Modeling and Recognition of Latent False Data Injection Attacks on Distributed Cluster Control of Distribution Network

Abstract

The cyber–physical deep integration in distribution networks containing distributed generators (DGs) enables false data injection attacks (FDIAs) through data tampering in monitoring systems, posing cross-domain threats to power system security. Effective FDIA identification methods remain unavailable for distribution networks containing DGs under distributed cluster control. The cyber–physical interaction characteristics are systematically analyzed in the cyber–physical system (CPS) of distribution networks containing DGs under distributed cluster control. A latent FDIA model is established with a specific attack penetration pattern being revealed. The operational impact mechanism of latent FDIAs on distributed cluster control is theoretically elucidated. A synchronous detection signal-based localization methodology is developed for latent FDIAs, coupled with an attack signal computation algorithm. These innovations enable dynamic attack identification and proactive signal isolation, thereby facilitating subsequent defense operations by system operators. Simulation results confirm the effectiveness of the proposed dynamic identification method for latent FDIAs in distribution networks containing DGs.

1. Introduction

The penetration of DGs, particularly wind and photovoltaic systems, has driven rapid development in distribution networks containing DGs [1,2]. Concurrently, CPSs are being extensively deployed in power systems. In the distribution network CPS, data protocol conversion is implemented through interactive devices (e.g., gateways and switches), while communication security requirements are fulfilled via fiber optics and Ethernet, based on the data transmission specifications and collaborative objectives of the control center–communication network–control terminal–physical network architecture [3,4]. Through this framework, real-time grid state observation and effective reference values are enabled for the control center [5,6]. However, the deep cyber–physical coupling characteristics of CPSs create vulnerabilities for attackers to disrupt distribution network operations through cyber attacks [7]. Specifically, cyber attacks against distribution networks containing DGs may induce DG control failures, thereby compromising system security [8,9].

Two control paradigms are identified for DGs in distribution networks based on CPS communication architectures: centralized and decentralized control [10]. The centralized approach, featuring one-to-many communication, suffers from interference susceptibility and low reliability. Although decentralized control enables dedicated controller-based individual regulation through one-to-one communication, it fails to achieve coordinated optimization across multiple controlled objects. These limitations have prompted the adoption of distributed cluster control [11,12]. In this paradigm, peer-to-peer controlled objects receive reference values from the distribution network control center. Control information is propagated through local communication networks. State updates are computed in a distributed way by aggregating information from neighboring nodes according to predefined update rules [13]. This approach facilitates regional DG cluster management and reduces communication infrastructure requirements. Nevertheless, despite firewall configurations, authentication mechanisms, and encrypted service message protocols in existing systems, the wireless private network architecture between CPS access and terminal layers remains vulnerable to cyber attacks [14]. Specifically, FDIAs can be launched against distributed cluster control systems through manipulated electrical measurement data, ultimately disturbing normal grid operations [15].

FDIAs can either immediately compromise information systems to paralyze physical infrastructure or covertly infiltrate to seize control of physical systems [16]. Depending on malicious intent, FDIAs can be categorized into latent and disruptive phases. By constructing specific attack vectors to manipulate measurements in Supervisory Control and Data Acquisition (SCADA) systems, attackers induce deviations in system states while keeping tracking errors unchanged, thereby evading anomaly detection mechanisms in the distribution network Energy Management System (EMS) to implement latent attacks [17]. These attacks employ covert data manipulation and progressive disruption strategies [18], initially driving the system into vulnerable states through subtle disturbances, and subsequently triggering control failures via pre-injected signals to cause cascading failures.

Defending against multi-stage FDIAs has threefold coupled challenges: latent attacks dynamically optimize attack vector covariance matrices to achieve progressive data manipulation while preserving tracking error statistics, creating significant blind zones in conventional residual-based detection due to residual space compression [19]; the phase transition process dynamically correlates with vulnerability indices (e.g., line loading ratios and DG power fluctuations), compelling defenders to identify attack migration thresholds under multivariate state constraints; and most critically, latent signals persistently alter DG unit output characteristics through distributed control architectures, enabling subsequent destructive attacks to induce instability with low-energy perturbations [20]. This cross-phase synergy between coordinated attacks and system vulnerabilities necessitates defense strategies to simultaneously resolve multidimensional challenges encompassing latent attack recognition, vulnerability assessment, and dynamic response optimization within limited time windows, constituting a critical threat to distributed cluster control [21]. Therefore, identifying the latent FDIA is the key to preventing the distribution networks containing DGs from being further damaged.

Existing research predominantly focuses on attack–defense games and the post-disruption isolation of disruptive FDIAs [21,22], with limited attention to latent attacks. While [23] analyzes FDIA characteristics from attacker perspectives, it neglects latent–disruptive phase distinctions. Although an attack–defense game strategy is proposed in [24], cross-domain attack propagation mechanisms remain unaddressed. Current detection methods, summarized in [25], exhibit high communication dependencies, proving inadequate for distributed cluster control scenarios with requirements for real-time performance and low false alarm rates. Fundamental challenges persist, including unclear cyber–physical interaction mechanisms under latent attacks and suboptimal detection methodologies.

