Topology Robustness of State Estimation Against False Data Injection and Network Parameter Attacks on Power Monitoring and Control Systems

Abstract

With the integration of information and communication systems, cyberattacks threaten the normal operation of the power grid. As a critical function, state estimation in the power monitoring and control system is an attractive target for attackers. There are two typical cyberattacks—false data injection attack (FDIA) and network parameter attack (NPA)—that produce incorrect state estimation results, threatening the control and operation of the power system. This paper introduces the first theoretical framework for analyzing the topology robustness of state estimation against FDIA, NPA, and coordinated FDIA+NPA, quantifying the inherent tolerance to injected errors under the DC model. Novel contributions include the following: (1) derivation of analytical bounds on relative state errors for FDIA and similar expressions for NPA and coordinated attacks; (2) proof that sensor measurements, network topology, and branch parameters are key factors influencing robustness, with larger robustness factor amplifying errors in dense or partially measured systems; and (3) validation through extensive MATPOWER simulations on IEEE 14-, 30-, 57-, 118-, and 300-bus systems, confirming bound tightness across scales. These insights enable preventive grid design to enhance resilience against cyber-physical threats.

1. Introduction

The modern power system has become more flexible and efficient through the integration of sensing and electronic devices. The large-scale system can be monitored, controlled, and operated with wide-area information sharing and coordination. However, the data transmission network and the remote control channel are vulnerable to cyberattacks [1]. For example, it has been demonstrated that smart meters can be tampered with [2] and that remote terminal units (RTUs) can be corrupted [3].

As a critical function, state estimation is vital for providing reliable data for subsequent applications, such as contingency analysis and optimal power flow. Since its computation requires sensor measurements from the supervisory control and data acquisition (SCADA) system and physical parameters from the transmission network, it is vulnerable to both internal and external attackers.

False data injection attack (FDIA) is a common attack that modifies sensor measurements to introduce bias into the estimation result [4]. Liu et al. [5] presented a framework for constructing stealthy FDIA if the attacker has full knowledge about the system network and branch parameters. Then, Kosut et al. [6] proposed two regimes of attack: if the attacker performs a stealthy attack, a graph-theoretic method is designed to find the minimum-size stealthy FDIAs; if the attacker cannot launch a stealthy attack, a minimum-residue-energy attack is proposed as a trade-off between causing large estimation errors and a low detection probability. Yang et al. [7] first proved that the optimization problem of minimizing the number of compromised measurements required to modify a predetermined set of state variables is NP-hard. But with the insight that large-degree buses can be modeled as linear matrix transformations, they proposed a heuristic to solve this optimization problem efficiently. Based on the topology analysis, Deng et al. [8] provided that the attacker can arbitrarily modify the state variables of buses/superbuses that are connected by known branches. They leveraged a new countermeasure by actively perturbing branch admittances to prevent the attackers from obtaining the line parameters. More recently, Zhang et al. [9] proposed an FDIA that requires only the transmission topology, thereby reducing the need for branch parameters. The FDIA demonstrates the vulnerability of the sensor measurements used in state estimation. There are also studies that have explored FDIAs in AC models, such as the unified framework for designing optimal AC FDIAs proposed in [10], which demonstrates attack construction while highlighting vulnerabilities in nonlinear state estimation. There are many methods proposed to detect FDIAs. Fusion deep learning methods for real-time FDIA countermeasures, emphasizing confidence-aware strategies for robustness against data drifts [11]. For FDIA detection in DC microgrids, the data-driven framework proposed in Wang et al., which uses adaptive residual generators for attack localization, demonstrates high accuracy in multi-generator systems [12]. Advances in ML-based countermeasures include stacking models for intrusion detection against cyber attacks in power systems, as in [13], which improves accuracy in identifying threats like FDIA. Another relevant work uses supervised ML for cyberattack detection in PV-powered systems, adaptable to state estimation scenarios [14]. However, most existing work has focused on FDIA design and detection, failing to reveal the state estimator’s tolerance to the FDIA.

Another typical attack is the network parameter attack (NPA). The attacker can take control of Flexible Alternating Current Transmission System (FACTS) devices and inject unexpected capacitors into the transmission line [15,16]. FACTS is an equipment that is used to compensate for the reactive power with the resistor–inductor–capacitor circuit [17]. The compensation reference value is sent to the FACTS device, which is vulnerable to compromise and modification. Therefore, the network parameter is changed. Zhang et al. [18] introduced a stealthy physics-manipulated attack (SPMA) targeting FACTS devices, combining physical reactance manipulation with coordinated FDIA sensor data to evade detection. It analyzed the attack’s stealthiness across varying levels of adversarial knowledge, quantified its economic and operational impacts, and proposed countermeasures, such as critical sensor protection and Thévenin-based impedance monitoring, to mitigate risks. Considering the dynamic environment of the power system, Zhang et al. [17] investigated the vulnerability of intelligent grid Load Frequency Control (LFC) to NPA, in which attackers manipulated the reactance values of transmission lines via compromised Thyristor-Controlled Series Compensators (TCSCs) to destabilize grid frequency. By analyzing eigenvalue sensitivity to identify critical transmission lines and formulating a resource-efficient attack strategy, the study demonstrated, through simulations on IEEE test systems, that NPAs could induce instability, underscoring the need for robust cybersecurity defenses in power systems. Although the papers above showed that NPA can affect system operation, they did not provide a deep analysis of why the power system is vulnerable to these modifications.

As noted above, existing studies have primarily investigated how to design robust and stealthy attacks. The ability of state estimation to tolerate errors injected into sensor measurements and network parameters has not been sufficiently studied. To fill this gap, we analyze the topology robustness of power system state estimation against FDIA and NPA in this paper. In other words, we aim to quantify the tolerance of state estimation to injected errors. There is prior work studying this topic. Pajic et al. [19] proposed a robust method for attack-resilient state estimation in cyber-physical systems under noise and modeling errors, demonstrating that attackers cannot exploit model discrepancies to destabilize the system. Chakhchoukh and Ishii [20] proposed enhancing the security of the power system state estimation by deploying multiple robust least trimmed squares (LTS) estimators with varying breakdown points in parallel, reducing reliance on costly secure sensors. However, these studies primarily focused on improving the power system’s topology robustness. The factors influencing topology robustness against cyberattacks remain unexplored. Therefore, by jointly modeling the attack and the system, we aim to identify which parameters are critical to the topology robustness of power system state estimation. The contributions are given in the following:

• First, we develop a unified model integrating FDIA (targeting sensor measurements) and NPA (targeting branch parameters via devices like FACTS) to analyze their combined impact on power system state estimation, providing a theoretical framework that quantifies topology robustness through norm-based sensitivity measures-unlike prior works that focus primarily on attack design without deriving tolerance bounds.
• Second, we derive closed-form analytical bounds for topology robustness, including the metric for FDIA in fully measured systems and the metric for partially measured cases, extended to NPA and coordinated attacks, enabling operators to evaluate vulnerability without exhaustive simulations.
• Finally, we conduct extensive simulations on IEEE test systems (14-, 30-, 57-, 118-, and 300-bus), validating that lower robustness values correlate with reduced error propagation (e.g., up to 30% robustness improvement with partial measurements), under scenarios including noise and topology variations.

