Article

Privacy-Preserving Federated Cybersecurity Analytics for Smart-Grid SCADA: Maintaining Controllability and Observability Under Coordinated Attacks

Department of Electrical and Computer Engineering, College of Engineering, Prairie View A&M University, Prairie View, TX 77446, USA
Electronics 2026, 15(10), 2197; https://doi.org/10.3390/electronics15102197
Submission received: 1 April 2026 / Revised: 14 May 2026 / Accepted: 18 May 2026 / Published: 20 May 2026

Abstract

Ensuring resilient controllability and observability in SCADA-based smart grids under coordinated cyberattacks remains a critical and unresolved challenge in modern cyber-physical power systems. This paper investigates the impact of coordinated cyberattacks on the stability and monitoring capabilities of SCADA-based smart-grid systems within a controlled cyber-physical environment. An active cyber-physical testbed representing a multi-bus power system was created to analyze how attacks targeting communication channels affect controllability and observability. Several attack scenarios were implemented, including remote access attacks via Secure Shell (SSH), Modbus/TCP flooding, and ICMP-based attacks, to monitor their impact on control actions, communication reliability, and system responsiveness. To address these vulnerabilities, a SCADA-based cybersecurity monitoring system was implemented within the controlled testbed environment. The system analyzes SCADA operational logs from smart grid devices while packet-level network traffic is captured and examined using monitoring tools such as Wireshark. A central monitoring layer coordinates system-wide attack detection and response. System resilience was evaluated using controllability and observability matrix rank analysis, together with dynamic stability metrics during attack conditions. Experimental and simulation results show that coordinated cyberattacks significantly degrade system performance, with the average delay rising from 12 ms to 210 ms, the packet loss rate increasing to 15.5%, and the command execution error rate reaching 40%. Furthermore, the ranks of the controllability and observability matrices dropped from 4 to 2, indicating a critical partial loss of the system’s control and monitoring capabilities. 
In this work, the federated-learning-based component is explored as a distributed, privacy-preserving cybersecurity monitoring framework for anomaly detection and observability enhancement using SCADA-derived datasets, rather than as a fully integrated real-time SCADA operational control mechanism. At the same time, the attack’s impact on electrical properties remained limited to less than 2%.

1. Introduction

The enhancement of traditional electrical power systems to smart grids has enabled improved monitoring, automation, and communication, with real-time control systems that support transmission, distribution, and power generation, thereby significantly improving system efficiency and reliability [1,2,3]. Smart grid (SG) systems integrate electrical infrastructure with communication networks, real-time monitoring devices, and control systems to enable transmission, distribution, and power generation processes [1,2,3]. These features improve situational awareness, operational flexibility, and support more efficient energy management in modern power systems [2].
As smart grid technologies continue to evolve, cybersecurity (CS) has become a major concern [1,2,4]. The increasing dependence on communication networks and digital control systems expands the attack surface of power system infrastructures, making them more vulnerable to cyber threats [2,3]. Communication protocols such as Secure Shell (SSH), Modbus/TCP, and ICMP are widely used in modern industrial environments [3,5]. They may be compromised through cyberattacks such as Denial-of-Service (DoS), unauthorized access, and traffic flooding [5,6]. Such attacks can significantly affect communication between SCADA systems and field devices, leading to delayed control actions, inaccurate measurement data, and reduced system reliability [6,7].
The integration of physical power system elements with communication and control technologies constitutes a cyber-physical system (CPS) [8]. In such systems, physical processes, including power generation, transmission, and load control, are tightly connected to cyber components such as communication networks, sensors, and control methods. CPS integration enables real-time monitoring and automated control. It also presents weaknesses where cyberattacks can propagate into physical system behavior, disrupting system stability, controllability, and observability [7,9].
The integration of smart-grid infrastructure, cybersecurity mechanisms, and cyber-physical behaviors creates a highly interconnected environment in which communication reliability, system monitoring, and control performance are co-dependent [1,2]. Faults in communication networks caused by cyberattacks can reduce system observability and controllability, limiting operators’ ability to accurately monitor system conditions and respond effectively to attacks [8,9]. Ensuring secure and reliable communication is essential for maintaining stable operation in modern smart grid environments [3,10].
To support cybersecurity monitoring in cyber-physical systems, federated learning has emerged as a promising distributed analytics approach for anomaly detection and privacy-preserving monitoring [11,12]. Federated learning is a decentralized machine learning technique in which multiple nodes collectively train a shared global model without exchanging raw data [11]. Instead of sending sensitive data to a central server, each node performs local training on its own dataset and shares only model parameters or updates with a control center [11,12]. These updates are combined to form an improved global model, which is then redistributed to all active nodes.
This approach is particularly suitable for smart grid environments, where data privacy, communication limitations, and system security are critical concerns [12,13]. By keeping data localized at SCADA nodes and network monitoring devices, federated learning supports privacy-preserving distributed anomaly detection while reducing the exposure of sensitive operational data. The inherently distributed nature of federated learning enables scalable and adaptive cybersecurity monitoring across widely distributed infrastructure [13].
In this research, a SCADA-based smart grid testbed is used to experimentally evaluate the impact of communication-based cyberattacks on system performance. This study analyzes communication behavior, SCADA response, and system stability under attack conditions. A mathematical framework based on controllability and observability is used to interpret how cyberattacks affect system monitoring and control capabilities [8,9]. A federated cybersecurity perspective is incorporated to demonstrate how distributed learning techniques can enhance the resilience of cyber-physical smart grid systems [12,13].
The main contributions of this study are summarized as follows:
  • Development of a real-time cyber-physical smart grid testbed integrated with a SCADA monitoring system;
  • Implementation of protocol-based cyberattack scenarios using SSH;
  • Integration of Wireshark for packet-level network monitoring and analysis;
  • Evaluation of system performance using communication metrics and controllability/observability analysis;
  • Experimental analysis of the interaction between cyberattacks and power system stability.
To provide a broad overview of the proposed framework, the integration of smart grid systems, SCADA-based cyber systems, and federated learning for cybersecurity is illustrated in Figure 1. The smart grid physical system is connected to the SCADA-based cyber layer through a communication network, thereby forming a cyber-physical system. An SSH-based cyberattack is modeled to highlight weaknesses within the SCADA environment. To address these challenges, a federated-learning-based distributed monitoring framework is conceptually introduced across SCADA nodes, enabling decentralized anomaly detection while preserving data privacy.
Unlike previous studies that primarily focused on controllability and observability analyses, this work additionally incorporates federated learning as a distributed mechanism for cyberattack detection in a SCADA environment.

2. Related Works

2.1. Smart Grid Cybersecurity

The advancement of power systems toward smart grids has enabled improved monitoring, automation, and operational efficiency through the integration of communication networks, intelligent sensing devices, and digital control platforms. Smart grids are widely characterized as cyber-physical systems (CPSs), in which physical infrastructure is tightly integrated with cyber components responsible for communication and control systems. Several recent investigations emphasize that while this incorporation strengthens system performance and flexibility, it also introduces meaningful cybersecurity challenges due to increased connectivity and interdependence between cyber and physical layers [14,15].
Current smart grid cybersecurity approaches expand beyond protecting individual components and instead require system-level protection strategies that account for SCADA systems, advanced metering infrastructure, distributed energy resources, and communication protocols. Guaranteeing reliability and real-time situational awareness under both normal and adversarial conditions remains a key focus in recent research [14].

2.2. SCADA System Vulnerabilities

SCADA systems play an important role in monitoring and controlling smart grid operations by enabling communication between field devices and centralized control centers. SCADA systems are widely recognized as among the most exposed components in smart grid infrastructure due to their reliance on communication protocols and network connectivity [14,16].
Previously, SCADA systems were designed with a greater focus on reliability and availability than on security. This has led to vulnerabilities such as weak authentication mechanisms, a lack of encryption, and exposure to unauthorized access. These weaknesses can allow attackers to manipulate system behavior, disrupt communication, degrade monitoring capabilities, and overall impact physical system operations [16].

2.3. Cyberattacks on Smart Grid Communication Networks

Communication networks are fundamental to smart grid operations. They allow the exchange of real-time operational data and control commands between system components. Studies highlight that cyberattacks targeting communication layers, including denial-of-service (DoS), distributed denial-of-service (DDoS), spoofing, and false data injection (FDI), can significantly disrupt system operation and decrease situational awareness [17].
The study further shows that enhanced detection methods, particularly those based on artificial intelligence and machine learning, have been widely explored to identify and reduce these threats. Many of these approaches are primarily observed through simulations or datasets rather than real-world applications, limiting their practical testing in cyber-physical environments [17].

2.4. Protocol-Based Attacks and Federated Learning Approaches

Operational control systems and smart grid environments rely on different communication protocols for data exchange and remote access. Protocol-level exposures present a significant attack surface. Attackers can exploit weaknesses in communication behavior, authentication mechanisms, and packet transmission processes to disrupt system functionality [15].
Several researchers have explored federated learning techniques as a promising approach for improving cybersecurity in networked smart grid environments. Federated learning enables decentralized model training across multiple nodes without sharing raw data, improving privacy and scalability while supporting mutual anomaly identification across scattered systems [18].

2.5. Impact of Cyberattacks on System Stability, Monitoring, and Control

Cyberattacks on smart grids not only affect communication networks but also directly impact power system stability, monitoring accuracy, and control performance. Disturbances in communication can reduce system monitoring by delaying or manipulating measurement data while also impacting controllability by interfering with command operations and control response [14].
Experimental investigations have demonstrated the importance of observing cyberattacks in realistic testbed environments. These environments enable real-time observation of interactions between cyber and physical components. These testbeds provide meaningful insights into how attacks influence system performance, response time, and operational reliability under practical conditions [19,20].

2.6. Research Gap and Contribution of This Work

Several studies have further investigated the resilience of cyber-physical distribution networks under stealth-oriented cyberattacks and communication failures. Dynamic node-failure assessment methods and hybrid energy-management frameworks have been explored to improve grid resilience and vulnerability mitigation under cyber-stealthy intrusion scenarios. These studies further highlight the importance of maintaining reliable observability and secure communication within modern smart-grid infrastructures.
Despite significant advancements in smart grid cybersecurity research, much of the existing research focuses more on conceptual analyses, simulation-based evaluations, or detection algorithm performance. These studies provide valuable insights into threat classification and defense mechanisms. Few studies have experimentally investigated the real-time impact of protocol-based cyberattacks on SCADA-connected smart grid systems while clearly considering controllability and observability [17,20].
To address this gap, this research introduces a real-time experimental observation of cyberattacks on a smart grid laboratory testbed connected with a SCADA monitoring system. This study primarily investigates communication behavior under SSH-based interaction and ICMP flooding conditions, analyzing their effects on network traffic, system monitoring, and operational performance. Unlike prior studies, this work directly observes both controllability and observability within a real-time cyber-physical smart grid environment, providing practical insights into system behavior under attack conditions. Table 1 compares this work with existing smart grid cybersecurity studies.
The comparison was extended to include distributed detection systems, where federated learning offers advantages in balancing accuracy and specificity compared with traditional systems. Recent studies have also investigated communication reliability and cyber-physical resilience in distribution networks, including dynamic node failure mechanisms and hybrid-energy frameworks under stealthy cyber intrusions.
Compared with conventional distributed IDS approaches, the proposed federated learning framework improves privacy preservation by avoiding the exchange of raw SCADA data between nodes while still supporting collaborative anomaly detection. In addition, the framework was evaluated in a real-time, SCADA-connected cyber-physical testbed, enabling direct observation of the degradation of controllability and observability under coordinated attack scenarios.

3. Methodology

This section describes the proposed methodology, experimental configuration, and cybersecurity evaluation procedures employed to investigate the impact of coordinated cyberattacks on the smart-grid cyber-physical system.

3.1. Smart Grid Cyber-Physical Testbed

To analyze the impact of cyberattacks on smart grid operations, a real-time cyber-physical smart grid testbed was implemented using a SCADA monitoring platform. The testbed integrates electrical power system components with communication networks to emulate the behavior of a modern smart grid environment. The system includes multiple components such as an integrated network, transmission lines, consumer loads, and a wind power generation unit.
The SCADA interface provides real-time monitoring of system parameters, including power flow, voltage levels, and current measurements. Through this interface, system operators can observe system conditions and control various components within the smart grid infrastructure. Figure 2 illustrates the smart grid SCADA monitoring interface used in this study.

3.2. SCADA Server Monitoring Interface

In addition to the system overview interface, a cybersecurity monitoring interface was implemented to observe system measurements and control signals during cyberattack scenarios. The interface provides real-time measurements of system voltage and current values across different phases of the power system.
The SCADA server allows technicians to monitor system behavior and control the power system through switching operations. This interface plays an important role in observing the effects of cyberattacks on system monitoring capability and communication reliability. Figure 3 presents the cybersecurity server interface used to observe system measurements and control signals during the experiments.

3.3. Proposed Power System

Figure 4 shows a one-line diagram of the proposed power system. A three-bus smart-ring power system is proposed in this work and illustrated in Figure 5. It comprises a primary generator and two loads. The main generator supplies the system with electrical power. Load 1 is powered and connected to renewable sources. A hybrid renewable energy system includes a wind turbine that serves as the on-site power source and is connected to the system via bus 3.

3.4. Physical Smart Grid Laboratory Testbed

The experimental platform used in this research consists of a physical smart grid laboratory setup that integrates power system modules, communication devices, and a SCADA monitoring workstation. The laboratory environment enables controlled experimentation on cyber-physical power system behavior under cybersecurity attack scenarios. Figure 5 shows the physical smart grid laboratory setup used during the experimental evaluation.
The smart grid training system includes multiple electrical modules representing transmission lines, loads, and power generation components. These modules are interconnected via measurement units and communication interfaces, enabling real-time monitoring via the SCADA platform.
Network connectivity between the smart grid devices and the monitoring workstation is provided via a Siemens industrial router, enabling communication across the cyber-physical testbed. This communication infrastructure allows cyberattack experiments to be conducted while observing their impact on power system monitoring and control behavior. Figure 6 shows the architecture of the cyber-physical smart grid testbed used for cybersecurity experiments.
The arrows in Figure 6 indicate the communication and data-flow directions between the smart-grid testbed, SCADA monitoring workstation, security LAN router, and the cyberattack platform.

3.5. Communication Network and Cyberattack Implementation

To evaluate the effect of cybersecurity attacks on the smart grid system, a communication network was established between the smart grid laboratory testbed and the SCADA monitoring workstation. The communication infrastructure was enabled through a Siemens industrial router, which provides network connectivity between the smart grid components and the monitoring computer.
The router was accessed and configured through its assigned IP address using the laboratory workstation. Once the router was powered on and initialized, network connectivity was verified with Wireshark, a packet-analysis tool for monitoring network traffic. Wireshark was used to confirm that the system was actively transmitting and receiving network packets under normal operating conditions before the cyberattack experiments were performed.
After verifying network connectivity, a virtual machine running Kali Linux was launched on the laboratory workstation. Kali Linux was used as the attack platform to generate protocol-based cybersecurity attacks against the smart grid communication network.
The PuTTY 0.76 software tool was then used to initiate remote communication sessions and configure the system’s communication protocol. In this study, only the Secure Shell (SSH) protocol was utilized to establish secure remote connections between the monitoring workstation and the smart grid components.
Using PuTTY as shown in Figure 7, SSH-based sessions were initiated to enable controlled interaction with the system. These sessions served as the basis for generating protocol-based cyberattack traffic directed at the smart grid communication network.
During the attack experiments, Wireshark was employed to capture and analyze network packets under both normal operating conditions and during the SSH-based cyberattack. Packet analysis enabled the identification of abnormal traffic patterns introduced by the attack and provided insight into how communication disruptions affected system monitoring and control performance.
The attacks were carried out using tools such as PuTTY and hping3, with the SSH protocol used to generate abnormal traffic, while an ICMP Flood was used to put high pressure on the network. In the coordinated attack scenario, both attacks were executed simultaneously to maximize their impact on the system.
This study focused on traffic-driven attacks such as SSH and ICMP because they represent direct threats to the communications layer. Advanced attacks such as FDIA were considered for future work due to their complexity in a real-world testing environment.
More stealth-oriented attacks, such as FDIA and replay attacks, typically require synchronized manipulation of measurement and state-estimation data, which adds significant implementation complexity in practical cyber-physical testbeds. Therefore, these attacks were considered outside the current experimental scope and are planned for future work.

3.6. Cyberattack Implementation

Within the configured environment, network security tools were used to simulate cyberattacks on the smart grid communication infrastructure. Communication sessions with the target devices were established using PuTTY, which enabled secure remote access via the Secure Shell (SSH) protocol during experimental scenarios. In addition, the hping3 network testing tool available in the Kali Linux environment was used to generate Denial-of-Service (DoS) traffic against the target device, evaluating the system’s response to abnormal network conditions.

3.7. System Monitoring and Data Collection

System behavior was monitored during both normal network operations and cybersecurity attacks to evaluate the impact of communication disruptions on smart grid operations. Network activity within the communication infrastructure was captured and analyzed using Wireshark, which provided real-time packet inspection and protocol analysis throughout the experiments.
Wireshark was used to observe packet transmission patterns, protocol activity, and communication traffic between the smart grid devices and the monitoring workstation. Captured network traffic allowed verification of normal communication behavior before initiating attack scenarios and provided visibility into network activity during the cybersecurity experiments. Figure 8 shows a Wireshark capture of normal Modbus/TCP communication between the SCADA monitoring workstation and the smart grid device under normal operating conditions.
In addition to monitoring network traffic, system control behavior was observed through the SCADA monitoring interface. The SCADA platform enabled switching operations on electrical loads connected to the smart grid testbed. A lighting load connected to the system was used as an operational indicator of system response.
During the experiments, switching commands were issued via the SCADA interface under both normal network conditions and simulated cyberattack scenarios. The system’s response to these commands was monitored during data collection to assess how communication disruptions affect the system’s control and monitoring capabilities.
System data was collected via SCADA at a constant sampling rate, enabling near-instantaneous monitoring of changes in system behavior during attack execution.
System measurements and SCADA operational logs were collected at a 100 ms sampling interval, enabling near-real-time monitoring of system responsiveness behavior during attack execution. The implemented monitoring framework demonstrated the ability to detect coordinated low-latency attacks by observing changes in network traffic patterns, packet delays, and abnormal SCADA response behavior during the experiments.

3.8. Mathematical Modeling and Controllability/Observability Analysis

In this work, controllability and observability were assessed using the ranks of the controllability and observability matrices. A system was considered controllable or observable when the matrix rank equaled the number of effective states. During attacks, changes in this rank were used to measure the impact of the attack on the system’s controllability and observability.
Controllability and observability are two fundamental properties of a dynamic system. Controllability refers to the ability to drive the system states from an initial condition to a desired state using appropriate control inputs, whereas observability refers to the ability to estimate the internal system states from the measured outputs.
To evaluate the impact of cyberattacks on smart grid performance, the implemented system is modeled as a simplified 3-bus cyber-physical system (CPS). This model captures the interaction between system states, SCADA control actions, and measured outputs under both normal and compromised operating conditions [20,21,22]. The system dynamics are represented in state-space form as:
$$x(k+1) = A x(k) + B u(k) + a_u(k)$$
$$y(k) = C x(k) + a_y(k)$$
where $x(k)$ is the state vector, $u(k)$ is the control input vector, and $y(k)$ is the measured output vector. The terms $a_u(k)$ and $a_y(k)$ represent actuator-side and sensor-side attack signals, respectively, modeling the effect of cyberattacks on control commands and measurement data [19,20,21,22].
For the simplified 3-bus smart grid system, the state vector is defined as:
$$y(k) = \begin{bmatrix} v_1(t) & v_2(t) & v_3(t) & I_1(t) & I_2(t) & I_3(t) \end{bmatrix}$$
since the SCADA system provides real-time voltage and current measurements.

3.8.1. Controllability Analysis

The controllability of the system is evaluated using the controllability matrix:
$$\mathcal{C} = \begin{bmatrix} B & AB & A^{2}B & \cdots & A^{N-1}B \end{bmatrix}$$
The system is considered controllable if:
$$\operatorname{rank}(\mathcal{C}) = n$$
where n is the number of system states [21].

3.8.2. Observability Analysis

Similarly, the observability of the system is evaluated using the observability matrix:
$$\mathcal{O} = \begin{bmatrix} C \\ CA \\ CA^{2} \\ \vdots \\ CA^{N-1} \end{bmatrix}$$
The system is considered observable if:
$$\operatorname{rank}(\mathcal{O}) = n$$
Under normal operating conditions, the SCADA monitoring system can reliably transmit control commands and receive measurement data, ensuring full controllability and observability of the system. During cyberattacks, packet loss, delays, or manipulation of control signals may degrade system performance. As a result, the reliable controllability and monitoring of a system may be decreased under attack conditions [19,20,21,22].
Although the complete system model comprises six state variables representing the voltages and currents of each phase, a reduced-order model, based on four effective states, was adopted for the analysis of controllability and observability. This approach stems from the fact that certain variables exhibited a very limited dynamic influence during both normal operation and attack scenarios; consequently, their exclusion does not fundamentally compromise the accuracy of the analysis but rather serves to simplify the model and focus on the states that exert the most significant influence on the system’s behavior.
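The rank test from Sections 3.8.1 and 3.8.2, as an added example that is not the authors' code: it builds both matrices for a constructed four-state model and recomputes the ranks after one actuator channel and one sensor channel are lost. The matrices A, B and C, and the modelling of a flooded link as a zeroed column of B or row of C, are assumptions; the page gives neither.

```python
from fractions import Fraction


def to_frac(rows):
    """Parse rows of space-separated numbers into exact rationals."""
    return [[Fraction(v) for v in row.split()] for row in rows]


# Constructed model (assumption): two decoupled 2-state feeders, each with
# its own actuator (column of B) and its own sensor (row of C).
A = to_frac(["0.9 0.1 0 0", "0 0.8 0 0", "0 0 0.7 0.2", "0 0 0 0.6"])
B = to_frac(["0 0", "1 0", "0 0", "0 1"])
C = to_frac(["1 0 0 0", "0 0 1 0"])


def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]


def rank(M):
    """Matrix rank by exact Gaussian elimination (no floating-point tolerance)."""
    M = [[Fraction(v) for v in row] for row in M]
    r = 0
    for c in range(len(M[0])):
        pivot = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if pivot is None:
            continue
        M[r], M[pivot] = M[pivot], M[r]
        for i in range(r + 1, len(M)):
            f = M[i][c] / M[r][c]
            M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
        if r == len(M):
            break
    return r


def controllability_matrix(A, B):
    """[B, AB, A^2 B, ..., A^(n-1) B] with n = number of states."""
    blocks, P = [], B
    for _ in range(len(A)):
        blocks.append(P)
        P = matmul(A, P)
    return [sum((blk[i] for blk in blocks), []) for i in range(len(A))]


def observability_matrix(A, C):
    """[C; CA; CA^2; ...; CA^(n-1)] stacked row-wise."""
    rows, P = [], C
    for _ in range(len(A)):
        rows.extend(P)
        P = matmul(P, A)
    return rows


def zero_columns(M, lost):
    """Actuator channels in `lost` no longer reach the plant (assumed attack model)."""
    return [[Fraction(0) if j in lost else v for j, v in enumerate(row)] for row in M]


def zero_rows(M, lost):
    """Sensor channels in `lost` no longer reach SCADA (assumed attack model)."""
    return [[Fraction(0)] * len(row) if i in lost else row for i, row in enumerate(M)]


def assess(A, B, C):
    """Return (controllability rank, observability rank)."""
    return rank(controllability_matrix(A, B)), rank(observability_matrix(A, C))


if __name__ == "__main__":
    n = len(A)
    print("states:", n)
    print("normal   (ctrb, obsv):", assess(A, B, C))
    print("attacked (ctrb, obsv):", assess(A, zero_columns(B, {1}), zero_rows(C, {1})))
```

With these matrices the second feeder becomes both unreachable and invisible once its channels are lost, which is the kind of rank deficit the section uses as its resilience indicator.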

3.9. Federated Cybersecurity Modeling

This work used real data collected from a laboratory SCADA environment, where network traffic was captured with Wireshark, along with operational data such as voltage, current, and response time. The data was saved in Excel format and includes normal operating conditions and various attack scenarios.
To enhance cyberattack detection and improve system resilience, a federated learning framework is integrated into the smart grid cybersecurity architecture. In this approach, distributed nodes, such as SCADA devices and network monitoring units, collaboratively train a global intrusion detection model without sharing raw data [7,8,9].
Let $K$ denote the number of distributed nodes in the system. Each node $k$ maintains a local dataset $D_k$, defined as:
$$D_k = \{(x_i, y_i) \mid i = 1, \ldots, n_k\}$$
where $x_i \in \mathbb{R}^d$ represents feature vectors derived from network traffic, protocol behavior, and system measurements, and $y_i \in \{0, 1\}$ represents the classification label, where 0 corresponds to normal operation, and 1 corresponds to anomalous or malicious activity.
The total number of samples across all nodes is given by:
$$N = \sum_{k=1}^{K} n_k$$
Each node trains a local model using its private dataset. The local objective function at the node k is defined as:
$$F_k(w) = \frac{1}{n_k} \sum_{i \in D_k} \ell(w; x_i, y_i)$$
where $w$ represents the model parameters and $\ell(\cdot)$ is the loss function.
During each communication round $t$, the global model $w^t$ is transmitted to participating nodes. Each node updates its local model using gradient descent:
$$w_k^{t+1} = w^t - \eta \nabla F_k(w^t)$$
where η is the learning rate.
After local training, the updated models are sent to a central aggregator, where they are combined using the Federated Averaging (FedAvg) algorithm [7]:
$$w^{t+1} = \sum_{k=1}^{K} \frac{n_k}{N} w_k^{t+1}$$
The corresponding global objective function is expressed as:
$$F(w) = \sum_{k=1}^{K} \frac{n_k}{N} F_k(w)$$
This federated learning framework enables collaborative model training across distributed smart grid nodes while preserving data privacy, as raw cyber-physical system data remain local and are not transmitted. The resulting global model is deployed at each node to perform real-time intrusion detection and identify abnormal system behavior.
The data was distributed across several nodes representing different SCADA devices within the system, with each node possessing a portion of the data. This distribution reflects the nature of real-world systems, where data is distributed rather than identical.
Each node trained a local model using its own data, and only the model’s parameters were sent to the central server, where they were combined using the FedAvg algorithm to obtain a general model distributed across all nodes.
The privacy aspect was achieved by not transferring raw data between nodes but by sharing only model updates, thereby reducing the risk of sensitive data leakage within the system. Note that additional technologies, such as Differential Privacy or Secure Aggregation, could be integrated in the future to enhance the level of protection.
In the current implementation, privacy preservation was primarily achieved through the standard federated learning architecture, in which raw SCADA data remained local to each node. Additional mechanisms, such as Differential Privacy (DP) or Secure Multi-Party Computation (SMPC), were not implemented at this stage. The authors recognize that standard federated learning may still be vulnerable to gradient inversion and model inference attacks. Therefore, integrating stronger privacy-preserving techniques such as DP and secure aggregation is considered part of future work.
In this work, a simple neural network-based classification model was employed and trained in a distributed manner across several nodes within a SCADA system. The integration of local models was carried out over several consecutive training rounds until the model’s performance stabilized.
The communication overhead in the federated learning process is limited to model parameter exchange, which requires significantly less bandwidth compared to transferring raw SCADA data in centralized systems.
In the federated learning implementation, the SCADA-derived datasets were distributed across five monitoring nodes, each representing different smart-grid devices and network conditions. Due to variations in attack behavior, traffic characteristics, and operational measurements among nodes, the local datasets exhibited non-IID properties. The federated model was trained over 15 communication rounds using the FedAvg aggregation algorithm, with a learning rate of 0.001 and three local training epochs per round. During training, the global model parameters were iteratively updated until stable convergence behavior was observed across participating nodes.
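The aggregation described above, as an added example that is not the authors' code: five nodes train a logistic-regression stand-in for the paper's neural network on private, constructed traffic samples, and only the parameter vectors reach the aggregator, which averages them with weights n_k/N. The feature scaling, per-node sample counts and the 45 ms and 120 ms latencies are assumptions; the rounds, learning rate and local epochs follow the values stated above.

```python
import math

def sample(rate_pps, latency_ms, label):
    # Constructed feature scaling: [bias, packet rate / 2000 pkt/s, latency / 250 ms].
    return ([1.0, rate_pps / 2000.0, latency_ms / 250.0], label)

def make_node(n_normal, n_attack, attack_rate, attack_latency):
    """One node's private dataset; small deterministic jitter keeps samples distinct."""
    data = [sample(120 + i % 7, 12 + i % 3, 0) for i in range(n_normal)]
    data += [sample(attack_rate + 5 * (i % 9), attack_latency + i % 11, 1)
             for i in range(n_attack)]
    return data

# Five nodes with different sizes and class mixes (non-IID). All values constructed.
NODES = [
    make_node(40, 5, 350, 45),     # mostly normal traffic, a little SSH
    make_node(30, 10, 350, 45),
    make_node(10, 30, 1200, 120),  # mostly ICMP flood
    make_node(5, 20, 1800, 210),   # mostly coordinated attack
    make_node(25, 25, 1200, 120),
]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def loss_and_grad(w, data):
    """Mean logistic loss F_k(w) and its gradient on one node's local data."""
    loss, grad = 0.0, [0.0] * len(w)
    for x, y in data:
        p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)))
        loss -= y * math.log(p) + (1 - y) * math.log(1 - p)
        for i, xi in enumerate(x):
            grad[i] += (p - y) * xi
    n = len(data)
    return loss / n, [g / n for g in grad]

def local_train(w_global, data, lr, epochs):
    """Runs on the node: full-batch gradient steps starting from the global model."""
    w = list(w_global)
    for _ in range(epochs):
        _, g = loss_and_grad(w, data)
        w = [wi - lr * gi for wi, gi in zip(w, g)]
    return w

def fedavg(updates):
    """Runs on the aggregator. updates: list of (n_k, w_k); returns sum_k (n_k/N) w_k."""
    total = sum(n for n, _ in updates)
    dim = len(updates[0][1])
    return [sum(n * w[i] for n, w in updates) / total for i in range(dim)]

def global_loss(w, nodes):
    """F(w) = sum_k (n_k/N) F_k(w); evaluated here only to monitor convergence."""
    total = sum(len(d) for d in nodes)
    return sum(len(d) / total * loss_and_grad(w, d)[0] for d in nodes)

def centralized_step(w, nodes, lr):
    """One gradient step on pooled raw data: the baseline federated training avoids."""
    pooled = [s for d in nodes for s in d]
    _, g = loss_and_grad(w, pooled)
    return [wi - lr * gi for wi, gi in zip(w, g)]

def run_fedavg(nodes, rounds=15, lr=0.001, epochs=3):
    w = [0.0] * len(nodes[0][0][0])
    history = [global_loss(w, nodes)]
    for _ in range(rounds):
        # Each tuple is everything a node discloses: a sample count and its parameters.
        updates = [(len(d), local_train(w, d, lr, epochs)) for d in nodes]
        w = fedavg(updates)
        history.append(global_loss(w, nodes))
    return w, history

if __name__ == "__main__":
    w, hist = run_fedavg(NODES)
    print("global parameters:", w)
    print("global loss, first and last round:", hist[0], hist[-1])
```

With a single local epoch the weighted average equals one gradient step on the pooled data, so the aggregator reaches the same model without seeing raw samples; with three local epochs the node models drift apart on non-IID data before they are averaged.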

4. Experimental Results and Analysis

Each experiment was repeated several times to ensure accuracy, with average values calculated for measurements such as delay and packet loss percentage, thereby enhancing the reliability of the results presented.

4.1. Normal System Operation

Under normal operating conditions, the smart grid system exhibited stable, reliable performance. Network traffic analysis showed steady Modbus/TCP communication between the SCADA workstation and the smart grid device, with no abnormal packet delays or traffic anomalies observed. From an operational perspective, SCADA control commands were performed successfully. Switching actions resulted in immediate and correct responses from the connected lighting load, confirming proper system controllability and responsiveness. These results confirm that both communication and control functions were operating under normal conditions, establishing a baseline for comparison with the cyberattack scenarios.

4.2. SSH-Based Attack

Following baseline system operation, the network was observed during an SSH-based cyberattack. As shown in Figure 9, the Wireshark capture shows a noticeable increase in SSH packets exchanged between the monitoring workstation and the smart grid device during the attack period.
Despite the elevated traffic, the communication channel remained stable, and packet captures continued to load without excessive delay. This indicates that the network maintained operational integrity under increased traffic conditions.
In addition to the observed SSH traffic, further analysis of the Wireshark capture revealed ICMP packets during the attack period, as shown in Figure 10. These packets indicate that the attack generated additional abnormal network activity beyond standard SSH communication.
The observed increase in ICMP traffic indicates flooding behavior that imposed additional stress on the communication network. System performance was further observed through control operations. Switching commands issued through the SCADA interface remained operational. Although communication was functional, noticeable delays were observed during control operations. In several instances, the system exhibited inverse behavior, in which issued commands did not correspond to the expected response. These inconsistencies indicated reduced control reliability under the attack conditions, even though the system maintained partial operational capability.
Overall, the SSH-based attack preserved partial system functionality under abnormal traffic conditions; however, communication delays and unstable control responses were observed.

4.3. Comparative Performance and Power Flow Analysis

To further observe the impact of the SSH-based cyberattack on both communication performance and physical system behavior, a combined analysis of network activity and smart meter measurements was conducted.
From a communication perspective, the SSH-based attack introduced increased network traffic and noticeable delays, as observed in the Wireshark analysis. Although SCADA commands remained functional, inconsistent control responses were observed, including instances of inverse behavior in command execution.
To assess the effect on the physical layer, electrical measurements were collected from two smart meters (Meter 1 and Meter 2), under both normal operating conditions and during the SSH-based attack. The recorded parameters include phase voltage (V_PH, V), line voltage (V_Line, V), current (I), active power (P, W), reactive power (Q, var), apparent power (S, VA), system frequency (Hz), and power factor.
The electrical measurements obtained from Meter 1 and Meter 2 under normal operating conditions are presented in Table 2, while the measurements recorded during the SSH-based cyberattack scenarios at M1 and M2 are summarized in Table 3 and Table 4, respectively. Furthermore, the percentage deviation of the measured electrical parameters under cyberattack conditions is presented in Table 5.
A comparison of the measurements indicates that the SSH-based cyberattack had minimal impact on the system’s physical operation. Voltage levels at both meters remained stable, with only minor variations observed between normal and attack conditions. Current measurements show small changes, indicating that the load demand was not significantly affected.
Active and reactive power values at both Meter 1 and Meter 2 remained consistent, with only slight changes observed during the attack scenario. Apparent power values followed a similar pattern, confirming that overall power flow in the system was preserved.
System frequency remained stable at approximately 60 Hz for both meters, showing that grid synchronization was not disrupted. Power factor values also remained unchanged, demonstrating that the efficiency of power delivery was maintained.
These results confirm that the SSH-based cyberattack increased network activity and introduced moderate communication delays, while its impact on the physical power system was minor. The cyberattack primarily affected the cyber layer, and the smart grid maintained stable electrical operation under the attack scenario.

4.4. Cyberattack Scenarios Definition

4.4.1. Scenarios

Four distinct operational states were defined to analyze the impact of cyberattacks on SCADA performance, as listed in Table 6. The first state is normal operation, with a packet rate of 120 pkt/s. The remaining states represent attack scenarios using SSH at 350 pkt/s and ICMP at 1200 pkt/s, as well as a coordinated attack that combines multiple protocols. The packet rate for each state was measured with Wireshark to enable a precise quantitative comparison across conditions.

4.4.2. Metrics

Table 7 illustrates the measurable impact of cyberattacks on the system’s performance. The average latency increased from 12 ms under normal conditions to 210 ms during a coordinated attack, a 1650% increase. The packet loss rate increased from 0% to 15.5%, which directly impacted the system’s responsiveness. A command execution error rate of 40% was recorded during the coordinated attack, indicating a clear deterioration in control reliability.
The error rate for command execution was calculated by comparing the number of commands not executed correctly to the total number of commands sent via the SCADA system during the testing period.

4.4.3. Controllability & Observability

Table 8 shows the status of the system’s controllability and observability. Under normal conditions, the system was fully controllable and observable, as the ranks of both the controllability and observability matrices were 4. During a coordinated attack, these values dropped to 2, indicating a critical, partial loss of the system’s control and observability capabilities, confirming the direct impact of cyberattacks on the system’s dynamic properties.
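The rank test behind these figures, as an added example that is not the authors' code: it builds the controllability and observability matrices of a 4-state system and recomputes their ranks after communication channels are lost. The matrices A, B and C are constructed (two decoupled 2-state areas, each with one actuator and one sensor), and modelling the coordinated attack as the loss of one actuator channel and one sensor channel is an assumption.

```python
from fractions import Fraction

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def rank(M):
    """Exact rank by Gaussian elimination over rationals (no floating-point tolerance)."""
    M = [[Fraction(v) for v in row] for row in M]
    r = 0
    for c in range(len(M[0])):
        pivot = next((i for i in range(r, len(M)) if M[i][c] != 0), None)
        if pivot is None:
            continue
        M[r], M[pivot] = M[pivot], M[r]
        for i in range(r + 1, len(M)):
            f = M[i][c] / M[r][c]
            M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
        if r == len(M):
            break
    return r

def controllability_matrix(A, B):
    """[B, AB, A^2 B, ..., A^(n-1) B], blocks placed side by side."""
    n, blocks, blk = len(A), [], B
    for _ in range(n):
        blocks.append(blk)
        blk = matmul(A, blk)
    return [sum((b[i] for b in blocks), []) for i in range(n)]

def observability_matrix(A, C):
    """[C; CA; CA^2; ...; CA^(n-1)], blocks stacked vertically."""
    rows, blk = [], C
    for _ in range(len(A)):
        rows.extend(blk)
        blk = matmul(blk, A)
    return rows

def assess(A, B, C, lost_inputs=(), lost_outputs=()):
    """Return (controllability rank, observability rank) with the given channels cut.

    A lost actuator channel zeroes its column of B; a lost sensor channel zeroes
    its row of C. This channel-loss model is an assumption of the example.
    """
    B_eff = [[0 if j in lost_inputs else v for j, v in enumerate(row)] for row in B]
    C_eff = [[0] * len(row) if i in lost_outputs else list(row)
             for i, row in enumerate(C)]
    return (rank(controllability_matrix(A, B_eff)),
            rank(observability_matrix(A, C_eff)))

# Constructed 4-state model: states 0-1 belong to area 1, states 2-3 to area 2.
A = [[0, 1, 0, 0],
     [-2, -3, 0, 0],
     [0, 0, 0, 1],
     [0, 0, -4, -5]]
B = [[0, 0],   # column 0: actuator of area 1, column 1: actuator of area 2
     [1, 0],
     [0, 0],
     [0, 1]]
C = [[1, 0, 0, 0],   # row 0: sensor of area 1
     [0, 0, 1, 0]]   # row 1: sensor of area 2

if __name__ == "__main__":
    print("normal operation:", assess(A, B, C))
    print("actuator 1 and sensor 1 unreachable:",
          assess(A, B, C, lost_inputs={1}, lost_outputs={1}))
```

A rank below the number of states means some states can no longer be steered or reconstructed from the remaining channels, which is why the drop matters even when the electrical measurements stay within normal bounds.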

4.4.4. Performance Under Cyberattacks

Figure 11 illustrates the gradual degradation in system performance under various cyberattacks. Specifically, the average latency increased from 12 ms under normal conditions to 210 ms during a coordinated attack, while the packet loss rate rose to 15.5%. Furthermore, the command execution error rate surged to 40%, reflecting the substantial impact of these attacks on the system’s communication and control layers.

4.4.5. Voltage and Frequency Deviations

Although the changes in electrical values were limited (less than 2%), as shown in Table 9, the greatest impact was observed in the communication and control layer, indicating that the attack primarily targeted the cyber layer without directly affecting the physical layer.

4.4.6. Federated Learning

The results of federated learning show a high accuracy of 96.4%, as shown in Table 10. The results confirm the effectiveness of the distributed model in enhancing attack detection, with precision 95.8%, recall 95.2%, and F1-score 95.5%.
The trained federated learning model enabled the detection of abnormal network traffic patterns, improving the system’s ability to identify cyberattacks at an early stage.
In addition to model accuracy, error rates such as false positives and false negatives were considered to evaluate system performance in a SCADA environment more accurately.
The results indicate that the attacks had the greatest impact on the communications and control layer. At the same time, the electrical variables remained relatively stable, illustrating the separation between the two layers in the cyber-physical system.
The model’s performance was stable across federated training rounds. Classification accuracy gradually improved until a stable state was reached, indicating convergence even with non-matching data between nodes.
Table 11 shows the estimated communication overhead per federated-learning round. The communication overhead of the federated learning framework was evaluated by estimating the average bandwidth exchanged between distributed SCADA nodes and the central aggregator in each communication round. The results indicate a relatively stable communication load across training rounds, demonstrating that the proposed distributed monitoring framework can operate with moderate bandwidth requirements suitable for practical smart-grid communication environments.
To further evaluate the convergence behavior of the federated learning framework under non-IID data conditions, the global model’s performance was monitored across multiple communication rounds. Figure 12 illustrates the variation in classification accuracy (Figure 12a) and global training loss (Figure 12b) during the federated-learning process. The results show that the global loss gradually decreased. At the same time, the classification accuracy improved and stabilized after several communication rounds, confirming the distributed model’s convergence capability despite heterogeneous SCADA datasets across participating nodes.

5. Conclusions

This study shows the impact of SSH- and ICMP-based cyberattacks on a SCADA-integrated smart grid within a cyber-physical system. A controlled testbed was used to analyze how network attacks and communication performance affected system monitoring and control operations. Only minor deviations in voltage, current, and frequency were observed during the attacks, remaining below 2%. The greatest impact was observed in the communication and control layer, showing that the attack primarily targeted the cyber layer without directly affecting the physical layer. The average latency increased significantly during coordinated attacks compared with normal operating conditions, while the packet loss rate rose to 15.5%. The command execution error rate increased to 40%, reflecting the significant impact of these attacks on the system’s cyber layers. These findings confirm that communication-layer attacks can significantly degrade the reliability of SCADA monitoring and control, even when physical electrical deviations remain limited. They also demonstrate how cyberattacks can weaken both system controllability and observability, emphasizing the need for stronger cybersecurity measures in smart grid environments.

Author Contributions

Conceptualization, S.A., A.A. and M.C.; methodology, S.A., Z.E. and A.A.; software, Z.E.; validation, S.A., A.A. and M.C.; formal analysis, Z.E. and S.A.; investigation, Z.E.; resources, A.A. and M.C.; data curation, Z.E.; writing—original draft, Z.E. and S.A.; writing—review & editing, S.A., A.A. and M.C.; visualization, Z.E.; supervision, S.A. and A.A.; project administration, S.A.; funding acquisition, A.A. and M.C. All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the National Science Foundation (#2219611, #2328991, #2418550) and Army Research Office (Cooperative Agreement W911NF-24-0133). The APC was waived by the publisher.

Data Availability Statement

The data used to support the findings of this study are available from the corresponding author upon reasonable request.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Adeleke, O.J.; Jovanovich, K.; Ogunbunmi, S.; Samuel, O.; Kehinde, T.O. Comprehensive exploration of smart cities: A systematic review of benefits, challenges, and future directions in telecommunications and urban development. IEEE Sens. Rev. 2025, 2, 228–245.
  2. Zhang, H.; Liu, B.; Wu, H. Smart grid cyber-physical attack and defense: A review. IEEE Access 2021, 9, 29641–29659.
  3. Ali, R.F.; Muneer, A.; Dominic, P.D.D.; Ghaleb, E.A.A.; Al-Ashmori, A. Survey on Cyber Security for Industrial Control Systems. In Proceedings of the 2021 International Conference on Data Analytics for Business and Industry (ICDABI), Sakheer, Bahrain, 25–26 October 2021; IEEE: Piscataway, NJ, USA, 2021.
  4. Sujatha, M.S.; Banu, S.S.; Sriyesh, V.; Sreenivasan, G.; Kuruba, M.; Reddy, M.G.M. Cyber Security for Power System. In Proceedings of the 2024 International Conference on Electrical Energy Systems (ICEES), Chennai, India, 22–24 August 2024; IEEE: Piscataway, NJ, USA, 2024.
  5. Zhang, K.; Pan, S.; Zhang, S.; Lin, J. The Intrusion Detection Method for Power Grid Industrial Control Systems Based on an Improved Triplet Neural Network. In Proceedings of the 2025 International Conference on Electrical Automation and Artificial Intelligence (ICEAAI), Guangzhou, China, 10–12 January 2025; IEEE: Piscataway, NJ, USA, 2025.
  6. Chakraborty, S.; Kar, S. Hierarchical Control of Networked Microgrid with Intelligent Management of TCLs: A Case Study Approach. Electr. Power Syst. Res. 2023, 224, 109787.
  7. Ran, X.; Ma, L. An Extended False Data Injection Attack via Deep Reinforcement Learning: Attack Model and Countermeasures in Cyber-Physical Power Systems. IEEE Trans. Autom. Sci. Eng. 2025, 22, 19750–19762.
  8. Sridhar, S.; Hahn, A.; Govindarasu, M. Cyber-physical system security for the electric power grid. Proc. IEEE 2012, 100, 210–224.
  9. Liu, Y.; Ning, P.; Reiter, M.K. False data injection attacks against state estimation in electric power grids. ACM Trans. Inf. Syst. Secur. (TISSEC) 2011, 14, 1–33.
  10. Karanfil, M.; Rebbah, D.E.; Debbabi, M.; Kassouf, M.; Ghafouri, M.; Youssef, E.-N.S.; Hanna, A. Detection of Microgrid Cyberattacks Using Network and System Management. IEEE Trans. Smart Grid 2023, 14, 2390–2405.
  11. McMahan, B.; Moore, E.; Ramage, D.; Hampson, S.; Aguera y Arcas, B. Communication-efficient learning of deep networks from decentralized data. In Proceedings of the 20th International Conference on Artificial Intelligence and Statistics (AISTATS), Fort Lauderdale, FL, USA, 20–22 April 2017; PMLR: Cambridge, MA, USA, 2017; pp. 1273–1282. Available online: https://proceedings.mlr.press/v54/mcmahan17a/mcmahan17a.pdf (accessed on 17 May 2026).
  12. Bhol, S.G.; Swain, S.; Pattnaik, P.K.; Mohanty, S. Federated Learning and Blockchain Integrated Framework for Energy Management. In Proceedings of the 2025 2nd International Conference on Intelligent Systems for Cybersecurity (ISCS), Gurugram, India, 14–15 November 2025; IEEE: Piscataway, NJ, USA, 2025.
  13. Li, Y. Detection of False Data Injection Attacks in Smart Grid: A Secure Federated Deep Learning Approach. In Proceedings of the 2024 IEEE Power & Energy Society General Meeting (PESGM), Seattle, WA, USA, 21–25 July 2024; IEEE: Piscataway, NJ, USA, 2024.
  14. Haridas, R.; Sharma, S.; Bhakar, R.; Mathuria, P. Evolution of Load Redistribution Attack in Cyber Physical Power System. In Proceedings of the 2023 IEEE PES Innovative Smart Grid Technologies—Middle East (ISGT Middle East), Abu Dhabi, United Arab Emirates, 12–15 March 2023; IEEE: Piscataway, NJ, USA, 2023.
  15. Maliha, M.; Oluyomi, A.; Booge, M.; Bhattacharjee, S.; Braasch, N.; Gomez, P.; Das, S.K. Real-Time Testbed for Studying Cyberattacks and Defense in DER-integrated Smart Inverter Systems. In Proceedings of the 2025 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), North York, ON, Canada, 29 September–2 October 2025; IEEE: Piscataway, NJ, USA, 2025.
  16. Jørgensen, B.N.; Ma, Z.G. Cybersecurity and Resilience of Smart Grids: A Review of Threat Landscape, Incidents, and Emerging Solutions. Appl. Sci. 2026, 16, 981.
  17. Khare, U.; Malviya, A.; Gawre, S.K.; Arya, A. Cyber Physical Security of a Smart Grid: A Review. In Proceedings of the 2023 IEEE International Students’ Conference on Electrical, Electronics, and Computer Science (SCEECS), Bhopal, India, 18–19 February 2023; IEEE: Piscataway, NJ, USA, 2023.
  18. Sanjalawe, Y.; Al-E’mari, S.; Fraihat, S.; Makhadmeh, S.N.; Alzubi, E. AI-Powered Smart Grids in the 6G Era: A Comprehensive Survey on Security and Intelligent Energy Systems. IEEE Open J. Commun. Soc. 2025, 6, 7677–7680.
  19. Rajesh, M.; Ramachandran, S.; Vengatesan, K.; Dhanabalan, S.S.; Nataraj, S.K. Federated Learning for Personalized Recommendation in Securing Power Traces in Smart Grid Systems. IEEE Trans. Consum. Electron. 2024, 70, 88–95.
  20. Cintuglu, M.H.; Mohammed, O.A.; Akkaya, K.; Uluagac, A.S. A Survey on Smart Grid Cyber-Physical System Testbeds. IEEE Commun. Surv. Tutor. 2017, 19, 446–464.
  21. Athamnih, A.S.; Annamalai, A.; Abood, S.; Woodard, C.; Chouikha, M.; Al-zuhairi, H. AI-Driven Cybersecurity for SCADA-Integrated Microgrids: A Real-Time Detection Framework. In Proceedings of the 2026 IEEE 5th International Conference on AI in Cybersecurity (ICAIC), Houston, TX, USA, 18–20 February 2026; IEEE: Piscataway, NJ, USA, 2026.
  22. Abood, S.I.; Islam, N.; Chouikha, M.F.; Annamalai, A.; Khalid, I. Controllability and Observability of Real-Time Implementation of Smart Grid Cyber-Physical Systems under Adversarial Attacks. IEEE Access 2026, 14, 11902–11920.
  23. Abood, S.; Khalid, I.; Chouikha, M.; Annamalai, A.; Obiomon, P.; Butler-Purry, K.L. AI-Based Cybersecurity Assessment for Renewable-Integrated Smart Grid SCADA Systems. In Proceedings of the 4th International Scientific Conference of Engineering Sciences (ISCES 2025), Baquba, Iraq, 10–11 December 2025; IET: London, UK, 2025.
  24. Zhang, Z.; Peng, H.; Li, L.; Bao, S. Adaptive Asynchronous Federated Learning for Digital Twin Driven Smart Grid. IEEE Trans. Smart Grid 2025, 16, 4167–4182.
  25. Deng, X.; Pan, Y.; Fang, H. Anomaly Detection in Smart Grid Behavior Monitoring via Federated Learning: A Privacy-Preserving Defense Against Cyber-Physical Attacks. J. Cyber Secur. Mobil. 2025, 14, 1151–1172.
  26. Abood, S.; Ibrahim, Z.; Annamalai, A.; Khalid, I.; Chouikha, M.; Adeloye, A. SCADA Watch: Cybersecurity Mitigation in Smart Electric Microgrids. In Proceedings of the 2025 IEEE International Communications Energy Conference (INTELEC), Houston, TX, USA, 12–15 October 2025; IEEE: Piscataway, NJ, USA, 2025.
  27. Xu, B.; Zhou, Y.; Li, M.; Ding, B.; Tan, G. A Digital Power Grid Information Security Protection Method Based on Federated Learning and Deep Learning. In Proceedings of the 2025 10th Asia Conference on Power and Electrical Engineering (ACPEE), Beijing, China, 15–19 April 2025; IEEE: Piscataway, NJ, USA, 2025.
  28. Li, X.; Wen, M.; He, S.; Lu, R.; Wang, L. A Privacy-Preserving Federated Learning Scheme against Poisoning Attacks in Smart Grid. IEEE Internet Things J. 2024, 11, 16805–16816.
  29. Zheng, R.; Sumper, A.; Aragüés-Peñalba, M.; Galceran-Arellano, S. Advancing Power System Services with Privacy-Preserving Federated Learning Techniques: A Review. IEEE Access 2024, 12, 76753–76779.
  30. Bhatia, K.; Ojha, S.S. Federated Learning Framework for Early Detection of Reconnaissance Attacks in Smart Grid Environments. In Proceedings of the 2024 2nd International Conference on Device Intelligence, Computing and Communication Technologies (DICCT), Dehradun, India, 15–16 March 2024; IEEE: Piscataway, NJ, USA, 2024.
  31. Moniruzzaman, M.; Yassine, A.; Benlamri, R. Blockchain and Federated Reinforcement Learning for Vehicle-to-Everything Energy Trading in Smart Grids. IEEE Trans. Artif. Intell. 2024, 5, 839–855.
  32. Li, Q.; Tang, W. An Anomaly Detection Method for Smart Power Grid: A Federated Learning Framework. In Proceedings of the 2023 6th International Conference on Data Science and Information Technology (DSIT), Shanghai, China, 28–30 July 2023; IEEE: Piscataway, NJ, USA, 2023; pp. 73–77.
  33. Blika, A.; Palmos, S.; Doukas, G.; Lamprou, V.; Pelekis, S.; Kontoulis, M.; Ntanos, C.; Askounis, D. Federated Learning for Enhanced Cybersecurity and Trustworthiness in 5G and 6G Networks: A Comprehensive Survey. IEEE Open J. Commun. Soc. 2024, 6, 3094–3124.
  34. Kapoor, A.; Kumar, D. Federated Learning for Urban Sensing Systems: A Comprehensive Survey on Attacks, Defenses, Incentive Mechanisms, and Applications. IEEE Commun. Surv. Tutor. 2024, 27, 1293–1325.
Figure 1. Overview of integrated smart grid, SCADA, and federated learning framework for cybersecurity.
Figure 2. Smart grid SCADA monitoring interface used in this study.
Figure 3. The cybersecurity server interface was used to observe system measurements and control signals during the experiments.
Figure 4. One-line diagram of the proposed power system.
Figure 5. The physical smart grid laboratory setup was used during the experimental evaluation.
Figure 6. Architecture of the cyber-physical smart grid testbed used for cybersecurity experiments.
Figure 7. The PuTTY configuration interface used to initiate the protocol sessions with the smart grid communication network.
Figure 8. Wireshark capture shows normal Modbus/TCP communication between the SCADA monitoring workstation and the smart grid device under normal operating conditions.
Figure 9. Wireshark capture showed increased SSH traffic during the cyberattack scenario, illustrating sustained communication between the SCADA workstation and the smart grid device under elevated network load.
Figure 10. Wireshark captures show ICMP packet activity during the cyberattack scenario, indicating additional network load that contributes to system performance degradation.
Figure 11. Comparative performance degradation under cyberattacks.
Figure 12. Federated-learning convergence performance under non-IID SCADA datasets: (a) global accuracy improvement across communication rounds and (b) global loss reduction during federated training.
Table 1. Comparison of this work with existing studies on smart grid cybersecurity.

| Ref. | Year | Focus | Attack/Threat Type | Methodology | Evaluation Environment | Controllability/Observability Consideration | Position Relative to This Work |
|---|---|---|---|---|---|---|---|
| [21] | 2026 | AI-driven cybersecurity framework for SCADA-integrated microgrids | DoS, ARP injection, plus broader discussion of FDI/replay | AI-based detection using SCADA and network features | Testbed/realistic scenarios | Not explicit | Strong real-time AI detection, but it does not directly formalize controllability/observability as the core evaluation lens. |
| [22] | 2026 | Maintaining smart-grid CPS controllability and observability under adversarial attacks | Telnet DoS, Modbus TCP flood, ICMP flood | SCADA-based real-time CPS + matrix-rank controllability/observability analysis | Real-time CPS + simulation (3-, 9-, 14-bus) | Explicitly addressed | Closest to the current manuscript; the present work extends toward privacy-preserving federated cybersecurity analytics and coordinated monitoring logic. |
| [23] | 2025 | AI-based cybersecurity assessment for renewable-integrated smart-grid SCADA systems | Telnet, DoS, Modbus/TCP, ICMP; protocol comparison across SSH/Telnet/HTTP/HTTPS | RNN–LSTM IDS + Wireshark + SCADA logs + protocol performance comparison | Real-world CPS testbed | Not explicit | Valuable for protocol/security benchmarking, but less centered on formal controllability/observability preservation. |
| [24] | 2025 | Digital-twin-driven smart grid with asynchronous federated learning and blockchain | Malicious station behavior, poisoning robustness, stale/non-IID updates | Blockchain + asynchronous FL + digital twin | Comparative experiments on heterogeneous devices and real power-grid datasets | Not addressed | Strong distributed learning architecture, but not targeted to SCADA protocol attacks or operator visibility/control. |
| [25] | 2025 | Privacy-preserving anomaly detection for smart-grid behavior monitoring | Cyber-physical/privacy attacks | K-means + LSTM + FL | Experimental evaluation of smart-grid behavior data | Not addressed | Strong privacy/anomaly results, but no direct analysis of SCADA testbed controllability/observability. |
| [26] | 2025 | Cybersecurity mitigation in smart electric microgrids | DoS, Telnet, Modbus-based intrusion scenarios | SCADA-based mitigation, protocol analysis, and testbed monitoring | Real-time CPS microgrid testbed | Partial/indirect | Practical mitigation paper, but the present work is stronger in control-theoretic interpretation and federated perspective. |
| [27] | 2025 | Information security protection for digital power grids | Network intrusion/cyberattack classification | Improved BiLSTM-DNN + multi-head attention + FL | NSL-KDD-based experimental study | Not addressed | Strong FL+DL classifier, but dataset-driven and not validated on a real SCADA/CPS control platform. |
| [28] | 2024 | Privacy-preserving FL against poisoning attacks in smart grid | Model poisoning/malicious gradients | Homomorphic encryption + hierarchical aggregation + adaptive defense | FL experiments on MNIST/CIFAR-10 under malicious participants | Not addressed | Strong privacy and robustness at the FL layer, but not a SCADA power-system operational study. |
| [29] | 2024 | Holistic review of FL applications across energy services | Broad privacy/security/data-silo concerns | Review/taxonomy of FL methods in energy systems | Conceptual/literature review | Not addressed | Useful background on FL in energy, but not focused on protocol-level SCADA attacks or control visibility. |
| [30] | 2024 | Early detection of reconnaissance attacks in smart-grid environments | Reconnaissance attack | FSGD-based federated learning | Kaggle IoT-security dataset; client/server validation | Not addressed | Important for attack-stage detection, but dataset-based and not experimentally tied to SCADA control performance. |
| [31] | 2024 | Secure V2X energy trading in smart grids | Trust, privacy, spoofing/SPOF-related platform threats, rather than SCADA intrusion detection | Blockchain + federated reinforcement learning | Simulation using a real-world dataset + Avalanche implementation | Not addressed | Relevant to secure smart-grid transactions, but outside SCADA attack monitoring and control-resilience scope. |
| [32] | 2024 | Federated anomaly detection in smart power grids | Abnormal events/anomalies | FL-based anomaly detection with weighted monitoring indicators | Simulation/analysis for grid monitoring categories | Not addressed | Useful anomaly-detection baseline but lacks real-time cyber-physical experimentation and explicit control-theoretic treatment. |
| [33] | 2024 | FL for cybersecurity and trustworthiness in 5G/6G networks | Inference, poisoning, insider/outsider FL attacks | Comprehensive survey | Review | Not addressed | Broader-domain FL security survey; indirectly useful for threat/defense framing, not for smart-grid SCADA validation. |
| [34] | 2024 | FL in urban sensing systems with attacks, defenses, and incentives | Inference attacks, poisoning attacks | Comprehensive survey | Review | Not addressed | Provides a broader FL attack/defense context but is only indirectly relevant to smart-grid SCADA cybersecurity. |
| This work | - | Privacy-preserving federated cybersecurity analytics for SCADA-based smart grids under coordinated attacks | SSH, Modbus/TCP flooding, ICMP-based attacks | Real-time SCADA/CPS testbed + federated-learning perspective + controllability/observability matrix analysis + Wireshark-assisted monitoring | Real-time laboratory smart-grid/SCADA testbed | Explicitly addressed | Distinguishes itself by jointly studying protocol attacks, SCADA monitoring, and control-theoretic resilience in one real-time framework. |
Table 2. Electrical measurements at Meter 1 and Meter 2 under normal operating conditions.

| Parameter | Meter 1 (192.168.1.20) | Meter 2 (192.168.168.31) |
|---|---|---|
| V_PH (V) | 114-114-114 | 114-114-114 |
| V_Line (V) | 198-198-198 | 198-198-198 |
| I (A) | 0.19 | 0.34 |
| P (W) | 14 | −14 |
| Q (var) | −1 | −116 |
| S (VA) | 21 | 116 |
| F (Hz) | 60.00 | 60.00 |
| Power Factor | 0.68 | 0.12 |
Table 3. Electrical measurements at Meter 1 and Meter 2 during SSH-based cyberattack conditions at M1.

| Parameter | Meter 1 (192.168.1.20) | Meter 2 (192.168.168.31) |
|---|---|---|
| V_PH (V) | 108-115-113 | 110-112-113 |
| V_Line (V) | 191-197-194 | 191-197-194 |
| I (A) | 0.19-0.00-0.00-0.19 | 0.34-0.35-0.35-0.00 |
| P (W) | 14 | −14 |
| Q (var) | −1 | −115 |
| S (VA) | 21 | 116 |
| F (Hz) | 59.99 | 59.98 |
| Power Factor | 0.68 | 0.12 |
Table 4. Electrical measurements at Meter 1 and Meter 2 during SSH-based cyberattack conditions at M2.

| Parameter | Meter 1 (192.168.1.20) | Meter 2 (192.168.168.31) |
|---|---|---|
| V_PH (V) | 108-114-113 | 108-111-112 |
| V_Line (V) | 192-197-194 | 190-196-193 |
| I (A) | 0.2-0.00-0.00-0.19 | 0.34-0.34-0.34-0.00 |
| P (W) | 14 | −14 |
| Q (var) | −1 | −115 |
| S (VA) | 21 | 116 |
| F (Hz) | 59.99 | 59.98 |
| Power Factor | 0.68 | 0.12 |
Table 5. Percentage deviation of electrical parameters under cyberattack conditions.

| Parameter | Meter | Normal | Attack | Deviation (%) |
|---|---|---|---|---|
| Vph avg (V) | Meter 1 | 114 | 112 | −1.75% |
| Vph avg (V) | Meter 2 | 114 | 111.67 | −2.00% |
| Frequency (Hz) | Meter 1 | 60.00 | 59.99 | −0.017% |
| Frequency (Hz) | Meter 2 | 60.00 | 59.98 | −0.033% |
| Reactive Power (var) | Meter 2 | −116 | −115 | +0.86% |
Table 6. Proposed scenarios used.

| Scenario | Type of Attack | Protocol | Tool Used | Duration (s) | Packet Rate (pkt/s) |
|---|---|---|---|---|---|
| S1 | Normal | Modbus/TCP | | 60 | 120 |
| S2 | SSH | SSH | PuTTY | 60 | 350 |
| S3 | ICMP Flood | ICMP | hping3 | 60 | 1200 |
| S4 | Coordinated Attack | SSH + ICMP | PuTTY + hping3 | 60 | 1800 |
Table 7. The impact of cyberattacks on system performance.

| Scenario | Avg. Delay (ms) | Packet Loss (%) | Command Error (%) | Response Time (ms) |
|---|---|---|---|---|
| Normal | 12 | 0 | 0 | 15 |
| SSH | 45 | 2.5 | 10 | 60 |
| ICMP | 120 | 8.2 | 25 | 140 |
| Coordinated | 210 | 15.5 | 40 | 260 |
Table 8. The status of the Controllability & Observability of the system.

| Scenario | Rank (Controllability) | Rank (Observability) | System States (n) | Status |
|---|---|---|---|---|
| Normal | 4 | 4 | 4 | Fully Controllable & Observable |
| SSH | 4 | 3 | 4 | Partial Observability Loss |
| ICMP | 3 | 3 | 4 | Degraded System |
| Coordinated | 2 | 2 | 4 | Critical Loss |
Table 9. The deviation in voltage and frequency due to the attack.

| Parameter | Normal | Attack | Deviation (%) |
|---|---|---|---|
| Voltage (V) | 115 | 113 | −1.7% |
| Frequency (Hz) | 60.01 | 59.98 | −0.05% |
Table 10. Intrusion detection performance based on the SCADA dataset.

| Metric | Value (%) |
|---|---|
| Accuracy | 96.4 |
| Precision | 95.8 |
| Recall | 95.2 |
| F1-Score | 95.5 |
Table 11. Estimated communication overhead per federated-learning round.

| Communication Round | Avg. Upload (KB) | Avg. Download (KB) | Total Bandwidth (KB) |
|---|---|---|---|
| 1 | 120 | 115 | 235 |
| 3 | 122 | 116 | 238 |
| 5 | 121 | 117 | 238 |
| 7 | 123 | 118 | 241 |
| 9 | 124 | 118 | 242 |
| 11 | 125 | 119 | 244 |
| 13 | 126 | 120 | 246 |
| 15 | 127 | 121 | 248 |
Etinge, Z.; Annamalai, A.; Chouikha, M.; Abood, S. Privacy-Preserving Federated Cybersecurity Analytics for Smart-Grid SCADA: Maintaining Controllability and Observability Under Coordinated Attacks. Electronics 2026, 15, 2197. https://doi.org/10.3390/electronics15102197