This paper establishes a latent FDIA model for distribution networks containing DGs under distributed cluster control, revealing an attack penetration pattern that compromises CPSs without affecting the active power output of DG clusters. A synchronous detection signal-based localization methodology and attack signal computation algorithm are developed to enable the distributed dynamic identification of latent FDIAs, thereby supporting proactive defense measures against potential system damages. The main contributions of this work are systematically articulated through three interconnected components. First, a CPS model embedding latent FDIAs is developed to capture the latent intrusion dynamics. Building upon this foundation, the propagation mechanism of latent attacks is analytically characterized. Furthermore, a dynamic identification framework incorporating adaptive signal isolation is proposed to mitigate attack impacts. Finally, the effectiveness and resilience of the methodology are rigorously validated through simulations with the IEEE 34-node distribution network benchmark.

2. Cyber–Physical Interaction Characteristics in Distributed Cluster Control of Distribution Network

The increasing penetration of DGs is driving the evolution of traditional distribution networks into distribution networks centered on coordinated multi-type DG operations. Modern distribution networks exhibit significant compositional heterogeneity in DG portfolios, predominantly comprising inverter-interfaced units such as photovoltaics, direct-drive wind turbines, and fuel cells. These units’ output characteristics critically depend on inverter control strategies, where the real-time regulation of active/reactive current components enables the precise tracking of power reference values.

Under a distributed cluster control architecture, distribution networks containing DGs implement topological reconfiguration and resource aggregation through virtual power plant (VPP) technology. This approach dynamically aggregates geographically adjacent and control-compatible DG units into virtual clusters with unified regulation interfaces. The control center leverages a consensus algorithm to generate cluster-level power references, enabling distributed coordination among DG units via communication networks. This operational paradigm ensures equitable power sharing while driving the system toward globally optimal operating points through iterative state-update processes [26]. Notably, the escalating DG penetration intensifies cyber–physical coupling complexities. Inverter control latencies and communication delays directly influence cluster dynamic response characteristics, presenting critical technical challenges requiring breakthroughs in attack–defense mechanisms for distribution networks containing DGs.

The CPS architecture for distribution networks containing DGs under distributed cluster control is illustrated in Figure 1. The CPS architecture establishes bidirectional connectivity between cyber and physical layers through communication links. Based on communication topology interfaces, physical-layer DGs are classified into two categories: reference-interface DG (RI-DG) and topology-collaborative DG (TC-DG) [27,28]. These correspond to the reference-interface cyber node (RI-CN) and the topology-collaborative cyber node (TC-CN) in the cyber layer, respectively. The RI-CN serves as a unique cluster-level interface with the distribution network control center, while TC-CNs maintain direct/indirect communication with the RI-CN.

In Figure 1, DG₁ is the RI-DG, and the cyber node CN₁ is the RI-CN. DG₂, DG₃, and DG₄ are TC-DGs. CN₁ is connected to the control center. CN₁ receives both real-time reference values from the control center and real-time output power from the cluster. The reference values of CN₂, CN₃, and CN₄ come from CN₁. Each CN sends the reference values to the corresponding DGs so that the output power of the DG cluster can track the reference values. For a distributed cluster of n DGs, the control objective can be written as follows:

$$f=\underset{P}{\min }{\left(P_{\mathrm{out}}\left(\mathit{P}\right)-P_{\mathrm{ref}}\right)}^2$$

(1)

where $P_{\mathrm{out}}$ is the active power output from the DG cluster; $P_{\mathrm{ref}}$ is the active power reference value of the DG cluster; and $\mathit{P}$ is the vector consisting of the active power of each DG in the cluster, which can be expressed as follows:

$$\mathit{P}={\left[P_{D{\mathrm{G}}_1},P_{D{\mathrm{G}}_2},P_{D{\mathrm{G}}_3},\cdots ,P_{D{\mathrm{G}}_{\mathrm{n}}}\right]}^{\mathrm{T}}$$

(2)

where P_DG1, P_DG2, …, and P_DGn present the active power of each DG in the cluster, and n is the number of DGs in the cluster.

The individual DG active power ratio is defined as follows:

$${\xi }_i={\displaystyle \frac{P_{D{\mathrm{G}}_i}}{P_{D{\mathrm{G}}_i,\max }}}$$

(3)

where ${\xi }_i$ is the active power ratio from the ith DG in the cluster; $P_{D{\mathrm{G}}_i}$ is the active power from the ith DG in the cluster; and $P_{D{\mathrm{G}}_i,\max }$ is the active capacity from the ith DG.

To ensure synergistic power sharing while maintaining controllability, the active power ratio control objective is established as follows:

$${\displaystyle \frac{P_{D{\mathrm{G}}_1}}{P_{D{\mathrm{G}}_1,\max }}}={\displaystyle \frac{P_{D{\mathrm{G}}_2}}{P_{D{\mathrm{G}}_2,\max }}}=\cdots ={\displaystyle \frac{P_{D{\mathrm{G}}_{\mathrm{n}}}}{P_{D{\mathrm{G}}_{\mathrm{n}},\max }}}=\xi *$$

(4)

where $\xi *$ is the synergistic active power ratio of DGs.