In this paper, topology robustness refers to the inherent tolerance of the power system’s state estimation process to errors injected by cyberattacks, specifically quantified as the bounded amplification of estimation errors relative to injected perturbations in sensor measurements (under FDIA) or network parameters (under NPA). This robustness is measured through analytical bounds, which capture the sensitivity of state estimates to topology, branch parameters, and sensor placement. Traditional security solutions, such as encryption and intrusion detection systems (IDS), are insufficient to fully mitigate these threats because FDIA and NPA can be designed to be stealthy—exploiting knowledge of the system topology to evade detection by maintaining consistency with bad data detection mechanisms—while NPA directly manipulates physical parameters via compromised field devices (e.g., FACTS), bypassing cyber-layer protections. Our analysis focuses on these intrinsic vulnerabilities to inform topology-aware defenses.

The organization of this paper is as follows: the system model and threat model are given in Section 2; the topology robustness of the power system state estimation against FDIA and NPA is analyzed in Section 3; the extensive simulations used to validate the theoretical results are in Section 4; Section 5 discusses some implications for Power Grid Planning and Operation and Section 6 concludes the paper.

2. System Model and Threat Model

Here, we introduce the power system state estimation and threat model for an easy understanding of the following derivations.

2.1. System Model

The DC model is usually used in power systems to analyze contingencies, faults, and market behavior [21]. Although it is linearized from the nonlinear AC model, the DC power flow model is designed for real-time operations, such as computing marginal price [22,23]. Therefore, although the DC model is simple, it captures the power system’s physical characteristics. The state variables to be estimated are the voltage phase angles. The power flow is represented as

$$f_{ij}=-b_{ij}({\theta }_i-{\theta }_j), p_i=\sum _{j\in {\mathcal{Q}}_i}{f}_{ij},$$

(1)

where $f_{ij}$ denotes the power flow between bus i and j, $b_{ij}$ represents the equivalent susceptance of branch $\{i,j\}$, ${\theta }_i$ and ${\theta }_j$ represent the voltage phase angles of bus i and j, respectively, $p_i$ denotes the power injection of bus i, ${\mathcal{Q}}_i$ is a set containing neighboring buses connected to bus i. Considering a power transmission network having a set $\{1,2,\cdots ,n+1\}$ of buses (bus 1 is the reference bus) and a set $\{k_1,k_2,\cdots ,k_l\}$ of branches. Apart from the reference bus, the rest n phase angles ${\theta }_1,{\theta }_2,\cdots ,{\theta }_n$ are state variables that should be estimated, denoted by $\mathbf{x}\in {\mathbb{R}}^n$. The branch/line $k_t=\{i,j\}\in \mathcal{L}$ incidents from bus i to bus j. If the power system is fully measured, meaning each bus is sensed by a meter and each branch is sensed by two meters (one in each direction), then there are $m=2l+n+1$ meters. The DC power flow model is formulated as

$$\mathbf{z}=\mathbf{H}\mathbf{x}+\mathit{\eta }.$$

(2)

in which, $\mathbf{H}$ denotes the measurement matrix, $\mathbf{z}$ represents the measurements of power injections and power flows.

2.2. Measurement Matrix

By using $\mathbf{V}$ to denote the branch–bus incidence matrix, we have

$$v_{ti}=\left\{\begin{array}{cc}1,\hfill & k_t\mathrm{starts}\mathrm{from}\mathrm{bus}i;\hfill \\ -1,\hfill & k_t\mathrm{ends}\mathrm{at}\mathrm{bus}i;\hfill \\ 0,\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

(3)

in which, $v_{ti}$ denotes the element at position $(t,i)$ of $\mathbf{V}$. Using $\mathbf{W}$ as the diagonal branch susceptance matrix, its element ${\mathbf{w}}_{tt}$ is $-b_{ij}$ with $k_t=\{i,j\}$. Hence, the symmetric admittance matrix is $\mathbf{B}={\mathbf{V}}^T\mathbf{W}\mathbf{V}$ (invertible), and the branch-bus shift factor matrix is $\mathbf{S}=\mathbf{W}\mathbf{V}$. Besides, we have

$$\mathbf{f}=\mathbf{S}\mathit{\theta }, \mathbf{p}=\mathbf{B}\mathit{\theta },$$

(4)

where $\mathbf{f}$ denotes a vector of power flows, $\mathbf{p}$ denotes a vector of power injections, and $\mathit{\theta }$ denotes a vector of phase angles. In the fully measured case, the matrix $\mathbf{H}\in {\mathbb{R}}^{m\times n}$ is

$$\mathbf{H}=\left[\begin{array}{c}\mathbf{B}\\ \mathbf{S}\\ -\mathbf{S}\end{array}\right].$$

(5)

The matrix $\mathbf{H}$ is related to the transmission network and branch parameters (i.e., susceptance).

Suppose the system is partially measured, meaning some buses and branches are not equipped with meters. In that case, the measurement matrix is constructed by selecting several rows from the fully measured matrix. For any measurement matrix, it is of full column rank.

2.3. State Estimation

State estimation, a basic function for estimating the state variables with sensor measurements monitored by the SCADA system [24]. The state estimation is

$$\widehat{\mathbf{x}}={\left({\mathbf{H}}^T\mathbf{H}\right)}^{-1}{\mathbf{H}}^T\mathbf{z}.$$

(6)

The estimation $\widehat{\mathbf{x}}$ is usually computed using the least squares method.

2.4. Threat Model

The power grid’s security has attracted significant attention. For example, the US National Electric Sector Cybersecurity Organization Resource (NESCOR) reports incidents and impacts on the physical power systems [25,26,27]. The North American Electrical Reliability Council (NERC) issues lessons learned from physical failures and outages caused by cyber faults [28]. In this paper, we focus on two common cyberattacks: the false data injection attack (FDIA) and the network parameter attack (NPA). For these two attacks, we assume that the attacker has the following capabilities.

• FDIA: The attacker has the capability of tampering with the sensor measurements.
• NPA: The attacker has the capability of corrupting the control commands of the devices that adjust the branch parameter (i.e., the reactance).

