Optimal False Data Injection Attack against
Automatic Generation Control in Power Grids
Rui Tan1∗ Hoang Hai Nguyen2∗
David K. Y. Yau3,4 Zbigniew Kalbarczyk2
1 2
Nanyang Technological University, Singapore
3 4
Advanced Digital Sciences Center, Illinois at Singapore
Abstract—This paper studies false data injection attacks
against automatic generation control (AGC), a fundamental con-
trol system used in all power grids to maintain the grid frequency
at a nominal value. Attacks on the sensor measurements for AGC
can cause frequency excursion that triggers remedial actions
such as disconnecting customer loads or generators, leading to
blackouts and potentially costly equipment damage. We derive
an attack impact model and analyze an optimal attack, consisting
of a series of false data injections, that minimizes the remaining
time until the onset of remedial actions, leaving the shortest time
for the grid to counteract. We show that, based on eavesdropped
sensor data and a few feasible-to-obtain system constants, the at-
tacker can learn the attack impact model and achieve the optimal
attack in practice. This paper provides essential understanding
on the limits of physical impact of false data injections on power
grids, and provides an analysis framework to guide the protection
of sensor data links. Our analysis and algorithms are validated
by experiments on a physical 16-bus power system testbed and
extensive simulations based on a 37-bus power system model.
I. I NTRODUCTION
Power grids maintain operation by various closed-loop
control systems. Being at the interface between cyberspace
intelligence and physical infrastructures, these control systems
become attractive targets for cyber-attackers who aim at caus-
ing service outage and infrastructural damage. Recent high-
profile intrusions such as the Stuxnet [1] and Dragonfly [2],
[3] have alerted us to a general class of integrity attacks called
false data injection (FDI) [4]. The Stuxnet worm attacked
nuclear centrifuges by injecting false control commands and
forging normal system states. Its design and architecture are
not domain-specific [1]; they could be readily customized
against other systems like power grids. Similarly, in Dragonfly,
the attacker was able to gain access to power grid control sys-
tems. More generally, insider attacks are well documented [5]
that occurred on critical infrastructures and produced severe
consequences. Hence, research must address strong adversaries
who are quite knowledgeable about their target control systems
and have the ability to eavesdrop on and tamper with real-time
data in the control loops.
In this paper, we study FDI attacks that corrupt real-time
data in the feedback loop of automatic generation control
(AGC) [6], a fundamental control system used in all power
grids to maintain the grid frequency at its nominal value (50
∗ Part of this work was completed while Rui Tan and Hoang Hai Nguyen
were with Advanced Digital Sciences Center, Illinois at Singapore.
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.
978-1-5090-1772-0/16/$31.00 ©2016 IEEE
Eddy. Y. S. Foo1 Xinshu Dong3
Ravishankar K. Iyer2 Hoay Beng Gooi1
University of Illinois at Urbana-Champaign, IL, USA
Singapore University of Technology and Design, Singapore
or 60 Hz). AGC is an attractive target for attackers, because
a successful FDI attack against AGC can cause catastrophic
consequences. In a grid, imbalance between power gener-
ation and consumption will lead to deviation of the grid
frequency from its nominal value. AGC maintains the grid
frequency by adjusting the output power of generators based
on measurements collected from sensors distributed in the grid.
The grid frequency under AGC control is a safety-critical
global parameter of the grid. A frequency deviation caused
by an attack will propagate to the entire grid and trigger
remedial actions such as disconnecting generators or customer
loads. Such unscheduled actions may cause equipment damage
and cascading failures leading to massive blackouts. Moreover,
AGC is a highly automated system that requires minimal
supervision and intervention by human operators. Once com-
promised, it may cause the grid frequency to deviate quickly.
Given its credibility and severe consequences, FDI against
AGC has attracted initial research attention [7], [8], [9], [10].
However, these studies were conducted in a constrained adver-
sarial setting, by assuming that the attacker will follow limited
predefined templates, such as injections of signal scaling,
ramps, surges, and random noises [7], [10], and constant
or random packet delays [8], [9]. Instead of following any
prescribed templates, resourceful real-world attackers targeting
critical infrastructures are likely to be strategic, and their
tactics can adapt during attacks. For example, a preliminary
phase of the attack may be designed to uncover system
configurations and surveil real-time data to design FDIs that, in
subsequent phases, will cause the largest frequency deviation.
However, a basic understanding of such strategic AGC attacks
that aim to maximize their physical impact is still lacking.
To advance our understanding, in this paper we study
strategic attackers and analyze an optimal attack in which FDIs
on sensor measurements for AGC mislead the grid frequency
to exceed certain safety-critical thresholds within the shortest
time, without tripping at any integrity checks on the sensor
data. Such an attack leaves the shortest time for the grid to
counteract before costly and possibly errant remedial actions
must kick in. Understanding the optimal attack under various
constraints on the attacker’s capability (e.g., the number of
sensor data links that he can compromise) provides practical
insights on strengthening the security of AGC. For instance,
we can assess which sensor data links should receive the
 highest priority for protection, so that the grid frequency can 31
be kept within a safe region until an ongoing attack is detected 38
1 39 35
and isolated. Note that in this paper we focus on FDI attacks
40
against sensor data needed for the AGC. However, our analysis 10
12 17
can be readily extended to address FDI attacks on other data 19 13
3 27 21
types such as AGC commands sent to generators. 47
16 55
18
Our contributions in this paper are in answering the fol-
15 48
lowing two fundamental research questions. First, how to 56
formulate the optimal attack against the AGC? Based on 37 53
20
5
a classical AGC model in power engineering, we derive a 24
54
closed-form Laplace-domain model for the impact of a series
34 50
of FDIs on the grid frequency. To the best of our knowledge, 44 14
we provide a first rigorous analysis of this problem. Based on 41 33 28
30 29
a time-domain counterpart of the derived model, we develop 32