A discrete-time leader–follower consensus algorithm is employed for distributed implementation. Designated as the leader, CN₁ receives reference values issued by the control center and cluster power measurements and, at the same time, adjusts the active power ratio of the next moment k + 1 according to the active power ratio of the current moment k. When the active power output from the cluster is greater than the reference value, the active power ratio from DG₁ tends to increase, and DG₁ outputs more active power and also transmits the active power ratio information through the communication link, so that the TC-DG generates more active power to compensate for the active power output deficit of the DG cluster, and vice versa. When the active power output deficit of the DG cluster is larger, the variation in the active power ratio from DG₁ is also larger. As the active power output deficit reduces to zero, the variation amplitude of the active power ratio from DG₁ also reduces to zero accordingly, and finally, the active power ratio from DG₁ completes the convergence. The RI-DG active power ratio ${\xi }_1$ is updated temporally through the following:

$$\begin{array}{l}{\xi }_1(k+1)=\min \left\{\max \left[{\xi }_1\left(k\right)+\right.\right.\\ \left.\left.\epsilon \left(P_{\mathrm{ref}}\right(k)-P_{\mathrm{out}}(k\left)\right),0\right],1\right\}\end{array}$$

(5)

where $\epsilon$ is the convergence factor, which is between 0 and 1, and $P_{\mathrm{out}}\left(k\right)$ and $P_{\mathrm{ref}}\left(k\right)$ are the active power output from the DG cluster and the reference value at moment k, respectively. The difference between $P_{\mathrm{out}}\left(k\right)$ and $P_{\mathrm{ref}}\left(k\right)$ is the cluster active power control error at moment k, which, multiplied with the convergence factor, is the updating step of the active power ratio from DG₁ at moment k + 1.

RI-CN is the pivotal node in the cyber layer, which needs to reliably update the active power ratio and pass it to the neighboring CNs through the communication link. For TC-DG, as a follower DG, the CN of TC-DG receives the active power ratio passed by the parent CN and updates the active power ratio at moment k + 1, which is weighted by computing the differences between the active power ratios of the parent CNs and the active power ratio of themselves at moment k to achieve the cooperative tracking of the active power ratio of the TC-DG to the parent DGs. When co-tracking the active power ratio to the parent DGs, the updating principle is as follows:

$${\dot{\xi }}_j(k+1)={\displaystyle \sum _{j^{-}\in {\mathsf{\Omega }}_j}{a}_{j^{-}j}}\left[{\xi }_{j^{-}}\left(k\right)-{\xi }_j\left(k\right)\right]$$

(6)

where j is the identifier of the TC-CN; j⁻ represents the parent CN identifier of the jth TC-CN in the communication topology; ${\mathsf{\Omega }}_j$ represents the set of all parent CNs directly governed by the jth TC-CN; $a_{j^{-}j}$ is the communication coupling gain parameter between the jth and j⁻th TC-CNs [29]; and ${\dot{\xi }}_j(k+1)$ is the differential of the active power ratio from the jth TC-CN at moment k + 1.

When the cluster active power output converges to the reference value, the active power ratio of the RI-DG converges to a specific value. According to the level-by-level updating characteristic of the active output power ratio of the TC-DG, the convergence of the active power ratio of the RI-DG determines the convergence of the active power ratios of the child TC-DGs. All the remaining TC-DGs can also realize the level-by-level convergence of the active power ratio based on Equation (6). Eventually, the active power ratios of the DGs in the cluster converge to the same value.

Figure 2 delineates the operational workflow. Reference values are dispatched from cyber to physical layers, with power measurements fed back to the cyber layer. Following ratio updates at CN₁, neighboring nodes (CN₂ and CN₃) perform localized computations using received ${\xi }_1$ and local measurements. Through the same mechanism, the updated power ratio ${\xi }_2$ is received by CN₄, and the adjustment of ${\xi }_4$ is subsequently completed. This hierarchical update propagates through the communication network, ensuring coordinated power adjustments across all DGs. Final cluster output updates are completed when all nodal computations converge.

3. Latent False Data Injection Attack Modeling for Distributed Cluster Control of Distribution Network

FDIAs are implemented through the injection of attack-corrupted state variables into communication devices or links, thereby compromising measurement and transmission integrity. In a distribution network containing DGs under distributed cluster control, RI-CNs are typically equipped with enhanced defense mechanisms. Consequently, TC-CNs with weaker security configurations are preferentially targeted for FDIAs.

The latent FDIA is characterized by attack vectors that evade bad data detection (BDD) mechanisms in EMS while maintaining compliance with control objectives defined in Equations (1) and (4). This stealthy behavior prevents attack detection by system operators. At moment k₀, the FDIA against the jth TC-DG active power ratio is mathematically formulated as follows:

$${\hat{\xi }}_j(k_0)={\xi }_j(k_0)+{\lambda }_j^a$$

(7)

where ${\hat{\xi }}_j$ is the visual result of the active power ratio of the jth TC-DG following the FDIA; the superscript ^ characterizes the variable following the attack signal; and ${\lambda }_j^a$ signifies the injected attack signal.