For both FDIA and NPA, the attackers eavesdrop on the communication channels before the attack to collect the necessary topology information. The attacker is not assumed to have complete details about the power system. The attack feasibility is discussed as follows:

• FDIA Feasibility: FDIA typically requires cyber access rather than physical contact, achieved by injecting malware into SCADA systems, remote terminal units (RTUs), or smart meters via phishing, supply-chain compromises, or network vulnerabilities. Real-world examples underscore this: the 2015 Ukraine blackout, caused by BlackEnergy malware, manipulated control systems to inject false commands, leading to widespread outages without physical intervention. Similarly, the Stuxnet worm (2010) targeted industrial controls, and more recent incidents, such as the 2019 Utah grid disruption and the 2021 ransomware attacks on U.S. and Australian power providers, demonstrate ongoing vulnerabilities. However, feasibility depends on attacker resources; stealthy FDIAs require topology knowledge, which can be obtained via reconnaissance or insider threats, but evading bad data detection (BDD) demands precise crafting to keep residuals below thresholds.
• NPA Feasibility: NPA often involves compromising devices like Flexible AC Transmission Systems (FACTS) or Thyristor-Controlled Series Compensators (TCSCs) to alter branch parameters (e.g., reactance). This can be cyber-based, requiring no physical access if control channels are hacked, as seen in simulations of physics-manipulated attacks. While fewer direct real-world examples exist than in FDIA, related incidents, such as the 2015 Ukraine attack, involved parameter manipulation in control logic. Detection is challenging, as NPAs can mimic legitimate variations (e.g., load changes) and bypass traditional BDD; advanced methods such as impedance monitoring or ML-based anomaly detection are needed, though not foolproof.
• Coordinated Attacks and Overall Difficulty: Coordinated FDIA+NPA increases impact but also complexity, requiring multi-domain access. Existing security measures (e.g., firewalls, encryption) raise the bar, but gaps in legacy systems persist, as evidenced by state-sponsored studies of grid vulnerabilities. Mitigation via robust estimators or moving target defenses can reduce feasibility.

As shown in Figure 1, we present the scenario diagram and attack entries. The key entities are divided into the following four functional layers: physical layer, cyber layer, control layer, and adversary capability.

3. Topology Robustness of the Power System State Estimation Against FDIA and NPA

In this section, we analyze the power grid’s topology robustness against FDIA and NPA. FDIA is an attack on the power grid that targets the sensor measurements. The measurement $\mathbf{m}$ is perturbed by adding noise to the original sensor measurements. NPA is a command-modification attack that corrupts the capacitance injection of the series capacitor compensator, thereby causing unexpected changes in network parameters [17]. These two cyberattacks can push the system states beyond their physical limits, inducing dangerous operating conditions. In the following, we discuss the power grid’s topology robustness against FDIA and NPA.

3.1. Topology Robustness Under FDIA

Considering the threat of FDIA, the topology robustness of power system state estimation is its tolerance to injected measurement errors. Taking state estimation as the critical function, we examine the change in the estimated state when the sensor measurements are modified. Based on the deployed sensors, two cases should be analyzed: the fully measured case and the partially measured case.

3.1.1. Fully-Measured Case for FDIA

If the power network is fully measured, then we have

$$\mathbf{z}=\mathbf{H}\mathbf{x}=\left[\begin{array}{c}\mathbf{B}\\ \mathbf{S}\\ -\mathbf{S}\end{array}\right] \mathbf{x}.$$

(7)

Since $\mathbf{z}=\left[\begin{array}{c}\tilde{\mathbf{p}}\\ \tilde{\mathbf{f}}\\ -\tilde{\mathbf{f}}\end{array}\right]$, we have

$$\tilde{\mathbf{p}}=\mathbf{B}\mathbf{x},\tilde{\mathbf{f}}=\mathbf{S}\mathbf{x},$$

(8)

where $\tilde{\mathbf{p}}$ and $\tilde{\mathbf{f}}$ are measurements of the injection powers and power flows. Usually, since the first state of $\mathbf{x}$ is set as a reference, the first column of the branch-bus incident matrix $\mathbf{A}$ is removed, which is denoted by $\overline{\mathbf{A}}$. Thus, we have

$$\tilde{\mathbf{p}}=\overline{\mathbf{B}}\overline{\mathbf{x}},$$

(9)

where $\overline{\mathbf{B}}={\overline{\mathbf{A}}}^T\mathbf{D}\overline{\mathbf{A}}$ is an invertible square matrix and $\overline{\mathbf{x}}$ represents the state vector by deleting the first state variable. Furthermore, we can use Equation (9) to assess the topology robustness of the state estimation against FDIA and NPA.

Under FDIA, the sensor measurements are corrupted by the attacker. The impact of FDIA on the state estimation is analyzed as follows.

Proposition 1.

The topology robustness of the power system state estimation against FDIA depends on $\gamma =\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel$.

Proof. 

With (9), we have

$$\tilde{\mathbf{p}}+ϵ\tilde{\mathbf{p}}=\overline{\mathbf{B}}(\overline{\mathbf{x}}+ϵ\overline{\mathbf{x}}),$$

(10)

where $ϵ\tilde{\mathbf{p}}$ and $ϵ\overline{\mathbf{x}}$ are the error injected into the measurement and the state error caused by FDIA, respectively. We can derive that

$$ϵ\overline{\mathbf{x}}={\overline{\mathbf{B}}}^{-1}ϵ\tilde{\mathbf{p}}$$

(11)

According to the compatibility condition of the norm, we have

$$\parallel ϵ\overline{\mathbf{x}}\parallel \le \parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel ϵ\tilde{\mathbf{p}}\parallel ,\parallel \tilde{\mathbf{p}}\parallel \le \parallel \overline{\mathbf{B}}\parallel · \parallel \overline{\mathbf{x}}\parallel ,$$

(12)

where $\parallel \ast \parallel$ denotes any norm. Therefore, we can derive that

$${\displaystyle \frac{\parallel ϵ\overline{\mathbf{x}}\parallel }{\parallel \overline{\mathbf{x}}\parallel }}\le \parallel {\overline{\mathbf{B}}}^{-1}\parallel · \parallel \overline{\mathbf{B}}\parallel · {\displaystyle \frac{\parallel ϵ\tilde{\mathbf{p}}\parallel }{\parallel \tilde{\mathbf{p}}\parallel }}=\gamma {\displaystyle \frac{\parallel ϵ\tilde{\mathbf{p}}\parallel }{\parallel \tilde{\mathbf{p}}\parallel }}.$$

(13)

From above, the state change induced by FDIA is related to $\gamma =\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel$, which dominates the impact of FDIA on the state estimation. □

Since $\overline{\mathbf{B}}$ is constructed according to the transmission topology and branch parameters, the topology robustness of the power system state estimation against FDIA is related to the physical parameters. The smaller the $\gamma$ is, the less sensitive the state is to the injected measurement error. Once $\gamma \gg 1$, the state estimation is vulnerable to the measurement error injected by FDIA. Therefore, in a transmission system, if the transmission topology and branch parameters make $\gamma$ much smaller than 1, the system is more robust to measurement errors injected by FDIA.