an efficient linear programming algorithm to compute the

Generator
optimal attack. Second, is the optimal attack achievable by Area 1 Area 2 Area 3 under AGC Tie-line
the attacker? We answer this question with respect to the
knowledge needed about the grid to guide the attack. Our Fig. 1. A three-area 37-bus power grid. (Average line capacity: 160 MVA;
total load: about 800 MW.)
analysis shows that it is feasible for the attacker to learn
the attack impact model stealthily, based on eavesdropped
line. Fig. 1 illustrates a three-area grid with 37 buses,1 where
sensor data and a few system constants that are either public
the dotted lines represent the tie-lines. The power export of
knowledge or can be obtained in an advanced persistent threat
an area, i.e., the total power transmitted over all the tie-lines
(APT) scenario (e.g., via social engineering against employees
from the area, is maintained at a scheduled value by AGC.
of the grid operator). Then, the attacker can use the learned
For the 𝑖th area, based on measured deviations of the grid
model to compute the optimal attack. Our measurements on a
frequency and the power export from their nominal values
working system prototype further confirm the feasibility of the
(denoted by Δ𝜔𝑖 and Δ𝑝𝐸𝑖 ), the area control error (ACE) is
attack. This result suggests the importance of understanding
ACE𝑖 = 𝛼𝑖 ⋅ Δ𝑝𝐸𝑖 + 𝛽𝑖 ⋅ Δ𝜔𝑖 , where 𝛼𝑖 and 𝛽𝑖 are constants.
optimal FDI attacks and their implications.
Usually, only a subset of the generators are under AGC. The
To validate and illustrate our analysis, we conduct extensive
ACE is updated every AGC cycle that is typically two to four
PowerWorld [11] simulations based on a 37-bus power system
seconds [6], and sent to generators to determine their setpoints.
model. We compare the impact caused by the optimal attack
Tie-line power flow sensors that measure Δ𝑝𝐸𝑖 can be noisy
and two limited attacks of random and surge injections [7].
and faulty. State estimation (SE) [4] can reduce measurement
We show that the limited attacks are ineffective because
noise and detect faulty sensor data. However, due to limited
their effects can be corrected by the feedback control loop.
compute capability in the past, legacy power grids often exe-
Moreover, we conduct real experiments on a physical 16-bus
cute SE at five-minute intervals and do not apply it to improve
power system testbed equipped with a 13.5 kVA generator and
the sensor data for the AGC. Recently, high-performance
a variable load to demonstrate the achievability of the optimal
computing has significantly reduced the execution time of SE
attack in practice.
[13] and made it feasible for AGC. In this paper, we pipeline
The balance of the paper is organized as follows. Section II
SE and AGC to address the latest idea that SE can enhance
presents preliminaries and related work. Section III defines
AGC’s reliability [14]. However, it is easy to remove SE from
the FDI attack. Sections IV and V address the two research
our analysis if we need to model legacy systems faithfully (see
problems that we outlined above. Section VI discusses coun-
Section III-A). The simulations in Section VII consider both
termeasures and a few practical considerations. Sections VII
AGC alone and AGC in combination with SE. We adopt an SE
and VIII present our PowerWorld simulations and testbed
approach as follows. Let z = [𝑧1 , 𝑧2 , . . . , 𝑧𝑚 ]⊺ denote all the
experiments, respectively. Section IX concludes.
power flow sensors’ measurements. The grid state, denoted by
x = [𝑥1 , . . . , 𝑥𝑛 ]⊺ , consists of voltage angles of all the buses.
II. P RELIMINARIES AND R ELATED W ORK The relationship between z and x is z = Fx + e, where F
is the measurement matrix and e is the noise. SE estimates
A. Preliminaries x as x̂ = (F⊺ VF)−1 F⊺ Vz, where V is a weight matrix.
To maintain the grid frequency at its nominal value, AGC The power export deviation Δ𝑝𝐸𝑖 can be computed from an
adjusts the input mechanical power setpoints of the generators improved measurement vector ẑ = Fx̂. The SE’s bad data
[6]. For trading purposes, AGC also maintains the power
1 We use the 37-bus model in Fig. 1 as a case study system throughout this
export (or import) of an area, which is part of a grid and
paper. Its scale generally represents small-/mid-scale grids. According to our
typically operated by a utility company. A transmission line rough count based on a grid topology database [12], a major fraction of 130
connecting two buses belonging to two areas is called a tie- national grids consist of less than 37 buses.

Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.
 physical power system control center
communication
power flow sensors
network
state estimation (SE)
frequency sensors
generators AGC algorithm
ACE
Fig. 2. Overview of AGC.
detection (BDD) raises an alarm if ∥z − ẑ∥2 is greater than a
threshold [4].
Fig. 2 overviews the AGC. A control center of the area
𝑖 collects z from distributed sensors and estimates the grid
state x̂ using SE. Based on the Δ𝑝𝐸𝑖 computed from ẑ = Fx̂
and the measured grid frequency deviation Δ𝜔𝑖 , the control
center computes ACE𝑖 and transmits it to the generators. This
process is performed every AGC cycle. To help the reader, we
provide a summary of the notations at the end of this paper.
B. Related Work
As discussed in Section I, existing studies on the security
of AGC [7], [8], [9], [10] adopt limited attack templates
that cannot well characterize real-world attackers. Reachability
algorithms have been used to check the existence of a series
of FDI attacks that will lead to the breach of a safety
condition [15], [16]. In contrast to qualitative reachability
analysis, we compute the minimum time until the grid fre-
quency deviates to an unacceptable value, which provides a
quantitative vulnerability metric in a worst-case sense.
Liu et al. [4] analyze the conditions for FDI attacks on the
sensor measurement z to bypass the BDD of SE. Specifically,
if an attacker adds an attack vector a = Fc to z, where c is an
arbitrary vector, the BDD cannot detect the attack and the grid
state will be estimated wrongly as x̂ + c. Hendrickx et al. [17]
show that the problem of minimizing the number of non-zeros
in a is NP-hard. The FDI attacks can mislead grid operations.
Rahman et al. [18] construct a model checker to search for
attack vectors that can increase the grid’s generation cost by a
specified percentage. The physical impact of FDI attacks has
received little attention. In this paper, we analyze this impact
in terms of disruptions of the grid frequency.
Beyond power grids, the security of a broader class of cyber-
physical systems has received increasing attention. Amin et
al. [19] perform threat assessment of water supply SCADA
systems. Cárdenas et al. [20] study the impact of attacks
on a chemical reactor process control system. The optimal
attack analysis approach advanced in this paper can likewise be
applied to other cyber-physical control systems besides AGC.
In [21], [22], fundamental limits of secure SE, as well as attack
detection and identification, are studied under a general linear
control system model. They consider arbitrary FDI attacks
on the control and sensor data. However, they fall short of
analyzing the attacks’ optimality.
III. ATTACK M ODEL AND O BJECTIVE
A. Attack Model
In this paper, we focus on a general class of FDI attacks
on the power flow sensor measurement vector z, which can
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.
be achieved by compromising physical sensors, sensor data
communication links, and data processing programs at the
control center. Hacking geographically distributed physical
sensors is tedious and hard to coordinate. Although compro-
mising computer programs at the strongly protected control
center is not impossible given existing similar attacks [1],
[2], targeting the sensor data links may pose a lower bar for
the attacker. To be cost effective, power grids often leverage
existing network infrastructures (e.g., those leased from third-
party service providers) and set up virtual private networks
(VPNs) as logically isolated channels to collect data from the
distributed sensors [10], [23]. However, such software-based
protection cannot guarantee security, because of pervasive
software vulnerabilities. For instance, our own experiments
have achieved a successful attack by exploiting the Heartbleed
bug [24]. The attacker can also launch stepping stone attacks
and compromise the VPN software providers first as in the
Dragonfly attacks against power grids [2]. By leveraging
compromised VPNs, the attacker can mount the attack at a
few central spots of the communication network to tamper
with the data from many sensors.
ACE signals and frequency measurements are two other
important data streams in AGC’s control loop. The data links
from the control center to the generators for transmitting
ACE signals are usually well protected (e.g., by physically
isolated cables) because of their limited quantity. For instance,
in Fig. 1, at most nine links to the generators need to be
protected, whereas there are 81 sensors feeding the SE and
AGC. The grid frequency is a global parameter of the grid.
Its measurements by remote sensors can be easily verified
by frequency sensors inside the secured control center. These
observations motivate us to focus on FDI attacks on power
flow measurements in z. However, our analysis and algorithms
can be extended to address FDI attacks on the ACEs and grid
frequency measurements. For instance, in the experiments we
report in Section VIII for a physical 16-bus power system
testbed, we extend our approach to address FDI attacks on
frequency measurements.
For an FDI attack on z to be stealthy, it needs to bypass
the BDD of SE. Moreover, the grid operator may apply
other data quality checks on z. For instance, z should not
change significantly over a short time period. Intuitively, if
each element of the FDI attack vector a is bounded around
zero, these data quality checks, designed to be insensitive to
natural random noises in z, will not be alerted. In this paper,
we consider an attack model consisting of the following two
assumptions:
(1) Attack’s stealthiness: There exist constant vectors amin
and amax where amin ⪯ 0 ⪯ amax , such that for any FDI
attack vector a, the compromised measurement vector, i.e.,
z + a, can pass all the data quality checks if
a = Fc and amin ⪯ a ⪯ amax , (1)
where c is an arbitrary vector and a = Fc is the BDD’s
bypass condition [4]. Note that x ⪯ y means that each element
 of x is no greater than the corresponding element of y. We
assume that the attacker knows F, amin , and amax to construct
attack vectors satisfying Eq. (1). Otherwise, the compromised
measurement vectors will be discarded and the injected data
will not enter the control loop. In this paper we focus on FDIs
that can enter the control loop.
(2) Attacker’s access to sensor measurements in z: We
assume that the attacker has read access to the power flow
measurements in z. The attacker has write access to a subset
of the elements in z. Denote by 𝕎 the set of indices of z
elements writable by the attacker and a[𝑗] the 𝑗th element of
an attack vector a. Thus, the attack vector a is subject to
a[𝑗] = 0, ∀𝑗 ∈
/ 𝕎.
Our formulation of the optimal attack will incorporate
Eqs. (1) and (2) as constraints for the attacker. Legacy power
grids do not apply SE for AGC. By ignoring the condition
a = Fc in Eq. (1), our analysis in this paper addresses legacy
grids faithfully.
To simplify the exposition, we assume that the measurement
noise e is negligible (i.e., e = 0). Under this assumption,
we can verify that the improved measurement vector by SE,
i.e., ẑ, is the same as the possibly compromised measurement
vector. In other words, an attack vector injected into the raw
measurement vector is not altered by the SE. When e is not
negligible, we can address the alteration by replacing all the
a in the rest of this paper with F(F⊺ VF)−1 F⊺ Va, where
the latter is the altered attack vector. Note that, whether e is
negligible or not, the original attack vector a needs to satisfy
Eqs. (1) and (2).
B. Attacker’s Objective
Because of the constraints in Eqs. (1) and (2), the attacker
may not be able to cause unsafe frequency deviation in one
shot. Instead, he can craft a series of attack vectors to create
the unsafe frequency excursion. If the current AGC cycle
index is 𝑘 and the attacker launches a series of FDI attacks
from the (𝑘 + 1)th to the (𝑘 + ℎ)th AGC cycle with attack
vectors a𝑘+1 , . . . , a𝑘+ℎ , the sequence {a𝑘+1 , . . . , a𝑘+ℎ } is
called an attack sequence. The following metric characterizes
the effectiveness of a certain attack sequence.
Time-to-emergency (TTE): Given a safety region (𝜖𝐿 , 𝜖𝑈 )
where 𝜖𝐿 < 0 < 𝜖𝑈 , TTE is the time from the onset of
an attack sequence to the first time instant when the average
frequency deviation of all the areas, denoted by Δ𝜔, is out of
(𝜖𝐿 , 𝜖𝑈 ).
The thresholds 𝜖𝐿 and 𝜖𝑈 can be set to those for triggering
remedial actions. For example, we can set 𝜖𝐿 = −0.5 Hz and
𝜖𝑈 = 0.5 Hz [6]. This setting is used for all the simulations
and testbed experiments in this paper. Fig. 3 illustrates the
TTE. The attacker’s objective is to find an attack sequence
that minimizes the TTE.
IV. O PTIMAL ATTACK S EQUENCE
This section derives the models of the impact of an attack
sequence on the grid frequency, which include a Laplace-
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.
0.6
0.4 𝜖𝑈 launch attack
Δ𝜔 (Hz)
0.2
0
-0.2
-0.4 𝜖𝐿
-0.6 TTE
-0.8
20 25 30 35 40 45 50 55 60 65
AGC cycle index
Fig. 3. Illustration of TTE. The attacker launches an attack sequence from
the 36th AGC cycle and the frequency goes out of the safety region (-0.5
Hz, 0.5 Hz) at the 65th AGC cycle. The TTE for this attack sequence is then
65 − 36 = 29 AGC cycles.
domain model in Section IV-A and a time-domain approxi-
mation model in Section IV-B. Based on the attack impact
models, in Section IV-C, we present an algorithm to compute
(2) the optimal attack sequence that minimizes the TTE.
A. Laplace-Domain Attack Impact Model
To derive the attack impact model, we extend Fig. 2 as
Fig. 4 to incorporate more details. Several symbols in Fig. 4
are defined as follows. For an 𝑁 -area grid, denote by ℓ𝑖𝑗 a
virtual tie-line from area 𝑖 to area 𝑗. The power flow over
ℓ𝑖𝑗 is the sum of power flows over all the real tie-lines from
area 𝑖 to area 𝑗. For instance, Fig. 4(c) illustrates the virtual
tie-lines of the three-area grid in Fig. 1. Denote by Δ𝜔𝑖 and
Δ𝑝𝑖 the frequency deviation and the change of load in area 𝑖,
respectively; Δ𝜔 the average of the frequency deviations of all
the areas; Δp = [Δ𝑝1 , . . . , Δ𝑝𝑁 ]⊺ . Suppose there are a total
of 𝐿 virtual tie-lines. Let T represent an 𝐿 × 𝑚 matrix (𝑚 is
the number of power flow sensors) that consists of −1, 0, and
1, and aggregates the real tie-line power flows in z as virtual
tie-line power flows. That is, an element of Tz is the power
flow over a virtual tie-line. Following existing approaches [6],
we model the two sets of generators under and out of AGC in
an area as two virtual generators, respectively. Fig. 4(b) shows
a block diagram of a widely adopted Laplace-domain model
[6] for the two virtual generators. Other symbols in Fig. 4 are
briefly explained in the figure caption.
From a control-theoretic perspective, in the presence of FDI
attacks, an AGC system can be viewed as an open-loop system
with the load change Δp and the FDI attack vector a as the
inputs, and the frequency deviation Δ𝜔 and the area power
export deviations as the outputs. In this section, we treat a as
a vector of continuous-time variables. Denote by 𝑠 the Laplace
coordinates and 𝑥 ˜ the Laplace transform of 𝑥. Based on the
model in Fig. 4, the output Δ𝜔 is given by the following
equation (a detailed derivation is omitted here due to space
constraints and can be found in [24]):
Δ𝜔 ˜ + 𝜽 ⊺ Φ−1 ΛΨTã,
˜ = 𝜽 ⊺ Φ−1 Δp (3)
where 𝜽 = 𝑁1 ⋅ [1, 1, . . . , 1]⊺ ∈ ℝ𝑁 ×1 ; Λ = diag(𝑠 ⋅ 𝑛1 −
1, . . . , 𝑠 ⋅ 𝑛𝑁 − 1) and the expression of 𝑛𝑖 will be presented
in Section V-B when used; Ψ is an 𝑁 × 𝐿 matrix consisting
of −1, 0, and 1; Φ is an 𝑁 × 𝑁 matrix and its elements are
expressions of the generators’ transfer functions (i.e., 𝐺𝑁 𝑖 (𝑠),
𝐺𝑌𝑖 (𝑠), 𝑇𝑖𝑁 (𝑠), and 𝑇𝑖𝑌 (𝑠)). As the detailed expressions of Ψ
and Φ are not used in this paper, they are omitted but can be
found in [24]. As analyzed in Section V, Eq. (3) is key for the
 Long-range Sensors in other areas
communication
Compromised Other sensors in the area 1
measurements + -
Speed Turbine
State estimation (SE) + controller
& + - - area1
Bad data detection
(BDD) +
Attack Speed Turbine power
Compromised controller
load estimates detector I I flow sensor
AGC for area 1
ACE1
Frequency area2 I area3
+ sensor
Generation model of the area 1
(a) (b) (c)

Fig. 4. (a) SE, BDD, AGC programs, and attack detector discussed in Section VI; (b) Block diagram of the generation model for the area 1; (c) Virtual
tie-lines of the three-area grid in Fig. 1. Notation explanation: Δ𝑝𝑖𝑗 is the deviation of the power flow over ℓ𝑖𝑗 from its scheduled value; 𝐺𝑖 (𝑠) and 𝑇𝑖 (𝑠) are
transfer functions of the speed controller and the turbine of a generator, respectively; Δ𝑝𝑀 𝑖 is change of input mechanical power; gain 𝐾𝑖 ; droop constant 𝑅𝑖 ;
total generator inertia 𝑀𝑖 ; load-damping constant 𝐷𝑖 ; superscripts ‘𝑌 ’ and ‘𝑁 ’ modify the symbols for the generators under and out of AGC, respectively.