The sampling frequency in DG cluster systems is typically set at 5–10 times the maximum effective frequency, exceeding Nyquist theorem requirements. This configuration not only effectively prevents truncation errors arising from integral approximation processes but also maintains rigorous power tracking accuracy with guaranteed stability margins under non-ideal operating conditions, including quantization noise and communication delays, as validated in [30].

Under FDIAs, the jth TC-DG active power ratio is updated at moment k₀ + 1 as follows:

$$\left\{\begin{array}{l}{\stackrel{\dot{^}}{\xi }}_j(k_0+1)={\displaystyle \sum _{j^{-}\in {\mathsf{\Omega }}_j}{a}_{j^{-}j}}\left({\xi }_{j^{-}}\left(k_0\right)-{\hat{\xi }}_j\left(k_0\right)\right)\\ {\hat{\xi }}_j(k_0+1)={\stackrel{\dot{^}}{\xi }}_j(k_0+1)\Delta t{|}_{k_0}^{k_0+1}+{\hat{\xi }}_j(k_0)+{\lambda }_j^{\mathrm{a}}\end{array}\right.$$

(8)

The attack signal against the jth TC-DG persists at each sampling moment, so the active power ratio of the jth TC-DG is updated according to Equation (8) at any moment from moment k₀ forward.

The persistent nature of attack signals ensures continuous ratio updates according to Equation (8). For child DGs of the jth TC-DG, the visualized active power ratio becomes:

$$\left\{\begin{array}{l}{\stackrel{\dot{^}}{\xi }}_{j^{+}}(k_0+1)={\displaystyle \sum _{j^{-}\in {\mathsf{\Omega }}_j}{a}_{j{j}^{+}}}\left({\hat{\xi }}_j\left(k_0\right)-{\xi }_{j^{+}}\left(k_0\right)\right)\\ {\hat{\xi }}_{j^{+}}(k_0+1)={\stackrel{\dot{^}}{\xi }}_{j^{+}}(k_0+1)\Delta t{|}_{k_0}^{k_0+1}+{\xi }_{j^{+}}(k_0)\end{array}\right.$$

(9)

where j⁺ represents the child CN identifier of the jth TC-CN in the communication topology.

The attack propagation mechanism is analytically revealed through Equations (7)–(9). The RI-DG active power ratio is initially altered at moment k₀ + 1 when a TC-CN is compromised at moment k₀. Cascading impacts propagate to the child DGs over subsequent time steps. And uncompromised TC-DGs maintain normal operations through Equation (8).

The hierarchical structure divides the DG cluster into n_c levels, where attacks targeting the wth level require at least max(n_c − w, w − 1) time steps to affect all DGs. Crucially, the fundamental relationship between RI-DG active power ratio and cluster power deviation according to Equation (5) remains intact. After attack-induced deviations in the TC-DG’s active power ratio, provided that the aggregate power disturbance does not exceed the regulation capacity of the RI-DG, the following is shown:

$$\epsilon {\displaystyle \sum _{k=k_0}^{\infty }\left|e\left(k\right)\right|}<\min \left(\xi *,1-\xi *\right)$$

(10)

where $e\left(k\right)$ is the active power output deviation of the cluster at moment k, $e\left(k)=P_{\mathrm{out}}\right(k)-P_{\mathrm{ref}}$, and $\min \left(\xi *,1-\xi *\right)$ is the upper limit of RI-DG’s regulating capacity.

Combining Equations (5), (6), (8), and (9) gives the following active power ratio steady-state deviation of the jth TC-DG:

$$\Delta {\hat{\xi }}_{j,\mathrm{ss}}={\displaystyle \frac{{\lambda }_j^a}{\Delta t\cdot a_{j^{-}j}+\epsilon {\lambda }_j^a{P}_{\mathrm{D}{\mathrm{G}}_j,\max }{(1-\epsilon )}^{-(w-1)}}}$$

(11)

where $\Delta {\hat{\xi }}_{j,\mathrm{ss}}$ is active power ratio steady-state deviation of the jth TC-DG, $\Delta {\hat{\xi }}_{j,\mathrm{ss}}=\underset{k\to \infty }{\lim }\left({\hat{\xi }}_j\left(k\right)-\xi *\right)$, and $\Delta t$ is the time interval between two neighboring sampling moments of the discrete control system.

Combining Equations (10) and (11) yields a sufficient condition for the attack signal to achieve latency:

$${\lambda }_j^a<{\displaystyle \frac{\Delta t\cdot a_{j^{-}j}\cdot \min \left(\xi *,1-\xi *\right)}{1-\epsilon P_{D{\mathrm{G}}_j,\max }{(1-\epsilon )}^{-(w-1)}}}$$

(12)

Despite attack-induced active power ratio shifts, convergence is still achieved due to the attack signal through the negative feedback regulation of the RI-DG in Equation (5) and the active power ratio tracking principle of the TC-DGs in Equation (6) as long as Equation (12) holds true. The sustained fulfillment of Equations (1) and (4) confirms the latent attack characteristics.