For computing $\gamma$, we provide a special example: the norm in Equation (12) is the 2-norm. Based on the singular value decomposition, the largest and smallest singular values (i.e., ${\alpha }_{\min }$ and ${\alpha }_{\max }$) of matrix $\overline{\mathbf{B}}$ have the following relationship:

$${\alpha }_{\min }={\displaystyle \frac{1}{\parallel {\overline{\mathbf{B}}}^{-1}{\parallel }_2}},{\alpha }_{\max }={\parallel \overline{\mathbf{B}}\parallel }_2$$

(14)

Therefore, we have $\gamma ={\displaystyle \frac{{\alpha }_{\max }}{{\alpha }_{\min }}}$. Since $\overline{\mathbf{B}}$ is a symmetry positive matrix, we can derive that $\gamma ={\displaystyle \frac{{\zeta }_{\max }}{{\zeta }_{\min }}}$, where ${\zeta }_{\min }$ and ${\zeta }_{\max }$ are the maximum and minimum eigenvalues of matrix $\overline{\mathbf{B}}$.

3.1.2. Partially-Measured Case for FDIA

Next, we consider a more general case where the transmission system is not fully measured. In this case, we have $\mathbf{z}=\mathbf{H}\mathbf{x}$, and the matrix $\mathbf{H}$ is full column rank.

To assess the topology robustness of the state estimation against FDIA, we conclude as follows.

Proposition 2.

The topology robustness of the state estimation against FDIA depends on ${\gamma }^{\prime }={\displaystyle \frac{{\alpha }_{\mathit{max}}^{\prime }}{{\alpha }_{\mathit{min}}^{\prime }}}$, where ${\alpha }_{\mathit{max}}^{\prime }$ is the maximum singular value of matrix $\mathbf{H}$ and ${\alpha }_{\min }^{\prime }$ is the minimum singular value but not the zero singular value of matrix $\mathbf{H}$.

Proof. 

Since the sensor measurements are injected with errors by FDIA, we have

$$\mathbf{z}+ϵ\mathbf{z}=\mathbf{H}(\mathbf{x}+ϵ\mathbf{x}),$$

(15)

where $ϵ\mathbf{z}$ and $ϵ\mathbf{x}$ are the error injected into the sensor measurement and the state error caused by FDIA, respectively. Therefore, we obtain that

$$ϵ\mathbf{x}={\mathbf{H}}^{\star }ϵ\mathbf{z},$$

(16)

where ${\mathbf{H}}^{\star }$ is the Moore-Penrose pseudoinverse of $\mathbf{H}$. Similar to the proof of Proposition 1, we can derive that

$${\displaystyle \frac{\parallel ϵ\mathbf{x}\parallel }{\parallel \mathbf{x}\parallel }}\le \parallel {\mathbf{H}}^{\star }\parallel ·\parallel \mathbf{H}\parallel ·{\displaystyle \frac{\parallel ϵ\mathbf{z}\parallel }{\parallel \mathbf{z}\parallel }}.$$

(17)

Considering that the norm is 2-norm, we have

$$\parallel \mathbf{H}\parallel ={\alpha }_{\max }^{\prime },\parallel {\mathbf{H}}^{\star }\parallel ={\displaystyle \frac{1}{{\alpha }_{\min }^{\prime }}},$$

(18)

where ${\alpha }_{\max }^{\prime }$ denotes the maximum singular value of the measurement matrix $\mathbf{H}$ and ${\alpha }_{\min }^{\prime }$ denotes the minimum singular value of $\mathbf{H}$ but not the zero singular value. Since ${\gamma }^{\prime }={\displaystyle \frac{{\alpha }_{\max }^{\prime }}{{\alpha }_{\min }^{\prime }}}$, we have

$${\displaystyle \frac{\parallel ϵ\mathbf{x}\parallel }{\parallel \mathbf{x}\parallel }}\le {\gamma }^{\prime }·{\displaystyle \frac{\parallel ϵ\mathbf{z}\parallel }{\parallel \mathbf{z}\parallel }}.$$

(19)

Therefore, the topology robustness of the state estimation depends on ${\gamma }^{\prime }$. □

Since $\mathbf{H}$ is constructed from the positions of deployed sensors, the transmission topology, and the branch parameters, the topology robustness of the state estimation against FDIA depends on these parameters. A smaller ${\gamma }^{\prime }$ indicates the better topology robustness of the state estimation. If ${\gamma }^{\prime }\ll 1$, the state estimation is not sensitive to the measurement error injected by FDIA.

3.2. Topology Robustness Under NPA

Considering the threat of NPA, the topology robustness of the state estimation is its tolerance to injected errors in the physical parameters. Here, we assume that the attacker targets the branch parameter. This attack is usually carried out by modifying the control commands of field electronic devices. A typical target is the Flexible Alternating Current Transmission System (FACTS). By compromising the channel carrying the control signal, the attacker can change the branch reactance by injecting an unexpected capacitor. In the following, we analyze the topology robustness of the state estimation against NPA in two cases.

3.2.1. Fully-Measured Case for NPA

Similar to the analysis given in Section 3.1.1, the Equation (9) is used to derive the result. Under NPA, the branch parameter (i.e., reactance) is modified. The impact of this modification is analyzed as follows.

Proposition 3.

The topology robustness of the state estimation against NPA is closely related to $\gamma =\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel$.

Proof. 