0.15 0.1

Δ𝜔 (Hz)
Δ𝜔 (Hz)

0.05 0
-0.05 -0.1
-0.15 Load change only Both Ground truth
Attack only -0.2 Predicted
-0.25
0 5 10 15 20 25 30 35 40 100 120 140 160 180 200
(a) AGC cycle index AGC cycle index
0.0004
Error (Hz)

0.0002 Fig. 6. Predicted Δ𝜔 based on regression. Prediction horizon 𝐻 is 34; mean

0
-0.0002 absolute prediction error is 0.0014 Hz.
-0.0004
0 50 100 150 200 250 300 350 400
(b) AGC cycle index
Fig. 5(a) plots Δ𝜔 when the simulation is driven by the Δp
Fig. 5. Validating additive property of Eq. (3). trace only, the a trace only, and both traces. Fig. 5(b) plots the
difference between the third curve and the sum of the first two
curves in Fig. 5(a). The errors are two orders of magnitude
attacker to learn attack impact models stealthily and achieve lower than Δ𝜔 in Fig. 5(a).
the optimal attack. Based on the additive property, we propose an attack impact
B. Regression-Based Attack Impact Model model based on linear regression. Let Δ𝜔(𝑘), Δp𝑘 , and a𝑘
denote the grid frequency deviation, the load change vector,
As TTE is a time-domain metric, it is intractable to find and the attack vector in the 𝑘th AGC cycle, respectively. The
a fastest attack sequence in the Laplace domain based on model is given by
Eq. (3). Thus, we need to convert Eq. (3) to an equivalent
∑𝐻−1 ⊺
time-domain model. However, the inverse Laplace transform Δ𝜔(𝑘) = uℎ Δp𝑘−ℎ + vℎ⊺ Ta𝑘−ℎ , (4)
of Eq. (3) is a set of extremely complex differential equations, ℎ=0

especially when the generators’ transfer functions 𝐺𝑖 (𝑠) and
𝑇𝑖 (𝑠) are complex. Even if the inverse Laplace transform can
be discretized, an exhaustive search may be the only viable
solution to the TTE minimization. The high compute overhead
will render the optimal attack computationally impractical.
This section proposes a linear regression model based on a
key observation from Eq. (3).
From Eq. (3), Δp and a produce additive impacts on
Δ𝜔. From the linearity principle of Laplace transform, this
additive property also holds in the time domain. To validate
this, we conduct simulations using PowerWorld [11], a high-
fidelity power system simulator. For the grid in Fig. 1, we run
simulations driven by randomly generated traces for Δp and a.
The trace for Δp is generated by scaling the steady-state load
of each load bus by a zero-mean Gaussian random variable of
standard deviation 0.02 per unit (p.u.), while each element of
a is randomly and uniformly sampled from [−5 MW, 5 MW].
where 𝐻 is the horizon of the regression, uℎ ∈ ℝ𝑁 ×1 and
vℎ ∈ ℝ𝐿×1 are the coefficients that “encode” the coefficients
𝜽 ⊺ Φ−1 and 𝜽 ⊺ Φ−1 ΛΨ in Eq. (3). Eq. (4) preserves the
additive property of Eq. (3). Fig. 6 shows the trace of Δ𝜔
predicted from a trained regression model and the ground truth
in the presence of load fluctuations and random FDI attacks.
We can see that the model accurately predicts Δ𝜔. Extensive
evaluation shows that the mean absolute prediction error is
on the order of 0.001 Hz, which is insignificant compared
with natural fluctuations of the grid frequency on the order
of 0.1 Hz. The details of the evaluation are omitted here due
to space constraints and can be found in [24].
C. Optimal FDI Attack Sequence
Based on Eq. (4), we develop an algorithmic formulation
of an optimal FDI attack sequence that minimizes the TTE.
Suppose 𝑙 ∈ ℤ and 𝑘 ∈ ℤ are the onset time of the attack and

Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.
 Algorithm 1 To compute the optimal attack sequence.

Δ𝜔 (Hz) Δ𝜔 (Hz)
0.4
0.2
Input: {Δp𝑖 ∣𝑖 ∈ [𝑘−𝐻 +1, 𝑘]}, {a𝑙 , . . . , a𝑘 }, {uℎ , vℎ ∣ℎ ∈ [0, 𝐻 − 1]} 0
-0.2 Onset of attack ∣𝕎∣ = 81
Output: The attack sequence that minimizes the TTE -0.4
1: ℎ = 1 0.4
0.2 ∣𝕎∣ = 66
2: loop 0
3: {a∗ ∗
𝑘+1 , . . . , a𝑘+ℎ } = arg max{a𝑘+1 ,...,a𝑘+ℎ } Δ𝜔(𝑘 + ℎ) subject to
-0.2
-0.4 Onset of attack
that a𝑘+𝑖 satisfies Eqs. (1) and (2), ∀𝑖 ∈ [1, ℎ] -0.6
4: compute Δ𝜔 ∗ (𝑘 + ℎ) using {a∗ ∗
𝑘+1 , . . . , a𝑘+ℎ } and Eq. (5)
5: if Δ𝜔 ∗ (𝑘 + ℎ) ≥ 𝜖𝑈 then return {a∗ 𝑘+1 , . . . , a∗
𝑘+ℎ } Fig. 8. Two examples of the effects of optimal attacks. The grid is under
6: {a∗𝑘+1 , . . . , a ∗
𝑘+ℎ } = arg min {a𝑘+1 ,...,a𝑘+ℎ } Δ𝜔(𝑘 + ℎ) subject to attack during the shaded periods. We stop a simulation once the frequency
that a𝑘+𝑖 satisfies Eqs. (1) and (2), ∀𝑖 ∈ [1, ℎ] deviation exceeds the safety region (−0.5 Hz, 0.5 Hz).
7: compute Δ𝜔 ∗ (𝑘 + ℎ) using {a∗ ∗
𝑘+1 , . . . , a𝑘+ℎ } and Eq. (5)
8: if Δ𝜔 ∗ (𝑘 + ℎ) ≤ 𝜖𝐿 then return {a∗ ∗
𝑘+1 , . . . , a𝑘+ℎ }
9: ℎ=ℎ+1 Fig. 7 shows the time series of five elements of the attack
10: end loop vector a computed using Algorithm 1 for the three-area grid in
Fig. 1, when the attacker has write access to all the 81 sensor
6 data links. Each element of amin and amax is −5 MW and
a[𝑖] (MW)