4. Latent False Data Injection Attack Recognition Method for Distributed Cluster Control of Distribution Network

4.1. Localization Methodology for Latent False Data Injection Attack

A synchronous detection signal-based localization methodology is proposed for latent FDIAs in distribution networks containing DGs under distributed cluster control, leveraging the attack’s persistent signal injection characteristics. The methodology consists of two sequential phases: synchronized detection signal generation and dynamic latent attack identification. Synchronized detection signals are generated in real-time using operational measurement data, followed by latent attack recognition index computation through a time-series analysis of these signals by TC-DGs.

The technical foundation lies in the behavioral divergence between attacked and normal TC-DGs. When a latent FDIA occurs at moment k₀, the compromised jth TC-DG exhibits persistent attack signal superposition in active power ratio updates, as formalized by the following:

$$x_j(k)=\left|\begin{array}{c}{\hat{\xi }}_j\left(k\right)-{\hat{\xi }}_j(k-1)-\hfill \\ \left({\displaystyle \sum _{j^{\sum }\in {\mathsf{\Omega }}_j}{a}_{j^{-}j}}\left({\hat{\xi }}_{j^{-}}(k-1)-{\hat{\xi }}_j(k-1)\right)\right)\Delta t{|}_{k-1}^k\end{array}\right|$$

(13)

where $x_j\left(k\right)$ is the synchronized detection signal generated by the jth TC-DG at moment k. This signal remains non-zero for all time steps from moment k₀ onwards due to continuous attack influence, while uncompromised TC-DGs are maintained as $x_j(k)=0$ through Equation (9).

Practical implementation challenges arise from information disturbances such as communication delays and packet loss [31], which may induce false-positive detection signals in unaffected TC-DGs. To address this, transient disturbances are distinguished from persistent attacks through dynamic time warping (DTW) distance analysis. Time series of synchronized detection signals are constructed as follows:

$$\begin{array}{c}{X}_j(l)=\left\{x_j(l-\mathrm{m}+1),x_j(l-\mathrm{m}+2),\cdots ,\right.\\ \left.x_j(l-\mathrm{m}+p),\cdots ,x_j(l)\right\}\end{array}$$

(14)

where $X_j\left(l\right)$ is the time series of the synchronized detection signal generated by the jth TC-DG at moment l, and $x_j(l-\mathrm{m}+p)$ is the pth element in the time series. The time-series length m is usually configured according to the following principle, where the synchronization detection signal computational window exceeds the maximum duration of the information interference:

$$\mathrm{m}>{\mathrm{m}}^{\prime }=F_D^{-1}(1-\alpha )=-{\displaystyle \frac{\ln \alpha }{\lambda }}$$

(15)

where $F_D^{-1}(\cdot )$ is the inverse cumulative distribution function of D, D is the information disturbance duration, D is assumed to follow an exponential distribution with parameter λ, and its probability density function is $f_D\left(d\right)=\lambda e^{-\lambda d}$ [32]; 1 − α is the confidence level; and typical disturbances have ${\lambda }^{-1}=1.2$ cycles [33]. Setting α = 0.05 yields a theoretical lower bound ${\mathrm{m}}^{\prime }$, which is 3.6 cycles.

The DTW-based dynamic recognition index is formulated as follows:

$$F{Q}_j\left(l)={\alpha }_{j}d\right(X_j\left(l\right),0)$$

(16)

where ${\alpha }_j$ is an adjustment factor greater than zero, ${\alpha }_j$ is set as ${\mathrm{m}}^{\prime }/\mathrm{m}$ to maintain dimensional consistency between the index and its threshold while enabling a cross-comparison of recognition indices across multiple DGs within the cluster; and $d\left(X_j\right(l),0)$ is the DTW distance between the time series of the synchronized detection signals and the zero series:

$$d(X_j(l),0)=\min {\displaystyle \sum _{k=1}^{N_k}{b}_k}$$

(17)

where the number of elements of both $X_j\left(l\right)$ and the zero series is m; $N\left(k\right)$ is the number of sub-distance components in the DTW distance, which is between m and 2m − 1; and $b_k$ represents the distance between the pth element in the time series $X_j\left(l\right)$ and the qth element in the zero series, which is defined as follows:

$$b_k=s_{p,q}=\left|x_j(l-\mathrm{m}+p)-0\right|$$

(18)

The subsequent term $b_{k+1}$ is derived from $b_k$, which is obtained by selecting the minimum value from the set $\{s_{p,q+1},s_{p+1,q}\}$. The starting and ending points of the DTW distance, $b_1$ and $b_{N_K}$, are initialized as $s_{1,1}$ and $s_{\mathrm{m},\mathrm{m}}$, respectively.