Under NPA, the matrix $\overline{\mathbf{B}}$ is changed. With (9), we can derive that

$$\tilde{\mathbf{p}}=(\overline{\mathbf{B}}+ϵ\overline{\mathbf{B}})(\overline{\mathbf{x}}+ϵ\overline{\mathbf{x}}),$$

(20)

where $ϵ\overline{\mathbf{B}}$ is the change caused by NPA and $ϵ\overline{\mathbf{x}}$ is the resulted state error. Since the attacker cannot change the transmission parameters on a large scale, $ϵ\overline{\mathbf{B}}$ is a small perturbation with respect to the matrix $\overline{\mathbf{B}}$. Assume that $\parallel {\overline{\mathbf{B}}}^{-1}ϵ\overline{\mathbf{B}}\parallel <1$; then the term ${(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}·ϵ\overline{\mathbf{B}})}^{-1}$ exists, where $\mathbf{E}$ is the identity matrix. According to (9), we can derive that

$$ϵ\overline{\mathbf{x}}=-{(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}·ϵ\overline{\mathbf{B}})}^{-1}{\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right)\mathbf{x}.$$

(21)

Since $\parallel {\overline{\mathbf{B}}}^{-1}ϵ\overline{\mathbf{B}}\parallel <1$, then the matrix $\overline{\mathbf{B}}+ϵ\overline{\mathbf{B}}$ is nonsingular (i.e., invertible). The inverse matrix of it is as follows:

$${(\overline{\mathbf{B}}+ϵ\overline{\mathbf{B}})}^{-1}={(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}·ϵ\overline{\mathbf{B}})}^{-1}{\overline{\mathbf{B}}}^{-1}.$$

(22)

According to the Neumann series, we have

$${(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}·ϵ\overline{\mathbf{B}})}^{-1}=\mathbf{E}-{\overline{\mathbf{B}}}^{-1}·ϵ\overline{\mathbf{B}}+{({\overline{\mathbf{B}}}^{-1}·ϵ\overline{\mathbf{B}})}^2-{({\overline{\mathbf{B}}}^{-1}·ϵ\overline{\mathbf{B}})}^3+\cdots$$

(23)

Then, the norm satisfies the following relationship:

$$\parallel {(\overline{\mathbf{B}}+ϵ\overline{\mathbf{B}})}^{-1}\parallel \le {\displaystyle \frac{\parallel {\overline{\mathbf{B}}}^{-1}\parallel }{1-\parallel {\overline{\mathbf{B}}}^{-1}ϵ\overline{\mathbf{B}}\parallel }}.$$

(24)

Further, we can derive that

$$\parallel ϵ\overline{\mathbf{x}}\parallel \le {\displaystyle \frac{\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel ϵ\overline{\mathbf{B}}\parallel ·\parallel \mathbf{x}\parallel }{1-\parallel {\overline{\mathbf{B}}}^{-1}(ϵ\overline{\mathbf{B}})\parallel }}.$$

(25)

Since $\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·ϵ\overline{\mathbf{B}}\parallel <1$, we have

$${\displaystyle \frac{\parallel ϵ\overline{\mathbf{x}}\parallel }{\parallel \overline{\mathbf{x}}\parallel }}\le {\displaystyle \frac{\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel ·\frac{\parallel ϵ\overline{\mathbf{B}}\parallel }{\parallel \overline{\mathbf{B}}\parallel }}{1-\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel ·\frac{\parallel ϵ\overline{\mathbf{B}}\parallel }{\parallel \overline{\mathbf{B}}\parallel }}}={\displaystyle \frac{\gamma ·\frac{\parallel ϵ\overline{\mathbf{B}}\parallel }{\parallel \overline{\mathbf{B}}\parallel }}{1-\gamma ·\frac{\parallel ϵ\overline{\mathbf{B}}\parallel }{\parallel \overline{\mathbf{B}}\parallel }}}.$$

(26)

Further, we can derive that

$${\displaystyle \frac{\parallel ϵ\overline{\mathbf{x}}\parallel }{\parallel \overline{\mathbf{x}}\parallel }}\le {\displaystyle \frac{1}{\frac{1}{\gamma }·\frac{\parallel \overline{\mathbf{B}}\parallel }{\parallel ϵ\overline{\mathbf{B}}\parallel }-1}}.$$

(27)

To enhance clarity, we will introduce a relative perturbation parameter $\vartheta ={\displaystyle \frac{\parallel ϵ\tilde{\mathbf{B}}\parallel }{\parallel \tilde{\mathbf{B}}\parallel }}$, which simplifies the expression while preserving its meaning. The revised equation will be reformatted as follows:

$${\displaystyle \frac{\parallel ϵ\tilde{\mathbf{x}}\parallel }{\parallel \tilde{\mathbf{x}}\parallel }}\le {\displaystyle \frac{\gamma \vartheta }{1-\gamma \vartheta }},$$

under the assumption that $\gamma \vartheta <1$.

Therefore, the topology robustness of the state estimation against NPA is closely related to $\gamma =\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel$. □

Since $\gamma$ is related to the transmission topology and branch parameters, the topology robustness of the power system state estimation against NPA is affected by these parameters. The smaller the $\gamma$ is, the less sensitive the state estimation is to the modification of the branch parameter. If $\gamma \ll 1$, then the power system state estimation is robust against NPA.

3.2.2. Partially Measured Case for NPA

Next, we consider the general case in which the power network is partially measured. Thus, the sensor deployment determines the construction of $\mathbf{H}$. Since NPA modifies the branch parameter, $\mathbf{H}$ is changed accordingly. Here is the conclusion about the topology robustness of the state estimation against NPA.

Proposition 4.

The topology robustness of the state estimation against NPA is related to ${\gamma }^{\prime }={\displaystyle \frac{{\alpha }_{\mathit{max}}^{\prime }}{{\alpha }_{\mathit{min}}^{\prime }}}$, where ${\alpha }_{\mathit{max}}^{\prime }$ denotes the maximum singular value of matrix $\mathbf{H}$ and ${\alpha }_{\mathit{min}}^{\prime }$ denotes the minimum singular value but not the zero singular value of $\mathbf{H}$.

Proof. 

Suppose ${\mathbf{H}}^{\star }$ is the Moore–Penrose pseudoinverse of $\mathbf{H}$, we have

$$\mathbf{x}+ϵ\mathbf{x}={(\mathbf{H}+ϵ\mathbf{H})}^{\star }\mathbf{z}.$$

(28)

The error $ϵ\mathbf{H}$ injected by NPA is usually small. According to the Neumann series, we have

$${(\mathbf{H}+ϵ\mathbf{H})}^{\star }\approx {\mathbf{H}}^{\star }-{\mathbf{H}}^{\star }ϵ\mathbf{H}{\mathbf{H}}^{\star }+{\mathbf{H}}^{\star }{\left({\mathbf{H}}^{\star }\right)}^T{\left(ϵ\mathbf{H}\right)}^T(\mathbf{E}-\mathbf{H}{\mathbf{H}}^{\star }).$$

(29)

Therefore, the state error can be approximated with

$$ϵ\mathbf{x}\approx -{\mathbf{H}}^{\star }\left(ϵ\mathbf{H}\right)\mathbf{x}+{\mathbf{H}}^{\star }{\left({\mathbf{H}}^{\star }\right)}^T{\left(ϵ\mathbf{H}\right)}^T(\mathbf{E}-\mathbf{H}{\mathbf{H}}^{\star })\mathbf{z}.$$