4
2
0 5 MW, respectively. We can see that the attack vector changes
-2
-4
-6 over time. The top part of Fig. 8 shows the trajectory of Δ𝜔
34 36 38 40 42 44 46
AGC cycle index when the attacker injects the attack sequence in Fig. 7. The
safety condition defined by 𝜖𝐿 = −0.5 Hz and 𝜖𝑈 = 0.5 Hz
Fig. 7. Five elements of the optimal attack vectors. is breached after 10 AGC cycles from the onset of the attack.
We can see that the optimal attack sequence first misleads the
the current AGC cycle index, respectively, where 𝑙 ≤ 𝑘. From system to reduce the grid frequency and then leverages the
Eq. (4), the frequency deviation in the (𝑘 + ℎ)th AGC cycle system’s response to the frequency reduction to achieve an
is predicted by overshoot that breaches the safety condition. The bottom part
⎡ ⎤⊺⎡ ⎤⎡ ⎤⊺⎡ ⎤ of Fig. 8 shows the result when the attacker has write access
u𝐻−1 Δp𝑘−𝐻+ℎ+1 v𝐻−1 0
⎢ .. ⎥⎢ .. ⎥⎢ .. ⎥⎢ .. ⎥ to 66 sensor measurements. As now fewer measurements can
⎢ . ⎥⎢ . ⎥⎢ . ⎥⎢ . ⎥
⎢ ⎥⎢ ⎥⎢ ⎥⎢ ⎥ be tampered with, the attacker takes a longer time to breach
⎢uℎ+𝑘−𝑙+1 ⎥⎢ Δp𝑙−1 ⎥ ⎢vℎ+𝑘−𝑙+1 ⎥⎢ 0 ⎥
⎢ ⎥⎢ ⎥⎢ ⎥⎢ ⎥ the safety condition. The optimal attack sequence exhibits
⎢ uℎ+𝑘−𝑙 ⎥⎢ Δp𝑙 ⎥ ⎢ vℎ+𝑘−𝑙 ⎥⎢ Ta𝑙 ⎥
⎢ ⎥⎢ ⎥⎢ ⎥⎢ ⎥ a similar strategy, i.e., it leverages the system’s response to
⎢ .. ⎥⎢ .. ⎥⎢ .. ⎥⎢ .. ⎥
Δ𝜔(𝑘+ℎ)=⎢ . ⎥⎢ . ⎥+⎢ . ⎥⎢ . ⎥, (5) achieve oscillation and overshoot.
⎢ ⎥⎢ ⎥⎢ ⎥⎢ ⎥
⎢ uℎ ⎥⎢ Δp𝑘 ⎥ ⎢ vℎ ⎥⎢ Ta𝑘 ⎥
⎢ ⎥⎢ ⎥⎢ ⎥⎢ ⎥ V. ACHIEVING O PTIMAL ATTACK
⎢ uℎ−1 ⎥⎢ Δp̂𝑘+1 ⎥ ⎢ vℎ−1 ⎥⎢ Ta𝑘+1 ⎥
⎢ ⎥⎢ ⎥⎢ ⎥⎢ ⎥
⎢ .. ⎥⎢ .. ⎥⎢ .. ⎥⎢ . ⎥ This section analyzes whether and how an attacker can
⎣ . ⎦ ⎣ . ⎦ ⎣ . ⎦ ⎣ . ⎦
. achieve the optimal attack. A model in either Eq. (3) or Eq. (4)
u0 Δp̂𝑘+ℎ v0 Ta𝑘+ℎ is a prerequisite for computing the optimal attack sequence
using Algorithm 1. However, such detailed models that de-
where Δp̂𝑘+1 , . . . , Δp̂𝑘+ℎ are the forecast load changes;
scribe the system dynamics may not be readily available. This
a𝑙 , . . . , a𝑘 are the past attack vectors; a𝑘+1 , . . . , a𝑘+ℎ are
is mainly because the real-time AGC control does not rely
the future attack vectors to be optimized. If the attacker
on these models. In this section, we discuss two approaches,
has no access to the load forecast, he can set Δp̂𝑘+1 =
active probing and passive monitoring, for the attacker to learn
. . . = Δp̂𝑘+ℎ = 0. We propose Algorithm 1 to compute an
these models, starting from a modest amount of feasible-to-
attack sequence. Specifically, for each ℎ starting from one,
obtain prior knowledge about the grid. The former approach
Algorithm 1 maximizes and minimizes the grid frequency de-
launches FDI attacks of small magnitudes to learn the model in
viation Δ𝜔(𝑘 + ℎ) subject to the stealthiness and write access
Eq. (4), while the latter learns the model in Eq. (3) by passively
constraints in Eqs. (1) and (2), and stops once Δ𝜔(𝑘 +ℎ) exits
eavesdropping on sensor data without actually tampering with
the safety region defined by 𝜖𝑈 and 𝜖𝐿 . We have the following
them. Apparently, the latter approach is more stealthy. With the
proposition.
learned models, the attacker can use Algorithm 1 to strategize
Proposition 1. Modulo the approximation error of Eq. (5), his attack beyond the random or heuristic attacks studied in
Algorithm 1 computes the optimal attack sequence. prior work [7], [8], [9], [10].
Proof. The optimality of the solution given by Algorithm 1 A. Active Probing
can be proved by contradiction as follows. Suppose the solu-
The attacker injects a series of attack vectors of small
tion given by Algorithm 1, denoted by {a∗𝑘+1 , . . . , a∗𝑘+ℎ∗ },
magnitudes that satisfy the constraints in Eqs. (1) and (2)
is not optimal and there exists a shorter attack sequence
and cause grid frequency fluctuations similar to those caused
{a𝑘+1 , . . . , a𝑘+ℎ′ } where ℎ′ < ℎ∗ such that Δ𝜔(𝑘 + ℎ′ ) ∈ /
by natural demand fluctuations, so that these small “probes”
(𝜖𝐿 , 𝜖𝑈 ). This supposition contradicts the fact that Algorithm 1
will neither alert the grid operator nor damage anything. For
cannot find an attack sequence such that Δ𝜔(𝑘+ℎ) ∈ / (𝜖𝐿 , 𝜖𝑈 )
instance, in Fig. 5, the random FDIs of limited magnitudes
and thus does not return when ℎ = ℎ′ .
introduce little changes to Δ𝜔. Meanwhile, the attacker keeps

Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.

track of Δp and Δ𝜔. After accumulating enough data, he
can apply linear regression to learn the model in Eq. (4). The
attacker can treat vℎ⊺ T in Eq. (4) as a single row vector. Thus,
prior knowledge of T is not needed. Section VII will evaluate
this approach.
B. Passive Monitoring
Based on passively eavesdropped sensor measurements
only, we can learn the coefficient uℎ in Eq. (4), but not vℎ .
Thus, we fall back on the Laplace-domain model in Eq. (3),
which preserves additional information about the coefficient
of a. Before presenting details of the passive monitoring
approach, we use a barebone example to illustrate a basic
challenge of the approach and a key to its success. Fig. 9
shows an abstract feedback system with scalar input 𝑥 and
output 𝑦, unknown scalar gains 𝐵1 and 𝐵2 , and malicious
injection 𝑎 on the measurement of 𝑦. We can derive 𝑦 =
𝐵1 𝐵1 𝐵2
1+𝐵1 𝐵2 𝑥 − 1+𝐵1 𝐵2 𝑎. Based on passively eavesdropped traces
of 𝑥 and 𝑦, the attacker can estimate the value of 1+𝐵 𝐵1
1 𝐵2
However, he cannot estimate the individual values of 𝐵1 and
𝐵1 𝐵2
𝐵2 , and thus cannot derive the coefficient for 𝑎, i.e., − 1+𝐵
1 𝐵2
But if he has additional prior information about 𝐵1 and 𝐵2 ,
e.g., 𝐵1 = 𝐵2 , he may be able to estimate 𝐵1 and 𝐵2 ,
and derive the coefficient for 𝑎. For the more complex AGC
system, we have the following proposition.
Proposition 2. If the attacker knows the generator inertia 𝑀𝑖
and the load-damping constant 𝐷𝑖 in Fig. 4(b), the weights
𝛼𝑖 and 𝛽𝑖 of the AGC algorithm in Fig. 4(a), and T in
Eq. (3), and he can eavesdrop on the time series of load
change Δ𝑝𝑖 , virtual tie-line power flow deviation Δ𝑝𝑖𝑗 , and
frequency deviation Δ𝜔𝑖 for each area, he can apply system
identification techniques to learn the attack impact model in
Eq. (3).
The proof, which provides a detailed learning procedure,
can be found in the Appendix. Now, we discuss how the
attacker can obtain the constants and time series data required
by Proposition 2. In the second assumption of the attack model
in Section III-A, we assume that the attacker can obtain the
time series of z that contains Δ𝑝𝑖 and Δ𝑝𝑖𝑗 for each area.
He can also obtain the time series of Δ𝜔𝑖 by using his
own frequency sensors plugged into any power outlets in the
areas. The parameters 𝑀𝑖 , 𝐷𝑖 , 𝛼𝑖 , 𝛽𝑖 , and T are basic grid
information. The attacker can launch data exfiltration attacks
such as in the initial phase of the Dragonfly attack [3] to
obtain them. The attacker can also try other ways that may
be easier. The grid operator periodically estimates 𝑀𝑖 and
𝐷𝑖 , and uses them to configure various algorithms [6]. The
attacker can steal their values by insiders or social engineering
against employees of the grid. As defined in Section IV-A, T
is a matrix that aggregates the real tie-line power flows in z
as virtual tie-line power flows. It can be easily derived from
the grid’s topology graph (e.g., Fig. 1), which can be public
knowledge. For instance, an open database [12] provides the
topology graphs of about 130 national grids. The settings for
𝛼𝑖 and 𝛽𝑖 can also be public knowledge [25].
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.
0.1
Δ𝜔 (Hz)
0
+ - + -0.1
Ground truth
+ -0.2 Predicted AGC cycle = 4 secs
0.1
Δ𝜔 (Hz)
0
-0.1
Ground truth
Fig. 9. A bare- -0.2 Predicted AGC cycle=1.33 secs
bone example that il-
lustrates a basic chal-
0 100 200 300 400
Time (seconds)
lenge of passive mon-
itoring approach to Fig. 10. Prediction using the model in Eq. (3)
learn attack impact learned by passive monitoring under two settings
model. of the AGC cycle (no load changes; training data
length is 26.6 minutes).
We conduct PowerWorld simulations for the grid in Fig. 1
and apply the passive monitoring procedure detailed in the
Appendix, where the elements of 𝜽 ⊺ Φ−1 and Λ in Eq. (3)
are identified as fourth- and second-order polynomial fractions
of 𝑠, respectively. Fig. 10 shows the Δ𝜔 predicted using
the learned model and the ground truth in the presence
. of random FDI attacks without load fluctuations. Thus, it
specifically evaluates the performance of the learned model in
. characterizing the attack impact. The model is learned under
different AGC cycle lengths of 4 seconds and 1.33 seconds.
The training data collection takes 26.6 minutes. Under both
settings, the mean absolute errors, which are 0.021 Hz and
0.015 Hz, are comparable. This result shows the robustness of
the approach to the AGC cycle length within its typical range
(two to four seconds). Although the prediction error of this
approach is higher than that of the active probing approach,
which is on the order of 10−3 Hz as shown in Section VII, its
performance is satisfactory when the prediction horizon is not
long (e.g., 200 seconds).
As Algorithm 1 is based on the regression model in Eq. (4),
the attacker can use the learned Laplace-domain model to
generate simulated traces of Δ𝜔, Δp, and a to train the
regression model. Then, he can use Algorithm 1 to compute
the optimal attack.
It is not trivial to learn the attack impact model, and care is
needed to obtain the required prior information, choose proper
orders for the transfer functions, and prevent overfitting. How-
ever, these tasks are certainly within reach of skillful attackers.
In Section VIII, we demonstrate an oracle implementation of
the passive monitoring approach on a physical power system
testbed. The evaluation results indicate its feasibility for real-
world power grids.
VI. D ISCUSSIONS
A. Attack Detection and Mitigation
It is challenging to distinguish an FDI attack from natural
disturbances based on untrusted sensor data. To address this
challenge, we have developed an attack detection algorithm
that checks the consistency between the observed frequency
deviation and the predicted frequency deviation. The predic-
tion is based on the observed load change vectors and the
first term in the right-hand side of Eq. (4). This algorithm
can effectively detect an attack and its onset time. Because of
space constraints, details of the attack detection algorithm are
 0.6 0.6
0.4 𝜖𝑈 0.4 𝜖𝑈
MTTE
Δ𝜔 (Hz)

