. The proposed simulation platform has great compatibility and expansibility in which operators can easily change the algorithm without changing the inputs.

Existing power simulation platforms and approaches integrating existing simulators like Matpower (V6.0, R. D. Zimmerman, C. E. Murillo-Sánchez, and R. J. Thomas, Ithaca, NY, USA, 2017), PSCAD (X4, Manitoba-HVDC research centre, Winnipeg, MB, Canada, 2014), and PSASP (V7.0, China electric power research institute, Beijing, China, 2011) can be used for analyzing both steady states and transient states. However, when dealing with a simulation of the propagation of cascading failures, these simulators are not convenient because the topology of the power grid will be changed after a splitting accident. Detailed comparisons with existing solution approaches of vulnerability analyses with ECPSs are shown in Table 1.
The second contribution is a comprehensive approach to vulnerability assessments. The five aspects of the vulnerability assessment include robustness, economic costs, the degree of damage, vulnerable equipment, and trip point. Associated with the simulation results obtained by our platform, we can have a thorough comprehension of the vulnerability in ECPSs. Additionally, decision-makers can get specific advice and defence strategies from this system against cyber attacks based on the results.
Existing indicators (such as node degree, cluster coefficient, and node betweenness) are mainly proposed in the research area of complex networks. These indicators cannot represent the relationship of power flows and topologies.
The rest of this paper is organized as follows. The modeling framework for ECPSs is presented in Section 2. Section 3 introduces the solution approaches for fault detections, protection procedures, and adjustment strategies. The aspects of vulnerability assessment and simulation platform are illustrated in Section 4. Section 5 analyzes the vulnerability with numbers of examples with the IEEE 39-bus system based on our proposed simulation platform. Section 6 concludes the paper. Section 7 discusses future works.

Framework of ECPSs
As we have introduced in Reference [13], the proposed framework comprehensively considers the characteristics of the power grids, communication facilities, and their interdependent relationships.

Model of ECPSs
Owing to the wide application of sensors, routers, controllers, and actuators in ECPSs, power grids and communication networks deeply interact with each other. According to Parandehgheibi's study [39], the topology of a power grid can be abstracted as a graph $G(V, E)$, where $V$ and $E$ represent power buses and branches, respectively. Similarly, the topology of a communication network can be abstracted as $G_c(V_c, E_c)$, where $V_c$ and $E_c$ represent communication nodes and lines, respectively.
In our framework, each bus or branch in a power grid is equipped with a controller and a sensor. That is to say, we consider a highly intelligent smart grid. Figure 2 shows the framework of a regional ECPS. In this two-layer model, the upper layer with nodes numbered 1 to 10 represents a communication network, and $C_k$ is the control center, while the lower layer with power nodes labeled A to E and breakers on branches labeled b-1 to b-5 represents a power grid. The dashed lines with double-sided arrows are information channels between the power grids and communication networks. In the real world, ECPSs in a large area can be divided into several regional ECPSs by physical distances or locations. In this paper, we consider each regional ECPS to be governed by a local control center $C_k$ with a centralized control structure, while in large-scale areas, several regional ECPSs are controlled by a distributed control structure.
Appl. Sci. 2018, 8, x FOR PEER REVIEW 5 of 17
Figure 2. The framework of a regional ECPS.

DC Power Flow
The Direct Current (DC) power flow model [40] is used to calculate the distribution of power flows. The DC power flow model converts nonlinear problems into linear circuit problems. It clearly reflects the overload phenomenon but greatly reduces the calculation. Although the model has an error of generally 5%, it is acceptable when we estimate the performance of large-scale ECPSs.
Define $B \in \mathbb{R}^{|V| \times |V|}$ as the conductance matrix associated with a power grid. Let $\theta$ and $p \in \mathbb{R}^{|V|}$ be the phases and power injection at the buses, respectively. Let $F \in \mathbb{R}^{|V| \times |V|}$ be the matrix of the power flows of the branches. Then a DC power flow model can be described as: where $i \ne j$, $i, j \in 1, 2, \ldots, |V|$.
As for communication networks, this paper is concerned more with the impacts on ECPSs under attack than with the mechanism of different cyber attacks. So we define the relationships of communication networks to power grids to be the control function. A detailed solution approach covering fault detections, protection procedures, and adjustment strategies will be introduced in the next section.

Solution Approach
In an ECPS, when a branch is tripped, the control center will first find out the possible faulty nodes, and then apply the procedure to protect the system. In this section, we first introduce algorithms for detection and protection and then propose methods for adjustment strategy.

Localization of Possible Faults
In a power grid $G = (V, E)$, let $V_G, V_L \subseteq V$ represent the sets of generators and loads, respectively, and let $E$ represent the set of branches. If the system is attacked by uplink or downlink spoofing attacks, the control center cannot receive the alerting signal.
Definition 1. The distance of nodes $i$ and $j$: the distance $L_{ij}$ of nodes $i$ and $j$ is defined as the length of the shortest path from node $i$ to node $j$.
Definition 2. The possible fault set of branch $(i, j)$: a set of nodes $S = \{g_1, g_2, \ldots, g_m, l_1, l_2, \ldots\}$ is a possible fault set of branch $(i, j)$ if $S$ satisfies the following two conditions simultaneously: (1) for $\forall g_k \in S$ and $\forall p \in V_G$, there are $g_k \in V_G$ and $L_{ig_k} \le L_{ip}$ (or $L_{jg_k} \le L_{jp}$); (2) for $\forall l_w \in S$ and $\forall q \in V_L$, there are $l_w \in V_L$ and $L_{il_w} \le L_{iq}$ (or $L_{jl_w} \le L_{jq}$).
Algorithm 1 is proposed to identify the possible fault set of branch (i, j).

Algorithm 1 Identify the possible fault set
3: Calculate the distances $L_{ri}$ and $L_{rj}$, respectively (not including the path $(i, j)$)
4: Identify nodes that have the shortest distance to node $i$
5: Identify nodes that have the shortest distance to node $j$
6: End
7: For $1 \le r \le |V_L|$, $r \ne i, j$
8: Calculate the distances $L_{ri}$ and $L_{rj}$, respectively (not including the path $(i, j)$)
9: Identify nodes that have the shortest distance to node $i$
10: Identify nodes that have the shortest distance to node $j$
11: End
12: Combine steps 4, 5, 9, and 10 to get the possible fault set $S$
Remark 1. Algorithm 1 is used to deal with the situations in which an overload is caused by uplink or downlink spoofing attacks. It should be pointed out that Algorithm 1 will be used $n$ times if there are $n$ overloaded branches.
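A sketch of Algorithm 1 in Python, added here as an illustration and not taken from the paper's MATLAB platform. It assumes distances are hop counts; the 7-bus topology, the bus numbers and the function names are constructed for the example.

```python
from collections import deque

def bfs_dist(adj, src, skip):
    """Hop distance from src to every reachable bus, ignoring branch `skip`."""
    banned = {skip, skip[::-1]}
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if (u, v) in banned or v in dist:
                continue
            dist[v] = dist[u] + 1
            queue.append(v)
    return dist

def nearest(dist, candidates, exclude):
    """All candidates at the minimum distance (ties kept), skipping `exclude`."""
    reach = {n: dist[n] for n in candidates if n in dist and n not in exclude}
    if not reach:
        return set()
    best = min(reach.values())
    return {n for n, d in reach.items() if d == best}

def possible_fault_set(edges, generators, loads, branch):
    """Generators and loads closest to either end of the overloaded branch.

    Distances are measured with the branch itself removed, and the two
    end buses are not candidates (r != i, j in Algorithm 1).
    """
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    fault = set()
    for end in branch:
        dist = bfs_dist(adj, end, branch)
        fault |= nearest(dist, generators, set(branch))
        fault |= nearest(dist, loads, set(branch))
    return fault

# Constructed 7-bus grid: buses 1 and 7 are generators, 3, 4 and 6 are loads.
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (2, 6), (5, 7)]
GENERATORS = {1, 7}
LOADS = {3, 4, 6}

if __name__ == "__main__":
    # Branch (2, 3) is overloaded but no alert reached the control center.
    print(sorted(possible_fault_set(EDGES, GENERATORS, LOADS, (2, 3))))
```

The returned set is the list of buses whose measurements or commands the control center should check first when an overload appears without a matching alert.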

Protection Procedure of ECPSs under Cyber Attacks
Based on Algorithm 1, in this section, we introduce the protection procedure of ECPSs considering cyber attacks. The procedure begins with a tripped branch and follows the steps below:
(a) Judge the connectivity of the system after cutting off a branch.
(a-1) If there is a splitting incident, then go to step (b).
(a-2) If there is no separation of the system, directly go to step (f).
(b) Identify the main area as the remaining system after splitting.
(b-1) If there is a main area, go to step (c).
(b-2) If there is no main area, go to step (i).
(c) Upload the changed topology and electrical information to the control center.
(d) Make decisions with the unbalanced power in the control center.
(e) Download and adjust the control strategies to the appointed generators.
(f) Update the topology and electrical information to the control center for calculation.
(g) Calculate the power flow.
(h) Search for the overloaded branches.
(h-1) If there are overloaded branches, cut off the branches and go back to step (a).
(h-2) If there is no overloaded branch, then go to step (i).
(i) End the procedure, record the loss.
In power systems, splitting incidents caused by cutting off the overloaded branches may lead to serious cascading failure propagation, especially in ECPSs. Owing to the topology change, related electrical information will be changed, which will consequently influence the stability, robustness, and safety margin of the system. Algorithm 2 is used to assess the damage degree of a system using tools from graph theory when there is an overloading incident. By analyzing the connectivity of the system, the splitting incident is considered a special situation. Let $L \in \mathbb{R}^{|V| \times 1}$ be the area label vector, with $l_k \in L$ as the area label of node $k$, $k \in 1, 2, \ldots, |V|$.
Remark 2. Note that n is the number of different values of elements in L. If all the elements in L are the same, then there is no splitting and n = 1.
Based on the results from Algorithm 2, we know whether there is a splitting incident and how many areas the system will be separated into when cutting off an overloaded branch. However, according to Kirchhoff's laws, not every separated area can still be a functional subsystem. The control center needs to identify the main area of the system.
According to the results in Algorithm 2, assume that the power grid $G(V, E)$ is separated into $n$ ($n \in \mathbb{Z}$) parts. The $i$th part is abstracted as $G_i(V_i, E_i)$, $i \in 1, 2, \ldots, n$. Algorithm 3 is used to search for the main area after a splitting incident with the standard of the maximum numbers of generators and loads.
Let $K = [k_1, k_2, \ldots, k_n]$ and $M = [m_1, m_2, \ldots, m_n]$ be the vectors of the numbers of generators and loads, respectively.
Algorithm 3 Search for the main area after splitting
3: Count $k_i$ and $m_i$
4: if $k_i + m_i > t$
5: $j = i$, $t = k_i + m_i$
6: End if; end; end
7: Output $j$
So the $j$th area is the main system after the splitting incident.
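The protection procedure (a) to (i), together with the area labelling of Algorithm 2 and the main-area search of Algorithm 3, can be traced end to end on a small grid. The Python below is an added illustration, not the paper's MATLAB code: it uses the standard DC power flow form (solve B·θ = p, then F_ij = b_ij(θ_i − θ_j)), rebalances with the simple average adjustment, and runs on a constructed 5-bus case whose names and values are assumptions.

```python
def solve(a, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[piv] = m[piv], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x

def dc_flows(nodes, branches, inj):
    """DC power flow on one connected area: solve B*theta = p with nodes[0]
    as the angle reference, then F_ij = b_ij * (theta_i - theta_j)."""
    idx = {bus: k for k, bus in enumerate(nodes)}
    n = len(nodes)
    B = [[0.0] * n for _ in range(n)]
    for (i, j), (b, _cap) in branches.items():
        B[idx[i]][idx[i]] += b
        B[idx[j]][idx[j]] += b
        B[idx[i]][idx[j]] -= b
        B[idx[j]][idx[i]] -= b
    reduced = [row[1:] for row in B[1:]]
    theta = [0.0] + solve(reduced, [inj[bus] for bus in nodes[1:]])
    return {(i, j): b * (theta[idx[i]] - theta[idx[j]])
            for (i, j), (b, _cap) in branches.items()}

def area_labels(nodes, branches):
    """Area label vector L: buses with the same label are still connected."""
    label = {}
    for start in nodes:
        if start in label:
            continue
        label[start] = len(set(label.values())) + 1
        stack = [start]
        while stack:
            u = stack.pop()
            for i, j in branches:
                v = j if i == u else i if j == u else None
                if v is not None and v not in label:
                    label[v] = label[start]
                    stack.append(v)
    return label

def main_area(label, gens, loads):
    """Area with the most generators plus loads (the first one wins ties)."""
    best, top = None, 0
    for area in sorted(set(label.values())):
        members = {bus for bus, l in label.items() if l == area}
        count = len(members & gens) + len(members & loads)
        if count > top:
            best, top = members, count
    return best

def cascade(nodes, branches, inj, gens, loads, first_trip):
    """Run steps (a)-(i) from an initial tripped branch; returns the loss record."""
    nodes, branches, inj = list(nodes), dict(branches), dict(inj)
    branches.pop(first_trip)
    tripped = [first_trip]
    while True:
        label = area_labels(nodes, branches)                  # step (a)
        if len(set(label.values())) > 1:                      # splitting incident
            keep = main_area(label, gens, loads)              # step (b)
            live = sorted(gens & keep) if keep else []
            if not live:                                      # no main area: (i)
                return {"buses": [], "tripped": tripped, "inj": inj}
            nodes = [bus for bus in nodes if bus in keep]
            branches = {e: v for e, v in branches.items()
                        if e[0] in keep and e[1] in keep}
            delta_p = -sum(inj[bus] for bus in nodes)         # steps (c)-(d)
            for g in live:                                    # step (e), average rule
                inj[g] += delta_p / len(live)
        flows = dc_flows(nodes, branches, inj)                # steps (f)-(g)
        over = [e for e, f in flows.items() if abs(f) > branches[e][1] + 1e-9]
        if not over:                                          # step (h-2) -> (i)
            return {"buses": nodes, "tripped": tripped, "inj": inj}
        for e in over:                                        # step (h-1)
            tripped.append(e)
            del branches[e]

# Constructed 5-bus case: branch -> (susceptance, capacity in MW); injections in MW.
BUSES = [1, 2, 3, 4, 5]
BRANCHES = {(1, 2): (1.0, 100.0), (1, 3): (1.0, 100.0), (3, 4): (1.0, 18.0),
            (2, 4): (1.0, 100.0), (4, 5): (1.0, 100.0)}
INJ = {1: 60.0, 2: 60.0, 3: -40.0, 4: -40.0, 5: -40.0}
GENS, LOADS = {1, 2}, {3, 4, 5}

if __name__ == "__main__":
    print(cascade(BUSES, BRANCHES, INJ, GENS, LOADS, first_trip=(1, 2)))
```

In this case branch (3, 4) carries 15 MW before the trip, is pushed to 20 MW once (1, 2) is lost, trips, and splits the grid; buses 2, 4 and 5 survive with generator 2 raised by the lost 20 MW.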

Method of the Control Center under Unbalanced Power
If an ECPS suffers a splitting incident, based on Algorithm 3, the remaining buses in the main area will lead to an unbalanced power distribution. The control center will collect the electrical information of the buses in the main area, calculate the unbalanced power, and adjust the outputs of each of the generators. The method proposed in this paper can be applied in three situations:
Situation I: If the splitting incident only causes the separation of generators, the remaining generators in this area must increase their outputs to keep the balance between supply and demand. The total amount of the increased power should be $\Delta P = \sum P^*_{gen}$, where $\sum P^*_{gen}$ is the sum of the lost generator outputs.
Situation II: If the splitting incident only causes the separation of loads, the remaining generators in this area must decrease their outputs to keep the balance between supply and demand. The total amount of the reduced power should be $-\Delta P = \sum P^*_{load}$, where $\sum P^*_{load}$ is the sum of the lost loads.
Situation III: If the splitting incident causes both the separation of generators and loads, the control center should first calculate the unbalanced power by $\Delta P = \sum P^*_{gen} + \sum P^*_{load}$. If $\Delta P > 0$, take the same strategy as in Situation I; if $\Delta P < 0$, take the same strategy as in Situation II; and if $\Delta P = 0$, take no adjustment strategy.
Remark 3. In the above generator power adjustment method, the distribution of the total unbalanced power to each generator should be decided in weighted terms. The specific distribution methods will be introduced in Algorithm 4.
Algorithm 4 is used to calculate the weighted adjustment of each generator in the main area after the splitting incident. Generators near the tripped buses may be distributed with higher weighted terms. Let $V'_G \subset V'$ be the set of generators in the main area $G' = (V', E')$ after the splitting incident.

Algorithm 4 Calculate the weighted adjustment
1: Input $G'$, $\Delta P$ and the tripped branch $(i, j)$ with node $m$ (generator or load bus)
2: Let $l = w = [0, 0, \ldots, 0]$, $S = 0$
3: For $k = 1 : |V'_G|$
4: Reconnect branch $(i, j)$ to $G'$, and calculate $L_{km}$, $l(k) = L_{km}$, $S = S + 1/l(k)$
5: End
6: For $k = 1 : |V'_G|$
7: Calculate the weight $w(k) = (1/l(k))/S$ and the adjustment $P^w_k = \Delta P \cdot w(k)$
8: End
Remark 4. If the adjusted output of a generator is beyond the output limit, then modify the output of this generator to the nearby limit. The rest of the total power adjustment value should be $\Delta P' = (\Delta P - \sum P^w_i) + \sum (P^w_i - \Delta P^{limit}_i) = \Delta P - \sum \Delta P^{limit}_i$, where $P^w_i$ is the weighted adjustment output of generator $i$ and $\Delta P^{limit}_i$ is the actually adjustable output of generator $i$.
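A worked version of Algorithm 4 with the limit handling of Remark 4, written in Python as an added example rather than the paper's own code. It takes the distances $L_{km}$ as input, weights each generator by $1/L_{km}$ normalised by $S$ so that nearer generators take the larger share, and assumes that the remainder left by a generator at its limit is redistributed among the generators that still have headroom; generator names, outputs and limits are constructed.

```python
def weighted_adjustment(delta_p, dist, output, p_min, p_max):
    """Split the unbalanced power delta_p (MW) over the main-area generators.

    dist[g] is L_gm, the distance (>= 1) from generator g to the tripped bus m.
    Returns (adjust, unserved): the per-generator change in output and the
    part of delta_p that no generator could absorb.
    """
    adjust = {g: 0.0 for g in dist}
    free = set(dist)                  # generators that have not hit a limit
    remaining = delta_p
    while free and abs(remaining) > 1e-9:
        s = sum(1.0 / dist[g] for g in free)
        # w(g) = (1 / L_gm) / S, recomputed over the generators still free
        share = {g: remaining * (1.0 / dist[g]) / s for g in free}
        remaining = 0.0
        for g, want in share.items():
            limit = p_max[g] if want > 0 else p_min[g]
            room = limit - (output[g] + adjust[g])
            step = min(want, room) if want > 0 else max(want, room)
            adjust[g] += step
            if step != want:          # Remark 4: clamp to the nearby limit
                remaining += want - step
                free.discard(g)
    return adjust, remaining

def economic_cost(adjust):
    """Cost proxy used in the assessment: sum of the adjusted outputs."""
    return sum(abs(v) for v in adjust.values())

# Constructed main area with three generators (values in MW).
DIST = {"G1": 1, "G2": 2, "G3": 4}
OUTPUT = {"G1": 90.0, "G2": 50.0, "G3": 40.0}
P_MIN = {"G1": 0.0, "G2": 0.0, "G3": 0.0}
P_MAX = {"G1": 100.0, "G2": 80.0, "G3": 80.0}

if __name__ == "__main__":
    # 30 MW of generation was lost in the split: G1 is nearest but has only
    # 10 MW of headroom, so the rest moves to G2 and G3 in a 2:1 ratio.
    print(weighted_adjustment(30.0, DIST, OUTPUT, P_MIN, P_MAX))
```

A non-zero second return value means the main area cannot be balanced by generator adjustment alone.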

Vulnerability Assessment and Simulation Platform
According to Section 3.2, it can be seen that, when dealing with a problem of overloading, every step will need the cooperation of sensors, routers, controllers, and actuators. However, the system is vulnerable because a small fault may lead to a serious cascading failure in ECPSs owing to the strong coupling between the power grids and the communication networks.

Vulnerability Assessment Aspects
In China, the data of the electrical communication systems in power grid systems are not open currently. These communication systems are equipped with special transmission lines which guarantee high bandwidth for data exchange. Hence, in the following discussion, we assume that bandwidth is not a concern. In this section, we assess the impacts of power grids in ECPSs.
In the power grids, the major electrical properties include node (generator or load) constraints, branch capacity limits, and flow direction. The major topological properties include numbers of nodes, connectivity, and the degree of nodes. All of these properties have an effect on the vulnerability of the power grids. Therefore, in this section, we propose thorough assessment procedures from five aspects which take the above properties into account.
(a) The stability and robustness of the system. In this procedure, we randomly cut off a branch, balance the power supplies and demands, redistribute the power flow, and count the number of remaining buses. At last, we calculate the proportion of the numbers of remaining buses. A system is said to have good stability against a single tripped branch if none of the nodes will be split during the procedure, while the system has bad stability if the system will suffer a cascading failure owing to the tripped branch. As for robustness assessment, the statistics show that a system has good robustness if the system is stable in most of the faulty situations, but not vice versa.
(b) The vulnerable branches which will cause higher economic costs. When a branch is randomly cut off from the grid, the consequential balance of power supplies and demands leads to economic cost. The economic cost can be represented by the sum of adjusted outputs of the generators (Algorithm 4) along the shortest path which is defined in Section 3. Generally speaking, the tripped branches which will lead to higher economic costs should be protected by some specific methods.
(c) The vulnerable branches which will lead to serious damage. If we randomly cut off a branch, the degree of damage will be represented by the number of remaining buses or branches after cascading failures. The tripped branch which leads to fewer remaining buses or branches is more vulnerable.
(d) Vulnerable nodes against extra power injection. Randomly choose a power node (generator or load), inject the same amount of power, and recalculate the power flows on the branches. A node is vulnerable if the power injection will cause other lines to overload. The result is influenced by both the topological and electrical properties.
(e) The trip point of the cascading failure propagation. It reflects the controllability of a system. The trip point is the point when the number of remaining buses decreases the fastest. In a discrete system, the duration of cascading failures is replaced by the number of loops in the procedure. The system has more time to deal with the emergency if the trip point appears slowly.

Simulation Platform
In this section, we build a MATLAB-based platform for the offline simulation and analysis of the vulnerability of ECPSs from the five aspects in Section 4.1. The detailed system configuration we used is listed in Table 2. Three necessary settings are required before the simulation: (i) input the topology of a power grid and related electrical information; (ii) input the locations of sensors, routers, and actuators; and (iii) specify the initial tripped branch (or the amount of power injection and the ID of a power node) and the protection algorithms. Then the proposed program will give vulnerability assessments of the system based on the simulation results.
In the simulation, the IEEE 39-bus system (including 10 generators, 21 loads, and 46 branches) is used as an example (Figure 3). We assume that the sensors, routers, and actuators are located at each bus and branch. Figure 4 shows the flowchart of the platform for the offline simulation of the performance of ECPSs under different faults. The program begins with a situation selection. In CASE 1, the program user randomly selects a power node and sets the amount of the power injection, and the program first searches for the overloaded lines. In CASE 2, the user randomly selects a branch $(i, j)$ as the initial triggering event and trips the line; the ECPS then goes through the protection and control procedures.

Discussion
In this section, we assess the vulnerability of the ECPSs and provide protection suggestions based on the simulation results provided by the simulation platform developed in this work.
In CASE 1, we set the initial power injection as ∆P = {50, 100, 150, 200, 250} MW. The extra injection of the power can successfully be injected into a power bus if ∆P is within the capacity limitation. When ∆P > 250 MW, almost half of the loads are beyond the limitation. Table 3 shows 8 situations in which the extra injection will cause an overloading incident. Table 3 also lists the IDs of possible fault power nodes based on Algorithm 1.
Remark 6. The upper right mark '(*)' on node ID represents the different power injection. For example, ID = 25 (3-5) means that the node with ID = 25 will cause a line overload with ∆p_3 = 150, ∆p_4 = 200, and ∆p_5 = 250.
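The CASE 1 sweep above, as an added example that is not the paper's MATLAB platform or its Algorithm 1: a DC power flow on a constructed 4-bus ring that injects each ∆P at each bus and records, in the index notation of Remark 6, which sweep values overload a branch. The network, susceptances, capacities, and the choice of bus 0 as a slack bus that absorbs the extra power are assumptions made for illustration.

```python
# Constructed 4-bus ring (NOT the IEEE 39-bus case). Bus 0 is the slack generator.
# branch (i, j) -> (susceptance, capacity in MW); INJ is net injection per bus in MW.
BRANCHES = {(0, 1): (1.0, 150.0), (1, 2): (1.0, 120.0),
            (2, 3): (1.0, 75.0), (0, 3): (1.0, 100.0)}
INJ = [160.0, -40.0, -80.0, -40.0]
DELTA_P = [50, 100, 150, 200, 250]      # MW, the CASE 1 sweep values
SLACK = 0                               # assumption: slack absorbs the extra power

def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting (small dense systems)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def dc_flows(branches, inj):
    """DC power flow: solve B*theta = P with theta[SLACK] = 0, return MW per branch."""
    n = len(inj)
    B = [[0.0] * n for _ in range(n)]
    for (i, j), (b, _) in branches.items():
        B[i][i] += b; B[j][j] += b
        B[i][j] -= b; B[j][i] -= b
    keep = [k for k in range(n) if k != SLACK]
    sol = solve([[B[r][c] for c in keep] for r in keep], [inj[r] for r in keep])
    theta = [0.0] * n
    for k, t in zip(keep, sol):
        theta[k] = t
    return {(i, j): b * (theta[i] - theta[j]) for (i, j), (b, _) in branches.items()}

def load_rates(branches, inj):
    """Load rate Q = |flow| / capacity for every branch."""
    flows = dc_flows(branches, inj)
    return {br: abs(flows[br]) / cap for br, (_, cap) in branches.items()}

def case1_sweep(branches, inj, deltas=DELTA_P):
    """For each non-slack bus, map sweep index k (1-based) to branches with Q > 1."""
    result = {}
    for bus in range(len(inj)):
        if bus == SLACK:
            continue
        for k, dp in enumerate(deltas, start=1):
            trial = inj[:]
            trial[bus] += dp            # extra injection at this bus
            over = [br for br, q in load_rates(branches, trial).items() if q > 1.0]
            if over:
                result.setdefault(bus, {})[k] = over
    return result
```

On this constructed network, bus 3 would be written as ID = 3 (3-5) in the notation of Remark 6, while bus 1 never overloads a line.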
Four important conclusions are made based on the simulation results. First, buses 12, 20, 21, 23, 25, 26, 28, and 29 are vulnerable buses against a single power injection, and bus 20 is the most vulnerable bus in the system. Second, the overloaded branches such as (6, 11), (16, 19), (21, 22), and (23, 24) are vulnerable to power flow change. The two possible explanations include the initial higher load rate Q (such as Q_(6,11) = 70.4%, Q_(16,19) = 76.7%, Q_(21,22) = 67.7%, and Q_(23,24) = 59% (Q_average = 35.9%)) and the unreasonable partial design of topology (like branches (2, 25) and (28, 29)). Third, in this system, the branches near the generators have higher capacity limitations with no generator node being vulnerable. This partial design is worth learning. Last, the results in Table 1 also demonstrate the efficiency of Algorithm 1. In seven of eight situations with ten overloaded branches, the accuracy of the proposed algorithm is 90%.
In CASE 2, the simulation program begins with a tripped branch. Table 4 presents 20 possible simulation results which will cause cascading failures, with the ID of the initial faulty branch, the number of remaining branches and buses, the economic cost, and running time in the table. Table 3 does not include the situations if cutting off branches will not disturb the original operation. In order to verify the superiority of Algorithm 4, we take the strategy using average adjustments for comparison. Note that 'A' represents the average adjustments and 'W' represents the weighted adjustments. Based on the simulation results, Figure 5 shows the stability of the system. It can be seen that among the 46 branches, if a branch is randomly tripped, the system is still stable with a probability of
Figure 6 presents the vulnerability from the aspect of economic costs. Strategies of average and weighted adjustments are shown together (the black line with circle marks represents the costs with weighted adjustments, while the green line with star marks represents the costs with average adjustments). The X-axis is the ID of the initial tripped branch. It can be seen from Figure 4 that if branches (10, 11), (10, 32), (19, 33), (20, 34), or (23, 36) are cut off at the beginning, the government will pay much more for repairing the system after the cascading failures. Comparing these two lines, we can also conclude that the weighted adjustment in Algorithm 4 is more economical than the average one. A significant advantage against the average strategy is that the system with a weighted strategy can largely ease the degree of severe cascading failures (such as branch (16, 21), (21, 22), and (23, 24)).
However, in this example, there are four situations in which cutting off a branch with the weighted adjustment will aggravate the cascading failures compared with average adjustment. We have marked these four situations (branches (6, 11), (16, 19), (19, 20) and (20, 34)) with the dashed lines in Figure 7.
Inspired by CASE 1, we find that these four lines have high initial load rates Q (Q_(6,11) = 52.4%, Q_(16,19) = 42.9%, Q_(19,20) = 49.8%, and Q_(20,34) = 70.5% (Q_average = 35.9%)). Branches (6, 11) and (16, 19) are also vulnerable lines in CASE 1. This phenomenon reflects a limitation of our proposed algorithm. If the branches near the tripped power node have a high initial load rate, the weighted adjustment based on the distance may have a higher probability to cause a severe failure.
Appl. Sci. 2018, 8, x FOR PEER REVIEW 14 of 17

Figure 7 shows a positive relationship between the remaining branches (blue line with circle marks) and buses (dark green line with star marks) of the system with a weighted adjustment strategy. From the figure, we can find the vulnerable branches which will lead to a serious damage. Cutting off branches (6, 11), (16, 21), (21, 22) or (23, 24) will lead to a rapid decrease of the node scale, which means a serious cascading failure.
Figure 8 gives us a deep understanding of the relationship between the trip point and cascading failure propagation caused by splitting incidents. Each shape of mark and its related color line in the figure represent a vulnerable branch. We pick up 9 of the vulnerable branches mentioned above and count the remaining buses after each split and protection procedure. It can be seen that the relationship of time and propagation of cascading failures is nonlinear, but with the increase of loops, the system may suffer a jump point (blue dashed line), in which the size decreases rapidly.

Conclusions
In this paper, we have established a complete evaluation procedure of vulnerability analysis with ECPSs considering cyber attacks. Firstly, a MATLAB-based platform for the offline simulation and analysis of the vulnerability of ECPSs was proposed. This platform has advantages of easy programming, fast calculation, and no damage to the systems. The protection procedure of ECPSs under cyber attacks and algorithms about detection and protection when dealing with a cascading failure are embedded by functions. Compared with the existing power simulation platforms and approaches integrating existing simulators like Matpower, PSCAD, or PSASP, our platform has a higher performance when dealing with the propagation of cascading failures.
Secondly, this paper has presented a comprehensive approach to vulnerability assessment. Existing indicators (such as node degree, cluster coefficient, node betweenness) are mainly proposed in the research area of complex networks. These indicators cannot represent the relationship of power flows and topologies. Our proposed indicators of vulnerability assessment include robustness, economic costs, the degree of damage, vulnerable equipment, and trip point. Associated with the simulation results obtained by our platform, we can have a thorough comprehension of the vulnerability in ECPSs. Additionally, decision-makers can get specific advice and defence strategies of this system against cyber attacks based on the results.

Future Works
In the future, based on this platform, we will focus on studying fault detection and the prediction of ECPSs using the algorithm of Neural Networks. We may replace the DC power flow model with an AC power flow model in order to get a higher precision.

Figure 1. A complete evaluation procedure of vulnerability analysis.

Figure 2. The framework of a regional ECPS.

Figure 3. The topology of the IEEE 39-bus system.

Figure 4. The flow chart of the simulation platform.

Figure 5. The performance of the system under faults.

Figure 6. The economic costs of protection.

Figure 7. The remaining buses and branches in the system.

Figure 8. The propagation of cascading failures.

Table 1. The comparisons with existing solution approaches of vulnerability analyses with electrical cyber-physical systems (ECPSs).

If there are n generators and loads tripped at a splitting incident, Algorithm 4 should be used for dealing with each tripped bus, respectively.

Table 2. The system configuration.

Table 3. The CASE 1 result.

Table 4. The CASE 2 results.