(30)

Since $(\mathbf{E}-\mathbf{H}{\mathbf{H}}^{\star })\mathbf{z}=0$, we have

$$ϵ\mathbf{x}\approx -{\mathbf{H}}^{\star }\left(ϵ\mathbf{H}\right)\mathbf{x}.$$

(31)

Since $\mathbf{H}$ usually has full column rank, we have

$$\parallel ϵ\mathbf{x}\parallel \le \parallel {\mathbf{H}}^{\star }\parallel ·\parallel ϵ\mathbf{H}\parallel ·\parallel \mathbf{x}\parallel .$$

(32)

Further, we can derive that

$${\displaystyle \frac{\parallel ϵ\mathbf{x}\parallel }{\parallel \mathbf{x}\parallel }}\le \parallel {\mathbf{H}}^{\star }\parallel ·\parallel ϵ\mathbf{H}\parallel =\parallel {\mathbf{H}}^{\star }\parallel \parallel \mathbf{H}\parallel ·{\displaystyle \frac{\parallel ϵ\mathbf{H}\parallel }{\parallel \mathbf{H}\parallel }}.$$

(33)

According to the proof of Proposition 2, we have

$${\displaystyle \frac{\parallel ϵ\mathbf{x}\parallel }{\parallel \mathbf{x}\parallel }}\le {\gamma }^{\prime }{\displaystyle \frac{\parallel ϵ\mathbf{H}\parallel }{\parallel \mathbf{H}\parallel }}.$$

(34)

□

Since ${\gamma }^{\prime }$ depends on sensor deployment, the transmission topology, and branch parameters, the topology robustness of the state estimation against NPA is also tied to these parameters. In other words, if the system operator wants to enhance the topology robustness of the state estimation, they can select appropriate sensors for the analysis. From a construction perspective, topology planning and the materials used for power transmission can be considered to defend against NPA. Anyway, the goal is to obtain a sufficiently small ${\gamma }^{\prime }$.

3.3. Topology Robustness Under the Coordinated FDIA and NPA

Furthermore, we consider the coordinated attack (CA) by simultaneously executing FDIA and NAP. This is a more powerful yet practical attack in a real-world case (e.g., BlackEnergy on the Ukrainian power grid [29]). The topology robustness of the state estimation against CA is analyzed in the following. Here, we only consider the fully measured case. The reason will be explained after the detailed analysis. Under CA, we have

$$\tilde{\mathbf{p}}+ϵ\tilde{\mathbf{p}}=(\overline{\mathbf{B}}+ϵ\overline{\mathbf{B}})(\overline{\mathbf{x}}+ϵ\overline{\mathbf{x}}).$$

(35)

Proposition 5.

Let $\eta =\varphi \gamma$, ${\displaystyle \frac{\parallel \overline{\mathbf{B}}\parallel }{\parallel ϵ\overline{\mathbf{B}}\parallel }}\le \varphi$, and ${\displaystyle \frac{\parallel ϵ\tilde{\mathit{p}}\parallel }{\parallel \tilde{\mathit{p}}\parallel }}\le \varphi$. If $\varphi <{\displaystyle \frac{1}{\gamma }}$, then we have ${\displaystyle \frac{\parallel ϵ\overline{\mathit{x}}\parallel }{\parallel \overline{\mathit{x}}\parallel }}\le {\displaystyle \frac{2\varphi }{1-\eta }}\gamma$, where $\gamma =\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel$.

Proof. 

First, since $\overline{\mathbf{B}}$ is invertible, we have

$$\parallel {\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right)\parallel \le \parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel ϵ\overline{\mathbf{B}}\parallel \le \varphi \parallel {\overline{\mathbf{B}}}^{-1}\parallel · \parallel \overline{\mathbf{B}}\parallel =\eta <1$$

(36)

According to the Neumann series, from (23), we analyze the term ${\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right)$. We have

$$\parallel {\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right)\parallel \le \parallel {\overline{\mathbf{B}}}^{-1}\parallel \parallel \left(ϵ\overline{\mathbf{B}}\right)\parallel = \parallel {\overline{\mathbf{B}}}^{-1}\parallel \parallel \overline{\mathbf{B}}\parallel {\displaystyle \frac{\parallel \left(ϵ\overline{\mathbf{B}}\right)\parallel }{\parallel \overline{\mathbf{B}}\parallel }}\le \gamma \varphi =\eta .$$

(37)

Therefore, we can derive that

$$\parallel {(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}(ϵ\overline{\mathbf{B}}))}^{-1}\parallel \le {\displaystyle \frac{1}{1-\eta }}.$$

(38)

Therefore, the matrix $\mathbf{E}+{\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right)$ is invertible. Furthermore, we have $\overline{\mathbf{B}}(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right))=\overline{\mathbf{B}}+ϵ\overline{\mathbf{B}}$ is also invertible.

Next, by multiplying ${\overline{\mathbf{B}}}^{-1}$ with both sides of Equation (35), we have

$$(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right))(\overline{\mathbf{x}}+ϵ\overline{\mathbf{x}})=\overline{\mathbf{x}}+{\overline{\mathbf{B}}}^{-1}\left(ϵ\tilde{\mathbf{p}}\right).$$

(39)

Thus, we have

$$\overline{\mathbf{x}}+ϵ\overline{\mathbf{x}}={(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right))}^{-1}(\overline{\mathbf{x}}+{\overline{\mathbf{B}}}^{-1}\left(ϵ\tilde{\mathbf{p}}\right)).$$

(40)

Further, we obtain

$$\begin{array}{cc}\hfill & \parallel \overline{\mathbf{x}}+ϵ\overline{\mathbf{x}}\parallel \le \parallel {(\mathbf{E}+{\overline{\mathbf{B}}}^{-1}(ϵ\overline{\mathbf{B}}))}^{-1}\parallel (\parallel \overline{\mathbf{x}}\parallel +\varphi \parallel {\overline{\mathbf{B}}}^{-1}\parallel \parallel \left(\tilde{\mathbf{p}}\right)\parallel )\hfill \\ & \le {\displaystyle \frac{1}{1-k}}(\parallel \overline{\mathbf{x}}\parallel +\eta {\displaystyle \frac{\parallel \left(\tilde{\mathbf{p}}\right)\parallel }{\parallel \overline{\mathbf{B}}\parallel }}).\hfill \end{array}$$

(41)