The DTW distance reflects the similarity of two synchronous detection signal time series. In the DTW distance, the two time series do not need to have the same length, so it is suitable for sequences that are not synchronized due to communication delays and packet loss [34]. A larger DTW distance indicates significant dissimilarity between the sequences, whereas a smaller value implies higher similarity. The latent FDIA dynamic recognition index, as formulated in Equation (16), exclusively computes the DTW distance between locally generated and stored synchronous detection signal time series of TC-DGs and a zero series. This design eliminates inter-node communication dependencies while enhancing computational efficiency to ensure real-time detection of the latent FDIA. Due to the persistent influence of attack signals, the dynamic recognition index of TC-DGs compromised by the latent FDIA consistently exceeds that of unaffected TC-DGs. Consequently, localization criteria are established through threshold comparisons:

$$F{Q}_j(l)>K_{\mathrm{rel}}F{Q}_{\mathrm{th}}$$

(19)

where $K_{\mathrm{rel}}$ is the reliability factor, and $F{Q}_{\mathrm{th}}$ is the threshold value of the latent FDIA recognition index, which is calibrated from maximum disturbance-induced deviations during five-cycle simulations.

When the latent FDIA dynamic recognition index of the jth TC-DG satisfies Equation (19), it is determined that the jth TC-DG suffers from the latent FDIA, and the jth TC-CN generates a latent FDIA identifier ${\gamma }_j$ with the value of 1. Otherwise, the generated latent FDIA identifier is 0. The process of the localization method for the latent FDIA against distribution networks containing DGs under distributed cluster control is shown in Figure 3.

The active power ratio update rule for TC-DG is revised based on the localization result of the latent FDIA and discrepancies in the attack identifier, as follows:

$${\dot{\xi }}_j(k+1)=h_j{\displaystyle \sum _{j^{-}\in {\mathsf{\Omega }}_j}{a}_{j^{-}j}}{g}_{j^{-}j}\left[{\xi }_{j^{-}}\left(k\right)-{\xi }_j\left(k\right)\right]$$

(20)

where $h_j$ is the latent FDIA recognition parameter of the jth TC-DG, $h_j=1-{\gamma }_j$, and $g_{j^{-}j}$ is the coupling recognition parameter of the jth TC-DG with the parent DG, $g_{j^{-}j}=1-{\gamma }_{j^{-}}$.

If the CPS of distribution networks containing DGs under distributed cluster control successfully identifies that the latent FDIA occurs in the jth TC-DG, then ${\gamma }_j=1$, $h_j=0$, and ${\dot{\xi }}_j(k+1)=0$, demonstrating that the jth TC-DG stops the co-tracking of the active power ratio of the parent DG. Meanwhile, the coupling recognition parameter $g_{\mathit{jj}+}$ of the jth TC-DG has a child DG equal to 0, demonstrating that the jth TC-DG cuts off the cluster communication connection with the child DG, and the active power ratios of the child DGs no longer track the active power ratio of the jth TC-DG.

The enhanced distributed cluster control strategy, as formulated in Equation (20), isolates the TC-DG compromised by the latent FDIA, thereby deactivating the affected TC-DG from the distributed cluster control. This isolation prevents the propagation of the latent FDIA signals injected into the compromised TC-DG within the DG cluster, enabling the system to operate with n − 1 DGs. If the child DGs that solely communicate with the target TC-DG exist, the differential term of the active power ratio for such child DGs becomes zero, resulting in the temporary deactivation from the cluster control. Upon completing the mitigation of the attack signal, the attack identifier of the target TC-DG is reset to zero, allowing both the target TC-DG and the child DGs to rejoin the distributed cluster control.

4.2. Recognition Method for Latent False Data Injection Attack Signal

Based on the latent FDIA process in distribution networks containing DGs under distributed cluster control, this paper proposes a latent FDIA signal recognition method. After successfully locating and isolating the TC-DG following the latent FDIA, the correlation coefficient of the time series of continuous synchronous detection signals is used to compute the latent FDIA signal and upload it to the distribution network control center. It could make it easy for the manager to eliminate the potential hazards in the system by deploying the defense resources and preventing attackers from continuing to launch the disruptive FDIA based on the latent FDIA signal in order to disrupt the normal operation of distribution networks. If the latent FDIA occurs at moment k, after locating the latent FDIA, the time-series correlation coefficient of the synchronized detection signal generated by the target TC-DG at any two consecutive moments from moment k onwards is computed as follows:

$$r_j(l)=\left|{\displaystyle \frac{{\displaystyle \sum _{p=1}^{\mathrm{m}}{x}_{l-1,j}(p)x_{l,j}(p)}}{\sqrt{{\displaystyle \sum _{p=1}^{\mathrm{m}}{x}_{l-1,j}^2(p)}{\displaystyle \sum _{p=1}^{\mathrm{m}}{x}_{l,j}^2(p)}}}}\right|$$

(21)

where $r_j\left(l\right)$ is the correlation coefficient between l − 1 and l moments, which is between 0 and 1, and $x_{l-1,j}\left(p\right)$ and $x_{l,j}\left(p\right)$ are elements in the time series of synchronized detection signals of TC-DG_j at moments l − 1 and l.

The correlation coefficient of TC-CN_j at moments l − 1 and l represents the degree of similarity of the time series $X_j(l-1)$ and $X_j\left(l\right)$. The closer the value of $r_j$ is to 1, the higher the correlation between the two time series. The time series of the synchronized detection signals generated by TC-CN_j at moment l may have moments that do not follow the latent FDIA, demonstrating that $X_j\left(l\right)$ may contain zero elements. So, it is necessary to compute the correlation coefficients of the time series of TC-CN_j at any two consecutive moments from moment k forward in order to obtain the time series that have all non-zero elements. Since this non-zero element is the synchronized detection signal under the latent FDIA, the latent FDIA signal can be computed by finding the average value of all non-zero elements in the time series.

