Cybersecurity Analysis of Load Frequency Control in Power Systems: A Survey

Abstract: Today, power systems have transformed considerably and have taken the new shape of geographically distributed systems in place of locally centralized ones, leading to a new infrastructure in the framework of networked-control cyber-physical systems (CPS). Among the important operations performed for smooth generation, transmission, and distribution of power, maintaining the scheduled frequency against any perturbation is a key one. The load frequency control (LFC) operation governs this frequency regulation after the primary control. Because of its CPS nature, the LFC operation is vulnerable to attacks from both physical and cyber standpoints. The cyber-attack strategies range over a variety of attacks such as jamming the network communication, time-delay attacks, and false data injection. Motivated by these perspectives, this paper studies the cybersecurity issues of power systems during the LFC operation, and a survey is conducted on the security analysis of LFC. Various cyber-attack strategies, their mathematical models, and vulnerability assessments are examined to understand the possible threats and the sources causing failure of frequency regulation. The LFC operation of a two-area power system is considered as a tutorial example to quantify the vulnerabilities. Mitigation strategies through control-theoretic approaches are then reviewed and highlighted for LFC operation under cyber-attack.


Introduction
Today, the power sector is one of the critical infrastructures among industrial control systems, because generation, transmission, and distribution of power are governed by automation. Moreover, the penetration of renewable energy resources, the incorporation of the demand side to provide ancillary services, and power system restructuring are increasing daily. Due to large interconnections and remotely located generation, load, and control terminals, power systems can be categorized as cyber-physical systems, where sensing, communication, and computing technologies are applied to physical spaces [1,2]. Note that the concept of cyber-physical power systems was initially depicted in [3] as a dedicated case of a cyber-physical system in a power system. It includes a large number of computing devices (servers, embedded systems, etc.), data acquisition devices (sensors, phasor measurement units, etc.), and physical devices (large-scale generator sets, distributed power supplies, loads, etc.). All these devices are interconnected through communication and transmission networks [4][5][6][7].
It is well known that the dependency on communication media makes power systems vulnerable to cyber-attack, as there are many openings in the network through which the signal flow can be disrupted [8][9][10][11]. The cyber-attack known as the "Stuxnet malware incident" brought substantial damage to the Iranian nuclear program [12], which clearly indicated that the security was inefficient [13]. Such an incident raised the alarm to avoid serious issues in advanced power technology. In a smart grid, the frequency regulation, optimal power flow analysis, and contingency analysis operations are based on network communication technology such as LAN, 3G, 4G, or 5G [14][15][16]. It is nearly impossible to remove all openings for attack in the network; however, a framework can be proposed focusing on (i) attack detection, (ii) the effect of the attack, and (iii) resilient system development. Note that attackers target the power grid to (i) obtain economic benefits in terms of electricity bill reduction by tampering with smart meters, (ii) make a profit from contingencies in the electricity market, and (iii) promote terrorism. In principle, cyber-resilient power systems are required which can execute smooth generation of power despite a hostile cyber-threat environment. Thus, the smart grid is a critical resource whose compromise threatens society.
Among the different functionalities of a power system, LFC is a crucial one [17]. LFC is always considered a benchmark problem in control theory, as electrical grids are monitored by SCADA and controlled by industrial control systems [18][19][20][21]. This secondary frequency control operation (after the primary control by the droop of the generator) is responsible for maintaining the frequency within the scheduled range around its nominal value (50/60 Hz depending upon the geographical region) and the power flow on tie lines at the agreed value. This operation can be affected by an adversary to perturb the scheduled frequency. In fact, the attacks could prevent the appropriate measurement signal from being transferred to the control center, and prevent the control center from issuing correct commands. This creates large fluctuations of the frequency and deteriorates the power quality; in extreme cases, it could lead the power system to collapse. In view of this, the objective of cybersecurity of the LFC operation deals mainly with (1) the problem of finding malicious measurements and preventing the controller from performing incorrect area control error (ACE) computations, and (2) maintaining the balance between generation and demand in the presence of untrusted measurements. With these security objectives of the LFC operation, this article presents a control-theoretic tutorial/survey and makes the following key contributions:
1. It provides an overview of the vulnerability assessment of the LFC operation from a network-based attack standpoint;
2. It presents the implementation of network-based attacks on the LFC operation in a simulated environment;
3. It provides a brief review of attack detection, identification, and mitigation strategies for normal LFC operation, along with existing techniques for hardware validation;
4. It discusses the role of data-driven and learning-based algorithms as trending tools for attack modeling and defense strategy in the LFC operation.
We have omitted a comprehensive analysis of detection and mitigation schemes from this article; instead, an attempt is made to produce a quick, clear, and concise summary that motivates the problem-handling approach from a control engineering perspective.
The remainder of the paper is structured as follows. Section 2 describes the motivation of this study towards cybersecurity in the power system and the cyber-physical, control-oriented mathematical description of the LFC operation. As a whole, the attacks on the LFC operation range from a wiretapping attack (i.e., spoofing attack) to an integrity attack (i.e., parameter or variable falsification attack). Section 3 presents the different techniques by which attackers generate adverse effects in the LFC operation. The simulation studies for vulnerability assessment of the LFC operation with the nominal controller (which is unaware of the adverse situation) are presented in Section 4 to showcase the effect of the cyber-attacks. The next step is the requirement of a resilient framework to detect and withstand the cyber-attack. Therefore, a summary of mitigation schemes based on different concepts in control theory is provided in Section 5, followed by a literature survey on hardware testing of the LFC operation in Section 6. Finally, Section 7 summarizes the paper and provides directions for future work in this critical area of research.

Cyber-Attack Cases
In the power sector, around 800 cyber-attacks have been observed since the 1980s. Around 250 cyber cases observed in the US were unintentional, such as the Arizona Public Service outage (2007) and the Florida Power and Light outage (2008), to name a few [22]. However, probably the first intentional major attack on the power sector was observed on 23 December 2015 in Ukraine, where the blackout lasted for several hours [23,24]. The attack was performed by malware delivered through a phishing email. The workstation was hacked, the power supply was interrupted, and the communication network between customers and the provider was blocked. This incident opened the eyes of control researchers to look for resilient control mechanisms incorporating the cyber-physical approach to secure the power operation.

Mathematical Description of LFC Operation
The LFC operation of a power system can be viewed as a networked control operation on a cyber-physical system. Note that a cyber-attack can change the structure of the LFC control system, thereby deteriorating the performance. To explain the attacks and their effects on the LFC operation, we consider a standard simplified power generator network comprising two control areas, where each area consists of a governor, a non-reheated turbine, and the load and machine (refer to Figure 1) [25,26]. The notations used are also standard. In LFC operation, the area control error (ACE) is used to maintain zero steady-state error for the frequency deviation ∆f. Note that in a multi-area power system, the ACE of the i-th control area is

$\mathrm{ACE}_i = \beta_i \Delta f_i + \Delta P_{\mathrm{tie},ij}$,

where β is the bias factor and ∆P_tie,ij is the tie-line power between the i-th and j-th control areas. The different entities in each control area can be expressed through an input-output relationship in terms of transfer functions: the governor is represented by $\frac{1}{T_G s + 1}$, the turbine by $\frac{1}{T_T s + 1}$, and the load and machine by $\frac{K_P}{T_P s + 1}$. The parameters T_G, T_T, T_P are the time constants of the governor, turbine, and machine, respectively, and K_P is the gain of the machine. The speed regulator takes a constant gain (1/R), and the delay acquires the form exp(−θs), where θ is the amount of time delay. Throughout this paper, the discussion is limited to attacks on the communication channel propagating the ACE command and their prevention. Now, the cyber-attacks on the LFC operation can be introduced in different modes and strategies.

Strategic Attack
The classification based on method is listed below [27].

1. Replay attack: A replay attack is a kind of data manipulation attack. The attacker records the data coming from the sensor and replays the recorded data in place of the actual data in order to hide the theft or attack. Replay attacks are executed in two phases:
(a) Monitoring phase: the attacker records the data or information coming from the sensor/actuator and stores it.
(b) Replaying phase: the data collected in the monitoring phase are replayed again and again until the attack has been successfully executed.

2. Denial of Service (DoS): The transmission channel is blocked by flooding it with excessive messages (measurements) coming from the sensor.

3. Data integrity attack: The transmissions are modified to create a false signal; for example, the area control error is modified on the communication channel.

4. Timing attack: A delay is created to prevent the transmissions from reaching the controller in time. For example, the transmission is delayed by a delay term τ, which may be a constant or a time-varying function. Obviously, the time-varying function creates the greater risk.

5. Covert attack: This attack works on the principle of canceling the effect of the attack signal by calculating the response of the output and subtracting it from the readings being measured. A covert attack is more stealthy, as it can read the data as well as inject false data into the sensor and actuator channels of a CPS.

6. Zero dynamics attack: For successful execution of a zero dynamics attack, the attacker should have perfect knowledge of the plant dynamics, which are computed from the state and output equation matrices. In this attack, the outputs of the linear system are decoupled and the zeros of the transfer function are used to develop a particular attack strategy.

Template Attack
The template attack is introduced by modifying the amplitude of the message signal. Such an attack can be broadly divided into the following types.

1. Scaling attack: The magnitude or value of the messages is scaled, for example by a constant a, where a is a real number.

2. Ramp attack: A message of constant magnitude is continuously transmitted in place of the true signal.

3. Pulse attack: The transmissions acquire a pulse shape with fixed timing.

4. Random attack: Messages of random values are propagated.

5. Resonance attack: The message is modified according to a resonance source (e.g., rate of change of frequency).

6. Bias injection attack: In this attack, a constant bias signal is injected into the sensor channels or the control signal.

Location Attack
Based on the location of the attack, the attacks on the CPS structure of the LFC system (from the networked control theory perspective) can be of the following types.

1. Attack on sensor: The transmitted measurements are altered.

2. Attack on control: The control signal is varied.

3. Attack on actuator: The actuator signal is distorted.

4. Attack through load: In LFC operation, the attacker can also penetrate through the load disturbance ∆P_d, for example by adding a constant δ to it.
Thus, from the discussion above, the overall pictorial representation of the various cyber-attacks on the LFC operation is summarized in Figure 2.

Simulation Study
Based on the discussion in the previous Section 3, this section studies how the different attack templates affect the performance of the frequency regulation. All simulations have been carried out in MATLAB and Simulink on an Intel Core i7 processor. The block diagram depicted in Figure 1 is replicated with the transfer functions expressed in (1)-(3). The parameters of both control areas are identical [25]: R = 2.4, β = 0.425, T_G = 0.08, T_T = 0.3, T_P = 20, and K_P = 120. The delay is taken as θ = 1 s. For the LFC approach, we consider a PI controller with k_P = −0.1 and k_I = −0.671. The system is subjected to a load disturbance ∆P_L = 0.01 p.u. The different cyber-attacks are then induced in the LFC system. The system under a data integrity attack with input x = 0.2 is exhibited in Figure 3, which shows that ∆f_i, i = 1, 2, do not reach zero. Similarly, a timing attack with induced delay τ = 10 s destabilizes the system response, see Figure 4. Under a template attack, for instance when the ACE is scaled five times, i.e., a = 5, the response becomes oscillatory, as depicted in Figure 5. In a random attack, the ACE value at some instants is blocked and replaced with random values, say from −1 to 1; the ACE picks up a random value from this range instead of the original value. As shown in Figure 6, the frequency excursions occur abruptly around the ideal 0 baseline, making the response unstable. A ramp attack is executed when the continuously changing ACE is replaced with a constant. Under this attack, the frequency response increases by +b or decreases by −b with that constant slope and never returns to zero, thereby making the system unstable, as shown in Figure 7 for b = 2. In a pulse attack, a continuous pulsating input is given in the ACE channel, which completely disturbs the response, as shown in Figure 8. Here, the amplitude of the pulsating input is 5.
The intensity of the fluctuation from the baseline depends on the amplitude of the pulse; the higher the amplitude, the larger the oscillations and the more unstable the system becomes. In a time-delay attack, the attacker makes sure that the incoming ACE values do not reach the controller on time, and a delay is introduced into the system; due to the delayed ACE values, the response becomes unstable after some time, as shown in Figure 9. Here, a delay of 5 s was given to the system, and after approximately 105 s the system starts oscillating. Under a bias injection attack, the block named "bias" in Figure 1 is manipulated by the attacker, as shown in Figure 10. It is evident that the response instantly drops from the baseline and remains constant, thereby creating a fixed deviation in the frequency reading. Similarly, Figure 11 shows the non-zero fluctuation when the bias is negative. The location-based attack is also a serious type of attack; the most common type in this category is the load attack. The simulation for this attack with ∆P_L = 0.01 + δ, where δ is a Gaussian random signal with mean zero and variance 0.1, is shown in Figure 12. It is clear that the frequency measurements fluctuate around the zero baseline. Based on the simulation studies and considering the control-theoretic aspect, the following observations can be made:

1. The integrity attack produces a constant bias in the scheduled frequency, and such an attack can be eliminated easily.

2. In a timing attack, if the delay can be identified or an upper bound on the delay can be predicted, then delay compensation schemes can be applied as mitigation tools.

3. The template attack simulated in this paper is the amplification of the error signal; such an attack is among the most dangerous, as it immediately amplifies the signal and even the noise present in the network.

4. Random attacks are often probabilistic in nature, and such attacks can be modeled with stochastic control theory.

5. The nature of the ramp attack presented in the simulation studies resembles a jamming attack, as the measurements received are fixed and the error is not diagnosed exactly.

6. The pulse attack is also one of the dangerous types of cyber-attack as it has a fluctuating nature, that is, the magnitude increases or decreases frequently, which results in wear and tear of the electrical grid.

7. Location-based attacks, as already mentioned, are risky and easy to implement, as they only require load perturbations, which can be easily injected into the generation system.

Thus, based on these observations on the attack implementation, the next section throws light on the defense strategies.
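The two-area model of Section 3 and the attack templates simulated above, as an added Python example that is not the paper's MATLAB/Simulink model: the governor, turbine and machine blocks, the droop 1/R, the tie-line, the delayed ACE channel and the PI controller use the parameter values listed in the simulation study. The tie-line synchronising coefficient T12 = 0.198 p.u./rad, the forward-Euler step of 0.002 s and the choice to apply each attack to the ACE channel of area 1 only are assumptions of this example, not values from the page; the timing attack is modelled as an extra delay τ added to the nominal θ. Because the delay at which the loop loses stability depends on these assumed values, the example reproduces the trends of Figures 3-5 and 12 rather than the paper's exact plots.

```python
"""Two-area LFC loop under the attack templates of the survey (added example).

Not the paper's MATLAB/Simulink model.  Plant and PI parameters are the ones
listed in the simulation study; T12 and the Euler step are assumptions.
"""
import math
import random
from collections import deque

R, BETA = 2.4, 0.425                          # droop and frequency bias factor (page values)
T_G, T_T, T_P, K_P = 0.08, 0.3, 20.0, 120.0   # time constants and machine gain (page values)
KP_CTRL, KI_CTRL = -0.1, -0.671               # PI gains, sign convention of the page
THETA = 1.0                                   # nominal delay on the ACE channel, s (page value)
T12 = 0.198                                   # tie-line coefficient, p.u./rad: ASSUMED, not on the page
DT = 0.002                                    # forward-Euler step, s: assumed


def simulate(attack="none", tau=0.0, a=5.0, x=0.2, dp_load=0.01, t_end=100.0, seed=1):
    """Simulate the two-area loop; returns (t, df1, df2), frequency deviations in Hz.

    attack: "none", "scale" (ACE_1 multiplied by a), "bias" (x added to ACE_1)
    or "load" (zero-mean Gaussian delta added to the area-1 load disturbance).
    tau: extra delay injected by a timing attack, on top of THETA.
    """
    rng = random.Random(seed)
    pg = [0.0, 0.0]        # governor valve position deviation, per area
    pt = [0.0, 0.0]        # turbine mechanical power deviation
    df = [0.0, 0.0]        # frequency deviation
    ace_int = [0.0, 0.0]   # integral of the received ACE (PI state)
    ptie = 0.0             # tie-line power deviation, area 1 -> area 2
    n_delay = int(round((THETA + tau) / DT))
    # ACE samples in flight: the controller sees the value sent n_delay steps ago
    channel = [deque([0.0] * n_delay) for _ in range(2)]
    t_out, df1_out, df2_out = [], [], []
    for k in range(int(round(t_end / DT))):
        load = [dp_load, 0.0]
        if attack == "load":
            load[0] += rng.gauss(0.0, math.sqrt(0.1))   # page: mean 0, variance 0.1
        tie = [ptie, -ptie]
        new_pg, new_pt, new_df = [0.0, 0.0], [0.0, 0.0], [0.0, 0.0]
        for i in range(2):
            ace = BETA * df[i] + tie[i]               # true ACE_i = beta*df_i + dP_tie
            if i == 0 and attack == "scale":
                ace *= a                              # scaling template on area 1
            elif i == 0 and attack == "bias":
                ace += x                              # data integrity / bias injection
            channel[i].append(ace)
            ace_rx = channel[i].popleft()             # delayed value reaching the PI
            ace_int[i] += ace_rx * DT
            pc = KP_CTRL * ace_rx + KI_CTRL * ace_int[i]
            # governor 1/(T_G s+1) with droop 1/R, turbine 1/(T_T s+1), machine K_P/(T_P s+1)
            new_pg[i] = pg[i] + DT * (pc - df[i] / R - pg[i]) / T_G
            new_pt[i] = pt[i] + DT * (pg[i] - pt[i]) / T_T
            new_df[i] = df[i] + DT * (K_P * (pt[i] - load[i] - tie[i]) - df[i]) / T_P
        ptie += DT * 2.0 * math.pi * T12 * (df[0] - df[1])   # tie-line integrator
        pg, pt, df = new_pg, new_pt, new_df
        t_out.append(k * DT)
        df1_out.append(df[0])
        df2_out.append(df[1])
    return t_out, df1_out, df2_out


def summarize(attack="none", **kwargs):
    """Peak |df1|, largest |df1| over the last 10 s, and final values of both areas."""
    _, df1, df2 = simulate(attack, **kwargs)
    tail = int(10.0 / DT)
    return {"peak_df1": max(abs(v) for v in df1),
            "tail_df1": max(abs(v) for v in df1[-tail:]),
            "final_df1": df1[-1], "final_df2": df2[-1]}


if __name__ == "__main__":
    cases = [("none", {}), ("scale", {"a": 5.0}), ("bias", {"x": 0.2}),
             ("none", {"tau": 10.0}), ("load", {})]
    for name, kw in cases:
        s = summarize(name, **kw)
        print(f"{name:5s} {kw or ''}: peak={s['peak_df1']:.4f} Hz "
              f"tail={s['tail_df1']:.4f} Hz final={s['final_df1']:+.4f} Hz")
```

Running the block prints the peak and tail (last 10 s) deviation for each case: the nominal loop settles after the 0.01 p.u. load step, the scaled (a = 5) and delayed (τ = 10 s) ACE channels diverge, the load attack leaves the frequency fluctuating about zero, and the bias x on ACE_1 leaves both areas at a common offset of −x/(2β) Hz, because each area's integral action drives its own (corrupted) ACE to zero while the tie-line forces equal steady-state frequencies.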

Attack Detection and Prevention
In this section, we present a brief survey of the existing control approaches to limit adversarial attempts that thwart the LFC operation. The main idea behind detection and prevention is observation and prediction. In the control center where the LFC operation is carried out, a real-time database is available from the various kinds of measurement data. When the LFC suffers an attack and is unable to receive the measurement data (for example, in the case of a time-delay attack), the control center immediately runs a data prediction algorithm to estimate the delayed or lost data and pass the estimate to the controller, thereby allowing the LFC operation to restore smoothly and the frequency regulation to perform stably.

Limited Access in the Control Center
The basic prevention is limiting access to the supervisory control and data acquisition (SCADA) or computer systems in the control center. Preventing external peripheral devices such as USB sticks and hard disks from being plugged into these computers is one physical preventive measure. Another option is the use of security standards such as IEC 62351 to safeguard smart grids by specifying cipher suites (authentication, integrity protection, and encryption algorithms) [28]. A further option is to simply suspend the LFC operation in case of attack.

DoS Prevention
Different methods against DoS attacks have been studied for the LFC system of an interconnected power grid. From the control theory viewpoint, DoS activity is incorporated by modeling the system as a switched system (on/off in the sensing loop of the power system), and then switched-system control theory is applied to strengthen the resilience of the LFC operation, for example through a state feedback controller [29], sliding mode control [30], etc.
The authors of [31] proposed a method that uses data prediction based on a deep autoencoder extreme learning machine to defend against DoS attacks. A weighted H∞-based resilient control technique [32] is proposed to detect and mitigate DoS attacks. Game-theoretic formulations [33,34] of the mitigation problem are also beneficial here. Event-triggered resilient control is now gaining attention for dealing with DoS attacks [35][36][37][38]. A novel filter structure has been proposed and a sub-optimal distributed resilient filtering scheme developed to protect micro-grids against malicious cyber threats [39].

False Data Injection Prevention
Watermarking-based defense techniques [40,41] are highly popular schemes; they identify an attack by matching the artificially injected, probability-based sensor noise in the measurement against the (possibly corrupted) received one. An algorithm based on a state estimator serves as a suitable remedy to prevent false data injection, also called a stealth attack, in the power network [42][43][44][45]. Characterizing the vulnerabilities based on power flow analysis is also a strong solution [46]. Unknown-input-observer-based schemes reported in [47] are used to detect and mitigate false data injection attacks. Functional-observer-based methodologies for optimal LFC operation under cyber-attack are introduced in [48,49]. False data injection detection can be analyzed in a reachability framework where the attacker acquires access to the states of the power system [50]. Scaling and unknown disturbance attacks can also be detected using support vector machine concepts [51] and a multi-layer perceptron classifier-based approach [52].
The cyber-attack can also be avoided by maintaining the LFC operation in a safe domain, by finding the appropriate state constraints and raising an alarm if the state leaves this domain [53]. A set-theoretic approach to false data detection is employed to observe the adversary [54]. Model-based (real-time load forecast) [55], linear matrix inequality [56], and feedback-linearization-control-based [57] detection and mitigation serve as useful algorithms for the LFC operation. Recently, an optimal two-stage Kalman filtering approach has been proposed to handle template attacks and has been validated on benchmark multi-area power systems [58]. In [59], the authors suggested installing an automatic intrusion mitigation unit supported by a PID controller that can protect the LFC operation not only against cyber-attack, but also against power system model uncertainties and external noise.
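The replay attack described in Section 3 (monitoring phase, then replaying phase) and the watermarking defense of [40,41], as an added Python example that is not the survey's code or any cited paper's implementation: a scalar first-order plant stands in for the measured quantity, the defender adds a known zero-mean Gaussian watermark to the control input, and the detector averages the product of the watermark with the one-step prediction residual of the received measurement. The plant pole, feedback gain, noise levels, window boundaries and alarm threshold are assumptions of this example.

```python
"""Replay attack on a sensor channel and a physical-watermarking detector.

Added example (not the survey's code): a scalar plant x[k+1] = A x[k] + u[k],
measured as y[k] = x[k] + v[k].  The attacker records a window of genuine y
(monitoring phase) and later feeds it to the controller (replaying phase).
"""
import random

A, G = 0.9, 0.5      # assumed plant pole and feedback gain (closed loop A - G = 0.4, stable)
SIGMA_W = 1.0        # watermark standard deviation (assumed)
SIGMA_V = 0.3        # measurement noise standard deviation (assumed)


def run_channel(n_steps=800, record=(200, 400), replay_from=600, seed=7):
    """Simulate the loop; returns the received measurements, the nominal control
    actions and the watermark sequence, all indexed by step k."""
    rng = random.Random(seed)
    x = 0.0
    recorded, y_rx, u_nom, wm = [], [], [], []
    for k in range(n_steps):
        y_true = x + rng.gauss(0.0, SIGMA_V)
        if record[0] <= k < record[1]:
            recorded.append(y_true)                   # monitoring phase: attacker stores y
        if k >= replay_from:
            y = recorded[(k - replay_from) % len(recorded)]   # replaying phase
        else:
            y = y_true
        u_n = -G * y                                  # nominal control computed from received y
        delta = rng.gauss(0.0, SIGMA_W)               # watermark, known only to the defender
        x = A * x + u_n + delta                       # the real plant receives the watermarked input
        y_rx.append(y)
        u_nom.append(u_n)
        wm.append(delta)
    return y_rx, u_nom, wm


def watermark_statistic(y_rx, u_nom, wm, start, end):
    """Mean of wm[k-1] * (y[k] - A*y[k-1] - u_nom[k-1]) over a window.

    Genuine data: residual = wm[k-1] + noise, so the mean is about SIGMA_W**2.
    Replayed data: y was produced under earlier, independent watermark values,
    so the mean is about zero.
    """
    acc = 0.0
    for k in range(start, end):
        predicted = A * y_rx[k - 1] + u_nom[k - 1]   # model prediction without the watermark
        acc += wm[k - 1] * (y_rx[k] - predicted)
    return acc / (end - start)


def detect_replay(threshold=0.5):
    """Compare a genuine window with the replayed window; alarm when the statistic collapses."""
    y_rx, u_nom, wm = run_channel()
    genuine = watermark_statistic(y_rx, u_nom, wm, 400, 600)
    replayed = watermark_statistic(y_rx, u_nom, wm, 600, 800)
    return {"genuine": genuine, "replayed": replayed,
            "alarm": replayed < threshold, "false_alarm": genuine < threshold}


if __name__ == "__main__":
    result = detect_replay()
    print(f"genuine window: {result['genuine']:.3f}  replayed window: {result['replayed']:.3f}")
    print("replay detected" if result["alarm"] else "no alarm")
```

With genuine data the statistic sits near the watermark variance (1.0 here); during the replay it drops to about zero, because the replayed samples were generated under earlier, independent watermark values. A threshold halfway between the two levels separates the windows with a wide margin relative to the statistic's sampling spread (about 0.1 for 200-step windows), which is the property the watermarking schemes of [40,41] exploit.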

Time Delay Mitigation
Time delays are inherent and unavoidable in cyber-physical systems; however, intentional delay intrusion can cause catastrophe for the system. A two-tiered mitigation policy based on machine learning [60] has been successfully implemented to counter delay in the LFC operation. A time-delay estimator that estimates any time delay, so as to avoid delay-based attacks, is introduced in [61], and disturbance rejection is performed using a traditional PID controller.
A few more detection and mitigation strategies for the resilient LFC framework can be found in the comprehensive survey in [62].

Hardware Validation
Apart from theoretical analysis, hardware implementation and real-time testing are necessary to ensure the proper safety of the LFC operation. In view of this, experimental validation on an IEEE 16-bus system [63] and a CPS security test bed [64] has been performed. Testing of consensus-based LFC operation on a renewable-energy micro-grid is conducted in [65]. OPAL-RT [66] is also a suitable platform to test proposed cybersecurity solutions for the LFC operation; for example, the authors of [67] proposed an observer-based resilient control scheme and utilized OPAL-RT for validation. In fact, OPAL-RT provides integration of an emulated network with equipment and power grid dynamics simulation to assess the network behavior under different types of cyber-attack. Advanced laboratory testing methods for electric grid simulations have been elaborated in [68]. Other evaluation methods, for example distributed DoS and man-in-the-middle attacks using real-time simulation and hardware-in-the-loop techniques, have been studied in [69].

Conclusions and Future Work
Safe and reliable operation of the LFC is the prime concern in power generation. The LFC operation in power systems is actually a CPS, which requires researchers from systems, control, and information engineering. In the present study, vulnerabilities of the LFC operation in the smart grid, different kinds of attacks on the system, and their defense measures to increase the security of future power systems have been discussed. The article also provides a preliminary review that allows students, researchers, and practitioners to gain a fundamental understanding of the nature of cyber-attack and defense in the LFC operation of power systems.
There are many research gaps where control engineering can contribute to CPS security in the LFC operation of power systems, such as identification of critical resources, prediction and detection of attack schemes, and robust and optimal attack-resilient techniques. In addition, digital protection, sampling strategies, reachability analysis, and machine learning tools can be effective tools in the near future for designing a strong defense framework in the power sector.
These days, data-driven and learning-based control schemes are gaining popularity in the LFC operation. For instance, machine learning tools such as batch and online learning algorithms (supervised and semi-supervised) can be utilized with decision- and feature-level fusion for attack modeling, detection, and defense [70]. Reinforcement learning methods [71] for an adaptive control law in the LFC operation could possibly be the next extension for the cybersecurity of the electric grid. Artificial neural network-based observers and state estimation via Kalman filtering methods (for example, the work in [72,73] and references therein) contribute toward false data detection. The key idea behind all these techniques is that the LFC problem is formulated in a way that the measurements are augmented with an additional signal. This signal may be a noise term, and based on the nature of the noise, it is predicted whether an attack has occurred or not. These strategies are still at a nascent stage, and a full-fledged analysis is still required.