Since $\parallel \left(\tilde{\mathbf{p}}\right)\parallel \le \parallel \overline{\mathbf{B}}\parallel ·\parallel \overline{\mathbf{x}}\parallel$, we have

$$\parallel \overline{\mathbf{x}}+ϵ\overline{\mathbf{x}}\parallel \le {\displaystyle \frac{1}{1-k}}(\parallel \overline{\mathbf{x}}\parallel +\eta \parallel \overline{\mathbf{x}}\parallel ).$$

(42)

As $ϵ\overline{\mathbf{x}}={\overline{\mathbf{B}}}^{-1}\left(ϵ\tilde{\mathbf{p}}\right)-{\overline{\mathbf{B}}}^{-1}\left(ϵ\overline{\mathbf{B}}\right)(\overline{\mathbf{x}}+ϵ\overline{\mathbf{x}})$, we can derive that

$$\parallel ϵ\overline{\mathbf{x}}\parallel \le \parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \left(ϵ\tilde{\mathbf{p}}\right)-\left(ϵ\overline{\mathbf{B}}\right)(\overline{\mathbf{x}}+ϵ\overline{\mathbf{x}})\parallel .$$

(43)

According to the triangle inequality, we obtain that

$$\parallel ϵ\overline{\mathbf{x}}\parallel \le \varphi \parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \left(ϵ\tilde{\mathbf{p}}\right)\parallel +\varphi \parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel ·\parallel \overline{\mathbf{x}}+ϵ\overline{\mathbf{x}}\parallel .$$

(44)

Hence, we can derive that

$${\displaystyle \frac{\parallel ϵ\overline{\mathbf{x}}\parallel }{\parallel \overline{\mathbf{x}}\parallel }}\le \varphi \gamma {\displaystyle \frac{\parallel \left(ϵ\tilde{\mathbf{p}}\right)\parallel }{\parallel \overline{\mathbf{B}}\parallel ·\parallel \overline{\mathbf{x}}\parallel }}+\varphi \gamma {\displaystyle \frac{\parallel \overline{\mathbf{x}}+ϵ\overline{\mathbf{x}}\parallel }{\parallel \overline{\mathbf{x}}\parallel }}\le {\displaystyle \frac{2\varphi }{1-\eta }}\gamma$$

(45)

Therefore, the proof is completed. □

From the above results, the topology robustness of power system state estimation against CA is also related to $\gamma$, which depends on the transmission topology and branch parameters. A sufficiently small $\gamma$ can enhance the topology robustness of the state estimation against CA. In the partially measured case, the inverse operation is replaced by the Moore-Penrose pseudoinverse. The derivation process is similar to Proposition 5.

4. Simulation Results

Here, we carry out extensive simulations to validate the derived theoretical results. The IEEE 14-bus, 30-bus, 39-bus, 118-bus, and 300-bus power systems are used to evaluate the topology robustness of the state estimation against FDIA and NPA. The MATPOWER data and settings are used by default in most scenarios. The key settings are as follows:

• Simulations are conducted on IEEE 14-, 30-, 57-, 118-, and 300-bus benchmark systems, sourced from MATPOWER’s case files (e.g., case14.m). These represent varying scales: small (14-bus, 20 branches, average degree 2.86) for detailed analysis, up to large (300-bus, 411 branches, average degree 2.74) to assess scalability. Topology matrices $\tilde{\mathbf{B}}$ are derived from nominal branch parameters, with susceptances $b_{ij}$ in per-unit (p.u.) ranging from 0.1 (long lines) to 10 (short/high-capacity lines), reflecting realistic transmission reactance values.
• Measurement Configurations: For fully measured cases, $m=2l+n+1$ meters include all bus injections and bidirectional branch flows. Partial measurements reduce redundancy to 1.5–2.5 (e.g., all injections plus forward flows only), ensuring observability via rank checks on $\mathbf{H}$. Sensor placements prioritize critical buses (e.g., high-degree or generator-connected) to minimize $\gamma$, with noise $\eta \sim \mathcal{N}(0,0.{01}^2)$ p.u.
• Software and Computational Settings: MATPOWER 7.1 on MATLAB R2019a, with default tolerances (1 × 10⁻⁸ for convergence) and DC model flags. Runtime per system: 0.1s (14-bus) to 5s (300-bus) on a standard CPU.

4.1. Topology Robustness with Different Power Systems

Regardless of FDIA, NPA, or CA, the topology robustness of the state estimation is closely related to the parameter $\gamma$; we compute its values with different power systems and present them in

Table 1. The topology robustness of the power system state estimation with different power systems from MATPOWER test cases.

Power System	14-Bus	30-Bus	39-Bus	118-Bus	300-Bus
$\gamma$	121.2855	492.5221	$1.3525\times {10}^3$	$1.0566\times {10}^4$	$7.5631\times {10}^4$

. We can see that the value of $\gamma$ increases with the size of the power system. This indicates that state estimation in a larger power system is less robust to FDIA, NPA, and CA. The primary reason is that the extensive power system requires more resilient operation to withstand disturbances. The increase in $\gamma$ with system size (e.g., from IEEE 14-bus to 118-bus) is indeed influenced by fundamental network properties: in larger systems, the admittance matrix $\tilde{\mathbf{B}}$ (or measurement matrix $\mathbf{H}$) tends to exhibit higher robustness due to increased connectivity (higher average node degree, leading to denser matrices with more off-diagonal elements) and greater variability in branch parameter distributions (e.g., susceptances spanning a wider range from short urban lines to long transmission lines, resulting in eigenvalues that are more spread out). This makes the state estimation more sensitive to perturbations, as the ratio of maximum to minimum eigenvalues/singular values grows.

4.2. Topology Robustness with Different System Parameters

Next, we analyze the topology robustness of the state estimation against FDIA and NPA with different system parameters. Here, we take the IEEE 14-bus power system as an example. Figure 2 shows the topology of the power system. The transmission topology remains unchanged. We consider varying the branch parameters to assess the impact of FDIA and NPA on the estimation error. There are two configuration cases for the branch parameters, as shown in

Table 2. Branch susceptances for two configuration cases.

Branch Number	Susceptance (Case 1)	Susceptance (Case 2)
$k_1$	16.90	16.90
$k_2$	4.48	1.35
$k_3$	5.05	5.05
$k_4$	5.67	5.16
$k_5$	5.75	5.75
$k_6$	5.85	1.75
$k_7$	23.74	21.37
$k_8$	4.78	2.87
$k_9$	1.80	1.80
$k_{10}$	3.97	3.97
$k_{11}$	5.03	4.68
$k_{12}$	3.91	3.64
$k_{13}$	7.68	7.68
$k_{14}$	5.68	1.70
$k_{15}$	9.09	5.45
$k_{16}$	11.83	11.12
$k_{17}$	3.70	3.70
$k_{18}$	5.21	1.56
$k_{19}$	5.00	5.00
$k_{20}$	2.87	2.87

. The values of $\gamma$ (calculated according to Proposition 3, i.e., $\gamma =\parallel {\overline{\mathbf{B}}}^{-1}\parallel ·\parallel \overline{\mathbf{B}}\parallel$) for these two cases are 121.2855 and 133.8930, respectively. According to the analysis in Section 3, state estimation with the system parameters in case 2 is more sensitive to changes caused by FDIA and NPA.