The correlation coefficient $r_j\left(l\right)$ is compared with the threshold value $r_{\mathrm{th},j}$ to ensure that the elements in the time series $X_j(l-1)$ and $X_j\left(l\right)$ are all non-zero elements. Based on the number of elements of the time series shown in Equation (14), the threshold value $r_{\mathrm{th},j}$ is determined based on the fact that $X_j(l-1)$ contains m-1 non-zero elements while $X_j\left(l\right)$ consists entirely of non-zero elements. Only when $r_j\left(l\right)$ is greater than the threshold value are $X_j(l-1)$ and $X_j\left(l\right)$ judged to be highly similar; at this time, all elements in $X_j(l-1)$ and $X_j\left(l\right)$ are greater than zero, which can be used to compute the latent FDIA signal. If $r_j\left(l\right)$ is less than the threshold value, it is iterated to the next moment, the active power ratio at moment l + 1 is acquired, and the synchronized detection signal of the target TC-DG_j is computed. Then, the time series $X_j(l+1)$ is updated, the correlation coefficient $r_j(l+1)$ between $X_j\left(l\right)$ and $X_j(l+1)$ is computed, and comparisons with the threshold value are continually made. The process is repeated until the correlation coefficient is greater than the threshold.

When $r_j\left(l\right)$ is greater than the threshold, the latent FDIA signal acting on the target TC-DG_j can be obtained based on the non-zero element being the latent FDIA signal:

$${\lambda }_j^{\mathrm{a}}={\displaystyle \frac{1}{2\mathrm{m}}}\left({\displaystyle \sum _{p=1}^{\mathrm{m}}{\mathrm{x}}_{l-1,j}\left(p\right)}+{\displaystyle \sum _{p=1}^{\mathrm{m}}{\mathrm{x}}_{l,j}\left(p\right)}\right)$$

(22)

The block diagram of the dynamic recognition for the latent FDIA is shown in Figure 4, which mainly includes the DG control module, the latent FDIA localization module, and the latent FDIA signal recognition module. The latent FDIA localization module incorporates synchronous detection signal generation and dynamic recognition index generation. Active power output data acquired from the DG controller are injected into this module, where the output power ratios of individual DGs are calculated in real time via Equation (3). Subsequently, the output power ratios of TC-DGs and their parent DGs are combined to generate synchronized detection signals through Equation (13). Following this, the time series of synchronized detection signals is constructed using Equation (14), and the latent FDIA dynamic recognition index is derived via Equation (16), enabling attack localization through Equation (19).

The latent FDIA signal recognition module comprises correlation coefficient computation, threshold discrimination, and attack signal calculation. Upon successful localization of the compromised TC-DG, the latent FDIA signal recognition protocol is activated. The targeted DGj disengages from distributed cluster control based on Equation (20) and computes the correlation coefficient using synchronized detection signal time series from two consecutive time steps via Equation (21). If the correlation coefficient exceeds the predefined threshold, the attack signal is calculated through Equation (22) and transmitted to the distribution network control center. Otherwise, the computation iterates with updated time-step data until the threshold condition is satisfied.

After acquiring the attack signal, the distribution network control center initiates defensive measures such as injecting suppression signals or switching to backup sensor data streams [35].

5. Case Study

The effectiveness of the proposed latent FDIA dynamic recognition method is validated through an IEEE 34-node test system implemented in MATLAB/Simulink R2022b. As illustrated in Figure 5, DGs are integrated at nodes 822, 828, 832, 838, and 848, adopting a distributed cluster control strategy. Active power output from the DG cluster to node 812 is centrally regulated through the control center. DG₁ operates as the primary RI-DG with a 6 MW capacity, while DG_2-3 and DG_4-5 function as secondary and tertiary TC-DGs with 4 MW and 3 MW capacities, respectively. Constant power loads (0.6 MW each) are deployed with an RI-DG convergence coefficient of 0.1. The correlation coefficient threshold for synchronized detection signal time series is set at 0.99.

The cluster active power reference value is initially set to 3.5 MW, then modified to 6.5 MW at t = 1.5 s. An information disturbance of size 0.05 acts on DG₄ at t = 0.6 s, with a disturbance period of five cycles. A persistent latent FDIA signal (amplitude = 0.2, which is satisfied with Equation (12)) is injected into the active power ratio of DG₃ at t = 0.8 s. Figure 6 demonstrates normal operational characteristics: the cluster tracks the 3.5 MW reference by t = 0.51 s with all DG active power ratios converging to 0.325. Subsequent reference value switching to 6.5 MW triggers rapid retracking, achieving renewed convergence at 0.475. These results confirm that the control objectives in Equations (1) and (4) remain unaffected by reference value changes.