Δ𝜔 (Hz)
0.2 0.2
0 0
-0.2 -0.2 Other surge attacks
Effect range of random attacks Surge attack in the fig below
-0.4 𝜖𝐿 Predicted effect of optimal attack -0.4 𝜖𝐿 Optimal attack
-0.6 True effect of optimal attack -0.6
20 20
Optimal attack sequence
Ta (MW)

10 Surge attack sequence

Ta (MW)
10
0 0
-10 ℓ12 -10 ℓ12
ℓ23 ℓ23
-20 ℓ31 -20 ℓ31
55 60 65 70 75 55 60 65 70 75
AGC cycle index AGC cycle index
Fig. 11. Optimal attack sequence vs. random attack sequence. The grid is Fig. 12. Optimal attack sequence vs. surge attack sequence. The grid is under
under attack during the shaded period. attack during the shaded period.

omitted in this paper and can be found in [24]. On detecting 0.002 140

MTTE (sec)
MTTE

an attack, a possible mitigation approach is to stop the AGC.
In addition, Sridhar et al. [7] propose to use forecast load,
rather than measured load, to drive the AGC. Further study is
needed to understand how long the grid can sustain without
AGC, or the performance of the forecast-driven AGC.
B. Renewable Energy Sources and Large-scale Grids
Active power controls are not widely adopted by today’s re-
newable energy sources (RES) like wind and solar generators.
With low RES penetration, its generation fluctuation can be
regarded as part of the load change and the attacker can still
learn the attack impact model and optimize his attack using
Algorithm 1 if he can access the past and predicted RES gen-
eration. However, a high RES penetration may invalidate the
steady-state assumptions of the AGC model, and further study
is needed to understand its impact on our analysis. For large-
scale grids, it becomes hard for the attacker to compromise
massive sensor links and manipulate the frequency. Instead,
the attacker may focus on a selected area and aim at increasing
the tie-line power flows to breach safety limits.
VII. S IMULATIONS
To validate our analysis and compare the optimal attack with
prior limited attacks, we conduct PowerWorld [11] simulations
based on the three-area 37-bus model in Fig. 1. Default settings
include: AGC cycle length is four seconds; 𝜖𝐿 = −0.5 Hz and
𝜖𝑈 = 0.5 Hz; all the sensor measurements are writable to the
attacker; each element of amin and amax is −5 MW and 5 MW,
respectively; for all the areas, 𝛼𝑖 = 12, 𝛽𝑖 = 100 MW/Hz,
and the AGC gain 𝐾𝑖 = 10−4 . As the focus of this paper
is to study how to push Δ𝜔 to 𝜖𝐿 or 𝜖𝑈 in the shortest
time, we stop a simulation once Δ𝜔 goes out of (𝜖𝐿 , 𝜖𝑈 ).
Remedial programs like load shedding can be integrated with
our simulations, but they are beyond the present scope of our
analysis. The simulation results are as follows.
Effectiveness of optimal attack sequence: The bottom part
of Fig. 11 shows the traces for the three components of Ta
(i.e., the malicious injections to the virtual tie-line power flow
measurements), where a is computed by Algorithm 1. The
top part of Fig. 11 shows the trajectory of Δ𝜔 when the
attacker injects the optimal attack sequence. It also shows the
MAE (Hz)
120
MAE 100
0.0015
80
60
0.001 40
65 70 75 80
Number of compromised sensor data links ∣𝕎∣
Fig. 13. Impact of write access constraint with SE.
trajectory of Δ𝜔 predicted by the attacker at the 68th AGC
cycle, which well matches the true attack effect. As Δ𝜔 hits
the 𝜖𝑈 threshold at the 78th AGC cycle, the minimum TTE
(MTTE) is 10 AGC cycles. We employ two baseline attack
approaches that are consistent with the two limited attack
templates studied in [7]. The first baseline, random attack,
uniformly and randomly generates an attack vector every AGC
cycle from the feasible space defined by the constraints in
Eqs. (1) and (2). The top part of Fig. 11 shows the range
of Δ𝜔 caused by 2,800 random attack sequences. We can see
that the random attack cannot push Δ𝜔 beyond either 𝜖𝑈 or 𝜖𝐿
within MTTE. The second baseline, surge attack, minimizes
or maximizes each component of Ta under the constraint
amin ⪯ a ⪯ amax . Thus, there are a total of 23 = 8 surge
attack sequences for the three virtual tie-lines. For instance,
the bottom part of Fig. 12 shows a surge attack sequence. The
top part of Fig. 12 shows the trajectory of Δ𝜔 under all the
eight surge attack sequences and the optimal attack. The surge
attack cannot breach the safety condition within MTTE. The
ineffectiveness of the random and surge attacks is due to the
AGC’s ability to correct the frequency deviations caused by
these restricted attacks. To breach the safety limit, the attacker
needs to strategically design his injections based on knowledge
of the system dynamics.
Impact of write access constraint with SE: Fig. 13 shows
the mean absolute error (MAE) of the model in Eq. (4) learned
by the active probing approach versus the number of sensor
data links writable by the attacker (i.e., ∣𝕎∣). We can see
that the attacker’s model accuracy is insensitive to the write
access constraint. Note that the learning and testing phases are
subject to the same write access constraint. This result implies
that overfitting does not occur when the attacker compromises
more sensor data links and needs to learn more parameters.
This is mainly due to the linearity of the attack impact as

Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.
 8
6

min ∣𝕎∣
4
2
motor
0 generator (simulates turbine)
4 6 8 10 12 14
(a) 13.5kVA generator driven by a motor (b) 16-bus power system (c) variable load
amax (MW)
Fig. 15. A 16-bus power system testbed.
Fig. 14. Minimum ∣𝕎∣ yielding MTTE < 2 minutes.
0.15 30
0.1

𝑎 (Hz)
described in Eq. (4). Fig. 13 also shows the MTTE from a 0.05
0
particular attack onset time versus ∣𝕎∣. The decreasing trend -0.05

MTTE (sec)
-0.1 20
-0.15
is consistent with the intuition that a less constrained attacker 50.2 ground truth
prediction
50.1

𝜔 (Hz)
can cause a larger impact.
Minimum write access requirement without SE: This set
of simulations does not consider SE and its BDD. Thus, the
attacker can just focus on the sensors on the eight real tie-
lines shown in Fig. 1. We evaluate the minimum number of
tie-line sensors that the attacker needs to compromise in order
to trigger remedial actions within two minutes. Fig. 14 shows
this minimum number versus the setting of each element of
amax , where amin = −amax . The decreasing trend suggests
that, for a more stringent stealthiness constraint (i.e., a smaller
amax ), the attacker needs to compromise more sensor data
links to achieve a certain TTE.
VIII. T ESTBED E XPERIMENTS
We conduct experiments on a three-phase 16-bus 400 V
power system testbed to evaluate the passive monitoring ap-
proach presented in Section V-B. The 16 buses, each installed
in a cabinet as shown in Fig. 15(b), are connected to form a
ring topology. Each bus is monitored by a smart meter. A vari-
able load, as shown in Fig. 15(c), is connected to a bus in the
system. Its power consumption can be tuned manually using a
knob. A 13.5kVA generator, shown in Fig. 15(a), is driven by a
motor (which simulates a turbine) and is connected to another
bus in the system. The input power of the motor is supplied by
a Current Vector Drive (CVD), which communicates with a
remote computer. Power engineering researchers have imple-
mented a single-area AGC algorithm using LabVIEW on the
computer, which regulates the grid frequency based on a smart
meter’s frequency measurements only. The LabVIEW program
retrieves frequency measurements from the smart meter and
sends the ACE to the CVD. Thus, different from the attacks
on the power flow measurements described in the previous
sections, in this section we study attacks on the frequency
measurements and extend the passive monitoring approach to
address this new attack model. Because of space constraints,
the extension details are omitted here and can be found in
[24]. The extended approach assumes that the attacker knows
𝐷, 𝑀 , 𝛽, and can eavesdrop on the measurements of load
deviation Δ𝑝 and frequency deviation Δ𝜔. We refer the reader
to Section V-B for discussions on how the attacker can obtain
these system constants and measurements.
We conduct experiments to validate the extended passive
monitoring approach. For this testbed, the constants needed
by the attacker are 𝐷 = −23 W/Hz, 𝑀 = 2.6 kJ/Hz, and
𝛽 = 300 W/Hz. The AGC cycle length is two seconds.
50 10
49.9
49.8 0
820 830 840 850 860 870 880 0.15 0.2 0.25
Time (s) 𝑎max (Hz)
Fig. 17. MTTE
Fig. 16. Top: injection to frequency readings.
Bottom: frequency predicted by learned model and vs. 𝑎max setting
ground truth. (𝑎min = −𝑎max ).
During the attacker’s learning phase, we manually tune the
load to simulate load fluctuations. To mimic the attacker’s
eavesdropping, we install Wireshark (a packet sniffer) on the
computer running AGC and use it to extract Δ𝑝 and Δ𝜔 from
the network traffic. Using two minutes of eavesdropped data,
we follow the extended passive monitoring approach [24] to
learn the attack impact model using MATLAB’s system identi-
fication toolbox. We try different orders for some intermediate
transfer functions to be identified and choose the orders that
best fit the training data. The resulting transfer function for the
FDI to the grid frequency is of the seventh order. We evaluate
the learned attack impact model as follows. Using the model,
we predict the trajectory of the grid frequency given a random
attack sequence of limited magnitude, as shown in the top part
of Fig. 16. Then, we inject this attack sequence to the real-time
frequency measurements in the LabVIEW program during an
experiment. We limit the magnitude of this test attack sequence
to ensure that it will not cause damage to the testbed. The
bottom part of Fig. 16 shows our prediction and the observed
ground truth. The prediction matches the ground truth well and
the mean absolute error of the prediction is 0.036 Hz only. This
suggests that the learned model is accurate.
With the learned model, we compute the optimal attack
sequences under different settings for the FDI bound 𝑎max ,
where 𝑎min = −𝑎max . Fig. 17 shows the computed MTTE
versus 𝑎max . We can see that the MTTEs are below 30
seconds. Such short MTTEs suggest that it is critical to protect
the frequency measurements of this testbed. Although we stop
the experiment before physical damage happens on the testbed,
the demonstrated accuracy of the learned attack impact model
substantiates the importance of the optimal attacks in practice.
IX. C ONCLUSION
This paper studied FDI attacks on sensor data for AGC.
We derived key attack impact models and showed that the
attacker can learn the models based on eavesdropped sensor
data and a modest amount of prior knowledge about the grid.
Then, the attacker can compute an attack sequence to minimize

Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.
 the remaining time before the grid must initiate costly and [19] S. Amin, X. Litrico, S. Sastry, and A. M. Bayen, “Cyber security of
disruptive remedial actions such as disconnecting generators water scada systems–part i: analysis and experimentation of stealthy
deception attacks,” IEEE Trans. Control Syst. Technol., vol. 21, no. 5,
and customer loads. We developed an efficient algorithm pp. 1963–1970, 2013.
to detect the attack and its onset time. Our analysis and [20] A. A. Cárdenas, S. Amin, Z.-S. Lin, Y.-L. Huang, C.-Y. Huang, and
algorithms were validated by experiments on a physical 16-bus S. Sastry, “Attacks against process control systems: risk assessment,
detection, and response,” in ACM ASIACCS, 2011.
power system testbed and extensive PowerWorld simulations [21] F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identifica-
based on a 37-bus power system model. tion in cyber-physical systems,” IEEE Trans. Autom. Control, vol. 58,
no. 11, pp. 2715–2729, 2013.
[22] H. Fawzi, P. Tabuada, and S. Diggavi, “Secure estimation and control for
ACKNOWLEDGEMENT cyber-physical systems under adversarial attacks,” IEEE Trans. Autom.
Control, vol. 59, no. 6, pp. 1454–1467, 2014.
This work was supported in part by the research grant for the [23] A. Hahn, A. Ashok, S. Sridhar, and M. Govindarasu, “Cyber-physical
Human-Centered Cyber-Physical Systems Programme at the security testbeds: Architecture, application, and evaluation for smart
Advanced Digital Sciences Center from Singapore’s Agency grid,” IEEE Trans. Smart Grid, vol. 4, no. 2, pp. 847–855, 2013.
[24] Long version of this paper, Tech. Rep., 2016, http://publish.illinois.edu/
for Science, Technology and Research (A★STAR), and in resilient-grid/files/2016/01/AGC-full.pdf.
part under the Energy Innovation Research Programme (EIRP, [25] “PJM manual 12,” 2015, http://www.pjm.com/markets-and-operations/
Award No. NRF2014EWTEIRP002-026), administrated by the ancillary-services/∼/media/documents/manuals/m12.ashx.
Energy Market Authority (EMA). The EIRP is a compet-
A PPENDIX : P ROOF OF P ROPOSITION 2
itive grant call initiative driven by the Energy Innovation
Programme Office, and funded by the National Research Proof. In Eq. (3), Φ−1 and Λ are the only unknowns. First,
Foundation (NRF). learn 𝜽 ⊺ Φ−1 in Eq. (3) as a whole. Based on time series of
Δp and Δ𝜔 computed from those of Δ𝑝𝑖 and Δ𝜔𝑖 , apply
R EFERENCES system identification techniques (e.g., tfest in MATLAB)
to fit 𝜽 ⊺ Φ−1 as a vector of 𝑁 transfer functions. Try different
[1] S. Karnouskos, “Stuxnet worm impact on industrial cyber-physical
system security,” in 37th Conf. IEEE Ind. Electron. Society, 2011. orders for the transfer functions and choose orders that best fit
[2] “Hackers infiltrated power grids,” 2014, http://on.recode.net/1FpKP7Y. the data. Second, as Λ appears in the coefficient of a only, we
[3] “The dragonfly attack,” 2014, http://rsa.dev.neptuneweb.com/ cannot learn Λ based on training data without a traces. We
dragonfly-attack/.
[4] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks against
use its expression Λ = diag(𝑠𝑛1 − 1, . . . , 𝑠𝑛𝑁 − 1), where
𝛼 𝐾 𝐺𝑌 (𝑠)𝑇 𝑌 (𝑠)
state estimation in electric power grids,” in ACM CCS, 2009. 𝑛𝑖 = 1𝑠 + 𝑖 𝑖 𝑖𝑠2 𝑖 [24], and follow four steps: (i)
[5] U.S. DHS, “Insider threat to utilities,” 2011, https://info. Compute Δ𝑝𝐸𝑖 from Δ𝑝𝑖𝑗 . With time series of Δ𝜔𝑖 , Δ𝑝𝑖 ,
publicintelligence.net/DHS-InsiderThreat.pdf.
[6] P. Kundur, N. J. Balu, and M. G. Lauby, Power system stability and and Δ𝑝𝐸𝑖 , estimate the time series of (Δ𝑝𝑌𝑀 𝑖 + Δ𝑝𝑁 𝑀 𝑖 ) based
˜
Δ𝑝 ˜
𝑌 +Δ𝑝 ˜𝑖 −Δ𝑝
𝑁 −Δ𝑝 ˜
control. McGraw-hill New York, 1994.
on 𝑀𝑖 𝑀𝑖 𝐸𝑖 ˜
= Δ𝜔𝑖 described in Fig. 4(b). (ii)
[7] S. Sridhar and M. Govindarasu, “Model-based attack detection and 𝑀𝑖 𝑠+𝐷𝑖
mitigation for automatic generation control,” IEEE Trans. Smart Grid, Estimate the time series of ACE𝑖 by ACE𝑖 = 𝛼𝑖 Δ𝑝𝐸𝑖 +
vol. 5, no. 2, pp. 580–591, 2014.
𝛽𝑖 Δ𝜔𝑖 . (iii) From Fig. 4(b), Δ𝑝˜ 𝑁 𝑁
˜𝑖 and
𝑁 = − 𝐺𝑖 (𝑠)𝑇𝑖 (𝑠) Δ𝜔
[8] S. Bhowmik, K. Tomsovic, and A. Bose, “Communication models for 𝑀𝑖 𝑅𝑁 𝑖
third party load frequency control,” IEEE Trans. Power Syst., vol. 19, ˜
Δ𝑝
𝑌 𝑌
𝑌 =− 𝐺𝑖 (𝑠)𝑇𝑖 (𝑠) Δ𝜔
𝑌 𝑌
˜𝑖 − 𝐺𝑖 (𝑠)𝑇𝑖 (𝑠)𝐾𝑖 ⋅ ACE
˜𝑖 . The sum of
no. 1, pp. 543–548, 2004. 𝑀𝑖 𝑅𝑖𝑌 𝑠
[9] K. Tomsovic, D. E. Bakken, V. Venkatasubramanian, and A. Bose, the two equations is a model with Δ𝜔𝑖 and ACE𝑖 as the inputs
“Designing the next generation of real-time control, communication, and and (Δ𝑝𝑌𝑀 𝑖 + Δ𝑝𝑁 𝑀 𝑖 ) as the output. The transfer function for
computations for large power systems,” Proc. IEEE, vol. 93, no. 5, pp. 𝐺𝑌 (𝑠)𝑇𝑖𝑌 (𝑠)𝐾𝑖
965–979, 2005. ACE𝑖 in the summed model is 𝑉𝑖 (𝑠) = − 𝑖 𝑠 . With
[10] S. Sridhar and G. Manimaran, “Data integrity attacks and their impacts time series of Δ𝜔𝑖 , ACE𝑖 , and (Δ𝑝𝑌𝑀 𝑖 + Δ𝑝𝑁 𝑀𝑖 ), fit 𝑉𝑖 (𝑠).
on scada control system,” in IEEE Power and Energy Society General
Meeting, 2010. (iv) Λ = diag(−𝛼1 𝑉1 (𝑠), . . . , −𝛼𝑁 𝑉𝑁 (𝑠)).
[11] “PowerWorld,” 2016, http://www.powerworld.com/.
[12] “National grid maps,” 2016, http://www.geni.org/globalenergy/library/
national energy grid/. TABLE I
[13] Y. Chen, Z. Huang, Y. Liu, M. J. Rice, and S. Jin, “Computational chal- S UMMARY OF N OTATIONS *
lenges for power system operation,” in Hawaii International Conference Symbol Definition Symbol Definition
on System Science, 2012. Δ𝜔𝑖 grid freq. deviation Δ𝜔 avg grid freq. deviation
[14] S. Grijalva, “Research needs in multi-dimensional, multi-scale modeling 𝜖𝐿 Δ𝜔 lower bound 𝜖𝑈 Δ𝜔 upper bound
and algorithms for next generation electricity grids,” 2011, http://1.usa. Δ𝑝𝐸𝑖 power export deviation ACE𝑖 area control error
gov/1VBJAgu. 𝛼𝑖 , 𝛽 𝑖 AGC algorithm constants 𝑚 number of sensors
[15] P. M. Esfahani, M. Vrakopoulou, K. Margellos, J. Lygeros, and G. An- z measurement vector 𝑁 number of areas
dersson, “Cyber attack in a two-area power system: Impact identification 𝕎 corruptible z element indices F measurement matrix of SE
𝐻 regression horizon of Eq. (4) 𝐿 number of tie-lines
using reachability,” in ACC, 2010.
a FDI attack vector c injected SE error
[16] ——, “A robust policy for automatic generation control cyber attack in amin lower bound for a amax upper bound for a
two area power network,” in IEEE CDC, 2010. Δ𝑝𝑖 change of load ℓ𝑖𝑗 tie-line from area 𝑖 to 𝑗
[17] J. M. Hendrickx, K. H. Johansson, R. M. Jungers, H. Sandberg, and Δp = [Δ𝑝1 , . . . , Δ𝑝𝑁 ]⊺ uℎ , vℎ coefficients in Eq.(4)
K. C. Sou, “Efficient computations of a security index for false data Δ𝑝𝑖𝑗 power flow deviation of ℓ𝑖𝑗 Ψ, Λ, Φ parameters of Eq. (3)
attacks in power networks,” IEEE Trans. Autom. Control, vol. 59, no. 12, T (Tz)[𝑖] is a tie-line flow Δ𝑝𝑀 𝑖 mechanical power change
pp. 3194–3208, 2014. 𝐺𝑖 (𝑠) speed controller transfer func. 𝑇𝑖 (𝑠) turbine transfer function
[18] M. A. Rahman, E. Al-Shaer, and R. G. Kavasseri, “A formal model for 𝐾 𝑖 , 𝑅𝑖 generator constants 𝐷𝑖 load-damping constant
verifying the impact of stealthy attacks on optimal power flow in power 𝑀𝑖 total generator inertia 𝜽 = 𝑁 1
⋅ [1, 1, . . . , 1]⊺
grids,” in ACM/IEEE ICCPS, 2014. * Subscript 𝑖 refers to area 𝑖. “Tie-line” refers to virtual tie-line.

Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR. Downloaded on July 11,2024 at 11:38:19 UTC from IEEE Xplore. Restrictions apply.