To validate further, the sensor measurements and branch parameters are randomly changed with 10 different values. The “Test” of the x-axis means these 10 trials. The bound parameters $\gamma {\displaystyle \frac{\parallel ϵ\tilde{\mathbf{p}}\parallel }{\parallel \tilde{\mathbf{p}}\parallel }}$ and $\gamma {\displaystyle \frac{\parallel ϵ\overline{\mathbf{B}}\parallel }{\parallel \overline{\mathbf{B}}\parallel }}$ of FDIA and NPA are shown in Figure 3 and Figure 4. In both cases, the bound parameters for case 2 are larger than those for case 1. This indicates that the state estimation with the system parameters in case 1 is more robust than in case 2. The results are consistent with the analytical results obtained in Section 3.

Figure 5 shows the change of the estimation results with respect to the change of the sensor measurements. We can see that the relative error ${\displaystyle \frac{\parallel ϵ\mathbf{x}\parallel }{\parallel \mathbf{x}\parallel }}$ with the system parameters in case 1 is always smaller than that with the system parameters in case 2, although the size of the injection error changes. Therefore, the value of $\gamma$ determines the topology robustness of the power system state estimation against FDIA. While $\gamma$ is related to the branch parameters. Changes in branch parameters affect the topology robustness of the state estimation against FDIA.

Figure 6 shows the change of the estimation results with respect to the change of the branch parameter. We can see that the relative error ${\displaystyle \frac{\parallel ϵ\mathbf{x}\parallel }{\parallel \mathbf{x}\parallel }}$ with the system parameters in case 1 is always smaller than that with the system parameters in case 2, although the size of the injection error of NPA changes. Therefore, the value of $\gamma$ determines the topology robustness of the state estimation against NPA. While $\gamma$ is related to the branch parameters. Changes in branch parameters affect the topology robustness of the state estimation against NPA.

4.3. Topology Robustness Against FDIA with the Partially Measured Cases

Next, we evaluate the topology robustness of the state estimation under partial measurement. Here, we assume that the power injections are not measured. Only the power flowing in one direction along the transmission lines is measured. Therefore, we have $\mathbf{H}=\mathbf{S}$ in this partially measured case. Considering the branch parameters given in Table 2, we can obtain that the topology robustness parameters are 21.0950 and 24.5300 for case 1 and case 2, respectively. We take the topology robustness against FDIA as a typical example. Therefore, the state estimation against FDIA is more sensitive to case 2 than to case 1. The upper bound parameter is shown in Figure 7. We observe that the bound parameter for case 2 is always larger than that for case 1. The results are consistent with the conclusions obtained in Section 3. Besides, the relative estimation error with respect to the injected measurement error is shown in Figure 8. We observe that the estimation error for case 2 is always larger than that for case 1. Therefore, the simulation results demonstrate the correctness of the analytical results provided in Section 3.

5. Implications for Power Grid Planning and Operation

Topology Design to Reduce $\mathit{\gamma }$: To mitigate error amplification, grids should be designed with balanced connectivity, avoiding over-reliance on high-degree buses that increase eigenvalue spread in $\tilde{\mathbf{B}}$. For instance, modular or decentralized topologies (e.g., microgrid integrations) can lower $\mathit{\gamma }$ by reducing matrix ill-conditioning, as shown in larger IEEE systems where denser networks elevate $\mathit{\gamma }$. Additionally, active perturbation of branch admittances via FACTS devices can dynamically adjust parameters to prevent attackers from exploiting fixed topologies, enhancing resilience as demonstrated in moving target defense (MTD) approaches.

Sensor Deployment to Optimize $\mathit{\gamma }$: Optimal placement of phasor measurement units (PMUs) should prioritize increasing redundancy in vulnerable areas (e.g., high-$\mathit{\gamma }$ branches identified via eigenvalue analysis), ensuring observability while minimizing the condition number of $\mathbf{H}$. Strategies include graph-based algorithms for PMU allocation that protect against coordinated FDIA, such as placing PMUs at critical buses to transform unprotected measurements into secure ones. Simulations on IEEE 118-bus systems show that targeted deployments can reduce $\mathit{\gamma }$ by up to 20–30% in partially measured scenarios.

Integrated Planning Considerations: Combine topology modifications with cybersecurity measures, such as consensus-based estimators for distributed systems under attacks, to achieve holistic robustness. For future grids with renewables, adaptive designs accounting for dynamic topologies (e.g., via temporal graph convolutional networks) are recommended to maintain low $\mathit{\gamma }$ amid uncertainties.

6. Conclusions

This study advances the field of power system cybersecurity by providing the first comprehensive theoretical framework for quantifying topology robustness in state estimation against FDIA, NPA, and coordinated attacks. Unlike prior works that primarily focus on designing stealthy attacks or enhancing robustness through estimators, our approach derives analytical bounds (e.g., ${\displaystyle \frac{\parallel ϵ\tilde{\mathbf{x}}\parallel }{\parallel \tilde{\mathbf{x}}\parallel }}\le \gamma ·{\displaystyle \frac{\parallel ϵ\tilde{\mathbf{p}}\parallel }{\parallel \tilde{\mathbf{p}}\parallel }}$ for FDIA) that reveal key influencing factors—sensor measurements, network topology, and branch parameters—without assuming complete attacker knowledge. This originality lies in shifting from reactive defenses to preventive insights, enabling grid planners to optimize $\gamma$ (e.g., via balanced connectivity or PMU placements) for inherent resilience. Simulations on IEEE benchmarks validate these bounds, demonstrating their tightness and scalability, thus paving the way for topology-informed cyber-physical security in modern grids.

There are several limitations in this paper. First, the analysis in this paper is based on the linearized DC power flow model. While the DC model is a standard industry tool for contingency analysis and state estimation, it ignores reactive power, voltage magnitude fluctuations, and line losses. In a real-world AC environment, the nonlinear relationship between measurements and state variables could introduce complexities that the current $\gamma$ factor may not fully capture. Second, the research provides a method to quantify and identify vulnerabilities (the “diagnostic” phase) but does not propose an automated, real-time mitigation algorithm to actively reconfigure the topology or sensor placement once a high-risk $\gamma$ value is detected.