Information disturbance and attack impacts are analyzed in Figure 7. The information disturbance causes fluctuations in the cluster active power output and the active power ratio of each DG at t = 0.6 s, but the effect of the fluctuations caused by the information disturbance is also suppressed when it ends. Cluster active power fluctuations occur at t = 0.8 s following attack initiation, with final tracking achieved at t = 1.15 s (3.5 MW) and t = 2.04 s (6.5 MW). The active power ratio of DG₃ exhibits 0.2 deviation at t = 0.8 s, propagating to other DGs as per Equations (7)–(9). Despite these transients, all ratios ultimately reconverge, confirming the non-disruptive nature of the latent attack. From Figure 7, it can be seen that the active power fluctuations caused by both latent attack and information disturbance can be suppressed by the synergistic mechanism shown in Equations (5) and (6), thus realizing the control objectives shown in Equations (1) and (4).

Further, comparative experiments are conducted using the latent FDIA dynamic recognition method proposed in this paper and the traditional residual constraint-based bad data detection method [36], and the simulation results are shown in Figure 8, respectively. In the method proposed in this paper, the detection mechanism employs a 12-element time series (m = 12) with an adjustment factor of ${\alpha }_j$ = 0.3. Thresholds are calibrated using a maximum index from five-cycle disturbance simulations set at $F{Q}_{\mathrm{th}}$ = 1.5. As shown in Figure 8a, pre-attack indices, including the duration of the information disturbance, remain reliably below thresholds. Post-attack DG₃ indices persistently exceed thresholds despite reference switching-induced fluctuations at t = 1.5 s, demonstrating method robustness. In the residual detection method, the nodal active and reactive power injection vectors, as well as branch active power and reactive power vectors of the distribution network, are used as measurement vectors, while the voltage magnitude and phase angle of each node are used as state vectors. The two parameters of the measurement residual of six physical quantities, such as 822, 828, 832, 838, and 848 nodal active powers and 812-850 branch active powers, are calculated and judged whether they are out of bounds or not in order to recognize the occurrence of latent FDIAs. The detection threshold is determined as 3 based on the general false detection probability [7]. As shown in Figure 8b, the residuals are shown as a red solid line, and the residual fluctuation caused by the information disturbance acting on DG₄ at t = 0.6 s and the latent attack signal acting on DG₃ at t = 0.8 s cannot lead to the residual result overstepping the limit, which indicates that the detection of undesirable data of the distribution network based on the fixed residual constraints cannot identify the occurrence of the latent FDIA effectively. Combined with Figure 8a and Figure 8b, compared with the residual detection method, the proposed method in this paper can effectively recognize the occurrence of latent FDIAs and can distinguish between latent FDIAs and information disturbance with high recognition reliability.

Based on Equation (20), to improve the active power ratio update rule of each TC-DG at t = 1.5 s, DG₃, DG_4, and DG₅ adjust active power ratios according to the results of localization. The active power output of the DG cluster and the active power ratio of each DG in the cluster are shown in Figure 9.

Attack isolation is implemented at t = 1.2 s through Equation (20). Figure 9 shows DG_3-5 being deactivated from cluster control, freezing their power ratios at 3.25 MW. DG_1-2 maintain normal operation, achieving 6.5 MW tracking by t = 1.89 s with a converged ratio of 0.625. This confirms effective attack containment without compromising overall control objectives.

Final validation computes attack signal magnitude through Equations (20) and (21). As shown in

Table 1. Correlation coefficient of synchronous detection signal time series.

l	r3 (l)	l	r3 (l)
1	0.7071	7	0.9354
2	0.8165	8	0.9428
3	0.8660	9	0.9487
4	0.8944	10	0.9896
5	0.9129	11	0.9901
6	0.9258	12	0.9911

, the correlation coefficient between DG₃’s 10th and 11th post-attack samples is 0.9901, which exceeds the 0.99 threshold. The computed attack signal magnitude (0.1977) shows minimal error (0.0023) from the actual injection (0.2), demonstrating high detection accuracy.

6. Conclusions

This study addresses the critical challenges of high concealment and severe threat potential posed by latent FDIAs targeting CPSs in distribution networks containing DGs under distributed cluster control. Through the establishment of a latent FDIA model for distribution networks containing DGs, three core research questions are systematically addressed:

(1) Mechanism of Attack Concealment: By analyzing the dynamic propagation process of latent FDIAs within the CPS of distribution networks containing DGs, this work reveals the cyber–physical coupling paths through which attack signals achieve covert infiltration via distributed cluster control architectures.

(2) Dynamic Discrimination Between Latent Attacks and Information Disturbances: Through quantitative analysis of physical-layer characteristic discrepancies, a synchronized detection signal model and a dynamic attack recognition model are established, demonstrating the proposed method’s capability to accurately identify latent attacks in distributed cluster control systems.

(3) Proactive Defense Requirements Against Latent Attacks: Experimental validation of attack localization and signal characterization accuracy confirms that the proposed method enables precise recognition of compromised DG and specific attack signals, providing reliable decision-making support for cluster operators to implement targeted defense measures.

The contributions of this research offer novel insights into eliminating potential security vulnerabilities in distributed control architectures. The established “modeling–identification–defense” technical framework effectively prevents latent attack signals from undermining the secure and stable operation of CPS.